import grp import json import pwd import os import re import string import subprocess import sys from contextlib import contextmanager from shutil import rmtree from tempfile import NamedTemporaryFile import click IS_AUTO_CONFIG = @isAutoConfig@ # NOQA CERTTOOL_COMMAND = "@certtool@" CERT_BITS = "@certBits@" CLIENT_EXPIRATION = "@clientExpiration@" CRL_EXPIRATION = "@crlExpiration@" TASKD_COMMAND = "@taskd@" TASKD_DATA_DIR = "@dataDir@" TASKD_USER = "@user@" TASKD_GROUP = "@group@" FQDN = "@fqdn@" CA_KEY = os.path.join(TASKD_DATA_DIR, "keys", "ca.key") CA_CERT = os.path.join(TASKD_DATA_DIR, "keys", "ca.cert") CRL_FILE = os.path.join(TASKD_DATA_DIR, "keys", "server.crl") RE_CONFIGUSER = re.compile(r'^\s*user\s*=(.*)$') RE_USERKEY = re.compile(r'New user key: (.+)$', re.MULTILINE) def lazyprop(fun): """ Decorator which only evaluates the specified function when accessed. """ name = '_lazy_' + fun.__name__ @property def _lazy(self): val = getattr(self, name, None) if val is None: val = fun(self) setattr(self, name, val) return val return _lazy class TaskdError(OSError): pass def run_as_taskd_user(): uid = pwd.getpwnam(TASKD_USER).pw_uid gid = grp.getgrnam(TASKD_GROUP).gr_gid os.setgid(gid) os.setuid(uid) def taskd_cmd(cmd, *args, **kwargs): """ Invoke taskd with the specified command with the privileges of the 'taskd' user and 'taskd' group. If 'capture_stdout' is passed as a keyword argument with the value True, the return value are the contents the command printed to stdout. """ capture_stdout = kwargs.pop("capture_stdout", False) fun = subprocess.check_output if capture_stdout else subprocess.check_call return fun( [TASKD_COMMAND, cmd, "--data", TASKD_DATA_DIR] + list(args), preexec_fn=run_as_taskd_user, **kwargs ) def certtool_cmd(*args, **kwargs): """ Invoke certtool from GNUTLS and return the output of the command. The provided arguments are added to the certtool command and keyword arguments are added to subprocess.check_output(). Note that this will suppress all output of certtool and it will only be printed whenever there is an unsuccessful return code. """ return subprocess.check_output( [CERTTOOL_COMMAND] + list(args), preexec_fn=lambda: os.umask(0o077), stderr=subprocess.STDOUT, **kwargs ) def label(msg): if sys.stdout.isatty() or sys.stderr.isatty(): sys.stderr.write(msg + "\n") def mkpath(*args): return os.path.join(TASKD_DATA_DIR, "orgs", *args) def mark_imperative(*path): """ Mark the specified path as being imperatively managed by creating an empty file called ".imperative", so that it doesn't interfere with the declarative configuration. """ open(os.path.join(mkpath(*path), ".imperative"), 'a').close() def is_imperative(*path): """ Check whether the given path is marked as imperative, see mark_imperative() for more information. """ full_path = [] for component in path: full_path.append(component) if os.path.exists(os.path.join(mkpath(*full_path), ".imperative")): return True return False def fetch_username(org, key): for line in open(mkpath(org, "users", key, "config"), "r"): match = RE_CONFIGUSER.match(line) if match is None: continue return match.group(1).strip() return None @contextmanager def create_template(contents): """ Generate a temporary file with the specified contents as a list of strings and yield its path as the context. """ template = NamedTemporaryFile(mode="w", prefix="certtool-template") template.writelines(map(lambda l: l + "\n", contents)) template.flush() yield template.name template.close() def generate_key(org, user): if not IS_AUTO_CONFIG: msg = "Automatic PKI handling is disabled, you need to " \ "manually issue a client certificate for user {}.\n" sys.stderr.write(msg.format(user)) return basedir = os.path.join(TASKD_DATA_DIR, "keys", org, user) if os.path.exists(basedir): raise OSError("Keyfile directory for {} already exists.".format(user)) privkey = os.path.join(basedir, "private.key") pubcert = os.path.join(basedir, "public.cert") try: os.makedirs(basedir, mode=0o700) certtool_cmd("-p", "--bits", CERT_BITS, "--outfile", privkey) template_data = [ "organization = {0}".format(org), "cn = {}".format(FQDN), "expiration_days = {}".format(CLIENT_EXPIRATION), "tls_www_client", "encryption_key", "signing_key" ] with create_template(template_data) as template: certtool_cmd( "-c", "--load-privkey", privkey, "--load-ca-privkey", CA_KEY, "--load-ca-certificate", CA_CERT, "--template", template, "--outfile", pubcert ) except: rmtree(basedir) raise def revoke_key(org, user): basedir = os.path.join(TASKD_DATA_DIR, "keys", org, user) if not os.path.exists(basedir): raise OSError("Keyfile directory for {} doesn't exist.".format(user)) pubcert = os.path.join(basedir, "public.cert") expiration = "expiration_days = {}".format(CRL_EXPIRATION) with create_template([expiration]) as template: oldcrl = NamedTemporaryFile(mode="wb", prefix="old-crl") oldcrl.write(open(CRL_FILE, "rb").read()) oldcrl.flush() certtool_cmd( "--generate-crl", "--load-crl", oldcrl.name, "--load-ca-privkey", CA_KEY, "--load-ca-certificate", CA_CERT, "--load-certificate", pubcert, "--template", template, "--outfile", CRL_FILE ) oldcrl.close() rmtree(basedir) def is_key_line(line, match): return line.startswith("---") and line.lstrip("- ").startswith(match) def getkey(*args): path = os.path.join(TASKD_DATA_DIR, "keys", *args) buf = [] for line in open(path, "r"): if len(buf) == 0: if is_key_line(line, "BEGIN"): buf.append(line) continue buf.append(line) if is_key_line(line, "END"): return ''.join(buf) raise IOError("Unable to get key from {}.".format(path)) def mktaskkey(cfg, path, keydata): heredoc = 'cat > "{}" <