1
0
mirror of https://github.com/laurivosandi/certidude synced 2024-12-22 08:15:18 +00:00

Added preliminary Kerberos authentication support

This commit is contained in:
Lauri Võsandi 2015-08-16 17:21:42 +03:00
parent c5d27e8a76
commit e2f27078d1
12 changed files with 236 additions and 53 deletions

View File

@ -21,6 +21,7 @@ Features
* Certificate numbering obfuscation, certificate serial numbers are intentionally
randomized to avoid leaking information about business practices.
* Server-side events support via for example nginx-push-stream-module.
* Kerberos based authentication
TODO
@ -42,9 +43,12 @@ To install Certidude:
.. code:: bash
apt-get install -y python3 python3-netifaces python3-pip python3-dev cython3 build-essential libffi-dev libssl-dev
apt-get install -y python3 python3-pip python3-dev cython3 build-essential libffi-dev libssl-dev
pip3 install certidude
Make sure you're running PyOpenSSL 0.15+ and netifaces 0.10.4+ from PyPI,
not the outdated ones provided by APT.
Create a system user for ``certidude``:
.. code:: bash
@ -106,7 +110,7 @@ Install uWSGI:
.. code:: bash
apt-get install uwsgi uwsgi-plugin-python3
apt-get install nginx uwsgi uwsgi-plugin-python3
To set up ``nginx`` and ``uwsgi`` is suggested:
@ -132,8 +136,8 @@ Otherwise manually configure uUWSGI application in ``/etc/uwsgi/apps-available/c
callable = app
chmod-socket = 660
chown-socket = certidude:www-data
env = CERTIDUDE_EVENT_PUBLISH=http://localhost/event/publish/%(channel)s
env = CERTIDUDE_EVENT_SUBSCRIBE=http://localhost/event/subscribe/%(channel)s
env = PUSH_PUBLISH=http://localhost/event/publish/%(channel)s
env = PUSH_SUBSCRIBE=http://localhost/event/subscribe/%(channel)s
Also enable the application:
@ -213,3 +217,71 @@ Restart the services:
service uwsgi restart
service nginx restart
Setting up Kerberos authentication
----------------------------------
Following assumes you have already set up Kerberos infrastructure and
Certidude is simply one of the servers making use of that infrastructure.
Install dependencies:
.. code:: bash
apt-get install samba-common-bin krb5-user ldap-utils
Set up Samba client configuration in ``/etc/samba/smb.conf``:
.. code:: ini
[global]
security = ads
netbios name = CERTIDUDE
workgroup = WORKGROUP
realm = EXAMPLE.LAN
kerberos method = system keytab
Set up Kerberos keytab for the web service:
.. code:: bash
KRB5_KTNAME=FILE:/etc/certidude.keytab net ads keytab add HTTP -U Administrator
Setting up authorization
------------------------
Obviously arbitrary Kerberos authenticated user should not have access to
the CA web interface.
You could either specify user name list
in ``/etc/ssl/openssl.cnf``:
.. code:: bash
admin_users=alice bob john kate
Or alternatively specify file path:
.. code:: bash
admin_users=/run/certidude/user.whitelist
Use following shell snippets eg in ``/etc/cron.hourly/update-certidude-user-whitelist``
to generate user whitelist via LDAP:
.. code:: bash
ldapsearch -H ldap://dc1.id.stipit.com -s sub -x -LLL \
-D 'cn=certidude,cn=Users,dc=id,dc=stipit,dc=com' \
-w 'certidudepass' \
-b 'ou=sso,dc=id,dc=stipit,dc=com' \
'(objectClass=user)' sAMAccountName userPrincipalName givenName sn \
| python3 -c "import ldif3; import sys; [sys.stdout.write('%s:%s:%s:%s\n' % (a.pop('sAMAccountName')[0], a.pop('userPrincipalName')[0], a.pop('givenName')[0], a.pop('sn')[0])) for _, a in ldif3.LDIFParser(sys.stdin.buffer).parse()]" \
> /run/certidude/user.whitelist
Set permissions:
.. code:: bash
chmod 700 /etc/cron.hourly/update-certidude-user-whitelist

View File

@ -7,6 +7,7 @@ import urllib.request
import click
from time import sleep
from certidude.wrappers import Request, Certificate
from certidude.auth import login_required
from certidude.mailer import Mailer
from pyasn1.codec.der import decoder
from datetime import datetime, date
@ -20,9 +21,20 @@ RE_HOSTNAME = "^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0
def omit(**kwargs):
return dict([(key,value) for (key, value) in kwargs.items() if value])
def authorize_admin(func):
def wrapped(self, req, resp, *args, **kwargs):
kerberos_username, kerberos_realm = kwargs.get("user")
if kerberos_username not in kwargs.get("ca").admin_users:
raise falcon.HTTPForbidden("User %s not whitelisted" % kerberos_username)
kwargs["user"] = kerberos_username
return func(self, req, resp, *args, **kwargs)
return wrapped
def pop_certificate_authority(func):
def wrapped(self, req, resp, *args, **kwargs):
kwargs["ca"] = self.config.instantiate_authority(kwargs["ca"])
print(func)
return func(self, req, resp, *args, **kwargs)
return wrapped
@ -72,9 +84,11 @@ def serialize(func):
def templatize(path):
template = env.get_template(path)
def wrapper(func):
def wrapped(instance, req, resp, **kwargs):
def wrapped(instance, req, resp, *args, **kwargs):
assert not req.get_param("unicode") or req.get_param("unicode") == u"", "Unicode sanity check failed"
r = func(instance, req, resp, **kwargs)
print("templatize would call", func, "with", args, kwargs)
r = func(instance, req, resp, *args, **kwargs)
r.pop("self")
if not resp.body:
if req.get_header("Accept") == "application/json":
resp.set_header("Cache-Control", "no-cache, no-store, must-revalidate");
@ -114,9 +128,11 @@ class SignedCertificateDetailResource(CertificateAuthorityBase):
resp.stream = open(path, "rb")
resp.append_header("Content-Disposition", "attachment; filename=%s.crt" % cn)
@login_required
@pop_certificate_authority
@authorize_admin
@validate_common_name
def on_delete(self, req, resp, ca, cn):
def on_delete(self, req, resp, ca, cn, user):
ca.revoke(cn)
class SignedCertificateListResource(CertificateAuthorityBase):
@ -152,9 +168,11 @@ class RequestDetailResource(CertificateAuthorityBase):
resp.append_header("Content-Type", "application/x-x509-user-cert")
resp.append_header("Content-Disposition", "attachment; filename=%s.csr" % cn)
@login_required
@pop_certificate_authority
@authorize_admin
@validate_common_name
def on_patch(self, req, resp, ca, cn):
def on_patch(self, req, resp, ca, cn, user):
"""
Sign a certificate signing request
"""
@ -165,8 +183,10 @@ class RequestDetailResource(CertificateAuthorityBase):
resp.status = falcon.HTTP_201
resp.location = os.path.join(req.relative_uri, "..", "..", "signed", cn)
@login_required
@pop_certificate_authority
def on_delete(self, req, resp, ca, cn):
@authorize_admin
def on_delete(self, req, resp, ca, cn, user):
ca.delete_request(cn)
class RequestListResource(CertificateAuthorityBase):
@ -195,8 +215,8 @@ class RequestListResource(CertificateAuthorityBase):
remote_addr = ipaddress.ip_address(req.env["REMOTE_ADDR"])
# Check for CSR submission whitelist
if ca.request_whitelist:
for subnet in ca.request_whitelist:
if ca.request_subnets:
for subnet in ca.request_subnets:
if subnet.overlaps(remote_addr):
break
else:
@ -225,11 +245,11 @@ class RequestListResource(CertificateAuthorityBase):
# Process automatic signing if the IP address is whitelisted and autosigning was requested
if req.get_param("autosign").lower() in ("yes", "1", "true"):
for subnet in ca.autosign_whitelist:
for subnet in ca.autosign_subnets:
if subnet.overlaps(remote_addr):
try:
resp.append_header("Content-Type", "application/x-x509-user-cert")
resp.body = ca.sign(req).dump()
resp.body = ca.sign(csr).dump()
return
except FileExistsError: # Certificate already exists, try to save the request
pass
@ -245,7 +265,7 @@ class RequestListResource(CertificateAuthorityBase):
# Wait the certificate to be signed if waiting is requested
if req.get_param("wait"):
url_template = os.getenv("CERTIDUDE_EVENT_SUBSCRIBE")
url_template = os.getenv("PUSH_SUBSCRIBE")
if url_template:
# Redirect to nginx pub/sub
url = url_template % dict(channel=request.fingerprint())
@ -286,15 +306,15 @@ class CertificateAuthorityResource(CertificateAuthorityBase):
resp.append_header("Content-Disposition", "attachment; filename=%s.crt" % ca.slug)
class IndexResource(CertificateAuthorityBase):
@templatize("index.html")
@login_required
@pop_certificate_authority
def on_get(self, req, resp, ca):
return {
"authority": ca }
@templatize("index.html")
def on_get(self, req, resp, ca, user):
return locals()
class ApplicationConfigurationResource(CertificateAuthorityBase):
@validate_common_name
@pop_certificate_authority
@validate_common_name
def on_get(self, req, resp, ca, cn):
ctx = dict(
cn = cn,
@ -304,9 +324,11 @@ class ApplicationConfigurationResource(CertificateAuthorityBase):
resp.append_header("Content-Disposition", "attachment; filename=%s.ovpn" % cn)
resp.body = Template(open("/etc/openvpn/%s.template" % ca.slug).read()).render(ctx)
@validate_common_name
@login_required
@pop_certificate_authority
def on_put(self, req, resp, ca, cn=None):
@authorize_admin
@validate_common_name
def on_put(self, req, resp, user, ca, cn=None):
pkey_buf, req_buf, cert_buf = ca.create_bundle(cn)
ctx = dict(

60
certidude/auth.py Normal file
View File

@ -0,0 +1,60 @@
import click
import falcon
import kerberos
import os
import re
import socket
# Vanilla Kerberos provides only username.
# AD also embeds PAC (Privilege Attribute Certificate), which
# is supposed to be sent via HTTP headers and it contains
# the groups user is part of.
# Even then we would have to manually look up the e-mail
# address eg via LDAP, hence to keep things simple
# we simply use Kerberos to authenticate.
FQDN = socket.getaddrinfo(socket.gethostname(), 0, flags=socket.AI_CANONNAME)[0][3]
if not os.getenv("KRB5_KTNAME"):
click.echo("Kerberos keytab not specified, set environment variable 'KRB5_KTNAME'", err=True)
exit(250)
try:
principal = kerberos.getServerPrincipalDetails("HTTP", FQDN)
except kerberos.KrbError as exc:
click.echo("Failed to initialize Kerberos, reason: %s" % exc, err=True)
exit(249)
else:
click.echo("Kerberos enabled, service principal is HTTP/%s" % FQDN)
def login_required(func):
def wrapped(resource, req, resp, *args, **kwargs):
authorization = req.get_header("Authorization")
if not authorization:
resp.append_header("WWW-Authenticate", "Negotiate")
raise falcon.HTTPUnauthorized("Unauthorized", "No Kerberos ticket offered?")
token = ''.join(authorization.split()[1:])
rc, context = kerberos.authGSSServerInit("HTTP@" + FQDN)
if rc != kerberos.AUTH_GSS_COMPLETE:
raise falcon.HTTPForbidden("Forbidden", "Kerberos ticket expired?")
rc = kerberos.authGSSServerStep(context, token)
kerberos_user = kerberos.authGSSServerUserName(context).split("@")
# References lost beyond this point! Results in
# ValueError: PyCapsule_SetPointer called with null pointer
kerberos.authGSSServerClean(context)
if rc == kerberos.AUTH_GSS_COMPLETE:
kwargs["user"] = kerberos_user
return func(resource, req, resp, *args, **kwargs)
elif rc == kerberos.AUTH_GSS_CONTINUE:
raise falcon.HTTPUnauthorized("Unauthorized", "Tried GSSAPI")
else:
raise falcon.HTTPForbidden("Forbidden", "Tried GSSAPI")
return wrapped

View File

@ -402,6 +402,7 @@ def certidude_setup_strongswan_client(url, config, secrets, email_address, commo
@click.option("--username", default="certidude", help="Service user account, created if necessary, 'certidude' by default")
@click.option("--hostname", default=HOSTNAME, help="nginx hostname, '%s' by default" % HOSTNAME)
@click.option("--static-path", default=os.path.join(os.path.dirname(__file__), "static"), help="Static files")
@click.option("--kerberos-keytab", default="/etc/certidude.keytab", help="Specify Kerberos keytab")
@click.option("--nginx-config", "-n",
default="/etc/nginx/nginx.conf",
type=click.File(mode="w", atomic=True, lazy=True),
@ -411,7 +412,7 @@ def certidude_setup_strongswan_client(url, config, secrets, email_address, commo
type=click.File(mode="w", atomic=True, lazy=True),
help="uwsgi configuration, /etc/uwsgi/ by default")
@click.option("--push-server", help="Push server URL, in case of different nginx instance")
def certidude_setup_production(username, hostname, push_server, nginx_config, uwsgi_config, static_path):
def certidude_setup_production(username, hostname, push_server, nginx_config, uwsgi_config, static_path, kerberos_keytab):
try:
pwd.getpwnam(username)
click.echo("Username '%s' already exists, excellent!" % username)
@ -419,8 +420,13 @@ def certidude_setup_production(username, hostname, push_server, nginx_config, uw
cmd = "adduser", "--system", "--no-create-home", "--group", username
subprocess.check_call(cmd)
# cmd = "gpasswd", "-a", username, "www-data"
# subprocess.check_call(cmd)
if subprocess.call("net ads testjoin", shell=True):
click.echo("Domain membership check failed, 'net ads testjoin' returned non-zero value", stderr=True)
exit(255)
if not os.path.exists(kerberos_keytab):
subprocess.call("KRB5_KTNAME=FILE:" + kerberos_keytab + " net ads keytab add HTTP -P")
click.echo("Created Kerberos keytab in '%s'" % kerberos_keytab)
if not static_path.endswith("/"):
static_path += "/"

View File

@ -15,12 +15,16 @@
<h1>Submit signing request</h1>
<p>Request submission is allowed from: {% for i in authority.request_whitelist %}{{ i }} {% endfor %}</p>
<p>Autosign is allowed from: {% for i in authority.autosign_whitelist %}{{ i }} {% endfor %}</p>
<p>Hi, {{user}}</p>
<p>Request submission is allowed from: {% if ca.request_subnets %}{% for i in ca.request_subnets %}{{ i }} {% endfor %}{% else %}anywhere{% endif %}</p>
<p>Autosign is allowed from: {% if ca.autosign_subnets %}{% for i in ca.autosign_subnets %}{{ i }} {% endfor %}{% else %}nowhere{% endif %}</p>
<p>Authority administration is allowed from: {% if ca.admin_subnets %}{% for i in ca.admin_subnets %}{{ i }} {% endfor %}{% else %}anywhere{% endif %}
<p>Authority administration allowed for: {% for i in ca.admin_users %}{{ i }} {% endfor %}</p>
<h2>IPsec gateway on OpenWrt</h2>
{% set s = authority.certificate.subject %}
{% set s = ca.certificate.subject %}
<pre>
opkg update
@ -70,15 +74,15 @@ certidude setup openvpn client {{request.url}}
<h1>Pending requests</h1>
<ul>
{% for j in authority.get_requests() %}
{% for j in ca.get_requests() %}
<li>
<a class="button" href="/api/{{authority.slug}}/request/{{j.common_name}}/">Fetch</a>
<a class="button" href="/api/{{ca.slug}}/request/{{j.common_name}}/">Fetch</a>
{% if j.signable %}
<button onClick="javascript:$.ajax({url:'/api/{{authority.slug}}/request/{{j.common_name}}/',type:'patch'});">Sign</button>
<button onClick="javascript:$.ajax({url:'/api/{{ca.slug}}/request/{{j.common_name}}/',type:'patch'});">Sign</button>
{% else %}
<button title="Please use certidude command-line utility to sign unusual requests" disabled>Sign</button>
{% endif %}
<button onClick="javascript:$.ajax({url:'/api/{{authority.slug}}/request/{{j.common_name}}/',type:'delete'});">Delete</button>
<button onClick="javascript:$.ajax({url:'/api/{{ca.slug}}/request/{{j.common_name}}/',type:'delete'});">Delete</button>
<div class="monospace">
@ -124,10 +128,10 @@ curl -f {{request.url}}/signed/$CN > $CN.crt
</pre>
<ul>
{% for j in authority.get_signed() | sort | reverse %}
{% for j in ca.get_signed() | sort | reverse %}
<li>
<a class="button" href="/api/{{authority.slug}}/signed/{{j.subject.CN}}/">Fetch</a>
<button onClick="javascript:$.ajax({url:'/api/{{authority.slug}}/signed/{{j.subject.CN}}/',type:'delete'});">Revoke</button>
<a class="button" href="/api/{{ca.slug}}/signed/{{j.subject.CN}}/">Fetch</a>
<button onClick="javascript:$.ajax({url:'/api/{{ca.slug}}/signed/{{j.subject.CN}}/',type:'delete'});">Revoke</button>
<div class="monospace">
{% include 'iconmonstr-certificate-15-icon.svg' %}
@ -172,7 +176,7 @@ openssl ocsp -issuer ca.pem -CAfile ca.pem -url {{request.url}}/ocsp/ -serial 0x
</pre>
-->
<ul>
{% for j in authority.get_revoked() %}
{% for j in ca.get_revoked() %}
<li>
{{j.changed}}
{{j.serial_number}} <span class="monospace">{{j.distinguished_name}}</span>

View File

@ -17,8 +17,12 @@ emailAddress = {{email_address}}
{% endif %}
x509_extensions = {{slug}}_cert
policy = poliy_{{slug}}
request_whitelist =
autosign_whitelist = 127.0.0.0/8
# Certidude specific stuff, TODO: move to separate section?
request_subnets = 10.0.0.0/8 192.168.0.0/16 172.168.0.0/16
autosign_subnets = 127.0.0.0/8
admin_subnets = 127.0.0.0/8
admin_users =
inbox = {{inbox}}
outbox = {{outbox}}

View File

@ -15,11 +15,11 @@ conn %default
conn home
auto={{auto}}
type=tunnel
left=%defaultroute # Use IP of default route for listening
leftsourceip=%config # Accept server suggested virtual IP as inner address for tunnel
leftcert={{certificate_path}} # Client certificate
leftid={{common_name}} # Client certificate identifier
leftfirewall=yes
leftfirewall=yes # Local machine may be behind NAT
right={{remote}} # Gateway IP address
rightid=%any # Allow any common name
rightsubnet=0.0.0.0/0 # Accept all subnets suggested by server

View File

@ -15,6 +15,7 @@ conn %default
conn rw
auto=add
right=%any # Allow connecting from any IP address
rightsourceip={{subnet}} # Serve virtual IP-s from this pool
left={{local}} # Gateway IP address
leftcert={{certificate_path}} # Gateway certificate
leftfirewall=yes

View File

@ -11,13 +11,14 @@ module = certidude.wsgi
callable = app
chmod-socket = 660
chown-socket = {{username}}:www-data
buffer-size = 32768
{% if push_server %}
env = CERTIDUDE_EVENT_PUBLISH={{push_server}}/publish/%(channel)s
env = CERTIDUDE_EVENT_SUBSCRIBE={{push_server}}/subscribe/%(channel)s
env = PUSH_PUBLISH={{push_server}}/publish/%(channel)s
env = PUSH_SUBSCRIBE={{push_server}}/subscribe/%(channel)s
{% else %}
env = CERTIDUDE_EVENT_PUBLISH=http://localhost/event/publish/%(channel)s
env = CERTIDUDE_EVENT_SUBSCRIBE=http://localhost/event/subscribe/%(channel)s
env = PUSH_PUBLISH=http://localhost/event/publish/%(channel)s
env = PUSH_SUBSCRIBE=http://localhost/event/subscribe/%(channel)s
{% endif %}
env = LANG=C.UTF-8
env = LC_ALL=C.UTF-8
env = KRB5_KTNAME={{kerberos_keytab}}

View File

@ -27,7 +27,7 @@ def notify(func):
def wrapped(instance, csr, *args, **kwargs):
cert = func(instance, csr, *args, **kwargs)
assert isinstance(cert, Certificate), "notify wrapped function %s returned %s" % (func, type(cert))
url_template = os.getenv("CERTIDUDE_EVENT_PUBLISH")
url_template = os.getenv("PUSH_PUBLISH")
if url_template:
url = url_template % dict(channel=csr.fingerprint())
notification = urllib.request.Request(url, cert.dump().encode("ascii"))
@ -79,7 +79,7 @@ class CertificateAuthorityConfig(object):
section = "CA_" + slug
dirs = dict([(key, self.get(section, key))
for key in ("dir", "certificate", "crl", "certs", "new_certs_dir", "private_key", "revoked_certs_dir", "request_whitelist", "autosign_whitelist")])
for key in ("dir", "certificate", "crl", "certs", "new_certs_dir", "private_key", "revoked_certs_dir", "request_subnets", "autosign_subnets", "admin_subnets", "admin_users")])
# Variable expansion, eg $dir
for key, value in dirs.items():
@ -391,8 +391,7 @@ class Certificate(CertificateBase):
return self.signed <= other.signed
class CertificateAuthority(object):
def __init__(self, slug, certificate, crl, certs, new_certs_dir, revoked_certs_dir=None, private_key=None, autosign=False, autosign_whitelist=None, request_whitelist=None, email_address=None, inbox=None, outbox=None, basic_constraints="CA:FALSE", key_usage="digitalSignature,keyEncipherment", extended_key_usage="clientAuth", certificate_lifetime=5*365, revocation_list_lifetime=1):
def __init__(self, slug, certificate, crl, certs, new_certs_dir, revoked_certs_dir=None, private_key=None, autosign_subnets=None, request_subnets=None, admin_subnets=None, admin_users=None, email_address=None, inbox=None, outbox=None, basic_constraints="CA:FALSE", key_usage="digitalSignature,keyEncipherment", extended_key_usage="clientAuth", certificate_lifetime=5*365, revocation_list_lifetime=1):
self.slug = slug
self.revocation_list = crl
self.signed_dir = certs
@ -400,8 +399,9 @@ class CertificateAuthority(object):
self.revoked_dir = revoked_certs_dir
self.private_key = private_key
self.autosign_whitelist = set([ipaddress.ip_network(j) for j in autosign_whitelist.split(" ") if j])
self.request_whitelist = set([ipaddress.ip_network(j) for j in request_whitelist.split(" ") if j]).union(self.autosign_whitelist)
self.admin_subnets = set([ipaddress.ip_network(j) for j in admin_subnets.split(" ") if j])
self.autosign_subnets = set([ipaddress.ip_network(j) for j in autosign_subnets.split(" ") if j])
self.request_subnets = set([ipaddress.ip_network(j) for j in request_subnets.split(" ") if j]).union(self.autosign_subnets)
self.certificate = Certificate(open(certificate))
self.mailer = Mailer(outbox) if outbox else None
@ -411,6 +411,18 @@ class CertificateAuthority(object):
self.key_usage = key_usage
self.extended_key_usage = extended_key_usage
self.admin_emails = dict()
self.admin_users = set()
if admin_users:
if admin_users.startswith("/"):
for user in open(admin_users):
if ":" in user:
user, email, first_name, last_name = user.split(":")
self.admin_emails[user] = email
self.admin_users.add(user)
else:
self.admin_users = set([j for j in admin_users.split(" ") if j])
def _signer_exec(self, cmd, *bits):
sock = self.connect_signer()
sock.send(cmd.encode("ascii"))

View File

@ -13,8 +13,8 @@ from certidude.api import CertificateAuthorityResource, \
config = CertificateAuthorityConfig("/etc/ssl/openssl.cnf")
assert os.getenv("CERTIDUDE_EVENT_SUBSCRIBE"), "Please set CERTIDUDE_EVENT_SUBSCRIBE to your web server's subscription URL"
assert os.getenv("CERTIDUDE_EVENT_PUBLISH"), "Please set CERTIDUDE_EVENT_PUBLISH to your web server's publishing URL"
assert os.getenv("PUSH_SUBSCRIBE"), "Please set PUSH_SUBSCRIBE to your web server's subscription URL"
assert os.getenv("PUSH_PUBLISH"), "Please set PUSH_PUBLISH to your web server's publishing URL"
app = falcon.API()
app.add_route("/api/{ca}/ocsp/", CertificateStatusResource(config))

View File

@ -27,7 +27,8 @@ setup(
"humanize",
"pycrypto",
"cryptography",
"markupsafe"
"markupsafe",
"ldap3"
],
scripts=[
"misc/certidude"