Merge pull request #146 from pvarki/mtls_init_robustness

Make startup mTLS client cert creation more robust, update deps

Author: rambo

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 1.12.0
+current_version = 1.12.1
 commit = False
 tag = False
 

poetry.lock

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "rasenmaeher_api"
-version = "1.12.0"
+version = "1.12.1"
 description = "python-rasenmaeher-api"
 authors = [
     "Aciid <703382+Aciid@users.noreply.github.com>",
@@ -96,7 +96,7 @@ brotli = "^1.0"
 cchardet = { version="^2.1", python="<=3.10"}
 filelock = "^3.12"
 python-keycloak = "^4.2.0"
-sqlmodel = ">=0.0.22,<1.0"
+sqlmodel = ">=0.0.37,<1.0"
 psycopg2-binary = "^2.9"
 
 [tool.poetry.group.dev.dependencies]

pyproject.toml

@@ -1,3 +1,3 @@
 """python-rasenmaeher-api"""
 
-__version__ = "1.12.0"  # NOTE Use `bump2version --config-file patch` to bump versions correctly
+__version__ = "1.12.1"  # NOTE Use `bump2version --config-file patch` to bump versions correctly

src/rasenmaeher_api/__init__.py

@@ -1,72 +1 @@
-"""Certificate operations module with configurable backend."""
-
-# pylint: disable=duplicate-code  # Re-exports same API from selected backend
-
-from .errors import CertError, NoResult, ErrorResult, DBLocked, NoValue
-from ..rmsettings import RMSettings, CertBackend
-
-_backend = RMSettings.singleton().cert_backend
-
-if _backend == CertBackend.CERT_MANAGER:
-    from .cert_manager import (
-        get_ca,
-        get_bundle,
-        get_crl,
-        get_ocsprest_crl,
-        sign_csr,
-        revoke_pem,
-        revoke_serial,
-        validate_reason,
-        refresh_ocsp,
-        dump_crlfiles,
-        sign_ocsp,
-        certadd_pem,
-        anon_sign_csr,
-        ReasonTypes,
-    )
-elif _backend == CertBackend.CFSSL:
-    from .cfssl import (
-        get_ca,
-        get_bundle,
-        get_crl,
-        get_ocsprest_crl,
-        sign_csr,
-        revoke_pem,
-        revoke_serial,
-        validate_reason,
-        refresh_ocsp,
-        dump_crlfiles,
-        sign_ocsp,
-        certadd_pem,
-        anon_sign_csr,
-        ReasonTypes,
-    )
-else:
-    raise ValueError(f"Unknown cert backend: {_backend}")
-
-__all__ = [
-    # Errors (always available)
-    "CertError",
-    "NoResult",
-    "ErrorResult",
-    "DBLocked",
-    "NoValue",
-    # Public functions
-    "get_ca",
-    "get_bundle",
-    "get_crl",
-    "get_ocsprest_crl",
-    # Private functions
-    "sign_csr",
-    "revoke_pem",
-    "revoke_serial",
-    "validate_reason",
-    "refresh_ocsp",
-    "dump_crlfiles",
-    "sign_ocsp",
-    "certadd_pem",
-    # Anonymous functions
-    "anon_sign_csr",
-    # Types
-    "ReasonTypes",
-]
+"""Certificate handling backend plugins"""

src/rasenmaeher_api/cert/__init__.py

@@ -0,0 +1,72 @@
+"""Certificate operations module with configurable backend."""
+
+# pylint: disable=duplicate-code  # Re-exports same API from selected backend
+
+from .errors import CertError, NoResult, ErrorResult, DBLocked, NoValue
+from ..rmsettings import RMSettings, CertBackend
+
+_backend = RMSettings.singleton().cert_backend
+
+if _backend == CertBackend.CERT_MANAGER:
+    from .cert_manager import (
+        get_ca,
+        get_bundle,
+        get_crl,
+        get_ocsprest_crl,
+        sign_csr,
+        revoke_pem,
+        revoke_serial,
+        validate_reason,
+        refresh_ocsp,
+        dump_crlfiles,
+        sign_ocsp,
+        certadd_pem,
+        anon_sign_csr,
+        ReasonTypes,
+    )
+elif _backend == CertBackend.CFSSL:
+    from .cfssl import (
+        get_ca,
+        get_bundle,
+        get_crl,
+        get_ocsprest_crl,
+        sign_csr,
+        revoke_pem,
+        revoke_serial,
+        validate_reason,
+        refresh_ocsp,
+        dump_crlfiles,
+        sign_ocsp,
+        certadd_pem,
+        anon_sign_csr,
+        ReasonTypes,
+    )
+else:
+    raise ValueError(f"Unknown cert backend: {_backend}")
+
+__all__ = [
+    # Errors (always available)
+    "CertError",
+    "NoResult",
+    "ErrorResult",
+    "DBLocked",
+    "NoValue",
+    # Public functions
+    "get_ca",
+    "get_bundle",
+    "get_crl",
+    "get_ocsprest_crl",
+    # Private functions
+    "sign_csr",
+    "revoke_pem",
+    "revoke_serial",
+    "validate_reason",
+    "refresh_ocsp",
+    "dump_crlfiles",
+    "sign_ocsp",
+    "certadd_pem",
+    # Anonymous functions
+    "anon_sign_csr",
+    # Types
+    "ReasonTypes",
+]

src/rasenmaeher_api/cert/backend.py

@@ -23,7 +23,7 @@
 from .base import ORMBaseModel, utcnow
 from ..web.api.middleware.datatypes import MTLSorJWTPayload
 from .errors import NotFound, Deleted, BackendError, CallsignReserved
-from ..cert import sign_csr, revoke_pem, validate_reason, ReasonTypes, refresh_ocsp
+from ..cert.backend import sign_csr, revoke_pem, validate_reason, ReasonTypes, refresh_ocsp
 from ..productapihelpers import post_to_all_products
 from ..rmsettings import RMSettings
 from ..kchelpers import KCClient, KCUserData

src/rasenmaeher_api/db/people.py

@@ -1,5 +1,6 @@
 """Init mTLS client cert for RASENMAEHER itself"""
 
+from typing import Optional
 import asyncio
 from pathlib import Path
 import logging
@@ -10,8 +11,8 @@
 import aiohttp
 import filelock
 
-
-from .rmsettings import switchme_to_singleton_call, RMSettings, CertBackend
+from .cert.errors import CertError
+from .rmsettings import RMSettings, CertBackend
 
 LOGGER = logging.getLogger(__name__)
 
@@ -39,26 +40,24 @@ async def _anon_sign_csr(csr: str) -> str:
 def check_settings_clientpaths() -> bool:
     """Make sure the paths are defined, to defaults if needed, return True if setting was changed"""
     changed = False
-    if not switchme_to_singleton_call.mtls_client_cert_path:
-        switchme_to_singleton_call.mtls_client_cert_path = str(
-            Path(switchme_to_singleton_call.persistent_data_dir) / "public" / f"{CERT_NAME_PREFIX}.pem"
-        )
+    config = RMSettings.singleton()
+    if not config.mtls_client_cert_path:
+        config.mtls_client_cert_path = str(Path(config.persistent_data_dir) / "public" / f"{CERT_NAME_PREFIX}.pem")
         changed = True
-    if not switchme_to_singleton_call.mtls_client_key_path:
-        switchme_to_singleton_call.mtls_client_key_path = str(
-            Path(switchme_to_singleton_call.persistent_data_dir) / "private" / f"{CERT_NAME_PREFIX}.key"
-        )
+    if not config.mtls_client_key_path:
+        config.mtls_client_key_path = str(Path(config.persistent_data_dir) / "private" / f"{CERT_NAME_PREFIX}.key")
         changed = True
     return changed
 
 
 def check_mtls_init() -> bool:
     """Check if we have the cert and key"""
     check_settings_clientpaths()
-    assert switchme_to_singleton_call.mtls_client_cert_path is not None
-    assert switchme_to_singleton_call.mtls_client_key_path is not None
-    cert_path = Path(switchme_to_singleton_call.mtls_client_cert_path)
-    key_path = Path(switchme_to_singleton_call.mtls_client_key_path)
+    config = RMSettings.singleton()
+    assert config.mtls_client_cert_path is not None
+    assert config.mtls_client_key_path is not None
+    cert_path = Path(config.mtls_client_cert_path)
+    key_path = Path(config.mtls_client_key_path)
     LOGGER.debug("cert_path={}  exits={}".format(cert_path, cert_path.exists()))
     LOGGER.debug("key_path={}  exits={}".format(key_path, key_path.exists()))
     if cert_path.exists() and key_path.exists():
@@ -71,45 +70,57 @@ async def mtls_init() -> None:
     if check_mtls_init():
         return
     privkeypath, pubkeypath, csrpath = resolve_filepaths(
-        Path(switchme_to_singleton_call.persistent_data_dir), CERT_NAME_PREFIX
+        Path(RMSettings.singleton().persistent_data_dir), CERT_NAME_PREFIX
     )
     check_settings_clientpaths()
-    assert switchme_to_singleton_call.mtls_client_key_path is not None
-    assert switchme_to_singleton_call.mtls_client_cert_path is not None
-    if (pth := Path(switchme_to_singleton_call.mtls_client_key_path)) != privkeypath:
+    config = RMSettings.singleton()
+    assert config.mtls_client_key_path is not None
+    assert config.mtls_client_cert_path is not None
+    if (pth := Path(config.mtls_client_key_path)) != privkeypath:
         privkeypath = pth
     certpath = pubkeypath.parent / f"{CERT_NAME_PREFIX}.pem"
-    if (pth := Path(switchme_to_singleton_call.mtls_client_cert_path)) != certpath:
+    if (pth := Path(config.mtls_client_cert_path)) != certpath:
         certpath = pth
     lockpath = privkeypath.with_suffix(".lock")
     # Random sleep to avoid race conditions on these file accesses
     await asyncio.sleep(random.random() * 3.0)  # nosec
     lock = filelock.FileLock(lockpath)
+    csrpem: Optional[str] = None
     try:
         lock.acquire(timeout=0.0)
         # Check the privkey again to avoid overwriting.
-        if privkeypath.exists():
-            return None
-        LOGGER.info("No mTLS client cert yet, creating it, this will take a moment")
-        keypair = await async_create_keypair(privkeypath, pubkeypath)
-        csrpem = await async_create_client_csr(keypair, csrpath, {"CN": switchme_to_singleton_call.mtls_client_cert_cn})
-        certpem = (await _anon_sign_csr(csrpem)).replace("\\n", "\n")
+        if not privkeypath.exists():
+            LOGGER.info("No mTLS client cert yet, creating it, this will take a moment")
+            keypair = await async_create_keypair(privkeypath, pubkeypath)
+            LOGGER.debug("Creating mTLS client CSR")
+            csrpem = await async_create_client_csr(keypair, csrpath, {"CN": config.mtls_client_cert_cn})
+        if not certpath.exists():
+            if not csrpem:
+                LOGGER.debug("Loading mTLS client CSR from {}".format(csrpath))
+                csrpem = csrpath.read_text()
+            try:
+                LOGGER.debug("Getting CSR signed")
+                certpem = (await _anon_sign_csr(csrpem)).replace("\\n", "\n")
+                LOGGER.debug("Saving mTLS cert to {}".format(certpath))
+                certpath.write_text(certpem, encoding="ascii")
+            except CertError as exc:
+                LOGGER.exception("Signing failed: {}".format(exc))
     except filelock.Timeout:
         LOGGER.warning("Someone has already locked {}".format(lockpath))
         LOGGER.debug("Sleeping for ~5s and then recursing")
         await asyncio.sleep(5.0 + random.random())  # nosec
         return await mtls_init()
     finally:
         lock.release()
-    certpath.write_text(certpem, encoding="ascii")
 
 
 async def get_session_winit() -> aiohttp.ClientSession:
     """wrap libpvarki get_session to init checks"""
     await mtls_init()
     check_settings_clientpaths()
-    assert switchme_to_singleton_call.mtls_client_cert_path is not None
-    assert switchme_to_singleton_call.mtls_client_key_path is not None
-    cert_path = Path(switchme_to_singleton_call.mtls_client_cert_path)
-    key_path = Path(switchme_to_singleton_call.mtls_client_key_path)
+    config = RMSettings.singleton()
+    assert config.mtls_client_cert_path is not None
+    assert config.mtls_client_key_path is not None
+    cert_path = Path(config.mtls_client_cert_path)
+    key_path = Path(config.mtls_client_key_path)
     return libsession((cert_path, key_path))

src/rasenmaeher_api/mtlsinit.py

@@ -12,7 +12,7 @@
 
 from .rmsettings import RMSettings
 from .mtlsinit import get_session_winit
-from .cert import refresh_ocsp
+from .cert.backend import refresh_ocsp
 
 LOGGER = logging.getLogger(__name__)
 

src/rasenmaeher_api/productapihelpers.py

@@ -18,7 +18,7 @@
 from ....db.nonces import SeenToken
 from ....db.errors import NotFound
 from ....db import Person
-from ....cert import get_ca, get_bundle, sign_csr, revoke_pem, CertError
+from ....cert.backend import get_ca, get_bundle, sign_csr, revoke_pem, CertError
 from ....rmsettings import RMSettings
 from ....kchelpers import KCClient
 from ....productapihelpers import post_to_product