def test_healing_needs_heal(self):
    """Check that healing attempts a bind when the cert sorter reports invalid."""
    # A stub product dir holding products without entitlements is needed;
    # no mocking is required for that since a product can be passed in directly.
    self.mock_cert_sorter.is_valid = mock.Mock(return_value=False)

    healer = action_client.HealingActionClient()
    healer.update(autoheal=True)

    bind_was_called = self.mock_uep.bind.called
    self.assertTrue(bind_was_called)
def test_healing_no_heal(self):
    """Check that healing does not bind while the system is valid for 15 more days."""
    remaining_compliance = timedelta(days=15)
    self.mock_cert_sorter.is_valid = mock.Mock(return_value=True)
    # NOTE(review): this is a naive datetime, whereas
    # test_healing_needs_heal_tomorrow builds compliant_until with
    # datetime.now(GMT()). Confirm the code under test accepts a naive value;
    # if a naive/aware comparison raised and was only logged, this assertion
    # could pass for the wrong reason.
    self.mock_cert_sorter.compliant_until = datetime.now() + remaining_compliance

    healer = action_client.HealingActionClient()
    healer.update(autoheal=True)

    bind_was_called = self.mock_uep.bind.called
    self.assertFalse(bind_was_called)
def test_healing_trigger_exception(self, mock_log):
    """Check that an unexpected exception during healing is logged, not propagated.

    Args:
        mock_log: mock whose recorded method calls are inspected for an
            ``exception`` call carrying a TypeError (presumably injected by a
            patch decorator that is not part of this listing).
    """
    # is_valid is forced to raise the TypeError that the cert sorter used to
    # produce when working from the product dir.
    self.mock_cert_sorter.is_valid = mock.Mock(side_effect=TypeError())

    healer = action_client.HealingActionClient()
    healer.update(autoheal=True)

    # Each entry is (method name, positional args, ...); the first positional
    # argument is only inspected for calls named 'exception'.
    type_error_logged = any(
        entry[0] == 'exception' and isinstance(entry[1][0], TypeError)
        for entry in mock_log.method_calls
    )
    if not type_error_logged:
        self.fail("Did not see TypeError in the logged exceptions")
def test_healing_needs_heal_tomorrow(self, cert_build_mock):
    """Check that healing binds when compliance ends within the next day.

    Args:
        cert_build_mock: mock whose return value is set to a
            (mock, entitlement) pair (presumably injected by a patch
            decorator that is not part of this listing).
    """
    # Valid today, but not valid 24h from now: compliance ends in six hours.
    compliance_end = datetime.now(GMT()) + timedelta(hours=6)
    self.mock_cert_sorter.is_valid = mock.Mock(return_value=True)
    self.mock_cert_sorter.compliant_until = compliance_end

    expiring_ent = self.stub_ent_expires_tomorrow
    cert_build_mock.return_value = (mock.Mock(), expiring_ent)
    self._stub_certificate_calls([expiring_ent])

    healer = action_client.HealingActionClient()
    healer.update(autoheal=True)

    # A bind call shows that a certificate update was attempted.
    bind_was_called = self.mock_uep.bind.called
    self.assertTrue(bind_was_called)
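def main(options, log):
    """Update entitlement certificates and repositories for this consumer.

    Args:
        options: parsed options; only ``options.autoheal`` is read here.
        log: logger that receives the correlation id and error messages.

    Raises:
        SystemExit: with status -1 when ConsumerIdentity.existsAndValid()
            is false.
        connection.ExpiredIdentityCertException: re-raised after being
            logged as critical.
    """
    # Set default mainloop
    dbus.mainloop.glib.DBusGMainLoop(set_as_default=True)

    # exit on SIGTERM, otherwise finally statements don't run
    # (one explanation: http://stackoverflow.com/a/41840796)
    # SIGTERM happens for example when systemd wants the service to stop
    # without finally statements, we get confusing behavior (ex. see bz#1431659)
    signal.signal(signal.SIGTERM, exit_on_signal)

    cp_provider = inj.require(inj.CP_PROVIDER)
    correlation_id = generate_correlation_id()
    log.info('X-Correlation-ID: %s', correlation_id)
    cp_provider.set_correlation_id(correlation_id)

    if not ConsumerIdentity.existsAndValid():
        log.error('Either the consumer is not registered or the certificates' +
                  ' are corrupted. Certificate update using daemon failed.')
        sys.exit(-1)
    # Parenthesised single-argument print behaves the same as the print
    # statement and also parses under Python 3.
    print(_('Updating entitlement certificates & repositories'))

    cp = cp_provider.get_consumer_auth_cp()
    # pre-load supported resources; serves as a way of failing before locking the repos
    cp.supports_resource(None)

    try:
        if options.autoheal:
            actionclient = action_client.HealingActionClient()
        else:
            actionclient = action_client.ActionClient()

        actionclient.update(options.autoheal)

        for update_report in actionclient.update_reports:
            # FIXME: make sure we don't get None reports
            if update_report:
                print(update_report)

    except connection.ExpiredIdentityCertException:
        log.critical(_("Your identity certificate has expired"))
        # A bare raise keeps the original traceback; "raise e" would restart
        # it at this line under Python 2.
        raise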
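def main(options, log):
    """Update entitlement certificates and repositories for this consumer.

    Args:
        options: parsed options; only ``options.autoheal`` is read here.
        log: logger that receives error messages.

    Raises:
        SystemExit: with status -1 when ConsumerIdentity.existsAndValid()
            is false.
        connection.ExpiredIdentityCertException: re-raised after being
            logged as critical.
    """
    if not ConsumerIdentity.existsAndValid():
        log.error('Either the consumer is not registered or the certificates' +
                  ' are corrupted. Certificate update using daemon failed.')
        sys.exit(-1)
    # Parenthesised single-argument print behaves the same as the print
    # statement and also parses under Python 3.
    print(_('Updating entitlement certificates & repositories'))

    try:
        if options.autoheal:
            actionclient = action_client.HealingActionClient()
        else:
            actionclient = action_client.ActionClient()

        actionclient.update(options.autoheal)

        for update_report in actionclient.update_reports:
            # FIXME: make sure we don't get None reports
            if update_report:
                print(update_report)

    except connection.ExpiredIdentityCertException:
        log.critical(_("Your identity certificate has expired"))
        # A bare raise keeps the original traceback; "raise e" would restart
        # it at this line under Python 2.
        raise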
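def main(options, log):
    """Update entitlement certificates and repositories for this consumer.

    Args:
        options: parsed options; only ``options.autoheal`` is read here.
        log: logger that receives the correlation id and error messages.

    Raises:
        SystemExit: with status -1 when ConsumerIdentity.existsAndValid()
            is false.
        connection.ExpiredIdentityCertException: re-raised after being
            logged as critical.
    """
    # Set default mainloop
    dbus.mainloop.glib.DBusGMainLoop(set_as_default=True)

    cp_provider = inj.require(inj.CP_PROVIDER)
    correlation_id = generate_correlation_id()
    log.info('X-Correlation-ID: %s', correlation_id)
    cp_provider.set_correlation_id(correlation_id)

    if not ConsumerIdentity.existsAndValid():
        log.error('Either the consumer is not registered or the certificates' +
                  ' are corrupted. Certificate update using daemon failed.')
        sys.exit(-1)
    # Parenthesised single-argument print behaves the same as the print
    # statement and also parses under Python 3.
    print(_('Updating entitlement certificates & repositories'))

    cp = cp_provider.get_consumer_auth_cp()
    # pre-load supported resources; serves as a way of failing before locking the repos
    cp.supports_resource(None)

    try:
        if options.autoheal:
            actionclient = action_client.HealingActionClient()
        else:
            actionclient = action_client.ActionClient()

        actionclient.update(options.autoheal)

        for update_report in actionclient.update_reports:
            # FIXME: make sure we don't get None reports
            if update_report:
                print(update_report)

    except connection.ExpiredIdentityCertException:
        log.critical(_("Your identity certificate has expired"))
        # A bare raise keeps the original traceback; "raise e" would restart
        # it at this line under Python 2.
        raise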
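def _main(options, log):
    """Update entitlement certificates and repositories for this consumer.

    Args:
        options: parsed options; ``options.autoheal`` and ``options.force``
            are read here.
        log: logger that receives the correlation id, warnings and errors.

    Raises:
        SystemExit: with status -1 when the ``rhsmcertd``/``disable`` setting
            is '1' and ``options.force`` is false, or when
            ConsumerIdentity.existsAndValid() is false.
        connection.ExpiredIdentityCertException: re-raised after being
            logged as critical.
        connection.GoneException: re-raised after the handler below has run.
            Local data is cleaned only when the exception's deleted_id equals
            the local consumer id.
    """
    # Set default mainloop
    dbus.mainloop.glib.DBusGMainLoop(set_as_default=True)

    # exit on SIGTERM, otherwise finally statements don't run
    # (one explanation: http://stackoverflow.com/a/41840796)
    # SIGTERM happens for example when systemd wants the service to stop
    # without finally statements, we get confusing behavior (ex. see bz#1431659)
    signal.signal(signal.SIGTERM, exit_on_signal)

    cp_provider = inj.require(inj.CP_PROVIDER)
    correlation_id = generate_correlation_id()
    log.info('X-Correlation-ID: %s', correlation_id)
    cp_provider.set_correlation_id(correlation_id)

    cfg = config.initConfig()
    log.debug('check for rhsmcertd disable')
    if '1' == cfg.get('rhsmcertd', 'disable') and not options.force:
        log.warning('The rhsmcertd process has been disabled by configuration.')
        sys.exit(-1)

    if not ConsumerIdentity.existsAndValid():
        log.error('Either the consumer is not registered or the certificates' +
                  ' are corrupted. Certificate update using daemon failed.')
        sys.exit(-1)
    print(_('Updating entitlement certificates & repositories'))

    cp = cp_provider.get_consumer_auth_cp()
    # pre-load supported resources; serves as a way of failing before locking the repos
    cp.supports_resource(None)

    try:
        if options.autoheal:
            actionclient = action_client.HealingActionClient()
        else:
            actionclient = action_client.ActionClient()

        actionclient.update(options.autoheal)

        for update_report in actionclient.update_reports:
            # FIXME: make sure we don't get None reports
            if update_report:
                print(update_report)

    except connection.ExpiredIdentityCertException:
        log.critical(_("Your identity certificate has expired"))
        raise
    except connection.GoneException as ge:
        uuid = ConsumerIdentity.read().getConsumerId()

        # This code is to prevent an errant 410 response causing consumer cert deletion.
        #
        # If a server responds with a 410, we want to verify that it's not just a 410 http
        # status, but also that the response is from candlepin, and includes the right info
        # about the consumer.
        #
        # A connection to the entitlement server could get an unintentional 410 response. A
        # common cause for that kind of error would be a bug or crash or misconfiguration of a
        # reverse proxy in front of candlepin. Most error codes we treat as temporary and
        # transient, and they don't cause any action to be taken (aside from error handling).
        # But since consumer deletion is tied to the 410 status code, and that is difficult to
        # recover from, we try to be a little bit more paranoid about that case.
        #
        # So we look for both the 410 status, and the expected response body. If we get those
        # then python-rhsm will create a GoneException that includes the deleted_id. If we get
        # a GoneException and the deleted_id matches, then we actually delete the consumer.
        #
        # However... If we get a GoneException and its deleted_id does not match the current
        # consumer uuid, we do not delete the consumer. That would require using a valid
        # consumer cert, but making a request for a different consumer uuid, so unlikely. Could
        # register with --consumerid get there?
        if ge.deleted_id == uuid:
            log.critical("Consumer profile \"%s\" has been deleted from the server. Its local certificates will now be archived", uuid)
            managerlib.clean_all_data()
            log.critical("Certificates archived to '/etc/pki/consumer.old'. Contact your system administrator if you need more information.")
        else:
            # Leave an audit trail for the mismatch: the destructive cleanup is
            # skipped, and an operator should be able to see that a 410 arrived
            # for an id other than this consumer's. %r keeps any unexpected
            # characters in the server-supplied value visible in the log.
            log.warning("Received a 410 Gone response with deleted_id %r, which does not match consumer \"%s\". Local certificates were left in place", ge.deleted_id, uuid)

        # Re-raised in both cases so the caller still sees the failure.
        raise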