def test_invalid_multiple_hostnames(test_input): with pytest.raises(ValidationError) as e: BlessHostSchema().validate_hostnames(test_input) assert str(e.value) == 'Invalid hostname "ssh:// this.that".'
def lambda_handler_host( event, context=None, ca_private_key_password=None, entropy_check=True, config_file=None, ): """ This is the function that will be called when the lambda function starts. :param event: Dictionary of the json request. :param context: AWS LambdaContext Object http://docs.aws.amazon.com/lambda/latest/dg/python-context-object.html :param ca_private_key_password: For local testing, if the password is provided, skip the KMS decrypt. :param entropy_check: For local testing, if set to false, it will skip checking entropy and won't try to fetch additional random from KMS. :param config_file: The config file to load the SSH CA private key from, and additional settings. :return: the SSH Certificate that can be written to id_rsa-cert.pub or similar file. """ bless_cache = setup_lambda_cache(ca_private_key_password, config_file) # Load the deployment config values config = bless_cache.config logger = set_logger(config) certificate_validity_before_seconds = config.getint( BLESS_OPTIONS_SECTION, SERVER_CERTIFICATE_VALIDITY_BEFORE_SEC_OPTION) certificate_validity_after_seconds = config.getint( BLESS_OPTIONS_SECTION, SERVER_CERTIFICATE_VALIDITY_AFTER_SEC_OPTION) ca_private_key = config.getprivatekey() # Process cert request schema = BlessHostSchema(strict=True) schema.context[HOSTNAME_VALIDATION_OPTION] = config.get( BLESS_OPTIONS_SECTION, HOSTNAME_VALIDATION_OPTION) try: request = schema.load(event).data except ValidationError as e: return error_response("InputValidationError", str(e)) # todo: You'll want to bring your own hostnames validation. logger.info( "Bless lambda invoked by [public_key: {}] for hostnames[{}]".format( request.public_key_to_sign, request.hostnames)) # Make sure we have the ca private key password if bless_cache.ca_private_key_password is None: return error_response("ClientError", bless_cache.ca_private_key_password_error) else: ca_private_key_password = bless_cache.ca_private_key_password # if running as a Lambda, we can check the entropy pool and seed it with KMS if desired if entropy_check: check_entropy(config, logger) # cert values determined only by lambda and its configs current_time = int(time.time()) valid_before = current_time + certificate_validity_after_seconds valid_after = current_time - certificate_validity_before_seconds # Build the cert ca = get_ssh_certificate_authority(ca_private_key, ca_private_key_password) cert_builder = get_ssh_certificate_builder(ca, SSHCertificateType.HOST, request.public_key_to_sign) for hostname in request.hostnames.split(","): cert_builder.add_valid_principal(hostname) cert_builder.set_valid_before(valid_before) cert_builder.set_valid_after(valid_after) # cert_builder is needed to obtain the SSH public key's fingerprint key_id = "request[{}] ssh_key[{}] ca[{}] valid_to[{}]".format( context.aws_request_id, cert_builder.ssh_public_key.fingerprint, context.invoked_function_arn, time.strftime("%Y/%m/%d %H:%M:%S", time.gmtime(valid_before)), ) cert_builder.set_key_id(key_id) cert = cert_builder.get_cert_file() logger.info("Issued a server cert to hostnames[{}] with key_id[{}] and " "valid_from[{}])".format( request.hostnames, key_id, time.strftime("%Y/%m/%d %H:%M:%S", time.gmtime(valid_after)), )) return success_response(cert)
def test_valid_multiple_hostnames(test_input): BlessHostSchema().validate_hostnames(test_input)