Esempio n. 1
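def delete_certificates_from_bay(bay):
    """Delete ca cert and magnum client cert from bay

    Deletion is best-effort: a backend failure for one certificate is
    logged as a warning and does not stop the attempt on the other one.
    No exception is propagated to the caller.

    :param bay: The bay which has certs
    """
    for cert_ref in (bay.ca_cert_ref, bay.magnum_cert_ref):
        if not cert_ref:
            # No reference recorded on the bay, so there is nothing to delete.
            continue
        try:
            cert_manager.get_backend().CertManager.delete_cert(cert_ref)
        except Exception:
            # The reference is passed as a logging argument instead of being
            # %-formatted into the message, and the deprecated LOG.warn alias
            # is replaced by LOG.warning. exc_info keeps the cause of the
            # failure in the log.
            # NOTE(review): a failed delete presumably leaves the certificate
            # and its private key in the backend; operators should treat this
            # warning as a cleanup item - confirm against the backend.
            LOG.warning(_LW("Deleting cert is failed: %s"), cert_ref,
                        exc_info=True)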
Esempio n. 2
def delete_certificates_from_bay(bay, context=None):
    """Best-effort removal of the bay's CA cert and magnum client cert.

    Each reference is read from the bay by attribute name; a missing or
    empty reference is skipped. Any exception raised while handling one
    reference is logged as a warning and swallowed, so the other
    reference is still processed and the caller never sees the failure.

    :param bay: The bay which has certs
    :param context: Forwarded unchanged to the backend's delete_cert
    """
    ref_attributes = ('ca_cert_ref', 'magnum_cert_ref')
    for attr_name in ref_attributes:
        try:
            stored_ref = getattr(bay, attr_name, None)
            if not stored_ref:
                continue
            manager = cert_manager.get_backend().CertManager
            manager.delete_cert(
                stored_ref, resource_ref=bay.uuid, context=context)
        except Exception:
            # The message names only the bay, not which certificate failed
            # or why.
            # NOTE(review): a swallowed failure presumably leaves key
            # material in the backend - confirm how leftovers are cleaned up.
            LOG.warning(_LW("Deleting certs is failed for Bay %s"), bay.uuid)
Esempio n. 3
def delete_certificates_from_bay(bay, context=None):
    """Remove the CA cert and the magnum client cert recorded on a bay.

    The two reference attributes are looked up with a None default, so a
    bay without them is simply skipped. Errors are caught per reference,
    reported with LOG.warning, and never re-raised.

    :param bay: The bay which has certs
    :param context: Forwarded unchanged to the backend's delete_cert
    """
    for name in ('ca_cert_ref', 'magnum_cert_ref'):
        try:
            ref = getattr(bay, name, None)
            if ref:
                delete = cert_manager.get_backend().CertManager.delete_cert
                delete(ref, resource_ref=bay.uuid, context=context)
        except Exception:
            # Only the bay uuid is logged; the failing reference and the
            # exception itself are not part of the message.
            LOG.warning(_LW("Deleting certs is failed for Bay %s"), bay.uuid)
Esempio n. 4
def delete_certificates_from_cluster(cluster, context=None):
    """Best-effort removal of the cluster's CA cert and magnum client cert.

    References are read from the cluster by attribute name; a missing or
    empty reference is skipped. Failures are logged as warnings and
    swallowed, so one failed delete does not block the other.

    :param cluster: The cluster which has certs
    :param context: Forwarded unchanged to the backend's delete_cert
    """
    ref_attributes = ('ca_cert_ref', 'magnum_cert_ref')
    for attr_name in ref_attributes:
        try:
            stored_ref = getattr(cluster, attr_name, None)
            if not stored_ref:
                continue
            manager = cert_manager.get_backend().CertManager
            manager.delete_cert(
                stored_ref, resource_ref=cluster.uuid, context=context)
        except Exception:
            # NOTE(review): the warning does not say which certificate
            # failed; a swallowed failure presumably leaves key material in
            # the backend - confirm how leftovers are cleaned up.
            LOG.warning(_LW("Deleting certs is failed for Cluster %s"),
                        cluster.uuid)
Esempio n. 5
def delete_certificates_from_cluster(cluster, context=None):
    """Remove the CA cert and the magnum client cert recorded on a cluster.

    Each reference attribute is read with a None default and skipped when
    empty. Exceptions are caught per reference, reported with
    LOG.warning, and never re-raised.

    :param cluster: The cluster which has certs
    :param context: Forwarded unchanged to the backend's delete_cert
    """
    for name in ('ca_cert_ref', 'magnum_cert_ref'):
        try:
            ref = getattr(cluster, name, None)
            if ref:
                delete = cert_manager.get_backend().CertManager.delete_cert
                delete(ref, resource_ref=cluster.uuid, context=context)
        except Exception:
            # Only the cluster uuid is logged; the failing reference and the
            # exception itself are not part of the message.
            LOG.warning("Deleting certs is failed for Cluster %s",
                        cluster.uuid)
Esempio n. 6
def sign_node_certificate(bay, csr):
    """Sign a node's CSR with the bay's CA key.

    The CA entry is fetched from the cert manager backend via
    bay.ca_cert_ref, and its private key and passphrase are handed to
    x509.sign with bay.name as the second argument.

    :param bay: Bay whose CA signs the request
    :param csr: Certificate signing request to sign
    :returns: Whatever x509.sign returns for the signed certificate
    """
    # NOTE(review): nothing here inspects the CSR; any filtering of the
    # requested subject or extensions must happen inside x509.sign, which
    # is not shown - confirm.
    manager = cert_manager.get_backend().CertManager
    bay_ca = manager.get_cert(bay.ca_cert_ref, resource_ref=bay.uuid)
    return x509.sign(csr, bay.name, bay_ca.get_private_key(),
                     bay_ca.get_private_key_passphrase())
Esempio n. 7
def get_bay_magnum_cert(bay):
    """Fetch the bay's magnum client cert entry from the cert backend.

    :param bay: Bay providing magnum_cert_ref and uuid
    :returns: The object returned by the backend's get_cert
    """
    # NOTE(review): the returned entry presumably carries the private key
    # and passphrase as well as the certificate; treat it as secret
    # material - confirm against the backend's Cert class.
    manager = cert_manager.get_backend().CertManager
    return manager.get_cert(bay.magnum_cert_ref, resource_ref=bay.uuid)
Esempio n. 8
def _generate_client_cert(issuer_name, ca_cert, ca_password, context=None):
    """Generate and store magnum_client_cert

    A fresh passphrase is generated, the client certificate is issued
    with the CA private key, and certificate, key and passphrase are
    stored together through the cert manager backend.

    :param issuer_name: CA subject name
    :param ca_cert: CA certificate; its 'private_key' entry is used to sign
    :param ca_password: CA private key password
    :param context: Forwarded unchanged to the backend's store_cert
    :returns: Magnum client cert uuid
    """
    # NOTE(review): this id doubles as the private key passphrase; the
    # randomness behind short_id.generate_id() is not visible here -
    # confirm it comes from a CSPRNG.
    passphrase = short_id.generate_id()
    issued = x509.generate_client_certificate(
        issuer_name, CONDUCTOR_CLIENT_NAME, ca_cert['private_key'],
        encryption_password=passphrase, ca_key_password=ca_password)
    store = cert_manager.get_backend().CertManager.store_cert
    stored_ref = store(certificate=issued['certificate'],
                       private_key=issued['private_key'],
                       private_key_passphrase=passphrase,
                       name=CONDUCTOR_CLIENT_NAME,
                       context=context)
    # Only the backend reference is logged, never the key or passphrase.
    LOG.debug('Magnum client cert is created: %s', stored_ref)
    return stored_ref
Esempio n. 9
def get_bay_magnum_cert(bay):
    """Look up the magnum client cert entry stored for a bay.

    :param bay: Bay providing magnum_cert_ref and uuid
    :returns: The object returned by the backend's get_cert
    """
    # NOTE(review): callers receive the whole backend entry, which
    # presumably includes the private key - confirm and handle accordingly.
    lookup = cert_manager.get_backend().CertManager.get_cert
    return lookup(bay.magnum_cert_ref, resource_ref=bay.uuid)
Esempio n. 10
def _generate_client_cert(issuer_name, ca_cert, ca_password, context=None):
    """Generate and store magnum_client_cert

    The certificate is issued with subject 'admin' and organization
    'system:masters' and stored, with its key and a freshly generated
    passphrase, through the cert manager backend.

    :param issuer_name: CA subject name
    :param ca_cert: CA certificate; its 'private_key' entry is used to sign
    :param ca_password: CA private key password
    :param context: Forwarded unchanged to the backend's store_cert
    :returns: Magnum client cert uuid
    """
    # NOTE(review): this id doubles as the private key passphrase; the
    # randomness behind short_id.generate_id() is not visible here -
    # confirm it comes from a CSPRNG.
    passphrase = short_id.generate_id()
    # TODO(strigazi): set subject name and organization per driver
    # RBAC-enabled kubernetes clusters need subject 'admin' in organization
    # 'system:masters'; non kubernetes drivers do not use these fields for
    # authorization. In Kubernetes the system:masters group has
    # unrestricted cluster access, so the key stored below is as sensitive
    # as a cluster-admin credential.
    subject_name, organization_name = 'admin', 'system:masters'
    issued = x509.generate_client_certificate(
        issuer_name, subject_name, organization_name,
        ca_cert['private_key'],
        encryption_password=passphrase, ca_key_password=ca_password)
    store = cert_manager.get_backend().CertManager.store_cert
    stored_ref = store(certificate=issued['certificate'],
                       private_key=issued['private_key'],
                       private_key_passphrase=passphrase,
                       name=CONDUCTOR_CLIENT_NAME,
                       context=context)
    # Only the backend reference is logged, never the key or passphrase.
    LOG.debug('Magnum client cert is created: %s', stored_ref)
    return stored_ref
Esempio n. 11
def get_bay_ca_certificate(bay):
    """Return the bay's CA certificate (certificate part only).

    The backend entry is fetched via bay.ca_cert_ref, but only the result
    of its get_certificate() is handed back; the entry object itself is
    not returned to the caller.

    :param bay: Bay providing ca_cert_ref and uuid
    :returns: Result of get_certificate() on the backend entry
    """
    manager = cert_manager.get_backend().CertManager
    ca_entry = manager.get_cert(bay.ca_cert_ref, resource_ref=bay.uuid)
    return ca_entry.get_certificate()
Esempio n. 12
def _generate_client_cert(issuer_name, ca_cert, ca_password, context=None):
    """Generate and store magnum_client_cert

    Issues a client certificate for subject 'admin' in organization
    'system:masters', signed with the CA private key, then stores it with
    its key and passphrase through the cert manager backend.

    :param issuer_name: CA subject name
    :param ca_cert: CA certificate; its 'private_key' entry is used to sign
    :param ca_password: CA private key password
    :param context: Forwarded unchanged to the backend's store_cert
    :returns: Magnum client cert uuid
    """
    # NOTE(review): the generated id is the only protection on the stored
    # private key; the entropy of short_id.generate_id() is not visible
    # here - confirm.
    key_password = short_id.generate_id()
    # TODO(strigazi): set subject name and organization per driver
    # For RBAC kubernetes clusters the client must present subject 'admin'
    # and organization 'system:masters'. Non kubernetes drivers ignore
    # these fields for authorization. Membership of system:masters gives
    # unrestricted access in Kubernetes, so this certificate's key must be
    # guarded like a cluster-admin credential.
    subject_name = 'admin'
    organization_name = 'system:masters'
    new_cert = x509.generate_client_certificate(
        issuer_name, subject_name, organization_name,
        ca_cert['private_key'],
        encryption_password=key_password,
        ca_key_password=ca_password,
    )
    manager = cert_manager.get_backend().CertManager
    cert_uuid = manager.store_cert(
        certificate=new_cert['certificate'],
        private_key=new_cert['private_key'],
        private_key_passphrase=key_password,
        name=CONDUCTOR_CLIENT_NAME,
        context=context)
    # The log line carries the backend reference only.
    LOG.debug('Magnum client cert is created: %s', cert_uuid)
    return cert_uuid
Esempio n. 13
def get_bay_ca_certificate(bay):
    """Fetch the bay's CA entry from the cert manager backend.

    :param bay: Bay providing ca_cert_ref and uuid
    :returns: The object returned by the backend's get_cert
    """
    # NOTE(review): the whole backend entry is returned, not just the
    # certificate; it presumably also exposes the CA private key and
    # passphrase, so callers must not pass it on to untrusted code - confirm.
    manager = cert_manager.get_backend().CertManager
    return manager.get_cert(bay.ca_cert_ref, resource_ref=bay.uuid)
Esempio n. 14
def get_cluster_magnum_cert(cluster, context=None):
    """Fetch the cluster's magnum client cert entry from the cert backend.

    :param cluster: Cluster providing magnum_cert_ref and uuid
    :param context: Forwarded unchanged to the backend's get_cert
    :returns: The object returned by the backend's get_cert
    """
    # NOTE(review): the returned entry presumably carries the private key
    # and passphrase as well as the certificate - confirm and treat it as
    # secret material.
    manager = cert_manager.get_backend().CertManager
    return manager.get_cert(cluster.magnum_cert_ref,
                            resource_ref=cluster.uuid,
                            context=context)
Esempio n. 15
def get_cluster_ca_certificate(cluster, context=None):
    """Fetch the cluster's CA entry from the cert manager backend.

    :param cluster: Cluster providing ca_cert_ref and uuid
    :param context: Forwarded unchanged to the backend's get_cert
    :returns: The object returned by the backend's get_cert
    """
    # NOTE(review): the whole backend entry is returned; it presumably
    # exposes the CA private key too, so only the certificate part should
    # ever leave the service - confirm at the call sites.
    manager = cert_manager.get_backend().CertManager
    return manager.get_cert(cluster.ca_cert_ref,
                            resource_ref=cluster.uuid,
                            context=context)
Esempio n. 16
def get_bay_magnum_cert(bay, context=None):
    """Fetch the bay's magnum client cert entry from the cert backend.

    :param bay: Bay providing magnum_cert_ref and uuid
    :param context: Forwarded unchanged to the backend's get_cert
    :returns: The object returned by the backend's get_cert
    """
    # NOTE(review): the returned entry presumably includes the client
    # private key - confirm and keep it out of logs and API responses.
    lookup = cert_manager.get_backend().CertManager.get_cert
    return lookup(bay.magnum_cert_ref, resource_ref=bay.uuid,
                  context=context)
Esempio n. 17
def sign_node_certificate(cluster, csr, context=None):
    """Sign a node's CSR with the cluster's CA key.

    The CA entry is fetched via cluster.ca_cert_ref; its private key and
    passphrase are passed to x509.sign together with the issuer name
    computed by _get_issuer_name(cluster).

    :param cluster: Cluster whose CA signs the request
    :param csr: Certificate signing request to sign
    :param context: Forwarded unchanged to the backend's get_cert
    :returns: Whatever x509.sign returns for the signed certificate
    """
    # NOTE(review): the CSR is not inspected here; any restriction on the
    # requested subject or extensions has to be enforced inside x509.sign,
    # which is not shown - confirm.
    manager = cert_manager.get_backend().CertManager
    cluster_ca = manager.get_cert(
        cluster.ca_cert_ref, resource_ref=cluster.uuid, context=context)
    return x509.sign(csr, _get_issuer_name(cluster),
                     cluster_ca.get_private_key(),
                     cluster_ca.get_private_key_passphrase())
Esempio n. 18
def get_cluster_magnum_cert(cluster, context=None):
    """Look up the magnum client cert entry stored for a cluster.

    :param cluster: Cluster providing magnum_cert_ref and uuid
    :param context: Forwarded unchanged to the backend's get_cert
    :returns: The object returned by the backend's get_cert
    """
    # NOTE(review): callers receive the whole backend entry, which
    # presumably includes the private key - confirm and handle accordingly.
    lookup = cert_manager.get_backend().CertManager.get_cert
    return lookup(cluster.magnum_cert_ref, resource_ref=cluster.uuid,
                  context=context)
Esempio n. 19
def get_cluster_ca_certificate(cluster, context=None):
    """Look up the CA entry stored for a cluster.

    :param cluster: Cluster providing ca_cert_ref and uuid
    :param context: Forwarded unchanged to the backend's get_cert
    :returns: The object returned by the backend's get_cert
    """
    # NOTE(review): this returns the backend entry itself rather than only
    # the certificate; it presumably gives access to the CA private key -
    # confirm that callers expose just the certificate.
    lookup = cert_manager.get_backend().CertManager.get_cert
    return lookup(cluster.ca_cert_ref, resource_ref=cluster.uuid,
                  context=context)
Esempio n. 20
def get_bay_ca_certificate(bay, context=None):
    """Fetch the bay's CA entry from the cert manager backend.

    :param bay: Bay providing ca_cert_ref and uuid
    :param context: Forwarded unchanged to the backend's get_cert
    :returns: The object returned by the backend's get_cert
    """
    # NOTE(review): the whole backend entry is returned; it presumably
    # exposes the CA private key too, so only the certificate part should
    # ever leave the service - confirm at the call sites.
    manager = cert_manager.get_backend().CertManager
    return manager.get_cert(bay.ca_cert_ref,
                            resource_ref=bay.uuid,
                            context=context)
Esempio n. 21
def sign_node_certificate(bay, csr):
    """Issue a node certificate by signing its CSR with the bay's CA.

    :param bay: Bay whose CA entry (bay.ca_cert_ref) signs the request;
        bay.name is passed to x509.sign as the second argument
    :param csr: Certificate signing request to sign
    :returns: Whatever x509.sign returns for the signed certificate
    """
    lookup = cert_manager.get_backend().CertManager.get_cert
    signing_ca = lookup(bay.ca_cert_ref, resource_ref=bay.uuid)

    # NOTE(review): the CSR reaches x509.sign unchecked; confirm that
    # x509.sign (not shown) validates what the request asks for.
    signed = x509.sign(csr, bay.name, signing_ca.get_private_key(),
                       signing_ca.get_private_key_passphrase())
    return signed
Esempio n. 22
def get_cluster_ca_certificate(cluster, context=None, ca_cert_type=None):
    """Fetch one of the cluster's CA entries from the cert backend.

    :param cluster: Cluster providing the CA references and uuid
    :param context: Forwarded unchanged to the backend's get_cert
    :param ca_cert_type: "etcd" selects etcd_ca_cert_ref; "front_proxy"
        or "front-proxy" selects front_proxy_ca_cert_ref; any other value,
        including None, selects ca_cert_ref
    :returns: The object returned by the backend's get_cert
    """
    # Unrecognised types are not rejected: they fall back to the main
    # cluster CA, so a misspelt type silently yields a different CA.
    selected_ref = cluster.ca_cert_ref
    if ca_cert_type in ["front_proxy", "front-proxy"]:
        selected_ref = cluster.front_proxy_ca_cert_ref
    elif ca_cert_type == "etcd":
        selected_ref = cluster.etcd_ca_cert_ref

    manager = cert_manager.get_backend().CertManager
    return manager.get_cert(
        selected_ref, resource_ref=cluster.uuid, context=context)
Esempio n. 23
def sign_node_certificate(cluster, csr, context=None):
    """Issue a node certificate by signing its CSR with the cluster's CA.

    :param cluster: Cluster whose CA entry (cluster.ca_cert_ref) signs the
        request
    :param csr: Certificate signing request to sign
    :param context: Forwarded unchanged to the backend's get_cert
    :returns: Whatever x509.sign returns for the signed certificate
    """
    lookup = cert_manager.get_backend().CertManager.get_cert
    signing_ca = lookup(cluster.ca_cert_ref,
                        resource_ref=cluster.uuid,
                        context=context)

    # NOTE(review): the CSR reaches x509.sign unchecked; confirm that
    # x509.sign (not shown) validates what the request asks for.
    signed = x509.sign(csr, _get_issuer_name(cluster),
                       signing_ca.get_private_key(),
                       signing_ca.get_private_key_passphrase())
    return signed
Esempio n. 24
    def _create_certificate_files(self, bay):
        """Write the bay's client cert, client key and CA cert to temp files.

        Sets self.cert_file, self.key_file and self.ca_file to whatever
        self._create_temp_file_with_content returns for each payload.

        :param bay: Bay object
        """
        client_entry = cert_manager.get_backend().CertManager.get_cert(
            bay.magnum_cert_ref, resource_ref=bay.uuid)
        self.cert_file = self._create_temp_file_with_content(
            client_entry.get_certificate())

        # The stored key is decrypted with its passphrase and re-serialised
        # as PKCS8 PEM with NoEncryption, so the temp file holds the client
        # private key in the clear.
        # NOTE(review): permissions and removal of that file depend on
        # _create_temp_file_with_content, which is not shown - confirm it
        # restricts access to the owner and that the file is deleted after
        # use.
        decrypted_key = serialization.load_pem_private_key(
            client_entry.get_private_key(),
            password=client_entry.get_private_key_passphrase(),
            backend=default_backend(),
        )
        plaintext_pem = decrypted_key.private_bytes(
            encoding=serialization.Encoding.PEM,
            format=serialization.PrivateFormat.PKCS8,
            encryption_algorithm=serialization.NoEncryption())
        self.key_file = self._create_temp_file_with_content(plaintext_pem)

        ca_entry = cert_manager.get_backend().CertManager.get_cert(
            bay.ca_cert_ref, resource_ref=bay.uuid)
        self.ca_file = self._create_temp_file_with_content(
            ca_entry.get_certificate())
Esempio n. 25
def sign_node_certificate(cluster, csr, ca_cert_type=None, context=None):
    """Sign a node's CSR with one of the cluster's CA keys.

    :param cluster: Cluster providing the CA references and uuid
    :param csr: Certificate signing request to sign
    :param ca_cert_type: "etcd" selects etcd_ca_cert_ref; "front_proxy"
        or "front-proxy" selects front_proxy_ca_cert_ref; any other value,
        including None, selects ca_cert_ref
    :param context: Forwarded unchanged to the backend's get_cert
    :returns: Whatever x509.sign returns for the signed certificate
    """
    # Unrecognised types are not rejected: they fall back to the main
    # cluster CA, so a misspelt type yields a certificate signed by that CA.
    # NOTE(review): confirm callers validate ca_cert_type before it gets
    # here.
    selected_ref = cluster.ca_cert_ref
    if ca_cert_type in ["front_proxy", "front-proxy"]:
        selected_ref = cluster.front_proxy_ca_cert_ref
    elif ca_cert_type == "etcd":
        selected_ref = cluster.etcd_ca_cert_ref

    manager = cert_manager.get_backend().CertManager
    signing_ca = manager.get_cert(
        selected_ref, resource_ref=cluster.uuid, context=context)

    return x509.sign(csr, _get_issuer_name(cluster),
                     signing_ca.get_private_key(),
                     signing_ca.get_private_key_passphrase())
Esempio n. 26
    def _create_certificate_files(self, bay):
        """Materialise the bay's TLS credentials as temporary files.

        The client certificate, the client private key and the CA
        certificate are each passed to self._create_temp_file_with_content;
        the results are kept on self.cert_file, self.key_file and
        self.ca_file.

        :param bay: Bay object
        """
        magnum_entry = cert_manager.get_backend().CertManager.get_cert(
            bay.magnum_cert_ref, resource_ref=bay.uuid)
        cert_pem = magnum_entry.get_certificate()
        self.cert_file = self._create_temp_file_with_content(cert_pem)

        loaded_key = serialization.load_pem_private_key(
            magnum_entry.get_private_key(),
            password=magnum_entry.get_private_key_passphrase(),
            backend=default_backend(),
        )
        # NoEncryption: the key is written without passphrase protection.
        # NOTE(review): the file's mode and lifetime are decided by
        # _create_temp_file_with_content (not shown) - confirm it is
        # owner-only and cleaned up.
        key_pem = loaded_key.private_bytes(
            encoding=serialization.Encoding.PEM,
            format=serialization.PrivateFormat.PKCS8,
            encryption_algorithm=serialization.NoEncryption())
        self.key_file = self._create_temp_file_with_content(key_pem)

        ca_entry = cert_manager.get_backend().CertManager.get_cert(
            bay.ca_cert_ref, resource_ref=bay.uuid)
        ca_pem = ca_entry.get_certificate()
        self.ca_file = self._create_temp_file_with_content(ca_pem)
Esempio n. 27
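def _generate_ca_cert(issuer_name):
    """Generate and store ca_cert

    A fresh passphrase is generated, the CA certificate and key are
    created with it, and all three are stored through the cert manager
    backend under the issuer name.

    :param issuer_name: CA subject name
    :returns: CA cert uuid and CA cert, CA private key password
    """
    # NOTE(review): this id is the passphrase protecting the CA private
    # key; the randomness behind short_id.generate_id() is not visible
    # here - confirm it comes from a CSPRNG.
    ca_password = short_id.generate_id()
    ca_cert = x509.generate_ca_certificate(issuer_name,
                                           encryption_password=ca_password)
    ca_cert_ref = cert_manager.get_backend().CertManager.store_cert(
        certificate=ca_cert['certificate'],
        private_key=ca_cert['private_key'],
        private_key_passphrase=ca_password,
        name=issuer_name,
    )
    # Pass the reference as a logging argument so the message is only
    # formatted when debug logging is enabled. Only the reference is
    # logged, never the key or the passphrase.
    LOG.debug('CA cert is created: %s', ca_cert_ref)
    # The passphrase and the key-bearing dict are returned to the caller,
    # which must keep them out of logs and responses.
    return ca_cert_ref, ca_cert, ca_password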
Esempio n. 28
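def _generate_ca_cert(issuer_name):
    """Generate and store ca_cert

    Creates a CA certificate and private key protected by a newly
    generated passphrase, then stores certificate, key and passphrase
    through the cert manager backend.

    :param issuer_name: CA subject name
    :returns: CA cert uuid and CA cert, CA private key password
    """
    # NOTE(review): the entropy of short_id.generate_id() is not visible
    # here, yet it is the only protection on the stored CA key - confirm.
    ca_password = short_id.generate_id()
    ca_cert = x509.generate_ca_certificate(issuer_name,
                                           encryption_password=ca_password)
    ca_cert_ref = cert_manager.get_backend().CertManager.store_cert(
        certificate=ca_cert['certificate'],
        private_key=ca_cert['private_key'],
        private_key_passphrase=ca_password,
        name=issuer_name,
    )
    # Lazy logging arguments instead of eager %-formatting; the line
    # carries the backend reference only.
    LOG.debug('CA cert is created: %s', ca_cert_ref)
    # Callers receive the key-bearing dict and the passphrase and are
    # responsible for not leaking them.
    return ca_cert_ref, ca_cert, ca_password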
Esempio n. 29
def _generate_client_cert(issuer_name, ca_cert, ca_password, context=None):
    """Generate and store magnum_client_cert

    Issues a client certificate named CONDUCTOR_CLIENT_NAME, signed with
    the CA private key, and stores it with its key and a freshly
    generated passphrase through the cert manager backend.

    :param issuer_name: CA subject name
    :param ca_cert: CA certificate; its 'private_key' entry is used to sign
    :param ca_password: CA private key password
    :param context: Forwarded unchanged to the backend's store_cert
    :returns: Magnum client cert uuid
    """
    # NOTE(review): the generated id is the only protection on the stored
    # private key; the entropy of short_id.generate_id() is not visible
    # here - confirm.
    key_password = short_id.generate_id()
    new_cert = x509.generate_client_certificate(
        issuer_name, CONDUCTOR_CLIENT_NAME, ca_cert['private_key'],
        encryption_password=key_password,
        ca_key_password=ca_password,
    )
    manager = cert_manager.get_backend().CertManager
    cert_uuid = manager.store_cert(
        certificate=new_cert['certificate'],
        private_key=new_cert['private_key'],
        private_key_passphrase=key_password,
        name=CONDUCTOR_CLIENT_NAME,
        context=context)
    # The log line carries the backend reference only.
    LOG.debug('Magnum client cert is created: %s', cert_uuid)
    return cert_uuid
Esempio n. 30
def get_bay_magnum_cert(bay, context=None):
    """Look up the magnum client cert entry stored for a bay.

    :param bay: Bay providing magnum_cert_ref and uuid
    :param context: Forwarded unchanged to the backend's get_cert
    :returns: The object returned by the backend's get_cert
    """
    # NOTE(review): the entry presumably carries the client private key as
    # well as the certificate - confirm and treat it as secret material.
    manager = cert_manager.get_backend().CertManager
    return manager.get_cert(
        bay.magnum_cert_ref, resource_ref=bay.uuid, context=context)
Esempio n. 31
def get_bay_ca_certificate(bay):
    """Return the certificate part of the bay's CA entry.

    The entry is fetched by bay.ca_cert_ref alone (no resource_ref or
    context is passed) and only the result of get_certificate() is
    returned.

    :param bay: Bay providing ca_cert_ref
    :returns: Result of get_certificate() on the backend entry
    """
    manager = cert_manager.get_backend().CertManager
    ca_entry = manager.get_cert(bay.ca_cert_ref)
    return ca_entry.get_certificate()
Esempio n. 32
 def test_local_cert_manager(self):
     # cert_manager_type='local' must make get_backend() resolve to the
     # local cert manager module.
     # NOTE(review): the Config fixture is used without self.useFixture;
     # if this is oslo.config's fixture the override may outlive this
     # test - confirm.
     overrides = fixture.Config()
     overrides.config(group='certificates', cert_manager_type='local')
     selected = get_backend().CertManager
     self.assertEqual(selected, lcm.CertManager)
Esempio n. 33
def get_bay_ca_certificate(bay, context=None):
    """Look up the CA entry stored for a bay.

    :param bay: Bay providing ca_cert_ref and uuid
    :param context: Forwarded unchanged to the backend's get_cert
    :returns: The object returned by the backend's get_cert
    """
    # NOTE(review): this returns the backend entry itself rather than only
    # the certificate; it presumably gives access to the CA private key -
    # confirm that callers expose just the certificate.
    lookup = cert_manager.get_backend().CertManager.get_cert
    return lookup(bay.ca_cert_ref, resource_ref=bay.uuid, context=context)
Esempio n. 34
 def test_barbican_cert_manager(self):
     # cert_manager_type='barbican' must make get_backend() resolve to the
     # barbican cert manager module.
     # NOTE(review): the Config fixture is used without self.useFixture;
     # if this is oslo.config's fixture the override may outlive this
     # test - confirm.
     overrides = fixture.Config()
     overrides.config(group='certificates', cert_manager_type='barbican')
     selected = get_backend().CertManager
     self.assertEqual(selected, bcm.CertManager)
Esempio n. 35
 def test_barbican_cert_manager(self):
     # Selecting the 'barbican' backend in the [certificates] group must be
     # reflected by get_backend().
     # NOTE(review): no self.useFixture call is visible, so the override
     # is presumably not reset after the test - confirm.
     config_fixture = fixture.Config()
     config_fixture.config(group='certificates',
                           cert_manager_type='barbican')
     actual_manager = get_backend().CertManager
     self.assertEqual(actual_manager, bcm.CertManager)
Esempio n. 36
 def test_local_cert_manager(self):
     # Selecting the 'local' backend in the [certificates] group must be
     # reflected by get_backend().
     # NOTE(review): no self.useFixture call is visible, so the override
     # is presumably not reset after the test - confirm.
     config_fixture = fixture.Config()
     config_fixture.config(group='certificates',
                           cert_manager_type='local')
     actual_manager = get_backend().CertManager
     self.assertEqual(actual_manager, lcm.CertManager)