On 23.7.2014 12:23, Martin Kosek wrote:
On 07/23/2014 10:49 AM, Jan Cholasta wrote:
On 23.7.2014 10:38, Martin Kosek wrote:
On 07/23/2014 10:33 AM, Jan Cholasta wrote:
On 23.7.2014 10:12, Martin Kosek wrote:
On 07/23/2014 09:56 AM, David Kupka wrote:
While solving ticket #4280 I noticed that we are messing with certmonger's
files right under its hands. That can lead to some unpleasant race condition
issues.
Is there any reason why not to call certmonger via DBus and ask it to stop
tracking the requests?

+1 for using the dbus API. When I saw the hacky way of parsing certmonger
internal configuration files in ipapython/certmonger.py, I suggested the dbus
way as IMO it would not be difficult to implement, it would make us more
future proof and it would remove intermittent problems like #4280.

I have already started using the API, e.g. for adding/removing of the CA helper
in cainstance. Word of warning, the API apparently is not exercised much and
there might be bugs (I found one causing certmonger to segfault which Nalin
promptly fixed).

Yup, this is the place where the inspiration came from :-)

Certmonger API looked complete enough to pull this off:
https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/api.txt

If I am wrong, please tell me.

IIRC some of the properties in requests might not be accessible using the API.
But I'm not sure if this is true or if it affects us.

I did a couple of tests and it seems that getting properties works fine:

>>> import dbus
>>> bus = dbus.SystemBus()
>>> obj = bus.get_object('org.fedorahosted.certmonger', '/org/fedorahosted/certmonger')
>>> iface = dbus.Interface(obj, 'org.fedorahosted.certmonger')
>>> reqs = iface.get_requests()
>>> req = bus.get_object('org.fedorahosted.certmonger', reqs[0])
>>> iface_request = dbus.Interface(req, 'org.fedorahosted.certmonger.request')
>>> iface_request.get_nickname()
dbus.String(u'20140723081859')
>>> iface_request.get_status()
(dbus.String(u'MONITORING'), dbus.Boolean(False))
>>> iface_request.get_key_storage_info()
(dbus.String(u'NSSDB'), dbus.String(u'/etc/pki/pki-tomcat/alias'), dbus.String(u'auditSigningCert cert-pki-ca'), dbus.String(u'NSS Certificate DB'))
>>> iface_request.get_cert_data()
dbus.String(u'-----BEGIN CERTIFICATE-----\nMIIDZzCCAk+gAwIBAgIBBTANBgkqhkiG9w0BAQsFADA/MR0wGwYDVQQKDBRNS09T\r\nRUstRkVET1JBMjAuVEVTVDEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5\r\nMB4XDTE0MDcyMzA4MTc1OVoXDTE2MDcxMjA4MTc1OVowMjEdMBsGA1UECgwUTUtP\r\nU0VLLUZFRE9SQTIwLlRFU1QxETAPBgNVBAMMCENBIEF1ZGl0MIIBIjANBgkqhkiG\r\n9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxHJ6iNEUOCLybjMsuC1X3ojJFDml91caAT6u\r\nvySSnz6S79Y2Z3CgpnS71p842SukEXtawkBH+4Vzv3EkiT2OEGFMIFPxtg0z6KJw\r\n64Kv7R6qP1N9iW091pSsui8CoypINtvOmdZtop6meqPEcbjqVzYqQxZ2nq4FI1Ed\r\ncPiirF33OkAJQ5CuvzJFotoZ7f7tAisTpUqghCBAr0kg5MtvcjtlB+hysdVWf+rf\r\nCpzsVA1DbXRNdwsZpOv07Lhm1EGIsJZ3/wZszBpycM1H+8mIuTa5mpNpluDHoDrG\r\ne51TzF5F/DQI7ctMoI6CGxPvyPGbammKcID/yDzyePx3XBnCaQIDAQABo3sweTAf\r\nBgNVHSMEGDAWgBQoqt6chwnASMhQa2DwaWvSF9C/GDAOBgNVHQ8BAf8EBAMCBsAw\r\nRgYIKwYBBQUHAQEEOjA4MDYGCCsGAQUFBzABhipodHRwOi8vaXBhLm1rb3Nlay1m\r\nZWRvcmEyMC50ZXN0OjgwL2NhL29jc3AwDQYJKoZIhvcNAQELBQADggEBAEDoy8AW\r\nJinIA4pYEDuTYG/mUBJvvaH+XR7a8pZtX0mnWOlS1mbI1gjlkCCBi7t//c2U3Nmx\r\nb+EiG8isXT0urow...7+Wa1kN57SRkMeJIhCTBWOVGEBYGA6nUUKb\r\nnULomV9XXE5Bj+yP3IRewe0AYL0Gyk5QnSNLCYUMA+u/oi4i+uloKv3yZd6On0Re\r\nuIVSvmwXNHMKgGPg2cKSu1fd9tZ7qvQo6Vblf/zYp17tg2Vgd/ESeqgclgJs8AaL\r\nRDED3RT0FaOR/6SCTrXTGymmRaAVA6gGCUScyWD+MaKldOu2qDBG32obPiSw9lm8\r\nnxQBR2IlqByyeDA=\n-----END CERTIFICATE-----\n\n')

Martin


When I said "some of the properties", I certainly did not mean the absolute
basics, but rather stuff like "cert-presave-command".

Ah, ok. Then I think this snippet will help:

>>> properties_manager = dbus.Interface(req, 'org.freedesktop.DBus.Properties')
>>> properties_manager.Get('org.fedorahosted.certmonger.request', 'cert-presave-command')
dbus.String(u'/usr/lib64/ipa/certmonger/stop_pkicad')
>>> properties_manager.Get('org.fedorahosted.certmonger.request', 'cert-postsave-command')
dbus.String(u'/usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"')

Martin


Nice, I think we are good to go then.

--
Jan Cholasta
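
The thread agrees on asking certmonger over D-Bus to stop tracking a request rather than editing the files under its request directory behind its back. The script below is an added example of that, written for this page; it is not FreeIPA's or certmonger's own code. It uses only the interface and method names that appear in the session above (org.fedorahosted.certmonger, get_requests, get_key_storage_info, org.fedorahosted.certmonger.request) plus remove_request from the same org.fedorahosted.certmonger interface, which certmonger's doc/api.txt documents as returning a boolean. The request object paths and the FILE-backed entry in SAMPLE_CANDIDATES are constructed sample data. It needs dbus-python and must run as root on a host where certmonger is running to do anything; the matching logic itself needs neither.

```python
"""Stop certmonger tracking a certificate via D-Bus (added example, not
FreeIPA or certmonger code). Replaces hand-editing certmonger's request
files, which races with the daemon as noted in the thread."""
import sys

CM_BUS_NAME = 'org.fedorahosted.certmonger'
CM_OBJECT_PATH = '/org/fedorahosted/certmonger'
CM_IFACE = 'org.fedorahosted.certmonger'
CM_REQUEST_IFACE = 'org.fedorahosted.certmonger.request'

# Constructed sample shaped on the get_key_storage_info() output shown in the
# thread; the object paths and the FILE entry are made up for illustration.
SAMPLE_CANDIDATES = [
    ('/org/fedorahosted/certmonger/requests/Request1',
     ('NSSDB', '/etc/pki/pki-tomcat/alias',
      'auditSigningCert cert-pki-ca', 'NSS Certificate DB')),
    ('/org/fedorahosted/certmonger/requests/Request2',
     ('NSSDB', '/etc/pki/pki-tomcat/alias',
      'ocspSigningCert cert-pki-ca', 'NSS Certificate DB')),
    ('/org/fedorahosted/certmonger/requests/Request3',
     ('FILE', '/etc/pki/tls/private/example.key', '', '')),
]


def select_requests(candidates, location, nickname=None):
    """Return the request object paths whose key storage matches.

    candidates: iterable of (object_path, storage_info), where storage_info
    is the 4-tuple get_key_storage_info() returns: (type, location,
    nickname, token). For NSSDB the location is the database directory and
    one database holds many certs, so the nickname is mandatory; for FILE
    the location is the key file itself and the nickname is ignored.
    """
    matches = []
    for path, (storage_type, loc, nick, _token) in candidates:
        if str(loc) != location:
            continue
        if str(storage_type) == 'NSSDB':
            if nickname is None or str(nick) != nickname:
                continue
        matches.append(str(path))
    return matches


def stop_tracking(location, nickname=None, bus=None):
    """Remove exactly one certmonger request for this key, or raise."""
    import dbus  # imported lazily so select_requests() needs no dbus-python

    bus = bus if bus is not None else dbus.SystemBus()
    certmonger = dbus.Interface(
        bus.get_object(CM_BUS_NAME, CM_OBJECT_PATH), CM_IFACE)

    # Ask the daemon for its view of the requests instead of reading
    # /var/lib/certmonger/requests/*, so there is no file-level race.
    candidates = []
    for path in certmonger.get_requests():
        request = dbus.Interface(
            bus.get_object(CM_BUS_NAME, path), CM_REQUEST_IFACE)
        candidates.append((path, tuple(request.get_key_storage_info())))

    matches = select_requests(candidates, location, nickname)
    if len(matches) != 1:
        # Refuse to guess: removing the wrong request silently stops renewal
        # of some other certificate.
        raise LookupError('expected exactly one request for %r, found %d'
                          % ((location, nickname), len(matches)))
    # remove_request takes the request object path and returns True on success.
    if not certmonger.remove_request(matches[0]):
        raise RuntimeError('certmonger refused to remove %s' % matches[0])
    return matches[0]


if __name__ == '__main__':
    # e.g. stop_tracking.py /etc/pki/pki-tomcat/alias 'auditSigningCert cert-pki-ca'
    print(stop_tracking(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None))
```

Matching on the key storage tuple rather than on the request nickname matters because certmonger's default nicknames are timestamps like the '20140723081859' seen above and carry no hint of which certificate they track; insisting on exactly one match keeps a typo in the database path from untracking a different CA certificate.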

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
