2024-05-20 02:10:17 +00:00
|
|
|
# builtins
|
|
|
|
import os
|
|
|
|
import datetime
|
|
|
|
import uuid
|
|
|
|
|
2024-04-12 19:22:00 +00:00
|
|
|
# third-party
|
|
|
|
import click
|
2024-04-12 19:22:00 +00:00
|
|
|
import flask
|
2024-05-20 02:10:17 +00:00
|
|
|
import OpenSSL as openssl
|
2024-04-12 19:22:00 +00:00
|
|
|
|
|
|
|
# internals
|
|
|
|
from application import app
|
|
|
|
|
2024-05-20 02:10:17 +00:00
|
|
|
import util
|
2024-04-12 19:22:00 +00:00
|
|
|
import database
|
|
|
|
import admin
|
|
|
|
|
|
|
|
# utility functions
|
|
|
|
|
|
|
|
def show_model(value):
|
|
|
|
|
|
|
|
if value is None:
|
|
|
|
return None
|
|
|
|
return value.__name__
|
|
|
|
|
|
|
|
# cli endpoints (i.e. commands and groups)
|
|
|
|
|
|
|
|
@app.cli.command()
|
|
|
|
def install():
|
|
|
|
|
|
|
|
models = []
|
|
|
|
|
2024-04-12 19:22:00 +00:00
|
|
|
for cls in database.Model.__class_descendants__.values():
|
2024-04-12 19:22:00 +00:00
|
|
|
|
2024-04-12 19:22:00 +00:00
|
|
|
if not cls in app.models_abstract:
|
2024-04-12 19:22:00 +00:00
|
|
|
models.append(cls)
|
|
|
|
|
|
|
|
with click.progressbar(models, label="Creating tables…", item_show_func=show_model) as models:
|
|
|
|
for cls in sorted(models, key=lambda x: x.__class_created__):
|
|
|
|
cls.create_table()
|
2024-04-12 19:22:00 +00:00
|
|
|
|
2024-05-17 00:56:17 +00:00
|
|
|
@app.cli.command()
|
|
|
|
def cron():
|
|
|
|
|
|
|
|
with click.progressbar(app.cron_functions, label="Running cron functions:", item_show_func=lambda f:f.__name__ if f else '') as cron_functions:
|
|
|
|
|
|
|
|
for func in cron_functions:
|
|
|
|
try:
|
|
|
|
func()
|
|
|
|
except Exception as e:
|
|
|
|
click.secho(f"Cron function {func} failed to run: {str(e)}", fg='red')
|
|
|
|
|
2024-04-12 19:22:00 +00:00
|
|
|
cli_user = flask.cli.AppGroup('user')
|
2024-05-20 02:10:17 +00:00
|
|
|
|
2024-05-20 21:33:18 +00:00
|
|
|
@cli_user.command('list')
|
|
|
|
def user_list():
|
|
|
|
|
|
|
|
for user in admin.User.select():
|
|
|
|
|
|
|
|
click.secho(user.name, bold=True)
|
|
|
|
|
|
|
|
stmt = admin.ClientCert.select().where(admin.ClientCert.user == user)
|
|
|
|
count = len(stmt)
|
|
|
|
|
|
|
|
for i, cert in enumerate(stmt):
|
|
|
|
if i == (count - 1):
|
|
|
|
char_list = '└'
|
|
|
|
else:
|
|
|
|
char_list = '├'
|
|
|
|
click.echo(f"{char_list} {cert.name}: " +click.style(cert.fingerprint, fg='green'))
|
|
|
|
|
2024-04-12 19:22:00 +00:00
|
|
|
@cli_user.command('create')
|
2024-05-20 02:10:17 +00:00
|
|
|
@click.argument('name')
|
|
|
|
@click.argument('password')
|
2024-05-20 21:33:18 +00:00
|
|
|
def user_create(name, password):
|
2024-04-12 19:22:00 +00:00
|
|
|
|
|
|
|
try:
|
|
|
|
user = admin.User.register(name, password)
|
|
|
|
|
|
|
|
except Exception as e:
|
|
|
|
click.secho("Could not create user, exception was as follows:", fg='red')
|
|
|
|
click.echo(str(e))
|
|
|
|
else:
|
|
|
|
click.secho(f"Created user '{name}' (#{user.id}).", fg='green')
|
|
|
|
|
2024-05-20 21:33:18 +00:00
|
|
|
@cli_user.command('edit')
|
|
|
|
@click.argument('name')
|
|
|
|
def user_edit(name):
|
|
|
|
|
|
|
|
try:
|
|
|
|
user = admin.User.load(name)
|
|
|
|
|
|
|
|
except admin.User.DoesNotExist:
|
|
|
|
click.secho(f"User '{name}' does not exist!", fg='red')
|
|
|
|
raise click.Abort()
|
|
|
|
|
|
|
|
password = click.prompt("New password", hide_input=True, confirmation_prompt=True)
|
|
|
|
click.echo(f"pw: {password}")
|
|
|
|
|
|
|
|
if user.update_password(password):
|
|
|
|
click.secho(f"Password for user '{name}' successfully updated.", fg='green')
|
|
|
|
else:
|
|
|
|
click.secho(f"Could not update password.", fg='red')
|
|
|
|
|
|
|
|
@cli_user.command('delete')
|
|
|
|
@click.argument('name')
|
|
|
|
@click.option('--yes', is_flag=True, prompt='Really delete user?')
|
|
|
|
def user_delete(name, yes):
|
|
|
|
|
|
|
|
if not yes:
|
|
|
|
click.secho("No opt-in, doing nothing.", fg='yellow')
|
|
|
|
raise click.Abort()
|
|
|
|
|
|
|
|
try:
|
|
|
|
user = admin.User.load(name)
|
|
|
|
|
|
|
|
except admin.User.DoesNotExist:
|
|
|
|
click.secho(f"User '{name}' does not exist!", fg='red')
|
|
|
|
raise click.Abort()
|
|
|
|
|
|
|
|
if user.delete_instance():
|
|
|
|
click.secho(f"Successfully deleted user '{name}'.", fg='green')
|
|
|
|
else:
|
|
|
|
click.secho(f"Could not delete user '{name}'.", fg='red')
|
|
|
|
|
|
|
|
cli_clientcert = flask.cli.AppGroup('clientcert')
|
|
|
|
|
|
|
|
@cli_clientcert.command('create')
|
|
|
|
@click.argument('username')
|
|
|
|
@click.argument('certname')
|
|
|
|
#@click.option('--not-after', default=None) # probably requires datetime?
|
|
|
|
def cert_create(username, certname):
|
|
|
|
|
|
|
|
try:
|
|
|
|
user = admin.User.load(username)
|
|
|
|
|
|
|
|
except admin.User.DoesNotExist:
|
|
|
|
click.secho(f"User '{username}' does not exist", fg='red')
|
|
|
|
raise click.Abort()
|
|
|
|
|
|
|
|
|
|
|
|
not_after = datetime.datetime.utcnow() + app.config['CLIENTCERT_MAX_LIFETIME']
|
|
|
|
|
|
|
|
try:
|
|
|
|
pkcs12 = user.gen_keypair_and_clientcert(certname, not_after)
|
|
|
|
|
|
|
|
except Exception:
|
|
|
|
|
|
|
|
if app.debug:
|
|
|
|
raise
|
|
|
|
|
|
|
|
click.secho("Client certificate creation failed.", fg='red')
|
|
|
|
raise click.Abort()
|
|
|
|
|
|
|
|
passphrase = util.random_string_light()
|
|
|
|
|
|
|
|
filename = f'{username}-{certname}.p12'
|
|
|
|
fd = open(filename, 'wb')
|
|
|
|
fd.write(pkcs12.export(passphrase=passphrase))
|
|
|
|
fd.close()
|
|
|
|
|
|
|
|
cert_info = admin.ClientCert()
|
|
|
|
cert_info.user = user
|
|
|
|
cert_info.name = certname
|
|
|
|
cert_info.fingerprint = pkcs12.get_certificate().digest('sha512').replace(b':', b'')
|
|
|
|
cert_info.save(force_insert=True)
|
|
|
|
|
|
|
|
click.secho(f"Bundled keypair and cert saved as '{filename}'.", fg='green')
|
|
|
|
click.echo("Passphrase: " + click.style(passphrase, bold=True, fg='yellow', bg='black'))
|
|
|
|
|
|
|
|
@cli_clientcert.command('assign')
|
|
|
|
@click.argument('username')
|
|
|
|
@click.argument('certname')
|
|
|
|
@click.argument('fingerprint')
|
|
|
|
def cert_assign(username, certname, fingerprint):
|
|
|
|
|
|
|
|
try:
|
|
|
|
user = admin.User.load(username)
|
|
|
|
|
|
|
|
except admin.User.DoesNotExist:
|
|
|
|
click.secho(f"User '{username}' does not exist", fg='red')
|
|
|
|
raise click.Abort()
|
|
|
|
|
|
|
|
cert_info = admin.ClientCert()
|
|
|
|
cert_info.user = user
|
|
|
|
cert_info.name = certname
|
|
|
|
cert_info.fingerprint = fingerprint
|
|
|
|
|
|
|
|
if cert_info.save():
|
|
|
|
click.secho(f"Assigned certificate fingerprint to user '{username}'.", fg='green')
|
|
|
|
else:
|
|
|
|
click.secho("Could not assign fingerprint.", fg='red')
|
|
|
|
|
|
|
|
@cli_clientcert.command('revoke')
|
|
|
|
@click.argument('username')
|
|
|
|
@click.argument('certname')
|
|
|
|
def cert_revoke(username, certname):
|
|
|
|
|
|
|
|
# TODO: CRL - add entry and host the CRL itself somewhere
|
|
|
|
|
|
|
|
try:
|
|
|
|
user = admin.User.load(username)
|
|
|
|
|
|
|
|
except admin.User.DoesNotExist:
|
|
|
|
click.secho(f"User '{username}' does not exist", fg='red')
|
|
|
|
raise click.Abort()
|
|
|
|
|
|
|
|
try:
|
|
|
|
cert_info = admin.ClientCert().get((admin.ClientCert.user == user) & (admin.ClientCert.name == certname))
|
|
|
|
|
|
|
|
except admin.ClientCert.DoesNotExist:
|
|
|
|
click.secho(f"Client certificate '{certname}' for user '{username}' does not exist.", fg='red')
|
|
|
|
raise click.Abort()
|
|
|
|
|
|
|
|
if cert_info.delete_instance():
|
|
|
|
click.secho(f"Successfully deleted assignment of certificate '{certname}' to user '{username}'.", fg='green')
|
|
|
|
else:
|
|
|
|
click.secho(f"Could not delete client certificate assignment.", fg='red')
|
|
|
|
|
2024-05-20 02:10:17 +00:00
|
|
|
cli_ca = flask.cli.AppGroup('ca')
|
|
|
|
|
|
|
|
@cli_ca.command('create')
|
|
|
|
@click.option('--lifetime', prompt="How long should this CA live (in seconds, 0 means infinite)?", default=0)
|
|
|
|
def ca_create(lifetime):
|
|
|
|
|
|
|
|
if os.path.exists('ca'):
|
|
|
|
click.secho("Directory 'ca' already exists, move or delete it and re-run.", fg='red')
|
|
|
|
raise click.Abort()
|
|
|
|
|
|
|
|
click.echo("Generating keypair…")
|
|
|
|
|
|
|
|
keypair = openssl.crypto.PKey()
|
|
|
|
keypair.generate_key(openssl.crypto.TYPE_RSA, app.config['CLIENTCERT_KEYLENGTH'])
|
|
|
|
|
|
|
|
click.echo("Generating certificate…")
|
|
|
|
|
|
|
|
cert = openssl.crypto.X509()
|
|
|
|
cert.set_serial_number(uuid.uuid4().int) # random uuid, mathmatically ~guaranteed to be unique
|
|
|
|
issuer = cert.get_issuer()
|
|
|
|
issuer.commonName = app.config['SITE_NAME']
|
|
|
|
issuer.C = 'AQ'
|
|
|
|
issuer.L = 'Free Nation Of Radiant Dissent'
|
|
|
|
issuer.O = 'Erisian Liberation Front'
|
|
|
|
issuer.OU = 'Cyber Confusion Center'
|
|
|
|
cert.set_subject(issuer)
|
|
|
|
cert.set_pubkey(keypair)
|
|
|
|
cert.gmtime_adj_notBefore(0)
|
|
|
|
|
|
|
|
if lifetime == 0:
|
|
|
|
cert.set_notAfter(b'99991231235959Z') # "indefinitely valid" as defined in RFC 5280 4.1.2.5.
|
|
|
|
|
|
|
|
else:
|
|
|
|
cert.gmtime_adj_notAfter(lifetime)
|
|
|
|
|
|
|
|
extensions = [
|
|
|
|
openssl.crypto.X509Extension(b'basicConstraints', True, b'CA:TRUE, pathlen:0'),
|
|
|
|
openssl.crypto.X509Extension(b'keyUsage', True, b'digitalSignature, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign'),
|
|
|
|
]
|
|
|
|
|
|
|
|
cert.add_extensions(extensions)
|
|
|
|
|
|
|
|
# sign cert with private key
|
|
|
|
cert.sign(keypair, "sha512")
|
|
|
|
|
|
|
|
click.echo("Creating directory…")
|
|
|
|
os.mkdir('ca')
|
|
|
|
|
|
|
|
click.echo("Saving certificate…")
|
|
|
|
cert_pem = openssl.crypto.dump_certificate(openssl.crypto.FILETYPE_PEM, cert)
|
|
|
|
|
|
|
|
fd = open(os.path.join('ca', 'cert.pem'), 'w')
|
|
|
|
fd.write(cert_pem.decode('ascii'))
|
|
|
|
fd.close()
|
|
|
|
del fd
|
|
|
|
|
|
|
|
click.echo("Saving keypair…")
|
|
|
|
key_pem = openssl.crypto.dump_privatekey(openssl.crypto.FILETYPE_PEM, keypair)
|
|
|
|
|
|
|
|
fd = open(os.path.join('ca', 'key.pem'), 'w')
|
|
|
|
fd.write(key_pem.decode('ascii'))
|
|
|
|
fd.close()
|
|
|
|
del fd
|
|
|
|
|
|
|
|
click.secho("All done!", fg='green')
|
|
|
|
|
2024-05-20 21:33:18 +00:00
|
|
|
cli_user.add_command(cli_clientcert)
|
2024-04-12 19:22:00 +00:00
|
|
|
app.cli.add_command(cli_user)
|
2024-05-20 02:10:17 +00:00
|
|
|
|
|
|
|
app.cli.add_command(cli_ca)
|