{
    "info": {
        "author": "OpenStack Security Group",
        "author_email": "openstack-dev@lists.openstack.org",
        "bugtrack_url": null,
        "classifiers": [
            "Environment :: OpenStack",
            "Intended Audience :: Developers",
            "Intended Audience :: Information Technology",
            "Intended Audience :: System Administrators",
            "License :: OSI Approved :: Apache Software License",
            "Operating System :: MacOS :: MacOS X",
            "Operating System :: POSIX :: Linux",
            "Programming Language :: Python",
            "Programming Language :: Python :: 2",
            "Programming Language :: Python :: 2.7",
            "Programming Language :: Python :: 3",
            "Programming Language :: Python :: 3.4",
            "Topic :: Security"
        ],
        "description": "Anchor\n======\n\n.. image:: https://img.shields.io/pypi/v/anchor.svg\n    :target: https://pypi.python.org/pypi/anchor/\n    :alt: Latest Version\n\n.. image:: https://img.shields.io/pypi/pyversions/anchor.svg\n    :target: https://pypi.python.org/pypi/anchor/\n    :alt: Python Versions\n\n.. image:: https://img.shields.io/pypi/format/anchor.svg\n    :target: https://pypi.python.org/pypi/anchor/\n    :alt: Format\n\n.. image:: https://img.shields.io/badge/license-Apache%202-blue.svg\n    :target: https://git.openstack.org/cgit/openstack/anchor/plain/LICENSE\n    :alt: License\n\nAnchor is an ephemeral PKI service that, based on certain conditions,\nautomates the verification of CSRs and signs certificates for clients.\nThe validity period can be set in the config file with hour resolution.\n\nIdeas behind Anchor\n===================\n\nA critical capability within PKI is to revoke a certificate - to ensure\nthat it is no longer trusted by any peer. Unfortunately research has\ndemonstrated that the two typical methods of revocation (Certificate\nRevocation Lists and Online Certificate Status Protocol) both have\nfailings that make them unreliable, especially when attempting to\nleverage PKI outside of web-browser software.\n\nThrough the use of short-lifetime certificates Anchor introduces the\nconcept of \"passive revocation\". By issuing certificates with lifetimes\nmeasured in hours, revocation can be achieved by simply not re-issuing\ncertificates to clients.\n\nThe benefits of using Anchor instead of manual long-term certificates\nare:\n\n* quick certificate revoking / rotation\n* always tested certificate update mechanism (used daily)\n* easy integration with certmonger for service restarting\n* certificates are signed only when validation is passed\n* signing certificates follows consistent process\n\nInstallation\n============\n\nIn order to install Anchor from source, the following system\ndependencies need to be present:\n\n* python 2.7\n* python (dev files)\n* libffi (dev)\n* libssl (dev)\n\nWhen everything is in place, Anchor can be installed in one of three\nways: a local development instance in a python virtual environment, a local\nproduction instance or a test instance in a docker container.\n\nFor a development instance with virtualenv, run:\n\n    virtualenv .venv && source .venv/bin/activate && pip install .\n\nFor installing in production, either install a perpared system package,\nor install globally in the system:\n\n    python setup.py install\n\nRunning the service\n===================\n\nIn order to run the service, it needs to be started via the `pecan`\napplication server. The only extra parameter is a config file:\n\n    pecan serve config.py\n\nFor development, an additional `--reload` parameter may be used. It will\ncause the service to reload every time a source file is changed, however\nit requires installing an additional `watchdog` python module.\n\nIn the default configuration, Anchor will wait for web requests on port\n5016 on local network interface. This can be adjusted in the `config.py`\nfile.\n\nPreparing a test environment\n============================\n\nIn order to test Anchor with the default configuration, the following\ncan be done to create a test CA. The test certificate can be then used\nto sign the new certificates.\n\n    openssl req -out CA/root-ca.crt -keyout CA/root-ca-unwrapped.key \\\n        -newkey rsa:4096 -subj \"/CN=Anchor Test CA\" -nodes -x509 -days 365\n    chmod 0400 CA/root-ca-unwrapped.key\n\nNext, a new certificate request may be generated:\n\n    openssl req -out anchor-test.example.com.csr -nodes \\\n        -keyout anchor-test.example.com.key -newkey rsa:2048 \\\n        -subj \"/CN=anchor-test.example.com\"\n\nThat reqest can be submitted using curl (while `pecan serve config.py`\nis running):\n\n    curl http://0.0.0.0:5016/v1/sign/default -F user='myusername' \\\n        -F secret='simplepassword' -F encoding=pem \\\n        -F 'csr=<anchor-test.example.com.csr'\n\nThis will result in the signed request being created in the `certs`\ndirectory.\n\nDocker test environment\n=======================\nWe have provided a Dockerfile that can be used to build a container that\nwill run anchor\n\nThese instructions expect the reader to have a working Docker install\nalready. Docker should *not* be used to serve Anchor in any production\nenvironments.\n\nAssuming you are already in the anchor directory, build a container\ncalled 'anchor' that runs the anchor service, with any local changes\nthat have been made in the repo:\n\n    docker build -t anchor .\n\nTo start the service in the container and serve Anchor on port 5016:\n\n    docker run -p 5016:5016 anchor\n\nThe anchor application should be accessible on port 5016. If you are\nrunning docker natively on Linux, that will be 5016 on localhost\n(127.0.0.1). If you are running docker under Microsoft Windows or Apple\nOSX it will be running in a docker machine. To find the docker machine\nIP address run:\n\n    docker-machine ip default\n\nRunning Anchor in production\n============================\n\nAnchor shouldn't be exposed directly to the network. It's running via an\napplication server (Pecan) and doesn't have all the features you'd\nnormally expect from a http proxy - for example dealing well with\ndeliberately slow connections, or using multiple workers. Anchor can\nhowever be run in production using a better frontend.\n\nTo run Anchor using uwsgi you can use the following command:\n\n    uwsgi --http-socket :5016 --venv path/to/venv --pecan config.py -p 4\n\nIn case a more complex scripted configuration is needed, for example to\nhandle custom headers, rate limiting, or source filtering a complete\nHTTP proxy like Nginx may be needed. This is however out of scope for\nAnchor project. You can read more about production deployment in\n[Pecan documentation](http://pecan.readthedocs.org/en/latest/deployment.html).\n\nAdditionally, using an AppArmor profile for Anchor is a good idea to\nprevent exploits relying on one of the native libraries used by Anchor\n(for example OpenSSL). This can be done with sample profiles which you\ncan find in the `tools/apparmor.anchor_*` files. The used file needs to\nbe reviewed and updated with the right paths depending on the deployment\nlocation.\n\nValidators\n==========\n\nOne of the main features of Anchor are the validators which make sure\nthat all requests match a given set of rules. They're configured in\n`config.json` and the sample configuration includes a few of them.\n\nEach validator takes a dictionary of options which provide the specific\nmatching conditions.\n\nCurrently available validators are:\n\n* `common_name` ensures CN matches one of names in `allowed_domains` or\nranges in `allowed_networks`\n\n* `alternative_names` ensures alternative names match one of the names\nin `allowed_domains`\n\n* `alternative_names_ip` ensures alternative names match one of the\nnames in `allowed_domains` or IP ranges in `allowed_networks`\n\n* `blacklist_names` ensures CN and alternative names do not contain any\nof the configured `domains`\n\n* `server_group` ensures the group the requester is contained within\n  `group_prefixes`\n\n* `extensions` ensures only `allowed_extensions` are present in the\nrequest\n\n* `key_usage` ensures only `allowed_usage` is requested for the\ncertificate\n\n* `ca_status` ensures the request does/doesn't require the CA flag\n\n* `source_cidrs` ensures the request comes from one of the ranges in\n`cidrs`\n\nA configuration entry for a validator might look like one from the\nsample config:\n\n    \"key_usage\": {\n      \"allowed_usage\": [\n        \"Digital Signature\",\n        \"Key Encipherment\",\n        \"Non Repudiation\"\n      ]\n    }\n\nAuthentication\n==============\n\nAnchor can use one of the following authentication modules: static,\nkeystone, ldap.\n\nStatic: Username and password are present in `config.json`. This mode\nshould be used only for development and testing.\n\n  \"auth\": {\n    \"static\": {\n      \"secret\": \"simplepassword\",\n      \"user\": \"myusername\"\n    }\n  }\n\nKeystone: Username is ignored, but password is a token valid in the\nconfigured keystone location.\n\n  \"auth\": {\n    \"keystone\": {\n      \"url\": \"https://keystone.example.com\"\n    }\n  }\n\nLDAP: Username and password are used to bind to an LDAP user in a\nconfigured domain. User's groups for the `server_group` filter are\nretrieved from attribute `memberOf` in search for\n`(sAMAccountName=username@domain)`. The search is done in the configured\nbase.\n\n    \"auth\": {\n      \"ldap\": {\n        \"host\": \"ldap.example.com\",\n        \"base\": \"ou=Users,dc=example,dc=com\",\n        \"domain\": \"example.com\"\n        \"port\": 636,\n        \"ssl\": true\n      }\n    }\n\nSigning backends\n================\n\nAnchor allows the use of configurable signing backend. Currently it provides two\nimplementation: one based on cryptography.io (\"anchor\"), the other using PKCS#11\nlibraries (\"pkcs11\"). The first one is used in the sample config. Other backends\nmay have extra dependencies: pkcs11 requires the PyKCS11 module, not required by\nanchor by default.\n\nThe resulting certificate is stored locally if the `output_path` is set\nto any string. This does not depend on the configured backend.\n\nBackends can specify their own options - please refer to the backend\ndocumentation for the specific list. The default backend takes the\nfollowing options:\n\n* `cert_path`: path where local CA certificate can be found\n\n* `key_path`: path to the key for that certificate\n\n* `signing_hash`: which hash method to use when producing signatures\n\n* `valid_hours`: number of hours the signed certificates are valid for\n\nSample configuration for the default backend:\n\n    \"ca\": {\n      \"backend\": \"anchor\"\n      \"cert_path\": \"CA/root-ca.crt\",\n      \"key_path\": \"CA/root-ca-unwrapped.key\",\n      \"output_path\": \"certs\",\n      \"signing_hash\": \"sha256\",\n      \"valid_hours\": 24\n    }\n\nOther backends may be created too. For more information, please refer to the\ndocumentation.\n\nFixups\n======\n\nAnchor can modify the submitted CSRs in order to enforce some rules,\nremove deprecated elements, or just add information. Submitted CSR may\nbe modified or entirely redone. Fixup are loaded from \"anchor.fixups\"\nnamespace and can take parameters just like validators.\n\nReporting bugs and contributing\n===============================\n\nFor bug reporting and contributing, please check the CONTRIBUTING.rst\nfile.",
        "description_content_type": null,
        "docs_url": null,
        "download_url": null,
        "downloads": {
            "last_day": -1,
            "last_month": -1,
            "last_week": -1
        },
        "home_page": "https://wiki.openstack.org/wiki/Security/Projects/Anchor",
        "keywords": null,
        "license": null,
        "maintainer": null,
        "maintainer_email": null,
        "name": "anchor",
        "package_url": "https://pypi.org/project/anchor/",
        "platform": "UNKNOWN",
        "project_url": "https://pypi.org/project/anchor/",
        "project_urls": {
            "Homepage": "https://wiki.openstack.org/wiki/Security/Projects/Anchor"
        },
        "release_url": "https://pypi.org/project/anchor/0.4.0/",
        "requires_dist": [
            "Paste",
            "WebOb (>=1.2.3)",
            "cryptography (>=1.0)",
            "ldap3 (>=0.9.8.2)",
            "netaddr (>=0.7.12,!=0.7.16)",
            "oslo.config (>=3.7.0)",
            "oslo.messaging (>=4.0.0)",
            "oslo.utils (>=3.5.0)",
            "pecan (>=1.0.0)",
            "pyasn1",
            "pyasn1-modules",
            "pycadf (>=1.1.0,!=2.0.0)",
            "requests (>=2.8.1,!=2.9.0)",
            "stevedore (>=1.5.0)"
        ],
        "requires_python": null,
        "summary": "Webservice to auto-sign certificates for short amount of time",
        "version": "0.4.0"
    },
    "last_serial": 2017945,
    "releases": {
        "0.3": [],
        "0.4.0": [
            {
                "comment_text": "",
                "digests": {
                    "md5": "71dd6a2ea934b447afa17dc48af06aac",
                    "sha256": "64deb2a53eac826a4db3c65a669aec1b02d211bc7bf2433a4e9c09f3100c1fa0"
                },
                "downloads": -1,
                "filename": "anchor-0.4.0-py2-none-any.whl",
                "has_sig": false,
                "md5_digest": "71dd6a2ea934b447afa17dc48af06aac",
                "packagetype": "bdist_wheel",
                "python_version": "py2",
                "requires_python": null,
                "size": 86762,
                "upload_time": "2016-03-21T05:03:44",
                "url": "https://files.pythonhosted.org/packages/69/8c/5ab315c2d4490278ad71e08e5c970a8800c14269b8265b81eed30ed1cf94/anchor-0.4.0-py2-none-any.whl"
            },
            {
                "comment_text": "",
                "digests": {
                    "md5": "cf737657c31947560258be8b2d41d893",
                    "sha256": "4c51b20802028453289f5661c03bef65a66afaa9c9807445f9f4c4610cc8a8ea"
                },
                "downloads": -1,
                "filename": "anchor-0.4.0.tar.gz",
                "has_sig": false,
                "md5_digest": "cf737657c31947560258be8b2d41d893",
                "packagetype": "sdist",
                "python_version": "source",
                "requires_python": null,
                "size": 126312,
                "upload_time": "2016-03-21T05:03:51",
                "url": "https://files.pythonhosted.org/packages/ca/7d/4d4c7118756e2fa85b456dbd8f98f009aba8460439964bd83265e9c374a8/anchor-0.4.0.tar.gz"
            }
        ]
    },
    "urls": [
        {
            "comment_text": "",
            "digests": {
                "md5": "71dd6a2ea934b447afa17dc48af06aac",
                "sha256": "64deb2a53eac826a4db3c65a669aec1b02d211bc7bf2433a4e9c09f3100c1fa0"
            },
            "downloads": -1,
            "filename": "anchor-0.4.0-py2-none-any.whl",
            "has_sig": false,
            "md5_digest": "71dd6a2ea934b447afa17dc48af06aac",
            "packagetype": "bdist_wheel",
            "python_version": "py2",
            "requires_python": null,
            "size": 86762,
            "upload_time": "2016-03-21T05:03:44",
            "url": "https://files.pythonhosted.org/packages/69/8c/5ab315c2d4490278ad71e08e5c970a8800c14269b8265b81eed30ed1cf94/anchor-0.4.0-py2-none-any.whl"
        },
        {
            "comment_text": "",
            "digests": {
                "md5": "cf737657c31947560258be8b2d41d893",
                "sha256": "4c51b20802028453289f5661c03bef65a66afaa9c9807445f9f4c4610cc8a8ea"
            },
            "downloads": -1,
            "filename": "anchor-0.4.0.tar.gz",
            "has_sig": false,
            "md5_digest": "cf737657c31947560258be8b2d41d893",
            "packagetype": "sdist",
            "python_version": "source",
            "requires_python": null,
            "size": 126312,
            "upload_time": "2016-03-21T05:03:51",
            "url": "https://files.pythonhosted.org/packages/ca/7d/4d4c7118756e2fa85b456dbd8f98f009aba8460439964bd83265e9c374a8/anchor-0.4.0.tar.gz"
        }
    ]
}