Change error handling for cert validity check

Before this change, the code performed the certificate validity check
and stopped execution if any of the certificates in the
passed-in file were invalid.

This change removes the invalid certificate from the PEM
bundle being installed and allows the remaining valid certs
to be installed. The error message is stored and returned at
the end.

Closes-Bug: 1939917
Change-Id: Ic9c45ac15f081576a71472853e6e00ca0017336e
Signed-off-by: Rei Oliveira <Reinildes.JoseMateusOliveira@windriver.com>
This commit is contained in:
Rei Oliveira 2021-08-17 07:43:30 -03:00
parent 2cd10430d1
commit 68f05dcf23
3 changed files with 48 additions and 12 deletions


@ -90,9 +90,6 @@ def do_certificate_install(cc, args):
try:
response = cc.certificate.certificate_install(sec_file, data=data)
error = response.get('error')
if error:
raise exc.CommandError("%s" % error)
except exc.HTTPNotFound:
raise exc.CommandError('Certificate not installed %s. No response.' %
certificate_file)
@ -101,13 +98,21 @@ def do_certificate_install(cc, args):
(certificate_file, e))
else:
certificates = response.get('certificates')
for certificate in certificates:
_print_certificate_show(certificate)
try:
os.remove(certificate_file)
except OSError:
raise exc.CommandError('Error: Could not remove the '
'certificate %s' % certificate_file)
if certificates:
for certificate in certificates:
_print_certificate_show(certificate)
error = response.get('error')
if error:
print("WARNING: Some certificates were not installed.")
print(error)
else:
try:
os.remove(certificate_file)
except OSError:
raise exc.CommandError('Error: Could not remove the '
'certificate %s' % certificate_file)
@utils.arg('certificate_uuid', metavar='<certificate_uuid>',
help="UUID of certificate to uninstall")
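Review bot: A response that carries `error` but no `certificates` — which is what the controller returns when the only certificate in a file fails validation — is no longer treated as a failure on the client side: the `raise exc.CommandError` removed from the try block in the first hunk has become a printed WARNING, so the command exits 0 and the certificate file is left in place even though nothing was installed. The warning is appropriate only for a partial install; when nothing was installed the previous behaviour should be kept, e.g. under `if error:` add `if not certificates: raise exc.CommandError("%s" % error)` ahead of the two print calls. Indentation is lost on this page, so please also confirm that `error = response.get('error')` sits at the same level as `if certificates:` rather than inside it, otherwise an error-only response would go entirely unreported. do_certificate_install starts before this hunk.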


@ -378,10 +378,31 @@ class CertificateController(rest.RestController):
return dict(success="", error=msg)
hash_issuers = []
cert_validity_error = None
for index, cert in enumerate(certs):
msg = self._check_cert_validity(cert)
if msg is not True:
return dict(success="", error=msg)
# If file has only one cert fails right away
# if file has multiple certs continues execution for
# other certs and saves the error to be returned later
if len(certs) == 1:
return dict(success="", error=msg)
msg = "Error with cert number %s in the file: " \
% (index + 1) + msg
if cert_validity_error:
cert_validity_error += "\n" + msg
else:
cert_validity_error = msg
LOG.info(msg)
# gets certificate in PEM format
# removes expired certificates from pem_contents
pem_cert = cutils.get_public_bytes(cert)
pem_contents = pem_contents.replace(pem_cert, "")
continue
# validation checking for ssl, tpm_mode, docker_registry
# and openstack certficcates
@ -514,7 +535,10 @@ class CertificateController(rest.RestController):
log_end = cutils.timestamped("certificate_do_post_end")
LOG.info("certificate %s" % log_end)
return dict(success="", error="", body="",
error = ""
if cert_validity_error:
error = cert_validity_error
return dict(success="", error=error, body="",
certificates=certificate_dicts)
@wsme_pecan.wsexpose(RequestResult, body=RenewCertificate)
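Review bot: Removing a rejected certificate with `pem_contents.replace(pem_cert, "")` assumes the text produced by cutils.get_public_bytes is byte-identical to what the uploaded file contains; CRLF line endings, trailing whitespace or a differently labelled BEGIN line would make the replace a silent no-op, and the certificate that failed validation would still be installed while the returned error tells the operator it was skipped. Guard the removal, e.g. `if pem_cert not in pem_contents: return dict(success="", error=msg)` immediately before the replace, or rebuild pem_contents from the certificates that passed the check instead of editing the original text. `LOG.info(msg)` is also too quiet for a validation failure; `LOG.warning(msg)` would surface it in operator logs. If every certificate in a multi-cert file fails, the loop leaves pem_contents empty and execution continues past the hunk, so the code after it needs to handle that case; the second hunk at line 535 only forwards cert_validity_error into the result.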


@ -2640,6 +2640,13 @@ def extract_ca_crt_bytes_from_pem(pem_content):
return base64_crt
def get_public_bytes(cert):
""" Returns the PEM file text from x509 cert object
"""
cert_bytes = cert.public_bytes(encoding=serialization.Encoding.PEM)
return cert_bytes.decode('utf-8')
def extract_certs_from_pem(pem_contents):
"""
Extract certificates from a pem string
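Review bot: The docstring on get_public_bytes should state that the returned text is re-serialized from the x509 object rather than copied from the file it was parsed from, because the caller added in this change uses the result to locate and strip the certificate from the original PEM string. A summary line such as `"""Return the PEM-encoded text of an x509 certificate object."""` followed by one sentence noting that the header label and line endings come from the serializer, not the source file, would make that limitation visible at the call site. The leading space inside `""" Returns` also departs from PEP 257 and from the neighbouring extract_certs_from_pem docstring.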