X-Git-Url: https://pwan.org/git/?p=certmaster.git;a=blobdiff_plain;f=certmaster%2Futils.py;h=e348ec492b5e37c743eba7913249eda6ad9efdf9;hp=958d26ddb8208029927b99d4a2374631d7b38420;hb=240ba9b7e2ee00a8f6014c7d597a5afd1f96249c;hpb=48b1e96d3c66a1a733ca573505e7203651142308

diff --git a/certmaster/utils.py b/certmaster/utils.py
old mode 100755
new mode 100644
index 958d26d..e348ec4
--- a/certmaster/utils.py
+++ b/certmaster/utils.py
@@ -28,7 +28,6 @@ import sub_process
 
 # FIXME: module needs better pydoc
 
-
 # FIXME: can remove this constant?
 REMOTE_ERROR = "REMOTE_ERROR"
 
@@ -38,9 +37,6 @@ if (hasattr(os, "devnull")):
 else:
     REDIRECT_TO = "/dev/null"
 
-
-
-
 def trace_me():
     x = traceback.extract_stack()
     bar = string.join(traceback.format_list(x))
@@ -57,7 +53,7 @@ def daemonize(pidfile=None):
         sys.exit(0)
     os.chdir("/")
     os.setsid()
-    os.umask(0)
+    os.umask(077)
     pid = os.fork()
 
     os.close(0)
@@ -65,10 +61,10 @@ def daemonize(pidfile=None):
     os.close(2)
 
     # based on http://code.activestate.com/recipes/278731/
-    os.open(REDIRECT_TO, os.O_RDWR)	# standard input (0)
+    os.open(REDIRECT_TO, os.O_RDWR)     # standard input (0)
 
-    os.dup2(0, 1)			# standard output (1)
-    os.dup2(0, 2)			# standard error (2)
+    os.dup2(0, 1)                       # standard output (1)
+    os.dup2(0, 2)                       # standard error (2)
 
 
 
@@ -87,7 +83,7 @@ def nice_exception(etype, evalue, etb):
     except:
         nicetype = etype
     nicestack = string.join(traceback.format_list(traceback.extract_tb(etb)))
-    return [ REMOTE_ERROR, nicetype, str(evalue), nicestack ] 
+    return [ REMOTE_ERROR, nicetype, str(evalue), nicestack ]
 
 def is_error(result):
     # FIXME: I believe we can remove this function
@@ -104,71 +100,55 @@ def get_hostname(talk_to_certmaster=True):
     "localhost" is a lame hostname to use for a key, so try to get
     a more meaningful hostname. We do this by connecting to the certmaster
     and seeing what interface/ip it uses to make that connection, and looking
-    up the hostname for that. 
+    up the hostname for that.
     """
     # FIXME: this code ignores http proxies (which granted, we don't
-    #      support elsewhere either. It also hardcodes the port number
-    #      for the certmaster for now
+    #      support elsewhere either.
     hostname = None
     hostname = socket.gethostname()
     # print "DEBUG: HOSTNAME TRY1: %s" % hostname
     try:
         ip = socket.gethostbyname(hostname)
-        # print "DEBUG: IP TRY2: %s" % ip
     except:
-        # print "DEBUG: ERROR: returning"
         return hostname
     if ip != "127.0.0.1":
-        # print "DEBUG: ERROR: returning 2"
         return hostname
 
-    if talk_to_certmaster:
-        config_file = '/etc/certmaster/minion.conf'
-        config = read_config(config_file, MinionConfig)
-
-        server = config.certmaster
-        port = config.certmaster_port
-
-        try:
-            s = socket.socket()
-            s.settimeout(5)
-            s.connect((server, port))
-            (intf, port) = s.getsockname()
-            remote_hostname = socket.gethostbyaddr(intf)[0]
-            if remote_hostname != "localhost":
-               hostname = remote_hostname
-               # print "DEBUG: HOSTNAME FROM CERTMASTER == %s" % hostname
-            s.close()
-        except:
-            s.close()
-            raise
-
-    # print "DEBUG: final hostname=%s" % hostname
-    return hostname
-    
 
 # FIXME: move to requestor module and also create a verbose mode
 # prints to the screen for usage by /usr/bin/certmaster-request
 
-def create_minion_keys():
+def create_minion_keys(hostname=None, ca_name=''):
+    log = logger.Logger().logger
+
     # FIXME: paths should not be hard coded here, move to settings universally
     config_file = '/etc/certmaster/minion.conf'
     config = read_config(config_file, MinionConfig)
-    cert_dir = config.cert_dir
+
+    try:
+        certauth=config.ca[ca_name]
+    except:
+        raise codes.CMException("Unknown cert authority: %s" % ca_name)
+
+    cert_dir = certauth.cert_dir
+        
     master_uri = 'http://%s:%s/' % (config.certmaster, config.certmaster_port)
-    # print "DEBUG: acquiring hostname"
-    hn = get_hostname()
-    # print "DEBUG: hostname = %s\n" % hn
+
+    hn = hostname
+    if hn is None:
+        hn = get_hostname()
 
     if hn is None:
         raise codes.CMException("Could not determine a hostname other than localhost")
+    else:
+        # use lowercase letters for hostnames
+        hn = hn.lower()
 
     key_file = '%s/%s.pem' % (cert_dir, hn)
     csr_file = '%s/%s.csr' % (cert_dir, hn)
     cert_file = '%s/%s.cert' % (cert_dir, hn)
     ca_cert_file = '%s/ca.cert' % cert_dir
 
-
     if os.path.exists(cert_file) and os.path.exists(ca_cert_file):
         # print "DEBUG: err, no cert_file"
         return
@@ -182,20 +162,20 @@ def create_minion_keys():
         if not os.path.exists(csr_file):
             if not keypair:
                 keypair = certs.retrieve_key_from_file(key_file)
-            csr = certs.make_csr(keypair, dest=csr_file)
+            csr = certs.make_csr(keypair, dest=csr_file, hostname=hn)
     except Exception, e:
         traceback.print_exc()
         raise codes.CMException, "Could not create local keypair or csr for session"
 
     result = False
-    log = logger.Logger().logger
+
     while not result:
         try:
             # print "DEBUG: submitting CSR to certmaster: %s" % master_uri
-            log.debug("submitting CSR to certmaster %s" % master_uri)
-            result, cert_string, ca_cert_string = submit_csr_to_master(csr_file, master_uri)
-        except socket.gaierror, e:
-            raise codes.CMException, "Could not locate certmaster at %s" % master_uri
+            log.debug("submitting CSR: %s  to certmaster %s" % (csr_file, master_uri))
+            result, cert_string, ca_cert_string = submit_csr_to_master(csr_file, master_uri, ca_name)
+        except socket.error, e:
+            log.warning("Could not locate certmaster at %s" % master_uri)
 
         # logging here would be nice
         if not result:
@@ -207,6 +187,13 @@ def create_minion_keys():
     if result:
         # print "DEBUG: recieved certificate from certmaster"
         log.debug("received certificate from certmaster %s, storing to %s" % (master_uri, cert_file))
+        if not keypair:
+            keypair = certs.retrieve_key_from_file(key_file)
+        valid = certs.check_cert_key_match(cert_string, keypair)
+        if not valid:
+            log.info("certificate does not match key (run certmaster-ca --clean first?)")
+            sys.stderr.write("certificate does not match key (run certmaster-ca --clean first?)\n")
+            return
         cert_fd = os.open(cert_file, os.O_RDWR|os.O_CREAT, 0644)
         os.write(cert_fd, cert_string)
         os.close(cert_fd)
@@ -246,7 +233,7 @@ def run_triggers(ref, globber):
             raise codes.CMException, "certmaster trigger failed: %(file)s returns %(code)d" % { "file" : file, "code" : rc }
 
 
-def submit_csr_to_master(csr_file, master_uri):
+def submit_csr_to_master(csr_file, master_uri, ca_name=''):
     """"
     gets us our cert back from the certmaster.wait_for_cert() method
     takes csr_file as path location and master_uri
@@ -258,5 +245,4 @@ def submit_csr_to_master(csr_file, master_uri):
     s = xmlrpclib.ServerProxy(master_uri)
 
     # print "DEBUG: waiting for cert"
-    return s.wait_for_cert(csr)
-              
+    return s.wait_for_cert(csr,ca_name)