3
# Author: Mike Milner <mike.milner@canonical.com>
5
# This program is free software: you can redistribute it and/or modify
6
# it under the terms of the GNU General Public License version 3, as
7
# published by the Free Software Foundation.
9
# This program is distributed in the hope that it will be useful,
10
# but WITHOUT ANY WARRANTY; without even the implied warranty of
11
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12
# GNU General Public License for more details.
14
# You should have received a copy of the GNU General Public License
15
# along with this program. If not, see <http://www.gnu.org/licenses/>.
19
from cloudinit import util
21
CA_CERT_PATH = "/usr/share/ca-certificates/"
22
CA_CERT_FILENAME = "cloud-init-ca-certs.crt"
23
CA_CERT_CONFIG = "/etc/ca-certificates.conf"
24
CA_CERT_SYSTEM_PATH = "/etc/ssl/certs/"
26
distros = ['ubuntu', 'debian']
29
def update_ca_certs():
31
Updates the CA certificate cache on the current machine.
33
util.subp(["update-ca-certificates"], capture=False)
36
def add_ca_certs(paths, certs):
38
Adds certificates to the system. To actually apply the new certificates
39
you must also call L{update_ca_certs}.
41
@param certs: A list of certificate strings.
44
# First ensure they are strings...
45
cert_file_contents = "\n".join([str(c) for c in certs])
46
cert_file_fullpath = os.path.join(CA_CERT_PATH, CA_CERT_FILENAME)
47
cert_file_fullpath = paths.join(False, cert_file_fullpath)
48
util.write_file(cert_file_fullpath, cert_file_contents, mode=0644)
49
# Append cert filename to CA_CERT_CONFIG file.
50
util.write_file(paths.join(False, CA_CERT_CONFIG),
51
"\n%s" % CA_CERT_FILENAME, omode="ab")
54
def remove_default_ca_certs(paths):
56
Removes all default trusted CA certificates from the system. To actually
57
apply the change you must also call L{update_ca_certs}.
59
util.delete_dir_contents(paths.join(False, CA_CERT_PATH))
60
util.delete_dir_contents(paths.join(False, CA_CERT_SYSTEM_PATH))
61
util.write_file(paths.join(False, CA_CERT_CONFIG), "", mode=0644)
62
debconf_sel = "ca-certificates ca-certificates/trust_new_crts select no"
63
util.subp(('debconf-set-selections', '-'), debconf_sel)
66
def handle(name, cfg, cloud, log, _args):
68
Call to handle ca-cert sections in cloud-config file.
70
@param name: The module name "ca-cert" from cloud.cfg
71
@param cfg: A nested dict containing the entire cloud config contents.
72
@param cloud: The L{CloudInit} object in use.
73
@param log: Pre-initialized Python logger object to use for logging.
74
@param args: Any module arguments from cloud.cfg
76
# If there isn't a ca-certs section in the configuration don't do anything
77
if "ca-certs" not in cfg:
78
log.debug(("Skipping module named %s,"
79
" no 'ca-certs' key in configuration"), name)
82
ca_cert_cfg = cfg['ca-certs']
84
# If there is a remove-defaults option set to true, remove the system
85
# default trusted CA certs first.
86
if ca_cert_cfg.get("remove-defaults", False):
87
log.debug("Removing default certificates")
88
remove_default_ca_certs(cloud.paths)
90
# If we are given any new trusted CA certs to add, add them.
91
if "trusted" in ca_cert_cfg:
92
trusted_certs = util.get_cfg_option_list(ca_cert_cfg, "trusted")
94
log.debug("Adding %d certificates" % len(trusted_certs))
95
add_ca_certs(cloud.paths, trusted_certs)
97
# Update the system with the new cert configuration.
98
log.debug("Updating certificates")