nixos/taskserver: Silence certtool everywhere

We only print the output whenever there is an error, otherwise let's shut it up because it only shows information the user can gather through other means. For example by invoking certtool manually, or by just looking at private key files (the whole blurb it's outputting is in there as well). Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-04-12 02:16:35 +02:00 · 2016-04-12 02:16:35 +02:00 · 9586795ef2
parent cfb6ce2abe
commit 9586795ef2
2 changed files with 51 additions and 25 deletions
--- a/nixos/modules/services/misc/taskserver/default.nix
+++ b/nixos/modules/services/misc/taskserver/default.nix
@ -118,6 +118,8 @@ let

  mkShellStr = val: "'${replaceStrings ["'"] ["'\\''"] val}'";

+  certtool = "${pkgs.gnutls}/bin/certtool";
+
  nixos-taskserver = pkgs.buildPythonPackage {
    name = "nixos-taskserver";
    namePrefix = "";
@ -126,8 +128,7 @@ let
      mkdir -p "$out"
      cat "${pkgs.substituteAll {
        src = ./helper-tool.py;
-        certtool = "${pkgs.gnutls}/bin/certtool";
-        inherit taskd;
+        inherit taskd certtool;
        inherit (cfg) dataDir user group fqdn;
      }}" > "$out/main.py"
      cat > "$out/setup.py" <<EOF
@ -351,14 +352,21 @@ in {
      serviceConfig.UMask = "0077";

      script = ''
+        silent_certtool() {
+          if ! output="$("${certtool}" "$@" 2>&1)"; then
+            echo "GNUTLS certtool invocation failed with output:" >&2
+            echo "$output" >&2
+          fi
+        }
+
        mkdir -m 0700 -p "${cfg.dataDir}/keys"
        chown root:root "${cfg.dataDir}/keys"

        if [ ! -e "${cfg.dataDir}/keys/ca.key" ]; then
-          ${pkgs.gnutls}/bin/certtool -p \
+          silent_certtool -p \
            --bits 2048 \
            --outfile "${cfg.dataDir}/keys/ca.key"
-          ${pkgs.gnutls}/bin/certtool -s \
+          silent_certtool -s \
            --template "${pkgs.writeText "taskserver-ca.template" ''
              cn = ${cfg.fqdn}
              cert_signing_key
@ -372,11 +380,11 @@ in {
        fi

        if [ ! -e "${cfg.dataDir}/keys/server.key" ]; then
-          ${pkgs.gnutls}/bin/certtool -p \
+          silent_certtool -p \
            --bits 2048 \
            --outfile "${cfg.dataDir}/keys/server.key"

-          ${pkgs.gnutls}/bin/certtool -c \
+          silent_certtool -c \
            --template "${pkgs.writeText "taskserver-cert.template" ''
              cn = ${cfg.fqdn}
              tls_www_server
@ -398,7 +406,7 @@ in {
        fi

        if [ ! -e "${cfg.dataDir}/keys/server.crl" ]; then
-          ${pkgs.gnutls}/bin/certtool --generate-crl \
+          silent_certtool --generate-crl \
            --template "${pkgs.writeText "taskserver-crl.template" ''
              expiration_days = 3650
            ''}" \
--- a/nixos/modules/services/misc/taskserver/helper-tool.py
+++ b/nixos/modules/services/misc/taskserver/helper-tool.py
@ -69,6 +69,24 @@ def taskd_cmd(cmd, *args, **kwargs):
    )


+def certtool_cmd(*args, **kwargs):
+    """
+    Invoke certtool from GNUTLS and return the output of the command.
+
+    The provided arguments are added to the certtool command and keyword
+    arguments are added to subprocess.check_output().
+
+    Note that this will suppress all output of certtool and it will only be
+    printed whenever there is an unsuccessful return code.
+    """
+    return subprocess.check_output(
+        [CERTTOOL_COMMAND] + list(args),
+        preexec_fn=lambda: os.umask(0077),
+        stderr=subprocess.STDOUT,
+        **kwargs
+    )
+
+
 def label(msg):
    if sys.stdout.isatty() or sys.stderr.isatty():
        sys.stderr.write(msg + "\n")
@ -113,8 +131,7 @@ def generate_key(org, user):
    try:
        os.makedirs(basedir, mode=0700)

-        cmd = [CERTTOOL_COMMAND, "-p", "--bits", "2048", "--outfile", privkey]
-        subprocess.check_call(cmd, preexec_fn=lambda: os.umask(0077))
+        certtool_cmd("-p", "--bits", "2048", "--outfile", privkey)

        template_data = [
            "organization = {0}".format(org),
@ -125,13 +142,14 @@ def generate_key(org, user):
        ]

        with create_template(template_data) as template:
-            cmd = [CERTTOOL_COMMAND, "-c",
-                   "--load-privkey", privkey,
-                   "--load-ca-privkey", cakey,
-                   "--load-ca-certificate", cacert,
-                   "--template", template,
-                   "--outfile", pubcert]
-            subprocess.check_call(cmd, preexec_fn=lambda: os.umask(0077))
+            certtool_cmd(
+                "-c",
+                "--load-privkey", privkey,
+                "--load-ca-privkey", cakey,
+                "--load-ca-certificate", cacert,
+                "--template", template,
+                "--outfile", pubcert
+            )
    except:
        rmtree(basedir)
        raise
@ -152,15 +170,15 @@ def revoke_key(org, user):
        oldcrl = NamedTemporaryFile(mode="wb", prefix="old-crl")
        oldcrl.write(open(crl, "rb").read())
        oldcrl.flush()
-        cmd = [CERTTOOL_COMMAND,
-               "--generate-crl",
-               "--load-crl", oldcrl.name,
-               "--load-ca-privkey", cakey,
-               "--load-ca-certificate", cacert,
-               "--load-certificate", pubcert,
-               "--template", template,
-               "--outfile", crl]
-        subprocess.check_call(cmd, preexec_fn=lambda: os.umask(0077))
+        certtool_cmd(
+            "--generate-crl",
+            "--load-crl", oldcrl.name,
+            "--load-ca-privkey", cakey,
+            "--load-ca-certificate", cacert,
+            "--load-certificate", pubcert,
+            "--template", template,
+            "--outfile", crl
+        )
        oldcrl.close()
    rmtree(basedir)