
yellow team mailing list archive

Serve the GUI assets over HTTPS (issue 6940084)

 

Reviewers: mp+140511_code.launchpad.net,

Message:
Please take a look.

Description:
Serve the GUI assets over HTTPS

Generate and install a passphrase-less SSL certificate and private
key, and configure nginx to use it to serve the GUI via HTTPS.

https://code.launchpad.net/~teknico/charms/precise/juju-gui/serve-via-https/+merge/140511

(do not edit description out of merge proposal)


Please review this at https://codereview.appspot.com/6940084/

Affected files:
   M README.md
   A [revision details]
   M config.yaml
   M config/nginx.conf.template
   M hooks/install
   M hooks/utils.py


Index: README.md
=== modified file 'README.md'
--- README.md	2012-12-17 22:10:45 +0000
+++ README.md	2012-12-18 17:46:09 +0000
@@ -61,8 +61,8 @@
              - 8080/tcp
              public-address: ec2-204-236-250-8.compute-1.amazonaws.com

-That tells me I can go to the public-address in my browser
-(http://ec2-204-236-250-8.compute-1.amazonaws.com/ in this example), and  
start
+That tells me I can go to the public-address in my browser via HTTPS
+(https://ec2-204-236-250-8.compute-1.amazonaws.com/ in this example), and  
start
  configuring the rest of Juju with the GUI.  You should see something  
similar.

  Again, until we switch to releases, the charm is fragile.  As I write this,
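Review bot: the open-ports listing just above the changed sentence still shows only 8080/tcp, while the nginx template in this branch now listens on 443 only; unless the charm also opens 443, the https:// URL the README now gives is not reachable from outside. The paragraph should also warn that the certificate is self-signed (hooks/utils.py signs the CSR with -signkey), so the browser will show a certificate warning on first visit.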


Index: [revision details]
=== added file '[revision details]'
--- [revision details]	2012-01-01 00:00:00 +0000
+++ [revision details]	2012-01-01 00:00:00 +0000
@@ -0,0 +1,2 @@
+Old revision: bac@xxxxxxxxxxxxx-20121218154147-dy4pblunljkevos7
+New revision: nicola.larosa@xxxxxxxxxxxxx-20121218174609-wwror6qn9jt3wtvp

Index: config.yaml
=== modified file 'config.yaml'
--- config.yaml	2012-12-07 18:39:00 +0000
+++ config.yaml	2012-12-18 17:46:09 +0000
@@ -38,4 +38,8 @@
        commands that are run by charm hooks.
      type: string
      default: /var/log/juju/juju-gui.log
-
+  ssl-cert-path:
+    description: |
+      The path to the directory where the SSL certificates are stored.
+    type: string
+    default: /etc/ssl/private/juju-gui
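Review bot: ssl-cert-path is made configurable here, but config/nginx.conf.template in the same branch hardcodes /etc/ssl/private/juju-gui for both ssl_certificate and ssl_certificate_key, so any other value yields a key and certificate nginx never looks at. Either substitute the option into the template (it already uses %(server_root)s-style placeholders) or drop the option. The description should also say that the private key, not just the certificate, is stored in this directory, and that the value is only read by the install hook.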


Index: config/nginx.conf.template
=== modified file 'config/nginx.conf.template'
--- config/nginx.conf.template	2012-12-06 17:45:31 +0000
+++ config/nginx.conf.template	2012-12-18 17:46:09 +0000
@@ -1,9 +1,10 @@
  server {
-    listen 80;
+    listen 443 default_server ssl;
      server_name _;
      root %(server_root)s;
-
      index index.html;
+    ssl_certificate /etc/ssl/private/juju-gui/server.pem
+    ssl_certificate_key /etc/ssl/private/juju-gui/server.key

      # Serve static assets.
      location ^~ /juju-ui/ {
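Review bot: both new ssl_* directives are missing the terminating semicolon, so nginx will refuse to load this configuration. They should read:
    ssl_certificate /etc/ssl/private/juju-gui/server.pem;
    ssl_certificate_key /etc/ssl/private/juju-gui/server.key;
The paths should also come from the ssl-cert-path option via a placeholder rather than being hardcoded, and since "listen 80;" is removed outright, plain http:// requests are now refused instead of redirected; a second server block on port 80 that returns a 301 to https:// would keep the old README URL working.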


Index: hooks/install
=== modified file 'hooks/install'
--- hooks/install	2012-12-18 13:23:42 +0000
+++ hooks/install	2012-12-18 17:46:09 +0000
@@ -32,7 +32,8 @@


  DEB_DEPENDENCIES = (
-    'bzr', 'imagemagick', 'make', 'nginx', 'nodejs', 'npm', 'zookeeper')
+    'bzr', 'imagemagick', 'make', 'nginx', 'nodejs', 'npm', 'openssl',
+    'zookeeper')


  def get_dependencies():
@@ -45,7 +46,7 @@
      config = get_config()
      get_dependencies()
      fetch(config['juju-gui-branch'], config['juju-api-branch'])
-    build(config['command-log-file'])
+    build(config['command-log-file'], config['ssl-cert-path'])
      config_json.set(config)




Index: hooks/utils.py
=== modified file 'hooks/utils.py'
--- hooks/utils.py	2012-12-18 13:23:42 +0000
+++ hooks/utils.py	2012-12-18 17:46:09 +0000
@@ -17,6 +17,7 @@
  import json
  import os
  import logging
+import shutil
  import tempfile

  from shelltoolbox import (
@@ -201,7 +202,7 @@
          cmd_log(bzr_checkout(juju_api_branch, 'juju'))


-def build(logpath):
+def build(logpath, ssl_cert_path):
      """Set up Juju GUI and nginx."""
      log('Building Juju GUI.')
      with cd('juju-gui'):
@@ -220,3 +221,21 @@
          cmd_log(
              run('ln', '-s', juju_gui_site,
                  '/etc/nginx/sites-enabled/juju-gui'))
+    # Generate the nginx SSL certificates, if needed.
+    pem_path = os.path.join(ssl_cert_path, 'server.pem')
+    key_path = os.path.join(ssl_cert_path, 'server.key')
+    if not (os.path.exists(pem_path) and os.path.exists(pem_path)):
+        os.mkdirs(ssl_cert_path)
+        # Create the server private key.
+        cmd_log(run('openssl', 'genrsa', '-des3', '-out',  
key_path, '1024'))
+        # Create the Certificate Signing Request.
+        csr_path = os.path.join(ssl_cert_path, 'server.csr')
+        cmd_log(run('openssl', 'req', '-new', '-key', key_path, '-out',
+            csr_path))
+        # Avoid passphrase request at nginx startup.
+        orig_key_path = os.path.join(ssl_cert_path, 'server.key.orig')
+        shutil.copyfile(key_path, orig_key_path)
+        cmd_log(run('openssl', 'rsa', '-in', orig_key_path, '-out',  
key_path))
+        # Sign the certificate using the private key and the CSR.
+        cmd_log(run('openssl', 'x509', '-req', '-days', '365', '-in',
+            csr_path, '-signkey', key_path, '-out', pem_path))
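Review bot: this key generation is interactive and cannot work in a hook with no tty: "genrsa -des3" prompts for a passphrase to encrypt the key, "req -new" then prompts for that passphrase and for every subject field, and "rsa -in ... -out" prompts once more to strip it. Generate the key unencrypted from the start (openssl genrsa -out key_path 2048) and give req -subj '/CN=...' and -batch, or collapse the whole sequence into one non-interactive call, openssl req -x509 -nodes -newkey rsa:2048 -keyout key_path -out pem_path -days 365 -subj '/CN=...', and drop the CSR and the server.key.orig copy entirely. Further problems in the same block: the existence check tests pem_path twice and never looks at key_path; os.mkdirs does not exist (os.makedirs), and it raises when the directory already exists, which is exactly the case when only one of the two files is missing; 1024-bit RSA is too short for a new key, use 2048; and nothing sets restrictive permissions on the private key (umask 077 before running openssl, or chmod 0600 afterwards), even though the default path is under /etc/ssl/private. The comment "Sign the certificate" is misleading, since -signkey produces a self-signed certificate, and a 365-day certificate will expire without ever being regenerated because the check only looks for missing files.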





-- 
https://code.launchpad.net/~teknico/charms/precise/juju-gui/serve-via-https/+merge/140511
Your team Juju GUI Hackers is requested to review the proposed merge of lp:~teknico/charms/precise/juju-gui/serve-via-https into lp:~juju-gui/charms/precise/juju-gui/trunk.
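As an added example, not part of this merge proposal or of the juju-gui charm: the following POSIX shell functions produce the same two files the patch aims at (server.key and server.pem for nginx) in a single non-interactive openssl call, with an unencrypted 2048-bit key, owner-only permissions, and a check that the result is actually usable by a daemon with no tty. The directory, hostname and the check helper are assumptions for illustration; only the openssl command-line tool is required.

```shell
#!/bin/sh
# Added example, not the charm's own code: generate a passphrase-less,
# self-signed certificate and key for nginx without any prompts, then
# verify it.  Assumptions: the openssl CLI is installed; DIR, CN and DAYS
# are supplied by the caller (names used in the usage note are placeholders).
set -eu

# gen_selfsigned_cert DIR CN DAYS
# Writes DIR/server.key (unencrypted 2048-bit RSA) and DIR/server.pem
# (self-signed X.509 certificate valid for DAYS days), never prompting.
gen_selfsigned_cert() {
    dir=$1; cn=$2; days=$3
    # Subshell so the restrictive umask does not leak into the caller.
    (
        # Everything created below is owner-only: a private key must not
        # be readable by other users on the machine.
        umask 077
        mkdir -p "$dir"
        # -nodes : leave the key unencrypted, so nginx starts unattended
        # -x509  : self-sign directly; no CSR, no encrypted intermediate copy
        # -subj  : subject given on the command line, no interactive prompt
        openssl req -x509 -nodes -newkey rsa:2048 -sha256 \
            -days "$days" -subj "/CN=$cn" \
            -keyout "$dir/server.key" -out "$dir/server.pem" 2>/dev/null
    )
}

# check_cert DIR CN
# Returns 0 when the key is unencrypted and internally consistent, the
# certificate matches that key and carries the requested CN, and the key
# file is mode 0600; returns 1 otherwise.
check_cert() {
    dir=$1; cn=$2
    # An encrypted key would prompt for a passphrase here; with stdin
    # closed it fails instead, which is what a daemon would hit.
    openssl rsa -in "$dir/server.key" -check -noout </dev/null >/dev/null 2>&1 || return 1
    # Key and certificate must carry the same public modulus.
    key_mod=$(openssl rsa -in "$dir/server.key" -noout -modulus)
    crt_mod=$(openssl x509 -in "$dir/server.pem" -noout -modulus)
    [ "$key_mod" = "$crt_mod" ] || return 1
    # Subject CN as requested.  Output format differs between OpenSSL
    # versions ("/CN=x" vs "CN = x"), so allow optional spaces around '='.
    openssl x509 -in "$dir/server.pem" -noout -subject | grep -q "CN *= *$cn" || return 1
    # Owner-only permissions on the private key (portable check via ls).
    [ "$(ls -l "$dir/server.key" | cut -c1-10)" = "-rw-------" ] || return 1
}
```

Usage from an install hook would be, for example, gen_selfsigned_cert /etc/ssl/private/juju-gui "$(hostname -f)" 365 followed by check_cert with the same arguments (both values are placeholders). Mode 0600 on the key is fine for nginx, which reads the certificate and key in its root-owned master process before dropping privileges; the certificate is still self-signed, so browsers will warn until it is replaced by one issued by a CA they trust.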

