fix register_image function
replacement of functions performed earlier with nova-cert service function decrypt_text copied from novaclient to image api certificates in devstack for uploading image to s3 are created by openssl Change-Id: Ibf7b90ea29085656005317c4aa0fd96f3313da0c
This commit is contained in:
parent
0e3627252e
commit
11b76a8812
@ -207,7 +207,8 @@ if [[ -n "$neutron_item" ]]; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
wait $cirros_image_wget_pid
|
wait $cirros_image_wget_pid
|
||||||
if [[ "$?" -eq "0" ]]; then
|
if [[ "$?" -eq "0" && "$CA_CERT" && -e "$CA_CERT" ]]; then
|
||||||
|
sudo apt-get -fy install ruby
|
||||||
ID="$(cat /dev/urandom | tr -cd 'a-f0-9' | head -c 8)"
|
ID="$(cat /dev/urandom | tr -cd 'a-f0-9' | head -c 8)"
|
||||||
WORKING_DIR="/tmp/bi-$ID"
|
WORKING_DIR="/tmp/bi-$ID"
|
||||||
mkdir -p $WORKING_DIR
|
mkdir -p $WORKING_DIR
|
||||||
@ -219,16 +220,20 @@ if [[ "$?" -eq "0" ]]; then
|
|||||||
# IMPORTANT! bucket name should contain '.' - in this case ami-tools will not build s3 url with bucket name.
|
# IMPORTANT! bucket name should contain '.' - in this case ami-tools will not build s3 url with bucket name.
|
||||||
AWS_AMI_BUCKET="tmp-bundle.$ID"
|
AWS_AMI_BUCKET="tmp-bundle.$ID"
|
||||||
|
|
||||||
nova x509-get-root-cert $WORKING_DIR/cacert.pem
|
EC2_USER_ID=42424242424242 # ec2api does not use user id, but bundling requires it
|
||||||
nova x509-create-cert $WORKING_DIR/pk.pem $WORKING_DIR/cert.pem
|
EC2_PRIVATE_KEY="$WORKING_DIR/private/pk.pem"
|
||||||
|
EC2_CSR="$WORKING_DIR/cert.csr"
|
||||||
|
EC2_CERT="$WORKING_DIR/cert.pem"
|
||||||
|
|
||||||
export EC2_USER_ID=42424242424242 # ec2api does not use user id, but bundling requires it
|
mkdir -p "$WORKING_DIR/private/"
|
||||||
export EC2_PRIVATE_KEY=$WORKING_DIR/pk.pem
|
|
||||||
export EC2_CERT=$WORKING_DIR/cert.pem
|
# generate user certificate
|
||||||
export NOVA_CERT=$WORKING_DIR/cacert.pem
|
openssl genrsa -out "$EC2_PRIVATE_KEY" 2048
|
||||||
|
openssl req -new -key "$EC2_PRIVATE_KEY" -subj "/C=RU/ST=Moscow/L=Moscow/O=Progmatic/CN=functional-tests" -out "$EC2_CSR"
|
||||||
|
openssl x509 -req -in "$EC2_CSR" -CA "$CA_CERT" -CAkey "$CA_KEY" -CAcreateserial -out "$EC2_CERT" -days 365
|
||||||
|
|
||||||
mkdir -p "$IMAGES_DIR"
|
mkdir -p "$IMAGES_DIR"
|
||||||
$TOOLS_DIR/bin/ec2-bundle-image --cert $EC2_CERT --privatekey $EC2_PRIVATE_KEY --ec2cert $NOVA_CERT --image /tmp/$CIRROS_IMAGE_FNAME --prefix $CIRROS_IMAGE_FNAME --user $EC2_USER_ID --destination "$IMAGES_DIR" --arch x86_64
|
$TOOLS_DIR/bin/ec2-bundle-image --cert $EC2_CERT --privatekey $EC2_PRIVATE_KEY --ec2cert $CA_CERT --image /tmp/$CIRROS_IMAGE_FNAME --prefix $CIRROS_IMAGE_FNAME --user $EC2_USER_ID --destination "$IMAGES_DIR" --arch x86_64
|
||||||
if [[ "$?" -eq "0" ]]; then
|
if [[ "$?" -eq "0" ]]; then
|
||||||
$TOOLS_DIR/bin/ec2-upload-bundle --url "$S3_URL" --access-key $ec2_access_key --secret-key $ec2_secret_key --bucket "$AWS_AMI_BUCKET" --manifest "$IMAGES_DIR/$CIRROS_IMAGE_FNAME.manifest.xml" --acl "public-read" --sigv 2
|
$TOOLS_DIR/bin/ec2-upload-bundle --url "$S3_URL" --access-key $ec2_access_key --secret-key $ec2_secret_key --bucket "$AWS_AMI_BUCKET" --manifest "$IMAGES_DIR/$CIRROS_IMAGE_FNAME.manifest.xml" --acl "public-read" --sigv 2
|
||||||
if [[ "$?" -eq "0" ]]; then
|
if [[ "$?" -eq "0" ]]; then
|
||||||
|
@ -154,6 +154,17 @@ function configure_ec2api_networking {
|
|||||||
iniset $EC2API_CONF_FILE DEFAULT disable_ec2_classic True
|
iniset $EC2API_CONF_FILE DEFAULT disable_ec2_classic True
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function create_x509_server_key() {
|
||||||
|
export CA_KEY="$EC2API_STATE_PATH/private/ca_key.pem"
|
||||||
|
export CA_CERT="$EC2API_STATE_PATH/cacert.pem"
|
||||||
|
|
||||||
|
mkdir -p "$EC2API_STATE_PATH/private/"
|
||||||
|
|
||||||
|
# generate root certificate
|
||||||
|
openssl genrsa -out "$CA_KEY" 2048
|
||||||
|
openssl req -x509 -new -key "$CA_KEY" -days 365 -out "$CA_CERT" -subj "/C=RU/ST=Moscow/L=Moscow/O=Progmatic/CN=ec2api-devstack"
|
||||||
|
}
|
||||||
|
|
||||||
# Entry points
|
# Entry points
|
||||||
# ------------
|
# ------------
|
||||||
|
|
||||||
@ -221,6 +232,9 @@ function configure_ec2api {
|
|||||||
iniset $EC2API_CONF_FILE cache enabled True
|
iniset $EC2API_CONF_FILE cache enabled True
|
||||||
iniset $EC2API_CONF_FILE cache backend "$CACHE_BACKEND"
|
iniset $EC2API_CONF_FILE cache backend "$CACHE_BACKEND"
|
||||||
|
|
||||||
|
if create_x509_server_key; then
|
||||||
|
iniset $EC2API_CONF_FILE DEFAULT x509_root_private_key "$CA_KEY"
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
@ -12,7 +12,6 @@
|
|||||||
# See the License for the specific language governing permissions and
|
# See the License for the specific language governing permissions and
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
import base64
|
|
||||||
import binascii
|
import binascii
|
||||||
import json
|
import json
|
||||||
import os
|
import os
|
||||||
@ -23,6 +22,9 @@ import time
|
|||||||
|
|
||||||
import boto.s3.connection
|
import boto.s3.connection
|
||||||
from cinderclient import exceptions as cinder_exception
|
from cinderclient import exceptions as cinder_exception
|
||||||
|
from cryptography.hazmat import backends
|
||||||
|
from cryptography.hazmat.primitives.asymmetric import padding
|
||||||
|
from cryptography.hazmat.primitives import serialization
|
||||||
import eventlet
|
import eventlet
|
||||||
from glanceclient.common import exceptions as glance_exception
|
from glanceclient.common import exceptions as glance_exception
|
||||||
from lxml import etree
|
from lxml import etree
|
||||||
@ -60,6 +62,8 @@ s3_opts = [
|
|||||||
default=False,
|
default=False,
|
||||||
help='Whether to affix the tenant id to the access key '
|
help='Whether to affix the tenant id to the access key '
|
||||||
'when downloading from S3'),
|
'when downloading from S3'),
|
||||||
|
cfg.StrOpt('x509_root_private_key',
|
||||||
|
help='Path to ca private key file'),
|
||||||
]
|
]
|
||||||
|
|
||||||
CONF = cfg.CONF
|
CONF = cfg.CONF
|
||||||
@ -969,14 +973,13 @@ def _s3_decrypt_image(context, encrypted_filename, encrypted_key,
|
|||||||
encrypted_iv, decrypted_filename):
|
encrypted_iv, decrypted_filename):
|
||||||
encrypted_key = binascii.a2b_hex(encrypted_key)
|
encrypted_key = binascii.a2b_hex(encrypted_key)
|
||||||
encrypted_iv = binascii.a2b_hex(encrypted_iv)
|
encrypted_iv = binascii.a2b_hex(encrypted_iv)
|
||||||
cert_client = clients.nova_cert(context)
|
|
||||||
try:
|
try:
|
||||||
key = cert_client.decrypt_text(base64.b64encode(encrypted_key))
|
key = _decrypt_text(encrypted_key)
|
||||||
except Exception as exc:
|
except Exception as exc:
|
||||||
msg = _('Failed to decrypt private key: %s') % exc
|
msg = _('Failed to decrypt private key: %s') % exc
|
||||||
raise exception.EC2Exception(msg)
|
raise exception.EC2Exception(msg)
|
||||||
try:
|
try:
|
||||||
iv = cert_client.decrypt_text(base64.b64encode(encrypted_iv))
|
iv = _decrypt_text(encrypted_iv)
|
||||||
except Exception as exc:
|
except Exception as exc:
|
||||||
msg = _('Failed to decrypt initialization vector: %s') % exc
|
msg = _('Failed to decrypt initialization vector: %s') % exc
|
||||||
raise exception.EC2Exception(msg)
|
raise exception.EC2Exception(msg)
|
||||||
@ -1030,3 +1033,15 @@ def _s3_conn(context):
|
|||||||
calling_format=calling,
|
calling_format=calling,
|
||||||
port=CONF.s3_port,
|
port=CONF.s3_port,
|
||||||
host=CONF.s3_host)
|
host=CONF.s3_host)
|
||||||
|
|
||||||
|
|
||||||
|
def _decrypt_text(text):
|
||||||
|
private_key_file = CONF.x509_root_private_key
|
||||||
|
if not private_key_file:
|
||||||
|
msg = _("Path to ca private key isn't configured")
|
||||||
|
raise exception.EC2Exception(msg)
|
||||||
|
with open(private_key_file, 'rb') as f:
|
||||||
|
data = f.read()
|
||||||
|
priv_key = serialization.load_pem_private_key(
|
||||||
|
data, None, backends.default_backend())
|
||||||
|
return priv_key.decrypt(text, padding.PKCS1v15())
|
||||||
|
@ -14,11 +14,13 @@
|
|||||||
|
|
||||||
import json
|
import json
|
||||||
import os
|
import os
|
||||||
|
import six
|
||||||
import tempfile
|
import tempfile
|
||||||
|
|
||||||
from cinderclient import exceptions as cinder_exception
|
from cinderclient import exceptions as cinder_exception
|
||||||
import eventlet
|
import eventlet
|
||||||
import mock
|
import mock
|
||||||
|
from oslo_concurrency import processutils
|
||||||
|
|
||||||
from ec2api.api import image as image_api
|
from ec2api.api import image as image_api
|
||||||
from ec2api import exception
|
from ec2api import exception
|
||||||
@ -908,3 +910,31 @@ class S3TestCase(base.BaseTestCase):
|
|||||||
exception.EC2InvalidException,
|
exception.EC2InvalidException,
|
||||||
image_api._s3_test_for_malicious_tarball,
|
image_api._s3_test_for_malicious_tarball,
|
||||||
"/unused", os.path.join(os.path.dirname(__file__), 'rel.tar.gz'))
|
"/unused", os.path.join(os.path.dirname(__file__), 'rel.tar.gz'))
|
||||||
|
|
||||||
|
def test_decrypt_text(self):
|
||||||
|
public_key = os.path.join(os.path.dirname(__file__), 'test_cert.pem')
|
||||||
|
private_key = os.path.join(os.path.dirname(__file__),
|
||||||
|
'test_private_key.pem')
|
||||||
|
subject = "/C=RU/ST=Moscow/L=Moscow/O=Progmatic/CN=RootCA"
|
||||||
|
certificate_file = processutils.execute('openssl',
|
||||||
|
'req', '-x509', '-new',
|
||||||
|
'-key', private_key,
|
||||||
|
'-days', '365',
|
||||||
|
'-out', public_key,
|
||||||
|
'-subj', subject)
|
||||||
|
text = "some @#!%^* test text"
|
||||||
|
process_input = text.encode("ascii") if six.PY3 else text
|
||||||
|
enc, _err = processutils.execute('openssl',
|
||||||
|
'rsautl',
|
||||||
|
'-certin',
|
||||||
|
'-encrypt',
|
||||||
|
'-inkey', public_key,
|
||||||
|
process_input=process_input,
|
||||||
|
binary=True)
|
||||||
|
self.assertRaises(exception.EC2Exception, image_api._decrypt_text, enc)
|
||||||
|
self.configure(x509_root_private_key=private_key)
|
||||||
|
dec = image_api._decrypt_text(enc)
|
||||||
|
self.assertIsInstance(dec, bytes)
|
||||||
|
if six.PY3:
|
||||||
|
dec = dec.decode('ascii')
|
||||||
|
self.assertEqual(text, dec)
|
||||||
|
27
ec2api/tests/unit/test_private_key.pem
Normal file
27
ec2api/tests/unit/test_private_key.pem
Normal file
@ -0,0 +1,27 @@
|
|||||||
|
-----BEGIN RSA PRIVATE KEY-----
|
||||||
|
MIIEogIBAAKCAQEA1+OySRkwliGtujemv7E4cqhJCxlF+4YULhmZaTWpmKUvKz5c
|
||||||
|
VC6wx/5A6Zz0XrZtuiFDgS7sIAGODcF18xpyKnp2Ign6zgCQpg0s+rss9q5vrSai
|
||||||
|
JR5iXdqA/vfemS9ptRyz6LSCI9O+EL/U7AaRHVBMQJEM2TfQeuowgi7XboKs8ljl
|
||||||
|
N4LpAu3HdtaFjHlBnegr7iJ2lq7rTj9deu1tJf/EbrLOclB2LwafT2kC0HQL2E0O
|
||||||
|
OphKu60qBR7sZ4M4tdUftCGZEAdd8+vvRd+YVK9TDtcYtSFSXh86a16504bPylCL
|
||||||
|
b/dF2bupLMe/zGLZIZ/hKbYPyfH6k5HFJIC12wIDAQABAoIBAH07F7BPbF+qKZxb
|
||||||
|
q96GbrgT5ksJ3g6JOCuFrffZqQdiynnLMsOiUemxEvZwlVBbgkr2ALJvBYmLXVud
|
||||||
|
XU4niRIa92vHXjUhHscz3WOUMADoLt/CCUx+05CdrzY3kmhJmIf2nmXeT594tEgC
|
||||||
|
/v/qz0Kx0YmimlFmjwi90GWzxkPTeKW1s8H9J0Xi/UX3urIfcCzRChumxY+f/sBq
|
||||||
|
CWJua3D6o3wx3B9oU0msC0R7ZIBY4PFhKyomcVyynD0HNe80NomyeRuJGm7NHHRB
|
||||||
|
MsVggZVgsFGkOZh00UkcaUHOKS+/7iyQAXuqms2amxGqLoxq/U11uoRW0NxOlC/7
|
||||||
|
YYElIAECgYEA8cXXQjt2KWWNWIn2L0mWm+EGF/ihkvGmEXZVcuiVnuwyNxf+VAMe
|
||||||
|
f1i3EF+Hqlmyv46j4ReTbdpeW7bv7VW0iMgW68K3eFiPznBzlRA/n3XULAy41oyt
|
||||||
|
9kGhxzy6565iQMF0FK4viAuDeA6EwBkcu5MAQNOZXAUoGk02+GKPN6ECgYEA5Jfw
|
||||||
|
OeHcodteQdP0KEvChjGrZ7LNz3QU0kxvBaOjIg4ElEvJbq6EzSBxdugT7L+blDEU
|
||||||
|
umu8RgRn2Z73608nNtagBAKjg+VQsmnXxC92Ht1VFJF+uLLpmOSWG32Q/9e4nPUM
|
||||||
|
bFW9PyakF9LOM+lnqomKBhY1/LDAf77sWiQpS/sCgYAuh9n+2DzMiMvkP2EPBsWi
|
||||||
|
qHMox+QoyLMiZzjYzaSGGoUrj0WWW6dR8PwCfbA5e9vn/AbUOlpYaQ+B7TpN3hHJ
|
||||||
|
xWCL7USsN7ctjvzfsmncQawc8jHcsOSGIWmGU8zQ7AHi3ph9pmxlbXnW8ExiQDME
|
||||||
|
cq04zMCWMjPeo/+xXB6eIQKBgF+zUGobKdBFU6/BeY1JMlYWA0l1rP41/eWRBEXb
|
||||||
|
HRfLwJUJKXqB660o8Pez72uFSDABYEkvg3HYtFWCXQ6RY7xsnC8xn50/aspWz3Md
|
||||||
|
35jKVq02wFO4610MDd/ScNr7SBnF6X6NYp5GohorMhK/m5vk2vjzYYS5xs10c+TF
|
||||||
|
ENjzAoGAMH+O2S7LFjBKNuIpaqdIj8bjFwUhKgOG74/YodhxxgYIcWaHf2xnImuX
|
||||||
|
L/dam7seSo4MFYXX60lph6tutTyppkxeS64cz3X8cYN+CJQseWVestPkwArcF4m4
|
||||||
|
M3mwEPCKoTqFUzaGbFbEl+TzEfQaKZwLn+AbsuMo6PBoAuD2fM4=
|
||||||
|
-----END RSA PRIVATE KEY-----
|
@ -4,6 +4,7 @@
|
|||||||
Babel!=2.4.0,>=2.3.4 # BSD
|
Babel!=2.4.0,>=2.3.4 # BSD
|
||||||
boto>=2.32.1 # MIT
|
boto>=2.32.1 # MIT
|
||||||
botocore>=1.0.0 # Apache-2.0
|
botocore>=1.0.0 # Apache-2.0
|
||||||
|
cryptography>=1.6 # BSD/Apache-2.0
|
||||||
eventlet!=0.18.3,!=0.20.1,<0.21.0,>=0.18.2 # MIT
|
eventlet!=0.18.3,!=0.20.1,<0.21.0,>=0.18.2 # MIT
|
||||||
greenlet>=0.3.2 # MIT
|
greenlet>=0.3.2 # MIT
|
||||||
httplib2>=0.7.5 # MIT
|
httplib2>=0.7.5 # MIT
|
||||||
|
Loading…
Reference in New Issue
Block a user