Import or generate key for token authentication

fixes #7098 https://pulp.plan.io/issues/7098
pulp · Jul 21, 2020 · ed5143d · ed5143d
1 parent aac334a
commit ed5143d
Show file tree

Hide file tree

Showing 10 changed files with 71 additions and 1 deletion.
diff --git a/CHANGES/7098.feature b/CHANGES/7098.feature
@@ -0,0 +1 @@
+A key for token authentication is installed from either a specified file or a newly generated one.
diff --git a/roles/pulp_api/README.md b/roles/pulp_api/README.md
@@ -8,12 +8,14 @@ Role Variables
 
 A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
 
-* `pulp_api_bind` Interface and Port where Pulp Content `gunicorn` service will listen. Defaults to
+* `pulp_api_bind`: Interface and Port where Pulp Content `gunicorn` service will listen. Defaults to
   '127.0.0.1:24817'. This variable is the value used to render the `pulpcore-api.service.j2` template
   passing to the `--bind` parameter of the `gunicorn` service.
 * `pulp_api_workers`: Number of Pulp Content `gunicorn` processes for handling requests. Defaults to 1.
   Used to render the `pulpcore-api.service.j2` template, passing to the `--workers` parameter of the
   gunicorn service.
+* `pulp_token_auth_key`: Location of the openssl private key (in pem format) to use for token
+  authentication. If not specified, a new key wil be generated.
 
 Shared variables
 ----------------

diff --git a/roles/pulp_api/tasks/generate_token_auth_key.yml b/roles/pulp_api/tasks/generate_token_auth_key.yml
@@ -0,0 +1,16 @@
+---
+- name: Look for token authentication key
+  stat:
+    path: "{{ __pulp_common_pulp_pki_path }}/private.pem"
+    get_attributes: false
+    get_checksum: false
+    get_mime: false
+  register: __pulp_token_auth_key
+
+- name: Generate token authentication private key
+  openssl_privatekey:
+    path: "{{ __pulp_common_pulp_pki_path }}/private.pem"
+    curve: secp256r1
+    owner: "{{ pulp_user }}"
+    group: "{{ pulp_group }}"
+  when: not __pulp_token_auth_key.stat.exists
diff --git a/roles/pulp_api/tasks/import_token_auth_key.yml b/roles/pulp_api/tasks/import_token_auth_key.yml
@@ -0,0 +1,8 @@
+---
+- name: Import specified token authentication key
+  copy:
+    src: "{{ pulp_token_auth_key }}"
+    dest: "{{ __pulp_common_pulp_pki_path }}/private.pem"
+    owner: "{{ pulp_user }}"
+    group: "{{ pulp_group }}"
+    mode: 0600
diff --git a/roles/pulp_api/tasks/main.yml b/roles/pulp_api/tasks/main.yml
@@ -20,4 +20,30 @@
         daemon_reload: true
       become: true
 
+    - name: Create cert directory to hold token authentication key
+      file:
+        path: "{{ __pulp_common_pulp_pki_path }}"
+        state: directory
+        owner: "{{ pulp_user }}"
+        group: "{{ pulp_group }}"
+        mode: 0700
+
+    - name: Ensure python-cryptography is installed
+      package:
+        name: '{{ pulp_common_python_cryptography }}'
+      become: true
+
+    - import_tasks: generate_token_auth_key.yml
+      when: pulp_token_auth_key is undefined
+
+    - import_tasks: import_token_auth_key.yml
+      when: pulp_token_auth_key is defined
+
+    - name: Extract token authentication public key
+      openssl_publickey:
+        path: "{{ __pulp_common_pulp_pki_path }}/public.pem"
+        privatekey_path: "{{ __pulp_common_pulp_pki_path }}/private.pem"
+        owner: "{{ pulp_user }}"
+        group: "{{ pulp_group }}"
+
   when: pulp_install_api_service |bool
diff --git a/roles/pulp_common/vars/CentOS-7.yml b/roles/pulp_common/vars/CentOS-7.yml
@@ -9,3 +9,6 @@ pulp_preq_packages:
   - gcc                # For psycopg2
   - make               # For make docs
 pulp_python_interpreter: /usr/bin/python3.6
+pulp_common_python_cryptography:
+  - python-cryptography
+  - pyOpenSSL
diff --git a/roles/pulp_common/vars/Debian.yml b/roles/pulp_common/vars/Debian.yml
@@ -8,3 +8,6 @@ pulp_preq_packages:
 
 # Pulp requires Python 3.6+.
 pulp_python_interpreter: /usr/bin/python3
+pulp_common_python_cryptography:
+  - python3-cryptography
+  - python3-openssl
diff --git a/roles/pulp_common/vars/Fedora.yml b/roles/pulp_common/vars/Fedora.yml
@@ -9,3 +9,6 @@ pulp_preq_packages:
 
 # Pulp requires Python 3.6+.
 pulp_python_interpreter: /usr/bin/python3
+pulp_common_python_cryptography:
+  - python3-cryptography
+  - python3-pyOpenSSL
diff --git a/roles/pulp_common/vars/Ubuntu.yml b/roles/pulp_common/vars/Ubuntu.yml
@@ -8,3 +8,6 @@ pulp_preq_packages:
 
 # Pulp requires Python 3.6+.
 pulp_python_interpreter: /usr/bin/python3
+pulp_common_python_cryptography:
+  - python3-cryptography
+  - python3-openssl
diff --git a/roles/pulp_common/vars/main.yml b/roles/pulp_common/vars/main.yml
@@ -10,6 +10,7 @@ pulp_install_plugins_normalized_yml: |-
 # A pulp_install_plugins but with the plugin names corrected:
 # pip/PyPI only uses dashes, not underscores.
 pulp_install_plugins_normalized: "{{ pulp_install_plugins_normalized_yml | from_yaml }}"
+__pulp_common_pulp_pki_path: "{{ pulp_user_home }}/cert"
 # Users should not set this variable, instead using `pulp_settings`
 __pulp_common_pulp_settings_defaults:
   databases:
@@ -19,4 +20,8 @@ __pulp_common_pulp_settings_defaults:
       NAME: pulp
       USER: pulp
       PASSWORD: pulp
+  private_key_path: "{{ __pulp_common_pulp_pki_path }}/private.pem"
+  public_key_path: "{{ __pulp_common_pulp_pki_path }}/public.pem"
+  token_server: "https://{{ ansible_fqdn }}/token"
+  token_signature_algorithm: ES256
 __pulp_common_merged_pulp_settings: "{{ __pulp_common_pulp_settings_defaults|combine(pulp_settings, recursive=True) }}"