Merge "Move project secrets key loading to key storage"
7620289087
|
@ -1686,57 +1686,15 @@ class TenantParser(object):
|
|||
tpc.branches = branches
|
||||
|
||||
def _loadProjectKeys(self, connection_name, project):
|
||||
project.private_secrets_key_file = \
|
||||
self.keystorage.getProjectSecretsKeyFile(
|
||||
connection_name, project.name)
|
||||
project.private_ssh_key_file = \
|
||||
self.keystorage.getProjectSSHKeyFile(
|
||||
connection_name, project.name)
|
||||
project.private_secrets_key, project.public_secrets_key = (
|
||||
self.keystorage.getProjectSecretsKeys(
|
||||
connection_name, project.name
|
||||
)
|
||||
)
|
||||
|
||||
self._generateKeys(project)
|
||||
self._loadKeys(project)
|
||||
|
||||
(project.private_ssh_key, project.public_ssh_key) = \
|
||||
project.private_ssh_key, project.public_ssh_key = (
|
||||
self.keystorage.getProjectSSHKeys(connection_name, project.name)
|
||||
|
||||
def _generateKeys(self, project):
|
||||
filename = project.private_secrets_key_file
|
||||
if os.path.isfile(filename):
|
||||
return
|
||||
|
||||
key_dir = os.path.dirname(filename)
|
||||
if not os.path.isdir(key_dir):
|
||||
os.makedirs(key_dir, 0o700)
|
||||
|
||||
self.log.info(
|
||||
"Generating RSA keypair for project %s" % (project.name,)
|
||||
)
|
||||
private_key, public_key = encryption.generate_rsa_keypair()
|
||||
pem_private_key = encryption.serialize_rsa_private_key(private_key)
|
||||
|
||||
# Dump keys to filesystem. We only save the private key
|
||||
# because the public key can be constructed from it.
|
||||
self.log.info(
|
||||
"Saving RSA keypair for project %s to %s" % (
|
||||
project.name, filename)
|
||||
)
|
||||
|
||||
# Ensure private key is read/write for zuul user only.
|
||||
with open(os.open(filename,
|
||||
os.O_CREAT | os.O_WRONLY, 0o600), 'wb') as f:
|
||||
f.write(pem_private_key)
|
||||
|
||||
def _loadKeys(self, project):
|
||||
# Check the key files specified are there
|
||||
if not os.path.isfile(project.private_secrets_key_file):
|
||||
raise Exception(
|
||||
'Private key file {0} not found'.format(
|
||||
project.private_secrets_key_file))
|
||||
|
||||
# Load keypair
|
||||
with open(project.private_secrets_key_file, "rb") as f:
|
||||
(project.private_secrets_key, project.public_secrets_key) = \
|
||||
encryption.deserialize_rsa_keypair(f.read())
|
||||
|
||||
@staticmethod
|
||||
def _getProject(source, conf, current_include):
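Review bot: The new `_loadProjectKeys` no longer assigns `project.private_secrets_key_file` and `project.private_ssh_key_file`, which the removed version set before loading; if anything outside this hunk (executor, tests, a `__repr__`) still reads those attributes it breaks silently, and I cannot see those readers from here, so a grep is worth doing before merging. The explicit `'Private key file {0} not found'` error from the removed `_loadKeys` is gone, which is only correct because `getProjectSecretsKeys` now creates the file on demand — meaning this loader has a write side effect at configuration-load time that its name does not suggest. A one-line docstring would make that visible, e.g. `"""Populate the project's secrets and SSH keypairs from key storage; a missing secrets key is generated on first use."""`.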
|
||||
|
|
|
@ -18,6 +18,8 @@ import os
|
|||
|
||||
import paramiko
|
||||
|
||||
from zuul.lib import encryption
|
||||
|
||||
RSA_KEY_SIZE = 2048
|
||||
|
||||
|
||||
|
@ -176,3 +178,45 @@ class KeyStorage(object):
|
|||
|
||||
pk = paramiko.RSAKey.generate(bits=RSA_KEY_SIZE)
|
||||
pk.write_private_key_file(fn)
|
||||
|
||||
def getProjectSecretsKeys(self, connection_name, project_name):
|
||||
"""Return the private and public secrets keys for the project
|
||||
|
||||
A new key will be created if necessary.
|
||||
|
||||
:returns: A tuple (private_key, public_key)
|
||||
"""
|
||||
|
||||
private_key_file = self._ensureKeyFile(connection_name, project_name)
|
||||
|
||||
# Load keypair
|
||||
with open(private_key_file, "rb") as f:
|
||||
return encryption.deserialize_rsa_keypair(f.read())
|
||||
|
||||
def _ensureKeyFile(self, connection_name, project_name):
|
||||
filename = self.getProjectSecretsKeyFile(
|
||||
connection_name, project_name
|
||||
)
|
||||
if os.path.isfile(filename):
|
||||
return filename
|
||||
|
||||
key_dir = os.path.dirname(filename)
|
||||
if not os.path.isdir(key_dir):
|
||||
os.makedirs(key_dir, 0o700)
|
||||
|
||||
self.log.info("Generating RSA keypair for project %s", project_name)
|
||||
private_key, public_key = encryption.generate_rsa_keypair()
|
||||
pem_private_key = encryption.serialize_rsa_private_key(private_key)
|
||||
|
||||
# Dump keys to filesystem. We only save the private key
|
||||
# because the public key can be constructed from it.
|
||||
self.log.info(
|
||||
"Saving RSA keypair for project %s to %s", project_name, filename
|
||||
)
|
||||
|
||||
# Ensure private key is read/write for zuul user only.
|
||||
with open(os.open(filename,
|
||||
os.O_CREAT | os.O_WRONLY, 0o600), 'wb') as f:
|
||||
f.write(pem_private_key)
|
||||
|
||||
return filename
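Review bot: `_ensureKeyFile` tests `os.path.isfile(filename)` and then opens with `os.O_CREAT | os.O_WRONLY` but without `os.O_EXCL`, so two processes (or two concurrent reloads of the same tenant) that both miss the check will both generate a key and the second `f.write` silently overwrites the first; anything already encrypted against the first public key is then undecryptable, and nothing in the log would say why. Opening with `O_EXCL` and treating `FileExistsError` as "another writer already generated it" closes that window. A reader arriving between the create and the write still sees an empty or partial PEM and `deserialize_rsa_keypair` will raise on it; whether concurrent loads are actually possible in this deployment I cannot tell from the hunk, but if they are, writing to a temporary file in `key_dir` and linking it into place would close that gap too. Note also that the `0o600` mode is applied only when the file is created, so a pre-existing key keeps whatever mode it had and its permissions are never checked on the load path.
```python
        # Ensure private key is read/write for zuul user only.  O_EXCL makes
        # creation atomic so two writers cannot both generate a key and one
        # silently clobber the other's.
        try:
            fd = os.open(filename,
                         os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o600)
        except FileExistsError:
            # Lost the race; the other writer's key is the one to use.
            return filename
        with open(fd, 'wb') as f:
            f.write(pem_private_key)
        # … unchanged: return filename …
```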
|
||||
|
|
|
@ -542,6 +542,10 @@ class Project(object):
|
|||
self.connection_name = source.connection.connection_name
|
||||
self.canonical_hostname = source.canonical_hostname
|
||||
self.canonical_name = source.canonical_hostname + '/' + name
|
||||
self.private_secrets_key = None
|
||||
self.public_secrets_key = None
|
||||
self.private_ssh_key = None
|
||||
self.public_ssh_key = None
|
||||
# foreign projects are those referenced in dependencies
|
||||
# of layout projects, this should matter
|
||||
# when deciding whether to enqueue their changes
|
||||
|
|