~1chb1n/charms/trusty/keystone/kilo-support


Viewing changes to hooks/keystone_context.py

[hopem,r=gnuoy] Fixes single unit SSL.

 
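--- a/hooks/keystone_context.py
+++ b/hooks/keystone_context.py
@@ -1,8 +1,13 @@
+import hashlib
 import os
 
 from charmhelpers.core.hookenv import config
 
-from charmhelpers.core.host import mkdir, write_file
+from charmhelpers.core.host import (
+    mkdir,
+    write_file,
+    service_restart,
+)
 
 from charmhelpers.contrib.openstack import context
 
@@ -29,9 +34,31 @@
 
     def __call__(self):
         # late import to work around circular dependency
-        from keystone_utils import determine_ports
+        from keystone_utils import (
+            determine_ports,
+            update_hash_from_path,
+        )
+
+        ssl_paths = [CA_CERT_PATH,
+                     os.path.join('/etc/apache2/ssl/',
+                                  self.service_namespace)]
+
         self.external_ports = determine_ports()
-        return super(ApacheSSLContext, self).__call__()
+        before = hashlib.sha256()
+        for path in ssl_paths:
+            update_hash_from_path(before, path)
+
+        ret = super(ApacheSSLContext, self).__call__()
+
+        after = hashlib.sha256()
+        for path in ssl_paths:
+            update_hash_from_path(after, path)
+
+        # Ensure that apache2 is restarted if these change
+        if before.hexdigest() != after.hexdigest():
+            service_restart('apache2')
+
+        return ret
 
     def configure_cert(self, cn):
         from keystone_utils import (
@@ -39,8 +66,13 @@
             get_ca,
             ensure_permissions,
             is_ssl_cert_master,
+            is_ssl_enabled,
         )
 
+        if not is_ssl_enabled():
+            return
+
+        # Ensure ssl dir exists whether master or not
         ssl_dir = os.path.join('/etc/apache2/ssl/', self.service_namespace)
         perms = 0o755
         mkdir(path=ssl_dir, owner=SSH_USER, group='keystone', perms=perms)
@@ -49,8 +81,8 @@
                            perms=perms)
 
         if not is_ssl_cert_master():
-            log("Not ssl-cert-master - skipping apache cert config",
-                level=INFO)
+            log("Not ssl-cert-master - skipping apache cert config until "
+                "master is elected", level=INFO)
             return
 
         log("Creating apache ssl certs in %s" % (ssl_dir), level=INFO)
@@ -68,11 +100,15 @@
             get_ca,
             ensure_permissions,
             is_ssl_cert_master,
+            is_ssl_enabled,
         )
 
+        if not is_ssl_enabled():
+            return
+
         if not is_ssl_cert_master():
-            log("Not ssl-cert-master - skipping apache cert config",
-                level=INFO)
+            log("Not ssl-cert-master - skipping apache ca config until "
+                "master is elected", level=INFO)
             return
 
         ca = get_ca(user=SSH_USER)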
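Review bot: In `ApacheSSLContext.__call__` the result of `service_restart('apache2')` is discarded, so if the restart fails after the material under `ssl_paths` changed, the hook carries on and apache2 may keep serving the previous certificate, or stay down, with nothing in the log. charmhelpers' `service_restart` reports success as a boolean, so the failure can be surfaced with `if not service_restart('apache2'): log("apache2 restart failed after SSL cert/CA change", level=INFO)`; `log` and `INFO` are already used in `configure_cert` further down. `update_hash_from_path` is defined in keystone_utils and is not shown on this page, so it is worth confirming that it tolerates a path that does not exist yet: the `before` digest is taken ahead of the parent `__call__`, which is presumably where the ssl directory first gets created. The `/etc/apache2/ssl/<service_namespace>` path is also now built in both `__call__` and `configure_cert`; a single helper or attribute would keep the hashed path and the written path from drifting apart.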