Posted to commits@ambari.apache.org by sw...@apache.org on 2013/06/14 02:52:29 UTC

svn commit: r1492918 - in /incubator/ambari/trunk/ambari-server/src: main/java/org/apache/ambari/server/security/CertificateManager.java test/java/org/apache/ambari/server/security/CertGenerationTest.java

Author: swagle
Date: Fri Jun 14 00:52:29 2013
New Revision: 1492918

URL: http://svn.apache.org/r1492918
Log:
AMBARI-2361. Simplify agent cert creation and server cert signing so that cleaning up certs makes retries simpler. (Dmitry Sen via swagle)

Modified:
    incubator/ambari/trunk/ambari-server/src/main/java/org/apache/ambari/server/security/CertificateManager.java
    incubator/ambari/trunk/ambari-server/src/test/java/org/apache/ambari/server/security/CertGenerationTest.java

Modified: incubator/ambari/trunk/ambari-server/src/main/java/org/apache/ambari/server/security/CertificateManager.java
URL: http://svn.apache.org/viewvc/incubator/ambari/trunk/ambari-server/src/main/java/org/apache/ambari/server/security/CertificateManager.java?rev=1492918&r1=1492917&r2=1492918&view=diff
==============================================================================
--- incubator/ambari/trunk/ambari-server/src/main/java/org/apache/ambari/server/security/CertificateManager.java (original)
+++ incubator/ambari/trunk/ambari-server/src/main/java/org/apache/ambari/server/security/CertificateManager.java Fri Jun 14 00:52:29 2013
@@ -56,6 +56,9 @@ public class CertificateManager {
   private static final String EXPRT_KSTR = "openssl pkcs12 -export" +
       " -in {1}/{3} -inkey {1}/{2} -certfile {1}/{3} -out {1}/{4} " +
       "-password pass:{0} -passin pass:{0} \n";
+  private static final String REVOKE_AGENT_CRT = "openssl ca " +
+      "-config {0}/ca.config -keyfile {0}/{4} -revoke {0}/{2} -batch " +
+      "-passin pass:{3} -cert {0}/{5}";
   private static final String SIGN_AGENT_CRT = "openssl ca -config " +
       "{0}/ca.config -in {0}/{1} -out {0}/{2} -batch -passin pass:{3} " +
       "-keyfile {0}/{4} -cert {0}/{5}"; /**
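Review bot: The new REVOKE_AGENT_CRT template skips placeholder `{1}` and its numbering only makes sense next to the scriptArgs array built in signAgentCrt, so a comment above it should spell the mapping out, e.g. `// {0}=keystore dir, {2}=agent crt, {3}=CA key passphrase, {4}=server key, {5}=server crt; {1} (CSR) is unused so the same scriptArgs array as SIGN_AGENT_CRT fits`. The comment should also note that `-passin pass:{3}` puts the CA key passphrase into the openssl argv, where it is visible to other local users via the process list; SIGN_AGENT_CRT and EXPRT_KSTR have the same property, so this is not introduced here, but the new constant doubles the exposure and the hunk that formats it also echoes the command string back to the caller (see the next hunk).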
@@ -207,6 +210,22 @@ public class CertificateManager {
     String agentCrtReqName = agentHostname + ".csr";
     String agentCrtName = agentHostname + ".crt";
 
+    Object[] scriptArgs = {srvrKstrDir,agentCrtReqName,agentCrtName,
+      srvrCrtPass,srvrKeyName,srvrCrtName};
+
+    //Revoke previous agent certificate if exists
+    File agentCrtFile = new File(srvrKstrDir + File.separator + agentCrtName);
+
+    if (agentCrtFile.exists()) {
+      LOG.info("Revoking of " + agentHostname + " certificate.");
+      String command = MessageFormat.format(REVOKE_AGENT_CRT, scriptArgs);
+      int commandExitCode = runCommand(command);
+      if (commandExitCode != 0) {
+        response.setResult(SignCertResponse.ERROR_STATUS);
+        response.setMessage(ShellCommandUtil.getOpenSslCommandResult(command, commandExitCode));
+        return response;
+      }
+    }
 
     File agentCrtReqFile = new File(srvrKstrDir + File.separator +
         agentCrtReqName);
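Review bot: When the revoke fails, the message set at the `response.setMessage(...)` line is built from `command`, and `command` is the formatted REVOKE_AGENT_CRT string, which contains `-passin pass:` followed by srvrCrtPass; the test added in CertGenerationTest (it asserts that the message contains "-revoke") confirms the command text is echoed, so a failed revoke returns the CA key passphrase to the agent and to whatever logs the response. Mask it before it leaves the server, e.g. `response.setMessage(ShellCommandUtil.getOpenSslCommandResult(command, commandExitCode).replace("pass:" + srvrCrtPass, "pass:***"));`, and the same applies to the existing SIGN_AGENT_CRT error path below this hunk. Separately, the revoked .crt is left on disk, so if revocation succeeds but the subsequent signing fails, the next retry will find the file and attempt `-revoke` again on an already-revoked certificate, which I believe openssl ca rejects with a non-zero exit; deleting or renaming agentCrtFile right after a successful revoke would keep retries idempotent, which is the stated goal of this change. signAgentCrt starts before this hunk and continues after it.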
@@ -216,8 +235,6 @@ public class CertificateManager {
       // TODO Auto-generated catch block
       e1.printStackTrace();
     }
-    Object[] scriptArgs = {srvrKstrDir,agentCrtReqName,agentCrtName,
-        srvrCrtPass,srvrKeyName,srvrCrtName};
 
     String command = MessageFormat.format(SIGN_AGENT_CRT,scriptArgs);
 
@@ -231,7 +248,6 @@ public class CertificateManager {
       return response;
     }
 
-    File agentCrtFile = new File(srvrKstrDir + File.separator + agentCrtName);
     String agentCrtContent = "";
     try {
       agentCrtContent = FileUtils.readFileToString(agentCrtFile);

Modified: incubator/ambari/trunk/ambari-server/src/test/java/org/apache/ambari/server/security/CertGenerationTest.java
URL: http://svn.apache.org/viewvc/incubator/ambari/trunk/ambari-server/src/test/java/org/apache/ambari/server/security/CertGenerationTest.java?rev=1492918&r1=1492917&r2=1492918&view=diff
==============================================================================
--- incubator/ambari/trunk/ambari-server/src/test/java/org/apache/ambari/server/security/CertGenerationTest.java (original)
+++ incubator/ambari/trunk/ambari-server/src/test/java/org/apache/ambari/server/security/CertGenerationTest.java Fri Jun 14 00:52:29 2013
@@ -18,9 +18,9 @@
 
 package org.apache.ambari.server.security;
 
-import java.io.File;
-import java.io.IOException;
+import java.io.*;
 import java.lang.reflect.Constructor;
+import java.util.Map;
 import java.util.Properties;
 
 import org.apache.ambari.server.configuration.Configuration;
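Review bot: `import java.io.*;` replaces two explicit imports while the rest of the import block stays explicit (`java.lang.reflect.Constructor`, `java.util.Map`, `java.util.Properties`), and a wildcard import can silently pull in names that clash with later additions; keep the explicit form, `import java.io.File;` plus whichever other java.io types the new test actually uses.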
@@ -123,4 +123,30 @@ public class CertGenerationTest extends 
     						  File.separator + Configuration.KSTR_NAME_DEFAULT);
     assertTrue(serverKeyStrore.exists());
   }
+
+  @Test
+  public void testRevokeExistingAgentCert() throws Exception {
+
+    Map<String,String> config = certMan.configs.getConfigsMap();
+    config.put(Configuration.PASSPHRASE_KEY,"passphrase");
+
+    String agentHostname = "agent_hostname1";
+    SignCertResponse scr = certMan.signAgentCrt(agentHostname,
+      "incorrect_agentCrtReqContent", "passphrase");
+    //Revoke command wasn't executed
+    assertFalse(scr.getMessage().contains("-revoke"));
+
+    //Emulate existing agent certificate
+    File fakeAgentCertFile = new File(temp.getRoot().getAbsoluteFile() +
+      File.separator + agentHostname + ".crt");
+    assertFalse(fakeAgentCertFile.exists());
+    fakeAgentCertFile.createNewFile();
+    assertTrue(fakeAgentCertFile.exists());
+
+    //Revoke command was executed
+    scr = certMan.signAgentCrt(agentHostname,
+      "incorrect_agentCrtReqContent", "passphrase");
+    assertTrue(scr.getMessage().contains("-revoke"));
+  }
+
 }
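Review bot: Both assertions in testRevokeExistingAgentCert check only whether the message contains "-revoke", which pins the error message to echoing the raw openssl command (passphrase included) rather than checking the outcome; assert the status as well, e.g. `assertEquals(SignCertResponse.ERROR_STATUS, scr.getResult());` (or whatever the getter for the field set by setResult is named), so the test still holds if the command text is ever redacted from the message. `config.put(Configuration.PASSPHRASE_KEY, "passphrase")` mutates the map returned by `certMan.configs.getConfigsMap()` without restoring it; if that map is live rather than a copy, the change leaks into other tests in the class, so either restore it in a finally block or confirm the map is a copy and say so in a comment. A brief comment on why a CSR of "incorrect_agentCrtReqContent" is used (the signing step is expected to fail; only the presence or absence of the revoke step is under test) would help the next reader.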