コード例 #1
0
 def test_install_ca_cert_old_cert(self, _retrieve_ca_cert):
     _retrieve_ca_cert.return_value = cert
     with patch_open() as (_open, _file):
         apache_utils.install_ca_cert(cert)
         self.assertFalse(_open.called)
         self.assertFalse(_file.called)
     self.assertFalse(self.subprocess.check_call.called)
コード例 #2
0
def process_certificates(service_name, relation_id, unit,
                         custom_hostname_link=None, user='******', group='root'):
    """Process the certificates supplied down the relation

    :param service_name: str Name of service the certifcates are for.
    :param relation_id: str Relation id providing the certs
    :param unit: str Unit providing the certs
    :param custom_hostname_link: str Name of custom link to create
    :param user: (Optional) Owner of certificate files. Defaults to 'root'
    :type user: str
    :param group: (Optional) Group of certificate files. Defaults to 'root'
    :type group: str
    """
    data = relation_get(rid=relation_id, unit=unit)
    ssl_dir = os.path.join('/etc/apache2/ssl/', service_name)
    mkdir(path=ssl_dir)
    name = local_unit().replace('/', '_')
    certs = data.get('{}.processed_requests'.format(name))
    chain = data.get('chain')
    ca = data.get('ca')
    if certs:
        certs = json.loads(certs)
        install_ca_cert(ca.encode())
        install_certs(ssl_dir, certs, chain, user=user, group=group)
        create_ip_cert_links(
            ssl_dir,
            custom_hostname_link=custom_hostname_link)
コード例 #3
0
def nm_changed():
    CONFIGS.write_all()
    if relation_get('ca_cert'):
        ca_crt = b64decode(relation_get('ca_cert'))
        install_ca_cert(ca_crt)

    if config('ha-legacy-mode'):
        cache_env_data()

    # Disable nova metadata if possible,
    if disable_nova_metadata():
        remove_legacy_nova_metadata()
    else:
        # NOTE: nova-api-metadata needs to be restarted
        #       once the nova-conductor is up and running
        #       on the nova-cc units.
        restart_nonce = relation_get('restart_trigger')
        if restart_nonce is not None:
            db = kv()
            previous_nonce = db.get('restart_nonce')
            if previous_nonce != restart_nonce:
                if not is_unit_paused_set():
                    service_restart('nova-api-metadata')
                db.set('restart_nonce', restart_nonce)
                db.flush()
コード例 #4
0
def process_certificates(service_name,
                         relation_id,
                         unit,
                         custom_hostname_link=None,
                         user='******',
                         group='root'):
    """Process the certificates supplied down the relation

    :param service_name: str Name of service the certifcates are for.
    :param relation_id: str Relation id providing the certs
    :param unit: str Unit providing the certs
    :param custom_hostname_link: str Name of custom link to create
    :param user: (Optional) Owner of certificate files. Defaults to 'root'
    :type user: str
    :param group: (Optional) Group of certificate files. Defaults to 'root'
    :type group: str
    """
    data = relation_get(rid=relation_id, unit=unit)
    ssl_dir = os.path.join('/etc/apache2/ssl/', service_name)
    mkdir(path=ssl_dir)
    name = local_unit().replace('/', '_')
    certs = data.get('{}.processed_requests'.format(name))
    chain = data.get('chain')
    ca = data.get('ca')
    if certs:
        certs = json.loads(certs)
        install_ca_cert(ca.encode())
        install_certs(ssl_dir, certs, chain, user=user, group=group)
        create_ip_cert_links(ssl_dir,
                             custom_hostname_link=custom_hostname_link)
コード例 #5
0
    def configure_ca(self):
        from keystone_utils import (
            SSH_USER,
            get_ca,
            ensure_permissions,
            is_ssl_cert_master,
        )

        if not is_cert_provided_in_config() and not is_ssl_cert_master():
            log(
                "Not ssl-cert-master - skipping apache ca config until "
                "master is elected",
                level=INFO)
            return

        ca_cert = config('ssl_ca')
        if ca_cert is None:
            ca = get_ca(user=SSH_USER)
            ca_cert = ca.get_ca_bundle()
        else:
            ca_cert = b64decode(ca_cert)

        # Ensure accessible by keystone ssh user and group (unison)
        install_ca_cert(ca_cert)
        ensure_permissions(CA_CERT_PATH,
                           user=SSH_USER,
                           group='keystone',
                           perms=0o0644)
コード例 #6
0
def nm_changed():
    CONFIGS.write_all()
    if relation_get('ca_cert'):
        ca_crt = b64decode(relation_get('ca_cert'))
        install_ca_cert(ca_crt)

    if config('ha-legacy-mode'):
        cache_env_data()

    # Disable nova metadata if possible,
    if disable_nova_metadata():
        remove_legacy_nova_metadata()
    else:
        # NOTE: nova-api-metadata needs to be restarted
        #       once the nova-conductor is up and running
        #       on the nova-cc units.
        restart_nonce = relation_get('restart_trigger')
        if restart_nonce is not None:
            db = kv()
            previous_nonce = db.get('restart_nonce')
            if previous_nonce != restart_nonce:
                if not is_unit_paused_set():
                    service_restart('nova-api-metadata')
                db.set('restart_nonce', restart_nonce)
                db.flush()
コード例 #7
0
    def __call__(self):
        ''' Grab cert and key from configuration for SSL config '''
        ctxt = {'ssl_configured': False}
        use_local_ca = True
        for rid in relation_ids('certificates'):
            if related_units(rid):
                use_local_ca = False

        if use_local_ca:
            ca_cert = get_ca_cert()
            if not ca_cert:
                return ctxt
            install_ca_cert(b64decode(ca_cert))

            ssl_cert, ssl_key = get_cert()
            if all([ssl_cert, ssl_key]):
                with open('/etc/ssl/certs/dashboard.cert', 'w') as cert_out:
                    cert_out.write(b64decode(ssl_cert))
                with open('/etc/ssl/private/dashboard.key', 'w') as key_out:
                    key_out.write(b64decode(ssl_key))
                os.chmod('/etc/ssl/private/dashboard.key', 0600)
                ctxt = {
                    'ssl_configured': True,
                    'ssl_cert': '/etc/ssl/certs/dashboard.cert',
                    'ssl_key': '/etc/ssl/private/dashboard.key',
                }
        else:
            if os.path.exists(SSL_CERT_FILE) and os.path.exists(SSL_KEY_FILE):
                ctxt = {
                    'ssl_configured': True,
                    'ssl_cert': SSL_CERT_FILE,
                    'ssl_key': SSL_KEY_FILE,
                }
        return ctxt
コード例 #8
0
def nm_changed():
    CONFIGS.write_all()
    if relation_get('ca_cert'):
        ca_crt = b64decode(relation_get('ca_cert'))
        install_ca_cert(ca_crt)

    if config('ha-legacy-mode'):
        cache_env_data()
コード例 #9
0
 def test_install_ca_cert(self):
     with patch_open() as (_open, _file):
         apache_utils.install_ca_cert(cert)
         _open.assert_called_with(
             '/usr/local/share/ca-certificates/keystone_juju_ca_cert.crt',
             'w')
         _file.write.assert_called_with(cert)
     self.subprocess.assertCalledWith(['update-ca-certificates', '--fresh'])
コード例 #10
0
def nm_changed():
    CONFIGS.write_all()
    if relation_get('ca_cert'):
        ca_crt = b64decode(relation_get('ca_cert'))
        install_ca_cert(ca_crt)

    if config('ha-legacy-mode'):
        cache_env_data()
コード例 #11
0
ファイル: cinder_hooks.py プロジェクト: phausman/charm-cinder
def certs_changed(relation_id=None, unit=None):
    if not service_enabled('api'):
        # Install CA cert to communicate with Keystone and Glance
        data = relation_get(rid=relation_id, unit=unit)
        ca = data.get('ca')
        if ca:
            install_ca_cert(ca.encode())
        return
    process_certificates('cinder', relation_id, unit)
    configure_https()
コード例 #12
0
 def test_install_ca_cert_new_cert(self, _retrieve_ca_cert):
     _retrieve_ca_cert.return_value = None
     with patch_open() as (_open, _file):
         apache_utils.install_ca_cert(cert)
         _open.assert_called_once_with(
             '/usr/local/share/ca-certificates/keystone_juju_ca_cert.crt',
             'wb')
         _file.write.assert_called_with(cert)
     self.subprocess.check_call.assert_called_with(
         ['update-ca-certificates', '--fresh'])
コード例 #13
0
 def __call__(self):
     ''' Grab cert and key from configuration for SSL config '''
     ca_cert = get_ca_cert()
     if ca_cert:
         install_ca_cert(b64decode(ca_cert))
     (ssl_cert, ssl_key) = get_cert()
     if None not in [ssl_cert, ssl_key]:
         with open('/etc/ssl/certs/dashboard.cert', 'w') as cert_out:
             cert_out.write(b64decode(ssl_cert))
         with open('/etc/ssl/private/dashboard.key', 'w') as key_out:
             key_out.write(b64decode(ssl_key))
         os.chmod('/etc/ssl/private/dashboard.key', 0600)
         ctxt = {
             'ssl_configured': True,
             'ssl_cert': '/etc/ssl/certs/dashboard.cert',
             'ssl_key': '/etc/ssl/private/dashboard.key',
         }
     else:
         # Use snakeoil ones by default
         ctxt = {
             'ssl_configured': False,
         }
     return ctxt
コード例 #14
0
    def configure_ca(self):
        from keystone_utils import (
            SSH_USER,
            get_ca,
            ensure_permissions,
            is_ssl_cert_master,
            KEYSTONE_USER,
        )

        if not is_cert_provided_in_config() and not is_ssl_cert_master():
            log(
                "Not ssl-cert-master - skipping apache ca config until "
                "master is elected",
                level=INFO)
            return

        cert = config('ssl_cert')
        key = config('ssl_key')

        ca_cert = config('ssl_ca')
        if ca_cert:
            ca_cert = b64decode(ca_cert)
        elif not (cert and key):
            # NOTE(hopem): if a cert and key are provided as config we don't
            # mandate that a CA is also provided since it isn't necessarily
            # needed. As a result we only generate a custom CA if we are also
            # generating cert and key.
            ca = get_ca(user=SSH_USER)
            ca_cert = ca.get_ca_bundle()

        if ca_cert:
            # Ensure accessible by keystone ssh user and group (unison)
            install_ca_cert(ca_cert)
            ensure_permissions(CA_CERT_PATH,
                               user=SSH_USER,
                               group=KEYSTONE_USER,
                               perms=0o0644)
コード例 #15
0
    def __call__(self):
        ''' Grab cert and key from configuration for SSL config '''
        ca_cert = get_ca_cert()
        if ca_cert:
            install_ca_cert(b64decode(ca_cert))

        ssl_cert, ssl_key = get_cert()
        if all([ssl_cert, ssl_key]):
            with open('/etc/ssl/certs/dashboard.cert', 'w') as cert_out:
                cert_out.write(b64decode(ssl_cert))
            with open('/etc/ssl/private/dashboard.key', 'w') as key_out:
                key_out.write(b64decode(ssl_key))
            os.chmod('/etc/ssl/private/dashboard.key', 0600)
            ctxt = {
                'ssl_configured': True,
                'ssl_cert': '/etc/ssl/certs/dashboard.cert',
                'ssl_key': '/etc/ssl/private/dashboard.key',
            }
        else:
            # Use snakeoil ones by default
            ctxt = {
                'ssl_configured': False,
            }
        return ctxt
コード例 #16
0
    def configure_ca(self):
        from keystone_utils import (
            SSH_USER,
            get_ca,
            ensure_permissions,
            is_ssl_cert_master,
        )

        if not is_cert_provided_in_config() and not is_ssl_cert_master():
            log("Not ssl-cert-master - skipping apache ca config until "
                "master is elected", level=INFO)
            return

        ca_cert = config('ssl_ca')
        if ca_cert is None:
            ca = get_ca(user=SSH_USER)
            ca_cert = ca.get_ca_bundle()
        else:
            ca_cert = b64decode(ca_cert)

        # Ensure accessible by keystone ssh user and group (unison)
        install_ca_cert(ca_cert)
        ensure_permissions(CA_CERT_PATH, user=SSH_USER, group='keystone',
                           perms=0o0644)
コード例 #17
0
 def configure_ca(self):
     ca_cert = get_ca_cert()
     if ca_cert:
         install_ca_cert(b64decode(ca_cert))
コード例 #18
0
def keystone_changed():
    CONFIGS.write_all()
    if relation_get('ca_cert'):
        install_ca_cert(b64decode(relation_get('ca_cert')))
コード例 #19
0
def nm_changed():
    CONFIGS.write_all()
    if relation_get('ca_cert'):
        install_ca_cert(relation_get('ca_cert'))
コード例 #20
0
def keystone_changed():
    CONFIGS.write(LOCAL_SETTINGS)
    if relation_get('ca_cert'):
        install_ca_cert(relation_get('ca_cert'))
コード例 #21
0
ファイル: context.py プロジェクト: wuwenbin2/onos-controller
 def configure_ca(self):
     ca_cert = get_ca_cert()
     if ca_cert:
         install_ca_cert(b64decode(ca_cert))
コード例 #22
0
def keystone_changed():
    CONFIGS.write_all()
    if relation_get('ca_cert'):
        install_ca_cert(b64decode(relation_get('ca_cert')))
コード例 #23
0
def keystone_changed():
    CONFIGS.write(LOCAL_SETTINGS)
    if relation_get('ca_cert'):
        install_ca_cert(b64decode(relation_get('ca_cert')))