| 1 | #!/usr/bin/python |
import base64
import errno
import hashlib
import os
import sys
import textwrap

import ldap
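CERTS_DIR = '/var/lib/scripts-certs'

# Connect over the local LDAPI socket and bind as Directory Manager with the
# credential stored in /etc/signup-ldap-pw. The file's contents are passed to
# the bind unchanged, including any trailing newline it may contain.
ll = ldap.initialize('ldapi://%2fvar%2frun%2fslapd-scripts.socket/')
with open('/etc/signup-ldap-pw') as pw_file:
    ll.simple_bind_s("cn=Directory Manager", pw_file.read())

# Create the output directory if it is missing. Catching EEXIST instead of
# testing os.path.exists() first avoids a spurious failure when the directory
# appears between the check and the mkdir (e.g. a concurrent run).
try:
    os.mkdir(CERTS_DIR)
except OSError as err:
    if err.errno != errno.EEXIST:
        raise

# Every vhost entry that carries a certificate, with just the attributes
# conf() reads.
vhosts = ll.search_s(
    'ou=VirtualHosts,dc=scripts,dc=mit,dc=edu',
    ldap.SCOPE_SUBTREE,
    '(&(objectClass=scriptsVhost)(scriptsVhostCertificate=*))',
    ['scriptsVhostName', 'scriptsVhostAlias', 'scriptsVhostCertificate', 'scriptsVhostCertificateKeyFile'])

# Deterministic output order. Each result is a (dn, attrs) tuple; indexing it
# rather than using a tuple-parameter lambda keeps this valid on Python 3 too.
vhosts.sort(key=lambda entry: entry[1]['scriptsVhostName'])

# Filenames of the certificate bundles conf() writes this run; any other .pem
# under CERTS_DIR is removed once the new vhosts.conf is in place.
cert_filenames = set()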
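def conf(vhost):
    """Yield the Apache configuration lines for one scriptsVhost entry.

    *vhost* is the attribute dict of an LDAP search result. The entry's
    certificate chain is written to a content-addressed ``.pem`` file under
    CERTS_DIR (an existing file with that name is reused), the filename is
    recorded in the module-level ``cert_filenames`` set, and two
    ``<VirtualHost>`` blocks (ports 443 and 444) referencing that file are
    yielded one line at a time.

    Raises ValueError (on first iteration) if a value interpolated into a
    directive contains whitespace or a control character: such a value could
    end the directive early and smuggle additional configuration into the
    generated file.
    """
    name, = vhost['scriptsVhostName']
    aliases = vhost.get('scriptsVhostAlias', [])
    certs, = vhost['scriptsVhostCertificate']
    key_filename, = vhost['scriptsVhostCertificateKeyFile']

    # Each of these values lands on a config line of its own. A hostname or a
    # key filename never legitimately contains whitespace or control
    # characters, so reject such values instead of emitting a malformed block.
    # The caller writes the whole vhosts.conf before renaming it into place,
    # so raising here leaves the previously generated file untouched.
    for value in [name, key_filename] + list(aliases):
        if not value or any(c.isspace() or ord(c) < 32 for c in value):
            raise ValueError('unsafe attribute value for vhost %r: %r' % (name, value))
    # NOTE(review): key_filename is joined under /etc/pki/tls/private as-is;
    # whether the schema ever allows path separators in it is not visible
    # here, so no stricter check is applied.

    # The attribute holds whitespace-separated base64 DER blobs; re-wrap each
    # one as a PEM block, keeping the order the directory gives.
    pem_blocks = []
    for cert in certs.split():
        body = '\n'.join(textwrap.wrap(cert, 64))
        pem_blocks.append('-----BEGIN CERTIFICATE-----\n' + body + '\n-----END CERTIFICATE-----\n')
    certs = ''.join(pem_blocks)

    # Content-addressed filename: identical chains share one file and a
    # changed chain gets a new file instead of overwriting the old one. The
    # explicit ASCII encode/decode makes this run on both Python 2 and 3.
    digest = hashlib.sha256(certs.encode('ascii')).digest()
    cert_filename = base64.urlsafe_b64encode(digest).decode('ascii').strip() + '.pem'
    cert_filenames.add(cert_filename)
    cert_path = os.path.join(CERTS_DIR, cert_filename)
    if not os.path.exists(cert_path):
        # Write under a temporary name and rename so a reader never sees a
        # partially written bundle.
        with open(cert_path + '.new', 'w') as cert_file:
            cert_file.write(certs)
        os.rename(cert_path + '.new', cert_path)

    key_path = os.path.join('/etc/pki/tls/private', key_filename)
    for port in 443, 444:
        yield '<VirtualHost *:{}>\n'.format(port)
        yield '\tServerName {}\n'.format(name)
        if aliases:
            yield '\tServerAlias {}\n'.format(' '.join(aliases))
        yield '\tInclude conf.d/vhost_ldap.conf\n'
        yield '\tInclude conf.d/vhosts-common-ssl.conf\n'
        # Only the port-444 block pulls in the per-certificate include.
        if port == 444:
            yield '\tInclude conf.d/vhosts-common-ssl-cert.conf\n'
        yield '\tSSLCertificateFile {}\n'.format(cert_path)
        yield '\tSSLCertificateKeyFile {}\n'.format(key_path)
        yield '</VirtualHost>\n'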
# Assemble the new vhosts.conf under a temporary name and rename it into
# place, so Apache never reads a half-written file. conf() writes each
# vhost's certificate bundle as a side effect, so every .pem the new config
# references exists before the rename happens.
conf_path = os.path.join(CERTS_DIR, 'vhosts.conf')
tmp_path = conf_path + '.new'
with open(tmp_path, 'w') as vhosts_file:
    vhosts_file.write('# Generated by {}. Manual changes will be lost.\n\n'.format(os.path.realpath(__file__)))
    vhosts_file.writelines(line for dn, vhost in vhosts for line in conf(vhost))
os.rename(tmp_path, conf_path)

# Only now, with the new config live, drop certificate bundles that no current
# vhost references (conf() recorded the live ones in cert_filenames).
for filename in os.listdir(CERTS_DIR):
    if not filename.endswith('.pem') or filename in cert_filenames:
        continue
    os.remove(os.path.join(CERTS_DIR, filename))