def _config_load(self): """ " load config from file""" self.logger.debug("CAhandler._config_load()") config_dic = load_config(self.logger, "CAhandler") if 'CAhandler' in config_dic: if 'host_variable' in config_dic['CAhandler']: try: self.host = os.environ[config_dic['CAhandler']['host_variable']] except Exception as err: self.logger.error('CAhandler._config_load() could not load host_variable:{0}'.format(err)) if 'host' in config_dic['CAhandler']: if self.host: self.logger.info('CAhandler._config_load() overwrite host') self.host = config_dic['CAhandler']['host'] if 'user_variable' in config_dic['CAhandler']: try: self.user = os.environ[config_dic['CAhandler']['user_variable']] except Exception as err: self.logger.error('CAhandler._config_load() could not load user_variable:{0}'.format(err)) if 'user' in config_dic['CAhandler']: if self.user: self.logger.info('CAhandler._config_load() overwrite user') self.user = config_dic['CAhandler']['user'] if 'password_variable' in config_dic['CAhandler']: try: self.password = os.environ[config_dic['CAhandler']['password_variable']] except Exception as err: self.logger.error('CAhandler._config_load() could not load password_variable:{0}'.format(err)) if 'password' in config_dic['CAhandler']: if self.password: self.logger.info('CAhandler._config_load() overwrite password') self.password = config_dic['CAhandler']['password'] if 'target_domain' in config_dic['CAhandler']: self.target_domain = config_dic['CAhandler']['target_domain'] if 'domain_controller' in config_dic['CAhandler']: self.domain_controller = config_dic['CAhandler']['domain_controller'] if 'ca_name' in config_dic['CAhandler']: self.ca_name = config_dic['CAhandler']['ca_name'] if 'ca_bundle' in config_dic['CAhandler']: self.ca_bundle = config_dic['CAhandler']['ca_bundle'] if 'template' in config_dic['CAhandler']: self.template = config_dic['CAhandler']['template'] if 'DEFAULT' in config_dic and 'proxy_server_list' in config_dic['DEFAULT']: try: proxy_list = json.loads(config_dic['DEFAULT']['proxy_server_list']) proxy_server = proxy_check(self.logger, self.host, proxy_list) self.proxy = {'http': proxy_server, 'https': proxy_server} except Exception as err_: self.logger.warning('CAhandler._config_load() proxy_server_list failed with error: {0}'.format(err_)) self.logger.debug("CAhandler._config_load() ended")
def _validate_alpn_challenge(self, challenge_name, fqdn, token, jwk_thumbprint): """ validate dns challenge """ self.logger.debug( 'Challenge._validate_alpn_challenge({0}:{1}:{2})'.format( challenge_name, fqdn, token)) # resolve name (response, invalid) = fqdn_resolve(fqdn, self.dns_server_list) self.logger.debug('fqdn_resolve() ended with: {0}/{1}'.format( response, invalid)) # we are expecting a certifiate extension which is the sha256 hexdigest of token in a byte structure # which is base64 encoded '0420' has been taken from acme_srv.sh sources sha256_digest = sha256_hash_hex( self.logger, '{0}.{1}'.format(token, jwk_thumbprint)) extension_value = b64_encode( self.logger, bytearray.fromhex('0420{0}'.format(sha256_digest))) self.logger.debug('computed value: {0}'.format(extension_value)) if not invalid: # check if we need to set a proxy if self.proxy_server_list: proxy_server = proxy_check(self.logger, fqdn, self.proxy_server_list) else: proxy_server = None cert = servercert_get(self.logger, fqdn, 443, proxy_server) if cert: san_list = cert_san_get(self.logger, cert, recode=False) fqdn_in_san = fqdn_in_san_check(self.logger, san_list, fqdn) if fqdn_in_san: extension_list = cert_extensions_get(self.logger, cert, recode=False) if extension_value in extension_list: self.logger.debug('alpn validation successful') result = True else: self.logger.debug('alpn validation not successful') result = False else: self.logger.debug('fqdn check against san failed') result = False else: self.logger.debug('no cert returned...') result = False else: result = False self.logger.debug( 'Challenge._validate_alpn_challenge() ended with: {0}/{1}'.format( result, invalid)) return (result, invalid)
def _config_load(self): """" load config from file """ self.logger.debug('CAhandler._config_load()') config_dic = load_config(self.logger, 'CAhandler') if 'CAhandler' in config_dic: if 'host_variable' in config_dic['CAhandler']: try: self.host = os.environ[config_dic['CAhandler']['host_variable']] except BaseException as err: self.logger.error('CAhandler._config_load() could not load host_variable:{0}'.format(err)) if 'host' in config_dic['CAhandler']: if self.host: self.logger.info('CAhandler._config_load() overwrite host') self.host = config_dic['CAhandler']['host'] if 'user_variable' in config_dic['CAhandler']: try: self.user = os.environ[config_dic['CAhandler']['user_variable']] except BaseException as err: self.logger.error('CAhandler._config_load() could not load user_variable:{0}'.format(err)) if 'user' in config_dic['CAhandler']: if self.user: self.logger.info('CAhandler._config_load() overwrite user') self.user = config_dic['CAhandler']['user'] if 'password_variable' in config_dic['CAhandler']: try: self.password = os.environ[config_dic['CAhandler']['password_variable']] except BaseException as err: self.logger.error('CAhandler._config_load() could not load password_variable:{0}'.format(err)) if 'password' in config_dic['CAhandler']: if self.password: self.logger.info('CAhandler._config_load() overwrite password') self.password = config_dic['CAhandler']['password'] if 'template' in config_dic['CAhandler']: self.template = config_dic['CAhandler']['template'] if 'auth_method' in config_dic['CAhandler'] and config_dic['CAhandler']['auth_method'] == 'ntlm': self.auth_method = config_dic['CAhandler']['auth_method'] # check if we get a ca bundle for verification if 'ca_bundle' in config_dic['CAhandler']: self.ca_bundle = config_dic['CAhandler']['ca_bundle'] if 'DEFAULT' in config_dic and 'proxy_server_list' in config_dic['DEFAULT']: try: proxy_list = json.loads(config_dic['DEFAULT']['proxy_server_list']) proxy_server = proxy_check(self.logger, self.host, proxy_list) self.proxy = {'http': proxy_server, 'https': proxy_server} except BaseException as err_: self.logger.warning('Challenge._config_load() proxy_server_list failed with error: {0}'.format(err_)) self.logger.debug('CAhandler._config_load() ended')
def _validate_http_challenge(self, challenge_name, fqdn, token, jwk_thumbprint): """ validate http challenge """ self.logger.debug( 'Challenge._validate_http_challenge({0}:{1}:{2})'.format( challenge_name, fqdn, token)) # resolve name (response, invalid) = fqdn_resolve(fqdn, self.dns_server_list) self.logger.debug('fqdn_resolve() ended with: {0}/{1}'.format( response, invalid)) if not invalid: # check if we need to set a proxy if self.proxy_server_list: proxy_server = proxy_check(self.logger, fqdn, self.proxy_server_list) else: proxy_server = None req = url_get(self.logger, 'http://{0}/.well-known/acme-challenge/{1}'.format( fqdn, token), dns_server_list=self.dns_server_list, proxy_server=proxy_server, verify=False, timeout=self.challenge_validation_timeout) if req: response_got = req.splitlines()[0] response_expected = '{0}.{1}'.format(token, jwk_thumbprint) self.logger.debug( 'response_got: {0} response_expected: {1}'.format( response_got, response_expected)) if response_got == response_expected: self.logger.debug('validation successful') result = True else: self.logger.debug('validation not successful') result = False else: self.logger.debug( 'validation not successfull.. no request object') result = False else: result = False self.logger.debug( 'Challenge._validate_http_challenge() ended with: {0}/{1}'.format( result, invalid)) return (result, invalid)
def _config_load(self): """" load config from file """ # pylint: disable=R0912, R0915 self.logger.debug('CAhandler._config_load()') config_dic = load_config(self.logger, 'CAhandler') if 'CAhandler' in config_dic: if 'est_host_variable' in config_dic['CAhandler']: try: self.est_host = os.environ[config_dic['CAhandler'][ 'est_host_variable']] + '/.well-known/est' except Exception as err: self.logger.error( 'CAhandler._config_load() could not load est_host_variable:{0}' .format(err)) if 'est_host' in config_dic['CAhandler']: if self.est_host: self.logger.info( 'CAhandler._config_load() overwrite est_host') self.est_host = config_dic['CAhandler'][ 'est_host'] + '/.well-known/est' if not self.est_host: self.logger.error( 'CAhandler._config_load(): missing "est_host" parameter') # check if we need to use clientauth if 'est_client_cert' in config_dic[ 'CAhandler'] and 'est_client_key' in config_dic[ 'CAhandler']: self.est_client_cert = [] self.est_client_cert.append( config_dic['CAhandler']['est_client_cert']) self.est_client_cert.append( config_dic['CAhandler']['est_client_key']) elif 'est_client_cert' in config_dic[ 'CAhandler'] or 'est_client_key' in config_dic['CAhandler']: self.logger.error( 'CAhandler._config_load() configuration incomplete: either "est_client_cert or "est_client_key" parameter is missing in config file' ) # check if we need to use user-auth if 'est_user_variable' in config_dic['CAhandler']: try: self.est_user = os.environ[config_dic['CAhandler'] ['est_user_variable']] except Exception as err: self.logger.error( 'CAhandler._config_load() could not load est_user_variable:{0}' .format(err)) if 'est_user' in config_dic['CAhandler']: if self.est_user: self.logger.info( 'CAhandler._config_load() overwrite est_user') self.est_user = config_dic['CAhandler']['est_user'] if 'est_password_variable' in config_dic['CAhandler']: try: self.est_password = os.environ[config_dic['CAhandler'] ['est_password_variable']] except Exception as err: self.logger.error( 'CAhandler._config_load() could not load est_password:{0}' .format(err)) if 'est_password' in config_dic['CAhandler']: if self.est_password: self.logger.info( 'CAhandler._config_load() overwrite est_password') self.est_password = config_dic['CAhandler']['est_password'] if (self.est_user and not self.est_password) or (self.est_password and not self.est_user): self.logger.error( 'CAhandler._config_load() configuration incomplete: either "est_user" or "est_password" parameter is missing in config file' ) # check if we have one authentication scheme if not self.est_client_cert and not self.est_user: self.logger.error( 'CAhandler._config_load() configuration incomplete: either user or client authentication must be configured' ) elif self.est_client_cert and self.est_user: self.logger.error( 'CAhandler._config_load() configuration wrong: user and client authentication cannot be configured together' ) # check if we get a ca bundle for verification if 'ca_bundle' in config_dic['CAhandler']: try: self.ca_bundle = config_dic.getboolean( 'CAhandler', 'ca_bundle') except Exception: self.ca_bundle = config_dic['CAhandler']['ca_bundle'] if 'DEFAULT' in config_dic and 'proxy_server_list' in config_dic[ 'DEFAULT']: try: proxy_list = json.loads( config_dic['DEFAULT']['proxy_server_list']) url_dic = parse_url(self.logger, self.est_host) if 'host' in url_dic: (fqdn, _port) = url_dic['host'].split(':') proxy_server = proxy_check(self.logger, fqdn, proxy_list) self.proxy = {'http': proxy_server, 'https': proxy_server} except Exception as err_: self.logger.warning( 'Challenge._config_load() proxy_server_list failed with error: {0}' .format(err_)) self.logger.debug('CAhandler._config_load() ended')
def _config_load(self): """" load config from file """ self.logger.debug('CAhandler._config_load()') config_dic = load_config(self.logger, 'CAhandler') if 'CAhandler' in config_dic: if 'api_host' in config_dic['CAhandler']: self.api_host = config_dic['CAhandler']['api_host'] if 'api_user_variable' in config_dic['CAhandler']: try: self.credential_dic['api_user'] = os.environ[ config_dic['CAhandler']['api_user_variable']] except BaseException as err: self.logger.error( 'CAhandler._config_load() could not load user_variable:{0}' .format(err)) if 'api_user' in config_dic['CAhandler']: if self.credential_dic['api_user']: self.logger.info( 'CAhandler._config_load() overwrite api_user') self.credential_dic['api_user'] = config_dic['CAhandler'][ 'api_user'] if 'api_password_variable' in config_dic['CAhandler']: try: self.credential_dic['api_password'] = os.environ[ config_dic['CAhandler']['api_password_variable']] except BaseException as err: self.logger.error( 'CAhandler._config_load() could not load password_variable:{0}' .format(err)) if 'api_password' in config_dic['CAhandler']: if self.credential_dic['api_password']: self.logger.info( 'CAhandler._config_load() overwrite api_password') self.credential_dic['api_password'] = config_dic['CAhandler'][ 'api_password'] if 'ca_name' in config_dic['CAhandler']: self.ca_name = config_dic['CAhandler']['ca_name'] if 'tsg_name' in config_dic['CAhandler']: self.tsg_info_dic['name'] = config_dic['CAhandler']['tsg_name'] if 'template_name' in config_dic['CAhandler']: self.template_info_dic['name'] = config_dic['CAhandler'][ 'template_name'] # check if we get a ca bundle for verification if 'ca_bundle' in config_dic['CAhandler']: try: self.ca_bundle = config_dic.getboolean( 'CAhandler', 'ca_bundle') except BaseException: self.ca_bundle = config_dic['CAhandler']['ca_bundle'] if 'DEFAULT' in config_dic and 'proxy_server_list' in config_dic[ 'DEFAULT']: try: proxy_list = json.loads( config_dic['DEFAULT']['proxy_server_list']) url_dic = parse_url(self.logger, self.api_host) if 'host' in url_dic: (fqdn, _port) = url_dic['host'].split(':') proxy_server = proxy_check(self.logger, fqdn, proxy_list) self.proxy = {'http': proxy_server, 'https': proxy_server} except BaseException as err_: self.logger.warning( 'Challenge._config_load() proxy_server_list failed with error: {0}' .format(err_)) self.logger.debug('CAhandler._config_load() ended')
def _config_load(self): """" load config from file """ self.logger.debug('_config_load()') config_dic = load_config(self.logger, 'CAhandler') if 'CAhandler' in config_dic: if 'api_host' in config_dic['CAhandler']: self.api_host = config_dic['CAhandler']['api_host'] else: self.logger.error( 'CAhandler._config_load() configuration incomplete: "api_host" parameter is missing in config file' ) if 'api_user' in config_dic[ 'CAhandler'] or 'api_user_variable' in config_dic[ 'CAhandler']: if 'api_user_variable' in config_dic['CAhandler']: try: self.api_user = os.environ[config_dic['CAhandler'] ['api_user_variable']] except BaseException as err: self.logger.error( 'CAhandler._config_load() could not load user_variable:{0}' .format(err)) if 'api_user' in config_dic['CAhandler']: if self.api_user: self.logger.info( 'CAhandler._config_load() overwrite api_user') self.api_user = config_dic['CAhandler']['api_user'] else: self.logger.error( 'CAhandler._config_load() configuration incomplete: "api_user" parameter is missing in config file' ) if 'api_password' in config_dic[ 'CAhandler'] or 'api_password_variable' in config_dic[ 'CAhandler']: if 'api_password_variable' in config_dic['CAhandler']: try: self.api_password = os.environ[ config_dic['CAhandler']['api_password_variable']] except BaseException as err: self.logger.error( 'CAhandler._config_load() could not load passphrase_variable:{0}' .format(err)) if 'api_password' in config_dic['CAhandler']: if self.api_password: self.logger.info( 'CAhandler._config_load() overwrite api_password_variable' ) self.api_password = config_dic['CAhandler']['api_password'] else: self.logger.error( 'CAhandler._config_load() configuration incomplete: "api_password" parameter is missing in config file' ) if 'ca_name' in config_dic['CAhandler']: self.ca_name = config_dic['CAhandler']['ca_name'] else: self.logger.error( 'CAhandler._config_load() configuration incomplete: "ca_name" parameter is missing in config file' ) if 'polling_timeout' in config_dic['CAhandler']: self.polling_timeout = int( config_dic['CAhandler']['polling_timeout']) # check if we get a ca bundle for verification if 'ca_bundle' in config_dic['CAhandler']: try: self.ca_bundle = config_dic.getboolean( 'CAhandler', 'ca_bundle') except BaseException: self.ca_bundle = config_dic['CAhandler']['ca_bundle'] if 'DEFAULT' in config_dic and 'proxy_server_list' in config_dic[ 'DEFAULT']: try: proxy_list = json.loads( config_dic['DEFAULT']['proxy_server_list']) url_dic = parse_url(self.logger, self.api_host) if 'host' in url_dic: (fqdn, _port) = url_dic['host'].split(':') proxy_server = proxy_check(self.logger, fqdn, proxy_list) self.proxy = {'http': proxy_server, 'https': proxy_server} except BaseException as err_: self.logger.warning( 'Challenge._config_load() proxy_server_list failed with error: {0}' .format(err_)) self.logger.debug('CAhandler._config_load() ended')