osc-included image signing (using openstacksdk)
This extension adds image signing functionality to the "image create" command. Therefore, new CLI options --sign-key-path and --sign-cert-id have been added. This patch uses openstacksdk as the signing backend library instead of cursive. Therefore, requirements and lower_constraints have been updated to use the openstacksdk version 0.17 or higher. Depends-On: Idc15b9a12d408bd4b2e096da8402c374be56f9fa Change-Id: Ia20bc02a49c3fbeb9222e485e3396395f4ab817a Story: 2002128 Co-Authored-By: Markus Hentsch <markus.hentsch@secustack.com>
This commit is contained in:
parent
f77ca68d53
commit
1981eb2250
@ -50,7 +50,7 @@ msgpack-python==0.4.0
|
|||||||
munch==2.1.0
|
munch==2.1.0
|
||||||
netaddr==0.7.18
|
netaddr==0.7.18
|
||||||
netifaces==0.10.4
|
netifaces==0.10.4
|
||||||
openstacksdk==0.11.2
|
openstacksdk==0.17.0
|
||||||
os-client-config==1.28.0
|
os-client-config==1.28.0
|
||||||
os-service-types==1.2.0
|
os-service-types==1.2.0
|
||||||
os-testr==1.0.0
|
os-testr==1.0.0
|
||||||
|
@ -16,9 +16,11 @@
|
|||||||
"""Image V2 Action Implementations"""
|
"""Image V2 Action Implementations"""
|
||||||
|
|
||||||
import argparse
|
import argparse
|
||||||
|
from base64 import b64encode
|
||||||
import logging
|
import logging
|
||||||
|
|
||||||
from glanceclient.common import utils as gc_utils
|
from glanceclient.common import utils as gc_utils
|
||||||
|
from openstack.image import image_signer
|
||||||
from osc_lib.cli import parseractions
|
from osc_lib.cli import parseractions
|
||||||
from osc_lib.command import command
|
from osc_lib.command import command
|
||||||
from osc_lib import exceptions
|
from osc_lib import exceptions
|
||||||
@ -183,6 +185,22 @@ class CreateImage(command.ShowOne):
|
|||||||
help=_("Force image creation if volume is in use "
|
help=_("Force image creation if volume is in use "
|
||||||
"(only meaningful with --volume)"),
|
"(only meaningful with --volume)"),
|
||||||
)
|
)
|
||||||
|
parser.add_argument(
|
||||||
|
'--sign-key-path',
|
||||||
|
metavar="<sign-key-path>",
|
||||||
|
default=[],
|
||||||
|
help=_("Sign the image using the specified private key. "
|
||||||
|
"Only use in combination with --sign-cert-id")
|
||||||
|
)
|
||||||
|
parser.add_argument(
|
||||||
|
'--sign-cert-id',
|
||||||
|
metavar="<sign-cert-id>",
|
||||||
|
default=[],
|
||||||
|
help=_("The specified certificate UUID is a reference to "
|
||||||
|
"the certificate in the key manager that corresponds "
|
||||||
|
"to the public key and is used for signature validation. "
|
||||||
|
"Only use in combination with --sign-key-path")
|
||||||
|
)
|
||||||
protected_group = parser.add_mutually_exclusive_group()
|
protected_group = parser.add_mutually_exclusive_group()
|
||||||
protected_group.add_argument(
|
protected_group.add_argument(
|
||||||
"--protected",
|
"--protected",
|
||||||
@ -335,6 +353,46 @@ class CreateImage(command.ShowOne):
|
|||||||
parsed_args.project_domain,
|
parsed_args.project_domain,
|
||||||
).id
|
).id
|
||||||
|
|
||||||
|
# sign an image using a given local private key file
|
||||||
|
if parsed_args.sign_key_path or parsed_args.sign_cert_id:
|
||||||
|
if not parsed_args.file:
|
||||||
|
msg = (_("signing an image requires the --file option, "
|
||||||
|
"passing files via stdin when signing is not "
|
||||||
|
"supported."))
|
||||||
|
raise exceptions.CommandError(msg)
|
||||||
|
if (len(parsed_args.sign_key_path) < 1 or
|
||||||
|
len(parsed_args.sign_cert_id) < 1):
|
||||||
|
msg = (_("'sign-key-path' and 'sign-cert-id' must both be "
|
||||||
|
"specified when attempting to sign an image."))
|
||||||
|
raise exceptions.CommandError(msg)
|
||||||
|
else:
|
||||||
|
sign_key_path = parsed_args.sign_key_path
|
||||||
|
sign_cert_id = parsed_args.sign_cert_id
|
||||||
|
signer = image_signer.ImageSigner()
|
||||||
|
try:
|
||||||
|
pw = utils.get_password(
|
||||||
|
self.app.stdin,
|
||||||
|
prompt=("Please enter private key password, leave "
|
||||||
|
"empty if none: "),
|
||||||
|
confirm=False)
|
||||||
|
if not pw or len(pw) < 1:
|
||||||
|
pw = None
|
||||||
|
signer.load_private_key(
|
||||||
|
sign_key_path,
|
||||||
|
password=pw)
|
||||||
|
except Exception:
|
||||||
|
msg = (_("Error during sign operation: private key could "
|
||||||
|
"not be loaded."))
|
||||||
|
raise exceptions.CommandError(msg)
|
||||||
|
|
||||||
|
signature = signer.generate_signature(fp)
|
||||||
|
signature_b64 = b64encode(signature)
|
||||||
|
kwargs['img_signature'] = signature_b64
|
||||||
|
kwargs['img_signature_certificate_uuid'] = sign_cert_id
|
||||||
|
kwargs['img_signature_hash_method'] = signer.hash_method
|
||||||
|
if signer.padding_method:
|
||||||
|
kwargs['img_signature_key_type'] = signer.padding_method
|
||||||
|
|
||||||
# If a volume is specified.
|
# If a volume is specified.
|
||||||
if parsed_args.volume:
|
if parsed_args.volume:
|
||||||
volume_client = self.app.client_manager.volume
|
volume_client = self.app.client_manager.volume
|
||||||
|
@ -0,0 +1,11 @@
|
|||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
Add options ``--sign-key-path`` and ``--sign-cert-id`` to the ``image create``
|
||||||
|
command. Tthe image must be present on disk, therefore the ``file`` option
|
||||||
|
is required:
|
||||||
|
|
||||||
|
``image create --file <filename> --sign-key-path <key-path> --sign-cert-id <secret-id>``.
|
||||||
|
|
||||||
|
A prompt for a password ensures, that the private key can be protected too.
|
||||||
|
[Bug `2002128 <https://storyboard.openstack.org/#!/story/2002128>`_]
|
@ -7,7 +7,7 @@ six>=1.10.0 # MIT
|
|||||||
Babel!=2.4.0,>=2.3.4 # BSD
|
Babel!=2.4.0,>=2.3.4 # BSD
|
||||||
cliff!=2.9.0,>=2.8.0 # Apache-2.0
|
cliff!=2.9.0,>=2.8.0 # Apache-2.0
|
||||||
keystoneauth1>=3.4.0 # Apache-2.0
|
keystoneauth1>=3.4.0 # Apache-2.0
|
||||||
openstacksdk>=0.11.2 # Apache-2.0
|
openstacksdk>=0.17.0 # Apache-2.0
|
||||||
osc-lib>=1.10.0 # Apache-2.0
|
osc-lib>=1.10.0 # Apache-2.0
|
||||||
oslo.i18n>=3.15.3 # Apache-2.0
|
oslo.i18n>=3.15.3 # Apache-2.0
|
||||||
oslo.utils>=3.33.0 # Apache-2.0
|
oslo.utils>=3.33.0 # Apache-2.0
|
||||||
|
Loading…
x
Reference in New Issue
Block a user