Revision 24d70417 lib/cmdlib.py
| b/lib/cmdlib.py | ||
|---|---|---|
| 923 | 923 |
return faulty |
| 924 | 924 |
|
| 925 | 925 |
|
| 926 |
def _FormatTimestamp(secs): |
|
| 927 |
"""Formats a Unix timestamp with the local timezone. |
|
| 928 |
|
|
| 929 |
""" |
|
| 930 |
return time.strftime("%F %T %Z", time.gmtime(secs))
|
|
| 931 |
|
|
| 932 |
|
|
| 933 | 926 |
class LUPostInitCluster(LogicalUnit): |
| 934 | 927 |
"""Logical unit for running hooks after cluster initialization. |
| 935 | 928 |
|
| ... | ... | |
| 1021 | 1014 |
return master |
| 1022 | 1015 |
|
| 1023 | 1016 |
|
| 1024 |
def _VerifyCertificateInner(filename, expired, not_before, not_after, now, |
|
| 1025 |
warn_days=constants.SSL_CERT_EXPIRATION_WARN, |
|
| 1026 |
error_days=constants.SSL_CERT_EXPIRATION_ERROR): |
|
| 1027 |
"""Verifies certificate details for LUVerifyCluster. |
|
| 1028 |
|
|
| 1029 |
""" |
|
| 1030 |
if expired: |
|
| 1031 |
msg = "Certificate %s is expired" % filename |
|
| 1032 |
|
|
| 1033 |
if not_before is not None and not_after is not None: |
|
| 1034 |
msg += (" (valid from %s to %s)" %
|
|
| 1035 |
(_FormatTimestamp(not_before), |
|
| 1036 |
_FormatTimestamp(not_after))) |
|
| 1037 |
elif not_before is not None: |
|
| 1038 |
msg += " (valid from %s)" % _FormatTimestamp(not_before) |
|
| 1039 |
elif not_after is not None: |
|
| 1040 |
msg += " (valid until %s)" % _FormatTimestamp(not_after) |
|
| 1041 |
|
|
| 1042 |
return (LUVerifyCluster.ETYPE_ERROR, msg) |
|
| 1043 |
|
|
| 1044 |
elif not_before is not None and not_before > now: |
|
| 1045 |
return (LUVerifyCluster.ETYPE_WARNING, |
|
| 1046 |
"Certificate %s not yet valid (valid from %s)" % |
|
| 1047 |
(filename, _FormatTimestamp(not_before))) |
|
| 1048 |
|
|
| 1049 |
elif not_after is not None: |
|
| 1050 |
remaining_days = int((not_after - now) / (24 * 3600)) |
|
| 1051 |
|
|
| 1052 |
msg = ("Certificate %s expires in %d days" % (filename, remaining_days))
|
|
| 1053 |
|
|
| 1054 |
if remaining_days <= error_days: |
|
| 1055 |
return (LUVerifyCluster.ETYPE_ERROR, msg) |
|
| 1056 |
|
|
| 1057 |
if remaining_days <= warn_days: |
|
| 1058 |
return (LUVerifyCluster.ETYPE_WARNING, msg) |
|
| 1059 |
|
|
| 1060 |
return (None, None) |
|
| 1061 |
|
|
| 1062 |
|
|
| 1063 | 1017 |
def _VerifyCertificate(filename): |
| 1064 | 1018 |
"""Verifies a certificate for LUVerifyCluster. |
| 1065 | 1019 |
|
| ... | ... | |
| 1074 | 1028 |
return (LUVerifyCluster.ETYPE_ERROR, |
| 1075 | 1029 |
"Failed to load X509 certificate %s: %s" % (filename, err)) |
| 1076 | 1030 |
|
| 1077 |
# Depending on the pyOpenSSL version, this can just return (None, None) |
|
| 1078 |
(not_before, not_after) = utils.GetX509CertValidity(cert) |
|
| 1031 |
(errcode, msg) = \ |
|
| 1032 |
utils.VerifyX509Certificate(cert, constants.SSL_CERT_EXPIRATION_WARN, |
|
| 1033 |
constants.SSL_CERT_EXPIRATION_ERROR) |
|
| 1034 |
|
|
| 1035 |
if msg: |
|
| 1036 |
fnamemsg = "While verifying %s: %s" % (filename, msg) |
|
| 1037 |
else: |
|
| 1038 |
fnamemsg = None |
|
| 1039 |
|
|
| 1040 |
if errcode is None: |
|
| 1041 |
return (None, fnamemsg) |
|
| 1042 |
elif errcode == utils.CERT_WARNING: |
|
| 1043 |
return (LUVerifyCluster.ETYPE_WARNING, fnamemsg) |
|
| 1044 |
elif errcode == utils.CERT_ERROR: |
|
| 1045 |
return (LUVerifyCluster.ETYPE_ERROR, fnamemsg) |
|
| 1079 | 1046 |
|
| 1080 |
return _VerifyCertificateInner(filename, cert.has_expired(), |
|
| 1081 |
not_before, not_after, time.time()) |
|
| 1047 |
raise errors.ProgrammerError("Unhandled certificate error code %r" % errcode)
|
|
| 1082 | 1048 |
|
| 1083 | 1049 |
|
| 1084 | 1050 |
class LUVerifyCluster(LogicalUnit): |
Also available in: Unified diff