cli.updater: Make --crt optional.

No certificate is needed to be an anonymous client, only up-to-date CA and CRL are needed to validate service certificate.

cli.updater: Make --crt optional.
No certificate is needed to be an anonymous client, only up-to-date CA and CRL are needed to validate service certificate.
e3e1893b · Vincent Pelletier · c15f6a11 · e3e1893b
Commit e3e1893b authored May 04, 2018 by Vincent Pelletier
Hide whitespace changes
Inline Side-by-side

Showing with 30 additions and 30 deletions

caucase/cli.py caucase/cli.py +30 -30

No files found.
--- a/caucase/cli.py
+++ b/caucase/cli.py
@@ -668,7 +668,6 @@ def updater(argv=None, until=utils.until):
  )
  parser.add_argument(
    '--crt',
-    required=True,
    metavar='CRT_PATH',
    help='Path of your certificate for MODE. Will be renewed before '
    'expiration.',
@@ -701,7 +700,7 @@ def updater(argv=None, until=utils.until):
      ca_url=ca_url,
      ca_crt_pem_list=utils.getCertList(args.cas_ca)
    )
-    if not utils.hasOneCert(args.crt):
+    if args.crt and not utils.hasOneCert(args.crt):
      print 'Bootstraping...'
      csr_pem = utils.getCertRequest(args.csr)
      # Quick sanity check before bothering server
@@ -755,35 +754,36 @@ def updater(argv=None, until=utils.until):
          next_deadline,
          utils.load_crl(open(args.crl).read(), ca_crt_list).next_update,
        )
-      crt_pem, key_pem, key_path = utils.getKeyPair(args.crt, args.key)
-      crt = utils.load_certificate(crt_pem, ca_crt_list, None)
-      if crt.not_valid_after - threshold <= now:
-        print 'Renewing', args.crt
-        new_key_pem, new_crt_pem = client.renewCertificate(
-          old_crt=crt,
-          old_key=utils.load_privatekey(key_pem),
-          key_len=args.key_len,
+      if args.crt:
+        crt_pem, key_pem, key_path = utils.getKeyPair(args.crt, args.key)
+        crt = utils.load_certificate(crt_pem, ca_crt_list, None)
+        if crt.not_valid_after - threshold <= now:
+          print 'Renewing', args.crt
+          new_key_pem, new_crt_pem = client.renewCertificate(
+            old_crt=crt,
+            old_key=utils.load_privatekey(key_pem),
+            key_len=args.key_len,
+          )
+          if key_path is None:
+            with open(args.crt, 'w') as crt_file:
+              crt_file.write(new_key_pem)
+              crt_file.write(new_crt_pem)
+          else:
+            with open(
+              args.crt,
+              'w',
+            ) as crt_file, open(
+              key_path,
+              'w',
+            ) as key_file:
+              key_file.write(new_key_pem)
+              crt_file.write(new_crt_pem)
+          crt = utils.load_certificate(utils.getCert(args.crt), ca_crt_list, None)
+          updated = True
+        next_deadline = min(
+          next_deadline,
+          crt.not_valid_after - threshold,
        )
-        if key_path is None:
-          with open(args.crt, 'w') as crt_file:
-            crt_file.write(new_key_pem)
-            crt_file.write(new_crt_pem)
-        else:
-          with open(
-            args.crt,
-            'w',
-          ) as crt_file, open(
-            key_path,
-            'w',
-          ) as key_file:
-            key_file.write(new_key_pem)
-            crt_file.write(new_crt_pem)
-        crt = utils.load_certificate(utils.getCert(args.crt), ca_crt_list, None)
-        updated = True
-      next_deadline = min(
-        next_deadline,
-        crt.not_valid_after - threshold,
-      )
      if updated:
        if args.on_renew is not None:
          status = os.system(args.on_renew)