Use init/openvpn method by default for now
This commit is contained in:
parent
3332c36629
commit
5d798cfec9
@ -9,12 +9,15 @@ RUN echo "Dpkg::Use-Pty=0;" > /etc/apt/apt.conf.d/99quieter
|
||||
|
||||
RUN apt-get update -qq
|
||||
RUN apt-get install -y -qq \
|
||||
python3-pip
|
||||
python3-pip \
|
||||
openvpn
|
||||
|
||||
COPY entrypoint.sh /entrypoint.sh
|
||||
COPY pinecrypt/client/. /src/pinecrypt/client
|
||||
COPY setup.py /src/
|
||||
COPY README.md /src/
|
||||
COPY misc/ /src/misc/
|
||||
WORKDIR /src
|
||||
RUN pip3 install .
|
||||
|
||||
RUN echo "#!/bin/sh" > /usr/bin/chcon
|
||||
RUN chmod +x /usr/bin/chcon
|
||||
|
5
entrypoint.sh
Executable file
5
entrypoint.sh
Executable file
@ -0,0 +1,5 @@
|
||||
#!/bin/sh
|
||||
$@
|
||||
AUTHORITY=$3
|
||||
cat /etc/openvpn/$AUTHORITY.conf
|
||||
openvpn --config /etc/openvpn/$AUTHORITY.conf
|
@ -3,6 +3,7 @@
|
||||
import click
|
||||
import hashlib
|
||||
import logging
|
||||
import json
|
||||
import os
|
||||
import random
|
||||
import re
|
||||
@ -78,22 +79,18 @@ def certidude_provision(authority):
|
||||
@click.command("enroll", help="Run processes for requesting certificates and configuring services")
|
||||
@click.option("-k", "--kerberos", default=False, is_flag=True, help="Offer system keytab for auth")
|
||||
@click.option("-f", "--fork", default=False, is_flag=True, help="Fork to background")
|
||||
@click.option("-nw", "--no-wait", default=False, is_flag=True, help="Return immideately if server doesn't autosign")
|
||||
@click.option("-nw", "--no-wait", default=False, is_flag=True, help="Return immediately if server doesn't autosign")
|
||||
def certidude_enroll(fork, no_wait, kerberos):
|
||||
try:
|
||||
os.makedirs(const.RUN_DIR)
|
||||
except FileExistsError:
|
||||
pass
|
||||
|
||||
context = globals()
|
||||
context.update(locals())
|
||||
|
||||
if not os.path.exists(const.CLIENT_CONFIG_PATH):
|
||||
click.echo("Client not configured, so not going to enroll")
|
||||
return
|
||||
|
||||
clients = ConfigTreeParser(const.CLIENT_CONFIG_PATH)
|
||||
service_config = ConfigTreeParser(const.SERVICES_CONFIG_PATH)
|
||||
|
||||
for authority_name in clients.sections():
|
||||
try:
|
||||
@ -172,34 +169,28 @@ def certidude_enroll(fork, no_wait, kerberos):
|
||||
authority_public_key = asymmetric.load_public_key(
|
||||
authority_certificate["tbs_certificate"]["subject_public_key_info"])
|
||||
|
||||
|
||||
|
||||
# Attempt to install CA certificates system wide
|
||||
try:
|
||||
authority_system_wide = clients.getboolean(authority_name, "system wide")
|
||||
config_path = clients.get(authority_name, "config path")
|
||||
except NoOptionError:
|
||||
authority_system_wide = False
|
||||
config_path = "/etc/certidude/authority/%s/config.json" % authority_name
|
||||
finally:
|
||||
if authority_system_wide:
|
||||
# Firefox, Chromium, wget, curl on Fedora
|
||||
# Note that if ~/.pki/nssdb has been customized before, curl breaks
|
||||
if os.path.exists("/usr/bin/update-ca-trust"):
|
||||
link_path = "/etc/pki/ca-trust/source/anchors/%s" % authority_name
|
||||
if not os.path.lexists(link_path):
|
||||
os.symlink(authority_path, link_path)
|
||||
os.system("update-ca-trust")
|
||||
if os.path.exists(config_path):
|
||||
click.echo("Found config in: %s" % config_path)
|
||||
with open(config_path) as fh:
|
||||
bootstrap = json.loads(fh.read())
|
||||
else:
|
||||
bootstrap_url = "http://%s/api/bootstrap/" % authority_name
|
||||
click.echo("Attempting to bootstrap connection from %s" % bootstrap_url)
|
||||
r = requests.get(bootstrap_url)
|
||||
if r.status_code != 200:
|
||||
raise ValueError("Bootstrap API endpoint returned %s" % r.content)
|
||||
bootstrap = r.json()
|
||||
|
||||
# curl on Fedora ?
|
||||
# pip
|
||||
|
||||
# Firefox (?) on Debian, Ubuntu
|
||||
if os.path.exists("/usr/bin/update-ca-certificates") or os.path.exists("/usr/sbin/update-ca-certificates"):
|
||||
link_path = "/usr/local/share/ca-certificates/%s" % authority_name
|
||||
if not os.path.lexists(link_path):
|
||||
os.symlink(authority_path, link_path)
|
||||
os.system("update-ca-certificates")
|
||||
|
||||
# TODO: test for curl, wget
|
||||
config_partial = config_path + ".part"
|
||||
with open(config_partial, "wb") as oh:
|
||||
oh.write(r.content)
|
||||
click.echo("Writing configuration to: %s" % config_path)
|
||||
os.rename(config_partial, config_path)
|
||||
|
||||
try:
|
||||
common_name = clients.get(authority_name, "common name")
|
||||
@ -326,7 +317,7 @@ def certidude_enroll(fork, no_wait, kerberos):
|
||||
if submission.status_code == requests.codes.ok:
|
||||
pass
|
||||
if submission.status_code == requests.codes.accepted:
|
||||
click.echo("Server accepted the request, but refused to sign immideately (%s). Waiting was not requested, hence quitting for now" % submission.text)
|
||||
click.echo("Server accepted the request, but refused to sign immediately (%s). Waiting was not requested, hence quitting for now" % submission.text)
|
||||
os.unlink(pid_path)
|
||||
continue
|
||||
if submission.status_code == requests.codes.conflict:
|
||||
@ -367,9 +358,8 @@ def certidude_enroll(fork, no_wait, kerberos):
|
||||
### Configure related services ###
|
||||
##################################
|
||||
|
||||
for endpoint in service_config.sections():
|
||||
if service_config.get(endpoint, "authority") != authority_name:
|
||||
continue
|
||||
endpoint = authority_name
|
||||
method = "init/openvpn"
|
||||
|
||||
click.echo("Configuring '%s'" % endpoint)
|
||||
csummer = hashlib.sha1()
|
||||
@ -377,28 +367,42 @@ def certidude_enroll(fork, no_wait, kerberos):
|
||||
csum = csummer.hexdigest()
|
||||
uuid = csum[:8] + "-" + csum[8:12] + "-" + csum[12:16] + "-" + csum[16:20] + "-" + csum[20:32]
|
||||
|
||||
# Intranet HTTPS handled by PKCS#12 bundle generation,
|
||||
# so it will not be implemented here
|
||||
|
||||
# OpenVPN set up with initscripts
|
||||
if service_config.get(endpoint, "service") == "init/openvpn":
|
||||
if os.path.exists("/etc/openvpn/%s.disabled" % endpoint) and not os.path.exists("/etc/openvpn/%s.conf" % endpoint):
|
||||
os.rename("/etc/openvpn/%s.disabled" % endpoint, "/etc/openvpn/%s.conf" % endpoint)
|
||||
if method == "init/openvpn":
|
||||
openvpn_config_path = "/etc/openvpn/%s.conf" % endpoint
|
||||
print(bootstrap)
|
||||
with open(openvpn_config_path + ".part", "w") as fh:
|
||||
fh.write("client\n")
|
||||
fh.write("nobind\n")
|
||||
fh.write("remote %s 1194 udp\n" % endpoint)
|
||||
fh.write("tls-version-min 1.2\n")
|
||||
fh.write("tls-cipher %s\n" % bootstrap["openvpn"]["tls_cipher"])
|
||||
fh.write("cipher %s\n" % bootstrap["openvpn"]["cipher"])
|
||||
fh.write("auth %s\n" % bootstrap["openvpn"]["auth"])
|
||||
fh.write("mute-replay-warnings\n")
|
||||
fh.write("reneg-sec 0\n")
|
||||
fh.write("remote-cert-tls server\n")
|
||||
fh.write("dev tun\n")
|
||||
fh.write("persist-tun\n")
|
||||
fh.write("persist-key\n")
|
||||
fh.write("ca %s\n" % authority_path)
|
||||
fh.write("key %s\n" % key_path)
|
||||
fh.write("cert %s\n" % certificate_path)
|
||||
os.rename(openvpn_config_path + ".part", openvpn_config_path)
|
||||
if os.path.exists("/bin/systemctl"):
|
||||
click.echo("Re-running systemd generators for OpenVPN...")
|
||||
os.system("systemctl daemon-reload")
|
||||
if not os.path.exists("/etc/systemd/system/openvpn-reconnect.service"):
|
||||
with open("/etc/systemd/system/openvpn-reconnect.service.part", "w") as fh:
|
||||
fh.write(env.get_template("client/openvpn-reconnect.service").render(context))
|
||||
os.rename("/etc/systemd/system/openvpn-reconnect.service.part",
|
||||
"/etc/systemd/system/openvpn-reconnect.service")
|
||||
click.echo("Created /etc/systemd/system/openvpn-reconnect.service")
|
||||
click.echo("Starting OpenVPN...")
|
||||
os.system("service openvpn start")
|
||||
# if not os.path.exists("/etc/systemd/system/openvpn-reconnect.service"):
|
||||
# with open("/etc/systemd/system/openvpn-reconnect.service.part", "w") as fh:
|
||||
# fh.write(env.get_template("client/openvpn-reconnect.service").render(context))
|
||||
# os.rename("/etc/systemd/system/openvpn-reconnect.service.part",
|
||||
# "/etc/systemd/system/openvpn-reconnect.service")
|
||||
# click.echo("Created /etc/systemd/system/openvpn-reconnect.service")
|
||||
os.system("systemctl restart openvpn")
|
||||
continue
|
||||
|
||||
# IPSec set up with initscripts
|
||||
if service_config.get(endpoint, "service") == "init/strongswan":
|
||||
if method == "init/strongswan":
|
||||
config = loads(open("%s/ipsec.conf" % const.STRONGSWAN_PREFIX).read())
|
||||
for section_type, section_name in config:
|
||||
# Identify correct ipsec.conf section by leftcert
|
||||
@ -439,7 +443,7 @@ def certidude_enroll(fork, no_wait, kerberos):
|
||||
continue
|
||||
|
||||
# OpenVPN set up with NetworkManager
|
||||
if service_config.get(endpoint, "service") == "network-manager/openvpn":
|
||||
if method == "network-manager/openvpn":
|
||||
# NetworkManager-strongswan-gnome
|
||||
nm_config_path = os.path.join("/etc/NetworkManager/system-connections", endpoint)
|
||||
if os.path.exists(nm_config_path):
|
||||
@ -496,7 +500,7 @@ def certidude_enroll(fork, no_wait, kerberos):
|
||||
|
||||
|
||||
# IPSec set up with NetworkManager
|
||||
if service_config.get(endpoint, "service") == "network-manager/strongswan":
|
||||
if method == "network-manager/strongswan":
|
||||
client_config = ConfigParser()
|
||||
nm_config = ConfigParser()
|
||||
nm_config.add_section("connection")
|
||||
@ -538,7 +542,6 @@ def certidude_enroll(fork, no_wait, kerberos):
|
||||
os.system("nmcli con reload")
|
||||
continue
|
||||
|
||||
# TODO: Puppet, OpenLDAP, <insert awesomeness here>
|
||||
click.echo("Unknown service: %s" % service_config.get(endpoint, "service"))
|
||||
os.unlink(pid_path)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user