acertmgr: implement deployment error handling

Remove the long-standing todo from cert_put and implement useful error handling and defaults for certificate deployment. Also do a separate try/expect for each deployed file on every single certificate.
2024-12-29 10:31:49 +01:00 · 2019-04-05 09:59:29 +02:00 · 2019-04-05 09:59:29 +02:00 · 89be66dc87
commit 89be66dc87
parent 7c9e7f7d0c
2 changed files with 41 additions and 52 deletions
--- a/README.md
+++ b/README.md
@ -99,11 +99,11 @@ By default the directory (work_dir) containing the working data (csr,certificate
 | nsupdate_keyalgorithm   | **d**,g           | [dns.nsupdate] TSIG key algorithm to use for updates                                                                                         | HMAC-MD5.SIG-ALG.REG.INT             |
 | defaults:               | **g**             | Default deployment action settings used by all domains                                                                                       |                                      |
 | path                    | **d**             | (deployment) deploy certificate data to the given file                                                                                       |                                      |
 | user                    | **d**,g(defaults) | (deployment) change the user of the file deployed at path to this value                                                                      |                                      |
 | group                   | **d**,g(defaults) | (deployment) change the group of the file deployed at path to this value                                                                     |                                      |
 | perm                    | **d**,g(defaults) | (deployment) change the permissions of the file deployed at path to this value                                                               |                                      |
 | format                  | **d**,g(defaults) | (deployment) deploy one or more of the following data to the file at path: key,crt,ca                                                        |                                      |
-| action                  | **d**,g(defaults) | (deployment) run the following action after deployment is finished. This command will be run in a shell and therefore supports shell syntax. |                                      |
+| user                    | **d**,g(defaults) | (deployment) change the user of the file deployed at path to this value (optional, defaults to acertmgr current effective user)              |                                      |
 | group                   | **d**,g(defaults) | (deployment) change the group of the file deployed at path to this value (optional,defaults to acertmgr current effective group)             |                                      |
 | perm                    | **d**,g(defaults) | (deployment) change the permissions of the file deployed at path to this value (optional, CAUTION: uses system defaults for new files)       |                                      |
 | action                  | **d**,g(defaults) | (deployment) run the following action after deployment is finished. This command will be run in a shell and supports it's syntax. (optional) |                                      |
 Security
 --------
--- a/acertmgr/init.py
+++ b/acertmgr/init.py
@ -70,52 +70,41 @@ def cert_get(settings):
 # @param settings the domain's configuration options
 # @return the action to be executed after the certificate update
 def cert_put(settings):
-    # TODO error handling
+    if 'path' not in settings:
-    ca_file = settings['ca_file']
+        raise ValueError('Deployment settings are missing required element: path')
-    crt_user = settings['user']
+    if 'format' not in settings:
-    crt_group = settings['group']
+        raise ValueError('Deployment settings are missing required element: format')
    crt_perm = settings['perm']
    crt_path = settings['path']
    crt_format = settings['format'].split(",")
    crt_format = [str.strip(x) for x in crt_format]
    crt_action = settings['action']
-    key_file = settings['key_file']
+    with io.open(settings['path'], "w+") as crt_fd:
-    crt_final = settings['cert_file']
+        for fmt in [str.strip(x) for x in settings['format'].split(",")]:
    with io.open(crt_path, "w+") as crt_fd:
        for fmt in crt_format:
            if fmt == "crt":
-                src_fd = io.open(crt_final, "r")
+                with io.open(settings['cert_file'], "r") as src_fd:
-                crt_fd.write(src_fd.read())
+                    crt_fd.write(src_fd.read())
-                src_fd.close()
+            elif fmt == "key":
-            if fmt == "key":
+                with io.open(settings['key_file'], "r") as src_fd:
-                src_fd = io.open(key_file, "r")
+                    crt_fd.write(src_fd.read())
-                crt_fd.write(src_fd.read())
+            elif fmt == "ca":
-                src_fd.close()
+                with io.open(settings['ca_file'], "r") as src_fd:
-            if fmt == "ca":
+                    crt_fd.write(src_fd.read())
                if not os.path.isfile(ca_file):
                    raise FileNotFoundError("The CA certificate file (%s) is missing!" % ca_file)
                src_fd = io.open(ca_file, "r")
                crt_fd.write(src_fd.read())
                src_fd.close()
            else:
-                # TODO error handling
+                log("Ignored unknown deployment format key: {}".format(fmt), warning=True)
                pass
-    # set owner and permissions
+    # set owner and group
-    uid = pwd.getpwnam(crt_user).pw_uid
+    if 'user' in settings or 'group' in settings:
-    gid = grp.getgrnam(crt_group).gr_gid
+        try:
-    try:
+            uid = pwd.getpwnam(settings['user']).pw_uid if 'user' in settings else os.geteuid()
-        os.chown(crt_path, uid, gid)
+            gid = grp.getgrnam(settings['group']).gr_gid if 'group' in settings else os.getegid()
-    except OSError:
+            os.chown(settings['path'], uid, gid)
-        log('Could not set certificate file ownership!', warning=True)
+        except OSError as e:
-    try:
+            log('Could not set certificate file ownership', e, warning=True)
-        os.chmod(crt_path, int(crt_perm, 8))
+    # set permissions
-    except OSError:
+    if 'perm' in settings:
-        log('Could not set certificate file permissions!', warning=True)
+        try:
            os.chmod(settings['path'], int(settings['perm'], 8))
        except OSError as e:
            log('Could not set certificate file permissions', e, warning=True)
-    return crt_action
+    return settings['action']
 def cert_revoke(cert, configs, fallback_authority, reason=None):
@ -169,15 +158,15 @@ def main():
        # deploy new certificates after all are renewed
        deployment_success = True
        for config in domainconfigs:
-            try:
+            for cfg in config['actions']:
-                for cfg in config['actions']:
+                try:
                    if not tools.target_is_current(cfg['path'], config['cert_file']):
                        log("Updating '{}' due to newer version".format(cfg['path']))
                        actions.add(cert_put(cfg))
-            except Exception as e:
+                        log("Updated '{}' due to newer version".format(cfg['path']))
-                log("Certificate deployment failed", e, error=True)
+                except Exception as e:
-                exceptions.append(e)
+                    log("Certificate deployment to {} failed".format(cfg['path']), e, error=True)
-                deployment_success = False
+                    exceptions.append(e)
                    deployment_success = False
        # run post-update actions
        for action in actions: