notebook/tools/secure_notebook.py

#!/usr/bin/env python
"""
script to automatically setup notebook over SSL.

Generate cert and keyfiles (rsa 1024) in ~/.ssh/, ask for a password, and add
the corresponding entries in the notebook json configuration file. 

"""

import six

from notebook.auth import passwd
from traitlets.config.loader import JSONFileConfigLoader, ConfigFileNotFound
from jupyter_core.paths import jupyter_config_dir
from traitlets.config import Config

from contextlib import contextmanager

from OpenSSL import crypto
from os.path import exists, join

import io
import os
import json
import traceback


def create_self_signed_cert(cert_dir, keyfile, certfile):
    """
    Create a self-signed `keyfile` and `certfile` in `cert_dir`

    Abort if one of the keyfile of certfile exist.
    """

    if exists(join(cert_dir, certfile))  or exists(join(cert_dir, keyfile)):
        raise FileExistsError('{} or {} already exist in {}. Aborting.'.format(keyfile, certfile, cert_dir))
    else:
        # create a key pair
        k = crypto.PKey()
        k.generate_key(crypto.TYPE_RSA, 1024)

        # create a self-signed cert
        cert = crypto.X509()
        cert.get_subject().C = "US"
        cert.get_subject().ST = "Jupyter notebook self-signed certificate"
        cert.get_subject().L = "Jupyter notebook self-signed certificate"
        cert.get_subject().O = "Jupyter notebook self-signed certificate"
        cert.get_subject().OU = "my organization"
        cert.get_subject().CN = "Jupyter notebook self-signed certificate"
        cert.set_serial_number(1000)
        cert.gmtime_adj_notBefore(0)
        cert.gmtime_adj_notAfter(365*24*60*60)
        cert.set_issuer(cert.get_subject())
        cert.set_pubkey(k)
        cert.sign(k, 'sha256')

        with io.open(join(cert_dir, certfile), "wt") as f:
            f.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode('utf8'))
        os.chmod(join(cert_dir, certfile), 0o600)
        
        with io.open(join(cert_dir, keyfile), "wt") as f:
            f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, k).decode('utf8'))
        os.chmod(join(cert_dir, keyfile), 0o600)


@contextmanager
def persist_config(mode=0o600):
    """Context manager that can be use to modify a config object

    On exit of the context manager, the config will be written back to disk, 
    by default with 600 permissions.
    """

    loader = JSONFileConfigLoader('jupyter_notebook_config.json', jupyter_config_dir())
    try:
        config = loader.load_config()
    except ConfigFileNotFound:
        config = Config()

    yield config

    filepath = os.path.join(jupyter_config_dir(), 'jupyter_notebook_config.json')
    with io.open(filepath, 'w') as f:
        f.write(six.u(json.dumps(config, indent=2)))
    try:
        os.chmod(filepath, mode)
    except Exception:
        traceback.print_exc()

        print("Something went wrong changing file permissions")


def set_password():
    """Ask user for password, store it in notebook json configuration file"""

    print("First choose a password.")
    hashedpw = passwd()
    print("We will store your password encrypted in the notebook configuration file: ")
    print(hashedpw)

    with persist_config() as config:
        config.NotebookApp.password = hashedpw

    print('... done\n')


def set_certifs():
    """
    Generate certificate to run notebook over ssl and set up the notebook config.
    """
    print("Let's generate self-signed certificates to secure your connexion.")
    print("where should the certificate live?")

    location = input('path [~/.ssh]: ')
    if not location.strip():
        location = os.path.expanduser('~/.ssh')
    keyfile = input('keyfile name [jupyter_server.key]: ')
    if not keyfile.strip():
        keyfile = 'jupyter_server.key'
    certfile = input('certfile name [jupyter_server.crt]: ')
    if not certfile.strip():
        certfile = 'jupyter_server.crt'

    create_self_signed_cert(location, keyfile, certfile)

    fullkey = os.path.join(location, keyfile)
    fullcrt = os.path.join(location, certfile)
    with persist_config() as config:
        config.NotebookApp.certfile = fullcrt
        config.NotebookApp.keyfile = fullkey

    print('done.\n')


if __name__ == '__main__':
    print("This will guide you through the steps towards securing your notebook server.")
    set_password()
    set_certifs()
Create tool to auto generate secure settings. 2015-11-25 16:15:07 +08:00			`#!/usr/bin/env python`
refactor secure notebook server script 2015-11-27 00:11:04 +08:00			`"""`
			`script to automatically setup notebook over SSL.`

			`Generate cert and keyfiles (rsa 1024) in ~/.ssh/, ask for a password, and add`
typo fix (#3015) * Fix some broken links * typo fix * Fix some broken links * typo fix 2017-11-08 09:07:17 +08:00			`the corresponding entries in the notebook json configuration file.`
refactor secure notebook server script 2015-11-27 00:11:04 +08:00
			`"""`

			`import six`
Create tool to auto generate secure settings. 2015-11-25 16:15:07 +08:00
			`from notebook.auth import passwd`
			`from traitlets.config.loader import JSONFileConfigLoader, ConfigFileNotFound`
			`from jupyter_core.paths import jupyter_config_dir`
			`from traitlets.config import Config`

refactor secure notebook server script 2015-11-27 00:11:04 +08:00			`from contextlib import contextmanager`
Create tool to auto generate secure settings. 2015-11-25 16:15:07 +08:00
Take comments into account 2015-12-08 16:48:52 +08:00			`from OpenSSL import crypto`
Create tool to auto generate secure settings. 2015-11-25 16:15:07 +08:00			`from os.path import exists, join`

			`import io`
			`import os`
			`import json`
Take comments into account 2015-12-08 16:48:52 +08:00			`import traceback`
Create tool to auto generate secure settings. 2015-11-25 16:15:07 +08:00

refactor secure notebook server script 2015-11-27 00:11:04 +08:00			`def create_self_signed_cert(cert_dir, keyfile, certfile):`
Create tool to auto generate secure settings. 2015-11-25 16:15:07 +08:00			`"""`
refactor secure notebook server script 2015-11-27 00:11:04 +08:00			Create a self-signed `keyfile` and `certfile` in `cert_dir`

Fix comments. 2015-12-01 03:33:02 +08:00			`Abort if one of the keyfile of certfile exist.`
Create tool to auto generate secure settings. 2015-11-25 16:15:07 +08:00			`"""`

Take comments into account 2015-12-08 16:48:52 +08:00			`if exists(join(cert_dir, certfile)) or exists(join(cert_dir, keyfile)):`
			`raise FileExistsError('{} or {} already exist in {}. Aborting.'.format(keyfile, certfile, cert_dir))`
			`else:`
Create tool to auto generate secure settings. 2015-11-25 16:15:07 +08:00			`# create a key pair`
			`k = crypto.PKey()`
			`k.generate_key(crypto.TYPE_RSA, 1024)`

			`# create a self-signed cert`
			`cert = crypto.X509()`
			`cert.get_subject().C = "US"`
don't write english before breakfast 2015-11-25 20:39:04 +08:00			`cert.get_subject().ST = "Jupyter notebook self-signed certificate"`
			`cert.get_subject().L = "Jupyter notebook self-signed certificate"`
			`cert.get_subject().O = "Jupyter notebook self-signed certificate"`
Create tool to auto generate secure settings. 2015-11-25 16:15:07 +08:00			`cert.get_subject().OU = "my organization"`
don't write english before breakfast 2015-11-25 20:39:04 +08:00			`cert.get_subject().CN = "Jupyter notebook self-signed certificate"`
Create tool to auto generate secure settings. 2015-11-25 16:15:07 +08:00			`cert.set_serial_number(1000)`
			`cert.gmtime_adj_notBefore(0)`
			`cert.gmtime_adj_notAfter(3652460*60)`
			`cert.set_issuer(cert.get_subject())`
			`cert.set_pubkey(k)`
			`cert.sign(k, 'sha256')`

			`with io.open(join(cert_dir, certfile), "wt") as f:`
			`f.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode('utf8'))`
make certif 0o600 also. 2015-12-08 17:01:25 +08:00			`os.chmod(join(cert_dir, certfile), 0o600)`

Create tool to auto generate secure settings. 2015-11-25 16:15:07 +08:00			`with io.open(join(cert_dir, keyfile), "wt") as f:`
			`f.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, k).decode('utf8'))`
make certif 0o600 also. 2015-12-08 17:01:25 +08:00			`os.chmod(join(cert_dir, keyfile), 0o600)`
Create tool to auto generate secure settings. 2015-11-25 16:15:07 +08:00

refactor secure notebook server script 2015-11-27 00:11:04 +08:00
			`@contextmanager`
Take comments into account 2015-12-08 16:48:52 +08:00			`def persist_config(mode=0o600):`
			`"""Context manager that can be use to modify a config object`
refactor secure notebook server script 2015-11-27 00:11:04 +08:00
Take comments into account 2015-12-08 16:48:52 +08:00			`On exit of the context manager, the config will be written back to disk,`
Typo fix 2017-03-11 04:27:17 +08:00			`by default with 600 permissions.`
refactor secure notebook server script 2015-11-27 00:11:04 +08:00			`"""`
Create tool to auto generate secure settings. 2015-11-25 16:15:07 +08:00
			`loader = JSONFileConfigLoader('jupyter_notebook_config.json', jupyter_config_dir())`
			`try:`
			`config = loader.load_config()`
			`except ConfigFileNotFound:`
			`config = Config()`

refactor secure notebook server script 2015-11-27 00:11:04 +08:00			`yield config`
Create tool to auto generate secure settings. 2015-11-25 16:15:07 +08:00
Take comments into account 2015-12-08 16:48:52 +08:00			`filepath = os.path.join(jupyter_config_dir(), 'jupyter_notebook_config.json')`
			`with io.open(filepath, 'w') as f:`
Create tool to auto generate secure settings. 2015-11-25 16:15:07 +08:00			`f.write(six.u(json.dumps(config, indent=2)))`
Take comments into account 2015-12-08 16:48:52 +08:00			`try:`
			`os.chmod(filepath, mode)`
			`except Exception:`
			`traceback.print_exc()`

			`print("Something went wrong changing file permissions")`
Create tool to auto generate secure settings. 2015-11-25 16:15:07 +08:00

refactor secure notebook server script 2015-11-27 00:11:04 +08:00			`def set_password():`
			`"""Ask user for password, store it in notebook json configuration file"""`

Take comments into account 2015-12-08 16:48:52 +08:00			`print("First choose a password.")`
			`hashedpw = passwd()`
refactor secure notebook server script 2015-11-27 00:11:04 +08:00			`print("We will store your password encrypted in the notebook configuration file: ")`
Take comments into account 2015-12-08 16:48:52 +08:00			`print(hashedpw)`
refactor secure notebook server script 2015-11-27 00:11:04 +08:00
Fix comments. 2015-12-01 03:33:02 +08:00			`with persist_config() as config:`
Take comments into account 2015-12-08 16:48:52 +08:00			`config.NotebookApp.password = hashedpw`
refactor secure notebook server script 2015-11-27 00:11:04 +08:00
			`print('... done\n')`


			`def set_certifs():`
			`"""`
Take comments into account 2015-12-08 16:48:52 +08:00			`Generate certificate to run notebook over ssl and set up the notebook config.`
refactor secure notebook server script 2015-11-27 00:11:04 +08:00			`"""`
			`print("Let's generate self-signed certificates to secure your connexion.")`
don't write english before breakfast 2015-11-25 20:39:04 +08:00			`print("where should the certificate live?")`
refactor secure notebook server script 2015-11-27 00:11:04 +08:00
Create tool to auto generate secure settings. 2015-11-25 16:15:07 +08:00			`location = input('path [~/.ssh]: ')`
			`if not location.strip():`
			`location = os.path.expanduser('~/.ssh')`
			`keyfile = input('keyfile name [jupyter_server.key]: ')`
			`if not keyfile.strip():`
			`keyfile = 'jupyter_server.key'`
			`certfile = input('certfile name [jupyter_server.crt]: ')`
			`if not certfile.strip():`
			`certfile = 'jupyter_server.crt'`

			`create_self_signed_cert(location, keyfile, certfile)`

			`fullkey = os.path.join(location, keyfile)`
			`fullcrt = os.path.join(location, certfile)`
Fix comments. 2015-12-01 03:33:02 +08:00			`with persist_config() as config:`
refactor secure notebook server script 2015-11-27 00:11:04 +08:00			`config.NotebookApp.certfile = fullcrt`
			`config.NotebookApp.keyfile = fullkey`
Create tool to auto generate secure settings. 2015-11-25 16:15:07 +08:00
refactor secure notebook server script 2015-11-27 00:11:04 +08:00			`print('done.\n')`
Create tool to auto generate secure settings. 2015-11-25 16:15:07 +08:00

refactor secure notebook server script 2015-11-27 00:11:04 +08:00			`if __name__ == '__main__':`
Take comments into account 2015-12-08 16:48:52 +08:00			`print("This will guide you through the steps towards securing your notebook server.")`
refactor secure notebook server script 2015-11-27 00:11:04 +08:00			`set_password()`
			`set_certifs()`