Fix CLI scripts for getting user certificates and CA public keys.
parent
4c4e1159d7
commit
c425a3d26e
@ -1,14 +1,24 @@
|
||||
#!/usr/bin/env python
|
||||
|
||||
import argparse
|
||||
import json
|
||||
import requests
|
||||
import sys
|
||||
import uuid
|
||||
|
||||
server = 'http://172.24.4.1:18322'
|
||||
auth_id = str(uuid.UUID(sys.argv[1], version=4))
|
||||
response = requests.get(
|
||||
server + '/authorities/' + auth_id)
|
||||
assert response.status_code == 200
|
||||
auth = json.loads(response.content)
|
||||
print auth
|
||||
parser = argparse.ArgumentParser(description="Get the CA's public keys from Tatu API.")
|
||||
parser.add_argument('--projid', '-P', required=True)
|
||||
parser.add_argument('--tatu-url', default= 'http://127.0.0.1:18322',
|
||||
help='URL of the Tatu API')
|
||||
args = parser.parse_args()
|
||||
|
||||
try:
|
||||
auth_id = str(uuid.UUID(args.projid, version=4))
|
||||
except:
|
||||
print '--projid should be the UUID of a Tatu CA (usually a cloud tenant/project).'
|
||||
exit()
|
||||
|
||||
server = args.tatu_url
|
||||
response = requests.get(server + '/authorities/' + auth_id)
|
||||
if response.status_code != 200:
|
||||
print 'Failed to retrieve the CA keys.'
|
||||
print response.content
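Review bot: The success path prints nothing: the header's `+1,24` covers the whole new file and the last new lines are the `status_code != 200` branch, so the `auth = json.loads(response.content)` / `print auth` that followed the request in the old version has no counterpart — if that reading is right, the script fetches the CA keys and discards them. The failure branch also falls through instead of exiting, and `exit()` in the `except` hands status 0 back to a calling shell, so a wrapper cannot tell failure from success. Finish the script with `exit(1)` inside the `if` and `print json.loads(response.content)` after it. The bare `except:` around `uuid.UUID(args.projid, version=4)` should be `except ValueError:` so that a Ctrl-C is not reported as a bad project id; note also that `version=4` rewrites the version bits rather than validating them, so a non-v4 string is silently normalised into a different id.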
|
||||
|
70
scripts/get-user-cert
Normal file → Executable file
70
scripts/get-user-cert
Normal file → Executable file
@ -1,56 +1,56 @@
|
||||
#!/usr/bin/env python
|
||||
import argparse
|
||||
import json
|
||||
import requests
|
||||
import os
|
||||
import requests
|
||||
import subprocess
|
||||
import uuid
|
||||
from Crypto.PublicKey import RSA
|
||||
|
||||
keyfile = '/opt/stack/.ssh/mykey'
|
||||
user_id = str(uuid.uuid4())
|
||||
auth_id = str(uuid.UUID('0852c6cd6209425c88de582acbcd1170', version=4))
|
||||
key = RSA.generate(2048)
|
||||
keytxt = key.exportKey('PEM')
|
||||
pubkeytxt = key.publickey().exportKey('OpenSSH')
|
||||
server = 'http://127.0.0.1:18321'
|
||||
parser = argparse.ArgumentParser(description='Get a user certificate from Tatu API.')
|
||||
parser.add_argument('--projid', '-P', required=True)
|
||||
parser.add_argument('--pubkeyfile', '-K', required=True)
|
||||
parser.add_argument('--userid', '-U', required=True)
|
||||
parser.add_argument('--tatu-url', default= 'http://127.0.0.1:18322',
|
||||
help='URL of the Tatu API')
|
||||
args = parser.parse_args()
|
||||
|
||||
if not os.path.isfile(args.pubkeyfile):
|
||||
print '--pubkeyfile must point to a valid public key.'
|
||||
exit()
|
||||
try:
|
||||
auth_id = str(uuid.UUID(args.projid, version=4))
|
||||
except:
|
||||
print '--projid should be the UUID of a Tatu CA (usually a cloud tenant/project).'
|
||||
exit()
|
||||
try:
|
||||
user_id = str(uuid.UUID(args.userid, version=4))
|
||||
except:
|
||||
print '--userid should be the UUID of a user with permissions in the cloud project.'
|
||||
exit()
|
||||
|
||||
with open(args.pubkeyfile, 'r') as f:
|
||||
pubkeytext = f.read()
|
||||
|
||||
server = args.tatu_url
|
||||
|
||||
user = {
|
||||
'user_id': user_id,
|
||||
'auth_id': auth_id,
|
||||
'key.pub': pubkeytxt
|
||||
'key.pub': pubkeytext
|
||||
}
|
||||
|
||||
response = requests.post(
|
||||
server + '/usercerts',
|
||||
data=json.dumps(user)
|
||||
)
|
||||
assert response.status_code == 201
|
||||
if response.status_code != 201:
|
||||
print 'Failed: ' + response
|
||||
exit()
|
||||
|
||||
assert 'location' in response.headers
|
||||
location = response.headers['location']
|
||||
print location
|
||||
|
||||
response = requests.get(server + location)
|
||||
usercert = json.loads(response.content)
|
||||
assert 'user_id' in usercert
|
||||
assert usercert['user_id'] == user_id
|
||||
assert 'fingerprint' in usercert
|
||||
assert 'auth_id' in usercert
|
||||
au = str(uuid.UUID(usercert['auth_id'], version=4))
|
||||
assert au == auth_id
|
||||
assert 'key-cert.pub' in usercert
|
||||
|
||||
# Write the user's ID
|
||||
with open(keyfile + '_user_id', 'w') as f:
|
||||
f.write(user_id)
|
||||
|
||||
# Write the user private key
|
||||
with open(keyfile, 'w') as f:
|
||||
f.write(keytxt)
|
||||
os.chmod(keyfile, 0600)
|
||||
|
||||
# Write the user public key
|
||||
with open(keyfile + '.pub', 'w') as f:
|
||||
f.write(pubkeytxt)
|
||||
|
||||
# Write the user certificate
|
||||
with open(keyfile + '-cert.pub', 'w') as f:
|
||||
f.write(usercert['key-cert.pub'])
|
||||
print usercert['key-cert.pub']
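Review bot: `print 'Failed: ' + response` in the new failure branch raises TypeError, because `response` is a requests Response object, not a string; use `print 'Failed: ' + response.text` and leave with `exit(1)` so the caller sees a non-zero status. The `assert response.status_code == 201` directly above makes that branch unreachable if both lines are on the new side; the rendered page does not show which of the two was removed, but only one of the checks should survive. Both bare `except:` clauses around `uuid.UUID(...)` should be `except ValueError:`. If the key-writing block at the end of the script is kept on the new side, `keytxt`, `pubkeytxt` and the hard-coded `keyfile` no longer have a source once the local RSA generation is gone, so those writes would fail with NameError — worth confirming against the full new file.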
|
||||
|
@ -20,3 +20,6 @@ classifier =
|
||||
Development Status :: 3 - Alpha
|
||||
keywords = ssh certificate bastion
|
||||
|
||||
[entry_points]
|
||||
console_scripts =
|
||||
tatu-notify = tatu.notifications:main
|
||||
|
@ -51,7 +51,7 @@ def createUserCert(session, user_id, auth_id, pub):
|
||||
fingerprint = sshpubkeys.SSHKey(pub).hash_md5()
|
||||
certRecord = session.query(UserCert).get([user_id, fingerprint])
|
||||
if certRecord is not None:
|
||||
raise falcon.HTTPConflict('This public key is already signed.')
|
||||
return certRecord
|
||||
cert = generateCert(auth.user_key, pub, principals='admin,root')
|
||||
if cert is None:
|
||||
raise falcon.HTTPInternalServerError("Failed to generate the certificate")
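Review bot: Returning `certRecord` when a record for (user_id, fingerprint) already exists hands back the stored certificate without checking that its CA matches the `auth_id` of this request, so a request to sign a key under one CA can receive a certificate issued by another; the lookup keys on user and fingerprint only. If the record carries the CA id (the get-user-cert script asserts an `auth_id` field in the returned record, so it appears to), guard it before returning: `if certRecord.auth_id != auth_id: raise falcon.HTTPConflict('This public key is already signed by another CA.')` — attribute name to be confirmed against the model. Whether the `raise`/`return` pair shows the conflict being replaced by a replay or the other way round is not recoverable from the rendered page; if the return is the new behaviour, the caller's response (201 with a Location, judging by the CLI script) should likely be 200 for a replayed record. createUserCert starts before and continues after this hunk.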
|
||||
|