Diffstat (limited to 'ipapython')
-rw-r--r--ipapython/certmonger.py23
1 files changed, 14 insertions, 9 deletions
diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py
index 1ed907686..fda539b34 100644
--- a/ipapython/certmonger.py
+++ b/ipapython/certmonger.py
@@ -29,6 +29,9 @@ from ipapython import ipautil
REQUEST_DIR='/var/lib/certmonger/requests/'
CA_DIR='/var/lib/certmonger/cas/'
+# Normalizer types for critera in get_request_id()
+NPATH = 1
+
def find_request_value(filename, directive):
"""
Return a value from a certmonger request file for the requested directive
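Review bot: The comment added above the new constant misspells its subject; make it `# Normalizer types for criteria in get_request_id()`. NPATH is the only named type, while callers pass `None` for "compare verbatim" (see the criteria tuple built in stop_tracking), so a short trailing comment such as `# None means: compare the stored value as-is` would make the tuple entries self-describing.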
@@ -83,7 +86,7 @@ def get_request_id(criteria):
through all the request files. An alternative would be to parse the
ipa-getcert list output but this seems cleaner.
- criteria is a tuple of key/value pairs to search for. The more specific
+ criteria is a tuple of key/value/type to search for. The more specific
the better. An error is raised if multiple request_ids are returned for
the same criteria.
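Review bot: The docstring now says each criterion is key/value/type but does not say what the type field accepts; the matching loop below treats `NPATH` as "normalize the stored value with os.path.abspath before comparing" and anything else (callers pass `None`) as "compare verbatim". Add a sentence such as `type is NPATH to compare the stored value as a normalized absolute path, or None to compare it as-is.` get_request_id's body continues outside the hunk.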
@@ -95,8 +98,10 @@ def get_request_id(criteria):
fileList=os.listdir(REQUEST_DIR)
for file in fileList:
match = True
- for (key, value) in criteria:
+ for (key, value, valtype) in criteria:
rv = find_request_value('%s/%s' % (REQUEST_DIR, file), key)
+ if rv and valtype == NPATH:
+ rv = os.path.abspath(rv)
if rv is None or rv.rstrip() != value:
match = False
break
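Review bot: os.path.abspath is applied before the trailing whitespace is stripped, so a stored value ending in a slash followed by a newline (`.../db/\n`) is normalized as if `\n` were a final path component and keeps the slash, while the `value` side built from os.path.abspath(secdir) loses it; the comparison then fails for exactly the paths this change is meant to match. Normalize the stripped text instead: `rv = os.path.abspath(rv.rstrip())`. A relative value in a request file would also be resolved against this process's working directory rather than certmonger's, which is presumably not intended; a comment stating that stored locations are expected to be absolute would make that assumption explicit. get_request_id's body continues outside the hunk.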
@@ -157,7 +162,7 @@ def request_cert(nssdb, nickname, subject, principal, passwd_fname=None):
]
if passwd_fname:
args.append('-p')
- args.append(passwd_fname)
+ args.append(os.path.abspath(passwd_fname))
(stdout, stderr, returncode) = ipautil.run(args)
# FIXME: should be some error handling around this
m = re.match('New signing request "(\d+)" added', stdout)
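Review bot: Only passwd_fname is normalized here, while the `-d` argument built from nssdb earlier in request_cert lies outside the hunk; if it is still passed as given, certmonger will record that un-normalized string as cert_storage_location and the abspath'd criteria that stop_tracking now builds will not match it. If so, apply the same `os.path.abspath(nssdb)` to the `-d` argument so both sides of the later comparison are normalized the same way. request_cert starts before this hunk.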
@@ -175,7 +180,7 @@ def cert_exists(nickname, secdir):
the database.
"""
args = ["/usr/bin/certutil", "-L",
- "-d", secdir,
+ "-d", os.path.abspath(secdir),
"-n", nickname
]
(stdout, stderr, rc) = ipautil.run(args, raiseonerr=False)
@@ -193,14 +198,14 @@ def start_tracking(nickname, secdir, password_file=None):
This assumes that certmonger is already running.
"""
- if not cert_exists(nickname, secdir):
+ if not cert_exists(nickname, os.path.abspath(secdir)):
raise RuntimeError('Nickname "%s" doesn\'t exist in NSS database "%s"' % (nickname, secdir))
args = ["/usr/bin/ipa-getcert", "start-tracking",
- "-d", secdir,
+ "-d", os.path.abspath(secdir),
"-n", nickname]
if password_file:
args.append("-p")
- args.append(password_file)
+ args.append(os.path.abspath(password_file))
(stdout, stderr, returncode) = ipautil.run(args)
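Review bot: secdir is normalized three times in start_tracking, and the first of them is redundant because cert_exists (previous hunk) now normalizes its own argument. Normalize once at the top of the function, `secdir = os.path.abspath(secdir)`, then pass `secdir` unchanged to cert_exists, the RuntimeError message and the `-d` argument; the error message then also reports the path that was actually checked rather than the caller's spelling of it. start_tracking's body starts before this hunk.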
@@ -216,7 +221,7 @@ def stop_tracking(secdir, request_id=None, nickname=None):
raise RuntimeError('Both request_id and nickname are missing.')
if nickname:
# Using the nickname find the certmonger request_id
- criteria = (('cert_storage_location','%s' % secdir),('cert_nickname', '%s' % nickname))
+ criteria = (('cert_storage_location', os.path.abspath(secdir), NPATH),('cert_nickname', nickname, None))
try:
request_id = get_request_id(criteria)
if request_id is None:
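Review bot: The new criteria line runs well past 79 columns and has no space after the comma separating the two tuples; split it so each criterion sits on its own line inside the parentheses, which also makes the third field visible to a reader. The same `os.path.abspath(secdir)` is repeated for the `-d` argument in the following hunk; computing it once at the top of stop_tracking would cover both places. stop_tracking's body starts before this hunk and continues after it.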
@@ -236,7 +241,7 @@ def stop_tracking(secdir, request_id=None, nickname=None):
args.append('-n')
args.append(nickname)
args.append('-d')
- args.append(secdir)
+ args.append(os.path.abspath(secdir))
(stdout, stderr, returncode) = ipautil.run(args)
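>);
    child = fork();
    if (child == -1) {
        perror_msg_and_die("fork");
    }
    if (child == 0) { /* Child */
        if (dir) xchdir(dir);
        if (flags & EXECFLG_SETGUID) {
            struct passwd* pw = getpwuid(uid);
            gid_t gid = pw ? pw->pw_gid : uid;
            setgroups(1, &gid);
            xsetregid(gid, gid);
            xsetreuid(uid, uid);
        }
        if (unsetenv_vec) {
            while (*unsetenv_vec)
                unsetenv(*unsetenv_vec++);
        }
        /* Play with stdio descriptors */
        if (flags & EXECFLG_INPUT) {
            xmove_fd(pipe_to_child[0], STDIN_FILENO);
            close(pipe_to_child[1]);
        } else if (flags & EXECFLG_INPUT_NUL) {
            xmove_fd(xopen("/dev/null", O_RDWR), STDIN_FILENO);
        }
        if (flags & EXECFLG_OUTPUT) {
            xmove_fd(pipe_fm_child[1], STDOUT_FILENO);
            close(pipe_fm_child[0]);
        } else if (flags & EXECFLG_OUTPUT_NUL) {
            xmove_fd(xopen("/dev/null", O_RDWR), STDOUT_FILENO);
        }
        /* This should be done BEFORE stderr redirect */
        VERB1 {
            char *r = concat_str_vector(argv);
            log("Executing: %s", r);
            free(r);
        }
        if (flags & EXECFLG_ERR2OUT) {
            /* Want parent to see errors in the same stream */
            xdup2(STDOUT_FILENO, STDERR_FILENO);
        } else if (flags & EXECFLG_ERR_NUL) {
            xmove_fd(xopen("/dev/null", O_RDWR), STDERR_FILENO);
        }
        if (flags & EXECFLG_SETSID)
            setsid();
        execvp(argv[0], argv);
        if (!(flags & EXECFLG_QUIET))
            perror_msg("Can't execute '%s'", argv[0]);
        exit(127); /* shell uses this exitcode in this case */
    }
    if (flags & EXECFLG_INPUT) {
        close(pipe_to_child[0]);
        pipefds[1] = pipe_to_child[1];
    }
    if (flags & EXECFLG_OUTPUT) {
        close(pipe_fm_child[1]);
        pipefds[0] = pipe_fm_child[0];
    }
    return child;
}

/*
 * Run CMD through "/bin/sh -c" in directory DIR (or the current directory
 * when DIR is NULL) and return everything the child wrote to stdout as a
 * freshly allocated, NUL-terminated buffer.
 *
 * flags:  EXECFLG_* bits forwarded to fork_execv_on_steroids(). EXECFLG_OUTPUT
 *         is forced on (stdout is captured) and EXECFLG_INPUT forced off
 *         (stdin is not redirected by this function).
 * cmd:    the command line. The shell interprets it, so it must be a trusted,
 *         caller-controlled string and never be assembled from untrusted input.
 * dir:    working directory for the child, or NULL.
 * size_p: if non-NULL, receives the number of bytes captured. Embedded NUL
 *         bytes are kept in the buffer, so this can exceed strlen(result).
 *
 * Returns the captured output; the caller owns it and must free() it. The
 * child is reaped, but its exit status is not reported.
 */
char *run_in_shell_and_save_output(int flags, const char *cmd, const char *dir, size_t *size_p)
{
    const size_t chunk = 4*1024;

    flags |= EXECFLG_OUTPUT;
    flags &= ~EXECFLG_INPUT;

    const char *argv[] = { "/bin/sh", "-c", cmd, NULL };
    int pipeout[2];
    pid_t child = fork_execv_on_steroids(flags, (char **)argv, pipeout,
                                         /*unsetenv_vec:*/ NULL, dir,
                                         /*uid (unused):*/ 0);

    size_t pos = 0;
    char *result = NULL;
    while (1) {
        /* Always leave one byte beyond the data for the terminating NUL. */
        result = (char*) xrealloc(result, pos + chunk + 1);
        /* safe_read() is assumed to return ssize_t (-1 on error, 0 on EOF).
         * Keeping the result in a signed variable matters: stored in a
         * size_t, -1 would become SIZE_MAX, the "<= 0" test could never see
         * the error and pos would be advanced by a huge value. */
        ssize_t sz = safe_read(pipeout[0], result + pos, chunk);
        if (sz <= 0) {
            break;
        }
        pos += sz;
    }
    result[pos] = '\0';
    if (size_p)
        *size_p = pos;

    close(pipeout[0]);
    waitpid(child, NULL, 0);
    return result;
}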