import errno
import tempfile
import requests
-from OpenSSL import crypto, SSL
from mgr_module import MgrModule, Option, CLIWriteCommand
import orchestrator
+from mgr_util import verify_tls_files, ServerConfigException
from .ansible_runner_svc import Client, PlayBookExecution, ExecutionStatusCode,\
AnsibleRunnerServiceError
configure properly the orchestrator
"""
- the_crt = None
- the_key = None
-
# Retrieve TLS content to use and check them
# First try to get certiticate and key content for this manager instance
# ex: mgr/ansible/mgr0/[crt/key]
self.client_cert_fname = generate_temp_file("crt", the_crt)
self.client_key_fname = generate_temp_file("key", the_key)
- self.status_message = verify_tls_files(self.client_cert_fname,
- self.client_key_fname)
+ try:
+ verify_tls_files(self.client_cert_fname, self.client_key_fname)
+ except ServerConfigException as e:
+ self.status_message = str(e)
if self.status_message:
self.log.error(self.status_message)
return fname
-def verify_tls_files(crt_file, key_file):
- """Basic checks for TLS certificate and key files
-
- :crt_file : Name of the certificate file
- :key_file : name of the certificate public key file
-
- :returns : String with error description
- """
- # Check we have files
- if not crt_file or not key_file:
- return "no certificate/key configured"
-
- if not os.path.isfile(crt_file):
- return "certificate {} does not exist".format(crt_file)
-
- if not os.path.isfile(key_file):
- return "Public key {} does not exist".format(key_file)
-
- # Do some validations to the private key and certificate:
- # - Check the type and format
- # - Check the certificate expiration date
- # - Check the consistency of the private key
- # - Check that the private key and certificate match up
- try:
- with open(crt_file) as fcrt:
- x509 = crypto.load_certificate(crypto.FILETYPE_PEM, fcrt.read())
- if x509.has_expired():
- return "Certificate {} has been expired".format(crt_file)
- except (ValueError, crypto.Error) as ex:
- return "Invalid certificate {}: {}".format(crt_file, str(ex))
- try:
- with open(key_file) as fkey:
- pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, fkey.read())
- pkey.check()
- except (ValueError, crypto.Error) as ex:
- return "Invalid private key {}: {}".format(key_file, str(ex))
- try:
- context = SSL.Context(SSL.TLSv1_METHOD)
- context.use_certificate_file(crt_file, crypto.FILETYPE_PEM)
- context.use_privatekey_file(key_file, crypto.FILETYPE_PEM)
- context.check_privatekey()
- except crypto.Error as ex:
- return "Private key {} and certificate {} do not match up: {}".format(
- key_file, crt_file, str(ex))
-
- # Everything OK
- return ""
import threading
import time
from uuid import uuid4
-from OpenSSL import crypto, SSL
+from OpenSSL import crypto
from mgr_module import MgrModule, MgrStandbyModule, Option, CLIWriteCommand
-from mgr_util import get_default_addr
+from mgr_util import get_default_addr, ServerConfigException, verify_tls_files
try:
import cherrypy
os._exit = os_exit_noop
-class ServerConfigException(Exception):
- pass
-
-
class CherryPyConfig(object):
"""
Class for common server configuration done by both active and
else:
pkey_fname = self.get_localized_module_option('key_file')
- if not cert_fname or not pkey_fname:
- raise ServerConfigException('no certificate configured')
- if not os.path.isfile(cert_fname):
- raise ServerConfigException('certificate %s does not exist' % cert_fname)
- if not os.path.isfile(pkey_fname):
- raise ServerConfigException('private key %s does not exist' % pkey_fname)
-
- # Do some validations to the private key and certificate:
- # - Check the type and format
- # - Check the certificate expiration date
- # - Check the consistency of the private key
- # - Check that the private key and certificate match up
- try:
- with open(cert_fname) as f:
- x509 = crypto.load_certificate(crypto.FILETYPE_PEM, f.read())
- if x509.has_expired():
- self.log.warning(
- 'Certificate {} has been expired'.format(cert_fname))
- except (ValueError, crypto.Error) as e:
- raise ServerConfigException(
- 'Invalid certificate {}: {}'.format(cert_fname, str(e)))
- try:
- with open(pkey_fname) as f:
- pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, f.read())
- pkey.check()
- except (ValueError, crypto.Error) as e:
- raise ServerConfigException(
- 'Invalid private key {}: {}'.format(pkey_fname, str(e)))
- try:
- context = SSL.Context(SSL.TLSv1_METHOD)
- context.use_certificate_file(cert_fname, crypto.FILETYPE_PEM)
- context.use_privatekey_file(pkey_fname, crypto.FILETYPE_PEM)
- context.check_privatekey()
- except crypto.Error as e:
- self.log.warning(
- 'Private key {} and certificate {} do not match up: {}'.format(
- pkey_fname, cert_fname, str(e)))
+ verify_tls_files(cert_fname, pkey_fname)
config['server.ssl_module'] = 'builtin'
config['server.ssl_certificate'] = cert_fname
import contextlib
+import os
import socket
+import logging
(
BLACK,
BOLD_SEQ = "\033[1m"
UNDERLINE_SEQ = "\033[4m"
+logger = logging.getLogger(__name__)
+
def colorize(msg, color, dark=False):
"""
get_default_addr.result = result
return result
+
+class ServerConfigException(Exception):
+ pass
+
+
+def verify_tls_files(cert_fname, pkey_fname):
+ """Basic checks for TLS certificate and key files
+
+ Do some validations to the private key and certificate:
+ - Check the type and format
+ - Check the certificate expiration date
+ - Check the consistency of the private key
+ - Check that the private key and certificate match up
+
+ :param cert_fname: Name of the certificate file
+ :param pkey_fname: name of the certificate public key file
+
+ :raises ServerConfigException: An error with a message
+
+ """
+
+ if not cert_fname or not pkey_fname:
+ raise ServerConfigException('no certificate configured')
+ if not os.path.isfile(cert_fname):
+ raise ServerConfigException('certificate %s does not exist' % cert_fname)
+ if not os.path.isfile(pkey_fname):
+ raise ServerConfigException('private key %s does not exist' % pkey_fname)
+
+ from OpenSSL import crypto, SSL
+ try:
+ with open(cert_fname) as f:
+ x509 = crypto.load_certificate(crypto.FILETYPE_PEM, f.read())
+ if x509.has_expired():
+ logger.warning(
+ 'Certificate {} has been expired'.format(cert_fname))
+ except (ValueError, crypto.Error) as e:
+ raise ServerConfigException(
+ 'Invalid certificate {}: {}'.format(cert_fname, str(e)))
+ try:
+ with open(pkey_fname) as f:
+ pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, f.read())
+ pkey.check()
+ except (ValueError, crypto.Error) as e:
+ raise ServerConfigException(
+ 'Invalid private key {}: {}'.format(pkey_fname, str(e)))
+ try:
+ context = SSL.Context(SSL.TLSv1_METHOD)
+ context.use_certificate_file(cert_fname, crypto.FILETYPE_PEM)
+ context.use_privatekey_file(pkey_fname, crypto.FILETYPE_PEM)
+ context.check_privatekey()
+ except crypto.Error as e:
+ logger.warning(
+ 'Private key {} and certificate {} do not match up: {}'.format(
+ pkey_fname, cert_fname, str(e)))
projects / ceph.git / commitdiff