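def generate() -> None:
    """Generate the cluster authorities and pack them into authorities.tgz.

    Runs ``keygen`` inside a private temporary directory, GPG-encrypts every
    private key (``keycrypt.gpg_encrypt_file``) while copying public material
    (``.pub`` / ``.pem``) as-is, tars the result to the path returned by
    ``get_targz_path``, and overwrites the plaintext copies with ``shred``.

    Fails via ``command.fail`` if the archive already exists or the ``keygen``
    binary cannot be found. Propagates ``subprocess.CalledProcessError`` if
    ``keygen``, ``shred`` or ``tar`` exits non-zero.

    Returns:
        None.
    """
    authorities = get_targz_path(check_exists=False)
    # NOTE: exists()-then-create is racy against a concurrent generate(), but
    # this is an operator-driven tool and tar would simply overwrite.
    if os.path.exists(authorities):
        command.fail("authorities.tgz already exists")
    # tempfile.TemporaryDirectory() (mkdtemp underneath) creates the directory
    # readable, writable and searchable only by the creating user (mode 0o700,
    # not 0o600), which keeps the plaintext private keys away from other local
    # users for the short time they exist on disk.
    with tempfile.TemporaryDirectory() as d:
        certdir = os.path.join(d, "certdir")
        keyserver_yaml = os.path.join(d, "keyserver.yaml")
        util.writefile(keyserver_yaml, configuration.get_keyserver_yaml().encode())
        os.mkdir(certdir)
        print("generating authorities...")
        try:
            # TODO: avoid having these touch disk
            subprocess.check_call(["keygen", keyserver_yaml, certdir, "supervisor-nodes"])
        except FileNotFoundError as e:
            # Only a missing keygen binary is translated into a friendly
            # message; any other missing file is a genuine error.
            if e.filename == "keygen":
                command.fail("could not find keygen binary. is the homeworld-keyserver dependency installed?")
            else:
                raise
        print("encrypting authorities...")
        cryptdir = os.path.join(d, "cryptdir")
        os.mkdir(cryptdir)
        try:
            for filename in os.listdir(certdir):
                source = os.path.join(certdir, filename)
                destination = os.path.join(cryptdir, filename)
                if filename.endswith(".pub") or filename.endswith(".pem"):
                    # Public material: copied without encryption. This assumes
                    # keygen never writes private key material with a .pem
                    # suffix -- TODO confirm against keygen's output naming.
                    util.copy(source, destination)
                else:
                    # Everything else is treated as a private key and encrypted
                    # (fail-closed: an unknown suffix is encrypted, not leaked).
                    keycrypt.gpg_encrypt_file(source, destination)
        finally:
            # Overwrite the plaintext keys even if encryption failed part-way;
            # TemporaryDirectory cleanup only unlinks and never overwrites.
            _shred_directory(certdir)
        print("packing authorities...")
        try:
            subprocess.check_call(["tar", "-C", cryptdir, "-czf", authorities, "."])
        finally:
            _shred_directory(cryptdir)


def _shred_directory(directory: str) -> None:
    """Overwrite every entry directly inside *directory* with ``shred``.

    ``shred`` is invoked without ``-u``, so the files are overwritten in place
    and left for the caller's TemporaryDirectory cleanup to unlink. An empty
    directory is skipped: ``shred`` with no operands exits non-zero, which
    would otherwise surface as a confusing CalledProcessError.

    NOTE: shred only helps on filesystems that overwrite blocks in place; on
    journaling/CoW filesystems and many SSDs old blocks may survive, so this
    is defence in depth rather than a guarantee.
    """
    names = os.listdir(directory)
    if not names:
        return
    subprocess.check_call(["shred", "--"] + names, cwd=directory)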
def import_keytab(node, keytab_file):
    """Import and encrypt a keytab for a particular server.

    Encrypts *keytab_file* with ``keycrypt.gpg_encrypt_file`` into
    ``keytab.<node>.crypt`` inside the project directory. Fails via
    ``command.fail`` when *node* is not declared in the configuration; that
    check is also what bounds the interpolated file name (provided configured
    node names are plain hostnames -- verify in the config schema).
    """
    config = configuration.get_config()
    if not config.has_node(node):
        command.fail("no such node: %s" % node)
    encrypted_name = "keytab.%s.crypt" % node
    encrypted_path = os.path.join(configuration.get_project(), encrypted_name)
    keycrypt.gpg_encrypt_file(keytab_file, encrypted_path)
def import_https(name, keyfile, certfile):
    """Import an HTTPS key pair for *name* into the project directory.

    *certfile* must be a PEM ``CERTIFICATE`` and *keyfile* a PEM
    ``RSA PRIVATE KEY`` (PKCS#1); ``check_pem_type`` rejects anything else, so
    PKCS#8 ``PRIVATE KEY`` blocks or EC keys are not accepted. The key is
    stored GPG-encrypted as ``https.<name>.key.crypt``; the certificate is
    copied in the clear as ``https.<name>.pem``.

    NOTE(review): *name* is interpolated into both file names without any
    validation, so a value containing path separators would be written
    outside the project directory -- callers are assumed to pass a plain
    hostname.
    """
    check_pem_type(certfile, "CERTIFICATE")
    check_pem_type(keyfile, "RSA PRIVATE KEY")
    project = configuration.get_project()
    encrypted_key = os.path.join(project, "https.%s.key.crypt" % name)
    cert_copy = os.path.join(project, "https.%s.pem" % name)
    keycrypt.gpg_encrypt_file(keyfile, encrypted_key)
    util.copy(certfile, cert_copy)
def import_https(name, keyfile, certfile):
    """Import the registry's HTTPS key pair into the project directory.

    Only ``setup.REGISTRY_HOSTNAME`` is accepted as *name*; anything else
    fails via ``command.fail``. Besides limiting which host gets an imported
    certificate, this pins the interpolated file names to a known value.
    *certfile* must be a PEM ``CERTIFICATE`` and *keyfile* a PEM
    ``RSA PRIVATE KEY`` (PKCS#1) -- PKCS#8 or EC keys are rejected by
    ``check_pem_type``. The key is stored GPG-encrypted as
    ``https.<name>.key.crypt``; the certificate is copied in the clear as
    ``https.<name>.pem``.
    """
    if name != setup.REGISTRY_HOSTNAME:
        command.fail("unexpected https host: %s" % name)
    check_pem_type(certfile, "CERTIFICATE")
    check_pem_type(keyfile, "RSA PRIVATE KEY")
    project = configuration.get_project()
    encrypted_key = os.path.join(project, "https.%s.key.crypt" % name)
    cert_copy = os.path.join(project, "https.%s.pem" % name)
    keycrypt.gpg_encrypt_file(keyfile, encrypted_key)
    util.copy(certfile, cert_copy)
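def keytab_op(node, op):
    """Apply an in-place ``k5srvutil`` operation to a node's encrypted keytab.

    ``keytab.<node>.crypt`` in the project directory is decrypted into a
    private temporary directory, ``k5srvutil`` is run on the plaintext, and
    the result is re-encrypted and atomically swapped in over the original.

    Args:
        node: node name; must be declared in the project configuration. The
            file name is only built from it after that check.
        op: ``"rotate"`` (``k5srvutil change`` with aes256-cts and aes128-cts)
            or ``"delold"`` (drop old key versions). Any other value is an
            internal error reported via ``command.fail``.

    Raises:
        subprocess.CalledProcessError: if ``k5srvutil`` or ``shred`` exits
            non-zero. Decrypt/encrypt failures propagate from ``keycrypt``.
    """
    if not configuration.Config.load_from_project().has_node(node):
        command.fail("no such node: %s" % node)
    keytab_source = os.path.join(configuration.get_project(), "keytab.%s.crypt" % node)
    keytab_target = os.path.join(configuration.get_project(), "keytab.%s.crypt.tmp" % node)
    # Validate the operation before anything is decrypted, so a bad op never
    # puts the plaintext keytab on disk at all.
    if op == "rotate":
        operation_args = ["change", "-e", "aes256-cts:normal,aes128-cts:normal"]
    elif op == "delold":
        operation_args = ["delold"]
    else:
        # command.fail is assumed not to return (the original relied on that
        # too, or `operation` would have been unbound) -- confirm in command.
        command.fail("internal error: no such operation %s" % op)
    # The temporary directory is created creator-only (0o700) by mkdtemp.
    with tempfile.TemporaryDirectory() as d:
        keytab_temp = os.path.join(d, "keytab.temp")
        try:
            keycrypt.gpg_decrypt_file(keytab_source, keytab_temp)
            subprocess.check_call(["k5srvutil", "-f", keytab_temp] + operation_args)
            keycrypt.gpg_encrypt_file(keytab_temp, keytab_target)
        finally:
            # TemporaryDirectory cleanup only unlinks; overwrite the plaintext
            # keytab first, the same treatment generate() gives private keys.
            # Best-effort only on journaling/CoW filesystems.
            if os.path.isfile(keytab_temp):
                subprocess.check_call(["shred", "--", keytab_temp])
    # os.replace is an atomic rename over the existing file, so there is no
    # window (as with remove() followed by rename()) in which the node has no
    # keytab at all if the process dies in between.
    os.replace(keytab_target, keytab_source)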
def import_keytab(node, keytab_file):
    """Import and encrypt a keytab for a particular server.

    Encrypts *keytab_file* with ``keycrypt.gpg_encrypt_file`` into
    ``keytab.<node>.crypt`` inside the project directory. Fails via
    ``command.fail`` when *node* is not declared in the project
    configuration; that check is also what bounds the interpolated file name
    (provided configured node names are plain hostnames -- verify in the
    config schema).
    """
    config = configuration.Config.load_from_project()
    if not config.has_node(node):
        command.fail("no such node: %s" % node)
    encrypted_name = "keytab.%s.crypt" % node
    encrypted_path = os.path.join(configuration.get_project(), encrypted_name)
    keycrypt.gpg_encrypt_file(keytab_file, encrypted_path)