unfinished hacking... still requires integration with the hook script

JedMeister · Oct 27, 2019 · 87988b2 · 87988b2
1 parent 0e8cb45
commit 87988b2
Show file tree

Hide file tree

Showing 3 changed files with 224 additions and 14 deletions.
diff --git a/plugins.d/Lets_Encrypt/add-water-ctl b/plugins.d/Lets_Encrypt/add-water-ctl
@@ -0,0 +1,180 @@
+#!/bin/bash -e
+
+# Copyright (c) 2019 TurnKey GNU/Linux - https://www.turnkeylinux.org
+#
+# add-water-ctl - Script to control add-water HTTP Let's Encrypt challenge
+#                 server
+# 
+# This file is part of Confconsole.
+# 
+# Confconsole is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Affero General Public License as published by the
+# Free Software Foundation; either version 3 of the License, or (at your
+# option) any later version.
+
+[ "$DEBUG" = "y" ] && set -x
+
+
+ADD_WATER_BIN_DEFAULT="/usr/lib/confconsole/plugins.d/Lets_Encrypt/add-water"
+ADD_WATER_LOG_DEFAULT="/var/log/confconsole/letsencrypt.log"
+ADD_WATER_USR_DEFAULT="www-data"
+ADD_WATER_PID_DEFAULT="/var/run/add-water/pid"
+
+AW_BIN="${AW_BIN:-${ADD_WATER_BIN_DEFAULT}}"
+AW_LOG="${AW_LOG:-${ADD_WATER_LOG_DEFAULT}}"
+AW_USR="${AW_USR:-${ADD_WATER_USR_DEFAULT}}"
+AW_PID="${AW_PID:-${ADD_WATER_PID_DEFAULT}}"
+
+CTL_LOG="${CTL_LOG:-${AW_LOG}}"
+
+mkdir -p "$(dirname $AW_PID)" "$(dirname $AW_LOG)" "$(dirname $CTL_LOG)"
+touch $AW_LOG
+chown -R $AW_USR "$(dirname $AW_PID)" "$(dirname $AW_LOG)" 
+
+AUTHBIND80=/etc/authbind/byport/80
+[ -f "$AUTHBIND80" ] || touch "$AUTHBIND80"
+AUTHBIND_USR=$(stat --format '%U' $AUTHBIND80)
+EXIT_CODE=0
+
+usage() {
+echo "$@"
+cat<<EOF
+Syntax: $APP start TOKEN_PATH | stop [-d PIDFILE ] [-l LOGFILE]
+
+Wrapper script for add-water challenge server for dehydrated on TurnKey Linux.
+
+Provides a clean interface to start/stop add-water.
+
+This file is part of confconsole.
+
+Environment variables:
+
+    DEBUG=y $APP will be very verbose (set -x)
+
+    AW_BIN  Path to add-water binary
+            default: $ADD_WATER_BIN_DEFAULT
+
+    AW_LOG  Path to add-water log file
+            default: $ADD_WATER_LOG_DEFAULT
+
+    AW_USR  User account to use when running add-water
+            default: $ADD_WATER_USR_DEFAULT 
+    
+    AW_PID  Path to add-water PID file
+            default: $ADD_WATER_PID_DEFAULT
+
+Arguments:
+
+    start TOKEN_PATH
+
+        - Start add-water server (daemon), serving TOKEN_PATH.
+          If already running, will stop first, then start.
+
+    stop
+    
+        - Stop add-water server.
+
+Options:
+    
+    -d PIDFILE |--daemonize PIDFILE
+
+        - daemonize add-water, storing pid value in PIDFILE
+        - default behaviour is equiavlent to:
+
+                -d \$AW_PID
+
+    -l LOGFILE | --logfile LOGFILE
+
+        - log file to write to
+        - default behviour is equivalent to:
+
+                -l \$AW_LOG
+
+EOF
+exit 1
+}
+
+fatal() {
+    echo "[$(date "+%Y-%m-%d %H:%M:%S")] $APP: FATAL: $@" >&2 > >(tee -a $CTL_LOG >&2)
+}
+
+warning() {
+    echo "[$(date "+%Y-%m-%d %H:%M:%S")] $APP: WARNING: $@" | tee -a $CTL_LOG
+}
+
+check_80() {
+    # returns 'PID/process_name' of what is running on port 80
+    netstat -ltpn | grep ":80 " | head -1 | tr -s '[[:space:]]' '\n' \
+        | tail -1
+}
+
+check_80_pid() {
+    # returns PID of what is running on port 80
+    check_80 | cut -d/ -f1
+}
+
+check_80_actual_proc() {
+    # In the case of add-water; check_80_proc returns 'python'; this returns
+    # the full path of the process associated with PID running on port 80.
+    # E.g. in the case of add-water; returns 'add-water'
+    ps -p $(check_80_pid) -o comm=
+}
+
+status() {
+    # returns one of:
+    #   'running'   - add-water running
+    #   'blocked'   - add-water not running; port 80 in use
+    #   'available' - add-water not ruuning; port 80 free
+    #
+    # even though we have a pid file we're not using it as a race condition 
+    # has been causing the pidfile to mismatch the pid, so we'll just use
+    # the info we can get from port 80
+
+    if [ "$(check_80_actual_proc)" = 'add-water' ]; then
+        echo "running"
+    elif [ "$(check_80)" != "" ]; then
+        echo "blocked"
+    else
+        echo "available"
+    fi
+}
+
+start() {
+    path_to_serve=$1
+    [ "$(status)" = 'running' ] && stop
+    $AW_BIN -d $pidfile -l $logfile $path_to_serve
+}
+
+stop() {
+    if [ "$(status)" = 'running' ]; then
+        sleep 1
+        kill -9 $(check_80_pid)
+        rm -f $pidfile
+    elif [ "$status" = 'blocked' ]; then
+        warning "add-water not running and port 80 in use"
+    fi
+    # just pass if port 80 is free
+}
+
+[ "$EUID" = "0" ] || fatal "$APP must be run as root"
+[ -x "$AW_BIN" ] || fatal "add-water binary not found: $AW_BIN"
+
+unset command pidfile logfile
+while [[ $# -gt 0 ]]; do
+    case $1 in
+        start)          command="start $2"; shift;;
+        stop)           command="stop";;
+		status)		    command="status";;
+        -d|--damonize)  pidfile=$2; shift;;
+        -l|--logfile)   logfile=$2; shift;;
+        -l|--help)      usage;;
+        *)              usage "FATAL: unsupported or unknown argument: '$1'";;
+    esac
+    shift
+done
+[ -n "$command" ] || usage "$APP $@"
+[ -n "$pidfile" ] || pidfile="$AW_PID"
+[ -n "$logfile" ] || logfile="$AW_LOG"
+export pidfile logfile
+$command
+
diff --git a/plugins.d/Lets_Encrypt/dehydrated-wrapper b/plugins.d/Lets_Encrypt/dehydrated-wrapper
@@ -30,7 +30,8 @@ AUTHBIND80=/etc/authbind/byport/80
 AUTHBIND_USR=$(stat --format '%U' $AUTHBIND80)
 EXIT_CODE=0
 
-LE_TOS_URL=https://acme-v01.api.letsencrypt.org/directory
+API="v02"
+LE_TOS_URL=https://acme-${API}.api.letsencrypt.org/directory
 
 SH_CONFIG=$SHARE/dehydrated-confconsole.config
 SH_HOOK=$SHARE/dehydrated-confconsole.hook.sh
@@ -43,7 +44,7 @@ cp $TKL_CERTFILE $TKL_CERTFILE.bak
 cp $TKL_KEYFILE $TKL_KEYFILE.bak
 
 BASE_BIN_PATH="/usr/lib/confconsole/plugins.d/Lets_Encrypt"
-export HTTP="add-water"
+export HTTP="add-water-ctl"
 export HTTP_USR="www-data"
 export HTTP_BIN="$BASE_BIN_PATH/$HTTP"
 export HTTP_PID=/var/run/$HTTP/pid
@@ -112,8 +113,26 @@ copy_if_not_found() {
 }
 
 check_80() {
-    netstat -ltpn | grep ":80 " | head -1 | cut -d/ -f2 \
-        | sed -e 's|[[:space:]].*$||; s|[^a-zA-Z0-9]||g'
+    # returns 'PID/process_name' of what is running on port 80
+    netstat -ltpn | grep ":80 " | head -1 | tr -s '[[:space:]]' '\n' \
+        | tail -1
+}
+
+check_80_proc() {
+    # returns process_name of what is running on port 80
+    check_80 | cut -d/ -f2
+}
+
+check_80_pid() {
+    # returns PID of what is running on port 80
+    check_80 | cut -d/ -f1
+}
+
+check_80_actual_proc() {
+    # In the case of add-water; check_80_proc returns 'python'; this returns
+    # the full path of the process associated with PID running on port 80.
+    # E.g. in the case of add-water; returns 'add-water'
+    ps -p $(check_80_pid) -o comm=
 }
 
 stop_server() {
@@ -139,11 +158,14 @@ clean_finish() {
     # warning: do NOT use 'fatal' in this func as it will cause an inescapable recursive loop
     # You have been warned...
     EXIT_CODE=$1
-    if [ "$(check_80)" = "python" ]; then
-        warning "Python is still listening on port 80"
-        info "attempting to kill add-water server"
-        [ -f "$HTTP_PID" ] && kill -9 $(cat $HTTP_PID)
-        rm -f $HTTP_PID
+    if [ "$(check_80_proc)" = "python" ]; then
+        if [ "$WEBSERVER" = "add-water" ]; then
+            warning "add-water is still listening on port 80"
+            info "killing add-water..."
+            $HTTP_BIN stop
+        else
+            warning "Unknown python process on port 80"
+        fi
     fi
     [ "$AUTHBIND_USR" = "$HTTP_USR" ] || chown $AUTHBIND_USR $AUTHBIND80
     if [ $EXIT_CODE -ne 0 ]; then
@@ -154,7 +176,9 @@ clean_finish() {
         info "Cleaning backup cert & key"
         rm -f $TKL_CERTFILE.bak $TKL_KEYFILE.bak
     fi
-    restart_servers $WEBSERVER stunnel4
+    if [ "$WEBSERVER" != "add-water" ]; then
+        restart_servers $WEBSERVER stunnel4
+    fi
     if [ $EXIT_CODE -ne 0 ]; then
         warning "Check today's previous log entries for details of error."
     else
@@ -218,7 +242,7 @@ copy_if_not_found "$CRON" "$SH_CRON"
 
 ### main script ###
 
-WEBSERVER="$(check_80)"
+WEBSERVER="$(check_80_proc)"
 if [ -n "$WEBSERVER" ]; then
     info "found $WEBSERVER listening on port 80"
     case $WEBSERVER in
@@ -236,8 +260,14 @@ if [ -n "$WEBSERVER" ]; then
             fi;
             stop_server $WEBSERVER;;
         python )
-            unset WEBSERVER;
-            fatal "An unknown Python app is listening on port 80";;
+            if [ "$(check_80_actual_proc)" = "add-water" ]; then
+                warning "add-water is running on port 80; which is unexpected";
+                warning "Continuing anyway";
+                WEBSERVER=add-water;
+            else
+                unset WEBSERVER;
+                fatal "An unknown Python app is listening on port 80";
+            fi;;
         * )
             unknown="$WEBSERVER";
             unset WEBSERVER;

diff --git a/share/letsencrypt/dehydrated-confconsole.hook.sh b/share/letsencrypt/dehydrated-confconsole.hook.sh
@@ -31,7 +31,7 @@ function clean_challenge {
 
     hook_log info "Stopping $HTTP daemon"
     kill -9 $(cat $HTTP_PID)
-    rm $HTTP_PID
+    #rm $HTTP_PID
 }
 
 function deploy_cert {