diff --git a/states/_states/rsa_key.py b/states/_states/rsa_key.py
index f348891..54137b4 100644
--- a/states/_states/rsa_key.py
+++ b/states/_states/rsa_key.py
@@ -9,36 +9,36 @@ import os
 
 
 def _check_user(user, group):
-    '''
+    """
     Checks if the named user and group are present on the minion
-    '''
-    err = ''
+    """
+    err = ""
     if user:
-        uid = __salt__['file.user_to_uid'](user)
-        if uid == '':
-            err += 'User {0} is not available '.format(user)
+        uid = __salt__["file.user_to_uid"](user)
+        if uid == "":
+            err += "User {0} is not available ".format(user)
     if group:
-        gid = __salt__['file.group_to_gid'](group)
-        if gid == '':
-            err += 'Group {0} is not available'.format(group)
+        gid = __salt__["file.group_to_gid"](group)
+        if gid == "":
+            err += "Group {0} is not available".format(group)
     return err
 
 
 def _error(ret, err_msg):
-    ret['result'] = False
-    ret['comment'] = err_msg
+    ret["result"] = False
+    ret["comment"] = err_msg
     return ret
 
 
 def _calculate_umask(mode):
-    mode = str(mode).lstrip('0')
+    mode = str(mode).lstrip("0")
     if not mode:
-        mode = '0'
+        mode = "0"
     modeint = int(mode, 8)
-    return modeint ^ 0777
+    return modeint ^ 0o777
 
 
-def valid_key(name, bits=2048, user=None, group=None, mode='0700'):
+def valid_key(name, bits=2048, user=None, group=None, mode="0700"):
     """
     Make sure that the given key file exists and contains a valid RSA key.
 
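Review bot: `_calculate_umask` and `_error` still have no docstrings, and the new `valid_key` signature keeps `mode="0700"` while the docstring text in the next hunk says the mode "defaults to 0600" — one of the two should change. For `_calculate_umask` I would add `"""Return the umask that makes a newly created file end up with octal ``mode`` (a string such as "0700"); the lstrip/"0" fallback keeps int(..., 8) from failing on an all-zero string."""`, and for `_error` a one-liner such as `"""Mark ``ret`` as failed with ``err_msg`` as its comment and return it."""`. Note also that `modeint ^ 0o777` only complements the low nine bits, so a mode carrying setuid/setgid/sticky digits (e.g. "4700") yields a umask with those high bits set rather than cleared — likely harmless for `os.umask`, but worth a comment or a trailing `& 0o777`.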
@@ -60,69 +60,62 @@ def valid_key(name, bits=2048, user=None, group=None, mode='0700'):
         The permissions set on the file, this defaults to 0600
     """
-    mode = __salt__['config.manage_mode'](mode)
+    mode = __salt__["config.manage_mode"](mode)
-    ret = {
-        'name': name,
-        'changes': {},
-        'result': None,
-        'comment': ''}
-    if not os.path.isfile(name) and __opts__['test']:
-        ret['comment'] = 'would create RSA key in file {0}'.format(name)
+    ret = {"name": name, "changes": {}, "result": None, "comment": ""}
+    if not os.path.isfile(name) and __opts__["test"]:
+        ret["comment"] = "would create RSA key in file {0}".format(name)
         return ret
     u_check = _check_user(user, group)
     if u_check:
         return _error(ret, u_check)
     if not os.path.isabs(name):
-        return _error(
-            ret, 'Specified file {0} is not an absolute path'.format(name))
+        return _error(ret, "Specified file {0} is not an absolute path".format(name))
     if os.path.isdir(name):
-        return _error(
-            ret, 'Specified target {0} is a directory'.format(name))
+        return _error(ret, "Specified target {0} is a directory".format(name))
     if os.path.exists(name):
-        ret, perms = __salt__['file.check_perms'](
-            name, ret, user, group, mode)
-        if __opts__['test']:
-            ret['comment'] = 'File {0} not updated'.format(name)
+        ret, perms = __salt__["file.check_perms"](name, ret, user, group, mode)
+        if __opts__["test"]:
+            ret["comment"] = "File {0} not updated".format(name)
             return ret
     if not os.path.isfile(name):
         rsakey = rsa.generate_private_key(
-            public_exponent=65537,
-            key_size=bits,
-            backend=default_backend())
+            public_exponent=65537, key_size=bits, backend=default_backend()
+        )
         oldumask = os.umask(_calculate_umask(mode))
-        with open(name, 'w') as rsafile:
-            rsafile.write(rsakey.private_bytes(
-                encoding=serialization.Encoding.PEM,
-                format=serialization.PrivateFormat.PKCS8,
-                encryption_algorithm=serialization.NoEncryption()
-            ))
+        with open(name, "wb") as rsafile:
+            rsafile.write(
+                rsakey.private_bytes(
+                    encoding=serialization.Encoding.PEM,
+                    format=serialization.PrivateFormat.PKCS8,
+                    encryption_algorithm=serialization.NoEncryption(),
+                )
+            )
         os.umask(oldumask)
-        ret['comment'] = 'created new RSA key and saved PEM file {0}'.format(
-            name)
-        ret['changes']['created'] = name
-        ret['result'] = True
+        ret["comment"] = "created new RSA key and saved PEM file {0}".format(name)
+        ret["changes"]["created"] = name
+        ret["result"] = True
         return ret
     try:
-        with open(name, 'r') as rsafile:
+        with open(name, "rb") as rsafile:
             rsakey = serialization.load_pem_private_key(
-                rsafile.read(),
-                password=None,
-                backend=default_backend())
+                rsafile.read(), password=None, backend=default_backend()
+            )
     except Exception as e:
-        ret['comment'] = 'error loading RSA key from file {0}: {1}'.format(
-            name, e)
-        ret['result'] = False
+        ret["comment"] = "error loading RSA key from file {0}: {1}".format(name, e)
+        ret["result"] = False
         return ret
     if rsakey.key_size < bits:
-        ret['comment'] = (
-            'RSA key in {0} is only {1} bits, which is less than the '
-            'required {2} bits'.format(name, rsakey.key_size, bits))
-        ret['result'] = False
+        ret["comment"] = (
+            "RSA key in {0} is only {1} bits, which is less than the "
+            "required {2} bits".format(name, rsakey.key_size, bits)
+        )
+        ret["result"] = False
     else:
-        ret['comment'] = 'RSA key in file {0} is ok ({1} bits)'.format(
-            name, rsakey.key_size)
-        ret['result'] = True
+        ret["comment"] = "RSA key in file {0} is ok ({1} bits)".format(
+            name, rsakey.key_size
+        )
+        ret["result"] = True
     return ret
diff --git a/states/_states/x509_certificate.py b/states/_states/x509_certificate.py
index 099920e..53a7335 100644
--- a/states/_states/x509_certificate.py
+++ b/states/_states/x509_certificate.py
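Review bot: The key-creation branch changes the process-wide umask and restores it only on the success path: if `private_bytes()` or the write raises, the `os.umask(oldumask)` after the `with` block is skipped and every file the minion creates afterwards inherits the restrictive mask. Creating the file with `os.open(name, os.O_WRONLY | os.O_CREAT | os.O_EXCL, int(str(mode), 8))` and `os.fdopen` removes the umask juggling and also refuses to write into a file that appeared between the `isfile()` check and the open (an `O_CREAT` mode can only be narrowed by the umask, never widened; this assumes `config.manage_mode` returns an octal string, as `_calculate_umask` already does). As far as this hunk shows, a freshly generated key also never receives the requested `user`/`group`, because `file.check_perms` runs only in the `os.path.exists(name)` branch evaluated before generation, so until the next run the key stays owned by the minion process user; calling `file.check_perms` after a successful create would close that gap. The `perms` value from that call is unused and could be `_`. Rewritten creation block (the trailing `ret[...]` assignments and `return ret` are unchanged):
```python
    if not os.path.isfile(name):
        rsakey = rsa.generate_private_key(
            public_exponent=65537, key_size=bits, backend=default_backend()
        )
        pem = rsakey.private_bytes(
            encoding=serialization.Encoding.PEM,
            format=serialization.PrivateFormat.PKCS8,
            encryption_algorithm=serialization.NoEncryption(),
        )
        # O_EXCL: fail rather than write into a file that appeared between the
        # isfile() check and this open; the mode is applied at creation, so no
        # process-wide umask change is needed and nothing is left to restore.
        fd = os.open(name, os.O_WRONLY | os.O_CREAT | os.O_EXCL, int(str(mode), 8))
        with os.fdopen(fd, "wb") as rsafile:
            rsafile.write(pem)
        # … unchanged: ret["comment"] / ret["changes"] / ret["result"] / return ret …
```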
@@ -1,12 +1,12 @@
 # -*- coding: utf8 -*-
-'''
+"""
 Manage X.509 certificate life cycle
 ===================================
 
 This state is useful for managing X.509 certificates' life cycles.
 
-Copyright (c) 2014, 2016 Jan Dittberner
-'''
+Copyright (c) 2014-2020 Jan Dittberner
+"""
 
 from cryptography import x509
 from cryptography.hazmat.backends import default_backend
@@ -15,15 +15,15 @@ import os
 
 
 def _error(ret, err_msg):
-    ret['result'] = False
-    ret['comment'] = err_msg
+    ret["result"] = False
+    ret["comment"] = err_msg
     return ret
 
 
 def valid_certificate(
-        name, mindays=14, keyfile=None,
-        checkchain=False, trustedcerts=None):
-    '''
+    name, mindays=14, keyfile=None, checkchain=False, trustedcerts=None
+):
+    """
     Checks whether the given certificate file is valid.
 
     name
@@ -31,33 +31,28 @@ def valid_certificate(
 
     mindays
         Mark the certificate as invalid if it is valid for less then this many days
-    '''
-    ret = {
-        'name': name,
-        'changes': {},
-        'result': None,
-        'comment': ''}
+    """
+    ret = {"name": name, "changes": {}, "result": None, "comment": ""}
     if not os.path.isfile(name):
-        return _error(
-            ret, 'certificate file {0} does not exist'.format(name))
-    with open(name) as pemfile:
+        return _error(ret, "certificate file {0} does not exist".format(name))
+    with open(name, "rb") as pemfile:
         try:
-            cert = x509.load_pem_x509_certificate(pemfile.read(),
-                                                  default_backend())
+            cert = x509.load_pem_x509_certificate(pemfile.read(), default_backend())
         except Exception as e:
-            return _error(
-                ret, 'error loading certificate {0}: {1}'.format(name, e))
+            return _error(ret, "error loading certificate {0}: {1}".format(name, e))
     notafter = cert.not_valid_after
     delta = notafter - datetime.utcnow()
     if delta.days < mindays:
         return _error(
             ret,
-            'certificate {0} is only valid for {1} more day(s)'.format(
-                name, delta.days))
+            "certificate {0} is only valid for {1} more day(s)".format(
+                name, delta.days
+            ),
+        )
     # TODO: check keyfile match
     # TODO: check trust chain
-    ret['comment'] = (
-        'certificate {0} is ok and still valid for {1} days'.format(
-            name, delta.days))
-    ret['result'] = True
+    ret["comment"] = "certificate {0} is ok and still valid for {1} days".format(
+        name, delta.days
+    )
+    ret["result"] = True
     return ret
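Review bot: `valid_certificate` still reports `result: True` with "certificate … is ok" even when a caller passes `keyfile`, `checkchain=True` or `trustedcerts`, because those parameters are accepted but only the two `# TODO` comments stand in for them, so a state that asks for chain verification silently gets none. Until they are implemented I would fail explicitly right after `ret` is built — `if keyfile is not None or checkchain or trustedcerts is not None:` / `    return _error(ret, "keyfile/checkchain/trustedcerts checks are not implemented yet")` — or at minimum state in the docstring (which describes only `name` and `mindays`) that the three are currently ignored. The check also looks only at `not_valid_after`, so a certificate whose `not_valid_before` lies in the future passes as "ok"; `if cert.not_valid_before > datetime.utcnow(): return _error(ret, "certificate {0} is not yet valid".format(name))` would catch that. `not_valid_after` and `datetime.utcnow()` are both naive UTC values, which is consistent, but newer cryptography releases deprecate the naive accessors in favour of `not_valid_after_utc`/`not_valid_before_utc`, so a comment or version check is worth adding. The function's signature and docstring begin outside this hunk.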