Skip to content

GitLab

A
acme-dns-tiny
Commit 436d055b authored by Adrien Dorsaz's avatar Adrien Dorsaz
Browse files
Options

apply pep8 hints and use brackets to split long lines

parent 8d346a56
Hide whitespace changes
Inline Side-by-side
Showing with 80 additions and 54 deletions
acme_dns_tiny.py
View file @ 436d055b
#!/usr/bin/env python3
#pylint: disable=multiple-imports
# pylint: disable=multiple-imports
"""ACME client to met DNS challenge and receive TLS certificate"""
import argparse, base64, binascii, configparser, copy, hashlib, json, logging
import re, sys, subprocess, time
......@@ -8,10 +8,12 @@ import requests, dns.resolver, dns.tsigkeyring, dns.update
LOGGER = logging.getLogger('acme_dns_tiny')
LOGGER.addHandler(logging.StreamHandler())
def _base64(text):
""""Encodes string as base64 as specified in the ACME RFC."""
"""Encodes string as base64 as specified in the ACME RFC."""
return base64.urlsafe_b64encode(text).decode("utf8").rstrip("=")
def _openssl(command, options, communicate=None):
"""Run openssl command line and raise IOError on non-zero return."""
openssl = subprocess.Popen(["openssl", command] + options,
......@@ -22,9 +24,10 @@ def _openssl(command, options, communicate=None):
raise IOError("OpenSSL Error: {0}".format(err))
return out
#pylint: disable=too-many-locals,too-many-branches,too-many-statements
# pylint: disable=too-many-locals,too-many-branches,too-many-statements
def get_crt(config, log=LOGGER):
"""Get ACME certificate by resolving DNS challenge"""
"""Get ACME certificate by resolving DNS challenge."""
def _update_dns(rrset, action):
"""Updates DNS resource by adding or deleting resource."""
......@@ -43,7 +46,7 @@ def get_crt(config, log=LOGGER):
def _send_signed_request(url, payload, extra_headers=None):
"""Sends signed requests to ACME server."""
nonlocal nonce
if payload == "": # on POST-as-GET, final payload has to be just empty string
if payload == "": # on POST-as-GET, final payload has to be just empty string
payload64 = ""
else:
payload64 = _base64(json.dumps(payload).encode("utf8"))
......@@ -93,7 +96,7 @@ def get_crt(config, log=LOGGER):
for san in subject_alt_names.group(1).split(", "):
if san.startswith("DNS:"):
domains.add(san[4:])
if len(domains) == 0: #pylint: disable=len-as-condition
if len(domains) == 0: # pylint: disable=len-as-condition
raise ValueError("Didn't find any domain to validate in the provided CSR.")
log.info("Configure DNS client tools.")
......@@ -109,8 +112,8 @@ def get_crt(config, log=LOGGER):
nameserver = nameserver + [ipv6_rrset.to_text() for ipv6_rrset
in dns.resolver.query(config["DNS"]["Host"], rdtype="AAAA")]
except dns.exception.DNSException:
log.info("A and/or AAAA DNS resources not found for configured dns host: we will use either\
resource found if one exists or directly the DNS Host configuration.")
log.info(("A and/or AAAA DNS resources not found for configured dns host: we will use "
"either resource found if one exists or directly the DNS Host configuration."))
if not nameserver:
nameserver = [config["DNS"]["Host"]]
resolver.nameservers = nameserver
......@@ -143,8 +146,8 @@ def get_crt(config, log=LOGGER):
account_request = {}
if terms_service:
account_request["termsOfServiceAgreed"] = True
log.warning("Terms of service exist and will be automatically agreed if possible, \
you should read them: %s", terms_service)
log.warning(("Terms of service exist and will be automatically agreed if possible, "
"you should read them: %s"), terms_service)
account_request["contact"] = config["acmednstiny"].get("Contacts", "").split(';')
if account_request["contact"] == [""]:
del account_request["contact"]
......@@ -184,8 +187,8 @@ def get_crt(config, log=LOGGER):
.format(order))
elif (http_response.status_code == 403
and order["type"] == "urn:ietf:params:acme:error:userActionRequired"):
raise ValueError("Order creation failed ({0}). Read Terms of Service ({1}), \
then follow your CA instructions: {2}"
raise ValueError(("Order creation failed ({0}). Read Terms of Service ({1}), then follow "
"your CA instructions: {2}")
.format(order["detail"], http_response.headers['Link'], order["instance"]))
else:
raise ValueError("Error getting new Order: {0} {1}"
......@@ -211,15 +214,15 @@ def get_crt(config, log=LOGGER):
keyauthorization = "{0}.{1}".format(token, jwk_thumbprint)
keydigest64 = _base64(hashlib.sha256(keyauthorization.encode("utf8")).digest())
dnsrr_domain = "_acme-challenge.{0}.".format(domain)
try: # a CNAME resource can be used for advanced TSIG configuration
# Note: the CNAME target has to be of "non-CNAME" type (recursion isn't managed)
try: # a CNAME resource can be used for advanced TSIG configuration
# Note: the CNAME target has to be of "non-CNAME" type (recursion isn't managed)
dnsrr_domain = [response.to_text() for response
in resolver.query(dnsrr_domain, rdtype="CNAME")][0]
log.info(" - A CNAME resource has been found for this domain, will install TXT on %s",
dnsrr_domain)
except dns.exception.DNSException as dnsexception:
log.debug(" - Not any CNAME resource has been found for this domain (%s), will install\
TXT directly on %s", dnsrr_domain, type(dnsexception).__name__)
log.debug((" - Not any CNAME resource has been found for this domain (%s), will "
"install TXT directly on %s"), dnsrr_domain, type(dnsexception).__name__)
dnsrr_set = dns.rrset.from_text(dnsrr_domain, config["DNS"].getint("TTL"),
"IN", "TXT", '"{0}"'.format(keydigest64))
try:
......@@ -235,8 +238,8 @@ def get_crt(config, log=LOGGER):
number_check_fail = 1
while challenge_verified is False:
try:
log.debug('Self test (try: %s): Check resource with value "%s" exits on\
nameservers: %s', number_check_fail, keydigest64, resolver.nameservers)
log.debug(('Self test (try: %s): Check resource with value "%s" exits on '
'nameservers: %s'), number_check_fail, keydigest64, resolver.nameservers)
for response in resolver.query(dnsrr_domain, rdtype="TXT").rrset:
log.debug(" - Found value %s", response.to_text())
challenge_verified = (challenge_verified
......@@ -312,6 +315,7 @@ def get_crt(config, log=LOGGER):
log.info("Certificate signed and chain received: %s", order["certificate"])
return http_response.text
def main(argv):
"""Parse arguments and get certificate."""
parser = argparse.ArgumentParser(
......@@ -353,5 +357,6 @@ from the configuration file.")
signed_crt = get_crt(config, LOGGER)
sys.stdout.write(signed_crt)
if __name__ == "__main__": # pragma: no cover
main(sys.argv[1:])
tests/config_factory.py
View file @ 436d055b
......@@ -18,6 +18,7 @@ TSIGKEYVALUE = os.getenv("GITLABCI_TSIGKEYVALUE")
TSIGALGORITHM = os.getenv("GITLABCI_TSIGALGORITHM")
CONTACT = os.getenv("GITLABCI_CONTACT")
def generate_config():
"""Generate basic acme-dns-tiny configuration"""
# Account key
......@@ -50,6 +51,7 @@ def generate_config():
return account_key.name, domain_key.name, domain_csr.name, parser
def generate_acme_dns_tiny_unit_test_config():
"""Genereate acme_dns_tiny configurations used for unit tests"""
# Configuration missing DNS section
......@@ -63,7 +65,8 @@ def generate_acme_dns_tiny_unit_test_config():
return {"missing_dns": missing_dns.name}
def generate_acme_dns_tiny_config(): #pylint: disable=too-many-locals,too-many-statements
def generate_acme_dns_tiny_config(): # pylint: disable=too-many-locals,too-many-statements
"""Generate acme_dns_tiny configuration with account and domain keys"""
# Simple configuration with good options
account_key, domain_key, _, config = generate_config()
......@@ -132,7 +135,6 @@ def generate_acme_dns_tiny_config(): #pylint: disable=too-many-locals,too-many-s
with open(good_san.name, 'w') as configfile:
config.write(configfile)
# Configuration with CSR containing a wildcard domain inside subjetcAltName
account_key, domain_key, domain_csr, config = generate_config()
......@@ -198,6 +200,7 @@ def generate_acme_dns_tiny_config(): #pylint: disable=too-many-locals,too-many-s
"cname_csr": cname_csr,
}
def generate_acme_account_rollover_config():
"""Generate config for acme_account_rollover script"""
# Old account key is directly created by the config generator
......@@ -219,6 +222,7 @@ def generate_acme_account_rollover_config():
"new_account_key": new_account_key.name
}
def generate_acme_account_deactivate_config():
"""Generate config for acme_account_deactivate script"""
# Account key is created by the by the config generator
......
tests/staging_test_acme_account_deactivate.py
View file @ 436d055b
......@@ -9,8 +9,9 @@ import tools.acme_account_deactivate
ACME_DIRECTORY = os.getenv("GITLABCI_ACMEDIRECTORY_V2",
"https://acme-staging-v02.api.letsencrypt.org/directory")
class TestACMEAccountDeactivate(unittest.TestCase):
"Tests for acme_account_deactivate"
"""Tests for acme_account_deactivate."""
@classmethod
def setUpClass(cls):
......@@ -25,7 +26,7 @@ class TestACMEAccountDeactivate(unittest.TestCase):
super(TestACMEAccountDeactivate, cls).setUpClass()
# To clean ACME staging server and close correctly temporary files
#pylint: disable=bare-except
# pylint: disable=bare-except
@classmethod
def tearDownClass(cls):
# Remove temporary files
......@@ -53,5 +54,6 @@ class TestACMEAccountDeactivate(unittest.TestCase):
self.assertIn("INFO:acme_account_deactivate:The account has been deactivated.",
accountdeactivatelog.output)
if __name__ == "__main__": # pragma: no cover
unittest.main()
tests/staging_test_acme_account_rollover.py
View file @ 436d055b
......@@ -10,8 +10,9 @@ import tools.acme_account_rollover
ACME_DIRECTORY = os.getenv("GITLABCI_ACMEDIRECTORY_V2",
"https://acme-staging-v02.api.letsencrypt.org/directory")
class TestACMEAccountRollover(unittest.TestCase):
"Tests for acme_account_rollover"
"""Tests for acme_account_rollover."""
@classmethod
def setUpClass(cls):
......@@ -20,7 +21,7 @@ class TestACMEAccountRollover(unittest.TestCase):
super(TestACMEAccountRollover, cls).setUpClass()
# To clean ACME staging server and close correctly temporary files
#pylint: disable=bare-except
# pylint: disable=bare-except
@classmethod
def tearDownClass(cls):
# Remove temporary files
......@@ -51,13 +52,13 @@ class TestACMEAccountRollover(unittest.TestCase):
super(TestACMEAccountRollover, cls).tearDownClass()
def test_success_account_rollover(self):
""" Test success account key rollover """
""" Test success account key rollover."""
with self.assertLogs(level='INFO') as accountrolloverlog:
tools.acme_account_rollover.main(["--current", self.configs['old_account_key'],
"--new", self.configs['new_account_key'],
"--acme-directory", ACME_DIRECTORY])
self.assertIn("INFO:acme_account_rollover:Keys rolled over.",
accountrolloverlog.output)
self.assertIn("INFO:acme_account_rollover:Keys rolled over.", accountrolloverlog.output)
if __name__ == "__main__": # pragma: no cover
unittest.main()
tests/staging_test_acme_dns_tiny.py
View file @ 436d055b
......@@ -13,8 +13,9 @@ from tools.acme_account_deactivate import account_deactivate
ACME_DIRECTORY = os.getenv("GITLABCI_ACMEDIRECTORY_V2",
"https://acme-staging-v02.api.letsencrypt.org/directory")
def _openssl(command, options, communicate=None):
"""Helper function to run openssl command"""
"""Helper function to run openssl command."""
openssl = subprocess.Popen(["openssl", command] + options,
stdin=subprocess.PIPE, stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
......@@ -23,8 +24,9 @@ def _openssl(command, options, communicate=None):
raise IOError("OpenSSL Error: {0}".format(err))
return out.decode("utf8")
class TestACMEDNSTiny(unittest.TestCase):
"Tests for acme_dns_tiny.get_crt()"
"""Tests for acme_dns_tiny.get_crt()."""
@classmethod
def setUpClass(cls):
......@@ -36,7 +38,7 @@ class TestACMEDNSTiny(unittest.TestCase):
super(TestACMEDNSTiny, cls).setUpClass()
# To clean ACME staging server and close correctly temporary files
#pylint: disable=bare-except
# pylint: disable=bare-except
@classmethod
def tearDownClass(cls):
# close temp files correctly
......@@ -77,7 +79,7 @@ class TestACMEDNSTiny(unittest.TestCase):
self.assertIn("Issuer", readablecertchain)
def test_success_cn(self):
""" Successfully issue a certificate via common name """
"""Successfully issue a certificate via common name."""
old_stdout = sys.stdout
sys.stdout = StringIO()
......@@ -90,7 +92,7 @@ class TestACMEDNSTiny(unittest.TestCase):
self._assert_certificate_chain(certchain)
def test_success_cn_without_contacts(self):
""" Successfully issue a certificate via CN, but without Contacts field """
"""Successfully issue a certificate via CN, but without Contacts field."""
old_stdout = sys.stdout
sys.stdout = StringIO()
......@@ -103,7 +105,7 @@ class TestACMEDNSTiny(unittest.TestCase):
self._assert_certificate_chain(certchain)
def test_success_cn_with_csr_option(self):
""" Successfully issue a certificate using CSR option outside from the config file"""
"""Successfully issue a certificate using CSR option outside from the config file."""
old_stdout = sys.stdout
sys.stdout = StringIO()
......@@ -117,7 +119,7 @@ class TestACMEDNSTiny(unittest.TestCase):
self._assert_certificate_chain(certchain)
def test_success_wild_cn(self):
""" Successfully issue a certificate via a wildcard common name """
"""Successfully issue a certificate via a wildcard common name."""
old_stdout = sys.stdout
sys.stdout = StringIO()
......@@ -130,16 +132,16 @@ class TestACMEDNSTiny(unittest.TestCase):
self._assert_certificate_chain(certchain)
def test_success_dnshost_ip(self):
""" When DNS Host is an IP, DNS resolution have to fail without error """
"""When DNS Host is an IP, DNS resolution have to fail without error."""
old_stdout = sys.stdout
sys.stdout = StringIO()
with self.assertLogs(level='INFO') as adnslog:
acme_dns_tiny.main([self.configs['dns_host_ip'],
"--verbose"])
self.assertIn("INFO:acme_dns_tiny:A and/or AAAA DNS resources not found for configured dns \
host: we will use either resource found if one exists or directly the DNS Host configuration.",
adnslog.output)
self.assertIn(("INFO:acme_dns_tiny:A and/or AAAA DNS resources not found for configured "
"dns host: we will use either resource found if one exists or directly the "
"DNS Host configuration."), adnslog.output)
certchain = sys.stdout.getvalue()
sys.stdout.close()
......@@ -148,7 +150,7 @@ host: we will use either resource found if one exists or directly the DNS Host c
self._assert_certificate_chain(certchain)
def test_success_san(self):
""" Successfully issue a certificate via subject alt name """
"""Successfully issue a certificate via subject alt name."""
old_stdout = sys.stdout
sys.stdout = StringIO()
......@@ -161,7 +163,7 @@ host: we will use either resource found if one exists or directly the DNS Host c
self._assert_certificate_chain(certchain)
def test_success_wildsan(self):
""" Successfully issue a certificate via wildcard in subject alt name """
"""Successfully issue a certificate via wildcard in subject alt name."""
old_stdout = sys.stdout
sys.stdout = StringIO()
......@@ -174,7 +176,7 @@ host: we will use either resource found if one exists or directly the DNS Host c
self._assert_certificate_chain(certchain)
def test_success_cli(self):
""" Successfully issue a certificate via command line interface """
"""Successfully issue a certificate via command line interface."""
certout, _ = subprocess.Popen([
"python3", "acme_dns_tiny.py", self.configs['good_cname'], "--verbose"
], stdout=subprocess.PIPE, stderr=subprocess.PIPE).communicate()
......@@ -184,7 +186,7 @@ host: we will use either resource found if one exists or directly the DNS Host c
self._assert_certificate_chain(certchain)
def test_success_cli_with_csr_option(self):
""" Successfully issue a certificate via command line interface using CSR option"""
"""Successfully issue a certificate via command line interface using CSR option."""
certout, _ = subprocess.Popen([
"python3", "acme_dns_tiny.py", "--csr", self.configs['cname_csr'],
self.configs['good_cname_without_csr'], "--verbose"
......@@ -195,22 +197,23 @@ host: we will use either resource found if one exists or directly the DNS Host c
self._assert_certificate_chain(certchain)
def test_weak_key(self):
""" Let's Encrypt rejects weak keys """
"""Let's Encrypt rejects weak keys."""
self.assertRaisesRegex(ValueError,
"key too small",
acme_dns_tiny.main, [self.configs['weak_key'], "--verbose"])
def test_account_key_domain(self):
""" Can't use the account key for the CSR """
"""Can't use the account key for the CSR."""
self.assertRaisesRegex(ValueError,
"certificate public key must be different than account key",
acme_dns_tiny.main, [self.configs['account_as_domain'], "--verbose"])
def test_failure_dns_update_tsigkeyname(self):
""" Fail to update DNS records by invalid TSIG Key name """
"""Fail to update DNS records by invalid TSIG Key name."""
self.assertRaisesRegex(ValueError,
"Error updating DNS",
acme_dns_tiny.main, [self.configs['invalid_tsig_name'], "--verbose"])
if __name__ == "__main__": # pragma: no cover
unittest.main()
tests/unit_test_acme_dns_tiny.py
View file @ 436d055b
......@@ -7,6 +7,7 @@ import dns.version
import acme_dns_tiny
from tests.config_factory import generate_acme_dns_tiny_unit_test_config
class TestACMEDNSTiny(unittest.TestCase):
"Tests for acme_dns_tiny.get_crt()"
......@@ -31,11 +32,11 @@ class TestACMEDNSTiny(unittest.TestCase):
os.remove(cls.configs[conffile])
super(TestACMEDNSTiny, cls).tearDownClass()
def test_failure_notcompleted_configuration(self):
""" Configuration file have to be completed """
self.assertRaisesRegex(ValueError, r"Some required settings are missing.",
acme_dns_tiny.main, [self.configs['missing_dns'], "--verbose"])
if __name__ == "__main__": # pragma: no cover
unittest.main()
tools/acme_account_deactivate.py
View file @ 436d055b
......@@ -14,10 +14,12 @@ import requests
LOGGER = logging.getLogger("acme_account_deactivate")
LOGGER.addHandler(logging.StreamHandler())
def _b64(text):
""""Encodes text as base64 as specified in ACME RFC """
"""Encodes text as base64 as specified in ACME RFC."""
return base64.urlsafe_b64encode(text).decode("utf8").rstrip("=")
def _openssl(command, options, communicate=None):
"""Run openssl command line and raise IOError on non-zero return."""
openssl = subprocess.Popen(["openssl", command] + options, stdin=subprocess.PIPE,
......@@ -27,13 +29,14 @@ def _openssl(command, options, communicate=None):
raise IOError("OpenSSL Error: {0}".format(err))
return out
def account_deactivate(accountkeypath, acme_directory, log=LOGGER):
"""Deactivate an ACME account"""
"""Deactivate an ACME account."""
def _send_signed_request(url, payload):
"""Sends signed requests to ACME server."""
nonlocal nonce
if payload == "": # on POST-as-GET, final payload has to be just empty string
if payload == "": # on POST-as-GET, final payload has to be just empty string
payload64 = ""
else:
payload64 = _b64(json.dumps(payload).encode("utf8"))
......@@ -109,8 +112,9 @@ def account_deactivate(accountkeypath, acme_directory, log=LOGGER):
raise ValueError("Error while deactivating the account key: {0} {1}"
.format(http_response.status_code, result))
def main(argv):
"""Parse arguments and deactivate account"""
"""Parse arguments and deactivate account."""
parser = argparse.ArgumentParser(
formatter_class=argparse.RawDescriptionHelpFormatter,
description="Tiny ACME script to deactivate an ACME account",
......@@ -138,5 +142,6 @@ https://acme-staging-v02.api.letsencrypt.org/directory"""
LOGGER.setLevel(args.quiet or logging.INFO)
account_deactivate(args.account_key, args.acme_directory, log=LOGGER)
if __name__ == "__main__": # pragma: no cover
main(sys.argv[1:])
tools/acme_account_rollover.py
View file @ 436d055b
#!/usr/bin/env python3
#pylint: disable=too-many-statements
# pylint: disable=too-many-statements
"""Tiny script to rollover two keys for an ACME account"""
import sys
import argparse
......@@ -15,10 +15,12 @@ import requests
LOGGER = logging.getLogger("acme_account_rollover")
LOGGER.addHandler(logging.StreamHandler())
def _b64(text):
""""Encodes text as base64 as specified in ACME RFC """
"""Encodes text as base64 as specified in ACME RFC."""
return base64.urlsafe_b64encode(text).decode("utf8").rstrip("=")
def _openssl(command, options, communicate=None):
"""Run openssl command line and raise IOError on non-zero return."""
openssl = subprocess.Popen(["openssl", command] + options, stdin=subprocess.PIPE,
......@@ -28,6 +30,7 @@ def _openssl(command, options, communicate=None):
raise IOError("OpenSSL Error: {0}".format(err))
return out
def account_rollover(old_accountkeypath, new_accountkeypath, acme_directory, log=LOGGER):
"""Rollover the old and new account key for an ACME account."""
def _get_private_acme_signature(accountkeypath):
......@@ -50,7 +53,7 @@ def account_rollover(old_accountkeypath, new_accountkeypath, acme_directory, log
def _sign_request(url, keypath, payload, is_inner=False):
"""Signs request with a specific right account key."""
nonlocal nonce
if payload == "": # on POST-as-GET, final payload has to be just empty string
if payload == "": # on POST-as-GET, final payload has to be just empty string
payload64 = ""
else:
payload64 = _b64(json.dumps(payload).encode("utf8"))
......@@ -136,8 +139,9 @@ def account_rollover(old_accountkeypath, new_accountkeypath, acme_directory, log
.format(http_response.status_code, result))
log.info("Keys rolled over.")
def main(argv):
"""Parse arguments and roll over the ACME account keys"""
"""Parse arguments and roll over the ACME account keys."""
parser = argparse.ArgumentParser(
formatter_class=argparse.RawDescriptionHelpFormatter,
description="Tiny ACME client to roll over an ACME account key with another one.",
......@@ -162,5 +166,6 @@ https://acme-staging-v02.api.letsencrypt.org/directory""")
LOGGER.setLevel(args.quiet or logging.INFO)
account_rollover(args.current, args.new, args.acme_directory, log=LOGGER)
if __name__ == "__main__": # pragma: no cover
main(sys.argv[1:])
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment