Create nova cert worker for x509 support

* Adds new worker for cert management
 * Makes decrypt use an rpc to the worker
 * Moves CA filesystem creation out of cloud.setup
 * Moves test for X509 into crypto
 * Adds test for encrypting and decrypting using cert
 * Cleans up extra code in cloudpipe
 * Fixes bug 918563
 * Prepares for a future patch that will fix bug 903345

Change-Id: I4693c50c8f432706f97395af39e736f49d60e719

bin/nova-all

@@ -65,7 +65,7 @@ if __name__ == '__main__':
     except (Exception, SystemExit):
         logging.exception(_('Failed to load %s') % 'objectstore-wsgi')
     for binary in ['nova-xvpvncproxy', 'nova-compute', 'nova-volume',
-                   'nova-network', 'nova-scheduler', 'nova-vsa']:
+                   'nova-network', 'nova-scheduler', 'nova-vsa', 'nova-cert']:
         try:
             servers.append(service.Service.create(binary=binary))
         except (Exception, SystemExit):

bin/nova-cert

@@ -0,0 +1,47 @@
+#!/usr/bin/env python
+# vim: tabstop=4 shiftwidth=4 softtabstop=4
+
+# Copyright 2012 OpenStack, LLC.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+"""Starter script for Nova Cert."""
+
+import eventlet
+eventlet.monkey_patch()
+
+import os
+import sys
+
+# If ../nova/__init__.py exists, add ../ to Python search path, so that
+# it will override what happens to be installed in /usr/(local/)lib/python...
+POSSIBLE_TOPDIR = os.path.normpath(os.path.join(os.path.abspath(sys.argv[0]),
+                                   os.pardir,
+                                   os.pardir))
+if os.path.exists(os.path.join(POSSIBLE_TOPDIR, 'nova', '__init__.py')):
+    sys.path.insert(0, POSSIBLE_TOPDIR)
+
+
+from nova import flags
+from nova import log as logging
+from nova import service
+from nova import utils
+
+if __name__ == '__main__':
+    utils.default_flagfile()
+    flags.FLAGS(sys.argv)
+    logging.setup()
+    utils.monkey_patch()
+    server = service.Service.create(binary='nova-cert')
+    service.serve(server)
+    service.wait()

nova/exception.py

@@ -179,6 +179,10 @@ class NovaException(Exception):
         super(NovaException, self).__init__(message)
 
 
+class DecryptionFailure(NovaException):
+    message = _("Failed to decrypt text")
+
+
 class ImagePaginationFailed(NovaException):
     message = _("Failed to paginate through images from image service")
 

nova/flags.py

@@ -275,6 +275,7 @@ DEFINE_integer('glance_num_retries', 0,
 DEFINE_integer('s3_port', 3333, 's3 port')
 DEFINE_string('s3_host', '$my_ip', 's3 host (for infrastructure)')
 DEFINE_string('s3_dmz', '$my_ip', 's3 dmz ip (for instances)')
+DEFINE_string('cert_topic', 'cert', 'the topic cert nodes listen on')
 DEFINE_string('compute_topic', 'compute', 'the topic compute nodes listen on')
 DEFINE_string('console_topic', 'console',
               'the topic console proxy nodes listen on')
@@ -367,6 +368,8 @@ DEFINE_string('compute_manager', 'nova.compute.manager.ComputeManager',
               'Manager for compute')
 DEFINE_string('console_manager', 'nova.console.manager.ConsoleProxyManager',
               'Manager for console proxy')
+DEFINE_string('cert_manager', 'nova.cert.manager.CertManager',
+              'Manager for cert')
 DEFINE_string('instance_dns_manager',
               'nova.network.dns_driver.DNSDriver',
               'DNS Manager for instance IPs')

nova/tests/test_auth.py

@@ -16,7 +16,6 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
-from M2Crypto import X509
 import unittest
 
 from nova import crypto
@@ -245,28 +244,6 @@ class _AuthManagerBaseTestCase(test.TestCase):
                                                        project))
                 self.assertFalse(self.manager.is_project_member(user, project))
 
-    def test_can_generate_x509(self):
-        # NOTE(todd): this doesn't assert against the auth manager
-        #             so it probably belongs in crypto_unittest
-        #             but I'm leaving it where I found it.
-        with user_and_project_generator(self.manager) as (user, project):
-            # NOTE(vish): Setup runs genroot.sh if it hasn't been run
-            cloud.CloudController().setup()
-            _key, cert_str = crypto.generate_x509_cert(user.id, project.id)
-            LOG.debug(cert_str)
-
-            int_cert = crypto.fetch_ca(project_id=project.id)
-            cloud_cert = crypto.fetch_ca()
-            signed_cert = X509.load_cert_string(cert_str)
-            int_cert = X509.load_cert_string(int_cert)
-            cloud_cert = X509.load_cert_string(cloud_cert)
-            self.assertTrue(signed_cert.verify(int_cert.get_pubkey()))
-
-            if not FLAGS.use_project_ca:
-                self.assertTrue(signed_cert.verify(cloud_cert.get_pubkey()))
-            else:
-                self.assertFalse(signed_cert.verify(cloud_cert.get_pubkey()))
-
     def test_adding_role_to_project_is_ignored_unless_added_to_user(self):
         with user_and_project_generator(self.manager) as (user, project):
             self.assertFalse(self.manager.has_role(user, 'sysadmin', project))

setup.py

@@ -89,6 +89,7 @@ setup(name='nova',
                'bin/nova-api-metadata',
                'bin/nova-api-os-compute',
                'bin/nova-api-os-volume',
+               'bin/nova-cert',
                'bin/nova-compute',
                'bin/nova-console',
                'bin/nova-consoleauth',