def test_generate_signed_ssl_certkey(tmpdir): from jans.pycloudlib.utils import generate_ssl_ca_certkey from jans.pycloudlib.utils import generate_signed_ssl_certkey base_dir = tmpdir.mkdir("certs") ca_cert, ca_key = generate_ssl_ca_certkey( "cert-auth", "*****@*****.**", "my.org.local", "org", "US", "TX", "Austin", base_dir=str(base_dir), ) generate_signed_ssl_certkey( "my-suffix", ca_key, ca_cert, "*****@*****.**", "my.org.local", "org", "US", "TX", "Austin", base_dir=str(base_dir), extra_dns=["custom.org.local"], extra_ips=["127.0.0.1"], ) assert os.path.isfile(str(base_dir.join("my-suffix.crt"))) assert os.path.isfile(str(base_dir.join("my-suffix.csr"))) assert os.path.isfile(str(base_dir.join("my-suffix.key")))
def test_generate_ssl_ca_certkey(tmpdir): from jans.pycloudlib.utils import generate_ssl_ca_certkey base_dir = tmpdir.mkdir("certs") generate_ssl_ca_certkey( "cert-auth", "*****@*****.**", "my.org.local", "org", "US", "TX", "Austin", base_dir=str(base_dir), ) assert os.path.isfile(str(base_dir.join("cert-auth.crt"))) assert os.path.isfile(str(base_dir.join("cert-auth.key")))
def patch(self): source = self.opts.get("source", "") ssl_cert = "/etc/certs/web_https.crt" ssl_key = "/etc/certs/web_https.key" ssl_csr = "/etc/certs/web_https.csr" ssl_ca_cert = "/etc/certs/ca.crt" ssl_ca_key = "/etc/certs/ca.key" if source == "from-files": if not any([os.path.isfile(ssl_cert), os.path.isfile(ssl_key)]): logger.warning(f"Unable to find existing {ssl_cert} or {ssl_key}") else: logger.info(f"Using existing {ssl_cert} and {ssl_key}") else: email = self.manager.config.get("admin_email") hostname = self.manager.config.get("hostname") org_name = self.manager.config.get("orgName") country_code = self.manager.config.get("country_code") state = self.manager.config.get("state") city = self.manager.config.get("city") logger.info(f"Creating self-generated {ssl_ca_cert} and {ssl_ca_key}") ca_cert, ca_key = generate_ssl_ca_certkey( "ca", email, "Janssen CA", org_name, country_code, state, city, ) logger.info(f"Creating self-generated {ssl_csr}, {ssl_cert}, and {ssl_key}") generate_signed_ssl_certkey( "web_https", ca_key, ca_cert, email, hostname, org_name, country_code, state, city, ) if not self.dry_run: if os.path.isfile(ssl_ca_key): self.manager.secret.from_file("ssl_ca_key", ssl_ca_key) if os.path.isfile(ssl_ca_cert): self.manager.secret.from_file("ssl_ca_cert", ssl_ca_cert) if os.path.isfile(ssl_cert): self.manager.secret.from_file("ssl_cert", ssl_cert) if os.path.isfile(ssl_key): self.manager.secret.from_file("ssl_key", ssl_key) if os.path.isfile(ssl_csr): self.manager.secret.from_file("ssl_csr", ssl_csr)
def web_ctx(self): ssl_cert = "/etc/certs/web_https.crt" ssl_key = "/etc/certs/web_https.key" ssl_csr = "/etc/certs/web_https.csr" ssl_ca_cert = "/etc/certs/ca.crt" ssl_ca_key = "/etc/certs/ca.key" # get cert and key (if available) with priorities below: # # 1. from mounted files # 2. from fronted (key file is an empty file) # 3. self-generate files logger.info(f"Resolving {ssl_cert} and {ssl_key}") # check from mounted files if not (os.path.isfile(ssl_cert) and os.path.isfile(ssl_key)): # no mounted files, hence download from frontend ingress_addr = "" if "CN_INGRESS_ADDRESS" in os.environ: ingress_addr = os.environ.get("CN_INGRESS_ADDRESS") ingress_servername = os.environ.get( "CN_INGRESS_SERVERNAME") or ingress_addr if ingress_addr and ingress_servername: logger.warning( f"Unable to find mounted {ssl_cert} and {ssl_key}; " f"trying to download from {ingress_addr}:443 (servername {ingress_servername})" # noqa: C812 ) try: # cert will be downloaded into `ssl_cert` path get_server_certificate(ingress_addr, 443, ssl_cert, ingress_servername) # since cert is downloaded, key must mounted # or generate empty file if not os.path.isfile(ssl_key): with open(ssl_key, "w") as f: f.write("") except (socket.gaierror, socket.timeout, OSError) as exc: # address not resolved or timed out logger.warning(f"Unable to download cert; reason={exc}") # no mounted nor downloaded files, hence we need to create self-generated files if not (os.path.isfile(ssl_cert) and os.path.isfile(ssl_key)): hostname = self.get_config("hostname") email = self.get_config("admin_email") org_name = self.get_config("orgName") country_code = self.get_config("country_code") state = self.get_config("state") city = self.get_config("city") logger.info( f"Creating self-generated {ssl_ca_cert} and {ssl_ca_key}") ca_cert, ca_key = generate_ssl_ca_certkey( "ca", email, "Janssen CA", org_name, country_code, state, city, ) logger.info( f"Creating self-generated {ssl_csr}, {ssl_cert}, and {ssl_key}" ) generate_signed_ssl_certkey( "web_https", ca_key, ca_cert, email, hostname, org_name, country_code, state, city, ) try: with open(ssl_ca_cert) as f: self.set_secret("ssl_ca_cert", f.read) except FileNotFoundError: self.set_secret("ssl_ca_cert", "") try: with open(ssl_ca_key) as f: self.set_secret("ssl_ca_key", f.read) except FileNotFoundError: self.set_secret("ssl_ca_key", "") try: with open(ssl_csr) as f: self.set_secret("ssl_csr", f.read) except FileNotFoundError: self.set_secret("ssl_csr", "") with open(ssl_cert) as f: self.set_secret("ssl_cert", f.read) with open(ssl_key) as f: self.set_secret("ssl_key", f.read)