Merge "Policy plugin: Add devstack/admin-utils for client auth"
This commit is contained in:
commit
d7c6466204
@ -201,6 +201,13 @@ function nsxp_configure_service {
|
||||
_nsxp_ini_set retries $NSX_RETRIES
|
||||
_nsxp_ini_set insecure $NSX_INSECURE
|
||||
_nsxp_ini_set ca_file $NSX_CA_FILE
|
||||
|
||||
if [[ "$NSX_USE_CLIENT_CERT_AUTH" == "True" ]]; then
|
||||
_nsxp_ini_set nsx_use_client_auth "True"
|
||||
_nsxp_ini_set nsx_client_cert_file "$CLIENT_CERT_FILE"
|
||||
_nsxp_ini_set nsx_client_cert_storage "nsx-db"
|
||||
_nsxp_ini_set nsx_client_cert_pk_password "openstack"
|
||||
fi
|
||||
}
|
||||
|
||||
function init_vmware_nsx_p {
|
||||
|
@ -597,6 +597,29 @@ NSX Policy Plugin
|
||||
nsxadmin -r routers -o list
|
||||
|
||||
|
||||
Client Certificate
|
||||
~~~~~~~~~~~~~~~~~~
|
||||
|
||||
- Generate new client certificate (this command will delete previous certificate if exists)::
|
||||
|
||||
nsxadmin -r certificate -o generate [--property username=<username> --property password=<password> --property key-size=<size> --property sig-alg=<alg> --property valid-days=<days> --property country=<country> --property state=<state> --property org=<organization> --property unit=<unit> --property host=<hostname>]
|
||||
|
||||
- Delete client certificate::
|
||||
|
||||
nsxadmin -r certificate -o clean
|
||||
|
||||
- Show client certificate details::
|
||||
|
||||
nsxadmin -r certificate -o show
|
||||
|
||||
- Import external certificate to NSX::
|
||||
|
||||
nsxadmin -r certificate -o import [--property username=<username> --property password=<password> --property filename=<cert filename>]
|
||||
|
||||
- List certificates associated with openstack principal identity in NSX::
|
||||
|
||||
nsxadmin -r certificate -o nsx-list
|
||||
|
||||
Upgrade Steps (NSX-T Version 1.0.0 to Version 1.1.0)
|
||||
----------------------------------------------------
|
||||
|
||||
|
@ -137,26 +137,29 @@ def get_client_cert_provider(conf_path=cfg.CONF.nsx_v3):
|
||||
return DbCertProvider
|
||||
|
||||
|
||||
def get_nsxlib_wrapper(nsx_username=None, nsx_password=None, basic_auth=False):
|
||||
def get_nsxlib_wrapper(nsx_username=None, nsx_password=None, basic_auth=False,
|
||||
plugin_conf=None):
|
||||
client_cert_provider = None
|
||||
if not basic_auth:
|
||||
# if basic auth requested, dont use cert file even if provided
|
||||
client_cert_provider = get_client_cert_provider()
|
||||
|
||||
if not plugin_conf:
|
||||
plugin_conf = cfg.CONF.nsx_v3
|
||||
nsxlib_config = config.NsxLibConfig(
|
||||
username=nsx_username or cfg.CONF.nsx_v3.nsx_api_user,
|
||||
password=nsx_password or cfg.CONF.nsx_v3.nsx_api_password,
|
||||
username=nsx_username or plugin_conf.nsx_api_user,
|
||||
password=nsx_password or plugin_conf.nsx_api_password,
|
||||
client_cert_provider=client_cert_provider,
|
||||
retries=cfg.CONF.nsx_v3.http_retries,
|
||||
insecure=cfg.CONF.nsx_v3.insecure,
|
||||
ca_file=cfg.CONF.nsx_v3.ca_file,
|
||||
concurrent_connections=cfg.CONF.nsx_v3.concurrent_connections,
|
||||
http_timeout=cfg.CONF.nsx_v3.http_timeout,
|
||||
http_read_timeout=cfg.CONF.nsx_v3.http_read_timeout,
|
||||
conn_idle_timeout=cfg.CONF.nsx_v3.conn_idle_timeout,
|
||||
retries=plugin_conf.http_retries,
|
||||
insecure=plugin_conf.insecure,
|
||||
ca_file=plugin_conf.ca_file,
|
||||
concurrent_connections=plugin_conf.concurrent_connections,
|
||||
http_timeout=plugin_conf.http_timeout,
|
||||
http_read_timeout=plugin_conf.http_read_timeout,
|
||||
conn_idle_timeout=plugin_conf.conn_idle_timeout,
|
||||
http_provider=None,
|
||||
max_attempts=cfg.CONF.nsx_v3.retries,
|
||||
nsx_api_managers=cfg.CONF.nsx_v3.nsx_api_managers,
|
||||
max_attempts=plugin_conf.retries,
|
||||
nsx_api_managers=plugin_conf.nsx_api_managers,
|
||||
plugin_scope=OS_NEUTRON_ID_SCOPE,
|
||||
plugin_tag=NSX_NEUTRON_PLUGIN,
|
||||
plugin_ver=n_version.version_info.release_string(),
|
||||
|
250
vmware_nsx/shell/admin/plugins/common/v3_common_cert.py
Normal file
250
vmware_nsx/shell/admin/plugins/common/v3_common_cert.py
Normal file
@ -0,0 +1,250 @@
|
||||
# Copyright 2018 VMware, Inc. All rights reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
|
||||
from oslo_log import log as logging
|
||||
|
||||
from neutron_lib import context
|
||||
|
||||
from vmware_nsx.plugins.nsx_v3 import cert_utils
|
||||
from vmware_nsx.shell.admin.plugins.common import utils as admin_utils
|
||||
from vmware_nsx.shell.admin.plugins.nsxv3.resources import utils
|
||||
from vmware_nsxlib.v3 import client_cert
|
||||
from vmware_nsxlib.v3 import exceptions
|
||||
from vmware_nsxlib.v3 import trust_management
|
||||
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
||||
CERT_DEFAULTS = {'key-size': 2048,
|
||||
'sig-alg': 'sha256',
|
||||
'valid-days': 3650,
|
||||
'country': 'US',
|
||||
'state': 'California',
|
||||
'org': 'default org',
|
||||
'unit': 'default unit',
|
||||
'host': 'defaulthost.org'}
|
||||
|
||||
|
||||
def get_nsx_trust_management(plugin_conf, **kwargs):
|
||||
username, password = None, None
|
||||
if kwargs.get('property'):
|
||||
properties = admin_utils.parse_multi_keyval_opt(kwargs['property'])
|
||||
username = properties.get('user')
|
||||
password = properties.get('password')
|
||||
|
||||
nsx_client = utils.get_nsxv3_client(username, password, True,
|
||||
plugin_conf=plugin_conf)
|
||||
nsx_trust = trust_management.NsxLibTrustManagement(nsx_client, {})
|
||||
return nsx_trust
|
||||
|
||||
|
||||
def get_certificate_manager(plugin_conf, **kwargs):
|
||||
storage_driver_type = plugin_conf.nsx_client_cert_storage.lower()
|
||||
LOG.info("Certificate storage is %s", storage_driver_type)
|
||||
if storage_driver_type == 'nsx-db':
|
||||
storage_driver = cert_utils.DbCertificateStorageDriver(
|
||||
context.get_admin_context())
|
||||
elif storage_driver_type == 'none':
|
||||
storage_driver = cert_utils.DummyCertificateStorageDriver()
|
||||
# TODO(annak) - add support for barbican storage driver
|
||||
|
||||
return client_cert.ClientCertificateManager(
|
||||
cert_utils.NSX_OPENSTACK_IDENTITY,
|
||||
get_nsx_trust_management(plugin_conf, **kwargs),
|
||||
storage_driver)
|
||||
|
||||
|
||||
def verify_client_cert_on(plugin_conf):
|
||||
if plugin_conf.nsx_use_client_auth:
|
||||
return True
|
||||
|
||||
LOG.info("Operation not applicable since client authentication "
|
||||
"is disabled")
|
||||
return False
|
||||
|
||||
|
||||
def generate_cert(plugin_conf, **kwargs):
|
||||
"""Generate self signed client certificate and private key
|
||||
"""
|
||||
|
||||
if not verify_client_cert_on(plugin_conf):
|
||||
return
|
||||
|
||||
if plugin_conf.nsx_client_cert_storage.lower() == "none":
|
||||
LOG.info("Generate operation is not supported "
|
||||
"with storage type 'none'")
|
||||
return
|
||||
|
||||
# update cert defaults based on user input
|
||||
properties = CERT_DEFAULTS.copy()
|
||||
if kwargs.get('property'):
|
||||
properties.update(admin_utils.parse_multi_keyval_opt(
|
||||
kwargs['property']))
|
||||
|
||||
try:
|
||||
prop = 'key-size'
|
||||
key_size = int(properties.get(prop))
|
||||
prop = 'valid-days'
|
||||
valid_for_days = int(properties.get(prop))
|
||||
except ValueError:
|
||||
LOG.info("%s property must be a number", prop)
|
||||
return
|
||||
|
||||
signature_alg = properties.get('sig-alg')
|
||||
subject = {}
|
||||
subject[client_cert.CERT_SUBJECT_COUNTRY] = properties.get('country')
|
||||
subject[client_cert.CERT_SUBJECT_STATE] = properties.get('state')
|
||||
subject[client_cert.CERT_SUBJECT_ORG] = properties.get('org')
|
||||
subject[client_cert.CERT_SUBJECT_UNIT] = properties.get('org')
|
||||
subject[client_cert.CERT_SUBJECT_HOST] = properties.get('host')
|
||||
|
||||
regenerate = False
|
||||
with get_certificate_manager(plugin_conf, **kwargs) as cert:
|
||||
if cert.exists():
|
||||
LOG.info("Deleting existing certificate")
|
||||
# Need to delete cert first
|
||||
cert.delete()
|
||||
regenerate = True
|
||||
|
||||
try:
|
||||
cert.generate(subject, key_size, valid_for_days, signature_alg)
|
||||
except exceptions.NsxLibInvalidInput as e:
|
||||
LOG.info(e)
|
||||
return
|
||||
|
||||
LOG.info("Client certificate generated successfully")
|
||||
if not regenerate:
|
||||
# No certificate existed, so client authentication service was likely
|
||||
# changed to true just now. The user must restart neutron to avoid
|
||||
# failures.
|
||||
LOG.info("Please restart neutron service")
|
||||
|
||||
|
||||
def delete_cert(plugin_conf, **kwargs):
|
||||
"""Delete client certificate and private key """
|
||||
if not verify_client_cert_on(plugin_conf):
|
||||
return
|
||||
|
||||
with get_certificate_manager(plugin_conf, **kwargs) as cert:
|
||||
if plugin_conf.nsx_client_cert_storage.lower() == "none":
|
||||
filename = get_cert_filename(plugin_conf, **kwargs)
|
||||
if not filename:
|
||||
LOG.info("Please specify file containing the certificate "
|
||||
"using filename property")
|
||||
return
|
||||
cert.delete_pem(filename)
|
||||
else:
|
||||
if not cert.exists():
|
||||
LOG.info("Nothing to clean")
|
||||
return
|
||||
|
||||
cert.delete()
|
||||
LOG.info("Client certificate deleted successfully")
|
||||
|
||||
|
||||
def show_cert(plugin_conf, **kwargs):
|
||||
"""Show client certificate details """
|
||||
|
||||
if not verify_client_cert_on(plugin_conf):
|
||||
return
|
||||
|
||||
with get_certificate_manager(plugin_conf, **kwargs) as cert:
|
||||
if cert.exists():
|
||||
cert_pem, key_pem = cert.get_pem()
|
||||
expires_on = cert.expires_on()
|
||||
expires_in_days = cert.expires_in_days()
|
||||
cert_data = cert.get_subject()
|
||||
cert_data['alg'] = cert.get_signature_alg()
|
||||
cert_data['key_size'] = cert.get_key_size()
|
||||
if expires_in_days >= 0:
|
||||
LOG.info("Client certificate is valid. "
|
||||
"Expires on %(date)s UTC (in %(days)d days).",
|
||||
{'date': expires_on,
|
||||
'days': expires_in_days})
|
||||
|
||||
else:
|
||||
LOG.info("Client certificate expired on %s.", expires_on)
|
||||
|
||||
LOG.info("Key Size %(key_size)s, "
|
||||
"Signature Algorithm %(alg)s\n"
|
||||
"Subject: Country %(country)s, State %(state)s, "
|
||||
"Organization %(organization)s, Unit %(unit)s, "
|
||||
"Common Name %(hostname)s", cert_data)
|
||||
|
||||
LOG.info(cert_pem)
|
||||
else:
|
||||
LOG.info("Client certificate is not registered "
|
||||
"in storage")
|
||||
|
||||
|
||||
def get_cert_filename(plugin_conf, **kwargs):
|
||||
filename = plugin_conf.nsx_client_cert_file
|
||||
if kwargs.get('property'):
|
||||
properties = admin_utils.parse_multi_keyval_opt(kwargs['property'])
|
||||
filename = properties.get('filename', filename)
|
||||
|
||||
if not filename:
|
||||
LOG.info("Please specify file containing the certificate "
|
||||
"using filename property")
|
||||
return filename
|
||||
|
||||
|
||||
def import_cert(plugin_conf, **kwargs):
|
||||
"""Import client certificate that was generated externally"""
|
||||
if not verify_client_cert_on(plugin_conf):
|
||||
return
|
||||
|
||||
if plugin_conf.nsx_client_cert_storage.lower() != "none":
|
||||
LOG.info("Import operation is supported "
|
||||
"with storage type 'none' only")
|
||||
return
|
||||
|
||||
with get_certificate_manager(plugin_conf, **kwargs) as cert:
|
||||
if cert.exists():
|
||||
LOG.info("Deleting existing certificate")
|
||||
cert.delete()
|
||||
|
||||
filename = get_cert_filename(plugin_conf, **kwargs)
|
||||
if not filename:
|
||||
return
|
||||
cert.import_pem(filename)
|
||||
|
||||
LOG.info("Client certificate imported successfully")
|
||||
|
||||
|
||||
def show_nsx_certs(plugin_conf, **kwargs):
|
||||
"""Show client certificates associated with openstack identity in NSX"""
|
||||
|
||||
# Note - this operation is supported even if the feature is disabled
|
||||
nsx_trust = get_nsx_trust_management(plugin_conf, **kwargs)
|
||||
|
||||
ids = nsx_trust.get_identities(cert_utils.NSX_OPENSTACK_IDENTITY)
|
||||
if not ids:
|
||||
LOG.info("Principal identity %s not found",
|
||||
cert_utils.NSX_OPENSTACK_IDENTITY)
|
||||
return
|
||||
|
||||
LOG.info("Certificate(s) associated with principal identity %s\n",
|
||||
cert_utils.NSX_OPENSTACK_IDENTITY)
|
||||
|
||||
cert = None
|
||||
for identity in ids:
|
||||
if 'certificate_id' in identity:
|
||||
cert = nsx_trust.get_cert(identity['certificate_id'])
|
||||
|
||||
LOG.info(cert['pem_encoded'])
|
||||
|
||||
if not cert:
|
||||
LOG.info("No certificates found")
|
@ -0,0 +1,73 @@
|
||||
# Copyright 2018 VMware, Inc. All rights reserved.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
from vmware_nsx.shell.admin.plugins.common import constants
|
||||
from vmware_nsx.shell.admin.plugins.common import utils as admin_utils
|
||||
from vmware_nsx.shell.admin.plugins.common import v3_common_cert
|
||||
from vmware_nsx.shell import resources as shell
|
||||
|
||||
from neutron_lib.callbacks import registry
|
||||
from oslo_config import cfg
|
||||
|
||||
|
||||
@admin_utils.output_header
|
||||
def generate_cert(resource, event, trigger, **kwargs):
|
||||
"""Generate self signed client certificate and private key
|
||||
"""
|
||||
return v3_common_cert.generate_cert(cfg.CONF.nsx_p, **kwargs)
|
||||
|
||||
|
||||
@admin_utils.output_header
|
||||
def delete_cert(resource, event, trigger, **kwargs):
|
||||
"""Delete client certificate and private key """
|
||||
return v3_common_cert.delete_cert(cfg.CONF.nsx_p, **kwargs)
|
||||
|
||||
|
||||
@admin_utils.output_header
|
||||
def show_cert(resource, event, trigger, **kwargs):
|
||||
"""Show client certificate details """
|
||||
return v3_common_cert.show_cert(cfg.CONF.nsx_p, **kwargs)
|
||||
|
||||
|
||||
@admin_utils.output_header
|
||||
def import_cert(resource, event, trigger, **kwargs):
|
||||
"""Import client certificate that was generated externally"""
|
||||
return v3_common_cert.import_cert(cfg.CONF.nsx_p, **kwargs)
|
||||
|
||||
|
||||
@admin_utils.output_header
|
||||
def show_nsx_certs(resource, event, trigger, **kwargs):
|
||||
"""Show client certificates associated with openstack identity in NSX"""
|
||||
return v3_common_cert.show_nsx_certs(cfg.CONF.nsx_p, **kwargs)
|
||||
|
||||
|
||||
registry.subscribe(generate_cert,
|
||||
constants.CERTIFICATE,
|
||||
shell.Operations.GENERATE.value)
|
||||
|
||||
registry.subscribe(show_cert,
|
||||
constants.CERTIFICATE,
|
||||
shell.Operations.SHOW.value)
|
||||
|
||||
registry.subscribe(delete_cert,
|
||||
constants.CERTIFICATE,
|
||||
shell.Operations.CLEAN.value)
|
||||
|
||||
registry.subscribe(import_cert,
|
||||
constants.CERTIFICATE,
|
||||
shell.Operations.IMPORT.value)
|
||||
|
||||
registry.subscribe(show_nsx_certs,
|
||||
constants.CERTIFICATE,
|
||||
shell.Operations.NSX_LIST.value)
|
@ -13,248 +13,44 @@
|
||||
# under the License.
|
||||
|
||||
|
||||
from oslo_log import log as logging
|
||||
|
||||
from vmware_nsx.plugins.nsx_v3 import cert_utils
|
||||
from vmware_nsx.shell.admin.plugins.common import constants
|
||||
from vmware_nsx.shell.admin.plugins.common import utils as admin_utils
|
||||
from vmware_nsx.shell.admin.plugins.nsxv3.resources import utils
|
||||
from vmware_nsx.shell.admin.plugins.common import v3_common_cert
|
||||
from vmware_nsx.shell import resources as shell
|
||||
from vmware_nsxlib.v3 import client_cert
|
||||
from vmware_nsxlib.v3 import exceptions
|
||||
from vmware_nsxlib.v3 import trust_management
|
||||
|
||||
from neutron_lib.callbacks import registry
|
||||
from neutron_lib import context
|
||||
from oslo_config import cfg
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
||||
CERT_DEFAULTS = {'key-size': 2048,
|
||||
'sig-alg': 'sha256',
|
||||
'valid-days': 3650,
|
||||
'country': 'US',
|
||||
'state': 'California',
|
||||
'org': 'default org',
|
||||
'unit': 'default unit',
|
||||
'host': 'defaulthost.org'}
|
||||
|
||||
|
||||
def get_nsx_trust_management(**kwargs):
|
||||
username, password = None, None
|
||||
if kwargs.get('property'):
|
||||
properties = admin_utils.parse_multi_keyval_opt(kwargs['property'])
|
||||
username = properties.get('user')
|
||||
password = properties.get('password')
|
||||
|
||||
nsx_client = utils.get_nsxv3_client(username, password, True)
|
||||
nsx_trust = trust_management.NsxLibTrustManagement(nsx_client, {})
|
||||
return nsx_trust
|
||||
|
||||
|
||||
def get_certificate_manager(**kwargs):
|
||||
storage_driver_type = cfg.CONF.nsx_v3.nsx_client_cert_storage.lower()
|
||||
LOG.info("Certificate storage is %s", storage_driver_type)
|
||||
if storage_driver_type == 'nsx-db':
|
||||
storage_driver = cert_utils.DbCertificateStorageDriver(
|
||||
context.get_admin_context())
|
||||
elif storage_driver_type == 'none':
|
||||
storage_driver = cert_utils.DummyCertificateStorageDriver()
|
||||
# TODO(annak) - add support for barbican storage driver
|
||||
|
||||
return client_cert.ClientCertificateManager(
|
||||
cert_utils.NSX_OPENSTACK_IDENTITY,
|
||||
get_nsx_trust_management(**kwargs),
|
||||
storage_driver)
|
||||
|
||||
|
||||
def verify_client_cert_on():
|
||||
if cfg.CONF.nsx_v3.nsx_use_client_auth:
|
||||
return True
|
||||
|
||||
LOG.info("Operation not applicable since client authentication "
|
||||
"is disabled")
|
||||
return False
|
||||
|
||||
|
||||
@admin_utils.output_header
|
||||
def generate_cert(resource, event, trigger, **kwargs):
|
||||
"""Generate self signed client certificate and private key
|
||||
"""
|
||||
|
||||
if not verify_client_cert_on():
|
||||
return
|
||||
|
||||
if cfg.CONF.nsx_v3.nsx_client_cert_storage.lower() == "none":
|
||||
LOG.info("Generate operation is not supported "
|
||||
"with storage type 'none'")
|
||||
return
|
||||
|
||||
# update cert defaults based on user input
|
||||
properties = CERT_DEFAULTS.copy()
|
||||
if kwargs.get('property'):
|
||||
properties.update(admin_utils.parse_multi_keyval_opt(
|
||||
kwargs['property']))
|
||||
|
||||
try:
|
||||
prop = 'key-size'
|
||||
key_size = int(properties.get(prop))
|
||||
prop = 'valid-days'
|
||||
valid_for_days = int(properties.get(prop))
|
||||
except ValueError:
|
||||
LOG.info("%s property must be a number", prop)
|
||||
return
|
||||
|
||||
signature_alg = properties.get('sig-alg')
|
||||
subject = {}
|
||||
subject[client_cert.CERT_SUBJECT_COUNTRY] = properties.get('country')
|
||||
subject[client_cert.CERT_SUBJECT_STATE] = properties.get('state')
|
||||
subject[client_cert.CERT_SUBJECT_ORG] = properties.get('org')
|
||||
subject[client_cert.CERT_SUBJECT_UNIT] = properties.get('org')
|
||||
subject[client_cert.CERT_SUBJECT_HOST] = properties.get('host')
|
||||
|
||||
regenerate = False
|
||||
with get_certificate_manager(**kwargs) as cert:
|
||||
if cert.exists():
|
||||
LOG.info("Deleting existing certificate")
|
||||
# Need to delete cert first
|
||||
cert.delete()
|
||||
regenerate = True
|
||||
|
||||
try:
|
||||
cert.generate(subject, key_size, valid_for_days, signature_alg)
|
||||
except exceptions.NsxLibInvalidInput as e:
|
||||
LOG.info(e)
|
||||
return
|
||||
|
||||
LOG.info("Client certificate generated successfully")
|
||||
if not regenerate:
|
||||
# No certificate existed, so client authentication service was likely
|
||||
# changed to true just now. The user must restart neutron to avoid
|
||||
# failures.
|
||||
LOG.info("Please restart neutron service")
|
||||
return v3_common_cert.generate_cert(cfg.CONF.nsx_v3, **kwargs)
|
||||
|
||||
|
||||
@admin_utils.output_header
|
||||
def delete_cert(resource, event, trigger, **kwargs):
|
||||
"""Delete client certificate and private key """
|
||||
if not verify_client_cert_on():
|
||||
return
|
||||
|
||||
with get_certificate_manager(**kwargs) as cert:
|
||||
if cfg.CONF.nsx_v3.nsx_client_cert_storage.lower() == "none":
|
||||
filename = get_cert_filename(**kwargs)
|
||||
if not filename:
|
||||
LOG.info("Please specify file containing the certificate "
|
||||
"using filename property")
|
||||
return
|
||||
cert.delete_pem(filename)
|
||||
else:
|
||||
if not cert.exists():
|
||||
LOG.info("Nothing to clean")
|
||||
return
|
||||
|
||||
cert.delete()
|
||||
LOG.info("Client certificate deleted successfully")
|
||||
return v3_common_cert.delete_cert(cfg.CONF.nsx_v3, **kwargs)
|
||||
|
||||
|
||||
@admin_utils.output_header
|
||||
def show_cert(resource, event, trigger, **kwargs):
|
||||
"""Show client certificate details """
|
||||
|
||||
if not verify_client_cert_on():
|
||||
return
|
||||
|
||||
with get_certificate_manager(**kwargs) as cert:
|
||||
if cert.exists():
|
||||
cert_pem, key_pem = cert.get_pem()
|
||||
expires_on = cert.expires_on()
|
||||
expires_in_days = cert.expires_in_days()
|
||||
cert_data = cert.get_subject()
|
||||
cert_data['alg'] = cert.get_signature_alg()
|
||||
cert_data['key_size'] = cert.get_key_size()
|
||||
if expires_in_days >= 0:
|
||||
LOG.info("Client certificate is valid. "
|
||||
"Expires on %(date)s UTC (in %(days)d days).",
|
||||
{'date': expires_on,
|
||||
'days': expires_in_days})
|
||||
|
||||
else:
|
||||
LOG.info("Client certificate expired on %s.", expires_on)
|
||||
|
||||
LOG.info("Key Size %(key_size)s, "
|
||||
"Signature Algorithm %(alg)s\n"
|
||||
"Subject: Country %(country)s, State %(state)s, "
|
||||
"Organization %(organization)s, Unit %(unit)s, "
|
||||
"Common Name %(hostname)s", cert_data)
|
||||
|
||||
LOG.info(cert_pem)
|
||||
else:
|
||||
LOG.info("Client certificate is not registered "
|
||||
"in storage")
|
||||
|
||||
|
||||
def get_cert_filename(**kwargs):
|
||||
filename = cfg.CONF.nsx_v3.nsx_client_cert_file
|
||||
if kwargs.get('property'):
|
||||
properties = admin_utils.parse_multi_keyval_opt(kwargs['property'])
|
||||
filename = properties.get('filename', filename)
|
||||
|
||||
if not filename:
|
||||
LOG.info("Please specify file containing the certificate "
|
||||
"using filename property")
|
||||
return filename
|
||||
return v3_common_cert.show_cert(cfg.CONF.nsx_v3, **kwargs)
|
||||
|
||||
|
||||
@admin_utils.output_header
|
||||
def import_cert(resource, event, trigger, **kwargs):
|
||||
"""Import client certificate that was generated externally"""
|
||||
if not verify_client_cert_on():
|
||||
return
|
||||
|
||||
if cfg.CONF.nsx_v3.nsx_client_cert_storage.lower() != "none":
|
||||
LOG.info("Import operation is supported "
|
||||
"with storage type 'none' only")
|
||||
return
|
||||
|
||||
with get_certificate_manager(**kwargs) as cert:
|
||||
if cert.exists():
|
||||
LOG.info("Deleting existing certificate")
|
||||
cert.delete()
|
||||
|
||||
filename = get_cert_filename(**kwargs)
|
||||
if not filename:
|
||||
return
|
||||
cert.import_pem(filename)
|
||||
|
||||
LOG.info("Client certificate imported successfully")
|
||||
return v3_common_cert.import_cert(cfg.CONF.nsx_v3, **kwargs)
|
||||
|
||||
|
||||
@admin_utils.output_header
|
||||
def show_nsx_certs(resource, event, trigger, **kwargs):
|
||||
"""Show client certificates associated with openstack identity in NSX"""
|
||||
|
||||
# Note - this operation is supported even if the feature is disabled
|
||||
nsx_trust = get_nsx_trust_management(**kwargs)
|
||||
|
||||
ids = nsx_trust.get_identities(cert_utils.NSX_OPENSTACK_IDENTITY)
|
||||
if not ids:
|
||||
LOG.info("Principal identity %s not found",
|
||||
cert_utils.NSX_OPENSTACK_IDENTITY)
|
||||
return
|
||||
|
||||
LOG.info("Certificate(s) associated with principal identity %s\n",
|
||||
cert_utils.NSX_OPENSTACK_IDENTITY)
|
||||
|
||||
cert = None
|
||||
for identity in ids:
|
||||
if 'certificate_id' in identity:
|
||||
cert = nsx_trust.get_cert(identity['certificate_id'])
|
||||
|
||||
LOG.info(cert['pem_encoded'])
|
||||
|
||||
if not cert:
|
||||
LOG.info("No certificates found")
|
||||
return v3_common_cert.show_nsx_certs(cfg.CONF.nsx_v3, **kwargs)
|
||||
|
||||
|
||||
registry.subscribe(generate_cert,
|
||||
|
@ -44,24 +44,28 @@ _NSXLIB = None
|
||||
|
||||
|
||||
def get_nsxv3_client(nsx_username=None, nsx_password=None,
|
||||
use_basic_auth=False):
|
||||
use_basic_auth=False,
|
||||
plugin_conf=None):
|
||||
|
||||
return get_connected_nsxlib(nsx_username,
|
||||
nsx_password,
|
||||
use_basic_auth).client
|
||||
use_basic_auth,
|
||||
plugin_conf).client
|
||||
|
||||
|
||||
def get_connected_nsxlib(nsx_username=None, nsx_password=None,
|
||||
use_basic_auth=False):
|
||||
use_basic_auth=False,
|
||||
plugin_conf=None):
|
||||
global _NSXLIB
|
||||
|
||||
# for non-default agruments, initiate new lib
|
||||
if nsx_username or use_basic_auth:
|
||||
return v3_utils.get_nsxlib_wrapper(nsx_username,
|
||||
nsx_password,
|
||||
use_basic_auth)
|
||||
use_basic_auth,
|
||||
plugin_conf)
|
||||
if _NSXLIB is None:
|
||||
_NSXLIB = v3_utils.get_nsxlib_wrapper()
|
||||
_NSXLIB = v3_utils.get_nsxlib_wrapper(plugin_conf=plugin_conf)
|
||||
return _NSXLIB
|
||||
|
||||
|
||||
|
@ -248,6 +248,12 @@ nsxp_resources = {
|
||||
[Operations.LIST.value]),
|
||||
constants.ROUTERS: Resource(constants.ROUTERS,
|
||||
[Operations.LIST.value]),
|
||||
constants.CERTIFICATE: Resource(constants.CERTIFICATE,
|
||||
[Operations.GENERATE.value,
|
||||
Operations.SHOW.value,
|
||||
Operations.CLEAN.value,
|
||||
Operations.IMPORT.value,
|
||||
Operations.NSX_LIST.value]),
|
||||
}
|
||||
|
||||
nsxv3_resources_names = list(nsxv3_resources.keys())
|
||||
|
Loading…
Reference in New Issue
Block a user