Skip to content
This repository has been archived by the owner on Aug 7, 2023. It is now read-only.

Upgrade bless to latest #21

Merged
merged 2 commits into from
May 22, 2019
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
The table of contents is too big for display.
Diff view
Diff view
  •  
  •  
  •  
Binary file not shown.
1 change: 0 additions & 1 deletion bless_lambda/bless_ca/.gitignore

This file was deleted.

Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file removed bless_lambda/bless_ca/__pycache__/six.cpython-36.pyc
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
72 changes: 36 additions & 36 deletions bless_lambda/bless_ca/asn1crypto-0.24.0.dist-info/RECORD
Original file line number Diff line number Diff line change
@@ -1,11 +1,47 @@
asn1crypto-0.24.0.dist-info/DESCRIPTION.rst,sha256=AKxcPr8A1r7Lgepi1zxda_bylQUpelEwT9VouCPpXFA,86
asn1crypto-0.24.0.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4
asn1crypto-0.24.0.dist-info/METADATA,sha256=k2awXhDUj-10m5VIjPmW4_v1_g8IxusRxHuHmSikb-c,1132
asn1crypto-0.24.0.dist-info/RECORD,,
asn1crypto-0.24.0.dist-info/WHEEL,sha256=GrqQvamwgBV4nLoJe0vhYRSWzWsx7xjlt74FT0SWYfE,110
asn1crypto-0.24.0.dist-info/metadata.json,sha256=GWUZOttbqBGOXofIFkjNpPeItn-MlCQZLATLKFjoHL4,1177
asn1crypto-0.24.0.dist-info/top_level.txt,sha256=z8-jF_Q-jgzGox7T2XYian3-yeptLS2I7MjoJLBaq1Y,11
asn1crypto/__init__.py,sha256=d-HnaY-IU0N1aepUI9bYR11J2EGccGAN8kDvKMgGu78,209
asn1crypto/__pycache__/__init__.cpython-37.pyc,,
asn1crypto/__pycache__/_elliptic_curve.cpython-37.pyc,,
asn1crypto/__pycache__/_errors.cpython-37.pyc,,
asn1crypto/__pycache__/_ffi.cpython-37.pyc,,
asn1crypto/__pycache__/_inet.cpython-37.pyc,,
asn1crypto/__pycache__/_int.cpython-37.pyc,,
asn1crypto/__pycache__/_iri.cpython-37.pyc,,
asn1crypto/__pycache__/_ordereddict.cpython-37.pyc,,
asn1crypto/__pycache__/_teletex_codec.cpython-37.pyc,,
asn1crypto/__pycache__/_types.cpython-37.pyc,,
asn1crypto/__pycache__/algos.cpython-37.pyc,,
asn1crypto/__pycache__/cms.cpython-37.pyc,,
asn1crypto/__pycache__/core.cpython-37.pyc,,
asn1crypto/__pycache__/crl.cpython-37.pyc,,
asn1crypto/__pycache__/csr.cpython-37.pyc,,
asn1crypto/__pycache__/keys.cpython-37.pyc,,
asn1crypto/__pycache__/ocsp.cpython-37.pyc,,
asn1crypto/__pycache__/parser.cpython-37.pyc,,
asn1crypto/__pycache__/pdf.cpython-37.pyc,,
asn1crypto/__pycache__/pem.cpython-37.pyc,,
asn1crypto/__pycache__/pkcs12.cpython-37.pyc,,
asn1crypto/__pycache__/tsp.cpython-37.pyc,,
asn1crypto/__pycache__/util.cpython-37.pyc,,
asn1crypto/__pycache__/version.cpython-37.pyc,,
asn1crypto/__pycache__/x509.cpython-37.pyc,,
asn1crypto/_elliptic_curve.py,sha256=vdORN6l6XZyCQpA-9tdk71IrGLciAHEimOc5KsG7YNw,9419
asn1crypto/_errors.py,sha256=YCCXkifzLkCnxo-iIO-oIWY-UuPZNbEai7z94ps8ck4,967
asn1crypto/_ffi.py,sha256=Y4IhTLrLTxt7Xg5vcQFLAvH_Mq8xg3LTcmkIJn-G8eE,738
asn1crypto/_inet.py,sha256=z2K8CKxSfEQ3d0UMIIgXw5NugKLZyRS__Cn10ivbiGM,4661
asn1crypto/_int.py,sha256=I-INe1rHGsQfV6vndtD53fhyjsEOG5a6WoDY4w6M2B4,4618
asn1crypto/_iri.py,sha256=5gG6VBG-tYAQT6lWnjvHRH-RvIStaeG_PxhyPLnL-KQ,8628
asn1crypto/_ordereddict.py,sha256=5VAYLbxxEtfdZGKgjzINxlmNkYg9d_7JmZAFfr0EcAk,4533
asn1crypto/_perf/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
asn1crypto/_perf/__pycache__/__init__.cpython-37.pyc,,
asn1crypto/_perf/__pycache__/_big_num_ctypes.cpython-37.pyc,,
asn1crypto/_perf/_big_num_ctypes.py,sha256=bc1WXhoR08nB-l0mOutKldupcjybswWckOxquiXByx8,2027
asn1crypto/_teletex_codec.py,sha256=LhDpkTprPaoc7UJ9i9uwnP-5Am00SVbHSQizPpCLpqE,5053
asn1crypto/_types.py,sha256=OwsX30epv-ETI9eGrLW9GLqv0KeoiSRnJcjN92roqhQ,939
asn1crypto/algos.py,sha256=zcJgP8VnZTT60ijR5-RPuhI9v4kcxrWgzv7_EjlZfW0,34095
Expand All @@ -23,39 +59,3 @@ asn1crypto/tsp.py,sha256=jpjpFmWBwX4GUVrYu9Gnk6YXRnzb-uVFvfaJSo-m_2Q,7827
asn1crypto/util.py,sha256=m3dc7XtmQiq__uC0G2jcyHYkaJPsnm7KGAWiCXj-xio,18043
asn1crypto/version.py,sha256=SqGlEZKUpqLOswcILajD1bITTOejwN3Jvlnw325hHjQ,154
asn1crypto/x509.py,sha256=IGKOKTX3GWIsZhTtcpbcDkFWjpoTozNPlItYZ8pY8QA,92305
asn1crypto/_perf/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
asn1crypto/_perf/_big_num_ctypes.py,sha256=bc1WXhoR08nB-l0mOutKldupcjybswWckOxquiXByx8,2027
asn1crypto-0.24.0.dist-info/DESCRIPTION.rst,sha256=AKxcPr8A1r7Lgepi1zxda_bylQUpelEwT9VouCPpXFA,86
asn1crypto-0.24.0.dist-info/METADATA,sha256=k2awXhDUj-10m5VIjPmW4_v1_g8IxusRxHuHmSikb-c,1132
asn1crypto-0.24.0.dist-info/RECORD,,
asn1crypto-0.24.0.dist-info/WHEEL,sha256=GrqQvamwgBV4nLoJe0vhYRSWzWsx7xjlt74FT0SWYfE,110
asn1crypto-0.24.0.dist-info/metadata.json,sha256=GWUZOttbqBGOXofIFkjNpPeItn-MlCQZLATLKFjoHL4,1177
asn1crypto-0.24.0.dist-info/top_level.txt,sha256=z8-jF_Q-jgzGox7T2XYian3-yeptLS2I7MjoJLBaq1Y,11
asn1crypto-0.24.0.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4
asn1crypto/__pycache__/_ordereddict.cpython-36.pyc,,
asn1crypto/__pycache__/_iri.cpython-36.pyc,,
asn1crypto/__pycache__/_types.cpython-36.pyc,,
asn1crypto/__pycache__/crl.cpython-36.pyc,,
asn1crypto/__pycache__/ocsp.cpython-36.pyc,,
asn1crypto/__pycache__/keys.cpython-36.pyc,,
asn1crypto/__pycache__/_ffi.cpython-36.pyc,,
asn1crypto/__pycache__/x509.cpython-36.pyc,,
asn1crypto/__pycache__/parser.cpython-36.pyc,,
asn1crypto/__pycache__/tsp.cpython-36.pyc,,
asn1crypto/__pycache__/algos.cpython-36.pyc,,
asn1crypto/__pycache__/_errors.cpython-36.pyc,,
asn1crypto/__pycache__/_elliptic_curve.cpython-36.pyc,,
asn1crypto/__pycache__/_teletex_codec.cpython-36.pyc,,
asn1crypto/__pycache__/pem.cpython-36.pyc,,
asn1crypto/__pycache__/core.cpython-36.pyc,,
asn1crypto/__pycache__/pdf.cpython-36.pyc,,
asn1crypto/__pycache__/csr.cpython-36.pyc,,
asn1crypto/__pycache__/_int.cpython-36.pyc,,
asn1crypto/__pycache__/_inet.cpython-36.pyc,,
asn1crypto/__pycache__/__init__.cpython-36.pyc,,
asn1crypto/__pycache__/pkcs12.cpython-36.pyc,,
asn1crypto/__pycache__/cms.cpython-36.pyc,,
asn1crypto/__pycache__/util.cpython-36.pyc,,
asn1crypto/__pycache__/version.cpython-36.pyc,,
asn1crypto/_perf/__pycache__/_big_num_ctypes.cpython-36.pyc,,
asn1crypto/_perf/__pycache__/__init__.cpython-36.pyc,,
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
13 changes: 13 additions & 0 deletions bless_lambda/bless_ca/bless/aws_lambda/bless_lambda.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
"""
.. module: bless.aws_lambda.bless_lambda
:copyright: (c) 2016 by Netflix Inc., see AUTHORS for more
:license: Apache, see LICENSE for more details.
"""
from bless.aws_lambda.bless_lambda_user import lambda_handler_user


def lambda_handler(*args, **kwargs):
"""
Wrapper around lambda_handler_user for backwards compatibility
"""
return lambda_handler_user(*args, **kwargs)
75 changes: 75 additions & 0 deletions bless_lambda/bless_ca/bless/aws_lambda/bless_lambda_common.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,75 @@
"""
.. module: bless.aws_lambda.bless_lambda_common
:copyright: (c) 2016 by Netflix Inc., see AUTHORS for more
:license: Apache, see LICENSE for more details.
"""
import logging
import os

import boto3
from bless.cache.bless_lambda_cache import BlessLambdaCache
from bless.config.bless_config import BLESS_OPTIONS_SECTION, LOGGING_LEVEL_OPTION, ENTROPY_MINIMUM_BITS_OPTION, \
RANDOM_SEED_BYTES_OPTION

global_bless_cache = None


def success_response(cert):
return {
'certificate': cert
}


def error_response(error_type, error_message):
return {
'errorType': error_type,
'errorMessage': error_message
}


def set_logger(config):
logging_level = config.get(BLESS_OPTIONS_SECTION, LOGGING_LEVEL_OPTION)
numeric_level = getattr(logging, logging_level.upper(), None)
if not isinstance(numeric_level, int):
raise ValueError('Invalid log level: {}'.format(logging_level))

logger = logging.getLogger()
logger.setLevel(numeric_level)
return logger


def check_entropy(config, logger):
"""
Check the entropy pool and seed it with KMS if desired
"""
region = os.environ['AWS_REGION']
kms_client = boto3.client('kms', region_name=region)
entropy_minimum_bits = config.getint(BLESS_OPTIONS_SECTION, ENTROPY_MINIMUM_BITS_OPTION)
random_seed_bytes = config.getint(BLESS_OPTIONS_SECTION, RANDOM_SEED_BYTES_OPTION)

with open('/proc/sys/kernel/random/entropy_avail', 'r') as f:
entropy = int(f.read())
logger.debug(entropy)
if entropy < entropy_minimum_bits:
logger.info(
'System entropy was {}, which is lower than the entropy_'
'minimum {}. Using KMS to seed /dev/urandom'.format(
entropy, entropy_minimum_bits))
response = kms_client.generate_random(
NumberOfBytes=random_seed_bytes)
random_seed = response['Plaintext']
with open('/dev/urandom', 'w') as urandom:
urandom.write(random_seed)


def setup_lambda_cache(ca_private_key_password, config_file):
# For testing, ignore the static bless_cache, otherwise fill the cache one time.
global global_bless_cache
if ca_private_key_password is not None or config_file is not None:
bless_cache = BlessLambdaCache(ca_private_key_password, config_file)
elif global_bless_cache is None:
global_bless_cache = BlessLambdaCache(config_file=os.path.join(os.getcwd(), 'bless_deploy.cfg'))
bless_cache = global_bless_cache
else:
bless_cache = global_bless_cache
return bless_cache
102 changes: 102 additions & 0 deletions bless_lambda/bless_ca/bless/aws_lambda/bless_lambda_host.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,102 @@
"""
.. module: bless.aws_lambda.bless_lambda_host
:copyright: (c) 2016 by Netflix Inc., see AUTHORS for more
:license: Apache, see LICENSE for more details.
"""
import time

from bless.aws_lambda.bless_lambda_common import success_response, error_response, set_logger, check_entropy, \
setup_lambda_cache
from bless.config.bless_config import BLESS_OPTIONS_SECTION, SERVER_CERTIFICATE_VALIDITY_BEFORE_SEC_OPTION, \
SERVER_CERTIFICATE_VALIDITY_AFTER_SEC_OPTION, HOSTNAME_VALIDATION_OPTION
from bless.request.bless_request_host import BlessHostSchema
from bless.ssh.certificate_authorities.ssh_certificate_authority_factory import get_ssh_certificate_authority
from bless.ssh.certificates.ssh_certificate_builder import SSHCertificateType
from bless.ssh.certificates.ssh_certificate_builder_factory import get_ssh_certificate_builder
from marshmallow import ValidationError


def lambda_handler_host(
event, context=None, ca_private_key_password=None,
entropy_check=True,
config_file=None):
"""
This is the function that will be called when the lambda function starts.
:param event: Dictionary of the json request.
:param context: AWS LambdaContext Object
http://docs.aws.amazon.com/lambda/latest/dg/python-context-object.html
:param ca_private_key_password: For local testing, if the password is provided, skip the KMS
decrypt.
:param entropy_check: For local testing, if set to false, it will skip checking entropy and
won't try to fetch additional random from KMS.
:param config_file: The config file to load the SSH CA private key from, and additional settings.
:return: the SSH Certificate that can be written to id_rsa-cert.pub or similar file.
"""
bless_cache = setup_lambda_cache(ca_private_key_password, config_file)

# Load the deployment config values
config = bless_cache.config

logger = set_logger(config)

certificate_validity_before_seconds = config.getint(BLESS_OPTIONS_SECTION,
SERVER_CERTIFICATE_VALIDITY_BEFORE_SEC_OPTION)
certificate_validity_after_seconds = config.getint(BLESS_OPTIONS_SECTION,
SERVER_CERTIFICATE_VALIDITY_AFTER_SEC_OPTION)

ca_private_key = config.getprivatekey()

# Process cert request
schema = BlessHostSchema(strict=True)
schema.context[HOSTNAME_VALIDATION_OPTION] = config.get(BLESS_OPTIONS_SECTION, HOSTNAME_VALIDATION_OPTION)

try:
request = schema.load(event).data
except ValidationError as e:
return error_response('InputValidationError', str(e))

# todo: You'll want to bring your own hostnames validation.
logger.info('Bless lambda invoked by [public_key: {}] for hostnames[{}]'.format(request.public_key_to_sign,
request.hostnames))

# Make sure we have the ca private key password
if bless_cache.ca_private_key_password is None:
return error_response('ClientError', bless_cache.ca_private_key_password_error)
else:
ca_private_key_password = bless_cache.ca_private_key_password

# if running as a Lambda, we can check the entropy pool and seed it with KMS if desired
if entropy_check:
check_entropy(config, logger)

# cert values determined only by lambda and its configs
current_time = int(time.time())
valid_before = current_time + certificate_validity_after_seconds
valid_after = current_time - certificate_validity_before_seconds

# Build the cert
ca = get_ssh_certificate_authority(ca_private_key, ca_private_key_password)
cert_builder = get_ssh_certificate_builder(ca, SSHCertificateType.HOST,
request.public_key_to_sign)

for hostname in request.hostnames.split(','):
cert_builder.add_valid_principal(hostname)

cert_builder.set_valid_before(valid_before)
cert_builder.set_valid_after(valid_after)

# cert_builder is needed to obtain the SSH public key's fingerprint
key_id = 'request[{}] ssh_key[{}] ca[{}] valid_to[{}]'.format(
context.aws_request_id, cert_builder.ssh_public_key.fingerprint, context.invoked_function_arn,
time.strftime("%Y/%m/%d %H:%M:%S", time.gmtime(valid_before))
)

cert_builder.set_key_id(key_id)
cert = cert_builder.get_cert_file()

logger.info(
'Issued a server cert to hostnames[{}] with key_id[{}] and '
'valid_from[{}])'.format(
request.hostnames, key_id,
time.strftime("%Y/%m/%d %H:%M:%S", time.gmtime(valid_after))))
return success_response(cert)
Loading