* Change files to use 4-space indents and no hard tab characters.
* Trim excess spaces and tabs from ends of lines.
* Remove empty lines at the end of files and ensure the last line ends with a newline.
Generated by http://svn.python.org/projects/python/trunk/Tools/scripts/reindent.py
self.value = value
def __str__(self):
return "%s" %(self.value,)
-
def __init__(self, host='', port=None, ssl_context=None, strict=None, timeout=None):
self._setup(self._connection_class(host, port, ssl_context, strict, timeout))
-
if hasattr(data, 'tobytes'):
data = data.tobytes()
-
+
starttime = time.time()
origlen = len(data)
sent = -1
print 'Cannot make certmaster certificate authority keys/certs, aborting: %s' % e
sys.exit(1)
-
+
# open up the cakey and cacert so we have them available
self.cakey = certs.retrieve_key_from_file(self.ca_key_file)
self.cacert = certs.retrieve_cert_from_file(self.ca_cert_file)
-
+
for dirpath in [self.cfg.cadir, self.cfg.certroot, self.cfg.csrroot]:
if not os.path.exists(dirpath):
os.makedirs(dirpath)
'wait_for_cert': self.wait_for_cert,
}
-
+
def _dispatch(self, method, params):
if method == 'trait_names' or method == '_getAttributeNames':
return self.handlers.keys()
else:
self.logger.info("Unhandled method call for method: %s " % method)
raise codes.InvalidMethodException
-
+
def _sanitize_cn(self, commonname):
commonname = commonname.replace('/', '')
- commonname = commonname.replace('\\', '')
+ commonname = commonname.replace('\\', '')
return commonname
-
+
def wait_for_cert(self, csrbuf, with_triggers=True):
"""
takes csr as a string
returns True, caller_cert, ca_cert
returns False, '', ''
"""
-
+
try:
csrreq = crypto.load_certificate_request(crypto.FILETYPE_PEM, csrbuf)
except crypto.Error, e:
#XXX need to raise a fault here and document it - but false is just as good
return False, '', ''
-
+
requesting_host = self._sanitize_cn(csrreq.get_subject().CN)
if with_triggers:
- self._run_triggers(requesting_host, '/var/lib/certmaster/triggers/request/pre/*')
+ self._run_triggers(requesting_host, '/var/lib/certmaster/triggers/request/pre/*')
self.logger.info("%s requested signing of cert %s" % (requesting_host,csrreq.get_subject().CN))
# get rid of dodgy characters in the filename we're about to make
-
+
certfile = '%s/%s.cert' % (self.cfg.certroot, requesting_host)
csrfile = '%s/%s.csr' % (self.cfg.csrroot, requesting_host)
# check for old csr on disk
# if we have it - compare the two - if they are not the same - raise a fault
self.logger.debug("csrfile: %s certfile: %s" % (csrfile, certfile))
-
+
if os.path.exists(csrfile):
oldfo = open(csrfile)
oldcsrbuf = oldfo.read()
self.logger.info("A cert for %s already exists and does not match the requesting cert" % (requesting_host))
# XXX raise a proper fault
return False, '', ''
-
+
# look for a cert:
# if we have it, then return True, etc, etc
if with_triggers:
self._run_triggers(requesting_host,'/var/lib/certmaster/triggers/request/post/*')
return True, cert_buf, cacert_buf
-
+
# if we don't have a cert then:
# if we're autosign then sign it, write out the cert and return True, etc, etc
# else write out the csr
-
+
if self.cfg.autosign:
cert_fn = self.sign_this_csr(csrreq)
- cert = certs.retrieve_cert_from_file(cert_fn)
+ cert = certs.retrieve_cert_from_file(cert_fn)
cert_buf = crypto.dump_certificate(crypto.FILETYPE_PEM, cert)
cacert_buf = crypto.dump_certificate(crypto.FILETYPE_PEM, self.cacert)
self.logger.info("cert for %s was autosigned" % (requesting_host))
if with_triggers:
self._run_triggers(None,'/var/lib/certmaster/triggers/request/post/*')
return True, cert_buf, cacert_buf
-
+
else:
# write the csr out to a file to be dealt with by the admin
destfo = open(csrfile, 'w')
return False, '', ''
def get_csrs_waiting(self):
- hosts = []
+ hosts = []
csrglob = '%s/*.csr' % self.cfg.csrroot
csr_list = glob.glob(csrglob)
for f in csr_list:
hn = hn[:-4]
hosts.append(hn)
return hosts
-
+
def remove_this_cert(self, hn, with_triggers=True):
""" removes cert for hostname using unlink """
cm = self
os.unlink(fn)
if with_triggers:
self._run_triggers(hn,'/var/lib/certmaster/triggers/remove/post/*')
-
+
def sign_this_csr(self, csr, with_triggers=True):
"""returns the path to the signed cert file"""
csr_unlink_file = None
- if type(csr) is type(''):
+ if type(csr) is type(''):
if csr.startswith('/') and os.path.exists(csr): # we have a full path to the file
csrfo = open(csr)
csr_buf = csrfo.read()
csr_unlink_file = csr
-
+
elif os.path.exists('%s/%s' % (self.cfg.csrroot, csr)): # we have a partial path?
csrfo = open('%s/%s' % (self.cfg.csrroot, csr))
csr_buf = csrfo.read()
csr_unlink_file = '%s/%s' % (self.cfg.csrroot, csr)
-
+
# we have a string of some kind
else:
csr_buf = csr
try:
- csrreq = crypto.load_certificate_request(crypto.FILETYPE_PEM, csr_buf)
+ csrreq = crypto.load_certificate_request(crypto.FILETYPE_PEM, csr_buf)
except crypto.Error, e:
self.logger.info("Unable to sign %s: Bad CSR" % (csr))
raise exceptions.Exception("Bad CSR: %s" % csr)
-
+
else: # assume we got a bare csr req
csrreq = csr
if with_triggers:
self._run_triggers(requesting_host,'/var/lib/certmaster/triggers/sign/post/*')
-
+
if csr_unlink_file and os.path.exists(csr_unlink_file):
os.unlink(csr_unlink_file)
-
+
return certfile
# return a list of already signed certs
for hostglob in globs:
certglob = "%s/%s.cert" % (self.cfg.certroot, hostglob)
certfiles = certfiles + glob.glob(certglob)
-
+
cert_hashes = []
for certfile in certfiles:
cert = certs.retrieve_cert_from_file(certfile)
cert_hashes.append("%s-%s" % (cert.get_subject().CN, cert.subject_name_hash()))
-
+
return cert_hashes
def _run_triggers(self, ref, globber):
def __init__(self, addr):
self.allow_reuse_address = True
SimpleXMLRPCServer.SimpleXMLRPCServer.__init__(self, addr)
-
+
def serve(xmlrpcinstance):
listen_addr = config.listen_addr
listen_port = config.listen_port
if listen_port == '':
- listen_port = CERTMASTER_LISTEN_PORT
+ listen_port = CERTMASTER_LISTEN_PORT
server = CertmasterXMLRPCServer((listen_addr,listen_port))
server.logRequests = 0 # don't print stuff to console
server.register_instance(xmlrpcinstance)
print excvalue_blurb
print exctb_blurb
- log = logger.Logger().logger
+ log = logger.Logger().logger
log.info(exctype_blurb)
log.info(excvalue_blurb)
log.info(exctb_blurb)
def main(argv):
-
- sys.excepthook = excepthook
+
+ sys.excepthook = excepthook
cm = CertMaster('/etc/certmaster/certmaster.conf')
if "--version" in sys.argv or "-v" in sys.argv:
# just let exceptions bubble up for now
serve(cm)
-
+
if __name__ == "__main__":
#textdomain(I18N_DOMAIN)
main(sys.argv)
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-# Copyright (c) 2007 Red Hat, inc
+# Copyright (c) 2007 Red Hat, inc
#- Written by Seth Vidal skvidal @ fedoraproject.org
from OpenSSL import crypto
destfd = os.open(dest, os.O_RDWR|os.O_CREAT, 0600)
os.write(destfd, (crypto.dump_privatekey(crypto.FILETYPE_PEM, pkey)))
os.close(destfd)
-
+
return pkey
if emailaddr:
subj.emailAddress = emailaddr
else:
- subj.emailAddress = 'root@%s' % subj.CN
-
+ subj.emailAddress = 'root@%s' % subj.CN
+
req.set_pubkey(pkey)
req.sign(pkey, 'md5')
if dest:
keypair = crypto.load_privatekey(crypto.FILETYPE_PEM, buf)
return keypair
-
+
def retrieve_csr_from_file(csrfile):
fo = open(csrfile, 'r')
buf = fo.read()
destfo = open(ca_cert_file, 'w')
destfo.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cacert))
destfo.close()
-
-
+
+
def _get_serial_number(cadir):
serial = '%s/serial.txt' % cadir
i = 1
f = f.replace('\n','')
try:
i = int(f)
- i+=1
+ i+=1
except ValueError, e:
i = 1
-
- _set_serial_number(cadir, i)
+
+ _set_serial_number(cadir, i)
return i
f = open(serial, 'w')
f.write(str(last) + '\n')
f.close()
-
-
+
+
def create_slave_certificate(csr, cakey, cacert, cadir, slave_cert_file=None):
cert = crypto.X509()
cert.set_serial_number(_get_serial_number(cadir))
cert.set_pubkey(csr.get_pubkey())
cert.set_version(2)
xt = crypto.X509Extension('basicConstraints', False ,'CA:FALSE')
- # FIXME - add subjectkeyidentifier and authoritykeyidentifier extensions, too)
+ # FIXME - add subjectkeyidentifier and authoritykeyidentifier extensions, too)
cert.add_extensions((xt,))
cert.sign(cakey, 'sha1')
if slave_cert_file:
pass
# FIXME: more sub-exceptions maybe
-
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-# Copyright 2002 Duke University
+# Copyright 2002 Duke University
# filched from yum - menno smits wrote this - he rocks
self.value = value
def __str__(self):
return "%s" %(self.value,)
-
-
+
+
class Option(object):
'''
This class handles a single Yum configuration file option. Create
subclasses for each type of supported configuration option.
-
+
Python descriptor foo (__get__ and __set__) is used to make option
definition easy and consise.
'''
self._attrname = '__opt%d' % id(self)
def __get__(self, obj, objtype):
- '''Called when the option is read (via the descriptor protocol).
+ '''Called when the option is read (via the descriptor protocol).
@param obj: The configuration instance to modify.
@param objtype: The type of the config instance (not used).
return getattr(obj, self._attrname, None)
def __set__(self, obj, value):
- '''Called when the option is set (via the descriptor protocol).
+ '''Called when the option is set (via the descriptor protocol).
@param obj: The configuration instance to modify.
@param value: The value to set the option to.
setattr(obj, self._attrname, value)
def setup(self, obj, name):
- '''Initialise the option for a config instance.
- This must be called before the option can be set or retrieved.
+ '''Initialise the option for a config instance.
+ This must be called before the option can be set or retrieved.
@param obj: BaseConfig (or subclass) instance.
@param name: Name of the option.
@param s: Raw string value to parse.
@return: Validated native value.
-
+
Will raise ValueError if there was a problem parsing the string.
Subclasses should override this.
'''
This option handles lists of URLs with validation of the URL scheme.
'''
- def __init__(self, default=None, schemes=('http', 'ftp', 'file', 'https'),
+ def __init__(self, default=None, schemes=('http', 'ftp', 'file', 'https'),
allow_none=False):
super(UrlOption, self).__init__(default)
self.schemes = schemes
# Hold a UrlOption instance to assist with parsing
self._urloption = UrlOption(schemes=schemes)
-
+
def parse(self, s):
out = []
for url in super(UrlListOption, self).parse(s):
def __init__(self, default=None, allowed=()):
super(SelectionOption, self).__init__(default)
self._allowed = allowed
-
+
def parse(self, s):
if s not in self._allowed:
raise ValueError('"%s" is not an allowed value' % s)
The input should be a string containing a (possibly floating point)
number followed by an optional single character unit. Valid units are
'k', 'M', 'G'. Case is ignored.
-
+
Valid inputs: 100, 123M, 45.6k, 12.4G, 100K, 786.3, 0
Invalid inputs: -10, -0.1, 45.6L, 123Mb
else:
n = s
mult = 1
-
+
try:
n = float(n)
except ValueError:
class ThrottleOption(BytesOption):
def parse(self, s):
- """Get a throttle option.
+ """Get a throttle option.
Input may either be a percentage or a "friendly bandwidth value" as
accepted by the BytesOption.
# No matching option in this section, try inheriting
if parent and option.inherit:
value = getattr(parent, name)
-
+
if value is not None:
setattr(self, name, value)
optionobj = classmethod(optionobj)
def isoption(cls, name):
- '''Return True if the given name refers to a defined option
+ '''Return True if the given name refers to a defined option
'''
try:
cls.optionobj(name)
raise ValueError("not populated, don't know section")
section = self._section
- # Updated the ConfigParser with the changed values
+ # Updated the ConfigParser with the changed values
cfgOptions = self.cfg.options(section)
for name,value in self.iteritems():
option = self.optionobj(name)
def __init__(self, logfilepath ="/var/log/certmaster/certmaster.log"):
config_file = '/etc/certmaster/minion.conf'
- self.config = read_config(config_file, CMConfig)
+ self.config = read_config(config_file, CMConfig)
self.loglevel = logging._levelNames[self.config.log_level]
self._setup_logging()
if self._no_handlers:
self._setup_handlers(logfilepath=logfilepath)
-
+
def _setup_logging(self):
self.logger = logging.getLogger("certmaster")
import utils
def request_cert(hostname=None):
- # this should be enough, but do we want to allow parameters
- # for overriding the server and port from the config file?
- # maybe not. -- mpd
- utils.create_minion_keys(hostname)
+ # this should be enough, but do we want to allow parameters
+ # for overriding the server and port from the config file?
+ # maybe not. -- mpd
+ utils.create_minion_keys(hostname)
os.close(2)
# based on http://code.activestate.com/recipes/278731/
- os.open(REDIRECT_TO, os.O_RDWR) # standard input (0)
+ os.open(REDIRECT_TO, os.O_RDWR) # standard input (0)
- os.dup2(0, 1) # standard output (1)
- os.dup2(0, 2) # standard error (2)
+ os.dup2(0, 1) # standard output (1)
+ os.dup2(0, 2) # standard error (2)
except:
nicetype = etype
nicestack = string.join(traceback.format_list(traceback.extract_tb(etb)))
- return [ REMOTE_ERROR, nicetype, str(evalue), nicestack ]
+ return [ REMOTE_ERROR, nicetype, str(evalue), nicestack ]
def is_error(result):
# FIXME: I believe we can remove this function
"localhost" is a lame hostname to use for a key, so try to get
a more meaningful hostname. We do this by connecting to the certmaster
and seeing what interface/ip it uses to make that connection, and looking
- up the hostname for that.
+ up the hostname for that.
"""
# FIXME: this code ignores http proxies (which granted, we don't
- # support elsewhere either.
+ # support elsewhere either.
hostname = None
hostname = socket.gethostname()
# print "DEBUG: HOSTNAME TRY1: %s" % hostname
raise codes.CMException, "Could not create local keypair or csr for session"
result = False
-
+
while not result:
try:
# print "DEBUG: submitting CSR to certmaster: %s" % master_uri
# print "DEBUG: waiting for cert"
return s.wait_for_cert(csr)
-
projects / certmaster.git / commitdiff