Moving default SSL certificate to Kong working directory

Former-commit-id: a8ad185d7259bcc48ed2e28e3aec91c1dd9f4b0c
Kong · Aug 11, 2015 · eefdaab · eefdaab
1 parent e3a32c7
commit eefdaab
Show file tree

Hide file tree

Showing 5 changed files with 25 additions and 16 deletions.
diff --git a/kong-0.4.2-1.rockspec b/kong-0.4.2-1.rockspec
@@ -182,5 +182,5 @@ build = {
     conf = { "kong.yml" },
     bin = { "bin/kong" }
   },
-  copy_directories = { "database/migrations/", "ssl" }
+  copy_directories = { "database/migrations/" }
 }
diff --git a/kong/cli/utils/signal.lua b/kong/cli/utils/signal.lua
@@ -85,7 +85,11 @@ local function prepare_nginx_working_dir(args_config)
   -- Create logs files
   os.execute("touch "..IO.path:join(kong_config.nginx_working_dir, "logs", "error.log"))
   os.execute("touch "..IO.path:join(kong_config.nginx_working_dir, "logs", "access.log"))
-
+  -- Create SSL folder if needed
+  local _, err = IO.path:mkdir(IO.path:join(kong_config.nginx_working_dir, "ssl"))
+  if err then
+    cutils.logger:error_exit(err)
+  end
   -- TODO: this is NOT the place to do this.
   -- @see https://github.com/Mashape/kong/issues/92 for configuration validation/defaults
   -- @see https://github.com/Mashape/kong/issues/217 for a better configuration file
@@ -102,6 +106,7 @@ local function prepare_nginx_working_dir(args_config)
     cutils.logger:warn("Setting \"memory_cache_size\" to default 128MB")
   end
 
+  ssl.prepare_ssl(kong_config)
   local ssl_cert_path, ssl_key_path = ssl.get_ssl_cert_and_key(kong_config)
   local trusted_ssl_cert_path = kong_config.databases_available[kong_config.database].properties.ssl_certificate -- DAO ssl cert
 
@@ -223,7 +228,6 @@ function _M.prepare_kong(args_config, signal)
 
   cutils.logger:info("Connecting to the database...")
   prepare_database(args_config)
-  ssl.prepare_ssl()
   prepare_nginx_working_dir(args_config, signal)
 end
 

diff --git a/kong/cli/utils/ssl.lua b/kong/cli/utils/ssl.lua
@@ -14,8 +14,8 @@ function _M.get_ssl_cert_and_key(kong_config)
     ssl_cert_path = kong_config.ssl_cert_path
     ssl_key_path = kong_config.ssl_key_path
   else
-    ssl_cert_path = IO.path:join(cutils.get_luarocks_install_dir(), "ssl", "kong-default.crt")
-    ssl_key_path = IO.path:join(cutils.get_luarocks_install_dir(), "ssl", "kong-default.key")
+    ssl_cert_path = IO.path:join(kong_config.nginx_working_dir, "ssl", "kong-default.crt")
+    ssl_key_path = IO.path:join(kong_config.nginx_working_dir, "ssl", "kong-default.key")
   end
 
   -- Check that the file exists
@@ -29,9 +29,14 @@ function _M.get_ssl_cert_and_key(kong_config)
   return ssl_cert_path, ssl_key_path
 end
 
-function _M.prepare_ssl()
-  local ssl_cert_path = IO.path:join(cutils.get_luarocks_install_dir(), "ssl", "kong-default.crt")
-  local ssl_key_path = IO.path:join(cutils.get_luarocks_install_dir(), "ssl", "kong-default.key")
+local function is_sudo()
+  local _, code = IO.os_execute("id -u")
+  return code == 0
+end
+
+function _M.prepare_ssl(kong_config)
+  local ssl_cert_path = IO.path:join(kong_config.nginx_working_dir, "ssl", "kong-default.crt")
+  local ssl_key_path = IO.path:join(kong_config.nginx_working_dir, "ssl", "kong-default.key")
 
   if not (IO.file_exists(ssl_cert_path) and IO.file_exists(ssl_key_path)) then
     -- Autogenerating the certificates for the first time
@@ -40,15 +45,17 @@ function _M.prepare_ssl()
     local file_name = os.tmpname()
     local passphrase = utils.random_string()
 
+    local sudo = is_sudo() and "sudo" or ""
+
     local res, code = IO.os_execute([[
       cd /tmp && \
       openssl genrsa -des3 -out ]]..file_name..[[.key -passout pass:]]..passphrase..[[ 1024 && \
       openssl req -new -key ]]..file_name..[[.key -out ]]..file_name..[[.csr -subj "/C=US/ST=California/L=San Francisco/O=Kong/OU=IT Department/CN=localhost" -passin pass:]]..passphrase..[[ && \
       cp ]]..file_name..[[.key ]]..file_name..[[.key.org && \
       openssl rsa -in ]]..file_name..[[.key.org -out ]]..file_name..[[.key -passin pass:]]..passphrase..[[ && \
       openssl x509 -req -in ]]..file_name..[[.csr -signkey ]]..file_name..[[.key -out ]]..file_name..[[.crt && \
-      sudo mv ]]..file_name..[[.crt ]]..ssl_cert_path..[[ && \
-      sudo mv ]]..file_name..[[.key ]]..ssl_key_path)
+      mv ]]..file_name..[[.crt ]]..ssl_cert_path..[[ && \
+      mv ]]..file_name..[[.key ]]..ssl_key_path)
 
     if code ~= 0 then
       cutils.logger:error_exit("There was an error when auto-generating the default SSL certificate: "..res)

diff --git a/spec/plugins/ssl/access_spec.lua b/spec/plugins/ssl/access_spec.lua
@@ -5,7 +5,6 @@ local IO = require "kong.tools.io"
 local http_client = require "kong.tools.http_client"
 local cjson = require "cjson"
 local ssl_fixtures = require "spec.plugins.ssl.fixtures"
-local cutils = require "kong.cli.utils"
 
 local STUB_GET_SSL_URL = spec_helper.STUB_GET_SSL_URL
 local STUB_GET_URL = spec_helper.STUB_GET_URL
@@ -93,8 +92,10 @@ describe("SSL Plugin", function()
     local response = http_client.get(API_URL.."/apis/", {public_dns="ssl3.com"})
     local api_id = cjson.decode(response).data[1].id
 
-    local ssl_cert_path = IO.path:join(cutils.get_luarocks_install_dir(), "ssl", "kong-default.crt")
-    local ssl_key_path = IO.path:join(cutils.get_luarocks_install_dir(), "ssl", "kong-default.key")
+    local kong_working_dir = spec_helper.get_env(spec_helper.TEST_CONF_FILE).configuration.nginx_working_dir
+
+    local ssl_cert_path = IO.path:join(kong_working_dir, "ssl", "kong-default.crt")
+    local ssl_key_path = IO.path:join(kong_working_dir, "ssl", "kong-default.key")
 
     local res = IO.os_execute("curl -s -o /dev/null -w \"%{http_code}\" "..API_URL.."/apis/"..api_id.."/plugins/ --form \"name=ssl\" --form \"value.cert=@"..ssl_cert_path.."\" --form \"value.key=@"..ssl_key_path.."\"")
     assert.are.equal(201, tonumber(res))

diff --git a/ssl/README.md b/ssl/README.md