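def configure_rabbit_ssl():
    """Apply the charm's SSL configuration to the RabbitMQ server.

    The legacy config support adds some additional complications:

        ssl_enabled = True,  ssl = off -> ssl enabled
        ssl_enabled = False, ssl = on  -> ssl enabled

    With SSL off the generated RabbitMQ config file is removed, the SSL
    port is closed and clients are reconfigured without SSL.  Otherwise the
    key, certificate and CA are taken from config (externally managed CA)
    or from the charm's own ServiceCA, the server is enabled for SSL,
    clients are reconfigured and the SSL port is opened.

    Exits the process with status 1 when only one of ssl_key / ssl_cert is
    supplied: a half-configured externally managed certificate is unusable.
    """
    import errno  # local import: the module import block is not in view

    ssl_mode, external_ca = _get_ssl_mode()
    if ssl_mode == 'off':
        # Remove unconditionally and tolerate "already gone" instead of an
        # exists()/remove() pair, which races with anything else touching
        # the file between the two calls.
        try:
            os.remove(rabbit.RABBITMQ_CONF)
        except OSError as err:
            if err.errno != errno.ENOENT:
                raise
        close_port(config('ssl_port'))
        reconfigure_client_ssl()
        return

    ssl_key = _convert_from_base64(config('ssl_key'))
    ssl_cert = _convert_from_base64(config('ssl_cert'))
    ssl_ca = _convert_from_base64(config('ssl_ca'))
    ssl_port = config('ssl_port')

    # Externally managed certs: once either the key or the cert is given,
    # both are required; this is a misconfiguration, not a fallback case.
    if (ssl_mode in ('on', 'only') and
            any((ssl_key, ssl_cert)) and
            not all((ssl_key, ssl_cert))):
        log('If ssl_key or ssl_cert are specified both are required.',
            level=ERROR)
        sys.exit(1)

    if not external_ca:
        # Charm-managed CA: key, cert and CA all come from it and override
        # whatever (if anything) was set in config.
        ssl_cert, ssl_key, ssl_ca = ServiceCA.get_service_cert()

    rabbit.enable_ssl(
        ssl_key, ssl_cert, ssl_port, ssl_ca,
        ssl_only=(ssl_mode == "only"), ssl_client=False)
    reconfigure_client_ssl(True)
    open_port(ssl_port)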
class CA(object):
    """Certificate authority used by the RabbitMQ amulet tests.

    Wraps a ``ServiceCA`` rooted at ``CA_PATH`` and exposes the server key,
    the server certificate and the path of the CA certificate.
    """

    # Name of the rabbit certificate authority.
    CA_NAME = 'rabbit-server-ca'
    # The CA lives in a temporary location because it is rebuilt for every
    # amulet run.
    # NOTE(review): this is a fixed, predictable path under /tmp and it holds
    # the server private key (see get_key); acceptable for throwaway test
    # runs on a single-user host, not for anything persistent or shared.
    CA_PATH = '/tmp/rabbit-server-ca'
    # Common name of the server certificate.
    COMMON_NAME = 'rabbitmq-server'

    def __init__(self):
        self.ca = ServiceCA(self.CA_NAME, self.CA_PATH)
        self.ca.init()
        self.ca.get_or_create_cert(self.COMMON_NAME)

    def _cert_file(self, filename):
        """Return the path of *filename* inside the CA's ``certs`` directory."""
        return os.path.join(self.CA_PATH, 'certs', filename)

    def _load_file(self, path):
        """Return the full contents of the text file at *path*."""
        with open(path) as fh:
            return fh.read()

    def get_key(self):
        """Return the contents of the rabbitmq private key."""
        return self._load_file(self._cert_file('rabbitmq-server.key'))

    def get_cert(self):
        """Return the contents of the rabbitmq certificate."""
        return self._load_file(self._cert_file('rabbitmq-server.crt'))

    def ca_cert_path(self):
        """Return the path of the certificate authority certificate."""
        return os.path.join(self.CA_PATH, 'cacert.pem')
def configure_client_ssl(relation_data):
    """Populate *relation_data* with the SSL settings clients need.

    Nothing is set while SSL is off.  Otherwise the SSL port is always
    published; the CA is the operator-supplied ``ssl_ca`` when an external
    CA is in use (omitted if none is configured), else the charm's own
    ServiceCA bundle.  Either is published base64-encoded.
    """
    ssl_mode, external_ca = get_ssl_mode()
    if ssl_mode == 'off':
        return

    relation_data['ssl_port'] = config('ssl_port')

    if not external_ca:
        bundle = ServiceCA.get_ca().get_ca_bundle()
        relation_data['ssl_ca'] = base64.b64encode(bundle)
        return

    configured_ca = config('ssl_ca')
    if configured_ca:
        relation_data['ssl_ca'] = base64.b64encode(configured_ca)
def __call__(self):
    """Build the SSL context for the RabbitMQ server and apply it.

    The legacy config support adds some additional complications:

        ssl_enabled = True,  ssl = off -> ssl enabled
        ssl_enabled = False, ssl = on  -> ssl enabled

    Returns a dict holding at least ``ssl_mode``; when SSL is enabled it is
    extended with whatever ``self.enable_ssl`` returns.  Certificates
    provided over a relation are reported as mode ``'on'``.  Exits the
    process with status 1 when only one of ssl_key / ssl_cert is set.
    """
    ssl_mode, external_ca = ssl_utils.get_ssl_mode()
    ctxt = {'ssl_mode': ssl_mode}

    if ssl_mode == 'off':
        close_port(config('ssl_port'))
        ssl_utils.reconfigure_client_ssl()
        return ctxt

    # Pick where the (base64) key/cert/CA come from: the relation data or
    # the charm config.
    if ssl_mode == ssl_utils.CERTS_FROM_RELATION:
        relation_certs = ssl_utils.get_relation_cert_data()
        ctxt['ssl_mode'] = 'on'
        lookup = relation_certs.__getitem__
        names = ('key', 'cert', 'ca')
    else:
        lookup = config
        names = ('ssl_key', 'ssl_cert', 'ssl_ca')
    ssl_key, ssl_cert, ssl_ca = [convert_from_base64(lookup(n)) for n in names]
    ssl_port = config('ssl_port')

    # Externally managed certs: once either the key or the cert is given,
    # both are required.
    half_configured = (ssl_mode in ('on', 'only') and
                       any((ssl_key, ssl_cert)) and
                       not all((ssl_key, ssl_cert)))
    if half_configured:
        log('If ssl_key or ssl_cert are specified both are required.',
            level=ERROR)
        sys.exit(1)

    if not external_ca:
        # Charm-managed CA supplies all three, overriding config values.
        ssl_cert, ssl_key, ssl_ca = ServiceCA.get_service_cert()

    ctxt.update(self.enable_ssl(
        ssl_key, ssl_cert, ssl_port, ssl_ca,
        ssl_only=(ssl_mode == "only"), ssl_client=False))
    ssl_utils.reconfigure_client_ssl(True)
    open_port(ssl_port)
    return ctxt
def configure_client_ssl(relation_data):
    """Publish the SSL port and CA (base64) to *relation_data*.

    Does nothing while SSL is off.  With an external CA the operator's
    ``ssl_ca`` is published when set (and nothing otherwise); with the
    charm-managed CA the ServiceCA bundle is published.
    """
    ssl_mode, external_ca = _get_ssl_mode()
    if ssl_mode != 'off':
        relation_data['ssl_port'] = config('ssl_port')
        if external_ca:
            ca_pem = config('ssl_ca')
            if ca_pem:
                relation_data['ssl_ca'] = base64.b64encode(ca_pem)
        else:
            bundle = ServiceCA.get_ca().get_ca_bundle()
            relation_data['ssl_ca'] = base64.b64encode(bundle)
def __call__(self):
    """Build the SSL context for the RabbitMQ server and apply it.

    The legacy config support adds some additional complications:

        ssl_enabled = True,  ssl = off -> ssl enabled
        ssl_enabled = False, ssl = on  -> ssl enabled

    Returns a dict with at least ``ssl_mode`` (relation-provided certs are
    reported as ``'on'``), extended with the result of ``self.enable_ssl``
    when SSL is enabled.  Exits the process with status 1 when only one of
    ssl_key / ssl_cert is configured.
    """
    ssl_mode, external_ca = ssl_utils.get_ssl_mode()
    ctxt = {'ssl_mode': ssl_mode}
    if ssl_mode == 'off':
        close_port(config('ssl_port'))
        ssl_utils.reconfigure_client_ssl()
        return ctxt

    if ssl_mode == ssl_utils.CERTS_FROM_RELATION:
        relation_certs = ssl_utils.get_relation_cert_data()
        ctxt['ssl_mode'] = 'on'
        ssl_key = convert_from_base64(relation_certs['key'])
        ssl_cert = convert_from_base64(relation_certs['cert'])
        ssl_ca = convert_from_base64(relation_certs['ca'])
    else:
        ssl_key = convert_from_base64(config('ssl_key'))
        ssl_cert = convert_from_base64(config('ssl_cert'))
        ssl_ca = convert_from_base64(config('ssl_ca'))
    ssl_port = config('ssl_port')

    # Externally managed certs: a key without a cert (or the reverse) is a
    # misconfiguration.
    if ssl_mode in ('on', 'only'):
        supplied = [bool(item) for item in (ssl_key, ssl_cert)]
        if any(supplied) and not all(supplied):
            log('If ssl_key or ssl_cert are specified both are required.',
                level=ERROR)
            sys.exit(1)

    if not external_ca:
        # Charm-managed CA: its cert, key and CA replace the config values.
        ssl_cert, ssl_key, ssl_ca = ServiceCA.get_service_cert()

    ssl_only = ssl_mode == "only"
    ctxt.update(self.enable_ssl(
        ssl_key, ssl_cert, ssl_port, ssl_ca,
        ssl_only=ssl_only, ssl_client=False
    ))
    ssl_utils.reconfigure_client_ssl(True)
    open_port(ssl_port)
    return ctxt
def configure_client_ssl(relation_data):
    """Publish the SSL port and CA (base64) to *relation_data*.

    Nothing is published while SSL is off.  The CA comes from, in order:
    the relation-provided cert data (CA plus chain when a chain is present);
    the operator's ``ssl_ca`` when an external CA is in use (encoded only
    when it looks like PEM, otherwise passed through as-is, and skipped
    entirely when unset); or the charm's own ServiceCA bundle.
    """
    ssl_mode, external_ca = get_ssl_mode()
    if ssl_mode == 'off':
        return

    relation_data['ssl_port'] = config('ssl_port')

    if ssl_mode == CERTS_FROM_RELATION:
        relation_certs = get_relation_cert_data()
        ca_data = relation_certs['ca']
        chain = relation_certs.get('chain')
        if chain:
            ca_data += chain
        relation_data['ssl_ca'] = b64encoded_string(ca_data)
        return

    if external_ca:
        configured_ca = config('ssl_ca')
        if configured_ca:
            # A PEM body is encoded here; anything else is taken to be
            # base64 already and published untouched.
            if "BEGIN CERTIFICATE" in configured_ca:
                relation_data['ssl_ca'] = b64encoded_string(configured_ca)
            else:
                relation_data['ssl_ca'] = configured_ca
        return

    relation_data['ssl_ca'] = b64encoded_string(
        ServiceCA.get_ca().get_ca_bundle())
def __init__(self):
    """Initialise the ServiceCA at CA_PATH and get-or-create the server cert."""
    self.ca = ca = ServiceCA(self.CA_NAME, self.CA_PATH)
    ca.init()
    ca.get_or_create_cert(self.COMMON_NAME)