Various fixes

2025-10-31 09:29:13 +00:00 · 2017-04-13 20:30:28 +00:00
parent d91e12942d
commit 52d35012a4
8 changed files with 49 additions and 28 deletions
--- a/certidude/api/init.py
+++ b/certidude/api/init.py
@@ -6,7 +6,6 @@ import logging
 import os
 import click
 import hashlib
 import xattr
 from datetime import datetime
 from time import sleep
 from certidude import authority, mailer
@@ -46,6 +45,8 @@ class SessionResource(object):
    @login_required
    @event_source
    def on_get(self, req, resp):
        import xattr
        def serialize_requests(g):
            for common_name, path, buf, obj, server in g():
                yield dict(
@@ -126,7 +127,6 @@ class SessionResource(object):
                requests=serialize_requests(authority.list_requests),
                signed=serialize_certificates(authority.list_signed),
                revoked=serialize_certificates(authority.list_revoked),
                users=User.objects.all(),
                admin_users = User.objects.filter_admins(),
                user_subnets = config.USER_SUBNETS,
                autosign_subnets = config.AUTOSIGN_SUBNETS,
--- a/certidude/api/attrib.py
+++ b/certidude/api/attrib.py
@@ -1,11 +1,10 @@
 import falcon
 import logging
 from ipaddress import ip_address
 from xattr import getxattr, listxattr
 from datetime import datetime
 from certidude import config, authority
 from certidude.decorators import serialize
 from xattr import getxattr, listxattr
 logger = logging.getLogger(__name__)
--- a/certidude/authority.py
+++ b/certidude/authority.py
@@ -15,7 +15,6 @@ from cryptography.hazmat.primitives import hashes, serialization
 from certidude import config, push, mailer, const
 from certidude import errors
 from jinja2 import Template
 from xattr import getxattr, listxattr, setxattr
 RE_HOSTNAME =  "^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])(@(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]))?$"
@@ -297,6 +296,8 @@ def sign(common_name, overwrite=False):
 def _sign(csr, buf, overwrite=False):
    assert buf.startswith("-----BEGIN CERTIFICATE REQUEST-----\n")
    assert isinstance(csr, x509.CertificateSigningRequest)
    from xattr import getxattr, listxattr, setxattr
    common_name, = csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    cert_path = os.path.join(config.SIGNED_DIR, common_name.value + ".pem")
    renew = False
@@ -375,5 +376,3 @@ def _sign(csr, buf, overwrite=False):
        push.publish("request-signed", common_name.value)
    return cert, cert_buf
--- a/certidude/cli.py
+++ b/certidude/cli.py
@@ -8,7 +8,6 @@ import os
 import pwd
 import random
 import re
 import requests
 import signal
 import socket
 import string
@@ -67,6 +66,8 @@ ExecStart=%s request
@click.option("-r", "--renew", default=False, is_flag=True, help="Renew now")
@click.option("-f", "--fork", default=False, is_flag=True, help="Fork to background")
 def certidude_request(fork, renew):
    import requests
    if not os.path.exists(const.CLIENT_CONFIG_PATH):
        click.echo("No %s!" % const.CLIENT_CONFIG_PATH)
        return 1
@@ -741,7 +742,7 @@ def certidude_setup_openvpn_networkmanager(authority, remote):
@click.option("--authority-lifetime", default=20*365, help="Authority certificate lifetime in days, 20 years by default")
@click.option("--organization", "-o", default=None, help="Company or organization name")
@click.option("--organizational-unit", "-ou", default=None)
-@click.option("--push-server", default="http://" + const.FQDN, help="Push server, by default http://%s" % const.FQDN)
+@click.option("--push-server", help="Push server, by default http://%s" % const.FQDN)
@click.option("--directory", help="Directory for authority files")
@click.option("--server-flags", is_flag=True, help="Add TLS Server and IKE Intermediate extended key usage flags")
@click.option("--outbox", default="smtp://smtp.%s" % const.DOMAIN, help="SMTP server, smtp://smtp.%s by default" % const.DOMAIN)
@@ -799,8 +800,7 @@ def certidude_setup_authority(username, kerberos_keytab, nginx_config, country,
        else:
            click.echo("Warning: /etc/krb5.keytab or /etc/samba/smb.conf not found, Kerberos unconfigured")
-
+        static_path = os.path.join(os.path.realpath(os.path.dirname(__file__)), "static")
        working_directory = os.path.realpath(os.path.dirname(__file__))
        certidude_path = sys.argv[0]
        # Push server config generation
@@ -809,15 +809,16 @@ def certidude_setup_authority(username, kerberos_keytab, nginx_config, country,
            listen = "0.0.0.0"
            port = "80"
        else:
-            nginx_client_config.write(env.get_template("nginx.conf").render(vars()))
+            port = "8080"
-            click.echo("Generated: %s" % nginx_client_config.name)
+            nginx_config.write(env.get_template("nginx.conf").render(vars()))
            click.echo("Generated: %s" % nginx_config.name)
            if not os.path.exists("/etc/nginx/sites-enabled/certidude.conf"):
                os.symlink("../sites-available/certidude.conf", "/etc/nginx/sites-enabled/certidude.conf")
-                click.echo("Symlinked %s -> /etc/nginx/sites-enabled/" % nginx_client_config.name)
+                click.echo("Symlinked %s -> /etc/nginx/sites-enabled/" % nginx_config.name)
            if os.path.exists("/etc/nginx/sites-enabled/default"):
                os.unlink("/etc/nginx/sites-enabled/default")
            if not push_server:
-                click.echo("Remember to install nchan instead of regular nginx!")
+                click.echo("Remember to install nchan capable nginx instead of regular nginx!")
        if os.path.exists("/etc/systemd"):
            if os.path.exists("/etc/systemd/system/certidude.service"):
@@ -1231,6 +1232,7 @@ def certidude_serve(port, listen, fork):
@click.option("-s", "--slot", default="9a", help="Yubikey slot to use, 9a by default")
@click.option("-u", "--username", default=os.getenv("USER"), help="Username to use, %s by default" % os.getenv("USER"))
 def certidude_setup_yubikey(authority, slot, username, pin):
    import requests
    cmd = "ykinfo", "-q", "-s"
    click.echo("Executing: %s" % " ".join(cmd))
    serial = subprocess.check_output(cmd).strip()
--- a/certidude/const.py
+++ b/certidude/const.py
@@ -2,6 +2,7 @@
 import click
 import os
 import socket
 import sys
 CONFIG_DIR = os.path.expanduser("~/.certidude") if os.getuid() else "/etc/certidude"
 CONFIG_PATH = os.path.join(CONFIG_DIR, "server.conf")
@@ -18,7 +19,11 @@ SIGNER_LOG_PATH = os.path.join(CONFIG_DIR, "signer.log") if os.getuid() else "/v
 if os.getenv("TRAVIS"):
    FQDN = "buildbot"
 else:
-    FQDN = socket.getaddrinfo(socket.gethostname(), 0, socket.AF_INET, 0, 0, socket.AI_CANONNAME)[0][3]
+    try:
        FQDN = socket.getaddrinfo(socket.gethostname(), 0, socket.AF_INET, 0, 0, socket.AI_CANONNAME)[0][3]
    except socket.gaierror:
        click.echo("Failed to resolve fully qualified hostname of this machine, make sure hostname -f works")
        sys.exit(254)
 if "." in FQDN:
    HOSTNAME, DOMAIN = FQDN.split(".", 1)
--- a/certidude/helpers.py
+++ b/certidude/helpers.py
@@ -1,7 +1,6 @@
 import click
 import os
 import requests
 import subprocess
 import tempfile
 from base64 import b64encode
@@ -30,6 +29,7 @@ def certidude_request_certificate(server, key_path, request_path, certificate_pa
    """
    Exchange CSR for certificate using Certidude HTTP API server
    """
    import requests
    # Create directories
    for path in key_path, request_path, certificate_path, authority_path, revocations_path:
--- a/certidude/templates/nginx.conf
+++ b/certidude/templates/nginx.conf
@@ -1,13 +1,29 @@
 # To set up SSL certificates using Let's Encrypt run:
 #
 #   apt install letsencrypt
 #   certbot certonly -d {{common_name}} --webroot /var/www/html/
 #
 # Also uncomment URL rewriting and SSL configuration below
 server {
    server_name {{ common_name }};
    listen 80 default_server;
 #    rewrite ^ https://$server_name$request_uri? permanent;
 #}
 #server {
 #    server_name {{ common_name }};
 #    listen 443 ssl http2 default_server;
 #    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
 #    ssl_certificate /etc/letsencrypt/live/{{common_name}}/fullchain.pem;
 #    ssl_certificate_key /etc/letsencrypt/live/{{common_name}}/privkey.pem;
    error_page 500 502 503 504 /50x.html;
    root {{static_path}};
    location /api/ {
-        proxy_pass http://127.0.0.1{% if listen != 80 }:{{ listen }}{% endif %}/api/;
+        proxy_pass http://127.0.0.1{% if port != 80 %}:{{ port }}{% endif %}/api/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_connect_timeout 600;
@@ -16,7 +32,15 @@ server {
        send_timeout 600;
    }
-    {% if not push_server %}
+    # This is for Let's Encrypt
    location /.well-known/ {
        alias /var/www/html/.well-known/;
    }
 {% if not push_server %}
    # This only works with nchan, for Debian 9 just apt install libnginx-mod-nchan
    # For Ubuntu and older Debian releases install nchan from https://nchan.io/
    location ~ "^/lp/pub/(.*)" {
        allow 127.0.0.1;
        nchan_publisher;
@@ -40,7 +64,7 @@ server {
        nchan_channel_id $1;
        nchan_subscriber eventsource;
    }
-    {% endif %}
+{% endif %}
 }
--- a/setup.py
+++ b/setup.py
@@ -18,14 +18,6 @@ setup(
    ],
    long_description=open("README.rst").read(),
    install_requires=[
        "setproctitle",
        "click",
        "falcon",
        "jinja2",
        "pyopenssl",
        "humanize",
        "cryptography",
        "markupsafe",
    ],
    scripts=[
        "misc/certidude"