Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
slapos
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Analytics
Analytics
CI / CD
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Léo-Paul Géneau
slapos
Commits
d045148e
Commit
d045148e
authored
Jul 08, 2011
by
Vivien Alger
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Adding everything for SSL support
parent
e3cbb2d8
Changes
3
Expand all
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
540 additions
and
3 deletions
+540
-3
slapos/recipe/kvm/__init__.py
slapos/recipe/kvm/__init__.py
+78
-3
slapos/recipe/kvm/certificate_authority.py
slapos/recipe/kvm/certificate_authority.py
+112
-0
slapos/recipe/kvm/template/openssl.cnf.ca.in
slapos/recipe/kvm/template/openssl.cnf.ca.in
+350
-0
No files found.
slapos/recipe/kvm/__init__.py
View file @
d045148e
...
...
@@ -32,7 +32,8 @@ import binascii
import
random
import
zc.buildout
import
pkg_resources
import
ConfigParser
import
hashlib
class
Recipe
(
BaseSlapRecipe
):
...
...
@@ -59,7 +60,7 @@ class Recipe(BaseSlapRecipe):
self
.
linkBinary
()
self
.
computer_partition
.
setConnectionDict
(
dict
(
vnc_connection_string
=
"https://[%s]:%s"
%
(
noVNC_conf
[
'source_ip'
],
vnc_connection_string
=
"https://[%s]:%s
/vnc.html
"
%
(
noVNC_conf
[
'source_ip'
],
noVNC_conf
[
'source_port'
],
)))
...
...
@@ -161,7 +162,10 @@ class Recipe(BaseSlapRecipe):
noVNC_conf
[
'target_ip'
]
=
target_ip
noVNC_conf
[
'target_port'
]
=
target_port
noVNC_conf
[
'python_path'
]
=
python_path
noVNC_conf
[
'ca_conf'
]
=
self
.
installCertificateAuthority
()
noVNC_conf
[
'key_path'
],
noVNC_conf
[
'certificate_path'
]
=
self
.
requestCertificate
(
'noVNC'
)
# Instanciate Websockify
websockify_runner_path
=
self
.
instanciate_wrapper
(
"websockify"
,
noVNC_conf
)
...
...
@@ -211,3 +215,74 @@ class Recipe(BaseSlapRecipe):
os
.
symlink
(
target
,
link
)
self
.
logger
.
debug
(
'Created link %r -> %r'
%
(
link
,
target
))
self
.
path_list
.
append
(
link
)
def
installCertificateAuthority
(
self
,
ca_country_code
=
'XX'
,
ca_email
=
'xx@example.com'
,
ca_state
=
'State'
,
ca_city
=
'City'
,
ca_company
=
'Company'
):
backup_path
=
self
.
createBackupDirectory
(
'ca'
)
self
.
ca_dir
=
os
.
path
.
join
(
self
.
data_root_directory
,
'ca'
)
self
.
_createDirectory
(
self
.
ca_dir
)
self
.
ca_request_dir
=
os
.
path
.
join
(
self
.
ca_dir
,
'requests'
)
self
.
_createDirectory
(
self
.
ca_request_dir
)
config
=
dict
(
ca_dir
=
self
.
ca_dir
,
request_dir
=
self
.
ca_request_dir
)
self
.
ca_private
=
os
.
path
.
join
(
self
.
ca_dir
,
'private'
)
self
.
ca_certs
=
os
.
path
.
join
(
self
.
ca_dir
,
'certs'
)
self
.
ca_crl
=
os
.
path
.
join
(
self
.
ca_dir
,
'crl'
)
self
.
ca_newcerts
=
os
.
path
.
join
(
self
.
ca_dir
,
'newcerts'
)
self
.
ca_key_ext
=
'.key'
self
.
ca_crt_ext
=
'.crt'
for
d
in
[
self
.
ca_private
,
self
.
ca_crl
,
self
.
ca_newcerts
,
self
.
ca_certs
]:
self
.
_createDirectory
(
d
)
for
f
in
[
'crlnumber'
,
'serial'
]:
if
not
os
.
path
.
exists
(
os
.
path
.
join
(
self
.
ca_dir
,
f
)):
open
(
os
.
path
.
join
(
self
.
ca_dir
,
f
),
'w'
).
write
(
'01'
)
if
not
os
.
path
.
exists
(
os
.
path
.
join
(
self
.
ca_dir
,
'index.txt'
)):
open
(
os
.
path
.
join
(
self
.
ca_dir
,
'index.txt'
),
'w'
).
write
(
''
)
openssl_configuration
=
os
.
path
.
join
(
self
.
ca_dir
,
'openssl.cnf'
)
config
.
update
(
working_directory
=
self
.
ca_dir
,
country_code
=
ca_country_code
,
state
=
ca_state
,
city
=
ca_city
,
company
=
ca_company
,
email_address
=
ca_email
,
)
self
.
_writeFile
(
openssl_configuration
,
pkg_resources
.
resource_string
(
__name__
,
'template/openssl.cnf.ca.in'
)
%
config
)
self
.
path_list
.
extend
(
zc
.
buildout
.
easy_install
.
scripts
([
(
'certificate_authority'
,
__name__
+
'.certificate_authority'
,
'runCertificateAuthority'
)],
self
.
ws
,
sys
.
executable
,
self
.
wrapper_directory
,
arguments
=
[
dict
(
openssl_configuration
=
openssl_configuration
,
openssl_binary
=
self
.
options
[
'openssl_binary'
],
certificate
=
os
.
path
.
join
(
self
.
ca_dir
,
'cacert.pem'
),
key
=
os
.
path
.
join
(
self
.
ca_private
,
'cakey.pem'
),
crl
=
os
.
path
.
join
(
self
.
ca_crl
),
request_dir
=
self
.
ca_request_dir
)]))
# configure backup
backup_cron
=
os
.
path
.
join
(
self
.
cron_d
,
'ca_rdiff_backup'
)
open
(
backup_cron
,
'w'
).
write
(
'''0 0 * * * %(rdiff_backup)s %(source)s %(destination)s'''
%
dict
(
rdiff_backup
=
self
.
options
[
'rdiff_backup_binary'
],
source
=
self
.
ca_dir
,
destination
=
backup_path
))
self
.
path_list
.
append
(
backup_cron
)
return
dict
(
ca_certificate
=
os
.
path
.
join
(
config
[
'ca_dir'
],
'cacert.pem'
),
ca_crl
=
os
.
path
.
join
(
config
[
'ca_dir'
],
'crl'
),
certificate_authority_path
=
config
[
'ca_dir'
]
)
def
requestCertificate
(
self
,
name
):
hash
=
hashlib
.
sha512
(
name
).
hexdigest
()
key
=
os
.
path
.
join
(
self
.
ca_private
,
hash
+
self
.
ca_key_ext
)
certificate
=
os
.
path
.
join
(
self
.
ca_certs
,
hash
+
self
.
ca_crt_ext
)
parser
=
ConfigParser
.
RawConfigParser
()
parser
.
add_section
(
'certificate'
)
parser
.
set
(
'certificate'
,
'name'
,
name
)
parser
.
set
(
'certificate'
,
'key_file'
,
key
)
parser
.
set
(
'certificate'
,
'certificate_file'
,
certificate
)
parser
.
write
(
open
(
os
.
path
.
join
(
self
.
ca_request_dir
,
hash
),
'w'
))
return
key
,
certificate
slapos/recipe/kvm/certificate_authority.py
0 → 100755
View file @
d045148e
import
os
import
subprocess
import
time
import
ConfigParser
def
popenCommunicate
(
command_list
,
input
=
None
):
subprocess_kw
=
dict
(
stdout
=
subprocess
.
PIPE
,
stderr
=
subprocess
.
STDOUT
)
if
input
is
not
None
:
subprocess_kw
.
update
(
stdin
=
subprocess
.
PIPE
)
popen
=
subprocess
.
Popen
(
command_list
,
**
subprocess_kw
)
result
=
popen
.
communicate
(
input
)[
0
]
if
popen
.
returncode
is
None
:
popen
.
kill
()
if
popen
.
returncode
!=
0
:
raise
ValueError
(
'Issue during calling %r, result was:
\
n
%s'
%
(
command_list
,
result
))
return
result
class
CertificateAuthority
:
def
__init__
(
self
,
key
,
certificate
,
openssl_binary
,
openssl_configuration
,
request_dir
):
self
.
key
=
key
self
.
certificate
=
certificate
self
.
openssl_binary
=
openssl_binary
self
.
openssl_configuration
=
openssl_configuration
self
.
request_dir
=
request_dir
def
checkAuthority
(
self
):
file_list
=
[
self
.
key
,
self
.
certificate
]
ca_ready
=
True
for
f
in
file_list
:
if
not
os
.
path
.
exists
(
f
):
ca_ready
=
False
break
if
ca_ready
:
return
for
f
in
file_list
:
if
os
.
path
.
exists
(
f
):
os
.
unlink
(
f
)
try
:
# no CA, let us create new one
popenCommunicate
([
self
.
openssl_binary
,
'req'
,
'-nodes'
,
'-config'
,
self
.
openssl_configuration
,
'-new'
,
'-x509'
,
'-extensions'
,
'v3_ca'
,
'-keyout'
,
self
.
key
,
'-out'
,
self
.
certificate
,
'-days'
,
'10950'
],
'Automatic Certificate Authority
\
n
'
)
except
:
try
:
for
f
in
file_list
:
if
os
.
path
.
exists
(
f
):
os
.
unlink
(
f
)
except
:
# do not raise during cleanup
pass
raise
def
_checkCertificate
(
self
,
common_name
,
key
,
certificate
):
file_list
=
[
key
,
certificate
]
ready
=
True
for
f
in
file_list
:
if
not
os
.
path
.
exists
(
f
):
ready
=
False
break
if
ready
:
return
False
for
f
in
file_list
:
if
os
.
path
.
exists
(
f
):
os
.
unlink
(
f
)
csr
=
certificate
+
'.csr'
try
:
popenCommunicate
([
self
.
openssl_binary
,
'req'
,
'-config'
,
self
.
openssl_configuration
,
'-nodes'
,
'-new'
,
'-keyout'
,
key
,
'-out'
,
csr
,
'-days'
,
'3650'
],
common_name
+
'
\
n
'
)
try
:
popenCommunicate
([
self
.
openssl_binary
,
'ca'
,
'-batch'
,
'-config'
,
self
.
openssl_configuration
,
'-out'
,
certificate
,
'-infiles'
,
csr
])
finally
:
if
os
.
path
.
exists
(
csr
):
os
.
unlink
(
csr
)
except
:
try
:
for
f
in
file_list
:
if
os
.
path
.
exists
(
f
):
os
.
unlink
(
f
)
except
:
# do not raise during cleanup
pass
raise
else
:
return
True
def
checkRequestDir
(
self
):
for
request_file
in
os
.
listdir
(
self
.
request_dir
):
parser
=
ConfigParser
.
RawConfigParser
()
parser
.
readfp
(
open
(
os
.
path
.
join
(
self
.
request_dir
,
request_file
),
'r'
))
if
self
.
_checkCertificate
(
parser
.
get
(
'certificate'
,
'name'
),
parser
.
get
(
'certificate'
,
'key_file'
),
parser
.
get
(
'certificate'
,
'certificate_file'
)):
print
'Created certificate %r'
%
parser
.
get
(
'certificate'
,
'name'
)
def
runCertificateAuthority
(
args
):
ca_conf
=
args
[
0
]
ca
=
CertificateAuthority
(
ca_conf
[
'key'
],
ca_conf
[
'certificate'
],
ca_conf
[
'openssl_binary'
],
ca_conf
[
'openssl_configuration'
],
ca_conf
[
'request_dir'
])
while
True
:
ca
.
checkAuthority
()
ca
.
checkRequestDir
()
time
.
sleep
(
60
)
slapos/recipe/kvm/template/openssl.cnf.ca.in
0 → 100644
View file @
d045148e
This diff is collapsed.
Click to expand it.
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment