From 5c0e7644cb666ac499718614f011863e6d84f70b Mon Sep 17 00:00:00 2001
From: "Chris St. Pierre" <chris.a.st.pierre@gmail.com>
Date: Wed, 14 Nov 2012 10:36:53 -0500
Subject: SSLCA: clean up temp files on error, better error messages

---
 src/lib/Bcfg2/Server/Plugins/SSLCA.py | 74 ++++++++++++++++++++++-------------
 1 file changed, 46 insertions(+), 28 deletions(-)

(limited to 'src/lib/Bcfg2/Server/Plugins/SSLCA.py')

diff --git a/src/lib/Bcfg2/Server/Plugins/SSLCA.py b/src/lib/Bcfg2/Server/Plugins/SSLCA.py
index 2a621eeb0..a920a9cca 100644
--- a/src/lib/Bcfg2/Server/Plugins/SSLCA.py
+++ b/src/lib/Bcfg2/Server/Plugins/SSLCA.py
@@ -9,6 +9,7 @@ import lxml.etree
 import tempfile
 from subprocess import Popen, PIPE, STDOUT
 from Bcfg2.Compat import ConfigParser, md5
+from Bcfg2.Server.Plugin import PluginExecutionError
 
 
 class SSLCA(Bcfg2.Server.Plugin.GroupSpool):
@@ -235,29 +236,37 @@ class SSLCA(Bcfg2.Server.Plugin.GroupSpool):
         """
         creates a new certificate according to the specification
         """
-        req_config = self.build_req_config(entry, metadata)
-        req = self.build_request(key_filename, req_config, entry)
-        ca = self.cert_specs[entry.get('name')]['ca']
-        ca_config = self.CAs[ca]['config']
-        days = self.cert_specs[entry.get('name')]['days']
-        passphrase = self.CAs[ca].get('passphrase')
-        cmd = ["openssl", "ca", "-config", ca_config, "-in", req,
-               "-days", days, "-batch"]
-        if passphrase:
-            cmd.extend(["-passin", "pass:%s" % passphrase])
-        self.debug_log("SSLCA: Generating new certificate: %s" % " ".join(cmd))
-        proc = Popen(cmd, stdin=PIPE, stdout=PIPE, stderr=PIPE)
-        (cert, err) = proc.communicate()
-        if proc.wait():
-            raise Bcfg2.Server.Plugin.PluginExecutionError(
-                "SSLCA: Failed to generate cert: %s" %
-                err.splitlines()[-1])  # pylint: disable=E1103
+        req_config = None
+        req = None
         try:
-            os.unlink(req_config)
-            os.unlink(req)
-        except OSError:
-            self.logger.error("SSLCA: Failed to unlink temporary files: %s" %
-                              sys.exc_info()[1])
+            req_config = self.build_req_config(entry, metadata)
+            req = self.build_request(key_filename, req_config, entry)
+            ca = self.cert_specs[entry.get('name')]['ca']
+            ca_config = self.CAs[ca]['config']
+            days = self.cert_specs[entry.get('name')]['days']
+            passphrase = self.CAs[ca].get('passphrase')
+            cmd = ["openssl", "ca", "-config", ca_config, "-in", req,
+                   "-days", days, "-batch"]
+            if passphrase:
+                cmd.extend(["-passin", "pass:%s" % passphrase])
+            self.debug_log("SSLCA: Generating new certificate: %s" %
+                           " ".join(cmd))
+            proc = Popen(cmd, stdin=PIPE, stdout=PIPE, stderr=PIPE)
+            (cert, err) = proc.communicate()
+            if proc.wait():
+                # pylint: disable=E1103
+                raise PluginExecutionError("SSLCA: Failed to generate cert: %s"
+                                           % err.splitlines()[-1])
+                # pylint: enable=E1103
+        finally:
+            try:
+                if req_config and os.path.exists(req_config):
+                    os.unlink(req_config)
+                if req and os.path.exists(req):
+                    os.unlink(req)
+            except OSError:
+                self.logger.error("SSLCA: Failed to unlink temporary files: %s"
+                                  % sys.exc_info()[1])
         if (self.cert_specs[entry.get('name')]['append_chain'] and
             self.CAs[ca]['chaincert']):
             cert += open(self.CAs[ca]['chaincert']).read()
@@ -269,7 +278,7 @@ class SSLCA(Bcfg2.Server.Plugin.GroupSpool):
         used to generate the required certificate request
         """
         # create temp request config file
-        conffile = open(tempfile.mkstemp()[1], 'w')
+        fh, fname = tempfile.mkstemp()
         cfp = ConfigParser.ConfigParser({})
         cfp.optionxform = str
         defaults = {
@@ -301,19 +310,28 @@ class SSLCA(Bcfg2.Server.Plugin.GroupSpool):
                 cfp.set('req_distinguished_name', item,
                         self.cert_specs[entry.get('name')][item])
         cfp.set('req_distinguished_name', 'CN', metadata.hostname)
-        cfp.write(conffile)
-        conffile.close()
-        return conffile.name
+        self.debug_log("SSLCA: Writing temporary request config to %s" % fname)
+        try:
+            cfp.write(os.fdopen(fh, 'w'))
+        except IOError:
+            raise PluginExecutionError("SSLCA: Failed to write temporary CSR "
+                                       "config file: %s" % sys.exc_info()[1])
+        return fname
 
     def build_request(self, key_filename, req_config, entry):
         """
         creates the certificate request
         """
-        req = tempfile.mkstemp()[1]
+        fh, req = tempfile.mkstemp()
+        os.close(fh)
         days = self.cert_specs[entry.get('name')]['days']
         key = self.data + key_filename
         cmd = ["openssl", "req", "-new", "-config", req_config,
                "-days", days, "-key", key, "-text", "-out", req]
         self.debug_log("SSLCA: Generating new CSR: %s" % " ".join(cmd))
-        Popen(cmd, stdout=PIPE).wait()
+        proc = Popen(cmd, stdout=PIPE, stderr=PIPE)
+        err = proc.communicate()[1]
+        if proc.wait():
+            raise PluginExecutionError("SSLCA: Failed to generate CSR: %s" %
+                                       err)
         return req
-- 
cgit v1.2.3-1-g7c22