lauri
/
certidude
mirror of https://github.com/laurivosandi/certidude
1
0
Fork 0
Code Issues Activity
certidude/certidude/config.py

127 lines
5.6 KiB
Python
Raw Normal View History

Refactor wrappers Completely remove wrapper class for CA, use certidude.authority module instead.
2015-12-12 22:34:08 +00:00
import configparser
import ipaddress
import os
Major refactor * Migrate to Python 3 * Update token generator mechanism * Switch to Bootstrap 4 * Switch from Iconmonstr to Font Awesome icons * Rename default CA common name to "Certidude at ca.example.lan" * Add self-enroll for the TLS server certificates * TLS client auth for lease updating * Compile assets from npm packages to /var/lib/certidude/ca.example.lan/assets
2017-12-30 13:57:48 +00:00
from certidude import const
Migrate signature profiles to separate config file
2018-04-16 12:13:31 +00:00
from certidude.profile import SignatureProfile
Major refactor * Migrate to Python 3 * Update token generator mechanism * Switch to Bootstrap 4 * Switch from Iconmonstr to Font Awesome icons * Rename default CA common name to "Certidude at ca.example.lan" * Add self-enroll for the TLS server certificates * TLS client auth for lease updating * Compile assets from npm packages to /var/lib/certidude/ca.example.lan/assets
2017-12-30 13:57:48 +00:00
from collections import OrderedDict
Migrate signature profiles to separate config file
2018-04-16 12:13:31 +00:00
from datetime import timedelta
Add preliminary Python 2.x support
2016-02-28 20:37:56 +00:00
Refactor codebase * Replace PyOpenSSL with cryptography.io * Rename constants to const * Drop support for uwsgi * Use systemd to launch certidude server * Signer automatically spawned as part of server * Update requirements.txt * Clean up certidude client configuration handling * Add automatic enroll with Kerberos machine cerdentials
2016-09-17 21:00:14 +00:00
# Options that are parsed from config file are fetched here
cp = configparser.RawConfigParser()
Integrate LEDE image builder
2018-01-03 22:12:02 +00:00
cp.readfp(open(const.SERVER_CONFIG_PATH, "r"))
Refactor wrappers Completely remove wrapper class for CA, use certidude.authority module instead.
2015-12-12 22:34:08 +00:00
Complete overhaul * Switch to Python 2.x due to lack of decent LDAP support in Python 3.x * Add LDAP backend for authentication/authorization * Add PAM backend for authentication * Add getent backend for authorization * Add preliminary CSRF protection * Update icons * Update push server documentation, use nchan from now on * Add P12 bundle generation * Add thin wrapper around Python's SQL connectors * Enable mailing subsystem * Add Kerberos TGT renewal cronjob * Add HTTPS server setup commands for nginx
2016-03-21 21:42:39 +00:00
AUTHENTICATION_BACKENDS = set([j for j in
cp.get("authentication", "backends").split(" ") if j]) # kerberos, pam, ldap
AUTHORIZATION_BACKEND = cp.get("authorization", "backend") # whitelist, ldap, posix
ACCOUNTS_BACKEND = cp.get("accounts", "backend") # posix, ldap
config: Add 'mail suffix' for POSIX accounts to derive e-mail
2018-04-10 09:28:47 +00:00
MAIL_SUFFIX = cp.get("accounts", "mail suffix")
Add preliminary PAM authentication backend
2016-02-29 21:06:42 +00:00
Migrate to python-gssapi
2017-04-13 14:33:40 +00:00
KERBEROS_KEYTAB = cp.get("authentication", "kerberos keytab")
Several updates * Subnets configuration option for Kerberos machine enrollment * Configurable script snippets via [service] configuration section * Preliminary revocation reason support * Improved signature profile support * Add domain components to DN to distinguish certificate CN's namespace * Image builder improvements, add Elliptic Curve support * Added GetCACaps operation and more digest algorithms for SCEP * Generate certificate and CRL serial from timestamp (64+32bits) and random bytes (56bits) * Move client storage pool to /etc/certidude/authority/ * Cleanups & bugfixes
2018-04-27 07:48:15 +00:00
KERBEROS_REALM = cp.get("authentication", "kerberos realm")
Refactor LDAP authentication * ldap uri can be specified in /etc/certidude/server.conf now * /etc/ldap/ldap.conf is ignored
2017-01-25 09:43:19 +00:00
LDAP_AUTHENTICATION_URI = cp.get("authentication", "ldap uri")
LDAP_GSSAPI_CRED_CACHE = cp.get("accounts", "ldap gssapi credential cache")
LDAP_ACCOUNTS_URI = cp.get("accounts", "ldap uri")
LDAP_BASE = cp.get("accounts", "ldap base")
Move GSSAPI credcache from authorization config section to accounts
2016-03-29 05:45:17 +00:00
Complete overhaul * Switch to Python 2.x due to lack of decent LDAP support in Python 3.x * Add LDAP backend for authentication/authorization * Add PAM backend for authentication * Add getent backend for authorization * Add preliminary CSRF protection * Update icons * Update push server documentation, use nchan from now on * Add P12 bundle generation * Add thin wrapper around Python's SQL connectors * Enable mailing subsystem * Add Kerberos TGT renewal cronjob * Add HTTPS server setup commands for nginx
2016-03-21 21:42:39 +00:00
USER_SUBNETS = set([ipaddress.ip_network(j) for j in
cp.get("authorization", "user subnets").split(" ") if j])
ADMIN_SUBNETS = set([ipaddress.ip_network(j) for j in
Several updates #2 * Reverse RDN components for all certs * Less side effects in unittests * Split help dialog shell snippets into separate files * Restore 'admin subnets' config option * Embedded subnets, IKE and ESP proposals now configurable in builder.conf * Use expr instead of bc for math operations in shell * Better frontend support for Let's Encrypt certificates
2018-05-02 08:11:01 +00:00
cp.get("authorization", "admin subnets").split(" ") if j])
Complete overhaul * Switch to Python 2.x due to lack of decent LDAP support in Python 3.x * Add LDAP backend for authentication/authorization * Add PAM backend for authentication * Add getent backend for authorization * Add preliminary CSRF protection * Update icons * Update push server documentation, use nchan from now on * Add P12 bundle generation * Add thin wrapper around Python's SQL connectors * Enable mailing subsystem * Add Kerberos TGT renewal cronjob * Add HTTPS server setup commands for nginx
2016-03-21 21:42:39 +00:00
AUTOSIGN_SUBNETS = set([ipaddress.ip_network(j) for j in
cp.get("authorization", "autosign subnets").split(" ") if j])
REQUEST_SUBNETS = set([ipaddress.ip_network(j) for j in
cp.get("authorization", "request subnets").split(" ") if j]).union(AUTOSIGN_SUBNETS)
api: Add preliminary SCEP support
2017-05-18 19:29:49 +00:00
SCEP_SUBNETS = set([ipaddress.ip_network(j) for j in
cp.get("authorization", "scep subnets").split(" ") if j])
api: Preliminary OCSP support
2017-05-25 19:20:29 +00:00
OCSP_SUBNETS = set([ipaddress.ip_network(j) for j in
cp.get("authorization", "ocsp subnets").split(" ") if j])
tests: Add test for machine attribute updates
2017-07-07 21:07:25 +00:00
CRL_SUBNETS = set([ipaddress.ip_network(j) for j in
cp.get("authorization", "crl subnets").split(" ") if j])
Migrate renewal to mutually authenticated TLS connection
2018-04-15 19:27:22 +00:00
RENEWAL_SUBNETS = set([ipaddress.ip_network(j) for j in
cp.get("authorization", "renewal subnets").split(" ") if j])
Several updates * Subnets configuration option for Kerberos machine enrollment * Configurable script snippets via [service] configuration section * Preliminary revocation reason support * Improved signature profile support * Add domain components to DN to distinguish certificate CN's namespace * Image builder improvements, add Elliptic Curve support * Added GetCACaps operation and more digest algorithms for SCEP * Generate certificate and CRL serial from timestamp (64+32bits) and random bytes (56bits) * Move client storage pool to /etc/certidude/authority/ * Cleanups & bugfixes
2018-04-27 07:48:15 +00:00
OVERWRITE_SUBNETS = set([ipaddress.ip_network(j) for j in
cp.get("authorization", "overwrite subnets").split(" ") if j])
MACHINE_ENROLLMENT_SUBNETS = set([ipaddress.ip_network(j) for j in
cp.get("authorization", "machine enrollment subnets").split(" ") if j])
Several updates #3 * Move SessionResource and CertificateAuthorityResource to api/session.py * Log browser user agent for logins * Remove static sink from backend, nginx always serves static now * Don't emit 'attribute-update' event if no attributes were changed * Better CN extraction from DN during lease update * Log user who deleted request * Remove long polling CRL fetch API call and relevant test * Merge auth decorators ldap_authenticate, kerberos_authenticate, pam_authenticate * Add 'kerberos subnets' to distinguish authentication method * Add 'admin subnets' to filter traffic to administrative API calls * Highlight recent log events * Links to switch between 2, 3 and 4 column layouts in the dashboard * Restored certidude client snippets in request dialog * Various bugfixes, improved log messages
2018-05-04 08:54:55 +00:00
KERBEROS_SUBNETS = set([ipaddress.ip_network(j) for j in
cp.get("authorization", "kerberos subnets").split(" ") if j])
Refactor wrappers Completely remove wrapper class for CA, use certidude.authority module instead.
2015-12-12 22:34:08 +00:00
AUTHORITY_DIR = "/var/lib/certidude"
Complete overhaul * Switch to Python 2.x due to lack of decent LDAP support in Python 3.x * Add LDAP backend for authentication/authorization * Add PAM backend for authentication * Add getent backend for authorization * Add preliminary CSRF protection * Update icons * Update push server documentation, use nchan from now on * Add P12 bundle generation * Add thin wrapper around Python's SQL connectors * Enable mailing subsystem * Add Kerberos TGT renewal cronjob * Add HTTPS server setup commands for nginx
2016-03-21 21:42:39 +00:00
AUTHORITY_PRIVATE_KEY_PATH = cp.get("authority", "private key path")
AUTHORITY_CERTIFICATE_PATH = cp.get("authority", "certificate path")
REQUESTS_DIR = cp.get("authority", "requests dir")
SIGNED_DIR = cp.get("authority", "signed dir")
api: Preliminary OCSP support
2017-05-25 19:20:29 +00:00
SIGNED_BY_SERIAL_DIR = os.path.join(SIGNED_DIR, "by-serial")
Complete overhaul * Switch to Python 2.x due to lack of decent LDAP support in Python 3.x * Add LDAP backend for authentication/authorization * Add PAM backend for authentication * Add getent backend for authorization * Add preliminary CSRF protection * Update icons * Update push server documentation, use nchan from now on * Add P12 bundle generation * Add thin wrapper around Python's SQL connectors * Enable mailing subsystem * Add Kerberos TGT renewal cronjob * Add HTTPS server setup commands for nginx
2016-03-21 21:42:39 +00:00
REVOKED_DIR = cp.get("authority", "revoked dir")
Refactor * Remove PyOpenSSL based wrapper classes * Remove unused API calls * Add certificate renewal via X-Renewal-Signature header * Remove (extended) key usage handling * Clean up OpenVPN and nginx server setup code * Use UDP port 51900 for OpenVPN by default * Add basic auth fallback for iOS in addition to Android * Reduce complexity
2017-03-13 11:42:58 +00:00
EXPIRED_DIR = cp.get("authority", "expired dir")
Refactor * Remove given name and surname attributes because of issues with OpenVPN Connect * Remove e-mail attribute because of no reliable method of deriving usable address * Remove organizational unit attribute * Don't overwrite Kerberos cronjob during certidude setup authority * Enforce path_length=0 for disabling intermediate CA-s * Remove SAN attributes * Add configuration options for outbox sender name and address * Use common name attribute to derive signature flags * Use distinct pub/sub URL-s for long poll and event source
2017-02-07 22:07:21 +00:00
Use local MTA for sending e-mail
2017-04-21 16:58:01 +00:00
MAILER_NAME = cp.get("mailer", "name")
MAILER_ADDRESS = cp.get("mailer", "address")
Add preliminary support for logging Current logging mechanism makes use of Python's logging module. MySQL logging handler inserts log entries to MySQL server and another logging handler is used to stream events to web interface via nginx streaming push.
2015-12-13 15:11:22 +00:00
Add preliminary bootstrap API call
2017-04-12 13:21:49 +00:00
BOOTSTRAP_TEMPLATE = cp.get("bootstrap", "services template")
Add OpenVPN bundle generation
2017-01-25 11:34:08 +00:00
Refactor * Remove PyOpenSSL based wrapper classes * Remove unused API calls * Add certificate renewal via X-Renewal-Signature header * Remove (extended) key usage handling * Clean up OpenVPN and nginx server setup code * Use UDP port 51900 for OpenVPN by default * Add basic auth fallback for iOS in addition to Android * Reduce complexity
2017-03-13 11:42:58 +00:00
USER_ENROLLMENT_ALLOWED = {
Make user certificate enrollment configurable
2016-03-31 22:55:51 +00:00
"forbidden": False, "single allowed": True, "multiple allowed": True }[
Refactor * Remove PyOpenSSL based wrapper classes * Remove unused API calls * Add certificate renewal via X-Renewal-Signature header * Remove (extended) key usage handling * Clean up OpenVPN and nginx server setup code * Use UDP port 51900 for OpenVPN by default * Add basic auth fallback for iOS in addition to Android * Reduce complexity
2017-03-13 11:42:58 +00:00
cp.get("authority", "user enrollment")]
Make user certificate enrollment configurable
2016-03-31 22:55:51 +00:00
USER_MULTIPLE_CERTIFICATES = {
"forbidden": False, "single allowed": False, "multiple allowed": True }[
Refactor * Remove PyOpenSSL based wrapper classes * Remove unused API calls * Add certificate renewal via X-Renewal-Signature header * Remove (extended) key usage handling * Clean up OpenVPN and nginx server setup code * Use UDP port 51900 for OpenVPN by default * Add basic auth fallback for iOS in addition to Android * Reduce complexity
2017-03-13 11:42:58 +00:00
cp.get("authority", "user enrollment")]
Fix CRL distriution points and add authority information access extensions
2016-03-29 09:29:15 +00:00
Refactor * Remove PyOpenSSL based wrapper classes * Remove unused API calls * Add certificate renewal via X-Renewal-Signature header * Remove (extended) key usage handling * Clean up OpenVPN and nginx server setup code * Use UDP port 51900 for OpenVPN by default * Add basic auth fallback for iOS in addition to Android * Reduce complexity
2017-03-13 11:42:58 +00:00
REQUEST_SUBMISSION_ALLOWED = cp.getboolean("authority", "request submission allowed")
AUTHORITY_CERTIFICATE_URL = cp.get("signature", "authority certificate url")
Embed OCSP responder URL in certificate
2017-07-08 12:08:39 +00:00
AUTHORITY_CRL_URL = cp.get("signature", "revoked url")
AUTHORITY_OCSP_URL = cp.get("signature", "responder url")
Refactor wrappers Completely remove wrapper class for CA, use certidude.authority module instead.
2015-12-12 22:34:08 +00:00
Refactor codebase * Replace PyOpenSSL with cryptography.io * Rename constants to const * Drop support for uwsgi * Use systemd to launch certidude server * Signer automatically spawned as part of server * Update requirements.txt * Clean up certidude client configuration handling * Add automatic enroll with Kerberos machine cerdentials
2016-09-17 21:00:14 +00:00
REVOCATION_LIST_LIFETIME = cp.getint("signature", "revocation list lifetime")
Refactor wrappers Completely remove wrapper class for CA, use certidude.authority module instead.
2015-12-12 22:34:08 +00:00
Refactor * Remove given name and surname attributes because of issues with OpenVPN Connect * Remove e-mail attribute because of no reliable method of deriving usable address * Remove organizational unit attribute * Don't overwrite Kerberos cronjob during certidude setup authority * Enforce path_length=0 for disabling intermediate CA-s * Remove SAN attributes * Add configuration options for outbox sender name and address * Use common name attribute to derive signature flags * Use distinct pub/sub URL-s for long poll and event source
2017-02-07 22:07:21 +00:00
EVENT_SOURCE_TOKEN = cp.get("push", "event source token")
EVENT_SOURCE_PUBLISH = cp.get("push", "event source publish")
EVENT_SOURCE_SUBSCRIBE = cp.get("push", "event source subscribe")
LONG_POLL_PUBLISH = cp.get("push", "long poll publish")
LONG_POLL_SUBSCRIBE = cp.get("push", "long poll subscribe")
Refactor wrappers Completely remove wrapper class for CA, use certidude.authority module instead.
2015-12-12 22:34:08 +00:00
Complete overhaul * Switch to Python 2.x due to lack of decent LDAP support in Python 3.x * Add LDAP backend for authentication/authorization * Add PAM backend for authentication * Add getent backend for authorization * Add preliminary CSRF protection * Update icons * Update push server documentation, use nchan from now on * Add P12 bundle generation * Add thin wrapper around Python's SQL connectors * Enable mailing subsystem * Add Kerberos TGT renewal cronjob * Add HTTPS server setup commands for nginx
2016-03-21 21:42:39 +00:00
LOGGING_BACKEND = cp.get("logging", "backend")
tests: Preliminary tests for Kerberos/LDAP auth
2017-05-07 19:11:24 +00:00
USERS_GROUP = cp.get("authorization", "posix user group")
ADMIN_GROUP = cp.get("authorization", "posix admin group")
LDAP_USER_FILTER = cp.get("authorization", "ldap user filter")
LDAP_ADMIN_FILTER = cp.get("authorization", "ldap admin filter")
if "%s" not in LDAP_USER_FILTER: raise ValueError("No placeholder %s for username in 'ldap user filter'")
if "%s" not in LDAP_ADMIN_FILTER: raise ValueError("No placeholder %s for username in 'ldap admin filter'")
Complete overhaul * Switch to Python 2.x due to lack of decent LDAP support in Python 3.x * Add LDAP backend for authentication/authorization * Add PAM backend for authentication * Add getent backend for authorization * Add preliminary CSRF protection * Update icons * Update push server documentation, use nchan from now on * Add P12 bundle generation * Add thin wrapper around Python's SQL connectors * Enable mailing subsystem * Add Kerberos TGT renewal cronjob * Add HTTPS server setup commands for nginx
2016-03-21 21:42:39 +00:00
Correct configuration file tagging section name
2017-03-26 10:12:08 +00:00
TAG_TYPES = [j.split("/", 1) + [cp.get("tagging", j)] for j in cp.options("tagging")]
Move leases and tagging backend to filesystem extended attributes
2017-03-26 00:10:09 +00:00
Add token based auth for profiles
2017-04-21 21:22:08 +00:00
# Tokens
TOKEN_URL = cp.get("token", "url")
Token mechanism fixes
2017-04-24 17:33:55 +00:00
TOKEN_LIFETIME = cp.getint("token", "lifetime") * 60 # Convert minutes to seconds
Major refactor * Migrate to Python 3 * Update token generator mechanism * Switch to Bootstrap 4 * Switch from Iconmonstr to Font Awesome icons * Rename default CA common name to "Certidude at ca.example.lan" * Add self-enroll for the TLS server certificates * TLS client auth for lease updating * Compile assets from npm packages to /var/lib/certidude/ca.example.lan/assets
2017-12-30 13:57:48 +00:00
TOKEN_SECRET = cp.get("token", "secret").encode("ascii")
Add token based auth for profiles
2017-04-21 21:22:08 +00:00
Refactor users, add OpenVPN and mailing support * Add abstraction for user objects * Mail authority admins about pending, revoked and signed certificates * Add NetworkManager's OpenVPN plugin support * Improve CRL support * Refactor CSRF protection * Update documentation
2016-03-27 20:38:14 +00:00
# TODO: Check if we don't have base or servers
Add API call for rendering scripts, bugfixes
2017-05-04 17:56:53 +00:00
# The API call for looking up scripts uses following directory as root
Integrate LEDE image builder
2018-01-03 22:12:02 +00:00
SCRIPT_DIR = cp.get("script", "path")
Major refactor * Migrate to Python 3 * Update token generator mechanism * Switch to Bootstrap 4 * Switch from Iconmonstr to Font Awesome icons * Rename default CA common name to "Certidude at ca.example.lan" * Add self-enroll for the TLS server certificates * TLS client auth for lease updating * Compile assets from npm packages to /var/lib/certidude/ca.example.lan/assets
2017-12-30 13:57:48 +00:00
Migrate signature profiles to separate config file
2018-04-16 12:13:31 +00:00
from configparser import ConfigParser
profile_config = ConfigParser()
profile_config.readfp(open(const.PROFILE_CONFIG_PATH))
PROFILES = dict([(key, SignatureProfile(key,
profile_config.get(key, "title"),
profile_config.get(key, "ou"),
profile_config.getboolean(key, "ca"),
profile_config.getint(key, "lifetime"),
profile_config.get(key, "key usage"),
profile_config.get(key, "extended key usage"),
profile_config.get(key, "common name"),
)) for key in profile_config.sections()])
Integrate LEDE image builder
2018-01-03 22:12:02 +00:00
cp2 = configparser.RawConfigParser()
cp2.readfp(open(const.BUILDER_CONFIG_PATH, "r"))
IMAGE_BUILDER_PROFILES = [(j, cp2.get(j, "title"), cp2.get(j, "rename")) for j in cp2.sections()]
Several improvements * Add EC support * Make token form toggleable * Make client certificates compatible with iOS native IKEv2 * Fix OU for self-enroll * Improved sample scripts in web UI
2018-04-09 13:08:12 +00:00
TOKEN_OVERWRITE_PERMITTED=True
Several updates * Subnets configuration option for Kerberos machine enrollment * Configurable script snippets via [service] configuration section * Preliminary revocation reason support * Improved signature profile support * Add domain components to DN to distinguish certificate CN's namespace * Image builder improvements, add Elliptic Curve support * Added GetCACaps operation and more digest algorithms for SCEP * Generate certificate and CRL serial from timestamp (64+32bits) and random bytes (56bits) * Move client storage pool to /etc/certidude/authority/ * Cleanups & bugfixes
2018-04-27 07:48:15 +00:00
SERVICE_PROTOCOLS = set([j.lower() for j in cp.get("service", "protocols").split(" ") if j])
SERVICE_ROUTERS = cp.get("service", "routers")