upstream/certbot
1
0
Fork 0
mirror of https://github.com/certbot/certbot.git synced 2026-04-22 14:47:13 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
certbot/certbot-apache/certbot_apache/_internal/constants.py

87 lines
3.9 KiB
Python
Raw Normal View History

Move apache constants/args/IConfig to its subdirectory
2015-04-22 04:32:34 -04:00
"""Apache plugin constants."""
Migrate `pkg_resources` usages to `importlib.resources` (#9748) * Migrate pkg_resources API related to resources to importlib_resources * Fix lint and mypy + pin lexicon * Update filterwarnings * Update oldest tests requirements * Update pinned dependencies * Fix for modern versions of python * Fix assets load in nginx integration tests * Fix a warning * Isolate static generation from importlib.resource into a private function --------- Co-authored-by: Adrien Ferrand <adrien.ferrand@amadeus.com>
2023-09-07 14:38:44 -04:00
import atexit
import sys
from contextlib import ExitStack
Fully type certbot apache (#9177) * Work in progress * Work in progress * Work in progress * Work in progress * Fix issues around nullability of VirtualHost.path, may discuss that during review * Work in progress * Fix remaining types * Various lint fixes * Reconfigure tox and mypy to disallow untyped defs globally * Cleanup compatibility tests * Use cast for unused v2 logic * Improve types * Remove unused comment * Fix coverage * Better types * Fix another type * Update certbot-apache/certbot_apache/_internal/apacheparser.py Co-authored-by: alexzorin <alex@zor.io> * Update certbot-apache/certbot_apache/_internal/assertions.py Co-authored-by: alexzorin <alex@zor.io> * Fix type * Various fixes * Refactor imports * Keep naming convention consistent on TypeVars * Improve types * Improve types * Remove remaining Sequence[str] in the project Co-authored-by: alexzorin <alex@zor.io>
2022-01-31 03:17:40 -05:00
from typing import Dict
from typing import List
Add typing to certbot.apache (#9071) * Add typing to certbot.apache Co-authored-by: Adrien Ferrand <ferrand.ad@gmail.com>
2022-01-21 04:15:48 -05:00
Migrate `pkg_resources` usages to `importlib.resources` (#9748) * Migrate pkg_resources API related to resources to importlib_resources * Fix lint and mypy + pin lexicon * Update filterwarnings * Update oldest tests requirements * Update pinned dependencies * Fix for modern versions of python * Fix assets load in nginx integration tests * Fix a warning * Isolate static generation from importlib.resource into a private function --------- Co-authored-by: Adrien Ferrand <adrien.ferrand@amadeus.com>
2023-09-07 14:38:44 -04:00
if sys.version_info >= (3, 9): # pragma: no cover
import importlib.resources as importlib_resources
else: # pragma: no cover
import importlib_resources
Make the contents of the apache plugin private (#7579) Part of #5775. Tree: ``` certbot-apache/certbot_apache ├── __init__.py ├── _internal │   ├── apache_util.py │   ├── augeas_lens │   │   ├── httpd.aug │   │   └── README │   ├── centos-options-ssl-apache.conf │   ├── configurator.py │   ├── constants.py │   ├── display_ops.py │   ├── entrypoint.py │   ├── http_01.py │   ├── __init__.py │   ├── obj.py │   ├── options-ssl-apache.conf │   ├── override_arch.py │   ├── override_centos.py │   ├── override_darwin.py │   ├── override_debian.py │   ├── override_fedora.py │   ├── override_gentoo.py │   ├── override_suse.py │   └── parser.py └── tests ├── ... ``` * Create _internal folder for certbot_apache * Move apache_util.py to _internal * Move display_ops.py to _internal * Move override_centos.py to _internal * Move override_gentoo.py to _internal * Move override_darwin.py to _internal * Move override_suse.py to _internal * Move override_debian.py to _internal * Move override_fedora.py to _internal * Move override_arch.py to _internal * Move parser.py to _internal * Move obj.py to _internal * Move http_01.py to _internal * Move entrypoint.py to _internal * Move constants.py to _internal * Move configurator.py to _internal * Move augeas_lens to _internal * Move options-ssl-apache.conf files to _internal * move augeas_lens in MANIFEST * Clean up some stray references to certbot_apache that could use _internal * Correct imports and lint
2019-11-25 12:44:40 -05:00
Don't allow user supplied mod_ssl conf destination (fixes #451).
2015-06-01 20:14:10 -04:00
MOD_SSL_CONF_DEST = "options-ssl-apache.conf"
Remove all non essential references to the old Zope interfaces (#8988) As a follow-up to #8971, this PR removes all references to the old Zope interfaces, except the ones used to deprecate them and prepare for their removal. In the process, some documentation and tests about the `Display` objects are simply removed since they are not relevant anymore given that they are removed from the public API. * Cleanup some interfaces.IInstaller * Cleanup IConfig doc * Allmost complete removal * Remove useless tests * Fixes * More cleanup * More cleanup * More cleanup * Remove a non existent reference * Better type * Fix lint
2021-08-17 17:51:26 -04:00
"""Name of the mod_ssl config file as saved
in `certbot.configuration.NamespaceConfig.config_dir`."""
Move apache constants/args/IConfig to its subdirectory
2015-04-22 04:32:34 -04:00
Mechanism for automatically updating options-ssl-apache.conf file * add file update mechanism + tests to apache * update with actual hashes, and update apache test to match since there aren't previous versions
2017-05-23 19:25:39 -04:00
UPDATED_MOD_SSL_CONF_DIGEST = ".updated-options-ssl-apache-conf-digest.txt"
Remove all non essential references to the old Zope interfaces (#8988) As a follow-up to #8971, this PR removes all references to the old Zope interfaces, except the ones used to deprecate them and prepare for their removal. In the process, some documentation and tests about the `Display` objects are simply removed since they are not relevant anymore given that they are removed from the public API. * Cleanup some interfaces.IInstaller * Cleanup IConfig doc * Allmost complete removal * Remove useless tests * Fixes * More cleanup * More cleanup * More cleanup * Remove a non existent reference * Better type * Fix lint
2021-08-17 17:51:26 -04:00
"""Name of the hash of the updated or informed mod_ssl_conf as saved
in `certbot.configuration.NamespaceConfig.config_dir`."""
Mechanism for automatically updating options-ssl-apache.conf file * add file update mechanism + tests to apache * update with actual hashes, and update apache test to match since there aren't previous versions
2017-05-23 19:25:39 -04:00
Disable TLS session tickets for Apache 2.4.11+ (#7191) * Implement the logic * Update tests * Fix lint and changelog * Update configurator.py * Move the TLS configs in a dedicated folder. Fix the formalism of their naming and location. * Improve existing test to check all TLS config have their hash registered in Certbot * Corrections after review * Improve a test * Remove commented useless lines in TLS configs * Add a nice warning. Because I am nice. * Fix lint * Add a test
2019-07-29 15:54:51 -04:00
# NEVER REMOVE A SINGLE HASH FROM THIS LIST UNLESS YOU KNOW EXACTLY WHAT YOU ARE DOING!
Add typing to certbot.apache (#9071) * Add typing to certbot.apache Co-authored-by: Adrien Ferrand <ferrand.ad@gmail.com>
2022-01-21 04:15:48 -05:00
ALL_SSL_OPTIONS_HASHES: List[str] = [
Mechanism for automatically updating options-ssl-apache.conf file * add file update mechanism + tests to apache * update with actual hashes, and update apache test to match since there aren't previous versions
2017-05-23 19:25:39 -04:00
'2086bca02db48daf93468332543c60ac6acdb6f0b58c7bfdf578a5d47092f82a',
'4844d36c9a0f587172d9fa10f4f1c9518e3bcfa1947379f155e16a70a728c21a',
Finish work on #4718. * Update in response to changes in #4720. * Update ALL_SSL_OPTIONS_HASHES. * Add warning to Apache's SSL options files.
2017-06-01 12:12:50 -04:00
'5a922826719981c0a234b1fbcd495f3213e49d2519e845ea0748ba513044b65b',
'4066b90268c03c9ba0201068eaa39abbc02acf9558bb45a788b630eb85dadf27',
'f175e2e7c673bd88d0aff8220735f385f916142c44aa83b09f1df88dd4767a88',
'cfdd7c18d2025836ea3307399f509cfb1ebf2612c87dd600a65da2a8e2f2797b',
update Apache ciphersuites (#5383)
2018-01-09 10:46:21 -05:00
'80720bd171ccdc2e6b917ded340defae66919e4624962396b992b7218a561791',
'c0c022ea6b8a51ecc8f1003d0a04af6c3f2bc1c3ce506b3c2dfc1f11ef931082',
Disable TLS session tickets for Apache 2.4.11+ (#7191) * Implement the logic * Update tests * Fix lint and changelog * Update configurator.py * Move the TLS configs in a dedicated folder. Fix the formalism of their naming and location. * Improve existing test to check all TLS config have their hash registered in Certbot * Corrections after review * Improve a test * Remove commented useless lines in TLS configs * Add a nice warning. Because I am nice. * Fix lint * Add a test
2019-07-29 15:54:51 -04:00
'717b0a89f5e4c39b09a42813ac6e747cfbdeb93439499e73f4f70a1fe1473f20',
'0fcdc81280cd179a07ec4d29d3595068b9326b455c488de4b09f585d5dafc137',
'86cc09ad5415cd6d5f09a947fe2501a9344328b1e8a8b458107ea903e80baa6c',
'06675349e457eae856120cdebb564efe546f0b87399f2264baeb41e442c724c7',
Disable old SSL versions and ciphersuites to follow Mozilla recommendations in Apache (#7712) Part of #7204. Makes the smaller changes described at https://github.com/certbot/certbot/issues/7204#issuecomment-571838185 to disable many old ciphersuites and TLS versions < 1.2. Does not add checks for OpenSSL version or modify session tickets. Since Apache uses TLS protocol blacklisting instead of whitelisting (as in NGINX), we additionally may not need to determine if the server supports TLS1.3 and turn it on or off based on Apache version. * Update SSL versions and ciphersuites based on Mozilla intermediate recommendations for apache * Update constants with hashes of new config files * Update changelog
2020-01-24 16:37:42 -05:00
'5cc003edd93fb9cd03d40c7686495f8f058f485f75b5e764b789245a386e6daf',
'007cd497a56a3bb8b6a2c1aeb4997789e7e38992f74e44cc5d13a625a738ac73',
Disable TLS session tickets in Apache (#7771) Fixes #7350. This PR changes the parsed modules from a `set` to a `dict`, with the filepath argument as the value. Accordingly, after calling `enable_mod` to enable `ssl_module`, modules now need to be re-parsed, so call `reset_modules`. * Add mechanism for selecting apache config file, based on work done in #7191. * Check OpenSSL version * Remove os imports * debian override still needs os * Reformat remaining apache tests with modules dict syntax * Clean up more apache tests * Switch from property to method for openssl and add tests for coverage. * Sometimes the dict location will be None in which case we should in fact return None * warn thoroughly and consistently in openssl_version function * update tests for new warnings * read file as bytes, and factor out the open for testing * normalize ssl_module_location path to account for being relative to server root * Use byte literals in a python 2 and 3 compatible way * string does need to be a literal * patch builtins open * add debug, remove space * Add test to check if OpenSSL detection is working on different systems * fix relative test location for cwd * put </IfModule> on its own line in test case * Revert test file to status in master. * Call augeas load before reparsing modules to pick up the changes * fix grep, tail, and mod_ssl location on centos * strip the trailing whitespace from fedora * just use LooseVersion in test * call apache2ctl on debian systems * Use sudo for apache2ctl command * add check to make sure we're getting a version * Add boolean so we don't warn on debian/ubuntu before trying to enable mod_ssl * Reduce warnings while testing by setting mock _openssl_version. * Make sure we're not throwing away any unwritten changes to the config * test last warning case for coverage * text changes for clarity
2020-03-23 19:49:52 -04:00
'34783b9e2210f5c4a23bced2dfd7ec289834716673354ed7c7abf69fe30192a3',
Cite Mozilla ssl-config in Apache/NGINX TLS configs (#8670) (#9295) * Cite Mozilla ssl-config in Apache/nginx TLS configs (certbot#8670) * Update CHANGELOG * Add TLS config hashes to ALL_SSL_OPTIONS_HASHES * Update wording in CHANGELOG
2022-05-13 13:59:49 -04:00
'61466bc2f98a623c02be8a5ee916ead1655b0ce883bdc936692076ea499ff5ce',
'3fd812e3e87fe5c645d3682a511b2a06c8286f19594f28e280f17cd6af1301b5',
Mechanism for automatically updating options-ssl-apache.conf file * add file update mechanism + tests to apache * update with actual hashes, and update apache test to match since there aren't previous versions
2017-05-23 19:25:39 -04:00
]
"""SHA256 hashes of the contents of previous versions of all versions of MOD_SSL_CONF_SRC"""
Migrate `pkg_resources` usages to `importlib.resources` (#9748) * Migrate pkg_resources API related to resources to importlib_resources * Fix lint and mypy + pin lexicon * Update filterwarnings * Update oldest tests requirements * Update pinned dependencies * Fix for modern versions of python * Fix assets load in nginx integration tests * Fix a warning * Isolate static generation from importlib.resource into a private function --------- Co-authored-by: Adrien Ferrand <adrien.ferrand@amadeus.com>
2023-09-07 14:38:44 -04:00
def _generate_augeas_lens_dir_static() -> str:
# This code ensures that the resource is accessible as file for the lifetime of current
# Python process, and will be automatically cleaned up on exit.
file_manager = ExitStack()
atexit.register(file_manager.close)
augeas_lens_dir_ref = importlib_resources.files("certbot_apache") / "_internal" / "augeas_lens"
return str(file_manager.enter_context(importlib_resources.as_file(augeas_lens_dir_ref)))
AUGEAS_LENS_DIR = _generate_augeas_lens_dir_static()
constants.AUGEAS_LENS_DIR
2015-11-04 15:12:39 -05:00
"""Path to the Augeas lens directory"""
load augeas httpd lens from inside of lets encrypt
2015-11-02 19:22:58 -05:00
Add typing to certbot.apache (#9071) * Add typing to certbot.apache Co-authored-by: Adrien Ferrand <ferrand.ad@gmail.com>
2022-01-21 04:15:48 -05:00
REWRITE_HTTPS_ARGS: List[str] = [
Change QSA to NE in HTTPS redirection (#4204) * Change QSA to NE in HTTPS redirection * Seamless transition to new HTTPS redirection RewriteRule
2017-03-02 19:49:34 -05:00
"^", "https://%{SERVER_NAME}%{REQUEST_URI}", "[END,NE,R=permanent]"]
delete unneeded tests
2015-12-01 19:16:13 -05:00
"""Apache version >= 2.3.9 rewrite rule arguments used for redirections to
alter redirect_verification to raise only when an exact Letsencrypt redirction rewrite rule is encountered
2015-12-01 19:05:15 -05:00
https vhost"""
Generalized http-header enhancement
2015-11-07 23:37:57 -05:00
Add typing to certbot.apache (#9071) * Add typing to certbot.apache Co-authored-by: Adrien Ferrand <ferrand.ad@gmail.com>
2022-01-21 04:15:48 -05:00
OLD_REWRITE_HTTPS_ARGS: List[List[str]] = [
Change QSA to NE in HTTPS redirection (#4204) * Change QSA to NE in HTTPS redirection * Seamless transition to new HTTPS redirection RewriteRule
2017-03-02 19:49:34 -05:00
["^", "https://%{SERVER_NAME}%{REQUEST_URI}", "[L,QSA,R=permanent]"],
apache: remove support for Apache 2.2 and CentOS 6 (#9354) * apache: remove support for Apache 2.2 and CentOS 6 * delete more unused code * remove unused attributes * reorganize REWRITE_HTTPS_ARGS*
2022-08-29 13:05:48 -04:00
["^", "https://%{SERVER_NAME}%{REQUEST_URI}", "[END,QSA,R=permanent]"],
["^", "https://%{SERVER_NAME}%{REQUEST_URI}", "[L,NE,R=permanent]"]]
Change QSA to NE in HTTPS redirection (#4204) * Change QSA to NE in HTTPS redirection * Seamless transition to new HTTPS redirection RewriteRule
2017-03-02 19:49:34 -05:00
Add typing to certbot.apache (#9071) * Add typing to certbot.apache Co-authored-by: Adrien Ferrand <ferrand.ad@gmail.com>
2022-01-21 04:15:48 -05:00
HSTS_ARGS: List[str] = ["always", "set", "Strict-Transport-Security",
Pep8 love
2016-01-14 06:25:15 -05:00
"\"max-age=31536000\""]
Add HSTS header enhancement to Apache
2015-11-06 17:31:30 -05:00
"""Apache header arguments for HSTS"""
Add typing to certbot.apache (#9071) * Add typing to certbot.apache Co-authored-by: Adrien Ferrand <ferrand.ad@gmail.com>
2022-01-21 04:15:48 -05:00
UIR_ARGS: List[str] = ["always", "set", "Content-Security-Policy", "upgrade-insecure-requests"]
Generalized http-header enhancement
2015-11-07 23:37:57 -05:00
Add typing to certbot.apache (#9071) * Add typing to certbot.apache Co-authored-by: Adrien Ferrand <ferrand.ad@gmail.com>
2022-01-21 04:15:48 -05:00
HEADER_ARGS: Dict[str, List[str]] = {
"Strict-Transport-Security": HSTS_ARGS, "Upgrade-Insecure-Requests": UIR_ARGS,
}
Gradually increasing HSTS max-age (#5912) This PR adds the functionality to enhance Apache configuration to include HTTP Strict Transport Security header with a low initial max-age value. The max-age value will get increased on every (scheduled) run of certbot renew regardless of the certificate actually getting renewed, if the last increase took place longer than ten hours ago. The increase steps are visible in constants.AUTOHSTS_STEPS. Upon the first actual renewal after reaching the maximum increase step, the max-age value will be made "permanent" and will get value of one year. To achieve accurate VirtualHost discovery on subsequent runs, a comment with unique id string will be added to each enhanced VirtualHost. * AutoHSTS code rebased on master * Fixes to match the changes in master * Make linter happy with metaclass registration * Address small review comments * Use new enhancement interfaces * New style enhancement changes * Do not allow --hsts and --auto-hsts simultaneuously * MyPy annotation fixes and added test * Change oldest requrements to point to local certbot core version * Enable new style enhancements for run and install verbs * Test refactor * New test class for main.install tests * Move a test to a correct test class
2018-06-21 10:27:19 -04:00
Add typing to certbot.apache (#9071) * Add typing to certbot.apache Co-authored-by: Adrien Ferrand <ferrand.ad@gmail.com>
2022-01-21 04:15:48 -05:00
AUTOHSTS_STEPS: List[int] = [60, 300, 900, 3600, 21600, 43200, 86400]
Gradually increasing HSTS max-age (#5912) This PR adds the functionality to enhance Apache configuration to include HTTP Strict Transport Security header with a low initial max-age value. The max-age value will get increased on every (scheduled) run of certbot renew regardless of the certificate actually getting renewed, if the last increase took place longer than ten hours ago. The increase steps are visible in constants.AUTOHSTS_STEPS. Upon the first actual renewal after reaching the maximum increase step, the max-age value will be made "permanent" and will get value of one year. To achieve accurate VirtualHost discovery on subsequent runs, a comment with unique id string will be added to each enhanced VirtualHost. * AutoHSTS code rebased on master * Fixes to match the changes in master * Make linter happy with metaclass registration * Address small review comments * Use new enhancement interfaces * New style enhancement changes * Do not allow --hsts and --auto-hsts simultaneuously * MyPy annotation fixes and added test * Change oldest requrements to point to local certbot core version * Enable new style enhancements for run and install verbs * Test refactor * New test class for main.install tests * Move a test to a correct test class
2018-06-21 10:27:19 -04:00
"""AutoHSTS increase steps: 1min, 5min, 15min, 1h, 6h, 12h, 24h"""
Add typing to certbot.apache (#9071) * Add typing to certbot.apache Co-authored-by: Adrien Ferrand <ferrand.ad@gmail.com>
2022-01-21 04:15:48 -05:00
AUTOHSTS_PERMANENT: int = 31536000
Gradually increasing HSTS max-age (#5912) This PR adds the functionality to enhance Apache configuration to include HTTP Strict Transport Security header with a low initial max-age value. The max-age value will get increased on every (scheduled) run of certbot renew regardless of the certificate actually getting renewed, if the last increase took place longer than ten hours ago. The increase steps are visible in constants.AUTOHSTS_STEPS. Upon the first actual renewal after reaching the maximum increase step, the max-age value will be made "permanent" and will get value of one year. To achieve accurate VirtualHost discovery on subsequent runs, a comment with unique id string will be added to each enhanced VirtualHost. * AutoHSTS code rebased on master * Fixes to match the changes in master * Make linter happy with metaclass registration * Address small review comments * Use new enhancement interfaces * New style enhancement changes * Do not allow --hsts and --auto-hsts simultaneuously * MyPy annotation fixes and added test * Change oldest requrements to point to local certbot core version * Enable new style enhancements for run and install verbs * Test refactor * New test class for main.install tests * Move a test to a correct test class
2018-06-21 10:27:19 -04:00
"""Value for the last max-age of HSTS"""
Add typing to certbot.apache (#9071) * Add typing to certbot.apache Co-authored-by: Adrien Ferrand <ferrand.ad@gmail.com>
2022-01-21 04:15:48 -05:00
AUTOHSTS_FREQ: int = 172800
Gradually increasing HSTS max-age (#5912) This PR adds the functionality to enhance Apache configuration to include HTTP Strict Transport Security header with a low initial max-age value. The max-age value will get increased on every (scheduled) run of certbot renew regardless of the certificate actually getting renewed, if the last increase took place longer than ten hours ago. The increase steps are visible in constants.AUTOHSTS_STEPS. Upon the first actual renewal after reaching the maximum increase step, the max-age value will be made "permanent" and will get value of one year. To achieve accurate VirtualHost discovery on subsequent runs, a comment with unique id string will be added to each enhanced VirtualHost. * AutoHSTS code rebased on master * Fixes to match the changes in master * Make linter happy with metaclass registration * Address small review comments * Use new enhancement interfaces * New style enhancement changes * Do not allow --hsts and --auto-hsts simultaneuously * MyPy annotation fixes and added test * Change oldest requrements to point to local certbot core version * Enable new style enhancements for run and install verbs * Test refactor * New test class for main.install tests * Move a test to a correct test class
2018-06-21 10:27:19 -04:00
"""Minimum time since last increase to perform a new one: 48h"""
Add typing to certbot.apache (#9071) * Add typing to certbot.apache Co-authored-by: Adrien Ferrand <ferrand.ad@gmail.com>
2022-01-21 04:15:48 -05:00
MANAGED_COMMENT: str = "DO NOT REMOVE - Managed by Certbot"
MANAGED_COMMENT_ID: str = MANAGED_COMMENT + ", VirtualHost id: {0}"
Gradually increasing HSTS max-age (#5912) This PR adds the functionality to enhance Apache configuration to include HTTP Strict Transport Security header with a low initial max-age value. The max-age value will get increased on every (scheduled) run of certbot renew regardless of the certificate actually getting renewed, if the last increase took place longer than ten hours ago. The increase steps are visible in constants.AUTOHSTS_STEPS. Upon the first actual renewal after reaching the maximum increase step, the max-age value will be made "permanent" and will get value of one year. To achieve accurate VirtualHost discovery on subsequent runs, a comment with unique id string will be added to each enhanced VirtualHost. * AutoHSTS code rebased on master * Fixes to match the changes in master * Make linter happy with metaclass registration * Address small review comments * Use new enhancement interfaces * New style enhancement changes * Do not allow --hsts and --auto-hsts simultaneuously * MyPy annotation fixes and added test * Change oldest requrements to point to local certbot core version * Enable new style enhancements for run and install verbs * Test refactor * New test class for main.install tests * Move a test to a correct test class
2018-06-21 10:27:19 -04:00
"""Managed by Certbot comments and the VirtualHost identification template"""
Reference in a new issue Copy permalink