
Source Code for Module ganeti.tools.ssl_update

  1  # 
  2  # 
  3   
  4  # Copyright (C) 2015 Google Inc. 
  5  # All rights reserved. 
  6  # 
  7  # Redistribution and use in source and binary forms, with or without 
  8  # modification, are permitted provided that the following conditions are 
  9  # met: 
 10  # 
 11  # 1. Redistributions of source code must retain the above copyright notice, 
 12  # this list of conditions and the following disclaimer. 
 13  # 
 14  # 2. Redistributions in binary form must reproduce the above copyright 
 15  # notice, this list of conditions and the following disclaimer in the 
 16  # documentation and/or other materials provided with the distribution. 
 17  # 
 18  # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS 
 19  # IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 
 20  # TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 
 21  # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR 
 22  # CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 
 23  # EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 
 24  # PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 
 25  # PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 
 26  # LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 
 27  # NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 
 28  # SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
 29   
 30  """Script to recreate and sign the client SSL certificates. 
 31   
 32  """ 
 33   
 34  import os 
 35  import os.path 
 36  import optparse 
 37  import sys 
 38  import logging 
 39   
 40  from ganeti import cli 
 41  from ganeti import constants 
 42  from ganeti import errors 
 43  from ganeti import utils 
 44  from ganeti import ht 
 45  from ganeti import pathutils 
 46  from ganeti.tools import common 
 47   
 48   
# Schema that Main() hands to common.LoadData() for the request read from
# stdin. Every listed key is typed as ht.TNonEmptyString.
# NOTE(review): the two positional flags are presumably ht.TStrictDict's
# require_all=False / exclusive=True (listed keys optional, unlisted keys
# rejected) -- confirm against ganeti.ht before relying on it.
_DATA_CHECK = ht.TStrictDict(
  False,
  True,
  {
    constants.NDS_CLUSTER_NAME: ht.TNonEmptyString,
    constants.NDS_NODE_DAEMON_CERTIFICATE: ht.TNonEmptyString,
    constants.NDS_NODE_NAME: ht.TNonEmptyString,
    constants.NDS_ACTION: ht.TNonEmptyString,
  })
 55   
 56   
class SslSetupError(errors.GenericError):
  """Error type used by this script.

  L{Main} raises it for a missing or unsupported action and also hands it
  to the L{common} helpers as the exception class for them to use.

  """
def ParseOptions():
  """Build the option parser and parse this program's command line.

  Registers the debug, verbose and dry-run options taken from L{cli}.

  @return: whatever L{common.VerifyOptions} returns for the parsed options
      and arguments

  """
  program = os.path.basename(sys.argv[0])
  parser = optparse.OptionParser(usage="%prog [--dry-run]", prog=program)
  for option in (cli.DEBUG_OPT, cli.VERBOSE_OPT, cli.DRY_RUN_OPT):
    parser.add_option(option)

  opts, args = parser.parse_args()
  return common.VerifyOptions(parser, opts, args)
def DeleteClientCertificate():
  """Remove the node daemon's client certificate file if it exists.

  This is necessary for downgrades. A missing file is only logged at debug
  level; any error raised by C{os.remove} propagates to the caller.

  """
  cert_file = pathutils.NODED_CLIENT_CERT_FILE
  # NOTE(review): exists() followed by remove() is not atomic, and exists()
  # is also False for a dangling symlink, which would then be left in place.
  if not os.path.exists(cert_file):
    logging.debug("Trying to delete the client certificate '%s' which did not"
                  " exist.", cert_file)
    return

  os.remove(cert_file)
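def ClearMasterCandidateSsconfList():
  """Clear the ssconf list of master candidate certs.

  This is necessary when deleting the client certificates for a downgrade,
  because otherwise the master cannot distribute the configuration to the
  nodes via RPC during a downgrade anymore.

  A missing ssconf file is not an error; it is only logged at debug level.
  Any error raised by C{os.remove} propagates to the caller.

  """
  ssconf_file = os.path.join(
    pathutils.DATA_DIR,
    "%s%s" % (constants.SSCONF_FILEPREFIX,
              constants.SS_MASTER_CANDIDATES_CERTS))
  # exists() has to be called on the path: the bare function object is
  # always truthy, so os.remove() would raise whenever the file is absent
  # and the debug branch below could never run.
  if os.path.exists(ssconf_file):
    os.remove(ssconf_file)
  else:
    logging.debug("Trying to delete the ssconf file '%s' which does not"
                  " exist.", ssconf_file)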
# pylint: disable=E1103
# This pylint message complains about 'data' as 'bool' not having a get
# member, but obviously the type is wrongly inferred.
def Main():
  """Read a request from stdin, verify it and run the requested action.

  The request is loaded with L{common.LoadData} against L{_DATA_CHECK}.
  The cluster name and the caller's server certificate are verified before
  any certificate is created or deleted. The action is then dispatched:
  create generates the client certificate, delete removes it and clears the
  ssconf list of master candidate certificates.

  @return: L{constants.EXIT_SUCCESS}, or the return code computed by
      L{cli.FormatError} if any exception was raised

  """
  opts = ParseOptions()

  toolname = os.path.splitext(os.path.basename(__file__))[0]
  utils.SetupToolLogging(opts.debug, opts.verbose, toolname=toolname)
  # NOTE(review): --dry-run is accepted by ParseOptions(), but nothing in
  # this function consults it before the create/delete branches -- confirm
  # whether that is intended.

  try:
    data = common.LoadData(sys.stdin.read(), _DATA_CHECK)

    # Both checks must pass before the request is acted upon.
    common.VerifyClusterName(data, SslSetupError, constants.NDS_CLUSTER_NAME)
    # Verifies whether the server certificate of the caller
    # is the same as on this node.
    common.VerifyCertificateStrong(data, SslSetupError)

    action = data.get(constants.NDS_ACTION)
    if not action:
      raise SslSetupError("No Action specified.")

    if action == constants.CRYPTO_ACTION_CREATE:
      common.GenerateClientCertificate(data, SslSetupError)
    elif action == constants.CRYPTO_ACTION_DELETE:
      DeleteClientCertificate()
      ClearMasterCandidateSsconfList()
    else:
      raise SslSetupError("Unsupported action: %s." % action)

  except Exception, err: # pylint: disable=W0703
    # Top-level boundary: every failure becomes a logged message and a
    # non-success return code instead of a traceback.
    logging.debug("Caught unhandled exception", exc_info=True)

    (retcode, message) = cli.FormatError(err)
    logging.error(message)

    return retcode

  return constants.EXIT_SUCCESS