Add support for expansion of external sources for the sftp , davs and ftps

key/cert fingerprints in MiGserver.conf in order to get rid of tedious
recurring manual fingerprint updates when relying on LetsEncrypt certificates,
which come with frequent renewal.

Allows the user_PROTO_key_sha256 configuration variables to e.g. be set to
FILE::/path/to/fingerprint
in order to always read the current fingerprint from that file.
It also supports the usual
FILE::/path/to/fingerprint$$/path/to/fast/cache/fingerprint
for automatic caching in a fast memory-backed or similar cache location.

Adjust the migcheckssl cron job helper to inform about it and automatically
write the combined pem and pub sha256 fingerprints in the corresponding
'combined.pem.sha256' and 'combined.pub.sha256' files for complete automation
of the flow in that case.

The sftp key remains unchanged in that setup so one can keep that fingerprint
static in MiGserver.conf, or use that combined.pub.sha256 if changes are ever
expected. Such changes are typically rather inconvenient for clients as they
have to find and update their local known hosts file unless also delivered e.g.
on DNSSEC.

Updated unit test templates to fit migcheckssl changes.

Author: jonasbardino

mig/install/migcheckssl-template.sh.cronjob

@@ -40,7 +40,9 @@ server_crt="${domain_cert_path}/server.crt"
 server_crt_ca_pem="${domain_cert_path}/server.crt.ca.pem"
 server_key_crt_ca_pem="${domain_cert_path}/server.key.crt.ca.pem"
 combined_pem="${domain_cert_path}/combined.pem"
+combined_pem_sha256="${combined_pem}.sha256"
 combined_pub="${domain_cert_path}/combined.pub"
+combined_pub_sha256="${combined_pub}.sha256"
 dhparams_pem="${cert_base}/dhparams.pem"
 # use git latest or release version of getssl
 getssl_version="release"
@@ -279,10 +281,23 @@ if [[ ${org_mtime} -ne ${new_mtime} && "${org_chksum}" != "${new_chksum}" ]]; th
         fi
     done
     if [ -n "${migrid_subservices}" ]; then
-        sha256_fingerprint=$(openssl x509 -noout -fingerprint -sha256 -in ${combined_pem})
-        sha256_fingerprint=${sha256_fingerprint/SHA256 Fingerprint=/}
-        echo "Please update ftps and davs sha256 fingerprint in MiGserver.conf to:"
-        echo "${sha256_fingerprint}"
+        pem_sha256_fp=$(openssl x509 -noout -fingerprint -sha256 -in ${combined_pem})
+        pem_sha256_fp=${pem_sha256_fp/SHA256 Fingerprint=/}
+        echo "Please manually update ftps/davs sha256 fingerprint in MiGserver.conf to:"
+        echo "${pem_sha256_fp}"
+        echo "or point those configuration values to the latest fingerprint file with:"
+        echo "FILE::${combined_pem_sha256}"
+        echo "optionally appending '\$\$CACHE_PATH' for memory caching in CACHE_PATH."
+        echo "${pem_sha256_fp}" > ${combined_pem_sha256}
+        pub_sha256_fp=$(ssh-keygen -l -f ${combined_pub})
+        pub_sha256_fp=${pub_sha256_fp/* SHA256:/}
+        pub_sha256_fp=${pub_sha256_fp/ no comment */}
+        echo "Please verify that sftp sha256 fingerprint in MiGserver.conf is:"
+        echo "${pub_sha256_fp}"
+        echo "or point that configuration value to the latest fingerprint file with:"
+        echo "FILE::${combined_pub_sha256}"
+        echo "optionally appending '\$\$CACHE_PATH' for memory caching in CACHE_PATH."
+        echo "${pub_sha256_fp}" > ${combined_pub_sha256}
     fi
 fi
 

mig/shared/configuration.py

@@ -1134,7 +1134,8 @@ def reload_config(self, verbose, skip_log=False, disable_auth_log=False,
             fingerprint = config.get('GLOBAL', 'user_sftp_key_md5')
             self.user_sftp_key_md5 = fingerprint
         if config.has_option('GLOBAL', 'user_sftp_key_sha256'):
-            fingerprint = config.get('GLOBAL', 'user_sftp_key_sha256')
+            fingerprint = expand_external_sources(
+                logger, config.get('GLOBAL', 'user_sftp_key_sha256'))
             self.user_sftp_key_sha256 = fingerprint
         if config.has_option('GLOBAL', 'user_sftp_key_from_dns'):
             self.user_sftp_key_from_dns = config.getboolean(
@@ -1228,7 +1229,8 @@ def reload_config(self, verbose, skip_log=False, disable_auth_log=False,
             self.user_davs_key = config.get('GLOBAL',
                                             'user_davs_key')
         if config.has_option('GLOBAL', 'user_davs_key_sha256'):
-            fingerprint = config.get('GLOBAL', 'user_davs_key_sha256')
+            fingerprint = expand_external_sources(
+                logger, config.get('GLOBAL', 'user_davs_key_sha256'))
             self.user_davs_key_sha256 = fingerprint
         if config.has_option('GLOBAL', 'user_davs_auth'):
             self.user_davs_auth = config.get('GLOBAL',
@@ -1274,7 +1276,8 @@ def reload_config(self, verbose, skip_log=False, disable_auth_log=False,
             self.user_ftps_key = config.get('GLOBAL',
                                             'user_ftps_key')
         if config.has_option('GLOBAL', 'user_ftps_key_sha256'):
-            fingerprint = config.get('GLOBAL', 'user_ftps_key_sha256')
+            fingerprint = expand_external_sources(
+                logger, config.get('GLOBAL', 'user_ftps_key_sha256'))
             self.user_ftps_key_sha256 = fingerprint
         if config.has_option('GLOBAL', 'user_ftps_auth'):
             self.user_ftps_auth = config.get('GLOBAL',

tests/fixture/confs-stdlocal/migcheckssl

@@ -40,7 +40,9 @@ server_crt="${domain_cert_path}/server.crt"
 server_crt_ca_pem="${domain_cert_path}/server.crt.ca.pem"
 server_key_crt_ca_pem="${domain_cert_path}/server.key.crt.ca.pem"
 combined_pem="${domain_cert_path}/combined.pem"
+combined_pem_sha256="${combined_pem}.sha256"
 combined_pub="${domain_cert_path}/combined.pub"
+combined_pub_sha256="${combined_pub}.sha256"
 dhparams_pem="${cert_base}/dhparams.pem"
 # use git latest or release version of getssl
 getssl_version="release"
@@ -279,10 +281,23 @@ if [[ ${org_mtime} -ne ${new_mtime} && "${org_chksum}" != "${new_chksum}" ]]; th
         fi
     done
     if [ -n "${migrid_subservices}" ]; then
-        sha256_fingerprint=$(openssl x509 -noout -fingerprint -sha256 -in ${combined_pem})
-        sha256_fingerprint=${sha256_fingerprint/SHA256 Fingerprint=/}
-        echo "Please update ftps and davs sha256 fingerprint in MiGserver.conf to:"
-        echo "${sha256_fingerprint}"
+        pem_sha256_fp=$(openssl x509 -noout -fingerprint -sha256 -in ${combined_pem})
+        pem_sha256_fp=${pem_sha256_fp/SHA256 Fingerprint=/}
+        echo "Please manually update ftps/davs sha256 fingerprint in MiGserver.conf to:"
+        echo "${pem_sha256_fp}"
+        echo "or point those configuration values to the latest fingerprint file with:"
+        echo "FILE::${combined_pem_sha256}"
+        echo "optionally appending '\$\$CACHE_PATH' for memory caching in CACHE_PATH."
+        echo "${pem_sha256_fp}" > ${combined_pem_sha256}
+        pub_sha256_fp=$(ssh-keygen -l -f ${combined_pub})
+        pub_sha256_fp=${pub_sha256_fp/* SHA256:/}
+        pub_sha256_fp=${pub_sha256_fp/ no comment */}
+        echo "Please verify that sftp sha256 fingerprint in MiGserver.conf is:"
+        echo "${pub_sha256_fp}"
+        echo "or point that configuration value to the latest fingerprint file with:"
+        echo "FILE::${combined_pub_sha256}"
+        echo "optionally appending '\$\$CACHE_PATH' for memory caching in CACHE_PATH."
+        echo "${pub_sha256_fp}" > ${combined_pub_sha256}
     fi
 fi