def test_valid_key_valid_password(): ca = get_ssh_certificate_authority(RSA_CA_PRIVATE_KEY, RSA_CA_PRIVATE_KEY_PASSWORD) assert isinstance(ca, RSACertificateAuthority) assert SSHPublicKeyType.RSA == ca.public_key_type assert 65537 == ca.e assert ca.get_signature_key() == RSA_CA_SSH_PUBLIC_KEY
def test_valid_rsa_request(): ca = get_ssh_certificate_authority(RSA_CA_PRIVATE_KEY, RSA_CA_PRIVATE_KEY_PASSWORD) cert_builder = get_ssh_certificate_builder(ca, SSHCertificateType.USER, EXAMPLE_RSA_PUBLIC_KEY) cert = cert_builder.get_cert_file() assert isinstance(cert_builder, RSACertificateBuilder) assert cert.startswith(SSHCertifiedKeyType.RSA)
def test_valid_key_missing_password(): with pytest.raises(TypeError): get_ssh_certificate_authority(RSA_CA_PRIVATE_KEY)
def test_valid_key_not_encrypted(): ca = get_ssh_certificate_authority(RSA_CA_PRIVATE_KEY_NOT_ENCRYPTED) assert SSHPublicKeyType.RSA == ca.public_key_type assert 65537 == ca.e
def lambda_handler(event, context=None, ca_private_key_password=None, entropy_check=True, config_file=os.path.join(os.path.dirname(__file__), 'bless_deploy.cfg')): """ This is the function that will be called when the lambda function starts. :param event: Dictionary of the json request. :param context: AWS LambdaContext Object http://docs.aws.amazon.com/lambda/latest/dg/python-context-object.html :param ca_private_key_password: For local testing, if the password is provided, skip the KMS decrypt. :param entropy_check: For local testing, if set to false, it will skip checking entropy and won't try to fetch additional random from KMS :param config_file: The config file to load the SSH CA private key from, and additional settings :return: the SSH Certificate that can be written to id_rsa-cert.pub or similar file. """ # AWS Region determines configs related to KMS region = os.environ['AWS_REGION'] # Load the deployment config values config = BlessConfig(region, config_file=config_file) logging_level = config.get(BLESS_OPTIONS_SECTION, LOGGING_LEVEL_OPTION) numeric_level = getattr(logging, logging_level.upper(), None) if not isinstance(numeric_level, int): raise ValueError('Invalid log level: {}'.format(logging_level)) logger = logging.getLogger() logger.setLevel(numeric_level) certificate_validity_window_seconds = config.getint( BLESS_OPTIONS_SECTION, CERTIFICATE_VALIDITY_WINDOW_SEC_OPTION) entropy_minimum_bits = config.getint(BLESS_OPTIONS_SECTION, ENTROPY_MINIMUM_BITS_OPTION) random_seed_bytes = config.getint(BLESS_OPTIONS_SECTION, RANDOM_SEED_BYTES_OPTION) ca_private_key_file = config.get(BLESS_CA_SECTION, CA_PRIVATE_KEY_FILE_OPTION) password_ciphertext_b64 = config.getpassword() # read the private key .pem with open(os.path.join(os.path.dirname(__file__), ca_private_key_file), 'r') as f: ca_private_key = f.read() # decrypt ca private key password if ca_private_key_password is None: kms_client = boto3.client('kms', region_name=region) ca_password = kms_client.decrypt( CiphertextBlob=base64.b64decode(password_ciphertext_b64)) ca_private_key_password = ca_password['Plaintext'] # if running as a Lambda, we can check the entropy pool and seed it with KMS if desired if entropy_check: with open('/proc/sys/kernel/random/entropy_avail', 'r') as f: entropy = int(f.read()) logger.debug(entropy) if entropy < entropy_minimum_bits: logger.info( 'System entropy was {}, which is lower than the entropy_' 'minimum {}. Using KMS to seed /dev/urandom'.format( entropy, entropy_minimum_bits)) response = kms_client.generate_random( NumberOfBytes=random_seed_bytes) random_seed = response['Plaintext'] with open('/dev/urandom', 'w') as urandom: urandom.write(random_seed) # Process cert request schema = BlessSchema(strict=True) request = schema.load(event).data # cert values determined only by lambda and its configs current_time = int(time.time()) valid_before = current_time + certificate_validity_window_seconds valid_after = current_time - certificate_validity_window_seconds # Build the cert ca = get_ssh_certificate_authority(ca_private_key, ca_private_key_password) cert_builder = get_ssh_certificate_builder(ca, SSHCertificateType.USER, request.public_key_to_sign) cert_builder.add_valid_principal(request.remote_username) cert_builder.set_valid_before(valid_before) cert_builder.set_valid_after(valid_after) # cert_builder is needed to obtain the ssh public key's fingerprint key_id = 'request[{}] for[{}] from[{}] command[{}] ssh_key:[{}] ca:[{}] valid_to[{}]'.format( context.aws_request_id, request.bastion_user, request.bastion_user_ip, request.command, cert_builder.ssh_public_key.fingerprint, context.invoked_function_arn, time.strftime("%Y/%m/%d %H:%M:%S", time.gmtime(valid_before))) cert_builder.set_critical_option_source_address(request.bastion_ip) cert_builder.set_key_id(key_id) cert = cert_builder.get_cert_file() logger.info( 'Issued a cert to bastion_ip[{}] for the remote_username of [{}] with the key_id[{}] and ' 'valid_from[{}])'.format( request.bastion_ip, request.remote_username, key_id, time.strftime("%Y/%m/%d %H:%M:%S", time.gmtime(valid_after)))) return cert
def test_invalid_ed25519_request(): with pytest.raises(TypeError): ca = get_ssh_certificate_authority(RSA_CA_PRIVATE_KEY, RSA_CA_PRIVATE_KEY_PASSWORD) get_ssh_certificate_builder(ca, SSHCertificateType.USER, EXAMPLE_ED25519_PUBLIC_KEY)
def lambda_handler(event, context=None, ca_private_key_password=None, entropy_check=True, config_file=os.path.join(os.path.dirname(__file__), 'bless_deploy.cfg')): """ This is the function that will be called when the lambda function starts. :param event: Dictionary of the json request. :param context: AWS LambdaContext Object http://docs.aws.amazon.com/lambda/latest/dg/python-context-object.html :param ca_private_key_password: For local testing, if the password is provided, skip the KMS decrypt. :param entropy_check: For local testing, if set to false, it will skip checking entropy and won't try to fetch additional random from KMS :param config_file: The config file to load the SSH CA private key from, and additional settings :return: the SSH Certificate that can be written to id_rsa-cert.pub or similar file. """ # AWS Region determines configs related to KMS region = os.environ['AWS_REGION'] # Load the deployment config values config = BlessConfig(region, config_file=config_file) logging_level = config.get(BLESS_OPTIONS_SECTION, LOGGING_LEVEL_OPTION) numeric_level = getattr(logging, logging_level.upper(), None) if not isinstance(numeric_level, int): raise ValueError('Invalid log level: {}'.format(logging_level)) logger = logging.getLogger() logger.setLevel(numeric_level) certificate_validity_before_seconds = config.getint( BLESS_OPTIONS_SECTION, CERTIFICATE_VALIDITY_BEFORE_SEC_OPTION) certificate_validity_after_seconds = config.getint( BLESS_OPTIONS_SECTION, CERTIFICATE_VALIDITY_AFTER_SEC_OPTION) entropy_minimum_bits = config.getint(BLESS_OPTIONS_SECTION, ENTROPY_MINIMUM_BITS_OPTION) random_seed_bytes = config.getint(BLESS_OPTIONS_SECTION, RANDOM_SEED_BYTES_OPTION) ca_private_key = config.getprivatekey() password_ciphertext_b64 = config.getpassword() certificate_extensions = config.get(BLESS_OPTIONS_SECTION, CERTIFICATE_EXTENSIONS_OPTION) # Process cert request schema = BlessSchema(strict=True) schema.context[USERNAME_VALIDATION_OPTION] = config.get( BLESS_OPTIONS_SECTION, USERNAME_VALIDATION_OPTION) schema.context[REMOTE_USERNAMES_VALIDATION_OPTION] = config.get( BLESS_OPTIONS_SECTION, REMOTE_USERNAMES_VALIDATION_OPTION) try: request = schema.load(event).data except ValidationError as e: return error_response('InputValidationError', str(e)) logger.info( 'Bless lambda invoked by [user: {0}, bastion_ips:{1}, public_key: {2}, kmsauth_token:{3}]' .format(request.bastion_user, request.bastion_user_ip, request.public_key_to_sign, request.kmsauth_token)) # decrypt ca private key password if ca_private_key_password is None: kms_client = boto3.client('kms', region_name=region) try: ca_password = kms_client.decrypt( CiphertextBlob=base64.b64decode(password_ciphertext_b64)) ca_private_key_password = ca_password['Plaintext'] except ClientError as e: return error_response('ClientError', str(e)) # if running as a Lambda, we can check the entropy pool and seed it with KMS if desired if entropy_check: with open('/proc/sys/kernel/random/entropy_avail', 'r') as f: entropy = int(f.read()) logger.debug(entropy) if entropy < entropy_minimum_bits: logger.info( 'System entropy was {}, which is lower than the entropy_' 'minimum {}. Using KMS to seed /dev/urandom'.format( entropy, entropy_minimum_bits)) response = kms_client.generate_random( NumberOfBytes=random_seed_bytes) random_seed = response['Plaintext'] with open('/dev/urandom', 'w') as urandom: urandom.write(random_seed) # cert values determined only by lambda and its configs current_time = int(time.time()) test_user = config.get(BLESS_OPTIONS_SECTION, TEST_USER_OPTION) if test_user and (request.bastion_user == test_user or request.remote_usernames == test_user): # This is a test call, the lambda will issue an invalid # certificate where valid_before < valid_after valid_before = current_time valid_after = current_time + 1 bypass_time_validity_check = True else: valid_before = current_time + certificate_validity_after_seconds valid_after = current_time - certificate_validity_before_seconds bypass_time_validity_check = False # Authenticate the user with KMS, if key is setup if config.get(KMSAUTH_SECTION, KMSAUTH_USEKMSAUTH_OPTION): if request.kmsauth_token: try: validator = KMSTokenValidator( None, config.getkmsauthkeyids(), config.get(KMSAUTH_SECTION, KMSAUTH_SERVICE_ID_OPTION), region) # decrypt_token will raise a TokenValidationError if token doesn't match validator.decrypt_token( "2/user/{}".format(request.remote_usernames), request.kmsauth_token) except TokenValidationError as e: return error_response('KMSAuthValidationError', str(e)) else: return error_response('InputValidationError', 'Invalid request, missing kmsauth token') # Build the cert ca = get_ssh_certificate_authority(ca_private_key, ca_private_key_password) cert_builder = get_ssh_certificate_builder(ca, SSHCertificateType.USER, request.public_key_to_sign) for username in request.remote_usernames.split(','): cert_builder.add_valid_principal(username) cert_builder.set_valid_before(valid_before) cert_builder.set_valid_after(valid_after) if certificate_extensions: for e in certificate_extensions.split(','): if e: cert_builder.add_extension(e) else: cert_builder.clear_extensions() # cert_builder is needed to obtain the SSH public key's fingerprint key_id = 'request[{}] for[{}] from[{}] command[{}] ssh_key[{}] ca[{}] valid_to[{}]'.format( context.aws_request_id, request.bastion_user, request.bastion_user_ip, request.command, cert_builder.ssh_public_key.fingerprint, context.invoked_function_arn, time.strftime("%Y/%m/%d %H:%M:%S", time.gmtime(valid_before))) cert_builder.set_critical_option_source_addresses(request.bastion_ips) cert_builder.set_key_id(key_id) cert = cert_builder.get_cert_file(bypass_time_validity_check) logger.info( 'Issued a cert to bastion_ips[{}] for remote_usernames[{}] with key_id[{}] and ' 'valid_from[{}])'.format( request.bastion_ips, request.remote_usernames, key_id, time.strftime("%Y/%m/%d %H:%M:%S", time.gmtime(valid_after)))) return success_response(cert)
def test_invalid_key(): with pytest.raises(TypeError): get_ssh_certificate_authority(b'bogus')
def lambda_handler(event, context=None, ca_private_key_password=None, okta_api_token=None, entropy_check=True, config_file=os.path.join(os.path.dirname(__file__), 'bless_deploy.cfg')): """ This is the function that will be called when the lambda function starts. :param event: Dictionary of the json request. :param context: AWS LambdaContext Object http://docs.aws.amazon.com/lambda/latest/dg/python-context-object.html :param ca_private_key_password: For local testing, if the password is provided, skip the KMS decrypt. :param entropy_check: For local testing, if set to false, it will skip checking entropy and won't try to fetch additional random from KMS :param config_file: The config file to load the SSH CA private key from, and additional settings :return: the SSH Certificate that can be written to id_rsa-cert.pub or similar file. """ # AWS Region determines configs related to KMS region = os.environ['AWS_REGION'] # Load the deployment config values config = BlessConfig(region, config_file=config_file) logger = logging.getLogger(__name__) logging_level = config.get(BLESS_OPTIONS_SECTION, LOGGING_LEVEL_OPTION) numeric_level = getattr(logging, logging_level.upper(), None) if not isinstance(numeric_level, int): raise ValueError('Invalid log level: {}'.format(logging_level)) logger.setLevel(numeric_level) certificate_validity_before_seconds = config.getint(BLESS_OPTIONS_SECTION, CERTIFICATE_VALIDITY_BEFORE_SEC_OPTION) certificate_validity_after_seconds = config.getint(BLESS_OPTIONS_SECTION, CERTIFICATE_VALIDITY_AFTER_SEC_OPTION) certificate_breakglass_validity_before_seconds = config.getint( BLESS_OPTIONS_SECTION, CERTIFICATE_BREAKGLASS_BEFORE_SEC_OPTION ) certificate_breakglass_validity_after_seconds = config.getint( BLESS_OPTIONS_SECTION, CERTIFICATE_BREAKGLASS_AFTER_SEC_OPTION ) breakglass_user = config.get(BLESS_OPTIONS_SECTION, BREAKGLASS_USER_OPTION) entropy_minimum_bits = config.getint(BLESS_OPTIONS_SECTION, ENTROPY_MINIMUM_BITS_OPTION) random_seed_bytes = config.getint(BLESS_OPTIONS_SECTION, RANDOM_SEED_BYTES_OPTION) ca_private_key_file = config.get(BLESS_CA_SECTION, CA_PRIVATE_KEY_FILE_OPTION) password_ciphertext_b64 = config.getpassword() certificate_extensions = config.get(BLESS_OPTIONS_SECTION, CERTIFICATE_EXTENSIONS_OPTION) encrypted_okta_api_token = config.get(OKTA_OPTIONS_SECTION, ENCRYPTED_OKTA_API_TOKEN_OPTION) okta_base_url = config.get(OKTA_OPTIONS_SECTION, OKTA_BASE_URL_OPTION) okta_allowed_groups = config.get(OKTA_OPTIONS_SECTION, OKTA_ALLOWED_GROUPS_OPTION) if okta_allowed_groups: okta_allowed_groups = set(okta_allowed_groups.split(',')) logger.debug("Allowed okta groups: {}".format(okta_allowed_groups)) # Process cert request schema = BlessSchema(strict=True) try: request = schema.load(event).data except ValidationError as e: return error_response('InputValidationError', str(e)) logger.info('Bless lambda invoked by okta user: {}@{}, bastion user: {}, kmsauth_token: {}]'.format( request.okta_user, request.bastion_user_ip, request.bastion_user, request.kmsauth_token) ) # read the private key .pem with open(os.path.join(os.path.dirname(__file__), ca_private_key_file), 'r') as f: ca_private_key = f.read() kms_client = boto3.client('kms', region_name=region) # decrypt ca private key password if ca_private_key_password is None: try: ca_password = kms_client.decrypt( CiphertextBlob=base64.b64decode(password_ciphertext_b64)) ca_private_key_password = ca_password['Plaintext'] except ClientError as e: return error_response('ClientError', str(e)) # decrypt okta api token if okta_api_token is None: try: decrypted_okta_api_token = kms_client.decrypt( CiphertextBlob=base64.b64decode(encrypted_okta_api_token)) okta_api_token = decrypted_okta_api_token['Plaintext'] except ClientError as e: return error_response('ClientError', str(e)) ''' Fetch user context from Okta * Username * Groups * SSH key ''' # add extra property to Okta user profile schema OktaUserProfile.types['public_key'] = str okta_users_client = okta.UsersClient(okta_base_url, okta_api_token) user = okta_users_client.get_user(request.okta_user) groups_info = okta_users_client.get_user_groups(request.okta_user) groups = set() for group_info in groups_info: # Encode unicode response from okta json api as a byte string to ease comparisons groups.add(group_info.profile.name.encode('utf-8')) logger.debug('User groups: {}'.format(groups)) allowed_groups = okta_allowed_groups logger.debug('Whitelist groups: {}'.format(allowed_groups)) logger.debug('Matched groups: {}'.format(groups.intersection(allowed_groups))) # If the len is greater than 0, breakglass will be false. breakglass = not len(groups.intersection(allowed_groups)) public_key_to_sign = user.profile.public_key if public_key_to_sign.startswith(VALID_SSH_RSA_PUBLIC_KEY_HEADER): pass else: raise ValidationError('Invalid SSH Public Key.') # if running as a Lambda, we can check the entropy pool and seed it with KMS if desired if entropy_check: with open('/proc/sys/kernel/random/entropy_avail', 'r') as f: entropy = int(f.read()) logger.debug(entropy) if entropy < entropy_minimum_bits: logger.info( 'System entropy was {}, which is lower than the entropy_' 'minimum {}. Using KMS to seed /dev/urandom'.format( entropy, entropy_minimum_bits)) response = kms_client.generate_random( NumberOfBytes=random_seed_bytes) random_seed = response['Plaintext'] with open('/dev/urandom', 'w') as urandom: urandom.write(random_seed) # cert values determined only by lambda and its configs current_time = int(time.time()) test_user = config.get(BLESS_OPTIONS_SECTION, TEST_USER_OPTION) if test_user and (request.bastion_user == test_user or request.remote_usernames == test_user): # This is a test call, the lambda will issue an invalid # certificate where valid_before < valid_after valid_before = current_time valid_after = current_time + 1 bypass_time_validity_check = True else: # Normal user flow bypass_time_validity_check = False valid_before = current_time + certificate_validity_after_seconds valid_after = current_time - certificate_validity_before_seconds # Authenticate the user with KMS, if key is setup if config.get(KMSAUTH_SECTION, KMSAUTH_USEKMSAUTH_OPTION): if request.kmsauth_token: try: validator = KMSTokenValidator( None, config.getkmsauthkeyids(), config.get(KMSAUTH_SECTION, KMSAUTH_SERVICE_ID_OPTION), region ) # decrypt_token will raise a TokenValidationError if token doesn't match validator.decrypt_token( "2/user/{}".format(request.remote_usernames.split(',')[0]), request.kmsauth_token ) except TokenValidationError as e: return error_response('KMSAuthValidationError', str(e)) else: return error_response('InputValidationError', 'Invalid request, missing kmsauth token') # Build the cert ca = get_ssh_certificate_authority(ca_private_key, ca_private_key_password) cert_builder = get_ssh_certificate_builder(ca, SSHCertificateType.USER, public_key_to_sign) # Handle breakglass certificate modifications if breakglass: logger.critical('Breakglass access for okta user: {}@{}, bastion user: {}'.format( request.okta_user, request.bastion_user_ip, request.bastion_user) ) valid_before = current_time + certificate_breakglass_validity_before_seconds valid_after = current_time - certificate_breakglass_validity_after_seconds cert_builder.add_valid_principal(breakglass_user) for username in request.remote_usernames.split(','): cert_builder.add_valid_principal(username) cert_builder.set_valid_before(valid_before) cert_builder.set_valid_after(valid_after) if certificate_extensions: for e in certificate_extensions.split(','): if e: cert_builder.add_extension(e) else: cert_builder.clear_extensions() # cert_builder is needed to obtain the SSH public key's fingerprint key_id = 'AWS Request ID: {}, User: {}, Source IP: {}, Command: {}, ' \ 'Fingerprint: {}, Bless CA: {}, Expires: {}'\ .format( context.aws_request_id, request.bastion_user, request.bastion_user_ip, request.command, cert_builder.ssh_public_key.fingerprint, context.invoked_function_arn, time.strftime("%Y/%m/%d %H:%M:%S", time.gmtime(valid_before)) ) cert_builder.set_critical_option_source_addresses(request.bastion_ips) cert_builder.set_key_id(key_id) cert = cert_builder.get_cert_file(bypass_time_validity_check) logger.info( 'Issued a cert to bastion_ips[{}] for the remote_usernames of [{}] with the key_id[{}] and ' 'valid_from[{}])'.format( request.bastion_ips, request.remote_usernames, key_id, time.strftime("%Y/%m/%d %H:%M:%S", time.gmtime(valid_after)))) return success_response(cert)
def test_invalid_key_request(): with pytest.raises(TypeError): ca = get_ssh_certificate_authority(RSA_CA_PRIVATE_KEY, RSA_CA_PRIVATE_KEY_PASSWORD) get_ssh_certificate_builder(ca, SSHCertificateType.USER, 'bogus')
def test_valid_ed25519_request(): ca = get_ssh_certificate_authority(RSA_CA_PRIVATE_KEY, RSA_CA_PRIVATE_KEY_PASSWORD) cert_builder = get_ssh_certificate_builder(ca, SSHCertificateType.USER, EXAMPLE_ED25519_PUBLIC_KEY) cert = cert_builder.get_cert_file() assert isinstance(cert_builder, ED25519CertificateBuilder) assert cert.startswith(SSHCertifiedKeyType.ED25519)
def test_valid_key_invalid_password(): with pytest.raises(ValueError): get_ssh_certificate_authority(RSA_CA_PRIVATE_KEY, b'bogus')
def test_valid_key_not_encrypted_invalid_pass(): with pytest.raises(TypeError): get_ssh_certificate_authority(RSA_CA_PRIVATE_KEY_NOT_ENCRYPTED, b'bogus')
def lambda_handler_host( event, context=None, ca_private_key_password=None, entropy_check=True, config_file=None, ): """ This is the function that will be called when the lambda function starts. :param event: Dictionary of the json request. :param context: AWS LambdaContext Object http://docs.aws.amazon.com/lambda/latest/dg/python-context-object.html :param ca_private_key_password: For local testing, if the password is provided, skip the KMS decrypt. :param entropy_check: For local testing, if set to false, it will skip checking entropy and won't try to fetch additional random from KMS. :param config_file: The config file to load the SSH CA private key from, and additional settings. :return: the SSH Certificate that can be written to id_rsa-cert.pub or similar file. """ bless_cache = setup_lambda_cache(ca_private_key_password, config_file) # Load the deployment config values config = bless_cache.config logger = set_logger(config) certificate_validity_before_seconds = config.getint( BLESS_OPTIONS_SECTION, SERVER_CERTIFICATE_VALIDITY_BEFORE_SEC_OPTION) certificate_validity_after_seconds = config.getint( BLESS_OPTIONS_SECTION, SERVER_CERTIFICATE_VALIDITY_AFTER_SEC_OPTION) ca_private_key = config.getprivatekey() # Process cert request schema = BlessHostSchema(strict=True) schema.context[HOSTNAME_VALIDATION_OPTION] = config.get( BLESS_OPTIONS_SECTION, HOSTNAME_VALIDATION_OPTION) try: request = schema.load(event).data except ValidationError as e: return error_response("InputValidationError", str(e)) # todo: You'll want to bring your own hostnames validation. logger.info( "Bless lambda invoked by [public_key: {}] for hostnames[{}]".format( request.public_key_to_sign, request.hostnames)) # Make sure we have the ca private key password if bless_cache.ca_private_key_password is None: return error_response("ClientError", bless_cache.ca_private_key_password_error) else: ca_private_key_password = bless_cache.ca_private_key_password # if running as a Lambda, we can check the entropy pool and seed it with KMS if desired if entropy_check: check_entropy(config, logger) # cert values determined only by lambda and its configs current_time = int(time.time()) valid_before = current_time + certificate_validity_after_seconds valid_after = current_time - certificate_validity_before_seconds # Build the cert ca = get_ssh_certificate_authority(ca_private_key, ca_private_key_password) cert_builder = get_ssh_certificate_builder(ca, SSHCertificateType.HOST, request.public_key_to_sign) for hostname in request.hostnames.split(","): cert_builder.add_valid_principal(hostname) cert_builder.set_valid_before(valid_before) cert_builder.set_valid_after(valid_after) # cert_builder is needed to obtain the SSH public key's fingerprint key_id = "request[{}] ssh_key[{}] ca[{}] valid_to[{}]".format( context.aws_request_id, cert_builder.ssh_public_key.fingerprint, context.invoked_function_arn, time.strftime("%Y/%m/%d %H:%M:%S", time.gmtime(valid_before)), ) cert_builder.set_key_id(key_id) cert = cert_builder.get_cert_file() logger.info("Issued a server cert to hostnames[{}] with key_id[{}] and " "valid_from[{}])".format( request.hostnames, key_id, time.strftime("%Y/%m/%d %H:%M:%S", time.gmtime(valid_after)), )) return success_response(cert)
from bless.ssh.certificate_authorities.ssh_certificate_authority_factory import \ get_ssh_certificate_authority from bless.ssh.certificates.ssh_certificate_builder import SSHCertificateType from bless.ssh.certificates.ssh_certificate_builder_factory import get_ssh_certificate_builder import os parent_dir = os.path.abspath(os.path.dirname(__file__)) grandparent_dir = os.path.abspath(os.path.join(parent_dir, os.pardir)) ggrandparent_dir = os.path.abspath(os.path.join(grandparent_dir, os.pardir)) ca_private_key = None ca_private_key_password = '******' user_public_key = None with open(os.path.join(os.path.join(ggrandparent_dir, 'example'), 'example-com-ca')) as textfile: ca_private_key = textfile.read() with open(os.path.join(os.path.join(ggrandparent_dir, 'example'), 'user.pub')) as textfile: user_public_key = textfile.read() ca_private_key_encoded = bytes(ca_private_key.encode()) ca_private_key_password_encoded = bytes(ca_private_key_password.encode()) user_public_key_encoded = bytes(user_public_key.encode()) ca = get_ssh_certificate_authority(ca_private_key_encoded, ca_private_key_password_encoded) cert_builder = get_ssh_certificate_builder(ca, SSHCertificateType.USER, user_public_key_encoded) print(cert_builder)
def lambda_handler(event, context=None, ca_private_key_password=None, entropy_check=True, config_file=os.path.join(os.path.dirname(__file__), 'bless_deploy.cfg')): """ This is the function that will be called when the lambda function starts. :param event: Dictionary of the json request. :param context: AWS LambdaContext Object http://docs.aws.amazon.com/lambda/latest/dg/python-context-object.html :param ca_private_key_password: For local testing, if the password is provided, skip the KMS decrypt. :param entropy_check: For local testing, if set to false, it will skip checking entropy and won't try to fetch additional random from KMS :param config_file: The config file to load the SSH CA private key from, and additional settings :return: the SSH Certificate that can be written to id_rsa-cert.pub or similar file. """ # AWS Region determines configs related to KMS region = os.environ['AWS_REGION'] # Load the deployment config values config = BlessConfig(region, config_file=config_file) logging_level = config.get(BLESS_OPTIONS_SECTION, LOGGING_LEVEL_OPTION) numeric_level = getattr(logging, logging_level.upper(), None) if not isinstance(numeric_level, int): raise ValueError('Invalid log level: {}'.format(logging_level)) logger = logging.getLogger() logger.setLevel(numeric_level) certificate_validity_before_seconds = config.getint(BLESS_OPTIONS_SECTION, CERTIFICATE_VALIDITY_BEFORE_SEC_OPTION) certificate_validity_after_seconds = config.getint(BLESS_OPTIONS_SECTION, CERTIFICATE_VALIDITY_AFTER_SEC_OPTION) entropy_minimum_bits = config.getint(BLESS_OPTIONS_SECTION, ENTROPY_MINIMUM_BITS_OPTION) random_seed_bytes = config.getint(BLESS_OPTIONS_SECTION, RANDOM_SEED_BYTES_OPTION) ca_private_key = config.getprivatekey() password_ciphertext_b64 = config.getpassword() certificate_extensions = config.get(BLESS_OPTIONS_SECTION, CERTIFICATE_EXTENSIONS_OPTION) # Process cert request schema = BlessSchema(strict=True) schema.context[USERNAME_VALIDATION_OPTION] = config.get(BLESS_OPTIONS_SECTION, USERNAME_VALIDATION_OPTION) schema.context[REMOTE_USERNAMES_VALIDATION_OPTION] = config.get(BLESS_OPTIONS_SECTION, REMOTE_USERNAMES_VALIDATION_OPTION) try: request = schema.load(event).data except ValidationError as e: return error_response('InputValidationError', str(e)) logger.info('Bless lambda invoked by [user: {0}, bastion_ips:{1}, public_key: {2}, kmsauth_token:{3}]'.format( request.bastion_user, request.bastion_user_ip, request.public_key_to_sign, request.kmsauth_token)) # decrypt ca private key password if ca_private_key_password is None: kms_client = boto3.client('kms', region_name=region) try: ca_password = kms_client.decrypt( CiphertextBlob=base64.b64decode(password_ciphertext_b64)) ca_private_key_password = ca_password['Plaintext'] except ClientError as e: return error_response('ClientError', str(e)) # if running as a Lambda, we can check the entropy pool and seed it with KMS if desired if entropy_check: with open('/proc/sys/kernel/random/entropy_avail', 'r') as f: entropy = int(f.read()) logger.debug(entropy) if entropy < entropy_minimum_bits: logger.info( 'System entropy was {}, which is lower than the entropy_' 'minimum {}. Using KMS to seed /dev/urandom'.format( entropy, entropy_minimum_bits)) response = kms_client.generate_random( NumberOfBytes=random_seed_bytes) random_seed = response['Plaintext'] with open('/dev/urandom', 'w') as urandom: urandom.write(random_seed) # cert values determined only by lambda and its configs current_time = int(time.time()) test_user = config.get(BLESS_OPTIONS_SECTION, TEST_USER_OPTION) if test_user and (request.bastion_user == test_user or request.remote_usernames == test_user): # This is a test call, the lambda will issue an invalid # certificate where valid_before < valid_after valid_before = current_time valid_after = current_time + 1 bypass_time_validity_check = True else: valid_before = current_time + certificate_validity_after_seconds valid_after = current_time - certificate_validity_before_seconds bypass_time_validity_check = False # Authenticate the user with KMS, if key is setup if config.get(KMSAUTH_SECTION, KMSAUTH_USEKMSAUTH_OPTION): if request.kmsauth_token: # Allow bless to sign the cert for a different remote user than the name of the user who signed it allowed_remotes = config.get(KMSAUTH_SECTION, KMSAUTH_REMOTE_USERNAMES_ALLOWED_OPTION) if allowed_remotes: allowed_users = allowed_remotes.split(',') requested_remotes = request.remote_usernames.split(',') if allowed_users != ['*'] and not all([u in allowed_users for u in requested_remotes]): return error_response('KMSAuthValidationError', 'unallowed remote_usernames [{}]'.format(request.remote_usernames)) elif request.remote_usernames != request.bastion_user: return error_response('KMSAuthValidationError', 'remote_usernames must be the same as bastion_user') try: validator = KMSTokenValidator( None, config.getkmsauthkeyids(), config.get(KMSAUTH_SECTION, KMSAUTH_SERVICE_ID_OPTION), region ) # decrypt_token will raise a TokenValidationError if token doesn't match validator.decrypt_token( "2/user/{}".format(request.bastion_user), request.kmsauth_token ) except TokenValidationError as e: return error_response('KMSAuthValidationError', str(e)) else: return error_response('InputValidationError', 'Invalid request, missing kmsauth token') # Build the cert ca = get_ssh_certificate_authority(ca_private_key, ca_private_key_password) cert_builder = get_ssh_certificate_builder(ca, SSHCertificateType.USER, request.public_key_to_sign) for username in request.remote_usernames.split(','): cert_builder.add_valid_principal(username) cert_builder.set_valid_before(valid_before) cert_builder.set_valid_after(valid_after) if certificate_extensions: for e in certificate_extensions.split(','): if e: cert_builder.add_extension(e) else: cert_builder.clear_extensions() # cert_builder is needed to obtain the SSH public key's fingerprint key_id = 'request[{}] for[{}] from[{}] command[{}] ssh_key[{}] ca[{}] valid_to[{}]'.format( context.aws_request_id, request.bastion_user, request.bastion_user_ip, request.command, cert_builder.ssh_public_key.fingerprint, context.invoked_function_arn, time.strftime("%Y/%m/%d %H:%M:%S", time.gmtime(valid_before))) cert_builder.set_critical_option_source_addresses(request.bastion_ips) cert_builder.set_key_id(key_id) cert = cert_builder.get_cert_file(bypass_time_validity_check) logger.info( 'Issued a cert to bastion_ips[{}] for remote_usernames[{}] with key_id[{}] and ' 'valid_from[{}])'.format( request.bastion_ips, request.remote_usernames, key_id, time.strftime("%Y/%m/%d %H:%M:%S", time.gmtime(valid_after)))) return success_response(cert)
def lambda_handler_user(event, context=None, ca_private_key_password=None, entropy_check=True, config_file=None): """ This is the function that will be called when the lambda function starts. :param event: Dictionary of the json request. :param context: AWS LambdaContext Object http://docs.aws.amazon.com/lambda/latest/dg/python-context-object.html :param ca_private_key_password: For local testing, if the password is provided, skip the KMS decrypt. :param entropy_check: For local testing, if set to false, it will skip checking entropy and won't try to fetch additional random from KMS. :param config_file: The config file to load the SSH CA private key from, and additional settings. :return: the SSH Certificate that can be written to id_rsa-cert.pub or similar file. """ bless_cache = setup_lambda_cache(ca_private_key_password, config_file) # AWS Region determines configs related to KMS region = bless_cache.region # Load the deployment config values config = bless_cache.config logger = set_logger(config) certificate_validity_before_seconds = config.getint( BLESS_OPTIONS_SECTION, CERTIFICATE_VALIDITY_BEFORE_SEC_OPTION) certificate_validity_after_seconds = config.getint( BLESS_OPTIONS_SECTION, CERTIFICATE_VALIDITY_AFTER_SEC_OPTION) ca_private_key = config.getprivatekey() certificate_extensions = config.get(BLESS_OPTIONS_SECTION, CERTIFICATE_EXTENSIONS_OPTION) # Process cert request schema = BlessUserSchema(strict=True) schema.context[USERNAME_VALIDATION_OPTION] = config.get( BLESS_OPTIONS_SECTION, USERNAME_VALIDATION_OPTION) schema.context[REMOTE_USERNAMES_VALIDATION_OPTION] = config.get( BLESS_OPTIONS_SECTION, REMOTE_USERNAMES_VALIDATION_OPTION) schema.context[REMOTE_USERNAMES_BLACKLIST_OPTION] = config.get( BLESS_OPTIONS_SECTION, REMOTE_USERNAMES_BLACKLIST_OPTION) try: request = schema.load(event).data except ValidationError as e: return error_response('InputValidationError', str(e)) logger.info( 'Bless lambda invoked by [user: {0}, bastion_ips:{1}, public_key: {2}, kmsauth_token:{3}]' .format(request.bastion_user, request.bastion_user_ip, request.public_key_to_sign, request.kmsauth_token)) # Make sure we have the ca private key password if bless_cache.ca_private_key_password is None: return error_response('ClientError', bless_cache.ca_private_key_password_error) else: ca_private_key_password = bless_cache.ca_private_key_password # if running as a Lambda, we can check the entropy pool and seed it with KMS if desired if entropy_check: check_entropy(config, logger) # cert values determined only by lambda and its configs current_time = int(time.time()) test_user = config.get(BLESS_OPTIONS_SECTION, TEST_USER_OPTION) if test_user and (request.bastion_user == test_user or request.remote_usernames == test_user): # This is a test call, the lambda will issue an invalid # certificate where valid_before < valid_after valid_before = current_time valid_after = current_time + 1 bypass_time_validity_check = True else: valid_before = current_time + certificate_validity_after_seconds valid_after = current_time - certificate_validity_before_seconds bypass_time_validity_check = False # Authenticate the user with KMS, if key is setup if config.getboolean(KMSAUTH_SECTION, KMSAUTH_USEKMSAUTH_OPTION): if request.kmsauth_token: # Allow bless to sign the cert for a different remote user than the name of the user who signed it allowed_remotes = config.get( KMSAUTH_SECTION, KMSAUTH_REMOTE_USERNAMES_ALLOWED_OPTION) if allowed_remotes: allowed_users = allowed_remotes.split(',') requested_remotes = request.remote_usernames.split(',') if allowed_users != ['*'] and not all( [u in allowed_users for u in requested_remotes]): return error_response( 'KMSAuthValidationError', 'unallowed remote_usernames [{}]'.format( request.remote_usernames)) # Check if the user is in the required IAM groups if config.getboolean( KMSAUTH_SECTION, VALIDATE_REMOTE_USERNAMES_AGAINST_IAM_GROUPS_OPTION): iam = boto3.client('iam') user_groups = iam.list_groups_for_user( UserName=request.bastion_user) group_name_template = config.get( KMSAUTH_SECTION, IAM_GROUP_NAME_VALIDATION_FORMAT_OPTION) for requested_remote in requested_remotes: required_group_name = group_name_template.format( requested_remote) user_is_in_group = any( group for group in user_groups['Groups'] if group['GroupName'] == required_group_name) if not user_is_in_group: return error_response( 'KMSAuthValidationError', 'user {} is not in the {} iam group'.format( request.bastion_user, required_group_name)) elif request.remote_usernames != request.bastion_user: return error_response( 'KMSAuthValidationError', 'remote_usernames must be the same as bastion_user') try: validator = KMSTokenValidator( None, config.getkmsauthkeyids(), config.get(KMSAUTH_SECTION, KMSAUTH_SERVICE_ID_OPTION), region) # decrypt_token will raise a TokenValidationError if token doesn't match validator.decrypt_token( "2/user/{}".format(request.bastion_user), request.kmsauth_token) except TokenValidationError as e: return error_response('KMSAuthValidationError', str(e)) else: return error_response('InputValidationError', 'Invalid request, missing kmsauth token') # Build the cert ca = get_ssh_certificate_authority(ca_private_key, ca_private_key_password) cert_builder = get_ssh_certificate_builder(ca, SSHCertificateType.USER, request.public_key_to_sign) for username in request.remote_usernames.split(','): cert_builder.add_valid_principal(username) cert_builder.set_valid_before(valid_before) cert_builder.set_valid_after(valid_after) if certificate_extensions: for e in certificate_extensions.split(','): if e: cert_builder.add_extension(e) else: cert_builder.clear_extensions() # cert_builder is needed to obtain the SSH public key's fingerprint key_id = 'request[{}] for[{}] from[{}] command[{}] ssh_key[{}] ca[{}] valid_to[{}]'.format( context.aws_request_id, request.bastion_user, request.bastion_user_ip, request.command, cert_builder.ssh_public_key.fingerprint, context.invoked_function_arn, time.strftime("%Y/%m/%d %H:%M:%S", time.gmtime(valid_before))) cert_builder.set_critical_option_source_addresses(request.bastion_ips) cert_builder.set_key_id(key_id) cert = cert_builder.get_cert_file(bypass_time_validity_check) logger.info( 'Issued a cert to bastion_ips[{}] for remote_usernames[{}] with key_id[{}] and ' 'valid_from[{}])'.format( request.bastion_ips, request.remote_usernames, key_id, time.strftime("%Y/%m/%d %H:%M:%S", time.gmtime(valid_after)))) return success_response(cert)
def lambda_handler(event, context=None, ca_private_key_password=None, entropy_check=True, config_file=os.path.join(os.path.dirname(__file__), 'bless_deploy.cfg')): """ This is the function that will be called when the lambda function starts. :param event: Dictionary of the json request. :param context: AWS LambdaContext Object http://docs.aws.amazon.com/lambda/latest/dg/python-context-object.html :param ca_private_key_password: For local testing, if the password is provided, skip the KMS decrypt. :param entropy_check: For local testing, if set to false, it will skip checking entropy and won't try to fetch additional random from KMS :param config_file: The config file to load the SSH CA private key from, and additional settings :return: the SSH Certificate that can be written to id_rsa-cert.pub or similar file. """ # AWS Region determines configs related to KMS region = os.environ['AWS_REGION'] # Load the deployment config values config = BlessConfig(region, config_file=config_file) logging_level = config.get(BLESS_OPTIONS_SECTION, LOGGING_LEVEL_OPTION) numeric_level = getattr(logging, logging_level.upper(), None) if not isinstance(numeric_level, int): raise ValueError('Invalid log level: {}'.format(logging_level)) logger = logging.getLogger() logger.setLevel(numeric_level) certificate_validity_window_seconds = config.getint(BLESS_OPTIONS_SECTION, CERTIFICATE_VALIDITY_WINDOW_SEC_OPTION) entropy_minimum_bits = config.getint(BLESS_OPTIONS_SECTION, ENTROPY_MINIMUM_BITS_OPTION) random_seed_bytes = config.getint(BLESS_OPTIONS_SECTION, RANDOM_SEED_BYTES_OPTION) ca_private_key_file = config.get(BLESS_CA_SECTION, CA_PRIVATE_KEY_FILE_OPTION) password_ciphertext_b64 = config.getpassword() # read the private key .pem with open(os.path.join(os.path.dirname(__file__), ca_private_key_file), 'r') as f: ca_private_key = f.read() # decrypt ca private key password if ca_private_key_password is None: kms_client = boto3.client('kms', region_name=region) ca_password = kms_client.decrypt( CiphertextBlob=base64.b64decode(password_ciphertext_b64)) ca_private_key_password = ca_password['Plaintext'] # if running as a Lambda, we can check the entropy pool and seed it with KMS if desired if entropy_check: with open('/proc/sys/kernel/random/entropy_avail', 'r') as f: entropy = int(f.read()) logger.debug(entropy) if entropy < entropy_minimum_bits: logger.info( 'System entropy was {}, which is lower than the entropy_' 'minimum {}. Using KMS to seed /dev/urandom'.format( entropy, entropy_minimum_bits)) response = kms_client.generate_random( NumberOfBytes=random_seed_bytes) random_seed = response['Plaintext'] with open('/dev/urandom', 'w') as urandom: urandom.write(random_seed) # Process cert request schema = BlessSchema(strict=True) request = schema.load(event).data # cert values determined only by lambda and its configs current_time = int(time.time()) valid_before = current_time + certificate_validity_window_seconds valid_after = current_time - certificate_validity_window_seconds # Build the cert ca = get_ssh_certificate_authority(ca_private_key, ca_private_key_password) cert_builder = get_ssh_certificate_builder(ca, SSHCertificateType.USER, request.public_key_to_sign) cert_builder.add_valid_principal(request.remote_username) cert_builder.set_valid_before(valid_before) cert_builder.set_valid_after(valid_after) # cert_builder is needed to obtain the ssh public key's fingerprint key_id = 'request[{}] for[{}] from[{}] command[{}] ssh_key:[{}] ca:[{}] valid_to[{}]'.format( context.aws_request_id, request.bastion_user, request.bastion_user_ip, request.command, cert_builder.ssh_public_key.fingerprint, context.invoked_function_arn, time.strftime("%Y/%m/%d %H:%M:%S", time.gmtime(valid_before))) cert_builder.set_critical_option_source_address(request.bastion_ip) cert_builder.set_key_id(key_id) cert = cert_builder.get_cert_file() logger.info( 'Issued a cert to bastion_ip[{}] for the remote_username of [{}] with the key_id[{}] and ' 'valid_from[{}])'.format( request.bastion_ip, request.remote_username, key_id, time.strftime("%Y/%m/%d %H:%M:%S", time.gmtime(valid_after)))) return cert