From dcd1b07f1d6a300dd561d67d70bdbec3e6fa801a Mon Sep 17 00:00:00 2001 From: Thierry Parmentelat Date: Fri, 1 Nov 2013 15:46:44 +0100 Subject: [PATCH] run enforced client-authentication ssl on port 443 unfold-init-ssl.sh is a new script for setting up certs and the like (packaged, but not invoked yet) --- apache/myslice.conf | 34 ++++++++++++++++++++++++ apache/unfold-init-ssl.sh | 54 +++++++++++++++++++++++++++++++++++++++ debian/control | 2 +- myslice.spec | 2 ++ setup.py | 2 +- 5 files changed, 92 insertions(+), 2 deletions(-) create mode 100755 apache/unfold-init-ssl.sh diff --git a/apache/myslice.conf b/apache/myslice.conf index b7824520..b36a75ec 100644 --- a/apache/myslice.conf +++ b/apache/myslice.conf @@ -12,3 +12,37 @@ Allow from all + +# This port (not necessarily well picked) is configured +# with client-certificate required +# corresponding trusted roots (e.g. ple.gid and plc.gid) should be +# configured in /etc/unfold/trusted_roots +# check Jordan's email and pointer to trac, although we do not want +# this to be optional on that port + + + WSGIScriptAlias / /usr/share/unfold/myslice/wsgi.py + + + Order deny,allow + Allow from all + + + Alias /static/ /usr/share/unfold/static/ + + Order deny,allow + Allow from all + + + SSLEngine on + SSLVerifyClient require + SSLVerifyDepth 5 +# make this a symlink to /etc/sfa/trusted_roots if that makes sense in your env. + SSLCACertificatePath /etc/unfold/trusted_roots +# see init-ssl.sh for how to create self-signed stuff in here + SSLCertificateFile /etc/unfold/myslice.cert + SSLCertificateKeyFile /etc/unfold/myslice.key + +# SSLOptions +StdEnvVars +ExportCertData + SSLOptions +StdEnvVars + diff --git a/apache/unfold-init-ssl.sh b/apache/unfold-init-ssl.sh new file mode 100755 index 00000000..74c1c32a --- /dev/null +++ b/apache/unfold-init-ssl.sh 
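Review bot: The client-certificate block (`SSLVerifyClient require` with `SSLCACertificatePath /etc/unfold/trusted_roots`) has no revocation configuration, so a client certificate that chains to one of the trusted roots is still accepted after it has been revoked; add `SSLCARevocationPath /etc/unfold/trusted_roots` (or `SSLCARevocationFile`, plus `SSLCARevocationCheck chain` on Apache 2.4) next to the CA path, or extend the comment to say that revocation is deliberately not checked. With `+ExportCertData` left commented out, only the `SSL_CLIENT_S_DN*` / `SSL_CLIENT_I_DN*` variables reach wsgi.py and not `SSL_CLIENT_CERT` itself, so if the application needs to parse the GID that option has to be enabled. The host also inherits mod_ssl's compiled-in `SSLProtocol` and `SSLCipherSuite` defaults; pinning them here (e.g. `SSLProtocol all -SSLv2 -SSLv3`) keeps the enforced-auth port from negotiating legacy protocols. The enclosing VirtualHost and Directory tags are not visible in this rendering of the hunk, so the scope of these directives is inferred from the surrounding lines.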
@@ -0,0 +1,54 @@
+#!/bin/bash
+
+COMMAND=$(basename $0)
+
+# minimal script for initializing SSL material for myslice
+# you probably want to take care of this yourself instead,
+# but until somebody gets around to that apache will at least start up
+#
+trusted_roots=/etc/unfold/trusted_roots
+key=/etc/unfold/myslice.key
+cert=/etc/unfold/myslice.cert
+
+if [[ -n "$@" ]] ; then hostname=$1; shift; else hostname=$(hostname); fi
+
+function init_trusted_roots () {
+ if [ ! -d $trusted_roots ] ; then
+ echo "Creating empty" $trusted_roots
+ mkdir -p $trusted_roots
+ echo "You will wish to populate that with e.g. ple.gid or the like"
+ echo "Make sure to re-run this command $COMMAND if you add gids"
+ fi
+ ### c_rehash will consider only files ending in .pem or .crt
+ # so, we create symlinks from *.gid to *.pem
+ pushd $trusted_roots >& /dev/null
+ for gid in *.gid; do
+ base=$(basename $gid .gid)
+ pem=$base.pem
+ [ -f $pem ] && ln -s $gid $pem
+ done
+ ### invoke c_rehash
+ # on debian c_rehash comes with openssl
+ # on fedora this is part of openssl-perl
+ echo -n "Invoking c_rehash in $(pwd) .. "; c_rehash .
+ popd >& /dev/null
+}
+
+function init_server_cert () {
+ # both present : we have nothing to do
+ [ -f $key -a -f $cert ] && return
+ # exactly one present : we have a problem
+ [ -f $key -o -f $cert ] && { echo "server key or cert missing ?!?" ; return ; }
+ # create both
+ echo "Creating server key and cert for hostname ${hostname}"
+ openssl req -new -x509 -days 365 -set_serial $RANDOM -batch \
+ -subj "/CN=${hostname}" -nodes -keyout $key -out $cert
+}
+
+
+function main () {
+ init_trusted_roots
+ init_server_cert
+}
+
+main "$@"
diff --git a/debian/control b/debian/control
index b3b54ace..207b30dc 100644
--- a/debian/control
+++ b/debian/control
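Review bot: The symlink loop in init_trusted_roots has its condition inverted: `[ -f $pem ] && ln -s $gid $pem` only attempts the link when the .pem already exists (where ln then fails with "File exists") and never creates it when it is missing, so c_rehash finds nothing to hash and the port that enforces `SSLVerifyClient require` most likely ends up with an empty trust store; it should read `[ -f $pem ] || ln -s $gid $pem`. Because nullglob is not set, an empty directory makes the loop run once with the literal `*.gid`, so add `shopt -s nullglob` (or `[ -e "$gid" ] || continue`) before the loop. In init_server_cert the key is written with `-nodes` at the openssl.cnf default size and with whatever mode the current umask yields; pass `-newkey rsa:2048` and follow the call with `chmod 600 "$key"` so the unencrypted private key is not left world-readable. The unquoted `$trusted_roots`, `$key` and `$cert` expansions are harmless for the hard-coded paths but worth quoting for consistency.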
@@ -13,5 +13,5 @@ Description: Myslice plugins, based on django and unfold frontend # Thierry: the recipe I'm using somehow only works with several packages Package: unfold Architecture: any -Depends: python, python-django, python-pyparsing, apache2, libapache2-mod-wsgi +Depends: python, python-django, python-pyparsing, apache2, libapache2-mod-wsgi, openssl Description: Generic django-based frontend for manifold backends diff --git a/myslice.spec b/myslice.spec index e0504ea4..291ce6d4 100644 --- a/myslice.spec +++ b/myslice.spec @@ -21,6 +21,8 @@ Requires: python >= 2.7 Requires: python-django Requires: httpd Requires: mod_wsgi +# for c_rehash +Requires: openssl-perl BuildRequires: python-setuptools make %description diff --git a/setup.py b/setup.py index 157641a9..e902e32f 100644 --- a/setup.py +++ b/setup.py @@ -13,7 +13,7 @@ from distutils.core import setup packages= [ os.path.dirname(init) for init in (glob("*/__init__.py")+glob("*/*/__init__.py")) ] setup(packages = packages, - scripts = [], + scripts = [ 'apache/unfold-init-ssl.sh' ], data_files = [ ( 'static/js', glob ('static/js/*')), ( 'static/css', glob ('static/css/*')), -- 2.43.0