config options: Move crypto options into a group

Move all crypto configuration options into the [crypto] group. Update references to
these configuration options to reflect the new group.

Change-Id: I660b5c20e2b33f276a9d4c49b0e6279d7d8e41c7
Stephen Finucane 2016-04-04 13:37:06 +01:00
parent ac0fee5d6b
commit e301ed2457
8 changed files with 46 additions and 28 deletions


@ -52,7 +52,7 @@ class CloudpipeController(wsgi.Controller):
# NOTE(vish): One of the drawbacks of doing this in the api is
# the keys will only be on the api node that launched
# the cloudpipe.
fileutils.ensure_tree(CONF.keys_path)
fileutils.ensure_tree(CONF.crypto.keys_path)
def _get_all_cloudpipes(self, context):
"""Get all cloudpipes."""


@ -47,7 +47,7 @@ class CloudpipeController(object):
# NOTE(vish): One of the drawbacks of doing this in the api is
# the keys will only be on the api node that launched
# the cloudpipe.
fileutils.ensure_tree(CONF.keys_path)
fileutils.ensure_tree(CONF.crypto.keys_path)
def _get_all_cloudpipes(self, context):
"""Get all cloudpipes."""


@ -135,7 +135,7 @@ class CloudPipe(object):
result, private_key = keypair_api.create_key_pair(context,
context.user_id,
key_name)
key_dir = os.path.join(CONF.keys_path, context.user_id)
key_dir = os.path.join(CONF.crypto.keys_path, context.user_id)
fileutils.ensure_tree(key_dir)
key_path = os.path.join(key_dir, '%s.pem' % key_name)
with open(key_path, 'w') as f:
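Review bot: The private key returned by `create_key_pair` is written through `open(key_path, 'w')` (last line of the hunk), so the file mode again depends only on the umask, and a permissive umask leaves the user's private key readable by other local accounts. Create it with an explicit owner-only mode instead: `fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` followed by `with os.fdopen(fd, 'w') as f:`; `os` is already in scope, as the `os.path.join` line shows. The `key_dir` rename itself is fine. The enclosing function starts before the hunk and the `with` body continues after it.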


@ -19,48 +19,61 @@ from oslo_config import cfg
from nova.i18n import _
from nova import paths
crypto_opts_group = cfg.OptGroup(
'crypto',
title='Crypto Options')
crypto_opts = [
cfg.StrOpt(
'ca_file',
default='cacert.pem',
deprecated_group='DEFAULT',
help=_('Filename of root CA')),
cfg.StrOpt(
'key_file',
default=os.path.join('private', 'cakey.pem'),
deprecated_group='DEFAULT',
help=_('Filename of private key')),
cfg.StrOpt(
'crl_file',
default='crl.pem',
deprecated_group='DEFAULT',
help=_('Filename of root Certificate Revocation List')),
cfg.StrOpt(
'keys_path',
default=paths.state_path_def('keys'),
deprecated_group='DEFAULT',
help=_('Where we keep our keys')),
cfg.StrOpt(
'ca_path',
default=paths.state_path_def('CA'),
deprecated_group='DEFAULT',
help=_('Where we keep our root CA')),
cfg.BoolOpt(
'use_project_ca',
default=False,
deprecated_group='DEFAULT',
help=_('Should we use a CA for each project?')),
cfg.StrOpt(
'user_cert_subject',
default='/C=US/ST=California/O=OpenStack/'
'OU=NovaDev/CN=%.16s-%.16s-%s',
deprecated_group='DEFAULT',
help=_('Subject for certificate for users, %s for '
'project, user, timestamp')),
cfg.StrOpt(
'project_cert_subject',
default='/C=US/ST=California/O=OpenStack/'
'OU=NovaDev/CN=project-ca-%.16s-%s',
deprecated_group='DEFAULT',
help=_('Subject for certificate for projects, %s for '
'project, timestamp'))]
def register_opts(conf):
conf.register_opts(crypto_opts)
conf.register_group(crypto_opts_group)
conf.register_opts(crypto_opts, crypto_opts_group)
def list_opts():
return {'DEFAULT': crypto_opts}
return {crypto_opts_group: crypto_opts}
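Review bot: The help strings for `ca_file`, `key_file` and `crl_file` do not say how the values are resolved, which matters now that operators have to edit a new [crypto] section: the nova/crypto.py hunk joins each of them onto `ca_folder(project_id)`, i.e. `ca_path` or its `projects/<project_id>` subdirectory when `use_project_ca` is set, and `key_file` is the CA's private key rather than a generic one. Suggest e.g. `help=_('Filename of the root CA certificate, relative to ca_path (or to its per-project subdirectory when use_project_ca is set)')` for `ca_file`, and the same pattern naming the CA private key and the CRL for the other two. `list_opts` now returns the `OptGroup` object as the key instead of the string 'DEFAULT'; the config-generator aggregator that consumes it presumably accepts either form, but that is not visible here and is worth confirming.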


@ -54,25 +54,25 @@ CONF = nova.conf.CONF
def ca_folder(project_id=None):
if CONF.use_project_ca and project_id:
return os.path.join(CONF.ca_path, 'projects', project_id)
return CONF.ca_path
if CONF.crypto.use_project_ca and project_id:
return os.path.join(CONF.crypto.ca_path, 'projects', project_id)
return CONF.crypto.ca_path
def ca_path(project_id=None):
return os.path.join(ca_folder(project_id), CONF.ca_file)
return os.path.join(ca_folder(project_id), CONF.crypto.ca_file)
def key_path(project_id=None):
return os.path.join(ca_folder(project_id), CONF.key_file)
return os.path.join(ca_folder(project_id), CONF.crypto.key_file)
def crl_path(project_id=None):
return os.path.join(ca_folder(project_id), CONF.crl_file)
return os.path.join(ca_folder(project_id), CONF.crypto.crl_file)
def fetch_ca(project_id=None):
if not CONF.use_project_ca:
if not CONF.crypto.use_project_ca:
project_id = None
ca_file_path = ca_path(project_id)
if not os.path.exists(ca_file_path):
@ -160,7 +160,7 @@ def generate_key_pair(bits=2048):
def fetch_crl(project_id):
"""Get crl file for project."""
if not CONF.use_project_ca:
if not CONF.crypto.use_project_ca:
project_id = None
crl_file_path = crl_path(project_id)
if not os.path.exists(crl_file_path):
@ -206,7 +206,7 @@ def revoke_cert(project_id, file_name):
utils.execute('openssl', 'ca', '-config', './openssl.cnf', '-revoke',
file_name, cwd=ca_folder(project_id))
utils.execute('openssl', 'ca', '-gencrl', '-config', './openssl.cnf',
'-out', CONF.crl_file, cwd=ca_folder(project_id))
'-out', CONF.crypto.crl_file, cwd=ca_folder(project_id))
except OSError:
raise exception.ProjectNotFound(project_id=project_id)
except processutils.ProcessExecutionError:
@ -239,12 +239,13 @@ def revoke_certs_by_user_and_project(user_id, project_id):
def _project_cert_subject(project_id):
"""Helper to generate user cert subject."""
return CONF.project_cert_subject % (project_id, utils.isotime())
return CONF.crypto.project_cert_subject % (project_id, utils.isotime())
def _user_cert_subject(user_id, project_id):
"""Helper to generate user cert subject."""
return CONF.user_cert_subject % (project_id, user_id, utils.isotime())
return CONF.crypto.user_cert_subject % (project_id, user_id,
utils.isotime())
def generate_x509_cert(user_id, project_id, bits=2048):
@ -342,7 +343,7 @@ def generate_vpn_files(project_id):
def sign_csr(csr_text, project_id=None):
if not CONF.use_project_ca:
if not CONF.crypto.use_project_ca:
project_id = None
if not project_id:
return _sign_csr(csr_text, ca_folder())
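Review bot: The docstring on `_project_cert_subject` (context line in the hunk at 239) still reads 'Helper to generate user cert subject.', a copy of the one on `_user_cert_subject`; since the return line directly below it is rewritten here, fix it to `"""Helper to generate project cert subject."""`. Both helpers interpolate the operator-supplied subject template with `%`, so a template whose placeholder count does not match only fails with TypeError at certificate-generation time; a one-line comment above each, `# template expects (project_id, timestamp)` and `# template expects (project_id, user_id, timestamp)`, would help anyone editing the new [crypto] section. `fetch_ca`, `fetch_crl`, `revoke_cert` and `sign_csr` all continue outside their hunks.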


@ -36,7 +36,7 @@ class X509Test(test.NoDBTestCase):
@mock.patch('nova.db.certificate_create')
def test_can_generate_x509(self, mock_create):
with utils.tempdir() as tmpdir:
self.flags(ca_path=tmpdir)
self.flags(ca_path=tmpdir, group='crypto')
crypto.ensure_ca_filesystem()
_key, cert_str = crypto.generate_x509_cert('fake', 'fake')
@ -56,7 +56,7 @@ class X509Test(test.NoDBTestCase):
def test_encrypt_decrypt_x509(self):
with utils.tempdir() as tmpdir:
self.flags(ca_path=tmpdir)
self.flags(ca_path=tmpdir, group='crypto')
project_id = "fake"
crypto.ensure_ca_filesystem()
@ -85,7 +85,7 @@ class X509Test(test.NoDBTestCase):
side_effect=processutils.ProcessExecutionError)
def test_ensure_ca_filesystem_chdir(self, *args, **kargs):
with utils.tempdir() as tmpdir:
self.flags(ca_path=tmpdir)
self.flags(ca_path=tmpdir, group='crypto')
start = os.getcwd()
self.assertRaises(processutils.ProcessExecutionError,
crypto.ensure_ca_filesystem)
@ -156,7 +156,7 @@ class RevokeCertsTest(test.NoDBTestCase):
2, 'test_file')
def test_revoke_cert_project_not_found_chdir_fails(self, *args, **kargs):
self.flags(use_project_ca=True)
self.flags(use_project_ca=True, group='crypto')
self.assertRaises(exception.ProjectNotFound, crypto.revoke_cert,
str(uuid.uuid4()), 'test_file')
@ -164,16 +164,16 @@ class RevokeCertsTest(test.NoDBTestCase):
class CertExceptionTests(test.NoDBTestCase):
def test_fetch_ca_file_not_found(self):
with utils.tempdir() as tmpdir:
self.flags(ca_path=tmpdir)
self.flags(use_project_ca=True)
self.flags(ca_path=tmpdir, group='crypto')
self.flags(use_project_ca=True, group='crypto')
self.assertRaises(exception.CryptoCAFileNotFound, crypto.fetch_ca,
project_id='fake')
def test_fetch_crl_file_not_found(self):
with utils.tempdir() as tmpdir:
self.flags(ca_path=tmpdir)
self.flags(use_project_ca=True)
self.flags(ca_path=tmpdir, group='crypto')
self.flags(use_project_ca=True, group='crypto')
self.assertRaises(exception.CryptoCRLFileNotFound,
crypto.fetch_crl, project_id='fake')


@ -34,7 +34,7 @@ class PipelibTest(test.TestCase):
def test_get_encoded_zip(self):
with utils.tempdir() as tmpdir:
self.flags(ca_path=tmpdir)
self.flags(ca_path=tmpdir, group='crypto')
crypto.ensure_ca_filesystem()
ret = self.cloudpipe.get_encoded_zip(self.project)
@ -45,7 +45,7 @@ class PipelibTest(test.TestCase):
"create",
lambda *a, **kw: (None, "r-fakeres"))
with utils.tempdir() as tmpdir:
self.flags(ca_path=tmpdir, keys_path=tmpdir)
self.flags(ca_path=tmpdir, keys_path=tmpdir, group='crypto')
crypto.ensure_ca_filesystem()
self.cloudpipe.launch_vpn_instance(self.context)
@ -63,7 +63,7 @@ class PipelibTest(test.TestCase):
def test_setup_key_pair(self):
key_name = "%s%s" % (self.project, CONF.vpn_key_suffix)
with utils.tempdir() as tmpdir:
self.flags(keys_path=tmpdir)
self.flags(keys_path=tmpdir, group='crypto')
# First attempt, key does not exist (thus it is generated)
res1_key = self.cloudpipe.setup_key_pair(self.context)


@ -0,0 +1,4 @@
---
upgrade:
- All crypto configuration options have been added to the 'crypto'
group. They should no longer be included in the 'DEFAULT' group.