[LON-CAPA-cvs] cvs: loncom / CrGrant.pl
foxr
lon-capa-cvs@mail.lon-capa.org
Tue, 06 Jul 2004 11:05:46 -0000
foxr Tue Jul 6 07:05:46 2004 EDT
Modified files:
/loncom CrGrant.pl
Log:
- Add reading of the config file to figure out where things go.
- Code and test install script creation.
Index: loncom/CrGrant.pl
diff -u loncom/CrGrant.pl:1.2 loncom/CrGrant.pl:1.3
--- loncom/CrGrant.pl:1.2 Mon Jul 5 07:37:39 2004
+++ loncom/CrGrant.pl Tue Jul 6 07:05:45 2004
@@ -2,7 +2,7 @@
# The LearningOnline Network
# CrGrant.pl - Grant a loncapa SSL certificate.
#
-# $Id: CrGrant.pl,v 1.2 2004/07/05 11:37:39 foxr Exp $
+# $Id: CrGrant.pl,v 1.3 2004/07/06 11:05:45 foxr Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -66,7 +66,7 @@
# Import section:
use strict;
-use lib '/home/httpd/lib/perl';
+use lib '/home/httpd/lib/perl'; # An assumption!!!
use MIME::Entity;
use LONCAPA::Configuration;
@@ -74,12 +74,28 @@
# Global variable declarations
-my $ssl_command = "/usr/bin/openssl "; # Command to run openssl.
+
my $ssl_dir = "/usr/share/ssl"; # Where ssl config files etc. live
-my $ca_cert_file = $ssl_dir."/loncapa/cacert.pem"; # CA's certificate file.
+my $ca_cert_file = $ssl_dir."/loncapaca/cacert.pem"; # CA's certificate file.
my $ca_config_file= $ssl_dir."/loncapaca.cnf"; # CA's config file.
-
+
+# LONCAPA Configuration global variables:
+
+# Items read from our configuration file.
+
+my $ssl_command = "/usr/bin/openssl "; # Command to run openssl.
+my $loncapa_cert_dir; # Name of target cert dir (from config)
+my $loncapa_hostcert_name; # Name of host's signed cert file (config)
+my $loncapa_cacert_name; # Name of the CA's certificate file (config)
+
+# Items I just need to know:
+
+my $loncapa_config = "loncapa.conf"; # User's override config file.
+my $loncapa_apache_user = 'www'; # Name of apache daemon's user
+my $loncapa_apache_group = 'www'; # Name of apache daemon's group
+
+
# Debug/log support
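Review bot: The default `my $ssl_command = "/usr/bin/openssl ";` keeps a trailing space, but ReadConfig in the next hunk replaces it verbatim with `$perlvarref->{SSLProgram}`, which presumably carries no trailing space; if the openssl invocation (outside this diff) builds its command line by concatenating `$ssl_command` with its arguments, the configured value yields `/usr/bin/opensslca ...` where the default yields `/usr/bin/openssl ca ...`. Drop the trailing space from the default and join program and arguments explicitly at the call site (preferably the list form of `system`, which also keeps the shell out of it) so both sources behave the same. The apache user and group are hard-coded to `'www'` although the surrounding comments describe the script as configuration driven; if the configuration file exposes them, read them in ReadConfig alongside the other items.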
@@ -111,6 +127,66 @@
USAGE
}
+#
+# Read the loncapa configuration file and pull out the items
+# we need:
+#
+# Implicit inputs:
+# $loncapa_config - The name of the auxilliary config file.
+# Side effects:
+# - On failure exits with an error message.
+# - On success set the following variables:
+# o loncapa_cert_dir - Path to certificates.
+# o loncapa_hostcert_name - Name of host's cert file in that dir
+# o loncapa_cacert_name - Name of CA's cert file in that dir.
+# o ssl_command - Name of ssl utility command.
+sub ReadConfig {
+ Debug("Reading the config files");
+ my $perlvarref = LONCAPA::Configuration::read_conf($loncapa_config);
+
+ # Pull out the individual variables or die:
+
+ # SSL Command:
+
+ if($perlvarref->{SSLProgram}) {
+ $ssl_command = $perlvarref->{SSLProgram};
+ Debug("SSL utility program is $ssl_command");
+ }
+ else {
+ die "LonCAPA configuration errror: Can't read SSLProgram variable";
+ }
+ # Certificate directory:
+
+ if($perlvarref->{lonCertificateDirectory}) {
+ $loncapa_cert_dir = $perlvarref->{lonCertificateDirectory};
+ Debug("Certificates will be installed in $loncapa_cert_dir");
+ }
+ else {
+ die "LonCAPA configuration error can't read lonCertificateDirectory variable";
+
+ }
+ # Get the name of the host's certificate:
+
+ if($perlvarref->{lonnetCertificate}) {
+ $loncapa_hostcert_name = $perlvarref->{lonnetCertificate};
+ Debug("Host's certificate will be $loncapa_hostcert_name");
+ }
+ else {
+ die "LonCAPA configuration error: Can't read lonnetCertificate variable";
+ }
+ # Get the name of the certificate authority's certificate.
+
+ if($perlvarref->{lonnetCertificateAuthority}) {
+ $loncapa_cacert_name = $perlvarref->{lonnetCertificateAuthority};
+ Debug("CA's certificate will be $loncapa_cacert_name");
+ }
+ else {
+ die "LonCAPA configuration error: Can't read lonnetCertificateAuthority variable";
+ }
+
+
+}
+
# Create a certificate from the request file. The certificate
# is used, in conjunction with the openssl command with the
# certificate authority configuration to produce a certificate
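Review bot: ReadConfig never checks what `LONCAPA::Configuration::read_conf($loncapa_config)` returned; if it yields undef when the file is missing or unreadable, the `$perlvarref->{SSLProgram}` test quietly autovivifies an empty hash and the script dies with the misleading "Can't read SSLProgram variable" instead of naming the real problem. Add `die "LonCAPA configuration error: can't read $loncapa_config" unless ref $perlvarref;` directly after the read_conf call. The four error strings are also inconsistent ("errror" in the SSLProgram message, no colon in the lonCertificateDirectory one); since an administrator reads these, spell them uniformly, e.g. `die "LonCAPA configuration error: Can't read lonCertificateDirectory variable";`. As the four blocks differ only in the key and target variable, a small loop over a key-to-variable table would remove the duplication and keep the messages identical.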
@@ -214,7 +290,117 @@
return $address;
}
-sub CreateInstallScript {}
+#
+# Create the installation script. This will be bash script
+# that will install the certifiate and the CA's certificate with ownership
+# WebUser:WebGroup and permissions 0400. I thought about using a perl
+# script in order to be able to get the certificate file/directory from
+# the configuration files. Unfortunately this is not as easy as it looks.
+# Root has a chicken and egg problem. In order to read the config file
+# you need to have added the ..../lib/perl to the perl lib path. To do
+# that correctly, you need to have read the config file to know where
+# it is...What we will do is read our local configuration file and
+# assume that our configuration is the same as the target's system in
+# all respects we care about.
+# Implicit Inputs:
+# - Bash is in /bin/bash
+# - $loncapa_cert_dir - install target directory.
+# - $loncapa_hostcert_name - Name of installed host cert file.
+# - $loncapa_cacert_name - Name of installed ca cert file.
+# - $loncapa_apache_user - username under which httpd runs.
+# - $loncapa_apache_group - group under which httpd runs.
+# - 0400 - install permissions.
+# - The host's certificate is now in ./hostCertificate.pem
+# - The CA's certificate is now in $ca_cert_file
+#
+# Implicit Outputs:
+# A file named CertInstall.sh
+#
+sub CreateInstallScript {
+ open INSTALLER,">CertInstall.sh";
+ print INSTALLER <<BASH_HEADER;
+#!/bin/bash
+#
+# Installer for your lonCAPA certificates. Please check the
+# configuration variables to be sure they match your installation.
+# Then run this script under a root shell to complete the
+# installation of the certificates.
+#
+# Configuration Variables:
+CERTDIR="$loncapa_cert_dir" # Directory with your host key.
+HOSTCERT="$loncapa_hostcert_name" # Name of host's certificate file.
+CACERT="$loncapa_cacert_name" # Name of certifiate authority file.
+HTTPDUID="$loncapa_apache_user" # UID of httpd.
+HTTPDGID="$loncapa_apache_group" # GID of httpd.
+
+# End of configuration variables.
+
+MODE=0444 # certificates get this mode.
+HOSTCERTPATH="\$CERTDIR/\$HOSTCERT"
+CACERTPATH="\$CERTDIR/\$CACERT"
+
+# Create the host certificate file to install:
+
+echo unpacking host certificate
+
+cat <<-HOSTCERTTEXT >\$HOSTCERT
+BASH_HEADER
+
+ # Now copy the host certificate into the script:
+
+ open HOSTCERT, "<hostCertificate.pem";
+ while(my $line = <HOSTCERT>) {
+ print INSTALLER $line; # Line presumably has a \n.
+ }
+ close HOSTCERT;
+
+ # Close the here doc, and start up the cat of the ca cert:
+
+ print INSTALLER "HOSTCERTTEXT\n";
+ print INSTALLER "echo unpacking CA certificate\n";
+ print INSTALLER "cat <<-CACERTTEXT >\$CACERT\n";
+ open CACERT, "<$ca_cert_file";
+ while(my $line = <CACERT>) {
+ print INSTALLER $line;
+ }
+ close CACERT;
+ print INSTALLER "CACERTTEXT\n";
+
+ # Ok, the script can create the two files, now it must install
+ # install them >and< clean up after itself.
+
+ print INSTALLER <<BASH_TRAILER;
+
+echo Installing certificates
+
+install -m \$MODE -o \$HTTPDUID -g \$HTTPDGID \$CACERT \$CACERTPATH
+install -m \$MODE -o \$HTTPDUID -g \$HTTPDGID \$HOSTCERT \$HOSTCERTPATH
+
+echo done
+
+# rm -f \$CACERT
+# rm -f \$HOSTCERT
+
+# Do they want to restart loncapa:
+#
+
+echo In order to start running in secure mode you will need to start
+echo lonCAPA. If you want I can do that now for you. Otherwise,
+echo you will have to do it yourself later either by rebooting your
+echo system or by typing:
+echo
+echo /etc/init.d/loncontrol restart
+echo
+read -p "Restart loncapa now [yN]?" yesno
+
+if [ "{\$yesno:0:1}" = "Y" ]
+then
+ /etc/init.d/loncontrol restart
+fi
+BASH_TRAILER
+
+ close INSTALLER;
+}
sub CreateEmail {
return "Dummy message"; # Stub.
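Review bot: All three `open` calls in CreateInstallScript are two-argument, bareword and unchecked, so if `hostCertificate.pem` or `$ca_cert_file` cannot be read the copy loop simply never runs and CertInstall.sh is still written with nothing between the here-doc markers, which the trailer then `install`s world-readable as the real certificate. Use three-argument lexical opens with `or die` and check `close` on the write handle, so the installer is only produced when both inputs were actually read. The bash test near the end, `if [ "{\$yesno:0:1}" = "Y" ]`, is missing the `$` before the brace: bash sees `{$yesno:0:1}` and expands it to a literal such as `{Y:0:1}`, so the restart branch can never be taken; write `if [ "\${yesno:0:1}" = "Y" ]`. The header comment promises permissions 0400 while the script sets `MODE=0444`; make the two agree (0444 is reasonable for public certificates, but the comment should say that).
```perl
sub CreateInstallScript {
    open my $installer, '>', 'CertInstall.sh'
        or die "Can't create CertInstall.sh: $!";
    print {$installer} <<BASH_HEADER;
# ... unchanged: installer header text and BASH_HEADER terminator ...

    open my $hostcert, '<', 'hostCertificate.pem'
        or die "Can't read hostCertificate.pem: $!";
    while (my $line = <$hostcert>) {
        print {$installer} $line;
    }
    close $hostcert;
    # ... unchanged: HOSTCERTTEXT terminator and the 'cat <<-CACERTTEXT' lines ...

    open my $cacert, '<', $ca_cert_file
        or die "Can't read CA certificate $ca_cert_file: $!";
    while (my $line = <$cacert>) {
        print {$installer} $line;
    }
    close $cacert;
    # ... unchanged: CACERTTEXT terminator and BASH_TRAILER here-doc ...

    close $installer or die "Can't write CertInstall.sh: $!";
}
```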
@@ -238,7 +424,10 @@
}
my $CertificateRequest = $ARGV[0];
-my $email_address = CreateCertificate($CertificateRequest);
+&ReadConfig;
+
+my $email_address = &CreateCertificate($CertificateRequest);
+Debug("CreateCertificate returned: $email_address");
if(!defined $email_address) {
print STDERR "Bad or missing certificate file!!";
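Review bot: The new calls `&ReadConfig;`, and `&CreateInstallScript;`, `&CreateEmail;` and `&Cleanup;` in the following hunk, use the ampersand form without parentheses, which is not a call with no arguments: it passes the caller's current `@_` through unchanged and bypasses any prototype. These are plain calls, so write `ReadConfig();`, `CreateInstallScript();`, `my $Message = CreateEmail();` and `Cleanup();`, and drop the `&` from `CreateCertificate(...)` and `SendEmail(...)` for consistency. The added `Debug("CreateCertificate returned: $email_address");` also interpolates `$email_address` before the `defined` check on the next line, so the failure case logs an empty value; move it after the check or log `defined $email_address ? $email_address : 'undef'`.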
@@ -246,9 +435,9 @@
exit -1;
}
-CreateInstallScript;
-my $Message = CreateEmail;
-SendEmail($email_address, $Message);
-Cleanup;
+&CreateInstallScript;
+my $Message = &CreateEmail;
+&SendEmail($email_address, $Message);
+&Cleanup;
# POD documentation.