Commit ffaf4491 authored by Alain Takoudjou's avatar Alain Takoudjou

fixup: certificate generation for instance

parent a30ef074
......@@ -1216,7 +1216,7 @@ class SlapTool(BaseTool):
for certificate_id in instance.contentValues(
portal_type='Certificate Access ID', validation_state='validated'):
if certificate_id.getValidationState() == 'validated':
instance.revokeCertificate(certificate_id.getReference())
instance.revokeCertificate(certificate_id)
if instance.getValidationState() == 'validated':
instance.invalidate()
......
......@@ -36,6 +36,7 @@ import sys
import pkg_resources
import requests
import uuid
import urllib
from slapos.cli.command import Command, must_be_root
from slapos.certificate import (parse_certificate_from_html,
......
......@@ -39,9 +39,11 @@ import tempfile
import time
import xmlrpclib
import uuid
import errno
from supervisor import xmlrpc
from slapos.grid.utils import (md5digest, getCleanEnvironment,
SlapPopen, dropPrivileges, updateFile)
from slapos.grid import utils # for methods that could be mocked, access them through the module
......@@ -54,6 +56,7 @@ from slapos.human import bytes2human
from slapos.certificate import (generateCertificateRequest,
generatePrivatekey,
validateCertAndKey)
from OpenSSL import crypto
WATCHDOG_MARK = '-on-watch'
......@@ -417,18 +420,15 @@ class Partition(object):
The node generate the private key and send
"""
try:
cert_fd = os.open(self.cert_file,
os.O_CREAT|os.O_WRONLY|os.O_EXCL|os.O_TRUNC,
0600)
except OSError, e:
if e.errno != errno.EEXIST:
raise
# the certificate exists, no need to download it
return
if os.path.exists(self.cert_file):
if not os.stat(self.cert_file).st_size:
os.unlink(self.cert_file)
else:
# the certificate exists, no need to download it
return
uid, gid = self.getUserGroupId()
key_string = generatePrivatekey(self.key_file, uid, gid)
key_string = generatePrivatekey(self.key_file, uid=uid, gid=gid)
csr_string = generateCertificateRequest(key_string, cn=str(uuid.uuid4()))
try:
partition_certificate = self.computer_partition.getCertificate(
......@@ -437,14 +437,14 @@ class Partition(object):
raise NotFoundError('Partition %s is not known by SlapOS Master.' %
self.partition_id)
os.write(cert_fd, partition_certificate)
cert_fd = os.open(self.cert_file, os.O_CREAT|os.O_WRONLY|os.O_TRUNC, 0600)
os.write(cert_fd, partition_certificate['certificate'])
os.close(cert_fd)
os.chown(self.cert_file, uid, gid)
self.logger.info('Certificate file saved at %r' % self.cert_file)
# Check that certificate and key are OK
try:
validateCertAndKey(self.key_file, self.cert_file)
validateCertAndKey(self.cert_file, self.key_file)
except crypto.Error:
# Invalid Certificate file
if os.path.exists(self.cert_file):
......@@ -452,7 +452,7 @@ class Partition(object):
raise
# except SSL.Error
# Raise when certificate and key didn't match
self.logger.info('Certificate file saved at %r' % self.cert_file)
def getUserGroupId(self):
"""Returns tuple of (uid, gid) of partition"""
......@@ -711,10 +711,6 @@ class Partition(object):
raise subprocess.CalledProcessError(message, process_handler.output)
# Manually cleans what remains
try:
for f in [self.key_file, self.cert_file]:
if f:
if os.path.exists(f):
os.unlink(f)
# better to manually remove symlinks because rmtree might choke on them
sr_symlink = os.path.join(self.instance_path, 'software_release')
......@@ -739,6 +735,10 @@ class Partition(object):
if os.path.exists(self.supervisord_partition_configuration_path):
os.remove(self.supervisord_partition_configuration_path)
for f in [self.key_file, self.cert_file]:
if f:
if os.path.exists(f):
os.unlink(f)
self.updateSupervisor()
except IOError as exc:
raise IOError("I/O error while freeing partition (%s): %s" % (self.instance_path, exc))
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment