Add preliminary bootstrap API call
This commit is contained in:
parent
90b663ce26
commit
09724e04dc
|
|
@ -190,6 +190,7 @@ def certidude_app():
|
||||||
from .cfg import ConfigResource, ScriptResource
|
from .cfg import ConfigResource, ScriptResource
|
||||||
from .tag import TagResource, TagDetailResource
|
from .tag import TagResource, TagDetailResource
|
||||||
from .attrib import AttributeResource
|
from .attrib import AttributeResource
|
||||||
|
from .bootstrap import BootstrapResource
|
||||||
|
|
||||||
app = falcon.API(middleware=NormalizeMiddleware())
|
app = falcon.API(middleware=NormalizeMiddleware())
|
||||||
app.req_options.auto_parse_form_urlencoded = True
|
app.req_options.auto_parse_form_urlencoded = True
|
||||||
|
|
@ -202,6 +203,7 @@ def certidude_app():
|
||||||
app.add_route("/api/request/{cn}/", RequestDetailResource())
|
app.add_route("/api/request/{cn}/", RequestDetailResource())
|
||||||
app.add_route("/api/request/", RequestListResource())
|
app.add_route("/api/request/", RequestListResource())
|
||||||
app.add_route("/api/", SessionResource())
|
app.add_route("/api/", SessionResource())
|
||||||
|
app.add_route("/api/bootstrap/", BootstrapResource())
|
||||||
|
|
||||||
# Extended attributes for scripting etc.
|
# Extended attributes for scripting etc.
|
||||||
app.add_route("/api/signed/{cn}/attr/", AttributeResource())
|
app.add_route("/api/signed/{cn}/attr/", AttributeResource())
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,14 @@
|
||||||
|
import logging
|
||||||
|
from certidude.decorators import serialize
|
||||||
|
from certidude.config import cp
|
||||||
|
from certidude import authority, config, const
|
||||||
|
from jinja2 import Template
|
||||||
|
|
||||||
|
logger = logging.getLogger(__name__)
|
||||||
|
|
||||||
|
class BootstrapResource(object):
|
||||||
|
def on_get(self, req, resp):
|
||||||
|
resp.body = Template(open(config.BOOTSTRAP_TEMPLATE).read()).render(
|
||||||
|
authority = const.FQDN,
|
||||||
|
servers = [cn for cn, path, buf, cert, server in authority.list_signed() if server])
|
||||||
|
|
||||||
|
|
@ -106,6 +106,15 @@ def certidude_request(fork, renew):
|
||||||
subprocess.check_call(cmd)
|
subprocess.check_call(cmd)
|
||||||
except NoOptionError:
|
except NoOptionError:
|
||||||
pass
|
pass
|
||||||
|
|
||||||
|
try:
|
||||||
|
endpoint_port = service_config.getint(endpoint, "port")
|
||||||
|
except NoOptionError:
|
||||||
|
endpoint_port = 1194
|
||||||
|
try:
|
||||||
|
endpoint_proto = service_config.get(endpoint, "proto")
|
||||||
|
except NoOptionError:
|
||||||
|
endpoint_proto = "udp"
|
||||||
try:
|
try:
|
||||||
endpoint_insecure = clients.getboolean(authority, "insecure")
|
endpoint_insecure = clients.getboolean(authority, "insecure")
|
||||||
except NoOptionError:
|
except NoOptionError:
|
||||||
|
|
@ -254,7 +263,8 @@ def certidude_request(fork, renew):
|
||||||
nm_config.set("vpn", "tap-dev", "no")
|
nm_config.set("vpn", "tap-dev", "no")
|
||||||
nm_config.set("vpn", "remote-cert-tls", "server") # Assert TLS Server flag of X.509 certificate
|
nm_config.set("vpn", "remote-cert-tls", "server") # Assert TLS Server flag of X.509 certificate
|
||||||
nm_config.set("vpn", "remote", service_config.get(endpoint, "remote"))
|
nm_config.set("vpn", "remote", service_config.get(endpoint, "remote"))
|
||||||
nm_config.set("vpn", "port", "51900")
|
nm_config.set("vpn", "port", endpoint_port)
|
||||||
|
nm_config.set("vpn", "proto", endpoint_proto)
|
||||||
nm_config.set("vpn", "key", endpoint_key_path)
|
nm_config.set("vpn", "key", endpoint_key_path)
|
||||||
nm_config.set("vpn", "cert", endpoint_certificate_path)
|
nm_config.set("vpn", "cert", endpoint_certificate_path)
|
||||||
nm_config.set("vpn", "ca", endpoint_authority_path)
|
nm_config.set("vpn", "ca", endpoint_authority_path)
|
||||||
|
|
@ -319,7 +329,7 @@ def certidude_request(fork, renew):
|
||||||
@click.argument("authority")
|
@click.argument("authority")
|
||||||
@click.option("--subnet", "-s", default="192.168.33.0/24", type=ip_network, help="OpenVPN subnet, 192.168.33.0/24 by default")
|
@click.option("--subnet", "-s", default="192.168.33.0/24", type=ip_network, help="OpenVPN subnet, 192.168.33.0/24 by default")
|
||||||
@click.option("--local", "-l", default="0.0.0.0", help="OpenVPN listening address, defaults to all interfaces")
|
@click.option("--local", "-l", default="0.0.0.0", help="OpenVPN listening address, defaults to all interfaces")
|
||||||
@click.option("--port", "-p", default=51900, type=click.IntRange(1,60000), help="OpenVPN listening port, 51900 by default")
|
@click.option("--port", "-p", default=1194, type=click.IntRange(1,60000), help="OpenVPN listening port, 1194 by default")
|
||||||
@click.option('--proto', "-t", default="udp", type=click.Choice(['udp', 'tcp']), help="OpenVPN transport protocol, UDP by default")
|
@click.option('--proto', "-t", default="udp", type=click.Choice(['udp', 'tcp']), help="OpenVPN transport protocol, UDP by default")
|
||||||
@click.option("--route", "-r", type=ip_network, multiple=True, help="Subnets to advertise via this connection, multiple allowed")
|
@click.option("--route", "-r", type=ip_network, multiple=True, help="Subnets to advertise via this connection, multiple allowed")
|
||||||
@click.option("--config", "-o",
|
@click.option("--config", "-o",
|
||||||
|
|
|
||||||
|
|
@ -46,6 +46,7 @@ OUTBOX_MAIL = cp.get("authority", "outbox sender address")
|
||||||
|
|
||||||
BUNDLE_FORMAT = cp.get("bundle", "format")
|
BUNDLE_FORMAT = cp.get("bundle", "format")
|
||||||
OPENVPN_PROFILE_TEMPLATE = cp.get("bundle", "openvpn profile template")
|
OPENVPN_PROFILE_TEMPLATE = cp.get("bundle", "openvpn profile template")
|
||||||
|
BOOTSTRAP_TEMPLATE = cp.get("bootstrap", "services template")
|
||||||
|
|
||||||
MACHINE_ENROLLMENT_ALLOWED = {
|
MACHINE_ENROLLMENT_ALLOWED = {
|
||||||
"forbidden": False, "allowed": True }[
|
"forbidden": False, "allowed": True }[
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,31 @@
|
||||||
|
# This will be merged to /etc/certidude/services.conf
|
||||||
|
|
||||||
|
[Some old connection]
|
||||||
|
managed = true
|
||||||
|
enabled = false
|
||||||
|
|
||||||
|
[Connection in another authority]
|
||||||
|
refers = http://ca2.example.lan/api/bootstrap/
|
||||||
|
|
||||||
|
[Office LLC]
|
||||||
|
managed = true
|
||||||
|
enabled = true
|
||||||
|
|
||||||
|
# Authority FQDN
|
||||||
|
authority = {{ authority }}
|
||||||
|
|
||||||
|
# Service to be configured on the client
|
||||||
|
service = init/openvpn
|
||||||
|
;service = init/strongswan
|
||||||
|
;service = network-manager/openvpn
|
||||||
|
;service = network-manager/strongswan
|
||||||
|
|
||||||
|
# Server addresses for the client
|
||||||
|
remote ={% for server in servers %} {{ server }}{% endfor %}
|
||||||
|
|
||||||
|
# To customize port number advertised for certidude bootstrap
|
||||||
|
;port = 1194
|
||||||
|
|
||||||
|
# Protocol to advertise for certidude bootstrap
|
||||||
|
;proto = udp
|
||||||
|
|
||||||
|
|
@ -10,7 +10,7 @@ proto udp
|
||||||
{% if servers %}
|
{% if servers %}
|
||||||
remote-random
|
remote-random
|
||||||
{% for server in servers %}
|
{% for server in servers %}
|
||||||
remote {{ server }} 51900
|
remote {{ server }} 1194
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% else %}
|
{% else %}
|
||||||
remote 1.2.3.4 1194
|
remote 1.2.3.4 1194
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue