Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
slapos
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
isaak yansane-sisk
slapos
Commits
ef936b2a
Commit
ef936b2a
authored
Apr 09, 2015
by
Alain Takoudjou
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
re6st recipe: Add script to revoke certificate when instance is destroyed
parent
f45fa313
Changes
3
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
73 additions
and
13 deletions
+73
-13
slapos/recipe/re6stnet/__init__.py
slapos/recipe/re6stnet/__init__.py
+20
-3
slapos/recipe/re6stnet/re6stnet.py
slapos/recipe/re6stnet/re6stnet.py
+49
-9
slapos/test/recipe/test_re6stnet.py
slapos/test/recipe/test_re6stnet.py
+4
-1
No files found.
slapos/recipe/re6stnet/__init__.py
View file @
ef936b2a
...
@@ -96,7 +96,7 @@ class Recipe(GenericBaseRecipe):
...
@@ -96,7 +96,7 @@ class Recipe(GenericBaseRecipe):
if
not
reference
in
token_dict
:
if
not
reference
in
token_dict
:
# we generate new token
# we generate new token
number
=
reference
.
split
(
'-'
)[
1
]
number
=
reference
.
split
(
'-'
)[
1
]
new_token
=
number
+
''
.
join
(
random
.
sample
(
string
.
ascii_lowercase
,
15
))
new_token
=
number
+
''
.
join
(
random
.
sample
(
string
.
ascii_lowercase
,
20
))
token_dict
[
reference
]
=
new_token
token_dict
[
reference
]
=
new_token
to_add_dict
[
reference
]
=
new_token
to_add_dict
[
reference
]
=
new_token
...
@@ -127,6 +127,17 @@ class Recipe(GenericBaseRecipe):
...
@@ -127,6 +127,17 @@ class Recipe(GenericBaseRecipe):
return
content
return
content
return
''
return
''
def
genHash
(
self
,
length
):
hash_path
=
os
.
path
.
join
(
self
.
options
[
'conf-dir'
],
'%s-hash'
%
length
)
if
not
os
.
path
.
exists
(
hash_path
):
pool
=
string
.
letters
+
string
.
digits
hash_string
=
''
.
join
(
random
.
choice
(
pool
)
for
i
in
xrange
(
length
))
self
.
writeFile
(
hash_path
,
hash_string
)
else
:
hash_string
=
self
.
readFile
(
hash_path
)
return
hash_string
def
install
(
self
):
def
install
(
self
):
path_list
=
[]
path_list
=
[]
token_save_path
=
os
.
path
.
join
(
self
.
options
[
'conf-dir'
],
'token.json'
)
token_save_path
=
os
.
path
.
join
(
self
.
options
[
'conf-dir'
],
'token.json'
)
...
@@ -156,7 +167,7 @@ class Recipe(GenericBaseRecipe):
...
@@ -156,7 +167,7 @@ class Recipe(GenericBaseRecipe):
path
=
os
.
path
.
join
(
token_list_path
,
'%s.remove'
%
reference
)
path
=
os
.
path
.
join
(
token_list_path
,
'%s.remove'
%
reference
)
if
not
os
.
path
.
exists
(
path
):
if
not
os
.
path
.
exists
(
path
):
self
.
createFile
(
path
,
rm_token_dict
[
reference
])
self
.
createFile
(
path
,
rm_token_dict
[
reference
])
# remove request add
file
if exists
# remove request add
token
if exists
add_path
=
os
.
path
.
join
(
token_list_path
,
'%s.add'
%
reference
)
add_path
=
os
.
path
.
join
(
token_list_path
,
'%s.add'
%
reference
)
if
os
.
path
.
exists
(
add_path
):
if
os
.
path
.
exists
(
add_path
):
os
.
unlink
(
add_path
)
os
.
unlink
(
add_path
)
...
@@ -191,6 +202,12 @@ class Recipe(GenericBaseRecipe):
...
@@ -191,6 +202,12 @@ class Recipe(GenericBaseRecipe):
)
)
path_list
.
append
(
request_check
)
path_list
.
append
(
request_check
)
revoke_check
=
self
.
createPythonScript
(
self
.
options
[
'revoke-service-wrapper'
].
strip
(),
'%s.re6stnet.requestRevoqueCertificate'
%
__name__
,
service_dict
)
path_list
.
append
(
revoke_check
)
# Send connection parameters of slave instances
# Send connection parameters of slave instances
if
token_dict
:
if
token_dict
:
self
.
slap
.
initializeConnection
(
self
.
server_url
,
self
.
key_file
,
self
.
slap
.
initializeConnection
(
self
.
server_url
,
self
.
key_file
,
...
@@ -211,7 +228,7 @@ class Recipe(GenericBaseRecipe):
...
@@ -211,7 +228,7 @@ class Recipe(GenericBaseRecipe):
computer_partition
.
setConnectionDict
(
computer_partition
.
setConnectionDict
(
{
'token'
:
token
,
'1_info'
:
msg
},
{
'token'
:
token
,
'1_info'
:
msg
},
slave_reference
)
slave_reference
)
except
:
except
Exception
:
self
.
logger
.
fatal
(
"Error while sending slave %s informations: %s"
,
self
.
logger
.
fatal
(
"Error while sending slave %s informations: %s"
,
slave_reference
,
traceback
.
format_exc
())
slave_reference
,
traceback
.
format_exc
())
...
...
slapos/recipe/re6stnet/re6stnet.py
View file @
ef936b2a
...
@@ -5,8 +5,10 @@ import os
...
@@ -5,8 +5,10 @@ import os
import
time
import
time
import
sqlite3
import
sqlite3
import
slapos
import
slapos
import
traceback
from
re6st
import
registry
from
re6st
import
registry
,
x509
from
OpenSSL
import
crypto
log
=
logging
.
getLogger
(
'SLAPOS-RE6STNET'
)
log
=
logging
.
getLogger
(
'SLAPOS-RE6STNET'
)
logging
.
basicConfig
(
level
=
logging
.
DEBUG
)
logging
.
basicConfig
(
level
=
logging
.
DEBUG
)
...
@@ -50,6 +52,7 @@ def bang(args):
...
@@ -50,6 +52,7 @@ def bang(args):
partition
.
bang
(
message
=
'Published parameters changed!'
)
partition
.
bang
(
message
=
'Published parameters changed!'
)
log
.
info
(
"Bang with message 'parameters changed'..."
)
log
.
info
(
"Bang with message 'parameters changed'..."
)
def
requestAddToken
(
args
,
can_bang
=
True
):
def
requestAddToken
(
args
,
can_bang
=
True
):
time
.
sleep
(
3
)
time
.
sleep
(
3
)
...
@@ -69,12 +72,13 @@ def requestAddToken(args, can_bang=True):
...
@@ -69,12 +72,13 @@ def requestAddToken(args, can_bang=True):
token
=
readFile
(
request_file
)
token
=
readFile
(
request_file
)
if
token
:
if
token
:
reference
=
reference_key
.
split
(
'.'
)[
0
]
reference
=
reference_key
.
split
(
'.'
)[
0
]
# email is unique as reference is also unique
email
=
'%s@slapos'
%
reference
.
lower
()
email
=
'%s@slapos'
%
reference
.
lower
()
try
:
try
:
result
=
client
.
requestAddToken
(
token
,
email
)
result
=
client
.
requestAddToken
(
token
,
email
)
except
Exception
,
e
:
except
Exception
:
log
.
debug
(
'Request add token fail for %s...
\
n
%s'
%
(
request_file
,
log
.
debug
(
'Request add token fail for %s...
\
n
%s'
%
(
request_file
,
str
(
e
)))
traceback
.
format_exc
(
)))
continue
continue
if
result
and
result
==
token
:
if
result
and
result
==
token
:
# update information
# update information
...
@@ -97,7 +101,7 @@ def requestRemoveToken(args):
...
@@ -97,7 +101,7 @@ def requestRemoveToken(args):
if
not
path_list
:
if
not
path_list
:
log
.
info
(
"No token to delete. Exiting..."
)
log
.
info
(
"No token to delete. Exiting..."
)
return
return
client
=
registry
.
RegistryClient
(
args
[
'registry_url'
])
client
=
registry
.
RegistryClient
(
args
[
'registry_url'
])
for
reference_key
in
path_list
:
for
reference_key
in
path_list
:
request_file
=
os
.
path
.
join
(
base_token_path
,
reference_key
)
request_file
=
os
.
path
.
join
(
base_token_path
,
reference_key
)
...
@@ -106,23 +110,58 @@ def requestRemoveToken(args):
...
@@ -106,23 +110,58 @@ def requestRemoveToken(args):
reference
=
reference_key
.
split
(
'.'
)[
0
]
reference
=
reference_key
.
split
(
'.'
)[
0
]
try
:
try
:
result
=
client
.
requestDeleteToken
(
token
)
result
=
client
.
requestDeleteToken
(
token
)
except
Exception
,
e
:
except
Exception
:
log
.
debug
(
'Request delete token fail for %s...
\
n
%s'
%
(
request_file
,
log
.
debug
(
'Request delete token fail for %s...
\
n
%s'
%
(
request_file
,
str
(
e
)))
traceback
.
format_exc
(
)))
continue
continue
else
:
# certificate is invalidated, it will be revoked
writeFile
(
os
.
path
.
join
(
base_token_path
,
'%s.revoke'
%
reference
),
''
)
if
result
==
'True'
:
if
result
==
'True'
:
# update information
# update information
log
.
info
(
"Token deleted for slave instance %s. Clean up file status..."
%
log
.
info
(
"Token deleted for slave instance %s. Clean up file status..."
%
reference
)
reference
)
if
result
in
[
'True'
,
'False'
]:
os
.
unlink
(
request_file
)
os
.
unlink
(
request_file
)
status_file
=
os
.
path
.
join
(
base_token_path
,
'%s.status'
%
reference
)
status_file
=
os
.
path
.
join
(
base_token_path
,
'%s.status'
%
reference
)
if
os
.
path
.
exists
(
status_file
):
if
os
.
path
.
exists
(
status_file
):
os
.
unlink
(
status_file
)
os
.
unlink
(
status_file
)
else
:
log
.
debug
(
'Request delete token fail for %s...'
%
request_file
)
else
:
else
:
log
.
debug
(
'Bad token. Request add token fail for %s...'
%
request_file
)
log
.
debug
(
'Bad token. Request add token fail for %s...'
%
request_file
)
def
requestRevoqueCertificate
(
args
):
base_token_path
=
args
[
'token_base_path'
]
db
=
getDb
(
args
[
'db'
])
path_list
=
[
x
for
x
in
os
.
listdir
(
base_token_path
)
if
x
.
endswith
(
'.revoke'
)]
client
=
registry
.
RegistryClient
(
args
[
'registry_url'
])
for
reference_key
in
path_list
:
reference
=
reference_key
.
split
(
'.'
)[
0
]
# XXX - email is always unique
email
=
'%s@slapos'
%
reference
.
lower
()
cert_string
=
''
try
:
cert_string
,
=
db
.
execute
(
"SELECT cert FROM cert WHERE email = ?"
,
(
email
,)).
next
()
except
StopIteration
:
# Certificate was not generated yet !!!
pass
try
:
if
cert_string
:
cert
=
crypto
.
load_certificate
(
crypto
.
FILETYPE_PEM
,
cert_string
)
cn
=
x509
.
subnetFromCert
(
cert
)
result
=
client
.
revoke
(
str
(
cn
))
time
.
sleep
(
2
)
except
Exception
:
log
.
debug
(
'Request revoke certificate fail for %s...
\
n
%s'
%
(
reference
,
traceback
.
format_exc
()))
continue
else
:
os
.
unlink
(
os
.
path
.
join
(
base_token_path
,
reference_key
))
log
.
info
(
"Certificate revoked for slave instance %s."
%
reference
)
def
checkService
(
args
,
can_bang
=
True
):
def
checkService
(
args
,
can_bang
=
True
):
base_token_path
=
args
[
'token_base_path'
]
base_token_path
=
args
[
'token_base_path'
]
token_dict
=
loadJsonFile
(
args
[
'token_json'
])
token_dict
=
loadJsonFile
(
args
[
'token_json'
])
...
@@ -164,7 +203,7 @@ def checkService(args, can_bang=True):
...
@@ -164,7 +203,7 @@ def checkService(args, can_bang=True):
time
.
sleep
(
1
)
time
.
sleep
(
1
)
writeFile
(
status_file
,
'TOKEN_USED'
)
writeFile
(
status_file
,
'TOKEN_USED'
)
log
.
info
(
"Token status of %s updated to 'used'."
%
slave_reference
)
log
.
info
(
"Token status of %s updated to 'used'."
%
slave_reference
)
except
IOError
,
e
:
except
IOError
:
# XXX- this file should always exists
# XXX- this file should always exists
log
.
debug
(
'Error when writing in file %s. Clould not update status of %s...'
%
log
.
debug
(
'Error when writing in file %s. Clould not update status of %s...'
%
(
status_file
,
slave_reference
))
(
status_file
,
slave_reference
))
...
@@ -181,3 +220,4 @@ def manage(args):
...
@@ -181,3 +220,4 @@ def manage(args):
# check status of all token
# check status of all token
checkService
(
args
)
checkService
(
args
)
slapos/test/recipe/test_re6stnet.py
View file @
ef936b2a
...
@@ -36,6 +36,7 @@ class Re6stnetTest(unittest.TestCase):
...
@@ -36,6 +36,7 @@ class Re6stnetTest(unittest.TestCase):
'manager-wrapper'
:
os
.
path
.
join
(
self
.
base_dir
,
'manager_wrapper'
),
'manager-wrapper'
:
os
.
path
.
join
(
self
.
base_dir
,
'manager_wrapper'
),
'drop-service-wrapper'
:
os
.
path
.
join
(
self
.
base_dir
,
'drop_wrapper'
),
'drop-service-wrapper'
:
os
.
path
.
join
(
self
.
base_dir
,
'drop_wrapper'
),
'check-service-wrapper'
:
os
.
path
.
join
(
self
.
base_dir
,
'check_wrapper'
),
'check-service-wrapper'
:
os
.
path
.
join
(
self
.
base_dir
,
'check_wrapper'
),
'revoke-service-wrapper'
:
os
.
path
.
join
(
self
.
base_dir
,
'revoke_wrapper'
),
'slave-instance-list'
:
'{}'
'slave-instance-list'
:
'{}'
}
}
...
@@ -96,7 +97,7 @@ class Re6stnetTest(unittest.TestCase):
...
@@ -96,7 +97,7 @@ class Re6stnetTest(unittest.TestCase):
with
open
(
path
,
'r'
)
as
f
:
with
open
(
path
,
'r'
)
as
f
:
content
=
f
.
read
()
content
=
f
.
read
()
self
.
assertIn
(
"@%s"
%
config_file
,
content
)
self
.
assertIn
(
"@%s"
%
config_file
,
content
)
def
test_generateCertificates
(
self
):
def
test_generateCertificates
(
self
):
self
.
options
[
'ipv6-prefix'
]
=
'2001:db8:24::/48'
self
.
options
[
'ipv6-prefix'
]
=
'2001:db8:24::/48'
...
@@ -175,6 +176,7 @@ class Re6stnetTest(unittest.TestCase):
...
@@ -175,6 +176,7 @@ class Re6stnetTest(unittest.TestCase):
self
.
checkWrapper
(
os
.
path
.
join
(
self
.
base_dir
,
'manager_wrapper'
))
self
.
checkWrapper
(
os
.
path
.
join
(
self
.
base_dir
,
'manager_wrapper'
))
self
.
checkWrapper
(
os
.
path
.
join
(
self
.
base_dir
,
'drop_wrapper'
))
self
.
checkWrapper
(
os
.
path
.
join
(
self
.
base_dir
,
'drop_wrapper'
))
self
.
checkWrapper
(
os
.
path
.
join
(
self
.
base_dir
,
'check_wrapper'
))
self
.
checkWrapper
(
os
.
path
.
join
(
self
.
base_dir
,
'check_wrapper'
))
self
.
checkWrapper
(
os
.
path
.
join
(
self
.
base_dir
,
'revoke_wrapper'
))
self
.
checkRegistryWrapper
()
self
.
checkRegistryWrapper
()
# Remove one element
# Remove one element
...
@@ -218,5 +220,6 @@ class Re6stnetTest(unittest.TestCase):
...
@@ -218,5 +220,6 @@ class Re6stnetTest(unittest.TestCase):
self
.
checkWrapper
(
os
.
path
.
join
(
self
.
base_dir
,
'manager_wrapper'
))
self
.
checkWrapper
(
os
.
path
.
join
(
self
.
base_dir
,
'manager_wrapper'
))
self
.
checkWrapper
(
os
.
path
.
join
(
self
.
base_dir
,
'drop_wrapper'
))
self
.
checkWrapper
(
os
.
path
.
join
(
self
.
base_dir
,
'drop_wrapper'
))
self
.
checkWrapper
(
os
.
path
.
join
(
self
.
base_dir
,
'check_wrapper'
))
self
.
checkWrapper
(
os
.
path
.
join
(
self
.
base_dir
,
'check_wrapper'
))
self
.
checkWrapper
(
os
.
path
.
join
(
self
.
base_dir
,
'revoke_wrapper'
))
self
.
checkRegistryWrapper
()
self
.
checkRegistryWrapper
()
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment