def set_connection_info(
self,
host=None,
ssl_port=None,
handler=None,
cert_file=None,
key_file=None,
proxy_hostname_arg=None,
proxy_port_arg=None,
proxy_user_arg=None,
proxy_password_arg=None,
):
self.cert_file = ConsumerIdentity.certpath()
self.key_file = ConsumerIdentity.keypath()
# only use what was passed in, let the lowest level deal with
# no values and look elsewhere for them.
self.server_hostname = host
self.server_port = ssl_port
self.server_prefix = handler
self.proxy_hostname = proxy_hostname_arg
self.proxy_port = proxy_port_arg
self.proxy_user = proxy_user_arg
self.proxy_password = proxy_password_arg
self.clean()
def _update(self, cache_only):
""" update entitlement certificates """
logger.info(_('Updating Subscription Management repositories.'))
# XXX: Importing inline as you must be root to read the config file
from subscription_manager.identity import ConsumerIdentity
cert_file = str(ConsumerIdentity.certpath())
key_file = str(ConsumerIdentity.keypath())
identity = inj.require(inj.IDENTITY)
# In containers we have no identity, but we may have entitlements inherited
# from the host, which need to generate a redhat.repo.
if identity.is_valid():
try:
connection.UEPConnection(cert_file=cert_file,
key_file=key_file)
# FIXME: catchall exception
except Exception:
# log
logger.info(
_("Unable to connect to Subscription Management Service"))
return
else:
logger.info(_("Unable to read consumer identity"))
if config.in_container():
logger.info(
_("Subscription Manager is operating in container mode."))
rl = RepoActionInvoker(cache_only=cache_only)
rl.update()
def update(conduit, cache_only):
""" update entitlement certificates """
if os.getuid() != 0:
conduit.info(3, 'Not root, Subscription Management repositories not updated')
return
conduit.info(3, 'Updating Subscription Management repositories.')
# XXX: Importing inline as you must be root to read the config file
from subscription_manager.identity import ConsumerIdentity
cert_file = ConsumerIdentity.certpath()
key_file = ConsumerIdentity.keypath()
identity = inj.require(inj.IDENTITY)
# In containers we have no identity, but we may have entitlements inherited
# from the host, which need to generate a redhat.repo.
if identity.is_valid():
try:
connection.UEPConnection(cert_file=cert_file, key_file=key_file)
#FIXME: catchall exception
except Exception:
# log
conduit.info(2, "Unable to connect to Subscription Management Service")
return
else:
conduit.info(3, "Unable to read consumer identity")
if config.in_container():
conduit.info(3, "Subscription Manager is operating in container mode.")
rl = RepoActionInvoker(cache_only=cache_only, locker=YumRepoLocker(conduit=conduit))
rl.update()
def clean_all_data(backup=True):
consumer_dir = cfg.get('rhsm', 'consumerCertDir')
if backup:
if consumer_dir[-1] == "/":
consumer_dir_backup = consumer_dir[0:-1] + ".old"
else:
consumer_dir_backup = consumer_dir + ".old"
# Delete backup dir if it exists:
shutil.rmtree(consumer_dir_backup, ignore_errors=True)
# Copy current consumer dir:
log.debug("Backing up %s to %s.", consumer_dir, consumer_dir_backup)
shutil.copytree(consumer_dir, consumer_dir_backup)
# FIXME FIXME
# Delete current consumer certs:
for path in [ConsumerIdentity.keypath(), ConsumerIdentity.certpath()]:
if (os.path.exists(path)):
log.debug("Removing identity cert: %s" % path)
os.remove(path)
require(IDENTITY).reload()
# Delete all entitlement certs rather than the directory itself:
ent_cert_dir = cfg.get('rhsm', 'entitlementCertDir')
if os.path.exists(ent_cert_dir):
for f in glob.glob("%s/*.pem" % ent_cert_dir):
certpath = os.path.join(ent_cert_dir, f)
log.debug("Removing entitlement cert: %s" % f)
os.remove(certpath)
else:
log.warn("Entitlement cert directory does not exist: %s" %
ent_cert_dir)
# Subclasses of cache.CacheManager have a @classmethod delete_cache
# for deleting persistent caches
cache.ProfileManager.delete_cache()
cache.InstalledProductsManager.delete_cache()
cache.SyspurposeCache.delete_cache()
# FIXME: implement as dbus client to facts service DeleteCache() once implemented
#Facts.delete_cache()
# WrittenOverridesCache is also a subclass of cache.CacheManager, but
# it is deleted in RepoActionInvoker.delete_repo_file() below.
# StatusCache subclasses have a a per instance cache varable
# and delete_cache is an instance method, so we need to call
# the delete_cache on the instances created in injectioninit.
require(ENTITLEMENT_STATUS_CACHE).delete_cache()
require(PROD_STATUS_CACHE).delete_cache()
require(POOL_STATUS_CACHE).delete_cache()
require(OVERRIDE_STATUS_CACHE).delete_cache()
require(RELEASE_STATUS_CACHE).delete_cache()
RepoActionInvoker.delete_repo_file()
log.info("Cleaned local data")
def update(conduit, cache_only):
""" update entitlement certificates """
if os.getuid() != 0:
conduit.info(
3, 'Not root, Subscription Management repositories not updated')
return
conduit.info(3, 'Updating Subscription Management repositories.')
# XXX: Importing inline as you must be root to read the config file
from subscription_manager.identity import ConsumerIdentity
cert_file = ConsumerIdentity.certpath()
key_file = ConsumerIdentity.keypath()
identity = inj.require(inj.IDENTITY)
if not identity.is_valid():
conduit.info(3, "Unable to read consumer identity")
return
try:
connection.UEPConnection(cert_file=cert_file, key_file=key_file)
#FIXME: catchall exception
except Exception:
# log
conduit.info(2, "Unable to connect to Subscription Management Service")
return
rl = RepoActionInvoker(cache_only=cache_only)
rl.update()
def update(conduit, cache_only):
""" update entitlement certificates """
if os.getuid() != 0:
conduit.info(3, 'Not root, Subscription Management repositories not updated')
return
conduit.info(3, 'Updating Subscription Management repositories.')
# XXX: Importing inline as you must be root to read the config file
from subscription_manager.identity import ConsumerIdentity
cert_file = ConsumerIdentity.certpath()
key_file = ConsumerIdentity.keypath()
identity = inj.require(inj.IDENTITY)
if not identity.is_valid():
conduit.info(3, "Unable to read consumer identity")
return
try:
uep = connection.UEPConnection(cert_file=cert_file, key_file=key_file)
#FIXME: catchall exception
except Exception:
# log
conduit.info(2, "Unable to connect to Subscription Management Service")
return
rl = RepoActionInvoker(uep=uep, cache_only=cache_only)
rl.update()
def _update(self, cache_only):
""" update entitlement certificates """
logger.info(_('Updating Subscription Management repositories.'))
# XXX: Importing inline as you must be root to read the config file
from subscription_manager.identity import ConsumerIdentity
cert_file = str(ConsumerIdentity.certpath())
key_file = str(ConsumerIdentity.keypath())
identity = inj.require(inj.IDENTITY)
# In containers we have no identity, but we may have entitlements inherited
# from the host, which need to generate a redhat.repo.
if identity.is_valid():
try:
connection.UEPConnection(cert_file=cert_file, key_file=key_file)
# FIXME: catchall exception
except Exception:
# log
logger.info(_("Unable to connect to Subscription Management Service"))
return
else:
logger.info(_("Unable to read consumer identity"))
if config.in_container():
logger.info(_("Subscription Manager is operating in container mode."))
if not cache_only:
cert_action_invoker = EntCertActionInvoker()
cert_action_invoker.update()
repo_action_invoker = RepoActionInvoker(cache_only=cache_only)
repo_action_invoker.update()
def validate_registration():
"""
Validate consumer registration by making a REST call
to the server. Updates the global 'registered' variable.
"""
global registered
registered = False
if ConsumerIdentity.existsAndValid():
consumer = ConsumerIdentity.read()
consumer_id = consumer.getConsumerId()
else:
return
try:
uep = UEP()
consumer = uep.getConsumer(consumer_id)
registered = (consumer is not None)
except GoneException:
registered = False
except RemoteServerException as e:
if e.code not in (http.NOT_FOUND, http.GONE):
log.warn(str(e))
raise
except Exception as e:
log.exception(str(e))
raise
def set_connection_info(self,
host=None,
ssl_port=None,
handler=None,
cert_file=None,
key_file=None,
proxy_hostname_arg=None,
proxy_port_arg=None,
proxy_user_arg=None,
proxy_password_arg=None,
no_proxy_arg=None,
restlib_class=connection.Restlib):
self.cert_file = ConsumerIdentity.certpath()
self.key_file = ConsumerIdentity.keypath()
# only use what was passed in, let the lowest level deal with
# no values and look elsewhere for them.
self.server_hostname = host
self.server_port = ssl_port
self.server_prefix = handler
self.proxy_hostname = proxy_hostname_arg
self.proxy_port = proxy_port_arg
self.proxy_user = proxy_user_arg
self.proxy_password = proxy_password_arg
self.no_proxy = no_proxy_arg
self.restlib_class = restlib_class
self.clean()
def clean_all_data(backup=True):
consumer_dir = cfg.get('rhsm', 'consumerCertDir')
if backup:
if consumer_dir[-1] == "/":
consumer_dir_backup = consumer_dir[0:-1] + ".old"
else:
consumer_dir_backup = consumer_dir + ".old"
# Delete backup dir if it exists:
shutil.rmtree(consumer_dir_backup, ignore_errors=True)
# Copy current consumer dir:
log.debug("Backing up %s to %s.", consumer_dir, consumer_dir_backup)
shutil.copytree(consumer_dir, consumer_dir_backup)
# FIXME FIXME
# Delete current consumer certs:
for path in [ConsumerIdentity.keypath(), ConsumerIdentity.certpath()]:
if (os.path.exists(path)):
log.debug("Removing identity cert: %s" % path)
os.remove(path)
require(IDENTITY).reload()
# Delete all entitlement certs rather than the directory itself:
ent_cert_dir = cfg.get('rhsm', 'entitlementCertDir')
if os.path.exists(ent_cert_dir):
for f in glob.glob("%s/*.pem" % ent_cert_dir):
certpath = os.path.join(ent_cert_dir, f)
log.debug("Removing entitlement cert: %s" % f)
os.remove(certpath)
else:
log.warn("Entitlement cert directory does not exist: %s" % ent_cert_dir)
# Subclasses of cache.CacheManager have a @classmethod delete_cache
# for deleting persistent caches
cache.ProfileManager.delete_cache()
cache.InstalledProductsManager.delete_cache()
if SyncedStore is not None:
SyncedStore(None).update_cache({})
# FIXME: implement as dbus client to facts service DeleteCache() once implemented
# Facts.delete_cache()
# WrittenOverridesCache is also a subclass of cache.CacheManager, but
# it is deleted in RepoActionInvoker.delete_repo_file() below.
# StatusCache subclasses have a a per instance cache varable
# and delete_cache is an instance method, so we need to call
# the delete_cache on the instances created in injectioninit.
require(ENTITLEMENT_STATUS_CACHE).delete_cache()
require(SYSTEMPURPOSE_COMPLIANCE_STATUS_CACHE).delete_cache()
require(PROD_STATUS_CACHE).delete_cache()
require(POOL_STATUS_CACHE).delete_cache()
require(OVERRIDE_STATUS_CACHE).delete_cache()
require(RELEASE_STATUS_CACHE).delete_cache()
RepoActionInvoker.delete_repo_file()
log.debug("Cleaned local data")
def get_manager():
if 'subscription_manager.action_client' in sys.modules:
mgr = action_client.ActionClient()
else:
# for compatability with subscription-manager > =1.13
uep = connection.UEPConnection(cert_file=ConsumerIdentity.certpath(),
key_file=ConsumerIdentity.keypath())
mgr = certmgr.CertManager(uep=uep)
return mgr
def get_manager():
if 'subscription_manager.action_client' in sys.modules:
mgr = action_client.ActionClient()
else:
# for compatability with subscription-manager > =1.13
uep = connection.UEPConnection(cert_file=ConsumerIdentity.certpath(),
key_file=ConsumerIdentity.keypath())
mgr = certmgr.CertManager(uep=uep)
return mgr
def get_candlepin_consumer_connection(self):
self.cp_provider = inj.require(inj.CP_PROVIDER)
connection_info = self._get_connection_info()
connection_info["cert_file"] = ConsumerIdentity.certpath()
connection_info["key_file"] = ConsumerIdentity.keypath()
self.cp_provider.set_connection_info(**connection_info)
return self.cp_provider.get_consumer_auth_cp()
def get_candlepin_consumer_connection(self):
self.cp_provider = inj.require(inj.CP_PROVIDER)
connection_info = self._get_connection_info()
connection_info['cert_file'] = ConsumerIdentity.certpath()
connection_info['key_file'] = ConsumerIdentity.keypath()
self.cp_provider.set_connection_info(**connection_info)
return self.cp_provider.get_consumer_auth_cp()
def upload_tracer_profile(conduit=False):
data = json.dumps({ "traces": get_apps(conduit) })
headers = { "Content-type": "application/json" }
conn = httplib.HTTPSConnection(
RhsmConfigParser.get(initConfig() ,'server', 'hostname'),
RhsmConfigParser.get(initConfig() ,'server', 'port'),
key_file = ConsumerIdentity.keypath(),
cert_file = ConsumerIdentity.certpath()
)
conn.request('PUT', '/rhsm/consumers/%s/tracer' % (ConsumerIdentity.read().getConsumerId()), data, headers=headers)
response = conn.getresponse()
def upload_tracer_profile(conduit=False):
data = json.dumps({"traces": get_apps(conduit)})
headers = {"Content-type": "application/json"}
conn = httplib.HTTPSConnection(
RhsmConfigParser.get(initConfig(), "server", "hostname"),
RhsmConfigParser.get(initConfig(), "server", "port"),
key_file=ConsumerIdentity.keypath(),
cert_file=ConsumerIdentity.certpath(),
)
conn.request("PUT", "/rhsm/consumers/%s/tracer" % (ConsumerIdentity.read().getConsumerId()), data, headers=headers)
response = conn.getresponse()
def setup_plugin():
"""
Setup the plugin based on registration status using the RHSM configuration.
"""
if not ConsumerIdentity.existsAndValid():
# not registered
return
cfg = plugin.cfg()
rhsm_conf = Config(RHSM_CONFIG_PATH)
certificate = ConsumerIdentity.read()
cfg.messaging.url = 'ssl://%s:5671' % rhsm_conf['server']['hostname']
cfg.messaging.uuid = 'pulp.agent.%s' % certificate.getConsumerId()
bundle(certificate)
def _get_consumer_id(self):
try:
cid = ConsumerIdentity.read()
return cid.getConsumerId()
except Exception, e:
log.error(e)
raise Disconnected()
def send_enabled_report(path=REPOSITORY_PATH):
"""
Send the enabled repository report.
:param path: The path to a repository file.
:type path: str
"""
if not ConsumerIdentity.existsAndValid():
# not registered
return
try:
uep = UEP()
certificate = ConsumerIdentity.read()
report = EnabledReport(path)
uep.report_enabled(certificate.getConsumerId(), report.content)
except Exception, e:
log.error('send enabled report failed: %s', str(e))
def update_settings():
"""
Setup the plugin based on the RHSM configuration.
"""
rhsm_conf = Config(RHSM_CONFIG_PATH)
certificate = ConsumerIdentity.read()
if 'ca_cert_dir' in rhsm_conf['rhsm']:
ca_cert_dir = rhsm_conf['rhsm']['ca_cert_dir']
else:
#handle old subscription-manager configurations
ca_cert_dir = rhsm_conf['server']['ca_cert_dir']
# the 'katello-default-ca.pem' is the ca used for generating the CA certs.
# the 'candlepin-local.pem' is there for compatibility reasons (the old path where the
# legacy installer was putting this file. If none of them is present, there is still
# a chance the rhsm_conf['rhsm']['repo_ca_cert'] is serving as the CA for issuing
# the client certs
ca_candidates = [os.path.join(ca_cert_dir, 'katello-default-ca.pem'),
os.path.join(ca_cert_dir, 'candlepin-local.pem'),
rhsm_conf['rhsm']['repo_ca_cert'] % {'ca_cert_dir': ca_cert_dir}]
existing_ca_certs = [cert for cert in ca_candidates if os.path.exists(cert)]
if not existing_ca_certs:
log.warn('None of the ca cert files %s found for the qpid connection' % ca_candidates)
raise
else:
log.info('Using %s as the ca cert for qpid connection' % existing_ca_certs[0])
plugin.cfg.messaging.cacert = existing_ca_certs[0]
plugin.cfg.messaging.url = 'proton+amqps://%s:5647' % rhsm_conf['server']['hostname']
plugin.cfg.messaging.uuid = 'pulp.agent.%s' % certificate.getConsumerId()
bundle(certificate)
def _get_consumer_id(self):
try:
cid = ConsumerIdentity.read()
return cid.getConsumerId()
except Exception, e:
log.error(e)
raise Disconnected()
def clean_all_data(backup=True):
consumer_dir = cfg.get('rhsm', 'consumerCertDir')
if backup:
if consumer_dir[-1] == "/":
consumer_dir_backup = consumer_dir[0:-1] + ".old"
else:
consumer_dir_backup = consumer_dir + ".old"
# Delete backup dir if it exists:
shutil.rmtree(consumer_dir_backup, ignore_errors=True)
# Copy current consumer dir:
log.debug("Backing up %s to %s.", consumer_dir, consumer_dir_backup)
shutil.copytree(consumer_dir, consumer_dir_backup)
# FIXME FIXME
# Delete current consumer certs:
for path in [ConsumerIdentity.keypath(), ConsumerIdentity.certpath()]:
if (os.path.exists(path)):
log.debug("Removing identity cert: %s" % path)
os.remove(path)
require(IDENTITY).reload()
# Delete all entitlement certs rather than the directory itself:
ent_cert_dir = cfg.get('rhsm', 'entitlementCertDir')
if os.path.exists(ent_cert_dir):
for f in glob.glob("%s/*.pem" % ent_cert_dir):
certpath = os.path.join(ent_cert_dir, f)
log.debug("Removing entitlement cert: %s" % f)
os.remove(certpath)
else:
log.warn("Entitlement cert directory does not exist: %s" %
ent_cert_dir)
cache.ProfileManager.delete_cache()
cache.InstalledProductsManager.delete_cache()
Facts.delete_cache()
# Must also delete in-memory cache
require(ENTITLEMENT_STATUS_CACHE).delete_cache()
require(PROD_STATUS_CACHE).delete_cache()
require(OVERRIDE_STATUS_CACHE).delete_cache()
RepoActionInvoker.delete_repo_file()
log.info("Cleaned local data")
def _do_update(self):
uuid = ConsumerIdentity.read().getConsumerId()
consumer = self.uep.getConsumer(uuid)
if 'autoheal' in consumer and consumer['autoheal']:
try:
log.info("Checking if system requires healing.")
today = datetime.now(GMT())
tomorrow = today + timedelta(days=1)
# Check if we're invalid today and heal if so. If we are
# valid, see if 24h from now is greater than our "valid until"
# date, and heal for tomorrow if so.
cs = require(CERT_SORTER)
cert_updater = CertLib(lock=self.lock, uep=self.uep)
if not cs.is_valid():
log.warn("Found invalid entitlements for today: %s" %
today)
self.plugin_manager.run("pre_auto_attach",
consumer_uuid=uuid)
ents = self.uep.bind(uuid, today)
self.plugin_manager.run("post_auto_attach",
consumer_uuid=uuid,
entitlement_data=ents)
cert_updater.update()
else:
log.info("Entitlements are valid for today: %s" % today)
if cs.compliant_until is None:
# Edge case here, not even sure this can happen as we
# should have a compliant until date if we're valid
# today, but just in case:
log.warn(
"Got valid status from server but no valid until date."
)
elif tomorrow > cs.compliant_until:
log.warn(
"Entitlements will be invalid by tomorrow: %s" %
tomorrow)
self.plugin_manager.run("pre_auto_attach",
consumer_uuid=uuid)
ents = self.uep.bind(uuid, tomorrow)
self.plugin_manager.run("post_auto_attach",
consumer_uuid=uuid,
entitlement_data=ents)
cert_updater.update()
else:
log.info("Entitlements are valid for tomorrow: %s" %
tomorrow)
except Exception, e:
log.error("Error attempting to auto-heal:")
log.exception(e)
return 0
else:
log.info("Auto-heal check complete.")
return 1
def send():
try:
uep = UEP()
certificate = ConsumerIdentity.read()
report = EnabledReport(path)
uep.report_enabled(certificate.getConsumerId(), report.content)
except Exception, e:
log.error('send enabled report failed: %s', str(e))
def _do_update(self):
if not ConsumerIdentity.existsAndValid():
# we could in theory try to update the id in the
# case of it being bogus/corrupted, ala #844069,
# but that seems unneeded
return 0
from subscription_manager import managerlib
idcert = ConsumerIdentity.read()
uuid = idcert.getConsumerId()
consumer = self.uep.getConsumer(uuid)
# only write the cert if the serial has changed
if idcert.getSerialNumber() != consumer['idCert']['serial']['serial']:
log.debug('identity certificate changed, writing new one')
managerlib.persist_consumer_cert(consumer)
return 1
def consumer_id(self):
"""
Get the current consumer ID
:return: The unique consumer ID of the currently running agent
:rtype: str
"""
certificate = ConsumerIdentity.read()
return certificate.getConsumerId()
def consumer_id(self):
"""
Get the current consumer ID
:return: The unique consumer ID of the currently running agent
:rtype: str
"""
certificate = ConsumerIdentity.read()
return certificate.getConsumerId()
def _do_update(self):
if not ConsumerIdentity.existsAndValid():
# we could in theory try to update the id in the
# case of it being bogus/corrupted, ala #844069,
# but that seems unneeded
return 0
from subscription_manager import managerlib
idcert = ConsumerIdentity.read()
uuid = idcert.getConsumerId()
consumer = self.uep.getConsumer(uuid)
# only write the cert if the serial has changed
if idcert.getSerialNumber() != consumer['idCert']['serial']['serial']:
log.debug('identity certificate changed, writing new one')
managerlib.persist_consumer_cert(consumer)
return 1
def clean_all_data(backup=True):
consumer_dir = cfg.get('rhsm', 'consumerCertDir')
if backup:
if consumer_dir[-1] == "/":
consumer_dir_backup = consumer_dir[0:-1] + ".old"
else:
consumer_dir_backup = consumer_dir + ".old"
# Delete backup dir if it exists:
shutil.rmtree(consumer_dir_backup, ignore_errors=True)
# Copy current consumer dir:
log.info("Backing up %s to %s." % (consumer_dir, consumer_dir_backup))
shutil.copytree(consumer_dir, consumer_dir_backup)
# FIXME FIXME
# Delete current consumer certs:
for path in [ConsumerIdentity.keypath(), ConsumerIdentity.certpath()]:
if (os.path.exists(path)):
log.debug("Removing identity cert: %s" % path)
os.remove(path)
require(IDENTITY).reload()
# Delete all entitlement certs rather than the directory itself:
ent_cert_dir = cfg.get('rhsm', 'entitlementCertDir')
if os.path.exists(ent_cert_dir):
for f in glob.glob("%s/*.pem" % ent_cert_dir):
certpath = os.path.join(ent_cert_dir, f)
log.debug("Removing entitlement cert: %s" % f)
os.remove(certpath)
else:
log.warn("Entitlement cert directory does not exist: %s" % ent_cert_dir)
cache.ProfileManager.delete_cache()
cache.InstalledProductsManager.delete_cache()
Facts.delete_cache()
# Must also delete in-memory cache
require(ENTITLEMENT_STATUS_CACHE).delete_cache()
require(PROD_STATUS_CACHE).delete_cache()
require(OVERRIDE_STATUS_CACHE).delete_cache()
RepoActionInvoker.delete_repo_file()
log.info("Cleaned local data")
def warnOrGiveUsageMessage(conduit):
# XXX: Importing inline as you must be root to read the config file
""" either output a warning, or a usage message """
msg = ""
# TODO: refactor so there are not two checks for this
if os.getuid() != 0:
return
if ClassicCheck().is_registered_with_classic():
return
try:
identity = inj.require(inj.IDENTITY)
ent_dir = inj.require(inj.ENT_DIR)
# Don't warn people to register if we see entitelements, but no identity:
if not identity.is_valid() and len(ent_dir.list_valid()) == 0:
msg = not_registered_warning
elif len(ent_dir.list_valid()) == 0:
# XXX: Importing inline as you must be root to read the config file
from subscription_manager.identity import ConsumerIdentity
cert_file = ConsumerIdentity.certpath()
key_file = ConsumerIdentity.keypath()
# In containers we have no identity, but we may have entitlements inherited
# from the host, which need to generate a redhat.repo.
if identity.is_valid():
try:
uep = connection.UEPConnection(cert_file=cert_file,
key_file=key_file)
# FIXME: catchall exception
except Exception:
pass
else:
owner = uep.getOwner(identity.uuid)
if owner['contentAccessMode'] != "org_environment":
return
msg = no_subs_warning
if config.in_container() and len(ent_dir.list_valid()) == 0:
msg = no_subs_container_warning
finally:
if msg:
conduit.info(2, msg)
def __init__(self):
self.correlation_id = None
self.username = None
self.password = None
self.token = None
self.token_username = None
self.cdn_hostname = None
self.cdn_port = None
self.cert_file = ConsumerIdentity.certpath()
self.key_file = ConsumerIdentity.keypath()
self.server_hostname = None
self.server_port = None
self.server_prefix = None
self.proxy_hostname = None
self.proxy_port = None
self.proxy_user = None
self.proxy_password = None
self.no_proxy = None
self.restlib_class = None
def __init__(self, oscs, rdb, logger, opts):
self.oscs = oscs
self.rdb = rdb
self.logger = logger
self.opts = opts
self.rhsmconfig = rhsm.config.initConfig()
try:
self.consumer_key = _read(ConsumerIdentity.keypath())
self.consumer_cert = _read(ConsumerIdentity.certpath())
except IOError as ioerr:
if 2 == ioerr.errno:
raise SubscriptionManagerNotRegisteredError()
self.consumer_identity = ConsumerIdentity(self.consumer_key, self.consumer_cert)
self.consumer_uuid = self.consumer_identity.getConsumerId()
self.cp_provider = inj.require(inj.CP_PROVIDER)
self.cp = self.cp_provider.get_consumer_auth_cp()
# self.ATTR_DEFAULTS = dict([(attr, RepoConf.optionobj(attr).default) for attr in IMPORTANT_ATTRS])
self._set_attr_defaults()
self.problem = False
def update_settings():
"""
Setup the plugin based on the RHSM configuration.
"""
rhsm_conf = Config(RHSM_CONFIG_PATH)
certificate = ConsumerIdentity.read()
plugin.cfg.messaging.cacert = rhsm_conf['rhsm']['repo_ca_cert'] % rhsm_conf['rhsm']
plugin.cfg.messaging.url = 'proton+amqps://%s:5647' % rhsm_conf['server']['hostname']
plugin.cfg.messaging.uuid = 'pulp.agent.%s' % certificate.getConsumerId()
bundle(certificate)
def _do_update(self):
uuid = ConsumerIdentity.read().getConsumerId()
consumer = self.uep.getConsumer(uuid)
if 'autoheal' in consumer and consumer['autoheal']:
try:
log.info("Checking if system requires healing.")
today = datetime.now(GMT())
tomorrow = today + timedelta(days=1)
# Check if we're invalid today and heal if so. If we are
# valid, see if 24h from now is greater than our "valid until"
# date, and heal for tomorrow if so.
cs = require(CERT_SORTER)
cert_updater = CertLib(lock=self.lock, uep=self.uep)
if not cs.is_valid():
log.warn("Found invalid entitlements for today: %s" %
today)
self.plugin_manager.run("pre_auto_attach", consumer_uuid=uuid)
ents = self.uep.bind(uuid, today)
self.plugin_manager.run("post_auto_attach", consumer_uuid=uuid,
entitlement_data=ents)
cert_updater.update()
else:
log.info("Entitlements are valid for today: %s" %
today)
if cs.compliant_until is None:
# Edge case here, not even sure this can happen as we
# should have a compliant until date if we're valid
# today, but just in case:
log.warn("Got valid status from server but no valid until date.")
elif tomorrow > cs.compliant_until:
log.warn("Entitlements will be invalid by tomorrow: %s" %
tomorrow)
self.plugin_manager.run("pre_auto_attach", consumer_uuid=uuid)
ents = self.uep.bind(uuid, tomorrow)
self.plugin_manager.run("post_auto_attach", consumer_uuid=uuid,
entitlement_data=ents)
cert_updater.update()
else:
log.info("Entitlements are valid for tomorrow: %s" %
tomorrow)
except Exception, e:
log.error("Error attempting to auto-heal:")
log.exception(e)
return 0
else:
log.info("Auto-heal check complete.")
return 1
def update_settings():
"""
Setup the plugin based on the RHSM configuration.
"""
rhsm_conf = Config(RHSM_CONFIG_PATH)
certificate = ConsumerIdentity.read()
plugin.cfg.messaging.cacert = rhsm_conf['rhsm'][
'repo_ca_cert'] % rhsm_conf['rhsm']
plugin.cfg.messaging.url = 'proton+amqps://%s:5647' % rhsm_conf['server'][
'hostname']
plugin.cfg.messaging.uuid = 'pulp.agent.%s' % certificate.getConsumerId()
bundle(certificate)
def registration_changed(path):
"""
Notification that a change in registration has been detected.
On registration: setup the plugin; attach to the message broker.
On un-registration: detach from the message broker.
:param path: The path to the file that changed.
:type path: str
"""
log.info('changed: %s', path)
if ConsumerIdentity.existsAndValid():
setup_plugin()
plugin.attach()
else:
plugin.detach()
def init_plugin():
"""
Initialize the plugin.
Called (once) immediately after the plugin is loaded.
- setup plugin configuration.
- send an initial repository enabled report.
- setup path monitoring.
"""
setup_plugin()
send_enabled_report()
path = ConsumerIdentity.certpath()
path_monitor.add(path, registration_changed)
path_monitor.add(REPOSITORY_PATH, send_enabled_report)
path_monitor.start()
def send_enabled_report(path=REPOSITORY_PATH):
"""
Send the enabled repository report.
:param path: The path to a repository file.
:type path: str
"""
if not registered:
return
try:
uep = UEP()
certificate = ConsumerIdentity.read()
report = EnabledReport(path)
uep.report_enabled(certificate.getConsumerId(), report.content)
except Exception, e:
log.error('send enabled report failed: %s', str(e))
def main(options, log):
# Set default mainloop
dbus.mainloop.glib.DBusGMainLoop(set_as_default=True)
# exit on SIGTERM, otherwise finally statements don't run (one explanation: http://stackoverflow.com/a/41840796)
# SIGTERM happens for example when systemd wants the service to stop
# without finally statements, we get confusing behavior (ex. see bz#1431659)
signal.signal(signal.SIGTERM, exit_on_signal)
cp_provider = inj.require(inj.CP_PROVIDER)
correlation_id = generate_correlation_id()
log.info('X-Correlation-ID: %s', correlation_id)
cp_provider.set_correlation_id(correlation_id)
if not ConsumerIdentity.existsAndValid():
log.error('Either the consumer is not registered or the certificates' +
' are corrupted. Certificate update using daemon failed.')
sys.exit(-1)
print _('Updating entitlement certificates & repositories')
cp = cp_provider.get_consumer_auth_cp()
cp.supports_resource(
None
) # pre-load supported resources; serves as a way of failing before locking the repos
try:
if options.autoheal:
actionclient = action_client.HealingActionClient()
else:
actionclient = action_client.ActionClient()
actionclient.update(options.autoheal)
for update_report in actionclient.update_reports:
# FIXME: make sure we don't get None reports
if update_report:
print update_report
except connection.ExpiredIdentityCertException, e:
log.critical(_("Your identity certificate has expired"))
raise e
def init_plugin():
"""
Initialize the plugin.
Called (once) immediately after the plugin is loaded.
- setup path monitoring.
- validate registration. If registered:
- setup plugin configuration.
"""
path = ConsumerIdentity.certpath()
path_monitor.add(path, certificate_changed)
path_monitor.add(REPOSITORY_PATH, send_enabled_report)
path_monitor.start()
while True:
try:
validate_registration()
if registered:
update_settings()
# DONE
break
except Exception, e:
log.warn(str(e))
sleep(60)
def main(options, log):
if not ConsumerIdentity.existsAndValid():
log.error('Either the consumer is not registered or the certificates' +
' are corrupted. Certificate update using daemon failed.')
sys.exit(-1)
print _('Updating entitlement certificates & repositories')
try:
if options.autoheal:
actionclient = action_client.HealingActionClient()
else:
actionclient = action_client.ActionClient()
actionclient.update(options.autoheal)
for update_report in actionclient.update_reports:
# FIXME: make sure we don't get None reports
if update_report:
print update_report
except connection.ExpiredIdentityCertException, e:
log.critical(_("Your identity certificate has expired"))
raise e
def main(options, log):
if not ConsumerIdentity.existsAndValid():
log.error('Either the consumer is not registered or the certificates' +
' are corrupted. Certificate update using daemon failed.')
sys.exit(-1)
print _('Updating entitlement certificates & repositories')
try:
if options.autoheal:
actionclient = action_client.HealingActionClient()
else:
actionclient = action_client.ActionClient()
actionclient.update(options.autoheal)
for update_report in actionclient.update_reports:
# FIXME: make sure we don't get None reports
if update_report:
print update_report
except connection.ExpiredIdentityCertException, e:
log.critical(_("Your identity certificate has expired"))
raise e
def plugin_loaded():
"""
Initialize the plugin.
Called (once) immediately after the plugin is loaded.
- setup path monitoring.
- validate registration. If registered:
- setup plugin configuration.
"""
global path_monitor
path = ConsumerIdentity.certpath()
path_monitor = PathMonitor()
path_monitor.add(path, certificate_changed)
path_monitor.start()
while True:
try:
validate_registration()
if registered:
update_settings()
# DONE
break
except Exception as e:
log.warn(str(e))
sleep(60)
def init_plugin():
"""
Initialize the plugin.
Called (once) immediately after the plugin is loaded.
- setup path monitoring.
- validate registration. If registered:
- setup plugin configuration.
- send an initial repository enabled report.
"""
path = ConsumerIdentity.certpath()
path_monitor.add(path, certificate_changed)
path_monitor.add(REPOSITORY_PATH, send_enabled_report)
path_monitor.start()
while True:
try:
validate_registration()
if registered:
update_settings()
send_enabled_report()
# DONE
break
except Exception, e:
log.warn(str(e))
sleep(60)
def main(options, log):
# Set default mainloop
dbus.mainloop.glib.DBusGMainLoop(set_as_default=True)
cp_provider = inj.require(inj.CP_PROVIDER)
correlation_id = generate_correlation_id()
log.info('X-Correlation-ID: %s', correlation_id)
cp_provider.set_correlation_id(correlation_id)
if not ConsumerIdentity.existsAndValid():
log.error('Either the consumer is not registered or the certificates' +
' are corrupted. Certificate update using daemon failed.')
sys.exit(-1)
print _('Updating entitlement certificates & repositories')
cp = cp_provider.get_consumer_auth_cp()
cp.supports_resource(
None
) # pre-load supported resources; serves as a way of failing before locking the repos
try:
if options.autoheal:
actionclient = action_client.HealingActionClient()
else:
actionclient = action_client.ActionClient()
actionclient.update(options.autoheal)
for update_report in actionclient.update_reports:
# FIXME: make sure we don't get None reports
if update_report:
print update_report
except connection.ExpiredIdentityCertException, e:
log.critical(_("Your identity certificate has expired"))
raise e
actionclient = action_client.HealingActionClient()
else:
actionclient = action_client.ActionClient()
actionclient.update(options.autoheal)
for update_report in actionclient.update_reports:
# FIXME: make sure we don't get None reports
if update_report:
print update_report
except connection.ExpiredIdentityCertException, e:
log.critical(_("Your identity certificate has expired"))
raise e
except connection.GoneException, ge:
uuid = ConsumerIdentity.read().getConsumerId()
# This code is to prevent an errant 410 response causing consumer cert deletion.
#
# If a server responds with a 410, we want to very that it's not just a 410 http status, but
# also that the response is from candlepin, and include the right info about the consumer.
#
# A connection to the entitlement server could get an unintentional 410 response. A common
# cause for that kind of error would be a bug or crash or misconfiguration of a reverse proxy
# in front of candlepin. Most error codes we treat as temporary and transient, and they don't
# cause any action to be taken (aside from error handling). But since consumer deletion is tied
# to the 410 status code, and that is difficult to recover from, we try to be a little bit
# more paranoid about that case.
#
# So we look for both the 410 status, and the expected response body. If we get those
# then python-rhsm will create a GoneException that includes the deleted_id. If we get
def __init__(self):
key = ConsumerIdentity.keypath()
cert = ConsumerIdentity.certpath()
UEPConnection.__init__(self, key_file=key, cert_file=cert)
def _main(options, log):
# Set default mainloop
dbus.mainloop.glib.DBusGMainLoop(set_as_default=True)
# exit on SIGTERM, otherwise finally statements don't run (one explanation: http://stackoverflow.com/a/41840796)
# SIGTERM happens for example when systemd wants the service to stop
# without finally statements, we get confusing behavior (ex. see bz#1431659)
signal.signal(signal.SIGTERM, exit_on_signal)
cp_provider = inj.require(inj.CP_PROVIDER)
correlation_id = generate_correlation_id()
log.info('X-Correlation-ID: %s', correlation_id)
cp_provider.set_correlation_id(correlation_id)
if not ConsumerIdentity.existsAndValid():
log.error('Either the consumer is not registered or the certificates' +
' are corrupted. Certificate update using daemon failed.')
sys.exit(-1)
print(_('Updating entitlement certificates & repositories'))
cp = cp_provider.get_consumer_auth_cp()
cp.supports_resource(None) # pre-load supported resources; serves as a way of failing before locking the repos
try:
if options.autoheal:
actionclient = action_client.HealingActionClient()
else:
actionclient = action_client.ActionClient()
actionclient.update(options.autoheal)
for update_report in actionclient.update_reports:
# FIXME: make sure we don't get None reports
if update_report:
print(update_report)
except connection.ExpiredIdentityCertException as e:
log.critical(_("Your identity certificate has expired"))
raise e
except connection.GoneException as ge:
uuid = ConsumerIdentity.read().getConsumerId()
# This code is to prevent an errant 410 response causing consumer cert deletion.
#
# If a server responds with a 410, we want to very that it's not just a 410 http status, but
# also that the response is from candlepin, and include the right info about the consumer.
#
# A connection to the entitlement server could get an unintentional 410 response. A common
# cause for that kind of error would be a bug or crash or misconfiguration of a reverse proxy
# in front of candlepin. Most error codes we treat as temporary and transient, and they don't
# cause any action to be taken (aside from error handling). But since consumer deletion is tied
# to the 410 status code, and that is difficult to recover from, we try to be a little bit
# more paranoid about that case.
#
# So we look for both the 410 status, and the expected response body. If we get those
# then python-rhsm will create a GoneException that includes the deleted_id. If we get
# A GoneException and the deleted_id matches, then we actually delete the consumer.
#
# However... If we get a GoneException and it's deleted_id does not match the current
# consumer uuid, we do not delete the consumer. That would require using a valid consumer
# cert, but making a request for a different consumer uuid, so unlikely. Could register
# with --consumerid get there?
if ge.deleted_id == uuid:
log.critical("Consumer profile \"%s\" has been deleted from the server. Its local certificates will now be archived", uuid)
managerlib.clean_all_data()
log.critical("Certificates archived to '/etc/pki/consumer.old'. Contact your system administrator if you need more information.")
raise ge
class ReconciliationEngine(object):
def __init__(self, oscs, rdb, logger, opts):
self.oscs = oscs
self.rdb = rdb
self.logger = logger
self.opts = opts
self.rhsmconfig = rhsm.config.initConfig()
try:
self.consumer_key = _read(ConsumerIdentity.keypath())
self.consumer_cert = _read(ConsumerIdentity.certpath())
except IOError as ioerr:
if 2 == ioerr.errno:
raise SubscriptionManagerNotRegisteredError()
self.consumer_identity = ConsumerIdentity(self.consumer_key, self.consumer_cert)
self.consumer_uuid = self.consumer_identity.getConsumerId()
self.cp_provider = inj.require(inj.CP_PROVIDER)
self.cp = self.cp_provider.get_consumer_auth_cp()
# self.ATTR_DEFAULTS = dict([(attr, RepoConf.optionobj(attr).default) for attr in IMPORTANT_ATTRS])
self._set_attr_defaults()
self.problem = False
def _set_attr_defaults(self):
self.ATTR_DEFAULTS = dict()
for attr in IMPORTANT_ATTRS:
try:
self.ATTR_DEFAULTS[attr] = RepoConf.optionobj(attr).default
except KeyError:
IMPORTANT_ATTRS.remove(attr)
def get_overrides_and_repos(self):
overrides = self.cp.getContentOverrides(self.consumer_uuid)
override_repos = list(set([ovrd['contentLabel'] for ovrd in overrides]))
ovrdict = defaultdict(lambda: defaultdict(lambda: None))
for ovrd in overrides:
ovrdict[ovrd['contentLabel']][ovrd['name']] = ovrd['value']
return ovrdict, override_repos
def set_override(self, repo, attr):
if not self.problem:
self.logger.error(SET_OVERRIDE_MSG)
if self.opts.fix:
self.logger.error(SET_OVERRIDE_FIX_MSG)
else:
self.logger.error(SET_OVERRIDE_REPORT_MSG)
self.problem = True
value = repo.getAttribute(attr)
option = RepoConf.optionobj(attr)
if self.opts.fix:
if isinstance(option, config.ListOption):
v_str = ' '.join(value)
else:
v_str = option.tostring(value)
if self.current_repoid != repo.id:
self.current_repoid = repo.id
self.logger.error("Updating repository %s" % repo.id)
self.logger.error(" %s: %s" % (attr, v_str))
self.oscs.set_save_repo_attr(repo.id, attr, value)
else:
self.logger.error(
"# %s" %
self.oscs.get_update_override_cmd(
repo, attr, repo.getAttribute(attr), for_output=True))
def fix_overrides_for_repo(self, repoid, overrides):
self.current_repoid=""
try:
repo = self.oscs.repo_for_repoid(repoid)
except KeyError:
if self.opts.fix:
self.logger.warning('Cannot modify content overrides for '
'non-existent repo %s' % repoid)
return # don't operate on nonexistant repos
for attr in IMPORTANT_ATTRS:
if repo.getAttribute(attr) != self.ATTR_DEFAULTS[attr]:
if not overrides[repoid] or not overrides[repoid][attr]:
self.set_override(repo, attr)
def reconcile_overrides(self):
(overrides, override_repos) = self.get_overrides_and_repos()
rhsm_repoids = self.rdb.find_repoids(subscription = 'rhsm')
for repoid in rhsm_repoids:
self.fix_overrides_for_repo(repoid, overrides)
return self.problem
def upload_package_profile():
uep = connection.UEPConnection(cert_file=ConsumerIdentity.certpath(),
key_file=ConsumerIdentity.keypath())
get_manager().profilelib._do_update()
def lookup_consumer_id():
try:
certificate = ConsumerIdentity.read()
return certificate.getConsumerId()
except IOError:
return None
def get_uep():
key = ConsumerIdentity.keypath()
cert = ConsumerIdentity.certpath()
uep = UEPConnection(key_file=key, cert_file=cert)
return uep
