particle-os/debian-koji
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Remove dead client CA code

Browse source 
The client CA is only needed to for authentication on the server side,
not for authentication on the client side. Therefore remove it from all
client login code.
This commit is contained in:
Till Maas 2015-02-17 19:16:47 +01:00 committed by Mike McLean
parent c54ea3312a
commit ffcf1a30eb
15 changed files with 19 additions and 36 deletions
Download patch file Download diff file Expand all files Collapse all files

4
builder/kojid
View file

@ -4543,7 +4543,7 @@ def get_options():
'failed_buildroot_lifetime' : 3600 * 4,
'rpmbuild_timeout' : 3600 * 24,
'cert': '/etc/kojid/client.crt',
'ca': '/etc/kojid/clientca.crt',
'ca': '', # FIXME: Unused, remove in next major release
'serverca': '/etc/kojid/serverca.crt'}
if config.has_section('kojid'):
for name, value in config.items('kojid'):
@ -4642,7 +4642,7 @@ if __name__ == "__main__":
if os.path.isfile(options.cert):
try:
# authenticate using SSL client certificates
session.ssl_login(options.cert, options.ca,
session.ssl_login(options.cert, None,
options.serverca)
except koji.AuthError, e:
quit("Error: Unable to log in: %s" % e)

3
builder/kojid.conf
View file

@ -81,8 +81,5 @@ from_addr=Koji Build System <buildsys@example.com>
;client certificate
;cert = /etc/kojid/client.crt
;certificate of the CA that issued the client certificate
;ca = /etc/kojid/clientca.crt
;certificate of the CA that issued the HTTP server certificate
;serverca = /etc/kojid/serverca.crt

6
cli/koji
View file

@ -211,7 +211,7 @@ def get_options():
'poll_interval': 5,
'krbservice': 'host',
'cert': '~/.koji/client.crt',
'ca': '~/.koji/clientca.crt',
'ca': '', # FIXME: remove in next major release
'serverca': '~/.koji/serverca.crt',
'authtype': None
}
@ -265,7 +265,7 @@ def get_options():
for name, value in defaults.iteritems():
if getattr(options, name, None) is None:
setattr(options, name, value)
dir_opts = ('topdir', 'cert', 'ca', 'serverca')
dir_opts = ('topdir', 'cert', 'serverca')
for name in dir_opts:
# expand paths here, so we don't have to worry about it later
value = os.path.expanduser(getattr(options, name))
@ -6831,7 +6831,7 @@ def activate_session(session):
pass
elif options.authtype == "ssl" or os.path.isfile(options.cert) and options.authtype is None:
# authenticate using SSL client cert
session.ssl_login(options.cert, options.ca, options.serverca, proxyuser=options.runas)
session.ssl_login(options.cert, None, options.serverca, proxyuser=options.runas)
elif options.authtype == "password" or options.user and options.authtype is None:
# authenticate using user/password
session.login()

3
cli/koji.conf
View file

@ -24,8 +24,5 @@
;client certificate
;cert = ~/.koji/client.crt
;certificate of the CA that issued the client certificate
;ca = ~/.koji/clientca.crt
;certificate of the CA that issued the HTTP server certificate
;serverca = ~/.koji/serverca.crt

3
koji/__init__.py
View file

@ -1745,8 +1745,9 @@ class ClientSession(object):
def ssl_login(self, cert, ca, serverca, proxyuser=None):
certs = {}
certs['key_and_cert'] = cert
certs['ca_cert'] = ca
certs['peer_ca_cert'] = serverca
# FIXME: ca is not useful here and therefore ignored, can be removed
# when API is changed
ctx = ssl.SSLCommon.CreateSSLContext(certs)
self._cnxOpts = {'ssl_context' : ctx}

4
koji/ssl/SSLCommon.py
View file

@ -31,16 +31,14 @@ def our_verify(connection, x509, errNum, errDepth, preverifyOK):
def CreateSSLContext(certs):
key_and_cert = certs['key_and_cert']
ca_cert = certs['ca_cert']
peer_ca_cert = certs['peer_ca_cert']
for f in key_and_cert, ca_cert, peer_ca_cert:
for f in key_and_cert, peer_ca_cert:
if f and not os.access(f, os.R_OK):
raise StandardError, "%s does not exist or is not readable" % f
ctx = SSL.Context(SSL.SSLv23_METHOD) # Use best possible TLS Method
ctx.use_certificate_file(key_and_cert)
ctx.use_privatekey_file(key_and_cert)
ctx.load_client_ca(ca_cert)
ctx.load_verify_locations(peer_ca_cert)
verify = SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT
ctx.set_verify(verify, our_verify)

3
koji/ssl/XMLRPCServerProxy.py
View file

@ -146,12 +146,11 @@ class TimeoutCounter:
if __name__ == '__main__':
if len(sys.argv) < 4:
print "Usage: python XMLRPCServerProxy.py key_and_cert ca_cert peer_ca_cert"
print "Usage: python XMLRPCServerProxy.py key_and_cert peer_ca_cert"
sys.exit(1)
certs = {}
certs['key_and_cert'] = sys.argv[1]
certs['ca_cert'] = sys.argv[2]
certs['peer_ca_cert'] = sys.argv[3]
tm = TimeoutCounter()

8
util/koji-gc
View file

@ -91,8 +91,8 @@ def get_options():
help=_("enable hackish workaround for broken networks"))
parser.add_option("--cert", default='/etc/koji-gc/client.crt',
help=_("Client SSL certificate file for authentication"))
parser.add_option("--ca", default='/etc/koji-gc/clientca.crt',
help=_("CA cert file that issued the client certificate"))
parser.add_option("--ca", default='',
help=_("ignored")) # FIXME: remove in next major release
parser.add_option("--serverca", default='/etc/koji-gc/serverca.crt',
help=_("CA cert file that issued the hub certificate"))
parser.add_option("-n", "--test", action="store_true", default=False,
@ -165,7 +165,7 @@ def get_options():
['password', None, 'string'],
['noauth', None, 'boolean'],
['cert', None, 'string'],
['ca', None, 'string'],
['ca', None, 'string'], # FIXME: remove in next major release
['serverca', None, 'string'],
['server', None, 'string'],
['weburl', None, 'string'],
@ -373,7 +373,7 @@ def activate_session(session):
pass
elif os.path.isfile(options.cert):
# authenticate using SSL client cert
session.ssl_login(options.cert, options.ca, options.serverca, proxyuser=options.runas)
session.ssl_login(options.cert, None, options.serverca, proxyuser=options.runas)
elif options.user:
#authenticate using user/password
session.login()

6
util/kojira
View file

@ -727,7 +727,7 @@ def get_options():
#XXX should really be called expired_repo_lifetime
'sleeptime' : 15,
'cert': '/etc/kojira/client.crt',
'ca': '/etc/kojira/clientca.crt',
'ca': '', # FIXME: unused, remove in next major release
'serverca': '/etc/kojira/serverca.crt'
}
if config.has_section(section):
@ -735,7 +735,7 @@ def get_options():
'retry_interval', 'max_retries', 'offline_retry_interval',
'max_delete_processes', 'max_repo_tasks_maven', 'delete_batch_size', )
str_opts = ('topdir', 'server', 'user', 'password', 'logfile', 'principal', 'keytab', 'krbservice',
'cert', 'ca', 'serverca', 'debuginfo_tags', 'source_tags')
'cert', 'ca', 'serverca', 'debuginfo_tags', 'source_tags') # FIXME: remove ca here
bool_opts = ('with_src','verbose','debug','ignore_stray_repos', 'offline_retry')
for name in config.options(section):
if name in int_opts:
@ -797,7 +797,7 @@ if __name__ == "__main__":
session = koji.ClientSession(options.server,session_opts)
if os.path.isfile(options.cert):
# authenticate using SSL client certificates
session.ssl_login(options.cert, options.ca, options.serverca)
session.ssl_login(options.cert, None, options.serverca)
elif options.user:
# authenticate using user/password
session.login()

3
util/kojira.conf
View file

@ -37,8 +37,5 @@ with_src=no
;client certificate
;cert = /etc/kojira/client.crt
;certificate of the CA that issued the client certificate
;ca = /etc/kojira/clientca.crt
;certificate of the CA that issued the HTTP server certificate
;serverca = /etc/kojira/serverca.crt

4
vm/kojivmd
View file

@ -130,7 +130,7 @@ def get_options():
'offline_retry_interval': 120,
'allowed_scms': '',
'cert': '/etc/kojivmd/client.crt',
'ca': '/etc/kojivmd/clientca.crt',
'ca': '', # FIXME: Remove in next major release
'serverca': '/etc/kojivmd/serverca.crt'}
if config.has_section('kojivmd'):
for name, value in config.items('kojivmd'):
@ -1066,7 +1066,7 @@ if __name__ == "__main__":
if os.path.isfile(options.cert):
try:
# authenticate using SSL client certificates
session.ssl_login(options.cert, options.ca,
session.ssl_login(options.cert, None,
options.serverca)
except koji.AuthError, e:
quit("Error: Unable to log in: %s" % e)

3
vm/kojivmd.conf
View file

@ -50,8 +50,5 @@ from_addr=Koji Build System <buildsys@example.com>
;client certificate
;cert = /etc/kojivmd/client.crt
;certificate of the CA that issued the client certificate
;ca = /etc/kojivmd/clientca.crt
;certificate of the CA that issued the HTTP server certificate
;serverca = /etc/kojivmd/serverca.crt

1
www/conf/web.conf
View file

@ -15,7 +15,6 @@ KojiFilesURL = http://server.example.com/kojifiles
# SSL authentication options
# WebCert = /etc/kojiweb/kojiweb.crt
# ClientCA = /etc/kojiweb/clientca.crt
# KojiHubCA = /etc/kojiweb/kojihubca.crt
LoginTimeout = 72

3
www/kojiweb/index.py
View file

@ -122,10 +122,9 @@ def _krbLogin(environ, session, principal):
def _sslLogin(environ, session, username):
options = environ['koji.options']
client_cert = options['WebCert']
client_ca = options['ClientCA']
server_ca = options['KojiHubCA']
return session.ssl_login(client_cert, client_ca, server_ca,
return session.ssl_login(client_cert, None, server_ca,
proxyuser=username)
def _assertLogin(environ):

1
www/kojiweb/wsgi_publisher.py
View file

@ -77,7 +77,6 @@ class Dispatcher(object):
['KrbService', 'string', 'host'],
['WebCert', 'string', None],
['ClientCA', 'string', '/etc/kojiweb/clientca.crt'],
['KojiHubCA', 'string', '/etc/kojiweb/kojihubca.crt'],
['PythonDebug', 'boolean', False],