import grp import pwd import os import re import string import subprocess import sys from shutil import rmtree from tempfile import NamedTemporaryFile import click CERTTOOL_COMMAND = "@certtool@" TASKD_COMMAND = "@taskd@" TASKD_DATA_DIR = "@dataDir@" TASKD_USER = "@user@" TASKD_GROUP = "@group@" FQDN = "@fqdn@" RE_CONFIGUSER = re.compile(r'^\s*user\s*=(.*)$') RE_USERKEY = re.compile(r'New user key: (.+)$', re.MULTILINE) def lazyprop(fun): """ Decorator which only evaluates the specified function when accessed. """ name = '_lazy_' + fun.__name__ @property def _lazy(self): val = getattr(self, name, None) if val is None: val = fun(self) setattr(self, name, val) return val return _lazy class TaskdError(OSError): pass def run_as_taskd_user(): uid = pwd.getpwnam(TASKD_USER).pw_uid gid = grp.getgrnam(TASKD_GROUP).gr_gid os.setgid(gid) os.setuid(uid) def taskd_cmd(cmd, *args, **kwargs): """ Invoke taskd with the specified command with the privileges of the 'taskd' user and 'taskd' group. If 'capture_stdout' is passed as a keyword argument with the value True, the return value are the contents the command printed to stdout. """ capture_stdout = kwargs.pop("capture_stdout", False) fun = subprocess.check_output if capture_stdout else subprocess.check_call return fun( [TASKD_COMMAND, cmd, "--data", TASKD_DATA_DIR] + list(args), preexec_fn=run_as_taskd_user, **kwargs ) def label(msg): if sys.stdout.isatty() or sys.stderr.isatty(): sys.stderr.write(msg + "\n") def mkpath(*args): return os.path.join(TASKD_DATA_DIR, "orgs", *args) def fetch_username(org, key): for line in open(mkpath(org, "users", key, "config"), "r"): match = RE_CONFIGUSER.match(line) if match is None: continue return match.group(1).strip() return None def generate_key(org, user): basedir = os.path.join(TASKD_DATA_DIR, "keys", org, user) if os.path.exists(basedir): raise OSError("Keyfile directory for {} already exists.".format(user)) privkey = os.path.join(basedir, "private.key") pubcert = os.path.join(basedir, "public.cert") cakey = os.path.join(TASKD_DATA_DIR, "keys", "ca.key") cacert = os.path.join(TASKD_DATA_DIR, "keys", "ca.cert") try: os.makedirs(basedir, mode=0700) cmd = [CERTTOOL_COMMAND, "-p", "--bits", "2048", "--outfile", privkey] subprocess.call(cmd, preexec_fn=lambda: os.umask(0077)) template = NamedTemporaryFile(mode="w", prefix="certtool-template") template.writelines(map(lambda l: l + "\n", [ "organization = {0}".format(org), "cn = {}".format(FQDN), "tls_www_client", "encryption_key", "signing_key" ])) template.flush() cmd = [CERTTOOL_COMMAND, "-c", "--load-privkey", privkey, "--load-ca-privkey", cakey, "--load-ca-certificate", cacert, "--template", template.name, "--outfile", pubcert] subprocess.call(cmd, preexec_fn=lambda: os.umask(0077)) except: rmtree(basedir) raise def is_key_line(line, match): return line.startswith("---") and line.lstrip("- ").startswith(match) def getkey(*args): path = os.path.join(TASKD_DATA_DIR, "keys", *args) buf = [] for line in open(path, "r"): if len(buf) == 0: if is_key_line(line, "BEGIN"): buf.append(line) continue buf.append(line) if is_key_line(line, "END"): return ''.join(buf) raise IOError("Unable to get key from {}.".format(path)) def mktaskkey(cfg, path, keydata): heredoc = 'cat > "{}" <