Added the Anchor Driver
Anchor is the evolution of eca. It has a different API and different rulesets. Patch tested against the current Anchor Master and docker container Change-Id: I6b04ae50fb7e4e81dc414ef4ea361b3a673bffaa
This commit is contained in:
parent
a1a92b60bf
commit
3487de6c8a
|
@ -0,0 +1,58 @@
|
|||
# (c) Copyright 2015 Hewlett-Packard Development Company, L.P.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
import datetime
|
||||
import logging
|
||||
|
||||
import requests
|
||||
|
||||
from cathead import cadriver
|
||||
from cathead import x509
|
||||
|
||||
LOG = logging.getLogger(__name__)
|
||||
|
||||
class AnchorDriver(cadriver.CaDriver):
|
||||
|
||||
def __init__(self, host, port,
|
||||
user, secret, root='default', scheme='http'):
|
||||
self.host = host
|
||||
self.port = port
|
||||
self.user = user
|
||||
self.secret = secret
|
||||
self.scheme = scheme
|
||||
self.root = root
|
||||
|
||||
def sign(self, csr):
|
||||
url = "{scheme}://{host}:{port}/v1/sign/{root}".format(**self.__dict__)
|
||||
LOG.info("Sending CSR to %s" % url)
|
||||
params = {"user": self.user,
|
||||
"secret": self.secret,
|
||||
"encoding": "pem",
|
||||
"csr": csr,
|
||||
"root": self.root}
|
||||
r = requests.post(url, data=params)
|
||||
cert = r.text
|
||||
LOG.debug("Received from Anchor server:\n%s" % cert)
|
||||
if self._is_valid_cert(cert):
|
||||
return cert
|
||||
else:
|
||||
LOG.info("Received invalid certificate from Anchor")
|
||||
|
||||
def _is_valid_cert(self, cert):
|
||||
try:
|
||||
expire = x509.get_expire_date(cert)
|
||||
return expire > datetime.datetime.now()
|
||||
except Exception as e:
|
||||
LOG.info("invalid cert, failed check date with:\n%s", e)
|
||||
return False
|
|
@ -12,6 +12,9 @@
|
|||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
# The anchor driver is setup to use the default configuration
|
||||
# of anchor when running in a container
|
||||
|
||||
CONF = {
|
||||
'failure_refresh_timeout': 10,
|
||||
'drivers': [
|
||||
|
@ -21,20 +24,21 @@ CONF = {
|
|||
'ca_key_file': 'ca.p.key',
|
||||
},
|
||||
{
|
||||
'name': 'eca',
|
||||
'driver': 'cathead.drivers.eca.EcaDriver',
|
||||
'host': '127.0.0.1',
|
||||
'port': 5000,
|
||||
'name': 'anchor',
|
||||
'driver': 'cathead.drivers.anchor.AnchorDriver',
|
||||
'host': '192.168.99.100',
|
||||
'port': 5016,
|
||||
'user': 'woot',
|
||||
'secret': 'woot',
|
||||
'root': 'default'
|
||||
}
|
||||
],
|
||||
'certs': [
|
||||
{
|
||||
'driver': 'eca',
|
||||
'key': 'ca.p.key',
|
||||
'cert': 'newcrt.crt',
|
||||
'refresh_window': None,
|
||||
'driver': 'anchor',
|
||||
'key': 'tmp/anchor-test.example.com.key',
|
||||
'cert': 'tmp/anchor-test.example.com.crt',
|
||||
'refresh_window': 1,
|
||||
'common_name': '127.0.0.1',
|
||||
'on_refresh_success': 'hello_system',
|
||||
}
|
||||
|
|
|
@ -0,0 +1,13 @@
|
|||
import unittest
|
||||
|
||||
from cathead import cadriver
|
||||
from cathead.drivers import anchor
|
||||
|
||||
|
||||
class AnchorDriverTestCase(unittest.TestCase):
|
||||
|
||||
def test_sign(self):
|
||||
driver = anchor.AnchorDriver("host", "port", "user", "password",root="default")
|
||||
self.assertTrue(isinstance(driver, cadriver.CaDriver))
|
||||
|
||||
#TODO(hyakuhei) functional tests - spin up anchor container maybe?
|
Loading…
Reference in New Issue