There are times we need to hunt through the certmonger request files (such as when trying to stop tracking a cert). One criterion is the cert database, and the two values need to match exactly. We weren't normalizing this, so something as simple as a trailing slash would cause a match to fail.

Normalize both values to address this.

rob
>From d4cd8ef04827f7b28df23f252d56b5965f89af16 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <[email protected]>
Date: Tue, 8 Nov 2011 18:30:44 -0500
Subject: [PATCH] Use absolute paths when trying to find certmonger request
 id.

The value stored in certmonger is not guaranteed to be normalized
nor is the value passed-in (could be a relative path and may or may not
contain a trailing slash). We do direct string compares so they need
to match exactly or we won't find the request.

https://fedorahosted.org/freeipa/ticket/1942
---
 ipapython/certmonger.py |   19 ++++++++++++-------
 1 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py
index 1ed9076..3517be3 100644
--- a/ipapython/certmonger.py
+++ b/ipapython/certmonger.py
@@ -29,6 +29,9 @@ from ipapython import ipautil
 REQUEST_DIR='/var/lib/certmonger/requests/'
 CA_DIR='/var/lib/certmonger/cas/'
 
+# Normalizer types for critera in get_request_id()
+NPATH = 1
+
 def find_request_value(filename, directive):
     """
     Return a value from a certmonger request file for the requested directive
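Review bot: The comment above the new NPATH constant misspells "criteria" and does not say what the constant means to get_request_id(), which is the only place that interprets it. A reader adding a new criteria tuple has to open get_request_id() to learn that the third element selects a normalizer; suggest `# Normalizer for the third element of a get_request_id() criteria tuple: NPATH compares the stored value as an absolute path (os.path.abspath), None compares it verbatim`.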
@@ -83,7 +86,7 @@ def get_request_id(criteria):
     through all the request files. An alternative would be to parse the
     ipa-getcert list output but this seems cleaner.
 
-    criteria is a tuple of key/value pairs to search for. The more specific
+    criteria is a tuple of key/value/type to search for. The more specific
     the better. An error is raised if multiple request_ids are returned for
     the same criteria.
 
@@ -95,8 +98,10 @@ def get_request_id(criteria):
     fileList=os.listdir(REQUEST_DIR)
     for file in fileList:
         match = True
-        for (key, value) in criteria:
+        for (key, value, valtype) in criteria:
             rv = find_request_value('%s/%s' % (REQUEST_DIR, file), key)
+            if rv and valtype == NPATH:
+                rv = os.path.abspath(rv)
             if rv is None or rv.rstrip() != value:
                 match = False
                 break
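Review bot: os.path.abspath() is applied to rv before the existing rstrip() on the comparison line, so if find_request_value() returns the line with its trailing newline (the rstrip() suggests it can) the newline becomes the last path component, the trailing slash survives normalization and the new NPATH comparison still fails for exactly the trailing-slash case this patch targets; strip first, `rv = os.path.abspath(rv.rstrip())`. It would also be more robust to normalize the caller's value inside this function rather than relying on every caller to pre-normalize, e.g. `if valtype == NPATH: value = os.path.abspath(value)` before the comparison. Two caveats worth a comment: a relative path in the request file is resolved against the calling process's cwd, not certmonger's, and abspath() does not resolve symlinks, so a secdir given via a symlinked path still will not match what certmonger recorded (whether realpath() is correct depends on what certmonger stores, which this hunk does not show). get_request_id()'s body starts before this hunk.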
@@ -175,7 +180,7 @@ def cert_exists(nickname, secdir):
     the database.
     """
     args = ["/usr/bin/certutil", "-L",
-           "-d", secdir,
+           "-d", os.path.abspath(secdir),
            "-n", nickname
           ]
     (stdout, stderr, rc) = ipautil.run(args, raiseonerr=False)
@@ -193,10 +198,10 @@ def start_tracking(nickname, secdir, password_file=None):
 
     This assumes that certmonger is already running.
     """
-    if not cert_exists(nickname, secdir):
+    if not cert_exists(nickname, os.path.abspath(secdir)):
         raise RuntimeError('Nickname "%s" doesn\'t exist in NSS database "%s"' % (nickname, secdir))
     args = ["/usr/bin/ipa-getcert", "start-tracking",
-            "-d", secdir,
+            "-d", os.path.abspath(secdir),
             "-n", nickname]
     if password_file:
         args.append("-p")
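Review bot: start_tracking() now calls os.path.abspath(secdir) twice, and the cert_exists() call is normalized on both sides since cert_exists() already does it in the previous hunk; the RuntimeError message on the line after the check, however, still prints the un-normalized secdir. Normalizing once at the top of the function, `secdir = os.path.abspath(secdir)`, removes the repeated calls, keeps the error message consistent with what was actually checked, and the same applies to stop_tracking(), which normalizes secdir separately in the criteria tuple and again when appending the -d argument in the last two hunks. The body of start_tracking() starts before this hunk.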
@@ -216,7 +221,7 @@ def stop_tracking(secdir, request_id=None, nickname=None):
         raise RuntimeError('Both request_id and nickname are missing.')
     if nickname:
         # Using the nickname find the certmonger request_id
-        criteria = (('cert_storage_location','%s' % secdir),('cert_nickname', '%s' % nickname))
+        criteria = (('cert_storage_location','%s' % os.path.abspath(secdir), NPATH),('cert_nickname', '%s' % nickname, None))
         try:
             request_id = get_request_id(criteria)
             if request_id is None:
@@ -236,7 +241,7 @@ def stop_tracking(secdir, request_id=None, nickname=None):
         args.append('-n')
         args.append(nickname)
         args.append('-d')
-        args.append(secdir)
+        args.append(os.path.abspath(secdir))
 
     (stdout, stderr, returncode) = ipautil.run(args)
 
-- 
1.7.6.4
