nixos/taskserver/helper: Assert CA existence

We want to make sure that the helper tool won't work if the automatic CA
wasn't properly set up. This not only avoids race conditions if the tool
is started before the actual service is running but it also fails if
something during CA setup has failed so the user can investigate what
went wrong.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This commit is contained in:
aszlig 2016-04-12 04:57:03 +02:00
parent 2ced6fcc75
commit 5062bf1b84
No known key found for this signature in database
GPG Key ID: D0EBD0EC8C2DC961

View File

@ -24,6 +24,10 @@ TASKD_USER = "@user@"
TASKD_GROUP = "@group@"
FQDN = "@fqdn@"
CA_KEY = os.path.join(TASKD_DATA_DIR, "keys", "ca.key")
CA_CERT = os.path.join(TASKD_DATA_DIR, "keys", "ca.cert")
CRL_FILE = os.path.join(TASKD_DATA_DIR, "keys", "server.crl")
RE_CONFIGUSER = re.compile(r'^\s*user\s*=(.*)$')
RE_USERKEY = re.compile(r'New user key: (.+)$', re.MULTILINE)
@ -151,8 +155,6 @@ def generate_key(org, user):
privkey = os.path.join(basedir, "private.key")
pubcert = os.path.join(basedir, "public.cert")
cakey = os.path.join(TASKD_DATA_DIR, "keys", "ca.key")
cacert = os.path.join(TASKD_DATA_DIR, "keys", "ca.cert")
try:
os.makedirs(basedir, mode=0700)
@ -172,8 +174,8 @@ def generate_key(org, user):
certtool_cmd(
"-c",
"--load-privkey", privkey,
"--load-ca-privkey", cakey,
"--load-ca-certificate", cacert,
"--load-ca-privkey", CA_KEY,
"--load-ca-certificate", CA_CERT,
"--template", template,
"--outfile", pubcert
)
@ -183,10 +185,6 @@ def generate_key(org, user):
def revoke_key(org, user):
cakey = os.path.join(TASKD_DATA_DIR, "keys", "ca.key")
cacert = os.path.join(TASKD_DATA_DIR, "keys", "ca.cert")
crl = os.path.join(TASKD_DATA_DIR, "keys", "server.crl")
basedir = os.path.join(TASKD_DATA_DIR, "keys", org, user)
if not os.path.exists(basedir):
raise OSError("Keyfile directory for {} doesn't exist.".format(user))
@ -197,16 +195,16 @@ def revoke_key(org, user):
with create_template([expiration]) as template:
oldcrl = NamedTemporaryFile(mode="wb", prefix="old-crl")
oldcrl.write(open(crl, "rb").read())
oldcrl.write(open(CRL_FILE, "rb").read())
oldcrl.flush()
certtool_cmd(
"--generate-crl",
"--load-crl", oldcrl.name,
"--load-ca-privkey", cakey,
"--load-ca-certificate", cacert,
"--load-ca-privkey", CA_KEY,
"--load-ca-certificate", CA_CERT,
"--load-certificate", pubcert,
"--template", template,
"--outfile", crl
"--outfile", CRL_FILE
)
oldcrl.close()
rmtree(basedir)
@ -432,11 +430,15 @@ ORGANISATION = OrganisationType()
@click.group()
def cli():
@click.pass_context
def cli(ctx):
"""
Manage Taskserver users and certificates
"""
pass
for path in (CA_KEY, CA_CERT, CRL_FILE):
if not os.path.exists(path):
msg = "CA setup not done or incomplete, missing file {}."
ctx.fail(msg.format(path))
@cli.command("list-users")