mirror of
https://github.com/laurivosandi/certidude
synced 2024-12-22 08:15:18 +00:00
Various fixes
This commit is contained in:
parent
d91e12942d
commit
52d35012a4
@ -6,7 +6,6 @@ import logging
|
||||
import os
|
||||
import click
|
||||
import hashlib
|
||||
import xattr
|
||||
from datetime import datetime
|
||||
from time import sleep
|
||||
from certidude import authority, mailer
|
||||
@ -46,6 +45,8 @@ class SessionResource(object):
|
||||
@login_required
|
||||
@event_source
|
||||
def on_get(self, req, resp):
|
||||
import xattr
|
||||
|
||||
def serialize_requests(g):
|
||||
for common_name, path, buf, obj, server in g():
|
||||
yield dict(
|
||||
@ -126,7 +127,6 @@ class SessionResource(object):
|
||||
requests=serialize_requests(authority.list_requests),
|
||||
signed=serialize_certificates(authority.list_signed),
|
||||
revoked=serialize_certificates(authority.list_revoked),
|
||||
users=User.objects.all(),
|
||||
admin_users = User.objects.filter_admins(),
|
||||
user_subnets = config.USER_SUBNETS,
|
||||
autosign_subnets = config.AUTOSIGN_SUBNETS,
|
||||
|
||||
@ -1,11 +1,10 @@
|
||||
|
||||
import falcon
|
||||
import logging
|
||||
from ipaddress import ip_address
|
||||
from xattr import getxattr, listxattr
|
||||
from datetime import datetime
|
||||
from certidude import config, authority
|
||||
from certidude.decorators import serialize
|
||||
from xattr import getxattr, listxattr
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
|
||||
@ -15,7 +15,6 @@ from cryptography.hazmat.primitives import hashes, serialization
|
||||
from certidude import config, push, mailer, const
|
||||
from certidude import errors
|
||||
from jinja2 import Template
|
||||
from xattr import getxattr, listxattr, setxattr
|
||||
|
||||
RE_HOSTNAME = "^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])(@(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9]))?$"
|
||||
|
||||
@ -297,6 +296,8 @@ def sign(common_name, overwrite=False):
|
||||
def _sign(csr, buf, overwrite=False):
|
||||
assert buf.startswith("-----BEGIN CERTIFICATE REQUEST-----\n")
|
||||
assert isinstance(csr, x509.CertificateSigningRequest)
|
||||
from xattr import getxattr, listxattr, setxattr
|
||||
|
||||
common_name, = csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
|
||||
cert_path = os.path.join(config.SIGNED_DIR, common_name.value + ".pem")
|
||||
renew = False
|
||||
@ -375,5 +376,3 @@ def _sign(csr, buf, overwrite=False):
|
||||
push.publish("request-signed", common_name.value)
|
||||
|
||||
return cert, cert_buf
|
||||
|
||||
|
||||
|
||||
@ -8,7 +8,6 @@ import os
|
||||
import pwd
|
||||
import random
|
||||
import re
|
||||
import requests
|
||||
import signal
|
||||
import socket
|
||||
import string
|
||||
@ -67,6 +66,8 @@ ExecStart=%s request
|
||||
@click.option("-r", "--renew", default=False, is_flag=True, help="Renew now")
|
||||
@click.option("-f", "--fork", default=False, is_flag=True, help="Fork to background")
|
||||
def certidude_request(fork, renew):
|
||||
import requests
|
||||
|
||||
if not os.path.exists(const.CLIENT_CONFIG_PATH):
|
||||
click.echo("No %s!" % const.CLIENT_CONFIG_PATH)
|
||||
return 1
|
||||
@ -741,7 +742,7 @@ def certidude_setup_openvpn_networkmanager(authority, remote):
|
||||
@click.option("--authority-lifetime", default=20*365, help="Authority certificate lifetime in days, 20 years by default")
|
||||
@click.option("--organization", "-o", default=None, help="Company or organization name")
|
||||
@click.option("--organizational-unit", "-ou", default=None)
|
||||
@click.option("--push-server", default="http://" + const.FQDN, help="Push server, by default http://%s" % const.FQDN)
|
||||
@click.option("--push-server", help="Push server, by default http://%s" % const.FQDN)
|
||||
@click.option("--directory", help="Directory for authority files")
|
||||
@click.option("--server-flags", is_flag=True, help="Add TLS Server and IKE Intermediate extended key usage flags")
|
||||
@click.option("--outbox", default="smtp://smtp.%s" % const.DOMAIN, help="SMTP server, smtp://smtp.%s by default" % const.DOMAIN)
|
||||
@ -799,8 +800,7 @@ def certidude_setup_authority(username, kerberos_keytab, nginx_config, country,
|
||||
else:
|
||||
click.echo("Warning: /etc/krb5.keytab or /etc/samba/smb.conf not found, Kerberos unconfigured")
|
||||
|
||||
|
||||
working_directory = os.path.realpath(os.path.dirname(__file__))
|
||||
static_path = os.path.join(os.path.realpath(os.path.dirname(__file__)), "static")
|
||||
certidude_path = sys.argv[0]
|
||||
|
||||
# Push server config generation
|
||||
@ -809,15 +809,16 @@ def certidude_setup_authority(username, kerberos_keytab, nginx_config, country,
|
||||
listen = "0.0.0.0"
|
||||
port = "80"
|
||||
else:
|
||||
nginx_client_config.write(env.get_template("nginx.conf").render(vars()))
|
||||
click.echo("Generated: %s" % nginx_client_config.name)
|
||||
port = "8080"
|
||||
nginx_config.write(env.get_template("nginx.conf").render(vars()))
|
||||
click.echo("Generated: %s" % nginx_config.name)
|
||||
if not os.path.exists("/etc/nginx/sites-enabled/certidude.conf"):
|
||||
os.symlink("../sites-available/certidude.conf", "/etc/nginx/sites-enabled/certidude.conf")
|
||||
click.echo("Symlinked %s -> /etc/nginx/sites-enabled/" % nginx_client_config.name)
|
||||
click.echo("Symlinked %s -> /etc/nginx/sites-enabled/" % nginx_config.name)
|
||||
if os.path.exists("/etc/nginx/sites-enabled/default"):
|
||||
os.unlink("/etc/nginx/sites-enabled/default")
|
||||
if not push_server:
|
||||
click.echo("Remember to install nchan instead of regular nginx!")
|
||||
click.echo("Remember to install nchan capable nginx instead of regular nginx!")
|
||||
|
||||
if os.path.exists("/etc/systemd"):
|
||||
if os.path.exists("/etc/systemd/system/certidude.service"):
|
||||
@ -1231,6 +1232,7 @@ def certidude_serve(port, listen, fork):
|
||||
@click.option("-s", "--slot", default="9a", help="Yubikey slot to use, 9a by default")
|
||||
@click.option("-u", "--username", default=os.getenv("USER"), help="Username to use, %s by default" % os.getenv("USER"))
|
||||
def certidude_setup_yubikey(authority, slot, username, pin):
|
||||
import requests
|
||||
cmd = "ykinfo", "-q", "-s"
|
||||
click.echo("Executing: %s" % " ".join(cmd))
|
||||
serial = subprocess.check_output(cmd).strip()
|
||||
|
||||
@ -2,6 +2,7 @@
|
||||
import click
|
||||
import os
|
||||
import socket
|
||||
import sys
|
||||
|
||||
CONFIG_DIR = os.path.expanduser("~/.certidude") if os.getuid() else "/etc/certidude"
|
||||
CONFIG_PATH = os.path.join(CONFIG_DIR, "server.conf")
|
||||
@ -18,7 +19,11 @@ SIGNER_LOG_PATH = os.path.join(CONFIG_DIR, "signer.log") if os.getuid() else "/v
|
||||
if os.getenv("TRAVIS"):
|
||||
FQDN = "buildbot"
|
||||
else:
|
||||
FQDN = socket.getaddrinfo(socket.gethostname(), 0, socket.AF_INET, 0, 0, socket.AI_CANONNAME)[0][3]
|
||||
try:
|
||||
FQDN = socket.getaddrinfo(socket.gethostname(), 0, socket.AF_INET, 0, 0, socket.AI_CANONNAME)[0][3]
|
||||
except socket.gaierror:
|
||||
click.echo("Failed to resolve fully qualified hostname of this machine, make sure hostname -f works")
|
||||
sys.exit(254)
|
||||
|
||||
if "." in FQDN:
|
||||
HOSTNAME, DOMAIN = FQDN.split(".", 1)
|
||||
|
||||
@ -1,7 +1,6 @@
|
||||
|
||||
import click
|
||||
import os
|
||||
import requests
|
||||
import subprocess
|
||||
import tempfile
|
||||
from base64 import b64encode
|
||||
@ -30,6 +29,7 @@ def certidude_request_certificate(server, key_path, request_path, certificate_pa
|
||||
"""
|
||||
Exchange CSR for certificate using Certidude HTTP API server
|
||||
"""
|
||||
import requests
|
||||
|
||||
# Create directories
|
||||
for path in key_path, request_path, certificate_path, authority_path, revocations_path:
|
||||
|
||||
@ -1,13 +1,29 @@
|
||||
# To set up SSL certificates using Let's Encrypt run:
|
||||
#
|
||||
# apt install letsencrypt
|
||||
# certbot certonly -d {{common_name}} --webroot /var/www/html/
|
||||
#
|
||||
# Also uncomment URL rewriting and SSL configuration below
|
||||
|
||||
server {
|
||||
server_name {{ common_name }};
|
||||
listen 80 default_server;
|
||||
# rewrite ^ https://$server_name$request_uri? permanent;
|
||||
#}
|
||||
|
||||
#server {
|
||||
# server_name {{ common_name }};
|
||||
# listen 443 ssl http2 default_server;
|
||||
# add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
|
||||
# ssl_certificate /etc/letsencrypt/live/{{common_name}}/fullchain.pem;
|
||||
# ssl_certificate_key /etc/letsencrypt/live/{{common_name}}/privkey.pem;
|
||||
|
||||
error_page 500 502 503 504 /50x.html;
|
||||
|
||||
root {{static_path}};
|
||||
|
||||
location /api/ {
|
||||
proxy_pass http://127.0.0.1{% if listen != 80 }:{{ listen }}{% endif %}/api/;
|
||||
proxy_pass http://127.0.0.1{% if port != 80 %}:{{ port }}{% endif %}/api/;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_connect_timeout 600;
|
||||
@ -16,7 +32,15 @@ server {
|
||||
send_timeout 600;
|
||||
}
|
||||
|
||||
{% if not push_server %}
|
||||
# This is for Let's Encrypt
|
||||
location /.well-known/ {
|
||||
alias /var/www/html/.well-known/;
|
||||
}
|
||||
|
||||
|
||||
{% if not push_server %}
|
||||
# This only works with nchan, for Debian 9 just apt install libnginx-mod-nchan
|
||||
# For Ubuntu and older Debian releases install nchan from https://nchan.io/
|
||||
location ~ "^/lp/pub/(.*)" {
|
||||
allow 127.0.0.1;
|
||||
nchan_publisher;
|
||||
@ -40,7 +64,7 @@ server {
|
||||
nchan_channel_id $1;
|
||||
nchan_subscriber eventsource;
|
||||
}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
}
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user