def deploy_ca_certs(file_path_list, remote_ip, user, password, dest_dir, no_delete=None): """ Copy files to remote node and remove local files """ CommonTools.remote_mkdir_with_mode(dest_dir, Constant.AUTH_COMMON_DIR_STR, remote_ip, user, password) for file_path in file_path_list: dest_file_path = os.path.join(dest_dir, os.path.basename(file_path)) status, output = CommonTools.remote_copy_files( remote_ip, user, password, file_path, dest_file_path) if status != 0: raise Exception(Errors.EXECUTE_RESULT['gauss_0406'] % (remote_ip, output)) g.logger.debug('Successfully copy [%s] to remote node[%s]' % (file_path, remote_ip)) if no_delete: file_path_list = [ file for file in file_path_list if file not in no_delete ] CommonTools.remove_files(file_path_list)
def prepare_ca_certificates(self): """ Generate server ca certificates. """ ca_root_file_path, ca_root_key_path, server_cert_path, server_key_path, agent_cert_path, \ agent_key_path = self.read_ca_cert_path() self.ca_info = self.param_dict.pop(Constant.CA_INFO) if not self.ca_info: raise Exception(Errors.PARAMETER['gauss_0201'] % 'ca root cert information') get_ca_root_cert_path = self.ca_info.get(Constant.CA_CERT_PATH) get_ca_root_key_path = self.ca_info.get(Constant.CA_KEY_PATH) get_ca_root_password = self.ca_info.get(Constant.CA_PASSWORD) if not all([ get_ca_root_cert_path, get_ca_root_key_path, get_ca_root_password ]): raise Exception(Errors.PARAMETER['gauss_0201'] % 'items info of ca root cert') # copy ca root cert and key files to path of configured g.logger.info('Start deploy ca root files.') CommonTools.remove_files([ca_root_file_path, ca_root_key_path]) CommonTools.mkdir_with_mode(os.path.dirname(ca_root_file_path), Constant.AUTH_COMMON_DIR_STR) CommonTools.copy_file_to_dest_path(get_ca_root_cert_path, ca_root_file_path) CommonTools.mkdir_with_mode(os.path.dirname(ca_root_key_path), Constant.AUTH_COMMON_DIR_STR) CommonTools.copy_file_to_dest_path(get_ca_root_key_path, ca_root_key_path) # get ssl password ssl_password = CertGenerator.get_rand_str() ca_config_path = os.path.join( os.path.dirname(os.path.realpath(__file__)), Constant.CA_CONFIG) server_ip = CommonTools.get_local_ip(ignore=True) g.logger.info('Get server ip:[%s].' % server_ip) # create server cert CertGenerator.create_ca_certificate_with_script(get_ca_root_password, ssl_password, ca_root_file_path, ca_root_key_path, ca_config_path, server_cert_path, server_key_path, server_ip, crt_type='server') g.logger.info('Successfully generate server ca certificate.') return get_ca_root_password, ssl_password, ca_root_file_path, ca_root_key_path, \ ca_config_path, agent_cert_path, agent_key_path
def create_root_certificate(ca_password, ca_crt_path, ca_key_path, config_path): """ function : create root ca file input : rand pass, dir path of certificates, config path output : NA """ if not os.path.isfile(config_path): raise Exception(Errors.FILE_DIR_PATH['gauss_0102'] % config_path) CommonTools.mkdir_with_mode(os.path.dirname(ca_crt_path), Constant.AUTH_COMMON_DIR_STR) CommonTools.mkdir_with_mode(os.path.dirname(ca_key_path), Constant.AUTH_COMMON_DIR_STR) ca_req_path = os.path.realpath( os.path.join(os.path.dirname(ca_crt_path), Constant.CA_ROOT_REQ)) # create ca key file cmd = "%s echo '%s' |openssl genrsa -aes256 -passout stdin -out %s 2048" % ( Constant.CMD_PREFIX, ca_password, ca_key_path) cmd += " && %s" % Constant.SHELL_CMD_DICT['changeMode'] % ( Constant.AUTH_COMMON_FILE_STR, ca_key_path) status, output = CommonTools.get_status_output_error(cmd, mixed=True) if status != 0: raise Exception(Errors.EXECUTE_RESULT['gauss_0414'] % 'ca root key file') # 2 create ca req file cmd = "%s echo '%s' | openssl req -new -out %s -key %s -config %s -passin stdin" % ( Constant.CMD_PREFIX, ca_password, ca_req_path, ca_key_path, config_path) cmd += " && %s" % Constant.SHELL_CMD_DICT['changeMode'] % ( Constant.AUTH_COMMON_FILE_STR, ca_req_path) status, output = CommonTools.get_status_output_error(cmd, mixed=True) if status != 0: raise Exception(Errors.EXECUTE_RESULT['gauss_0414'] % 'ca root req file') # 3 create ca crt file cmd = "%s echo '%s' | openssl x509 -req -in %s " \ "-signkey %s -days %s -out %s -passin stdin" % ( Constant.CMD_PREFIX, ca_password, ca_req_path, ca_key_path, Constant.CA_ROOT_VALID_DATE, ca_crt_path) cmd += " && %s" % Constant.SHELL_CMD_DICT['changeMode'] % ( Constant.AUTH_COMMON_FILE_STR, ca_crt_path) status, output = CommonTools.get_status_output_error(cmd, mixed=True) if status != 0: raise Exception(Errors.EXECUTE_RESULT['gauss_0414'] % 'ca root crt file') CommonTools.remove_files([ca_req_path]) g.logger.info( 'Successfully generate ca root certificate, file path[%s].' % ca_crt_path)
def deploy_agent_certs(self): """ Copy file from temp dir to config path. """ file_list = self.read_ca_cert_path(agent_only=True) file_list.append(os.path.join(self.module_path, Constant.PWF_PATH)) temp_cert_list = os.listdir(TMP_CA_FILE) for dest_path in file_list: CommonTools.mkdir_with_mode(os.path.dirname(dest_path), Constant.AUTH_COMMON_DIR_STR) CommonTools.remove_files(file_list) g.logger.info('Successfully prepare the path:%s' % str(file_list)) for file_name in temp_cert_list: for dest_file in file_list: if file_name in dest_file: from_path = os.path.join(TMP_CA_FILE, file_name) CommonTools.copy_file_to_dest_path(from_path, dest_file) CommonTools.clean_dir(TMP_CA_FILE)
def create_ca_certificate(ca_password, ssl_password, ca_crt_path, ca_key_path, config_path, out_crt_path, out_key_path, ip, crt_type='server'): """ function : create server ca file or client ca file. input : rand pass, dir path of certificates, config path output : NA """ if not os.path.isfile(config_path): raise Exception(Errors.FILE_DIR_PATH['gauss_0102'] % 'config file:%s' % config_path) if not os.path.isfile(ca_crt_path): raise Exception(Errors.FILE_DIR_PATH['gauss_0102'] % 'ca crt file:%s' % ca_crt_path) if not os.path.isfile(ca_key_path): raise Exception(Errors.FILE_DIR_PATH['gauss_0102'] % 'ca key file:%s' % ca_key_path) CommonTools.mkdir_with_mode(os.path.dirname(out_key_path), Constant.AUTH_COMMON_DIR_STR) CommonTools.mkdir_with_mode(os.path.dirname(out_crt_path), Constant.AUTH_COMMON_DIR_STR) # create ca key file cmd = "%s echo '%s' | openssl genrsa -aes256 -passout stdin -out %s 2048" % ( Constant.CMD_PREFIX, ssl_password, out_key_path) cmd += " && %s" % Constant.SHELL_CMD_DICT['changeMode'] % ( Constant.AUTH_COMMON_FILE_STR, out_key_path) status, output = CommonTools.get_status_output_error(cmd, mixed=True) if status != 0: raise Exception(Errors.EXECUTE_RESULT['gauss_0414'] % 'ca key file' + output) ca_req_path = os.path.realpath( os.path.join(os.path.dirname(ca_crt_path), Constant.CA_REQ)) # create ca req file openssl_conf_env = "export OPENSSL_CONF=%s" % config_path cmd = '%s %s && echo "%s" | openssl req -new -out %s -key %s ' \ '-passin stdin -subj "/C=CN/ST=Some-State/O=%s/CN=%s"' % ( Constant.CMD_PREFIX, openssl_conf_env, ssl_password, ca_req_path, out_key_path, crt_type, ip) cmd += " && %s" % Constant.SHELL_CMD_DICT['changeMode'] % ( Constant.AUTH_COMMON_FILE_STR, ca_req_path) status, output = CommonTools.get_status_output_error(cmd, mixed=True) if status != 0: raise Exception(Errors.EXECUTE_RESULT['gauss_0414'] % 'ca req file' + output) # create server or client ca crt file cmd = '%s echo "%s" | openssl x509 -req -in %s -out %s -passin stdin ' \ '-sha256 -CAcreateserial -days %s -CA %s -CAkey %s' % ( Constant.CMD_PREFIX, ca_password, ca_req_path, out_crt_path, Constant.CA_VALID_DATE, ca_crt_path, ca_key_path) cmd += " && %s" % Constant.SHELL_CMD_DICT['changeMode'] % ( Constant.AUTH_COMMON_FILE_STR, out_crt_path) status, output = CommonTools.get_status_output_error(cmd, mixed=True) if status != 0: raise Exception(Errors.EXECUTE_RESULT['gauss_0414'] % 'ca crt file') CommonTools.remove_files([ca_req_path]) g.logger.info("Successfully generate %s ssl cert for node[%s]." % (crt_type, ip))