traefik-certificate-extractor/extractor.py

import sys
import os
import errno
import time
import json
import docker
import threading
import argparse
from argparse import ArgumentTypeError as err
from base64 import b64decode
from watchdog.observers import Observer
from watchdog.events import FileSystemEventHandler
from pathlib import Path


class PathType(object):
    def __init__(self, exists=True, type='file', dash_ok=True):
        '''exists:
                True: a path that does exist
                False: a path that does not exist, in a valid parent directory
                None: don't care
           type: file, dir, symlink, None, or a function returning True for valid paths
                None: don't care
           dash_ok: whether to allow "-" as stdin/stdout'''

        assert exists in (True, False, None)
        assert type in ('file', 'dir', 'symlink',
                        None) or hasattr(type, '__call__')

        self._exists = exists
        self._type = type
        self._dash_ok = dash_ok

    def __call__(self, string):
        if string == '-':
            # the special argument "-" means sys.std{in,out}
            if self._type == 'dir':
                raise err(
                    'standard input/output (-) not allowed as directory path')
            elif self._type == 'symlink':
                raise err(
                    'standard input/output (-) not allowed as symlink path')
            elif not self._dash_ok:
                raise err('standard input/output (-) not allowed')
        else:
            e = os.path.exists(string)
            if self._exists == True:
                if not e:
                    raise err("path does not exist: '%s'" % string)

                if self._type is None:
                    pass
                elif self._type == 'file':
                    if not os.path.isfile(string):
                        raise err("path is not a file: '%s'" % string)
                elif self._type == 'symlink':
                    if not os.path.symlink(string):
                        raise err("path is not a symlink: '%s'" % string)
                elif self._type == 'dir':
                    if not os.path.isdir(string):
                        raise err("path is not a directory: '%s'" % string)
                elif not self._type(string):
                    raise err("path not valid: '%s'" % string)
            else:
                if self._exists == False and e:
                    raise err("path exists: '%s'" % string)

                p = os.path.dirname(os.path.normpath(string)) or '.'
                if not os.path.isdir(p):
                    raise err("parent path is not a directory: '%s'" % p)
                elif not os.path.exists(p):
                    raise err("parent directory does not exist: '%s'" % p)

        return string


def restartContainerWithDomains(domains):
    client = docker.from_env()
    container = client.containers.list(filters = {"label" : "com.github.SnowMB.traefik-certificate-extractor.restart_domain"})
    for c in container:
        restartDomains = str.split(c.labels["com.github.SnowMB.traefik-certificate-extractor.restart_domain"], ',')
        if not set(domains).isdisjoint(restartDomains):
            print('restarting container ' + c.id)
            if not args.dry:
                c.restart()


def createCerts(args):
    # Read JSON file
    data = json.loads(open(args.certificate).read())

    # Determine ACME version
    acme_version = 2 if 'acme-v02' in data['Account']['Registration']['uri'] else 1

    # Find certificates
    if acme_version == 1:
        certs = data['DomainsCertificate']['Certs']
    elif acme_version == 2:
        certs = data['Certificates']

    # Loop over all certificates
    names = []

    for c in certs:
        if acme_version == 1:
            name = c['Certificate']['Domain']
            privatekey = c['Certificate']['PrivateKey']
            fullchain = c['Certificate']['Certificate']
            sans = c['Domains']['SANs']
        elif acme_version == 2:
            name = c['Domain']['Main']
            privatekey = c['Key']
            fullchain = c['Certificate']
            sans = c['Domain']['SANs']

        if (args.include and name not in args.include) or (args.exclude and name in args.exclude):
            continue

        # Decode private key, certificate and chain
        privatekey = b64decode(privatekey).decode('utf-8')
        fullchain = b64decode(fullchain).decode('utf-8')
        start = fullchain.find('-----BEGIN CERTIFICATE-----', 1)
        cert = fullchain[0:start]
        chain = fullchain[start:]

        if not args.dry:
            # Create domain     directory if it doesn't exist
            directory = Path(args.directory)
            if not directory.exists():
                directory.mkdir()

            if args.flat:
                # Write private key, certificate and chain to flat files
                with (directory / name + '.key').open('w') as f:
                    f.write(privatekey)
                with (directory / name + '.crt').open('w') as f:
                    f.write(fullchain)
                with (directory / name + '.chain.pem').open('w') as f:
                    f.write(chain)

                if sans:
                    for name in sans:
                        with (directory / name + '.key').open('w') as f:
                            f.write(privatekey)
                        with (directory / name + '.crt').open('w') as f:
                            f.write(fullchain)
                        with (directory / name + '.chain.pem').open('w') as f:
                            f.write(chain)
            else:
                directory = directory / name
                if not directory.exists():
                    directory.mkdir()

                # Write private key, certificate and chain to file
                with (directory / 'privkey.pem').open('w') as f:
                    f.write(privatekey)

                with (directory / 'cert.pem').open('w') as f:
                    f.write(cert)

                with (directory / 'chain.pem').open('w') as f:
                    f.write(chain)

                with (directory / 'fullchain.pem').open('w') as f:
                    f.write(fullchain)

        print('Extracted certificate for: ' + name +
              (', ' + ', '.join(sans) if sans else ''))
        names.append(name)
    return names


class Handler(FileSystemEventHandler):

    def __init__(self, args):
        self.args = args
        self.isWaiting = False
        self.timer = threading.Timer(0.5, self.doTheWork)
        self.lock = threading.Lock()

    def on_created(self, event):
        self.handle(event)

    def on_modified(self, event):
        self.handle(event)

    def handle(self, event):
        # Check if it's a JSON file
        print('DEBUG : event fired')
        if not event.is_directory and event.src_path.endswith(str(self.args.certificate)):
            print('Certificates changed')

            with self.lock:
                if not self.isWaiting:
                    self.isWaiting = True #trigger the work just once (multiple events get fired)
                    self.timer = threading.Timer(2, self.doTheWork)
                    self.timer.start()

    def doTheWork(self):
        print('DEBUG : starting the work')
        domains = createCerts(self.args)
        if (self.args.restart_container):
            restartContainerWithDomains(domains)

        with self.lock:
            self.isWaiting = False
        print('DEBUG : finished')


if __name__ == "__main__":
    parser = argparse.ArgumentParser(
        description='Extract traefik letsencrypt certificates.')
    parser.add_argument('-c', '--certificate', default='acme.json', type=PathType(
        exists=True), help='file that contains the traefik certificates (default acme.json)')
    parser.add_argument('-d', '--directory', default='.',
                        type=PathType(type='dir'), help='output folder')
    parser.add_argument('-f', '--flat', action='store_true',
                        help='outputs all certificates into one folder')
    parser.add_argument('-r', '--restart_container', action='store_true',
                        help="uses the docker API to restart containers that are labeled with 'com.github.SnowMB.traefik-certificate-extractor.restart_domain=<DOMAIN>' if the domain name of a generated certificates matches. Multiple domains can be seperated by ','")
    parser.add_argument('--dry-run', action='store_true', dest='dry',
                        help="Don't write files and do not start docker containers.")
    group = parser.add_mutually_exclusive_group()
    group.add_argument('--include', nargs='*')
    group.add_argument('--exclude', nargs='*')

    args = parser.parse_args()

    print('DEBUG: watching path: ' + str(args.certificate))
    print('DEBUG: output path: ' + str(args.directory))

    # Create event handler and observer
    event_handler = Handler(args)
    observer = Observer()

    # Register the directory to watch
    observer.schedule(event_handler, str(Path(args.certificate).parent))

    # Main loop to watch the directory
    observer.start()
    try:
        while True:
            time.sleep(1)
    except KeyboardInterrupt:
        observer.stop()
    observer.join()
Added basic extractor 2017-06-27 14:09:51 +02:00			`import sys`
			`import os`
			`import errno`
			`import time`
			`import json`
fixes 2018-08-05 00:00:19 +02:00			`import docker`
fix multiple events 2018-08-05 00:27:22 +02:00			`import threading`
added initial args 2018-08-04 21:52:49 +02:00			`import argparse`
			`from argparse import ArgumentTypeError as err`
Added basic extractor 2017-06-27 14:09:51 +02:00			`from base64 import b64decode`
			`from watchdog.observers import Observer`
			`from watchdog.events import FileSystemEventHandler`
- Added printouts - Watching reduced to one file (acme.json) - added support to restart containers after renewal of certificates 2018-08-04 19:28:41 +02:00			`from pathlib import Path`

indentation fixes 2018-08-04 22:35:22 +02:00
added initial args 2018-08-04 21:52:49 +02:00			`class PathType(object):`
			`def __init__(self, exists=True, type='file', dash_ok=True):`
			`'''exists:`
			`True: a path that does exist`
			`False: a path that does not exist, in a valid parent directory`
			`None: don't care`
			`type: file, dir, symlink, None, or a function returning True for valid paths`
			`None: don't care`
			`dash_ok: whether to allow "-" as stdin/stdout'''`

			`assert exists in (True, False, None)`
indentation fixes 2018-08-04 22:35:22 +02:00			`assert type in ('file', 'dir', 'symlink',`
			`None) or hasattr(type, '__call__')`
added initial args 2018-08-04 21:52:49 +02:00
			`self._exists = exists`
			`self._type = type`
			`self._dash_ok = dash_ok`

			`def __call__(self, string):`
indentation fixes 2018-08-04 22:35:22 +02:00			`if string == '-':`
added initial args 2018-08-04 21:52:49 +02:00			`# the special argument "-" means sys.std{in,out}`
			`if self._type == 'dir':`
indentation fixes 2018-08-04 22:35:22 +02:00			`raise err(`
			`'standard input/output (-) not allowed as directory path')`
added initial args 2018-08-04 21:52:49 +02:00			`elif self._type == 'symlink':`
indentation fixes 2018-08-04 22:35:22 +02:00			`raise err(`
			`'standard input/output (-) not allowed as symlink path')`
added initial args 2018-08-04 21:52:49 +02:00			`elif not self._dash_ok:`
			`raise err('standard input/output (-) not allowed')`
			`else:`
			`e = os.path.exists(string)`
indentation fixes 2018-08-04 22:35:22 +02:00			`if self._exists == True:`
added initial args 2018-08-04 21:52:49 +02:00			`if not e:`
			`raise err("path does not exist: '%s'" % string)`

			`if self._type is None:`
			`pass`
indentation fixes 2018-08-04 22:35:22 +02:00			`elif self._type == 'file':`
added initial args 2018-08-04 21:52:49 +02:00			`if not os.path.isfile(string):`
			`raise err("path is not a file: '%s'" % string)`
indentation fixes 2018-08-04 22:35:22 +02:00			`elif self._type == 'symlink':`
added initial args 2018-08-04 21:52:49 +02:00			`if not os.path.symlink(string):`
			`raise err("path is not a symlink: '%s'" % string)`
indentation fixes 2018-08-04 22:35:22 +02:00			`elif self._type == 'dir':`
added initial args 2018-08-04 21:52:49 +02:00			`if not os.path.isdir(string):`
			`raise err("path is not a directory: '%s'" % string)`
			`elif not self._type(string):`
			`raise err("path not valid: '%s'" % string)`
			`else:`
indentation fixes 2018-08-04 22:35:22 +02:00			`if self._exists == False and e:`
added initial args 2018-08-04 21:52:49 +02:00			`raise err("path exists: '%s'" % string)`

			`p = os.path.dirname(os.path.normpath(string)) or '.'`
			`if not os.path.isdir(p):`
			`raise err("parent path is not a directory: '%s'" % p)`
			`elif not os.path.exists(p):`
			`raise err("parent directory does not exist: '%s'" % p)`

			`return string`


fixes 2018-08-05 00:00:19 +02:00			`def restartContainerWithDomains(domains):`
refactoring and integrate args in program 2018-08-04 23:26:46 +02:00			`client = docker.from_env()`
			`container = client.containers.list(filters = {"label" : "com.github.SnowMB.traefik-certificate-extractor.restart_domain"})`
			`for c in container:`
			`restartDomains = str.split(c.labels["com.github.SnowMB.traefik-certificate-extractor.restart_domain"], ',')`
fixes 2018-08-05 00:00:19 +02:00			`if not set(domains).isdisjoint(restartDomains):`
refactoring and integrate args in program 2018-08-04 23:26:46 +02:00			`print('restarting container ' + c.id)`
add dry-run 2018-08-05 01:05:20 +02:00			`if not args.dry:`
			`c.restart()`
- Added printouts - Watching reduced to one file (acme.json) - added support to restart containers after renewal of certificates 2018-08-04 19:28:41 +02:00

include and exclude 2018-08-05 00:48:19 +02:00			`def createCerts(args):`
- Added printouts - Watching reduced to one file (acme.json) - added support to restart containers after renewal of certificates 2018-08-04 19:28:41 +02:00			`# Read JSON file`
include and exclude 2018-08-05 00:48:19 +02:00			`data = json.loads(open(args.certificate).read())`
- Added printouts - Watching reduced to one file (acme.json) - added support to restart containers after renewal of certificates 2018-08-04 19:28:41 +02:00
			`# Determine ACME version`
			`acme_version = 2 if 'acme-v02' in data['Account']['Registration']['uri'] else 1`

			`# Find certificates`
			`if acme_version == 1:`
			`certs = data['DomainsCertificate']['Certs']`
			`elif acme_version == 2:`
			`certs = data['Certificates']`

			`# Loop over all certificates`
refactoring and integrate args in program 2018-08-04 23:26:46 +02:00			`names = []`

- Added printouts - Watching reduced to one file (acme.json) - added support to restart containers after renewal of certificates 2018-08-04 19:28:41 +02:00			`for c in certs:`
			`if acme_version == 1:`
			`name = c['Certificate']['Domain']`
			`privatekey = c['Certificate']['PrivateKey']`
			`fullchain = c['Certificate']['Certificate']`
			`sans = c['Domains']['SANs']`
			`elif acme_version == 2:`
			`name = c['Domain']['Main']`
			`privatekey = c['Key']`
			`fullchain = c['Certificate']`
			`sans = c['Domain']['SANs']`
bugfixes 2018-08-05 00:58:32 +02:00
			`if (args.include and name not in args.include) or (args.exclude and name in args.exclude):`
include and exclude 2018-08-05 00:48:19 +02:00			`continue`
- Added printouts - Watching reduced to one file (acme.json) - added support to restart containers after renewal of certificates 2018-08-04 19:28:41 +02:00
			`# Decode private key, certificate and chain`
			`privatekey = b64decode(privatekey).decode('utf-8')`
			`fullchain = b64decode(fullchain).decode('utf-8')`
			`start = fullchain.find('-----BEGIN CERTIFICATE-----', 1)`
			`cert = fullchain[0:start]`
			`chain = fullchain[start:]`

add dry-run 2018-08-05 01:05:20 +02:00			`if not args.dry:`
			`# Create domain directory if it doesn't exist`
			`directory = Path(args.directory)`
refactoring and integrate args in program 2018-08-04 23:26:46 +02:00			`if not directory.exists():`
			`directory.mkdir()`

add dry-run 2018-08-05 01:05:20 +02:00			`if args.flat:`
			`# Write private key, certificate and chain to flat files`
			`with (directory / name + '.key').open('w') as f:`
			`f.write(privatekey)`
			`with (directory / name + '.crt').open('w') as f:`
			`f.write(fullchain)`
			`with (directory / name + '.chain.pem').open('w') as f:`
			`f.write(chain)`

			`if sans:`
			`for name in sans:`
			`with (directory / name + '.key').open('w') as f:`
			`f.write(privatekey)`
			`with (directory / name + '.crt').open('w') as f:`
			`f.write(fullchain)`
			`with (directory / name + '.chain.pem').open('w') as f:`
			`f.write(chain)`
			`else:`
			`directory = directory / name`
			`if not directory.exists():`
			`directory.mkdir()`

			`# Write private key, certificate and chain to file`
			`with (directory / 'privkey.pem').open('w') as f:`
			`f.write(privatekey)`
refactoring and integrate args in program 2018-08-04 23:26:46 +02:00
add dry-run 2018-08-05 01:05:20 +02:00			`with (directory / 'cert.pem').open('w') as f:`
			`f.write(cert)`
refactoring and integrate args in program 2018-08-04 23:26:46 +02:00
add dry-run 2018-08-05 01:05:20 +02:00			`with (directory / 'chain.pem').open('w') as f:`
			`f.write(chain)`
refactoring and integrate args in program 2018-08-04 23:26:46 +02:00
add dry-run 2018-08-05 01:05:20 +02:00			`with (directory / 'fullchain.pem').open('w') as f:`
			`f.write(fullchain)`
- Added printouts - Watching reduced to one file (acme.json) - added support to restart containers after renewal of certificates 2018-08-04 19:28:41 +02:00
indentation fixes 2018-08-04 22:35:22 +02:00			`print('Extracted certificate for: ' + name +`
			`(', ' + ', '.join(sans) if sans else ''))`
refactoring and integrate args in program 2018-08-04 23:26:46 +02:00			`names.append(name)`
			`return names`
- Added printouts - Watching reduced to one file (acme.json) - added support to restart containers after renewal of certificates 2018-08-04 19:28:41 +02:00

Added basic extractor 2017-06-27 14:09:51 +02:00			`class Handler(FileSystemEventHandler):`
- Added printouts - Watching reduced to one file (acme.json) - added support to restart containers after renewal of certificates 2018-08-04 19:28:41 +02:00
added initial args 2018-08-04 21:52:49 +02:00			`def __init__(self, args):`
			`self.args = args`
fix multiple events 2018-08-05 00:27:22 +02:00			`self.isWaiting = False`
			`self.timer = threading.Timer(0.5, self.doTheWork)`
			`self.lock = threading.Lock()`
- Added printouts - Watching reduced to one file (acme.json) - added support to restart containers after renewal of certificates 2018-08-04 19:28:41 +02:00
Added basic extractor 2017-06-27 14:09:51 +02:00			`def on_created(self, event):`
			`self.handle(event)`

			`def on_modified(self, event):`
			`self.handle(event)`

			`def handle(self, event):`
			`# Check if it's a JSON file`
indentation fixes 2018-08-04 22:35:22 +02:00			`print('DEBUG : event fired')`
refactoring and integrate args in program 2018-08-04 23:26:46 +02:00			`if not event.is_directory and event.src_path.endswith(str(self.args.certificate)):`
Added basic extractor 2017-06-27 14:09:51 +02:00			`print('Certificates changed')`

fix multiple events 2018-08-05 00:27:22 +02:00			`with self.lock:`
			`if not self.isWaiting:`
			`self.isWaiting = True #trigger the work just once (multiple events get fired)`
include and exclude 2018-08-05 00:48:19 +02:00			`self.timer = threading.Timer(2, self.doTheWork)`
fix multiple events 2018-08-05 00:27:22 +02:00			`self.timer.start()`
bugfix tabs 2018-08-05 01:16:20 +02:00
fix multiple events 2018-08-05 00:27:22 +02:00			`def doTheWork(self):`
include and exclude 2018-08-05 00:48:19 +02:00			`print('DEBUG : starting the work')`
			`domains = createCerts(self.args)`
fix multiple events 2018-08-05 00:27:22 +02:00			`if (self.args.restart_container):`
			`restartContainerWithDomains(domains)`
include and exclude 2018-08-05 00:48:19 +02:00
fix multiple events 2018-08-05 00:27:22 +02:00			`with self.lock:`
			`self.isWaiting = False`
bugfix tabs 2018-08-05 01:16:20 +02:00			`print('DEBUG : finished')`
Added basic extractor 2017-06-27 14:09:51 +02:00

- Added printouts - Watching reduced to one file (acme.json) - added support to restart containers after renewal of certificates 2018-08-04 19:28:41 +02:00			`if __name__ == "__main__":`
indentation fixes 2018-08-04 22:35:22 +02:00			`parser = argparse.ArgumentParser(`
			`description='Extract traefik letsencrypt certificates.')`
args fix 2018-08-04 22:39:19 +02:00			`parser.add_argument('-c', '--certificate', default='acme.json', type=PathType(`
indentation fixes 2018-08-04 22:35:22 +02:00			`exists=True), help='file that contains the traefik certificates (default acme.json)')`
args fix 2018-08-04 22:39:19 +02:00			`parser.add_argument('-d', '--directory', default='.',`
indentation fixes 2018-08-04 22:35:22 +02:00			`type=PathType(type='dir'), help='output folder')`
			`parser.add_argument('-f', '--flat', action='store_true',`
			`help='outputs all certificates into one folder')`
refactoring and integrate args in program 2018-08-04 23:26:46 +02:00			`parser.add_argument('-r', '--restart_container', action='store_true',`
Small fixes and readme clarification 2018-08-05 19:22:54 +02:00			`help="uses the docker API to restart containers that are labeled with 'com.github.SnowMB.traefik-certificate-extractor.restart_domain=<DOMAIN>' if the domain name of a generated certificates matches. Multiple domains can be seperated by ','")`
add dry-run 2018-08-05 01:05:20 +02:00			`parser.add_argument('--dry-run', action='store_true', dest='dry',`
			`help="Don't write files and do not start docker containers.")`
include and exclude 2018-08-05 00:48:19 +02:00			`group = parser.add_mutually_exclusive_group()`
			`group.add_argument('--include', nargs='*')`
			`group.add_argument('--exclude', nargs='*')`

added initial args 2018-08-04 21:52:49 +02:00			`args = parser.parse_args()`
Added basic extractor 2017-06-27 14:09:51 +02:00
bugfixes 2018-08-04 22:48:28 +02:00			`print('DEBUG: watching path: ' + str(args.certificate))`
			`print('DEBUG: output path: ' + str(args.directory))`
Added basic extractor 2017-06-27 14:09:51 +02:00
			`# Create event handler and observer`
added initial args 2018-08-04 21:52:49 +02:00			`event_handler = Handler(args)`
Added basic extractor 2017-06-27 14:09:51 +02:00			`observer = Observer()`

			`# Register the directory to watch`
bugfixes 2018-08-04 22:48:28 +02:00			`observer.schedule(event_handler, str(Path(args.certificate).parent))`
Added basic extractor 2017-06-27 14:09:51 +02:00
			`# Main loop to watch the directory`
			`observer.start()`
			`try:`
			`while True:`
			`time.sleep(1)`
			`except KeyboardInterrupt:`
			`observer.stop()`
			`observer.join()`