Move CSR off disk, fix hardcoded client_secrets path.
@@ -49,6 +49,11 @@ parser.add_argument(
|
|||||||
dest='certserver',
|
dest='certserver',
|
||||||
action='store',
|
action='store',
|
||||||
required=True)
|
required=True)
|
||||||
|
parser.add_argument(
|
||||||
|
'--client-secrets',
|
||||||
|
dest='client_secrets',
|
||||||
|
action='store',
|
||||||
|
required=True)
|
||||||
parser.add_argument(
|
parser.add_argument(
|
||||||
'--export-password',
|
'--export-password',
|
||||||
dest='export_password',
|
dest='export_password',
|
||||||
@@ -89,7 +94,8 @@ class HTTPServer6(server.HTTPServer):
|
|||||||
|
|
||||||
class OAuthProxy(object):
|
class OAuthProxy(object):
|
||||||
|
|
||||||
def __init__(self, listen_host, listen_port, server_key, server_cert, api_key, allowed_domain, subject, ca_cert, export_password, certclient):
|
def __init__(self, listen_host, listen_port, server_key, server_cert, client_secrets, api_key, allowed_domain, subject, ca_cert, export_password, certclient):
|
||||||
|
self._client_secrets = client_secrets
|
||||||
self._api_key = api_key
|
self._api_key = api_key
|
||||||
self._allowed_domain = allowed_domain
|
self._allowed_domain = allowed_domain
|
||||||
self._subject = subject
|
self._subject = subject
|
||||||
@@ -129,7 +135,7 @@ class OAuthProxy(object):
|
|||||||
'/oauth2callback',
|
'/oauth2callback',
|
||||||
])
|
])
|
||||||
return client.flow_from_clientsecrets(
|
return client.flow_from_clientsecrets(
|
||||||
'client_secrets.json',
|
self._client_secrets,
|
||||||
login_hint=self._allowed_domain,
|
login_hint=self._allowed_domain,
|
||||||
scope='https://www.googleapis.com/auth/userinfo.email',
|
scope='https://www.googleapis.com/auth/userinfo.email',
|
||||||
redirect_uri=return_url)
|
redirect_uri=return_url)
|
||||||
@@ -138,25 +144,25 @@ class OAuthProxy(object):
|
|||||||
with tempfile.TemporaryDirectory() as td:
|
with tempfile.TemporaryDirectory() as td:
|
||||||
key_path = os.path.join(td, 'key.pem')
|
key_path = os.path.join(td, 'key.pem')
|
||||||
subprocess.check_call([
|
subprocess.check_call([
|
||||||
'openssl', 'ecparam', '-genkey',
|
'openssl', 'ecparam', '-genkey',
|
||||||
'-name', 'secp384r1',
|
'-name', 'secp384r1',
|
||||||
'-out', key_path,
|
'-out', key_path,
|
||||||
])
|
])
|
||||||
csr_path = os.path.join(td, 'csr.pem')
|
csr_path = os.path.join(td, 'csr.pem')
|
||||||
subprocess.check_call([
|
proc = subprocess.Popen([
|
||||||
'openssl', 'req', '-new',
|
'openssl', 'req', '-new',
|
||||||
'-key', key_path,
|
'-key', key_path,
|
||||||
'-out', csr_path,
|
'-subj', self._subject.replace('EMAIL', email),
|
||||||
'-subj', self._subject.replace('EMAIL', email),
|
],
|
||||||
])
|
stdout=subprocess.PIPE)
|
||||||
csr = open(csr_path, 'rb').read()
|
csr = proc.stdout.read()
|
||||||
cert = self._certclient.Request(csr)
|
cert = self._certclient.Request(csr)
|
||||||
proc = subprocess.Popen([
|
proc = subprocess.Popen([
|
||||||
'openssl', 'pkcs12', '-export',
|
'openssl', 'pkcs12', '-export',
|
||||||
'-inkey', key_path,
|
'-inkey', key_path,
|
||||||
'-certfile', self._ca_cert,
|
'-certfile', self._ca_cert,
|
||||||
'-passout', self._export_password,
|
'-passout', self._export_password,
|
||||||
],
|
],
|
||||||
stdin=subprocess.PIPE,
|
stdin=subprocess.PIPE,
|
||||||
stdout=subprocess.PIPE)
|
stdout=subprocess.PIPE)
|
||||||
proc.stdin.write(cert.encode('ascii'))
|
proc.stdin.write(cert.encode('ascii'))
|
||||||
@@ -204,6 +210,7 @@ def main():
|
|||||||
FLAGS.listen_port,
|
FLAGS.listen_port,
|
||||||
FLAGS.server_key,
|
FLAGS.server_key,
|
||||||
FLAGS.server_cert,
|
FLAGS.server_cert,
|
||||||
|
FLAGS.client_secrets,
|
||||||
FLAGS.api_key,
|
FLAGS.api_key,
|
||||||
FLAGS.allowed_domain,
|
FLAGS.allowed_domain,
|
||||||
FLAGS.subject,
|
FLAGS.subject,
|
||||||
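Review bot: In the `@@ -138,25 +144,25 @@` hunk, `csr = proc.stdout.read()` replaces the old `check_call` without waiting on the child or checking its exit status, so a failing `openssl req` (unreadable key file, a malformed `-subj` after the `EMAIL` substitution) now yields an empty or truncated `csr` that is handed straight to `self._certclient.Request(csr)` instead of raising as before. Keep the CSR in memory but restore the failure check by replacing the `Popen`/`read()` pair with `csr = subprocess.run([` ... `], stdout=subprocess.PIPE, check=True).stdout` (or `csr, _ = proc.communicate()` followed by a `proc.returncode` check on interpreters without `subprocess.run`). With the CSR no longer written out, `csr_path = os.path.join(td, 'csr.pem')` on the new side is dead and can be dropped. The pkcs12 `Popen` further down shows the same no-exit-status pattern, but its tail and the rest of the enclosing method lie outside the hunk.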
|
|||||||