summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--lib/leap_cli/commands/compile.rb44
-rw-r--r--lib/leap_cli/macros/core.rb7
-rw-r--r--lib/leap_cli/macros/files.rb94
-rw-r--r--lib/leap_cli/macros/keys.rb42
-rw-r--r--platform.rb3
-rw-r--r--provider_base/services/mx.json10
-rw-r--r--puppet/modules/opendkim/manifests/init.pp13
-rw-r--r--puppet/modules/opendkim/templates/opendkim.conf3
-rw-r--r--puppet/modules/site_config/manifests/x509/dkim/key.pp13
9 files changed, 156 insertions, 73 deletions
diff --git a/lib/leap_cli/commands/compile.rb b/lib/leap_cli/commands/compile.rb
index 44b97d4a..b98d591f 100644
--- a/lib/leap_cli/commands/compile.rb
+++ b/lib/leap_cli/commands/compile.rb
@@ -298,6 +298,7 @@ remove this directory if you don't use it.
nodes = manager.nodes[:environment => env]
next unless nodes.any?
spf = nil
+ dkim = nil
lines << ENV_HEADER % (env.nil? ? 'default' : env)
nodes.each_node do |node|
if node.dns.public
@@ -314,9 +315,11 @@ remove this directory if you don't use it.
mx_domain = relative_hostname(node.domain.full_suffix, provider)
lines << [mx_domain, "IN MX 10 #{relative_hostname(node.domain.full, provider)}"]
spf ||= [mx_domain, spf_record(node)]
+ dkim ||= dkim_record(node)
end
end
lines << spf if spf
+ lines << dkim if dkim
end
# print the lines
@@ -331,6 +334,8 @@ remove this directory if you don't use it.
end
end
+ private
+
#
# allow mail from any mx node, plus the webapp nodes.
#
@@ -346,6 +351,43 @@ remove this directory if you don't use it.
%(IN TXT "#{strings}")
end
+ #
+ # for example:
+ #
+ # selector._domainkey IN TXT "v=DKIM1;h=sha256;k=rsa;s=email;p=MIGfMA0GCSq...GSIb3DQ"
+ #
+ # specification: http://dkim.org/specs/rfc4871-dkimbase.html#rfc.section.7.4
+ #
+ def dkim_record(node)
+ # PEM encoded public key (base64), without the ---PUBLIC KEY--- armor parts.
+ assert_files_exist! :dkim_pub_key
+ dkim_pub_key = Path.named_path(:dkim_pub_key)
+ public_key = File.readlines(dkim_pub_key).grep(/^[^\-]+/).join
+
+ host = node.mx.dkim.selector + "._domainkey"
+ attrs = [
+ "v=DKIM1",
+ "h=sha256",
+ "k=rsa",
+ "s=email",
+ "p=" + public_key
+ ]
+
+ return [host, "IN TXT " + txt_wrap(attrs.join(';'))]
+ end
+
+ #
+ # DNS TXT records cannot be longer than 255 characters.
+ #
+ # However, multiple responses will be concatenated together.
+ # It looks like this:
+ #
+ # IN TXT "v=spf1 .... first" "second string..."
+ #
+ def txt_wrap(str)
+ '"' + str.scan(/.{1,255}/).join('" "') + '"'
+ end
+
ENV_HEADER = %[
;;
;; ENVIRONMENT %s
@@ -381,6 +423,8 @@ $ORIGIN %{domain}.
## FIREWALL
##
+ public
+
def compile_firewall
manager.nodes.each_node(&:evaluate)
diff --git a/lib/leap_cli/macros/core.rb b/lib/leap_cli/macros/core.rb
index 7de50f2f..ebea3a6e 100644
--- a/lib/leap_cli/macros/core.rb
+++ b/lib/leap_cli/macros/core.rb
@@ -4,13 +4,6 @@ module LeapCli
module Macro
#
- # return a fingerprint for a x509 certificate
- #
- def fingerprint(filename)
- "SHA256: " + X509.fingerprint("SHA256", Path.named_path(filename))
- end
-
- #
# Creates a hash from the ssh key info in users directory, for use in
# updating authorized_keys file. Additionally, the 'monitor' public key is
# included, which is used by the monitor nodes to run particular commands
diff --git a/lib/leap_cli/macros/files.rb b/lib/leap_cli/macros/files.rb
index 958958bc..d3972485 100644
--- a/lib/leap_cli/macros/files.rb
+++ b/lib/leap_cli/macros/files.rb
@@ -37,18 +37,10 @@ module LeapCli
end
#
- # returns what the file path will be, once the file is rsynced to the server.
- # an internal list of discovered file paths is saved, in order to rsync these files when needed.
+ # returns the location of a file that is stored on the local
+ # host, under PROVIDER_DIR/files.
#
- # notes:
- #
- # * argument 'path' is relative to Path.provider/files or Path.provider_base/files
- # * the path returned by this method is absolute
- # * the path stored for use later by rsync is relative to Path.provider
- # * if the path does not exist locally, but exists in provider_base, then the default file from
- # provider_base is copied locally. this is required for rsync to work correctly.
- #
- def file_path(path, options={})
+ def local_file_path(path, options={})
if path.is_a? Symbol
path = [path, @node.name]
elsif path.is_a? String
@@ -57,32 +49,72 @@ module LeapCli
path = "files/" + path
end
end
- actual_path = Path.find_file(path)
- if actual_path.nil?
+ local_path = Path.find_file(path)
+ if local_path.nil?
if options[:missing]
raise FileMissing.new(Path.named_path(path), options)
+ elsif block_given?
+ yield
+ return local_file_path(path, options) # try again.
else
- Util::log 2, :skipping, "file_path(\"#{path}\") because there is no such file."
+ Util::log 2, :skipping, "local_file_path(\"#{path}\") because there is no such file."
+ return nil
end
- nil
else
- if actual_path =~ /^#{Regexp.escape(Path.provider_base)}/
- # if file is under Path.provider_base, we must copy the default file to
- # to Path.provider in order for rsync to be able to sync the file.
- local_provider_path = actual_path.sub(/^#{Regexp.escape(Path.provider_base)}/, Path.provider)
- FileUtils.mkdir_p File.dirname(local_provider_path), :mode => 0700
- FileUtils.install actual_path, local_provider_path, :mode => 0600
- Util.log :created, Path.relative_path(local_provider_path)
- actual_path = local_provider_path
- end
- if File.directory?(actual_path) && actual_path !~ /\/$/
- actual_path += '/' # ensure directories end with /, important for building rsync command
- end
- relative_path = Path.relative_path(actual_path)
- relative_path.sub!(/^files\//, '') # remove "files/" prefix
- @node.file_paths << relative_path
- File.join(Leap::Platform.files_dir, relative_path)
+ local_path
+ end
+ end
+
+ #
+ # Returns the location of a file once it is deployed via rsync to the a
+ # remote server. An internal list of discovered file paths is saved, in
+ # order to rsync these files when needed.
+ #
+ # If there is a block given and the file does not actually exist, the
+ # block will be yielded to give an opportunity for some code to create the
+ # file.
+ #
+ # For example:
+ #
+ # file_path(:dkim_priv_key) {generate_dkim_key}
+ #
+ # notes:
+ #
+ # * argument 'path' is relative to Path.provider/files or
+ # Path.provider_base/files
+ # * the path returned by this method is absolute
+ # * the path stored for use later by rsync is relative to Path.provider
+ # * if the path does not exist locally, but exists in provider_base,
+ # then the default file from provider_base is copied locally. this
+ # is required for rsync to work correctly.
+ #
+ def remote_file_path(path, options={}, &block)
+ local_path = local_file_path(path, options, &block)
+
+ # if file is under Path.provider_base, we must copy the default file to
+ # to Path.provider in order for rsync to be able to sync the file.
+ if local_path =~ /^#{Regexp.escape(Path.provider_base)}/
+ local_provider_path = local_path.sub(/^#{Regexp.escape(Path.provider_base)}/, Path.provider)
+ FileUtils.mkdir_p File.dirname(local_provider_path), :mode => 0700
+ FileUtils.install local_path, local_provider_path, :mode => 0600
+ Util.log :created, Path.relative_path(local_provider_path)
+ local_path = local_provider_path
+ end
+
+ # ensure directories end with /, important for building rsync command
+ if File.directory?(local_path) && local_path !~ /\/$/
+ local_path += '/'
end
+
+ relative_path = Path.relative_path(local_path)
+ relative_path.sub!(/^files\//, '') # remove "files/" prefix
+ @node.file_paths << relative_path
+ File.join(Leap::Platform.files_dir, relative_path)
+ end
+
+ # deprecated
+ def file_path(path, options={})
+ remote_file_path(path, options)
end
end
diff --git a/lib/leap_cli/macros/keys.rb b/lib/leap_cli/macros/keys.rb
index 0ed7ccd0..e7a75cfb 100644
--- a/lib/leap_cli/macros/keys.rb
+++ b/lib/leap_cli/macros/keys.rb
@@ -8,17 +8,28 @@ module LeapCli
module Macro
#
+ # return a fingerprint for a key or certificate
+ #
+ def fingerprint(filename, options={})
+ options[:mode] ||= :x509
+ if options[:mode] == :x509
+ "SHA256: " + X509.fingerprint("SHA256", Path.named_path(filename))
+ elsif options[:mode] == :rsa
+ key = OpenSSL::PKey::RSA.new(File.read(filename))
+ Digest::SHA1.new.hexdigest(key.to_der)
+ end
+ end
+
+ ##
+ ## TOR
+ ##
+
+ #
# return the path to the tor public key
# generating key if it is missing
#
def tor_public_key_path(path_name, key_type)
- path = file_path(path_name)
- if path.nil?
- generate_tor_key(key_type)
- file_path(path_name)
- else
- path
- end
+ file_path(path_name) { generate_tor_key(key_type) }
end
#
@@ -26,13 +37,7 @@ module LeapCli
# generating key if it is missing
#
def tor_private_key_path(path_name, key_type)
- path = file_path(path_name)
- if path.nil?
- generate_tor_key(key_type)
- file_path(path_name)
- else
- path
- end
+ file_path(path_name) { generate_tor_key(key_type) }
end
#
@@ -62,6 +67,15 @@ module LeapCli
end
end
+ def generate_dkim_key(bit_size=2048)
+ LeapCli.log :generating, "%s bit RSA DKIM key" % bit_size do
+ private_key = OpenSSL::PKey::RSA.new(bit_size)
+ public_key = private_key.public_key
+ LeapCli::Util.write_file! :dkim_priv_key, private_key.to_pem
+ LeapCli::Util.write_file! :dkim_pub_key, public_key.to_pem
+ end
+ end
+
private
def generate_tor_key(key_type)
diff --git a/platform.rb b/platform.rb
index 51ddd98f..8433416e 100644
--- a/platform.rb
+++ b/platform.rb
@@ -76,6 +76,9 @@ Leap::Platform.define do
:commercial_key => 'files/cert/#{arg}.key',
:commercial_csr => 'files/cert/#{arg}.csr',
:commercial_cert => 'files/cert/#{arg}.crt',
+ :dkim_priv_key => 'files/mx/dkim.key',
+ :dkim_pub_key => 'files/mx/dkim.pub',
+
:commercial_ca_cert => 'files/cert/commercial_ca.crt',
:vagrantfile => 'test/Vagrantfile',
:static_web_provider_json => 'files/web/bootstrap/#{arg}/provider.json',
diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json
index 70acf5cb..676e075b 100644
--- a/provider_base/services/mx.json
+++ b/provider_base/services/mx.json
@@ -4,7 +4,15 @@
// these are in *addition* to the standard reserved aliases for root and postmaster, etc.
"aliases": {},
// this is the domain that is used for the OpenPGP header
- "key_lookup_domain": "= global.services[:webapp].webapp.domain"
+ "key_lookup_domain": "= global.services[:webapp].webapp.domain",
+ "dkim": {
+ // bit sizes larger than 2048 are not necessarily supported
+ "bit_size": 2048,
+ "public_key": "= remote_file_path(:dkim_pub_key) { generate_dkim_key(mx.dkim.bit_size) }",
+ "private_key": "= remote_file_path(:dkim_priv_key) { generate_dkim_key(mx.dkim.bit_size) }",
+ // generate selector based on first ten digits of pub key fingerprint:
+ "selector": "= fingerprint(local_file_path(:dkim_pub_key) { generate_dkim_key(mx.dkim.bit_size) }, :mode => :rsa).slice(0,10)"
+ }
},
"stunnel": {
"clients": {
diff --git a/puppet/modules/opendkim/manifests/init.pp b/puppet/modules/opendkim/manifests/init.pp
index 9e67569e..e2e766e7 100644
--- a/puppet/modules/opendkim/manifests/init.pp
+++ b/puppet/modules/opendkim/manifests/init.pp
@@ -1,13 +1,15 @@
-# configure opendkim service (#5924)
+#
+# I am not sure about what issues might arise with DKIM key sizes
+# larger than 2048. It might or might not be supported. See:
+# http://dkim.org/specs/rfc4871-dkimbase.html#rfc.section.3.3.3
+#
class opendkim {
$domain_hash = hiera('domain')
$domain = $domain_hash['full_suffix']
$dkim = hiera('dkim')
- $selector = $dkim['dkim_selector']
-
- include site_config::x509::dkim::key
- $dkim_key = "${x509::variables::keys}/dkim.key"
+ $selector = $dkim['selector']
+ $dkim_key = $dkim['private_key']
ensure_packages(['opendkim', 'libopendkim7', 'libvbr2'])
@@ -23,7 +25,6 @@ class opendkim {
enable => true,
hasstatus => true,
hasrestart => true,
- require => Class['Site_config::X509::Dkim::Key'],
subscribe => File[$dkim_key];
}
diff --git a/puppet/modules/opendkim/templates/opendkim.conf b/puppet/modules/opendkim/templates/opendkim.conf
index 46ddb7a8..5a948229 100644
--- a/puppet/modules/opendkim/templates/opendkim.conf
+++ b/puppet/modules/opendkim/templates/opendkim.conf
@@ -18,7 +18,6 @@ SubDomains yes
# can we generate a larger key and get it in dns?
KeyFile <%= @dkim_key %>
-# what selector do we use?
Selector <%= @selector %>
# Commonly-used options; the commented-out versions show the defaults.
@@ -26,6 +25,8 @@ Canonicalization relaxed
#Mode sv
#ADSPDiscard no
+SignatureAlgorithm rsa-sha256
+
# Always oversign From (sign using actual From and a null From to prevent
# malicious signatures header fields (From and/or others) between the signer
# and the verifier. From is oversigned by default in the Debian pacakge
diff --git a/puppet/modules/site_config/manifests/x509/dkim/key.pp b/puppet/modules/site_config/manifests/x509/dkim/key.pp
deleted file mode 100644
index c63a7e94..00000000
--- a/puppet/modules/site_config/manifests/x509/dkim/key.pp
+++ /dev/null
@@ -1,13 +0,0 @@
-class site_config::x509::dkim::key {
-
- ##
- ## This is for the DKIM key that is used exclusively for DKIM
- ## signing
-
- $x509 = hiera('x509')
- $key = $x509['dkim_key']
-
- x509::key { 'dkim':
- content => $key
- }
-}