def _update_certificates(self):
"""Delete and insert certificates needed for syncing from CDN repositories."""
# Remove all previously used certs/keys
self._remove_certificates()
# Read RHSM cert
f = open(constants.CA_CERT_PATH, 'r')
try:
ca_cert = f.read()
finally:
if f is not None:
f.close()
if not satCerts.verify_certificate_dates(str(ca_cert)):
log2(0, 0, "WARNING: '%s' certificate is not valid." % constants.CA_CERT_PATH, stream=sys.stderr)
# Insert RHSM cert and certs from manifest into DB
satCerts.store_rhnCryptoKey(
constants.CA_CERT_NAME, ca_cert, None)
for entitlement in self.manifest.get_all_entitlements():
creds = entitlement.get_credentials()
cert_name = constants.CLIENT_CERT_PREFIX + creds.get_id()
key_name = constants.CLIENT_KEY_PREFIX + creds.get_id()
if not satCerts.verify_certificate_dates(str(creds.get_cert())):
log2(0, 0, "WARNING: '%s' certificate is not valid." % cert_name, stream=sys.stderr)
satCerts.store_rhnCryptoKey(cert_name, creds.get_cert(), None)
satCerts.store_rhnCryptoKey(key_name, creds.get_key(), None)
def get_single_ssl_set(keys, check_dates=False):
"""Picks one of available SSL sets for given repository."""
if check_dates:
for ssl_set in keys:
if verify_certificate_dates(str(ssl_set['ca_cert'])) and \
(not ssl_set['client_cert'] or
verify_certificate_dates(str(ssl_set['client_cert']))):
return ssl_set
# Get first
else:
return keys[0]
return None
def get_crypto_keys(self, check_dates=False):
ssl_query = rhnSQL.prepare("""
select description, key from rhnCryptoKey where id = :id
""")
keys = {}
ssl_query.execute(id=self.ca_cert)
row = ssl_query.fetchone_dict()
keys['ca_cert'] = (str(row['description']), str(row['key']))
ssl_query.execute(id=self.client_cert)
row = ssl_query.fetchone_dict()
keys['client_cert'] = (str(row['description']), str(row['key']))
ssl_query.execute(id=self.client_key)
row = ssl_query.fetchone_dict()
keys['client_key'] = (str(row['description']), str(row['key']))
# Check if SSL certificates are usable
if check_dates:
failed = 0
for key in (keys['ca_cert'], keys['client_cert']):
if not verify_certificate_dates(key[1]):
log(
1, "WARNING: Problem with dates in certificate '%s'. "
"Please check validity of this certificate." % key[0])
failed += 1
if failed:
return {}
return keys
def get_crypto_keys(self, check_dates=False):
ssl_query = rhnSQL.prepare("""
select description, key, org_id from rhnCryptoKey where id = :id
""")
keys = {}
ssl_query.execute(id=self.ca_cert)
row = ssl_query.fetchone_dict()
keys['ca_cert'] = (str(row['description']), str(row['key']), row['org_id'])
ssl_query.execute(id=self.client_cert)
row = ssl_query.fetchone_dict()
keys['client_cert'] = (str(row['description']), str(row['key']), row['org_id'])
ssl_query.execute(id=self.client_key)
row = ssl_query.fetchone_dict()
keys['client_key'] = (str(row['description']), str(row['key']), row['org_id'])
# Check if SSL certificates are usable
if check_dates:
failed = 0
for key in (keys['ca_cert'], keys['client_cert']):
if not verify_certificate_dates(key[1]):
log(1, "WARNING: Problem with dates in certificate '%s'. "
"Please check validity of this certificate." % key[0])
failed += 1
if failed:
return {}
return keys
def print_cdn_certificates_info(self, repos=False):
keys = self._get_cdn_certificate_keys_and_certs()
if not keys:
log2(
0,
0,
"No SSL certificates were found. Is your %s activated for CDN?"
% PRODUCT_NAME,
stream=sys.stderr)
sys.exit(1)
for key in keys:
log(0, "======================================")
log(0, "| Certificate/Key: %s" % key['description'])
log(0, "======================================")
if constants.CA_CERT_NAME == key[
'description'] or constants.CLIENT_CERT_PREFIX in key[
'description']:
if not verify_certificate_dates(str(key['key'])):
log(0, "WARNING: This certificate is not valid.")
cn, serial_number, not_before, not_after = get_certificate_info(
str(key['key']))
log(0, "Common name: %s" % str(cn))
log(0, "Serial number: %s" % str(serial_number))
log(0, "Valid from: %s" % str(not_before))
log(0, "Valid to: %s" % str(not_after))
if constants.CLIENT_CERT_PREFIX in key['description']:
manager = CdnRepositoryManager(client_cert_id=int(key['id']))
self.cdn_repository_manager = manager
log(0, "Provided channels:")
channel_tree, not_available_channels = self._tree_available_channels(
)
if not channel_tree:
log(0, " NONE")
for base_channel in sorted(channel_tree):
if base_channel not in not_available_channels:
log(0, " * %s" % base_channel)
elif channel_tree[base_channel]:
log(
0, " * %s (only child channels provided)" %
base_channel)
for child_channel in sorted(channel_tree[base_channel]):
log(0, " * %s" % child_channel)
if repos:
log(0, "Provided repositories:")
provided_repos = self.cdn_repository_manager.list_provided_repos(
key['id'])
for repo in sorted(provided_repos):
log(0, " %s" % repo)
log(0, "")
def print_cdn_certificates_info(self, repos=False):
h = rhnSQL.prepare("""
SELECT ck.id, ck.description, ck.key
FROM rhnCryptoKeyType ckt,
rhnCryptoKey ck
WHERE ckt.label = 'SSL'
AND ckt.id = ck.crypto_key_type_id
AND ck.description LIKE 'CDN_%'
AND ck.org_id is NULL
ORDER BY ck.description
""")
h.execute()
keys = h.fetchall_dict() or []
if not keys:
log2(0, 0, "No SSL certificates were found. Is your %s activated for CDN?"
% PRODUCT_NAME, stream=sys.stderr)
return
for key in keys:
log(0, "======================================")
log(0, "| Certificate/Key: %s" % key['description'])
log(0, "======================================")
if constants.CA_CERT_NAME == key['description'] or constants.CLIENT_CERT_PREFIX in key['description']:
if not verify_certificate_dates(str(key['key'])):
log(0, "WARNING: This certificate is not valid.")
cn, serial_number, not_before, not_after = get_certificate_info(str(key['key']))
log(0, "Common name: %s" % str(cn))
log(0, "Serial number: %s" % str(serial_number))
log(0, "Valid from: %s" % str(not_before))
log(0, "Valid to: %s" % str(not_after))
if constants.CLIENT_CERT_PREFIX in key['description']:
manager = CdnRepositoryManager(client_cert_id=int(key['id']))
self.cdn_repository_manager = manager
log(0, "Provided channels:")
channel_tree, not_available_channels = self._tree_available_channels()
if not channel_tree:
log(0, " NONE")
for base_channel in sorted(channel_tree):
if base_channel not in not_available_channels:
log(0, " * %s" % base_channel)
elif channel_tree[base_channel]:
log(0, " * %s (only child channels provided)" % base_channel)
for child_channel in sorted(channel_tree[base_channel]):
log(0, " * %s" % child_channel)
if repos:
log(0, "Provided repositories:")
provided_repos = self.cdn_repository_manager.list_provided_repos(key['id'])
for repo in sorted(provided_repos):
log(0, " %s" % repo)
log(0, "")
def _msg_array_if_not_activated(self):
error_messages = []
keys = self._get_cdn_certificate_keys_and_certs()
if not keys:
error_messages.append("ERROR: Your %s is not activated for CDN\n"
"(to see details about currently used SSL certificates for accessing CDN:"
" /usr/bin/cdn-sync --cdn-certs)" % PRODUCT_NAME)
else:
found_valid_key = False
for key in keys:
if not found_valid_key:
if (constants.CA_CERT_NAME == key['description']
or constants.CLIENT_CERT_PREFIX in key['description']):
if verify_certificate_dates(str(key['key'])):
found_valid_key = True
if not found_valid_key:
error_messages.append("ERROR: Your %s has no valid SSL certificates for accessing CDN\n"
"(to see details about currently used SSL certificates for accessing CDN:"
" /usr/bin/cdn-sync --cdn-certs)" % PRODUCT_NAME)
return error_messages
def _msg_array_if_not_activated(self):
error_messages = []
keys = self._get_cdn_certificate_keys_and_certs()
if not keys:
error_messages.append("ERROR: Your %s is not activated for CDN\n"
"(to see details about currently used SSL certificates for accessing CDN:"
" /usr/bin/cdn-sync --cdn-certs)" % PRODUCT_NAME)
else:
found_valid_key = False
for key in keys:
if not found_valid_key:
if (constants.CA_CERT_NAME == key['description']
or constants.CLIENT_CERT_PREFIX in key['description']):
if verify_certificate_dates(str(key['key'])):
found_valid_key = True
if not found_valid_key:
error_messages.append("ERROR: Your %s has no valid SSL certificates for accessing CDN\n"
"(to see details about currently used SSL certificates for accessing CDN:"
" /usr/bin/cdn-sync --cdn-certs)" % PRODUCT_NAME)
return error_messages
def print_cdn_certificates_info(self, repos=False):
keys = self._get_cdn_certificate_keys_and_certs()
if not keys:
log2(0, 0, "No SSL certificates were found. Is your %s activated for CDN?"
% PRODUCT_NAME, stream=sys.stderr)
sys.exit(1)
for key in keys:
log(0, "======================================")
log(0, "| Certificate/Key: %s" % key['description'])
log(0, "======================================")
if constants.CA_CERT_NAME == key['description'] or constants.CLIENT_CERT_PREFIX in key['description']:
if not verify_certificate_dates(str(key['key'])):
log(0, "WARNING: This certificate is not valid.")
cn, serial_number, not_before, not_after = get_certificate_info(str(key['key']))
log(0, "Common name: %s" % str(cn))
log(0, "Serial number: %s" % str(serial_number))
log(0, "Valid from: %s" % str(not_before))
log(0, "Valid to: %s" % str(not_after))
if constants.CLIENT_CERT_PREFIX in key['description']:
manager = CdnRepositoryManager(client_cert_id=int(key['id']))
self.cdn_repository_manager = manager
log(0, "Provided channels:")
channel_tree, not_available_channels = self._tree_available_channels()
if not channel_tree:
log(0, " NONE")
for base_channel in sorted(channel_tree):
if base_channel not in not_available_channels:
log(0, " * %s" % base_channel)
elif channel_tree[base_channel]:
log(0, " * %s (only child channels provided)" % base_channel)
for child_channel in sorted(channel_tree[base_channel]):
log(0, " * %s" % child_channel)
if repos:
log(0, "Provided repositories:")
provided_repos = self.cdn_repository_manager.list_provided_repos(key['id'])
for repo in sorted(provided_repos):
log(0, " %s" % repo)
log(0, "")
def print_cdn_certificates_info(self, repos=False):
h = rhnSQL.prepare("""
SELECT ck.id, ck.description, ck.key
FROM rhnCryptoKeyType ckt,
rhnCryptoKey ck
WHERE ckt.label = 'SSL'
AND ckt.id = ck.crypto_key_type_id
AND ck.description LIKE 'CDN_%'
AND ck.org_id is NULL
ORDER BY ck.description
""")
h.execute()
keys = h.fetchall_dict() or []
if not keys:
log2(
0,
0,
"No SSL certificates were found. Is your %s activated for CDN?"
% PRODUCT_NAME,
stream=sys.stderr)
return
for key in keys:
log(0, "======================================")
log(0, "| Certificate/Key: %s" % key['description'])
log(0, "======================================")
if constants.CA_CERT_NAME == key[
'description'] or constants.CLIENT_CERT_PREFIX in key[
'description']:
if not verify_certificate_dates(str(key['key'])):
log(0, "WARNING: This certificate is not valid.")
cn, serial_number, not_before, not_after = get_certificate_info(
str(key['key']))
log(0, "Common name: %s" % str(cn))
log(0, "Serial number: %s" % str(serial_number))
log(0, "Valid from: %s" % str(not_before))
log(0, "Valid to: %s" % str(not_after))
if constants.CLIENT_CERT_PREFIX in key['description']:
manager = CdnRepositoryManager(client_cert_id=int(key['id']))
self.cdn_repository_manager = manager
log(0, "Provided channels:")
channel_tree, not_available_channels = self._tree_available_channels(
)
if not channel_tree:
log(0, " NONE")
for base_channel in sorted(channel_tree):
if base_channel not in not_available_channels:
log(0, " * %s" % base_channel)
elif channel_tree[base_channel]:
log(
0, " * %s (only child channels provided)" %
base_channel)
for child_channel in sorted(channel_tree[base_channel]):
log(0, " * %s" % child_channel)
if repos:
log(0, "Provided repositories:")
provided_repos = self.cdn_repository_manager.list_provided_repos(
key['id'])
for repo in sorted(provided_repos):
log(0, " %s" % repo)
log(0, "")
