2016-03-16 21:45:25 +00:00
|
|
|
#!/usr/bin/env python
|
|
|
|
|
|
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
# you may not use this file except in compliance with the License.
|
|
|
|
# You may obtain a copy of the License at
|
|
|
|
#
|
|
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
#
|
|
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
# See the License for the specific language governing permissions and
|
|
|
|
# limitations under the License.
|
|
|
|
|
2016-05-17 23:06:59 +05:30
|
|
|
import argparse
|
2016-08-10 15:48:32 +10:00
|
|
|
import hmac
|
2016-03-27 00:39:07 +08:00
|
|
|
import os
|
2016-03-16 21:45:25 +00:00
|
|
|
import random
|
|
|
|
import string
|
2016-09-02 09:56:56 +02:00
|
|
|
import sys
|
2016-03-16 21:45:25 +00:00
|
|
|
|
2018-07-26 21:58:47 +02:00
|
|
|
from cryptography import fernet
|
2017-04-24 16:44:59 +08:00
|
|
|
from cryptography.hazmat.backends import default_backend
|
|
|
|
from cryptography.hazmat.primitives.asymmetric import rsa
|
|
|
|
from cryptography.hazmat.primitives import serialization
|
2016-08-10 15:48:32 +10:00
|
|
|
from hashlib import md5
|
2016-11-19 15:17:44 +05:30
|
|
|
from oslo_utils import uuidutils
|
|
|
|
import yaml
|
2016-03-27 00:39:07 +08:00
|
|
|
|
2016-09-02 09:56:56 +02:00
|
|
|
# NOTE(SamYaple): Update the search path to prefer PROJECT_ROOT as the source
|
|
|
|
# of packages to import if we are using local tools instead of
|
|
|
|
# pip installed kolla tools
|
|
|
|
PROJECT_ROOT = os.path.abspath(os.path.join(
|
|
|
|
os.path.dirname(os.path.realpath(__file__)), '../..'))
|
|
|
|
if PROJECT_ROOT not in sys.path:
|
|
|
|
sys.path.insert(0, PROJECT_ROOT)
|
|
|
|
|
2016-03-27 00:39:07 +08:00
|
|
|
|
2016-08-11 09:48:21 +00:00
|
|
|
def generate_RSA(bits=4096):
|
2017-04-24 16:44:59 +08:00
|
|
|
new_key = rsa.generate_private_key(
|
|
|
|
public_exponent=65537,
|
|
|
|
key_size=bits,
|
|
|
|
backend=default_backend()
|
|
|
|
)
|
|
|
|
private_key = new_key.private_bytes(
|
|
|
|
encoding=serialization.Encoding.PEM,
|
|
|
|
format=serialization.PrivateFormat.PKCS8,
|
|
|
|
encryption_algorithm=serialization.NoEncryption()
|
2018-05-22 16:33:40 -07:00
|
|
|
).decode()
|
2017-04-24 16:44:59 +08:00
|
|
|
public_key = new_key.public_key().public_bytes(
|
|
|
|
encoding=serialization.Encoding.OpenSSH,
|
|
|
|
format=serialization.PublicFormat.OpenSSH
|
2018-05-22 16:33:40 -07:00
|
|
|
).decode()
|
2016-03-27 00:39:07 +08:00
|
|
|
return private_key, public_key
|
|
|
|
|
2016-03-16 21:45:25 +00:00
|
|
|
|
2019-02-09 22:27:50 +01:00
|
|
|
def genpwd(passwords_file, length, uuid_keys, ssh_keys, blank_keys,
|
|
|
|
fernet_keys, hmac_md5_keys):
|
|
|
|
with open(passwords_file, 'r') as f:
|
|
|
|
passwords = yaml.safe_load(f.read())
|
|
|
|
|
|
|
|
for k, v in passwords.items():
|
|
|
|
if (k in ssh_keys and
|
|
|
|
(v is None
|
|
|
|
or v.get('public_key') is None
|
|
|
|
and v.get('private_key') is None)):
|
|
|
|
private_key, public_key = generate_RSA()
|
|
|
|
passwords[k] = {
|
|
|
|
'private_key': private_key,
|
|
|
|
'public_key': public_key
|
|
|
|
}
|
|
|
|
continue
|
|
|
|
if v is None:
|
|
|
|
if k in blank_keys and v is None:
|
|
|
|
continue
|
|
|
|
if k in uuid_keys:
|
|
|
|
passwords[k] = uuidutils.generate_uuid()
|
|
|
|
elif k in hmac_md5_keys:
|
|
|
|
passwords[k] = (hmac.new(
|
|
|
|
uuidutils.generate_uuid().encode(), ''.encode(), md5)
|
|
|
|
.hexdigest())
|
|
|
|
elif k in fernet_keys:
|
Fix Python3 compatibility for kolla-genpwd
The method `Fernet.generate_key()` generates a binary string in Python 3:
```
>>> Fernet.generate_key()
b'qSMZlOK23pZUw_Uyy-ZRPUfPskMXKGCGmhG6AHCFiV8='
```
Unless properly written as a string to the Kolla `passwords.yml` file,
the Fernet key will end up in the final Barbican config like this:
```
[simple_crypto_plugin]
kek = b'qSMZlOK23pZUw_Uyy-ZRPUfPskMXKGCGmhG6AHCFiV8='
```
Due to the fact that the key is incorrectly written to the barbican
config file (it should be written as a string), every barbican secret
store fails with:
```
barbican.api.controllers File "/var/lib/kolla/venv/lib/python3.6/site-packages/barbican/plugin/store_crypto.py", line 83, in store_secret
barbican.api.controllers encrypting_plugin, context.project_model)
barbican.api.controllers File "/var/lib/kolla/venv/lib/python3.6/site-packages/barbican/plugin/store_crypto.py", line 290, in _find_or_create_kek_objects
barbican.api.controllers kek_meta_dto = plugin_inst.bind_kek_metadata(kek_meta_dto)
barbican.api.controllers File "/var/lib/kolla/venv/lib/python3.6/site-packages/barbican/plugin/crypto/simple_crypto.py", line 104, in bind_kek_metadata
barbican.api.controllers encryptor = fernet.Fernet(self.master_kek)
barbican.api.controllers File "/var/lib/kolla/venv/lib/python3.6/site-packages/cryptography/fernet.py", line 38, in __init__
barbican.api.controllers "Fernet key must be 32 url-safe base64-encoded bytes."
barbican.api.controllers ValueError: Fernet key must be 32 url-safe base64-encoded bytes.
```
This commit fixes the issue described above by properly writing
the Fernet key as a string to the Kolla `passwords.yml` file.
Closes-Bug: #1848191
Change-Id: I27fc0159c889bc2e1576fdd69b7d02a320b620f8
2019-10-15 09:10:07 +00:00
|
|
|
passwords[k] = fernet.Fernet.generate_key().decode()
|
2019-02-09 22:27:50 +01:00
|
|
|
else:
|
|
|
|
passwords[k] = ''.join([
|
|
|
|
random.SystemRandom().choice(
|
|
|
|
string.ascii_letters + string.digits)
|
|
|
|
for n in range(length)
|
|
|
|
])
|
|
|
|
|
|
|
|
with open(passwords_file, 'w') as f:
|
|
|
|
f.write(yaml.safe_dump(passwords, default_flow_style=False))
|
|
|
|
|
|
|
|
|
2016-03-16 21:45:25 +00:00
|
|
|
def main():
|
2016-05-17 23:06:59 +05:30
|
|
|
parser = argparse.ArgumentParser()
|
|
|
|
parser.add_argument(
|
|
|
|
'-p', '--passwords', type=str,
|
|
|
|
default=os.path.abspath('/etc/kolla/passwords.yml'),
|
2017-09-14 00:16:19 +02:00
|
|
|
help=('Path to the passwords.yml file'))
|
2016-05-17 23:06:59 +05:30
|
|
|
|
|
|
|
args = parser.parse_args()
|
|
|
|
passwords_file = os.path.expanduser(args.passwords)
|
|
|
|
|
2016-03-16 21:45:25 +00:00
|
|
|
# These keys should be random uuids
|
2017-03-07 22:03:50 +08:00
|
|
|
uuid_keys = ['ceph_cluster_fsid',
|
|
|
|
'rbd_secret_uuid',
|
|
|
|
'cinder_rbd_secret_uuid',
|
|
|
|
'gnocchi_project_id',
|
|
|
|
'gnocchi_resource_id',
|
|
|
|
'gnocchi_user_id',
|
|
|
|
'designate_pool_id',
|
2016-11-25 06:21:35 +08:00
|
|
|
'karbor_openstack_infra_id']
|
2016-03-16 21:45:25 +00:00
|
|
|
|
2016-03-27 00:39:07 +08:00
|
|
|
# SSH key pair
|
2016-08-03 14:25:52 +00:00
|
|
|
ssh_keys = ['kolla_ssh_key', 'nova_ssh_key',
|
|
|
|
'keystone_ssh_key', 'bifrost_ssh_key']
|
2016-03-27 00:39:07 +08:00
|
|
|
|
2016-03-16 21:45:25 +00:00
|
|
|
# If these keys are None, leave them as None
|
|
|
|
blank_keys = ['docker_registry_password']
|
|
|
|
|
2016-08-10 15:48:32 +10:00
|
|
|
# HMAC-MD5 keys
|
2017-04-10 15:31:41 +01:00
|
|
|
hmac_md5_keys = ['designate_rndc_key',
|
|
|
|
'osprofiler_secret']
|
2016-08-10 15:48:32 +10:00
|
|
|
|
2018-07-26 21:58:47 +02:00
|
|
|
# Fernet keys
|
|
|
|
fernet_keys = ['barbican_crypto_key']
|
2017-03-11 15:29:45 +08:00
|
|
|
|
2016-03-16 21:45:25 +00:00
|
|
|
# length of password
|
|
|
|
length = 40
|
|
|
|
|
2019-02-09 22:27:50 +01:00
|
|
|
genpwd(passwords_file, length, uuid_keys, ssh_keys, blank_keys,
|
|
|
|
fernet_keys, hmac_md5_keys)
|
2016-03-16 21:45:25 +00:00
|
|
|
|
|
|
|
|
|
|
|
if __name__ == '__main__':
|
|
|
|
main()
|