Diffstat (limited to 'src')
-rwxr-xr-xsrc/fedora-cert.py77
-rw-r--r--src/lib/fedora-cert.py104
-rw-r--r--src/rpmbuild-md52
3 files changed, 161 insertions, 22 deletions
diff --git a/src/fedora-cert.py b/src/fedora-cert.py
index 8d8223f..dc4b6d3 100755
--- a/src/fedora-cert.py
+++ b/src/fedora-cert.py
@@ -3,41 +3,72 @@ import optparse
import os
import sys
import getpass
-from fedora.accounts.fas2 import AccountSystem
-from fedora.accounts.fas2 import CLAError
-from fedora.tg.client import AuthError, ServerError
+from fedora.client.fas2 import AccountSystem
+from fedora.client.fas2 import CLAError
+from fedora.client import AuthError, ServerError
from OpenSSL import crypto
+import urlgrabber
-def read_cert_user():
- """
- Figure out the Fedora user name from ~/.fedora.cert
+def _open_cert():
+ """
+ Read in the certificate so we dont duplicate the code
"""
- # Make sure we can even read the thing.
+ # Make sure we can even read the thing.
cert_file = os.path.join(os.path.expanduser('~'), ".fedora.cert")
if not os.access(cert_file, os.R_OK):
print "!!! cannot read your ~/.fedora.cert file !!!"
print "!!! Ensure the file is readable and try again !!!"
sys.exit(1)
- FILE = open(cert_file)
- my_buf = FILE.read()
- FILE.close()
- my_cert = crypto.load_certificate(crypto.FILETYPE_PEM, my_buf)
+ raw_cert = open(cert_file).read()
+ my_cert = crypto.load_certificate(crypto.FILETYPE_PEM, raw_cert)
+ return my_cert
+
+def verify_cert():
+ """
+ Check that the user cert is valid.
+ things to check/return
+ not revoked
+ Expiry time warn if less than 21 days
+ """
+ my_cert = _open_cert()
+ serial_no = my_cert.get_serial_number()
+ valid_until = my_cert.get_notAfter()
+ crl = urlgrabber.urlread("https://admin.fedoraproject.org/ca/crl.pem")
+
+
+def certificate_expired():
+ """
+ Check to see if ~/.fedora.cert is expired
+ Returns True or False
+
+ """
+ my_cert = _open_cert()
+
+ if my_cert.has_expired():
+ return True
+ else:
+ return False
+
+def read_user_cert():
+ """
+ Figure out the Fedora user name from ~/.fedora.cert
+
+ """
+ my_cert = _open_cert()
subject = str(my_cert.get_subject())
subject_line = subject.split("CN=")
cn_parts = subject_line[1].split("/")
username = cn_parts[0]
-
- if my_cert.has_expired():
+ if certificate_expired():
print "Certificate expired; Lets get a new one."
create_user_cert(username)
return username
-
def create_user_cert(username):
- if not username is None:
+ if not username:
username = raw_input('FAS Username: ')
password = getpass.getpass('FAS Password: ')
try:
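Review bot: verify_cert() stops right after downloading the CRL: `serial_no`, `valid_until` and `crl` are never used, so neither the revocation check nor the 21-day expiry warning promised in the docstring happens, and the function returns None. A caller that tests the result cannot tell "verified" from "not checked", so until the logic exists I would end the body with `raise NotImplementedError("CRL and expiry checks not implemented")`. When it is filled in, the CRL's signature should be validated against the CA before its serial list is trusted, and a failed or empty download should be reported as "could not verify" rather than as "not revoked". Separately, `subject_line[1]` in read_user_cert() raises IndexError for a subject with no CN, which the caller's bare `except` would hide.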
@@ -56,7 +87,9 @@ def create_user_cert(username):
sys.exit(1)
cert_file = os.path.join(os.path.expanduser('~'), ".fedora.cert")
if not os.access(cert_file, os.W_OK):
- print "Can not open cert file for writing"
+ print """Can not open cert file for writing.
+Please paste certificate into ~/.fedora.cert"""
+
print cert
sys.exit(1)
else:
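Review bot: `os.access(cert_file, os.W_OK)` is also False when ~/.fedora.cert does not exist yet, so a first-time user always lands in the paste-it-yourself branch instead of having the file created. That branch prints the whole `cert` blob to the terminal; if the blob carries the private key alongside the certificate (not visible from this hunk), it ends up in scrollback and any captured output. I would attempt the write directly and fall back to the message only on IOError, creating the file owner-only, e.g. `fd = os.open(cert_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0600)`. The write branch of create_user_cert() continues outside the hunk.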
@@ -77,7 +110,7 @@ def main(opts):
else:
username = opts.username
#has cert expired? do we force a new cert? get a new one
- if opts.new_cert:
+ if opts.newcert:
print "Getting a new User Certificate"
create_user_cert(username)
sys.exit(0)
@@ -85,19 +118,19 @@ def main(opts):
print "Certificate has expired, getting a new one"
create_user_cert(username)
sys.exit(0)
- if opts.verify-cert:
+ if opts.verifycert:
print "Verifying Certificate"
if __name__ == '__main__':
opt_p = optparse.OptionParser(usage="%prog [OPTIONS] ")
opt_p.add_option('-u', '--username', action='store_true', dest='username',
- help="FAS Username.")
+ default=False, help="FAS Username.")
opt_p.add_option('-n', '--new-cert', action='store_true', dest='newcert',
- help="Generate a new Fedora Certificate.")
+ default=False, help="Generate a new Fedora Certificate.")
opt_p.add_option('-v', '--verify-cert', action='store_true', dest='verifycert',
- help="Verify Certificate.")
+ default=False, help="Verify Certificate.")
- opts = opt_p.parse_args()
+ (opts, args) = opt_p.parse_args()
main(opts)
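Review bot: `-u/--username` is still declared with `action='store_true'`, so `opts.username` is the boolean True rather than the name the user typed. main() assigns that value to `username` and passes it on, and with the new `if not username:` test in create_user_cert() the prompt is skipped and True is what reaches AccountSystem. The option should take a value: `opt_p.add_option('-u', '--username', action='store', dest='username', default=None, help="FAS Username.")`. Also, the `if opts.verifycert:` branch only prints "Verifying Certificate" and never calls verify_cert(), so `-v` reports nothing about the certificate. main()'s body starts outside the hunk.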
diff --git a/src/lib/fedora-cert.py b/src/lib/fedora-cert.py
new file mode 100644
index 0000000..21cea9d
--- /dev/null
+++ b/src/lib/fedora-cert.py
@@ -0,0 +1,104 @@
+#!/usr/bin/python
+import optparse
+import os
+import sys
+import getpass
+from fedora.client.fas2 import AccountSystem
+from fedora.client.fas2 import CLAError
+from fedora.client import AuthError, ServerError
+from OpenSSL import crypto
+
+def read_cert_user():
+ """
+ Figure out the Fedora user name from ~/.fedora.cert
+
+ """
+ # Make sure we can even read the thing.
+ cert_file = os.path.join(os.path.expanduser('~'), ".fedora.cert")
+ if not os.access(cert_file, os.R_OK):
+ print "!!! cannot read your ~/.fedora.cert file !!!"
+ print "!!! Ensure the file is readable and try again !!!"
+ sys.exit(1)
+ FILE = open(cert_file)
+ my_buf = FILE.read()
+ FILE.close()
+ my_cert = crypto.load_certificate(crypto.FILETYPE_PEM, my_buf)
+
+ subject = str(my_cert.get_subject())
+ subject_line = subject.split("CN=")
+ cn_parts = subject_line[1].split("/")
+ username = cn_parts[0]
+
+ if my_cert.has_expired():
+ print "Certificate expired; Lets get a new one."
+ create_user_cert(username)
+
+ return username
+
+
+def create_user_cert(username):
+ if not username is None:
+ username = raw_input('FAS Username: ')
+ password = getpass.getpass('FAS Password: ')
+ try:
+ fas = AccountSystem('https://admin.fedoraproject.org/', username, password)
+ except AuthError:
+ print "Invalid username/password."
+ sys.exit(1)
+
+ try:
+ cert = fas.user_gencert()
+ fas.logout()
+ except CLAError:
+ print "You must sign the CLA before you can generate your certificate.\n" \
+ "To do this, go to https://admin.fedoraproject.org/accounts/cla/"
+ fas.logout()
+ sys.exit(1)
+ cert_file = os.path.join(os.path.expanduser('~'), ".fedora.cert")
+ if not os.access(cert_file, os.W_OK):
+ print "Can not open cert file for writing"
+ print cert
+ sys.exit(1)
+ else:
+ FILE = open(cert_file,"w")
+ FILE.write(cert)
+ FILE.close()
+
+def main(opts):
+ # lets read in the existing cert if it exists.
+ # gets us existing acc info
+ print opts
+ if not opts.username:
+ try:
+ username = read_user_cert()
+ except :
+ print "Can't determine fas name, lets get a new cert"
+ create_user_cert(None)
+ sys.exit(0)
+ else:
+ username = opts.username
+ #has cert expired? do we force a new cert? get a new one
+ if opts.new_cert:
+ print "Getting a new User Certificate"
+ create_user_cert(username)
+ sys.exit(0)
+ if certificate_expired():
+ print "Certificate has expired, getting a new one"
+ create_user_cert(username)
+ sys.exit(0)
+ if opts.verify-cert:
+ print "Verifying Certificate"
+
+
+if __name__ == '__main__':
+ opt_p = optparse.OptionParser(usage="%prog [OPTIONS] ")
+ opt_p.add_option('-u', '--username', action='store_true', dest='username',
+ default=False, help="FAS Username.")
+ opt_p.add_option('-n', '--new-cert', action='store_true', dest='newcert',
+ help="Generate a new Fedora Certificate.")
+ opt_p.add_option('-v', '--verify-cert', action='store_true', dest='verifycert',
+ help="Verify Certificate.")
+
+ opts = opt_p.parse_args()
+
+ main(opts)
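Review bot: This new file is a copy of the pre-fix script and reintroduces the defects the same commit repairs in src/fedora-cert.py. `if not username is None:` prompts only when a name was already supplied and passes None through otherwise, `opts.new_cert` does not match `dest='newcert'`, and `opts.verify-cert` parses as a subtraction. In addition, `opts = opt_p.parse_args()` binds the (options, args) tuple, and main() calls read_user_cert() and certificate_expired(), neither of which is defined here (the function is named read_cert_user). At minimum carry over `if not username:`, `if opts.newcert:` and `(opts, args) = opt_p.parse_args()`. If the file is meant to be an importable library, the hyphen in its name also prevents a normal `import`, so sharing one module with the script would avoid the drift.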
diff --git a/src/rpmbuild-md5 b/src/rpmbuild-md5
new file mode 100644
index 0000000..11fdb21
--- /dev/null
+++ b/src/rpmbuild-md5
@@ -0,0 +1,2 @@
+#!/bin/bash
+rpmbuild --define "_source_filedigest_algorithm md5" --define "_binary_filedigest_algorithm md5" $@
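Review bot: `$@` is unquoted on the rpmbuild line, so any argument containing whitespace or glob characters is re-split and expanded before rpmbuild sees it; it should be `"$@"`. The wrapper also forces MD5 for both source and binary file digests, presumably for compatibility with older rpm versions. A header comment such as `# MD5 file digests only for targets whose rpm cannot read newer algorithms; MD5 is not collision resistant` would keep it from being used as the default build path.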