CertificateAuthorityTool.py 9.9 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34
# -*- coding: utf-8 -*-
##############################################################################
#
# Copyright (c) 2010 Nexedi SA and Contributors. All Rights Reserved.
#                    Łukasz Nowak <luke@nexedi.com>
#
# WARNING: This program as such is intended to be used by professional
# programmers who take the whole responsibility of assessing all potential
# consequences resulting from its eventual inadequacies and bugs
# End users who are looking for a ready-to-use solution with commercial
# guarantees and support are strongly advised to contract a Free Software
# Service Company
#
# This program is Free Software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
#
##############################################################################

from AccessControl import ClassSecurityInfo
from Products.ERP5Type.Globals import InitializeClass
from Products.ERP5Type.Tool.BaseTool import BaseTool
from Products.ERP5Type import Permissions
from Products.PageTemplates.PageTemplateFile import PageTemplateFile
35
from zLOG import LOG, INFO
36 37 38 39

import os
import subprocess

40 41 42 43 44 45 46
def popenCommunicate(command_list, input=None, **kwargs):
  kwargs.update(stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
  popen = subprocess.Popen(command_list, **kwargs)
  result = popen.communicate(input)[0]
  if popen.returncode is None:
    popen.kill()
  if popen.returncode != 0:
47
    raise ValueError('Issue during calling %r, result was:\n%s' % (command_list,
48 49
      result))
  return result
50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69

class CertificateAuthorityBusy(Exception):
  """Exception raised when certificate authority is busy"""
  pass

class CertificateAuthorityDamaged(Exception):
  """Exception raised when certificate authority is damaged"""
  pass

class CertificateAuthorityTool(BaseTool):
  """CertificateAuthorityTool

  This tool assumes that in certificate_authority_path openssl configuration is ready.
  """

  id = 'portal_certificate_authority'
  meta_type = 'ERP5 Certificate Authority Tool'
  portal_type = 'Certificate Authority Tool'
  security = ClassSecurityInfo()
  allowed_types = ()
70
  isIndexable = 0
71 72

  certificate_authority_path = ''
Łukasz Nowak's avatar
Łukasz Nowak committed
73
  openssl_binary = ''
74

75 76 77 78 79 80 81 82
  manage_options = (({'label': 'Edit',
                      'action': 'manage_editCertificateAuthorityToolForm',},
                     )
                    ) + BaseTool.manage_options

  _properties = (({'id':'certificate_authority_path',
                   'type':'string',
                   'mode':'w',
Łukasz Nowak's avatar
Łukasz Nowak committed
83 84 85 86 87 88
                   'label':'Absolute path to certificate authority'
                   },
                   {'id':'openssl_binary',
                   'type':'string',
                   'mode':'w',
                   'label':'Absolute path to OpenSSL binary'
89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110
                   },
                  )
                 )

  def _lockCertificateAuthority(self):
    """Checks lock and locks Certificate Authority tool, raises CertificateAuthorityBusy"""
    if os.path.exists(self.lock):
      raise CertificateAuthorityBusy
    open(self.lock, 'w').write('locked')

  def _unlockCertificateAuthority(self):
    """Checks lock and locks Certificate Authority tool"""
    if os.path.exists(self.lock):
      os.unlink(self.lock)
    else:
      LOG('CertificateAuthorityTool', INFO, 'Lock file %r did not existed '
        'during unlocking' % self.lock)

  def _checkCertificateAuthority(self):
    """Checks Certificate Authority configuration, raises CertificateAuthorityDamaged"""
    if not self.certificate_authority_path:
      raise CertificateAuthorityDamaged('Certificate authority path is not '
Łukasz Nowak's avatar
Łukasz Nowak committed
111
        'configured')
112 113 114
    if not os.path.isdir(self.certificate_authority_path):
      raise CertificateAuthorityDamaged('Path to Certificate Authority %r is '
        'wrong' % self.certificate_authority_path)
Łukasz Nowak's avatar
Łukasz Nowak committed
115 116 117 118 119 120
    if not self.openssl_binary:
      raise CertificateAuthorityDamaged('OpenSSL binary path is not '
        'configured' % self.certificate_authority_path)
    if not os.path.isfile(self.openssl_binary):
       raise CertificateAuthorityDamaged('OpenSSL binary %r does not exists' %
        self.openssl_binary)
121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154
    self.serial = os.path.join(self.certificate_authority_path, 'serial')
    self.crl = os.path.join(self.certificate_authority_path, 'crlnumber')
    self.index = os.path.join(self.certificate_authority_path, 'index.txt')
    self.openssl_config = os.path.join(self.certificate_authority_path,
      'openssl.cnf')
    self.lock = os.path.join(self.certificate_authority_path, 'lock')
    for f in [self.serial, self.crl, self.index]:
      if not os.path.isfile(f):
        raise CertificateAuthorityDamaged('File %r does not exists.' % f)

  security.declarePrivate('manage_afterAdd')
  def manage_afterAdd(self, item, container) :
    """Init permissions right after creation.

    Permissions in slap tool are simple:
     o Each member can access the tool.
     o Only manager can view and create.
     o Anonymous can not access
    """
    item.manage_permission(Permissions.AddPortalContent,
          ['Manager'])
    item.manage_permission(Permissions.AccessContentsInformation,
          ['Member', 'Manager'])
    item.manage_permission(Permissions.View,
          ['Manager',])
    BaseTool.inheritedAttribute('manage_afterAdd')(self, item, container)

  #'Edit' option form
  manage_editCertificateAuthorityToolForm = PageTemplateFile(
      '../www/Vifib_editCertificateAuthorityTool',
      globals(),
      __name__='manage_editCertificateAuthorityToolForm')

  security.declareProtected(Permissions.ManageProperties, 'manage_editCertificateAuthorityTool')
Łukasz Nowak's avatar
Łukasz Nowak committed
155
  def manage_editCertificateAuthorityTool(self, certificate_authority_path, openssl_binary, RESPONSE=None):
156 157 158 159
    """Edit the object"""
    error_message = ''

    if certificate_authority_path == '' or certificate_authority_path is None:
Łukasz Nowak's avatar
Łukasz Nowak committed
160
      error_message += 'Invalid Certificate Authority'
161 162 163
    else:
      self.certificate_authority_path = certificate_authority_path

Łukasz Nowak's avatar
Łukasz Nowak committed
164 165 166 167 168
    if openssl_binary == '' or openssl_binary is None:
      error_message += 'Invalid OpenSSL binary'
    else:
      self.openssl_binary = openssl_binary

169 170 171 172 173 174 175 176 177 178 179 180 181
    #Redirect
    if RESPONSE is not None:
      if error_message != '':
        self.REQUEST.form['manage_tabs_message'] = error_message
        return self.manage_editCertificateAuthorityToolForm(RESPONSE)
      else:
        message = "Updated"
        RESPONSE.redirect('%s/manage_editCertificateAuthorityToolForm'
                          '?manage_tabs_message=%s'
                          % (self.absolute_url(), message)
                          )

  security.declareProtected(Permissions.AccessContentsInformation, 'getNewCertificate')
182
  def getNewCertificate(self, common_name):
183
    """Returns certificate for passed common name, as dictionary of {key, certificate, id, common_name}"""
184 185 186
    self._checkCertificateAuthority()
    self._lockCertificateAuthority()
    try:
187
      new_id = open(self.serial, 'r').read().strip().lower()
188 189 190 191
      key = os.path.join(self.certificate_authority_path, 'private', new_id+'.key')
      csr = os.path.join(self.certificate_authority_path, new_id + '.csr')
      cert = os.path.join(self.certificate_authority_path, 'certs', new_id + '.crt')
      try:
192
        popenCommunicate([self.openssl_binary, 'req', '-nodes', '-config',
193
          self.openssl_config, '-new', '-keyout', key, '-out', csr, '-days',
194
          '3650'], '%s\n' % common_name, stdin=subprocess.PIPE)
195 196 197
        popenCommunicate([self.openssl_binary, 'ca', '-days', '3650',
          '-batch', '-config', self.openssl_config, '-out', cert, '-infiles',
          csr])
198 199 200 201
        os.unlink(csr)
        return dict(
          key=open(key).read(),
          certificate=open(cert).read(),
202 203
          id=new_id,
          common_name=common_name)
204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221
      except:
        try:
          for p in [key, csr, cert]:
            if os.path.exists(p):
              os.unlink(p)
        except:
          # do not raise during cleanup
          pass
        raise
    finally:
      self._unlockCertificateAuthority()

  security.declareProtected(Permissions.AccessContentsInformation, 'revokeCertificate')
  def revokeCertificate(self, serial):
    """Revokes certificate with serial, returns dictionary {crl}"""
    self._checkCertificateAuthority()
    self._lockCertificateAuthority()
    try:
222
      new_id = open(self.crl, 'r').read().strip().lower()
223 224
      crl_path = os.path.join(self.certificate_authority_path, 'crl')
      crl = os.path.join(crl_path, new_id + '.crl')
225 226 227 228
      cert = os.path.join(self.certificate_authority_path, 'certs', serial + '.crt')
      if not os.path.exists(cert):
        raise ValueError('Certificate with serial %r does not exists' % serial)
      try:
229 230 231 232 233 234 235 236
        popenCommunicate([self.openssl_binary, 'ca', '-config',
          self.openssl_config, '-revoke', cert])
        popenCommunicate([self.openssl_binary, 'ca', '-config',
          self.openssl_config, '-gencrl', '-out', crl])
        hash = popenCommunicate([self.openssl_binary, 'crl', '-noout',
          '-hash', '-in', crl]).strip()
        previous_id = int(len([q for q in os.listdir(crl_path) if hash in q]))
        os.symlink(crl, os.path.join(crl_path, '%s.%s' % (hash, previous_id)))
237 238 239 240 241 242 243 244 245 246 247 248 249 250
        return dict(crl=open(crl).read())
      except:
        try:
          for p in [crl]:
            if os.path.exists(p):
              os.unlink(p)
        except:
          # do not raise during cleanup
          pass
        raise
    finally:
      self._unlockCertificateAuthority()

InitializeClass(CertificateAuthorityTool)