Merge "Move project secrets key loading to key storage"

2021-04-13 18:00:21 +00:00 · 2021-04-13 18:00:21 +00:00 · 7620289087
parent 5087f54f5d 2dfc57d038
commit 7620289087
3 changed files with 54 additions and 48 deletions
--- a/zuul/configloader.py
+++ b/zuul/configloader.py
@ -1686,57 +1686,15 @@ class TenantParser(object):
        tpc.branches = branches

    def _loadProjectKeys(self, connection_name, project):
-        project.private_secrets_key_file = \
-            self.keystorage.getProjectSecretsKeyFile(
-                connection_name, project.name)
-        project.private_ssh_key_file = \
-            self.keystorage.getProjectSSHKeyFile(
-                connection_name, project.name)
+        project.private_secrets_key, project.public_secrets_key = (
+            self.keystorage.getProjectSecretsKeys(
+                connection_name, project.name
+            )
+        )

-        self._generateKeys(project)
-        self._loadKeys(project)
-
-        (project.private_ssh_key, project.public_ssh_key) = \
+        project.private_ssh_key, project.public_ssh_key = (
            self.keystorage.getProjectSSHKeys(connection_name, project.name)
-
-    def _generateKeys(self, project):
-        filename = project.private_secrets_key_file
-        if os.path.isfile(filename):
-            return
-
-        key_dir = os.path.dirname(filename)
-        if not os.path.isdir(key_dir):
-            os.makedirs(key_dir, 0o700)
-
-        self.log.info(
-            "Generating RSA keypair for project %s" % (project.name,)
        )
-        private_key, public_key = encryption.generate_rsa_keypair()
-        pem_private_key = encryption.serialize_rsa_private_key(private_key)
-
-        # Dump keys to filesystem.  We only save the private key
-        # because the public key can be constructed from it.
-        self.log.info(
-            "Saving RSA keypair for project %s to %s" % (
-                project.name, filename)
-        )
-
-        # Ensure private key is read/write for zuul user only.
-        with open(os.open(filename,
-                          os.O_CREAT | os.O_WRONLY, 0o600), 'wb') as f:
-            f.write(pem_private_key)
-
-    def _loadKeys(self, project):
-        # Check the key files specified are there
-        if not os.path.isfile(project.private_secrets_key_file):
-            raise Exception(
-                'Private key file {0} not found'.format(
-                    project.private_secrets_key_file))
-
-        # Load keypair
-        with open(project.private_secrets_key_file, "rb") as f:
-            (project.private_secrets_key, project.public_secrets_key) = \
-                encryption.deserialize_rsa_keypair(f.read())

    @staticmethod
    def _getProject(source, conf, current_include):
--- a/zuul/lib/keystorage.py
+++ b/zuul/lib/keystorage.py
@ -18,6 +18,8 @@ import os

 import paramiko

+from zuul.lib import encryption
+
 RSA_KEY_SIZE = 2048


@ -176,3 +178,45 @@ class KeyStorage(object):

        pk = paramiko.RSAKey.generate(bits=RSA_KEY_SIZE)
        pk.write_private_key_file(fn)
+
+    def getProjectSecretsKeys(self, connection_name, project_name):
+        """Return the private and public secrets keys for the project
+
+        A new key will be created if necessary.
+
+        :returns: A tuple (private_key, public_key)
+        """
+
+        private_key_file = self._ensureKeyFile(connection_name, project_name)
+
+        # Load keypair
+        with open(private_key_file, "rb") as f:
+            return encryption.deserialize_rsa_keypair(f.read())
+
+    def _ensureKeyFile(self, connection_name, project_name):
+        filename = self.getProjectSecretsKeyFile(
+            connection_name, project_name
+        )
+        if os.path.isfile(filename):
+            return filename
+
+        key_dir = os.path.dirname(filename)
+        if not os.path.isdir(key_dir):
+            os.makedirs(key_dir, 0o700)
+
+        self.log.info("Generating RSA keypair for project %s", project_name)
+        private_key, public_key = encryption.generate_rsa_keypair()
+        pem_private_key = encryption.serialize_rsa_private_key(private_key)
+
+        # Dump keys to filesystem.  We only save the private key
+        # because the public key can be constructed from it.
+        self.log.info(
+            "Saving RSA keypair for project %s to %s", project_name, filename
+        )
+
+        # Ensure private key is read/write for zuul user only.
+        with open(os.open(filename,
+                          os.O_CREAT | os.O_WRONLY, 0o600), 'wb') as f:
+            f.write(pem_private_key)
+
+        return filename
--- a/zuul/model.py
+++ b/zuul/model.py
@ -542,6 +542,10 @@ class Project(object):
        self.connection_name = source.connection.connection_name
        self.canonical_hostname = source.canonical_hostname
        self.canonical_name = source.canonical_hostname + '/' + name
+        self.private_secrets_key = None
+        self.public_secrets_key = None
+        self.private_ssh_key = None
+        self.public_ssh_key = None
        # foreign projects are those referenced in dependencies
        # of layout projects, this should matter
        # when deciding whether to enqueue their changes