diff options
| author | Kenny Woodson <kwoodson@redhat.com> | 2017-02-21 20:15:28 -0500 |
|---|---|---|
| committer | Kenny Woodson <kwoodson@redhat.com> | 2017-02-21 20:15:28 -0500 |
| commit | 3effaa96c8e843a5820b98cf9c2dab608481c259 (patch) | |
| tree | 4e3bd99fbb72b15ce2e6066bac1fc60815e9e032 /roles/lib_openshift/library/oc_adm_ca_server_cert.py | |
| parent | 8200377dbb3d0e6aa2b35ea369cceb03976b508b (diff) | |
| download | openshift-3effaa96c8e843a5820b98cf9c2dab608481c259.tar.gz openshift-3effaa96c8e843a5820b98cf9c2dab608481c259.tar.bz2 openshift-3effaa96c8e843a5820b98cf9c2dab608481c259.tar.xz openshift-3effaa96c8e843a5820b98cf9c2dab608481c259.zip | |
Added backup feature. Fixed a bug with reading the certificate and verifying names. Added force option.
Diffstat (limited to 'roles/lib_openshift/library/oc_adm_ca_server_cert.py')
| -rw-r--r-- | roles/lib_openshift/library/oc_adm_ca_server_cert.py | 44 |
1 files changed, 32 insertions, 12 deletions
diff --git a/roles/lib_openshift/library/oc_adm_ca_server_cert.py b/roles/lib_openshift/library/oc_adm_ca_server_cert.py index 9c57435e7..8872cda3a 100644 --- a/roles/lib_openshift/library/oc_adm_ca_server_cert.py +++ b/roles/lib_openshift/library/oc_adm_ca_server_cert.py @@ -34,6 +34,8 @@ from __future__ import print_function import atexit import copy +# pylint: disable=unused-import +import time import json import os import re @@ -94,9 +96,9 @@ options: required: false default: None aliases: [] - overwrite: + force: description: - - Overwrite existing cert files if found. If false, any existing file will be left as-is. + - Force updating of the existing cert and key files required: false default: False aliases: [] @@ -1355,12 +1357,15 @@ class CAServerCert(OpenShiftCLI): # Added this here as a safegaurd for stomping on the # cert and key files if they exist if self.config.config_options['backup']['value']: + ext = time.strftime("%Y-%m-%d@%H:%M:%S", time.localtime(time.time())) + date_str = "%s_" + "%s" % ext + if os.path.exists(self.config.config_options['key']['value']): shutil.copy(self.config.config_options['key']['value'], - "%s.orig" % self.config.config_options['key']['value']) + date_str % self.config.config_options['key']['value']) if os.path.exists(self.config.config_options['cert']['value']): shutil.copy(self.config.config_options['cert']['value'], - "%s.orig" % self.config.config_options['cert']['value']) + date_str % self.config.config_options['cert']['value']) options = self.config.to_option_list() @@ -1378,13 +1383,28 @@ class CAServerCert(OpenShiftCLI): # Would prefer pyopenssl but is not installed. # When we verify it is, switch this code - proc = subprocess.Popen(['openssl', 'x509', '-noout', '-subject', '-in', cert_path], + # Here is the code to get the subject and the SAN + # openssl x509 -text -noout -certopt \ + # no_header,no_version,no_serial,no_signame,no_validity,no_issuer,no_pubkey,no_sigdump,no_aux \ + # -in /etc/origin/master/registry.crt + # Instead of this solution we will use a regex. + cert_names = [] + hostnames = self.config.config_options['hostnames']['value'].split(',') + proc = subprocess.Popen(['openssl', 'x509', '-noout', '-text', '-in', cert_path], stdout=subprocess.PIPE, stderr=subprocess.PIPE) - stdout, _ = proc.communicate() + + x509output, _ = proc.communicate() if proc.returncode == 0: - for var in self.config.config_options['hostnames']['value'].split(','): - if var in stdout: - return True + regex = re.compile(r"^\s*X509v3 Subject Alternative Name:\s*?\n\s*(.*)\s*\n", re.MULTILINE) + match = regex.search(x509output) # E501 + for entry in re.split(r", *", match.group(1)): + if entry.startswith('DNS') or entry.startswith('IP Address'): + cert_names.append(entry.split(':')[1]) + # now that we have cert names let's compare + cert_set = set(cert_names) + hname_set = set(hostnames) + if cert_set.issubset(hname_set) and hname_set.issubset(cert_set): + return True return False @@ -1396,7 +1416,7 @@ class CAServerCert(OpenShiftCLI): params['debug'], {'cert': {'value': params['cert'], 'include': True}, 'hostnames': {'value': ','.join(params['hostnames']), 'include': True}, - 'overwrite': {'value': params['overwrite'], 'include': True}, + 'overwrite': {'value': True, 'include': True}, 'key': {'value': params['key'], 'include': True}, 'signer_cert': {'value': params['signer_cert'], 'include': True}, 'signer_key': {'value': params['signer_key'], 'include': True}, @@ -1412,7 +1432,7 @@ class CAServerCert(OpenShiftCLI): ######## # Create ######## - if not server_cert.exists() or params['overwrite']: + if not server_cert.exists() or params['force']: if check_mode: return {'changed': True, @@ -1455,7 +1475,7 @@ def main(): signer_key=dict(default='/etc/origin/master/ca.key', type='str'), signer_serial=dict(default='/etc/origin/master/ca.serial.txt', type='str'), hostnames=dict(default=[], type='list'), - overwrite=dict(default=False, type='bool'), + force=dict(default=False, type='bool'), ), supports_check_mode=True, ) |