#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Copyright (c) 2017, NORDUnet A/S.
# See LICENSE for licensing information.
import sys
import argparse
import readconfig
from certtools import create_ssl_context, get_sth, mv_file, urlget
import os
import errno
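def get_file(configurl):
    """Fetch the (still unverified) resource named by *configurl*.

    Supported schemes:
      * ``http://`` / ``https://`` -- fetched with certtools.urlget; a non-2xx
        status raises via ``raise_for_status()``.  The object urlget returned
        is handed back unchanged (it has ``raise_for_status``, so presumably a
        requests Response).  NOTE(review): the file branch below returns the
        file's text instead; confirm which the callers actually expect.
      * ``file:///`` -- read from the local filesystem.  The literal token
        ``CURRENTWORKINGDIRECTORY`` in the path is replaced by os.getcwd().
        NOTE(review): the whole ``file:///`` prefix is stripped, so
        ``file:///etc/x`` resolves to the *relative* path ``etc/x``; confirm
        this is intended before relying on absolute file URLs.

    Raises ValueError for any other scheme instead of silently returning None.

    Nothing returned here has been signature-checked; the caller must verify
    it before trusting its contents.
    """
    if configurl.startswith(("https://", "http://")):
        result = urlget(configurl)
        result.raise_for_status()
        return result
    if configurl.startswith("file:///"):
        path = configurl[len("file:///"):]
        path = path.replace("CURRENTWORKINGDIRECTORY", os.getcwd())
        # Close the handle deterministically rather than relying on
        # refcount finalisation.
        with open(path) as fh:
            return fh.read()
    raise ValueError("unsupported URL scheme in configurl: %r" % (configurl,))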
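def write_file(fn, data):
    """Write *data* to *fn* via a ``fn + ".new"`` temp file and mv_file.

    The temp file is fully written and closed before certtools.mv_file
    moves it over *fn*, so the handoff presumably leaves *fn* either
    untouched or complete (the exact guarantee is mv_file's, see certtools).
    Any I/O error propagates to the caller.
    """
    tempname = fn + ".new"
    # Close (and therefore flush) before the move; leaving this to
    # refcount finalisation is CPython-specific and can reorder the write
    # after mv_file on other interpreters.
    with open(tempname, 'w') as fh:
        fh.write(data)
    mv_file(tempname, fn)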
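def get_config_version(filename, logadminkey):
    """Return the version of the signed config installed at *filename*.

    The file is read through readconfig.verify_and_read_config, so its
    signature is checked against *logadminkey* before the version is
    trusted.  A missing file (ENOENT) means "nothing installed yet" and
    yields -1; every other IOError, and anything readconfig raises for a
    present-but-invalid config, propagates unchanged.
    """
    try:
        config = readconfig.verify_and_read_config(filename, logadminkey)
    except IOError as e:
        if e.errno == errno.ENOENT:
            return -1
        # Bare re-raise keeps the original traceback (Python 2 would
        # otherwise reset it).
        raise
    return config["version"]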
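def main():
    """Fetch the signed system configuration and install it if it is newer.

    Steps:
      1. read the local config (``--localconfig``) for ``configurl`` and
         ``logadminkey``;
      2. read the version already installed at ``--dest`` (-1 if absent);
      3. fetch ``configurl`` and ``configurl + ".sig"`` and verify them with
         ``logadminkey`` -- nothing from the server is trusted before this;
      4. write both files to ``--dest`` only when the fetched version is
         strictly greater than the installed one.

    Prints "newconfig" on stdout after installing.  Exits with status 1 when
    the server offers an older version than the one installed (rollback
    refusal).  An equal version is a silent no-op.  A failed download or a
    rejected signature surfaces as the exception raised by get_file /
    readconfig (presumably; readconfig's failure mode is not visible here).
    """
    parser = argparse.ArgumentParser(description="")
    parser.add_argument('--dest', help="Where to write the verified system configuration",
                        required=True)
    parser.add_argument('--localconfig', help="Local configuration",
                        required=True)
    args = parser.parse_args()

    localconfig = readconfig.read_config(args.localconfig)
    logadminkey = localconfig["logadminkey"]
    old_config_version = get_config_version(args.dest, logadminkey)

    configurl = localconfig["configurl"]
    unverified_config = get_file(configurl)
    unverified_config_sig = get_file(configurl + ".sig")
    # The fetched data only becomes "verified" once verify_config returns;
    # the rename below marks that boundary.
    new_config = readconfig.verify_config(unverified_config, unverified_config_sig, logadminkey, configurl)
    verified_config = unverified_config
    verified_config_sig = unverified_config_sig
    new_config_version = new_config["version"]

    if new_config_version > old_config_version:
        # NOTE(review): two separate writes -- a crash between them leaves
        # a config whose .sig no longer matches until the next successful
        # run; acceptable only if get_config_version then fails closed.
        write_file(args.dest, verified_config)
        write_file(args.dest + ".sig", verified_config_sig)
        # sys.stdout.write keeps this runnable on both Python 2 and 3.
        sys.stdout.write("newconfig\n")
    elif new_config_version < old_config_version:
        sys.stderr.write("The version of the configuration on the admin server is older than the version we have, refusing update\n")
        sys.exit(1)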
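# Only run when executed as a script, so the module can be imported
# (e.g. by tests) without fetching or writing anything.
if __name__ == "__main__":
    main()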