Do not parse disabled configuration files from under sites-available on Debian / Ubuntu

[joohoi]

This changes the apache plugin behaviour to only parse enabled configuration files, while still writing new files to sites-available, and respecting the --apache-vhost-root CLI parameter for new SSL vhost creation. If --apache-vhost-root isn't defined, or doesn't exist, the SSL vhost will be created to originating non-SSL vhost directory.

This PR also implements actual check for vhost enabled state, and makes sure parser.parse_file() does not discard changes in Augeas DOM, by doing an autosave.

Also handles enabling the new SSL vhost, if it's on a path that's not parsed by Apache.

Fixes: #1328
Fixes: #3545
Fixes: #3791
Fixes: #4523
Fixes: #4837
Fixes: #4905

[bmw]

I ran Apache test farm tests on this (with the change from #4126 merged in) and everything passed. If no one beats me to it, I'm going to try and review this first thing tomorrow morning.

[bmw]

LGTM, but I have a couple questions to check my understanding and to make sure we can't simplify things a bit.

[bmw]

Question: Why doesn't vhost.enabled work anymore? Calling is_site_enabled doesn't seem like it'll cause incorrect behavior, but I'm not sure it's necessary.

[bmw]

Should we be calling parse_file() here at all anymore? If I understand correctly, Augeas already automatically parses any files included in an Apache configuration. With this in mind, why do we need to parse anything here manually?

If we need this call for some reason, is the logic here correct? Assuming constants.py doesn't change, we now don't parse the vhost directory if it ends in *sites-available or we're on Debian?

[bmw]

Another thing I forgot to take a look at during my review is whether calling parse_file() causes us to lose any changes due to hercules-team/python-augeas#15. parse_file() conditionally calls match meaning that any unsaved changes in Augeas may be lost. Did you look to see if this is a potential problem here?

If it's OK with you, I'd like to leave this out of 0.11.0 and merge it for 0.12.0. I'm not sure there's any problems here, but I have some questions and want to make sure this behaves as we expect.

EDIT: I wanted to add that not getting this out on time is my own fault for not getting a chance to review this sooner.

[joohoi]

is_site_enabled method has been removed, as well as the parse_file call for constants.vhost_root. Would love a new test farm run.

[bmw]

All test farm tests pass 😄

In addition to my inline review comments, I'm curious if you took a look at the potential problems with the new calls to parse_file() that I mentioned here. I do not know there is a problem here, but this issue has bit us before and I think it has the potential to do so again if we're not careful.

[bmw]

Is this the right logic? I think it works in the conventional case, but what if someone has a file in sites-enabled rather than a symlink?

[joohoi]

This is always newly generated vhost, and this is the only situation a vhost can actually be in disabled state in the current vhost object lifecycle (we "handle-sites" only for debian based distros).

However maybe we should instead do the handling logic in vhost object init and populate this value instead. Currently, vhosts are always created with enabled = True.

[bmw]

Yeah I agree this is the only case the vhost can be in an enabled state, but I think it's possible it's already enabled. While it's maybe a bit of a silly example, I was able to get this PR to fail because it tries to enable an already enabled vhost. Starting with the default Apache2 config on Ubuntu 16.04, the changes I made were:

sudo a2dissite 000-default.conf
sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-enabled
sudo rm /etc/apache2/sites-available/*
sudo a2enmod ssl

In the end, your only vhost is a real file in sites-enabled which when we run Certbot it creates a vhost in sites-enabled which is marked as not enabled.

[bmw]

nit: missing closing parenthesis

[bmw]

When we talked about this on the call I think we expressed some concerns about whether or not we can safely do this. In the conventional case, this works fine but what about people who have been manually setting --apache-vhost-root? These people may not exist, but this might break things for them correct?

[joohoi]

You are right, I brought it back with a condition that we're running a distro with no "handle-sites" (anything but Debian / Ubuntu basically), or have defined a path other than the one in constants. Effectively letting users define the value, but ignoring sites-available.

[bmw]

I have a number of comments and questions inline, but this looks like great progress. I'm very happy that you've already managed to fix #4905!

[bmw]

We don't need to set self.vhostroot, but I think we still want to use the absolute path of vhostroot. If I take the default configuration on Ubuntu 16.04, disable all vhosts, and set --apache-vhost-root to a relative path to sites-available, Certbot fails unless we use the absolute path in the call to parse_file.

[joohoi]

You are right, absolute path will be used.

[bmw]

I think we still need this code here to support multiple vhosts per file. As an example, take the default Ubuntu 16.04 config and modify /etc/apache2/sites-available/000-default.conf to be:

<VirtualHost *:80>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	ServerName example.org

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html/org

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf
</VirtualHost>

<VirtualHost *:80>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	ServerName example.net

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html/net

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

While we don't error, we don't modify the configuration correctly and the return value here only contains one vhost. This works properly in master.

While not the fault of this PR, it's slightly terrifying that all our tests pass...

[bmw]

If a user sets --apache-vhost-root, we may still want code like this. For example, if the user sets --apache-vhost-root to /etc/apache2/sites-available on Debian, whether the filep for a vhost points to sites-available or sites-enabled is undefined. This is because self.parser.parser_paths is a dict whose ordering is undefined when we turn it into a list and for each realpath, we take the first vhost we find.

Do we have a preference which vhost we use? We probably should just for consistency's sake. If we don't add this code back, we probably want something similar below for internal vhost paths to prevent a symlinked vhost from being added twice in this scenario.

[joohoi]

You are right, the removal has been undone.

[bmw]

nit: This should be :rtype: str, otherwise, the built documentation points to https://docs.python.org/2/library/string.html

[joohoi]

Fixed

[bmw]

nit: It's probably better to use os.path.join here than hard coding the forward slash.

[joohoi]

Fixed

[bmw]

Is this code supposed to be uncommented? If not, perhaps these comments should be deleted.

[joohoi]

Yeah, removed the lines altogether

[bmw]

I think we may want to add the include whether or not handle-sites is True. If we don't, we're going to raise an exception down below.

[joohoi]

If handle-sites is true, we're handling the include using distribution specific manner (eg, enabling the site) in deploy_cert method instead.

[bmw]

I was wrong about raising an exception in my original message, but a couple things after thinking about this and playing with it more:

1. If handle-sites is False, why are we automatically enabling the site?
2. When playing with this code, I was able to reliably reproduce the bug I was worried about here. I did this by using the Fedora 26 Docker image and installing Certbot with our developer instructions and checking out this branch. After that, I made a simple vhost at an arbitrary location and created a symlink to it from /etc/httpd/conf.d. When this is done and you run Certbot, the if branch here is taken and an Include was meant to be added to httpd.conf. If I call self.save() before calling parse_file, this Include is written to the file, but if I call self.save() afterwards, it is not. This is a problem here and potentially anywhere else new we are calling match or parse_file.

cc @SwartzCr, you may be interested in point 2.

[bmw]

Why do we need this now when we didn't before? Why isn't the file included as default? At least in normal cases, we'll find it when we reload augeas in make_vhost_ssl. In the cases we won't, if you make my suggested change to always add an Include directive as necessary, we'll also handle this there.

[joohoi]

Before we parsed sites-available contents (added manually to augeas parse tree using value in constants.py). It's not included until the vhost is enabled by creating a symlink from sites-enabled. We need this temporarily to find the newly created vhost in the certificate configuration step.

[bmw]

Calls to parse_file causing changes to be lost should certainly be addressed, however, if it is, perhaps we should just call this unconditionally here, especially if the logic in make_vhost_ssl I commented on is changed. Rather than parsing the file in two locations depending on whether or not sites-enabled is set, does it hurt anything to always ensure Augeas has parsed the file?

[bmw]

Similar to my other comment, why do we need this change?

[joohoi]

We handle the actual include later in the process.

[bmw]

Similar to my other comment, if problems with parse_file (and specifically match) can be addressed, perhaps we should just do this unconditionally?

[bmw]

I never knew about strerror.

[bmw]

Turns out this is pretty complicated. I left a few comments inline.

I'm happy to keep reviewing this, however, if you think it'd be easier and not mess with your workflow too much, we could potentially land a PR that accomplishes this after your distro refactor. It may make things simpler and I don't think there's a need to rush this change out.

Totally up to you though. I'm happy either way.

[bmw]

I was wrong about raising an exception in my original message, but a couple things after thinking about this and playing with it more:

1. If handle-sites is False, why are we automatically enabling the site?
2. When playing with this code, I was able to reliably reproduce the bug I was worried about here. I did this by using the Fedora 26 Docker image and installing Certbot with our developer instructions and checking out this branch. After that, I made a simple vhost at an arbitrary location and created a symlink to it from /etc/httpd/conf.d. When this is done and you run Certbot, the if branch here is taken and an Include was meant to be added to httpd.conf. If I call self.save() before calling parse_file, this Include is written to the file, but if I call self.save() afterwards, it is not. This is a problem here and potentially anywhere else new we are calling match or parse_file.

cc @SwartzCr, you may be interested in point 2.

[bmw]

I think we may want to address it now. On Debian based systems, we're incorrectly marking vhosts as enabled which can cause problems later in execution.

For example, while it's not trivial to repro, starting with the default Apache config on Ubuntu 16.04, do the following:

sudo a2dissite 000-default.conf
sudo mkdir /etc/apache2/sites-available2
sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available2/
# Add a ServerName directive to /etc/apache2/sites-available2/000-default.conf that you can obtain a cert for
sudo certbot -d foo.science --apache --no-redirect --apache-vhost-root /etc/apache2/sites-available2/
# Add a ServerAlias directive to /etc/apache2/sites-available2/000-default.conf
sudo certbot -d foo.science --apache --redirect --apache-vhost-root /etc/apache2/sites-available2/

On this branch, this last command fails because it things the disabled vhost in /etc/apache2/sites-available2 would conflict with a redirect vhost. If you checkout master, this problem goes away.

[bmw]

Calls to parse_file causing changes to be lost should certainly be addressed, however, if it is, perhaps we should just call this unconditionally here, especially if the logic in make_vhost_ssl I commented on is changed. Rather than parsing the file in two locations depending on whether or not sites-enabled is set, does it hurt anything to always ensure Augeas has parsed the file?

[bmw]

Similar to my other comment, if problems with parse_file (and specifically match) can be addressed, perhaps we should just do this unconditionally?

[joohoi]

This PR contains a lot of things I'm building on, and it's a nice overall cleanup of the configurator, hence: Ready for yet another round of review :)

All your concerns were valid, and required actions so I cleaned up the AugeasConfigurator.save() method and implemented a check for unsaved changes and autosave functionality when doing destructive operations in Augeas DOM tree. I'm not very happy about the way that I had to implement it (passing the ApacheConfigurator instance reference to parser), but I toyed around with options at hand and this seemed like the only way to do this without duplicating too much code. This is result of how the augeas_configurator, configurator and parser relate to each other, it works and seems pretty robust whatsoever.

I also implemented an actual check for vhost enabled state in the way we discussed on the last call, so it should reflect the actual state now.

All the requested changes should have been made solving the issues in a generic way.

[bmw]

I'm planning to hold off on reviewing this until the problem causing test failures is fixed, but let me know if you'd like me to review it sooner.

[bmw]

Other than very minor stylistic comments about code structure, this LGTM. Nice work @joohoi. This PR fixes so much stuff!

[bmw]

Feel free to ignore this comment if you disagree, but I think these three methods make more sense in parser.py.

[joohoi]

I do agree. These are now moved to parser.py

[bmw]

One thing that worries me a bit is this is never updated if an Include directive is added later. What if we moved the add_include function into the parser and keep this value up to date?

[joohoi]

Nice catch! This functionality is now added to the PR

[joohoi]

Suggested improvements have been done, good suggestions regarding code health, thanks!

While adding new include paths to the parser.existing_paths-variable I stumbled upon a bug in site enabling functionality: when vhost.enabled was False in the later check if a enable_site should be run (for Debian / Ubuntu symlinking), the new dynamic check for if the vhost was enabled was correctly reporting True, hence symlink was not added. I moved the add_include call to enable_site function, so it gets run instead of the symlinking if needed.

[bmw]

Other than a very small suggested change, this LGTM!

[bmw]

We should probably set vhost.enabled to True after this to make sure the value stays up to date.

[joohoi]

Oh, of course. Thanks!

[bmw]

And the big moment...this LGTM! Thanks for spending so much time on this @joohoi.

Now I'm going to mark all of our Apache issues as closed in our milestone.