diff options
Diffstat (limited to 'cloudinit/config/ca_certs.py')
-rw-r--r-- | cloudinit/config/ca_certs.py | 99 |
1 files changed, 99 insertions, 0 deletions
diff --git a/cloudinit/config/ca_certs.py b/cloudinit/config/ca_certs.py new file mode 100644 index 00000000..56c41561 --- /dev/null +++ b/cloudinit/config/ca_certs.py @@ -0,0 +1,99 @@ +# vi: ts=4 expandtab +# +# Author: Mike Milner <mike.milner@canonical.com> +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 3, as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import os + +from cloudinit import util + +CA_CERT_PATH = "/usr/share/ca-certificates/" +CA_CERT_FILENAME = "cloud-init-ca-certs.crt" +CA_CERT_CONFIG = "/etc/ca-certificates.conf" +CA_CERT_SYSTEM_PATH = "/etc/ssl/certs/" + +distros = ['ubuntu'] + + +def update_ca_certs(): + """ + Updates the CA certificate cache on the current machine. + """ + util.subp(["update-ca-certificates"]) + + +def add_ca_certs(cloud, certs): + """ + Adds certificates to the system. To actually apply the new certificates + you must also call L{update_ca_certs}. + + @param certs: A list of certificate strings. + """ + if certs: + # First ensure they are strings... + cert_file_contents = "\n".join([str(c) for c in certs]) + cert_file_fullpath = os.path.join(CA_CERT_PATH, CA_CERT_FILENAME) + cert_file_fullpath = cloud.paths.join(False, cert_file_fullpath) + util.write_file(cert_file_fullpath, cert_file_contents, mode=0644) + # Append cert filename to CA_CERT_CONFIG file. + util.write_file(cloud.paths.join(False, CA_CERT_CONFIG), + "\n%s" % CA_CERT_FILENAME, omode="ab") + + +def remove_default_ca_certs(cloud): + """ + Removes all default trusted CA certificates from the system. To actually + apply the change you must also call L{update_ca_certs}. + """ + util.delete_dir_contents(cloud.paths.join(False, CA_CERT_PATH)) + util.delete_dir_contents(cloud.paths.join(False, CA_CERT_SYSTEM_PATH)) + util.write_file(cloud.paths.join(False, CA_CERT_CONFIG), "", mode=0644) + debconf_sel = "ca-certificates ca-certificates/trust_new_crts select no" + util.subp(('debconf-set-selections', '-'), debconf_sel) + + +def handle(name, cfg, cloud, log, _args): + """ + Call to handle ca-cert sections in cloud-config file. + + @param name: The module name "ca-cert" from cloud.cfg + @param cfg: A nested dict containing the entire cloud config contents. + @param cloud: The L{CloudInit} object in use. + @param log: Pre-initialized Python logger object to use for logging. + @param args: Any module arguments from cloud.cfg + """ + # If there isn't a ca-certs section in the configuration don't do anything + if "ca-certs" not in cfg: + log.debug(("Skipping transform named %s," + " no 'ca-certs' key in configuration"), name) + return + + ca_cert_cfg = cfg['ca-certs'] + + # If there is a remove-defaults option set to true, remove the system + # default trusted CA certs first. + if ca_cert_cfg.get("remove-defaults", False): + log.debug("Removing default certificates") + remove_default_ca_certs(cloud) + + # If we are given any new trusted CA certs to add, add them. + if "trusted" in ca_cert_cfg: + trusted_certs = util.get_cfg_option_list(ca_cert_cfg, "trusted") + if trusted_certs: + log.debug("Adding %d certificates" % len(trusted_certs)) + add_ca_certs(cloud, trusted_certs) + + # Update the system with the new cert configuration. + log.debug("Updating certificates") + update_ca_certs() |