Andrew Bogott has submitted this change and it was merged. Change subject: puppetsigner: Clean up certs and salt keys for instances we can't find in ldap ......................................................................
puppetsigner: Clean up certs and salt keys for instances we can't find in ldap Bug T95519 Change-Id: I459c77a76c8e9656bd6bc0563282897deaf92294 --- M modules/puppetmaster/files/puppetsigner.py 1 file changed, 46 insertions(+), 17 deletions(-) Approvals: Andrew Bogott: Looks good to me, approved Yuvipanda: Looks good to me, but someone else must approve jenkins-bot: Verified
diff --git a/modules/puppetmaster/files/puppetsigner.py b/modules/puppetmaster/files/puppetsigner.py
index f33f3bd..e65ab81 100755
--- a/modules/puppetmaster/files/puppetsigner.py
+++ b/modules/puppetmaster/files/puppetsigner.py
@@ -33,35 +33,49 @@
 basedn = ldapSupportLib.getLdapInfo('base')
 try:
- puppet_output = subprocess.check_output(['/usr/bin/puppet', 'cert', 'list'])
- hosts = puppet_output.split()
- for host in hosts:
+ puppet_output = subprocess.check_output(['/usr/bin/puppet', 'cert', 'list', '--all'])
+ hosts = puppet_output.strip().split("\n")
+ for host_string in hosts:
+ host = host_string.split()
 # check to make sure hostname is actual hostname, to prevent
 # ldap injection attacks
 if host[0] == "(":
 continue
 # FIXME: WAT
- host = host.strip('"')
 # FIXME: WAT
- if not re.match(r'^[a-zA-Z0-9_-]+\.eqiad\.wmflabs$', host):
- print 'Invalid hostname', host
- sys.exit(-1)
- query = "(&(objectclass=puppetclient)(|(dc=" + host + ")(cnamerecord=" + host + ")(associateddomain=" + host + ")))"
+ if host[0] == '-':
+ # Already marked as invalid or revoked
+ continue
+ if host[0] == '+':
+ # Already signed
+ signed = True
+ hostname = host[1].strip('"')
+ else:
+ signed = False
+ hostname = host[0].strip('"')
+
+ # Skip pathological hostnames -- possible attack vector.
+ if not re.match(r'^[a-zA-Z0-9_-]+\.eqiad\.wmflabs$', hostname):
+ sys.stderr.write('Invalid hostname %s' % hostname)
+ continue
+
+ # Erase keys that don't correspond to ldap; sign those that do
+ query = "(&(objectclass=puppetclient)(|(dc=" + hostname + ")(cnamerecord=" + hostname + ")(associateddomain=" + hostname + ")))"
 host_info = ds.search_s(basedn, ldap.SCOPE_SUBTREE, query)
 if not host_info:
- path = getPuppetInfo('ssldir') + '/ca/requests/' + host + '.pem'
- try:
- os.remove(path)
- except Exception:
- # FIXME: WAT
- sys.stderr.write('Failed to remove the certificate: ' + path + '\n')
- else:
- subprocess.check_call(['/usr/bin/puppet', 'cert', 'sign', host])
+ signed_key_path = getPuppetInfo('ssldir') + '/ca/signed/' + hostname + '.pem'
+ sys.stderr.write('Removing stale cert %s' % hostname)
+ os.remove(signed_key_path)
+ elif not signed:
+ sys.stderr.write('Signing new cert %s' % hostname)
+ subprocess.check_call(['/usr/bin/puppet', 'cert', 'sign', hostname])
 subprocess.check_call(['/usr/bin/php', '/srv/org/wikimedia/controller/wikis/w/extensions/OpenStackManager/maintenance/onInstanceActionCompletion.php', '--action', 'build',
- '--instance', host])
+ '--instance', hostname])
+ salt_output = subprocess.check_output(['/usr/bin/salt-key', '--list', 'unaccepted', '--out', 'json'])
+ # Sign or delete unaccepted keys
 hosts = json.loads(salt_output)
 for host in hosts["minions_pre"]:
 if not re.match(r'^[a-zA-Z0-9_-]+\.eqiad\.wmflabs$', host):
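Review bot: The stale-cert branch under `if not host_info:` unlinks `ca/signed/<hostname>.pem` without looking at `signed`, but an entry that `puppet cert list --all` shows as unsigned only has a file under `ca/requests/` (the path the removed code used), so `os.remove` raises OSError there and, with the old try/except gone and only a `finally` in the next hunk, the whole run aborts before the salt-key cleanup — the stale request itself is never removed. For a signed entry, deleting the .pem does not revoke the certificate: a client that still holds the key pair keeps a certificate the CA will accept until it expires, so the stale-but-signed case should go through `puppet cert clean <hostname>`, which revokes and removes the files. The two cases are best split on `signed`, as sketched below; the enclosing try/finally closes in the next hunk.
```python
        if not host_info:
            if signed:
                # Revoke as well as unlink: deleting the .pem alone leaves the
                # issued certificate usable until it expires.
                sys.stderr.write('Revoking stale cert %s\n' % hostname)
                subprocess.check_call(['/usr/bin/puppet', 'cert', 'clean', hostname])
            else:
                request_path = getPuppetInfo('ssldir') + '/ca/requests/' + hostname + '.pem'
                sys.stderr.write('Removing stale request %s\n' % hostname)
                os.remove(request_path)
        elif not signed:
            # … unchanged: sign the cert and run onInstanceActionCompletion.php …
```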
@@ -73,5 +87,20 @@
 subprocess.check_call(['/usr/bin/salt-key', '-y', '-d', host])
 else:
 subprocess.check_call(['/usr/bin/salt-key', '-y', '-a', host])
+
+ # Purge accepted but unused keys
+ salt_output = subprocess.check_output(['/usr/bin/salt-key',
+ '--list', 'accepted',
+ '--out', 'json'])
+ hosts = json.loads(salt_output)
+ for host in hosts["minions"]:
+ if not re.match(r'^[a-zA-Z0-9_-]+\.eqiad\.wmflabs$', host):
+ print 'Invalid hostname', host
+ sys.exit(-1)
+ query = "(&(objectclass=puppetclient)(|(dc=" + host + ")(cnamerecord=" + host + ")(associateddomain=" + host + ")))"
+ host_result = ds.search_s(basedn, ldap.SCOPE_SUBTREE, query)
+ if not host_result:
+ sys.stderr.write('Removing stale salt key %s' % host)
+ subprocess.check_call(['/usr/bin/salt-key', '-y', '-d', host])
 finally:
 ds.unbind()
-- To view, visit https://gerrit.wikimedia.org/r/205897 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I459c77a76c8e9656bd6bc0563282897deaf92294 Gerrit-PatchSet: 11 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Andrew Bogott <abog...@wikimedia.org> Gerrit-Reviewer: Andrew Bogott <abog...@wikimedia.org> Gerrit-Reviewer: Yuvipanda <yuvipa...@gmail.com> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
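Review bot: The new accepted-key loop still does `print 'Invalid hostname', host` followed by `sys.exit(-1)`, whereas the puppet loop in this same change was switched to log and `continue`; a single accepted minion id that does not match the pattern therefore ends the run (the `finally` unbinds and nothing after it is purged) on every invocation until someone removes that key by hand, so it should become `sys.stderr.write('Invalid hostname %s\n' % host)` then `continue`, with the malformed key deleted or reported rather than stopping the job. The LDAP filter string is now assembled inline a third time from a regex-validated name; a small helper such as `def ldap_host_filter(hostname)` would keep the validation and the filter construction in one place so a future caller cannot use one without the other. The `sys.stderr.write` messages added in both hunks lack a trailing `\n`, so consecutive messages run together on one line.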