def __init__(self, configpath):
self.config = config.Config(configpath)
self.loglevel = self.get_level(self.config.get_value("LOG", "level"))
# create logger
root = logging.getLogger()
root.handlers.clear() # workaround for default stdout handler
root.setLevel(self.loglevel)
# create formatter and add it to the handlers
formatter = logging.Formatter(
'[%(asctime)s] [%(levelname)s] [%(filename)s:%(lineno)d] %(message)s'
)
# create console handler -> logs are always written to stdout
if bool(self.config.get_value("LOG", "to_stdout")):
std_handler = logging.StreamHandler(stdout)
std_handler.setLevel(self.loglevel)
std_handler.setFormatter(formatter)
root.addHandler(std_handler)
# create file handler if enabled in configuration
if bool(self.config.get_value("LOG", "to_files")):
# create log filepath if not exists
utility.create_folder_if_not_exists(
self.config.get_value("LOG", "filepath"))
file_handler = logging.FileHandler(
self.config.get_value("LOG", "filepath") + "/" +
self.config.get_value("LOG", "filename"))
file_handler.setLevel(self.loglevel)
file_handler.setFormatter(formatter)
root.addHandler(file_handler)
def restore(self):
log.logging.debug("Starting Firewall Rule Restore...")
filepath = self.config.getValue("BACKUP", "filepath")
utility.create_folder_if_not_exists(filepath)
log.logging.debug("Restoring ipv4 rules...")
filename = self.config.getValue("BACKUP", "ipv4filename")
os.system(self.iptables_bin_restore + " < " + filepath + "/" +
filename)
if self.ipv6 == True:
log.logging.debug("Restoring ipv6 rules...")
filename = self.config.getValue("BACKUP", "ipv6filename")
os.system(self.ip6tables_bin_restore + " < " + filepath + "/" +
filename)
def __init__(self,
relative_path_to_ca_root="./CA",
root_ca_configuration=None):
# logging
if not os.path.exists(self.TMP):
os.makedirs(self.TMP)
self.logfile = open(self.LOG_FILENAME, "a+")
self.l = Logger(self.logfile, self.LOG_LEVEL, str(os.getpid()))
self.l.add_writer(sys.stdout, self.LOG_LEVEL)
self.output = open(self.OUTPUT_FILENAME, "a+")
self.l.add_writer(self.output, self.OUTPUT_LOGLEVEL)
# Paths
self.relative_path_to_ca_root = relative_path_to_ca_root
self.relative_path_to_the_intermediate_directory = self.relative_path_to_ca_root + self.INTERMEDIATE_PATH
self.ca_private_path = self.relative_path_to_ca_root + self.PRIVATE_PATH
# CA parameters
self.ca_names = ["irisca1", "irisca2"]
if root_ca_configuration is not None:
self.root_ca_configuration = root_ca_configuration
# Hardcoded commands: TODO: Refactor me to a command builder-pattern
self.ECDSA_parameters_command = CA_OPENSSL_PATH + " ecparam -name secp384r1 -out " + self.ca_private_path + "/curve_secp384r1.pem"
self.ECDSA_dump_parameters = CA_OPENSSL_PATH + " ecparam -in " + self.ca_private_path + "/curve_secp384r1.pem -text -param_enc explicit -noout"
self.CA_generate_keys_command = CA_OPENSSL_PATH + " ecparam -out " + self.ca_private_path + "/cakey.pem -genkey -name secp384r1 -noout"
self.list_key_file_command = CA_OPENSSL_PATH + " ec -in " + self.ca_private_path + "/cakey.pem -text -noout"
self.generate_certificate_command = CA_OPENSSL_PATH + " req -new -batch -x509 -sha256 -key " + self.ca_private_path + "/cakey.pem -config " + os.path.join(self.relative_path_to_ca_root, 'openssl.cnf') + " " + \
"-days " + str(
CA_ROOT_CERTIFICATE_VALIDITY_DAYS) + " -out " + self.ca_private_path + "/cacert.pem -outform PEM"
self.test_certificate_command = CA_OPENSSL_PATH + " x509 -purpose -in " + self.ca_private_path + "/cacert.pem -inform PEM"
self.convert_certificate_to_der_command = CA_OPENSSL_PATH + " x509 -in " + self.ca_private_path + "/cacert.pem -out " + self.ca_private_path + "/cacert.der -outform DER"
self.dump_ca_certificate_command = CA_OPENSSL_PATH + " x509 -in " + self.ca_private_path + "/cacert.der -inform DER -text -noout"
# Intermediate parameters
self.intermediate_ca_names = ["sub-ca-air", "sub-ca-gnd"]
self.lastOperationOutput = None
# Create file structures
# ROOT CA STRUCTURE
create_folder_if_not_exists(self.TMP)
if root_ca_configuration is not None:
self.create_subfolder_structure_for_a_given_ca(
relative_path_to_ca_root, True)
for sub_ca in self.intermediate_ca_names:
self.create_subfolder_structure_for_a_given_ca(
self.relative_path_to_the_intermediate_directory + "/" +
sub_ca, False)
def save(self):
log.logging.debug("Starting Firewall Rule Backup...")
# Create Backup Directory if not exists
filepath = self.config.getValue("BACKUP", "filepath")
utility.create_folder_if_not_exists(filepath)
# backing up ipv4 iptables rules
log.logging.debug("Backing up ipv4 rules...")
filename = self.config.getValue("BACKUP", "ipv4filename")
with open(filepath + "/" + filename, 'w'):
pass
os.system(self.iptables_bin_save +
" | while read IN ; do echo $IN >> " + filepath + "/" +
filename + " ; done")
# backing up ipv6 iptables rules
if self.ipv6 == True:
log.logging.debug("Backing up ipv6 rules...")
filename = self.config.getValue("BACKUP", "ipv6filename")
with open(filepath + "/" + filename, 'w'):
pass
os.system(self.ip6tables_bin_save +
" | while read IN ; do echo $IN >> " + filepath + "/" +
filename + " ; done")
def ensure_rules_files(config):
for ruletype in ["blacklist", "whitelist", "tcp", "udp"]:
filepath = config.getValue("RULES", "filepath")
filename = config.getValue("RULES", ruletype)
utility.create_folder_if_not_exists(filepath)
utility.create_file_if_not_exists(filepath + "/" + filename)
def create_subfolder_structure_for_a_given_ca(self, ca_path, is_ca):
create_folder_if_not_exists(ca_path)
create_folder_if_not_exists(ca_path + self.CERTS_PATH)
create_folder_if_not_exists(ca_path + self.CRL_PATH)
create_folder_if_not_exists(ca_path + self.NEW_CERTS_PATH)
create_folder_if_not_exists(ca_path + self.PRIVATE_PATH)
with open(ca_path + "/index.txt", "w+") as touchFile:
pass
with open(ca_path + "/serial", "w+") as writeFile:
writeFile.write("1000")
if not is_ca:
with open(ca_path + "/crlnumber", "w+") as writeFile:
writeFile.write("1000")
create_folder_if_not_exists(ca_path + "/csr")
configuration = create_ca_configuration(
ca_path.rsplit("/", 1)[-1], self.relative_path_to_ca_root)
configuration.add_writer(open(ca_path + "/" + "openssl.cnf", "w+"))
configuration.policy = "signing_policy_air"
configuration.write_config_file()
configuration.cleanup()
else:
create_folder_if_not_exists(
self.relative_path_to_the_intermediate_directory)
self.root_ca_configuration.add_writer(
open(self.relative_path_to_ca_root + "/" + "openssl.cnf",
"w+"))
self.root_ca_configuration.write_config_file()
self.root_ca_configuration.cleanup()