Disable enable firewall in Dev env

Dns resolving not working in dev env in Docker bridge with firewall enabled.
2021-05-31 22:55:19 +00:00 · 2021-05-31 22:55:19 +00:00 · 52eca76810
parent 3f6604921d
commit 52eca76810
2 changed files with 38 additions and 24 deletions
--- a/pinecrypt/server/cli.py
+++ b/pinecrypt/server/cli.py
@ -30,10 +30,12 @@ from wsgiref.simple_server import make_server
 logger = logging.getLogger(__name__)
 mongolog.register()

+
 def graceful_exit(signal_number, stack_frame):
    print("Received signal %d, exiting now" % signal_number)
    sys.exit(0)

+
 def fqdn_required(func):
    def wrapped(**args):
        common_name = args.get("common_name")
@ -104,7 +106,8 @@ def pinecone_sign(common_name, overwrite, profile):


@click.command("revoke", help="Revoke certificate")
-@click.option("--reason", "-r", default="key_compromise", help="Revocation reason, one of: key_compromise affiliation_changed superseded cessation_of_operation privilege_withdrawn")
+@click.option("--reason", "-r", default="key_compromise",
+    help="Revocation reason, one of: key_compromise affiliation_changed superseded cessation_of_operation privilege_withdrawn")
@click.argument("common_name")
 def pinecone_revoke(common_name, reason):
    from pinecrypt.server import authority
@ -172,16 +175,19 @@ def pinecone_serve_ocsp_responder():
    from pinecrypt.server.api.ocsp import app
    app.run(port=5001, debug=const.DEBUG)

+
@click.command("events")
 def pinecone_serve_events():
    from pinecrypt.server.api.events import app
    app.run(port=8001, debug=const.DEBUG)

+
@click.command("builder")
 def pinecone_serve_builder():
    from pinecrypt.server.api.builder import app
    app.run(port=7001, debug=const.DEBUG)

+
@click.command("provision", help="Provision keys")
 def pinecone_provision():
    default_policy = "REJECT" if const.DEBUG else "DROP"
@ -211,7 +217,6 @@ def pinecone_provision():
    for subnet in const.PROMETHEUS_SUBNETS:
        os.system("ipset add -exist -quiet ipset%d-prometheus-subnets %s" % (subnet.version, subnet))

-
    def g():
        yield "*filter"
        yield ":INBOUND_BLOCKED - [0:0]"
@ -268,18 +273,19 @@ def pinecone_provision():
            fh.write(line)
            fh.write("\n")

-    os.system("iptables-restore < /tmp/rules4")
-    os.system("sed -e 's/ipset4/ipset6/g' -e 's/p icmp/p ipv6-icmp/g' /tmp/rules4 > /tmp/rules6")
-    os.system("ip6tables-restore < /tmp/rules6")
-    os.system("sysctl -w net.ipv6.conf.all.forwarding=1")
-    os.system("sysctl -w net.ipv6.conf.default.forwarding=1")
-    os.system("sysctl -w net.ipv4.ip_forward=1")
+    if not const.DISABLE_FIREWALL:
+        os.system("iptables-restore < /tmp/rules4")
+        os.system("sed -e 's/ipset4/ipset6/g' -e 's/p icmp/p ipv6-icmp/g' /tmp/rules4 > /tmp/rules6")
+        os.system("ip6tables-restore < /tmp/rules6")
+        os.system("sysctl -w net.ipv6.conf.all.forwarding=1")
+        os.system("sysctl -w net.ipv6.conf.default.forwarding=1")
+        os.system("sysctl -w net.ipv4.ip_forward=1")

    if const.REPLICAS:
        click.echo("Provisioning MongoDB replicaset")
        # WTF https://github.com/docker-library/mongo/issues/339
        c = pymongo.MongoClient("localhost", 27017)
-        config ={"_id" : "rs0", "members": [
+        config = {"_id": "rs0", "members": [
            {"_id": index, "host": "%s:27017" % hostname} for index, hostname in enumerate(const.REPLICAS)]}
        print("Provisioning MongoDB replicaset: %s" % repr(config))
        try:
@ -404,7 +410,7 @@ def pinecone_serve_backend():

    token_resource = None
    token_manager = None
-    if const.USER_ENROLLMENT_ALLOWED: # TODO: add token enable/disable flag for config
+    if const.USER_ENROLLMENT_ALLOWED:  # TODO: add token enable/disable flag for config
        token_manager = TokenManager()
        token_resource = TokenResource(token_manager)
        app.add_route("/api/token", token_resource)
@ -442,7 +448,7 @@ def pinecone_token_list():
    cols = "uuid", "expires", "subject", "state"
    now = datetime.utcnow().replace(tzinfo=pytz.UTC)
    for token in token_manager.list(expired=True, used=True):
-        token["state"] = "used" if token.get("used") else ("valid" if token.get("expires") > now  else "expired")
+        token["state"] = "used" if token.get("used") else ("valid" if token.get("expires") > now else "expired")
        print(";".join([str(token.get(col)) for col in cols]))


@ -555,8 +561,8 @@ def pinecone_serve_openvpn(local, proto, client_subnet_slot):

    # For more info see: openvpn --show-tls
    args += "--tls-version-min", config.get("Globals", "OPENVPN_TLS_VERSION_MIN")["value"]
-    args += "--tls-ciphersuites", config.get("Globals", "OPENVPN_TLS_CIPHERSUITES")["value"], # Used by TLS 1.3
-    args += "--tls-cipher", config.get("Globals", "OPENVPN_TLS_CIPHER")["value"], # Used by TLS 1.2
+    args += "--tls-ciphersuites", config.get("Globals", "OPENVPN_TLS_CIPHERSUITES")["value"],  # Used by TLS 1.3
+    args += "--tls-cipher", config.get("Globals", "OPENVPN_TLS_CIPHER")["value"],  # Used by TLS 1.2

    # Data channel encryption parameters
    # TODO: Rename to --data-cipher when OpenVPN 2.5 becomes available
@ -604,7 +610,7 @@ def pinecone_serve_strongswan(client_subnet_slot):

        fh.write("  left=%s\n" % const.AUTHORITY_NAMESPACE)
        fh.write("  leftsendcert=always\n")
-        fh.write("  leftallowany=yes\n") # For load-balancing
+        fh.write("  leftallowany=yes\n")  # For load-balancing
        fh.write("  leftcert=%s\n" % const.SELF_CERT_PATH)
        if const.PUSH_SUBNETS:
            fh.write("  leftsubnet=%s\n" % ",".join([str(j) for j in const.PUSH_SUBNETS]))
@ -626,8 +632,8 @@ def pinecone_serve_strongswan(client_subnet_slot):
        public_key = asymmetric.load_public_key(certificate["tbs_certificate"]["subject_public_key_info"])
    with open("/etc/ipsec.secrets", "w") as fh:
        fh.write(": %s %s\n" % (
-          "ECDSA" if public_key.algorithm == "ec" else "RSA",
-          const.SELF_KEY_PATH
+            "ECDSA" if public_key.algorithm == "ec" else "RSA",
+            const.SELF_KEY_PATH
        ))
    executable = "/usr/sbin/ipsec"
    args = executable, "start", "--nofork"
--- a/pinecrypt/server/const.py
+++ b/pinecrypt/server/const.py
@ -1,4 +1,4 @@
-
+import ldap
 import click
 import os
 import re
@ -9,19 +9,22 @@ from ipaddress import ip_network
 from math import log, ceil

 RE_USERNAME = r"^[a-z][a-z0-9]+$"
-RE_FQDN =  r"^(([a-z0-9]|[a-z0-9][a-z0-9\-_]*[a-z0-9])\.)+([a-z0-9]|[a-z0-9][a-z0-9\-_]*[a-z0-9])?$"
-RE_HOSTNAME =  r"^[a-z0-9]([a-z0-9\-_]{0,61}[a-z0-9])?$"
+RE_FQDN = r"^(([a-z0-9]|[a-z0-9][a-z0-9\-_]*[a-z0-9])\.)+([a-z0-9]|[a-z0-9][a-z0-9\-_]*[a-z0-9])?$"
+RE_HOSTNAME = r"^[a-z0-9]([a-z0-9\-_]{0,61}[a-z0-9])?$"
 RE_COMMON_NAME = r"^[A-Za-z0-9\-\_]+$"

 # Make sure locales don't mess up anything
 assert re.match(RE_USERNAME, "abstuzxy19")

+
 # To be migrated to Mongo or removed
 def parse_tag_types(d):
    r = []
    for j in d.split(","):
        r.append(j.split("/"))
    return r
+
+
 TAG_TYPES = parse_tag_types(os.getenv("TAG_TYPES", "owner/str,location/str,phone/str,other/str"))
 SCRIPT_DIR = ""
 IMAGE_BUILDER_PROFILES = []
@ -57,16 +60,18 @@ except socket.gaierror:

 try:
    HOSTNAME, DOMAIN = FQDN.split(".", 1)
-except ValueError: # If FQDN is not configured
+except ValueError:  # If FQDN is not configured
    click.echo("FQDN not configured: %s" % repr(FQDN))
    sys.exit(255)

+
 def getenv_in(key, default, *vals):
    val = os.getenv(key, default)
    if val not in (default,) + vals:
        raise ValueError("Got %s for %s, expected one of %s" % (repr(val), key, vals))
    return val

+
 # Authority namespace corresponds to DNS entry which represents refers to all replicas
 AUTHORITY_NAMESPACE = os.getenv("AUTHORITY_NAMESPACE", FQDN)
 if FQDN != AUTHORITY_NAMESPACE and not FQDN.endswith(".%s" % AUTHORITY_NAMESPACE):
@ -76,14 +81,14 @@ USER_NAMESPACE = "u.%s" % AUTHORITY_NAMESPACE
 MACHINE_NAMESPACE = "m.%s" % AUTHORITY_NAMESPACE
 AUTHORITY_COMMON_NAME = "Pinecrypt Gateway at %s" % AUTHORITY_NAMESPACE
 AUTHORITY_ORGANIZATION = os.getenv("AUTHORITY_ORGANIZATION")
-AUTHORITY_LIFETIME_DAYS = 20*365
+AUTHORITY_LIFETIME_DAYS = 20 * 365

 # Advertise following IP addresses via DNS record
 ADVERTISE_ADDRESS = os.getenv("ADVERTISE_ADDRESS", "").split(",")
 if not ADVERTISE_ADDRESS:
    ADVERTISE_ADDRESS = set()
-    for fam, _, _, _, addrs in socket.getaddrinfo(const.FQDN, None):
-        if fam in(2, 10):
+    for fam, _, _, _, addrs in socket.getaddrinfo(FQDN, None):
+        if fam in (2, 10):
            ADVERTISE_ADDRESS.add(addrs[0])

 # Mailer settings
@ -125,7 +130,6 @@ LDAP_USER_FILTER = os.getenv("LDAP_USER_FILTER", "(samaccountname=%s)")
 LDAP_ADMIN_FILTER = os.getenv("LDAP_ADMIN_FILTER", "(samaccountname=%s)")
 LDAP_COMPUTER_FILTER = os.getenv("LDAP_COMPUTER_FILTER", "()")

-import ldap
 LDAP_CA_CERT = os.getenv("LDAP_CA_CERT")
 if LDAP_CA_CERT:
    ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, LDAP_CA_CERT)
@ -134,9 +138,11 @@ if os.getenv("LDAP_DEBUG"):
    ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
    ldap.set_option(ldap.OPT_DEBUG_LEVEL, 1)

+
 def getenv_subnets(key, default=""):
    return set([ip_network(j) for j in os.getenv(key, default).replace(",", " ").split(" ") if j])

+
 USER_SUBNETS = getenv_subnets("AUTH_USER_SUBNETS", "0.0.0.0/0 ::/0")
 ADMIN_SUBNETS = getenv_subnets("AUTH_ADMIN_SUBNETS", "0.0.0.0/0 ::/0")
 AUTOSIGN_SUBNETS = getenv_subnets("AUTH_AUTOSIGN_SUBNETS", "")
@ -178,3 +184,5 @@ SESSION_COOKIE = "sha512brownies"
 SESSION_AGE = 3600

 SECRET_STORAGE = getenv_in("SECRET_STORAGE", "fs", "db")
+
+DISABLE_FIREWALL = os.getenv("DISABLE_FIREWALL") == "True" if os.getenv("DISABLE_FIREWALL") else False