authentik/authentik/crypto/builder.py

"""Create self-signed certificates"""
import datetime
import uuid
from typing import Optional

from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

from authentik import __version__
from authentik.crypto.models import CertificateKeyPair


class CertificateBuilder:
    """Build self-signed certificates"""

    __public_key = None
    __private_key = None
    __builder = None
    __certificate = None

    common_name: str

    def __init__(self):
        self.__public_key = None
        self.__private_key = None
        self.__builder = None
        self.__certificate = None
        self.common_name = "authentik Self-signed Certificate"

    def save(self) -> Optional[CertificateKeyPair]:
        """Save generated certificate as model"""
        if not self.__certificate:
            raise ValueError("Certificated hasn't been built yet")
        return CertificateKeyPair.objects.create(
            name=self.common_name,
            certificate_data=self.certificate,
            key_data=self.private_key,
        )

    def build(
        self,
        validity_days: int = 365,
        subject_alt_names: Optional[list[str]] = None,
    ):
        """Build self-signed certificate"""
        one_day = datetime.timedelta(1, 0, 0)
        self.__private_key = rsa.generate_private_key(
            public_exponent=65537, key_size=2048, backend=default_backend()
        )
        self.__public_key = self.__private_key.public_key()
        alt_names: list[x509.GeneralName] = [
            x509.DNSName(x) for x in subject_alt_names or []
        ]
        self.__builder = (
            x509.CertificateBuilder()
            .subject_name(
                x509.Name(
                    [
                        x509.NameAttribute(
                            NameOID.COMMON_NAME,
                            self.common_name,
                        ),
                        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "authentik"),
                        x509.NameAttribute(
                            NameOID.ORGANIZATIONAL_UNIT_NAME, "Self-signed"
                        ),
                    ]
                )
            )
            .issuer_name(
                x509.Name(
                    [
                        x509.NameAttribute(
                            NameOID.COMMON_NAME,
                            f"authentik {__version__}",
                        ),
                    ]
                )
            )
            .add_extension(x509.SubjectAlternativeName(alt_names), critical=True)
            .not_valid_before(datetime.datetime.today() - one_day)
            .not_valid_after(
                datetime.datetime.today() + datetime.timedelta(days=validity_days)
            )
            .serial_number(int(uuid.uuid4()))
            .public_key(self.__public_key)
        )
        self.__certificate = self.__builder.sign(
            private_key=self.__private_key,
            algorithm=hashes.SHA256(),
            backend=default_backend(),
        )

    @property
    def private_key(self):
        """Return private key in PEM format"""
        return self.__private_key.private_bytes(
            encoding=serialization.Encoding.PEM,
            format=serialization.PrivateFormat.TraditionalOpenSSL,
            encryption_algorithm=serialization.NoEncryption(),
        ).decode("utf-8")

    @property
    def certificate(self):
        """Return certificate in PEM format"""
        return self.__certificate.public_bytes(
            encoding=serialization.Encoding.PEM,
        ).decode("utf-8")
crypto: implement simple certificate-key pair for easier management 2020-03-03 22:35:25 +00:00			`"""Create self-signed certificates"""`
			`import datetime`
			`import uuid`
admin: add button to generate certificate-key pair 2021-02-07 15:15:55 +00:00			`from typing import Optional`
crypto: implement simple certificate-key pair for easier management 2020-03-03 22:35:25 +00:00
			`from cryptography import x509`
			`from cryptography.hazmat.backends import default_backend`
			`from cryptography.hazmat.primitives import hashes, serialization`
			`from cryptography.hazmat.primitives.asymmetric import rsa`
			`from cryptography.x509.oid import NameOID`

admin: add button to generate certificate-key pair 2021-02-07 15:15:55 +00:00			`from authentik import __version__`
			`from authentik.crypto.models import CertificateKeyPair`

crypto: implement simple certificate-key pair for easier management 2020-03-03 22:35:25 +00:00
			`class CertificateBuilder:`
			`"""Build self-signed certificates"""`

			`__public_key = None`
			`__private_key = None`
			`__builder = None`
			`__certificate = None`

admin: add button to generate certificate-key pair 2021-02-07 15:15:55 +00:00			`common_name: str`

crypto: implement simple certificate-key pair for easier management 2020-03-03 22:35:25 +00:00			`def __init__(self):`
			`self.__public_key = None`
			`self.__private_key = None`
			`self.__builder = None`
			`self.__certificate = None`
admin: add button to generate certificate-key pair 2021-02-07 15:15:55 +00:00			`self.common_name = "authentik Self-signed Certificate"`
crypto: implement simple certificate-key pair for easier management 2020-03-03 22:35:25 +00:00
admin: add button to generate certificate-key pair 2021-02-07 15:15:55 +00:00			`def save(self) -> Optional[CertificateKeyPair]:`
			`"""Save generated certificate as model"""`
			`if not self.__certificate:`
lib: add more tests Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-04-27 13:20:23 +00:00			`raise ValueError("Certificated hasn't been built yet")`
admin: add button to generate certificate-key pair 2021-02-07 15:15:55 +00:00			`return CertificateKeyPair.objects.create(`
			`name=self.common_name,`
			`certificate_data=self.certificate,`
			`key_data=self.private_key,`
			`)`

			`def build(`
			`self,`
			`validity_days: int = 365,`
			`subject_alt_names: Optional[list[str]] = None,`
			`):`
crypto: implement simple certificate-key pair for easier management 2020-03-03 22:35:25 +00:00			`"""Build self-signed certificate"""`
			`one_day = datetime.timedelta(1, 0, 0)`
			`self.__private_key = rsa.generate_private_key(`
			`public_exponent=65537, key_size=2048, backend=default_backend()`
			`)`
			`self.__public_key = self.__private_key.public_key()`
admin: add button to generate certificate-key pair 2021-02-07 15:15:55 +00:00			`alt_names: list[x509.GeneralName] = [`
			`x509.DNSName(x) for x in subject_alt_names or []`
			`]`
crypto: implement simple certificate-key pair for easier management 2020-03-03 22:35:25 +00:00			`self.__builder = (`
			`x509.CertificateBuilder()`
			`.subject_name(`
			`x509.Name(`
			`[`
			`x509.NameAttribute(`
*: apply new black styling 2020-09-30 17:34:22 +00:00			`NameOID.COMMON_NAME,`
admin: add button to generate certificate-key pair 2021-02-07 15:15:55 +00:00			`self.common_name,`
crypto: implement simple certificate-key pair for easier management 2020-03-03 22:35:25 +00:00			`),`
wip: rename to authentik (#361) * root: initial rename * web: rename custom element prefix * root: rename external functions with pb_ prefix * root: fix formatting * root: replace domain with goauthentik.io * proxy: update path * root: rename remaining prefixes * flows: rename file extension * root: pbadmin -> akadmin * docs: fix image filenames * lifecycle: ignore migration files * ci: copy default config from current source before loading last tagged * : new sentry dsn tests: fix missing python3.9-dev package * root: add additional migrations for service accounts created by outposts * core: mark system-created service accounts with attribute * policies/expression: fix pb_ replacement not working * web: fix last linting errors, add lit-analyse * policies/expressions: fix lint errors * web: fix sidebar display on screens where not all items fit * proxy: attempt to fix proxy pipeline * proxy: use go env GOPATH to get gopath * lib: fix user_default naming inconsistency * docs: add upgrade docs * docs: update screenshots to use authentik * admin: fix create button on empty-state of outpost * web: fix modal submit not refreshing SiteShell and Table * web: fix height of app-card and height of generic icon * web: fix rendering of subtext * admin: fix version check error not being caught * web: fix worker count not being shown * docs: update screenshots * root: new icon * web: fix lint error * admin: fix linting error * root: migrate coverage config to pyproject 2020-12-05 21:08:42 +00:00			`x509.NameAttribute(NameOID.ORGANIZATION_NAME, "authentik"),`
crypto: implement simple certificate-key pair for easier management 2020-03-03 22:35:25 +00:00			`x509.NameAttribute(`
WIP Use Flows for Sources and Providers (#32) * core: start migrating to flows for authorisation * sources/oauth: start type-hinting * core: create default user * core: only show user delete button if an unenrollment flow exists * flows: Correctly check initial policies on flow with context * policies: add more verbosity to engine * sources/oauth: migrate to flows * sources/oauth: fix typing errors * flows: add more tests * sources/oauth: start implementing unittests * sources/ldap: add option to disable user sync, move connection init to model * sources/ldap: re-add default PropertyMappings * providers/saml: re-add default PropertyMappings * admin: fix missing stage count * stages/identification: fix sources not being shown * crypto: fix being unable to save with private key * crypto: re-add default self-signed keypair * policies: rewrite cache_key to prevent wrong cache * sources/saml: migrate to flows for auth and enrollment * stages/consent: add new stage * admin: fix PropertyMapping widget not rendering properly * core: provider.authorization_flow is mandatory * flows: add support for "autosubmit" attribute on form * flows: add InMemoryStage for dynamic stages * flows: optionally allow empty flows from FlowPlanner * providers/saml: update to authorization_flow * sources/: fix flow executor URL flows: fix pylint error * flows: wrap responses in JSON object to easily handle redirects * flow: dont cache plan's context * providers/oauth: rewrite OAuth2 Provider to use flows * providers/: update docstrings of models core: fix forms not passing help_text through safe * flows: fix HttpResponses not being converted to JSON * providers/oidc: rewrite to use flows * flows: fix linting 2020-06-07 14:35:08 +00:00			`NameOID.ORGANIZATIONAL_UNIT_NAME, "Self-signed"`
crypto: implement simple certificate-key pair for easier management 2020-03-03 22:35:25 +00:00			`),`
			`]`
			`)`
			`)`
			`.issuer_name(`
			`x509.Name(`
			`[`
			`x509.NameAttribute(`
*: apply new black styling 2020-09-30 17:34:22 +00:00			`NameOID.COMMON_NAME,`
admin: add button to generate certificate-key pair 2021-02-07 15:15:55 +00:00			`f"authentik {__version__}",`
crypto: implement simple certificate-key pair for easier management 2020-03-03 22:35:25 +00:00			`),`
			`]`
			`)`
			`)`
admin: add button to generate certificate-key pair 2021-02-07 15:15:55 +00:00			`.add_extension(x509.SubjectAlternativeName(alt_names), critical=True)`
crypto: implement simple certificate-key pair for easier management 2020-03-03 22:35:25 +00:00			`.not_valid_before(datetime.datetime.today() - one_day)`
admin: add button to generate certificate-key pair 2021-02-07 15:15:55 +00:00			`.not_valid_after(`
			`datetime.datetime.today() + datetime.timedelta(days=validity_days)`
			`)`
crypto: implement simple certificate-key pair for easier management 2020-03-03 22:35:25 +00:00			`.serial_number(int(uuid.uuid4()))`
			`.public_key(self.__public_key)`
			`)`
			`self.__certificate = self.__builder.sign(`
			`private_key=self.__private_key,`
			`algorithm=hashes.SHA256(),`
			`backend=default_backend(),`
			`)`

			`@property`
			`def private_key(self):`
			`"""Return private key in PEM format"""`
			`return self.__private_key.private_bytes(`
			`encoding=serialization.Encoding.PEM,`
			`format=serialization.PrivateFormat.TraditionalOpenSSL,`
			`encryption_algorithm=serialization.NoEncryption(),`
			`).decode("utf-8")`

			`@property`
			`def certificate(self):`
			`"""Return certificate in PEM format"""`
			`return self.__certificate.public_bytes(`
			`encoding=serialization.Encoding.PEM,`
			`).decode("utf-8")`