portusctl: disable automatic generation of certificates

Introduce two new flags regarding SSL certificates: * --ssl-gen-self-signed-certs * --ssl-certs-dir <dir> The former, as the name suggests, creates self-signed certificates. The latter uses certificates located in the specified directory. From there, it will copy the certificates to the apache directory and continue the process as before. Should either one of the certificates be missing, it will fail with a meaningful message. If neither flag is specified, it assumes the certificates are already located in `/etc/apache2/ssl.{key,crt}/`. As before, should either one of the certificates be missing, it will fail with a meaningful message. These two flags are mutually exclusive. Signed-off-by: Thomas Hipp <[email protected]>
SUSE · May 9, 2016 · d34714f · d34714f
1 parent 17be80f
commit d34714f
Show file tree

Hide file tree

Showing 4 changed files with 77 additions and 35 deletions.
diff --git a/packaging/suse/portusctl/lib/cli.rb b/packaging/suse/portusctl/lib/cli.rb
@@ -4,6 +4,18 @@ class Cli < Thor
   option "secure", desc: "Toggle SSL usage for Portus", type: :boolean, default: true
 
   # SSL certificate options
+  option "ssl-gen-self-signed-certs",
+    desc:    "Generate self-signed certificates",
+    type:    :boolean,
+    default: false
+  option "ssl-certs-dir",
+    desc:      "Location of own certificates",
+    default:   "",
+    long_desc: <<-LONGDESC
+Looks for the following required certificate files in the specified folder:
+   * `<custom dir>/<hostname>-ca.key`: the certificate key
+   * `<custom dir>/<hostname>-ca.crt`: the certificate file
+  LONGDESC
   option "ssl-organization",
     desc:    "SSL certificate: organization",
     default: "SUSE Linux GmbH" # gensslcert -o
@@ -107,7 +119,7 @@ class Cli < Thor
 
   def setup
     ensure_root
-    check_setup_flags
+    check_setup_flags options
 
     configure = Configurator.new(options)
     configure.apache
@@ -169,21 +181,4 @@ def logs(*args)
     Runner.exec("cp", ["/var/log/apache2/error_log", File.join(PORTUS_ROOT, "log/production.log")])
     Runner.tar_files("log/production.log", "log/crono.log", "log/versions.log")
   end
-
-  private
-
-  def ensure_root
-    return if Process.uid == 0
-
-    warn "Must run as root user"
-    exit 1
-  end
-
-  def check_setup_flags
-    return unless options["ldap-enable"] && \
-        (options["ldap-hostname"].nil? || options["ldap-hostname"].empty?)
-
-    warn "LDAP support is enabled but you didn't specify a value for ldap-hostname"
-    exit 1
-  end
 end
diff --git a/packaging/suse/portusctl/lib/configurator.rb b/packaging/suse/portusctl/lib/configurator.rb
@@ -26,19 +26,12 @@ def apache
   end
 
   # Performs the following operations:
-  #   * create the ssl certificates
-  #   * copy the cerificates to the right locations
+  #   * create the ssl certificates if specified
+  #   * check the presence of the required files
+  #   * copy the certificates to the right locations
   def ssl
-    unless File.exist?("/etc/apache2/ssl.key/#{HOSTNAME}-ca.key")
-      puts <<EOM
-Generating private key and certificate"
-************************************************************************
-If you want to use your own private key and certificates, upload them to
-  * /etc/apache2/ssl.key/#{HOSTNAME}-ca.key"
-  * /etc/apache2/ssl.crt/#{HOSTNAME}-ca.crt"
-and then re-run this script"
-************************************************************************
-EOM
+    if @options["ssl-gen-self-signed-certs"]
+      puts "Generating private key and certificate"
       args = [
         "-C", HOSTNAME,
         "-n", HOSTNAME,
@@ -52,23 +45,32 @@ def ssl
       Runner.exec("gensslcert", args)
     end
 
+    handle_own_certs @options["ssl-certs-dir"].chomp \
+      unless @options["ssl-certs-dir"].chomp.empty?
+
+    key_file = "/etc/apache2/ssl.key/#{HOSTNAME}-ca.key"
+    crt_file = "/etc/apache2/ssl.crt/#{HOSTNAME}-ca.crt"
+
+    missing_file(key_file) unless File.exist?(key_file)
+    missing_file(crt_file) unless File.exist?(crt_file)
+
     FileUtils.chown("wwwrun", "www", "/etc/apache2/ssl.key")
     FileUtils.chmod(0750, "/etc/apache2/ssl.key")
 
-    FileUtils.chown("wwwrun", "www", "/etc/apache2/ssl.key/#{HOSTNAME}-ca.key")
-    FileUtils.chmod(0440, "/etc/apache2/ssl.key/#{HOSTNAME}-ca.key")
+    FileUtils.chown("wwwrun", "www", key_file)
+    FileUtils.chmod(0440, key_file)
 
     # Create key used by Portus to sign the JWT tokens
     FileUtils.ln_sf(
-      "/etc/apache2/ssl.key/#{HOSTNAME}-ca.key",
+      key_file,
       File.join("/srv/Portus/config", "server.key"))
 
     FileUtils.cp(
-      "/etc/apache2/ssl.crt/#{HOSTNAME}-ca.crt",
+      crt_file,
       "/srv/www/htdocs")
     FileUtils.chmod(0755, "/srv/www/htdocs/#{HOSTNAME}-ca.crt")
     FileUtils.cp(
-      "/etc/apache2/ssl.crt/#{HOSTNAME}-ca.crt",
+      crt_file,
       "/etc/pki/trust/anchors")
     Runner.exec("update-ca-certificates")
   end

diff --git a/packaging/suse/portusctl/lib/helper.rb b/packaging/suse/portusctl/lib/helper.rb
@@ -0,0 +1,44 @@
+def check_setup_flags(options)
+  if options["ssl-gen-self-signed-certs"] && \
+      !options["ssl-certs-dir"].chomp.empty?
+    warn "cannot use both options --ssl-gen-self-signed-certs and " \
+      "--ssl-certs-dir at the same time"
+    exit 1
+  end
+
+  return unless options["ldap-enable"] && \
+      (options["ldap-hostname"].nil? || options["ldap-hostname"].empty?)
+
+  warn "LDAP support is enabled but you didn't specify a value for ldap-hostname"
+  exit 1
+end
+
+def ensure_root
+  return if Process.uid == 0
+
+  warn "Must run as root user"
+  exit 1
+end
+
+def handle_own_certs(path)
+  puts "Using keys from #{path}"
+  key_file = File.join(path, "#{HOSTNAME}-ca.key")
+  crt_file = File.join(path, "#{HOSTNAME}-ca.crt")
+
+  missing_file(key_file, path) unless File.exist?(key_file)
+  FileUtils.cp(key_file, "/etc/apache2/ssl.key")
+
+  missing_file(crt_file, path) unless File.exist?(crt_file)
+  FileUtils.cp(crt_file, "/etc/apache2/ssl.crt")
+end
+
+def missing_file(filename, path = "")
+  if path.empty?
+    warn "missing file #{filename}.\n" \
+      "Use --ssl-gen-self-signed-certs to generate new certificates, or " \
+      "--ssl-certs-dir <path> to specify a directory containing certificates."
+  else
+    warn "cannot find file #{File.basename filename} inside of #{path}."
+  end
+  exit 1
+end
diff --git a/packaging/suse/portusctl/lib/portusctl.rb b/packaging/suse/portusctl/lib/portusctl.rb
@@ -9,3 +9,4 @@
 require_relative "template_writer"
 require_relative "configurator"
 require_relative "cli"
+require_relative "helper"