From 405a3d501b1079cafd8a33e3cee8d2ce5fa6de5c Mon Sep 17 00:00:00 2001 From: James Kasten Date: Wed, 22 May 2013 18:15:01 -0400 Subject: [PATCH] SNI Challenge now relies on Configurator checkpoint system to cleanup. --- trustify/client/client.py | 5 +++-- trustify/client/configurator.py | 28 ++++++++++++++++++++++------ trustify/client/sni_challenge.py | 13 +++---------- 3 files changed, 28 insertions(+), 18 deletions(-) diff --git a/trustify/client/client.py b/trustify/client/client.py index b0b4c8e63..e600025e9 100644 --- a/trustify/client/client.py +++ b/trustify/client/client.py @@ -19,6 +19,7 @@ from trustify.client.sni_challenge import SNI_Challenge from trustify.client.payment_challenge import Payment_Challenge from trustify.client import configurator from trustify.client import logger +from trustify.client import trustify_util from trustify.client.CONFIG import difficulty, cert_file, chain_file from trustify.client.CONFIG import SERVER_ROOT, KEY_DIR, CERT_DIR @@ -297,9 +298,9 @@ class Client(object): m.request.csr = csr_pem hashcash_cmd = ["hashcash", "-P", "-m", "-z", "12", "-b", `difficulty`, "-r", self.server] if quiet: - hashcash = subprocess.Popen(hashcash_cmd, preexec_fn=drop_privs, shell= False, stdout=subprocess.PIPE, stderr=open("/dev/null", "w")).communicate()[0].rstrip() + hashcash = subprocess.Popen(hashcash_cmd, preexec_fn=trustify_util.drop_privs, shell= False, stdout=subprocess.PIPE, stderr=open("/dev/null", "w")).communicate()[0].rstrip() else: - hashcash = subprocess.Popen(hashcash_cmd, preexec_fn=drop_privs, shell= False, stdout=subprocess.PIPE).communicate()[0].rstrip() + hashcash = subprocess.Popen(hashcash_cmd, preexec_fn=trustify_util.drop_privs, shell= False, stdout=subprocess.PIPE).communicate()[0].rstrip() if hashcash: m.request.clientpuzzle = hashcash diff --git a/trustify/client/configurator.py b/trustify/client/configurator.py index e640052a2..4a289e1e5 100644 --- a/trustify/client/configurator.py +++ b/trustify/client/configurator.py @@ -13,7 +13,7 @@ from trustify.client.CONFIG import SERVER_ROOT, BACKUP_DIR, MODIFIED_FILES #from CONFIG import SERVER_ROOT, BACKUP_DIR, MODIFIED_FILES, REWRITE_HTTPS_ARGS, CONFIG_DIR, WORK_DIR from trustify.client.CONFIG import REWRITE_HTTPS_ARGS, CONFIG_DIR, WORK_DIR from trustify.client.CONFIG import TEMP_CHECKPOINT_DIR, IN_PROGRESS_DIR -from trustify.client import logger +from trustify.client import logger, trustify_util #import logger # Question: Am I missing any attacks that can result from modifying CONFIG file? @@ -28,7 +28,9 @@ from trustify.client import logger # This is not able to be completely remedied by regular expressions because # Augeas views as an error. This will just # require another check_parsing_errors() after all files are included... -# (after a find_directive search is executed currently) +# (after a find_directive search is executed currently). It can be a one +# time check however because all of Trustifies transactions will ensure +# only properly formed sections are added. # Note: This protocol works for filenames with spaces in it, the sites are # properly set up and directives are changed appropriately, but Apache won't @@ -37,8 +39,20 @@ from trustify.client import logger # to use vhost filenames that contain spaces and offer to change ' ' to '_' # TODO: Make IfModule completely case-insensitive -# TODO: Checkpoints are not registering the creaton of enable_site -# This results in broken links in sites-enabled on revert + +# NOTE: NEW_FILES is not transactional... if the files are added and the program +# quits before Configurator.save() runs and completes, the files will be +# orphaned on the system. The paths need to be appended to NEW_FILES before +# creation. Though, there doesn't appear to be a clean fix, new_files +# need to know if they are going to be appended to an IN_PROGRESS or TEMP cp, +# which may not be apparent at the time of file creation. +# Idea: Maybe a force_critical_new_file() should be added that simply appends +# to the path to a recovery_specific file. This wouldn't clear out self.new_files +# but would only be used in case of a crash... cleared every save, checked at +# start... +# +# However, FILEPATHS and changes to files are transactional. They are copied +# over before the updates are made to the existing files. class VH(object): def __init__(self, filename_path, vh_path, vh_addrs, is_ssl, is_enabled): @@ -822,9 +836,11 @@ LogLevel warn \n\ """ if "/sites-available/" in vhost.file: index = vhost.file.rfind("/") - os.symlink(vhost.file, SERVER_ROOT + "sites-enabled/" + vhost.file[index:]) + enabled_path = "%ssites-enabled/%s" % (SERVER_ROOT, vhost.file[index:]) + os.symlink(vhost.file, enabled_path) vhost.enabled = True self.save_notes += 'Enabled site %s\n' % vhost.file + self.new_files.append(enabled_path) return True return False @@ -1093,7 +1109,7 @@ LogLevel warn \n\ final_dir = BACKUP_DIR + str(time.time()) try: with open(cp_dir + "CHANGES_SINCE.tmp", 'w') as ft: - ft.write("-- %s --" % title) + ft.write("-- %s --\n" % title) with open(cp_dir + "CHANGES_SINCE", 'r') as f: ft.write(f.read()) shutil.move(cp_dir + "CHANGES_SINCE.tmp", cp_dir + "CHANGES_SINCE") diff --git a/trustify/client/sni_challenge.py b/trustify/client/sni_challenge.py index aa27f110d..2bd1b4964 100644 --- a/trustify/client/sni_challenge.py +++ b/trustify/client/sni_challenge.py @@ -102,6 +102,7 @@ DocumentRoot " + CONFIG_DIR + "challenge_page/ \n \ configText += " \n" self.checkForApacheConfInclude(mainConfig) + self.configurator.new_files.append(APACHE_CHALLENGE_CONF) newConf = open(APACHE_CHALLENGE_CONF, 'w') newConf.write(configText) newConf.close() @@ -134,6 +135,7 @@ DocumentRoot " + CONFIG_DIR + "challenge_page/ \n \ self.updateCertConf(oid, ext) subprocess.call(["openssl", "x509", "-req", "-days", "21", "-extfile", CHOC_CERT_CONF, "-extensions", "v3_ca", "-signkey", key, "-out", self.getChocCertFile(nonce), "-in", csr], stdout=open("/dev/null", 'w'), stderr=open("/dev/null", 'w')) + self.configurator.new_files.append(self.getChocCertFile(nonce)) def generateExtension(self, key, y): @@ -203,16 +205,7 @@ DocumentRoot " + CONFIG_DIR + "challenge_page/ \n \ """ self.configurator.revert_challenge_config() self.configurator.restart(True) - self.__remove_files() - - # TODO: This should be done within configuration NEW_FILES temp cp - def __remove_files(self): - """ - Removes all of the temporary SNI files - """ - for tup in self.listSNITuple: - remove(self.getChocCertFile(tup[2])) - remove(APACHE_CHALLENGE_CONF) + #main call def perform(self, quiet=False):