diff options
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/Bcfg2/Server/Plugins/Packages/__init__.py | 18 | ||||
| -rw-r--r-- | src/lib/Bcfg2/Server/Plugins/SSHbase.py | 88 | ||||
| -rw-r--r-- | src/lib/Bcfg2/Server/Plugins/SSLCA.py | 85 |
3 files changed, 106 insertions, 85 deletions
diff --git a/src/lib/Bcfg2/Server/Plugins/Packages/__init__.py b/src/lib/Bcfg2/Server/Plugins/Packages/__init__.py index 628ba929f..c8f643415 100644 --- a/src/lib/Bcfg2/Server/Plugins/Packages/__init__.py +++ b/src/lib/Bcfg2/Server/Plugins/Packages/__init__.py @@ -34,7 +34,7 @@ class Packages(Bcfg2.Server.Plugin.Plugin, or defer to package manager libraries for truly dynamic resolution. - .. private-include: _build_packages, _get_collection""" + .. private-include: _build_packages""" #: Packages is an alternative to #: :mod:`Bcfg2.Server.Plugins.Pkgmgr` and conflicts with it. @@ -177,7 +177,7 @@ class Packages(Bcfg2.Server.Plugin.Plugin, perms='0644', important='true') - collection = self._get_collection(metadata) + collection = self.get_collection(metadata) entry.text = collection.get_config() for (key, value) in list(attrib.items()): entry.attrib.__setitem__(key, value) @@ -199,7 +199,7 @@ class Packages(Bcfg2.Server.Plugin.Plugin, :return: lxml.etree._Element - The fully bound entry """ if entry.tag == 'Package': - collection = self._get_collection(metadata) + collection = self.get_collection(metadata) entry.set('version', self.core.setup.cfp.get("packages", "version", default="auto")) @@ -230,7 +230,7 @@ class Packages(Bcfg2.Server.Plugin.Plugin, if entry.tag == 'Package': if self.core.setup.cfp.getboolean("packages", "magic_groups", default=False): - collection = self._get_collection(metadata) + collection = self.get_collection(metadata) if collection.magic_groups_match(): return True else: @@ -275,7 +275,7 @@ class Packages(Bcfg2.Server.Plugin.Plugin, :type structures: list of lxml.etree._Element objects :returns: None """ - collection = self._get_collection(metadata) + collection = self.get_collection(metadata) indep = lxml.etree.Element('Independent') self._build_packages(metadata, indep, structures, collection=collection) @@ -301,7 +301,7 @@ class Packages(Bcfg2.Server.Plugin.Plugin, :type structures: list of lxml.etree._Element objects :param collection: The collection of sources for this client. If none is given, one will be created with - :func:`_get_collection` + :func:`get_collection` :type collection: Bcfg2.Server.Plugins.Packages.Collection.Collection """ if self.disableResolver: @@ -309,7 +309,7 @@ class Packages(Bcfg2.Server.Plugin.Plugin, return if collection is None: - collection = self._get_collection(metadata) + collection = self.get_collection(metadata) # initial is the set of packages that are explicitly specified # in the configuration initial = set() @@ -442,7 +442,7 @@ class Packages(Bcfg2.Server.Plugin.Plugin, if kfile not in keyfiles: os.unlink(kfile) - def _get_collection(self, metadata): + def get_collection(self, metadata): """ Get a :class:`Bcfg2.Server.Plugins.Packages.Collection.Collection` object for this client. @@ -508,7 +508,7 @@ class Packages(Bcfg2.Server.Plugin.Plugin, :type metadata: Bcfg2.Server.Plugins.Metadata.ClientMetadata :return: dict of lists of ``url_map`` data """ - collection = self._get_collection(metadata) + collection = self.get_collection(metadata) return dict(sources=collection.get_additional_data()) def end_client_run(self, metadata): diff --git a/src/lib/Bcfg2/Server/Plugins/SSHbase.py b/src/lib/Bcfg2/Server/Plugins/SSHbase.py index 1d5fb87c2..0d6b47807 100644 --- a/src/lib/Bcfg2/Server/Plugins/SSHbase.py +++ b/src/lib/Bcfg2/Server/Plugins/SSHbase.py @@ -9,11 +9,14 @@ import logging import tempfile from subprocess import Popen, PIPE import Bcfg2.Server.Plugin -from Bcfg2.Compat import u_str, reduce, b64encode +from Bcfg2.Compat import u_str, reduce, b64encode # pylint: disable=W0622 + +LOGGER = logging.getLogger(__name__) -logger = logging.getLogger(__name__) class KeyData(Bcfg2.Server.Plugin.SpecificData): + """ class to handle key data for HostKeyEntrySet """ + def __init__(self, name, specific, encoding): Bcfg2.Server.Plugin.SpecificData.__init__(self, name, @@ -24,7 +27,14 @@ class KeyData(Bcfg2.Server.Plugin.SpecificData): def __lt__(self, other): return self.name < other.name - def bind_entry(self, entry, metadata): + def bind_entry(self, entry, _): + """ Bind the entry with the data of this key + + :param entry: The abstract entry to bind. This will be + modified in place. + :type entry: lxml.etree._Element + :returns: None + """ entry.set('type', 'file') if entry.get('encoding') == 'base64': entry.text = b64encode(self.data) @@ -32,22 +42,24 @@ class KeyData(Bcfg2.Server.Plugin.SpecificData): try: entry.text = u_str(self.data, self.encoding) except UnicodeDecodeError: - e = sys.exc_info()[1] - logger.error("Failed to decode %s: %s" % (entry.get('name'), e)) - logger.error("Please verify you are using the proper encoding.") - raise Bcfg2.Server.Plugin.PluginExecutionError + msg = "Failed to decode %s: %s" % (entry.get('name'), + sys.exc_info()[1]) + LOGGER.error(msg) + LOGGER.error("Please verify you are using the proper encoding") + raise Bcfg2.Server.Plugin.PluginExecutionError(msg) except ValueError: - e = sys.exc_info()[1] - logger.error("Error in specification for %s" % + msg = "Error in specification for %s: %s" % (entry.get('name'), + sys.exc_info()[1]) + LOGGER.error(msg) + LOGGER.error("You need to specify base64 encoding for %s" % entry.get('name')) - logger.error(str(e)) - logger.error("You need to specify base64 encoding for %s." % - entry.get('name')) - raise Bcfg2.Server.Plugin.PluginExecutionError + raise Bcfg2.Server.Plugin.PluginExecutionError(msg) if entry.text in ['', None]: entry.set('empty', 'true') + class HostKeyEntrySet(Bcfg2.Server.Plugin.EntrySet): + """ EntrySet to handle all kinds of host keys """ def __init__(self, basename, path): if basename.startswith("ssh_host_key"): encoding = "base64" @@ -67,6 +79,7 @@ class HostKeyEntrySet(Bcfg2.Server.Plugin.EntrySet): class KnownHostsEntrySet(Bcfg2.Server.Plugin.EntrySet): + """ EntrySet to handle the ssh_known_hosts file """ def __init__(self, path): Bcfg2.Server.Plugin.EntrySet.__init__(self, "ssh_known_hosts", path, KeyData, None) @@ -128,11 +141,12 @@ class SSHbase(Bcfg2.Server.Plugin.Plugin, self.entries = dict() self.Entries['Path'] = dict() - self.entries['/etc/ssh/ssh_known_hosts'] = KnownHostsEntrySet(self.data) + self.entries['/etc/ssh/ssh_known_hosts'] = \ + KnownHostsEntrySet(self.data) self.Entries['Path']['/etc/ssh/ssh_known_hosts'] = self.build_skn for keypattern in self.keypatterns: - self.entries["/etc/ssh/" + keypattern] = HostKeyEntrySet(keypattern, - self.data) + self.entries["/etc/ssh/" + keypattern] = \ + HostKeyEntrySet(keypattern, self.data) self.Entries['Path']["/etc/ssh/" + keypattern] = self.build_hk def get_skn(self): @@ -159,17 +173,19 @@ class SSHbase(Bcfg2.Server.Plugin.Plugin, newnames.add(name.split('.')[0]) try: newips.add(self.get_ipcache_entry(name)[0]) - except: + except: # pylint: disable=W0702 continue names[cmeta.hostname].update(newnames) names[cmeta.hostname].update(cmeta.addresses) names[cmeta.hostname].update(newips) - # TODO: Only perform reverse lookups on IPs if an option is set. + # TODO: Only perform reverse lookups on IPs if an + # option is set. if True: for ip in newips: try: - names[cmeta.hostname].update(self.get_namecache_entry(ip)) - except: + names[cmeta.hostname].update( + self.get_namecache_entry(ip)) + except: # pylint: disable=W0702 continue names[cmeta.hostname] = sorted(names[cmeta.hostname]) @@ -178,7 +194,8 @@ class SSHbase(Bcfg2.Server.Plugin.Plugin, pubkeys.sort() for pubkey in pubkeys: for entry in sorted(self.entries[pubkey].entries.values(), - key=lambda e: e.specific.hostname or e.specific.group): + key=lambda e: (e.specific.hostname or + e.specific.group)): specific = entry.specific hostnames = [] if specific.hostname and specific.hostname in names: @@ -251,9 +268,8 @@ class SSHbase(Bcfg2.Server.Plugin.Plugin, del self.static[event.filename] self.skn = False else: - self.static[event.filename] = \ - Bcfg2.Server.Plugin.FileBacked(os.path.join(self.data, - event.filename)) + self.static[event.filename] = Bcfg2.Server.Plugin.FileBacked( + os.path.join(self.data, event.filename)) self.static[event.filename].HandleEvent(event) self.skn = False return @@ -304,28 +320,29 @@ class SSHbase(Bcfg2.Server.Plugin.Plugin, return self.namecache[cip] except socket.gaierror: self.namecache[cip] = False - self.logger.error("Failed to find any names associated with IP address %s" % cip) + self.logger.error("Failed to find any names associated with " + "IP address %s" % cip) raise def build_skn(self, entry, metadata): """This function builds builds a host specific known_hosts file.""" try: - rv = self.entries[entry.get('name')].bind_entry(entry, metadata) + self.entries[entry.get('name')].bind_entry(entry, metadata) except Bcfg2.Server.Plugin.PluginExecutionError: - client = metadata.hostname entry.text = self.skn hostkeys = [] - for k in self.keypatterns: - if k.endswith(".pub"): + for key in self.keypatterns: + if key.endswith(".pub"): try: - hostkeys.append(self.entries["/etc/ssh/" + - k].best_matching(metadata)) + hostkeys.append( + self.entries["/etc/ssh/" + + key].best_matching(metadata)) except Bcfg2.Server.Plugin.PluginExecutionError: pass hostkeys.sort() for hostkey in hostkeys: - entry.text += "localhost,localhost.localdomain,127.0.0.1 %s" % \ - (hostkey.data) + entry.text += "localhost,localhost.localdomain,127.0.0.1 %s" \ + % hostkey.data self.entries[entry.get('name')].bind_info_to_entry(entry, metadata) def build_hk(self, entry, metadata): @@ -410,5 +427,6 @@ class SSHbase(Bcfg2.Server.Plugin.Plugin, if log: print("Wrote file %s" % filename) except KeyError: - self.logger.error("Failed to pull %s. This file does not currently " - "exist on the client" % entry.get('name')) + self.logger.error("Failed to pull %s. This file does not " + "currently exist on the client" % + entry.get('name')) diff --git a/src/lib/Bcfg2/Server/Plugins/SSLCA.py b/src/lib/Bcfg2/Server/Plugins/SSLCA.py index 8ca95ff62..666f27e53 100644 --- a/src/lib/Bcfg2/Server/Plugins/SSLCA.py +++ b/src/lib/Bcfg2/Server/Plugins/SSLCA.py @@ -1,7 +1,9 @@ +""" The SSLCA generator handles the creation and management of ssl +certificates and their keys. """ + import Bcfg2.Server.Plugin import Bcfg2.Options import lxml.etree -import posixpath import tempfile import os from subprocess import Popen, PIPE, STDOUT @@ -9,11 +11,8 @@ from Bcfg2.Compat import ConfigParser, md5 class SSLCA(Bcfg2.Server.Plugin.GroupSpool): - """ - The SSLCA generator handles the creation and - management of ssl certificates and their keys. - """ - name = 'SSLCA' + """ The SSLCA generator handles the creation and management of ssl + certificates and their keys. """ __author__ = 'g.hagger@gmail.com' __child__ = Bcfg2.Server.Plugin.FileBacked key_specs = {} @@ -34,7 +33,7 @@ class SSLCA(Bcfg2.Server.Plugin.GroupSpool): return epath = "".join([self.data, self.handles[event.requestID], event.filename]) - if posixpath.isdir(epath): + if os.path.isdir(epath): ident = self.handles[event.requestID] + event.filename else: ident = self.handles[event.requestID][:-1] @@ -44,16 +43,20 @@ class SSLCA(Bcfg2.Server.Plugin.GroupSpool): if event.filename.endswith('.xml'): if action in ['exists', 'created', 'changed']: if event.filename.endswith('key.xml'): - key_spec = dict(list(lxml.etree.parse(epath, - parser=Bcfg2.Server.XMLParser).find('Key').items())) + key_spec = dict(list(lxml.etree.parse( + epath, + parser=Bcfg2.Server.XMLParser + ).find('Key').items())) self.key_specs[ident] = { 'bits': key_spec.get('bits', 2048), 'type': key_spec.get('type', 'rsa') } self.Entries['Path'][ident] = self.get_key elif event.filename.endswith('cert.xml'): - cert_spec = dict(list(lxml.etree.parse(epath, - parser=Bcfg2.Server.XMLParser).find('Cert').items())) + cert_spec = dict(list(lxml.etree.parse( + epath, + parser=Bcfg2.Server.XMLParser + ).find('Cert').items())) ca = cert_spec.get('ca', 'default') self.cert_specs[ident] = { 'ca': ca, @@ -67,9 +70,9 @@ class SSLCA(Bcfg2.Server.Plugin.GroupSpool): 'O': cert_spec.get('o'), 'emailAddress': cert_spec.get('emailaddress') } - cp = ConfigParser.ConfigParser() - cp.read(self.core.cfile) - self.CAs[ca] = dict(cp.items('sslca_' + ca)) + cfp = ConfigParser.ConfigParser() + cfp.read(self.core.cfile) + self.CAs[ca] = dict(cfp.items('sslca_' + ca)) self.Entries['Path'][ident] = self.get_cert elif event.filename.endswith("info.xml"): self.infoxml[ident] = Bcfg2.Server.Plugin.InfoXML(epath) @@ -79,9 +82,9 @@ class SSLCA(Bcfg2.Server.Plugin.GroupSpool): del self.Entries['Path'][ident] else: if action in ['exists', 'created']: - if posixpath.isdir(epath): + if os.path.isdir(epath): self.AddDirectoryMonitor(epath[len(self.data):]) - if ident not in self.entries and posixpath.isfile(epath): + if ident not in self.entries and os.path.isfile(epath): self.entries[fname] = self.__child__(epath) self.entries[fname].HandleEvent(event) if action == 'changed': @@ -103,7 +106,7 @@ class SSLCA(Bcfg2.Server.Plugin.GroupSpool): filename = os.path.join(path, "%s.H_%s" % (os.path.basename(path), metadata.hostname)) if filename not in list(self.entries.keys()): - key = self.build_key(filename, entry, metadata) + key = self.build_key(entry) open(self.data + filename, 'w').write(key) entry.text = key self.entries[filename] = self.__child__(self.data + filename) @@ -118,18 +121,15 @@ class SSLCA(Bcfg2.Server.Plugin.GroupSpool): else: Bcfg2.Server.Plugin.bind_info(entry, metadata) - def build_key(self, filename, entry, metadata): - """ - generates a new key according the the specification - """ - type = self.key_specs[entry.get('name')]['type'] + def build_key(self, entry): + """ generates a new key according the the specification """ + ktype = self.key_specs[entry.get('name')]['type'] bits = self.key_specs[entry.get('name')]['bits'] - if type == 'rsa': + if ktype == 'rsa': cmd = ["openssl", "genrsa", bits] - elif type == 'dsa': + elif ktype == 'dsa': cmd = ["openssl", "dsaparam", "-noout", "-genkey", bits] - key = Popen(cmd, stdout=PIPE).stdout.read() - return key + return Popen(cmd, stdout=PIPE).stdout.read() def get_cert(self, entry, metadata): """ @@ -145,12 +145,12 @@ class SSLCA(Bcfg2.Server.Plugin.GroupSpool): key_filename = os.path.join(key, "%s.H_%s" % (os.path.basename(key), metadata.hostname)) if key_filename not in self.entries: - e = lxml.etree.Element('Path') - e.set('name', key) - self.core.Bind(e, metadata) + el = lxml.etree.Element('Path') + el.set('name', key) + self.core.Bind(el, metadata) # check if we have a valid hostfile - if (filename in list(self.entries.keys()) and + if (filename in list(self.entries.keys()) and self.verify_cert(filename, key_filename, entry)): entry.text = self.entries[filename].data else: @@ -168,6 +168,8 @@ class SSLCA(Bcfg2.Server.Plugin.GroupSpool): Bcfg2.Server.Plugin.bind_info(entry, metadata) def verify_cert(self, filename, key_filename, entry): + """ Perform certification verification against the CA and + against the key """ ca = self.CAs[self.cert_specs[entry.get('name')]['ca']] do_verify = ca.get('chaincert') if do_verify: @@ -253,8 +255,8 @@ class SSLCA(Bcfg2.Server.Plugin.GroupSpool): """ # create temp request config file conffile = open(tempfile.mkstemp()[1], 'w') - cp = ConfigParser.ConfigParser({}) - cp.optionxform = str + cfp = ConfigParser.ConfigParser({}) + cfp.optionxform = str defaults = { 'req': { 'default_md': 'sha1', @@ -270,20 +272,21 @@ class SSLCA(Bcfg2.Server.Plugin.GroupSpool): 'alt_names': {} } for section in list(defaults.keys()): - cp.add_section(section) + cfp.add_section(section) for key in defaults[section]: - cp.set(section, key, defaults[section][key]) - x = 1 + cfp.set(section, key, defaults[section][key]) + altnamenum = 1 altnames = list(metadata.aliases) altnames.append(metadata.hostname) for altname in altnames: - cp.set('alt_names', 'DNS.' + str(x), altname) - x += 1 + cfp.set('alt_names', 'DNS.' + str(altnamenum), altname) + altnamenum += 1 for item in ['C', 'L', 'ST', 'O', 'OU', 'emailAddress']: if self.cert_specs[entry.get('name')][item]: - cp.set('req_distinguished_name', item, self.cert_specs[entry.get('name')][item]) - cp.set('req_distinguished_name', 'CN', metadata.hostname) - cp.write(conffile) + cfp.set('req_distinguished_name', item, + self.cert_specs[entry.get('name')][item]) + cfp.set('req_distinguished_name', 'CN', metadata.hostname) + cfp.write(conffile) conffile.close() return conffile.name @@ -296,5 +299,5 @@ class SSLCA(Bcfg2.Server.Plugin.GroupSpool): key = self.data + key_filename cmd = ["openssl", "req", "-new", "-config", req_config, "-days", days, "-key", key, "-text", "-out", req] - res = Popen(cmd, stdout=PIPE).stdout.read() + Popen(cmd, stdout=PIPE).wait() return req |