X-Git-Url: https://pwan.org/git/?a=blobdiff_plain;f=certmaster%2Fcertmaster.py;h=1bf3a2d57c6c895102df03623347f613af8cb5cc;hb=e92972a02d0e506cb7780694642137201421a74a;hp=fe5dcbcef393cc0cb43cd99eb49c68d76b915a1c;hpb=8f2ff4d7c902d534d68ff1a16418b7be492033bf;p=certmaster.git diff --git a/certmaster/certmaster.py b/certmaster/certmaster.py index fe5dcbc..1bf3a2d 100755 --- a/certmaster/certmaster.py +++ b/certmaster/certmaster.py @@ -25,25 +25,31 @@ import glob import socket import exceptions -#from func.server import codes import certs import codes import utils + +import logger + from config import read_config from commonconfig import CMConfig CERTMASTER_LISTEN_PORT = 51235 -CERTMASTER_CONFIG = "/etc/func/certmaster.conf" +CERTMASTER_CONFIG = "/etc/certmaster/certmaster.conf" class CertMaster(object): def __init__(self, conf_file=CERTMASTER_CONFIG): self.cfg = read_config(conf_file, CMConfig) - usename = utils.get_hostname() + usename = utils.get_hostname(talk_to_certmaster=False) mycn = '%s-CA-KEY' % usename - self.ca_key_file = '%s/funcmaster.key' % self.cfg.cadir - self.ca_cert_file = '%s/funcmaster.crt' % self.cfg.cadir + self.ca_key_file = '%s/certmaster.key' % self.cfg.cadir + self.ca_cert_file = '%s/certmaster.crt' % self.cfg.cadir + + self.logger = logger.Logger().logger + self.audit_logger = logger.AuditLogger() + try: if not os.path.exists(self.cfg.cadir): os.makedirs(self.cfg.cadir) @@ -66,14 +72,17 @@ class CertMaster(object): self.handlers = { 'wait_for_cert': self.wait_for_cert, } + def _dispatch(self, method, params): if method == 'trait_names' or method == '_getAttributeNames': return self.handlers.keys() - + + if method in self.handlers.keys(): return self.handlers[method](*params) else: + self.logger.info("Unhandled method call for method: %s " % method) raise codes.InvalidMethodException def _sanitize_cn(self, commonname): 
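Review bot: The CA key and certificate paths in `__init__` move from `funcmaster.key`/`funcmaster.crt` to `certmaster.key`/`certmaster.crt` under `self.cfg.cadir`, but nothing in the hunk looks for the old names or migrates them, so an installation upgraded in place will no longer find its existing CA material. If the code after this hunk creates a fresh CA when the files are absent (the `try:` block opened here continues outside the hunk, so this is not visible), such an upgrade would silently produce a new CA and every certificate it previously issued would stop validating against it; a fallback to the old names, or a hard startup error when only the old files exist, would be safer. The two new attributes also deserve a one-line comment, e.g. `# self.logger: operational log; self.audit_logger: record of security-relevant events (signing, refusals)`.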
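Review bot: The new log line in `_dispatch` writes the client-supplied `method` string verbatim, and the same pattern logs the unsanitized `csrreq.get_subject().CN` in the `@@ -96` hunk; both values arrive over the unauthenticated XML-RPC listener and may contain newlines or control characters, so a remote caller can forge or split log records. Use the repr form so the value is escaped onto one line, `self.logger.info("Unhandled method call for method: %r" % (method,))`, and in the later hunk log only the already-sanitized `requesting_host` (or `%r` of the CN). Minor style point: `if method in self.handlers.keys():` is just `if method in self.handlers:`.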
@@ -96,6 +105,8 @@ class CertMaster(object): requesting_host = self._sanitize_cn(csrreq.get_subject().CN) + + self.logger.info("%s requested signing of cert %s" % (requesting_host,csrreq.get_subject().CN)) # get rid of dodgy characters in the filename we're about to make certfile = '%s/%s.cert' % (self.cfg.certroot, requesting_host) @@ -103,6 +114,8 @@ class CertMaster(object): # check for old csr on disk # if we have it - compare the two - if they are not the same - raise a fault + self.logger.debug("csrfile: %s certfile: %s" % (csrfile, certfile)) + if os.path.exists(csrfile): oldfo = open(csrfile) oldcsrbuf = oldfo.read() @@ -113,8 +126,10 @@ class CertMaster(object): newsha.update(csrbuf) newdig = newsha.hexdigest() if not newdig == olddig: + self.logger.info("A cert for %s already exists and does not match the requesting cert" % (requesting_host)) # XXX raise a proper fault - return False, '', '' + return False, '', '' + # look for a cert: # if we have it, then return True, etc, etc @@ -133,6 +148,7 @@ class CertMaster(object): cert = certs.retrieve_cert_from_file(cert_fn) cert_buf = crypto.dump_certificate(crypto.FILETYPE_PEM, cert) cacert_buf = crypto.dump_certificate(crypto.FILETYPE_PEM, self.cacert) + self.logger.info("cert for %s was autosigned" % (requesting_host)) return True, cert_buf, cacert_buf else: @@ -141,6 +157,7 @@ class CertMaster(object): destfo.write(crypto.dump_certificate_request(crypto.FILETYPE_PEM, csrreq)) destfo.close() del destfo + self.logger.info("cert for %s created and ready to be signed" % (requesting_host)) return False, '', '' return False, '', '' @@ -168,6 +185,7 @@ class CertMaster(object): return for fn in csrs + certs: print 'Cleaning out %s for host matching %s' % (fn, hn) + self.logger.info('Cleaning out %s for host matching %s' % (fn, hn)) os.unlink(fn) def sign_this_csr(self, csr): 
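Review bot: The message "A cert for %s already exists and does not match the requesting cert" in the `@@ -113` hunk is misleading: the comparison just above it is between the digest of the CSR already on disk (`olddig`) and the digest of the incoming CSR (`newdig`), not a certificate. A host re-enrolling with a different key is exactly the event an operator needs to find later, so name it precisely and send it to the audit log that `__init__` sets up, e.g. `self.audit_logger.logger.info("CSR for %s does not match the CSR already on disk; refusing" % requesting_host)`. The pre-existing `# XXX raise a proper fault` above the `return False, '', ''` still applies, since the caller cannot tell this refusal apart from "not signed yet".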
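Review bot: "cert for %s created and ready to be signed" in the `@@ -141` hunk describes the branch wrongly: the code writes the certificate request (`crypto.dump_certificate_request`) to `destfo` and returns `False, '', ''`, so no certificate exists yet; `self.logger.info("csr for %s stored and waiting for signing" % requesting_host)` would match what happened. The "cert for %s was autosigned" line in the `@@ -133` hunk records a signing decision taken without operator involvement and belongs in the audit log as well, `self.audit_logger.logger.info("cert for %s was autosigned" % requesting_host)`, so that issued certificates can be reconstructed from one place.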
@@ -192,28 +210,37 @@ class CertMaster(object): try: csrreq = crypto.load_certificate_request(crypto.FILETYPE_PEM, csr_buf) except crypto.Error, e: + self.logger.info("Unable to sign %s: Bad CSR" % (csr)) raise exceptions.Exception("Bad CSR: %s" % csr) else: # assume we got a bare csr req csrreq = csr - requesting_host = self._sanitize_cn(csrreq.get_subject().CN) - + + + requesting_host = self._sanitize_cn(csrreq.get_subject().CN) certfile = '%s/%s.cert' % (self.cfg.certroot, requesting_host) + self.logger.info("Signing for csr %s requested" % certfile) thiscert = certs.create_slave_certificate(csrreq, self.cakey, self.cacert, self.cfg.cadir) + destfo = open(certfile, 'w') destfo.write(crypto.dump_certificate(crypto.FILETYPE_PEM, thiscert)) destfo.close() del destfo + + + self.logger.info("csr %s signed" % (certfile)) if csr_unlink_file and os.path.exists(csr_unlink_file): os.unlink(csr_unlink_file) return certfile + + class CertmasterXMLRPCServer(SimpleXMLRPCServer.SimpleXMLRPCServer): - def __init__(self, args): + def __init__(self, addr): self.allow_reuse_address = True - SimpleXMLRPCServer.SimpleXMLRPCServer.__init__(self, args) + SimpleXMLRPCServer.SimpleXMLRPCServer.__init__(self, addr) def serve(xmlrpcinstance): @@ -222,15 +249,18 @@ def serve(xmlrpcinstance): Code for starting the XMLRPC service. """ + server = CertmasterXMLRPCServer((xmlrpcinstance.cfg.listen_addr, CERTMASTER_LISTEN_PORT)) server.logRequests = 0 # don't print stuff to console server.register_instance(xmlrpcinstance) + xmlrpcinstance.logger.info("certmaster started") + xmlrpcinstance.audit_logger.logger.info("certmaster started") server.serve_forever() def main(argv): - cm = CertMaster('/etc/func/certmaster.conf') + cm = CertMaster('/etc/certmaster/certmaster.conf') if "daemon" in argv or "--daemon" in argv: utils.daemonize("/var/run/certmaster.pid")
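Review bot: `sign_this_csr` now records the signing only through `self.logger`, although `__init__` creates `self.audit_logger` for exactly this kind of event and `serve` already writes to it via `.logger.info`; issuing a certificate is the action an auditor has to reconstruct, so mirror the final line into it, `self.audit_logger.logger.info("csr %s signed for %s" % (certfile, requesting_host))`. The new "Unable to sign %s: Bad CSR" line formats `csr` itself, which may be a whole PEM buffer rather than a path (the `else` branch below assumes a bare request object, and the existing `raise` formats it the same way), so a malformed submission lands in the log as a multi-line blob; logging `%r` of `csr_unlink_file` or just `len(csr)` keeps the record on one line. `sign_this_csr` starts before this hunk, so where `csr_buf` and `csr_unlink_file` are derived from `csr` is not visible here.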