Commit ffaf4491 authored by Alain Takoudjou's avatar Alain Takoudjou

fixup: certificate generation for instance

parent a30ef074
...@@ -1216,7 +1216,7 @@ class SlapTool(BaseTool): ...@@ -1216,7 +1216,7 @@ class SlapTool(BaseTool):
for certificate_id in instance.contentValues( for certificate_id in instance.contentValues(
portal_type='Certificate Access ID', validation_state='validated'): portal_type='Certificate Access ID', validation_state='validated'):
if certificate_id.getValidationState() == 'validated': if certificate_id.getValidationState() == 'validated':
instance.revokeCertificate(certificate_id.getReference()) instance.revokeCertificate(certificate_id)
if instance.getValidationState() == 'validated': if instance.getValidationState() == 'validated':
instance.invalidate() instance.invalidate()
......
...@@ -36,6 +36,7 @@ import sys ...@@ -36,6 +36,7 @@ import sys
import pkg_resources import pkg_resources
import requests import requests
import uuid import uuid
import urllib
from slapos.cli.command import Command, must_be_root from slapos.cli.command import Command, must_be_root
from slapos.certificate import (parse_certificate_from_html, from slapos.certificate import (parse_certificate_from_html,
......
...@@ -39,9 +39,11 @@ import tempfile ...@@ -39,9 +39,11 @@ import tempfile
import time import time
import xmlrpclib import xmlrpclib
import uuid import uuid
import errno
from supervisor import xmlrpc from supervisor import xmlrpc
from slapos.grid.utils import (md5digest, getCleanEnvironment, from slapos.grid.utils import (md5digest, getCleanEnvironment,
SlapPopen, dropPrivileges, updateFile) SlapPopen, dropPrivileges, updateFile)
from slapos.grid import utils # for methods that could be mocked, access them through the module from slapos.grid import utils # for methods that could be mocked, access them through the module
...@@ -54,6 +56,7 @@ from slapos.human import bytes2human ...@@ -54,6 +56,7 @@ from slapos.human import bytes2human
from slapos.certificate import (generateCertificateRequest, from slapos.certificate import (generateCertificateRequest,
generatePrivatekey, generatePrivatekey,
validateCertAndKey) validateCertAndKey)
from OpenSSL import crypto
WATCHDOG_MARK = '-on-watch' WATCHDOG_MARK = '-on-watch'
...@@ -417,18 +420,15 @@ class Partition(object): ...@@ -417,18 +420,15 @@ class Partition(object):
The node generate the private key and send The node generate the private key and send
""" """
try: if os.path.exists(self.cert_file):
cert_fd = os.open(self.cert_file, if not os.stat(self.cert_file).st_size:
os.O_CREAT|os.O_WRONLY|os.O_EXCL|os.O_TRUNC, os.unlink(self.cert_file)
0600) else:
except OSError, e: # the certificate exists, no need to download it
if e.errno != errno.EEXIST: return
raise
# the certificate exists, no need to download it
return
uid, gid = self.getUserGroupId() uid, gid = self.getUserGroupId()
key_string = generatePrivatekey(self.key_file, uid, gid) key_string = generatePrivatekey(self.key_file, uid=uid, gid=gid)
csr_string = generateCertificateRequest(key_string, cn=str(uuid.uuid4())) csr_string = generateCertificateRequest(key_string, cn=str(uuid.uuid4()))
try: try:
partition_certificate = self.computer_partition.getCertificate( partition_certificate = self.computer_partition.getCertificate(
...@@ -437,14 +437,14 @@ class Partition(object): ...@@ -437,14 +437,14 @@ class Partition(object):
raise NotFoundError('Partition %s is not known by SlapOS Master.' % raise NotFoundError('Partition %s is not known by SlapOS Master.' %
self.partition_id) self.partition_id)
os.write(cert_fd, partition_certificate) cert_fd = os.open(self.cert_file, os.O_CREAT|os.O_WRONLY|os.O_TRUNC, 0600)
os.write(cert_fd, partition_certificate['certificate'])
os.close(cert_fd) os.close(cert_fd)
os.chown(self.cert_file, uid, gid) os.chown(self.cert_file, uid, gid)
self.logger.info('Certificate file saved at %r' % self.cert_file)
# Check that certificate and key are OK # Check that certificate and key are OK
try: try:
validateCertAndKey(self.key_file, self.cert_file) validateCertAndKey(self.cert_file, self.key_file)
except crypto.Error: except crypto.Error:
# Invalid Certificate file # Invalid Certificate file
if os.path.exists(self.cert_file): if os.path.exists(self.cert_file):
...@@ -452,7 +452,7 @@ class Partition(object): ...@@ -452,7 +452,7 @@ class Partition(object):
raise raise
# except SSL.Error # except SSL.Error
# Raise when certificate and key didn't match # Raise when certificate and key didn't match
self.logger.info('Certificate file saved at %r' % self.cert_file)
def getUserGroupId(self): def getUserGroupId(self):
"""Returns tuple of (uid, gid) of partition""" """Returns tuple of (uid, gid) of partition"""
...@@ -711,10 +711,6 @@ class Partition(object): ...@@ -711,10 +711,6 @@ class Partition(object):
raise subprocess.CalledProcessError(message, process_handler.output) raise subprocess.CalledProcessError(message, process_handler.output)
# Manually cleans what remains # Manually cleans what remains
try: try:
for f in [self.key_file, self.cert_file]:
if f:
if os.path.exists(f):
os.unlink(f)
# better to manually remove symlinks because rmtree might choke on them # better to manually remove symlinks because rmtree might choke on them
sr_symlink = os.path.join(self.instance_path, 'software_release') sr_symlink = os.path.join(self.instance_path, 'software_release')
...@@ -739,6 +735,10 @@ class Partition(object): ...@@ -739,6 +735,10 @@ class Partition(object):
if os.path.exists(self.supervisord_partition_configuration_path): if os.path.exists(self.supervisord_partition_configuration_path):
os.remove(self.supervisord_partition_configuration_path) os.remove(self.supervisord_partition_configuration_path)
for f in [self.key_file, self.cert_file]:
if f:
if os.path.exists(f):
os.unlink(f)
self.updateSupervisor() self.updateSupervisor()
except IOError as exc: except IOError as exc:
raise IOError("I/O error while freeing partition (%s): %s" % (self.instance_path, exc)) raise IOError("I/O error while freeing partition (%s): %s" % (self.instance_path, exc))
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment