diff options
| -rw-r--r-- | lib/leap_cli/commands/compile.rb | 44 | ||||
| -rw-r--r-- | lib/leap_cli/macros/core.rb | 7 | ||||
| -rw-r--r-- | lib/leap_cli/macros/files.rb | 94 | ||||
| -rw-r--r-- | lib/leap_cli/macros/keys.rb | 42 | ||||
| -rw-r--r-- | platform.rb | 3 | ||||
| -rw-r--r-- | provider_base/services/mx.json | 10 | ||||
| -rw-r--r-- | puppet/modules/opendkim/manifests/init.pp | 13 | ||||
| -rw-r--r-- | puppet/modules/opendkim/templates/opendkim.conf | 3 | ||||
| -rw-r--r-- | puppet/modules/site_config/manifests/x509/dkim/key.pp | 13 |
9 files changed, 156 insertions, 73 deletions
diff --git a/lib/leap_cli/commands/compile.rb b/lib/leap_cli/commands/compile.rb index 44b97d4a..b98d591f 100644 --- a/lib/leap_cli/commands/compile.rb +++ b/lib/leap_cli/commands/compile.rb @@ -298,6 +298,7 @@ remove this directory if you don't use it. nodes = manager.nodes[:environment => env] next unless nodes.any? spf = nil + dkim = nil lines << ENV_HEADER % (env.nil? ? 'default' : env) nodes.each_node do |node| if node.dns.public @@ -314,9 +315,11 @@ remove this directory if you don't use it. mx_domain = relative_hostname(node.domain.full_suffix, provider) lines << [mx_domain, "IN MX 10 #{relative_hostname(node.domain.full, provider)}"] spf ||= [mx_domain, spf_record(node)] + dkim ||= dkim_record(node) end end lines << spf if spf + lines << dkim if dkim end # print the lines @@ -331,6 +334,8 @@ remove this directory if you don't use it. end end + private + # # allow mail from any mx node, plus the webapp nodes. # @@ -346,6 +351,43 @@ remove this directory if you don't use it. %(IN TXT "#{strings}") end + # + # for example: + # + # selector._domainkey IN TXT "v=DKIM1;h=sha256;k=rsa;s=email;p=MIGfMA0GCSq...GSIb3DQ" + # + # specification: http://dkim.org/specs/rfc4871-dkimbase.html#rfc.section.7.4 + # + def dkim_record(node) + # PEM encoded public key (base64), without the ---PUBLIC KEY--- armor parts. + assert_files_exist! :dkim_pub_key + dkim_pub_key = Path.named_path(:dkim_pub_key) + public_key = File.readlines(dkim_pub_key).grep(/^[^\-]+/).join + + host = node.mx.dkim.selector + "._domainkey" + attrs = [ + "v=DKIM1", + "h=sha256", + "k=rsa", + "s=email", + "p=" + public_key + ] + + return [host, "IN TXT " + txt_wrap(attrs.join(';'))] + end + + # + # DNS TXT records cannot be longer than 255 characters. + # + # However, multiple responses will be concatenated together. + # It looks like this: + # + # IN TXT "v=spf1 .... first" "second string..." + # + def txt_wrap(str) + '"' + str.scan(/.{1,255}/).join('" "') + '"' + end + ENV_HEADER = %[ ;; ;; ENVIRONMENT %s @@ -381,6 +423,8 @@ $ORIGIN %{domain}. ## FIREWALL ## + public + def compile_firewall manager.nodes.each_node(&:evaluate) diff --git a/lib/leap_cli/macros/core.rb b/lib/leap_cli/macros/core.rb index 7de50f2f..ebea3a6e 100644 --- a/lib/leap_cli/macros/core.rb +++ b/lib/leap_cli/macros/core.rb @@ -4,13 +4,6 @@ module LeapCli module Macro # - # return a fingerprint for a x509 certificate - # - def fingerprint(filename) - "SHA256: " + X509.fingerprint("SHA256", Path.named_path(filename)) - end - - # # Creates a hash from the ssh key info in users directory, for use in # updating authorized_keys file. Additionally, the 'monitor' public key is # included, which is used by the monitor nodes to run particular commands diff --git a/lib/leap_cli/macros/files.rb b/lib/leap_cli/macros/files.rb index 958958bc..d3972485 100644 --- a/lib/leap_cli/macros/files.rb +++ b/lib/leap_cli/macros/files.rb @@ -37,18 +37,10 @@ module LeapCli end # - # returns what the file path will be, once the file is rsynced to the server. - # an internal list of discovered file paths is saved, in order to rsync these files when needed. + # returns the location of a file that is stored on the local + # host, under PROVIDER_DIR/files. # - # notes: - # - # * argument 'path' is relative to Path.provider/files or Path.provider_base/files - # * the path returned by this method is absolute - # * the path stored for use later by rsync is relative to Path.provider - # * if the path does not exist locally, but exists in provider_base, then the default file from - # provider_base is copied locally. this is required for rsync to work correctly. - # - def file_path(path, options={}) + def local_file_path(path, options={}) if path.is_a? Symbol path = [path, @node.name] elsif path.is_a? String @@ -57,32 +49,72 @@ module LeapCli path = "files/" + path end end - actual_path = Path.find_file(path) - if actual_path.nil? + local_path = Path.find_file(path) + if local_path.nil? if options[:missing] raise FileMissing.new(Path.named_path(path), options) + elsif block_given? + yield + return local_file_path(path, options) # try again. else - Util::log 2, :skipping, "file_path(\"#{path}\") because there is no such file." + Util::log 2, :skipping, "local_file_path(\"#{path}\") because there is no such file." + return nil end - nil else - if actual_path =~ /^#{Regexp.escape(Path.provider_base)}/ - # if file is under Path.provider_base, we must copy the default file to - # to Path.provider in order for rsync to be able to sync the file. - local_provider_path = actual_path.sub(/^#{Regexp.escape(Path.provider_base)}/, Path.provider) - FileUtils.mkdir_p File.dirname(local_provider_path), :mode => 0700 - FileUtils.install actual_path, local_provider_path, :mode => 0600 - Util.log :created, Path.relative_path(local_provider_path) - actual_path = local_provider_path - end - if File.directory?(actual_path) && actual_path !~ /\/$/ - actual_path += '/' # ensure directories end with /, important for building rsync command - end - relative_path = Path.relative_path(actual_path) - relative_path.sub!(/^files\//, '') # remove "files/" prefix - @node.file_paths << relative_path - File.join(Leap::Platform.files_dir, relative_path) + local_path + end + end + + # + # Returns the location of a file once it is deployed via rsync to the a + # remote server. An internal list of discovered file paths is saved, in + # order to rsync these files when needed. + # + # If there is a block given and the file does not actually exist, the + # block will be yielded to give an opportunity for some code to create the + # file. + # + # For example: + # + # file_path(:dkim_priv_key) {generate_dkim_key} + # + # notes: + # + # * argument 'path' is relative to Path.provider/files or + # Path.provider_base/files + # * the path returned by this method is absolute + # * the path stored for use later by rsync is relative to Path.provider + # * if the path does not exist locally, but exists in provider_base, + # then the default file from provider_base is copied locally. this + # is required for rsync to work correctly. + # + def remote_file_path(path, options={}, &block) + local_path = local_file_path(path, options, &block) + + # if file is under Path.provider_base, we must copy the default file to + # to Path.provider in order for rsync to be able to sync the file. + if local_path =~ /^#{Regexp.escape(Path.provider_base)}/ + local_provider_path = local_path.sub(/^#{Regexp.escape(Path.provider_base)}/, Path.provider) + FileUtils.mkdir_p File.dirname(local_provider_path), :mode => 0700 + FileUtils.install local_path, local_provider_path, :mode => 0600 + Util.log :created, Path.relative_path(local_provider_path) + local_path = local_provider_path + end + + # ensure directories end with /, important for building rsync command + if File.directory?(local_path) && local_path !~ /\/$/ + local_path += '/' end + + relative_path = Path.relative_path(local_path) + relative_path.sub!(/^files\//, '') # remove "files/" prefix + @node.file_paths << relative_path + File.join(Leap::Platform.files_dir, relative_path) + end + + # deprecated + def file_path(path, options={}) + remote_file_path(path, options) end end diff --git a/lib/leap_cli/macros/keys.rb b/lib/leap_cli/macros/keys.rb index 0ed7ccd0..e7a75cfb 100644 --- a/lib/leap_cli/macros/keys.rb +++ b/lib/leap_cli/macros/keys.rb @@ -8,17 +8,28 @@ module LeapCli module Macro # + # return a fingerprint for a key or certificate + # + def fingerprint(filename, options={}) + options[:mode] ||= :x509 + if options[:mode] == :x509 + "SHA256: " + X509.fingerprint("SHA256", Path.named_path(filename)) + elsif options[:mode] == :rsa + key = OpenSSL::PKey::RSA.new(File.read(filename)) + Digest::SHA1.new.hexdigest(key.to_der) + end + end + + ## + ## TOR + ## + + # # return the path to the tor public key # generating key if it is missing # def tor_public_key_path(path_name, key_type) - path = file_path(path_name) - if path.nil? - generate_tor_key(key_type) - file_path(path_name) - else - path - end + file_path(path_name) { generate_tor_key(key_type) } end # @@ -26,13 +37,7 @@ module LeapCli # generating key if it is missing # def tor_private_key_path(path_name, key_type) - path = file_path(path_name) - if path.nil? - generate_tor_key(key_type) - file_path(path_name) - else - path - end + file_path(path_name) { generate_tor_key(key_type) } end # @@ -62,6 +67,15 @@ module LeapCli end end + def generate_dkim_key(bit_size=2048) + LeapCli.log :generating, "%s bit RSA DKIM key" % bit_size do + private_key = OpenSSL::PKey::RSA.new(bit_size) + public_key = private_key.public_key + LeapCli::Util.write_file! :dkim_priv_key, private_key.to_pem + LeapCli::Util.write_file! :dkim_pub_key, public_key.to_pem + end + end + private def generate_tor_key(key_type) diff --git a/platform.rb b/platform.rb index 51ddd98f..8433416e 100644 --- a/platform.rb +++ b/platform.rb @@ -76,6 +76,9 @@ Leap::Platform.define do :commercial_key => 'files/cert/#{arg}.key', :commercial_csr => 'files/cert/#{arg}.csr', :commercial_cert => 'files/cert/#{arg}.crt', + :dkim_priv_key => 'files/mx/dkim.key', + :dkim_pub_key => 'files/mx/dkim.pub', + :commercial_ca_cert => 'files/cert/commercial_ca.crt', :vagrantfile => 'test/Vagrantfile', :static_web_provider_json => 'files/web/bootstrap/#{arg}/provider.json', diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json index 70acf5cb..676e075b 100644 --- a/provider_base/services/mx.json +++ b/provider_base/services/mx.json @@ -4,7 +4,15 @@ // these are in *addition* to the standard reserved aliases for root and postmaster, etc. "aliases": {}, // this is the domain that is used for the OpenPGP header - "key_lookup_domain": "= global.services[:webapp].webapp.domain" + "key_lookup_domain": "= global.services[:webapp].webapp.domain", + "dkim": { + // bit sizes larger than 2048 are not necessarily supported + "bit_size": 2048, + "public_key": "= remote_file_path(:dkim_pub_key) { generate_dkim_key(mx.dkim.bit_size) }", + "private_key": "= remote_file_path(:dkim_priv_key) { generate_dkim_key(mx.dkim.bit_size) }", + // generate selector based on first ten digits of pub key fingerprint: + "selector": "= fingerprint(local_file_path(:dkim_pub_key) { generate_dkim_key(mx.dkim.bit_size) }, :mode => :rsa).slice(0,10)" + } }, "stunnel": { "clients": { diff --git a/puppet/modules/opendkim/manifests/init.pp b/puppet/modules/opendkim/manifests/init.pp index 9e67569e..e2e766e7 100644 --- a/puppet/modules/opendkim/manifests/init.pp +++ b/puppet/modules/opendkim/manifests/init.pp @@ -1,13 +1,15 @@ -# configure opendkim service (#5924) +# +# I am not sure about what issues might arise with DKIM key sizes +# larger than 2048. It might or might not be supported. See: +# http://dkim.org/specs/rfc4871-dkimbase.html#rfc.section.3.3.3 +# class opendkim { $domain_hash = hiera('domain') $domain = $domain_hash['full_suffix'] $dkim = hiera('dkim') - $selector = $dkim['dkim_selector'] - - include site_config::x509::dkim::key - $dkim_key = "${x509::variables::keys}/dkim.key" + $selector = $dkim['selector'] + $dkim_key = $dkim['private_key'] ensure_packages(['opendkim', 'libopendkim7', 'libvbr2']) @@ -23,7 +25,6 @@ class opendkim { enable => true, hasstatus => true, hasrestart => true, - require => Class['Site_config::X509::Dkim::Key'], subscribe => File[$dkim_key]; } diff --git a/puppet/modules/opendkim/templates/opendkim.conf b/puppet/modules/opendkim/templates/opendkim.conf index 46ddb7a8..5a948229 100644 --- a/puppet/modules/opendkim/templates/opendkim.conf +++ b/puppet/modules/opendkim/templates/opendkim.conf @@ -18,7 +18,6 @@ SubDomains yes # can we generate a larger key and get it in dns? KeyFile <%= @dkim_key %> -# what selector do we use? Selector <%= @selector %> # Commonly-used options; the commented-out versions show the defaults. @@ -26,6 +25,8 @@ Canonicalization relaxed #Mode sv #ADSPDiscard no +SignatureAlgorithm rsa-sha256 + # Always oversign From (sign using actual From and a null From to prevent # malicious signatures header fields (From and/or others) between the signer # and the verifier. From is oversigned by default in the Debian pacakge diff --git a/puppet/modules/site_config/manifests/x509/dkim/key.pp b/puppet/modules/site_config/manifests/x509/dkim/key.pp deleted file mode 100644 index c63a7e94..00000000 --- a/puppet/modules/site_config/manifests/x509/dkim/key.pp +++ /dev/null @@ -1,13 +0,0 @@ -class site_config::x509::dkim::key { - - ## - ## This is for the DKIM key that is used exclusively for DKIM - ## signing - - $x509 = hiera('x509') - $key = $x509['dkim_key'] - - x509::key { 'dkim': - content => $key - } -} |