Create directories after checking for binaries

In case the binaries needed for certificate autoenrollment are not present on the system, avoid creating the needed directories. Also add a test to illustrate that we will not fail if the directory structure is wonky, if certmonger is not present.
ubuntu · Aug 9, 2023 · 845ccfe · 845ccfe
1 parent 4f33c8b
commit 845ccfe
Show file tree

Hide file tree

Showing 31 changed files with 86 additions and 20 deletions.
diff --git a/cmd/adsysd/integration_tests/adsysctl_policy_test.go b/cmd/adsysd/integration_tests/adsysctl_policy_test.go
@@ -216,6 +216,7 @@ func TestPolicyUpdate(t *testing.T) {
 		readOnlyDirs        []string
 		winbindMockBehavior string
 		purge               bool
+		missingCertmonger   bool
 
 		wantErr bool
 	}{
@@ -603,6 +604,21 @@ func TestPolicyUpdate(t *testing.T) {
 			initState:    "localhost-uptodate",
 			systemAnswer: "no_proxy_object",
 		},
+		"Does not error when certmonger or cepces is not available": {
+			args:       []string{"-m"},
+			krb5ccname: "-",
+			krb5ccNamesState: []krb5ccNamesWithState{
+				{
+					src:     "ccache_EXAMPLE.COM",
+					machine: true,
+				},
+			},
+			initState: "localhost-uptodate",
+			addPaths: []string{
+				"lib/private", // make parent of private dir a file
+			},
+			missingCertmonger: true,
+		},
 
 		// Purge cases
 		"Purge current user policies": {
@@ -966,13 +982,15 @@ func TestPolicyUpdate(t *testing.T) {
 			t.Setenv("ADSYS_WBCLIENT_BEHAVIOR", tc.winbindMockBehavior)
 
 			// Create fake certmonger and cepces binaries for the certificate manager
-			binDir := t.TempDir()
-			for _, executable := range []string{"getcert", "cepces-submit"} {
-				// #nosec G306. We want this asset to be executable.
-				err := os.WriteFile(filepath.Join(binDir, executable), []byte("#!/bin/sh\necho $@\n"), 0755)
-				require.NoError(t, err, "Setup: could not create %q binary", executable)
+			if !tc.missingCertmonger {
+				binDir := t.TempDir()
+				for _, executable := range []string{"getcert", "cepces-submit"} {
+					// #nosec G306. We want this asset to be executable.
+					err := os.WriteFile(filepath.Join(binDir, executable), []byte("#!/bin/sh\necho $@\n"), 0755)
+					require.NoError(t, err, "Setup: could not create %q binary", executable)
+				}
+				t.Setenv("PATH", binDir+":"+os.Getenv("PATH"))
 			}
-			t.Setenv("PATH", binDir+":"+os.Getenv("PATH"))
 
 			// Some tests will need some initial state assets
 			for _, k := range tc.clearDirs {

diff --git a/...or_when_certmonger_or_cepces_is_not_available/apparmor.d/adsys/machine/nested/usr.bin.baz b/...or_when_certmonger_or_cepces_is_not_available/apparmor.d/adsys/machine/nested/usr.bin.baz
@@ -0,0 +1 @@
+/usr/bin/baz {}
diff --git a/...not_error_when_certmonger_or_cepces_is_not_available/apparmor.d/adsys/machine/usr.bin.bar b/...not_error_when_certmonger_or_cepces_is_not_available/apparmor.d/adsys/machine/usr.bin.bar
@@ -0,0 +1 @@
+/usr/bin/bar {}
diff --git a/...not_error_when_certmonger_or_cepces_is_not_available/apparmor.d/adsys/machine/usr.bin.foo b/...not_error_when_certmonger_or_cepces_is_not_available/apparmor.d/adsys/machine/usr.bin.foo
@@ -0,0 +1 @@
+/usr/bin/foo {}
diff --git a/...en_certmonger_or_cepces_is_not_available/apparmor.d/adsys/users/adsystestuser@example.com b/...en_certmonger_or_cepces_is_not_available/apparmor.d/adsys/users/adsystestuser@example.com
@@ -0,0 +1,6 @@
+^adsystestuser@example.com {
+/etc/environment r,
+@{HOMEDIRS}/.xauth* w,
+/usr/bin/{,b,d,rb}ash Ux,
+/usr/bin/{c,k,tc}sh Ux,
+}
diff --git a/...ate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/dconf/db/gdm.d/adsys b/...ate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/dconf/db/gdm.d/adsys
@@ -0,0 +1,4 @@
+[org/gnome/desktop/interface]
+clock-format='24h'
+clock-show-date=false
+clock-show-weekday=true
diff --git a/...lden/does_not_error_when_certmonger_or_cepces_is_not_available/dconf/db/gdm.d/locks/adsys b/...lden/does_not_error_when_certmonger_or_cepces_is_not_available/dconf/db/gdm.d/locks/adsys
@@ -0,0 +1,3 @@
+/org/gnome/desktop/interface/clock-format
+/org/gnome/desktop/interface/clock-show-date
+/org/gnome/desktop/interface/clock-show-weekday
diff --git a/...golden/does_not_error_when_certmonger_or_cepces_is_not_available/dconf/db/machine.d/adsys b/...golden/does_not_error_when_certmonger_or_cepces_is_not_available/dconf/db/machine.d/adsys
@@ -0,0 +1 @@
+
diff --git a/.../does_not_error_when_certmonger_or_cepces_is_not_available/dconf/db/machine.d/locks/adsys b/.../does_not_error_when_certmonger_or_cepces_is_not_available/dconf/db/machine.d/locks/adsys
@@ -0,0 +1 @@
+
diff --git a/...Update/golden/does_not_error_when_certmonger_or_cepces_is_not_available/dconf/profile/gdm b/...Update/golden/does_not_error_when_certmonger_or_cepces_is_not_available/dconf/profile/gdm
@@ -0,0 +1,3 @@
+user-db:user
+system-db:gdm
+system-db:machine
diff --git a/...PolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/lib/private b/...PolicyUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/lib/private
@@ -0,0 +1 @@
+new content
diff --git a/...es_not_error_when_certmonger_or_cepces_is_not_available/lib/samba/cert_gpo_state_HOST.tdb b/...es_not_error_when_certmonger_or_cepces_is_not_available/lib/samba/cert_gpo_state_HOST.tdb
@@ -0,0 +1 @@
+TDB file
diff --git a/...epces_is_not_available/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf b/...epces_is_not_available/polkit-1/localauthority.conf.d/99-adsys-privilege-enforcement.conf
@@ -0,0 +1,6 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+[Configuration]
+AdminIdentities=unix-user:bob@example.com;unix-group:mygroup@example2.com
diff --git a/...lden/does_not_error_when_certmonger_or_cepces_is_not_available/run/machine/scripts/.ready b/...lden/does_not_error_when_certmonger_or_cepces_is_not_available/run/machine/scripts/.ready
diff --git a/..._certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/empty-subfolder/.empty b/..._certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/empty-subfolder/.empty
diff --git a/...certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/final-machine-script.sh b/...certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/final-machine-script.sh
@@ -0,0 +1 @@
+final machine script
diff --git a/...certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/other-script-user-logon b/...certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/other-script-user-logon
@@ -0,0 +1 @@
+script user logon
diff --git a/...ger_or_cepces_is_not_available/run/machine/scripts/scripts/otherfolder/script-user-logoff b/...ger_or_cepces_is_not_available/run/machine/scripts/scripts/otherfolder/script-user-logoff
@@ -0,0 +1 @@
+script user logoff
diff --git a/...certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/script-machine-shutdown b/...certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/script-machine-shutdown
@@ -0,0 +1 @@
+script machine shutdown
diff --git a/..._certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/script-machine-startup b/..._certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/script-machine-startup
@@ -0,0 +1 @@
+script machine startup
diff --git a/..._when_certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/script-user-logon b/..._when_certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/script-user-logon
@@ -0,0 +1 @@
+script user logon
diff --git a/..._certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/subfolder/other-script b/..._certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/subfolder/other-script
@@ -0,0 +1 @@
+subfolder other script
diff --git a/..._when_certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/unreferenced-data b/..._when_certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/unreferenced-data
@@ -0,0 +1 @@
+unreferenced data
diff --git a/...hen_certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/unreferenced-script b/...hen_certmonger_or_cepces_is_not_available/run/machine/scripts/scripts/unreferenced-script
@@ -0,0 +1 @@
+unreferenced script
diff --git a/...den/does_not_error_when_certmonger_or_cepces_is_not_available/run/machine/scripts/startup b/...den/does_not_error_when_certmonger_or_cepces_is_not_available/run/machine/scripts/startup
@@ -0,0 +1,2 @@
+scripts/script-machine-startup
+scripts/subfolder/other-script
diff --git a/...yUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/users/.empty b/...yUpdate/golden/does_not_error_when_certmonger_or_cepces_is_not_available/run/users/.empty
diff --git a/...error_when_certmonger_or_cepces_is_not_available/sudoers.d/99-adsys-privilege-enforcement b/...error_when_certmonger_or_cepces_is_not_available/sudoers.d/99-adsys-privilege-enforcement
@@ -0,0 +1,10 @@
+# This file is managed by adsys.
+# Do not edit this file manually.
+# Any changes will be overwritten.
+
+%admin	ALL=(ALL) !ALL
+%sudo	ALL=(ALL:ALL) !ALL
+
+"bob@example.com"	ALL=(ALL:ALL) ALL
+"%mygroup@example2.com"	ALL=(ALL:ALL) ALL
+
diff --git a/...te/golden/does_not_error_when_certmonger_or_cepces_is_not_available/systemd/system/.empty b/...te/golden/does_not_error_when_certmonger_or_cepces_is_not_available/systemd/system/.empty
diff --git a/internal/policies/certificate/cert-autoenroll b/internal/policies/certificate/cert-autoenroll
@@ -58,30 +58,30 @@ def main():
     private_dir = os.path.join(args.state_dir, 'private', 'certs')
     global_trust_dir = args.global_trust_dir
 
-    # Create needed directories if they don't exist
-    for directory in [samba_cache_dir, trust_dir, private_dir, global_trust_dir]:
-        if not os.path.exists(directory):
-            perms = 0o700 if directory == private_dir else 0o755
-            os.makedirs(directory, mode=perms)
-
     with tempfile.NamedTemporaryFile(prefix='smb_conf') as smb_conf:
         smb_conf.write(smb_config(args.realm, args.debug).encode('utf-8'))
         smb_conf.flush()
 
         lp = param.LoadParm(smb_conf.name)
-        c = Credentials()
-        c.set_kerberos_state(MUST_USE_KERBEROS)
-        c.guess(lp)
-        username = c.get_username()
-        store = GPOStorage(os.path.join(samba_cache_dir, f'cert_gpo_state_{args.object_name}.tdb'))
-
         # Set up logging
         logger_init('cert-autoenroll', lp.log_level())
 
         if not cepces_submit() or not certmonger():
             log.warning('certmonger and/or cepces not found, skipping certificate enrollment')
             return
 
+        # Create needed directories if they don't exist
+        for directory in [samba_cache_dir, trust_dir, private_dir, global_trust_dir]:
+            if not os.path.exists(directory):
+                perms = 0o700 if directory == private_dir else 0o755
+                os.makedirs(directory, mode=perms)
+
+        c = Credentials()
+        c.set_kerberos_state(MUST_USE_KERBEROS)
+        c.guess(lp)
+        username = c.get_username()
+        store = GPOStorage(os.path.join(samba_cache_dir, f'cert_gpo_state_{args.object_name}.tdb'))
+
         ext = adsys_cert_auto_enroll(lp, c, username, store)
         guid = f'adsys-cert-autoenroll-{args.object_name}'
         if args.action == 'enroll':

diff --git a/...ies/certificate/testdata/TestCertAutoenrollScript/golden/enroll_with_cepces_not_installed b/...ies/certificate/testdata/TestCertAutoenrollScript/golden/enroll_with_cepces_not_installed
@@ -2,5 +2,4 @@ Loading smb.conf
 [global]
 realm = example.com
 
-Loading state file: #STATEDIR#/samba/cert_gpo_state_keypress.tdb
 WARNING: certmonger and/or cepces not found, skipping certificate enrollment
diff --git a/...certificate/testdata/TestCertAutoenrollScript/golden/enroll_with_certmonger_not_installed b/...certificate/testdata/TestCertAutoenrollScript/golden/enroll_with_certmonger_not_installed
@@ -2,5 +2,4 @@ Loading smb.conf
 [global]
 realm = example.com
 
-Loading state file: #STATEDIR#/samba/cert_gpo_state_keypress.tdb
 WARNING: certmonger and/or cepces not found, skipping certificate enrollment