From 30e4f083c98f93058c59f89e140819f7a3151f43 Mon Sep 17 00:00:00 2001 From: sarthurdev <965089+sarthurdev@users.noreply.github.com> Date: Thu, 1 Jul 2021 10:29:42 +0200 Subject: pki: ipsec: T3642: Update migration script to account for file permission issues --- src/migration-scripts/ipsec/6-to-7 | 84 ++++++++++++++++++++++++++------------ 1 file changed, 58 insertions(+), 26 deletions(-) (limited to 'src/migration-scripts') diff --git a/src/migration-scripts/ipsec/6-to-7 b/src/migration-scripts/ipsec/6-to-7 index 6655fba93..788a87095 100755 --- a/src/migration-scripts/ipsec/6-to-7 +++ b/src/migration-scripts/ipsec/6-to-7 @@ -27,6 +27,7 @@ from vyos.pki import load_crl from vyos.pki import load_private_key from vyos.pki import encode_certificate from vyos.pki import encode_private_key +from vyos.util import run if (len(argv) < 1): print("Must specify file name!") @@ -69,13 +70,21 @@ if config.exists(ipsec_site_base): cert_path = os.path.join(AUTH_DIR, cert_file) cert = None - with open(cert_path, 'r') as f: - cert_data = f.read() - cert = load_certificate(cert_data, wrap_tags=False) + if os.path.isfile(cert_path): + if not os.access(cert_path, os.R_OK): + run(f'sudo chmod 644 {cert_path}') + + with open(cert_path, 'r') as f: + cert_data = f.read() + cert = load_certificate(cert_data, wrap_tags=False) + + if cert: + cert_pem = encode_certificate(cert) + config.set(pki_base + ['certificate', pki_name, 'certificate'], value=wrapped_pem_to_config_value(cert_pem)) + config.set(peer_x509_base + ['certificate'], value=pki_name) + else: + print(f'Failed to migrate certificate on peer "{peer}"') - cert_pem = encode_certificate(cert) - config.set(pki_base + ['certificate', pki_name, 'certificate'], value=wrapped_pem_to_config_value(cert_pem)) - config.set(peer_x509_base + ['certificate'], value=pki_name) config.delete(peer_x509_base + ['cert-file']) if config.exists(peer_x509_base + ['ca-cert-file']): @@ -83,13 +92,21 @@ if config.exists(ipsec_site_base): ca_cert_path = os.path.join(AUTH_DIR, ca_cert_file) ca_cert = None - with open(ca_cert_path, 'r') as f: - ca_cert_data = f.read() - ca_cert = load_certificate(ca_cert_data, wrap_tags=False) + if os.path.isfile(ca_cert_path): + if not os.access(ca_cert_path, os.R_OK): + run(f'sudo chmod 644 {ca_cert_path}') + + with open(ca_cert_path, 'r') as f: + ca_cert_data = f.read() + ca_cert = load_certificate(ca_cert_data, wrap_tags=False) + + if ca_cert: + ca_cert_pem = encode_certificate(ca_cert) + config.set(pki_base + ['ca', pki_name, 'certificate'], value=wrapped_pem_to_config_value(ca_cert_pem)) + config.set(peer_x509_base + ['ca-certificate'], value=pki_name) + else: + print(f'Failed to migrate CA certificate on peer "{peer}"') - ca_cert_pem = encode_certificate(ca_cert) - config.set(pki_base + ['ca', pki_name, 'certificate'], value=wrapped_pem_to_config_value(ca_cert_pem)) - config.set(peer_x509_base + ['ca-certificate'], value=pki_name) config.delete(peer_x509_base + ['ca-cert-file']) if config.exists(peer_x509_base + ['crl-file']): @@ -97,12 +114,20 @@ if config.exists(ipsec_site_base): crl_path = os.path.join(AUTH_DIR, crl_file) crl = None - with open(crl_path, 'r') as f: - crl_data = f.read() - crl = load_crl(crl_data, wrap_tags=False) + if os.path.isfile(crl_path): + if not os.access(crl_path, os.R_OK): + run(f'sudo chmod 644 {crl_path}') - crl_pem = encode_certificate(crl) - config.set(pki_base + ['ca', pki_name, 'crl'], value=wrapped_pem_to_config_value(crl_pem)) + with open(crl_path, 'r') as f: + crl_data = f.read() + crl = load_crl(crl_data, wrap_tags=False) + + if crl: + crl_pem = encode_certificate(crl) + config.set(pki_base + ['ca', pki_name, 'crl'], value=wrapped_pem_to_config_value(crl_pem)) + else: + print(f'Failed to migrate CRL on peer "{peer}"') + config.delete(peer_x509_base + ['crl-file']) if config.exists(peer_x509_base + ['key', 'file']): @@ -115,17 +140,24 @@ if config.exists(ipsec_site_base): key_path = os.path.join(AUTH_DIR, key_file) key = None - with open(key_path, 'r') as f: - key_data = f.read() - key = load_private_key(key_data, passphrase=key_passphrase, wrap_tags=False) + if os.path.isfile(key_path): + if not os.access(key_path, os.R_OK): + run(f'sudo chmod 644 {key_path}') - key_pem = encode_private_key(key, passphrase=key_passphrase) - config.set(pki_base + ['certificate', pki_name, 'private', 'key'], value=wrapped_pem_to_config_value(key_pem)) + with open(key_path, 'r') as f: + key_data = f.read() + key = load_private_key(key_data, passphrase=key_passphrase, wrap_tags=False) - if key_passphrase: - config.set(pki_base + ['certificate', pki_name, 'private', 'password-protected']) - config.set(peer_x509_base + ['private-key-passphrase'], value=key_passphrase) - + if key: + key_pem = encode_private_key(key, passphrase=key_passphrase) + config.set(pki_base + ['certificate', pki_name, 'private', 'key'], value=wrapped_pem_to_config_value(key_pem)) + + if key_passphrase: + config.set(pki_base + ['certificate', pki_name, 'private', 'password-protected']) + config.set(peer_x509_base + ['private-key-passphrase'], value=key_passphrase) + else: + print(f'Failed to migrate private key on peer "{peer}"') + config.delete(peer_x509_base + ['key']) if changes_made: -- cgit v1.2.3