f7d8281d
Commit
f7d8281d
authored
3 years ago
by
Vincent Pelletier
client: Close http connection after each request.
Make python3 resource leak detector happy.
parent
bd633a1e
Changes
3
Showing
3 changed files
with
85 additions
and
50 deletions
+85
-50
CHANGES.txt
CHANGES.txt
+4
-0
caucase/cli.py
caucase/cli.py
+59
-43
caucase/client.py
caucase/client.py
+22
-7
CHANGES.txt
0.9.10 (not released yet)
===================
* Add caucase.client.CaucaseClient.close method.
0.9.9 (2021-03-02)
==================
* Add AuthorityKeyIdentifier extension in CRLs.
...
...
caucase/cli.py
...
...
@@ -113,6 +113,18 @@ class CLICaucaseClient(object):
kw
.
setdefault
(
'file'
,
self
.
_stdout
)
print
(
*
args
,
**
kw
)
def
__enter__
(
self
):
return
self
def
__exit__
(
self
,
exc_type
,
exc_value
,
traceback
):
self
.
close
()
def
close
(
self
):
"""
Tell client to close any open connection.
"""
self
.
_client
.
close
()
def
putCSR
(
self
,
csr_path_list
):
"""
--send-csr
...
...
@@ -610,7 +622,7 @@ def main(argv=None, stdout=sys.stdout, stderr=sys.stderr):
if
args
.
update_user
or
args
.
mode
==
MODE_USER
:
updated
|=
CaucaseClient
.
updateCAFile
(
cau_url
,
args
.
user_ca_crt
)
client
=
CLICaucaseClient
(
with
CLICaucaseClient
(
client
=
CaucaseClient
(
ca_url
=
{
MODE_SERVICE
:
cas_url
,
...
...
@@ -621,37 +633,37 @@ def main(argv=None, stdout=sys.stdout, stderr=sys.stderr):
),
stdout
=
stdout
,
stderr
=
stderr
,
)
ca_list
=
[
utils
.
load_ca_certificate
(
x
)
for
x
in
utils
.
getCertList
({
MODE_SERVICE
:
args
.
ca_crt
,
MODE_USER
:
args
.
user_ca_crt
,
}[
args
.
mode
])
]
client
.
putCSR
(
args
.
send_csr
)
client
.
getCSR
(
args
.
get_csr
)
warning
,
error
=
client
.
getCRT
(
warning
,
error
,
args
.
get_crt
,
ca_list
)
error
=
client
.
revokeCRT
(
error
,
args
.
revoke_crt
)
updated
,
error
=
client
.
renewCRT
(
crt_key_list
=
args
.
renew_crt
,
renewal_deadline
=
datetime
.
datetime
.
utcnow
()
+
datetime
.
timedelta
(
args
.
threshold
,
0
,
),
key_len
=
args
.
key_len
,
ca_certificate_list
=
ca_list
,
updated
=
updated
,
error
=
error
,
)
client
.
signCSR
(
args
.
sign_csr
)
client
.
signCSRWith
(
args
.
sign_csr_with
)
client
.
rejectCSR
(
args
.
reject_csr
)
client
.
revokeOtherCRT
(
args
.
revoke_other_crt
)
client
.
revokeSerial
(
args
.
revoke_serial
)
# show latest CSR list status
if
args
.
list_csr
:
client
.
listCSR
(
args
.
mode
)
)
as
client
:
ca_list
=
[
utils
.
load_ca_certificate
(
x
)
for
x
in
utils
.
getCertList
({
MODE_SERVICE
:
args
.
ca_crt
,
MODE_USER
:
args
.
user_ca_crt
,
}[
args
.
mode
])
]
client
.
putCSR
(
args
.
send_csr
)
client
.
getCSR
(
args
.
get_csr
)
warning
,
error
=
client
.
getCRT
(
warning
,
error
,
args
.
get_crt
,
ca_list
)
error
=
client
.
revokeCRT
(
error
,
args
.
revoke_crt
)
updated
,
error
=
client
.
renewCRT
(
crt_key_list
=
args
.
renew_crt
,
renewal_deadline
=
datetime
.
datetime
.
utcnow
()
+
datetime
.
timedelta
(
args
.
threshold
,
0
,
),
key_len
=
args
.
key_len
,
ca_certificate_list
=
ca_list
,
updated
=
updated
,
error
=
error
,
)
client
.
signCSR
(
args
.
sign_csr
)
client
.
signCSRWith
(
args
.
sign_csr_with
)
client
.
rejectCSR
(
args
.
reject_csr
)
client
.
revokeOtherCRT
(
args
.
revoke_other_crt
)
client
.
revokeSerial
(
args
.
revoke_serial
)
# show latest CSR list status
if
args
.
list_csr
:
client
.
listCSR
(
args
.
mode
)
# update our CRL after all revocations we were requested
updated
|=
CaucaseClient
.
updateCRLFile
(
cas_url
,
args
.
crl
,
[
utils
.
load_ca_certificate
(
x
)
...
...
@@ -695,17 +707,16 @@ def probe(argv=None):
)
ca_url
,
=
parser
.
parse_args
(
argv
).
ca_url
cas_url
=
ca_url
+
'/cas'
http_client
=
CaucaseClient
(
ca_url
=
cas_url
,
)
http_ca_pem
=
http_client
.
getCACertificate
()
https_ca_pem
=
HTTPSOnlyCaucaseClient
(
ca_url
=
cas_url
,
ca_crt_pem_list
=
[
http_ca_pem
],
).
getCACertificate
()
# Retrieve again in case there was a renewal between both calls - we do
# not expect 2 renewals in very short succession.
http2_ca_pem
=
http_client
.
getCACertificate
()
with
CaucaseClient
(
ca_url
=
cas_url
)
as
http_client
:
http_ca_pem
=
http_client
.
getCACertificate
()
with
HTTPSOnlyCaucaseClient
(
ca_url
=
cas_url
,
ca_crt_pem_list
=
[
http_ca_pem
],
)
as
https_client
:
https_ca_pem
=
https_client
.
getCACertificate
()
# Retrieve again in case there was a renewal between both calls - we do
# not expect 2 renewals in very short succession.
http2_ca_pem
=
http_client
.
getCACertificate
()
if
https_ca_pem
not
in
(
http_ca_pem
,
http2_ca_pem
):
raise
ValueError
(
'http and https do not serve the same caucase database'
)
...
...
@@ -837,6 +848,7 @@ def updater(argv=None, until=utils.until):
'Will be maintained up-to-date.'
)
args
=
parser
.
parse_args
(
argv
)
client
=
None
try
:
cas_url
=
args
.
ca_url
+
'/cas'
ca_url
=
{
...
...
@@ -892,6 +904,7 @@ def updater(argv=None, until=utils.until):
cas_url
,
args
.
cas_ca
,
):
client
.
close
()
client
=
RetryingCaucaseClient
(
ca_url
=
ca_url
,
ca_crt_pem_list
=
utils
.
getCertList
(
args
.
cas_ca
)
...
...
@@ -962,6 +975,9 @@ def updater(argv=None, until=utils.until):
# Not intercepting KeyboardInterrupt so interrupting outside of
# interruptibleSleep shows where the script got interrupted.
pass
finally
:
if
client
is
not
None
:
client
.
close
()
def
rerequest
(
argv
=
None
):
"""
...
...
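Review bot: In the updater hunk at @@ -892, `client.close()` is called unguarded immediately before `client = RetryingCaucaseClient(...)`, while the new `finally` block at the end of updater guards the very same call with `if client is not None`. Because `client` is now initialised to `None` before the `try`, if the surrounding condition can be true before the first client has been created, this line raises AttributeError instead of (re)opening the connection; guarding it the same way, `if client is not None: client.close()`, is cheap and keeps the two sites consistent. The body of `updater` starts and ends outside these hunks, so whether that ordering is reachable cannot be confirmed from here. In `probe`, `http_client` is deliberately reused for the second fetch inside the nested `https_client` context, so both connections stay open until the inner block exits; a one-line comment there, `# http_client is still open: second fetch must use the same connection as the first`, would stop a future cleanup from flattening the nesting.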
caucase/client.py
...
...
@@ -88,8 +88,8 @@ class CaucaseClient(object):
"""
loaded_ca_pem_list
=
utils
.
getCertList
(
ca_crt_path
)
if
not
loaded_ca_pem_list
:
ca_pem
=
cls
(
ca_url
=
url
).
getCACertificate
()
utils
.
saveCertList
(
ca_crt_path
,
[
ca_pem
])
with
cls
(
ca_url
=
url
)
as
client
:
utils
.
saveCertList
(
ca_crt_path
,
[
client
.
getCACertificate
()
])
updated
=
True
# Note: reloading from file instead of using ca_pem, to exercise the
# same code path as future executions, to apply the same checks.
...
...
@@ -102,9 +102,8 @@ class CaucaseClient(object):
for
x
in
loaded_ca_pem_list
if
utils
.
load_ca_certificate
(
x
).
not_valid_after
>
now
]
ca_pem_list
.
extend
(
cls
(
ca_url
=
url
,
ca_crt_pem_list
=
ca_pem_list
).
getCACertificateChain
(),
)
with
cls
(
ca_url
=
url
,
ca_crt_pem_list
=
ca_pem_list
)
as
client
:
ca_pem_list
.
extend
(
client
.
getCACertificateChain
())
if
ca_pem_list
!=
loaded_ca_pem_list
:
utils
.
saveCertList
(
ca_crt_path
,
ca_pem_list
)
updated
=
True
...
...
@@ -143,8 +142,11 @@ class CaucaseClient(object):
updated
=
True
else
:
updated
=
len
(
local_crl_list
)
!=
len
(
local_crl_dict
)
server_crl_list
=
cls
(
ca_url
=
url
).
getCertificateRevocationListList
()
for
ca_key_id
,
crl_pem
in
_asCRLDict
(
crl_list
=
server_crl_list
).
iteritems
():
with
cls
(
ca_url
=
url
)
as
client
:
server_crl_list
=
client
.
getCertificateRevocationListList
()
for
ca_key_id
,
crl_pem
in
_asCRLDict
(
crl_pem_list
=
server_crl_list
,
).
iteritems
():
updated
|=
local_crl_dict
.
pop
(
ca_key_id
,
None
)
!=
crl_pem
updated
|=
bool
(
local_crl_dict
)
if
updated
:
...
...
@@ -221,6 +223,19 @@ class CaucaseClient(object):
def
_https
(
self
,
method
,
url
,
body
=
None
,
headers
=
None
):
return
self
.
_request
(
self
.
_https_connection
,
method
,
url
,
body
,
headers
)
def
__enter__
(
self
):
return
self
def
__exit__
(
self
,
exc_type
,
exc_value
,
traceback
):
self
.
close
()
def
close
(
self
):
"""
Close any open connection.
"""
self
.
_http_connection
.
close
()
self
.
_https_connection
.
close
()
def
getCertificateRevocationList
(
self
,
authority_key_identifier
):
"""
[ANONYMOUS] Retrieve latest CRL for given integer authority key
...
...
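Review bot: The `updateCRLFile` hunk at @@ -143 changes the keyword passed to `_asCRLDict` from `crl_list=` to `crl_pem_list=` alongside the connection-closing rewrite; if the old keyword was wrong this was a latent TypeError on every CRL refresh and deserves its own CHANGES.txt entry, and if it was merely a rename it is an unrelated change hidden under a "close http connection" title — either way the commit message should mention it. The new `close()` docstring `Close any open connection.` would help callers if it stated whether the client remains usable afterwards: `updater` re-creates the client after closing, which suggests a closed client is not meant to be reused, but `_request` is not visible here to confirm whether a later call would reconnect lazily. `_asCRLDict(...).iteritems()` is Python 2 dict API; given the commit targets a Python 3 leak detector, confirm that `_asCRLDict` returns an object providing `iteritems` on Python 3.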