| author | Kenny Woodson <kwoodson@redhat.com> | 2017-02-21 20:15:28 -0500 | 
|---|---|---|
| committer | Kenny Woodson <kwoodson@redhat.com> | 2017-02-21 20:15:28 -0500 | 
| commit | 3effaa96c8e843a5820b98cf9c2dab608481c259 (patch) | |
| tree | 4e3bd99fbb72b15ce2e6066bac1fc60815e9e032 /roles/lib_openshift/library | |
| parent | 8200377dbb3d0e6aa2b35ea369cceb03976b508b (diff) | |
Added backup feature.  Fixed a bug with reading the certificate and verifying names.  Added force option.
Diffstat (limited to 'roles/lib_openshift/library')
| -rw-r--r-- | roles/lib_openshift/library/oadm_manage_node.py | 2 | ||||
| -rw-r--r-- | roles/lib_openshift/library/oc_adm_ca_server_cert.py | 44 | ||||
| -rw-r--r-- | roles/lib_openshift/library/oc_edit.py | 2 | ||||
| -rw-r--r-- | roles/lib_openshift/library/oc_env.py | 2 | ||||
| -rw-r--r-- | roles/lib_openshift/library/oc_label.py | 2 | ||||
| -rw-r--r-- | roles/lib_openshift/library/oc_obj.py | 2 | ||||
| -rw-r--r-- | roles/lib_openshift/library/oc_process.py | 2 | ||||
| -rw-r--r-- | roles/lib_openshift/library/oc_route.py | 2 | ||||
| -rw-r--r-- | roles/lib_openshift/library/oc_scale.py | 2 | ||||
| -rw-r--r-- | roles/lib_openshift/library/oc_secret.py | 2 | ||||
| -rw-r--r-- | roles/lib_openshift/library/oc_service.py | 2 | ||||
| -rw-r--r-- | roles/lib_openshift/library/oc_serviceaccount.py | 2 | ||||
| -rw-r--r-- | roles/lib_openshift/library/oc_serviceaccount_secret.py | 2 | ||||
| -rw-r--r-- | roles/lib_openshift/library/oc_version.py | 2 | 
14 files changed, 58 insertions, 12 deletions
| diff --git a/roles/lib_openshift/library/oadm_manage_node.py b/roles/lib_openshift/library/oadm_manage_node.py
index 0ac233c72..d0bf553ae 100644
--- a/roles/lib_openshift/library/oadm_manage_node.py
+++ b/roles/lib_openshift/library/oadm_manage_node.py
@@ -34,6 +34,8 @@
 from __future__ import print_function
 import atexit
 import copy
+# pylint: disable=unused-import
+import time
 import json
 import os
 import re
diff --git a/roles/lib_openshift/library/oc_adm_ca_server_cert.py b/roles/lib_openshift/library/oc_adm_ca_server_cert.py
index 9c57435e7..8872cda3a 100644
--- a/roles/lib_openshift/library/oc_adm_ca_server_cert.py
+++ b/roles/lib_openshift/library/oc_adm_ca_server_cert.py
@@ -34,6 +34,8 @@
 from __future__ import print_function
 import atexit
 import copy
+# pylint: disable=unused-import
+import time
 import json
 import os
 import re
@@ -94,9 +96,9 @@ options:
     required: false
     default: None
     aliases: []
-  overwrite:
+  force:
     description:
-    - Overwrite existing cert files if found.  If false, any existing file will be left as-is.
+    - Force updating of the existing cert and key files
     required: false
     default: False
     aliases: []
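Review bot: The rewritten description `+    - Force updating of the existing cert and key files` is too thin for an option that decides whether a private key gets replaced: it no longer says what happens without it, which the removed `overwrite` text did. From the other hunks in this commit, the create path runs on `not server_cert.exists() or params['force']` and `exists()` now requires the existing SAN set to equal `hostnames`, so the pair appears to be regenerated with `force: false` whenever the hostname list differs; that behavior belongs in this description. Suggest `- Regenerate the server cert and private key even when an existing cert already covers exactly the requested hostnames. Without force, the pair is still regenerated if the existing cert's SAN set differs from hostnames.`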
@@ -1355,12 +1357,15 @@ class CAServerCert(OpenShiftCLI):          # Added this here as a safegaurd for stomping on the          # cert and key files if they exist          if self.config.config_options['backup']['value']: +            ext = time.strftime("%Y-%m-%d@%H:%M:%S", time.localtime(time.time())) +            date_str = "%s_" + "%s" % ext +              if os.path.exists(self.config.config_options['key']['value']):                  shutil.copy(self.config.config_options['key']['value'], -                            "%s.orig" % self.config.config_options['key']['value']) +                            date_str % self.config.config_options['key']['value'])              if os.path.exists(self.config.config_options['cert']['value']):                  shutil.copy(self.config.config_options['cert']['value'], -                            "%s.orig" % self.config.config_options['cert']['value']) +                            date_str % self.config.config_options['cert']['value'])          options = self.config.to_option_list() 
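Review bot: The backup name built on the `+            ext = time.strftime(...)` line has one-second resolution in local time, so two runs in the same second, or across a DST fold, produce the same name and `shutil.copy` silently overwrites the earlier backup of the private key. Because the key is copied rather than moved, every `force` run also leaves another readable copy of the private key beside the live one and nothing in this module prunes them; `shutil.copy` carries the mode bits over, so the copies should stay as restrictive as the original, but the accumulation itself deserves a comment. I would use UTC and a filesystem-friendly format, `ext = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())`, and add `# backups accumulate here and are never pruned; remove them once the new cert is verified` above the two copies. The `"%s_" + "%s" % ext` expression reads like a format bug at first glance because it relies on `%` binding before `+`; `date_str = "%%s_%s" % ext` says the same thing plainly. The enclosing method starts before this hunk.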
@@ -1378,13 +1383,28 @@ class CAServerCert(OpenShiftCLI):          # Would prefer pyopenssl but is not installed.          # When we verify it is, switch this code -        proc = subprocess.Popen(['openssl', 'x509', '-noout', '-subject', '-in', cert_path], +        # Here is the code to get the subject and the SAN +        # openssl x509 -text -noout -certopt \ +        #  no_header,no_version,no_serial,no_signame,no_validity,no_issuer,no_pubkey,no_sigdump,no_aux \ +        #  -in /etc/origin/master/registry.crt +        # Instead of this solution we will use a regex. +        cert_names = [] +        hostnames = self.config.config_options['hostnames']['value'].split(',') +        proc = subprocess.Popen(['openssl', 'x509', '-noout', '-text', '-in', cert_path],                                  stdout=subprocess.PIPE, stderr=subprocess.PIPE) -        stdout, _ = proc.communicate() + +        x509output, _ = proc.communicate()          if proc.returncode == 0: -            for var in self.config.config_options['hostnames']['value'].split(','): -                if var in stdout: -                    return True +            regex = re.compile(r"^\s*X509v3 Subject Alternative Name:\s*?\n\s*(.*)\s*\n", re.MULTILINE) +            match = regex.search(x509output)  # E501 +            for entry in re.split(r", *", match.group(1)): +                if entry.startswith('DNS') or entry.startswith('IP Address'): +                    cert_names.append(entry.split(':')[1]) +            # now that we have cert names let's compare +            cert_set = set(cert_names) +            hname_set = set(hostnames) +            if cert_set.issubset(hname_set) and hname_set.issubset(cert_set): +                return True          return False 
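Review bot: `match = regex.search(x509output)` on the new side is used without a None check, so a certificate that openssl parses but that carries no Subject Alternative Name extension makes `match.group(1)` raise AttributeError and fail the module, where the intent is clearly to report a non-matching cert; add `if match is None: return False` before the loop. `entry.split(':')[1]` also breaks on IPv6 SANs, where `IP Address:2001:db8::1` yields `2001` and makes a correct cert compare unequal; `entry.split(':', 1)[1]` keeps the whole address. The check compares only names, so an expired cert still counts as existing and is never renewed without `force`, even though the `-text` output parsed here already contains the Validity block; at minimum record that with `# NOTE: only SAN names are compared; validity/expiry is not checked`. `cert_set.issubset(hname_set) and hname_set.issubset(cert_set)` is simply `cert_set == hname_set`. The method begins before this hunk, and under Python 3 `communicate()` would return bytes, which `regex.search` with a str pattern rejects, so this presumably assumes Python 2.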
@@ -1396,7 +1416,7 @@ class CAServerCert(OpenShiftCLI):                                      params['debug'],                                      {'cert':          {'value': params['cert'], 'include': True},                                       'hostnames':     {'value': ','.join(params['hostnames']), 'include': True}, -                                     'overwrite':     {'value': params['overwrite'], 'include': True}, +                                     'overwrite':     {'value': True, 'include': True},                                       'key':           {'value': params['key'], 'include': True},                                       'signer_cert':   {'value': params['signer_cert'], 'include': True},                                       'signer_key':    {'value': params['signer_key'], 'include': True}, @@ -1412,7 +1432,7 @@ class CAServerCert(OpenShiftCLI):              ########              # Create              ######## -            if not server_cert.exists() or params['overwrite']: +            if not server_cert.exists() or params['force']:                  if check_mode:                      return {'changed': True, @@ -1455,7 +1475,7 @@ def main():              signer_key=dict(default='/etc/origin/master/ca.key', type='str'),              signer_serial=dict(default='/etc/origin/master/ca.serial.txt', type='str'),              hostnames=dict(default=[], type='list'), -            overwrite=dict(default=False, type='bool'), +            force=dict(default=False, type='bool'),          ),          supports_check_mode=True,      ) diff --git a/roles/lib_openshift/library/oc_edit.py b/roles/lib_openshift/library/oc_edit.py index 1b1faf496..2ead608ac 100644 --- a/roles/lib_openshift/library/oc_edit.py +++ b/roles/lib_openshift/library/oc_edit.py @@ -34,6 +34,8 @@  from __future__ import print_function  import atexit  import copy +# pylint: disable=unused-import +import time  import json  import os  import re 
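Review bot: `'overwrite': {'value': True, 'include': True}` now hands `--overwrite` to the CLI unconditionally, so the only remaining guard against replacing an existing private key is the `exists()` comparison made further down; that is a deliberate change of safeguard and should be recorded at the site, e.g. `# always let the CLI overwrite; whether to regenerate at all is decided by exists()/force below`. It also means that if `exists()` misjudges the certificate (it now parses the SAN with a regex), the key on disk is rotated without `force` and without any error. The surrounding method begins and ends outside this hunk.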
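Review bot: `force=dict(default=False, type='bool')` replaces `overwrite` in the argument spec without an alias, so any existing playbook that sets `overwrite:` now fails module argument validation instead of getting the new behavior. `force=dict(default=False, type='bool', aliases=['overwrite'])` keeps those callers working, and the DOCUMENTATION entry for `force` in this same commit should then list the alias instead of `aliases: []`. `main()` continues outside this hunk.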
diff --git a/roles/lib_openshift/library/oc_env.py b/roles/lib_openshift/library/oc_env.py
index 7c2ccb98f..49a03b0a7 100644
--- a/roles/lib_openshift/library/oc_env.py
+++ b/roles/lib_openshift/library/oc_env.py
@@ -34,6 +34,8 @@
 from __future__ import print_function
 import atexit
 import copy
+# pylint: disable=unused-import
+import time
 import json
 import os
 import re
diff --git a/roles/lib_openshift/library/oc_label.py b/roles/lib_openshift/library/oc_label.py
index 0db8585a4..4bb67b2b5 100644
--- a/roles/lib_openshift/library/oc_label.py
+++ b/roles/lib_openshift/library/oc_label.py
@@ -34,6 +34,8 @@
 from __future__ import print_function
 import atexit
 import copy
+# pylint: disable=unused-import
+import time
 import json
 import os
 import re
diff --git a/roles/lib_openshift/library/oc_obj.py b/roles/lib_openshift/library/oc_obj.py
index 6d0b391b9..a9bec980c 100644
--- a/roles/lib_openshift/library/oc_obj.py
+++ b/roles/lib_openshift/library/oc_obj.py
@@ -34,6 +34,8 @@
 from __future__ import print_function
 import atexit
 import copy
+# pylint: disable=unused-import
+import time
 import json
 import os
 import re
diff --git a/roles/lib_openshift/library/oc_process.py b/roles/lib_openshift/library/oc_process.py
index a1ee79f6e..2565bd895 100644
--- a/roles/lib_openshift/library/oc_process.py
+++ b/roles/lib_openshift/library/oc_process.py
@@ -34,6 +34,8 @@
 from __future__ import print_function
 import atexit
 import copy
+# pylint: disable=unused-import
+import time
 import json
 import os
 import re
diff --git a/roles/lib_openshift/library/oc_route.py b/roles/lib_openshift/library/oc_route.py
index 4b5c4460c..b1f97505e 100644
--- a/roles/lib_openshift/library/oc_route.py
+++ b/roles/lib_openshift/library/oc_route.py
@@ -34,6 +34,8 @@
 from __future__ import print_function
 import atexit
 import copy
+# pylint: disable=unused-import
+import time
 import json
 import os
 import re
diff --git a/roles/lib_openshift/library/oc_scale.py b/roles/lib_openshift/library/oc_scale.py
index a37b2aba0..babf489ad 100644
--- a/roles/lib_openshift/library/oc_scale.py
+++ b/roles/lib_openshift/library/oc_scale.py
@@ -34,6 +34,8 @@
 from __future__ import print_function
 import atexit
 import copy
+# pylint: disable=unused-import
+import time
 import json
 import os
 import re
diff --git a/roles/lib_openshift/library/oc_secret.py b/roles/lib_openshift/library/oc_secret.py
index c423e9442..020d1a89f 100644
--- a/roles/lib_openshift/library/oc_secret.py
+++ b/roles/lib_openshift/library/oc_secret.py
@@ -34,6 +34,8 @@
 from __future__ import print_function
 import atexit
 import copy
+# pylint: disable=unused-import
+import time
 import json
 import os
 import re
diff --git a/roles/lib_openshift/library/oc_service.py b/roles/lib_openshift/library/oc_service.py
index 319ec4bd7..99829a5e2 100644
--- a/roles/lib_openshift/library/oc_service.py
+++ b/roles/lib_openshift/library/oc_service.py
@@ -34,6 +34,8 @@
 from __future__ import print_function
 import atexit
 import copy
+# pylint: disable=unused-import
+import time
 import json
 import os
 import re
diff --git a/roles/lib_openshift/library/oc_serviceaccount.py b/roles/lib_openshift/library/oc_serviceaccount.py
index 0d1705414..ec2c24983 100644
--- a/roles/lib_openshift/library/oc_serviceaccount.py
+++ b/roles/lib_openshift/library/oc_serviceaccount.py
@@ -34,6 +34,8 @@
 from __future__ import print_function
 import atexit
 import copy
+# pylint: disable=unused-import
+import time
 import json
 import os
 import re
diff --git a/roles/lib_openshift/library/oc_serviceaccount_secret.py b/roles/lib_openshift/library/oc_serviceaccount_secret.py
index 5f07528a0..1c7855f37 100644
--- a/roles/lib_openshift/library/oc_serviceaccount_secret.py
+++ b/roles/lib_openshift/library/oc_serviceaccount_secret.py
@@ -34,6 +34,8 @@
 from __future__ import print_function
 import atexit
 import copy
+# pylint: disable=unused-import
+import time
 import json
 import os
 import re
diff --git a/roles/lib_openshift/library/oc_version.py b/roles/lib_openshift/library/oc_version.py
index 9b660e1d3..8916dc0e0 100644
--- a/roles/lib_openshift/library/oc_version.py
+++ b/roles/lib_openshift/library/oc_version.py
@@ -34,6 +34,8 @@
 from __future__ import print_function
 import atexit
 import copy
+# pylint: disable=unused-import
+import time
 import json
 import os
 import re |
