b4838a33
Commit
b4838a33
authored
Aug 05, 2013
by
Julien Muchembled
Review generate.password recipe, dropping pwgen.*
parent
3d810d17
Changes
13
Showing
13 changed files
with
81 additions
and
117 deletions
+81
-117
setup.py
setup.py
+0
-2
slapos/recipe/generatepassword.py
slapos/recipe/generatepassword.py
+56
-14
slapos/recipe/librecipe/generic.py
slapos/recipe/librecipe/generic.py
+7
-11
slapos/recipe/pwgen.py
slapos/recipe/pwgen.py
+0
-60
software/erp5testnode/instance-default.cfg
software/erp5testnode/instance-default.cfg
+4
-6
software/erp5testnode/software.cfg
software/erp5testnode/software.cfg
+0
-1
software/gitrepo/instance-gitrepo.cfg
software/gitrepo/instance-gitrepo.cfg
+4
-7
software/gitrepo/software.cfg
software/gitrepo/software.cfg
+0
-1
software/lxc/instance-lxc.cfg
software/lxc/instance-lxc.cfg
+3
-4
software/lxc/software.cfg
software/lxc/software.cfg
+0
-2
software/trac-svn/instance-trac.cfg
software/trac-svn/instance-trac.cfg
+5
-6
software/trac-svn/software.cfg
software/trac-svn/software.cfg
+0
-1
stack/erp5/instance-tidstorage.cfg.in
stack/erp5/instance-tidstorage.cfg.in
+2
-2
setup.py
...
...
@@ -165,8 +165,6 @@ setup(name=name,
'publish.serialised = slapos.recipe.publish:Serialised'
,
'publishsection = slapos.recipe.publish:PublishSection'
,
'publishurl = slapos.recipe.publishurl:Recipe'
,
'pwgen = slapos.recipe.pwgen:Recipe'
,
'pwgen.stable = slapos.recipe.pwgen:StablePasswordGeneratorRecipe'
,
'redis.server = slapos.recipe.redis:Recipe'
,
'request = slapos.recipe.request:Recipe'
,
'request.serialised = slapos.recipe.request:Serialised'
,
...
...
slapos/recipe/generatepassword.py
...
...
@@ -26,27 +26,69 @@
#
##############################################################################
import
binascii
import
errno
import
os
import
random
import
string
from
slapos.recipe.librecipe
import
GenericBaseRecipe
def
generatePassword
(
length
):
return
''
.
join
(
random
.
SystemRandom
().
sample
(
string
.
ascii_lowercase
,
length
))
class
Recipe
(
GenericBaseRecipe
):
class
Recipe
(
object
):
"""Generate a password that is only composed of lowercase letters
This recipe only makes sure that ${:passwd} does not end up in `.installed`
file, which is world-readable by default. So be careful not to spread it
throughout the buildout configuration by referencing it directly: see
recipes like slapos.recipe.template:jinja2 to safely process the password.
Options:
- bytes: password length (default: 8 characters)
- storage-path: plain-text persistent storage for password,
that can only be accessed by the user
(default: ${buildout:parts-directory}/${:_buildout_section_name_})
"""
def
__init__
(
self
,
buildout
,
name
,
options
):
if
os
.
path
.
exists
(
options
[
'storage-path'
]):
open_file
=
open
(
options
[
'storage-path'
],
'r'
)
options
[
'passwd'
]
=
open_file
.
read
()
open_file
.
close
()
options_get
=
options
.
get
try
:
self
.
storage_path
=
options
[
'storage-path'
]
except
KeyError
:
self
.
storage_path
=
options
[
'storage-path'
]
=
os
.
path
.
join
(
buildout
[
'buildout'
][
'parts-directory'
],
name
)
try
:
with
open
(
self
.
storage_path
)
as
f
:
passwd
=
f
.
read
()
except
IOError
,
e
:
if
e
.
errno
!=
errno
.
ENOENT
:
raise
passwd
=
None
if
not
passwd
:
passwd
=
self
.
generatePassword
(
int
(
options_get
(
'bytes'
,
'8'
)))
self
.
update
=
self
.
install
self
.
passwd
=
passwd
# Password must not go into .installed file, for 2 reasons:
# security of course but also to prevent buildout to always reinstall.
options
.
get
=
lambda
option
,
*
args
,
**
kw
:
passwd
\
if
option
==
'passwd'
else
options_get
(
option
,
*
args
,
**
kw
)
if
options
.
get
(
'passwd'
,
''
)
==
''
:
options
[
'passwd'
]
=
binascii
.
hexlify
(
os
.
urandom
(
int
(
options
.
get
(
'bytes'
,
'24'
))))
return
GenericBaseRecipe
.
__init__
(
self
,
buildout
,
name
,
options
)
generatePassword
=
staticmethod
(
generatePassword
)
def
install
(
self
):
with
open
(
self
.
options
[
'storage-path'
],
'w'
)
as
fout
:
fout
.
write
(
self
.
options
[
'passwd'
])
return
[
self
.
options
[
'storage-path'
]]
if
self
.
storage_path
:
try
:
os
.
unlink
(
self
.
storage_path
)
except
OSError
,
e
:
if
e
.
errno
!=
errno
.
ENOENT
:
raise
fd
=
os
.
open
(
self
.
storage_path
,
os
.
O_CREAT
|
os
.
O_EXCL
|
os
.
O_WRONLY
,
0600
)
try
:
os
.
write
(
fd
,
self
.
passwd
)
finally
:
os
.
close
(
fd
)
return
self
.
storage_path
def
update
(
self
):
return
()
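Review bot: The module-level `generatePassword` draws with `random.SystemRandom().sample(string.ascii_lowercase, length)`, which selects without replacement: no letter can repeat, any `bytes` value above 26 raises ValueError, and the default of 8 gives roughly 36 bits of entropy, where what appears to be the removed path used `os.urandom` with a default of 24 bytes. Drawing each character independently keeps the lowercase-only format and removes the length limit: `rng = random.SystemRandom()` followed by `return ''.join(rng.choice(string.ascii_lowercase) for _ in range(length))`. A default longer than `'8'` is also worth considering, since sections such as `[deadlock-debugger-password]` rely on the default. The old/new sides are inferred from the rendered page, which has lost its `+`/`-` markers.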
slapos/recipe/librecipe/generic.py
...
...
@@ -183,17 +183,13 @@ class GenericBaseRecipe(object):
'template/%s'
%
template_name
)
def
generatePassword
(
self
,
len_
=
32
):
"""
The purpose of this method is to generate a password which doesn't change
from one execution to the next, so the generated password doesn't change
on each slapgrid-cp execution.
Currently, it returns a hardcoded password because no decision has been
taken on where a generated password should be kept (so it is generated
once only).
"""
# TODO: implement a real password generator which remember the last
# call.
# TODO: Consider having generate.password recipe inherit this class,
# so that it can be easily inheritable.
# In the long-term, it's probably better that passwords are provided
# by software requesters, to avoid keeping unhashed secrets in
# partitions when possible.
log
.
warning
(
"GenericBaseRecipe.generatePassword is deprecated."
" Use generate.password recipe instead."
)
return
"insecure"
def
isTrueValue
(
self
,
value
):
...
...
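Review bot: `GenericBaseRecipe.generatePassword` still ends with `return "insecure"`, so any recipe that keeps calling it receives a fixed, publicly known value, and the only signal is a `log.warning` line that is easy to overlook. The docstring that explained this seems to be dropped by the hunk; I would keep a one-line replacement such as `"""Deprecated: returns a fixed placeholder, never use the result as a secret."""` and plan to turn the warning into an exception once remaining callers are migrated. The class body continues outside the hunk, so whether `log` is defined in this module and which callers remain cannot be checked from here.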
slapos/recipe/pwgen.py
deleted
100644 → 0
##############################################################################
#
# Copyright (c) 2010 Vifib SARL and Contributors. All Rights Reserved.
#
# WARNING: This program as such is intended to be used by professional
# programmers who take the whole responsibility of assessing all potential
# consequences resulting from its eventual inadequacies and bugs
# End users who are looking for a ready-to-use solution with commercial
# guarantees and support are strongly adviced to contract a Free Software
# Service Company
#
# This program is Free Software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 3
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
#
##############################################################################
import
subprocess
import
os
from
slapos.recipe.librecipe
import
GenericBaseRecipe
class
Recipe
(
GenericBaseRecipe
):
def
_options
(
self
,
options
):
if
not
os
.
path
.
exists
(
self
.
options
[
'file'
]):
password
=
subprocess
.
check_output
([
self
.
options
[
'pwgen-binary'
],
'-1'
]).
strip
()
with
open
(
self
.
options
[
'file'
],
'w'
)
as
password_file
:
password_file
.
write
(
password
)
else
:
with
open
(
self
.
options
[
'file'
],
'r'
)
as
password_file
:
password
=
password_file
.
read
()
options
[
'password'
]
=
password
def
install
(
self
):
os
.
chmod
(
self
.
options
[
'file'
],
0600
)
return
[]
class
StablePasswordGeneratorRecipe
(
GenericBaseRecipe
):
"""
The purpose of this class is to generate a password which doesn't change
from one execution to the next (hence "stable"), so the generated password
doesn't change on each slapgrid-cp execution.
See GenericBaseRecipe.generatePassword .
"""
def
_options
(
self
,
options
):
options
[
'password'
]
=
self
.
generatePassword
()
update
=
install
=
lambda
self
:
[]
software/erp5testnode/instance-default.cfg
...
...
@@ -7,7 +7,6 @@ offline = true
parts =
connection-dict
testnode
pwgen
shell
shellinabox
certificate-authority
...
...
@@ -16,12 +15,11 @@ parts =
[connection-dict]
recipe = slapos.cookbook:publish
url = http://[$${shellinabox:ipv6}]:$${shellinabox:port}/
password = $${pwgen:passw
or
d}
password = $${pwgen:passwd}
[pwgen]
recipe = slapos.cookbook:pwgen
file = $${buildout:directory}/.password
pwgen-binary = ${pwgen:location}/bin/pwgen
recipe = slapos.cookbook:generate.password
storage-path = $${buildout:directory}/.password
[testnode]
recipe = slapos.cookbook:erp5testnode
...
...
@@ -82,7 +80,7 @@ port = 8080
shell = $${shell:wrapper}
wrapper = $${rootdirectory:bin}/shellinaboxd
shellinabox-binary = ${shellinabox:location}/bin/shellinaboxd
password = $${pwgen:passw
or
d}
password = $${pwgen:passwd}
directory = $${buildout:directory}/
login-shell = $${rootdirectory:bin}/login
certificate-directory = $${directory:shellinabox}
...
...
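Review bot: `password = $${pwgen:passwd}` in `[connection-dict]` and in the hunk at `port = 8080` copies the secret into the referencing sections' own options, which is what the new recipe's docstring warns about: only the generating section keeps `passwd` out of the world-readable `.installed` file. The same direct reference appears in software/gitrepo/instance-gitrepo.cfg (including the `htpasswd -cb` line in `cmds`), software/lxc/instance-lxc.cfg and software/trac-svn/instance-trac.cfg. Where the consumer allows it, hand over the `storage-path` file or render through slapos.recipe.template:jinja2 as the docstring suggests. Otherwise a comment next to each reference, for example `# NOTE: passwd is expanded here and is recorded in .installed`, would at least document the exposure.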
software/erp5testnode/software.cfg
...
...
@@ -20,7 +20,6 @@ extends =
../../component/zip/buildout.cfg
../../component/busybox/buildout.cfg
../../component/shellinabox/buildout.cfg
../../component/pwgen/buildout.cfg
# Local development
develop =
...
...
software/gitrepo/instance-gitrepo.cfg
...
...
@@ -13,14 +13,13 @@ parts =
gitdaemon
git-http-backend-cgi
htpasswd
pwgen
git-repos
[publish]
recipe = slapos.cookbook:publish
url = http://[$${slap-network-information:global-ipv6}]:$${httpd-conf:port}/
user = $${pwgen:user}
password = $${pwgen:passw
or
d}
password = $${pwgen:passwd}
[httpd]
recipe = slapos.cookbook:wrapper
...
...
@@ -79,14 +78,12 @@ output = $${basedirectory:services}/git-daemon
recipe = collective.recipe.cmd
output = $${rootdirectory:etc}/httpd.htpasswd
on_install = true
on_u
dpta
e = true
on_u
pdat
e = true
cmds =
${apache:location}/bin/htpasswd -cb $${:output} $${pwgen:user} $${pwgen:passw
or
d}
${apache:location}/bin/htpasswd -cb $${:output} $${pwgen:user} $${pwgen:passwd}
[pwgen]
recipe = slapos.cookbook:pwgen
file = $${buildout:directory}/.password
pwgen-binary = ${pwgen:location}/bin/pwgen
recipe = slapos.cookbook:generate.password
user = slapos
[rootdirectory]
...
...
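Review bot: `[pwgen]` here loses `file = $${buildout:directory}/.password` without gaining a `storage-path`, unlike the erp5testnode, lxc and trac-svn instances in this commit. The recipe then falls back to its default under `${buildout:parts-directory}`, so on an existing partition the old `.password` is presumably no longer read: a new password would be generated, the published credential would change, and the old plain-text file would stay on disk. If that is not intended, add `storage-path = $${buildout:directory}/.password` to the section.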
software/gitrepo/software.cfg
...
...
@@ -4,7 +4,6 @@ extends =
../../component/apache/buildout.cfg
../../component/perl/buildout.cfg
../../component/git/buildout.cfg
../../component/pwgen/buildout.cfg
../../stack/slapos.cfg
parts =
...
...
software/lxc/instance-lxc.cfg
...
...
@@ -68,9 +68,8 @@ bridge = !!BRIDGE_NAME!!
interface = lxc$${slap-network-information:network-interface}
[passwd]
recipe = slapos.cookbook:pwgen
file = $${buildout:directory}/.password
pwgen-binary = ${pwgen:location}/bin/pwgen
recipe = slapos.cookbook:generate.password
storage-path = $${buildout:directory}/.password
[shellinabox]
recipe = slapos.cookbook:shellinabox
...
...
@@ -79,7 +78,7 @@ port = 8080
shell = ${lxc:location}/bin/lxc-console -n $${uuid:uuid}
wrapper = $${rootdirectory:bin}/shellinaboxd_raw
shellinabox-binary = ${shellinabox:location}/bin/shellinaboxd
password = $${passwd:passw
or
d}
password = $${passwd:passwd}
directory = $${buildout:directory}/
login-shell = $${rootdirectory:bin}/login
certificate-directory = $${directory:shellinabox}
...
...
software/lxc/software.cfg
...
...
@@ -10,7 +10,6 @@ extends =
../../component/xz-utils/buildout.cfg
../../component/tar/buildout.cfg
../../component/shellinabox/buildout.cfg
../../component/pwgen/buildout.cfg
../../component/bash/buildout.cfg
../../component/coreutils/buildout.cfg
...
...
@@ -23,7 +22,6 @@ parts =
slapos-toolbox
lxc
shellinabox
pwgen
[template]
recipe = slapos.recipe.template
...
...
software/trac-svn/instance-trac.cfg
...
...
@@ -308,9 +308,8 @@ githttpbackend = ${git:location}/libexec/git-core/git-http-backend
base-directory = $${trac-config:project_dir}/git
[trac-admin]
recipe = slapos.cookbook:pwgen
file = $${buildout:directory}/.password
pwgen-binary = ${pwgen:location}/bin/pwgen
recipe = slapos.cookbook:generate.password
storage-path = $${buildout:directory}/.password
user = TracAdmin
#---------------------
...
...
@@ -330,7 +329,7 @@ eggs-dirs =
python-lib = ${python2.7:location}/lib
trac-admin = ${buildout:bin-directory}/trac-admin
admin-user = $${trac-admin:user}
admin-password = $${trac-admin:passw
or
d}
admin-password = $${trac-admin:passwd}
#MySQL informations
mysql-username = $${mariadb-urlparse:username}
mysql-password = $${mariadb-urlparse:password}
...
...
@@ -401,7 +400,7 @@ port = 9000
shell = $${shell:wrapper}
wrapper = $${rootdirectory:bin}/shellinaboxd_raw
shellinabox-binary = ${shellinabox:location}/bin/shellinaboxd
password = $${trac-admin:passw
or
d}
password = $${trac-admin:passwd}
directory = $${inittrac:site-dir}
login-shell = $${rootdirectory:bin}/login
certificate-directory = $${directory:shellinabox}
...
...
@@ -454,7 +453,7 @@ frontend_url = $${request-frontend:connection-site_url}
git = $${request-frontend:connection-site_url}git/
svn = $${request-frontend:connection-site_url}svn/
admin_user = $${trac-admin:user}
admin_password = $${trac-admin:passw
or
d}
admin_password = $${trac-admin:passwd}
admin_shell = https://[$${shellinabox:ipv6}]:$${shellinabox:port}/
#----------------
...
...
software/trac-svn/software.cfg
...
...
@@ -41,7 +41,6 @@ extends =
../../component/lxml-python/buildout.cfg
../../component/mysql-python/buildout.cfg
../../component/git/buildout.cfg
../../component/pwgen/buildout.cfg
../../component/shellinabox/buildout.cfg
../../component/perl/buildout.cfg
...
...
stack/erp5/instance-tidstorage.cfg.in
...
...
@@ -331,7 +331,7 @@ runzope-binary = {{ bin_directory }}/runzope
bt5-repository-list =
[deadlock-debugger-password]
recipe = slapos.cookbook:
pwgen.stable
recipe = slapos.cookbook:
generate.password
[zope-conf-parameter-base]
ip = {{ ipv4 }}
...
...
@@ -346,7 +346,7 @@ context =
key instance directory:instance
key instance_products directory:instance-products
raw deadlock_path /manage_debug_threads
key deadlock_debugger_password deadlock-debugger-password:passw
or
d
key deadlock_debugger_password deadlock-debugger-password:passwd
key tidstorage_ip tidstorage:ip
key tidstorage_port tidstorage:port
key promise_path erp5-promise:promise-path
...
...