Auto-install system-local-ca RCA as trusted
TBD. Change-Id: I5a9cd1ad4063e24d8f5b976e922cc980aba2f612 Signed-off-by: Marcelo Loebens <Marcelo.DeCastroLoebens@windriver.com>
parent
cd5f286b14
commit
051ccab49d
|
@ -709,6 +709,23 @@ def list_platform_certificates(token):
|
|||
return rest_api_request(token, "GET", api_cmd)
|
||||
|
||||
|
||||
def uninstall_ca_certificate(token, uuid, cert_type):
|
||||
"""Uninstall Trusted CA certificate using the sysinv API
|
||||
:param token: the token to access the sysinv API
|
||||
:param uuid: the installed certificate uuid
|
||||
:param cert_type: the type of the certificate. Currently only 'ssl_ca' is supported
|
||||
"""
|
||||
LOG.info('Uninstalling certificate %s.' % uuid)
|
||||
if cert_type != constants.CERT_MODE_SSL_CA:
|
||||
LOG.error('Cannot uninstall CA certificate of type %s.' % cert_type)
|
||||
return
|
||||
|
||||
sysinv_url = token.get_service_internal_url(constants.SERVICE_TYPE_PLATFORM,
|
||||
constants.SYSINV_USERNAME)
|
||||
api_cmd = sysinv_url + '/certificate/' + uuid
|
||||
rest_api_request(token, "DELETE", api_cmd)
|
||||
|
||||
|
||||
def update_platform_cert(token, cert_type, pem_file_path, force=False):
|
||||
"""Update a platform certificate using the sysinv API
|
||||
:param token: the token to access the sysinv API
|
||||
|
|
|
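Review bot: `uninstall_ca_certificate` discards the result of `rest_api_request(token, "DELETE", api_cmd)` and returns `None` both when the type check fails and when the DELETE completes, so a caller that removes a duplicate-subject CA before installing its replacement cannot tell whether the removal actually happened. Returning the response, `return rest_api_request(token, "DELETE", api_cmd)`, matches `list_platform_certificates` just above, and the unsupported-type branch would be clearer raising `ValueError('Cannot uninstall CA certificate of type %s.' % cert_type)` than logging and returning silently, since the install that follows is then expected to fail on the duplicate subject anyway. If `rest_api_request` raises on HTTP errors this may already be adequate for the success path; that is not visible from this hunk.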
@ -706,6 +706,77 @@ class RootCARenew(CertificateRenew):
|
|||
raise Exception('Some secrets were not recreated successfully')
|
||||
|
||||
|
||||
class TrustedCARenew(CertificateRenew):
|
||||
"""Handles a renew event for a certificate that must be installed as a trusted platform cert.
|
||||
"""
|
||||
|
||||
def __init__(self, context, secret_name):
|
||||
super(TrustedCARenew, self).__init__(context)
|
||||
self.secret_name = secret_name
|
||||
LOG.info('%s init with secretname: %s' % (self.__class__.__name__, self.secret_name))
|
||||
|
||||
def check_filter(self, event_data):
|
||||
LOG.debug('%s: Received event_data %s' % (self.secret_name, event_data))
|
||||
if self.secret_name == event_data.secret_name:
|
||||
LOG.info('%s check_filter[%s], proceed on event_data: %s'
|
||||
% (self.__class__.__name__, self.secret_name, event_data))
|
||||
return self.certificate_is_ready(event_data)
|
||||
else:
|
||||
return False
|
||||
|
||||
def install_ca_certificate(self, event_data, cert_type, force=False, uninstall_subject_dup=False):
|
||||
"""Install CA certificate stored in a secret
|
||||
|
||||
Save the CA certificate from the secret into a PEM file and send it to the
|
||||
platform to be installed. If force=True, the platform semantic checks will be
|
||||
skipped.
|
||||
|
||||
:param event_data: the event_data that triggered this renew
|
||||
:param cert_type: the type of the certificate that is being updated
|
||||
:param force: whether to bypass semantic checks and force the update,
|
||||
defaults to False
|
||||
:param uninstall_subject_dup: whether to remove a existing cert with same subject.
|
||||
Installation will not succeed if another certificates with same subject is
|
||||
already installed as trusted and this flag is not enabled. Defauls to False.
|
||||
"""
|
||||
token = self.context.get_token()
|
||||
try:
|
||||
cert_to_be_installed = x509.load_pem_x509_certificate(event_data.ca_crt.encode(),
|
||||
default_backend())
|
||||
installed_certificates = utils.list_platform_certificates(token)
|
||||
|
||||
for certificate in installed_certificates['certificates']:
|
||||
if certificate['type'] != cert_type:
|
||||
continue
|
||||
|
||||
if str(cert_to_be_installed.serial_number) in certificate['signature']:
|
||||
LOG.info('Certificate %s is already installed. Skipping installation.' %
|
||||
certificate['signature'])
|
||||
return
|
||||
|
||||
if cert_to_be_installed.subject == certificate['subject']:
|
||||
LOG.warning("A different certificate with same subject as %s is \
|
||||
alredy installed as trusted." % certificate['signature'])
|
||||
if uninstall_subject_dup:
|
||||
LOG.warning("Uninstalling certificate %s, subject: %s" %
|
||||
(certificate['signature'], certificate['subject']))
|
||||
utils.uninstall_ca_certificate(token, certificate['uuid'], cert_type)
|
||||
else:
|
||||
msg = ("The CA certificate of %s cannot be installed as trusted. \
|
||||
The already installed certificate %s (uuid: %s) has the same \
|
||||
subject (%s), which is not allowed." %
|
||||
(self.secret_name, certificate['signature'],
|
||||
certificate['uuid'], certificate['subject']))
|
||||
raise Exception(msg)
|
||||
|
||||
pem_file_path = utils.update_pemfile(event_data.ca_crt, "")
|
||||
utils.update_platform_cert(token, cert_type, pem_file_path, force)
|
||||
|
||||
except Exception as e:
|
||||
LOG.error("Error when updating certificates: %s" % e)
|
||||
raise
|
||||
|
||||
|
||||
class PlatformCertRenew(CertificateRenew):
|
||||
"""Handles a renew event for a certificate that must be installed as a platform cert.
|
||||
"""
|
||||
|
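Review bot: The duplicate-subject branch in `install_ca_certificate` can never run as written: `cert_to_be_installed.subject` is a cryptography `x509.Name`, and comparing it with `==` to the string in `certificate['subject']` is always `False`, so `uninstall_subject_dup` is dead code and installation proceeds only to fail at the platform with the duplicate-subject error the docstring describes. Compare string to string, e.g. `if cert_to_be_installed.subject.rfc4514_string() == certificate['subject']:`, after confirming that sysinv reports the subject in the same RFC 4514 form (the API's format is not visible in this hunk). Related, the already-installed test `str(cert_to_be_installed.serial_number) in certificate['signature']` is a substring match, so a short serial can match inside another certificate's signature string and silently skip installing the renewed CA; match the complete serial token rather than a substring. Also, the backslash-continued literals at `alredy installed` and `cannot be installed as trusted` embed the next line's leading indentation in the logged message; use implicit concatenation of adjacent string literals and fix the typos `alredy` and `Defauls`.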
@ -757,6 +828,18 @@ class PlatformCertRenew(CertificateRenew):
|
|||
raise
|
||||
|
||||
|
||||
class SystemLocalCARenew(TrustedCARenew):
|
||||
def __init__(self, context):
|
||||
super(SystemLocalCARenew, self).__init__(context, constants.LOCAL_CA_SECRET_NAME)
|
||||
|
||||
def update_certificate(self, event_data):
|
||||
LOG.info('SystemLocalCARenew: Secret changes detected. Initiating CA certificate install')
|
||||
self.install_ca_certificate(event_data,
|
||||
constants.CERT_MODE_SSL_CA,
|
||||
force=True,
|
||||
uninstall_subject_dup=True)
|
||||
|
||||
|
||||
class RestApiCertRenew(PlatformCertRenew):
|
||||
def __init__(self, context):
|
||||
super(RestApiCertRenew, self).__init__(context, constants.RESTAPI_CERT_SECRET_NAME)
|
||||
|
|
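Review bot: `SystemLocalCARenew` and its `update_certificate` carry no docstring explaining why the install runs with `force=True` and `uninstall_subject_dup=True`; together these skip the platform's semantic checks and remove any already-trusted CA sharing the subject, so every change to the `LOCAL_CA_SECRET_NAME` secret unconditionally replaces a trusted platform CA. A class docstring such as `"""Install the system-local CA (LOCAL_CA_SECRET_NAME secret) as a trusted ssl_ca platform cert; a renewed CA keeps its subject, so the previous copy is uninstalled first and semantic checks are forced."""` would record that intent for the next maintainer. Whether the semantic checks would otherwise reject a rotated CA is inferred from the flags rather than visible here.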