add new stack certificate authority with support for CA web mode

Auth server is an apache httpd which validate client certificate for authentification. It autmatically request certificate to CA web (required to this work on SlapOS)

add new stack certificate authority with support for CA web mode
Auth server is an apache httpd which validate client certificate for authentification. It autmatically request certificate to CA web (required to this work on SlapOS)
428b69b7 · Alain Takoudjou · a9fbc474 · 428b69b7 · 428b69b7 · 428b69b7
Commit 428b69b7 authored Nov 21, 2016 by Alain Takoudjou
5 changed files
--- a/stack/certificate-authority/buildout.cfg
+++ b/stack/certificate-authority/buildout.cfg
+[buildout]
+
+extends =
+  ../../component/apache/buildout.cfg
+  ../../component/curl/buildout.cfg
+  ../../component/dash/buildout.cfg
+  ../../component/dcron/buildout.cfg
+  ../../component/openssl/buildout.cfg
+  ../../component/gzip/buildout.cfg
+  ../../component/lxml-python/buildout.cfg
+  ../../component/pycurl/buildout.cfg
+  ../../component/python-cryptography/buildout.cfg
+  ../../stack/logrotate/buildout.cfg
+
+
+parts =
+  template-logrotate-base
+
+[extra-eggs]
+recipe = zc.recipe.egg
+eggs =
+  slapos.toolbox
+  plone.recipe.command
+  collective.recipe.template
+
+[template-ca-download-base]
+recipe = hexagonit.recipe.download
+ignore-existing = true
+download-only = true
+url = ${:_profile_base_location_}/template/${:filename}
+mode = 0644
+
+[template-httpd-auth-conf]
+<= template-ca-download-base
+md5sum = ea445b0a9b143d12b5700a71ac06293c
+filename = template-httpd-auth.conf.in
+
+[template-openssl-cnf]
+<= template-ca-download-base
+md5sum = ddbff3b56db7e0f9e88c8905e9c3678b
+filename = openssl.cnf.in
+
+[template-authenticated-server]
+recipe = slapos.recipe.template:jinja2
+filename = template-authenticated-server.cfg
+template = ${:_profile_base_location_}/instance-auth-server.cfg.jinja2.in
+rendered = ${buildout:directory}/template-authenticated-server.cfg
+md5sum = 7677333023b89dc345c18eace252e34a
+context =
+  key apache_location apache:location
+  key gzip_location gzip:location
+  key template_logrotate_base template-logrotate-base:rendered
+  raw certificate_request_bin ${buildout:directory}/bin/ca-web-request 
+  raw curl_executable_location ${curl:location}/bin/curl
+  raw dash_executable_location ${dash:location}/bin/dash
+  raw dcron_executable_location ${dcron:location}/sbin/crond
+  raw slapos_kill_bin ${buildout:directory}/bin/slapos-kill
+  raw template_httpd_auth_template ${template-httpd-auth-conf:location}/${template-httpd-auth-conf:filename}
+  raw openssl_executable_location ${openssl:location}/bin/openssl
+  raw python_executable ${buildout:executable}
+depends = 
+  ${extra-eggs:eggs}
+
+[template-certificate-authority]
+recipe = slapos.recipe.template:jinja2
+filename = template-certificate-authority.cfg
+template = ${:_profile_base_location_}/instance-certificate-authority.cfg.jinja2.in
+rendered = ${buildout:directory}/template-certificate-authority.cfg
+md5sum = 6403eec50f70a1a989480052df42d025
+context =
+  key template_logrotate_base template-logrotate-base:rendered
+  raw curl_executable_location ${curl:location}/bin/curl
+  raw certificate_authority_bin ${buildout:directory}/bin/certificate_authority
+  raw dash_executable_location ${dash:location}/bin/dash
+  raw openssl_executable_location ${openssl:location}/bin/openssl
+  raw template_openssl_conf ${template-openssl-cnf:location}/${template-openssl-cnf:filename}
+depends = 
+  ${extra-eggs:eggs}
--- a/stack/certificate-authority/instance-auth-server.cfg.jinja2.in
+++ b/stack/certificate-authority/instance-auth-server.cfg.jinja2.in
+[buildout]
+
+extends =
+  {{ template_logrotate_base }}
+
+parts = 
+  authenticated-httpd-server
+
+[authenticated-server-parameters]
+ca-url = 
+common-name = instance@${slap-configuration:instance-title}
+server-port = 8286
+custom-httpd-file = 
+web-directory = ${directory:document-root}
+
+[directory]
+recipe = slapos.cookbook:mkdirectory
+etc = ${buildout:directory}/etc
+bin = ${buildout:directory}/bin
+srv = ${buildout:directory}/srv
+var = ${buildout:directory}/var
+ssl = ${:etc}/ssl
+run = ${:var}/run
+log = ${:var}/log
+scripts = ${:etc}/run
+services = ${:etc}/service
+promises = ${:etc}/promise
+document-root = ${:srv}/private
+
+[server-certificate-request]
+recipe = slapos.cookbook:wrapper
+wrapper-path = ${directory:scripts}/request-instance-certificate
+cert-file = ${directory:ssl}/instance.cert.pem
+key-file = ${directory:ssl}/instance.key.pem
+ca-cert = ${directory:ssl}/cacert.pem
+command-line = {{ certificate_request_bin }}
+  --cert_file ${:cert-file}
+  --key_file ${:key-file}
+  --cn ${authenticated-server-parameters:common-name}
+  --ca_url ${authenticated-server-parameters:ca-url}
+  --ca_cert_file ${:ca-cert}
+
+[authenticated-httpd-conf-parameter]
+ip = ${slap-configuration:ipv6-random}
+port = ${authenticated-server-parameters:server-port}
+pid-file = ${directory:run}/httpd-auth.pid
+dav-lock = ${directory:var}/DavLockdb
+access-log = ${directory:log}/httpd-auth-access.log
+error-log = ${directory:log}/httpd-auth-error.log
+cert-file = ${server-certificate-request:cert-file}
+key-file = ${server-certificate-request:key-file}
+ca-cert = ${server-certificate-request:ca-cert}
+url = https://[${:ip}]:${:port}
+private = ${authenticated-server-parameters:web-directory}
+httpd-include-file = ${authenticated-server-parameters:custom-httpd-file}
+crl = 
+
+[authenticated-httpd-conf]
+recipe = slapos.recipe.template:jinja2
+template = {{ template_httpd_auth_template }}
+rendered = ${directory:etc}/httpd-auth.conf
+mode = 0744
+context =
+  section parameter_dict authenticated-httpd-conf-parameter
+
+[authenticated-httpd-graceful]
+recipe = collective.recipe.template
+input = inline:
+  #!{{ dash_executable_location }}
+  kill -USR1 $(cat ${authenticated-httpd-conf-parameter:pid-file})
+
+output = ${directory:scripts}/authenticated-httpd-graceful
+mode = 700
+
+[authenticated-httpd-server]
+recipe = slapos.cookbook:wrapper
+command-line = {{ apache_location }}/bin/httpd -f ${authenticated-httpd-conf:rendered} -DFOREGROUND
+wrapper-path = ${directory:services}/authenticated-httpd-server
+wait-for-files =
+  ${server-certificate-request:cert-file}
+  ${server-certificate-request:key-file}
+  ${server-certificate-request:ca-cert}
+
+url = ${authenticated-httpd-conf-parameter:url}
+
+depends = 
+  ${authenticated-httpd-promise:filename}
+  ${authenticated-httpd-graceful:output}
+  ${logrotate-authenticated-httpd:name}
+
+[logrotate-authenticated-httpd]
+< = logrotate-entry-base
+name = authenticated-httpd-server
+log = ${authenticated-httpd-conf-parameter:access-log} ${authenticated-httpd-conf-parameter:access-log}
+post = {{ slapos_kill_bin }} --pidfile ${authenticated-httpd-conf-parameter:pid-file} -s USR1
+
+[authenticated-httpd-promise]
+recipe = slapos.cookbook:check_url_available
+path = ${directory:promises}/${:filename}
+filename = authenticated-httpd-is-available
+url = ${authenticated-httpd-conf-parameter:url}
+check-secure = 1
+dash_path = {{ dash_executable_location }}
+curl_path = {{ curl_executable_location }}
+cert-file = ${server-certificate-request:cert-file}
+key-file = ${server-certificate-request:key-file}
+ca-cert-file = ${server-certificate-request:ca-cert}
+
+[slap-configuration]
+recipe = slapos.cookbook:slapconfiguration.serialised
+computer = ${slap-connection:computer-id}
+partition = ${slap-connection:partition-id}
+url = ${slap-connection:server-url}
+key = ${slap-connection:key-file}
+cert = ${slap-connection:cert-file}
--- a/stack/certificate-authority/instance-certificate-authority.cfg.jinja2.in
+++ b/stack/certificate-authority/instance-certificate-authority.cfg.jinja2.in
+[buildout]
+
+extends =
+  {{ template_logrotate_base }}
+
+parts = 
+  certificate-authority
+  certificate-authority-web
+
+[certificate-authority-parameters]
+server-port = 8009
+crl-url = http://[${slap-configuration:ipv6-random}]:${:server-port}/cacrl.pem
+
+[directory]
+recipe = slapos.cookbook:mkdirectory
+etc = ${buildout:directory}/etc
+bin = ${buildout:directory}/bin
+srv = ${buildout:directory}/srv
+var = ${buildout:directory}/var
+run = ${:var}/run
+log = ${:var}/log
+scripts = ${:etc}/run
+services = ${:etc}/service
+promises = ${:etc}/promise
+
+[ca-directory]
+recipe = slapos.cookbook:mkdirectory
+root = ${directory:srv}/ssl
+ca-web = ${directory:srv}/ca
+requests = ${:root}/requests
+private = ${:root}/private
+certs = ${:root}/certs
+newcerts = ${:root}/newcerts
+crl = ${:root}/crl
+
+[certificate-authority]
+recipe = slapos.cookbook:certificate_authority
+openssl-binary = {{ openssl_executable_location }}
+ca-dir = ${ca-directory:root}
+requests-directory = ${ca-directory:requests}
+wrapper = ${directory:services}/certificate_authority
+ca-private = ${ca-directory:private}
+ca-certs = ${ca-directory:certs}
+ca-newcerts = ${ca-directory:newcerts}
+ca-crl = ${ca-directory:crl}
+
+[openssl-parameter-dict]
+ca-dir = ${ca-directory:ca-web}
+cert-days = 3650
+country-code = XX
+state = ('State',)
+city = City
+compagny = Company
+# common-name = XXX
+email = xx@example.com
+crl-url = ${certificate-authority-parameters:crl-url}
+
+[openssl-conf]
+recipe = slapos.recipe.template:jinja2
+template = {{ template_openssl_conf }}
+rendered = ${ca-directory:ca-web}/openssl.cnf
+mode = 700
+context = 
+  section parameter_dict openssl-parameter-dict
+
+[certificate-authority-web]
+recipe = slapos.cookbook:wrapper
+host = ${slap-configuration:ipv6-random}
+port = ${certificate-authority-parameters:server-port}
+wrapper-path = ${directory:services}/certificate-authority-web
+command-line = {{ certificate_authority_bin }}
+  --ca_dir ${ca-directory:ca-web}
+  --openssl_bin "{{ openssl_executable_location }}"
+  --config_file "${openssl-conf:rendered}"
+  --host "${:host}"
+  --port "${:port}"
+  --log_file "${directory:log}/ca-web.log"
+  --trusted_host ${:host}
+
+url = http://[${:host}]:${:port}
+depends = 
+  ${certificate-authority-web-promise:filename}
+
+[certificate-authority-web-promise]
+recipe = slapos.cookbook:check_url_available
+path = ${directory:promises}/${:filename}
+filename = certificate-authority-web-listening-on-tcp
+url = http://[${slap-configuration:ipv6-random}]:${certificate-authority-parameters:server-port}
+check-secure = 1
+dash_path = {{ dash_executable_location }}
+curl_path = {{ curl_executable_location }}
+
+[slap-configuration]
+recipe = slapos.cookbook:slapconfiguration.serialised
+computer = ${slap-connection:computer-id}
+partition = ${slap-connection:partition-id}
+url = ${slap-connection:server-url}
+key = ${slap-connection:key-file}
+cert = ${slap-connection:cert-file}
--- a/stack/certificate-authority/template/openssl.cnf.in
+++ b/stack/certificate-authority/template/openssl.cnf.in
--- a/stack/certificate-authority/template/template-httpd-auth.conf.in
+++ b/stack/certificate-authority/template/template-httpd-auth.conf.in
+Listen [{{ parameter_dict['ip'] }}]:{{ parameter_dict['port'] }}
+
+LoadModule unixd_module modules/mod_unixd.so
+LoadModule access_compat_module modules/mod_access_compat.so
+LoadModule authz_core_module modules/mod_authz_core.so
+LoadModule authz_host_module modules/mod_authz_host.so
+LoadModule mime_module modules/mod_mime.so
+LoadModule dir_module modules/mod_dir.so
+LoadModule ssl_module modules/mod_ssl.so
+LoadModule alias_module modules/mod_alias.so
+LoadModule autoindex_module modules/mod_autoindex.so
+LoadModule proxy_module      modules/mod_proxy.so
+LoadModule proxy_http_module modules/mod_proxy_http.so
+LoadModule rewrite_module modules/mod_rewrite.so
+LoadModule headers_module modules/mod_headers.so
+LoadModule env_module modules/mod_env.so
+LoadModule setenvif_module modules/mod_setenvif.so
+LoadModule log_config_module modules/mod_log_config.so
+LoadModule dav_module modules/mod_dav.so
+LoadModule dav_fs_module modules/mod_dav_fs.so
+
+ServerAdmin admin@
+TypesConfig conf/mime.types
+AddType application/x-compress .Z
+AddType application/x-gzip .gz .tgz
+
+ServerTokens Prod
+ServerSignature Off
+TraceEnable Off
+
+PidFile "{{ parameter_dict['pid-file'] }}"
+ErrorLog "{{ parameter_dict['error-log'] }}"
+# Default apache log format with request time in microsecond at the end
+LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
+CustomLog "{{ parameter_dict['access-log'] }}" combined
+
+# SSL Configuration
+Define SSLConfigured
+SSLCertificateFile {{ parameter_dict['cert-file'] }}
+SSLCertificateKeyFile {{ parameter_dict['key-file'] }}
+SSLRandomSeed startup builtin
+SSLRandomSeed connect builtin
+SSLRandomSeed startup /dev/urandom 256
+SSLRandomSeed connect builtin
+SSLProtocol all -SSLv2 -SSLv3
+SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
+SSLHonorCipherOrder on
+
+SSLEngine   On
+
+
+<Directory />
+  Options FollowSymLinks
+  AllowOverride None
+  Allow from all
+</Directory>
+
+<VirtualHost *:{{ parameter_dict['port'] }}>
+
+  DavLockDB {{ parameter_dict['dav-lock'] }}
+
+  SSLVerifyClient require
+  RequestHeader set REMOTE_USER %{SSL_CLIENT_S_DN_CN}s
+  SSLCACertificateFile {{ parameter_dict['ca-cert'] }}
+  {% if parameter_dict['crl'] -%}
+  SSLCARevocationCheck chain
+  SSLCARevocationFile {{ parameter_dict['crl'] }}
+  {%- endif %}
+
+  Alias / {{ parameter_dict['private'] }}/
+  <Directory {{ parameter_dict['private'] }}>
+    DirectoryIndex disabled
+    DAV On
+    Options Indexes FollowSymLinks
+    Order Allow,Deny
+    Allow from all
+  </Directory>
+
+</VirtualHost>
+
+{% if parameter_dict.get('httpd-include-file', '') -%}
+# Custom apache configuration here
+Include {{ parameter_dict['httpd-include-file'] }}
+{% endif -%}