Merge #41

Open
wants to merge 94 commits into base: lyft-host-certificate-lambda

Changes from 1 commit

Commits (94)
7271307
fixes #30 : add coveralls for test coverage reporting
Dec 22, 2016
69adbb7
Squashed Lyft Changes
Feb 4, 2017
ba6dc07
Make the 'extensions' included in the cert configurable
nielslaukens Feb 15, 2017
17e5336
Moving pinned packages out of setup.py and into requirements.txt.
russell-lewis Feb 24, 2017
bc6b3bf
Adding a few changes after syncing with lyft's BLESS fork.
russell-lewis Feb 24, 2017
9962238
Bumping version number to reflect the change in the BLESS request of …
russell-lewis Feb 24, 2017
290801b
added a flag for bypassing validity check
vivianho Feb 24, 2017
55d3561
Merge pull request #34 from lyft/bypass-validity-check
vivianho Feb 24, 2017
a960865
Merge branch 'lyft_base' of github.com:lyft/bless into lyft-sync
russell-lewis Feb 24, 2017
5f264d5
Updating the "test_user" certificate test case.
russell-lewis Feb 24, 2017
d8befc1
Merge remote-tracking branch 'vrtdev/configurable-extensions' into ly…
russell-lewis Mar 1, 2017
79c3463
Updates after pulling in PR#33. Renamed extensions to certificate_ex…
russell-lewis Mar 1, 2017
0f68e42
Merge pull request #31 from mayn/ISSUE-30
russell-lewis Mar 1, 2017
19cf02f
Merge branch 'master' of github.com:Netflix/bless into lyft-sync
russell-lewis Mar 1, 2017
9f75ccf
Adding the coverage report to the travis build output.
russell-lewis Mar 1, 2017
909d955
Additional commit for BLESS v.0.2.0 which changes the format of BLESS…
russell-lewis Mar 1, 2017
bf9a364
Merge pull request #38 from russell-lewis/addressing-open-issues
russell-lewis Mar 7, 2017
4d2e674
Add support to compile dependencies in container
diasjorge Mar 9, 2017
c387868
Copy lib64 packages
Mar 9, 2017
07c9866
Update README.md
diasjorge Mar 9, 2017
fcde42a
Merge pull request #41 from diasjorge/patch-1
russell-lewis Mar 10, 2017
b4eadab
Merge pull request #40 from diasjorge/compilation
russell-lewis Mar 10, 2017
d8e879d
[HOTFIX] Fixes while merge testing
Mar 15, 2017
8df7f6d
Merge pull request #44 from lyft/hotfix-fixes-for-merge
russell-lewis Mar 15, 2017
24f4aba
Remove unused option 'kms_key_id'
benbridts Mar 17, 2017
63cbac9
Merge pull request #46 from ikben/unused-option
russell-lewis Mar 21, 2017
62fe7fc
Decouple configuration from deployment artifact (#45)
benbridts Mar 21, 2017
485663c
Removing an unneeded reference to kms_key_id. (#47)
russell-lewis Mar 21, 2017
21a417b
Add support for debian username validations
diasjorge Mar 14, 2017
b87bbab
Add support for relaxed username validations
diasjorge Mar 14, 2017
329e8dc
Load username_validation configuration value
diasjorge Mar 14, 2017
c050a48
Refactor username_validation configuration
diasjorge Mar 14, 2017
9f3c7c1
Set username_validation when calling lambda
diasjorge Mar 14, 2017
c58b328
Add support to disable username validation
diasjorge Mar 14, 2017
6f91bb6
Use schema context for username validation
diasjorge Mar 21, 2017
8e80230
Add test for username_validation environment value
diasjorge Mar 21, 2017
4340737
Enhancing PR#43 to include support for configurable remote_usernames …
russell-lewis Mar 22, 2017
32e4f4b
Fixing https://github.com/Netflix/bless/issues/48 and moving the expe…
russell-lewis Mar 22, 2017
95693c4
Replace non word characters in environment key
diasjorge Mar 22, 2017
e8af1ca
Merge pull request #51 from diasjorge/fix-invalid-environment-variable
russell-lewis Mar 22, 2017
1393a84
Revising the certificate key_id to keep consistency in the key[value] …
russell-lewis Mar 23, 2017
7c025fb
Merge pull request #52 from russell-lewis/update-keyid-and-logs
russell-lewis Mar 23, 2017
c543416
Thanks to @Stype:
russell-lewis Mar 29, 2017
4aef80c
Merge pull request #54 from russell-lewis/fix-issue-53
russell-lewis Mar 29, 2017
d8f6d1e
Fixing typos in readme.
russell-lewis Apr 5, 2017
a2cf52d
Merge pull request #56 from russell-lewis/fix-typo
russell-lewis Apr 5, 2017
6c122ba
Merge pull request #1 from russell-lewis/PR43_enhancements
diasjorge Apr 6, 2017
dc02dc7
Merge pull request #43 from diasjorge/username_validation_disabled
russell-lewis Apr 19, 2017
d5a1c1f
Fixing test key paths after merging https://github.com/Netflix/bless/…
russell-lewis Apr 19, 2017
7cd1515
base kmsauth token on bastion_user instead of remote_usernames
djcrabhat Apr 30, 2017
9ad57e0
enforce that bastion_user == remote_usernames by default. add config…
djcrabhat May 7, 2017
3b268a6
add tests for allowing remote_usernames to differ
djcrabhat May 7, 2017
5b452d1
eke out some test coverage
djcrabhat May 7, 2017
cadd803
make sure all requested remote_usernames are allowed to be used
djcrabhat May 7, 2017
f32b9a1
Updating the SSH Certificate comment when no public key comment is se…
russell-lewis Jun 8, 2017
d2bee45
Updating dependencies prior to release.
russell-lewis Jun 8, 2017
fd1d802
Allows username validation against IAM groups
hughtopping Jun 23, 2017
3f37e17
Compressed CA private key support
avoidik Nov 29, 2017
ed54668
Fixing https://github.com/Netflix/bless/issues/72 thanks @Immortalin …
russell-lewis Jul 13, 2018
cdde67a
Add support for loading ED25519 public keys
jnewbigin Jun 10, 2018
f1e2a30
Add certificate builder and test ED25519 signed by RSA
jnewbigin Jun 10, 2018
ba55021
Allowing BLESS lambda to accept ed25519 keys, completing https://gith…
russell-lewis Jul 14, 2018
cf26b72
Moving BLESS to python 3.6. (#75)
russell-lewis Jul 25, 2018
013dd15
Merge branch 'master' into master
russell-lewis Jul 25, 2018
cff5544
Merge pull request #62 from hughtopping/master
russell-lewis Jul 25, 2018
1e01e1d
bless_client.py: fix argv unpacking when using a kmsauth token (#63)
Preston4tw Jul 25, 2018
467eaa8
Add the FileSync flag to the zip command (#76)
kubrickfr Jul 25, 2018
5830630
Make lambda_configs dir optional for publish make target (#69)
acmcelwee Jul 25, 2018
87f9de4
Adding a blacklisted remote_usernames option. This would prevent par…
russell-lewis Jul 19, 2018
a9ad291
Refactored BLESS to cache KMS decrypt results for the ca private key …
russell-lewis Jul 25, 2018
b685728
Merge remote-tracking branch 'avoidik/feature-compressed-key'
russell-lewis Jul 26, 2018
dfbec61
Merge pull request #67 from avoidik/feature-compressed-key
russell-lewis Jul 26, 2018
0b97ba2
Move development to pipenv
pecigonzalo Jul 23, 2018
f82e2a9
Bumping to Release v.0.3.0
russell-lewis Jul 31, 2018
242a586
Add host cert issue handler
pecigonzalo Aug 3, 2018
ed85a7f
Add validations for hostnames and tests
pecigonzalo Aug 4, 2018
910f8f9
Add link to Amazon Linux repository
pkoch Apr 23, 2019
679fe9c
Merge pull request #88 from pkoch/patch-1
hosseinsh Apr 23, 2019
f04f83a
Remove the -it flag from lambda-deps docker build
asiragusa Oct 31, 2018
a7b454a
Fix boolean value check on KMSAUTH_SECTION options
paolodedios Feb 14, 2019
5d92a03
Updating code and dependencies to run as a Python 3.7 lambda with the…
russell-lewis May 20, 2019
7ca78b4
Resolving https://github.com/Netflix/bless/pull/80 .
russell-lewis May 20, 2019
cad1dbf
Typo on #133
kant Nov 3, 2018
68a45d1
Removing the Travis sudo tag.
russell-lewis May 20, 2019
9a310ca
Additional fixes after https://github.com/Netflix/bless/pull/85 . Tr…
russell-lewis May 20, 2019
36fc01b
Updating readme to indicate that only PEM private keys are supported.
russell-lewis May 20, 2019
d77ed00
Merge remote-tracking branch 'pecigonzalo/feature/split_host_provider…
russell-lewis May 21, 2019
3d8b0c9
Refactored https://github.com/Netflix/bless/pull/79 and split out use…
russell-lewis May 21, 2019
c03b8d1
Merge pull request #94 from russell-lewis/lambda-host-split
russell-lewis May 22, 2019
03666f8
Adding a sample client that can validate the BLESS host cert lambda.
russell-lewis May 22, 2019
a207d1b
Bumping to Release v.0.4.0
russell-lewis May 22, 2019
80f3c1b
Merge pull request #95 from russell-lewis/release-prep
russell-lewis May 22, 2019
8527924
Merge pull request #39 from lyft/refresh-netflix-code
Dec 10, 2019
fde260b
Wip
surbhishah Jan 22, 2020
Add certificate builder and test ED25519 signed by RSA
jnewbigin authored and russell-lewis committed Jul 13, 2018
commit f1e2a30cd5fcf814bdb6875e0f8873cfe53ea3e7
39 changes: 39 additions & 0 deletions bless/ssh/certificates/ed25519_certificate_builder.py
@@ -0,0 +1,39 @@
"""
.. module: bless.ssh.certificates.ed25519_certificate_builder
:copyright: (c) 2016 by Netflix Inc., see AUTHORS for more
:license: Apache, see LICENSE for more details.
"""
from bless.ssh.certificates.ssh_certificate_builder import \
SSHCertificateBuilder, SSHCertifiedKeyType
from bless.ssh.protocol.ssh_protocol import pack_ssh_string


class ED25519CertificateBuilder(SSHCertificateBuilder):
def __init__(self, ca, cert_type, ssh_public_key_ed25519):
"""
Produces an SSH certificate for ED25519 public keys.
:param ca: The SSHCertificateAuthority that will sign the certificate. The
SSHCertificateAuthority type does not need to be the same type as the
SSHCertificateBuilder.
:param cert_type: The SSHCertificateType. Is this a User or Host certificate? Some of
the SSH Certificate fields do not apply or have a slightly different meaning depending on
the certificate type.
See http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.certkeys
:param ssh_public_key_ed25519: The ED25519PublicKey to issue a certificate for.
"""
super(ED25519CertificateBuilder, self).__init__(ca, cert_type)
self.cert_key_type = SSHCertifiedKeyType.ED25519
self.ssh_public_key = ssh_public_key_ed25519
self.public_key_comment = ssh_public_key_ed25519.key_comment
self.a = ssh_public_key_ed25519.a

def _serialize_ssh_public_key(self):
"""
Serialize the Public Key into a string. This is not specified in
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.certkeys
but https://tools.ietf.org/id/draft-ietf-curdle-ssh-ed25519-02.html
:return: The bytes that belong in the SSH Certificate between the nonce and the
certificate serial number.
"""
public_key = pack_ssh_string(self.a)
return public_key
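Review bot: `_serialize_ssh_public_key` packs `self.a` straight into the certificate body without checking that it is a 32-byte Ed25519 public key, so a truncated or oversized value handed over by `ED25519PublicKey` would still be signed by the CA. Suggest validating the length (here or in `ED25519PublicKey`) and raising before any signing happens, e.g. `if len(self.a) != 32: raise ValueError("Ed25519 public key must be 32 bytes")`. Minor: the module docstring carries a 2016 copyright for a file added in 2018.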
4 changes: 4 additions & 0 deletions bless/ssh/certificates/ssh_certificate_builder_factory.py
@@ -5,6 +5,8 @@
"""
from bless.ssh.certificates.rsa_certificate_builder \
import RSACertificateBuilder
from bless.ssh.certificates.ed25519_certificate_builder \
import ED25519CertificateBuilder
from bless.ssh.public_keys.ssh_public_key import SSHPublicKeyType
from bless.ssh.public_keys.ssh_public_key_factory import get_ssh_public_key

@@ -23,5 +25,7 @@ def get_ssh_certificate_builder(ca, cert_type, public_key_to_sign):

if ssh_public_key.type is SSHPublicKeyType.RSA:
return RSACertificateBuilder(ca, cert_type, ssh_public_key)
elif ssh_public_key.type is SSHPublicKeyType.ED25519:
return ED25519CertificateBuilder(ca, cert_type, ssh_public_key)
else:
raise TypeError("Unsupported Public Key Type")
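Review bot: the new `elif` branch mirrors the RSA branch, but the fallthrough `raise TypeError("Unsupported Public Key Type")` still says nothing about which type was rejected; including `ssh_public_key.type` in the message would make rejected requests for unsupported key types easier to diagnose from lambda logs.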
11 changes: 7 additions & 4 deletions tests/ssh/test_ssh_certificate_builder_factory.py
@@ -4,6 +4,7 @@
get_ssh_certificate_authority
from bless.ssh.certificates.rsa_certificate_builder import RSACertificateBuilder, \
SSHCertifiedKeyType
from bless.ssh.certificates.ed25519_certificate_builder import ED25519CertificateBuilder
from bless.ssh.certificates.ssh_certificate_builder import SSHCertificateType
from bless.ssh.certificates.ssh_certificate_builder_factory import get_ssh_certificate_builder
from tests.ssh.vectors import RSA_CA_PRIVATE_KEY, RSA_CA_PRIVATE_KEY_PASSWORD, \
@@ -18,10 +19,12 @@ def test_valid_rsa_request():
assert cert.startswith(SSHCertifiedKeyType.RSA)


def test_invalid_ed25519_request():
with pytest.raises(TypeError):
ca = get_ssh_certificate_authority(RSA_CA_PRIVATE_KEY, RSA_CA_PRIVATE_KEY_PASSWORD)
get_ssh_certificate_builder(ca, SSHCertificateType.USER, EXAMPLE_ED25519_PUBLIC_KEY)
def test_valid_ed25519_request():
ca = get_ssh_certificate_authority(RSA_CA_PRIVATE_KEY, RSA_CA_PRIVATE_KEY_PASSWORD)
cert_builder = get_ssh_certificate_builder(ca, SSHCertificateType.USER, EXAMPLE_ED25519_PUBLIC_KEY)
cert = cert_builder.get_cert_file()
assert isinstance(cert_builder, ED25519CertificateBuilder)
assert cert.startswith(SSHCertifiedKeyType.ED25519)


def test_invalid_key_request():
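Review bot: in `test_valid_ed25519_request` the `assert isinstance(cert_builder, ED25519CertificateBuilder)` runs after `cert_builder.get_cert_file()`, so a factory regression that returns the wrong builder would fail inside `get_cert_file()` instead of at the type check; move the `isinstance` assertion directly after `get_ssh_certificate_builder(...)`. Dropping `test_invalid_ed25519_request` is correct now that the type is supported, and `test_invalid_key_request` still covers the unsupported-type path.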
17 changes: 16 additions & 1 deletion tests/ssh/test_ssh_certificate_rsa.py
@@ -5,16 +5,19 @@

from bless.ssh.certificate_authorities.rsa_certificate_authority import RSACertificateAuthority
from bless.ssh.certificates.rsa_certificate_builder import RSACertificateBuilder
from bless.ssh.certificates.ed25519_certificate_builder import ED25519CertificateBuilder
from bless.ssh.certificates.ssh_certificate_builder import SSHCertificateType
from bless.ssh.public_keys.rsa_public_key import RSAPublicKey
from bless.ssh.public_keys.ed25519_public_key import ED25519PublicKey
from tests.ssh.vectors import RSA_CA_PRIVATE_KEY, RSA_CA_PRIVATE_KEY_PASSWORD, \
EXAMPLE_RSA_PUBLIC_KEY, EXAMPLE_RSA_PUBLIC_KEY_NO_DESCRIPTION, RSA_USER_CERT_MINIMAL, \
RSA_USER_CERT_DEFAULTS, RSA_USER_CERT_DEFAULTS_NO_PUBLIC_KEY_COMMENT, \
RSA_USER_CERT_MANY_PRINCIPALS, RSA_HOST_CERT_MANY_PRINCIPALS, \
RSA_USER_CERT_FORCE_COMMAND_AND_SOURCE_ADDRESS, \
RSA_USER_CERT_FORCE_COMMAND_AND_SOURCE_ADDRESS_KEY_ID, RSA_HOST_CERT_MANY_PRINCIPALS_KEY_ID, \
RSA_USER_CERT_MANY_PRINCIPALS_KEY_ID, RSA_USER_CERT_DEFAULTS_NO_PUBLIC_KEY_COMMENT_KEY_ID, \
RSA_USER_CERT_DEFAULTS_KEY_ID, SSH_CERT_DEFAULT_EXTENSIONS, SSH_CERT_CUSTOM_EXTENSIONS
RSA_USER_CERT_DEFAULTS_KEY_ID, SSH_CERT_DEFAULT_EXTENSIONS, SSH_CERT_CUSTOM_EXTENSIONS, \
EXAMPLE_ED25519_PUBLIC_KEY, ED25519_USER_CERT_DEFAULTS, ED25519_USER_CERT_DEFAULTS_KEY_ID

USER1 = 'user1'

@@ -219,3 +222,15 @@ def test_nonce():
cert_builder2.set_nonce()

assert cert_builder.nonce != cert_builder2.nonce


def test_ed25519_user_cert_defaults():
ca = get_basic_rsa_ca()
pub_key = ED25519PublicKey(EXAMPLE_ED25519_PUBLIC_KEY)
cert_builder = ED25519CertificateBuilder(ca, SSHCertificateType.USER, pub_key)
cert_builder.set_nonce(
nonce=extract_nonce_from_cert(ED25519_USER_CERT_DEFAULTS))
cert_builder.set_key_id(ED25519_USER_CERT_DEFAULTS_KEY_ID)

cert = cert_builder.get_cert_file()
assert ED25519_USER_CERT_DEFAULTS == cert
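Review bot: `test_ed25519_user_cert_defaults` is placed in `tests/ssh/test_ssh_certificate_rsa.py` and only covers the all-defaults user certificate; principals, custom extensions, validity windows and the host certificate type are exercised for RSA in this file but not for Ed25519. Suggest a dedicated `tests/ssh/test_ssh_certificate_ed25519.py` that mirrors those cases so the new key type gets the same coverage and stays discoverable by file name.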
4 changes: 4 additions & 0 deletions tests/ssh/vectors.py
@@ -51,3 +51,7 @@

SSH_CERT_CUSTOM_EXTENSIONS = base64.b64decode(
'AAAAFnBlcm1pdC1wb3J0LWZvcndhcmRpbmcAAAAAAAAACnBlcm1pdC1wdHkAAAAAAAAADnBlcm1pdC11c2VyLXJjAAAAAA==')

# ssh-keygen -s test-rsa-ca -I "ssh-keygen -s test-rsa-ca -I '' test-ed25519-user-all-defaults.pub" test-ed25519-user-all-defaults.pub
ED25519_USER_CERT_DEFAULTS = '[email protected] 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 Test ED25519 User Key'
ED25519_USER_CERT_DEFAULTS_KEY_ID = 'ssh-keygen -s test-rsa-ca -I \'\' test-ed25519-user-all-defaults.pub'
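Review bot: the `-I` argument recorded in the comment above `ED25519_USER_CERT_DEFAULTS` is itself an `ssh-keygen` command string, and `ED25519_USER_CERT_DEFAULTS_KEY_ID` repeats it verbatim, which reads like a nested copy-paste rather than an intended key id. The test passes because the two match, but regenerating the vector with a plain key id (the inner `-I ''` suggests the empty string was meant) would make the fixture easier to reproduce and the comment an accurate record of the generating command.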