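def __call__(self):
    ''' Build the SSL template context from the charm's cert and key.

    When no unit is related on the 'certificates' relation, the CA cert and
    the cert/key pair come from get_ca_cert() / get_cert(); both are
    base64-decoded and written under /etc/ssl. Otherwise the context points
    at SSL_CERT_FILE / SSL_KEY_FILE, provided both already exist.

    Returns a dict with 'ssl_configured' and, when that is True, the
    'ssl_cert' and 'ssl_key' paths.
    '''
    ctxt = {'ssl_configured': False}
    use_local_ca = not any(
        related_units(rid) for rid in relation_ids('certificates'))

    if use_local_ca:
        ca_cert = get_ca_cert()
        if not ca_cert:
            return ctxt
        install_ca_cert(b64decode(ca_cert))

        ssl_cert, ssl_key = get_cert()
        if all([ssl_cert, ssl_key]):
            cert_path = '/etc/ssl/certs/dashboard.cert'
            key_path = '/etc/ssl/private/dashboard.key'

            # b64decode() yields bytes, so write in binary mode.
            with open(cert_path, 'wb') as cert_out:
                cert_out.write(b64decode(ssl_cert))

            # Create the key owner-only from the start: open() followed by
            # chmod() leaves a window in which the private key sits on disk
            # with umask-default (typically world-readable) permissions.
            key_fd = os.open(
                key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
            with os.fdopen(key_fd, 'wb') as key_out:
                # A pre-existing file keeps its old mode; tighten it before
                # any key material is written.
                os.fchmod(key_fd, 0o600)
                key_out.write(b64decode(ssl_key))

            ctxt = {
                'ssl_configured': True,
                'ssl_cert': cert_path,
                'ssl_key': key_path,
            }
    elif os.path.exists(SSL_CERT_FILE) and os.path.exists(SSL_KEY_FILE):
        ctxt = {
            'ssl_configured': True,
            'ssl_cert': SSL_CERT_FILE,
            'ssl_key': SSL_KEY_FILE,
        }
    return ctxt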
def test_get_cert_from_config(self):
    '''get_cert returns the cert/key pair supplied by charm config'''
    # Successive config_get calls answer config_get('ssl_cert') and then
    # config_get('ssl_key').
    expected = ('some_ca_cert', 'some_ca_key')
    self.config_get.side_effect = list(expected)

    cert_and_key = apache_utils.get_cert('test-cn')

    self.assertEquals(expected, cert_and_key)
def test_get_cert_from_relation_deprecated(self):
    '''With no cert in config, get_cert returns the relation-provided pair.

    config_get is stubbed to return None and the relation helpers are
    backed by a FakeRelation built from IDENTITY_OLD_STYLE_CERTS.
    '''
    fake_rel = FakeRelation(IDENTITY_OLD_STYLE_CERTS)
    self.config_get.return_value = None
    self.relation_ids.side_effect = fake_rel.relation_ids
    self.relation_list.side_effect = fake_rel.relation_units
    self.relation_get.side_effect = fake_rel.get

    cert_and_key = apache_utils.get_cert()

    expected = ('keystone_provided_cert', 'keystone_provided_key')
    self.assertEquals(expected, cert_and_key)
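def configure_cert(self, cn=None):
    ''' Write the cert and key for this service under /etc/apache2/ssl.

    The pair comes from get_cert(cn) and is base64-decoded before being
    written to '/etc/apache2/ssl/<service_namespace>/'. With a cn the files
    are named 'cert_<cn>' / 'key_<cn>', otherwise 'cert' / 'key'.

    NOTE(review): b64decode() raises if get_cert() hands back None for
    either value - confirm the caller only invokes this once a pair exists.
    '''
    ssl_dir = os.path.join('/etc/apache2/ssl/', self.service_namespace)
    mkdir(path=ssl_dir)
    cert, key = get_cert(cn)
    if cn:
        cert_filename = 'cert_{}'.format(cn)
        key_filename = 'key_{}'.format(cn)
    else:
        cert_filename = 'cert'
        key_filename = 'key'

    write_file(path=os.path.join(ssl_dir, cert_filename),
               content=b64decode(cert))
    # Private key: do not rely on write_file's default mode.
    # NOTE(review): charmhelpers' host.write_file defaults to a
    # world-readable mode (0o444) - confirm that is the helper in scope.
    write_file(path=os.path.join(ssl_dir, key_filename),
               content=b64decode(key), perms=0o600)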
def __call__(self):
    ''' Return the port context, adding 'ssl_addr' when SSL is enforced.

    'ssl_addr' is only set when the 'enforce-ssl' option is on and
    get_cert() returns a complete cert/key pair; otherwise a warning is
    logged and the redirect is left out.
    '''
    # NOTE(review): 433 (not 443) is the value in the source - presumably a
    # backend port behind a proxy; confirm before "correcting" it.
    ctxt = dict(http_port=70, https_port=433)

    if not config('enforce-ssl'):
        return ctxt

    # NOTE(dosaboy): if ssl is not configured we shouldn't allow this
    ssl_available = all(get_cert())
    if not ssl_available:
        log("Enforce ssl redirect requested but ssl not configured - "
            "skipping redirect", level=WARNING)
        return ctxt

    ctxt['ssl_addr'] = resolve_address()
    return ctxt
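def configure_cert(self):
    ''' Write the service cert, key and optional CA cert to disk.

    The cert/key pair from get_cert() is base64-decoded into
    '/etc/apache2/ssl/<service_namespace>/cert' and '.../key'. If
    get_ca_cert() returns a value it is decoded into CA_CERT_PATH and
    'update-ca-certificates' is run.

    NOTE(review): b64decode() raises if get_cert() hands back None for
    either value - confirm the caller only invokes this once a pair exists.
    '''
    if not os.path.isdir('/etc/apache2/ssl'):
        os.mkdir('/etc/apache2/ssl')
    ssl_dir = os.path.join('/etc/apache2/ssl/', self.service_namespace)
    if not os.path.isdir(ssl_dir):
        os.mkdir(ssl_dir)

    cert, key = get_cert()

    # b64decode() yields bytes, so write in binary mode.
    with open(os.path.join(ssl_dir, 'cert'), 'wb') as cert_out:
        cert_out.write(b64decode(cert))

    # A plain open() would create the private key with umask-default
    # (typically world-readable) permissions; create it owner-only instead.
    key_fd = os.open(os.path.join(ssl_dir, 'key'),
                     os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(key_fd, 'wb') as key_out:
        # A pre-existing file keeps its old mode; tighten it before any key
        # material is written.
        os.fchmod(key_fd, 0o600)
        key_out.write(b64decode(key))

    ca_cert = get_ca_cert()
    if ca_cert:
        with open(CA_CERT_PATH, 'wb') as ca_out:
            ca_out.write(b64decode(ca_cert))
        check_call(['update-ca-certificates'])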
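def configure_cert(self):
    """Write the service cert, key and optional CA cert to disk.

    The cert/key pair from get_cert() is base64-decoded into
    "/etc/apache2/ssl/<service_namespace>/cert" and ".../key". If
    get_ca_cert() returns a value it is decoded into CA_CERT_PATH and
    "update-ca-certificates" is run.

    NOTE(review): b64decode() raises if get_cert() hands back None for
    either value - confirm the caller only invokes this once a pair exists.
    """
    if not os.path.isdir("/etc/apache2/ssl"):
        os.mkdir("/etc/apache2/ssl")
    ssl_dir = os.path.join("/etc/apache2/ssl/", self.service_namespace)
    if not os.path.isdir(ssl_dir):
        os.mkdir(ssl_dir)

    cert, key = get_cert()

    # b64decode() yields bytes, so write in binary mode.
    with open(os.path.join(ssl_dir, "cert"), "wb") as cert_out:
        cert_out.write(b64decode(cert))

    # A plain open() would create the private key with umask-default
    # (typically world-readable) permissions; create it owner-only instead.
    key_fd = os.open(os.path.join(ssl_dir, "key"),
                     os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(key_fd, "wb") as key_out:
        # A pre-existing file keeps its old mode; tighten it before any key
        # material is written.
        os.fchmod(key_fd, 0o600)
        key_out.write(b64decode(key))

    ca_cert = get_ca_cert()
    if ca_cert:
        with open(CA_CERT_PATH, "wb") as ca_out:
            ca_out.write(b64decode(ca_cert))
        check_call(["update-ca-certificates"])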
def __call__(self):
    ''' Return the port/HSTS/theme context with the SSL-enforcement flag.

    'enforce_ssl' is only switched on when the 'enforce-ssl' option is set
    and get_cert() returns a complete cert/key pair; otherwise a warning is
    logged and the flag stays False.
    '''
    # NOTE(review): 433 (not 443) is the value in the source - presumably a
    # backend port behind a proxy; confirm before "correcting" it.
    ctxt = dict(
        http_port=70,
        https_port=433,
        enforce_ssl=False,
        hsts_max_age_seconds=config('hsts-max-age-seconds'),
        custom_theme=config('custom-theme'),
    )

    if not config('enforce-ssl'):
        return ctxt

    # NOTE(dosaboy): if ssl is not configured we shouldn't allow this
    ssl_available = all(get_cert())
    if ssl_available:
        ctxt['enforce_ssl'] = True
        return ctxt

    log("Enforce ssl redirect requested but ssl not configured - "
        "skipping redirect", level=WARNING)
    return ctxt
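def __call__(self):
    ''' Write the dashboard cert and key and return the SSL context.

    When get_cert() returns both a cert and a key they are base64-decoded
    into /etc/ssl/certs/dashboard.cert and /etc/ssl/private/dashboard.key
    and the returned dict points at those paths. Otherwise only
    {'ssl_configured': False} is returned.
    '''
    (ssl_cert, ssl_key) = get_cert()
    if None in [ssl_cert, ssl_key]:
        # Use snakeoil ones by default
        return {'ssl_configured': False}

    cert_path = '/etc/ssl/certs/dashboard.cert'
    key_path = '/etc/ssl/private/dashboard.key'

    # b64decode() yields bytes, so write in binary mode.
    with open(cert_path, 'wb') as cert_out:
        cert_out.write(b64decode(ssl_cert))

    # Create the key owner-only from the start: open() followed by chmod()
    # leaves a window in which the private key sits on disk with
    # umask-default (typically world-readable) permissions.
    key_fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(key_fd, 'wb') as key_out:
        # A pre-existing file keeps its old mode; tighten it before any key
        # material is written.
        os.fchmod(key_fd, 0o600)
        key_out.write(b64decode(ssl_key))

    return {
        'ssl_configured': True,
        'ssl_cert': cert_path,
        'ssl_key': key_path,
    }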
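def configure_cert(self):
    ''' Write the service cert, key and optional CA cert to disk.

    The cert/key pair from get_cert() - or from generate_cert() when either
    value is None - is base64-decoded into
    '/etc/apache2/ssl/<service_namespace>/cert' and '.../key'. If
    get_ca_cert() returns a value it is decoded into CA_CERT_PATH and
    'update-ca-certificates' is run.
    '''
    if not os.path.isdir('/etc/apache2/ssl'):
        os.mkdir('/etc/apache2/ssl')
    ssl_dir = os.path.join('/etc/apache2/ssl/', self.service_namespace)
    if not os.path.isdir(ssl_dir):
        os.mkdir(ssl_dir)

    cert, key = get_cert()
    # Swift specific - generate a cert by default if not using
    # a) user supplied cert or b) keystone signed cert
    if None in [cert, key]:
        cert, key = generate_cert()

    # b64decode() yields bytes, so write in binary mode.
    with open(os.path.join(ssl_dir, 'cert'), 'wb') as cert_out:
        cert_out.write(b64decode(cert))

    # A plain open() would create the private key with umask-default
    # (typically world-readable) permissions; create it owner-only instead.
    key_fd = os.open(os.path.join(ssl_dir, 'key'),
                     os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(key_fd, 'wb') as key_out:
        # A pre-existing file keeps its old mode; tighten it before any key
        # material is written.
        os.fchmod(key_fd, 0o600)
        key_out.write(b64decode(key))

    ca_cert = get_ca_cert()
    if ca_cert:
        with open(CA_CERT_PATH, 'wb') as ca_out:
            ca_out.write(b64decode(ca_cert))
        subprocess.check_call(['update-ca-certificates'])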
def __call__(self):
    ''' Return the port context, adding 'ssl_addr' when SSL is enforced.

    'ssl_addr' is only set when the 'enforce-ssl' option is on and
    get_cert() returns a complete cert/key pair. The address is the 'vip'
    option if set, else an IPv6 address when 'prefer-ipv6' is set, else the
    host IP for the unit's 'private-address'.
    '''
    # NOTE(review): 433 (not 443) is the value in the source - presumably a
    # backend port behind a proxy; confirm before "correcting" it.
    ctxt = {}
    ctxt['http_port'] = 70
    ctxt['https_port'] = 433

    if not config('enforce-ssl'):
        return ctxt

    # NOTE(dosaboy): if ssl is not configured we shouldn't allow this
    if not all(get_cert()):
        log("Enforce ssl redirect requested but ssl not configured - "
            "skipping redirect", level=WARNING)
        return ctxt

    if config('vip'):
        redirect_addr = config('vip')
    elif config('prefer-ipv6'):
        redirect_addr = format_ipv6_addr(get_ipv6_addr()[0])
    else:
        redirect_addr = get_host_ip(unit_get('private-address'))

    ctxt['ssl_addr'] = redirect_addr
    return ctxt
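def __call__(self):
    ''' Install the CA cert, write the dashboard cert/key, return context.

    A CA cert from get_ca_cert(), when present, is base64-decoded and
    passed to install_ca_cert(). When get_cert() returns both a cert and a
    key they are decoded into /etc/ssl/certs/dashboard.cert and
    /etc/ssl/private/dashboard.key and the returned dict points at those
    paths. Otherwise only {'ssl_configured': False} is returned.
    '''
    ca_cert = get_ca_cert()
    if ca_cert:
        install_ca_cert(b64decode(ca_cert))

    ssl_cert, ssl_key = get_cert()
    if not all([ssl_cert, ssl_key]):
        # Use snakeoil ones by default
        return {'ssl_configured': False}

    cert_path = '/etc/ssl/certs/dashboard.cert'
    key_path = '/etc/ssl/private/dashboard.key'

    # b64decode() yields bytes, so write in binary mode.
    with open(cert_path, 'wb') as cert_out:
        cert_out.write(b64decode(ssl_cert))

    # Create the key owner-only from the start: open() followed by chmod()
    # leaves a window in which the private key sits on disk with
    # umask-default (typically world-readable) permissions.
    key_fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(key_fd, 'wb') as key_out:
        # A pre-existing file keeps its old mode; tighten it before any key
        # material is written.
        os.fchmod(key_fd, 0o600)
        key_out.write(b64decode(ssl_key))

    return {
        'ssl_configured': True,
        'ssl_cert': cert_path,
        'ssl_key': key_path,
    }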