fetchers/messaging: untangle V

CMK-21657

Change-Id: I1a786c0f327c389afb68527beafad1b166a1d269

Author: mo-ki

bin/message-broker-certs

@@ -31,8 +31,10 @@ def initialize_message_broker_certs(omd_root: Path, site_name: str) -> None:
         ca_cert_bundle.certificate_path.read_bytes()
     )
 
-    site_cert = SiteBrokerCertificate.create(site_name, omd_root, issuer=ca_cert_bundle)
-    site_cert.persist(omd_root)
+    site_broker_ca = SiteBrokerCertificate(
+        messaging.site_cert_file(omd_root), messaging.site_key_file(omd_root)
+    )
+    site_broker_ca.persist(site_broker_ca.create_bundle(site_name, ca_cert_bundle))
 
 
 def _parse_arguments(argv: list[str]) -> Arguments:

cmk/gui/watolib/broker_certificates.py

@@ -35,6 +35,7 @@
 from cmk import messaging
 from cmk.crypto.certificate import (
     CertificateSigningRequest,
+    CertificateWithPrivateKey,
     PersistedCertificateWithPrivateKey,
     X509Name,
 )
@@ -168,10 +169,13 @@ def create_remote_broker_certs(
     Create a new certificate with private key for the broker of a remote site.
     """
 
-    site_cert = SiteBrokerCertificate.create(site_id, paths.omd_root, signing_ca_bundle)
+    site_broker_ca = SiteBrokerCertificate(
+        messaging.site_cert_file(paths.omd_root), messaging.site_key_file(paths.omd_root)
+    )
+    site_ca_bundle = site_broker_ca.create_bundle(site_id, signing_ca_bundle)
 
     return messaging.BrokerCertificates(
-        cert=site_cert.cert_bundle.certificate.dump_pem().bytes,
+        cert=site_ca_bundle.certificate.dump_pem().bytes,
         signing_ca=signing_ca_bundle.certificate.dump_pem().bytes,
     )
 
@@ -223,21 +227,23 @@ def plugin_name(self, instance: BrokerCertificateSync) -> str:
 broker_certificate_sync_registry = BrokerCertificateSyncRegistry()
 
 
-def _create_message_broker_certs() -> SiteBrokerCertificate:
+def _create_message_broker_certs() -> CertificateWithPrivateKey:
     """Initialize the CA and create the certificate for use with the message broker.
     These might be replaced by the "store-broker-certs" automation.
     """
 
     ca = SiteBrokerCA(messaging.cacert_file(paths.omd_root), messaging.ca_key_file(paths.omd_root))
-    bundle = ca.create_and_persist(omd_site())
+    ca_bundle = ca.create_and_persist(omd_site())
     MessagingTrustedCAs(messaging.trusted_cas_file(paths.omd_root)).write(
-        bundle.certificate_path.read_bytes()
+        ca_bundle.certificate_path.read_bytes()
     )
 
-    site_cert = SiteBrokerCertificate.create(omd_site(), paths.omd_root, issuer=bundle)
-    site_cert.persist(paths.omd_root)
+    site_broker_ca = SiteBrokerCertificate(
+        messaging.site_cert_file(paths.omd_root), messaging.site_key_file(paths.omd_root)
+    )
+    site_broker_ca.persist(bundle := site_broker_ca.create_bundle(omd_site(), issuer=ca_bundle))
 
-    return site_cert
+    return bundle
 
 
 def _create_csr(private_key: PrivateKey) -> CertificateSigningRequest:
@@ -300,8 +306,13 @@ def get_request(self) -> StoreBrokerCertificatesData:
 
     def execute(self, api_request: StoreBrokerCertificatesData) -> bool:
         trusted_cas_store = MessagingTrustedCAs(messaging.trusted_cas_file(paths.omd_root))
-        SiteBrokerCertificate.persist_broker_certificates(
-            paths.omd_root, api_request.certificates, trusted_cas_store
+        SiteBrokerCertificate(
+            messaging.site_cert_file(paths.omd_root), messaging.site_key_file(paths.omd_root)
+        ).persist_broker_certificates(
+            signing_ca=api_request.certificates.signing_ca,
+            cert=api_request.certificates.cert,
+            additionally_trusted_ca=api_request.certificates.additionally_trusted_ca,
+            trusted_cas_store=trusted_cas_store,
         )
 
         # Remove local CA files to avoid confusion. They have no use anymore.
@@ -327,5 +338,5 @@ def get_request(self) -> None:
         pass
 
     def execute(self, api_request: None) -> BrokerCertsCSR:
-        private_key = _create_message_broker_certs().cert_bundle.private_key
+        private_key = _create_message_broker_certs().private_key
         return {"csr": _create_csr(private_key).csr.public_bytes(Encoding.PEM)}

cmk/post_rename_site/plugins/actions/messaging.py

@@ -10,7 +10,6 @@
 from cmk.ccc.i18n import _
 
 from cmk.utils import paths
-from cmk.utils.certs import SiteBrokerCertificate
 
 from cmk.gui.watolib.activate_changes import get_all_replicated_sites
 from cmk.gui.watolib.broker_certificates import (
@@ -19,6 +18,7 @@
 from cmk.gui.watolib.changes import add_change
 from cmk.gui.watolib.config_domains import ConfigDomainGUI
 
+from cmk import messaging
 from cmk.post_rename_site.registry import rename_action_registry, RenameAction
 
 
@@ -31,7 +31,7 @@ def update_broker_config(old_site_id: SiteId, new_site_id: SiteId, logger: Logge
     created with the new names.
     """
     logger.debug("Deleting broker certificates of site %s", old_site_id)
-    SiteBrokerCertificate.cert_path(paths.omd_root).unlink(missing_ok=True)
+    messaging.site_cert_file(paths.omd_root).unlink(missing_ok=True)
     logger.debug("Deleting broker certificates of replicated sites")
     clean_remote_sites_certs(kept_sites=[])
 

cmk/utils/certs.py

@@ -9,7 +9,7 @@
 from collections.abc import Iterable
 from dataclasses import dataclass
 from pathlib import Path
-from typing import Final, Literal, Self
+from typing import Final, Literal
 
 from cryptography import x509
 from cryptography.hazmat.primitives.serialization import Encoding, load_pem_private_key
@@ -22,7 +22,6 @@
 from cmk.utils.log.security_event import SecurityEvent
 from cmk.utils.user import UserId
 
-from cmk import messaging
 from cmk.crypto.certificate import (
     Certificate,
     CertificatePEM,
@@ -224,19 +223,14 @@ def __init__(
 
 
 class SiteBrokerCertificate:
-    def __init__(self, bundle: CertificateWithPrivateKey) -> None:
-        self.cert_bundle = bundle
-
-    @classmethod
-    def key_path(cls, omd_root: Path) -> Path:
-        return messaging.site_key_file(omd_root)
-
-    @classmethod
-    def cert_path(cls, omd_root: Path) -> Path:
-        return messaging.site_cert_file(omd_root)
+    def __init__(self, cert_path: Path, key_path: Path) -> None:
+        self.cert_path: Final = cert_path
+        self.key_path: Final = key_path
 
     @classmethod
-    def create(cls, site_name: str, omd_root: Path, issuer: CertificateWithPrivateKey) -> Self:
+    def create_bundle(
+        cls, site_name: str, issuer: CertificateWithPrivateKey
+    ) -> CertificateWithPrivateKey:
         """Have the site's certificate issued by the given CA.
 
         The certificate and key are not persisted to disk directly because this method is also used
@@ -247,40 +241,33 @@ def create(cls, site_name: str, omd_root: Path, issuer: CertificateWithPrivateKe
         is_ca = False
         key_size = 4096
 
-        cert_bundle = issuer.issue_new_certificate(
+        return issuer.issue_new_certificate(
             common_name=site_name,
             organization=organization,
             expiry=expires,
             key_size=key_size,
             is_ca=is_ca,
         )
 
-        return cls(cert_bundle)
-
-    def persist(self, omd_root: Path) -> None:
-        cert_path = self.cert_path(omd_root)
-        key_path = self.key_path(omd_root)
-
-        cert_path.parent.mkdir(parents=True, exist_ok=True)
-        PersistedCertificateWithPrivateKey.persist(self.cert_bundle, cert_path, key_path)
+    def persist(self, cert_bundle: CertificateWithPrivateKey) -> None:
+        self.cert_path.parent.mkdir(parents=True, exist_ok=True)
+        PersistedCertificateWithPrivateKey.persist(cert_bundle, self.cert_path, self.key_path)
 
-    @classmethod
     def persist_broker_certificates(
-        cls,
-        omd_root: Path,
-        received: messaging.BrokerCertificates,
+        self,
+        signing_ca: bytes,
+        cert: bytes,
+        additionally_trusted_ca: bytes,
         trusted_cas_store: MessagingTrustedCAs,
     ) -> None:
         """Persist the received certificates to disk."""
-        cert_path = cls.cert_path(omd_root)
-
-        ca = Certificate.load_pem(CertificatePEM(received.signing_ca))
-        Certificate.load_pem(CertificatePEM(received.cert)).verify_is_signed_by(ca)
+        ca = Certificate.load_pem(CertificatePEM(signing_ca))
+        Certificate.load_pem(CertificatePEM(cert)).verify_is_signed_by(ca)
 
-        cert_path.parent.mkdir(parents=True, exist_ok=True)
+        self.cert_path.parent.mkdir(parents=True, exist_ok=True)
 
-        trusted_cas_store.write(received.signing_ca + received.additionally_trusted_ca)
-        cert_path.write_bytes(received.cert)
+        trusted_cas_store.write(signing_ca + additionally_trusted_ca)
+        self.cert_path.write_bytes(cert)
 
 
 class SiteBrokerCA: