diff --git a/files/tatu.service b/files/tatu.service new file mode 100644 index 0000000..95d64e5 --- /dev/null +++ b/files/tatu.service @@ -0,0 +1,14 @@ +[Unit] +Description=OpenStack SSH certificates and bastions +After=syslog.target network.target + +[Service] +Type=simple +NotifyAccess=all +TimeoutStartSec=0 +Restart=always +User=tatu +ExecStart=/usr/bin/tatu + +[Install] +WantedBy=multi-user.target \ No newline at end of file diff --git a/tatu/api/models.py b/tatu/api/models.py index 24b11e8..5bc05c5 100644 --- a/tatu/api/models.py +++ b/tatu/api/models.py @@ -69,9 +69,9 @@ class Authority(object): if auth is None: resp.status = falcon.HTTP_NOT_FOUND return - user_key = RSA.importKey(auth.user_key) + user_key = RSA.importKey(db.getAuthUserKey(auth)) user_pub_key = user_key.publickey().exportKey('OpenSSH') - host_key = RSA.importKey(auth.host_key) + host_key = RSA.importKey(db.getAuthHostKey(auth)) host_pub_key = host_key.publickey().exportKey('OpenSSH') body = { 'auth_id': auth_id, diff --git a/tatu/castellan/__init__.py b/tatu/castellan/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/tatu/castellan/config.py b/tatu/castellan/config.py new file mode 100644 index 0000000..1576b57 --- /dev/null +++ b/tatu/castellan/config.py @@ -0,0 +1,52 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from tatu.castellan import options as castellan +from oslo_config import cfg + +#from sahara.utils.openstack import base as utils + + +opts = [ + cfg.BoolOpt('use_barbican_key_manager', default=False, + help='Enable the usage of the OpenStack Key Management ' + 'service provided by barbican.'), +] + +castellan_opts = [ + cfg.StrOpt('barbican_api_endpoint', + help='The endpoint to use for connecting to the barbican ' + 'api controller. By default, castellan will use the ' + 'URL from the service catalog.'), + cfg.StrOpt('barbican_api_version', default='v1', + help='Version of the barbican API, for example: "v1"'), +] + +castellan_group = cfg.OptGroup(name='castellan', + title='castellan key manager options') + +CONF = cfg.CONF +CONF.register_group(castellan_group) +CONF.register_opts(opts) +CONF.register_opts(castellan_opts, group=castellan_group) + + +def validate_config(): + if CONF.use_barbican_key_manager: + # NOTE (elmiko) there is no need to set the api_class as castellan + # uses barbican by default. + #castellan.set_defaults(CONF, auth_endpoint=utils.retrieve_auth_url()) + castellan.set_defaults(CONF) + else: + castellan.set_defaults(CONF, api_class='tatu.castellan.' + 'tatu_key_manager.TatuKeyManager') \ No newline at end of file diff --git a/tatu/castellan/tatu_key_manager.py b/tatu/castellan/tatu_key_manager.py new file mode 100644 index 0000000..488c366 --- /dev/null +++ b/tatu/castellan/tatu_key_manager.py @@ -0,0 +1,68 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from castellan.common.objects import passphrase as key +from castellan.key_manager import key_manager as km + + +"""tatu.castellan.tatu_key_manager +This module contains the KeyManager class that will be used by the +castellan library, it is not meant for direct usage within tatu. +""" + + +class TatuKeyManager(km.KeyManager): + """Tatu specific key manager + This manager is a thin wrapper around the secret being stored. It is + intended for backward compatible use only. It will not store keys + or generate UUIDs but instead return the secret that is being stored. + This behavior allows Tatu to continue storing secrets in its database + while using the Castellan key manager abstraction. + """ + def __init__(self, configuration=None): + pass + + def create_key(self, context, algorithm=None, length=0, + expiration=None, **kwargs): + """creates a key + algorithm, length, and expiration are unused by tatu keys. + """ + return key.Passphrase(passphrase=kwargs.get('passphrase', '')) + + def create_key_pair(self, *args, **kwargs): + pass + + def store(self, context, key, expiration=None, **kwargs): + """store a key + in normal usage a store_key will return the UUID of the key as + dictated by the key manager. Tatu would then store this UUID in + its database to use for retrieval. As tatu is not actually using + a key manager in this context it will return the key's payload for + storage. + """ + return key.get_encoded() + + def get(self, context, key_id, **kwargs): + """get a key + since tatu is not actually storing key UUIDs the key_id to this + function should actually be the key payload. this function will + simply return a new TatuKey based on that value. + """ + return key.Passphrase(passphrase=key_id) + + def delete(self, context, key_id, **kwargs): + """delete a key + as there is no external key manager, this function will not + perform any external actions. therefore, it won't change anything. + """ + pass \ No newline at end of file diff --git a/tatu/castellan/utils.py b/tatu/castellan/utils.py new file mode 100644 index 0000000..9799ff8 --- /dev/null +++ b/tatu/castellan/utils.py @@ -0,0 +1,52 @@ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from castellan.common.objects import passphrase +from castellan import key_manager + +from oslo_context import context + + +def delete_secret(id, ctx=None): + """delete a secret from the external key manager + :param id: The identifier of the secret to delete + :param ctx: The context, and associated authentication, to use with + this operation (defaults to the current context) + """ + if ctx is None: + ctx = context.current() + key_manager.API().delete(ctx, id) + + +def get_secret(id, ctx=None): + """get a secret associated with an id + :param id: The identifier of the secret to retrieve + :param ctx: The context, and associated authentication, to use with + this operation (defaults to the current context) + """ + if ctx is None: + ctx = context.current() + key = key_manager.API().get(ctx, id) + return key.get_encoded() + + +def store_secret(secret, ctx=None): + """store a secret and return its identifier + :param secret: The secret to store, this should be a string + :param ctx: The context, and associated authentication, to use with + this operation (defaults to the current context) + """ + if ctx is None: + ctx = context.current() + key = passphrase.Passphrase(secret) + return key_manager.API().store(ctx, key) \ No newline at end of file diff --git a/tatu/db/models.py b/tatu/db/models.py index 12d5f1c..b079412 100644 --- a/tatu/db/models.py +++ b/tatu/db/models.py @@ -1,12 +1,13 @@ from datetime import datetime +import falcon +import os import sqlalchemy as sa from sqlalchemy.ext.declarative import declarative_base from sqlalchemy.exc import IntegrityError -import falcon import sshpubkeys -import uuid -import os +from tatu.castellan.utils import get_secret, store_secret from tatu.utils import generateCert,random_uuid +import uuid from Crypto.PublicKey import RSA Base = declarative_base() @@ -21,10 +22,20 @@ class Authority(Base): def getAuthority(session, auth_id): return session.query(Authority).get(auth_id) +def getAuthUserKey(auth): + return get_secret(auth.user_key) + +def getAuthHostKey(auth): + return get_secret(auth.host_key) + def createAuthority(session, auth_id): + user_key = RSA.generate(2048).exportKey('PEM') + user_secret_id = store_secret(user_key) + host_key = RSA.generate(2048).exportKey('PEM') + host_secret_id = store_secret(host_key) auth = Authority(auth_id=auth_id, - user_key=RSA.generate(2048).exportKey('PEM'), - host_key=RSA.generate(2048).exportKey('PEM')) + user_key=user_secret_id, + host_key=host_secret_id) session.add(auth) try: session.commit() @@ -52,7 +63,7 @@ def createUserCert(session, user_id, auth_id, pub): certRecord = session.query(UserCert).get([user_id, fingerprint]) if certRecord is not None: return certRecord - cert = generateCert(auth.user_key, pub, principals='admin,root') + cert = generateCert(get_secret(auth.user_key), pub, principals='admin,root') if cert is None: raise falcon.HTTPInternalServerError("Failed to generate the certificate") user = UserCert( @@ -137,7 +148,7 @@ def createHostCert(session, token_id, host_id, pub): certRecord = session.query(HostCert).get([host_id, fingerprint]) if certRecord is not None: raise falcon.HTTPConflict('This public key is already signed.') - cert = generateCert(auth.host_key, pub, hostname=token.hostname) + cert = generateCert(get_secret(auth.host_key), pub, hostname=token.hostname) if cert == '': raise falcon.HTTPInternalServerError("Failed to generate the certificate") host = HostCert(host_id=host_id,