Fix CLI scripts for getting user certificates and CA public keys.
This commit is contained in:
parent
4c4e1159d7
commit
c425a3d26e
@ -1,14 +1,24 @@
|
|||||||
#!/usr/bin/env python
|
#!/usr/bin/env python
|
||||||
|
import argparse
|
||||||
import json
|
import json
|
||||||
import requests
|
import requests
|
||||||
import sys
|
import sys
|
||||||
import uuid
|
import uuid
|
||||||
|
|
||||||
server = 'http://172.24.4.1:18322'
|
parser = argparse.ArgumentParser(description="Get the CA's public keys from Tatu API.")
|
||||||
auth_id = str(uuid.UUID(sys.argv[1], version=4))
|
parser.add_argument('--projid', '-P', required=True)
|
||||||
response = requests.get(
|
parser.add_argument('--tatu-url', default= 'http://127.0.0.1:18322',
|
||||||
server + '/authorities/' + auth_id)
|
help='URL of the Tatu API')
|
||||||
assert response.status_code == 200
|
args = parser.parse_args()
|
||||||
auth = json.loads(response.content)
|
|
||||||
print auth
|
try:
|
||||||
|
auth_id = str(uuid.UUID(args.projid, version=4))
|
||||||
|
except:
|
||||||
|
print '--projid should be the UUID of a Tatu CA (usually a cloud tenant/project).'
|
||||||
|
exit()
|
||||||
|
|
||||||
|
server = args.tatu_url
|
||||||
|
response = requests.get(server + '/authorities/' + auth_id)
|
||||||
|
if response.status_code != 200:
|
||||||
|
print 'Failed to retrieve the CA keys.'
|
||||||
|
print response.content
|
||||||
|
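Review bot: Every failure path in the new CA-keys script exits with status 0, because `exit()` after the `except:` carries no code and the `!= 200` branch does not exit at all, so a shell pipeline cannot distinguish a failed fetch from a successful one; `sys` stays imported, so `sys.exit(1)` is available. The bare `except:` around `uuid.UUID(args.projid, version=4)` also swallows KeyboardInterrupt and SystemExit; `except ValueError:` is what a malformed UUID string raises. The rendering drops indentation, so it is unclear whether the final `print response.content` sits inside the `!= 200` branch; if it does, the success path prints nothing and the fetched keys are never shown. The `requests.get(...)` call has no `timeout=`, so an unresponsive API hangs the script indefinitely.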
70
scripts/get-user-cert
Normal file → Executable file
70
scripts/get-user-cert
Normal file → Executable file
@ -1,56 +1,56 @@
|
|||||||
|
#!/usr/bin/env python
|
||||||
|
import argparse
|
||||||
import json
|
import json
|
||||||
import requests
|
|
||||||
import os
|
import os
|
||||||
|
import requests
|
||||||
import subprocess
|
import subprocess
|
||||||
import uuid
|
import uuid
|
||||||
from Crypto.PublicKey import RSA
|
from Crypto.PublicKey import RSA
|
||||||
|
|
||||||
keyfile = '/opt/stack/.ssh/mykey'
|
parser = argparse.ArgumentParser(description='Get a user certificate from Tatu API.')
|
||||||
user_id = str(uuid.uuid4())
|
parser.add_argument('--projid', '-P', required=True)
|
||||||
auth_id = str(uuid.UUID('0852c6cd6209425c88de582acbcd1170', version=4))
|
parser.add_argument('--pubkeyfile', '-K', required=True)
|
||||||
key = RSA.generate(2048)
|
parser.add_argument('--userid', '-U', required=True)
|
||||||
keytxt = key.exportKey('PEM')
|
parser.add_argument('--tatu-url', default= 'http://127.0.0.1:18322',
|
||||||
pubkeytxt = key.publickey().exportKey('OpenSSH')
|
help='URL of the Tatu API')
|
||||||
server = 'http://127.0.0.1:18321'
|
args = parser.parse_args()
|
||||||
|
|
||||||
|
if not os.path.isfile(args.pubkeyfile):
|
||||||
|
print '--pubkeyfile must point to a valid public key.'
|
||||||
|
exit()
|
||||||
|
try:
|
||||||
|
auth_id = str(uuid.UUID(args.projid, version=4))
|
||||||
|
except:
|
||||||
|
print '--projid should be the UUID of a Tatu CA (usually a cloud tenant/project).'
|
||||||
|
exit()
|
||||||
|
try:
|
||||||
|
user_id = str(uuid.UUID(args.userid, version=4))
|
||||||
|
except:
|
||||||
|
print '--userid should be the UUID of a user with permissions in the cloud project.'
|
||||||
|
exit()
|
||||||
|
|
||||||
|
with open(args.pubkeyfile, 'r') as f:
|
||||||
|
pubkeytext = f.read()
|
||||||
|
|
||||||
|
server = args.tatu_url
|
||||||
|
|
||||||
user = {
|
user = {
|
||||||
'user_id': user_id,
|
'user_id': user_id,
|
||||||
'auth_id': auth_id,
|
'auth_id': auth_id,
|
||||||
'key.pub': pubkeytxt
|
'key.pub': pubkeytext
|
||||||
}
|
}
|
||||||
|
|
||||||
response = requests.post(
|
response = requests.post(
|
||||||
server + '/usercerts',
|
server + '/usercerts',
|
||||||
data=json.dumps(user)
|
data=json.dumps(user)
|
||||||
)
|
)
|
||||||
assert response.status_code == 201
|
if response.status_code != 201:
|
||||||
|
print 'Failed: ' + response
|
||||||
|
exit()
|
||||||
|
|
||||||
assert 'location' in response.headers
|
assert 'location' in response.headers
|
||||||
location = response.headers['location']
|
location = response.headers['location']
|
||||||
print location
|
|
||||||
|
|
||||||
response = requests.get(server + location)
|
response = requests.get(server + location)
|
||||||
usercert = json.loads(response.content)
|
usercert = json.loads(response.content)
|
||||||
assert 'user_id' in usercert
|
|
||||||
assert usercert['user_id'] == user_id
|
|
||||||
assert 'fingerprint' in usercert
|
|
||||||
assert 'auth_id' in usercert
|
|
||||||
au = str(uuid.UUID(usercert['auth_id'], version=4))
|
|
||||||
assert au == auth_id
|
|
||||||
assert 'key-cert.pub' in usercert
|
|
||||||
|
|
||||||
# Write the user's ID
|
print usercert['key-cert.pub']
|
||||||
with open(keyfile + '_user_id', 'w') as f:
|
|
||||||
f.write(user_id)
|
|
||||||
|
|
||||||
# Write the user private key
|
|
||||||
with open(keyfile, 'w') as f:
|
|
||||||
f.write(keytxt)
|
|
||||||
os.chmod(keyfile, 0600)
|
|
||||||
|
|
||||||
# Write the user public key
|
|
||||||
with open(keyfile + '.pub', 'w') as f:
|
|
||||||
f.write(pubkeytxt)
|
|
||||||
|
|
||||||
# Write the user certificate
|
|
||||||
with open(keyfile + '-cert.pub', 'w') as f:
|
|
||||||
f.write(usercert['key-cert.pub'])
|
|
||||||
|
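Review bot: `print 'Failed: ' + response` concatenates a str with the `requests.Response` object and raises TypeError, so the `!= 201` error branch crashes instead of reporting; something like `print 'Failed: %s %s' % (response.status_code, response.content)` is what was presumably intended. The three `exit()` calls leave status 0 on every failure path and the two `except:` clauses should be `except ValueError:`; this script does not import `sys`, so `sys.exit(1)` needs `import sys` added. `from Crypto.PublicKey import RSA` and `import subprocess` are no longer used on the new side now that local key generation is gone. The new code indexes `usercert['key-cert.pub']` without checking the key is present, and the returned `user_id`/`auth_id` are no longer compared with the requested ones, so a certificate for a different user or CA would be printed silently.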
@ -20,3 +20,6 @@ classifier =
|
|||||||
Development Status :: 3 - Alpha
|
Development Status :: 3 - Alpha
|
||||||
keywords = ssh certificate bastion
|
keywords = ssh certificate bastion
|
||||||
|
|
||||||
|
[entry_points]
|
||||||
|
console_scripts =
|
||||||
|
tatu-notify = tatu.notifications:main
|
||||||
|
@ -51,7 +51,7 @@ def createUserCert(session, user_id, auth_id, pub):
|
|||||||
fingerprint = sshpubkeys.SSHKey(pub).hash_md5()
|
fingerprint = sshpubkeys.SSHKey(pub).hash_md5()
|
||||||
certRecord = session.query(UserCert).get([user_id, fingerprint])
|
certRecord = session.query(UserCert).get([user_id, fingerprint])
|
||||||
if certRecord is not None:
|
if certRecord is not None:
|
||||||
raise falcon.HTTPConflict('This public key is already signed.')
|
return certRecord
|
||||||
cert = generateCert(auth.user_key, pub, principals='admin,root')
|
cert = generateCert(auth.user_key, pub, principals='admin,root')
|
||||||
if cert is None:
|
if cert is None:
|
||||||
raise falcon.HTTPInternalServerError("Failed to generate the certificate")
|
raise falcon.HTTPInternalServerError("Failed to generate the certificate")
|
||||||
|
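Review bot: `return certRecord` hands back whatever record matches `[user_id, fingerprint]` without comparing it to the `auth_id` argument, so if the same user key was previously signed under a different CA the caller receives that certificate rather than one from the requested CA, and the HTTP layer presumably reports success. Before returning, compare the stored record's CA identifier with `auth_id` and raise `falcon.HTTPConflict` when they differ (or include the CA in the lookup); the attribute name on `UserCert` is not visible in this hunk. The body of createUserCert starts and ends outside the hunk.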