Andrew Bogott has submitted this change and it was merged.

Change subject: puppetsigner:  Clean up certs  and salt keys for instances we 
can't find in ldap
......................................................................


puppetsigner:  Clean up certs  and salt keys for instances we can't find in ldap

Bug T95519

Change-Id: I459c77a76c8e9656bd6bc0563282897deaf92294
---
M modules/puppetmaster/files/puppetsigner.py
1 file changed, 46 insertions(+), 17 deletions(-)

Approvals:
  Andrew Bogott: Looks good to me, approved
  Yuvipanda: Looks good to me, but someone else must approve
  jenkins-bot: Verified



diff --git a/modules/puppetmaster/files/puppetsigner.py 
b/modules/puppetmaster/files/puppetsigner.py
index f33f3bd..e65ab81 100755
--- a/modules/puppetmaster/files/puppetsigner.py
+++ b/modules/puppetmaster/files/puppetsigner.py
@@ -33,35 +33,49 @@
 basedn = ldapSupportLib.getLdapInfo('base')
 
 try:
-    puppet_output = subprocess.check_output(['/usr/bin/puppet', 'cert', 
'list'])
-    hosts = puppet_output.split()
-    for host in hosts:
+    puppet_output = subprocess.check_output(['/usr/bin/puppet', 'cert', 
'list', '--all'])
+    hosts = puppet_output.strip().split("\n")
+    for host_string in hosts:
+        host = host_string.split()
         # check to make sure hostname is actual hostname, to prevent
         # ldap injection attacks
         if host[0] == "(":
             continue  # FIXME: WAT
-        host = host.strip('"')  # FIXME: WAT
-        if not re.match(r'^[a-zA-Z0-9_-]+\.eqiad\.wmflabs$', host):
-            print 'Invalid hostname', host
-            sys.exit(-1)
-        query = "(&(objectclass=puppetclient)(|(dc=" + host + ")(cnamerecord=" 
+ host + ")(associateddomain=" + host + ")))"
+        if host[0] == '-':
+            # Already marked as invalid or revoked
+            continue
+        if host[0] == '+':
+            # Already signed
+            signed = True
+            hostname = host[1].strip('"')
+        else:
+            signed = False
+            hostname = host[0].strip('"')
+
+        # Skip pathological hostnames -- possible attack vector.
+        if not re.match(r'^[a-zA-Z0-9_-]+\.eqiad\.wmflabs$', hostname):
+            sys.stderr.write('Invalid hostname %s' % hostname)
+            continue
+
+        # Erase keys that don't correspond to ldap; sign those that do
+        query = "(&(objectclass=puppetclient)(|(dc=" + hostname + 
")(cnamerecord=" + hostname + ")(associateddomain=" + hostname + ")))"
         host_info = ds.search_s(basedn, ldap.SCOPE_SUBTREE, query)
         if not host_info:
-            path = getPuppetInfo('ssldir') + '/ca/requests/' + host + '.pem'
-            try:
-                os.remove(path)
-            except Exception:
-                # FIXME: WAT
-                sys.stderr.write('Failed to remove the certificate: ' + path + 
'\n')
-        else:
-            subprocess.check_call(['/usr/bin/puppet', 'cert', 'sign', host])
+            signed_key_path = getPuppetInfo('ssldir') + '/ca/signed/' + 
hostname + '.pem'
+            sys.stderr.write('Removing stale cert %s' % hostname)
+            os.remove(signed_key_path)
+        elif not signed:
+            sys.stderr.write('Signing new cert %s' % hostname)
+            subprocess.check_call(['/usr/bin/puppet', 'cert', 'sign', 
hostname])
             subprocess.check_call(['/usr/bin/php',
                                    
'/srv/org/wikimedia/controller/wikis/w/extensions/OpenStackManager/maintenance/onInstanceActionCompletion.php',
                                    '--action', 'build',
-                                   '--instance', host])
+                                   '--instance', hostname])
+
     salt_output = subprocess.check_output(['/usr/bin/salt-key',
                                            '--list', 'unaccepted',
                                            '--out', 'json'])
+    # Sign or delete unaccepted keys
     hosts = json.loads(salt_output)
     for host in hosts["minions_pre"]:
         if not re.match(r'^[a-zA-Z0-9_-]+\.eqiad\.wmflabs$', host):
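Review bot: `os.remove(signed_key_path)` only unlinks the file under `ca/signed/`, but the `if not host_info` branch is taken for unsigned requests too (`signed` is False), where no such file exists — the resulting OSError is not caught inside the `try:`/`finally:`, so one stray CSR from a host absent from LDAP aborts the whole run and stops signing for every legitimate instance, and the pending request under `ca/requests/` that the old code deleted is now left in place. Unlinking the signed PEM also does not revoke a certificate the CA has already issued, so unless the CRL is regenerated elsewhere a host removed from LDAP can keep presenting that cert to the master. Replacing the remove with `subprocess.check_call(['/usr/bin/puppet', 'cert', 'clean', hostname])` covers both cases, since `puppet cert clean` revokes and removes a signed cert and discards a pending request. The new `sys.stderr.write` messages also lack a trailing `\n`, so consecutive messages run together on one line. The `minions_pre` loop at the end of this hunk continues past it.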
@@ -73,5 +87,20 @@
             subprocess.check_call(['/usr/bin/salt-key', '-y', '-d', host])
         else:
             subprocess.check_call(['/usr/bin/salt-key', '-y', '-a', host])
+
+    # Purge accepted but unused keys
+    salt_output = subprocess.check_output(['/usr/bin/salt-key',
+                                           '--list', 'accepted',
+                                           '--out', 'json'])
+    hosts = json.loads(salt_output)
+    for host in hosts["minions"]:
+        if not re.match(r'^[a-zA-Z0-9_-]+\.eqiad\.wmflabs$', host):
+            print 'Invalid hostname', host
+            sys.exit(-1)
+        query = "(&(objectclass=puppetclient)(|(dc=" + host + ")(cnamerecord=" 
+ host + ")(associateddomain=" + host + ")))"
+        host_result = ds.search_s(basedn, ldap.SCOPE_SUBTREE, query)
+        if not host_result:
+            sys.stderr.write('Removing stale salt key %s' % host)
+            subprocess.check_call(['/usr/bin/salt-key', '-y', '-d', host])
 finally:
     ds.unbind()
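Review bot: The accepted-key loop treats a minion id that fails the hostname regex as fatal (`print 'Invalid hostname', host` / `sys.exit(-1)`), whereas the puppet loop earlier in this change logs and `continue`s. A minion id is chosen by the minion itself, so one odd accepted key — or one accepted by hand — halts the purge for every other stale key; the regex already keeps the id out of the LDAP filter, so skipping is sufficient: `sys.stderr.write('Invalid salt key id %s\n' % host)` followed by `continue`. The same pattern is now spelled out four times in the file; a module-level `HOSTNAME_RE = re.compile(r'^[a-zA-Z0-9_-]+\.eqiad\.wmflabs$')` would keep the copies from drifting apart. The first lines of this hunk are the tail of the `minions_pre` loop whose body begins before the hunk.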


Gerrit-MessageType: merged
Gerrit-Change-Id: I459c77a76c8e9656bd6bc0563282897deaf92294
Gerrit-PatchSet: 11
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Andrew Bogott <abog...@wikimedia.org>
Gerrit-Reviewer: Andrew Bogott <abog...@wikimedia.org>
Gerrit-Reviewer: Yuvipanda <yuvipa...@gmail.com>
Gerrit-Reviewer: jenkins-bot <>
