Commit 306f0709 authored by Vincent Pelletier's avatar Vincent Pelletier

http: New caucased-manage command.

For offline database administration: restoring backups, importing and
exporting CA key pairs.
parent 8d759f9e
...@@ -243,7 +243,7 @@ users until a disaster happens. ...@@ -243,7 +243,7 @@ users until a disaster happens.
Restoration procedure Restoration procedure
--------------------- ---------------------
See `--restore-backup`. See `caucased-manage --restore-backup`.
To restore, one of the trusted users must voluntarily compromise their own To restore, one of the trusted users must voluntarily compromise their own
private key, providing it to the administrator in charge of the restoration private key, providing it to the administrator in charge of the restoration
...@@ -257,14 +257,15 @@ their access only via different credentials. ...@@ -257,14 +257,15 @@ their access only via different credentials.
- key holders manifest themselves - key holders manifest themselves
- admin picks a key holder, requests them to provide their eixsting private key - admin picks a key holder, requests them to provide their existing private key
and to generate a new key and accompanying csr and to generate a new key and accompanying csr
- key holder provide requested items - key holder provide requested items
- admin initiates restoration with `--restore-backup` and provides key holder - admin initiates restoration with `--restore-backup` and provides key holder
with the csr_id so they can fetch their new certificate using caucase with replacement certificate
protocol
- admin starts caucased, service is back online.
Backup file format Backup file format
------------------ ------------------
......
This diff is collapsed.
...@@ -136,34 +136,26 @@ class CaucaseTest(unittest.TestCase): ...@@ -136,34 +136,26 @@ class CaucaseTest(unittest.TestCase):
new_key_path, new_key_path,
): ):
""" """
Start caucased in its special --restore-backup mode. It will exit once Start caucased-manage --restore-backup .
done.
Returns its exit status. Returns its exit status.
""" """
server = multiprocessing.Process( try:
target=http.main, http.manage(
kwargs={ argv=(
'argv': (
'--db', self._server_db, '--db', self._server_db,
'--server-key', self._server_key,
'--netloc', self._server_netloc,
#'--threshold', '31',
#'--key-len', '2048',
'--backup-directory', self._server_backup_path,
'--restore-backup', '--restore-backup',
backup_path, backup_path,
key_path, key_path,
new_csr_path, new_csr_path,
new_key_path, new_key_path,
), ),
} )
) except SystemExit, e:
server.daemon = True return e.code
server.start() except:
# Must exit after a (short) while return 1
if not retry(lambda: not server.is_alive(), try_count=400): return 0
raise AssertionError('Backup restoration took too long')
return server.exitcode
def _startServer(self, *argv): def _startServer(self, *argv):
""" """
...@@ -1553,5 +1545,33 @@ class CaucaseTest(unittest.TestCase): ...@@ -1553,5 +1545,33 @@ class CaucaseTest(unittest.TestCase):
0, 0,
) )
def testCAImportExport(self):
"""
Exercise CA export and import code.
"""
exported_ca = os.path.join(self._server_dir, 'exported.ca.pem')
getBytePass_orig = http.getBytePass
http.getBytePass = lambda x: 'test'
try:
self.assertFalse(os.path.exists(exported_ca), exported_ca)
http.manage(
argv=(
'--db', self._server_db,
'--export-ca', exported_ca,
),
)
self.assertTrue(os.path.exists(exported_ca), exported_ca)
server_db2 = self._server_db + '2'
self.assertFalse(os.path.exists(server_db2), server_db2)
http.manage(
argv=(
'--db', server_db2,
'--import-ca', exported_ca,
),
)
self.assertTrue(os.path.exists(server_db2), server_db2)
finally:
http.getBytePass = getBytePass_orig
if __name__ == '__main__': if __name__ == '__main__':
unittest.main() unittest.main()
...@@ -58,6 +58,7 @@ setup( ...@@ -58,6 +58,7 @@ setup(
'caucase-rerequest = caucase.cli:rerequest', 'caucase-rerequest = caucase.cli:rerequest',
'caucase-key-id = caucase.cli:key_id', 'caucase-key-id = caucase.cli:key_id',
'caucased = caucase.http:main', 'caucased = caucase.http:main',
'caucased-manage = caucase.http:manage',
] ]
}, },
test_suite='caucase.test', test_suite='caucase.test',
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment