summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniil Baturin <daniil@baturin.org>2019-08-15 01:03:06 +0700
committerGitHub <noreply@github.com>2019-08-15 01:03:06 +0700
commit58c5a7e668d0131de50e6f9711f029f9ff4a02ab (patch)
tree9954f9f8d20032a26d6ae0d5601693c80fd01771
parent8d1e768a6f3285ed717f588f356db9340871b043 (diff)
parente304e91a781f79c1e12bb2a7f806a0015bf039e3 (diff)
downloadvyos-1x-58c5a7e668d0131de50e6f9711f029f9ff4a02ab.tar.gz
vyos-1x-58c5a7e668d0131de50e6f9711f029f9ff4a02ab.zip
Merge pull request #103 from jestabro/service-https
[service https] T1443: add self-signed TLS certificate
-rw-r--r--interface-definitions/https.xml24
-rw-r--r--python/vyos/defaults.py19
-rwxr-xr-xsrc/conf_mode/http-api.py11
-rwxr-xr-xsrc/conf_mode/https.py22
-rwxr-xr-xsrc/conf_mode/vyos_cert.py143
5 files changed, 200 insertions, 19 deletions
diff --git a/interface-definitions/https.xml b/interface-definitions/https.xml
index 828de449c..13d5c43ea 100644
--- a/interface-definitions/https.xml
+++ b/interface-definitions/https.xml
@@ -27,6 +27,30 @@
</constraint>
</properties>
</leafNode>
+ <node name="certificates">
+ <properties>
+ <help>TLS certificates</help>
+ </properties>
+ <children>
+ <node name="system-generated-certificate" owner="${vyos_conf_scripts_dir}/vyos_cert.py">
+ <properties>
+ <help>Use an automatically generated self-signed certificate</help>
+ <valueless/>
+ </properties>
+ <children>
+ <leafNode name="lifetime">
+ <properties>
+ <help>Lifetime in days; default is 365</help>
+ <valueHelp>
+ <format>1-65535</format>
+ <description>Number of days</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ </children>
+ </node>
<node name="api" owner="${vyos_conf_scripts_dir}/http-api.py">
<properties>
<help>VyOS HTTP API configuration</help>
diff --git a/python/vyos/defaults.py b/python/vyos/defaults.py
index 524b80424..3e4c02562 100644
--- a/python/vyos/defaults.py
+++ b/python/vyos/defaults.py
@@ -27,3 +27,22 @@ cfg_group = 'vyattacfg'
cfg_vintage = 'vyatta'
commit_lock = '/opt/vyatta/config/.lock'
+
+https_data = {
+ 'listen_address' : [ '127.0.0.1' ]
+}
+
+api_data = {
+ 'listen_address' : '127.0.0.1',
+ 'port' : '8080',
+ 'strict' : 'false',
+ 'debug' : 'false',
+ 'api_keys' : [ {"id": "testapp", "key": "qwerty"} ]
+}
+
+vyos_cert_data = {
+ "conf": "/etc/nginx/snippets/vyos-cert.conf",
+ "crt": "/etc/ssl/certs/vyos-selfsigned.crt",
+ "key": "/etc/ssl/private/vyos-selfsign",
+ "lifetime": "365",
+}
diff --git a/src/conf_mode/http-api.py b/src/conf_mode/http-api.py
index c1d596ea3..1f91ac582 100755
--- a/src/conf_mode/http-api.py
+++ b/src/conf_mode/http-api.py
@@ -27,14 +27,6 @@ from vyos import ConfigError
config_file = '/etc/vyos/http-api.conf'
-default_config_data = {
- 'listen_address' : '127.0.0.1',
- 'port' : '8080',
- 'strict' : 'false',
- 'debug' : 'false',
- 'api_keys' : [ {"id": "testapp", "key": "qwerty"} ]
-}
-
vyos_conf_scripts_dir=vyos.defaults.directories['conf_mode']
# XXX: this model will need to be extended for tag nodes
@@ -43,7 +35,8 @@ dependencies = [
]
def get_config():
- http_api = default_config_data
+ http_api = vyos.defaults.api_data
+
conf = Config()
if not conf.exists('service https api'):
return None
diff --git a/src/conf_mode/https.py b/src/conf_mode/https.py
index e1e81eef1..289eacf69 100755
--- a/src/conf_mode/https.py
+++ b/src/conf_mode/https.py
@@ -21,6 +21,7 @@ import os
import jinja2
+import vyos.defaults
from vyos.config import Config
from vyos import ConfigError
@@ -45,11 +46,16 @@ server {
#
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
+
+{% if vyos_cert %}
+ include {{ vyos_cert.conf }};
+{% else %}
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
include snippets/snakeoil.conf;
+{% endif %}
{% for l_addr in listen_address %}
server_name {{ l_addr }};
@@ -75,16 +81,8 @@ server {
}
"""
-default_config_data = {
- 'listen_address' : [ '127.0.0.1' ]
-}
-
-default_api_config_data = {
- 'port' : '8080',
-}
-
def get_config():
- https = default_config_data
+ https = vyos.defaults.https_data
conf = Config()
if not conf.exists('service https'):
return None
@@ -95,8 +93,12 @@ def get_config():
addrs = conf.return_values('listen-address')
https['listen_address'] = addrs[:]
+ if conf.exists('certificates'):
+ if conf.exists('certificates system-generated-certificate'):
+ https['vyos_cert'] = vyos.defaults.vyos_cert_data
+
if conf.exists('api'):
- https['api'] = default_api_config_data
+ https['api'] = vyos.defaults.api_data
if conf.exists('api port'):
port = conf.return_value('api port')
diff --git a/src/conf_mode/vyos_cert.py b/src/conf_mode/vyos_cert.py
new file mode 100755
index 000000000..4a44573ca
--- /dev/null
+++ b/src/conf_mode/vyos_cert.py
@@ -0,0 +1,143 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2019 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+#
+
+import sys
+import os
+import subprocess
+import tempfile
+import pathlib
+import ssl
+
+import vyos.defaults
+from vyos.config import Config
+from vyos import ConfigError
+
+vyos_conf_scripts_dir = vyos.defaults.directories['conf_mode']
+
+# XXX: this model will need to be extended for tag nodes
+dependencies = [
+ 'https.py',
+]
+
+def status_self_signed(cert_data):
+# check existence and expiration date
+ path = pathlib.Path(cert_data['conf'])
+ if not path.is_file():
+ return False
+ path = pathlib.Path(cert_data['crt'])
+ if not path.is_file():
+ return False
+ path = pathlib.Path(cert_data['key'])
+ if not path.is_file():
+ return False
+
+ # check if certificate is 1/2 past lifetime, with openssl -checkend
+ end_days = int(cert_data['lifetime'])
+ end_seconds = int(0.5*60*60*24*end_days)
+ checkend_cmd = ('openssl x509 -checkend {end} -noout -in {crt}'
+ ''.format(end=end_seconds, **cert_data))
+ try:
+ subprocess.check_call(checkend_cmd, shell=True)
+ return True
+ except subprocess.CalledProcessError as err:
+ if err.returncode == 1:
+ return False
+ else:
+ print("Called process error: {}.".format(err))
+
+def generate_self_signed(cert_data):
+ san_config = None
+
+ if ssl.OPENSSL_VERSION_INFO < (1, 1, 1, 0, 0):
+ san_config = tempfile.NamedTemporaryFile()
+ with open(san_config.name, 'w') as fd:
+ fd.write('[req]\n')
+ fd.write('distinguished_name=req\n')
+ fd.write('[san]\n')
+ fd.write('subjectAltName=DNS:vyos\n')
+
+ openssl_req_cmd = ('openssl req -x509 -nodes -days {lifetime} '
+ '-newkey rsa:4096 -keyout {key} -out {crt} '
+ '-subj "/O=Sentrium/OU=VyOS/CN=vyos" '
+ '-extensions san -config {san_conf}'
+ ''.format(san_conf=san_config.name,
+ **cert_data))
+
+ else:
+ openssl_req_cmd = ('openssl req -x509 -nodes -days {lifetime} '
+ '-newkey rsa:4096 -keyout {key} -out {crt} '
+ '-subj "/O=Sentrium/OU=VyOS/CN=vyos" '
+ '-addext "subjectAltName=DNS:vyos"'
+ ''.format(**cert_data))
+
+ try:
+ subprocess.check_call(openssl_req_cmd, shell=True)
+ except subprocess.CalledProcessError as err:
+ print("Called process error: {}.".format(err))
+
+ os.chmod('{key}'.format(**cert_data), 0o400)
+
+ with open('{conf}'.format(**cert_data), 'w') as f:
+ f.write('ssl_certificate {crt};\n'.format(**cert_data))
+ f.write('ssl_certificate_key {key};\n'.format(**cert_data))
+
+ if san_config:
+ san_config.close()
+
+def get_config():
+ vyos_cert = vyos.defaults.vyos_cert_data
+
+ conf = Config()
+ if not conf.exists('service https certificates system-generated-certificate'):
+ return None
+ else:
+ conf.set_level('service https certificates system-generated-certificate')
+
+ if conf.exists('lifetime'):
+ lifetime = conf.return_value('lifetime')
+ vyos_cert['lifetime'] = lifetime
+
+ return vyos_cert
+
+def verify(vyos_cert):
+ return None
+
+def generate(vyos_cert):
+ if vyos_cert is None:
+ return None
+
+ if not status_self_signed(vyos_cert):
+ generate_self_signed(vyos_cert)
+
+def apply(vyos_cert):
+ for dep in dependencies:
+ cmd = '{0}/{1}'.format(vyos_conf_scripts_dir, dep)
+ try:
+ subprocess.check_call(cmd, shell=True)
+ except subprocess.CalledProcessError as err:
+ raise ConfigError("{}.".format(err))
+
+if __name__ == '__main__':
+ try:
+ c = get_config()
+ verify(c)
+ generate(c)
+ apply(c)
+ except ConfigError as e:
+ print(e)
+ sys.exit(1)