Revision 24d70417 lib/cmdlib.py
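--- a/lib/cmdlib.py
+++ b/lib/cmdlib.py
@@ -923,13 +923,6 @@
 return faulty
 
 
-def _FormatTimestamp(secs):
-"""Formats a Unix timestamp with the local timezone.
-
-"""
-return time.strftime("%F %T %Z", time.gmtime(secs))
-
-
 class LUPostInitCluster(LogicalUnit):
 """Logical unit for running hooks after cluster initialization.
 
@@ -1021,45 +1014,6 @@
 return master
 
 
-def _VerifyCertificateInner(filename, expired, not_before, not_after, now,
-warn_days=constants.SSL_CERT_EXPIRATION_WARN,
-error_days=constants.SSL_CERT_EXPIRATION_ERROR):
-"""Verifies certificate details for LUVerifyCluster.
-
-"""
-if expired:
-msg = "Certificate %s is expired" % filename
-
-if not_before is not None and not_after is not None:
-msg += (" (valid from %s to %s)" %
-(_FormatTimestamp(not_before),
-_FormatTimestamp(not_after)))
-elif not_before is not None:
-msg += " (valid from %s)" % _FormatTimestamp(not_before)
-elif not_after is not None:
-msg += " (valid until %s)" % _FormatTimestamp(not_after)
-
-return (LUVerifyCluster.ETYPE_ERROR, msg)
-
-elif not_before is not None and not_before > now:
-return (LUVerifyCluster.ETYPE_WARNING,
-"Certificate %s not yet valid (valid from %s)" %
-(filename, _FormatTimestamp(not_before)))
-
-elif not_after is not None:
-remaining_days = int((not_after - now) / (24 * 3600))
-
-msg = ("Certificate %s expires in %d days" % (filename, remaining_days))
-
-if remaining_days <= error_days:
-return (LUVerifyCluster.ETYPE_ERROR, msg)
-
-if remaining_days <= warn_days:
-return (LUVerifyCluster.ETYPE_WARNING, msg)
-
-return (None, None)
-
-
 def _VerifyCertificate(filename):
 """Verifies a certificate for LUVerifyCluster.
 
@@ -1074,11 +1028,23 @@
 return (LUVerifyCluster.ETYPE_ERROR,
 "Failed to load X509 certificate %s: %s" % (filename, err))
 
-# Depending on the pyOpenSSL version, this can just return (None, None)
-(not_before, not_after) = utils.GetX509CertValidity(cert)
+(errcode, msg) = \
+utils.VerifyX509Certificate(cert, constants.SSL_CERT_EXPIRATION_WARN,
+constants.SSL_CERT_EXPIRATION_ERROR)
+
+if msg:
+fnamemsg = "While verifying %s: %s" % (filename, msg)
+else:
+fnamemsg = None
+
+if errcode is None:
+return (None, fnamemsg)
+elif errcode == utils.CERT_WARNING:
+return (LUVerifyCluster.ETYPE_WARNING, fnamemsg)
+elif errcode == utils.CERT_ERROR:
+return (LUVerifyCluster.ETYPE_ERROR, fnamemsg)
 
-return _VerifyCertificateInner(filename, cert.has_expired(),
-not_before, not_after, time.time())
+raise errors.ProgrammerError("Unhandled certificate error code %r" % errcode)
 
 
 class LUVerifyCluster(LogicalUnit):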
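Review bot: The `if errcode is None: return (None, fnamemsg)` branch in `_VerifyCertificate` can return a non-empty message with no error type, whereas the removed `_VerifyCertificateInner` returned `(None, None)` whenever nothing was wrong. The caller in LUVerifyCluster is outside this page, so it is not visible whether such a message is reported or silently dropped; for a certificate check, a diagnostic that disappears is worth ruling out. I would document the contract at that branch, e.g. `# errcode None with a message: informational only, the caller must still report it`, or return `(None, None)` there if the caller ignores it. The removed comment about pyOpenSSL versions that cannot report validity dates also has no counterpart in the new lines, so it may be worth confirming that `utils.VerifyX509Certificate` handles that case. The function's docstring and the certificate-loading code sit in the elided part of the section.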