wo/core/sslutils.py

import csv
import os
import re

from wo.core.fileutils import WOFileUtils
from wo.core.logging import Log
from wo.core.shellexec import WOShellExec
from wo.core.variables import WOVar


class SSL:

    def getexpirationdays(self, domain, returnonerror=False):
        # check if exist
        if not os.path.isfile('/etc/letsencrypt/live/{0}/cert.pem'
                              .format(domain)):
            Log.error(self, 'File Not Found: '
                      '/etc/letsencrypt/live/{0}/cert.pem'
                      .format(domain), False)
            if returnonerror:
                return -1
            Log.error(self, "Check the WordOps log for more details "
                      "`tail /var/log/wo/wordops.log` and please try again...")

        current_date = WOShellExec.cmd_exec_stdout(self, "date -d \"now\" +%s")
        expiration_date = WOShellExec.cmd_exec_stdout(
            self, "date -d \""
            "$(openssl x509 -in /etc/letsencrypt/live/"
            "{0}/cert.pem -text -noout | grep \"Not After\" "
            "| cut -c 25-)\" +%s"
            .format(domain))

        days_left = int((int(expiration_date) - int(current_date)) / 86400)
        if (days_left > 0):
            return days_left
        else:
            # return "Certificate Already Expired ! Please Renew soon."
            return -1

    def getexpirationdate(self, domain):
        # check if exist
        if os.path.islink('/var/www/{0}/conf/nginx/ssl.conf'):
            split_domain = domain.split('.')
            domain = ('.').join(split_domain[1:])
        if not os.path.isfile('/etc/letsencrypt/live/{0}/cert.pem'
                              .format(domain)):
            Log.error(self, 'File Not Found: /etc/letsencrypt/'
                      'live/{0}/cert.pem'
                      .format(domain), False)
            Log.error(self, "Check the WordOps log for more details "
                      "`tail /var/log/wo/wordops.log` and please try again...")

        expiration_date = WOShellExec.cmd_exec_stdout(
            self, "date -d \"$(/usr/bin/openssl x509 -in "
            "/etc/letsencrypt/live/{0}/cert.pem -text -noout | grep "
            "\"Not After\" | cut -c 25-)\" "
            .format(domain))
        return expiration_date

    def siteurlhttps(self, domain):
        wo_site_webroot = ('/var/www/{0}'.format(domain))
        WOFileUtils.chdir(
            self, '{0}/htdocs/'.format(wo_site_webroot))
        if WOShellExec.cmd_exec(
                self, "{0} --allow-root core is-installed"
                .format(WOVar.wo_wpcli_path)):
            wo_siteurl = (
                WOShellExec.cmd_exec_stdout(
                    self, "{0} option get siteurl "
                    .format(WOVar.wo_wpcli_path) +
                    "--allow-root --quiet"))
            test_url = re.split(":", wo_siteurl)
            if not (test_url[0] == 'https'):
                Log.wait(self, "Updating site url with https")
                try:
                    WOShellExec.cmd_exec(
                        self, "{0} option update siteurl "
                        "\'https://{1}\' --allow-root"
                        .format(WOVar.wo_wpcli_path, domain))
                    WOShellExec.cmd_exec(
                        self, "{0} option update home "
                        "\'https://{1}\' --allow-root"
                        .format(WOVar.wo_wpcli_path, domain))
                    WOShellExec.cmd_exec(
                        self, "{0} search-replace \'http://{1}\'"
                        "\'https://{1}\' --skip-columns=guid "
                        "--skip-tables=wp_users"
                        .format(WOVar.wo_wpcli_path, domain))
                except Exception as e:
                    Log.debug(self, str(e))
                    Log.failed(self, "Updating site url with https")
                else:
                    Log.valide(self, "Updating site url with https")

    # check if a wildcard exist to secure a new subdomain

    def checkwildcardexist(self, wo_domain_name):

        wo_acme_exec = ("/etc/letsencrypt/acme.sh --config-home "
                        "'/etc/letsencrypt/config'")
        # export certificates list from acme.sh
        WOShellExec.cmd_exec(
            self, "{0} ".format(wo_acme_exec) +
            "--list --listraw > /var/lib/wo/cert.csv")

        # define new csv dialect
        csv.register_dialect('acmeconf', delimiter='|')
        # open file
        certfile = open('/var/lib/wo/cert.csv', mode='r', encoding='utf-8')
        reader = csv.reader(certfile, 'acmeconf')
        wo_wildcard_domain = ("*.{0}".format(wo_domain_name))
        for row in reader:
            if wo_wildcard_domain in row[2]:
                if not row[2] == "":
                    iswildcard = True
                    break
            else:
                iswildcard = False
        certfile.close()

        return iswildcard

    def setuphsts(self, wo_domain_name):
        Log.info(
            self, "Adding /var/www/{0}/conf/nginx/hsts.conf"
            .format(wo_domain_name))

        hstsconf = open("/var/www/{0}/conf/nginx/hsts.conf"
                        .format(wo_domain_name),
                        encoding='utf-8', mode='w')
        hstsconf.write("more_set_headers "
                       "\"Strict-Transport-Security: "
                       "max-age=31536000; "
                       "includeSubDomains; "
                       "preload\";")
        hstsconf.close()
        return 0

    def selfsignedcert(self, proftpd=False, backend=False):
        """issue a self-signed certificate"""

        selfs_tmp = '/var/lib/wo/tmp/selfssl'
        # create self-signed tmp directory
        if not os.path.isdir(selfs_tmp):
            WOFileUtils.mkdir(self, selfs_tmp)
        try:
            WOShellExec.cmd_exec(
                self, "openssl genrsa -out "
                "{0}/ssl.key 2048"
                .format(selfs_tmp))
            WOShellExec.cmd_exec(
                self, "openssl req -new -batch  "
                "-subj /commonName=localhost/ "
                "-key {0}/ssl.key -out {0}/ssl.csr"
                .format(selfs_tmp))

            WOFileUtils.mvfile(
                self, "{0}/ssl.key"
                .format(selfs_tmp),
                "{0}/ssl.key.org"
                .format(selfs_tmp))

            WOShellExec.cmd_exec(
                self, "openssl rsa -in "
                "{0}/ssl.key.org -out "
                "{0}/ssl.key"
                .format(selfs_tmp))

            WOShellExec.cmd_exec(
                self, "openssl x509 -req -days "
                "3652 -in {0}/ssl.csr -signkey {0}"
                "/ssl.key -out {0}/ssl.crt"
                .format(selfs_tmp))

        except Exception as e:
            Log.debug(self, "{0}".format(e))
            Log.error(
                self, "Failed to generate HTTPS "
                "certificate for 22222", False)
        if backend:
            WOFileUtils.mvfile(
                self, "{0}/ssl.key"
                .format(selfs_tmp),
                "/var/www/22222/cert/22222.key")
            WOFileUtils.mvfile(
                self, "{0}/ssl.crt"
                .format(selfs_tmp),
                "/var/www/22222/cert/22222.crt")
        if proftpd:
            WOFileUtils.mvfile(
                self, "{0}/ssl.key"
                .format(selfs_tmp),
                "/etc/proftpd/ssl/proftpd.key")
            WOFileUtils.mvfile(
                self, "{0}/ssl.crt"
                .format(selfs_tmp),
                "/etc/proftpd/ssl/proftpd.crt")
        # remove self-signed tmp directory
        WOFileUtils.rm(self, selfs_tmp)
Improve letsencrypt 2019-09-04 03:07:24 +02:00			`import csv`
Refactored 2018-11-13 21:55:59 +01:00			`import os`
Improve letsencrypt 2019-09-04 03:07:24 +02:00			`import re`
Fix sslutils 2019-09-03 19:02:00 +02:00
Improve letsencrypt 2019-09-04 03:07:24 +02:00			`from wo.core.fileutils import WOFileUtils`
Refactored 2018-11-13 21:55:59 +01:00			`from wo.core.logging import Log`
Fix sslutils 2019-09-03 19:02:00 +02:00			`from wo.core.shellexec import WOShellExec`
Refactor acme.sh and WOVariables 2019-10-02 13:13:32 +02:00			`from wo.core.variables import WOVar`
Refactored 2018-11-13 21:55:59 +01:00

			`class SSL:`

Improve letsencrypt 2019-09-04 03:07:24 +02:00			`def getexpirationdays(self, domain, returnonerror=False):`
Refactored 2018-11-13 21:55:59 +01:00			`# check if exist`
			`if not os.path.isfile('/etc/letsencrypt/live/{0}/cert.pem'`
fix acme.sh alias & deb.sury gpg key 2019-03-16 10:30:52 +01:00			`.format(domain)):`
fix ssl util 2019-04-08 13:01:13 +02:00			`Log.error(self, 'File Not Found: '`
			`'/etc/letsencrypt/live/{0}/cert.pem'`
fix acme.sh alias & deb.sury gpg key 2019-03-16 10:30:52 +01:00			`.format(domain), False)`
Refactored 2018-11-13 21:55:59 +01:00			`if returnonerror:`
			`return -1`
			`Log.error(self, "Check the WordOps log for more details "`
			"`tail /var/log/wo/wordops.log` and please try again...")

			`current_date = WOShellExec.cmd_exec_stdout(self, "date -d \"now\" +%s")`
Fix sslutils 2019-09-03 19:02:00 +02:00			`expiration_date = WOShellExec.cmd_exec_stdout(`
			`self, "date -d \""`
			`"$(openssl x509 -in /etc/letsencrypt/live/"`
			`"{0}/cert.pem -text -noout \| grep \"Not After\" "`
			`"\| cut -c 25-)\" +%s"`
			`.format(domain))`
Refactored 2018-11-13 21:55:59 +01:00
fix acme.sh alias & deb.sury gpg key 2019-03-16 10:30:52 +01:00			`days_left = int((int(expiration_date) - int(current_date)) / 86400)`
Refactored 2018-11-13 21:55:59 +01:00			`if (days_left > 0):`
			`return days_left`
			`else:`
			`# return "Certificate Already Expired ! Please Renew soon."`
			`return -1`

Improve letsencrypt 2019-09-04 03:07:24 +02:00			`def getexpirationdate(self, domain):`
Refactored 2018-11-13 21:55:59 +01:00			`# check if exist`
Improve stack_pref 2019-09-06 14:27:45 +02:00			`if os.path.islink('/var/www/{0}/conf/nginx/ssl.conf'):`
			`split_domain = domain.split('.')`
			`domain = ('.').join(split_domain[1:])`
Refactored 2018-11-13 21:55:59 +01:00			`if not os.path.isfile('/etc/letsencrypt/live/{0}/cert.pem'`
fix acme.sh alias & deb.sury gpg key 2019-03-16 10:30:52 +01:00			`.format(domain)):`
fix ssl util 2019-04-08 13:01:13 +02:00			`Log.error(self, 'File Not Found: /etc/letsencrypt/'`
			`'live/{0}/cert.pem'`
fix acme.sh alias & deb.sury gpg key 2019-03-16 10:30:52 +01:00			`.format(domain), False)`
Refactored 2018-11-13 21:55:59 +01:00			`Log.error(self, "Check the WordOps log for more details "`
			"`tail /var/log/wo/wordops.log` and please try again...")

Fix sslutils 2019-09-03 19:02:00 +02:00			`expiration_date = WOShellExec.cmd_exec_stdout(`
			`self, "date -d \"$(/usr/bin/openssl x509 -in "`
			`"/etc/letsencrypt/live/{0}/cert.pem -text -noout \| grep "`
			`"\"Not After\" \| cut -c 25-)\" "`
			`.format(domain))`
Refactored 2018-11-13 21:55:59 +01:00			`return expiration_date`
Improve letsencrypt 2019-09-04 03:07:24 +02:00
			`def siteurlhttps(self, domain):`
			`wo_site_webroot = ('/var/www/{0}'.format(domain))`
			`WOFileUtils.chdir(`
			`self, '{0}/htdocs/'.format(wo_site_webroot))`
			`if WOShellExec.cmd_exec(`
			`self, "{0} --allow-root core is-installed"`
Fix wp-cli path 2019-11-05 17:51:44 +01:00			`.format(WOVar.wo_wpcli_path)):`
Improve letsencrypt 2019-09-04 03:07:24 +02:00			`wo_siteurl = (`
			`WOShellExec.cmd_exec_stdout(`
			`self, "{0} option get siteurl "`
Refactor acme.sh and WOVariables 2019-10-02 13:13:32 +02:00			`.format(WOVar.wo_wpcli_path) +`
Improve letsencrypt 2019-09-04 03:07:24 +02:00			`"--allow-root --quiet"))`
			`test_url = re.split(":", wo_siteurl)`
			`if not (test_url[0] == 'https'):`
Updating logging 2019-09-05 12:31:34 +02:00			`Log.wait(self, "Updating site url with https")`
			`try:`
			`WOShellExec.cmd_exec(`
			`self, "{0} option update siteurl "`
Fix wp-cli path 2019-11-05 17:51:44 +01:00			`"\'https://{1}\' --allow-root"`
			`.format(WOVar.wo_wpcli_path, domain))`
Updating logging 2019-09-05 12:31:34 +02:00			`WOShellExec.cmd_exec(`
			`self, "{0} option update home "`
Fix wp-cli path 2019-11-05 17:51:44 +01:00			`"\'https://{1}\' --allow-root"`
			`.format(WOVar.wo_wpcli_path, domain))`
Updating logging 2019-09-05 12:31:34 +02:00			`WOShellExec.cmd_exec(`
Fix wp-cli path 2019-11-05 17:51:44 +01:00			`self, "{0} search-replace \'http://{1}\'"`
			`"\'https://{1}\' --skip-columns=guid "`
Updating logging 2019-09-05 12:31:34 +02:00			`"--skip-tables=wp_users"`
Fix wp-cli path 2019-11-05 17:51:44 +01:00			`.format(WOVar.wo_wpcli_path, domain))`
Updating logging 2019-09-05 12:31:34 +02:00			`except Exception as e:`
			`Log.debug(self, str(e))`
			`Log.failed(self, "Updating site url with https")`
			`else:`
			`Log.valide(self, "Updating site url with https")`
Improve letsencrypt 2019-09-04 03:07:24 +02:00
			`# check if a wildcard exist to secure a new subdomain`

			`def checkwildcardexist(self, wo_domain_name):`

			`wo_acme_exec = ("/etc/letsencrypt/acme.sh --config-home "`
			`"'/etc/letsencrypt/config'")`
			`# export certificates list from acme.sh`
			`WOShellExec.cmd_exec(`
			`self, "{0} ".format(wo_acme_exec) +`
			`"--list --listraw > /var/lib/wo/cert.csv")`

			`# define new csv dialect`
			`csv.register_dialect('acmeconf', delimiter='\|')`
			`# open file`
			`certfile = open('/var/lib/wo/cert.csv', mode='r', encoding='utf-8')`
			`reader = csv.reader(certfile, 'acmeconf')`
			`wo_wildcard_domain = ("*.{0}".format(wo_domain_name))`
			`for row in reader:`
			`if wo_wildcard_domain in row[2]:`
Fix vhostonly, improve git rollback * prevent issues with wildcard certs 2019-10-02 17:23:07 +02:00			`if not row[2] == "":`
			`iswildcard = True`
			`break`
Improve letsencrypt 2019-09-04 03:07:24 +02:00			`else:`
			`iswildcard = False`
			`certfile.close()`

			`return iswildcard`
Improve stack_pref 2019-09-06 14:27:45 +02:00
Move setuphsts into sslutils 2019-09-06 22:21:16 +02:00			`def setuphsts(self, wo_domain_name):`
Improve stack_pref 2019-09-06 14:27:45 +02:00			`Log.info(`
			`self, "Adding /var/www/{0}/conf/nginx/hsts.conf"`
			`.format(wo_domain_name))`

			`hstsconf = open("/var/www/{0}/conf/nginx/hsts.conf"`
			`.format(wo_domain_name),`
			`encoding='utf-8', mode='w')`
			`hstsconf.write("more_set_headers "`
			`"\"Strict-Transport-Security: "`
			`"max-age=31536000; "`
			`"includeSubDomains; "`
			`"preload\";")`
			`hstsconf.close()`
			`return 0`

Simplify proftpd setup 2019-09-06 16:13:46 +02:00			`def selfsignedcert(self, proftpd=False, backend=False):`
Improve stack_pref 2019-09-06 14:27:45 +02:00			`"""issue a self-signed certificate"""`

			`selfs_tmp = '/var/lib/wo/tmp/selfssl'`
			`# create self-signed tmp directory`
			`if not os.path.isdir(selfs_tmp):`
Fix WOFileUtils 2019-09-06 14:50:44 +02:00			`WOFileUtils.mkdir(self, selfs_tmp)`
Improve stack_pref 2019-09-06 14:27:45 +02:00			`try:`
			`WOShellExec.cmd_exec(`
			`self, "openssl genrsa -out "`
			`"{0}/ssl.key 2048"`
			`.format(selfs_tmp))`
			`WOShellExec.cmd_exec(`
			`self, "openssl req -new -batch "`
Simplify proftpd setup 2019-09-06 16:13:46 +02:00			`"-subj /commonName=localhost/ "`
			`"-key {0}/ssl.key -out {0}/ssl.csr"`
			`.format(selfs_tmp))`
Improve stack_pref 2019-09-06 14:27:45 +02:00
			`WOFileUtils.mvfile(`
			`self, "{0}/ssl.key"`
			`.format(selfs_tmp),`
			`"{0}/ssl.key.org"`
			`.format(selfs_tmp))`

			`WOShellExec.cmd_exec(`
			`self, "openssl rsa -in "`
			`"{0}/ssl.key.org -out "`
			`"{0}/ssl.key"`
			`.format(selfs_tmp))`

			`WOShellExec.cmd_exec(`
			`self, "openssl x509 -req -days "`
			`"3652 -in {0}/ssl.csr -signkey {0}"`
			`"/ssl.key -out {0}/ssl.crt"`
			`.format(selfs_tmp))`

			`except Exception as e:`
			`Log.debug(self, "{0}".format(e))`
			`Log.error(`
			`self, "Failed to generate HTTPS "`
			`"certificate for 22222", False)`
			`if backend:`
			`WOFileUtils.mvfile(`
			`self, "{0}/ssl.key"`
			`.format(selfs_tmp),`
			`"/var/www/22222/cert/22222.key")`
			`WOFileUtils.mvfile(`
Fix ssl.crt 2019-09-06 16:01:35 +02:00			`self, "{0}/ssl.crt"`
Improve stack_pref 2019-09-06 14:27:45 +02:00			`.format(selfs_tmp),`
			`"/var/www/22222/cert/22222.crt")`
Simplify proftpd setup 2019-09-06 16:13:46 +02:00			`if proftpd:`
Improve stack_pref 2019-09-06 14:27:45 +02:00			`WOFileUtils.mvfile(`
			`self, "{0}/ssl.key"`
			`.format(selfs_tmp),`
Simplify proftpd setup 2019-09-06 16:13:46 +02:00			`"/etc/proftpd/ssl/proftpd.key")`
Improve stack_pref 2019-09-06 14:27:45 +02:00			`WOFileUtils.mvfile(`
			`self, "{0}/ssl.crt"`
			`.format(selfs_tmp),`
Simplify proftpd setup 2019-09-06 16:13:46 +02:00			`"/etc/proftpd/ssl/proftpd.crt")`
Improve stack_pref 2019-09-06 14:27:45 +02:00			`# remove self-signed tmp directory`
			`WOFileUtils.rm(self, selfs_tmp)`