Merge pull request #6745 from ryanpetrello/fix-6659

RFC: install a randomized RSA key for controller -> isolated rampart auth

awx/main/conf.py

@@ -173,6 +173,29 @@ register(
     category_slug='jobs',
 )
 
+register(
+    'AWX_ISOLATED_PRIVATE_KEY',
+    field_class=fields.CharField,
+    default='',
+    allow_blank=True,
+    encrypted=True,
+    label=_('The RSA private key for SSH traffic to isolated instances'),
+    help_text=_('The RSA private key for SSH traffic to isolated instances'),  # noqa
+    category=_('Jobs'),
+    category_slug='jobs',
+)
+
+register(
+    'AWX_ISOLATED_PUBLIC_KEY',
+    field_class=fields.CharField,
+    default='',
+    allow_blank=True,
+    label=_('The RSA public key for SSH traffic to isolated instances'),
+    help_text=_('The RSA public key for SSH traffic to isolated instances'),  # noqa
+    category=_('Jobs'),
+    category_slug='jobs',
+)
+
 register(
     'STDOUT_MAX_BYTES_DISPLAY',
     field_class=fields.IntegerField,

awx/main/isolated/isolated_manager.py

@@ -5,7 +5,9 @@ import StringIO
 import json
 import os
 import re
+import shutil
 import stat
+import tempfile
 import time
 import logging
 
@@ -141,7 +143,7 @@ class IsolatedManager(object):
             args.append('-%s' % ('v' * min(5, self.instance.verbosity)))
         buff = StringIO.StringIO()
         logger.debug('Starting job on isolated host with `run_isolated.yml` playbook.')
-        status, rc = run.run_pexpect(
+        status, rc = IsolatedManager.run_pexpect(
             args, self.awx_playbook_path(), self.env, buff,
             expect_passwords={
                 re.compile(r'Secret:\s*?$', re.M): base64.b64encode(json.dumps(secrets))
@@ -154,6 +156,22 @@ class IsolatedManager(object):
             self.stdout_handle.write(buff.getvalue())
         return status, rc
 
+    @classmethod
+    def run_pexpect(cls, pexpect_args, *args, **kw):
+        isolated_ssh_path = None
+        try:
+            if getattr(settings, 'AWX_ISOLATED_PRIVATE_KEY', None):
+                isolated_ssh_path = tempfile.mkdtemp(prefix='ansible_tower_isolated')
+                os.chmod(isolated_ssh_path, stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR)
+                isolated_key = os.path.join(isolated_ssh_path, '.isolated')
+                ssh_sock = os.path.join(isolated_ssh_path, '.isolated_ssh_auth.sock')
+                run.open_fifo_write(isolated_key, settings.AWX_ISOLATED_PRIVATE_KEY)
+                pexpect_args = run.wrap_args_with_ssh_agent(pexpect_args, isolated_key, ssh_sock)
+            return run.run_pexpect(pexpect_args, *args, **kw)
+        finally:
+            if isolated_ssh_path:
+                shutil.rmtree(isolated_ssh_path)
+
     def build_isolated_job_data(self):
         '''
         Write the playbook and metadata into a collection of files on the local
@@ -251,7 +269,7 @@ class IsolatedManager(object):
 
             buff = cStringIO.StringIO()
             logger.debug('Checking job on isolated host with `check_isolated.yml` playbook.')
-            status, rc = run.run_pexpect(
+            status, rc = IsolatedManager.run_pexpect(
                 args, self.awx_playbook_path(), self.env, buff,
                 cancelled_callback=self.cancelled_callback,
                 idle_timeout=remaining,
@@ -302,7 +320,7 @@ class IsolatedManager(object):
                 json.dumps(extra_vars)]
         logger.debug('Cleaning up job on isolated host with `clean_isolated.yml` playbook.')
         buff = cStringIO.StringIO()
-        status, rc = run.run_pexpect(
+        status, rc = IsolatedManager.run_pexpect(
             args, self.awx_playbook_path(), self.env, buff,
             idle_timeout=60, job_timeout=60,
             pexpect_timeout=5
@@ -333,7 +351,7 @@ class IsolatedManager(object):
         env['ANSIBLE_STDOUT_CALLBACK'] = 'json'
 
         buff = cStringIO.StringIO()
-        status, rc = run.run_pexpect(
+        status, rc = IsolatedManager.run_pexpect(
             args, cls.awx_playbook_path(), env, buff,
             idle_timeout=60, job_timeout=60,
             pexpect_timeout=5

awx/main/management/commands/generate_isolated_key.py

@@ -0,0 +1,45 @@
+# Copyright (c) 2015 Ansible, Inc.
+# All Rights Reserved
+import datetime
+import sys
+
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.asymmetric import rsa
+from django.conf import settings
+from django.core.management.base import BaseCommand
+
+from awx.conf.models import Setting
+
+
+class Command(BaseCommand):
+    """Generate and store a randomized RSA key for SSH traffic to isolated instances"""
+    help = 'Generates and stores a randomized RSA key for SSH traffic to isolated instances'
+
+    def handle(self, *args, **kwargs):
+        if getattr(settings, 'AWX_ISOLATED_PRIVATE_KEY', False):
+            print settings.AWX_ISOLATED_PUBLIC_KEY
+            sys.exit(1)
+
+        key = rsa.generate_private_key(
+            public_exponent=65537,
+            key_size=4096,
+            backend=default_backend()
+        )
+        Setting.objects.create(
+            key='AWX_ISOLATED_PRIVATE_KEY',
+            value=key.private_bytes(
+                encoding=serialization.Encoding.PEM,
+                format=serialization.PrivateFormat.TraditionalOpenSSL,
+                encryption_algorithm=serialization.NoEncryption()
+            )
+        ).save()
+        pemfile = Setting.objects.create(
+            key='AWX_ISOLATED_PUBLIC_KEY',
+            value=key.public_key().public_bytes(
+                encoding=serialization.Encoding.OpenSSH,
+                format=serialization.PublicFormat.OpenSSH
+            ) + " generated-by-awx@%s" % datetime.datetime.utcnow().isoformat()
+        )
+        pemfile.save()
+        print pemfile.value