Merge remote-tracking branch 'upstream/master'

This commit is contained in:
Curtis Castrapel 2018-06-12 08:08:01 -07:00
commit f9239b008e
5 changed files with 0 additions and 170 deletions

View File

@ -110,6 +110,5 @@ Subpackages
lemur.plugins.lemur_digicert
lemur.plugins.lemur_java
lemur.plugins.lemur_kubernetes
lemur.plugins.lemur_linuxdst
lemur.plugins.lemur_openssl
lemur.plugins.lemur_slack

View File

@ -1,5 +0,0 @@
try:
VERSION = __import__('pkg_resources') \
.get_distribution(__name__).version
except Exception as e:
VERSION = 'unknown'

View File

@ -1,83 +0,0 @@
#!/usr/bin/python
from lemur.plugins.bases import DestinationPlugin
from lemur.plugins.lemur_linuxdst import remote_host
class LinuxDstPlugin(DestinationPlugin):
title = 'Linux Destination Plugin'
slug = 'linux-destination'
description = 'Allow the distribution of certificates to a Linux host'
version = 1
author = 'Rick Breidenstein '
author_url = 'https://github.com/RickB17/'
options = [
{
'name': 'dstHost',
'type': 'str',
'required': True,
'helpMessage': 'This is the host you will be sending the certificate to',
},
{
'name': 'dstPort',
'type': 'int',
'required': True,
'helpMessage': 'This is the port SSHD is running on',
'default': '22'
},
{
'name': 'dstUser',
'type': 'str',
'required': True,
'helpMessage': 'The user name to use on the remote host. Hopefully not root.',
'default': 'root',
},
{
'name': 'dstPriv',
'type': 'str',
'required': True,
'helpMessage': 'The private key to use for auth',
'default': '/root/.ssh/id_rsa',
},
{
'name': 'dstPrivKey',
'type': 'str',
'required': False,
'helpMessage': 'The password for the destination private key',
'default': 'somethingsecret',
},
{
'name': 'dstDir',
'type': 'str',
'required': True,
'helpMessage': 'This is the directory on the host you want to send the certificate to',
'default': '/etc/nginx/certs/'
},
{
"available": [
"NGINX",
"3File"
],
"name": "exportType",
"required": True,
"value": "NGINX",
"helpMessage": "Reference the docs for an explanation of each export type",
"type": "select"
}
]
requires_key = False
def upload(self, name, body, private_key, cert_chain, options, **kwargs):
export_type = self.get_option('exportType', options)
dst_host = self.get_option('dstHost', options)
dst_host_port = self.get_option('dstPort', options)
dst_user = self.get_option('dstUser', options)
dst_priv = self.get_option('dstPriv', options)
dst_priv_key = self.get_option('dstPrivKey', options)
if dst_priv_key:
dst_priv_key = None
dst_dir = self.get_option('dstDir', options)
remote_host.create_cert(name, dst_dir, export_type, dst_user, dst_priv, dst_priv_key, dst_host, int(dst_host_port))

View File

@ -1,8 +0,0 @@
NOTE: AS OF 4/25/2017 DATA IN THIS PLUGIN IS NOT ENCRYPTED AT REST
example: If you input a password for a private key, it is stored in clear text
add this to the lemur.plugins entry_points in /www/lemur/setup.py
'linux_destination = lemur.plugins.lemur_linuxdst.plugin:LinuxDstPlugin',
note: DO NOT FORGET TO EXECUTE 'make release' and restart your service after modifying the setup.py

View File

@ -1,73 +0,0 @@
#!/usr/bin/python
from lemur.certificates import service
import paramiko
import stat
def copy_cert(cert_cn, dst_user, dst_priv, dst_priv_key, dst_host, dst_port, dst_dir, dst_file, dst_data):
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
# include the private key password if required
if dst_priv_key is None:
priv_key = paramiko.RSAKey.from_private_key_file(dst_priv)
else:
priv_key = paramiko.RSAKey.from_private_key_file(dst_priv, dst_priv_key)
# open the sftp connection
ssh.connect(dst_host, username=dst_user, port=dst_port, pkey=priv_key)
sftp = ssh.open_sftp()
# make the directory on the destination server
# files will be in a folder based on the cert_cn
# example:
# destination folder: /etc/nginx/certs/
# files will go in: /etc/nginx/certs/your.cn.com/cert.pem
try:
sftp.mkdir(dst_dir)
except IOError:
pass
try:
dst_dir_cn = dst_dir + '/' + cert_cn
sftp.mkdir(dst_dir_cn)
except IOError:
pass
cert_out = sftp.open(dst_dir_cn + '/' + dst_file, 'w')
cert_out.write(dst_data)
cert_out.close()
sftp.chmod(dst_dir_cn + '/' + dst_file, (stat.S_IRUSR))
ssh.close()
def create_cert(name, dst_dir, export_type, dst_user, dst_priv, dst_priv_key, dst_host, dst_host_port):
lem_cert = service.get_by_name(name)
dst_file = 'cert.pem'
chain_req = False
if export_type == 'NGINX':
# This process will result in a cert.pem file with the body and chain in a single file
if lem_cert.chain is None:
dst_data = lem_cert.body
else:
dst_data = lem_cert.body + '\n' + lem_cert.chain
chain_req = False
elif export_type == '3File':
# This process will results in three files. cert.pem, priv.key, chain.pem
dst_data = lem_cert.body
chain_req = True
else:
dst_data = lem_cert.body
copy_cert(lem_cert.cn, dst_user, dst_priv, dst_priv_key, dst_host, dst_host_port, dst_dir, dst_file, dst_data)
if chain_req is True:
dst_file = 'chain.pem'
dst_data = lem_cert.chain_req
copy_cert(lem_cert.cn, dst_user, dst_priv, dst_priv_key, dst_host, dst_host_port, dst_dir, dst_file, dst_data)
dst_file = 'priv.key'
dst_data = lem_cert.private_key
copy_cert(lem_cert.cn, dst_user, dst_priv, dst_priv_key, dst_host, dst_host_port, dst_dir, dst_file, dst_data)