modules/fm-orchestrator
1
0
Fork 0
mirror of https://pagure.io/fm-orchestrator.git synced 2026-04-04 11:20:00 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge branch 'mprahl/message-signing'

Browse Source
This commit is contained in:
Nils Philippsen
2016-09-30 09:59:07 +02:00
parent 7260a029d1 7a84e65752
commit 632812f15d
8 changed files with 192 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
Dockerfile
View File

@@ -1,7 +1,7 @@
FROM fedora:24
# so we don't have to compile those when fetched from PyPI
RUN dnf install -y python-pip python2-setuptools python2-cffi python2-zmq python2-cryptography koji python2-pdc-client && \
RUN dnf install -y python-pip python2-setuptools python2-cffi python2-zmq python2-cryptography koji python2-pdc-client swig && \
dnf autoremove -y && dnf clean all && \
mkdir /opt/fm-orchestrator/
WORKDIR /opt/fm-orchestrator/
@@ -12,5 +12,5 @@ COPY koji.conf /etc/rida/
COPY . /opt/fm-orchestrator/
RUN python2 ./manage.py upgradedb && ./generate_localhost_cert.sh
RUN python2 ./manage.py upgradedb && python2 manage.py generatelocalhostcert
CMD ["python2", "manage.py", "runssl"]

24
README.rst
View File

@@ -395,3 +395,27 @@ It may happen that you will run into issues and the container won't start proper
$ sudo docker-compose build --no-cache --pull
First command will stop and remove all containers and volumes and second command will pull latest base image and perform a clean build without cache.
``fedmsg Signing for Development``
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In order to enable fedmsg signing in development, you will need to follow a series of steps.
Note that this will conflict with signed messages from a different CA that are on the message bus, so this may cause unexpected results.
Generate the CA, the certificate to be used by fedmsg, and the CRL with::
$ python manage.py gendevfedmsgcert
Setup Apache to host the CRL::
$ dnf install httpd && systemctl enable httpd && systemctl start httpd
$ mkdir -p /var/www/html/crl
$ ln -s /opt/fm-orchestrator/pki/ca.crl /var/www/html/crl/ca.crl
$ ln -s /opt/fm-orchestrator/pki/ca.crt /var/www/html/crl/ca.crt
Create a directory to house the fedmsg cache::
$ mkdir -p /etc/pki/fedmsg
Then uncomment the fedmsg signing configuration in fedmsg.d/rida.py.

4
Vagrantfile vendored
View File

@@ -2,14 +2,14 @@
# vi: set ft=ruby :
$script = <<SCRIPT
dnf install -y python python-virtualenv python-devel libffi-devel redhat-rpm-config openssl-devel gcc gcc-c++ koji git
dnf install -y python python-virtualenv python-devel libffi-devel redhat-rpm-config openssl-devel gcc gcc-c++ koji git swig
pip install -r /opt/fm-orchestrator/src/requirements.txt
pip install -r /opt/fm-orchestrator/src/test-requirements.txt
cd /opt/fm-orchestrator/src
mkdir -p /etc/rida
cp -av koji.conf /etc/rida/
python manage.py upgradedb
./generate_localhost_cert.sh
python manage.py generatelocalhostcert
SCRIPT
Vagrant.configure("2") do |config|

17
fedmsg.d/rida.py
View File

@@ -8,4 +8,21 @@ config = {
"tcp://127.0.0.1:300%i" % i for i in range(10)
],
},
# Start of code signing configuration
# 'sign_messages': True,
# 'validate_signatures': True,
# 'crypto_backend': 'x509',
# 'crypto_validate_backends': ['x509'],
# 'ssldir': '/opt/fm-orchestrator/pki',
# 'crl_location': 'http://localhost/crl/ca.crl',
# 'crl_cache': '/etc/pki/fedmsg/crl.pem',
# 'crl_cache_expiry': 10,
# 'ca_cert_location': 'http://localhost/crl/ca.crt',
# 'ca_cert_cache': '/etc/pki/fedmsg/ca.crt',
# 'ca_cert_cache_expiry': 0, # Never expires
# 'certnames': {
# 'rida.localhost': 'localhost'
# }
# End of code signing configuration
}

3
generate_localhost_cert.sh
View File

@@ -1,3 +0,0 @@
#!/bin/bash
openssl req -subj '/CN=localhost/O=My Company Name LTD./C=US' -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout server.key -out server.crt

148
manage.py
View File

@@ -26,11 +26,13 @@ import flask_migrate
import logging
import os
import ssl
from shutil import rmtree
from rida import app, conf, db
from rida.config import Config
from rida.pdc import get_pdc_client_session, get_module, get_module_runtime_dependencies, get_module_tag, \
get_module_build_dependencies
from rida.pdc import (
get_pdc_client_session, get_module, get_module_runtime_dependencies,
get_module_tag, get_module_build_dependencies)
import rida.auth
@@ -75,12 +77,14 @@ def testpdc():
cfg.pdc_develop = True
pdc_session = get_pdc_client_session(cfg)
module = get_module(pdc_session, {'name': 'testmodule', 'version': '4.3.43', 'release': '1'})
module = get_module(pdc_session, {'name': 'testmodule', 'version': '4.3.43',
'release': '1'})
if module:
print ("pdc_data=%s" % str(module))
print ("deps=%s" % get_module_runtime_dependencies(pdc_session, module))
print ("build_deps=%s" % get_module_build_dependencies(pdc_session, module))
print ("build_deps=%s" % get_module_build_dependencies(
pdc_session, module))
print ("tag=%s" % get_module_tag(pdc_session, module))
else:
print ('module was not found')
@@ -93,6 +97,142 @@ def upgradedb():
flask_migrate.upgrade()
@manager.command
def gendevfedmsgcert(pki_dir='/opt/fm-orchestrator/pki', force=False):
"""
Creates a CA, a certificate signed by that CA, and generates a CRL.
"""
from OpenSSL import crypto
if os.path.exists(pki_dir):
if force:
rmtree(pki_dir)
else:
print('The directory "{}" already exists'.format(pki_dir))
return
os.mkdir(pki_dir)
ca_crt_path = os.path.join(pki_dir, 'ca.crt')
ca_key_path = os.path.join(pki_dir, 'ca.key')
msg_key_path = os.path.join(pki_dir, 'localhost.key')
msg_crt_path = os.path.join(pki_dir, 'localhost.crt')
ca_crl = os.path.join(pki_dir, 'ca.crl')
# Create a key pair for the CA
ca_key = crypto.PKey()
ca_key.generate_key(crypto.TYPE_RSA, 2048)
with open(ca_key_path, 'w') as ca_key_file:
ca_key_file.write(
crypto.dump_privatekey(crypto.FILETYPE_PEM, ca_key))
# Create a self-signed CA cert
ca_cert = crypto.X509()
ca_subject = ca_cert.get_subject()
ca_subject.C = 'US'
ca_subject.ST = 'MA'
ca_subject.L = 'Boston'
ca_subject.O = 'Development'
ca_subject.CN = 'Dev-CA'
ca_cert.set_serial_number(1)
ca_cert.gmtime_adj_notBefore(0)
ca_cert.gmtime_adj_notAfter(315360000) # 10 years
ca_cert.set_issuer(ca_cert.get_subject())
ca_cert.set_pubkey(ca_key)
ca_cert.add_extensions([
crypto.X509Extension('basicConstraints', True, 'CA:true')])
ca_cert.sign(ca_key, 'sha256')
with open(ca_crt_path, 'w') as ca_crt_file:
ca_crt_file.write(
crypto.dump_certificate(crypto.FILETYPE_PEM, ca_cert))
# Create a key pair for the message signing cert
msg_key = crypto.PKey()
msg_key.generate_key(crypto.TYPE_RSA, 2048)
with open(msg_key_path, 'w') as msg_key_file:
msg_key_file.write(
crypto.dump_privatekey(crypto.FILETYPE_PEM, msg_key))
# Create a cert signed by the CA
msg_cert = crypto.X509()
msg_cert_subject = msg_cert.get_subject()
msg_cert_subject.C = 'US'
msg_cert_subject.ST = 'MA'
msg_cert_subject.L = 'Boston'
msg_cert_subject.O = 'Development'
msg_cert_subject.CN = 'localhost'
msg_cert.set_serial_number(2)
msg_cert.gmtime_adj_notBefore(0)
msg_cert.gmtime_adj_notAfter(315360000) # 10 years
msg_cert.set_issuer(ca_cert.get_subject())
msg_cert.set_pubkey(msg_key)
cert_extensions = [
crypto.X509Extension(
'keyUsage', True,
'digitalSignature, keyEncipherment, nonRepudiation'),
crypto.X509Extension('extendedKeyUsage', True, 'serverAuth'),
crypto.X509Extension('basicConstraints', True, 'CA:false'),
crypto.X509Extension('crlDistributionPoints', False,
'URI:http://localhost/crl/ca.crl'),
crypto.X509Extension('authorityInfoAccess', False,
'caIssuers;URI:http://localhost/crl/ca.crt'),
crypto.X509Extension('subjectKeyIdentifier', False, 'hash',
subject=ca_cert)
]
msg_cert.add_extensions(cert_extensions)
msg_cert.sign(ca_key, 'sha256')
with open(msg_crt_path, 'w') as msg_crt_file:
msg_crt_file.write(
crypto.dump_certificate(crypto.FILETYPE_PEM, msg_cert))
# Generate the CRL
with open(ca_crl, 'w') as ca_crl_file:
ca_crl_file.write(
crypto.CRL().export(ca_cert, ca_key, type=crypto.FILETYPE_PEM,
days=3650, digest='sha256'))
@manager.command
def generatelocalhostcert():
# Create a key pair for the message signing cert
from OpenSSL import crypto
cert_key = crypto.PKey()
cert_key.generate_key(crypto.TYPE_RSA, 2048)
with open('server.key', 'w') as cert_key_file:
cert_key_file.write(
crypto.dump_privatekey(crypto.FILETYPE_PEM, cert_key))
cert = crypto.X509()
msg_cert_subject = cert.get_subject()
msg_cert_subject.C = 'US'
msg_cert_subject.ST = 'MA'
msg_cert_subject.L = 'Boston'
msg_cert_subject.O = 'Development'
msg_cert_subject.CN = 'localhost'
cert.set_serial_number(2)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(315360000) # 10 years
cert.set_issuer(cert.get_subject())
cert.set_pubkey(cert_key)
cert_extensions = [
crypto.X509Extension(
'keyUsage', True,
'digitalSignature, keyEncipherment, nonRepudiation'),
crypto.X509Extension('extendedKeyUsage', True, 'serverAuth'),
]
cert.add_extensions(cert_extensions)
cert.sign(cert_key, 'sha256')
with open('server.crt', 'w') as cert_file:
cert_file.write(
crypto.dump_certificate(crypto.FILETYPE_PEM, cert))
@manager.command
def runssl(host=conf.host, port=conf.port, debug=False):
""" Runs the Flask app with the HTTPS settings configured in config.py

2
requirements.txt
View File

@@ -12,3 +12,5 @@ Flask-SQLAlchemy
Flask-Migrate
python-fedora
funcsigs # Python2 only
m2crypto
m2ext

2
submit-build.sh
View File

@@ -3,5 +3,5 @@ echo "Submmiting a build of modules/testmodule, #020ea37251df5019fde9e7899d2f7d7
echo "Using https://localhost:5000/rida/module-builds/"
echo "NOTE: You need to be a Fedora packager for this to work"
echo
curl --cert ~/.fedora.cert -k -H "Content-Type: text/json" --data @submit-build.json https://localhost:5000/rida/module-builds/
curl --cert ~/.fedora.cert -k -H "Content-Type: text/json" --data @submit-build.json https://localhost:5000/rida/1/module-builds/
echo