Hoshpak
/
acme-updater


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331
							# SPDX-FileCopyrightText: 2016-2023 Helmut Pozimski <helmut@pozimski.eu>
#
# SPDX-License-Identifier: GPL-2.0-only

# -*- coding: utf8 -*-

"""
collection of helper functions used in other modules of acme-updater.
"""

import logging
import datetime
import os
import shutil
import hashlib
import subprocess

import OpenSSL
import dns.tsigkeyring
import dns.update
import dns.query

from typing import List
from amulib.vhost_entry import ApacheVhostEntry

LOGGER = logging.getLogger("acme-updater")


def parse_apache_vhost(file_obj) -> List[ApacheVhostEntry]:
    """
    Parses a given vhost file and extracts the main domain,
    the certificate file, the TLS key file and all domains contained
    within the vhost.

    :param file_obj: file obj pointing to a vhost to parse
    :return: list of tuples with domains and found certificates
    :rtype: list
    """
    vhost_started = False
    parsed_info = []
    cert_path = ""
    key_path = ""
    main_domain = ""
    domains = set()
    for line in file_obj:
        if "<VirtualHost" in line:
            vhost_started = True
        elif "</VirtualHost" in line and vhost_started:
            vhost_started = False
            if cert_path and key_path and main_domain and domains:
                parsed_info.append(ApacheVhostEntry(main_domain, cert_path, key_path, domains))
                LOGGER.debug(
                    "Found vhost with main domain %s, certificate %s and key "
                    "file %s", main_domain, cert_path, key_path)
                cert_path = ""
                key_path = ""
                main_domain = ""
        elif "ServerName" in line:
            main_domain = line.strip().rsplit()[1]
            domains.add(line.strip().rsplit()[1])
        elif "SSLCertificateFile" in line:
            cert_path = line.strip().rsplit()[1]
        elif "SSLCertificateKeyFile" in line:
            key_path = line.strip().rsplit()[1]
        elif "ServerAlias" in line:
            for domain in line.strip().rsplit()[1].split(" "):
                domains.add(domain)
    return parsed_info


def parse_asn1_time(timestamp):
    """
    parses an ANS1 timestamp as returned by OpenSSL and turns it into a python
    datetime object.

    :param timestamp: ASN1 timestamp
    :type timestamp: str
    :return: timestamp as datetime object
    :rtype: datetime
    """
    year = int(timestamp[:4])
    month = int(timestamp[4:6])
    day = int(timestamp[6:8])
    date = datetime.datetime(year, month, day)
    return date


def copy_file(source, destination, backup=True):
    """
    Copies a file from the given source file to
    the given destination and optionally creates a copy of the
    destination file.

    :param source: source file path
    :type source: str
    :param destination: destination file path
    :type destination: str
    :param backup: whether to take a backup of the destination file before \
    overwriting it
    :type backup: bool
    :return: success
    :rtype: bool
    """
    if backup:
        if not create_backup_copy(destination):
            return False
    try:
        shutil.copy(source, destination)
    except IOError:
        LOGGER.error("Copying of file %s to %s failed!",
                     source, destination)
    else:
        os.chmod(destination, 0o0644)
        os.chown(destination, 0, 0)
        return True


def create_backup_copy(source):
    """
    creates a backup file of a specified source file.

    :param source: source file path
    :type source: str
    :return: success
    :rtype: bool
    """
    backup_file = source + ".bak_%s" % datetime.datetime.now().strftime(
        "%Y%m%d%H%M%S")
    try:
        shutil.copy(source, backup_file)
    except IOError:
        LOGGER.error("Creating of backup file for %s failed!", source)
        return False
    else:
        return True


def check_renewal(cert, cert_path):
    """
    Checks if the certificate has been renewed.

    :param cert: the certificate that needs to be checked
    :type cert: OpenSSL.crypto.X509
    :param cert_path: absolute path to the certificate file
    :type cert_path: str
    :return: renewal status
    :rtype: bool
    """
    try:
        with open(cert_path, "r") as acme_cert_file:
            acme_cert_text = acme_cert_file.read()
    except IOError:
        LOGGER.error("Could not open certificate %s in acme "
                     "state directory", cert_path)
    else:
        x509_acme_cert = OpenSSL.crypto.load_certificate(
            OpenSSL.crypto.FILETYPE_PEM, acme_cert_text
        )
        expiry_date = x509_acme_cert.get_notAfter().decode("utf-8")
        expiry_datetime = parse_asn1_time(expiry_date)
        if expiry_datetime < datetime.datetime.utcnow():
            LOGGER.warning("Certificate %s is expired and no newer "
                           "one is available, bailing out!", cert_path)
            return False
        else:
            serial_current_cert = cert.get_serial_number()
            serial_acme_cert = x509_acme_cert.get_serial_number()
            if serial_current_cert == serial_acme_cert:
                LOGGER.debug("Cert %s matches with the one "
                             "installed, nothing to do.", cert_path)
                return False
            else:
                return True


def create_tlsa_hash(cert):
    """
    Creates an tlsa 3 1 1 hash to create TLSA records for a given certificate
    :param cert: certificate to be used
    :type cert: OpenSSL.crypto.X509
    :return: sha256 has of the public key
    :rtype: str
    """
    pubkey = cert.get_pubkey()
    pubkey_der = OpenSSL.crypto.dump_publickey(OpenSSL.crypto.FILETYPE_ASN1,
                                               pubkey)
    sha256 = hashlib.sha256()
    sha256.update(pubkey_der)
    hexdigest = sha256.hexdigest()
    return hexdigest


def get_tsig_key(named_key_path):
    """
    Reads the named session key and generates a keyring object for it.

    :param named_key_path: Path to the named session key
    :type named_key_path: str
    :return: keyring, algorithm
    :rtype: tuple
    """
    key_name = None
    key_algorithm = None
    secret = None
    try:
        with open(named_key_path, "r") as bind_key:
            for line in bind_key:
                if "key" in line:
                    key_name = line.split(" ")[1].strip("\"")
                elif "algorithm" in line:
                    key_algorithm = line.strip().split(" ")[1].strip(";")
                elif "secret" in line:
                    secret = line.strip().split(" ")[1].strip("\"").strip(";")
    except IOError:
        LOGGER.error("Error while opening the bind session key")
        return None, None
    else:
        if key_name and key_algorithm and secret:
            keyring = dns.tsigkeyring.from_text({
                key_name: secret
            })
            return keyring, key_algorithm
        else:
            return None, None


def update_tlsa_record(zone, tlsa_port, digest, keyring, keyalgorithm,
                       subdomain="", ttl=300, protocol="tcp",
                       dns_server="localhost"):
    """
    Updates the tlsa record on the DNS server.

    :param zone: Zone of the (sub) domain
    :type zone: str
    :param tlsa_port: port for the tlsa record
    :type tlsa_port: str
    :param digest: cryptographic hash of the certificate public key
    :type digest: str
    :param keyring: keyring object
    :type keyring: dict
    :param keyalgorithm: algorithm used for the tsig key
    :type keyalgorithm: str
    :param subdomain: subdomain to create the tlsa record for
    :type subdomain: str
    :param ttl: TTL to use for the TLSA record
    :type ttl: int
    :param protocol: protocol for the TLSA record
    :type protocol: str
    :param dns_server: DNS server to use to create TLSA records
    :type dns_server: str
    :returns: response of the operation
    :rtype: dns.message.Message
    """
    update = dns.update.Update(zone, keyring=keyring,
                               keyalgorithm=keyalgorithm)
    tlsa_content = "3 1 1 %s" % digest
    if subdomain:
        tlsa_record = "_%s._%s.%s." % (tlsa_port, protocol, subdomain)
    else:
        tlsa_record = "_%s._%s.%s." % (tlsa_port, protocol, zone)
    update.replace(tlsa_record, ttl, "tlsa", tlsa_content)
    response = dns.query.tcp(update, dns_server)
    return response


def get_log_level(input_level=""):
    """
    Determines the log level to use based on a string.

    :param input_level: String representing the desired log level.
    :type input_level: str
    :return: corresponding log level of the logging module
    :rtype: int
    """
    if input_level.lower() == "debug":
        return logging.DEBUG
    elif input_level.lower() == "error":
        return logging.ERROR
    else:
        return logging.INFO


def create_tlsa_records(domain, port, certificate, named_key_path,
                        dns_server):
    """
    Creates tlsa records for the specified (sub-)domain

    :param domain: (sub-)domain the records are to be created for
    :type domain: str
    :param port: port to use for the record
    :type port: str
    :param certificate: certificate object used for record creation
    :type certificate: OpenSSL.crypto.X509
    :param named_key_path: path to the named session key
    :type named_key_path: str
    :param dns_server: DNS server to use to create TLSA records
    :type dns_server: str
    """
    hash_digest = create_tlsa_hash(certificate)
    zone = "%s.%s" % (domain.split(".")[-2], domain.split(".")[-1])
    tsig, keyalgo = get_tsig_key(named_key_path)
    update_tlsa_record(zone, port, hash_digest, tsig, keyalgo, domain,
                       dns_server=dns_server)


def get_subject_alt_name(certificate) -> list:
    """
    Extracts the subjectAltName entries from a X509 certficiate

    :param certificate: the certificate to extract the subjectAltName \
    entries from
    :type certificate: OpenSSL.crypto.X509
    :return: list of hostnames
    :rtype: list
    """
    alt_names = []
    for i in range(0, certificate.get_extension_count(), 1):
        if certificate.get_extension(i).get_short_name() == b"subjectAltName":
            extension_string = str(certificate.get_extension(i))
            for entry in extension_string.split(","):
                alt_names.append(entry.split(":")[1])
            break
    return alt_names


def restart_service(service_name: str):
    if os.path.exists("/run/systemd/system"):
        subprocess.call(["/usr/bin/systemctl", "restart", service_name])
    else:
        subprocess.call(["/etc/init.d/%s" % service_name,
                         "restart"])