Manually merge PR171 for flexible and dynamic service key/certificate fingerprints in MiGserver.conf

git-svn-id: svn+ssh://svn.code.sf.net/p/migrid/code/trunk@6188 b75ad72c-e7d7-11dd-a971-7dbc132099af

Author: jonasbardino

mig/install/generateconfs.py

@@ -4,7 +4,7 @@
 # --- BEGIN_HEADER ---
 #
 # generateconfs - create custom MiG server configuration files
-# Copyright (C) 2003-2024  The MiG Project lead by Brian Vinter
+# Copyright (C) 2003-2025  The MiG Project
 #
 # This file is part of MiG.
 #
@@ -146,7 +146,10 @@ def main(argv, _generate_confs=generate_confs, _print=print):
         'ext_oidc_rewrite_cookie',
         'dhparams_path',
         'daemon_keycert',
+        'daemon_keycert_sha256',
         'daemon_pubkey',
+        'daemon_pubkey_md5',
+        'daemon_pubkey_sha256',
         'daemon_show_address',
         'alias_field',
         'peers_permit',

mig/install/migcheckssl-template.sh.cronjob

@@ -40,7 +40,9 @@ server_crt="${domain_cert_path}/server.crt"
 server_crt_ca_pem="${domain_cert_path}/server.crt.ca.pem"
 server_key_crt_ca_pem="${domain_cert_path}/server.key.crt.ca.pem"
 combined_pem="${domain_cert_path}/combined.pem"
+combined_pem_sha256="${combined_pem}.sha256"
 combined_pub="${domain_cert_path}/combined.pub"
+combined_pub_sha256="${combined_pub}.sha256"
 dhparams_pem="${cert_base}/dhparams.pem"
 # use git latest or release version of getssl
 getssl_version="release"
@@ -279,10 +281,32 @@ if [[ ${org_mtime} -ne ${new_mtime} && "${org_chksum}" != "${new_chksum}" ]]; th
         fi
     done
     if [ -n "${migrid_subservices}" ]; then
-        sha256_fingerprint=$(openssl x509 -noout -fingerprint -sha256 -in ${combined_pem})
-        sha256_fingerprint=${sha256_fingerprint/SHA256 Fingerprint=/}
-        echo "Please update ftps and davs sha256 fingerprint in MiGserver.conf to:"
-        echo "${sha256_fingerprint}"
+        pem_sha256_fp=$(openssl x509 -noout -fingerprint -sha256 -in ${combined_pem})
+        pem_sha256_fp=${pem_sha256_fp/* Fingerprint=/}
+        echo "Please manually update ftps/davs sha256 fingerprint in MiGserver.conf to:"
+        echo "${pem_sha256_fp}"
+        echo "or point those configuration values to the latest fingerprint file with:"
+        echo "FILE::${combined_pem_sha256}"
+        echo "optionally appending '\$\$CACHE_PATH' for memory caching in CACHE_PATH."
+        echo "${pem_sha256_fp}" > ${combined_pem_sha256}
+        pub_md5_fp=$(ssh-keygen -l -E md5 -f ${combined_pub})
+        pub_md5_fp=${pub_md5_fp/* MD5:/}
+        pub_md5_fp=${pub_md5_fp/ */}
+        echo "Please verify that sftp md5 fingerprint in MiGserver.conf is:"
+        echo "${pub_md5_fp}"
+        echo "or point that configuration value to the latest fingerprint file with:"
+        echo "FILE::${combined_pub_md5}"
+        echo "optionally appending '\$\$CACHE_PATH' for memory caching in CACHE_PATH."
+        echo "${pub_md5_fp}" > ${combined_pub_md5}
+        pub_sha256_fp=$(ssh-keygen -l -f ${combined_pub})
+        pub_sha256_fp=${pub_sha256_fp/* SHA256:/}
+        pub_sha256_fp=${pub_sha256_fp/ */}
+        echo "Please verify that sftp sha256 fingerprint in MiGserver.conf is:"
+        echo "${pub_sha256_fp}"
+        echo "or point that configuration value to the latest fingerprint file with:"
+        echo "FILE::${combined_pub_sha256}"
+        echo "optionally appending '\$\$CACHE_PATH' for memory caching in CACHE_PATH."
+        echo "${pub_sha256_fp}" > ${combined_pub_sha256}
     fi
 fi
 

mig/shared/configuration.py

@@ -4,7 +4,7 @@
 # --- BEGIN_HEADER ---
 #
 # configuration - configuration wrapper
-# Copyright (C) 2003-2024  The MiG Project lead by Brian Vinter
+# Copyright (C) 2003-2025  The MiG Project by the Science HPC Center at UCPH
 #
 # This file is part of MiG.
 #
@@ -1157,7 +1157,8 @@ def reload_config(self, verbose, skip_log=False, disable_auth_log=False,
             fingerprint = config.get('GLOBAL', 'user_sftp_key_md5')
             self.user_sftp_key_md5 = fingerprint
         if config.has_option('GLOBAL', 'user_sftp_key_sha256'):
-            fingerprint = config.get('GLOBAL', 'user_sftp_key_sha256')
+            fingerprint = expand_external_sources(
+                logger, config.get('GLOBAL', 'user_sftp_key_sha256'))
             self.user_sftp_key_sha256 = fingerprint
         if config.has_option('GLOBAL', 'user_sftp_key_from_dns'):
             self.user_sftp_key_from_dns = config.getboolean(
@@ -1251,7 +1252,8 @@ def reload_config(self, verbose, skip_log=False, disable_auth_log=False,
             self.user_davs_key = config.get('GLOBAL',
                                             'user_davs_key')
         if config.has_option('GLOBAL', 'user_davs_key_sha256'):
-            fingerprint = config.get('GLOBAL', 'user_davs_key_sha256')
+            fingerprint = expand_external_sources(
+                logger, config.get('GLOBAL', 'user_davs_key_sha256'))
             self.user_davs_key_sha256 = fingerprint
         if config.has_option('GLOBAL', 'user_davs_auth'):
             self.user_davs_auth = config.get('GLOBAL',
@@ -1297,7 +1299,8 @@ def reload_config(self, verbose, skip_log=False, disable_auth_log=False,
             self.user_ftps_key = config.get('GLOBAL',
                                             'user_ftps_key')
         if config.has_option('GLOBAL', 'user_ftps_key_sha256'):
-            fingerprint = config.get('GLOBAL', 'user_ftps_key_sha256')
+            fingerprint = expand_external_sources(
+                logger, config.get('GLOBAL', 'user_ftps_key_sha256'))
             self.user_ftps_key_sha256 = fingerprint
         if config.has_option('GLOBAL', 'user_ftps_auth'):
             self.user_ftps_auth = config.get('GLOBAL',

mig/shared/install.py

@@ -4,7 +4,7 @@
 # --- BEGIN_HEADER ---
 #
 # install - MiG server install helpers
-# Copyright (C) 2003-2024  The MiG Project lead by Brian Vinter
+# Copyright (C) 2003-2025  The MiG Project by the Science HPC Center at UCPH
 #
 # This file is part of MiG.
 #
@@ -416,7 +416,10 @@ def generate_confs(
     ext_oidc_rewrite_cookie='',
     dhparams_path='',
     daemon_keycert='',
+    daemon_keycert_sha256=keyword_auto,
     daemon_pubkey='',
+    daemon_pubkey_md5=keyword_auto,
+    daemon_pubkey_sha256=keyword_auto,
     daemon_pubkey_from_dns=False,
     daemon_show_address='',
     alias_field='',
@@ -734,7 +737,10 @@ def _generate_confs_prepare(
     ext_oidc_rewrite_cookie,
     dhparams_path,
     daemon_keycert,
+    daemon_keycert_sha256,
     daemon_pubkey,
+    daemon_pubkey_md5,
+    daemon_pubkey_sha256,
     daemon_pubkey_from_dns,
     daemon_show_address,
     alias_field,
@@ -1003,9 +1009,9 @@ def _generate_confs_prepare(
     user_dict['__DHPARAMS_PATH__'] = dhparams_path
     user_dict['__DAEMON_KEYCERT__'] = daemon_keycert
     user_dict['__DAEMON_PUBKEY__'] = daemon_pubkey
-    user_dict['__DAEMON_KEYCERT_SHA256__'] = ''
-    user_dict['__DAEMON_PUBKEY_MD5__'] = ''
-    user_dict['__DAEMON_PUBKEY_SHA256__'] = ''
+    user_dict['__DAEMON_KEYCERT_SHA256__'] = daemon_keycert_sha256
+    user_dict['__DAEMON_PUBKEY_MD5__'] = daemon_pubkey_md5
+    user_dict['__DAEMON_PUBKEY_SHA256__'] = daemon_pubkey_sha256
     user_dict['__DAEMON_PUBKEY_FROM_DNS__'] = "%s" % daemon_pubkey_from_dns
     user_dict['__SFTP_PORT__'] = "%s" % sftp_port
     user_dict['__SFTP_SUBSYS_PORT__'] = "%s" % sftp_subsys_port
@@ -1929,15 +1935,19 @@ def _generate_confs_prepare(
 openssl dhparam 2048 -out %(__DHPARAMS_PATH__)s""" % user_dict)
             sys.exit(1)
 
-    # Auto-fill fingerprints if daemon key is set
+    # Auto-fill fingerprints if daemon key is set with AUTO fingerprint
     if user_dict['__DAEMON_KEYCERT__']:
         if not os.path.isfile(os.path.expanduser("%(__DAEMON_KEYCERT__)s" %
                                                  user_dict)):
             print("ERROR: requested daemon keycert file not found!")
-            print("""You can create it with:
-openssl genrsa -out %(__DAEMON_KEYCERT__)s 2048""" % user_dict)
+            print("""You can create it e.g. with:
+openssl genrsa -out %(__DAEMON_KEYCERT__)s 4096""" % user_dict)
             sys.exit(1)
+    else:
+        user_dict['__DAEMON_KEYCERT_SHA256__'] = ''
 
+    if user_dict['__DAEMON_KEYCERT__'] and keyword_auto in \
+            (daemon_keycert_sha256, ):
         key_path = os.path.expanduser(user_dict['__DAEMON_KEYCERT__'])
         openssl_cmd = ["openssl", "x509", "-noout", "-fingerprint", "-sha256",
                        "-in", key_path]
@@ -1953,15 +1963,21 @@ def _generate_confs_prepare(
             print("ERROR: failed to extract sha256 fingerprint of %s: %s" %
                   (key_path, exc))
             daemon_keycert_sha256 = ''
-        user_dict['__DAEMON_KEYCERT_SHA256__'] = daemon_keycert_sha256
+        if daemon_keycert_sha256 == keyword_auto:
+            user_dict['__DAEMON_KEYCERT_SHA256__'] = daemon_keycert_sha256
     if user_dict['__DAEMON_PUBKEY__']:
         if not os.path.isfile(os.path.expanduser("%(__DAEMON_PUBKEY__)s" %
                                                  user_dict)):
             print("ERROR: requested daemon pubkey file not found!")
             print("""You can create it with:
 ssh-keygen -f %(__DAEMON_KEYCERT__)s -y > %(__DAEMON_PUBKEY__)s""" % user_dict)
             sys.exit(1)
+    else:
+        user_dict['__DAEMON_PUBKEY_MD5__'] = ''
+        user_dict['__DAEMON_PUBKEY_SHA256__'] = ''
 
+    if user_dict['__DAEMON_PUBKEY__'] and keyword_auto in \
+            (daemon_pubkey_md5, daemon_pubkey_sha256):
         pubkey_path = os.path.expanduser(user_dict['__DAEMON_PUBKEY__'])
         pubkey = read_file(pubkey_path, None)
         if pubkey is None:
@@ -1981,9 +1997,12 @@ def _generate_confs_prepare(
         except Exception as exc:
             print("ERROR: failed to extract fingerprints of %s : %s" %
                   (pubkey_path, exc))
+            daemon_pubkey_md5 = ''
             daemon_pubkey_sha256 = ''
-        user_dict['__DAEMON_PUBKEY_MD5__'] = daemon_pubkey_md5
-        user_dict['__DAEMON_PUBKEY_SHA256__'] = daemon_pubkey_sha256
+        if daemon_pubkey_md5 == keyword_auto:
+            user_dict['__DAEMON_PUBKEY_MD5__'] = daemon_pubkey_md5
+        if daemon_pubkey_sha256 == keyword_auto:
+            user_dict['__DAEMON_PUBKEY_SHA256__'] = daemon_pubkey_sha256
 
     # Enable Debian/Ubuntu specific lines only there
     if user_dict['__DISTRO__'].lower() in ('ubuntu', 'debian'):

tests/fixture/confs-stdlocal/migcheckssl

@@ -40,7 +40,9 @@ server_crt="${domain_cert_path}/server.crt"
 server_crt_ca_pem="${domain_cert_path}/server.crt.ca.pem"
 server_key_crt_ca_pem="${domain_cert_path}/server.key.crt.ca.pem"
 combined_pem="${domain_cert_path}/combined.pem"
+combined_pem_sha256="${combined_pem}.sha256"
 combined_pub="${domain_cert_path}/combined.pub"
+combined_pub_sha256="${combined_pub}.sha256"
 dhparams_pem="${cert_base}/dhparams.pem"
 # use git latest or release version of getssl
 getssl_version="release"
@@ -279,10 +281,32 @@ if [[ ${org_mtime} -ne ${new_mtime} && "${org_chksum}" != "${new_chksum}" ]]; th
         fi
     done
     if [ -n "${migrid_subservices}" ]; then
-        sha256_fingerprint=$(openssl x509 -noout -fingerprint -sha256 -in ${combined_pem})
-        sha256_fingerprint=${sha256_fingerprint/SHA256 Fingerprint=/}
-        echo "Please update ftps and davs sha256 fingerprint in MiGserver.conf to:"
-        echo "${sha256_fingerprint}"
+        pem_sha256_fp=$(openssl x509 -noout -fingerprint -sha256 -in ${combined_pem})
+        pem_sha256_fp=${pem_sha256_fp/* Fingerprint=/}
+        echo "Please manually update ftps/davs sha256 fingerprint in MiGserver.conf to:"
+        echo "${pem_sha256_fp}"
+        echo "or point those configuration values to the latest fingerprint file with:"
+        echo "FILE::${combined_pem_sha256}"
+        echo "optionally appending '\$\$CACHE_PATH' for memory caching in CACHE_PATH."
+        echo "${pem_sha256_fp}" > ${combined_pem_sha256}
+        pub_md5_fp=$(ssh-keygen -l -E md5 -f ${combined_pub})
+        pub_md5_fp=${pub_md5_fp/* MD5:/}
+        pub_md5_fp=${pub_md5_fp/ */}
+        echo "Please verify that sftp md5 fingerprint in MiGserver.conf is:"
+        echo "${pub_md5_fp}"
+        echo "or point that configuration value to the latest fingerprint file with:"
+        echo "FILE::${combined_pub_md5}"
+        echo "optionally appending '\$\$CACHE_PATH' for memory caching in CACHE_PATH."
+        echo "${pub_md5_fp}" > ${combined_pub_md5}
+        pub_sha256_fp=$(ssh-keygen -l -f ${combined_pub})
+        pub_sha256_fp=${pub_sha256_fp/* SHA256:/}
+        pub_sha256_fp=${pub_sha256_fp/ */}
+        echo "Please verify that sftp sha256 fingerprint in MiGserver.conf is:"
+        echo "${pub_sha256_fp}"
+        echo "or point that configuration value to the latest fingerprint file with:"
+        echo "FILE::${combined_pub_sha256}"
+        echo "optionally appending '\$\$CACHE_PATH' for memory caching in CACHE_PATH."
+        echo "${pub_sha256_fp}" > ${combined_pub_sha256}
     fi
 fi