in infrastructure-provisioning/src/ssn/scripts/configure_ssn_node.py [0:0]
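def configure_ssl_certs(hostname, custom_ssl_cert):
    """Install the SSN node's TLS certificate and key under ``/etc/ssl/certs``.

    Exactly one of three sources is used, chosen in this order:

    1. ``custom_ssl_cert`` truthy: the operator-provided pair
       ``/root/certs/datalab.{crt,key}`` is copied onto the node.
    2. ``conf_stepcerts_enabled == 'true'`` in the environment: a certificate
       is issued by the configured step-ca and the renewal helpers (hourly
       cron entry plus systemd unit) are installed.
    3. Otherwise a self-signed RSA-2048 certificate (10 years) and a
       ``dhparam.pem`` are generated with openssl.

    Args:
        hostname: DNS name used as the certificate CN.
        custom_ssl_cert: truthy to install the operator-provided pair.

    Any exception is printed with its traceback and converted into
    ``sys.exit(1)``; this matches the other configure steps of the script.

    Relies on module-level ``conn`` (remote connection exposing ``put`` and
    ``sudo``), ``args`` (``os_user``, ``step_cert_sans``), ``ensure_step`` and
    ``find_java_path_remote``.
    """
    try:
        if custom_ssl_cert:
            _install_custom_certs()
        elif os.environ['conf_stepcerts_enabled'] == 'true':
            _issue_step_certs(hostname)
        else:
            _generate_self_signed_certs(hostname)
    except Exception as err:
        traceback.print_exc()
        print('Failed to configure SSL certificates: ', str(err))
        sys.exit(1)


def _install_custom_certs():
    """Copy the operator-supplied certificate pair onto the node.

    The files are staged in the login user's home with ``put`` and then moved
    into ``/etc/ssl/certs`` with sudo.
    """
    conn.put('/root/certs/datalab.crt', 'datalab.crt')
    conn.put('/root/certs/datalab.key', 'datalab.key')
    conn.sudo('mv datalab.crt /etc/ssl/certs/datalab.crt')
    # NOTE(review): the private key keeps the mode it had on the controller;
    # confirm which service reads it before tightening to 600 here.
    conn.sudo('mv datalab.key /etc/ssl/certs/datalab.key')


def _issue_step_certs(hostname):
    """Obtain the node certificate from step-ca and install the renewal machinery.

    Reads ``conf_stepcerts_root_ca`` (base64 PEM), ``conf_stepcerts_ca_url``,
    ``conf_stepcerts_kid`` and ``conf_stepcerts_kid_password`` from the
    environment, and ``args.os_user`` / ``args.step_cert_sans`` from the CLI.

    Args:
        hostname: certificate CN; the SANs come from ``args.step_cert_sans``
            plus ``localhost`` and ``127.0.0.1``.
    """
    os_user = args.os_user
    ca_url = os.environ['conf_stepcerts_ca_url']
    kid = os.environ['conf_stepcerts_kid']
    password_path = '/home/{0}/keys/provisioner_password'.format(os_user)
    # NOTE(review): the configuration values spliced into the shell and sed
    # commands below are not quoted or escaped; a value containing '"', '$',
    # '|' or a newline breaks the command. They come from deployment
    # configuration rather than end-user input.
    ensure_step(os_user)
    conn.sudo('mkdir -p /home/{0}/keys'.format(os_user))
    conn.sudo('''bash -c 'echo "{0}" | base64 --decode > /etc/ssl/certs/root_ca.crt' '''.format(
        os.environ['conf_stepcerts_root_ca']))
    fingerprint = conn.sudo('step certificate fingerprint /etc/ssl/certs/root_ca.crt').stdout.strip()
    conn.sudo('step ca bootstrap --fingerprint {0} --ca-url "{1}"'.format(fingerprint, ca_url))
    conn.sudo('''bash -c 'echo "{0}" > {1}' '''.format(
        os.environ['conf_stepcerts_kid_password'], password_path))
    # The provisioner password is a CA secret: the file is created by root with
    # the default umask, so restrict it. The cron job installed below runs as
    # root and root bypasses the mode; the node user owns it so it can read it too.
    conn.sudo('chown {0} {1}'.format(os_user, password_path))
    conn.sudo('chmod 600 {0}'.format(password_path))
    sans = "--san localhost --san 127.0.0.1 {0}".format(args.step_cert_sans)
    cn = hostname
    conn.sudo('step ca token {3} --kid {0} --ca-url "{1}" --root /etc/ssl/certs/root_ca.crt '
              '--password-file {2} {4} --output-file /tmp/step_token'.format(
                  kid, ca_url, password_path, cn, sans))
    # The captured stdout may carry a trailing newline (the fingerprint above
    # needs the same cleanup); a JWT contains no whitespace, so strip() is
    # safe and keeps the newline out of the quoted --token argument.
    token = conn.sudo('cat /tmp/step_token').stdout.strip()
    # The one-time token has been consumed; do not leave it lying in /tmp.
    conn.sudo('rm -f /tmp/step_token')
    conn.sudo('step ca certificate "{0}" /etc/ssl/certs/datalab.crt /etc/ssl/certs/datalab.key '
              '--token "{1}" --kty=RSA --size 2048 --provisioner {2} '.format(cn, token, kid))
    _install_step_renewal(os_user, ca_url, kid, sans, cn, password_path)


def _install_step_renewal(os_user, ca_url, kid, sans, cn, password_path):
    """Install the renewal scripts, the hourly cron entry and the systemd unit.

    Both shell templates are copied from ``/root/templates`` and their
    placeholder tokens are filled in with sed, in the same order the original
    provisioning used; the literal paths must match what the templates expect.

    Args:
        os_user: node user whose home holds the provisioner password.
        ca_url: step-ca URL.
        kid: provisioner key id.
        sans: ``--san ...`` argument string passed to ``step ca``.
        cn: certificate common name.
        password_path: path of the provisioner password file.
    """
    renew_script = '/usr/local/bin/renew_certificates.sh'
    conn.sudo('touch /var/log/renew_certificates.log')
    conn.put('/root/templates/renew_certificates.sh', '/tmp/renew_certificates.sh')
    conn.sudo('mv /tmp/renew_certificates.sh /usr/local/bin/')
    conn.sudo('chmod +x {0}'.format(renew_script))
    for placeholder, value in (
            ('OS_USER', os_user),
            ('JAVA_HOME', find_java_path_remote()),
            ('RESOURCE_TYPE', 'ssn'),
            ('CONF_FILE', 'ssn'),
    ):
        conn.sudo('sed -i "s|{0}|{1}|g" {2}'.format(placeholder, value, renew_script))

    manager_script = '/usr/local/bin/manage_step_certs.sh'
    conn.put('/root/templates/manage_step_certs.sh', '/tmp/manage_step_certs.sh')
    conn.sudo('cp /tmp/manage_step_certs.sh {0}'.format(manager_script))
    conn.sudo('chmod +x {0}'.format(manager_script))
    # Order matters: short tokens such as CN and KID are replaced last so they
    # cannot clobber the longer placeholders that contain them.
    for placeholder, value in (
            ('STEP_ROOT_CERT_PATH', '/etc/ssl/certs/root_ca.crt'),
            ('STEP_CERT_PATH', '/etc/ssl/certs/datalab.crt'),
            ('STEP_KEY_PATH', '/etc/ssl/certs/datalab.key'),
            ('STEP_CA_URL', ca_url),
            ('RESOURCE_TYPE', 'ssn'),
            ('SANS', sans),
            ('CN', cn),
            ('KID', kid),
            ('STEP_PROVISIONER_PASSWORD_PATH', password_path),
    ):
        conn.sudo('sed -i "s|{0}|{1}|g" {2}'.format(placeholder, value, manager_script))

    # Append the cron entry only once so re-running this provisioning step does
    # not schedule the renewal several times per hour.
    cron_line = '0 * * * * root {0} >> /var/log/renew_certificates.log 2>&1'.format(manager_script)
    conn.sudo('bash -c \'grep -qF "{0}" /etc/crontab || echo "{1}" >> /etc/crontab\''.format(
        manager_script, cron_line))

    conn.put('/root/templates/step-cert-manager.service', '/tmp/step-cert-manager.service')
    conn.sudo('cp /tmp/step-cert-manager.service /etc/systemd/system/step-cert-manager.service')
    conn.sudo('systemctl daemon-reload')
    conn.sudo('systemctl enable step-cert-manager.service')


def _generate_self_signed_certs(hostname):
    """Generate a self-signed RSA-2048 certificate (10 years) and DH parameters.

    Args:
        hostname: certificate CN.
    """
    conn.sudo('openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/ssl/certs/datalab.key '
              '-out /etc/ssl/certs/datalab.crt -subj "/C=US/ST=US/L=US/O=datalab/CN={}"'.format(hostname))
    # dhparam generation is CPU-heavy but only runs once per node.
    conn.sudo('openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048')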