def read_config(self, *args, **kwargs):
    """Load the serialized auth_cert configuration into ``self.auth_cert_cfg``.

    Falls back to a default ``AuthCertConf`` when the master key is absent
    from the config manager; when the stored structure is too old to be
    deserialized directly, it is upgraded in place first and deserialized
    again.  ``*args``/``**kwargs`` are accepted for signature compatibility
    and ignored.
    """
    try:
        stored = self.core.config_manager.get(self.MASTER_KEY)
    except (ConfigError, KeyError):
        self.warning(tr('Authentication server (certificates) not configured, default values loaded.'))
        self.auth_cert_cfg = AuthCertConf()
        return
    try:
        config = AuthCertConf.deserialize(stored)
    except DatastructureIncompatible:
        # Older on-disk layout: upgradeFields presumably rewrites `stored`
        # in place (the same object is deserialized again) — verify.
        self.upgradeFields(stored)
        config = AuthCertConf.deserialize(stored)
    self.auth_cert_cfg = config
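class AuthCertComponent(ConfigServiceComponent, UseCertificateComponent):
    """
    Manage the authentication server's certificates and certificate
    configuration.

    The component holds the nuauth TLS settings in ``auth_cert_cfg``,
    regenerates the nuauth configuration files from them on apply, restarts
    nuauth, and — on EdenWall builds — installs the captive-portal firewall
    rules.
    """
    NAME = "auth_cert"
    MASTER_KEY = NAME
    VERSION = "1.0"
    # Services of other components this one is allowed to call.
    ACLS = {
        'localfw': frozenset(('addFilterIptable', 'addNatIptable', 'apply',
                              'clear', 'close', 'open')),
        'network': frozenset(('getNetconfig',)),
        'ufwi_ruleset': frozenset(('open', 'reapplyLastRuleset',)),
        'nupki': frozenset(('copyPKI', 'copyCRL', )),
        'nuauth_command': frozenset(('refreshCRL', )),
    }
    # We need to restart nuauth when nuauth component, actually the
    # user_directory component, is modified.
    CONFIG_DEPENDS = ("nuauth",)
    REQUIRES = ('config', )
    if EDENWALL:
        REQUIRES += ('license',)
        ACLS['license'] = frozenset(('getMaxClients',))
    # Role -> services exposed by this component.
    ROLES = {
        'conf_read': set(('getAuthCertConfig', 'runtimeFiles',
                          'getCertificatesInfo')),
        'conf_write': set(('setAuthCertConfig',)),
    }
    EXE_NAME = "nuauth"
    INIT_SCRIPT = "nuauth"
    CERT_BASE = '/etc/nufw/certs'
    CERT_PATH = join(CERT_BASE, 'nuauth-cert.pem')
    KEY_PATH = join(CERT_BASE, 'nuauth-key.pem')
    CRL_PATH = join(CERT_BASE, 'nuauth-crl.pem')
    CA_PATH = join(CERT_BASE, 'nuauth-cacert.pem')

    def __init__(self):
        ConfigServiceComponent.__init__(self)
        UseCertificateComponent.__init__(self)

    def init(self, core):
        """Bind to *core* and register the nuauth files this component owns.

        ``sharedir`` is read from the core ``[CORE]`` section and falls back
        to ``DEFAULT_SHAREDIR``; ``script_dir`` (used by ``setup_portal``)
        is derived from it.
        """
        ConfigServiceComponent.init(self, core)
        UseCertificateComponent.init(self, core)
        self.core = core
        try:
            self.sharedir = self.core.config.get('CORE', 'sharedir')
        except Exception:
            # Narrowed from a bare `except:` so that SystemExit and
            # KeyboardInterrupt are no longer swallowed; a missing or
            # unreadable setting still falls back to the default.
            self.sharedir = DEFAULT_SHAREDIR
        self.script_dir = os.path.join(self.sharedir, 'scripts')
        # Generated files: owner and mode enforced by the base component.
        self.addConfFile(_NUAUTH_CONF, 'root:root', '0644')
        self.addConfFile('/etc/nufw/nuauth.d/nuauth_tls.conf', 'root:root', '0644')
        self.addConfFile('/etc/nufw/user-down.sh', 'root:root', '0755')
        self.addConfFile('/etc/nufw/user-up.sh', 'root:root', '0755')

    def read_config(self, *args, **kwargs):
        """Load the stored auth_cert configuration into ``self.auth_cert_cfg``.

        A missing master key yields a default ``AuthCertConf`` (with a
        warning).  A stored structure that ``deserialize`` rejects as
        incompatible is passed through ``upgradeFields`` and deserialized
        again.  ``*args``/``**kwargs`` are ignored (signature compatibility).
        """
        try:
            serialized = self.core.config_manager.get(self.MASTER_KEY)
        except (ConfigError, KeyError):
            self.warning(tr('Authentication server (certificates) not configured, default values loaded.'))
            self.auth_cert_cfg = AuthCertConf()
            return
        try:
            self.auth_cert_cfg = AuthCertConf.deserialize(serialized)
        except DatastructureIncompatible:
            # upgradeFields presumably rewrites `serialized` in place, since
            # the same object is deserialized again — verify against its
            # definition.
            self.upgradeFields(serialized)
            self.auth_cert_cfg = AuthCertConf.deserialize(serialized)

    def apply_config(self, responsible, arg, modified_paths):
        """Entry point called on apply; *arg* and *modified_paths* are unused."""
        return self._apply_conf(responsible)

    @inlineCallbacks
    def _apply_conf(self, responsible):
        """Apply the configuration: enable on boot, regenerate files, restart.

        Returns a Deferred (inlineCallbacks).  Runs, in order: enable the
        service on boot, re-read the stored config, regenerate config files,
        restart nuauth and, on EdenWall, install the captive-portal rules.
        """
        # Ensure always enabled on boot.
        yield deferToThread(self.setEnabledOnBoot, True)
        self.read_config()
        yield self.genConfigFiles(responsible)
        # RunCommandError may happen here if nuauth was not started.
        yield deferToThread(self.startstopManager, 'restart')
        if EDENWALL:
            yield self.setup_portal(responsible)

    @inlineCallbacks
    def genConfigFiles(self, responsible):
        """Render the nuauth configuration from ``auth_cert_cfg``.

        On EdenWall the client cap is fetched from the license service.
        Unless *responsible* is restoring a backup, the SSL configuration is
        pushed and the certificate files are chowned to ``nuauth``.
        """
        template_variables = {
            'auth_by_cert': self.auth_cert_cfg.auth_by_cert,
            'portal_enabled': self.auth_cert_cfg.portal_enabled,
            'strict': self.auth_cert_cfg.strict,
            'disable_crl': self.auth_cert_cfg.disable_crl,
        }
        if EDENWALL:
            context = Context.fromComponent(self)
            nuauth_tls_max_clients = \
                yield self.core.callService(context, 'license', 'getMaxClients')
            template_variables['nuauth_tls_max_clients'] = nuauth_tls_max_clients
        self.generate_configfile(template_variables)
        if not responsible.isRestoring():
            ssl_config = self.auth_cert_cfg.getSSLDict()
            yield self._setSSLConfig(ssl_config)
            # TODO: move in ufwi_rpcd.backend.use_cert_component
            # NOTE(review): only ownership is changed here, not the mode;
            # confirm the private key (KEY_PATH) is written with a
            # restrictive mode wherever it is created.
            for cert_file in self.CERT_ATTR_TO_PATH.values():
                self.chownWithNames(cert_file, 'nuauth', 'nuauth')

    @inlineCallbacks
    def setup_portal(self, responsible):
        """Install (or clear) the captive-portal NAT/filter rules.

        Creates the ``nuauth`` IP set via the ``portal_ipset`` script, then
        builds a ``LocalFW('portal')`` rule set: when the portal is enabled,
        HTTP from each configured network is redirected to the PORTAL chain
        unless the source is already in the set; when disabled, executing
        the empty rule set clears any existing rules.  Re-raises any error
        from ``localfw.execute`` after logging it.
        """
        try:
            yield deferToThread(
                self.runCommandAsRootAndCheck,
                os.path.join(self.script_dir, "portal_ipset"))
        except RunCommandError:
            self.error("Could not create captive portal IP set.")
        localfw = LocalFW('portal')
        if self.auth_cert_cfg.portal_enabled:
            try:
                # Security: a setuid-root ipset lets any local account change
                # kernel IP sets, not only the nuauth user; a file capability
                # or a scoped sudoers entry would be the least-privilege
                # alternative.  Kept as-is because nuauth presumably relies
                # on it — confirm before tightening.
                os.chmod(IPSET_EXE, 04755)
            except Exception, err:
                self.critical('Could not add setuid on %s (%s).' % (IPSET_EXE, err))
            localfw.call('addNatIptable', False, '-N PORTAL')
            # NOTE(review): `network` is interpolated into an iptables rule
            # string; confirm AuthCertConf validates portal_nets as IP/CIDR
            # values so no extra arguments can reach iptables.
            for network in self.auth_cert_cfg.portal_nets:
                localfw.call('addNatIptable', False,
                             '-A PREROUTING -p tcp --dport 80 -s %s -j PORTAL' % network)
                localfw.call('addFilterIptable', False,
                             '-A INPUT -p tcp --dport 80 -s %s -j ACCEPT' % network)
            localfw.call('addNatIptable', False,
                         '-A PORTAL -m set --set nuauth src,src -j RETURN')
            localfw.call('addNatIptable', False, '-A PORTAL -j REDIRECT')
        # else: just clear existing rules
        context = Context.fromComponent(self)
        try:
            yield localfw.execute(self.core, context)
        except Exception, err:
            self.writeError(err, 'Error while handling firewall NAT rules for the captive portal')
            raise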
def service_setAuthCertConfig(self, context, serialized, message):
    """Service entry point (role ``conf_write``): replace and persist the config.

    *serialized* comes from the caller and is turned into an ``AuthCertConf``
    before being stored, so ``deserialize`` is the only validation step on
    this path — confirm it rejects malformed structures rather than storing
    them.  *message* is passed to ``save_config`` as the change description.
    """
    new_config = AuthCertConf.deserialize(serialized)
    self.auth_cert_cfg = new_config
    self.save_config(message, context)