Generate private key on startup

This commit is contained in:
Evan Cordell 2016-04-27 13:39:01 -05:00 committed by Jimmy Zelinskie
parent 85667a9cf6
commit 668ce2c7cd
5 changed files with 41 additions and 3 deletions

Binary file not shown.

boot.py

@ -1,15 +1,46 @@
#!/usr/bin/env python #!/usr/bin/env python
from datetime import datetime, timedelta
from urlparse import urlunparse from urlparse import urlunparse
import json
import release from jwkest.jwk import RSAKey
from jinja2 import Template from jinja2 import Template
import release
from app import app from app import app
from data.database import ServiceKeyApprovalType
from data.model.release import set_region_release from data.model.release import set_region_release
from data.model.service_keys import generate_service_key, approve_service_key
from util.config.database import sync_database_with_config from util.config.database import sync_database_with_config
def create_quay_service_key(seconds_until_expiration):
expiration = timedelta(seconds=seconds_until_expiration)
private_key, service_key = generate_service_key('quay', datetime.now()+expiration)
approve_service_key(service_key.kid, None, ServiceKeyApprovalType.SUPERUSER)
private_key_file = {
'KeyID': service_key.kid,
'PrivateKey': {
'N': int(private_key._n),
'E': int(private_key._e),
'D': int(private_key._d),
'Primes': [int(private_key._p), int(private_key._q)],
'Precomputed': {
'Dp': None,
'Dq': None,
'Quinv': None,
'CRTValues': []
}
}
}
with open('/conf/quay.jwk', mode='w') as f:
f.truncate(0)
f.write(json.dumps(private_key_file))
def create_jwtproxy_conf(): def create_jwtproxy_conf():
audience = urlunparse(( audience = urlunparse((
app.config.get('PREFERRED_URL_SCHEME'), app.config.get('PREFERRED_URL_SCHEME'),
@ -33,6 +64,7 @@ def main():
if app.config.get('SETUP_COMPLETE', False): if app.config.get('SETUP_COMPLETE', False):
sync_database_with_config(app.config) sync_database_with_config(app.config)
create_quay_service_key(app.config.get('QUAY_SERVICE_KEY_EXPIRATION', 500))
# Record deploy # Record deploy
if release.REGION and release.GIT_HEAD: if release.REGION and release.GIT_HEAD:
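Review bot: create_quay_service_key in the first hunk writes the RSA private key to /conf/quay.jwk through a plain `open(..., mode='w')`, so the file's mode is whatever the process umask leaves, which is commonly group- or world-readable; private key material should be created owner-only, e.g. `fd = os.open('/conf/quay.jwk', os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` followed by `with os.fdopen(fd, 'w') as f:` (with `import os` added to the imports), which also makes the `f.truncate(0)` line redundant because the file is already opened for truncation. The function reaches into the key object's private attributes (`_n`, `_e`, `_d`, `_p`, `_q`) and leaves every `Precomputed` CRT field as None; a one-line comment naming the consumer that expects this JSON layout and why the CRT values are omitted would spare the next maintainer a search. `RSAKey` is imported but not used on any visible line, so if it is also unused in the rest of the file the import can be dropped. In the second hunk a new key is generated and self-approved on every startup once SETUP_COMPLETE is set; whether earlier, still-unexpired keys are ever removed is not visible here and is worth a comment at the call site.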


@ -2,8 +2,8 @@ jwtproxy:
signer_proxy: signer_proxy:
enabled: true enabled: true
listen_addr: :8080 listen_addr: :8080
ca_key_file: /conf/stack/mitm.key ca_key_file: /conf/mitm.key
ca_crt_file: /conf/stack/mitm.cert ca_crt_file: /conf/mitm.cert
signer: signer:
issuer: quay issuer: quay
@ -12,6 +12,7 @@ jwtproxy:
private_key: private_key:
type: autogenerated type: autogenerated
options: options:
key_folder: /conf
key_server: key_server:
type: keyregistry type: keyregistry
options: options:


@ -312,3 +312,6 @@ class DefaultConfig(object):
# The ID of the user account in the database to be used for service audit logs. If none, the # The ID of the user account in the database to be used for service audit logs. If none, the
# lowest user in the database will be used. # lowest user in the database will be used.
SERVICE_LOG_ACCOUNT_ID = None SERVICE_LOG_ACCOUNT_ID = None
# Quay's service key expiration in seconds
QUAY_SERVICE_KEY_EXPIRATION = 500
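Review bot: The comment above QUAY_SERVICE_KEY_EXPIRATION says only that it is an expiration in seconds; it should say which key this is and where the value is consumed, e.g. `# Lifetime, in seconds, of the service key that boot.py generates and self-approves at startup.` A reader tuning this value would also want to know whether anything renews the key after those 500 seconds elapse, since the only generation point visible in this commit is the startup path; if nothing does, that should be stated next to the default. The DefaultConfig class continues outside the hunk.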


@ -142,6 +142,8 @@ def org_view(org):
} }
def user_view(user, password=None): def user_view(user, password=None):
if user is None:
return None
user_data = { user_data = {
'kind': 'user', 'kind': 'user',
'name': user.username, 'name': user.username,
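Review bot: The new `if user is None: return None` guard changes user_view's contract, which now returns None instead of failing on a missing user, but the function carries no docstring saying so; add one directly under the def line, such as `"""Return the API representation of *user*, or None when *user* is None."""`. Whether org_view, defined just above this hunk, should get the same guard cannot be judged from here. user_view's body continues past the end of the hunk.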