From: Frank Brehm Date: Wed, 15 Feb 2017 14:17:59 +0000 (+0100) Subject: Changes in checking SSL certificate files. X-Git-Tag: 0.8.4~25 X-Git-Url: https://git.uhu-banane.net/?a=commitdiff_plain;h=9fa1d2ba2fd940304d7c33ca1d1fd8d9876159c1;p=pixelpark%2Fpuppetmaster-webhooks.git Changes in checking SSL certificate files. --- diff --git a/lib/webhooks/base_app.py b/lib/webhooks/base_app.py index 4f6b5f9..1ca90cf 100644 --- a/lib/webhooks/base_app.py +++ b/lib/webhooks/base_app.py @@ -17,6 +17,7 @@ import datetime import json import smtplib import argparse +import traceback from email.message import EmailMessage # Third party modules @@ -441,13 +442,6 @@ class BaseHookApp(object): self.data = sys.stdin.read() try: self.json_data = json.loads(self.data) - except Exception as e: - msg = "Got a {n} reading input data as JSON: {e}".format(n=e.__class__.__name__, e=e) - msg += "\nInput data: {!r}".format(self.data) - LOG.error(msg) - self.error_data.append(msg) - else: - if self.verbose > 1: LOG.debug("Got JSON data:\n{}".format(pp(self.json_data))) @@ -459,6 +453,11 @@ class BaseHookApp(object): msg += "\n\nTraceback:\n{}".format(traceback.format_exc()) self.error_data.append(msg) LOG.error(msg) + except Exception as e: + msg = "Got a {n} reading input data as JSON: {e}".format(n=e.__class__.__name__, e=e) + msg += "\nInput data: {!r}".format(self.data) + LOG.error(msg) + self.error_data.append(msg) finally: if self.full_name: self.send_error_msgs(self.full_name) diff --git a/lib/webhooks/r10k.py b/lib/webhooks/r10k.py index 0f6f0a1..976b707 100644 --- a/lib/webhooks/r10k.py +++ b/lib/webhooks/r10k.py @@ -18,6 +18,8 @@ import locale import ssl import pipes import subprocess +import urllib.parse +import traceback from http.client import HTTPSConnection 
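Review bot: With the `else:` removed, the `if self.verbose > 1: LOG.debug(...pp(self.json_data))` block now sits inside the `try`, so an exception raised while pretty-printing would be reported as "Got a ... reading input data as JSON" and appended to `error_data`; the moved `except Exception as e` also only stays reachable if the handler that precedes it (the one ending in the traceback message, whose `except` line is outside the hunk) is narrower than `Exception`. Catching the parser's own error type keeps the message truthful either way: `except ValueError as e:` (`json.JSONDecodeError` is a `ValueError`). The same message embeds the entire untrusted request body via `{!r}` and the `finally` block mails `error_data` through `send_error_msgs`, so a large or hostile payload lands verbatim in the log and in e-mail; consider truncating, e.g. `"\nInput data: {!r}".format(self.data[:1024])`. The enclosing method starts before this hunk.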
@@ -45,7 +47,6 @@ class R10kHookApp(BaseHookApp): def __init__(self, appname=None, verbose=0, version=__version__): """Constructor.""" - self.ignore_projects = [] self.r10k_bin = None self.description = textwrap.dedent('''\ Receives push events as JSON-Data and synchronizes @@ -54,6 +55,7 @@ class R10kHookApp(BaseHookApp): self.locale = 'de_DE.utf8' self.simulate = False + self.http_timeout = 30 self.puppetmaster_host = 'puppetmaster01.pixelpark.com' self.puppetmaster_api_port = 8140 @@ -144,6 +146,18 @@ class R10kHookApp(BaseHookApp): LOG.error("Puppetmaster SSL directory {!r} is not an absolute path name.".format( self.puppetmaster_ssl_dir)) sys.exit(10) + + pdir = os.path.dirname(self.puppetmaster_ssl_dir) + if not os.path.isdir(pdir): + LOG.error("Directory {!r} does not exists.".format(pdir)) + sys.exit(10) + + if not os.access(pdir, os.R_OK): + LOG.error(( + "Directory {!r} is read protected, " + "cannot check existence of cert files.").format(pdir)) + return + if not os.path.isdir(self.puppetmaster_ssl_dir): LOG.error("Puppetmaster SSL directory {!r} does not exists.".format( self.puppetmaster_ssl_dir)) @@ -172,21 +186,6 @@ class R10kHookApp(BaseHookApp): if 'simulate' in config: self.simulate = to_bool(config['simulate']) - if 'ignore_projects' in config: - if config['ignore_projects'] is None: - self.ignore_projects = [] - elif isinstance(config['ignore_projects'], str): - if config['ignore_projects']: - self.ignore_projects = [config['ignore_projects']] - elif isinstance(config['ignore_projects'], list): - self.ignore_projects = config['ignore_projects'] - - if 'add_ignore_projects' in config and config['add_ignore_projects']: - if isinstance(config['add_ignore_projects'], str): - self.ignore_projects.append(config['add_ignore_projects']) - elif isinstance(config['add_ignore_projects'], list): - self.ignore_projects += config['add_ignore_projects'] - if 'locale' in config and config['locale']: self.locale = config['locale'] 
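Review bot: `self.http_timeout = 30` is added as an instance attribute, but the configuration-loading hunk further down (the one handling `simulate` and `locale`) reads no `http_timeout` key, so the value appears to be fixed at 30 seconds unless it is parsed somewhere outside this diff. Since `run()` passes it straight into `HTTPSConnection(..., timeout=self.http_timeout)`, it is worth making it configurable next to `simulate`: `if 'http_timeout' in config and config['http_timeout']:` / `self.http_timeout = int(config['http_timeout'])`. The constructor continues outside the hunk.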
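Review bot: The `os.access(pdir, os.R_OK)` check in the new block tests the wrong permission bit: the `os.path.isdir(self.puppetmaster_ssl_dir)` that follows needs search permission on the parent directory, not read permission, so a parent mode of `--x` is reported as "read protected" while an `r--` parent passes the check and the isdir call then fails with the misleading "does not exists" message; use `if not os.access(pdir, os.X_OK):`. The early `return` on that branch also appears to let the hook carry on with unchecked cert and key paths while every other failure in this block calls `sys.exit(10)`; unless continuing is intended, `sys.exit(10)` there keeps the behaviour consistent. Note too that `os.path.dirname()` returns the directory itself when `puppetmaster_ssl_dir` carries a trailing slash, so the parent check silently becomes a self check in that case. The enclosing method starts before this hunk.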
@@ -212,10 +211,6 @@ class R10kHookApp(BaseHookApp): if not super(R10kHookApp, self).pre_run(): return False - if self.full_name in self.ignore_projects or self.name in self.ignore_projects: - LOG.info("Ignoring project {!r}.".format(self.full_name)) - return False - cur_loc = locale.getlocale() cur_lang = os.environ.get('LANG', None) if self.verbose > 1: 
@@ -232,13 +227,54 @@ class R10kHookApp(BaseHookApp): def run(self): """Main routine.""" - LOG.info("Starting {} ...".format(self.appname)) - if not self.exec_r10k(): + LOG.warn("Executing {!r} was not successful.".format(self.r10k_bin)) return - ssl_context = ssl.SSLContext() - ssl_context.verify_mode = ssl.CERT_NONE + ssl_context = None + try: + ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1) + except Exception as e: + LOG.error("Got a {c}: {e}".format(c=e.__class__.__name__, e=e)) + else: + ssl_context.verify_mode = ssl.CERT_NONE + ssl_context.check_hostname = False + + key_file = os.path.join( + self.puppetmaster_ssl_dir, 'private_keys', self.puppetmaster_host + '.pem') + cert_file = os.path.join( + self.puppetmaster_ssl_dir, 'certs', self.puppetmaster_host + '.pem') + + LOG.debug("Creating connection to https://{h}:{p} ...".format( + h=self.puppetmaster_host, p=self.puppetmaster_api_port)) + conn = HTTPSConnection( + self.puppetmaster_host, self.puppetmaster_api_port, + key_file=key_file, cert_file=cert_file, timeout=self.http_timeout, + context=ssl_context) + if self.verbose > 1: + LOG.debug("HTTPS connection object: {!r}".format(conn)) + + path = ( + self.puppetmaster_api_path + '/environment-cache?environment=' + + urllib.parse.quote(self.ref)) + url = 'https://{h}:{po}{pa}'.format( + h=self.puppetmaster_host, po=self.puppetmaster_api_port, pa=path) + LOG.info("Requesting DELETE from {} ...".format(url)) + + if self.simulate: + LOG.info("Simulation mode, don't requesting {}.".format(url)) + return + + conn.request('DELETE', path) + response = conn.getresponse() + + LOG.info("Response: {s} {r}".format(s=response.status, r=response.reason)) + if response.status != 200: + msg = 'Error on clearing Puppet cache:' + self.error_data.append(msg) + LOG.error(msg) + + return # ------------------------------------------------------------------------- def exec_r10k(self): diff --git a/r10k-hook.yaml b/r10k-hook.yaml index aecbeec..40ca9b7 100644 --- a/r10k-hook.yaml 
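Review bot: The rewritten `run()` still talks to the puppetmaster API with server verification switched off — `verify_mode = ssl.CERT_NONE` is carried over and `check_hostname = False` is new — and now pins the context to `ssl.PROTOCOL_TLSv1`, i.e. TLS 1.0 only. The request presents the puppetmaster's own key from `private_keys/<host>.pem` as client credential, so an on-path attacker who can answer for `puppetmaster_host` completes a client-authenticated handshake and can swallow or redirect the cache-clear DELETE, and a TLS-1.0-only client will be refused by any server that has retired that protocol. The Puppet ssldir layout used for the cert and key normally keeps the CA certificate alongside them (presumably `certs/ca.pem` under `puppetmaster_ssl_dir` — confirm); with that file `ssl.create_default_context(cafile=...)` plus `load_cert_chain()` gives verification and a current protocol selection, and a failure to build the context should abort rather than fall through to the request with `context=None`. While here, the non-200 branch records only `'Error on clearing Puppet cache:'` with nothing after the colon, the response body is never read and the connection never closed, and `LOG.warn` is deprecated in favour of `LOG.warning`. `run()` ends inside the hunk; `exec_r10k` after it is cut off.
```python
        key_file = os.path.join(
            self.puppetmaster_ssl_dir, 'private_keys', self.puppetmaster_host + '.pem')
        cert_file = os.path.join(
            self.puppetmaster_ssl_dir, 'certs', self.puppetmaster_host + '.pem')
        # CA that issued the puppetmaster certificate; Puppet keeps it in the
        # same ssldir (confirm the exact path for this installation).
        ca_file = os.path.join(self.puppetmaster_ssl_dir, 'certs', 'ca.pem')

        try:
            # Verifies server certificate and hostname against the Puppet CA and
            # lets OpenSSL negotiate the newest protocol both sides support.
            ssl_context = ssl.create_default_context(cafile=ca_file)
            ssl_context.load_cert_chain(certfile=cert_file, keyfile=key_file)
        except Exception as e:
            msg = "Got a {c} building the SSL context: {e}".format(c=e.__class__.__name__, e=e)
            self.error_data.append(msg)
            LOG.error(msg)
            return

        # … unchanged: "Creating connection" debug log …
        conn = HTTPSConnection(
            self.puppetmaster_host, self.puppetmaster_api_port,
            timeout=self.http_timeout, context=ssl_context)
        # … unchanged: path/url construction, verbose logging, simulate check …
        conn.request('DELETE', path)
        response = conn.getresponse()
        body = response.read()
        conn.close()

        LOG.info("Response: {s} {r}".format(s=response.status, r=response.reason))
        if response.status != 200:
            msg = 'Error on clearing Puppet cache: {s} {r}\n{b}'.format(
                s=response.status, r=response.reason, b=body.decode('utf-8', 'replace'))
            self.error_data.append(msg)
            LOG.error(msg)
```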
+++ b/r10k-hook.yaml @@ -1,4 +1,2 @@ --- -#add_ignore_projects: -# - nova - +simulate: False