Fix CLI scripts for getting user certificates and CA public keys.

2017-12-01 22:51:39 +00:00 · 2017-12-01 22:51:39 +00:00 · c425a3d26e
commit c425a3d26e
parent 4c4e1159d7
4 changed files with 59 additions and 46 deletions
--- a/scripts/get-ca-keys
+++ b/scripts/get-ca-keys
@ -1,14 +1,24 @@
 #!/usr/bin/env python
-
+import argparse
 import json
 import requests
 import sys
 import uuid

-server = 'http://172.24.4.1:18322'
-auth_id = str(uuid.UUID(sys.argv[1], version=4))
-response = requests.get(
-    server + '/authorities/' + auth_id)
-assert response.status_code == 200
-auth = json.loads(response.content)
-print auth
+parser = argparse.ArgumentParser(description="Get the CA's public keys from Tatu API.")
+parser.add_argument('--projid', '-P', required=True)
+parser.add_argument('--tatu-url', default= 'http://127.0.0.1:18322',
+                    help='URL of the Tatu API')
+args = parser.parse_args()
+
+try:
+    auth_id = str(uuid.UUID(args.projid, version=4))
+except:
+    print '--projid should be the UUID of a Tatu CA (usually a cloud tenant/project).'
+    exit()
+
+server = args.tatu_url
+response = requests.get(server + '/authorities/' + auth_id)
+if response.status_code != 200:
+    print 'Failed to retrieve the CA keys.'
+print response.content
--- a/scripts/get-user-cert
+++ b/scripts/get-user-cert
@ -1,56 +1,56 @@
+#!/usr/bin/env python
+import argparse
 import json
-import requests
 import os
+import requests
 import subprocess
 import uuid
 from Crypto.PublicKey import RSA

-keyfile = '/opt/stack/.ssh/mykey'
-user_id = str(uuid.uuid4())
-auth_id = str(uuid.UUID('0852c6cd6209425c88de582acbcd1170', version=4))
-key = RSA.generate(2048)
-keytxt = key.exportKey('PEM')
-pubkeytxt = key.publickey().exportKey('OpenSSH')
-server = 'http://127.0.0.1:18321'
+parser = argparse.ArgumentParser(description='Get a user certificate from Tatu API.')
+parser.add_argument('--projid', '-P', required=True)
+parser.add_argument('--pubkeyfile', '-K', required=True)
+parser.add_argument('--userid', '-U', required=True)
+parser.add_argument('--tatu-url', default= 'http://127.0.0.1:18322',
+                    help='URL of the Tatu API')
+args = parser.parse_args()
+
+if not os.path.isfile(args.pubkeyfile):
+    print '--pubkeyfile must point to a valid public key.'
+    exit()
+try:
+    auth_id = str(uuid.UUID(args.projid, version=4))
+except:
+    print '--projid should be the UUID of a Tatu CA (usually a cloud tenant/project).'
+    exit()
+try:
+    user_id = str(uuid.UUID(args.userid, version=4))
+except:
+    print '--userid should be the UUID of a user with permissions in the cloud project.'
+    exit()
+
+with open(args.pubkeyfile, 'r') as f:
+    pubkeytext = f.read()
+
+server = args.tatu_url

 user = {
    'user_id': user_id,
    'auth_id': auth_id,
-    'key.pub': pubkeytxt
+    'key.pub': pubkeytext
 }

 response = requests.post(
-  server + '/usercerts',
-  data=json.dumps(user)
+    server + '/usercerts',
+    data=json.dumps(user)
 )
-assert response.status_code == 201
+if response.status_code != 201:
+    print 'Failed: ' + response
+    exit()
+
 assert 'location' in response.headers
 location = response.headers['location']
-print location
-
 response = requests.get(server + location)
 usercert = json.loads(response.content)
-assert 'user_id' in usercert
-assert usercert['user_id'] == user_id
-assert 'fingerprint' in usercert
-assert 'auth_id' in usercert
-au = str(uuid.UUID(usercert['auth_id'], version=4))
-assert au == auth_id
-assert 'key-cert.pub' in usercert

-# Write the user's ID
-with open(keyfile + '_user_id', 'w') as f:
-  f.write(user_id)
-
-# Write the user private key
-with open(keyfile, 'w') as f:
-  f.write(keytxt)
-os.chmod(keyfile, 0600)
-
-# Write the user public key
-with open(keyfile + '.pub', 'w') as f:
-  f.write(pubkeytxt)
-
-# Write the user certificate
-with open(keyfile + '-cert.pub', 'w') as f:
-  f.write(usercert['key-cert.pub'])
+print usercert['key-cert.pub']
--- a/setup.cfg
+++ b/setup.cfg
@ -20,3 +20,6 @@ classifier =
    Development Status :: 3 - Alpha
 keywords = ssh certificate bastion

+[entry_points]
+console_scripts =
+    tatu-notify = tatu.notifications:main
--- a/tatu/db/models.py
+++ b/tatu/db/models.py
@ -51,7 +51,7 @@ def createUserCert(session, user_id, auth_id, pub):
    fingerprint = sshpubkeys.SSHKey(pub).hash_md5()
    certRecord = session.query(UserCert).get([user_id, fingerprint])
    if certRecord is not None:
-      raise falcon.HTTPConflict('This public key is already signed.')
+      return certRecord
    cert = generateCert(auth.user_key, pub, principals='admin,root')
    if cert is None:
      raise falcon.HTTPInternalServerError("Failed to generate the certificate")