software/dufs: handle certificate renewal

Because dufs only reads certificate on startup it does not detect when the certificate was renewed. The only thing supported by dufs is to restart, so we use hash-files options of wrapper recipe to

software/dufs: handle certificate renewal
Because dufs only reads certificate on startup it does not detect when the certificate was renewed. The only thing supported by dufs is to restart, so we use hash-files options of wrapper recipe to
a44bf76b · Jérome Perrin · 63078069 · a44bf76b · a44bf76b · a44bf76b
Commit a44bf76b authored Dec 07, 2022 by Jérome Perrin
4 changed files
--- a/software/dufs/buildout.hash.cfg
+++ b/software/dufs/buildout.hash.cfg
@@ -15,4 +15,4 @@

 [instance.cfg.in]
 filename = instance.cfg.in
-md5sum = 9ed5d03f4f0cdc022f28b39e8ff1323e
+md5sum = 6edf5c64bf25dfd2e6e8a4e74c9b9812
--- a/software/dufs/instance.cfg.in
+++ b/software/dufs/instance.cfg.in
@@ -55,7 +55,20 @@ dash_path = {{ dash_bin }}
 curl_path = {{ curl_bin }}

 # Caucase
+[dufs-certificate-init-certificate]
+recipe = slapos.recipe.build
+init =
+  # pre-create a file at the path of the certificate,
+  # so that we can use hash-existing-files options
+  import pathlib
+  cert_file = pathlib.Path(self.buildout['dufs-certificate']['cert-file'])
+  if not cert_file.parent.exists():
+    cert_file.parent.mkdir()
+  if not cert_file.exists():
+    cert_file.touch()
+
 [dufs-certificate]
+init = ${dufs-certificate-init-certificate:init}
 key-file = ${directory:etc}/${:_buildout_section_name_}.key
 cert-file = ${directory:etc}/${:_buildout_section_name_}.crt
 common-name = ${:_buildout_section_name_}
@@ -154,6 +167,8 @@ wrapper-path = ${directory:service}/${:_buildout_section_name_}
 port = 19080
 ip = ${instance-parameter:ipv6-random}
 url = https://[${:ip}]:${:port}
+hash-existing-files =
+  ${dufs-certificate:cert-file}

 [dufs-listen-promise]
 <= check-port-listening-promise

--- a/software/dufs/software.cfg
+++ b/software/dufs/software.cfg
@@ -10,7 +10,6 @@ parts =
  caucase-eggs
  instance.cfg.in

-
 [dufs]
 recipe = slapos.recipe.cmmi
 shared = true

--- a/software/dufs/test/test.py
+++ b/software/dufs/test/test.py
@@ -25,8 +25,11 @@
 #
 ##############################################################################

+import contextlib
 import io
 import os
+import pathlib
+import subprocess
 import tempfile
 import urllib.parse

@@ -115,3 +118,38 @@ class TestFileServer(SlapOSInstanceTestCase):
    )
    self.assertEqual(resp.text, 'hello')
    self.assertEqual(resp.status_code, requests.codes.ok)
+
+  def test_renew_certificate(self):
+    def _getpeercert():
+      # XXX low level way to get get the server certificate
+      with requests.Session() as session:
+        pool = session.get(
+          self.connection_parameters['public-url'],
+          verify=self.ca_cert,
+        ).raw._pool.pool
+        with contextlib.closing(pool.get()) as cnx:
+          return cnx.sock._sslobj.getpeercert()
+
+    cert_before = _getpeercert()
+    # execute certificate updater two month later, when it's time to renew certificate.
+    # use a timeout, because this service runs forever
+    subprocess.run(
+      (
+        'timeout',
+        '5',
+        'faketime',
+        '+2 months',
+        os.path.join(
+          self.computer_partition_root_path,
+          'etc/service/dufs-certificate-updater'),
+      ),
+      capture_output=not self._debug,
+    )
+
+    # reprocess instance to get the new certificate, after removing the timestamp
+    # to force execution
+    (pathlib.Path(self.computer_partition_root_path) / '.timestamp').unlink()
+    self.waitForInstance()
+
+    cert_after = _getpeercert()
+    self.assertNotEqual(cert_before['notAfter'], cert_after['notAfter'])