def test_valid_key_valid_password():
ca = get_ssh_certificate_authority(RSA_CA_PRIVATE_KEY,
RSA_CA_PRIVATE_KEY_PASSWORD)
assert isinstance(ca, RSACertificateAuthority)
assert SSHPublicKeyType.RSA == ca.public_key_type
assert 65537 == ca.e
assert ca.get_signature_key() == RSA_CA_SSH_PUBLIC_KEY
def test_valid_rsa_request():
ca = get_ssh_certificate_authority(RSA_CA_PRIVATE_KEY,
RSA_CA_PRIVATE_KEY_PASSWORD)
cert_builder = get_ssh_certificate_builder(ca, SSHCertificateType.USER,
EXAMPLE_RSA_PUBLIC_KEY)
cert = cert_builder.get_cert_file()
assert isinstance(cert_builder, RSACertificateBuilder)
assert cert.startswith(SSHCertifiedKeyType.RSA)
def test_valid_key_missing_password():
with pytest.raises(TypeError):
get_ssh_certificate_authority(RSA_CA_PRIVATE_KEY)
def test_valid_key_not_encrypted():
ca = get_ssh_certificate_authority(RSA_CA_PRIVATE_KEY_NOT_ENCRYPTED)
assert SSHPublicKeyType.RSA == ca.public_key_type
assert 65537 == ca.e
def test_valid_key_valid_password():
ca = get_ssh_certificate_authority(RSA_CA_PRIVATE_KEY, RSA_CA_PRIVATE_KEY_PASSWORD)
assert isinstance(ca, RSACertificateAuthority)
assert SSHPublicKeyType.RSA == ca.public_key_type
assert 65537 == ca.e
assert ca.get_signature_key() == RSA_CA_SSH_PUBLIC_KEY
def lambda_handler(event,
context=None,
ca_private_key_password=None,
entropy_check=True,
config_file=os.path.join(os.path.dirname(__file__),
'bless_deploy.cfg')):
"""
This is the function that will be called when the lambda function starts.
:param event: Dictionary of the json request.
:param context: AWS LambdaContext Object
http://docs.aws.amazon.com/lambda/latest/dg/python-context-object.html
:param ca_private_key_password: For local testing, if the password is provided, skip the KMS
decrypt.
:param entropy_check: For local testing, if set to false, it will skip checking entropy and
won't try to fetch additional random from KMS
:param config_file: The config file to load the SSH CA private key from, and additional settings
:return: the SSH Certificate that can be written to id_rsa-cert.pub or similar file.
"""
# AWS Region determines configs related to KMS
region = os.environ['AWS_REGION']
# Load the deployment config values
config = BlessConfig(region, config_file=config_file)
logging_level = config.get(BLESS_OPTIONS_SECTION, LOGGING_LEVEL_OPTION)
numeric_level = getattr(logging, logging_level.upper(), None)
if not isinstance(numeric_level, int):
raise ValueError('Invalid log level: {}'.format(logging_level))
logger = logging.getLogger()
logger.setLevel(numeric_level)
certificate_validity_window_seconds = config.getint(
BLESS_OPTIONS_SECTION, CERTIFICATE_VALIDITY_WINDOW_SEC_OPTION)
entropy_minimum_bits = config.getint(BLESS_OPTIONS_SECTION,
ENTROPY_MINIMUM_BITS_OPTION)
random_seed_bytes = config.getint(BLESS_OPTIONS_SECTION,
RANDOM_SEED_BYTES_OPTION)
ca_private_key_file = config.get(BLESS_CA_SECTION,
CA_PRIVATE_KEY_FILE_OPTION)
password_ciphertext_b64 = config.getpassword()
# read the private key .pem
with open(os.path.join(os.path.dirname(__file__), ca_private_key_file),
'r') as f:
ca_private_key = f.read()
# decrypt ca private key password
if ca_private_key_password is None:
kms_client = boto3.client('kms', region_name=region)
ca_password = kms_client.decrypt(
CiphertextBlob=base64.b64decode(password_ciphertext_b64))
ca_private_key_password = ca_password['Plaintext']
# if running as a Lambda, we can check the entropy pool and seed it with KMS if desired
if entropy_check:
with open('/proc/sys/kernel/random/entropy_avail', 'r') as f:
entropy = int(f.read())
logger.debug(entropy)
if entropy < entropy_minimum_bits:
logger.info(
'System entropy was {}, which is lower than the entropy_'
'minimum {}. Using KMS to seed /dev/urandom'.format(
entropy, entropy_minimum_bits))
response = kms_client.generate_random(
NumberOfBytes=random_seed_bytes)
random_seed = response['Plaintext']
with open('/dev/urandom', 'w') as urandom:
urandom.write(random_seed)
# Process cert request
schema = BlessSchema(strict=True)
request = schema.load(event).data
# cert values determined only by lambda and its configs
current_time = int(time.time())
valid_before = current_time + certificate_validity_window_seconds
valid_after = current_time - certificate_validity_window_seconds
# Build the cert
ca = get_ssh_certificate_authority(ca_private_key, ca_private_key_password)
cert_builder = get_ssh_certificate_builder(ca, SSHCertificateType.USER,
request.public_key_to_sign)
cert_builder.add_valid_principal(request.remote_username)
cert_builder.set_valid_before(valid_before)
cert_builder.set_valid_after(valid_after)
# cert_builder is needed to obtain the ssh public key's fingerprint
key_id = 'request[{}] for[{}] from[{}] command[{}] ssh_key:[{}] ca:[{}] valid_to[{}]'.format(
context.aws_request_id, request.bastion_user, request.bastion_user_ip,
request.command, cert_builder.ssh_public_key.fingerprint,
context.invoked_function_arn,
time.strftime("%Y/%m/%d %H:%M:%S", time.gmtime(valid_before)))
cert_builder.set_critical_option_source_address(request.bastion_ip)
cert_builder.set_key_id(key_id)
cert = cert_builder.get_cert_file()
logger.info(
'Issued a cert to bastion_ip[{}] for the remote_username of [{}] with the key_id[{}] and '
'valid_from[{}])'.format(
request.bastion_ip, request.remote_username, key_id,
time.strftime("%Y/%m/%d %H:%M:%S", time.gmtime(valid_after))))
return cert
def test_invalid_ed25519_request():
with pytest.raises(TypeError):
ca = get_ssh_certificate_authority(RSA_CA_PRIVATE_KEY, RSA_CA_PRIVATE_KEY_PASSWORD)
get_ssh_certificate_builder(ca, SSHCertificateType.USER, EXAMPLE_ED25519_PUBLIC_KEY)
def lambda_handler(event,
context=None,
ca_private_key_password=None,
entropy_check=True,
config_file=os.path.join(os.path.dirname(__file__),
'bless_deploy.cfg')):
"""
This is the function that will be called when the lambda function starts.
:param event: Dictionary of the json request.
:param context: AWS LambdaContext Object
http://docs.aws.amazon.com/lambda/latest/dg/python-context-object.html
:param ca_private_key_password: For local testing, if the password is provided, skip the KMS
decrypt.
:param entropy_check: For local testing, if set to false, it will skip checking entropy and
won't try to fetch additional random from KMS
:param config_file: The config file to load the SSH CA private key from, and additional settings
:return: the SSH Certificate that can be written to id_rsa-cert.pub or similar file.
"""
# AWS Region determines configs related to KMS
region = os.environ['AWS_REGION']
# Load the deployment config values
config = BlessConfig(region, config_file=config_file)
logging_level = config.get(BLESS_OPTIONS_SECTION, LOGGING_LEVEL_OPTION)
numeric_level = getattr(logging, logging_level.upper(), None)
if not isinstance(numeric_level, int):
raise ValueError('Invalid log level: {}'.format(logging_level))
logger = logging.getLogger()
logger.setLevel(numeric_level)
certificate_validity_before_seconds = config.getint(
BLESS_OPTIONS_SECTION, CERTIFICATE_VALIDITY_BEFORE_SEC_OPTION)
certificate_validity_after_seconds = config.getint(
BLESS_OPTIONS_SECTION, CERTIFICATE_VALIDITY_AFTER_SEC_OPTION)
entropy_minimum_bits = config.getint(BLESS_OPTIONS_SECTION,
ENTROPY_MINIMUM_BITS_OPTION)
random_seed_bytes = config.getint(BLESS_OPTIONS_SECTION,
RANDOM_SEED_BYTES_OPTION)
ca_private_key = config.getprivatekey()
password_ciphertext_b64 = config.getpassword()
certificate_extensions = config.get(BLESS_OPTIONS_SECTION,
CERTIFICATE_EXTENSIONS_OPTION)
# Process cert request
schema = BlessSchema(strict=True)
schema.context[USERNAME_VALIDATION_OPTION] = config.get(
BLESS_OPTIONS_SECTION, USERNAME_VALIDATION_OPTION)
schema.context[REMOTE_USERNAMES_VALIDATION_OPTION] = config.get(
BLESS_OPTIONS_SECTION, REMOTE_USERNAMES_VALIDATION_OPTION)
try:
request = schema.load(event).data
except ValidationError as e:
return error_response('InputValidationError', str(e))
logger.info(
'Bless lambda invoked by [user: {0}, bastion_ips:{1}, public_key: {2}, kmsauth_token:{3}]'
.format(request.bastion_user, request.bastion_user_ip,
request.public_key_to_sign, request.kmsauth_token))
# decrypt ca private key password
if ca_private_key_password is None:
kms_client = boto3.client('kms', region_name=region)
try:
ca_password = kms_client.decrypt(
CiphertextBlob=base64.b64decode(password_ciphertext_b64))
ca_private_key_password = ca_password['Plaintext']
except ClientError as e:
return error_response('ClientError', str(e))
# if running as a Lambda, we can check the entropy pool and seed it with KMS if desired
if entropy_check:
with open('/proc/sys/kernel/random/entropy_avail', 'r') as f:
entropy = int(f.read())
logger.debug(entropy)
if entropy < entropy_minimum_bits:
logger.info(
'System entropy was {}, which is lower than the entropy_'
'minimum {}. Using KMS to seed /dev/urandom'.format(
entropy, entropy_minimum_bits))
response = kms_client.generate_random(
NumberOfBytes=random_seed_bytes)
random_seed = response['Plaintext']
with open('/dev/urandom', 'w') as urandom:
urandom.write(random_seed)
# cert values determined only by lambda and its configs
current_time = int(time.time())
test_user = config.get(BLESS_OPTIONS_SECTION, TEST_USER_OPTION)
if test_user and (request.bastion_user == test_user
or request.remote_usernames == test_user):
# This is a test call, the lambda will issue an invalid
# certificate where valid_before < valid_after
valid_before = current_time
valid_after = current_time + 1
bypass_time_validity_check = True
else:
valid_before = current_time + certificate_validity_after_seconds
valid_after = current_time - certificate_validity_before_seconds
bypass_time_validity_check = False
# Authenticate the user with KMS, if key is setup
if config.get(KMSAUTH_SECTION, KMSAUTH_USEKMSAUTH_OPTION):
if request.kmsauth_token:
try:
validator = KMSTokenValidator(
None, config.getkmsauthkeyids(),
config.get(KMSAUTH_SECTION, KMSAUTH_SERVICE_ID_OPTION),
region)
# decrypt_token will raise a TokenValidationError if token doesn't match
validator.decrypt_token(
"2/user/{}".format(request.remote_usernames),
request.kmsauth_token)
except TokenValidationError as e:
return error_response('KMSAuthValidationError', str(e))
else:
return error_response('InputValidationError',
'Invalid request, missing kmsauth token')
# Build the cert
ca = get_ssh_certificate_authority(ca_private_key, ca_private_key_password)
cert_builder = get_ssh_certificate_builder(ca, SSHCertificateType.USER,
request.public_key_to_sign)
for username in request.remote_usernames.split(','):
cert_builder.add_valid_principal(username)
cert_builder.set_valid_before(valid_before)
cert_builder.set_valid_after(valid_after)
if certificate_extensions:
for e in certificate_extensions.split(','):
if e:
cert_builder.add_extension(e)
else:
cert_builder.clear_extensions()
# cert_builder is needed to obtain the SSH public key's fingerprint
key_id = 'request[{}] for[{}] from[{}] command[{}] ssh_key[{}] ca[{}] valid_to[{}]'.format(
context.aws_request_id, request.bastion_user, request.bastion_user_ip,
request.command, cert_builder.ssh_public_key.fingerprint,
context.invoked_function_arn,
time.strftime("%Y/%m/%d %H:%M:%S", time.gmtime(valid_before)))
cert_builder.set_critical_option_source_addresses(request.bastion_ips)
cert_builder.set_key_id(key_id)
cert = cert_builder.get_cert_file(bypass_time_validity_check)
logger.info(
'Issued a cert to bastion_ips[{}] for remote_usernames[{}] with key_id[{}] and '
'valid_from[{}])'.format(
request.bastion_ips, request.remote_usernames, key_id,
time.strftime("%Y/%m/%d %H:%M:%S", time.gmtime(valid_after))))
return success_response(cert)
def test_invalid_key():
with pytest.raises(TypeError):
get_ssh_certificate_authority(b'bogus')
def test_invalid_ed25519_request():
with pytest.raises(TypeError):
ca = get_ssh_certificate_authority(RSA_CA_PRIVATE_KEY,
RSA_CA_PRIVATE_KEY_PASSWORD)
get_ssh_certificate_builder(ca, SSHCertificateType.USER,
EXAMPLE_ED25519_PUBLIC_KEY)
def lambda_handler(event, context=None, ca_private_key_password=None, okta_api_token=None,
entropy_check=True,
config_file=os.path.join(os.path.dirname(__file__), 'bless_deploy.cfg')):
"""
This is the function that will be called when the lambda function starts.
:param event: Dictionary of the json request.
:param context: AWS LambdaContext Object
http://docs.aws.amazon.com/lambda/latest/dg/python-context-object.html
:param ca_private_key_password: For local testing, if the password is provided, skip the KMS
decrypt.
:param entropy_check: For local testing, if set to false, it will skip checking entropy and
won't try to fetch additional random from KMS
:param config_file: The config file to load the SSH CA private key from, and additional settings
:return: the SSH Certificate that can be written to id_rsa-cert.pub or similar file.
"""
# AWS Region determines configs related to KMS
region = os.environ['AWS_REGION']
# Load the deployment config values
config = BlessConfig(region, config_file=config_file)
logger = logging.getLogger(__name__)
logging_level = config.get(BLESS_OPTIONS_SECTION, LOGGING_LEVEL_OPTION)
numeric_level = getattr(logging, logging_level.upper(), None)
if not isinstance(numeric_level, int):
raise ValueError('Invalid log level: {}'.format(logging_level))
logger.setLevel(numeric_level)
certificate_validity_before_seconds = config.getint(BLESS_OPTIONS_SECTION, CERTIFICATE_VALIDITY_BEFORE_SEC_OPTION)
certificate_validity_after_seconds = config.getint(BLESS_OPTIONS_SECTION, CERTIFICATE_VALIDITY_AFTER_SEC_OPTION)
certificate_breakglass_validity_before_seconds = config.getint(
BLESS_OPTIONS_SECTION,
CERTIFICATE_BREAKGLASS_BEFORE_SEC_OPTION
)
certificate_breakglass_validity_after_seconds = config.getint(
BLESS_OPTIONS_SECTION,
CERTIFICATE_BREAKGLASS_AFTER_SEC_OPTION
)
breakglass_user = config.get(BLESS_OPTIONS_SECTION, BREAKGLASS_USER_OPTION)
entropy_minimum_bits = config.getint(BLESS_OPTIONS_SECTION, ENTROPY_MINIMUM_BITS_OPTION)
random_seed_bytes = config.getint(BLESS_OPTIONS_SECTION, RANDOM_SEED_BYTES_OPTION)
ca_private_key_file = config.get(BLESS_CA_SECTION, CA_PRIVATE_KEY_FILE_OPTION)
password_ciphertext_b64 = config.getpassword()
certificate_extensions = config.get(BLESS_OPTIONS_SECTION, CERTIFICATE_EXTENSIONS_OPTION)
encrypted_okta_api_token = config.get(OKTA_OPTIONS_SECTION, ENCRYPTED_OKTA_API_TOKEN_OPTION)
okta_base_url = config.get(OKTA_OPTIONS_SECTION, OKTA_BASE_URL_OPTION)
okta_allowed_groups = config.get(OKTA_OPTIONS_SECTION, OKTA_ALLOWED_GROUPS_OPTION)
if okta_allowed_groups:
okta_allowed_groups = set(okta_allowed_groups.split(','))
logger.debug("Allowed okta groups: {}".format(okta_allowed_groups))
# Process cert request
schema = BlessSchema(strict=True)
try:
request = schema.load(event).data
except ValidationError as e:
return error_response('InputValidationError', str(e))
logger.info('Bless lambda invoked by okta user: {}@{}, bastion user: {}, kmsauth_token: {}]'.format(
request.okta_user,
request.bastion_user_ip,
request.bastion_user,
request.kmsauth_token)
)
# read the private key .pem
with open(os.path.join(os.path.dirname(__file__), ca_private_key_file), 'r') as f:
ca_private_key = f.read()
kms_client = boto3.client('kms', region_name=region)
# decrypt ca private key password
if ca_private_key_password is None:
try:
ca_password = kms_client.decrypt(
CiphertextBlob=base64.b64decode(password_ciphertext_b64))
ca_private_key_password = ca_password['Plaintext']
except ClientError as e:
return error_response('ClientError', str(e))
# decrypt okta api token
if okta_api_token is None:
try:
decrypted_okta_api_token = kms_client.decrypt(
CiphertextBlob=base64.b64decode(encrypted_okta_api_token))
okta_api_token = decrypted_okta_api_token['Plaintext']
except ClientError as e:
return error_response('ClientError', str(e))
'''
Fetch user context from Okta
* Username
* Groups
* SSH key
'''
# add extra property to Okta user profile schema
OktaUserProfile.types['public_key'] = str
okta_users_client = okta.UsersClient(okta_base_url, okta_api_token)
user = okta_users_client.get_user(request.okta_user)
groups_info = okta_users_client.get_user_groups(request.okta_user)
groups = set()
for group_info in groups_info:
# Encode unicode response from okta json api as a byte string to ease comparisons
groups.add(group_info.profile.name.encode('utf-8'))
logger.debug('User groups: {}'.format(groups))
allowed_groups = okta_allowed_groups
logger.debug('Whitelist groups: {}'.format(allowed_groups))
logger.debug('Matched groups: {}'.format(groups.intersection(allowed_groups)))
# If the len is greater than 0, breakglass will be false.
breakglass = not len(groups.intersection(allowed_groups))
public_key_to_sign = user.profile.public_key
if public_key_to_sign.startswith(VALID_SSH_RSA_PUBLIC_KEY_HEADER):
pass
else:
raise ValidationError('Invalid SSH Public Key.')
# if running as a Lambda, we can check the entropy pool and seed it with KMS if desired
if entropy_check:
with open('/proc/sys/kernel/random/entropy_avail', 'r') as f:
entropy = int(f.read())
logger.debug(entropy)
if entropy < entropy_minimum_bits:
logger.info(
'System entropy was {}, which is lower than the entropy_'
'minimum {}. Using KMS to seed /dev/urandom'.format(
entropy, entropy_minimum_bits))
response = kms_client.generate_random(
NumberOfBytes=random_seed_bytes)
random_seed = response['Plaintext']
with open('/dev/urandom', 'w') as urandom:
urandom.write(random_seed)
# cert values determined only by lambda and its configs
current_time = int(time.time())
test_user = config.get(BLESS_OPTIONS_SECTION, TEST_USER_OPTION)
if test_user and (request.bastion_user == test_user or request.remote_usernames == test_user):
# This is a test call, the lambda will issue an invalid
# certificate where valid_before < valid_after
valid_before = current_time
valid_after = current_time + 1
bypass_time_validity_check = True
else: # Normal user flow
bypass_time_validity_check = False
valid_before = current_time + certificate_validity_after_seconds
valid_after = current_time - certificate_validity_before_seconds
# Authenticate the user with KMS, if key is setup
if config.get(KMSAUTH_SECTION, KMSAUTH_USEKMSAUTH_OPTION):
if request.kmsauth_token:
try:
validator = KMSTokenValidator(
None,
config.getkmsauthkeyids(),
config.get(KMSAUTH_SECTION, KMSAUTH_SERVICE_ID_OPTION),
region
)
# decrypt_token will raise a TokenValidationError if token doesn't match
validator.decrypt_token(
"2/user/{}".format(request.remote_usernames.split(',')[0]),
request.kmsauth_token
)
except TokenValidationError as e:
return error_response('KMSAuthValidationError', str(e))
else:
return error_response('InputValidationError', 'Invalid request, missing kmsauth token')
# Build the cert
ca = get_ssh_certificate_authority(ca_private_key, ca_private_key_password)
cert_builder = get_ssh_certificate_builder(ca, SSHCertificateType.USER,
public_key_to_sign)
# Handle breakglass certificate modifications
if breakglass:
logger.critical('Breakglass access for okta user: {}@{}, bastion user: {}'.format(
request.okta_user,
request.bastion_user_ip,
request.bastion_user)
)
valid_before = current_time + certificate_breakglass_validity_before_seconds
valid_after = current_time - certificate_breakglass_validity_after_seconds
cert_builder.add_valid_principal(breakglass_user)
for username in request.remote_usernames.split(','):
cert_builder.add_valid_principal(username)
cert_builder.set_valid_before(valid_before)
cert_builder.set_valid_after(valid_after)
if certificate_extensions:
for e in certificate_extensions.split(','):
if e:
cert_builder.add_extension(e)
else:
cert_builder.clear_extensions()
# cert_builder is needed to obtain the SSH public key's fingerprint
key_id = 'AWS Request ID: {}, User: {}, Source IP: {}, Command: {}, ' \
'Fingerprint: {}, Bless CA: {}, Expires: {}'\
.format(
context.aws_request_id,
request.bastion_user,
request.bastion_user_ip,
request.command,
cert_builder.ssh_public_key.fingerprint,
context.invoked_function_arn,
time.strftime("%Y/%m/%d %H:%M:%S", time.gmtime(valid_before))
)
cert_builder.set_critical_option_source_addresses(request.bastion_ips)
cert_builder.set_key_id(key_id)
cert = cert_builder.get_cert_file(bypass_time_validity_check)
logger.info(
'Issued a cert to bastion_ips[{}] for the remote_usernames of [{}] with the key_id[{}] and '
'valid_from[{}])'.format(
request.bastion_ips, request.remote_usernames, key_id,
time.strftime("%Y/%m/%d %H:%M:%S", time.gmtime(valid_after))))
return success_response(cert)
def test_invalid_key_request():
with pytest.raises(TypeError):
ca = get_ssh_certificate_authority(RSA_CA_PRIVATE_KEY, RSA_CA_PRIVATE_KEY_PASSWORD)
get_ssh_certificate_builder(ca, SSHCertificateType.USER, 'bogus')
def test_valid_ed25519_request():
ca = get_ssh_certificate_authority(RSA_CA_PRIVATE_KEY, RSA_CA_PRIVATE_KEY_PASSWORD)
cert_builder = get_ssh_certificate_builder(ca, SSHCertificateType.USER, EXAMPLE_ED25519_PUBLIC_KEY)
cert = cert_builder.get_cert_file()
assert isinstance(cert_builder, ED25519CertificateBuilder)
assert cert.startswith(SSHCertifiedKeyType.ED25519)
def test_valid_key_invalid_password():
with pytest.raises(ValueError):
get_ssh_certificate_authority(RSA_CA_PRIVATE_KEY, b'bogus')
def test_invalid_key_request():
with pytest.raises(TypeError):
ca = get_ssh_certificate_authority(RSA_CA_PRIVATE_KEY,
RSA_CA_PRIVATE_KEY_PASSWORD)
get_ssh_certificate_builder(ca, SSHCertificateType.USER, 'bogus')
def test_valid_key_not_encrypted_invalid_pass():
with pytest.raises(TypeError):
get_ssh_certificate_authority(RSA_CA_PRIVATE_KEY_NOT_ENCRYPTED, b'bogus')
def lambda_handler_host(
event,
context=None,
ca_private_key_password=None,
entropy_check=True,
config_file=None,
):
"""
This is the function that will be called when the lambda function starts.
:param event: Dictionary of the json request.
:param context: AWS LambdaContext Object
http://docs.aws.amazon.com/lambda/latest/dg/python-context-object.html
:param ca_private_key_password: For local testing, if the password is provided, skip the KMS
decrypt.
:param entropy_check: For local testing, if set to false, it will skip checking entropy and
won't try to fetch additional random from KMS.
:param config_file: The config file to load the SSH CA private key from, and additional settings.
:return: the SSH Certificate that can be written to id_rsa-cert.pub or similar file.
"""
bless_cache = setup_lambda_cache(ca_private_key_password, config_file)
# Load the deployment config values
config = bless_cache.config
logger = set_logger(config)
certificate_validity_before_seconds = config.getint(
BLESS_OPTIONS_SECTION, SERVER_CERTIFICATE_VALIDITY_BEFORE_SEC_OPTION)
certificate_validity_after_seconds = config.getint(
BLESS_OPTIONS_SECTION, SERVER_CERTIFICATE_VALIDITY_AFTER_SEC_OPTION)
ca_private_key = config.getprivatekey()
# Process cert request
schema = BlessHostSchema(strict=True)
schema.context[HOSTNAME_VALIDATION_OPTION] = config.get(
BLESS_OPTIONS_SECTION, HOSTNAME_VALIDATION_OPTION)
try:
request = schema.load(event).data
except ValidationError as e:
return error_response("InputValidationError", str(e))
# todo: You'll want to bring your own hostnames validation.
logger.info(
"Bless lambda invoked by [public_key: {}] for hostnames[{}]".format(
request.public_key_to_sign, request.hostnames))
# Make sure we have the ca private key password
if bless_cache.ca_private_key_password is None:
return error_response("ClientError",
bless_cache.ca_private_key_password_error)
else:
ca_private_key_password = bless_cache.ca_private_key_password
# if running as a Lambda, we can check the entropy pool and seed it with KMS if desired
if entropy_check:
check_entropy(config, logger)
# cert values determined only by lambda and its configs
current_time = int(time.time())
valid_before = current_time + certificate_validity_after_seconds
valid_after = current_time - certificate_validity_before_seconds
# Build the cert
ca = get_ssh_certificate_authority(ca_private_key, ca_private_key_password)
cert_builder = get_ssh_certificate_builder(ca, SSHCertificateType.HOST,
request.public_key_to_sign)
for hostname in request.hostnames.split(","):
cert_builder.add_valid_principal(hostname)
cert_builder.set_valid_before(valid_before)
cert_builder.set_valid_after(valid_after)
# cert_builder is needed to obtain the SSH public key's fingerprint
key_id = "request[{}] ssh_key[{}] ca[{}] valid_to[{}]".format(
context.aws_request_id,
cert_builder.ssh_public_key.fingerprint,
context.invoked_function_arn,
time.strftime("%Y/%m/%d %H:%M:%S", time.gmtime(valid_before)),
)
cert_builder.set_key_id(key_id)
cert = cert_builder.get_cert_file()
logger.info("Issued a server cert to hostnames[{}] with key_id[{}] and "
"valid_from[{}])".format(
request.hostnames,
key_id,
time.strftime("%Y/%m/%d %H:%M:%S",
time.gmtime(valid_after)),
))
return success_response(cert)
from bless.ssh.certificate_authorities.ssh_certificate_authority_factory import \
get_ssh_certificate_authority
from bless.ssh.certificates.ssh_certificate_builder import SSHCertificateType
from bless.ssh.certificates.ssh_certificate_builder_factory import get_ssh_certificate_builder
import os
parent_dir = os.path.abspath(os.path.dirname(__file__))
grandparent_dir = os.path.abspath(os.path.join(parent_dir, os.pardir))
ggrandparent_dir = os.path.abspath(os.path.join(grandparent_dir, os.pardir))
ca_private_key = None
ca_private_key_password = '******'
user_public_key = None
with open(os.path.join(os.path.join(ggrandparent_dir, 'example'), 'example-com-ca')) as textfile:
ca_private_key = textfile.read()
with open(os.path.join(os.path.join(ggrandparent_dir, 'example'), 'user.pub')) as textfile:
user_public_key = textfile.read()
ca_private_key_encoded = bytes(ca_private_key.encode())
ca_private_key_password_encoded = bytes(ca_private_key_password.encode())
user_public_key_encoded = bytes(user_public_key.encode())
ca = get_ssh_certificate_authority(ca_private_key_encoded, ca_private_key_password_encoded)
cert_builder = get_ssh_certificate_builder(ca, SSHCertificateType.USER,
user_public_key_encoded)
print(cert_builder)
def lambda_handler(event, context=None, ca_private_key_password=None,
entropy_check=True,
config_file=os.path.join(os.path.dirname(__file__), 'bless_deploy.cfg')):
"""
This is the function that will be called when the lambda function starts.
:param event: Dictionary of the json request.
:param context: AWS LambdaContext Object
http://docs.aws.amazon.com/lambda/latest/dg/python-context-object.html
:param ca_private_key_password: For local testing, if the password is provided, skip the KMS
decrypt.
:param entropy_check: For local testing, if set to false, it will skip checking entropy and
won't try to fetch additional random from KMS
:param config_file: The config file to load the SSH CA private key from, and additional settings
:return: the SSH Certificate that can be written to id_rsa-cert.pub or similar file.
"""
# AWS Region determines configs related to KMS
region = os.environ['AWS_REGION']
# Load the deployment config values
config = BlessConfig(region,
config_file=config_file)
logging_level = config.get(BLESS_OPTIONS_SECTION, LOGGING_LEVEL_OPTION)
numeric_level = getattr(logging, logging_level.upper(), None)
if not isinstance(numeric_level, int):
raise ValueError('Invalid log level: {}'.format(logging_level))
logger = logging.getLogger()
logger.setLevel(numeric_level)
certificate_validity_before_seconds = config.getint(BLESS_OPTIONS_SECTION,
CERTIFICATE_VALIDITY_BEFORE_SEC_OPTION)
certificate_validity_after_seconds = config.getint(BLESS_OPTIONS_SECTION,
CERTIFICATE_VALIDITY_AFTER_SEC_OPTION)
entropy_minimum_bits = config.getint(BLESS_OPTIONS_SECTION, ENTROPY_MINIMUM_BITS_OPTION)
random_seed_bytes = config.getint(BLESS_OPTIONS_SECTION, RANDOM_SEED_BYTES_OPTION)
ca_private_key = config.getprivatekey()
password_ciphertext_b64 = config.getpassword()
certificate_extensions = config.get(BLESS_OPTIONS_SECTION, CERTIFICATE_EXTENSIONS_OPTION)
# Process cert request
schema = BlessSchema(strict=True)
schema.context[USERNAME_VALIDATION_OPTION] = config.get(BLESS_OPTIONS_SECTION, USERNAME_VALIDATION_OPTION)
schema.context[REMOTE_USERNAMES_VALIDATION_OPTION] = config.get(BLESS_OPTIONS_SECTION,
REMOTE_USERNAMES_VALIDATION_OPTION)
try:
request = schema.load(event).data
except ValidationError as e:
return error_response('InputValidationError', str(e))
logger.info('Bless lambda invoked by [user: {0}, bastion_ips:{1}, public_key: {2}, kmsauth_token:{3}]'.format(
request.bastion_user,
request.bastion_user_ip,
request.public_key_to_sign,
request.kmsauth_token))
# decrypt ca private key password
if ca_private_key_password is None:
kms_client = boto3.client('kms', region_name=region)
try:
ca_password = kms_client.decrypt(
CiphertextBlob=base64.b64decode(password_ciphertext_b64))
ca_private_key_password = ca_password['Plaintext']
except ClientError as e:
return error_response('ClientError', str(e))
# if running as a Lambda, we can check the entropy pool and seed it with KMS if desired
if entropy_check:
with open('/proc/sys/kernel/random/entropy_avail', 'r') as f:
entropy = int(f.read())
logger.debug(entropy)
if entropy < entropy_minimum_bits:
logger.info(
'System entropy was {}, which is lower than the entropy_'
'minimum {}. Using KMS to seed /dev/urandom'.format(
entropy, entropy_minimum_bits))
response = kms_client.generate_random(
NumberOfBytes=random_seed_bytes)
random_seed = response['Plaintext']
with open('/dev/urandom', 'w') as urandom:
urandom.write(random_seed)
# cert values determined only by lambda and its configs
current_time = int(time.time())
test_user = config.get(BLESS_OPTIONS_SECTION, TEST_USER_OPTION)
if test_user and (request.bastion_user == test_user or request.remote_usernames == test_user):
# This is a test call, the lambda will issue an invalid
# certificate where valid_before < valid_after
valid_before = current_time
valid_after = current_time + 1
bypass_time_validity_check = True
else:
valid_before = current_time + certificate_validity_after_seconds
valid_after = current_time - certificate_validity_before_seconds
bypass_time_validity_check = False
# Authenticate the user with KMS, if key is setup
if config.get(KMSAUTH_SECTION, KMSAUTH_USEKMSAUTH_OPTION):
if request.kmsauth_token:
# Allow bless to sign the cert for a different remote user than the name of the user who signed it
allowed_remotes = config.get(KMSAUTH_SECTION, KMSAUTH_REMOTE_USERNAMES_ALLOWED_OPTION)
if allowed_remotes:
allowed_users = allowed_remotes.split(',')
requested_remotes = request.remote_usernames.split(',')
if allowed_users != ['*'] and not all([u in allowed_users for u in requested_remotes]):
return error_response('KMSAuthValidationError',
'unallowed remote_usernames [{}]'.format(request.remote_usernames))
elif request.remote_usernames != request.bastion_user:
return error_response('KMSAuthValidationError',
'remote_usernames must be the same as bastion_user')
try:
validator = KMSTokenValidator(
None,
config.getkmsauthkeyids(),
config.get(KMSAUTH_SECTION, KMSAUTH_SERVICE_ID_OPTION),
region
)
# decrypt_token will raise a TokenValidationError if token doesn't match
validator.decrypt_token(
"2/user/{}".format(request.bastion_user),
request.kmsauth_token
)
except TokenValidationError as e:
return error_response('KMSAuthValidationError', str(e))
else:
return error_response('InputValidationError', 'Invalid request, missing kmsauth token')
# Build the cert
ca = get_ssh_certificate_authority(ca_private_key, ca_private_key_password)
cert_builder = get_ssh_certificate_builder(ca, SSHCertificateType.USER,
request.public_key_to_sign)
for username in request.remote_usernames.split(','):
cert_builder.add_valid_principal(username)
cert_builder.set_valid_before(valid_before)
cert_builder.set_valid_after(valid_after)
if certificate_extensions:
for e in certificate_extensions.split(','):
if e:
cert_builder.add_extension(e)
else:
cert_builder.clear_extensions()
# cert_builder is needed to obtain the SSH public key's fingerprint
key_id = 'request[{}] for[{}] from[{}] command[{}] ssh_key[{}] ca[{}] valid_to[{}]'.format(
context.aws_request_id, request.bastion_user, request.bastion_user_ip, request.command,
cert_builder.ssh_public_key.fingerprint, context.invoked_function_arn,
time.strftime("%Y/%m/%d %H:%M:%S", time.gmtime(valid_before)))
cert_builder.set_critical_option_source_addresses(request.bastion_ips)
cert_builder.set_key_id(key_id)
cert = cert_builder.get_cert_file(bypass_time_validity_check)
logger.info(
'Issued a cert to bastion_ips[{}] for remote_usernames[{}] with key_id[{}] and '
'valid_from[{}])'.format(
request.bastion_ips, request.remote_usernames, key_id,
time.strftime("%Y/%m/%d %H:%M:%S", time.gmtime(valid_after))))
return success_response(cert)
def lambda_handler_user(event,
context=None,
ca_private_key_password=None,
entropy_check=True,
config_file=None):
"""
This is the function that will be called when the lambda function starts.
:param event: Dictionary of the json request.
:param context: AWS LambdaContext Object
http://docs.aws.amazon.com/lambda/latest/dg/python-context-object.html
:param ca_private_key_password: For local testing, if the password is provided, skip the KMS
decrypt.
:param entropy_check: For local testing, if set to false, it will skip checking entropy and
won't try to fetch additional random from KMS.
:param config_file: The config file to load the SSH CA private key from, and additional settings.
:return: the SSH Certificate that can be written to id_rsa-cert.pub or similar file.
"""
bless_cache = setup_lambda_cache(ca_private_key_password, config_file)
# AWS Region determines configs related to KMS
region = bless_cache.region
# Load the deployment config values
config = bless_cache.config
logger = set_logger(config)
certificate_validity_before_seconds = config.getint(
BLESS_OPTIONS_SECTION, CERTIFICATE_VALIDITY_BEFORE_SEC_OPTION)
certificate_validity_after_seconds = config.getint(
BLESS_OPTIONS_SECTION, CERTIFICATE_VALIDITY_AFTER_SEC_OPTION)
ca_private_key = config.getprivatekey()
certificate_extensions = config.get(BLESS_OPTIONS_SECTION,
CERTIFICATE_EXTENSIONS_OPTION)
# Process cert request
schema = BlessUserSchema(strict=True)
schema.context[USERNAME_VALIDATION_OPTION] = config.get(
BLESS_OPTIONS_SECTION, USERNAME_VALIDATION_OPTION)
schema.context[REMOTE_USERNAMES_VALIDATION_OPTION] = config.get(
BLESS_OPTIONS_SECTION, REMOTE_USERNAMES_VALIDATION_OPTION)
schema.context[REMOTE_USERNAMES_BLACKLIST_OPTION] = config.get(
BLESS_OPTIONS_SECTION, REMOTE_USERNAMES_BLACKLIST_OPTION)
try:
request = schema.load(event).data
except ValidationError as e:
return error_response('InputValidationError', str(e))
logger.info(
'Bless lambda invoked by [user: {0}, bastion_ips:{1}, public_key: {2}, kmsauth_token:{3}]'
.format(request.bastion_user, request.bastion_user_ip,
request.public_key_to_sign, request.kmsauth_token))
# Make sure we have the ca private key password
if bless_cache.ca_private_key_password is None:
return error_response('ClientError',
bless_cache.ca_private_key_password_error)
else:
ca_private_key_password = bless_cache.ca_private_key_password
# if running as a Lambda, we can check the entropy pool and seed it with KMS if desired
if entropy_check:
check_entropy(config, logger)
# cert values determined only by lambda and its configs
current_time = int(time.time())
test_user = config.get(BLESS_OPTIONS_SECTION, TEST_USER_OPTION)
if test_user and (request.bastion_user == test_user
or request.remote_usernames == test_user):
# This is a test call, the lambda will issue an invalid
# certificate where valid_before < valid_after
valid_before = current_time
valid_after = current_time + 1
bypass_time_validity_check = True
else:
valid_before = current_time + certificate_validity_after_seconds
valid_after = current_time - certificate_validity_before_seconds
bypass_time_validity_check = False
# Authenticate the user with KMS, if key is setup
if config.getboolean(KMSAUTH_SECTION, KMSAUTH_USEKMSAUTH_OPTION):
if request.kmsauth_token:
# Allow bless to sign the cert for a different remote user than the name of the user who signed it
allowed_remotes = config.get(
KMSAUTH_SECTION, KMSAUTH_REMOTE_USERNAMES_ALLOWED_OPTION)
if allowed_remotes:
allowed_users = allowed_remotes.split(',')
requested_remotes = request.remote_usernames.split(',')
if allowed_users != ['*'] and not all(
[u in allowed_users for u in requested_remotes]):
return error_response(
'KMSAuthValidationError',
'unallowed remote_usernames [{}]'.format(
request.remote_usernames))
# Check if the user is in the required IAM groups
if config.getboolean(
KMSAUTH_SECTION,
VALIDATE_REMOTE_USERNAMES_AGAINST_IAM_GROUPS_OPTION):
iam = boto3.client('iam')
user_groups = iam.list_groups_for_user(
UserName=request.bastion_user)
group_name_template = config.get(
KMSAUTH_SECTION,
IAM_GROUP_NAME_VALIDATION_FORMAT_OPTION)
for requested_remote in requested_remotes:
required_group_name = group_name_template.format(
requested_remote)
user_is_in_group = any(
group for group in user_groups['Groups']
if group['GroupName'] == required_group_name)
if not user_is_in_group:
return error_response(
'KMSAuthValidationError',
'user {} is not in the {} iam group'.format(
request.bastion_user, required_group_name))
elif request.remote_usernames != request.bastion_user:
return error_response(
'KMSAuthValidationError',
'remote_usernames must be the same as bastion_user')
try:
validator = KMSTokenValidator(
None, config.getkmsauthkeyids(),
config.get(KMSAUTH_SECTION, KMSAUTH_SERVICE_ID_OPTION),
region)
# decrypt_token will raise a TokenValidationError if token doesn't match
validator.decrypt_token(
"2/user/{}".format(request.bastion_user),
request.kmsauth_token)
except TokenValidationError as e:
return error_response('KMSAuthValidationError', str(e))
else:
return error_response('InputValidationError',
'Invalid request, missing kmsauth token')
# Build the cert
ca = get_ssh_certificate_authority(ca_private_key, ca_private_key_password)
cert_builder = get_ssh_certificate_builder(ca, SSHCertificateType.USER,
request.public_key_to_sign)
for username in request.remote_usernames.split(','):
cert_builder.add_valid_principal(username)
cert_builder.set_valid_before(valid_before)
cert_builder.set_valid_after(valid_after)
if certificate_extensions:
for e in certificate_extensions.split(','):
if e:
cert_builder.add_extension(e)
else:
cert_builder.clear_extensions()
# cert_builder is needed to obtain the SSH public key's fingerprint
key_id = 'request[{}] for[{}] from[{}] command[{}] ssh_key[{}] ca[{}] valid_to[{}]'.format(
context.aws_request_id, request.bastion_user, request.bastion_user_ip,
request.command, cert_builder.ssh_public_key.fingerprint,
context.invoked_function_arn,
time.strftime("%Y/%m/%d %H:%M:%S", time.gmtime(valid_before)))
cert_builder.set_critical_option_source_addresses(request.bastion_ips)
cert_builder.set_key_id(key_id)
cert = cert_builder.get_cert_file(bypass_time_validity_check)
logger.info(
'Issued a cert to bastion_ips[{}] for remote_usernames[{}] with key_id[{}] and '
'valid_from[{}])'.format(
request.bastion_ips, request.remote_usernames, key_id,
time.strftime("%Y/%m/%d %H:%M:%S", time.gmtime(valid_after))))
return success_response(cert)
def lambda_handler(event, context=None, ca_private_key_password=None,
entropy_check=True,
config_file=os.path.join(os.path.dirname(__file__), 'bless_deploy.cfg')):
"""
This is the function that will be called when the lambda function starts.
:param event: Dictionary of the json request.
:param context: AWS LambdaContext Object
http://docs.aws.amazon.com/lambda/latest/dg/python-context-object.html
:param ca_private_key_password: For local testing, if the password is provided, skip the KMS
decrypt.
:param entropy_check: For local testing, if set to false, it will skip checking entropy and
won't try to fetch additional random from KMS
:param config_file: The config file to load the SSH CA private key from, and additional settings
:return: the SSH Certificate that can be written to id_rsa-cert.pub or similar file.
"""
# AWS Region determines configs related to KMS
region = os.environ['AWS_REGION']
# Load the deployment config values
config = BlessConfig(region,
config_file=config_file)
logging_level = config.get(BLESS_OPTIONS_SECTION, LOGGING_LEVEL_OPTION)
numeric_level = getattr(logging, logging_level.upper(), None)
if not isinstance(numeric_level, int):
raise ValueError('Invalid log level: {}'.format(logging_level))
logger = logging.getLogger()
logger.setLevel(numeric_level)
certificate_validity_window_seconds = config.getint(BLESS_OPTIONS_SECTION,
CERTIFICATE_VALIDITY_WINDOW_SEC_OPTION)
entropy_minimum_bits = config.getint(BLESS_OPTIONS_SECTION, ENTROPY_MINIMUM_BITS_OPTION)
random_seed_bytes = config.getint(BLESS_OPTIONS_SECTION, RANDOM_SEED_BYTES_OPTION)
ca_private_key_file = config.get(BLESS_CA_SECTION, CA_PRIVATE_KEY_FILE_OPTION)
password_ciphertext_b64 = config.getpassword()
# read the private key .pem
with open(os.path.join(os.path.dirname(__file__), ca_private_key_file), 'r') as f:
ca_private_key = f.read()
# decrypt ca private key password
if ca_private_key_password is None:
kms_client = boto3.client('kms', region_name=region)
ca_password = kms_client.decrypt(
CiphertextBlob=base64.b64decode(password_ciphertext_b64))
ca_private_key_password = ca_password['Plaintext']
# if running as a Lambda, we can check the entropy pool and seed it with KMS if desired
if entropy_check:
with open('/proc/sys/kernel/random/entropy_avail', 'r') as f:
entropy = int(f.read())
logger.debug(entropy)
if entropy < entropy_minimum_bits:
logger.info(
'System entropy was {}, which is lower than the entropy_'
'minimum {}. Using KMS to seed /dev/urandom'.format(
entropy, entropy_minimum_bits))
response = kms_client.generate_random(
NumberOfBytes=random_seed_bytes)
random_seed = response['Plaintext']
with open('/dev/urandom', 'w') as urandom:
urandom.write(random_seed)
# Process cert request
schema = BlessSchema(strict=True)
request = schema.load(event).data
# cert values determined only by lambda and its configs
current_time = int(time.time())
valid_before = current_time + certificate_validity_window_seconds
valid_after = current_time - certificate_validity_window_seconds
# Build the cert
ca = get_ssh_certificate_authority(ca_private_key, ca_private_key_password)
cert_builder = get_ssh_certificate_builder(ca, SSHCertificateType.USER,
request.public_key_to_sign)
cert_builder.add_valid_principal(request.remote_username)
cert_builder.set_valid_before(valid_before)
cert_builder.set_valid_after(valid_after)
# cert_builder is needed to obtain the ssh public key's fingerprint
key_id = 'request[{}] for[{}] from[{}] command[{}] ssh_key:[{}] ca:[{}] valid_to[{}]'.format(
context.aws_request_id, request.bastion_user, request.bastion_user_ip, request.command,
cert_builder.ssh_public_key.fingerprint, context.invoked_function_arn,
time.strftime("%Y/%m/%d %H:%M:%S", time.gmtime(valid_before)))
cert_builder.set_critical_option_source_address(request.bastion_ip)
cert_builder.set_key_id(key_id)
cert = cert_builder.get_cert_file()
logger.info(
'Issued a cert to bastion_ip[{}] for the remote_username of [{}] with the key_id[{}] and '
'valid_from[{}])'.format(
request.bastion_ip, request.remote_username, key_id,
time.strftime("%Y/%m/%d %H:%M:%S", time.gmtime(valid_after))))
return cert
