sampledoc

Source code for Bcfg2.Server.Plugins.Cfg.CfgPrivateKeyCreator

""" The CfgPrivateKeyCreator creates SSH keys on the fly. """

import os
import shutil
import tempfile
import subprocess
from Bcfg2.Server.Plugin import PluginExecutionError, StructFile
from Bcfg2.Server.Plugins.Cfg import CfgCreator, CfgCreationError, SETUP
from Bcfg2.Server.Plugins.Cfg.CfgPublicKeyCreator import CfgPublicKeyCreator
try:
    import Bcfg2.Encryption
    HAS_CRYPTO = True
except ImportError:
    HAS_CRYPTO = False


[docs]class CfgPrivateKeyCreator(CfgCreator, StructFile): """The CfgPrivateKeyCreator creates SSH keys on the fly. """ #: Different configurations for different clients/groups can be #: handled with Client and Group tags within privkey.xml __specific__ = False #: Handle XML specifications of private keys __basenames__ = ['privkey.xml'] def __init__(self, fname): CfgCreator.__init__(self, fname) StructFile.__init__(self, fname) pubkey_path = os.path.dirname(self.name) + ".pub" pubkey_name = os.path.join(pubkey_path, os.path.basename(pubkey_path)) self.pubkey_creator = CfgPublicKeyCreator(pubkey_name) @property
[docs] def category(self): """ The name of the metadata category that generated keys are specific to """ if (SETUP.cfp.has_section("sshkeys") and SETUP.cfp.has_option("sshkeys", "category")): return SETUP.cfp.get("sshkeys", "category") return None
@property
[docs] def passphrase(self): """ The passphrase used to encrypt private keys """ if (HAS_CRYPTO and SETUP.cfp.has_section("sshkeys") and SETUP.cfp.has_option("sshkeys", "passphrase")): return Bcfg2.Encryption.get_passphrases(SETUP)[ SETUP.cfp.get("sshkeys", "passphrase")] return None
def handle_event(self, event): CfgCreator.handle_event(self, event) StructFile.HandleEvent(self, event) def _gen_keypair(self, metadata, spec=None): """ Generate a keypair according to the given client medata and key specification. :param metadata: The client metadata to generate keys for :type metadata: Bcfg2.Server.Plugins.Metadata.ClientMetadata :param spec: The key specification to follow when creating the keys. This should be an XML document that only contains key specification data that applies to the given client metadata, and may be obtained by doing ``self.XMLMatch(metadata)`` :type spec: lxml.etree._Element :returns: string - The filename of the private key """ if spec is None: spec = self.XMLMatch(metadata) # set key parameters ktype = "rsa" bits = None params = spec.find("Params") if params is not None: bits = params.get("bits") ktype = params.get("type", ktype) try: passphrase = spec.find("Passphrase").text except AttributeError: passphrase = '' tempdir = tempfile.mkdtemp() try: filename = os.path.join(tempdir, "privkey") # generate key pair cmd = ["ssh-keygen", "-f", filename, "-t", ktype] if bits: cmd.extend(["-b", bits]) cmd.append("-N") log_cmd = cmd[:] cmd.append(passphrase) if passphrase: log_cmd.append("******") else: log_cmd.append("''") self.debug_log("Cfg: Generating new SSH key pair: %s" % " ".join(log_cmd)) proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE) err = proc.communicate()[1] if proc.wait(): raise CfgCreationError("Cfg: Failed to generate SSH key pair " "at %s for %s: %s" % (filename, metadata.hostname, err)) elif err: self.logger.warning("Cfg: Generated SSH key pair at %s for %s " "with errors: %s" % (filename, metadata.hostname, err)) return filename except: shutil.rmtree(tempdir) raise
[docs] def get_specificity(self, metadata, spec=None): """ Get config settings for key generation specificity (per-host or per-group). :param metadata: The client metadata to create data for :type metadata: Bcfg2.Server.Plugins.Metadata.ClientMetadata :param spec: The key specification to follow when creating the keys. This should be an XML document that only contains key specification data that applies to the given client metadata, and may be obtained by doing ``self.XMLMatch(metadata)`` :type spec: lxml.etree._Element :returns: dict - A dict of specificity arguments suitable for passing to :func:`Bcfg2.Server.Plugins.Cfg.CfgCreator.write_data` or :func:`Bcfg2.Server.Plugins.Cfg.CfgCreator.get_filename` """ if spec is None: spec = self.XMLMatch(metadata) category = spec.get("category", self.category) if category is None: per_host_default = "true" else: per_host_default = "false" per_host = spec.get("perhost", per_host_default).lower() == "true" specificity = dict(host=metadata.hostname) if category and not per_host: group = metadata.group_in_category(category) if group: specificity = dict(group=group, prio=int(spec.get("priority", 50))) else: self.logger.info("Cfg: %s has no group in category %s, " "creating host-specific key" % (metadata.hostname, category)) return specificity # pylint: disable=W0221
[docs] def create_data(self, entry, metadata): """ Create data for the given entry on the given client :param entry: The abstract entry to create data for. This will not be modified :type entry: lxml.etree._Element :param metadata: The client metadata to create data for :type metadata: Bcfg2.Server.Plugins.Metadata.ClientMetadata :returns: string - The private key data """ spec = self.XMLMatch(metadata) specificity = self.get_specificity(metadata, spec) filename = self._gen_keypair(metadata, spec) try: # write the public key, stripping the comment and # replacing it with a comment that specifies the filename. kdata = open(filename + ".pub").read().split()[:2] kdata.append(self.pubkey_creator.get_filename(**specificity)) pubkey = " ".join(kdata) + "\n" self.pubkey_creator.write_data(pubkey, **specificity) # encrypt the private key, write to the proper place, and # return it privkey = open(filename).read() if HAS_CRYPTO and self.passphrase: self.debug_log("Cfg: Encrypting key data at %s" % filename) privkey = Bcfg2.Encryption.ssl_encrypt( privkey, self.passphrase, algorithm=Bcfg2.Encryption.get_algorithm(SETUP)) specificity['ext'] = '.crypt' self.write_data(privkey, **specificity) return privkey finally: shutil.rmtree(os.path.dirname(filename)) # pylint: enable=W0221
def Index(self): StructFile.Index(self) if HAS_CRYPTO: for el in self.xdata.xpath("//*[@encrypted]"): try: el.text = self._decrypt(el).encode('ascii', 'xmlcharrefreplace') except UnicodeDecodeError: self.logger.info("Cfg: Decrypted %s to gibberish, skipping" % el.tag) except Bcfg2.Encryption.EVPError: default_strict = SETUP.cfp.get( Bcfg2.Encryption.CFG_SECTION, "decrypt", default="strict") strict = self.xdata.get("decrypt", default_strict) == "strict" msg = "Cfg: Failed to decrypt %s element in %s" % \ (el.tag, self.name) if strict: raise PluginExecutionError(msg) else: self.logger.debug(msg) def _decrypt(self, element): """ Decrypt a single encrypted element """ if not element.text or not element.text.strip(): return passes = Bcfg2.Encryption.get_passphrases(SETUP) try: passphrase = passes[element.get("encrypted")] try: return Bcfg2.Encryption.ssl_decrypt( element.text, passphrase, algorithm=Bcfg2.Encryption.get_algorithm(SETUP)) except Bcfg2.Encryption.EVPError: # error is raised below pass except KeyError: # bruteforce_decrypt raises an EVPError with a sensible # error message, so we just let it propagate up the stack return Bcfg2.Encryption.bruteforce_decrypt( element.text, passphrases=passes.values(), algorithm=Bcfg2.Encryption.get_algorithm(SETUP)) raise Bcfg2.Encryption.EVPError("Failed to decrypt")