integrateai
diff --git a/‎.circleci/config.yml
Lines changed: 106 additions & 0 deletions b/‎.circleci/config.yml
Lines changed: 106 additions & 0 deletions
diff --git a/‎.editorconfig
Lines changed: 25 additions & 0 deletions b/‎.editorconfig
Lines changed: 25 additions & 0 deletions
diff --git a/‎pykerberize/__init__.py b/‎pykerberize/__init__.py
diff --git a/‎pykerberize/pykerberize.py
Lines changed: 152 additions & 0 deletions b/‎pykerberize/pykerberize.py
Lines changed: 152 additions & 0 deletions
diff --git a/‎pykerberize/test/__init__.py
Lines changed: 1 addition & 0 deletions b/‎pykerberize/test/__init__.py
Lines changed: 1 addition & 0 deletions
diff --git a/‎pykerberize/test/test_pykerberize.py
Lines changed: 49 additions & 0 deletions b/‎pykerberize/test/test_pykerberize.py
Lines changed: 49 additions & 0 deletions
@@ -0,0 +1,106 @@
+version: 2
+jobs:
+  test:
+    docker:
+      - image: circleci/python:3.6.1
+    steps:
+      - checkout
+      - restore_cache:
+          keys:
+          - v1-dependencies-{{ checksum "requirements.txt" }}
+          - v1-dependencies-
+      - run:
+          name: Establish secure tunnel
+          command: |
+            SSH_PARAMS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ServerAliveInterval=10"
+            ssh $SSH_PARAMS -f -N -L 4443:python.internal.integrateai.net:443 ansible@ansible.integrateai.net
+      - run:
+          name: install dependencies
+          command: |
+            python3 -m venv venv
+            . venv/bin/activate
+            pip install -r requirements.txt --extra-index-url https://localhost:4443 --trusted-host localhost:4443
+      - save_cache:
+          paths:
+            - ./venv
+          key: v1-dependencies-{{ checksum "requirements.txt" }}
+      - run:
+          name: run tests
+          command: |
+            . venv/bin/activate
+            pytest
+
+  build-ami:
+    docker:
+      - image: circleci/python:3.6.1
+    steps:
+      - checkout
+      - restore_cache:
+          keys:
+          - v1-dependencies-{{ checksum "requirements.txt" }}
+          - v1-dependencies-
+      - run:
+          name: install dependencies
+          command: |
+            python3 -m venv venv
+            . venv/bin/activate
+            pip install awscli
+      - run:
+          name: Deploy and Build AMI
+          # Connect to Ansible and run deployment
+          command: |
+            SSH_PARAMS="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ServerAliveInterval=10"
+            ssh $SSH_PARAMS ansible@ansible.integrateai.net git -C ~ansible/deployment pull origin master
+            ssh $SSH_PARAMS ansible@ansible.integrateai.net << EOF
+              cd deployment
+              python3 deploy.py --direct model-registry $CIRCLE_TAG
+            EOF
+
+  deploy-to-s3:
+    docker:
+      - image: circleci/python:3.6.1
+    steps:
+      - checkout
+      - restore_cache:
+          keys:
+          - v1-dependencies-{{ checksum "requirements.txt" }}
+          - v1-dependencies-
+      - run:
+          name: install dependencies
+          command: |
+            python3 -m venv venv
+            . venv/bin/activate
+            pip install awscli
+      - run:
+          name: Deploy to S3
+          command: |
+            . venv/bin/activate
+            python3 setup.py sdist
+            aws s3 cp ~/project/dist/iai-model-registry-*.tar.gz s3://deployment.integrate.ai/python/iai-model-registry/
+
+workflows:
+  version: 2
+  test-and-deploy:
+    jobs:
+      - test:
+          filters:
+            tags:
+              only:
+                - /^beta-.*$/
+                - /^release-.*$/
+      - build-ami:
+          requires:
+            - test
+          filters:
+            tags:
+              only:
+                - /^beta-.*$/
+                - /^release-.*$/
+            branches:
+              ignore: /.*/
+      - deploy-to-s3:
+          requires:
+            - test
+          filters:
+            branches:
+              only: master
@@ -0,0 +1,25 @@
+root = true
+
+[*]
+indent_style = space
+indent_size = 4
+insert_final_newline = true
+trim_trailing_whitespace = true
+end_of_line = lf
+charset = utf-8
+
+[*.py]
+max_line_length = 120
+
+# Use 2 spaces for the HTML files
+[*.html]
+indent_size = 2
+
+# The JSON files contain newlines inconsistently
+[*.{json,yml}]
+indent_size = 2
+insert_final_newline = ignore
+
+# Makefiles always use tabs for indentation
+[Makefile]
+indent_style = tab
@@ -0,0 +1,152 @@
+## (c) 2018 integrate.ai
+## Helper module for use in EMR bootstrap actions and in 
+## Corporate Realm machines that require keytabs
+##
+## Assumes SSM parameters in region like:
+##
+##  <customer_identifier>-realm-name
+##  <customer_indentifier>-realm-principal
+##  <customer_identifier>-realm-principal-creds
+##
+##  see github.com/deployment/terraform/emr/<customer_identifier>/ssm.tf
+##
+##  If no customer identifier is passed, assumes:
+##  
+##  corp-iai-realm-name
+##  corp-iai-realm-principal
+##  corp-iai-realm-principal-creds
+##
+##  Machine EC2 role must have access to decryption key
+##  for these SSM Parameters in order to execute this 
+##  script successful. These keys are assumed, not checked
+##  for.
+##  
+##  see github.com/deployment/terraform/network/auth_services.tf
+##
+## Only one public method:
+##      create_host_principal_keytab( customer, keytabfilename )
+
+import logging
+import boto3
+import kadmin
+import socket
+
+
+## Creates or gets the Host Principal and then makes a new
+## keytab file using the keytabfilename parameter
+## throws an exception if the keytabfilename exists and 
+## contains an existing keytab
+def create_host_principal_keytab( customer, keytabfilename ):
+    return create_service_principal_keytab( customer, "host", keytabfilename)
+
+def create_service_principal_keytab( customer, service, keytabfilename ):
+    
+    result = False
+    realm = _get_realm_name( customer )
+    admin_principal_name = _get_realm_admin_princ_name(customer)
+    admin_cred = _get_realm_admin_princ_cred(customer)
+
+    kadm_sess = _get_kadm_session (admin_principal_name, admin_cred)
+    
+    srv_princ_name = _get_principal_name(realm, service)
+
+    if not _principal_exists(kadm_sess, srv_princ_name):
+        _create_principal(kadm_sess, srv_princ_name)
+    
+    srv_principal = _get_principal(kadm_sess, srv_princ_name)
+    
+    if srv_principal is not None:
+        result = _kadmin_ktadd(kadm_sess, srv_principal.principal, keytabfilename )
+        
+    logging.info("keytab file %s created", keytabfilename)
+    
+    return result;
+
+
+### get param values from SSM
+def _get_ssm_param_value ( param_name, decrypt_flag ):
+    ssmClient = boto3.client("ssm")
+    response = ssmClient.get_parameter(Name = param_name, WithDecryption = decrypt_flag );
+    
+    return  response["Parameter"]["Value"]
+
+## use socket.getfqdn to build host principal name
+def _get_principal_name(realm, prefix = None):
+    if prefix is None:
+        prefix = "host";
+
+    host_fqdn = socket.getfqdn()
+    return prefix + "/" + host_fqdn + "@" + realm
+
+## get kadm session
+def _get_kadm_session( user_name, user_cred ):
+    return kadmin.init_with_password(user_name, user_cred)
+
+## get realm from SSM key prefixed by iai_realm_name
+def _get_realm_name( customer = None ):
+    if customer is None:
+        customer = "corp-iai"
+
+    sparam = customer + "-realm-name"
+
+    return _get_ssm_param_value( sparam, True )
+
+## get realm admin name from SSM key prefixed by iai_realm_amdin_principal_ 
+## This does not need to be full admin - but should be able to create
+## principals, look up principals and export keys (so nearly a full admin)
+def _get_realm_admin_princ_name( customer = None ):
+    if customer is None:
+        customer = "corp-iai"
+
+    sparam = customer + "-realm-principal"
+
+    return _get_ssm_param_value( sparam, True )
+
+## get realm admin credential value - this is a password for now
+## but it could be a base64 keytab in the future
+def _get_realm_admin_princ_cred( customer = None ):
+    if customer is None:
+        customer = "corp-iai"
+
+    sparam = customer + "-realm-principal-creds"
+
+    return _get_ssm_param_value( sparam, True )
+
+## Returns the specifically named principal
+def _get_principal ( kadm_sess, principal_name ):
+    if kadm_sess is not None:
+        principal = kadm_sess.getprinc(principal_name)
+        return principal
+    else:
+        return None #TODO: Throw here!
+
+## Checks if the principal exists
+def _principal_exists( kadm_sess, principal_name ):
+    exists = False
+    if kadm_sess is not None:
+        exists = kadm_sess.principal_exists(principal_name)
+    
+    return exists
+
+## Creates principal - throws DuplicateError if principal exists
+def _create_principal( kadm_sess, princ_name ):
+    created = False
+    if kadm_sess is not None:
+        try:
+            created = kadm_sess.add_principal(princ_name, None)
+        except kadmin.DuplicateError:
+            created = True
+    
+    return created
+
+## Creates Keytab file - uses enhanced python-kadmin library
+## github.com/integrateai/python-kadmin
+##    forked from rjancewicz/python-kadmin 
+##    and enhanced with very based ktadd functionality
+##
+def _kadmin_ktadd( kadm_sess, princ_name, ktname ):
+    created = False
+    if kadm_sess is not None:
+        created = kadm_sess.ktadd(princ_name, ktname) 
+
+    return created
@@ -0,0 +1 @@
+
@@ -0,0 +1,49 @@
+from pykerberize import pykerberize
+
+def test_get_ssm_param_value( ):
+    assert pykerberize._get_ssm_param_value("corp-iai-domain-name", True) == "corp.integrateai.net"
+
+def test_get_host_principal_name( ):
+    assert pykerberize._get_principal_name("host","@CORP.INTEGRATEAI.NET") is not None
+
+def test_get_kadm_session( ):
+    assert pykerberize._get_kadm_session("admin@CORP.INTEGRATEAI.NET", "bordercollie") is not None
+
+def test_get_principal( ):
+    sess = pykerberize._get_kadm_session("admin@CORP.INTEGRATEAI.NET", "bordercollie")
+    assert sess is not None
+
+    principal = pykerberize._get_principal(sess, "host/test.corp.integrateai.net@CORP.INTEGRATEAI.NET")
+    assert principal is not None
+
+    principal = pykerberize._get_principal(sess, "madeup@CORP.INTEGRATEAI.NET")
+    assert principal is None
+
+def test_get_realm_name( ):
+    assert pykerberize._get_realm_name() is not None
+
+def test_principal_exists( ):
+    sess = pykerberize._get_kadm_session("admin@CORP.INTEGRATEAI.NET", "bordercollie")
+    assert sess is not None
+
+    exists = pykerberize._principal_exists(sess, "host/test.corp.integrateai.net@CORP.INTEGRATEAI.NET")
+    assert exists == True
+
+    exists = pykerberize._principal_exists(sess, "FakeId@CORP.INTEGRATEAI.NET")
+    assert exists == False
+
+def test_create_principal( ):
+    sess = pykerberize._get_kadm_session("admin@CORP.INTEGRATEAI.NET", "bordercollie")
+    assert sess is not None
+
+    created = pykerberize._create_principal(sess,"host/test.corp.integrateai.net@CORP.INTEGRATEAI.NET")
+    assert created == True
+
+def test_kadmin_ktadd( ):
+    sess = pykerberize._get_kadm_session("admin@CORP.INTEGRATEAI.NET", "bordercollie")
+    assert sess is not None
+
+    kt = pykerberize._kadmin_ktadd(sess, "host/test.corp.integrateai.net@CORP.INTEGRATEAI.NET", "FILE:/root/pytest.keytab")
+    assert kt 
+
+