Upgrade bless to latestbless commit: c03b8d1bf0a4addef43a5dead85820904fe35123
1 parent
3eac7d1
commit b0f1403
Showing
2,666 changed files
with
191,621 additions
and
40,575 deletions.
Binary file removed
BIN
-369 Bytes
bless_lambda/bless_ca/asn1crypto/__pycache__/__init__.cpython-36.pyc
Binary file added
BIN
+373 Bytes
bless_lambda/bless_ca/asn1crypto/__pycache__/__init__.cpython-37.pyc
Binary file removed
BIN
-7.66 KB
bless_lambda/bless_ca/asn1crypto/__pycache__/_elliptic_curve.cpython-36.pyc
Binary file added
BIN
+7.64 KB
bless_lambda/bless_ca/asn1crypto/__pycache__/_elliptic_curve.cpython-37.pyc
Binary file removed
BIN
-1017 Bytes
bless_lambda/bless_ca/asn1crypto/__pycache__/_errors.cpython-36.pyc
Binary file added
BIN
+1016 Bytes
bless_lambda/bless_ca/asn1crypto/__pycache__/_errors.cpython-37.pyc
Binary file removed
BIN
-3.59 KB
bless_lambda/bless_ca/asn1crypto/__pycache__/_ordereddict.cpython-36.pyc
Binary file added
BIN
+3.58 KB
bless_lambda/bless_ca/asn1crypto/__pycache__/_ordereddict.cpython-37.pyc
Binary file removed
BIN
-2.91 KB
bless_lambda/bless_ca/asn1crypto/__pycache__/_teletex_codec.cpython-36.pyc
Binary file added
BIN
+2.92 KB
bless_lambda/bless_ca/asn1crypto/__pycache__/_teletex_codec.cpython-37.pyc
Binary file removed
BIN
-335 Bytes
bless_lambda/bless_ca/asn1crypto/__pycache__/version.cpython-36.pyc
Binary file added
BIN
+334 Bytes
bless_lambda/bless_ca/asn1crypto/__pycache__/version.cpython-37.pyc
Binary file removed
BIN
-148 Bytes
bless_lambda/bless_ca/asn1crypto/_perf/__pycache__/__init__.cpython-36.pyc
Binary file added
BIN
+152 Bytes
bless_lambda/bless_ca/asn1crypto/_perf/__pycache__/__init__.cpython-37.pyc
Binary file removed
BIN
-1.51 KB
bless_lambda/bless_ca/asn1crypto/_perf/__pycache__/_big_num_ctypes.cpython-36.pyc
Binary file added
BIN
+1.51 KB
bless_lambda/bless_ca/asn1crypto/_perf/__pycache__/_big_num_ctypes.cpython-37.pyc
File renamed without changes.
@@ -0,0 +1,13 @@ | ||
""" | ||
.. module: bless.aws_lambda.bless_lambda | ||
:copyright: (c) 2016 by Netflix Inc., see AUTHORS for more | ||
:license: Apache, see LICENSE for more details. | ||
""" | ||
from bless.aws_lambda.bless_lambda_user import lambda_handler_user | ||
|
||
|
||
def lambda_handler(*args, **kwargs): | ||
""" | ||
Wrapper around lambda_handler_user for backwards compatibility | ||
""" | ||
return lambda_handler_user(*args, **kwargs) |
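--- a/bless_lambda/bless_ca/bless/aws_lambda/bless_lambda_common.py
+++ b/bless_lambda/bless_ca/bless/aws_lambda/bless_lambda_common.py
@@ -0,0 +1,75 @@
+"""
+.. module: bless.aws_lambda.bless_lambda_common
+    :copyright: (c) 2016 by Netflix Inc., see AUTHORS for more
+    :license: Apache, see LICENSE for more details.
+"""
+import logging
+import os
+
+import boto3
+from bless.cache.bless_lambda_cache import BlessLambdaCache
+from bless.config.bless_config import BLESS_OPTIONS_SECTION, LOGGING_LEVEL_OPTION, ENTROPY_MINIMUM_BITS_OPTION, \
+    RANDOM_SEED_BYTES_OPTION
+
+global_bless_cache = None
+
+
+def success_response(cert):
+    return {
+        'certificate': cert
+    }
+
+
+def error_response(error_type, error_message):
+    return {
+        'errorType': error_type,
+        'errorMessage': error_message
+    }
+
+
+def set_logger(config):
+    logging_level = config.get(BLESS_OPTIONS_SECTION, LOGGING_LEVEL_OPTION)
+    numeric_level = getattr(logging, logging_level.upper(), None)
+    if not isinstance(numeric_level, int):
+        raise ValueError('Invalid log level: {}'.format(logging_level))
+
+    logger = logging.getLogger()
+    logger.setLevel(numeric_level)
+    return logger
+
+
+def check_entropy(config, logger):
+    """
+    Check the entropy pool and seed it with KMS if desired
+    """
+    region = os.environ['AWS_REGION']
+    kms_client = boto3.client('kms', region_name=region)
+    entropy_minimum_bits = config.getint(BLESS_OPTIONS_SECTION, ENTROPY_MINIMUM_BITS_OPTION)
+    random_seed_bytes = config.getint(BLESS_OPTIONS_SECTION, RANDOM_SEED_BYTES_OPTION)
+
+    with open('/proc/sys/kernel/random/entropy_avail', 'r') as f:
+        entropy = int(f.read())
+        logger.debug(entropy)
+        if entropy < entropy_minimum_bits:
+            logger.info(
+                'System entropy was {}, which is lower than the entropy_'
+                'minimum {}. Using KMS to seed /dev/urandom'.format(
+                    entropy, entropy_minimum_bits))
+            response = kms_client.generate_random(
+                NumberOfBytes=random_seed_bytes)
+            random_seed = response['Plaintext']
+            with open('/dev/urandom', 'w') as urandom:
+                urandom.write(random_seed)
+
+
+def setup_lambda_cache(ca_private_key_password, config_file):
+    # For testing, ignore the static bless_cache, otherwise fill the cache one time.
+    global global_bless_cache
+    if ca_private_key_password is not None or config_file is not None:
+        bless_cache = BlessLambdaCache(ca_private_key_password, config_file)
+    elif global_bless_cache is None:
+        global_bless_cache = BlessLambdaCache(config_file=os.path.join(os.getcwd(), 'bless_deploy.cfg'))
+        bless_cache = global_bless_cache
+    else:
+        bless_cache = global_bless_cache
+    return bless_cache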
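Review bot: In check_entropy the KMS seed is written to /dev/urandom through a text-mode handle, `with open('/dev/urandom', 'w') as urandom:`; on Python 3 boto3 returns `response['Plaintext']` as bytes, so `urandom.write(random_seed)` raises TypeError and the low-entropy branch fails instead of reseeding. Opening the device in binary mode, `with open('/dev/urandom', 'wb') as urandom:`, matches the bytes payload. The compiled files in this commit move from cpython-36 to cpython-37, so the Python 3 behaviour is the one that runs in this deployment. As far as I know, writing to /dev/urandom mixes the bytes into the pool but does not raise the kernel's entropy_avail estimate, so the `entropy < entropy_minimum_bits` check is likely to trigger again on the next invocation; a comment above the write such as `# NOTE: writing to /dev/urandom mixes in the seed but does not credit entropy_avail; expect this branch to repeat` would save the next reader from treating the repeated log line as a failure.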
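--- a/bless_lambda/bless_ca/bless/aws_lambda/bless_lambda_host.py
+++ b/bless_lambda/bless_ca/bless/aws_lambda/bless_lambda_host.py
@@ -0,0 +1,102 @@
+"""
+.. module: bless.aws_lambda.bless_lambda_host
+    :copyright: (c) 2016 by Netflix Inc., see AUTHORS for more
+    :license: Apache, see LICENSE for more details.
+"""
+import time
+
+from bless.aws_lambda.bless_lambda_common import success_response, error_response, set_logger, check_entropy, \
+    setup_lambda_cache
+from bless.config.bless_config import BLESS_OPTIONS_SECTION, SERVER_CERTIFICATE_VALIDITY_BEFORE_SEC_OPTION, \
+    SERVER_CERTIFICATE_VALIDITY_AFTER_SEC_OPTION, HOSTNAME_VALIDATION_OPTION
+from bless.request.bless_request_host import BlessHostSchema
+from bless.ssh.certificate_authorities.ssh_certificate_authority_factory import get_ssh_certificate_authority
+from bless.ssh.certificates.ssh_certificate_builder import SSHCertificateType
+from bless.ssh.certificates.ssh_certificate_builder_factory import get_ssh_certificate_builder
+from marshmallow import ValidationError
+
+
+def lambda_handler_host(
+        event, context=None, ca_private_key_password=None,
+        entropy_check=True,
+        config_file=None):
+    """
+    This is the function that will be called when the lambda function starts.
+    :param event: Dictionary of the json request.
+    :param context: AWS LambdaContext Object
+    http://docs.aws.amazon.com/lambda/latest/dg/python-context-object.html
+    :param ca_private_key_password: For local testing, if the password is provided, skip the KMS
+    decrypt.
+    :param entropy_check: For local testing, if set to false, it will skip checking entropy and
+    won't try to fetch additional random from KMS.
+    :param config_file: The config file to load the SSH CA private key from, and additional settings.
+    :return: the SSH Certificate that can be written to id_rsa-cert.pub or similar file.
+    """
+    bless_cache = setup_lambda_cache(ca_private_key_password, config_file)
+
+    # Load the deployment config values
+    config = bless_cache.config
+
+    logger = set_logger(config)
+
+    certificate_validity_before_seconds = config.getint(BLESS_OPTIONS_SECTION,
+                                                        SERVER_CERTIFICATE_VALIDITY_BEFORE_SEC_OPTION)
+    certificate_validity_after_seconds = config.getint(BLESS_OPTIONS_SECTION,
+                                                       SERVER_CERTIFICATE_VALIDITY_AFTER_SEC_OPTION)
+
+    ca_private_key = config.getprivatekey()
+
+    # Process cert request
+    schema = BlessHostSchema(strict=True)
+    schema.context[HOSTNAME_VALIDATION_OPTION] = config.get(BLESS_OPTIONS_SECTION, HOSTNAME_VALIDATION_OPTION)
+
+    try:
+        request = schema.load(event).data
+    except ValidationError as e:
+        return error_response('InputValidationError', str(e))
+
+    # todo: You'll want to bring your own hostnames validation.
+    logger.info('Bless lambda invoked by [public_key: {}] for hostnames[{}]'.format(request.public_key_to_sign,
+                                                                                   request.hostnames))
+
+    # Make sure we have the ca private key password
+    if bless_cache.ca_private_key_password is None:
+        return error_response('ClientError', bless_cache.ca_private_key_password_error)
+    else:
+        ca_private_key_password = bless_cache.ca_private_key_password
+
+    # if running as a Lambda, we can check the entropy pool and seed it with KMS if desired
+    if entropy_check:
+        check_entropy(config, logger)
+
+    # cert values determined only by lambda and its configs
+    current_time = int(time.time())
+    valid_before = current_time + certificate_validity_after_seconds
+    valid_after = current_time - certificate_validity_before_seconds
+
+    # Build the cert
+    ca = get_ssh_certificate_authority(ca_private_key, ca_private_key_password)
+    cert_builder = get_ssh_certificate_builder(ca, SSHCertificateType.HOST,
+                                               request.public_key_to_sign)
+
+    for hostname in request.hostnames.split(','):
+        cert_builder.add_valid_principal(hostname)
+
+    cert_builder.set_valid_before(valid_before)
+    cert_builder.set_valid_after(valid_after)
+
+    # cert_builder is needed to obtain the SSH public key's fingerprint
+    key_id = 'request[{}] ssh_key[{}] ca[{}] valid_to[{}]'.format(
+        context.aws_request_id, cert_builder.ssh_public_key.fingerprint, context.invoked_function_arn,
+        time.strftime("%Y/%m/%d %H:%M:%S", time.gmtime(valid_before))
+    )
+
+    cert_builder.set_key_id(key_id)
+    cert = cert_builder.get_cert_file()
+
+    logger.info(
+        'Issued a server cert to hostnames[{}] with key_id[{}] and '
+        'valid_from[{}])'.format(
+            request.hostnames, key_id,
+            time.strftime("%Y/%m/%d %H:%M:%S", time.gmtime(valid_after))))
+    return success_response(cert)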
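Review bot: `context=None` is the documented local-testing default of lambda_handler_host, but the key_id format near the end dereferences `context.aws_request_id` and `context.invoked_function_arn` unconditionally, so a call without a LambdaContext fails with AttributeError after the certificate has already been built and the CA key used. Resolving the two fields before the format keeps the key_id informative under Lambda and usable in tests: `request_id = getattr(context, 'aws_request_id', None)` and `function_arn = getattr(context, 'invoked_function_arn', None)`, then pass `request_id` and `function_arn` in place of the two attribute accesses. Separately, the hostnames loop adds every comma-separated value as a valid principal without stripping whitespace or dropping empty entries, so a request value like `'a.example.com, b.example.com,'` yields a principal with a leading space and an empty principal unless BlessHostSchema rejects such input (its validation is outside this hunk); `for hostname in filter(None, (h.strip() for h in request.hostnames.split(','))):` closes that gap in the handler itself, which matters because the principal list is what the issued host certificate asserts.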