def __init__(self, client_service, keyfile, keytab, server, realm,
             ldap_uri=None, auth_type=None):
    """Prepare a Custodia client that authenticates with GSSAPI.

    Args:
        client_service: GSS name of the calling service, ``service@host``.
        keyfile: path passed to ``IPAKEMKeys`` as ``server_keys``.
        keytab: keytab from which initiator credentials are acquired.
        server: Custodia server host; the target service is ``HTTP@server``.
        realm: Kerberos realm of the server's host principal.
        ldap_uri: optional LDAP URI passed to ``IPAKEMKeys``.
        auth_type: stored on the instance; not used by this constructor.

    Raises:
        ValueError: if ``client_service`` is not of the form ``service@host``.
    """
    looks_like_principal = client_service.endswith(realm)
    if looks_like_principal or "@" not in client_service:
        raise ValueError(
            "Client service name must be a GSS name (service@host), "
            "not '{}'.".format(client_service))

    self.client_service = client_service
    self.keytab = keytab
    self.server = server
    self.realm = realm
    self.ldap_uri = ldap_uri
    self.auth_type = auth_type

    target = 'HTTP@{}'.format(server)
    self.service_name = gssapi.Name(target, gssapi.NameType.hostbased_service)
    self.keystore = IPASecStore()

    # Private in-process MEMORY ccache with a random suffix: handler
    # processes never need a TGT on disk and cannot share a cache by accident.
    self.ccache = 'MEMORY:Custodia_{}'.format(secrets.token_hex())
    with ccache_env(self.ccache):
        # Acquire credentials now so a broken keytab fails fast;
        # _auth_header re-acquires them before they expire.
        self.creds = self._init_creds()

    kem_config = {'server_keys': keyfile, 'ldap_uri': ldap_uri}
    self.ikk = IPAKEMKeys(kem_config)
    self.kemcli = KEMClient(self._server_keys(), self._client_keys())
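def uninstall(self):
    """Remove the Custodia instance, its server keys, config file and upgrade state.

    In addition to deleting the on-disk key file, the server keys are also
    removed from LDAP so they do not linger after uninstall. The LDAP step
    is best-effort: when the directory server is unreachable the keys are
    left for ``server_del`` to clean up later.
    """
    super(CustodiaInstance, self).uninstall()
    keystore = IPAKEMKeys({
        'server_keys': self.server_keys,
        'ldap_uri': self.ldap_uri
    })
    # Remove the key file unconditionally, before the LDAP step that may fail.
    keystore.remove_server_keys_file()
    try:
        keystore.remove_server_keys()
    except (ldap.CONNECT_ERROR, ldap.SERVER_DOWN):
        logger.debug(
            "Cannot remove custodia keys now, server_del takes care of "
            "them later.")
    installutils.remove_file(self.config_file)
    sysupgrade.set_upgrade_state('custodia', 'installed', False)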
def __init__(self, client_service, keyfile, keytab, server, realm,
             ldap_uri=None, auth_type=None):
    """Prepare a Custodia client (older variant without eager credential init).

    Args:
        client_service: GSS name of the calling service.
        keyfile: path passed to ``IPAKEMKeys`` as ``server_keys``.
        keytab: keytab stored for later credential acquisition.
        server: Custodia server host; the target service is ``HTTP@server``.
        realm: Kerberos realm used to look up the server's keys.
        ldap_uri: optional LDAP URI for ``IPAKEMKeys`` and the keystore.
        auth_type: passed through to ``_keystore``.
    """
    self.client_service = client_service
    self.keytab = keytab
    # NOTE: initiator credentials are deliberately not acquired here; the
    # eager ``init_creds`` call is disabled in this variant.
    target = 'HTTP@{}'.format(server)
    self.service_name = gssapi.Name(target, gssapi.NameType.hostbased_service)
    self.server = server

    kem_config = {'server_keys': keyfile, 'ldap_uri': ldap_uri}
    self.ikk = IPAKEMKeys(kem_config)
    server_keys = self._server_keys(server, realm)
    self.kemcli = KEMClient(server_keys, self._client_keys())
    self.keystore = self._keystore(realm, ldap_uri, auth_type)

    # FIXME: Remove warnings about missing subjAltName for the
    # requests module. Note that this silences urllib3 warnings
    # process-wide, not just for this client.
    urllib3.disable_warnings()
def uninstall(self):
    """Tear down the Custodia instance: service, keys, config and upgrade state.

    The key file is always deleted; removal of the keys from LDAP is
    best-effort and is skipped (with a debug log) when the directory server
    cannot be reached, in which case ``server_del`` cleans them up later.
    """
    super().uninstall()

    kem_keys = IPAKEMKeys({
        'server_keys': self.server_keys,
        'ldap_uri': self.ldap_uri,
    })
    # Explicit file removal first, so a failing LDAP step cannot leave
    # the key material on disk.
    kem_keys.remove_server_keys_file()

    try:
        kem_keys.remove_server_keys()
    except (ldap.CONNECT_ERROR, ldap.SERVER_DOWN):
        logger.debug("Cannot remove custodia keys now, server_del takes care of them later.")

    installutils.remove_file(self.config_file)
    sysupgrade.set_upgrade_state('custodia', 'installed', False)
def uninstall(self):
    """Uninstall Custodia and remove its server keys, config file and upgrade state.

    LDAP key removal is best-effort: transient directory outages are logged
    at debug level and the keys are left for ``server_del``.
    """
    super(CustodiaInstance, self).uninstall()

    config = {'server_keys': self.server_keys, 'ldap_uri': self.ldap_uri}
    keystore = IPAKEMKeys(config)
    # The on-disk key file is removed before, and independently of,
    # the LDAP cleanup below.
    keystore.remove_server_keys_file()

    transient_ldap_errors = (ldap.CONNECT_ERROR, ldap.SERVER_DOWN)
    try:
        keystore.remove_server_keys()
    except transient_ldap_errors:
        logger.debug(
            "Cannot remove custodia keys now, server_del takes care of "
            "them later.")

    installutils.remove_file(self.config_file)
    sysupgrade.set_upgrade_state('custodia', 'installed', False)
def __gen_keys(self):
    """Generate this server's Custodia server keys via ``IPAKEMKeys``."""
    config = {'server_keys': self.server_keys, 'ldap_uri': self.ldap_uri}
    IPAKEMKeys(config).generate_server_keys()
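class CustodiaClient:
    """Fetch keys from an IPA Custodia server over an authenticated KEM channel.

    Transport security is HTTPS verified against ``paths.IPA_CA_CRT``; every
    request additionally carries a GSSAPI ``Negotiate`` token, and the key
    payload itself is wrapped by ``KEMClient`` (signed/encrypted request and
    reply), so the key material is protected independently of TLS.
    """

    def __init__(self, client_service, keyfile, keytab, server, realm,
                 ldap_uri=None, auth_type=None):
        """Prepare the client and acquire initiator credentials.

        Args:
            client_service: GSS name of the calling service, ``service@host``.
            keyfile: path passed to ``IPAKEMKeys`` as ``server_keys``.
            keytab: keytab from which initiator credentials are acquired.
            server: Custodia server host; the target service is ``HTTP@server``.
            realm: Kerberos realm of the server's host principal.
            ldap_uri: optional LDAP URI passed to ``IPAKEMKeys``.
            auth_type: stored on the instance; not used by this constructor.

        Raises:
            ValueError: if ``client_service`` is not of the form ``service@host``.
        """
        if client_service.endswith(realm) or "@" not in client_service:
            raise ValueError(
                "Client service name must be a GSS name (service@host), "
                "not '{}'.".format(client_service))
        self.client_service = client_service
        self.keytab = keytab
        self.server = server
        self.realm = realm
        self.ldap_uri = ldap_uri
        self.auth_type = auth_type
        self.service_name = gssapi.Name('HTTP@{}'.format(server),
                                        gssapi.NameType.hostbased_service)
        self.keystore = IPASecStore()
        # Private in-process MEMORY ccache with a random suffix: handler
        # processes never need a TGT on disk and cannot share a cache.
        self.ccache = 'MEMORY:Custodia_{}'.format(secrets.token_hex())
        with ccache_env(self.ccache):
            # Acquire credentials now so a broken keytab fails fast;
            # _auth_header re-acquires them before they expire.
            self.creds = self._init_creds()
        self.ikk = IPAKEMKeys({
            'server_keys': keyfile,
            'ldap_uri': ldap_uri
        })
        self.kemcli = KEMClient(self._server_keys(), self._client_keys())

    def _client_keys(self):
        """Return this client's own KEM keys (``ikk.server_keys``)."""
        return self.ikk.server_keys

    def _server_keys(self):
        """Look up the Custodia server's signing and encryption keys.

        The keys are stored under the ``host`` service principal for
        ``server`` in ``realm``.

        Returns:
            A ``(signing_key, encryption_key)`` tuple of ``JWK`` objects.
        """
        principal = krb5_format_service_principal_name('host', self.server,
                                                       self.realm)
        sk = JWK(**json_decode(self.ikk.find_key(principal, KEY_USAGE_SIG)))
        ek = JWK(**json_decode(self.ikk.find_key(principal, KEY_USAGE_ENC)))
        return sk, ek

    def _init_creds(self):
        """Acquire initiator GSSAPI credentials for ``client_service``.

        Credentials are read from ``keytab`` and stored in the per-instance
        ``ccache``.
        """
        name = gssapi.Name(self.client_service,
                           gssapi.NameType.hostbased_service)
        store = {'client_keytab': self.keytab, 'ccache': self.ccache}
        return gssapi.Credentials(name=name, store=store, usage='initiate')

    def _auth_header(self):
        """Build the ``Authorization: Negotiate`` header for one request.

        Credentials with less than 300 seconds of lifetime left are
        re-acquired first; a fresh security context (and thus a fresh token)
        is created on every call.

        Returns:
            A dict with the single ``Authorization`` header.
        """
        if self.creds.lifetime < 300:
            self.creds = self._init_creds()
        ctx = gssapi.SecurityContext(name=self.service_name, creds=self.creds)
        authtok = ctx.step()
        return {
            'Authorization': 'Negotiate %s' % b64encode(authtok).decode('ascii')
        }

    def fetch_key(self, keyname, store=True):
        """Fetch ``keyname`` from the Custodia server.

        Args:
            keyname: key identifier, interpolated into the ``/ipa/keys/``
                URL path.
            store: when true, save the key in the local keystore under
                ``keys/<keyname>`` and return ``None``; otherwise return
                the key value.

        Returns:
            The unwrapped key value when ``store`` is false, else ``None``.

        Raises:
            requests.HTTPError: on a non-2xx response.
            RuntimeError: when the response body is not a KEM reply of the
                expected shape.
        """
        # NOTE(review): keyname is placed in the path without URL quoting;
        # callers are expected to pass well-formed key names.
        url = 'https://%s/ipa/keys/%s' % (self.server, keyname)

        # Signed/encrypted KEM request with fixed algorithms.
        encalg = ('RSA-OAEP', 'A256CBC-HS512')
        request = self.kemcli.make_request(keyname, encalg=encalg)

        headers = self._auth_header()

        # TLS is verified against the IPA CA. NOTE(review): no timeout is
        # set, so a stalled server blocks the caller indefinitely.
        r = requests.get(url, headers=headers, verify=paths.IPA_CA_CRT,
                         params={
                             'type': 'kem',
                             'value': request
                         })
        r.raise_for_status()
        reply = r.json()

        # Validate the shape before touching fields so a malformed body
        # yields a clear RuntimeError rather than a TypeError/KeyError.
        if not isinstance(reply, dict) or reply.get('type') != 'kem':
            raise RuntimeError('Invalid JSON response type')
        if 'value' not in reply:
            raise RuntimeError('Missing value in KEM response')

        value = self.kemcli.parse_reply(keyname, reply['value'])
        if store:
            self.keystore.set('keys/%s' % keyname, value)
            return None
        return value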