Fix CLI scripts for getting user certificates and CA public keys.

This commit is contained in:
Pino de Candia 2017-12-01 22:51:39 +00:00
parent 4c4e1159d7
commit c425a3d26e
4 changed files with 59 additions and 46 deletions

View File

@ -1,14 +1,24 @@
#!/usr/bin/env python #!/usr/bin/env python
import argparse
import json import json
import requests import requests
import sys import sys
import uuid import uuid
server = 'http://172.24.4.1:18322' parser = argparse.ArgumentParser(description="Get the CA's public keys from Tatu API.")
auth_id = str(uuid.UUID(sys.argv[1], version=4)) parser.add_argument('--projid', '-P', required=True)
response = requests.get( parser.add_argument('--tatu-url', default= 'http://127.0.0.1:18322',
server + '/authorities/' + auth_id) help='URL of the Tatu API')
assert response.status_code == 200 args = parser.parse_args()
auth = json.loads(response.content)
print auth try:
auth_id = str(uuid.UUID(args.projid, version=4))
except:
print '--projid should be the UUID of a Tatu CA (usually a cloud tenant/project).'
exit()
server = args.tatu_url
response = requests.get(server + '/authorities/' + auth_id)
if response.status_code != 200:
print 'Failed to retrieve the CA keys.'
print response.content

70
scripts/get-user-cert Normal file → Executable file
View File

@ -1,56 +1,56 @@
#!/usr/bin/env python
import argparse
import json import json
import requests
import os import os
import requests
import subprocess import subprocess
import uuid import uuid
from Crypto.PublicKey import RSA from Crypto.PublicKey import RSA
keyfile = '/opt/stack/.ssh/mykey' parser = argparse.ArgumentParser(description='Get a user certificate from Tatu API.')
user_id = str(uuid.uuid4()) parser.add_argument('--projid', '-P', required=True)
auth_id = str(uuid.UUID('0852c6cd6209425c88de582acbcd1170', version=4)) parser.add_argument('--pubkeyfile', '-K', required=True)
key = RSA.generate(2048) parser.add_argument('--userid', '-U', required=True)
keytxt = key.exportKey('PEM') parser.add_argument('--tatu-url', default= 'http://127.0.0.1:18322',
pubkeytxt = key.publickey().exportKey('OpenSSH') help='URL of the Tatu API')
server = 'http://127.0.0.1:18321' args = parser.parse_args()
if not os.path.isfile(args.pubkeyfile):
print '--pubkeyfile must point to a valid public key.'
exit()
try:
auth_id = str(uuid.UUID(args.projid, version=4))
except:
print '--projid should be the UUID of a Tatu CA (usually a cloud tenant/project).'
exit()
try:
user_id = str(uuid.UUID(args.userid, version=4))
except:
print '--userid should be the UUID of a user with permissions in the cloud project.'
exit()
with open(args.pubkeyfile, 'r') as f:
pubkeytext = f.read()
server = args.tatu_url
user = { user = {
'user_id': user_id, 'user_id': user_id,
'auth_id': auth_id, 'auth_id': auth_id,
'key.pub': pubkeytxt 'key.pub': pubkeytext
} }
response = requests.post( response = requests.post(
server + '/usercerts', server + '/usercerts',
data=json.dumps(user) data=json.dumps(user)
) )
assert response.status_code == 201 if response.status_code != 201:
print 'Failed: ' + response
exit()
assert 'location' in response.headers assert 'location' in response.headers
location = response.headers['location'] location = response.headers['location']
print location
response = requests.get(server + location) response = requests.get(server + location)
usercert = json.loads(response.content) usercert = json.loads(response.content)
assert 'user_id' in usercert
assert usercert['user_id'] == user_id
assert 'fingerprint' in usercert
assert 'auth_id' in usercert
au = str(uuid.UUID(usercert['auth_id'], version=4))
assert au == auth_id
assert 'key-cert.pub' in usercert
# Write the user's ID print usercert['key-cert.pub']
with open(keyfile + '_user_id', 'w') as f:
f.write(user_id)
# Write the user private key
with open(keyfile, 'w') as f:
f.write(keytxt)
os.chmod(keyfile, 0600)
# Write the user public key
with open(keyfile + '.pub', 'w') as f:
f.write(pubkeytxt)
# Write the user certificate
with open(keyfile + '-cert.pub', 'w') as f:
f.write(usercert['key-cert.pub'])

View File

@ -20,3 +20,6 @@ classifier =
Development Status :: 3 - Alpha Development Status :: 3 - Alpha
keywords = ssh certificate bastion keywords = ssh certificate bastion
[entry_points]
console_scripts =
tatu-notify = tatu.notifications:main

View File

@ -51,7 +51,7 @@ def createUserCert(session, user_id, auth_id, pub):
fingerprint = sshpubkeys.SSHKey(pub).hash_md5() fingerprint = sshpubkeys.SSHKey(pub).hash_md5()
certRecord = session.query(UserCert).get([user_id, fingerprint]) certRecord = session.query(UserCert).get([user_id, fingerprint])
if certRecord is not None: if certRecord is not None:
raise falcon.HTTPConflict('This public key is already signed.') return certRecord
cert = generateCert(auth.user_key, pub, principals='admin,root') cert = generateCert(auth.user_key, pub, principals='admin,root')
if cert is None: if cert is None:
raise falcon.HTTPInternalServerError("Failed to generate the certificate") raise falcon.HTTPInternalServerError("Failed to generate the certificate")