openstack/puppet-tripleo
Code Issues Proposed changes
5f6da8717a
puppet-tripleo/files/cm_ipa_subca_wrapper.py
Oliver Walsh ceb4faebe1 Add support for libvirt VNC TLS with option of a dedicated CA 
Configures ca/certs/key for nova-novnc vencrypt.

A dedicated IPA sub-CA can optionally be used to restrict access.
A custom certmonger helper is used to support this as certmonger currently
has limited support for IPA sub-CAs.

Depends-On: I24a9841ba04c95df27599b4d7ac2da8416e751e5
Change-Id: Ic73bcbdbecc1bc05f43acdd5480370f37ead3fb8
2018-02-14 10:23:26 +00:00

76 lines
2.2 KiB
Python
Raw Blame History

#!/usr/bin/python
from __future__ import print_function
try:
import ConfigParser as configparser
except ImportError:
import configparser
import os
import sys
import subprocess
CM_SUBMIT_STATUS_ISSUED = 0
CM_SUBMIT_STATUS_UNCONFIGURED = 4
def main():
if len(sys.argv) < 3:
return CM_SUBMIT_STATUS_UNCONFIGURED
sub_ca = sys.argv[1]
wrapped_command = sys.argv[2:]
operation = os.environ.get('CERTMONGER_OPERATION')
os.environ['CERTMONGER_CA_NICKNAME'] = 'IPA'
if operation == 'FETCH-ROOTS' and sub_ca.lower() != 'ipa':
config = configparser.ConfigParser()
try:
with open('/etc/ipa/default.conf') as fp:
config.readfp(fp)
except:
return CM_SUBMIT_STATUS_UNCONFIGURED
host = config.get('global', 'host')
realm = config.get('global', 'realm')
if host is None or realm is None:
return CM_SUBMIT_STATUS_UNCONFIGURED
principal = 'host/{}@{}'.format(host, realm)
os.environ['KRB5CCNAME'] = '/tmp/krb5cc_cm_ipa_subca_wrapper'
try:
subprocess.check_call([
'/usr/bin/kinit', '-k', principal
])
except:
return CM_SUBMIT_STATUS_UNCONFIGURED
try:
data = subprocess.check_output([
'/usr/bin/ipa', 'ca-show', sub_ca
])
except:
return CM_SUBMIT_STATUS_ISSUED
config = {}
for line in data.split('\n'):
line = line.strip()
try:
key, value = line.split(': ')
except:
continue
config[key] = value
if config.get('Name').lower() != sub_ca.lower():
return CM_SUBMIT_STATUS_ISSUED
print(realm, sub_ca, 'CA')
print('-----BEGIN CERTIFICATE-----')
certificate = config['Certificate']
for i in range((len(certificate)/64) + 1):
print(certificate[i*64:(i+1)*64])
print('-----END CERTIFICATE-----')
sys.stdout.flush()
else:
os.environ['CERTMONGER_CA_ISSUER'] = sub_ca
os.execl(wrapped_command[0], *wrapped_command)
if __name__ == '__main__':
main()
View Git Blame Copy Permalink