Merge pull request #1244 from coreos-inc/enableaci

Add UI to the setup tool for enabling ACI conversion
2016-02-17 12:29:48 -05:00 · 2016-02-17 12:29:48 -05:00 · 11af123ba5
commit 11af123ba5
parent 04cd3c2f63 1940fd9939
11 changed files with 106 additions and 18 deletions
--- a/util/config/configutil.py
+++ b/util/config/configutil.py
@ -21,6 +21,14 @@ def add_enterprise_config_defaults(config_obj, current_secret_key, hostname):
  # Default features that are off.
  config_obj['FEATURE_MAILING'] = config_obj.get('FEATURE_MAILING', False)
  config_obj['FEATURE_BUILD_SUPPORT'] = config_obj.get('FEATURE_BUILD_SUPPORT', False)
+  config_obj['FEATURE_ACI_CONVERSION'] = config_obj.get('FEATURE_ACI_CONVERSION', True)
+
+  # Default the signer config.
+  config_obj['GPG2_PRIVATE_KEY_FILENAME'] = config_obj.get('GPG2_PRIVATE_KEY_FILENAME',
+                                                           'signing-private.gpg')
+  config_obj['GPG2_PUBLIC_KEY_FILENAME'] = config_obj.get('GPG2_PUBLIC_KEY_FILENAME',
+                                                          'signing-public.gpg')
+  config_obj['SIGNING_ENGINE'] = config_obj.get('SIGNING_ENGINE', 'gpg2')

  # Default auth type.
  if not 'AUTHENTICATION_TYPE' in config_obj:
--- a/util/config/validator.py
+++ b/util/config/validator.py
@ -6,6 +6,7 @@ import peewee
 import OpenSSL
 import logging

+from StringIO import StringIO
 from fnmatch import fnmatch
 from data.users.keystone import KeystoneUsers
 from data.users.externaljwt import ExternalJWTAuthN
@ -18,6 +19,7 @@ from storage import get_storage_driver
 from auth.auth_context import get_authenticated_user
 from util.config.oauth import GoogleOAuthConfig, GithubOAuthConfig, GitLabOAuthConfig
 from bitbucket import BitBucket
+from util.security.signing import SIGNING_ENGINES

 from app import app, config_provider, get_app_url, OVERRIDE_CONFIG_DIRECTORY

@ -27,8 +29,9 @@ logger = logging.getLogger(__name__)
 SSL_FILENAMES = ['ssl.cert', 'ssl.key']
 DB_SSL_FILENAMES = ['database.pem']
 JWT_FILENAMES = ['jwt-authn.cert']
+ACI_CERT_FILENAMES = ['signing-public.gpg', 'signing-private.gpg']

-CONFIG_FILENAMES = SSL_FILENAMES + DB_SSL_FILENAMES + JWT_FILENAMES
+CONFIG_FILENAMES = SSL_FILENAMES + DB_SSL_FILENAMES + JWT_FILENAMES + ACI_CERT_FILENAMES

 def get_storage_providers(config):
  storage_config = config.get('DISTRIBUTED_STORAGE_CONFIG', {})
@ -409,6 +412,18 @@ def _validate_keystone(config, password):
                     'OR Keystone auth is misconfigured.') % (username, err_msg))


+def _validate_signer(config, _):
+  """ Validates the GPG public+private key pair used for signing converted ACIs. """
+  if config.get('SIGNING_ENGINE') is None:
+    return
+
+  if config['SIGNING_ENGINE'] not in SIGNING_ENGINES:
+    raise Exception('Unknown signing engine: %s' % config['SIGNING_ENGINE'])
+
+  engine = SIGNING_ENGINES[config['SIGNING_ENGINE']](config, OVERRIDE_CONFIG_DIRECTORY)
+  engine.detached_sign(StringIO('test string'))
+
+
 _VALIDATORS = {
  'database': _validate_database,
  'redis': _validate_redis,
@ -423,4 +438,5 @@ _VALIDATORS = {
  'ldap': _validate_ldap,
  'jwt': _validate_jwt,
  'keystone': _validate_keystone,
+  'signer': _validate_signer,
 }