Started integrating Castellan

This commit is contained in:
Pino de Candia 2017-12-07 13:54:19 -06:00
parent c425a3d26e
commit fa70477628
7 changed files with 206 additions and 9 deletions

14
files/tatu.service Normal file
View File

@ -0,0 +1,14 @@
[Unit]
Description=OpenStack SSH certificates and bastions
After=syslog.target network.target
[Service]
Type=simple
NotifyAccess=all
TimeoutStartSec=0
Restart=always
User=tatu
ExecStart=/usr/bin/tatu
[Install]
WantedBy=multi-user.target

View File

@ -69,9 +69,9 @@ class Authority(object):
if auth is None: if auth is None:
resp.status = falcon.HTTP_NOT_FOUND resp.status = falcon.HTTP_NOT_FOUND
return return
user_key = RSA.importKey(auth.user_key) user_key = RSA.importKey(db.getAuthUserKey(auth))
user_pub_key = user_key.publickey().exportKey('OpenSSH') user_pub_key = user_key.publickey().exportKey('OpenSSH')
host_key = RSA.importKey(auth.host_key) host_key = RSA.importKey(db.getAuthHostKey(auth))
host_pub_key = host_key.publickey().exportKey('OpenSSH') host_pub_key = host_key.publickey().exportKey('OpenSSH')
body = { body = {
'auth_id': auth_id, 'auth_id': auth_id,

View File

52
tatu/castellan/config.py Normal file
View File

@ -0,0 +1,52 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from tatu.castellan import options as castellan
from oslo_config import cfg
#from sahara.utils.openstack import base as utils
opts = [
cfg.BoolOpt('use_barbican_key_manager', default=False,
help='Enable the usage of the OpenStack Key Management '
'service provided by barbican.'),
]
castellan_opts = [
cfg.StrOpt('barbican_api_endpoint',
help='The endpoint to use for connecting to the barbican '
'api controller. By default, castellan will use the '
'URL from the service catalog.'),
cfg.StrOpt('barbican_api_version', default='v1',
help='Version of the barbican API, for example: "v1"'),
]
castellan_group = cfg.OptGroup(name='castellan',
title='castellan key manager options')
CONF = cfg.CONF
CONF.register_group(castellan_group)
CONF.register_opts(opts)
CONF.register_opts(castellan_opts, group=castellan_group)
def validate_config():
if CONF.use_barbican_key_manager:
# NOTE (elmiko) there is no need to set the api_class as castellan
# uses barbican by default.
#castellan.set_defaults(CONF, auth_endpoint=utils.retrieve_auth_url())
castellan.set_defaults(CONF)
else:
castellan.set_defaults(CONF, api_class='tatu.castellan.'
'tatu_key_manager.TatuKeyManager')

View File

@ -0,0 +1,68 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from castellan.common.objects import passphrase as key
from castellan.key_manager import key_manager as km
"""tatu.castellan.tatu_key_manager
This module contains the KeyManager class that will be used by the
castellan library, it is not meant for direct usage within tatu.
"""
class TatuKeyManager(km.KeyManager):
"""Tatu specific key manager
This manager is a thin wrapper around the secret being stored. It is
intended for backward compatible use only. It will not store keys
or generate UUIDs but instead return the secret that is being stored.
This behavior allows Tatu to continue storing secrets in its database
while using the Castellan key manager abstraction.
"""
def __init__(self, configuration=None):
pass
def create_key(self, context, algorithm=None, length=0,
expiration=None, **kwargs):
"""creates a key
algorithm, length, and expiration are unused by tatu keys.
"""
return key.Passphrase(passphrase=kwargs.get('passphrase', ''))
def create_key_pair(self, *args, **kwargs):
pass
def store(self, context, key, expiration=None, **kwargs):
"""store a key
in normal usage a store_key will return the UUID of the key as
dictated by the key manager. Tatu would then store this UUID in
its database to use for retrieval. As tatu is not actually using
a key manager in this context it will return the key's payload for
storage.
"""
return key.get_encoded()
def get(self, context, key_id, **kwargs):
"""get a key
since tatu is not actually storing key UUIDs the key_id to this
function should actually be the key payload. this function will
simply return a new TatuKey based on that value.
"""
return key.Passphrase(passphrase=key_id)
def delete(self, context, key_id, **kwargs):
"""delete a key
as there is no external key manager, this function will not
perform any external actions. therefore, it won't change anything.
"""
pass

52
tatu/castellan/utils.py Normal file
View File

@ -0,0 +1,52 @@
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from castellan.common.objects import passphrase
from castellan import key_manager
from oslo_context import context
def delete_secret(id, ctx=None):
"""delete a secret from the external key manager
:param id: The identifier of the secret to delete
:param ctx: The context, and associated authentication, to use with
this operation (defaults to the current context)
"""
if ctx is None:
ctx = context.current()
key_manager.API().delete(ctx, id)
def get_secret(id, ctx=None):
"""get a secret associated with an id
:param id: The identifier of the secret to retrieve
:param ctx: The context, and associated authentication, to use with
this operation (defaults to the current context)
"""
if ctx is None:
ctx = context.current()
key = key_manager.API().get(ctx, id)
return key.get_encoded()
def store_secret(secret, ctx=None):
"""store a secret and return its identifier
:param secret: The secret to store, this should be a string
:param ctx: The context, and associated authentication, to use with
this operation (defaults to the current context)
"""
if ctx is None:
ctx = context.current()
key = passphrase.Passphrase(secret)
return key_manager.API().store(ctx, key)

View File

@ -1,12 +1,13 @@
from datetime import datetime from datetime import datetime
import falcon
import os
import sqlalchemy as sa import sqlalchemy as sa
from sqlalchemy.ext.declarative import declarative_base from sqlalchemy.ext.declarative import declarative_base
from sqlalchemy.exc import IntegrityError from sqlalchemy.exc import IntegrityError
import falcon
import sshpubkeys import sshpubkeys
import uuid from tatu.castellan.utils import get_secret, store_secret
import os
from tatu.utils import generateCert,random_uuid from tatu.utils import generateCert,random_uuid
import uuid
from Crypto.PublicKey import RSA from Crypto.PublicKey import RSA
Base = declarative_base() Base = declarative_base()
@ -21,10 +22,20 @@ class Authority(Base):
def getAuthority(session, auth_id): def getAuthority(session, auth_id):
return session.query(Authority).get(auth_id) return session.query(Authority).get(auth_id)
def getAuthUserKey(auth):
return get_secret(auth.user_key)
def getAuthHostKey(auth):
return get_secret(auth.host_key)
def createAuthority(session, auth_id): def createAuthority(session, auth_id):
user_key = RSA.generate(2048).exportKey('PEM')
user_secret_id = store_secret(user_key)
host_key = RSA.generate(2048).exportKey('PEM')
host_secret_id = store_secret(host_key)
auth = Authority(auth_id=auth_id, auth = Authority(auth_id=auth_id,
user_key=RSA.generate(2048).exportKey('PEM'), user_key=user_secret_id,
host_key=RSA.generate(2048).exportKey('PEM')) host_key=host_secret_id)
session.add(auth) session.add(auth)
try: try:
session.commit() session.commit()
@ -52,7 +63,7 @@ def createUserCert(session, user_id, auth_id, pub):
certRecord = session.query(UserCert).get([user_id, fingerprint]) certRecord = session.query(UserCert).get([user_id, fingerprint])
if certRecord is not None: if certRecord is not None:
return certRecord return certRecord
cert = generateCert(auth.user_key, pub, principals='admin,root') cert = generateCert(get_secret(auth.user_key), pub, principals='admin,root')
if cert is None: if cert is None:
raise falcon.HTTPInternalServerError("Failed to generate the certificate") raise falcon.HTTPInternalServerError("Failed to generate the certificate")
user = UserCert( user = UserCert(
@ -137,7 +148,7 @@ def createHostCert(session, token_id, host_id, pub):
certRecord = session.query(HostCert).get([host_id, fingerprint]) certRecord = session.query(HostCert).get([host_id, fingerprint])
if certRecord is not None: if certRecord is not None:
raise falcon.HTTPConflict('This public key is already signed.') raise falcon.HTTPConflict('This public key is already signed.')
cert = generateCert(auth.host_key, pub, hostname=token.hostname) cert = generateCert(get_secret(auth.host_key), pub, hostname=token.hostname)
if cert == '': if cert == '':
raise falcon.HTTPInternalServerError("Failed to generate the certificate") raise falcon.HTTPInternalServerError("Failed to generate the certificate")
host = HostCert(host_id=host_id, host = HostCert(host_id=host_id,