-- David Kupka
From ece6e155007e5ab1c13c4cb61977fec5c68c8e51 Mon Sep 17 00:00:00 2001 From: David Kupka <dku...@redhat.com> Date: Wed, 1 Jul 2015 16:26:15 +0200 Subject: [PATCH] cermonger: Use private unix socket when DBus SystemBus is not available.
--- ipaplatform/base/paths.py | 1 + ipapython/certmonger.py | 125 +++++++++++++++++++++++++++++++++------------- 2 files changed, 91 insertions(+), 35 deletions(-) diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index e94cb9d02a8d429a5c19a935766486d5e60c97ad..52ab156c907158d6f52ca4ffc876c01cd5ffa01e 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -346,6 +346,7 @@ class BasePathNamespace(object): BAK2DB = '/usr/sbin/bak2db' DB2BAK = '/usr/sbin/db2bak' KDCPROXY_CONFIG = '/etc/ipa/kdcproxy/kdcproxy.conf' + CERTMONGER = '/usr/sbin/certmonger' path_namespace = BasePathNamespace diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py index 4baaaa85da08bb943d6b9f0091a1d2acc36b18d6..09e1ce78609f205c7e633053c1fab36d095ee07d 100644 --- a/ipapython/certmonger.py +++ b/ipapython/certmonger.py @@ -27,6 +27,8 @@ import sys import time import dbus import shlex +import subprocess +import tempfile from ipapython import ipautil from ipapython import dogtag from ipapython.ipa_log_manager import * @@ -39,12 +41,11 @@ DBUS_CM_REQUEST_IF = 'org.fedorahosted.certmonger.request' DBUS_CM_CA_IF = 'org.fedorahosted.certmonger.ca' DBUS_PROPERTY_IF = 'org.freedesktop.DBus.Properties' - class _cm_dbus_object(object): """ Auxiliary class for convenient DBus object handling. """ - def __init__(self, bus, object_path, object_dbus_interface, + def __init__(self, bus, parent, object_path, object_dbus_interface, parent_dbus_interface=None, property_interface=False): """ bus - DBus bus object, result of dbus.SystemBus() or dbus.SessionBus() @@ -60,6 +61,7 @@ class _cm_dbus_object(object): if parent_dbus_interface is None: parent_dbus_interface = object_dbus_interface self.bus = bus + self.parent = parent self.path = object_path self.obj_dbus_if = object_dbus_interface self.parent_dbus_if = parent_dbus_interface @@ -74,31 +76,83 @@ def _start_certmonger(): Start certmonger daemon. If it's already running systemctl just ignores the command. """ - if not services.knownservices.certmonger.is_running(): - try: - services.knownservices.certmonger.start() - except Exception, e: - root_logger.error('Failed to start certmonger: %s' % e) - raise - - -def _connect_to_certmonger(): - """ - Start certmonger daemon and connect to it via DBus. - """ try: - _start_certmonger() - except (KeyboardInterrupt, OSError), e: + services.knownservices.certmonger.start() + except Exception, e: root_logger.error('Failed to start certmonger: %s' % e) raise - try: - bus = dbus.SystemBus() - cm = _cm_dbus_object(bus, DBUS_CM_PATH, DBUS_CM_IF) - except dbus.DBusException, e: - root_logger.error("Failed to access certmonger over DBus: %s", e) - raise - return cm + +def _private_conn_start(): + sock_dir = tempfile.mkdtemp() + sock_filename = os.path.join(sock_dir, 'certmonger') + proc = subprocess.Popen([paths.CERTMONGER, '-n', '-L', '-P', sock_filename], stderr=subprocess.STDOUT) + while not os.path.exists(sock_filename): + time.sleep(1) + unix_sock = "unix:path=%s" % sock_filename + return (unix_sock, proc) + + +def _private_conn_stop(proc, timeout=30): + retcode = proc.poll() + if retcode is not None: + return + proc.terminate() + for i in range(0, timeout, 5): + retcode = proc.poll() + if retcode is not None: + return + time.sleep(5) + proc.kill() + + +class _certmonger(_cm_dbus_object): + """ + Create a connection to certmonger. + By default use SystemBus. When not available use private connection + over Unix socket. + This solution is really ugly and should be removed as soon as DBus + SystemBus is available at system install time. + """ + _bus = None + _private_sock = None + _proc = None + + def __del__(self): + if self._proc: + _private_conn_stop(self._proc) + + def __init__(self): + if self._bus and self._bus.get_is_connected(): + return + + try: + self._bus = dbus.SystemBus() + except dbus.DBusException as e: + err_name = e.get_dbus_name() + if err_name == 'org.freedesktop.DBus.Error.ServiceUnknown': + try: + _start_certmonger() + except Exception as e: + root_logger.error("Failed to start certmonger: %s" % e) + else: + try: + self._bus = dbus.SystemBus() + except dbus.DBusException as e: + err_name = e.get_dbus_name() + + if not self._bus: + if err_name not in ['org.freedesktop.DBus.Error.NoServer', + 'org.freedesktop.DBus.Error.FileNotFound']: + root_logger.error("Failed to connect to certmonger over SystemBus: %s" % e) + raise + try: + (self._private_sock, self._proc) = _private_conn_start() + self._bus = dbus.connection.Connection(self._private_sock) + except dbus.DBusException as e: + root_logger.error("Failed to connect to certmonger over private socket: %s" % e) + raise + super(_certmonger, self).__init__(self._bus, None, DBUS_CM_PATH, DBUS_CM_IF) def _get_requests(criteria=dict()): @@ -108,7 +162,7 @@ def _get_requests(criteria=dict()): if not isinstance(criteria, dict): raise TypeError('"criteria" must be dict.') - cm = _connect_to_certmonger() + cm = _certmonger() requests = [] requests_paths = [] if 'nickname' in criteria: @@ -119,12 +173,12 @@ def _get_requests(criteria=dict()): requests_paths = cm.obj_if.get_requests() for request_path in requests_paths: - request = _cm_dbus_object(cm.bus, request_path, DBUS_CM_REQUEST_IF, + request = _cm_dbus_object(cm.bus, cm, request_path, DBUS_CM_REQUEST_IF, DBUS_CM_IF, True) for criterion in criteria: if criterion == 'ca-name': ca_path = request.obj_if.get_ca() - ca = _cm_dbus_object(cm.bus, ca_path, DBUS_CM_CA_IF, + ca = _cm_dbus_object(cm.bus, cm, ca_path, DBUS_CM_CA_IF, DBUS_CM_IF) value = ca.obj_if.get_nickname() else: @@ -133,6 +187,7 @@ def _get_requests(criteria=dict()): break else: requests.append(request) + return requests @@ -166,7 +221,7 @@ def get_request_value(request_id, directive): if request: if directive == 'ca-name': ca_path = request.obj_if.get_ca() - ca = _cm_dbus_object(request.bus, ca_path, DBUS_CM_CA_IF, + ca = _cm_dbus_object(request.bus, request, ca_path, DBUS_CM_CA_IF, DBUS_CM_IF) return ca.obj_if.get_nickname() else: @@ -250,7 +305,7 @@ def request_cert(nssdb, nickname, subject, principal, passwd_fname=None): """ Execute certmonger to request a server certificate. """ - cm = _connect_to_certmonger() + cm = _certmonger() ca_path = cm.obj_if.find_ca_by_nickname('IPA') if not ca_path: raise RuntimeError('IPA CA not found') @@ -264,7 +319,7 @@ def request_cert(nssdb, nickname, subject, principal, passwd_fname=None): result = cm.obj_if.add_request(request_parameters) try: if result[0]: - request = _cm_dbus_object(cm.bus, result[1], DBUS_CM_REQUEST_IF, + request = _cm_dbus_object(cm.bus, cm, result[1], DBUS_CM_REQUEST_IF, DBUS_CM_IF, True) except TypeError: root_logger.error('Failed to get create new request.') @@ -283,7 +338,7 @@ def start_tracking(nickname, secdir, password_file=None, command=None): Returns certificate nickname. """ - cm = _connect_to_certmonger() + cm = _certmonger() params = {'TRACK': True} params['cert-nickname'] = nickname params['cert-database'] = os.path.abspath(secdir) @@ -302,7 +357,7 @@ def start_tracking(nickname, secdir, password_file=None, command=None): result = cm.obj_if.add_request(params) try: if result[0]: - request = _cm_dbus_object(cm.bus, result[1], DBUS_CM_REQUEST_IF, + request = _cm_dbus_object(cm.bus, cm, result[1], DBUS_CM_REQUEST_IF, DBUS_CM_IF, True) except TypeError, e: root_logger.error('Failed to add new request.') @@ -330,7 +385,7 @@ def stop_tracking(secdir, request_id=None, nickname=None): root_logger.error('Failed to get request: %s' % e) raise if request: - cm = _connect_to_certmonger() + cm = _certmonger() cm.obj_if.remove_request(request.path) @@ -357,9 +412,9 @@ def _find_IPA_ca(): We can use find_request_value because the ca files have the same file format. """ - cm = _connect_to_certmonger() + cm = _certmonger() ca_path = cm.obj_if.find_ca_by_nickname('IPA') - return _cm_dbus_object(cm.bus, ca_path, DBUS_CM_CA_IF, DBUS_CM_IF, True) + return _cm_dbus_object(cm.bus, cm, ca_path, DBUS_CM_CA_IF, DBUS_CM_IF, True) def add_principal_to_cas(principal): @@ -423,7 +478,7 @@ def dogtag_start_tracking(ca, nickname, pin, pinfile, secdir, pre_command, Both commands can be None. """ - cm = _connect_to_certmonger() + cm = _certmonger() certmonger_cmd_template = paths.CERTMONGER_COMMAND_TEMPLATE params = {'TRACK': True} -- 2.4.3
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code