def setup_apache2(self):
    """Configure Apache2 for SimpleSAMLphp behind a fresh self-signed certificate.

    Creates ``/etc/apache2/ssl``, writes a new 2048-bit key/certificate pair
    with the unit hostname as CN, renders the ports and site templates from
    the charm's ``http-port``/``https-port`` config, enables mod_ssl, swaps
    the stock default sites for ``simplesamlphp.conf`` and restarts apache2.
    Every call regenerates the key pair; nothing is cached.
    """
    os.makedirs('/etc/apache2/ssl', exist_ok=True)
    # NOTE(review): file permissions on the private key are whatever
    # ssl.generate_selfsigned sets — confirm it is not group/world readable.
    ssl.generate_selfsigned(
        keyfile='/etc/apache2/ssl/private.key',
        certfile='/etc/apache2/ssl/cert.crt',
        keysize=2048,
        cn=get_unit_hostname(),
    )

    # Both templates receive the same port pair; each entry gets its own
    # copy of the context so the renderer cannot alias them.
    port_context = {
        'http_port': self.config['http-port'],
        'https_port': self.config['https-port'],
    }
    templates = (
        ('apache2/ports.conf.j2', '/etc/apache2/ports.conf'),
        ('apache2/simplesamlphp.conf.j2',
         '/etc/apache2/sites-available/simplesamlphp.conf'),
    )
    render_configs([
        {'template': template, 'output': output, 'context': dict(port_context)}
        for template, output in templates
    ])

    # Order matters: the default sites must be disabled before the
    # simplesamlphp site is enabled, then apache2 is restarted to pick it up.
    for command in (
        ['a2enmod', 'ssl'],
        ['a2dissite', '000-default.conf', 'default-ssl.conf'],
        ['a2ensite', 'simplesamlphp.conf'],
    ):
        subprocess.check_call(command)
    service_restart('apache2')
def test_generate_selfsigned_file(self, mock_call):
    """An explicit openssl config file is forwarded as ``-config``.

    With no ``keysize`` given the helper is expected to request a 1024-bit
    RSA key and a 365-day validity.
    NOTE(review): 1024-bit RSA is well below the commonly recommended
    2048-bit minimum; callers should pass ``keysize`` explicitly.
    """
    ssl.generate_selfsigned("mykey.key", "mycert.crt", config="test.cnf")

    expected_cmd = ['/usr/bin/openssl', 'req', '-new', '-newkey', 'rsa:1024',
                    '-days', '365', '-nodes', '-x509']
    expected_cmd += ['-keyout', 'mykey.key', '-out', 'mycert.crt']
    expected_cmd += ['-config', 'test.cnf']
    mock_call.assert_called_with(expected_cmd)
def test_generate_selfsigned_cn_key(self, mock_call):
    """``keysize`` and ``cn`` are mapped to ``-newkey rsa:<size>`` and ``-subj /CN=<cn>``.

    ``keysize`` is passed as a string here; the expectation shows it is
    interpolated verbatim into the ``rsa:`` argument.
    """
    ssl.generate_selfsigned("mykey.key", "mycert.crt",
                            keysize="2048", cn="mysite.example.com")

    expected_cmd = ['/usr/bin/openssl', 'req', '-new', '-newkey', 'rsa:2048',
                    '-days', '365', '-nodes', '-x509']
    expected_cmd += ['-keyout', 'mykey.key', '-out', 'mycert.crt']
    expected_cmd += ['-subj', '/CN=mysite.example.com']
    mock_call.assert_called_with(expected_cmd)
def generate_cert(common_name=None, key='/srv/kubernetes/apiserver.key', cert='/srv/kubernetes/apiserver.crt'):
    """Create the self-signed certificate and key used to enable TLS for Kubernetes.

    Args:
        common_name: CN for the certificate; when falsy the unit's
            ``public-address`` is used instead.
        key: path the private key is written to.
        cert: path the certificate is written to.

    Existing files at ``key`` or ``cert`` are overwritten; a WARNING is
    logged first so the overwrite is visible in the unit log.
    """
    hookenv.log('Generating new self signed certificate and key', 'INFO')
    cn = common_name or hookenv.unit_get('public-address')

    # Short-circuits like the original `or`: cert is only stat'ed when key is absent.
    if any(os.path.isfile(path) for path in (key, cert)):
        hookenv.log('Overwriting the existing certificate or key', 'WARNING')

    hookenv.log('Generating certificate for {0}'.format(cn), 'INFO')
    # Self-signed certificate with the public address (or given CN) as subject.
    # https://pythonhosted.org/charmhelpers/api/charmhelpers.contrib.ssl.html
    ssl.generate_selfsigned(key, cert, cn=cn)
def test_generate_selfsigned_failure(self, mock_log):
    """A subject dict without a ``cn`` key makes the helper return a falsy result.

    Country and locality alone are not a usable subject; the helper is
    expected to refuse rather than emit a certificate with no CN.
    """
    incomplete_subject = {"country": "UK", "locality": "my_locality"}
    outcome = ssl.generate_selfsigned("mykey.key", "mycert.crt",
                                      subject=incomplete_subject)
    self.assertFalse(outcome)
def test_generate_selfsigned_dict(self, mock_call):
    """A full subject dict is flattened into one ``-subj`` argument in C/ST/L/O/OU/CN/email order.

    NOTE(review): the email value and the trailing subject component as
    shown here look redaction-altered; confirm the real expectation against
    the helper before relying on this test for the email field.
    """
    full_subject = {
        "country": "UK",
        "locality": "my_locality",
        "state": "my_state",
        "organization": "my_organization",
        "organizational_unit": "my_unit",
        "cn": "mysite.example.com",
        "email": "*****@*****.**",
    }
    ssl.generate_selfsigned("mykey.key", "mycert.crt", subject=full_subject)

    expected_subj = ''.join([
        '/C=UK/ST=my_state/L=my_locality',
        '/O=my_organization/OU=my_unit',
        '/CN=mysite.example.com',
        '/[email protected]',
    ])
    expected_cmd = ['/usr/bin/openssl', 'req', '-new', '-newkey', 'rsa:1024',
                    '-days', '365', '-nodes', '-x509']
    expected_cmd += ['-keyout', 'mykey.key', '-out', 'mycert.crt']
    expected_cmd += ['-subj', expected_subj]
    mock_call.assert_called_with(expected_cmd)
def setup_simplesamlphp(self):
    """Download the configured SimpleSAMLphp release and give it a self-signed server key pair.

    Fetches ``simplesamlphp-<version>.tar.gz`` from ``BASE_DOWNLOAD_URL``
    into the parent of ``DEST_DIR`` (retrying on error), renames the
    versioned extract to ``DEST_DIR``, writes ``cert/server.pem`` and
    ``cert/server.crt`` inside it, and hands both files to the Apache
    user/group.
    """
    # NOTE(review): os.rmdir only removes an *empty* directory; a populated
    # DEST_DIR from an earlier install raises OSError here — confirm whether
    # that is intended or a recursive removal was meant.
    if os.path.exists(self.DEST_DIR):
        os.rmdir(self.DEST_DIR)

    version = self.config.get('simple-saml-php-version')
    source_url = '{0}/v{1}/simplesamlphp-{1}.tar.gz'.format(
        self.BASE_DOWNLOAD_URL, version)
    install_with_retry = retry_on_error()(ArchiveUrlFetchHandler().install)
    install_with_retry(source=source_url, dest=os.path.dirname(self.DEST_DIR))
    # The archive unpacks to "<DEST_DIR>-<version>"; normalise to DEST_DIR.
    os.rename('{0}-{1}'.format(self.DEST_DIR, version), self.DEST_DIR)

    key_file = '{0}/cert/server.pem'.format(self.DEST_DIR)
    cert_file = '{0}/cert/server.crt'.format(self.DEST_DIR)
    ssl.generate_selfsigned(keyfile=key_file, certfile=cert_file,
                            keysize=2048, cn=get_unit_hostname())

    # Ownership goes to the Apache user so the web server can read the key;
    # NOTE(review): mode bits are left to generate_selfsigned — confirm the
    # private key is not readable beyond that user.
    apache_uid = pwd.getpwnam(self.APACHE_USER).pw_uid
    apache_gid = grp.getgrnam(self.APACHE_GROUP).gr_gid
    for path in (key_file, cert_file):
        os.chown(path, apache_uid, apache_gid)