recursive-include init-scripts *
recursive-include po *.po
recursive-include po *.pot
+recursice-include triggers *
include AUTHORS
include LICENSE
include README
%{python_sitelib}/certmaster/*.py*
%dir /var/log/certmaster
%dir /var/lib/certmaster
+%dir /var/lib/certmaster/triggers/sign/pre
+%dir /var/lib/certmaster/triggers/sign/post
+%dir /var/lib/certmaster/triggers/request/pre
+%dir /var/lib/certmaster/triggers/request/post
+%dir /var/lib/certmaster/triggers/remove/pre
+%dir /var/lib/certmaster/triggers/remove/post
%doc AUTHORS README LICENSE
%{_mandir}/man1/*.1.gz
%changelog
+* Tue Apr 15 2008 Steve Salevan <ssalevan@redhat.com> - 0.1-3
+- added in trigger directories
+
* Mon Mar 17 2008 Adrian Likins <alikins@redhat.com> - 0.1-2
- removed unused minion/ and overlord/ dirs
commonname = commonname.replace('\\', '')
return commonname
- def wait_for_cert(self, csrbuf):
+ def wait_for_cert(self, csrbuf, with_triggers=True):
"""
takes csr as a string
returns True, caller_cert, ca_cert
return False, '', ''
requesting_host = self._sanitize_cn(csrreq.get_subject().CN)
-
+
+ if with_triggers:
+ self._run_triggers(None, '/var/lib/certmaster/triggers/request/pre/*')
self.logger.info("%s requested signing of cert %s" % (requesting_host,csrreq.get_subject().CN))
# get rid of dodgy characters in the filename we're about to make
slavecert = certs.retrieve_cert_from_file(certfile)
cert_buf = crypto.dump_certificate(crypto.FILETYPE_PEM, slavecert)
cacert_buf = crypto.dump_certificate(crypto.FILETYPE_PEM, self.cacert)
+ if with_triggers:
+ self._run_triggers(None,'/var/lib/certmaster/triggers/request/post/*')
return True, cert_buf, cacert_buf
# if we don't have a cert then:
cert_buf = crypto.dump_certificate(crypto.FILETYPE_PEM, cert)
cacert_buf = crypto.dump_certificate(crypto.FILETYPE_PEM, self.cacert)
self.logger.info("cert for %s was autosigned" % (requesting_host))
+ if with_triggers:
+ self._run_triggers(None,'/var/lib/certmaster/triggers/request/post/*')
return True, cert_buf, cacert_buf
else:
destfo.close()
del destfo
self.logger.info("cert for %s created and ready to be signed" % (requesting_host))
+ if with_triggers:
+ self._run_triggers(None,'/var/lib/certmaster/triggers/request/post/*')
return False, '', ''
return False, '', ''
hosts.append(hn)
return hosts
- def remove_this_cert(self, hn):
+ def remove_this_cert(self, hn, with_triggers=True):
""" removes cert for hostname using unlink """
cm = self
csrglob = '%s/%s.csr' % (cm.cfg.csrroot, hn)
# FIXME: should be an exception?
print 'No match for %s to clean up' % hn
return
+ if with_triggers:
+ self._run_triggers(None,'/var/lib/certmaster/triggers/remove/pre/*')
for fn in csrs + certs:
print 'Cleaning out %s for host matching %s' % (fn, hn)
self.logger.info('Cleaning out %s for host matching %s' % (fn, hn))
- os.unlink(fn)
+ os.unlink(fn)
+ if with_triggers:
+ self._run_triggers(None,'/var/lib/certmaster/triggers/remove/post/*')
- def sign_this_csr(self, csr):
+ def sign_this_csr(self, csr, with_triggers=True):
"""returns the path to the signed cert file"""
csr_unlink_file = None
else: # assume we got a bare csr req
csrreq = csr
+ if with_triggers:
+ self._run_triggers(None,'/var/lib/certmaster/triggers/sign/pre/*')
+
requesting_host = self._sanitize_cn(csrreq.get_subject().CN)
certfile = '%s/%s.cert' % (self.cfg.certroot, requesting_host)
del destfo
- self.logger.info("csr %s signed" % (certfile))
+ self.logger.info("csr %s signed" % (certfile))
+ if with_triggers:
+ self._run_triggers(None,'/var/lib/certmaster/triggers/sign/post/*')
+
+
if csr_unlink_file and os.path.exists(csr_unlink_file):
os.unlink(csr_unlink_file)
return certfile
-
+ def _run_triggers(self, ref, globber):
+ return utils.run_triggers(ref, globber)
class CertmasterXMLRPCServer(SimpleXMLRPCServer.SimpleXMLRPCServer):
from config import read_config
from commonconfig import MinionConfig
import logger
+import sub_process
# FIXME: module needs better pydoc
try:
s = socket.socket()
s.settimeout(5)
+ print "server, port", server, port
s.connect((server, port))
(intf, port) = s.getsockname()
remote_hostname = socket.gethostbyaddr(intf)[0]
os.write(ca_cert_fd, ca_cert_string)
os.close(ca_cert_fd)
+def run_triggers(ref, globber):
+ """
+ Runs all the trigger scripts in a given directory.
+ ref can be a certmaster object, if not None, the name will be passed
+ to the script. If ref is None, the script will be called with
+ no argumenets. Globber is a wildcard expression indicating which
+ triggers to run. Example: "/var/lib/certmaster/triggers/blah/*"
+ """
+
+ log = logger.Logger().logger
+ triggers = glob.glob(globber)
+ triggers.sort()
+ for file in triggers:
+ log.debug("Executing trigger: %s" % file)
+ try:
+ if file.find(".rpm") != -1:
+ # skip .rpmnew files that may have been installed
+ # in the triggers directory
+ continue
+ if ref:
+ rc = sub_process.call([file, ref.name], shell=False)
+ else:
+ rc = sub_process.call([file], shell=False)
+ except:
+ log.warning("Warning: failed to execute trigger: %s" % file)
+ continue
+
+ if rc != 0:
+ raise codes.CMException, "certmaster trigger failed: %(file)s returns %(code)d" % { "file" : file, "code" : rc }
+
+
def submit_csr_to_master(csr_file, master_uri):
""""
gets us our cert back from the certmaster.wait_for_cert() method
initpath = "/etc/init.d/"
logpath = "/var/log/%s/" % NAME
certdir = "/var/lib/%s/" % NAME
+ trigpath = "/var/lib/%s/triggers/"% NAME
pkipath = "/etc/pki/%s" % NAME
rotpath = "/etc/logrotate.d"
aclpath = "%s/minion-acl.d" % etcpath
(certdir, []),
(etcpath, []),
(pkipath, []),
- (aclpath, [])
+ (aclpath, []),
+ ("%s/sign/pre/" % trigpath, []),
+ ("%s/sign/post/" % trigpath, []),
+ ("%s/remove/pre/" % trigpath, []),
+ ("%s/remove/post/" % trigpath, []),
+ ("%s/request/pre/" % trigpath, []),
+ ("%s/request/post/" % trigpath, []),
],
description = SHORT_DESC,
long_description = LONG_DESC