Handle SSL setup when downgrading
1 #
2 #
3
4 # Copyright (C) 2015 Google Inc.
5 # All rights reserved.
6 #
7 # Redistribution and use in source and binary forms, with or without
8 # modification, are permitted provided that the following conditions are
9 # met:
10 #
11 # 1. Redistributions of source code must retain the above copyright notice,
12 # this list of conditions and the following disclaimer.
13 #
14 # 2. Redistributions in binary form must reproduce the above copyright
15 # notice, this list of conditions and the following disclaimer in the
16 # documentation and/or other materials provided with the distribution.
17 #
18 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
19 # IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
20 # TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
21 # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR
22 # CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
23 # EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
24 # PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
25 # PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
26 # LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
27 # NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
28 # SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29
30 """Script to recreate and sign the client SSL certificates.
31
32 """
33
import errno
import logging
import optparse
import os
import os.path
import sys

from ganeti import cli
from ganeti import constants
from ganeti import errors
from ganeti import ht
from ganeti import pathutils
from ganeti import utils
from ganeti.tools import common
47
48
# Shape of the request document that Main() reads from stdin: a dict whose
# listed keys each hold a non-empty string.
# NOTE(review): the two boolean flags are presumably ht.TStrictDict's
# "require every key" (False) and "reject unknown keys" (True) arguments --
# Main() re-checks NDS_ACTION itself, which fits a non-required key; confirm
# against ganeti.ht before relying on it.
_DATA_CHECK = ht.TStrictDict(
  False, True,
  dict((key, ht.TNonEmptyString) for key in (
    constants.NDS_CLUSTER_NAME,
    constants.NDS_NODE_DAEMON_CERTIFICATE,
    constants.NDS_NODE_NAME,
    constants.NDS_ACTION,
  )))
55
56
class SslSetupError(errors.GenericError):
  """Error raised when an SSL update request cannot be honoured.

  This is the error class handed to the L{common} verification and
  generation helpers and raised directly for a missing or unknown action,
  so that every failure of this tool surfaces as one type which L{Main}
  turns into an exit code through L{cli.FormatError}.

  """
61
62
def ParseOptions():
  """Parses the options passed to the program.

  Only the generic tool flags (debug, verbose, dry-run) are accepted on the
  command line; the request itself is read from stdin by L{Main}.

  @return: Options and arguments, as returned by L{common.VerifyOptions}

  """
  prog_name = os.path.basename(sys.argv[0])
  opt_parser = optparse.OptionParser(usage="%prog [--dry-run]",
                                     prog=prog_name)
  for option in (cli.DEBUG_OPT, cli.VERBOSE_OPT, cli.DRY_RUN_OPT):
    opt_parser.add_option(option)

  (opts, args) = opt_parser.parse_args()

  return common.VerifyOptions(opt_parser, opts, args)
78
79
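def DeleteClientCertificate():
  """Delete this node's client SSL certificate.

  This is necessary for downgrades. A missing certificate file is not an
  error and is only logged. The removal is attempted directly instead of
  checking C{os.path.exists} first, so that a file vanishing between the
  check and the removal does not turn into an unexpected C{OSError}.

  @raise OSError: if the file exists but cannot be removed (any errno other
    than C{ENOENT} is propagated unchanged)

  """
  cert_file = pathutils.NODED_CLIENT_CERT_FILE
  try:
    os.remove(cert_file)
  except OSError as err:
    if err.errno != errno.ENOENT:
      raise
    logging.debug("Trying to delete the client certificate '%s' which did not"
                  " exist.", cert_file)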
87
88
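def ClearMasterCandidateSsconfList():
  """Clear the ssconf list of master candidate certs.

  This is necessary when deleting the client certificates for a downgrade,
  because otherwise the master cannot distribute the configuration to the
  nodes via RPC during a downgrade anymore.

  The previous implementation tested C{os.path.exists} without calling it,
  which is always true, so a missing ssconf file made C{os.remove} raise
  instead of taking the logging branch. The removal is now attempted
  directly and only C{ENOENT} is treated as "nothing to do".

  @raise OSError: if the file exists but cannot be removed (any errno other
    than C{ENOENT} is propagated unchanged)

  """
  ssconf_file = os.path.join(
    pathutils.DATA_DIR,
    "%s%s" % (constants.SSCONF_FILEPREFIX,
              constants.SS_MASTER_CANDIDATES_CERTS))
  try:
    os.remove(ssconf_file)
  except OSError as err:
    if err.errno != errno.ENOENT:
      raise
    logging.debug("Trying to delete the ssconf file '%s' which does not"
                  " exist.", ssconf_file)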
106
107
# pylint: disable=E1103
# pylint mis-infers 'data' as 'bool' and reports that it has no 'get'
# member; the value returned by common.LoadData is used as a dict below.
def Main():
  """Main routine.

  Reads one request document from stdin, validates it against
  L{_DATA_CHECK}, checks that it is addressed to this cluster and that the
  caller's server certificate matches the one on this node, and then
  creates or deletes this node's client certificate as requested.

  @rtype: int
  @return: L{constants.EXIT_SUCCESS}, or the exit code that
    L{cli.FormatError} derives from the exception that aborted the run

  """
  opts = ParseOptions()
  utils.SetupToolLogging(opts.debug, opts.verbose)

  try:
    data = common.LoadData(sys.stdin.read(), _DATA_CHECK)

    # Neither check may be skipped: the request is acted upon only if it
    # names this cluster and carries the same server certificate as the one
    # installed on this node.
    common.VerifyClusterName(data, SslSetupError)
    common.VerifyCertificate(data, SslSetupError)

    action = data.get(constants.NDS_ACTION)
    if not action:
      raise SslSetupError("No Action specified.")

    if action == constants.CRYPTO_ACTION_CREATE:
      common.GenerateClientCertificate(data, SslSetupError)
    elif action == constants.CRYPTO_ACTION_DELETE:
      # Downgrade path: the ssconf list of candidate certificates has to go
      # together with the certificate itself, otherwise the master can no
      # longer push the configuration over RPC.
      DeleteClientCertificate()
      ClearMasterCandidateSsconfList()
    else:
      raise SslSetupError("Unsupported action: %s." % action)

    return constants.EXIT_SUCCESS
  except Exception as err: # pylint: disable=W0703
    # Last-resort handler of a command-line tool: keep the traceback at debug
    # level, report a formatted message and map the error to an exit code.
    logging.debug("Caught unhandled exception", exc_info=True)

    (retcode, message) = cli.FormatError(err)
    logging.error(message)

    return retcode