def test_generate_signed_ssl_certkey(tmpdir):
from jans.pycloudlib.utils import generate_ssl_ca_certkey
from jans.pycloudlib.utils import generate_signed_ssl_certkey
base_dir = tmpdir.mkdir("certs")
ca_cert, ca_key = generate_ssl_ca_certkey(
"cert-auth",
"*****@*****.**",
"my.org.local",
"org",
"US",
"TX",
"Austin",
base_dir=str(base_dir),
)
generate_signed_ssl_certkey(
"my-suffix",
ca_key,
ca_cert,
"*****@*****.**",
"my.org.local",
"org",
"US",
"TX",
"Austin",
base_dir=str(base_dir),
extra_dns=["custom.org.local"],
extra_ips=["127.0.0.1"],
)
assert os.path.isfile(str(base_dir.join("my-suffix.crt")))
assert os.path.isfile(str(base_dir.join("my-suffix.csr")))
assert os.path.isfile(str(base_dir.join("my-suffix.key")))
def test_generate_ssl_ca_certkey(tmpdir):
from jans.pycloudlib.utils import generate_ssl_ca_certkey
base_dir = tmpdir.mkdir("certs")
generate_ssl_ca_certkey(
"cert-auth",
"*****@*****.**",
"my.org.local",
"org",
"US",
"TX",
"Austin",
base_dir=str(base_dir),
)
assert os.path.isfile(str(base_dir.join("cert-auth.crt")))
assert os.path.isfile(str(base_dir.join("cert-auth.key")))
def patch(self):
source = self.opts.get("source", "")
ssl_cert = "/etc/certs/web_https.crt"
ssl_key = "/etc/certs/web_https.key"
ssl_csr = "/etc/certs/web_https.csr"
ssl_ca_cert = "/etc/certs/ca.crt"
ssl_ca_key = "/etc/certs/ca.key"
if source == "from-files":
if not any([os.path.isfile(ssl_cert), os.path.isfile(ssl_key)]):
logger.warning(f"Unable to find existing {ssl_cert} or {ssl_key}")
else:
logger.info(f"Using existing {ssl_cert} and {ssl_key}")
else:
email = self.manager.config.get("admin_email")
hostname = self.manager.config.get("hostname")
org_name = self.manager.config.get("orgName")
country_code = self.manager.config.get("country_code")
state = self.manager.config.get("state")
city = self.manager.config.get("city")
logger.info(f"Creating self-generated {ssl_ca_cert} and {ssl_ca_key}")
ca_cert, ca_key = generate_ssl_ca_certkey(
"ca",
email,
"Janssen CA",
org_name,
country_code,
state,
city,
)
logger.info(f"Creating self-generated {ssl_csr}, {ssl_cert}, and {ssl_key}")
generate_signed_ssl_certkey(
"web_https",
ca_key,
ca_cert,
email,
hostname,
org_name,
country_code,
state,
city,
)
if not self.dry_run:
if os.path.isfile(ssl_ca_key):
self.manager.secret.from_file("ssl_ca_key", ssl_ca_key)
if os.path.isfile(ssl_ca_cert):
self.manager.secret.from_file("ssl_ca_cert", ssl_ca_cert)
if os.path.isfile(ssl_cert):
self.manager.secret.from_file("ssl_cert", ssl_cert)
if os.path.isfile(ssl_key):
self.manager.secret.from_file("ssl_key", ssl_key)
if os.path.isfile(ssl_csr):
self.manager.secret.from_file("ssl_csr", ssl_csr)
def web_ctx(self):
ssl_cert = "/etc/certs/web_https.crt"
ssl_key = "/etc/certs/web_https.key"
ssl_csr = "/etc/certs/web_https.csr"
ssl_ca_cert = "/etc/certs/ca.crt"
ssl_ca_key = "/etc/certs/ca.key"
# get cert and key (if available) with priorities below:
#
# 1. from mounted files
# 2. from fronted (key file is an empty file)
# 3. self-generate files
logger.info(f"Resolving {ssl_cert} and {ssl_key}")
# check from mounted files
if not (os.path.isfile(ssl_cert) and os.path.isfile(ssl_key)):
# no mounted files, hence download from frontend
ingress_addr = ""
if "CN_INGRESS_ADDRESS" in os.environ:
ingress_addr = os.environ.get("CN_INGRESS_ADDRESS")
ingress_servername = os.environ.get(
"CN_INGRESS_SERVERNAME") or ingress_addr
if ingress_addr and ingress_servername:
logger.warning(
f"Unable to find mounted {ssl_cert} and {ssl_key}; "
f"trying to download from {ingress_addr}:443 (servername {ingress_servername})" # noqa: C812
)
try:
# cert will be downloaded into `ssl_cert` path
get_server_certificate(ingress_addr, 443, ssl_cert,
ingress_servername)
# since cert is downloaded, key must mounted
# or generate empty file
if not os.path.isfile(ssl_key):
with open(ssl_key, "w") as f:
f.write("")
except (socket.gaierror, socket.timeout, OSError) as exc:
# address not resolved or timed out
logger.warning(f"Unable to download cert; reason={exc}")
# no mounted nor downloaded files, hence we need to create self-generated files
if not (os.path.isfile(ssl_cert) and os.path.isfile(ssl_key)):
hostname = self.get_config("hostname")
email = self.get_config("admin_email")
org_name = self.get_config("orgName")
country_code = self.get_config("country_code")
state = self.get_config("state")
city = self.get_config("city")
logger.info(
f"Creating self-generated {ssl_ca_cert} and {ssl_ca_key}")
ca_cert, ca_key = generate_ssl_ca_certkey(
"ca",
email,
"Janssen CA",
org_name,
country_code,
state,
city,
)
logger.info(
f"Creating self-generated {ssl_csr}, {ssl_cert}, and {ssl_key}"
)
generate_signed_ssl_certkey(
"web_https",
ca_key,
ca_cert,
email,
hostname,
org_name,
country_code,
state,
city,
)
try:
with open(ssl_ca_cert) as f:
self.set_secret("ssl_ca_cert", f.read)
except FileNotFoundError:
self.set_secret("ssl_ca_cert", "")
try:
with open(ssl_ca_key) as f:
self.set_secret("ssl_ca_key", f.read)
except FileNotFoundError:
self.set_secret("ssl_ca_key", "")
try:
with open(ssl_csr) as f:
self.set_secret("ssl_csr", f.read)
except FileNotFoundError:
self.set_secret("ssl_csr", "")
with open(ssl_cert) as f:
self.set_secret("ssl_cert", f.read)
with open(ssl_key) as f:
self.set_secret("ssl_key", f.read)