From 44b6f13669e8d33526b46c81b821739d4b771773 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lauri=20V=C3=B5sandi?= Date: Sun, 26 Mar 2017 20:44:47 +0000 Subject: [PATCH 1/8] Use random serial for CA certificate --- certidude/cli.py | 5 ++++- tests/test_cli.py | 3 ++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/certidude/cli.py b/certidude/cli.py index 2062287..aa0fc9d 100755 --- a/certidude/cli.py +++ b/certidude/cli.py @@ -862,7 +862,10 @@ def certidude_setup_authority(username, kerberos_keytab, nginx_config, country, ).not_valid_before(datetime.utcnow() ).not_valid_after( datetime.utcnow() + timedelta(days=authority_lifetime) - ).serial_number(1 + ).serial_number( + random.randint( + 0x100000000000000000000000000000000000000, + 0xfffffffffffffffffffffffffffffffffffffff) ).add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True, ).add_extension(x509.KeyUsage( digital_signature=server_flags, diff --git a/tests/test_cli.py b/tests/test_cli.py index d979db5..5481029 100644 --- a/tests/test_cli.py +++ b/tests/test_cli.py @@ -13,7 +13,8 @@ def test_cli_setup_authority(): from certidude import const, config from certidude import authority - assert authority.ca_cert.serial_number == 1 + assert authority.ca_cert.serial_number >= 0x100000000000000000000000000000000000000 + assert authority.ca_cert.serial_number <= 0xfffffffffffffffffffffffffffffffffffffff assert authority.ca_cert.not_valid_before < datetime.now() assert authority.ca_cert.not_valid_after > datetime.now() + timedelta(days=7000) From e3690bedf209809c8687c90cfa14d38a23392a48 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lauri=20V=C3=B5sandi?= Date: Sun, 26 Mar 2017 20:45:08 +0000 Subject: [PATCH 2/8] Another attempt to increase code coverage --- tests/test_cli.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tests/test_cli.py b/tests/test_cli.py index 5481029..4e756f0 100644 --- a/tests/test_cli.py +++ b/tests/test_cli.py 
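Review bot: The serial number added in the `certidude_setup_authority` hunk is drawn with `random.randint`, which is the Mersenne Twister PRNG rather than a cryptographic source, so CA serials become predictable to anyone who can observe other outputs of the same generator, while a certificate serial is expected to carry unpredictable entropy. The cryptography package already in scope here as `x509` provides `x509.random_serial_number()`, which returns a CSPRNG-backed value that fits the 20-octet limit, so the five added lines can collapse to `).serial_number(x509.random_serial_number()`; if the pinned cryptography version predates that helper, `random.SystemRandom().randint(...)` with the same two bounds is the Python 2.7-compatible fallback (the chosen bounds themselves stay below the 159-bit ceiling). Whichever is used, confirm `random` is actually imported at the top of cli.py, which is not visible in this hunk. certidude_setup_authority starts and ends outside the hunk.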
@@ -45,3 +45,6 @@ def test_cli_setup_authority(): authority.generate_ovpn_bundle(u"test2") authority.generate_pkcs12_bundle(u"test3") + + result = runner.invoke(cli, ['list', '-srv']) + assert not result.exception From d5dcadc34696777033de2dcea4c50f83b82764a7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lauri=20V=C3=B5sandi?= Date: Sun, 26 Mar 2017 20:47:45 +0000 Subject: [PATCH 3/8] Remove dependency on pycountries --- certidude/cli.py | 1 - 1 file changed, 1 deletion(-) diff --git a/certidude/cli.py b/certidude/cli.py index aa0fc9d..69c1c2a 100755 --- a/certidude/cli.py +++ b/certidude/cli.py @@ -958,7 +958,6 @@ def certidude_list(verbose, show_key_type, show_extensions, show_path, show_sign # r - revoked from certidude import authority - from pycountry import countries def dump_common(common_name, path, cert): click.echo("certidude revoke %s" % common_name) From db3b89c71fca86d63256b176bfb0f4a64772d441 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lauri=20V=C3=B5sandi?= Date: Sun, 26 Mar 2017 21:15:48 +0000 Subject: [PATCH 4/8] Switch to Ubuntu 16.04 for Travis --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 8bb99f4..b04156b 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,6 +1,6 @@ sudo: false language: python -dist: trusty +dist: xenial python: - "2.7" after_success: From 25965430250faf28f899197496782ea800cb64bc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lauri=20V=C3=B5sandi?= Date: Sun, 26 Mar 2017 21:16:01 +0000 Subject: [PATCH 5/8] More code coverage --- tests/test_cli.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tests/test_cli.py b/tests/test_cli.py index 4e756f0..dcbd117 100644 --- a/tests/test_cli.py +++ b/tests/test_cli.py 
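Review bot: `assert not result.exception` hides why a command failed: when it trips, pytest shows only the exception object, and for a click command the usual failure shape is a `SystemExit` from a non-zero exit code, with the real diagnostic sitting in the captured output. Prefer `assert result.exit_code == 0, result.output` for the `list -srv` invocation added here; the same applies to the `list -srv` and `cron` invocations that patch 5 adds to this test. test_cli_setup_authority starts outside this hunk.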
@@ -37,6 +37,9 @@ def test_cli_setup_authority(): authority.store_request( csr.sign(key, hashes.SHA256(), default_backend()).public_bytes(serialization.Encoding.PEM)) + result = runner.invoke(cli, ['list', '-srv']) + assert not result.exception + result = runner.invoke(cli, ['sign', 'test', '-o']) assert not result.exception @@ -48,3 +51,6 @@ def test_cli_setup_authority(): result = runner.invoke(cli, ['list', '-srv']) assert not result.exception + + result = runner.invoke(cli, ['cron']) + assert not result.exception From e506ea61be4b3776337c17ff6463e1551789ae26 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lauri=20V=C3=B5sandi?= Date: Sun, 26 Mar 2017 21:20:03 +0000 Subject: [PATCH 6/8] Revert back to trusty for Travis, xattr package broken in xenial --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index b04156b..8bb99f4 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,6 +1,6 @@ sudo: false language: python -dist: xenial +dist: trusty python: - "2.7" after_success: From 5c6097cc40cadee0107aa354344e1a0fe4394185 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lauri=20V=C3=B5sandi?= Date: Tue, 28 Mar 2017 12:24:51 +0300 Subject: [PATCH 7/8] Fix CSR listing command --- certidude/cli.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/certidude/cli.py b/certidude/cli.py index 69c1c2a..c0f04e6 100755 --- a/certidude/cli.py +++ b/certidude/cli.py @@ -981,7 +981,7 @@ def certidude_list(verbose, show_key_type, show_extensions, show_path, show_sign click.echo("=" * len(common_name)) click.echo("State: ? " + click.style("submitted", fg="yellow") + " " + naturaltime(created) + click.style(", %s" %created, fg="white")) click.echo("openssl req -in %s -text -noout" % path) - dump_common(common_name, path, cert) + dump_common(common_name, path, csr) if show_signed: From 90b663ce26a76120d550df6bbb996ed5f43ad0d6 Mon Sep 17 00:00:00 2001 
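Review bot: In the CSR-listing hunk, passing `csr` instead of `cert` fixes what was presumably a NameError or a stale value from an enclosing loop, but `dump_common` is shared with signed certificates and, per the context visible in the pycountry hunk of patch 3, begins by echoing `certidude revoke %s` — a hint that has no meaning for a request that has not been signed. Consider a keyword such as `dump_common(common_name, path, csr, signed=False)` that suppresses the revoke line, or print the request-specific hints inline in this branch. Only the first line of dump_common is visible across these patches, so the rest of its output for a CSR should be checked too; certidude_list starts and ends outside this hunk.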
From: =?UTF-8?q?Lauri=20V=C3=B5sandi?= Date: Tue, 4 Apr 2017 05:02:08 +0000 Subject: [PATCH 8/8] Add file based rotating log handler --- certidude/api/__init__.py | 2 +- certidude/api/attrib.py | 2 +- certidude/api/bundle.py | 2 +- certidude/api/cfg.py | 3 +-- certidude/api/lease.py | 3 +++ certidude/api/request.py | 2 +- certidude/api/revoked.py | 2 +- certidude/api/signed.py | 2 +- certidude/api/tag.py | 2 +- certidude/cli.py | 24 +++++++++++++++--------- 10 files changed, 26 insertions(+), 18 deletions(-) diff --git a/certidude/api/__init__.py b/certidude/api/__init__.py index 007ada5..3d3bc0d 100644 --- a/certidude/api/__init__.py +++ b/certidude/api/__init__.py @@ -16,7 +16,7 @@ from certidude.decorators import serialize, event_source, csrf_protection from cryptography.x509.oid import NameOID from certidude import const, config -logger = logging.getLogger("api") +logger = logging.getLogger(__name__) class CertificateStatusResource(object): """ diff --git a/certidude/api/attrib.py b/certidude/api/attrib.py index 46c4040..9186a5d 100644 --- a/certidude/api/attrib.py +++ b/certidude/api/attrib.py @@ -7,7 +7,7 @@ from datetime import datetime from certidude import config, authority from certidude.decorators import serialize -logger = logging.getLogger("api") +logger = logging.getLogger(__name__) class AttributeResource(object): @serialize diff --git a/certidude/api/bundle.py b/certidude/api/bundle.py index 8f76baa..db0a35f 100644 --- a/certidude/api/bundle.py +++ b/certidude/api/bundle.py @@ -3,7 +3,7 @@ import hashlib from certidude import config, authority from certidude.auth import login_required -logger = logging.getLogger("api") +logger = logging.getLogger(__name__) KEYWORDS = ( (u"Android", u"android"), diff --git a/certidude/api/cfg.py b/certidude/api/cfg.py index 7db0e01..092e265 100644 --- a/certidude/api/cfg.py +++ b/certidude/api/cfg.py 
@@ -9,8 +9,7 @@ from certidude.decorators import serialize from certidude.relational import RelationalMixin from jinja2 import Environment, FileSystemLoader -logger = logging.getLogger("api") - +logger = logging.getLogger(__name__) env = Environment(loader=FileSystemLoader("/etc/certidude/scripts"), trim_blocks=True) SQL_SELECT_INHERITED = """ diff --git a/certidude/api/lease.py b/certidude/api/lease.py index d27564e..8485cec 100644 --- a/certidude/api/lease.py +++ b/certidude/api/lease.py @@ -1,5 +1,6 @@ import click +import logging import xattr from datetime import datetime from pyasn1.codec.der import decoder @@ -7,6 +8,8 @@ from certidude import config, authority, push from certidude.auth import login_required, authorize_admin from certidude.decorators import serialize +logger = logging.getLogger(__name__) + # TODO: lease namespacing (?) class LeaseDetailResource(object): diff --git a/certidude/api/request.py b/certidude/api/request.py index 81c1d5b..7ba8f55 100644 --- a/certidude/api/request.py +++ b/certidude/api/request.py @@ -19,7 +19,7 @@ from cryptography.exceptions import InvalidSignature from cryptography.x509.oid import NameOID from datetime import datetime -logger = logging.getLogger("api") +logger = logging.getLogger(__name__) class RequestListResource(object): @login_optional diff --git a/certidude/api/revoked.py b/certidude/api/revoked.py index d05d310..74b715a 100644 --- a/certidude/api/revoked.py +++ b/certidude/api/revoked.py @@ -9,7 +9,7 @@ from cryptography import x509 from cryptography.hazmat.backends import default_backend from cryptography.hazmat.primitives.serialization import Encoding -logger = logging.getLogger("api") +logger = logging.getLogger(__name__) class RevocationListResource(object): def on_get(self, req, resp): diff --git a/certidude/api/signed.py b/certidude/api/signed.py index 02bfa41..ae185a1 100644 --- a/certidude/api/signed.py +++ b/certidude/api/signed.py 
@@ -7,7 +7,7 @@ from certidude import authority from certidude.auth import login_required, authorize_admin from certidude.decorators import csrf_protection -logger = logging.getLogger("api") +logger = logging.getLogger(__name__) class SignedCertificateDetailResource(object): def on_get(self, req, resp, cn): diff --git a/certidude/api/tag.py b/certidude/api/tag.py index 8175207..4887494 100644 --- a/certidude/api/tag.py +++ b/certidude/api/tag.py @@ -5,7 +5,7 @@ from certidude import authority, push from certidude.auth import login_required, authorize_admin from certidude.decorators import serialize, csrf_protection -logger = logging.getLogger("api") +logger = logging.getLogger(__name__) class TagResource(object): @serialize diff --git a/certidude/cli.py b/certidude/cli.py index 69c1c2a..af12737 100755 --- a/certidude/cli.py +++ b/certidude/cli.py @@ -28,6 +28,7 @@ from jinja2 import Environment, PackageLoader from setproctitle import setproctitle import const +logger = logging.getLogger(__name__) env = Environment(loader=PackageLoader("certidude", "templates"), trim_blocks=True) # http://www.mad-hacking.net/documentation/linux/security/ssl-tls/creating-ca.xml @@ -1062,6 +1063,7 @@ def certidude_serve(port, listen, fork): from certidude import const click.echo("Using configuration from: %s" % const.CONFIG_PATH) + log_handlers = [] from certidude import config @@ -1071,6 +1073,11 @@ def certidude_serve(port, listen, fork): _, _, uid, gid, gecos, root, shell = pwd.getpwnam("certidude") restricted_groups = [] restricted_groups.append(gid) + from logging.handlers import RotatingFileHandler + rh = RotatingFileHandler("/var/log/certidude.log", maxBytes=1048576*5, backupCount=5) + rh.setFormatter(logging.Formatter("%(asctime)s - %(name)s - %(levelname)s - %(message)s")) + log_handlers.append(rh) + """ Spawn signer process 
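Review bot: The RotatingFileHandler for `/var/log/certidude.log` is opened in the block that resolves the `certidude` account's `uid`/`gid`; if the server later switches to that uid (the `restricted_groups` context suggests so, though the switch itself is outside this hunk), the log file and `/var/log` stay root-owned, so `doRollover`'s rename-and-reopen after 5 MiB fails and `logging` only reports it through `handleError` on stderr, silently ending the audit trail. Either `os.chown` the file to `uid`/`gid` with a restrictive mode (`0o640`) right after creating the handler, or log into a directory owned by the service account, and read the path and size from `config` next to `LOGGING_BACKEND` instead of hard-coding them. The handler is also created before the signer process is spawned and before `os.fork()`; two processes rotating the same file is a known hazard with this handler class, so confirm only the serving process keeps it. certidude_serve starts and ends outside this hunk.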
@@ -1169,8 +1176,6 @@ def certidude_serve(port, listen, fork): # Set up log handlers - log_handlers = [] - if config.LOGGING_BACKEND == "sql": from certidude.mysqllog import LogHandler from certidude.api.log import LogResource @@ -1188,18 +1193,19 @@ def certidude_serve(port, listen, fork): from certidude.push import EventSourceLogHandler log_handlers.append(EventSourceLogHandler()) - for facility in "api", "cli": - logger = logging.getLogger(facility) - logger.setLevel(logging.DEBUG) - for handler in log_handlers: - logger.addHandler(handler) + for j in logging.Logger.manager.loggerDict.values(): + if isinstance(j, logging.Logger): # PlaceHolder is what? + if j.name.startswith("certidude."): + j.setLevel(logging.DEBUG) + for handler in log_handlers: + j.addHandler(handler) def exit_handler(): - logging.getLogger("cli").debug("Shutting down Certidude") + logger.debug("Shutting down Certidude") import atexit atexit.register(exit_handler) - logging.getLogger("cli").debug("Started Certidude at %s", const.FQDN) + logger.debug("Started Certidude at %s", const.FQDN) if not fork or not os.fork(): httpd.serve_forever()
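Review bot: Attaching every handler to each `certidude.*` logger found in `loggerDict` produces duplicate records: `certidude/api/__init__.py` now creates a `certidude.api` logger in the first hunk of this patch, so once the API package is imported a record from, say, `certidude.api.tag` is handled on that logger and then, with `propagate` at its default, again on `certidude.api` — every line lands twice in the file, the SQL backend and the event source. The loop also sees only loggers that already exist when `certidude_serve` reaches this point, so a module imported lazily afterwards gets no handler at all. Configuring the package logger once and relying on propagation fixes both and removes the `# PlaceHolder is what?` comment (a `PlaceHolder` is the stub `logging` keeps for a dotted parent name nobody has requested yet). certidude_serve starts outside this hunk.
```python
# … unchanged: LOGGING_BACKEND handler construction …
pkg_logger = logging.getLogger("certidude")
pkg_logger.setLevel(logging.DEBUG)
for handler in log_handlers:
    pkg_logger.addHandler(handler)
# … unchanged: exit_handler, atexit registration, serve_forever …
```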