commit 598a079f5768c03b1947d2ed18a18b74ada6fc3f
author Piotr Dobrowolski <admin@tastycode.pl> Tue Apr 09 13:28:46 2019 +0200
committer Piotr Dobrowolski <admin@tastycode.pl> Tue Apr 09 13:29:33 2019 +0200
tree e87d7f1fc08e64ce35b31f40b0bf2ffed0073688
parent acd001bf8368959e1ce98d41a09c2d9d11dfda87

clustercfg: extract cfssl handling to separate function

cluster/clustercfg/ca.py

diff --git a/cluster/clustercfg/ca.py b/cluster/clustercfg/ca.py
index e4973db..06f03f3 100644
--- a/cluster/clustercfg/ca.py
+++ b/cluster/clustercfg/ca.py
@@ -1,3 +1,4 @@
+# encoding: utf-8
 import json
 import logging
 import os
@@ -89,6 +90,22 @@
         with open(self._cert) as f:
             return f.read()
 
+    def _cfssl_call(self, args, obj=None, stdin=None):
+        p = subprocess.Popen(['cfssl'] + args,
+                             stdin=subprocess.PIPE, stdout=subprocess.PIPE,
+                             stderr=subprocess.PIPE)
+        if obj:
+            stdin = json.dumps(stdin)
+
+        outs, errs = p.communicate(stdin.encode())
+        if p.returncode != 0:
+            raise Exception(
+                'cfssl failed. stderr: %r, stdout: %r, code: %r' % (
+                    errs, outs, p.returncode))
+
+        out = json.loads(outs)
+        return out
+
     def _init_ca(self):
         if self.ss.exists(self._secret_key):
             return
@@ -97,11 +114,7 @@
         ca_csr['CN'] = self.cn
 
         logger.info("{}: Generating CA...".format(self))
-        p = subprocess.Popen(['cfssl', 'gencert', '-initca', '-'],
-                             stdin=subprocess.PIPE, stdout=subprocess.PIPE,
-                             stderr=subprocess.PIPE)
-        outs, errs = p.communicate(json.dumps(ca_csr).encode())
-        out = json.loads(outs)
+        out = self._cfssl_call(['gencert', '-initca', '-'], obj=ca_csr)
 
         f = self.ss.open(self._secret_key, 'w')
         f.write(out['key'])
@@ -132,11 +145,8 @@
         }
         cfg.update(_ca_config)
         logger.info("{}: Generating key/CSR for {}".format(self, hosts))
-        p = subprocess.Popen(['cfssl', 'genkey', '-'],
-                             stdin=subprocess.PIPE, stdout=subprocess.PIPE,
-                             stderr=subprocess.PIPE)
-        outs, errs = p.communicate(json.dumps(cfg).encode())
-        out = json.loads(outs)
+        out = self._cfssl_call(['genkey', '-'], obj=cfg)
+
         key, csr = out['key'], out['csr']
         if save is not None:
             logging.info("{}: Saving new key to secret {}".format(self, save))
@@ -150,12 +160,8 @@
         logging.info("{}: Signing CSR".format(self))
         ca = self._cert
         cakey = self.ss.plaintext(self._secret_key)
-        p = subprocess.Popen(['cfssl', 'sign', '-ca=' + ca, '-ca-key=' + cakey,
-                              '-profile=client-server', '-'],
-                             stdin=subprocess.PIPE, stdout=subprocess.PIPE,
-                             stderr=subprocess.PIPE)
-        outs, errs = p.communicate(csr.encode())
-        out = json.loads(outs)
+        out = self._cfssl_call(['sign', '-ca=' + ca, '-ca-key=' + cakey,
+                                '-profile=client-server', '-'], stdin=csr)
         cert = out['cert']
         if save is not None:
             name = os.path.join(self.cdir, save)