| author | Linus Nordberg <linus@nordu.net> | 2015-06-04 16:58:41 +0200 | 
|---|---|---|
| committer | Linus Nordberg <linus@nordu.net> | 2015-06-04 16:58:41 +0200 | 
| commit | 228aae4427925c7f62f19b96ea009f448fd68b97 (patch) | |
| tree | c9d388cbac6d5819f36f36c9f42ecbdf44969632 | |
| parent | b4ec3393fa5012baed85ba045f9a625495a8579d (diff) | |
Make mklog.py (more) idempotent.
One should be able to add hosts to $logname.cfg and run again, with
the correct result.
| -rwxr-xr-x | mklog.py | 37 | 
1 files changed, 22 insertions, 15 deletions
| @@ -18,24 +18,26 @@ def run_openssl(args):      return False  def make_eckey(name): +    privkey = '%s-private.pem' % name +    pubkey = '%s.pem' % name + +    if os.access(privkey, os.R_OK) and os.access(pubkey, os.R_OK): +        return True      print "creating EC key \"%s\"" % name -    privkey_filename = '%s-private.pem' % name -    pubkey_filename = '%s.pem' % name      ecparam_args =  ['ecparam', '-name', 'prime256v1', '-genkey', '-noout', -                     '-out', privkey_filename] +                     '-out', privkey]      if not run_openssl(ecparam_args):          return False -    os.chmod(privkey_filename, stat.S_IRUSR) +    os.chmod(privkey, stat.S_IRUSR | stat.S_IWUSR) -    ec_args = ['ec', '-in', privkey_filename, '-pubout', '-out', pubkey_filename] +    ec_args = ['ec', '-in', privkey, '-pubout', '-out', pubkey]      if not run_openssl(ec_args):          return False -    os.chmod(pubkey_filename, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)      return True -def make_ca(logname, cakey_filename, cacert_filename): +def make_ca(logname, cakey, cacert):      os.makedirs('./demoCA/newcerts', 0700)      f = open('./demoCA/index.txt', 'w') 
@@ -56,14 +58,14 @@ def make_ca(logname, cakey_filename, cacert_filename):
     f.close()
 subject = '/countryName=II/stateOrProvinceName=internets/organizationName=%s/commonName=ca' % logname
-    req_args = ['req', '-newkey', 'rsa:2048', '-keyout', cakey_filename, '-out',
+    req_args = ['req', '-newkey', 'rsa:2048', '-keyout', cakey, '-out',
                 'req.csr', '-nodes', '-subj', subject, '-config', 'caconfig.txt']
     if not run_openssl(req_args):
         return False
-    os.chmod(cakey_filename, stat.S_IRUSR)
+    os.chmod(cakey, stat.S_IRUSR)
-    ca_args = ['ca', '-in', 'req.csr', '-selfsign', '-keyfile', cakey_filename,
-               '-out', cacert_filename, '-batch']
+    ca_args = ['ca', '-in', 'req.csr', '-selfsign', '-keyfile', cakey,
+               '-out', cacert, '-batch']
     if not run_openssl(ca_args):
         return False
@@ -87,10 +89,10 @@ def make_certs(logname, nodenames):
         cert = './%s.pem' % nodename
         subject = '/countryName=II/stateOrProvinceName=internets/organizationName=%s/CN=%s' % (logname, nodename)
-        print "creating cert for node %s" % nodename
-
         if os.access(key, os.R_OK) and os.access(cert, os.R_OK):
             continue
+        print "creating cert for node %s" % nodename
+
         req_args = ['req', '-new', '-newkey', 'rsa:2048', '-keyout', key,
                     '-out', csr, '-nodes', '-subj', subject]
         if not run_openssl(req_args):
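Review bot: In make_ca the CA private key is written unencrypted (`-nodes`) by `openssl req ... -keyout cakey` with whatever mode the umask gives, and `os.chmod(cakey, stat.S_IRUSR)` only narrows it afterwards; with a 022 umask the CA signing key is world-readable until that line runs, and remains so if run_openssl fails. The cheapest fix is `old_umask = os.umask(077)` before the req call and `os.umask(old_umask)` after the `ca` call, or pre-creating `cakey` with mode 0600 before invoking openssl. Unlike make_eckey and make_certs this function gains no "already exists" guard, and the `os.makedirs('./demoCA/newcerts', 0700)` shown as context in the preceding hunk raises OSError if the directory exists, so make_ca presumably must only be reached on a first run — a docstring stating that, e.g. `"""Create the log CA; must not be called when ./demoCA already exists."""`, would document the contract the idempotency work relies on. The function begins before this hunk.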
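Review bot: `subject` and the `key`/`cert` paths interpolate `nodename` verbatim, so a node name from $logname.cfg containing `/`, `=` or `..` would inject an extra RDN into the `-subj` string or write the key and certificate outside the working directory instead of failing loudly. Since the commit explicitly invites editing the cfg and re-running, a guard at the top of the loop such as `if not re.match(r'^[A-Za-z0-9.-]+$', nodename): raise ValueError('bad node name %r' % nodename)` (with `import re` at the top if the file lacks it) keeps a typo from producing a malformed certificate or a stray file. The enclosing for loop starts before this hunk.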
@@ -115,9 +117,14 @@ def make_authkeys(nodenames):
     for nodename in nodenames:
         if not make_eckey(nodename):
             return False
-        shutil.move('%s-private.pem' % nodename, '../nodes/%s/' % nodename)
+        dst = '../nodes/%s/%s-private.pem' % (nodename, nodename)
+        if os.access(dst, os.F_OK) and not os.access(dst, os.W_OK):
+            os.chmod(dst, stat.S_IWUSR)
+        shutil.move('%s-private.pem' % nodename, dst)
     for nodename in nodenames:
-        shutil.copytree('.', '../nodes/%s/publickeys' % nodename)
+        dst = '../nodes/%s/publickeys' % nodename
+        shutil.rmtree(dst, ignore_errors=True)
+        shutil.copytree('.', dst)
     os.chdir('..')
     return True
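Review bot: The new `os.chmod(dst, stat.S_IWUSR)` before `shutil.move` only makes sense if an existing node private key is going to be overwritten, and that appears to be what happens on a re-run: make_eckey's skip test looks for `<node>-private.pem` in the current directory, but this loop moved that file to `../nodes/<node>/` on the previous run, so the private key is absent, a fresh key pair is generated, `<node>.pem` is overwritten and the deployed node key is replaced — unless something before this hunk (the chdir target is not visible) puts it back. Checking the destination before calling make_eckey keeps existing nodes' keys stable, as sketched below. Separately, `shutil.copytree('.', dst)` publishes the whole working directory, including any stale `*-private.pem` left behind by a run that failed between generation and move; copying only the non-private `.pem` files into `publickeys` would be safer. The chdir that the trailing `os.chdir('..')` undoes is outside the hunk.

```python
    for nodename in nodenames:
        dst = '../nodes/%s/%s-private.pem' % (nodename, nodename)
        # Existing node: private key already delivered and its public key
        # still present here -- leave the pair alone on re-runs.
        if os.access(dst, os.R_OK) and os.access('%s.pem' % nodename, os.R_OK):
            continue
        if not make_eckey(nodename):
            return False
        # … unchanged: make dst writable if needed, shutil.move …
```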
