From 1eba47cff9cce4e040203b2af8ad70776bf79d12 Mon Sep 17 00:00:00 2001
From: Vishvananda Ishaya
Date: Wed, 18 Jan 2012 21:51:30 -0800
Subject: [PATCH] Clean up crypto.py

* Remove chained certs since we don't use them
* Make get_vpn use the existing generate call instead of shell script
* (Bonus: we can revoke vpn certs now)

Change-Id: I8e118c5bd3dee6ba7c6a2a1390874b69008c436b
---
 nova/CA/genvpn.sh | 36 ------------------------------
 nova/crypto.py | 48 +++++++++++------------------------
 nova/tests/test_auth.py | 6 +-----
 3 files changed, 14 insertions(+), 76 deletions(-)
 delete mode 100755 nova/CA/genvpn.sh

diff --git a/nova/CA/genvpn.sh b/nova/CA/genvpn.sh
deleted file mode 100755
index 7e7db185d691..000000000000
--- a/nova/CA/genvpn.sh
+++ /dev/null
@@ -1,36 +0,0 @@
-#!/bin/bash
-# vim: tabstop=4 shiftwidth=4 softtabstop=4
-
-# Copyright 2010 United States Government as represented by the
-# Administrator of the National Aeronautics and Space Administration.
-# All Rights Reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License"); you may
-# not use this file except in compliance with the License. You may obtain
-# a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations
-# under the License.
-
-# This gets zipped and run on the cloudpipe-managed OpenVPN server
-NAME=$1
-SUBJ=$2
-
-mkdir -p projects/$NAME
-cd projects/$NAME
-
-# generate a server priv key
-openssl genrsa -out server.key 2048
-
-# generate a server CSR
-openssl req -new -key server.key -out server.csr -batch -subj "$SUBJ"
-
-novauid=`getent passwd nova | awk -F: '{print $3}'`
-if [ ! -z "${novauid}" ] && [ "`id -u`" != "${novauid}" ]; then
-    sudo chown -R nova:nogroup .
-fi
diff --git a/nova/crypto.py b/nova/crypto.py
index e7c4430d0f95..0ddc9e8e7aa6 100644
--- a/nova/crypto.py
+++ b/nova/crypto.py
@@ -69,11 +69,6 @@ flags.DEFINE_string('project_cert_subject',
                     'OU=NovaDev/CN=project-ca-%s-%s',
                     _('Subject for certificate for projects, '
                       '%s for project, timestamp'))
-flags.DEFINE_string('vpn_cert_subject', '/C=US/ST=California/L=MountainView/O=AnsoLabs/' 'OU=NovaDev/CN=project-vpn-%s-%s', _('Subject for certificate for vpns, ' '%s for project, timestamp'))
 
 
 def ca_folder(project_id=None):
@@ -90,18 +85,11 @@ def key_path(project_id=None):
     return os.path.join(ca_folder(project_id), FLAGS.key_file)
 
 
-def fetch_ca(project_id=None, chain=True):
+def fetch_ca(project_id=None):
     if not FLAGS.use_project_ca:
         project_id = None
-    buffer = ''
-    if project_id:
-        with open(ca_path(project_id), 'r') as cafile:
-            buffer += cafile.read()
-        if not chain:
-            return buffer
-    with open(ca_path(None), 'r') as cafile:
-        buffer += cafile.read()
-    return buffer
+    with open(ca_path(project_id), 'r') as cafile:
+        return cafile.read()
 
 
 def _generate_fingerprint(public_key_file):
@@ -201,11 +189,6 @@ def _project_cert_subject(project_id):
     return FLAGS.project_cert_subject % (project_id, utils.isotime())
 
 
-def _vpn_cert_subject(project_id):
-    """Helper to generate user cert subject."""
-    return FLAGS.vpn_cert_subject % (project_id, utils.isotime())
-
-
 def _user_cert_subject(user_id, project_id):
     """Helper to generate user cert subject."""
     return FLAGS.user_cert_subject % (project_id, user_id, utils.isotime())
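Review bot: `fetch_ca` drops the `chain` keyword from its signature, so any remaining caller still passing `chain=True` or `chain=False` now fails with a TypeError at call time; the only caller updated in this commit is nova/tests/test_auth.py, so other call sites are worth checking before merging. The function also has no docstring even though its return value changed meaning (one PEM certificate rather than a concatenated chain); a one-liner such as `"""Return the PEM text of the CA certificate for project_id, or the cloud CA when project CAs are disabled."""` would record that. The `open()` of `ca_path(project_id)` still raises IOError when the project CA has not been generated yet, which appears unchanged from the old code.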
@@ -246,26 +229,21 @@ def _ensure_project_folder(project_id):
 
 
 def generate_vpn_files(project_id):
     project_folder = ca_folder(project_id)
-    csr_fn = os.path.join(project_folder, 'server.csr')
+    key_fn = os.path.join(project_folder, 'server.key')
     crt_fn = os.path.join(project_folder, 'server.crt')
-    genvpn_sh_path = os.path.join(os.path.dirname(__file__), 'CA', 'genvpn.sh')
     if os.path.exists(crt_fn):
         return
-    _ensure_project_folder(project_id)
-    start = os.getcwd()
-    os.chdir(ca_folder())
-    # TODO(vish): the shell scripts could all be done in python
-    utils.execute('sh', genvpn_sh_path, project_id, _vpn_cert_subject(project_id))
-    with open(csr_fn, 'r') as csrfile:
-        csr_text = csrfile.read()
-    (serial, signed_csr) = sign_csr(csr_text, project_id)
+    # NOTE(vish): The 2048 is to maintain compatibility with the old script.
+    #             We are using "project-vpn" as the user_id for the cert
+    #             even though that user may not really exist. Ultimately
+    #             this will be changed to be launched by a real user. At
+    #             that point we will can delete this helper method.
+    key, csr = generate_x509_cert('project-vpn', project_id, 2048)
+    with open(key_fn, 'f') as keyfile:
+        keyfile.write(key)
     with open(crt_fn, 'w') as crtfile:
-        crtfile.write(signed_csr)
-    os.chdir(start)
+        crtfile.write(csr)
 
 
 def sign_csr(csr_text, project_id=None):
diff --git a/nova/tests/test_auth.py b/nova/tests/test_auth.py
index 1b3166af78a0..b1feb08567ac 100644
--- a/nova/tests/test_auth.py
+++ b/nova/tests/test_auth.py
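Review bot: `with open(key_fn, 'f') as keyfile:` uses an invalid file mode, so `open()` raises ValueError and server.key is never written; the mode should be `'w'`. Because this file holds the VPN server's private key, it should also be created with owner-only permissions instead of whatever the process umask allows — the deleted genvpn.sh at least re-owned the directory, and the new code does nothing about access to the key. The second value returned by `generate_x509_cert` is the signed certificate (it is written to server.crt), so naming it `csr` is misleading; `cert` reads better. `_ensure_project_folder(project_id)` is no longer called here; presumably `generate_x509_cert` creates the folder, but that is not visible in this hunk. The NOTE comment also has a typo: `we will can delete` → `we can delete`.
```python
    # … unchanged: project_folder / key_fn / crt_fn setup, early return, NOTE(vish) comment …
    key, cert = generate_x509_cert('project-vpn', project_id, 2048)
    # The private key is created with owner-only permissions (0600)
    # rather than the process umask default.
    fd = os.open(key_fn, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as keyfile:
        keyfile.write(key)
    with open(crt_fn, 'w') as crtfile:
        crtfile.write(cert)
```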
@@ -255,15 +255,11 @@ class _AuthManagerBaseTestCase(test.TestCase):
         _key, cert_str = crypto.generate_x509_cert(user.id, project.id)
         LOG.debug(cert_str)
-        full_chain = crypto.fetch_ca(project_id=project.id, chain=True)
-        int_cert = crypto.fetch_ca(project_id=project.id, chain=False)
+        int_cert = crypto.fetch_ca(project_id=project.id)
         cloud_cert = crypto.fetch_ca()
-        LOG.debug("CA chain:\n\n =====\n%s\n\n=====", full_chain)
         signed_cert = X509.load_cert_string(cert_str)
-        chain_cert = X509.load_cert_string(full_chain)
         int_cert = X509.load_cert_string(int_cert)
         cloud_cert = X509.load_cert_string(cloud_cert)
-        self.assertTrue(signed_cert.verify(chain_cert.get_pubkey()))
         self.assertTrue(signed_cert.verify(int_cert.get_pubkey()))
         if not FLAGS.use_project_ca: