Example #1
def get_manager():
    """Return the manager object used to drive certificate updates.

    An ``action_client.ActionClient`` is returned when the
    ``subscription_manager.action_client`` module is already loaded in
    ``sys.modules``; otherwise a ``certmgr.CertManager`` is built around the
    connection returned by ``get_uep()``.
    """
    if 'subscription_manager.action_client' not in sys.modules:
        # for compatibility with subscription-manager >= 1.13
        return certmgr.CertManager(uep=get_uep())
    return action_client.ActionClient()
Example #2
    def test_idcertlib_gone_exception(self, mock_update):
        """A GoneException from the patched update must propagate to the caller.

        ``mock_update`` is supplied by a patch that is not visible here
        (presumably the identity cert lib update -- confirm against the
        decorator). The entitlement cert report must still list the stub
        entitlement's serial as valid.
        """
        gone = GoneException(410, "bye bye", " 234234")
        mock_update.side_effect = gone

        client = action_client.ActionClient()
        self.assertRaises(GoneException, client.update)

        # the entitlement cert update is expected to have completed regardless
        ent_report = client.entcertlib.report
        self.assertIn(self.stub_ent1.serial, ent_report.valid)
def get_manager():
    """Return the manager object used to drive certificate updates.

    An ``action_client.ActionClient`` is returned when the
    ``subscription_manager.action_client`` module is already loaded in
    ``sys.modules``. Otherwise a ``certmgr.CertManager`` is created over a
    ``UEPConnection`` that presents the consumer identity certificate and key
    taken from ``ConsumerIdentity.certpath()`` / ``keypath()``.
    """
    if 'subscription_manager.action_client' in sys.modules:
        return action_client.ActionClient()

    # for compatibility with subscription-manager >= 1.13
    identity_conn = connection.UEPConnection(
        cert_file=ConsumerIdentity.certpath(),
        key_file=ConsumerIdentity.keypath())
    return certmgr.CertManager(uep=identity_conn)
Example #4
    def test_missing(self, cert_build_mock):
        """An entitlement with no local certificate is reported as added.

        ``cert_build_mock`` is supplied by a patch outside this view; it is
        made to return a (key, cert) pair whose cert is ``self.stub_ent1``.
        """
        # simulate a client that has no certificates on disk
        self._stub_certificate_calls()
        cert_build_mock.return_value = (mock.Mock(), self.stub_ent1)

        client = action_client.ActionClient()
        client.update()

        ent_report = client.entcertlib.report
        self.assertIn(self.stub_ent1, ent_report.added)
Example #5
    def test_idcertlib_update_exception(self, mock_log, mock_update):
        """update() must swallow an unexpected exception and log it.

        Both mocks come from patches outside this view. The test passes once
        any ``exception`` call recorded on ``mock_log`` carries an
        ``ExceptionalException`` as its first positional argument.
        """
        mock_update.side_effect = ExceptionalException()

        client = action_client.ActionClient()
        client.update()

        was_logged = any(
            entry[0] == 'exception'
            and isinstance(entry[1][0], ExceptionalException)
            for entry in mock_log.method_calls)
        if not was_logged:
            self.fail("Did not ExceptionException in the logged exceptions")
Example #6
    def test_rogue(self):
        """Local entitlement certs unknown to the server are reported as rogue."""
        # "rogue" certs exist locally but are not known to the server, so the
        # server-side serial listing is mocked to return nothing
        no_serials = mock.Mock(return_value=[])
        self.mock_uep.getCertificateSerials = no_serials
        self.set_consumer_auth_cp(self.mock_uep)

        client = action_client.ActionClient()
        client.update()

        ent_report = client.entcertlib.report
        # both local entitlement certs should show up as rogue
        for position in (0, 1):
            self.assertIn(self.local_ent_certs[position], ent_report.rogue)
Example #7
    def test_exception_on_cert_write(self, mock_log, mock_cert_build):
        """A failure while building/writing certs is logged, not propagated.

        Same setup as the missing-certificate case, except that the patched
        cert builder raises. Both mocks come from patches outside this view.
        """
        self._stub_certificate_calls()
        mock_cert_build.side_effect = ExceptionalException()

        client = action_client.ActionClient()
        # the cert lib update fails internally; update() is expected to carry
        # on and handle it rather than raise
        client.update()

        was_logged = False
        for entry in mock_log.method_calls:
            if entry[0] != 'exception':
                continue
            if isinstance(entry[1][0], ExceptionalException):
                was_logged = True
                break
        if not was_logged:
            self.fail("Did not ExceptionException in the logged exceptions")
Example #8
    def test_expired(self, cert_build_mock):
        """Expired local certs with no server-side replacement end up rogue.

        ``cert_build_mock`` is supplied by a patch outside this view.
        """
        cert_build_mock.return_value = (mock.Mock(), self.stub_ent1)

        # report every entitlement in the stub directory as expired so that
        # new ones are fetched
        every_ent = self.stub_ent_dir.list()
        self.stub_ent_dir.list_expired = mock.Mock(return_value=every_ent)

        # the server offers no serials, so no replacement is found and the
        # expired certs have to be deleted
        self.mock_uep.getCertificateSerials = mock.Mock(return_value=[])
        self.set_consumer_auth_cp(self.mock_uep)

        client = action_client.ActionClient()
        client.update()

        # the expired cert should be treated as deleted/rogue
        ent_report = client.entcertlib.report
        self.assertIn(self.stub_ent1, ent_report.rogue)
Example #9
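def main(options, log):
    """Run one entitlement certificate and repository update pass.

    Installs the GLib D-Bus main loop and a SIGTERM handler, tags the
    connection provider with a fresh correlation id, and then updates
    certificates through an ``ActionClient`` (``HealingActionClient`` when
    ``options.autoheal`` is set). Every non-empty update report is printed.

    Calls ``sys.exit(-1)`` when ``ConsumerIdentity.existsAndValid()`` is
    false, i.e. nothing is attempted without a usable consumer identity.

    Raises:
        connection.ExpiredIdentityCertException: re-raised after a critical
            log entry when the identity certificate has expired.
    """
    # Set default mainloop
    dbus.mainloop.glib.DBusGMainLoop(set_as_default=True)

    # exit on SIGTERM, otherwise finally statements don't run (one explanation: http://stackoverflow.com/a/41840796)
    # SIGTERM happens for example when systemd wants the service to stop
    # without finally statements, we get confusing behavior (ex. see bz#1431659)
    signal.signal(signal.SIGTERM, exit_on_signal)

    cp_provider = inj.require(inj.CP_PROVIDER)
    correlation_id = generate_correlation_id()
    log.info('X-Correlation-ID: %s', correlation_id)
    cp_provider.set_correlation_id(correlation_id)

    if not ConsumerIdentity.existsAndValid():
        log.error('Either the consumer is not registered or the certificates' +
                  ' are corrupted. Certificate update using daemon failed.')
        sys.exit(-1)
    # Parenthesised single-argument print behaves the same as the print
    # statement on Python 2 and is also valid on Python 3.
    print(_('Updating entitlement certificates & repositories'))

    cp = cp_provider.get_consumer_auth_cp()
    # pre-load supported resources; serves as a way of failing before locking the repos
    cp.supports_resource(None)

    try:
        if options.autoheal:
            actionclient = action_client.HealingActionClient()
        else:
            actionclient = action_client.ActionClient()

        actionclient.update(options.autoheal)

        for update_report in actionclient.update_reports:
            # FIXME: make sure we don't get None reports
            if update_report:
                print(update_report)

    except connection.ExpiredIdentityCertException:
        log.critical(_("Your identity certificate has expired"))
        # Bare raise keeps the traceback of the original failure; on Python 2
        # ``raise e`` would restart the traceback at this line.
        raise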
Example #10
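def main(options, log):
    """Run one entitlement certificate and repository update pass.

    Updates certificates through an ``ActionClient`` (``HealingActionClient``
    when ``options.autoheal`` is set) and prints every non-empty update
    report.

    Calls ``sys.exit(-1)`` when ``ConsumerIdentity.existsAndValid()`` is
    false, i.e. nothing is attempted without a usable consumer identity.

    Raises:
        connection.ExpiredIdentityCertException: re-raised after a critical
            log entry when the identity certificate has expired.
    """
    if not ConsumerIdentity.existsAndValid():
        log.error('Either the consumer is not registered or the certificates' +
                  ' are corrupted. Certificate update using daemon failed.')
        sys.exit(-1)
    # Parenthesised single-argument print behaves the same as the print
    # statement on Python 2 and is also valid on Python 3.
    print(_('Updating entitlement certificates & repositories'))

    try:
        if options.autoheal:
            actionclient = action_client.HealingActionClient()
        else:
            actionclient = action_client.ActionClient()

        actionclient.update(options.autoheal)

        for update_report in actionclient.update_reports:
            # FIXME: make sure we don't get None reports
            if update_report:
                print(update_report)

    except connection.ExpiredIdentityCertException:
        log.critical(_("Your identity certificate has expired"))
        # Bare raise keeps the traceback of the original failure; on Python 2
        # ``raise e`` would restart the traceback at this line.
        raise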
Example #11
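def main(options, log):
    """Run one entitlement certificate and repository update pass.

    Installs the GLib D-Bus main loop, tags the connection provider with a
    fresh correlation id, and then updates certificates through an
    ``ActionClient`` (``HealingActionClient`` when ``options.autoheal`` is
    set). Every non-empty update report is printed.

    Calls ``sys.exit(-1)`` when ``ConsumerIdentity.existsAndValid()`` is
    false, i.e. nothing is attempted without a usable consumer identity.

    Raises:
        connection.ExpiredIdentityCertException: re-raised after a critical
            log entry when the identity certificate has expired.
    """
    # Set default mainloop
    dbus.mainloop.glib.DBusGMainLoop(set_as_default=True)

    cp_provider = inj.require(inj.CP_PROVIDER)
    correlation_id = generate_correlation_id()
    log.info('X-Correlation-ID: %s', correlation_id)
    cp_provider.set_correlation_id(correlation_id)

    if not ConsumerIdentity.existsAndValid():
        log.error('Either the consumer is not registered or the certificates' +
                  ' are corrupted. Certificate update using daemon failed.')
        sys.exit(-1)
    # Parenthesised single-argument print behaves the same as the print
    # statement on Python 2 and is also valid on Python 3.
    print(_('Updating entitlement certificates & repositories'))

    cp = cp_provider.get_consumer_auth_cp()
    # pre-load supported resources; serves as a way of failing before locking the repos
    cp.supports_resource(None)

    try:
        if options.autoheal:
            actionclient = action_client.HealingActionClient()
        else:
            actionclient = action_client.ActionClient()

        actionclient.update(options.autoheal)

        for update_report in actionclient.update_reports:
            # FIXME: make sure we don't get None reports
            if update_report:
                print(update_report)

    except connection.ExpiredIdentityCertException:
        log.critical(_("Your identity certificate has expired"))
        # Bare raise keeps the traceback of the original failure; on Python 2
        # ``raise e`` would restart the traceback at this line.
        raise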
Example #12
def _main(options, log):
    """Run one entitlement certificate and repository update pass.

    Exits through ``sys.exit(-1)`` in two cases: the ``rhsmcertd``/``disable``
    config value is '1' and ``options.force`` is not set, or
    ``ConsumerIdentity.existsAndValid()`` is false. Otherwise certificates are
    updated through an ``ActionClient`` (``HealingActionClient`` when
    ``options.autoheal`` is set) and every non-empty update report is printed.

    Raises:
        connection.ExpiredIdentityCertException: re-raised after a critical
            log entry.
        connection.GoneException: always re-raised. Local consumer data is
            removed with ``managerlib.clean_all_data()`` first, but only when
            the exception's ``deleted_id`` equals the local consumer UUID.
    """
    # Set default mainloop
    dbus.mainloop.glib.DBusGMainLoop(set_as_default=True)

    # exit on SIGTERM, otherwise finally statements don't run (one explanation: http://stackoverflow.com/a/41840796)
    # SIGTERM happens for example when systemd wants the service to stop
    # without finally statements, we get confusing behavior (ex. see bz#1431659)
    signal.signal(signal.SIGTERM, exit_on_signal)

    # Tag this run with a correlation id and log it, so the value recorded
    # here can be matched against whatever the provider attaches it to.
    cp_provider = inj.require(inj.CP_PROVIDER)
    correlation_id = generate_correlation_id()
    log.info('X-Correlation-ID: %s', correlation_id)
    cp_provider.set_correlation_id(correlation_id)
    cfg = config.initConfig()

    # The configuration switch can turn this run off; options.force overrides it.
    log.debug('check for rhsmcertd disable')
    if '1' == cfg.get('rhsmcertd', 'disable') and not options.force:
        log.warning('The rhsmcertd process has been disabled by configuration.')
        sys.exit(-1)

    # Nothing below is attempted without a usable consumer identity.
    if not ConsumerIdentity.existsAndValid():
        log.error('Either the consumer is not registered or the certificates' +
                  ' are corrupted. Certificate update using daemon failed.')
        sys.exit(-1)
    print(_('Updating entitlement certificates & repositories'))

    cp = cp_provider.get_consumer_auth_cp()
    cp.supports_resource(None)  # pre-load supported resources; serves as a way of failing before locking the repos

    try:
        if options.autoheal:
            actionclient = action_client.HealingActionClient()
        else:
            actionclient = action_client.ActionClient()

        actionclient.update(options.autoheal)

        for update_report in actionclient.update_reports:
            # FIXME: make sure we don't get None reports
            if update_report:
                print(update_report)

    except connection.ExpiredIdentityCertException as e:
        log.critical(_("Your identity certificate has expired"))
        raise e
    except connection.GoneException as ge:
        # The UUID is read from the local consumer identity, not from the response.
        uuid = ConsumerIdentity.read().getConsumerId()

        # This code is to prevent an errant 410 response causing consumer cert deletion.
        #
        # If a server responds with a 410, we want to verify that it's not just a 410 http status,
        # but also that the response is from candlepin and includes the right info about the
        # consumer.
        #
        # A connection to the entitlement server could get an unintentional 410 response. A common
        # cause for that kind of error would be a bug or crash or misconfiguration of a reverse proxy
        # in front of candlepin. Most error codes we treat as temporary and transient, and they don't
        # cause any action to be taken (aside from error handling). But since consumer deletion is tied
        # to the 410 status code, and that is difficult to recover from, we try to be a little bit
        # more paranoid about that case.
        #
        # So we look for both the 410 status, and the expected response body. If we get those
        # then python-rhsm will create a GoneException that includes the deleted_id. If we get
        # a GoneException and the deleted_id matches, then we actually delete the consumer.
        #
        # However... If we get a GoneException and its deleted_id does not match the current
        # consumer uuid, we do not delete the consumer. That would require using a valid consumer
        # cert, but making a request for a different consumer uuid, so unlikely. Could register
        # with --consumerid get there?
        #
        # NOTE(review): the equality check below is the only guard in this function in front of
        # the destructive clean_all_data() call. A GoneException whose deleted_id does not match
        # is re-raised without a dedicated log entry here; whether the caller records it is not
        # visible from this function -- confirm, since a mismatched 410 is worth being able to
        # spot in the logs.
        if ge.deleted_id == uuid:
            log.critical("Consumer profile \"%s\" has been deleted from the server. Its local certificates will now be archived", uuid)
            managerlib.clean_all_data()
            log.critical("Certificates archived to '/etc/pki/consumer.old'. Contact your system administrator if you need more information.")

        raise ge
Example #13
 def test_gone_exception(self, mock_update):
     """A GoneException raised by the patched update must reach the caller.

     ``mock_update`` is supplied by a patch that is not visible here.
     """
     gone = GoneException(410, "bye bye", " 234234")
     mock_update.side_effect = gone

     client = action_client.ActionClient()
     self.assertRaises(GoneException, client.update)
Example #14
 def test_init(self):
     """Smoke test: a freshly built ActionClient can run update() without raising."""
     action_client.ActionClient().update()