Fix CLI scripts for getting user certificates and CA public keys.

This commit is contained in:
Pino de Candia 2017-12-01 22:51:39 +00:00
parent 4c4e1159d7
commit c425a3d26e
4 changed files with 59 additions and 46 deletions

View File

@ -1,14 +1,24 @@
#!/usr/bin/env python
import argparse
import json
import requests
import sys
import uuid
server = 'http://172.24.4.1:18322'
auth_id = str(uuid.UUID(sys.argv[1], version=4))
response = requests.get(
server + '/authorities/' + auth_id)
assert response.status_code == 200
auth = json.loads(response.content)
print auth
parser = argparse.ArgumentParser(description="Get the CA's public keys from Tatu API.")
parser.add_argument('--projid', '-P', required=True)
parser.add_argument('--tatu-url', default= 'http://127.0.0.1:18322',
help='URL of the Tatu API')
args = parser.parse_args()
try:
auth_id = str(uuid.UUID(args.projid, version=4))
except:
print '--projid should be the UUID of a Tatu CA (usually a cloud tenant/project).'
exit()
server = args.tatu_url
response = requests.get(server + '/authorities/' + auth_id)
if response.status_code != 200:
print 'Failed to retrieve the CA keys.'
print response.content

70
scripts/get-user-cert Normal file → Executable file
View File

@ -1,56 +1,56 @@
#!/usr/bin/env python
import argparse
import json
import requests
import os
import requests
import subprocess
import uuid
from Crypto.PublicKey import RSA
keyfile = '/opt/stack/.ssh/mykey'
user_id = str(uuid.uuid4())
auth_id = str(uuid.UUID('0852c6cd6209425c88de582acbcd1170', version=4))
key = RSA.generate(2048)
keytxt = key.exportKey('PEM')
pubkeytxt = key.publickey().exportKey('OpenSSH')
server = 'http://127.0.0.1:18321'
parser = argparse.ArgumentParser(description='Get a user certificate from Tatu API.')
parser.add_argument('--projid', '-P', required=True)
parser.add_argument('--pubkeyfile', '-K', required=True)
parser.add_argument('--userid', '-U', required=True)
parser.add_argument('--tatu-url', default= 'http://127.0.0.1:18322',
help='URL of the Tatu API')
args = parser.parse_args()
if not os.path.isfile(args.pubkeyfile):
print '--pubkeyfile must point to a valid public key.'
exit()
try:
auth_id = str(uuid.UUID(args.projid, version=4))
except:
print '--projid should be the UUID of a Tatu CA (usually a cloud tenant/project).'
exit()
try:
user_id = str(uuid.UUID(args.userid, version=4))
except:
print '--userid should be the UUID of a user with permissions in the cloud project.'
exit()
with open(args.pubkeyfile, 'r') as f:
pubkeytext = f.read()
server = args.tatu_url
user = {
'user_id': user_id,
'auth_id': auth_id,
'key.pub': pubkeytxt
'key.pub': pubkeytext
}
response = requests.post(
server + '/usercerts',
data=json.dumps(user)
)
assert response.status_code == 201
if response.status_code != 201:
print 'Failed: ' + response
exit()
assert 'location' in response.headers
location = response.headers['location']
print location
response = requests.get(server + location)
usercert = json.loads(response.content)
assert 'user_id' in usercert
assert usercert['user_id'] == user_id
assert 'fingerprint' in usercert
assert 'auth_id' in usercert
au = str(uuid.UUID(usercert['auth_id'], version=4))
assert au == auth_id
assert 'key-cert.pub' in usercert
# Write the user's ID
with open(keyfile + '_user_id', 'w') as f:
f.write(user_id)
# Write the user private key
with open(keyfile, 'w') as f:
f.write(keytxt)
os.chmod(keyfile, 0600)
# Write the user public key
with open(keyfile + '.pub', 'w') as f:
f.write(pubkeytxt)
# Write the user certificate
with open(keyfile + '-cert.pub', 'w') as f:
f.write(usercert['key-cert.pub'])
print usercert['key-cert.pub']

View File

@ -20,3 +20,6 @@ classifier =
Development Status :: 3 - Alpha
keywords = ssh certificate bastion
[entry_points]
console_scripts =
tatu-notify = tatu.notifications:main

View File

@ -51,7 +51,7 @@ def createUserCert(session, user_id, auth_id, pub):
fingerprint = sshpubkeys.SSHKey(pub).hash_md5()
certRecord = session.query(UserCert).get([user_id, fingerprint])
if certRecord is not None:
raise falcon.HTTPConflict('This public key is already signed.')
return certRecord
cert = generateCert(auth.user_key, pub, principals='admin,root')
if cert is None:
raise falcon.HTTPInternalServerError("Failed to generate the certificate")