diff --git a/.travis.yml b/.travis.yml
index cbb0dcf..0d8dd9d 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -9,7 +9,7 @@ virtualenv:
   system_site_packages: true
 install:
   - echo "127.0.0.1 localhost" | sudo tee /etc/hosts
-  - echo "127.0.0.1 ca.example.lan ca" | sudo tee -a /etc/hosts
+  - echo "127.0.1.1 ca.example.lan ca" | sudo tee -a /etc/hosts
   - echo "127.0.0.1 vpn.koodur.lan" | sudo tee -a /etc/hosts
   - sudo mkdir -p /etc/systemd/system
   - sudo pip install -r requirements.txt
diff --git a/MANIFEST.in b/MANIFEST.in
index 2b5cf35..16f08c1 100644
--- a/MANIFEST.in
+++ b/MANIFEST.in
@@ -7,6 +7,8 @@ include certidude/templates/*.ini
 include certidude/templates/mail/*.md
 include certidude/templates/client/*.timer
 include certidude/templates/client/*.service
+include certidude/templates/server/*.service
+include certidude/templates/server/*.conf
 include certidude/static/js/*.js
 include certidude/static/css/*.css
 include certidude/static/fonts/*.woff2
diff --git a/certidude/authority.py b/certidude/authority.py
index f0c69a3..115e983 100644
--- a/certidude/authority.py
+++ b/certidude/authority.py
@@ -204,11 +204,11 @@ def delete_request(common_name):
 def generate_ovpn_bundle(common_name, owner=None):
     # Construct private key
-    click.echo("Generating 4096-bit RSA key...")
+    click.echo("Generating %d-bit RSA key..." % const.KEY_SIZE)
     key = rsa.generate_private_key(
         public_exponent=65537,
-        key_size=4096,
+        key_size=const.KEY_SIZE,
         backend=default_backend()
     )
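Review bot: The size this hunk now reads, `const.KEY_SIZE`, is defined in the certidude/const.py hunk as `1024 if os.getenv("TRAVIS") else 4096`, so the strength of every key generated here, in `generate_pkcs12_bundle` (next hunk), for the CA key itself in `certidude_setup_authority` (certidude/cli.py) and in `certidude_request_certificate` (certidude/helpers.py) depends on an unrelated environment variable evaluated at import time; a production host that happens to export TRAVIS silently gets 1024-bit RSA keys, well below the accepted minimum. A dedicated, clearly test-only setting would be safer than piggybacking on the CI variable, and each generation site should at least warn when the size is reduced, e.g. `if const.KEY_SIZE < 2048: click.echo("WARNING: %d-bit RSA key is only acceptable for testing" % const.KEY_SIZE)`. Neither this hunk nor the helpers.py one shows whether `const` is imported in those modules; confirm before merging. generate_ovpn_bundle's body continues outside the hunk.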
@@ -234,17 +234,17 @@ def generate_ovpn_bundle(common_name, owner=None):
         servers = list_server_names())
     return bundle, cert
-def generate_pkcs12_bundle(common_name, key_size=4096, owner=None):
+def generate_pkcs12_bundle(common_name, owner=None):
     """
     Generate private key, sign certificate and return PKCS#12 bundle
     """
     # Construct private key
-    click.echo("Generating %d-bit RSA key..." % key_size)
+    click.echo("Generating %d-bit RSA key..." % const.KEY_SIZE)
     key = rsa.generate_private_key(
         public_exponent=65537,
-        key_size=4096,
+        key_size=const.KEY_SIZE,
         backend=default_backend()
     )
diff --git a/certidude/cli.py b/certidude/cli.py
index 5350444..3033a46 100755
--- a/certidude/cli.py
+++ b/certidude/cli.py
@@ -921,11 +921,11 @@ def certidude_setup_authority(username, kerberos_keytab, nginx_config, country,
     else:
         click.echo("CA configuration files are saved to: {}".format(directory))
-    click.echo("Generating 4096-bit RSA key...")
+    click.echo("Generating %d-bit RSA key..." % const.KEY_SIZE)
     key = rsa.generate_private_key(
         public_exponent=65537,
-        key_size=4096,
+        key_size=const.KEY_SIZE,
         backend=default_backend()
     )
@@ -1145,7 +1145,7 @@ def certidude_cron():
             click.echo("Moved %s to %s" % (path, expired_path))
 @click.command("serve", help="Run server")
-@click.option("-p", "--port", default=8080 if os.getuid() else 80, help="Listen port")
+@click.option("-p", "--port", default=80, help="Listen port")
 @click.option("-l", "--listen", default="0.0.0.0", help="Listen address")
 @click.option("-f", "--fork", default=False, is_flag=True, help="Fork to background")
 def certidude_serve(port, listen, fork):
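Review bot: Removing the `key_size` keyword from `generate_pkcs12_bundle` breaks any caller that still passes it (TypeError); none are visible in this diff, so grep for them or keep it as `key_size=None` and resolve `key_size = const.KEY_SIZE if key_size is None else key_size`. The removed lines show the old parameter was only echoed while the generator used a hard-coded 4096, so honouring it would be a fix rather than a behaviour change. The docstring should also say that the size is taken from `const.KEY_SIZE`. The function body continues past the hunk.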
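Review bot: With `default=80` unconditionally, `certidude serve` started by an unprivileged user now fails at bind time instead of falling back to 8080, and the following hunk drops the `os.getuid() == 0` guard around creating `const.RUN_DIR`, opening `/var/log/certidude.log` and looking up the `certidude` account, so the command effectively requires root without saying so. Either state that in the help text, `help="Listen port (80 requires root)"`, or fail early with a clear message at the top of `certidude_serve`, `if os.getuid(): raise click.ClickException("serve must be run as root")`. The function's body continues in the next hunk.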
@@ -1158,21 +1158,19 @@ def certidude_serve(port, listen, fork):
     from certidude import config
-    # Fetch UID, GID of certidude user
-    if os.getuid() == 0:
-        # Process directories
-        if not os.path.exists(const.RUN_DIR):
-            click.echo("Creating: %s" % const.RUN_DIR)
-            os.makedirs(const.RUN_DIR)
+    # Process directories
+    if not os.path.exists(const.RUN_DIR):
+        click.echo("Creating: %s" % const.RUN_DIR)
+        os.makedirs(const.RUN_DIR)
-        import pwd
-        _, _, uid, gid, gecos, root, shell = pwd.getpwnam("certidude")
-        restricted_groups = []
-        restricted_groups.append(gid)
-        from logging.handlers import RotatingFileHandler
-        rh = RotatingFileHandler("/var/log/certidude.log", maxBytes=1048576*5, backupCount=5)
-        rh.setFormatter(logging.Formatter("%(asctime)s - %(name)s - %(levelname)s - %(message)s"))
-        log_handlers.append(rh)
+    import pwd
+    _, _, uid, gid, gecos, root, shell = pwd.getpwnam("certidude")
+    restricted_groups = []
+    restricted_groups.append(gid)
+    from logging.handlers import RotatingFileHandler
+    rh = RotatingFileHandler("/var/log/certidude.log", maxBytes=1048576*5, backupCount=5)
+    rh.setFormatter(logging.Formatter("%(asctime)s - %(name)s - %(levelname)s - %(message)s"))
+    log_handlers.append(rh)
     """
diff --git a/certidude/const.py b/certidude/const.py
index 7a1977f..fd7e96c 100644
--- a/certidude/const.py
+++ b/certidude/const.py
@@ -4,6 +4,7 @@ import os
 import socket
 import sys
+KEY_SIZE = 1024 if os.getenv("TRAVIS") else 4096
 RUN_DIR = "/run/certidude"
 CONFIG_DIR = os.path.expanduser("~/.certidude") if os.getuid() else "/etc/certidude"
 CONFIG_PATH = os.path.join(CONFIG_DIR, "server.conf")
diff --git a/certidude/helpers.py b/certidude/helpers.py
index 0164215..7be007e 100644
--- a/certidude/helpers.py
+++ b/certidude/helpers.py
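Review bot: `pwd.getpwnam("certidude")` raises a bare KeyError when the system account does not exist, and now that it runs unconditionally every `serve` invocation on a host without that user dies with a traceback; wrap the lookup in `try:` … `except KeyError: raise click.ClickException("system user 'certidude' does not exist")`. `uid` is obtained but not used anywhere in the hunk and `restricted_groups` is only populated, while the trailing `"""` context line suggests the code that follows is disabled, so it is not visible whether privileges are actually dropped after the listening socket is bound; worth confirming, since the server otherwise keeps running as root with the CA key readable. The body of certidude_serve continues outside the hunk.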
@@ -134,10 +134,10 @@ def certidude_request_certificate(server, system_keytab_required, key_path, requ
     except EnvironmentError:
         # Construct private key
-        click.echo("Generating 4096-bit RSA key...")
+        click.echo("Generating %d-bit RSA key..." % const.KEY_SIZE)
         key = rsa.generate_private_key(
             public_exponent=65537,
-            key_size=4096,
+            key_size=const.KEY_SIZE,
             backend=default_backend()
         )
diff --git a/certidude/relational.py b/certidude/relational.py
index 274012d..ca60ae3 100644
--- a/certidude/relational.py
+++ b/certidude/relational.py
@@ -16,24 +16,11 @@ class RelationalMixin(object):
     def __init__(self, uri):
         self.uri = urlparse(uri)
-        if self.SQL_CREATE_TABLES and self.SQL_CREATE_TABLES not in SCRIPTS:
-            conn = self.sql_connect()
-            cur = conn.cursor()
-            with open(self.sql_resolve_script(self.SQL_CREATE_TABLES)) as fh:
-                click.echo("Executing: %s" % fh.name)
-                if self.uri.scheme == "sqlite":
-                    cur.executescript(fh.read())
-                else:
-                    cur.execute(fh.read(), multi=True)
-            conn.commit()
-            cur.close()
-            conn.close()
     def sql_connect(self):
         if self.uri.scheme == "mysql":
             import mysql.connector
-            return mysql.connector.connect(
+            conn = mysql.connector.connect(
                 user=self.uri.username,
                 password=self.uri.password,
                 host=self.uri.hostname,
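Review bot: `__init__` no longer touches the database, so a bad URI or an unreadable schema script is now detected on the first `sql_connect()` rather than at construction, and nothing in the class says so; a one-line comment after `self.uri = urlparse(uri)` would save the next reader a search, e.g. `# Schema creation is deferred to sql_connect(), guarded by the SCRIPTS cache`. SCRIPTS is referenced without `self`, so it is presumably module-level; if so the guard is process-wide, not per instance, and a second mixin instance pointing at a different database would never get its tables created. sql_connect continues in the next hunk.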
@@ -42,10 +29,21 @@ class RelationalMixin(object):
             if self.uri.netloc:
                 raise ValueError("Malformed database URI %s" % self.uri)
             import sqlite3
-            return sqlite3.connect(self.uri.path)
+            conn = sqlite3.connect(self.uri.path)
         else:
             raise NotImplementedError("Unsupported database scheme %s, currently only mysql://user:pass@host/database or sqlite:///path/to/database.sqlite is supported" % o.scheme)
+        if self.SQL_CREATE_TABLES and self.SQL_CREATE_TABLES not in SCRIPTS:
+            cur = conn.cursor()
+            buf, path = self.sql_load(self.SQL_CREATE_TABLES)
+            click.echo("Executing: %s" % path)
+            if self.uri.scheme == "sqlite":
+                cur.executescript(buf)
+            else:
+                cur.execute(buf, multi=True)
+            conn.commit()
+            cur.close()
+        return conn
     def sql_resolve_script(self, filename):
         return os.path.realpath(os.path.join(os.path.dirname(__file__),
@@ -59,16 +57,17 @@ class RelationalMixin(object):
         fh = open(self.sql_resolve_script(filename))
         click.echo("Caching SQL script: %s" % fh.name)
         buf = re.sub("\s*\n\s*", " ", fh.read())
-        SCRIPTS[filename] = buf
+        SCRIPTS[filename] = buf, fh.name
         fh.close()
-        return buf
+        return buf, fh.name
     def sql_execute(self, script, *args):
         conn = self.sql_connect()
         cursor = conn.cursor()
         click.echo("Executing %s with %s" % (script, args))
-        cursor.execute(self.sql_load(script), args)
+        buf, path = self.sql_load(script)
+        cursor.execute(buf, args)
         rowid = cursor.lastrowid
         conn.commit()
         cursor.close()
diff --git a/tests/test_cli.py b/tests/test_cli.py
index a2797b6..a0013e5 100644
--- a/tests/test_cli.py
+++ b/tests/test_cli.py
@@ -78,7 +78,7 @@ def test_cli_setup_authority():
     assert authority.ca_cert.not_valid_after > datetime.now() + timedelta(days=7000)
     # Start server before any signing operations are performed
-    result = runner.invoke(cli, ['serve', '-f'])
+    result = runner.invoke(cli, ['serve', '-f', '-p', '80', '-l', '127.0.1.1'])
     assert not result.exception, result.output
     import requests
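Review bot: `cur.execute(buf, multi=True)` on the MySQL path returns a lazy iterator in the mysql.connector versions I know, with statements executing only as it is consumed, and nothing consumes it, so the table-creation script may never run against MySQL (the removed `__init__` code had the same flaw, so this is carried over rather than introduced). Also `sql_load` stores the script in SCRIPTS before it is executed, so if execution raises, the `SQL_CREATE_TABLES not in SCRIPTS` check skips it on every later connect and `conn` is leaked. Consuming the iterator and closing plus un-caching on failure addresses both; the rewritten block is below. The mysql branch of sql_connect starts in the previous hunk.
```python
        if self.SQL_CREATE_TABLES and self.SQL_CREATE_TABLES not in SCRIPTS:
            try:
                cur = conn.cursor()
                buf, path = self.sql_load(self.SQL_CREATE_TABLES)
                click.echo("Executing: %s" % path)
                if self.uri.scheme == "sqlite":
                    cur.executescript(buf)
                else:
                    # multi=True returns a lazy iterator; statements only run as it is consumed
                    for _ in cur.execute(buf, multi=True):
                        pass
                conn.commit()
                cur.close()
            except Exception:
                # Do not leak the connection, and let the next connect retry the script
                SCRIPTS.pop(self.SQL_CREATE_TABLES, None)
                conn.close()
                raise
        return conn
```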
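Review bot: `path` from `buf, path = self.sql_load(script)` is unused in `sql_execute`; `buf, _ = self.sql_load(script)` says so explicitly. Changing the SCRIPTS cache values from a string to a `(buf, name)` tuple also changes what the cache-hit branch of `sql_load` (above this hunk, not visible) hands back, so confirm it returns the stored tuple rather than expecting the old string. sql_execute's body continues past the hunk.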