Add dynamic package installation via decorators
This commit is contained in:
parent
6264846284
commit
1c5913ee3b
@ -1,6 +1,5 @@
|
|||||||
|
|
||||||
import click
|
import click
|
||||||
import falcon
|
|
||||||
import logging
|
import logging
|
||||||
import os
|
import os
|
||||||
import re
|
import re
|
||||||
@ -22,6 +21,7 @@ if "kerberos" in config.AUTHENTICATION_BACKENDS:
|
|||||||
|
|
||||||
|
|
||||||
def authenticate(optional=False):
|
def authenticate(optional=False):
|
||||||
|
import falcon
|
||||||
def wrapper(func):
|
def wrapper(func):
|
||||||
def kerberos_authenticate(resource, req, resp, *args, **kwargs):
|
def kerberos_authenticate(resource, req, resp, *args, **kwargs):
|
||||||
# If LDAP enabled and device is not Kerberos capable fall
|
# If LDAP enabled and device is not Kerberos capable fall
|
||||||
|
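Review bot: The `import falcon` moved into the body of `authenticate` carries no comment saying why it is no longer a module-level import, and the reason is not obvious from the hunk; the only visible effect is that `certidude.auth` can now be imported on a host without falcon installed, presumably so the CLI side can load sibling modules without the web stack. I'd add `# Imported here rather than at module level so this module can be imported without falcon (e.g. from the CLI); the decorator still needs it when applied` above the import. The body of `authenticate` and its inner `kerberos_authenticate` continue outside the hunk.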
@ -16,6 +16,7 @@ import sys
|
|||||||
from configparser import ConfigParser, NoOptionError, NoSectionError
|
from configparser import ConfigParser, NoOptionError, NoSectionError
|
||||||
from certidude.helpers import certidude_request_certificate
|
from certidude.helpers import certidude_request_certificate
|
||||||
from certidude.common import expand_paths, ip_address, ip_network
|
from certidude.common import expand_paths, ip_address, ip_network
|
||||||
|
from certidude.decorators import apt, rpm, pip
|
||||||
from cryptography import x509
|
from cryptography import x509
|
||||||
from cryptography.x509.oid import NameOID, ExtendedKeyUsageOID
|
from cryptography.x509.oid import NameOID, ExtendedKeyUsageOID
|
||||||
from cryptography.hazmat.backends import default_backend
|
from cryptography.hazmat.backends import default_backend
|
||||||
@ -481,6 +482,8 @@ def certidude_setup_nginx(authority, site_config, tls_config, common_name, direc
|
|||||||
default="/etc/openvpn/client-to-site.conf",
|
default="/etc/openvpn/client-to-site.conf",
|
||||||
type=click.File(mode="w", atomic=True, lazy=True),
|
type=click.File(mode="w", atomic=True, lazy=True),
|
||||||
help="OpenVPN configuration file")
|
help="OpenVPN configuration file")
|
||||||
|
@apt("openvpn python-requests-kerberos")
|
||||||
|
@rpm("openvpn python2-requests-kerberos")
|
||||||
def certidude_setup_openvpn_client(authority, remote, config, proto):
|
def certidude_setup_openvpn_client(authority, remote, config, proto):
|
||||||
|
|
||||||
# Create corresponding section in Certidude client configuration file
|
# Create corresponding section in Certidude client configuration file
|
||||||
@ -598,6 +601,9 @@ def certidude_setup_strongswan_server(authority, config, secrets, subnet, route,
|
|||||||
@click.command("client", help="Set up strongSwan client")
|
@click.command("client", help="Set up strongSwan client")
|
||||||
@click.argument("authority")
|
@click.argument("authority")
|
||||||
@click.argument("remote")
|
@click.argument("remote")
|
||||||
|
@apt("network-manager-openvpn-gnome python-requests-kerberos")
|
||||||
|
@rpm("NetworkManager-openvpn-gnome python2-requests-kerberos")
|
||||||
|
@pip("ipsecparse")
|
||||||
def certidude_setup_strongswan_client(authority, config, remote, dpdaction):
|
def certidude_setup_strongswan_client(authority, config, remote, dpdaction):
|
||||||
# Create corresponding section in /etc/certidude/client.conf
|
# Create corresponding section in /etc/certidude/client.conf
|
||||||
client_config = ConfigParser()
|
client_config = ConfigParser()
|
||||||
@ -645,6 +651,8 @@ def certidude_setup_strongswan_client(authority, config, remote, dpdaction):
|
|||||||
@click.command("networkmanager", help="Set up strongSwan client via NetworkManager")
|
@click.command("networkmanager", help="Set up strongSwan client via NetworkManager")
|
||||||
@click.argument("authority") # Certidude server
|
@click.argument("authority") # Certidude server
|
||||||
@click.argument("remote") # StrongSwan gateway
|
@click.argument("remote") # StrongSwan gateway
|
||||||
|
@apt("strongswan-nm")
|
||||||
|
@rpm("NetworkManager-strongswan-gnome")
|
||||||
def certidude_setup_strongswan_networkmanager(authority, remote):
|
def certidude_setup_strongswan_networkmanager(authority, remote):
|
||||||
endpoint = "IPSec to %s" % remote
|
endpoint = "IPSec to %s" % remote
|
||||||
|
|
||||||
@ -744,6 +752,8 @@ def certidude_setup_openvpn_networkmanager(authority, remote):
|
|||||||
@click.option("--directory", help="Directory for authority files")
|
@click.option("--directory", help="Directory for authority files")
|
||||||
@click.option("--server-flags", is_flag=True, help="Add TLS Server and IKE Intermediate extended key usage flags")
|
@click.option("--server-flags", is_flag=True, help="Add TLS Server and IKE Intermediate extended key usage flags")
|
||||||
@click.option("--outbox", default="smtp://smtp.%s" % const.DOMAIN, help="SMTP server, smtp://smtp.%s by default" % const.DOMAIN)
|
@click.option("--outbox", default="smtp://smtp.%s" % const.DOMAIN, help="SMTP server, smtp://smtp.%s by default" % const.DOMAIN)
|
||||||
|
@apt("python-setproctitle python-openssl python-falcon python-humanize python-markdown python-xattr")
|
||||||
|
@rpm("python-setproctitle pyOpenSSL python-falcon python-humanize python-markdown pyxattr")
|
||||||
def certidude_setup_authority(username, kerberos_keytab, nginx_config, country, state, locality, organization, organizational_unit, common_name, directory, authority_lifetime, push_server, outbox, server_flags):
|
def certidude_setup_authority(username, kerberos_keytab, nginx_config, country, state, locality, organization, organizational_unit, common_name, directory, authority_lifetime, push_server, outbox, server_flags):
|
||||||
openvpn_profile_template_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), "templates", "openvpn-client.conf")
|
openvpn_profile_template_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), "templates", "openvpn-client.conf")
|
||||||
bootstrap_template_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), "templates", "bootstrap.conf")
|
bootstrap_template_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), "templates", "bootstrap.conf")
|
||||||
|
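Review bot: The new `@apt`/`@rpm`/`@pip` stacks depend on decorator order in a way nothing here documents: the wrappers they return do not copy the original function's attributes, so any `@click.option` or `@click.argument` placed below them would attach its parameters to the inner function and be dropped by `@click.command`; in these hunks every click decorator sits above them, which is the order that must be kept. I'd put a comment above the first such stack: `# NOTE: @apt/@rpm/@pip must stay below every @click.option/@click.argument; they install packages each time the command is invoked, not at import`. `@pip("ipsecparse")` on `certidude_setup_strongswan_client` also fetches an unpinned package from PyPI over the network at setup time, which deserves a supply-chain caveat in the command's help or a pinned version. The bodies of all the decorated commands continue outside their hunks.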
@ -1,7 +1,9 @@
|
|||||||
import falcon
|
import click
|
||||||
import ipaddress
|
import ipaddress
|
||||||
import json
|
import json
|
||||||
import logging
|
import logging
|
||||||
|
import os
|
||||||
|
import subprocess
|
||||||
import types
|
import types
|
||||||
from datetime import date, time, datetime, timedelta
|
from datetime import date, time, datetime, timedelta
|
||||||
from certidude.auth import User
|
from certidude.auth import User
|
||||||
@ -13,6 +15,7 @@ def csrf_protection(func):
|
|||||||
"""
|
"""
|
||||||
Protect resource from common CSRF attacks by checking user agent and referrer
|
Protect resource from common CSRF attacks by checking user agent and referrer
|
||||||
"""
|
"""
|
||||||
|
import falcon
|
||||||
def wrapped(self, req, resp, *args, **kwargs):
|
def wrapped(self, req, resp, *args, **kwargs):
|
||||||
# Assume curl and python-requests are used intentionally
|
# Assume curl and python-requests are used intentionally
|
||||||
if req.user_agent.startswith("curl/") or req.user_agent.startswith("python-requests/"):
|
if req.user_agent.startswith("curl/") or req.user_agent.startswith("python-requests/"):
|
||||||
@ -40,6 +43,7 @@ def csrf_protection(func):
|
|||||||
|
|
||||||
|
|
||||||
def event_source(func):
|
def event_source(func):
|
||||||
|
import falcon
|
||||||
def wrapped(self, req, resp, *args, **kwargs):
|
def wrapped(self, req, resp, *args, **kwargs):
|
||||||
if req.get_header("Accept") == "text/event-stream":
|
if req.get_header("Accept") == "text/event-stream":
|
||||||
resp.status = falcon.HTTP_SEE_OTHER
|
resp.status = falcon.HTTP_SEE_OTHER
|
||||||
@ -72,6 +76,7 @@ def serialize(func):
|
|||||||
"""
|
"""
|
||||||
Falcon response serialization
|
Falcon response serialization
|
||||||
"""
|
"""
|
||||||
|
import falcon
|
||||||
def wrapped(instance, req, resp, **kwargs):
|
def wrapped(instance, req, resp, **kwargs):
|
||||||
if not req.client_accepts("application/json"):
|
if not req.client_accepts("application/json"):
|
||||||
logger.debug("Client did not accept application/json")
|
logger.debug("Client did not accept application/json")
|
||||||
@ -83,3 +88,43 @@ def serialize(func):
|
|||||||
resp.body = json.dumps(func(instance, req, resp, **kwargs), cls=MyEncoder)
|
resp.body = json.dumps(func(instance, req, resp, **kwargs), cls=MyEncoder)
|
||||||
return wrapped
|
return wrapped
|
||||||
|
|
||||||
|
|
||||||
|
def apt(packages):
|
||||||
|
"""
|
||||||
|
Install packages for Debian and Ubuntu
|
||||||
|
"""
|
||||||
|
def wrapper(func):
|
||||||
|
def wrapped(*args, **kwargs):
|
||||||
|
if os.path.exists("/usr/bin/apt-get"):
|
||||||
|
cmd = ["/usr/bin/apt-get", "install", "-yqq"] + packages.split(" ")
|
||||||
|
click.echo("Running: %s" % " ".join(cmd))
|
||||||
|
subprocess.call(cmd)
|
||||||
|
return func(*args, **kwargs)
|
||||||
|
return wrapped
|
||||||
|
return wrapper
|
||||||
|
|
||||||
|
|
||||||
|
def rpm(packages):
|
||||||
|
"""
|
||||||
|
Install packages for Fedora and CentOS
|
||||||
|
"""
|
||||||
|
def wrapper(func):
|
||||||
|
def wrapped(*args, **kwargs):
|
||||||
|
if os.path.exists("/usr/bin/dnf"):
|
||||||
|
cmd = ["/usr/bin/dnf", "install", "-y"] + packages.split(" ")
|
||||||
|
click.echo("Running: %s" % " ".join(cmd))
|
||||||
|
subprocess.call(cmd)
|
||||||
|
return func(*args, **kwargs)
|
||||||
|
return wrapped
|
||||||
|
return wrapper
|
||||||
|
|
||||||
|
|
||||||
|
def pip(packages):
|
||||||
|
def wrapper(func):
|
||||||
|
def wrapped(*args, **kwargs):
|
||||||
|
click.echo("Running: pip install %s" % packages)
|
||||||
|
import pip
|
||||||
|
pip.main(['install'] + packages.split(" "))
|
||||||
|
return func(*args, **kwargs)
|
||||||
|
return wrapped
|
||||||
|
return wrapper
|
||||||
|
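Review bot: All three decorators discard the installer's exit status — `subprocess.call(cmd)` in `apt` and `rpm`, `pip.main([...])` in `pip` — so a failed or interrupted install (no network, unknown package name, stale repository metadata) falls through to `return func(*args, **kwargs)` and the setup command runs against missing prerequisites. Checking the status and raising `click.ClickException` aborts cleanly without a traceback; `pip.main` is also not a supported public entry point, so invoking `sys.executable -m pip` through the same subprocess path is more robust (this needs `import sys` and `import functools` added at the top of the module). The wrappers should additionally be decorated with `functools.wraps(func)` so click's `__click_params__` and the docstring survive when these decorators sit under `@click.option`. Note that `apt`, `rpm` and `pip` install unpinned packages from the network with whatever privileges the CLI runs under; that is inherent to the feature but worth stating in each docstring.
```python
def apt(packages):
    """
    Install packages for Debian and Ubuntu; aborts the command if apt-get fails
    """
    def wrapper(func):
        @functools.wraps(func)
        def wrapped(*args, **kwargs):
            if os.path.exists("/usr/bin/apt-get"):
                cmd = ["/usr/bin/apt-get", "install", "-yqq"] + packages.split(" ")
                click.echo("Running: %s" % " ".join(cmd))
                if subprocess.call(cmd) != 0:
                    raise click.ClickException("Failed to install: %s" % packages)
            return func(*args, **kwargs)
        return wrapped
    return wrapper

# … rpm(): same shape as apt() with the /usr/bin/dnf command and the same status check …

def pip(packages):
    """
    Install Python packages with the running interpreter's own pip; aborts the command on failure
    """
    def wrapper(func):
        @functools.wraps(func)
        def wrapped(*args, **kwargs):
            cmd = [sys.executable, "-m", "pip", "install"] + packages.split(" ")
            click.echo("Running: %s" % " ".join(cmd))
            if subprocess.call(cmd) != 0:
                raise click.ClickException("Failed to install: %s" % packages)
            return func(*args, **kwargs)
        return wrapped
    return wrapper
```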
@ -1,5 +1,4 @@
|
|||||||
|
|
||||||
import falcon
|
|
||||||
import logging
|
import logging
|
||||||
|
|
||||||
logger = logging.getLogger("api")
|
logger = logging.getLogger("api")
|
||||||
@ -8,6 +7,8 @@ def whitelist_subnets(subnets):
|
|||||||
"""
|
"""
|
||||||
Validate source IP address of API call against subnet list
|
Validate source IP address of API call against subnet list
|
||||||
"""
|
"""
|
||||||
|
import falcon
|
||||||
|
|
||||||
def wrapper(func):
|
def wrapper(func):
|
||||||
def wrapped(self, req, resp, *args, **kwargs):
|
def wrapped(self, req, resp, *args, **kwargs):
|
||||||
# Check for administration subnet whitelist
|
# Check for administration subnet whitelist
|
||||||
@ -26,6 +27,8 @@ def whitelist_subnets(subnets):
|
|||||||
return wrapper
|
return wrapper
|
||||||
|
|
||||||
def whitelist_content_types(*content_types):
|
def whitelist_content_types(*content_types):
|
||||||
|
import falcon
|
||||||
|
|
||||||
def wrapper(func):
|
def wrapper(func):
|
||||||
def wrapped(self, req, resp, *args, **kwargs):
|
def wrapped(self, req, resp, *args, **kwargs):
|
||||||
for content_type in content_types:
|
for content_type in content_types:
|
||||||
|
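Review bot: The `import falcon` placed inside `whitelist_subnets` and `whitelist_content_types` is unexplained, and because both are decorator factories that run at decoration time, the import still executes when the API module is loaded; the only thing it buys is that `certidude.firewall` itself imports without falcon, presumably for the CLI side. I'd add `# Imported lazily so this module can be imported without falcon (e.g. from the CLI); the factory runs at decoration time, so API modules still need it` above the first such import so the next maintainer does not hoist it back. The body of `whitelist_content_types` continues outside the hunk.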