Mercurial Mercurial > pvl-hosts / diff
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
pvl/login/ssl.py
changeset 438 d45fc43c6073
parent 437 5100b359906c
child 439 6a8ea0d363c1 
--- a/pvl/login/ssl.py	Tue Feb 24 12:47:09 2015 +0200
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,149 +0,0 @@
-# encoding: utf-8
-
-import base64
-import datetime
-import hashlib
-import os
-import os.path
-import string
-
-import pvl.invoke
-
-import logging; log = logging.getLogger('pvl.login.ssl')
-
-class Error (Exception) :
-    pass
-
-class UsersCA (object) :
-    OPENSSL = '/usr/bin/openssl'
-
-    SIGN_DAYS = 1
-
-    VALID_USER = set(string.letters + string.digits + '-.')
-    
-    O = u"Päivölän Kansanopisto"
-    OU = u"People"
-    DC = ('paivola', 'fi')
-
-    def __init__ (self, ca, users) :
-        self.ca = ca
-        self.users = users
-
-        self.ca_config = os.path.join(ca, 'openssl.cnf')
-
-    def sign_spkac (self, out, spkac, days=SIGN_DAYS) :
-        """
-            Sign given request file (path).
-
-            Creates the given output file (path). Empty file on errors..
-        """
-
-        pvl.invoke.invoke(self.OPENSSL, ('ca',
-                '-config', self.ca_config,
-                '-spkac', spkac,
-                '-out', out,
-                '-policy', 'policy_user',
-                '-days', str(days),
-                '-utf8',
-            ),
-            setenv={
-                'CA':   self.ca,
-            },
-        )
-
-    def generate_dn (self, uid, cn=None) :
-        """
-            Generate OpenSSL (rdn, value) pairs for given user.
-        """
-
-        if self.O :
-            yield 'O', self.O
-
-        elif self.DC :
-            for index, dc in enumerate(self.DC, 1) :
-                yield '{index}.DC'.format(index=index), dc
-        
-        yield 'OU', self.OU
-         
-        yield 'UID', uid 
-        
-        if cn :
-            yield 'CN', cn
-
-    def write_spkac (self, path, spkac, dn) :
-        """
-            Write out a spkac file to the given path, containing the given base64-encoded spkac and DN.
-        """
-
-        # roundtrip the spkac for consistent formatting
-        spkac = base64.b64encode(base64.b64decode(spkac))
-
-        file = open(path, 'w')
-
-        file.write('SPKAC=')
-        file.write(spkac)
-        file.write('\n')
-
-        for rdn, value in dn :
-            file.write(u'{rdn}={value}\n'.format(rdn=rdn, value=value).encode('utf-8'))
-        
-        file.close()
-
-    def sign_user (self, user, spkac, userinfo=None) :
-        """
-            Sign given spkac string (base64-encoded) for given user.
-
-            Returns a name for the signed cert.
-        """
-
-        if not set(user).issubset(self.VALID_USER) :
-            raise Error("Invalid username: {user}".format(user=user))
-
-        dir = os.path.join(self.users, user)
-
-        if not os.path.exists(dir) :
-            os.mkdir(dir)
-
-        name = hashlib.sha1(user + spkac).hexdigest()
-        spkac_file = os.path.join(dir, name) + '.spkac'
-        cert_file = os.path.join(dir, name)
-        tmp_file = os.path.join(dir, name) + '.tmp'
-        
-        # the req to sign
-        if os.path.exists(spkac_file) :
-            log.warning("spkac already exists: %s", spkac_file)
-        else :
-            log.info("%s: write spkac: %s", user, spkac_file)
-            self.write_spkac(os.path.join(dir, name) + '.spkac', spkac, self.generate_dn(user, userinfo))
-        
-        # sign it
-        if os.path.exists(cert_file) :
-            log.warning("cert already exists: %s", cert_file)
-            return name
-        
-        if os.path.exists(tmp_file) :
-            log.warning("cleaning out previous tmp file: %s", tmp_file)
-            os.unlink(tmp_file)
-
-        log.info("%s: sign cert: %s", user, cert_file)
-        self.sign_spkac(tmp_file, spkac_file)
-
-        log.debug("%s: rename %s -> %s", user, tmp_file, cert_file)
-        os.rename(tmp_file, cert_file)
-
-        return name
-
-    def open_cert (self, user, name) :
-        """
-            Return an opened cert file by username / cert name.
-        """
-
-        if not set(user).issubset(self.VALID_USER) :
-            raise Error("Invalid username: {user}".format(user=user))
-
-        path = os.path.join(self.users, user, name)
-
-        if not os.path.exists(path) :
-            raise Error("No cert found on server")
-
-        return open(path)
pvl-hosts