[CalendarServer-changes] [9485] CalendarServer/trunk/contrib/certupdate

source_changes at macosforge.org source_changes at macosforge.org
Mon Jul 23 17:02:33 PDT 2012


Revision: 9485
          http://trac.macosforge.org/projects/calendarserver/changeset/9485
Author:   sagen at apple.com
Date:     2012-07-23 17:02:33 -0700 (Mon, 23 Jul 2012)
Log Message:
-----------
Fall back to default certificate if it exists

Modified Paths:
--------------
    CalendarServer/trunk/contrib/certupdate/calendarcertupdate.py
    CalendarServer/trunk/contrib/certupdate/test/test_certupdate.py

Modified: CalendarServer/trunk/contrib/certupdate/calendarcertupdate.py
===================================================================
--- CalendarServer/trunk/contrib/certupdate/calendarcertupdate.py	2012-07-23 22:44:56 UTC (rev 9484)
+++ CalendarServer/trunk/contrib/certupdate/calendarcertupdate.py	2012-07-24 00:02:33 UTC (rev 9485)
@@ -27,6 +27,7 @@
 SERVICE_NAME = "calendar"
 CALDAVD_PLIST = "/Library/Server/Calendar and Contacts/Config/caldavd.plist"
 SERVER_ADMIN = "/Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin"
+CERT_ADMIN = "/Applications/Server.app/Contents/ServerRoot/usr/sbin/certadmin"
 
 def main():
 
@@ -36,7 +37,14 @@
         if sys.argv[1] != "remove":
             die("Bad command line; 'remove' expected", 2)
         if isThisMyCert(CALDAVD_PLIST, sys.argv[2]):
-            die("%s is in use by calendar" % (sys.argv[2],), 1)
+            defaultCert = getDefaultCert()
+            if defaultCert:
+                replaceCert(CALDAVD_PLIST, defaultCert)
+                restartService(CALDAVD_PLIST)
+                die("Replaced calendar cert with default: %s" % (defaultCert,), 0)
+            else:
+                removeCert(CALDAVD_PLIST)
+                die("No default, so removing calendar cert", 0)
         else:
             die("%s is not in use by calendar" % (sys.argv[2],), 0)
 
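Review bot: The `else` branch calls `removeCert(CALDAVD_PLIST)` and exits without the `restartService(CALDAVD_PLIST)` that the replace branch performs, so a running service would presumably keep its old TLS configuration until something else restarts it. If that is not intended, add `restartService(CALDAVD_PLIST)` after the `removeCert` call. This path also switches TLS off and still exits with status 0. A comment such as `# No default cert: SSL is disabled, service is reachable without TLS only` would make that downgrade explicit to the next reader. The body of `main()` starts and ends outside this hunk.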
@@ -75,6 +83,49 @@
     return otherCert == myCert
 
 
+def getDefaultCert():
+    """
+    Ask certadmin for default cert
+    @returns: path to default certificate, or empty string if no default
+    @rtype: C{str}
+    """
+    child = subprocess.Popen(
+        args=[CERT_ADMIN, "--default-certificate-path"],
+        stdout=subprocess.PIPE,
+        stderr=subprocess.PIPE,
+    )
+    output, error = child.communicate()
+    if child.returncode:
+        log("Error looking up default certificate (%d): %s" % (child.returncode, error))
+        return ""
+    else:
+        certPath = output.strip()
+        log("Default certificate is: %s" % (certPath,))
+        return certPath
+
+
+def removeCert(plistPath):
+    """
+    Remove SSL settings in plist at plistPath
+    """
+    log("Reading plist %s" % (plistPath,))
+    plist = readPlist(plistPath)
+    log("Read in plist %s" % (plistPath,))
+
+    log("Clearing SSLCertificate")
+    plist["SSLCertificate"] = ""
+    log("Clearing SSLAuthorityChain")
+    plist["SSLAuthorityChain"] = ""
+    log("Clearing SSLPrivateKey")
+    plist["SSLPrivateKey"] = ""
+
+    log("Disabling SSL")
+    plist["EnableSSL"] = False
+
+    log("Writing plist %s" % (plistPath,))
+    writePlist(plist, plistPath)
+
+
 def replaceCert(plistPath, otherCert):
     """
     Replace SSL settings in plist at plistPath based on otherCert path
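Review bot: `getDefaultCert()` returns `""` both when certadmin exits non-zero and when there is no default, and the caller in `main()` treats an empty result as the cue to call `removeCert()`, which sets `EnableSSL` to `False`. A failing certadmin call therefore disables TLS instead of leaving the configuration alone. Consider `return None` in the error branch, with the caller stopping on `if defaultCert is None: die("Could not determine default certificate", 1)`. The returned path is only `strip()`ped and is not compared with the certificate being removed. If certadmin could still report that certificate, the plist would be pointed straight back at it, which is worth confirming. The `removeCert` docstring should also state that it sets `EnableSSL` to `False`, not only that it clears the three path keys.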

Modified: CalendarServer/trunk/contrib/certupdate/test/test_certupdate.py
===================================================================
--- CalendarServer/trunk/contrib/certupdate/test/test_certupdate.py	2012-07-23 22:44:56 UTC (rev 9484)
+++ CalendarServer/trunk/contrib/certupdate/test/test_certupdate.py	2012-07-24 00:02:33 UTC (rev 9485)
@@ -19,7 +19,7 @@
 import twistedcaldav.test.util
 from plistlib import readPlist
 from contrib.certupdate.calendarcertupdate import (
-    getMyCert, isThisMyCert, replaceCert
+    getMyCert, isThisMyCert, replaceCert, removeCert
 )
 
 samplePlist = """<?xml version="1.0" encoding="UTF-8"?>
@@ -32,6 +32,8 @@
     <string>/etc/certificates/original.cert.pem</string>
     <key>SSLPrivateKey</key>
     <string>/etc/certificates/original.key.pem</string>
+    <key>EnableSSL</key>
+    <true/>
 </dict>
 </plist>
 """
@@ -63,3 +65,10 @@
         self.assertEquals(plist["SSLAuthorityChain"], "/etc/certificates/new.chain.pem")
         self.assertEquals(plist["SSLCertificate"], "/etc/certificates/new.cert.pem")
         self.assertEquals(plist["SSLPrivateKey"], "/etc/certificates/new.key.pem")
+
+    def test_removeCert(self):
+        removeCert(self.path)
+        plist = readPlist(self.path)
+        self.assertEquals(plist["SSLAuthorityChain"], "")
+        self.assertEquals(plist["SSLCertificate"], "")
+        self.assertEquals(plist["SSLPrivateKey"], "")
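Review bot: `test_removeCert` never checks `EnableSSL`, although this commit adds `<key>EnableSSL</key>` with `<true/>` to the sample plist and `removeCert()` sets that key to `False`. Add `self.assertEquals(plist["EnableSSL"], False)` so the test pins the TLS-disabling side effect. Within the visible hunks, `getDefaultCert()` and the new branches in `main()` have no test. The test class starts outside this hunk.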