2015-07-12 19:22:10 +00:00
# coding: utf-8
2015-07-26 20:34:46 +00:00
import asyncore
2015-08-13 08:11:08 +00:00
import click
2015-10-17 15:07:26 +00:00
import hashlib
2015-08-13 08:11:08 +00:00
import logging
2015-07-12 19:22:10 +00:00
import os
2015-08-13 08:11:08 +00:00
import pwd
2016-09-17 21:00:14 +00:00
import random
2015-07-12 19:22:10 +00:00
import re
2015-07-26 20:34:46 +00:00
import signal
2015-08-13 08:11:08 +00:00
import socket
2016-09-17 21:00:14 +00:00
import string
2015-07-27 15:49:50 +00:00
import subprocess
2015-08-13 08:11:08 +00:00
import sys
2016-09-17 21:00:14 +00:00
from configparser import ConfigParser , NoOptionError , NoSectionError
2016-03-27 20:38:14 +00:00
from certidude . helpers import certidude_request_certificate
2017-04-20 05:20:10 +00:00
from certidude . common import expand_paths , ip_address , ip_network , apt , rpm , pip
2016-03-29 16:29:06 +00:00
from datetime import datetime , timedelta
2016-09-17 21:00:14 +00:00
import const
2015-07-12 19:22:10 +00:00
2017-04-04 05:02:08 +00:00
logger = logging . getLogger ( __name__ )
2015-07-26 20:34:46 +00:00
2015-07-12 19:22:10 +00:00
# http://www.mad-hacking.net/documentation/linux/security/ssl-tls/creating-ca.xml
2015-07-26 20:34:46 +00:00
# https://kjur.github.io/jsrsasign/
2016-09-17 21:00:14 +00:00
# keyUsage, extendedKeyUsage - https://www.openssl.org/docs/apps/x509v3_client_config.html
2015-08-13 08:11:08 +00:00
# strongSwan key paths - https://wiki.strongswan.org/projects/1/wiki/SimpleCA
2015-07-12 19:22:10 +00:00
2015-07-26 20:34:46 +00:00
# Parse command-line argument defaults from environment
2016-09-17 21:00:14 +00:00
2015-07-12 19:22:10 +00:00
NOW = datetime . utcnow ( ) . replace ( tzinfo = None )
2015-08-13 08:11:08 +00:00
2016-09-17 21:00:14 +00:00
@click.command ( " request " , help = " Run processes for requesting certificates and configuring services " )
2017-03-13 17:47:58 +00:00
@click.option ( " -r " , " --renew " , default = False , is_flag = True , help = " Renew now " )
2016-01-14 22:47:30 +00:00
@click.option ( " -f " , " --fork " , default = False , is_flag = True , help = " Fork to background " )
2017-05-01 16:20:50 +00:00
@click.option ( " -nw " , " --no-wait " , default = False , is_flag = True , help = " Return immideately if server doesn ' t autosign " )
def certidude_request ( fork , renew , no_wait ) :
rpm ( " openssl " )
apt ( " openssl " )
2017-04-13 20:30:28 +00:00
import requests
2017-05-01 16:20:50 +00:00
from jinja2 import Environment , PackageLoader
env = Environment ( loader = PackageLoader ( " certidude " , " templates " ) , trim_blocks = True )
2017-04-13 20:30:28 +00:00
2016-09-17 21:00:14 +00:00
if not os . path . exists ( const . CLIENT_CONFIG_PATH ) :
click . echo ( " No %s ! " % const . CLIENT_CONFIG_PATH )
return 1
if not os . path . exists ( const . SERVICES_CONFIG_PATH ) :
click . echo ( " No %s ! " % const . SERVICES_CONFIG_PATH )
return 1
2016-03-21 21:42:39 +00:00
clients = ConfigParser ( )
2016-09-17 21:00:14 +00:00
clients . readfp ( open ( const . CLIENT_CONFIG_PATH ) )
2016-01-14 22:47:30 +00:00
2016-09-17 21:00:14 +00:00
service_config = ConfigParser ( )
service_config . readfp ( open ( const . SERVICES_CONFIG_PATH ) )
2016-01-14 22:47:30 +00:00
# Process directories
2017-05-01 16:20:50 +00:00
if not os . path . exists ( const . RUN_DIR ) :
click . echo ( " Creating: %s " % const . RUN_DIR )
os . makedirs ( const . RUN_DIR )
2016-01-14 22:47:30 +00:00
2017-04-20 05:20:10 +00:00
context = globals ( )
context . update ( locals ( ) )
2016-01-14 22:47:30 +00:00
2017-03-13 11:42:58 +00:00
if not os . path . exists ( " /etc/systemd/system/certidude.timer " ) :
click . echo ( " Creating systemd timer... " )
with open ( " /etc/systemd/system/certidude.timer " , " w " ) as fh :
2017-04-20 05:20:10 +00:00
fh . write ( env . get_template ( " client/certidude.timer " ) . render ( context ) )
2017-03-13 11:42:58 +00:00
if not os . path . exists ( " /etc/systemd/system/certidude.service " ) :
click . echo ( " Creating systemd service... " )
with open ( " /etc/systemd/system/certidude.service " , " w " ) as fh :
2017-04-20 05:20:10 +00:00
fh . write ( env . get_template ( " client/certidude.service " ) . render ( context ) )
2017-03-13 11:42:58 +00:00
2016-09-17 21:00:14 +00:00
for authority in clients . sections ( ) :
2017-03-13 11:42:58 +00:00
try :
endpoint_dhparam = clients . get ( authority , " dhparam path " )
if not os . path . exists ( endpoint_dhparam ) :
2017-05-01 16:20:50 +00:00
cmd = " openssl " , " dhparam " , " -out " , endpoint_dhparam , ( " 512 " if os . getenv ( " TRAVIS " ) else " 2048 " )
2017-03-13 11:42:58 +00:00
subprocess . check_call ( cmd )
except NoOptionError :
pass
2017-04-12 13:21:49 +00:00
2017-01-10 13:01:16 +00:00
try :
endpoint_insecure = clients . getboolean ( authority , " insecure " )
except NoOptionError :
endpoint_insecure = False
2016-09-17 21:00:14 +00:00
try :
endpoint_common_name = clients . get ( authority , " common name " )
except NoOptionError :
endpoint_common_name = const . HOSTNAME
try :
endpoint_key_path = clients . get ( authority , " key path " )
except NoOptionError :
endpoint_key_path = " /var/lib/certidude/ %s /keys/ %s .pem " % ( authority , const . HOSTNAME )
try :
endpoint_request_path = clients . get ( authority , " request path " )
except NoOptionError :
endpoint_request_path = " /var/lib/certidude/ %s /requests/ %s .pem " % ( authority , const . HOSTNAME )
try :
endpoint_certificate_path = clients . get ( authority , " certificate path " )
except NoOptionError :
endpoint_certificate_path = " /var/lib/certidude/ %s /signed/ %s .pem " % ( authority , const . HOSTNAME )
try :
endpoint_authority_path = clients . get ( authority , " authority path " )
except NoOptionError :
endpoint_authority_path = " /var/lib/certidude/ %s /ca_crt.pem " % authority
try :
endpoint_revocations_path = clients . get ( authority , " revocations path " )
except NoOptionError :
endpoint_revocations_path = " /var/lib/certidude/ %s /ca_crl.pem " % authority
# TODO: Create directories automatically
2017-04-13 22:49:32 +00:00
system_keytab_required = False
2016-09-17 21:00:14 +00:00
if clients . get ( authority , " trigger " ) == " domain joined " :
2017-04-13 22:49:32 +00:00
system_keytab_required = True
2016-09-17 21:00:14 +00:00
if not os . path . exists ( " /etc/krb5.keytab " ) :
continue
elif clients . get ( authority , " trigger " ) != " interface up " :
2016-01-14 22:47:30 +00:00
continue
2017-05-01 16:20:50 +00:00
pid_path = os . path . join ( const . RUN_DIR , authority + " .pid " )
2016-01-14 22:47:30 +00:00
try :
with open ( pid_path ) as fh :
pid = int ( fh . readline ( ) )
os . kill ( pid , signal . SIGTERM )
click . echo ( " Terminated process %d " % pid )
os . unlink ( pid_path )
2016-03-21 21:42:39 +00:00
except EnvironmentError :
2016-01-14 22:47:30 +00:00
pass
if fork :
child_pid = os . fork ( )
else :
child_pid = None
if child_pid :
click . echo ( " Spawned certificate request process with PID %d " % ( child_pid ) )
continue
2016-09-17 21:00:14 +00:00
2016-01-14 22:47:30 +00:00
with open ( pid_path , " w " ) as fh :
fh . write ( " %d \n " % os . getpid ( ) )
retries = 30
2016-09-17 21:00:14 +00:00
2016-01-14 22:47:30 +00:00
while retries > 0 :
try :
certidude_request_certificate (
2016-09-17 21:00:14 +00:00
authority ,
2017-04-13 22:49:32 +00:00
system_keytab_required ,
2016-09-17 21:00:14 +00:00
endpoint_key_path ,
endpoint_request_path ,
endpoint_certificate_path ,
endpoint_authority_path ,
endpoint_revocations_path ,
endpoint_common_name ,
2017-01-10 13:01:16 +00:00
insecure = endpoint_insecure ,
2016-01-14 22:47:30 +00:00
autosign = True ,
2017-05-01 16:20:50 +00:00
wait = not no_wait ,
2017-03-13 17:47:58 +00:00
renew = renew )
2016-01-14 22:47:30 +00:00
break
except requests . exceptions . Timeout :
retries - = 1
continue
2016-09-17 21:00:14 +00:00
for endpoint in service_config . sections ( ) :
if service_config . get ( endpoint , " authority " ) != authority :
2016-01-14 22:47:30 +00:00
continue
2016-09-17 21:00:14 +00:00
click . echo ( " Configuring ' %s ' " % endpoint )
2016-01-14 22:47:30 +00:00
csummer = hashlib . sha1 ( )
csummer . update ( endpoint . encode ( " ascii " ) )
csum = csummer . hexdigest ( )
uuid = csum [ : 8 ] + " - " + csum [ 8 : 12 ] + " - " + csum [ 12 : 16 ] + " - " + csum [ 16 : 20 ] + " - " + csum [ 20 : 32 ]
2016-03-27 20:38:14 +00:00
# Intranet HTTPS handled by PKCS#12 bundle generation,
# so it will not be implemented here
2016-09-17 21:00:14 +00:00
# OpenVPN set up with initscripts
if service_config . get ( endpoint , " service " ) == " init/openvpn " :
if os . path . exists ( " /etc/openvpn/ %s .disabled " % endpoint ) and not os . path . exists ( " /etc/openvpn/ %s .conf " % endpoint ) :
os . rename ( " /etc/openvpn/ %s .disabled " % endpoint , " /etc/openvpn/ %s .conf " % endpoint )
if os . path . exists ( " /bin/systemctl " ) :
click . echo ( " Re-running systemd generators for OpenVPN... " )
os . system ( " systemctl daemon-reload " )
2017-04-29 19:09:31 +00:00
if not os . path . exists ( " /etc/systemd/system/openvpn-reconnect.service " ) :
with open ( " /etc/systemd/system/openvpn-reconnect.service " , " wb " ) as fh :
fh . write ( env . get_template ( " client/openvpn-reconnect.service " ) . render ( context ) )
click . echo ( " Created /etc/systemd/system/openvpn-reconnect.service " )
2016-09-17 21:00:14 +00:00
click . echo ( " Starting OpenVPN... " )
os . system ( " service openvpn start " )
2016-01-14 22:47:30 +00:00
continue
2016-09-17 21:00:14 +00:00
# IPSec set up with initscripts
if service_config . get ( endpoint , " service " ) == " init/strongswan " :
2017-04-13 23:49:11 +00:00
remote = service_config . get ( endpoint , " remote " )
2016-01-14 22:47:30 +00:00
from ipsecparse import loads
2017-04-13 23:49:11 +00:00
config = loads ( open ( " %s /ipsec.conf " % const . STRONGSWAN_PREFIX ) . read ( ) )
2017-04-14 17:21:31 +00:00
for section_type , section_name in config :
# Identify correct ipsec.conf section by leftcert
if section_type != " conn " :
continue
if config [ section_type , section_name ] [ " leftcert " ] != endpoint_certificate_path :
continue
if config [ section_type , section_name ] [ " left " ] == " %d efaultroute " :
config [ section_type , section_name ] [ " auto " ] = " start " # This is client
elif config [ section_type , section_name ] [ " leftsourceip " ] :
config [ section_type , section_name ] [ " auto " ] = " add " # This is server
else :
config [ section_type , section_name ] [ " auto " ] = " route " # This is site-to-site tunnel
with open ( " %s /ipsec.conf.part " % const . STRONGSWAN_PREFIX , " w " ) as fh :
fh . write ( config . dumps ( ) )
os . rename (
" %s /ipsec.conf.part " % const . STRONGSWAN_PREFIX ,
" %s /ipsec.conf " % const . STRONGSWAN_PREFIX )
break
2016-01-14 22:47:30 +00:00
# Regenerate /etc/ipsec.secrets
2017-04-13 23:49:11 +00:00
with open ( " %s /ipsec.secrets.part " % const . STRONGSWAN_PREFIX , " w " ) as fh :
for filename in os . listdir ( " %s /ipsec.d/private " % const . STRONGSWAN_PREFIX ) :
2016-01-14 22:47:30 +00:00
if not filename . endswith ( " .pem " ) :
continue
2017-04-13 23:49:11 +00:00
fh . write ( " : RSA %s /ipsec.d/private/ %s \n " % ( const . STRONGSWAN_PREFIX , filename ) )
os . rename (
" %s /ipsec.secrets.part " % const . STRONGSWAN_PREFIX ,
" %s /ipsec.secrets " % const . STRONGSWAN_PREFIX )
2016-01-14 22:47:30 +00:00
# Attempt to reload config or start if it's not running
2017-04-13 23:49:11 +00:00
if os . path . exists ( " /usr/sbin/strongswan " ) : # wtf fedora
2017-04-14 17:21:31 +00:00
if os . system ( " strongswan update " ) :
2017-04-13 23:49:11 +00:00
os . system ( " strongswan start " )
else :
2017-04-14 17:21:31 +00:00
if os . system ( " ipsec update " ) :
2017-04-13 23:49:11 +00:00
os . system ( " ipsec start " )
2016-01-14 22:47:30 +00:00
continue
2016-09-17 21:00:14 +00:00
# OpenVPN set up with NetworkManager
if service_config . get ( endpoint , " service " ) == " network-manager/openvpn " :
2017-04-13 15:17:05 +00:00
try :
endpoint_port = service_config . getint ( endpoint , " port " )
except NoOptionError :
endpoint_port = 1194
try :
endpoint_proto = service_config . get ( endpoint , " proto " )
except NoOptionError :
endpoint_proto = " udp "
# NetworkManager-strongswan-gnome
2017-03-13 11:42:58 +00:00
nm_config_path = os . path . join ( " /etc/NetworkManager/system-connections " , endpoint )
if os . path . exists ( nm_config_path ) :
click . echo ( " Not creating %s , remove to regenerate " % nm_config_path )
continue
2016-09-17 21:00:14 +00:00
nm_config = ConfigParser ( )
nm_config . add_section ( " connection " )
nm_config . set ( " connection " , " id " , endpoint )
nm_config . set ( " connection " , " uuid " , uuid )
nm_config . set ( " connection " , " type " , " vpn " )
nm_config . add_section ( " vpn " )
nm_config . set ( " vpn " , " service-type " , " org.freedesktop.NetworkManager.openvpn " )
nm_config . set ( " vpn " , " connection-type " , " tls " )
nm_config . set ( " vpn " , " comp-lzo " , " yes " )
nm_config . set ( " vpn " , " cert-pass-flags " , " 0 " )
2017-01-26 10:55:26 +00:00
nm_config . set ( " vpn " , " tap-dev " , " no " )
2016-09-17 21:00:14 +00:00
nm_config . set ( " vpn " , " remote-cert-tls " , " server " ) # Assert TLS Server flag of X.509 certificate
nm_config . set ( " vpn " , " remote " , service_config . get ( endpoint , " remote " ) )
2017-04-12 13:21:49 +00:00
nm_config . set ( " vpn " , " port " , endpoint_port )
nm_config . set ( " vpn " , " proto " , endpoint_proto )
2016-09-17 21:00:14 +00:00
nm_config . set ( " vpn " , " key " , endpoint_key_path )
nm_config . set ( " vpn " , " cert " , endpoint_certificate_path )
nm_config . set ( " vpn " , " ca " , endpoint_authority_path )
nm_config . add_section ( " ipv4 " )
nm_config . set ( " ipv4 " , " method " , " auto " )
nm_config . set ( " ipv4 " , " never-default " , " true " )
nm_config . add_section ( " ipv6 " )
nm_config . set ( " ipv6 " , " method " , " auto " )
2016-01-14 22:47:30 +00:00
2016-09-17 21:00:14 +00:00
# Prevent creation of files with liberal permissions
os . umask ( 0o177 )
2015-12-12 22:34:08 +00:00
2016-09-17 21:00:14 +00:00
# Write NetworkManager configuration
2017-03-13 11:42:58 +00:00
with open ( nm_config_path , " w " ) as fh :
2016-09-17 21:00:14 +00:00
nm_config . write ( fh )
2017-03-13 11:42:58 +00:00
click . echo ( " Created %s " % nm_config_path )
2017-01-10 13:09:52 +00:00
os . system ( " nmcli con reload " )
2016-09-17 21:00:14 +00:00
continue
2016-01-10 17:51:54 +00:00
2015-07-26 20:34:46 +00:00
2016-09-17 21:00:14 +00:00
# IPSec set up with NetworkManager
2017-01-10 13:09:52 +00:00
elif service_config . get ( endpoint , " service " ) == " network-manager/strongswan " :
2016-09-17 21:00:14 +00:00
client_config = ConfigParser ( )
2017-04-12 13:56:29 +00:00
nm_config = ConfigParser ( )
2016-09-17 21:00:14 +00:00
nm_config . add_section ( " connection " )
nm_config . set ( " connection " , " id " , endpoint )
nm_config . set ( " connection " , " uuid " , uuid )
nm_config . set ( " connection " , " type " , " vpn " )
nm_config . add_section ( " vpn " )
nm_config . set ( " vpn " , " service-type " , " org.freedesktop.NetworkManager.strongswan " )
nm_config . set ( " vpn " , " encap " , " no " )
nm_config . set ( " vpn " , " virtual " , " yes " )
nm_config . set ( " vpn " , " method " , " key " )
nm_config . set ( " vpn " , " ipcomp " , " no " )
nm_config . set ( " vpn " , " address " , service_config . get ( endpoint , " remote " ) )
nm_config . set ( " vpn " , " userkey " , endpoint_key_path )
nm_config . set ( " vpn " , " usercert " , endpoint_certificate_path )
nm_config . set ( " vpn " , " certificate " , endpoint_authority_path )
nm_config . add_section ( " ipv4 " )
nm_config . set ( " ipv4 " , " method " , " auto " )
2015-07-26 20:34:46 +00:00
2016-09-17 21:00:14 +00:00
# Add routes, may need some more tweaking
if service_config . has_option ( endpoint , " route " ) :
for index , subnet in enumerate ( service_config . get ( endpoint , " route " ) . split ( " , " ) , start = 1 ) :
nm_config . set ( " ipv4 " , " route %d " % index , subnet )
2015-07-26 20:34:46 +00:00
2016-09-17 21:00:14 +00:00
# Prevent creation of files with liberal permissions
os . umask ( 0o177 )
2015-12-12 22:34:08 +00:00
2016-09-17 21:00:14 +00:00
# Write NetworkManager configuration
with open ( os . path . join ( " /etc/NetworkManager/system-connections " , endpoint ) , " w " ) as fh :
nm_config . write ( fh )
click . echo ( " Created %s " % fh . name )
2017-01-10 13:09:52 +00:00
os . system ( " nmcli con reload " )
2016-09-17 21:00:14 +00:00
continue
2015-12-12 22:34:08 +00:00
2016-09-17 21:00:14 +00:00
# TODO: Puppet, OpenLDAP, <insert awesomeness here>
2017-04-13 23:49:11 +00:00
click . echo ( " Unknown service: %s " % service_config . get ( endpoint , " service " ) )
2016-09-17 21:00:14 +00:00
os . unlink ( pid_path )
2016-01-14 22:47:30 +00:00
2015-07-26 20:34:46 +00:00
@click.command ( " server " , help = " Set up OpenVPN server " )
2016-09-17 21:00:14 +00:00
@click.argument ( " authority " )
2017-05-01 16:20:50 +00:00
@click.option ( " --common-name " , " -cn " , default = const . FQDN , help = " Common name, %s by default " % const . FQDN )
2015-07-26 20:34:46 +00:00
@click.option ( " --subnet " , " -s " , default = " 192.168.33.0/24 " , type = ip_network , help = " OpenVPN subnet, 192.168.33.0/24 by default " )
2016-03-27 20:38:14 +00:00
@click.option ( " --local " , " -l " , default = " 0.0.0.0 " , help = " OpenVPN listening address, defaults to all interfaces " )
2017-04-12 13:21:49 +00:00
@click.option ( " --port " , " -p " , default = 1194 , type = click . IntRange ( 1 , 60000 ) , help = " OpenVPN listening port, 1194 by default " )
2015-07-26 20:34:46 +00:00
@click.option ( ' --proto ' , " -t " , default = " udp " , type = click . Choice ( [ ' udp ' , ' tcp ' ] ) , help = " OpenVPN transport protocol, UDP by default " )
2015-08-13 08:11:08 +00:00
@click.option ( " --route " , " -r " , type = ip_network , multiple = True , help = " Subnets to advertise via this connection, multiple allowed " )
2015-07-26 20:34:46 +00:00
@click.option ( " --config " , " -o " ,
default = " /etc/openvpn/site-to-client.conf " ,
type = click . File ( mode = " w " , atomic = True , lazy = True ) ,
help = " OpenVPN configuration file " )
2017-05-01 16:20:50 +00:00
def certidude_setup_openvpn_server ( authority , common_name , config , subnet , route , local , proto , port ) :
2017-04-20 05:20:10 +00:00
# Install dependencies
apt ( " openvpn " )
rpm ( " openvpn " )
2015-07-26 20:34:46 +00:00
2016-09-17 21:00:14 +00:00
# Create corresponding section in Certidude client configuration file
client_config = ConfigParser ( )
if os . path . exists ( const . CLIENT_CONFIG_PATH ) :
client_config . readfp ( open ( const . CLIENT_CONFIG_PATH ) )
if client_config . has_section ( authority ) :
click . echo ( " Section ' %s ' already exists in %s , remove to regenerate " % ( authority , const . CLIENT_CONFIG_PATH ) )
else :
2017-05-01 16:20:50 +00:00
client_config . add_section ( authority )
2016-09-17 21:00:14 +00:00
client_config . set ( authority , " trigger " , " interface up " )
2017-05-01 16:20:50 +00:00
client_config . set ( authority , " common name " , common_name )
slug = common_name . replace ( " . " , " - " )
client_config . set ( authority , " request path " , " /etc/openvpn/keys/ %s .csr " % slug )
client_config . set ( authority , " key path " , " /etc/openvpn/keys/ %s .key " % slug )
client_config . set ( authority , " certificate path " , " /etc/openvpn/keys/ %s .crt " % slug )
2016-09-17 21:00:14 +00:00
client_config . set ( authority , " authority path " , " /etc/openvpn/keys/ca.crt " )
client_config . set ( authority , " revocations path " , " /etc/openvpn/keys/ca.crl " )
2017-03-13 11:42:58 +00:00
client_config . set ( authority , " dhparam path " , " /etc/openvpn/keys/dhparam.pem " )
2016-09-17 21:00:14 +00:00
with open ( const . CLIENT_CONFIG_PATH + " .part " , ' wb ' ) as fh :
client_config . write ( fh )
os . rename ( const . CLIENT_CONFIG_PATH + " .part " , const . CLIENT_CONFIG_PATH )
click . echo ( " Section ' %s ' added to %s " % ( authority , const . CLIENT_CONFIG_PATH ) )
# Create corresponding section in /etc/certidude/services.conf
2017-05-01 16:20:50 +00:00
endpoint = " OpenVPN server %s of %s " % ( common_name , authority )
2016-09-17 21:00:14 +00:00
service_config = ConfigParser ( )
if os . path . exists ( const . SERVICES_CONFIG_PATH ) :
service_config . readfp ( open ( const . SERVICES_CONFIG_PATH ) )
if service_config . has_section ( endpoint ) :
click . echo ( " Section ' %s ' already exists in %s , not reconfiguring " % ( endpoint , const . SERVICES_CONFIG_PATH ) )
else :
service_config . add_section ( endpoint )
service_config . set ( endpoint , " authority " , authority )
service_config . set ( endpoint , " service " , " init/openvpn " )
2017-03-13 11:42:58 +00:00
2016-09-17 21:00:14 +00:00
with open ( const . SERVICES_CONFIG_PATH + " .part " , ' wb ' ) as fh :
service_config . write ( fh )
os . rename ( const . SERVICES_CONFIG_PATH + " .part " , const . SERVICES_CONFIG_PATH )
click . echo ( " Section ' %s ' added to %s " % ( endpoint , const . SERVICES_CONFIG_PATH ) )
2017-03-13 11:42:58 +00:00
authority_hostname = authority . split ( " . " ) [ 0 ]
config . write ( " server %s %s \n " % ( subnet . network_address , subnet . netmask ) )
config . write ( " dev tun- %s \n " % authority_hostname )
2016-09-17 21:00:14 +00:00
config . write ( " proto %s \n " % proto )
config . write ( " port %d \n " % port )
config . write ( " local %s \n " % local )
config . write ( " key %s \n " % client_config . get ( authority , " key path " ) )
config . write ( " cert %s \n " % client_config . get ( authority , " certificate path " ) )
config . write ( " ca %s \n " % client_config . get ( authority , " authority path " ) )
2017-03-13 11:42:58 +00:00
config . write ( " dh %s \n " % client_config . get ( authority , " dhparam path " ) )
2016-09-17 21:00:14 +00:00
config . write ( " comp-lzo \n " )
config . write ( " user nobody \n " )
config . write ( " group nogroup \n " )
config . write ( " persist-tun \n " )
config . write ( " persist-key \n " )
2017-03-13 11:42:58 +00:00
config . write ( " #ifconfig-pool-persist /tmp/openvpn-leases.txt \n " )
2016-09-17 21:00:14 +00:00
config . write ( " #crl-verify %s \n " % client_config . get ( authority , " revocations path " ) )
2015-07-26 20:34:46 +00:00
click . echo ( " Generated %s " % config . name )
2016-09-17 21:00:14 +00:00
click . echo ( " Inspect generated files and issue following to request certificate: " )
2015-07-26 20:34:46 +00:00
click . echo ( )
2016-09-17 21:00:14 +00:00
click . echo ( " certidude request " )
2015-07-26 20:34:46 +00:00
2016-03-21 21:42:39 +00:00
@click.command ( " nginx " , help = " Set up nginx as HTTPS server " )
2017-03-13 11:42:58 +00:00
@click.argument ( " authority " )
2016-09-17 21:00:14 +00:00
@click.option ( " --common-name " , " -cn " , default = const . FQDN , help = " Common name, %s by default " % const . FQDN )
2016-03-21 21:42:39 +00:00
@click.option ( " --tls-config " ,
default = " /etc/nginx/conf.d/tls.conf " ,
type = click . File ( mode = " w " , atomic = True , lazy = True ) ,
help = " TLS configuration file of nginx, /etc/nginx/conf.d/tls.conf by default " )
@click.option ( " --site-config " , " -o " ,
2016-09-17 21:00:14 +00:00
default = " /etc/nginx/sites-available/ %s .conf " % const . HOSTNAME ,
2016-03-21 21:42:39 +00:00
type = click . File ( mode = " w " , atomic = True , lazy = True ) ,
2016-09-17 21:00:14 +00:00
help = " Site configuration file of nginx, /etc/nginx/sites-available/ %s .conf by default " % const . HOSTNAME )
2016-03-21 21:42:39 +00:00
@click.option ( " --directory " , " -d " , default = " /etc/nginx/ssl " , help = " Directory for keys, /etc/nginx/ssl by default " )
2016-09-17 21:00:14 +00:00
@click.option ( " --key-path " , " -key " , default = const . HOSTNAME + " .key " , help = " Key path, %s .key relative to -d by default " % const . HOSTNAME )
@click.option ( " --request-path " , " -csr " , default = const . HOSTNAME + " .csr " , help = " Request path, %s .csr relative to -d by default " % const . HOSTNAME )
@click.option ( " --certificate-path " , " -crt " , default = const . HOSTNAME + " .crt " , help = " Certificate path, %s .crt relative to -d by default " % const . HOSTNAME )
2016-03-21 21:42:39 +00:00
@click.option ( " --dhparam-path " , " -dh " , default = " dhparam2048.pem " , help = " Diffie/Hellman parameters path, dhparam2048.pem relative to -d by default " )
@click.option ( " --authority-path " , " -ca " , default = " ca.crt " , help = " Certificate authority certificate path, ca.crt relative to -d by default " )
2016-03-27 20:38:14 +00:00
@click.option ( " --revocations-path " , " -crl " , default = " ca.crl " , help = " Certificate revocation list, ca.crl relative to -d by default " )
2017-03-13 11:42:58 +00:00
@click.option ( " --verify-client " , " -vc " , default = " optional " , type = click . Choice ( [ ' optional ' , ' on ' , ' off ' ] ) )
2016-03-21 21:42:39 +00:00
@expand_paths ( )
2017-03-13 11:42:58 +00:00
def certidude_setup_nginx ( authority , site_config , tls_config , common_name , directory , key_path , request_path , certificate_path , authority_path , revocations_path , dhparam_path , verify_client ) :
if not os . path . exists ( " /etc/nginx " ) :
raise ValueError ( " nginx not installed " )
if " . " not in common_name :
raise ValueError ( " Fully qualified hostname not specified as common name, make sure hostname -f works " )
client_config = ConfigParser ( )
if os . path . exists ( const . CLIENT_CONFIG_PATH ) :
client_config . readfp ( open ( const . CLIENT_CONFIG_PATH ) )
if client_config . has_section ( authority ) :
click . echo ( " Section ' %s ' already exists in %s , remove to regenerate " % ( authority , const . CLIENT_CONFIG_PATH ) )
else :
client_config . add_section ( authority )
client_config . set ( authority , " trigger " , " interface up " )
client_config . set ( authority , " common name " , common_name )
client_config . set ( authority , " request path " , request_path )
client_config . set ( authority , " key path " , key_path )
client_config . set ( authority , " certificate path " , certificate_path )
client_config . set ( authority , " authority path " , authority_path )
client_config . set ( authority , " dhparam path " , dhparam_path )
client_config . set ( authority , " revocations path " , revocations_path )
with open ( const . CLIENT_CONFIG_PATH + " .part " , ' wb ' ) as fh :
client_config . write ( fh )
os . rename ( const . CLIENT_CONFIG_PATH + " .part " , const . CLIENT_CONFIG_PATH )
click . echo ( " Section ' %s ' added to %s " % ( authority , const . CLIENT_CONFIG_PATH ) )
2016-03-21 21:42:39 +00:00
2016-09-17 21:00:14 +00:00
context = globals ( ) # Grab const.BLAH
2016-03-21 21:42:39 +00:00
context . update ( locals ( ) )
2017-03-13 11:42:58 +00:00
if os . path . exists ( site_config . name ) :
click . echo ( " Configuration file %s already exists, not overwriting " % site_config . name )
2016-03-21 21:42:39 +00:00
else :
2017-03-13 11:42:58 +00:00
site_config . write ( env . get_template ( " nginx-https-site.conf " ) . render ( context ) )
click . echo ( " Generated %s " % site_config . name )
2016-03-21 21:42:39 +00:00
2017-03-13 11:42:58 +00:00
if os . path . exists ( tls_config . name ) :
click . echo ( " Configuration file %s already exists, not overwriting " % tls_config . name )
2016-03-21 21:42:39 +00:00
else :
2017-03-13 11:42:58 +00:00
tls_config . write ( env . get_template ( " nginx-tls.conf " ) . render ( context ) )
click . echo ( " Generated %s " % tls_config . name )
2016-03-21 21:42:39 +00:00
click . echo ( )
click . echo ( " Inspect configuration files, enable it and start nginx service: " )
click . echo ( )
click . echo ( " ln -s %s /etc/nginx/sites-enabled/ %s " % (
2017-03-13 11:42:58 +00:00
os . path . relpath ( site_config . name , " /etc/nginx/sites-enabled " ) ,
os . path . basename ( site_config . name ) ) )
click . echo ( " service nginx restart " )
2016-03-21 21:42:39 +00:00
click . echo ( )
2015-07-26 20:34:46 +00:00
@click.command ( " client " , help = " Set up OpenVPN client " )
2016-09-17 21:00:14 +00:00
@click.argument ( " authority " )
2015-07-26 20:34:46 +00:00
@click.argument ( " remote " )
2017-05-01 16:20:50 +00:00
@click.option ( " --common-name " , " -cn " , default = const . HOSTNAME , help = " Common name, %s by default " % const . HOSTNAME )
2015-07-26 20:34:46 +00:00
@click.option ( ' --proto ' , " -t " , default = " udp " , type = click . Choice ( [ ' udp ' , ' tcp ' ] ) , help = " OpenVPN transport protocol, UDP by default " )
@click.option ( " --config " , " -o " ,
default = " /etc/openvpn/client-to-site.conf " ,
type = click . File ( mode = " w " , atomic = True , lazy = True ) ,
help = " OpenVPN configuration file " )
2017-05-01 16:20:50 +00:00
def certidude_setup_openvpn_client ( authority , remote , common_name , config , proto ) :
2017-04-20 05:20:10 +00:00
# Install dependencies
apt ( " openvpn " )
rpm ( " openvpn " )
2016-09-17 21:00:14 +00:00
# Create corresponding section in Certidude client configuration file
client_config = ConfigParser ( )
if os . path . exists ( const . CLIENT_CONFIG_PATH ) :
client_config . readfp ( open ( const . CLIENT_CONFIG_PATH ) )
if client_config . has_section ( authority ) :
click . echo ( " Section ' %s ' already exists in %s , remove to regenerate " % ( authority , const . CLIENT_CONFIG_PATH ) )
else :
client_config . add_section ( authority )
client_config . set ( authority , " trigger " , " interface up " )
2017-05-01 16:20:50 +00:00
client_config . set ( authority , " common name " , common_name )
client_config . set ( authority , " request path " , " /etc/openvpn/keys/ %s .csr " % const . common_name )
client_config . set ( authority , " key path " , " /etc/openvpn/keys/ %s .key " % common_name )
client_config . set ( authority , " certificate path " , " /etc/openvpn/keys/ %s .crt " % common_name )
2016-09-17 21:00:14 +00:00
client_config . set ( authority , " authority path " , " /etc/openvpn/keys/ca.crt " )
client_config . set ( authority , " revocations path " , " /etc/openvpn/keys/ca.crl " )
with open ( const . CLIENT_CONFIG_PATH + " .part " , ' wb ' ) as fh :
client_config . write ( fh )
os . rename ( const . CLIENT_CONFIG_PATH + " .part " , const . CLIENT_CONFIG_PATH )
click . echo ( " Section ' %s ' added to %s " % ( authority , const . CLIENT_CONFIG_PATH ) )
# Create corresponding section in /etc/certidude/services.conf
2017-04-20 05:20:10 +00:00
endpoint = " OpenVPN to %s " % remote
2016-09-17 21:00:14 +00:00
service_config = ConfigParser ( )
if os . path . exists ( const . SERVICES_CONFIG_PATH ) :
service_config . readfp ( open ( const . SERVICES_CONFIG_PATH ) )
if service_config . has_section ( endpoint ) :
click . echo ( " Section ' %s ' already exists in %s , not reconfiguring " % ( endpoint , const . SERVICES_CONFIG_PATH ) )
else :
service_config . add_section ( endpoint )
service_config . set ( endpoint , " authority " , authority )
service_config . set ( endpoint , " service " , " init/openvpn " )
2017-04-13 23:49:11 +00:00
service_config . set ( endpoint , " remote " , remote )
2016-09-17 21:00:14 +00:00
with open ( const . SERVICES_CONFIG_PATH + " .part " , ' wb ' ) as fh :
service_config . write ( fh )
os . rename ( const . SERVICES_CONFIG_PATH + " .part " , const . SERVICES_CONFIG_PATH )
click . echo ( " Section ' %s ' added to %s " % ( endpoint , const . SERVICES_CONFIG_PATH ) )
config . write ( " client \n " )
config . write ( " remote %s \n " % remote )
config . write ( " remote-cert-tls server \n " )
config . write ( " proto %s \n " % proto )
2017-04-29 19:09:31 +00:00
config . write ( " dev tun \n " )
2016-09-17 21:00:14 +00:00
config . write ( " nobind \n " )
config . write ( " key %s \n " % client_config . get ( authority , " key path " ) )
config . write ( " cert %s \n " % client_config . get ( authority , " certificate path " ) )
config . write ( " ca %s \n " % client_config . get ( authority , " authority path " ) )
config . write ( " crl-verify %s \n " % client_config . get ( authority , " revocations path " ) )
config . write ( " comp-lzo \n " )
config . write ( " user nobody \n " )
config . write ( " group nogroup \n " )
config . write ( " persist-tun \n " )
config . write ( " persist-key \n " )
2017-05-01 16:20:50 +00:00
config . write ( " up /etc/openvpn/update-resolv-conf \n " )
config . write ( " down /etc/openvpn/update-resolv-conf \n " )
2015-07-26 20:34:46 +00:00
click . echo ( " Generated %s " % config . name )
2016-09-17 21:00:14 +00:00
click . echo ( " Inspect generated files and issue following to request certificate: " )
2015-07-26 20:34:46 +00:00
click . echo ( )
2016-09-17 21:00:14 +00:00
click . echo ( " certidude request " )
2015-07-26 20:34:46 +00:00
2015-08-13 08:11:08 +00:00
@click.command ( " server " , help = " Set up strongSwan server " )
2017-03-13 11:42:58 +00:00
@click.argument ( " authority " )
2017-04-14 17:21:31 +00:00
@click.option ( " --common-name " , " -cn " , default = const . FQDN , help = " Common name, %s by default " % const . FQDN )
2016-03-21 21:42:39 +00:00
@click.option ( " --subnet " , " -sn " , default = u " 192.168.33.0/24 " , type = ip_network , help = " IPsec virtual subnet, 192.168.33.0/24 by default " )
2015-08-13 08:11:08 +00:00
@click.option ( " --route " , " -r " , type = ip_network , multiple = True , help = " Subnets to advertise via this connection, multiple allowed " )
2017-04-14 17:21:31 +00:00
def certidude_setup_strongswan_server ( authority , common_name , subnet , route ) :
2015-12-16 17:41:49 +00:00
if " . " not in common_name :
raise ValueError ( " Hostname has to be fully qualified! " )
2015-08-13 08:11:08 +00:00
2017-04-20 05:20:10 +00:00
# Install dependencies
apt ( " strongswan " )
rpm ( " strongswan " )
pip ( " ipsecparse " )
2016-09-17 21:00:14 +00:00
# Create corresponding section in Certidude client configuration file
client_config = ConfigParser ( )
if os . path . exists ( const . CLIENT_CONFIG_PATH ) :
client_config . readfp ( open ( const . CLIENT_CONFIG_PATH ) )
2017-04-14 17:21:31 +00:00
if client_config . has_section ( authority ) :
2016-09-17 21:00:14 +00:00
click . echo ( " Section ' %s ' already exists in %s , remove to regenerate " % ( authority , const . CLIENT_CONFIG_PATH ) )
else :
2017-04-14 17:21:31 +00:00
client_config . add_section ( authority )
2016-09-17 21:00:14 +00:00
client_config . set ( authority , " trigger " , " interface up " )
client_config . set ( authority , " common name " , const . FQDN )
2017-04-14 17:21:31 +00:00
client_config . set ( authority , " request path " , " %s /ipsec.d/reqs/ %s .pem " % ( const . STRONGSWAN_PREFIX , const . HOSTNAME ) )
client_config . set ( authority , " key path " , " %s /ipsec.d/private/ %s .pem " % ( const . STRONGSWAN_PREFIX , const . HOSTNAME ) )
client_config . set ( authority , " certificate path " , " %s /ipsec.d/certs/ %s .pem " % ( const . STRONGSWAN_PREFIX , const . HOSTNAME ) )
client_config . set ( authority , " authority path " , " %s /ipsec.d/cacerts/ca.pem " % const . STRONGSWAN_PREFIX )
client_config . set ( authority , " revocations path " , " %s /ipsec.d/crls/ca.pem " % const . STRONGSWAN_PREFIX )
2016-09-17 21:00:14 +00:00
with open ( const . CLIENT_CONFIG_PATH + " .part " , ' wb ' ) as fh :
client_config . write ( fh )
os . rename ( const . CLIENT_CONFIG_PATH + " .part " , const . CLIENT_CONFIG_PATH )
click . echo ( " Section ' %s ' added to %s " % ( authority , const . CLIENT_CONFIG_PATH ) )
# Create corresponding section to /etc/ipsec.conf
from ipsecparse import loads
2017-04-14 17:21:31 +00:00
config = loads ( open ( " %s /ipsec.conf " % const . STRONGSWAN_PREFIX ) . read ( ) )
config [ " conn " , authority ] = dict (
leftcert = client_config . get ( authority , " certificate path " ) ,
leftsubnet = " , " . join ( route ) ,
2016-09-17 21:00:14 +00:00
right = " %a ny " ,
2017-04-14 17:21:31 +00:00
rightsourceip = str ( subnet ) ,
2016-09-17 21:00:14 +00:00
closeaction = " restart " ,
auto = " ignore " )
2017-04-14 17:21:31 +00:00
with open ( " %s /ipsec.conf.part " % const . STRONGSWAN_PREFIX , " w " ) as fh :
fh . write ( config . dumps ( ) )
os . rename (
" %s /ipsec.conf.part " % const . STRONGSWAN_PREFIX ,
" %s /ipsec.conf " % const . STRONGSWAN_PREFIX )
2015-08-13 08:11:08 +00:00
click . echo ( )
2016-03-29 15:37:28 +00:00
click . echo ( " If you ' re running Ubuntu make sure you ' re not affected by #1505222 " )
click . echo ( " https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1505222 " )
2015-08-13 08:11:08 +00:00
@click.command ( " client " , help = " Set up strongSwan client " )
2017-03-13 11:42:58 +00:00
@click.argument ( " authority " )
2015-08-13 08:11:08 +00:00
@click.argument ( " remote " )
2017-04-13 23:49:11 +00:00
def certidude_setup_strongswan_client ( authority , remote ) :
2017-04-20 05:20:10 +00:00
# Install dependencies
apt ( " strongswan " )
rpm ( " strongswan " )
pip ( " ipsecparse " )
2016-09-17 21:00:14 +00:00
# Create corresponding section in /etc/certidude/client.conf
client_config = ConfigParser ( )
if os . path . exists ( const . CLIENT_CONFIG_PATH ) :
client_config . readfp ( open ( const . CLIENT_CONFIG_PATH ) )
2017-04-13 23:49:11 +00:00
if client_config . has_section ( authority ) :
2016-09-17 21:00:14 +00:00
click . echo ( " Section ' %s ' already exists in %s , remove to regenerate " % ( authority , const . CLIENT_CONFIG_PATH ) )
else :
client_config . add_section ( authority )
client_config . set ( authority , " trigger " , " interface up " )
client_config . set ( authority , " common name " , const . HOSTNAME )
2017-04-13 23:49:11 +00:00
client_config . set ( authority , " request path " , " %s /ipsec.d/reqs/ %s .pem " % ( const . STRONGSWAN_PREFIX , const . HOSTNAME ) )
client_config . set ( authority , " key path " , " %s /ipsec.d/private/ %s .pem " % ( const . STRONGSWAN_PREFIX , const . HOSTNAME ) )
2017-04-14 17:32:59 +00:00
client_config . set ( authority , " certificate path " , " %s /ipsec.d/certs/ %s .pem " % ( const . STRONGSWAN_PREFIX , const . HOSTNAME ) )
2017-04-13 23:49:11 +00:00
client_config . set ( authority , " authority path " , " %s /ipsec.d/cacerts/ca.pem " % const . STRONGSWAN_PREFIX )
client_config . set ( authority , " revocations path " , " %s /ipsec.d/crls/ca.pem " % const . STRONGSWAN_PREFIX )
2016-09-17 21:00:14 +00:00
with open ( const . CLIENT_CONFIG_PATH + " .part " , ' wb ' ) as fh :
client_config . write ( fh )
os . rename ( const . CLIENT_CONFIG_PATH + " .part " , const . CLIENT_CONFIG_PATH )
click . echo ( " Section ' %s ' added to %s " % ( authority , const . CLIENT_CONFIG_PATH ) )
2017-04-13 23:49:11 +00:00
# Create corresponding section in /etc/certidude/services.conf
endpoint = " IPsec connection to %s " % remote
service_config = ConfigParser ( )
if os . path . exists ( const . SERVICES_CONFIG_PATH ) :
service_config . readfp ( open ( const . SERVICES_CONFIG_PATH ) )
if service_config . has_section ( endpoint ) :
click . echo ( " Section ' %s ' already exists in %s , not reconfiguring " % ( endpoint , const . SERVICES_CONFIG_PATH ) )
else :
service_config . add_section ( endpoint )
service_config . set ( endpoint , " authority " , authority )
service_config . set ( endpoint , " service " , " init/strongswan " )
service_config . set ( endpoint , " remote " , remote )
with open ( const . SERVICES_CONFIG_PATH + " .part " , ' wb ' ) as fh :
service_config . write ( fh )
os . rename ( const . SERVICES_CONFIG_PATH + " .part " , const . SERVICES_CONFIG_PATH )
click . echo ( " Section ' %s ' added to %s " % ( endpoint , const . SERVICES_CONFIG_PATH ) )
2016-09-17 21:00:14 +00:00
# Create corresponding section in /etc/ipsec.conf
from ipsecparse import loads
2017-04-13 23:49:11 +00:00
config = loads ( open ( ' %s /ipsec.conf ' % const . STRONGSWAN_PREFIX ) . read ( ) )
config [ " conn " , remote ] = dict (
2016-09-17 21:00:14 +00:00
leftsourceip = " %c onfig " ,
left = " %d efaultroute " ,
2017-04-13 23:49:11 +00:00
leftcert = client_config . get ( authority , " certificate path " ) ,
2016-09-17 21:00:14 +00:00
rightid = " %a ny " ,
right = remote ,
2017-04-13 23:49:11 +00:00
#rightsubnet=route,
2016-09-17 21:00:14 +00:00
keyexchange = " ikev2 " ,
keyingtries = " 300 " ,
dpdaction = " restart " ,
closeaction = " restart " ,
auto = " ignore " )
2017-04-13 23:49:11 +00:00
with open ( " %s /ipsec.conf.part " % const . STRONGSWAN_PREFIX , " w " ) as fh :
fh . write ( config . dumps ( ) )
os . rename (
" %s /ipsec.conf.part " % const . STRONGSWAN_PREFIX ,
" %s /ipsec.conf " % const . STRONGSWAN_PREFIX )
2016-09-17 21:00:14 +00:00
2017-04-13 23:49:11 +00:00
click . echo ( " Generated section %s in %s " % ( authority , const . CLIENT_CONFIG_PATH ) )
2016-09-17 21:00:14 +00:00
click . echo ( " Run ' certidude request ' to request certificates and to enable services " )
2015-08-13 08:11:08 +00:00
2015-10-17 15:07:26 +00:00
@click.command ( " networkmanager " , help = " Set up strongSwan client via NetworkManager " )
2017-03-13 11:42:58 +00:00
@click.argument ( " authority " ) # Certidude server
2016-03-27 20:38:14 +00:00
@click.argument ( " remote " ) # StrongSwan gateway
2017-03-13 11:42:58 +00:00
def certidude_setup_strongswan_networkmanager ( authority , remote ) :
2017-04-20 05:20:10 +00:00
# Install dependencies
apt ( " strongswan-nm " )
rpm ( " NetworkManager-strongswan-gnome " )
2016-03-27 20:38:14 +00:00
endpoint = " IPSec to %s " % remote
2015-10-17 15:07:26 +00:00
2016-09-17 21:00:14 +00:00
# Create corresponding section in /etc/certidude/client.conf
client_config = ConfigParser ( )
if os . path . exists ( const . CLIENT_CONFIG_PATH ) :
client_config . readfp ( open ( const . CLIENT_CONFIG_PATH ) )
2017-04-13 23:49:11 +00:00
if client_config . has_section ( authority ) :
2016-09-17 21:00:14 +00:00
click . echo ( " Section ' %s ' already exists in %s , remove to regenerate " % ( authority , const . CLIENT_CONFIG_PATH ) )
2016-03-27 20:38:14 +00:00
else :
2016-09-17 21:00:14 +00:00
client_config . add_section ( authority )
client_config . set ( authority , " trigger " , " interface up " )
client_config . set ( authority , " common name " , const . HOSTNAME )
client_config . set ( authority , " request path " , " /etc/ipsec.d/reqs/ %s .pem " % const . HOSTNAME )
client_config . set ( authority , " key path " , " /etc/ipsec.d/private/ %s .pem " % const . HOSTNAME )
client_config . set ( authority , " certificate path " , " /etc/ipsec.d/certs/ %s .pem " % const . HOSTNAME )
client_config . set ( authority , " authority path " , " /etc/ipsec.d/cacerts/ca.pem " )
2017-04-13 22:50:04 +00:00
client_config . set ( authority , " revocations path " , " /etc/ipsec.d/crls/ca.pem " )
2016-09-17 21:00:14 +00:00
with open ( const . CLIENT_CONFIG_PATH + " .part " , ' wb ' ) as fh :
client_config . write ( fh )
os . rename ( const . CLIENT_CONFIG_PATH + " .part " , const . CLIENT_CONFIG_PATH )
click . echo ( " Section ' %s ' added to %s " % ( authority , const . CLIENT_CONFIG_PATH ) )
# Create corresponding section in /etc/certidude/services.conf
service_config = ConfigParser ( )
if os . path . exists ( const . SERVICES_CONFIG_PATH ) :
service_config . readfp ( open ( const . SERVICES_CONFIG_PATH ) )
if service_config . has_section ( endpoint ) :
click . echo ( " Section ' %s ' already exists in %s , remove to regenerate " % ( endpoint , const . SERVICES_CONFIG_PATH ) )
else :
service_config . add_section ( endpoint )
2017-04-13 23:49:11 +00:00
service_config . set ( endpoint , " authority " , authority )
service_config . set ( endpoint , " remote " , remote )
service_config . set ( endpoint , " service " , " network-manager/strongswan " )
2016-09-17 21:00:14 +00:00
with open ( const . SERVICES_CONFIG_PATH + " .part " , ' wb ' ) as fh :
service_config . write ( fh )
os . rename ( const . SERVICES_CONFIG_PATH + " .part " , const . SERVICES_CONFIG_PATH )
click . echo ( " Section ' %s ' added to %s " % ( endpoint , const . SERVICES_CONFIG_PATH ) )
2015-10-17 15:07:26 +00:00
2016-03-27 20:38:14 +00:00
@click.command ( " networkmanager " , help = " Set up OpenVPN client via NetworkManager " )
2017-03-13 11:42:58 +00:00
@click.argument ( " authority " )
2016-03-27 20:38:14 +00:00
@click.argument ( " remote " ) # OpenVPN gateway
2016-09-17 21:00:14 +00:00
@click.option ( " --common-name " , " -cn " , default = const . HOSTNAME , help = " Common name, %s by default " % const . HOSTNAME )
2017-03-13 11:42:58 +00:00
def certidude_setup_openvpn_networkmanager ( authority , remote ) :
2016-09-17 21:00:14 +00:00
# Create corresponding section in /etc/certidude/client.conf
client_config = ConfigParser ( )
if os . path . exists ( const . CLIENT_CONFIG_PATH ) :
client_config . readfp ( open ( const . CLIENT_CONFIG_PATH ) )
if client_config . has_section ( server ) :
click . echo ( " Section ' %s ' already exists in %s , remove to regenerate " % ( authority , const . CLIENT_CONFIG_PATH ) )
else :
client_config . add_section ( authority )
client_config . set ( authority , " trigger " , " interface up " )
client_config . set ( authority , " common name " , const . HOSTNAME )
client_config . set ( authority , " request path " , " /etc/ipsec.d/reqs/ %s .pem " % const . HOSTNAME )
client_config . set ( authority , " key path " , " /etc/ipsec.d/private/ %s .pem " % const . HOSTNAME )
client_config . set ( authority , " certificate path " , " /etc/ipsec.d/certs/ %s .pem " % const . HOSTNAME )
client_config . set ( authority , " authority path " , " /etc/ipsec.d/cacerts/ca.pem " )
2017-04-13 22:50:04 +00:00
client_config . set ( authority , " revocations path " , " /etc/ipsec.d/crls/ca.pem " )
2016-09-17 21:00:14 +00:00
with open ( const . CLIENT_CONFIG_PATH + " .part " , ' wb ' ) as fh :
client_config . write ( fh )
os . rename ( const . CLIENT_CONFIG_PATH + " .part " , const . CLIENT_CONFIG_PATH )
click . echo ( " Section ' %s ' added to %s " % ( authority , const . CLIENT_CONFIG_PATH ) )
2015-10-17 15:07:26 +00:00
2016-03-27 20:38:14 +00:00
endpoint = " OpenVPN to %s " % remote
2015-10-17 15:07:26 +00:00
2016-09-17 21:00:14 +00:00
service_config = ConfigParser ( )
if os . path . exists ( const . SERVICES_CONFIG_PATH ) :
service_config . readfp ( open ( const . SERVICES_CONFIG_PATH ) )
if service_config . has_section ( endpoint ) :
click . echo ( " Section ' %s ' already exists in %s , remove to regenerate " % ( endpoint , const . SERVICES_CONFIG_PATH ) )
2016-03-27 20:38:14 +00:00
else :
2016-09-17 21:00:14 +00:00
service_config . add_section ( endpoint )
service_config . set ( authority , " authority " , server )
service_config . set ( endpoint , " remote " , remote )
service_config . set ( endpoint , " service " , " network-manager/openvpn " )
service_config . write ( open ( " /etc/certidude/services.conf " , " w " ) )
2016-03-27 20:38:14 +00:00
click . echo ( " Section %s added to /etc/certidude/client.conf " % endpoint )
2015-10-17 15:07:26 +00:00
2016-03-29 19:03:27 +00:00
@click.command ( " authority " , help = " Set up Certificate Authority in a directory " )
2015-08-13 08:11:08 +00:00
@click.option ( " --username " , default = " certidude " , help = " Service user account, created if necessary, ' certidude ' by default " )
2016-03-29 19:03:27 +00:00
@click.option ( " --kerberos-keytab " , default = " /etc/certidude/server.keytab " , help = " Kerberos keytab for using ' kerberos ' authentication backend, /etc/certidude/server.keytab by default " )
2015-08-13 08:11:08 +00:00
@click.option ( " --nginx-config " , " -n " ,
2016-03-29 19:03:27 +00:00
default = " /etc/nginx/sites-available/certidude.conf " ,
2015-08-13 08:11:08 +00:00
type = click . File ( mode = " w " , atomic = True , lazy = True ) ,
2016-03-29 19:03:27 +00:00
help = " nginx site config for serving Certidude, /etc/nginx/sites-available/certidude by default " )
2016-09-17 21:00:14 +00:00
@click.option ( " --common-name " , " -cn " , default = const . FQDN , help = " Common name, fully qualified hostname by default " )
2016-03-29 19:03:27 +00:00
@click.option ( " --country " , " -c " , default = None , help = " Country, none by default " )
@click.option ( " --state " , " -s " , default = None , help = " State or country, none by default " )
@click.option ( " --locality " , " -l " , default = None , help = " City or locality, none by default " )
2017-03-13 11:42:58 +00:00
@click.option ( " --authority-lifetime " , default = 20 * 365 , help = " Authority certificate lifetime in days, 20 years by default " )
2016-03-29 19:03:27 +00:00
@click.option ( " --organization " , " -o " , default = None , help = " Company or organization name " )
@click.option ( " --organizational-unit " , " -ou " , default = None )
2017-04-13 20:30:28 +00:00
@click.option ( " --push-server " , help = " Push server, by default http:// %s " % const . FQDN )
2016-09-17 21:00:14 +00:00
@click.option ( " --directory " , help = " Directory for authority files " )
2016-03-29 19:03:27 +00:00
@click.option ( " --server-flags " , is_flag = True , help = " Add TLS Server and IKE Intermediate extended key usage flags " )
2016-09-17 21:00:14 +00:00
@click.option ( " --outbox " , default = " smtp://smtp. %s " % const . DOMAIN , help = " SMTP server, smtp://smtp. %s by default " % const . DOMAIN )
2017-03-13 11:42:58 +00:00
def certidude_setup_authority ( username , kerberos_keytab , nginx_config , country , state , locality , organization , organizational_unit , common_name , directory , authority_lifetime , push_server , outbox , server_flags ) :
2017-05-01 16:20:50 +00:00
if " . " not in common_name :
raise ValueError ( " No FQDN configured on this system! " )
2017-05-01 18:06:47 +00:00
click . echo ( " Using fully qualified hostname: %s " % common_name )
2017-05-01 16:20:50 +00:00
# Install only rarely changing stuff from OS package management
apt ( " python-setproctitle cython python-dev libkrb5-dev libldap2-dev libffi-dev libssl-dev " )
apt ( " python-mimeparse python-markdown python-xattr python-jinja2 python-cffi python-openssl " )
pip ( " gssapi falcon cryptography humanize ipaddress simplepam humanize requests " )
2017-05-01 18:06:47 +00:00
click . echo ( " Software dependencies installed " )
2017-05-01 16:20:50 +00:00
from cryptography import x509
from cryptography . x509 . oid import NameOID , ExtendedKeyUsageOID
from cryptography . hazmat . backends import default_backend
from cryptography . hazmat . primitives import serialization
from cryptography . hazmat . primitives import hashes , serialization
from cryptography . hazmat . primitives . asymmetric import rsa
from jinja2 import Environment , PackageLoader
env = Environment ( loader = PackageLoader ( " certidude " , " templates " ) , trim_blocks = True )
2017-04-20 05:20:10 +00:00
2017-04-22 11:10:54 +00:00
# Generate secret for tokens
token_secret = ' ' . join ( random . choice ( string . letters + string . digits + ' !@#$ % ^&*() ' ) for i in range ( 50 ) )
2017-04-20 05:20:10 +00:00
template_path = os . path . join ( os . path . dirname ( os . path . realpath ( __file__ ) ) , " templates " )
2017-05-01 18:06:47 +00:00
click . echo ( " Using templates from %s " % template_path )
2016-09-17 21:00:14 +00:00
if not directory :
if os . getuid ( ) :
2017-05-01 18:06:47 +00:00
directory = os . path . join ( os . path . expanduser ( " ~/.certidude " ) , common_name )
2016-09-17 21:00:14 +00:00
else :
2017-05-01 18:06:47 +00:00
directory = os . path . join ( " /var/lib/certidude " , common_name )
click . echo ( " Placing authority files in %s " % directory )
2016-09-17 21:00:14 +00:00
2017-03-13 11:42:58 +00:00
certificate_url = " http:// %s /api/certificate/ " % common_name
2017-05-01 18:06:47 +00:00
click . echo ( " Setting CA certificate URL to %s " % certificate_url )
2017-03-13 11:42:58 +00:00
revoked_url = " http:// %s /api/revoked/ " % common_name
2017-05-01 18:06:47 +00:00
click . echo ( " Setting revocation list URL to %s " % revoked_url )
2016-03-29 19:03:27 +00:00
# Expand variables
ca_key = os . path . join ( directory , " ca_key.pem " )
ca_crt = os . path . join ( directory , " ca_crt.pem " )
2016-09-17 21:00:14 +00:00
if os . getuid ( ) == 0 :
try :
pwd . getpwnam ( " certidude " )
2017-05-01 17:56:10 +00:00
click . echo ( " User ' certidude ' already exists " )
2016-09-17 21:00:14 +00:00
except KeyError :
cmd = " adduser " , " --system " , " --no-create-home " , " --group " , " certidude "
if subprocess . call ( cmd ) :
click . echo ( " Failed to create system user ' certidude ' " )
return 255
if os . path . exists ( kerberos_keytab ) :
click . echo ( " Service principal keytab found in ' %s ' " % kerberos_keytab )
else :
click . echo ( " To use ' kerberos ' authentication backend join the domain and create service principal with: " )
click . echo ( )
click . echo ( " KRB5_KTNAME=FILE: %s net ads keytab add HTTP -P " % kerberos_keytab )
click . echo ( " chown %s %s " % ( username , kerberos_keytab ) )
click . echo ( )
2015-08-13 08:11:08 +00:00
2016-09-17 21:00:14 +00:00
if os . path . exists ( " /etc/krb5.keytab " ) and os . path . exists ( " /etc/samba/smb.conf " ) :
# Fetch Kerberos ticket for system account
cp = ConfigParser ( )
cp . read ( " /etc/samba/smb.conf " )
realm = cp . get ( " global " , " realm " )
domain = realm . lower ( )
name = cp . get ( " global " , " netbios name " )
base = " , " . join ( [ " dc= " + j for j in domain . split ( " . " ) ] )
2017-02-07 22:07:21 +00:00
if not os . path . exists ( " /etc/cron.hourly/certidude " ) :
with open ( " /etc/cron.hourly/certidude " , " w " ) as fh :
2017-04-20 05:20:10 +00:00
fh . write ( env . get_template ( " server/cronjob " ) . render ( vars ( ) ) )
2017-02-07 22:07:21 +00:00
os . chmod ( " /etc/cron.hourly/certidude " , 0o755 )
click . echo ( " Created /etc/cron.hourly/certidude for automatic LDAP service ticket renewal, inspect and adjust accordingly " )
2016-09-17 21:00:14 +00:00
os . system ( " /etc/cron.hourly/certidude " )
else :
click . echo ( " Warning: /etc/krb5.keytab or /etc/samba/smb.conf not found, Kerberos unconfigured " )
2015-08-13 08:11:08 +00:00
2017-04-13 20:30:28 +00:00
static_path = os . path . join ( os . path . realpath ( os . path . dirname ( __file__ ) ) , " static " )
2016-09-17 21:00:14 +00:00
certidude_path = sys . argv [ 0 ]
2015-08-13 08:11:08 +00:00
2017-03-13 11:42:58 +00:00
# Push server config generation
2016-09-17 21:00:14 +00:00
if not os . path . exists ( " /etc/nginx " ) :
click . echo ( " Directory /etc/nginx does not exist, hence not creating nginx configuration " )
listen = " 0.0.0.0 "
port = " 80 "
else :
2017-04-13 20:30:28 +00:00
port = " 8080 "
2017-05-01 17:56:10 +00:00
click . echo ( " Generating: %s " % nginx_config . name )
2017-04-20 05:20:10 +00:00
nginx_config . write ( env . get_template ( " server/nginx.conf " ) . render ( vars ( ) ) )
2016-09-17 21:00:14 +00:00
if not os . path . exists ( " /etc/nginx/sites-enabled/certidude.conf " ) :
os . symlink ( " ../sites-available/certidude.conf " , " /etc/nginx/sites-enabled/certidude.conf " )
2017-04-13 20:30:28 +00:00
click . echo ( " Symlinked %s -> /etc/nginx/sites-enabled/ " % nginx_config . name )
2016-09-17 21:00:14 +00:00
if os . path . exists ( " /etc/nginx/sites-enabled/default " ) :
os . unlink ( " /etc/nginx/sites-enabled/default " )
if not push_server :
2017-04-13 20:30:28 +00:00
click . echo ( " Remember to install nchan capable nginx instead of regular nginx! " )
2016-09-17 21:00:14 +00:00
if os . path . exists ( " /etc/systemd " ) :
if os . path . exists ( " /etc/systemd/system/certidude.service " ) :
click . echo ( " File /etc/systemd/system/certidude.service already exists, remove to regenerate " )
else :
with open ( " /etc/systemd/system/certidude.service " , " w " ) as fh :
2017-04-20 05:20:10 +00:00
fh . write ( env . get_template ( " server/systemd.service " ) . render ( vars ( ) ) )
2016-09-17 21:00:14 +00:00
click . echo ( " File /etc/systemd/system/certidude.service created " )
else :
2017-05-01 17:56:10 +00:00
click . echo ( " Not systemd based OS, don ' t know how to set up initscripts " )
2015-08-13 08:11:08 +00:00
2016-09-17 21:00:14 +00:00
_ , _ , uid , gid , gecos , root , shell = pwd . getpwnam ( " certidude " )
os . setgid ( gid )
else :
click . echo ( " Not root, skipping user and system config creation " )
2015-10-26 20:50:10 +00:00
2016-09-17 21:00:14 +00:00
if not os . path . exists ( const . CONFIG_DIR ) :
click . echo ( " Creating %s " % const . CONFIG_DIR )
os . makedirs ( const . CONFIG_DIR )
2015-09-29 12:04:35 +00:00
2016-09-17 21:00:14 +00:00
if os . path . exists ( const . CONFIG_PATH ) :
click . echo ( " Configuration file %s already exists, remove to regenerate " % const . CONFIG_PATH )
2016-03-29 19:03:27 +00:00
else :
os . umask ( 0o137 )
2016-09-17 21:00:14 +00:00
push_token = " " . join ( [ random . choice ( string . ascii_letters + string . digits ) for j in range ( 0 , 32 ) ] )
with open ( const . CONFIG_PATH , " w " ) as fh :
2017-04-20 05:20:10 +00:00
fh . write ( env . get_template ( " server/server.conf " ) . render ( vars ( ) ) )
2016-09-17 21:00:14 +00:00
click . echo ( " Generated %s " % const . CONFIG_PATH )
2016-03-29 19:03:27 +00:00
if os . path . lexists ( directory ) :
2016-09-17 21:00:14 +00:00
click . echo ( " CA directory %s already exists, remove to regenerate " % directory )
else :
click . echo ( " CA configuration files are saved to: {} " . format ( directory ) )
2015-07-26 20:34:46 +00:00
2016-09-17 21:00:14 +00:00
click . echo ( " Generating 4096-bit RSA key... " )
2015-07-26 20:34:46 +00:00
2016-09-17 21:00:14 +00:00
key = rsa . generate_private_key (
public_exponent = 65537 ,
key_size = 4096 ,
backend = default_backend ( )
)
2016-01-10 17:51:54 +00:00
2016-09-17 21:00:14 +00:00
subject = issuer = x509 . Name ( [
x509 . NameAttribute ( o , value ) for o , value in (
( NameOID . COUNTRY_NAME , country ) ,
( NameOID . STATE_OR_PROVINCE_NAME , state ) ,
( NameOID . LOCALITY_NAME , locality ) ,
( NameOID . ORGANIZATION_NAME , organization ) ,
( NameOID . COMMON_NAME , common_name ) ,
) if value
] )
builder = x509 . CertificateBuilder (
) . subject_name ( subject
) . issuer_name ( issuer
) . public_key ( key . public_key ( )
) . not_valid_before ( datetime . utcnow ( )
) . not_valid_after (
datetime . utcnow ( ) + timedelta ( days = authority_lifetime )
2017-03-26 20:44:47 +00:00
) . serial_number (
random . randint (
0x100000000000000000000000000000000000000 ,
0xfffffffffffffffffffffffffffffffffffffff )
2017-02-07 22:07:21 +00:00
) . add_extension ( x509 . BasicConstraints ( ca = True , path_length = 0 ) , critical = True ,
2016-09-17 21:00:14 +00:00
) . add_extension ( x509 . KeyUsage (
2017-02-07 22:07:21 +00:00
digital_signature = server_flags ,
key_encipherment = server_flags ,
2016-09-17 21:00:14 +00:00
content_commitment = False ,
data_encipherment = False ,
key_agreement = False ,
key_cert_sign = True ,
crl_sign = True ,
encipher_only = False ,
decipher_only = False ) , critical = True ,
) . add_extension (
x509 . SubjectKeyIdentifier . from_public_key ( key . public_key ( ) ) ,
critical = False
) . add_extension (
x509 . AuthorityKeyIdentifier . from_issuer_public_key ( key . public_key ( ) ) ,
critical = False
)
if server_flags :
builder = builder . add_extension ( x509 . ExtendedKeyUsage ( [
ExtendedKeyUsageOID . SERVER_AUTH ,
x509 . ObjectIdentifier ( " 1.3.6.1.5.5.8.2.2 " ) ] ) , critical = False )
cert = builder . sign ( key , hashes . SHA512 ( ) , default_backend ( ) )
click . echo ( " Signing %s ... " % cert . subject )
2017-05-01 16:20:50 +00:00
# Create directories with 770 permissions
2016-09-17 21:00:14 +00:00
os . umask ( 0o027 )
if not os . path . exists ( directory ) :
os . makedirs ( directory )
# Create subdirectories with 770 permissions
os . umask ( 0o007 )
2017-05-01 16:20:50 +00:00
for subdir in ( " signed " , " requests " , " revoked " , " expired " , " meta " ) :
2016-09-17 21:00:14 +00:00
if not os . path . exists ( os . path . join ( directory , subdir ) ) :
os . mkdir ( os . path . join ( directory , subdir ) )
2015-07-26 20:34:46 +00:00
2017-05-01 16:20:50 +00:00
# Create SQLite database file with correct permissions
os . umask ( 0o117 )
with open ( os . path . join ( directory , " meta " , " db.sqlite " ) , " wb " ) as fh :
pass
2016-09-17 21:00:14 +00:00
# Set permission bits to 640
os . umask ( 0o137 )
with open ( ca_crt , " wb " ) as fh :
fh . write ( cert . public_bytes ( serialization . Encoding . PEM ) )
# Set permission bits to 600
os . umask ( 0o177 )
with open ( ca_key , " wb " ) as fh :
fh . write ( key . private_bytes (
encoding = serialization . Encoding . PEM ,
format = serialization . PrivateFormat . TraditionalOpenSSL ,
encryption_algorithm = serialization . NoEncryption ( ) # TODO: Implement passphrase
) )
2015-07-26 20:34:46 +00:00
2017-04-24 17:33:55 +00:00
click . echo ( " To enable e-mail notifications install Postfix as sattelite system and set mailer address in %s " % const . CONFIG_PATH )
2015-07-12 19:22:10 +00:00
click . echo ( )
click . echo ( " Use following commands to inspect the newly created files: " )
click . echo ( )
2015-11-15 14:55:26 +00:00
click . echo ( " openssl x509 -text -noout -in %s | less " % ca_crt )
2015-07-26 20:34:46 +00:00
click . echo ( " openssl rsa -check -in %s " % ca_key )
click . echo ( " openssl verify -CAfile %s %s " % ( ca_crt , ca_crt ) )
click . echo ( )
2017-04-24 17:33:55 +00:00
click . echo ( " To enable and start the service: " )
2015-07-12 19:22:10 +00:00
click . echo ( )
2017-04-24 17:33:55 +00:00
click . echo ( " systemctl enable certidude " )
click . echo ( " systemctl start certidude " )
2015-07-26 20:34:46 +00:00
2016-03-31 21:01:58 +00:00
@click.command ( " users " , help = " List users " )
def certidude_users ( ) :
from certidude . user import User
admins = set ( User . objects . filter_admins ( ) )
for user in User . objects . all ( ) :
print " %s ; %s ; %s ; %s ; %s " % (
" admin " if user in admins else " user " ,
user . name , user . given_name , user . surname , user . mail )
2016-09-17 21:00:14 +00:00
2016-03-31 21:01:58 +00:00
2015-07-26 20:34:46 +00:00
@click.command ( " list " , help = " List certificates " )
2015-10-28 08:51:52 +00:00
@click.option ( " --verbose " , " -v " , default = False , is_flag = True , help = " Verbose output " )
2015-07-26 20:34:46 +00:00
@click.option ( " --show-key-type " , " -k " , default = False , is_flag = True , help = " Show key type and length " )
@click.option ( " --show-path " , " -p " , default = False , is_flag = True , help = " Show filesystem paths " )
@click.option ( " --show-extensions " , " -e " , default = False , is_flag = True , help = " Show X.509 Certificate Extensions " )
2015-10-28 08:51:52 +00:00
@click.option ( " --hide-requests " , " -h " , default = False , is_flag = True , help = " Hide signing requests " )
@click.option ( " --show-signed " , " -s " , default = False , is_flag = True , help = " Show signed certificates " )
@click.option ( " --show-revoked " , " -r " , default = False , is_flag = True , help = " Show revoked certificates " )
2015-12-12 22:34:08 +00:00
def certidude_list ( verbose , show_key_type , show_extensions , show_path , show_signed , show_revoked , hide_requests ) :
2015-10-28 08:51:52 +00:00
# Statuses:
# s - submitted
# v - valid
# e - expired
# y - not valid yet
# r - revoked
2017-04-13 20:52:09 +00:00
from humanize import naturaltime
2015-12-16 17:41:49 +00:00
from certidude import authority
2016-09-17 21:00:14 +00:00
2017-03-13 11:42:58 +00:00
def dump_common ( common_name , path , cert ) :
click . echo ( " certidude revoke %s " % common_name )
with open ( path , " rb " ) as fh :
buf = fh . read ( )
click . echo ( " md5sum: %s " % hashlib . md5 ( buf ) . hexdigest ( ) )
click . echo ( " sha1sum: %s " % hashlib . sha1 ( buf ) . hexdigest ( ) )
click . echo ( " sha256sum: %s " % hashlib . sha256 ( buf ) . hexdigest ( ) )
click . echo ( )
for ext in cert . extensions :
print " - " , ext . value
click . echo ( )
2015-10-28 08:51:52 +00:00
2015-12-12 22:34:08 +00:00
if not hide_requests :
2017-03-13 11:42:58 +00:00
for common_name , path , buf , csr , server in authority . list_requests ( ) :
created = 0
2015-12-12 22:34:08 +00:00
if not verbose :
2017-03-13 11:42:58 +00:00
click . echo ( " s " + path )
2015-12-12 22:34:08 +00:00
continue
2017-03-13 11:42:58 +00:00
click . echo ( click . style ( common_name , fg = " blue " ) )
click . echo ( " = " * len ( common_name ) )
click . echo ( " State: ? " + click . style ( " submitted " , fg = " yellow " ) + " " + naturaltime ( created ) + click . style ( " , %s " % created , fg = " white " ) )
click . echo ( " openssl req -in %s -text -noout " % path )
2017-03-28 09:24:51 +00:00
dump_common ( common_name , path , csr )
2017-03-13 11:42:58 +00:00
2015-12-12 22:34:08 +00:00
if show_signed :
2017-03-13 11:42:58 +00:00
for common_name , path , buf , cert , server in authority . list_signed ( ) :
2015-12-12 22:34:08 +00:00
if not verbose :
2017-03-13 11:42:58 +00:00
if cert . not_valid_before < NOW and cert . not_valid_after > NOW :
click . echo ( " v " + path )
elif NOW > cert . not_valid_after :
click . echo ( " e " + path )
2015-10-28 08:51:52 +00:00
else :
2017-03-13 11:42:58 +00:00
click . echo ( " y " + path )
2015-12-12 22:34:08 +00:00
continue
2015-07-12 19:22:10 +00:00
2017-04-12 13:56:29 +00:00
click . echo ( click . style ( common_name , fg = " blue " ) + " " + click . style ( " %x " % cert . serial , fg = " white " ) )
2017-03-13 11:42:58 +00:00
click . echo ( " = " * ( len ( common_name ) + 60 ) )
expires = 0 # TODO
if cert . not_valid_before < NOW and cert . not_valid_after > NOW :
click . echo ( " Status: " + click . style ( " valid " , fg = " green " ) + " until " + naturaltime ( cert . not_valid_after ) + click . style ( " , %s " % cert . not_valid_after , fg = " white " ) )
elif NOW > cert . not_valid_after :
click . echo ( " Status: " + click . style ( " expired " , fg = " red " ) + " " + naturaltime ( expires ) + click . style ( " , %s " % expires , fg = " white " ) )
2015-12-12 22:34:08 +00:00
else :
2017-03-13 11:42:58 +00:00
click . echo ( " Status: " + click . style ( " not valid yet " , fg = " red " ) + click . style ( " , %s " % expires , fg = " white " ) )
2015-12-12 22:34:08 +00:00
click . echo ( )
2017-03-13 11:42:58 +00:00
click . echo ( " openssl x509 -in %s -text -noout " % path )
dump_common ( common_name , path , cert )
2015-12-12 22:34:08 +00:00
if show_revoked :
2017-03-13 11:42:58 +00:00
for common_name , path , buf , cert , server in authority . list_revoked ( ) :
2015-12-12 22:34:08 +00:00
if not verbose :
2017-03-13 11:42:58 +00:00
click . echo ( " r " + path )
2015-12-12 22:34:08 +00:00
continue
2017-03-13 11:42:58 +00:00
click . echo ( click . style ( common_name , fg = " blue " ) + " " + click . style ( " %x " % cert . serial , fg = " white " ) )
click . echo ( " = " * ( len ( common_name ) + 60 ) )
_ , _ , _ , _ , _ , _ , _ , _ , mtime , _ = os . stat ( path )
changed = datetime . fromtimestamp ( mtime )
click . echo ( " Status: " + click . style ( " revoked " , fg = " red " ) + " %s %s " % ( naturaltime ( NOW - changed ) , click . style ( " , %s " % changed , fg = " white " ) ) )
click . echo ( " openssl x509 -in %s -text -noout " % path )
dump_common ( common_name , path , cert )
2015-07-26 20:34:46 +00:00
2015-12-12 22:34:08 +00:00
click . echo ( )
2015-07-12 19:22:10 +00:00
2017-03-13 11:42:58 +00:00
@click.command ( " sign " , help = " Sign certificate " )
2015-07-26 20:34:46 +00:00
@click.argument ( " common_name " )
@click.option ( " --overwrite " , " -o " , default = False , is_flag = True , help = " Revoke valid certificate with same CN " )
2017-03-13 11:42:58 +00:00
def certidude_sign ( common_name , overwrite ) :
from certidude import authority
cert = authority . sign ( common_name , overwrite )
@click.command ( " revoke " , help = " Revoke certificate " )
@click.argument ( " common_name " )
def certidude_revoke ( common_name ) :
from certidude import authority
authority . revoke ( common_name )
2015-07-26 20:34:46 +00:00
2017-03-13 11:42:58 +00:00
@click.command ( " cron " , help = " Run from cron to manage Certidude server " )
def certidude_cron ( ) :
import itertools
from certidude import authority , config
now = datetime . now ( )
for cn , path , buf , cert , server in itertools . chain ( authority . list_signed ( ) , authority . list_revoked ( ) ) :
if cert . not_valid_after < now :
expired_path = os . path . join ( config . EXPIRED_DIR , " %x .pem " % cert . serial )
assert not os . path . exists ( expired_path )
os . rename ( path , expired_path )
click . echo ( " Moved %s to %s " % ( path , expired_path ) )
2016-03-21 21:42:39 +00:00
2016-09-17 21:00:14 +00:00
@click.command ( " serve " , help = " Run server " )
@click.option ( " -p " , " --port " , default = 8080 if os . getuid ( ) else 80 , help = " Listen port " )
2015-07-12 19:22:10 +00:00
@click.option ( " -l " , " --listen " , default = " 0.0.0.0 " , help = " Listen address " )
2017-03-13 15:20:41 +00:00
@click.option ( " -f " , " --fork " , default = False , is_flag = True , help = " Fork to background " )
def certidude_serve ( port , listen , fork ) :
2017-04-13 20:52:09 +00:00
from setproctitle import setproctitle
2016-09-17 21:00:14 +00:00
from certidude . signer import SignServer
from certidude import const
click . echo ( " Using configuration from: %s " % const . CONFIG_PATH )
2017-04-04 05:02:08 +00:00
log_handlers = [ ]
2016-09-17 21:00:14 +00:00
2016-03-21 21:42:39 +00:00
from certidude import config
2016-09-17 21:00:14 +00:00
# Fetch UID, GID of certidude user
2017-01-26 13:11:04 +00:00
if os . getuid ( ) == 0 :
2017-05-01 16:20:50 +00:00
# Process directories
if not os . path . exists ( const . RUN_DIR ) :
click . echo ( " Creating: %s " % const . RUN_DIR )
os . makedirs ( const . RUN_DIR )
2017-01-26 13:11:04 +00:00
import pwd
_ , _ , uid , gid , gecos , root , shell = pwd . getpwnam ( " certidude " )
restricted_groups = [ ]
restricted_groups . append ( gid )
2017-04-04 05:02:08 +00:00
from logging . handlers import RotatingFileHandler
rh = RotatingFileHandler ( " /var/log/certidude.log " , maxBytes = 1048576 * 5 , backupCount = 5 )
rh . setFormatter ( logging . Formatter ( " %(asctime)s - %(name)s - %(levelname)s - %(message)s " ) )
log_handlers . append ( rh )
2016-09-17 21:00:14 +00:00
"""
Spawn signer process
"""
child_pid = os . fork ( )
if child_pid :
pass
else :
click . echo ( " Signer process spawned with PID %d at %s " % ( os . getpid ( ) , const . SIGNER_SOCKET_PATH ) )
setproctitle ( " [signer] " )
with open ( const . SIGNER_PID_PATH , " w " ) as fh :
fh . write ( " %d \n " % os . getpid ( ) )
logging . basicConfig (
filename = const . SIGNER_LOG_PATH ,
level = logging . INFO )
os . umask ( 0o007 )
server = SignServer ( )
# Drop privileges
if not os . getuid ( ) :
os . chown ( const . SIGNER_SOCKET_PATH , uid , gid )
os . chmod ( const . SIGNER_SOCKET_PATH , 0770 )
click . echo ( " Dropping privileges of signer " )
_ , _ , uid , gid , gecos , root , shell = pwd . getpwnam ( " nobody " )
os . setgroups ( [ ] )
os . setgid ( gid )
os . setuid ( uid )
else :
click . echo ( " Not dropping privileges of signer process " )
asyncore . loop ( )
return
2016-03-21 21:42:39 +00:00
click . echo ( " Users subnets: %s " %
" , " . join ( [ str ( j ) for j in config . USER_SUBNETS ] ) )
click . echo ( " Administrative subnets: %s " %
" , " . join ( [ str ( j ) for j in config . ADMIN_SUBNETS ] ) )
click . echo ( " Auto-sign enabled for following subnets: %s " %
" , " . join ( [ str ( j ) for j in config . AUTOSIGN_SUBNETS ] ) )
click . echo ( " Request submissions allowed from following subnets: %s " %
" , " . join ( [ str ( j ) for j in config . REQUEST_SUBNETS ] ) )
2015-07-26 20:34:46 +00:00
logging . basicConfig (
2016-09-17 21:00:14 +00:00
filename = const . SERVER_LOG_PATH ,
2015-07-26 20:34:46 +00:00
level = logging . DEBUG )
2015-07-12 19:22:10 +00:00
click . echo ( " Serving API at %s : %d " % ( listen , port ) )
from wsgiref . simple_server import make_server , WSGIServer
2016-09-17 21:00:14 +00:00
from SocketServer import ThreadingMixIn , ForkingMixIn
2017-04-25 20:32:21 +00:00
from certidude . api import certidude_app
2015-07-12 19:22:10 +00:00
2016-09-17 21:00:14 +00:00
class ThreadingWSGIServer ( ForkingMixIn , WSGIServer ) :
2015-07-12 19:22:10 +00:00
pass
2015-07-27 12:30:50 +00:00
2015-07-12 19:22:10 +00:00
click . echo ( " Listening on %s : %d " % ( listen , port ) )
2015-07-26 20:34:46 +00:00
2017-04-25 21:10:12 +00:00
app = certidude_app ( log_handlers )
2015-07-12 19:22:10 +00:00
httpd = make_server ( listen , port , app , ThreadingWSGIServer )
2015-09-03 09:00:45 +00:00
2016-09-17 21:00:14 +00:00
"""
Drop privileges
"""
2016-03-21 21:42:39 +00:00
2017-05-01 16:20:50 +00:00
# Initialize LDAP service ticket
if os . path . exists ( " /etc/cron.hourly/certidude " ) :
os . system ( " /etc/cron.hourly/certidude " )
2016-02-29 21:06:42 +00:00
2017-05-01 16:20:50 +00:00
# PAM needs access to /etc/shadow
if config . AUTHENTICATION_BACKENDS == { " pam " } :
import grp
name , passwd , num , mem = grp . getgrnam ( " shadow " )
click . echo ( " Adding current user to shadow group due to PAM authentication backend " )
restricted_groups . append ( num )
2016-09-17 21:00:14 +00:00
2017-02-07 22:07:21 +00:00
if config . EVENT_SOURCE_PUBLISH :
from certidude . push import EventSourceLogHandler
log_handlers . append ( EventSourceLogHandler ( ) )
2016-09-17 21:00:14 +00:00
2017-04-04 05:02:08 +00:00
for j in logging . Logger . manager . loggerDict . values ( ) :
if isinstance ( j , logging . Logger ) : # PlaceHolder is what?
if j . name . startswith ( " certidude. " ) :
j . setLevel ( logging . DEBUG )
for handler in log_handlers :
j . addHandler ( handler )
2016-09-17 21:00:14 +00:00
2017-03-13 15:20:41 +00:00
if not fork or not os . fork ( ) :
2017-05-01 16:20:50 +00:00
pid = os . getpid ( )
with open ( const . SERVER_PID_PATH , " w " ) as pidfile :
pidfile . write ( " %d \n " % pid )
def exit_handler ( ) :
logger . debug ( " Shutting down Certidude " )
import atexit
atexit . register ( exit_handler )
logger . debug ( " Started Certidude at %s " , const . FQDN )
# Drop privileges
os . setgroups ( restricted_groups )
os . setgid ( gid )
os . setuid ( uid )
click . echo ( " Switched to user %s (uid= %d , gid= %d ); member of groups %s " %
( " certidude " , os . getuid ( ) , os . getgid ( ) , " , " . join ( [ str ( j ) for j in os . getgroups ( ) ] ) ) )
os . umask ( 0o007 )
2017-03-13 15:20:41 +00:00
httpd . serve_forever ( )
2015-07-12 19:22:10 +00:00
2017-04-07 07:57:25 +00:00
@click.command ( " yubikey " , help = " Set up Yubikey as client authentication token " )
@click.argument ( " authority " )
@click.option ( " -p " , " --pin " , default = " 123456 " , help = " Slot pincode, 123456 by default " )
@click.option ( " -s " , " --slot " , default = " 9a " , help = " Yubikey slot to use, 9a by default " )
@click.option ( " -u " , " --username " , default = os . getenv ( " USER " ) , help = " Username to use, %s by default " % os . getenv ( " USER " ) )
def certidude_setup_yubikey ( authority , slot , username , pin ) :
2017-04-13 20:30:28 +00:00
import requests
2017-04-07 07:57:25 +00:00
cmd = " ykinfo " , " -q " , " -s "
click . echo ( " Executing: %s " % " " . join ( cmd ) )
serial = subprocess . check_output ( cmd ) . strip ( )
dn = " /CN= %s @yk- %s - %s " % ( username , slot , serial )
cmd = " yubico-piv-tool " , " -a " , " generate " , " -s " , slot , " -o " , " /tmp/pk.pem "
click . echo ( " Executing: %s " % " " . join ( cmd ) )
subprocess . call ( cmd )
cmd = " yubico-piv-tool " , \
" -i " , " /tmp/pk.pem " , " -o " , " /tmp/req.pem " , \
" -P " , pin , \
" -S " , dn , \
" -a " , " verify " , " -a " , " request " , \
" -s " , slot
click . echo ( " Executing: %s " % " " . join ( cmd ) )
scheme = " http "
request_url = " %s :// %s /api/request/?wait=true " % ( scheme , authority )
subprocess . check_output ( cmd )
click . echo ( " Submitting to %s , waiting for response... " % request_url )
headers = {
" Content-Type " : " application/pkcs10 " ,
" Accept " : " application/x-x509-user-cert,application/x-pem-file "
}
submission = requests . post ( request_url , data = open ( " /tmp/req.pem " ) , headers = headers )
with open ( " /tmp/cert.pem " , " w " ) as fh :
fh . write ( submission . text )
cmd = " yubico-piv-tool " , " -a " , " import-certificate " , " -s " , slot , " -i " , " /tmp/cert.pem "
click . echo ( " Executing: %s " % " " . join ( cmd ) )
subprocess . call ( cmd )
2017-04-21 16:58:01 +00:00
@click.command ( " test " , help = " Test mailer " )
@click.argument ( " recipient " )
def certidude_test ( recipient ) :
from certidude import mailer
mailer . send (
" test.md " ,
to = recipient
)
2015-08-13 08:11:08 +00:00
@click.group ( " strongswan " , help = " strongSwan helpers " )
def certidude_setup_strongswan ( ) : pass
2015-07-26 20:34:46 +00:00
@click.group ( " openvpn " , help = " OpenVPN helpers " )
def certidude_setup_openvpn ( ) : pass
2015-07-12 19:22:10 +00:00
2015-07-26 20:34:46 +00:00
@click.group ( " setup " , help = " Getting started section " )
def certidude_setup ( ) : pass
2015-07-12 19:22:10 +00:00
@click.group ( )
def entry_point ( ) : pass
2015-08-13 08:11:08 +00:00
certidude_setup_strongswan . add_command ( certidude_setup_strongswan_server )
certidude_setup_strongswan . add_command ( certidude_setup_strongswan_client )
2015-10-17 15:07:26 +00:00
certidude_setup_strongswan . add_command ( certidude_setup_strongswan_networkmanager )
2015-07-26 20:34:46 +00:00
certidude_setup_openvpn . add_command ( certidude_setup_openvpn_server )
certidude_setup_openvpn . add_command ( certidude_setup_openvpn_client )
2016-03-27 20:38:14 +00:00
certidude_setup_openvpn . add_command ( certidude_setup_openvpn_networkmanager )
2015-07-26 20:34:46 +00:00
certidude_setup . add_command ( certidude_setup_authority )
certidude_setup . add_command ( certidude_setup_openvpn )
2015-08-13 08:11:08 +00:00
certidude_setup . add_command ( certidude_setup_strongswan )
2016-03-21 21:42:39 +00:00
certidude_setup . add_command ( certidude_setup_nginx )
2017-04-07 07:57:25 +00:00
certidude_setup . add_command ( certidude_setup_yubikey )
2015-07-26 20:34:46 +00:00
entry_point . add_command ( certidude_setup )
entry_point . add_command ( certidude_serve )
2016-01-15 09:18:27 +00:00
entry_point . add_command ( certidude_request )
2015-07-26 20:34:46 +00:00
entry_point . add_command ( certidude_sign )
2017-03-13 11:42:58 +00:00
entry_point . add_command ( certidude_revoke )
2015-07-26 20:34:46 +00:00
entry_point . add_command ( certidude_list )
2016-03-31 21:01:58 +00:00
entry_point . add_command ( certidude_users )
2017-03-13 11:42:58 +00:00
entry_point . add_command ( certidude_cron )
2017-04-21 16:58:01 +00:00
entry_point . add_command ( certidude_test )
2016-09-17 21:00:14 +00:00
if __name__ == " __main__ " :
entry_point ( )