def test_healing_needs_heal(self):
# need a stub product dir with prods with no entitlements,
# don't have to mock here since we can actually pass in a product
self.mock_cert_sorter.is_valid = mock.Mock(return_value=False)
actionclient = action_client.HealingActionClient()
actionclient.update(autoheal=True)
self.assertTrue(self.mock_uep.bind.called)
def test_healing_no_heal(self):
self.mock_cert_sorter.is_valid = mock.Mock(return_value=True)
self.mock_cert_sorter.compliant_until = datetime.now() + \
timedelta(days=15)
actionclient = action_client.HealingActionClient()
actionclient.update(autoheal=True)
self.assertFalse(self.mock_uep.bind.called)
def test_healing_trigger_exception(self, mock_log):
# Forcing is_valid to throw the type error we used to expect from
# cert sorter using the product dir. Just making sure an unexpected
# exception is logged and not bubbling up.
self.mock_cert_sorter.is_valid = mock.Mock(side_effect=TypeError())
actionclient = action_client.HealingActionClient()
actionclient.update(autoheal=True)
for call in mock_log.method_calls:
if call[0] == 'exception' and isinstance(call[1][0], TypeError):
return
self.fail("Did not see TypeError in the logged exceptions")
def test_healing_needs_heal_tomorrow(self, cert_build_mock):
# Valid today, but not valid 24h from now:
self.mock_cert_sorter.is_valid = mock.Mock(return_value=True)
self.mock_cert_sorter.compliant_until = datetime.now(GMT()) + \
timedelta(hours=6)
cert_build_mock.return_value = (mock.Mock(),
self.stub_ent_expires_tomorrow)
self._stub_certificate_calls([self.stub_ent_expires_tomorrow])
actionclient = action_client.HealingActionClient()
actionclient.update(autoheal=True)
# see if we tried to update certs
self.assertTrue(self.mock_uep.bind.called)
def main(options, log):
# Set default mainloop
dbus.mainloop.glib.DBusGMainLoop(set_as_default=True)
# exit on SIGTERM, otherwise finally statements don't run (one explanation: http://stackoverflow.com/a/41840796)
# SIGTERM happens for example when systemd wants the service to stop
# without finally statements, we get confusing behavior (ex. see bz#1431659)
signal.signal(signal.SIGTERM, exit_on_signal)
cp_provider = inj.require(inj.CP_PROVIDER)
correlation_id = generate_correlation_id()
log.info('X-Correlation-ID: %s', correlation_id)
cp_provider.set_correlation_id(correlation_id)
if not ConsumerIdentity.existsAndValid():
log.error('Either the consumer is not registered or the certificates' +
' are corrupted. Certificate update using daemon failed.')
sys.exit(-1)
print _('Updating entitlement certificates & repositories')
cp = cp_provider.get_consumer_auth_cp()
cp.supports_resource(
None
) # pre-load supported resources; serves as a way of failing before locking the repos
try:
if options.autoheal:
actionclient = action_client.HealingActionClient()
else:
actionclient = action_client.ActionClient()
actionclient.update(options.autoheal)
for update_report in actionclient.update_reports:
# FIXME: make sure we don't get None reports
if update_report:
print update_report
except connection.ExpiredIdentityCertException, e:
log.critical(_("Your identity certificate has expired"))
raise e
def main(options, log):
if not ConsumerIdentity.existsAndValid():
log.error('Either the consumer is not registered or the certificates' +
' are corrupted. Certificate update using daemon failed.')
sys.exit(-1)
print _('Updating entitlement certificates & repositories')
try:
if options.autoheal:
actionclient = action_client.HealingActionClient()
else:
actionclient = action_client.ActionClient()
actionclient.update(options.autoheal)
for update_report in actionclient.update_reports:
# FIXME: make sure we don't get None reports
if update_report:
print update_report
except connection.ExpiredIdentityCertException, e:
log.critical(_("Your identity certificate has expired"))
raise e
def main(options, log):
# Set default mainloop
dbus.mainloop.glib.DBusGMainLoop(set_as_default=True)
cp_provider = inj.require(inj.CP_PROVIDER)
correlation_id = generate_correlation_id()
log.info('X-Correlation-ID: %s', correlation_id)
cp_provider.set_correlation_id(correlation_id)
if not ConsumerIdentity.existsAndValid():
log.error('Either the consumer is not registered or the certificates' +
' are corrupted. Certificate update using daemon failed.')
sys.exit(-1)
print _('Updating entitlement certificates & repositories')
cp = cp_provider.get_consumer_auth_cp()
cp.supports_resource(
None
) # pre-load supported resources; serves as a way of failing before locking the repos
try:
if options.autoheal:
actionclient = action_client.HealingActionClient()
else:
actionclient = action_client.ActionClient()
actionclient.update(options.autoheal)
for update_report in actionclient.update_reports:
# FIXME: make sure we don't get None reports
if update_report:
print update_report
except connection.ExpiredIdentityCertException, e:
log.critical(_("Your identity certificate has expired"))
raise e
def _main(options, log):
# Set default mainloop
dbus.mainloop.glib.DBusGMainLoop(set_as_default=True)
# exit on SIGTERM, otherwise finally statements don't run (one explanation: http://stackoverflow.com/a/41840796)
# SIGTERM happens for example when systemd wants the service to stop
# without finally statements, we get confusing behavior (ex. see bz#1431659)
signal.signal(signal.SIGTERM, exit_on_signal)
cp_provider = inj.require(inj.CP_PROVIDER)
correlation_id = generate_correlation_id()
log.info('X-Correlation-ID: %s', correlation_id)
cp_provider.set_correlation_id(correlation_id)
cfg = config.initConfig()
log.debug('check for rhsmcertd disable')
if '1' == cfg.get('rhsmcertd', 'disable') and not options.force:
log.warning('The rhsmcertd process has been disabled by configuration.')
sys.exit(-1)
if not ConsumerIdentity.existsAndValid():
log.error('Either the consumer is not registered or the certificates' +
' are corrupted. Certificate update using daemon failed.')
sys.exit(-1)
print(_('Updating entitlement certificates & repositories'))
cp = cp_provider.get_consumer_auth_cp()
cp.supports_resource(None) # pre-load supported resources; serves as a way of failing before locking the repos
try:
if options.autoheal:
actionclient = action_client.HealingActionClient()
else:
actionclient = action_client.ActionClient()
actionclient.update(options.autoheal)
for update_report in actionclient.update_reports:
# FIXME: make sure we don't get None reports
if update_report:
print(update_report)
except connection.ExpiredIdentityCertException as e:
log.critical(_("Your identity certificate has expired"))
raise e
except connection.GoneException as ge:
uuid = ConsumerIdentity.read().getConsumerId()
# This code is to prevent an errant 410 response causing consumer cert deletion.
#
# If a server responds with a 410, we want to very that it's not just a 410 http status, but
# also that the response is from candlepin, and include the right info about the consumer.
#
# A connection to the entitlement server could get an unintentional 410 response. A common
# cause for that kind of error would be a bug or crash or misconfiguration of a reverse proxy
# in front of candlepin. Most error codes we treat as temporary and transient, and they don't
# cause any action to be taken (aside from error handling). But since consumer deletion is tied
# to the 410 status code, and that is difficult to recover from, we try to be a little bit
# more paranoid about that case.
#
# So we look for both the 410 status, and the expected response body. If we get those
# then python-rhsm will create a GoneException that includes the deleted_id. If we get
# A GoneException and the deleted_id matches, then we actually delete the consumer.
#
# However... If we get a GoneException and it's deleted_id does not match the current
# consumer uuid, we do not delete the consumer. That would require using a valid consumer
# cert, but making a request for a different consumer uuid, so unlikely. Could register
# with --consumerid get there?
if ge.deleted_id == uuid:
log.critical("Consumer profile \"%s\" has been deleted from the server. Its local certificates will now be archived", uuid)
managerlib.clean_all_data()
log.critical("Certificates archived to '/etc/pki/consumer.old'. Contact your system administrator if you need more information.")
raise ge
