def db_maybe_launch_https_workers(self, session):
config = ConfigFactory(session, 1)
# If root_tenant is disabled do not start https
on = config.get_val(u'https_enabled')
if not on:
log.info("Not launching workers")
return defer.succeed(None)
site_cfgs = load_tls_dict_list(session)
valid_cfgs, err = [], None
# Determine which site_cfgs are valid and only pass those to the child.
for db_cfg in site_cfgs:
chnv = tls.ChainValidator()
ok, err = chnv.validate(db_cfg,
must_be_disabled=False,
check_expiration=False)
if ok and err is None:
valid_cfgs.append(db_cfg)
self.tls_cfg['site_cfgs'] = valid_cfgs
if not valid_cfgs:
log.info("Not launching https workers due to %s", err)
return defer.fail(err)
log.info("Decided to launch https workers")
return self.launch_https_workers()
def test_duplicated_cert_as_chain(self):
chn_v = tls.ChainValidator()
self.cfg['ssl_key'] = self.valid_setup['key'].encode()
self.cfg['ssl_cert'] = self.valid_setup['cert'].encode()
self.cfg['ssl_intermediate'] = self.valid_setup['cert'].encode('utf-8')
ok, err = chn_v.validate(self.cfg)
self.assertFalse(ok)
self.assertIsNotNone(err)
def test_check_expiration(self):
chn_v = tls.ChainValidator()
self.cfg['ssl_key'] = self.valid_setup['key'].encode()
p = os.path.join(self.test_data_dir, 'invalid/expired_cert_with_valid_prv.pem')
with open(p, 'rb') as f:
self.cfg['ssl_cert'] = f.read()
ok, err = chn_v.validate(self.cfg, check_expiration=True)
self.assertFalse(ok)
self.assertTrue(isinstance(err, tls.ValidationException))
def try_to_enable_https(store):
prv_fact = PrivateFactory(store)
cv = tls.ChainValidator()
db_cfg = load_tls_dict(store)
db_cfg['https_enabled'] = False
ok, err = cv.validate(db_cfg)
if ok:
prv_fact.set_val('https_enabled', True)
GLSettings.memory_copy.private.https_enabled = True
else:
raise err
def try_to_enable_https(session, tid):
config = ConfigFactory(session, tid)
cv = tls.ChainValidator()
db_cfg = load_tls_dict(session, tid)
db_cfg['https_enabled'] = False
ok, _ = cv.validate(db_cfg)
if not ok:
raise errors.InputValidationError()
config.set_val(u'https_enabled', True)
State.tenant_cache[tid].https_enabled = True
def try_to_enable_https(session, tid):
config = ConfigFactory(session, tid, 'node')
cv = tls.ChainValidator()
db_cfg = load_tls_dict(session, tid)
db_cfg['https_enabled'] = False
ok, err = cv.validate(db_cfg)
if ok:
config.set_val(u'https_enabled', True)
State.tenant_cache[tid].https_enabled = True
else:
raise err
def try_to_enable_https(store):
prv_fact = PrivateFactory(store)
cv = tls.ChainValidator()
db_cfg = load_tls_dict(store)
db_cfg['https_enabled'] = False
ok, err = cv.validate(db_cfg)
if ok:
prv_fact.set_val(u'https_enabled', True)
State.tenant_cache[1].private.https_enabled = True
else:
raise err
def test_chain_valid(self):
chn_v = tls.ChainValidator()
self.cfg['ssl_key'] = self.valid_setup['key'].encode()
self.cfg['ssl_cert'] = self.valid_setup['cert'].encode()
p = os.path.join(self.test_data_dir, 'valid', 'chains/comodo.pem')
with open(p, 'rb') as f:
self.cfg['ssl_intermediate'] = f.read()
ok, err = chn_v.validate(self.cfg)
self.assertTrue(ok)
self.assertIsNone(err)
def test_chain_invalid(self):
chn_v = tls.ChainValidator()
self.cfg['ssl_dh'] = self.valid_setup['dh_params']
self.cfg['ssl_key'] = self.valid_setup['key']
self.cfg['ssl_cert'] = self.valid_setup['cert']
exceptions_from_validation = {'empty.txt'}
for fname in self.invalid_files:
p = os.path.join(self.test_data_dir, 'invalid', fname)
with open(p, 'r') as f:
self.cfg['ssl_intermediate'] = f.read()
ok, err = chn_v.validate(self.cfg)
if not fname in exceptions_from_validation:
self.assertFalse(ok)
self.assertIsNotNone(err)
else:
self.assertTrue(ok)
self.assertIsNone(err)
def db_maybe_launch_https_workers(self, store):
privFact = PrivateFactory(store)
on = privFact.get_val('https_enabled')
if not on:
log.info("Not launching workers")
yield defer.succeed(None)
return
db_cfg = load_tls_dict(store)
self.tls_cfg.update(db_cfg)
chnv = tls.ChainValidator()
ok, err = chnv.validate(db_cfg, must_be_disabled=False)
if ok and err is None:
log.info("Decided to launch https workers")
yield self.launch_https_workers()
else:
log.info("Not launching https workers due to %s" % err)
yield defer.fail(err)