certificate authority: move instance.cfg from sr to the stack

certificate-authority software release and stack was renamed to caucase

software/caucase/software.cfg

+[buildout]
+extends =
+  ../../stack/caucase/buildout.cfg
+  ../../stack/slapos.cfg
+
+parts = 
+  slapos-cookbook
+  extra-eggs
+  instance-caucase
+

software/certificate-authority/instance.cfg.in

-[buildout]
-parts =
-  publish-connection-parameter
-extends =
-  {{ certificate_authority_template }}
-
-
-eggs-directory = {{ eggs_directory }}
-develop-eggs-directory = {{ develop_eggs_directory }}
-offline = true
-
-[publish-connection-parameter]
-recipe = slapos.cookbook:publish.serialised
-http-url = ${certificate-authority-server:insecure-url}
-https-url = ${certificate-authority-server:url}
\ No newline at end of file

software/certificate-authority/software.cfg

-[buildout]
-extends =
-  ../../stack/certificate-authority/buildout.cfg
-  ../../stack/slapos.cfg
-
-parts = 
-  slapos-cookbook
-  extra-eggs
-  template
-
-[template]
-recipe = slapos.recipe.template:jinja2
-template = ${:_profile_base_location_}/instance.cfg.in
-rendered = ${buildout:directory}/template.cfg
-mode = 0644
-md5sum = c61a8f951e99002753c3a53d0a18b16d
-context =
-  key bin_directory buildout:bin-directory
-  key develop_eggs_directory buildout:develop-eggs-directory
-  key eggs_directory buildout:eggs-directory
-  key certificate_authority_template template-certificate-authority:rendered

stack/certificate-authority/buildout.cfg → stack/caucase/buildout.cfg

@@ -7,11 +7,12 @@ extends =
   ../../component/curl/buildout.cfg
   ../../component/dash/buildout.cfg
   ../../component/openssl/buildout.cfg
+  ../../component/bcrypt/buildout.cfg
   ../../stack/logrotate/buildout.cfg
 
 
 parts =
-  template-logrotate-base
+  instance-caucase
 
 [extra-eggs]
 recipe = zc.recipe.egg
@@ -20,9 +21,17 @@ eggs =
   gunicorn # for WSGI HTTP Server
   futures
   caucase # certificate authority
+  ${bcrypt:egg}
 # are also required
   plone.recipe.command
   collective.recipe.template
+  slapos.toolbox
+scripts =
+  slapos-kill
+  gunicorn
+  caucase
+  caucase-cli
+  caucase-cliweb
 
 [template-ca-download-base]
 recipe = hexagonit.recipe.download
@@ -37,6 +46,10 @@ mode = 0644
 [template-nginx-ca-conf]
 <= template-ca-download-base
 
+[template-caucase]
+<= template-ca-download-base
+url = ${:_profile_base_location_}/${:filename}
+
 [template-authenticated-server]
 recipe = slapos.recipe.template:jinja2
 template = ${:_profile_base_location_}/${:filename}
@@ -44,7 +57,7 @@ rendered = ${buildout:directory}/template-authenticated-server.cfg
 context =
   key apache_location apache:location
   key template_logrotate_base template-logrotate-base:rendered
-  raw certificate_request_bin ${buildout:directory}/bin/ca-cliweb
+  raw certificate_request_bin ${buildout:directory}/bin/caucase-cliweb
   raw curl_executable_location ${curl:location}/bin/curl
   raw dash_executable_location ${dash:location}/bin/dash
   raw slapos_kill_bin ${buildout:directory}/bin/slapos-kill
@@ -52,16 +65,19 @@ context =
   raw openssl_executable_location ${openssl:location}/bin/openssl
   raw python_bin ${buildout:directory}/bin/${extra-eggs:interpreter}
 
-[template-certificate-authority]
+[instance-caucase]
 recipe = slapos.recipe.template:jinja2
 template = ${:_profile_base_location_}/${:filename}
-rendered = ${buildout:directory}/template-certificate-authority.cfg
+rendered = ${buildout:directory}/template.cfg
 context =
-  key ngix_location nginx:location
+  key develop_eggs_directory buildout:develop-eggs-directory
+  key eggs_directory buildout:eggs-directory
+  key nginx_location nginx:location
   key template_logrotate_base template-logrotate-base:rendered
+  raw caucase_template ${template-caucase:location}/${template-caucase:filename}
   raw curl_executable_location ${curl:location}/bin/curl
-  raw certificate_authority_bin ${buildout:directory}/bin/ca-bin
-  raw certificate_request_bin ${buildout:directory}/bin/ca-cliweb
+  raw caucase_bin ${buildout:directory}/bin/caucase
+  raw certificate_request_bin ${buildout:directory}/bin/caucase-cliweb
   raw template_nginx_ca_conf ${template-nginx-ca-conf:location}/${template-nginx-ca-conf:filename}
   raw dash_executable_location ${dash:location}/bin/dash
   raw slapos_kill_bin ${buildout:directory}/bin/slapos-kill
@@ -69,10 +85,11 @@ context =
   raw openssl_executable_location ${openssl:location}/bin/openssl
   raw python_bin ${buildout:directory}/bin/${extra-eggs:interpreter}
 
+
 [versions]
 Flask-User = 0.6.11
 SQLAlchemy = 1.1.9
-caucase = 0.1.1
+caucase = 0.1.2
 futures = 3.1.1
 gunicorn = 19.7.1
 slapos.recipe.template = 2.10

stack/certificate-authority/buildout.hash.cfg → stack/caucase/buildout.hash.cfg

@@ -26,6 +26,10 @@ md5sum = d8bebf1629aacffd619541f363687b4a
 filename = instance-auth-server.cfg.jinja2.in
 md5sum = a317d2f948cd3d16c860d05cc07ecf42
 
-[template-certificate-authority]
-filename = instance-certificate-authority.cfg.jinja2.in
-md5sum = 5ed16bcece904dd4527210c7453c84ca
+[template-caucase]
+filename = instance-caucase.cfg.jinja2.in
+md5sum = b801dfe4212ff97dc29191e4610df3a3
+
+[instance-caucase]
+filename = instance.cfg.in
+md5sum = eb9d2ab646717d123b0472da5194d77f

stack/certificate-authority/instance-certificate-authority.cfg.jinja2.in → stack/caucase/instance-caucase.cfg.jinja2.in

-[buildout]
-
-extends =
-  {{ template_logrotate_base }}
-
-parts = 
-  certificate-authority
-  certificate-authority-server
-
-[certificate-authority-parameters]
-server-port = ${slap-configuration:configuration.ca-server-port}
-server-https-port = ${slap-configuration:configuration.ca-server-https-port}
+{% set part_list = [] -%}
+{% set ipv6 = (ipv6 | list)[0] -%}
+{% set default_subject = '/C=FR/O=Company/CN=SlapOS Certificate Authority/emailAddress=xx@example.com' -%}
+{% if slapparameter_dict is not defined -%}
+{% set slapparameter_dict = {} -%}
+{% endif -%}
+
+[ca-parameters]
+server-port = {{ slapparameter_dict.get('server-port', 8009) }}
+server-https-port = {{ slapparameter_dict.get('server-https-port', 8010) }}
+ipv6 = {{ ipv6 }}
 # Overrite this to set frontend or DNS URL (URL is used as CRL distribution point)
 # Please set http not HTTPS scheme
-crl-external-url = http://[${slap-configuration:ipv6-random}]:${:server-port}
+crl-external-url = {{ slapparameter_dict.get('external-url', 'http://[${:ipv6}]:${:server-port}') }}
+# /CN=XXX is required and should be unique
+ca-subject = {{ slapparameter_dict.get('ca-subject', default_subject) }}
+# Number of pending csr to accept
+max-request-amount = {{ slapparameter_dict.get('max-request-amount', 10) }}
+# one year (in seconds)
+crt-life-time = {{ slapparameter_dict.get('crt-life-time', 31536000) }}
+# crl-life-period correspond to about one week
+crl-life-period = {{ slapparameter_dict.get('crl-life-period', 0.02) }}
+# ca-life-period = ca-life-period * crt-life-time
+ca-life-period = {{ slapparameter_dict.get('ca-life-period', 10) }}
+# time before clean certificate on CA: 60*24*60*60
+crt-keep-time = {{ slapparameter_dict.get('crt-keep-time', 5184000) }}
 
 [directory]
 recipe = slapos.cookbook:mkdirectory
@@ -34,26 +45,6 @@ fastcgi-temp-path = ${:ca-temp}/fastcgi_temp_path
 uwsgi-temp-path = ${:ca-temp}/uwsgi_temp_path
 scgi-temp-path = ${:ca-temp}/scgi_temp_path
 
-[ca-directory]
-recipe = slapos.cookbook:mkdirectory
-root = ${directory:srv}/ssl
-requests = ${:root}/requests
-private = ${:root}/private
-certs = ${:root}/certs
-newcerts = ${:root}/newcerts
-crl = ${:root}/crl
-
-[certificate-authority]
-recipe = slapos.cookbook:certificate_authority
-openssl-binary = {{ openssl_executable_location }}
-ca-dir = ${ca-directory:root}
-requests-directory = ${ca-directory:requests}
-wrapper = ${directory:services}/certificate_authority
-ca-private = ${ca-directory:private}
-ca-certs = ${ca-directory:certs}
-ca-newcerts = ${ca-directory:newcerts}
-ca-crl = ${ca-directory:crl}
-
 [nginx-certificate-request-base]
 recipe = slapos.cookbook:wrapper
 wrapper-path = ${directory:bin}/request-base-certificate
@@ -64,7 +55,7 @@ parameters-extra = true
 command-line = {{ certificate_request_bin }}
   --crt-file ${:cert-file}
   --key-file ${:key-file}
-  --ca-url http://[${slap-configuration:ipv6-random}]:${certificate-authority-parameters:server-port}
+  --ca-url http://[${ca-parameters:ipv6}]:${ca-parameters:server-port}
   --ca-crt-file ${:ca-cert}
 
 [nginx-certificate-request]
@@ -100,22 +91,22 @@ cert =
 key = 
 
 [ca-nginx-conf-parameter]
-ip = ${slap-configuration:ipv6-random}
-port = ${certificate-authority-parameters:server-port}
-https-port = ${certificate-authority-parameters:server-https-port}
+ip = ${ca-parameters:ipv6}
+port = ${ca-parameters:server-port}
+https-port = ${ca-parameters:server-https-port}
 pid-file = ${directory:run}/nginx-ca.pid
 access-log = ${directory:log}/nginx-ca-access.log
 error-log = ${directory:log}/nginx-ca-error.log
 cert-file = ${ca-nginx-ssl:cert}
 key-file = ${ca-nginx-ssl:key}
-ca-conf = ${certificate-authority-conf:output}
+ca-conf = ${caucase-conf:output}
 workers-processes = 1
 client-body-temp-path = ${directory:client-body-temp-path}
 proxy-temp-path = ${directory:proxy-temp-path}
 fastcgi-temp-path = ${directory:fastcgi-temp-path}
 uwsgi-temp-path = ${directory:uwsgi-temp-path}
 scgi-temp-path = ${directory:scgi-temp-path}
-socket = ${certificate-authority-gunicorn:socket}
+socket = ${caucase-gunicorn:socket}
 
 [ca-nginx-conf]
 recipe = slapos.recipe.template:jinja2
@@ -125,7 +116,7 @@ mode = 0700
 context =
   section parameter_dict ca-nginx-conf-parameter
 
-[certificate-authority-conf]
+[caucase-conf]
 recipe = collective.recipe.template
 # Values here are intended to be changed in your instance. override this section
 input = inline:
@@ -133,17 +124,17 @@ input = inline:
   # enable debug
   # debug
   # log-file ${directory:log}/ca-server.log
-  subject ${slap-configuration:configuration.ca-subject}
-  max-request-amount ${slap-configuration:configuration.max-request-amount}
-  external-url ${certificate-authority-parameters:crl-external-url}
+  subject ${ca-parameters:ca-subject}
+  max-request-amount ${ca-parameters:max-request-amount}
+  external-url ${ca-parameters:crl-external-url}
   # one year (in seconds)
-  crt-life-time ${slap-configuration:configuration.crt-life-time}
+  crt-life-time ${ca-parameters:crt-life-time}
   # crl-life-period correspond to about one week
-  crl-life-period ${slap-configuration:configuration.crl-life-period}
+  crl-life-period ${ca-parameters:crl-life-period}
   # ca-life-time = ca-life-period * crt-life-time
-  ca-life-period ${slap-configuration:configuration.ca-life-period}
+  ca-life-period ${ca-parameters:ca-life-period}
   # time before clean certificate on CA: 60*24*60*60
-  crt-keep-time ${slap-configuration:configuration.crt-keep-time}
+  crt-keep-time ${ca-parameters:crt-keep-time}
 
 output = ${directory:etc}/ca.conf
 mode = 700
@@ -151,105 +142,83 @@ mode = 700
 [ca-nginx-graceful]
 recipe = collective.recipe.template
 input = inline:#!{{ dash_executable_location }}
-  kill -HUP $(cat ${ca-nginx-conf-parameter:pid-file})
+  kill -HUP "$(cat '${ca-nginx-conf-parameter:pid-file}')"
 
 output = ${directory:scripts}/ca-server-graceful
 mode = 700
 
-[certificate-authority-gunicorn]
+[caucase-gunicorn]
 recipe = slapos.cookbook:wrapper
 socket = ${directory:ca-dir}/ca.flaskserver.sock
-command-line =  {{ gunicorn_bin }} caucase.wsgi:app -b unix:${:socket} -e CA_CONFIGURATION_FILE=${certificate-authority-conf:output} --error-logfile ${:log-file} --pid ${:pid-file} --capture-output --timeout 60 --threads 2 --log-level error --preload
+command-line =  {{ gunicorn_bin }} caucase.wsgi:app -b unix:${:socket} -e CA_CONFIGURATION_FILE=${caucase-conf:output} --error-logfile ${:log-file} --pid ${:pid-file} --capture-output --timeout 60 --threads 2 --log-level error --preload
 log-file = ${directory:log}/ca-gunicorn-error.log
 pid-file = ${directory:run}/ca-gunicorn.pid
 wrapper-path = ${directory:services}/ca-gunicorn
-#environment = #PATH=$${environ:PATH}:${git:location}/bin/
-#  CA_CONFIGURATION_FILE=${certificate-authority-conf:output}
-#  LANG=en_GB.UTF-8
 
-[certificate-authority-server]
+[caucase-server]
 recipe = slapos.cookbook:wrapper
-command-line = {{ ngix_location }}/sbin/nginx -p ${directory:ca-dir} -c ${ca-nginx-conf:rendered}
-wrapper-path = ${directory:services}/ca-server
-url = https://[${slap-configuration:ipv6-random}]:${certificate-authority-parameters:server-https-port}
-insecure-url = ${certificate-authority-parameters:crl-external-url}
+command-line = {{ nginx_location }}/sbin/nginx -p ${directory:ca-dir} -c ${ca-nginx-conf:rendered}
+wrapper-path = ${directory:services}/caucase-server
+url = https://[${ca-parameters:ipv6}]:${ca-parameters:server-https-port}
+http-url = ${ca-parameters:crl-external-url}
 depends = 
   ${nginx-certificate-request:wrapper-path}
-  ${certificate-authority-server-promise:filename}
-  ${certificate-authority-https-server-promise:filename}
+  ${caucase-server-promise:filename}
+  ${caucase-https-server-promise:filename}
   ${ca-nginx-graceful:output}
   ${ca-certificate-renew-cron-entry:name}
   ${logrotate-ca-nginx:name}
 
-[ca-server-certificate-renew]
-recipe = collective.recipe.template
-input = inline:
-  #!{{ dash_executable_location }}
-
-  d=$({{ openssl_executable_location }} x509 -enddate -noout -in ${nginx-certificate-request-base:cert-file} | cut -d'=' -f 2)
-  cert_time=$(date -d "$d" +"%s")
-  now=$(date +"%s")
-  thresold=2592000  # 30*24*60*60  equivalent to one month in seconds
-  remind=$(($cert_time - $now))
-
-  if [ $remind -lt $thresold ]; then
-    exec ${nginx-certificate-request-base:wrapper-path} --renew
-    # run nginx grancefull restart to reload renewed certificates
-    excec ${ca-nginx-graceful:output}
-  fi
-
-output = ${directory:bin}/server-certificate-renew
-mode = 700
-
 [ca-certificate-renew-cron-entry]
 recipe = slapos.cookbook:cron.d
 cron-entries = ${cron:cron-entries}
 name = ca-server-certificate-auto-renew
 # check renew every-week
-frequency = 5 4 * * 6
-command = ${ca-server-certificate-renew:output}
+time = weekly
+# 2592000 = 30*24*60*60  equivalent to one month in seconds
+command = ${nginx-certificate-request-base:wrapper-path} --renew --threshold 2592000 --on-renew="${ca-nginx-graceful:output}"
 
 [logrotate-ca-nginx]
 < = logrotate-entry-base
-name = certificate-authority-nginx-server
+name = caucase-nginx-server
 log = ${ca-nginx-conf-parameter:access-log} ${ca-nginx-conf-parameter:access-log}
 post = {{ slapos_kill_bin }} --pidfile ${ca-nginx-conf-parameter:pid-file} -s USR1
 
-[certificate-authority-server-promise]
+[caucase-server-promise]
 recipe = slapos.cookbook:check_url_available
 path = ${directory:promises}/${:filename}
-filename = certificate-authority-server-listening-on-tcp
-url = http://[${slap-configuration:ipv6-random}]:${certificate-authority-parameters:server-port}
+filename = caucase-server-listening-on-tcp
+url = http://[${ca-parameters:ipv6}]:${ca-parameters:server-port}
 dash_path = {{ dash_executable_location }}
 curl_path = {{ curl_executable_location }}
 
-[certificate-authority-https-server-promise]
+[caucase-https-server-promise]
 recipe = slapos.cookbook:check_url_available
 path = ${directory:promises}/${:filename}
-filename = certificate-authority-server-https-on-${certificate-authority-parameters:server-https-port}
-url = https://[${slap-configuration:ipv6-random}]:${certificate-authority-parameters:server-https-port}
+filename = caucase-server-https-on-${ca-parameters:server-https-port}
+url = https://[${ca-parameters:ipv6}]:${ca-parameters:server-https-port}
 check-secure = 1
 dash_path = {{ dash_executable_location }}
 curl_path = {{ curl_executable_location }}
 
-[slap-configuration]
-recipe = slapos.cookbook:slapconfiguration.serialised
-computer = ${slap-connection:computer-id}
-partition = ${slap-connection:partition-id}
-url = ${slap-connection:server-url}
-key = ${slap-connection:key-file}
-cert = ${slap-connection:cert-file}
-
-configuration.ca-server-port = 8009
-configuration.ca-server-https-port = 8010
-# /CN=XXX is required
-configuration.ca-subject = /C=Country/ST=State/L=City/OU=O-Unit/O=Company/CN=SlapOS Certificate Authority/emailAddress=xx@example.com
-configuration.max-request-amount = 10
-# one year (in seconds)
-configuration.crt-life-time = 31536000
-# crl-life-period correspond to about one week
-configuration.crl-life-period = 0.02
-# ca-life-period = ca-life-period * crt-life-time
-configuration.ca-life-period = 10
-# time before clean certificate on CA: 60*24*60*60
-configuration.crt-keep-time = 5184000
\ No newline at end of file
+{% if publish_parameter is defined and publish_parameter == 'yes' -%}
+[publish-connection-parameter]
+recipe = slapos.cookbook:publish.serialised
+http-url = ${caucase-server:http-url}
+https-url = ${caucase-server:url}
+{% do part_list.append('publish-connection-parameter') -%}
+{% endif -%}
+
+[buildout]
+
+extends =
+  {{ template_logrotate_base }}
+
+parts = 
+  caucase-server
+# Complete parts with sections
+  {{ part_list | join('\n  ') }}
+
+eggs-directory = {{ eggs_directory }}
+develop-eggs-directory = {{ develop_eggs_directory }}
+offline = true
\ No newline at end of file

stack/caucase/instance.cfg.in

+[buildout]
+parts =
+  switch-softwaretype
+
+eggs-directory = {{ eggs_directory }}
+develop-eggs-directory = {{ develop_eggs_directory }}
+offline = true
+
+[slap-configuration]
+recipe = slapos.cookbook:slapconfiguration.serialised
+computer = ${slap-connection:computer-id}
+partition = ${slap-connection:partition-id}
+url = ${slap-connection:server-url}
+key = ${slap-connection:key-file}
+cert = ${slap-connection:cert-file}
+
+[dynamic-template-caucase]
+recipe = slapos.recipe.template:jinja2
+filename = ${:_buildout_section_name_}.cfg
+rendered = ${buildout:parts-directory}/${:_buildout_section_name_}/${:filename}
+template = {{ caucase_template }}
+extensions = jinja2.ext.do
+extra-context =
+context =
+    key ipv4 slap-configuration:ipv4
+    key ipv6 slap-configuration:ipv6
+    key develop_eggs_directory buildout:develop-eggs-directory
+    key eggs_directory buildout:eggs-directory
+    key slapparameter_dict slap-configuration:configuration
+    raw gunicorn_bin {{ gunicorn_bin }}
+    raw template_logrotate_base {{ template_logrotate_base }}
+    raw certificate_request_bin {{ certificate_request_bin }}
+    raw template_nginx_ca_conf {{ template_nginx_ca_conf }}
+    raw nginx_location {{ nginx_location }}
+    raw slapos_kill_bin {{ slapos_kill_bin }}
+    raw dash_executable_location {{ dash_executable_location }}
+    raw curl_executable_location {{ curl_executable_location }}
+    raw publish_parameter yes
+
+[switch-softwaretype]
+recipe = slapos.cookbook:softwaretype
+default = ${dynamic-template-caucase:rendered}
+