new recipe isotoma.recipe.apache

Author: winjer

isotoma.recipe.apache/CHANGES.txt

@@ -0,0 +1,69 @@
+Apache buildout recipe
+======================
+
+This package provides buildout_ recipes for the configuration of apache.  This
+has a number of features that we have found useful in production, such as
+support for long CA chains, htpasswd authentication protection and the support
+for optional templates provided with the buildout.
+
+We use the system apache, so this recipe will not install apache for you.  If
+you wish to install apache, use `zc.recipe.cmmi`_ perhaps.
+
+.. _buildout: http://pypi.python.org/pypi/zc.buildout
+.. _`zc.recipe.cmmi`: http://pypi.python.org/pypi/zc.recipe.cmmi
+
+
+Mandatory Parameters
+--------------------
+
+interface
+    The IP address of the interface on which to listen
+sitename
+    The name of the site, used to identify the correct virtual host
+serveradmin
+    The email address of the administrator of the server
+proxyport
+    The port to which requests are forwarded
+
+Optional Parameters
+-------------------
+
+realm
+    The name of the HTTP Authentication realm, if you wish to password protect this site
+passwdfile
+    The filename of the htpasswd file to secure the realm, defaults to "passwd" in the part directory
+username
+    The username used in the htpasswd file
+allowpurge
+    The IP address of a server that is permitted to send PURGE requests to this server
+portal
+    The name of the portal object in the zope server, defaults to "portal"
+template
+    The filename of the template file to use, if you do not wish to use the default
+configfile
+    The name of the config file written by the recipe, defaults to "apache.cfg" in the part directory
+sslca
+    A list of full pathnames to certificate authority certificate files
+sslcert
+    The full pathname of the ssl certificate, if required
+sslkey
+    The full pathname of the key for the ssl certificate
+
+License
+-------
+
+Copyright 2010 Isotoma Limited
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+

isotoma.recipe.apache/README.rst

@@ -0,0 +1,2 @@
+__import__('pkg_resources').declare_namespace(__name__)
+

isotoma.recipe.apache/isotoma/__init__.py

@@ -0,0 +1,2 @@
+__import__('pkg_resources').declare_namespace(__name__)
+

isotoma.recipe.apache/isotoma/recipe/__init__.py

@@ -0,0 +1,64 @@
+# Copyright 2010 Isotoma Limited
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import logging
+import os
+import zc.buildout
+from Cheetah.Template import Template
+
+import htpasswd
+
+def sibpath(filename):
+    return os.path.join(os.path.dirname(__file__), filename)
+
+class Apache(object):
+
+    template = os.path.join(os.path.dirname(__file__), "apache.cfg")
+    ssltemplate = os.path.join(os.path.dirname(__file__), "apache-ssl.cfg")
+
+    def __init__(self, buildout, name, options):
+        self.name = name
+        self.options = options
+        self.buildout = buildout
+        if "sslcert" in options:
+            default_template = "apache-ssl.cfg"
+        else:
+            default_template = "apache.cfg"
+        self.outputdir = os.path.join(self.buildout['buildout']['directory'], self.name)
+        self.options.setdefault("template", sibpath(default_template))
+        self.options.setdefault("passwdfile", os.path.join(self.outputdir, "passwd"))
+        self.options.setdefault("configfile", os.path.join(self.outputdir, "apache.cfg"))
+        self.options.setdefault("portal", "portal")
+
+    def install(self):
+        if not os.path.isdir(self.outputdir):
+            os.mkdir(self.outputdir)
+        opt = self.options.copy()
+        # turn a list of sslca's into an actual list
+        opt['sslca'] = [x.strip() for x in opt.get("sslca", "").strip().split()]
+        template = open(self.options['template']).read()
+        cfgfilename = self.options['configfile']
+        c = Template(template, searchList = opt)
+        open(cfgfilename, "w").write(str(c))
+        self.mkpasswd()
+        return [self.outputdir]
+
+    def mkpasswd(self):
+        if "password" in self.options:
+            pw = htpasswd.HtpasswdFile(self.options['passwdfile'], create=True)
+            pw.update(self.options["username"], self.options["password"])
+            pw.save()
+        
+    def update(self):
+        pass

isotoma.recipe.apache/isotoma/recipe/apache/__init__.py

@@ -0,0 +1,59 @@
+# vim: syntax=apache:
+
+<VirtualHost $interface:80>
+    ServerName ${sitename}
+    ServerAdmin ${serveradmin}
+    CustomLog /var/log/apache2/${sitename}-access.log combined
+    ErrorLog /var/log/apache2/${sitename}-error.log
+    ProxyRequests Off
+    RewriteEngine On
+    RewriteRule /(.*)$ https://${sitename}/$1 [R]
+</VirtualHost>
+
+<VirtualHost $interface:443>
+    ServerName ${sitename}
+    ServerAdmin ${serveradmin}
+    CustomLog /var/log/apache2/ssl-${sitename}-access.log combined
+    ErrorLog /var/log/apache2/ssl-${sitename}-error.log
+
+    SSLEngine on
+    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
+    SSLCertificateFile ${sslcert}
+    SSLCertificateKeyFile ${sslkey}
+    #for $a in $sslca
+    SSLCACertificateFile ${a}
+    #end for
+
+    #if $getVar('realm', None)
+    <Location />
+        Options Indexes FollowSymLinks MultiViews
+        Order Allow,Deny
+        allow from all
+        AuthType Basic
+        AuthName "${realm}"
+        AuthUserFile ${passwdfile}
+        Require user ${username}
+    </Location>
+    #end if
+
+    #if $getVar('allowpurge', None)
+    <Location />
+        <LimitExcept GET POST HEAD>
+            Order Deny,Allow
+            Deny from all
+            #for $a in $allowpurge.split()
+            Allow from $a
+            #end for
+        </LimitExcept>
+    </Location>
+    #end if
+
+    ProxyRequests Off
+    ProxyPass / http://localhost:${proxyport}/VirtualHostBase/https/$sitename:443/${portal}/VirtualHostRoot/
+    ProxyPreserveHost On
+    <Proxy *>
+        Allow from all
+    </Proxy>
+</VirtualHost>
+
+# conditional, include lines

isotoma.recipe.apache/isotoma/recipe/apache/apache-ssl.cfg

@@ -0,0 +1,42 @@
+# vim: syntax=apache:
+
+<VirtualHost $interface:80>
+    ServerName ${sitename}
+    ServerAdmin ${serveradmin}
+    CustomLog /var/log/apache2/${sitename}-access.log combined
+    ErrorLog /var/log/apache2/${sitename}-error.log
+
+    #if $getVar('realm', None)
+    <Location />
+        Options Indexes FollowSymLinks MultiViews
+        Order Allow,Deny
+        allow from all
+        AuthType Basic
+        AuthName "${realm}"
+        AuthUserFile ${passwdfile}
+        Require user ${username}
+    </Location>
+    #end if
+
+    #if $getVar('allowpurge', None)
+    <Location />
+        <LimitExcept GET POST HEAD>
+            Order Deny,Allow
+            Deny from all
+            #for $a in $allowpurge.split()
+            Allow from $a
+            #end for
+        </LimitExcept>
+    </Location>
+    #end if
+
+
+    ProxyRequests Off
+    ProxyPass / http://localhost:${proxyport}/VirtualHostBase/http/$sitename:80/${portal}/VirtualHostRoot/
+    ProxyPreserveHost On
+    <Proxy *>
+        Allow from all
+    </Proxy>
+</VirtualHost>
+
+# conditional, include lines

isotoma.recipe.apache/isotoma/recipe/apache/apache.cfg

@@ -0,0 +1,123 @@
+#!/usr/bin/python
+"""Replacement for htpasswd"""
+# Original author: Eli Carter
+
+import os
+import sys
+import random
+from optparse import OptionParser
+
+# We need a crypt module, but Windows doesn't have one by default.  Try to find
+# one, and tell the user if we can't.
+try:
+    import crypt
+except ImportError:
+    try:
+        import fcrypt as crypt
+    except ImportError:
+        sys.stderr.write("Cannot find a crypt module.  "
+                         "Possibly http://carey.geek.nz/code/python-fcrypt/\n")
+        sys.exit(1)
+
+
+def salt():
+    """Returns a string of 2 randome letters"""
+    letters = 'abcdefghijklmnopqrstuvwxyz' \
+              'ABCDEFGHIJKLMNOPQRSTUVWXYZ' \
+              '0123456789/.'
+    return random.choice(letters) + random.choice(letters)
+
+
+class HtpasswdFile:
+    """A class for manipulating htpasswd files."""
+
+    def __init__(self, filename, create=False):
+        self.entries = []
+        self.filename = filename
+        if not create:
+            if os.path.exists(self.filename):
+                self.load()
+            else:
+                raise Exception("%s does not exist" % self.filename)
+
+    def load(self):
+        """Read the htpasswd file into memory."""
+        lines = open(self.filename, 'r').readlines()
+        self.entries = []
+        for line in lines:
+            username, pwhash = line.split(':')
+            entry = [username, pwhash.rstrip()]
+            self.entries.append(entry)
+
+    def save(self):
+        """Write the htpasswd file to disk"""
+        open(self.filename, 'w').writelines(["%s:%s\n" % (entry[0], entry[1])
+                                             for entry in self.entries])
+
+    def update(self, username, password):
+        """Replace the entry for the given user, or add it if new."""
+        pwhash = crypt.crypt(password, salt())
+        matching_entries = [entry for entry in self.entries
+                            if entry[0] == username]
+        if matching_entries:
+            matching_entries[0][1] = pwhash
+        else:
+            self.entries.append([username, pwhash])
+
+    def delete(self, username):
+        """Remove the entry for the given user."""
+        self.entries = [entry for entry in self.entries
+                        if entry[0] != username]
+
+
+def main():
+    """%prog [-c] -b filename username password
+    Create or update an htpasswd file"""
+    # For now, we only care about the use cases that affect tests/functional.py
+    parser = OptionParser(usage=main.__doc__)
+    parser.add_option('-b', action='store_true', dest='batch', default=False,
+        help='Batch mode; password is passed on the command line IN THE CLEAR.'
+        )
+    parser.add_option('-c', action='store_true', dest='create', default=False,
+        help='Create a new htpasswd file, overwriting any existing file.')
+    parser.add_option('-D', action='store_true', dest='delete_user',
+        default=False, help='Remove the given user from the password file.')
+
+    options, args = parser.parse_args()
+
+    def syntax_error(msg):
+        """Utility function for displaying fatal error messages with usage
+        help.
+        """
+        sys.stderr.write("Syntax error: " + msg)
+        sys.stderr.write(parser.get_usage())
+        sys.exit(1)
+
+    if not options.batch:
+        syntax_error("Only batch mode is supported\n")
+
+    # Non-option arguments
+    if len(args) < 2:
+        syntax_error("Insufficient number of arguments.\n")
+    filename, username = args[:2]
+    if options.delete_user:
+        if len(args) != 2:
+            syntax_error("Incorrect number of arguments.\n")
+        password = None
+    else:
+        if len(args) != 3:
+            syntax_error("Incorrect number of arguments.\n")
+        password = args[2]
+
+    passwdfile = HtpasswdFile(filename, create=options.create)
+
+    if options.delete_user:
+        passwdfile.delete(username)
+    else:
+        passwdfile.update(username, password)
+
+    passwdfile.save()
+
+
+if __name__ == '__main__':
+    main()