mirror of
https://github.com/GAM-team/GAM.git
synced 2025-07-10 14:43:34 +00:00
small service account improvements
This commit is contained in:
@ -1240,9 +1240,8 @@ def doCheckServiceAccount(users):
|
|||||||
'get',
|
'get',
|
||||||
name=name,
|
name=name,
|
||||||
throw_reasons=[gapi_errors.ErrorReason.FOUR_O_THREE])
|
throw_reasons=[gapi_errors.ErrorReason.FOUR_O_THREE])
|
||||||
# Both Google and GAM set key valid after to day before creation
|
|
||||||
key_created = dateutil.parser.parse(
|
key_created = dateutil.parser.parse(
|
||||||
key['validAfterTime'], ignoretz=True) + datetime.timedelta(days=1)
|
key['validAfterTime'], ignoretz=True)
|
||||||
key_age = datetime.datetime.now() - key_created
|
key_age = datetime.datetime.now() - key_created
|
||||||
key_days = key_age.days
|
key_days = key_age.days
|
||||||
if key_days > 30:
|
if key_days > 30:
|
||||||
@ -7756,11 +7755,9 @@ def _generatePrivateKeyAndPublicCert(client_id, key_size):
|
|||||||
x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, client_id)]))
|
x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, client_id)]))
|
||||||
builder = builder.issuer_name(
|
builder = builder.issuer_name(
|
||||||
x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, client_id)]))
|
x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, client_id)]))
|
||||||
not_valid_before = datetime.datetime.today() - datetime.timedelta(days=1)
|
builder = builder.not_valid_before(datetime.datetime.today())
|
||||||
not_valid_after = datetime.datetime.today() + datetime.timedelta(
|
# Google uses 12/31/9999 date for end time
|
||||||
days=365 * 10 - 1)
|
builder = builder.not_valid_after(datetime.datetime(9999, 12, 31, 23, 59))
|
||||||
builder = builder.not_valid_before(not_valid_before)
|
|
||||||
builder = builder.not_valid_after(not_valid_after)
|
|
||||||
builder = builder.serial_number(x509.random_serial_number())
|
builder = builder.serial_number(x509.random_serial_number())
|
||||||
builder = builder.public_key(public_key)
|
builder = builder.public_key(public_key)
|
||||||
builder = builder.add_extension(x509.BasicConstraints(ca=False,
|
builder = builder.add_extension(x509.BasicConstraints(ca=False,
|
||||||
@ -7943,10 +7940,18 @@ def doCreateOrRotateServiceAccountKeys(iam=None,
|
|||||||
name=sa_name,
|
name=sa_name,
|
||||||
body={'publicKeyData': publicKeyData})
|
body={'publicKeyData': publicKeyData})
|
||||||
break
|
break
|
||||||
except googleapiclient.errors.HttpError:
|
except googleapiclient.errors.HttpError as err:
|
||||||
print('WARNING: that key already exists.')
|
if hasattr(err, 'error_details') and \
|
||||||
result = {'name': oldPrivateKeyId}
|
err.error_details == 'The given public key already exists.':
|
||||||
break
|
print('WARNING: that key already exists.')
|
||||||
|
result = {'name': oldPrivateKeyId}
|
||||||
|
break
|
||||||
|
elif hasattr(err, 'error_details'):
|
||||||
|
controlflow.system_error_exit(
|
||||||
|
4, err.error_details)
|
||||||
|
else:
|
||||||
|
controlflow.system_error_exit(
|
||||||
|
4, err)
|
||||||
except gapi_errors.GapiNotFoundError as e:
|
except gapi_errors.GapiNotFoundError as e:
|
||||||
if i == max_retries:
|
if i == max_retries:
|
||||||
raise e
|
raise e
|
||||||
|
@ -7,6 +7,7 @@ from threading import Timer
|
|||||||
|
|
||||||
from cryptography.hazmat.primitives import hashes, serialization
|
from cryptography.hazmat.primitives import hashes, serialization
|
||||||
from cryptography.hazmat.primitives.asymmetric import padding
|
from cryptography.hazmat.primitives.asymmetric import padding
|
||||||
|
from smartcard.Exceptions import CardConnectionException
|
||||||
from ykman.device import connect_to_device
|
from ykman.device import connect_to_device
|
||||||
from ykman.piv import generate_self_signed_certificate, \
|
from ykman.piv import generate_self_signed_certificate, \
|
||||||
generate_chuid
|
generate_chuid
|
||||||
@ -46,7 +47,10 @@ class YubiKey():
|
|||||||
self.key_id = service_account_info.get('private_key_id')
|
self.key_id = service_account_info.get('private_key_id')
|
||||||
|
|
||||||
def _connect(self):
|
def _connect(self):
|
||||||
conn, _, _ = connect_to_device(self.serial_number)
|
try:
|
||||||
|
conn, _, _ = connect_to_device(self.serial_number)
|
||||||
|
except CardConnectionException as err:
|
||||||
|
controlflow.system_error_exit(9, f'YubiKey - {err}')
|
||||||
return conn
|
return conn
|
||||||
|
|
||||||
def get_certificate(self):
|
def get_certificate(self):
|
||||||
@ -62,7 +66,7 @@ class YubiKey():
|
|||||||
try:
|
try:
|
||||||
cert = session.get_certificate(self.slot)
|
cert = session.get_certificate(self.slot)
|
||||||
except ApduError as err:
|
except ApduError as err:
|
||||||
controlflow.system_error_exit(9, f'Yubikey = {err}')
|
controlflow.system_error_exit(9, f'YubiKey - {err}')
|
||||||
cert_pem = cert.public_bytes(
|
cert_pem = cert.public_bytes(
|
||||||
serialization.Encoding.PEM).decode()
|
serialization.Encoding.PEM).decode()
|
||||||
publicKeyData = b64encode(cert_pem.encode())
|
publicKeyData = b64encode(cert_pem.encode())
|
||||||
@ -78,7 +82,7 @@ class YubiKey():
|
|||||||
_, _, info = connect_to_device(self.serial_number)
|
_, _, info = connect_to_device(self.serial_number)
|
||||||
return info.serial
|
return info.serial
|
||||||
except ValueError as err:
|
except ValueError as err:
|
||||||
controlflow.system_error_exit(9, f'YubikKey = {err}')
|
controlflow.system_error_exit(9, f'YubiKey - {err}')
|
||||||
|
|
||||||
def reset_piv(self):
|
def reset_piv(self):
|
||||||
'''Resets YubiKey PIV app and generates new key for GAM to use.'''
|
'''Resets YubiKey PIV app and generates new key for GAM to use.'''
|
||||||
@ -101,7 +105,7 @@ class YubiKey():
|
|||||||
DEFAULT_MANAGEMENT_KEY)
|
DEFAULT_MANAGEMENT_KEY)
|
||||||
|
|
||||||
piv.verify_pin(new_pin)
|
piv.verify_pin(new_pin)
|
||||||
print('Yubikey is generating a non-exportable private key...')
|
print('YubiKey is generating a non-exportable private key...')
|
||||||
pubkey = piv.generate_key(SLOT.AUTHENTICATION,
|
pubkey = piv.generate_key(SLOT.AUTHENTICATION,
|
||||||
KEY_TYPE.RSA2048,
|
KEY_TYPE.RSA2048,
|
||||||
PIN_POLICY.ALWAYS,
|
PIN_POLICY.ALWAYS,
|
||||||
@ -123,7 +127,7 @@ class YubiKey():
|
|||||||
piv.put_object(OBJECT_ID.CHUID,
|
piv.put_object(OBJECT_ID.CHUID,
|
||||||
generate_chuid())
|
generate_chuid())
|
||||||
except ValueError as err:
|
except ValueError as err:
|
||||||
controlflow.system_error_exit(8, f'Yubikey - {err}')
|
controlflow.system_error_exit(8, f'YubiKey - {err}')
|
||||||
|
|
||||||
|
|
||||||
def sign(self, message):
|
def sign(self, message):
|
||||||
@ -145,7 +149,7 @@ class YubiKey():
|
|||||||
hash_algorithm=hashes.SHA256(),
|
hash_algorithm=hashes.SHA256(),
|
||||||
padding=padding.PKCS1v15())
|
padding=padding.PKCS1v15())
|
||||||
except ApduError as err:
|
except ApduError as err:
|
||||||
controlflow.system_error_exit(8, f'YubiKey = {err}')
|
controlflow.system_error_exit(8, f'YubiKey - {err}')
|
||||||
except ValueError as err:
|
except ValueError as err:
|
||||||
controlflow.system_error_exit(9, f'YubiKey - {err}')
|
controlflow.system_error_exit(9, f'YubiKey - {err}')
|
||||||
if 'mplock' in globals():
|
if 'mplock' in globals():
|
||||||
|
Reference in New Issue
Block a user