97 lines
4.3 KiB
Python
97 lines
4.3 KiB
Python
|
|
import click
|
|
import codecs
|
|
import configparser
|
|
import ipaddress
|
|
import os
|
|
import string
|
|
import const
|
|
from random import choice
|
|
|
|
# Options that are parsed from config file are fetched here
|
|
|
|
cp = configparser.RawConfigParser()
|
|
cp.readfp(codecs.open(const.CONFIG_PATH, "r", "utf8"))
|
|
|
|
AUTHENTICATION_BACKENDS = set([j for j in
|
|
cp.get("authentication", "backends").split(" ") if j]) # kerberos, pam, ldap
|
|
AUTHORIZATION_BACKEND = cp.get("authorization", "backend") # whitelist, ldap, posix
|
|
ACCOUNTS_BACKEND = cp.get("accounts", "backend") # posix, ldap
|
|
|
|
LDAP_AUTHENTICATION_URI = cp.get("authentication", "ldap uri")
|
|
LDAP_GSSAPI_CRED_CACHE = cp.get("accounts", "ldap gssapi credential cache")
|
|
LDAP_ACCOUNTS_URI = cp.get("accounts", "ldap uri")
|
|
LDAP_BASE = cp.get("accounts", "ldap base")
|
|
|
|
USER_SUBNETS = set([ipaddress.ip_network(j) for j in
|
|
cp.get("authorization", "user subnets").split(" ") if j])
|
|
ADMIN_SUBNETS = set([ipaddress.ip_network(j) for j in
|
|
cp.get("authorization", "admin subnets").split(" ") if j]).union(USER_SUBNETS)
|
|
AUTOSIGN_SUBNETS = set([ipaddress.ip_network(j) for j in
|
|
cp.get("authorization", "autosign subnets").split(" ") if j])
|
|
REQUEST_SUBNETS = set([ipaddress.ip_network(j) for j in
|
|
cp.get("authorization", "request subnets").split(" ") if j]).union(AUTOSIGN_SUBNETS)
|
|
|
|
AUTHORITY_DIR = "/var/lib/certidude"
|
|
AUTHORITY_PRIVATE_KEY_PATH = cp.get("authority", "private key path")
|
|
AUTHORITY_CERTIFICATE_PATH = cp.get("authority", "certificate path")
|
|
REQUESTS_DIR = cp.get("authority", "requests dir")
|
|
SIGNED_DIR = cp.get("authority", "signed dir")
|
|
REVOKED_DIR = cp.get("authority", "revoked dir")
|
|
EXPIRED_DIR = cp.get("authority", "expired dir")
|
|
|
|
OUTBOX = cp.get("authority", "outbox uri")
|
|
OUTBOX_NAME = cp.get("authority", "outbox sender name")
|
|
OUTBOX_MAIL = cp.get("authority", "outbox sender address")
|
|
|
|
BUNDLE_FORMAT = cp.get("bundle", "format")
|
|
OPENVPN_PROFILE_TEMPLATE = cp.get("bundle", "openvpn profile template")
|
|
|
|
MACHINE_ENROLLMENT_ALLOWED = {
|
|
"forbidden": False, "allowed": True }[
|
|
cp.get("authority", "machine enrollment")]
|
|
USER_ENROLLMENT_ALLOWED = {
|
|
"forbidden": False, "single allowed": True, "multiple allowed": True }[
|
|
cp.get("authority", "user enrollment")]
|
|
USER_MULTIPLE_CERTIFICATES = {
|
|
"forbidden": False, "single allowed": False, "multiple allowed": True }[
|
|
cp.get("authority", "user enrollment")]
|
|
|
|
REQUEST_SUBMISSION_ALLOWED = cp.getboolean("authority", "request submission allowed")
|
|
CLIENT_CERTIFICATE_LIFETIME = cp.getint("signature", "client certificate lifetime")
|
|
SERVER_CERTIFICATE_LIFETIME = cp.getint("signature", "server certificate lifetime")
|
|
AUTHORITY_CERTIFICATE_URL = cp.get("signature", "authority certificate url")
|
|
CERTIFICATE_CRL_URL = cp.get("signature", "revoked url")
|
|
CERTIFICATE_RENEWAL_ALLOWED = cp.getboolean("signature", "renewal allowed")
|
|
|
|
REVOCATION_LIST_LIFETIME = cp.getint("signature", "revocation list lifetime")
|
|
|
|
EVENT_SOURCE_TOKEN = cp.get("push", "event source token")
|
|
EVENT_SOURCE_PUBLISH = cp.get("push", "event source publish")
|
|
EVENT_SOURCE_SUBSCRIBE = cp.get("push", "event source subscribe")
|
|
LONG_POLL_PUBLISH = cp.get("push", "long poll publish")
|
|
LONG_POLL_SUBSCRIBE = cp.get("push", "long poll subscribe")
|
|
|
|
TAGGING_BACKEND = cp.get("tagging", "backend")
|
|
LOGGING_BACKEND = cp.get("logging", "backend")
|
|
LEASES_BACKEND = cp.get("leases", "backend")
|
|
|
|
OPENVPN_STATUS_URI = cp.get("leases", "openvpn status uri")
|
|
|
|
|
|
if "whitelist" == AUTHORIZATION_BACKEND:
|
|
USERS_WHITELIST = set([j for j in cp.get("authorization", "users whitelist").split(" ") if j])
|
|
ADMINS_WHITELIST = set([j for j in cp.get("authorization", "admins whitelist").split(" ") if j])
|
|
elif "posix" == AUTHORIZATION_BACKEND:
|
|
USERS_GROUP = cp.get("authorization", "posix user group")
|
|
ADMIN_GROUP = cp.get("authorization", "posix admin group")
|
|
elif "ldap" == AUTHORIZATION_BACKEND:
|
|
LDAP_USER_FILTER = cp.get("authorization", "ldap user filter")
|
|
LDAP_ADMIN_FILTER = cp.get("authorization", "ldap admin filter")
|
|
if "%s" not in LDAP_USER_FILTER: raise ValueError("No placeholder %s for username in 'ldap user filter'")
|
|
if "%s" not in LDAP_ADMIN_FILTER: raise ValueError("No placeholder %s for username in 'ldap admin filter'")
|
|
else:
|
|
raise NotImplementedError("Unknown authorization backend '%s'" % AUTHORIZATION_BACKEND)
|
|
|
|
# TODO: Check if we don't have base or servers
|