kedifa:64f3419adffebef30d4cbc8cdf23891a91c6bb39 commits
https://lab.nexedi.com/nexedi/kedifa/-/commits/64f3419adffebef30d4cbc8cdf23891a91c6bb39
2019-07-31T16:25:46+02:00

https://lab.nexedi.com/nexedi/kedifa/-/commit/64f3419adffebef30d4cbc8cdf23891a91c6bb39
app: Stabilise the key length
2019-07-31T16:25:46+02:00
Lukasz Nowak <luke@nexedi.com>

https://lab.nexedi.com/nexedi/kedifa/-/commit/1d871c10eff1635b87173f9d68cda68539cd5d93
test: Randomize ports on each run
2019-07-31T15:54:42+02:00
Lukasz Nowak <luke@nexedi.com>

https://lab.nexedi.com/nexedi/kedifa/-/commit/2ec3c1416c1d4789211cda0934f3e7443f5ee0b9
app: Avoid needless exception to pop
2019-07-31T14:17:58+02:00
Lukasz Nowak <luke@nexedi.com>
It's better to reply 400 Bad Request on malformed requests and do not pollute
log with exceptions.

https://lab.nexedi.com/nexedi/kedifa/-/commit/f4d3ac6326ad71ba3ed93d736c5e5d5a7be2eaec
test: Give more time for servers to start
2019-07-31T14:14:04+02:00
Lukasz Nowak <luke@nexedi.com>
Also improve message in case of failure.

https://lab.nexedi.com/nexedi/kedifa/-/commit/c89c31a5cdc9367e196411d91c4dcd0229bb7893
cli: Allow to run --prepare-only w/o additional information
2019-05-29T11:56:21+02:00
Lukasz Nowak <luke@nexedi.com>
/reviewed-on https://lab.nexedi.com/nexedi/kedifa/merge_requests/4

https://lab.nexedi.com/nexedi/kedifa/-/commit/acf0f0541ae95df9e2f2b126b3eb775f4b18678d
updater: Implement prepare system
2019-05-15T10:40:05+02:00
Lukasz Nowak <luke@nexedi.com>
As updater is used in environment, which requires it to have certificates
available as fast as possible, add a prepare step and allow to launch it with
--prepare-only switch.
Thanks to this it is possible to run it with configuration file to provide
fallback or master certificates for all slaves without connecting to the
network, thus resulting in fast preparation.
/reviewed-on https://lab.nexedi.com/nexedi/kedifa/merge_requests/3

https://lab.nexedi.com/nexedi/kedifa/-/commit/ae5963721157495778b014fe2d67e9bbfd8b38d8
TODO: Add entry for faster downloads
2019-05-14T18:50:45+02:00
Lukasz Nowak <luke@nexedi.com>

https://lab.nexedi.com/nexedi/kedifa/-/commit/73a14b0e88afe7512f2fefe6ee9e0000fa523d5d
updater: Unlink lock file
2019-04-02T21:33:05+02:00
Lukasz Nowak <luke@nexedi.com>
Also cover loop method.

https://lab.nexedi.com/nexedi/kedifa/-/commit/1f273c261ca75e2645c5bf2691c0e83e58345726
test: Import once
2019-04-02T21:33:05+02:00
Lukasz Nowak <luke@nexedi.com>
It will make further testing much easier

https://lab.nexedi.com/nexedi/kedifa/-/commit/d48b47a461d964e63a8a0719566649d505fcd3de
updater: Make stateful decision
2019-04-02T21:33:05+02:00
Lukasz Nowak <luke@nexedi.com>
If at least once certificate has been downloaded from KeDiFa it shall never
use again the fall-back, as otherwise it would result with a problem, that
next unsuccessful download from KeDiFa would result replacement with
fall-back.
In order to do so state file is introduced keeping list of overridden
certificates. As now there is critical path regarding fetching certificates,
the lock is created to avoid concurrent updates.

https://lab.nexedi.com/nexedi/kedifa/-/commit/53e99f68f1ae001b7252762060917c93f49101f3
updater: Cover updateCertificate
2019-04-02T21:33:05+02:00
Lukasz Nowak <luke@nexedi.com>
Fix one condition.

https://lab.nexedi.com/nexedi/kedifa/-/commit/2cd28eac76432bcdd3df24c199c00677bb87a674
tests: Restructure
2019-04-02T21:33:05+02:00
Lukasz Nowak <luke@nexedi.com>
In order for further development and features create mixin.

https://lab.nexedi.com/nexedi/kedifa/-/commit/6c731311d40089a8ebbf61884d210ab3a5fb78b5
kedifa: Introduce asynchronous updater
2019-04-02T21:33:05+02:00
Lukasz Nowak <luke@nexedi.com>
Features:
* by default runs with 60s sleep
* allows to have master, updateable, certificate, which is used in case if
specific certificate is not available

https://lab.nexedi.com/nexedi/kedifa/-/commit/24ac19af8e3447afc79e15fa74f884edf63b8cdb
test: Follow rename to SLAPOS_TEST_IPV6
2018-12-12T16:22:44+01:00
Lukasz Nowak <luke@nexedi.com>

https://lab.nexedi.com/nexedi/kedifa/-/commit/5699d09c3890b640b0b7d828b6361f33aad8e26b
test: Force use LOCAL_IPV4 and "randomize" ports
2018-12-10T15:27:48+01:00
Lukasz Nowak <luke@nexedi.com>

https://lab.nexedi.com/nexedi/kedifa/-/commit/67bd60ea1bfb4fc6aafdfe4fa204f725731f20cf
app: Fix bug with wrong PRIMARY KEY
2018-12-07T13:08:36+01:00
Lukasz Nowak <luke@nexedi.com>
Having PRIMARY KEY on certificate.id is too strict -- as real uniqueness is
required on id + reference in certificate table.

https://lab.nexedi.com/nexedi/kedifa/-/commit/85640261ff2c2a025521defb6b2d10532510728e
tests: Use simple capture system
2018-12-04T14:17:43+01:00
Lukasz Nowak <luke@nexedi.com>
capturer does not work in some of tests environment.

https://lab.nexedi.com/nexedi/kedifa/-/commit/f6a344583d72ac2e9312aa5ed515bf678ca18c1a
setup: Allow to easily install test requirements
2018-12-04T14:05:02+01:00
Lukasz Nowak <luke@nexedi.com>

https://lab.nexedi.com/nexedi/kedifa/-/commit/594c82319a7626e5c75fe9869606c1ef8bbfe172
test: Fail visibly on capturer issue
2018-12-04T10:51:27+01:00
Lukasz Nowak <luke@nexedi.com>

https://lab.nexedi.com/nexedi/kedifa/-/commit/2a00f1b1fa06de27695771d9b6949c701f7fcbb2
setup: Do not require minimal caucase version
2018-11-27T10:39:11+01:00
Lukasz Nowak <luke@nexedi.com>
In some places it is not working, and anyway KeDiFa is used in pinned
versions environment mostly.

https://lab.nexedi.com/nexedi/kedifa/-/commit/f3a430566fbf9889be03263373ab9ab151320dfa
KeDiFa: Initial implementation
2018-11-13T11:41:17+01:00
Lukasz Nowak <luke@nexedi.com>
Provided tools are kedifa and kedifa-getter.
kedifa is a server to PUT and GET sensitive information, like SSL keys and
certificates.
kedifa-getter is a client to this server.
As both are closely related to caucase, they allow to use information from
caucase, like CA Certificate, to validate each other.
Caucase is also used to generate certificates for kedifa-getter used to
authenticate to kedifa.
Extracted important points of development of the initial version:
* kedifa and kedifa-getter have been implemented
* TODOs list is kept for future improvements
* IPv6 and SSL-only support came
* API has been docstring documented
* PUTting information is based on query string key authorisation
* GETting information requires SSL authentication
* only correct keys are stored in KeDiFa database
* certificates are served ordered by their submission date
* kedifa-csr has been implemented, and dropped, as started to become openssl
req implementation
* caucase.http has been used as base for wsgiref approach
* caucase.utils has been used for certificate management
* argparse has been used for command line arguments
* time comparison has been done in python, instead of SQLite
* reloading, in caucase way, has been implemented
* CRLs are in-app checked only, as Python's implementation does not allow
proper reloads
* in critical places code raises instead of returning False, in order to
disallow ignoring result value
* ids to store data have to be reserved

https://lab.nexedi.com/nexedi/kedifa/-/commit/9a55bb020b69860e21917ecc7d36c6550edb741b
Skeletonise KeDiFa
2018-10-03T11:42:27+02:00
Lukasz Nowak <luke@nexedi.com>
Use versioneer. Add basic README. Create structure.