mirror of
https://github.com/certbot/certbot.git
synced 2025-08-09 15:02:48 +03:00
713b91495b
Fixes #8093. This PR modifies and audits all uses of `subprocess` and `Popen` outside of tests, `certbot-ci/`, `certbot-compatibility-test/`, `letsencrypt-auto-source/`, `tools/`, and `windows-installer/`. Calls to outside programs have their `env` modified to remove the `SNAP` components of paths, if they exist. This includes any calls made from hooks, calls to `apachectl` and `nginx`, and to `openssl` from `ocsp.py`. For testing manually, rsync flags will look something like: ``` rsync -avzhe ssh root@focal.domain:/home/certbot/certbot/certbot_*_amd64.snap . rsync -avzhe ssh certbot_*_amd64.snap root@centos7.domain:/root/certbot/ ``` With these modifications, `certbot plugins --prepare` now passes on Centos 7. If I'm wrong and we package the `openssl` binary, the modifications should be removed from `ocsp.py`, and `env` should be passed into `run_script` rather than set internally in its calls from nginx and apache. One caveat with this approach is the disconnect between why it's a problem (packaging) and where it's solved (internal to Certbot). I considered a wrapping approach, but we'd still have to audit specific calls. I think the best way to address this is robust testing; specifically, running the snap on other systems. For hooks, all calls will remove the snap paths if they exist. This is probably fine, because even if the hook intends to call back into certbot, it can do that, it'll just create a new snap. I'm not sure if we need these modifications for the Mac OS X/ Darwin calls, but they can't hurt. * Add method to plugins util to get env without snap paths * Use modified environment in Nginx plugin * Pass through env to certbot.util.run_script * Use modified environment in Apache plugin * move env_no_snap_for_external_calls to certbot.util * Set env internally to run_script, since we use that only to call out * Add env to mac subprocess calls in certbot.util * Add env to openssl call in ocsp.py * Add env for hooks calls in certbot.compat.misc. * Pass env into execute_command to avoid circular dependency * Update hook test to assert called with env * Fix mypy type hint to account for new param * Change signature to include Optional * go back to using CERTBOT_PLUGIN_PATH * no need to modify PYTHONPATH in env * robustly detect when we're in a snap * Improve env util fxn docstring * Update changelog * Add unit tests for env_no_snap_for_external_calls * Import compat.os
258 lines
7.1 KiB
Python
258 lines
7.1 KiB
Python
""" Utility functions for certbot-apache plugin """
|
|
import binascii
|
|
import fnmatch
|
|
import logging
|
|
import re
|
|
import subprocess
|
|
|
|
import pkg_resources
|
|
|
|
from certbot import errors
|
|
from certbot import util
|
|
|
|
from certbot.compat import os
|
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
|
|
def get_mod_deps(mod_name):
|
|
"""Get known module dependencies.
|
|
|
|
.. note:: This does not need to be accurate in order for the client to
|
|
run. This simply keeps things clean if the user decides to revert
|
|
changes.
|
|
.. warning:: If all deps are not included, it may cause incorrect parsing
|
|
behavior, due to enable_mod's shortcut for updating the parser's
|
|
currently defined modules (`.ApacheParser.add_mod`)
|
|
This would only present a major problem in extremely atypical
|
|
configs that use ifmod for the missing deps.
|
|
|
|
"""
|
|
deps = {
|
|
"ssl": ["setenvif", "mime"]
|
|
}
|
|
return deps.get(mod_name, [])
|
|
|
|
|
|
def get_file_path(vhost_path):
|
|
"""Get file path from augeas_vhost_path.
|
|
|
|
Takes in Augeas path and returns the file name
|
|
|
|
:param str vhost_path: Augeas virtual host path
|
|
|
|
:returns: filename of vhost
|
|
:rtype: str
|
|
|
|
"""
|
|
if not vhost_path or not vhost_path.startswith("/files/"):
|
|
return None
|
|
|
|
return _split_aug_path(vhost_path)[0]
|
|
|
|
|
|
def get_internal_aug_path(vhost_path):
|
|
"""Get the Augeas path for a vhost with the file path removed.
|
|
|
|
:param str vhost_path: Augeas virtual host path
|
|
|
|
:returns: Augeas path to vhost relative to the containing file
|
|
:rtype: str
|
|
|
|
"""
|
|
return _split_aug_path(vhost_path)[1]
|
|
|
|
|
|
def _split_aug_path(vhost_path):
|
|
"""Splits an Augeas path into a file path and an internal path.
|
|
|
|
After removing "/files", this function splits vhost_path into the
|
|
file path and the remaining Augeas path.
|
|
|
|
:param str vhost_path: Augeas virtual host path
|
|
|
|
:returns: file path and internal Augeas path
|
|
:rtype: `tuple` of `str`
|
|
|
|
"""
|
|
# Strip off /files
|
|
file_path = vhost_path[6:]
|
|
internal_path = []
|
|
|
|
# Remove components from the end of file_path until it becomes valid
|
|
while not os.path.exists(file_path):
|
|
file_path, _, internal_path_part = file_path.rpartition("/")
|
|
internal_path.append(internal_path_part)
|
|
|
|
return file_path, "/".join(reversed(internal_path))
|
|
|
|
|
|
def parse_define_file(filepath, varname):
|
|
""" Parses Defines from a variable in configuration file
|
|
|
|
:param str filepath: Path of file to parse
|
|
:param str varname: Name of the variable
|
|
|
|
:returns: Dict of Define:Value pairs
|
|
:rtype: `dict`
|
|
|
|
"""
|
|
return_vars = {}
|
|
# Get list of words in the variable
|
|
a_opts = util.get_var_from_file(varname, filepath).split()
|
|
for i, v in enumerate(a_opts):
|
|
# Handle Define statements and make sure it has an argument
|
|
if v == "-D" and len(a_opts) >= i+2:
|
|
var_parts = a_opts[i+1].partition("=")
|
|
return_vars[var_parts[0]] = var_parts[2]
|
|
elif len(v) > 2 and v.startswith("-D"):
|
|
# Found var with no whitespace separator
|
|
var_parts = v[2:].partition("=")
|
|
return_vars[var_parts[0]] = var_parts[2]
|
|
return return_vars
|
|
|
|
|
|
def unique_id():
|
|
""" Returns an unique id to be used as a VirtualHost identifier"""
|
|
return binascii.hexlify(os.urandom(16)).decode("utf-8")
|
|
|
|
|
|
def included_in_paths(filepath, paths):
|
|
"""
|
|
Returns true if the filepath is included in the list of paths
|
|
that may contain full paths or wildcard paths that need to be
|
|
expanded.
|
|
|
|
:param str filepath: Filepath to check
|
|
:params list paths: List of paths to check against
|
|
|
|
:returns: True if included
|
|
:rtype: bool
|
|
"""
|
|
|
|
return any(fnmatch.fnmatch(filepath, path) for path in paths)
|
|
|
|
|
|
def parse_defines(apachectl):
|
|
"""
|
|
Gets Defines from httpd process and returns a dictionary of
|
|
the defined variables.
|
|
|
|
:param str apachectl: Path to apachectl executable
|
|
|
|
:returns: dictionary of defined variables
|
|
:rtype: dict
|
|
"""
|
|
|
|
variables = {}
|
|
define_cmd = [apachectl, "-t", "-D",
|
|
"DUMP_RUN_CFG"]
|
|
matches = parse_from_subprocess(define_cmd, r"Define: ([^ \n]*)")
|
|
try:
|
|
matches.remove("DUMP_RUN_CFG")
|
|
except ValueError:
|
|
return {}
|
|
|
|
for match in matches:
|
|
if match.count("=") > 1:
|
|
logger.error("Unexpected number of equal signs in "
|
|
"runtime config dump.")
|
|
raise errors.PluginError(
|
|
"Error parsing Apache runtime variables")
|
|
parts = match.partition("=")
|
|
variables[parts[0]] = parts[2]
|
|
|
|
return variables
|
|
|
|
|
|
def parse_includes(apachectl):
|
|
"""
|
|
Gets Include directives from httpd process and returns a list of
|
|
their values.
|
|
|
|
:param str apachectl: Path to apachectl executable
|
|
|
|
:returns: list of found Include directive values
|
|
:rtype: list of str
|
|
"""
|
|
|
|
inc_cmd = [apachectl, "-t", "-D",
|
|
"DUMP_INCLUDES"]
|
|
return parse_from_subprocess(inc_cmd, r"\(.*\) (.*)")
|
|
|
|
|
|
def parse_modules(apachectl):
|
|
"""
|
|
Get loaded modules from httpd process, and return the list
|
|
of loaded module names.
|
|
|
|
:param str apachectl: Path to apachectl executable
|
|
|
|
:returns: list of found LoadModule module names
|
|
:rtype: list of str
|
|
"""
|
|
|
|
mod_cmd = [apachectl, "-t", "-D",
|
|
"DUMP_MODULES"]
|
|
return parse_from_subprocess(mod_cmd, r"(.*)_module")
|
|
|
|
|
|
def parse_from_subprocess(command, regexp):
|
|
"""Get values from stdout of subprocess command
|
|
|
|
:param list command: Command to run
|
|
:param str regexp: Regexp for parsing
|
|
|
|
:returns: list parsed from command output
|
|
:rtype: list
|
|
|
|
"""
|
|
stdout = _get_runtime_cfg(command)
|
|
return re.compile(regexp).findall(stdout)
|
|
|
|
|
|
def _get_runtime_cfg(command):
|
|
"""
|
|
Get runtime configuration info.
|
|
|
|
:param command: Command to run
|
|
|
|
:returns: stdout from command
|
|
|
|
"""
|
|
try:
|
|
proc = subprocess.Popen(
|
|
command,
|
|
stdout=subprocess.PIPE,
|
|
stderr=subprocess.PIPE,
|
|
universal_newlines=True,
|
|
env=util.env_no_snap_for_external_calls())
|
|
stdout, stderr = proc.communicate()
|
|
|
|
except (OSError, ValueError):
|
|
logger.error(
|
|
"Error running command %s for runtime parameters!%s",
|
|
command, os.linesep)
|
|
raise errors.MisconfigurationError(
|
|
"Error accessing loaded Apache parameters: {0}".format(
|
|
command))
|
|
# Small errors that do not impede
|
|
if proc.returncode != 0:
|
|
logger.warning("Error in checking parameter list: %s", stderr)
|
|
raise errors.MisconfigurationError(
|
|
"Apache is unable to check whether or not the module is "
|
|
"loaded because Apache is misconfigured.")
|
|
|
|
return stdout
|
|
|
|
def find_ssl_apache_conf(prefix):
|
|
"""
|
|
Find a TLS Apache config file in the dedicated storage.
|
|
:param str prefix: prefix of the TLS Apache config file to find
|
|
:return: the path the TLS Apache config file
|
|
:rtype: str
|
|
"""
|
|
return pkg_resources.resource_filename(
|
|
"certbot_apache",
|
|
os.path.join("_internal", "tls_configs", "{0}-options-ssl-apache.conf".format(prefix)))
|