Display debugging information for keychain operations and SSL errors

code/client/munkilib/fetch.py

@@ -189,6 +189,7 @@ def get_url(url, destinationpath,
         if connection.SSLerror:
             munkicommon.display_detail(
                 'SSL error detail: %s' % str(connection.SSLerror))
+            keychain.debug_output()
         munkicommon.display_detail('Headers: %s', connection.headers)
         if os.path.exists(tempdownloadpath) and not resume:
             os.remove(tempdownloadpath)

code/client/munkilib/keychain.py

@@ -78,6 +78,43 @@ def security(verb_name, *args):
     return output
 
 
+def debug_output():
+    '''Debugging output for keychain'''
+    try:
+        munkicommon.display_info('***Keychain list***')
+        munkicommon.display_info(security('list-keychains', '-d', 'user'))
+        munkicommon.display_info('***Default keychain info***')
+        munkicommon.display_info(security('default-keychain', '-d', 'user'))
+        keychainfile = keychain_path()
+        munkicommon.display_info('***Info for %s***' % keychainfile)
+        munkicommon.display_info(
+                        security('show-keychain-info', keychainfile))
+    except SecurityError, err:
+        munkicommon.display_info(str(err))
+
+
+def keychain_path():
+    '''Returns an absolute path for our keychain'''
+    keychain_name = munkicommon.pref('KeychainName') or DEFAULT_KEYCHAIN_NAME
+    # If we have an odd path that appears to be all directory and no file name,
+    # revert to default filename
+    if not os.path.basename(keychain_name):
+        keychain_name = DEFAULT_KEYCHAIN_NAME
+    # Check to make sure it's just a simple file name, no directory information
+    if os.path.dirname(keychain_name):
+        # keychain name should be just the filename,
+        # so we'll drop down to the base name
+        keychain_name = os.path.basename(
+                                keychain_name).strip() or DEFAULT_KEYCHAIN_NAME
+    # Correct the filename to include '.keychain' if not already present
+    if not keychain_name.lower().endswith('.keychain'):
+        keychain_name += '.keychain'
+    # make full path
+    abs_keychain_path = os.path.realpath(
+        os.path.join(os.path.expanduser('/Library/Keychains'), keychain_name))
+    return abs_keychain_path
+
+
 def ensure_keychain_is_in_search_list(abs_keychain_path):
     # Check to make sure the keychain is in the search path
     try:
@@ -105,25 +142,9 @@ def ensure_keychain_is_in_search_list(abs_keychain_path):
 
 def setup():
     '''Unlocks the Munki's keychain if it exists; creating it if needed'''
-    keychain_name = munkicommon.pref('KeychainName') or DEFAULT_KEYCHAIN_NAME
+    abs_keychain_path = keychain_path()
     keychain_pass = (
         munkicommon.pref('KeychainPassword') or DEFAULT_KEYCHAIN_PASSWORD)
-    # If we have an odd path that appears to be all directory and no file name,
-    # revert to default filename
-    if not os.path.basename(keychain_name):
-        keychain_name = DEFAULT_KEYCHAIN_NAME
-    # Check to make sure it's just a simple file name, no directory information
-    if os.path.dirname(keychain_name):
-        # keychain name should be just the filename,
-        # so we'll drop down to the base name
-        keychain_name = os.path.basename(
-                                keychain_name).strip() or DEFAULT_KEYCHAIN_NAME
-    # Correct the filename to include '.keychain' if not already present
-    if not keychain_name.lower().endswith('.keychain'):
-        keychain_name += '.keychain'
-    # Check to see if the keychain already exists
-    abs_keychain_path = os.path.realpath(
-        os.path.join(os.path.expanduser('/Library/Keychains'), keychain_name))
     if os.path.exists(abs_keychain_path):
         ensure_keychain_is_in_search_list(abs_keychain_path)
         try:
@@ -154,6 +175,8 @@ def setup():
                 % (abs_keychain_path, err))
     if not os.path.exists(abs_keychain_path):
         make_keychain(abs_keychain_path)
+    elif munkicommon.verbose > 2:
+        debug_output()
 
 
 def make_keychain(abs_keychain_path):
@@ -308,4 +331,6 @@ def make_keychain(abs_keychain_path):
             if default_keychain:
                 # We originally had a different one, set it back
                 output = security(
-                    'default-keychain', '-d', 'user', '-s', default_keychain)
+                    'default-keychain', '-d', 'user', '-s', default_keychain)
+    if munkicommon.verbose > 2:
+        debug_output()