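def modify_keygateway(ops: command.Operations, overwrite_keytab: bool) -> None:
    """Queue operations that install the keygateway keytab on every supervisor node.

    For each node of kind "supervisor" the encrypted keytab is decrypted locally and a
    deferred upload step plus systemctl enable/restart steps are registered on *ops*.
    If Kerberos is disabled in the configuration nothing is registered.

    Args:
        ops: operation list that the steps are appended to (executed later by the caller).
        overwrite_keytab: when False, an existing remote keytab is compared with the
            local one; a matching keytab is left alone and a differing one is a failure.
    """
    config = configuration.get_config()
    if not config.is_kerberos_enabled():
        print("keygateway disabled; skipping")
        return
    for node in config.nodes:
        if node.kind != "supervisor":
            continue
        # keytab is stored encrypted in the configuration folder
        keytab = os.path.join(configuration.get_project(), "keytab.%s.crypt" % node.hostname)
        decrypted = keycrypt.gpg_decrypt_to_memory(keytab)

        # Both per-node values are bound as defaults. The closure is only invoked when
        # ops runs, after this loop has finished; a free reference to `decrypted` would
        # then resolve to the LAST supervisor's keytab for every node (late-binding
        # closure), uploading one host's keytab to another and making the mismatch check
        # compare against the wrong keytab.
        def safe_upload_keytab(node=node, decrypted=decrypted):
            if not overwrite_keytab:
                try:
                    existing_keytab = ssh.check_ssh_output(node, "cat", KEYTAB_PATH)
                except subprocess.CalledProcessError as e_test:
                    # if there is no existing keytab, cat will fail with error code 1
                    if e_test.returncode != 1:
                        command.fail(e_test)
                    print("no existing keytab found, uploading local keytab")
                else:
                    if existing_keytab != decrypted:
                        command.fail("existing keytab does not match local keytab")
                    return  # existing keytab matches local keytab, no action required
            ssh.upload_bytes(node, decrypted, KEYTAB_PATH)

        ops.add_operation("upload keytab for {}".format(node), safe_upload_keytab)
        ssh_cmd(ops, "enable keygateway on @HOST", node, "systemctl", "enable", "keygateway")
        ssh_cmd(ops, "restart keygateway on @HOST", node, "systemctl", "restart", "keygateway")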
def list_passphrases():
    """Print every stored "at-<date>.gpg" passphrase from the project's passwords folder.

    Reports failure through command.fail when the passwords directory is absent. Each
    matching file is decrypted in memory and printed next to the date taken from its name.
    """
    passwords_dir = os.path.join(configuration.get_project(), "passwords")
    if not os.path.isdir(passwords_dir):
        command.fail("no passwords stored")
    print("Passphrases:")
    for entry in os.listdir(passwords_dir):
        if not (entry.startswith("at-") and entry.endswith(".gpg")):
            continue
        # drop the "at-" prefix and ".gpg" suffix to recover the date label
        date_label = entry[len("at-"):-len(".gpg")]
        encrypted_path = os.path.join(passwords_dir, entry)
        passphrase = keycrypt.gpg_decrypt_to_memory(encrypted_path).decode()
        print("  ", date_label, "=>", passphrase)
    print("End of list.")
def setup_keygateway(ops: Operations, config: configuration.Config) -> None:
    """Register operations that install a fresh keygateway keytab on each supervisor node.

    Args:
        ops: operation list the ssh steps are appended to.
        config: cluster configuration whose nodes are filtered for kind "supervisor".
    """
    supervisors = (n for n in config.nodes if n.kind == "supervisor")
    for node in supervisors:
        # keytab is stored encrypted in the configuration folder
        encrypted_keytab = os.path.join(configuration.get_project(), "keytab.%s.crypt" % node.hostname)
        keytab_bytes = keycrypt.gpg_decrypt_to_memory(encrypted_keytab)
        # refuse to clobber a keytab that is already present on the host
        ops.ssh("confirm no existing keytab on @HOST", node, "test", "!", "-e", KEYTAB_PATH)
        ops.ssh_upload_bytes("upload keytab for @HOST", node, keytab_bytes, KEYTAB_PATH)
        ops.ssh("restart keygateway on @HOST", node, "systemctl", "restart", "keygateway")
def setup_bootstrap_registry(ops: Operations) -> None:
    """Register operations that install the bootstrap registry's TLS key and cert on supervisors.

    The private key is stored GPG-encrypted in the project folder and decrypted in memory
    before upload; the certificate is uploaded from its plaintext file. nginx is then
    unmasked and restarted on each supervisor node.

    Args:
        ops: operation list the mkdir/upload/ssh steps are appended to.
    """
    config = configuration.get_config()
    remote_ssl_dir = "/etc/homeworld/ssl"
    remote_key = "/etc/homeworld/ssl/%s.key" % REGISTRY_HOSTNAME
    remote_cert = "/etc/homeworld/ssl/%s.pem" % REGISTRY_HOSTNAME
    for node in config.nodes:
        if node.kind != "supervisor":
            continue
        project_dir = configuration.get_project()
        local_key = os.path.join(project_dir, "https.%s.key.crypt" % REGISTRY_HOSTNAME)
        local_cert = os.path.join(project_dir, "https.%s.pem" % REGISTRY_HOSTNAME)
        key_bytes = keycrypt.gpg_decrypt_to_memory(local_key)
        ops.ssh_mkdir("create ssl cert directory on @HOST", node, remote_ssl_dir)
        ops.ssh_upload_bytes("upload %s key to @HOST" % REGISTRY_HOSTNAME, node, key_bytes, remote_key)
        ops.ssh_upload_path("upload %s cert to @HOST" % REGISTRY_HOSTNAME, node, local_cert, remote_cert)
        ops.ssh("unmask nginx on @HOST", node, "systemctl", "unmask", "nginx")
        ops.ssh("restart nginx on @HOST", node, "systemctl", "restart", "nginx")
def decrypt_https(hostname):
    """Return (private key bytes, certificate contents) for the HTTPS *hostname*.

    The key comes from "https.<hostname>.key.crypt" in the project folder and is
    decrypted in memory; the certificate is read as-is from "https.<hostname>.pem".
    """
    project_dir = configuration.get_project()
    key_path = os.path.join(project_dir, "https.%s.key.crypt" % hostname)
    cert_path = os.path.join(project_dir, "https.%s.pem" % hostname)
    private_key = keycrypt.gpg_decrypt_to_memory(key_path)
    certificate = util.readfile(cert_path)
    return private_key, certificate