# encoding: utf-8
import base64
import datetime
import errno
import hashlib
import os
import os.path
import string

import pvl.invoke

import logging; log = logging.getLogger('pvl.login.ssl')

class Error (Exception) :
    """
    Module-level error, raised by UsersCA for invalid usernames and for certs that do not exist on the server.
    """

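class UsersCA (object) :
    """
    Sign SPKAC client-cert requests for users with an `openssl ca` CA, and hand the signed certs back out.

    Per-user state lives under `<users>/<user>/`:

        <name>.spkac    the request as written by write_spkac()
        <name>.tmp      output of `openssl ca` while signing is in progress
        <name>          the signed cert, renamed into place once signing has completed

    where <name> is derived from the username and the request (see sign_user()). Both the username and the cert
    name are used as path components, so both are validated before use.
    """

    OPENSSL = '/usr/bin/openssl'

    # validity of issued certs, passed to `openssl ca -days`; also the default for sign_spkac(days=...), which is
    # bound when that method is defined
    SIGN_DAYS = 1

    # usernames become directory names under self.users, so they are restricted to a safe character set.
    # string.ascii_letters rather than the locale-dependent string.letters, so the set does not vary with the
    # process locale.
    VALID_USER = set(string.ascii_letters + string.digits + '-.')

    # cert names as returned by sign_user() are lowercase hex digests; open_cert() accepts nothing else, so a
    # caller-supplied name can neither leave the user's directory nor fetch the .spkac/.tmp files
    VALID_NAME = set(string.digits + 'abcdef')

    # subject DN components for issued certs; O is used when set, otherwise the DC components (see generate_dn)
    O = u"Päivölän Kansanopisto"
    OU = u"People"
    DC = ('paivola', 'fi')

    def __init__ (self, ca, users) :
        """
            ca      - path to the CA directory, containing openssl.cnf; also exported as $CA when running openssl
            users   - path to the directory holding the per-user spkac/cert files
        """

        self.ca = ca
        self.users = users

        self.ca_config = os.path.join(ca, 'openssl.cnf')

    def _check_user (self, user) :
        """
        Raise Error unless the given username is safe to use as a path component under self.users.
        """

        # the character-set check on its own lets '', '.' and '..' through, all of which resolve to a directory
        # outside of the per-user one
        if not user or user in ('.', '..') or not set(user).issubset(self.VALID_USER) :
            raise Error("Invalid username: {user}".format(user=user))

    def sign_spkac (self, out, spkac, days=SIGN_DAYS) :
        """
        Sign given request file (path) with `openssl ca`.

        Creates the given output file (path). Empty file on errors..

            out     - path to write the signed cert to
            spkac   - path to the request file, as written by write_spkac()
            days    - validity period of the cert, in days
        """

        # NOTE(review): the argv is passed as a tuple and $CA via setenv; presumably pvl.invoke execs this without
        # a shell - confirm in pvl.invoke
        pvl.invoke.invoke(self.OPENSSL, ('ca',
                '-config', self.ca_config,
                '-spkac', spkac,
                '-out', out,
                '-policy', 'policy_user',
                '-days', str(days),
                '-utf8',
            ),
            setenv={
                'CA': self.ca,
            },
        )

    def generate_dn (self, uid, cn=None) :
        """
        Generate OpenSSL (rdn, value) pairs for given user.

            uid     - username, emitted as the UID component
            cn      - optional CN component, emitted last when given

        Yields O (or, if O is unset, the numbered DC components), then OU, UID and finally CN.
        """

        # O takes precedence; the DC components are only used as a fallback
        if self.O :
            yield 'O', self.O

        elif self.DC :
            for index, dc in enumerate(self.DC, 1) :
                # openssl needs distinct keys for repeated components: 1.DC, 2.DC, ...
                yield '{index}.DC'.format(index=index), dc

        yield 'OU', self.OU

        yield 'UID', uid

        if cn :
            yield 'CN', cn

    def write_spkac (self, path, spkac, dn) :
        """
        Write out a spkac file to the given path, containing the given base64-encoded spkac and DN.

            path    - file to create
            spkac   - base64-encoded SPKAC; invalid base64 raises from base64.b64decode
            dn      - iterable of (rdn, value) pairs, as from generate_dn()

        Raises Error if any DN line would contain a line break: the file is line-oriented, so a value such as
        "x\\nUID=other" would otherwise add attributes of its own to the request.
        """

        # roundtrip the spkac for consistent formatting; this also guarantees that what is written out only
        # consists of base64 characters
        spkac = base64.b64encode(base64.b64decode(spkac))

        lines = [b'SPKAC=' + spkac + b'\n']

        for rdn, value in dn :
            line = u'{rdn}={value}'.format(rdn=rdn, value=value)

            if u'\n' in line or u'\r' in line :
                raise Error("Invalid DN value for {rdn}".format(rdn=rdn))

            # NOTE(review): openssl reads this file with its config parser; values containing '$', '#', quotes or
            # backslashes may be interpreted rather than taken literally - confirm and escape if DN values can
            # come from users
            lines.append(line.encode('utf-8') + b'\n')

        # binary mode: the content is already utf-8 encoded, and the file is only created once the DN has passed
        with open(path, 'wb') as file :
            file.writelines(lines)

    def sign_user (self, user, spkac, userinfo=None) :
        """
        Sign given spkac string (base64-encoded) for given user.

            user        - username; validated by _check_user(), since it is used as a directory name under self.users
            spkac       - base64-encoded SPKAC request
            userinfo    - optional CN for the cert subject

        Returns a name for the signed cert, usable with open_cert(). Re-submitting the same (user, spkac) returns the
        name of the existing cert without signing again.

        Raises Error for an invalid username.
        """

        self._check_user(user)

        user_dir = os.path.join(self.users, user)

        # create on first use; tolerate a concurrent request having created it in the meantime
        try :
            os.mkdir(user_dir)
        except OSError as error :
            if error.errno != errno.EEXIST :
                raise

        # the cert name is derived from the request, so the same request maps to the same files; sha1 only serves
        # as a filename here, not as a security boundary. Kept as user + spkac so existing on-disk names still match.
        name = hashlib.sha1((user + spkac).encode('utf-8')).hexdigest()
        cert_file = os.path.join(user_dir, name)
        spkac_file = cert_file + '.spkac'
        tmp_file = cert_file + '.tmp'

        # the req to sign
        if os.path.exists(spkac_file) :
            log.warning("spkac already exists: %s", spkac_file)
        else :
            log.info("%s: write spkac: %s", user, spkac_file)
            self.write_spkac(spkac_file, spkac, self.generate_dn(user, userinfo))

        # sign it
        if os.path.exists(cert_file) :
            log.warning("cert already exists: %s", cert_file)
            return name

        if os.path.exists(tmp_file) :
            log.warning("cleaning out previous tmp file: %s", tmp_file)
            os.unlink(tmp_file)

        log.info("%s: sign cert: %s", user, cert_file)
        self.sign_spkac(tmp_file, spkac_file)

        # openssl writes to the tmp file; the final name only appears once the cert is complete
        log.debug("%s: rename %s -> %s", user, tmp_file, cert_file)
        os.rename(tmp_file, cert_file)

        return name

    def open_cert (self, user, name) :
        """
        Return an opened cert file by username / cert name.

            user    - username, validated by _check_user()
            name    - cert name as returned by sign_user()

        Raises Error for an invalid username or cert name, or if no such cert exists.
        """

        self._check_user(user)

        # name is used as a path component: only the hex-digest names produced by sign_user() are accepted, so
        # neither '..', '/' nor an absolute path can reach anything outside the user's directory, and the
        # .spkac/.tmp files are not served either
        if not name or not set(name).issubset(self.VALID_NAME) :
            raise Error("Invalid cert name: {name}".format(name=name))

        path = os.path.join(self.users, user, name)

        if not os.path.exists(path) :
            raise Error("No cert found on server")

        return open(path)
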