Merge pull request #1244 from coreos-inc/enableaci

Add UI to the setup tool for enabling ACI conversion

util/config/configutil.py

@@ -21,6 +21,14 @@ def add_enterprise_config_defaults(config_obj, current_secret_key, hostname):
   # Default features that are off.
   config_obj['FEATURE_MAILING'] = config_obj.get('FEATURE_MAILING', False)
   config_obj['FEATURE_BUILD_SUPPORT'] = config_obj.get('FEATURE_BUILD_SUPPORT', False)
+  config_obj['FEATURE_ACI_CONVERSION'] = config_obj.get('FEATURE_ACI_CONVERSION', True)
+
+  # Default the signer config.
+  config_obj['GPG2_PRIVATE_KEY_FILENAME'] = config_obj.get('GPG2_PRIVATE_KEY_FILENAME',
+                                                           'signing-private.gpg')
+  config_obj['GPG2_PUBLIC_KEY_FILENAME'] = config_obj.get('GPG2_PUBLIC_KEY_FILENAME',
+                                                          'signing-public.gpg')
+  config_obj['SIGNING_ENGINE'] = config_obj.get('SIGNING_ENGINE', 'gpg2')
 
   # Default auth type.
   if not 'AUTHENTICATION_TYPE' in config_obj:

util/config/validator.py

@@ -6,6 +6,7 @@ import peewee
 import OpenSSL
 import logging
 
+from StringIO import StringIO
 from fnmatch import fnmatch
 from data.users.keystone import KeystoneUsers
 from data.users.externaljwt import ExternalJWTAuthN
@@ -18,6 +19,7 @@ from storage import get_storage_driver
 from auth.auth_context import get_authenticated_user
 from util.config.oauth import GoogleOAuthConfig, GithubOAuthConfig, GitLabOAuthConfig
 from bitbucket import BitBucket
+from util.security.signing import SIGNING_ENGINES
 
 from app import app, config_provider, get_app_url, OVERRIDE_CONFIG_DIRECTORY
 
@@ -27,8 +29,9 @@ logger = logging.getLogger(__name__)
 SSL_FILENAMES = ['ssl.cert', 'ssl.key']
 DB_SSL_FILENAMES = ['database.pem']
 JWT_FILENAMES = ['jwt-authn.cert']
+ACI_CERT_FILENAMES = ['signing-public.gpg', 'signing-private.gpg']
 
-CONFIG_FILENAMES = SSL_FILENAMES + DB_SSL_FILENAMES + JWT_FILENAMES
+CONFIG_FILENAMES = SSL_FILENAMES + DB_SSL_FILENAMES + JWT_FILENAMES + ACI_CERT_FILENAMES
 
 def get_storage_providers(config):
   storage_config = config.get('DISTRIBUTED_STORAGE_CONFIG', {})
@@ -409,6 +412,18 @@ def _validate_keystone(config, password):
                      'OR Keystone auth is misconfigured.') % (username, err_msg))
 
 
+def _validate_signer(config, _):
+  """ Validates the GPG public+private key pair used for signing converted ACIs. """
+  if config.get('SIGNING_ENGINE') is None:
+    return
+
+  if config['SIGNING_ENGINE'] not in SIGNING_ENGINES:
+    raise Exception('Unknown signing engine: %s' % config['SIGNING_ENGINE'])
+
+  engine = SIGNING_ENGINES[config['SIGNING_ENGINE']](config, OVERRIDE_CONFIG_DIRECTORY)
+  engine.detached_sign(StringIO('test string'))
+
+
 _VALIDATORS = {
   'database': _validate_database,
   'redis': _validate_redis,
@@ -423,4 +438,5 @@ _VALIDATORS = {
   'ldap': _validate_ldap,
   'jwt': _validate_jwt,
   'keystone': _validate_keystone,
+  'signer': _validate_signer,
 }

util/security/signing.py

@@ -4,22 +4,22 @@ from StringIO import StringIO
 
 class GPG2Signer(object):
   """ Helper class for signing data using GPG2. """
-  def __init__(self, app, key_directory):
-    if not app.config.get('GPG2_PRIVATE_KEY_NAME'):
+  def __init__(self, config, key_directory):
+    if not config.get('GPG2_PRIVATE_KEY_NAME'):
       raise Exception('Missing configuration key GPG2_PRIVATE_KEY_NAME')
 
-    if not app.config.get('GPG2_PRIVATE_KEY_FILENAME'):
+    if not config.get('GPG2_PRIVATE_KEY_FILENAME'):
       raise Exception('Missing configuration key GPG2_PRIVATE_KEY_FILENAME')
 
-    if not app.config.get('GPG2_PUBLIC_KEY_FILENAME'):
+    if not config.get('GPG2_PUBLIC_KEY_FILENAME'):
       raise Exception('Missing configuration key GPG2_PUBLIC_KEY_FILENAME')
 
     self._ctx = gpgme.Context()
     self._ctx.armor = True
-    self._private_key_name = app.config['GPG2_PRIVATE_KEY_NAME']
-    self._public_key_path = os.path.join(key_directory, app.config['GPG2_PUBLIC_KEY_FILENAME'])
+    self._private_key_name = config['GPG2_PRIVATE_KEY_NAME']
+    self._public_key_path = os.path.join(key_directory, config['GPG2_PUBLIC_KEY_FILENAME'])
 
-    key_file = os.path.join(key_directory, app.config['GPG2_PRIVATE_KEY_FILENAME'])
+    key_file = os.path.join(key_directory, config['GPG2_PRIVATE_KEY_FILENAME'])
     if not os.path.exists(key_file):
       raise Exception('Missing key file %s' % key_file)
 
@@ -37,10 +37,13 @@ class GPG2Signer(object):
   def detached_sign(self, stream):
     """ Signs the given stream, returning the signature. """
     ctx = self._ctx
-    ctx.signers = [ctx.get_key(self._private_key_name)]
+    try:
+      ctx.signers = [ctx.get_key(self._private_key_name)]
+    except:
+      raise Exception('Invalid private key name')
+
     signature = StringIO()
     new_sigs = ctx.sign(stream, signature, gpgme.SIG_MODE_DETACH)
-
     signature.seek(0)
     return signature.getvalue()
 
@@ -58,7 +61,7 @@ class Signer(object):
     if preference is None:
       return None
 
-    return SIGNING_ENGINES[preference](app, key_directory)
+    return SIGNING_ENGINES[preference](app.config, key_directory)
 
   def __getattr__(self, name):
     return getattr(self.state, name, None)