caddy-frontend: Assert nothing is to sign on caucase

9ff5eccf · Łukasz Nowak · 615bfd3e · 9ff5eccf · 9ff5eccf · 9ff5eccf
Commit 9ff5eccf authored Feb 23, 2022 by Łukasz Nowak
22 changed files
--- a/software/caddy-frontend/buildout.hash.cfg
+++ b/software/caddy-frontend/buildout.hash.cfg
@@ -26,7 +26,7 @@ md5sum = 334d0613557849cdbdea769510ba0cca
 [profile-caddy-replicate]
 filename = instance-apache-replicate.cfg.in
-md5sum = bd784414ab53978820a50242f125b8fd
+md5sum = c028f1c5947494e7f25cf8266a3ecd2d
 [profile-slave-list]
 _update_hash_filename_ = templates/apache-custom-slave-list.cfg.in
@@ -94,11 +94,11 @@ md5sum = 8c150e1e6c993708d31936742f3a7302
 [caddyprofiledeps-setup]
 filename = setup.py
-md5sum = edc8cfd96d331f79648014b6a0e8d184
+md5sum = 6aad2b4c271294f524214192ee197c15
 [caddyprofiledeps-dummy]
 filename = caddyprofiledummy.py
-md5sum = 119380238fd72436fbe54ac72af65491
+md5sum = b41b8de115ad815d0b0db306ad650365
 [profile-kedifa]
 filename = instance-kedifa.cfg.in

--- a/software/caddy-frontend/caddyprofiledummy.py
+++ b/software/caddy-frontend/caddyprofiledummy.py
@@ -112,3 +112,12 @@ def smart_sign():
    _mark_done(done_file)
  else:
    print('Failed to sign %s' % (csr_url,))
+def caucase_csr_sign_check():
+  ca_url, ca_crt, user_key = sys.argv[1:]
+  if len(_get_caucase_csr_list(ca_url, ca_crt, user_key)) != 0:
+    print('ERR There are CSR to sign on %s' % (ca_url,))
+    sys.exit(1)
+  else:
+    print('OK No CSR to sign on %s' % (ca_url,))
--- a/software/caddy-frontend/instance-apache-replicate.cfg.in
+++ b/software/caddy-frontend/instance-apache-replicate.cfg.in
@@ -577,6 +577,20 @@ command =
     mode='user',
 )}}
+[aikc-sign-promise-wrapper]
+recipe = slapos.cookbook:wrapper
+command-line = {{ software_parameter_dict['caucase_csr_sign_check'] }}
+  ${aikc-config:caucase-url}
+  ${aikc-config:ca-certificate}
+  ${aikc-config:key}
+wrapper-path = ${directory:bin}/aikc-caucase-csr-sign-check
+{% do part_list.append('aikc-sign-promise') %}
+[aikc-sign-promise]
+<= monitor-promise-base
+promise = check_command_execute
+name = ${:_buildout_section_name_}.py
+config-command = ${aikc-sign-promise-wrapper:wrapper-path}
 {% for csr in frontend_list + ['kedifa'] %}
 [aikc-{{ csr }}-wrapper]
@@ -690,6 +704,21 @@ command =
     mode='user',
 )}}
+[aibcc-sign-promise-wrapper]
+recipe = slapos.cookbook:wrapper
+command-line = {{ software_parameter_dict['caucase_csr_sign_check'] }}
+  ${aibcc-config:caucase-url}
+  ${aibcc-config:ca-certificate}
+  ${aibcc-config:key}
+wrapper-path = ${directory:bin}/aibcc-caucase-csr-sign-check
+{% do part_list.append('aibcc-sign-promise') %}
+[aibcc-sign-promise]
+<= monitor-promise-base
+promise = check_command_execute
+name = ${:_buildout_section_name_}.py
+config-command = ${aibcc-sign-promise-wrapper:wrapper-path}
 {% for csr in frontend_list %}
 [aibcc-{{ csr }}-wrapper]
 recipe = slapos.cookbook:wrapper

--- a/software/caddy-frontend/setup.py
+++ b/software/caddy-frontend/setup.py
@@ -16,7 +16,8 @@ setup(
      'default = caddyprofiledummy:Recipe',
    ],
    'console_scripts': [
-      'smart-caucase-signer = caddyprofiledummy:smart_sign'
+      'smart-caucase-signer = caddyprofiledummy:smart_sign',
+      'caucase-csr-sign-check = caddyprofiledummy:caucase_csr_sign_check'
    ]
  }
 )
--- a/software/caddy-frontend/software.cfg
+++ b/software/caddy-frontend/software.cfg
@@ -124,6 +124,7 @@ kedifa-csr = ${:bin_directory}/kedifa-csr
 xz_location = ${xz-utils:location}
 htpasswd = ${:bin_directory}/htpasswd
 smart_caucase_signer = ${:bin_directory}/smart-caucase-signer
+caucase_csr_sign_check = ${:bin_directory}/caucase-csr-sign-check
 [template]
 recipe = slapos.recipe.template:jinja2

--- a/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultDefaultSlave.test_file_list_plugin-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultDefaultSlave.test_file_list_plugin-CADDY.txt
 T-0/etc/plugin/__init__.py
+T-0/etc/plugin/aibcc-sign-promise.py
 T-0/etc/plugin/aibcc-user-caucase-updater.py
+T-0/etc/plugin/aikc-sign-promise.py
 T-0/etc/plugin/aikc-user-caucase-updater.py
 T-0/etc/plugin/buildout-T-0-status.py
 T-0/etc/plugin/caucased-backend-client.py

--- a/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultDefaultSlaveGlobalDisableHttp2.test_file_list_plugin-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultDefaultSlaveGlobalDisableHttp2.test_file_list_plugin-CADDY.txt
 T-0/etc/plugin/__init__.py
+T-0/etc/plugin/aibcc-sign-promise.py
 T-0/etc/plugin/aibcc-user-caucase-updater.py
+T-0/etc/plugin/aikc-sign-promise.py
 T-0/etc/plugin/aikc-user-caucase-updater.py
 T-0/etc/plugin/buildout-T-0-status.py
 T-0/etc/plugin/caucased-backend-client.py

--- a/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultFalseSlave.test_file_list_plugin-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultFalseSlave.test_file_list_plugin-CADDY.txt
 T-0/etc/plugin/__init__.py
+T-0/etc/plugin/aibcc-sign-promise.py
 T-0/etc/plugin/aibcc-user-caucase-updater.py
+T-0/etc/plugin/aikc-sign-promise.py
 T-0/etc/plugin/aikc-user-caucase-updater.py
 T-0/etc/plugin/buildout-T-0-status.py
 T-0/etc/plugin/caucased-backend-client.py

--- a/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultFalseSlaveGlobalDisableHttp2.test_file_list_plugin-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestEnableHttp2ByDefaultFalseSlaveGlobalDisableHttp2.test_file_list_plugin-CADDY.txt
 T-0/etc/plugin/__init__.py
+T-0/etc/plugin/aibcc-sign-promise.py
 T-0/etc/plugin/aibcc-user-caucase-updater.py
+T-0/etc/plugin/aikc-sign-promise.py
 T-0/etc/plugin/aikc-user-caucase-updater.py
 T-0/etc/plugin/buildout-T-0-status.py
 T-0/etc/plugin/caucased-backend-client.py

--- a/software/caddy-frontend/test/test_data/test.TestMasterRequest.test_file_list_plugin-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestMasterRequest.test_file_list_plugin-CADDY.txt
 T-0/etc/plugin/__init__.py
+T-0/etc/plugin/aibcc-sign-promise.py
 T-0/etc/plugin/aibcc-user-caucase-updater.py
+T-0/etc/plugin/aikc-sign-promise.py
 T-0/etc/plugin/aikc-user-caucase-updater.py
 T-0/etc/plugin/buildout-T-0-status.py
 T-0/etc/plugin/caucased-backend-client.py

--- a/software/caddy-frontend/test/test_data/test.TestMasterRequestDomain.test_file_list_plugin-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestMasterRequestDomain.test_file_list_plugin-CADDY.txt
 T-0/etc/plugin/__init__.py
+T-0/etc/plugin/aibcc-sign-promise.py
 T-0/etc/plugin/aibcc-user-caucase-updater.py
+T-0/etc/plugin/aikc-sign-promise.py
 T-0/etc/plugin/aikc-user-caucase-updater.py
 T-0/etc/plugin/buildout-T-0-status.py
 T-0/etc/plugin/caucased-backend-client.py

--- a/software/caddy-frontend/test/test_data/test.TestRe6stVerificationUrlDefaultSlave.test_file_list_plugin-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestRe6stVerificationUrlDefaultSlave.test_file_list_plugin-CADDY.txt
 T-0/etc/plugin/__init__.py
+T-0/etc/plugin/aibcc-sign-promise.py
 T-0/etc/plugin/aibcc-user-caucase-updater.py
+T-0/etc/plugin/aikc-sign-promise.py
 T-0/etc/plugin/aikc-user-caucase-updater.py
 T-0/etc/plugin/buildout-T-0-status.py
 T-0/etc/plugin/caucased-backend-client.py

--- a/software/caddy-frontend/test/test_data/test.TestRe6stVerificationUrlSlave.test_file_list_plugin-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestRe6stVerificationUrlSlave.test_file_list_plugin-CADDY.txt
 T-0/etc/plugin/__init__.py
+T-0/etc/plugin/aibcc-sign-promise.py
 T-0/etc/plugin/aibcc-user-caucase-updater.py
+T-0/etc/plugin/aikc-sign-promise.py
 T-0/etc/plugin/aikc-user-caucase-updater.py
 T-0/etc/plugin/buildout-T-0-status.py
 T-0/etc/plugin/caucased-backend-client.py

--- a/software/caddy-frontend/test/test_data/test.TestReplicateSlave.test_file_list_plugin-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestReplicateSlave.test_file_list_plugin-CADDY.txt
 T-0/etc/plugin/__init__.py
+T-0/etc/plugin/aibcc-sign-promise.py
 T-0/etc/plugin/aibcc-user-caucase-updater.py
+T-0/etc/plugin/aikc-sign-promise.py
 T-0/etc/plugin/aikc-user-caucase-updater.py
 T-0/etc/plugin/buildout-T-0-status.py
 T-0/etc/plugin/caucased-backend-client.py

--- a/software/caddy-frontend/test/test_data/test.TestSlave.test_file_list_plugin-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlave.test_file_list_plugin-CADDY.txt
 T-0/etc/plugin/__init__.py
+T-0/etc/plugin/aibcc-sign-promise.py
 T-0/etc/plugin/aibcc-user-caucase-updater.py
+T-0/etc/plugin/aikc-sign-promise.py
 T-0/etc/plugin/aikc-user-caucase-updater.py
 T-0/etc/plugin/buildout-T-0-status.py
 T-0/etc/plugin/caucased-backend-client.py

--- a/software/caddy-frontend/test/test_data/test.TestSlaveCiphers.test_file_list_plugin-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlaveCiphers.test_file_list_plugin-CADDY.txt
 T-0/etc/plugin/__init__.py
+T-0/etc/plugin/aibcc-sign-promise.py
 T-0/etc/plugin/aibcc-user-caucase-updater.py
+T-0/etc/plugin/aikc-sign-promise.py
 T-0/etc/plugin/aikc-user-caucase-updater.py
 T-0/etc/plugin/buildout-T-0-status.py
 T-0/etc/plugin/caucased-backend-client.py

--- a/software/caddy-frontend/test/test_data/test.TestSlaveGlobalDisableHttp2.test_file_list_plugin-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlaveGlobalDisableHttp2.test_file_list_plugin-CADDY.txt
 T-0/etc/plugin/__init__.py
+T-0/etc/plugin/aibcc-sign-promise.py
 T-0/etc/plugin/aibcc-user-caucase-updater.py
+T-0/etc/plugin/aikc-sign-promise.py
 T-0/etc/plugin/aikc-user-caucase-updater.py
 T-0/etc/plugin/buildout-T-0-status.py
 T-0/etc/plugin/caucased-backend-client.py

--- a/software/caddy-frontend/test/test_data/test.TestSlaveHealthCheck.test_file_list_plugin-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlaveHealthCheck.test_file_list_plugin-CADDY.txt
 T-0/etc/plugin/__init__.py
+T-0/etc/plugin/aibcc-sign-promise.py
 T-0/etc/plugin/aibcc-user-caucase-updater.py
+T-0/etc/plugin/aikc-sign-promise.py
 T-0/etc/plugin/aikc-user-caucase-updater.py
 T-0/etc/plugin/buildout-T-0-status.py
 T-0/etc/plugin/caucased-backend-client.py

--- a/software/caddy-frontend/test/test_data/test.TestSlaveHostHaproxyClash.test_file_list_plugin-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlaveHostHaproxyClash.test_file_list_plugin-CADDY.txt
 T-0/etc/plugin/__init__.py
+T-0/etc/plugin/aibcc-sign-promise.py
 T-0/etc/plugin/aibcc-user-caucase-updater.py
+T-0/etc/plugin/aikc-sign-promise.py
 T-0/etc/plugin/aikc-user-caucase-updater.py
 T-0/etc/plugin/buildout-T-0-status.py
 T-0/etc/plugin/caucased-backend-client.py

--- a/software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibility.test_file_list_plugin-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibility.test_file_list_plugin-CADDY.txt
 T-0/etc/plugin/__init__.py
+T-0/etc/plugin/aibcc-sign-promise.py
 T-0/etc/plugin/aibcc-user-caucase-updater.py
+T-0/etc/plugin/aikc-sign-promise.py
 T-0/etc/plugin/aikc-user-caucase-updater.py
 T-0/etc/plugin/buildout-T-0-status.py
 T-0/etc/plugin/caucased-backend-client.py

--- a/software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibilityOverrideMaster.test_file_list_plugin-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibilityOverrideMaster.test_file_list_plugin-CADDY.txt
 T-0/etc/plugin/__init__.py
+T-0/etc/plugin/aibcc-sign-promise.py
 T-0/etc/plugin/aibcc-user-caucase-updater.py
+T-0/etc/plugin/aikc-sign-promise.py
 T-0/etc/plugin/aikc-user-caucase-updater.py
 T-0/etc/plugin/buildout-T-0-status.py
 T-0/etc/plugin/caucased-backend-client.py

--- a/software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibilityUpdate.test_file_list_plugin-CADDY.txt
+++ b/software/caddy-frontend/test/test_data/test.TestSlaveSlapOSMasterCertificateCompatibilityUpdate.test_file_list_plugin-CADDY.txt
 T-0/etc/plugin/__init__.py
+T-0/etc/plugin/aibcc-sign-promise.py
 T-0/etc/plugin/aibcc-user-caucase-updater.py
+T-0/etc/plugin/aikc-sign-promise.py
 T-0/etc/plugin/aikc-user-caucase-updater.py
 T-0/etc/plugin/buildout-T-0-status.py
 T-0/etc/plugin/caucased-backend-client.py