def __call__(self):
''' Grab cert and key from configuration for SSL config '''
ctxt = {'ssl_configured': False}
use_local_ca = True
for rid in relation_ids('certificates'):
if related_units(rid):
use_local_ca = False
if use_local_ca:
ca_cert = get_ca_cert()
if not ca_cert:
return ctxt
install_ca_cert(b64decode(ca_cert))
ssl_cert, ssl_key = get_cert()
if all([ssl_cert, ssl_key]):
with open('/etc/ssl/certs/dashboard.cert', 'w') as cert_out:
cert_out.write(b64decode(ssl_cert))
with open('/etc/ssl/private/dashboard.key', 'w') as key_out:
key_out.write(b64decode(ssl_key))
os.chmod('/etc/ssl/private/dashboard.key', 0600)
ctxt = {
'ssl_configured': True,
'ssl_cert': '/etc/ssl/certs/dashboard.cert',
'ssl_key': '/etc/ssl/private/dashboard.key',
}
else:
if os.path.exists(SSL_CERT_FILE) and os.path.exists(SSL_KEY_FILE):
ctxt = {
'ssl_configured': True,
'ssl_cert': SSL_CERT_FILE,
'ssl_key': SSL_KEY_FILE,
}
return ctxt
def test_get_cert_from_config(self):
'''Ensure cert and key from charm config override relation'''
self.config_get.side_effect = [
'some_ca_cert', # config_get('ssl_cert')
'some_ca_key', # config_Get('ssl_key')
]
result = apache_utils.get_cert('test-cn')
self.assertEquals(('some_ca_cert', 'some_ca_key'), result)
def test_get_cert_from_relation_deprecated(self):
self.config_get.return_value = None
rel = FakeRelation(IDENTITY_OLD_STYLE_CERTS)
self.relation_ids.side_effect = rel.relation_ids
self.relation_list.side_effect = rel.relation_units
self.relation_get.side_effect = rel.get
result = apache_utils.get_cert()
self.assertEquals(('keystone_provided_cert', 'keystone_provided_key'),
result)
def configure_cert(self, cn=None):
ssl_dir = os.path.join('/etc/apache2/ssl/', self.service_namespace)
mkdir(path=ssl_dir)
cert, key = get_cert(cn)
if cn:
cert_filename = 'cert_{}'.format(cn)
key_filename = 'key_{}'.format(cn)
else:
cert_filename = 'cert'
key_filename = 'key'
write_file(path=os.path.join(ssl_dir, cert_filename),
content=b64decode(cert))
write_file(path=os.path.join(ssl_dir, key_filename),
content=b64decode(key))
def __call__(self):
''' Grab cert and key from configuraton for SSL config '''
ctxt = {'http_port': 70, 'https_port': 433}
if config('enforce-ssl'):
# NOTE(dosaboy): if ssl is not configured we shouldn't allow this
if all(get_cert()):
ctxt['ssl_addr'] = resolve_address()
else:
log(
"Enforce ssl redirect requested but ssl not configured - "
"skipping redirect",
level=WARNING)
return ctxt
def configure_cert(self, cn=None):
ssl_dir = os.path.join('/etc/apache2/ssl/', self.service_namespace)
mkdir(path=ssl_dir)
cert, key = get_cert(cn)
if cn:
cert_filename = 'cert_{}'.format(cn)
key_filename = 'key_{}'.format(cn)
else:
cert_filename = 'cert'
key_filename = 'key'
write_file(path=os.path.join(ssl_dir, cert_filename),
content=b64decode(cert))
write_file(path=os.path.join(ssl_dir, key_filename),
content=b64decode(key))
def configure_cert(self):
if not os.path.isdir('/etc/apache2/ssl'):
os.mkdir('/etc/apache2/ssl')
ssl_dir = os.path.join('/etc/apache2/ssl/', self.service_namespace)
if not os.path.isdir(ssl_dir):
os.mkdir(ssl_dir)
cert, key = get_cert()
with open(os.path.join(ssl_dir, 'cert'), 'w') as cert_out:
cert_out.write(b64decode(cert))
with open(os.path.join(ssl_dir, 'key'), 'w') as key_out:
key_out.write(b64decode(key))
ca_cert = get_ca_cert()
if ca_cert:
with open(CA_CERT_PATH, 'w') as ca_out:
ca_out.write(b64decode(ca_cert))
check_call(['update-ca-certificates'])
def configure_cert(self):
if not os.path.isdir('/etc/apache2/ssl'):
os.mkdir('/etc/apache2/ssl')
ssl_dir = os.path.join('/etc/apache2/ssl/', self.service_namespace)
if not os.path.isdir(ssl_dir):
os.mkdir(ssl_dir)
cert, key = get_cert()
with open(os.path.join(ssl_dir, 'cert'), 'w') as cert_out:
cert_out.write(b64decode(cert))
with open(os.path.join(ssl_dir, 'key'), 'w') as key_out:
key_out.write(b64decode(key))
ca_cert = get_ca_cert()
if ca_cert:
with open(CA_CERT_PATH, 'w') as ca_out:
ca_out.write(b64decode(ca_cert))
check_call(['update-ca-certificates'])
def configure_cert(self):
if not os.path.isdir("/etc/apache2/ssl"):
os.mkdir("/etc/apache2/ssl")
ssl_dir = os.path.join("/etc/apache2/ssl/", self.service_namespace)
if not os.path.isdir(ssl_dir):
os.mkdir(ssl_dir)
cert, key = get_cert()
with open(os.path.join(ssl_dir, "cert"), "w") as cert_out:
cert_out.write(b64decode(cert))
with open(os.path.join(ssl_dir, "key"), "w") as key_out:
key_out.write(b64decode(key))
ca_cert = get_ca_cert()
if ca_cert:
with open(CA_CERT_PATH, "w") as ca_out:
ca_out.write(b64decode(ca_cert))
check_call(["update-ca-certificates"])
def __call__(self):
''' Grab cert and key from configuraton for SSL config '''
ctxt = {
'http_port': 70,
'https_port': 433,
'enforce_ssl': False,
'hsts_max_age_seconds': config('hsts-max-age-seconds'),
"custom_theme": config('custom-theme'),
}
if config('enforce-ssl'):
# NOTE(dosaboy): if ssl is not configured we shouldn't allow this
if all(get_cert()):
ctxt['enforce_ssl'] = True
else:
log("Enforce ssl redirect requested but ssl not configured - "
"skipping redirect", level=WARNING)
return ctxt
def __call__(self):
''' Grab cert and key from configuration for SSL config '''
(ssl_cert, ssl_key) = get_cert()
if None not in [ssl_cert, ssl_key]:
with open('/etc/ssl/certs/dashboard.cert', 'w') as cert_out:
cert_out.write(b64decode(ssl_cert))
with open('/etc/ssl/private/dashboard.key', 'w') as key_out:
key_out.write(b64decode(ssl_key))
os.chmod('/etc/ssl/private/dashboard.key', 0600)
ctxt = {
'ssl_configured': True,
'ssl_cert': '/etc/ssl/certs/dashboard.cert',
'ssl_key': '/etc/ssl/private/dashboard.key',
}
else:
# Use snakeoil ones by default
ctxt = {
'ssl_configured': False,
}
return ctxt
def configure_cert(self):
if not os.path.isdir('/etc/apache2/ssl'):
os.mkdir('/etc/apache2/ssl')
ssl_dir = os.path.join('/etc/apache2/ssl/', self.service_namespace)
if not os.path.isdir(ssl_dir):
os.mkdir(ssl_dir)
cert, key = get_cert()
# Swift specific - generate a cert by default if not using
# a) user supplied cert or b) keystone signed cert
if None in [cert, key]:
cert, key = generate_cert()
with open(os.path.join(ssl_dir, 'cert'), 'w') as cert_out:
cert_out.write(b64decode(cert))
with open(os.path.join(ssl_dir, 'key'), 'w') as key_out:
key_out.write(b64decode(key))
ca_cert = get_ca_cert()
if ca_cert:
with open(CA_CERT_PATH, 'w') as ca_out:
ca_out.write(b64decode(ca_cert))
subprocess.check_call(['update-ca-certificates'])
def __call__(self):
''' Grab cert and key from configuraton for SSL config '''
ctxt = {
'http_port': 70,
'https_port': 433
}
if config('enforce-ssl'):
# NOTE(dosaboy): if ssl is not configured we shouldn't allow this
if all(get_cert()):
if config('vip'):
addr = config('vip')
elif config('prefer-ipv6'):
addr = format_ipv6_addr(get_ipv6_addr()[0])
else:
addr = get_host_ip(unit_get('private-address'))
ctxt['ssl_addr'] = addr
else:
log("Enforce ssl redirect requested but ssl not configured - "
"skipping redirect", level=WARNING)
return ctxt
def __call__(self):
''' Grab cert and key from configuration for SSL config '''
ca_cert = get_ca_cert()
if ca_cert:
install_ca_cert(b64decode(ca_cert))
ssl_cert, ssl_key = get_cert()
if all([ssl_cert, ssl_key]):
with open('/etc/ssl/certs/dashboard.cert', 'w') as cert_out:
cert_out.write(b64decode(ssl_cert))
with open('/etc/ssl/private/dashboard.key', 'w') as key_out:
key_out.write(b64decode(ssl_key))
os.chmod('/etc/ssl/private/dashboard.key', 0600)
ctxt = {
'ssl_configured': True,
'ssl_cert': '/etc/ssl/certs/dashboard.cert',
'ssl_key': '/etc/ssl/private/dashboard.key',
}
else:
# Use snakeoil ones by default
ctxt = {
'ssl_configured': False,
}
return ctxt