Saimon/support 78 certificate apis (#233)

Author: saimonation

cterasdk/common/datetime_utils.py

@@ -18,7 +18,7 @@ def get_expiration_date(expiration):
             expiration_date = datetime.date.today() + datetime.timedelta(days=expiration)
         elif isinstance(expiration, datetime.date):
             expiration_date = expiration
-        return expiration_date
+        return expiration_date  # pylint: disable=possibly-used-before-assignment
 
 
 def from_iso_format(time):

cterasdk/edge/ssl.py

@@ -5,6 +5,15 @@
 from ..common import Object
 
 
+def initialize(edge):
+    """
+    Conditional intialization of the Edge Filer SSL Module.
+    """
+    if edge.session().version > '7.8':
+        return SSLv78(edge)
+    return SSLv1(edge)
+
+
 class SSL(BaseCommand):
     """ Edge Filer SSL APIs """
 
@@ -38,6 +47,10 @@ def _get_force_https(self):
     def _set_force_https(self, force):
         self._edge.api.put('/config/fileservices/webdav/forceHttps', force)
 
+
+class SSLv1(SSL):
+    """ Edge Filer SSLv1 APIs """
+
     def remove_storage_ca(self):
         """
         Remove object storage trusted CA certificate
@@ -81,3 +94,94 @@ def import_certificate(self, private_key, *certificates):
         response = self._edge.api.put('/config/certificate', f"\n{server_certificate}")
         logging.getLogger('cterasdk.edge').info("Uploaded SSL certificate.")
         return response
+
+
+class SSLv78(SSL):
+    """ Edge Filer v7.8 SSL Certificate APIs """
+
+    def __init__(self, edge):
+        super().__init__(edge)
+        self.server = ServerCertificate(edge)
+        self.ca = TrustedCAs(edge)
+
+
+class ServerCertificate(BaseCommand):
+    """ Edge Filer v7.8 Server Certificate APIs """
+
+    def get(self):
+        """
+        Get Server Cerificate.
+        """
+        return self._edge.api.get('/proc/certificates/serverCertificate')
+
+    def regenerate(self):
+        """
+        Generate a Self Signed Certificate.
+        """
+        logging.getLogger('cterasdk.edge').info("Generating a Self Signed Certificate.")
+        response = self._edge.api.execute('/config/certificates', 'createSelfSign')
+        logging.getLogger('cterasdk.edge').info("Generated a Self Signed Certificate.")
+        return response
+
+    def import_certificate(self, private_key, *certificates):
+        """
+        Import the Edge Filer's server SSL certificate
+
+        :param str private_key: The PEM-encoded private key, or a path to the PEM-encoded private key file
+        :param list[str] certificates: The PEM-encoded certificates, or a list of paths to the PEM-encoded certificates
+        """
+        key_object = PrivateKey.load_private_key(private_key)
+        certificates = [X509Certificate.load_certificate(certificate) for certificate in certificates]
+        certificate_chain = [certificate.pem_data.decode('utf-8') for certificate in create_certificate_chain(*certificates)]
+        server_certificate = ''.join([key_object.pem_data.decode('utf-8')] + certificate_chain)
+        logging.getLogger('cterasdk.edge').info("Uploading SSL certificate.")
+        response = self._edge.api.put('/config/certificates/serverCertificate', f"\n{server_certificate}")
+        logging.getLogger('cterasdk.edge').info("Uploaded SSL certificate.")
+        return response
+
+
+class TrustedCAs(BaseCommand):
+    """ Edge Filer v7.8 Trusted CAs APIs """
+
+    def all(self):
+        """
+        List Trusted CAs.
+        """
+        return self._edge.api.get('/proc/certificates/trustedCACertificates')
+
+    def add(self, ca):
+        """
+        Add Trusted CA.
+
+        :param str certificate: The PEM-encoded certificate or a path to the PEM-encoded server certificate file
+        """
+        certificate = X509Certificate.load_certificate(ca).pem_data.decode('utf-8')
+        return self._edge.api.execute('/config/certificates', 'addTrustedCACert', certificate)
+
+    def remove(self, ca):
+        """
+        Remove Trusted CA.
+
+        :param object ca: CA fingerprint as `str`, or a trusted CA object.
+        """
+        fingerprint = None
+        if isinstance(ca, Object) and hasattr(ca, 'fingerprint'):
+            fingerprint = ca.fingerprint
+        else:
+            fingerprint = ca
+
+        if fingerprint:
+            logging.getLogger('cterasdk.edge').info("Removing Trusted CA. %s", {'fingerprint': fingerprint})
+            response = self._edge.api.delete(f'/config/certificates/trustedCACertificates/{fingerprint}')
+            logging.getLogger('cterasdk.edge').info("Removed Trusted CA. %s", {'fingerprint': fingerprint})
+            return response
+
+        raise ValueError('Could not identify CA fingerprint.')
+
+    def clear(self):
+        """
+        Remove all Trusted CAs.
+        """
+        logging.getLogger('cterasdk.edge').info("Removing all Trusted CAs.")
+        for ca in self.all():
+            self.remove(ca)

cterasdk/objects/edge.py

@@ -149,6 +149,9 @@ def __init__(self, host=None, port=None, https=True, Portal=None, *, base=None):
         self.users = users.Users(self)
         self.volumes = volumes.Volumes(self)
 
+    def _after_login(self):
+        self.ssl = ssl.initialize(self)
+
     @property
     def migrate(self):
         return self.clients.migrate

cterasdk/objects/services.py

@@ -44,6 +44,12 @@ def __init__(self, host, port, https, base):
     def clients(self):
         return self._ctera_clients
 
+    def _before_login(self):
+        """Override to implement logic before login"""
+
+    def _after_login(self):
+        """Override to implement logic after login"""
+
     @property
     @abstractmethod
     def _login_object(self):
@@ -80,8 +86,10 @@ def login(self, username, password):
         :param str username: Username
         :param str password: Password
         """
+        self._before_login()
         self._login_object.login(username, password)
         self._ctera_session.start_local_session(self)
+        self._after_login()
 
     def logout(self):
         """ Log out """

docs/source/UserGuides/Edge/Configuration.rst

@@ -1039,41 +1039,75 @@ Reset to Defaults
 SSL Certificate
 ===============
 
-.. automethod:: cterasdk.edge.ssl.SSL.disable_http
+SSL management commands supported starting Edge Filer v7.8 or higher:
+
+.. automethod:: cterasdk.edge.ssl.ServerCertificate.get
    :noindex:
 
 .. code-block:: python
 
-   edge.ssl.disable_http()
+   server_certificate = edge.ssl.server.get()
+   print(server_certificate.fingerprint)
 
-.. automethod:: cterasdk.edge.ssl.SSL.enable_http
+.. automethod:: cterasdk.edge.ssl.ServerCertificate.regenerate
    :noindex:
 
 .. code-block:: python
 
-   edge.ssl.enable_http()
+   edge.ssl.server.regenerate()  # generate a self-signed server certificate
 
-.. automethod:: cterasdk.edge.ssl.SSL.is_http_disabled
+.. automethod:: cterasdk.edge.ssl.ServerCertificate.import_certificate
    :noindex:
 
 .. code-block:: python
 
-   edge.ssl.is_http_disabled()
+   edge.ssl.server.import_certificate(
+      r'C:/users/username/certificate/private.key',
+      r'C:/users/username/certificate/certificate.crt',
+      r'C:/users/username/certificate/intermediate1.crt',
+      r'C:/users/username/certificate/intermediate2.crt',
+      r'C:/users/username/certificate/root.crt'
+   )
 
-.. automethod:: cterasdk.edge.ssl.SSL.is_http_enabled
+.. automethod:: cterasdk.edge.ssl.TrustedCAs.all
    :noindex:
 
 .. code-block:: python
 
-   edge.ssl.is_http_enabled()
+   for ca_certificate in edge.ssl.ca.all():
+       print(ca_certificate.fingerprint)
 
-.. automethod:: cterasdk.edge.ssl.SSL.get_storage_ca
+.. automethod:: cterasdk.edge.ssl.TrustedCAs.add
    :noindex:
 
-.. automethod:: cterasdk.edge.ssl.SSL.remove_storage_ca
+.. code-block:: python
+
+   edge.ssl.ca.add(r'C:/users/username/certificate/ca.crt')  # add Trusted CA certificate
+
+.. automethod:: cterasdk.edge.ssl.TrustedCAs.remove
    :noindex:
 
-.. automethod:: cterasdk.edge.ssl.SSL.import_certificate
+.. code-block:: python
+
+   certificate_fingerprint = '04:a0:56:a9:87:64:bb:dc:96:bf:6d:b0:49:fa:80:81:ed:06:8a:1e'
+   edge.ssl.ca.remove(certificate_fingerprint)
+
+.. automethod:: cterasdk.edge.ssl.TrustedCAs.clear
+   :noindex:
+
+.. code-block:: python
+
+   edge.ssl.ca.clear()
+
+SSL management commands supported up to Edge Filer v7.6:
+
+.. automethod:: cterasdk.edge.ssl.SSLv1.get_storage_ca
+   :noindex:
+
+.. automethod:: cterasdk.edge.ssl.SSLv1.remove_storage_ca
+   :noindex:
+
+.. automethod:: cterasdk.edge.ssl.SSLv1.import_certificate
    :noindex:
 
 .. code-block:: python
@@ -1093,6 +1127,36 @@ SSL Certificate
 
 .. danger: Exercise caution. Test thoroughly prior to implementing in production. Ensure the integrity of the PEM encoded private key and certificates. Supplying an invalid private key or certificate will disable administrative access to the filer and would require CTERA Support to re-enable it.
 
+SSL management commands supported in all Edge Filer versions:
+
+.. automethod:: cterasdk.edge.ssl.SSL.disable_http
+   :noindex:
+
+.. code-block:: python
+
+   edge.ssl.disable_http()
+
+.. automethod:: cterasdk.edge.ssl.SSL.enable_http
+   :noindex:
+
+.. code-block:: python
+
+   edge.ssl.enable_http()
+
+.. automethod:: cterasdk.edge.ssl.SSL.is_http_disabled
+   :noindex:
+
+.. code-block:: python
+
+   edge.ssl.is_http_disabled()
+
+.. automethod:: cterasdk.edge.ssl.SSL.is_http_enabled
+   :noindex:
+
+.. code-block:: python
+
+   edge.ssl.is_http_enabled()
+
 Power Management
 ================
 

tests/ut/test_core_users.py

@@ -69,7 +69,7 @@ def _test_add_user_with_password_change(self, password_change):
                 expiration_date = datetime.date.today() + datetime.timedelta(days=password_change)
             elif isinstance(password_change, datetime.date):
                 expiration_date = password_change
-            expected_requirePasswordChangeOn = expiration_date.strftime('%Y-%m-%d')
+            expected_requirePasswordChangeOn = expiration_date.strftime('%Y-%m-%d')  # pylint: disable=possibly-used-before-assignment
         expected_param = self._get_user_object(
             name=self._username,
             email=self._email,
@@ -79,7 +79,7 @@ def _test_add_user_with_password_change(self, password_change):
             role=self._role,
             company=None,
             comment=None,
-            requirePasswordChangeOn=expected_requirePasswordChangeOn
+            requirePasswordChangeOn=expected_requirePasswordChangeOn  # pylint: disable=possibly-used-before-assignment
         )
         actual_param = self._global_admin.api.add.call_args[0][1]
         self._assert_equal_objects(actual_param, expected_param)
@@ -247,7 +247,7 @@ def _test_add_admin_user_with_password_change(self, password_change):
                 expiration_date = datetime.date.today() + datetime.timedelta(days=password_change)
             elif isinstance(password_change, datetime.date):
                 expiration_date = password_change
-            expected_requirePasswordChangeOn = expiration_date.strftime('%Y-%m-%d')
+            expected_requirePasswordChangeOn = expiration_date.strftime('%Y-%m-%d')  # pylint: disable=possibly-used-before-assignment
         expected_param = self._get_admin_object(
             name=self._username,
             email=self._email,
@@ -257,7 +257,7 @@ def _test_add_admin_user_with_password_change(self, password_change):
             role=self._role,
             company=None,
             comment=None,
-            requirePasswordChangeOn=expected_requirePasswordChangeOn
+            requirePasswordChangeOn=expected_requirePasswordChangeOn  # pylint: disable=possibly-used-before-assignment
         )
         actual_param = self._global_admin.api.add.call_args[0][1]
         self._assert_equal_objects(actual_param, expected_param)

tests/ut/test_edge_ssl.py

@@ -62,7 +62,7 @@ def test_import_certificate(self):
         mock_load_private_key.return_value = TestEdgeSSL._get_secret(self._private_key_contents)
         mock_load_certificate = self.patch_call("cterasdk.lib.crypto.X509Certificate.load_certificate")
         mock_load_certificate.return_value = TestEdgeSSL._get_secret(self._certificate_contents)
-        ret = ssl.SSL(self._filer).import_certificate(self._key_filepath, self._domain_cert, self._intermediate_cert, self._root_cert)
+        ret = ssl.SSLv1(self._filer).import_certificate(self._key_filepath, self._domain_cert, self._intermediate_cert, self._root_cert)
         mock_load_private_key.assert_called_once_with(self._key_filepath)
         mock_load_certificate.assert_has_calls(
             [
@@ -83,7 +83,7 @@ def test_import_certificate(self):
     def test_get_storage_ca(self):
         get_response = 'Success'
         self._init_filer(get_response=get_response)
-        ret = ssl.SSL(self._filer).get_storage_ca()
+        ret = ssl.SSLv1(self._filer).get_storage_ca()
         self._filer.api.get.assert_called_once_with('/status/extStorageTrustedCA')
         self.assertEqual(ret, get_response)
 
@@ -92,7 +92,7 @@ def test_import_storage_ca(self):
         self._init_filer(put_response=put_response)
         mock_load_certificate = self.patch_call("cterasdk.lib.crypto.X509Certificate.load_certificate")
         mock_load_certificate.return_value = TestEdgeSSL._get_secret(self._certificate_contents)
-        ret = ssl.SSL(self._filer).import_storage_ca(self._domain_cert)
+        ret = ssl.SSLv1(self._filer).import_storage_ca(self._domain_cert)
         expected_param = Object()
         expected_param._classname = 'ExtTrustedCA'  # pylint: disable=protected-access
         expected_param.certificate = self._certificate_contents
@@ -105,7 +105,7 @@ def test_import_storage_ca(self):
     def test_remove_storage_ca(self):
         put_response = 'Success'
         self._init_filer(put_response=put_response)
-        ssl.SSL(self._filer).remove_storage_ca()
+        ssl.SSLv1(self._filer).remove_storage_ca()
         self._filer.api.put.assert_called_once_with('/config/extStorageTrustedCA', None)
 
     @staticmethod