Certificates needs to be chanined and bundled

in the order (certfile, keyfile and cacert). 1. Chaining in the certificate in correct order 2. Making certfile/keyfile optional Closes-Bug: 1639426 Closes-Bug: 1630513 Getting certs as argument to the VncApi class and creating unique certbundle for request to different api-servers. Closes-Bug: 1644713 Closes-Bug: 1644707 Change-Id: Ib5e66bfdd27795bd090c3b3b49207241cbc5f0ae (cherry picked from commit df192ce) (cherry picked from commit d49aec8)
Juniper · Dec 14, 2016 · 18a920d · 18a920d
1 parent adbb119
commit 18a920d
Show file tree

Hide file tree

Showing 4 changed files with 60 additions and 45 deletions.
diff --git a/src/api-lib/vnc_api.py b/src/api-lib/vnc_api.py
@@ -109,8 +109,8 @@ class VncApi(object):
     # ssl termination on port 8082(default contrail-api port)
     _DEFAULT_API_SERVER_CONNECT="http"
     _DEFAULT_API_SERVER_SSL_CONNECT="https"
-    _DEFAULT_KS_CERT_BUNDLE="/tmp/keystonecertbundle.pem"
-    _DEFAULT_API_CERT_BUNDLE="/tmp/apiservercertbundle.pem"
+    _DEFAULT_KS_CERT_BUNDLE="keystonecertbundle.pem"
+    _DEFAULT_API_CERT_BUNDLE="apiservercertbundle.pem"
 
     # Connection to api-server through Quantum
     _DEFAULT_WEB_PORT = 8082
@@ -130,7 +130,9 @@ def __init__(self, username=None, password=None, tenant_name=None,
                  auth_token=None, auth_host=None, auth_port=None,
                  auth_protocol = None, auth_url=None, auth_type=None,
                  wait_for_connect=False, api_server_use_ssl=False,
-                 domain_name=None):
+                 domain_name=None, apicertfile=None, apikeyfile=None,
+                 apicafile=None, kscertfile=None, kskeyfile=None,
+                 kscafile=None,):
         # TODO allow for username/password to be present in creds file
 
         self._obj_serializer = self._obj_serializer_diff
@@ -164,6 +166,12 @@ def __init__(self, username=None, password=None, tenant_name=None,
         if use_ssl:
              self._api_connect_protocol = VncApi._DEFAULT_API_SERVER_SSL_CONNECT
 
+        if not api_server_host:
+            self._web_host = _read_cfg(cfg_parser, 'global', 'WEB_SERVER',
+                                       self._DEFAULT_WEB_SERVER)
+        else:
+            self._web_host = api_server_host
+
         # keystone
         self._authn_type = auth_type or \
             _read_cfg(cfg_parser, 'auth', 'AUTHN_TYPE',
@@ -202,22 +210,24 @@ def __init__(self, username=None, password=None, tenant_name=None,
                     ConfigParser.NoOptionError,
                     ConfigParser.NoSectionError):
                self._apiinsecure = False
-            apicertfile=_read_cfg(cfg_parser,'global','certfile','')
-            apikeyfile=_read_cfg(cfg_parser,'global','keyfile','')
-            apicafile=_read_cfg(cfg_parser,'global','cafile','')
+            apicertfile = (apicertfile or
+                           _read_cfg(cfg_parser,'global','certfile',''))
+            apikeyfile = (apikeyfile or
+                          _read_cfg(cfg_parser,'global','keyfile',''))
+            apicafile = (apicafile or
+                         _read_cfg(cfg_parser,'global','cafile',''))
 
             self._use_api_certs=False
-            if api_server_use_ssl:
-                certs = []
-                if apicafile:
-                    certs.append(apicafile)
-                if apicertfile:
-                    certs.append(apicertfile)
-                if apikeyfile:
-                    certs.append(apikeyfile)
-                if certs:
-                    self._apicertbundle=utils.getCertKeyCaBundle(VncApi._DEFAULT_API_CERT_BUNDLE,certs)
-                    self._use_api_certs=True
+            if apicafile and api_server_use_ssl:
+                certs=[apicafile]
+                if apikeyfile and apicertfile:
+                    certs=[apicertfile, apikeyfile, apicafile]
+                apicertbundle = os.path.join(
+                    '/tmp', self._web_host.replace('.', '_'),
+                     VncApi._DEFAULT_API_CERT_BUNDLE)
+                self._apicertbundle=utils.getCertKeyCaBundle(apicertbundle,
+                                                             certs)
+                self._use_api_certs=True
 
             # keystone SSL support
             try:
@@ -226,22 +236,24 @@ def __init__(self, username=None, password=None, tenant_name=None,
                     ConfigParser.NoOptionError,
                     ConfigParser.NoSectionError):
               self._ksinsecure = False
-            kscertfile=_read_cfg(cfg_parser,'auth','certfile','')
-            kskeyfile=_read_cfg(cfg_parser,'auth','keyfile','')
-            kscafile=_read_cfg(cfg_parser,'auth','cafile','')
+            kscertfile = (kscertfile or
+                          _read_cfg(cfg_parser,'auth','certfile',''))
+            kskeyfile = (kskeyfile or
+                         _read_cfg(cfg_parser,'auth','keyfile',''))
+            kscafile = (kscafile or
+                        _read_cfg(cfg_parser,'auth','cafile',''))
 
             self._use_ks_certs=False
-            if self._authn_protocol == 'https':
-                certs = []
-                if kscafile:
-                    certs.append(kscafile)
-                if kscertfile:
-                    certs.append(kscertfile)
-                if kskeytfile:
-                    certs.append(kskeyfile)
-                if certs:
-                   self._kscertbundle=utils.getCertKeyCaBundle(VncApi._DEFAULT_KS_CERT_BUNDLE,certs)
-                   self._use_ks_certs=True
+            if kscafile and self._authn_protocol == 'https':
+                certs=[kscafile]
+                if kskeyfile and kscertfile:
+                    certs=[kscertfile, kskeyfile, kscafile]
+                kscertbundle = os.path.join(
+                        '/tmp', self._web_host.replace('.', '_'),
+                        VncApi._DEFAULT_KS_CERT_BUNDLE)
+                self._kscertbundle=utils.getCertKeyCaBundle(kscertbundle,
+                                                            certs)
+                self._use_ks_certs=True
 
             if 'v2' in self._authn_url:
                 self._authn_body = \
@@ -271,12 +283,6 @@ def __init__(self, username=None, password=None, tenant_name=None,
                      '}'
             self._user_info = user_info
 
-        if not api_server_host:
-            self._web_host = _read_cfg(cfg_parser, 'global', 'WEB_SERVER',
-                                       self._DEFAULT_WEB_SERVER)
-        else:
-            self._web_host = api_server_host
-
         if not api_server_port:
             self._web_port = _read_cfg(cfg_parser, 'global', 'WEB_PORT',
                                        self._DEFAULT_WEB_PORT)

diff --git a/src/config/api-server/vnc_auth_keystone.py b/src/config/api-server/vnc_auth_keystone.py
@@ -139,10 +139,11 @@ class AuthServiceKeystone(object):
 
     def __init__(self, server_mgr, args):
         _kscertbundle=''
-        if args.certfile and args.keyfile and args.cafile \
-           and args.auth_protocol == 'https':
-               certs=[args.certfile, args.keyfile, args.cafile]
-               _kscertbundle=cfgmutils.getCertKeyCaBundle(_DEFAULT_KS_CERT_BUNDLE,certs)
+        if args.auth_protocol == 'https' and args.cafile:
+            certs=[args.cafile]
+            if args.keyfile and args.certfile:
+                certs=[args.certfile, args.keyfile, args.cafile]
+            _kscertbundle=cfgmutils.getCertKeyCaBundle(_DEFAULT_KS_CERT_BUNDLE,certs)
         identity_uri = '%s://%s:%s' % (args.auth_protocol, args.auth_host, args.auth_port)
         self._conf_info = {
             'auth_host': args.auth_host,

diff --git a/src/config/common/utils.py b/src/config/common/utils.py
@@ -22,6 +22,7 @@
 
 
 import os
+import errno
 import urllib
 from collections import OrderedDict
 import sys
@@ -148,6 +149,11 @@ def getCertKeyCaBundle(bundle, certs):
         if not bundle_is_stale:
             return bundle
 
+    try:
+        os.makedirs(os.path.dirname(bundle))
+    except OSError as e:
+        if e.errno != errno.EEXIST:
+            raise
     with open(bundle, 'w') as ofile:
         for cert in certs:
             with open(cert) as ifile:

diff --git a/src/config/vnc_openstack/vnc_openstack/__init__.py b/src/config/vnc_openstack/vnc_openstack/__init__.py
@@ -78,10 +78,12 @@ def fill_keystone_opts(obj, conf_sections):
 
     obj._kscertbundle=''
     obj._use_certs=False
-    if obj._certfile and obj._keyfile and obj._cafile:
-       certs=[obj._certfile,obj._keyfile,obj._cafile]
-       obj._kscertbundle=cfgmutils.getCertKeyCaBundle(_DEFAULT_KS_CERT_BUNDLE,certs)
-       obj._use_certs=True
+    if obj._certfile:
+        certs = [obj._certfile]
+        if obj._keyfile and obj._cafile:
+            certs=[obj._certfile,obj._keyfile,obj._cafile]
+        obj._kscertbundle=cfgmutils.getCertKeyCaBundle(_DEFAULT_KS_CERT_BUNDLE,certs)
+        obj._use_certs=True
 
     try:
         obj._auth_url = conf_sections.get('KEYSTONE', 'auth_url')