#!/usr/bin/env python # -*- coding: utf-8 -*- # Copyright (c) 2017, NORDUnet A/S. # See LICENSE for licensing information. import sys import argparse import readconfig from certtools import create_ssl_context, get_sth, mv_file import os import errno def get_file(configurl): if configurl.startswith("https://") or configurl.startswith("http://"): result = urlget(configurl) result.raise_for_status() return result elif configurl.startswith("file:///"): path = configurl[8:] path = path.replace("CURRENTWORKINGDIRECTORY", os.getcwd()) return open(path).read() def write_file(fn, data): tempname = fn + ".new" open(tempname, 'w').write(data) mv_file(tempname, fn) def get_config_version(filename, logadminkey): try: config = readconfig.verify_and_read_config(filename, logadminkey) return config["version"] except IOError, e: if e.errno == errno.ENOENT: return -1 raise e def main(): parser = argparse.ArgumentParser(description="") parser.add_argument('--dest', help="Where to write the verified system configuration", required=True) parser.add_argument('--localconfig', help="Local configuration", required=True) args = parser.parse_args() localconfig = readconfig.read_config(args.localconfig) old_config_version = get_config_version(args.dest, localconfig["logadminkey"]) configurl = localconfig["configurl"] unverified_config = get_file(configurl) unverified_config_sig = get_file(configurl + ".sig") new_config = readconfig.verify_config(unverified_config, unverified_config_sig, localconfig["logadminkey"], configurl) verified_config = unverified_config verified_config_sig = unverified_config_sig new_config_version = new_config["version"] if new_config_version > old_config_version: write_file(args.dest, verified_config) write_file(args.dest + ".sig", verified_config_sig) print "newconfig" elif new_config_version < old_config_version: print >>sys.stderr, "The version of the configuration on the admin server is older than the version we have, refusing update" sys.exit(1) main()