Synnefo » snf-ganeti

  (errcode, msg) = \

    utils.VerifyX509Certificate(cert, constants.SSL_CERT_EXPIRATION_WARN,

                                constants.SSL_CERT_EXPIRATION_ERROR)

  if msg:

    fnamemsg = "While verifying %s: %s" % (filename, msg)

  else:

    fnamemsg = None

  if errcode is None:

    return (None, fnamemsg)

  elif errcode == utils.CERT_WARNING:

    return (LUVerifyCluster.ETYPE_WARNING, fnamemsg)

  elif errcode == utils.CERT_ERROR:

    return (LUVerifyCluster.ETYPE_ERROR, fnamemsg)

  raise errors.ProgrammerError("Unhandled certificate error code %r" % errcode)

# Certificate verification results

(CERT_WARNING,

 CERT_ERROR) = range(1, 3)

def FormatTimestampWithTZ(secs):

  """Formats a Unix timestamp with the local timezone.

  """

  return time.strftime("%F %T %Z", time.gmtime(secs))

def _VerifyCertificateInner(expired, not_before, not_after, now,

                            warn_days, error_days):

  """Verifies certificate validity.

  @type expired: bool

  @param expired: Whether pyOpenSSL considers the certificate as expired

  @type not_before: number or None

  @param not_before: Unix timestamp before which certificate is not valid

  @type not_after: number or None

  @param not_after: Unix timestamp after which certificate is invalid

  @type now: number

  @param now: Current time as Unix timestamp

  @type warn_days: number or None

  @param warn_days: How many days before expiration a warning should be reported

  @type error_days: number or None

  @param error_days: How many days before expiration an error should be reported

  """

  if expired:

    msg = "Certificate is expired"

    if not_before is not None and not_after is not None:

      msg += (" (valid from %s to %s)" %

              (FormatTimestampWithTZ(not_before),

               FormatTimestampWithTZ(not_after)))

    elif not_before is not None:

      msg += " (valid from %s)" % FormatTimestampWithTZ(not_before)

    elif not_after is not None:

      msg += " (valid until %s)" % FormatTimestampWithTZ(not_after)

    return (CERT_ERROR, msg)

  elif not_before is not None and not_before > now:

    return (CERT_WARNING,

            "Certificate not yet valid (valid from %s)" %

            FormatTimestampWithTZ(not_before))

  elif not_after is not None:

    remaining_days = int((not_after - now) / (24 * 3600))

    msg = "Certificate expires in about %d days" % remaining_days

    if error_days is not None and remaining_days <= error_days:

      return (CERT_ERROR, msg)

    if warn_days is not None and remaining_days <= warn_days:

      return (CERT_WARNING, msg)

  return (None, None)

def VerifyX509Certificate(cert, warn_days, error_days):

  """Verifies a certificate for LUVerifyCluster.

  @type cert: OpenSSL.crypto.X509

  @param cert: X509 certificate object

  @type warn_days: number or None

  @param warn_days: How many days before expiration a warning should be reported

  @type error_days: number or None

  @param error_days: How many days before expiration an error should be reported

  """

  # Depending on the pyOpenSSL version, this can just return (None, None)

  (not_before, not_after) = GetX509CertValidity(cert)

  return _VerifyCertificateInner(cert.has_expired(), not_before, not_after,

                                 time.time(), warn_days, error_days)

    invalid_cert = self._TestDataFilename("bdev-net.txt")

class TestCertVerification(testutils.GanetiTestCase):

  def setUp(self):

    testutils.GanetiTestCase.setUp(self)

    self.tmpdir = tempfile.mkdtemp()

  def tearDown(self):

    shutil.rmtree(self.tmpdir)

  def testVerifyCertificate(self):

    cert_pem = utils.ReadFile(self._TestDataFilename("cert1.pem"))

    cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM,

                                           cert_pem)

    # Not checking return value as this certificate is expired

    utils.VerifyX509Certificate(cert, 30, 7)

class TestVerifyCertificateInner(unittest.TestCase):

  def test(self):

    vci = utils._VerifyCertificateInner

    # Valid

    self.assertEqual(vci(False, 1263916313, 1298476313, 1266940313, 30, 7),

                     (None, None))

    # Not yet valid

    (errcode, msg) = vci(False, 1266507600, 1267544400, 1266075600, 30, 7)

    self.assertEqual(errcode, utils.CERT_WARNING)

    # Expiring soon

    (errcode, msg) = vci(False, 1266507600, 1267544400, 1266939600, 30, 7)

    self.assertEqual(errcode, utils.CERT_ERROR)

    (errcode, msg) = vci(False, 1266507600, 1267544400, 1266939600, 30, 1)

    self.assertEqual(errcode, utils.CERT_WARNING)

    (errcode, msg) = vci(False, 1266507600, None, 1266939600, 30, 7)

    self.assertEqual(errcode, None)

    # Expired

    (errcode, msg) = vci(True, 1266507600, 1267544400, 1266939600, 30, 7)

    self.assertEqual(errcode, utils.CERT_ERROR)

    (errcode, msg) = vci(True, None, 1267544400, 1266939600, 30, 7)

    self.assertEqual(errcode, utils.CERT_ERROR)

    (errcode, msg) = vci(True, 1266507600, None, 1266939600, 30, 7)

    self.assertEqual(errcode, utils.CERT_ERROR)

    (errcode, msg) = vci(True, None, None, 1266939600, 30, 7)

    self.assertEqual(errcode, utils.CERT_ERROR)