From eea65faf117d6d3e8566d419477e7e54209100c1 Mon Sep 17 00:00:00 2001 From: Mike Milner Date: Thu, 12 Jan 2012 14:17:50 +0100 Subject: Initial work on trusted CA cert handling. --- cloudinit/CloudConfig/cc_ca_certs.py | 38 ++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 cloudinit/CloudConfig/cc_ca_certs.py diff --git a/cloudinit/CloudConfig/cc_ca_certs.py b/cloudinit/CloudConfig/cc_ca_certs.py new file mode 100644 index 00000000..1c866f12 --- /dev/null +++ b/cloudinit/CloudConfig/cc_ca_certs.py @@ -0,0 +1,38 @@ +# vi: ts=4 expandtab +# +# Author: Mike Milner +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 3, as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +import os +import pwd +import socket +import subprocess +import json +import StringIO +import ConfigParser +import cloudinit.CloudConfig as cc +import cloudinit.util as util + +def handle(name, cfg, cloud, log, args): + # If there isn't a chef key in the configuration don't do anything + if not cfg.has_key('ca-certs'): + return + ca_cert_cfg = cfg['ca-certs'] + + # set the validation key based on the presence of either 'validation_key' + # or 'validation_cert'. In the case where both exist, 'validation_key' + # takes precedence + if ca_cert_cfg.has_key('trusted'): + trusted_certs = util.get_cfg_option_str(chef_cfg, 'trusted') + with open('/etc/cert.pem', 'w') as cert_file: + cert_file.write(trusted_certs) -- cgit v1.2.3 From 581be44da04ccfff8750b145efedf34f08ed02ac Mon Sep 17 00:00:00 2001 From: Mike Milner Date: Thu, 12 Jan 2012 18:51:19 +0100 Subject: Add some tests for get_cfg_option_list_or_str. --- tests/unittests/test_util.py | 28 +++++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/tests/unittests/test_util.py b/tests/unittests/test_util.py index 34a073d9..ba15e44d 100644 --- a/tests/unittests/test_util.py +++ b/tests/unittests/test_util.py @@ -1,6 +1,6 @@ from unittest import TestCase -from cloudinit.util import mergedict +from cloudinit.util import mergedict, get_cfg_option_list_or_str class TestMergeDict(TestCase): def test_simple_merge(self): @@ -51,3 +51,29 @@ class TestMergeDict(TestCase): candidate = "candidate" result = mergedict(source, candidate) self.assertEqual(source, result) + +class TestGetCfgOptionListOrStr(TestCase): + def test_not_found_no_default(self): + config = {} + result = get_cfg_option_list_or_str(config, "key") + self.assertIsNone(result) + + def test_not_found_with_default(self): + config = {} + result = get_cfg_option_list_or_str(config, "key", default=["DEFAULT"]) + self.assertEqual(["DEFAULT"], result) + + def test_found_with_default(self): + config = {"key": ["value1"]} + result = get_cfg_option_list_or_str(config, "key", default=["DEFAULT"]) + self.assertEqual(["value1"], result) + + def test_found_convert_to_list(self): + config = {"key": "value1"} + result = get_cfg_option_list_or_str(config, "key") + self.assertEqual(["value1"], result) + + def test_value_is_none(self): + config = {"key": None} + result = get_cfg_option_list_or_str(config, "key") + self.assertEqual([], result) -- cgit v1.2.3 From fb0ff769bdce25497949770d392f43b2888a732b Mon Sep 17 00:00:00 2001 From: Mike Milner Date: Thu, 12 Jan 2012 18:51:48 +0100 Subject: Add tests for ca-certs handler. --- cloudinit/CloudConfig/cc_ca_certs.py | 21 +++++++++-- debian.trunk/control | 1 + tests/unittests/test_handler_ca_certs.py | 64 ++++++++++++++++++++++++++++++++ 3 files changed, 82 insertions(+), 4 deletions(-) create mode 100644 tests/unittests/test_handler_ca_certs.py diff --git a/cloudinit/CloudConfig/cc_ca_certs.py b/cloudinit/CloudConfig/cc_ca_certs.py index 1c866f12..e2110890 100644 --- a/cloudinit/CloudConfig/cc_ca_certs.py +++ b/cloudinit/CloudConfig/cc_ca_certs.py @@ -23,8 +23,20 @@ import ConfigParser import cloudinit.CloudConfig as cc import cloudinit.util as util +CERT_FILENAME = "/usr/share/ca-certificates/cloud-init-provided.crt" + +def write_file(filename, contents, owner, group, mode): + raise Exception() + def handle(name, cfg, cloud, log, args): - # If there isn't a chef key in the configuration don't do anything + """ + @param name: The module name "ca-cert" from cloud.cfg + @param cfg: A nested dict containing the entire cloud config contents. + @param cloud: The L{CloudInit} object in use + @param log: Pre-initialized Python logger object to use for logging + @param args: Any module arguments from cloud.cfg + """ + # If there isn't a ca-certs section in the configuration don't do anything if not cfg.has_key('ca-certs'): return ca_cert_cfg = cfg['ca-certs'] @@ -33,6 +45,7 @@ def handle(name, cfg, cloud, log, args): # or 'validation_cert'. In the case where both exist, 'validation_key' # takes precedence if ca_cert_cfg.has_key('trusted'): - trusted_certs = util.get_cfg_option_str(chef_cfg, 'trusted') - with open('/etc/cert.pem', 'w') as cert_file: - cert_file.write(trusted_certs) + trusted_certs = util.get_cfg_option_list_or_str(ca_cert_cfg, 'trusted') + if trusted_certs: + cert_file_contents = "\n".join(trusted_certs) + write_file(CERT_FILENAME, cert_file_contents, "root", "root", "644") diff --git a/debian.trunk/control b/debian.trunk/control index c877f673..eef3cd1d 100644 --- a/debian.trunk/control +++ b/debian.trunk/control @@ -8,6 +8,7 @@ Build-Depends: cdbs, python-nose, pyflakes, pylint, + python-mocker, XS-Python-Version: all Standards-Version: 3.9.1 diff --git a/tests/unittests/test_handler_ca_certs.py b/tests/unittests/test_handler_ca_certs.py new file mode 100644 index 00000000..21eddf18 --- /dev/null +++ b/tests/unittests/test_handler_ca_certs.py @@ -0,0 +1,64 @@ +from unittest import TestCase +from mocker import MockerTestCase + +from cloudinit.CloudConfig.cc_ca_certs import handle, write_file + +class TestAddCaCerts(MockerTestCase): + def setUp(self): + super(TestAddCaCerts, self).setUp() + self.name = "ca-certs" + self.cloud_init = None + self.log = None + self.args = [] + + def test_no_config(self): + """Test that no certificate are written if not provided.""" + config = {"unknown-key": "value"} + + mock = self.mocker.replace(write_file, passthrough=False) + self.mocker.replay() + + handle(self.name, config, self.cloud_init, self.log, self.args) + + def test_no_trusted_list(self): + """Test that no certificate are written if not provided.""" + config = {"ca-certs": {}} + + mock = self.mocker.replace(write_file, passthrough=False) + self.mocker.replay() + + handle(self.name, config, self.cloud_init, self.log, self.args) + + def test_no_certs_in_list(self): + """Test that no certificate are written if not provided.""" + config = {"ca-certs": {"trusted": []}} + + mock = self.mocker.replace(write_file, passthrough=False) + self.mocker.replay() + + handle(self.name, config, self.cloud_init, self.log, self.args) + + def test_single_cert(self): + """Test adding a single certificate to the trusted CAs""" + cert = "CERT1\nLINE2\nLINE3" + config = {"ca-certs": {"trusted": cert}} + + mock = self.mocker.replace(write_file, passthrough=False) + mock("/usr/share/ca-certificates/cloud-init-provided.crt", + cert, "root", "root", "644") + self.mocker.replay() + + handle(self.name, config, self.cloud_init, self.log, self.args) + + def test_multiple_certs(self): + """Test adding multiple certificate to the trusted CAs""" + certs = ["CERT1\nLINE2\nLINE3", "CERT2\nLINE2\nLINE3"] + cert_file = "\n".join(certs) + config = {"ca-certs": {"trusted": certs}} + + mock = self.mocker.replace(write_file, passthrough=False) + mock("/usr/share/ca-certificates/cloud-init-provided.crt", + cert_file, "root", "root", "644") + self.mocker.replay() + + handle(self.name, config, self.cloud_init, self.log, self.args) -- cgit v1.2.3 From a717e4f8b9210374edcc9053ca6ff980cb0cefff Mon Sep 17 00:00:00 2001 From: Mike Milner Date: Thu, 12 Jan 2012 19:28:09 +0100 Subject: Add ability to rebuild CA certificate file. --- cloudinit/CloudConfig/cc_ca_certs.py | 25 +++++++++++++++++++-- tests/unittests/test_handler_ca_certs.py | 37 +++++++++++++++++++++++++++----- 2 files changed, 55 insertions(+), 7 deletions(-) diff --git a/cloudinit/CloudConfig/cc_ca_certs.py b/cloudinit/CloudConfig/cc_ca_certs.py index e2110890..81ed7237 100644 --- a/cloudinit/CloudConfig/cc_ca_certs.py +++ b/cloudinit/CloudConfig/cc_ca_certs.py @@ -16,7 +16,7 @@ import os import pwd import socket -import subprocess +from subprocess import check_call import json import StringIO import ConfigParser @@ -26,10 +26,29 @@ import cloudinit.util as util CERT_FILENAME = "/usr/share/ca-certificates/cloud-init-provided.crt" def write_file(filename, contents, owner, group, mode): - raise Exception() + """ + Write a file to disk with specified owner, group, and mode. If the file + exists already it will be overwritten. + + @param filename: Full path to the new file. + @param contents: The contents of the newly created file. + @param owner: The username who should own the file. + @param group: The group for the new file. + @param mode: The octal mode (as string) for the new file. + """ + raise NotImplementedError() + +def update_ca_certs(): + """ + Updates the CA certificate cache on the current machine. + """ + check_call(["dpkg-reconfigure", "ca-certificates"]) + check_call(["update-ca-certificates"]) def handle(name, cfg, cloud, log, args): """ + Call to handle ca-cert sections in cloud-config file. + @param name: The module name "ca-cert" from cloud.cfg @param cfg: A nested dict containing the entire cloud config contents. @param cloud: The L{CloudInit} object in use @@ -49,3 +68,5 @@ def handle(name, cfg, cloud, log, args): if trusted_certs: cert_file_contents = "\n".join(trusted_certs) write_file(CERT_FILENAME, cert_file_contents, "root", "root", "644") + + update_ca_certs() diff --git a/tests/unittests/test_handler_ca_certs.py b/tests/unittests/test_handler_ca_certs.py index 21eddf18..254c8727 100644 --- a/tests/unittests/test_handler_ca_certs.py +++ b/tests/unittests/test_handler_ca_certs.py @@ -1,25 +1,42 @@ from unittest import TestCase from mocker import MockerTestCase -from cloudinit.CloudConfig.cc_ca_certs import handle, write_file +from cloudinit.CloudConfig.cc_ca_certs import handle, write_file, update_ca_certs -class TestAddCaCerts(MockerTestCase): +class TestNoConfig(MockerTestCase): def setUp(self): - super(TestAddCaCerts, self).setUp() + super(TestNoConfig, self).setUp() self.name = "ca-certs" self.cloud_init = None self.log = None self.args = [] def test_no_config(self): - """Test that no certificate are written if not provided.""" + """ + Test that nothing is done if no ca-certs configuration is provided. + """ config = {"unknown-key": "value"} - mock = self.mocker.replace(write_file, passthrough=False) + self.mocker.replace(write_file, passthrough=False) + self.mocker.replace(update_ca_certs, passthrough=False) self.mocker.replay() handle(self.name, config, self.cloud_init, self.log, self.args) + +class TestAddCaCerts(MockerTestCase): + def setUp(self): + super(TestAddCaCerts, self).setUp() + self.name = "ca-certs" + self.cloud_init = None + self.log = None + self.args = [] + + # The config option is present for all these tests so + # update_ca_certs should always be called. + mock = self.mocker.replace(update_ca_certs, passthrough=False) + mock() + def test_no_trusted_list(self): """Test that no certificate are written if not provided.""" config = {"ca-certs": {}} @@ -62,3 +79,13 @@ class TestAddCaCerts(MockerTestCase): self.mocker.replay() handle(self.name, config, self.cloud_init, self.log, self.args) + +class TestUpdateCaCerts(MockerTestCase): + def test_commands(self): + mock_check_call = self.mocker.replace("subprocess.check_call", + passthrough=False) + mock_check_call(["dpkg-reconfigure", "ca-certificates"]) + mock_check_call(["update-ca-certificates"]) + self.mocker.replay() + + update_ca_certs() -- cgit v1.2.3 From 094e915e91186401ebc7c97564917334faade150 Mon Sep 17 00:00:00 2001 From: Mike Milner Date: Sat, 14 Jan 2012 10:49:09 +0000 Subject: Factor out writing of certificates. --- cloudinit/CloudConfig/cc_ca_certs.py | 15 ++++++++++++--- tests/unittests/test_handler_ca_certs.py | 22 ++++++++++------------ 2 files changed, 22 insertions(+), 15 deletions(-) diff --git a/cloudinit/CloudConfig/cc_ca_certs.py b/cloudinit/CloudConfig/cc_ca_certs.py index 81ed7237..07074e2f 100644 --- a/cloudinit/CloudConfig/cc_ca_certs.py +++ b/cloudinit/CloudConfig/cc_ca_certs.py @@ -45,6 +45,17 @@ def update_ca_certs(): check_call(["dpkg-reconfigure", "ca-certificates"]) check_call(["update-ca-certificates"]) +def add_ca_certs(certs): + """ + Adds certificates to the system. To actually apply the new certificates + you must also call L{update_ca_certs}. + + @param certs: A list of certificate strings. + """ + if certs: + cert_file_contents = "\n".join(certs) + write_file(CERT_FILENAME, cert_file_contents, "root", "root", "644") + def handle(name, cfg, cloud, log, args): """ Call to handle ca-cert sections in cloud-config file. @@ -66,7 +77,5 @@ def handle(name, cfg, cloud, log, args): if ca_cert_cfg.has_key('trusted'): trusted_certs = util.get_cfg_option_list_or_str(ca_cert_cfg, 'trusted') if trusted_certs: - cert_file_contents = "\n".join(trusted_certs) - write_file(CERT_FILENAME, cert_file_contents, "root", "root", "644") - + add_ca_certs(trusted_certs) update_ca_certs() diff --git a/tests/unittests/test_handler_ca_certs.py b/tests/unittests/test_handler_ca_certs.py index 254c8727..7c0197ed 100644 --- a/tests/unittests/test_handler_ca_certs.py +++ b/tests/unittests/test_handler_ca_certs.py @@ -1,7 +1,7 @@ from unittest import TestCase from mocker import MockerTestCase -from cloudinit.CloudConfig.cc_ca_certs import handle, write_file, update_ca_certs +from cloudinit.CloudConfig.cc_ca_certs import handle, write_file, update_ca_certs, add_ca_certs class TestNoConfig(MockerTestCase): def setUp(self): @@ -24,9 +24,9 @@ class TestNoConfig(MockerTestCase): handle(self.name, config, self.cloud_init, self.log, self.args) -class TestAddCaCerts(MockerTestCase): +class TestConfig(MockerTestCase): def setUp(self): - super(TestAddCaCerts, self).setUp() + super(TestConfig, self).setUp() self.name = "ca-certs" self.cloud_init = None self.log = None @@ -46,39 +46,37 @@ class TestAddCaCerts(MockerTestCase): handle(self.name, config, self.cloud_init, self.log, self.args) + +class TestAddCaCerts(MockerTestCase): def test_no_certs_in_list(self): """Test that no certificate are written if not provided.""" - config = {"ca-certs": {"trusted": []}} - mock = self.mocker.replace(write_file, passthrough=False) self.mocker.replay() - handle(self.name, config, self.cloud_init, self.log, self.args) + add_ca_certs([]) def test_single_cert(self): """Test adding a single certificate to the trusted CAs""" cert = "CERT1\nLINE2\nLINE3" - config = {"ca-certs": {"trusted": cert}} mock = self.mocker.replace(write_file, passthrough=False) mock("/usr/share/ca-certificates/cloud-init-provided.crt", cert, "root", "root", "644") self.mocker.replay() - handle(self.name, config, self.cloud_init, self.log, self.args) + add_ca_certs([cert]) def test_multiple_certs(self): """Test adding multiple certificate to the trusted CAs""" certs = ["CERT1\nLINE2\nLINE3", "CERT2\nLINE2\nLINE3"] - cert_file = "\n".join(certs) - config = {"ca-certs": {"trusted": certs}} + expected_cert_file = "\n".join(certs) mock = self.mocker.replace(write_file, passthrough=False) mock("/usr/share/ca-certificates/cloud-init-provided.crt", - cert_file, "root", "root", "644") + expected_cert_file, "root", "root", "644") self.mocker.replay() - handle(self.name, config, self.cloud_init, self.log, self.args) + add_ca_certs(certs) class TestUpdateCaCerts(MockerTestCase): def test_commands(self): -- cgit v1.2.3 From 667a3da2be1c6351496d3584ee658d58f479f4b0 Mon Sep 17 00:00:00 2001 From: Mike Milner Date: Sat, 14 Jan 2012 12:22:27 -0400 Subject: Handle config flag for removing default trusted CAs. --- cloudinit/CloudConfig/cc_ca_certs.py | 9 ++++ tests/unittests/test_handler_ca_certs.py | 93 +++++++++++++++++++++++++++++--- 2 files changed, 95 insertions(+), 7 deletions(-) diff --git a/cloudinit/CloudConfig/cc_ca_certs.py b/cloudinit/CloudConfig/cc_ca_certs.py index 07074e2f..a51dbe9f 100644 --- a/cloudinit/CloudConfig/cc_ca_certs.py +++ b/cloudinit/CloudConfig/cc_ca_certs.py @@ -56,6 +56,12 @@ def add_ca_certs(certs): cert_file_contents = "\n".join(certs) write_file(CERT_FILENAME, cert_file_contents, "root", "root", "644") +def remove_default_ca_certs(): + """ + Removes all default trusted CA certificates from the system. + """ + raise NotImplementedError() + def handle(name, cfg, cloud, log, args): """ Call to handle ca-cert sections in cloud-config file. @@ -71,6 +77,9 @@ def handle(name, cfg, cloud, log, args): return ca_cert_cfg = cfg['ca-certs'] + if ca_cert_cfg.get("remove-defaults", False): + remove_default_ca_certs() + # set the validation key based on the presence of either 'validation_key' # or 'validation_cert'. In the case where both exist, 'validation_key' # takes precedence diff --git a/tests/unittests/test_handler_ca_certs.py b/tests/unittests/test_handler_ca_certs.py index 7c0197ed..08126d19 100644 --- a/tests/unittests/test_handler_ca_certs.py +++ b/tests/unittests/test_handler_ca_certs.py @@ -1,7 +1,8 @@ from unittest import TestCase from mocker import MockerTestCase -from cloudinit.CloudConfig.cc_ca_certs import handle, write_file, update_ca_certs, add_ca_certs +from cloudinit.CloudConfig.cc_ca_certs import handle, write_file, update_ca_certs, add_ca_certs, remove_default_ca_certs + class TestNoConfig(MockerTestCase): def setUp(self): @@ -32,16 +33,82 @@ class TestConfig(MockerTestCase): self.log = None self.args = [] - # The config option is present for all these tests so - # update_ca_certs should always be called. - mock = self.mocker.replace(update_ca_certs, passthrough=False) - mock() + # Mock out the functions that actually modify the system + self.mock_add = self.mocker.replace(add_ca_certs, passthrough=False) + self.mock_update = self.mocker.replace(update_ca_certs, passthrough=False) + self.mock_remove = self.mocker.replace(remove_default_ca_certs, passthrough=False) + # Order must be correct + self.mocker.order() def test_no_trusted_list(self): - """Test that no certificate are written if not provided.""" + """ + Test that no certificates are written if the 'trusted' key is not + present. + """ config = {"ca-certs": {}} - mock = self.mocker.replace(write_file, passthrough=False) + # No functions should be called + self.mock_update() + self.mocker.replay() + + handle(self.name, config, self.cloud_init, self.log, self.args) + + def test_empty_trusted_list(self): + """Test that no certificate are written if 'trusted' list is empty""" + config = {"ca-certs": {"trusted": []}} + + # No functions should be called + self.mock_update() + self.mocker.replay() + + handle(self.name, config, self.cloud_init, self.log, self.args) + + def test_single_trusted(self): + """Test that a single cert gets passed to add_ca_certs""" + config = {"ca-certs": {"trusted": ["CERT1"]}} + + self.mock_add(["CERT1"]) + self.mock_update() + self.mocker.replay() + + handle(self.name, config, self.cloud_init, self.log, self.args) + + def test_multiple_trusted(self): + """Test that multiple certs get passed to add_ca_certs""" + config = {"ca-certs": {"trusted": ["CERT1", "CERT2"]}} + + self.mock_add(["CERT1", "CERT2"]) + self.mock_update() + self.mocker.replay() + + handle(self.name, config, self.cloud_init, self.log, self.args) + + def test_remove_default_ca_certs(self): + """Test remove_defaults works as expected""" + config = {"ca-certs": {"remove-defaults": True}} + + self.mock_remove() + self.mock_update() + self.mocker.replay() + + handle(self.name, config, self.cloud_init, self.log, self.args) + + def test_no_remove_defaults_if_false(self): + """Test remove_defaults is not called when config value is False""" + config = {"ca-certs": {"remove-defaults": False}} + + self.mock_update() + self.mocker.replay() + + handle(self.name, config, self.cloud_init, self.log, self.args) + + def test_correct_order_for_remove_then_add(self): + """Test remove_defaults is not called when config value is False""" + config = {"ca-certs": {"remove-defaults": True, "trusted": ["CERT1"]}} + + self.mock_remove() + self.mock_add(["CERT1"]) + self.mock_update() self.mocker.replay() handle(self.name, config, self.cloud_init, self.log, self.args) @@ -78,6 +145,7 @@ class TestAddCaCerts(MockerTestCase): add_ca_certs(certs) + class TestUpdateCaCerts(MockerTestCase): def test_commands(self): mock_check_call = self.mocker.replace("subprocess.check_call", @@ -87,3 +155,14 @@ class TestUpdateCaCerts(MockerTestCase): self.mocker.replay() update_ca_certs() + + +#class TestRemoveDefaultCaCerts(MockerTestCase): +# def test_commands(self): +# mock_check_call = self.mocker.replace("subprocess.check_call", +# passthrough=False) +# mock_check_call(["dpkg-reconfigure", "ca-certificates"]) +# mock_check_call(["update-ca-certificates"]) +# self.mocker.replay() +# +# update_ca_certs() -- cgit v1.2.3 From db55fc96f62258598cfdf98ee806151aa0fb2d6d Mon Sep 17 00:00:00 2001 From: Mike Milner Date: Sun, 15 Jan 2012 22:17:25 -0400 Subject: Added function for deleting default trusted CA certs. --- cloudinit/CloudConfig/cc_ca_certs.py | 33 ++++++++++++++++++++++---- tests/unittests/test_handler_ca_certs.py | 40 ++++++++++++++++++-------------- 2 files changed, 52 insertions(+), 21 deletions(-) diff --git a/cloudinit/CloudConfig/cc_ca_certs.py b/cloudinit/CloudConfig/cc_ca_certs.py index a51dbe9f..b2ac7d60 100644 --- a/cloudinit/CloudConfig/cc_ca_certs.py +++ b/cloudinit/CloudConfig/cc_ca_certs.py @@ -23,7 +23,10 @@ import ConfigParser import cloudinit.CloudConfig as cc import cloudinit.util as util -CERT_FILENAME = "/usr/share/ca-certificates/cloud-init-provided.crt" +CA_CERT_PATH = "/usr/share/ca-certificates/" +CA_CERT_FILENAME = "cloud-init-ca-certs.crt" +CA_CERT_CONFIG = "/etc/ca-certificates.conf" +CA_CERT_SYSTEM_PATH = "/etc/ssl/certs/" def write_file(filename, contents, owner, group, mode): """ @@ -38,11 +41,29 @@ def write_file(filename, contents, owner, group, mode): """ raise NotImplementedError() +def append_to_file(filename, contents): + """ + Append C{contents} to an existing file on the filesystem. If the file + doesn't exist it will be created with the default owner and permissions. + + @param filename: Full path to the new file. + @param contents: The contents to append to the file. + """ + raise NotImplementedError() + +def delete_dir_contents(dirname): + """ + Delete all the contents of the directory specified by C{dirname} without + deleting the directory itself. + + @param dirname: The directory whose contents should be deleted. + """ + raise NotImplementedError() + def update_ca_certs(): """ Updates the CA certificate cache on the current machine. """ - check_call(["dpkg-reconfigure", "ca-certificates"]) check_call(["update-ca-certificates"]) def add_ca_certs(certs): @@ -54,13 +75,17 @@ def add_ca_certs(certs): """ if certs: cert_file_contents = "\n".join(certs) - write_file(CERT_FILENAME, cert_file_contents, "root", "root", "644") + cert_file_fullpath = os.path.join(CA_CERT_PATH, CA_CERT_FILENAME) + write_file(cert_file_fullpath, cert_file_contents, "root", "root", "644") + append_to_file(CA_CERT_CONFIG, CA_CERT_FILENAME) def remove_default_ca_certs(): """ Removes all default trusted CA certificates from the system. """ - raise NotImplementedError() + delete_dir_contents(CA_CERT_PATH) + delete_dir_contents(CA_CERT_SYSTEM_PATH) + write_file(CA_CERT_CONFIG, "", "root", "root", "644") def handle(name, cfg, cloud, log, args): """ diff --git a/tests/unittests/test_handler_ca_certs.py b/tests/unittests/test_handler_ca_certs.py index 08126d19..7c6dc873 100644 --- a/tests/unittests/test_handler_ca_certs.py +++ b/tests/unittests/test_handler_ca_certs.py @@ -1,7 +1,7 @@ from unittest import TestCase from mocker import MockerTestCase -from cloudinit.CloudConfig.cc_ca_certs import handle, write_file, update_ca_certs, add_ca_certs, remove_default_ca_certs +from cloudinit.CloudConfig.cc_ca_certs import handle, write_file, update_ca_certs, add_ca_certs, remove_default_ca_certs, append_to_file, delete_dir_contents class TestNoConfig(MockerTestCase): @@ -126,9 +126,11 @@ class TestAddCaCerts(MockerTestCase): """Test adding a single certificate to the trusted CAs""" cert = "CERT1\nLINE2\nLINE3" - mock = self.mocker.replace(write_file, passthrough=False) - mock("/usr/share/ca-certificates/cloud-init-provided.crt", - cert, "root", "root", "644") + mock_write = self.mocker.replace(write_file, passthrough=False) + mock_append = self.mocker.replace(append_to_file, passthrough=False) + mock_write("/usr/share/ca-certificates/cloud-init-ca-certs.crt", + cert, "root", "root", "644") + mock_append("/etc/ca-certificates.conf", "cloud-init-ca-certs.crt") self.mocker.replay() add_ca_certs([cert]) @@ -138,9 +140,11 @@ class TestAddCaCerts(MockerTestCase): certs = ["CERT1\nLINE2\nLINE3", "CERT2\nLINE2\nLINE3"] expected_cert_file = "\n".join(certs) - mock = self.mocker.replace(write_file, passthrough=False) - mock("/usr/share/ca-certificates/cloud-init-provided.crt", - expected_cert_file, "root", "root", "644") + mock_write = self.mocker.replace(write_file, passthrough=False) + mock_append = self.mocker.replace(append_to_file, passthrough=False) + mock_write("/usr/share/ca-certificates/cloud-init-ca-certs.crt", + expected_cert_file, "root", "root", "644") + mock_append("/etc/ca-certificates.conf", "cloud-init-ca-certs.crt") self.mocker.replay() add_ca_certs(certs) @@ -150,19 +154,21 @@ class TestUpdateCaCerts(MockerTestCase): def test_commands(self): mock_check_call = self.mocker.replace("subprocess.check_call", passthrough=False) - mock_check_call(["dpkg-reconfigure", "ca-certificates"]) mock_check_call(["update-ca-certificates"]) self.mocker.replay() update_ca_certs() -#class TestRemoveDefaultCaCerts(MockerTestCase): -# def test_commands(self): -# mock_check_call = self.mocker.replace("subprocess.check_call", -# passthrough=False) -# mock_check_call(["dpkg-reconfigure", "ca-certificates"]) -# mock_check_call(["update-ca-certificates"]) -# self.mocker.replay() -# -# update_ca_certs() +class TestRemoveDefaultCaCerts(MockerTestCase): + def test_commands(self): + mock_delete_dir_contents = self.mocker.replace(delete_dir_contents, passthrough=False) + mock_write = self.mocker.replace(write_file, passthrough=False) + + mock_delete_dir_contents("/usr/share/ca-certificates/") + mock_delete_dir_contents("/etc/ssl/certs/") + mock_write("/etc/ca-certificates.conf", "", "root", "root", "644") + + self.mocker.replay() + + remove_default_ca_certs() -- cgit v1.2.3 From 66d4ee588ea1de9badeebbfc700ce65724f75bfa Mon Sep 17 00:00:00 2001 From: Mike Milner Date: Mon, 16 Jan 2012 12:55:13 -0400 Subject: Small docstring fix. --- cloudinit/CloudConfig/cc_ca_certs.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cloudinit/CloudConfig/cc_ca_certs.py b/cloudinit/CloudConfig/cc_ca_certs.py index b2ac7d60..b7dd1781 100644 --- a/cloudinit/CloudConfig/cc_ca_certs.py +++ b/cloudinit/CloudConfig/cc_ca_certs.py @@ -81,7 +81,8 @@ def add_ca_certs(certs): def remove_default_ca_certs(): """ - Removes all default trusted CA certificates from the system. + Removes all default trusted CA certificates from the system. To actually + apply the change you must also call L{update_ca_certs}. """ delete_dir_contents(CA_CERT_PATH) delete_dir_contents(CA_CERT_SYSTEM_PATH) -- cgit v1.2.3 From 181fd3ceeb6a93530af7ccebfa1d06a1f7412a12 Mon Sep 17 00:00:00 2001 From: Mike Milner Date: Tue, 17 Jan 2012 09:58:42 -0400 Subject: Add unit tests for util.write_file. --- cloudinit/util.py | 71 ++++++++++++++++++++++++------------ tests/unittests/test_util.py | 85 +++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 132 insertions(+), 24 deletions(-) diff --git a/cloudinit/util.py b/cloudinit/util.py index de95ec79..b690d517 100644 --- a/cloudinit/util.py +++ b/cloudinit/util.py @@ -86,10 +86,24 @@ def get_cfg_option_str(yobj, key, default=None): return yobj[key] def get_cfg_option_list_or_str(yobj, key, default=None): - if not yobj.has_key(key): return default - if yobj[key] is None: return [] - if isinstance(yobj[key],list): return yobj[key] - return([yobj[key]]) + """ + Gets the C{key} config option from C{yobj} as a list of strings. If the + key is present as a single string it will be returned as a list with one + string arg. + + @param yobj: The configuration object. + @param key: The configuration key to get. + @param default: The default to return if key is not found. + @return: The configuration option as a list of strings or default if key + is not found. + """ + if not key in yobj: + return default + if yobj[key] is None: + return [] + if isinstance(yobj[key], list): + return yobj[key] + return [yobj[key]] # get a cfg entry by its path array # for f['a']['b']: get_cfg_by_path(mycfg,('a','b')) @@ -100,30 +114,41 @@ def get_cfg_by_path(yobj,keyp,default=None): cur = cur[tok] return(cur) -# merge values from cand into source -# if src has a key, cand will not override -def mergedict(src,cand): - if isinstance(src,dict) and isinstance(cand,dict): - for k,v in cand.iteritems(): +def mergedict(src, cand): + """ + Merge values from C{cand} into C{src}. If C{src} has a key C{cand} will + not override. Nested dictionaries are merged recursively. + """ + if isinstance(src, dict) and isinstance(cand, dict): + for k, v in cand.iteritems(): if k not in src: src[k] = v else: - src[k] = mergedict(src[k],v) + src[k] = mergedict(src[k], v) return src -def write_file(file,content,mode=0644,omode="wb"): - try: - os.makedirs(os.path.dirname(file)) - except OSError as e: - if e.errno != errno.EEXIST: - raise e - - f=open(file,omode) - if mode != None: - os.chmod(file,mode) - f.write(content) - f.close() - restorecon_if_possible(file) +def write_file(filepath, content, mode=0644, omode="wb"): + """ + Writes a file with the given content and sets the file mode as specified. + Resotres the SELinux context if possible. + + @param filepath: The full path of the file to write. + @param content: The content to write to the file. + @param mode: The filesystem mode to set on the file. + @param omode: The open mode used when opening the file (r, rb, a, etc.) + """ + try: + os.makedirs(os.path.dirname(filepath)) + except OSError as e: + if e.errno != errno.EEXIST: + raise e + + f = open(filepath, omode) + if mode is not None: + os.chmod(filepath, mode) + f.write(content) + f.close() + restorecon_if_possible(filepath) def restorecon_if_possible(path, recursive=False): if HAVE_LIBSELINUX and selinux.is_selinux_enabled(): diff --git a/tests/unittests/test_util.py b/tests/unittests/test_util.py index ba15e44d..ecbaba1a 100644 --- a/tests/unittests/test_util.py +++ b/tests/unittests/test_util.py @@ -1,6 +1,11 @@ from unittest import TestCase +from mocker import MockerTestCase +from tempfile import mkdtemp +from shutil import rmtree +import os +import stat -from cloudinit.util import mergedict, get_cfg_option_list_or_str +from cloudinit.util import mergedict, get_cfg_option_list_or_str, write_file class TestMergeDict(TestCase): def test_simple_merge(self): @@ -77,3 +82,81 @@ class TestGetCfgOptionListOrStr(TestCase): config = {"key": None} result = get_cfg_option_list_or_str(config, "key") self.assertEqual([], result) + +class TestWriteFile(MockerTestCase): + def setUp(self): + super(TestWriteFile, self).setUp() + # Make a temp directoy for tests to use. + self.tmp = mkdtemp(prefix="unittest_") + + def tearDown(self): + super(TestWriteFile, self).tearDown() + # Clean up temp directory + rmtree(self.tmp) + + def test_basic_usage(self): + """Verify basic usage with default args.""" + path = os.path.join(self.tmp, "NewFile.txt") + contents = "Hey there" + + write_file(path, contents) + + self.assertTrue(os.path.exists(path)) + self.assertTrue(os.path.isfile(path)) + with open(path) as f: + create_contents = f.read() + self.assertEqual(contents, create_contents) + file_stat = os.stat(path) + self.assertEqual(0644, stat.S_IMODE(file_stat.st_mode)) + + def test_dir_is_created_if_required(self): + """Verifiy that directories are created is required.""" + dirname = os.path.join(self.tmp, "subdir") + path = os.path.join(dirname, "NewFile.txt") + contents = "Hey there" + + write_file(path, contents) + + self.assertTrue(os.path.isdir(dirname)) + self.assertTrue(os.path.isfile(path)) + + def test_custom_mode(self): + """Verify custom mode works properly.""" + path = os.path.join(self.tmp, "NewFile.txt") + contents = "Hey there" + + write_file(path, contents, mode=0666) + + self.assertTrue(os.path.exists(path)) + self.assertTrue(os.path.isfile(path)) + file_stat = os.stat(path) + self.assertEqual(0666, stat.S_IMODE(file_stat.st_mode)) + + def test_custom_omode(self): + """Verify custom omode works properly.""" + path = os.path.join(self.tmp, "NewFile.txt") + contents = "Hey there" + + # Create file first with basic content + with open(path, "wb") as f: + f.write("LINE1\n") + write_file(path, contents, omode="a") + + self.assertTrue(os.path.exists(path)) + self.assertTrue(os.path.isfile(path)) + with open(path) as f: + create_contents = f.read() + self.assertEqual("LINE1\nHey there", create_contents) + + def test_restorecon_if_possible_is_called(self): + """Make sure the restorecon_if_possible is called correctly.""" + path = os.path.join(self.tmp, "NewFile.txt") + contents = "Hey there" + + # Mock out the restorecon_if_possible call to test if it's called. + mock_restorecon = self.mocker.replace( + "cloudinit.util.restorecon_if_possible", passthrough=False) + mock_restorecon(path) + self.mocker.replay() + + write_file(path, contents) -- cgit v1.2.3 From b3e8c541d8d7a5d677f04e6fb6767c511f52f930 Mon Sep 17 00:00:00 2001 From: Mike Milner Date: Tue, 17 Jan 2012 10:04:33 -0400 Subject: Comment and doc cleanup. --- cloudinit/CloudConfig/cc_ca_certs.py | 12 +++++++----- tests/unittests/test_util.py | 13 +++++++++++++ 2 files changed, 20 insertions(+), 5 deletions(-) diff --git a/cloudinit/CloudConfig/cc_ca_certs.py b/cloudinit/CloudConfig/cc_ca_certs.py index b7dd1781..cec70e5c 100644 --- a/cloudinit/CloudConfig/cc_ca_certs.py +++ b/cloudinit/CloudConfig/cc_ca_certs.py @@ -94,8 +94,8 @@ def handle(name, cfg, cloud, log, args): @param name: The module name "ca-cert" from cloud.cfg @param cfg: A nested dict containing the entire cloud config contents. - @param cloud: The L{CloudInit} object in use - @param log: Pre-initialized Python logger object to use for logging + @param cloud: The L{CloudInit} object in use. + @param log: Pre-initialized Python logger object to use for logging. @param args: Any module arguments from cloud.cfg """ # If there isn't a ca-certs section in the configuration don't do anything @@ -103,14 +103,16 @@ def handle(name, cfg, cloud, log, args): return ca_cert_cfg = cfg['ca-certs'] + # If there is a remove-defaults option set to true, remove the system + # default trusted CA certs first. if ca_cert_cfg.get("remove-defaults", False): remove_default_ca_certs() - # set the validation key based on the presence of either 'validation_key' - # or 'validation_cert'. In the case where both exist, 'validation_key' - # takes precedence + # If we are given any new trusted CA certs to add, add them. if ca_cert_cfg.has_key('trusted'): trusted_certs = util.get_cfg_option_list_or_str(ca_cert_cfg, 'trusted') if trusted_certs: add_ca_certs(trusted_certs) + + # Update the system with the new cert configuration. update_ca_certs() diff --git a/tests/unittests/test_util.py b/tests/unittests/test_util.py index ecbaba1a..4c512990 100644 --- a/tests/unittests/test_util.py +++ b/tests/unittests/test_util.py @@ -9,12 +9,14 @@ from cloudinit.util import mergedict, get_cfg_option_list_or_str, write_file class TestMergeDict(TestCase): def test_simple_merge(self): + """Test simple non-conflict merge.""" source = {"key1": "value1"} candidate = {"key2": "value2"} result = mergedict(source, candidate) self.assertEqual({"key1": "value1", "key2": "value2"}, result) def test_nested_merge(self): + """Test nested merge.""" source = {"key1": {"key1.1": "value1.1"}} candidate = {"key1": {"key1.2": "value1.2"}} result = mergedict(source, candidate) @@ -22,36 +24,42 @@ class TestMergeDict(TestCase): {"key1": {"key1.1": "value1.1", "key1.2": "value1.2"}}, result) def test_merge_does_not_override(self): + """Test that candidate doesn't override source.""" source = {"key1": "value1", "key2": "value2"} candidate = {"key2": "value2", "key2": "NEW VALUE"} result = mergedict(source, candidate) self.assertEqual(source, result) def test_empty_candidate(self): + """Test empty candidate doesn't change source.""" source = {"key": "value"} candidate = {} result = mergedict(source, candidate) self.assertEqual(source, result) def test_empty_source(self): + """Test empty source is replaced by candidate.""" source = {} candidate = {"key": "value"} result = mergedict(source, candidate) self.assertEqual(candidate, result) def test_non_dict_candidate(self): + """Test non-dict candidate is discarded.""" source = {"key": "value"} candidate = "not a dict" result = mergedict(source, candidate) self.assertEqual(source, result) def test_non_dict_source(self): + """Test non-dict source is not modified with a dict candidate.""" source = "not a dict" candidate = {"key": "value"} result = mergedict(source, candidate) self.assertEqual(source, result) def test_neither_dict(self): + """Test if neither candidate or source is dict source wins.""" source = "source" candidate = "candidate" result = mergedict(source, candidate) @@ -59,26 +67,31 @@ class TestMergeDict(TestCase): class TestGetCfgOptionListOrStr(TestCase): def test_not_found_no_default(self): + """None is returned if key is not found and no default given.""" config = {} result = get_cfg_option_list_or_str(config, "key") self.assertIsNone(result) def test_not_found_with_default(self): + """Default is returned if key is not found.""" config = {} result = get_cfg_option_list_or_str(config, "key", default=["DEFAULT"]) self.assertEqual(["DEFAULT"], result) def test_found_with_default(self): + """Default is not returned if key is found.""" config = {"key": ["value1"]} result = get_cfg_option_list_or_str(config, "key", default=["DEFAULT"]) self.assertEqual(["value1"], result) def test_found_convert_to_list(self): + """Single string is converted to one element list.""" config = {"key": "value1"} result = get_cfg_option_list_or_str(config, "key") self.assertEqual(["value1"], result) def test_value_is_none(self): + """If value is None empty list is returned.""" config = {"key": None} result = get_cfg_option_list_or_str(config, "key") self.assertEqual([], result) -- cgit v1.2.3 From dfadfb05c1d8fcb50f97952a6ba7ca662babeba4 Mon Sep 17 00:00:00 2001 From: Mike Milner Date: Tue, 17 Jan 2012 10:22:29 -0400 Subject: Convert code to use the write_file function from cloudinit.util. --- cloudinit/CloudConfig/cc_ca_certs.py | 34 ++++++-------------------------- tests/unittests/test_handler_ca_certs.py | 17 ++++++++-------- 2 files changed, 14 insertions(+), 37 deletions(-) diff --git a/cloudinit/CloudConfig/cc_ca_certs.py b/cloudinit/CloudConfig/cc_ca_certs.py index cec70e5c..9d7dcf7f 100644 --- a/cloudinit/CloudConfig/cc_ca_certs.py +++ b/cloudinit/CloudConfig/cc_ca_certs.py @@ -21,36 +21,13 @@ import json import StringIO import ConfigParser import cloudinit.CloudConfig as cc -import cloudinit.util as util +from cloudinit.util import write_file, get_cfg_option_list_or_str CA_CERT_PATH = "/usr/share/ca-certificates/" CA_CERT_FILENAME = "cloud-init-ca-certs.crt" CA_CERT_CONFIG = "/etc/ca-certificates.conf" CA_CERT_SYSTEM_PATH = "/etc/ssl/certs/" -def write_file(filename, contents, owner, group, mode): - """ - Write a file to disk with specified owner, group, and mode. If the file - exists already it will be overwritten. - - @param filename: Full path to the new file. - @param contents: The contents of the newly created file. - @param owner: The username who should own the file. - @param group: The group for the new file. - @param mode: The octal mode (as string) for the new file. - """ - raise NotImplementedError() - -def append_to_file(filename, contents): - """ - Append C{contents} to an existing file on the filesystem. If the file - doesn't exist it will be created with the default owner and permissions. - - @param filename: Full path to the new file. - @param contents: The contents to append to the file. - """ - raise NotImplementedError() - def delete_dir_contents(dirname): """ Delete all the contents of the directory specified by C{dirname} without @@ -76,8 +53,9 @@ def add_ca_certs(certs): if certs: cert_file_contents = "\n".join(certs) cert_file_fullpath = os.path.join(CA_CERT_PATH, CA_CERT_FILENAME) - write_file(cert_file_fullpath, cert_file_contents, "root", "root", "644") - append_to_file(CA_CERT_CONFIG, CA_CERT_FILENAME) + write_file(cert_file_fullpath, cert_file_contents, mode=0644) + # Append cert filename to CA_CERT_CONFIG file. + write_file(CA_CERT_CONFIG, "\n%s" % CA_CERT_FILENAME, omode="a") def remove_default_ca_certs(): """ @@ -86,7 +64,7 @@ def remove_default_ca_certs(): """ delete_dir_contents(CA_CERT_PATH) delete_dir_contents(CA_CERT_SYSTEM_PATH) - write_file(CA_CERT_CONFIG, "", "root", "root", "644") + write_file(CA_CERT_CONFIG, "", mode=0644) def handle(name, cfg, cloud, log, args): """ @@ -110,7 +88,7 @@ def handle(name, cfg, cloud, log, args): # If we are given any new trusted CA certs to add, add them. if ca_cert_cfg.has_key('trusted'): - trusted_certs = util.get_cfg_option_list_or_str(ca_cert_cfg, 'trusted') + trusted_certs = get_cfg_option_list_or_str(ca_cert_cfg, 'trusted') if trusted_certs: add_ca_certs(trusted_certs) diff --git a/tests/unittests/test_handler_ca_certs.py b/tests/unittests/test_handler_ca_certs.py index 7c6dc873..d8b98a6b 100644 --- a/tests/unittests/test_handler_ca_certs.py +++ b/tests/unittests/test_handler_ca_certs.py @@ -1,7 +1,8 @@ from unittest import TestCase from mocker import MockerTestCase -from cloudinit.CloudConfig.cc_ca_certs import handle, write_file, update_ca_certs, add_ca_certs, remove_default_ca_certs, append_to_file, delete_dir_contents +from cloudinit.util import write_file +from cloudinit.CloudConfig.cc_ca_certs import handle, update_ca_certs, add_ca_certs, remove_default_ca_certs, delete_dir_contents class TestNoConfig(MockerTestCase): @@ -127,24 +128,22 @@ class TestAddCaCerts(MockerTestCase): cert = "CERT1\nLINE2\nLINE3" mock_write = self.mocker.replace(write_file, passthrough=False) - mock_append = self.mocker.replace(append_to_file, passthrough=False) mock_write("/usr/share/ca-certificates/cloud-init-ca-certs.crt", - cert, "root", "root", "644") - mock_append("/etc/ca-certificates.conf", "cloud-init-ca-certs.crt") + cert, mode=0644) + mock_write("/etc/ca-certificates.conf", "\ncloud-init-ca-certs.crt", omode="a") self.mocker.replay() add_ca_certs([cert]) def test_multiple_certs(self): - """Test adding multiple certificate to the trusted CAs""" + """Test adding multiple certificates to the trusted CAs""" certs = ["CERT1\nLINE2\nLINE3", "CERT2\nLINE2\nLINE3"] expected_cert_file = "\n".join(certs) mock_write = self.mocker.replace(write_file, passthrough=False) - mock_append = self.mocker.replace(append_to_file, passthrough=False) mock_write("/usr/share/ca-certificates/cloud-init-ca-certs.crt", - expected_cert_file, "root", "root", "644") - mock_append("/etc/ca-certificates.conf", "cloud-init-ca-certs.crt") + expected_cert_file, mode=0644) + mock_write("/etc/ca-certificates.conf", "\ncloud-init-ca-certs.crt", omode="a") self.mocker.replay() add_ca_certs(certs) @@ -167,7 +166,7 @@ class TestRemoveDefaultCaCerts(MockerTestCase): mock_delete_dir_contents("/usr/share/ca-certificates/") mock_delete_dir_contents("/etc/ssl/certs/") - mock_write("/etc/ca-certificates.conf", "", "root", "root", "644") + mock_write("/etc/ca-certificates.conf", "", mode=0644) self.mocker.replay() -- cgit v1.2.3 From 44ea733b7a462442fe2cc3c858001c0cd909dd1b Mon Sep 17 00:00:00 2001 From: Mike Milner Date: Tue, 17 Jan 2012 11:47:12 -0400 Subject: Added delete_dir_contents function to cloudinit.util. --- cloudinit/util.py | 14 +++++++++ tests/unittests/test_util.py | 72 +++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 85 insertions(+), 1 deletion(-) diff --git a/cloudinit/util.py b/cloudinit/util.py index b690d517..3701f42d 100644 --- a/cloudinit/util.py +++ b/cloudinit/util.py @@ -18,6 +18,7 @@ import yaml import os import os.path +import shutil import errno import subprocess from Cheetah.Template import Template @@ -127,6 +128,19 @@ def mergedict(src, cand): src[k] = mergedict(src[k], v) return src +def delete_dir_contents(dirname): + """ + Deletes all contents of a directory without deleting the directory itself. + + @param dirname: The directory whose contents should be deleted. + """ + for node in os.listdir(dirname): + node_fullpath = os.path.join(dirname, node) + if os.path.isdir(node_fullpath): + shutil.rmtree(node_fullpath) + else: + os.unlink(node_fullpath) + def write_file(filepath, content, mode=0644, omode="wb"): """ Writes a file with the given content and sets the file mode as specified. diff --git a/tests/unittests/test_util.py b/tests/unittests/test_util.py index 4c512990..f2b2ee3d 100644 --- a/tests/unittests/test_util.py +++ b/tests/unittests/test_util.py @@ -5,7 +5,7 @@ from shutil import rmtree import os import stat -from cloudinit.util import mergedict, get_cfg_option_list_or_str, write_file +from cloudinit.util import mergedict, get_cfg_option_list_or_str, write_file, delete_dir_contents class TestMergeDict(TestCase): def test_simple_merge(self): @@ -173,3 +173,73 @@ class TestWriteFile(MockerTestCase): self.mocker.replay() write_file(path, contents) + +class TestDeleteDirContents(TestCase): + def setUp(self): + super(TestDeleteDirContents, self).setUp() + # Make a temp directoy for tests to use. + self.tmp = mkdtemp(prefix="unittest_") + + def tearDown(self): + super(TestDeleteDirContents, self).tearDown() + # Clean up temp directory + rmtree(self.tmp) + + def assertDirEmpty(self, dirname): + self.assertEqual([], os.listdir(dirname)) + + def test_does_not_delete_dir(self): + """Ensure directory itself is not deleted.""" + delete_dir_contents(self.tmp) + + self.assertTrue(os.path.isdir(self.tmp)) + self.assertDirEmpty(self.tmp) + + def test_deletes_files(self): + """Single file should be deleted.""" + with open(os.path.join(self.tmp, "new_file.txt"), "wb") as f: + f.write("DELETE ME") + + delete_dir_contents(self.tmp) + + self.assertDirEmpty(self.tmp) + + def test_deletes_empty_dirs(self): + """Empty directories should be deleted.""" + os.mkdir(os.path.join(self.tmp, "new_dir")) + + delete_dir_contents(self.tmp) + + self.assertDirEmpty(self.tmp) + + def test_deletes_nested_dirs(self): + """Nested directories should be deleted.""" + os.mkdir(os.path.join(self.tmp, "new_dir")) + os.mkdir(os.path.join(self.tmp, "new_dir", "new_subdir")) + + delete_dir_contents(self.tmp) + + self.assertDirEmpty(self.tmp) + + def test_deletes_non_empty_dirs(self): + """Non-empty directories should be deleted.""" + os.mkdir(os.path.join(self.tmp, "new_dir")) + f_name = os.path.join(self.tmp, "new_dir", "new_file.txt") + with open(f_name, "wb") as f: + f.write("DELETE ME") + + delete_dir_contents(self.tmp) + + self.assertDirEmpty(self.tmp) + + def test_deletes_symlinks(self): + """Symlinks should be deleted.""" + file_name = os.path.join(self.tmp, "new_file.txt") + link_name = os.path.join(self.tmp, "new_file_link.txt") + with open(file_name, "wb") as f: + f.write("DELETE ME") + os.symlink(file_name, link_name) + + delete_dir_contents(self.tmp) + + self.assertDirEmpty(self.tmp) -- cgit v1.2.3 From 19da04df35c1e6b22379c7b8e0457b16af299593 Mon Sep 17 00:00:00 2001 From: Mike Milner Date: Tue, 17 Jan 2012 11:49:32 -0400 Subject: Use delete_dir_contents from cloudinit.util. --- cloudinit/CloudConfig/cc_ca_certs.py | 11 +---------- tests/unittests/test_handler_ca_certs.py | 4 ++-- 2 files changed, 3 insertions(+), 12 deletions(-) diff --git a/cloudinit/CloudConfig/cc_ca_certs.py b/cloudinit/CloudConfig/cc_ca_certs.py index 9d7dcf7f..ef651f8b 100644 --- a/cloudinit/CloudConfig/cc_ca_certs.py +++ b/cloudinit/CloudConfig/cc_ca_certs.py @@ -21,22 +21,13 @@ import json import StringIO import ConfigParser import cloudinit.CloudConfig as cc -from cloudinit.util import write_file, get_cfg_option_list_or_str +from cloudinit.util import write_file, get_cfg_option_list_or_str, delete_dir_contents CA_CERT_PATH = "/usr/share/ca-certificates/" CA_CERT_FILENAME = "cloud-init-ca-certs.crt" CA_CERT_CONFIG = "/etc/ca-certificates.conf" CA_CERT_SYSTEM_PATH = "/etc/ssl/certs/" -def delete_dir_contents(dirname): - """ - Delete all the contents of the directory specified by C{dirname} without - deleting the directory itself. - - @param dirname: The directory whose contents should be deleted. - """ - raise NotImplementedError() - def update_ca_certs(): """ Updates the CA certificate cache on the current machine. diff --git a/tests/unittests/test_handler_ca_certs.py b/tests/unittests/test_handler_ca_certs.py index d8b98a6b..92460088 100644 --- a/tests/unittests/test_handler_ca_certs.py +++ b/tests/unittests/test_handler_ca_certs.py @@ -1,8 +1,8 @@ from unittest import TestCase from mocker import MockerTestCase -from cloudinit.util import write_file -from cloudinit.CloudConfig.cc_ca_certs import handle, update_ca_certs, add_ca_certs, remove_default_ca_certs, delete_dir_contents +from cloudinit.util import write_file, delete_dir_contents +from cloudinit.CloudConfig.cc_ca_certs import handle, update_ca_certs, add_ca_certs, remove_default_ca_certs class TestNoConfig(MockerTestCase): -- cgit v1.2.3 From 93b733862c1f5f41a5597aa640c434610ad76231 Mon Sep 17 00:00:00 2001 From: Mike Milner Date: Tue, 17 Jan 2012 12:30:07 -0400 Subject: Add ca-certs example to docs. --- doc/examples/cloud-config-ca-certs.txt | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 doc/examples/cloud-config-ca-certs.txt diff --git a/doc/examples/cloud-config-ca-certs.txt b/doc/examples/cloud-config-ca-certs.txt new file mode 100644 index 00000000..5e9115a0 --- /dev/null +++ b/doc/examples/cloud-config-ca-certs.txt @@ -0,0 +1,31 @@ +#cloud-config +# +# This is an example file to configure an instance's trusted CA certificates +# system-wide for SSL/TLS trust establishment when the instance boots for the +# first time. +# +# Make sure that this file is valid yaml before starting instances. +# It should be passed as user-data when starting the instance. + +ca-certs: + # If present and set to True, the 'remove-defaults' parameter will remove + # all the default trusted CA certificates that are normally shipped with + # Ubuntu. + # This is mainly for paranoid admins - most users will not need this + # functionality. + remove-defaults: true + + # If present, the 'trusted' parameter should contain a certificate (or list + # of certificates) to add to the system as trusted CA certificates. + # Pay close attention to the YAML multiline list syntax. The example shown + # here is for a list of multiline certificates. + trusted: + - | + -----BEGIN CERTIFICATE----- + YOUR-ORGS-TRUSTED-CA-CERT-HERE + -----END CERTIFICATE----- + - | + -----BEGIN CERTIFICATE----- + YOUR-ORGS-TRUSTED-CA-CERT-HERE + -----END CERTIFICATE----- + -- cgit v1.2.3 From f52ffe2dda01dd0314523fcac559e6f3fbb3578e Mon Sep 17 00:00:00 2001 From: Mike Milner Date: Tue, 17 Jan 2012 13:35:31 -0400 Subject: Lint fixes. --- cloudinit/CloudConfig/cc_ca_certs.py | 19 +++++++++---------- tests/unittests/test_handler_ca_certs.py | 22 +++++++++++++--------- tests/unittests/test_util.py | 7 ++++++- 3 files changed, 28 insertions(+), 20 deletions(-) diff --git a/cloudinit/CloudConfig/cc_ca_certs.py b/cloudinit/CloudConfig/cc_ca_certs.py index ef651f8b..e6cdc3f5 100644 --- a/cloudinit/CloudConfig/cc_ca_certs.py +++ b/cloudinit/CloudConfig/cc_ca_certs.py @@ -14,26 +14,23 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . import os -import pwd -import socket from subprocess import check_call -import json -import StringIO -import ConfigParser -import cloudinit.CloudConfig as cc -from cloudinit.util import write_file, get_cfg_option_list_or_str, delete_dir_contents +from cloudinit.util import (write_file, get_cfg_option_list_or_str, + delete_dir_contents) CA_CERT_PATH = "/usr/share/ca-certificates/" CA_CERT_FILENAME = "cloud-init-ca-certs.crt" CA_CERT_CONFIG = "/etc/ca-certificates.conf" CA_CERT_SYSTEM_PATH = "/etc/ssl/certs/" + def update_ca_certs(): """ Updates the CA certificate cache on the current machine. """ check_call(["update-ca-certificates"]) + def add_ca_certs(certs): """ Adds certificates to the system. To actually apply the new certificates @@ -48,6 +45,7 @@ def add_ca_certs(certs): # Append cert filename to CA_CERT_CONFIG file. write_file(CA_CERT_CONFIG, "\n%s" % CA_CERT_FILENAME, omode="a") + def remove_default_ca_certs(): """ Removes all default trusted CA certificates from the system. To actually @@ -57,6 +55,7 @@ def remove_default_ca_certs(): delete_dir_contents(CA_CERT_SYSTEM_PATH) write_file(CA_CERT_CONFIG, "", mode=0644) + def handle(name, cfg, cloud, log, args): """ Call to handle ca-cert sections in cloud-config file. @@ -68,7 +67,7 @@ def handle(name, cfg, cloud, log, args): @param args: Any module arguments from cloud.cfg """ # If there isn't a ca-certs section in the configuration don't do anything - if not cfg.has_key('ca-certs'): + if "ca-certs" not in cfg: return ca_cert_cfg = cfg['ca-certs'] @@ -78,8 +77,8 @@ def handle(name, cfg, cloud, log, args): remove_default_ca_certs() # If we are given any new trusted CA certs to add, add them. - if ca_cert_cfg.has_key('trusted'): - trusted_certs = get_cfg_option_list_or_str(ca_cert_cfg, 'trusted') + if "trusted" in ca_cert_cfg: + trusted_certs = get_cfg_option_list_or_str(ca_cert_cfg, "trusted") if trusted_certs: add_ca_certs(trusted_certs) diff --git a/tests/unittests/test_handler_ca_certs.py b/tests/unittests/test_handler_ca_certs.py index 92460088..c289a4f6 100644 --- a/tests/unittests/test_handler_ca_certs.py +++ b/tests/unittests/test_handler_ca_certs.py @@ -1,8 +1,8 @@ -from unittest import TestCase from mocker import MockerTestCase from cloudinit.util import write_file, delete_dir_contents -from cloudinit.CloudConfig.cc_ca_certs import handle, update_ca_certs, add_ca_certs, remove_default_ca_certs +from cloudinit.CloudConfig.cc_ca_certs import ( + handle, update_ca_certs, add_ca_certs, remove_default_ca_certs) class TestNoConfig(MockerTestCase): @@ -36,8 +36,10 @@ class TestConfig(MockerTestCase): # Mock out the functions that actually modify the system self.mock_add = self.mocker.replace(add_ca_certs, passthrough=False) - self.mock_update = self.mocker.replace(update_ca_certs, passthrough=False) - self.mock_remove = self.mocker.replace(remove_default_ca_certs, passthrough=False) + self.mock_update = self.mocker.replace(update_ca_certs, + passthrough=False) + self.mock_remove = self.mocker.replace(remove_default_ca_certs, + passthrough=False) # Order must be correct self.mocker.order() @@ -118,7 +120,7 @@ class TestConfig(MockerTestCase): class TestAddCaCerts(MockerTestCase): def test_no_certs_in_list(self): """Test that no certificate are written if not provided.""" - mock = self.mocker.replace(write_file, passthrough=False) + self.mocker.replace(write_file, passthrough=False) self.mocker.replay() add_ca_certs([]) @@ -130,7 +132,8 @@ class TestAddCaCerts(MockerTestCase): mock_write = self.mocker.replace(write_file, passthrough=False) mock_write("/usr/share/ca-certificates/cloud-init-ca-certs.crt", cert, mode=0644) - mock_write("/etc/ca-certificates.conf", "\ncloud-init-ca-certs.crt", omode="a") + mock_write("/etc/ca-certificates.conf", + "\ncloud-init-ca-certs.crt", omode="a") self.mocker.replay() add_ca_certs([cert]) @@ -143,7 +146,8 @@ class TestAddCaCerts(MockerTestCase): mock_write = self.mocker.replace(write_file, passthrough=False) mock_write("/usr/share/ca-certificates/cloud-init-ca-certs.crt", expected_cert_file, mode=0644) - mock_write("/etc/ca-certificates.conf", "\ncloud-init-ca-certs.crt", omode="a") + mock_write("/etc/ca-certificates.conf", + "\ncloud-init-ca-certs.crt", omode="a") self.mocker.replay() add_ca_certs(certs) @@ -161,13 +165,13 @@ class TestUpdateCaCerts(MockerTestCase): class TestRemoveDefaultCaCerts(MockerTestCase): def test_commands(self): - mock_delete_dir_contents = self.mocker.replace(delete_dir_contents, passthrough=False) + mock_delete_dir_contents = self.mocker.replace(delete_dir_contents, + passthrough=False) mock_write = self.mocker.replace(write_file, passthrough=False) mock_delete_dir_contents("/usr/share/ca-certificates/") mock_delete_dir_contents("/etc/ssl/certs/") mock_write("/etc/ca-certificates.conf", "", mode=0644) - self.mocker.replay() remove_default_ca_certs() diff --git a/tests/unittests/test_util.py b/tests/unittests/test_util.py index f2b2ee3d..d8da8bc9 100644 --- a/tests/unittests/test_util.py +++ b/tests/unittests/test_util.py @@ -5,7 +5,9 @@ from shutil import rmtree import os import stat -from cloudinit.util import mergedict, get_cfg_option_list_or_str, write_file, delete_dir_contents +from cloudinit.util import (mergedict, get_cfg_option_list_or_str, write_file, + delete_dir_contents) + class TestMergeDict(TestCase): def test_simple_merge(self): @@ -65,6 +67,7 @@ class TestMergeDict(TestCase): result = mergedict(source, candidate) self.assertEqual(source, result) + class TestGetCfgOptionListOrStr(TestCase): def test_not_found_no_default(self): """None is returned if key is not found and no default given.""" @@ -96,6 +99,7 @@ class TestGetCfgOptionListOrStr(TestCase): result = get_cfg_option_list_or_str(config, "key") self.assertEqual([], result) + class TestWriteFile(MockerTestCase): def setUp(self): super(TestWriteFile, self).setUp() @@ -174,6 +178,7 @@ class TestWriteFile(MockerTestCase): write_file(path, contents) + class TestDeleteDirContents(TestCase): def setUp(self): super(TestDeleteDirContents, self).setUp() -- cgit v1.2.3 From ce05d60cbe7a542c51e2fa206acf57e59091f17a Mon Sep 17 00:00:00 2001 From: Mike Milner Date: Tue, 17 Jan 2012 13:46:44 -0400 Subject: Add ca-certs into the main config to run just before rsyslog. --- config/cloud.cfg | 1 + 1 file changed, 1 insertion(+) diff --git a/config/cloud.cfg b/config/cloud.cfg index 45538955..25d02cee 100644 --- a/config/cloud.cfg +++ b/config/cloud.cfg @@ -9,6 +9,7 @@ cloud_init_modules: - set_hostname - update_hostname - update_etc_hosts + - ca-certs - rsyslog - ssh -- cgit v1.2.3