Posted to commits@ambari.apache.org by sw...@apache.org on 2013/06/14 02:52:29 UTC
svn commit: r1492918 - in /incubator/ambari/trunk/ambari-server/src:
main/java/org/apache/ambari/server/security/CertificateManager.java
test/java/org/apache/ambari/server/security/CertGenerationTest.java
Author: swagle
Date: Fri Jun 14 00:52:29 2013
New Revision: 1492918
URL: http://svn.apache.org/r1492918
Log:
AMBARI-2361. Simplify the agent cert creation and server cert signing so that cleanup of certs can make retries a simpler process. (Dmitry Sen via swagle)
Modified:
incubator/ambari/trunk/ambari-server/src/main/java/org/apache/ambari/server/security/CertificateManager.java
incubator/ambari/trunk/ambari-server/src/test/java/org/apache/ambari/server/security/CertGenerationTest.java
Modified: incubator/ambari/trunk/ambari-server/src/main/java/org/apache/ambari/server/security/CertificateManager.java
URL: http://svn.apache.org/viewvc/incubator/ambari/trunk/ambari-server/src/main/java/org/apache/ambari/server/security/CertificateManager.java?rev=1492918&r1=1492917&r2=1492918&view=diff
==============================================================================
--- incubator/ambari/trunk/ambari-server/src/main/java/org/apache/ambari/server/security/CertificateManager.java (original)
+++ incubator/ambari/trunk/ambari-server/src/main/java/org/apache/ambari/server/security/CertificateManager.java Fri Jun 14 00:52:29 2013
@@ -56,6 +56,9 @@ public class CertificateManager {
private static final String EXPRT_KSTR = "openssl pkcs12 -export" +
" -in {1}/{3} -inkey {1}/{2} -certfile {1}/{3} -out {1}/{4} " +
"-password pass:{0} -passin pass:{0} \n";
+ private static final String REVOKE_AGENT_CRT = "openssl ca " +
+ "-config {0}/ca.config -keyfile {0}/{4} -revoke {0}/{2} -batch " +
+ "-passin pass:{3} -cert {0}/{5}";
private static final String SIGN_AGENT_CRT = "openssl ca -config " +
"{0}/ca.config -in {0}/{1} -out {0}/{2} -batch -passin pass:{3} " +
"-keyfile {0}/{4} -cert {0}/{5}"; /**
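Review bot: The new REVOKE_AGENT_CRT template passes the CA key passphrase as `-passin pass:{3}` on the openssl command line, where it is readable by any local user through the process table while the command runs; SIGN_AGENT_CRT already follows the same pattern, so this applies to both constants. openssl's `-passin` also accepts `env:VAR` and `file:PATH` sources, which would keep the passphrase out of argv without changing the rest of the command. A short Javadoc on the constant naming the placeholders (`{0}` keystore dir, `{2}` agent cert file, `{3}` passphrase, `{4}` server key, `{5}` server cert) would also help, since the positions are only explained by the scriptArgs array built further down in signAgentCrt.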
@@ -207,6 +210,22 @@ public class CertificateManager {
String agentCrtReqName = agentHostname + ".csr";
String agentCrtName = agentHostname + ".crt";
+ Object[] scriptArgs = {srvrKstrDir,agentCrtReqName,agentCrtName,
+ srvrCrtPass,srvrKeyName,srvrCrtName};
+
+ //Revoke previous agent certificate if exists
+ File agentCrtFile = new File(srvrKstrDir + File.separator + agentCrtName);
+
+ if (agentCrtFile.exists()) {
+ LOG.info("Revoking of " + agentHostname + " certificate.");
+ String command = MessageFormat.format(REVOKE_AGENT_CRT, scriptArgs);
+ int commandExitCode = runCommand(command);
+ if (commandExitCode != 0) {
+ response.setResult(SignCertResponse.ERROR_STATUS);
+ response.setMessage(ShellCommandUtil.getOpenSslCommandResult(command, commandExitCode));
+ return response;
+ }
+ }
File agentCrtReqFile = new File(srvrKstrDir + File.separator +
agentCrtReqName);
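Review bot: When the revoke command fails, the message set at `response.setMessage(ShellCommandUtil.getOpenSslCommandResult(command, commandExitCode));` is built from the full command string, which contains `-passin pass:<passphrase>`; the new test asserts that this message contains "-revoke", so the echoed command — and with it the CA passphrase — goes back to the agent in SignCertResponse. Redact before building the message, e.g. `String safeCommand = command.replaceAll("pass:\\S+", "pass:***");` and pass `safeCommand` to getOpenSslCommandResult, or log the detailed result server-side and return a generic error. Separately, a failed revoke returns an error while the stale `.crt` file stays in place, so every retry for that host will hit the same failure (openssl ca -revoke presumably fails for a certificate that is not in the CA index, which is what the test's empty fake file produces); if the goal is simpler retries, the old file should be removed or renamed when revocation is not possible. signAgentCrt starts before and ends after this hunk.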
@@ -216,8 +235,6 @@ public class CertificateManager {
// TODO Auto-generated catch block
e1.printStackTrace();
}
- Object[] scriptArgs = {srvrKstrDir,agentCrtReqName,agentCrtName,
- srvrCrtPass,srvrKeyName,srvrCrtName};
String command = MessageFormat.format(SIGN_AGENT_CRT,scriptArgs);
@@ -231,7 +248,6 @@ public class CertificateManager {
return response;
}
- File agentCrtFile = new File(srvrKstrDir + File.separator + agentCrtName);
String agentCrtContent = "";
try {
agentCrtContent = FileUtils.readFileToString(agentCrtFile);
Modified: incubator/ambari/trunk/ambari-server/src/test/java/org/apache/ambari/server/security/CertGenerationTest.java
URL: http://svn.apache.org/viewvc/incubator/ambari/trunk/ambari-server/src/test/java/org/apache/ambari/server/security/CertGenerationTest.java?rev=1492918&r1=1492917&r2=1492918&view=diff
==============================================================================
--- incubator/ambari/trunk/ambari-server/src/test/java/org/apache/ambari/server/security/CertGenerationTest.java (original)
+++ incubator/ambari/trunk/ambari-server/src/test/java/org/apache/ambari/server/security/CertGenerationTest.java Fri Jun 14 00:52:29 2013
@@ -18,9 +18,9 @@
package org.apache.ambari.server.security;
-import java.io.File;
-import java.io.IOException;
+import java.io.*;
import java.lang.reflect.Constructor;
+import java.util.Map;
import java.util.Properties;
import org.apache.ambari.server.configuration.Configuration;
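Review bot: The two explicit imports were replaced by the wildcard `import java.io.*;`, which the surrounding imports avoid; keep `import java.io.File;` and `import java.io.IOException;` and add only the java.io types the new test actually uses.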
@@ -123,4 +123,30 @@ public class CertGenerationTest extends
File.separator + Configuration.KSTR_NAME_DEFAULT);
assertTrue(serverKeyStrore.exists());
}
+
+ @Test
+ public void testRevokeExistingAgentCert() throws Exception {
+
+ Map<String,String> config = certMan.configs.getConfigsMap();
+ config.put(Configuration.PASSPHRASE_KEY,"passphrase");
+
+ String agentHostname = "agent_hostname1";
+ SignCertResponse scr = certMan.signAgentCrt(agentHostname,
+ "incorrect_agentCrtReqContent", "passphrase");
+ //Revoke command wasn't executed
+ assertFalse(scr.getMessage().contains("-revoke"));
+
+ //Emulate existing agent certificate
+ File fakeAgentCertFile = new File(temp.getRoot().getAbsoluteFile() +
+ File.separator + agentHostname + ".crt");
+ assertFalse(fakeAgentCertFile.exists());
+ fakeAgentCertFile.createNewFile();
+ assertTrue(fakeAgentCertFile.exists());
+
+ //Revoke command was executed
+ scr = certMan.signAgentCrt(agentHostname,
+ "incorrect_agentCrtReqContent", "passphrase");
+ assertTrue(scr.getMessage().contains("-revoke"));
+ }
+
}
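Review bot: testRevokeExistingAgentCert infers that the revoke ran only from `scr.getMessage().contains("-revoke")`, which couples the test to the error message echoing the command line; asserting the outcome as well, `assertEquals(SignCertResponse.ERROR_STATUS, scr.getResult());` after the second call (if SignCertResponse exposes a `getResult()` accessor), pins what the caller actually sees. The test also depends on the revoke failing, since the fake `.crt` is empty and was never issued by the test CA, so it only covers the error branch; a comment such as `// empty fake cert: openssl ca -revoke is expected to fail, exercising the error branch` would keep a future reader from treating it as a successful-revocation test.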