From 1f8a275000fd2ccecca3e7eb8cbe7bbd34bf12ce Mon Sep 17 00:00:00 2001
From: Peter Eckersley
Date: Thu, 19 Nov 2015 12:41:31 -0800
Subject: [PATCH 01/50] Import dev-release2.sh (not currently public)
---
tools/dev-release2.sh | 51 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 51 insertions(+)
create mode 100755 tools/dev-release2.sh
diff --git a/tools/dev-release2.sh b/tools/dev-release2.sh
new file mode 100755
index 000000000..3ddacb8f0
--- /dev/null
+++ b/tools/dev-release2.sh
@@ -0,0 +1,51 @@
+#!/bin/sh -xe
+
+# This script should be put into `./tools/dev-release2.sh`, in the repo.
+#
+# 1. Create packages.
+#
+# script -c ./tools/dev-release2.sh log2
+# mv *.tar.xz* dev-releases/
+# mv log2 dev-releases/${version?}.log
+#
+# 2. Test them.
+#
+# Copy stuff to VPS and EFF server:
+#
+# rsync -avzP dev-releases/ le:~/le-dev-releases
+# rsync -avzP dev-releases/ ubuntu@letsencrypt-demo.org:~/le-dev-releases
+#
+# Now test using similar method as in `dev-release.sh` script. On
+# remote server `cd ~/le-dev-releases`, extract tarballs, `cd
+# $dir/dist.$version; python -m SimpleHTTPServer 1234`. In another
+# terminal, outside `le-dev-releases` directory, create new
+# virtualenv, `for pkg in setuptools pip wheel; do pip install -U $pkg; done`,
+# confirm new installed versions by `pip list`, and try
+# to install stuff with `pip install --extra-index-url http://localhost:$PORT
+#`. Then play with the client until you're sure
+# everything works :)
+#
+# 3. Upload.
+#
+# Upload to PyPI using the twine command that was printed earlier.
+#
+# Now, update tags in git:
+#
+# git remote remove tmp || true
+# git remote add tmp /tmp/le.XXX
+# git fetch tmp
+# git push github/letsencrypt v0.0.0.dev$date
+#
+# Create a GitHub issue with the release information, ask someone to
+# pull in the tag.
+
+script --return --command ./tools/dev-release.sh log
+
+root="$(basename `grep -E '^/tmp/le' log | head -n1 | tr -d "\r"`)"
+root_without_le="${root##le.}"
+name=${root_without_le%.*}
+ext="${root_without_le##*.}"
+rev="$(git rev-parse --short HEAD)"
+cp -r /tmp/le.$name.$ext/ $name.$rev
+tar cJvf $name.$rev.tar.xz log $name.$rev
+gpg --detach-sign --armor $name.$rev.tar.xz
From e705502ad014949c8eaebee7b4b5d56c05607f11 Mon Sep 17 00:00:00 2001
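Review bot: The last four commands of the script expand `$name`, `$rev` and the `/tmp/le.$name.$ext/` path unquoted, and the path itself is recovered from the first log line matching `^/tmp/le`, so the directory that gets copied, archived and signed is whatever that line names. Quoting the expansions (`cp -r "/tmp/le.$name.$ext/" "$name.$rev"`) and checking that the directory exists before `tar` would make a bad match fail loudly. The final `gpg --detach-sign` also names no key, so the tarball is signed with whichever default key the caller's keyring selects; a comment stating which release key is expected would help.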
From: Peter Eckersley
Date: Thu, 19 Nov 2015 13:30:16 -0800
Subject: [PATCH 02/50] This might be useful.
---
tools/half-sign.c | 117 ++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 117 insertions(+)
create mode 100644 tools/half-sign.c
diff --git a/tools/half-sign.c b/tools/half-sign.c
new file mode 100644
index 000000000..561fa22be
--- /dev/null
+++ b/tools/half-sign.c
@@ -0,0 +1,117 @@ +#include +#include +#include +#include +#include +#include +#include + +// Sign with SHA1 +#define HASH_SIZE 20 + +void usage() { + printf("half-sign [binary hash file]\n"); + printf("\n"); + printf(" Computes and prints a binary RSA signature over data given the SHA1 hash of\n"); + printf(" the data as input.\n"); + printf("\n"); + printf(" should be PEM encoded.\n"); + printf("\n"); + printf(" The input SHA1 hash should be %d bytes in length. If no binary hash file is\n", HASH_SIZE); + printf(" specified, it will be read from stdin.\n"); + exit(1); +} + +void sign_hashed_data(EVP_PKEY *signing_key, unsigned char *md, size_t mdlen) { + // cribbed from the openssl EVP_PKEY_sign man page + EVP_PKEY_CTX *ctx; + unsigned char *sig; + size_t siglen; + + /* NB: assumes signing_key, md and mdlen are already set up + * and that signing_key is an RSA private key + */ + ctx = EVP_PKEY_CTX_new(signing_key, NULL); + if ((!ctx) + || (EVP_PKEY_sign_init(ctx) <= 0) + || (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0) + || (EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha1()) <= 0)) { + fprintf(stderr, "Failure establishing ctx for signature\n"); + exit(1); + } + + /* Determine buffer length */ + if (EVP_PKEY_sign(ctx, NULL, &siglen, md, mdlen) <= 0) { + fprintf(stderr, "Unable to determine buffer length for signature\n"); + exit(1); + } + + sig = OPENSSL_malloc(siglen); + + if (!sig) { + fprintf(stderr, "Malloc failed\n"); + exit(1); + } + + if (EVP_PKEY_sign(ctx, sig, &siglen, md, mdlen) <= 0) { + fprintf(stderr, "Signature error\n"); + exit(1); + } + + /* Signature is siglen bytes written to buffer sig */ + fwrite(sig, siglen, 1, stdout); +} + +EVP_PKEY *read_private_key(char *filename) { + FILE *keyfile; + EVP_PKEY *privkey; + keyfile = fopen(filename, "r"); + if (!keyfile) { + fprintf(stderr, "Failed to open private key.pem file %s\n", filename); + exit(1); + } + privkey = PEM_read_PrivateKey(keyfile, NULL, NULL, NULL); + if (!privkey) { + 
fprintf(stderr, "Failed to read PEM private key from %s\n", filename); + exit(1); + } + if (EVP_PKEY_type(privkey->type) != EVP_PKEY_RSA) { + fprintf(stderr, "%s was a non-RSA key\n", filename); + exit(1); + } + return privkey; +} + +int main(int argc, char *argv[]) { + FILE *input; + unsigned char *buffer; + int test; + EVP_PKEY *privkey; + if (argc > 3 || argc < 2) + usage(); + if (argc < 3 || strcmp(argv[2],"-") == 0) + input = stdin; + else { + input = fopen(argv[2], "r"); + if (!input) usage(); + } + privkey = read_private_key(argv[1]); + buffer = malloc(HASH_SIZE); + if (!buffer) { + fprintf(stderr, "Argh, malloc failed\n"); + exit(1); + } + if (fread(buffer, HASH_SIZE, 1, input) != 1) { + perror("half-sign: Failed to read SHA1 from input\n"); + exit(1); + } + + test = fgetc(input); + if (test != EOF && test != '\n') { + fprintf(stderr,"Error, more than %d bytes fed to half-sign\n", HASH_SIZE); + fprintf(stderr,"Last byte was :%d\n" , (int) test); + exit(1); + } + sign_hashed_data(privkey, buffer, HASH_SIZE); + return 0; +} From 75a5e57230e13c6a8b2a325b6c65a956c1541c0b Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Thu, 19 Nov 2015 13:31:34 -0800 Subject: [PATCH 03/50] Work in progress --- tools/dev-release.sh | 28 ++++++++++++++++++++++++++-- 1 file changed, 26 insertions(+), 2 deletions(-) diff --git a/tools/dev-release.sh b/tools/dev-release.sh index bd86bff44..f66ce345c 100755 --- a/tools/dev-release.sh +++ b/tools/dev-release.sh 
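Review bot: The over-length check at the end of `main` reads only one byte after the digest, so 20 bytes followed by a newline and any amount of further data are accepted and signed; after a `'\n'` the code should read once more and require `EOF`, e.g. `if (test == '\n') test = fgetc(input);` followed by `if (test != EOF) { ... }`. In `sign_hashed_data` the result of `fwrite(sig, siglen, 1, stdout)` is ignored, so a failed or short write still exits 0 and a caller can end up with a truncated signature; `if (fwrite(sig, siglen, 1, stdout) != 1) { fprintf(stderr, "Write error\n"); exit(1); }` closes that. The hash file is binary but is opened with `"r"` rather than `"rb"`, and `perror` is given a message ending in `\n` although a short read does not set `errno`. The digest is fixed to SHA-1 by `HASH_SIZE` and `EVP_sha1()`; a comment saying why SHA-1 is required for this signature would help whoever reviews the tool later.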
@@ -1,8 +1,32 @@ #!/bin/sh -xe # Release dev packages to PyPI -version="0.0.0.dev$(date +%Y%m%d)" -DEV_RELEASE_BRANCH="dev-release" +Usage() { + echo Usage: + echo "$0 [ --production ]" + exit 1 +} + +if [ "`dirname $0`" != "tools" ] ; then + echo Please run this script from the repo root + exit 1 +fi + +version=`grep "__version__" letsencrypt/__init__.py | cut -d\' -f2` +if [ "$1" = "--production" ] ; then + echo Releasing production version "$version"... + if ! echo "$version" | grep -q -e '[0-9]\+.[0-9]\+.[0-9]\+' ; then + echo "Version doesn't look like 1.2.3" + fi + exit 0 +else + # XXX replace 0.0.0 with the last-released-version + version="$version.dev$(date +%Y%m%d)" + DEV_RELEASE_BRANCH="dev-release" + echo Releasing developer version "$version"... + exit 0 +fi + # TODO: create a real release key instead of using Kuba's personal one RELEASE_GPG_KEY="${RELEASE_GPG_KEY:-148C30F6F7E429337A72D992B00B9CC82D7ADF2C}" From 013a3f11453787e18f7acd08c7e54fede59b1b01 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Thu, 19 Nov 2015 13:31:40 -0800 Subject: [PATCH 04/50] Switch to "next production release" as the version in the tree --- letsencrypt/__init__.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/letsencrypt/__init__.py b/letsencrypt/__init__.py index 1155a5b0c..ecab4ccbb 100644 --- a/letsencrypt/__init__.py +++ b/letsencrypt/__init__.py @@ -1,4 +1,5 @@ """Let's Encrypt client.""" # version number like 1.2.3a0, must have at least 2 parts, like 1.2 -__version__ = '0.1.0.dev0' +# '0.1.0.dev0' +__version__ = '0.1.0' From aa10799e15c3aa5a00f6d598cbf69bb9640d8f9f Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Thu, 19 Nov 2015 13:36:33 -0800 Subject: [PATCH 05/50] Add a sub-day digit to the datestamp, just in case... --- tools/dev-release.sh | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/tools/dev-release.sh b/tools/dev-release.sh index f66ce345c..3b1e72900 100755 --- a/tools/dev-release.sh 
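Review bot: The production version check only prints "Version doesn't look like 1.2.3" and carries on, and the pattern `'[0-9]\+.[0-9]\+.[0-9]\+'` is unanchored with unescaped dots, so a string such as `x1a2b3` passes. Anchoring it, `grep -q -e '^[0-9]\+\.[0-9]\+\.[0-9]\+$'`, and adding `exit 1` in the failure branch would stop a malformed version before it reaches the commit and tag steps. The same pattern is reused in `CheckVersion` in PATCH 17/50. `dirname $0` in the repo-root check is unquoted and breaks on a path containing spaces.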
+++ b/tools/dev-release.sh @@ -18,13 +18,11 @@ if [ "$1" = "--production" ] ; then if ! echo "$version" | grep -q -e '[0-9]\+.[0-9]\+.[0-9]\+' ; then echo "Version doesn't look like 1.2.3" fi - exit 0 else # XXX replace 0.0.0 with the last-released-version - version="$version.dev$(date +%Y%m%d)" + version="$version.dev$(date +%Y%m%d)1" DEV_RELEASE_BRANCH="dev-release" echo Releasing developer version "$version"... - exit 0 fi # TODO: create a real release key instead of using Kuba's personal one From be2be2ef94339ea2fd40c941616570bdcabd6c36 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Thu, 19 Nov 2015 13:43:04 -0800 Subject: [PATCH 06/50] Declare partial victory on version numbers --- tools/dev-release.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/tools/dev-release.sh b/tools/dev-release.sh index 3b1e72900..8f1ca458c 100755 --- a/tools/dev-release.sh +++ b/tools/dev-release.sh @@ -18,8 +18,9 @@ if [ "$1" = "--production" ] ; then if ! echo "$version" | grep -q -e '[0-9]\+.[0-9]\+.[0-9]\+' ; then echo "Version doesn't look like 1.2.3" fi + # XXX TODO rename to RELEASE_BRANCH once bmw isn't editing the same file + DEV_RELEASE_BRANCH="master" else - # XXX replace 0.0.0 with the last-released-version version="$version.dev$(date +%Y%m%d)1" DEV_RELEASE_BRANCH="dev-release" echo Releasing developer version "$version"... @@ -130,3 +131,6 @@ echo "New root: $root" echo "KGS is at $root/kgs" echo "In order to upload packages run the following command:" echo twine upload "$root/dist.$version/*/*" + +echo "Edit and commit letsencrypt/__init__.py to contain the next anticipated" +echo "release version" From d76cd9c31510f4c51b74e00d51bebd786e539af3 Mon Sep 17 00:00:00 2001 From: Noah Swartz Date: Tue, 1 Dec 2015 15:57:02 -0800 Subject: [PATCH 07/50] remove duplicate docstring line --- letsencrypt-apache/letsencrypt_apache/parser.py | 1 - 1 file changed, 1 deletion(-) 
diff --git a/letsencrypt-apache/letsencrypt_apache/parser.py b/letsencrypt-apache/letsencrypt_apache/parser.py index ec5211ae4..aad990e3b 100644 --- a/letsencrypt-apache/letsencrypt_apache/parser.py +++ b/letsencrypt-apache/letsencrypt_apache/parser.py @@ -19,7 +19,6 @@ class ApacheParser(object): :ivar str root: Normalized absolute path to the server root directory. Without trailing slash. - :ivar str root: Server root :ivar set modules: All module names that are currently enabled. :ivar dict loc: Location to place directives, root - configuration origin, default - user config file, name - NameVirtualHost, From 5a554bdaa7db39f5058ff236f57a8aa8bf72f469 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Wed, 2 Dec 2015 15:12:00 -0800 Subject: [PATCH 08/50] less confusing variable name --- tools/dev-release.sh | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/tools/dev-release.sh b/tools/dev-release.sh index 4a169ab51..8bbe9e4f5 100755 --- a/tools/dev-release.sh +++ b/tools/dev-release.sh @@ -18,11 +18,10 @@ if [ "$1" = "--production" ] ; then if ! echo "$version" | grep -q -e '[0-9]\+.[0-9]\+.[0-9]\+' ; then echo "Version doesn't look like 1.2.3" fi - # XXX TODO rename to RELEASE_BRANCH once bmw isn't editing the same file - DEV_RELEASE_BRANCH="master" + RELEASE_BRANCH="master" else version="$version.dev$(date +%Y%m%d)1" - DEV_RELEASE_BRANCH="dev-release" + RELEASE_BRANCH="dev-release" echo Releasing developer version "$version"... fi @@ -63,8 +62,8 @@ echo "Cloning into fresh copy at $root" # clean repo = no artificats git clone . $root git rev-parse HEAD cd $root -git branch -f "$DEV_RELEASE_BRANCH" -git checkout "$DEV_RELEASE_BRANCH" +git branch -f "$RELEASE_BRANCH" +git checkout "$RELEASE_BRANCH" for pkg_dir in $SUBPKGS do From fe4cefb5182172793d2865d9dfa971382de071f1 Mon Sep 17 00:00:00 2001 
From: Peter Eckersley Date: Thu, 3 Dec 2015 01:41:24 -0800 Subject: [PATCH 09/50] Fix various bugs exposed by actually making a release --- letsencrypt/cli.py | 2 +- tools/dev-release.sh | 8 +++++--- tools/dev-release2.sh | 7 +++++-- 3 files changed, 11 insertions(+), 6 deletions(-) diff --git a/letsencrypt/cli.py b/letsencrypt/cli.py index 9835fa126..2a3f3d18a 100644 --- a/letsencrypt/cli.py +++ b/letsencrypt/cli.py @@ -881,7 +881,7 @@ def prepare_and_parse_args(plugins, args): version="%(prog)s {0}".format(letsencrypt.__version__), help="show program's version number and exit") helpful.add( - "automation", "--renew-by-default", action="store_true", + "automation", "--renew-by-default", "--replace", action="store_true", help="Select renewal by default when domains are a superset of a " "previously attained cert") helpful.add( diff --git a/tools/dev-release.sh b/tools/dev-release.sh index 8bbe9e4f5..ae808117a 100755 --- a/tools/dev-release.sh +++ b/tools/dev-release.sh @@ -62,7 +62,9 @@ echo "Cloning into fresh copy at $root" # clean repo = no artificats git clone . $root git rev-parse HEAD cd $root -git branch -f "$RELEASE_BRANCH" +if [ "$RELEASE_BRANCH" != master ] ; then + git branch -f "$RELEASE_BRANCH" +fi git checkout "$RELEASE_BRANCH" for pkg_dir in $SUBPKGS @@ -71,7 +73,7 @@ do done sed -i "s/^__version.*/__version__ = '$version'/" letsencrypt/__init__.py -git add -p # interactive user input +git add -p $SUBPKGS # interactive user input git commit --gpg-sign="$RELEASE_GPG_KEY" -m "Release $version" git tag --local-user "$RELEASE_GPG_KEY" \ --sign --message "Release $version" "$tag" @@ -89,7 +91,7 @@ do echo "Signing ($pkg_dir)" for x in dist/*.tar.gz dist/*.whl do - gpg2 --detach-sign --armor --sign $x + gpg -u "$RELEASE_GPG_KEY" --detach-sign --armor --sign $x done cd - diff --git a/tools/dev-release2.sh b/tools/dev-release2.sh index 3ddacb8f0..5f1bf00fa 100755 --- a/tools/dev-release2.sh +++ b/tools/dev-release2.sh 
@@ -39,7 +39,10 @@ # Create a GitHub issue with the release information, ask someone to # pull in the tag. -script --return --command ./tools/dev-release.sh log +RELEASE_GPG_KEY=A2CFB51FA275A7286234E7B24D17C995CD9775F2 +export GPG_TTY=$(tty) + +#script --return --command ./tools/dev-release.sh log root="$(basename `grep -E '^/tmp/le' log | head -n1 | tr -d "\r"`)" root_without_le="${root##le.}" @@ -48,4 +51,4 @@ ext="${root_without_le##*.}" rev="$(git rev-parse --short HEAD)" cp -r /tmp/le.$name.$ext/ $name.$rev tar cJvf $name.$rev.tar.xz log $name.$rev -gpg --detach-sign --armor $name.$rev.tar.xz +gpg -U $RELEASE_GPG_KEY --detach-sign --armor $name.$rev.tar.xz From ce2ce697bdbe249e55001f48fe6c0e8e45e5e036 Mon Sep 17 00:00:00 2001 From: Noah Swartz Date: Thu, 3 Dec 2015 12:12:38 -0800 Subject: [PATCH 10/50] check for missed define statements at the end of parsing --- letsencrypt-apache/letsencrypt_apache/parser.py | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/letsencrypt-apache/letsencrypt_apache/parser.py b/letsencrypt-apache/letsencrypt_apache/parser.py index aad990e3b..4ed83e652 100644 --- a/letsencrypt-apache/letsencrypt_apache/parser.py +++ b/letsencrypt-apache/letsencrypt_apache/parser.py @@ -35,6 +35,7 @@ class ApacheParser(object): # https://httpd.apache.org/docs/2.4/mod/core.html#ifdefine # This only handles invocation parameters and Define directives! self.variables = {} + self.unparsable = False self.update_runtime_variables(ctl) self.aug = aug 
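Review bot: `gpg -U $RELEASE_GPG_KEY` in the last line of dev-release2.sh uses an uppercase `-U`, while gpg's short form of `--local-user` is lowercase `-u` (the dev-release.sh hunk of this same commit uses `gpg -u "$RELEASE_GPG_KEY"`); as written the signing step is likely to fail or not select the intended key. The line should read `gpg -u "$RELEASE_GPG_KEY" --detach-sign --armor "$name.$rev.tar.xz"`. The fingerprint is also assigned unconditionally in the hunk above, so a caller cannot override it from the environment; `RELEASE_GPG_KEY="${RELEASE_GPG_KEY:-...}"` with the same value would allow that.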
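Review bot: The new `self.unparsable` attribute is not documented, although the class docstring lists the other instance attributes with `:ivar` entries. Adding `:ivar bool unparsable: True when the runtime config dump had no DUMP_RUN_CFG entry, so no Define variables were loaded.` there would explain why the later hunk raises `PluginError` only when a `Define` directive is found. The method this assignment sits in starts and ends outside the hunk.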
@@ -58,6 +59,10 @@ class ApacheParser(object): # Must also attempt to parse sites-available or equivalent # Sites-available is not included naturally in configuration self._parse_file(os.path.join(self.root, "sites-available") + "/*") + #TODO check to see if there were unparsed define statements + if self.unparsable: + if self.find_dir("Define", exclude=False): + raise errors.PluginError("Error parsing runtime variables") def init_modules(self): """Iterates on the configuration until no new modules are loaded. @@ -100,7 +105,9 @@ class ApacheParser(object): try: matches.remove("DUMP_RUN_CFG") except ValueError: - raise errors.PluginError("Unable to parse runtime variables") + self.unparsable = True + return + #raise errors.PluginError("Unable to parse runtime variables") for match in matches: if match.count("=") > 1: From 1bf9fbcc727b42c7a633d8ab935e1b103d960fc6 Mon Sep 17 00:00:00 2001 From: Noah Swartz Date: Thu, 3 Dec 2015 14:25:49 -0800 Subject: [PATCH 11/50] don't enable socache on apache 2.2 --- letsencrypt-apache/letsencrypt_apache/configurator.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/letsencrypt-apache/letsencrypt_apache/configurator.py b/letsencrypt-apache/letsencrypt_apache/configurator.py index a0b58c5ff..fda02c7ff 100644 --- a/letsencrypt-apache/letsencrypt_apache/configurator.py +++ b/letsencrypt-apache/letsencrypt_apache/configurator.py @@ -546,7 +546,8 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): """ if "ssl_module" not in self.parser.modules: self.enable_mod("ssl", temp=temp) - + if self.version >= (2, 4) and "socache_shmcb_module" not in self.parser.modules: + self.enable_mod("socache_shmcb", temp=temp) # Check for Listen # Note: This could be made to also look for ip:443 combo if not self.parser.find_dir("Listen", port): @@ -1320,7 +1321,7 @@ def _get_mod_deps(mod_name): """ deps = { - "ssl": ["setenvif", "mime", "socache_shmcb"] + "ssl": ["setenvif", "mime"] } return deps.get(mod_name, []) 
From 73878f2457a7eebb36a2deed31006785e702d357 Mon Sep 17 00:00:00 2001 From: Marius Gedminas Date: Tue, 8 Dec 2015 11:30:13 +0200 Subject: [PATCH 12/50] Abort when no Pythons are found It seems ill-advised to continue without setting the LE_PYTHON variable, when the very next command tries to use it. --- letsencrypt-auto | 1 + 1 file changed, 1 insertion(+) diff --git a/letsencrypt-auto b/letsencrypt-auto index 44c71883c..5ad4abd76 100755 --- a/letsencrypt-auto +++ b/letsencrypt-auto @@ -97,6 +97,7 @@ DeterminePythonVersion() { export LE_PYTHON=${LE_PYTHON:-python} else echo "Cannot find any Pythons... please install one!" + exit 1 fi PYVER=`$LE_PYTHON --version 2>&1 | cut -d" " -f 2 | cut -d. -f1,2 | sed 's/\.//'` From 0a1b9c2bf0d4f9018bf87b08361b102325b06d3e Mon Sep 17 00:00:00 2001 From: Noah Swartz Date: Wed, 9 Dec 2015 17:05:38 -0800 Subject: [PATCH 13/50] fixed failing tests for changes that allow apache22 --- letsencrypt-apache/letsencrypt_apache/parser.py | 1 - .../letsencrypt_apache/tests/configurator_test.py | 13 ++++++++++++- .../letsencrypt_apache/tests/parser_test.py | 6 +++--- .../letsencrypt_apache/tests/tls_sni_01_test.py | 3 ++- 4 files changed, 17 insertions(+), 6 deletions(-) diff --git a/letsencrypt-apache/letsencrypt_apache/parser.py b/letsencrypt-apache/letsencrypt_apache/parser.py index 4ed83e652..8f15ab10c 100644 --- a/letsencrypt-apache/letsencrypt_apache/parser.py +++ b/letsencrypt-apache/letsencrypt_apache/parser.py @@ -107,7 +107,6 @@ class ApacheParser(object): except ValueError: self.unparsable = True return - #raise errors.PluginError("Unable to parse runtime variables") for match in matches: if match.count("=") > 1: diff --git a/letsencrypt-apache/letsencrypt_apache/tests/configurator_test.py b/letsencrypt-apache/letsencrypt_apache/tests/configurator_test.py index 0b6170e1d..4e166dfc8 100644 --- a/letsencrypt-apache/letsencrypt_apache/tests/configurator_test.py +++ b/letsencrypt-apache/letsencrypt_apache/tests/configurator_test.py 
@@ -28,10 +28,18 @@ class TwoVhost80Test(util.ApacheTest): self.config = util.get_apache_configurator( self.config_path, self.config_dir, self.work_dir) - + self.config = self.mock_deploy_cert(self.config) self.vh_truth = util.get_vh_truth( self.temp_dir, "debian_apache_2_4/two_vhost_80") + def mock_deploy_cert(self, config): + self.config.real_deploy_cert = self.config.deploy_cert + def mocked_deploy_cert(*args, **kwargs): + with mock.patch("letsencrypt_apache.configurator.ApacheConfigurator.enable_mod") as mock_enable: + config.real_deploy_cert(*args, **kwargs) + self.config.deploy_cert = mocked_deploy_cert + return self.config + def tearDown(self): shutil.rmtree(self.temp_dir) shutil.rmtree(self.config_dir) @@ -245,6 +253,7 @@ class TwoVhost80Test(util.ApacheTest): # Get the default 443 vhost self.config.assoc["random.demo"] = self.vh_truth[1] + self.config = self.mock_deploy_cert(self.config) self.config.deploy_cert( "random.demo", "example/cert.pem", "example/key.pem", "example/cert_chain.pem", "example/fullchain.pem") @@ -271,6 +280,7 @@ class TwoVhost80Test(util.ApacheTest): def test_deploy_cert_newssl_no_fullchain(self): self.config = util.get_apache_configurator( self.config_path, self.config_dir, self.work_dir, version=(2, 4, 16)) + self.config = self.mock_deploy_cert(self.config) self.config.parser.modules.add("ssl_module") self.config.parser.modules.add("mod_ssl.c") @@ -284,6 +294,7 @@ class TwoVhost80Test(util.ApacheTest): def test_deploy_cert_old_apache_no_chain(self): self.config = util.get_apache_configurator( self.config_path, self.config_dir, self.work_dir, version=(2, 4, 7)) + self.config = self.mock_deploy_cert(self.config) self.config.parser.modules.add("ssl_module") self.config.parser.modules.add("mod_ssl.c") diff --git a/letsencrypt-apache/letsencrypt_apache/tests/parser_test.py b/letsencrypt-apache/letsencrypt_apache/tests/parser_test.py index bc1f316f9..121c2ceb2 100644 --- a/letsencrypt-apache/letsencrypt_apache/tests/parser_test.py 
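Review bot: `mock_deploy_cert` takes a `config` argument but reads and writes `self.config` for everything except the inner call, so it only works when the two are the same object; it should use `config` throughout and end with `return config`. The `as mock_enable` binding is never used and can be dropped. Calling the helper a second time on the configurator already wrapped in `setUp`, as the hunk at -245 does, wraps the already wrapped `deploy_cert` again.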
+++ b/letsencrypt-apache/letsencrypt_apache/tests/parser_test.py @@ -150,9 +150,9 @@ class BasicParserTest(util.ParserTest): @mock.patch("letsencrypt_apache.parser.ApacheParser._get_runtime_cfg") def test_update_runtime_vars_bad_output(self, mock_cfg): - mock_cfg.return_value = "Define: TLS=443=24" - self.assertRaises( - errors.PluginError, self.parser.update_runtime_variables, "ctl") + #mock_cfg.return_value = "Define: TLS=443=24" + #self.assertRaises( + # errors.PluginError, self.parser.update_runtime_variables, "ctl") mock_cfg.return_value = "Define: DUMP_RUN_CFG\nDefine: TLS=443=24" self.assertRaises( diff --git a/letsencrypt-apache/letsencrypt_apache/tests/tls_sni_01_test.py b/letsencrypt-apache/letsencrypt_apache/tests/tls_sni_01_test.py index f4dff7734..6f10555f8 100644 --- a/letsencrypt-apache/letsencrypt_apache/tests/tls_sni_01_test.py +++ b/letsencrypt-apache/letsencrypt_apache/tests/tls_sni_01_test.py @@ -78,7 +78,8 @@ class TlsSniPerformTest(util.ApacheTest): # pylint: disable=protected-access self.sni._setup_challenge_cert = mock_setup_cert - sni_responses = self.sni.perform() + with mock.patch("letsencrypt_apache.configurator.ApacheConfigurator.enable_mod") as mock_enable: + sni_responses = self.sni.perform() self.assertEqual(mock_setup_cert.call_count, 2) From d761df90d4313a3a161ab0868a63fcc1152d8020 Mon Sep 17 00:00:00 2001 From: Noah Swartz Date: Wed, 9 Dec 2015 18:51:16 -0800 Subject: [PATCH 14/50] added coverage tests --- .../letsencrypt_apache/parser.py | 3 ++- .../letsencrypt_apache/tests/parser_test.py | 19 ++++++++++++++++--- 2 files changed, 18 insertions(+), 4 deletions(-) diff --git a/letsencrypt-apache/letsencrypt_apache/parser.py b/letsencrypt-apache/letsencrypt_apache/parser.py index 8f15ab10c..418e0ec39 100644 --- a/letsencrypt-apache/letsencrypt_apache/parser.py +++ b/letsencrypt-apache/letsencrypt_apache/parser.py 
@@ -59,7 +59,8 @@ class ApacheParser(object): # Must also attempt to parse sites-available or equivalent # Sites-available is not included naturally in configuration self._parse_file(os.path.join(self.root, "sites-available") + "/*") - #TODO check to see if there were unparsed define statements + + #check to see if there were unparsed define statements if self.unparsable: if self.find_dir("Define", exclude=False): raise errors.PluginError("Error parsing runtime variables") diff --git a/letsencrypt-apache/letsencrypt_apache/tests/parser_test.py b/letsencrypt-apache/letsencrypt_apache/tests/parser_test.py index 121c2ceb2..57a75bcec 100644 --- a/letsencrypt-apache/letsencrypt_apache/tests/parser_test.py +++ b/letsencrypt-apache/letsencrypt_apache/tests/parser_test.py @@ -150,9 +150,9 @@ class BasicParserTest(util.ParserTest): @mock.patch("letsencrypt_apache.parser.ApacheParser._get_runtime_cfg") def test_update_runtime_vars_bad_output(self, mock_cfg): - #mock_cfg.return_value = "Define: TLS=443=24" - #self.assertRaises( - # errors.PluginError, self.parser.update_runtime_variables, "ctl") + mock_cfg.return_value = "Define: TLS=443=24" + self.parser.update_runtime_variables("ctl") + self.assertTrue( self.parser.unparsable) mock_cfg.return_value = "Define: DUMP_RUN_CFG\nDefine: TLS=443=24" self.assertRaises( 
@@ -185,6 +185,19 @@ class ParserInitTest(util.ApacheTest): shutil.rmtree(self.config_dir) shutil.rmtree(self.work_dir) + @mock.patch("letsencrypt_apache.parser.ApacheParser._get_runtime_cfg") + def test_unparsable(self, mock_cfg): + from letsencrypt_apache.parser import ApacheParser + def unparsable_true(self, arg): + self.unparsable = True + with mock.patch.object(ApacheParser, 'update_runtime_variables', autospec=True) as urv: + urv.side_effect = unparsable_true + mock_cfg.return_value = ('Define: TEST') + self.assertRaises( + errors.PluginError, + ApacheParser, self.aug, os.path.relpath(self.config_path), "ctl") + self.assertEquals(1,1) + def test_root_normalized(self): from letsencrypt_apache.parser import ApacheParser From 9ea3dc313697f52889a6bf3d89edefb9132a618c Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Mon, 30 Nov 2015 22:12:02 -0800 Subject: [PATCH 15/50] Hackishly add wheezy backports libaugeas0 where required --- bootstrap/_deb_common.sh | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/bootstrap/_deb_common.sh b/bootstrap/_deb_common.sh index 4c6b91a33..cd9036581 100755 --- a/bootstrap/_deb_common.sh +++ b/bootstrap/_deb_common.sh 
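Review bot: `self.assertEquals(1,1)` at the end of `test_unparsable` checks nothing and can be removed; the `assertRaises` call above it is the real assertion. The test appears to pass only if `find_dir("Define", exclude=False)` finds a directive in the fixture configuration, which is not visible here, so a one-line comment such as `# relies on a Define directive in the test config` would make that dependency explicit. `mock_cfg.return_value = ('Define: TEST')` has redundant parentheses and, with `update_runtime_variables` patched out, may not be read at all.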
@@ -32,6 +32,26 @@ if apt-cache show python-virtualenv > /dev/null ; then virtualenv="$virtualenv python-virtualenv" fi +augeas_pkg=libaugeas0 +AUGVERSION=`apt-cache show --no-all-versions libaugeas0 | grep ^Version: | cut -d" " -f2` + +if dpkg --compare-version 1.0 gt "$AUGVERSION" ; then + if lsb_release -a | grep -q wheezy ; then + if ! grep -v -e ' *#' /etc/apt/sources.list | grep -q wheezy-backports ; then + # XXX ask for permission before doing this? + echo Installing augeas from wheezy-backports... + echo deb http://http.debian.net/debian wheezy-backports main >> /etc/apt/sources.list + apt-get update + apt-get install -y --no-install-recommends -t wheezy-backports libaugeas0 + fi + augeas_pkg= + else + echo "No libaugeas0 version is available that's new enough to run the" + echo "Let's Encrypt apache plugin..." + fi + # XXX add a case for ubuntu PPAs +fi + apt-get install -y --no-install-recommends \ git \ python \ @@ -39,11 +59,13 @@ apt-get install -y --no-install-recommends \ $virtualenv \ gcc \ dialog \ - libaugeas0 \ + $augeas_pkg \ libssl-dev \ libffi-dev \ ca-certificates \ + + if ! command -v virtualenv > /dev/null ; then echo Failed to install a working \"virtualenv\" command, exiting exit 1 From 06175fa2aa22a8060a0f71566420bc02dd278f87 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Fri, 11 Dec 2015 14:14:55 -0800 Subject: [PATCH 16/50] We don't use dev-release2.sh --- tools/dev-release2.sh | 54 ------------------------------------------- 1 file changed, 54 deletions(-) delete mode 100755 tools/dev-release2.sh diff --git a/tools/dev-release2.sh b/tools/dev-release2.sh deleted file mode 100755 index 5f1bf00fa..000000000 --- a/tools/dev-release2.sh +++ /dev/null 
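Review bot: `dpkg --compare-version 1.0 gt "$AUGVERSION"` looks like a misspelling of `--compare-versions`; if dpkg rejects the option the `if` is simply false, so neither the backports branch nor the "not new enough" message runs and an old libaugeas0 is installed without comment. Inside the branch the script appends a repository to `/etc/apt/sources.list` and runs `apt-get update` without asking, as the XXX comment already notes, and `grep -v -e ' *#'` drops every line containing a `#`, not only commented-out ones (`'^ *#'` would). When no suitable version exists the script only prints a message and continues to the install; whether that case should `exit 1` is worth deciding here.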
@@ -1,54 +0,0 @@ -#!/bin/sh -xe - -# This script should be put into `./tools/dev-release2.sh`, in the repo. -# -# 1. Create packages. -# -# script -c ./tools/dev-release2.sh log2 -# mv *.tar.xz* dev-releases/ -# mv log2 dev-releases/${version?}.log -# -# 2. Test them. -# -# Copy stuff to VPS and EFF server: -# -# rsync -avzP dev-releases/ le:~/le-dev-releases -# rsync -avzP dev-releases/ ubuntu@letsencrypt-demo.org:~/le-dev-releases -# -# Now test using similar method as in `dev-release.sh` script. On -# remote server `cd ~/le-dev-releases`, extract tarballs, `cd -# $dir/dist.$version; python -m SimpleHTTPServer 1234`. In another -# terminal, outside `le-dev-releases` directory, create new -# virtualenv, `for pkg in setuptools pip wheel; do pip install -U $pkg; done`, -# confirm new installed versions by `pip list`, and try -# to install stuff with `pip install --extra-index-url http://localhost:$PORT -#`. Then play with the client until you're sure -# everything works :) -# -# 3. Upload. -# -# Upload to PyPI using the twine command that was printed earlier. -# -# Now, update tags in git: -# -# git remote remove tmp || true -# git remote add tmp /tmp/le.XXX -# git fetch tmp -# git push github/letsencrypt v0.0.0.dev$date -# -# Create a GitHub issue with the release information, ask someone to -# pull in the tag. - -RELEASE_GPG_KEY=A2CFB51FA275A7286234E7B24D17C995CD9775F2 -export GPG_TTY=$(tty) - -#script --return --command ./tools/dev-release.sh log - -root="$(basename `grep -E '^/tmp/le' log | head -n1 | tr -d "\r"`)" -root_without_le="${root##le.}" -name=${root_without_le%.*} -ext="${root_without_le##*.}" -rev="$(git rev-parse --short HEAD)" -cp -r /tmp/le.$name.$ext/ $name.$rev -tar cJvf $name.$rev.tar.xz log $name.$rev -gpg -U $RELEASE_GPG_KEY --detach-sign --armor $name.$rev.tar.xz From 57a8eae28923e9e0c1f8d47312247bf56d31382f Mon Sep 17 00:00:00 2001 
From: Peter Eckersley Date: Fri, 11 Dec 2015 14:30:04 -0800 Subject: [PATCH 17/50] Release script cleanups: - accept GPG env param - Automate version bumping - don't work in /tmp/ --- tools/dev-release.sh | 39 ++++++++++++++++++++++++++------------- 1 file changed, 26 insertions(+), 13 deletions(-) diff --git a/tools/dev-release.sh b/tools/dev-release.sh index ae808117a..a4f4fc345 100755 --- a/tools/dev-release.sh +++ b/tools/dev-release.sh @@ -12,12 +12,20 @@ if [ "`dirname $0`" != "tools" ] ; then exit 1 fi +CheckVersion() { + # Args: + if ! echo "$2" | grep -q -e '[0-9]\+.[0-9]\+.[0-9]\+' ; then + echo "$1 doesn't look like 1.2.3" + exit 1 + fi +} + version=`grep "__version__" letsencrypt/__init__.py | cut -d\' -f2` if [ "$1" = "--production" ] ; then echo Releasing production version "$version"... - if ! echo "$version" | grep -q -e '[0-9]\+.[0-9]\+.[0-9]\+' ; then - echo "Version doesn't look like 1.2.3" - fi + CheckVersion Version "$version" + nextversion="$2" + CheckVersion "Next version" "$nextversion" RELEASE_BRANCH="master" else version="$version.dev$(date +%Y%m%d)1" @@ -25,7 +33,7 @@ else echo Releasing developer version "$version"... fi -RELEASE_GPG_KEY=A2CFB51FA275A7286234E7B24D17C995CD9775F2 +RELEASE_GPG_KEY=${RELEASE_GPG_KEY:-A2CFB51FA275A7286234E7B24D17C995CD9775F2} # Needed to fix problems with git signatures and pinentry export GPG_TTY=$(tty) @@ -57,7 +65,7 @@ pip install -U wheel # setup.py bdist_wheel # from current env when creating a child env pip install -U virtualenv -root="$(mktemp -d -t le.$version.XXX)" +root="./releases/le.$version.$$" echo "Cloning into fresh copy at $root" # clean repo = no artificats git clone . $root git rev-parse HEAD 
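Review bot: `root="./releases/le.$version.$$"` is now a relative path, and the script changes into `$root` right after the clone, so later uses of `$root` (the `twine upload "$root/dist.$version/*/*"` hint, for example) may resolve against the wrong directory depending on where the script is at that point; the lines in between are outside this hunk. Making it absolute, `root="$PWD/releases/le.$version.$$"`, keeps the behaviour the old `mktemp -d` path had in that respect. `git clone . $root` and `cd $root` also leave `$root` unquoted.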
@@ -67,13 +75,16 @@ if [ "$RELEASE_BRANCH" != master ] ; then fi git checkout "$RELEASE_BRANCH" -for pkg_dir in $SUBPKGS -do - sed -i $x "s/^version.*/version = '$version'/" $pkg_dir/setup.py -done -sed -i "s/^__version.*/__version__ = '$version'/" letsencrypt/__init__.py +SetVersion() { + for pkg_dir in $SUBPKGS + do + sed -i $x "s/^version.*/version = '$version'/" $pkg_dir/setup.py + done + sed -i "s/^__version.*/__version__ = '$version'/" letsencrypt/__init__.py -git add -p $SUBPKGS # interactive user input + git add -p $SUBPKGS # interactive user input +} +SetVersion git commit --gpg-sign="$RELEASE_GPG_KEY" -m "Release $version" git tag --local-user "$RELEASE_GPG_KEY" \ --sign --message "Release $version" "$tag" @@ -134,5 +145,7 @@ echo "KGS is at $root/kgs" echo "In order to upload packages run the following command:" echo twine upload "$root/dist.$version/*/*" -echo "Edit and commit letsencrypt/__init__.py to contain the next anticipated" -echo "release version" +export version="$nextversion" +SetVersion +git diff +git commit -m "Bump version to $version" From f31f637a8edbc8dd842d1f590fa69b565167170c Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Fri, 11 Dec 2015 14:45:53 -0800 Subject: [PATCH 18/50] Be agnostic about whether the tree has a dev/nondev version in it (though it should always be dev, I think) --- tools/dev-release.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/dev-release.sh b/tools/dev-release.sh index a4f4fc345..96b9cb7c9 100755 --- a/tools/dev-release.sh +++ b/tools/dev-release.sh @@ -20,7 +20,7 @@ CheckVersion() { fi } -version=`grep "__version__" letsencrypt/__init__.py | cut -d\' -f2` +version=`grep "__version__" letsencrypt/__init__.py | cut -d\' -f2 | sed s/\.dev0//` if [ "$1" = "--production" ] ; then echo Releasing production version "$version"... CheckVersion Version "$version" From 01fba752b570af6fbc0b688e2864bee2a1fbe3e6 Mon Sep 17 00:00:00 2001 
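Review bot: The version bump at the end of the script (hunk `@@ -134,5 +145,7 @@`) runs unconditionally, but `nextversion` is only assigned in the `--production` branch, so a dev release would call `SetVersion` with an empty `version` and rewrite every `setup.py` to `version = ''`. The bump commit is also created without `--gpg-sign`, unlike the release commit a few lines earlier, which leaves an unsigned commit on top of the signed one on the release branch. Guarding the block with `if [ -n "$nextversion" ] ; then` and using `git commit --gpg-sign="$RELEASE_GPG_KEY" -m "Bump version to $version"` would cover both. The unsigned `git commit -m "Bump version to ..."` recurs in the later patches of this series that touch the same lines.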
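Review bot: In hunk `@@ -20,7 +20,7 @@` the expression `sed s/\.dev0//` is unquoted, so the shell removes the backslash and sed receives `s/.dev0//`, where `.` matches any character and the match is not tied to the end of the string. Quoting and anchoring it states the intent exactly: `sed 's/\.dev0$//'`.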
From: Peter Eckersley Date: Fri, 11 Dec 2015 14:47:42 -0800 Subject: [PATCH 19/50] Only autogenerate versions of dev releases --- tools/dev-release.sh | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/tools/dev-release.sh b/tools/dev-release.sh index 96b9cb7c9..a3461dc4d 100755 --- a/tools/dev-release.sh +++ b/tools/dev-release.sh @@ -20,14 +20,15 @@ CheckVersion() { fi } -version=`grep "__version__" letsencrypt/__init__.py | cut -d\' -f2 | sed s/\.dev0//` if [ "$1" = "--production" ] ; then - echo Releasing production version "$version"... + version="$2" CheckVersion Version "$version" - nextversion="$2" + echo Releasing production version "$version"... + nextversion="$3" CheckVersion "Next version" "$nextversion" RELEASE_BRANCH="master" else + version=`grep "__version__" letsencrypt/__init__.py | cut -d\' -f2 | sed s/\.dev0//` version="$version.dev$(date +%Y%m%d)1" RELEASE_BRANCH="dev-release" echo Releasing developer version "$version"... From a253e35967a9979af8ff0fc911fd5c7c414389d3 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Fri, 11 Dec 2015 15:06:41 -0800 Subject: [PATCH 20/50] Cleanups & bug fixes --- letsencrypt/__init__.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/letsencrypt/__init__.py b/letsencrypt/__init__.py index ecab4ccbb..535ec6c40 100644 --- a/letsencrypt/__init__.py +++ b/letsencrypt/__init__.py @@ -2,4 +2,4 @@ # version number like 1.2.3a0, must have at least 2 parts, like 1.2 # '0.1.0.dev0' -__version__ = '0.1.0' +__version__ = '0.2.0.dev0' From aea2bcc0f5a17183f1390a31ff195befd038c9eb Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Fri, 11 Dec 2015 17:57:26 -0800 Subject: [PATCH 21/50] Make and sign tarball --- tools/dev-release.sh | 31 +++++++++++++++++++++++-------- 1 file changed, 23 insertions(+), 8 deletions(-) diff --git a/tools/dev-release.sh b/tools/dev-release.sh index a3461dc4d..bd7c86642 100755 --- a/tools/dev-release.sh +++ b/tools/dev-release.sh 
@@ -1,4 +1,4 @@ -#!/bin/sh -xe +#!/bin/bash -xe # Release dev packages to PyPI Usage() { @@ -66,7 +66,9 @@ pip install -U wheel # setup.py bdist_wheel # from current env when creating a child env pip install -U virtualenv -root="./releases/le.$version.$$" +root_without_le="$version.$$" +root="./releases/le.$root_without_le" + echo "Cloning into fresh copy at $root" # clean repo = no artificats git clone . $root git rev-parse HEAD @@ -77,15 +79,16 @@ fi git checkout "$RELEASE_BRANCH" SetVersion() { + ver="$1" for pkg_dir in $SUBPKGS do - sed -i $x "s/^version.*/version = '$version'/" $pkg_dir/setup.py + sed -i $x "s/^version.*/version = '$ver'/" $pkg_dir/setup.py done - sed -i "s/^__version.*/__version__ = '$version'/" letsencrypt/__init__.py + sed -i "s/^__version.*/__version__ = '$ver'/" letsencrypt/__init__.py git add -p $SUBPKGS # interactive user input } -SetVersion +SetVersion "$version" git commit --gpg-sign="$RELEASE_GPG_KEY" -m "Release $version" git tag --local-user "$RELEASE_GPG_KEY" \ --sign --message "Release $version" "$tag" 
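Review bot: `SetVersion` (hunk `@@ -77,15 +79,16 @@`) assigns `ver` as a global and splices it unescaped into the `sed` replacement, so a value containing `/`, `&` or a quote would change what the expression does. Since the shebang is now bash, `local ver="$1"` keeps the name out of the rest of the script, and the function is a good place for a one-line comment such as `# Args: <version string, already validated by CheckVersion>` so the dependency on prior validation is explicit. `$pkg_dir/setup.py` and `$SUBPKGS` are expanded unquoted; the definition of `SUBPKGS` is outside the hunk, so whether word splitting is intended there cannot be confirmed from here.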
@@ -132,21 +135,33 @@ pip install \ letsencrypt $SUBPKGS # stop local PyPI kill $! +cd ~- # freeze before installing anything else, so that we know end-user KGS # make sure "twine upload" doesn't catch "kgs" +if [ -d ../kgs ] ; then + echo Deleting old kgs... + rm -rf ../kgs +fi mkdir ../kgs kgs="../kgs/$version" pip freeze | tee $kgs pip install nose nosetests letsencrypt $subpkgs_modules +cd releases +name=${root_without_le%.*} +ext="${root_without_le##*.}" +rev="$(git rev-parse --short HEAD)" +echo tar cJvf $name.$rev.tar.xz $name.$rev +echo gpg -U $RELEASE_GPG_KEY --detach-sign --armor $name.$rev.tar.xz +cd ~- + echo "New root: $root" echo "KGS is at $root/kgs" echo "In order to upload packages run the following command:" echo twine upload "$root/dist.$version/*/*" -export version="$nextversion" -SetVersion +SetVersion "$nextversion" git diff -git commit -m "Bump version to $version" +git commit -m "Bump version to $nextversion" From 9a0d819626ba0646c1bc006c293207bfd71534f0 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Sat, 12 Dec 2015 00:38:45 -0800 Subject: [PATCH 22/50] Only bump versions if we're making production releases --- tools/dev-release.sh | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/tools/dev-release.sh b/tools/dev-release.sh index bd7c86642..3232ba946 100755 --- a/tools/dev-release.sh +++ b/tools/dev-release.sh @@ -162,6 +162,8 @@ echo "KGS is at $root/kgs" echo "In order to upload packages run the following command:" echo twine upload "$root/dist.$version/*/*" -SetVersion "$nextversion" -git diff -git commit -m "Bump version to $nextversion" +if [ "$RELEASE_BRANCH" = master ] ; then + SetVersion "$nextversion" + git diff + git commit -m "Bump version to $nextversion" +fi From 9beb855618b03ade596c2d0abb42815f21990e75 Mon Sep 17 00:00:00 2001 
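Review bot: The two lines that are meant to make and sign the tarball in hunk `@@ -132,21 +135,33 @@` start with `echo`, so `tar` and `gpg` are only printed and no archive or detached signature is produced. If printing is deliberate, a comment such as `# printed for the releaser to run by hand` would prevent someone from assuming a signed artifact exists. If they are meant to run, note that no directory named `$name.$rev` is created in the visible lines (the removed dev-release2.sh did a `cp -r` first), and the arguments should be quoted: `tar cJvf "$name.$rev.tar.xz" "$name.$rev"`. I could not confirm `-U` as a gpg option; the documented way to select the signing key is `-u` / `--local-user`, which the `git tag` call above already uses.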
From: Antoine Jacoutot Date: Mon, 14 Dec 2015 13:57:52 +0100 Subject: [PATCH 23/50] Mention that OpenBSD has a native letsencrypt package now. --- docs/using.rst | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/docs/using.rst b/docs/using.rst index 687901191..80d429773 100644 --- a/docs/using.rst +++ b/docs/using.rst @@ -59,8 +59,8 @@ or for full help, type: ``letsencrypt-auto`` is the recommended method of running the Let's Encrypt client beta releases on systems that don't have a packaged version. Debian -experimental, Arch linux and FreeBSD now have native packages, so on those -systems you can just install ``letsencrypt`` (and perhaps +experimental, Arch linux, FreeBSD and OpenBSD now have native packages, so on +those systems you can just install ``letsencrypt`` (and perhaps ``letsencrypt-apache``). If you'd like to run the latest copy from Git, or run your own locally modified copy of the client, follow the instructions in the :doc:`contributing`. Some `other methods of installation`_ are discussed @@ -346,6 +346,11 @@ Operating System Packages * Port: ``cd /usr/ports/security/py-letsencrypt && make install clean`` * Package: ``pkg install py27-letsencrypt`` +**OpenBSD** + + * Port: ``cd /usr/ports/security/letsencrypt/client && make install clean`` + * Package: ``pkg_add letsencrypt`` + **Arch Linux** .. code-block:: shell From f5029d5eafa63418c560f21ce103eb58e4961eb3 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Mon, 14 Dec 2015 11:44:57 -0800 Subject: [PATCH 24/50] Remove a change that shouldn't have been in the release-engineering branch Reverts part of fe4cefb51 --- letsencrypt/cli.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/letsencrypt/cli.py b/letsencrypt/cli.py index 1793f2be7..5e06d00d6 100644 --- a/letsencrypt/cli.py +++ b/letsencrypt/cli.py 
@@ -982,7 +982,7 @@ def prepare_and_parse_args(plugins, args): version="%(prog)s {0}".format(letsencrypt.__version__), help="show program's version number and exit") helpful.add( - "automation", "--renew-by-default", "--replace", action="store_true", + "automation", "--renew-by-default", action="store_true", help="Select renewal by default when domains are a superset of a " "previously attained cert (often --keep-until-expiring is " "more appropriate). Implies --expand.") From 7193296a2246f85b910384c2f223c89144b6756c Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Mon, 14 Dec 2015 12:12:20 -0800 Subject: [PATCH 25/50] For some reason, nosetests only survives one subpackage at a time? --- tools/dev-release.sh | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/tools/dev-release.sh b/tools/dev-release.sh index 3232ba946..9cbffea53 100755 --- a/tools/dev-release.sh +++ b/tools/dev-release.sh @@ -147,9 +147,13 @@ mkdir ../kgs kgs="../kgs/$version" pip freeze | tee $kgs pip install nose -nosetests letsencrypt $subpkgs_modules +for thing in letsencrypt $subpkgs_modules ; do + echo testing $thing + nosetests $thing +done +deactivate -cd releases +cd .. name=${root_without_le%.*} ext="${root_without_le##*.}" rev="$(git rev-parse --short HEAD)" From 1f58e069c526237554b7e465eadcdc1f7d4d73e0 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Mon, 14 Dec 2015 12:13:00 -0800 Subject: [PATCH 26/50] Fix stray $x bug from the old version of this script --- tools/dev-release.sh | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/tools/dev-release.sh b/tools/dev-release.sh index 9cbffea53..41e3f9236 100755 --- a/tools/dev-release.sh +++ b/tools/dev-release.sh @@ -82,7 +82,7 @@ SetVersion() { ver="$1" for pkg_dir in $SUBPKGS do - sed -i $x "s/^version.*/version = '$ver'/" $pkg_dir/setup.py + sed -i "s/^version.*/version = '$ver'/" $pkg_dir/setup.py done sed -i "s/^__version.*/__version__ = '$ver'/" letsencrypt/__init__.py 
@@ -147,13 +147,14 @@ mkdir ../kgs kgs="../kgs/$version" pip freeze | tee $kgs pip install nose -for thing in letsencrypt $subpkgs_modules ; do - echo testing $thing - nosetests $thing +for module in letsencrypt $subpkgs_modules ; do + echo testing $module + nosetests $module done deactivate cd .. +echo Now in $PWD name=${root_without_le%.*} ext="${root_without_le##*.}" rev="$(git rev-parse --short HEAD)" From 57ea80ca5db6afb5d226ceb4071b340fd6fc48f4 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Mon, 14 Dec 2015 12:13:18 -0800 Subject: [PATCH 27/50] Production releases come from the candidate-$version branch (then get merged into master with a PR afterwards) --- tools/dev-release.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tools/dev-release.sh b/tools/dev-release.sh index 41e3f9236..76223d123 100755 --- a/tools/dev-release.sh +++ b/tools/dev-release.sh @@ -26,7 +26,7 @@ if [ "$1" = "--production" ] ; then echo Releasing production version "$version"... nextversion="$3" CheckVersion "Next version" "$nextversion" - RELEASE_BRANCH="master" + RELEASE_BRANCH="candidate-$version" else version=`grep "__version__" letsencrypt/__init__.py | cut -d\' -f2 | sed s/\.dev0//` version="$version.dev$(date +%Y%m%d)1" @@ -73,7 +73,7 @@ echo "Cloning into fresh copy at $root" # clean repo = no artificats git clone . $root git rev-parse HEAD cd $root -if [ "$RELEASE_BRANCH" != master ] ; then +if [ "$RELEASE_BRANCH" != "candidate-$version" ] ; then git branch -f "$RELEASE_BRANCH" fi git checkout "$RELEASE_BRANCH" @@ -167,7 +167,7 @@ echo "KGS is at $root/kgs" echo "In order to upload packages run the following command:" echo twine upload "$root/dist.$version/*/*" -if [ "$RELEASE_BRANCH" = master ] ; then +if [ "$RELEASE_BRANCH" = candidate-"$version" ] ; then SetVersion "$nextversion" git diff git commit -m "Bump version to $nextversion" From 49e7e830ebab41502983081874700f6cbdae426b Mon Sep 17 00:00:00 2001 
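Review bot: Hunks `@@ -73,7 +73,7 @@` and `@@ -167,7 +167,7 @@` decide whether this is a production release by comparing `RELEASE_BRANCH` with `candidate-$version`, which ties the mode to a naming convention and is written with two different quoting styles (`"candidate-$version"` and `candidate-"$version"`). Setting a flag where `--production` is parsed, for example `production=1`, and testing `[ -n "$production" ]` in both places would survive the next branch rename. In production mode the script no longer creates the branch, so `git checkout "$RELEASE_BRANCH"` relies on `candidate-$version` already existing in the repository being cloned; a comment saying so would help the next releaser.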
From: Peter Eckersley Date: Tue, 15 Dec 2015 16:17:11 -0800 Subject: [PATCH 28/50] Echo testing instructions --- tools/dev-release.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tools/dev-release.sh b/tools/dev-release.sh index 76223d123..f3912e67c 100755 --- a/tools/dev-release.sh +++ b/tools/dev-release.sh @@ -164,6 +164,10 @@ cd ~- echo "New root: $root" echo "KGS is at $root/kgs" +echo "Test commands (in the letstest repo):" +echo 'python multitester.py targets.yaml $AWS_KEY $USERNAME scripts/test_leauto_upgrades.sh --alt_pip $YOUR_PIP_REPO --branch public-beta' +echo 'python multitester.py targets.yaml $AWK_KEY $USERNAME scripts/test_letsencrypt_auto_certonly_standalone.sh --branch candidate-0.1.1' +echo 'python multitester.py --saveinstances targets.yaml $AWS_KEY $USERNAME scripts/test_apache2.sh' echo "In order to upload packages run the following command:" echo twine upload "$root/dist.$version/*/*" From adfed7f4c525f8e20a243761f18461141c6d06c7 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Tue, 15 Dec 2015 16:17:56 -0800 Subject: [PATCH 29/50] dev-release.sh -> release.sh --- tools/{dev-release.sh => release.sh} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename tools/{dev-release.sh => release.sh} (100%) diff --git a/tools/dev-release.sh b/tools/release.sh similarity index 100% rename from tools/dev-release.sh rename to tools/release.sh From cb713a200b0a951f81018ed647e6002f09cb2ceb Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Tue, 15 Dec 2015 16:21:02 -0800 Subject: [PATCH 30/50] Release 0.1.1 --- acme/setup.py | 2 +- letsencrypt-apache/setup.py | 2 +- letsencrypt-nginx/setup.py | 2 +- letshelp-letsencrypt/setup.py | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/acme/setup.py b/acme/setup.py index e35b40d6e..ffaff618b 100644 --- a/acme/setup.py +++ b/acme/setup.py 
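Review bot: The second echoed test command in hunk `@@ -164,6 +164,10 @@` says `$AWK_KEY` where the other two say `$AWS_KEY`; copied verbatim it would pass an empty credential argument. The same line hard-codes `--branch candidate-0.1.1`, which goes stale on the next release; since these strings are single-quoted, the branch could be printed from the script's own variable instead, e.g. `echo "... --branch $RELEASE_BRANCH"`. The commands place the key on the command line, where it is visible in process listings on a shared host; that is the interface of the external `multitester.py`, so it is worth a note in the printed instructions rather than a change here.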
@@ -4,7 +4,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.2.0.dev0' +version = '0.1.1' install_requires = [ # load_pem_private/public_key (>=0.6) diff --git a/letsencrypt-apache/setup.py b/letsencrypt-apache/setup.py index 58008e1e4..265101628 100644 --- a/letsencrypt-apache/setup.py +++ b/letsencrypt-apache/setup.py @@ -4,7 +4,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.2.0.dev0' +version = '0.1.1' install_requires = [ 'acme=={0}'.format(version), diff --git a/letsencrypt-nginx/setup.py b/letsencrypt-nginx/setup.py index 1d42fe488..bb4100c98 100644 --- a/letsencrypt-nginx/setup.py +++ b/letsencrypt-nginx/setup.py @@ -4,7 +4,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.2.0.dev0' +version = '0.1.1' install_requires = [ 'acme=={0}'.format(version), diff --git a/letshelp-letsencrypt/setup.py b/letshelp-letsencrypt/setup.py index d487e556d..762eab396 100644 --- a/letshelp-letsencrypt/setup.py +++ b/letshelp-letsencrypt/setup.py @@ -4,7 +4,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.2.0.dev0' +version = '0.1.1' install_requires = [ 'setuptools', # pkg_resources From 19353d6eb1d5abd7bfde6fdd6b5fa28571981409 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Tue, 15 Dec 2015 16:23:08 -0800 Subject: [PATCH 31/50] Bump version to 0.2.0 --- acme/setup.py | 2 +- letsencrypt-apache/setup.py | 2 +- letsencrypt-nginx/setup.py | 2 +- letshelp-letsencrypt/setup.py | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/acme/setup.py b/acme/setup.py index ffaff618b..2eb2623fd 100644 --- a/acme/setup.py +++ b/acme/setup.py @@ -4,7 +4,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.1.1' +version = '0.2.0' install_requires = [ # load_pem_private/public_key (>=0.6) diff --git a/letsencrypt-apache/setup.py b/letsencrypt-apache/setup.py index 265101628..67556fb90 100644 
--- a/letsencrypt-apache/setup.py +++ b/letsencrypt-apache/setup.py @@ -4,7 +4,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.1.1' +version = '0.2.0' install_requires = [ 'acme=={0}'.format(version), diff --git a/letsencrypt-nginx/setup.py b/letsencrypt-nginx/setup.py index bb4100c98..d63ac9549 100644 --- a/letsencrypt-nginx/setup.py +++ b/letsencrypt-nginx/setup.py @@ -4,7 +4,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.1.1' +version = '0.2.0' install_requires = [ 'acme=={0}'.format(version), diff --git a/letshelp-letsencrypt/setup.py b/letshelp-letsencrypt/setup.py index 762eab396..3e0128ccb 100644 --- a/letshelp-letsencrypt/setup.py +++ b/letshelp-letsencrypt/setup.py @@ -4,7 +4,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.1.1' +version = '0.2.0' install_requires = [ 'setuptools', # pkg_resources From 80b71bfe9f54ffa65030ee1020b6c2b7d47a4b7c Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Tue, 15 Dec 2015 19:01:18 -0800 Subject: [PATCH 32/50] An actually correct version bump --- acme/setup.py | 2 +- letsencrypt-apache/setup.py | 2 +- letsencrypt-nginx/setup.py | 2 +- letsencrypt/__init__.py | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/acme/setup.py b/acme/setup.py index 2eb2623fd..8e6c1790a 100644 --- a/acme/setup.py +++ b/acme/setup.py @@ -4,7 +4,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.2.0' +version = '0.2.0dev0' install_requires = [ # load_pem_private/public_key (>=0.6) diff --git a/letsencrypt-apache/setup.py b/letsencrypt-apache/setup.py index 67556fb90..7a47946a7 100644 --- a/letsencrypt-apache/setup.py +++ b/letsencrypt-apache/setup.py @@ -4,7 +4,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.2.0' +version = '0.2.0dev0' install_requires = [ 'acme=={0}'.format(version), 
diff --git a/letsencrypt-nginx/setup.py b/letsencrypt-nginx/setup.py index d63ac9549..0177c4a81 100644 --- a/letsencrypt-nginx/setup.py +++ b/letsencrypt-nginx/setup.py @@ -4,7 +4,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.2.0' +version = '0.2.0dev0' install_requires = [ 'acme=={0}'.format(version), diff --git a/letsencrypt/__init__.py b/letsencrypt/__init__.py index 1c7815f78..57024bdb6 100644 --- a/letsencrypt/__init__.py +++ b/letsencrypt/__init__.py @@ -1,4 +1,4 @@ """Let's Encrypt client.""" # version number like 1.2.3a0, must have at least 2 parts, like 1.2 -__version__ = '0.2.0.dev0' +__version__ = '0.2.0dev0' From 59f717fc480318cdb11364cc40438fa869ac95d2 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Wed, 16 Dec 2015 12:48:36 -0800 Subject: [PATCH 33/50] Further fixes to version strings --- acme/setup.py | 2 +- letsencrypt-apache/setup.py | 2 +- letsencrypt-nginx/setup.py | 2 +- letsencrypt/__init__.py | 2 +- letshelp-letsencrypt/setup.py | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/acme/setup.py b/acme/setup.py index 8e6c1790a..e35b40d6e 100644 --- a/acme/setup.py +++ b/acme/setup.py @@ -4,7 +4,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.2.0dev0' +version = '0.2.0.dev0' install_requires = [ # load_pem_private/public_key (>=0.6) diff --git a/letsencrypt-apache/setup.py b/letsencrypt-apache/setup.py index 7a47946a7..58008e1e4 100644 --- a/letsencrypt-apache/setup.py +++ b/letsencrypt-apache/setup.py @@ -4,7 +4,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.2.0dev0' +version = '0.2.0.dev0' install_requires = [ 'acme=={0}'.format(version), diff --git a/letsencrypt-nginx/setup.py b/letsencrypt-nginx/setup.py index 0177c4a81..1d42fe488 100644 --- a/letsencrypt-nginx/setup.py +++ b/letsencrypt-nginx/setup.py 
@@ -4,7 +4,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.2.0dev0' +version = '0.2.0.dev0' install_requires = [ 'acme=={0}'.format(version), diff --git a/letsencrypt/__init__.py b/letsencrypt/__init__.py index 57024bdb6..1c7815f78 100644 --- a/letsencrypt/__init__.py +++ b/letsencrypt/__init__.py @@ -1,4 +1,4 @@ """Let's Encrypt client.""" # version number like 1.2.3a0, must have at least 2 parts, like 1.2 -__version__ = '0.2.0dev0' +__version__ = '0.2.0.dev0' diff --git a/letshelp-letsencrypt/setup.py b/letshelp-letsencrypt/setup.py index 3e0128ccb..d487e556d 100644 --- a/letshelp-letsencrypt/setup.py +++ b/letshelp-letsencrypt/setup.py @@ -4,7 +4,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.2.0' +version = '0.2.0.dev0' install_requires = [ 'setuptools', # pkg_resources From 5666cf9e0e3dac30d94ea6958bd8fa8af56afcbc Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Wed, 16 Dec 2015 12:50:21 -0800 Subject: [PATCH 34/50] Perform "nextversion" incrementing correctly in release.sh --- tools/release.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/release.sh b/tools/release.sh index f3912e67c..eeabfd4a3 100755 --- a/tools/release.sh +++ b/tools/release.sh @@ -172,7 +172,7 @@ echo "In order to upload packages run the following command:" echo twine upload "$root/dist.$version/*/*" if [ "$RELEASE_BRANCH" = candidate-"$version" ] ; then - SetVersion "$nextversion" + SetVersion "$nextversion".dev0 git diff git commit -m "Bump version to $nextversion" fi From b8c2118434877d0c42ba0d1b856db3fda546777a Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Wed, 16 Dec 2015 14:19:22 -0800 Subject: [PATCH 35/50] Add explanatory comment --- tools/half-sign.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tools/half-sign.c b/tools/half-sign.c index 561fa22be..454201799 100644 --- a/tools/half-sign.c +++ b/tools/half-sign.c 
@@ -6,6 +6,9 @@ #include #include +// This program can be used to perform RSA public key signatures given only +// the hash of the file to be signed as input. + // Sign with SHA1 #define HASH_SIZE 20 From 15386fd0decc5dfddbc57efab1b376d1d0b7fce7 Mon Sep 17 00:00:00 2001 From: Noah Swartz Date: Wed, 16 Dec 2015 18:55:39 -0800 Subject: [PATCH 36/50] fix issue with parsing renewal confs --- letsencrypt/renewer.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/letsencrypt/renewer.py b/letsencrypt/renewer.py index 0a490d447..8f7f38c90 100644 --- a/letsencrypt/renewer.py +++ b/letsencrypt/renewer.py @@ -179,7 +179,9 @@ def main(cli_args=sys.argv[1:]): # RenewableCert object for this cert at all, which could # dramatically improve performance for large deployments # where autorenewal is widely turned off. - cert = storage.RenewableCert(renewal_file, cli_config) + cert = storage.RenewableCert( + os.path.join(cli_config.renewal_configs_dir, renewal_file), + cli_config) except errors.CertStorageError: # This indicates an invalid renewal configuration file, such # as one missing a required parameter (in the future, perhaps From e463fca34d88b9d28c874c97dccbd10c118dfe0a Mon Sep 17 00:00:00 2001 From: Noah Swartz Date: Thu, 17 Dec 2015 16:01:21 -0800 Subject: [PATCH 37/50] fix broken test --- letsencrypt/storage.py | 2 +- letsencrypt/tests/renewer_test.py | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/letsencrypt/storage.py b/letsencrypt/storage.py index 7e2802b14..5186cd945 100644 --- a/letsencrypt/storage.py +++ b/letsencrypt/storage.py @@ -260,7 +260,7 @@ class RenewableCert(object): # pylint: disable=too-many-instance-attributes :returns: The path to the current version of the specified member. - :rtype: str + :rtype: str or None """ if kind not in ALL_FOUR: diff --git a/letsencrypt/tests/renewer_test.py b/letsencrypt/tests/renewer_test.py index daec9678f..d583e8645 100644 --- a/letsencrypt/tests/renewer_test.py 
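Review bot: The added comment on half-sign.c (hunk `@@ -6,6 +6,9 @@`) does not state the trust assumption that matters for this tool: the signer never sees the file, only a digest, so the signature is only as good as the provenance of that digest. The wording "RSA public key signatures" is also slightly off, since the signature is made with the private key. I would extend the comment along the lines of `// The hash is signed as given; the operator must have computed or verified it independently.` and, given the `HASH_SIZE 20` / "Sign with SHA1" context lines, add `// SHA-1 is no longer collision-resistant; do not sign digests of attacker-influenced files.`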
+++ b/letsencrypt/tests/renewer_test.py @@ -764,6 +764,8 @@ class RenewableCertTests(BaseRenewableCertTest): def test_bad_config_file(self): from letsencrypt import renewer + os.unlink(os.path.join(self.cli_config.renewal_configs_dir, + "example.org.conf")) with open(os.path.join(self.cli_config.renewal_configs_dir, "bad.conf"), "w") as f: f.write("incomplete = configfile\n") From 3e7072e131b288322383628a075775670e880b4e Mon Sep 17 00:00:00 2001 From: Dominic Cleal Date: Fri, 18 Dec 2015 08:08:52 +0000 Subject: [PATCH 38/50] Add failing test from ticket #1934 Augeas fails to parse a directive argument with a quote inside (expecting either fully quoted or unquoted values). --- .../failing/graphite-quote-1934.conf | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 tests/apache-conf-files/failing/graphite-quote-1934.conf diff --git a/tests/apache-conf-files/failing/graphite-quote-1934.conf b/tests/apache-conf-files/failing/graphite-quote-1934.conf new file mode 100644 index 000000000..2a8734b43 --- /dev/null +++ b/tests/apache-conf-files/failing/graphite-quote-1934.conf @@ -0,0 +1,21 @@ + + + WSGIDaemonProcess _graphite processes=5 threads=5 display-name='%{GROUP}' inactivity-timeout=120 user=_graphite group=_graphite + WSGIProcessGroup _graphite + WSGIImportScript /usr/share/graphite-web/graphite.wsgi process-group=_graphite application-group=%{GLOBAL} + WSGIScriptAlias / /usr/share/graphite-web/graphite.wsgi + + Alias /content/ /usr/share/graphite-web/static/ + + SetHandler None + + + ErrorLog ${APACHE_LOG_DIR}/graphite-web_error.log + + # Possible values include: debug, info, notice, warn, error, crit, + # alert, emerg. + LogLevel warn + + CustomLog ${APACHE_LOG_DIR}/graphite-web_access.log combined + + From a72e498c97c4a0f77e0f2996e6fd1251122bcffb Mon Sep 17 00:00:00 2001 
From: Dominic Cleal Date: Fri, 18 Dec 2015 08:09:47 +0000 Subject: [PATCH 39/50] Merge Augeas lens fix for quotes in directive arguments From https://github.com/hercules-team/augeas/commit/d4d7ea97718c09c5968277aba08d5e47b971b2ac Closes: #1934 --- letsencrypt-apache/letsencrypt_apache/augeas_lens/httpd.aug | 2 +- .../{failing => passing}/graphite-quote-1934.conf | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename tests/apache-conf-files/{failing => passing}/graphite-quote-1934.conf (100%) diff --git a/letsencrypt-apache/letsencrypt_apache/augeas_lens/httpd.aug b/letsencrypt-apache/letsencrypt_apache/augeas_lens/httpd.aug index d665ea7a7..0f2cb7b45 100644 --- a/letsencrypt-apache/letsencrypt_apache/augeas_lens/httpd.aug +++ b/letsencrypt-apache/letsencrypt_apache/augeas_lens/httpd.aug @@ -59,7 +59,7 @@ let empty = Util.empty_dos let indent = Util.indent (* borrowed from shellvars.aug *) -let char_arg_dir = /([^\\ '"{\t\r\n]|[^ '"{\t\r\n]+[^\\ '"\t\r\n])|\\\\"|\\\\'/ +let char_arg_dir = /([^\\ '"{\t\r\n]|[^ '"{\t\r\n]+[^\\ \t\r\n])|\\\\"|\\\\'/ let char_arg_sec = /[^ '"\t\r\n>]|\\\\"|\\\\'/ let char_arg_wl = /([^\\ '"},\t\r\n]|[^ '"},\t\r\n]+[^\\ '"},\t\r\n])/ diff --git a/tests/apache-conf-files/failing/graphite-quote-1934.conf b/tests/apache-conf-files/passing/graphite-quote-1934.conf similarity index 100% rename from tests/apache-conf-files/failing/graphite-quote-1934.conf rename to tests/apache-conf-files/passing/graphite-quote-1934.conf From ca39b0d12597621d840555f5b29a1b03e37f7ad0 Mon Sep 17 00:00:00 2001 From: Noah Swartz Date: Mon, 21 Dec 2015 14:39:14 -0800 Subject: [PATCH 40/50] fixed linting problems --- .../letsencrypt_apache/tests/configurator_test.py | 5 ++++- letsencrypt-apache/letsencrypt_apache/tests/parser_test.py | 6 ++++-- .../letsencrypt_apache/tests/tls_sni_01_test.py | 3 ++- 3 files changed, 10 insertions(+), 4 deletions(-) 
diff --git a/letsencrypt-apache/letsencrypt_apache/tests/configurator_test.py b/letsencrypt-apache/letsencrypt_apache/tests/configurator_test.py index 2d57de668..d7bc04f20 100644 --- a/letsencrypt-apache/letsencrypt_apache/tests/configurator_test.py +++ b/letsencrypt-apache/letsencrypt_apache/tests/configurator_test.py @@ -33,9 +33,12 @@ class TwoVhost80Test(util.ApacheTest): self.temp_dir, "debian_apache_2_4/two_vhost_80") def mock_deploy_cert(self, config): + """A test for a mock deploy cert""" self.config.real_deploy_cert = self.config.deploy_cert def mocked_deploy_cert(*args, **kwargs): - with mock.patch("letsencrypt_apache.configurator.ApacheConfigurator.enable_mod") as mock_enable: + """a helper to mock a deployed cert""" + with mock.patch( + "letsencrypt_apache.configurator.ApacheConfigurator.enable_mod"): config.real_deploy_cert(*args, **kwargs) self.config.deploy_cert = mocked_deploy_cert return self.config diff --git a/letsencrypt-apache/letsencrypt_apache/tests/parser_test.py b/letsencrypt-apache/letsencrypt_apache/tests/parser_test.py index 57a75bcec..352c2fcf4 100644 --- a/letsencrypt-apache/letsencrypt_apache/tests/parser_test.py +++ b/letsencrypt-apache/letsencrypt_apache/tests/parser_test.py @@ -152,7 +152,7 @@ class BasicParserTest(util.ParserTest): def test_update_runtime_vars_bad_output(self, mock_cfg): mock_cfg.return_value = "Define: TLS=443=24" self.parser.update_runtime_variables("ctl") - self.assertTrue( self.parser.unparsable) + self.assertTrue(self.parser.unparsable) mock_cfg.return_value = "Define: DUMP_RUN_CFG\nDefine: TLS=443=24" self.assertRaises( 
@@ -189,6 +189,8 @@ class ParserInitTest(util.ApacheTest): def test_unparsable(self, mock_cfg): from letsencrypt_apache.parser import ApacheParser def unparsable_true(self, arg): + """a helper to set the self unparsabale to true""" + print "side effect has passed in arg: %s", arg self.unparsable = True with mock.patch.object(ApacheParser, 'update_runtime_variables', autospec=True) as urv: urv.side_effect = unparsable_true @@ -196,7 +198,7 @@ class ParserInitTest(util.ApacheTest): self.assertRaises( errors.PluginError, ApacheParser, self.aug, os.path.relpath(self.config_path), "ctl") - self.assertEquals(1,1) + self.assertEquals(1, 1) def test_root_normalized(self): from letsencrypt_apache.parser import ApacheParser diff --git a/letsencrypt-apache/letsencrypt_apache/tests/tls_sni_01_test.py b/letsencrypt-apache/letsencrypt_apache/tests/tls_sni_01_test.py index 6f10555f8..7db4eee6f 100644 --- a/letsencrypt-apache/letsencrypt_apache/tests/tls_sni_01_test.py +++ b/letsencrypt-apache/letsencrypt_apache/tests/tls_sni_01_test.py @@ -78,7 +78,8 @@ class TlsSniPerformTest(util.ApacheTest): # pylint: disable=protected-access self.sni._setup_challenge_cert = mock_setup_cert - with mock.patch("letsencrypt_apache.configurator.ApacheConfigurator.enable_mod") as mock_enable: + with mock.patch( + "letsencrypt_apache.configurator.ApacheConfigurator.enable_mod"): sni_responses = self.sni.perform() self.assertEqual(mock_setup_cert.call_count, 2) From 61816a4029717860e2940d00d7c48e51e80d6bf7 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Mon, 21 Dec 2015 18:28:05 -0800 Subject: [PATCH 41/50] Give the user some warning before enabling backports --- bootstrap/_deb_common.sh | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/bootstrap/_deb_common.sh b/bootstrap/_deb_common.sh index cd9036581..1fc9babcc 100755 --- a/bootstrap/_deb_common.sh +++ b/bootstrap/_deb_common.sh 
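Review bot: The `print "side effect has passed in arg: %s", arg` line added to `unparsable_true` in parser_test.py (hunk `@@ -189,6 +189,8 @@`) uses a comma where `%` was presumably intended, so the literal `%s` is printed followed by the argument, and it adds output to every test run only to silence an unused-argument warning. A targeted suppression on the signature, `def unparsable_true(self, arg):  # pylint: disable=unused-argument`, documents the intent without side effects. The context line changed in the next hunk, `self.assertEquals(1, 1)`, asserts nothing and could be dropped rather than reformatted.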
@@ -38,11 +38,20 @@ AUGVERSION=`apt-cache show --no-all-versions libaugeas0 | grep ^Version: | cut - if dpkg --compare-version 1.0 gt "$AUGVERSION" ; then if lsb_release -a | grep -q wheezy ; then if ! grep -v -e ' *#' /etc/apt/sources.list | grep -q wheezy-backports ; then - # XXX ask for permission before doing this? - echo Installing augeas from wheezy-backports... - echo deb http://http.debian.net/debian wheezy-backports main >> /etc/apt/sources.list - apt-get update - apt-get install -y --no-install-recommends -t wheezy-backports libaugeas0 + # This can theoretically error if sources.list.d is empty, but in that case we don't care. + if ! grep -v -e ' *#' /etc/apt/sources.list.d/* | grep -q wheezy-backports 2>/dev/null ; then + echo -n "Installing libaugeas0 from wheezy-backports in 3 seconds..." + sleep 1s + echo -e "\e[0K\rInstalling libaugeas0 from wheezy-backports in 2 seconds..." + sleep 1s + echo -e "\e[0K\rInstalling libaugeas0 from wheezy-backports in 1 second ..." + sleep 1s + echo '(Backports are only installed if explicitly requested via "apt-get install -t wheezy-backports")' + + echo deb http://http.debian.net/debian wheezy-backports main >> /etc/apt/sources.list.d/wheezy-backports.list + apt-get update + apt-get install -y --no-install-recommends -t wheezy-backports libaugeas0 + fi fi augeas_pkg= else From 527eb82e6e436662bcfed10145e7c6cfde682d39 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Mon, 21 Dec 2015 18:28:36 -0800 Subject: [PATCH 42/50] Install backports, even if they were already present --- bootstrap/_deb_common.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bootstrap/_deb_common.sh b/bootstrap/_deb_common.sh index 1fc9babcc..aadacba0a 100755 --- a/bootstrap/_deb_common.sh +++ b/bootstrap/_deb_common.sh 
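Review bot: In the new `sources.list.d` check, `2>/dev/null` is attached to the second `grep`, but the error the comment above it anticipates (an empty directory, so the glob does not expand) comes from the first one. Moving the redirect makes the code match the comment: `if ! grep -v -e ' *#' /etc/apt/sources.list.d/* 2>/dev/null | grep -q wheezy-backports ; then`. Separately, a three-second countdown is not visible in a non-interactive run and offers no way to decline other than interrupting the script, while the block goes on to add a package source as root; the removed `# XXX ask for permission` comment described a stronger control, and it would be worth keeping a comment that records this as a known gap. The script's shebang is outside the hunk, so whether `echo -e` is supported by the interpreter cannot be confirmed from here.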
@@ -50,9 +50,9 @@ if dpkg --compare-version 1.0 gt "$AUGVERSION" ; then echo deb http://http.debian.net/debian wheezy-backports main >> /etc/apt/sources.list.d/wheezy-backports.list apt-get update - apt-get install -y --no-install-recommends -t wheezy-backports libaugeas0 fi fi + apt-get install -y --no-install-recommends -t wheezy-backports libaugeas0 augeas_pkg= else echo "No libaugeas0 version is available that's new enough to run the" From aa6bf73d4ad828bb87b7f02a0b17e9f98360bb1b Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Mon, 21 Dec 2015 19:57:12 -0800 Subject: [PATCH 43/50] Only test permission failures if we're not root or, more generally, if we're on a system where permissions are being enforced Closes: #1979 --- letsencrypt/plugins/webroot_test.py | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/letsencrypt/plugins/webroot_test.py b/letsencrypt/plugins/webroot_test.py index 9f5b6bba8..07e41e0d0 100644 --- a/letsencrypt/plugins/webroot_test.py +++ b/letsencrypt/plugins/webroot_test.py @@ -66,8 +66,17 @@ class AuthenticatorTest(unittest.TestCase): def test_prepare_reraises_other_errors(self): self.auth.full_path = os.path.join(self.path, "null") + permission_canary = os.path.join(self.path, "rnd") + f = open(permission_canary, "w") + f.write("thingimy") + f.close() os.chmod(self.path, 0o000) - self.assertRaises(errors.PluginError, self.auth.prepare) + try: + open(permission_canary, "r") + print("Warning, running tests as root skips permissions tests...") + except IOError: + # ok, permissions work, test away... + self.assertRaises(errors.PluginError, self.auth.prepare) os.chmod(self.path, 0o700) @mock.patch("letsencrypt.plugins.webroot.os.chown") From e41339cda8e8d091f0bc7babbdd9098c7d17a1f7 Mon Sep 17 00:00:00 2001 
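Review bot: After this move the `apt-get install -y --no-install-recommends -t wheezy-backports libaugeas0` line also runs on the path where wheezy-backports was already configured. That path prints nothing and skips the `apt-get update` that stays inside the inner `if`. Unless an earlier part of the script refreshes the package lists, the install can act on a stale index, and either way the operator is not told that a package is being pulled from backports. A one-line `echo "Installing augeas from wheezy-backports..."` directly before the install would cover both paths. The surrounding `if` blocks begin outside the hunk.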
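Review bot: In `test_prepare_reraises_other_errors` the restoring `os.chmod(self.path, 0o700)` runs only if nothing above it raises, so a failing `assertRaises` leaves the directory at mode `0o000` for whatever cleanup follows. The probe `open(permission_canary, "r")` also never closes its handle, and when permissions are not enforced the test prints a warning and is reported as passed although it checked nothing. Wrapping the probe and assertion in `try`/`finally`, closing the probe handle, and reporting a skip (where `skipTest` is available) keeps the canary idea while making the outcome visible. The later hunk in PATCH 50/50 wraps only the write side in `with`, so the read-side handle is still left open there.

```python
        os.chmod(self.path, 0o000)
        try:
            try:
                open(permission_canary, "r").close()
            except IOError:
                # ok, permissions work, test away...
                self.assertRaises(errors.PluginError, self.auth.prepare)
            else:
                self.skipTest("permissions are not enforced (running as root?)")
        finally:
            # always restore access, even when the assertion above fails
            os.chmod(self.path, 0o700)
```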
From: Peter Eckersley Date: Mon, 21 Dec 2015 20:01:28 -0800 Subject: [PATCH 44/50] Keep lint happy (But what about py3?) --- letsencrypt/plugins/webroot_test.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/letsencrypt/plugins/webroot_test.py b/letsencrypt/plugins/webroot_test.py index 07e41e0d0..137a2673e 100644 --- a/letsencrypt/plugins/webroot_test.py +++ b/letsencrypt/plugins/webroot_test.py @@ -73,7 +73,7 @@ class AuthenticatorTest(unittest.TestCase): os.chmod(self.path, 0o000) try: open(permission_canary, "r") - print("Warning, running tests as root skips permissions tests...") + print "Warning, running tests as root skips permissions tests..." except IOError: # ok, permissions work, test away... self.assertRaises(errors.PluginError, self.auth.prepare) From 67c0c454b4d7381f42bff3677b819818151094ac Mon Sep 17 00:00:00 2001 From: Joona Hoikkala Date: Tue, 22 Dec 2015 13:12:11 +0200 Subject: [PATCH 45/50] Fixed bug in bootstrapping script --- bootstrap/_deb_common.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bootstrap/_deb_common.sh b/bootstrap/_deb_common.sh index aadacba0a..227a2a9e3 100755 --- a/bootstrap/_deb_common.sh +++ b/bootstrap/_deb_common.sh @@ -35,7 +35,7 @@ fi augeas_pkg=libaugeas0 AUGVERSION=`apt-cache show --no-all-versions libaugeas0 | grep ^Version: | cut -d" " -f2` -if dpkg --compare-version 1.0 gt "$AUGVERSION" ; then +if dpkg --compare-versions 1.0 gt "$AUGVERSION" ; then if lsb_release -a | grep -q wheezy ; then if ! grep -v -e ' *#' /etc/apt/sources.list | grep -q wheezy-backports ; then # This can theoretically error if sources.list.d is empty, but in that case we don't care. From 092b906dee9d51f9762d16a4497a3beaf279b057 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Tue, 22 Dec 2015 11:20:42 -0800 Subject: [PATCH 46/50] Fix the prettyprinted note --- bootstrap/_deb_common.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
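Review bot: The statement form `print "Warning, running tests as root skips permissions tests..."` is a syntax error on Python 3, so the whole of `webroot_test.py` would fail to import there rather than one test failing. The commit subject already raises the question. If the lint complaint was about the parentheses, adding `from __future__ import print_function` at the top of the file and keeping `print("Warning, running tests as root skips permissions tests...")` should satisfy both interpreters and, presumably, the linter. Reporting the condition through the test framework instead of stdout would avoid the question entirely.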
diff --git a/bootstrap/_deb_common.sh b/bootstrap/_deb_common.sh index 227a2a9e3..d6487381e 100755 --- a/bootstrap/_deb_common.sh +++ b/bootstrap/_deb_common.sh @@ -40,13 +40,13 @@ if dpkg --compare-versions 1.0 gt "$AUGVERSION" ; then if ! grep -v -e ' *#' /etc/apt/sources.list | grep -q wheezy-backports ; then # This can theoretically error if sources.list.d is empty, but in that case we don't care. if ! grep -v -e ' *#' /etc/apt/sources.list.d/* | grep -q wheezy-backports 2>/dev/null ; then - echo -n "Installing libaugeas0 from wheezy-backports in 3 seconds..." + /bin/echo -n "Installing augeas from wheezy-backports in 3 seconds..." sleep 1s - echo -e "\e[0K\rInstalling libaugeas0 from wheezy-backports in 2 seconds..." + /bin/echo -ne "\e[0K\rInstalling augeas from wheezy-backports in 2 seconds..." sleep 1s - echo -e "\e[0K\rInstalling libaugeas0 from wheezy-backports in 1 second ..." + /bin/echo -ne "\e[0K\rInstalling augeas from wheezy-backports in 1 second ..." sleep 1s - echo '(Backports are only installed if explicitly requested via "apt-get install -t wheezy-backports")' + /bin/echo '(Backports are only installed if explicitly requested via "apt-get install -t wheezy-backports")' echo deb http://http.debian.net/debian wheezy-backports main >> /etc/apt/sources.list.d/wheezy-backports.list apt-get update From eaa6a51f0fa8e031fb6894059a877fe06884ae37 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Tue, 22 Dec 2015 11:23:36 -0800 Subject: [PATCH 47/50] A different kind of silence --- bootstrap/_deb_common.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bootstrap/_deb_common.sh b/bootstrap/_deb_common.sh index d6487381e..3c33e9beb 100755 --- a/bootstrap/_deb_common.sh +++ b/bootstrap/_deb_common.sh 
@@ -39,7 +39,7 @@ if dpkg --compare-versions 1.0 gt "$AUGVERSION" ; then if lsb_release -a | grep -q wheezy ; then if ! grep -v -e ' *#' /etc/apt/sources.list | grep -q wheezy-backports ; then # This can theoretically error if sources.list.d is empty, but in that case we don't care. - if ! grep -v -e ' *#' /etc/apt/sources.list.d/* | grep -q wheezy-backports 2>/dev/null ; then + if ! grep -v -e ' *#' /etc/apt/sources.list.d/* | grep -q wheezy-backports >/dev/null ; then /bin/echo -n "Installing augeas from wheezy-backports in 3 seconds..." sleep 1s /bin/echo -ne "\e[0K\rInstalling augeas from wheezy-backports in 2 seconds..." From 28fef227ebb25c8a08baee32ae2d18b96a935a60 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Tue, 22 Dec 2015 11:26:36 -0800 Subject: [PATCH 48/50] Final tweaks And a third kind of silence --- bootstrap/_deb_common.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bootstrap/_deb_common.sh b/bootstrap/_deb_common.sh index 3c33e9beb..6f9d41c5d 100755 --- a/bootstrap/_deb_common.sh +++ b/bootstrap/_deb_common.sh @@ -39,12 +39,12 @@ if dpkg --compare-versions 1.0 gt "$AUGVERSION" ; then if lsb_release -a | grep -q wheezy ; then if ! grep -v -e ' *#' /etc/apt/sources.list | grep -q wheezy-backports ; then # This can theoretically error if sources.list.d is empty, but in that case we don't care. - if ! grep -v -e ' *#' /etc/apt/sources.list.d/* | grep -q wheezy-backports >/dev/null ; then + if ! grep -v -e ' *#' /etc/apt/sources.list.d/* 2>/dev/null | grep -q wheezy-backports ; then /bin/echo -n "Installing augeas from wheezy-backports in 3 seconds..." sleep 1s /bin/echo -ne "\e[0K\rInstalling augeas from wheezy-backports in 2 seconds..." sleep 1s - /bin/echo -ne "\e[0K\rInstalling augeas from wheezy-backports in 1 second ..." + /bin/echo -e "\e[0K\rInstalling augeas from wheezy-backports in 1 second ..." sleep 1s /bin/echo '(Backports are only installed if explicitly requested via "apt-get install -t wheezy-backports")' 
From bccff905db5b29bbe346d1669b376e750770001f Mon Sep 17 00:00:00 2001 From: Dominic Cleal Date: Tue, 22 Dec 2015 22:14:53 +0000 Subject: [PATCH 49/50] Add passing test for quote inside RewriteRule Already fixed recently by commit a72e498. Closes: #1960 --- tests/apache-conf-files/passing/rewrite-quote-1960.conf | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 tests/apache-conf-files/passing/rewrite-quote-1960.conf diff --git a/tests/apache-conf-files/passing/rewrite-quote-1960.conf b/tests/apache-conf-files/passing/rewrite-quote-1960.conf new file mode 100644 index 000000000..26214e7b0 --- /dev/null +++ b/tests/apache-conf-files/passing/rewrite-quote-1960.conf @@ -0,0 +1,7 @@ + + RewriteEngine On + RewriteCond %{REQUEST_URI} ^.*(,|;|:|<|>|">|"<|/|\\\.\.\\).* [NC,OR] + RewriteCond %{REQUEST_URI} ^.*(\=|\@|\[|\]|\^|\`|\{|\}|\~).* [NC,OR] + RewriteCond %{REQUEST_URI} ^.*(\'|%0A|%0D|%27|%3C|%3E|%00).* [NC] + RewriteRule ^(.*)$ - [F,L] + From f5cf58f42ef0704a9b4ddf122310527764d727ba Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Tue, 22 Dec 2015 15:42:53 -0800 Subject: [PATCH 50/50] with .. open .. as # definitely nicer --- letsencrypt/plugins/webroot_test.py | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/letsencrypt/plugins/webroot_test.py b/letsencrypt/plugins/webroot_test.py index 137a2673e..defe9396b 100644 --- a/letsencrypt/plugins/webroot_test.py +++ b/letsencrypt/plugins/webroot_test.py @@ -67,9 +67,8 @@ class AuthenticatorTest(unittest.TestCase): def test_prepare_reraises_other_errors(self): self.auth.full_path = os.path.join(self.path, "null") permission_canary = os.path.join(self.path, "rnd") - f = open(permission_canary, "w") - f.write("thingimy") - f.close() + with open(permission_canary, "w") as f: + f.write("thingimy") os.chmod(self.path, 0o000) try: open(permission_canary, "r")