letsencrypt/plugins/webroot.py


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117

"""Webroot plugin."""
import errno
import logging
import os
import stat

import zope.interface

from acme import challenges

from letsencrypt import errors
from letsencrypt import interfaces
from letsencrypt.plugins import common


logger = logging.getLogger(__name__)


class Authenticator(common.Plugin):
    """Webroot Authenticator."""
    zope.interface.implements(interfaces.IAuthenticator)
    zope.interface.classProvides(interfaces.IPluginFactory)

    description = "Webroot Authenticator"

    MORE_INFO = """\
Authenticator plugin that performs http-01 challenge by saving
necessary validation resources to appropriate paths on the file
system. It expects that there is some other HTTP server configured
to serve all files under specified web root ({0})."""

    def more_info(self):  # pylint: disable=missing-docstring,no-self-use
        return self.MORE_INFO.format(self.conf("path"))

    @classmethod
    def add_parser_arguments(cls, add):
        # --webroot-path and --webroot-map are added in cli.py because they
        # are parsed in conjunction with --domains
        pass

    def get_chall_pref(self, domain):  # pragma: no cover
        # pylint: disable=missing-docstring,no-self-use,unused-argument
        return [challenges.HTTP01]

    def __init__(self, *args, **kwargs):
        super(Authenticator, self).__init__(*args, **kwargs)
        self.full_roots = {}

    def prepare(self):  # pylint: disable=missing-docstring
        path_map = self.conf("map")

        if not path_map:
            raise errors.PluginError("--{0} must be set".format(
                self.option_name("path")))
        for name, path in path_map.items():
            if not os.path.isdir(path):
                raise errors.PluginError(path + " does not exist or is not a directory")
            self.full_roots[name] = os.path.join(path, challenges.HTTP01.URI_ROOT_PATH)

            logger.debug("Creating root challenges validation dir at %s",
                         self.full_roots[name])
            try:
                os.makedirs(self.full_roots[name])
                # Set permissions as parent directory (GH #1389)
                # We don't use the parameters in makedirs because it
                # may not always work
                # https://stackoverflow.com/questions/5231901/permission-problems-when-creating-a-dir-with-os-makedirs-python
                stat_path = os.stat(path)
                filemode = stat.S_IMODE(stat_path.st_mode)
                os.chmod(self.full_roots[name], filemode)
                # Set owner and group, too
                os.chown(self.full_roots[name], stat_path.st_uid,
                          stat_path.st_gid)

            except OSError as exception:
                if exception.errno != errno.EEXIST:
                    raise errors.PluginError(
                        "Couldn't create root for {0} http-01 "
                        "challenge responses: {1}", name, exception)

    def perform(self, achalls):  # pylint: disable=missing-docstring
        assert self.full_roots, "Webroot plugin appears to be missing webroot map"
        return [self._perform_single(achall) for achall in achalls]

    def _path_for_achall(self, achall):
        try:
            path = self.full_roots[achall.domain]
        except IndexError:
            raise errors.PluginError("Missing --webroot-path for domain: {1}"
                        .format(achall.domain))
        if not os.path.exists(path):
            raise errors.PluginError("Mysteriously missing path {0} for domain: {1}"
                        .format(path, achall.domain))
        return os.path.join(path, achall.chall.encode("token"))

    def _perform_single(self, achall):
        response, validation = achall.response_and_validation()
        path = self._path_for_achall(achall)
        logger.debug("Attempting to save validation to %s", path)
        with open(path, "w") as validation_file:
            validation_file.write(validation.encode())

        # Set permissions as parent directory (GH #1389)
        parent_path = self.full_roots[achall.domain]
        stat_parent_path = os.stat(parent_path)
        filemode = stat.S_IMODE(stat_parent_path.st_mode)
        # Remove execution bit (not needed for this file)
        os.chmod(path, filemode & ~stat.S_IEXEC)
        os.chown(path, stat_parent_path.st_uid, stat_parent_path.st_gid)

        return response

    def cleanup(self, achalls):  # pylint: disable=missing-docstring
        for achall in achalls:
            path = self._path_for_achall(achall)
            logger.debug("Removing %s", path)
            os.remove(path)