-rw-r--r-- | etc/certmaster.conf | 1 | ||||
-rw-r--r-- | etc/minion.conf | 2 | ||||
-rwxr-xr-x | func/certmaster.py | 77 | ||||
-rwxr-xr-x | scripts/certmaster-ca | 9 |
4 files changed, 27 insertions, 62 deletions
diff --git a/etc/certmaster.conf b/etc/certmaster.conf
index 96c6130..ded4de6 100644
--- a/etc/certmaster.conf
+++ b/etc/certmaster.conf
@@ -1,3 +1,4 @@
+[main]
 listen_addr = 
 listen_port = 51235
 cadir = /etc/pki/func/ca
diff --git a/etc/minion.conf b/etc/minion.conf
index bcbe6a7..9630571 100644
--- a/etc/minion.conf
+++ b/etc/minion.conf
@@ -1,6 +1,6 @@
 # configuration for minions
-[general]
+[main]
 overlord_server = funcmaster
 log_level = DEBUG
 certmaster = http://certmaster:51235/
diff --git a/func/certmaster.py b/func/certmaster.py
index ab0bc73..a0598be 100755
--- a/func/certmaster.py
+++ b/func/certmaster.py
@@ -1,6 +1,5 @@
 #!/usr/bin/python
-# FIXME: Perms checked and okayed on all csr, certs and keys, everywhere
 # FIXME: picky about bogus CN names ../ ../ ./ etc, etc to avoid stupid attacks
 # FIXME: more intelligent fault raises
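Review bot: The func/certmaster.py hunk at `-1,6 +1,5` deletes the FIXME about checking permissions on CSRs, certs and keys, but no hunk in this commit adds such a check, so the reminder is lost rather than resolved. Unless that check landed in a separate change, keep `# FIXME: Perms checked and okayed on all csr, certs and keys, everywhere` or replace it with a comment pointing at where the ownership/mode checks now live. The trailing context lines of that hunk are not visible on this page, so I cannot tell whether anything else in it was affected.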
@@ -28,41 +27,22 @@
 import sha
 import glob
 #from func.server import codes
-import func
-import func.certs
-import func.codes
-import func.utils
-
-class SimpleConfigFile(object):
-    """simple config file object:
-    reads in key=value pairs from a file and stores each as an attribute"""
-
-    def __init__(self, filename, defaults={}):
-        self.fn = filename
-        fo = open(filename, 'r')
-        for line in fo.readlines():
-            if line.startswith('#'): continue
-            if line.strip() == '': continue
-            (key, val) = line.split('=')
-            key = key.strip().lower()
-            val = val.strip()
-            setattr(self, key, val)
-        for k,v in defaults.items():
-            if not hasattr(self, k):
-                setattr(self, k, v)
-        fo.close()
-
+import certs
+import codes
+import utils
+from config import BaseConfig, BoolOption, IntOption, Option, ConfigError, read_config, ListOption
+
+class CMConfig(BaseConfig):
+    listen_addr = Option('')
+    listen_port = IntOption(51235)
+    cadir = Option('/etc/pki/func/ca')
+    certroot = Option('/var/lib/func/certmaster/certs')
+    csrroot = Option('/var/lib/func/certmaster/csrs')
+    autosign = BoolOption(False)
 
 class CertMaster(object):
-    def __init__(self, conf_file, defaults={}):
-        self.cfg = SimpleConfigFile(conf_file, defaults)
-        if hasattr(self.cfg, 'autosign'):
-            if getattr(self.cfg, 'autosign').lower() in ['yes', 'true', 1, 'on']:
-                self.cfg.autosign = True
-            elif getattr(self.cfg, 'autosign').lower() in ['no', 'false', 0, 'off']:
-                self.cfg.autosign = False
-            else:
-                self.cfg.autosign = False
+    def __init__(self, conf_file):
+        self.cfg = read_config(conf_file, CMConfig)
         self.cfg.listen_port = int(self.cfg.listen_port)
         self.ca_key_file = '%s/funcmaster.key' % self.cfg.cadir
         self.ca_cert_file = '%s/funcmaster.crt' % self.cfg.cadir
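Review bot: `listen_addr = Option('')` in the new CMConfig changes the effective default bind address: the `defaults` dicts this commit removes from `main()` in func/certmaster.py and from scripts/certmaster-ca used `'localhost'`, so a certmaster.conf with no `listen_addr` line now presumably binds to every interface rather than loopback — confirm against serve(), which is outside this hunk. If that widening is not intended, use `listen_addr = Option('localhost')` and let the shipped config override it explicitly. In the same hunk `self.cfg.listen_port = int(self.cfg.listen_port)` is now redundant because `listen_port` is an `IntOption`, and `ConfigError` and `ListOption` are imported but not used in any visible line. CertMaster.__init__ continues past the end of the hunk.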
@@ -71,15 +51,15 @@ class CertMaster(object):
             os.makedirs(self.cfg.cadir)
             # fixme - should we creating these separately?
             if not os.path.exists(self.ca_key_file) and not os.path.exists(self.ca_cert_file):
-                func.certs.create_ca(ca_key_file=self.ca_key_file, ca_cert_file=self.ca_cert_file)
+                certs.create_ca(ca_key_file=self.ca_key_file, ca_cert_file=self.ca_cert_file)
         except (IOError, OSError), e:
             print 'Cannot make certmaster certificate authority keys/certs, aborting: %s' % e
             sys.exit(1)
         # open up the cakey and cacert so we have them available
-        self.cakey = func.certs.retrieve_key_from_file(self.ca_key_file)
-        self.cacert = func.certs.retrieve_cert_from_file(self.ca_cert_file)
+        self.cakey = certs.retrieve_key_from_file(self.ca_key_file)
+        self.cacert = certs.retrieve_cert_from_file(self.ca_cert_file)
         for dirpath in [self.cfg.cadir, self.cfg.certroot, self.cfg.csrroot]:
             if not os.path.exists(dirpath):
@@ -97,7 +77,7 @@ class CertMaster(object):
         if method in self.handlers.keys():
             return self.handlers[method](*params)
         else:
-            raise func.codes.InvalidMethodException
+            raise codes.InvalidMethodException
     def wait_for_cert(self, csrbuf):
@@ -135,7 +115,7 @@ class CertMaster(object):
         # look for a cert:
         # if we have it, then return True, etc, etc
         if os.path.exists(certfile):
-            slavecert = func.certs.retrieve_cert_from_file(certfile)
+            slavecert = certs.retrieve_cert_from_file(certfile)
             cert_buf = crypto.dump_certificate(crypto.FILETYPE_PEM, slavecert)
             cacert_buf = crypto.dump_certificate(crypto.FILETYPE_PEM, self.cacert)
             return True, cert_buf, cacert_buf
@@ -146,7 +126,7 @@ class CertMaster(object):
         if self.cfg.autosign:
             cert_fn = self.sign_this_csr(csrreq)
-            cert = func.certs.retrieve_cert_from_file(cert_fn)
+            cert = certs.retrieve_cert_from_file(cert_fn)
             cert_buf = crypto.dump_certificate(crypto.FILETYPE_PEM, cert)
             cacert_buf = crypto.dump_certificate(crypto.FILETYPE_PEM, self.cacert)
             return True, cert_buf, cacert_buf
@@ -200,7 +180,7 @@ class CertMaster(object):
         csrreq = csr
         requesting_host = csrreq.get_subject().CN
         certfile = '%s/%s.cert' % (self.cfg.certroot, requesting_host)
-        thiscert = func.certs.create_slave_certificate(csrreq, self.cakey, self.cacert, self.cfg.cadir)
+        thiscert = certs.create_slave_certificate(csrreq, self.cakey, self.cacert, self.cfg.cadir)
         destfo = open(certfile, 'w')
         destfo.write(crypto.dump_certificate(crypto.FILETYPE_PEM, thiscert))
         destfo.close()
@@ -231,19 +211,10 @@ def serve(xmlrpcinstance):
 def main(argv):
-    defaults = { 'listen_addr': 'localhost',
-                 'listen_port': '51235',
-                 'cadir': '/etc/pki/func/ca',
-                 'certroot': '/var/lib/func/certmaster/certs',
-                 'csrroot': '/var/lib/func/certmaster/csrs',
-                 'autosign': 'false'
-               }
-
-
-    cm = CertMaster('/etc/func/certmaster.conf', defaults)
+    cm = CertMaster('/etc/func/certmaster.conf')
     if "daemon" in argv or "--daemon" in argv:
-        func.utils.daemonize("/var/run/certmaster.pid")
+        utils.daemonize("/var/run/certmaster.pid")
     else:
         print "serving...\n"
@@ -254,6 +225,6 @@ def main(argv):
 if __name__ == "__main__":
-    textdomain(I18N_DOMAIN)
+    #textdomain(I18N_DOMAIN)
     main(sys.argv)
diff --git a/scripts/certmaster-ca b/scripts/certmaster-ca
index 14f7c2f..d103265 100755
--- a/scripts/certmaster-ca
+++ b/scripts/certmaster-ca
@@ -14,13 +14,6 @@
 import func.certmaster
 from optparse import OptionParser
-defaults = { 'listen_addr': 'localhost',
-             'listen_port': '51235',
-             'cadir': '/etc/pki/func/ca',
-             'certroot': '/var/lib/func/certmaster/certs',
-             'csrroot': '/var/lib/func/certmaster/csrs',
-             'autosign': 'false'
-           }
 def errorprint(stuff):
     print >> sys.stderr, stuff
@@ -41,7 +34,7 @@ def parseargs(args):
     return (opts, args)
 def main(args):
-    cm = func.certmaster.CertMaster('/etc/func/certmaster.conf', defaults)
+    cm = func.certmaster.CertMaster('/etc/func/certmaster.conf')
     (opts, args) = parseargs(args)
     if opts.list:
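Review bot: The `-254,6 +225,6` hunk leaves the i18n call as commented-out code, `#textdomain(I18N_DOMAIN)`, with no explanation of why it is disabled. Either delete the line (together with any import that existed only for it) or restore it; if the disable is deliberate, replace the dead line with a one-line comment giving the reason, e.g. `# textdomain() call disabled: <reason>`. The other hunks on this line are import renames and the removal of the `defaults` dicts and need no separate comment.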