clustercfg: extract cfssl handling to separate function

2019-04-09 13:28:46 +02:00 · 2019-04-09 13:28:46 +02:00 · 598a079f57
parent acd001bf83
commit 598a079f57
1 changed files with 22 additions and 16 deletions
--- a/cluster/clustercfg/ca.py
+++ b/cluster/clustercfg/ca.py
@ -1,3 +1,4 @@
+# encoding: utf-8
 import json
 import logging
 import os
@ -89,6 +90,22 @@ class CA(object):
        with open(self._cert) as f:
            return f.read()

+    def _cfssl_call(self, args, obj=None, stdin=None):
+        p = subprocess.Popen(['cfssl'] + args,
+                             stdin=subprocess.PIPE, stdout=subprocess.PIPE,
+                             stderr=subprocess.PIPE)
+        if obj:
+            stdin = json.dumps(stdin)
+
+        outs, errs = p.communicate(stdin.encode())
+        if p.returncode != 0:
+            raise Exception(
+                'cfssl failed. stderr: %r, stdout: %r, code: %r' % (
+                    errs, outs, p.returncode))
+
+        out = json.loads(outs)
+        return out
+
    def _init_ca(self):
        if self.ss.exists(self._secret_key):
            return
@ -97,11 +114,7 @@ class CA(object):
        ca_csr['CN'] = self.cn

        logger.info("{}: Generating CA...".format(self))
-        p = subprocess.Popen(['cfssl', 'gencert', '-initca', '-'],
-                             stdin=subprocess.PIPE, stdout=subprocess.PIPE,
-                             stderr=subprocess.PIPE)
-        outs, errs = p.communicate(json.dumps(ca_csr).encode())
-        out = json.loads(outs)
+        out = self._cfssl_call(['gencert', '-initca', '-'], obj=ca_csr)

        f = self.ss.open(self._secret_key, 'w')
        f.write(out['key'])
@ -132,11 +145,8 @@ class CA(object):
        }
        cfg.update(_ca_config)
        logger.info("{}: Generating key/CSR for {}".format(self, hosts))
-        p = subprocess.Popen(['cfssl', 'genkey', '-'],
-                             stdin=subprocess.PIPE, stdout=subprocess.PIPE,
-                             stderr=subprocess.PIPE)
-        outs, errs = p.communicate(json.dumps(cfg).encode())
-        out = json.loads(outs)
+        out = self._cfssl_call(['genkey', '-'], obj=cfg)
+
        key, csr = out['key'], out['csr']
        if save is not None:
            logging.info("{}: Saving new key to secret {}".format(self, save))
@ -150,12 +160,8 @@ class CA(object):
        logging.info("{}: Signing CSR".format(self))
        ca = self._cert
        cakey = self.ss.plaintext(self._secret_key)
-        p = subprocess.Popen(['cfssl', 'sign', '-ca=' + ca, '-ca-key=' + cakey,
-                              '-profile=client-server', '-'],
-                             stdin=subprocess.PIPE, stdout=subprocess.PIPE,
-                             stderr=subprocess.PIPE)
-        outs, errs = p.communicate(csr.encode())
-        out = json.loads(outs)
+        out = self._cfssl_call(['sign', '-ca=' + ca, '-ca-key=' + cakey,
+                                '-profile=client-server', '-'], stdin=csr)
        cert = out['cert']
        if save is not None:
            name = os.path.join(self.cdir, save)