Merge pull request #361 from mdellweg/install_token_keys

Import or generate key for token authentication

CHANGES/7098.feature

@@ -0,0 +1 @@
+A key for token authentication is installed from either a specified file or a newly generated one.

roles/pulp_api/README.md

@@ -6,12 +6,14 @@ Install, configure, and set the state of the pulp API service.
 Role Variables
 --------------
 
-* `pulp_api_bind` Interface and Port where Pulp Content `gunicorn` service will listen. Defaults to
+* `pulp_api_bind`: Interface and Port where Pulp Content `gunicorn` service will listen. Defaults to
   '127.0.0.1:24817'. This variable is the value used to render the `pulpcore-api.service.j2` template
   passing to the `--bind` parameter of the `gunicorn` service.
 * `pulp_api_workers`: Number of Pulp Content `gunicorn` processes for handling requests. Defaults to 1.
   Used to render the `pulpcore-api.service.j2` template, passing to the `--workers` parameter of the
   gunicorn service.
+* `pulp_token_auth_key`: Location of the openssl private key (in pem format) to use for token
+  authentication. If not specified, a new key wil be generated.
 
 Shared variables
 ----------------

roles/pulp_api/tasks/generate_token_auth_key.yml

@@ -0,0 +1,21 @@
+---
+- name: Look for token authentication key
+  stat:
+    path: "{{ __pulp_common_pulp_pki_dir }}/token_private_key.pem"
+    get_attributes: false
+    get_checksum: false
+    get_mime: false
+  become: true
+  become_user: "{{ pulp_user }}"
+  register: __pulp_token_auth_key
+
+- name: Generate token authentication private key
+  openssl_privatekey:
+    path: "{{ __pulp_common_pulp_pki_dir }}/token_private_key.pem"
+    type: ECC
+    curve: secp256r1
+    owner: "{{ pulp_user }}"
+    group: "{{ pulp_group }}"
+  become: true
+  become_user: "{{ pulp_user }}"
+  when: not __pulp_token_auth_key.stat.exists

roles/pulp_api/tasks/import_token_auth_key.yml

@@ -0,0 +1,10 @@
+---
+- name: Import specified token authentication key
+  copy:
+    src: "{{ pulp_token_auth_key }}"
+    dest: "{{ __pulp_common_pulp_pki_dir }}/token_private_key.pem"
+    owner: "{{ pulp_user }}"
+    group: "{{ pulp_group }}"
+    mode: 0600
+  become: true
+  become_user: "{{ pulp_user }}"

roles/pulp_api/tasks/main.yml

@@ -20,4 +20,45 @@
         daemon_reload: true
       become: true
 
-  when: pulp_install_api_service |bool
+    - name: Ensure python-cryptography is installed
+      package:
+        name: '{{ pulp_python_cryptography }}'
+      become: true
+
+    - name: Create cert directory to hold token authentication key
+      file:
+        path: "{{ __pulp_common_pulp_pki_dir }}"
+        state: directory
+        owner: "{{ pulp_user }}"
+        group: "{{ pulp_group }}"
+        mode: 0700
+      become: true
+
+    - import_tasks: generate_token_auth_key.yml
+      when: pulp_token_auth_key is undefined
+
+    - import_tasks: import_token_auth_key.yml
+      when: pulp_token_auth_key is defined
+
+    - name: Extract token authentication public key
+      openssl_publickey:
+        path: "{{ __pulp_common_pulp_pki_dir }}/token_public_key.pem"
+        privatekey_path: "{{ __pulp_common_pulp_pki_dir }}/token_private_key.pem"
+        owner: "{{ pulp_user }}"
+        group: "{{ pulp_group }}"
+      become: true
+      become_user: "{{ pulp_user }}"
+      when:
+        - (ansible_version.major > 2) or (ansible_version.major == 2 and ansible_version.minor >= 9)
+
+    - name: Extract token authentication public key (ansible 2.8 workaround)
+      command:
+        cmd: "openssl ec -in {{ __pulp_common_pulp_pki_dir }}/token_private_key.pem -pubout -out {{ __pulp_common_pulp_pki_dir }}/token_public_key.pem"
+        creates: "{{ __pulp_common_pulp_pki_dir }}/token_public_key.pem"
+      become: true
+      become_user: "{{ pulp_user }}"
+      when:
+        - ansible_version.major == 2
+        - ansible_version.minor < 9
+
+  when: pulp_install_api_service | bool

roles/pulp_common/vars/CentOS-7.yml

@@ -9,3 +9,5 @@ pulp_preq_packages:
   - gcc                # For psycopg2
   - make               # For make docs
 pulp_python_interpreter: /usr/bin/python3.6
+pulp_python_cryptography:
+  - python-cryptography

roles/pulp_common/vars/Debian.yml

@@ -8,3 +8,5 @@ pulp_preq_packages:
 
 # Pulp requires Python 3.6+.
 pulp_python_interpreter: /usr/bin/python3
+pulp_python_cryptography:
+  - python3-cryptography

roles/pulp_common/vars/Fedora.yml

@@ -9,3 +9,5 @@ pulp_preq_packages:
 
 # Pulp requires Python 3.6+.
 pulp_python_interpreter: /usr/bin/python3
+pulp_python_cryptography:
+  - python3-cryptography

roles/pulp_common/vars/Ubuntu.yml

@@ -8,3 +8,5 @@ pulp_preq_packages:
 
 # Pulp requires Python 3.6+.
 pulp_python_interpreter: /usr/bin/python3
+pulp_python_cryptography:
+  - python3-cryptography

roles/pulp_common/vars/main.yml

@@ -10,6 +10,7 @@ pulp_install_plugins_normalized_yml: |-
 # A pulp_install_plugins but with the plugin names corrected:
 # pip/PyPI only uses dashes, not underscores.
 pulp_install_plugins_normalized: "{{ pulp_install_plugins_normalized_yml | from_yaml }}"
+__pulp_common_pulp_pki_dir: "{{ pulp_config_dir }}/certs"
 # Users should not set this variable, instead using `pulp_settings`
 __pulp_common_pulp_settings_defaults:
   databases:
@@ -19,4 +20,8 @@ __pulp_common_pulp_settings_defaults:
       NAME: pulp
       USER: pulp
       PASSWORD: pulp
+  private_key_path: "{{ __pulp_common_pulp_pki_dir }}/token_private_key.pem"
+  public_key_path: "{{ __pulp_common_pulp_pki_dir }}/token_public_key.pem"
+  token_server: "https://{{ ansible_fqdn }}/token"
+  token_signature_algorithm: ES256
 __pulp_common_merged_pulp_settings: "{{ __pulp_common_pulp_settings_defaults|combine(pulp_settings, recursive=True) }}"