From ece4c159e4fd726a70b1da25821493fb8a90c8b3 Mon Sep 17 00:00:00 2001 From: Adrian Likins Date: Tue, 22 Apr 2008 14:36:17 -0400 Subject: apply triggers patch from Steve Salevan Steves comments: Adding in triggering functionality, changed specfile and MANIFEST.in to reflect changes. Added sub_process.py file to facilitate the subprocesses necessary for triggering to work. Modified certmaster.py to add trigger points. --- certmaster/certmaster.py | 34 +++++++++++++++++++++++++++------- certmaster/utils.py | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 60 insertions(+), 7 deletions(-) (limited to 'certmaster') diff --git a/certmaster/certmaster.py b/certmaster/certmaster.py index 1bf3a2d..970ff59 100755 --- a/certmaster/certmaster.py +++ b/certmaster/certmaster.py @@ -90,7 +90,7 @@ class CertMaster(object): commonname = commonname.replace('\\', '') return commonname - def wait_for_cert(self, csrbuf): + def wait_for_cert(self, csrbuf, with_triggers=True): """ takes csr as a string returns True, caller_cert, ca_cert @@ -104,7 +104,9 @@ class CertMaster(object): return False, '', '' requesting_host = self._sanitize_cn(csrreq.get_subject().CN) - + + if with_triggers: + self._run_triggers(None, '/var/lib/certmaster/triggers/request/pre/*') self.logger.info("%s requested signing of cert %s" % (requesting_host,csrreq.get_subject().CN)) # get rid of dodgy characters in the filename we're about to make @@ -137,6 +139,8 @@ class CertMaster(object): slavecert = certs.retrieve_cert_from_file(certfile) cert_buf = crypto.dump_certificate(crypto.FILETYPE_PEM, slavecert) cacert_buf = crypto.dump_certificate(crypto.FILETYPE_PEM, self.cacert) + if with_triggers: + self._run_triggers(None,'/var/lib/certmaster/triggers/request/post/*') return True, cert_buf, cacert_buf # if we don't have a cert then: @@ -149,6 +153,8 @@ class CertMaster(object): cert_buf = crypto.dump_certificate(crypto.FILETYPE_PEM, cert) cacert_buf = crypto.dump_certificate(crypto.FILETYPE_PEM, self.cacert) self.logger.info("cert for %s was autosigned" % (requesting_host)) + if with_triggers: + self._run_triggers(None,'/var/lib/certmaster/triggers/request/post/*') return True, cert_buf, cacert_buf else: @@ -158,6 +164,8 @@ class CertMaster(object): destfo.close() del destfo self.logger.info("cert for %s created and ready to be signed" % (requesting_host)) + if with_triggers: + self._run_triggers(None,'/var/lib/certmaster/triggers/request/post/*') return False, '', '' return False, '', '' @@ -172,7 +180,7 @@ class CertMaster(object): hosts.append(hn) return hosts - def remove_this_cert(self, hn): + def remove_this_cert(self, hn, with_triggers=True): """ removes cert for hostname using unlink """ cm = self csrglob = '%s/%s.csr' % (cm.cfg.csrroot, hn) @@ -183,12 +191,16 @@ class CertMaster(object): # FIXME: should be an exception? print 'No match for %s to clean up' % hn return + if with_triggers: + self._run_triggers(None,'/var/lib/certmaster/triggers/remove/pre/*') for fn in csrs + certs: print 'Cleaning out %s for host matching %s' % (fn, hn) self.logger.info('Cleaning out %s for host matching %s' % (fn, hn)) - os.unlink(fn) + os.unlink(fn) + if with_triggers: + self._run_triggers(None,'/var/lib/certmaster/triggers/remove/post/*') - def sign_this_csr(self, csr): + def sign_this_csr(self, csr, with_triggers=True): """returns the path to the signed cert file""" csr_unlink_file = None @@ -216,6 +228,9 @@ class CertMaster(object): else: # assume we got a bare csr req csrreq = csr + if with_triggers: + self._run_triggers(None,'/var/lib/certmaster/triggers/sign/pre/*') + requesting_host = self._sanitize_cn(csrreq.get_subject().CN) certfile = '%s/%s.cert' % (self.cfg.certroot, requesting_host) @@ -228,13 +243,18 @@ class CertMaster(object): del destfo - self.logger.info("csr %s signed" % (certfile)) + self.logger.info("csr %s signed" % (certfile)) + if with_triggers: + self._run_triggers(None,'/var/lib/certmaster/triggers/sign/post/*') + + if csr_unlink_file and os.path.exists(csr_unlink_file): os.unlink(csr_unlink_file) return certfile - + def _run_triggers(self, ref, globber): + return utils.run_triggers(ref, globber) class CertmasterXMLRPCServer(SimpleXMLRPCServer.SimpleXMLRPCServer): diff --git a/certmaster/utils.py b/certmaster/utils.py index eec3d2b..209e758 100755 --- a/certmaster/utils.py +++ b/certmaster/utils.py @@ -24,6 +24,7 @@ import certs from config import read_config from commonconfig import MinionConfig import logger +import sub_process # FIXME: module needs better pydoc @@ -108,6 +109,7 @@ def get_hostname(talk_to_certmaster=True): try: s = socket.socket() s.settimeout(5) + print "server, port", server, port s.connect((server, port)) (intf, port) = s.getsockname() remote_hostname = socket.gethostbyaddr(intf)[0] @@ -191,6 +193,37 @@ def create_minion_keys(): os.write(ca_cert_fd, ca_cert_string) os.close(ca_cert_fd) +def run_triggers(ref, globber): + """ + Runs all the trigger scripts in a given directory. + ref can be a certmaster object, if not None, the name will be passed + to the script. If ref is None, the script will be called with + no argumenets. Globber is a wildcard expression indicating which + triggers to run. Example: "/var/lib/certmaster/triggers/blah/*" + """ + + log = logger.Logger().logger + triggers = glob.glob(globber) + triggers.sort() + for file in triggers: + log.debug("Executing trigger: %s" % file) + try: + if file.find(".rpm") != -1: + # skip .rpmnew files that may have been installed + # in the triggers directory + continue + if ref: + rc = sub_process.call([file, ref.name], shell=False) + else: + rc = sub_process.call([file], shell=False) + except: + log.warning("Warning: failed to execute trigger: %s" % file) + continue + + if rc != 0: + raise codes.CMException, "certmaster trigger failed: %(file)s returns %(code)d" % { "file" : file, "code" : rc } + + def submit_csr_to_master(csr_file, master_uri): """" gets us our cert back from the certmaster.wait_for_cert() method -- cgit