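def modify_keygateway(ops: command.Operations, overwrite_keytab: bool) -> None:
    """Queue keytab installation and a keygateway enable/restart for every supervisor node.

    Args:
        ops: operation list that the upload and the two ``systemctl`` calls are
            appended to; nothing is executed here, only queued.
        overwrite_keytab: when False, a keytab already present at KEYTAB_PATH on
            the host must be byte-identical to the local one, otherwise the
            operation fails; when True the remote keytab is replaced unconditionally.

    Side effects: prints a notice and returns early when kerberos is disabled in
    the config; otherwise decrypts one keytab per supervisor (gpg, in memory) at
    queue time, before any operation runs.
    """
    config = configuration.get_config()
    if not config.is_kerberos_enabled():
        print("keygateway disabled; skipping")
        return
    for node in config.nodes:
        if node.kind != "supervisor":
            continue
        # keytab is stored encrypted in the configuration folder
        keytab = os.path.join(configuration.get_project(), "keytab.%s.crypt" % node.hostname)
        decrypted = keycrypt.gpg_decrypt_to_memory(keytab)

        # Both `node` and `decrypted` are rebound on every iteration, but the queued
        # callable presumably runs only after this loop has finished. Bind BOTH as
        # defaults: binding only `node` (as before) left `decrypted` late-bound, so
        # every supervisor would have received the last supervisor's keytab.
        def safe_upload_keytab(node=node, decrypted=decrypted):
            if not overwrite_keytab:
                try:
                    existing_keytab = ssh.check_ssh_output(node, "cat", KEYTAB_PATH)
                except subprocess.CalledProcessError as e_test:
                    # if there is no existing keytab, cat will fail with error code 1
                    # NOTE(review): cat also exits 1 for other read errors (e.g. a
                    # permission problem), which this path treats as "missing" — confirm.
                    if e_test.returncode != 1:
                        command.fail(e_test)
                    print("no existing keytab found, uploading local keytab")
                else:
                    if existing_keytab != decrypted:
                        command.fail("existing keytab does not match local keytab")
                    return  # existing keytab matches local keytab, no action required
            ssh.upload_bytes(node, decrypted, KEYTAB_PATH)

        ops.add_operation("upload keytab for {}".format(node), safe_upload_keytab)
        ssh_cmd(ops, "enable keygateway on @HOST", node, "systemctl", "enable", "keygateway")
        ssh_cmd(ops, "restart keygateway on @HOST", node, "systemctl", "restart", "keygateway")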
def list_passphrases():
    """Print every stored passphrase, decrypted, together with its date tag.

    Looks in ``<project>/passwords`` for files named ``at-<date>.gpg``, decrypts
    each one in memory with gpg and prints the plaintext to stdout. Fails via
    ``command.fail`` when the passwords directory does not exist.
    """
    password_dir = os.path.join(configuration.get_project(), "passwords")
    if not os.path.isdir(password_dir):
        command.fail("no passwords stored")
    print("Passphrases:")
    prefix, suffix = "at-", ".gpg"
    for entry in os.listdir(password_dir):
        if not (entry.startswith(prefix) and entry.endswith(suffix)):
            continue
        # the date tag is whatever sits between the "at-" prefix and ".gpg"
        stamp = entry[len(prefix):-len(suffix)]
        encrypted_path = os.path.join(password_dir, entry)
        plaintext = keycrypt.gpg_decrypt_to_memory(encrypted_path).decode()
        print("   ", stamp, "=>", plaintext)
    print("End of list.")
def setup_keygateway(ops: Operations, config: configuration.Config) -> None:
    """Queue keytab installation and a keygateway restart on each supervisor node.

    For every node of kind "supervisor": decrypt ``<project>/keytab.<hostname>.crypt``
    in memory with gpg, queue a check that KEYTAB_PATH does not yet exist on the
    host, queue the upload of the decrypted bytes to KEYTAB_PATH, then queue
    ``systemctl restart keygateway``. Nothing is executed here, only queued.
    """
    supervisors = (node for node in config.nodes if node.kind == "supervisor")
    for node in supervisors:
        # keytab is stored encrypted in the configuration folder
        encrypted_keytab = os.path.join(
            configuration.get_project(), "keytab.%s.crypt" % node.hostname)
        keytab_bytes = keycrypt.gpg_decrypt_to_memory(encrypted_keytab)
        # refuse to clobber a keytab that is already installed on the host
        ops.ssh("confirm no existing keytab on @HOST", node,
                "test", "!", "-e", KEYTAB_PATH)
        ops.ssh_upload_bytes("upload keytab for @HOST", node,
                             keytab_bytes, KEYTAB_PATH)
        ops.ssh("restart keygateway on @HOST", node,
                "systemctl", "restart", "keygateway")
def setup_bootstrap_registry(ops: Operations) -> None:
    """Queue installation of the registry's TLS key and cert on each supervisor, then restart nginx.

    Reads the config and, for every node of kind "supervisor": decrypts
    ``<project>/https.<REGISTRY_HOSTNAME>.key.crypt`` in memory, queues creation
    of ``/etc/homeworld/ssl`` on the host, queues the upload of the key bytes and
    of the cert file ``https.<REGISTRY_HOSTNAME>.pem`` into that directory, and
    finally queues ``systemctl unmask nginx`` and ``systemctl restart nginx``.
    Nothing is executed here, only queued.
    """
    config = configuration.get_config()
    remote_ssl_dir = "/etc/homeworld/ssl"
    for node in config.nodes:
        if node.kind != "supervisor":
            continue
        encrypted_key = os.path.join(configuration.get_project(),
                                     "https.%s.key.crypt" % REGISTRY_HOSTNAME)
        cert_file = os.path.join(configuration.get_project(),
                                 "https.%s.pem" % REGISTRY_HOSTNAME)

        # the private key is kept encrypted on disk; it is only ever decrypted in memory
        key_bytes = keycrypt.gpg_decrypt_to_memory(encrypted_key)

        remote_key = "%s/%s.key" % (remote_ssl_dir, REGISTRY_HOSTNAME)
        remote_cert = "%s/%s.pem" % (remote_ssl_dir, REGISTRY_HOSTNAME)
        ops.ssh_mkdir("create ssl cert directory on @HOST", node, remote_ssl_dir)
        ops.ssh_upload_bytes("upload %s key to @HOST" % REGISTRY_HOSTNAME,
                             node, key_bytes, remote_key)
        ops.ssh_upload_path("upload %s cert to @HOST" % REGISTRY_HOSTNAME,
                            node, cert_file, remote_cert)
        ops.ssh("unmask nginx on @HOST", node, "systemctl", "unmask", "nginx")
        ops.ssh("restart nginx on @HOST", node, "systemctl", "restart", "nginx")
def decrypt_https(hostname):
    """Return ``(private_key, certificate)`` for the HTTPS identity of *hostname*.

    The key is read from ``<project>/https.<hostname>.key.crypt`` and decrypted in
    memory with gpg; the certificate is read as-is from ``<project>/https.<hostname>.pem``
    via ``util.readfile``.
    """
    encrypted_key = os.path.join(configuration.get_project(),
                                 "https.%s.key.crypt" % hostname)
    private_key = keycrypt.gpg_decrypt_to_memory(encrypted_key)
    cert_path = os.path.join(configuration.get_project(),
                             "https.%s.pem" % hostname)
    certificate = util.readfile(cert_path)
    return private_key, certificate