From 7c7cbb4f89a927ce17bac401bb555601c9bbb3ca Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Aug 27 2012 22:21:25 +0000 Subject: notify on more events (#852222) Notify on CA-issued-certificate-and-we-saved-it. Notify on CA-issued-certificate-and-we-failed-to-save-it (and try again). Notify on CA-rejected-our-request. --- diff --git a/configure.ac b/configure.ac index 5b9d7ce..f0b7597 100644 --- a/configure.ac +++ b/configure.ac @@ -300,6 +300,10 @@ AC_DEFINE_UNQUOTED(CM_TMPDIR_ENV,"${CM_TMPDIR_ENV}",[Define to the default locat AC_SUBST(CM_TMPDIR) AC_SUBST(CM_TMPDIR_ENV) +CM_NOTIFICATION_ENV="${UPCASE_PACKAGE_NAME}_NOTIFICATION" +AC_DEFINE_UNQUOTED(CM_NOTIFICATION_ENV,"${CM_NOTIFICATION_ENV}",[Define to the variable name to be used to hold a notification message.]) +AC_SUBST(CM_NOTIFICATION_ENV) + SYSTEMD=no AC_ARG_ENABLE(systemd, AS_HELP_STRING([--enable-systemd],[install unit files for systemd]), diff --git a/doc/design.txt b/doc/design.txt index 11d6bf6..32fabc2 100644 --- a/doc/design.txt +++ b/doc/design.txt @@ -42,6 +42,12 @@ Now with some arbitrarily-named states for our per-certificate state machine: States: MONITORING * Notifying the admin of impending/passed expiration. States: NEED_TO_NOTIFY_VALIDITY, NOTIFYING_VALIDITY [*] + * Notifying the admin of CA rejection. + States: NEED_TO_NOTIFY_REJECTION, NOTIFYING_REJECTION [*] + * Notifying the admin of CA issued cert, but not saved. + States: NEED_TO_NOTIFY_ISSUED_FAILED, NOTIFYING_ISSUED_FAILED [*] + * Notifying the admin of CA issued cert, and saved. + States: NEED_TO_NOTIFY_ISSUED_SAVED, NOTIFYING_ISSUED_SAVED [*] * Waiting for user input States: NEED_GUIDANCE [*] * Getting our bearings @@ -225,7 +231,7 @@ State logic: state_next = MONITORING state_transition = now else - state_next = CA_REJECTED + state_next = CA_NEED_TO_NOTIFY_REJECTION state_transition = later elseif ca-is-unreachable store-ca-cookie 
@@ -285,6 +291,9 @@ State logic: if cert-save-completed state_next = NEED_TO_READ_CERT state_transition = now + else + state_next = NEED_TO_NOTIFY_ISSUED_FAILED + state_transition = now break NEED_TO_READ_CERT: @@ -309,7 +318,7 @@ State logic: state_next = POST_SAVED_CERT state_transition = now else - state_next = MONITORING + state_next = NEED_TO_NOTIFY_ISSUED_SAVED state_transition = now break @@ -319,8 +328,56 @@ State logic: state_transition = now else if post-save-completed - state_next = MONITORING + state_next = NEED_TO_NOTIFY_ISSUED_SAVED + state_transition = now + + NEED_TO_NOTIFY_REJECTION: + start-notifying + state_next = NOTIFYING_REJECTION + state_transition = now + break + + NOTIFYING_REJECTION: + if starting-up + state_next = NEED_TO_NOTIFY_REJECTION + state_transition = now + else + if notification-completed + state_next = CA_REJECTED + state_transition = now + break + + NEED_TO_NOTIFY_ISSUED_FAILED: + start-notifying + state_next = NOTIFYING_ISSUED_FAILED + state_transition = now + break + + NOTIFYING_ISSUED_FAILED: + if starting-up + state_next = NEED_TO_NOTIFY_ISSUED_FAILED + state_transition = now + else + if notification-completed + state_next = NEED_TO_SAVE_CERT + state_transition = soonish + break + + NEED_TO_NOTIFY_ISSUED_SAVED: + start-notifying + state_next = NOTIFYING_ISSUED_SAVED: + state_transition = now + break + + NOTIFYING_ISSUED_SAVED: + if starting-up + state_next = NEED_TO_NOTIFY_ISSUED_SAVED: + state_transition = now + else + if notification-completed + state_next = CA_MONITORING state_transition = now + break CA_REJECTED: state_transition = soon diff --git a/src/certmonger.conf.5.in b/src/certmonger.conf.5.in index f4302e7..f7acda7 100644 --- a/src/certmonger.conf.5.in +++ b/src/certmonger.conf.5.in 
@@ -31,6 +31,9 @@ of the \fIttls\fR setting. The default list of values is "@CM_DEFAULT_TTL_LIST@ This is the method by which \fIcertmonger\fP will notify the system administrator that a certificate will soon become invalid. The recognized values are \fIsyslog\fP, \fImail\fP, and \fIcommand\fP. The default is \fIsyslog\fP. +When sending mail, the notification message will be the mail message subject. +When invoking a command, the notification message will be available in the +"@CM_NOTIFICATION_ENV@" environment variable. .IP notification_destination This is the destination to which \fIcertmonger\fP will send notifications. It diff --git a/src/getcert.c b/src/getcert.c index 4ec0c7a..821f0cb 100644 --- a/src/getcert.c +++ b/src/getcert.c @@ -2221,6 +2221,12 @@ list(const char *argv0, int argc, char **argv) case CM_MONITORING: case CM_NEED_TO_NOTIFY_VALIDITY: case CM_NOTIFYING_VALIDITY: + case CM_NEED_TO_NOTIFY_REJECTION: + case CM_NOTIFYING_REJECTION: + case CM_NEED_TO_NOTIFY_ISSUED_FAILED: + case CM_NOTIFYING_ISSUED_FAILED: + case CM_NEED_TO_NOTIFY_ISSUED_SAVED: + case CM_NOTIFYING_ISSUED_SAVED: if (requests_only) { continue; } diff --git a/src/iterate.c b/src/iterate.c index 687bf06..8defaa6 100644 --- a/src/iterate.c +++ b/src/iterate.c @@ -124,7 +124,7 @@ cm_entry_reset_state(struct cm_store_entry *entry) case CM_SAVED_CERT: break; case CM_POST_SAVED_CERT: - entry->cm_state = CM_POST_SAVED_CERT; + entry->cm_state = CM_SAVED_CERT; break; case CM_CA_REJECTED: break; 
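Review bot: The `@@ -124,7 +124,7 @@` hunk of src/iterate.c turns `case CM_POST_SAVED_CERT:` from a self-assignment into a reset to CM_SAVED_CERT; that is a behavioural fix in cm_entry_reset_state() unrelated to the notification work and the commit message does not mention it, so it deserves a sentence there or its own commit. A comment on the case would also help the next reader, since the intent is only implied: `/* A post-save step that was in flight at shutdown is presumably restarted from SAVED_CERT. */` (whether SAVED_CERT re-runs the post-save hook is decided outside this hunk). cm_entry_reset_state() starts and ends outside the hunk.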
@@ -150,6 +150,21 @@ cm_entry_reset_state(struct cm_store_entry *entry) case CM_NOTIFYING_VALIDITY: entry->cm_state = CM_NEED_TO_NOTIFY_VALIDITY; break; + case CM_NEED_TO_NOTIFY_REJECTION: + break; + case CM_NOTIFYING_REJECTION: + entry->cm_state = CM_NEED_TO_NOTIFY_REJECTION; + break; + case CM_NEED_TO_NOTIFY_ISSUED_FAILED: + break; + case CM_NOTIFYING_ISSUED_FAILED: + entry->cm_state = CM_NEED_TO_NOTIFY_ISSUED_FAILED; + break; + case CM_NEED_TO_NOTIFY_ISSUED_SAVED: + break; + case CM_NOTIFYING_ISSUED_SAVED: + entry->cm_state = CM_NEED_TO_NOTIFY_ISSUED_SAVED; + break; case CM_NEWLY_ADDED: break; case CM_NEWLY_ADDED_START_READING_KEYINFO: @@ -690,7 +705,7 @@ cm_iterate(struct cm_store_entry *entry, struct cm_store_ca *ca, entry->cm_state = CM_MONITORING; *when = cm_time_soonish; } else { - entry->cm_state = CM_CA_REJECTED; + entry->cm_state = CM_NEED_TO_NOTIFY_REJECTION; *when = cm_time_now; } } else @@ -851,11 +866,12 @@ cm_iterate(struct cm_store_entry *entry, struct cm_store_ca *ca, entry->cm_state = CM_NEED_TO_READ_CERT; *when = cm_time_now; } else { - /* Failed to save cert; try again in a bit. */ + /* Failed to save cert; make a note and try + * again in a bit. */ cm_certsave_done(entry, state->cm_certsave_state); state->cm_certsave_state = NULL; - entry->cm_state = CM_NEED_TO_SAVE_CERT; + entry->cm_state = CM_NEED_TO_NOTIFY_ISSUED_FAILED; *when = cm_time_soonish; } } else { @@ -937,11 +953,11 @@ cm_iterate(struct cm_store_entry *entry, struct cm_store_ca *ca, } } else { /* Failed to start the post-save; skip it. */ - entry->cm_state = CM_MONITORING; + entry->cm_state = CM_NEED_TO_NOTIFY_ISSUED_SAVED; *when = cm_time_soon; } } else { - entry->cm_state = CM_MONITORING; + entry->cm_state = CM_NEED_TO_NOTIFY_ISSUED_SAVED; *when = cm_time_now; } break; 
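Review bot: In the `@@ -851,11 +866,12 @@` hunk every failed certificate save now passes through CM_NEED_TO_NOTIFY_ISSUED_FAILED before the retry, and the new CM_NOTIFYING_ISSUED_FAILED case later in this file returns to CM_NEED_TO_SAVE_CERT with cm_time_soonish, so a persistent save failure (an unwritable target, say) appears to produce one administrator notification per retry cycle with no suppression visible here. Consider notifying only on the first failure of a save attempt, for example a per-entry flag cleared when a save succeeds, or at least make the repetition explicit in the new comment: `/* Failed to save cert; notify the admin and try again in a bit (this repeats on every failed attempt). */`. Whether NEED_TO_SAVE_CERT leads straight back into this path cannot be seen from the hunk; cm_iterate() starts and ends outside it.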
@@ -950,7 +966,7 @@ cm_iterate(struct cm_store_entry *entry, struct cm_store_ca *ca,
 if (cm_hook_ready(entry, state->cm_hook_state) == 0) {
 cm_hook_done(entry, state->cm_hook_state);
 state->cm_hook_state = NULL;
- entry->cm_state = CM_MONITORING;
+ entry->cm_state = CM_NEED_TO_NOTIFY_ISSUED_SAVED;
 *when = cm_time_now;
 } else {
 /* Wait for status update, or poll. */
@@ -1066,6 +1082,118 @@ cm_iterate(struct cm_store_entry *entry, struct cm_store_ca *ca, } break; + case CM_NEED_TO_NOTIFY_REJECTION: + state->cm_notify_state = cm_notify_start(entry, + cm_notify_event_rejected); + if (state->cm_notify_state != NULL) { + entry->cm_state = CM_NOTIFYING_REJECTION; + /* Wait for status update, or poll. */ + *readfd = cm_notify_get_fd(entry, + state->cm_notify_state); + if (*readfd == -1) { + *when = cm_time_soon; + } else { + *when = cm_time_no_time; + } + } else { + /* Failed to start notifying; try again. */ + *when = cm_time_soonish; + } + break; + + case CM_NOTIFYING_REJECTION: + if (cm_notify_ready(entry, state->cm_notify_state) == 0) { + cm_notify_done(entry, state->cm_notify_state); + state->cm_notify_state = NULL; + entry->cm_state = CM_CA_REJECTED; + *when = cm_time_soon; + } else { + /* Wait for status update, or poll. */ + *readfd = cm_notify_get_fd(entry, + state->cm_notify_state); + if (*readfd == -1) { + *when = cm_time_soon; + } else { + *when = cm_time_no_time; + } + } + break; + + case CM_NEED_TO_NOTIFY_ISSUED_FAILED: + state->cm_notify_state = cm_notify_start(entry, + cm_notify_event_issued_not_saved); + if (state->cm_notify_state != NULL) { + entry->cm_state = CM_NOTIFYING_ISSUED_FAILED; + /* Wait for status update, or poll. */ + *readfd = cm_notify_get_fd(entry, + state->cm_notify_state); + if (*readfd == -1) { + *when = cm_time_soon; + } else { + *when = cm_time_no_time; + } + } else { + /* Failed to start notifying; try again. */ + *when = cm_time_soonish; + } + break; + + case CM_NOTIFYING_ISSUED_FAILED: + if (cm_notify_ready(entry, state->cm_notify_state) == 0) { + cm_notify_done(entry, state->cm_notify_state); + state->cm_notify_state = NULL; + entry->cm_state = CM_NEED_TO_SAVE_CERT; + *when = cm_time_soonish; + } else { + /* Wait for status update, or poll. 
*/ + *readfd = cm_notify_get_fd(entry, + state->cm_notify_state); + if (*readfd == -1) { + *when = cm_time_soon; + } else { + *when = cm_time_no_time; + } + } + break; + + case CM_NEED_TO_NOTIFY_ISSUED_SAVED: + state->cm_notify_state = cm_notify_start(entry, + cm_notify_event_issued_and_saved); + if (state->cm_notify_state != NULL) { + entry->cm_state = CM_NOTIFYING_ISSUED_SAVED; + /* Wait for status update, or poll. */ + *readfd = cm_notify_get_fd(entry, + state->cm_notify_state); + if (*readfd == -1) { + *when = cm_time_soon; + } else { + *when = cm_time_no_time; + } + } else { + /* Failed to start notifying; try again. */ + *when = cm_time_soonish; + } + break; + + case CM_NOTIFYING_ISSUED_SAVED: + if (cm_notify_ready(entry, state->cm_notify_state) == 0) { + cm_notify_done(entry, state->cm_notify_state); + state->cm_notify_state = NULL; + entry->cm_state = CM_MONITORING; + *when = cm_time_soon; + } else { + /* Wait for status update, or poll. */ + *readfd = cm_notify_get_fd(entry, + state->cm_notify_state); + if (*readfd == -1) { + *when = cm_time_soon; + } else { + *when = cm_time_no_time; + } + } + break; + + case CM_NEWLY_ADDED: /* We need to do some recon, and then decide what we need to * do to make things the way the user has specified that they diff --git a/src/notify.c b/src/notify.c index 7e83881..01117b0 100644 --- a/src/notify.c +++ b/src/notify.c @@ -110,7 +110,7 @@ cm_notify_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, "in token \"%s\" " "in database \"%s\" " "will not be valid " - "after %s.\n", + "after %s.", entry->cm_cert_nickname, entry->cm_cert_token, entry->cm_cert_storage_location, @@ -120,7 +120,7 @@ cm_notify_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, "named \"%s\" " "in database \"%s\" " "will expire at " - "%s.\n", + "%s.", entry->cm_cert_nickname, entry->cm_cert_storage_location, cm_store_timestamp_from_time(entry->cm_cert_not_after, t)); 
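Review bot: The six new cases in the `@@ -1066,6 +1082,118 @@` hunk repeat the same readiness/polling selection verbatim (`*readfd = cm_notify_get_fd(entry, state->cm_notify_state); if (*readfd == -1) *when = cm_time_soon; else *when = cm_time_no_time;`), presumably the same code the existing CM_NOTIFYING_VALIDITY case already carries; a small static helper taking entry, state, readfd and when would cut this hunk to roughly a third and keep the three notification flows from drifting apart. The completion delays here (cm_time_soon after CM_NOTIFYING_REJECTION and CM_NOTIFYING_ISSUED_SAVED) also differ from the `now` written for the same transitions in this commit's doc/design.txt hunk, and that pseudocode has stray colons after `NOTIFYING_ISSUED_SAVED` and uses `CA_MONITORING`/`CA_NEED_TO_NOTIFY_REJECTION` where the code uses CM_MONITORING/CM_NEED_TO_NOTIFY_REJECTION, so one of the two should be aligned. cm_iterate() starts and ends outside the hunk.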
@@ -129,7 +129,7 @@ cm_notify_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
 case cm_cert_storage_file:
 message = talloc_asprintf(entry, "Certificate "
 "in file \"%s\" will not be "
- "valid after %s.\n",
+ "valid after %s.",
 entry->cm_cert_storage_location,
 cm_store_timestamp_from_time(entry->cm_cert_not_after, t));
 break;
@@ -164,6 +164,94 @@ cm_notify_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, } } break; + case cm_notify_event_rejected: + switch (entry->cm_cert_storage_type) { + case cm_cert_storage_nssdb: + if (entry->cm_cert_token != NULL) { + message = talloc_asprintf(entry, "Request for " + "certificate to be " + "named \"%s\" " + "in token \"%s\" " + "in database \"%s\" " + "rejected by CA.", + entry->cm_cert_nickname, + entry->cm_cert_token, + entry->cm_cert_storage_location); + } else { + message = talloc_asprintf(entry, "Request for " + "certificate to be " + "named \"%s\" " + "in database \"%s\" " + "rejected by CA.", + entry->cm_cert_nickname, + entry->cm_cert_storage_location); + } + break; + case cm_cert_storage_file: + message = talloc_asprintf(entry, "Request for certificate to be " + "stored in file \"%s\" rejected by CA.", + entry->cm_cert_storage_location); + break; + } + break; + case cm_notify_event_issued_not_saved: + switch (entry->cm_cert_storage_type) { + case cm_cert_storage_nssdb: + if (entry->cm_cert_token != NULL) { + message = talloc_asprintf(entry, "Certificate " + "named \"%s\" " + "in token \"%s\" " + "in database \"%s\" " + "issued by CA but not saved.", + entry->cm_cert_nickname, + entry->cm_cert_token, + entry->cm_cert_storage_location); + } else { + message = talloc_asprintf(entry, "Certificate " + "named \"%s\" " + "in database \"%s\" " + "issued by CA but not saved.", + entry->cm_cert_nickname, + entry->cm_cert_storage_location); + } + break; + case cm_cert_storage_file: + message = talloc_asprintf(entry, "Certificate " + "in file \"%s\" " + "issued by CA but not saved.", + entry->cm_cert_storage_location); + break; + } + break; + case cm_notify_event_issued_and_saved: + switch (entry->cm_cert_storage_type) { + case cm_cert_storage_nssdb: + if (entry->cm_cert_token != NULL) { + message = talloc_asprintf(entry, "Certificate " + "named \"%s\" " + "in token \"%s\" " + "in database \"%s\" " + "issued by CA and saved.", + 
entry->cm_cert_nickname, + entry->cm_cert_token, + entry->cm_cert_storage_location); + } else { + message = talloc_asprintf(entry, "Certificate " + "named \"%s\" " + "in database \"%s\" " + "issued by CA and saved.", + entry->cm_cert_nickname, + entry->cm_cert_storage_location); + } + break; + case cm_cert_storage_file: + message = talloc_asprintf(entry, "Certificate " + "in file \"%s\" " + "issued by CA and saved.", + entry->cm_cert_storage_location); + break; + } + break; } method = entry->cm_notification_method; if (method == cm_notification_unspecified) { @@ -232,6 +320,7 @@ cm_notify_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry, } cm_log(1, "Running notification helper \"%s\".\n", argv[0]); cm_subproc_mark_most_cloexec(entry, -1); + setenv(CM_NOTIFICATION_ENV, message, 1); if (execvp(argv[0], argv) == -1) { cm_log(0, "Error execvp()ing command \"%s\" (\"%s\"): %s.\n", argv[0], entry->cm_post_certsave_command, diff --git a/src/notify.h b/src/notify.h index 173da94..71ee1d6 100644 --- a/src/notify.h +++ b/src/notify.h @@ -23,7 +23,10 @@ struct cm_notify_state; enum cm_notify_event { cm_notify_event_unknown = 0, - cm_notify_event_validity_ending + cm_notify_event_validity_ending, + cm_notify_event_rejected, + cm_notify_event_issued_not_saved, + cm_notify_event_issued_and_saved }; /* Start to notify the administrator or user that expiration is imminent. */ diff --git a/src/store-gen.c b/src/store-gen.c index 89606dc..66d5fdb 100644 --- a/src/store-gen.c +++ b/src/store-gen.c 
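Review bot: `setenv(CM_NOTIFICATION_ENV, message, 1);` in the `@@ -232,6 +320,7 @@` hunk can be reached with `message` still NULL: the three new `switch (entry->cm_cert_storage_type)` blocks in the `@@ -164,6 +164,94 @@` hunk have no default arm, cm_notify_event_unknown sets nothing, and talloc_asprintf() can fail, while POSIX leaves setenv() with a NULL value unspecified. Guard it and do not ignore the result, since the environment is the only channel the command gets the message through: `if (message != NULL && setenv(CM_NOTIFICATION_ENV, message, 1) != 0) { cm_log(0, "Error setting %s in the environment.\n", CM_NOTIFICATION_ENV); }`. Whether a NULL message is already rejected earlier in cm_notify_main() cannot be seen from these hunks; the function starts and ends outside them.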
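Review bot: The comment right after the enum in src/notify.h, `/* Start to notify the administrator or user that expiration is imminent. */`, now describes only one of the four events and should cover the new ones, e.g. `/* Start to notify the administrator or user about an event: impending expiration, CA rejection, or an issued certificate that was or was not saved. */`. A one-line comment per enumerator would also help, because the difference between cm_notify_event_issued_not_saved (the save is retried afterwards) and cm_notify_event_issued_and_saved is only visible in src/iterate.c.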
@@ -66,6 +66,12 @@ static struct { {"MONITORING", CM_MONITORING}, {"NEED_TO_NOTIFY_VALIDITY", CM_NEED_TO_NOTIFY_VALIDITY}, {"NOTIFYING_VALIDITY", CM_NOTIFYING_VALIDITY}, + {"NEED_TO_NOTIFY_REJECTION", CM_NEED_TO_NOTIFY_REJECTION}, + {"NOTIFYING_REJECTION", CM_NOTIFYING_REJECTION}, + {"NEED_TO_NOTIFY_ISSUED_FAILED", CM_NEED_TO_NOTIFY_ISSUED_FAILED}, + {"NOTIFYING_ISSUED_FAILED", CM_NOTIFYING_ISSUED_FAILED}, + {"NEED_TO_NOTIFY_ISSUED_SAVED", CM_NEED_TO_NOTIFY_ISSUED_SAVED}, + {"NOTIFYING_ISSUED_SAVED", CM_NOTIFYING_ISSUED_SAVED}, {"NEED_GUIDANCE", CM_NEED_GUIDANCE}, {"NEWLY_ADDED", CM_NEWLY_ADDED}, {"NEWLY_ADDED_START_READING_KEYINFO", CM_NEWLY_ADDED_START_READING_KEYINFO}, diff --git a/src/store-int.h b/src/store-int.h index 18661fa..243659b 100644 --- a/src/store-int.h +++ b/src/store-int.h @@ -121,6 +121,9 @@ struct cm_store_entry { CM_SAVED_CERT, CM_POST_SAVED_CERT, CM_MONITORING, CM_NEED_TO_NOTIFY_VALIDITY, CM_NOTIFYING_VALIDITY, + CM_NEED_TO_NOTIFY_REJECTION, CM_NOTIFYING_REJECTION, + CM_NEED_TO_NOTIFY_ISSUED_FAILED, CM_NOTIFYING_ISSUED_FAILED, + CM_NEED_TO_NOTIFY_ISSUED_SAVED, CM_NOTIFYING_ISSUED_SAVED, CM_NEED_GUIDANCE, CM_NEWLY_ADDED, CM_NEWLY_ADDED_START_READING_KEYINFO, diff --git a/src/tdbush.c b/src/tdbush.c index 8c93eca..2537bc4 100644 --- a/src/tdbush.c +++ b/src/tdbush.c @@ -2947,6 +2947,12 @@ request_prop_get_stuck(struct cm_context *ctx, void *parent, case CM_MONITORING: case CM_NEED_TO_NOTIFY_VALIDITY: case CM_NOTIFYING_VALIDITY: + case CM_NEED_TO_NOTIFY_REJECTION: + case CM_NOTIFYING_REJECTION: + case CM_NEED_TO_NOTIFY_ISSUED_FAILED: + case CM_NOTIFYING_ISSUED_FAILED: + case CM_NEED_TO_NOTIFY_ISSUED_SAVED: + case CM_NOTIFYING_ISSUED_SAVED: case CM_NEWLY_ADDED: case CM_NEWLY_ADDED_START_READING_KEYINFO: case CM_NEWLY_ADDED_READING_KEYINFO: diff --git a/tests/010-iterate/expected.out b/tests/010-iterate/expected.out index d1afbc2..ed06d4c 100644 --- a/tests/010-iterate/expected.out +++ b/tests/010-iterate/expected.out 
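Review bot: The six new case labels in request_prop_get_stuck() join CM_MONITORING and the NOTIFYING_VALIDITY states, but what that group answers is decided outside the hunk; if it is the "not stuck" group, an entry that cycles CM_NEED_TO_SAVE_CERT → CM_NEED_TO_NOTIFY_ISSUED_FAILED → CM_NOTIFYING_ISSUED_FAILED → CM_NEED_TO_SAVE_CERT on a persistently failing save (the transitions this commit adds to src/iterate.c) would never be reported stuck although it makes no progress. Worth confirming which answer the ISSUED_FAILED pair should give, and a short comment on the group saying why notification states are treated as healthy: `/* Notification states are transient and lead back to a progressing state. */`. request_prop_get_stuck() starts and ends outside the hunk.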
@@ -39,6 +39,9 @@ SAVING_CERT NEED_TO_READ_CERT READING_CERT SAVED_CERT +NEED_TO_NOTIFY_ISSUED_SAVED +NOTIFYING_ISSUED_SAVED +Certificate in file "$tmpdir/certfile" issued by CA and saved. MONITORING -STOP- @@ -104,6 +107,9 @@ SAVING_CERT NEED_TO_READ_CERT READING_CERT SAVED_CERT +NEED_TO_NOTIFY_ISSUED_SAVED +NOTIFYING_ISSUED_SAVED +Certificate in file "$tmpdir/certfile2" issued by CA and saved. MONITORING -STOP- notBefore=Jan 1 00:00:00 1970 GMT @@ -114,8 +120,8 @@ notBefore=Jan 1 00:00:00 1970 GMT notAfter=Jan 2 00:00:00 1970 GMT MONITORING -START- -NEED_TO_NOTIFY -NOTIFYING +NEED_TO_NOTIFY_VALIDITY +NOTIFYING_VALIDITY Certificate in file "$tmpdir/certfile2" is no longer valid. delay=86400 MONITORING @@ -126,8 +132,8 @@ notBefore=Jan 1 00:00:00 1970 GMT notAfter=Jan 2 00:00:00 1970 GMT MONITORING -START- -NEED_TO_NOTIFY -NOTIFYING +NEED_TO_NOTIFY_VALIDITY +NOTIFYING_VALIDITY Certificate in file "$tmpdir/certfile2" is no longer valid. NEED_CSR -STOP- @@ -197,6 +203,12 @@ HAVE_CSR -START- NEED_TO_SUBMIT SUBMITTING +NEED_TO_NOTIFY_REJECTION +-STOP- +NEED_TO_NOTIFY_REJECTION +-START- +NOTIFYING_REJECTION +Request for certificate to be stored in file "$tmpdir/certfile3" rejected by CA. CA_REJECTED -STOP- CA_REJECTED @@ -682,6 +694,8 @@ SAVING_CERT NEED_TO_READ_CERT READING_CERT SAVED_CERT +NEED_TO_NOTIFY_ISSUED_SAVED +NOTIFYING_ISSUED_SAVED MONITORING -STOP- @@ -701,6 +715,8 @@ SAVING_CERT NEED_TO_READ_CERT READING_CERT SAVED_CERT +NEED_TO_NOTIFY_ISSUED_SAVED +NOTIFYING_ISSUED_SAVED MONITORING -STOP- @@ -709,8 +725,8 @@ notBefore=Jan 1 00:00:00 1970 GMT notAfter=Jan 1 00:00:00 1971 GMT MONITORING -START- -NEED_TO_NOTIFY -NOTIFYING +NEED_TO_NOTIFY_VALIDITY +NOTIFYING_VALIDITY delay=86400 MONITORING -STOP- @@ -720,8 +736,8 @@ notBefore=Jan 1 00:00:00 1970 GMT notAfter=Jan 1 00:00:00 1971 GMT MONITORING -START- -NEED_TO_NOTIFY -NOTIFYING +NEED_TO_NOTIFY_VALIDITY +NOTIFYING_VALIDITY NEED_CSR GENERATING_CSR HAVE_CSR 
@@ -733,8 +749,11 @@ SAVING_CERT NEED_TO_READ_CERT READING_CERT SAVED_CERT +NEED_TO_NOTIFY_ISSUED_SAVED +NOTIFYING_ISSUED_SAVED MONITORING -STOP- -The sky is falling. +The sky is falling: Certificate in file "$tmpdir/certfile10" is no longer valid. +The sky is falling: Certificate in file "$tmpdir/certfile10" issued by CA and saved. Test complete. diff --git a/tests/010-iterate/run.sh b/tests/010-iterate/run.sh index c11f96a..ac37c38 100755 --- a/tests/010-iterate/run.sh +++ b/tests/010-iterate/run.sh @@ -55,6 +55,7 @@ key_storage_type=FILE key_storage_location=$tmpdir/keyfile cert_storage_type=FILE cert_storage_location=$tmpdir/certfile +notification_method=STDOUT EOF # These cover parts of the process, forcing it to stop if any phase needs # to be tried again, so that we don't hit infinite loops. @@ -96,7 +97,7 @@ fi echo echo '[Saving certificate.]' -$toolsdir/iterate ca entry START_SAVING_CERT,SAVING_CERT,NEED_TO_READ_CERT,READING_CERT,SAVED_CERT +$toolsdir/iterate ca entry START_SAVING_CERT,SAVING_CERT,NEED_TO_READ_CERT,READING_CERT,NEED_TO_NOTIFY_ISSUED_SAVED,NOTIFYING_ISSUED_SAVED,SAVED_CERT | sed 's@'"$tmpdir"'@$tmpdir@g' if test "`grep ^state entry`" != state=MONITORING ; then echo Saving failed or did not move to monitoring. grep ^state entry @@ -115,6 +116,7 @@ key_storage_type=FILE key_storage_location=$tmpdir/keyfile2 cert_storage_type=FILE cert_storage_location=$tmpdir/certfile2 +notification_method=STDOUT EOF $toolsdir/iterate ca entry NEWLY_ADDED,NEWLY_ADDED_START_READING_KEYINFO,NEWLY_ADDED_READING_KEYINFO,NEWLY_ADDED_START_READING_CERT,NEWLY_ADDED_READING_CERT,NEWLY_ADDED_DECIDING if test "`grep ^state entry`" != state=NEED_KEY_PAIR ; then 
@@ -133,6 +135,7 @@ key_storage_type=FILE key_storage_location=$tmpdir/keyfile cert_storage_type=FILE cert_storage_location=$tmpdir/certfile2 +notification_method=STDOUT EOF $toolsdir/iterate ca entry NEWLY_ADDED,NEWLY_ADDED_START_READING_KEYINFO,NEWLY_ADDED_READING_KEYINFO,NEWLY_ADDED_START_READING_CERT,NEWLY_ADDED_READING_CERT,NEWLY_ADDED_DECIDING if test "`grep ^state entry`" != state=NEED_CSR; then @@ -150,6 +153,7 @@ key_storage_type=FILE key_storage_location=$tmpdir/keyfile cert_storage_type=FILE cert_storage_location=$tmpdir/certfile +notification_method=STDOUT EOF $toolsdir/iterate ca entry NEWLY_ADDED,NEWLY_ADDED_START_READING_KEYINFO,NEWLY_ADDED_READING_KEYINFO,NEWLY_ADDED_START_READING_CERT,NEWLY_ADDED_READING_CERT,NEWLY_ADDED_DECIDING if test "`grep ^state entry`" != state=MONITORING ; then @@ -180,12 +184,12 @@ EOF $toolsdir/iterate ca2 entry2 NEED_KEYINFO,READING_KEYINFO,HAVE_KEYINFO $toolsdir/iterate ca2 entry2 NEED_CSR,GENERATING_CSR $toolsdir/iterate ca2 entry2 NEED_TO_SUBMIT,SUBMITTING -$toolsdir/iterate ca2 entry2 START_SAVING_CERT,SAVING_CERT,NEED_TO_READ_CERT,READING_CERT,SAVED_CERT +$toolsdir/iterate ca2 entry2 START_SAVING_CERT,SAVING_CERT,NEED_TO_READ_CERT,READING_CERT,NEED_TO_NOTIFY_ISSUED_SAVED,NOTIFYING_ISSUED_SAVED,SAVED_CERT | sed 's@'"$tmpdir"'@$tmpdir@g' openssl x509 -noout -startdate -enddate -in $tmpdir/certfile2 echo echo '[Noticing expiration.]' openssl x509 -noout -startdate -enddate -in $tmpdir/certfile2 -$toolsdir/iterate ca entry2 NEED_TO_NOTIFY,NOTIFYING | sed 's@'"$tmpdir"'@$tmpdir@g' +$toolsdir/iterate ca entry2 NEED_TO_NOTIFY_VALIDITY,NOTIFYING_VALIDITY | sed 's@'"$tmpdir"'@$tmpdir@g' echo echo '[Kicking off autorenew.]' 
@@ -202,7 +206,7 @@ autorenew=1 notification_method=STDOUT EOF openssl x509 -noout -startdate -enddate -in $tmpdir/certfile2 -$toolsdir/iterate ca entry2 MONITORING,NEED_TO_NOTIFY,NOTIFYING | sed 's@'"$tmpdir"'@$tmpdir@g' +$toolsdir/iterate ca entry2 MONITORING,NEED_TO_NOTIFY_VALIDITY,NOTIFYING_VALIDITY | sed 's@'"$tmpdir"'@$tmpdir@g' echo echo '[Enroll until we notice we have no specified CA.]' @@ -211,6 +215,7 @@ id=Test state=HAVE_KEY_PAIR key_storage_type=FILE key_storage_location=$tmpdir/keyfile +notification_method=STDOUT EOF cat > ca3 << EOF id=Meanie @@ -229,6 +234,7 @@ ca_name=Busy state=HAVE_KEY_PAIR key_storage_type=FILE key_storage_location=$tmpdir/keyfile +notification_method=STDOUT EOF cat > ca4 << EOF id=Busy @@ -249,6 +255,9 @@ ca_name=Meanie state=HAVE_KEY_PAIR key_storage_type=FILE key_storage_location=$tmpdir/keyfile +cert_storage_type=FILE +cert_storage_location=$tmpdir/certfile3 +notification_method=STDOUT EOF cat > ca5 << EOF id=Meanie @@ -258,7 +267,8 @@ EOF $toolsdir/iterate ca5 entry5 NEED_KEYINFO,READING_KEYINFO,HAVE_KEYINFO $toolsdir/iterate ca5 entry5 NEED_CSR,GENERATING_CSR $toolsdir/iterate ca5 entry5 NEED_TO_SUBMIT,SUBMITTING -$toolsdir/iterate ca5 entry5 "" +$toolsdir/iterate ca5 entry5 NEED_TO_NOTIFY_REJECTION,NOTIFYING_REJECTION | sed 's@'"$tmpdir"'@$tmpdir@g' +$toolsdir/iterate ca5 entry5 "" | sed 's@'"$tmpdir"'@$tmpdir@g' echo echo '[Enroll until the CA turns out to be unreachable.]' @@ -268,6 +278,7 @@ ca_name=Lostie state=HAVE_KEY_PAIR key_storage_type=FILE key_storage_location=$tmpdir/keyfile +notification_method=STDOUT EOF cat > ca6 << EOF id=Lostie @@ -287,6 +298,7 @@ ca_name=Lostie state=HAVE_KEY_PAIR key_storage_type=FILE key_storage_location=$tmpdir/keyfile +notification_method=STDOUT EOF cat > ca7 << EOF id=Lostie @@ -306,6 +318,7 @@ ca_name=Busy state=HAVE_KEY_PAIR key_storage_type=FILE key_storage_location=$tmpdir/keyfile +notification_method=STDOUT EOF cat > ca8 << EOF id=Busy 
@@ -326,6 +339,7 @@ ca_name=Confused state=HAVE_KEY_PAIR key_storage_type=FILE key_storage_location=$tmpdir/keyfile +notification_method=STDOUT EOF cat > ca9 << EOF id=Confused @@ -351,6 +365,7 @@ for interval in 0 30 1800 3600 7200 86000 86500 604800 1000000 2000000; do state=HAVE_CSR cert_not_after=$later csr=AAAA + notification_method=STDOUT EOF cat > ca9 <<- EOF id=Lostie @@ -367,6 +382,7 @@ for interval in 0 30 1800 3600 7200 86000 86500 604800 1000000 2000000; do state=MONITORING cert_not_after=$later csr=AAAA + notification_method=STDOUT EOF cat > ca9 <<- EOF id=Lostie @@ -401,7 +417,7 @@ $toolsdir/iterate ca10 entry10 NEWLY_ADDED_START_READING_KEYINFO,NEWLY_ADDED_REA $toolsdir/iterate ca10 entry10 NEED_KEY_PAIR,GENERATING_KEY_PAIR,HAVE_KEY_PAIR,NEED_KEYINFO,READING_KEYINFO,HAVE_KEYINFO $toolsdir/iterate ca10 entry10 NEED_CSR,GENERATING_CSR $toolsdir/iterate ca10 entry10 NEED_TO_SUBMIT,SUBMITTING -$toolsdir/iterate ca10 entry10 START_SAVING_CERT,SAVING_CERT,NEED_TO_READ_CERT,READING_CERT,SAVED_CERT +$toolsdir/iterate ca10 entry10 START_SAVING_CERT,SAVING_CERT,NEED_TO_READ_CERT,READING_CERT,NEED_TO_NOTIFY_ISSUED_SAVED,NOTIFYING_ISSUED_SAVED,SAVED_CERT | sed 's@'"$tmpdir"'@$tmpdir@g' cp $tmpdir/certfile10 $tmpdir/certfile10.bak echo @@ -430,7 +446,7 @@ cat > certmonger.conf << EOF enroll_ttls = 30s notify_ttls = N EOF -$toolsdir/iterate ca10 entry10 NEED_CSR,GENERATING_CSR,HAVE_CSR,NEED_TO_SUBMIT,SUBMITTING,NEED_TO_SAVE_CERT,START_SAVING_CERT,SAVING_CERT,SAVED_CERT,NEED_TO_READ_CERT,READING_CERT | sed 's@'"$tmpdir"'@$tmpdir@g' +$toolsdir/iterate ca10 entry10 NEED_CSR,GENERATING_CSR,HAVE_CSR,NEED_TO_SUBMIT,SUBMITTING,NEED_TO_SAVE_CERT,START_SAVING_CERT,SAVING_CERT,NEED_TO_NOTIFY_ISSUED_SAVED,NOTIFYING_ISSUED_SAVED,SAVED_CERT,NEED_TO_READ_CERT,READING_CERT | sed 's@'"$tmpdir"'@$tmpdir@g' echo echo '[Kicking off notify only.]' 
@@ -458,7 +474,7 @@ cat > certmonger.conf << EOF notify_ttls = 30s enroll_ttls = N EOF -$toolsdir/iterate ca10 entry10 NEED_TO_NOTIFY,NOTIFYING | sed 's@'"$tmpdir"'@$tmpdir@g' +$toolsdir/iterate ca10 entry10 NEED_TO_NOTIFY_VALIDITY,NOTIFYING_VALIDITY | sed 's@'"$tmpdir"'@$tmpdir@g' echo echo '[Kicking off notify-then-submit.]' @@ -466,7 +482,7 @@ echo '[Kicking off notify-then-submit.]' cat > $tmpdir/notify.sh << EOF #!/bin/sh touch $tmpdir/notification.txt -echo 'The sky is falling.' >> $tmpdir/notification.txt +echo The sky is falling: \$CERTMONGER_NOTIFICATION >> $tmpdir/notification.txt EOF chmod u+x $tmpdir/notify.sh cp $tmpdir/certfile10.bak $tmpdir/certfile10 @@ -495,8 +511,8 @@ enroll_ttls = 30s notification_method=command notification_destination=$tmpdir/notify.sh EOF -$toolsdir/iterate ca10 entry10 NEED_TO_NOTIFY,NOTIFYING,NEED_CSR,GENERATING_CSR,HAVE_CSR,NEED_TO_SUBMIT,SUBMITTING,NEED_TO_SAVE_CERT,START_SAVING_CERT,SAVING_CERT,SAVED_CERT,NEED_TO_READ_CERT,READING_CERT | sed 's@'"$tmpdir"'@$tmpdir@g' -cat $tmpdir/notification.txt +$toolsdir/iterate ca10 entry10 NEED_TO_NOTIFY_VALIDITY,NOTIFYING_VALIDITY,NEED_CSR,GENERATING_CSR,HAVE_CSR,NEED_TO_SUBMIT,SUBMITTING,NEED_TO_SAVE_CERT,START_SAVING_CERT,SAVING_CERT,NEED_TO_NOTIFY_ISSUED_SAVED,NOTIFYING_ISSUED_SAVED,SAVED_CERT,NEED_TO_READ_CERT,READING_CERT | sed 's@'"$tmpdir"'@$tmpdir@g' +cat $tmpdir/notification.txt | sed 's@'"$tmpdir"'@$tmpdir@g' CERTMONGER_CONFIG_DIR="$SAVED_CONFIG_DIR"
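Review bot: In the `@@ -466,7 +482,7 @@` hunk the new notify.sh line expands `\$CERTMONGER_NOTIFICATION` unquoted, so the message, which contains a quoted file path, is word-split and glob-expanded before echo sees it; quote it: `echo "The sky is falling: \$CERTMONGER_NOTIFICATION" >> $tmpdir/notification.txt`. The variable name is also hard-coded here while the daemon reads it from CM_NOTIFICATION_ENV, derived from the package name in configure.ac, so a build with a different package name would silently break this test; substituting the configured name would keep the two in step. In the `@@ -495,8 +511,8 @@` hunk `cat $tmpdir/notification.txt | sed ...` can simply be `sed 's@'"$tmpdir"'@$tmpdir@g' $tmpdir/notification.txt`.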