From 240ba9b7e2ee00a8f6014c7d597a5afd1f96249c Mon Sep 17 00:00:00 2001 From: Jude N Date: Sun, 22 Mar 2015 11:47:07 -0400 Subject: [PATCH] BATS fell down pushing a process into the background, so I switched to shunit2 / lots of refactoring --- certmaster/certmaster.py | 65 +++++----- certmaster/config.py | 25 ++-- certmaster/requester.py | 4 +- certmaster/utils.py | 19 +-- scripts/certmaster-ca | 23 ++-- scripts/certmaster-request | 2 +- tests/certmaster.bats | 113 ----------------- tests/test-certmaster.sh | 240 +++++++++++++++++++++++++++++++++++++ 8 files changed, 317 insertions(+), 174 deletions(-) delete mode 100644 tests/certmaster.bats create mode 100755 tests/test-certmaster.sh diff --git a/certmaster/certmaster.py b/certmaster/certmaster.py index 71db996..36f2bc4 100644 --- a/certmaster/certmaster.py +++ b/certmaster/certmaster.py @@ -64,7 +64,7 @@ class CertMaster(object): self.cacert = {} for (s_caname,a_ca) in self.cfg.ca.iteritems(): - s_cadir = a_ca['cadir'] + s_cadir = a_ca.cadir if s_caname == "": mycn = '%s-CA-KEY' % usename @@ -88,10 +88,10 @@ class CertMaster(object): sys.exit(1) # open up the cakey and cacert so we have them available - self.cakey[s_caname] = certs.retrieve_key_from_file(s_ca_key_file) - self.cacert[s_caname] = certs.retrieve_cert_from_file(s_ca_cert_file) + a_ca.cakey = certs.retrieve_key_from_file(s_ca_key_file) + a_ca.cacert = certs.retrieve_cert_from_file(s_ca_cert_file) - for dirpath in [a_ca['cadir'], a_ca['certroot'], a_ca['csrroot'], a_ca['csrroot']]: + for dirpath in [a_ca.cadir, a_ca.certroot, a_ca.csrroot, a_ca.csrroot]: if not os.path.exists(dirpath): os.makedirs(dirpath) @@ -117,13 +117,18 @@ class CertMaster(object): commonname = commonname.replace('\\', '') return commonname - def wait_for_cert(self, csrbuf, ca='', with_triggers=True): + def wait_for_cert(self, csrbuf, ca_name, with_triggers=True): """ takes csr as a string returns True, caller_cert, ca_cert returns False, '', '' """ + try: + certauth = self.cfg.ca[ca_name] + except: + raise codes.CMException("Unknown cert authority: %s" % ca_name) + try: csrreq = crypto.load_certificate_request(crypto.FILETYPE_PEM, csrbuf) except crypto.Error, e: @@ -138,8 +143,8 @@ class CertMaster(object): self.logger.info("%s requested signing of cert %s" % (requesting_host,csrreq.get_subject().CN)) # get rid of dodgy characters in the filename we're about to make - certfile = '%s/%s.cert' % (self.cfg.ca[ca]['certroot'], requesting_host) - csrfile = '%s/%s.csr' % (self.cfg.ca[ca]['csrroot'], requesting_host) + certfile = '%s/%s.cert' % (certauth.certroot, requesting_host) + csrfile = '%s/%s.csr' % (certauth.csrroot, requesting_host) # check for old csr on disk # if we have it - compare the two - if they are not the same - raise a fault @@ -165,7 +170,7 @@ class CertMaster(object): if os.path.exists(certfile): slavecert = certs.retrieve_cert_from_file(certfile) cert_buf = crypto.dump_certificate(crypto.FILETYPE_PEM, slavecert) - cacert_buf = crypto.dump_certificate(crypto.FILETYPE_PEM, self.cacert[ca]) + cacert_buf = crypto.dump_certificate(crypto.FILETYPE_PEM, certauth.cacert) if with_triggers: self._run_triggers(requesting_host,'/var/lib/certmaster/triggers/request/post/*') return True, cert_buf, cacert_buf @@ -174,12 +179,12 @@ class CertMaster(object): # if we're autosign then sign it, write out the cert and return True, etc, etc # else write out the csr - if self.cfg.ca[ca]['autosign']: - cert_fn = self.sign_this_csr(csrreq,ca=ca) + if certauth.autosign: + cert_fn = self.sign_this_csr(csrreq,certauth) cert = certs.retrieve_cert_from_file(cert_fn) cert_buf = crypto.dump_certificate(crypto.FILETYPE_PEM, cert) - cacert_buf = crypto.dump_certificate(crypto.FILETYPE_PEM, self.cacert[ca]) - self.logger.info("cert for %s for ca %s was autosigned" % (requesting_host,ca)) + cacert_buf = crypto.dump_certificate(crypto.FILETYPE_PEM, certauth.cacert) + self.logger.info("cert for %s for ca %s was autosigned" % (requesting_host,ca_name)) if with_triggers: self._run_triggers(None,'/var/lib/certmaster/triggers/request/post/*') return True, cert_buf, cacert_buf @@ -190,16 +195,16 @@ class CertMaster(object): destfo.write(crypto.dump_certificate_request(crypto.FILETYPE_PEM, csrreq)) destfo.close() del destfo - self.logger.info("cert for %s for CA %s created and ready to be signed" % (requesting_host, ca)) + self.logger.info("cert for %s for CA %s created and ready to be signed" % (requesting_host, ca_name)) if with_triggers: self._run_triggers(None,'/var/lib/certmaster/triggers/request/post/*') return False, '', '' return False, '', '' - def get_csrs_waiting(self, ca=''): + def get_csrs_waiting(self, certauth): hosts = [] - csrglob = '%s/*.csr' % self.cfg.ca[ca]['csrroot'] + csrglob = '%s/*.csr' % certauth.csrroot csr_list = glob.glob(csrglob) for f in csr_list: hn = os.path.basename(f) @@ -207,12 +212,12 @@ class CertMaster(object): hosts.append(hn) return hosts - def remove_this_cert(self, hn, with_triggers=True, ca=''): + def remove_this_cert(self, hn, certauth, with_triggers=True): """ removes cert for hostname using unlink """ cm = self - csrglob = '%s/%s.csr' % (cm.cfg.ca[ca]['csrroot'], hn) + csrglob = '%s/%s.csr' % (certauth.csrroot, hn) csrs = glob.glob(csrglob) - certglob = '%s/%s.cert' % (cm.cfg.ca[ca]['certroot'], hn) + certglob = '%s/%s.cert' % (certauth.certroot, hn) certs = glob.glob(certglob) if not csrs and not certs: # FIXME: should be an exception? @@ -227,7 +232,7 @@ class CertMaster(object): if with_triggers: self._run_triggers(hn,'/var/lib/certmaster/triggers/remove/post/*') - def sign_this_csr(self, csr, with_triggers=True, ca=''): + def sign_this_csr(self, csr, certauth,with_triggers=True): """returns the path to the signed cert file""" csr_unlink_file = None @@ -237,10 +242,10 @@ class CertMaster(object): csr_buf = csrfo.read() csr_unlink_file = csr - elif os.path.exists('%s/%s' % (self.cfg.ca[ca]['csrroot'], csr)): # we have a partial path? - csrfo = open('%s/%s' % (self.cfg.ca[ca]['csrroot'], csr)) + elif os.path.exists('%s/%s' % (certauth.csrroot, csr)): # we have a partial path? + csrfo = open('%s/%s' % (certauth.csrroot, csr)) csr_buf = csrfo.read() - csr_unlink_file = '%s/%s' % (self.cfg.ca[ca]['csrroot'], csr) + csr_unlink_file = '%s/%s' % (certauth.csrroot, csr) # we have a string of some kind else: @@ -261,9 +266,9 @@ class CertMaster(object): self._run_triggers(requesting_host,'/var/lib/certmaster/triggers/sign/pre/*') - certfile = '%s/%s.cert' % (self.cfg.ca[ca]['certroot'], requesting_host) + certfile = '%s/%s.cert' % (certauth.certroot, requesting_host) self.logger.info("Signing for csr %s requested" % certfile) - thiscert = certs.create_slave_certificate(csrreq, self.cakey[ca], self.cacert[ca], self.cfg.ca[ca]['cadir']) + thiscert = certs.create_slave_certificate(csrreq, certauth.cakey, certauth.cacert, certauth.cadir) destfo = open(certfile, 'w') destfo.write(crypto.dump_certificate(crypto.FILETYPE_PEM, thiscert)) @@ -282,8 +287,8 @@ class CertMaster(object): return certfile # return a list of already signed certs - def get_signed_certs(self, hostglobs=None, ca=''): - certglob = "%s/*.cert" % (self.cfg.ca[ca]['certroot']) + def get_signed_certs(self, certauth,hostglobs=None): + certglob = "%s/*.cert" % (certauth.certroot) certs = [] globs = "*" @@ -291,7 +296,7 @@ class CertMaster(object): globs = hostglobs for hostglob in globs: - certglob = "%s/%s.cert" % (self.cfg.ca[ca]['certroot'], hostglob) + certglob = "%s/%s.cert" % (certauth.certroot, hostglob) certs = certs + glob.glob(certglob) signed_certs = [] @@ -309,8 +314,8 @@ class CertMaster(object): return glob.glob(myglob) # return a list of the cert hash string we use to identify systems - def get_cert_hashes(self, hostglobs=None,ca=''): - certglob = "%s/*.cert" % (self.cfg.ca[ca]['certroot']) + def get_cert_hashes(self, certauth, hostglobs=None): + certglob = "%s/*.cert" % (certauth.certroot) certfiles = [] globs = "*" @@ -318,7 +323,7 @@ class CertMaster(object): globs = hostglobs for hostglob in globs: - certglob = "%s/%s.cert" % (self.cfg.ca[ca]['certroot'], hostglob) + certglob = "%s/%s.cert" % (certauth.certroot, hostglob) certfiles = certfiles + glob.glob(certglob) cert_hashes = [] diff --git a/certmaster/config.py b/certmaster/config.py index 205af35..7f7e623 100644 --- a/certmaster/config.py +++ b/certmaster/config.py @@ -478,22 +478,29 @@ def read_config(config_file, BaseConfigDerived): ## build up the cas structure opts.ca = {} - opts.ca[''] = {} +# opts.ca[''] = {} ## Add the default items when just using a single ca - main_items = confparser.items('main') - for (key,value) in main_items: - if key in ['autosign','cadir','cert_dir','certroot','csrroot']: - opts.ca[''][key] = value +# main_items = confparser.items('main') +# for (key,value) in main_items: +# if key in ['autosign','cadir','cert_dir','certroot','csrroot']: +# print "main ca: key: %s, value: %s" % (key,value) +# opts.ca[''][key] = value + opts.ca[''] = BaseConfigDerived() + opts.ca[''].populate(confparser,'main') ## Add additonal ca sections sections = confparser.sections() for a_section in sections: if a_section.startswith('ca:'): ca_name = a_section[3:] - items = confparser.items(a_section) - opts.ca[ca_name] = {} - for (key,value) in items: - opts.ca[ca_name][key] = value +# items = confparser.items(a_section) +# opts.ca[ca_name] = {} +# for (key,value) in items: +# opts.ca[ca_name][key] = value + opts.ca[ca_name] = BaseConfigDerived() + opts.ca[ca_name].populate(confparser,a_section) + opts.ca[ca_name].cakey = None + opts.ca[ca_name].cacert = None return opts diff --git a/certmaster/requester.py b/certmaster/requester.py index 9a0e94f..8a857ad 100644 --- a/certmaster/requester.py +++ b/certmaster/requester.py @@ -15,8 +15,8 @@ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. import utils -def request_cert(hostname=None, ca=''): +def request_cert(hostname=None, ca_name=''): # this should be enough, but do we want to allow parameters # for overriding the server and port from the config file? # maybe not. -- mpd - utils.create_minion_keys(hostname,ca) + utils.create_minion_keys(hostname,ca_name) diff --git a/certmaster/utils.py b/certmaster/utils.py index d160982..e348ec4 100644 --- a/certmaster/utils.py +++ b/certmaster/utils.py @@ -28,7 +28,6 @@ import sub_process # FIXME: module needs better pydoc - # FIXME: can remove this constant? REMOTE_ERROR = "REMOTE_ERROR" @@ -38,9 +37,6 @@ if (hasattr(os, "devnull")): else: REDIRECT_TO = "/dev/null" - - - def trace_me(): x = traceback.extract_stack() bar = string.join(traceback.format_list(x)) @@ -122,14 +118,19 @@ def get_hostname(talk_to_certmaster=True): # FIXME: move to requestor module and also create a verbose mode # prints to the screen for usage by /usr/bin/certmaster-request -def create_minion_keys(hostname=None, ca=''): +def create_minion_keys(hostname=None, ca_name=''): log = logger.Logger().logger # FIXME: paths should not be hard coded here, move to settings universally config_file = '/etc/certmaster/minion.conf' config = read_config(config_file, MinionConfig) - cert_dir = config.ca[ca]['cert_dir'] + try: + certauth=config.ca[ca_name] + except: + raise codes.CMException("Unknown cert authority: %s" % ca_name) + + cert_dir = certauth.cert_dir master_uri = 'http://%s:%s/' % (config.certmaster, config.certmaster_port) @@ -172,7 +173,7 @@ def create_minion_keys(hostname=None, ca=''): try: # print "DEBUG: submitting CSR to certmaster: %s" % master_uri log.debug("submitting CSR: %s to certmaster %s" % (csr_file, master_uri)) - result, cert_string, ca_cert_string = submit_csr_to_master(csr_file, master_uri, ca) + result, cert_string, ca_cert_string = submit_csr_to_master(csr_file, master_uri, ca_name) except socket.error, e: log.warning("Could not locate certmaster at %s" % master_uri) @@ -232,7 +233,7 @@ def run_triggers(ref, globber): raise codes.CMException, "certmaster trigger failed: %(file)s returns %(code)d" % { "file" : file, "code" : rc } -def submit_csr_to_master(csr_file, master_uri, ca=''): +def submit_csr_to_master(csr_file, master_uri, ca_name=''): """" gets us our cert back from the certmaster.wait_for_cert() method takes csr_file as path location and master_uri @@ -244,4 +245,4 @@ def submit_csr_to_master(csr_file, master_uri, ca=''): s = xmlrpclib.ServerProxy(master_uri) # print "DEBUG: waiting for cert" - return s.wait_for_cert(csr,ca) + return s.wait_for_cert(csr,ca_name) diff --git a/scripts/certmaster-ca b/scripts/certmaster-ca index 7f8f967..75bfad3 100755 --- a/scripts/certmaster-ca +++ b/scripts/certmaster-ca @@ -15,15 +15,12 @@ import certmaster import certmaster.certs import certmaster.certmaster - - - def errorprint(stuff): print >> sys.stderr, stuff class CertmasterCAOptionParser(optparse.OptionParser): def get_version(self): - return file("/etc/func/version").read().strip() + return file("/etc/certmaster/version").read().strip() def parseargs(args): usage = 'certmaster-ca