[Pypi-checkins] r920 - trunk/pypi
martin.von.loewis
python-checkins at python.org
Wed Apr 27 17:38:18 CEST 2011
Author: martin.von.loewis
Date: Wed Apr 27 17:38:18 2011
New Revision: 920
Modified:
trunk/pypi/admin.py
trunk/pypi/config.ini.template
trunk/pypi/config.py
trunk/pypi/store.py
trunk/pypi/webui.py
Log:
Add key rotations support.
Modified: trunk/pypi/admin.py
==============================================================================
--- trunk/pypi/admin.py (original)
+++ trunk/pypi/admin.py Wed Apr 27 17:38:18 2011
@@ -97,6 +97,34 @@
print "Deleting", path
shutil.rmtree(path)
+def keyrotate(config, store):
+ '''Rotate server key'''
+ key_dir = config.key_dir
+ prefixes = (os.path.join(key_dir, 'privkey'), os.path.join(key_dir,'pubkey'))
+ def rename_if_exists(oldsuffix, newsuffix):
+ for p in prefixes:
+ if os.path.exists(p+oldsuffix):
+ os.rename(p+oldsuffix, p+newsuffix)
+ # 1. generate new new key
+ os.system('openssl dsaparam -out /tmp/param 2048')
+ os.system('openssl gendsa -out %s/privkey.newnew /tmp/param' % key_dir)
+ os.system('openssl dsa -in %s/privkey.newnew -pubout -out %s/pubkey.newnew' % (key_dir, key_dir))
+ os.unlink('/tmp/param')
+ # 2. delete old old key
+ for p in prefixes:
+ if os.path.exists(p+'.old'):
+ os.unlink(p+'.old')
+ # 3. rotate current key -> old key
+ rename_if_exists('', '.old')
+ # 4. rotate new key -> current key
+ rename_if_exists('.new', '')
+ # 5. rotate new new key -> new key
+ rename_if_exists('.newnew', '.new')
+ # 6. restart web server
+ os.system('/usr/sbin/apache2ctl graceful')
+ # 7. log rotation
+ store.log_keyrotate()
+
def merge_user(store, old, new):
c = store.get_cursor()
if not store.get_user(old):
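Review bot: The three `os.system` calls under `# 1. generate new new key` are never checked, so if `openssl` is absent or fails, steps 2–5 still delete `privkey.old` and rename the current key away, and the server can be left with no usable `privkey`. The same calls build a shell command string from `key_dir` and write the DSA parameters to the fixed, predictable path `/tmp/param` in a shared world-writable directory; running `openssl` through `subprocess.check_call` with an argument list and a `tempfile.mkstemp` file avoids the shell quoting of a config value and the shared filename, and raises before any existing key has been touched. The reload in step 6 (`apache2ctl graceful`) is likewise unchecked and should at least report its return status. `subprocess` and `tempfile` would have to be imported at the top of admin.py, which is outside this hunk.
```python
    # 1. generate new new key (fails loudly before any existing key is touched)
    fd, param = tempfile.mkstemp(prefix='dsaparam.')
    os.close(fd)
    try:
        subprocess.check_call(['openssl', 'dsaparam', '-out', param, '2048'])
        subprocess.check_call(['openssl', 'gendsa', '-out',
                               os.path.join(key_dir, 'privkey.newnew'), param])
        subprocess.check_call(['openssl', 'dsa', '-in',
                               os.path.join(key_dir, 'privkey.newnew'),
                               '-pubout', '-out',
                               os.path.join(key_dir, 'pubkey.newnew')])
    finally:
        os.unlink(param)
    # … unchanged: steps 2-5 (delete old old key, renames) …
    # 6. restart web server
    if os.system('/usr/sbin/apache2ctl graceful') != 0:
        print "warning: apache2ctl graceful failed; new key not yet in use"
    # … unchanged: step 7 (store.log_keyrotate) …
```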
@@ -176,6 +204,8 @@
merge_user(*args)
elif command == 'nuke_nested_lists':
nuke_nested_lists(*args)
+ elif command == 'keyrotate':
+ keyrotate(config, *args)
else:
print "unknown command '%s'!"%command
st.changed()
Modified: trunk/pypi/config.ini.template
==============================================================================
--- trunk/pypi/config.ini.template (original)
+++ trunk/pypi/config.ini.template Wed Apr 27 17:38:18 2011
@@ -18,7 +18,7 @@
packages_rss_file = /tmp/pypi_packages_rss.xml
debug_mode = yes
cheesecake_password = secret
-privkey = privkey
+key_dir = .
simple_sign_script = /serversig
[logging]
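Review bot: `key_dir = .` is a relative path, and the rotation in admin.py and the signing code in webui.py run in different processes whose working directories need not agree, so the key the web server loads may not be the one the rotation writes. The template should carry a comment stating what the directory must hold and recommending an absolute path, e.g. `# key_dir: directory holding privkey/pubkey and their .old/.new/.newnew rotations; use an absolute path` above the setting.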
Modified: trunk/pypi/config.py
==============================================================================
--- trunk/pypi/config.py (original)
+++ trunk/pypi/config.py Wed Apr 27 17:38:18 2011
@@ -32,7 +32,7 @@
self.rss_file = c.get('webui', 'rss_file')
self.debug_mode = c.get('webui', 'debug_mode')
self.cheesecake_password = c.get('webui', 'cheesecake_password')
- self.privkey = c.get('webui', 'privkey')
+ self.key_dir = c.get('webui', 'key_dir')
self.simple_sign_script = c.get('webui', 'simple_sign_script')
if c.has_option('webui', 'sshkeys_update'):
self.sshkeys_update = c.get('webui', 'sshkeys_update')
Modified: trunk/pypi/store.py
==============================================================================
--- trunk/pypi/store.py (original)
+++ trunk/pypi/store.py Wed Apr 27 17:38:18 2011
@@ -1815,6 +1815,16 @@
cursor = self.get_cursor()
safe_execute(cursor, 'delete from openids where id=%s', (openid,))
+ def log_keyrotate(self):
+ cursor = self.get_cursor()
+ date = time.strftime('%Y-%m-%d %H:%M:%S', time.gmtime())
+ safe_execute(cursor, '''insert into journals (
+ name, version, action, submitted_date, submitted_by,
+ submitted_from) values (%s, %s, %s, %s, %s, %s)''',
+ ('', '', 'keyrotate ', date,
+ None, None))
+
+
#
# Handle the underlying database
#
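Review bot: The action value `'keyrotate '` in the tuple passed to `safe_execute` carries a trailing space, which looks accidental and would make any later journal query comparing `action = 'keyrotate'` miss these rows; I would change it to `'keyrotate'` unless other journal actions are deliberately padded. `log_keyrotate` also relies on `time` being imported in store.py, which this hunk does not show, so that is worth confirming. A one-line docstring such as `'''Record a server key rotation in the journals table (empty name/version, no submitter).'''` would help, since the row has no name or submitter to identify it.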
Modified: trunk/pypi/webui.py
==============================================================================
--- trunk/pypi/webui.py (original)
+++ trunk/pypi/webui.py Wed Apr 27 17:38:18 2011
@@ -656,7 +656,7 @@
raise NotFound, path
html = self.simple_body(path)
if not self.privkey:
- self.privkey = DSA.load_key(self.config.privkey)
+ self.privkey = DSA.load_key(os.path.join(self.config.privkey, 'privkey'))
md = EVP.MessageDigest('sha1')
md.update(html)
digest = md.final()
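Review bot: The new line still reads `self.config.privkey`, but config.py in this same revision drops that attribute in favour of `key_dir`, so the first signed request will raise `AttributeError` instead of loading the key; it should be `self.privkey = DSA.load_key(os.path.join(self.config.key_dir, 'privkey'))`. This also assumes `os` is imported in webui.py, which the hunk does not show. The enclosing method starts and ends outside the hunk.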