Пример #1
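class EzCAHandler:
    """Service handler that owns one persisted EzbakeCA and signs CSRs with it.

    The persistence backend is chosen from the ``ezca.persist.mode`` config
    key; the CA named at construction is loaded from that store, or created
    and saved when it does not exist yet.
    """

    # Table/file name handed to FilePersist for the CA and cert store.
    TABLE_NAME = "_EZ_CA_"
    # Name under which this service's own server certificate is stored.
    SERVER_CERT_NAME = "EzCAService"
    # Config key selecting the persistence backend ("file", "accumulo", other).
    PERSIST_MODE = "ezca.persist.mode"
    # Config keys for client certificate auto-generation; not referenced by
    # any method of this class as shown here.
    CLIENT_CERTS = "ezca.autogen.clients"
    CLIENT_CERT_O = "ezca.autogen.clients.out"
    CLIENT_CERT_O_DEF = "gen"

    def __init__(self, ca_name, ezconfig=None):
        """Set up persistence and load (or create and save) the CA *ca_name*.

        Args:
            ca_name: name used to look the CA up in the store and to create it.
            ezconfig: properties mapping consulted for PERSIST_MODE. When None,
                ``EzConfiguration().getProperties()`` is read at call time
                (previously it was a default argument, i.e. evaluated once at
                import and shared by every instance).

        Raises:
            NotImplementedError: when the configured mode is "accumulo".
        """
        if ezconfig is None:
            ezconfig = EzConfiguration().getProperties()
        mode = ezconfig.get(EzCAHandler.PERSIST_MODE, "file")
        if mode == "file":
            store = FilePersist(EzCAHandler.TABLE_NAME)
        elif mode == "accumulo":
            raise NotImplementedError("accumulo persistance not supported by EzCA yet")
        else:
            # Any other value falls through to the in-memory store; say so,
            # since a misspelt mode would otherwise be silent.
            logger.info("EzCA persistence mode %r: using in-memory store", mode)
            store = MemoryPersist()
        EzbakeCA.setup(store=store)
        Cert.setup(store=store)
        self.store = store

        try:
            logger.info("Reading CA certificate %s", ca_name)
            self.ca = EzbakeCA.get_named(ca_name)
        except KeyError:
            # get_named raises KeyError for an unknown name: create the CA.
            self.ca = EzbakeCA(name=ca_name)
        # Saved unconditionally so a freshly created CA is persisted.
        self.ca.save()

    def _server_certs(self):
        """Return ``{'ca_certs', 'cert', 'key'}`` as PEM text for this service.

        The server certificate named SERVER_CERT_NAME is loaded from the cert
        store; if it has no certificate yet, its CSR is signed by this CA and
        the result is saved before the PEM values are produced.
        """
        ca_certs = ezbakeca.ca.pem_cert(self.ca.ca_cert)
        server_cert = Cert.get_named(self.SERVER_CERT_NAME)
        if not server_cert.cert:
            server_cert.cert = self.ca.sign_csr(server_cert.csr())
            server_cert.save()
        key_pem = ezbakeca.ca.pem_key(server_cert.private_key)
        cert_pem = ezbakeca.ca.pem_cert(server_cert.cert)
        return {'ca_certs': ca_certs, 'cert': cert_pem, 'key': key_pem}

    def ping(self):
        """Liveness check; always returns True."""
        return True

    def getMetricRegistryThrift(self):
        """Return a new, empty MetricRegistryThrift."""
        return ezmetrics.ttypes.MetricRegistryThrift()

    def csr(self, token, csr):
        """Sign the CSR *csr* with this handler's CA and return the PEM certificate.

        Args:
            token: caller's security token. Only ``token.validity.issuedTo``,
                ``token.validity.issuedFor`` and ``token.tokenPrincipal.principal``
                are read, and only for the audit log line below.
            csr: certificate signing request in whatever form
                ``ezbakeca.ca.load_csr`` accepts.

        Returns:
            The signed certificate as PEM text (``ezbakeca.ca.pem_cert``).
        """
        request = ezbakeca.ca.load_csr(csr)
        # The requested subject is signed as-is: nothing here compares it with
        # the token principal, so the transport-level restriction is the only
        # control on who may obtain a certificate for which subject,
        # but since this is a Protect component, and we are only allowing
        # access to this service by trusted cert CNs, I can accept that.
        # still, we must log what's happening.
        logger.info("CSR signing request for Subject: %s. Token security ID: %s, "
                    "target security ID: %s, userInfo: %s",
                    request.get_subject(),
                    token.validity.issuedTo,
                    token.validity.issuedFor,
                    token.tokenPrincipal.principal)

        # sign the csr and get the cert
        cert = self.ca.sign_csr(request)

        # return the cert as pem
        return ezbakeca.ca.pem_cert(cert)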
Пример #2
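class EzCAHandler:
    """Service handler that owns one persisted EzbakeCA and signs CSRs with it.

    The persistence backend is chosen from the ``ezca.persist.mode`` config
    key; the CA named at construction is loaded from that store, or created
    and saved when it does not exist yet.
    """

    # Table/file name handed to FilePersist for the CA and cert store.
    TABLE_NAME = "_EZ_CA_"
    # Name under which this service's own server certificate is stored.
    SERVER_CERT_NAME = "EzCAService"
    # Config key selecting the persistence backend ("file", "accumulo", other).
    PERSIST_MODE = "ezca.persist.mode"
    # Config keys for client certificate auto-generation; not referenced by
    # any method of this class as shown here.
    CLIENT_CERTS = "ezca.autogen.clients"
    CLIENT_CERT_O = "ezca.autogen.clients.out"
    CLIENT_CERT_O_DEF = "gen"

    def __init__(self, ca_name, ezconfig=None):
        """Set up persistence and load (or create and save) the CA *ca_name*.

        Args:
            ca_name: name used to look the CA up in the store and to create it.
            ezconfig: properties mapping consulted for PERSIST_MODE. When None,
                ``EzConfiguration().getProperties()`` is read at call time
                (previously it was a default argument, i.e. evaluated once at
                import and shared by every instance).

        Raises:
            NotImplementedError: when the configured mode is "accumulo".
        """
        if ezconfig is None:
            ezconfig = EzConfiguration().getProperties()
        mode = ezconfig.get(EzCAHandler.PERSIST_MODE, "file")
        if mode == "file":
            store = FilePersist(EzCAHandler.TABLE_NAME)
        elif mode == "accumulo":
            raise NotImplementedError("accumulo persistance not supported by EzCA yet")
        else:
            # Any other value falls through to the in-memory store; say so,
            # since a misspelt mode would otherwise be silent.
            logger.info("EzCA persistence mode %r: using in-memory store", mode)
            store = MemoryPersist()
        EzbakeCA.setup(store=store)
        Cert.setup(store=store)
        self.store = store

        try:
            logger.info("Reading CA certificate %s", ca_name)
            self.ca = EzbakeCA.get_named(ca_name)
        except KeyError:
            # get_named raises KeyError for an unknown name: create the CA.
            self.ca = EzbakeCA(name=ca_name)
        # Saved unconditionally so a freshly created CA is persisted.
        self.ca.save()

    def _server_certs(self):
        """Return ``{'ca_certs', 'cert', 'key'}`` as PEM text for this service.

        The server certificate named SERVER_CERT_NAME is loaded from the cert
        store; if it has no certificate yet, its CSR is signed by this CA and
        the result is saved before the PEM values are produced.
        """
        ca_certs = ezbakeca.ca.pem_cert(self.ca.ca_cert)
        server_cert = Cert.get_named(self.SERVER_CERT_NAME)
        if not server_cert.cert:
            server_cert.cert = self.ca.sign_csr(server_cert.csr())
            server_cert.save()
        key_pem = ezbakeca.ca.pem_key(server_cert.private_key)
        cert_pem = ezbakeca.ca.pem_cert(server_cert.cert)
        return {'ca_certs': ca_certs, 'cert': cert_pem, 'key': key_pem}

    def ping(self):
        """Liveness check; always returns True."""
        return True

    def csr(self, token, csr):
        """Sign the CSR *csr* with this handler's CA and return the PEM certificate.

        Args:
            token: caller's security token. Only ``token.validity.issuedTo``,
                ``token.validity.issuedFor`` and ``token.tokenPrincipal.principal``
                are read, and only for the audit log line below.
            csr: certificate signing request in whatever form
                ``ezbakeca.ca.load_csr`` accepts.

        Returns:
            The signed certificate as PEM text (``ezbakeca.ca.pem_cert``).
        """
        request = ezbakeca.ca.load_csr(csr)
        # The requested subject is signed as-is: nothing here compares it with
        # the token principal, so the transport-level restriction is the only
        # control on who may obtain a certificate for which subject,
        # but since this is a Protect component, and we are only allowing
        # access to this service by trusted cert CNs, I can accept that.
        # still, we must log what's happening.
        logger.info("CSR signing request for Subject: %s. Token security ID: %s, "
                    "target security ID: %s, userInfo: %s",
                    request.get_subject(),
                    token.validity.issuedTo,
                    token.validity.issuedFor,
                    token.tokenPrincipal.principal)

        # sign the csr and get the cert
        cert = self.ca.sign_csr(request)

        # return the cert as pem
        return ezbakeca.ca.pem_cert(cert)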
Пример #3
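    def __init__(self, ca_name, ezconfig=None):
        """Set up persistence and load (or create and save) the CA *ca_name*.

        Args:
            ca_name: name used to look the CA up in the store and to create it.
            ezconfig: properties mapping consulted for PERSIST_MODE. When None,
                ``EzConfiguration().getProperties()`` is read at call time
                (previously it was a default argument, i.e. evaluated once at
                import and shared by every instance).

        Raises:
            NotImplementedError: when the configured mode is "accumulo".
        """
        if ezconfig is None:
            ezconfig = EzConfiguration().getProperties()
        mode = ezconfig.get(EzCAHandler.PERSIST_MODE, "file")
        if mode == "file":
            store = FilePersist(EzCAHandler.TABLE_NAME)
        elif mode == "accumulo":
            raise NotImplementedError("accumulo persistance not supported by EzCA yet")
        else:
            # Any other value falls through to the in-memory store; say so,
            # since a misspelt mode would otherwise be silent.
            logger.info("EzCA persistence mode %r: using in-memory store", mode)
            store = MemoryPersist()
        EzbakeCA.setup(store=store)
        Cert.setup(store=store)
        self.store = store

        try:
            logger.info("Reading CA certificate %s", ca_name)
            self.ca = EzbakeCA.get_named(ca_name)
        except KeyError:
            # get_named raises KeyError for an unknown name: create the CA.
            self.ca = EzbakeCA(name=ca_name)
        # Saved unconditionally so a freshly created CA is persisted.
        self.ca.save()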
Пример #4
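    def __init__(self, ca_name, ezconfig=None):
        """Set up persistence and load (or create and save) the CA *ca_name*.

        Args:
            ca_name: name used to look the CA up in the store and to create it.
            ezconfig: properties mapping consulted for PERSIST_MODE. When None,
                ``EzConfiguration().getProperties()`` is read at call time
                (previously it was a default argument, i.e. evaluated once at
                import and shared by every instance).

        Raises:
            NotImplementedError: when the configured mode is "accumulo".
        """
        if ezconfig is None:
            ezconfig = EzConfiguration().getProperties()
        mode = ezconfig.get(EzCAHandler.PERSIST_MODE, "file")
        if mode == "file":
            store = FilePersist(EzCAHandler.TABLE_NAME)
        elif mode == "accumulo":
            raise NotImplementedError("accumulo persistance not supported by EzCA yet")
        else:
            # Any other value falls through to the in-memory store; say so,
            # since a misspelt mode would otherwise be silent.
            logger.info("EzCA persistence mode %r: using in-memory store", mode)
            store = MemoryPersist()
        EzbakeCA.setup(store=store)
        Cert.setup(store=store)
        self.store = store

        try:
            logger.info("Reading CA certificate %s", ca_name)
            self.ca = EzbakeCA.get_named(ca_name)
        except KeyError:
            # get_named raises KeyError for an unknown name: create the CA.
            self.ca = EzbakeCA(name=ca_name)
        # Saved unconditionally so a freshly created CA is persisted.
        self.ca.save()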
Пример #5
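def init(config):
    """Create (or reuse) the CA named by *config* and generate its client certs.

    Args:
        config: namespace providing the attributes read here: ``verbose``,
            ``clients`` (comma-separated client names), ``force``, ``name``,
            ``env`` and ``outdir``.

    Side effects:
        Configures logging, points EzbakeCA and Cert at the "file" persistence
        store, deletes the stored entry ``config.name`` when ``config.force``
        is set, saves a newly created CA, and passes ``config.outdir`` to
        ``gen_client_certs`` as the output directory.
    """
    ez_config = load_configuration("config")
    setup_logging(config.verbose, ez_config)

    # Tolerate whitespace and empty entries ("a, b,") so no blank client
    # name reaches gen_client_certs.
    clients = [name.strip() for name in config.clients.split(',') if name.strip()]

    # initialize the daos
    store = ezpersist_instance("file")
    EzbakeCA.setup(store=store)
    Cert.setup(store=store)

    if config.force:
        # Remove the stored CA first so that the lookup below presumably
        # misses and a new CA is created.
        store.delete(config.name)

    try:
        # Try to get it first, to see if it already exists
        ca = EzbakeCA.get_named(config.name)
        logger.info("CA %s not regenerated because it already exists", config.name)
    except KeyError:
        # Create the CA
        ca = EzbakeCA(name=config.name, environment=config.env)
        ca.save()

    gen_client_certs(ca, clients, directory=config.outdir, force=config.force)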
Пример #6
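def init(config):
    """Create (or reuse) the CA named by *config* and generate its client certs.

    Args:
        config: namespace providing the attributes read here: ``verbose``,
            ``clients`` (comma-separated client names), ``force``, ``name``,
            ``env`` and ``outdir``.

    Side effects:
        Configures logging, points EzbakeCA and Cert at the "file" persistence
        store, deletes the stored entry ``config.name`` when ``config.force``
        is set, saves a newly created CA, and passes ``config.outdir`` to
        ``gen_client_certs`` as the output directory.
    """
    ez_config = load_configuration("config")
    setup_logging(config.verbose, ez_config)

    # Tolerate whitespace and empty entries ("a, b,") so no blank client
    # name reaches gen_client_certs.
    clients = [name.strip() for name in config.clients.split(',') if name.strip()]

    # initialize the daos
    store = ezpersist_instance("file")
    EzbakeCA.setup(store=store)
    Cert.setup(store=store)

    if config.force:
        # Remove the stored CA first so that the lookup below presumably
        # misses and a new CA is created.
        store.delete(config.name)

    try:
        # Try to get it first, to see if it already exists
        ca = EzbakeCA.get_named(config.name)
        logger.info("CA %s not regenerated because it already exists", config.name)
    except KeyError:
        # Create the CA
        ca = EzbakeCA(name=config.name, environment=config.env)
        ca.save()

    gen_client_certs(ca, clients, directory=config.outdir, force=config.force)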