Alon Bar-Lev has uploaded a new change for review.

Change subject: packaging: setup: pki: upgrade cert templates
......................................................................

packaging: setup: pki: upgrade cert templates

The certificate template may be modified over time, and has been recently.
Due to the legacy PKI approach, and until we rewrite the PKI, we must
regenerate the configuration, taking the AIA from the existing template.

Related-To: https://bugzilla.redhat.com/show_bug.cgi?id=1210486
Change-Id: Ia975aad12e97ce0287cd6414e7ab91ea2ca6c0f9
Signed-off-by: Alon Bar-Lev <alo...@redhat.com>
---
M packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py
1 file changed, 79 insertions(+), 11 deletions(-)


  git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/15/39815/1

diff --git a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py 
b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py
index 523c3cd..83d64db 100644
--- a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py
+++ b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py
@@ -74,6 +74,18 @@
     def _subjectComponentEscape(self, s):
         return outil.escape(s, '/\\')
 
+    def _setupUninstall(self, files):
+        self.environment[
+            osetupcons.CoreEnv.REGISTER_UNINSTALL_GROUPS
+        ].createGroup(
+            group='ca_pki',
+            description='PKI keys',
+            optional=True,
+        ).addFiles(
+            group='ca_pki',
+            fileList=files,
+        )
+
     def __init__(self, context):
         super(Plugin, self).__init__(context=context)
         self._enabled = False
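Review bot: `_setupUninstall` registers `files` with the uninstall group while the list is still empty at both call sites (lines 81 and 123 of this change), so the registration only has an effect if `addFiles` keeps a reference to the list rather than copying it; that contract is not visible here and is worth stating. A docstring would make it explicit: `"""Register *files* for uninstall in the 'ca_pki' group; the list is held by reference and may be filled after this call."""`. The enclosing class continues outside the hunk.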
@@ -142,6 +154,72 @@
 
     @plugin.event(
         stage=plugin.Stages.STAGE_MISC,
+        condition=lambda self: (
+            self.environment[oenginecons.CoreEnv.ENABLE] and
+            os.path.exists(
+                oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_CERT
+            )
+        ),
+    )
+    def _miscUpgrade(self):
+        self.logger.info(_('Upgrading CA'))
+
+        #
+        # LEGACY NOTE
+        # Since 3.0 and maybe before the method of
+        # allowing user to override AIA was to explict
+        # edit files. Until we rewrite the entire PKI
+        # we must preserve this approach.
+        # The template may change over time, so regenerate.
+        #
+        aia = None
+        template = oenginecons.FileLocations.OVIRT_ENGINE_PKI_CERT_TEMPLATE[
+            :-len('.in')
+        ]
+        if os.path.exists(template):
+            with open(template) as f:
+                PREFIX = 'caIssuers;URI:'
+                for l in f.readlines():
+                    if l.startswith('authorityInfoAccess'):
+                        aia = l[l.find(PREFIX)+len(PREFIX):]
+                        break
+
+        uninstall_files = []
+        self._setupUninstall(uninstall_files)
+        if aia is not None:
+            localtransaction = transaction.Transaction()
+            with localtransaction:
+                for name in (
+                    oenginecons.FileLocations.OVIRT_ENGINE_PKI_CA_TEMPLATE,
+                    oenginecons.FileLocations.OVIRT_ENGINE_PKI_CERT_TEMPLATE,
+                ):
+                    localtransaction.append(
+                        filetransaction.FileTransaction(
+                            name=name[:-len('.in')],
+                            content=outil.processTemplate(
+                                name,
+                                {
+                                    '@AIA@': aia,
+                                }
+                            ),
+                            modifiedList=uninstall_files,
+                        ),
+                    )
+                    localtransaction.append(
+                        filetransaction.FileTransaction(
+                            name=name[:-len('.template.in')] + '.conf',
+                            content=outil.processTemplate(
+                                name,
+                                {
+                                    '@AIA@': aia,
+                                }
+                            ),
+                            modifiedList=uninstall_files,
+                        ),
+                    )
+
+    @plugin.event(
+        stage=plugin.Stages.STAGE_MISC,
         name=oenginecons.Stages.CA_AVAILABLE,
         condition=lambda self: (
             self.environment[oenginecons.CoreEnv.ENABLE] and
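Review bot: In `_miscUpgrade`, `aia = l[l.find(PREFIX)+len(PREFIX):]` does not handle an `authorityInfoAccess` line that lacks the `caIssuers;URI:` marker: `find` returns -1, so `aia` becomes the line from offset `len(PREFIX)-1` and that garbage is substituted into both regenerated files; the value also keeps its trailing newline. Guard the lookup and strip the result: `idx = l.find(PREFIX)` / `if idx >= 0:` / `aia = l[idx + len(PREFIX):].strip()`. Also `for l in f.readlines()` can be `for line in f` (the single-letter `l` is easily misread). The second `FileTransaction` writes the same rendered content to both the `.template` file and the `.conf` file; if that duplication is intended, a one-line comment saying so would help the next reader.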
@@ -159,22 +237,12 @@
         # need to work this out to allow transactional
         # for now just delete files if we fail
         uninstall_files = []
+        self._setupUninstall(uninstall_files)
         self.environment[otopicons.CoreEnv.MAIN_TRANSACTION].append(
             self.CATransaction(
                 parent=self,
                 uninstall_files=uninstall_files,
             )
-        )
-
-        self.environment[
-            osetupcons.CoreEnv.REGISTER_UNINSTALL_GROUPS
-        ].createGroup(
-            group='ca_pki',
-            description='PKI keys',
-            optional=True,
-        ).addFiles(
-            group='ca_pki',
-            fileList=uninstall_files,
         )
 
         # LEGACY NOTE


-- 

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ia975aad12e97ce0287cd6414e7ab91ea2ca6c0f9
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: ovirt-engine-3.5
Gerrit-Owner: Alon Bar-Lev <alo...@redhat.com>
