pinecrypt/pinecrypt-gateway-backend
2
1
Fork 0
Code Issues 10 Pull Requests Projects Activity

Disable enable firewall in Dev env

Browse Source 
Dns resolving not working in dev env in Docker bridge with firewall enabled.
This commit is contained in:
Marvin Martinson 2021-05-31 22:55:19 +00:00
parent 3f6604921d
commit 52eca76810
2 changed files with 38 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
pinecrypt/server/cli.py
View File

@ -30,10 +30,12 @@ from wsgiref.simple_server import make_server
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
mongolog.register() mongolog.register()
def graceful_exit(signal_number, stack_frame): def graceful_exit(signal_number, stack_frame):
print("Received signal %d, exiting now" % signal_number) print("Received signal %d, exiting now" % signal_number)
sys.exit(0) sys.exit(0)
def fqdn_required(func): def fqdn_required(func):
def wrapped(**args): def wrapped(**args):
common_name = args.get("common_name") common_name = args.get("common_name")
@ -104,7 +106,8 @@ def pinecone_sign(common_name, overwrite, profile):
@click.command("revoke", help="Revoke certificate") @click.command("revoke", help="Revoke certificate")
@click.option("--reason", "-r", default="key_compromise", help="Revocation reason, one of: key_compromise affiliation_changed superseded cessation_of_operation privilege_withdrawn") @click.option("--reason", "-r", default="key_compromise",
help="Revocation reason, one of: key_compromise affiliation_changed superseded cessation_of_operation privilege_withdrawn")
@click.argument("common_name") @click.argument("common_name")
def pinecone_revoke(common_name, reason): def pinecone_revoke(common_name, reason):
from pinecrypt.server import authority from pinecrypt.server import authority
@ -172,16 +175,19 @@ def pinecone_serve_ocsp_responder():
from pinecrypt.server.api.ocsp import app from pinecrypt.server.api.ocsp import app
app.run(port=5001, debug=const.DEBUG) app.run(port=5001, debug=const.DEBUG)
@click.command("events") @click.command("events")
def pinecone_serve_events(): def pinecone_serve_events():
from pinecrypt.server.api.events import app from pinecrypt.server.api.events import app
app.run(port=8001, debug=const.DEBUG) app.run(port=8001, debug=const.DEBUG)
@click.command("builder") @click.command("builder")
def pinecone_serve_builder(): def pinecone_serve_builder():
from pinecrypt.server.api.builder import app from pinecrypt.server.api.builder import app
app.run(port=7001, debug=const.DEBUG) app.run(port=7001, debug=const.DEBUG)
@click.command("provision", help="Provision keys") @click.command("provision", help="Provision keys")
def pinecone_provision(): def pinecone_provision():
default_policy = "REJECT" if const.DEBUG else "DROP" default_policy = "REJECT" if const.DEBUG else "DROP"
@ -211,7 +217,6 @@ def pinecone_provision():
for subnet in const.PROMETHEUS_SUBNETS: for subnet in const.PROMETHEUS_SUBNETS:
os.system("ipset add -exist -quiet ipset%d-prometheus-subnets %s" % (subnet.version, subnet)) os.system("ipset add -exist -quiet ipset%d-prometheus-subnets %s" % (subnet.version, subnet))
def g(): def g():
yield "*filter" yield "*filter"
yield ":INBOUND_BLOCKED - [0:0]" yield ":INBOUND_BLOCKED - [0:0]"
@ -268,6 +273,7 @@ def pinecone_provision():
fh.write(line) fh.write(line)
fh.write("\n") fh.write("\n")
if not const.DISABLE_FIREWALL:
os.system("iptables-restore < /tmp/rules4") os.system("iptables-restore < /tmp/rules4")
os.system("sed -e 's/ipset4/ipset6/g' -e 's/p icmp/p ipv6-icmp/g' /tmp/rules4 > /tmp/rules6") os.system("sed -e 's/ipset4/ipset6/g' -e 's/p icmp/p ipv6-icmp/g' /tmp/rules4 > /tmp/rules6")
os.system("ip6tables-restore < /tmp/rules6") os.system("ip6tables-restore < /tmp/rules6")

14
pinecrypt/server/const.py
View File

@ -1,4 +1,4 @@
import ldap
import click import click
import os import os
import re import re
@ -16,12 +16,15 @@ RE_COMMON_NAME = r"^[A-Za-z0-9\-\_]+$"
# Make sure locales don't mess up anything # Make sure locales don't mess up anything
assert re.match(RE_USERNAME, "abstuzxy19") assert re.match(RE_USERNAME, "abstuzxy19")
# To be migrated to Mongo or removed # To be migrated to Mongo or removed
def parse_tag_types(d): def parse_tag_types(d):
r = [] r = []
for j in d.split(","): for j in d.split(","):
r.append(j.split("/")) r.append(j.split("/"))
return r return r
TAG_TYPES = parse_tag_types(os.getenv("TAG_TYPES", "owner/str,location/str,phone/str,other/str")) TAG_TYPES = parse_tag_types(os.getenv("TAG_TYPES", "owner/str,location/str,phone/str,other/str"))
SCRIPT_DIR = "" SCRIPT_DIR = ""
IMAGE_BUILDER_PROFILES = [] IMAGE_BUILDER_PROFILES = []
@ -61,12 +64,14 @@ except ValueError: # If FQDN is not configured
click.echo("FQDN not configured: %s" % repr(FQDN)) click.echo("FQDN not configured: %s" % repr(FQDN))
sys.exit(255) sys.exit(255)
def getenv_in(key, default, *vals): def getenv_in(key, default, *vals):
val = os.getenv(key, default) val = os.getenv(key, default)
if val not in (default,) + vals: if val not in (default,) + vals:
raise ValueError("Got %s for %s, expected one of %s" % (repr(val), key, vals)) raise ValueError("Got %s for %s, expected one of %s" % (repr(val), key, vals))
return val return val
# Authority namespace corresponds to DNS entry which represents refers to all replicas # Authority namespace corresponds to DNS entry which represents refers to all replicas
AUTHORITY_NAMESPACE = os.getenv("AUTHORITY_NAMESPACE", FQDN) AUTHORITY_NAMESPACE = os.getenv("AUTHORITY_NAMESPACE", FQDN)
if FQDN != AUTHORITY_NAMESPACE and not FQDN.endswith(".%s" % AUTHORITY_NAMESPACE): if FQDN != AUTHORITY_NAMESPACE and not FQDN.endswith(".%s" % AUTHORITY_NAMESPACE):
@ -82,7 +87,7 @@ AUTHORITY_LIFETIME_DAYS = 20*365
ADVERTISE_ADDRESS = os.getenv("ADVERTISE_ADDRESS", "").split(",") ADVERTISE_ADDRESS = os.getenv("ADVERTISE_ADDRESS", "").split(",")
if not ADVERTISE_ADDRESS: if not ADVERTISE_ADDRESS:
ADVERTISE_ADDRESS = set() ADVERTISE_ADDRESS = set()
for fam, _, _, _, addrs in socket.getaddrinfo(const.FQDN, None): for fam, _, _, _, addrs in socket.getaddrinfo(FQDN, None):
if fam in (2, 10): if fam in (2, 10):
ADVERTISE_ADDRESS.add(addrs[0]) ADVERTISE_ADDRESS.add(addrs[0])
@ -125,7 +130,6 @@ LDAP_USER_FILTER = os.getenv("LDAP_USER_FILTER", "(samaccountname=%s)")
LDAP_ADMIN_FILTER = os.getenv("LDAP_ADMIN_FILTER", "(samaccountname=%s)") LDAP_ADMIN_FILTER = os.getenv("LDAP_ADMIN_FILTER", "(samaccountname=%s)")
LDAP_COMPUTER_FILTER = os.getenv("LDAP_COMPUTER_FILTER", "()") LDAP_COMPUTER_FILTER = os.getenv("LDAP_COMPUTER_FILTER", "()")
import ldap
LDAP_CA_CERT = os.getenv("LDAP_CA_CERT") LDAP_CA_CERT = os.getenv("LDAP_CA_CERT")
if LDAP_CA_CERT: if LDAP_CA_CERT:
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, LDAP_CA_CERT) ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, LDAP_CA_CERT)
@ -134,9 +138,11 @@ if os.getenv("LDAP_DEBUG"):
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER) ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
ldap.set_option(ldap.OPT_DEBUG_LEVEL, 1) ldap.set_option(ldap.OPT_DEBUG_LEVEL, 1)
def getenv_subnets(key, default=""): def getenv_subnets(key, default=""):
return set([ip_network(j) for j in os.getenv(key, default).replace(",", " ").split(" ") if j]) return set([ip_network(j) for j in os.getenv(key, default).replace(",", " ").split(" ") if j])
USER_SUBNETS = getenv_subnets("AUTH_USER_SUBNETS", "0.0.0.0/0 ::/0") USER_SUBNETS = getenv_subnets("AUTH_USER_SUBNETS", "0.0.0.0/0 ::/0")
ADMIN_SUBNETS = getenv_subnets("AUTH_ADMIN_SUBNETS", "0.0.0.0/0 ::/0") ADMIN_SUBNETS = getenv_subnets("AUTH_ADMIN_SUBNETS", "0.0.0.0/0 ::/0")
AUTOSIGN_SUBNETS = getenv_subnets("AUTH_AUTOSIGN_SUBNETS", "") AUTOSIGN_SUBNETS = getenv_subnets("AUTH_AUTOSIGN_SUBNETS", "")
@ -178,3 +184,5 @@ SESSION_COOKIE = "sha512brownies"
SESSION_AGE = 3600 SESSION_AGE = 3600
SECRET_STORAGE = getenv_in("SECRET_STORAGE", "fs", "db") SECRET_STORAGE = getenv_in("SECRET_STORAGE", "fs", "db")
DISABLE_FIREWALL = os.getenv("DISABLE_FIREWALL") == "True" if os.getenv("DISABLE_FIREWALL") else False