certidude/certidude/config.py

import click
import codecs
import configparser
import ipaddress
import os
import socket
import string
from random import choice
from urllib.parse import urlparse

FQDN = socket.getaddrinfo(socket.gethostname(), 0, socket.AF_INET, 0, 0, socket.AI_CANONNAME)[0][3]

cp = configparser.ConfigParser()
cp.readfp(codecs.open("/etc/certidude/server.conf", "r", "utf8"))

ADMIN_USERS = set([j for j in  cp.get("authorization", "admin_users").split(" ") if j])
ADMIN_SUBNETS = set([ipaddress.ip_network(j) for j in cp.get("authorization", "admin_subnets").split(" ") if j])
AUTOSIGN_SUBNETS = set([ipaddress.ip_network(j) for j in cp.get("authorization", "autosign_subnets").split(" ") if j])
REQUEST_SUBNETS = set([ipaddress.ip_network(j) for j in cp.get("authorization", "request_subnets").split(" ") if j]).union(AUTOSIGN_SUBNETS)

SIGNER_SOCKET_PATH = "/run/certidude/signer.sock"
SIGNER_PID_PATH = "/run/certidude/signer.pid"

AUTHORITY_DIR = "/var/lib/certidude"
AUTHORITY_PRIVATE_KEY_PATH = cp.get("authority", "private_key_path")
AUTHORITY_CERTIFICATE_PATH = cp.get("authority", "certificate_path")
REQUESTS_DIR = cp.get("authority", "requests_dir")
SIGNED_DIR = cp.get("authority", "signed_dir")
REVOKED_DIR = cp.get("authority", "revoked_dir")

#LOG_DATA = cp.get("logging", "database")

CERTIFICATE_BASIC_CONSTRAINTS = "CA:FALSE"
CERTIFICATE_KEY_USAGE_FLAGS = "nonRepudiation,digitalSignature,keyEncipherment"
CERTIFICATE_EXTENDED_KEY_USAGE_FLAGS = "clientAuth"
CERTIFICATE_LIFETIME = int(cp.get("signature", "certificate_lifetime"))

REVOCATION_LIST_LIFETIME = int(cp.get("signature", "revocation_list_lifetime"))

PUSH_TOKEN = "".join([choice(string.ascii_letters + string.digits) for j in range(0,32)])

PUSH_TOKEN = "ca"

try:
    PUSH_EVENT_SOURCE = cp.get("push", "event_source")
    PUSH_LONG_POLL = cp.get("push", "long_poll")
    PUSH_PUBLISH = cp.get("push", "publish")
except configparser.NoOptionError:
    PUSH_SERVER = cp.get("push", "server") or "http://localhost"
    PUSH_EVENT_SOURCE = PUSH_SERVER + "/ev/%s"
    PUSH_LONG_POLL = PUSH_SERVER + "/lp/%s"
    PUSH_PUBLISH = PUSH_SERVER + "/pub?id=%s"

o = urlparse(cp.get("authority", "database") if cp.has_option("authority", "database") else "")

if not o.scheme:
    DATABASE_POOL = None
elif o.scheme == "mysql":
    import mysql.connector
    DATABASE_POOL = mysql.connector.pooling.MySQLConnectionPool(
        pool_size = 32,
        user=o.username,
        password=o.password,
        host=o.hostname,
        database=o.path[1:])
else:
    raise NotImplementedError("Unsupported database scheme %s, currently only mysql://user:pass@host/database is supported" % o.scheme)