author | Linus Nordberg <linus@nordu.net> | 2015-06-04 16:58:41 +0200 |
---|---|---|
committer | Linus Nordberg <linus@nordu.net> | 2015-06-04 16:58:41 +0200 |
commit | 228aae4427925c7f62f19b96ea009f448fd68b97 (patch) | |
tree | c9d388cbac6d5819f36f36c9f42ecbdf44969632 /mklog.py | |
parent | b4ec3393fa5012baed85ba045f9a625495a8579d (diff) |
Make mklog.py (more) idempotent.
One should be able to add hosts to $logname.cfg and run again, with
the correct result.
Diffstat (limited to 'mklog.py')
-rwxr-xr-x | mklog.py | 37 |
1 files changed, 22 insertions, 15 deletions
@@ -18,24 +18,26 @@ def run_openssl(args): return False def make_eckey(name): + privkey = '%s-private.pem' % name + pubkey = '%s.pem' % name + + if os.access(privkey, os.R_OK) and os.access(pubkey, os.R_OK): + return True print "creating EC key \"%s\"" % name - privkey_filename = '%s-private.pem' % name - pubkey_filename = '%s.pem' % name ecparam_args = ['ecparam', '-name', 'prime256v1', '-genkey', '-noout', - '-out', privkey_filename] + '-out', privkey] if not run_openssl(ecparam_args): return False - os.chmod(privkey_filename, stat.S_IRUSR) + os.chmod(privkey, stat.S_IRUSR | stat.S_IWUSR) - ec_args = ['ec', '-in', privkey_filename, '-pubout', '-out', pubkey_filename] + ec_args = ['ec', '-in', privkey, '-pubout', '-out', pubkey] if not run_openssl(ec_args): return False - os.chmod(pubkey_filename, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH) return True -def make_ca(logname, cakey_filename, cacert_filename): +def make_ca(logname, cakey, cacert): os.makedirs('./demoCA/newcerts', 0700) f = open('./demoCA/index.txt', 'w') @@ -56,14 +58,14 @@ def make_ca(logname, cakey_filename, cacert_filename): f.close() subject = '/countryName=II/stateOrProvinceName=internets/organizationName=%s/commonName=ca' % logname - req_args = ['req', '-newkey', 'rsa:2048', '-keyout', cakey_filename, '-out', + req_args = ['req', '-newkey', 'rsa:2048', '-keyout', cakey, '-out', 'req.csr', '-nodes', '-subj', subject, '-config', 'caconfig.txt'] if not run_openssl(req_args): return False - os.chmod(cakey_filename, stat.S_IRUSR) + os.chmod(cakey, stat.S_IRUSR) - ca_args = ['ca', '-in', 'req.csr', '-selfsign', '-keyfile', cakey_filename, - '-out', cacert_filename, '-batch'] + ca_args = ['ca', '-in', 'req.csr', '-selfsign', '-keyfile', cakey, + '-out', cacert, '-batch'] if not run_openssl(ca_args): return False 
@@ -87,10 +89,10 @@ def make_certs(logname, nodenames): cert = './%s.pem' % nodename subject = '/countryName=II/stateOrProvinceName=internets/organizationName=%s/CN=%s' % (logname, nodename) - print "creating cert for node %s" % nodename - if os.access(key, os.R_OK) and os.access(cert, os.R_OK): continue + print "creating cert for node %s" % nodename + req_args = ['req', '-new', '-newkey', 'rsa:2048', '-keyout', key, '-out', csr, '-nodes', '-subj', subject] if not run_openssl(req_args): @@ -115,9 +117,14 @@ def make_authkeys(nodenames): for nodename in nodenames: if not make_eckey(nodename): return False - shutil.move('%s-private.pem' % nodename, '../nodes/%s/' % nodename) + dst = '../nodes/%s/%s-private.pem' % (nodename, nodename) + if os.access(dst, os.F_OK) and not os.access(dst, os.W_OK): + os.chmod(dst, stat.S_IWUSR) + shutil.move('%s-private.pem' % nodename, dst) for nodename in nodenames: - shutil.copytree('.', '../nodes/%s/publickeys' % nodename) + dst = '../nodes/%s/publickeys' % nodename + shutil.rmtree(dst, ignore_errors=True) + shutil.copytree('.', dst) os.chdir('..') return True |
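Review bot: The early return added to `make_eckey` never fires for node keys on a rerun, because `make_authkeys` (its `def` line is outside the hunk) moves `<nodename>-private.pem` out of the working directory right after generating it, so the `os.access(privkey, os.R_OK)` check fails and a fresh key pair is generated for every host already in the config, not only the newly added ones. That silently rotates each existing node's authentication key, and the second loop's `shutil.rmtree(dst)` + `shutil.copytree('.', dst)` then replaces the previously distributed public keys with the new ones, which is the opposite of what the commit message promises. The check belongs where the moved file actually lives: hoist the `dst = '../nodes/%s/%s-private.pem' % (nodename, nodename)` assignment above the `make_eckey` call and precede it with `if os.access(dst, os.R_OK) and os.access('%s.pem' % nodename, os.R_OK): continue`. On the same theme, `make_ca` still starts with `os.makedirs('./demoCA/newcerts', 0700)`, which raises `OSError` if the directory exists; unless the caller skips `make_ca` on a second run, that needs an existence guard as well. Separately, the private key written by `openssl ecparam -out` carries the process umask until the following `os.chmod`, so calling `os.umask(077)` before the openssl invocations would close that window instead of relying on the post-hoc chmod.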