certdeploy.client package

Submodules

certdeploy.client.daemon module

A daemon for accepting and installing certs from a CertDeploy server.

class certdeploy.client.daemon.DeployServer(config: ClientConfig)[source]

Bases: object

SFTP server to accept certs from the CertDeploy server.

Parameters:

config – The CertDeploy client config.

serve_forever()[source]

Start the server and leave it running.

Raises:
  • Any exception encountered by the update worker if fail_fast is enabled.

  • CertDeployError – When unable to listen on the socket.

class certdeploy.client.daemon.SFTPHandle(flags=0)[source]

Bases: SFTPHandle

SFTP file handle.

chattr(attr)[source]

Set attributes for self.filename.

stat()[source]

Return stat data or error info for self.readfile.

class certdeploy.client.daemon.SSHServer(config, *args, **kwargs)[source]

Bases: ServerInterface

Base SSH server to hand off SFTP connections.

valid_username

The username that is valid for login.

Type:

str

valid_public_key

The server’s public key.

Type:

paramiko.PublicBlob

Parameters:
  • config (ClientConfig) – The CertDeploy client config.

  • args (list[Any], optional) – Passthrough positional arguments to the parent class.

Keyword Arguments:

kwargs (dict[Any, Any]) – Passthrough keyword arguments to the parent class.

check_auth_password(username, password)[source]

Override parent method to always deny password authentication.

check_auth_publickey(username, key)[source]

Verify username and public key combination.

check_channel_request(kind, chanid)[source]

Always allow channel requests.

get_allowed_auths(username)[source]

List available authentication mechanisms.

class certdeploy.client.daemon.StubSFTPServer(server, *args, **kwargs)[source]

Bases: SFTPServerInterface

SFTPServer stub.

Implements just the parts required to get certificates from the CertDeploy server. Also drops actions on paths outside of the upload directory.

list_folder(path)[source]

List the contents of path.

mkdir(path, attr)[source]

Make a directory (path) with attributes (attr).

open(path, flags, attr)[source]

Open path for reading or writing.

stat(path)[source]

Return stat data or error info for the path.
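One way to implement the "drops actions on paths outside of the upload directory" behaviour, shown as an added example that is not CertDeploy's own code. The names confine, PathOutsideUploadDir and demo, and the sample paths, are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


class PathOutsideUploadDir(Exception):
    """Raised when a client-supplied path resolves outside the upload dir."""


def confine(upload_dir, client_path):
    """Map an SFTP client path onto upload_dir, or raise if it escapes."""
    root = Path(os.path.realpath(upload_dir))
    if "\x00" in client_path:
        raise PathOutsideUploadDir(client_path)
    # SFTP paths look absolute to the client; strip the leading "/" so the
    # join cannot discard root, then let realpath() collapse ".." and follow
    # symlinks before the containment check.
    candidate = Path(os.path.realpath(root / client_path.lstrip("/")))
    if candidate != root and root not in candidate.parents:
        raise PathOutsideUploadDir(client_path)
    return candidate


def demo():
    """Run confine() over constructed client paths; return accept/drop."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        upload = Path(tmp) / "upload"
        (upload / "example.com").mkdir(parents=True)
        # Constructed escape: a symlink inside the upload dir pointing out.
        os.symlink(tmp, upload / "link")
        for path in ("/example.com/fullchain.pem", "/", "/../etc/passwd",
                     "/example.com/../../x", "/link/x"):
            try:
                confine(upload, path)
                results[path] = "accept"
            except PathOutsideUploadDir:
                results[path] = "drop"
    return results


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:6} {path}")
```

The check resolves symlinks at call time, so it assumes the upload directory is writable only by the daemon itself.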

certdeploy.client.deploy module

CertDeploy Client deploy code.

certdeploy.client.deploy.deploy(config: ClientConfig) → bool[source]

Deploy the certificates.

Returns True if new certificates were deployed.

certdeploy.client.deploy.needs_update(source_filename: PathLike, dest_filename: PathLike) → bool[source]

Verify that dest_filename needs to be updated.

Parameters:
  • source_filename – The incoming cert file.

  • dest_filename – The previously deployed cert file.

Returns:

True if dest_filename does not exist or if dest_filename exists and is not the same as source_filename.

Return type:

bool

certdeploy.client.deploy.validate_keys(*path: PathLike)[source]

Verify the keys are actually keys.

certdeploy.client.errors module

Exceptions for use by the CertDeploy client.

exception certdeploy.client.errors.DockerContainerError(service: Any, message: Exception | str = None, service_name: str = None)[source]

Bases: DockerError

Error restarting a docker container.

exception certdeploy.client.errors.DockerContainerNotFound(service: Any, service_name: str = None)[source]

Bases: DockerNotFound

Could not find a docker container using the given filters.

exception certdeploy.client.errors.DockerError(service: Any, message: Exception | str = None, service_name: str = None)[source]

Bases: UpdateError

Base class for docker related errors.

Parameters:
  • service – The DockerService object associated with the error.

  • message – Either the Exception or the error message string. Defaults to None.

  • service_name – The name of the service in the event the name is unclear or unavailable from service. Defaults to None.

exception certdeploy.client.errors.DockerNotFound(service: Any, service_name: str = None)[source]

Bases: UpdateError

Base class for failed docker API searches.

Parameters:
  • service – The certdeploy.client.config.service.Service with the problem.

  • service_name – The name of the service with a problem in the event it needs to be different than service.name.

exception certdeploy.client.errors.DockerServiceError(service: Any, message: Exception | str = None, service_name: str = None)[source]

Bases: DockerError

Error force updating a docker service.

exception certdeploy.client.errors.DockerServiceNotFound(service: Any, service_name: str = None)[source]

Bases: DockerNotFound

Could not find a docker service using the given filters.

exception certdeploy.client.errors.InvalidKey(key_path: PathLike)[source]

Bases: CertDeployError

Certificate validation error.

Parameters:

key_path – The path to the invalid key.

exception certdeploy.client.errors.RCServiceError(service: Any, message: Exception | str = None, stdout: str = None)[source]

Bases: UpdateError

Error updating a traditional init service.

Parameters:
  • service – The certdeploy.client.config.service.Service with the problem.

  • message – Either a message string or an exception. An exception will be formatted.

  • stdout – The combined stdout/stderr from the service command.

exception certdeploy.client.errors.ScriptError(service: Any, message: Exception | str = None, proc: Popen = None, stdout: str = None)[source]

Bases: UpdateError

Error running an update script.

Parameters:
  • service – The certdeploy.client.config.service.Service with the problem.

  • message – Either a message string or an exception. An exception will be formatted.

  • proc – The Popen object that ran the script.

  • stdout – The combined stdout/stderr from the script execution.

exception certdeploy.client.errors.SystemdError(service: Any, message: Exception | str = None, stdout: str = None)[source]

Bases: UpdateError

Error updating a systemd unit.

Parameters:
  • service – The certdeploy.client.config.service.Service with the problem.

  • message – Either a message string or an exception. An exception will be formatted.

  • stdout – The combined stdout/stderr from the systemctl command.

exception certdeploy.client.errors.UpdateError(service: Any, message: Exception | str = None, service_name: str = None)[source]

Bases: CertDeployError

Base class for all service update related errors.

Parameters:
  • service – The certdeploy.client.config.service.Service with the problem.

  • message – Either a message string or an exception. An exception will be formatted.

  • service_name – The name of the service with a problem in the event it needs to be different than service.name.

certdeploy.client.update module

Functions that update system services.

certdeploy.client.update.update_docker_container(spec: DockerContainer, client_config: ClientConfig)[source]

Update a docker container.

Parameters:
  • spec – The update service specifications.

  • client_config – The CertDeploy client config.

Raises:
certdeploy.client.update.update_docker_service(spec: DockerService, client_config: ClientConfig)[source]

Force update a docker service.

Parameters:
  • spec – The update service specifications.

  • client_config – The CertDeploy client config.

Raises:
certdeploy.client.update.update_rc_service(spec: RCService, client_config: ClientConfig)[source]

Update an init system service.

Parameters:
  • spec – The update service specifications.

  • client_config – The CertDeploy client config.

Raises:

RCServiceError – When the service encounters an OSError, doesn’t finish in a timely manner (according to script.timeout), or exits non-zero.

certdeploy.client.update.update_script(script: Script, client_config: ClientConfig)[source]

Update the system with a script.

Parameters:
  • script – The update service specifications.

  • client_config – The CertDeploy client config.

Raises:

ScriptError – When the script encounters an OSError, doesn’t finish in a timely manner (according to script.timeout), or exits non-zero.

certdeploy.client.update.update_services(config: ClientConfig)[source]

Update all services in config.services.

Parameters:

config – The CertDeploy client config.

certdeploy.client.update.update_systemd_unit(unit: SystemdUnit, client_config: ClientConfig)[source]

Update a Systemd unit.

Parameters:
  • unit – The update service specifications.

  • client_config – The CertDeploy client config.

Raises:

SystemdError – When systemctl encounters an OSError, doesn’t finish in a timely manner (according to script.timeout), or exits non-zero.

Module contents

Common CertDeploy Client resources.