From 00d91dcaaa158c6592da2915dde1910a2d6dfdbf Mon Sep 17 00:00:00 2001
From: bunkerity
Date: Mon, 11 Oct 2021 20:57:13 +0200
Subject: [PATCH] jobs - move certbot hooks to python

---
 autoconf/prepare.sh | 2 +-
 helpers/install.sh | 2 +-
 jobs/CertbotNew.py | 2 +-
 jobs/certbot-auth.py | 36 ++++++++++++++++++++++++++++++++++++
 jobs/certbot-auth.sh | 9 ---------
 jobs/certbot-cleanup.py | 14 ++++++++++++++
 jobs/certbot-cleanup.sh | 3 ---
 7 files changed, 53 insertions(+), 15 deletions(-)
 create mode 100644 jobs/certbot-auth.py
 delete mode 100644 jobs/certbot-auth.sh
 create mode 100644 jobs/certbot-cleanup.py
 delete mode 100644 jobs/certbot-cleanup.sh

diff --git a/autoconf/prepare.sh b/autoconf/prepare.sh
index b314afe..6469d1c 100644
--- a/autoconf/prepare.sh
+++ b/autoconf/prepare.sh
@@ -16,7 +16,7 @@ chmod ugo+x /opt/bunkerized-nginx/entrypoint/* /opt/bunkerized-nginx/scripts/*
 chmod ugo+x /opt/bunkerized-nginx/gen/main.py
 chmod ugo+x /opt/bunkerized-nginx/jobs/main.py
 chmod ugo+x /opt/bunkerized-nginx/jobs/reload.py
-chmod ugo+x /opt/bunkerized-nginx/jobs/certbot-*.sh
+chmod ugo+x /opt/bunkerized-nginx/jobs/certbot-*.py
 chmod 770 /opt/bunkerized-nginx
 chmod 440 /opt/bunkerized-nginx/settings.json
 
diff --git a/helpers/install.sh b/helpers/install.sh
index 3167d1e..f67e7ed 100755
--- a/helpers/install.sh
+++ b/helpers/install.sh
@@ -845,7 +845,7 @@ do_and_check_cmd chmod 750 /opt/bunkerized-nginx/entrypoint/*
 do_and_check_cmd chmod 750 /opt/bunkerized-nginx/gen/main.py
 do_and_check_cmd chmod 750 /opt/bunkerized-nginx/jobs/main.py
 do_and_check_cmd chmod 750 /opt/bunkerized-nginx/jobs/reload.py
-do_and_check_cmd chmod 750 /opt/bunkerized-nginx/jobs/certbot-*.sh
+do_and_check_cmd chmod 750 /opt/bunkerized-nginx/jobs/certbot-*.py
 # Set permissions for /usr/local/bin/bunkerized-nginx
 do_and_check_cmd chown root:root /usr/local/bin/bunkerized-nginx
 do_and_check_cmd chmod 750 /usr/local/bin/bunkerized-nginx
diff --git a/jobs/CertbotNew.py b/jobs/CertbotNew.py
index 4e42ceb..d215379 100644
--- a/jobs/CertbotNew.py
+++ b/jobs/CertbotNew.py
@@ -6,7 +6,7 @@ class CertbotNew(Job) :
 
 	def __init__(self, redis_host=None, copy_cache=False, domain="", email="", staging=False) :
 		name = "certbot-new"
-		data = ["certbot", "certonly", "--manual", "--preferred-challenges=http", "--manual-auth-hook", "/opt/bunkerized-nginx/jobs/certbot-auth.sh", "--manual-cleanup-hook", "/opt/bunkerized-nginx/jobs/certbot-cleanup.sh", "-n", "-d", domain, "--email", email, "--agree-tos"]
+		data = ["certbot", "certonly", "--manual", "--preferred-challenges=http", "--manual-auth-hook", "/opt/bunkerized-nginx/jobs/certbot-auth.py", "--manual-cleanup-hook", "/opt/bunkerized-nginx/jobs/certbot-cleanup.py", "-n", "-d", domain, "--email", email, "--agree-tos"]
 		if staging :
 			data.append("--staging")
 		type = "exec"
diff --git a/jobs/certbot-auth.py b/jobs/certbot-auth.py
new file mode 100644
index 0000000..d5a0af3
--- /dev/null
+++ b/jobs/certbot-auth.py
@@ -0,0 +1,36 @@
+#!/usr/bin/python3
+
+import os, socket, sys, stat
+
+VALIDATION = os.getenv("CERTBOT_VALIDATION", None)
+TOKEN = os.getenv("CERTBOT_TOKEN", None)
+if VALIDATION == None or TOKEN = None :
+	sys.exit(1)
+
+try :
+	with open("/opt/bunkerized-nginx/acme-challenge/.well-known/acme-challenge/" + TOKEN, "w") as f :
+		f.write(VALIDATION)
+except :
+	sys.exit(2)
+
+try :
+	if os.path.exists("/tmp/autoconf.sock") and stat.S_ISSOCK(os.stat("/tmp/autoconf.sock").st_mode) :
+		sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
+		sock.connect("/tmp/autoconf.sock")
+		sock.sendall(b"lock")
+		data = sock.recv(512)
+		if data != b"ok" :
+			raise Exception("can't lock")
+		sock.sendall(b"acme")
+		data = sock.recv(512)
+		if data != b"ok" :
+			raise Exception("can't acme")
+		sock.sendall(b"unlock")
+		data = sock.recv(512)
+		if data != b"ok" :
+			raise Exception("can't unlock")
+		sock.sendall(b"close")
+except :
+	sys.exit(3)
+
+sys.exit(0)
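Review bot: The guard `if VALIDATION == None or TOKEN = None :` in the new certbot-auth.py is a SyntaxError (`=` where a comparison is meant), so the interpreter rejects the whole file before a single line runs and every HTTP-01 validation through this hook will fail; it should read `if VALIDATION is None or TOKEN is None :`. CERTBOT_TOKEN is then concatenated straight into the path under acme-challenge with no validation; certbot passes it through from the ACME server and it is presumably base64url, but a one-line allowlist such as `if not re.fullmatch(r"[A-Za-z0-9_-]+", TOKEN) : sys.exit(1)` pins the write inside the challenge directory regardless of what arrives upstream. Both bare `except :` blocks exit without reporting why, so certbot's log will only show a hook exit code; writing the exception to stderr before each `sys.exit(...)` would make a broken deployment diagnosable. The AF_UNIX socket is never closed after `sendall(b"close")` and none of the `recv(512)` calls has a timeout, so an unresponsive autoconf daemon leaves the hook (and certbot) hung; a `sock.settimeout(...)` and a `with socket.socket(...) as sock :` block would bound that.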
diff --git a/jobs/certbot-auth.sh b/jobs/certbot-auth.sh
deleted file mode 100644
index 539ac1b..0000000
--- a/jobs/certbot-auth.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/bin/bash
-
-. /opt/bunkerized-nginx/entrypoint/utils.sh
-
-echo $CERTBOT_VALIDATION > /opt/bunkerized-nginx/acme-challenge/.well-known/acme-challenge/$CERTBOT_TOKEN
-
-if [ -S "/tmp/autoconf.sock" ] ; then
-	echo -e "lock\nacme\nunlock" | socat UNIX-CONNECT:/tmp/autoconf.sock -
-fi
diff --git a/jobs/certbot-cleanup.py b/jobs/certbot-cleanup.py
new file mode 100644
index 0000000..869386c
--- /dev/null
+++ b/jobs/certbot-cleanup.py
@@ -0,0 +1,14 @@
+#!/usr/bin/python3
+
+import os, sys
+
+TOKEN = os.getenv("CERTBOT_TOKEN", None)
+if TOKEN == None :
+	sys.exit(1)
+
+try :
+	os.remove("/opt/bunkerized-nginx/acme-challenge/.well-known/acme-challenge/" + TOKEN)
+except :
+	sys.exit(2)
+
+sys.exit(0)
diff --git a/jobs/certbot-cleanup.sh b/jobs/certbot-cleanup.sh
deleted file mode 100644
index a797ee0..0000000
--- a/jobs/certbot-cleanup.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/bash
-
-rm -f /opt/bunkerized-nginx/acme-challenge/.well-known/acme-challenge/$CERTBOT_TOKEN
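Review bot: `os.remove(...)` in the new certbot-cleanup.py raises `FileNotFoundError` when the challenge file is already gone, so the hook now exits 2 where the deleted `rm -f` succeeded silently; if certbot runs the cleanup hook after a failed auth hook (as it appears to), every such failure will be compounded by a spurious cleanup-hook warning. Catching that case explicitly, `except FileNotFoundError : pass`, and keeping `sys.exit(2)` for other `OSError`s preserves the old semantics. As in the auth hook, `CERTBOT_TOKEN` is appended to the path with no validation; an allowlist check such as `re.fullmatch(r"[A-Za-z0-9_-]+", TOKEN)` before the remove keeps the deletion confined to the challenge directory whatever certbot hands over. The bare `except :` also discards the reason for failure; printing the exception to stderr before exiting would make certbot's hook-failure message actionable.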