clustercfg: extract cfssl handling to separate function
This commit is contained in:
parent
acd001bf83
commit
598a079f57
1 changed files with 22 additions and 16 deletions
|
@ -1,3 +1,4 @@
|
|||
# encoding: utf-8
|
||||
import json
|
||||
import logging
|
||||
import os
|
||||
|
@ -89,6 +90,22 @@ class CA(object):
|
|||
with open(self._cert) as f:
|
||||
return f.read()
|
||||
|
||||
def _cfssl_call(self, args, obj=None, stdin=None):
|
||||
p = subprocess.Popen(['cfssl'] + args,
|
||||
stdin=subprocess.PIPE, stdout=subprocess.PIPE,
|
||||
stderr=subprocess.PIPE)
|
||||
if obj:
|
||||
stdin = json.dumps(stdin)
|
||||
|
||||
outs, errs = p.communicate(stdin.encode())
|
||||
if p.returncode != 0:
|
||||
raise Exception(
|
||||
'cfssl failed. stderr: %r, stdout: %r, code: %r' % (
|
||||
errs, outs, p.returncode))
|
||||
|
||||
out = json.loads(outs)
|
||||
return out
|
||||
|
||||
def _init_ca(self):
|
||||
if self.ss.exists(self._secret_key):
|
||||
return
|
||||
|
@ -97,11 +114,7 @@ class CA(object):
|
|||
ca_csr['CN'] = self.cn
|
||||
|
||||
logger.info("{}: Generating CA...".format(self))
|
||||
p = subprocess.Popen(['cfssl', 'gencert', '-initca', '-'],
|
||||
stdin=subprocess.PIPE, stdout=subprocess.PIPE,
|
||||
stderr=subprocess.PIPE)
|
||||
outs, errs = p.communicate(json.dumps(ca_csr).encode())
|
||||
out = json.loads(outs)
|
||||
out = self._cfssl_call(['gencert', '-initca', '-'], obj=ca_csr)
|
||||
|
||||
f = self.ss.open(self._secret_key, 'w')
|
||||
f.write(out['key'])
|
||||
|
@ -132,11 +145,8 @@ class CA(object):
|
|||
}
|
||||
cfg.update(_ca_config)
|
||||
logger.info("{}: Generating key/CSR for {}".format(self, hosts))
|
||||
p = subprocess.Popen(['cfssl', 'genkey', '-'],
|
||||
stdin=subprocess.PIPE, stdout=subprocess.PIPE,
|
||||
stderr=subprocess.PIPE)
|
||||
outs, errs = p.communicate(json.dumps(cfg).encode())
|
||||
out = json.loads(outs)
|
||||
out = self._cfssl_call(['genkey', '-'], obj=cfg)
|
||||
|
||||
key, csr = out['key'], out['csr']
|
||||
if save is not None:
|
||||
logging.info("{}: Saving new key to secret {}".format(self, save))
|
||||
|
@ -150,12 +160,8 @@ class CA(object):
|
|||
logging.info("{}: Signing CSR".format(self))
|
||||
ca = self._cert
|
||||
cakey = self.ss.plaintext(self._secret_key)
|
||||
p = subprocess.Popen(['cfssl', 'sign', '-ca=' + ca, '-ca-key=' + cakey,
|
||||
'-profile=client-server', '-'],
|
||||
stdin=subprocess.PIPE, stdout=subprocess.PIPE,
|
||||
stderr=subprocess.PIPE)
|
||||
outs, errs = p.communicate(csr.encode())
|
||||
out = json.loads(outs)
|
||||
out = self._cfssl_call(['sign', '-ca=' + ca, '-ca-key=' + cakey,
|
||||
'-profile=client-server', '-'], stdin=csr)
|
||||
cert = out['cert']
|
||||
if save is not None:
|
||||
name = os.path.join(self.cdir, save)
|
||||
|
|
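Review bot: `_cfssl_call` in the `@ -89,6 +90,22 @@` hunk serializes the wrong variable: with `obj` given, `stdin = json.dumps(stdin)` encodes the `stdin` argument (normally `None`, producing the string `null`) instead of `obj`, so every `obj=` caller in the later `_init_ca` and genkey hunks feeds cfssl `null` rather than the CSR/config dict; the line should read `stdin = json.dumps(obj)`. The guard `if obj:` also treats an empty dict as absent and then falls through to `stdin.encode()` on `None`, which raises AttributeError; `if obj is not None:` is the intended test. The failure message interpolates `outs`, and for `genkey`/`gencert` the stdout JSON is where cfssl returns the freshly generated private key, so a partial-output failure could carry key material into whatever logs the exception reaches; consider reporting only `errs` and the return code. `_cfssl_call` ends inside its hunk, but `_init_ca` and the enclosing `CA` class continue outside it.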