Compare commits

..

1 Commits

Author SHA1 Message Date
Emmanuel Garette bb5b32a435 add OpenSSH plugin 2021-05-22 16:45:44 +02:00
8 changed files with 17 additions and 154 deletions

1
debian/compat vendored
View File

@ -1 +0,0 @@
11

102
debian/control vendored
View File

@ -1,102 +0,0 @@
Source: lemur
Section: admin
Priority: extra
Maintainer: Cadoles <contact@cadoles.com>
Build-depends: debhelper (>=11),
python3-all,
python3-setuptools,
dh-python,
git,
npm
Standards-Version: 3.9.4
Homepage: https://forge.cadoles.com/Infra/lemur
Package: lemur
Architecture: any
Pre-Depends: dpkg, python3, ${misc:Pre-Depends}
Depends: ${python:Depends}, ${misc:Depends},
python3-lemur
Description: Lemur
Package: python3-lemur
Architecture: any
Pre-Depends: dpkg, python3, ${misc:Pre-Depends}
Depends: python3-acme,
python3-alembic,
python3-amqp,
python3-aniso8601,
python3-arrow,
python3-bcrypt,
python3-bs4,
python3-billiard,
python3-blinker,
python3-boto3,
python3-botocore,
python3-celery,
python3-certifi,
python3-cffi,
python3-chardet,
python3-click,
python3-cloudflare,
python3-dnspython,
python3-flask-bcrypt,
python3-flask-cors,
python3-flask-mail,
python3-flask-migrate,
python3-flask-principal,
python3-flask-restful,
python3-flask-script,
python3-flask-sqlalchemy,
python3-flask,
python3-future,
python3-gunicorn,
python3-hvac,
python3-idna,
python3-inflection,
python3-itsdangerous,
python3-jinja2,
python3-jmespath,
python3-josepy,
python3-kombu,
python3-lockfile,
python3-mako,
python3-markupsafe,
python3-marshmallow-sqlalchemy,
python3-ndg-httpsclient,
python3-paramiko,
python3-pem,
python3-psycopg2,
python3-pyasn1-modules,
python3-pyasn1,
python3-pycparser,
python3-jwt,
python3-nacl,
python3-openssl,
python3-rfc3339,
python3-dateutil,
python3-editor,
python3-pythonjsonlogger,
python3-ldap,
python3-tz,
python3-yaml,
python3-redis,
python3-requests-toolbelt,
python3-requests,
python3-retrying,
python3-s3transfer,
python3-six,
python3-soupsieve,
python3-sqlalchemy-utils,
python3-sqlalchemy,
python3-tabulate,
python3-urllib3,
python3-vine,
python3-werkzeug,
python3-xmltodict
Description: Lemur - library part
Package: lemur-static
Architecture: any
Pre-Depends: ${misc:Pre-Depends}
Depends: ${misc:Depends}
Description: static HTML/JS/CSS file

10
debian/copyright vendored
View File

@ -1,10 +0,0 @@
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: lemur
Upstream-Contact: Cadoles <contact@cadoles.com>
Source: https://forge.cadoles.com/Infra/lemur
Files: *
Copyright: Lemur
License: Apache-2.0 License
License: Apache-2.0 License

View File

@ -1,2 +0,0 @@
lemur/static/dist/* usr/share/lemur/static/
lemur/migrations usr/share/lemur

30
debian/rules vendored
View File

@ -1,30 +0,0 @@
#!/usr/bin/make -f
# See debhelper(7) (uncomment to enable)
# output every command that modifies files on the build system.
#DH_VERBOSE = 1
export PYBUILD_NAME = lemur
export PYBUILD_DISABLE_python3 = test
%:
# suppression requirements version of package
# only last version are supported by lemur
# but Ubuntu has not last version
sed -i "s/==\(\([[:digit:]]\)*\(\.\)*\)*//g" requirements.txt
# unecessary dependency
sed -i "s/zope.deferredimport/#zope.deferredimport/g" requirements.txt
dh $@ --with python3 --buildsystem=pybuild
override_dh_install:
rm -rf debian/python3-lemur/usr/lib/python*/dist-packages/lemur/static/
rm -rf debian/python3-lemur/usr/lib/python*/dist-packages/lemur/tests/
rm -rf debian/python3-lemur/usr/lib/python*/dist-packages/trustores
mkdir -p debian/lemur/usr
mv debian/python3-lemur/usr/bin debian/lemur/usr
dh_install
override_dh_auto_build:
npm install --unsafe-perm
node_modules/.bin/gulp build
node_modules/.bin/gulp package --urlContextPath=lemur
dh_auto_build

View File

@ -1 +0,0 @@
3.0 (quilt)

View File

@ -373,7 +373,8 @@ class CertificateOutputSchema(LemurOutputSchema):
plugin = plugins.get(cert['authority']['plugin']['slug'])
if plugin:
plugin.wrap_certificate(cert)
del cert['root_authority']
if 'root_authority' in cert:
del cert['root_authority']
class CertificateShortOutputSchema(LemurOutputSchema):

View File

@ -48,10 +48,15 @@ def split_cert(body):
def sign_certificate(common_name, public_key, authority_private_key, user, extensions, not_before, not_after):
private_key = parse_private_key(authority_private_key).private_bytes(
encoding=serialization.Encoding.PEM,
format=serialization.PrivateFormat.OpenSSH,
encryption_algorithm=serialization.NoEncryption(),
).decode()
with mktempfile() as issuer_tmp:
cmd = ['ssh-keygen', '-s', issuer_tmp]
with open(issuer_tmp, 'w') as i:
i.writelines(authority_private_key)
i.writelines(private_key)
if 'extendedKeyUsage' in extensions and extensions['extendedKeyUsage'].get('useClientAuthentication'):
cmd.extend(['-I', user['username'] + ' user key',
'-n', user['username']])
@ -63,9 +68,9 @@ def sign_certificate(common_name, public_key, authority_private_key, user, exten
cmd.extend(['-I', common_name + ' host key',
'-n', ','.join(domains),
'-h'])
# something like 20201024
ssh_not_before = datetime.fromisoformat(not_before).strftime("%Y%m%d")
ssh_not_after = datetime.fromisoformat(not_after).strftime("%Y%m%d")
# something like 20201024102030
ssh_not_before = datetime.fromisoformat(not_before).strftime("%Y%m%d%H%M%S")
ssh_not_after = datetime.fromisoformat(not_after).strftime("%Y%m%d%H%M%S")
cmd.extend(['-V', ssh_not_before + ':' + ssh_not_after])
with mktempfile() as cert_tmp:
with open(cert_tmp, 'w') as f:
@ -102,6 +107,8 @@ class OpenSSHIssuerPlugin(CryptographyIssuerPlugin):
return cert_pem, private_key, chain_cert_pem, roles
def wrap_certificate(self, cert):
if 'body' not in cert:
return
# get public_key in OpenSSH format
public_key = parse_certificate(cert['body']).public_key().public_bytes(
encoding=serialization.Encoding.OpenSSH,
@ -109,10 +116,11 @@ class OpenSSHIssuerPlugin(CryptographyIssuerPlugin):
).decode()
public_key += ' ' + cert['user']['email']
# sign it with authority private key
if 'root_authority' in cert:
root_authority = cert['root_authority']
if 'root_authority' in cert and cert['root_authority']:
authority = cert['root_authority']
else:
root_authority = get_by_root_authority(cert['authority']['id'])
authority = cert['authority']
root_authority = get_by_root_authority(authority['id'])
authority_private_key = root_authority.private_key
cert['body'] = sign_certificate(
cert['common_name'],