Disable enable firewall in Dev env

Dns resolving not working in dev env in Docker bridge with firewall enabled.
This commit is contained in:
Marvin Martinson 2021-05-31 22:55:19 +00:00
parent 3f6604921d
commit 52eca76810
2 changed files with 38 additions and 24 deletions

View File

@ -30,10 +30,12 @@ from wsgiref.simple_server import make_server
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
mongolog.register() mongolog.register()
def graceful_exit(signal_number, stack_frame): def graceful_exit(signal_number, stack_frame):
print("Received signal %d, exiting now" % signal_number) print("Received signal %d, exiting now" % signal_number)
sys.exit(0) sys.exit(0)
def fqdn_required(func): def fqdn_required(func):
def wrapped(**args): def wrapped(**args):
common_name = args.get("common_name") common_name = args.get("common_name")
@ -104,7 +106,8 @@ def pinecone_sign(common_name, overwrite, profile):
@click.command("revoke", help="Revoke certificate") @click.command("revoke", help="Revoke certificate")
@click.option("--reason", "-r", default="key_compromise", help="Revocation reason, one of: key_compromise affiliation_changed superseded cessation_of_operation privilege_withdrawn") @click.option("--reason", "-r", default="key_compromise",
help="Revocation reason, one of: key_compromise affiliation_changed superseded cessation_of_operation privilege_withdrawn")
@click.argument("common_name") @click.argument("common_name")
def pinecone_revoke(common_name, reason): def pinecone_revoke(common_name, reason):
from pinecrypt.server import authority from pinecrypt.server import authority
@ -172,16 +175,19 @@ def pinecone_serve_ocsp_responder():
from pinecrypt.server.api.ocsp import app from pinecrypt.server.api.ocsp import app
app.run(port=5001, debug=const.DEBUG) app.run(port=5001, debug=const.DEBUG)
@click.command("events") @click.command("events")
def pinecone_serve_events(): def pinecone_serve_events():
from pinecrypt.server.api.events import app from pinecrypt.server.api.events import app
app.run(port=8001, debug=const.DEBUG) app.run(port=8001, debug=const.DEBUG)
@click.command("builder") @click.command("builder")
def pinecone_serve_builder(): def pinecone_serve_builder():
from pinecrypt.server.api.builder import app from pinecrypt.server.api.builder import app
app.run(port=7001, debug=const.DEBUG) app.run(port=7001, debug=const.DEBUG)
@click.command("provision", help="Provision keys") @click.command("provision", help="Provision keys")
def pinecone_provision(): def pinecone_provision():
default_policy = "REJECT" if const.DEBUG else "DROP" default_policy = "REJECT" if const.DEBUG else "DROP"
@ -211,7 +217,6 @@ def pinecone_provision():
for subnet in const.PROMETHEUS_SUBNETS: for subnet in const.PROMETHEUS_SUBNETS:
os.system("ipset add -exist -quiet ipset%d-prometheus-subnets %s" % (subnet.version, subnet)) os.system("ipset add -exist -quiet ipset%d-prometheus-subnets %s" % (subnet.version, subnet))
def g(): def g():
yield "*filter" yield "*filter"
yield ":INBOUND_BLOCKED - [0:0]" yield ":INBOUND_BLOCKED - [0:0]"
@ -268,18 +273,19 @@ def pinecone_provision():
fh.write(line) fh.write(line)
fh.write("\n") fh.write("\n")
os.system("iptables-restore < /tmp/rules4") if not const.DISABLE_FIREWALL:
os.system("sed -e 's/ipset4/ipset6/g' -e 's/p icmp/p ipv6-icmp/g' /tmp/rules4 > /tmp/rules6") os.system("iptables-restore < /tmp/rules4")
os.system("ip6tables-restore < /tmp/rules6") os.system("sed -e 's/ipset4/ipset6/g' -e 's/p icmp/p ipv6-icmp/g' /tmp/rules4 > /tmp/rules6")
os.system("sysctl -w net.ipv6.conf.all.forwarding=1") os.system("ip6tables-restore < /tmp/rules6")
os.system("sysctl -w net.ipv6.conf.default.forwarding=1") os.system("sysctl -w net.ipv6.conf.all.forwarding=1")
os.system("sysctl -w net.ipv4.ip_forward=1") os.system("sysctl -w net.ipv6.conf.default.forwarding=1")
os.system("sysctl -w net.ipv4.ip_forward=1")
if const.REPLICAS: if const.REPLICAS:
click.echo("Provisioning MongoDB replicaset") click.echo("Provisioning MongoDB replicaset")
# WTF https://github.com/docker-library/mongo/issues/339 # WTF https://github.com/docker-library/mongo/issues/339
c = pymongo.MongoClient("localhost", 27017) c = pymongo.MongoClient("localhost", 27017)
config ={"_id" : "rs0", "members": [ config = {"_id": "rs0", "members": [
{"_id": index, "host": "%s:27017" % hostname} for index, hostname in enumerate(const.REPLICAS)]} {"_id": index, "host": "%s:27017" % hostname} for index, hostname in enumerate(const.REPLICAS)]}
print("Provisioning MongoDB replicaset: %s" % repr(config)) print("Provisioning MongoDB replicaset: %s" % repr(config))
try: try:
@ -404,7 +410,7 @@ def pinecone_serve_backend():
token_resource = None token_resource = None
token_manager = None token_manager = None
if const.USER_ENROLLMENT_ALLOWED: # TODO: add token enable/disable flag for config if const.USER_ENROLLMENT_ALLOWED: # TODO: add token enable/disable flag for config
token_manager = TokenManager() token_manager = TokenManager()
token_resource = TokenResource(token_manager) token_resource = TokenResource(token_manager)
app.add_route("/api/token", token_resource) app.add_route("/api/token", token_resource)
@ -442,7 +448,7 @@ def pinecone_token_list():
cols = "uuid", "expires", "subject", "state" cols = "uuid", "expires", "subject", "state"
now = datetime.utcnow().replace(tzinfo=pytz.UTC) now = datetime.utcnow().replace(tzinfo=pytz.UTC)
for token in token_manager.list(expired=True, used=True): for token in token_manager.list(expired=True, used=True):
token["state"] = "used" if token.get("used") else ("valid" if token.get("expires") > now else "expired") token["state"] = "used" if token.get("used") else ("valid" if token.get("expires") > now else "expired")
print(";".join([str(token.get(col)) for col in cols])) print(";".join([str(token.get(col)) for col in cols]))
@ -555,8 +561,8 @@ def pinecone_serve_openvpn(local, proto, client_subnet_slot):
# For more info see: openvpn --show-tls # For more info see: openvpn --show-tls
args += "--tls-version-min", config.get("Globals", "OPENVPN_TLS_VERSION_MIN")["value"] args += "--tls-version-min", config.get("Globals", "OPENVPN_TLS_VERSION_MIN")["value"]
args += "--tls-ciphersuites", config.get("Globals", "OPENVPN_TLS_CIPHERSUITES")["value"], # Used by TLS 1.3 args += "--tls-ciphersuites", config.get("Globals", "OPENVPN_TLS_CIPHERSUITES")["value"], # Used by TLS 1.3
args += "--tls-cipher", config.get("Globals", "OPENVPN_TLS_CIPHER")["value"], # Used by TLS 1.2 args += "--tls-cipher", config.get("Globals", "OPENVPN_TLS_CIPHER")["value"], # Used by TLS 1.2
# Data channel encryption parameters # Data channel encryption parameters
# TODO: Rename to --data-cipher when OpenVPN 2.5 becomes available # TODO: Rename to --data-cipher when OpenVPN 2.5 becomes available
@ -604,7 +610,7 @@ def pinecone_serve_strongswan(client_subnet_slot):
fh.write(" left=%s\n" % const.AUTHORITY_NAMESPACE) fh.write(" left=%s\n" % const.AUTHORITY_NAMESPACE)
fh.write(" leftsendcert=always\n") fh.write(" leftsendcert=always\n")
fh.write(" leftallowany=yes\n") # For load-balancing fh.write(" leftallowany=yes\n") # For load-balancing
fh.write(" leftcert=%s\n" % const.SELF_CERT_PATH) fh.write(" leftcert=%s\n" % const.SELF_CERT_PATH)
if const.PUSH_SUBNETS: if const.PUSH_SUBNETS:
fh.write(" leftsubnet=%s\n" % ",".join([str(j) for j in const.PUSH_SUBNETS])) fh.write(" leftsubnet=%s\n" % ",".join([str(j) for j in const.PUSH_SUBNETS]))
@ -626,8 +632,8 @@ def pinecone_serve_strongswan(client_subnet_slot):
public_key = asymmetric.load_public_key(certificate["tbs_certificate"]["subject_public_key_info"]) public_key = asymmetric.load_public_key(certificate["tbs_certificate"]["subject_public_key_info"])
with open("/etc/ipsec.secrets", "w") as fh: with open("/etc/ipsec.secrets", "w") as fh:
fh.write(": %s %s\n" % ( fh.write(": %s %s\n" % (
"ECDSA" if public_key.algorithm == "ec" else "RSA", "ECDSA" if public_key.algorithm == "ec" else "RSA",
const.SELF_KEY_PATH const.SELF_KEY_PATH
)) ))
executable = "/usr/sbin/ipsec" executable = "/usr/sbin/ipsec"
args = executable, "start", "--nofork" args = executable, "start", "--nofork"

View File

@ -1,4 +1,4 @@
import ldap
import click import click
import os import os
import re import re
@ -9,19 +9,22 @@ from ipaddress import ip_network
from math import log, ceil from math import log, ceil
RE_USERNAME = r"^[a-z][a-z0-9]+$" RE_USERNAME = r"^[a-z][a-z0-9]+$"
RE_FQDN = r"^(([a-z0-9]|[a-z0-9][a-z0-9\-_]*[a-z0-9])\.)+([a-z0-9]|[a-z0-9][a-z0-9\-_]*[a-z0-9])?$" RE_FQDN = r"^(([a-z0-9]|[a-z0-9][a-z0-9\-_]*[a-z0-9])\.)+([a-z0-9]|[a-z0-9][a-z0-9\-_]*[a-z0-9])?$"
RE_HOSTNAME = r"^[a-z0-9]([a-z0-9\-_]{0,61}[a-z0-9])?$" RE_HOSTNAME = r"^[a-z0-9]([a-z0-9\-_]{0,61}[a-z0-9])?$"
RE_COMMON_NAME = r"^[A-Za-z0-9\-\_]+$" RE_COMMON_NAME = r"^[A-Za-z0-9\-\_]+$"
# Make sure locales don't mess up anything # Make sure locales don't mess up anything
assert re.match(RE_USERNAME, "abstuzxy19") assert re.match(RE_USERNAME, "abstuzxy19")
# To be migrated to Mongo or removed # To be migrated to Mongo or removed
def parse_tag_types(d): def parse_tag_types(d):
r = [] r = []
for j in d.split(","): for j in d.split(","):
r.append(j.split("/")) r.append(j.split("/"))
return r return r
TAG_TYPES = parse_tag_types(os.getenv("TAG_TYPES", "owner/str,location/str,phone/str,other/str")) TAG_TYPES = parse_tag_types(os.getenv("TAG_TYPES", "owner/str,location/str,phone/str,other/str"))
SCRIPT_DIR = "" SCRIPT_DIR = ""
IMAGE_BUILDER_PROFILES = [] IMAGE_BUILDER_PROFILES = []
@ -57,16 +60,18 @@ except socket.gaierror:
try: try:
HOSTNAME, DOMAIN = FQDN.split(".", 1) HOSTNAME, DOMAIN = FQDN.split(".", 1)
except ValueError: # If FQDN is not configured except ValueError: # If FQDN is not configured
click.echo("FQDN not configured: %s" % repr(FQDN)) click.echo("FQDN not configured: %s" % repr(FQDN))
sys.exit(255) sys.exit(255)
def getenv_in(key, default, *vals): def getenv_in(key, default, *vals):
val = os.getenv(key, default) val = os.getenv(key, default)
if val not in (default,) + vals: if val not in (default,) + vals:
raise ValueError("Got %s for %s, expected one of %s" % (repr(val), key, vals)) raise ValueError("Got %s for %s, expected one of %s" % (repr(val), key, vals))
return val return val
# Authority namespace corresponds to DNS entry which represents refers to all replicas # Authority namespace corresponds to DNS entry which represents refers to all replicas
AUTHORITY_NAMESPACE = os.getenv("AUTHORITY_NAMESPACE", FQDN) AUTHORITY_NAMESPACE = os.getenv("AUTHORITY_NAMESPACE", FQDN)
if FQDN != AUTHORITY_NAMESPACE and not FQDN.endswith(".%s" % AUTHORITY_NAMESPACE): if FQDN != AUTHORITY_NAMESPACE and not FQDN.endswith(".%s" % AUTHORITY_NAMESPACE):
@ -76,14 +81,14 @@ USER_NAMESPACE = "u.%s" % AUTHORITY_NAMESPACE
MACHINE_NAMESPACE = "m.%s" % AUTHORITY_NAMESPACE MACHINE_NAMESPACE = "m.%s" % AUTHORITY_NAMESPACE
AUTHORITY_COMMON_NAME = "Pinecrypt Gateway at %s" % AUTHORITY_NAMESPACE AUTHORITY_COMMON_NAME = "Pinecrypt Gateway at %s" % AUTHORITY_NAMESPACE
AUTHORITY_ORGANIZATION = os.getenv("AUTHORITY_ORGANIZATION") AUTHORITY_ORGANIZATION = os.getenv("AUTHORITY_ORGANIZATION")
AUTHORITY_LIFETIME_DAYS = 20*365 AUTHORITY_LIFETIME_DAYS = 20 * 365
# Advertise following IP addresses via DNS record # Advertise following IP addresses via DNS record
ADVERTISE_ADDRESS = os.getenv("ADVERTISE_ADDRESS", "").split(",") ADVERTISE_ADDRESS = os.getenv("ADVERTISE_ADDRESS", "").split(",")
if not ADVERTISE_ADDRESS: if not ADVERTISE_ADDRESS:
ADVERTISE_ADDRESS = set() ADVERTISE_ADDRESS = set()
for fam, _, _, _, addrs in socket.getaddrinfo(const.FQDN, None): for fam, _, _, _, addrs in socket.getaddrinfo(FQDN, None):
if fam in(2, 10): if fam in (2, 10):
ADVERTISE_ADDRESS.add(addrs[0]) ADVERTISE_ADDRESS.add(addrs[0])
# Mailer settings # Mailer settings
@ -125,7 +130,6 @@ LDAP_USER_FILTER = os.getenv("LDAP_USER_FILTER", "(samaccountname=%s)")
LDAP_ADMIN_FILTER = os.getenv("LDAP_ADMIN_FILTER", "(samaccountname=%s)") LDAP_ADMIN_FILTER = os.getenv("LDAP_ADMIN_FILTER", "(samaccountname=%s)")
LDAP_COMPUTER_FILTER = os.getenv("LDAP_COMPUTER_FILTER", "()") LDAP_COMPUTER_FILTER = os.getenv("LDAP_COMPUTER_FILTER", "()")
import ldap
LDAP_CA_CERT = os.getenv("LDAP_CA_CERT") LDAP_CA_CERT = os.getenv("LDAP_CA_CERT")
if LDAP_CA_CERT: if LDAP_CA_CERT:
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, LDAP_CA_CERT) ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, LDAP_CA_CERT)
@ -134,9 +138,11 @@ if os.getenv("LDAP_DEBUG"):
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER) ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
ldap.set_option(ldap.OPT_DEBUG_LEVEL, 1) ldap.set_option(ldap.OPT_DEBUG_LEVEL, 1)
def getenv_subnets(key, default=""): def getenv_subnets(key, default=""):
return set([ip_network(j) for j in os.getenv(key, default).replace(",", " ").split(" ") if j]) return set([ip_network(j) for j in os.getenv(key, default).replace(",", " ").split(" ") if j])
USER_SUBNETS = getenv_subnets("AUTH_USER_SUBNETS", "0.0.0.0/0 ::/0") USER_SUBNETS = getenv_subnets("AUTH_USER_SUBNETS", "0.0.0.0/0 ::/0")
ADMIN_SUBNETS = getenv_subnets("AUTH_ADMIN_SUBNETS", "0.0.0.0/0 ::/0") ADMIN_SUBNETS = getenv_subnets("AUTH_ADMIN_SUBNETS", "0.0.0.0/0 ::/0")
AUTOSIGN_SUBNETS = getenv_subnets("AUTH_AUTOSIGN_SUBNETS", "") AUTOSIGN_SUBNETS = getenv_subnets("AUTH_AUTOSIGN_SUBNETS", "")
@ -178,3 +184,5 @@ SESSION_COOKIE = "sha512brownies"
SESSION_AGE = 3600 SESSION_AGE = 3600
SECRET_STORAGE = getenv_in("SECRET_STORAGE", "fs", "db") SECRET_STORAGE = getenv_in("SECRET_STORAGE", "fs", "db")
DISABLE_FIREWALL = os.getenv("DISABLE_FIREWALL") == "True" if os.getenv("DISABLE_FIREWALL") else False