LDAP auth support and flask internal config

This commit is contained in:
Stanislaw Pitucha 2014-03-25 14:41:54 +00:00
parent 76e4f0418d
commit 1a08cba3f8
5 changed files with 36 additions and 39 deletions

2
.gitignore vendored

@ -1,6 +1,6 @@
*.pyc
temp-*.crt
config.yaml
config.cfg
ephemeral_ca.egg-info
.venv
*.sw[op]

17
config.cfg.sample Normal file

@ -0,0 +1,17 @@
CA_CERT = "CA/root-ca.crt"
CA_KEY = "CA/root-ca-unwrapped.key"
SERIAL_FILE = "CA/serial"
CERTS_DIRECTORY = "certs"
VALID_HOURS = 24
SIGNING_HASH = "sha1"
BIND_HOST = "0.0.0.0"
BIND_PORT = 5000
DEBUG = True
LDAP_HOST = "aw2clouddc01.hpcloud.ms"
LDAP_DOMAIN = "hpcloud.ms"
LDAP_BASE = "CN=Users,DC=hpcloud,DC=ms"
BACKDOOR_AUTH = True
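Review bot: The sample ships with `BACKDOOR_AUTH = True` and `DEBUG = True`, so an operator who copies it unchanged gets a service that accepts the hard-coded credential in auth() and runs Flask with the debugger on while bound to `0.0.0.0`. Both should default to the safe side in a sample, `BACKDOOR_AUTH = False` and `DEBUG = False`, each with a one-line comment naming what turning it on enables. The LDAP_HOST, LDAP_DOMAIN and LDAP_BASE values look like a real internal directory rather than placeholders; `ldap.example.com` style values would keep site-specific details out of the repository. `SIGNING_HASH = "sha1"` is carried over from the old YAML sample but is still a weak default for certificate signing and deserves a comment pointing operators at a stronger digest.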


@ -1,11 +0,0 @@
ca_cert: "CA/root-ca.crt"
ca_key: "CA/root-ca-unwrapped.key"
serial_file: "CA/serial"
certs_directory: "certs"
valid_hours: 24
signing_hash: "sha1"
bind_host: "0.0.0.0"
bind_port: 5000
flask_debug: true


@ -12,25 +12,24 @@ import uuid
import yaml
from flask import Flask, request, redirect, Response
from flask.ext.ldap import LDAP
CONFIG = {}
app = Flask(__name__)
app.config.from_pyfile(os.environ.get('EPHEMERAL_CA_SETTINGS', 'config.cfg'))
ldap = LDAP(app)
def auth(user, secret):
if app.config['BACKDOOR_AUTH']:
return secret=='woot' and user=='woot'
#ToDo: Write some actual authentication routines.
def auth(secret,user,authtype):
if authtype == 'bypass-backdoor':
if secret=='woot' and user=='woot':
return True
return False
return ldap.ldap_login(user, secret)
def sign(csr,encoding):
if encoding != 'pem':
return False
with open(CONFIG['serial_file'], 'a+') as f:
with open(app.config['SERIAL_FILE'], 'a+') as f:
f.seek(0)
fcntl.lockf(f, fcntl.LOCK_EX)
serial = int(f.read() or "1")
@ -38,8 +37,8 @@ def sign(csr,encoding):
f.truncate(0)
f.write(str(serial+1))
ca = M2Crypto.X509.load_cert(CONFIG["ca_cert"])
key = M2Crypto.EVP.load_key(CONFIG["ca_key"])
ca = M2Crypto.X509.load_cert(app.config["CA_CERT"])
key = M2Crypto.EVP.load_key(app.config["CA_KEY"])
req = M2Crypto.X509.load_request_string(csr.encode('ascii'))
new_cert = M2Crypto.X509.X509()
@ -49,7 +48,7 @@ def sign(csr,encoding):
start_time = M2Crypto.ASN1.ASN1_UTCTIME()
start_time.set_time(now)
end_time = M2Crypto.ASN1.ASN1_UTCTIME()
end_time.set_time(now+(CONFIG['valid_hours']*60*60))
end_time.set_time(now+(app.config['VALID_HOURS']*60*60))
new_cert.set_not_before(start_time)
new_cert.set_not_after(end_time)
@ -59,11 +58,11 @@ def sign(csr,encoding):
new_cert.set_issuer(ca.get_subject())
new_cert.set_serial_number(serial)
new_cert.sign(key, CONFIG['signing_hash'])
new_cert.sign(key, app.config['SIGNING_HASH'])
new_cert.save(os.path.join(
CONFIG['certs_directory'],
'%06i-%s.crt' % (serial, new_cert.get_fingerprint(CONFIG['signing_hash']))))
app.config['CERTS_DIRECTORY'],
'%06i-%s.crt' % (serial, new_cert.get_fingerprint(app.config['SIGNING_HASH']))))
return new_cert.as_pem()
@ -89,7 +88,7 @@ def sign_request():
return 'Request is missing keys!\n', 500
"""
if not auth(request.form['secret'],request.form['user'],request.form['authtype']):
if not auth(request.form['user'], request.form['secret']):
return 'Authentication Failure\n', 403
cert = sign(request.form['csr'],request.form['encoding'])
@ -100,15 +99,7 @@ def sign_request():
return cert, 200
def read_config(path):
global CONFIG
with open(path, 'r') as f:
CONFIG = yaml.load(f)
def run_server():
read_config(sys.argv[1] if len(sys.argv) > 1 else 'config.yaml')
app.run(
debug=CONFIG['flask_debug'],
host=CONFIG['bind_host'],
port=CONFIG['bind_port'])
host=app.config['BIND_HOST'],
port=app.config['BIND_PORT'])
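Review bot: The rewritten auth() in the first hunk reads `app.config['BACKDOOR_AUTH']` with a plain subscript, so a config file that omits the key raises KeyError on every sign request instead of treating the bypass as disabled; `if app.config.get('BACKDOOR_AUTH', False):` fails closed. When the flag is on, the function returns the result of the `'woot'` comparison and never reaches `ldap.ldap_login`, so every real LDAP user is rejected while the bypass is enabled — if the flag is meant to add a test login on top of LDAP rather than replace it, return True only on a match and fall through to `return ldap.ldap_login(user, secret)`. The `secret` from the form is also handed to the LDAP bind unchecked; rejecting an empty secret before binding is worth adding, since many directories treat a bind with an empty password as an anonymous bind that succeeds, and whether flask-ldap guards against that is not visible here. sign() begins in this hunk but its body continues past it.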


@ -10,7 +10,7 @@ setup(
install_requires=[
'm2crypto',
'flask',
'PyYAML',
'flask-ldap',
'setuptools>=1.0',
],
setup_requires=[