Fix typo in dns server when separate server provided for specific dom…

…ain(s) conf.d/ssl-mgr.conf - services can now be wildcard services (ALL or *) Every file in group directory that is a service config will be included as service add self signed wild card example Fix bug with sslm-info not showing IP addresses in SAN
gene-git · Nov 27, 2024 · 7e06eab · 7e06eab
1 parent f066403
commit 7e06eab
Show file tree

Hide file tree

Showing 14 changed files with 151 additions and 33 deletions.
diff --git a/Docs/conf.py b/Docs/conf.py
@@ -9,7 +9,7 @@
 project = "ssl-mgr"
 copyright = '2023, Gene C'
 author = 'Gene C'
-release = '4.5.0'
+release = '4.9.0'
 
 # -- General configuration ---------------------------------------------------
 # https://www.sphinx-doc.org/en/master/usage/configuration.html#general-configuration

diff --git a/README.rst b/README.rst
@@ -64,6 +64,12 @@ New / Interesting
 
 Recent changes and important info goes here.
 
+ * Fixed: sslm-info now shows all SANS including IP addresses.
+
+ * Fixed: typo in dns_primary when domain specific dns server provided caused it not to be used. 
+
+ * Feature: config services list can now be wildcard (ALL or \*) same as command line
+
  * New config variable : renew_expire_days_spread (default 0)
    When set to value > 0, renew will happen between expiry_days ±spread days.
    Where spread days is randomly drawn from a uniform distribution between -spread and spread.
@@ -124,14 +130,6 @@ Recent changes and important info goes here.
      * While things can take longer than previous versions, teting to date has shown it 
        to be robust and working well with letsencrypt.
 
- * Fix bug with letsencrypt test cert
-
- * certbot logs are now in *<logdir>/letsencrypt* instead of it's default
-   /var/log/letsencrypt.
-
- * Adjust code to be compatible with upcoming python changes.
-   Some argparse options have been deprecated in 3.12 and will be removed in 3.14.
-
 More Detail
 ===========
 

diff --git a/examples/ca-self/conf.d/ca/my-int b/examples/ca-self/conf.d/ca/my-int
@@ -16,8 +16,8 @@ dane_tls = []
     ec_algo = 'secp384r1'
 
 [X509]
-    CN = "sap-int"
-    O = "Sap IT"
+    CN = "My-Int"
+    O = "My IT Certs"
     C = "US"
     L = ''
     ST = ''

diff --git a/examples/ca-self/conf.d/example.com/wild-self b/examples/ca-self/conf.d/example.com/wild-self
@@ -0,0 +1,26 @@
+#
+# Sapience.com
+#
+# Internal only : signed by my-int which is signed by my-root
+#
+name = 'Wild Self'
+group = 'example.com'
+service = 'wild-self'
+
+signing_ca = 'my-int'
+
+[KeyOpts]
+    ktype = 'ec'
+    ec_algo = 'secp384r1'
+
+[X509]
+    CN = "example.com"
+    O = "Example IT Dept"
+    OU = 'IT web'
+    L = ''
+    ST = ''
+    C = "US"
+    email = 'hostmaster@example.com'
+
+    # Change these
+    sans = ['example.com', '*.example.com']
diff --git a/packaging/PKGBUILD b/packaging/PKGBUILD
@@ -12,7 +12,7 @@ pkgname='ssl-mgr'
 pkgdesc='Manage (re)new certificates and handle DANE TLSA key rollover'
 _gitname='ssl-mgr'
 
-pkgver=4.5.0
+pkgver=4.9.0
 pkgrel=1
 url="https://github.com/gene-git/ssl-mgr"
 

diff --git a/src/ssl_mgr/__about__.py b/src/ssl_mgr/__about__.py
@@ -3,4 +3,4 @@
 """
 Project ssl-mgr
 """
-__version__ = "4.5.0"
+__version__ = "4.9.0"
diff --git a/src/ssl_mgr/certs/cert_info.py b/src/ssl_mgr/certs/cert_info.py
@@ -91,11 +91,16 @@ def get_sans(extensions:Extensions):
         return []
     try:
         sans = extensions.get_extension_for_class(x509.SubjectAlternativeName)
+        san_names = []
         if sans:
             sans = sans.value
             if sans:
-                sans = sans.get_values_for_type(x509.DNSName)
-        return sans
+                san_names = sans.get_values_for_type(x509.DNSName)
+                ips = sans.get_values_for_type(x509.IPAddress)
+                if ips:
+                    ips = [str(ip) for ip in ips]
+                    san_names += ips
+        return san_names
 
     except cryptography.x509.ExtensionNotFound :
         return []

diff --git a/src/ssl_mgr/config/__init__.py b/src/ssl_mgr/config/__init__.py
@@ -6,3 +6,4 @@
 from .class_opts import SslOpts
 from .opts_check import check_options, check_options_cbot_hook
 from .opts_check import check_options_group, check_dns_primary
+from .services_list import (is_wildcard_services, service_list_from_dir)
diff --git a/src/ssl_mgr/config/conf_read.py b/src/ssl_mgr/config/conf_read.py
@@ -5,6 +5,7 @@
 """
 import os
 from utils import read_toml_file
+from .services_list import (is_wildcard_services, service_list_from_dir)
 
 def read_ssl_mgr_conf(opts:"SslOpts"):
     """
@@ -27,13 +28,17 @@ def read_ssl_mgr_conf(opts:"SslOpts"):
     #
     groups = conf_dict.get('groups')
     if not groups or not isinstance(groups, list):
-        print('Error: config groups missing - must be array of tables')
+        print('Error: config groups missing - must be list of tables')
         return conf_dict
 
     grps_svcs = {}
     for item in groups:
         domain = item.get('domain')
+
         services = item.get('services')
+        if is_wildcard_services(services):
+            services = service_list_from_dir(conf_dir, domain)
+
         active = item.get('active')
         if not active:
             continue

diff --git a/src/ssl_mgr/config/opts_check.py b/src/ssl_mgr/config/opts_check.py
@@ -121,6 +121,8 @@ def check_options_group(log, group_name:str, services:[str], opts:"SslOpts") ->
         #okay = False
 
     for svc_name in services:
+        if svc_name in ('*', 'ALL'):
+            continue
         svc_file = os.path.join(group_dir, svc_name)
         if not os.path.exists(svc_file):
             log(f'Error No config for {group_name}:{svc_name}')

diff --git a/src/ssl_mgr/config/services_list.py b/src/ssl_mgr/config/services_list.py
@@ -0,0 +1,90 @@
+'''
+Generate list of services in a directory
+ - used when services config set to "*"
+'''
+import os
+import re
+from typing import Union
+
+from utils import (dir_list, open_file)
+
+def read_file(file):
+    '''
+    Read and return rows
+    '''
+    fob = open_file(file, 'r')
+    data = None
+    if fob:
+        data = fob.readlines()
+        fob.close()
+    return data
+
+def is_wildcard_services(services: Union[str,[str]]):
+    '''
+    Check if wild card (* or ALL)
+    '''
+    if not services:
+        return False
+
+    if isinstance(services, list):
+        for item in services:
+            if item in ('*', 'ALL'):
+                return True
+    elif services in ('*', 'ALL'):
+        return True
+    return False
+
+def check_is_service(group:str, file:str) -> bool:
+    '''
+    Check file is a service config
+    '''
+    checks = ['name=', 'group=', 'service=', '[KeyOpts]', '[X509]']
+    checks_todo = list(checks)
+    found = {}
+    num_checks = len(checks)
+
+    for check in checks:
+        found[check] = False
+
+    path = os.path.join(group, file)
+    rows = read_file(path)
+
+    num_checks_found = 0
+    is_service_config = False
+    for row in rows:
+        # strip all white space
+        row = re.sub(r"\s+", '', row)
+        if row == '' or row.startswith('#'):
+            continue
+
+        checks = list(checks_todo)
+        for check in checks:
+            if not found[check] and row.startswith(check):
+                found[check] = True
+                num_checks_found += 1
+                checks_todo.remove(check)
+                break
+
+        if num_checks_found == num_checks:
+            is_service_config = True
+            break
+
+    return is_service_config
+
+
+def service_list_from_dir(conf_dir:str, group:str) -> [str] :
+    '''
+    Generate list of service configs located in conf_dir/group_dir
+    '''
+    group_dir = os.path.join(conf_dir, group)
+    [files, _dirs, _links] = dir_list(group_dir)
+    if not files:
+        return []
+
+    # checks that file is a service config
+    service_files = []
+    for file in files:
+        if check_is_service(group_dir, file):
+            service_files.append(file)
+
+    return service_files
diff --git a/src/ssl_mgr/groups/avail_services.py b/src/ssl_mgr/groups/avail_services.py
@@ -4,7 +4,7 @@
 Misc utils
 """
 import os
-from utils import dir_list
+from config import service_list_from_dir
 
 def available_services(top_dir:str, grp_name:str) -> [str]:
     """
@@ -13,18 +13,7 @@ def available_services(top_dir:str, grp_name:str) -> [str]:
     to make a list of available services
     TODO: lets use active config services instead
     """
-    conf_path = os.path.join(top_dir, 'conf.d', grp_name)
-    [flist, _dlist, _llist] = dir_list(conf_path)
+    conf_dir = os.path.join(top_dir, 'conf.d')
+    service_names = service_list_from_dir(conf_dir, grp_name)
 
-    #
-    # All services are files named xxx
-    #
-    files = []
-    if flist:
-        files += flist
-
-    services = []
-    for file in files:
-        services.append(file)
-
-    return services
+    return service_names
diff --git a/src/ssl_mgr/groups/class_group.py b/src/ssl_mgr/groups/class_group.py
@@ -11,6 +11,8 @@
 from utils import get_logger
 from db import SslDb
 from services import Service
+from config import is_wildcard_services
+
 from .avail_services import available_services
 from .class_tasks import TaskMgr
 from .group_tasks import group_to_production
@@ -68,7 +70,7 @@ def __init__(self, grp_name:str, svcs:[str], opts:"SslOpts"):
             return
 
         # If all services, then get the fill list of available svcs
-        if 'ALL' in svcs:
+        if is_wildcard_services(svcs):
             svcs = available_services(top_dir, grp_name)
             self.svcs = svcs
 

diff --git a/src/ssl_mgr/ssl_dns/dns_server.py b/src/ssl_mgr/ssl_dns/dns_server.py
@@ -47,7 +47,7 @@ def init_primary_dns_server(opts:"SslOpts", apex_domain:str, log=print) -> SslDn
             default_server = server
             default_port = port
 
-        if domain.lower == apex_domain:
+        if domain.lower() == apex_domain:
             dns_server = server
             dns_port = port
             break