コード例 #1
ファイル: _ca.py プロジェクト: achanda/flocker
    def generate(cls, directory, control_hostname, num_nodes, cluster_id=None):
        """
        Generate certificates in the given directory.

        A root credential named ``acceptance-cluster`` is initialised in
        ``directory``; ``flocker-ca`` is then run there to issue a control
        certificate, one API certificate and ``num_nodes`` node certificates.
        The generated files are renamed to ``user.*`` and ``node-<n>.*``.

        :param FilePath directory: Directory to use for certificate authority.
        :param bytes control_hostname: The hostname of the control service.
        :param int num_nodes: Number of nodes in the cluster.
        :param UUID cluster_id: The unique identifier of the cluster for which
            the certificates are being generated.  If not given, a random
            identifier will be generated.

        :return: ``Certificates`` instance.
        """
        # NOTE(review): every ``.key`` file handled below stays in
        # ``directory`` and nothing in this method sets permissions on it --
        # presumably the caller or flocker-ca restricts access; confirm.
        RootCredential.initialize(
            directory, b"acceptance-cluster", cluster_id=cluster_id,
        )

        def flocker_ca(*arguments):
            # An argv list is used, so no shell parses ``control_hostname``.
            command = [b"flocker-ca"]
            command.extend(arguments)
            check_call(command, cwd=directory.path)

        flocker_ca(b"create-control-certificate", control_hostname)
        flocker_ca(b"create-api-certificate", b"allison")
        # Rename to user.crt/user.key so we can use this folder directly
        # from flocker-deploy and other clients:
        for generated, client_name in ((b"allison.crt", b"user.crt"),
                                       (b"allison.key", b"user.key")):
            directory.child(generated).moveTo(directory.child(client_name))
        for _ in range(num_nodes):
            flocker_ca(b"create-node-certificate")
        # Node certificates are picked up by their UUID-shaped file names;
        # the matching key is the same path with ``crt`` swapped for ``key``.
        node_certificates = directory.globChildren(b"????????-????-*.crt")
        for index, certificate in enumerate(node_certificates):
            private_key = FilePath(certificate.path[:-3] + b"key")
            certificate.moveTo(directory.child(b"node-%d.crt" % (index,)))
            private_key.moveTo(directory.child(b"node-%d.key" % (index,)))
        return cls(directory)
コード例 #2
ファイル: test_cinder.py プロジェクト: tjb1019/flocker
 def test_verify_ca_path_no_match_fails(self):
     """
     With a CA file that does not match any CA, connection to the
     OpenStack servers fails.

     A fresh root credential is generated in a temporary directory and its
     certificate is passed as ``peer_ca_path`` with ``peer_verify``
     enabled; requesting a token must then raise ``BadRequest``.
     """
     ca_directory = self.make_temporary_directory()
     RootCredential.initialize(ca_directory, b"mycluster")
     # Certificate of the CA created just above, used as the trust anchor.
     unrelated_ca = ca_directory.child(AUTHORITY_CERTIFICATE_FILENAME)
     overrides = {
         "peer_verify": True,
         "peer_ca_path": unrelated_ca.path,
     }
     session = self.session_for_test(config_override=overrides)
     self.assertRaises(BadRequest, session.get_token)
コード例 #3
ファイル: test_cinder.py プロジェクト: maskofG/flocker
 def test_verify_ca_path_no_match_fails(self):
     """
     With a CA file that does not match any CA, connection to the
     OpenStack servers fails.

     The CA certificate comes from a root credential created inside this
     test, and ``peer_verify`` is switched on, so ``get_token`` is expected
     to raise ``BadRequest``.
     """
     scratch = self.make_temporary_directory()
     RootCredential.initialize(scratch, b"mycluster")
     ca_certificate_path = scratch.child(AUTHORITY_CERTIFICATE_FILENAME).path
     # Verification stays enabled; only the trusted CA is replaced.
     session = self.session_for_test(
         config_override=dict(
             peer_verify=True,
             peer_ca_path=ca_certificate_path,
         ),
     )
     self.assertRaises(BadRequest, session.get_token)
コード例 #4
ファイル: test_cinder.py プロジェクト: AndyHuu/flocker
 def test_verify_ca_path_no_match_fails(self):
     """
     With a CA file that does not match any CA, connection to the
     OpenStack servers fails.

     A root credential is generated in a new directory and its certificate
     is supplied as ``peer_ca_path`` with ``peer_verify=True``.  The test
     is skipped when the block device configuration is invalid.
     """
     ca_directory = FilePath(self.mktemp())
     ca_directory.makedirs()
     RootCredential.initialize(ca_directory, b"mycluster")
     unrelated_ca = ca_directory.child(AUTHORITY_CERTIFICATE_FILENAME)
     try:
         # NOTE(review): the password is overridden with a dummy value, so
         # the final assertFalse could also hold because of the password
         # rather than the CA mismatch -- confirm what _authenticates_ok
         # actually distinguishes.
         _api_class, api_kwargs = get_blockdeviceapi_args(
             ProviderType.openstack,
             backend='openstack',
             auth_plugin='password',
             password='******',
             peer_verify=True,
             peer_ca_path=unrelated_ca.path,
         )
     except InvalidConfig as error:
         raise SkipTest(str(error))
     cinder_client = api_kwargs['cinder_client']
     self.assertFalse(self._authenticates_ok(cinder_client))
コード例 #5
ファイル: test_cinder.py プロジェクト: agonzalezro/flocker
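    def create_credentials():
        """
        Create PKI credentials for TLS access to libvirtd.

        Credentials are not signed by the host CA. This only allows
        unverified access but removes the need to transfer files
        between the host and the guest.

        A root credential and a ``client`` node credential are generated in
        a temporary directory.  The CA certificate, client key and client
        certificate are then copied to fixed paths under ``/etc/pki``, and
        the temporary directory is removed even if a step fails.
        """
        path = FilePath(tempfile.mkdtemp())
        try:
            ca = RootCredential.initialize(path, b"mycluster")
            NodeCredential.initialize(path, ca, uuid='client')
            ca_dir = FilePath('/etc/pki/CA')
            if not ca_dir.exists():
                ca_dir.makedirs()
            # Only the CA certificate is installed; whatever else the root
            # credential wrote is discarded with the temporary directory.
            path.child(AUTHORITY_CERTIFICATE_FILENAME).copyTo(
                FilePath('/etc/pki/CA/cacert.pem')
            )
            client_key_dir = FilePath('/etc/pki/libvirt/private')
            if not client_key_dir.exists():
                client_key_dir.makedirs()
            # ``0o700`` is the octal spelling accepted by Python 2.6+ and
            # Python 3; the legacy ``0700`` form is a syntax error on 3.
            client_key_dir.chmod(0o700)
            client_key = client_key_dir.child('clientkey.pem')
            path.child('client.key').copyTo(client_key)
            # The copy does not set a mode here, so restrict the private key
            # explicitly instead of relying on the directory mode and umask.
            client_key.chmod(0o600)
            path.child('client.crt').copyTo(
                FilePath('/etc/pki/libvirt/clientcert.pem')
            )
        finally:
            path.remove()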
コード例 #6
ファイル: test_cinder.py プロジェクト: sloblee/flocker
 def test_verify_ca_path_no_match_fails(self):
     """
     With a CA file that does not match any CA, connection to the
     OpenStack servers fails.

     The CA file is the certificate of a root credential created inside
     this test; it is passed as ``peer_ca_path`` while ``peer_verify`` is
     on.  An invalid block device configuration skips the test.
     """
     scratch = FilePath(self.mktemp())
     scratch.makedirs()
     RootCredential.initialize(scratch, b"mycluster")
     ca_certificate_path = scratch.child(AUTHORITY_CERTIFICATE_FILENAME).path
     # NOTE(review): a dummy password is part of the overrides, so a False
     # result from _authenticates_ok may not be caused by the CA mismatch
     # alone -- confirm against that helper.
     overrides = dict(
         backend='openstack',
         auth_plugin='password',
         password='******',
         peer_verify=True,
         peer_ca_path=ca_certificate_path,
     )
     try:
         _unused_cls, kwargs = get_blockdeviceapi_args(
             ProviderType.openstack, **overrides)
     except InvalidConfig as error:
         raise SkipTest(str(error))
     authenticated = self._authenticates_ok(kwargs['cinder_client'])
     self.assertFalse(authenticated)
コード例 #7
    def generate(cls,
                 directory,
                 control_hostname,
                 num_nodes,
                 cluster_name,
                 cluster_id=None):
        """
        Generate certificates in the given directory.

        A root credential is initialised in ``directory``, then
        ``flocker-ca`` is run there to create the control certificate, an
        API certificate and one node certificate per node.  Generated files
        are renamed to ``user.*`` and ``node-<n>.*``.

        :param FilePath directory: Directory to use for certificate authority.
        :param bytes control_hostname: The hostname of the control service.
        :param int num_nodes: Number of nodes in the cluster.
        :param cluster_name: Name handed to ``RootCredential.initialize``
            for the new certificate authority.
        :param UUID cluster_id: The unique identifier of the cluster for which
            the certificates are being generated.  If not given, a random
            identifier will be generated.

        :return: ``Certificates`` instance.
        """
        # NOTE(review): the private keys renamed below all live in
        # ``directory``; this method never sets permissions on it, so access
        # control is presumably left to the caller or flocker-ca -- confirm.
        RootCredential.initialize(
            directory,
            cluster_name,
            cluster_id=cluster_id,
        )
        working_directory = directory.path

        def invoke_ca(*arguments):
            # argv list, no shell: arguments reach flocker-ca unparsed.
            check_call(
                [b"flocker-ca"] + list(arguments), cwd=working_directory)

        invoke_ca(b"create-control-certificate", control_hostname)
        invoke_ca(b"create-api-certificate", b"allison")
        # Rename to user.crt/user.key so we can use this folder directly
        # from clients:
        api_certificate = directory.child(b"allison.crt")
        api_certificate.moveTo(directory.child(b"user.crt"))
        api_key = directory.child(b"allison.key")
        api_key.moveTo(directory.child(b"user.key"))
        remaining = num_nodes
        while remaining > 0:
            invoke_ca(b"create-node-certificate")
            remaining -= 1
        # Node credentials are found by their UUID-shaped file names and
        # renumbered in whatever order the glob returns them.
        index = 0
        for certificate in directory.globChildren(b"????????-????-*.crt"):
            key = FilePath(certificate.path[:-3] + b"key")
            certificate.moveTo(directory.child(b"node-%d.crt" % (index, )))
            key.moveTo(directory.child(b"node-%d.key" % (index, )))
            index += 1
        return cls(directory)
コード例 #8
 def test_verify_ca_path_no_match_fails(self):
     """
     With a CA file that does not match any CA, connection to the
     OpenStack servers fails.

     The block device configuration is loaded (the test is skipped if it
     is invalid) and overridden so that peer verification uses the
     certificate of a root credential generated inside this test.
     """
     ca_directory = FilePath(self.mktemp())
     ca_directory.makedirs()
     RootCredential.initialize(ca_directory, b"mycluster")
     try:
         config = get_blockdevice_config(ProviderType.openstack)
     except InvalidConfig as error:
         raise SkipTest(str(error))
     unrelated_ca = ca_directory.child(AUTHORITY_CERTIFICATE_FILENAME)
     # NOTE(review): the password is replaced by a dummy value as well, so
     # the assertFalse below could hold for that reason instead of the CA
     # mismatch -- confirm what _authenticates_ok distinguishes.
     overrides = (
         ('backend', 'openstack'),
         ('auth_plugin', 'password'),
         ('password', '******'),
         ('peer_verify', True),
         ('peer_ca_path', unrelated_ca.path),
     )
     for key, value in overrides:
         config[key] = value
     session = get_keystone_session(**config)
     region = get_openstack_region_for_test()
     cinder_client = get_cinder_v1_client(session, region)
     self.assertFalse(self._authenticates_ok(cinder_client))
コード例 #9
ファイル: test_cinder.py プロジェクト: wangbinxiang/flocker
 def test_verify_ca_path_no_match_fails(self):
     """
     With a CA file that does not match any CA, connection to the
     OpenStack servers fails.

     A root credential is created in a new directory and its certificate
     becomes ``peer_ca_path`` with ``peer_verify`` set; the resulting
     cinder client must not authenticate.  An invalid block device
     configuration skips the test.
     """
     scratch = FilePath(self.mktemp())
     scratch.makedirs()
     RootCredential.initialize(scratch, b"mycluster")
     try:
         config = get_blockdevice_config(ProviderType.openstack)
     except InvalidConfig as error:
         self.skipTest(str(error))
     ca_certificate_path = scratch.child(
         AUTHORITY_CERTIFICATE_FILENAME).path
     # NOTE(review): a dummy password is set here too; a False result may
     # therefore not be attributable to the CA mismatch alone -- confirm.
     for key, value in (('backend', 'openstack'),
                        ('auth_plugin', 'password'),
                        ('password', '******'),
                        ('peer_verify', True),
                        ('peer_ca_path', ca_certificate_path)):
         config[key] = value
     cinder_client = get_cinder_v1_client(
         get_keystone_session(**config),
         get_openstack_region_for_test(),
     )
     authenticated = self._authenticates_ok(cinder_client)
     self.assertFalse(authenticated)
コード例 #10
    def create_credentials(path):
        """
        Create PKI credentials for TLS access to libvirtd.

        Credentials are not signed by the host CA. This only allows
        unverified access but removes the need to transfer files
        between the host and the guest.

        A root credential and a ``client`` node credential are generated in
        ``path`` and the resulting files are renamed in place.
        """
        # Create CA and client key pairs
        root = RootCredential.initialize(path, b"CA")
        authority_certificate = path.child(AUTHORITY_CERTIFICATE_FILENAME)
        NodeCredential.initialize(path, root, uuid='client')
        # Files must have specific names in the pkipath directory
        authority_certificate.moveTo(path.child('cacert.pem'))
        for generated, expected in (('client.key', 'clientkey.pem'),
                                    ('client.crt', 'clientcert.pem')):
            path.child(generated).moveTo(path.child(expected))
コード例 #11
ファイル: test_cinder.py プロジェクト: maskofG/flocker
    def create_credentials(path):
        """
        Create PKI credentials for TLS access to libvirtd.

        Credentials are not signed by the host CA. This only allows
        unverified access but removes the need to transfer files
        between the host and the guest.

        Everything is generated inside ``path``; the CA certificate, client
        key and client certificate are then renamed there.
        """
        # Create CA and client key pairs
        authority = RootCredential.initialize(path, b"CA")
        generated_ca = path.child(AUTHORITY_CERTIFICATE_FILENAME)
        NodeCredential.initialize(path, authority, uuid='client')
        # Files must have specific names in the pkipath directory
        generated_ca.moveTo(path.child('cacert.pem'))
        generated_key = path.child('client.key')
        generated_key.moveTo(path.child('clientkey.pem'))
        generated_certificate = path.child('client.crt')
        generated_certificate.moveTo(path.child('clientcert.pem'))