Commit beff048d authored by Chris Snijder's avatar Chris Snijder 🏅

Merge branch 'master' into '62-allow-running-one-off-for-debugging-purposes'

# Conflicts:
#   stapled/__main__.py
#   stapled/core/exceptions.py
parents 588951d7 c75e97d3
......@@ -86,6 +86,19 @@ logdir=/var/log/stapled/
;; https://cbonte.github.io/haproxy-dconv/1.7/management.html#9.3-set%20ssl%20ocsp-response
haproxy-sockets=[/var/run/haproxy/admin.sock]
;; Use HAProxy config files as the source of cert-paths and socket mappings.
;; Setting this will merge your `cert-paths` with paths found in the specified
;; HAProxy config files. Sockets defined in `haproxy-sockets` will also be
;; merged in the path to socket mapping.
; haproxy-config=/etc/haproxy/haproxy.cfg
;; Set a keep alive time in seconds after wich the connection to the HAProxy
;; sockets is terminated. The minimum allowed value is 10 seconds, because
;; stapled will take at least a bit of time to communicate with HAProxy, and
;; either process could be "busy".
; haproxy-socket-keepalive=3600
;; Don't output anything to stdout, can be used together with `logdir`
;; and/or `syslog` to prevent output on stdout while logging the set verbosity
;; level to a file or syslog. Uncomment to enable
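Review bot: The new comment block for `haproxy-socket-keepalive` has a typo in its first line, `wich` should read `which` (`;; Set a keep alive time in seconds after which the connection to the HAProxy`). The same block states that the minimum allowed value is 10 seconds, while the validation added to `stapled/__main__.py` in this commit rejects values below 10 but reports that the value "should be higher than 10"; the comment and the error message should agree on whether 10 itself is accepted.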
......
stapled (1.1) stretch; urgency=low
* Change haproxy socket connection keep-alive (formerly "timeout") to new
default: 3600 seconds.
* Add --haproxy-socket-keepalive command line argument.
-- Chris <chris@greenhost.nl> Mon, 22 Oct 2018 18:34:15 +0200
stapled (1.0) stretch; urgency=low
* This version removes support for debian Jessie due to the shutdown of
......
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""
This is the module that parses your command line arguments and then starts
the OCSP Staple daemon, which searches your certificate paths and
requests staples for all certificates in them. They will then be saved as
``certificatename.pem.ocsp`` in the same paths that are being indexed.
Parse command line arguments and starts the OCSP Staple daemon.
The daemon searches your certificate paths and requests staples for all
certificates in them. They will then be saved as ``certificatename.pem.ocsp``
in the same paths that are being indexed.
Type ``stapled.py -h`` for all command line arguments.
......@@ -29,11 +30,11 @@ user's process hierarchy node. In any case, it starts up the
:mod:`stapled.core.daemon`
module to bootstrap the application.
"""
import configargparse
import logging
import logging.handlers
import os
import sys
import configargparse
import daemon
import stapled
import stapled.core.daemon
......@@ -535,6 +536,69 @@ def __get_validated_args():
return args
def __get_haproxy_socket_mapping(args):
"""
Get mapping of configured sockets and certificate directories.
From: haproxy config, stapled config and command line arguments.
:param Namespace args: Argparser argument list.
:return dict Of cert-paths and sockets for inform of changes.
"""
# Parse the cert_paths argument
arg_cert_paths = __get_arg_cert_paths(args)
# Parse haproxy_sockets argument.
arg_haproxy_sockets = __get_arg_haproxy_sockets(args)
# Make a mapping from certificate paths to sockets in a dict.
mapping = dict(zip(arg_cert_paths, arg_haproxy_sockets))
# Parse HAProxy config files.
try:
conf_cert_paths, conf_haproxy_sockets = parse_haproxy_config(
args.haproxy_config
)
except (OSError, IOError) as exc:
logger.critical(handle_file_error(exc))
exit(1)
# Combine the socket and certificate paths of the arguments and config
# files in the sockets dictionary.
for i, paths in enumerate(conf_cert_paths):
for path in paths:
if path in mapping:
mapping[path] = unique(
mapping[path] + conf_haproxy_sockets[i],
preserve_order=False
)
else:
mapping[path] = conf_haproxy_sockets[i]
logger.debug("Paths to socket mapping: %s", str(mapping))
return mapping
def __get_validated_args():
"""
Parse and validate CLI arguments and configuration.
Checks should match the restrictions in the usage help messages.
:returns Namespace: Validated argparser argument list.
"""
parser = get_cli_arg_parser()
args = parser.parse_args()
try:
if args.haproxy_socket_keepalive < 10:
raise ArgumentError(
"`--haproxy-socket-keepalive` should be higher than 10."
)
except ArgumentError as exc:
parser.print_usage(sys.stderr)
logger.critical("Invalid command line argument or value: %s", exc)
exit(1)
return args
if __name__ == '__main__':
try:
init()
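Review bot: The validation in `__get_validated_args` is inconsistent with its own message: `if args.haproxy_socket_keepalive < 10:` accepts exactly 10, yet the error says the value "should be higher than 10"; since the shipped config comment documents 10 as the minimum, the message should become `"`--haproxy-socket-keepalive` should be at least 10."` (or the comparison `<= 10` if 10 is meant to be rejected). Both error paths call the bare `exit(1)`, which is the `site`-module convenience builtin rather than `sys.exit`; `sys` is already imported in this file, so `sys.exit(1)` is the reliable form (the builtin is absent under `python -S` and in some frozen builds). In `__get_haproxy_socket_mapping`, `dict(zip(arg_cert_paths, arg_haproxy_sockets))` silently drops any cert path beyond the length of the socket list, so unless `__get_arg_cert_paths` and `__get_arg_haproxy_sockets` (outside this hunk) guarantee equal lengths, a length check with a critical log would make the misconfiguration visible instead of quietly unmonitored. The `if __name__ == '__main__':` block continues past the end of the hunk.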
......
......@@ -92,6 +92,7 @@ class Stapledaemon(object):
self.haproxy_socket_mapping = kwargs.pop(
'haproxy_socket_mapping', None
)
self.haproxy_socket_keepalive = kwargs.pop('haproxy_socket_keepalive')
self.file_extensions = kwargs.pop('file_extensions')
self.file_extensions = self.file_extensions.replace(" ", "").split(",")
self.renewal_threads = kwargs.pop('renewal_threads')
......@@ -175,6 +176,7 @@ class Stapledaemon(object):
name="proxy-adder",
thread_object=StapleAdder,
haproxy_socket_mapping=self.haproxy_socket_mapping,
haproxy_socket_keepalive=self.haproxy_socket_keepalive,
scheduler=self.scheduler
)
......
......@@ -61,7 +61,6 @@ class CertValidationError(Exception):
pass
class ArgumentError(Exception):
"""
Raised when a command line argument has an invalid value.
......
......@@ -13,7 +13,6 @@ import stapled.core.exceptions
LOG = logging.getLogger(__name__)
SOCKET_BUFFER_SIZE = 1024
SOCKET_TIMEOUT = 86400
class StapleAdder(threading.Thread):
......@@ -41,12 +40,6 @@ class StapleAdder(threading.Thread):
#: the base64 encoded OCSP staple
OCSP_ADD = 'set ssl ocsp-response {}'
#: Predefines commands to send to sockets just after opening them.
CONNECT_COMMANDS = [
"prompt",
"set timeout cli {}".format(SOCKET_TIMEOUT)
]
def __init__(self, *args, **kwargs):
"""
Initialise the thread and its parent :class:`threading.Thread`.
......@@ -65,11 +58,21 @@ class StapleAdder(threading.Thread):
self.haproxy_socket_mapping = kwargs.pop(
'haproxy_socket_mapping', None
)
self.haproxy_socket_keepalive = kwargs.pop(
'haproxy_socket_keepalive', None
)
assert self.scheduler is not None, \
"Please pass a scheduler to get and add proxy-add tasks."
assert self.haproxy_socket_mapping is not None, \
"The StapleAdder needs a haproxy_socket_mapping dict"
assert self.haproxy_socket_keepalive is not None, \
"No keep-alive defined for haproxy socket connection."
# Predefines commands to send to sockets just after opening them.
self.connect_commands = [
"prompt",
"set timeout cli {}".format(self.haproxy_socket_keepalive)
]
self.socks = {}
for paths in self.haproxy_socket_mapping.values():
......@@ -119,7 +122,7 @@ class StapleAdder(threading.Thread):
try:
sock.connect(path)
result = []
for command in self.CONNECT_COMMANDS:
for command in self.connect_commands:
result.extend(self._send(sock, command))
# Results (index 1) come per path (index 0), we need only results
result = [res[1] for res in result]
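Review bot: The keep-alive value is interpolated into `"set timeout cli {}"` and later written to the HAProxy admin socket, but nothing in `__init__` checks that it is actually an integer; `"set timeout cli {}".format(int(self.haproxy_socket_keepalive))` would make a non-numeric or malformed value fail at construction time with a `ValueError` instead of being sent to HAProxy as part of a CLI command. The new not-None check follows the file's existing `assert` pattern, which is stripped under `python -O`, so it is documentation rather than enforcement; an explicit `if ... is None: raise ValueError(...)` is the robust form for all three checks. Removing the module-level `SOCKET_TIMEOUT` is correct for the lines shown, but if any other code in this module still references it that becomes a `NameError` at runtime, which is worth a grep before merging. `__init__` starts at the top of the second hunk and continues beyond it, so if its docstring enumerates the accepted kwargs, `haproxy_socket_keepalive` should be added there.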
......
__version__ = '1.0'
__version__ = '1.1'
__app_name__ = 'stapled'
__debian_version__ = 'stretch'
......@@ -286,7 +286,7 @@ class GitVersion(object):
# Take index 7: to strip off 'commit '
commit_hash = str(
subprocess.check_output(
['git', 'log', '-n', '1', self.file],
['git', 'log', '--decorate=', '-n', '1', self.file],
universal_newlines=True
)
).split('\n')[0][len('commit '):]
......@@ -453,7 +453,7 @@ def main():
default='stapled/version.py',
const='stapled/version.py',
help=(
'Save the new number to the a file named .version, optionally pass'
'Save the new number to the version file, optionally pass'
'a different filename to the argument.'
)
)
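Review bot: The rewritten help string drops the space at the line break: `'Save the new number to the version file, optionally pass'` followed by `'a different filename to the argument.'` concatenates to "optionally passa different filename"; the first literal should end with a trailing space, `'Save the new number to the version file, optionally pass '`. In the `GitVersion` hunk, `--decorate=` stops branch and tag names from being appended to the `commit ...` line, but `['git', 'log', '--format=%H', '-n', '1', self.file]` prints only the hash and removes both the workaround and the fragile `.split('\n')[0][len('commit '):]` slicing that follows. Both enclosing definitions start outside their hunks.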
......