Python 3 compatibility for custom states
This commit is contained in:
parent
bcb92e483d
commit
288acee379
2 changed files with 73 additions and 85 deletions
|
@ -9,36 +9,36 @@ import os
|
|||
|
||||
|
||||
def _check_user(user, group):
|
||||
'''
|
||||
"""
|
||||
Checks if the named user and group are present on the minion
|
||||
'''
|
||||
err = ''
|
||||
"""
|
||||
err = ""
|
||||
if user:
|
||||
uid = __salt__['file.user_to_uid'](user)
|
||||
if uid == '':
|
||||
err += 'User {0} is not available '.format(user)
|
||||
uid = __salt__["file.user_to_uid"](user)
|
||||
if uid == "":
|
||||
err += "User {0} is not available ".format(user)
|
||||
if group:
|
||||
gid = __salt__['file.group_to_gid'](group)
|
||||
if gid == '':
|
||||
err += 'Group {0} is not available'.format(group)
|
||||
gid = __salt__["file.group_to_gid"](group)
|
||||
if gid == "":
|
||||
err += "Group {0} is not available".format(group)
|
||||
return err
|
||||
|
||||
|
||||
def _error(ret, err_msg):
|
||||
ret['result'] = False
|
||||
ret['comment'] = err_msg
|
||||
ret["result"] = False
|
||||
ret["comment"] = err_msg
|
||||
return ret
|
||||
|
||||
|
||||
def _calculate_umask(mode):
|
||||
mode = str(mode).lstrip('0')
|
||||
mode = str(mode).lstrip("0")
|
||||
if not mode:
|
||||
mode = '0'
|
||||
mode = "0"
|
||||
modeint = int(mode, 8)
|
||||
return modeint ^ 0777
|
||||
return modeint ^ 0o777
|
||||
|
||||
|
||||
def valid_key(name, bits=2048, user=None, group=None, mode='0700'):
|
||||
def valid_key(name, bits=2048, user=None, group=None, mode="0700"):
|
||||
"""
|
||||
Make sure that the given key file exists and contains a valid RSA key.
|
||||
|
||||
|
@ -60,69 +60,62 @@ def valid_key(name, bits=2048, user=None, group=None, mode='0700'):
|
|||
The permissions set on the file, this defaults to 0600
|
||||
"""
|
||||
|
||||
mode = __salt__['config.manage_mode'](mode)
|
||||
mode = __salt__["config.manage_mode"](mode)
|
||||
|
||||
ret = {
|
||||
'name': name,
|
||||
'changes': {},
|
||||
'result': None,
|
||||
'comment': ''}
|
||||
if not os.path.isfile(name) and __opts__['test']:
|
||||
ret['comment'] = 'would create RSA key in file {0}'.format(name)
|
||||
ret = {"name": name, "changes": {}, "result": None, "comment": ""}
|
||||
if not os.path.isfile(name) and __opts__["test"]:
|
||||
ret["comment"] = "would create RSA key in file {0}".format(name)
|
||||
return ret
|
||||
|
||||
u_check = _check_user(user, group)
|
||||
if u_check:
|
||||
return _error(ret, u_check)
|
||||
if not os.path.isabs(name):
|
||||
return _error(
|
||||
ret, 'Specified file {0} is not an absolute path'.format(name))
|
||||
return _error(ret, "Specified file {0} is not an absolute path".format(name))
|
||||
if os.path.isdir(name):
|
||||
return _error(
|
||||
ret, 'Specified target {0} is a directory'.format(name))
|
||||
return _error(ret, "Specified target {0} is a directory".format(name))
|
||||
if os.path.exists(name):
|
||||
ret, perms = __salt__['file.check_perms'](
|
||||
name, ret, user, group, mode)
|
||||
if __opts__['test']:
|
||||
ret['comment'] = 'File {0} not updated'.format(name)
|
||||
ret, perms = __salt__["file.check_perms"](name, ret, user, group, mode)
|
||||
if __opts__["test"]:
|
||||
ret["comment"] = "File {0} not updated".format(name)
|
||||
return ret
|
||||
|
||||
if not os.path.isfile(name):
|
||||
rsakey = rsa.generate_private_key(
|
||||
public_exponent=65537,
|
||||
key_size=bits,
|
||||
backend=default_backend())
|
||||
public_exponent=65537, key_size=bits, backend=default_backend()
|
||||
)
|
||||
oldumask = os.umask(_calculate_umask(mode))
|
||||
with open(name, 'w') as rsafile:
|
||||
rsafile.write(rsakey.private_bytes(
|
||||
with open(name, "wb") as rsafile:
|
||||
rsafile.write(
|
||||
rsakey.private_bytes(
|
||||
encoding=serialization.Encoding.PEM,
|
||||
format=serialization.PrivateFormat.PKCS8,
|
||||
encryption_algorithm=serialization.NoEncryption()
|
||||
))
|
||||
encryption_algorithm=serialization.NoEncryption(),
|
||||
)
|
||||
)
|
||||
os.umask(oldumask)
|
||||
ret['comment'] = 'created new RSA key and saved PEM file {0}'.format(
|
||||
name)
|
||||
ret['changes']['created'] = name
|
||||
ret['result'] = True
|
||||
ret["comment"] = "created new RSA key and saved PEM file {0}".format(name)
|
||||
ret["changes"]["created"] = name
|
||||
ret["result"] = True
|
||||
return ret
|
||||
try:
|
||||
with open(name, 'r') as rsafile:
|
||||
with open(name, "rb") as rsafile:
|
||||
rsakey = serialization.load_pem_private_key(
|
||||
rsafile.read(),
|
||||
password=None,
|
||||
backend=default_backend())
|
||||
rsafile.read(), password=None, backend=default_backend()
|
||||
)
|
||||
except Exception as e:
|
||||
ret['comment'] = 'error loading RSA key from file {0}: {1}'.format(
|
||||
name, e)
|
||||
ret['result'] = False
|
||||
ret["comment"] = "error loading RSA key from file {0}: {1}".format(name, e)
|
||||
ret["result"] = False
|
||||
return ret
|
||||
if rsakey.key_size < bits:
|
||||
ret['comment'] = (
|
||||
'RSA key in {0} is only {1} bits, which is less than the '
|
||||
'required {2} bits'.format(name, rsakey.key_size, bits))
|
||||
ret['result'] = False
|
||||
ret["comment"] = (
|
||||
"RSA key in {0} is only {1} bits, which is less than the "
|
||||
"required {2} bits".format(name, rsakey.key_size, bits)
|
||||
)
|
||||
ret["result"] = False
|
||||
else:
|
||||
ret['comment'] = 'RSA key in file {0} is ok ({1} bits)'.format(
|
||||
name, rsakey.key_size)
|
||||
ret['result'] = True
|
||||
ret["comment"] = "RSA key in file {0} is ok ({1} bits)".format(
|
||||
name, rsakey.key_size
|
||||
)
|
||||
ret["result"] = True
|
||||
return ret
|
||||
|
|
|
@ -1,12 +1,12 @@
|
|||
# -*- coding: utf8 -*-
|
||||
'''
|
||||
"""
|
||||
Manage X.509 certificate life cycle
|
||||
===================================
|
||||
|
||||
This state is useful for managing X.509 certificates' life cycles.
|
||||
|
||||
Copyright (c) 2014, 2016 Jan Dittberner <jan@dittberner.info>
|
||||
'''
|
||||
Copyright (c) 2014-2020 Jan Dittberner <jan@dittberner.info>
|
||||
"""
|
||||
|
||||
from cryptography import x509
|
||||
from cryptography.hazmat.backends import default_backend
|
||||
|
@ -15,15 +15,15 @@ import os
|
|||
|
||||
|
||||
def _error(ret, err_msg):
|
||||
ret['result'] = False
|
||||
ret['comment'] = err_msg
|
||||
ret["result"] = False
|
||||
ret["comment"] = err_msg
|
||||
return ret
|
||||
|
||||
|
||||
def valid_certificate(
|
||||
name, mindays=14, keyfile=None,
|
||||
checkchain=False, trustedcerts=None):
|
||||
'''
|
||||
name, mindays=14, keyfile=None, checkchain=False, trustedcerts=None
|
||||
):
|
||||
"""
|
||||
Checks whether the given certificate file is valid.
|
||||
|
||||
name
|
||||
|
@ -31,33 +31,28 @@ def valid_certificate(
|
|||
mindays
|
||||
Mark the certificate as invalid if it is valid for less then this many
|
||||
days
|
||||
'''
|
||||
ret = {
|
||||
'name': name,
|
||||
'changes': {},
|
||||
'result': None,
|
||||
'comment': ''}
|
||||
"""
|
||||
ret = {"name": name, "changes": {}, "result": None, "comment": ""}
|
||||
if not os.path.isfile(name):
|
||||
return _error(
|
||||
ret, 'certificate file {0} does not exist'.format(name))
|
||||
with open(name) as pemfile:
|
||||
return _error(ret, "certificate file {0} does not exist".format(name))
|
||||
with open(name, "rb") as pemfile:
|
||||
try:
|
||||
cert = x509.load_pem_x509_certificate(pemfile.read(),
|
||||
default_backend())
|
||||
cert = x509.load_pem_x509_certificate(pemfile.read(), default_backend())
|
||||
except Exception as e:
|
||||
return _error(
|
||||
ret, 'error loading certificate {0}: {1}'.format(name, e))
|
||||
return _error(ret, "error loading certificate {0}: {1}".format(name, e))
|
||||
notafter = cert.not_valid_after
|
||||
delta = notafter - datetime.utcnow()
|
||||
if delta.days < mindays:
|
||||
return _error(
|
||||
ret,
|
||||
'certificate {0} is only valid for {1} more day(s)'.format(
|
||||
name, delta.days))
|
||||
"certificate {0} is only valid for {1} more day(s)".format(
|
||||
name, delta.days
|
||||
),
|
||||
)
|
||||
# TODO: check keyfile match
|
||||
# TODO: check trust chain
|
||||
ret['comment'] = (
|
||||
'certificate {0} is ok and still valid for {1} days'.format(
|
||||
name, delta.days))
|
||||
ret['result'] = True
|
||||
ret["comment"] = "certificate {0} is ok and still valid for {1} days".format(
|
||||
name, delta.days
|
||||
)
|
||||
ret["result"] = True
|
||||
return ret
|
||||
|
|
Loading…
Reference in a new issue