Making certfile/keyfile optional, so that vnc_api can rely on CA or C…

…A/CERT. Change-Id: Iffb9bf9d8cf23fe3943335565bf2adaf878c5df8 Partial-Bug: 1630513 (cherry picked from commit d7407a1) Issue: Password is displayed in the log files of the config daemon, during uncaught exceptions. Fix: cgitb sets sys.excepthook to format uncaught exceptions. Deriving the cgitb Hook and modifying the handle method to mask password along with formatting. Change-Id: I5b4251f2ebe0205465b15430a9ef38ef04b3a634 Closes-Bug: 1626317 (cherry picked from commit 6dc670c) Certificates needs to be chanined and bundled in the order (certfile, keyfile and cacert). 1. Chaining in the certificate in correct order 2. Making certfile/keyfile optional Closes-Bug: 1639426 Closes-Bug: 1630513 Getting certs as argument to the VncApi class and creating unique certbundle for request to different api-servers. Closes-Bug: 1644713 Closes-Bug: 1644707 Change-Id: Ib5e66bfdd27795bd090c3b3b49207241cbc5f0ae (cherry picked from commit df192ce) (cherry picked from commit d49aec8) (cherry picked from commit 18a920d) Conflicts: src/api-lib/vnc_api.py Adding the missing import, due to cherry-pick from a branch which has import os earlier to commit. Change-Id: Ibbdf7173ffd30d64526a7ecb525c109ff37098a3 Closes-Bug: 1644707 (cherry picked from commit 6223e65)
Juniper · Dec 15, 2016 · fa7307e · fa7307e
1 parent bb51132
commit fa7307e
Show file tree

Hide file tree

Showing 23 changed files with 222 additions and 142 deletions.
diff --git a/src/api-lib/vnc_api.py b/src/api-lib/vnc_api.py
@@ -1,6 +1,7 @@
 #
 # Copyright (c) 2013 Juniper Networks, Inc. All rights reserved.
 #
+import os
 import logging
 import requests
 from requests.exceptions import ConnectionError
@@ -109,8 +110,8 @@ class VncApi(object):
     # ssl termination on port 8082(default contrail-api port)
     _DEFAULT_API_SERVER_CONNECT="http"
     _DEFAULT_API_SERVER_SSL_CONNECT="https"
-    _DEFAULT_KS_CERT_BUNDLE="/tmp/keystonecertbundle.pem"
-    _DEFAULT_API_CERT_BUNDLE="/tmp/apiservercertbundle.pem"
+    _DEFAULT_KS_CERT_BUNDLE="keystonecertbundle.pem"
+    _DEFAULT_API_CERT_BUNDLE="apiservercertbundle.pem"
 
     # Connection to api-server through Quantum
     _DEFAULT_WEB_PORT = 8082
@@ -130,7 +131,9 @@ def __init__(self, username=None, password=None, tenant_name=None,
                  auth_token=None, auth_host=None, auth_port=None,
                  auth_protocol = None, auth_url=None, auth_type=None,
                  wait_for_connect=False, api_server_use_ssl=False,
-                 domain_name=None, auth_token_url=None):
+                 domain_name=None, auth_token_url=None,  apicertfile=None,
+                 apikeyfile=None, apicafile=None, kscertfile=None,
+                 kskeyfile=None, kscafile=None,):
         # TODO allow for username/password to be present in creds file
 
         self._obj_serializer = self._obj_serializer_diff
@@ -164,6 +167,12 @@ def __init__(self, username=None, password=None, tenant_name=None,
         if use_ssl:
              self._api_connect_protocol = VncApi._DEFAULT_API_SERVER_SSL_CONNECT
 
+        if not api_server_host:
+            self._web_host = _read_cfg(cfg_parser, 'global', 'WEB_SERVER',
+                                       self._DEFAULT_WEB_SERVER)
+        else:
+            self._web_host = api_server_host
+
         # keystone
         self._authn_type = auth_type or \
             _read_cfg(cfg_parser, 'auth', 'AUTHN_TYPE',
@@ -204,16 +213,24 @@ def __init__(self, username=None, password=None, tenant_name=None,
                     ConfigParser.NoOptionError,
                     ConfigParser.NoSectionError):
                self._apiinsecure = False
-            apicertfile=_read_cfg(cfg_parser,'global','certfile','')
-            apikeyfile=_read_cfg(cfg_parser,'global','keyfile','')
-            apicafile=_read_cfg(cfg_parser,'global','cafile','')
+            apicertfile = (apicertfile or
+                           _read_cfg(cfg_parser,'global','certfile',''))
+            apikeyfile = (apikeyfile or
+                          _read_cfg(cfg_parser,'global','keyfile',''))
+            apicafile = (apicafile or
+                         _read_cfg(cfg_parser,'global','cafile',''))
 
             self._use_api_certs=False
-            if apicertfile and apikeyfile \
-               and apicafile and api_server_use_ssl:
+            if apicafile and api_server_use_ssl:
+                certs=[apicafile]
+                if apikeyfile and apicertfile:
                     certs=[apicertfile, apikeyfile, apicafile]
-                    self._apicertbundle=utils.getCertKeyCaBundle(VncApi._DEFAULT_API_CERT_BUNDLE,certs)
-                    self._use_api_certs=True
+                apicertbundle = os.path.join(
+                    '/tmp', self._web_host.replace('.', '_'),
+                     VncApi._DEFAULT_API_CERT_BUNDLE)
+                self._apicertbundle=utils.getCertKeyCaBundle(apicertbundle,
+                                                             certs)
+                self._use_api_certs=True
 
             # keystone SSL support
             try:
@@ -222,16 +239,24 @@ def __init__(self, username=None, password=None, tenant_name=None,
                     ConfigParser.NoOptionError,
                     ConfigParser.NoSectionError):
               self._ksinsecure = False
-            kscertfile=_read_cfg(cfg_parser,'auth','certfile','')
-            kskeyfile=_read_cfg(cfg_parser,'auth','keyfile','')
-            kscafile=_read_cfg(cfg_parser,'auth','cafile','')
+            kscertfile = (kscertfile or
+                          _read_cfg(cfg_parser,'auth','certfile',''))
+            kskeyfile = (kskeyfile or
+                         _read_cfg(cfg_parser,'auth','keyfile',''))
+            kscafile = (kscafile or
+                        _read_cfg(cfg_parser,'auth','cafile',''))
 
             self._use_ks_certs=False
-            if kscertfile and kskeyfile and kscafile \
-               and self._authn_protocol == 'https':
-                   certs=[kscertfile, kskeyfile, kscafile]
-                   self._kscertbundle=utils.getCertKeyCaBundle(VncApi._DEFAULT_KS_CERT_BUNDLE,certs)
-                   self._use_ks_certs=True
+            if kscafile and self._authn_protocol == 'https':
+                certs=[kscafile]
+                if kskeyfile and kscertfile:
+                    certs=[kscertfile, kskeyfile, kscafile]
+                kscertbundle = os.path.join(
+                        '/tmp', self._web_host.replace('.', '_'),
+                        VncApi._DEFAULT_KS_CERT_BUNDLE)
+                self._kscertbundle=utils.getCertKeyCaBundle(kscertbundle,
+                                                            certs)
+                self._use_ks_certs=True
 
             if 'v2' in self._authn_url:
                 self._authn_body = \
@@ -261,12 +286,6 @@ def __init__(self, username=None, password=None, tenant_name=None,
                      '}'
             self._user_info = user_info
 
-        if not api_server_host:
-            self._web_host = _read_cfg(cfg_parser, 'global', 'WEB_SERVER',
-                                       self._DEFAULT_WEB_SERVER)
-        else:
-            self._web_host = api_server_host
-
         if not api_server_port:
             self._web_port = _read_cfg(cfg_parser, 'global', 'WEB_PORT',
                                        self._DEFAULT_WEB_PORT)

diff --git a/src/config/api-server/db_manage.py b/src/config/api-server/db_manage.py
@@ -8,11 +8,11 @@
 from netaddr import IPAddress, IPNetwork
 import argparse
 from cStringIO import StringIO
-import cgitb
 
 import kazoo.client
 import kazoo.exceptions
 import cfgm_common
+from cfgm_common import vnc_cgitb
 from cfgm_common.utils import cgitb_hook
 from cfgm_common.ifmap.client import client
 from cfgm_common.ifmap.request import NewSessionRequest
@@ -1452,7 +1452,7 @@ def heal_security_groups_id(self):
 # end class DatabaseCleaner
 
 def db_check(args_str):
-    cgitb.enable(format='text')
+    vnc_cgitb.enable(format='text')
 
     db_checker = DatabaseChecker(args_str)
     # Mode and node count check across all nodes
@@ -1469,7 +1469,7 @@ def db_check(args_str):
 # end db_check
 
 def db_clean(args_str):
-    cgitb.enable(format='text')
+    vnc_cgitb.enable(format='text')
 
     db_cleaner = DatabaseCleaner(args_str)
     db_cleaner.clean_obj_missing_mandatory_fields()
@@ -1484,7 +1484,7 @@ def db_clean(args_str):
 # end db_clean
 
 def db_heal(args_str):
-    cgitb.enable(format='text')
+    vnc_cgitb.enable(format='text')
 
     db_healer = DatabaseHealer(args_str)
     db_healer.heal_fq_name_index()

diff --git a/src/config/api-server/tests/test_askip.py b/src/config/api-server/tests/test_askip.py
@@ -10,9 +10,6 @@
 import logging
 import coverage
 
-import cgitb
-cgitb.enable(format='text')
-
 import testtools
 from testtools.matchers import Equals, MismatchError, Not, Contains
 from testtools import content, content_type, ExpectedException
@@ -29,6 +26,8 @@
 import vnc_api.gen.vnc_api_test_gen
 from vnc_api.gen.resource_test import *
 import cfgm_common
+from cfgm_common import vnc_cgitb
+vnc_cgitb.enable(format='text')
 
 sys.path.append('../common/tests')
 from test_utils import *

diff --git a/src/config/api-server/tests/test_crud_basic.py b/src/config/api-server/tests/test_crud_basic.py
@@ -13,9 +13,6 @@
 import netaddr
 import tempfile
 
-import cgitb
-cgitb.enable(format='text')
-
 import fixtures
 import testtools
 from testtools.matchers import Equals, MismatchError, Not, Contains, LessThan
@@ -41,6 +38,8 @@
 import cfgm_common
 from cfgm_common import vnc_plugin_base
 from cfgm_common import imid
+from cfgm_common import vnc_cgitb
+vnc_cgitb.enable(format='text')
 
 sys.path.append('../common/tests')
 from test_utils import *

diff --git a/src/config/api-server/tests/test_ip_alloc.py b/src/config/api-server/tests/test_ip_alloc.py
@@ -10,9 +10,6 @@
 import logging
 import coverage
 
-import cgitb
-cgitb.enable(format='text')
-
 import testtools
 from testtools.matchers import Equals, MismatchError, Not, Contains
 from testtools import content, content_type, ExpectedException
@@ -29,6 +26,8 @@
 import vnc_api.gen.vnc_api_test_gen
 from vnc_api.gen.resource_test import *
 import cfgm_common
+from cfgm_common import vnc_cgitb
+vnc_cgitb.enable(format='text')
 
 sys.path.append('../common/tests')
 from test_utils import *

diff --git a/src/config/api-server/tests/test_logical_router.py b/src/config/api-server/tests/test_logical_router.py
@@ -10,8 +10,6 @@
 import logging
 import coverage
 
-import cgitb
-cgitb.enable(format='text')
 
 import testtools
 from testtools.matchers import Equals, MismatchError, Not, Contains
@@ -32,6 +30,8 @@
 from netaddr import IPNetwork, IPAddress
 
 import cfgm_common
+from cfgm_common import vnc_cgitb
+vnc_cgitb.enable(format='text')
 
 sys.path.append('../common/tests')
 from test_utils import *

diff --git a/src/config/api-server/tests/test_perms.py b/src/config/api-server/tests/test_perms.py
@@ -11,9 +11,6 @@
 import logging
 import coverage
 
-import cgitb
-cgitb.enable(format='text')
-
 import fixtures
 import testtools
 from testtools.matchers import Equals, MismatchError, Not, Contains
@@ -32,6 +29,8 @@
 
 from vnc_api.vnc_api import *
 import cfgm_common
+from cfgm_common import vnc_cgitb
+vnc_cgitb.enable(format='text')
 
 sys.path.append('../common/tests')
 import test_utils

diff --git a/src/config/api-server/tests/test_perms2.py b/src/config/api-server/tests/test_perms2.py
@@ -10,9 +10,6 @@
 import logging
 import coverage
 
-import cgitb
-cgitb.enable(format='text')
-
 import fixtures
 import testtools
 from testtools.matchers import Equals, MismatchError, Not, Contains
@@ -34,6 +31,8 @@
 from cfgm_common import rest, utils
 from cfgm_common.rbaclib import *
 import cfgm_common
+from cfgm_common import vnc_cgitb
+vnc_cgitb.enable(format='text')
 
 sys.path.append('../common/tests')
 import test_utils

diff --git a/src/config/api-server/tests/test_rbac.py b/src/config/api-server/tests/test_rbac.py
@@ -10,9 +10,6 @@
 import logging
 import coverage
 
-import cgitb
-cgitb.enable(format='text')
-
 import fixtures
 import testtools
 from testtools.matchers import Equals, MismatchError, Not, Contains
@@ -32,6 +29,8 @@
 from keystonemiddleware import auth_token
 from cfgm_common import rest, utils
 import cfgm_common
+from cfgm_common import vnc_cgitb
+vnc_cgitb.enable(format='text')
 
 sys.path.append('../common/tests')
 import test_utils

diff --git a/src/config/api-server/tests/test_subnet_ip_count.py b/src/config/api-server/tests/test_subnet_ip_count.py
@@ -10,8 +10,6 @@
 import logging
 import coverage
 
-import cgitb
-cgitb.enable(format='text')
 
 import testtools
 from testtools.matchers import Equals, MismatchError, Not, Contains
@@ -29,6 +27,8 @@
 import vnc_api.gen.vnc_api_test_gen
 from vnc_api.gen.resource_test import *
 import cfgm_common
+from cfgm_common import vnc_cgitb
+vnc_cgitb.enable(format='text')
 
 sys.path.append('../common/tests')
 from test_utils import *

diff --git a/src/config/api-server/vnc_auth_keystone.py b/src/config/api-server/vnc_auth_keystone.py
@@ -139,10 +139,11 @@ class AuthServiceKeystone(object):
 
     def __init__(self, server_mgr, args):
         _kscertbundle=''
-        if args.certfile and args.keyfile and args.cafile \
-           and args.auth_protocol == 'https':
-               certs=[args.certfile, args.keyfile, args.cafile]
-               _kscertbundle=cfgmutils.getCertKeyCaBundle(_DEFAULT_KS_CERT_BUNDLE,certs)
+        if args.auth_protocol == 'https' and args.cafile:
+            certs=[args.cafile]
+            if args.keyfile and args.certfile:
+                certs=[args.certfile, args.keyfile, args.cafile]
+            _kscertbundle=cfgmutils.getCertKeyCaBundle(_DEFAULT_KS_CERT_BUNDLE,certs)
         identity_uri = '%s://%s:%s' % (args.auth_protocol, args.auth_host, args.auth_port)
         self._conf_info = {
             'auth_host': args.auth_host,

diff --git a/src/config/api-server/vnc_cfg_api_server.py b/src/config/api-server/vnc_cfg_api_server.py
@@ -34,6 +34,8 @@
 from lxml import etree
 # import GreenletProfiler
 
+from cfgm_common import vnc_cgitb
+
 logger = logging.getLogger(__name__)
 
 """
@@ -3575,8 +3577,7 @@ def main(args_str=None):
 # end main
 
 def server_main(args_str=None):
-    import cgitb
-    cgitb.enable(format='text')
+    vnc_cgitb.enable(format='text')
 
     main()
 #server_main

diff --git a/src/config/common/SConscript b/src/config/common/SConscript
@@ -40,6 +40,7 @@ local_sources = [
                   'dependency_tracker.py',
                   'vnc_api_stats.py',
                   'ssl_adapter.py',
+                  'vnc_cgitb.py',
                  ]
 local_sources_rules = []
 for file in local_sources:

diff --git a/src/config/common/tests/test_common.py b/src/config/common/tests/test_common.py
@@ -24,6 +24,7 @@
 import cfgm_common.zkclient
 from cfgm_common.uve.vnc_api.ttypes import VncApiConfigLog
 from cfgm_common import imid
+from cfgm_common import vnc_cgitb
 from cfgm_common.utils import cgitb_hook
 
 from test_utils import *
@@ -148,8 +149,7 @@ def launch_disc_server(test_id, listen_ip, listen_port, http_server_port, conf_s
     args_str = args_str + "--log_local "
     args_str = args_str + "--log_file discovery_server_%s.log " % test_id
 
-    import cgitb
-    cgitb.enable(format='text')
+    vnc_cgitb.enable(format='text')
 
     with tempfile.NamedTemporaryFile() as conf, tempfile.NamedTemporaryFile() as logconf:
         cfg_parser = generate_conf_file_contents(conf_sections)
@@ -219,8 +219,7 @@ def launch_api_server(test_id, listen_ip, listen_port, http_server_port,
     args_str = args_str + "--log_local "
     args_str = args_str + "--log_file api_server_%s.log " %(test_id)
 
-    import cgitb
-    cgitb.enable(format='text')
+    vnc_cgitb.enable(format='text')
 
     with tempfile.NamedTemporaryFile() as conf, tempfile.NamedTemporaryFile() as logconf:
         cfg_parser = generate_conf_file_contents(conf_sections)
@@ -412,8 +411,7 @@ def __init__(self, *args, **kwargs):
         self.addOnException(self._add_detailed_traceback)
 
     def _add_detailed_traceback(self, exc_info):
-        import cgitb
-        cgitb.enable(format='text')
+        vnc_cgitb.enable(format='text')
         from cStringIO  import StringIO
 
         tmp_file = StringIO()