import configparser
import ipaddress
import os
from certidude import const
from certidude.profile import SignatureProfile
from collections import OrderedDict
from datetime import timedelta
# Options parsed from the server config file are fetched here
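cp = configparser.RawConfigParser()
# ``read_file`` replaces ``readfp``, which is deprecated and was removed in
# Python 3.12; the ``with`` block also closes the file handle that the
# original ``readfp(open(...))`` left open for the lifetime of the process.
with open(const.SERVER_CONFIG_PATH, "r") as _server_config_file:
    cp.read_file(_server_config_file)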
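def _word_set(section, option):
    """Return the space-separated words of a config value as a set.

    Splitting is on single spaces only (``split(" ")``), so tabs or newlines
    inside a value are not separators; empty tokens produced by runs of
    spaces are dropped. Raises the usual configparser errors when the
    section or option is missing.
    """
    return {word for word in cp.get(section, option).split(" ") if word}


def _subnet_set(option):
    """Parse an ``[authorization]`` option into a set of ``ip_network`` objects.

    ``ipaddress.ip_network`` is strict by default: an entry whose host bits
    are set (e.g. ``10.0.0.1/24``) raises ``ValueError`` at import time
    rather than being silently widened to the containing network.
    """
    return {ipaddress.ip_network(word) for word in _word_set("authorization", option)}


# Enabled authentication backends, e.g. kerberos, pam, ldap
AUTHENTICATION_BACKENDS = _word_set("authentication", "backends")
AUTHORIZATION_BACKEND = cp.get("authorization", "backend") # whitelist, ldap, posix
ACCOUNTS_BACKEND = cp.get("accounts", "backend") # posix, ldap
MAIL_SUFFIX = cp.get("accounts", "mail suffix")

# Kerberos and LDAP settings. Note that the LDAP URI used for authentication
# and the one used for account lookups are separate options.
KERBEROS_KEYTAB = cp.get("authentication", "kerberos keytab")
KERBEROS_REALM = cp.get("authentication", "kerberos realm")
LDAP_AUTHENTICATION_URI = cp.get("authentication", "ldap uri")
LDAP_GSSAPI_CRED_CACHE = cp.get("accounts", "ldap gssapi credential cache")
LDAP_ACCOUNTS_URI = cp.get("accounts", "ldap uri")
LDAP_BASE = cp.get("accounts", "ldap base")

# Network sets read from the [authorization] section. Each is a set of
# ip_network objects (an empty option yields an empty set); how a given set
# gates access is decided by its consumers elsewhere in the package.
USER_SUBNETS = _subnet_set("user subnets")
ADMIN_SUBNETS = _subnet_set("admin subnets")
AUTOSIGN_SUBNETS = _subnet_set("autosign subnets")
# REQUEST_SUBNETS always includes the autosign subnets as well.
REQUEST_SUBNETS = _subnet_set("request subnets") | AUTOSIGN_SUBNETS
SCEP_SUBNETS = _subnet_set("scep subnets")
OCSP_SUBNETS = _subnet_set("ocsp subnets")
CRL_SUBNETS = _subnet_set("crl subnets")
RENEWAL_SUBNETS = _subnet_set("renewal subnets")
OVERWRITE_SUBNETS = _subnet_set("overwrite subnets")
MACHINE_ENROLLMENT_SUBNETS = _subnet_set("machine enrollment subnets")
KERBEROS_SUBNETS = _subnet_set("kerberos subnets")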
def _authority_option(option):
    """Fetch ``option`` from the ``[authority]`` section of the server config."""
    return cp.get("authority", option)


# Base directory of the authority's on-disk state. Unlike the paths below it
# is fixed in code rather than read from the config file.
AUTHORITY_DIR = "/var/lib/certidude"

# Paths of the CA private key and certificate, plus the 'self key path' option.
AUTHORITY_PRIVATE_KEY_PATH = _authority_option("private key path")
AUTHORITY_CERTIFICATE_PATH = _authority_option("certificate path")
SELF_KEY_PATH = _authority_option("self key path")

# Directories holding requests and signed, revoked and expired certificates.
REQUESTS_DIR = _authority_option("requests dir")
SIGNED_DIR = _authority_option("signed dir")
# Derived from SIGNED_DIR rather than configured separately.
SIGNED_BY_SERIAL_DIR = os.path.join(SIGNED_DIR, "by-serial")
REVOKED_DIR = _authority_option("revoked dir")
EXPIRED_DIR = _authority_option("expired dir")

# [mailer] name and address (presumably the sender identity of outgoing
# mail; the mail code itself is not visible here).
MAILER_NAME = cp.get("mailer", "name")
MAILER_ADDRESS = cp.get("mailer", "address")

# 'services template' from the [bootstrap] section; rendered elsewhere.
BOOTSTRAP_TEMPLATE = cp.get("bootstrap", "services template")
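# A single 'user enrollment' option under [authority] drives two flags:
# whether users may enroll at all, and whether one user may hold several
# certificates at once. Accepted values are "forbidden", "single allowed"
# and "multiple allowed"; the tuples are (enrollment allowed, multiple allowed).
_USER_ENROLLMENT_POLICIES = {
    "forbidden": (False, False),
    "single allowed": (True, False),
    "multiple allowed": (True, True),
}
_user_enrollment = cp.get("authority", "user enrollment")
if _user_enrollment not in _USER_ENROLLMENT_POLICIES:
    # The plain dict lookup used previously raised a bare KeyError on a typo;
    # a ValueError naming the option and the accepted values is consistent
    # with the LDAP filter validation in this module and is actionable.
    raise ValueError("Unknown 'user enrollment' value %r, expected one of: %s" % (
        _user_enrollment, ", ".join(sorted(_USER_ENROLLMENT_POLICIES))))
USER_ENROLLMENT_ALLOWED, USER_MULTIPLE_CERTIFICATES = _USER_ENROLLMENT_POLICIES[_user_enrollment]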
# 'request submission allowed' boolean from [authority]; enforced elsewhere.
REQUEST_SUBMISSION_ALLOWED = cp.getboolean("authority", "request submission allowed")

# [signature] section: URLs for the CA certificate, the CRL ("revoked url")
# and the OCSP responder ("responder url"), presumably the values placed
# into issued certificates, plus the CRL lifetime (integer; unit not stated
# in this file).
_signature_section = "signature"
AUTHORITY_CERTIFICATE_URL = cp.get(_signature_section, "authority certificate url")
AUTHORITY_CRL_URL = cp.get(_signature_section, "revoked url")
AUTHORITY_OCSP_URL = cp.get(_signature_section, "responder url")
REVOCATION_LIST_LIFETIME = cp.getint(_signature_section, "revocation list lifetime")

# [push] section: event source and long-poll endpoints, plus the event source
# token. All five values are taken verbatim as strings.
_push_section = "push"
EVENT_SOURCE_TOKEN = cp.get(_push_section, "event source token")
EVENT_SOURCE_PUBLISH = cp.get(_push_section, "event source publish")
EVENT_SOURCE_SUBSCRIBE = cp.get(_push_section, "event source subscribe")
LONG_POLL_PUBLISH = cp.get(_push_section, "long poll publish")
LONG_POLL_SUBSCRIBE = cp.get(_push_section, "long poll subscribe")
LOGGING_BACKEND = cp.get("logging", "backend")

# POSIX groups and LDAP filters from [authorization] that distinguish
# ordinary users from admins.
USERS_GROUP = cp.get("authorization", "posix user group")
ADMIN_GROUP = cp.get("authorization", "posix admin group")
LDAP_USER_FILTER = cp.get("authorization", "ldap user filter")
LDAP_ADMIN_FILTER = cp.get("authorization", "ldap admin filter")

# Both LDAP filters are templates whose ``%s`` is filled with the username
# by the lookup code (not visible here). That code has to escape RFC 4515
# filter metacharacters in the username before substituting, otherwise a
# username can change the structure of the filter. A template with no
# placeholder cannot be filled in at all, so refuse to load.
for _filter_option, _filter_template in (
        ("ldap user filter", LDAP_USER_FILTER),
        ("ldap admin filter", LDAP_ADMIN_FILTER)):
    if "%s" not in _filter_template:
        raise ValueError("No placeholder %%s for username in '%s'" % _filter_option)

# Every option under [tagging] is split once on its first "/" and its value
# appended as the last element, e.g. "a/b = c" -> ["a", "b", "c"] (an option
# without a slash yields a two-element list).
TAG_TYPES = []
for _tag_option in cp.options("tagging"):
    TAG_TYPES.append(_tag_option.split("/", 1) + [cp.get("tagging", _tag_option)])
# Tokens
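TOKEN_URL = cp.get("token", "url")
TOKEN_LIFETIME = cp.getint("token", "lifetime") * 60 # Convert minutes to seconds
# Token secret kept as bytes; only ASCII is accepted (a non-ASCII value raises
# UnicodeEncodeError here). How the secret is used is not visible in this
# module, but an empty secret is almost certainly a misconfiguration, so it
# is rejected at startup the same way the LDAP filter templates are.
TOKEN_SECRET = cp.get("token", "secret").encode("ascii")
if not TOKEN_SECRET:
    raise ValueError("Empty 'secret' in [token] section")

# TODO: Check if we don't have base or servers

# The API call for looking up scripts uses following directory as root
SCRIPT_DIR = cp.get("script", "path")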
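from configparser import ConfigParser

# Signature profiles live in a separate config file. ConfigParser (not the
# Raw variant used for the server config) is kept, so "%" interpolation
# applies to profile values. ``read_file`` replaces the deprecated ``readfp``
# and the ``with`` block closes the handle the original left open.
profile_config = ConfigParser()
with open(const.PROFILE_CONFIG_PATH) as _profile_config_file:
    profile_config.read_file(_profile_config_file)

# One SignatureProfile per section, keyed by section name. Arguments are
# positional and must stay in this order: section key, title, ou, ca flag,
# lifetime, key usage, extended key usage, common name.
PROFILES = {
    key: SignatureProfile(
        key,
        profile_config.get(key, "title"),
        profile_config.get(key, "ou"),
        profile_config.getboolean(key, "ca"),
        profile_config.getint(key, "lifetime"),
        profile_config.get(key, "key usage"),
        profile_config.get(key, "extended key usage"),
        profile_config.get(key, "common name"),
    )
    for key in profile_config.sections()
}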
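# Image builder profiles come from a third config file. ``read_file`` replaces
# the deprecated ``readfp``; the ``with`` block closes the handle that the
# original ``readfp(open(...))`` leaked.
cp2 = configparser.RawConfigParser()
with open(const.BUILDER_CONFIG_PATH, "r") as _builder_config_file:
    cp2.read_file(_builder_config_file)
# (section name, title, rename) triples, one per section, in file order.
IMAGE_BUILDER_PROFILES = [(j, cp2.get(j, "title"), cp2.get(j, "rename")) for j in cp2.sections()]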
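# Fixed in code rather than read from the config file; consumers live elsewhere.
TOKEN_OVERWRITE_PERMITTED = True

# [service] protocols, lower-cased. Split on single spaces with empty tokens
# dropped, like the other space-separated lists in this module.
SERVICE_PROTOCOLS = {j.lower() for j in cp.get("service", "protocols").split(" ") if j}
SERVICE_ROUTERS = cp.get("service", "routers")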