From 435b6a47032fe88e65fe5d72baf16714fca5e3ad Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matthias=20B=C3=BCchse?= Date: Fri, 8 Nov 2024 13:00:02 +0100 Subject: [PATCH 1/5] Provide support script for adding new test subject MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Resolves #816 Signed-off-by: Matthias Büchse --- Tests/.gitignore | 1 + Tests/add_subject.py | 88 ++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 89 insertions(+) create mode 100755 Tests/add_subject.py diff --git a/Tests/.gitignore b/Tests/.gitignore index 27f5fd549..e3a2cb922 100644 --- a/Tests/.gitignore +++ b/Tests/.gitignore @@ -1,2 +1,3 @@ htmlcov/ .coverage +.secret diff --git a/Tests/add_subject.py b/Tests/add_subject.py new file mode 100755 index 000000000..3937b0234 --- /dev/null +++ b/Tests/add_subject.py @@ -0,0 +1,88 @@ +#!/usr/bin/env python3 +# vim: set ts=4 sw=4 et: +# +# add_subject.py +# +# (c) Matthias Büchse +# SPDX-License-Identifier: Apache-2.0 +import base64 +import getpass +import os +import os.path +import re +import shutil +import subprocess +import sys +import tempfile + +try: + from passlib.context import CryptContext + import argon2 +except ImportError: + print('Missing passlib and/or argon2. Please do:\npip install passlib argon2_cffi', file=sys.stderr) + sys.exit(1) + +# see ../compliance-monitor/monitor.py +CRYPTCTX = CryptContext(schemes=('argon2', 'bcrypt'), deprecated='auto') +SSH_KEYGEN = shutil.which('ssh-keygen') +SUBJECT_RE = re.compile(r"[a-zA-Z0-9_\-]+") + + +def main(argv, cwd): + if len(argv) != 1: + raise RuntimeError("Need to supply precisely one argument: name of subject") + subject = argv[0] + print(f"Attempt to add subject {subject!r}") + keyfile_path = os.path.join(cwd, '.secret', 'keyfile') + tokenfile_path = os.path.join(cwd, '.secret', 'tokenfile') + if os.path.exists(keyfile_path): + raise RuntimeError(f"Keyfile {keyfile_path} already present. Please proceed manually") + if os.path.exists(tokenfile_path): + raise RuntimeError(f"Tokenfile {tokenfile_path} already present. Please proceed manually") + if not(SUBJECT_RE.fullmatch(subject)): + raise RuntimeError(f"Subject name {subject!r} using disallowed characters") + sanitized_subject = subject.replace('-', '_') + print("Creating API key...") + while True: + password = getpass.getpass("Enter passphrase: ") + if password == getpass.getpass("Repeat passphrase: "): + break + print("No match. Try again...") + token = base64.b64encode(f"{subject}:{password}".encode('utf-8')) + hash_ = CRYPTCTX.hash(password) + with open(tokenfile_path, "wb") as fileobj: + fileobj.write(token) + print("Creating key file using `ssh-keygen`...") + subprocess.check_call([SSH_KEYGEN, '-t', 'ed25519', '-C', sanitized_subject, '-f', keyfile_path, '-N', '', '-q']) + with open(keyfile_path + '.pub', "r") as fileobj: + pubkey_components = fileobj.readline().split() + print(f''' +The following SECRET files have been created: + + - {keyfile_path} + - {tokenfile_path} + +They are required for submitting test reports. You MUST keep them secure and safe. + +Insert the following snippet into compliance-monitor/bootstrap.yaml: + + - {subject}: + api_keys: + - "{hash_}" + keys: + - public_key: "{pubkey_components[1]}" + public_key_type: "{pubkey_components[0]}" + public_key_name: "primary" + +Make sure to submit a pull request with the changed file. Otherwise, the reports cannot be submitted. +''', end='') + + +if __name__ == "__main__": + try: + sys.exit(main(sys.argv[1:], cwd=os.path.dirname(sys.argv[0]) or os.getcwd()) or 0) + except RuntimeError as e: + print(str(e), file=sys.stderr) + sys.exit(1) + except KeyboardInterrupt: + print("Interrupted", file=sys.stderr) From be27f257e4daf9afd12ba91cd67a3275add55bbd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matthias=20B=C3=BCchse?= Date: Fri, 8 Nov 2024 13:04:40 +0100 Subject: [PATCH 2/5] amendment MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Matthias Büchse --- Tests/add_subject.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Tests/add_subject.py b/Tests/add_subject.py index 3937b0234..3cbd64b2f 100755 --- a/Tests/add_subject.py +++ b/Tests/add_subject.py @@ -66,7 +66,7 @@ def main(argv, cwd): Insert the following snippet into compliance-monitor/bootstrap.yaml: - - {subject}: + - subject: {subject} api_keys: - "{hash_}" keys: From 560fba3e98fb8ad46875cddfdff702c0e5531860 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matthias=20B=C3=BCchse?= Date: Fri, 8 Nov 2024 13:06:42 +0100 Subject: [PATCH 3/5] Acquiesce flake8 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Matthias Büchse --- Tests/add_subject.py | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/Tests/add_subject.py b/Tests/add_subject.py index 3cbd64b2f..43322ef09 100755 --- a/Tests/add_subject.py +++ b/Tests/add_subject.py @@ -13,11 +13,10 @@ import shutil import subprocess import sys -import tempfile try: from passlib.context import CryptContext - import argon2 + import argon2 # noqa:F401 except ImportError: print('Missing passlib and/or argon2. Please do:\npip install passlib argon2_cffi', file=sys.stderr) sys.exit(1) @@ -39,7 +38,7 @@ def main(argv, cwd): raise RuntimeError(f"Keyfile {keyfile_path} already present. Please proceed manually") if os.path.exists(tokenfile_path): raise RuntimeError(f"Tokenfile {tokenfile_path} already present. Please proceed manually") - if not(SUBJECT_RE.fullmatch(subject)): + if not SUBJECT_RE.fullmatch(subject): raise RuntimeError(f"Subject name {subject!r} using disallowed characters") sanitized_subject = subject.replace('-', '_') print("Creating API key...") From ff8568d01e3d8d9f8c88e114c93355bcabf448ec Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matthias=20B=C3=BCchse?= Date: Tue, 26 Nov 2024 21:24:41 +0100 Subject: [PATCH 4/5] make tokenfile readable to user only MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Matthias Büchse --- Tests/add_subject.py | 1 + 1 file changed, 1 insertion(+) diff --git a/Tests/add_subject.py b/Tests/add_subject.py index 43322ef09..18413eb01 100755 --- a/Tests/add_subject.py +++ b/Tests/add_subject.py @@ -50,6 +50,7 @@ def main(argv, cwd): token = base64.b64encode(f"{subject}:{password}".encode('utf-8')) hash_ = CRYPTCTX.hash(password) with open(tokenfile_path, "wb") as fileobj: + os.fchmod(fileobj.fileno(), 0o600) fileobj.write(token) print("Creating key file using `ssh-keygen`...") subprocess.check_call([SSH_KEYGEN, '-t', 'ed25519', '-C', sanitized_subject, '-f', keyfile_path, '-N', '', '-q']) From 571fd97597285ceb476423eb9d34d72e62812201 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matthias=20B=C3=BCchse?= Date: Tue, 26 Nov 2024 21:29:49 +0100 Subject: [PATCH 5/5] use correct exitcode upon ctrl-c MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Kurt Garloff Signed-off-by: Matthias Büchse --- Tests/add_subject.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Tests/add_subject.py b/Tests/add_subject.py index 18413eb01..fabeb9932 100755 --- a/Tests/add_subject.py +++ b/Tests/add_subject.py @@ -11,6 +11,7 @@ import os.path import re import shutil +import signal import subprocess import sys @@ -86,3 +87,4 @@ def main(argv, cwd): sys.exit(1) except KeyboardInterrupt: print("Interrupted", file=sys.stderr) + sys.exit(128 + signal.SIGINT)