def register_service(request, check_command): try: fqdn = hostname_from_principal(request.user.username) except ValueError: return HttpResponse(status=401, content='Invalid username') status = 204 if request.method == 'POST': if request.body: content = json.loads(request.body.decode('utf-8')) s = ShinkenService(**content) s.host_name = fqdn values = s.to_dict() for key in ('host_name', 'check_command'): if key in values: del values[key] if ShinkenService.objects.filter(host_name=fqdn, check_command=check_command)\ .update(**values) == 0: ShinkenService(host_name=fqdn, check_command=check_command, **values).save() return HttpResponse(status=201) elif request.method == 'GET': form = ShinkenServiceForm(request.GET) if not form.is_valid(): return HttpResponse(status=400) values = {key: value for key, value in form.cleaned_data.items() if value} if ShinkenService.objects.filter(host_name=fqdn, check_command=check_command)\ .update(**values) == 0: ShinkenService(host_name=fqdn, check_command=check_command, **values).save() return HttpResponse(status=201) elif request.method == 'DELETE': ShinkenService.objects.filter(host_name=fqdn, check_command=check_command).delete() status = 202 return HttpResponse(status=status)
def get_host_certificate(request): try: hostname = hostname_from_principal(request.user.username) except ValueError: return HttpResponse(status=401, content='Unable to get host certificate: invalid username') entry = entry_from_hostname(hostname) return CertificateEntryResponse(entry)
def set_ssh_pub(request): try: fqdn = hostname_from_principal(request.user.username) except ValueError: return HttpResponse(status=401, content='Unable to register public SSH key: invalid username') if Host.objects.filter(fqdn=fqdn).count() == 0: return HttpResponse(status=404) fqdn = '%s.%s%s' % (fqdn.partition('.')[0], settings.PDNS_ADMIN_PREFIX, settings.PENATES_DOMAIN) domain_name = '%s%s' % (settings.PDNS_ADMIN_PREFIX, settings.PENATES_DOMAIN) pub_ssh_key = request.body matcher = re.match(r'([\w\-]+) ([\w\+=/]{1,5000})(|\s.*)$', pub_ssh_key) if not matcher: return HttpResponse(status=406, content='Invalid public SSH key') methods = {'ssh-rsa': 1, 'ssh-dss': 2, 'ecdsa-sha2-nistp256': 3, 'ssh-ed25519': 4, } if matcher.group(1) not in methods: return HttpResponse(status=406, content='Unknown SSH key type %s' % matcher.group(1)) sha1_hash = hashlib.sha1(base64.b64decode(matcher.group(2))).hexdigest() sha256_hash = hashlib.sha256(base64.b64decode(matcher.group(2))).hexdigest() algorithm_code = methods[matcher.group(1)] domain = Domain.objects.get(name=domain_name) sha1_value = '%s 1 %s' % (algorithm_code, sha1_hash) sha256_value = '%s 2 %s' % (algorithm_code, sha256_hash) for value in sha1_value, sha256_value: if Record.objects.filter(domain=domain, name=fqdn, type='SSHFP', content__startswith=value[:4]).count() == 0: Record(domain=domain, name=fqdn, type='SSHFP', content=value, ttl=86400).save() else: Record.objects.filter(domain=domain, name=fqdn, type='SSHFP', content__startswith=value[:4]) \ .update(content=value) return HttpResponse(status=201)
def set_mount_point(request): try: hostname = hostname_from_principal(request.user.username) except ValueError: return HttpResponse(status=401, content='Unable to register mount point: invalid username') hosts = list(Host.objects.filter(fqdn=hostname)[0:1]) if not hosts: return HttpResponse(status=404) host = hosts[0] mount_point = request.GET.get('mount_point') if not mount_point: return HttpResponse('mount_point GET argument not provided', status=400) device = request.GET.get('device') if not device: return HttpResponse('device GET argument not provided', status=400) fs_type = request.GET.get('fs_type') if not fs_type: return HttpResponse('fs_type GET argument not provided', status=400) options = request.GET.get('options') if not options: return HttpResponse('options GET argument not provided', status=400) if MountPoint.objects.filter(host=host, mount_point=mount_point) \ .update(fs_type=fs_type, device=device, options=options) == 1: return HttpResponse('', status=204) MountPoint(host=host, mount_point=mount_point, fs_type=fs_type, device=device, options=options).save() return HttpResponse('', status=201)
def set_mount_point(request): try: hostname = hostname_from_principal(request.user.username) except ValueError: return HttpResponse( status=401, content='Unable to register mount point: invalid username') hosts = list(Host.objects.filter(fqdn=hostname)[0:1]) if not hosts: return HttpResponse(status=404) host = hosts[0] mount_point = request.GET.get('mount_point') if not mount_point: return HttpResponse('mount_point GET argument not provided', status=400) device = request.GET.get('device') if not device: return HttpResponse('device GET argument not provided', status=400) fs_type = request.GET.get('fs_type') if not fs_type: return HttpResponse('fs_type GET argument not provided', status=400) options = request.GET.get('options') if not options: return HttpResponse('options GET argument not provided', status=400) if MountPoint.objects.filter(host=host, mount_point=mount_point) \ .update(fs_type=fs_type, device=device, options=options) == 1: return HttpResponse('', status=204) MountPoint(host=host, mount_point=mount_point, fs_type=fs_type, device=device, options=options).save() return HttpResponse('', status=201)
def get_dhcpd_conf(request): # noinspection PyUnusedLocal request = request try: fqdn = hostname_from_principal(request.user.username) except ValueError: return HttpResponse(status=401, content='Unable to get configuration: invalid username') if Service.objects.filter(fqdn=fqdn, scheme='dchp')[0:1].count() == 0: hosts = [] else: hosts = Host.objects.all() def get_ip_or_none(scheme): values = list(Service.objects.filter(scheme=scheme)[0:1]) if not values: return None return Record.local_resolve(values[0].fqdn) or values[0].hostname def get_ip_list(scheme, protocol='udp'): values = list(Service.objects.filter(scheme=scheme, protocol=protocol)) return [Record.local_resolve(x.fqdn) or x.hostname for x in values] template_values = { 'penates_subnets': get_subnets(), 'penates_domain': settings.PENATES_DOMAIN, 'admin_prefix': settings.PDNS_ADMIN_PREFIX, 'infra_prefix': settings.PDNS_INFRA_PREFIX, 'hosts': hosts, 'tftp': get_ip_or_none('tftp'), 'dns_list': get_ip_list('dns'), 'ntp': get_ip_or_none('ntp'), } return render_to_response('dhcpd/dhcpd.conf', template_values, status=200, content_type='text/plain')
def get_service_keytab(request, scheme, hostname, port): try: fqdn = hostname_from_principal(request.user.username) except ValueError: return HttpResponse( status=401, content='Unable to get keytab %s://%s:%s/: invalid username' % (scheme, hostname, port)) protocol = request.GET.get('protocol', 'tcp') hosts = list(Host.objects.filter(fqdn=fqdn)[0:1]) if not hosts: return HttpResponse(status=401, content='Unknown host %s is not allowed' % fqdn) host = hosts[0] if scheme == 'ssh' and host.admin_ip_address != host.main_ip_address: fqdn = '%s.%s%s' % (fqdn.partition('.')[0], settings.PDNS_ADMIN_PREFIX, settings.PENATES_DOMAIN) services = list( Service.objects.filter(fqdn=fqdn, scheme=scheme, hostname=hostname, port=port, protocol=protocol)[0:1]) if not services: return HttpResponse(status=404, content='%s://%s:%s/ unknown' % (scheme, hostname, port)) service = services[0] if not principal_exists(service.principal_name): return HttpResponse(status=404, content='Principal for %s://%s:%s/ undefined' % (scheme, hostname, port)) return KeytabResponse(service.principal_name)
def get_dns_conf(request): # noinspection PyUnusedLocal request = request try: fqdn = hostname_from_principal(request.user.username) except ValueError: return HttpResponse( status=401, content='Unable to get configuration: invalid username') if Service.objects.filter(fqdn=fqdn, scheme='dns')[0:1].count() > 0: db_name = settings.DATABASES['powerdns']['NAME'] db_user = settings.DATABASES['powerdns']['USER'] db_password = settings.DATABASES['powerdns']['PASSWORD'] db_host = settings.DATABASES['powerdns']['HOST'] db_port = settings.DATABASES['powerdns']['PORT'] db_content = subprocess.check_output([ 'pg_dump', '--username=%s' % db_user, '--host=%s' % db_host, '--port=%s' % db_port, db_name ], env={'PGPASSWORD': db_password}) else: db_content = '' return HttpResponse(db_content, content_type='application/sql')
def get_admin_certificate(request): try: hostname = hostname_from_principal(request.user.username) except ValueError: return HttpResponse(status=401, content='Unable to get admin certificate: invalid username') hostname = '%s.%s%s' % (hostname.partition('.')[0], settings.PDNS_ADMIN_PREFIX, settings.PENATES_DOMAIN) entry = admin_entry_from_hostname(hostname) return CertificateEntryResponse(entry)
def get_host_certificate(request): try: hostname = hostname_from_principal(request.user.username) except ValueError: return HttpResponse( status=401, content='Unable to get host certificate: invalid username') entry = entry_from_hostname(hostname) return CertificateEntryResponse(entry)
def set_service(request, scheme, hostname, port): encryption = request.GET.get('encryption', 'none') srv_field = request.GET.get('srv', None) kerberos_service = request.GET.get('keytab', None) role = request.GET.get('role', SERVICE) protocol = request.GET.get('protocol', 'tcp') if encryption not in ('none', 'tls', 'starttls'): return HttpResponse('valid encryption levels are none, tls, or starttls') port = int(port) if not (0 <= port <= 65536): return HttpResponse('Invalid port: %s' % port, status=403, content_type='text/plain') if protocol not in ('tcp', 'udp', 'socket'): return HttpResponse('Invalid protocol: %s' % protocol, status=403, content_type='text/plain') description = request.body fqdn = hostname_from_principal(request.user.username) # a few checks if Service.objects.filter(hostname=hostname).exclude(fqdn=fqdn).count() > 0: return HttpResponse(status=401, content='%s is already registered' % hostname) if role not in (SERVICE, KERBEROS_DC, PRINTER, TIME_SERVER, SERVICE_1024): return HttpResponse(status=401, content='Role %s is not allowed' % role) if kerberos_service and kerberos_service not in ('HTTP', 'XMPP', 'smtp', 'IPP', 'ldap', 'cifs', 'imap', 'postgres', 'host'): return HttpResponse(status=401, content='Kerberos service %s is not allowed' % role) hosts = list(Host.objects.filter(fqdn=fqdn)[0:1]) if not hosts: return HttpResponse(status=401, content='Unknown host %s is not allowed' % fqdn) host = hosts[0] if scheme == 'ssh' and host.admin_ip_address != host.main_ip_address: fqdn = '%s.%s%s' % (fqdn.partition('.')[0], settings.PDNS_ADMIN_PREFIX, settings.PENATES_DOMAIN) # Penates service service, created = Service.objects.get_or_create(fqdn=fqdn, scheme=scheme, hostname=hostname, port=port, protocol=protocol) Service.objects.filter(pk=service.pk).update(kerberos_service=kerberos_service, description=description, dns_srv=srv_field, encryption=encryption) # certificates entry = CertificateEntry(hostname, organizationName=settings.PENATES_ORGANIZATION, organizationalUnitName=_('Services'), emailAddress=settings.PENATES_EMAIL_ADDRESS, localityName=settings.PENATES_LOCALITY, countryName=settings.PENATES_COUNTRY, stateOrProvinceName=settings.PENATES_STATE, altNames=[], role=role) pki = PKI() pki.ensure_certificate(entry) if kerberos_service: principal_name = '%s/%s@%s' % (kerberos_service, fqdn, settings.PENATES_REALM) add_principal(principal_name) # DNS part record_name, sep, domain_name = hostname.partition('.') if sep == '.': domains = list(Domain.objects.filter(name=domain_name)[0:1]) if domains: domain = domains[0] domain.ensure_record(fqdn, hostname) domain.set_extra_records(scheme, hostname, port, fqdn, srv_field, entry=entry) domain.update_soa() return HttpResponse(status=201, content='%s://%s:%s/ created' % (scheme, hostname, port))
def set_dhcp(request, mac_address): try: hostname = hostname_from_principal(request.user.username) except ValueError: return HttpResponse(status=401, content='Unable to register IP and MAC addresses: invalid username') remote_addr = request.META.get('HTTP_X_FORWARDED_FOR', '') admin_mac_address = request.GET.get('mac_address') admin_ip_address = request.GET.get('ip_address') Host.register_mac_address(hostname, remote_addr, mac_address, admin_ip_address, admin_mac_address) return HttpResponse(status=201)
def get_services(request): try: fqdn = hostname_from_principal(request.user.username) except ValueError: return HttpResponse(status=401, content='Unable to get configuration: invalid username') result = [{'scheme': service.scheme, 'hostname': service.hostname, 'port': service.port, 'protocol': service.protocol, 'encryption': service.encryption, 'kerberos_service': service.kerberos_service, 'dns_srv': service.dns_srv, } for service in Service.objects.filter(fqdn=fqdn, protocol__in=['tcp', 'udp'])] content = json.dumps(result) return HttpResponse(content, content_type='application/json')
def get_admin_certificate(request): try: hostname = hostname_from_principal(request.user.username) except ValueError: return HttpResponse( status=401, content='Unable to get admin certificate: invalid username') hostname = '%s.%s%s' % (hostname.partition('.')[0], settings.PDNS_ADMIN_PREFIX, settings.PENATES_DOMAIN) entry = admin_entry_from_hostname(hostname) return CertificateEntryResponse(entry)
def set_dhcp(request, mac_address): try: hostname = hostname_from_principal(request.user.username) except ValueError: return HttpResponse( status=401, content='Unable to register IP and MAC addresses: invalid username' ) remote_addr = request.META.get('HTTP_X_FORWARDED_FOR', '') admin_mac_address = request.GET.get('mac_address') admin_ip_address = request.GET.get('ip_address') Host.register_mac_address(hostname, remote_addr, mac_address, admin_ip_address, admin_mac_address) return HttpResponse(status=201)
def set_ssh_pub(request): try: fqdn = hostname_from_principal(request.user.username) except ValueError: return HttpResponse( status=401, content='Unable to register public SSH key: invalid username') if Host.objects.filter(fqdn=fqdn).count() == 0: return HttpResponse(status=404) fqdn = '%s.%s%s' % (fqdn.partition('.')[0], settings.PDNS_ADMIN_PREFIX, settings.PENATES_DOMAIN) domain_name = '%s%s' % (settings.PDNS_ADMIN_PREFIX, settings.PENATES_DOMAIN) pub_ssh_key = request.body matcher = re.match(r'([\w\-]+) ([\w\+=/]{1,5000})(|\s.*)$', pub_ssh_key) if not matcher: return HttpResponse(status=406, content='Invalid public SSH key') methods = { 'ssh-rsa': 1, 'ssh-dss': 2, 'ecdsa-sha2-nistp256': 3, 'ssh-ed25519': 4, } if matcher.group(1) not in methods: return HttpResponse(status=406, content='Unknown SSH key type %s' % matcher.group(1)) sha1_hash = hashlib.sha1(base64.b64decode(matcher.group(2))).hexdigest() sha256_hash = hashlib.sha256(base64.b64decode( matcher.group(2))).hexdigest() algorithm_code = methods[matcher.group(1)] domain = Domain.objects.get(name=domain_name) sha1_value = '%s 1 %s' % (algorithm_code, sha1_hash) sha256_value = '%s 2 %s' % (algorithm_code, sha256_hash) for value in sha1_value, sha256_value: if Record.objects.filter(domain=domain, name=fqdn, type='SSHFP', content__startswith=value[:4]).count() == 0: Record(domain=domain, name=fqdn, type='SSHFP', content=value, ttl=86400).save() else: Record.objects.filter(domain=domain, name=fqdn, type='SSHFP', content__startswith=value[:4]) \ .update(content=value) return HttpResponse(status=201)
def set_dhcp(request, mac_address): hostname = hostname_from_principal(request.user.username) mac_address = mac_address.replace('-', ':').upper() remote_addr = request.META.get('HTTP_X_FORWARDED_FOR', '') admin_mac_address = request.GET.get('mac_address') admin_ip_address = request.GET.get('ip_address') admin_mac_address = admin_mac_address.replace('-', ':').upper() if remote_addr: Host.objects.filter(fqdn=hostname).update(main_ip_address=remote_addr, main_mac_address=mac_address) Record.objects.filter(name=hostname).update(content=remote_addr) if admin_ip_address and admin_mac_address: domain_name = '%s%s' % (settings.PDNS_ADMIN_PREFIX, settings.PENATES_DOMAIN) long_admin_hostname = '%s.%s' % (hostname.partition('.')[0], domain_name) Host.objects.filter(fqdn=hostname)\ .update(admin_ip_address=admin_ip_address, admin_mac_address=admin_mac_address) Domain.ensure_auto_record(admin_ip_address, long_admin_hostname, unique=True, override_reverse=False) return HttpResponse(status=201)
def get_service_keytab(request, scheme, hostname, port): fqdn = hostname_from_principal(request.user.username) protocol = request.GET.get('protocol', 'tcp') hosts = list(Host.objects.filter(fqdn=fqdn)[0:1]) if not hosts: return HttpResponse(status=401, content='Unknown host %s is not allowed' % fqdn) host = hosts[0] if scheme == 'ssh' and host.admin_ip_address != host.main_ip_address: fqdn = '%s.%s%s' % (fqdn.partition('.')[0], settings.PDNS_ADMIN_PREFIX, settings.PENATES_DOMAIN) services = list(Service.objects.filter(fqdn=fqdn, scheme=scheme, hostname=hostname, port=port, protocol=protocol)[0:1]) if not services: return HttpResponse(status=404, content='%s://%s:%s/ unknown' % (scheme, hostname, port)) service = services[0] principal_name = '%s/%s@%s' % (service.kerberos_service, fqdn, settings.PENATES_REALM) if not principal_exists(principal_name): return HttpResponse(status=404, content='Principal for %s://%s:%s/ undefined' % (scheme, hostname, port)) return KeytabResponse(principal_name)
def get_dns_conf(request): # noinspection PyUnusedLocal request = request try: fqdn = hostname_from_principal(request.user.username) except ValueError: return HttpResponse(status=401, content='Unable to get configuration: invalid username') if Service.objects.filter(fqdn=fqdn, scheme='dns')[0:1].count() > 0: db_name = settings.DATABASES['powerdns']['NAME'] db_user = settings.DATABASES['powerdns']['USER'] db_password = settings.DATABASES['powerdns']['PASSWORD'] db_host = settings.DATABASES['powerdns']['HOST'] db_port = settings.DATABASES['powerdns']['PORT'] db_content = subprocess.check_output(['pg_dump', '--username=%s' % db_user, '--host=%s' % db_host, '--port=%s' % db_port, db_name], env={'PGPASSWORD': db_password}) else: db_content = '' return HttpResponse(db_content, content_type='application/sql')
def get_services(request): try: fqdn = hostname_from_principal(request.user.username) except ValueError: return HttpResponse( status=401, content='Unable to get configuration: invalid username') result = [{ 'scheme': service.scheme, 'hostname': service.hostname, 'port': service.port, 'protocol': service.protocol, 'encryption': service.encryption, 'kerberos_service': service.kerberos_service, 'dns_srv': service.dns_srv, } for service in Service.objects.filter(fqdn=fqdn, protocol__in=['tcp', 'udp'])] content = json.dumps(result) return HttpResponse(content, content_type='application/json')
def get_service_certificate(request, scheme, hostname, port): fqdn = hostname_from_principal(request.user.username) role = request.GET.get('role', SERVICE) protocol = request.GET.get('protocol', 'tcp') port = int(port) services = list(Service.objects.filter(fqdn=fqdn, scheme=scheme, hostname=hostname, port=port, protocol=protocol)[0:1]) if not services: return HttpResponse(status=404, content='%s://%s:%s/ unknown' % (scheme, hostname, port)) if role not in (SERVICE, KERBEROS_DC, PRINTER, TIME_SERVER, SERVICE_1024): return HttpResponse(status=401, content='Role %s is not allowed' % role) entry = CertificateEntry(hostname, organizationName=settings.PENATES_ORGANIZATION, organizationalUnitName=_('Services'), emailAddress=settings.PENATES_EMAIL_ADDRESS, localityName=settings.PENATES_LOCALITY, countryName=settings.PENATES_COUNTRY, stateOrProvinceName=settings.PENATES_STATE, altNames=[], role=role) pki = PKI() pki.ensure_certificate(entry) record_name, sep, domain_name = hostname.partition('.') domain = Domain.objects.get(name=domain_name) domain.set_certificate_records(entry, protocol, hostname, port) return CertificateEntryResponse(entry)
def register_service(request, check_command): try: fqdn = hostname_from_principal(request.user.username) except ValueError: return HttpResponse(status=401, content='Invalid username') status = 204 if request.method == 'POST': if request.body: content = json.loads(request.body.decode('utf-8')) s = ShinkenService(**content) s.host_name = fqdn values = s.to_dict() for key in ('host_name', 'check_command'): if key in values: del values[key] if ShinkenService.objects.filter(host_name=fqdn, check_command=check_command)\ .update(**values) == 0: ShinkenService(host_name=fqdn, check_command=check_command, **values).save() return HttpResponse(status=201) elif request.method == 'GET': form = ShinkenServiceForm(request.GET) if not form.is_valid(): return HttpResponse(status=400) values = { key: value for key, value in list(form.cleaned_data.items()) if value } if ShinkenService.objects.filter(host_name=fqdn, check_command=check_command)\ .update(**values) == 0: ShinkenService(host_name=fqdn, check_command=check_command, **values).save() return HttpResponse(status=201) elif request.method == 'DELETE': ShinkenService.objects.filter(host_name=fqdn, check_command=check_command).delete() status = 202 return HttpResponse(status=status)
def get_service_certificate(request, scheme, hostname, port): try: fqdn = hostname_from_principal(request.user.username) except ValueError: return HttpResponse( status=401, content='Unable to get service certificate: invalid username') role = request.GET.get('role', SERVICE) protocol = request.GET.get('protocol', 'tcp') port = int(port) query = Service.objects.filter(fqdn=fqdn, scheme=scheme, hostname=hostname, port=port, protocol=protocol) services = list(query[0:1]) if not services: return HttpResponse(status=404, content='%s://%s:%s/ unknown' % (scheme, hostname, port)) if role not in (SERVICE, KERBEROS_DC, PRINTER, TIME_SERVER, SERVICE_1024): return HttpResponse(status=401, content='Role %s is not allowed' % role) entry = CertificateEntry(hostname, organizationName=settings.PENATES_ORGANIZATION, organizationalUnitName=_('Services'), emailAddress=settings.PENATES_EMAIL_ADDRESS, localityName=settings.PENATES_LOCALITY, countryName=settings.PENATES_COUNTRY, stateOrProvinceName=settings.PENATES_STATE, altNames=[], role=role) pki = PKI() pki.ensure_certificate(entry) record_name, sep, domain_name = hostname.partition('.') domain = Domain.objects.get(name=domain_name) domain.set_certificate_records(entry, protocol, hostname, port) return CertificateEntryResponse(entry)
def get_dhcpd_conf(request): # noinspection PyUnusedLocal request = request try: fqdn = hostname_from_principal(request.user.username) except ValueError: return HttpResponse( status=401, content='Unable to get configuration: invalid username') if Service.objects.filter(fqdn=fqdn, scheme='dchp')[0:1].count() == 0: hosts = [] else: hosts = Host.objects.all() def get_ip_or_none(scheme): values = list(Service.objects.filter(scheme=scheme)[0:1]) if not values: return None return Record.local_resolve(values[0].fqdn) or values[0].hostname def get_ip_list(scheme, protocol='udp'): values = list(Service.objects.filter(scheme=scheme, protocol=protocol)) return [Record.local_resolve(x.fqdn) or x.hostname for x in values] template_values = { 'penates_subnets': get_subnets(), 'penates_domain': settings.PENATES_DOMAIN, 'admin_prefix': settings.PDNS_ADMIN_PREFIX, 'infra_prefix': settings.PDNS_INFRA_PREFIX, 'hosts': hosts, 'tftp': get_ip_or_none('tftp'), 'dns_list': get_ip_list('dns'), 'ntp': get_ip_or_none('ntp'), } return render_to_response('dhcpd/dhcpd.conf', template_values, status=200, content_type='text/plain')
def set_service(request, scheme, hostname, port): try: fqdn = hostname_from_principal(request.user.username) except ValueError: return HttpResponse( status=401, content='Unable to create %s://%s:%s/: invalid username' % (scheme, hostname, port)) encryption = request.GET.get('encryption', 'none') srv_field = request.GET.get('srv', None) kerberos_service = request.GET.get('keytab', None) role = request.GET.get('role', SERVICE) protocol = request.GET.get('protocol', 'tcp') if encryption not in ('none', 'tls', 'starttls'): return HttpResponse( 'valid encryption levels are none, tls, or starttls') port = int(port) if not (0 <= port <= 65536): return HttpResponse('Invalid port: %s' % port, status=403, content_type='text/plain') if protocol not in ('tcp', 'udp', 'socket'): return HttpResponse('Invalid protocol: %s' % protocol, status=403, content_type='text/plain') description = request.body # a few checks if Service.objects.filter(hostname=hostname).exclude( fqdn=fqdn).count() > 0: return HttpResponse(status=401, content='%s is already registered' % hostname) if role not in (SERVICE, KERBEROS_DC, PRINTER, TIME_SERVER, SERVICE_1024): return HttpResponse(status=401, content='Role %s is not allowed' % role) if kerberos_service and kerberos_service not in settings.KERBEROS_SERVICES: return HttpResponse(status=401, content='Kerberos service %s is not allowed' % role) hosts = list(Host.objects.filter(fqdn=fqdn)[0:1]) if not hosts: return HttpResponse(status=401, content='Unknown host %s is not allowed' % fqdn) host = hosts[0] if scheme == 'ssh' and host.admin_ip_address != host.main_ip_address: fqdn = '%s.%s%s' % (fqdn.partition('.')[0], settings.PDNS_ADMIN_PREFIX, settings.PENATES_DOMAIN) # Penates service service, created = Service.objects.get_or_create(fqdn=fqdn, scheme=scheme, hostname=hostname, port=port, protocol=protocol, defaults={ 'kerberos_service': kerberos_service, 'dns_srv': srv_field, 'encryption': encryption, 'description': description }) Service.objects.filter(pk=service.pk).update( kerberos_service=kerberos_service, description=description, dns_srv=srv_field, encryption=encryption) # certificates entry = CertificateEntry(hostname, organizationName=settings.PENATES_ORGANIZATION, organizationalUnitName=_('Services'), emailAddress=settings.PENATES_EMAIL_ADDRESS, localityName=settings.PENATES_LOCALITY, countryName=settings.PENATES_COUNTRY, stateOrProvinceName=settings.PENATES_STATE, altNames=[], role=role) pki = PKI() pki.ensure_certificate(entry) if kerberos_service: add_principal(service.principal_name) # DNS part record_name, sep, domain_name = hostname.partition('.') if sep == '.': domains = list(Domain.objects.filter(name=domain_name)[0:1]) if domains: domain = domains[0] domain.ensure_record(fqdn, hostname) domain.set_extra_records(scheme, hostname, port, fqdn, srv_field, entry=entry) domain.update_soa() return HttpResponse(status=201, content='%s://%s:%s/ created' % (scheme, hostname, port))
def get_host_certificate(request): entry = entry_from_hostname(hostname_from_principal(request.user.username)) return CertificateEntryResponse(entry)
def get_admin_certificate(request): hostname = hostname_from_principal(request.user.username) hostname = '%s.%s%s' % (hostname.partition('.')[0], settings.PDNS_ADMIN_PREFIX, settings.PENATES_DOMAIN) entry = admin_entry_from_hostname(hostname) return CertificateEntryResponse(entry)