[tor-commits] [flashproxy/master] populate /etc/flashproxy during post-install, including generating keys

infinity0 at torproject.org infinity0 at torproject.org
Thu Nov 21 13:18:46 UTC 2013


commit fef2e2abed21c0a7238e7824d3e733eb379244cb
Author: Ximin Luo <infinity0 at gmx.com>
Date:   Fri Sep 13 15:09:13 2013 +0100

    populate /etc/flashproxy during post-install, including generating keys
---
 facilitator/INSTALL                   |    8 +++++++
 facilitator/Makefile.am               |   38 +++++++++++++++++++++++++++++----
 facilitator/conf/fp-facilitator       |   27 -----------------------
 facilitator/conf/reg-email.pass       |    3 +++
 facilitator/configure.ac              |    1 +
 facilitator/doc/facilitator-howto.txt |   18 +---------------
 facilitator/examples/fp-facilitator   |   27 +++++++++++++++++++++++
 7 files changed, 74 insertions(+), 48 deletions(-)

diff --git a/facilitator/INSTALL b/facilitator/INSTALL
index b6e0882..34004f4 100644
--- a/facilitator/INSTALL
+++ b/facilitator/INSTALL
@@ -16,6 +16,14 @@ It also installs System V init files to /etc/init.d/.
 The pre/post-install scripts create a user for the daemon to as, and
 sets up the initscripts in the default system runlevels.
 
+They also generate a RSA key in /etc/flashproxy/reg-daemon.{key,pub}.
+You will have to edit flashproxy-reg-email (in the client package) and
+copy the contents of reg-daemon.pub into the appropriate place.
+TODO(infinity0): find a better solution for this.
+
+You should also edit /etc/flashproxy/reg-email.pass to contain your
+app-specific Gmail password; see doc/gmail-setup.txt for instructions.
+
 Uninstall.
 
 	# make pre-remove uninstall post-remove
diff --git a/facilitator/Makefile.am b/facilitator/Makefile.am
index 200053a..44c0442 100644
--- a/facilitator/Makefile.am
+++ b/facilitator/Makefile.am
@@ -4,6 +4,8 @@ fpfacilitatoruser = @fpfacilitatoruser@
 initscriptdir = $(sysconfdir)/init.d
 exampledir = $(docdir)/examples
 appenginedir = $(pkgdatadir)/appengine
+pkgconfdir = $(sysconfdir)/flashproxy
+appengineconfdir = $(pkgconfdir)/reg-appengine
 
 # automake PLVs
 
@@ -11,8 +13,9 @@ dist_bin_SCRIPTS = facilitator facilitator-email-poller facilitator-reg-daemon f
 initscript_SCRIPTS = init.d/facilitator init.d/facilitator-email-poller init.d/facilitator-reg-daemon
 
 dist_doc_DATA = doc/appengine-howto.txt doc/facilitator-howto.txt doc/gmail-howto.txt README
-dist_example_DATA = conf/fp-facilitator
+dist_example_DATA = examples/fp-facilitator conf/reg-email.pass
 dist_appengine_DATA = appengine/app.yaml appengine/config.go appengine/fp-reg.go appengine/README
+appengineconf_DATA = appengine/config.go
 
 dist_TESTS = facilitator-test
 
@@ -33,6 +36,7 @@ pre-install:
 	which adduser >/dev/null 2>&1 && \
 	  adduser --quiet \
 	    --system \
+	    --group \
 	    --disabled-password \
 	    --home $(sysconfdir)/flashproxy \
 	    --no-create-home \
@@ -45,24 +49,50 @@ pre-install:
 	    --shell /bin/false \
 	    $(fpfacilitatoruser) ; }
 
-post-install:
+post-install-secrets:
+	install -m 600 /dev/null $(pkgconfdir)/reg-daemon.key
+	openssl genrsa 2048 | tee $(pkgconfdir)/reg-daemon.key | \
+	openssl rsa -pubout > $(pkgconfdir)/reg-daemon.pub
+	install -m 600 $(exampledir)/reg-email.pass $(pkgconfdir)/reg-email.pass
+	chown $(fpfacilitatoruser): $(pkgconfdir)/reg-daemon.key
+	chown $(fpfacilitatoruser): $(pkgconfdir)/reg-email.pass
+
+post-install-symlinks:
+	for i in fp-reg.go app.yaml README; do \
+	  $(LN_S) -f $(appenginedir)/$$i $(appengineconfdir)/$$i; \
+	done
+
+post-install-daemon:
 	for i in facilitator facilitator-email-poller facilitator-reg-daemon; do \
 	  update-rc.d $$i defaults; \
 	  invoke-rc.d $$i start; \
 	done
 
-pre-remove:
+post-install: post-install-secrets post-install-symlinks post-install-daemon
+
+pre-remove-daemon:
 	for i in facilitator facilitator-email-poller facilitator-reg-daemon; do \
 	  invoke-rc.d $$i stop; \
 	done
 
+pre-remove-symlinks:
+	rm -rf $(appengineconfdir)
+
+pre-remove-secrets:
+	rm -f $(pkgconfdir)/reg-*
+
+pre-remove: pre-remove-daemon pre-remove-symlinks pre-remove-secrets
+
 post-remove:
+	: # deluser does actually remove the group as well
 	id -u $(fpfacilitatoruser) >/dev/null 2>&1 && { \
 	which deluser >/dev/null 2>&1 && \
 	  deluser --quiet \
 	    --system \
 	    $(fpfacilitatoruser) || \
 	  userdel \
-	    $(fpfacilitatoruser) ; }
+	    $(fpfacilitatoruser) ; } || true
 
 .PHONY: pre-install post-install pre-remove post-remove
+.PHONY: post-install-secrets post-install-symlinks post-install-daemon
+.PHONY: pre-remove-daemon pre-remove-symlinks pre-remove-secrets
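Review bot: post-install-secrets regenerates reg-daemon.key and re-installs the placeholder reg-email.pass unconditionally, so re-running post-install (an upgrade, or a second `make post-install`) silently rotates the private key whose public half the INSTALL text tells operators to copy into the client package, and replaces the operator's real Gmail password with the example text. Guard both on an existence check so an already-provisioned secret is never clobbered; the `install -m 600 /dev/null` before `tee` is the right way to keep the key from ever being world-readable and should stay. Note also that the pipeline's exit status is that of the final `openssl rsa -pubout`, so a `genrsa` failure is only caught indirectly through `rsa` rejecting empty input. If pre-remove-secrets (`rm -f $(pkgconfdir)/reg-*`) is also expected to run during upgrades, the same key-rotation concern applies there and the operator should presumably be told so.
```make
post-install-secrets:
	test -e $(pkgconfdir)/reg-daemon.key || { \
	  install -m 600 /dev/null $(pkgconfdir)/reg-daemon.key && \
	  openssl genrsa 2048 | tee $(pkgconfdir)/reg-daemon.key | \
	  openssl rsa -pubout > $(pkgconfdir)/reg-daemon.pub ; }
	test -e $(pkgconfdir)/reg-email.pass || \
	  install -m 600 $(exampledir)/reg-email.pass $(pkgconfdir)/reg-email.pass
# … unchanged: chown lines …
```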
diff --git a/facilitator/conf/fp-facilitator b/facilitator/conf/fp-facilitator
deleted file mode 100644
index 125d0cc..0000000
--- a/facilitator/conf/fp-facilitator
+++ /dev/null
@@ -1,27 +0,0 @@
-# This is an example apache2 config for serving the facilitator.
-#
-# You can edit this file according to the instructions below, then copy it to
-# /etc/apache2/sites-available/fp-facilitator, or wherever is appropriate. Then
-# you can run `a2ensite fp-facilitator` to enable it.
-#
-<VirtualHost *:443>
-	# Update this with your hostname!
-	ServerName fp-facilitator.example.com
-	DocumentRoot /dev/null
-	# Make sure the path below matchs where you installed the facilitator.
-	ScriptAliasMatch ^(.*) /usr/bin/facilitator.cgi$1
-	MaxClients 256
-
-	CustomLog ${APACHE_LOG_DIR}/fp-access.log common
-	ErrorLog ${APACHE_LOG_DIR}/fp-error.log
-	LogLevel warn
-	SSLEngine on
-
-	# Manually install your certificate to the following location.
-	SSLCertificateFile /etc/apache2/fp-facilitator.pem
-	# If you got an intermediate certificate, uncomment the following line
-	# and install the certificate to that location too.
-	#SSLCertificateChainFile /etc/apache2/fp-intermediate.pem
-
-	Header add Strict-Transport-Security "max-age=15768000"
-</VirtualHost>
diff --git a/facilitator/conf/reg-email.pass b/facilitator/conf/reg-email.pass
new file mode 100644
index 0000000..d1a58f7
--- /dev/null
+++ b/facilitator/conf/reg-email.pass
@@ -0,0 +1,3 @@
+Replace the contents of this file with your application-specific password for
+your Gmail account - *not* your account password. You may see gmail-setup.txt in
+this package's documentation for instructions on how to set this up.
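Review bot: The placeholder text refers readers to gmail-setup.txt, but the document this commit ships via dist_doc_DATA in Makefile.am is doc/gmail-howto.txt, and the existing facilitator-howto text also names gmail-howto.txt, so the reference will not resolve for an operator looking in the installed docs; the INSTALL hunk in this commit carries the same dangling name. Suggest `your Gmail account - *not* your account password. See gmail-howto.txt in` / `this package's documentation for instructions on how to set this up.`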
diff --git a/facilitator/configure.ac b/facilitator/configure.ac
index 3b74de5..386c20f 100644
--- a/facilitator/configure.ac
+++ b/facilitator/configure.ac
@@ -10,4 +10,5 @@ AC_CONFIG_FILES([Makefile
 	init.d/facilitator-email-poller
 	init.d/facilitator-reg-daemon])
 
+AC_PROG_LN_S
 AC_OUTPUT
diff --git a/facilitator/doc/facilitator-howto.txt b/facilitator/doc/facilitator-howto.txt
index 6da8783..3a853ef 100644
--- a/facilitator/doc/facilitator-howto.txt
+++ b/facilitator/doc/facilitator-howto.txt
@@ -97,7 +97,7 @@ Edit /etc/apache2/ports.conf and comment out the port 80 configuration.
 	# NameVirtualHost *:80
 	# Listen 80
 
-Edit conf/fp-facilitator as per the instructions given in that file, and
+Edit examples/fp-facilitator as per the instructions given in that file, and
 install it to /etc/apache2/sites-available/fp-facilitator or whatever is
 appropriate for your apache2 installation.
 
@@ -125,19 +125,3 @@ Copy the new fp-facilitator.pem to the facilitator server as
 /etc/apache2/fp-facilitator.pem.
 
 	# /etc/init.d/apache2 restart
-
-=== Email poller setup
-
-The facilitator-email-poller program requires a password that is used to
-log in to the designated Gmail account. See the file gmail-howto.txt for
-instructions on setting up a Gmail account. After you've set up the
-account and have the password, save it to a file reg-email.pass and make
-it not readable or writable by anyone but its owner.
-
-	# chmod 600 /etc/flashproxy/reg-email.pass
-
-Install reg-email.pass to /etc/flashproxy to match what the init script
-expects.
-
-	# update-rc.d facilitator-email-poller defaults
-	# /etc/init.d/facilitator-email-poller start
diff --git a/facilitator/examples/fp-facilitator b/facilitator/examples/fp-facilitator
new file mode 100644
index 0000000..125d0cc
--- /dev/null
+++ b/facilitator/examples/fp-facilitator
@@ -0,0 +1,27 @@
+# This is an example apache2 config for serving the facilitator.
+#
+# You can edit this file according to the instructions below, then copy it to
+# /etc/apache2/sites-available/fp-facilitator, or wherever is appropriate. Then
+# you can run `a2ensite fp-facilitator` to enable it.
+#
+<VirtualHost *:443>
+	# Update this with your hostname!
+	ServerName fp-facilitator.example.com
+	DocumentRoot /dev/null
+	# Make sure the path below matchs where you installed the facilitator.
+	ScriptAliasMatch ^(.*) /usr/bin/facilitator.cgi$1
+	MaxClients 256
+
+	CustomLog ${APACHE_LOG_DIR}/fp-access.log common
+	ErrorLog ${APACHE_LOG_DIR}/fp-error.log
+	LogLevel warn
+	SSLEngine on
+
+	# Manually install your certificate to the following location.
+	SSLCertificateFile /etc/apache2/fp-facilitator.pem
+	# If you got an intermediate certificate, uncomment the following line
+	# and install the certificate to that location too.
+	#SSLCertificateChainFile /etc/apache2/fp-intermediate.pem
+
+	Header add Strict-Transport-Security "max-age=15768000"
+</VirtualHost>




