finish vagrant configuration

- ignore collected assets
- setup virtualenv and environment variables
- import additional salt state modules

roots/_states/rsa_key.py

@@ -0,0 +1,117 @@
+# -*- coding: utf-8 -*-
+#
+# some internal functions are copied from salt.states.file
+
+from Crypto.PublicKey import RSA
+import os
+
+
+def _check_user(user, group):
+    '''
+    Checks if the named user and group are present on the minion
+    '''
+    err = ''
+    if user:
+        uid = __salt__['file.user_to_uid'](user)
+        if uid == '':
+            err += 'User {0} is not available '.format(user)
+    if group:
+        gid = __salt__['file.group_to_gid'](group)
+        if gid == '':
+            err += 'Group {0} is not available'.format(group)
+    return err
+
+
+def _error(ret, err_msg):
+    ret['result'] = False
+    ret['comment'] = err_msg
+    return ret
+
+
+def _calculate_umask(mode):
+    mode = str(mode).lstrip('0')
+    if not mode:
+        mode = '0'
+    modeint = int(mode, 8)
+    return modeint ^ 0777
+
+
+def valid_key(name, bits=2048, user=None, group=None, mode='0700'):
+    """
+    Make sure that the given key file exists and contains a valid RSA key.
+
+    name
+        The name of the key file to check
+
+    bits
+        Minimum bits for the RSA key
+
+    user
+        The user to own the file, this defaults to the user salt is running as
+        on the minion
+
+    group
+        The group ownership set for the file, this defaults to the group salt
+        is running on the minion
+
+    mode
+        The permissions set on the file, this defaults to 0600
+    """
+
+    mode = __salt__['config.manage_mode'](mode)
+
+    ret = {
+        'name': name,
+        'changes': {},
+        'result': None,
+        'comment': ''}
+    if not os.path.isfile(name) and __opts__['test']:
+        ret['comment'] = 'would create RSA key in file {0}'.format(name)
+        return ret
+
+    u_check = _check_user(user, group)
+    if u_check:
+        return _error(ret, u_check)
+    if not os.path.isabs(name):
+        return _error(
+            ret, 'Specified file {0} is not an absolute path'.format(name))
+    if os.path.isdir(name):
+        return _error(
+            ret, 'Specified target {0} is a directory'.format(name))
+    if os.path.exists(name):
+        ret, perms = __salt__['file.check_perms'](
+            name, ret, user, group, mode)
+        if __opts__['test']:
+            ret['comment'] = 'File {0} not updated'.format(name)
+            return ret
+
+    if not os.path.isfile(name):
+        rsa = RSA.generate(bits)
+        oldumask = os.umask(_calculate_umask(mode))
+        with open(name, 'w') as rsafile:
+            rsafile.write(rsa.exportKey())
+        os.umask(oldumask)
+        ret['comment'] = 'created new RSA key and saved PEM file {0}'.format(
+            name)
+        ret['changes']['created'] = name
+        ret['result'] = True
+        return ret
+    try:
+        with open(name, 'r') as rsafile:
+            rsa = RSA.importKey(rsafile.read())
+    except Exception as e:
+        ret['comment'] = 'error loading RSA key from file {0}: {1}'.format(
+            name, e)
+        ret['result'] = False
+        return ret
+    keysize = rsa.size() + 1
+    if keysize < bits:
+        ret['comment'] = (
+            'RSA key in {0} is only {1} bits, which is less than the '
+            'required {2} bits'.format(name, keysize, bits))
+        ret['result'] = False
+    else:
+        ret['comment'] = 'RSA key in file {0} is ok ({1} bits)'.format(
+            name, keysize)
+        ret['result'] = True
+    return ret

roots/_states/x509_certificate.py

@@ -0,0 +1,61 @@
+# -*- coding: utf8 -*-
+'''
+Manage X.509 certificate life cycle
+===================================
+
+This state is useful for managing X.509 certificates' life cycles.
+
+Copyright (c) 2014 Jan Dittberner <jan@dittberner.info>
+'''
+
+from M2Crypto import X509
+from datetime import datetime
+import os
+
+
+def _error(ret, err_msg):
+    ret['result'] = False
+    ret['comment'] = err_msg
+    return ret
+
+
+def valid_certificate(
+    name, mindays=14, keyfile=None,
+    checkchain=False, trustedcerts=None):
+    '''
+    Checks whether the given certificate file is valid.
+
+    name
+        The name of the certificate file to check
+    mindays
+        Mark the certificate as invalid if it is valid for less then this many
+        days
+    '''
+    ret = {
+        'name': name,
+        'changes': {},
+        'result': None,
+        'comment': ''}
+    if not os.path.isfile(name):
+        return _error(
+            ret, 'certificate file {0} does not exist'.format(name))
+    try:
+        cert = X509.load_cert(name)
+    except Exception as e:
+        return _error(
+            ret,
+            'error loading certificate {0}: {1}'.format(name, e))
+    notafter = cert.get_not_after().get_datetime()
+    delta = notafter - datetime.now(notafter.tzinfo)
+    if delta.days < mindays:
+        return _error(
+            ret,
+            'certificate {0} is only valid for {1} more day(s)'.format(
+                name, delta.days))
+    # TODO: check keyfile match
+    # TODO: check trust chain
+    ret['comment'] = (
+        'certificate {0} is ok and still valid for {1} days'.format(
+            name, delta.days))
+    ret['result'] = True
+    return ret