feat: cert_manager detect file change
+1
-1
@@ -65,7 +65,7 @@ docker-run docker run
|
|||||||
- [x] github actions
|
- [x] github actions
|
||||||
- [x] X-Redirect
|
- [x] X-Redirect
|
||||||
- [x] X-Proxy
|
- [x] X-Proxy
|
||||||
- [ ] detect root certificate change and update server
|
- [x] detect root certificate change and update server
|
||||||
- [x] detect tokens change and update token_manager
|
- [x] detect tokens change and update token_manager
|
||||||
- [ ] allow args before/after command
|
- [ ] allow args before/after command
|
||||||
- [x] proper doc
|
- [x] proper doc
|
||||||
|
|||||||
@@ -17,6 +17,7 @@ class CertManager:
|
|||||||
__slots__ = [
|
__slots__ = [
|
||||||
"certbot_conf",
|
"certbot_conf",
|
||||||
"certbot_www",
|
"certbot_www",
|
||||||
|
"last_file_change",
|
||||||
"logger",
|
"logger",
|
||||||
"self_signed_path",
|
"self_signed_path",
|
||||||
"with_certbot",
|
"with_certbot",
|
||||||
@@ -32,6 +33,7 @@ class CertManager:
|
|||||||
self.certbot_www: pathlib.Path = pathlib.Path(params.certbot_www)
|
self.certbot_www: pathlib.Path = pathlib.Path(params.certbot_www)
|
||||||
self.self_signed_path: pathlib.Path = pathlib.Path(params.self_signed_path)
|
self.self_signed_path: pathlib.Path = pathlib.Path(params.self_signed_path)
|
||||||
self.with_certbot: bool = params.with_certbot
|
self.with_certbot: bool = params.with_certbot
|
||||||
|
self.last_file_change: int | float = 0
|
||||||
|
|
||||||
def init(self, hosts: list[str]) -> None:
|
def init(self, hosts: list[str]) -> None:
|
||||||
self.logger.debug("Initializing...")
|
self.logger.debug("Initializing...")
|
||||||
@@ -187,6 +189,7 @@ class CertManager:
|
|||||||
return None
|
return None
|
||||||
cert_file = self.get_cert(default_host)
|
cert_file = self.get_cert(default_host)
|
||||||
key_file = self.get_key(default_host)
|
key_file = self.get_key(default_host)
|
||||||
|
self.last_file_change = cert_file.stat().st_mtime
|
||||||
context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
|
context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
|
||||||
context.load_cert_chain(
|
context.load_cert_chain(
|
||||||
cert_file,
|
cert_file,
|
||||||
@@ -195,6 +198,13 @@ class CertManager:
|
|||||||
context.sni_callback = self.__sni_callback
|
context.sni_callback = self.__sni_callback
|
||||||
return context
|
return context
|
||||||
|
|
||||||
|
def detect_default_cert_change(self, default_host: str) -> bool:
|
||||||
|
cert_file = self.get_cert(default_host)
|
||||||
|
if cert_file.exists() and cert_file.stat().st_mtime != self.last_file_change:
|
||||||
|
self.logger.debug("Detected change: %s", cert_file)
|
||||||
|
return True
|
||||||
|
return False
|
||||||
|
|
||||||
def __sni_callback(
|
def __sni_callback(
|
||||||
self, socket: ssl.SSLObject, host: str | None, _: ssl.SSLContext, /
|
self, socket: ssl.SSLObject, host: str | None, _: ssl.SSLContext, /
|
||||||
) -> None | int:
|
) -> None | int:
|
||||||
|
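Review bot: `self.last_file_change = cert_file.stat().st_mtime` is recorded before `context.load_cert_chain(...)` runs, so if the load raises (for instance an `ssl.SSLError` when the certificate has been rewritten but its key has not yet, or the pair does not match) the new mtime is already stored and `detect_default_cert_change` will never fire again for that renewal. Move the assignment to just after the `load_cert_chain` call so a failed load is retried on the next poll. Since `detect_default_cert_change` only watches the certificate file, a key rewritten after the certificate is not detected either; comparing `max(cert_file.stat().st_mtime, key_file.stat().st_mtime)` in both places would cover that case, though whether certbot writes the two files at different times is not visible here. `get_https_context` starts above the hunk, so the earlier `return None` path cannot be fully assessed.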
|||||||
+31
-6
@@ -2,6 +2,7 @@ import contextlib
|
|||||||
import http.server
|
import http.server
|
||||||
import logging
|
import logging
|
||||||
import threading
|
import threading
|
||||||
|
import time
|
||||||
import typing
|
import typing
|
||||||
|
|
||||||
from . import (
|
from . import (
|
||||||
@@ -24,9 +25,11 @@ class StaplerServer:
|
|||||||
"cert_manager",
|
"cert_manager",
|
||||||
"data_dir",
|
"data_dir",
|
||||||
"default_host",
|
"default_host",
|
||||||
|
"https",
|
||||||
"logger",
|
"logger",
|
||||||
"params",
|
"params",
|
||||||
"registry",
|
"registry",
|
||||||
|
"server",
|
||||||
"token_manager",
|
"token_manager",
|
||||||
]
|
]
|
||||||
|
|
||||||
@@ -38,6 +41,8 @@ class StaplerServer:
|
|||||||
self.token_manager: TokenManager = TokenManager(params, self.registry)
|
self.token_manager: TokenManager = TokenManager(params, self.registry)
|
||||||
self.data_dir: DataDir = DataDir(params.data_dir)
|
self.data_dir: DataDir = DataDir(params.data_dir)
|
||||||
self.default_host: str = params.host.split(":", maxsplit=2)[0]
|
self.default_host: str = params.host.split(":", maxsplit=2)[0]
|
||||||
|
self.server: http.server.ThreadingHTTPServer | None = None
|
||||||
|
self.https = params.https
|
||||||
|
|
||||||
def __get_all_hosts(self) -> list[str]:
|
def __get_all_hosts(self) -> list[str]:
|
||||||
return [self.default_host, *self.registry.get_hosts()]
|
return [self.default_host, *self.registry.get_hosts()]
|
||||||
@@ -115,29 +120,49 @@ class StaplerServer:
|
|||||||
threading.Thread(target=server.serve_forever, daemon=True).start()
|
threading.Thread(target=server.serve_forever, daemon=True).start()
|
||||||
return server
|
return server
|
||||||
|
|
||||||
def __token_manager_background(self) -> None:
|
def __token_manager_background(self) -> None: # pragma: no cover
|
||||||
with contextlib.suppress(KeyboardInterrupt):
|
with contextlib.suppress(KeyboardInterrupt):
|
||||||
while True:
|
while True:
|
||||||
self.token_manager.detect_file_change()
|
if self.token_manager.detect_file_change():
|
||||||
|
self.token_manager.init()
|
||||||
|
time.sleep(1)
|
||||||
|
|
||||||
|
def __cert_manager_background(self) -> None: # pragma: no cover
|
||||||
|
with contextlib.suppress(KeyboardInterrupt):
|
||||||
|
while True:
|
||||||
|
if (
|
||||||
|
self.server is not None
|
||||||
|
and self.cert_manager.detect_default_cert_change(self.default_host)
|
||||||
|
and (
|
||||||
|
context := self.cert_manager.get_https_context(
|
||||||
|
self.default_host
|
||||||
|
)
|
||||||
|
)
|
||||||
|
is not None
|
||||||
|
):
|
||||||
|
self.server.socket = context.wrap_socket(self.server.socket)
|
||||||
|
time.sleep(1)
|
||||||
|
|
||||||
def __start_background_tasks(self) -> None:
|
def __start_background_tasks(self) -> None:
|
||||||
threading.Thread(target=self.__token_manager_background, daemon=True).start()
|
threading.Thread(target=self.__token_manager_background, daemon=True).start()
|
||||||
|
if self.https:
|
||||||
|
threading.Thread(target=self.__cert_manager_background, daemon=True).start()
|
||||||
|
|
||||||
def run(self) -> int:
|
def run(self) -> int:
|
||||||
self.logger.info("Version %s", project.get_version())
|
self.logger.info("Version %s", project.get_version())
|
||||||
for line in STAPLER_ASCII.split("\n"):
|
for line in STAPLER_ASCII.split("\n"):
|
||||||
self.logger.debug(line.ljust(36))
|
self.logger.debug(line.ljust(36))
|
||||||
self.__startup()
|
self.__startup()
|
||||||
base_server, https = self.__create_base_server()
|
self.server, self.https = self.__create_base_server()
|
||||||
upgrade_server = self.__start_upgrade_server() if https else None
|
upgrade_server = self.__start_upgrade_server() if self.https else None
|
||||||
self.logger.info(
|
self.logger.info(
|
||||||
"Server up and ready on %s://%s",
|
"Server up and ready on %s://%s",
|
||||||
"https" if https else "http",
|
"https" if self.https else "http",
|
||||||
self.params.host,
|
self.params.host,
|
||||||
)
|
)
|
||||||
self.__start_background_tasks()
|
self.__start_background_tasks()
|
||||||
with contextlib.suppress(KeyboardInterrupt):
|
with contextlib.suppress(KeyboardInterrupt):
|
||||||
base_server.serve_forever()
|
self.server.serve_forever()
|
||||||
self.logger.info("Shutting down...")
|
self.logger.info("Shutting down...")
|
||||||
if upgrade_server is not None:
|
if upgrade_server is not None:
|
||||||
upgrade_server.shutdown()
|
upgrade_server.shutdown()
|
||||||
|
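Review bot: `__cert_manager_background` suppresses only `KeyboardInterrupt`, so an `OSError` from `stat()` or an `ssl.SSLError` from `load_cert_chain` inside `get_https_context` (a certificate mid-rewrite, or one that does not match its key) propagates out of `while True` and ends the daemon thread, after which certificate reloads silently stop for the life of the process. Wrap the `if` in `try:` / `except OSError:` / `self.logger.exception("Certificate reload failed for %s", self.default_host)` and fall through to `time.sleep(1)`; `ssl.SSLError` subclasses `OSError`, so no new import is needed. `self.server.socket = context.wrap_socket(self.server.socket)` re-wraps whatever the listening socket currently is, which is presumably already an `ssl.SSLSocket` if `__create_base_server` (outside the hunk) wrapped it for HTTPS, and it does so while `serve_forever` is accepting on another thread; add a comment stating that this relies on `wrap_socket` detaching the fd of an already-wrapped listening socket and that in-flight handshakes on the old context are unaffected.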
|||||||
@@ -60,13 +60,11 @@ class TokenManager:
|
|||||||
self.logger.warning("NEW TOKEN: %s", new_token)
|
self.logger.warning("NEW TOKEN: %s", new_token)
|
||||||
self.logger.warning("Please copy this secret value before it disappears")
|
self.logger.warning("Please copy this secret value before it disappears")
|
||||||
|
|
||||||
def detect_file_change(self) -> None:
|
def detect_file_change(self) -> bool:
|
||||||
if (
|
if self.tokens_file.stat().st_mtime != self.last_file_change:
|
||||||
not self.tokens_file.exists()
|
|
||||||
or self.tokens_file.stat().st_mtime != self.last_file_change
|
|
||||||
):
|
|
||||||
self.logger.debug("Detected change: %s", self.tokens_file)
|
self.logger.debug("Detected change: %s", self.tokens_file)
|
||||||
self.init()
|
return True
|
||||||
|
return False
|
||||||
|
|
||||||
def __hash_token(self, token: str) -> str:
|
def __hash_token(self, token: str) -> str:
|
||||||
return hashlib.sha512(
|
return hashlib.sha512(
|
||||||
|
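Review bot: The `not self.tokens_file.exists()` guard was dropped, so `self.tokens_file.stat()` now raises `FileNotFoundError` when the tokens file has been removed; the caller `__token_manager_background` suppresses only `KeyboardInterrupt`, so the daemon thread dies and the file is never regenerated, whereas before the missing file was treated as a change. Restore the guard: `if not self.tokens_file.exists() or self.tokens_file.stat().st_mtime != self.last_file_change:`. Whether `init()` recreates the file with mode 0o600 is inferred from the assertions removed from the test, not from this hunk.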
|||||||
@@ -249,6 +249,17 @@ class TestRegistry(BaseTestCase):
|
|||||||
self.socket_mock, "new_host", self.context_mock
|
self.socket_mock, "new_host", self.context_mock
|
||||||
)
|
)
|
||||||
|
|
||||||
|
def test_detect_default_cert_change(self) -> None:
|
||||||
|
self._make_self_signed("localhost")
|
||||||
|
assert self.cert_manager.detect_default_cert_change("localhost")
|
||||||
|
|
||||||
|
def test_detect_default_cert_change_nothing(self) -> None:
|
||||||
|
self._make_self_signed("localhost")
|
||||||
|
self.cert_manager.last_file_change = (
|
||||||
|
(self.self_signed_path / "localhost" / CertManager.CRT_FILE).stat().st_mtime
|
||||||
|
)
|
||||||
|
assert not self.cert_manager.detect_default_cert_change("localhost")
|
||||||
|
|
||||||
def _make_self_signed(self, host: str) -> None:
|
def _make_self_signed(self, host: str) -> None:
|
||||||
(self.self_signed_path / host).mkdir(parents=True, exist_ok=True)
|
(self.self_signed_path / host).mkdir(parents=True, exist_ok=True)
|
||||||
(self.self_signed_path / host / CertManager.CRT_FILE).touch()
|
(self.self_signed_path / host / CertManager.CRT_FILE).touch()
|
||||||
|
|||||||
@@ -83,6 +83,7 @@ class TestStaplerServer(BaseTestCase):
|
|||||||
|
|
||||||
def test_run_https(self) -> None:
|
def test_run_https(self) -> None:
|
||||||
self.token_manager.detect_file_change.side_effect = KeyboardInterrupt
|
self.token_manager.detect_file_change.side_effect = KeyboardInterrupt
|
||||||
|
self.cert_manager.detect_default_cert_change.side_effect = KeyboardInterrupt
|
||||||
with (
|
with (
|
||||||
self.mock_call(self.registry.load_pages),
|
self.mock_call(self.registry.load_pages),
|
||||||
self.mock_call(self.registry.get_hosts, [], []),
|
self.mock_call(self.registry.get_hosts, [], []),
|
||||||
@@ -102,3 +103,6 @@ class TestStaplerServer(BaseTestCase):
|
|||||||
):
|
):
|
||||||
self.assertEqual(self.server.run(), 0)
|
self.assertEqual(self.server.run(), 0)
|
||||||
self.token_manager.detect_file_change.assert_called_once()
|
self.token_manager.detect_file_change.assert_called_once()
|
||||||
|
self.cert_manager.detect_default_cert_change.assert_called_once_with(
|
||||||
|
"localhost"
|
||||||
|
)
|
||||||
|
|||||||
@@ -120,19 +120,15 @@ class TestTokenManager(BaseTestCase):
|
|||||||
self.token_manager.set_token("test_1", "secret")
|
self.token_manager.set_token("test_1", "secret")
|
||||||
|
|
||||||
def test_detect_file_change(self) -> None:
|
def test_detect_file_change(self) -> None:
|
||||||
|
self.tmp_tokens_file.touch()
|
||||||
self.seal_mocks()
|
self.seal_mocks()
|
||||||
self.token_manager.detect_file_change()
|
assert self.token_manager.detect_file_change()
|
||||||
self.assert_file_content(self.tmp_tokens_file, self.SALT_HASH)
|
|
||||||
self.assertEqual(self.tmp_tokens_file.stat().st_mode, 0o100600)
|
|
||||||
self.assertListEqual(self.token_manager.token_hashes, [])
|
|
||||||
|
|
||||||
def test_detect_file_change_nothing(self) -> None:
|
def test_detect_file_change_nothing(self) -> None:
|
||||||
with self.tmp_tokens_file.open(mode="w") as file:
|
self.tmp_tokens_file.touch()
|
||||||
file.write(self.SALT_HASH + "\n" + self.SECRET_HASH)
|
|
||||||
self.token_manager.last_file_change = self.tmp_tokens_file.stat().st_mtime
|
self.token_manager.last_file_change = self.tmp_tokens_file.stat().st_mtime
|
||||||
self.seal_mocks()
|
self.seal_mocks()
|
||||||
self.token_manager.detect_file_change()
|
assert not self.token_manager.detect_file_change()
|
||||||
self.assertListEqual(self.token_manager.token_hashes, [])
|
|
||||||
|
|
||||||
@unittest.mock.patch("secrets.token_hex")
|
@unittest.mock.patch("secrets.token_hex")
|
||||||
def test_new_token(self, mock_token_hex: unittest.mock.Mock) -> None:
|
def test_new_token(self, mock_token_hex: unittest.mock.Mock) -> None:
|
||||||
|
|||||||
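Review bot: `test_detect_file_change` now touches the tokens file before calling `detect_file_change`, so the missing-file path that the old test exercised is no longer covered, and the new `stat()`-based implementation raises rather than returns on that path. Add a case that deletes (or never creates) `self.tmp_tokens_file` and pins the intended result, e.g. `assert self.token_manager.detect_file_change()` with the file absent, so the regression is caught. The tests also mix bare `assert` with `self.assertEqual`/`self.assertListEqual` in the same class; `self.assertTrue(...)` / `self.assertFalse(...)` would keep the unittest style consistent.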