From 9ffc32f680c446d927b359e76a40056fe850fb56 Mon Sep 17 00:00:00 2001
From: Evan Cordell
Date: Wed, 27 Apr 2016 14:37:48 -0500
Subject: [PATCH] Generate preshared key on boot
---
 boot.py | 22 +++++++++++-----------
 conf/jwtproxy_conf.yaml.jnj | 9 +++------
 util/generatepresharedkey.py | 4 ++--
 3 files changed, 16 insertions(+), 19 deletions(-)
diff --git a/boot.py b/boot.py
index b266b023e..e56d8bafb 100644
--- a/boot.py
+++ b/boot.py
@@ -13,20 +13,20 @@ from data.database import ServiceKeyApprovalType
 from data.model.release import set_region_release
 from data.model.service_keys import generate_service_key, approve_service_key
 from util.config.database import sync_database_with_config
+from util.generatepresharedkey import generate_key
 def create_quay_service_key(seconds_until_expiration):
- expiration = timedelta(seconds=seconds_until_expiration)
- private_key, service_key = generate_service_key('quay', datetime.now()+expiration)
- approve_service_key(service_key.kid, None, ServiceKeyApprovalType.SUPERUSER)
- jwk = RSAKey(key=private_key).serialize(private=True)
+ quay_key, key_id = generate_key(None, 'quay', 'quay')
- with open('/conf/quay.jwk', mode='w') as f:
+ with open('/conf/quay.pem', mode='w') as f:
 f.truncate(0)
- f.write(json.dumps(jwk))
+ f.write(quay_key.exportKey())
+
+ return key_id
-def create_jwtproxy_conf():
+def create_jwtproxy_conf(quay_key_id):
 audience = urlunparse((
 app.config.get('PREFERRED_URL_SCHEME'),
 app.config.get('SERVER_HOSTNAME'),
 '', '', '', ''))
@@ -37,7 +37,8 @@ def create_jwtproxy_conf():
 template = Template(f.read())
 rendered = template.render(
 audience=audience,
- registry=registry
+ registry=registry,
+ key_id=quay_key_id
 )
 with open('/conf/jwtproxy_conf.yaml', 'w') as f:
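Review bot: The `seconds_until_expiration` argument is no longer used: `generate_key(None, 'quay', 'quay')` is called without `expiration_date`, which defaults to None in its signature (see the util/generatepresharedkey.py hunk), so the auto-approved Quay service key written to /conf/quay.pem now has no expiry even though main() still passes QUAY_SERVICE_KEY_EXPIRATION. The file is also created with a plain `open(..., mode='w')`, so the private key's permissions come from the process umask rather than being owner-only, and `f.truncate(0)` is redundant under mode 'w'. The rewrite below restores the expiry (assuming generate_key accepts a datetime for expiration_date; the CLI passes args.expiration, whose type is not visible here) and creates the file with mode 0600 — `datetime` and `timedelta` were already in scope for the removed lines, while `os` needs importing if boot.py does not already. The imports `ServiceKeyApprovalType`, `generate_service_key` and `approve_service_key` still shown in context are presumably unused in boot.py after this change and could be dropped.
```python
def create_quay_service_key(seconds_until_expiration):
  # Keep the configured expiry: generate_key's expiration_date defaults to None (no expiry)
  expiration = datetime.now() + timedelta(seconds=seconds_until_expiration)
  quay_key, key_id = generate_key(None, 'quay', 'quay', expiration_date=expiration)

  # Private key material: create it owner-read/write only instead of inheriting the umask
  # (an already existing file keeps its mode; O_TRUNC only empties it)
  fd = os.open('/conf/quay.pem', os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
  with os.fdopen(fd, 'w') as f:
    f.write(quay_key.exportKey())

  return key_id
```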
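Review bot: `registry=registry` is still passed to the template here although the conf/jwtproxy_conf.yaml.jnj hunk removes the only `{{ registry }}` reference, so the variable (computed above this hunk, outside it) is now dead in the render call. Either drop `registry=registry,` and its computation, or keep the reference in the template if another consumer of the rendered file needs it. create_jwtproxy_conf starts and ends outside this hunk.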
@@ -45,11 +46,10 @@ def create_jwtproxy_conf():
 def main():
- create_jwtproxy_conf()
-
 if app.config.get('SETUP_COMPLETE', False):
 sync_database_with_config(app.config)
- create_quay_service_key(app.config.get('QUAY_SERVICE_KEY_EXPIRATION', 500))
+ quay_key_id = create_quay_service_key(app.config.get('QUAY_SERVICE_KEY_EXPIRATION', 500))
+ create_jwtproxy_conf(quay_key_id)
 # Record deploy
 if release.REGION and release.GIT_HEAD:
diff --git a/conf/jwtproxy_conf.yaml.jnj b/conf/jwtproxy_conf.yaml.jnj
index d9d6aa633..bff939ec5 100644
--- a/conf/jwtproxy_conf.yaml.jnj
+++ b/conf/jwtproxy_conf.yaml.jnj
@@ -10,13 +10,10 @@ jwtproxy:
 expiration_time: 5m
 max_skew: 1m
 private_key:
- type: autogenerated
+ type: preshared
 options:
- key_folder: /conf
- key_server:
- type: keyregistry
- options:
- registry: {{ registry }}
+ key_id: {{ key_id }}
+ private_key_path: /conf/quay.pem
 verifier_proxy:
 enabled: true
 listen_addr: unix:/tmp/jwtproxy_secscan.sock
diff --git a/util/generatepresharedkey.py b/util/generatepresharedkey.py
index d1284d20c..f91c65dac 100644
--- a/util/generatepresharedkey.py
+++ b/util/generatepresharedkey.py
@@ -31,7 +31,7 @@ def generate_key(approver, service, name, expiration_date=None, notes=None):
 log_action('service_key_create', None, metadata=key_log_metadata)
 log_action('service_key_approve', None, metadata=key_log_metadata)
- return private_key
+ return private_key, key.kid
 if __name__ == '__main__':
@@ -45,5 +45,5 @@ if __name__ == '__main__':
 args = parser.parse_args()
 approver_user = model.user.get_user(args.approver)
- generated = generate_key(approver_user, args.service, args.name, args.expiration, args.notes)
+ generated, _ = generate_key(approver_user, args.service, args.name, args.expiration, args.notes)
 print generated.exportKey('PEM')
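Review bot: create_jwtproxy_conf() moves from an unconditional call at the top of main() into the `SETUP_COMPLETE` branch, so a boot before setup completes now leaves /conf/jwtproxy_conf.yaml unwritten; if that is intended because the preshared config needs a key id that only exists after the key is generated, a comment should say so, e.g. `# jwtproxy's preshared-key config needs the key id, so it can only be rendered once setup is complete and the key exists`. If jwtproxy is started regardless of SETUP_COMPLETE (not visible here), it would now come up without a config. The QUAY_SERVICE_KEY_EXPIRATION value passed on the added line is also ignored by the new create_quay_service_key body (see the first boot.py hunk). main() continues past the end of this hunk.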
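Review bot: `key_id: {{ key_id }}` is substituted unquoted into YAML, so a kid that YAML would reinterpret (leading digits, a `:` or `#`, or a `yes`/`no`-like token) would parse as something other than the intended string; quoting it as `key_id: "{{ key_id }}"` keeps the value a string whatever form the kid takes. Switching from `autogenerated` with a key server to `preshared` also means jwtproxy no longer manages this key itself, and since boot.py now generates and approves a fresh key on every boot, whether earlier approved keys are ever revoked is worth confirming (not visible in this patch).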
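Review bot: Changing the return value from `private_key` to the tuple `(private_key, key.kid)` breaks any caller that still expects a single key object; only the `__main__` block and boot.py are updated in this patch, so other call sites (not visible here) would need the same tuple-unpacking adjustment. The function's signature and the definition of `key` are above the hunk, so the docstring (or a comment on the return) should state the new contract, e.g. `# Returns (private_key, kid): the generated key object and the id it was registered and approved under.`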
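Review bot: The kid is discarded with `generated, _ = ...`, yet the preshared jwtproxy config introduced in this same patch needs exactly that key id, so an operator running this CLI has no way to learn it. Emitting it on stderr keeps the PEM on stdout clean, e.g. rename `_` to `kid` and add `sys.stderr.write('kid: %s\n' % kid)` before the print (requires `sys`, whose import is not visible here).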