Revert "Disabling client certificate usage"

This reverts commit 45f75526, which was introduced to
temporarily disable the implementation of SSL client
certificates. As this patch series fixes the reason for
the disabling, we are rolling back the patch.
Signed-off-by: Helga Velroyen <helgav@google.com>
Reviewed-by: Klaus Aehlig <aehlig@google.com>

UPGRADE

@@ -29,6 +29,20 @@ This will carry out the steps described below in the section on upgrades from
 way, specifiying the smaller version on the ``--to`` argument.
 
 
+2.11
+----
+
+When upgrading to 2.11, first apply the instructions of ``2.11 and
+above``. 2.11 comes with the new feature of enhanced RPC security
+through client certificates. This features needs to be enabled after the
+upgrade by::
+
+   $ gnt-cluster renew-crypto --new-node-certificates
+
+Note that new node certificates are generated automatically without
+warning when upgrading with ``gnt-cluster upgrade``.
+
+
 2.1 and above
 -------------
 

lib/cmdlib/cluster.py

@@ -3189,6 +3189,7 @@ class LUClusterVerifyGroup(LogicalUnit, _VerifyErrors):
 
     feedback_fn("* Verifying configuration file consistency")
 
+    self._VerifyClientCertificates(self.my_node_info.values(), all_nvinfo)
     # If not all nodes are being checked, we need to make sure the master node
     # and a non-checked vm_capable node are in the list.
     absent_node_uuids = set(self.all_node_info).difference(self.my_node_info)

lib/http/__init__.py

@@ -610,7 +610,7 @@ class HttpBase(object):
     if ssl_verify_peer:
       ctx.set_verify(OpenSSL.SSL.VERIFY_PEER |
                      OpenSSL.SSL.VERIFY_FAIL_IF_NO_PEER_CERT,
-                     self._SSLVerifyCallback)
+                     ssl_verify_callback)
 
       # Also add our certificate as a trusted CA to be sent to the client.
       # This is required at least for GnuTLS clients to work.

lib/rpc/node.py

@@ -36,6 +36,7 @@ import base64
 import pycurl
 import threading
 import copy
+import os
 
 from ganeti import utils
 from ganeti import objects
@@ -97,15 +98,23 @@ def Shutdown():
 
 def _ConfigRpcCurl(curl):
   noded_cert = str(pathutils.NODED_CERT_FILE)
+  noded_client_cert = str(pathutils.NODED_CLIENT_CERT_FILE)
+
+  # FIXME: The next two lines are necessary to ensure upgradability from
+  # 2.10 to 2.11. Remove in 2.12, because this slows down RPC calls.
+  if not os.path.exists(noded_client_cert):
+    logging.info("Using server certificate as client certificate for RPC"
+                 "call.")
+    noded_client_cert = noded_cert
 
   curl.setopt(pycurl.FOLLOWLOCATION, False)
   curl.setopt(pycurl.CAINFO, noded_cert)
   curl.setopt(pycurl.SSL_VERIFYHOST, 0)
   curl.setopt(pycurl.SSL_VERIFYPEER, True)
   curl.setopt(pycurl.SSLCERTTYPE, "PEM")
-  curl.setopt(pycurl.SSLCERT, noded_cert)
+  curl.setopt(pycurl.SSLCERT, noded_client_cert)
   curl.setopt(pycurl.SSLKEYTYPE, "PEM")
-  curl.setopt(pycurl.SSLKEY, noded_cert)
+  curl.setopt(pycurl.SSLKEY, noded_client_cert)
   curl.setopt(pycurl.CONNECTTIMEOUT, constants.RPC_CONNECT_TIMEOUT)
 
 

man/gnt-cluster.rst

@@ -766,7 +766,7 @@ RENEW-CRYPTO
 ~~~~~~~~~~~~
 
 | **renew-crypto** [-f]
-| [\--new-cluster-certificate]
+| [\--new-cluster-certificate] | [\--new-node-certificates]
 | [\--new-confd-hmac-key]
 | [\--new-rapi-certificate] [\--rapi-certificate *rapi-cert*]
 | [\--new-spice-certificate | \--spice-certificate *spice-cert*
@@ -779,6 +779,11 @@ options ``--new-cluster-certificate`` and ``--new-confd-hmac-key``
 can be used to regenerate respectively the cluster-internal SSL
 certificate and the HMAC key used by **ganeti-confd**\(8).
 
+The option ``--new-node-certificates`` will generate new node SSL
+certificates for all nodes. Note that the regeneration of the node
+certificates takes place after the other certificates are created
+and distributed and the ganeti daemons are restarted again.
+
 To generate a new self-signed RAPI certificate (used by
 **ganeti-rapi**\(8)) specify ``--new-rapi-certificate``. If you want to
 use your own certificate, e.g. one signed by a certificate

src/Ganeti/Rpc.hs

@@ -90,6 +90,7 @@ import Data.Maybe (fromMaybe)
 import qualified Text.JSON as J
 import Text.JSON.Pretty (pp_value)
 import qualified Data.ByteString.Base64.Lazy as Base64
+import System.Directory
 
 import Network.Curl hiding (content)
 import qualified Ganeti.Path as P
@@ -228,8 +229,15 @@ getOptionsForCall cert_path client_cert_path call =
 executeRpcCalls :: (Rpc a b) => [(Node, a)] -> IO [(Node, ERpcError b)]
 executeRpcCalls nodeCalls = do
   cert_file <- P.nodedCertFile
-  let (nodes, calls) = unzip nodeCalls
-      opts = map (getOptionsForCall cert_file cert_file) calls
+  client_cert_file_name <- P.nodedClientCertFile
+  client_file_exists <- doesFileExist client_cert_file_name
+  -- FIXME: This is needed to ensure upgradability to 2.11
+  -- Remove in 2.12.
+  let client_cert_file = if client_file_exists
+                         then client_cert_file_name
+                         else cert_file
+      (nodes, calls) = unzip nodeCalls
+      opts = map (getOptionsForCall cert_file client_cert_file) calls
       opts_urls = zipWith3 (\n c o ->
                          case prepareHttpRequest o n c of
                            Left v -> Left v

test/py/cmdlib/cluster_unittest.py

@@ -1085,6 +1085,140 @@ class TestLUClusterVerifyGroup(CmdlibTestCase):
     self.ExecOpCode(op)
 
 
+class TestLUClusterVerifyClientCerts(CmdlibTestCase):
+
+  def _AddNormalNode(self):
+    self.normalnode = copy.deepcopy(self.master)
+    self.normalnode.master_candidate = False
+    self.normalnode.uuid = "normal-node-uuid"
+    self.cfg.AddNode(self.normalnode, None)
+
+  def testVerifyMasterCandidate(self):
+    client_cert = "client-cert-digest"
+    self.cluster.candidate_certs = {self.master.uuid: client_cert}
+    self.rpc.call_node_verify.return_value = \
+      RpcResultsBuilder() \
+        .AddSuccessfulNode(self.master,
+          {constants.NV_CLIENT_CERT: (None, client_cert)}) \
+        .Build()
+    op = opcodes.OpClusterVerifyGroup(group_name="default", verbose=True)
+    self.ExecOpCode(op)
+
+  def testVerifyMasterCandidateInvalid(self):
+    client_cert = "client-cert-digest"
+    self.cluster.candidate_certs = {self.master.uuid: client_cert}
+    self.rpc.call_node_verify.return_value = \
+      RpcResultsBuilder() \
+        .AddSuccessfulNode(self.master,
+          {constants.NV_CLIENT_CERT: (666, "Invalid Certificate")}) \
+        .Build()
+    op = opcodes.OpClusterVerifyGroup(group_name="default", verbose=True)
+    self.ExecOpCode(op)
+    self.mcpu.assertLogContainsRegex("Client certificate")
+    self.mcpu.assertLogContainsRegex("failed validation")
+
+  def testVerifyNoMasterCandidateMap(self):
+    client_cert = "client-cert-digest"
+    self.cluster.candidate_certs = {}
+    self.rpc.call_node_verify.return_value = \
+      RpcResultsBuilder() \
+        .AddSuccessfulNode(self.master,
+          {constants.NV_CLIENT_CERT: (None, client_cert)}) \
+        .Build()
+    op = opcodes.OpClusterVerifyGroup(group_name="default", verbose=True)
+    self.ExecOpCode(op)
+    self.mcpu.assertLogContainsRegex(
+      "list of master candidate certificates is empty")
+
+  def testVerifyNoSharingMasterCandidates(self):
+    client_cert = "client-cert-digest"
+    self.cluster.candidate_certs = {
+      self.master.uuid: client_cert,
+      "some-other-master-candidate-uuid": client_cert}
+    self.rpc.call_node_verify.return_value = \
+      RpcResultsBuilder() \
+        .AddSuccessfulNode(self.master,
+          {constants.NV_CLIENT_CERT: (None, client_cert)}) \
+        .Build()
+    op = opcodes.OpClusterVerifyGroup(group_name="default", verbose=True)
+    self.ExecOpCode(op)
+    self.mcpu.assertLogContainsRegex(
+      "two master candidates configured to use the same")
+
+  def testVerifyMasterCandidateCertMismatch(self):
+    client_cert = "client-cert-digest"
+    self.cluster.candidate_certs = {self.master.uuid: "different-cert-digest"}
+    self.rpc.call_node_verify.return_value = \
+      RpcResultsBuilder() \
+        .AddSuccessfulNode(self.master,
+          {constants.NV_CLIENT_CERT: (None, client_cert)}) \
+        .Build()
+    op = opcodes.OpClusterVerifyGroup(group_name="default", verbose=True)
+    self.ExecOpCode(op)
+    self.mcpu.assertLogContainsRegex("does not match its entry")
+
+  def testVerifyMasterCandidateUnregistered(self):
+    client_cert = "client-cert-digest"
+    self.cluster.candidate_certs = {"other-node-uuid": "different-cert-digest"}
+    self.rpc.call_node_verify.return_value = \
+      RpcResultsBuilder() \
+        .AddSuccessfulNode(self.master,
+          {constants.NV_CLIENT_CERT: (None, client_cert)}) \
+        .Build()
+    op = opcodes.OpClusterVerifyGroup(group_name="default", verbose=True)
+    self.ExecOpCode(op)
+    self.mcpu.assertLogContainsRegex("does not have an entry")
+
+  def testVerifyMasterCandidateOtherNodesCert(self):
+    client_cert = "client-cert-digest"
+    self.cluster.candidate_certs = {"other-node-uuid": client_cert}
+    self.rpc.call_node_verify.return_value = \
+      RpcResultsBuilder() \
+        .AddSuccessfulNode(self.master,
+          {constants.NV_CLIENT_CERT: (None, client_cert)}) \
+        .Build()
+    op = opcodes.OpClusterVerifyGroup(group_name="default", verbose=True)
+    self.ExecOpCode(op)
+    self.mcpu.assertLogContainsRegex("using a certificate of another node")
+
+  def testNormalNodeStillInList(self):
+    self._AddNormalNode()
+    client_cert_master = "client-cert-digest-master"
+    client_cert_normal = "client-cert-digest-normal"
+    self.cluster.candidate_certs = {
+      self.normalnode.uuid: client_cert_normal,
+      self.master.uuid: client_cert_master}
+    self.rpc.call_node_verify.return_value = \
+      RpcResultsBuilder() \
+        .AddSuccessfulNode(self.normalnode,
+          {constants.NV_CLIENT_CERT: (None, client_cert_normal)}) \
+        .AddSuccessfulNode(self.master,
+          {constants.NV_CLIENT_CERT: (None, client_cert_master)}) \
+        .Build()
+    op = opcodes.OpClusterVerifyGroup(group_name="default", verbose=True)
+    self.ExecOpCode(op)
+    self.mcpu.assertLogContainsRegex("not a master candidate")
+    self.mcpu.assertLogContainsRegex("still listed")
+
+  def testNormalNodeStealingMasterCandidateCert(self):
+    self._AddNormalNode()
+    client_cert_master = "client-cert-digest-master"
+    self.cluster.candidate_certs = {
+      self.master.uuid: client_cert_master}
+    self.rpc.call_node_verify.return_value = \
+      RpcResultsBuilder() \
+        .AddSuccessfulNode(self.normalnode,
+          {constants.NV_CLIENT_CERT: (None, client_cert_master)}) \
+        .AddSuccessfulNode(self.master,
+          {constants.NV_CLIENT_CERT: (None, client_cert_master)}) \
+        .Build()
+    op = opcodes.OpClusterVerifyGroup(group_name="default", verbose=True)
+    self.ExecOpCode(op)
+    self.mcpu.assertLogContainsRegex("not a master candidate")
+    self.mcpu.assertLogContainsRegex(
+      "certificate of another node which is master candidate")
+
+
 class TestLUClusterVerifyGroupMethods(CmdlibTestCase):
   """Base class for testing individual methods in LUClusterVerifyGroup.
 

tools/post-upgrade

@@ -43,9 +43,11 @@ def main():
   version = utils.version.ParseVersion(versionstring)
 
   if utils.version.IsBefore(version, 2, 11, 0):
-    # FIXME: Add client certificate handling here when resolving issue 692.
-    pass
-
+    result = utils.RunCmd(["gnt-cluster", "renew-crypto",
+                           "--new-node-certificates", "-f"])
+    if result.failed:
+      cli.ToStderr("Failed to create node certificates: %s; Output %s" %
+                   (result.fail_reason, result.output))
   return 0
 
 if __name__ == "__main__":