File x509-fixes-for-remote-signing-106.patch of Package salt.9543
From 322e935968ac7c08db5aedc7c2205d2c9cd7f2a8 Mon Sep 17 00:00:00 2001 From: Florian Bergmann <bergmannf@users.noreply.github.com> Date: Tue, 11 Sep 2018 14:02:55 +0200 Subject: [PATCH] X509 fixes for remote signing (#106) * Use to_str salt.utils when writing to a file. * Assign the certificate as a string. * Convert to string before sending via 'publish'. Otherwise the publish call with receive a "b''" string, which can not be used in the functions. * Do not silently ignore errors. At least log the occurring errors to debug and trace. --- salt/modules/x509.py | 60 +++++++++++++++++++++----------------------- salt/states/x509.py | 2 +- 2 files changed, 30 insertions(+), 32 deletions(-) diff --git a/salt/modules/x509.py b/salt/modules/x509.py index fe9c682ce2..87a40104ca 100644 --- a/salt/modules/x509.py +++ b/salt/modules/x509.py @@ -658,7 +658,7 @@ def read_crl(crl): text = get_pem_entry(text, pem_type='X509 CRL') crltempfile = tempfile.NamedTemporaryFile() - crltempfile.write(text) + crltempfile.write(salt.utils.stringutils.to_str(text)) crltempfile.flush() crlparsed = _parse_openssl_crl(crltempfile.name) crltempfile.close() 
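Review bot: In read_crl the temp file is created by `tempfile.NamedTemporaryFile()` with no mode argument, so it is opened in binary mode, and on Python 3 `crltempfile.write(salt.utils.stringutils.to_str(text))` passes a str and raises TypeError before the CRL is ever parsed. Writing bytes instead, `crltempfile.write(salt.utils.stringutils.to_bytes(text))`, or opening the file with `mode='w+'`, works on both Python 2 and 3. The same applies to the `crltempfile.write(...)` and `certtempfile.write(...)` lines in the verify_crl hunk further down. Since a failed write here turns a CRL check into an unhandled exception, it is worth a regression test on Python 3. read_crl starts and ends outside this hunk.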
@@ -757,32 +757,30 @@ def write_pem(text, path, overwrite=True, pem_type=None): .. code-block:: bash - salt '*' x509.write_pem \\ - "-----BEGIN CERTIFICATE-----MIIGMzCCBBugA..." \\ - path=/etc/pki/mycert.crt - ''' - old_umask = os.umask(0o77) - text = get_pem_entry(text, pem_type=pem_type) - _dhparams = '' - _private_key = '' - if pem_type and pem_type == 'CERTIFICATE' and os.path.isfile(path) and \ - not overwrite: - _filecontents = _text_or_file(path) - try: - _dhparams = get_pem_entry(_filecontents, 'DH PARAMETERS') - except salt.exceptions.SaltInvocationError: - pass - try: - _private_key = get_pem_entry(_filecontents, '(?:RSA )?PRIVATE KEY') - except salt.exceptions.SaltInvocationError: - pass - with salt.utils.files.fopen(path, 'w') as _fp: - if pem_type and pem_type == 'CERTIFICATE' and _private_key: - _fp.write(salt.utils.stringutils.to_str(_private_key)) - _fp.write(text) - if pem_type and pem_type == 'CERTIFICATE' and _dhparams: - _fp.write(salt.utils.stringutils.to_str(_dhparams)) - os.umask(old_umask) + salt '*' x509.write_pem "-----BEGIN CERTIFICATE-----MIIGMzCCBBugA..." 
path=/etc/pki/mycert.crt + ''' + with salt.utils.files.set_umask(0o077): + text = get_pem_entry(text, pem_type=pem_type) + _dhparams = '' + _private_key = '' + if pem_type and pem_type == 'CERTIFICATE' and os.path.isfile(path) and not overwrite: + _filecontents = _text_or_file(path) + try: + _dhparams = get_pem_entry(_filecontents, 'DH PARAMETERS') + except salt.exceptions.SaltInvocationError as err: + log.debug("Error when getting DH PARAMETERS: %s", err) + log.trace(err, exc_info=err) + try: + _private_key = get_pem_entry(_filecontents, '(?:RSA )?PRIVATE KEY') + except salt.exceptions.SaltInvocationError as err: + log.debug("Error when getting PRIVATE KEY: %s", err) + log.trace(err, exc_info=err) + with salt.utils.files.fopen(path, 'w') as _fp: + if pem_type and pem_type == 'CERTIFICATE' and _private_key: + _fp.write(salt.utils.stringutils.to_str(_private_key)) + _fp.write(salt.utils.stringutils.to_str(text)) + if pem_type and pem_type == 'CERTIFICATE' and _dhparams: + _fp.write(salt.utils.stringutils.to_str(_dhparams)) return 'PEM written to {0}'.format(path) @@ -1369,9 +1367,9 @@ def create_certificate( pem_type='CERTIFICATE REQUEST').replace('\n', '') if 'public_key' in kwargs: # Strip newlines to make passing through as cli functions easier - kwargs['public_key'] = get_public_key( + kwargs['public_key'] = salt.utils.stringutils.to_str(get_public_key( kwargs['public_key'], - passphrase=kwargs['public_key_passphrase']).replace('\n', '') + passphrase=kwargs['public_key_passphrase'])).replace('\n', '') # Remove system entries in kwargs # Including listen_in and preqreuired because they are not included 
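Review bot: In write_pem, `salt.utils.files.set_umask(0o077)` only restricts the mode when `fopen(path, 'w')` creates the file. If `path` already exists, which the `not overwrite` branch expects and where the file may hold a PRIVATE KEY, it is truncated and keeps its old mode, which may be group- or world-readable. Consider tightening it after the write, for example `os.chmod(path, 0o600)`, or state in the docstring that an existing file's permissions are left unchanged. Separately, `log.debug("Error when getting DH PARAMETERS: %s", err)` logs the exception text. get_pem_entry is not visible here, but if its message embeds the text it was given, the file contents including the private key would land in the debug log, so logging only the missing PEM type would be safer.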
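Review bot: In create_certificate only the `public_key` value is passed through `to_str`; the CSR value in the context line just above still ends in a bare `.replace('\n', '')` on what appears to be a get_pem_entry result. If get_pem_entry can return bytes on Python 3, as the `to_str` wrappers added in write_pem suggest, that branch has the same problem: either a TypeError from replacing str in bytes, or a `b''` string sent through publish. Wrapping it the same way, `salt.utils.stringutils.to_str(get_pem_entry(...)).replace('\n', '')`, would keep the two branches consistent. create_certificate starts and ends outside the hunk, so the csr branch is only partly visible.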
@@ -1767,13 +1765,13 @@ def verify_crl(crl, cert): crltext = _text_or_file(crl) crltext = get_pem_entry(crltext, pem_type='X509 CRL') crltempfile = tempfile.NamedTemporaryFile() - crltempfile.write(crltext) + crltempfile.write(salt.utils.stringutils.to_str(crltext)) crltempfile.flush() certtext = _text_or_file(cert) certtext = get_pem_entry(certtext, pem_type='CERTIFICATE') certtempfile = tempfile.NamedTemporaryFile() - certtempfile.write(certtext) + certtempfile.write(salt.utils.stringutils.to_str(certtext)) certtempfile.flush() cmd = ('openssl crl -noout -in {0} -CAfile {1}'.format( diff --git a/salt/states/x509.py b/salt/states/x509.py index 832f74168c..7bb941f393 100644 --- a/salt/states/x509.py +++ b/salt/states/x509.py @@ -545,7 +545,7 @@ def certificate_managed(name, if not private_ret['result']: return private_ret - file_args['contents'] += certificate + file_args['contents'] += salt.utils.stringutils.to_str(certificate) if not append_certs: append_certs = [] -- 2.18.0