crypto: implement simple certificate-key pair for easier management
This commit is contained in:
parent
f6c322be27
commit
8df55f22aa
|
@ -64,6 +64,12 @@
|
||||||
{% trans 'Policies' %}
|
{% trans 'Policies' %}
|
||||||
</a>
|
</a>
|
||||||
</li>
|
</li>
|
||||||
|
<li class="pf-c-nav__item">
|
||||||
|
<a href="{% url 'passbook_admin:certificate_key_pair' %}"
|
||||||
|
class="pf-c-nav__link {% is_active 'passbook_admin:certificate_key_pair' 'passbook_admin:certificatekeypair-create' 'passbook_admin:certificatekeypair-update' 'passbook_admin:certificatekeypair-delete' %}">
|
||||||
|
{% trans 'Certificates' %}
|
||||||
|
</a>
|
||||||
|
</li>
|
||||||
<li class="pf-c-nav__item">
|
<li class="pf-c-nav__item">
|
||||||
<a href="{% url 'passbook_admin:invitations' %}"
|
<a href="{% url 'passbook_admin:invitations' %}"
|
||||||
class="pf-c-nav__link {% is_active 'passbook_admin:invitations' 'passbook_admin:invitation-create' 'passbook_admin:invitation-update' 'passbook_admin:invitation-delete' 'passbook_admin:invitation-test' %}">
|
class="pf-c-nav__link {% is_active 'passbook_admin:invitations' 'passbook_admin:invitation-create' 'passbook_admin:invitation-update' 'passbook_admin:invitation-delete' 'passbook_admin:invitation-test' %}">
|
||||||
|
|
|
@ -0,0 +1,69 @@
|
||||||
|
{% extends "administration/base.html" %}
|
||||||
|
|
||||||
|
{% load i18n %}
|
||||||
|
{% load utils %}
|
||||||
|
|
||||||
|
{% block content %}
|
||||||
|
<section class="pf-c-page__main-section pf-m-light">
|
||||||
|
<div class="pf-c-content">
|
||||||
|
<h1>
|
||||||
|
<i class="pf-icon pf-icon-key"></i>
|
||||||
|
{% trans 'Certificate-Key Pairs' %}
|
||||||
|
</h1>
|
||||||
|
<p>{% trans "Import certificates of external providers or create certificates to sign requests with." %}</p>
|
||||||
|
</div>
|
||||||
|
</section>
|
||||||
|
<section class="pf-c-page__main-section pf-m-no-padding-mobile">
|
||||||
|
<div class="pf-c-card">
|
||||||
|
<div class="pf-c-toolbar" id="page-layout-table-simple-toolbar-top">
|
||||||
|
<div class="pf-c-toolbar__action-group">
|
||||||
|
<a href="{% url 'passbook_admin:certificatekeypair-create' %}?back={{ request.get_full_path }}" class="pf-c-button pf-m-primary" type="button">{% trans 'Create' %}</a>
|
||||||
|
</div>
|
||||||
|
{% include 'partials/pagination.html' %}
|
||||||
|
</div>
|
||||||
|
<table class="pf-c-table pf-m-compact pf-m-grid-xl" role="grid">
|
||||||
|
<thead>
|
||||||
|
<tr role="row">
|
||||||
|
<th role="columnheader" scope="col">{% trans 'Name' %}</th>
|
||||||
|
<th role="columnheader" scope="col">{% trans 'Private Key available' %}</th>
|
||||||
|
<th role="columnheader" scope="col">{% trans 'Fingerprint' %}</th>
|
||||||
|
<th role="columnheader" scope="col">{% trans 'Provider Type' %}</th>
|
||||||
|
<th role="cell"></th>
|
||||||
|
</tr>
|
||||||
|
</thead>
|
||||||
|
<tbody role="rowgroup">
|
||||||
|
{% for kp in object_list %}
|
||||||
|
<tr role="row">
|
||||||
|
<th role="columnheader">
|
||||||
|
<div>
|
||||||
|
<div>{{ kp.name }}</div>
|
||||||
|
</div>
|
||||||
|
</th>
|
||||||
|
<td role="cell">
|
||||||
|
<span>
|
||||||
|
{% if kp.key_data is not None %}
|
||||||
|
{% trans 'Yes' %}
|
||||||
|
{% else %}
|
||||||
|
{% trans 'No' %}
|
||||||
|
{% endif %}
|
||||||
|
</span>
|
||||||
|
</td>
|
||||||
|
<td role="cell">
|
||||||
|
<span>
|
||||||
|
{{ kp.fingerprint }}
|
||||||
|
</span>
|
||||||
|
</td>
|
||||||
|
<td>
|
||||||
|
<a class="pf-c-button pf-m-secondary" href="{% url 'passbook_admin:certificatekeypair-update' pk=kp.pk %}?back={{ request.get_full_path }}">{% trans 'Edit' %}</a>
|
||||||
|
<a class="pf-c-button pf-m-danger" href="{% url 'passbook_admin:certificatekeypair-delete' pk=kp.pk %}?back={{ request.get_full_path }}">{% trans 'Delete' %}</a>
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
|
{% endfor %}
|
||||||
|
</tbody>
|
||||||
|
</table>
|
||||||
|
<div class="pf-c-toolbar" id="page-layout-table-simple-toolbar-bottom">
|
||||||
|
{% include 'partials/pagination.html' %}
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
</section>
|
||||||
|
{% endblock %}
|
|
@ -4,6 +4,7 @@ from django.urls import path
|
||||||
from passbook.admin.views import (
|
from passbook.admin.views import (
|
||||||
applications,
|
applications,
|
||||||
audit,
|
audit,
|
||||||
|
certificate_key_pair,
|
||||||
debug,
|
debug,
|
||||||
factors,
|
factors,
|
||||||
groups,
|
groups,
|
||||||
|
@ -148,6 +149,27 @@ urlpatterns = [
|
||||||
path(
|
path(
|
||||||
"group/<uuid:pk>/delete/", groups.GroupDeleteView.as_view(), name="group-delete"
|
"group/<uuid:pk>/delete/", groups.GroupDeleteView.as_view(), name="group-delete"
|
||||||
),
|
),
|
||||||
|
# Certificate-Key Pairs
|
||||||
|
path(
|
||||||
|
"crypto/certificates/",
|
||||||
|
certificate_key_pair.CertificateKeyPairListView.as_view(),
|
||||||
|
name="certificate_key_pair",
|
||||||
|
),
|
||||||
|
path(
|
||||||
|
"crypto/certificates/create/",
|
||||||
|
certificate_key_pair.CertificateKeyPairCreateView.as_view(),
|
||||||
|
name="certificatekeypair-create",
|
||||||
|
),
|
||||||
|
path(
|
||||||
|
"crypto/certificates/<uuid:pk>/update/",
|
||||||
|
certificate_key_pair.CertificateKeyPairUpdateView.as_view(),
|
||||||
|
name="certificatekeypair-update",
|
||||||
|
),
|
||||||
|
path(
|
||||||
|
"crypto/certificates/<uuid:pk>/delete/",
|
||||||
|
certificate_key_pair.CertificateKeyPairDeleteView.as_view(),
|
||||||
|
name="certificatekeypair-delete",
|
||||||
|
),
|
||||||
# Audit Log
|
# Audit Log
|
||||||
path("audit/", audit.EventListView.as_view(), name="audit-log"),
|
path("audit/", audit.EventListView.as_view(), name="audit-log"),
|
||||||
# Groups
|
# Groups
|
||||||
|
|
|
@ -0,0 +1,77 @@
|
||||||
|
"""passbook CertificateKeyPair administration"""
|
||||||
|
from django.contrib import messages
|
||||||
|
from django.contrib.auth.mixins import LoginRequiredMixin
|
||||||
|
from django.contrib.auth.mixins import (
|
||||||
|
PermissionRequiredMixin as DjangoPermissionRequiredMixin,
|
||||||
|
)
|
||||||
|
from django.contrib.messages.views import SuccessMessageMixin
|
||||||
|
from django.urls import reverse_lazy
|
||||||
|
from django.utils.translation import ugettext as _
|
||||||
|
from django.views.generic import DeleteView, ListView, UpdateView
|
||||||
|
from guardian.mixins import PermissionListMixin, PermissionRequiredMixin
|
||||||
|
|
||||||
|
from passbook.crypto.forms import CertificateKeyPairForm
|
||||||
|
from passbook.crypto.models import CertificateKeyPair
|
||||||
|
from passbook.lib.views import CreateAssignPermView
|
||||||
|
|
||||||
|
|
||||||
|
class CertificateKeyPairListView(LoginRequiredMixin, PermissionListMixin, ListView):
|
||||||
|
"""Show list of all keypairs"""
|
||||||
|
|
||||||
|
model = CertificateKeyPair
|
||||||
|
permission_required = "passbook_crypto.view_certificatekeypair"
|
||||||
|
ordering = "name"
|
||||||
|
paginate_by = 40
|
||||||
|
template_name = "administration/certificatekeypair/list.html"
|
||||||
|
|
||||||
|
|
||||||
|
class CertificateKeyPairCreateView(
|
||||||
|
SuccessMessageMixin,
|
||||||
|
LoginRequiredMixin,
|
||||||
|
DjangoPermissionRequiredMixin,
|
||||||
|
CreateAssignPermView,
|
||||||
|
):
|
||||||
|
"""Create new CertificateKeyPair"""
|
||||||
|
|
||||||
|
model = CertificateKeyPair
|
||||||
|
form_class = CertificateKeyPairForm
|
||||||
|
permission_required = "passbook_crypto.add_certificatekeypair"
|
||||||
|
|
||||||
|
template_name = "generic/create.html"
|
||||||
|
success_url = reverse_lazy("passbook_admin:certificate_key_pair")
|
||||||
|
success_message = _("Successfully created CertificateKeyPair")
|
||||||
|
|
||||||
|
def get_context_data(self, **kwargs):
|
||||||
|
kwargs["type"] = "Certificate-Key Pair"
|
||||||
|
return super().get_context_data(**kwargs)
|
||||||
|
|
||||||
|
|
||||||
|
class CertificateKeyPairUpdateView(
|
||||||
|
SuccessMessageMixin, LoginRequiredMixin, PermissionRequiredMixin, UpdateView
|
||||||
|
):
|
||||||
|
"""Update certificatekeypair"""
|
||||||
|
|
||||||
|
model = CertificateKeyPair
|
||||||
|
form_class = CertificateKeyPairForm
|
||||||
|
permission_required = "passbook_crypto.change_certificatekeypair"
|
||||||
|
|
||||||
|
template_name = "generic/update.html"
|
||||||
|
success_url = reverse_lazy("passbook_admin:certificate_key_pair")
|
||||||
|
success_message = _("Successfully updated Certificate-Key Pair")
|
||||||
|
|
||||||
|
|
||||||
|
class CertificateKeyPairDeleteView(
|
||||||
|
SuccessMessageMixin, LoginRequiredMixin, PermissionRequiredMixin, DeleteView
|
||||||
|
):
|
||||||
|
"""Delete certificatekeypair"""
|
||||||
|
|
||||||
|
model = CertificateKeyPair
|
||||||
|
permission_required = "passbook_crypto.delete_certificatekeypair"
|
||||||
|
|
||||||
|
template_name = "generic/delete.html"
|
||||||
|
success_url = reverse_lazy("passbook_admin:certificate_key_pair")
|
||||||
|
success_message = _("Successfully deleted Certificate-Key Pair")
|
||||||
|
|
||||||
|
def delete(self, request, *args, **kwargs):
|
||||||
|
messages.success(self.request, self.success_message)
|
||||||
|
return super().delete(request, *args, **kwargs)
|
|
@ -0,0 +1,5 @@
|
||||||
|
"""passbook crypto model admin"""
|
||||||
|
|
||||||
|
from passbook.lib.admin import admin_autoregister
|
||||||
|
|
||||||
|
admin_autoregister("passbook_crypto")
|
|
@ -0,0 +1,10 @@
|
||||||
|
"""passbook crypto app config"""
|
||||||
|
from django.apps import AppConfig
|
||||||
|
|
||||||
|
|
||||||
|
class PassbookCryptoConfig(AppConfig):
|
||||||
|
"""passbook crypto app config"""
|
||||||
|
|
||||||
|
name = "passbook.crypto"
|
||||||
|
label = "passbook_crypto"
|
||||||
|
verbose_name = "passbook Crypto"
|
|
@ -0,0 +1,82 @@
|
||||||
|
"""Create self-signed certificates"""
|
||||||
|
import datetime
|
||||||
|
import uuid
|
||||||
|
|
||||||
|
from cryptography import x509
|
||||||
|
from cryptography.hazmat.backends import default_backend
|
||||||
|
from cryptography.hazmat.primitives import hashes, serialization
|
||||||
|
from cryptography.hazmat.primitives.asymmetric import rsa
|
||||||
|
from cryptography.x509.oid import NameOID
|
||||||
|
|
||||||
|
|
||||||
|
class CertificateBuilder:
|
||||||
|
"""Build self-signed certificates"""
|
||||||
|
|
||||||
|
__public_key = None
|
||||||
|
__private_key = None
|
||||||
|
__builder = None
|
||||||
|
__certificate = None
|
||||||
|
|
||||||
|
def __init__(self):
|
||||||
|
self.__public_key = None
|
||||||
|
self.__private_key = None
|
||||||
|
self.__builder = None
|
||||||
|
self.__certificate = None
|
||||||
|
|
||||||
|
def build(self):
|
||||||
|
"""Build self-signed certificate"""
|
||||||
|
one_day = datetime.timedelta(1, 0, 0)
|
||||||
|
self.__private_key = rsa.generate_private_key(
|
||||||
|
public_exponent=65537, key_size=2048, backend=default_backend()
|
||||||
|
)
|
||||||
|
self.__public_key = self.__private_key.public_key()
|
||||||
|
self.__builder = (
|
||||||
|
x509.CertificateBuilder()
|
||||||
|
.subject_name(
|
||||||
|
x509.Name(
|
||||||
|
[
|
||||||
|
x509.NameAttribute(
|
||||||
|
NameOID.COMMON_NAME, u"passbook Self-signed Certificate",
|
||||||
|
),
|
||||||
|
x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"passbook"),
|
||||||
|
x509.NameAttribute(
|
||||||
|
NameOID.ORGANIZATIONAL_UNIT_NAME, u"Self-signed"
|
||||||
|
),
|
||||||
|
]
|
||||||
|
)
|
||||||
|
)
|
||||||
|
.issuer_name(
|
||||||
|
x509.Name(
|
||||||
|
[
|
||||||
|
x509.NameAttribute(
|
||||||
|
NameOID.COMMON_NAME, u"passbook Self-signed Certificate",
|
||||||
|
),
|
||||||
|
]
|
||||||
|
)
|
||||||
|
)
|
||||||
|
.not_valid_before(datetime.datetime.today() - one_day)
|
||||||
|
.not_valid_after(datetime.datetime.today() + datetime.timedelta(days=365))
|
||||||
|
.serial_number(int(uuid.uuid4()))
|
||||||
|
.public_key(self.__public_key)
|
||||||
|
)
|
||||||
|
self.__certificate = self.__builder.sign(
|
||||||
|
private_key=self.__private_key,
|
||||||
|
algorithm=hashes.SHA256(),
|
||||||
|
backend=default_backend(),
|
||||||
|
)
|
||||||
|
|
||||||
|
@property
|
||||||
|
def private_key(self):
|
||||||
|
"""Return private key in PEM format"""
|
||||||
|
return self.__private_key.private_bytes(
|
||||||
|
encoding=serialization.Encoding.PEM,
|
||||||
|
format=serialization.PrivateFormat.TraditionalOpenSSL,
|
||||||
|
encryption_algorithm=serialization.NoEncryption(),
|
||||||
|
).decode("utf-8")
|
||||||
|
|
||||||
|
@property
|
||||||
|
def certificate(self):
|
||||||
|
"""Return certificate in PEM format"""
|
||||||
|
return self.__certificate.public_bytes(
|
||||||
|
encoding=serialization.Encoding.PEM,
|
||||||
|
).decode("utf-8")
|
|
@ -0,0 +1,27 @@
|
||||||
|
"""passbook Crypto forms"""
|
||||||
|
from django import forms
|
||||||
|
from django.utils.translation import gettext_lazy as _
|
||||||
|
|
||||||
|
from passbook.crypto.models import CertificateKeyPair
|
||||||
|
|
||||||
|
|
||||||
|
class CertificateKeyPairForm(forms.ModelForm):
|
||||||
|
"""CertificateKeyPair Form"""
|
||||||
|
|
||||||
|
class Meta:
|
||||||
|
|
||||||
|
model = CertificateKeyPair
|
||||||
|
fields = [
|
||||||
|
"name",
|
||||||
|
"certificate_data",
|
||||||
|
"key_data",
|
||||||
|
]
|
||||||
|
widgets = {
|
||||||
|
"name": forms.TextInput(),
|
||||||
|
"certificate_data": forms.Textarea(attrs={"class": "monospaced"}),
|
||||||
|
"key_data": forms.Textarea(attrs={"class": "monospaced"}),
|
||||||
|
}
|
||||||
|
labels = {
|
||||||
|
"certificate_data": _("Certificate"),
|
||||||
|
"key_data": _("Private Key"),
|
||||||
|
}
|
|
@ -0,0 +1,67 @@
|
||||||
|
# Generated by Django 3.0.3 on 2020-03-03 21:45
|
||||||
|
|
||||||
|
import uuid
|
||||||
|
|
||||||
|
from django.db import migrations, models
|
||||||
|
|
||||||
|
|
||||||
|
def create_self_signed(apps, schema_editor):
|
||||||
|
CertificateKeyPair = apps.get_model("passbook_crypto", "CertificateKeyPair")
|
||||||
|
db_alias = schema_editor.connection.alias
|
||||||
|
from passbook.crypto.builder import CertificateBuilder
|
||||||
|
|
||||||
|
builder = CertificateBuilder()
|
||||||
|
builder.build()
|
||||||
|
CertificateKeyPair.objects.using(db_alias).create(
|
||||||
|
name="passbook Self-signed Certificate",
|
||||||
|
certificate_data=builder.certificate,
|
||||||
|
key_data=builder.private_key,
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
class Migration(migrations.Migration):
|
||||||
|
|
||||||
|
initial = True
|
||||||
|
|
||||||
|
dependencies = []
|
||||||
|
|
||||||
|
operations = [
|
||||||
|
migrations.CreateModel(
|
||||||
|
name="CertificateKeyPair",
|
||||||
|
fields=[
|
||||||
|
("created", models.DateTimeField(auto_now_add=True)),
|
||||||
|
("last_updated", models.DateTimeField(auto_now=True)),
|
||||||
|
(
|
||||||
|
"uuid",
|
||||||
|
models.UUIDField(
|
||||||
|
default=uuid.uuid4,
|
||||||
|
editable=False,
|
||||||
|
primary_key=True,
|
||||||
|
serialize=False,
|
||||||
|
),
|
||||||
|
),
|
||||||
|
("name", models.TextField()),
|
||||||
|
("certificate_data", models.TextField()),
|
||||||
|
("key_data", models.TextField(blank=True, default="")),
|
||||||
|
],
|
||||||
|
options={
|
||||||
|
"verbose_name": "Certificate-Key Pair",
|
||||||
|
"verbose_name_plural": "Certificate-Key Pairs",
|
||||||
|
},
|
||||||
|
),
|
||||||
|
migrations.RunPython(create_self_signed),
|
||||||
|
migrations.AlterField(
|
||||||
|
model_name="certificatekeypair",
|
||||||
|
name="certificate_data",
|
||||||
|
field=models.TextField(help_text="PEM-encoded Certificate data"),
|
||||||
|
),
|
||||||
|
migrations.AlterField(
|
||||||
|
model_name="certificatekeypair",
|
||||||
|
name="key_data",
|
||||||
|
field=models.TextField(
|
||||||
|
blank=True,
|
||||||
|
default="",
|
||||||
|
help_text="Optional Private Key. If this is set, you can use this keypair for encryption.",
|
||||||
|
),
|
||||||
|
),
|
||||||
|
]
|
|
@ -0,0 +1,50 @@
|
||||||
|
"""passbook crypto models"""
|
||||||
|
from binascii import hexlify
|
||||||
|
from typing import Optional
|
||||||
|
|
||||||
|
from cryptography.hazmat.backends import default_backend
|
||||||
|
from cryptography.hazmat.primitives import hashes
|
||||||
|
from cryptography.x509 import Certificate, load_pem_x509_certificate
|
||||||
|
from django.db import models
|
||||||
|
from django.utils.translation import gettext_lazy as _
|
||||||
|
|
||||||
|
from passbook.lib.models import CreatedUpdatedModel, UUIDModel
|
||||||
|
|
||||||
|
|
||||||
|
class CertificateKeyPair(UUIDModel, CreatedUpdatedModel):
|
||||||
|
"""CertificateKeyPair that can be used for signing or encrypting if `key_data`
|
||||||
|
is set, otherwise it can be used to verify remote data."""
|
||||||
|
|
||||||
|
name = models.TextField()
|
||||||
|
certificate_data = models.TextField(help_text=_("PEM-encoded Certificate data"))
|
||||||
|
key_data = models.TextField(
|
||||||
|
help_text=_(
|
||||||
|
"Optional Private Key. If this is set, you can use this keypair for encryption."
|
||||||
|
),
|
||||||
|
blank=True,
|
||||||
|
default="",
|
||||||
|
)
|
||||||
|
|
||||||
|
_cert: Optional[Certificate] = None
|
||||||
|
|
||||||
|
@property
|
||||||
|
def certificate(self) -> Certificate:
|
||||||
|
"""Get python cryptography Certificate instance"""
|
||||||
|
if not self._cert:
|
||||||
|
self._cert = load_pem_x509_certificate(
|
||||||
|
self.certificate_data.encode("utf-8"), default_backend()
|
||||||
|
)
|
||||||
|
return self._cert
|
||||||
|
|
||||||
|
@property
|
||||||
|
def fingerprint(self) -> str:
|
||||||
|
"""Get SHA256 Fingerprint of certificate_data"""
|
||||||
|
return hexlify(self.certificate.fingerprint(hashes.SHA256())).decode("utf-8")
|
||||||
|
|
||||||
|
def __str__(self) -> str:
|
||||||
|
return f"Certificate-Key Pair {self.name} {self.fingerprint}"
|
||||||
|
|
||||||
|
class Meta:
|
||||||
|
|
||||||
|
verbose_name = _("Certificate-Key Pair")
|
||||||
|
verbose_name_plural = _("Certificate-Key Pairs")
|
|
@ -85,6 +85,7 @@ INSTALLED_APPS = [
|
||||||
"passbook.api.apps.PassbookAPIConfig",
|
"passbook.api.apps.PassbookAPIConfig",
|
||||||
"passbook.lib.apps.PassbookLibConfig",
|
"passbook.lib.apps.PassbookLibConfig",
|
||||||
"passbook.audit.apps.PassbookAuditConfig",
|
"passbook.audit.apps.PassbookAuditConfig",
|
||||||
|
"passbook.crypto.apps.PassbookCryptoConfig",
|
||||||
"passbook.recovery.apps.PassbookRecoveryConfig",
|
"passbook.recovery.apps.PassbookRecoveryConfig",
|
||||||
"passbook.sources.saml.apps.PassbookSourceSAMLConfig",
|
"passbook.sources.saml.apps.PassbookSourceSAMLConfig",
|
||||||
"passbook.sources.ldap.apps.PassbookSourceLDAPConfig",
|
"passbook.sources.ldap.apps.PassbookSourceLDAPConfig",
|
||||||
|
|
Reference in New Issue