Yedidyah Bar David has uploaded a new change for review. Change subject: packaging: setup: Use common code for remote engine pki ......................................................................
packaging: setup: Use common code for remote engine pki Requires http://gerrit.ovirt.org/33023 Bug-Url: https://bugzilla.redhat.com/1142267 Change-Id: Ia7a549d09dc85293beba24327ea44ef1dcaf4a55 Signed-off-by: Yedidyah Bar David <[email protected]> (cherry picked from commit 8e9eba398d796a941b8108f32655d24c6e4b265d) --- M packaging/setup/ovirt_engine_setup/reports/constants.py M packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-reports/pki/apache.py M packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-reports/pki/jboss.py 3 files changed, 92 insertions(+), 388 deletions(-) git pull ssh://gerrit.ovirt.org:29418/ovirt-reports refs/changes/42/33242/1 diff --git a/packaging/setup/ovirt_engine_setup/reports/constants.py b/packaging/setup/ovirt_engine_setup/reports/constants.py index 2c7969a..a833bde 100644 --- a/packaging/setup/ovirt_engine_setup/reports/constants.py +++ b/packaging/setup/ovirt_engine_setup/reports/constants.py @@ -354,9 +354,6 @@ LEGACY_REPORTS_WAR = 'OVESETUP_REPORTS_CONFIG/legacyReportsWar' KEY_SIZE = 'OVESETUP_REPORTS_CONFIG/keySize' - JBOSS_CERTIFICATE_CHAIN = 'OVESETUP_REPORTS_CONFIG/jbossCertificateChain' - APACHE_CERTIFICATE = 'OVESETUP_REPORTS_CONFIG/apacheCertificate' - APACHE_CA_CERTIFICATE = 'OVESETUP_REPORTS_CONFIG/apacheCACertificate' # Eventual public http/s ports - either apache or jboss # Commented 'internal use' in engine, perhaps it means they should not diff --git a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-reports/pki/apache.py b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-reports/pki/apache.py index 58508ba..6a62a9e 100644 --- a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-reports/pki/apache.py +++ b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-reports/pki/apache.py @@ -21,8 +21,8 @@ import contextlib import os -import tempfile import urllib2 +import time import gettext 
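Review bot: `import time` is appended after `import urllib2`, which breaks the alphabetical order the stdlib block otherwise keeps (`contextlib`, `os`, `urllib2`); place it between `os` and `urllib2` so the block reads `import os` / `import time` / `import urllib2`. Minor, but it is the only out-of-order entry in that group.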
@@ -41,6 +41,7 @@ from ovirt_engine_setup import constants as osetupcons +from ovirt_engine_setup import remote_engine from ovirt_engine_setup.engine_common import constants as oengcommcons from ovirt_engine_setup.reports import constants as oreportscons @@ -49,41 +50,17 @@ class Plugin(plugin.PluginBase): """apache pki plugin.""" - def _genReq(self): - - rsa = RSA.gen_key( - self.environment[oreportscons.ConfigEnv.KEY_SIZE], - 65537, - ) - rsapem = rsa.as_pem(cipher=None) - evp = EVP.PKey() - evp.assign_rsa(rsa) - rsa = None # should not be freed here - req = X509.Request() - req.set_pubkey(evp) - req.sign(evp, 'sha1') - return rsapem, req.as_pem(), req.get_pubkey().as_pem(cipher=None) - def __init__(self, context): super(Plugin, self).__init__(context=context) self._enabled = False - self._need_key = False - self._need_cert = False + self._enrolldata = None self._need_ca_cert = False - self._csr_file = None + self._apache_ca_cert = None @plugin.event( stage=plugin.Stages.STAGE_INIT, ) def _init(self): - self.environment.setdefault( - oreportscons.ConfigEnv.APACHE_CERTIFICATE, - None - ) - self.environment.setdefault( - oreportscons.ConfigEnv.APACHE_CA_CERTIFICATE, - None - ) self.environment.setdefault( oreportscons.ConfigEnv.PKI_APACHE_CSR_FILENAME, None 
@@ -123,130 +100,41 @@ ) if not engine_apache_pki_found: - self._need_cert = not os.path.exists( - oreportscons.FileLocations. - OVIRT_ENGINE_PKI_REPORTS_APACHE_CERT + self._enrolldata = remote_engine.EnrollCert( + remote_engine=self.environment[osetupcons.CoreEnv.REMOTE_ENGINE], + engine_fqdn=self.environment[ + oreportscons.EngineConfigEnv.ENGINE_FQDN + ], + base_name=oreportscons.Const.PKI_REPORTS_APACHE_CERT_NAME, + base_touser=_('Apache'), + key_file=oreportscons.FileLocations. + OVIRT_ENGINE_PKI_REPORTS_APACHE_KEY, + cert_file=oreportscons.FileLocations. + OVIRT_ENGINE_PKI_REPORTS_APACHE_CERT, + csr_fname_envkey=oreportscons.ConfigEnv.PKI_APACHE_CSR_FILENAME, + engine_ca_cert_file=os.path.join( + oreportscons.FileLocations.OVIRT_ENGINE_PKIDIR, + 'ca.pem' + ), + engine_pki_requests_dir=oreportscons.FileLocations. + OVIRT_ENGINE_PKIREQUESTSDIR, + engine_pki_certs_dir=oreportscons.FileLocations. + OVIRT_ENGINE_PKICERTSDIR, + key_size=self.environment[oreportscons.ConfigEnv.KEY_SIZE], + url="http://www.ovirt.org/Features/Separate-Reports-Host", ) - self._need_key = not os.path.exists( - oreportscons.FileLocations. - OVIRT_ENGINE_PKI_REPORTS_APACHE_KEY - ) + self._enrolldata.enroll_cert() + self._need_ca_cert = not os.path.exists( oreportscons.FileLocations. 
OVIRT_ENGINE_PKI_REPORTS_APACHE_CA_CERT ) - if self._need_key: - self._key, req, my_pubk = self._genReq() - self._need_cert = True - - if ( - self._need_cert and - self.environment[ - oreportscons.ConfigEnv.APACHE_CERTIFICATE - ] is None - ): - csr_fname = self.environment[ - oreportscons.ConfigEnv.PKI_APACHE_CSR_FILENAME - ] - with ( - open(csr_fname, 'w') if csr_fname - else tempfile.NamedTemporaryFile(mode='w', delete=False) - ) as self._csr_file: - self._csr_file.write(req) - - remote_name = '{name}-{fqdn}'.format( - name=oreportscons.Const.PKI_REPORTS_APACHE_CERT_NAME, - fqdn=self.environment[osetupcons.ConfigEnv.FQDN], - ) - enroll_command = ( - " /usr/share/ovirt-engine/bin/pki-enroll-request.sh \\\n" - " --name={remote_name} \\\n" - " --subject=\"" - "$(openssl x509 -in {pkidir}/ca.pem -noout " - "-subject | sed 's;subject= \(/C=[^/]*/O=[^/]*\)/.*;\\1;')" - "/CN={fqdn}\"" - ).format( - remote_name=remote_name, - pkidir=oreportscons.FileLocations.OVIRT_ENGINE_PKIDIR, - fqdn=self.environment[osetupcons.ConfigEnv.FQDN], - ) - - self.dialog.note( - text=_( - "\nTo sign the Apache certificate on the engine server, " - "please:\n\n" - "1. Copy {tmpcsr} from here to {enginecsr} on the engine " - "server.\n\n" - "2. Run on the engine server:\n\n" - "{enroll_command}\n\n" - "3. Copy {enginecert} from the engine server to some file " - "here. Provide the file name below.\n\n" - "See {url} for more details, including using an external " - "certificate authority." - ).format( - tmpcsr=self._csr_file.name, - enginecsr='{pkireqdir}/{remote_name}.req'.format( - pkireqdir=oreportscons.FileLocations. - OVIRT_ENGINE_PKIREQUESTSDIR, - remote_name=remote_name, - ), - enroll_command=enroll_command, - enginecert='{pkicertdir}/{remote_name}.cer'.format( - pkicertdir=oreportscons.FileLocations. 
- OVIRT_ENGINE_PKICERTSDIR, - remote_name=remote_name, - ), - url="http://www.ovirt.org/Features/Separate-Reports-Host", - ), - ) - - goodcert = False - while not goodcert: - filename = self.dialog.queryString( - name='REPORTS_APACHE_CERT_FILENAME', - note=_( - '\nPlease input the location of the file where you ' - 'copied the signed certificate in step 3 above: ' - ), - prompt=True, - ) - try: - with open(filename) as f: - cert = f.read() - goodcert = my_pubk == X509.load_cert_string( - cert - ).get_pubkey().as_pem(cipher=None) - self.environment[ - oreportscons.ConfigEnv.APACHE_CERTIFICATE - ] = cert - if not goodcert: - self.logger.error( - _( - 'The certificate in {cert} does not match ' - 'the request in {req}. Please try again.' - ).format( - cert=filename, - req=self._csr_file.name, - ) - ) - except: - self.logger.error( - _( - 'Error while reading or parsing {cert}. ' - 'Please try again.' - ).format( - cert=filename, - ) - ) - self.logger.debug('Error reading cert', exc_info=True) - self.logger.info(_('Apache certificate read successfully')) - + tries_left = 30 while ( self._need_ca_cert and - self.environment[ - oreportscons.ConfigEnv.APACHE_CA_CERTIFICATE - ] is None + self._apache_ca_cert is None and + tries_left > 0 ): remote_engine_host = self.environment[ oreportscons.EngineConfigEnv.ENGINE_FQDN @@ -263,16 +151,19 @@ ) as urlObj: engine_ca_cert = urlObj.read() if engine_ca_cert: - self.environment[ - oreportscons.ConfigEnv.APACHE_CA_CERTIFICATE - ] = engine_ca_cert + self._apache_ca_cert = engine_ca_cert else: self.logger.error( _( 'Failed to get CA Certificate from engine. ' - 'Please try again.' + 'Please check access to the engine and its ' + 'status.' ) ) + time.sleep(10) + tries_left -= 1 + if self._need_ca_cert and self._apache_ca_cert is None: + raise RuntimeError(_('Failed to get CA Certificate from engine')) @plugin.event( stage=plugin.Stages.STAGE_MISC, 
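Review bot: The removed lines checked that the certificate the user pointed at actually carried the public key of the generated request (`goodcert = my_pubk == X509.load_cert_string(cert).get_pubkey().as_pem(cipher=None)`) before it was accepted, and nothing in the new code shows where that check now lives. A one-line comment on `self._enrolldata.enroll_cert()` such as `# key generation, CSR hand-off and cert/key matching now live in remote_engine.EnrollCert` would tell a reader the check was moved rather than dropped; presumably the dependency change named in the message provides it, but that is not visible here. The function containing this hunk starts before `if not engine_apache_pki_found:` and is outside the hunk, so its event condition cannot be seen. `tries_left = 30` is a bare magic number; `tries_left = 30  # about 5 minutes at 10 s per attempt` would document the budget it sets up for the loop below.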
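Review bot: `time.sleep(10)` and `tries_left -= 1` run on every iteration, including the one that has just stored the CA certificate, so a successful fetch still pauses setup for ten seconds, and the final failing attempt sleeps before `RuntimeError` is raised. Move both into the `else:` branch, e.g. `tries_left -= 1` followed by `if tries_left > 0: time.sleep(10)`. The lines between `remote_engine_host = ...` and `) as urlObj:` are outside the hunk, so it is not visible whether a failed `urllib2.urlopen` (engine not yet reachable, the likeliest case) is caught inside the loop; if it propagates, the retry loop never retries for that case. The error text could also say that setup will retry, since the user otherwise sees up to thirty identical errors with no hint that waiting is expected.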
@@ -285,6 +176,10 @@ ), ) def _misc_pki(self): + self._enrolldata.add_to_transaction( + uninstall_group_name='ca_pki_reports', + uninstall_group_desc='Reports PKI keys', + ) uninstall_files = [] self.environment[ osetupcons.CoreEnv.REGISTER_UNINSTALL_GROUPS @@ -296,41 +191,9 @@ group='ca_pki_reports', fileList=uninstall_files, ) - - if self._need_key: - self.environment[otopicons.CoreEnv.MAIN_TRANSACTION].append( - filetransaction.FileTransaction( - name=oreportscons.FileLocations. - OVIRT_ENGINE_PKI_REPORTS_APACHE_KEY, - mode=0o600, - owner=self.environment[osetupcons.SystemEnv.USER_ENGINE], - enforcePermissions=True, - content=self._key, - modifiedList=uninstall_files, - ) - ) - os.symlink( - oreportscons.FileLocations.OVIRT_ENGINE_PKI_REPORTS_APACHE_KEY, - oreportscons.FileLocations.OVIRT_ENGINE_PKI_APACHE_KEY - ) - uninstall_files.append( - oreportscons.FileLocations.OVIRT_ENGINE_PKI_APACHE_KEY - ) - - if self._need_cert: - self.environment[otopicons.CoreEnv.MAIN_TRANSACTION].append( - filetransaction.FileTransaction( - name=oreportscons.FileLocations. - OVIRT_ENGINE_PKI_REPORTS_APACHE_CERT, - mode=0o600, - owner=self.environment[osetupcons.SystemEnv.USER_ENGINE], - enforcePermissions=True, - content=self.environment[ - oreportscons.ConfigEnv.APACHE_CERTIFICATE - ], - modifiedList=uninstall_files, - ) - ) + if not os.path.exists( + oreportscons.FileLocations.OVIRT_ENGINE_PKI_APACHE_CERT + ): os.symlink( oreportscons.FileLocations. OVIRT_ENGINE_PKI_REPORTS_APACHE_CERT, @@ -338,6 +201,16 @@ ) uninstall_files.append( oreportscons.FileLocations.OVIRT_ENGINE_PKI_APACHE_CERT + ) + if not os.path.exists( + oreportscons.FileLocations.OVIRT_ENGINE_PKI_APACHE_KEY + ): + os.symlink( + oreportscons.FileLocations.OVIRT_ENGINE_PKI_REPORTS_APACHE_KEY, + oreportscons.FileLocations.OVIRT_ENGINE_PKI_APACHE_KEY + ) + uninstall_files.append( + oreportscons.FileLocations.OVIRT_ENGINE_PKI_APACHE_KEY ) if self._need_ca_cert: 
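Review bot: `self._enrolldata.add_to_transaction(...)` is called unconditionally, but `self._enrolldata` keeps the `None` set in `__init__` when `engine_apache_pki_found` is true, because the `EnrollCert` is only built inside `if not engine_apache_pki_found:` in the earlier hunk; on such hosts `_misc_pki` would raise AttributeError unless the event's condition, which lies outside the hunk, already excludes them. The same applies to `self._enrolldata.cleanup()` in the STAGE_CLEANUP hunk below, whose condition is only `self._enabled`. Guard both call sites with `if self._enrolldata is not None:`.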
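Review bot: `os.path.exists(oreportscons.FileLocations.OVIRT_ENGINE_PKI_APACHE_CERT)` follows the link, so a dangling symlink left by a previous run reports False and the `os.symlink` that follows fails with EEXIST; `os.path.lexists` tests the link entry itself. The same guard is added for the key symlink in the next hunk (`@@ -338`) and needs the same change. Note also that when the guard is False the existing entry is neither checked to point at the reports certificate/key nor added to `uninstall_files`, so an unrelated or stale file at that path is silently kept; if that is intended, a short comment saying so would help, otherwise `os.path.realpath` could be compared with the intended target.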
@@ -348,9 +221,7 @@ mode=0o600, owner=self.environment[osetupcons.SystemEnv.USER_ENGINE], enforcePermissions=True, - content=self.environment[ - oreportscons.ConfigEnv.APACHE_CA_CERTIFICATE - ], + content=self._apache_ca_cert, modifiedList=uninstall_files, ) ) @@ -365,17 +236,12 @@ @plugin.event( stage=plugin.Stages.STAGE_CLEANUP, + condition=lambda self: ( + self._enabled + ), ) def _cleanup(self): - if self._csr_file is not None: - try: - os.unlink(self._csr_file.name) - except OSError as e: - self.logger.debug( - "Failed to delete '%s'", - self._csr_file.name, - exc_info=True, - ) + self._enrolldata.cleanup() # vim: expandtab tabstop=4 shiftwidth=4 diff --git a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-reports/pki/jboss.py b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-reports/pki/jboss.py index 74e9dfa..481607b 100644 --- a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-reports/pki/jboss.py +++ b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-reports/pki/jboss.py @@ -20,16 +20,10 @@ import os -import tempfile import gettext _ = lambda m: gettext.dgettext(message=m, domain='ovirt-engine-reports') - - -from M2Crypto import X509 -from M2Crypto import EVP -from M2Crypto import RSA from otopi import constants as otopicons @@ -39,6 +33,7 @@ from ovirt_engine_setup import constants as osetupcons +from ovirt_engine_setup import remote_engine from ovirt_engine_setup.engine_common import constants as oengcommcons from ovirt_engine_setup.reports import constants as oreportscons 
@@ -47,37 +42,15 @@ class Plugin(plugin.PluginBase): """jboss pki plugin.""" - def _genReq(self): - - rsa = RSA.gen_key( - self.environment[oreportscons.ConfigEnv.KEY_SIZE], - 65537, - ) - rsapem = rsa.as_pem(cipher=None) - evp = EVP.PKey() - evp.assign_rsa(rsa) - rsa = None # should not be freed here - req = X509.Request() - req.set_pubkey(evp) - req.sign(evp, 'sha1') - return rsapem, req.as_pem(), req.get_pubkey().as_pem(cipher=None) - def __init__(self, context): super(Plugin, self).__init__(context=context) self._enabled = False - self._need_key = False - self._need_cert = False - self._on_separate_h = False - self._csr_file = None + self._enrolldata = None @plugin.event( stage=plugin.Stages.STAGE_INIT, ) def _init(self): - self.environment.setdefault( - oreportscons.ConfigEnv.JBOSS_CERTIFICATE_CHAIN, - None - ) self.environment.setdefault( oreportscons.ConfigEnv.PKI_JBOSS_CSR_FILENAME, None 
@@ -105,122 +78,30 @@ ) def _customization(self): self._enabled = True - - self._need_cert = not os.path.exists( - oreportscons.FileLocations. - OVIRT_ENGINE_PKI_REPORTS_JBOSS_CERT + self._enrolldata = remote_engine.EnrollCert( + remote_engine=self.environment[osetupcons.CoreEnv.REMOTE_ENGINE], + engine_fqdn=self.environment[ + oreportscons.EngineConfigEnv.ENGINE_FQDN + ], + base_name=oreportscons.Const.PKI_REPORTS_JBOSS_CERT_NAME, + base_touser=_('Reports'), + key_file=oreportscons.FileLocations. + OVIRT_ENGINE_PKI_REPORTS_JBOSS_KEY, + cert_file=oreportscons.FileLocations. + OVIRT_ENGINE_PKI_REPORTS_JBOSS_CERT, + csr_fname_envkey=oreportscons.ConfigEnv.PKI_JBOSS_CSR_FILENAME, + engine_ca_cert_file=os.path.join( + oreportscons.FileLocations.OVIRT_ENGINE_PKIDIR, + 'ca.pem' + ), + engine_pki_requests_dir=oreportscons.FileLocations. + OVIRT_ENGINE_PKIREQUESTSDIR, + engine_pki_certs_dir=oreportscons.FileLocations. + OVIRT_ENGINE_PKICERTSDIR, + key_size=self.environment[oreportscons.ConfigEnv.KEY_SIZE], + url="http://www.ovirt.org/Features/Separate-Reports-Host", ) - - self._need_key = not os.path.exists( - oreportscons.FileLocations. 
- OVIRT_ENGINE_PKI_REPORTS_JBOSS_KEY - ) - - if self._need_key: - self._key, req, my_pubk = self._genReq() - self._need_cert = True - - if ( - self._need_cert and - self.environment[ - oreportscons.ConfigEnv.JBOSS_CERTIFICATE_CHAIN - ] is None - ): - csr_fname = self.environment[ - oreportscons.ConfigEnv.PKI_JBOSS_CSR_FILENAME - ] - with ( - open(csr_fname, 'w') if csr_fname - else tempfile.NamedTemporaryFile(mode='w', delete=False) - ) as self._csr_file: - self._csr_file.write(req) - - remote_name = '{name}-{fqdn}'.format( - name=oreportscons.Const.PKI_REPORTS_JBOSS_CERT_NAME, - fqdn=self.environment[osetupcons.ConfigEnv.FQDN], - ) - enroll_command = ( - " /usr/share/ovirt-engine/bin/pki-enroll-request.sh \\\n" - " --name={remote_name} \\\n" - " --subject=\"" - "$(openssl x509 -in {pkidir}/ca.pem -noout " - "-subject | sed 's;subject= \(/C=[^/]*/O=[^/]*\)/.*;\\1;')" - "/CN={fqdn}\"" - ).format( - remote_name=remote_name, - pkidir=oreportscons.FileLocations.OVIRT_ENGINE_PKIDIR, - fqdn=self.environment[osetupcons.ConfigEnv.FQDN], - ) - - self.dialog.note( - text=_( - "\nTo sign the Reports certificate on the engine server, " - "please:\n\n" - "1. Copy {tmpcsr} from here to {enginecsr} on the engine " - "server.\n\n" - "2. Run on the engine server:\n\n" - "{enroll_command}\n\n" - "3. Copy {enginecert} from the engine server to some file " - "here. Provide the file name below.\n\n" - "See {url} for more details, including using an external " - "certificate authority." - ).format( - tmpcsr=self._csr_file.name, - enginecsr='{pkireqdir}/{remote_name}.req'.format( - pkireqdir=oreportscons.FileLocations. - OVIRT_ENGINE_PKIREQUESTSDIR, - remote_name=remote_name, - ), - enroll_command=enroll_command, - enginecert='{pkicertdir}/{remote_name}.cer'.format( - pkicertdir=oreportscons.FileLocations. 
- OVIRT_ENGINE_PKICERTSDIR, - remote_name=remote_name, - ), - url="http://www.ovirt.org/Features/Separate-Reports-Host", - ), - ) - - goodcert = False - while not goodcert: - filename = self.dialog.queryString( - name='REPORTS_JBOSS_CERT_FILENAME', - note=_( - '\nPlease input the location of the file where you ' - 'copied the signed certificate in step 3 above: ' - ), - prompt=True, - ) - try: - with open(filename) as f: - cert = f.read() - goodcert = my_pubk == X509.load_cert_string( - cert - ).get_pubkey().as_pem(cipher=None) - self.environment[ - oreportscons.ConfigEnv.JBOSS_CERTIFICATE_CHAIN - ] = cert - if not goodcert: - self.logger.error( - _( - 'The certificate in {cert} does not match ' - 'the request in {req}. Please try again.' - ).format( - cert=filename, - req=self._csr_file.name, - ) - ) - except: - self.logger.error( - _( - 'Error while reading or parsing {cert}. ' - 'Please try again.' - ).format( - cert=filename, - ) - ) - self.logger.debug('Error reading cert', exc_info=True) - self.logger.info(_('Reports certificate read successfully')) + self._enrolldata.enroll_cert() @plugin.event( stage=plugin.Stages.STAGE_MISC, 
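Review bot: The `EnrollCert(...)` construction here repeats the apache plugin's almost keyword for keyword; only `base_name`, `base_touser`, `key_file`, `cert_file` and `csr_fname_envkey` differ, and the documentation URL literal `"http://www.ovirt.org/Features/Separate-Reports-Host"` is now duplicated in both plugins. Consider moving the shared arguments (`engine_ca_cert_file`, the requests/certs directories, `key_size`, `url`) into one place, e.g. a constant in `oreportscons` plus a small helper taking the per-plugin values, so a future change to the PKI layout is made once. `_customization` is shown from its `def` line but its `@plugin.event` decorator is above the hunk, so its condition is not visible here.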
@@ -230,62 +111,22 @@ after=( oreportscons.Stages.CA_AVAILABLE, oreportscons.Stages.PKI_MISC, - oreportscons.Stages.ENGINE_CORE_ENABLE, ), ) def _misc_pki(self): - uninstall_files = [] - self.environment[ - osetupcons.CoreEnv.REGISTER_UNINSTALL_GROUPS - ].createGroup( - group='ca_pki_reports', - description='Reports PKI keys', - optional=True, - ).addFiles( - group='ca_pki_reports', - fileList=uninstall_files, + self._enrolldata.add_to_transaction( + uninstall_group_name='ca_pki_reports', + uninstall_group_desc='Reports PKI keys', ) - if self._need_key: - self.environment[otopicons.CoreEnv.MAIN_TRANSACTION].append( - filetransaction.FileTransaction( - name=oreportscons.FileLocations. - OVIRT_ENGINE_PKI_REPORTS_JBOSS_KEY, - mode=0o600, - owner=self.environment[osetupcons.SystemEnv.USER_ENGINE], - enforcePermissions=True, - content=self._key, - modifiedList=uninstall_files, - ) - ) - - if self._need_cert: - self.environment[otopicons.CoreEnv.MAIN_TRANSACTION].append( - filetransaction.FileTransaction( - name=oreportscons.FileLocations. 
- OVIRT_ENGINE_PKI_REPORTS_JBOSS_CERT, - mode=0o600, - owner=self.environment[osetupcons.SystemEnv.USER_ENGINE], - enforcePermissions=True, - content=self.environment[ - oreportscons.ConfigEnv.JBOSS_CERTIFICATE_CHAIN - ], - modifiedList=uninstall_files, - ) - ) @plugin.event( stage=plugin.Stages.STAGE_CLEANUP, + condition=lambda self: ( + self._enabled + ), ) def _cleanup(self): - if self._csr_file is not None: - try: - os.unlink(self._csr_file.name) - except OSError as e: - self.logger.debug( - "Failed to delete '%s'", - self._csr_file.name, - exc_info=True, - ) + self._enrolldata.cleanup() # vim: expandtab tabstop=4 shiftwidth=4 -- To view, visit http://gerrit.ovirt.org/33242 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: newchange Gerrit-Change-Id: Ia7a549d09dc85293beba24327ea44ef1dcaf4a55 Gerrit-PatchSet: 1 Gerrit-Project: ovirt-reports Gerrit-Branch: ovirt-engine-reports-3.5 Gerrit-Owner: Yedidyah Bar David <[email protected]> _______________________________________________ Engine-patches mailing list [email protected] http://lists.ovirt.org/mailman/listinfo/engine-patches
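Review bot: Dropping `oreportscons.Stages.ENGINE_CORE_ENABLE` from `_misc_pki`'s `after` tuple changes stage ordering, but the commit message does not say why; if `add_to_transaction` no longer depends on the engine core being enabled, a one-line comment above `after=(` or a sentence in the message would preserve that reasoning. This hunk replaces the plugin's own `createGroup(group='ca_pki_reports', ...)` with `add_to_transaction(uninstall_group_name='ca_pki_reports', ...)`, which suggests the helper registers the uninstall group itself; the apache plugin's `_misc_pki` in the earlier hunk keeps both calls with the same group name, so that group may be registered twice there unless `createGroup` tolerates duplicates, which cannot be seen from the diff.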
