nixos/taskserver: Silence certtool everywhere

We only print the output whenever there is an error, otherwise let's
shut it up because it only shows information the user can gather through
other means. For example by invoking certtool manually, or by just
looking at private key files (the whole blurb it's outputting is in
there as well).

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This commit is contained in:
aszlig 2016-04-12 02:16:35 +02:00
parent cfb6ce2abe
commit 9586795ef2
No known key found for this signature in database
GPG Key ID: D0EBD0EC8C2DC961
2 changed files with 51 additions and 25 deletions


@ -118,6 +118,8 @@ let
mkShellStr = val: "'${replaceStrings ["'"] ["'\\''"] val}'"; mkShellStr = val: "'${replaceStrings ["'"] ["'\\''"] val}'";
certtool = "${pkgs.gnutls}/bin/certtool";
nixos-taskserver = pkgs.buildPythonPackage { nixos-taskserver = pkgs.buildPythonPackage {
name = "nixos-taskserver"; name = "nixos-taskserver";
namePrefix = ""; namePrefix = "";
@ -126,8 +128,7 @@ let
mkdir -p "$out" mkdir -p "$out"
cat "${pkgs.substituteAll { cat "${pkgs.substituteAll {
src = ./helper-tool.py; src = ./helper-tool.py;
certtool = "${pkgs.gnutls}/bin/certtool"; inherit taskd certtool;
inherit taskd;
inherit (cfg) dataDir user group fqdn; inherit (cfg) dataDir user group fqdn;
}}" > "$out/main.py" }}" > "$out/main.py"
cat > "$out/setup.py" <<EOF cat > "$out/setup.py" <<EOF
@ -351,14 +352,21 @@ in {
serviceConfig.UMask = "0077"; serviceConfig.UMask = "0077";
script = '' script = ''
silent_certtool() {
if ! output="$("${certtool}" "$@" 2>&1)"; then
echo "GNUTLS certtool invocation failed with output:" >&2
echo "$output" >&2
fi
}
mkdir -m 0700 -p "${cfg.dataDir}/keys" mkdir -m 0700 -p "${cfg.dataDir}/keys"
chown root:root "${cfg.dataDir}/keys" chown root:root "${cfg.dataDir}/keys"
if [ ! -e "${cfg.dataDir}/keys/ca.key" ]; then if [ ! -e "${cfg.dataDir}/keys/ca.key" ]; then
${pkgs.gnutls}/bin/certtool -p \ silent_certtool -p \
--bits 2048 \ --bits 2048 \
--outfile "${cfg.dataDir}/keys/ca.key" --outfile "${cfg.dataDir}/keys/ca.key"
${pkgs.gnutls}/bin/certtool -s \ silent_certtool -s \
--template "${pkgs.writeText "taskserver-ca.template" '' --template "${pkgs.writeText "taskserver-ca.template" ''
cn = ${cfg.fqdn} cn = ${cfg.fqdn}
cert_signing_key cert_signing_key
@ -372,11 +380,11 @@ in {
fi fi
if [ ! -e "${cfg.dataDir}/keys/server.key" ]; then if [ ! -e "${cfg.dataDir}/keys/server.key" ]; then
${pkgs.gnutls}/bin/certtool -p \ silent_certtool -p \
--bits 2048 \ --bits 2048 \
--outfile "${cfg.dataDir}/keys/server.key" --outfile "${cfg.dataDir}/keys/server.key"
${pkgs.gnutls}/bin/certtool -c \ silent_certtool -c \
--template "${pkgs.writeText "taskserver-cert.template" '' --template "${pkgs.writeText "taskserver-cert.template" ''
cn = ${cfg.fqdn} cn = ${cfg.fqdn}
tls_www_server tls_www_server
@ -398,7 +406,7 @@ in {
fi fi
if [ ! -e "${cfg.dataDir}/keys/server.crl" ]; then if [ ! -e "${cfg.dataDir}/keys/server.crl" ]; then
${pkgs.gnutls}/bin/certtool --generate-crl \ silent_certtool --generate-crl \
--template "${pkgs.writeText "taskserver-crl.template" '' --template "${pkgs.writeText "taskserver-crl.template" ''
expiration_days = 3650 expiration_days = 3650
''}" \ ''}" \
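Review bot: `silent_certtool` swallows certtool's failure: after the two `echo`s in the `if ! output=...` branch the function returns the status of the last `echo`, i.e. 0, so the caller never sees the non-zero exit. Before this change each direct `certtool` invocation could abort the provisioning script on failure (NixOS wraps `script` in a shell with `-e`, if I recall correctly); now a failed `-p` key generation merely logs, the following `-s`/`-c` signing step runs against a missing key and is also logged-and-ignored, and the unit goes on to start taskd with incomplete key material in `${cfg.dataDir}/keys`. Add `return 1` after `echo "$output" >&2` (or capture `$?` and return it) so the error still propagates, and consider declaring `local output` so the helper does not leak a global into the rest of the script. The `script` body continues past the end of this section.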


@ -69,6 +69,24 @@ def taskd_cmd(cmd, *args, **kwargs):
) )
def certtool_cmd(*args, **kwargs):
"""
Invoke certtool from GNUTLS and return the output of the command.
The provided arguments are added to the certtool command and keyword
arguments are added to subprocess.check_output().
Note that this will suppress all output of certtool and it will only be
printed whenever there is an unsuccessful return code.
"""
return subprocess.check_output(
[CERTTOOL_COMMAND] + list(args),
preexec_fn=lambda: os.umask(0077),
stderr=subprocess.STDOUT,
**kwargs
)
def label(msg): def label(msg):
if sys.stdout.isatty() or sys.stderr.isatty(): if sys.stdout.isatty() or sys.stderr.isatty():
sys.stderr.write(msg + "\n") sys.stderr.write(msg + "\n")
@ -113,8 +131,7 @@ def generate_key(org, user):
try: try:
os.makedirs(basedir, mode=0700) os.makedirs(basedir, mode=0700)
cmd = [CERTTOOL_COMMAND, "-p", "--bits", "2048", "--outfile", privkey] certtool_cmd("-p", "--bits", "2048", "--outfile", privkey)
subprocess.check_call(cmd, preexec_fn=lambda: os.umask(0077))
template_data = [ template_data = [
"organization = {0}".format(org), "organization = {0}".format(org),
@ -125,13 +142,14 @@ def generate_key(org, user):
] ]
with create_template(template_data) as template: with create_template(template_data) as template:
cmd = [CERTTOOL_COMMAND, "-c", certtool_cmd(
"--load-privkey", privkey, "-c",
"--load-ca-privkey", cakey, "--load-privkey", privkey,
"--load-ca-certificate", cacert, "--load-ca-privkey", cakey,
"--template", template, "--load-ca-certificate", cacert,
"--outfile", pubcert] "--template", template,
subprocess.check_call(cmd, preexec_fn=lambda: os.umask(0077)) "--outfile", pubcert
)
except: except:
rmtree(basedir) rmtree(basedir)
raise raise
@ -152,15 +170,15 @@ def revoke_key(org, user):
oldcrl = NamedTemporaryFile(mode="wb", prefix="old-crl") oldcrl = NamedTemporaryFile(mode="wb", prefix="old-crl")
oldcrl.write(open(crl, "rb").read()) oldcrl.write(open(crl, "rb").read())
oldcrl.flush() oldcrl.flush()
cmd = [CERTTOOL_COMMAND, certtool_cmd(
"--generate-crl", "--generate-crl",
"--load-crl", oldcrl.name, "--load-crl", oldcrl.name,
"--load-ca-privkey", cakey, "--load-ca-privkey", cakey,
"--load-ca-certificate", cacert, "--load-ca-certificate", cacert,
"--load-certificate", pubcert, "--load-certificate", pubcert,
"--template", template, "--template", template,
"--outfile", crl] "--outfile", crl
subprocess.check_call(cmd, preexec_fn=lambda: os.umask(0077)) )
oldcrl.close() oldcrl.close()
rmtree(basedir) rmtree(basedir)
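Review bot: `certtool_cmd`'s docstring promises that certtool's output "will only be printed whenever there is an unsuccessful return code", but the function never prints it: on a non-zero exit `subprocess.check_output` raises `CalledProcessError`, and the callers in `generate_key`/`revoke_key` only `rmtree(basedir)` and re-raise, so the captured output sits unread in `e.output` and the user sees just "Command ... returned non-zero exit status N". That is a regression from the previous `check_call`, where certtool's diagnostics went straight to the terminal. Catch `CalledProcessError` inside the helper, write `e.output` to stderr, and re-raise so the existing cleanup paths are unchanged; `sys` is already imported for `label()`.
```python
def certtool_cmd(*args, **kwargs):
    # … unchanged: docstring …
    try:
        return subprocess.check_output(
            [CERTTOOL_COMMAND] + list(args),
            preexec_fn=lambda: os.umask(0077),
            stderr=subprocess.STDOUT,
            **kwargs
        )
    except subprocess.CalledProcessError as e:
        # Surface the suppressed diagnostics only when certtool actually failed.
        sys.stderr.write("GNUTLS certtool invocation failed with output:\n")
        sys.stderr.write(e.output)
        raise
```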