X-Git-Url: https://pwan.org/git/?a=blobdiff_plain;f=certmaster%2Futils.py;h=6f73ccc507f5d42322890916acfd0c391bb973e0;hb=e2f635bb3294d13a29420ab0d0aab5ace0cfe03f;hp=61721ac7c255d6e7197bb426089d1f07b57ba4c1;hpb=621cc4e377e0bf0a48a7bbbf384a3f28d9933be9;p=certmaster.git
diff --git a/certmaster/utils.py b/certmaster/utils.py
old mode 100755
new mode 100644
index 61721ac..6f73ccc
--- a/certmaster/utils.py
+++ b/certmaster/utils.py
@@ -32,6 +32,14 @@ import sub_process # FIXME: can remove this constant? REMOTE_ERROR = "REMOTE_ERROR" +# The standard I/O file descriptors are redirected to /dev/null by default. +if (hasattr(os, "devnull")): + REDIRECT_TO = os.devnull +else: + REDIRECT_TO = "/dev/null" + + + def trace_me(): x = traceback.extract_stack()
@@ -44,14 +52,26 @@ def daemonize(pidfile=None): Writes the new PID to the provided file name if not None. """ -# print pidfile pid = os.fork() if pid > 0: sys.exit(0) + os.chdir("/") os.setsid() - os.umask(0) + os.umask(077) pid = os.fork() + os.close(0) + os.close(1) + os.close(2) + + # based on http://code.activestate.com/recipes/278731/ + os.open(REDIRECT_TO, os.O_RDWR) # standard input (0) + + os.dup2(0, 1) # standard output (1) + os.dup2(0, 2) # standard error (2) + + + if pid > 0: if pidfile is not None: open(pidfile, "w").write(str(pid)) 
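Review bot: The parentheses around the `hasattr` call on the added `if` line are redundant, and the whole four-line fallback collapses to one expression: `REDIRECT_TO = getattr(os, "devnull", "/dev/null")`. The three added blank lines before `def trace_me()` also appear to leave more than the two PEP 8 expects between top-level definitions.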
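Review bot: The added redirection assumes `os.open(REDIRECT_TO, os.O_RDWR)` hands back descriptor 0 and then hard-codes that number in both `dup2` calls; using the returned descriptor removes the dependency on the close order above it, `fd = os.open(REDIRECT_TO, os.O_RDWR)`, `os.dup2(fd, 1)`, `os.dup2(fd, 2)`. The close/open/dup2 block also runs in the intermediate parent before the `if pid > 0:` branch, so a failure in the pid-file write a few lines later has no stderr left to report on; moving the block after that branch keeps diagnostics for the parent. With the umask now 077, `open(pidfile, "w")` creates the pid file 0600, which is fine for a root daemon but is a behaviour change for any unprivileged reader of that file. daemonize's body continues outside the hunk.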
@@ -87,59 +107,33 @@ def get_hostname(talk_to_certmaster=True): up the hostname for that. """ # FIXME: this code ignores http proxies (which granted, we don't - # support elsewhere either. It also hardcodes the port number - # for the certmaster for now + # support elsewhere either. hostname = None hostname = socket.gethostname() # print "DEBUG: HOSTNAME TRY1: %s" % hostname try: ip = socket.gethostbyname(hostname) - # print "DEBUG: IP TRY2: %s" % ip except: - # print "DEBUG: ERROR: returning" return hostname if ip != "127.0.0.1": - # print "DEBUG: ERROR: returning 2" return hostname - if talk_to_certmaster: - config_file = '/etc/certmaster/minion.conf' - config = read_config(config_file, MinionConfig) - - server = config.certmaster - port = 51235 - - try: - s = socket.socket() - s.settimeout(5) - # print "server, port", server, port - s.connect((server, port)) - (intf, port) = s.getsockname() - remote_hostname = socket.gethostbyaddr(intf)[0] - if remote_hostname != "localhost": - hostname = remote_hostname - # print "DEBUG: HOSTNAME FROM CERTMASTER == %s" % hostname - s.close() - except: - s.close() - raise - - # print "DEBUG: final hostname=%s" % hostname - return hostname - # FIXME: move to requestor module and also create a verbose mode # prints to the screen for usage by /usr/bin/certmaster-request -def create_minion_keys(): +def create_minion_keys(hostname=None): + log = logger.Logger().logger + # FIXME: paths should not be hard coded here, move to settings universally config_file = '/etc/certmaster/minion.conf' config = read_config(config_file, MinionConfig) cert_dir = config.cert_dir - master_uri = 'http://%s:51235/' % config.certmaster - # print "DEBUG: acquiring hostname" - hn = get_hostname() - # print "DEBUG: hostname = %s\n" % hn + master_uri = 'http://%s:%s/' % (config.certmaster, config.certmaster_port) + + hn = hostname + if hn is None: + hn = get_hostname() if hn is None: raise codes.CMException("Could not determine a hostname other than 
localhost")
@@ -163,17 +157,17 @@ def create_minion_keys(): if not os.path.exists(csr_file): if not keypair: keypair = certs.retrieve_key_from_file(key_file) - csr = certs.make_csr(keypair, dest=csr_file) + csr = certs.make_csr(keypair, dest=csr_file, hostname=hn) except Exception, e: traceback.print_exc() raise codes.CMException, "Could not create local keypair or csr for session" result = False - log = logger.Logger().logger + while not result: try: # print "DEBUG: submitting CSR to certmaster: %s" % master_uri - log.debug("submitting CSR to certmaster %s" % master_uri) + log.debug("submitting CSR: %s to certmaster %s" % (csr_file, master_uri)) result, cert_string, ca_cert_string = submit_csr_to_master(csr_file, master_uri) except socket.gaierror, e: raise codes.CMException, "Could not locate certmaster at %s" % master_uri
@@ -188,6 +182,13 @@ def create_minion_keys(): if result: # print "DEBUG: recieved certificate from certmaster" log.debug("received certificate from certmaster %s, storing to %s" % (master_uri, cert_file)) + if not keypair: + keypair = certs.retrieve_key_from_file(key_file) + valid = certs.check_cert_key_match(cert_string, keypair) + if not valid: + log.info("certificate does not match key (run certmaster-ca --clean first?)") + sys.stderr.write("certificate does not match key (run certmaster-ca --clean first?)\n") + return cert_fd = os.open(cert_file, os.O_RDWR|os.O_CREAT, 0644) os.write(cert_fd, cert_string) os.close(cert_fd)
@@ -216,7 +217,7 @@ def run_triggers(ref, globber): # in the triggers directory continue if ref: - rc = sub_process.call([file, ref.name], shell=False) + rc = sub_process.call([file, ref], shell=False) else: rc = sub_process.call([file], shell=False) except:
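Review bot: An empty string passed as the new `hostname` parameter of `create_minion_keys` satisfies neither `is None` test and goes straight into the CSR through `make_csr(keypair, dest=csr_file, hostname=hn)` in the next hunk, so both fallbacks should test emptiness too: `if not hn:` in place of `if hn is None:` on the two lines after `hn = hostname`. Removing the certmaster probe also leaves `get_hostname`'s `talk_to_certmaster` parameter (visible only in the hunk header) with no remaining reader; either retire it or state in the docstring that it is accepted for compatibility and ignored. get_hostname's signature and the key-handling part of create_minion_keys lie outside the hunk.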
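Review bot: The new `log.debug("submitting CSR: %s to certmaster %s" % (csr_file, master_uri))` formats the message eagerly even when debug output is disabled; if `log` is a standard `logging.Logger`, the arguments can be passed lazily, `log.debug("submitting CSR: %s to certmaster %s", csr_file, master_uri)`. The `while not result:` loop shows no delay or attempt bound inside the hunk, so unless one follows outside it a persistent non-gaierror failure from `submit_csr_to_master` would retry without pause; the loop body continues past the hunk.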
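Review bot: The added key/certificate mismatch branch returns `None` silently, so the caller of `create_minion_keys` cannot tell enrolment failed, whereas every other error path in this function raises `codes.CMException`; raising here, `raise codes.CMException, "certificate does not match key (run certmaster-ca --clean first?)"`, keeps the contract consistent and makes the duplicated `sys.stderr.write` unnecessary. The message is also logged at `info` although it describes a failure; `log.error(...)` is the matching level. Verifying the received certificate against the local key before it is persisted is the right placement. While here, the context line `os.open(cert_file, os.O_RDWR|os.O_CREAT, 0644)` has no `O_TRUNC`, so if `cert_file` can pre-exist with a longer body, stale bytes would remain after the new certificate is written. The rest of the success path continues outside the hunk.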
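Review bot: Passing `ref` itself as argv[1] instead of `ref.name` changes what callers of `run_triggers` must supply: `sub_process.call` needs a string in that position, so a caller still handing over an object with a `.name` attribute would most likely fail inside the call rather than pass a wrong argument. run_triggers' signature and docstring are outside the hunk; the docstring should state the new contract, e.g. `ref: plain string handed to each trigger as its single argument; None (or empty) runs the trigger with no argument`, which matches the visible `if ref:` check.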