Clean up crypto.py
* Remove chained certs since we don't use them
* Make get_vpn use the existing generate call instead of the shell script
* (Bonus: we can revoke vpn certs now)
Change-Id: I8e118c5bd3dee6ba7c6a2a1390874b69008c436b
This commit is contained in:
parent
a444e8ff39
commit
1eba47cff9
@ -1,36 +0,0 @@
|
||||
#!/bin/bash
|
||||
# vim: tabstop=4 shiftwidth=4 softtabstop=4
|
||||
|
||||
# Copyright 2010 United States Government as represented by the
|
||||
# Administrator of the National Aeronautics and Space Administration.
|
||||
# All Rights Reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
# This gets zipped and run on the cloudpipe-managed OpenVPN server
|
||||
NAME=$1
|
||||
SUBJ=$2
|
||||
|
||||
mkdir -p projects/$NAME
|
||||
cd projects/$NAME
|
||||
|
||||
# generate a server priv key
|
||||
openssl genrsa -out server.key 2048
|
||||
|
||||
# generate a server CSR
|
||||
openssl req -new -key server.key -out server.csr -batch -subj "$SUBJ"
|
||||
|
||||
novauid=`getent passwd nova | awk -F: '{print $3}'`
|
||||
if [ ! -z "${novauid}" ] && [ "`id -u`" != "${novauid}" ]; then
|
||||
sudo chown -R nova:nogroup .
|
||||
fi
|
@ -69,11 +69,6 @@ flags.DEFINE_string('project_cert_subject',
|
||||
'OU=NovaDev/CN=project-ca-%s-%s',
|
||||
_('Subject for certificate for projects, '
|
||||
'%s for project, timestamp'))
|
||||
flags.DEFINE_string('vpn_cert_subject',
|
||||
'/C=US/ST=California/L=MountainView/O=AnsoLabs/'
|
||||
'OU=NovaDev/CN=project-vpn-%s-%s',
|
||||
_('Subject for certificate for vpns, '
|
||||
'%s for project, timestamp'))
|
||||
|
||||
|
||||
def ca_folder(project_id=None):
|
||||
@ -90,18 +85,11 @@ def key_path(project_id=None):
|
||||
return os.path.join(ca_folder(project_id), FLAGS.key_file)
|
||||
|
||||
|
||||
def fetch_ca(project_id=None, chain=True):
|
||||
def fetch_ca(project_id=None):
|
||||
if not FLAGS.use_project_ca:
|
||||
project_id = None
|
||||
buffer = ''
|
||||
if project_id:
|
||||
with open(ca_path(project_id), 'r') as cafile:
|
||||
buffer += cafile.read()
|
||||
if not chain:
|
||||
return buffer
|
||||
with open(ca_path(None), 'r') as cafile:
|
||||
buffer += cafile.read()
|
||||
return buffer
|
||||
return cafile.read()
|
||||
|
||||
|
||||
def _generate_fingerprint(public_key_file):
|
||||
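Review bot: `def fetch_ca(project_id=None):` still carries no docstring, and with the `chain` keyword gone the return value is now a single certificate rather than the project CA concatenated with the cloud CA, which is exactly the kind of contract change a caller will not see without documentation. A one-line docstring would pin it: `"""Return the CA certificate text for project_id; the cloud-wide CA is returned when use_project_ca is off or project_id is None."""`. Any caller that still passes `chain=` (the test file in this commit is updated, others may exist) will now fail with TypeError, so a search for remaining `fetch_ca(` call sites is worth doing before merge. fetch_ca is fully contained in the hunk.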
@ -201,11 +189,6 @@ def _project_cert_subject(project_id):
|
||||
return FLAGS.project_cert_subject % (project_id, utils.isotime())
|
||||
|
||||
|
||||
def _vpn_cert_subject(project_id):
|
||||
"""Helper to generate user cert subject."""
|
||||
return FLAGS.vpn_cert_subject % (project_id, utils.isotime())
|
||||
|
||||
|
||||
def _user_cert_subject(user_id, project_id):
|
||||
"""Helper to generate user cert subject."""
|
||||
return FLAGS.user_cert_subject % (project_id, user_id, utils.isotime())
|
||||
@ -246,26 +229,21 @@ def _ensure_project_folder(project_id):
|
||||
|
||||
def generate_vpn_files(project_id):
|
||||
project_folder = ca_folder(project_id)
|
||||
csr_fn = os.path.join(project_folder, 'server.csr')
|
||||
key_fn = os.path.join(project_folder, 'server.key')
|
||||
crt_fn = os.path.join(project_folder, 'server.crt')
|
||||
|
||||
genvpn_sh_path = os.path.join(os.path.dirname(__file__),
|
||||
'CA',
|
||||
'genvpn.sh')
|
||||
if os.path.exists(crt_fn):
|
||||
return
|
||||
_ensure_project_folder(project_id)
|
||||
start = os.getcwd()
|
||||
os.chdir(ca_folder())
|
||||
# TODO(vish): the shell scripts could all be done in python
|
||||
utils.execute('sh', genvpn_sh_path,
|
||||
project_id, _vpn_cert_subject(project_id))
|
||||
with open(csr_fn, 'r') as csrfile:
|
||||
csr_text = csrfile.read()
|
||||
(serial, signed_csr) = sign_csr(csr_text, project_id)
|
||||
# NOTE(vish): The 2048 is to maintain compatibility with the old script.
|
||||
# We are using "project-vpn" as the user_id for the cert
|
||||
# even though that user may not really exist. Ultimately
|
||||
# this will be changed to be launched by a real user. At
|
||||
# that point we will can delete this helper method.
|
||||
key, csr = generate_x509_cert('project-vpn', project_id, 2048)
|
||||
with open(key_fn, 'f') as keyfile:
|
||||
keyfile.write(key)
|
||||
with open(crt_fn, 'w') as crtfile:
|
||||
crtfile.write(signed_csr)
|
||||
os.chdir(start)
|
||||
crtfile.write(csr)
|
||||
|
||||
|
||||
def sign_csr(csr_text, project_id=None):
|
||||
|
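Review bot: `with open(key_fn, 'f') as keyfile:` uses a mode string Python does not accept, so open() raises ValueError and the VPN server key is never written; because the certificate write follows it, generate_vpn_files fails on every run that gets past the `os.path.exists(crt_fn)` guard instead of producing the server.key/server.crt pair. The mode should be `'w'`, and since server.key is a private key it is worth creating with owner-only permissions rather than whatever the process umask allows, e.g. `with os.fdopen(os.open(key_fn, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), 'w') as keyfile:`. The second value returned by generate_x509_cert is the signed certificate (the test file in this commit unpacks it as `cert_str`), so naming it `cert` rather than `csr` would make the final `crtfile.write(csr)` read correctly. generate_vpn_files is fully contained in the hunk.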
@ -255,15 +255,11 @@ class _AuthManagerBaseTestCase(test.TestCase):
|
||||
_key, cert_str = crypto.generate_x509_cert(user.id, project.id)
|
||||
LOG.debug(cert_str)
|
||||
|
||||
full_chain = crypto.fetch_ca(project_id=project.id, chain=True)
|
||||
int_cert = crypto.fetch_ca(project_id=project.id, chain=False)
|
||||
int_cert = crypto.fetch_ca(project_id=project.id)
|
||||
cloud_cert = crypto.fetch_ca()
|
||||
LOG.debug("CA chain:\n\n =====\n%s\n\n=====", full_chain)
|
||||
signed_cert = X509.load_cert_string(cert_str)
|
||||
chain_cert = X509.load_cert_string(full_chain)
|
||||
int_cert = X509.load_cert_string(int_cert)
|
||||
cloud_cert = X509.load_cert_string(cloud_cert)
|
||||
self.assertTrue(signed_cert.verify(chain_cert.get_pubkey()))
|
||||
self.assertTrue(signed_cert.verify(int_cert.get_pubkey()))
|
||||
|
||||
if not FLAGS.use_project_ca:
|
||||
|
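Review bot: With `full_chain`, `chain_cert` and the `signed_cert.verify(chain_cert.get_pubkey())` assertion removed, the remaining `self.assertTrue(signed_cert.verify(int_cert.get_pubkey()))` only checks the leaf certificate against the project CA; within the visible lines `cloud_cert` is loaded but no assertion ties the project CA to it. If the project CA is still expected to be signed by the cloud CA, adding `self.assertTrue(int_cert.verify(cloud_cert.get_pubkey()))` in the use_project_ca case would keep that property under test. The `if not FLAGS.use_project_ca:` branch that follows may already compare the two, but it lies outside the hunk, as does the start of the enclosing test method.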