testing Flask

f390f0cd · Max Adamo · f1b93e2b · f390f0cd · f390f0cd · f390f0cd
Unverified Commit f390f0cd authored 4 years ago by Max Adamo
--- a/files/geant_acme_web.py
+++ b/files/geant_acme_web.py
+#!/usr/bin/env python3
+"""
+    run flask CGI that will trigger cert2json.py -p <provider>
+"""
+import subprocess as sp
+from flask import Flask
+from flask import request
+from flask import render_template
+from flask import send_from_directory
+
+APP = Flask(__name__, template_folder='/var/www/acme_web')
+
+
+@APP.route('/<provider>')
+@APP.route('/static/<path:path>')
+@APP.route('/')
+def index(provider=None):
+    """ check the git environment and run g10k """
+    url_name = str(request.path)
+    base_urls = ['/sectigo_ev', '/sectigo_ov', '/letsencrypt',
+                 '/sectigo_ev/', '/sectigo_ov/', '/letsencrypt/']
+
+    def create_json(provider):
+        """ create generator with output message """
+        if provider:
+            script_cmd = "/usr/bin/cert2json.sh {}".format(provider)
+        else:
+            script_cmd = 'true'
+        print(script_cmd)
+        script_proc = sp.Popen(script_cmd.split(), stdout=sp.PIPE, stderr=sp.STDOUT)
+        _, script_err = script_proc.communicate()
+        if script_proc.returncode != 0:
+            return "error running cert2json.py for provider {}: {}".format(
+                provider, script_err.decode("utf-8"))
+
+        return 'ok'
+
+    if url_name == '/':
+        return render_template("index.html")
+
+    if url_name in base_urls:
+        stripped_url = url_name.replace("/", "")
+        json_out = create_json(stripped_url)
+        if json_out == 'ok':
+            return render_template("{}/index.html".format(stripped_url))
+
+        return json_out
+
+    if url_name.startswith('static'):
+        return send_from_directory('static', provider)
+
+if __name__ == '__main__':
+
+    APP.run(debug=False, host='::', port=8000)
--- a/manifests/files.pp
+++ b/manifests/files.pp
@@ -106,70 +106,6 @@ class geant_acme::files (
      '/var/log/acme_sectigo_ov',
      '/var/log/acme_sectigo_ev']:
      ensure => directory;
-    ## http site
-    [$web_base,
-      "${web_base}/letsencrypt",
-      "${web_base}/sectigo_ov",
-      "${web_base}/sectigo_ev"]:
-      ensure  => directory,
-      mode    => undef,
-      require => Class['nginx'],
-      recurse => true,
-      source  => "puppet:///modules/${module_name}/acme_web";
-    "${web_base}/anvil.ico":
-      mode    => '0644',
-      require => File[$web_base],
-      source  => 'puppet:///modules/depot/anvil/anvil.ico';
-    "${web_base}/anvil.png":
-      mode    => '0644',
-      require => File[$web_base],
-      source  => 'puppet:///modules/depot/anvil/anvil.png';
-    "${web_base}/letsencrypt/index.html":
-      mode    => '0644',
-      require => File[$web_base],
-      content => epp("${module_name}/index.html.epp", {
-        json_file  => 'letsencrypt',
-        html_title => 'LetsEncrypt'}
-      );
-    "${web_base}/letsencrypt/expiry_date.html":
-      mode    => '0644',
-      require => File[$web_base],
-      content => epp("${module_name}/index.html.epp", {
-        json_file  => 'letsencrypt_expired',
-        html_title => 'LetsEncrypt'}
-      );
-    "${web_base}/sectigo_ev/index.html":
-      mode    => '0644',
-      require => File[$web_base],
-      content => epp("${module_name}/index.html.epp", {
-        json_file  => 'sectigo_ev',
-        html_title => 'SectiGO EV'}
-      );
-    "${web_base}/sectigo_ev/expiry_date.html":
-      mode    => '0644',
-      require => File[$web_base],
-      content => epp("${module_name}/index.html.epp", {
-        json_file  => 'sectigo_ev_expired',
-        html_title => 'SectiGO EV'}
-      );
-    "${web_base}/sectigo_ov/index.html":
-      mode    => '0644',
-      require => File[$web_base],
-      content => epp("${module_name}/index.html.epp", {
-        json_file  => 'sectigo_ov',
-        html_title => 'SectiGO OV'}
-      );
-    "${web_base}/sectigo_ov/expiry_date.html":
-      mode    => '0644',
-      require => File[$web_base],
-      content => epp("${module_name}/index.html.epp", {
-        json_file  => 'sectigo_ov_expired',
-        html_title => 'SectiGO OV'}
-      );
-    "${web_base}/index.html":
-      mode    => '0644',
-      require => File[$web_base],
-      source  => "puppet:///modules/${module_name}/index.html";
  }

 }

--- a/manifests/firewall.pp
+++ b/manifests/firewall.pp
@@ -9,15 +9,21 @@ class geant_acme::firewall ($haproxy_ips = $geant_acme::params::haproxy_ips) {
      dport    => 6379,
      proto    => tcp,
      provider => ['iptables', 'ip6tables'];
+    '340 Allow temporarily accesso to Flask':
+      chain    => 'INPUT',
+      action   => accept,
+      dport    => 8000,
+      proto    => tcp,
+      provider => ['iptables', 'ip6tables'];
  }

  $haproxy_ips.each | String $source | {
    if $source =~ Stdlib::IP::Address::V6 { $provider = 'ip6tables' } else { $provider = 'iptables' }
-    firewall { "340 Allow inbound TCP to http from ${source} for provider ${provider}":
+    firewall { "340 Allow inbound TCP to port 80 and port 8000 from ${source} for provider ${provider}":
      action   => accept,
      chain    => 'INPUT',
      source   => $source,
-      dport    => 80,
+      dport    => [80, 8000],
      proto    => tcp,
      provider => $provider;
    }

--- a/manifests/flask/files.pp
+++ b/manifests/flask/files.pp
+# == Class: geant_acme::files
+#
+class geant_acme::flask::files ($web_base) {
+
+  file {
+    default:
+      ensure => file,
+      owner  => root,
+      group  => root,
+      mode   => '0755';
+    '/usr/bin/geant_acme_web.py':
+      source => "puppet:///modules/${module_name}/geant_acme_web.py";
+    '/usr/bin/cert2json.sh':
+      content => "#!/usr/bin/bash\n/usr/bin/flock /tmp/cert2json.lock /root/bin/cert2json.py -p \$1\n";
+    '/root/bin/cert2json.py':
+      source => "puppet:///modules/${module_name}/cert2json.py";
+    [$web_base, "${web_base}/letsencrypt", "${web_base}/sectigo_ov", "${web_base}/sectigo_ev"]:
+      ensure => directory;
+    "${web_base}/static":
+      ensure  => directory,
+      recurse => true,
+      source  => "puppet:///modules/${module_name}/acme_web";
+  }
+
+  file {
+    default:
+      ensure  => file,
+      owner   => root,
+      group   => root,
+      require => File[$web_base],
+      mode    => '0644';
+    "${web_base}/static/anvil.ico":
+      source => 'puppet:///modules/depot/anvil/anvil.ico';
+    "${web_base}/static/anvil.png":
+      source => 'puppet:///modules/depot/anvil/anvil.png';
+    "${web_base}/letsencrypt/index.html":
+      content => epp("${module_name}/index.html.epp", {
+        json_file  => 'letsencrypt',
+        html_title => 'LetsEncrypt'}
+      );
+    "${web_base}/letsencrypt/expiry_date.html":
+      content => epp("${module_name}/index.html.epp", {
+        json_file  => 'letsencrypt_expired',
+        html_title => 'LetsEncrypt'}
+      );
+    "${web_base}/sectigo_ev/index.html":
+      content => epp("${module_name}/index.html.epp", {
+        json_file  => 'sectigo_ev',
+        html_title => 'SectiGO EV'}
+      );
+    "${web_base}/sectigo_ev/expiry_date.html":
+      content => epp("${module_name}/index.html.epp", {
+        json_file  => 'sectigo_ev_expired',
+        html_title => 'SectiGO EV'}
+      );
+    "${web_base}/sectigo_ov/index.html":
+      content => epp("${module_name}/index.html.epp", {
+        json_file  => 'sectigo_ov',
+        html_title => 'SectiGO OV'}
+      );
+    "${web_base}/sectigo_ov/expiry_date.html":
+      content => epp("${module_name}/index.html.epp", {
+        json_file  => 'sectigo_ov_expired',
+        html_title => 'SectiGO OV'}
+      );
+    "${web_base}/index.html":
+      source => "puppet:///modules/${module_name}/index.html";
+  }
+
+}
+# vim:ts=2:sw=2
--- a/manifests/flask/flask.pp
+++ b/manifests/flask/flask.pp
+# Class: repositories::nginx
+#
+#
+class geant_acme::flask::flask {
+
+  package { 'python3-flask': ensure => 'present'; }
+
+  systemd::unit_file { 'acme-web.service':
+    content => epp("${module_name}/acme-web.service.epp"),
+    notify  => Service['acme-web'],
+  }
+
+  service { 'acme-web':
+    ensure => 'running',
+    enable => true;
+  }
+
+}
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -44,7 +44,8 @@ class geant_acme (

  resources { 'cron': purge => true; }

-  include geant_acme::nginx
+  include geant_acme::flask::flask
+  include geant_acme::flask::files
  include geant_acme::firewall

  $ev_units = keys($sg_certificates_ev)

--- a/templates/acme-web.service.epp
+++ b/templates/acme-web.service.epp
+#
+# Starts webserver on port 8000
+#
+[Unit]
+Description=ACME Web
+Wants=basic.target
+After=basic.target network.target
+
+[Service]
+User=root
+Group=root
+ExecStart=/usr/bin/geant_acme_web.py
+ExecReload=/usr/bin/kill -HUP $MAINPID
+ExecStop=/usr/bin/pkill -f geant_acme_web.py
+
+[Install]
+WantedBy=multi-user.target