Alon Bar-Lev has uploaded a new change for review. Change subject: pki: cleanup the ca interface ......................................................................
pki: cleanup the ca interface VdsInstaller is about the retire, but it contains some dirty code that is actually belongs to the ca internals. In this patch we move this code into the ca interface so that the VdsInstaller replacement will not contain any knowledge of the ca internals. Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=875528 Change-Id: If8c9285ed3a0640fea17a4ce629d6deb532430c4 Signed-off-by: Alon Bar-Lev <[email protected]> --- M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/VdsInstaller.java M backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/hostinstall/OpenSslCAWrapper.java 2 files changed, 95 insertions(+), 29 deletions(-) git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/62/9162/1 diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/VdsInstaller.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/VdsInstaller.java index fac007f..840c899 100644 --- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/VdsInstaller.java +++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/VdsInstaller.java @@ -64,7 +64,6 @@ private String _bootstrapCommand; protected final VdsInstallerSSH _wrapper = new VdsInstallerSSH(); - private final OpenSslCAWrapper _caWrapper = new OpenSslCAWrapper(); protected String _serverName; private boolean _rebootAfterInstallation; private final String _rootPassword; @@ -73,6 +72,9 @@ private boolean isAddOvirtFlow = false; private boolean supportVirt = false; private boolean supportGluster = false; + + private String _request; + private String _certificate; protected static final java.util.HashMap<VdsInstallStages, String> _translatedMessages = new java.util.HashMap<VdsInstallStages, String>(); 
@@ -344,41 +346,58 @@ break; } case DownloadCertificateRequest: { - // First parameter will always run on Linux, so use path.combine - // just for the second param. - Boolean fRes = _wrapper.receiveFile(_remoteDirectory + "/" + _certRequestFileName, - buildCAPath(_requestsDirectory, _certRequestFileName)); - log.infoFormat(" DownloadCertificateRequest ended:" + fRes.toString()); + File req = null; + try { + req = File.createTempFile("req", ".pem"); + _executionSucceded = _wrapper.receiveFile( + _remoteDirectory + "/" + _certRequestFileName, + req.getPath() + ); + _request = FileUtil.readAllText(req.getPath()); + } + catch (Exception e) { + _executionSucceded = false; + } + finally { + if (req != null) { + req.delete(); + } + } + + log.infoFormat(" DownloadCertificateRequest ended:" + _executionSucceded); break; } case SignCertificateRequest: { - _executionSucceded = _caWrapper.SignCertificateRequest(_certRequestFileName, - Config.<Integer> GetValue(ConfigValues.VdsCertificateValidityInYears) * 365, _certFileNameLocal); - log.infoFormat(" SignCertificateRequest ended:" + _executionSucceded); - if (_executionSucceded) { - String currRequest = buildCAPath(_requestsDirectory, _certRequestFileName); - try { - FileUtil.deleteFile(currRequest); - } catch (RuntimeException exp) { - log.errorFormat( - "Installation of {0}. Could not delete certificate request file from: {1}. error: {2}. (Stage: {3}", - _serverName, - currRequest, - exp.getMessage(), - getCurrentInstallStage()); - } + try { + _certificate = OpenSslCAWrapper.SignCertificateRequest( + _request, + _vds.gethost_name() + ); + + _executionSucceded = true; _currentInstallStage = VdsInstallStages.forValue(_currentInstallStage.getValue() + 1); - } else { - log.error("Error signing certificate request"); } + catch (Exception e) { + _executionSucceded = false; + + log.errorFormat( + "Installation of {0}. Could not issue certificate. error: {1}. 
(Stage: {2}", + _serverName, + e.getMessage(), + getCurrentInstallStage() + ); + log.error(e); + } + + log.infoFormat(" SignCertificateRequest ended:" + _executionSucceded); break; } case UploadSignedCertificate: { - // Second parameter will always run on Linux, so use - // path.combine just for the first param. - Boolean fRes = _wrapper.sendFile(buildCAPath(_certificatesDirectory, _certFileNameLocal), - _remoteDirectory + "/" + _certFileName); - log.infoFormat(" UploadSignedCertificate ended:" + fRes.toString()); + _executionSucceded = uploadStringAsFile(_certificate, _remoteDirectory + "/" + _certFileName); + log.infoFormat(" UploadSignedCertificate ended:" + _executionSucceded); + if (_executionSucceded) { + _currentInstallStage = VdsInstallStages.forValue(_currentInstallStage.getValue() + 1); + } break; } case UploadCA: { @@ -555,7 +574,6 @@ public void endTransfer() { if (_currentInstallStage == VdsInstallStages.UploadScript //iso upload || _currentInstallStage == VdsInstallStages.DownloadCertificateRequest - || _currentInstallStage == VdsInstallStages.UploadSignedCertificate || _currentInstallStage == VdsInstallStages.UploadCA) { log.infoFormat("Installation of {0}. successfully done sftp operation ( Stage: {1})", _serverName, _translatedMessages.get(_currentInstallStage)); diff --git a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/hostinstall/OpenSslCAWrapper.java b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/hostinstall/OpenSslCAWrapper.java index edf0b24..2ab9c1e 100644 --- a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/hostinstall/OpenSslCAWrapper.java +++ b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/hostinstall/OpenSslCAWrapper.java 
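Review bot: In the new DownloadCertificateRequest branch the `catch (Exception e) { _executionSucceded = false; }` discards the exception entirely, so a failed sftp transfer or an unreadable temp file leaves only the generic "ended:false" line in the log, whereas the SignCertificateRequest branch right below logs both the message and the stack trace; add `log.errorFormat("Installation of {0}. Could not retrieve certificate request. error: {1}", _serverName, e.getMessage()); log.error(e);` before the flag is cleared. Note also that when `receiveFile` returns false the code still reads the temp file and stores whatever it contains in `_request`; setting `_request = null` on failure would keep a later SignCertificateRequest from submitting an empty or stale CSR if the stage machine re-enters this path (hedged, since the failure-path transitions are outside this hunk). The enclosing switch and method begin before this hunk and continue past it.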
@@ -1,8 +1,13 @@ package org.ovirt.engine.core.utils.hostinstall; import java.io.BufferedReader; +import java.io.File; +import java.io.FileNotFoundException; +import java.io.FileOutputStream; import java.io.IOException; import java.io.InputStreamReader; +import java.io.OutputStream; +import java.io.UnsupportedEncodingException; import java.text.SimpleDateFormat; import java.util.Calendar; import java.util.TimeZone; 
@@ -14,6 +19,49 @@ import org.ovirt.engine.core.utils.FileUtil; public class OpenSslCAWrapper { + + public static String SignCertificateRequest(String request, String label) + throws FileNotFoundException, UnsupportedEncodingException, IOException { + + File pkicertdir = new File(Config.resolveCABasePath(), "certs"); + File pkireqdir = new File(Config.resolveCABasePath(), "requests"); + String reqFileName = String.format("%1$sreq.pem", label); + String certFileName = String.format("%1$scert.pem", label); + + OutputStream os = null; + try { + os = new FileOutputStream( + new File( + pkireqdir, + reqFileName + ) + ); + os.write(request.getBytes("UTF-8")); + } + finally { + if (os == null) { + try { + os.close(); + } + catch (IOException e) { + log.error("error during close", e); + } + } + } + + if ( + !new OpenSslCAWrapper().SignCertificateRequest( + reqFileName, + Config.<Integer> GetValue(ConfigValues.VdsCertificateValidityInYears) * 365, + certFileName + ) + ) { + throw new RuntimeException("Certificate enrollment failed"); + } + + return FileUtil.readAllText(new File(pkicertdir, certFileName).getPath()); + } + public final boolean SignCertificateRequest(String requestFileName, int days, String signedCertificateFileName) { log.debug("Entered SignCertificateRequest"); boolean returnValue = true; -- To view, visit http://gerrit.ovirt.org/9162 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: If8c9285ed3a0640fea17a4ce629d6deb532430c4 Gerrit-PatchSet: 1 Gerrit-Project: ovirt-engine Gerrit-Branch: master Gerrit-Owner: Alon Bar-Lev <[email protected]> _______________________________________________ Engine-patches mailing list [email protected] http://lists.ovirt.org/mailman/listinfo/engine-patches
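Review bot: The `finally` block in the new static SignCertificateRequest has its null check inverted: `if (os == null)` means the stream is never closed when the write succeeded (a leaked descriptor per enrollment), and when the FileOutputStream constructor threw, `os.close()` raises a NullPointerException that replaces the original FileNotFoundException; the condition should read `if (os != null) {`. The request file written to `requests/<label>req.pem` is also never removed after signing, whereas the VdsInstaller code this patch deletes did remove it, so CSRs will accumulate in the CA directory unless something outside this hunk cleans up. `label` comes from the host name and is spliced unvalidated into both file names, so a name containing path separators or `..` would point the write and the read outside the `requests`/`certs` directories; rejecting such labels before building the paths would be a cheap guard. The instance method SignCertificateRequest that follows continues past the end of this hunk.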
