 def read_config(self, *args, **kwargs):
     """
     Load the AuthCertConf stored under MASTER_KEY into self.auth_cert_cfg.

     When the config manager has no entry (ConfigError/KeyError) a warning
     is logged and a default AuthCertConf is used. When the stored layout
     is an older, incompatible one (DatastructureIncompatible) the fields
     are upgraded in place and deserialization is retried once.
     """
     def load(serialized):
         # Deserialize, migrating an outdated layout first if needed.
         try:
             return AuthCertConf.deserialize(serialized)
         except DatastructureIncompatible:
             self.upgradeFields(serialized)
             return AuthCertConf.deserialize(serialized)

     try:
         stored = self.core.config_manager.get(self.MASTER_KEY)
     except (ConfigError, KeyError):
         self.warning(tr('Authentication server (certificates) not configured, default values loaded.'))
         self.auth_cert_cfg = AuthCertConf()
         return

     self.auth_cert_cfg = load(stored)
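class AuthCertComponent(ConfigServiceComponent, UseCertificateComponent):
    """
    Manage the authentication server's certificates and certificate
    configuration.

    Holds the nuauth TLS material under CERT_BASE, renders the nuauth
    configuration files from the stored AuthCertConf and, on EdenWall
    builds, programs the captive-portal iptables rules through the
    'localfw' service.
    """
    NAME = "auth_cert"
    # config_manager key under which the serialized AuthCertConf is stored.
    MASTER_KEY = NAME
    VERSION = "1.0"

    # Services this component is allowed to call on other components
    # (component name -> allowed service names).
    ACLS = {
        'localfw': frozenset(('addFilterIptable', 'addNatIptable', 'apply', 'clear',
                        'close', 'open')),
        'network': frozenset(('getNetconfig',)),
        'ufwi_ruleset': frozenset(('open', 'reapplyLastRuleset',)),
        'nupki': frozenset(('copyPKI', 'copyCRL', )),
        'nuauth_command': frozenset(('refreshCRL', )),
    }

    # We need to restart nuauth when nuauth component, actually the user_directory component,
    # is modified.
    CONFIG_DEPENDS = ("nuauth",)

    REQUIRES = ('config', )
    if EDENWALL:
        # EdenWall builds also ask the license component for the TLS client limit.
        REQUIRES += ('license',)
        ACLS['license'] = frozenset(('getMaxClients',))

    # Role -> names of the RPC services a client holding that role may call.
    ROLES = {
        'conf_read': set(('getAuthCertConfig', 'runtimeFiles', 'getCertificatesInfo')),
        'conf_write': set(('setAuthCertConfig',)),
    }

    EXE_NAME = "nuauth"
    INIT_SCRIPT = "nuauth"

    # nuauth TLS material: server certificate, private key, CRL and CA certificate.
    CERT_BASE = '/etc/nufw/certs'
    CERT_PATH = join(CERT_BASE, 'nuauth-cert.pem')
    KEY_PATH = join(CERT_BASE, 'nuauth-key.pem')
    CRL_PATH = join(CERT_BASE, 'nuauth-crl.pem')
    CA_PATH = join(CERT_BASE, 'nuauth-cacert.pem')

    def __init__(self):
        # Both base classes are initialised explicitly.
        ConfigServiceComponent.__init__(self)
        UseCertificateComponent.__init__(self)

    def init(self, core):
        """
        Bind the component to *core* and register the files it generates.

        ``sharedir`` is read from the core ``[CORE] sharedir`` setting; if
        that lookup fails for any ordinary reason, DEFAULT_SHAREDIR is used
        instead. The registered files are _NUAUTH_CONF, nuauth_tls.conf and
        the user-up/user-down hook scripts, all owned by root.
        """
        ConfigServiceComponent.init(self, core)
        UseCertificateComponent.init(self, core)
        self.core = core
        try:
            self.sharedir = self.core.config.get('CORE', 'sharedir')
        except Exception:
            # Best-effort fallback. Catching Exception instead of a bare
            # except keeps SystemExit/KeyboardInterrupt propagating.
            self.sharedir = DEFAULT_SHAREDIR
        self.script_dir = os.path.join(self.sharedir, 'scripts')
        self.addConfFile(_NUAUTH_CONF, 'root:root', '0644')
        self.addConfFile('/etc/nufw/nuauth.d/nuauth_tls.conf', 'root:root',
                         '0644')
        self.addConfFile('/etc/nufw/user-down.sh', 'root:root', '0755')
        self.addConfFile('/etc/nufw/user-up.sh', 'root:root', '0755')

    def read_config(self, *args, **kwargs):
        """
        Load the AuthCertConf stored under MASTER_KEY into self.auth_cert_cfg.

        Falls back to a default AuthCertConf (with a warning) when the
        config manager has no entry; when the stored layout is an older,
        incompatible one, the fields are upgraded in place and
        deserialization is retried once.
        """
        try:
            serialized = self.core.config_manager.get(self.MASTER_KEY)
        except (ConfigError, KeyError):
            self.warning(tr('Authentication server (certificates) not configured, default values loaded.'))
            self.auth_cert_cfg = AuthCertConf()
        else:
            try:
                self.auth_cert_cfg = AuthCertConf.deserialize(serialized)
            except DatastructureIncompatible:
                # Outdated layout: migrate the fields, then retry.
                self.upgradeFields(serialized)
                self.auth_cert_cfg = AuthCertConf.deserialize(serialized)

    def apply_config(self, responsible, arg, modified_paths):
        """
        Configuration hook: (re)apply the stored configuration.

        *arg* and *modified_paths* are part of the hook signature but are
        not used here. Returns the Deferred produced by _apply_conf.
        """
        return self._apply_conf(responsible)

    @inlineCallbacks
    def _apply_conf(self, responsible):
        """
        Enable nuauth on boot, regenerate its configuration files and
        restart it; on EdenWall builds also (re)program the captive portal
        firewall rules.
        """
        #Ensure always enabled on boot.
        yield deferToThread(self.setEnabledOnBoot, True)

        self.read_config()
        yield self.genConfigFiles(responsible)

        #RunCommandError may happen here if nuauth was not started.
        yield deferToThread(self.startstopManager, 'restart')

        if EDENWALL:
            yield self.setup_portal(responsible)

    @inlineCallbacks
    def genConfigFiles(self, responsible):
        """
        Render the nuauth configuration from self.auth_cert_cfg.

        Template variables are the auth_by_cert / portal_enabled / strict /
        disable_crl flags, plus nuauth_tls_max_clients obtained from the
        'license' service on EdenWall builds. Unless *responsible* is
        restoring, the SSL settings are also pushed through _setSSLConfig.
        Finally every certificate file is chowned to nuauth:nuauth.
        """
        template_variables = {
            'auth_by_cert': self.auth_cert_cfg.auth_by_cert,
            'portal_enabled': self.auth_cert_cfg.portal_enabled,
            'strict': self.auth_cert_cfg.strict,
            'disable_crl': self.auth_cert_cfg.disable_crl,
        }

        if EDENWALL:
            context = Context.fromComponent(self)
            nuauth_tls_max_clients = \
                yield self.core.callService(context, 'license', 'getMaxClients')
            template_variables['nuauth_tls_max_clients'] = nuauth_tls_max_clients

        self.generate_configfile(template_variables)

        if not responsible.isRestoring():
            ssl_config = self.auth_cert_cfg.getSSLDict()
            yield self._setSSLConfig(ssl_config)

        # TODO: move in ufwi_rpcd.backend.use_cert_component
        for cert_file in self.CERT_ATTR_TO_PATH.values():
            self.chownWithNames(cert_file, 'nuauth', 'nuauth')

    @inlineCallbacks
    def setup_portal(self, responsible):
        """
        Create the captive portal IP set and program its NAT/filter rules.

        When the portal is enabled, HTTP traffic from each configured
        portal network is redirected through a PORTAL NAT chain that lets
        addresses already in the 'nuauth' set through; when it is disabled
        the LocalFW run only clears the previously installed rules. Errors
        while applying the rules are logged through writeError and
        re-raised.
        """
        try:
            yield deferToThread(
                self.runCommandAsRootAndCheck,
                os.path.join(
                    self.script_dir,
                    "portal_ipset"
                    )
                )
        except RunCommandError:
            # Non-fatal: the rules below are still installed.
            self.error("Could not create captive portal IP set.")

        localfw = LocalFW('portal')
        if self.auth_cert_cfg.portal_enabled:
            try:
                # NOTE(review): setuid root on the ipset binary widens the
                # local privilege boundary; presumably needed so a non-root
                # process can update the 'nuauth' set -- confirm, and keep
                # IPSET_EXE's ownership/permissions tightly controlled.
                os.chmod(IPSET_EXE, 04755)
            except Exception, err:
                self.critical('Could not add setuid on %s (%s).' %
                              (IPSET_EXE, err))

            localfw.call('addNatIptable', False, '-N PORTAL')
            # portal_nets values are interpolated verbatim into rule text;
            # assumes AuthCertConf validated them as networks -- TODO confirm.
            for network in self.auth_cert_cfg.portal_nets:
                localfw.call('addNatIptable', False,
                        '-A PREROUTING -p tcp --dport 80 -s %s -j PORTAL' %
                        network)
                localfw.call('addFilterIptable', False,
                        '-A INPUT -p tcp --dport 80 -s %s -j ACCEPT' %
                        network)
            localfw.call('addNatIptable', False,
                    '-A PORTAL -m set --set nuauth src,src -j RETURN')
            localfw.call('addNatIptable', False,
                    '-A PORTAL -j REDIRECT')
        # else: just clear existing rules

        context = Context.fromComponent(self)
        try:
            yield localfw.execute(self.core, context)
        except Exception, err:
            self.writeError(err,
                'Error while handling firewall NAT rules for the captive portal')
            raise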
 def service_setAuthCertConfig(self, context, serialized, message):
     """
     RPC service: replace the in-memory AuthCertConf with the deserialized
     form of *serialized* and persist it.

     *context* and *message* are passed through to save_config unchanged.
     """
     new_cfg = AuthCertConf.deserialize(serialized)
     self.auth_cert_cfg = new_cfg
     self.save_config(message, context)