from __future__ import print_function
import os
from cryptography import x509
import urlgrabber
import datetime
# This file was modified from the fedora_cert section in fedora-packager written
# by Dennis Gilmore (https://fedorahosted.org/fedora-packager/)
# Define our own error class
class centos_cert_error(Exception):
    """Raised when the CentOS client certificate cannot be read or used."""
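def _open_cert():
    """
    Read and parse the user's client certificate from ~/.koji/client.crt.

    Returns the parsed ``cryptography.x509.Certificate``.

    Raises centos_cert_error if the file cannot be read.  Malformed PEM
    data surfaces as the ValueError raised by the cryptography parser.
    """
    unreadable_msg = """!!! cannot read your centos cert file !!!
!!! Ensure the file is readable and try again !!!"""
    cert_file = os.path.join(os.path.expanduser('~'), ".koji", "client.crt")
    # Make sure we can even read the thing.
    if not os.access(cert_file, os.R_OK):
        raise centos_cert_error(unreadable_msg)
    # The access check above can race with the filesystem; a failed open is
    # reported the same way instead of leaking an OSError to the caller.
    # The context manager also closes the handle, which the old bare
    # open().read() never did.
    try:
        with open(cert_file, 'rb') as fh:
            raw_cert = fh.read()
    except (IOError, OSError):
        raise centos_cert_error(unreadable_msg)
    try:
        my_cert = x509.load_pem_x509_certificate(raw_cert)
    except TypeError:
        # it was required to specify a backend prior to cryptography 3.1
        from cryptography.hazmat.backends import default_backend
        my_cert = x509.load_pem_x509_certificate(raw_cert, default_backend())
    return my_cert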
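def verify_cert(cert=None):
    """
    Print the user cert's expiry date and warn if it expires within 21 days.

    Args:
        cert: an already-parsed ``x509.Certificate``.  When None the cert is
            read from ~/.koji/client.crt via _open_cert(); passing one in
            avoids re-reading the file for every check in this module.

    Only the expiry date is checked.  Revocation is NOT verified: the CRL
    lookup below is still a placeholder, so a revoked but unexpired cert
    passes this check silently.
    """
    my_cert = _open_cert() if cert is None else cert
    # CRL verification would go here
    #crl = urlgrabber.urlread("https://<url_to_crl>/ca/crl.pem")
    # cryptography exposes not_valid_after as a naive datetime in UTC, so the
    # comparison must use utcnow(); now() is local time and skews the warning
    # threshold by the local UTC offset.
    expires = my_cert.not_valid_after
    warn = datetime.datetime.utcnow() + datetime.timedelta(days=21)
    print(expires.strftime('cert expires: %Y-%m-%d'))
    if expires < warn:
        print('WARNING: Your cert expires soon.')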
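def certificate_expired(cert=None):
    """
    Check to see if the client cert is expired.

    Args:
        cert: an already-parsed ``x509.Certificate``.  When None the cert is
            read from ~/.koji/client.crt via _open_cert().

    Returns True if the cert's notAfter is in the past, False otherwise.
    Only expiry is checked; notBefore and revocation are not.
    """
    my_cert = _open_cert() if cert is None else cert
    # not_valid_after is a naive UTC datetime, so compare against utcnow()
    # rather than the local-time now(); otherwise the answer is wrong by the
    # local UTC offset around the expiry boundary.
    return my_cert.not_valid_after < datetime.datetime.utcnow()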
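def read_user_cert(cert=None):
    """
    Return the user name carried in the client cert's subject commonName.

    Args:
        cert: an already-parsed ``x509.Certificate``.  When None the cert is
            read from ~/.koji/client.crt via _open_cert().

    Raises centos_cert_error if the subject does not carry exactly one
    commonName attribute, so a missing or ambiguous identity fails with a
    clear message instead of an unpacking ValueError.
    """
    my_cert = _open_cert() if cert is None else cert
    common_names = my_cert.subject.get_attributes_for_oid(
        x509.oid.NameOID.COMMON_NAME)
    # A subject with zero or several CNs is not a usable identity; refuse it
    # rather than silently picking one.
    if len(common_names) != 1:
        raise centos_cert_error(
            "expected exactly one commonName in the cert subject, found %d"
            % len(common_names))
    return common_names[0].value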