Yedidyah Bar David has uploaded a new change for review. Change subject: packaging: setup: Use common code for remote engine pki ......................................................................
packaging: setup: Use common code for remote engine pki Change-Id: Ia7a549d09dc85293beba24327ea44ef1dcaf4a55 Require: TODO Signed-off-by: Yedidyah Bar David <d...@redhat.com> --- M packaging/setup/ovirt_engine_setup/reports/constants.py M packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-reports/pki/apache.py M packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-reports/pki/jboss.py 3 files changed, 83 insertions(+), 406 deletions(-) git pull ssh://gerrit.ovirt.org:29418/ovirt-reports refs/changes/24/33024/1 diff --git a/packaging/setup/ovirt_engine_setup/reports/constants.py b/packaging/setup/ovirt_engine_setup/reports/constants.py index e113838..567e5b6 100644 --- a/packaging/setup/ovirt_engine_setup/reports/constants.py +++ b/packaging/setup/ovirt_engine_setup/reports/constants.py @@ -394,9 +394,6 @@ LEGACY_REPORTS_WAR = 'OVESETUP_REPORTS_CONFIG/legacyReportsWar' KEY_SIZE = 'OVESETUP_REPORTS_CONFIG/keySize' - JBOSS_CERTIFICATE_CHAIN = 'OVESETUP_REPORTS_CONFIG/jbossCertificateChain' - APACHE_CERTIFICATE = 'OVESETUP_REPORTS_CONFIG/apacheCertificate' - APACHE_CA_CERTIFICATE = 'OVESETUP_REPORTS_CONFIG/apacheCACertificate' # Eventual public http/s ports - either apache or jboss # Commented 'internal use' in engine, perhaps it means they should not diff --git a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-reports/pki/apache.py b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-reports/pki/apache.py index 58508ba..cb89a72 100644 --- a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-reports/pki/apache.py +++ b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-reports/pki/apache.py @@ -21,8 +21,8 @@ import contextlib import os -import tempfile import urllib2 +import time import gettext 
@@ -41,6 +41,7 @@ from ovirt_engine_setup import constants as osetupcons +from ovirt_engine_setup import remote_engine from ovirt_engine_setup.engine_common import constants as oengcommcons from ovirt_engine_setup.reports import constants as oreportscons @@ -49,41 +50,17 @@ class Plugin(plugin.PluginBase): """apache pki plugin.""" - def _genReq(self): - - rsa = RSA.gen_key( - self.environment[oreportscons.ConfigEnv.KEY_SIZE], - 65537, - ) - rsapem = rsa.as_pem(cipher=None) - evp = EVP.PKey() - evp.assign_rsa(rsa) - rsa = None # should not be freed here - req = X509.Request() - req.set_pubkey(evp) - req.sign(evp, 'sha1') - return rsapem, req.as_pem(), req.get_pubkey().as_pem(cipher=None) - def __init__(self, context): super(Plugin, self).__init__(context=context) self._enabled = False - self._need_key = False - self._need_cert = False + self._enrolldata = None self._need_ca_cert = False - self._csr_file = None + self._apache_ca_cert = None @plugin.event( stage=plugin.Stages.STAGE_INIT, ) def _init(self): - self.environment.setdefault( - oreportscons.ConfigEnv.APACHE_CERTIFICATE, - None - ) - self.environment.setdefault( - oreportscons.ConfigEnv.APACHE_CA_CERTIFICATE, - None - ) self.environment.setdefault( oreportscons.ConfigEnv.PKI_APACHE_CSR_FILENAME, None 
@@ -123,130 +100,41 @@ ) if not engine_apache_pki_found: - self._need_cert = not os.path.exists( - oreportscons.FileLocations. - OVIRT_ENGINE_PKI_REPORTS_APACHE_CERT + self._enrolldata = remote_engine.EnrollRemoteEngine( + remote_engine=self.environment[osetupcons.CoreEnv.REMOTE_ENGINE], + engine_fqdn=self.environment[ + oreportscons.EngineConfigEnv.ENGINE_FQDN + ], + base_name=oreportscons.Const.PKI_REPORTS_APACHE_CERT_NAME, + base_touser=_('Apache'), + key_file=oreportscons.FileLocations. + OVIRT_ENGINE_PKI_REPORTS_APACHE_KEY, + cert_file=oreportscons.FileLocations. + OVIRT_ENGINE_PKI_REPORTS_APACHE_CERT, + csr_fname_envkey=oreportscons.ConfigEnv.PKI_APACHE_CSR_FILENAME, + engine_ca_cert_file=os.path.join( + oreportscons.FileLocations.OVIRT_ENGINE_PKIDIR, + 'ca.pem' + ), + engine_pki_requests_dir=oreportscons.FileLocations. + OVIRT_ENGINE_PKIREQUESTSDIR, + engine_pki_certs_dir=oreportscons.FileLocations. + OVIRT_ENGINE_PKICERTSDIR, + key_size=self.environment[oreportscons.ConfigEnv.KEY_SIZE], + url="http://www.ovirt.org/Features/Separate-Reports-Host", ) - self._need_key = not os.path.exists( - oreportscons.FileLocations. - OVIRT_ENGINE_PKI_REPORTS_APACHE_KEY - ) + self._enrolldata.enroll_cert() + self._need_ca_cert = not os.path.exists( oreportscons.FileLocations. 
OVIRT_ENGINE_PKI_REPORTS_APACHE_CA_CERT ) - if self._need_key: - self._key, req, my_pubk = self._genReq() - self._need_cert = True - - if ( - self._need_cert and - self.environment[ - oreportscons.ConfigEnv.APACHE_CERTIFICATE - ] is None - ): - csr_fname = self.environment[ - oreportscons.ConfigEnv.PKI_APACHE_CSR_FILENAME - ] - with ( - open(csr_fname, 'w') if csr_fname - else tempfile.NamedTemporaryFile(mode='w', delete=False) - ) as self._csr_file: - self._csr_file.write(req) - - remote_name = '{name}-{fqdn}'.format( - name=oreportscons.Const.PKI_REPORTS_APACHE_CERT_NAME, - fqdn=self.environment[osetupcons.ConfigEnv.FQDN], - ) - enroll_command = ( - " /usr/share/ovirt-engine/bin/pki-enroll-request.sh \\\n" - " --name={remote_name} \\\n" - " --subject=\"" - "$(openssl x509 -in {pkidir}/ca.pem -noout " - "-subject | sed 's;subject= \(/C=[^/]*/O=[^/]*\)/.*;\\1;')" - "/CN={fqdn}\"" - ).format( - remote_name=remote_name, - pkidir=oreportscons.FileLocations.OVIRT_ENGINE_PKIDIR, - fqdn=self.environment[osetupcons.ConfigEnv.FQDN], - ) - - self.dialog.note( - text=_( - "\nTo sign the Apache certificate on the engine server, " - "please:\n\n" - "1. Copy {tmpcsr} from here to {enginecsr} on the engine " - "server.\n\n" - "2. Run on the engine server:\n\n" - "{enroll_command}\n\n" - "3. Copy {enginecert} from the engine server to some file " - "here. Provide the file name below.\n\n" - "See {url} for more details, including using an external " - "certificate authority." - ).format( - tmpcsr=self._csr_file.name, - enginecsr='{pkireqdir}/{remote_name}.req'.format( - pkireqdir=oreportscons.FileLocations. - OVIRT_ENGINE_PKIREQUESTSDIR, - remote_name=remote_name, - ), - enroll_command=enroll_command, - enginecert='{pkicertdir}/{remote_name}.cer'.format( - pkicertdir=oreportscons.FileLocations. 
- OVIRT_ENGINE_PKICERTSDIR, - remote_name=remote_name, - ), - url="http://www.ovirt.org/Features/Separate-Reports-Host", - ), - ) - - goodcert = False - while not goodcert: - filename = self.dialog.queryString( - name='REPORTS_APACHE_CERT_FILENAME', - note=_( - '\nPlease input the location of the file where you ' - 'copied the signed certificate in step 3 above: ' - ), - prompt=True, - ) - try: - with open(filename) as f: - cert = f.read() - goodcert = my_pubk == X509.load_cert_string( - cert - ).get_pubkey().as_pem(cipher=None) - self.environment[ - oreportscons.ConfigEnv.APACHE_CERTIFICATE - ] = cert - if not goodcert: - self.logger.error( - _( - 'The certificate in {cert} does not match ' - 'the request in {req}. Please try again.' - ).format( - cert=filename, - req=self._csr_file.name, - ) - ) - except: - self.logger.error( - _( - 'Error while reading or parsing {cert}. ' - 'Please try again.' - ).format( - cert=filename, - ) - ) - self.logger.debug('Error reading cert', exc_info=True) - self.logger.info(_('Apache certificate read successfully')) - + tries_left = 30 while ( self._need_ca_cert and - self.environment[ - oreportscons.ConfigEnv.APACHE_CA_CERTIFICATE - ] is None + self._apache_ca_cert is None and + tries_left > 0 ): remote_engine_host = self.environment[ oreportscons.EngineConfigEnv.ENGINE_FQDN @@ -263,16 +151,19 @@ ) as urlObj: engine_ca_cert = urlObj.read() if engine_ca_cert: - self.environment[ - oreportscons.ConfigEnv.APACHE_CA_CERTIFICATE - ] = engine_ca_cert + self._apache_ca_cert = engine_ca_cert else: self.logger.error( _( 'Failed to get CA Certificate from engine. ' - 'Please try again.' + 'Please check access to the engine and its ' + 'status.' ) ) + time.sleep(10) + tries_left -= 1 + if self._need_ca_cert and self._apache_ca_cert is None: + raise RuntimeError(_('Failed to get CA Certificate from engine')) @plugin.event( stage=plugin.Stages.STAGE_MISC, 
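Review bot: The retry loop around the engine CA-certificate download (the `tries_left` condition added in this hunk, and the `time.sleep(10)`, `tries_left -= 1` and `RuntimeError` added in the following hunk) still accepts any non-empty response body as the CA certificate, and that body is what `_misc_pki` later writes to disk via a FileTransaction (`content=self._apache_ca_cert`). Before assigning `self._apache_ca_cert`, parse the body as a PEM X.509 certificate and treat a parse failure like an empty response, so the loop retries instead of installing a non-certificate as a trust anchor. With the indentation lost in this rendering it is not clear whether `time.sleep(10)` sits inside the `else:` branch or at loop-body level; in the latter case a successful fetch also pays a 10 s pause, so the sleep should be confined to the failure path. The literals 30 and 10 would read better as named module-level values, e.g. `_CA_CERT_RETRIES = 30` and `_CA_CERT_RETRY_DELAY = 10`. The enclosing `_customization` and the `with ... as urlObj:` block begin outside the hunk, so whether download exceptions are caught by the loop cannot be seen here.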
@@ -285,62 +176,23 @@ ), ) def _misc_pki(self): - uninstall_files = [] - self.environment[ - osetupcons.CoreEnv.REGISTER_UNINSTALL_GROUPS - ].createGroup( - group='ca_pki_reports', - description='Reports PKI keys', - optional=True, - ).addFiles( - group='ca_pki_reports', - fileList=uninstall_files, + self._enrolldata.add_to_transaction( + uninstall_group_name='ca_pki_reports', + uninstall_group_desc='Reports PKI keys', ) - if self._need_key: - self.environment[otopicons.CoreEnv.MAIN_TRANSACTION].append( - filetransaction.FileTransaction( - name=oreportscons.FileLocations. - OVIRT_ENGINE_PKI_REPORTS_APACHE_KEY, - mode=0o600, - owner=self.environment[osetupcons.SystemEnv.USER_ENGINE], - enforcePermissions=True, - content=self._key, - modifiedList=uninstall_files, - ) - ) - os.symlink( - oreportscons.FileLocations.OVIRT_ENGINE_PKI_REPORTS_APACHE_KEY, - oreportscons.FileLocations.OVIRT_ENGINE_PKI_APACHE_KEY - ) - uninstall_files.append( - oreportscons.FileLocations.OVIRT_ENGINE_PKI_APACHE_KEY - ) - - if self._need_cert: - self.environment[otopicons.CoreEnv.MAIN_TRANSACTION].append( - filetransaction.FileTransaction( - name=oreportscons.FileLocations. - OVIRT_ENGINE_PKI_REPORTS_APACHE_CERT, - mode=0o600, - owner=self.environment[osetupcons.SystemEnv.USER_ENGINE], - enforcePermissions=True, - content=self.environment[ - oreportscons.ConfigEnv.APACHE_CERTIFICATE - ], - modifiedList=uninstall_files, - ) - ) - os.symlink( - oreportscons.FileLocations. 
- OVIRT_ENGINE_PKI_REPORTS_APACHE_CERT, - oreportscons.FileLocations.OVIRT_ENGINE_PKI_APACHE_CERT - ) - uninstall_files.append( - oreportscons.FileLocations.OVIRT_ENGINE_PKI_APACHE_CERT - ) - if self._need_ca_cert: + uninstall_files = [] + self.environment[ + osetupcons.CoreEnv.REGISTER_UNINSTALL_GROUPS + ].createGroup( + group='ca_pki_reports', + description='Reports PKI keys', + optional=True, + ).addFiles( + group='ca_pki_reports', + fileList=uninstall_files, + ) self.environment[otopicons.CoreEnv.MAIN_TRANSACTION].append( filetransaction.FileTransaction( name=oreportscons.FileLocations. @@ -348,9 +200,7 @@ mode=0o600, owner=self.environment[osetupcons.SystemEnv.USER_ENGINE], enforcePermissions=True, - content=self.environment[ - oreportscons.ConfigEnv.APACHE_CA_CERTIFICATE - ], + content=self._apache_ca_cert, modifiedList=uninstall_files, ) ) @@ -367,15 +217,7 @@ stage=plugin.Stages.STAGE_CLEANUP, ) def _cleanup(self): - if self._csr_file is not None: - try: - os.unlink(self._csr_file.name) - except OSError as e: - self.logger.debug( - "Failed to delete '%s'", - self._csr_file.name, - exc_info=True, - ) + self._enrolldata.cleanup() # vim: expandtab tabstop=4 shiftwidth=4 diff --git a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-reports/pki/jboss.py b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-reports/pki/jboss.py index 74e9dfa..12199e0 100644 --- a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-reports/pki/jboss.py +++ b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-reports/pki/jboss.py @@ -20,16 +20,10 @@ import os -import tempfile import gettext _ = lambda m: gettext.dgettext(message=m, domain='ovirt-engine-reports') - - -from M2Crypto import X509 -from M2Crypto import EVP -from M2Crypto import RSA from otopi import constants as otopicons 
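Review bot: `self._enrolldata.add_to_transaction(...)` in `_misc_pki` and `self._enrolldata.cleanup()` in `_cleanup` dereference `_enrolldata` unconditionally, but apache.py only assigns it inside `if not engine_apache_pki_found:` in `_customization`, so on a host where the engine's Apache PKI is already present it stays `None` from `__init__` and both calls raise AttributeError — unless the event `condition=` (outside these hunks) already excludes that case. The removed `_cleanup` guarded its work with `if self._csr_file is not None:`; the equivalent `if self._enrolldata is not None: self._enrolldata.cleanup()` should be kept, and `add_to_transaction` in `_misc_pki` needs the same guard. jboss.py's `_cleanup` (last hunk of this change) has the same unguarded call; there `_enrolldata` is always created in `_customization`, but if that event can be skipped by its condition the STAGE_CLEANUP handler still runs and needs the guard too.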
@@ -39,6 +33,7 @@ from ovirt_engine_setup import constants as osetupcons +from ovirt_engine_setup import remote_engine from ovirt_engine_setup.engine_common import constants as oengcommcons from ovirt_engine_setup.reports import constants as oreportscons @@ -47,37 +42,15 @@ class Plugin(plugin.PluginBase): """jboss pki plugin.""" - def _genReq(self): - - rsa = RSA.gen_key( - self.environment[oreportscons.ConfigEnv.KEY_SIZE], - 65537, - ) - rsapem = rsa.as_pem(cipher=None) - evp = EVP.PKey() - evp.assign_rsa(rsa) - rsa = None # should not be freed here - req = X509.Request() - req.set_pubkey(evp) - req.sign(evp, 'sha1') - return rsapem, req.as_pem(), req.get_pubkey().as_pem(cipher=None) - def __init__(self, context): super(Plugin, self).__init__(context=context) self._enabled = False - self._need_key = False - self._need_cert = False - self._on_separate_h = False - self._csr_file = None + self._enrolldata = None @plugin.event( stage=plugin.Stages.STAGE_INIT, ) def _init(self): - self.environment.setdefault( - oreportscons.ConfigEnv.JBOSS_CERTIFICATE_CHAIN, - None - ) self.environment.setdefault( oreportscons.ConfigEnv.PKI_JBOSS_CSR_FILENAME, None 
@@ -105,122 +78,30 @@ ) def _customization(self): self._enabled = True - - self._need_cert = not os.path.exists( - oreportscons.FileLocations. - OVIRT_ENGINE_PKI_REPORTS_JBOSS_CERT + self._enrolldata = remote_engine.EnrollRemoteEngine( + remote_engine=self.environment[osetupcons.CoreEnv.REMOTE_ENGINE], + engine_fqdn=self.environment[ + oreportscons.EngineConfigEnv.ENGINE_FQDN + ], + base_name=oreportscons.Const.PKI_REPORTS_JBOSS_CERT_NAME, + base_touser=_('Reports'), + key_file=oreportscons.FileLocations. + OVIRT_ENGINE_PKI_REPORTS_JBOSS_KEY, + cert_file=oreportscons.FileLocations. + OVIRT_ENGINE_PKI_REPORTS_JBOSS_CERT, + csr_fname_envkey=oreportscons.ConfigEnv.PKI_JBOSS_CSR_FILENAME, + engine_ca_cert_file=os.path.join( + oreportscons.FileLocations.OVIRT_ENGINE_PKIDIR, + 'ca.pem' + ), + engine_pki_requests_dir=oreportscons.FileLocations. + OVIRT_ENGINE_PKIREQUESTSDIR, + engine_pki_certs_dir=oreportscons.FileLocations. + OVIRT_ENGINE_PKICERTSDIR, + key_size=self.environment[oreportscons.ConfigEnv.KEY_SIZE], + url="http://www.ovirt.org/Features/Separate-Reports-Host", ) - - self._need_key = not os.path.exists( - oreportscons.FileLocations. 
- OVIRT_ENGINE_PKI_REPORTS_JBOSS_KEY - ) - - if self._need_key: - self._key, req, my_pubk = self._genReq() - self._need_cert = True - - if ( - self._need_cert and - self.environment[ - oreportscons.ConfigEnv.JBOSS_CERTIFICATE_CHAIN - ] is None - ): - csr_fname = self.environment[ - oreportscons.ConfigEnv.PKI_JBOSS_CSR_FILENAME - ] - with ( - open(csr_fname, 'w') if csr_fname - else tempfile.NamedTemporaryFile(mode='w', delete=False) - ) as self._csr_file: - self._csr_file.write(req) - - remote_name = '{name}-{fqdn}'.format( - name=oreportscons.Const.PKI_REPORTS_JBOSS_CERT_NAME, - fqdn=self.environment[osetupcons.ConfigEnv.FQDN], - ) - enroll_command = ( - " /usr/share/ovirt-engine/bin/pki-enroll-request.sh \\\n" - " --name={remote_name} \\\n" - " --subject=\"" - "$(openssl x509 -in {pkidir}/ca.pem -noout " - "-subject | sed 's;subject= \(/C=[^/]*/O=[^/]*\)/.*;\\1;')" - "/CN={fqdn}\"" - ).format( - remote_name=remote_name, - pkidir=oreportscons.FileLocations.OVIRT_ENGINE_PKIDIR, - fqdn=self.environment[osetupcons.ConfigEnv.FQDN], - ) - - self.dialog.note( - text=_( - "\nTo sign the Reports certificate on the engine server, " - "please:\n\n" - "1. Copy {tmpcsr} from here to {enginecsr} on the engine " - "server.\n\n" - "2. Run on the engine server:\n\n" - "{enroll_command}\n\n" - "3. Copy {enginecert} from the engine server to some file " - "here. Provide the file name below.\n\n" - "See {url} for more details, including using an external " - "certificate authority." - ).format( - tmpcsr=self._csr_file.name, - enginecsr='{pkireqdir}/{remote_name}.req'.format( - pkireqdir=oreportscons.FileLocations. - OVIRT_ENGINE_PKIREQUESTSDIR, - remote_name=remote_name, - ), - enroll_command=enroll_command, - enginecert='{pkicertdir}/{remote_name}.cer'.format( - pkicertdir=oreportscons.FileLocations. 
- OVIRT_ENGINE_PKICERTSDIR, - remote_name=remote_name, - ), - url="http://www.ovirt.org/Features/Separate-Reports-Host", - ), - ) - - goodcert = False - while not goodcert: - filename = self.dialog.queryString( - name='REPORTS_JBOSS_CERT_FILENAME', - note=_( - '\nPlease input the location of the file where you ' - 'copied the signed certificate in step 3 above: ' - ), - prompt=True, - ) - try: - with open(filename) as f: - cert = f.read() - goodcert = my_pubk == X509.load_cert_string( - cert - ).get_pubkey().as_pem(cipher=None) - self.environment[ - oreportscons.ConfigEnv.JBOSS_CERTIFICATE_CHAIN - ] = cert - if not goodcert: - self.logger.error( - _( - 'The certificate in {cert} does not match ' - 'the request in {req}. Please try again.' - ).format( - cert=filename, - req=self._csr_file.name, - ) - ) - except: - self.logger.error( - _( - 'Error while reading or parsing {cert}. ' - 'Please try again.' - ).format( - cert=filename, - ) - ) - self.logger.debug('Error reading cert', exc_info=True) - self.logger.info(_('Reports certificate read successfully')) + self._enrolldata.enroll_cert() @plugin.event( stage=plugin.Stages.STAGE_MISC, 
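Review bot: The `EnrollRemoteEngine(...)` constructor call here is a near-verbatim copy of the one in apache.py's `_customization`; the two differ only in `base_name`, `base_touser`, `key_file`, `cert_file` and `csr_fname_envkey`, while `remote_engine`, `engine_fqdn`, `engine_ca_cert_file`, `engine_pki_requests_dir`, `engine_pki_certs_dir`, `key_size` and `url` are repeated line for line. A small shared helper in the reports setup package that takes the five varying arguments and fills in the common ones would keep the two plugins from drifting apart. The feature URL literal `"http://www.ovirt.org/Features/Separate-Reports-Host"` is now duplicated in both files and belongs in `oreportscons.Const` next to the other shared names.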
@@ -230,62 +111,19 @@ after=( oreportscons.Stages.CA_AVAILABLE, oreportscons.Stages.PKI_MISC, - oreportscons.Stages.ENGINE_CORE_ENABLE, ), ) def _misc_pki(self): - uninstall_files = [] - self.environment[ - osetupcons.CoreEnv.REGISTER_UNINSTALL_GROUPS - ].createGroup( - group='ca_pki_reports', - description='Reports PKI keys', - optional=True, - ).addFiles( - group='ca_pki_reports', - fileList=uninstall_files, + self._enrolldata.add_to_transaction( + uninstall_group_name='ca_pki_reports', + uninstall_group_desc='Reports PKI keys', ) - if self._need_key: - self.environment[otopicons.CoreEnv.MAIN_TRANSACTION].append( - filetransaction.FileTransaction( - name=oreportscons.FileLocations. - OVIRT_ENGINE_PKI_REPORTS_JBOSS_KEY, - mode=0o600, - owner=self.environment[osetupcons.SystemEnv.USER_ENGINE], - enforcePermissions=True, - content=self._key, - modifiedList=uninstall_files, - ) - ) - - if self._need_cert: - self.environment[otopicons.CoreEnv.MAIN_TRANSACTION].append( - filetransaction.FileTransaction( - name=oreportscons.FileLocations. 
- OVIRT_ENGINE_PKI_REPORTS_JBOSS_CERT, - mode=0o600, - owner=self.environment[osetupcons.SystemEnv.USER_ENGINE], - enforcePermissions=True, - content=self.environment[ - oreportscons.ConfigEnv.JBOSS_CERTIFICATE_CHAIN - ], - modifiedList=uninstall_files, - ) - ) @plugin.event( stage=plugin.Stages.STAGE_CLEANUP, ) def _cleanup(self): - if self._csr_file is not None: - try: - os.unlink(self._csr_file.name) - except OSError as e: - self.logger.debug( - "Failed to delete '%s'", - self._csr_file.name, - exc_info=True, - ) + self._enrolldata.cleanup() # vim: expandtab tabstop=4 shiftwidth=4 -- To view, visit http://gerrit.ovirt.org/33024 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ia7a549d09dc85293beba24327ea44ef1dcaf4a55 Gerrit-PatchSet: 1 Gerrit-Project: ovirt-reports Gerrit-Branch: master Gerrit-Owner: Yedidyah Bar David <d...@redhat.com> _______________________________________________ Engine-patches mailing list Engine-patches@ovirt.org http://lists.ovirt.org/mailman/listinfo/engine-patches
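Review bot: The `after=` tuple of the `_misc_pki` event drops `oreportscons.Stages.ENGINE_CORE_ENABLE`, which changes when this plugin's transaction entries are queued relative to that stage, and neither the commit message nor the code says why. If the ordering is no longer needed because the key and certificate writes moved into `EnrollRemoteEngine.add_to_transaction`, state that in the commit message; otherwise keep the entry. apache.py's `_misc_pki` event has its `after=` list outside its hunk, so it should be checked so the two plugins stay consistent.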