From e301ed2457996d5143e8a6a8cba1a97b29098485 Mon Sep 17 00:00:00 2001
From: Stephen Finucane
Date: Mon, 4 Apr 2016 13:37:06 +0100
Subject: [PATCH] config options: Move crypto options into a group

Move all crypto configuration into [crypto] group. Update references to these configuration options to reflect new group.

Change-Id: I660b5c20e2b33f276a9d4c49b0e6279d7d8e41c7
---
 nova/api/openstack/compute/cloudpipe.py | 2 +-
 .../compute/legacy_v2/contrib/cloudpipe.py | 2 +-
 nova/cloudpipe/pipelib.py | 2 +-
 nova/conf/crypto.py | 17 +++++++++++--
 nova/crypto.py | 25 ++++++++++---------
 nova/tests/unit/test_crypto.py | 16 ++++++------
 nova/tests/unit/test_pipelib.py | 6 ++---
 ...nfig-to-crypto-group-ac6c75ccf3c815f1.yaml | 4 +++
 8 files changed, 46 insertions(+), 28 deletions(-)
 create mode 100644 releasenotes/notes/add-crypto-config-to-crypto-group-ac6c75ccf3c815f1.yaml

diff --git a/nova/api/openstack/compute/cloudpipe.py b/nova/api/openstack/compute/cloudpipe.py
index 36eb4bf132b9..026343a8973a 100644
--- a/nova/api/openstack/compute/cloudpipe.py
+++ b/nova/api/openstack/compute/cloudpipe.py
@@ -52,7 +52,7 @@ class CloudpipeController(wsgi.Controller):
         # NOTE(vish): One of the drawbacks of doing this in the api is
         # the keys will only be on the api node that launched
         # the cloudpipe.
-        fileutils.ensure_tree(CONF.keys_path)
+        fileutils.ensure_tree(CONF.crypto.keys_path)
 
     def _get_all_cloudpipes(self, context):
         """Get all cloudpipes."""
diff --git a/nova/api/openstack/compute/legacy_v2/contrib/cloudpipe.py b/nova/api/openstack/compute/legacy_v2/contrib/cloudpipe.py
index 7fb1a7d4241f..2c46b864a243 100644
--- a/nova/api/openstack/compute/legacy_v2/contrib/cloudpipe.py
+++ b/nova/api/openstack/compute/legacy_v2/contrib/cloudpipe.py
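Review bot: The rewritten `fileutils.ensure_tree(CONF.crypto.keys_path)` still creates the directory with the library's default mode, although the option's own help text ('Where we keep our keys') and the pipelib.py hunk on the next physical line, which writes the generated `private_key` into a `.pem` under that same `keys_path`, show that private key material lands there. This is pre-existing, but the same call is touched in this hunk, in the legacy_v2 cloudpipe.py hunk and in pipelib.py, so it is the moment to pass an explicit owner-only mode, e.g. `fileutils.ensure_tree(CONF.crypto.keys_path, mode=0o700)`, provided the `fileutils` imported at the top of the file (outside the hunk) is oslo_utils.fileutils, whose `ensure_tree` takes a `mode` argument. The enclosing method starts outside this hunk.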
@@ -47,7 +47,7 @@ class CloudpipeController(object):
         # NOTE(vish): One of the drawbacks of doing this in the api is
         # the keys will only be on the api node that launched
         # the cloudpipe.
-        fileutils.ensure_tree(CONF.keys_path)
+        fileutils.ensure_tree(CONF.crypto.keys_path)
 
     def _get_all_cloudpipes(self, context):
         """Get all cloudpipes."""
diff --git a/nova/cloudpipe/pipelib.py b/nova/cloudpipe/pipelib.py
index 53d87eb5fe77..2f08e1df17aa 100644
--- a/nova/cloudpipe/pipelib.py
+++ b/nova/cloudpipe/pipelib.py
@@ -135,7 +135,7 @@ class CloudPipe(object):
             result, private_key = keypair_api.create_key_pair(context, context.user_id, key_name)
-            key_dir = os.path.join(CONF.keys_path, context.user_id)
+            key_dir = os.path.join(CONF.crypto.keys_path, context.user_id)
             fileutils.ensure_tree(key_dir)
             key_path = os.path.join(key_dir, '%s.pem' % key_name)
             with open(key_path, 'w') as f:
diff --git a/nova/conf/crypto.py b/nova/conf/crypto.py
index 9d85e3311cb2..060e94d9fb99 100644
--- a/nova/conf/crypto.py
+++ b/nova/conf/crypto.py
@@ -19,48 +19,61 @@ from oslo_config import cfg
 from nova.i18n import _
 from nova import paths
 
+crypto_opts_group = cfg.OptGroup(
+    'crypto',
+    title='Crypto Options')
+
 crypto_opts = [
     cfg.StrOpt(
         'ca_file',
         default='cacert.pem',
+        deprecated_group='DEFAULT',
         help=_('Filename of root CA')),
     cfg.StrOpt(
         'key_file',
         default=os.path.join('private', 'cakey.pem'),
+        deprecated_group='DEFAULT',
         help=_('Filename of private key')),
     cfg.StrOpt(
         'crl_file',
         default='crl.pem',
+        deprecated_group='DEFAULT',
         help=_('Filename of root Certificate Revocation List')),
     cfg.StrOpt(
         'keys_path',
         default=paths.state_path_def('keys'),
+        deprecated_group='DEFAULT',
         help=_('Where we keep our keys')),
     cfg.StrOpt(
         'ca_path',
         default=paths.state_path_def('CA'),
+        deprecated_group='DEFAULT',
         help=_('Where we keep our root CA')),
     cfg.BoolOpt(
         'use_project_ca',
         default=False,
+        deprecated_group='DEFAULT',
         help=_('Should we use a CA for each project?')),
     cfg.StrOpt(
         'user_cert_subject',
         default='/C=US/ST=California/O=OpenStack/'
                 'OU=NovaDev/CN=%.16s-%.16s-%s',
+        deprecated_group='DEFAULT',
         help=_('Subject for certificate for users, %s for '
                'project, user, timestamp')),
     cfg.StrOpt(
         'project_cert_subject',
         default='/C=US/ST=California/O=OpenStack/'
                 'OU=NovaDev/CN=project-ca-%.16s-%s',
+        deprecated_group='DEFAULT',
         help=_('Subject for certificate for projects, %s for '
                'project, timestamp'))]
 
 
 def register_opts(conf):
-    conf.register_opts(crypto_opts)
+    conf.register_group(crypto_opts_group)
+    conf.register_opts(crypto_opts, crypto_opts_group)
 
 
 def list_opts():
-    return {'DEFAULT': crypto_opts}
+    return {crypto_opts_group: crypto_opts}
diff --git a/nova/crypto.py b/nova/crypto.py
index eb954d19a0fd..e92438146dbc 100644
--- a/nova/crypto.py
+++ b/nova/crypto.py
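Review bot: The help strings carried into the new `[crypto]` group are as terse as before ('Filename of private key', 'Where we keep our keys'), so the generated sample config will not tell an operator that `key_file` is the CA's private key, resolved relative to `ca_path` (`key_path` in nova/crypto.py joins it onto `ca_folder()`), or that `keys_path` is where per-user private keys are written. Since every option is rewritten here anyway, expand them, e.g. `help=_('Filename of the CA private key, relative to ca_path; readable by the nova service user only')` and `help=_('Directory in which per-user private keys are stored')`. It would also be worth saying, in the group title/help or in the release note, that `deprecated_group='DEFAULT'` keeps values still set under `[DEFAULT]` working with a deprecation warning rather than failing, which the note's 'should no longer be included' leaves open.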
@@ -54,25 +54,25 @@ CONF = nova.conf.CONF
 
 
 def ca_folder(project_id=None):
-    if CONF.use_project_ca and project_id:
-        return os.path.join(CONF.ca_path, 'projects', project_id)
-    return CONF.ca_path
+    if CONF.crypto.use_project_ca and project_id:
+        return os.path.join(CONF.crypto.ca_path, 'projects', project_id)
+    return CONF.crypto.ca_path
 
 
 def ca_path(project_id=None):
-    return os.path.join(ca_folder(project_id), CONF.ca_file)
+    return os.path.join(ca_folder(project_id), CONF.crypto.ca_file)
 
 
 def key_path(project_id=None):
-    return os.path.join(ca_folder(project_id), CONF.key_file)
+    return os.path.join(ca_folder(project_id), CONF.crypto.key_file)
 
 
 def crl_path(project_id=None):
-    return os.path.join(ca_folder(project_id), CONF.crl_file)
+    return os.path.join(ca_folder(project_id), CONF.crypto.crl_file)
 
 
 def fetch_ca(project_id=None):
-    if not CONF.use_project_ca:
+    if not CONF.crypto.use_project_ca:
         project_id = None
     ca_file_path = ca_path(project_id)
     if not os.path.exists(ca_file_path):
@@ -160,7 +160,7 @@ def generate_key_pair(bits=2048):
 
 def fetch_crl(project_id):
     """Get crl file for project."""
-    if not CONF.use_project_ca:
+    if not CONF.crypto.use_project_ca:
         project_id = None
     crl_file_path = crl_path(project_id)
     if not os.path.exists(crl_file_path):
@@ -206,7 +206,7 @@ def revoke_cert(project_id, file_name):
         utils.execute('openssl', 'ca', '-config', './openssl.cnf', '-revoke', file_name, cwd=ca_folder(project_id))
         utils.execute('openssl', 'ca', '-gencrl', '-config', './openssl.cnf',
-                      '-out', CONF.crl_file, cwd=ca_folder(project_id))
+                      '-out', CONF.crypto.crl_file, cwd=ca_folder(project_id))
     except OSError:
         raise exception.ProjectNotFound(project_id=project_id)
     except processutils.ProcessExecutionError:
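Review bot: `ca_folder` has its whole body rewritten in the first hunk but still carries no docstring, and the rule it encodes (the `projects/<project_id>` subdirectory is used only when `[crypto]use_project_ca` is set and a project_id is given, otherwise the shared `ca_path`) is what `ca_path`, `key_path`, `crl_path` and every caller below rely on; add `"""Return the CA directory: <ca_path>/projects/<project_id> when use_project_ca is set and project_id is given, else ca_path."""` and a one-line docstring on each of the three path helpers saying they join their `[crypto]` filename onto that directory. Separately, `fetch_ca` (first hunk), `fetch_crl` (second hunk) and `sign_csr` (hunk on the next physical line) each repeat `if not CONF.crypto.use_project_ca: project_id = None`, which `ca_folder` already handles for the path itself; whether the guard still matters for other uses of `project_id` cannot be told here, since all three functions continue outside their hunks.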
@@ -239,12 +239,13 @@ def revoke_certs_by_user_and_project(user_id, project_id):
 
 def _project_cert_subject(project_id):
     """Helper to generate user cert subject."""
-    return CONF.project_cert_subject % (project_id, utils.isotime())
+    return CONF.crypto.project_cert_subject % (project_id, utils.isotime())
 
 
 def _user_cert_subject(user_id, project_id):
     """Helper to generate user cert subject."""
-    return CONF.user_cert_subject % (project_id, user_id, utils.isotime())
+    return CONF.crypto.user_cert_subject % (project_id, user_id,
+                                            utils.isotime())
 
 
 def generate_x509_cert(user_id, project_id, bits=2048):
@@ -342,7 +343,7 @@ def generate_vpn_files(project_id):
 
 
 def sign_csr(csr_text, project_id=None):
-    if not CONF.use_project_ca:
+    if not CONF.crypto.use_project_ca:
         project_id = None
     if not project_id:
         return _sign_csr(csr_text, ca_folder())
diff --git a/nova/tests/unit/test_crypto.py b/nova/tests/unit/test_crypto.py
index b66e452affeb..ee733b0c5923 100644
--- a/nova/tests/unit/test_crypto.py
+++ b/nova/tests/unit/test_crypto.py
@@ -36,7 +36,7 @@ class X509Test(test.NoDBTestCase):
     @mock.patch('nova.db.certificate_create')
     def test_can_generate_x509(self, mock_create):
         with utils.tempdir() as tmpdir:
-            self.flags(ca_path=tmpdir)
+            self.flags(ca_path=tmpdir, group='crypto')
             crypto.ensure_ca_filesystem()
             _key, cert_str = crypto.generate_x509_cert('fake', 'fake')
 
@@ -56,7 +56,7 @@ class X509Test(test.NoDBTestCase):
 
     def test_encrypt_decrypt_x509(self):
         with utils.tempdir() as tmpdir:
-            self.flags(ca_path=tmpdir)
+            self.flags(ca_path=tmpdir, group='crypto')
             project_id = "fake"
             crypto.ensure_ca_filesystem()
 
@@ -85,7 +85,7 @@ class X509Test(test.NoDBTestCase):
                 side_effect=processutils.ProcessExecutionError)
     def test_ensure_ca_filesystem_chdir(self, *args, **kargs):
         with utils.tempdir() as tmpdir:
-            self.flags(ca_path=tmpdir)
+            self.flags(ca_path=tmpdir, group='crypto')
             start = os.getcwd()
             self.assertRaises(processutils.ProcessExecutionError,
                               crypto.ensure_ca_filesystem)
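Review bot: The docstring of `_project_cert_subject`, the context line directly above the rewritten return in the first hunk, still reads 'Helper to generate user cert subject.', a copy of `_user_cert_subject`'s; correct it to `"""Helper to generate project cert subject."""` while the function is being touched. Both docstrings would also be more useful if they named the positional fields the configured format receives — `(project_id, timestamp)` here and `(project_id, user_id, timestamp)` in `_user_cert_subject` — since an operator overriding `project_cert_subject` or `user_cert_subject` in `[crypto]` must keep that order or the `%` formatting fails.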
@@ -156,7 +156,7 @@ class RevokeCertsTest(test.NoDBTestCase):
                           2, 'test_file')
 
     def test_revoke_cert_project_not_found_chdir_fails(self, *args, **kargs):
-        self.flags(use_project_ca=True)
+        self.flags(use_project_ca=True, group='crypto')
         self.assertRaises(exception.ProjectNotFound, crypto.revoke_cert, str(uuid.uuid4()), 'test_file')
@@ -164,16 +164,16 @@ class RevokeCertsTest(test.NoDBTestCase):
 class CertExceptionTests(test.NoDBTestCase):
     def test_fetch_ca_file_not_found(self):
         with utils.tempdir() as tmpdir:
-            self.flags(ca_path=tmpdir)
-            self.flags(use_project_ca=True)
+            self.flags(ca_path=tmpdir, group='crypto')
+            self.flags(use_project_ca=True, group='crypto')
             self.assertRaises(exception.CryptoCAFileNotFound, crypto.fetch_ca, project_id='fake')
 
     def test_fetch_crl_file_not_found(self):
         with utils.tempdir() as tmpdir:
-            self.flags(ca_path=tmpdir)
-            self.flags(use_project_ca=True)
+            self.flags(ca_path=tmpdir, group='crypto')
+            self.flags(use_project_ca=True, group='crypto')
             self.assertRaises(exception.CryptoCRLFileNotFound, crypto.fetch_crl, project_id='fake')
diff --git a/nova/tests/unit/test_pipelib.py b/nova/tests/unit/test_pipelib.py
index 9f8d65e234da..028e042a0e32 100644
--- a/nova/tests/unit/test_pipelib.py
+++ b/nova/tests/unit/test_pipelib.py
@@ -34,7 +34,7 @@ class PipelibTest(test.TestCase):
 
     def test_get_encoded_zip(self):
         with utils.tempdir() as tmpdir:
-            self.flags(ca_path=tmpdir)
+            self.flags(ca_path=tmpdir, group='crypto')
             crypto.ensure_ca_filesystem()
             ret = self.cloudpipe.get_encoded_zip(self.project)
 
@@ -45,7 +45,7 @@ class PipelibTest(test.TestCase):
                        "create",
                        lambda *a, **kw: (None, "r-fakeres"))
         with utils.tempdir() as tmpdir:
-            self.flags(ca_path=tmpdir, keys_path=tmpdir)
+            self.flags(ca_path=tmpdir, keys_path=tmpdir, group='crypto')
             crypto.ensure_ca_filesystem()
             self.cloudpipe.launch_vpn_instance(self.context)
 
@@ -63,7 +63,7 @@ class PipelibTest(test.TestCase):
     def test_setup_key_pair(self):
         key_name = "%s%s" % (self.project, CONF.vpn_key_suffix)
         with utils.tempdir() as tmpdir:
-            self.flags(keys_path=tmpdir)
+            self.flags(keys_path=tmpdir, group='crypto')
             # First attempt, key does not exist (thus it is generated)
             res1_key = self.cloudpipe.setup_key_pair(self.context)
 
diff --git a/releasenotes/notes/add-crypto-config-to-crypto-group-ac6c75ccf3c815f1.yaml b/releasenotes/notes/add-crypto-config-to-crypto-group-ac6c75ccf3c815f1.yaml
new file mode 100644
index 000000000000..8ce45979761a
--- /dev/null
+++ b/releasenotes/notes/add-crypto-config-to-crypto-group-ac6c75ccf3c815f1.yaml
@@ -0,0 +1,4 @@
+---
+upgrade:
+  - All crypto configuration options have been added to the 'crypto'
+    group. They should no longer be included in the 'DEFAULT' group.