def _generate_x509_cert(self, uid, pid):
    """Generate an x509 cert for user ``uid``, signed by the CA for ``pid``.

    A key pair and CSR are created with a subject derived from ``uid``;
    the CSR is then signed by the CA that ``crypto.sign_csr`` selects for
    ``pid``.  Returns ``(private_key, signed_cert)`` exactly as the crypto
    helpers hand them back.  The private key is returned to the caller and
    is not logged or persisted here.
    """
    subject = self.__cert_subject(uid)
    private_key, csr = crypto.generate_x509_cert(subject)
    # TODO(joshua): This should be async call back to the cloud controller
    signed_cert = crypto.sign_csr(csr, pid)
    return (private_key, signed_cert)
def test_can_generate_x509(self):
    """A cert issued for a user verifies against the project CA chain.

    NOTE(todd): this doesn't assert against the auth manager so it
    probably belongs in crypto_unittest but I'm leaving it where I
    found it.
    """
    with user_and_project_generator(self.manager) as (user, project):
        # NOTE(vish): Setup runs genroot.sh if it hasn't been run
        cloud.CloudController().setup()
        _key, cert_pem = crypto.generate_x509_cert(user.id, project.id)
        LOG.debug(cert_pem)
        chain_pem = crypto.fetch_ca(project_id=project.id, chain=True)
        project_pem = crypto.fetch_ca(project_id=project.id, chain=False)
        cloud_pem = crypto.fetch_ca()
        LOG.debug("CA chain:\n\n =====\n%s\n\n=====", chain_pem)

        signed = X509.load_cert_string(cert_pem)
        chain_key = X509.load_cert_string(chain_pem).get_pubkey()
        project_key = X509.load_cert_string(project_pem).get_pubkey()
        cloud_key = X509.load_cert_string(cloud_pem).get_pubkey()

        # NOTE(review): X509.verify(pkey) only checks the signature against
        # the given public key; validity period, name constraints and real
        # chain building are not exercised by these assertions.
        self.assertTrue(signed.verify(chain_key))
        self.assertTrue(signed.verify(project_key))
        # With a per-project CA the user cert is signed by the project CA,
        # so the cloud root key must NOT verify it directly.
        if FLAGS.use_project_ca:
            self.assertFalse(signed.verify(cloud_key))
        else:
            self.assertTrue(signed.verify(cloud_key))
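def get_credentials(self, user, project=None, use_dmz=True):
    """Build the credential zip for ``user`` in ``project``.

    The archive holds one rc file per region, the user's private key and
    signed cert, the project CA and (when the project has vpn data) an
    openvpn client config.  When ``project`` is ``None`` the user's own id
    is used as the project id.

    Returns the zip contents as a byte string.  It contains a private key,
    so callers must treat the return value as a secret.

    The zip is staged in a ``tempfile.mkdtemp()`` directory (created
    readable only by the current user); the directory is removed in a
    ``finally`` so the key does not linger on disk if any step raises.
    """
    if not isinstance(user, User):
        user = self.get_user(user)
    if project is None:
        project = user.id
    pid = Project.safe_id(project)
    private_key, signed_cert = crypto.generate_x509_cert(user.id, pid)

    if use_dmz and FLAGS.region_list:
        regions = {}
        for item in FLAGS.region_list:
            region, _sep, region_host = item.partition("=")
            regions[region] = region_host
    else:
        regions = {'nova': FLAGS.ec2_host}

    tmpdir = tempfile.mkdtemp()
    try:
        zf = os.path.join(tmpdir, "temp.zip")
        zippy = zipfile.ZipFile(zf, 'w')
        try:
            for region, host in regions.iteritems():
                rc = self.__generate_rc(user, pid, use_dmz, host)
                zippy.writestr(FLAGS.credential_rc_file % region, rc)
            zippy.writestr(FLAGS.credential_key_file, private_key)
            zippy.writestr(FLAGS.credential_cert_file, signed_cert)

            (vpn_ip, vpn_port) = self.get_project_vpn_data(project)
            if vpn_ip:
                with open(FLAGS.vpn_client_template, "r") as configfile:
                    s = string.Template(configfile.read())
                config = s.substitute(keyfile=FLAGS.credential_key_file,
                                      certfile=FLAGS.credential_cert_file,
                                      ip=vpn_ip,
                                      port=vpn_port)
                zippy.writestr(FLAGS.credential_vpn_file, config)
            else:
                LOG.warn(_("No vpn data for project %s"), pid)

            zippy.writestr(FLAGS.ca_file, crypto.fetch_ca(pid))
        finally:
            # Always flush/close the archive, even if a writestr failed.
            zippy.close()
        with open(zf, 'rb') as f:
            read_buffer = f.read()
    finally:
        # Remove the staging directory (and the on-disk private key)
        # whether or not the archive was built successfully.
        shutil.rmtree(tmpdir)
    return read_buffer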
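def test_can_generate_x509(self):
    """A freshly generated user cert verifies against the project CA via
    the ``openssl verify`` CLI.

    ``openssl verify`` reports a failed verification on stdout (and older
    OpenSSL releases exit 0 even then), so an empty stderr alone does not
    prove the cert verified; the stdout verdict ``<file>: OK`` is checked
    as well.
    """
    with utils.tempdir() as tmpdir:
        self.flags(ca_path=tmpdir)
        crypto.ensure_ca_filesystem()
        _key, cert_str = crypto.generate_x509_cert("fake", "fake")
        project_cert = crypto.fetch_ca(project_id="fake")

        signed_cert_file = os.path.join(tmpdir, "signed")
        with open(signed_cert_file, "w") as certfile:
            certfile.write(cert_str)
        project_cert_file = os.path.join(tmpdir, "project")
        with open(project_cert_file, "w") as cafile:
            cafile.write(project_cert)

        out, err = utils.execute("openssl", "verify", "-CAfile",
                                 project_cert_file, "-verbose",
                                 signed_cert_file)
        self.assertFalse(err)
        # openssl prints "<path>: OK" on success and an
        # "error N at D depth lookup:..." diagnostic otherwise.
        self.assertTrue(": OK" in out, out)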
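def test_can_generate_x509(self):
    """A freshly generated user cert verifies against the project CA via
    the ``openssl verify`` CLI.

    ``openssl verify`` reports a failed verification on stdout (and older
    OpenSSL releases exit 0 even then), so an empty stderr alone does not
    prove the cert verified; the stdout verdict ``<file>: OK`` is checked
    as well.
    """
    with utils.tempdir() as tmpdir:
        self.flags(ca_path=tmpdir)
        crypto.ensure_ca_filesystem()
        _key, cert_str = crypto.generate_x509_cert('fake', 'fake')
        project_cert = crypto.fetch_ca(project_id='fake')

        signed_cert_file = os.path.join(tmpdir, "signed")
        with open(signed_cert_file, 'w') as certfile:
            certfile.write(cert_str)
        project_cert_file = os.path.join(tmpdir, "project")
        with open(project_cert_file, 'w') as cafile:
            cafile.write(project_cert)

        out, err = utils.execute('openssl', 'verify', '-CAfile',
                                 project_cert_file, '-verbose',
                                 signed_cert_file)
        self.assertFalse(err)
        # openssl prints "<path>: OK" on success and an
        # "error N at D depth lookup:..." diagnostic otherwise.
        self.assertTrue(': OK' in out, out)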
def test_can_generate_x509(self):
    """A generated user cert verifies against the project CA (M2Crypto).

    The CA tree is built in a throwaway directory that is removed again
    in ``finally`` so CA private keys do not outlive the test.
    """
    tmpdir = tempfile.mkdtemp()
    self.flags(ca_path=tmpdir)
    try:
        crypto.ensure_ca_filesystem()
        _key, cert_pem = crypto.generate_x509_cert('fake', 'fake')
        project_pem = crypto.fetch_ca(project_id='fake')
        cloud_pem = crypto.fetch_ca()
        # TODO(vish): This will need to be replaced with something else
        # when we remove M2Crypto
        signed = X509.load_cert_string(cert_pem)
        project_key = X509.load_cert_string(project_pem).get_pubkey()
        cloud_key = X509.load_cert_string(cloud_pem).get_pubkey()

        # NOTE(review): X509.verify(pkey) only checks the signature
        # against the given key; expiry and chain building are not
        # exercised here.
        self.assertTrue(signed.verify(project_key))
        # With a per-project CA the cloud root key must NOT verify the
        # user cert directly; without one it must.
        if FLAGS.use_project_ca:
            self.assertFalse(signed.verify(cloud_key))
        else:
            self.assertTrue(signed.verify(cloud_key))
    finally:
        shutil.rmtree(tmpdir)
def generate_x509_cert(self, context, user_id, project_id):
    """Generate and sign a cert for user in project.

    Thin pass-through to ``crypto.generate_x509_cert``; the return value
    is whatever that helper returns.  ``context`` is accepted but not
    consulted here.

    NOTE(review): no authorization check is made against ``context``
    before issuing a cert for an arbitrary ``user_id``/``project_id``;
    presumably the caller or RPC layer enforces that — confirm.
    """
    cert_pair = crypto.generate_x509_cert(user_id, project_id)
    return cert_pair
def generate_x509_cert(self, user, project):
    """Generate a key pair and cert for ``user``, signed by ``project``'s CA.

    ``user`` and ``project`` may be objects or ids (``safe_id`` handles
    both).  Returns ``(private_key, signed_cert)`` as produced by the
    crypto helpers; the private key is handed back to the caller and not
    persisted here.
    """
    uid = User.safe_id(user)
    pid = Project.safe_id(project)
    private_key, csr = crypto.generate_x509_cert(self.__cert_subject(uid))
    # TODO - This should be async call back to the cloud controller
    signed_cert = crypto.sign_csr(csr, pid)
    return (private_key, signed_cert)
def generate_x509_cert(self, uid):
    """Generate a key pair and signed cert for user ``uid``.

    Note that ``uid`` is also passed as the CA selector to
    ``crypto.sign_csr`` (there is no separate project argument here).
    Returns ``(private_key, signed_cert)`` as produced by the crypto
    helpers.
    """
    subject = self.__cert_subject(uid)
    private_key, csr = crypto.generate_x509_cert(subject)
    # TODO - This should be async call back to the cloud controller
    return (private_key, crypto.sign_csr(csr, uid))
def generate_x509_cert(self, user, project):
    """Generate a key pair and cert for ``user``, signed by ``project``'s CA.

    ``user`` and ``project`` may be objects or ids (``safe_id`` handles
    both).  Returns ``(private_key, signed_cert)`` as produced by the
    crypto helpers; the private key is returned, never logged or stored
    here.
    """
    subject = self.__cert_subject(User.safe_id(user))
    private_key, csr = crypto.generate_x509_cert(subject)
    # TODO - This should be async call back to the cloud controller
    signed_cert = crypto.sign_csr(csr, Project.safe_id(project))
    return (private_key, signed_cert)