Source Code for Module ganeti.tools.ssl_update

  1  # 
  2  # 
  3   
  4  # Copyright (C) 2015 Google Inc. 
  5  # All rights reserved. 
  6  # 
  7  # Redistribution and use in source and binary forms, with or without 
  8  # modification, are permitted provided that the following conditions are 
  9  # met: 
 10  # 
 11  # 1. Redistributions of source code must retain the above copyright notice, 
 12  # this list of conditions and the following disclaimer. 
 13  # 
 14  # 2. Redistributions in binary form must reproduce the above copyright 
 15  # notice, this list of conditions and the following disclaimer in the 
 16  # documentation and/or other materials provided with the distribution. 
 17  # 
 18  # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS 
 19  # IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 
 20  # TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 
 21  # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR 
 22  # CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 
 23  # EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 
 24  # PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 
 25  # PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 
 26  # LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 
 27  # NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 
 28  # SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
 29   
 30  """Script to recreate and sign the client SSL certificates. 
 31   
 32  """ 
 33   
 34  import os 
 35  import os.path 
 36  import optparse 
 37  import sys 
 38  import logging 
 39   
 40  from ganeti import cli 
 41  from ganeti import constants 
 42  from ganeti import errors 
 43  from ganeti import utils 
 44  from ganeti import ht 
 45  from ganeti import pathutils 
 46  from ganeti.tools import common 
 47   
 48   
 49  _DATA_CHECK = ht.TStrictDict(False, True, { 
 50    constants.NDS_CLUSTER_NAME: ht.TNonEmptyString, 
 51    constants.NDS_NODE_DAEMON_CERTIFICATE: ht.TNonEmptyString, 
 52    constants.NDS_NODE_NAME: ht.TNonEmptyString, 
 53    constants.NDS_ACTION: ht.TNonEmptyString, 
 54    }) 
 55   
 56   
 57 -class SslSetupError(errors.GenericError): 
 58    """Local class for reporting errors. 
 59   
 60    """ 
 61   
 62   
 63 -def ParseOptions(): 
 64    """Parses the options passed to the program. 
 65   
 66    @return: Options and arguments 
 67   
 68    """ 
 69    parser = optparse.OptionParser(usage="%prog [--dry-run]", 
 70                                   prog=os.path.basename(sys.argv[0])) 
 71    parser.add_option(cli.DEBUG_OPT) 
 72    parser.add_option(cli.VERBOSE_OPT) 
 73    parser.add_option(cli.DRY_RUN_OPT) 
 74   
 75    (opts, args) = parser.parse_args() 
 76   
 77    return common.VerifyOptions(parser, opts, args) 
 78   
 79   
 80 -def DeleteClientCertificate(): 
 81    """Deleting the client certificate. This is necessary for downgrades.""" 
 82    if os.path.exists(pathutils.NODED_CLIENT_CERT_FILE): 
 83      os.remove(pathutils.NODED_CLIENT_CERT_FILE) 
 84    else: 
 85      logging.debug("Trying to delete the client certificate '%s' which did not" 
 86                    " exist.", pathutils.NODED_CLIENT_CERT_FILE) 
 87   
 88   
 89 -def ClearMasterCandidateSsconfList(): 
 90    """Clear the ssconf list of master candidate certs. 
 91   
 92    This is necessary when deleting the client certificates for a downgrade, 
 93    because otherwise the master cannot distribute the configuration to the 
 94    nodes via RPC during a downgrade anymore. 
 95   
 96    """ 
 97    ssconf_file = os.path.join( 
 98      pathutils.DATA_DIR, 
 99      "%s%s" % (constants.SSCONF_FILEPREFIX, 
100                constants.SS_MASTER_CANDIDATES_CERTS)) 
101    if os.path.exists: 
102      os.remove(ssconf_file) 
103    else: 
104      logging.debug("Trying to delete the ssconf file '%s' which does not" 
105                    " exist.", ssconf_file) 
106   
107   
108  # pylint: disable=E1103 
109  # This pyling message complains about 'data' as 'bool' not having a get 
110  # member, but obviously the type is wrongly inferred. 
111 -def Main(): 
112    """Main routine. 
113   
114    """ 
115    opts = ParseOptions() 
116   
117    utils.SetupToolLogging(opts.debug, opts.verbose) 
118   
119    try: 
120      data = common.LoadData(sys.stdin.read(), _DATA_CHECK) 
121   
122      common.VerifyClusterName(data, SslSetupError, constants.NDS_CLUSTER_NAME) 
123   
124      # Verifies whether the server certificate of the caller 
125      # is the same as on this node. 
126      common.VerifyCertificateStrong(data, SslSetupError) 
127   
128      action = data.get(constants.NDS_ACTION) 
129      if not action: 
130        raise SslSetupError("No Action specified.") 
131   
132      if action == constants.CRYPTO_ACTION_CREATE: 
133        common.GenerateClientCertificate(data, SslSetupError) 
134      elif action == constants.CRYPTO_ACTION_DELETE: 
135        DeleteClientCertificate() 
136        ClearMasterCandidateSsconfList() 
137      else: 
138        raise SslSetupError("Unsupported action: %s." % action) 
139   
140    except Exception, err: # pylint: disable=W0703 
141      logging.debug("Caught unhandled exception", exc_info=True) 
142   
143      (retcode, message) = cli.FormatError(err) 
144      logging.error(message) 
145   
146      return retcode 
147    else: 
148      return constants.EXIT_SUCCESS 
149