Example #1
0
 def ensureCertificateExists(self, name):
     certname = "%s-cert.pem" % name
     keyname = "%s-key.pem" % name
     reqname = "%s-req.pem" % name
     if self.hasfile(certname) and self.hasfile(keyname):
         return True
     # No cert/key in repository
     log_info("Creating certificate for %s" % name)
     sParams = self.getCAParameters().copy()
     sParams["CN"] = name
     sParams["emailAddress"] = "root@%s" % \
             config_get_required("network", "domain")
     # Generate the new key / request
     (csr, key) = createKey(0, sParams)
     # Get it signed
     cert = self.signReq(csr)
     # Add it to the repository for safe-keeping
     try:
         a = self.addfile(certname, cert)
         b = self.addfile(keyname, key)
         c = self.addfile(reqname, csr)
         self.checkin("Added %s certificate and key" % name, [a, b, c])
         return True
     except ccs_ca_error:
         (type, value, tb) = sys.exc_info()
         log_error("CA: Failed to create key for %s: %s" % \
                 (name, value), (type, value, tb))
     
     return False
Example #2
0
    def initialiseService():
        """Called by the system the very first time the service is loaded.

        This should setup an entry in the service table and load any default
        service properties into the service_prop table.
        """
        session = getSessionE(ADMIN_SESSION_ID)
        session.begin("initialising RADIUS service")        
        try:

            session.execute("INSERT INTO service (service_id, service_name, " \
                    "enabled) VALUES (DEFAULT, %s, DEFAULT)", \
                    (radius_service.serviceName))
            service_id = session.getCountOf("SELECT currval('" \
                    "service_service_id_seq') AS server_id", ())
            default_ip = getIP(config_get_required("network", "server_name"))
            session.execute("INSERT INTO service_prop (service_prop_id, " \
                "service_id, prop_name, prop_type, default_value, " \
                "required) VALUES (DEFAULT, %s, %s, 'string', %s, 'f')", \
                (service_id, AUTHIP_PROPERTY, default_ip))
            session.execute("INSERT INTO service_prop (service_prop_id, " \
                "service_id, prop_name, prop_type, default_value, " \
                "required) VALUES (DEFAULT, %s, %s, 'string', %s, 'f')", \
                (service_id, ACCTIP_PROPERTY, default_ip))
            session.execute("INSERT INTO service_prop (service_prop_id, " \
                "service_id, prop_name, prop_type, default_value, " \
                "required) VALUES (DEFAULT, %s, %s, 'integer', %s, 'f')", \
                (service_id, AUTHPORT_PROPERTY, 1812))
            session.execute("INSERT INTO service_prop (service_prop_id, " \
                "service_id, prop_name, prop_type, default_value, " \
                "required) VALUES (DEFAULT, %s, %s, 'integer', %s, 'f')", \
                (service_id, ACCTPORT_PROPERTY, 1813))
                
            # Commit the changese
            session.commit()
            
            log_info("Created radius service entries and tables in database")
        except:
            session.rollback()
            log_error("Unable to initialise radius database entries!", \
                    sys.exc_info())
            raise ccs_radius_error("Failed to setup database tables!")

        return service_id
Example #3
0
    def initConfFile(self):
        """Initialises the CA configuration file"""
        
        signdays = config_get("ca", "signdays", DEFAULT_SIGN_DAYS)
        site_name = config_get_required("network", "site_name")
        domain = config_get_required("network", "domain")
        
        fd = open("%s/ca.cnf" % self.rDir, "w")
        fd.write("""#
# OpenSSL configuration file for the CRCnet Configuration System CA

# This definition stops the following lines choking if HOME isn't
# defined.
HOME                    = .
RANDFILE                = $ENV::HOME/.rnd

####################################################################
[ ca ]
default_ca              = CA_default            # The default ca section

####################################################################
[ CA_default ]

dir                 = $ENV::CCS_CA_DIR      # Where everything is kept
certs               = $dir/certs            # Where the issued certs are kept
crl_dir             = $dir/crl              # Where the issued crl are kept
database            = $dir/index.txt        # database index file.
new_certs_dir       = $dir/certs            # default place for new certs.

certificate         = $dir/cacert.pem       # The CA certificate
private_key         = $dir/cakey.pem        # The private key
serial              = $dir/serial           # The current serial number
crlnumber           = $dir/crlnumber        # the current crl number
crl                 = $dir/crl.pem          # The current CRL
RANDFILE            = $dir/.rand            # private random number file

x509_extensions     = usr_cert              # The extentions to add to the cert
name_opt            = ca_default            # Subject Name options
cert_opt            = ca_default            # Certificate field options

default_days        = %s                    # how long to certify for
default_crl_days    = 30                    # how long before next CRL
default_md          = sha1                  # which md to use.
preserve            = no                    # keep passed DN ordering

policy          = policy_match

# For the CA policy
[ policy_match ]
countryName             = match
stateOrProvinceName     = optional
localityName            = optional
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

####################################################################
[ req ]
default_bits            = 1024
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions         = v3_ca  # Extensions to add to self signed certs
string_mask = nombstr

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = NZ
countryName_min                 = 2
countryName_max                 = 2

localityName                    = Locality Name (eg, city)

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = %s

organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = CRCnet Configuration System

commonName                      = Common Name (eg, YOUR name)
commonName_max                  = 64

emailAddress                    = Email Address
emailAddress_max                = 64

[ req_attributes ]
challengePassword               = A challenge password
challengePassword_min           = 4
challengePassword_max           = 20

unstructuredName                = An optional company name

# These extensions are added when 'ca' signs a request.
[ usr_cert ]
basicConstraints                = CA:FALSE

# nsCertType                    = server
# nsCertType                    = client

# This will be displayed in Netscape's comment listbox.
nsComment                       = "Signed by the CRCnet Configuration System"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier            = hash
authorityKeyIdentifier          = keyid,issuer

nsRevocationUrl                 = https://%s/certs/crl.pem

# Extensions to add to a certificate request
[ v3_req ]
basicConstraints        = CA:FALSE
keyUsage                = nonRepudiation, digitalSignature, keyEncipherment

# Extensions for a typical CA
[ v3_ca ]
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer:always
basicConstraints        = CA:true

# CRL extensions.
[ crl_ext ]
authorityKeyIdentifier  = keyid:always,issuer:always
""" % (signdays, site_name, domain))
        fd.close()
        client.svn_client_add("%s/ca.cnf" % self.rDir, False, \
                    self.ctx, self.pool)
        log_info("CA: Initialised configuration file")
        return
Example #4
0
def ifAccountThread():
    """Runs as a thread to account from traffic on an interface"""
    global _accountingInfo, _runIfAccount, nas_id, nas_ip
    global radius_update_interval, radius_acct_server, radius_auth_server

    try:
        # Is interface accounting enabled
        enabled = config_getboolean("accounting", "enabled", True)
        if not enabled:
            log_info("Interface accounting disabled.")
            return
        _runIfAccount = True

        # What interval shall we check hosts at
        check_interval = config_get("accounting", "check_interval", DEFAULT_CHECK_INTERVAL)
        radius_update_interval = config_getint("accounting", "update_interval", DEFAULT_UPDATE_INTERVAL)

        # Initialise the interface list
        default_user_file = "%s/accounting_users" % os.path.dirname(DEFAULT_CONFFILE)
        user_file = config_get("accounting", "user_file", default_user_file)
        if not os.path.exists(user_file):
            log_error("Interface accounting disabled. No user file: %s" % user_file)
            _runIfAccount = False
            return

        # Initialise the RADIUS connection
        try:
            dummy0 = getInterfaces(returnOne="dummy0")[0]
            dummy0ip = dummy0["address"].split("/")[0]
        except:
            log_error("Could not determine host loopback address!", sys.exc_info())
            dummy0ip = "127.0.0.1"
        acct_server = config_get("accounting", "acct_server", "radius")
        acct_secret = config_get_required("accounting", "acct_secret")
        auth_server = config_get("accounting", "auth_server", "radius")
        auth_secret = config_get_required("accounting", "auth_secret")
        nas_id = config_get("accounting", "nas_id", getFQDN())
        nas_ip = config_get("accounting", "nas_ip", dummy0ip)
        radius_acct_server = Client(server=acct_server, secret=acct_secret, dict=Dictionary(RADIUS_DICTIONARY))
        radius_auth_server = Client(server=auth_server, secret=auth_secret, dict=Dictionary(RADIUS_DICTIONARY))
        # FreeRADIUS at least auths based on IP address, make sure our
        # packets come from the right place
        radius_acct_server.bind((nas_ip, 0))
        radius_auth_server.bind((nas_ip, 0))

        # Read and parse the user file
        parseUserFile(user_file)

        # Initialise interface state
        initialiseInterfaceState()

        # Loop forever reading byte counters as appropriate
        while _runIfAccount:
            # wait a bit before checking
            time.sleep(check_interval)
            # Send any queued packets
            processRADIUSQueue()
            # Try and re-authenticate any dead interfaces
            for ifname, iface in _accountingInfo.items():
                if iface["authenticated"]:
                    continue
                age = time.time() - iface["last_auth_check"]
                if age > radius_update_interval:
                    doRADIUSAuthentication(ifname)
            # Update traffic details
            updateTrafficCounters()
            # Generate interim-updates
            processInterimUpdates()

    except:
        (etype, value, tb) = sys.exc_info()
        log_error("Exception in interface accounting thread! - %s" % value, (etype, value, tb))

    log_info("Exiting interface accounting thread")