certidude/certidude/config.py

import configparser
import ipaddress
import os
from certidude import const
from collections import OrderedDict

# Options that are parsed from config file are fetched here

cp = configparser.RawConfigParser()
cp.readfp(open(const.SERVER_CONFIG_PATH, "r"))

AUTHENTICATION_BACKENDS = set([j for j in
    cp.get("authentication", "backends").split(" ") if j])   # kerberos, pam, ldap
AUTHORIZATION_BACKEND = cp.get("authorization", "backend")  # whitelist, ldap, posix
ACCOUNTS_BACKEND = cp.get("accounts", "backend")             # posix, ldap

KERBEROS_KEYTAB = cp.get("authentication", "kerberos keytab")
LDAP_AUTHENTICATION_URI = cp.get("authentication", "ldap uri")
LDAP_GSSAPI_CRED_CACHE = cp.get("accounts", "ldap gssapi credential cache")
LDAP_ACCOUNTS_URI = cp.get("accounts", "ldap uri")
LDAP_BASE = cp.get("accounts", "ldap base")

USER_SUBNETS = set([ipaddress.ip_network(j) for j in
    cp.get("authorization", "user subnets").split(" ") if j])
ADMIN_SUBNETS = set([ipaddress.ip_network(j) for j in
    cp.get("authorization", "admin subnets").split(" ") if j]).union(USER_SUBNETS)
AUTOSIGN_SUBNETS = set([ipaddress.ip_network(j) for j in
    cp.get("authorization", "autosign subnets").split(" ") if j])
REQUEST_SUBNETS = set([ipaddress.ip_network(j) for j in
    cp.get("authorization", "request subnets").split(" ") if j]).union(AUTOSIGN_SUBNETS)
SCEP_SUBNETS = set([ipaddress.ip_network(j) for j in
    cp.get("authorization", "scep subnets").split(" ") if j])
OCSP_SUBNETS = set([ipaddress.ip_network(j) for j in
    cp.get("authorization", "ocsp subnets").split(" ") if j])
CRL_SUBNETS = set([ipaddress.ip_network(j) for j in
    cp.get("authorization", "crl subnets").split(" ") if j])

AUTHORITY_DIR = "/var/lib/certidude"
AUTHORITY_PRIVATE_KEY_PATH = cp.get("authority", "private key path")
AUTHORITY_CERTIFICATE_PATH = cp.get("authority", "certificate path")
REQUESTS_DIR = cp.get("authority", "requests dir")
SIGNED_DIR = cp.get("authority", "signed dir")
SIGNED_BY_SERIAL_DIR = os.path.join(SIGNED_DIR, "by-serial")
REVOKED_DIR = cp.get("authority", "revoked dir")
EXPIRED_DIR = cp.get("authority", "expired dir")

MAILER_NAME = cp.get("mailer", "name")
MAILER_ADDRESS = cp.get("mailer", "address")

BOOTSTRAP_TEMPLATE = cp.get("bootstrap", "services template")

MACHINE_ENROLLMENT_ALLOWED = {
    "forbidden": False, "allowed": True }[
    cp.get("authority", "machine enrollment")]
USER_ENROLLMENT_ALLOWED = {
    "forbidden": False, "single allowed": True, "multiple allowed": True }[
    cp.get("authority", "user enrollment")]
USER_MULTIPLE_CERTIFICATES = {
    "forbidden": False, "single allowed": False, "multiple allowed": True }[
    cp.get("authority", "user enrollment")]

REQUEST_SUBMISSION_ALLOWED = cp.getboolean("authority", "request submission allowed")
AUTHORITY_CERTIFICATE_URL = cp.get("signature", "authority certificate url")
AUTHORITY_CRL_URL = cp.get("signature", "revoked url")
AUTHORITY_OCSP_URL = cp.get("signature", "responder url")
CERTIFICATE_RENEWAL_ALLOWED = cp.getboolean("signature", "renewal allowed")

REVOCATION_LIST_LIFETIME = cp.getint("signature", "revocation list lifetime")

EVENT_SOURCE_TOKEN = cp.get("push", "event source token")
EVENT_SOURCE_PUBLISH = cp.get("push", "event source publish")
EVENT_SOURCE_SUBSCRIBE = cp.get("push", "event source subscribe")
LONG_POLL_PUBLISH = cp.get("push", "long poll publish")
LONG_POLL_SUBSCRIBE = cp.get("push", "long poll subscribe")

LOGGING_BACKEND = cp.get("logging", "backend")

USERS_GROUP = cp.get("authorization", "posix user group")
ADMIN_GROUP = cp.get("authorization", "posix admin group")
LDAP_USER_FILTER = cp.get("authorization", "ldap user filter")
LDAP_ADMIN_FILTER = cp.get("authorization", "ldap admin filter")
if "%s" not in LDAP_USER_FILTER: raise ValueError("No placeholder %s for username in 'ldap user filter'")
if "%s" not in LDAP_ADMIN_FILTER: raise ValueError("No placeholder %s for username in 'ldap admin filter'")

TAG_TYPES = [j.split("/", 1) + [cp.get("tagging", j)] for j in cp.options("tagging")]

# Tokens
TOKEN_URL = cp.get("token", "url")
TOKEN_LIFETIME = cp.getint("token", "lifetime") * 60 # Convert minutes to seconds
TOKEN_SECRET = cp.get("token", "secret").encode("ascii")

# TODO: Check if we don't have base or servers

# The API call for looking up scripts uses following directory as root
SCRIPT_DIR = cp.get("script", "path")

PROFILES = OrderedDict([[i, [j.strip() for j in cp.get("profile", i).split(",")]] for i in cp.options("profile")])

cp2 = configparser.RawConfigParser()
cp2.readfp(open(const.BUILDER_CONFIG_PATH, "r"))
IMAGE_BUILDER_PROFILES = [(j, cp2.get(j, "title"), cp2.get(j, "rename")) for j in cp2.sections()]
Refactor wrappers Completely remove wrapper class for CA, use certidude.authority module instead. 2015-12-12 22:34:08 +00:00			`import configparser`
			`import ipaddress`
			`import os`
Major refactor * Migrate to Python 3 * Update token generator mechanism * Switch to Bootstrap 4 * Switch from Iconmonstr to Font Awesome icons * Rename default CA common name to "Certidude at ca.example.lan" * Add self-enroll for the TLS server certificates * TLS client auth for lease updating * Compile assets from npm packages to /var/lib/certidude/ca.example.lan/assets 2017-12-30 13:57:48 +00:00			`from certidude import const`
			`from collections import OrderedDict`
Add preliminary Python 2.x support 2016-02-28 20:37:56 +00:00
Refactor codebase * Replace PyOpenSSL with cryptography.io * Rename constants to const * Drop support for uwsgi * Use systemd to launch certidude server * Signer automatically spawned as part of server * Update requirements.txt * Clean up certidude client configuration handling * Add automatic enroll with Kerberos machine cerdentials 2016-09-17 21:00:14 +00:00			`# Options that are parsed from config file are fetched here`

			`cp = configparser.RawConfigParser()`
Integrate LEDE image builder 2018-01-03 22:12:02 +00:00			`cp.readfp(open(const.SERVER_CONFIG_PATH, "r"))`
Refactor wrappers Completely remove wrapper class for CA, use certidude.authority module instead. 2015-12-12 22:34:08 +00:00
Complete overhaul * Switch to Python 2.x due to lack of decent LDAP support in Python 3.x * Add LDAP backend for authentication/authorization * Add PAM backend for authentication * Add getent backend for authorization * Add preliminary CSRF protection * Update icons * Update push server documentation, use nchan from now on * Add P12 bundle generation * Add thin wrapper around Python's SQL connectors * Enable mailing subsystem * Add Kerberos TGT renewal cronjob * Add HTTPS server setup commands for nginx 2016-03-21 21:42:39 +00:00			`AUTHENTICATION_BACKENDS = set([j for j in`
			`cp.get("authentication", "backends").split(" ") if j]) # kerberos, pam, ldap`
			`AUTHORIZATION_BACKEND = cp.get("authorization", "backend") # whitelist, ldap, posix`
			`ACCOUNTS_BACKEND = cp.get("accounts", "backend") # posix, ldap`
Add preliminary PAM authentication backend 2016-02-29 21:06:42 +00:00
Migrate to python-gssapi 2017-04-13 14:33:40 +00:00			`KERBEROS_KEYTAB = cp.get("authentication", "kerberos keytab")`
Refactor LDAP authentication * ldap uri can be specified in /etc/certidude/server.conf now * /etc/ldap/ldap.conf is ignored 2017-01-25 09:43:19 +00:00			`LDAP_AUTHENTICATION_URI = cp.get("authentication", "ldap uri")`
			`LDAP_GSSAPI_CRED_CACHE = cp.get("accounts", "ldap gssapi credential cache")`
			`LDAP_ACCOUNTS_URI = cp.get("accounts", "ldap uri")`
			`LDAP_BASE = cp.get("accounts", "ldap base")`
Move GSSAPI credcache from authorization config section to accounts 2016-03-29 05:45:17 +00:00
Complete overhaul * Switch to Python 2.x due to lack of decent LDAP support in Python 3.x * Add LDAP backend for authentication/authorization * Add PAM backend for authentication * Add getent backend for authorization * Add preliminary CSRF protection * Update icons * Update push server documentation, use nchan from now on * Add P12 bundle generation * Add thin wrapper around Python's SQL connectors * Enable mailing subsystem * Add Kerberos TGT renewal cronjob * Add HTTPS server setup commands for nginx 2016-03-21 21:42:39 +00:00			`USER_SUBNETS = set([ipaddress.ip_network(j) for j in`
			`cp.get("authorization", "user subnets").split(" ") if j])`
			`ADMIN_SUBNETS = set([ipaddress.ip_network(j) for j in`
			`cp.get("authorization", "admin subnets").split(" ") if j]).union(USER_SUBNETS)`
			`AUTOSIGN_SUBNETS = set([ipaddress.ip_network(j) for j in`
			`cp.get("authorization", "autosign subnets").split(" ") if j])`
			`REQUEST_SUBNETS = set([ipaddress.ip_network(j) for j in`
			`cp.get("authorization", "request subnets").split(" ") if j]).union(AUTOSIGN_SUBNETS)`
api: Add preliminary SCEP support 2017-05-18 19:29:49 +00:00			`SCEP_SUBNETS = set([ipaddress.ip_network(j) for j in`
			`cp.get("authorization", "scep subnets").split(" ") if j])`
api: Preliminary OCSP support 2017-05-25 19:20:29 +00:00			`OCSP_SUBNETS = set([ipaddress.ip_network(j) for j in`
			`cp.get("authorization", "ocsp subnets").split(" ") if j])`
tests: Add test for machine attribute updates 2017-07-07 21:07:25 +00:00			`CRL_SUBNETS = set([ipaddress.ip_network(j) for j in`
			`cp.get("authorization", "crl subnets").split(" ") if j])`
Refactor wrappers Completely remove wrapper class for CA, use certidude.authority module instead. 2015-12-12 22:34:08 +00:00
			`AUTHORITY_DIR = "/var/lib/certidude"`
Complete overhaul * Switch to Python 2.x due to lack of decent LDAP support in Python 3.x * Add LDAP backend for authentication/authorization * Add PAM backend for authentication * Add getent backend for authorization * Add preliminary CSRF protection * Update icons * Update push server documentation, use nchan from now on * Add P12 bundle generation * Add thin wrapper around Python's SQL connectors * Enable mailing subsystem * Add Kerberos TGT renewal cronjob * Add HTTPS server setup commands for nginx 2016-03-21 21:42:39 +00:00			`AUTHORITY_PRIVATE_KEY_PATH = cp.get("authority", "private key path")`
			`AUTHORITY_CERTIFICATE_PATH = cp.get("authority", "certificate path")`
			`REQUESTS_DIR = cp.get("authority", "requests dir")`
			`SIGNED_DIR = cp.get("authority", "signed dir")`
api: Preliminary OCSP support 2017-05-25 19:20:29 +00:00			`SIGNED_BY_SERIAL_DIR = os.path.join(SIGNED_DIR, "by-serial")`
Complete overhaul * Switch to Python 2.x due to lack of decent LDAP support in Python 3.x * Add LDAP backend for authentication/authorization * Add PAM backend for authentication * Add getent backend for authorization * Add preliminary CSRF protection * Update icons * Update push server documentation, use nchan from now on * Add P12 bundle generation * Add thin wrapper around Python's SQL connectors * Enable mailing subsystem * Add Kerberos TGT renewal cronjob * Add HTTPS server setup commands for nginx 2016-03-21 21:42:39 +00:00			`REVOKED_DIR = cp.get("authority", "revoked dir")`
Refactor * Remove PyOpenSSL based wrapper classes * Remove unused API calls * Add certificate renewal via X-Renewal-Signature header * Remove (extended) key usage handling * Clean up OpenVPN and nginx server setup code * Use UDP port 51900 for OpenVPN by default * Add basic auth fallback for iOS in addition to Android * Reduce complexity 2017-03-13 11:42:58 +00:00			`EXPIRED_DIR = cp.get("authority", "expired dir")`
Refactor * Remove given name and surname attributes because of issues with OpenVPN Connect * Remove e-mail attribute because of no reliable method of deriving usable address * Remove organizational unit attribute * Don't overwrite Kerberos cronjob during certidude setup authority * Enforce path_length=0 for disabling intermediate CA-s * Remove SAN attributes * Add configuration options for outbox sender name and address * Use common name attribute to derive signature flags * Use distinct pub/sub URL-s for long poll and event source 2017-02-07 22:07:21 +00:00
Use local MTA for sending e-mail 2017-04-21 16:58:01 +00:00			`MAILER_NAME = cp.get("mailer", "name")`
			`MAILER_ADDRESS = cp.get("mailer", "address")`
Add preliminary support for logging Current logging mechanism makes use of Python's logging module. MySQL logging handler inserts log entries to MySQL server and another logging handler is used to stream events to web interface via nginx streaming push. 2015-12-13 15:11:22 +00:00
Add preliminary bootstrap API call 2017-04-12 13:21:49 +00:00			`BOOTSTRAP_TEMPLATE = cp.get("bootstrap", "services template")`
Add OpenVPN bundle generation 2017-01-25 11:34:08 +00:00
Refactor * Remove PyOpenSSL based wrapper classes * Remove unused API calls * Add certificate renewal via X-Renewal-Signature header * Remove (extended) key usage handling * Clean up OpenVPN and nginx server setup code * Use UDP port 51900 for OpenVPN by default * Add basic auth fallback for iOS in addition to Android * Reduce complexity 2017-03-13 11:42:58 +00:00			`MACHINE_ENROLLMENT_ALLOWED = {`
			`"forbidden": False, "allowed": True }[`
			`cp.get("authority", "machine enrollment")]`
			`USER_ENROLLMENT_ALLOWED = {`
Make user certificate enrollment configurable 2016-03-31 22:55:51 +00:00			`"forbidden": False, "single allowed": True, "multiple allowed": True }[`
Refactor * Remove PyOpenSSL based wrapper classes * Remove unused API calls * Add certificate renewal via X-Renewal-Signature header * Remove (extended) key usage handling * Clean up OpenVPN and nginx server setup code * Use UDP port 51900 for OpenVPN by default * Add basic auth fallback for iOS in addition to Android * Reduce complexity 2017-03-13 11:42:58 +00:00			`cp.get("authority", "user enrollment")]`
Make user certificate enrollment configurable 2016-03-31 22:55:51 +00:00			`USER_MULTIPLE_CERTIFICATES = {`
			`"forbidden": False, "single allowed": False, "multiple allowed": True }[`
Refactor * Remove PyOpenSSL based wrapper classes * Remove unused API calls * Add certificate renewal via X-Renewal-Signature header * Remove (extended) key usage handling * Clean up OpenVPN and nginx server setup code * Use UDP port 51900 for OpenVPN by default * Add basic auth fallback for iOS in addition to Android * Reduce complexity 2017-03-13 11:42:58 +00:00			`cp.get("authority", "user enrollment")]`
Fix CRL distriution points and add authority information access extensions 2016-03-29 09:29:15 +00:00
Refactor * Remove PyOpenSSL based wrapper classes * Remove unused API calls * Add certificate renewal via X-Renewal-Signature header * Remove (extended) key usage handling * Clean up OpenVPN and nginx server setup code * Use UDP port 51900 for OpenVPN by default * Add basic auth fallback for iOS in addition to Android * Reduce complexity 2017-03-13 11:42:58 +00:00			`REQUEST_SUBMISSION_ALLOWED = cp.getboolean("authority", "request submission allowed")`
			`AUTHORITY_CERTIFICATE_URL = cp.get("signature", "authority certificate url")`
Embed OCSP responder URL in certificate 2017-07-08 12:08:39 +00:00			`AUTHORITY_CRL_URL = cp.get("signature", "revoked url")`
			`AUTHORITY_OCSP_URL = cp.get("signature", "responder url")`
Refactor * Remove PyOpenSSL based wrapper classes * Remove unused API calls * Add certificate renewal via X-Renewal-Signature header * Remove (extended) key usage handling * Clean up OpenVPN and nginx server setup code * Use UDP port 51900 for OpenVPN by default * Add basic auth fallback for iOS in addition to Android * Reduce complexity 2017-03-13 11:42:58 +00:00			`CERTIFICATE_RENEWAL_ALLOWED = cp.getboolean("signature", "renewal allowed")`
Refactor wrappers Completely remove wrapper class for CA, use certidude.authority module instead. 2015-12-12 22:34:08 +00:00
Refactor codebase * Replace PyOpenSSL with cryptography.io * Rename constants to const * Drop support for uwsgi * Use systemd to launch certidude server * Signer automatically spawned as part of server * Update requirements.txt * Clean up certidude client configuration handling * Add automatic enroll with Kerberos machine cerdentials 2016-09-17 21:00:14 +00:00			`REVOCATION_LIST_LIFETIME = cp.getint("signature", "revocation list lifetime")`
Refactor wrappers Completely remove wrapper class for CA, use certidude.authority module instead. 2015-12-12 22:34:08 +00:00
Refactor * Remove given name and surname attributes because of issues with OpenVPN Connect * Remove e-mail attribute because of no reliable method of deriving usable address * Remove organizational unit attribute * Don't overwrite Kerberos cronjob during certidude setup authority * Enforce path_length=0 for disabling intermediate CA-s * Remove SAN attributes * Add configuration options for outbox sender name and address * Use common name attribute to derive signature flags * Use distinct pub/sub URL-s for long poll and event source 2017-02-07 22:07:21 +00:00			`EVENT_SOURCE_TOKEN = cp.get("push", "event source token")`
			`EVENT_SOURCE_PUBLISH = cp.get("push", "event source publish")`
			`EVENT_SOURCE_SUBSCRIBE = cp.get("push", "event source subscribe")`
			`LONG_POLL_PUBLISH = cp.get("push", "long poll publish")`
			`LONG_POLL_SUBSCRIBE = cp.get("push", "long poll subscribe")`
Refactor wrappers Completely remove wrapper class for CA, use certidude.authority module instead. 2015-12-12 22:34:08 +00:00
Complete overhaul * Switch to Python 2.x due to lack of decent LDAP support in Python 3.x * Add LDAP backend for authentication/authorization * Add PAM backend for authentication * Add getent backend for authorization * Add preliminary CSRF protection * Update icons * Update push server documentation, use nchan from now on * Add P12 bundle generation * Add thin wrapper around Python's SQL connectors * Enable mailing subsystem * Add Kerberos TGT renewal cronjob * Add HTTPS server setup commands for nginx 2016-03-21 21:42:39 +00:00			`LOGGING_BACKEND = cp.get("logging", "backend")`

tests: Preliminary tests for Kerberos/LDAP auth 2017-05-07 19:11:24 +00:00			`USERS_GROUP = cp.get("authorization", "posix user group")`
			`ADMIN_GROUP = cp.get("authorization", "posix admin group")`
			`LDAP_USER_FILTER = cp.get("authorization", "ldap user filter")`
			`LDAP_ADMIN_FILTER = cp.get("authorization", "ldap admin filter")`
			`if "%s" not in LDAP_USER_FILTER: raise ValueError("No placeholder %s for username in 'ldap user filter'")`
			`if "%s" not in LDAP_ADMIN_FILTER: raise ValueError("No placeholder %s for username in 'ldap admin filter'")`
Complete overhaul * Switch to Python 2.x due to lack of decent LDAP support in Python 3.x * Add LDAP backend for authentication/authorization * Add PAM backend for authentication * Add getent backend for authorization * Add preliminary CSRF protection * Update icons * Update push server documentation, use nchan from now on * Add P12 bundle generation * Add thin wrapper around Python's SQL connectors * Enable mailing subsystem * Add Kerberos TGT renewal cronjob * Add HTTPS server setup commands for nginx 2016-03-21 21:42:39 +00:00
Correct configuration file tagging section name 2017-03-26 10:12:08 +00:00			`TAG_TYPES = [j.split("/", 1) + [cp.get("tagging", j)] for j in cp.options("tagging")]`
Move leases and tagging backend to filesystem extended attributes 2017-03-26 00:10:09 +00:00
Add token based auth for profiles 2017-04-21 21:22:08 +00:00			`# Tokens`
			`TOKEN_URL = cp.get("token", "url")`
Token mechanism fixes 2017-04-24 17:33:55 +00:00			`TOKEN_LIFETIME = cp.getint("token", "lifetime") * 60 # Convert minutes to seconds`
Major refactor * Migrate to Python 3 * Update token generator mechanism * Switch to Bootstrap 4 * Switch from Iconmonstr to Font Awesome icons * Rename default CA common name to "Certidude at ca.example.lan" * Add self-enroll for the TLS server certificates * TLS client auth for lease updating * Compile assets from npm packages to /var/lib/certidude/ca.example.lan/assets 2017-12-30 13:57:48 +00:00			`TOKEN_SECRET = cp.get("token", "secret").encode("ascii")`
Add token based auth for profiles 2017-04-21 21:22:08 +00:00
Refactor users, add OpenVPN and mailing support * Add abstraction for user objects * Mail authority admins about pending, revoked and signed certificates * Add NetworkManager's OpenVPN plugin support * Improve CRL support * Refactor CSRF protection * Update documentation 2016-03-27 20:38:14 +00:00			`# TODO: Check if we don't have base or servers`
Add API call for rendering scripts, bugfixes 2017-05-04 17:56:53 +00:00
			`# The API call for looking up scripts uses following directory as root`
Integrate LEDE image builder 2018-01-03 22:12:02 +00:00			`SCRIPT_DIR = cp.get("script", "path")`
Major refactor * Migrate to Python 3 * Update token generator mechanism * Switch to Bootstrap 4 * Switch from Iconmonstr to Font Awesome icons * Rename default CA common name to "Certidude at ca.example.lan" * Add self-enroll for the TLS server certificates * TLS client auth for lease updating * Compile assets from npm packages to /var/lib/certidude/ca.example.lan/assets 2017-12-30 13:57:48 +00:00
			`PROFILES = OrderedDict([[i, [j.strip() for j in cp.get("profile", i).split(",")]] for i in cp.options("profile")])`
Integrate LEDE image builder 2018-01-03 22:12:02 +00:00
			`cp2 = configparser.RawConfigParser()`
			`cp2.readfp(open(const.BUILDER_CONFIG_PATH, "r"))`
			`IMAGE_BUILDER_PROFILES = [(j, cp2.get(j, "title"), cp2.get(j, "rename")) for j in cp2.sections()]`