Add preliminary bootstrap API call

Lauri Võsandi 2017-04-12 13:21:49 +00:00
parent 90b663ce26
commit 09724e04dc
6 changed files with 61 additions and 3 deletions


@ -190,6 +190,7 @@ def certidude_app():
from .cfg import ConfigResource, ScriptResource from .cfg import ConfigResource, ScriptResource
from .tag import TagResource, TagDetailResource from .tag import TagResource, TagDetailResource
from .attrib import AttributeResource from .attrib import AttributeResource
from .bootstrap import BootstrapResource
app = falcon.API(middleware=NormalizeMiddleware()) app = falcon.API(middleware=NormalizeMiddleware())
app.req_options.auto_parse_form_urlencoded = True app.req_options.auto_parse_form_urlencoded = True
@ -202,6 +203,7 @@ def certidude_app():
app.add_route("/api/request/{cn}/", RequestDetailResource()) app.add_route("/api/request/{cn}/", RequestDetailResource())
app.add_route("/api/request/", RequestListResource()) app.add_route("/api/request/", RequestListResource())
app.add_route("/api/", SessionResource()) app.add_route("/api/", SessionResource())
app.add_route("/api/bootstrap/", BootstrapResource())
# Extended attributes for scripting etc. # Extended attributes for scripting etc.
app.add_route("/api/signed/{cn}/attr/", AttributeResource()) app.add_route("/api/signed/{cn}/attr/", AttributeResource())


@ -0,0 +1,14 @@
import logging
from certidude.decorators import serialize
from certidude.config import cp
from certidude import authority, config, const
from jinja2 import Template
logger = logging.getLogger(__name__)
class BootstrapResource(object):
def on_get(self, req, resp):
resp.body = Template(open(config.BOOTSTRAP_TEMPLATE).read()).render(
authority = const.FQDN,
servers = [cn for cn, path, buf, cert, server in authority.list_signed() if server])
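Review bot: `on_get` opens `config.BOOTSTRAP_TEMPLATE` with `open(...).read()` and never closes the handle, and it re-parses the template on every request; read it with `with open(config.BOOTSTRAP_TEMPLATE) as fh: template = Template(fh.read())` and build the `Template` once rather than per call. `serialize` and `cp` are imported but unused in this file. Nothing in this hunk authenticates or authorizes the caller, so the common name of every server certificate returned by `authority.list_signed()` is served to anyone who can reach `/api/bootstrap/`; if anonymous access is intentional for bootstrapping, say so in a class docstring such as `"""Render the services template for new clients; intentionally unauthenticated so they can discover endpoints before enrolment."""`, otherwise apply whatever access-control decorator the other API resources use. The rendered output is an INI-style file and the CNs are inserted unescaped, so a signed certificate whose CN contains a newline would alter the generated configuration — worth a comment, or a filter, unless CNs are already constrained at signing time.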


@ -106,6 +106,15 @@ def certidude_request(fork, renew):
subprocess.check_call(cmd) subprocess.check_call(cmd)
except NoOptionError: except NoOptionError:
pass pass
try:
endpoint_port = service_config.getint(endpoint, "port")
except NoOptionError:
endpoint_port = 1194
try:
endpoint_proto = service_config.get(endpoint, "proto")
except NoOptionError:
endpoint_proto = "udp"
try: try:
endpoint_insecure = clients.getboolean(authority, "insecure") endpoint_insecure = clients.getboolean(authority, "insecure")
except NoOptionError: except NoOptionError:
@ -254,7 +263,8 @@ def certidude_request(fork, renew):
nm_config.set("vpn", "tap-dev", "no") nm_config.set("vpn", "tap-dev", "no")
nm_config.set("vpn", "remote-cert-tls", "server") # Assert TLS Server flag of X.509 certificate nm_config.set("vpn", "remote-cert-tls", "server") # Assert TLS Server flag of X.509 certificate
nm_config.set("vpn", "remote", service_config.get(endpoint, "remote")) nm_config.set("vpn", "remote", service_config.get(endpoint, "remote"))
nm_config.set("vpn", "port", "51900") nm_config.set("vpn", "port", endpoint_port)
nm_config.set("vpn", "proto", endpoint_proto)
nm_config.set("vpn", "key", endpoint_key_path) nm_config.set("vpn", "key", endpoint_key_path)
nm_config.set("vpn", "cert", endpoint_certificate_path) nm_config.set("vpn", "cert", endpoint_certificate_path)
nm_config.set("vpn", "ca", endpoint_authority_path) nm_config.set("vpn", "ca", endpoint_authority_path)
@ -319,7 +329,7 @@ def certidude_request(fork, renew):
@click.argument("authority") @click.argument("authority")
@click.option("--subnet", "-s", default="192.168.33.0/24", type=ip_network, help="OpenVPN subnet, 192.168.33.0/24 by default") @click.option("--subnet", "-s", default="192.168.33.0/24", type=ip_network, help="OpenVPN subnet, 192.168.33.0/24 by default")
@click.option("--local", "-l", default="0.0.0.0", help="OpenVPN listening address, defaults to all interfaces") @click.option("--local", "-l", default="0.0.0.0", help="OpenVPN listening address, defaults to all interfaces")
@click.option("--port", "-p", default=51900, type=click.IntRange(1,60000), help="OpenVPN listening port, 51900 by default") @click.option("--port", "-p", default=1194, type=click.IntRange(1,60000), help="OpenVPN listening port, 1194 by default")
@click.option('--proto', "-t", default="udp", type=click.Choice(['udp', 'tcp']), help="OpenVPN transport protocol, UDP by default") @click.option('--proto', "-t", default="udp", type=click.Choice(['udp', 'tcp']), help="OpenVPN transport protocol, UDP by default")
@click.option("--route", "-r", type=ip_network, multiple=True, help="Subnets to advertise via this connection, multiple allowed") @click.option("--route", "-r", type=ip_network, multiple=True, help="Subnets to advertise via this connection, multiple allowed")
@click.option("--config", "-o", @click.option("--config", "-o",
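Review bot: In the second hunk (`@ -254,7 +263,8 @@`), `nm_config.set("vpn", "port", endpoint_port)` now passes the int returned by `service_config.getint(...)`, whereas the line it replaces passed the string `"51900"`; Python 3's `ConfigParser.set` (and Python 2's `SafeConfigParser.set`) raises `TypeError: option values must be strings` for a non-string value, so write `nm_config.set("vpn", "port", str(endpoint_port))`. Whether this actually fails depends on which parser class `nm_config` is, and it is constructed outside the visible hunks. In the first hunk the new `NoOptionError` fallbacks follow the surrounding style, but note that a missing endpoint section raises `NoSectionError`, which neither the new nor the existing handlers catch — the same limitation as before, so a comment suffices. certidude_request begins and ends outside these hunks.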


@ -46,6 +46,7 @@ OUTBOX_MAIL = cp.get("authority", "outbox sender address")
BUNDLE_FORMAT = cp.get("bundle", "format") BUNDLE_FORMAT = cp.get("bundle", "format")
OPENVPN_PROFILE_TEMPLATE = cp.get("bundle", "openvpn profile template") OPENVPN_PROFILE_TEMPLATE = cp.get("bundle", "openvpn profile template")
BOOTSTRAP_TEMPLATE = cp.get("bootstrap", "services template")
MACHINE_ENROLLMENT_ALLOWED = { MACHINE_ENROLLMENT_ALLOWED = {
"forbidden": False, "allowed": True }[ "forbidden": False, "allowed": True }[
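Review bot: `BOOTSTRAP_TEMPLATE = cp.get("bootstrap", "services template")` is evaluated unconditionally at import time, so an already-deployed server whose configuration has no `[bootstrap]` section will fail to start with `NoSectionError` after this change; none of the six file sections on this page touches a default server configuration. This matches how the neighbouring keys are read, so if a hard requirement is intended, document the new key inline, e.g. `# Jinja2 template served by /api/bootstrap/ (services.conf fragment for clients)`, and make sure the shipped default configuration gains the section; otherwise guard it with `try/except NoSectionError` and a default path. The module-level statements begin outside this hunk.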


@ -0,0 +1,31 @@
# This will be merged to /etc/certidude/services.conf
[Some old connection]
managed = true
enabled = false
[Connection in another authority]
refers = http://ca2.example.lan/api/bootstrap/
[Office LLC]
managed = true
enabled = true
# Authority FQDN
authority = {{ authority }}
# Service to be configured on the client
service = init/openvpn
;service = init/strongswan
;service = network-manager/openvpn
;service = network-manager/strongswan
# Server addresses for the client
remote ={% for server in servers %} {{ server }}{% endfor %}
# To customize port number advertised for certidude bootstrap
;port = 1194
# Protocol to advertise for certidude bootstrap
;proto = udp
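Review bot: The sample `refers = http://ca2.example.lan/api/bootstrap/` shows a plain-http URL for a document that tells the client which VPN remote, port and protocol to use; anything able to rewrite that fetch could redirect the client, so the example should read `refers = https://ca2.example.lan/api/bootstrap/` unless the client verifies the response some other way (not visible on this page). The line `remote ={% for server in servers %} {{ server }}{% endfor %}` renders as a bare `remote =` when no server certificates exist; wrapping it in `{% if servers %} … {% endif %}`, as the OpenVPN profile template already does, avoids emitting an empty key. The commented `;port = 1194` and `;proto = udp` lines are the new client-side overrides, so a comment saying they must match the OpenVPN server's actual listener would help operators reading this sample.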


@ -10,7 +10,7 @@ proto udp
{% if servers %} {% if servers %}
remote-random remote-random
{% for server in servers %} {% for server in servers %}
remote {{ server }} 51900 remote {{ server }} 1194
{% endfor %} {% endfor %}
{% else %} {% else %}
remote 1.2.3.4 1194 remote 1.2.3.4 1194
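Review bot: The profile template still hard-codes the port in `remote {{ server }} 1194` and, judging by the `proto udp` shown in the hunk header context, the protocol as well, while the new services template advertises per-service `port` and `proto` overrides; a server listening on a non-default port or on TCP will get a profile that cannot connect. Consider rendering the same values here, e.g. `remote {{ server }} {{ port }}` together with a `proto {{ proto }}` line, and noting in a template comment that `1194/udp` is the default. The `{% if servers %}` block's `{% endif %}` lies outside the visible hunk.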