Oved Ourfali has uploaded a new change for review. Change subject: WIP Support foreman SSL provider ......................................................................
WIP Support foreman SSL provider

This patch adds support for SSL provider in Foreman. In order to do that I added two new config items, an external trust store, and the password for this truststore. These parameters are used when the URL starts with https.

Change-Id: I35343409d74a4f90aae726b46781f27ce08a981a
Signed-off-by: Oved Ourfali <oourf...@redhat.com>
---
M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/host/provider/foreman/ForemanHostProviderProxy.java
A backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/host/provider/foreman/SecuredHostHttpClient.java
M backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/EngineLocalConfig.java
M packaging/conf/engine.conf.defaults.in
M packaging/fedora/setup/basedefs.py
M packaging/fedora/setup/common_utils.py
M packaging/fedora/setup/engine-cleanup.py
M packaging/fedora/setup/engine-setup.py
M packaging/fedora/setup/engine-upgrade.py
M packaging/setup/plugins/ovirt-engine-setup/config/ca.py
10 files changed, 78 insertions(+), 8 deletions(-)

git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/28/15128/1

diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/host/provider/foreman/ForemanHostProviderProxy.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/host/provider/foreman/ForemanHostProviderProxy.java
index 1ae14e0..b9cc72f 100644
--- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/host/provider/foreman/ForemanHostProviderProxy.java
+++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/host/provider/foreman/ForemanHostProviderProxy.java
@@ -2,6 +2,8 @@
 import java.io.IOException;
 import java.net.HttpURLConnection;
+import java.net.MalformedURLException;
+import java.net.URL;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
@@ -18,6 +20,7 @@
 import org.ovirt.engine.core.common.businessentities.VDS;
 import org.ovirt.engine.core.common.errors.VdcBLLException;
 import org.ovirt.engine.core.common.errors.VdcBllErrors;
+import org.ovirt.engine.core.utils.EngineLocalConfig;
 import org.codehaus.jackson.JsonParseException;
 import org.codehaus.jackson.map.JsonMappingException;
 import org.codehaus.jackson.map.ObjectMapper;
@@ -27,7 +30,7 @@
 private Provider hostProvider;
- private HttpClient httpClient = new HttpClient();
+ private HttpClient httpClient;
 private ObjectMapper objectMapper = new ObjectMapper();
 private static final String ERROR_MESSAGE = "Failed connecting to provider. ";
@@ -37,14 +40,28 @@
 private static final String ALL_HOSTS_QUERY = HOSTS_ENTRY_POINT + "?" + JSON_FORMAT;
 private static final String SEARCH_SECTION_FORMAT = "search=%1$s";
 private static final String SEARCH_QUERY_FORMAT = "?" + SEARCH_SECTION_FORMAT + "&" + JSON_FORMAT;
+ private static final String HTTPS_PROTOCOL = "https";
+ private static final String FILE_URL_PREFIX = "file:";
 public ForemanHostProviderProxy(Provider hostProvider) {
 this.hostProvider = hostProvider;
- objectMapper.configure(Feature.FAIL_ON_UNKNOWN_PROPERTIES, false);
- Credentials hostProviderCredentials = new UsernamePasswordCredentials(hostProvider.getUsername(), hostProvider.getPassword());
- httpClient.getState().setCredentials(AuthScope.ANY, hostProviderCredentials);
- // Required when working with foreman's /api rather than accessing directly to /hosts
- httpClient.getState().setAuthenticationPreemptive(true);
+ try {
+ URL hostUrl = new URL(hostProvider.getUrl());
+ if (hostUrl.getProtocol().equalsIgnoreCase(HTTPS_PROTOCOL)) {
+ String trustStorePath = FILE_URL_PREFIX + EngineLocalConfig.getInstance().getPKIExternalTrustStore();
+ String trustStorePassword = EngineLocalConfig.getInstance().getPKIExternalTrustStorePassword();
+ httpClient = new SecuredHostHttpClient(hostUrl, new URL(trustStorePath), trustStorePassword, false);
+ } else {
+ httpClient = new HttpClient();
+ }
+ objectMapper.configure(Feature.FAIL_ON_UNKNOWN_PROPERTIES, false);
+ Credentials hostProviderCredentials = new UsernamePasswordCredentials(hostProvider.getUsername(), hostProvider.getPassword());
+ httpClient.getState().setCredentials(AuthScope.ANY, hostProviderCredentials);
+ // Required when working with foreman's /api rather than accessing directly to /hosts
+ httpClient.getState().setAuthenticationPreemptive(true);
+ } catch (MalformedURLException e) {
+ throw new VdcBLLException(VdcBllErrors.PROVIDER_FAILURE, e.getMessage());
+ }
 }
 @Override
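Review bot: The external trust store is turned into a URL by string concatenation, `FILE_URL_PREFIX + EngineLocalConfig.getInstance().getPKIExternalTrustStore()`, which goes through `File.toString()` and yields an unescaped `file:` URL that breaks for paths containing spaces or other reserved characters; `EngineLocalConfig.getInstance().getPKIExternalTrustStore().toURI().toURL()` produces a correctly escaped URL and makes the `FILE_URL_PREFIX` constant unnecessary. The `catch (MalformedURLException e)` keeps only `e.getMessage()`, so the original exception and its stack trace are dropped from the thrown `VdcBLLException`; if that class has a constructor that accepts a cause, pass `e` through. A short comment on the `if` branch saying that HTTPS provider URLs are verified against the engine's external trust store rather than the JVM default (assuming that is what `AuthSSLProtocolSocketFactory` does with the trust-store arguments, which I cannot confirm from here) would spare the next reader a trip into `SecuredHostHttpClient`.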
@@ -91,7 +108,7 @@
 @Override
 public void testConnection() {
- HttpMethod httpMethod = new GetMethod(hostProvider.getUrl());
+ HttpMethod httpMethod = new GetMethod(hostProvider.getUrl() + API_ENTRY_POINT);
 runHttpMethod(httpClient, httpMethod);
 }
diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/host/provider/foreman/SecuredHostHttpClient.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/host/provider/foreman/SecuredHostHttpClient.java
new file mode 100644
index 0000000..1b0f629
--- /dev/null
+++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/host/provider/foreman/SecuredHostHttpClient.java
@@ -0,0 +1,24 @@
+package org.ovirt.engine.core.bll.host.provider.foreman;
+
+import java.net.URL;
+
+import org.apache.commons.httpclient.HttpClient;
+import org.apache.commons.httpclient.protocol.Protocol;
+import org.ovirt.engine.core.utils.ssl.AuthSSLProtocolSocketFactory;
+
+public class SecuredHostHttpClient extends HttpClient {
+
+ private static final int DEFAULT_SECURED_PORT = 443;
+ public SecuredHostHttpClient(URL hostUrl, URL trustStorePath, String trustStorePassword, boolean enableSniExtension) {
+ super();
+ System.setProperty ("jsse.enableSNIExtension", String.valueOf(enableSniExtension));
+ int hostPort = hostUrl.getPort();
+ if (hostPort == -1) {
+ hostPort = DEFAULT_SECURED_PORT;
+ }
+ Protocol httpsProtocol = new Protocol("https", new AuthSSLProtocolSocketFactory(null, null, trustStorePath, trustStorePassword), hostPort);
+ Protocol.registerProtocol("https", httpsProtocol);
+ getHostConfiguration().setHost(hostUrl.getHost(), hostUrl.getPort(), httpsProtocol);
+ }
+
+}
diff --git a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/EngineLocalConfig.java b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/EngineLocalConfig.java
index 0ddbf67..032c1da 100644
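Review bot: `getHostConfiguration().setHost(hostUrl.getHost(), hostUrl.getPort(), httpsProtocol)` passes the raw `hostUrl.getPort()`, which is -1 when the provider URL carries no explicit port, while the `hostPort` computed just above with the `DEFAULT_SECURED_PORT` fallback is used only for the `Protocol`; whether `HostConfiguration` substitutes the protocol's default port for -1 I cannot confirm from here, but the computed value is clearly the one intended: `getHostConfiguration().setHost(hostUrl.getHost(), hostPort, httpsProtocol);`. The larger concern is that `System.setProperty("jsse.enableSNIExtension", ...)` and `Protocol.registerProtocol("https", ...)` are process-wide state written from a constructor: every `ForemanHostProviderProxy` created re-registers the https protocol with its own default port and rewrites the SNI flag, so with several HTTPS providers the one constructed last decides the default port and SNI behaviour for every commons-httpclient TLS connection in the engine, and the only caller hard-codes SNI off. If the global registration is needed because the methods are executed with absolute URLs (which, as far as I recall of commons-httpclient 3.x, resolve their scheme through that registry), state that in a class Javadoc, register once rather than per instance, and leave `jsse.enableSNIExtension` untouched unless a concrete Foreman deployment is shown to need it. The class comment should also spell out the trust model this client implements — server certificate checked against the external trust store, no client certificate — with the meaning of the two `null` arguments to `AuthSSLProtocolSocketFactory` confirmed against that class.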
--- a/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/EngineLocalConfig.java
+++ b/backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/EngineLocalConfig.java
@@ -161,6 +161,14 @@
 return getProperty("ENGINE_PKI_TRUST_STORE_PASSWORD");
 }
+ public File getPKIExternalTrustStore() {
+ return getFile("ENGINE_PKI_EXTERNAL_TRUST_STORE");
+ }
+
+ public String getPKIExternalTrustStorePassword() {
+ return getProperty("ENGINE_PKI_EXTERNAL_TRUST_STORE_PASSWORD");
+ }
+
 public File getPKIEngineStore() {
 return getFile("ENGINE_PKI_ENGINE_STORE");
 }
diff --git a/packaging/conf/engine.conf.defaults.in b/packaging/conf/engine.conf.defaults.in
index bab73ea..72bd70e 100644
--- a/packaging/conf/engine.conf.defaults.in
+++ b/packaging/conf/engine.conf.defaults.in
@@ -172,7 +172,7 @@
 #
 # PKI artifacts
 #
-SENSITIVE_KEYS="${SENSITIVE_KEYS},ENGINE_PKI_TRUST_STORE_PASSWORD,ENGINE_PKI_ENGINE_STORE_PASSWORD"
+SENSITIVE_KEYS="${SENSITIVE_KEYS},ENGINE_PKI_TRUST_STORE_PASSWORD,ENGINE_PKI_ENGINE_STORE_PASSWORD,ENGINE_PKI_EXTERNAL_TRUST_STORE_PASSWORD"
 ENGINE_PKI_CA=${ENGINE_PKI}/ca.pem
 ENGINE_PKI_ENGINE_CERT=${ENGINE_PKI}/certs/engine.cer
 ENGINE_PKI_TRUST_STORE=${ENGINE_PKI}/.truststore
@@ -180,3 +180,5 @@
 ENGINE_PKI_ENGINE_STORE=${ENGINE_PKI}/keys/engine.p12
 ENGINE_PKI_ENGINE_STORE_PASSWORD=
 ENGINE_PKI_ENGINE_STORE_ALIAS=1
+ENGINE_PKI_EXTERNAL_TRUST_STORE=${ENGINE_PKI}/.external_truststore
+ENGINE_PKI_EXTERNAL_TRUST_STORE_PASSWORD=
diff --git a/packaging/fedora/setup/basedefs.py b/packaging/fedora/setup/basedefs.py
index 375aad4..1aee06c 100644
--- a/packaging/fedora/setup/basedefs.py
+++ b/packaging/fedora/setup/basedefs.py
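Review bot: The default written here, `ENGINE_PKI_EXTERNAL_TRUST_STORE=${ENGINE_PKI}/.external_truststore`, does not match the file name the legacy setup uses: basedefs.py in the next hunk defines `FILE_EXTERNAL_TRUSTSTORE="%s/.truststore_external"%(DIR_OVIRT_PKI)`, which engine-cleanup.py removes and engine-setup.py/engine-upgrade.py pass into the PKI conf. Setup overrides the value in the conf file, but an installation that falls back to the defaults would point the engine at a trust store that was never written, and cleanup would delete a different path from the one the engine reads; pick one spelling and use it in both places. The EngineLocalConfig hunk above is fine as far as it goes, though a one-line Javadoc on each new getter naming the config key it reads would match the intent better than the bare method names.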
@@ -95,6 +95,7 @@
 FILE_NFS_BACKUP="%s/ovirt-engine/backups/nfs.backup" % DIR_VAR_LIB
 FILE_ETC_EXPORTS="/etc/exports"
 FILE_TRUSTSTORE="%s/.truststore"%(DIR_OVIRT_PKI)
+FILE_EXTERNAL_TRUSTSTORE="%s/.truststore_external"%(DIR_OVIRT_PKI)
 FILE_ENGINE_KEYSTORE="%s/keys/engine.p12"%(DIR_OVIRT_PKI)
 FILE_APACHE_KEYSTORE="%s/keys/apache.p12"%(DIR_OVIRT_PKI)
 FILE_JBOSS_KEYSTORE="%s/keys/jboss.p12"%(DIR_OVIRT_PKI)
diff --git a/packaging/fedora/setup/common_utils.py b/packaging/fedora/setup/common_utils.py
index eeab3c4..5ec4257 100755
--- a/packaging/fedora/setup/common_utils.py
+++ b/packaging/fedora/setup/common_utils.py
@@ -1281,6 +1281,8 @@
 engineCerticate,
 trustStore,
 trustStorePassword,
+ externalTrustStore,
+ externalTrustStorePassword,
 ):
 # Load the file:
 handler = TextConfigFileHandler(basedefs.FILE_ENGINE_CONF_PKI, readExisting=False)
@@ -1293,6 +1295,8 @@
 handler.editParam("ENGINE_PKI_ENGINE_STORE_ALIAS", engineStoreAlias)
 handler.editParam("ENGINE_PKI_TRUST_STORE", trustStore)
 handler.editParam("ENGINE_PKI_TRUST_STORE_PASSWORD", trustStorePassword)
+ handler.editParam("ENGINE_PKI_EXTERNAL_TRUST_STORE", externalTrustStore)
+ handler.editParam("ENGINE_PKI_EXTERNAL_TRUST_STORE_PASSWORD", externalTrustStorePassword)
 handler.close()
 chownToEngine(basedefs.FILE_ENGINE_CONF_PKI)
diff --git a/packaging/fedora/setup/engine-cleanup.py b/packaging/fedora/setup/engine-cleanup.py
index 9e4493b..3e14577 100755
--- a/packaging/fedora/setup/engine-cleanup.py
+++ b/packaging/fedora/setup/engine-cleanup.py
@@ -308,6 +308,7 @@
 basedefs.FILE_JBOSS_KEYSTORE,
 basedefs.FILE_APACHE_PRIVATE_KEY,
 basedefs.FILE_SSH_PRIVATE_KEY
+ basedefs.FILE_EXTERNAL_TRUSTSTORE,
 ):
 try:
 logging.debug("Removing %s", f)
diff --git a/packaging/fedora/setup/engine-setup.py b/packaging/fedora/setup/engine-setup.py
index 613e4cc..894a612 100755
--- a/packaging/fedora/setup/engine-setup.py
+++ b/packaging/fedora/setup/engine-setup.py
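Review bot: The two parameters added to this signature in common_utils.py, `externalTrustStore` and `externalTrustStorePassword`, have no defaults, so any caller that is not updated fails with a TypeError; the `def` line is outside the hunk, and from this change I can only see that engine-setup.py and engine-upgrade.py were adjusted (the engine-setup.py call is not correct as written, see that hunk). Defaulting both to `None` and writing the two `handler.editParam` lines only when a value is given would keep other callers working and mirrors how the conf defaults leave the password empty.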
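Review bot: In engine-cleanup.py the new entry is inserted after `basedefs.FILE_SSH_PRIVATE_KEY`, which was the last element of the tuple and has no trailing comma, so the result is two adjacent names inside the parentheses — a SyntaxError, since implicit juxtaposition is only valid for string literals — and the cleanup script no longer runs at all. Add the comma to the context line, `basedefs.FILE_SSH_PRIVATE_KEY,`, and keep the trailing comma the patch already puts on the new last element so the next addition does not hit the same problem. The loop that binds `f` starts outside the hunk.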
@@ -2162,6 +2162,8 @@
 engineCerticate=basedefs.FILE_ENGINE_CERT,
 trustStore=basedefs.FILE_TRUSTSTORE,
 trustStorePassword=basedefs.CONST_KEY_PASS,
+ trustStore=basedefs.FILE_EXTERNAL_TRUSTSTORE,
+ trustStorePassword=basedefs.CONST_KEY_PASS,
 )
 def startRhevmDbRelatedServices():
diff --git a/packaging/fedora/setup/engine-upgrade.py b/packaging/fedora/setup/engine-upgrade.py
index e72b6fd..12a3818 100755
--- a/packaging/fedora/setup/engine-upgrade.py
+++ b/packaging/fedora/setup/engine-upgrade.py
@@ -586,6 +586,8 @@
 engineCerticate=basedefs.FILE_ENGINE_CERT,
 trustStore=basedefs.FILE_TRUSTSTORE,
 trustStorePassword=basedefs.CONST_KEY_PASS,
+ externalTrustStore=basedefs.FILE_EXTERNAL_TRUSTSTORE,
+ externalTrustStorePassword=basedefs.CONST_KEY_PASS,
 )
 if os.path.exists(self.JKSKEYSTORE):
diff --git a/packaging/setup/plugins/ovirt-engine-setup/config/ca.py b/packaging/setup/plugins/ovirt-engine-setup/config/ca.py
index d4633b2..1613e10 100644
--- a/packaging/setup/plugins/ovirt-engine-setup/config/ca.py
+++ b/packaging/setup/plugins/ovirt-engine-setup/config/ca.py
@@ -82,6 +82,10 @@ '"{engine_store_password}"\n' ) + 'ENGINE_PKI_ENGINE_STORE_ALIAS="{engine_store_alias}"\n' + 'ENGINE_PKI_EXTERNAL_TRUST_STORE="{external_trust_store}"\n' + 'ENGINE_PKI_EXTERNALTRUST_STORE_PASSWORD=' + ( + '"{external_trust_store_password}"\n' + ) ).format( pki_dir=( osetupcons.FileLocations.
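Review bot: The two keyword arguments added in engine-setup.py are `trustStore=` and `trustStorePassword=`, which the same call already passes two lines above; Python rejects a repeated keyword argument when compiling the file (`SyntaxError: keyword argument repeated`), so engine-setup.py would not start at all. They should read `externalTrustStore=basedefs.FILE_EXTERNAL_TRUSTSTORE,` and `externalTrustStorePassword=basedefs.CONST_KEY_PASS,`, matching the parameter names added in common_utils.py and the engine-upgrade.py hunk in this same change. The call whose arguments these are starts outside the hunk.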
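Review bot: The config key emitted by ca.py is spelled `ENGINE_PKI_EXTERNALTRUST_STORE_PASSWORD` (missing underscore), whereas `EngineLocalConfig.getPKIExternalTrustStorePassword()` reads `ENGINE_PKI_EXTERNAL_TRUST_STORE_PASSWORD` and that is also the name added to `SENSITIVE_KEYS`; an installation set up through this plugin would leave the engine with no trust-store password, and the value actually written would not be recognised as sensitive. Change the literal to `'ENGINE_PKI_EXTERNAL_TRUST_STORE_PASSWORD=' + (`. As rendered in this mail, the new literals also appear to follow the `ENGINE_PKI_ENGINE_STORE_ALIAS` literal without an explicit `+`, relying on adjacent-literal concatenation, which differs from the surrounding style — I am hedging because the rendering has collapsed the line breaks, and the enclosing template begins before the hunk.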
@@ -106,6 +110,11 @@
 ),
 engine_store_password=osetupcons.Const.PKI_PASSWORD,
 engine_store_alias='1',
+ external_trust_store=(
+ osetupcons.FileLocations.
+ OVIRT_ENGINE_PKI_EXTERNAL_TRUST_STORE
+ ),
+ trust_store_password=osetupcons.Const.PKI_PASSWORD
 ),
 modifiedList=uninstall_files,
 )
--
To view, visit http://gerrit.ovirt.org/15128
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I35343409d74a4f90aae726b46781f27ce08a981a
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Oved Ourfali <oourf...@redhat.com>
_______________________________________________
Engine-patches mailing list
Engine-patches@ovirt.org
http://lists.ovirt.org/mailman/listinfo/engine-patches
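Review bot: The keyword supplied here is `trust_store_password=`, but the template in the previous hunk references `{external_trust_store_password}`, so `str.format` raises KeyError the moment setup renders the PKI config; and if the same call already passes `trust_store_password=` for the existing trust store (outside the hunk), the repeat is additionally a SyntaxError. Rename it to `external_trust_store_password=osetupcons.Const.PKI_PASSWORD`. `osetupcons.FileLocations.OVIRT_ENGINE_PKI_EXTERNAL_TRUST_STORE` is not defined anywhere in this change; unless it already exists, this line raises AttributeError, and its value needs to agree with whichever of `.external_truststore` / `.truststore_external` the rest of the patch settles on.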