def test_install_ca_cert_old_cert(self, _retrieve_ca_cert):
_retrieve_ca_cert.return_value = cert
with patch_open() as (_open, _file):
apache_utils.install_ca_cert(cert)
self.assertFalse(_open.called)
self.assertFalse(_file.called)
self.assertFalse(self.subprocess.check_call.called)
def process_certificates(service_name, relation_id, unit,
custom_hostname_link=None, user='******', group='root'):
"""Process the certificates supplied down the relation
:param service_name: str Name of service the certifcates are for.
:param relation_id: str Relation id providing the certs
:param unit: str Unit providing the certs
:param custom_hostname_link: str Name of custom link to create
:param user: (Optional) Owner of certificate files. Defaults to 'root'
:type user: str
:param group: (Optional) Group of certificate files. Defaults to 'root'
:type group: str
"""
data = relation_get(rid=relation_id, unit=unit)
ssl_dir = os.path.join('/etc/apache2/ssl/', service_name)
mkdir(path=ssl_dir)
name = local_unit().replace('/', '_')
certs = data.get('{}.processed_requests'.format(name))
chain = data.get('chain')
ca = data.get('ca')
if certs:
certs = json.loads(certs)
install_ca_cert(ca.encode())
install_certs(ssl_dir, certs, chain, user=user, group=group)
create_ip_cert_links(
ssl_dir,
custom_hostname_link=custom_hostname_link)
def nm_changed():
CONFIGS.write_all()
if relation_get('ca_cert'):
ca_crt = b64decode(relation_get('ca_cert'))
install_ca_cert(ca_crt)
if config('ha-legacy-mode'):
cache_env_data()
# Disable nova metadata if possible,
if disable_nova_metadata():
remove_legacy_nova_metadata()
else:
# NOTE: nova-api-metadata needs to be restarted
# once the nova-conductor is up and running
# on the nova-cc units.
restart_nonce = relation_get('restart_trigger')
if restart_nonce is not None:
db = kv()
previous_nonce = db.get('restart_nonce')
if previous_nonce != restart_nonce:
if not is_unit_paused_set():
service_restart('nova-api-metadata')
db.set('restart_nonce', restart_nonce)
db.flush()
def process_certificates(service_name,
relation_id,
unit,
custom_hostname_link=None,
user='******',
group='root'):
"""Process the certificates supplied down the relation
:param service_name: str Name of service the certifcates are for.
:param relation_id: str Relation id providing the certs
:param unit: str Unit providing the certs
:param custom_hostname_link: str Name of custom link to create
:param user: (Optional) Owner of certificate files. Defaults to 'root'
:type user: str
:param group: (Optional) Group of certificate files. Defaults to 'root'
:type group: str
"""
data = relation_get(rid=relation_id, unit=unit)
ssl_dir = os.path.join('/etc/apache2/ssl/', service_name)
mkdir(path=ssl_dir)
name = local_unit().replace('/', '_')
certs = data.get('{}.processed_requests'.format(name))
chain = data.get('chain')
ca = data.get('ca')
if certs:
certs = json.loads(certs)
install_ca_cert(ca.encode())
install_certs(ssl_dir, certs, chain, user=user, group=group)
create_ip_cert_links(ssl_dir,
custom_hostname_link=custom_hostname_link)
def configure_ca(self):
from keystone_utils import (
SSH_USER,
get_ca,
ensure_permissions,
is_ssl_cert_master,
)
if not is_cert_provided_in_config() and not is_ssl_cert_master():
log(
"Not ssl-cert-master - skipping apache ca config until "
"master is elected",
level=INFO)
return
ca_cert = config('ssl_ca')
if ca_cert is None:
ca = get_ca(user=SSH_USER)
ca_cert = ca.get_ca_bundle()
else:
ca_cert = b64decode(ca_cert)
# Ensure accessible by keystone ssh user and group (unison)
install_ca_cert(ca_cert)
ensure_permissions(CA_CERT_PATH,
user=SSH_USER,
group='keystone',
perms=0o0644)
def nm_changed():
CONFIGS.write_all()
if relation_get('ca_cert'):
ca_crt = b64decode(relation_get('ca_cert'))
install_ca_cert(ca_crt)
if config('ha-legacy-mode'):
cache_env_data()
# Disable nova metadata if possible,
if disable_nova_metadata():
remove_legacy_nova_metadata()
else:
# NOTE: nova-api-metadata needs to be restarted
# once the nova-conductor is up and running
# on the nova-cc units.
restart_nonce = relation_get('restart_trigger')
if restart_nonce is not None:
db = kv()
previous_nonce = db.get('restart_nonce')
if previous_nonce != restart_nonce:
if not is_unit_paused_set():
service_restart('nova-api-metadata')
db.set('restart_nonce', restart_nonce)
db.flush()
def __call__(self):
''' Grab cert and key from configuration for SSL config '''
ctxt = {'ssl_configured': False}
use_local_ca = True
for rid in relation_ids('certificates'):
if related_units(rid):
use_local_ca = False
if use_local_ca:
ca_cert = get_ca_cert()
if not ca_cert:
return ctxt
install_ca_cert(b64decode(ca_cert))
ssl_cert, ssl_key = get_cert()
if all([ssl_cert, ssl_key]):
with open('/etc/ssl/certs/dashboard.cert', 'w') as cert_out:
cert_out.write(b64decode(ssl_cert))
with open('/etc/ssl/private/dashboard.key', 'w') as key_out:
key_out.write(b64decode(ssl_key))
os.chmod('/etc/ssl/private/dashboard.key', 0600)
ctxt = {
'ssl_configured': True,
'ssl_cert': '/etc/ssl/certs/dashboard.cert',
'ssl_key': '/etc/ssl/private/dashboard.key',
}
else:
if os.path.exists(SSL_CERT_FILE) and os.path.exists(SSL_KEY_FILE):
ctxt = {
'ssl_configured': True,
'ssl_cert': SSL_CERT_FILE,
'ssl_key': SSL_KEY_FILE,
}
return ctxt
def nm_changed():
CONFIGS.write_all()
if relation_get('ca_cert'):
ca_crt = b64decode(relation_get('ca_cert'))
install_ca_cert(ca_crt)
if config('ha-legacy-mode'):
cache_env_data()
def test_install_ca_cert(self):
with patch_open() as (_open, _file):
apache_utils.install_ca_cert(cert)
_open.assert_called_with(
'/usr/local/share/ca-certificates/keystone_juju_ca_cert.crt',
'w')
_file.write.assert_called_with(cert)
self.subprocess.assertCalledWith(['update-ca-certificates', '--fresh'])
def nm_changed():
CONFIGS.write_all()
if relation_get('ca_cert'):
ca_crt = b64decode(relation_get('ca_cert'))
install_ca_cert(ca_crt)
if config('ha-legacy-mode'):
cache_env_data()
def certs_changed(relation_id=None, unit=None):
if not service_enabled('api'):
# Install CA cert to communicate with Keystone and Glance
data = relation_get(rid=relation_id, unit=unit)
ca = data.get('ca')
if ca:
install_ca_cert(ca.encode())
return
process_certificates('cinder', relation_id, unit)
configure_https()
def test_install_ca_cert_new_cert(self, _retrieve_ca_cert):
_retrieve_ca_cert.return_value = None
with patch_open() as (_open, _file):
apache_utils.install_ca_cert(cert)
_open.assert_called_once_with(
'/usr/local/share/ca-certificates/keystone_juju_ca_cert.crt',
'wb')
_file.write.assert_called_with(cert)
self.subprocess.check_call.assert_called_with(
['update-ca-certificates', '--fresh'])
def __call__(self):
''' Grab cert and key from configuration for SSL config '''
ca_cert = get_ca_cert()
if ca_cert:
install_ca_cert(b64decode(ca_cert))
(ssl_cert, ssl_key) = get_cert()
if None not in [ssl_cert, ssl_key]:
with open('/etc/ssl/certs/dashboard.cert', 'w') as cert_out:
cert_out.write(b64decode(ssl_cert))
with open('/etc/ssl/private/dashboard.key', 'w') as key_out:
key_out.write(b64decode(ssl_key))
os.chmod('/etc/ssl/private/dashboard.key', 0600)
ctxt = {
'ssl_configured': True,
'ssl_cert': '/etc/ssl/certs/dashboard.cert',
'ssl_key': '/etc/ssl/private/dashboard.key',
}
else:
# Use snakeoil ones by default
ctxt = {
'ssl_configured': False,
}
return ctxt
def configure_ca(self):
from keystone_utils import (
SSH_USER,
get_ca,
ensure_permissions,
is_ssl_cert_master,
KEYSTONE_USER,
)
if not is_cert_provided_in_config() and not is_ssl_cert_master():
log(
"Not ssl-cert-master - skipping apache ca config until "
"master is elected",
level=INFO)
return
cert = config('ssl_cert')
key = config('ssl_key')
ca_cert = config('ssl_ca')
if ca_cert:
ca_cert = b64decode(ca_cert)
elif not (cert and key):
# NOTE(hopem): if a cert and key are provided as config we don't
# mandate that a CA is also provided since it isn't necessarily
# needed. As a result we only generate a custom CA if we are also
# generating cert and key.
ca = get_ca(user=SSH_USER)
ca_cert = ca.get_ca_bundle()
if ca_cert:
# Ensure accessible by keystone ssh user and group (unison)
install_ca_cert(ca_cert)
ensure_permissions(CA_CERT_PATH,
user=SSH_USER,
group=KEYSTONE_USER,
perms=0o0644)
def __call__(self):
''' Grab cert and key from configuration for SSL config '''
ca_cert = get_ca_cert()
if ca_cert:
install_ca_cert(b64decode(ca_cert))
ssl_cert, ssl_key = get_cert()
if all([ssl_cert, ssl_key]):
with open('/etc/ssl/certs/dashboard.cert', 'w') as cert_out:
cert_out.write(b64decode(ssl_cert))
with open('/etc/ssl/private/dashboard.key', 'w') as key_out:
key_out.write(b64decode(ssl_key))
os.chmod('/etc/ssl/private/dashboard.key', 0600)
ctxt = {
'ssl_configured': True,
'ssl_cert': '/etc/ssl/certs/dashboard.cert',
'ssl_key': '/etc/ssl/private/dashboard.key',
}
else:
# Use snakeoil ones by default
ctxt = {
'ssl_configured': False,
}
return ctxt
def configure_ca(self):
from keystone_utils import (
SSH_USER,
get_ca,
ensure_permissions,
is_ssl_cert_master,
)
if not is_cert_provided_in_config() and not is_ssl_cert_master():
log("Not ssl-cert-master - skipping apache ca config until "
"master is elected", level=INFO)
return
ca_cert = config('ssl_ca')
if ca_cert is None:
ca = get_ca(user=SSH_USER)
ca_cert = ca.get_ca_bundle()
else:
ca_cert = b64decode(ca_cert)
# Ensure accessible by keystone ssh user and group (unison)
install_ca_cert(ca_cert)
ensure_permissions(CA_CERT_PATH, user=SSH_USER, group='keystone',
perms=0o0644)
def configure_ca(self):
ca_cert = get_ca_cert()
if ca_cert:
install_ca_cert(b64decode(ca_cert))
def keystone_changed():
CONFIGS.write_all()
if relation_get('ca_cert'):
install_ca_cert(b64decode(relation_get('ca_cert')))
def nm_changed():
CONFIGS.write_all()
if relation_get('ca_cert'):
install_ca_cert(relation_get('ca_cert'))
def keystone_changed():
CONFIGS.write(LOCAL_SETTINGS)
if relation_get('ca_cert'):
install_ca_cert(relation_get('ca_cert'))
def configure_ca(self):
ca_cert = get_ca_cert()
if ca_cert:
install_ca_cert(b64decode(ca_cert))
def keystone_changed():
CONFIGS.write_all()
if relation_get('ca_cert'):
install_ca_cert(b64decode(relation_get('ca_cert')))
def keystone_changed():
CONFIGS.write(LOCAL_SETTINGS)
if relation_get('ca_cert'):
install_ca_cert(b64decode(relation_get('ca_cert')))
