Change keygen.py to not require root

keygen.py now recommends that you run it as the user you want to have ownership of secret.key and uploadkeys (such as www-data for nginx). Then, if uploadkeys or secret.key don't exist, they will be created with the correct ownership.
2020-09-02 14:26:57 -05:00 · 2020-09-02 14:26:57 -05:00 · f0bb30a747
commit f0bb30a747
parent 7fce3f57e9
1 changed files with 38 additions and 37 deletions
--- a/keygen.py
+++ b/keygen.py
@ -8,11 +8,6 @@ import sys
 import os
 # Check if the script was run as root
 if os.geteuid() != 0:
    exit("Root privileges are necessary to run this script.\nPlease try again as root or using `sudo`.")
 # Check if encryption key already exists
 enckey = Path(settings.ENCKEY_PATH)
 if enckey.is_file():
@ -63,40 +58,46 @@ def ask_yn(msg):
    return proceed
-N = 64  # Size of token
+start = ask_yn("Have you run this program as the correct user (for example, nginx uses www-data)? [y/n] ")
 if not start:
    print("Please run this as the correct user with: sudo su [user] -s /bin/sh -c 'python3 keygen/py'")
 # Generate key
 token = ''.join(secrets.choice(string.ascii_letters + string.digits) for i in range(N))
 # Decrypt the existing keyfile
 key = load_key()
 keyf = Fernet(key)
 genkey = True
 uploadkeysp = Path("uploadkeys")
 if not uploadkeysp.is_file():
    uploadkeysp.touch()
 else:
    with open("uploadkeys", "rb") as ukf:
        # read the encrypted data
        encrypted_data = ukf.read()
-    try:
+    N = 64  # Size of token
        decrypted_data = keyf.decrypt(encrypted_data)  # decrypt data
        with open("uploadkeys", "wb") as ukf:
            ukf.write(decrypted_data)  # write the original file
    except InvalidToken:
        print("The encrypted key data is invalid and cannot be read.")
        print("It may be necessary to clear the file entirely, which will invalidate all tokens.")
        proceed = ask_yn("Do you wish to proceed to clearing the uploadkeys file? [y/n] ")
-        if proceed:
+    # Generate key
-            os.remove("uploadkeys")
+    token = ''.join(secrets.choice(string.ascii_letters + string.digits) for i in range(N))
            print("Removed uploadkeys file.")
            proceed2 = ask_yn("Would you like to continue and generate a new token? [y/n] ")
            if not proceed2:
                genkey = False
-if genkey:
+    # Decrypt the existing keyfile
-    print("Your new token is: " + str(token))  # Print token
+    key = load_key()
-    encrypt_key(str(token))  # Encrypt the key and save
+    keyf = Fernet(key)
    genkey = True
    uploadkeysp = Path("uploadkeys")
    if not uploadkeysp.is_file():
        uploadkeysp.touch()
    else:
        with open("uploadkeys", "rb") as ukf:
            # read the encrypted data
            encrypted_data = ukf.read()
        try:
            decrypted_data = keyf.decrypt(encrypted_data)  # decrypt data
            with open("uploadkeys", "wb") as ukf:
                ukf.write(decrypted_data)  # write the original file
        except InvalidToken:
            print("The encrypted key data is invalid and cannot be read.")
            print("It may be necessary to clear the file entirely, which will invalidate all tokens.")
            proceed = ask_yn("Do you wish to proceed to clearing the uploadkeys file? [y/n] ")
            if proceed:
                os.remove("uploadkeys")
                print("Removed uploadkeys file.")
                proceed2 = ask_yn("Would you like to continue and generate a new token? [y/n] ")
                if not proceed2:
                    genkey = False
    if genkey:
        print("Your new token is: " + str(token))  # Print token
        encrypt_key(str(token))  # Encrypt the key and save