From c379412483d1ba5ad49a44e3800b92ee3750d568 Mon Sep 17 00:00:00 2001 From: Alain Takoudjou <alain.takoudjou@nexedi.com> Date: Thu, 11 May 2017 18:42:50 +0200 Subject: [PATCH] certificate authority: move instance.cfg from sr to the stack certificate-authority software release and stack was renamed to caucase --- software/caucase/software.cfg | 10 + .../certificate-authority/instance.cfg.in | 15 -- software/certificate-authority/software.cfg | 21 -- .../buildout.cfg | 33 ++- .../buildout.hash.cfg | 10 +- .../ca-nginx.conf.in | 0 .../instance-auth-server.cfg.jinja2.in | 0 .../instance-caucase.cfg.jinja2.in} | 189 ++++++++---------- stack/caucase/instance.cfg.in | 43 ++++ .../template-httpd-auth.conf.in | 0 10 files changed, 164 insertions(+), 157 deletions(-) create mode 100644 software/caucase/software.cfg delete mode 100644 software/certificate-authority/instance.cfg.in delete mode 100644 software/certificate-authority/software.cfg rename stack/{certificate-authority => caucase}/buildout.cfg (79%) rename stack/{certificate-authority => caucase}/buildout.hash.cfg (84%) rename stack/{certificate-authority => caucase}/ca-nginx.conf.in (100%) rename stack/{certificate-authority => caucase}/instance-auth-server.cfg.jinja2.in (100%) rename stack/{certificate-authority/instance-certificate-authority.cfg.jinja2.in => caucase/instance-caucase.cfg.jinja2.in} (51%) create mode 100644 stack/caucase/instance.cfg.in rename stack/{certificate-authority => caucase}/template-httpd-auth.conf.in (100%) diff --git a/software/caucase/software.cfg b/software/caucase/software.cfg new file mode 100644 index 000000000..693d55736 --- /dev/null +++ b/software/caucase/software.cfg @@ -0,0 +1,10 @@ +[buildout] +extends = + ../../stack/caucase/buildout.cfg + ../../stack/slapos.cfg + +parts = + slapos-cookbook + extra-eggs + instance-caucase + 
diff --git a/software/certificate-authority/instance.cfg.in b/software/certificate-authority/instance.cfg.in deleted file mode 100644 index 2b7ec1336..000000000 --- a/software/certificate-authority/instance.cfg.in +++ /dev/null @@ -1,15 +0,0 @@ -[buildout] -parts = - publish-connection-parameter -extends = - {{ certificate_authority_template }} - - -eggs-directory = {{ eggs_directory }} -develop-eggs-directory = {{ develop_eggs_directory }} -offline = true - -[publish-connection-parameter] -recipe = slapos.cookbook:publish.serialised -http-url = ${certificate-authority-server:insecure-url} -https-url = ${certificate-authority-server:url} \ No newline at end of file diff --git a/software/certificate-authority/software.cfg b/software/certificate-authority/software.cfg deleted file mode 100644 index 85cdac1b0..000000000 --- a/software/certificate-authority/software.cfg +++ /dev/null @@ -1,21 +0,0 @@ -[buildout] -extends = - ../../stack/certificate-authority/buildout.cfg - ../../stack/slapos.cfg - -parts = - slapos-cookbook - extra-eggs - template - -[template] -recipe = slapos.recipe.template:jinja2 -template = ${:_profile_base_location_}/instance.cfg.in -rendered = ${buildout:directory}/template.cfg -mode = 0644 -md5sum = c61a8f951e99002753c3a53d0a18b16d -context = - key bin_directory buildout:bin-directory - key develop_eggs_directory buildout:develop-eggs-directory - key eggs_directory buildout:eggs-directory - key certificate_authority_template template-certificate-authority:rendered diff --git a/stack/certificate-authority/buildout.cfg b/stack/caucase/buildout.cfg similarity index 79% rename from stack/certificate-authority/buildout.cfg rename to stack/caucase/buildout.cfg index 69760a539..ed244924a 100644 --- a/stack/certificate-authority/buildout.cfg +++ b/stack/caucase/buildout.cfg 
@@ -7,11 +7,12 @@ extends = ../../component/curl/buildout.cfg ../../component/dash/buildout.cfg ../../component/openssl/buildout.cfg + ../../component/bcrypt/buildout.cfg ../../stack/logrotate/buildout.cfg parts = - template-logrotate-base + instance-caucase [extra-eggs] recipe = zc.recipe.egg @@ -20,9 +21,17 @@ eggs = gunicorn # for WSGI HTTP Server futures caucase # certificate authority + ${bcrypt:egg} # are also required plone.recipe.command collective.recipe.template + slapos.toolbox +scripts = + slapos-kill + gunicorn + caucase + caucase-cli + caucase-cliweb [template-ca-download-base] recipe = hexagonit.recipe.download @@ -37,6 +46,10 @@ mode = 0644 [template-nginx-ca-conf] <= template-ca-download-base +[template-caucase] +<= template-ca-download-base +url = ${:_profile_base_location_}/${:filename} + [template-authenticated-server] recipe = slapos.recipe.template:jinja2 template = ${:_profile_base_location_}/${:filename} @@ -44,7 +57,7 @@ rendered = ${buildout:directory}/template-authenticated-server.cfg context = key apache_location apache:location key template_logrotate_base template-logrotate-base:rendered - raw certificate_request_bin ${buildout:directory}/bin/ca-cliweb + raw certificate_request_bin ${buildout:directory}/bin/caucase-cliweb raw curl_executable_location ${curl:location}/bin/curl raw dash_executable_location ${dash:location}/bin/dash raw slapos_kill_bin ${buildout:directory}/bin/slapos-kill 
@@ -52,16 +65,19 @@ context = raw openssl_executable_location ${openssl:location}/bin/openssl raw python_bin ${buildout:directory}/bin/${extra-eggs:interpreter} -[template-certificate-authority] +[instance-caucase] recipe = slapos.recipe.template:jinja2 template = ${:_profile_base_location_}/${:filename} -rendered = ${buildout:directory}/template-certificate-authority.cfg +rendered = ${buildout:directory}/template.cfg context = - key ngix_location nginx:location + key develop_eggs_directory buildout:develop-eggs-directory + key eggs_directory buildout:eggs-directory + key nginx_location nginx:location key template_logrotate_base template-logrotate-base:rendered + raw caucase_template ${template-caucase:location}/${template-caucase:filename} raw curl_executable_location ${curl:location}/bin/curl - raw certificate_authority_bin ${buildout:directory}/bin/ca-bin - raw certificate_request_bin ${buildout:directory}/bin/ca-cliweb + raw caucase_bin ${buildout:directory}/bin/caucase + raw certificate_request_bin ${buildout:directory}/bin/caucase-cliweb raw template_nginx_ca_conf ${template-nginx-ca-conf:location}/${template-nginx-ca-conf:filename} raw dash_executable_location ${dash:location}/bin/dash raw slapos_kill_bin ${buildout:directory}/bin/slapos-kill @@ -69,10 +85,11 @@ context = raw openssl_executable_location ${openssl:location}/bin/openssl raw python_bin ${buildout:directory}/bin/${extra-eggs:interpreter} + [versions] Flask-User = 0.6.11 SQLAlchemy = 1.1.9 -caucase = 0.1.1 +caucase = 0.1.2 futures = 3.1.1 gunicorn = 19.7.1 slapos.recipe.template = 2.10 diff --git a/stack/certificate-authority/buildout.hash.cfg b/stack/caucase/buildout.hash.cfg similarity index 84% rename from stack/certificate-authority/buildout.hash.cfg rename to stack/caucase/buildout.hash.cfg index ead4421f5..c7bc0848f 100644 --- a/stack/certificate-authority/buildout.hash.cfg +++ b/stack/caucase/buildout.hash.cfg 
@@ -26,6 +26,10 @@ md5sum = d8bebf1629aacffd619541f363687b4a filename = instance-auth-server.cfg.jinja2.in md5sum = a317d2f948cd3d16c860d05cc07ecf42 -[template-certificate-authority] -filename = instance-certificate-authority.cfg.jinja2.in -md5sum = 5ed16bcece904dd4527210c7453c84ca +[template-caucase] +filename = instance-caucase.cfg.jinja2.in +md5sum = b801dfe4212ff97dc29191e4610df3a3 + +[instance-caucase] +filename = instance.cfg.in +md5sum = eb9d2ab646717d123b0472da5194d77f diff --git a/stack/certificate-authority/ca-nginx.conf.in b/stack/caucase/ca-nginx.conf.in similarity index 100% rename from stack/certificate-authority/ca-nginx.conf.in rename to stack/caucase/ca-nginx.conf.in diff --git a/stack/certificate-authority/instance-auth-server.cfg.jinja2.in b/stack/caucase/instance-auth-server.cfg.jinja2.in similarity index 100% rename from stack/certificate-authority/instance-auth-server.cfg.jinja2.in rename to stack/caucase/instance-auth-server.cfg.jinja2.in diff --git a/stack/certificate-authority/instance-certificate-authority.cfg.jinja2.in b/stack/caucase/instance-caucase.cfg.jinja2.in similarity index 51% rename from stack/certificate-authority/instance-certificate-authority.cfg.jinja2.in rename to stack/caucase/instance-caucase.cfg.jinja2.in index 7d4e75177..33251ef58 100644 --- a/stack/certificate-authority/instance-certificate-authority.cfg.jinja2.in +++ b/stack/caucase/instance-caucase.cfg.jinja2.in 
@@ -1,18 +1,29 @@ -[buildout] - -extends = - {{ template_logrotate_base }} - -parts = - certificate-authority - certificate-authority-server - -[certificate-authority-parameters] -server-port = ${slap-configuration:configuration.ca-server-port} -server-https-port = ${slap-configuration:configuration.ca-server-https-port} +{% set part_list = [] -%} +{% set ipv6 = (ipv6 | list)[0] -%} +{% set default_subject = '/C=FR/O=Company/CN=SlapOS Certificate Authority/emailAddress=xx@example.com' -%} +{% if slapparameter_dict is not defined -%} +{% set slapparameter_dict = {} -%} +{% endif -%} + +[ca-parameters] +server-port = {{ slapparameter_dict.get('server-port', 8009) }} +server-https-port = {{ slapparameter_dict.get('server-https-port', 8010) }} +ipv6 = {{ ipv6 }} # Overrite this to set frontend or DNS URL (URL is used as CRL distribution point) # Please set http not HTTPS scheme -crl-external-url = http://[${slap-configuration:ipv6-random}]:${:server-port} +crl-external-url = {{ slapparameter_dict.get('external-url', 'http://[${:ipv6}]:${:server-port}') }} +# /CN=XXX is required and should be unique +ca-subject = {{ slapparameter_dict.get('ca-subject', default_subject) }} +# Number of pending csr to accept +max-request-amount = {{ slapparameter_dict.get('max-request-amount', 10) }} +# one year (in seconds) +crt-life-time = {{ slapparameter_dict.get('crt-life-time', 31536000) }} +# crl-life-period correspond to about one week +crl-life-period = {{ slapparameter_dict.get('crl-life-period', 0.02) }} +# ca-life-period = ca-life-period * crt-life-time +ca-life-period = {{ slapparameter_dict.get('ca-life-period', 10) }} +# time before clean certificate on CA: 60*24*60*60 +crt-keep-time = {{ slapparameter_dict.get('crt-keep-time', 5184000) }} [directory] recipe = slapos.cookbook:mkdirectory 
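Review bot: The options read from `slapparameter_dict` in [ca-parameters] — `server-port`, `server-https-port`, `ca-subject`, `external-url` and the lifetime numbers — are interpolated into the rendered buildout profile and from there into ca.conf with no type or format check, so a non-numeric port, or a subject containing a newline, only surfaces when buildout parses the rendered profile or when caucase reads its configuration, if at all. Documenting the accepted keys and their expected types once in this section, and rejecting values that are not a plain integer (ports, amounts, lifetimes) or a single-line subject, would turn those late failures into a clear render-time error. `{% set ipv6 = (ipv6 | list)[0] -%}` raises an IndexError at render time when the partition exposes no IPv6 address; if that is intended, a comment such as `{# a partition IPv6 address is mandatory: the CA listens on it #}` would say so. The new comment `# ca-life-period = ca-life-period * crt-life-time` is tautological; the same setting is documented as `# ca-life-time = ca-life-period * crt-life-time` in [caucase-conf] further down this file, and this copy should match it.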
@@ -34,26 +45,6 @@ fastcgi-temp-path = ${:ca-temp}/fastcgi_temp_path uwsgi-temp-path = ${:ca-temp}/uwsgi_temp_path scgi-temp-path = ${:ca-temp}/scgi_temp_path -[ca-directory] -recipe = slapos.cookbook:mkdirectory -root = ${directory:srv}/ssl -requests = ${:root}/requests -private = ${:root}/private -certs = ${:root}/certs -newcerts = ${:root}/newcerts -crl = ${:root}/crl - -[certificate-authority] -recipe = slapos.cookbook:certificate_authority -openssl-binary = {{ openssl_executable_location }} -ca-dir = ${ca-directory:root} -requests-directory = ${ca-directory:requests} -wrapper = ${directory:services}/certificate_authority -ca-private = ${ca-directory:private} -ca-certs = ${ca-directory:certs} -ca-newcerts = ${ca-directory:newcerts} -ca-crl = ${ca-directory:crl} - [nginx-certificate-request-base] recipe = slapos.cookbook:wrapper wrapper-path = ${directory:bin}/request-base-certificate @@ -64,7 +55,7 @@ parameters-extra = true command-line = {{ certificate_request_bin }} --crt-file ${:cert-file} --key-file ${:key-file} - --ca-url http://[${slap-configuration:ipv6-random}]:${certificate-authority-parameters:server-port} + --ca-url http://[${ca-parameters:ipv6}]:${ca-parameters:server-port} --ca-crt-file ${:ca-cert} [nginx-certificate-request] 
@@ -100,22 +91,22 @@ cert = key = [ca-nginx-conf-parameter] -ip = ${slap-configuration:ipv6-random} -port = ${certificate-authority-parameters:server-port} -https-port = ${certificate-authority-parameters:server-https-port} +ip = ${ca-parameters:ipv6} +port = ${ca-parameters:server-port} +https-port = ${ca-parameters:server-https-port} pid-file = ${directory:run}/nginx-ca.pid access-log = ${directory:log}/nginx-ca-access.log error-log = ${directory:log}/nginx-ca-error.log cert-file = ${ca-nginx-ssl:cert} key-file = ${ca-nginx-ssl:key} -ca-conf = ${certificate-authority-conf:output} +ca-conf = ${caucase-conf:output} workers-processes = 1 client-body-temp-path = ${directory:client-body-temp-path} proxy-temp-path = ${directory:proxy-temp-path} fastcgi-temp-path = ${directory:fastcgi-temp-path} uwsgi-temp-path = ${directory:uwsgi-temp-path} scgi-temp-path = ${directory:scgi-temp-path} -socket = ${certificate-authority-gunicorn:socket} +socket = ${caucase-gunicorn:socket} [ca-nginx-conf] recipe = slapos.recipe.template:jinja2 @@ -125,7 +116,7 @@ mode = 0700 context = section parameter_dict ca-nginx-conf-parameter -[certificate-authority-conf] +[caucase-conf] recipe = collective.recipe.template # Values here are intended to be changed in your instance. override this section input = inline: 
@@ -133,17 +124,17 @@ input = inline: # enable debug # debug # log-file ${directory:log}/ca-server.log - subject ${slap-configuration:configuration.ca-subject} - max-request-amount ${slap-configuration:configuration.max-request-amount} - external-url ${certificate-authority-parameters:crl-external-url} + subject ${ca-parameters:ca-subject} + max-request-amount ${ca-parameters:max-request-amount} + external-url ${ca-parameters:crl-external-url} # one year (in seconds) - crt-life-time ${slap-configuration:configuration.crt-life-time} + crt-life-time ${ca-parameters:crt-life-time} # crl-life-period correspond to about one week - crl-life-period ${slap-configuration:configuration.crl-life-period} + crl-life-period ${ca-parameters:crl-life-period} # ca-life-time = ca-life-period * crt-life-time - ca-life-period ${slap-configuration:configuration.ca-life-period} + ca-life-period ${ca-parameters:ca-life-period} # time before clean certificate on CA: 60*24*60*60 - crt-keep-time ${slap-configuration:configuration.crt-keep-time} + crt-keep-time ${ca-parameters:crt-keep-time} output = ${directory:etc}/ca.conf mode = 700 
@@ -151,105 +142,83 @@ mode = 700 [ca-nginx-graceful] recipe = collective.recipe.template input = inline:#!{{ dash_executable_location }} - kill -HUP $(cat ${ca-nginx-conf-parameter:pid-file}) + kill -HUP "$(cat '${ca-nginx-conf-parameter:pid-file}')" output = ${directory:scripts}/ca-server-graceful mode = 700 -[certificate-authority-gunicorn] +[caucase-gunicorn] recipe = slapos.cookbook:wrapper socket = ${directory:ca-dir}/ca.flaskserver.sock -command-line = {{ gunicorn_bin }} caucase.wsgi:app -b unix:${:socket} -e CA_CONFIGURATION_FILE=${certificate-authority-conf:output} --error-logfile ${:log-file} --pid ${:pid-file} --capture-output --timeout 60 --threads 2 --log-level error --preload +command-line = {{ gunicorn_bin }} caucase.wsgi:app -b unix:${:socket} -e CA_CONFIGURATION_FILE=${caucase-conf:output} --error-logfile ${:log-file} --pid ${:pid-file} --capture-output --timeout 60 --threads 2 --log-level error --preload log-file = ${directory:log}/ca-gunicorn-error.log pid-file = ${directory:run}/ca-gunicorn.pid wrapper-path = ${directory:services}/ca-gunicorn -#environment = #PATH=$${environ:PATH}:${git:location}/bin/ -# CA_CONFIGURATION_FILE=${certificate-authority-conf:output} -# LANG=en_GB.UTF-8 -[certificate-authority-server] +[caucase-server] recipe = slapos.cookbook:wrapper -command-line = {{ ngix_location }}/sbin/nginx -p ${directory:ca-dir} -c ${ca-nginx-conf:rendered} -wrapper-path = ${directory:services}/ca-server -url = https://[${slap-configuration:ipv6-random}]:${certificate-authority-parameters:server-https-port} -insecure-url = ${certificate-authority-parameters:crl-external-url} +command-line = {{ nginx_location }}/sbin/nginx -p ${directory:ca-dir} -c ${ca-nginx-conf:rendered} +wrapper-path = ${directory:services}/caucase-server +url = https://[${ca-parameters:ipv6}]:${ca-parameters:server-https-port} +http-url = ${ca-parameters:crl-external-url} depends = ${nginx-certificate-request:wrapper-path} - 
${certificate-authority-server-promise:filename} - ${certificate-authority-https-server-promise:filename} + ${caucase-server-promise:filename} + ${caucase-https-server-promise:filename} ${ca-nginx-graceful:output} ${ca-certificate-renew-cron-entry:name} ${logrotate-ca-nginx:name} -[ca-server-certificate-renew] -recipe = collective.recipe.template -input = inline: - #!{{ dash_executable_location }} - - d=$({{ openssl_executable_location }} x509 -enddate -noout -in ${nginx-certificate-request-base:cert-file} | cut -d'=' -f 2) - cert_time=$(date -d "$d" +"%s") - now=$(date +"%s") - thresold=2592000 # 30*24*60*60 equivalent to one month in seconds - remind=$(($cert_time - $now)) - - if [ $remind -lt $thresold ]; then - exec ${nginx-certificate-request-base:wrapper-path} --renew - # run nginx grancefull restart to reload renewed certificates - excec ${ca-nginx-graceful:output} - fi - -output = ${directory:bin}/server-certificate-renew -mode = 700 - [ca-certificate-renew-cron-entry] recipe = slapos.cookbook:cron.d cron-entries = ${cron:cron-entries} name = ca-server-certificate-auto-renew # check renew every-week -frequency = 5 4 * * 6 -command = ${ca-server-certificate-renew:output} +time = weekly +# 2592000 = 30*24*60*60 equivalent to one month in seconds +command = ${nginx-certificate-request-base:wrapper-path} --renew --threshold 2592000 --on-renew="${ca-nginx-graceful:output}" [logrotate-ca-nginx] < = logrotate-entry-base -name = certificate-authority-nginx-server +name = caucase-nginx-server log = ${ca-nginx-conf-parameter:access-log} ${ca-nginx-conf-parameter:access-log} post = {{ slapos_kill_bin }} --pidfile ${ca-nginx-conf-parameter:pid-file} -s USR1 -[certificate-authority-server-promise] +[caucase-server-promise] recipe = slapos.cookbook:check_url_available path = ${directory:promises}/${:filename} -filename = certificate-authority-server-listening-on-tcp -url = http://[${slap-configuration:ipv6-random}]:${certificate-authority-parameters:server-port} 
+filename = caucase-server-listening-on-tcp +url = http://[${ca-parameters:ipv6}]:${ca-parameters:server-port} dash_path = {{ dash_executable_location }} curl_path = {{ curl_executable_location }} -[certificate-authority-https-server-promise] +[caucase-https-server-promise] recipe = slapos.cookbook:check_url_available path = ${directory:promises}/${:filename} -filename = certificate-authority-server-https-on-${certificate-authority-parameters:server-https-port} -url = https://[${slap-configuration:ipv6-random}]:${certificate-authority-parameters:server-https-port} +filename = caucase-server-https-on-${ca-parameters:server-https-port} +url = https://[${ca-parameters:ipv6}]:${ca-parameters:server-https-port} check-secure = 1 dash_path = {{ dash_executable_location }} curl_path = {{ curl_executable_location }} -[slap-configuration] -recipe = slapos.cookbook:slapconfiguration.serialised -computer = ${slap-connection:computer-id} -partition = ${slap-connection:partition-id} -url = ${slap-connection:server-url} -key = ${slap-connection:key-file} -cert = ${slap-connection:cert-file} - -configuration.ca-server-port = 8009 -configuration.ca-server-https-port = 8010 -# /CN=XXX is required -configuration.ca-subject = /C=Country/ST=State/L=City/OU=O-Unit/O=Company/CN=SlapOS Certificate Authority/emailAddress=xx@example.com -configuration.max-request-amount = 10 -# one year (in seconds) -configuration.crt-life-time = 31536000 -# crl-life-period correspond to about one week -configuration.crl-life-period = 0.02 -# ca-life-period = ca-life-period * crt-life-time -configuration.ca-life-period = 10 -# time before clean certificate on CA: 60*24*60*60 -configuration.crt-keep-time = 5184000 \ No newline at end of file +{% if publish_parameter is defined and publish_parameter == 'yes' -%} +[publish-connection-parameter] +recipe = slapos.cookbook:publish.serialised +http-url = ${caucase-server:http-url} +https-url = ${caucase-server:url} +{% do 
part_list.append('publish-connection-parameter') -%} +{% endif -%} + +[buildout] + +extends = + {{ template_logrotate_base }} + +parts = + caucase-server +# Complete parts with sections + {{ part_list | join('\n ') }} + +eggs-directory = {{ eggs_directory }} +develop-eggs-directory = {{ develop_eggs_directory }} +offline = true \ No newline at end of file diff --git a/stack/caucase/instance.cfg.in b/stack/caucase/instance.cfg.in new file mode 100644 index 000000000..2d77cc0e7 --- /dev/null +++ b/stack/caucase/instance.cfg.in 
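Review bot: In [logrotate-ca-nginx] the unchanged `log =` option lists `${ca-nginx-conf-parameter:access-log}` twice and never names the error log, so `${directory:log}/nginx-ca-error.log` is never rotated; the second entry should be `${ca-nginx-conf-parameter:error-log}`. The inline comment on the renew cron entry, `# 2592000 = 30*24*60*60 equivalent to one month in seconds`, explains the arithmetic but not the behaviour; `# renew when less than 30 days (2592000 s) of validity remain, then reload nginx via --on-renew` would document what the command does. The `[buildout]` section moved to the end of the template is easy to miss for a reader; a one-line comment above it, `# buildout section last so that part_list is complete`, would make the ordering deliberate.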
@@ -0,0 +1,43 @@ +[buildout] +parts = + switch-softwaretype + +eggs-directory = {{ eggs_directory }} +develop-eggs-directory = {{ develop_eggs_directory }} +offline = true + +[slap-configuration] +recipe = slapos.cookbook:slapconfiguration.serialised +computer = ${slap-connection:computer-id} +partition = ${slap-connection:partition-id} +url = ${slap-connection:server-url} +key = ${slap-connection:key-file} +cert = ${slap-connection:cert-file} + +[dynamic-template-caucase] +recipe = slapos.recipe.template:jinja2 +filename = ${:_buildout_section_name_}.cfg +rendered = ${buildout:parts-directory}/${:_buildout_section_name_}/${:filename} +template = {{ caucase_template }} +extensions = jinja2.ext.do +extra-context = +context = + key ipv4 slap-configuration:ipv4 + key ipv6 slap-configuration:ipv6 + key develop_eggs_directory buildout:develop-eggs-directory + key eggs_directory buildout:eggs-directory + key slapparameter_dict slap-configuration:configuration + raw gunicorn_bin {{ gunicorn_bin }} + raw template_logrotate_base {{ template_logrotate_base }} + raw certificate_request_bin {{ certificate_request_bin }} + raw template_nginx_ca_conf {{ template_nginx_ca_conf }} + raw nginx_location {{ nginx_location }} + raw slapos_kill_bin {{ slapos_kill_bin }} + raw dash_executable_location {{ dash_executable_location }} + raw curl_executable_location {{ curl_executable_location }} + raw publish_parameter yes + +[switch-softwaretype] +recipe = slapos.cookbook:softwaretype +default = ${dynamic-template-caucase:rendered} + diff --git a/stack/certificate-authority/template-httpd-auth.conf.in b/stack/caucase/template-httpd-auth.conf.in similarity index 100% rename from stack/certificate-authority/template-httpd-auth.conf.in rename to stack/caucase/template-httpd-auth.conf.in -- 2.30.9
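Review bot: The context of [dynamic-template-caucase] does not forward `caucase_bin`, `openssl_executable_location` or `python_bin`, although [instance-caucase] in stack/caucase/buildout.cfg passes all three into this file's context; if instance-caucase.cfg.jinja2.in still references any of them (the parts of that template outside this patch's hunks are not visible here), Jinja2's default undefined renders them as empty strings, giving a silently broken command line instead of an error. Either forward them (`raw caucase_bin {{ caucase_bin }}`, and likewise for the other two) or drop them from [instance-caucase] so the two contexts agree; conversely `key ipv4 slap-configuration:ipv4` is passed here but used by no visible line of the template. `extra-context =` is left empty without explanation; a note such as `# extra-context: software releases extending this stack add their own context lines here` would make the extension point explicit.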