Clean up crypto.py

* Remove chained certs since we don't use them * Make get_vpn use the existing generate call instead of shell script * (Bonus: we can revoke vpn certs now) Change-Id: I8e118c5bd3dee6ba7c6a2a1390874b69008c436b
2012-01-18 21:51:30 -08:00 · 2012-01-18 21:51:30 -08:00 · 1eba47cff9
commit 1eba47cff9
parent a444e8ff39
3 changed files with 14 additions and 76 deletions
--- a/nova/CA/genvpn.sh
+++ b/nova/CA/genvpn.sh
@ -1,36 +0,0 @@
-#!/bin/bash
-# vim: tabstop=4 shiftwidth=4 softtabstop=4
-
-# Copyright 2010 United States Government as represented by the
-# Administrator of the National Aeronautics and Space Administration.
-# All Rights Reserved.
-#
-#    Licensed under the Apache License, Version 2.0 (the "License"); you may
-#    not use this file except in compliance with the License. You may obtain
-#    a copy of the License at
-#
-#         http://www.apache.org/licenses/LICENSE-2.0
-#
-#    Unless required by applicable law or agreed to in writing, software
-#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-#    License for the specific language governing permissions and limitations
-#    under the License.
-
-# This gets zipped and run on the cloudpipe-managed OpenVPN server
-NAME=$1
-SUBJ=$2
-
-mkdir -p projects/$NAME
-cd projects/$NAME
-
-# generate a server priv key
-openssl genrsa -out server.key 2048
-
-# generate a server CSR
-openssl req -new -key server.key -out server.csr -batch -subj "$SUBJ"
-
-novauid=`getent passwd nova | awk -F: '{print $3}'`
-if [ ! -z "${novauid}" ] && [ "`id -u`" != "${novauid}" ]; then
-    sudo chown -R nova:nogroup .
-fi
--- a/nova/crypto.py
+++ b/nova/crypto.py
@ -69,11 +69,6 @@ flags.DEFINE_string('project_cert_subject',
                    'OU=NovaDev/CN=project-ca-%s-%s',
                    _('Subject for certificate for projects, '
                    '%s for project, timestamp'))
-flags.DEFINE_string('vpn_cert_subject',
-                    '/C=US/ST=California/L=MountainView/O=AnsoLabs/'
-                    'OU=NovaDev/CN=project-vpn-%s-%s',
-                    _('Subject for certificate for vpns, '
-                    '%s for project, timestamp'))


 def ca_folder(project_id=None):
@ -90,18 +85,11 @@ def key_path(project_id=None):
    return os.path.join(ca_folder(project_id), FLAGS.key_file)


-def fetch_ca(project_id=None, chain=True):
+def fetch_ca(project_id=None):
    if not FLAGS.use_project_ca:
        project_id = None
-    buffer = ''
-    if project_id:
-        with open(ca_path(project_id), 'r') as cafile:
-            buffer += cafile.read()
-        if not chain:
-            return buffer
-    with open(ca_path(None), 'r') as cafile:
-        buffer += cafile.read()
-    return buffer
+    with open(ca_path(project_id), 'r') as cafile:
+        return cafile.read()


 def _generate_fingerprint(public_key_file):
@ -201,11 +189,6 @@ def _project_cert_subject(project_id):
    return FLAGS.project_cert_subject % (project_id, utils.isotime())


-def _vpn_cert_subject(project_id):
-    """Helper to generate user cert subject."""
-    return FLAGS.vpn_cert_subject % (project_id, utils.isotime())
-
-
 def _user_cert_subject(user_id, project_id):
    """Helper to generate user cert subject."""
    return FLAGS.user_cert_subject % (project_id, user_id, utils.isotime())
@ -246,26 +229,21 @@ def _ensure_project_folder(project_id):

 def generate_vpn_files(project_id):
    project_folder = ca_folder(project_id)
-    csr_fn = os.path.join(project_folder, 'server.csr')
+    key_fn = os.path.join(project_folder, 'server.key')
    crt_fn = os.path.join(project_folder, 'server.crt')

-    genvpn_sh_path = os.path.join(os.path.dirname(__file__),
-                                  'CA',
-                                  'genvpn.sh')
    if os.path.exists(crt_fn):
        return
-    _ensure_project_folder(project_id)
-    start = os.getcwd()
-    os.chdir(ca_folder())
-    # TODO(vish): the shell scripts could all be done in python
-    utils.execute('sh', genvpn_sh_path,
-                  project_id, _vpn_cert_subject(project_id))
-    with open(csr_fn, 'r') as csrfile:
-        csr_text = csrfile.read()
-    (serial, signed_csr) = sign_csr(csr_text, project_id)
+    # NOTE(vish): The 2048 is to maintain compatibility with the old script.
+    #             We are using "project-vpn" as the user_id for the cert
+    #             even though that user may not really exist. Ultimately
+    #             this will be changed to be launched by a real user.  At
+    #             that point we will can delete this helper method.
+    key, csr = generate_x509_cert('project-vpn', project_id, 2048)
+    with open(key_fn, 'f') as keyfile:
+        keyfile.write(key)
    with open(crt_fn, 'w') as crtfile:
-        crtfile.write(signed_csr)
-    os.chdir(start)
+        crtfile.write(csr)


 def sign_csr(csr_text, project_id=None):
--- a/nova/tests/test_auth.py
+++ b/nova/tests/test_auth.py
@ -255,15 +255,11 @@ class _AuthManagerBaseTestCase(test.TestCase):
            _key, cert_str = crypto.generate_x509_cert(user.id, project.id)
            LOG.debug(cert_str)

-            full_chain = crypto.fetch_ca(project_id=project.id, chain=True)
-            int_cert = crypto.fetch_ca(project_id=project.id, chain=False)
+            int_cert = crypto.fetch_ca(project_id=project.id)
            cloud_cert = crypto.fetch_ca()
-            LOG.debug("CA chain:\n\n =====\n%s\n\n=====", full_chain)
            signed_cert = X509.load_cert_string(cert_str)
-            chain_cert = X509.load_cert_string(full_chain)
            int_cert = X509.load_cert_string(int_cert)
            cloud_cert = X509.load_cert_string(cloud_cert)
-            self.assertTrue(signed_cert.verify(chain_cert.get_pubkey()))
            self.assertTrue(signed_cert.verify(int_cert.get_pubkey()))

            if not FLAGS.use_project_ca: