def _config_load(self):
""" " load config from file"""
self.logger.debug("CAhandler._config_load()")
config_dic = load_config(self.logger, "CAhandler")
if 'CAhandler' in config_dic:
if 'host_variable' in config_dic['CAhandler']:
try:
self.host = os.environ[config_dic['CAhandler']['host_variable']]
except Exception as err:
self.logger.error('CAhandler._config_load() could not load host_variable:{0}'.format(err))
if 'host' in config_dic['CAhandler']:
if self.host:
self.logger.info('CAhandler._config_load() overwrite host')
self.host = config_dic['CAhandler']['host']
if 'user_variable' in config_dic['CAhandler']:
try:
self.user = os.environ[config_dic['CAhandler']['user_variable']]
except Exception as err:
self.logger.error('CAhandler._config_load() could not load user_variable:{0}'.format(err))
if 'user' in config_dic['CAhandler']:
if self.user:
self.logger.info('CAhandler._config_load() overwrite user')
self.user = config_dic['CAhandler']['user']
if 'password_variable' in config_dic['CAhandler']:
try:
self.password = os.environ[config_dic['CAhandler']['password_variable']]
except Exception as err:
self.logger.error('CAhandler._config_load() could not load password_variable:{0}'.format(err))
if 'password' in config_dic['CAhandler']:
if self.password:
self.logger.info('CAhandler._config_load() overwrite password')
self.password = config_dic['CAhandler']['password']
if 'target_domain' in config_dic['CAhandler']:
self.target_domain = config_dic['CAhandler']['target_domain']
if 'domain_controller' in config_dic['CAhandler']:
self.domain_controller = config_dic['CAhandler']['domain_controller']
if 'ca_name' in config_dic['CAhandler']:
self.ca_name = config_dic['CAhandler']['ca_name']
if 'ca_bundle' in config_dic['CAhandler']:
self.ca_bundle = config_dic['CAhandler']['ca_bundle']
if 'template' in config_dic['CAhandler']:
self.template = config_dic['CAhandler']['template']
if 'DEFAULT' in config_dic and 'proxy_server_list' in config_dic['DEFAULT']:
try:
proxy_list = json.loads(config_dic['DEFAULT']['proxy_server_list'])
proxy_server = proxy_check(self.logger, self.host, proxy_list)
self.proxy = {'http': proxy_server, 'https': proxy_server}
except Exception as err_:
self.logger.warning('CAhandler._config_load() proxy_server_list failed with error: {0}'.format(err_))
self.logger.debug("CAhandler._config_load() ended")
def _validate_alpn_challenge(self, challenge_name, fqdn, token,
jwk_thumbprint):
""" validate dns challenge """
self.logger.debug(
'Challenge._validate_alpn_challenge({0}:{1}:{2})'.format(
challenge_name, fqdn, token))
# resolve name
(response, invalid) = fqdn_resolve(fqdn, self.dns_server_list)
self.logger.debug('fqdn_resolve() ended with: {0}/{1}'.format(
response, invalid))
# we are expecting a certifiate extension which is the sha256 hexdigest of token in a byte structure
# which is base64 encoded '0420' has been taken from acme_srv.sh sources
sha256_digest = sha256_hash_hex(
self.logger, '{0}.{1}'.format(token, jwk_thumbprint))
extension_value = b64_encode(
self.logger, bytearray.fromhex('0420{0}'.format(sha256_digest)))
self.logger.debug('computed value: {0}'.format(extension_value))
if not invalid:
# check if we need to set a proxy
if self.proxy_server_list:
proxy_server = proxy_check(self.logger, fqdn,
self.proxy_server_list)
else:
proxy_server = None
cert = servercert_get(self.logger, fqdn, 443, proxy_server)
if cert:
san_list = cert_san_get(self.logger, cert, recode=False)
fqdn_in_san = fqdn_in_san_check(self.logger, san_list, fqdn)
if fqdn_in_san:
extension_list = cert_extensions_get(self.logger,
cert,
recode=False)
if extension_value in extension_list:
self.logger.debug('alpn validation successful')
result = True
else:
self.logger.debug('alpn validation not successful')
result = False
else:
self.logger.debug('fqdn check against san failed')
result = False
else:
self.logger.debug('no cert returned...')
result = False
else:
result = False
self.logger.debug(
'Challenge._validate_alpn_challenge() ended with: {0}/{1}'.format(
result, invalid))
return (result, invalid)
def _config_load(self):
"""" load config from file """
self.logger.debug('CAhandler._config_load()')
config_dic = load_config(self.logger, 'CAhandler')
if 'CAhandler' in config_dic:
if 'host_variable' in config_dic['CAhandler']:
try:
self.host = os.environ[config_dic['CAhandler']['host_variable']]
except BaseException as err:
self.logger.error('CAhandler._config_load() could not load host_variable:{0}'.format(err))
if 'host' in config_dic['CAhandler']:
if self.host:
self.logger.info('CAhandler._config_load() overwrite host')
self.host = config_dic['CAhandler']['host']
if 'user_variable' in config_dic['CAhandler']:
try:
self.user = os.environ[config_dic['CAhandler']['user_variable']]
except BaseException as err:
self.logger.error('CAhandler._config_load() could not load user_variable:{0}'.format(err))
if 'user' in config_dic['CAhandler']:
if self.user:
self.logger.info('CAhandler._config_load() overwrite user')
self.user = config_dic['CAhandler']['user']
if 'password_variable' in config_dic['CAhandler']:
try:
self.password = os.environ[config_dic['CAhandler']['password_variable']]
except BaseException as err:
self.logger.error('CAhandler._config_load() could not load password_variable:{0}'.format(err))
if 'password' in config_dic['CAhandler']:
if self.password:
self.logger.info('CAhandler._config_load() overwrite password')
self.password = config_dic['CAhandler']['password']
if 'template' in config_dic['CAhandler']:
self.template = config_dic['CAhandler']['template']
if 'auth_method' in config_dic['CAhandler'] and config_dic['CAhandler']['auth_method'] == 'ntlm':
self.auth_method = config_dic['CAhandler']['auth_method']
# check if we get a ca bundle for verification
if 'ca_bundle' in config_dic['CAhandler']:
self.ca_bundle = config_dic['CAhandler']['ca_bundle']
if 'DEFAULT' in config_dic and 'proxy_server_list' in config_dic['DEFAULT']:
try:
proxy_list = json.loads(config_dic['DEFAULT']['proxy_server_list'])
proxy_server = proxy_check(self.logger, self.host, proxy_list)
self.proxy = {'http': proxy_server, 'https': proxy_server}
except BaseException as err_:
self.logger.warning('Challenge._config_load() proxy_server_list failed with error: {0}'.format(err_))
self.logger.debug('CAhandler._config_load() ended')
def _validate_http_challenge(self, challenge_name, fqdn, token,
jwk_thumbprint):
""" validate http challenge """
self.logger.debug(
'Challenge._validate_http_challenge({0}:{1}:{2})'.format(
challenge_name, fqdn, token))
# resolve name
(response, invalid) = fqdn_resolve(fqdn, self.dns_server_list)
self.logger.debug('fqdn_resolve() ended with: {0}/{1}'.format(
response, invalid))
if not invalid:
# check if we need to set a proxy
if self.proxy_server_list:
proxy_server = proxy_check(self.logger, fqdn,
self.proxy_server_list)
else:
proxy_server = None
req = url_get(self.logger,
'http://{0}/.well-known/acme-challenge/{1}'.format(
fqdn, token),
dns_server_list=self.dns_server_list,
proxy_server=proxy_server,
verify=False,
timeout=self.challenge_validation_timeout)
if req:
response_got = req.splitlines()[0]
response_expected = '{0}.{1}'.format(token, jwk_thumbprint)
self.logger.debug(
'response_got: {0} response_expected: {1}'.format(
response_got, response_expected))
if response_got == response_expected:
self.logger.debug('validation successful')
result = True
else:
self.logger.debug('validation not successful')
result = False
else:
self.logger.debug(
'validation not successfull.. no request object')
result = False
else:
result = False
self.logger.debug(
'Challenge._validate_http_challenge() ended with: {0}/{1}'.format(
result, invalid))
return (result, invalid)
def _config_load(self):
"""" load config from file """
# pylint: disable=R0912, R0915
self.logger.debug('CAhandler._config_load()')
config_dic = load_config(self.logger, 'CAhandler')
if 'CAhandler' in config_dic:
if 'est_host_variable' in config_dic['CAhandler']:
try:
self.est_host = os.environ[config_dic['CAhandler'][
'est_host_variable']] + '/.well-known/est'
except Exception as err:
self.logger.error(
'CAhandler._config_load() could not load est_host_variable:{0}'
.format(err))
if 'est_host' in config_dic['CAhandler']:
if self.est_host:
self.logger.info(
'CAhandler._config_load() overwrite est_host')
self.est_host = config_dic['CAhandler'][
'est_host'] + '/.well-known/est'
if not self.est_host:
self.logger.error(
'CAhandler._config_load(): missing "est_host" parameter')
# check if we need to use clientauth
if 'est_client_cert' in config_dic[
'CAhandler'] and 'est_client_key' in config_dic[
'CAhandler']:
self.est_client_cert = []
self.est_client_cert.append(
config_dic['CAhandler']['est_client_cert'])
self.est_client_cert.append(
config_dic['CAhandler']['est_client_key'])
elif 'est_client_cert' in config_dic[
'CAhandler'] or 'est_client_key' in config_dic['CAhandler']:
self.logger.error(
'CAhandler._config_load() configuration incomplete: either "est_client_cert or "est_client_key" parameter is missing in config file'
)
# check if we need to use user-auth
if 'est_user_variable' in config_dic['CAhandler']:
try:
self.est_user = os.environ[config_dic['CAhandler']
['est_user_variable']]
except Exception as err:
self.logger.error(
'CAhandler._config_load() could not load est_user_variable:{0}'
.format(err))
if 'est_user' in config_dic['CAhandler']:
if self.est_user:
self.logger.info(
'CAhandler._config_load() overwrite est_user')
self.est_user = config_dic['CAhandler']['est_user']
if 'est_password_variable' in config_dic['CAhandler']:
try:
self.est_password = os.environ[config_dic['CAhandler']
['est_password_variable']]
except Exception as err:
self.logger.error(
'CAhandler._config_load() could not load est_password:{0}'
.format(err))
if 'est_password' in config_dic['CAhandler']:
if self.est_password:
self.logger.info(
'CAhandler._config_load() overwrite est_password')
self.est_password = config_dic['CAhandler']['est_password']
if (self.est_user
and not self.est_password) or (self.est_password
and not self.est_user):
self.logger.error(
'CAhandler._config_load() configuration incomplete: either "est_user" or "est_password" parameter is missing in config file'
)
# check if we have one authentication scheme
if not self.est_client_cert and not self.est_user:
self.logger.error(
'CAhandler._config_load() configuration incomplete: either user or client authentication must be configured'
)
elif self.est_client_cert and self.est_user:
self.logger.error(
'CAhandler._config_load() configuration wrong: user and client authentication cannot be configured together'
)
# check if we get a ca bundle for verification
if 'ca_bundle' in config_dic['CAhandler']:
try:
self.ca_bundle = config_dic.getboolean(
'CAhandler', 'ca_bundle')
except Exception:
self.ca_bundle = config_dic['CAhandler']['ca_bundle']
if 'DEFAULT' in config_dic and 'proxy_server_list' in config_dic[
'DEFAULT']:
try:
proxy_list = json.loads(
config_dic['DEFAULT']['proxy_server_list'])
url_dic = parse_url(self.logger, self.est_host)
if 'host' in url_dic:
(fqdn, _port) = url_dic['host'].split(':')
proxy_server = proxy_check(self.logger, fqdn, proxy_list)
self.proxy = {'http': proxy_server, 'https': proxy_server}
except Exception as err_:
self.logger.warning(
'Challenge._config_load() proxy_server_list failed with error: {0}'
.format(err_))
self.logger.debug('CAhandler._config_load() ended')
def _config_load(self):
"""" load config from file """
self.logger.debug('CAhandler._config_load()')
config_dic = load_config(self.logger, 'CAhandler')
if 'CAhandler' in config_dic:
if 'api_host' in config_dic['CAhandler']:
self.api_host = config_dic['CAhandler']['api_host']
if 'api_user_variable' in config_dic['CAhandler']:
try:
self.credential_dic['api_user'] = os.environ[
config_dic['CAhandler']['api_user_variable']]
except BaseException as err:
self.logger.error(
'CAhandler._config_load() could not load user_variable:{0}'
.format(err))
if 'api_user' in config_dic['CAhandler']:
if self.credential_dic['api_user']:
self.logger.info(
'CAhandler._config_load() overwrite api_user')
self.credential_dic['api_user'] = config_dic['CAhandler'][
'api_user']
if 'api_password_variable' in config_dic['CAhandler']:
try:
self.credential_dic['api_password'] = os.environ[
config_dic['CAhandler']['api_password_variable']]
except BaseException as err:
self.logger.error(
'CAhandler._config_load() could not load password_variable:{0}'
.format(err))
if 'api_password' in config_dic['CAhandler']:
if self.credential_dic['api_password']:
self.logger.info(
'CAhandler._config_load() overwrite api_password')
self.credential_dic['api_password'] = config_dic['CAhandler'][
'api_password']
if 'ca_name' in config_dic['CAhandler']:
self.ca_name = config_dic['CAhandler']['ca_name']
if 'tsg_name' in config_dic['CAhandler']:
self.tsg_info_dic['name'] = config_dic['CAhandler']['tsg_name']
if 'template_name' in config_dic['CAhandler']:
self.template_info_dic['name'] = config_dic['CAhandler'][
'template_name']
# check if we get a ca bundle for verification
if 'ca_bundle' in config_dic['CAhandler']:
try:
self.ca_bundle = config_dic.getboolean(
'CAhandler', 'ca_bundle')
except BaseException:
self.ca_bundle = config_dic['CAhandler']['ca_bundle']
if 'DEFAULT' in config_dic and 'proxy_server_list' in config_dic[
'DEFAULT']:
try:
proxy_list = json.loads(
config_dic['DEFAULT']['proxy_server_list'])
url_dic = parse_url(self.logger, self.api_host)
if 'host' in url_dic:
(fqdn, _port) = url_dic['host'].split(':')
proxy_server = proxy_check(self.logger, fqdn, proxy_list)
self.proxy = {'http': proxy_server, 'https': proxy_server}
except BaseException as err_:
self.logger.warning(
'Challenge._config_load() proxy_server_list failed with error: {0}'
.format(err_))
self.logger.debug('CAhandler._config_load() ended')
def _config_load(self):
"""" load config from file """
self.logger.debug('_config_load()')
config_dic = load_config(self.logger, 'CAhandler')
if 'CAhandler' in config_dic:
if 'api_host' in config_dic['CAhandler']:
self.api_host = config_dic['CAhandler']['api_host']
else:
self.logger.error(
'CAhandler._config_load() configuration incomplete: "api_host" parameter is missing in config file'
)
if 'api_user' in config_dic[
'CAhandler'] or 'api_user_variable' in config_dic[
'CAhandler']:
if 'api_user_variable' in config_dic['CAhandler']:
try:
self.api_user = os.environ[config_dic['CAhandler']
['api_user_variable']]
except BaseException as err:
self.logger.error(
'CAhandler._config_load() could not load user_variable:{0}'
.format(err))
if 'api_user' in config_dic['CAhandler']:
if self.api_user:
self.logger.info(
'CAhandler._config_load() overwrite api_user')
self.api_user = config_dic['CAhandler']['api_user']
else:
self.logger.error(
'CAhandler._config_load() configuration incomplete: "api_user" parameter is missing in config file'
)
if 'api_password' in config_dic[
'CAhandler'] or 'api_password_variable' in config_dic[
'CAhandler']:
if 'api_password_variable' in config_dic['CAhandler']:
try:
self.api_password = os.environ[
config_dic['CAhandler']['api_password_variable']]
except BaseException as err:
self.logger.error(
'CAhandler._config_load() could not load passphrase_variable:{0}'
.format(err))
if 'api_password' in config_dic['CAhandler']:
if self.api_password:
self.logger.info(
'CAhandler._config_load() overwrite api_password_variable'
)
self.api_password = config_dic['CAhandler']['api_password']
else:
self.logger.error(
'CAhandler._config_load() configuration incomplete: "api_password" parameter is missing in config file'
)
if 'ca_name' in config_dic['CAhandler']:
self.ca_name = config_dic['CAhandler']['ca_name']
else:
self.logger.error(
'CAhandler._config_load() configuration incomplete: "ca_name" parameter is missing in config file'
)
if 'polling_timeout' in config_dic['CAhandler']:
self.polling_timeout = int(
config_dic['CAhandler']['polling_timeout'])
# check if we get a ca bundle for verification
if 'ca_bundle' in config_dic['CAhandler']:
try:
self.ca_bundle = config_dic.getboolean(
'CAhandler', 'ca_bundle')
except BaseException:
self.ca_bundle = config_dic['CAhandler']['ca_bundle']
if 'DEFAULT' in config_dic and 'proxy_server_list' in config_dic[
'DEFAULT']:
try:
proxy_list = json.loads(
config_dic['DEFAULT']['proxy_server_list'])
url_dic = parse_url(self.logger, self.api_host)
if 'host' in url_dic:
(fqdn, _port) = url_dic['host'].split(':')
proxy_server = proxy_check(self.logger, fqdn, proxy_list)
self.proxy = {'http': proxy_server, 'https': proxy_server}
except BaseException as err_:
self.logger.warning(
'Challenge._config_load() proxy_server_list failed with error: {0}'
.format(err_))
self.logger.debug('CAhandler._config_load() ended')
