Commit b3b4ebf1 authored by Vincent Pelletier's avatar Vincent Pelletier

client: Promote updateCAFile and updateCRLFile to class methods.

So that they do not hardcode the class to instantiate.
This prepares further class tweaking.
Also, update users.
parent e72324c6
...@@ -34,8 +34,6 @@ from .client import ( ...@@ -34,8 +34,6 @@ from .client import (
CaucaseError, CaucaseError,
CaucaseClient, CaucaseClient,
HTTPSOnlyCaucaseClient, HTTPSOnlyCaucaseClient,
updateCAFile,
updateCRLFile,
) )
_cryptography_backend = default_backend() _cryptography_backend = default_backend()
...@@ -492,10 +490,10 @@ def main(argv=None): ...@@ -492,10 +490,10 @@ def main(argv=None):
try: try:
# Get a working, up-to-date CAS CA certificate file. # Get a working, up-to-date CAS CA certificate file.
updated |= updateCAFile(cas_url, args.ca_crt) updated |= CaucaseClient.updateCAFile(cas_url, args.ca_crt)
# --update-user, CA part # --update-user, CA part
if args.update_user or args.mode == MODE_USER: if args.update_user or args.mode == MODE_USER:
updated |= updateCAFile(cau_url, args.user_ca_crt) updated |= CaucaseClient.updateCAFile(cau_url, args.user_ca_crt)
client = CLICaucaseClient( client = CLICaucaseClient(
client=CaucaseClient( client=CaucaseClient(
...@@ -538,13 +536,13 @@ def main(argv=None): ...@@ -538,13 +536,13 @@ def main(argv=None):
if args.list_csr: if args.list_csr:
client.listCSR(args.mode) client.listCSR(args.mode)
# update our CRL after all revocations we were requested # update our CRL after all revocations we were requested
updated |= updateCRLFile(cas_url, args.crl, [ updated |= CaucaseClient.updateCRLFile(cas_url, args.crl, [
utils.load_ca_certificate(x) utils.load_ca_certificate(x)
for x in utils.getCertList(args.ca_crt) for x in utils.getCertList(args.ca_crt)
]) ])
# --update-user, CRL part # --update-user, CRL part
if args.update_user: if args.update_user:
updated |= updateCRLFile(cau_url, args.user_crl, [ updated |= CaucaseClient.updateCRLFile(cau_url, args.user_crl, [
utils.load_ca_certificate(x) utils.load_ca_certificate(x)
for x in utils.getCertList(args.user_ca_crt) for x in utils.getCertList(args.user_ca_crt)
]) ])
...@@ -695,7 +693,10 @@ def updater(argv=None, until=utils.until): ...@@ -695,7 +693,10 @@ def updater(argv=None, until=utils.until):
}[args.mode] }[args.mode]
threshold = datetime.timedelta(args.threshold, 0) threshold = datetime.timedelta(args.threshold, 0)
max_sleep = datetime.timedelta(args.max_sleep, 0) max_sleep = datetime.timedelta(args.max_sleep, 0)
updated = updateCAFile(cas_url, args.cas_ca) and args.cas_ca == args.ca updated = CaucaseClient.updateCAFile(
cas_url,
args.cas_ca,
) and args.cas_ca == args.ca
client = CaucaseClient( client = CaucaseClient(
ca_url=ca_url, ca_url=ca_url,
ca_crt_pem_list=utils.getCertList(args.cas_ca) ca_crt_pem_list=utils.getCertList(args.cas_ca)
...@@ -732,12 +733,15 @@ def updater(argv=None, until=utils.until): ...@@ -732,12 +733,15 @@ def updater(argv=None, until=utils.until):
) )
now = until(next_deadline) now = until(next_deadline)
next_deadline = now + max_sleep next_deadline = now + max_sleep
if args.cas_ca != args.ca and updateCAFile(cas_url, args.cas_ca): if args.cas_ca != args.ca and CaucaseClient.updateCAFile(
cas_url,
args.cas_ca,
):
client = CaucaseClient( client = CaucaseClient(
ca_url=ca_url, ca_url=ca_url,
ca_crt_pem_list=utils.getCertList(args.cas_ca) ca_crt_pem_list=utils.getCertList(args.cas_ca)
) )
if updateCAFile(ca_url, args.ca): if CaucaseClient.updateCAFile(ca_url, args.ca):
print 'Got new CA' print 'Got new CA'
updated = True updated = True
# Note: CRL expiration should happen several time during CA renewal # Note: CRL expiration should happen several time during CA renewal
...@@ -747,7 +751,7 @@ def updater(argv=None, until=utils.until): ...@@ -747,7 +751,7 @@ def updater(argv=None, until=utils.until):
utils.load_ca_certificate(x) utils.load_ca_certificate(x)
for x in utils.getCertList(args.ca) for x in utils.getCertList(args.ca)
] ]
if updateCRLFile(ca_url, args.crl, ca_crt_list): if CaucaseClient.updateCRLFile(ca_url, args.crl, ca_crt_list):
print 'Got new CRL' print 'Got new CRL'
updated = True updated = True
next_deadline = min( next_deadline = min(
......
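Review bot: Every new call site still spells the class out literally — `CaucaseClient.updateCAFile` / `CaucaseClient.updateCRLFile` appear at six places across the `main` and `updater` hunks — so the class to instantiate is still hard-coded per call, which is what the commit message says the classmethod promotion is meant to stop. Binding it once per entry point, e.g. `client_class = CaucaseClient` at the top of `main` and of `updater` and then `updated |= client_class.updateCAFile(cas_url, args.ca_crt)`, would make the anticipated class swap a one-line change and keep the update calls on the same class as the `CaucaseClient(...)` instance built right after them. The bodies of both `main` and `updater` start and end outside these hunks, so the binding point is not visible here.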
...@@ -35,8 +35,6 @@ __all__ = ( ...@@ -35,8 +35,6 @@ __all__ = (
'CaucaseError', 'CaucaseError',
'CaucaseClient', 'CaucaseClient',
'HTTPSOnlyCaucaseClient', 'HTTPSOnlyCaucaseClient',
'updateCAFile',
'updateCRLFile',
) )
_cryptography_backend = default_backend() _cryptography_backend = default_backend()
...@@ -47,7 +45,15 @@ class CaucaseError(Exception): ...@@ -47,7 +45,15 @@ class CaucaseError(Exception):
""" """
pass pass
def updateCAFile(url, ca_crt_path): class CaucaseClient(object):
"""
Caucase HTTP(S) client.
Expose caucase REST API as pythonic methods.
"""
@classmethod
def updateCAFile(cls, url, ca_crt_path):
""" """
Bootstrap anf maintain a CA file up-to-date. Bootstrap anf maintain a CA file up-to-date.
...@@ -60,9 +66,7 @@ def updateCAFile(url, ca_crt_path): ...@@ -60,9 +66,7 @@ def updateCAFile(url, ca_crt_path):
certificate expired and was discarded). certificate expired and was discarded).
""" """
if not os.path.exists(ca_crt_path): if not os.path.exists(ca_crt_path):
ca_pem = CaucaseClient( ca_pem = cls(ca_url=url).getCACertificate()
ca_url=url,
).getCACertificate()
with open(ca_crt_path, 'w') as ca_crt_file: with open(ca_crt_path, 'w') as ca_crt_file:
ca_crt_file.write(ca_pem) ca_crt_file.write(ca_pem)
updated = True updated = True
...@@ -76,10 +80,7 @@ def updateCAFile(url, ca_crt_path): ...@@ -76,10 +80,7 @@ def updateCAFile(url, ca_crt_path):
if utils.load_ca_certificate(x).not_valid_after > now if utils.load_ca_certificate(x).not_valid_after > now
] ]
ca_pem_list.extend( ca_pem_list.extend(
CaucaseClient( cls(ca_url=url, ca_crt_pem_list=ca_pem_list).getCACertificateChain(),
ca_url=url,
ca_crt_pem_list=ca_pem_list,
).getCACertificateChain(),
) )
if ca_pem_list != loaded_ca_pem_list: if ca_pem_list != loaded_ca_pem_list:
data = ''.join(ca_pem_list) data = ''.join(ca_pem_list)
...@@ -88,7 +89,8 @@ def updateCAFile(url, ca_crt_path): ...@@ -88,7 +89,8 @@ def updateCAFile(url, ca_crt_path):
updated = True updated = True
return updated return updated
def updateCRLFile(url, crl_path, ca_list): @classmethod
def updateCRLFile(cls, url, crl_path, ca_list):
""" """
Bootstrap anf maintain a CRL file up-to-date. Bootstrap anf maintain a CRL file up-to-date.
...@@ -106,9 +108,7 @@ def updateCRLFile(url, crl_path, ca_list): ...@@ -106,9 +108,7 @@ def updateCRLFile(url, crl_path, ca_list):
my_crl = utils.load_crl(open(crl_path).read(), ca_list) my_crl = utils.load_crl(open(crl_path).read(), ca_list)
else: else:
my_crl = None my_crl = None
latest_crl_pem = CaucaseClient( latest_crl_pem = cls(ca_url=url).getCertificateRevocationList()
ca_url=url,
).getCertificateRevocationList()
latest_crl = utils.load_crl(latest_crl_pem, ca_list) latest_crl = utils.load_crl(latest_crl_pem, ca_list)
if my_crl is None or latest_crl.signature != my_crl.signature: if my_crl is None or latest_crl.signature != my_crl.signature:
with open(crl_path, 'w') as crl_file: with open(crl_path, 'w') as crl_file:
...@@ -116,12 +116,6 @@ def updateCRLFile(url, crl_path, ca_list): ...@@ -116,12 +116,6 @@ def updateCRLFile(url, crl_path, ca_list):
return True return True
return False return False
class CaucaseClient(object):
"""
Caucase HTTP(S) client.
Expose caucase REST API as pythonic methods.
"""
def __init__(self, ca_url, ca_crt_pem_list=None, user_key=None): def __init__(self, ca_url, ca_crt_pem_list=None, user_key=None):
# XXX: set timeout to HTTP connections ? # XXX: set timeout to HTTP connections ?
http_url = urlparse(ca_url) http_url = urlparse(ca_url)
......
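Review bot: The promoted classmethods rely on an undocumented constructor contract: `updateCAFile` now calls `cls(ca_url=url)` and `cls(ca_url=url, ca_crt_pem_list=ca_pem_list)`, and `updateCRLFile` calls `cls(ca_url=url)`, so any subclass they are invoked on (`HTTPSOnlyCaucaseClient` is already exported) must keep accepting `ca_url` and `ca_crt_pem_list` as keyword arguments, and the bootstrap branch instantiates it with no CA material at all. I would add to each docstring a line such as `cls is instantiated with ca_url (and ca_crt_pem_list for the chain refresh); subclasses must accept these keyword arguments.` If a subclass refuses to connect without a pinned CA, the missing-file bootstrap path at the top of `updateCAFile` would fail on it — worth confirming before the further class tweaking the message announces. The rendered view drops indentation, so I cannot verify the two `def`s now sit inside `class CaucaseClient`, though the removed trailing class header suggests they do; while editing the docstrings, `anf` should read `and` in both.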