def __init__(self,
client_service,
keyfile,
keytab,
server,
realm,
ldap_uri=None,
auth_type=None):
if client_service.endswith(realm) or "@" not in client_service:
raise ValueError(
"Client service name must be a GSS name (service@host), "
"not '{}'.".format(client_service))
self.client_service = client_service
self.keytab = keytab
self.server = server
self.realm = realm
self.ldap_uri = ldap_uri
self.auth_type = auth_type
self.service_name = gssapi.Name('HTTP@{}'.format(server),
gssapi.NameType.hostbased_service)
self.keystore = IPASecStore()
# use in-process MEMORY ccache. Handler process don't need a TGT.
self.ccache = 'MEMORY:Custodia_{}'.format(secrets.token_hex())
with ccache_env(self.ccache):
# Init creds immediately to make sure they are valid. Creds
# can also be re-inited by _auth_header to avoid expiry.
self.creds = self._init_creds()
self.ikk = IPAKEMKeys({
'server_keys': keyfile,
'ldap_uri': ldap_uri
})
self.kemcli = KEMClient(self._server_keys(), self._client_keys())
def uninstall(self):
super(CustodiaInstance, self).uninstall()
keystore = IPAKEMKeys({
'server_keys': self.server_keys,
'ldap_uri': self.ldap_uri
})
keystore.remove_server_keys_file()
installutils.remove_file(self.config_file)
sysupgrade.set_upgrade_state('custodia', 'installed', False)
def __init__(self,
client_service,
keyfile,
keytab,
server,
realm,
ldap_uri=None,
auth_type=None):
self.client_service = client_service
self.keytab = keytab
# Init creds immediately to make sure they are valid. Creds
# can also be re-inited by _auth_header to avoid expiry.
#
self.creds = self.init_creds()
self.service_name = gssapi.Name('HTTP@%s' % (server, ),
gssapi.NameType.hostbased_service)
self.server = server
self.ikk = IPAKEMKeys({'server_keys': keyfile, 'ldap_uri': ldap_uri})
self.kemcli = KEMClient(self._server_keys(server, realm),
self._client_keys())
self.keystore = self._keystore(realm, ldap_uri, auth_type)
# FIXME: Remove warnings about missing subjAltName for the
# requests module
urllib3.disable_warnings()
def uninstall(self):
super(CustodiaInstance, self).uninstall()
keystore = IPAKEMKeys({
'server_keys': self.server_keys,
'ldap_uri': self.ldap_uri
})
# Call remove_server_keys_file explicitly to ensure that the key
# file is always removed.
keystore.remove_server_keys_file()
try:
keystore.remove_server_keys()
except (ldap.CONNECT_ERROR, ldap.SERVER_DOWN):
logger.debug(
"Cannot remove custodia keys now, server_del takes care of "
"them later."
)
installutils.remove_file(self.config_file)
sysupgrade.set_upgrade_state('custodia', 'installed', False)
def uninstall(self):
super(CustodiaInstance, self).uninstall()
keystore = IPAKEMKeys({
'server_keys': self.server_keys,
'ldap_uri': self.ldap_uri
})
# Call remove_server_keys_file explicitly to ensure that the key
# file is always removed.
keystore.remove_server_keys_file()
try:
keystore.remove_server_keys()
except (ldap.CONNECT_ERROR, ldap.SERVER_DOWN):
logger.debug(
"Cannot remove custodia keys now, server_del takes care of "
"them later.")
installutils.remove_file(self.config_file)
sysupgrade.set_upgrade_state('custodia', 'installed', False)
def __gen_keys(self):
keystore = IPAKEMKeys({
'server_keys': self.server_keys,
'ldap_uri': self.ldap_uri
})
keystore.generate_server_keys()
def __gen_keys(self):
keystore = IPAKEMKeys({
'server_keys': self.server_keys,
'ldap_uri': self.ldap_uri
})
keystore.generate_server_keys()
class CustodiaClient:
def __init__(self,
client_service,
keyfile,
keytab,
server,
realm,
ldap_uri=None,
auth_type=None):
if client_service.endswith(realm) or "@" not in client_service:
raise ValueError(
"Client service name must be a GSS name (service@host), "
"not '{}'.".format(client_service))
self.client_service = client_service
self.keytab = keytab
self.server = server
self.realm = realm
self.ldap_uri = ldap_uri
self.auth_type = auth_type
self.service_name = gssapi.Name('HTTP@{}'.format(server),
gssapi.NameType.hostbased_service)
self.keystore = IPASecStore()
# use in-process MEMORY ccache. Handler process don't need a TGT.
self.ccache = 'MEMORY:Custodia_{}'.format(secrets.token_hex())
with ccache_env(self.ccache):
# Init creds immediately to make sure they are valid. Creds
# can also be re-inited by _auth_header to avoid expiry.
self.creds = self._init_creds()
self.ikk = IPAKEMKeys({
'server_keys': keyfile,
'ldap_uri': ldap_uri
})
self.kemcli = KEMClient(self._server_keys(), self._client_keys())
def _client_keys(self):
return self.ikk.server_keys
def _server_keys(self):
principal = krb5_format_service_principal_name('host', self.server,
self.realm)
sk = JWK(**json_decode(self.ikk.find_key(principal, KEY_USAGE_SIG)))
ek = JWK(**json_decode(self.ikk.find_key(principal, KEY_USAGE_ENC)))
return sk, ek
def _init_creds(self):
name = gssapi.Name(self.client_service,
gssapi.NameType.hostbased_service)
store = {'client_keytab': self.keytab, 'ccache': self.ccache}
return gssapi.Credentials(name=name, store=store, usage='initiate')
def _auth_header(self):
if self.creds.lifetime < 300:
self.creds = self._init_creds()
ctx = gssapi.SecurityContext(name=self.service_name, creds=self.creds)
authtok = ctx.step()
return {
'Authorization':
'Negotiate %s' % b64encode(authtok).decode('ascii')
}
def fetch_key(self, keyname, store=True):
# Prepare URL
url = 'https://%s/ipa/keys/%s' % (self.server, keyname)
# Prepare signed/encrypted request
encalg = ('RSA-OAEP', 'A256CBC-HS512')
request = self.kemcli.make_request(keyname, encalg=encalg)
# Prepare Authentication header
headers = self._auth_header()
# Perform request
r = requests.get(url,
headers=headers,
verify=paths.IPA_CA_CRT,
params={
'type': 'kem',
'value': request
})
r.raise_for_status()
reply = r.json()
if 'type' not in reply or reply['type'] != 'kem':
raise RuntimeError('Invlid JSON response type')
value = self.kemcli.parse_reply(keyname, reply['value'])
if store:
self.keystore.set('keys/%s' % keyname, value)
else:
return value
return None