Deprecate,add new system certificate commands
Deprecate the existing system certificate commands and add new commands.

Testcases:
PASS: Bootstrap the system with the changes and verify that the system is installed successfully
PASS: Run update_platform_certificates and verify it is successful
PASS: Verify the following commands no longer work:
  system modify --https_enabled=True
  system modify --https_enabled=False
PASS: Verify the following new ca commands:
  system ca-certificate-install <pemfile>
  system ca-certificate-list
  system ca-certificate-show <UUID>
  system ca-certificate-uninstall <UUID>
PASS: Verify the new openstack commands work:
  system os-certificate-install --mode <server|ca> <pemfile>
  system os-certificate-list
  system os-certificate-show <UUID>
PASS: Verify the following no longer work:
  system certificate-install -m ssl <pemfile>
  system certificate-install -m openstack <pemfile>
  system certificate-install -m openstack_ca <pemfile>
  system certificate-install -m ssl_ca <pemfile>
  system certificate-install -m docker_registry <pemfile>
  system certificate-uninstall -m ssl_ca <UUID>

Story: 2010848
Task: 48474
Change-Id: Ic5d4f3c60b196f5be0602502dcd8a3af50cc8e62
Signed-off-by: amantri <ayyappa.mantri@windriver.com>
parent
7299fa6118
commit
732437f3cd
|
@ -34,58 +34,12 @@ def _print_certificate_show(certificate):
|
||||||
utils.print_tuple_list(data)
|
utils.print_tuple_list(data)
|
||||||
|
|
||||||
|
|
||||||
@utils.arg('certificate_uuid', metavar='<certificate_uuid>',
|
def _install_cert(cc, certificate_file, data):
|
||||||
help="UUID of certificate")
|
|
||||||
def do_certificate_show(cc, args):
|
|
||||||
"""Show Certificate details."""
|
|
||||||
certificate = cc.certificate.get(args.certificate_uuid)
|
|
||||||
if certificate:
|
|
||||||
_print_certificate_show(certificate)
|
|
||||||
else:
|
|
||||||
print("No Certificates installed")
|
|
||||||
|
|
||||||
|
|
||||||
def do_certificate_list(cc, args):
|
|
||||||
"""List certificates."""
|
|
||||||
certificates = cc.certificate.list()
|
|
||||||
fields = ['uuid', 'certtype', 'expiry_date', 'subject']
|
|
||||||
field_labels = fields
|
|
||||||
for certificate in certificates:
|
|
||||||
if certificate.subject and len(certificate.subject) > 20:
|
|
||||||
certificate.subject = certificate.subject[:20] + "..."
|
|
||||||
utils.print_list(certificates, fields, field_labels, sortby=0)
|
|
||||||
|
|
||||||
|
|
||||||
@utils.arg('certificate_file',
|
|
||||||
metavar='<certificate_file>',
|
|
||||||
help='Path to Certificate file (PEM format) to install. '
|
|
||||||
'WARNING: For security reasons, the original certificate_file '
|
|
||||||
'will be removed. Installing an invalid certificate '
|
|
||||||
'could cause service interruption.')
|
|
||||||
@utils.arg('-p', '--passphrase',
|
|
||||||
metavar='<passphrase>',
|
|
||||||
help='The passphrase for the PEM file')
|
|
||||||
@utils.arg('-m', '--mode',
|
|
||||||
metavar='<mode>',
|
|
||||||
help="optional mode: 'docker_registry', "
|
|
||||||
"'openstack', 'openstack_ca', 'ssl_ca'. "
|
|
||||||
"Default is 'ssl'.")
|
|
||||||
def do_certificate_install(cc, args):
|
|
||||||
"""Install certificate."""
|
|
||||||
|
|
||||||
certificate_file = args.certificate_file
|
|
||||||
try:
|
try:
|
||||||
sec_file = open(certificate_file, 'rb')
|
sec_file = open(certificate_file, 'rb')
|
||||||
except Exception:
|
except Exception:
|
||||||
raise exc.CommandError("Error: Could not open file %s." %
|
raise exc.CommandError("Error: Could not open file %s." %
|
||||||
certificate_file)
|
certificate_file)
|
||||||
|
|
||||||
data = {'passphrase': args.passphrase,
|
|
||||||
'mode': args.mode}
|
|
||||||
|
|
||||||
if data['mode'] in ['openldap', 'openldap_ca']:
|
|
||||||
raise exc.CommandError('Warning: Invalid mode: %s' % data['mode'])
|
|
||||||
|
|
||||||
has_private_key = False
|
has_private_key = False
|
||||||
try:
|
try:
|
||||||
with open(certificate_file, 'r') as reader:
|
with open(certificate_file, 'r') as reader:
|
||||||
|
@ -128,18 +82,146 @@ def do_certificate_install(cc, args):
|
||||||
|
|
||||||
|
|
||||||
@utils.arg('certificate_uuid', metavar='<certificate_uuid>',
|
@utils.arg('certificate_uuid', metavar='<certificate_uuid>',
|
||||||
help="UUID of certificate to uninstall")
|
help="UUID of certificate")
|
||||||
|
def do_certificate_show(cc, args):
|
||||||
|
"""Show Certificate details."""
|
||||||
|
certificate = cc.certificate.get(args.certificate_uuid)
|
||||||
|
if certificate:
|
||||||
|
_print_certificate_show(certificate)
|
||||||
|
else:
|
||||||
|
print("No Certificates installed")
|
||||||
|
|
||||||
|
|
||||||
|
def do_certificate_list(cc, args):
|
||||||
|
"""List certificates."""
|
||||||
|
certificates = cc.certificate.list()
|
||||||
|
fields = ['uuid', 'certtype', 'expiry_date', 'subject']
|
||||||
|
field_labels = fields
|
||||||
|
for certificate in certificates:
|
||||||
|
if certificate.subject and len(certificate.subject) > 20:
|
||||||
|
certificate.subject = certificate.subject[:20] + "..."
|
||||||
|
utils.print_list(certificates, fields, field_labels, sortby=0)
|
||||||
|
|
||||||
|
|
||||||
|
@utils.arg('certificate_file',
|
||||||
|
metavar='<certificate_file>',
|
||||||
|
help='Path to Certificate file (PEM format) to install. '
|
||||||
|
'WARNING: For security reasons, the original certificate_file '
|
||||||
|
'will be removed. Installing an invalid certificate '
|
||||||
|
'could cause service interruption.')
|
||||||
|
@utils.arg('-p', '--passphrase',
|
||||||
|
metavar='<passphrase>',
|
||||||
|
help='The passphrase for the PEM file')
|
||||||
@utils.arg('-m', '--mode',
|
@utils.arg('-m', '--mode',
|
||||||
metavar='<mode>',
|
metavar='<mode>',
|
||||||
help="Supported mode: 'ssl_ca'.")
|
help="optional mode: 'server', 'ca'. ")
|
||||||
def do_certificate_uninstall(cc, args):
|
def do_os_certificate_install(cc, args):
|
||||||
"""Uninstall certificate."""
|
"""Install certificate."""
|
||||||
|
certificate_file = args.certificate_file
|
||||||
|
|
||||||
supported_modes = ['ssl_ca']
|
data = {'passphrase': args.passphrase,
|
||||||
if args.mode not in supported_modes:
|
'mode': args.mode}
|
||||||
msg = ("Unsupported mode: {}\nPlease use certificate-install"
|
|
||||||
" instead to update the existing certificate").format(args.mode)
|
if not data['mode']:
|
||||||
|
raise exc.CommandError('Warning: Need to specify a valid mode: server or ca')
|
||||||
|
|
||||||
|
if data['mode'] == 'server':
|
||||||
|
data['mode'] = 'openstack'
|
||||||
|
elif data['mode'] == 'ca':
|
||||||
|
data['mode'] = 'openstack_ca'
|
||||||
|
else:
|
||||||
|
raise exc.CommandError('Warning: Invalid mode: %s' % data['mode'])
|
||||||
|
|
||||||
|
_install_cert(cc, certificate_file, data)
|
||||||
|
|
||||||
|
|
||||||
|
def do_os_certificate_list(cc, args):
|
||||||
|
"""List openstack certificates."""
|
||||||
|
os_cert_types = ['openstack', 'openstack_ca']
|
||||||
|
certificates = []
|
||||||
|
for certificate in cc.certificate.list():
|
||||||
|
if certificate.certtype in os_cert_types:
|
||||||
|
if certificate.certtype == "openstack":
|
||||||
|
certificate.certtype = "server"
|
||||||
|
elif certificate.certtype == "openstack_ca":
|
||||||
|
certificate.certtype = "ca"
|
||||||
|
certificates.append(certificate)
|
||||||
|
|
||||||
|
fields = ['uuid', 'certtype', 'expiry_date', 'subject']
|
||||||
|
field_labels = fields
|
||||||
|
for certificate in certificates:
|
||||||
|
if certificate.subject and len(certificate.subject) > 20:
|
||||||
|
certificate.subject = certificate.subject[:20] + "..."
|
||||||
|
utils.print_list(certificates, fields, field_labels, sortby=0)
|
||||||
|
|
||||||
|
|
||||||
|
@utils.arg('certificate_uuid', metavar='<certificate_uuid>',
|
||||||
|
help="UUID of certificate")
|
||||||
|
def do_os_certificate_show(cc, args):
|
||||||
|
"""Show Openstack Certificate details."""
|
||||||
|
certificate = cc.certificate.get(args.certificate_uuid)
|
||||||
|
if certificate.certtype in ['openstack', 'openstack_ca']:
|
||||||
|
if certificate.certtype == "openstack":
|
||||||
|
certificate.certtype = "server"
|
||||||
|
elif certificate.certtype == "openstack_ca":
|
||||||
|
certificate.certtype = "ca"
|
||||||
|
_print_certificate_show(certificate)
|
||||||
|
else:
|
||||||
|
print('No certificate of type "openstack" is installed '
|
||||||
|
'with this uuid: %s' % (args.certificate_uuid))
|
||||||
|
|
||||||
|
|
||||||
|
@utils.arg('certificate_file',
|
||||||
|
metavar='<certificate_file>',
|
||||||
|
help='Path to Certificate file (PEM format) to install. '
|
||||||
|
'WARNING: For security reasons, the original certificate_file '
|
||||||
|
'will be removed. Installing an invalid certificate '
|
||||||
|
'could cause service interruption.')
|
||||||
|
@utils.arg('-p', '--passphrase',
|
||||||
|
metavar='<passphrase>',
|
||||||
|
help='The passphrase for the PEM file')
|
||||||
|
def do_ca_certificate_install(cc, args):
|
||||||
|
"""Install certificate."""
|
||||||
|
certificate_file = args.certificate_file
|
||||||
|
|
||||||
|
data = {'passphrase': args.passphrase,
|
||||||
|
'mode': 'ssl_ca'}
|
||||||
|
|
||||||
|
_install_cert(cc, certificate_file, data)
|
||||||
|
|
||||||
|
|
||||||
|
@utils.arg('certificate_uuid', metavar='<certificate_uuid>',
|
||||||
|
help="UUID of certificate to uninstall")
|
||||||
|
def do_ca_certificate_uninstall(cc, args):
|
||||||
|
"""Uninstall ca certificate."""
|
||||||
|
certificate = cc.certificate.get(args.certificate_uuid)
|
||||||
|
if certificate.certtype == 'ssl_ca':
|
||||||
|
cc.certificate.certificate_uninstall(args.certificate_uuid)
|
||||||
|
print('Uninstalled certificate: %s' % (args.certificate_uuid))
|
||||||
|
else:
|
||||||
|
msg = "Only ssl_ca type certs can be uninstalled using this command"
|
||||||
raise exc.CommandError(msg)
|
raise exc.CommandError(msg)
|
||||||
|
|
||||||
cc.certificate.certificate_uninstall(args.certificate_uuid)
|
|
||||||
print('Uninstalled certificate: %s' % (args.certificate_uuid))
|
def do_ca_certificate_list(cc, args):
|
||||||
|
"""List certificates."""
|
||||||
|
certificates = [certificate for certificate in cc.certificate.list()
|
||||||
|
if certificate.certtype == 'ssl_ca']
|
||||||
|
fields = ['uuid', 'expiry_date', 'subject']
|
||||||
|
field_labels = fields
|
||||||
|
for certificate in certificates:
|
||||||
|
if certificate.subject and len(certificate.subject) > 20:
|
||||||
|
certificate.subject = certificate.subject[:20] + "..."
|
||||||
|
utils.print_list(certificates, fields, field_labels, sortby=0)
|
||||||
|
|
||||||
|
|
||||||
|
@utils.arg('certificate_uuid', metavar='<certificate_uuid>',
|
||||||
|
help="UUID of certificate")
|
||||||
|
def do_ca_certificate_show(cc, args):
|
||||||
|
"""Show Certificate details."""
|
||||||
|
certificate = cc.certificate.get(args.certificate_uuid)
|
||||||
|
if certificate.certtype == 'ssl_ca':
|
||||||
|
_print_certificate_show(certificate)
|
||||||
|
else:
|
||||||
|
print('No certificate of type "ssl_ca" is installed with '
|
||||||
|
'this uuid: %s' % (args.certificate_uuid))
|
||||||
|
|
|
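Review bot: `do_os_certificate_show`, `do_ca_certificate_show` and `do_ca_certificate_uninstall` read `certificate.certtype` immediately after `cc.certificate.get(args.certificate_uuid)`, whereas the deleted `do_certificate_show` guarded that result with `if certificate:` before touching it, so an unknown UUID now surfaces as an AttributeError rather than a message. I would add a guard right after each `get` call, e.g. `if not certificate: raise exc.CommandError('Certificate not found: %s' % args.certificate_uuid)`, which matters most in the uninstall path. The not-found text in `do_os_certificate_show` also names only "openstack" although the command covers both `openstack` and `openstack_ca`; `'No openstack server or ca certificate is installed with this uuid: %s'` would be accurate. The `_install_cert` body continues past the first hunk, so whether the `sec_file` handle opened in `'rb'` mode is closed cannot be judged from here.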
@ -82,10 +82,6 @@ def do_show(cc, args):
|
||||||
@utils.arg('-lo', '--longitude',
|
@utils.arg('-lo', '--longitude',
|
||||||
metavar='<longitude>',
|
metavar='<longitude>',
|
||||||
help='The longitude GEO location coordinate of the system')
|
help='The longitude GEO location coordinate of the system')
|
||||||
@utils.arg('-p', '--https_enabled',
|
|
||||||
metavar='<https_enabled>',
|
|
||||||
choices=['true', 'false', 'True', 'False'],
|
|
||||||
help='The HTTPS enabled or disabled flag')
|
|
||||||
@utils.arg('-v', '--vswitch_type',
|
@utils.arg('-v', '--vswitch_type',
|
||||||
metavar='<vswitch_type>',
|
metavar='<vswitch_type>',
|
||||||
help='The vswitch type for the system')
|
help='The vswitch type for the system')
|
||||||
|
@ -138,7 +134,7 @@ def do_modify(cc, args):
|
||||||
|
|
||||||
field_list = ['name', 'system_mode', 'description', 'location', 'latitude',
|
field_list = ['name', 'system_mode', 'description', 'location', 'latitude',
|
||||||
'longitude', 'contact', 'timezone', 'sdn_enabled',
|
'longitude', 'contact', 'timezone', 'sdn_enabled',
|
||||||
'https_enabled', 'vswitch_type', 'security_feature']
|
'vswitch_type', 'security_feature']
|
||||||
|
|
||||||
# use field list as filter
|
# use field list as filter
|
||||||
user_fields = dict((k, v) for (k, v) in vars(args).items()
|
user_fields = dict((k, v) for (k, v) in vars(args).items()
|
||||||
|
@ -146,34 +142,12 @@ def do_modify(cc, args):
|
||||||
configured_fields = isystem.__dict__
|
configured_fields = isystem.__dict__
|
||||||
configured_fields.update(user_fields)
|
configured_fields.update(user_fields)
|
||||||
|
|
||||||
print_https_warning = False
|
|
||||||
|
|
||||||
patch = []
|
patch = []
|
||||||
for (k, v) in user_fields.items():
|
for (k, v) in user_fields.items():
|
||||||
patch.append({'op': 'replace', 'path': '/' + k, 'value': v})
|
patch.append({'op': 'replace', 'path': '/' + k, 'value': v})
|
||||||
|
|
||||||
if k == "https_enabled" and v == "true":
|
|
||||||
print_https_warning = True
|
|
||||||
|
|
||||||
# If there is an existing ssl or tpm certificate in system, it will
|
|
||||||
# be used instead of installing the default self signed certificate.
|
|
||||||
if print_https_warning:
|
|
||||||
certificates = cc.certificate.list()
|
|
||||||
for certificate in certificates:
|
|
||||||
if certificate.certtype == 'ssl':
|
|
||||||
warning = ("Existing certificate %s is used for https."
|
|
||||||
% certificate.uuid)
|
|
||||||
break
|
|
||||||
else:
|
|
||||||
warning = "HTTPS enabled with a self-signed certificate.\nThis " \
|
|
||||||
"should be changed to a CA-signed certificate with " \
|
|
||||||
"'system certificate-install'. "
|
|
||||||
|
|
||||||
try:
|
try:
|
||||||
isystem = cc.isystem.update(isystem.uuid, patch)
|
isystem = cc.isystem.update(isystem.uuid, patch)
|
||||||
except exc.HTTPNotFound:
|
except exc.HTTPNotFound:
|
||||||
raise exc.CommandError('system not found: %s' % isystem.uuid)
|
raise exc.CommandError('system not found: %s' % isystem.uuid)
|
||||||
_print_isystem_show(isystem)
|
_print_isystem_show(isystem)
|
||||||
|
|
||||||
if print_https_warning:
|
|
||||||
print(warning)
|
|
||||||
|
|
|
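Review bot: Dropping `https_enabled` from `field_list` and removing the `--https_enabled` argument only stops this client from emitting a `/https_enabled` replace patch; nothing in this change shows the sysinv API refusing such a patch, so if the intent is that HTTPS can no longer be switched off, that rejection presumably has to exist (or be verified) server-side, since a REST caller can still build the patch by hand. The removed warning was also the only place this CLI told operators to replace a self-signed certificate with a CA-signed one; a one-line note such as `# HTTPS enablement is no longer configurable here; the platform certificate is managed via the certificate commands` near `field_list` would preserve that guidance. `do_modify` starts before these hunks, so its docstring is not visible for the same note.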
@ -969,7 +969,7 @@ class DockerRegistryCredentialNotFound(NotFound):
|
||||||
|
|
||||||
class DockerRegistrySSLException(SysinvException):
|
class DockerRegistrySSLException(SysinvException):
|
||||||
message = _("Registry certificate signed by an unknown CA. "
|
message = _("Registry certificate signed by an unknown CA. "
|
||||||
"Install a trusted CA with 'system certificate-install -m ssl_ca'")
|
"Install a trusted CA with 'system ca-certificate-install'")
|
||||||
|
|
||||||
|
|
||||||
class DockerRegistryAPIException(SysinvException):
|
class DockerRegistryAPIException(SysinvException):
|
||||||
|
|