
Merge branch 'master' of github.com:laurivosandi/certidude

This commit is contained in:
Lauri Võsandi 2017-04-07 10:57:38 +03:00
commit e68829732d
11 changed files with 42 additions and 22 deletions


@ -16,7 +16,7 @@ from certidude.decorators import serialize, event_source, csrf_protection
from cryptography.x509.oid import NameOID from cryptography.x509.oid import NameOID
from certidude import const, config from certidude import const, config
logger = logging.getLogger("api") logger = logging.getLogger(__name__)
class CertificateStatusResource(object): class CertificateStatusResource(object):
""" """


@ -7,7 +7,7 @@ from datetime import datetime
from certidude import config, authority from certidude import config, authority
from certidude.decorators import serialize from certidude.decorators import serialize
logger = logging.getLogger("api") logger = logging.getLogger(__name__)
class AttributeResource(object): class AttributeResource(object):
@serialize @serialize


@ -3,7 +3,7 @@ import hashlib
from certidude import config, authority from certidude import config, authority
from certidude.auth import login_required from certidude.auth import login_required
logger = logging.getLogger("api") logger = logging.getLogger(__name__)
KEYWORDS = ( KEYWORDS = (
(u"Android", u"android"), (u"Android", u"android"),


@ -9,8 +9,7 @@ from certidude.decorators import serialize
from certidude.relational import RelationalMixin from certidude.relational import RelationalMixin
from jinja2 import Environment, FileSystemLoader from jinja2 import Environment, FileSystemLoader
logger = logging.getLogger("api") logger = logging.getLogger(__name__)
env = Environment(loader=FileSystemLoader("/etc/certidude/scripts"), trim_blocks=True) env = Environment(loader=FileSystemLoader("/etc/certidude/scripts"), trim_blocks=True)
SQL_SELECT_INHERITED = """ SQL_SELECT_INHERITED = """


@ -1,5 +1,6 @@
import click import click
import logging
import xattr import xattr
from datetime import datetime from datetime import datetime
from pyasn1.codec.der import decoder from pyasn1.codec.der import decoder
@ -7,6 +8,8 @@ from certidude import config, authority, push
from certidude.auth import login_required, authorize_admin from certidude.auth import login_required, authorize_admin
from certidude.decorators import serialize from certidude.decorators import serialize
logger = logging.getLogger(__name__)
# TODO: lease namespacing (?) # TODO: lease namespacing (?)
class LeaseDetailResource(object): class LeaseDetailResource(object):


@ -19,7 +19,7 @@ from cryptography.exceptions import InvalidSignature
from cryptography.x509.oid import NameOID from cryptography.x509.oid import NameOID
from datetime import datetime from datetime import datetime
logger = logging.getLogger("api") logger = logging.getLogger(__name__)
class RequestListResource(object): class RequestListResource(object):
@login_optional @login_optional


@ -9,7 +9,7 @@ from cryptography import x509
from cryptography.hazmat.backends import default_backend from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.serialization import Encoding from cryptography.hazmat.primitives.serialization import Encoding
logger = logging.getLogger("api") logger = logging.getLogger(__name__)
class RevocationListResource(object): class RevocationListResource(object):
def on_get(self, req, resp): def on_get(self, req, resp):


@ -7,7 +7,7 @@ from certidude import authority
from certidude.auth import login_required, authorize_admin from certidude.auth import login_required, authorize_admin
from certidude.decorators import csrf_protection from certidude.decorators import csrf_protection
logger = logging.getLogger("api") logger = logging.getLogger(__name__)
class SignedCertificateDetailResource(object): class SignedCertificateDetailResource(object):
def on_get(self, req, resp, cn): def on_get(self, req, resp, cn):


@ -5,7 +5,7 @@ from certidude import authority, push
from certidude.auth import login_required, authorize_admin from certidude.auth import login_required, authorize_admin
from certidude.decorators import serialize, csrf_protection from certidude.decorators import serialize, csrf_protection
logger = logging.getLogger("api") logger = logging.getLogger(__name__)
class TagResource(object): class TagResource(object):
@serialize @serialize


@ -29,6 +29,7 @@ from jinja2 import Environment, PackageLoader
from setproctitle import setproctitle from setproctitle import setproctitle
import const import const
logger = logging.getLogger(__name__)
env = Environment(loader=PackageLoader("certidude", "templates"), trim_blocks=True) env = Environment(loader=PackageLoader("certidude", "templates"), trim_blocks=True)
# http://www.mad-hacking.net/documentation/linux/security/ssl-tls/creating-ca.xml # http://www.mad-hacking.net/documentation/linux/security/ssl-tls/creating-ca.xml
@ -863,7 +864,10 @@ def certidude_setup_authority(username, kerberos_keytab, nginx_config, country,
).not_valid_before(datetime.utcnow() ).not_valid_before(datetime.utcnow()
).not_valid_after( ).not_valid_after(
datetime.utcnow() + timedelta(days=authority_lifetime) datetime.utcnow() + timedelta(days=authority_lifetime)
).serial_number(1 ).serial_number(
random.randint(
0x100000000000000000000000000000000000000,
0xfffffffffffffffffffffffffffffffffffffff)
).add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True, ).add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True,
).add_extension(x509.KeyUsage( ).add_extension(x509.KeyUsage(
digital_signature=server_flags, digital_signature=server_flags,
@ -956,7 +960,6 @@ def certidude_list(verbose, show_key_type, show_extensions, show_path, show_sign
# r - revoked # r - revoked
from certidude import authority from certidude import authority
from pycountry import countries
def dump_common(common_name, path, cert): def dump_common(common_name, path, cert):
click.echo("certidude revoke %s" % common_name) click.echo("certidude revoke %s" % common_name)
@ -980,7 +983,7 @@ def certidude_list(verbose, show_key_type, show_extensions, show_path, show_sign
click.echo("=" * len(common_name)) click.echo("=" * len(common_name))
click.echo("State: ? " + click.style("submitted", fg="yellow") + " " + naturaltime(created) + click.style(", %s" %created, fg="white")) click.echo("State: ? " + click.style("submitted", fg="yellow") + " " + naturaltime(created) + click.style(", %s" %created, fg="white"))
click.echo("openssl req -in %s -text -noout" % path) click.echo("openssl req -in %s -text -noout" % path)
dump_common(common_name, path, cert) dump_common(common_name, path, csr)
if show_signed: if show_signed:
@ -1061,6 +1064,7 @@ def certidude_serve(port, listen, fork):
from certidude import const from certidude import const
click.echo("Using configuration from: %s" % const.CONFIG_PATH) click.echo("Using configuration from: %s" % const.CONFIG_PATH)
log_handlers = []
from certidude import config from certidude import config
@ -1070,6 +1074,11 @@ def certidude_serve(port, listen, fork):
_, _, uid, gid, gecos, root, shell = pwd.getpwnam("certidude") _, _, uid, gid, gecos, root, shell = pwd.getpwnam("certidude")
restricted_groups = [] restricted_groups = []
restricted_groups.append(gid) restricted_groups.append(gid)
from logging.handlers import RotatingFileHandler
rh = RotatingFileHandler("/var/log/certidude.log", maxBytes=1048576*5, backupCount=5)
rh.setFormatter(logging.Formatter("%(asctime)s - %(name)s - %(levelname)s - %(message)s"))
log_handlers.append(rh)
""" """
Spawn signer process Spawn signer process
@ -1168,8 +1177,6 @@ def certidude_serve(port, listen, fork):
# Set up log handlers # Set up log handlers
log_handlers = []
if config.LOGGING_BACKEND == "sql": if config.LOGGING_BACKEND == "sql":
from certidude.mysqllog import LogHandler from certidude.mysqllog import LogHandler
from certidude.api.log import LogResource from certidude.api.log import LogResource
@ -1187,18 +1194,19 @@ def certidude_serve(port, listen, fork):
from certidude.push import EventSourceLogHandler from certidude.push import EventSourceLogHandler
log_handlers.append(EventSourceLogHandler()) log_handlers.append(EventSourceLogHandler())
for facility in "api", "cli": for j in logging.Logger.manager.loggerDict.values():
logger = logging.getLogger(facility) if isinstance(j, logging.Logger): # PlaceHolder is what?
logger.setLevel(logging.DEBUG) if j.name.startswith("certidude."):
j.setLevel(logging.DEBUG)
for handler in log_handlers: for handler in log_handlers:
logger.addHandler(handler) j.addHandler(handler)
def exit_handler(): def exit_handler():
logging.getLogger("cli").debug("Shutting down Certidude") logger.debug("Shutting down Certidude")
import atexit import atexit
atexit.register(exit_handler) atexit.register(exit_handler)
logging.getLogger("cli").debug("Started Certidude at %s", const.FQDN) logger.debug("Started Certidude at %s", const.FQDN)
if not fork or not os.fork(): if not fork or not os.fork():
httpd.serve_forever() httpd.serve_forever()
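Review bot: The CA serial number in the `.serial_number(random.randint(...))` call is drawn from the `random` module, a deterministic Mersenne Twister rather than a cryptographic source; the point of a large random serial is to make the signed portion of the certificate unpredictable to a requester, so the value should come from the OS entropy pool, e.g. `random.SystemRandom().randint(0x100000000000000000000000000000000000000, 0xfffffffffffffffffffffffffffffffffffffff)`. If the installed cryptography release provides it, `x509.random_serial_number()` does the same and also keeps within RFC 5280's 20-octet serial limit. Naming the two bounds as module-level constants would make the range reviewable in one place, since the test added in this commit repeats the same literals. The enclosing `certidude_setup_authority` starts and ends outside the hunk.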


@ -13,7 +13,8 @@ def test_cli_setup_authority():
from certidude import const, config from certidude import const, config
from certidude import authority from certidude import authority
assert authority.ca_cert.serial_number == 1 assert authority.ca_cert.serial_number >= 0x100000000000000000000000000000000000000
assert authority.ca_cert.serial_number <= 0xfffffffffffffffffffffffffffffffffffffff
assert authority.ca_cert.not_valid_before < datetime.now() assert authority.ca_cert.not_valid_before < datetime.now()
assert authority.ca_cert.not_valid_after > datetime.now() + timedelta(days=7000) assert authority.ca_cert.not_valid_after > datetime.now() + timedelta(days=7000)
@ -36,6 +37,9 @@ def test_cli_setup_authority():
authority.store_request( authority.store_request(
csr.sign(key, hashes.SHA256(), default_backend()).public_bytes(serialization.Encoding.PEM)) csr.sign(key, hashes.SHA256(), default_backend()).public_bytes(serialization.Encoding.PEM))
result = runner.invoke(cli, ['list', '-srv'])
assert not result.exception
result = runner.invoke(cli, ['sign', 'test', '-o']) result = runner.invoke(cli, ['sign', 'test', '-o'])
assert not result.exception assert not result.exception
@ -44,3 +48,9 @@ def test_cli_setup_authority():
authority.generate_ovpn_bundle(u"test2") authority.generate_ovpn_bundle(u"test2")
authority.generate_pkcs12_bundle(u"test3") authority.generate_pkcs12_bundle(u"test3")
result = runner.invoke(cli, ['list', '-srv'])
assert not result.exception
result = runner.invoke(cli, ['cron'])
assert not result.exception