128 lines
3.8 KiB
Python
128 lines
3.8 KiB
Python
# -*- coding: utf-8 -*-
|
|
#
|
|
# some internal functions are copied from salt.states.file
|
|
|
|
from cryptography.hazmat.backends import default_backend
|
|
from cryptography.hazmat.primitives import serialization
|
|
from cryptography.hazmat.primitives.asymmetric import rsa
|
|
import os
|
|
|
|
|
|
def _check_user(user, group):
|
|
'''
|
|
Checks if the named user and group are present on the minion
|
|
'''
|
|
err = ''
|
|
if user:
|
|
uid = __salt__['file.user_to_uid'](user)
|
|
if uid == '':
|
|
err += 'User {0} is not available '.format(user)
|
|
if group:
|
|
gid = __salt__['file.group_to_gid'](group)
|
|
if gid == '':
|
|
err += 'Group {0} is not available'.format(group)
|
|
return err
|
|
|
|
|
|
def _error(ret, err_msg):
|
|
ret['result'] = False
|
|
ret['comment'] = err_msg
|
|
return ret
|
|
|
|
|
|
def _calculate_umask(mode):
|
|
mode = str(mode).lstrip('0')
|
|
if not mode:
|
|
mode = '0'
|
|
modeint = int(mode, 8)
|
|
return modeint ^ 0777
|
|
|
|
|
|
def valid_key(name, bits=2048, user=None, group=None, mode='0700'):
|
|
"""
|
|
Make sure that the given key file exists and contains a valid RSA key.
|
|
|
|
name
|
|
The name of the key file to check
|
|
|
|
bits
|
|
Minimum bits for the RSA key
|
|
|
|
user
|
|
The user to own the file, this defaults to the user salt is running as
|
|
on the minion
|
|
|
|
group
|
|
The group ownership set for the file, this defaults to the group salt
|
|
is running on the minion
|
|
|
|
mode
|
|
The permissions set on the file, this defaults to 0600
|
|
"""
|
|
|
|
mode = __salt__['config.manage_mode'](mode)
|
|
|
|
ret = {
|
|
'name': name,
|
|
'changes': {},
|
|
'result': None,
|
|
'comment': ''}
|
|
if not os.path.isfile(name) and __opts__['test']:
|
|
ret['comment'] = 'would create RSA key in file {0}'.format(name)
|
|
return ret
|
|
|
|
u_check = _check_user(user, group)
|
|
if u_check:
|
|
return _error(ret, u_check)
|
|
if not os.path.isabs(name):
|
|
return _error(
|
|
ret, 'Specified file {0} is not an absolute path'.format(name))
|
|
if os.path.isdir(name):
|
|
return _error(
|
|
ret, 'Specified target {0} is a directory'.format(name))
|
|
if os.path.exists(name):
|
|
ret, perms = __salt__['file.check_perms'](
|
|
name, ret, user, group, mode)
|
|
if __opts__['test']:
|
|
ret['comment'] = 'File {0} not updated'.format(name)
|
|
return ret
|
|
|
|
if not os.path.isfile(name):
|
|
rsakey = rsa.generate_private_key(
|
|
public_exponent=65537,
|
|
key_size=bits,
|
|
backend=default_backend())
|
|
oldumask = os.umask(_calculate_umask(mode))
|
|
with open(name, 'w') as rsafile:
|
|
rsafile.write(rsakey.private_bytes(
|
|
encoding=serialization.Encoding.PEM,
|
|
format=serialization.PrivateFormat.PKCS8,
|
|
encryption_algorithm=serialization.NoEncryption()
|
|
))
|
|
os.umask(oldumask)
|
|
ret['comment'] = 'created new RSA key and saved PEM file {0}'.format(
|
|
name)
|
|
ret['changes']['created'] = name
|
|
ret['result'] = True
|
|
return ret
|
|
try:
|
|
with open(name, 'r') as rsafile:
|
|
rsakey = serialization.load_pem_private_key(
|
|
rsafile.read(),
|
|
password=None,
|
|
backend=default_backend())
|
|
except Exception as e:
|
|
ret['comment'] = 'error loading RSA key from file {0}: {1}'.format(
|
|
name, e)
|
|
ret['result'] = False
|
|
return ret
|
|
if rsakey.key_size < bits:
|
|
ret['comment'] = (
|
|
'RSA key in {0} is only {1} bits, which is less than the '
|
|
'required {2} bits'.format(name, rsakey.key_size, bits))
|
|
ret['result'] = False
|
|
else:
|
|
ret['comment'] = 'RSA key in file {0} is ok ({1} bits)'.format(
|
|
name, rsakey.key_size)
|
|
ret['result'] = True
|
|
return ret
|