Alon Bar-Lev has uploaded a new change for review. Change subject: vdsm: pki: enroll pending certificate in separate file ......................................................................
vdsm: pki: enroll pending certificate in separate file This will enable existing key to be used until we have the certificate available. Change-Id: I8d3c7850900870e43bf102bd9365b171083cfe56 Signed-off-by: Alon Bar-Lev <alo...@redhat.com> --- M src/ovirt_host_deploy/constants.py M src/plugins/ovirt-host-deploy/vdsm/pki.py 2 files changed, 54 insertions(+), 20 deletions(-) git pull ssh://gerrit.ovirt.org:29418/ovirt-host-deploy refs/changes/43/10043/1 diff --git a/src/ovirt_host_deploy/constants.py b/src/ovirt_host_deploy/constants.py index b3fd72c..28f8686 100644 --- a/src/ovirt_host_deploy/constants.py +++ b/src/ovirt_host_deploy/constants.py @@ -36,6 +36,7 @@ VDSM_CA_FILE = 'certs/cacert.pem' VDSM_CERT_FILE = 'certs/vdsmcert.pem' VDSM_KEY_FILE = 'keys/vdsmkey.pem' + VDSM_KEY_PENDING_FILE = 'keys/vdsmkey.pending.pem' VDSM_ID_FILE = '/etc/vdsm/vdsm.id' VDSM_DATA_DIR = '/usr/share/vdsm' diff --git a/src/plugins/ovirt-host-deploy/vdsm/pki.py b/src/plugins/ovirt-host-deploy/vdsm/pki.py index d3f11d8..eea7a89 100644 --- a/src/plugins/ovirt-host-deploy/vdsm/pki.py +++ b/src/plugins/ovirt-host-deploy/vdsm/pki.py @@ -198,6 +198,13 @@ ] != odeploycons.Const.CERTIFICATE_ENROLLMENT_NONE, ) def _validation(self): + if ( + self.environment[ + odeploycons.VdsmEnv.CERTIFICATE_ENROLLMENT + ] == odeploycons.Const.CERTIFICATE_ENROLLMENT_ACCEPT and + not os.path.exists(odeploycons.Const.VDSM_KEY_PENDING_FILE) + ): + raise RuntimeError(_('PKI accept mode while no pending request')) self._enabled = True @plugin.event( 
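Review bot: The new `_validation` guard tests `os.path.exists(odeploycons.Const.VDSM_KEY_PENDING_FILE)` with the bare constant, which the constants.py hunk defines as a trust-store-relative path (`keys/vdsmkey.pending.pem`, like its sibling `VDSM_KEY_FILE`), so in accept mode the check depends on the process's current directory rather than on whether a pending request exists. The same bare constant is used by `open(...)` in the @@ -229 hunk and by `os.path.exists`/`os.unlink` in `_closeup` in the @@ -324 hunk, whereas the FileTransaction that writes the file joins it with `vdsmTrustStore`; all three call sites should use the joined path, e.g. `os.path.join(vdsmTrustStore, odeploycons.Const.VDSM_KEY_PENDING_FILE)`, however `vdsmTrustStore` is resolved in those stages (its definition is outside the hunks). As written, accept mode would raise `PKI accept mode while no pending request` on a correctly enrolled host unless cwd happens to be the trust store.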
@@ -229,16 +236,10 @@ odeploycons.VdsmEnv.CERTIFICATE_ENROLLMENT ] - if enrollment == odeploycons.Const.CERTIFICATE_ENROLLMENT_REQUEST: - self.environment[odeploycons.CoreEnv.INSTALL_INCOMPLETE] = True - self.environment[ - odeploycons.CoreEnv.INSTALL_INCOMPLETE_REASONS - ].append(_('Certificate enrollment required')) - - if enrollment in ( - odeploycons.Const.CERTIFICATE_ENROLLMENT_REQUEST, - odeploycons.Const.CERTIFICATE_ENROLLMENT_INLINE, - ): + if enrollment == odeploycons.Const.CERTIFICATE_ENROLLMENT_ACCEPT: + with open(odeploycons.Const.VDSM_KEY_PENDING_FILE, 'r') as f: + vdsmkey = f.read() + else: if useM2Crypto: vdsmkey, req = self._genReqM2Crypto() else: @@ -253,18 +254,23 @@ ), ) + if enrollment == odeploycons.Const.CERTIFICATE_ENROLLMENT_REQUEST: + self.environment[odeploycons.CoreEnv.INSTALL_INCOMPLETE] = True + self.environment[ + odeploycons.CoreEnv.INSTALL_INCOMPLETE_REASONS + ].append(_('Certificate enrollment required')) + self.environment[otopicons.CoreEnv.MAIN_TRANSACTION].append( filetransaction.FileTransaction( name=os.path.join( vdsmTrustStore, - odeploycons.Const.VDSM_KEY_FILE, + odeploycons.Const.VDSM_KEY_PENDING_FILE, ), - owner='vdsm', - group='kvm', + owner='root', downer='vdsm', dgroup='kvm', - mode=0o440, - dmode=0o750, + mode=0o400, + dmode=0o700, enforcePermissions=True, content=vdsmkey, modifiedList=self.environment[ @@ -272,11 +278,7 @@ ], ) ) - - if enrollment in ( - odeploycons.Const.CERTIFICATE_ENROLLMENT_ACCEPT, - odeploycons.Const.CERTIFICATE_ENROLLMENT_INLINE, - ): + else: chain = self.environment[ odeploycons.VdsmEnv.CERTIFICATE_CHAIN ] 
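Review bot: The pending-key FileTransaction in the @@ -253 hunk enforces `dmode=0o700` on the `keys/` directory while the final-key transaction in the @@ -324 hunk enforces `dmode=0o750` on the same directory (both with `enforcePermissions=True`), so the directory mode flips depending on which transaction ran last; the pending file is already protected by its own `mode=0o400`/`owner='root'`, so `dmode=0o750,` would keep the directory policy consistent without weakening the key's protection. The same transaction drops the former `group='kvm'` without naming a replacement; unless FileTransaction defaults the group, state it explicitly with `group='root',` next to `owner='root',` so the pending key's ownership does not rest on a library default. In the @@ -229 hunk the accept branch assigns only `vdsmkey`; if the stretch between this hunk and @@ -253 uses `req` unconditionally, that branch leaves it unbound, which is worth confirming since that stretch is outside the hunks. The enclosing method starts before @@ -229 and continues past @@ -272.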
@@ -324,3 +326,34 @@ ], ) ) + + self.environment[otopicons.CoreEnv.MAIN_TRANSACTION].append( + filetransaction.FileTransaction( + name=os.path.join( + vdsmTrustStore, + odeploycons.Const.VDSM_KEY_FILE, + ), + owner='vdsm', + group='kvm', + downer='vdsm', + dgroup='kvm', + mode=0o440, + dmode=0o750, + enforcePermissions=True, + content=vdsmkey, + modifiedList=self.environment[ + otopicons.CoreEnv.MODIFIED_FILES + ], + ) + ) + + @plugin.event( + stage=plugin.Stages.STAGE_CLOSEUP, + condition=lambda self: self._enabled, + ) + def _closeup(self): + if self.environment[ + odeploycons.VdsmEnv.CERTIFICATE_ENROLLMENT + ] != odeploycons.Const.CERTIFICATE_ENROLLMENT_REQUEST: + if os.path.exists(odeploycons.Const.VDSM_KEY_PENDING_FILE): + os.unlink(odeploycons.Const.VDSM_KEY_PENDING_FILE) -- To view, visit http://gerrit.ovirt.org/10043 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I8d3c7850900870e43bf102bd9365b171083cfe56 Gerrit-PatchSet: 1 Gerrit-Project: ovirt-host-deploy Gerrit-Branch: master Gerrit-Owner: Alon Bar-Lev <alo...@redhat.com> _______________________________________________ Engine-patches mailing list Engine-patches@ovirt.org http://lists.ovirt.org/mailman/listinfo/engine-patches
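Review bot: `_closeup` removes the pending key with `os.unlink` outside the main transaction that installs the final key, so if the closeup stage also runs after a rolled-back transaction (not visible here) the host would lose its pending key without the final key having been committed; guarding the unlink on the final key file now existing in the trust store would keep accept mode recoverable. The exists-then-unlink pair also has a small window between the two calls; a `try: os.unlink(...)` that tolerates only a missing file (`except OSError as e: if e.errno != errno.ENOENT: raise`, adding the `errno` import if the file lacks it) is the usual form. Nothing on the page checks that the chain received in accept mode was issued for the pending key before both are installed; comparing the certificate's public key with the key read from the pending file would fail fast instead of leaving vdsm with a mismatched pair. The reason the pending file is kept in REQUEST mode is not stated either; a comment such as `# keep the pending key until the engine returns the certificate (accept mode)` on the condition would help. `_closeup` lies fully within the hunk, while the preceding final-key transaction belongs to a method that starts before @@ -324.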