From c88472a94c15adef4275242934f2a3eec9778dd4 Mon Sep 17 00:00:00 2001
From: drebs <drebs@leap.se>
Date: Wed, 26 Nov 2014 20:20:52 -0200
Subject: Enforce TLSv1 in soledad server (#6437).

---
 server/changes/bug_6437_avoid-sslv3 | 1 +
 server/pkg/soledad                  | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)
 create mode 100644 server/changes/bug_6437_avoid-sslv3

(limited to 'server')

diff --git a/server/changes/bug_6437_avoid-sslv3 b/server/changes/bug_6437_avoid-sslv3
new file mode 100644
index 00000000..5d41fbb3
--- /dev/null
+++ b/server/changes/bug_6437_avoid-sslv3
@@ -0,0 +1 @@
+  o Avoid use of SSLv3 (#6437).
diff --git a/server/pkg/soledad b/server/pkg/soledad
index 841233d1..62b7c5f8 100644
--- a/server/pkg/soledad
+++ b/server/pkg/soledad
@@ -19,6 +19,7 @@ CERT_PATH=/etc/leap/soledad-server.pem
 PRIVKEY_PATH=/etc/leap/soledad-server.key
 TWISTD_PATH=/usr/bin/twistd
 HOME=/var/lib/soledad/
+SSL_METHOD=TLSv1_METHOD
 
 [ -r /etc/default/soledad ] && . /etc/default/soledad
 
@@ -35,7 +36,7 @@ case "$1" in
             --logfile=$LOGFILE \
             web \
             --wsgi=$OBJ \
-            --port=ssl:$HTTPS_PORT:privateKey=$PRIVKEY_PATH:certKey=$CERT_PATH
+            --port=ssl:${HTTPS_PORT}:privateKey=${PRIVKEY_PATH}:certKey=${CERT_PATH}:sslmethod=${SSL_METHOD}
         echo "."
     ;;
 
-- 
cgit v1.2.3


From 6b6b4af8edc807726341b848165c91ff02e9148b Mon Sep 17 00:00:00 2001
From: drebs <drebs@leap.se>
Date: Wed, 26 Nov 2014 20:23:33 -0200
Subject: Run daemon as user soledad (#6436).

---
 server/changes/bug_6436_run-daemon-as-user-soledad | 1 +
 server/pkg/soledad                                 | 6 +++++-
 2 files changed, 6 insertions(+), 1 deletion(-)
 create mode 100644 server/changes/bug_6436_run-daemon-as-user-soledad

(limited to 'server')

diff --git a/server/changes/bug_6436_run-daemon-as-user-soledad b/server/changes/bug_6436_run-daemon-as-user-soledad
new file mode 100644
index 00000000..886964f1
--- /dev/null
+++ b/server/changes/bug_6436_run-daemon-as-user-soledad
@@ -0,0 +1 @@
+  o Run daemon as user soledad (#6436).
diff --git a/server/pkg/soledad b/server/pkg/soledad
index 62b7c5f8..7f48e2c8 100644
--- a/server/pkg/soledad
+++ b/server/pkg/soledad
@@ -20,6 +20,8 @@ PRIVKEY_PATH=/etc/leap/soledad-server.key
 TWISTD_PATH=/usr/bin/twistd
 HOME=/var/lib/soledad/
 SSL_METHOD=TLSv1_METHOD
+USER=soledad
+GROUP=soledad
 
 [ -r /etc/default/soledad ] && . /etc/default/soledad
 
@@ -31,7 +33,9 @@ test -r /etc/leap/ || exit 0
 case "$1" in
     start)
         echo -n "Starting soledad: twistd"
-          start-stop-daemon --start --quiet --exec $TWISTD_PATH -- \
+          start-stop-daemon --start --quiet \
+            --user=$USER --group=$GROUP \
+            --exec $TWISTD_PATH -- \
             --pidfile=$PIDFILE \
             --logfile=$LOGFILE \
             web \
-- 
cgit v1.2.3


From 4f7a1e1063199cb91535ab9cd3ca428bca2ced96 Mon Sep 17 00:00:00 2001
From: drebs <drebs@leap.se>
Date: Fri, 28 Nov 2014 09:39:41 -0200
Subject: Enclose server initscript variables in curly brackets.

---
 server/pkg/soledad | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

(limited to 'server')

diff --git a/server/pkg/soledad b/server/pkg/soledad
index 7f48e2c8..bf24dac2 100644
--- a/server/pkg/soledad
+++ b/server/pkg/soledad
@@ -30,16 +30,16 @@ test -r /etc/leap/ || exit 0
 . /lib/lsb/init-functions
 
 
-case "$1" in
+case "${1}" in
     start)
         echo -n "Starting soledad: twistd"
           start-stop-daemon --start --quiet \
-            --user=$USER --group=$GROUP \
-            --exec $TWISTD_PATH -- \
-            --pidfile=$PIDFILE \
-            --logfile=$LOGFILE \
+            --user=${USER} --group=${GROUP} \
+            --exec ${TWISTD_PATH} -- \
+            --pidfile=${PIDFILE} \
+            --logfile=${LOGFILE} \
             web \
-            --wsgi=$OBJ \
+            --wsgi=${OBJ} \
             --port=ssl:${HTTPS_PORT}:privateKey=${PRIVKEY_PATH}:certKey=${CERT_PATH}:sslmethod=${SSL_METHOD}
         echo "."
     ;;
@@ -47,21 +47,21 @@ case "$1" in
     stop)
         echo -n "Stopping soledad: twistd"
         start-stop-daemon --stop --quiet  \
-            --pidfile $PIDFILE
+            --pidfile ${PIDFILE}
         echo "."
     ;;
 
     restart)
-        $0 stop
-        $0 start
+        ${0} stop
+        ${0} start
     ;;
 
     force-reload)
-        $0 restart
+        ${0} restart
     ;;
 
     status)
-        status_of_proc -p $PIDFILE $TWISTD_PATH soledad && exit 0 || exit $?
+        status_of_proc -p ${PIDFILE} ${TWISTD_PATH} soledad && exit 0 || exit ${?}
     ;;
 
     *)
-- 
cgit v1.2.3


From 6fc80e14d568d83df7899e516d1422b2e011d2cb Mon Sep 17 00:00:00 2001
From: Kali Kaneko <kali@leap.se>
Date: Wed, 3 Dec 2014 00:22:18 +0100
Subject: Use SSL negotiation.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Although the API can be misleading, PROTOCOL_SSLv23 selects the highest
protocol version that both the client and server support. Despite the
name, this option can select “TLS” protocols as well as “SSL”.

In this way, we can use TLSv1.2 (PROTOCOL_TLSv1 will *only* give us TLS
v1.0)

In the client side, we try to disable SSLv2 and SSLv3 options
explicitely.

The python version in wheezy does not offer PROTOCOL_TLSv1_2 nor
OP_NO_SSLv2 or OP_NO_SSLv3 (It's new in 2.7.9)
---
 server/pkg/soledad | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'server')

diff --git a/server/pkg/soledad b/server/pkg/soledad
index bf24dac2..ccb3e9b0 100644
--- a/server/pkg/soledad
+++ b/server/pkg/soledad
@@ -19,7 +19,7 @@ CERT_PATH=/etc/leap/soledad-server.pem
 PRIVKEY_PATH=/etc/leap/soledad-server.key
 TWISTD_PATH=/usr/bin/twistd
 HOME=/var/lib/soledad/
-SSL_METHOD=TLSv1_METHOD
+SSL_METHOD=SSLv23_METHOD
 USER=soledad
 GROUP=soledad
 
-- 
cgit v1.2.3


From 2abe641215b6435fa3c18ae802a621a23d01f643 Mon Sep 17 00:00:00 2001
From: drebs <drebs@leap.se>
Date: Mon, 8 Dec 2014 14:36:25 -0200
Subject: Fold in changes.

---
 server/changes/bug_6436_run-daemon-as-user-soledad | 1 -
 server/changes/bug_6437_avoid-sslv3                | 1 -
 2 files changed, 2 deletions(-)
 delete mode 100644 server/changes/bug_6436_run-daemon-as-user-soledad
 delete mode 100644 server/changes/bug_6437_avoid-sslv3

(limited to 'server')

diff --git a/server/changes/bug_6436_run-daemon-as-user-soledad b/server/changes/bug_6436_run-daemon-as-user-soledad
deleted file mode 100644
index 886964f1..00000000
--- a/server/changes/bug_6436_run-daemon-as-user-soledad
+++ /dev/null
@@ -1 +0,0 @@
-  o Run daemon as user soledad (#6436).
diff --git a/server/changes/bug_6437_avoid-sslv3 b/server/changes/bug_6437_avoid-sslv3
deleted file mode 100644
index 5d41fbb3..00000000
--- a/server/changes/bug_6437_avoid-sslv3
+++ /dev/null
@@ -1 +0,0 @@
-  o Avoid use of SSLv3 (#6437).
-- 
cgit v1.2.3


From 1edacb035f0fc65ca26f8b1324b5cff6fdabf7bf Mon Sep 17 00:00:00 2001
From: drebs <drebs@leap.se>
Date: Thu, 9 Apr 2015 12:20:19 -0300
Subject: [fix] remove unneded params to CouchServerState

This commit removes some leftover code from a time when Soledad Server used to
check for permissions on certain databases when starting (i.e. shared and
tokens databases). This was later removed as correct permissions enforcement
was relayed to tapicero.

Closes: #6833.
---
 .../changes/bug_6833_remove-unneeded-params-from-couch-server-state  | 2 ++
 server/src/leap/soledad/server/__init__.py                           | 5 +----
 2 files changed, 3 insertions(+), 4 deletions(-)
 create mode 100644 server/changes/bug_6833_remove-unneeded-params-from-couch-server-state

(limited to 'server')

diff --git a/server/changes/bug_6833_remove-unneeded-params-from-couch-server-state b/server/changes/bug_6833_remove-unneeded-params-from-couch-server-state
new file mode 100644
index 00000000..2c927717
--- /dev/null
+++ b/server/changes/bug_6833_remove-unneeded-params-from-couch-server-state
@@ -0,0 +1,2 @@
+  o Remove unneeded parameters from CouchServerState initialization. Closes
+    #6833.
diff --git a/server/src/leap/soledad/server/__init__.py b/server/src/leap/soledad/server/__init__.py
index cd006f51..adb5b561 100644
--- a/server/src/leap/soledad/server/__init__.py
+++ b/server/src/leap/soledad/server/__init__.py
@@ -296,10 +296,7 @@ def load_configuration(file_path):
 
 def application(environ, start_response):
     conf = load_configuration('/etc/leap/soledad-server.conf')
-    state = CouchServerState(
-        conf['couch_url'],
-        SoledadApp.SHARED_DB_NAME,
-        SoledadTokenAuthMiddleware.TOKENS_DB)
+    state = CouchServerState(conf['couch_url'])
     # WSGI application that may be used by `twistd -web`
     application = GzipMiddleware(
         SoledadTokenAuthMiddleware(SoledadApp(state)))
-- 
cgit v1.2.3


From bbb19ed9a755a079da5b79567cb98a921c02f2f4 Mon Sep 17 00:00:00 2001
From: drebs <drebs@leap.se>
Date: Thu, 9 Apr 2015 14:39:05 -0300
Subject: Fold in changes.

---
 server/changes/bug_6833_remove-unneeded-params-from-couch-server-state | 2 --
 1 file changed, 2 deletions(-)
 delete mode 100644 server/changes/bug_6833_remove-unneeded-params-from-couch-server-state

(limited to 'server')

diff --git a/server/changes/bug_6833_remove-unneeded-params-from-couch-server-state b/server/changes/bug_6833_remove-unneeded-params-from-couch-server-state
deleted file mode 100644
index 2c927717..00000000
--- a/server/changes/bug_6833_remove-unneeded-params-from-couch-server-state
+++ /dev/null
@@ -1,2 +0,0 @@
-  o Remove unneeded parameters from CouchServerState initialization. Closes
-    #6833.
-- 
cgit v1.2.3