2019-03-18 03:14:00 +01:00
|
|
|
import os, shutil, pathlib
|
2019-03-18 08:07:19 +01:00
|
|
|
from g import templates_dir, config_dir, root_crt_path, secret_key_dir,DEFAULT_UID, DEFAULT_GID
|
2018-11-15 04:09:57 +01:00
|
|
|
from .cert import openssl_installed, create_cert, create_root_cert, get_alias
|
|
|
|
from .jinja import render_jinja
|
2019-08-01 10:02:08 +02:00
|
|
|
from .misc import mark_file, prepare_dir
|
2018-11-15 04:09:57 +01:00
|
|
|
|
|
|
|
notary_template_dir = os.path.join(templates_dir, "notary")
|
|
|
|
notary_signer_pg_template = os.path.join(notary_template_dir, "signer-config.postgres.json.jinja")
|
|
|
|
notary_server_pg_template = os.path.join(notary_template_dir, "server-config.postgres.json.jinja")
|
|
|
|
notary_server_nginx_config_template = os.path.join(templates_dir, "nginx", "notary.server.conf.jinja")
|
|
|
|
notary_signer_env_template = os.path.join(notary_template_dir, "signer_env.jinja")
|
|
|
|
notary_server_env_template = os.path.join(notary_template_dir, "server_env.jinja")
|
|
|
|
|
|
|
|
notary_config_dir = os.path.join(config_dir, 'notary')
|
|
|
|
notary_signer_pg_config = os.path.join(notary_config_dir, "signer-config.postgres.json")
|
|
|
|
notary_server_pg_config = os.path.join(notary_config_dir, "server-config.postgres.json")
|
|
|
|
notary_server_config_path = os.path.join(notary_config_dir, 'notary.server.conf')
|
|
|
|
notary_signer_env_path = os.path.join(notary_config_dir, "signer_env")
|
|
|
|
notary_server_env_path = os.path.join(notary_config_dir, "server_env")
|
|
|
|
|
|
|
|
|
2019-04-01 12:06:24 +02:00
|
|
|
def prepare_env_notary(nginx_config_dir):
|
2019-08-01 10:02:08 +02:00
|
|
|
notary_config_dir = prepare_dir(config_dir, "notary")
|
2019-03-18 03:14:00 +01:00
|
|
|
old_signer_cert_secret_path = pathlib.Path(os.path.join(config_dir, 'notary-signer.crt'))
|
|
|
|
old_signer_key_secret_path = pathlib.Path(os.path.join(config_dir, 'notary-signer.key'))
|
|
|
|
old_signer_ca_cert_secret_path = pathlib.Path(os.path.join(config_dir, 'notary-signer-ca.crt'))
|
|
|
|
|
2019-08-01 10:02:08 +02:00
|
|
|
notary_secret_dir = prepare_dir('/secret/notary')
|
2019-03-18 03:14:00 +01:00
|
|
|
signer_cert_secret_path = pathlib.Path(os.path.join(notary_secret_dir, 'notary-signer.crt'))
|
|
|
|
signer_key_secret_path = pathlib.Path(os.path.join(notary_secret_dir, 'notary-signer.key'))
|
|
|
|
signer_ca_cert_secret_path = pathlib.Path(os.path.join(notary_secret_dir, 'notary-signer-ca.crt'))
|
|
|
|
|
|
|
|
# In version 1.8 the secret path changed
|
|
|
|
# If cert, key , ca all are exist in new place don't do anything
|
|
|
|
if not(
|
|
|
|
signer_cert_secret_path.exists() and
|
|
|
|
signer_key_secret_path.exists() and
|
|
|
|
signer_ca_cert_secret_path.exists()
|
|
|
|
):
|
|
|
|
# If the certs are exist in old place, move it to new place
|
|
|
|
if old_signer_ca_cert_secret_path.exists() and old_signer_cert_secret_path.exists() and old_signer_key_secret_path.exists():
|
2018-11-15 04:09:57 +01:00
|
|
|
print("Copying certs for notary signer")
|
2019-03-18 03:14:00 +01:00
|
|
|
shutil.copy2(old_signer_ca_cert_secret_path, signer_ca_cert_secret_path)
|
|
|
|
shutil.copy2(old_signer_key_secret_path, signer_key_secret_path)
|
|
|
|
shutil.copy2(old_signer_cert_secret_path, signer_cert_secret_path)
|
|
|
|
# If certs neither exist in new place nor in the old place, create it and move it to new place
|
2019-03-18 08:07:19 +01:00
|
|
|
elif openssl_installed():
|
2019-03-18 03:14:00 +01:00
|
|
|
try:
|
|
|
|
temp_cert_dir = os.path.join('/tmp', "cert_tmp")
|
|
|
|
if not os.path.exists(temp_cert_dir):
|
|
|
|
os.makedirs(temp_cert_dir)
|
|
|
|
ca_subj = "/C=US/ST=California/L=Palo Alto/O=GoHarbor/OU=Harbor/CN=Self-signed by GoHarbor"
|
|
|
|
cert_subj = "/C=US/ST=California/L=Palo Alto/O=GoHarbor/OU=Harbor/CN=notarysigner"
|
|
|
|
signer_ca_cert = os.path.join(temp_cert_dir, "notary-signer-ca.crt")
|
|
|
|
signer_ca_key = os.path.join(temp_cert_dir, "notary-signer-ca.key")
|
|
|
|
signer_cert_path = os.path.join(temp_cert_dir, "notary-signer.crt")
|
|
|
|
signer_key_path = os.path.join(temp_cert_dir, "notary-signer.key")
|
|
|
|
create_root_cert(ca_subj, key_path=signer_ca_key, cert_path=signer_ca_cert)
|
|
|
|
create_cert(cert_subj, signer_ca_key, signer_ca_cert, key_path=signer_key_path, cert_path=signer_cert_path)
|
|
|
|
print("Copying certs for notary signer")
|
|
|
|
shutil.copy2(signer_cert_path, signer_cert_secret_path)
|
|
|
|
shutil.copy2(signer_key_path, signer_key_secret_path)
|
|
|
|
shutil.copy2(signer_ca_cert, signer_ca_cert_secret_path)
|
|
|
|
finally:
|
|
|
|
srl_tmp = os.path.join(os.getcwd(), ".srl")
|
|
|
|
if os.path.isfile(srl_tmp):
|
|
|
|
os.remove(srl_tmp)
|
|
|
|
if os.path.isdir(temp_cert_dir):
|
|
|
|
shutil.rmtree(temp_cert_dir, True)
|
2019-03-18 08:07:19 +01:00
|
|
|
else:
|
|
|
|
raise(Exception("No certs for notary"))
|
2018-11-15 04:09:57 +01:00
|
|
|
|
|
|
|
|
|
|
|
print("Copying nginx configuration file for notary")
|
2019-07-29 09:52:17 +02:00
|
|
|
|
|
|
|
render_jinja(
|
2019-03-27 10:56:31 +01:00
|
|
|
os.path.join(templates_dir, "nginx", "notary.upstream.conf.jinja"),
|
2019-07-29 09:52:17 +02:00
|
|
|
os.path.join(nginx_config_dir, "notary.upstream.conf"),
|
|
|
|
gid=DEFAULT_GID,
|
|
|
|
uid=DEFAULT_UID)
|
2018-11-15 04:09:57 +01:00
|
|
|
|
2019-03-18 03:14:00 +01:00
|
|
|
mark_file(os.path.join(notary_secret_dir, "notary-signer.crt"))
|
|
|
|
mark_file(os.path.join(notary_secret_dir, "notary-signer.key"))
|
|
|
|
mark_file(os.path.join(notary_secret_dir, "notary-signer-ca.crt"))
|
2018-11-15 04:09:57 +01:00
|
|
|
|
|
|
|
|
|
|
|
def prepare_notary(config_dict, nginx_config_dir, ssl_cert_path, ssl_cert_key_path):
|
|
|
|
|
2019-04-01 12:06:24 +02:00
|
|
|
prepare_env_notary(nginx_config_dir)
|
2018-11-15 04:09:57 +01:00
|
|
|
|
|
|
|
render_jinja(
|
2019-05-10 04:44:05 +02:00
|
|
|
notary_server_nginx_config_template,
|
|
|
|
os.path.join(nginx_config_dir, "notary.server.conf"),
|
2019-07-29 09:52:17 +02:00
|
|
|
gid=DEFAULT_GID,
|
|
|
|
uid=DEFAULT_UID,
|
2019-05-10 04:44:05 +02:00
|
|
|
ssl_cert=ssl_cert_path,
|
|
|
|
ssl_cert_key=ssl_cert_key_path)
|
2018-11-15 04:09:57 +01:00
|
|
|
|
|
|
|
render_jinja(
|
|
|
|
notary_server_pg_template,
|
|
|
|
notary_server_pg_config,
|
|
|
|
uid=DEFAULT_UID,
|
|
|
|
gid=DEFAULT_GID,
|
2019-05-10 04:44:05 +02:00
|
|
|
token_endpoint=config_dict['public_url'],
|
|
|
|
**config_dict)
|
2018-11-15 04:09:57 +01:00
|
|
|
|
|
|
|
render_jinja(
|
2019-05-10 04:44:05 +02:00
|
|
|
notary_server_env_template,
|
|
|
|
notary_server_env_path,
|
|
|
|
**config_dict
|
|
|
|
)
|
2018-11-15 04:09:57 +01:00
|
|
|
|
2019-03-12 12:09:01 +01:00
|
|
|
default_alias = get_alias(secret_key_dir)
|
2019-05-10 04:44:05 +02:00
|
|
|
|
2018-11-15 04:09:57 +01:00
|
|
|
render_jinja(
|
|
|
|
notary_signer_env_template,
|
|
|
|
notary_signer_env_path,
|
2019-05-10 04:44:05 +02:00
|
|
|
alias=default_alias,
|
|
|
|
**config_dict)
|
2018-11-15 04:09:57 +01:00
|
|
|
|
|
|
|
render_jinja(
|
2019-05-10 04:44:05 +02:00
|
|
|
notary_signer_pg_template,
|
|
|
|
notary_signer_pg_config,
|
|
|
|
uid=DEFAULT_UID,
|
|
|
|
gid=DEFAULT_GID,
|
|
|
|
alias=default_alias,
|
|
|
|
**config_dict)
|