taskserver: Allow helper tool in manual config

The helper tool so far was only intended for use in automatic PKI handling, but it also is very useful if you have an existing CA. One of the main advantages is that you don't need to specify the data directory anymore and the right permissions are also handled as well. Another advantage is that we now have an uniform management tool for both automatic and manual config, so the documentation in the NixOS manual now applies to the manual PKI config as well. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2024-11-01 15:11:25 +00:00 · 2017-02-17 19:03:49 +01:00 · 2017-02-17 19:03:49 +01:00 · 78fe00da7c
commit 78fe00da7c
parent 32c2e8f4ae
3 changed files with 32 additions and 19 deletions
--- a/nixos/modules/services/misc/taskserver/default.nix
+++ b/nixos/modules/services/misc/taskserver/default.nix
@ -154,9 +154,8 @@ let

  certtool = "${pkgs.gnutls.bin}/bin/certtool";

-  nixos-taskserver = pkgs.pythonPackages.buildPythonPackage {
+  nixos-taskserver = pkgs.pythonPackages.buildPythonApplication {
    name = "nixos-taskserver";
-    namePrefix = "";

    src = pkgs.runCommand "nixos-taskserver-src" {} ''
      mkdir -p "$out"
@ -167,6 +166,7 @@ let
        certBits = cfg.pki.auto.bits;
        clientExpiration = cfg.pki.auto.expiration.client;
        crlExpiration = cfg.pki.auto.expiration.crl;
+        isAutoConfig = if needToCreateCA then "True" else "False";
      }}" > "$out/main.py"
      cat > "$out/setup.py" <<EOF
      from setuptools import setup
--- a/nixos/modules/services/misc/taskserver/doc.xml
+++ b/nixos/modules/services/misc/taskserver/doc.xml
@ -136,9 +136,9 @@ $ ssh server nixos-taskserver user export my-company alice | sh

    <para>
      If you set any options within
-      <option>service.taskserver.pki.manual.*</option>, the automatic user and
-      CA management by the <command>nixos-taskserver</command> is disabled and
-      you need to create certificates and keys by yourself.
+      <option>service.taskserver.pki.manual.*</option>,
+      <command>nixos-taskserver</command> won't issue certificates, but you can
+      still use it for adding or removing user accounts.
    </para>
  </section>
 </chapter>
--- a/nixos/modules/services/misc/taskserver/helper-tool.py
+++ b/nixos/modules/services/misc/taskserver/helper-tool.py
@ -13,6 +13,7 @@ from tempfile import NamedTemporaryFile

 import click

+IS_AUTO_CONFIG = @isAutoConfig@ # NOQA
 CERTTOOL_COMMAND = "@certtool@"
 CERT_BITS = "@certBits@"
 CLIENT_EXPIRATION = "@clientExpiration@"
@ -149,6 +150,12 @@ def create_template(contents):


 def generate_key(org, user):
+    if not IS_AUTO_CONFIG:
+        msg = "Automatic PKI handling is disabled, you need to " \
+              "manually issue a client certificate for user {}.\n"
+        sys.stderr.write(msg.format(user))
+        return
+
    basedir = os.path.join(TASKD_DATA_DIR, "keys", org, user)
    if os.path.exists(basedir):
        raise OSError("Keyfile directory for {} already exists.".format(user))
@ -243,26 +250,32 @@ class User(object):
        self.key = key

    def export(self):
-        pubcert = getkey(self.__org, self.name, "public.cert")
-        privkey = getkey(self.__org, self.name, "private.key")
-        cacert = getkey("ca.cert")
-
-        keydir = "${TASKDATA:-$HOME/.task}/keys"
-
        credentials = '/'.join([self.__org, self.name, self.key])
        allow_unquoted = string.ascii_letters + string.digits + "/-_."
        if not all((c in allow_unquoted) for c in credentials):
            credentials = "'" + credentials.replace("'", r"'\''") + "'"

-        script = [
-            "umask 0077",
-            'mkdir -p "{}"'.format(keydir),
-            mktaskkey("certificate", os.path.join(keydir, "public.cert"),
-                      pubcert),
-            mktaskkey("key", os.path.join(keydir, "private.key"), privkey),
-            mktaskkey("ca", os.path.join(keydir, "ca.cert"), cacert),
+        script = []
+
+        if IS_AUTO_CONFIG:
+            pubcert = getkey(self.__org, self.name, "public.cert")
+            privkey = getkey(self.__org, self.name, "private.key")
+            cacert = getkey("ca.cert")
+
+            keydir = "${TASKDATA:-$HOME/.task}/keys"
+
+            script += [
+                "umask 0077",
+                'mkdir -p "{}"'.format(keydir),
+                mktaskkey("certificate", os.path.join(keydir, "public.cert"),
+                          pubcert),
+                mktaskkey("key", os.path.join(keydir, "private.key"), privkey),
+                mktaskkey("ca", os.path.join(keydir, "ca.cert"), cacert)
+            ]
+
+        script.append(
            "task config taskd.credentials -- {}".format(credentials)
-        ]
+        )

        return "\n".join(script) + "\n"