OCA
/
server-tools
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1050 Commits
13 Branches
0 Tags
45 MiB
Tree: 7e7c489bf5
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7e7c489bf5'
${ noResults }
server-tools/letsencrypt/models/letsencrypt.py

157 lines
5.7 KiB
Raw Normal View History

[ADD] letsencrypt
9 years ago
  1. # -*- coding: utf-8 -*-
  2. # © 2016 Therp BV <http://therp.nl>
  3. # License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl.html).
  4. import os
  5. import logging
  6. import urllib2
  7. import urlparse
  8. import subprocess
  9. import tempfile
  10. from openerp import _, api, models, exceptions
  11. from openerp.tools.config import _get_default_datadir
  12. from openerp.tools.misc import file_open
  13. from .acme_tiny import get_crt, DEFAULT_CA
  16. DEFAULT_KEY_LENGTH = 4096
  17. _logger = logging.getLogger(__name__)
  20. class Letsencrypt(models.AbstractModel):
  21. _name = 'letsencrypt'
  22. _description = 'Abstract model providing functions for letsencrypt'
  24. @api.model
  25. def get_data_dir(self):
  26. return os.path.join(_get_default_datadir(), 'letsencrypt')
  28. @api.model
  29. def call_cmdline(self, cmdline, loglevel=logging.INFO,
  30. raise_on_result=True):
  31. process = subprocess.Popen(
  32. cmdline, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
  33. stdout, stderr = process.communicate()
  34. if stderr:
  35. _logger.log(loglevel, stderr)
  36. if stdout:
  37. _logger.log(loglevel, stdout)
  39. if process.returncode:
  40. raise exceptions.Warning(
  41. _('Error calling %s: %d') % (cmdline[0], process.returncode),
  42. ' '.join(cmdline),
  43. )
  45. return process.returncode
  47. @api.model
  48. def generate_account_key(self):
  49. data_dir = self.get_data_dir()
  50. if not os.path.isdir(data_dir):
  51. os.makedirs(data_dir)
  52. account_key = os.path.join(data_dir, 'account.key')
  53. if not os.path.isfile(account_key):
  54. _logger.info('generating rsa account key')
  55. self.call_cmdline([
  56. 'openssl', 'genrsa', '-out', account_key,
  57. str(DEFAULT_KEY_LENGTH),
  58. ])
  59. assert os.path.isfile(account_key), 'failed to create rsa key'
  60. return account_key
  62. @api.model
  63. def generate_domain_key(self, domain):
  64. domain_key = os.path.join(self.get_data_dir(), '%s.key' % domain)
  65. if not os.path.isfile(domain_key):
  66. _logger.info('generating rsa domain key for %s', domain)
  67. self.call_cmdline([
  68. 'openssl', 'genrsa', '-out', domain_key,
  69. str(DEFAULT_KEY_LENGTH),
  70. ])
  71. return domain_key
  73. @api.model
  74. def validate_domain(self, domain):
  75. if domain in ['localhost', '127.0.0.1'] or\
  76. domain.startswith('10.') or\
  77. domain.startswith('172.16.') or\
  78. domain.startswith('192.168.'):
  79. raise exceptions.Warning(
  80. _("Let's encrypt doesn't work with private addresses!"))
  82. @api.model
  83. def generate_csr(self, domain):
  84. domains = [domain]
  85. i = 0
  86. while self.env['ir.config_parameter'].get_param(
  87. 'letsencrypt.altname.%d' % i):
  88. domains.append(
  89. self.env['ir.config_parameter']
  90. .get_param('letsencrypt.altname.%d' % i)
  91. )
  92. i += 1
  93. _logger.info('generating csr for %s', domain)
  94. if len(domains) > 1:
  95. _logger.info('with alternative subjects %s', ','.join(domains[1:]))
  96. config = self.env['ir.config_parameter'].get_param(
  97. 'letsencrypt.openssl.cnf', '/etc/ssl/openssl.cnf')
  98. csr = os.path.join(self.get_data_dir(), '%s.csr' % domain)
  99. with tempfile.NamedTemporaryFile() as cfg:
  100. cfg.write(open(config).read())
  101. if len(domains) > 1:
  102. cfg.write(
  103. '\n[SAN]\nsubjectAltName=' +
  104. ','.join(map(lambda x: 'DNS:%s' % x, domains)) + '\n')
  105. cfg.file.flush()
  106. cmdline = [
  107. 'openssl', 'req', '-new',
  108. self.env['ir.config_parameter'].get_param(
  109. 'letsencrypt.openssl.digest', '-sha256'),
  110. '-key', self.generate_domain_key(domain),
  111. '-subj', '/CN=%s' % domain, '-config', cfg.name,
  112. '-out', csr,
  113. ]
  114. if len(domains) > 1:
  115. cmdline.extend([
  116. '-reqexts', 'SAN',
  117. ])
  118. self.call_cmdline(cmdline)
  119. return csr
  121. @api.model
  122. def cron(self):
  123. domain = urlparse.urlparse(
  124. self.env['ir.config_parameter'].get_param(
  125. 'web.base.url', 'localhost')).netloc
  126. self.validate_domain(domain)
  127. account_key = self.generate_account_key()
  128. csr = self.generate_csr(domain)
  129. manifest, manifest_path = file_open(
  130. 'letsencrypt/__openerp__.py', pathinfo=True)
  131. manifest.close()
  132. acme_challenge = os.path.join(
  133. os.path.dirname(manifest_path),
  134. 'static', 'acme-challenge')
  135. if not os.path.isdir(acme_challenge):
  136. os.makedirs(acme_challenge)
  137. if not self.env.context.get('letsencrypt_fake_cert'):
  138. crt_text = get_crt(
  139. account_key, csr, acme_challenge, log=_logger, CA=DEFAULT_CA)
  140. else:
  141. crt_text = 'I\'m a test text'
  142. with open(os.path.join(self.get_data_dir(), '%s.crt' % domain), 'w')\
  143. as crt:
  144. crt.write(crt_text)
  145. chain_cert = urllib2.urlopen(
  146. self.env['ir.config_parameter'].get_param(
  147. 'letsencrypt.chain_certificate_address',
  148. 'https://letsencrypt.org/certs/'
  149. 'lets-encrypt-x1-cross-signed.pem')
  150. )
  151. crt.write(chain_cert.read())
  152. chain_cert.close()
  153. _logger.info('wrote %s', crt.name)
  154. self.call_cmdline([
  155. 'sh', '-c', self.env['ir.config_parameter'].get_param(
  156. 'letsencrypt.reload_command', ''),
  157. ])