http: New caucased-manage command.

For offline database administration: restoring backups, importing and
exporting CA key pairs.

README.rst

@@ -243,7 +243,7 @@ users until a disaster happens.
 Restoration procedure
 ---------------------
 
-See `--restore-backup`.
+See `caucased-manage --restore-backup`.
 
 To restore, one of the trusted users must voluntarily compromise their own
 private key, providing it to the administrator in charge of the restoration
@@ -257,14 +257,15 @@ their access only via different credentials.
 
 - key holders manifest themselves
 
-- admin picks a key holder, requests them to provide their eixsting private key
+- admin picks a key holder, requests them to provide their existing private key
   and to generate a new key and accompanying csr
 
 - key holder provide requested items
 
 - admin initiates restoration with `--restore-backup` and provides key holder
-  with the csr_id so they can fetch their new certificate using caucase
-  protocol
+  with replacement certificate
+
+- admin starts caucased, service is back online.
 
 Backup file format
 ------------------

caucase/test.py

@@ -136,34 +136,26 @@ class CaucaseTest(unittest.TestCase):
     new_key_path,
   ):
     """
-    Start caucased in its special --restore-backup mode. It will exit once
-    done.
+    Start caucased-manage --restore-backup .
     Returns its exit status.
     """
-    server = multiprocessing.Process(
-      target=http.main,
-      kwargs={
-        'argv': (
+    try:
+      http.manage(
+        argv=(
           '--db', self._server_db,
-          '--server-key', self._server_key,
-          '--netloc', self._server_netloc,
-          #'--threshold', '31',
-          #'--key-len', '2048',
-          '--backup-directory', self._server_backup_path,
           '--restore-backup',
           backup_path,
           key_path,
           new_csr_path,
           new_key_path,
         ),
-      }
-    )
-    server.daemon = True
-    server.start()
-    # Must exit after a (short) while
-    if not retry(lambda: not server.is_alive(), try_count=400):
-      raise AssertionError('Backup restoration took too long')
-    return server.exitcode
+      )
+    except SystemExit, e:
+      return e.code
+    except:
+      return 1
+    return 0
+
 
   def _startServer(self, *argv):
     """
@@ -1553,5 +1545,33 @@ class CaucaseTest(unittest.TestCase):
       0,
     )
 
+  def testCAImportExport(self):
+    """
+    Exercise CA export and import code.
+    """
+    exported_ca = os.path.join(self._server_dir, 'exported.ca.pem')
+    getBytePass_orig = http.getBytePass
+    http.getBytePass = lambda x: 'test'
+    try:
+      self.assertFalse(os.path.exists(exported_ca), exported_ca)
+      http.manage(
+        argv=(
+          '--db', self._server_db,
+          '--export-ca', exported_ca,
+        ),
+      )
+      self.assertTrue(os.path.exists(exported_ca), exported_ca)
+      server_db2 = self._server_db + '2'
+      self.assertFalse(os.path.exists(server_db2), server_db2)
+      http.manage(
+        argv=(
+          '--db', server_db2,
+          '--import-ca', exported_ca,
+        ),
+      )
+      self.assertTrue(os.path.exists(server_db2), server_db2)
+    finally:
+      http.getBytePass = getBytePass_orig
+
 if __name__ == '__main__':
   unittest.main()

setup.py

@@ -58,6 +58,7 @@ setup(
       'caucase-rerequest = caucase.cli:rerequest',
       'caucase-key-id = caucase.cli:key_id',
       'caucased = caucase.http:main',
+      'caucased-manage = caucase.http:manage',
     ]
   },
   test_suite='caucase.test',