Yedidyah Bar David has uploaded a new change for review. Change subject: packaging: setup: pki: Prompt before renewal ......................................................................
packaging: setup: pki: Prompt before renewal Change-Id: Idca01632ac1ea7895bba54d7f3f8bb0d9b2c90d4 Signed-off-by: Yedidyah Bar David <d...@redhat.com> --- M packaging/setup/ovirt_engine_setup/engine/constants.py M packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py 2 files changed, 140 insertions(+), 63 deletions(-) git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/76/41876/3 diff --git a/packaging/setup/ovirt_engine_setup/engine/constants.py b/packaging/setup/ovirt_engine_setup/engine/constants.py index a825a92..a6a43cc 100644 --- a/packaging/setup/ovirt_engine_setup/engine/constants.py +++ b/packaging/setup/ovirt_engine_setup/engine/constants.py @@ -550,6 +550,14 @@ ENGINE_SSH_PUBLIC_KEY = 'OVESETUP_PKI/sshPublicKey' + @osetupattrs( + answerfile=True, + summary=True, + description=_('Renew PKI'), + ) + def RENEW(self): + return 'OVESETUP_PKI/renew' + @util.export @util.codegen diff --git a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py index 1a73b60..7703115 100644 --- a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py +++ b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/pki/ca.py @@ -41,6 +41,7 @@ from ovirt_engine_setup import constants as osetupcons +from ovirt_engine_setup import dialog from ovirt_engine_setup.engine import constants as oenginecons from ovirt_engine_setup.engine_common import constants as oengcommcons from ovirt_engine_setup.engine import vdcoption 
@@ -181,6 +182,39 @@ ) ) + _PKI_ENTRIES = ( + { + 'name': 'engine', + 'extract': False, + 'user': osetupcons.SystemEnv.USER_ENGINE, + 'keepKey': True, + }, + { + 'name': 'jboss', + 'extract': False, + 'user': osetupcons.SystemEnv.USER_ENGINE, + 'keepKey': False, + }, + { + 'name': 'websocket-proxy', + 'extract': True, + 'user': osetupcons.SystemEnv.USER_ENGINE, + 'keepKey': False, + }, + { + 'name': 'apache', + 'extract': True, + 'user': oengcommcons.SystemEnv.USER_ROOT, + 'keepKey': False, + }, + { + 'name': 'reports', + 'extract': True, + 'user': oengcommcons.SystemEnv.USER_ROOT, + 'keepKey': False, + }, + ) + def _expired(self, x509): # # LEGACY NOTE 
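Review bot: `_PKI_ENTRIES` becomes the single table driving both `_enrollCertificates` and the new customization-stage check, but it carries no comment on what its keys mean, so a reader has to trace each flag to its consumer. From the visible code, `extract` is what `_ok_to_renew_cert` consults (non-extract entries are renewable on expiry alone, extract entries only when issued by the internal CA and matching the on-disk `.cer`), while `keepKey` is consumed outside this diff. A short comment above the tuple such as `# Certificates managed by setup. 'extract': a separate .cer copy exists and the cert is only renewed when issued by the internal CA; 'keepKey': see _enrollCertificates` would save that lookup; confirm the wording for 'keepKey' against its consumer before committing to it.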
@@ -198,39 +232,43 @@ ) ) + def _ok_to_renew_cert(self, pkcs12, name, extract): + res = False + if os.path.exists(pkcs12): + x509 = self._extractPKCS12Certificate(pkcs12) + if self._expired(x509): + if not extract: + res = True + else: + if x509.verify( + X509.load_cert( + oenginecons.FileLocations. + OVIRT_ENGINE_PKI_ENGINE_CA_CERT + ).get_pubkey() + ): + self.logger.debug( + 'certificate is an internal certificate' + ) + + # sanity check, make sure user did not manually + # change cert + x509x = X509.load_cert( + os.path.join( + ( + oenginecons.FileLocations. + OVIRT_ENGINE_PKICERTSDIR + ), + '%s.cer' % name, + ) + ) + + if x509x.as_pem() == x509.as_pem(): + self.logger.debug('certificate is sane') + res = True + return res + def _enrollCertificates(self, renew, uninstall_files): - for entry in ( - { - 'name': 'engine', - 'extract': False, - 'user': osetupcons.SystemEnv.USER_ENGINE, - 'keepKey': True, - }, - { - 'name': 'jboss', - 'extract': False, - 'user': osetupcons.SystemEnv.USER_ENGINE, - 'keepKey': False, - }, - { - 'name': 'websocket-proxy', - 'extract': True, - 'user': osetupcons.SystemEnv.USER_ENGINE, - 'keepKey': False, - }, - { - 'name': 'apache', - 'extract': True, - 'user': oengcommcons.SystemEnv.USER_ROOT, - 'keepKey': False, - }, - { - 'name': 'reports', - 'extract': True, - 'user': oengcommcons.SystemEnv.USER_ROOT, - 'keepKey': False, - }, - ): + for entry in self._PKI_ENTRIES: self.logger.debug( "processing: '%s'[renew=%s]", entry['name'], 
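Review bot: `_ok_to_renew_cert` returns False without any log line when an expired certificate fails the internal-CA signature check or the `.cer` comparison, so an operator whose expired certificate is skipped gets no hint why; the debug messages only cover the positive path. Adding `else: self.logger.debug('certificate %s is not issued by the internal CA or was replaced manually, not renewing', name)` after the `x509.verify(...)` branch, and a matching line after the `as_pem()` comparison, would make the decision traceable in the setup log. The new `os.path.exists(pkcs12)` guard also changes behaviour at the `_enrollCertificates` call site in the next hunk: a missing PKCS#12 during renew now yields False instead of whatever `_extractPKCS12Certificate` did on a missing file, which is fine if code before `enroll = not renew` (outside this diff) already forces enrollment in that case, and worth confirming otherwise. A docstring stating the contract is missing too: returns True only when the file exists, the certificate is expired and it is safe to replace — always for non-extracted entries, only for internally issued and unmodified ones otherwise.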
@@ -252,36 +290,11 @@ enroll = not renew if not enroll: - x509 = self._extractPKCS12Certificate(pkcs12) - if self._expired(x509): - if not entry['extract']: - enroll = True - else: - if x509.verify( - X509.load_cert( - oenginecons.FileLocations. - OVIRT_ENGINE_PKI_ENGINE_CA_CERT - ).get_pubkey() - ): - self.logger.debug( - 'certificate is an internal certificate' - ) - - # sanity check, make sure user did not manually - # change cert - x509x = X509.load_cert( - os.path.join( - ( - oenginecons.FileLocations. - OVIRT_ENGINE_PKICERTSDIR - ), - '%s.cer' % entry['name'], - ) - ) - - if x509x.as_pem() == x509.as_pem(): - self.logger.debug('certificate is sane') - enroll = True + enroll = self._ok_to_renew_cert( + pkcs12, + entry['name'], + entry['extract'] + ) if enroll: self.logger.info( @@ -340,6 +353,10 @@ oenginecons.PKIEnv.ORG, None ) + self.environment.setdefault( + oenginecons.PKIEnv.RENEW, + None + ) @plugin.event( stage=plugin.Stages.STAGE_SETUP, 
@@ -383,13 +400,65 @@ ) @plugin.event( - stage=plugin.Stages.STAGE_MISC, + stage=plugin.Stages.STAGE_CUSTOMIZATION, + before=( + oengcommcons.Stages.DIALOG_TITLES_E_PKI, + ), + after=( + osetupcons.Stages.CONFIG_PROTOCOLS_CUSTOMIZATION, + oengcommcons.Stages.DIALOG_TITLES_S_PKI, + ), condition=lambda self: ( self.environment[oenginecons.CoreEnv.ENABLE] and os.path.exists( oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_CERT ) ), + ) + def _customization_upgrade(self): + if True in [ + self._expired( + X509.load_cert( + oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_CERT + ) + ) + ] + [ + self._ok_to_renew_cert( + os.path.join( + oenginecons.FileLocations.OVIRT_ENGINE_PKIKEYSDIR, + '%s.p12' % entry['name'] + ), + entry['name'], + entry['extract'] + ) + for entry in self._PKI_ENTRIES + ]: + if self.environment[oenginecons.PKIEnv.RENEW] is None: + self.environment[ + oenginecons.PKIEnv.RENEW + ] = dialog.queryBoolean( + dialog=self.dialog, + name='OVESETUP_RENEW_PKI', + note=_( + 'One or more of the certificates should be renewed, ' + 'because they expire soon or include an invalid ' + 'expiry date, which is rejected by recent browsers.\n' + 'See {url} for more details.\n' + 'Renew certificates? 
' + '(@VALUES@) [@DEFAULT@]: ' + ).format( + url=( + 'http://www.ovirt.org/OVirt_3.5.3_Release_Notes' + '#PKI' + ), + ), + prompt=True, + default=None, + ) + + @plugin.event( + stage=plugin.Stages.STAGE_MISC, + condition=lambda self: self.environment[oenginecons.PKIEnv.RENEW], before=( oenginecons.Stages.CA_AVAILABLE, ), -- To view, visit https://gerrit.ovirt.org/41876 To unsubscribe, visit https://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Idca01632ac1ea7895bba54d7f3f8bb0d9b2c90d4 Gerrit-PatchSet: 3 Gerrit-Project: ovirt-engine Gerrit-Branch: master Gerrit-Owner: Yedidyah Bar David <d...@redhat.com> Gerrit-Reviewer: Alon Bar-Lev <alo...@redhat.com> Gerrit-Reviewer: Jenkins CI Gerrit-Reviewer: Sandro Bonazzola <sbona...@redhat.com> Gerrit-Reviewer: Simone Tiraboschi <stira...@redhat.com> Gerrit-Reviewer: Yedidyah Bar David <d...@redhat.com> Gerrit-Reviewer: automat...@ovirt.org _______________________________________________ Engine-patches mailing list Engine-patches@ovirt.org http://lists.ovirt.org/mailman/listinfo/engine-patches
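Review bot: The renewal test in `_customization_upgrade` builds two lists and checks `True in ... + ...`, which evaluates `_ok_to_renew_cert` for every entry even after one has already answered yes and reads awkwardly; `any()` over a generator expresses the same condition and short-circuits. Splitting the CA check and the per-entry check into named booleans also makes it obvious that an expired CA alone triggers the prompt. The `.p12` path is assembled here with `os.path.join(OVIRT_ENGINE_PKIKEYSDIR, '%s.p12' % entry['name'])` while `_enrollCertificates` passes its own `pkcs12` variable, so if the two ever differ the prompt and the actual renewal would disagree — a small shared helper for the path would prevent that drift, though the other definition is outside this diff. The `STAGE_MISC` event decorated at the end of this hunk has its body outside it.
```python
    def _customization_upgrade(self):
        ca_expired = self._expired(
            X509.load_cert(
                oenginecons.FileLocations.OVIRT_ENGINE_PKI_ENGINE_CA_CERT
            )
        )
        cert_renewable = any(
            self._ok_to_renew_cert(
                os.path.join(
                    oenginecons.FileLocations.OVIRT_ENGINE_PKIKEYSDIR,
                    '%s.p12' % entry['name']
                ),
                entry['name'],
                entry['extract']
            )
            for entry in self._PKI_ENTRIES
        )
        if ca_expired or cert_renewable:
            # … unchanged: prompt via dialog.queryBoolean when RENEW is still None …
```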