1 | #!/usr/bin/python |
---|
2 | |
---|
3 | import base64 |
---|
4 | import hashlib |
---|
5 | import ldap |
---|
6 | import os |
---|
7 | import sys |
---|
8 | import textwrap |
---|
9 | from OpenSSL import crypto, SSL |
---|
10 | |
---|
11 | CERTS_DIR = '/var/lib/scripts-certs' |
---|
12 | |
---|
13 | ll = ldap.initialize('ldapi://%2fvar%2frun%2fslapd-scripts.socket/') |
---|
14 | with open('/etc/signup-ldap-pw') as pw_file: |
---|
15 | ll.simple_bind_s("cn=Directory Manager", pw_file.read()) |
---|
16 | |
---|
17 | if not os.path.exists(CERTS_DIR): |
---|
18 | os.mkdir(CERTS_DIR) |
---|
19 | |
---|
20 | vhosts = ll.search_s( |
---|
21 | 'ou=VirtualHosts,dc=scripts,dc=mit,dc=edu', |
---|
22 | ldap.SCOPE_SUBTREE, |
---|
23 | '(&(objectClass=scriptsVhost)(scriptsVhostCertificate=*))', |
---|
24 | ['scriptsVhostName', 'scriptsVhostAlias', 'scriptsVhostCertificate', 'scriptsVhostCertificateKeyFile']) |
---|
25 | |
---|
26 | vhosts.sort(key=lambda (dn, vhost): vhost['scriptsVhostName']) |
---|
27 | |
---|
28 | cert_filenames = set() |
---|
29 | error = False |
---|
30 | |
---|
31 | def err(e): |
---|
32 | global error |
---|
33 | sys.stderr.write(e) |
---|
34 | error = True |
---|
35 | |
---|
36 | def conf(vhost): |
---|
37 | name, = vhost['scriptsVhostName'] |
---|
38 | aliases = vhost.get('scriptsVhostAlias', []) |
---|
39 | certs, = vhost['scriptsVhostCertificate'] |
---|
40 | try: |
---|
41 | key_filename, = vhost['scriptsVhostCertificateKeyFile'] |
---|
42 | except KeyError: |
---|
43 | err('Error: missing scriptsVhostCertificateKeyFile for vhost {}\n'.format(name)) |
---|
44 | return |
---|
45 | |
---|
46 | try: |
---|
47 | certs = [crypto.load_certificate(crypto.FILETYPE_ASN1, base64.b64decode(cert)) for cert in certs.split()] |
---|
48 | except (TypeError, crypto.Error) as e: |
---|
49 | err('Error: malformed certificate list for vhost {}: {}\n'.format(name, e)) |
---|
50 | return |
---|
51 | |
---|
52 | if not certs: |
---|
53 | err('Error: empty certificate list for vhost {}\n'.format(name)) |
---|
54 | return |
---|
55 | |
---|
56 | key_path = os.path.join('/etc/pki/tls/private', key_filename) |
---|
57 | if os.path.split(os.path.abspath(key_path)) != ('/etc/pki/tls/private', key_filename): |
---|
58 | err('Error: bad key filename {} for vhost {}\n'.format(key_path, name)) |
---|
59 | return |
---|
60 | |
---|
61 | ctx = SSL.Context(SSL.SSLv23_METHOD) |
---|
62 | try: |
---|
63 | ctx.use_privatekey_file(key_path, crypto.FILETYPE_PEM) |
---|
64 | except (SSL.Error, crypto.Error) as e: |
---|
65 | err('Error: could not read key {} for vhost {}: {}\n'.format(key_path, name, e)) |
---|
66 | return |
---|
67 | |
---|
68 | ctx.use_certificate(certs[0]) |
---|
69 | for cert in certs[1:]: |
---|
70 | ctx.add_extra_chain_cert(cert) |
---|
71 | |
---|
72 | try: |
---|
73 | ctx.check_privatekey() |
---|
74 | except SSL.Error as e: |
---|
75 | err('Error: key {} does not match certificate for vhost {}: {}\n'.format(key_path, name, e)) |
---|
76 | return |
---|
77 | |
---|
78 | certs_pem = ''.join(crypto.dump_certificate(crypto.FILETYPE_PEM, cert) for cert in certs) |
---|
79 | cert_filename = base64.urlsafe_b64encode(hashlib.sha256(certs_pem).digest()).strip() + '.pem' |
---|
80 | cert_filenames.add(cert_filename) |
---|
81 | cert_path = os.path.join(CERTS_DIR, cert_filename) |
---|
82 | if not os.path.exists(cert_path): |
---|
83 | with open(cert_path + '.new', 'w') as cert_file: |
---|
84 | cert_file.write(certs_pem) |
---|
85 | os.rename(cert_path + '.new', cert_path) |
---|
86 | |
---|
87 | for port in 443, 444: |
---|
88 | yield '<VirtualHost *:{}>\n'.format(port) |
---|
89 | yield '\tServerName {}\n'.format(name) |
---|
90 | if aliases: |
---|
91 | yield '\tServerAlias {}\n'.format(' '.join(aliases)) |
---|
92 | yield '\tInclude conf.d/vhost_ldap.conf\n' |
---|
93 | yield '\tInclude conf.d/vhosts-common-ssl.conf\n' |
---|
94 | if port == 444: |
---|
95 | yield '\tInclude conf.d/vhosts-common-ssl-cert.conf\n' |
---|
96 | yield '\tSSLCertificateFile {}\n'.format(cert_path) |
---|
97 | yield '\tSSLCertificateKeyFile {}\n'.format(key_path) |
---|
98 | yield '</VirtualHost>\n' |
---|
99 | |
---|
100 | with open(os.path.join(CERTS_DIR, 'vhosts.conf.new'), 'w') as vhosts_file: |
---|
101 | vhosts_file.write('# Generated by {}. Manual changes will be lost.\n\n'.format(os.path.realpath(__file__))) |
---|
102 | vhosts_file.write(''.join(l for dn, vhost in vhosts for l in conf(vhost))) |
---|
103 | os.rename(os.path.join(CERTS_DIR, 'vhosts.conf.new'), os.path.join(CERTS_DIR, 'vhosts.conf')) |
---|
104 | |
---|
105 | for filename in os.listdir(CERTS_DIR): |
---|
106 | if filename.endswith('.pem') and filename not in cert_filenames: |
---|
107 | os.remove(os.path.join(CERTS_DIR, filename)) |
---|
108 | |
---|
109 | sys.exit(1 if error else 0) |
---|