Certificate generation and sync, implemented proper grant and revocation flows. Pubkey uploading. Added openssh-client to Dockerfile

app/apps/keys/admin.py

@@ -8,7 +8,7 @@ except ImportError:  # Fallback for older Unfold builds without guardian admin s
     class GuardedModelAdmin(GuardianGuardedModelAdmin, UnfoldModelAdmin):
         pass
 
-from .models import SSHKey
+from .models import SSHCertificate, SSHCertificateAuthority, SSHKey
 
 
 @admin.register(SSHKey)
@@ -17,3 +17,21 @@ class SSHKeyAdmin(GuardedModelAdmin):
     list_filter = ("is_active", "key_type")
     search_fields = ("name", "user__username", "user__email", "fingerprint")
     ordering = ("-created_at",)
+
+
+@admin.register(SSHCertificateAuthority)
+class SSHCertificateAuthorityAdmin(admin.ModelAdmin):
+    list_display = ("name", "fingerprint", "is_active", "created_at", "revoked_at")
+    list_filter = ("is_active",)
+    search_fields = ("name", "fingerprint")
+    readonly_fields = ("created_at", "revoked_at", "fingerprint", "public_key", "private_key")
+    ordering = ("-created_at",)
+
+
+@admin.register(SSHCertificate)
+class SSHCertificateAdmin(admin.ModelAdmin):
+    list_display = ("id", "user", "key", "serial", "is_active", "valid_before", "created_at")
+    list_filter = ("is_active",)
+    search_fields = ("user__username", "user__email", "serial")
+    readonly_fields = ("created_at", "revoked_at", "certificate")
+    ordering = ("-created_at",)

app/apps/keys/certificates.py

@@ -0,0 +1,148 @@
+from __future__ import annotations
+
+import os
+import re
+import secrets
+import subprocess
+import tempfile
+from datetime import timedelta
+
+from django.conf import settings
+from django.utils import timezone
+
+from .models import SSHCertificate, SSHCertificateAuthority, SSHKey
+from .utils import render_system_username
+
+
+def get_active_ca(created_by=None) -> SSHCertificateAuthority:
+    ca = (
+        SSHCertificateAuthority.objects.filter(is_active=True, revoked_at__isnull=True)
+        .order_by("-created_at")
+        .first()
+    )
+    if not ca:
+        ca = SSHCertificateAuthority(created_by=created_by)
+    ca.ensure_material()
+    ca.save()
+    return ca
+
+
+def issue_certificate_for_key(key: SSHKey, created_by=None) -> SSHCertificate:
+    if not key or not key.user_id:
+        raise ValueError("key must have a user")
+    ca = get_active_ca(created_by=created_by)
+    principal = render_system_username(key.user.username, key.user_id)
+    now = timezone.now()
+    valid_before = now + timedelta(days=settings.KEYWARDEN_USER_CERT_VALIDITY_DAYS)
+    serial = secrets.randbits(63)
+    safe_name = _sanitize_label(key.name or "key")
+    identity = f"keywarden-cert-{key.user_id}-{safe_name}-{key.id}"
+    cert_text = _sign_public_key(
+        ca_private_key=ca.private_key,
+        ca_public_key=ca.public_key,
+        public_key=key.public_key,
+        identity=identity,
+        principal=principal,
+        serial=serial,
+        validity_days=settings.KEYWARDEN_USER_CERT_VALIDITY_DAYS,
+        comment=identity,
+    )
+    cert, _ = SSHCertificate.objects.update_or_create(
+        key=key,
+        defaults={
+            "user": key.user,
+            "certificate": cert_text,
+            "serial": serial,
+            "principals": [principal],
+            "valid_after": now,
+            "valid_before": valid_before,
+            "revoked_at": None,
+            "is_active": True,
+        },
+    )
+    return cert
+
+
+def revoke_certificate_for_key(key: SSHKey) -> None:
+    if not key:
+        return
+    try:
+        cert = key.certificate
+    except SSHCertificate.DoesNotExist:
+        return
+    cert.revoke()
+    cert.save(update_fields=["is_active", "revoked_at"])
+
+
+def _sign_public_key(
+    ca_private_key: str,
+    ca_public_key: str,
+    public_key: str,
+    identity: str,
+    principal: str,
+    serial: int,
+    validity_days: int,
+    comment: str,
+) -> str:
+    if not ca_private_key or not ca_public_key:
+        raise RuntimeError("CA material missing")
+    with tempfile.TemporaryDirectory() as tmpdir:
+        ca_path = os.path.join(tmpdir, "user_ca")
+        pubkey_path = os.path.join(tmpdir, "user.pub")
+        _write_file(ca_path, ca_private_key, 0o600)
+        _write_file(ca_path + ".pub", ca_public_key.strip() + "\n", 0o644)
+        pubkey_with_comment = _ensure_comment(public_key, comment)
+        _write_file(pubkey_path, pubkey_with_comment + "\n", 0o644)
+        cmd = [
+            "ssh-keygen",
+            "-s",
+            ca_path,
+            "-I",
+            identity,
+            "-n",
+            principal,
+            "-V",
+            f"+{validity_days}d",
+            "-z",
+            str(serial),
+            pubkey_path,
+        ]
+        try:
+            result = subprocess.run(cmd, check=True, capture_output=True)
+        except FileNotFoundError as exc:
+            raise RuntimeError("ssh-keygen not available") from exc
+        except subprocess.CalledProcessError as exc:
+            raise RuntimeError(f"ssh-keygen failed: {exc.stderr.decode('utf-8', 'ignore')}") from exc
+        cert_path = pubkey_path
+        if cert_path.endswith(".pub"):
+            cert_path = cert_path[: -len(".pub")]
+        cert_path += "-cert.pub"
+        if not os.path.exists(cert_path):
+            stderr = result.stderr.decode("utf-8", "ignore")
+            raise RuntimeError(f"ssh-keygen output missing: {cert_path} {stderr}")
+    with open(cert_path, "r", encoding="utf-8") as handle:
+        return handle.read().strip()
+
+
+def _ensure_comment(public_key: str, comment: str) -> str:
+    parts = (public_key or "").strip().split()
+    if len(parts) < 2:
+        return public_key.strip()
+    key_type, key_b64 = parts[0], parts[1]
+    if not comment:
+        return f"{key_type} {key_b64}"
+    return f"{key_type} {key_b64} {comment}"
+
+
+def _sanitize_label(value: str) -> str:
+    cleaned = re.sub(r"[^a-zA-Z0-9_-]+", "-", (value or "").strip())
+    cleaned = cleaned.strip("-_")
+    if cleaned:
+        return cleaned.lower()
+    return "key"
+
+
+def _write_file(path: str, data: str, mode: int) -> None:
+    with open(path, "w", encoding="utf-8") as handle:
+        handle.write(data)
+    os.chmod(path, mode)

app/apps/keys/migrations/0002_ssh_certificates.py

@@ -0,0 +1,86 @@
+from django.conf import settings
+from django.db import migrations, models
+import django.db.models.deletion
+import django.utils.timezone
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("keys", "0001_initial"),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="SSHCertificateAuthority",
+            fields=[
+                ("id", models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name="ID")),
+                ("name", models.CharField(default="Keywarden User SSH CA", max_length=128)),
+                ("public_key", models.TextField(blank=True)),
+                ("private_key", models.TextField(blank=True)),
+                ("fingerprint", models.CharField(blank=True, max_length=128)),
+                ("created_at", models.DateTimeField(default=django.utils.timezone.now, editable=False)),
+                ("revoked_at", models.DateTimeField(blank=True, null=True)),
+                ("is_active", models.BooleanField(db_index=True, default=True)),
+                (
+                    "created_by",
+                    models.ForeignKey(
+                        blank=True,
+                        null=True,
+                        on_delete=django.db.models.deletion.SET_NULL,
+                        related_name="ssh_certificate_authorities",
+                        to=settings.AUTH_USER_MODEL,
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "SSH certificate authority",
+                "verbose_name_plural": "SSH certificate authorities",
+                "ordering": ["-created_at"],
+            },
+        ),
+        migrations.CreateModel(
+            name="SSHCertificate",
+            fields=[
+                ("id", models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name="ID")),
+                ("certificate", models.TextField()),
+                ("serial", models.BigIntegerField()),
+                ("principals", models.JSONField(blank=True, default=list)),
+                ("valid_after", models.DateTimeField()),
+                ("valid_before", models.DateTimeField()),
+                ("created_at", models.DateTimeField(default=django.utils.timezone.now, editable=False)),
+                ("revoked_at", models.DateTimeField(blank=True, null=True)),
+                ("is_active", models.BooleanField(db_index=True, default=True)),
+                (
+                    "key",
+                    models.OneToOneField(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name="certificate",
+                        to="keys.sshkey",
+                    ),
+                ),
+                (
+                    "user",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name="ssh_certificates",
+                        to=settings.AUTH_USER_MODEL,
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "SSH certificate",
+                "verbose_name_plural": "SSH certificates",
+                "ordering": ["-created_at"],
+            },
+        ),
+        migrations.AddIndex(
+            model_name="sshcertificate",
+            index=models.Index(fields=["user", "is_active"], name="keys_cert_user_active_idx"),
+        ),
+        migrations.AddIndex(
+            model_name="sshcertificate",
+            index=models.Index(fields=["valid_before"], name="keys_cert_valid_before_idx"),
+        ),
+    ]

app/apps/keys/models.py

@@ -3,6 +3,9 @@ from __future__ import annotations
 import base64
 import binascii
 import hashlib
+import os
+import subprocess
+import tempfile
 
 from django.conf import settings
 from django.core.exceptions import ValidationError
@@ -61,6 +64,107 @@ class SSHKey(models.Model):
     def revoke(self) -> None:
         self.is_active = False
         self.revoked_at = timezone.now()
+        try:
+            cert = self.certificate
+        except SSHCertificate.DoesNotExist:
+            return
+        cert.revoke()
+        cert.save(update_fields=["is_active", "revoked_at"])
 
     def __str__(self) -> str:
         return f"{self.name} ({self.user_id})"
+
+
+class SSHCertificateAuthority(models.Model):
+    name = models.CharField(max_length=128, default="Keywarden User SSH CA")
+    public_key = models.TextField(blank=True)
+    private_key = models.TextField(blank=True)
+    fingerprint = models.CharField(max_length=128, blank=True)
+    created_at = models.DateTimeField(default=timezone.now, editable=False)
+    revoked_at = models.DateTimeField(null=True, blank=True)
+    is_active = models.BooleanField(default=True, db_index=True)
+    created_by = models.ForeignKey(
+        settings.AUTH_USER_MODEL,
+        null=True,
+        blank=True,
+        on_delete=models.SET_NULL,
+        related_name="ssh_certificate_authorities",
+    )
+
+    class Meta:
+        verbose_name = "SSH certificate authority"
+        verbose_name_plural = "SSH certificate authorities"
+        ordering = ["-created_at"]
+
+    def __str__(self) -> str:
+        status = "active" if self.is_active and not self.revoked_at else "revoked"
+        return f"{self.name} ({status})"
+
+    def revoke(self) -> None:
+        self.is_active = False
+        self.revoked_at = timezone.now()
+
+    def ensure_material(self) -> None:
+        if self.public_key and self.private_key:
+            if not self.fingerprint:
+                _, _, fingerprint = parse_public_key(self.public_key)
+                self.fingerprint = fingerprint
+            return
+        with tempfile.TemporaryDirectory() as tmpdir:
+            key_path = os.path.join(tmpdir, "keywarden_user_ca")
+            cmd = [
+                "ssh-keygen",
+                "-t",
+                "ed25519",
+                "-f",
+                key_path,
+                "-C",
+                self.name,
+                "-N",
+                "",
+            ]
+            try:
+                subprocess.run(cmd, check=True, capture_output=True)
+            except FileNotFoundError as exc:
+                raise RuntimeError("ssh-keygen not available") from exc
+            except subprocess.CalledProcessError as exc:
+                raise RuntimeError(f"ssh-keygen failed: {exc.stderr.decode('utf-8', 'ignore')}") from exc
+            with open(key_path, "r", encoding="utf-8") as handle:
+                self.private_key = handle.read()
+            with open(key_path + ".pub", "r", encoding="utf-8") as handle:
+                self.public_key = handle.read().strip()
+        _, _, fingerprint = parse_public_key(self.public_key)
+        self.fingerprint = fingerprint
+
+
+class SSHCertificate(models.Model):
+    key = models.OneToOneField(
+        SSHKey, on_delete=models.CASCADE, related_name="certificate"
+    )
+    user = models.ForeignKey(
+        settings.AUTH_USER_MODEL, on_delete=models.CASCADE, related_name="ssh_certificates"
+    )
+    certificate = models.TextField()
+    serial = models.BigIntegerField()
+    principals = models.JSONField(default=list, blank=True)
+    valid_after = models.DateTimeField()
+    valid_before = models.DateTimeField()
+    created_at = models.DateTimeField(default=timezone.now, editable=False)
+    revoked_at = models.DateTimeField(null=True, blank=True)
+    is_active = models.BooleanField(default=True, db_index=True)
+
+    class Meta:
+        verbose_name = "SSH certificate"
+        verbose_name_plural = "SSH certificates"
+        indexes = [
+            models.Index(fields=["user", "is_active"], name="keys_cert_user_active_idx"),
+            models.Index(fields=["valid_before"], name="keys_cert_valid_before_idx"),
+        ]
+        ordering = ["-created_at"]
+
+    def revoke(self) -> None:
+        self.is_active = False
+        self.revoked_at = timezone.now()
+
+    def __str__(self) -> str:
+        return f"{self.user_id} ({self.serial})"

app/apps/keys/utils.py

@@ -0,0 +1,29 @@
+from __future__ import annotations
+
+import re
+
+from django.conf import settings
+
+MAX_USERNAME_LEN = 32
+_SANITIZE_RE = re.compile(r"[^a-z0-9_-]")
+
+
+def render_system_username(username: str, user_id: int) -> str:
+    template = settings.KEYWARDEN_ACCOUNT_USERNAME_TEMPLATE
+    raw = template.replace("{{username}}", username or "")
+    raw = raw.replace("{{user_id}}", str(user_id))
+    cleaned = sanitize_username(raw)
+    if len(cleaned) > MAX_USERNAME_LEN:
+        cleaned = cleaned[:MAX_USERNAME_LEN]
+    if cleaned:
+        return cleaned
+    return f"kw_{user_id}"
+
+
+def sanitize_username(raw: str) -> str:
+    raw = (raw or "").lower()
+    raw = _SANITIZE_RE.sub("_", raw)
+    raw = raw.strip("-_")
+    if raw.startswith("-"):
+        return "kw" + raw
+    return raw