Add preliminary bootstrap API call

certidude/api/__init__.py

@@ -190,6 +190,7 @@ def certidude_app():
     from .cfg import ConfigResource, ScriptResource
     from .tag import TagResource, TagDetailResource
     from .attrib import AttributeResource
+    from .bootstrap import BootstrapResource
 
     app = falcon.API(middleware=NormalizeMiddleware())
     app.req_options.auto_parse_form_urlencoded = True
@@ -202,6 +203,7 @@ def certidude_app():
     app.add_route("/api/request/{cn}/", RequestDetailResource())
     app.add_route("/api/request/", RequestListResource())
     app.add_route("/api/", SessionResource())
+    app.add_route("/api/bootstrap/", BootstrapResource())
 
     # Extended attributes for scripting etc.
     app.add_route("/api/signed/{cn}/attr/", AttributeResource())

certidude/api/bootstrap.py

@@ -0,0 +1,14 @@
+import logging
+from certidude.decorators import serialize
+from certidude.config import cp
+from certidude import authority, config, const
+from jinja2 import Template
+
+logger = logging.getLogger(__name__)
+
+class BootstrapResource(object):
+    def on_get(self, req, resp):
+        resp.body = Template(open(config.BOOTSTRAP_TEMPLATE).read()).render(
+            authority = const.FQDN,
+            servers = [cn for cn, path, buf, cert, server in authority.list_signed() if server])
+

certidude/cli.py

@@ -106,6 +106,15 @@ def certidude_request(fork, renew):
                 subprocess.check_call(cmd)
         except NoOptionError:
             pass
+
+        try:
+            endpoint_port = service_config.getint(endpoint, "port")
+        except NoOptionError:
+            endpoint_port = 1194
+        try:
+            endpoint_proto = service_config.get(endpoint, "proto")
+        except NoOptionError:
+            endpoint_proto = "udp"
         try:
             endpoint_insecure = clients.getboolean(authority, "insecure")
         except NoOptionError:
@@ -254,7 +263,8 @@ def certidude_request(fork, renew):
                 nm_config.set("vpn", "tap-dev", "no")
                 nm_config.set("vpn", "remote-cert-tls", "server") # Assert TLS Server flag of X.509 certificate
                 nm_config.set("vpn", "remote", service_config.get(endpoint, "remote"))
-                nm_config.set("vpn", "port", "51900")
+                nm_config.set("vpn", "port", endpoint_port)
+                nm_config.set("vpn", "proto", endpoint_proto)
                 nm_config.set("vpn", "key", endpoint_key_path)
                 nm_config.set("vpn", "cert", endpoint_certificate_path)
                 nm_config.set("vpn", "ca", endpoint_authority_path)
@@ -319,7 +329,7 @@ def certidude_request(fork, renew):
 @click.argument("authority")
 @click.option("--subnet", "-s", default="192.168.33.0/24", type=ip_network, help="OpenVPN subnet, 192.168.33.0/24 by default")
 @click.option("--local", "-l", default="0.0.0.0", help="OpenVPN listening address, defaults to all interfaces")
-@click.option("--port", "-p", default=51900, type=click.IntRange(1,60000), help="OpenVPN listening port, 51900 by default")
+@click.option("--port", "-p", default=1194, type=click.IntRange(1,60000), help="OpenVPN listening port, 1194 by default")
 @click.option('--proto', "-t", default="udp", type=click.Choice(['udp', 'tcp']), help="OpenVPN transport protocol, UDP by default")
 @click.option("--route", "-r", type=ip_network, multiple=True, help="Subnets to advertise via this connection, multiple allowed")
 @click.option("--config", "-o",

certidude/config.py

@@ -46,6 +46,7 @@ OUTBOX_MAIL = cp.get("authority", "outbox sender address")
 
 BUNDLE_FORMAT = cp.get("bundle", "format")
 OPENVPN_PROFILE_TEMPLATE = cp.get("bundle", "openvpn profile template")
+BOOTSTRAP_TEMPLATE = cp.get("bootstrap", "services template")
 
 MACHINE_ENROLLMENT_ALLOWED = {
     "forbidden": False, "allowed": True }[

certidude/templates/bootstrap.conf

@@ -0,0 +1,31 @@
+# This will be merged to /etc/certidude/services.conf
+
+[Some old connection]
+managed = true
+enabled = false
+
+[Connection in another authority]
+refers = http://ca2.example.lan/api/bootstrap/
+
+[Office LLC]
+managed = true
+enabled = true
+
+# Authority FQDN
+authority = {{ authority }}
+
+# Service to be configured on the client
+service = init/openvpn
+;service = init/strongswan
+;service = network-manager/openvpn
+;service = network-manager/strongswan
+
+# Server addresses for the client
+remote ={% for server in servers %} {{ server }}{% endfor %}
+
+# To customize port number advertised for certidude bootstrap
+;port = 1194
+
+# Protocol to advertise for certidude bootstrap
+;proto = udp
+

certidude/templates/openvpn-client.conf

@@ -10,7 +10,7 @@ proto udp
 {% if servers %}
 remote-random
 {% for server in servers %}
-remote {{ server }} 51900
+remote {{ server }} 1194
 {% endfor %}
 {% else %}
 remote 1.2.3.4 1194