Added preliminary Kerberos authentication support

2025-09-12 08:21:03 +00:00 · 2015-08-16 17:21:42 +03:00
parent c5d27e8a76
commit e2f27078d1
12 changed files with 236 additions and 53 deletions
--- a/certidude/templates/index.html
+++ b/certidude/templates/index.html
@@ -15,12 +15,16 @@

 <h1>Submit signing request</h1>

-<p>Request submission is allowed from: {% for i in authority.request_whitelist %}{{ i }} {% endfor %}</p>
-<p>Autosign is allowed from: {% for i in authority.autosign_whitelist %}{{ i }} {% endfor %}</p>
+<p>Hi, {{user}}</p>
+
+<p>Request submission is allowed from: {% if ca.request_subnets %}{% for i in ca.request_subnets %}{{ i }} {% endfor %}{% else %}anywhere{% endif %}</p>
+<p>Autosign is allowed from: {% if ca.autosign_subnets %}{% for i in ca.autosign_subnets %}{{ i }} {% endfor %}{% else %}nowhere{% endif %}</p>
+<p>Authority administration is allowed from: {% if ca.admin_subnets %}{% for i in ca.admin_subnets %}{{ i }} {% endfor %}{% else %}anywhere{% endif %}
+<p>Authority administration allowed for: {% for i in ca.admin_users %}{{ i }} {% endfor %}</p>

 <h2>IPsec gateway on OpenWrt</h2>

-{% set s = authority.certificate.subject %}
+{% set s = ca.certificate.subject %}

 <pre>
 opkg update
@@ -70,15 +74,15 @@ certidude setup openvpn client {{request.url}}
 <h1>Pending requests</h1>

 <ul>
-    {% for j in authority.get_requests() %}
+    {% for j in ca.get_requests() %}
        <li>
-            <a class="button" href="/api/{{authority.slug}}/request/{{j.common_name}}/">Fetch</a>
+            <a class="button" href="/api/{{ca.slug}}/request/{{j.common_name}}/">Fetch</a>
            {% if j.signable %}
-            <button onClick="javascript:$.ajax({url:'/api/{{authority.slug}}/request/{{j.common_name}}/',type:'patch'});">Sign</button>
+            <button onClick="javascript:$.ajax({url:'/api/{{ca.slug}}/request/{{j.common_name}}/',type:'patch'});">Sign</button>
            {% else %}
            <button title="Please use certidude command-line utility to sign unusual requests" disabled>Sign</button>
            {% endif %}
-            <button onClick="javascript:$.ajax({url:'/api/{{authority.slug}}/request/{{j.common_name}}/',type:'delete'});">Delete</button>
+            <button onClick="javascript:$.ajax({url:'/api/{{ca.slug}}/request/{{j.common_name}}/',type:'delete'});">Delete</button>


            <div class="monospace">
@@ -124,10 +128,10 @@ curl -f {{request.url}}/signed/$CN > $CN.crt
 </pre>

 <ul>
-    {% for j in authority.get_signed() | sort | reverse %}
+    {% for j in ca.get_signed() | sort | reverse %}
        <li>
-            <a class="button" href="/api/{{authority.slug}}/signed/{{j.subject.CN}}/">Fetch</a>
-            <button onClick="javascript:$.ajax({url:'/api/{{authority.slug}}/signed/{{j.subject.CN}}/',type:'delete'});">Revoke</button>
+            <a class="button" href="/api/{{ca.slug}}/signed/{{j.subject.CN}}/">Fetch</a>
+            <button onClick="javascript:$.ajax({url:'/api/{{ca.slug}}/signed/{{j.subject.CN}}/',type:'delete'});">Revoke</button>

            <div class="monospace">
            {% include 'iconmonstr-certificate-15-icon.svg' %}
@@ -172,7 +176,7 @@ openssl ocsp -issuer ca.pem -CAfile ca.pem -url {{request.url}}/ocsp/ -serial 0x
 </pre>
 -->
 <ul>
-    {% for j in authority.get_revoked() %}
+    {% for j in ca.get_revoked() %}
        <li>
            {{j.changed}}
            {{j.serial_number}} <span class="monospace">{{j.distinguished_name}}</span>
--- a/certidude/templates/openssl.cnf
+++ b/certidude/templates/openssl.cnf
@@ -17,8 +17,12 @@ emailAddress = {{email_address}}
 {% endif %}
 x509_extensions = {{slug}}_cert
 policy = poliy_{{slug}}
-request_whitelist =
-autosign_whitelist = 127.0.0.0/8
+
+# Certidude specific stuff, TODO: move to separate section?
+request_subnets = 10.0.0.0/8 192.168.0.0/16 172.168.0.0/16
+autosign_subnets = 127.0.0.0/8
+admin_subnets = 127.0.0.0/8
+admin_users =
 inbox = {{inbox}}
 outbox = {{outbox}}

--- a/certidude/templates/strongswan-client-to-site.conf
+++ b/certidude/templates/strongswan-client-to-site.conf
@@ -15,11 +15,11 @@ conn %default

 conn home
 	auto={{auto}}
-    type=tunnel
 	left=%defaultroute # Use IP of default route for listening
+	leftsourceip=%config # Accept server suggested virtual IP as inner address for tunnel
 	leftcert={{certificate_path}} # Client certificate
 	leftid={{common_name}} # Client certificate identifier
-	leftfirewall=yes
+	leftfirewall=yes # Local machine may be behind NAT
 	right={{remote}} # Gateway IP address
 	rightid=%any # Allow any common name
 	rightsubnet=0.0.0.0/0 # Accept all subnets suggested by server
--- a/certidude/templates/strongswan-site-to-client.conf
+++ b/certidude/templates/strongswan-site-to-client.conf
@@ -15,6 +15,7 @@ conn %default
 conn rw
 	auto=add
 	right=%any # Allow connecting from any IP address
+	rightsourceip={{subnet}} # Serve virtual IP-s from this pool
 	left={{local}} # Gateway IP address
 	leftcert={{certificate_path}} # Gateway certificate
 	leftfirewall=yes
--- a/certidude/templates/uwsgi.ini
+++ b/certidude/templates/uwsgi.ini
@@ -11,13 +11,14 @@ module = certidude.wsgi
 callable = app
 chmod-socket = 660
 chown-socket = {{username}}:www-data
+buffer-size = 32768
 {% if push_server %}
-env = CERTIDUDE_EVENT_PUBLISH={{push_server}}/publish/%(channel)s
-env = CERTIDUDE_EVENT_SUBSCRIBE={{push_server}}/subscribe/%(channel)s
+env = PUSH_PUBLISH={{push_server}}/publish/%(channel)s
+env = PUSH_SUBSCRIBE={{push_server}}/subscribe/%(channel)s
 {% else %}
-env = CERTIDUDE_EVENT_PUBLISH=http://localhost/event/publish/%(channel)s
-env = CERTIDUDE_EVENT_SUBSCRIBE=http://localhost/event/subscribe/%(channel)s
+env = PUSH_PUBLISH=http://localhost/event/publish/%(channel)s
+env = PUSH_SUBSCRIBE=http://localhost/event/subscribe/%(channel)s
 {% endif %}
 env = LANG=C.UTF-8
 env = LC_ALL=C.UTF-8
-
+env = KRB5_KTNAME={{kerberos_keytab}}