2014-03-18 10:23:30 -05:00
|
|
|
# Authors: Ade Lee <alee@redhat.com>
|
|
|
|
|
#
|
|
|
|
|
# Copyright (C) 2014 Red Hat
|
|
|
|
|
# see file 'COPYING' for use and warranty information
|
|
|
|
|
#
|
|
|
|
|
# This program is free software; you can redistribute it and/or modify
|
|
|
|
|
# it under the terms of the GNU General Public License as published by
|
|
|
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
|
|
|
# (at your option) any later version.
|
|
|
|
|
#
|
|
|
|
|
# This program is distributed in the hope that it will be useful,
|
|
|
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
# GNU General Public License for more details.
|
|
|
|
|
#
|
|
|
|
|
# You should have received a copy of the GNU General Public License
|
|
|
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
#
|
|
|
|
|
|
2018-04-05 02:21:16 -05:00
|
|
|
from __future__ import absolute_import
|
|
|
|
|
|
2014-03-18 10:23:30 -05:00
|
|
|
import base64
|
2017-05-23 11:35:57 -05:00
|
|
|
import logging
|
2018-06-22 03:04:38 -05:00
|
|
|
import time
|
2017-05-23 11:35:57 -05:00
|
|
|
|
2015-08-25 14:42:25 -05:00
|
|
|
import ldap
|
2014-03-18 10:23:30 -05:00
|
|
|
import os
|
|
|
|
|
import shutil
|
|
|
|
|
import traceback
|
2014-10-07 09:46:15 -05:00
|
|
|
import dbus
|
2014-03-18 10:23:30 -05:00
|
|
|
|
2018-09-03 05:45:30 -05:00
|
|
|
from configparser import DEFAULTSECT, ConfigParser, RawConfigParser
|
|
|
|
|
|
2018-08-30 09:42:40 -05:00
|
|
|
import six
|
|
|
|
|
|
2014-03-18 10:23:30 -05:00
|
|
|
from pki.client import PKIConnection
|
|
|
|
|
import pki.system
|
|
|
|
|
|
2017-06-16 03:18:07 -05:00
|
|
|
from ipalib import api, errors, x509
|
2016-11-23 08:04:40 -06:00
|
|
|
from ipalib.install import certmonger
|
2019-06-26 20:48:53 -05:00
|
|
|
from ipalib.constants import CA_DBUS_TIMEOUT, IPA_CA_RECORD, RENEWAL_CA_NAME
|
2014-03-18 10:23:30 -05:00
|
|
|
from ipaplatform import services
|
2016-01-19 05:43:18 -06:00
|
|
|
from ipaplatform.constants import constants
|
2016-01-19 07:18:30 -06:00
|
|
|
from ipaplatform.paths import paths
|
2018-05-23 03:37:58 -05:00
|
|
|
from ipapython import directivesetter
|
2014-03-18 10:23:30 -05:00
|
|
|
from ipapython import ipaldap
|
|
|
|
|
from ipapython import ipautil
|
|
|
|
|
from ipapython.dn import DN
|
|
|
|
|
from ipaserver.install import service
|
2018-12-06 02:03:10 -06:00
|
|
|
from ipaserver.install import sysupgrade
|
2015-08-25 14:42:25 -05:00
|
|
|
from ipaserver.install import replication
|
2014-03-18 10:23:30 -05:00
|
|
|
from ipaserver.install.installutils import stopped_service
|
2017-05-23 11:35:57 -05:00
|
|
|
|
2018-09-03 05:45:30 -05:00
|
|
|
|
2018-08-30 09:42:40 -05:00
|
|
|
|
2017-05-23 11:35:57 -05:00
|
|
|
logger = logging.getLogger(__name__)
|
2014-03-18 10:23:30 -05:00
|
|
|
|
2016-01-19 07:18:30 -06:00
|
|
|
|
2014-03-18 10:23:30 -05:00
|
|
|
def get_security_domain():
|
|
|
|
|
"""
|
|
|
|
|
Get the security domain from the REST interface on the local Dogtag CA
|
|
|
|
|
This function will succeed if the local dogtag CA is up.
|
|
|
|
|
"""
|
2017-02-24 06:00:25 -06:00
|
|
|
connection = PKIConnection(
|
|
|
|
|
protocol='https',
|
|
|
|
|
hostname=api.env.ca_host,
|
|
|
|
|
port='8443'
|
|
|
|
|
)
|
2014-03-18 10:23:30 -05:00
|
|
|
domain_client = pki.system.SecurityDomainClient(connection)
|
|
|
|
|
info = domain_client.get_security_domain_info()
|
|
|
|
|
return info
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def is_installing_replica(sys_type):
|
|
|
|
|
"""
|
|
|
|
|
We expect only one of each type of Dogtag subsystem in an IPA deployment.
|
|
|
|
|
That means that if a subsystem of the specified type has already been
|
|
|
|
|
deployed - and therefore appears in the security domain - then we must be
|
|
|
|
|
installing a replica.
|
|
|
|
|
"""
|
|
|
|
|
info = get_security_domain()
|
|
|
|
|
try:
|
|
|
|
|
sys_list = info.systems[sys_type]
|
|
|
|
|
return len(sys_list.hosts) > 0
|
|
|
|
|
except KeyError:
|
|
|
|
|
return False
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class DogtagInstance(service.Service):
|
|
|
|
|
"""
|
|
|
|
|
This is the base class for a Dogtag 10+ instance, which uses a
|
|
|
|
|
shared tomcat instance and DS to host the relevant subsystems.
|
|
|
|
|
|
|
|
|
|
It contains functions that will be common to installations of the
|
|
|
|
|
CA, KRA, and eventually TKS and TPS.
|
|
|
|
|
"""
|
|
|
|
|
|
2019-06-25 20:54:59 -05:00
|
|
|
# Mapping of nicknames for tracking requests, and the profile to
|
|
|
|
|
# use for that certificate. 'configure_renewal()' reads this
|
2019-06-25 22:52:20 -05:00
|
|
|
# dict. The profile MUST be specified.
|
2019-05-17 01:04:14 -05:00
|
|
|
tracking_reqs = dict()
|
2014-10-07 09:46:15 -05:00
|
|
|
|
2019-04-23 06:47:38 -05:00
|
|
|
# token for CA and subsystem certificates. For now, only internal token
|
|
|
|
|
# is supported.
|
|
|
|
|
token_name = "internal"
|
|
|
|
|
|
2019-06-25 20:54:59 -05:00
|
|
|
# override token for specific nicknames
|
|
|
|
|
token_names = dict()
|
|
|
|
|
|
|
|
|
|
def get_token_name(self, nickname):
|
|
|
|
|
"""Look up token name for nickname."""
|
|
|
|
|
return self.token_names.get(nickname, self.token_name)
|
|
|
|
|
|
2018-06-22 03:04:38 -05:00
|
|
|
ipaca_groups = DN(('ou', 'groups'), ('o', 'ipaca'))
|
|
|
|
|
ipaca_people = DN(('ou', 'people'), ('o', 'ipaca'))
|
|
|
|
|
groups_aci = (
|
|
|
|
|
b'(targetfilter="(objectClass=groupOfUniqueNames)")'
|
|
|
|
|
b'(targetattr="cn || description || objectclass || uniquemember")'
|
|
|
|
|
b'(version 3.0; acl "Allow users from o=ipaca to read groups"; '
|
|
|
|
|
b'allow (read, search, compare) '
|
|
|
|
|
b'userdn="ldap:///uid=*,ou=people,o=ipaca";)'
|
|
|
|
|
)
|
|
|
|
|
|
2015-11-09 11:28:47 -06:00
|
|
|
def __init__(self, realm, subsystem, service_desc, host_name=None,
|
2017-11-08 12:21:22 -06:00
|
|
|
nss_db=paths.PKI_TOMCAT_ALIAS_DIR, service_prefix=None,
|
|
|
|
|
config=None):
|
2014-03-18 10:23:30 -05:00
|
|
|
"""Initializer"""
|
|
|
|
|
|
|
|
|
|
super(DogtagInstance, self).__init__(
|
2015-11-09 11:28:47 -06:00
|
|
|
'pki-tomcatd',
|
2016-11-03 10:38:06 -05:00
|
|
|
service_desc=service_desc,
|
2016-11-03 11:43:33 -05:00
|
|
|
realm_name=realm,
|
2016-11-03 11:54:14 -05:00
|
|
|
service_user=constants.PKI_USER,
|
|
|
|
|
service_prefix=service_prefix
|
2014-03-18 10:23:30 -05:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
self.admin_password = None
|
|
|
|
|
self.fqdn = host_name
|
|
|
|
|
self.pkcs12_info = None
|
|
|
|
|
self.clone = False
|
|
|
|
|
|
2018-09-03 05:45:30 -05:00
|
|
|
self.basedn = None
|
2015-08-25 14:42:25 -05:00
|
|
|
self.admin_user = "admin"
|
2018-06-22 03:04:38 -05:00
|
|
|
self.admin_dn = DN(
|
|
|
|
|
('uid', self.admin_user), self.ipaca_people
|
|
|
|
|
)
|
2015-08-25 14:42:25 -05:00
|
|
|
self.admin_groups = None
|
2017-02-14 09:55:11 -06:00
|
|
|
self.tmp_agent_db = None
|
2014-03-18 10:23:30 -05:00
|
|
|
self.subsystem = subsystem
|
|
|
|
|
# replication parameters
|
|
|
|
|
self.master_host = None
|
2018-08-30 09:42:40 -05:00
|
|
|
self.master_replication_port = 389
|
2015-11-09 11:28:47 -06:00
|
|
|
self.nss_db = nss_db
|
2017-11-08 12:21:22 -06:00
|
|
|
self.config = config # Path to CS.cfg
|
2014-03-18 10:23:30 -05:00
|
|
|
|
2018-09-03 05:45:30 -05:00
|
|
|
# filled out by configure_instance
|
|
|
|
|
self.pki_config_override = None
|
2018-08-30 09:42:40 -05:00
|
|
|
self.ca_subject = None
|
|
|
|
|
self.subject_base = None
|
|
|
|
|
|
2014-03-18 10:23:30 -05:00
|
|
|
def is_installed(self):
|
|
|
|
|
"""
|
|
|
|
|
Determine if subsystem instance has been installed.
|
|
|
|
|
|
|
|
|
|
Returns True/False
|
|
|
|
|
"""
|
|
|
|
|
return os.path.exists(os.path.join(
|
2015-11-09 11:28:47 -06:00
|
|
|
paths.VAR_LIB_PKI_TOMCAT_DIR, self.subsystem.lower()))
|
2014-03-18 10:23:30 -05:00
|
|
|
|
2016-11-10 07:24:26 -06:00
|
|
|
def spawn_instance(self, cfg_file, nolog_list=()):
|
2014-03-18 10:23:30 -05:00
|
|
|
"""
|
|
|
|
|
Create and configure a new Dogtag instance using pkispawn.
|
|
|
|
|
Passes in a configuration file with IPA-specific
|
|
|
|
|
parameters.
|
|
|
|
|
"""
|
|
|
|
|
subsystem = self.subsystem
|
|
|
|
|
args = [paths.PKISPAWN,
|
|
|
|
|
"-s", subsystem,
|
|
|
|
|
"-f", cfg_file]
|
|
|
|
|
|
|
|
|
|
with open(cfg_file) as f:
|
2017-05-23 11:35:57 -05:00
|
|
|
logger.debug(
|
2014-03-18 10:23:30 -05:00
|
|
|
'Contents of pkispawn configuration file (%s):\n%s',
|
2016-11-10 07:24:26 -06:00
|
|
|
cfg_file, ipautil.nolog_replace(f.read(), nolog_list))
|
2014-03-18 10:23:30 -05:00
|
|
|
|
|
|
|
|
try:
|
2016-11-10 07:24:26 -06:00
|
|
|
ipautil.run(args, nolog=nolog_list)
|
2015-07-30 09:49:29 -05:00
|
|
|
except ipautil.CalledProcessError as e:
|
2015-04-20 05:34:38 -05:00
|
|
|
self.handle_setup_error(e)
|
2014-03-18 10:23:30 -05:00
|
|
|
|
2017-02-14 09:55:11 -06:00
|
|
|
def clean_pkispawn_files(self):
|
|
|
|
|
if self.tmp_agent_db is not None:
|
2018-10-26 11:12:29 -05:00
|
|
|
logger.debug("Removing %s", self.tmp_agent_db)
|
2017-02-14 09:55:11 -06:00
|
|
|
shutil.rmtree(self.tmp_agent_db, ignore_errors=True)
|
|
|
|
|
|
2018-10-26 11:12:29 -05:00
|
|
|
client_dir = os.path.join(
|
|
|
|
|
'/root/.dogtag/pki-tomcat/', self.subsystem.lower())
|
|
|
|
|
logger.debug("Removing %s", client_dir)
|
|
|
|
|
shutil.rmtree(client_dir, ignore_errors=True)
|
2017-02-14 09:55:11 -06:00
|
|
|
|
2014-03-18 10:23:30 -05:00
|
|
|
def restart_instance(self):
|
2017-05-04 07:58:46 -05:00
|
|
|
self.restart('pki-tomcat')
|
2014-03-18 10:23:30 -05:00
|
|
|
|
|
|
|
|
def start_instance(self):
|
2017-05-04 07:58:46 -05:00
|
|
|
self.start('pki-tomcat')
|
2014-03-18 10:23:30 -05:00
|
|
|
|
|
|
|
|
def stop_instance(self):
|
|
|
|
|
try:
|
2015-11-09 11:28:47 -06:00
|
|
|
self.stop('pki-tomcat')
|
2014-03-18 10:23:30 -05:00
|
|
|
except Exception:
|
2017-05-23 11:35:57 -05:00
|
|
|
logger.debug("%s", traceback.format_exc())
|
|
|
|
|
logger.critical(
|
2017-05-04 08:00:33 -05:00
|
|
|
"Failed to stop the Dogtag instance."
|
2014-03-18 10:23:30 -05:00
|
|
|
"See the installation log for details.")
|
|
|
|
|
|
2017-11-08 12:21:22 -06:00
|
|
|
def enable_client_auth_to_db(self):
|
2014-03-18 10:23:30 -05:00
|
|
|
"""
|
|
|
|
|
Enable client auth connection to the internal db.
|
|
|
|
|
"""
|
2019-04-23 06:47:38 -05:00
|
|
|
sub_system_nickname = "subsystemCert cert-pki-ca"
|
|
|
|
|
if self.token_name != "internal":
|
|
|
|
|
# TODO: Dogtag 10.6.9 does not like "internal" prefix.
|
|
|
|
|
sub_system_nickname = '{}:{}'.format(
|
|
|
|
|
self.token_name, sub_system_nickname
|
|
|
|
|
)
|
|
|
|
|
|
2015-11-09 11:28:47 -06:00
|
|
|
with stopped_service('pki-tomcatd', 'pki-tomcat'):
|
2018-05-23 03:37:58 -05:00
|
|
|
directivesetter.set_directive(
|
2017-11-08 12:21:22 -06:00
|
|
|
self.config,
|
2014-03-18 10:23:30 -05:00
|
|
|
'authz.instance.DirAclAuthz.ldap.ldapauth.authtype',
|
|
|
|
|
'SslClientAuth', quotes=False, separator='=')
|
2018-05-23 03:37:58 -05:00
|
|
|
directivesetter.set_directive(
|
2017-11-08 12:21:22 -06:00
|
|
|
self.config,
|
2014-03-18 10:23:30 -05:00
|
|
|
'authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname',
|
2019-04-23 06:47:38 -05:00
|
|
|
sub_system_nickname, quotes=False, separator='=')
|
2018-05-23 03:37:58 -05:00
|
|
|
directivesetter.set_directive(
|
2017-11-08 12:21:22 -06:00
|
|
|
self.config,
|
2015-11-09 11:28:47 -06:00
|
|
|
'authz.instance.DirAclAuthz.ldap.ldapconn.port', '636',
|
2014-03-18 10:23:30 -05:00
|
|
|
quotes=False, separator='=')
|
2018-05-23 03:37:58 -05:00
|
|
|
directivesetter.set_directive(
|
2017-11-08 12:21:22 -06:00
|
|
|
self.config,
|
2014-03-18 10:23:30 -05:00
|
|
|
'authz.instance.DirAclAuthz.ldap.ldapconn.secureConn',
|
|
|
|
|
'true', quotes=False, separator='=')
|
|
|
|
|
|
2018-05-23 03:37:58 -05:00
|
|
|
directivesetter.set_directive(
|
2017-11-08 12:21:22 -06:00
|
|
|
self.config,
|
2014-03-18 10:23:30 -05:00
|
|
|
'internaldb.ldapauth.authtype',
|
|
|
|
|
'SslClientAuth', quotes=False, separator='=')
|
|
|
|
|
|
2018-05-23 03:37:58 -05:00
|
|
|
directivesetter.set_directive(
|
2017-11-08 12:21:22 -06:00
|
|
|
self.config,
|
2014-03-18 10:23:30 -05:00
|
|
|
'internaldb.ldapauth.clientCertNickname',
|
2019-04-23 06:47:38 -05:00
|
|
|
sub_system_nickname, quotes=False, separator='=')
|
2018-05-23 03:37:58 -05:00
|
|
|
directivesetter.set_directive(
|
2017-11-08 12:21:22 -06:00
|
|
|
self.config,
|
2015-11-09 11:28:47 -06:00
|
|
|
'internaldb.ldapconn.port', '636', quotes=False, separator='=')
|
2018-05-23 03:37:58 -05:00
|
|
|
directivesetter.set_directive(
|
2017-11-08 12:21:22 -06:00
|
|
|
self.config,
|
2014-03-18 10:23:30 -05:00
|
|
|
'internaldb.ldapconn.secureConn', 'true', quotes=False,
|
|
|
|
|
separator='=')
|
2013-11-06 06:29:09 -06:00
|
|
|
# Remove internaldb password as is not needed anymore
|
2018-05-23 03:37:58 -05:00
|
|
|
directivesetter.set_directive(paths.PKI_TOMCAT_PASSWORD_CONF,
|
2020-11-20 15:47:57 -06:00
|
|
|
'internaldb', None, separator='=')
|
2014-03-18 10:23:30 -05:00
|
|
|
|
|
|
|
|
def uninstall(self):
|
|
|
|
|
if self.is_installed():
|
|
|
|
|
self.print_msg("Unconfiguring %s" % self.subsystem)
|
|
|
|
|
|
|
|
|
|
try:
|
2015-11-09 11:28:47 -06:00
|
|
|
ipautil.run([paths.PKIDESTROY,
|
|
|
|
|
"-i", 'pki-tomcat',
|
2014-03-18 10:23:30 -05:00
|
|
|
"-s", self.subsystem])
|
2015-07-30 09:49:29 -05:00
|
|
|
except ipautil.CalledProcessError as e:
|
2017-05-23 11:35:57 -05:00
|
|
|
logger.critical("failed to uninstall %s instance %s",
|
|
|
|
|
self.subsystem, e)
|
2014-03-18 10:23:30 -05:00
|
|
|
|
|
|
|
|
def http_proxy(self):
|
|
|
|
|
""" Update the http proxy file """
|
2016-11-22 09:06:45 -06:00
|
|
|
template_filename = (
|
2017-03-15 12:28:07 -05:00
|
|
|
os.path.join(paths.USR_SHARE_IPA_DIR,
|
|
|
|
|
"ipa-pki-proxy.conf.template"))
|
2014-03-18 10:23:30 -05:00
|
|
|
sub_dict = dict(
|
2015-11-09 11:28:47 -06:00
|
|
|
DOGTAG_PORT=8009,
|
2014-03-18 10:23:30 -05:00
|
|
|
CLONE='' if self.clone else '#',
|
|
|
|
|
FQDN=self.fqdn,
|
|
|
|
|
)
|
|
|
|
|
template = ipautil.template_file(template_filename, sub_dict)
|
|
|
|
|
with open(paths.HTTPD_IPA_PKI_PROXY_CONF, "w") as fd:
|
|
|
|
|
fd.write(template)
|
2019-05-15 07:35:32 -05:00
|
|
|
os.fchmod(fd.fileno(), 0o644)
|
2014-03-18 10:23:30 -05:00
|
|
|
|
2015-01-08 03:06:46 -06:00
|
|
|
def configure_certmonger_renewal(self):
|
2014-10-07 09:46:15 -05:00
|
|
|
"""
|
|
|
|
|
Create a new CA type for certmonger that will retrieve updated
|
|
|
|
|
certificates from the dogtag master server.
|
|
|
|
|
"""
|
|
|
|
|
cmonger = services.knownservices.certmonger
|
|
|
|
|
cmonger.enable()
|
2019-04-26 02:01:42 -05:00
|
|
|
if not services.knownservices.dbus.is_running():
|
|
|
|
|
# some platforms protect dbus with RefuseManualStart=True
|
|
|
|
|
services.knownservices.dbus.start()
|
2014-10-07 09:46:15 -05:00
|
|
|
cmonger.start()
|
|
|
|
|
|
|
|
|
|
bus = dbus.SystemBus()
|
|
|
|
|
obj = bus.get_object('org.fedorahosted.certmonger',
|
|
|
|
|
'/org/fedorahosted/certmonger')
|
|
|
|
|
iface = dbus.Interface(obj, 'org.fedorahosted.certmonger')
|
2017-04-19 07:55:47 -05:00
|
|
|
for suffix, args in [('', ''), ('-reuse', ' --reuse-existing')]:
|
2019-06-26 20:48:53 -05:00
|
|
|
name = RENEWAL_CA_NAME + suffix
|
2017-04-19 07:55:47 -05:00
|
|
|
path = iface.find_ca_by_nickname(name)
|
|
|
|
|
if not path:
|
|
|
|
|
command = paths.DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT + args
|
|
|
|
|
iface.add_known_ca(
|
|
|
|
|
name,
|
|
|
|
|
command,
|
2017-09-13 11:27:48 -05:00
|
|
|
dbus.Array([], dbus.Signature('s')),
|
|
|
|
|
# Give dogtag extra time to generate cert
|
|
|
|
|
timeout=CA_DBUS_TIMEOUT)
|
2014-10-07 09:46:15 -05:00
|
|
|
|
2019-04-23 06:47:38 -05:00
|
|
|
def __get_pin(self, token_name="internal"):
|
2014-03-18 10:23:30 -05:00
|
|
|
try:
|
2019-04-23 06:47:38 -05:00
|
|
|
return certmonger.get_pin(token_name)
|
2015-07-30 09:49:29 -05:00
|
|
|
except IOError as e:
|
2017-05-23 11:35:57 -05:00
|
|
|
logger.debug(
|
2014-03-18 10:23:30 -05:00
|
|
|
'Unable to determine PIN for the Dogtag instance: %s', e)
|
|
|
|
|
raise RuntimeError(e)
|
|
|
|
|
|
2014-10-07 09:46:15 -05:00
|
|
|
def configure_renewal(self):
|
|
|
|
|
""" Configure certmonger to renew system certs """
|
2014-03-18 10:23:30 -05:00
|
|
|
|
2017-04-24 01:40:11 -05:00
|
|
|
for nickname in self.tracking_reqs:
|
2019-06-25 20:54:59 -05:00
|
|
|
token_name = self.get_token_name(nickname)
|
|
|
|
|
pin = self.__get_pin(token_name)
|
2014-03-18 10:23:30 -05:00
|
|
|
try:
|
2017-01-27 02:34:23 -06:00
|
|
|
certmonger.start_tracking(
|
|
|
|
|
certpath=self.nss_db,
|
2019-06-26 20:48:53 -05:00
|
|
|
ca=RENEWAL_CA_NAME,
|
2014-03-18 10:23:30 -05:00
|
|
|
nickname=nickname,
|
2019-06-25 20:54:59 -05:00
|
|
|
token_name=token_name,
|
2014-03-18 10:23:30 -05:00
|
|
|
pin=pin,
|
|
|
|
|
pre_command='stop_pkicad',
|
|
|
|
|
post_command='renew_ca_cert "%s"' % nickname,
|
2019-05-17 01:04:14 -05:00
|
|
|
profile=self.tracking_reqs[nickname],
|
2017-04-24 01:40:11 -05:00
|
|
|
)
|
2015-07-30 09:49:29 -05:00
|
|
|
except RuntimeError as e:
|
2017-05-23 11:35:57 -05:00
|
|
|
logger.error(
|
2014-03-18 10:23:30 -05:00
|
|
|
"certmonger failed to start tracking certificate: %s", e)
|
|
|
|
|
|
2014-10-07 09:46:15 -05:00
|
|
|
def stop_tracking_certificates(self, stop_certmonger=True):
|
2014-03-18 10:23:30 -05:00
|
|
|
"""Stop tracking our certificates. Called on uninstall.
|
|
|
|
|
"""
|
2018-05-02 10:43:09 -05:00
|
|
|
logger.debug(
|
2014-09-01 21:49:54 -05:00
|
|
|
"Configuring certmonger to stop tracking system certificates "
|
2018-05-02 10:43:09 -05:00
|
|
|
"for %s", self.subsystem)
|
2014-09-01 21:49:54 -05:00
|
|
|
|
2014-03-18 10:23:30 -05:00
|
|
|
cmonger = services.knownservices.certmonger
|
2019-04-26 02:01:42 -05:00
|
|
|
if not services.knownservices.dbus.is_running():
|
|
|
|
|
# some platforms protect dbus with RefuseManualStart=True
|
|
|
|
|
services.knownservices.dbus.start()
|
2014-03-18 10:23:30 -05:00
|
|
|
cmonger.start()
|
|
|
|
|
|
2019-06-25 20:54:59 -05:00
|
|
|
for nickname in self.tracking_reqs:
|
2014-03-18 10:23:30 -05:00
|
|
|
try:
|
|
|
|
|
certmonger.stop_tracking(
|
2015-11-09 11:28:47 -06:00
|
|
|
self.nss_db, nickname=nickname)
|
2015-07-30 09:49:29 -05:00
|
|
|
except RuntimeError as e:
|
2017-05-23 11:35:57 -05:00
|
|
|
logger.error(
|
2014-03-18 10:23:30 -05:00
|
|
|
"certmonger failed to stop tracking certificate: %s", e)
|
|
|
|
|
|
2014-10-07 09:46:15 -05:00
|
|
|
if stop_certmonger:
|
|
|
|
|
cmonger.stop()
|
2014-03-18 10:23:30 -05:00
|
|
|
|
2017-11-08 12:21:22 -06:00
|
|
|
def update_cert_cs_cfg(self, directive, cert):
|
2014-03-18 10:23:30 -05:00
|
|
|
"""
|
|
|
|
|
When renewing a Dogtag subsystem certificate the configuration file
|
|
|
|
|
needs to get the new certificate as well.
|
|
|
|
|
|
2016-06-16 22:33:26 -05:00
|
|
|
``directive`` is the directive to update in CS.cfg
|
2017-06-16 03:18:07 -05:00
|
|
|
cert is IPACertificate.
|
2014-03-18 10:23:30 -05:00
|
|
|
cs_cfg is the path to the CS.cfg file
|
|
|
|
|
"""
|
|
|
|
|
|
2015-11-09 11:28:47 -06:00
|
|
|
with stopped_service('pki-tomcatd', 'pki-tomcat'):
|
2018-05-23 03:37:58 -05:00
|
|
|
directivesetter.set_directive(
|
2017-11-08 12:21:22 -06:00
|
|
|
self.config,
|
2016-06-16 22:33:26 -05:00
|
|
|
directive,
|
2017-06-16 03:18:07 -05:00
|
|
|
# the cert must be only the base64 string without headers
|
2017-08-16 08:39:06 -05:00
|
|
|
(base64.b64encode(cert.public_bytes(x509.Encoding.DER))
|
|
|
|
|
.decode('ascii')),
|
2014-03-18 10:23:30 -05:00
|
|
|
quotes=False,
|
|
|
|
|
separator='=')
|
|
|
|
|
|
|
|
|
|
def get_admin_cert(self):
|
|
|
|
|
"""
|
|
|
|
|
Get the certificate for the admin user by checking the ldap entry
|
|
|
|
|
for the user. There should be only one certificate per user.
|
|
|
|
|
"""
|
2017-05-23 11:35:57 -05:00
|
|
|
logger.debug('Trying to find the certificate for the admin user')
|
2014-03-18 10:23:30 -05:00
|
|
|
conn = None
|
|
|
|
|
|
|
|
|
|
try:
|
2018-11-30 03:28:32 -06:00
|
|
|
conn = ipaldap.LDAPClient.from_realm(self.realm)
|
2016-10-06 01:45:43 -05:00
|
|
|
conn.external_bind()
|
2014-03-18 10:23:30 -05:00
|
|
|
|
2015-08-25 14:42:25 -05:00
|
|
|
entry_attrs = conn.get_entry(self.admin_dn, ['usercertificate'])
|
2014-03-18 10:23:30 -05:00
|
|
|
admin_cert = entry_attrs.get('usercertificate')[0]
|
|
|
|
|
|
|
|
|
|
# TODO(edewata) Add check to warn if there is more than one cert.
|
|
|
|
|
finally:
|
|
|
|
|
if conn is not None:
|
|
|
|
|
conn.unbind()
|
|
|
|
|
|
2017-07-03 10:10:34 -05:00
|
|
|
return admin_cert
|
2015-04-20 05:34:38 -05:00
|
|
|
|
|
|
|
|
def handle_setup_error(self, e):
|
2017-05-23 11:35:57 -05:00
|
|
|
logger.critical("Failed to configure %s instance: %s",
|
|
|
|
|
self.subsystem, e)
|
|
|
|
|
logger.critical("See the installation logs and the following "
|
|
|
|
|
"files/directories for more information:")
|
|
|
|
|
logger.critical(" %s", paths.TOMCAT_TOPLEVEL_DIR)
|
2015-04-20 05:34:38 -05:00
|
|
|
|
|
|
|
|
raise RuntimeError("%s configuration failed." % self.subsystem)
|
2015-08-25 14:42:25 -05:00
|
|
|
|
2018-06-22 03:04:38 -05:00
|
|
|
def add_ipaca_aci(self):
|
|
|
|
|
"""Add ACI to allow ipaca users to read their own group information
|
|
|
|
|
|
|
|
|
|
Dogtag users aren't allowed to enumerate their own groups. The
|
|
|
|
|
setup_admin() method needs the permission to wait, until all group
|
|
|
|
|
information has been replicated.
|
|
|
|
|
"""
|
|
|
|
|
dn = self.ipaca_groups
|
|
|
|
|
mod = [(ldap.MOD_ADD, 'aci', [self.groups_aci])]
|
2015-08-25 14:42:25 -05:00
|
|
|
try:
|
2016-11-09 05:53:14 -06:00
|
|
|
api.Backend.ldap2.modify_s(dn, mod)
|
2015-08-25 14:42:25 -05:00
|
|
|
except ldap.TYPE_OR_VALUE_EXISTS:
|
2018-06-22 03:04:38 -05:00
|
|
|
logger.debug("%s already has ACI to read group information", dn)
|
|
|
|
|
else:
|
|
|
|
|
logger.debug("Added ACI to read groups to %s", dn)
|
2015-08-25 14:42:25 -05:00
|
|
|
|
|
|
|
|
def setup_admin(self):
|
|
|
|
|
self.admin_user = "admin-%s" % self.fqdn
|
2016-12-21 08:07:34 -06:00
|
|
|
self.admin_password = ipautil.ipa_generate_password()
|
2018-06-22 03:04:38 -05:00
|
|
|
self.admin_dn = DN(
|
|
|
|
|
('uid', self.admin_user), self.ipaca_people
|
|
|
|
|
)
|
2015-08-25 14:42:25 -05:00
|
|
|
# remove user if left-over exists
|
|
|
|
|
try:
|
2018-06-22 03:04:38 -05:00
|
|
|
api.Backend.ldap2.delete_entry(self.admin_dn)
|
2015-08-25 14:42:25 -05:00
|
|
|
except errors.NotFound:
|
|
|
|
|
pass
|
|
|
|
|
|
|
|
|
|
# add user
|
2016-11-09 05:53:14 -06:00
|
|
|
entry = api.Backend.ldap2.make_entry(
|
2015-08-25 14:42:25 -05:00
|
|
|
self.admin_dn,
|
|
|
|
|
objectclass=["top", "person", "organizationalPerson",
|
|
|
|
|
"inetOrgPerson", "cmsuser"],
|
|
|
|
|
uid=[self.admin_user],
|
|
|
|
|
cn=[self.admin_user],
|
|
|
|
|
sn=[self.admin_user],
|
|
|
|
|
usertype=['adminType'],
|
|
|
|
|
mail=['root@localhost'],
|
|
|
|
|
userPassword=[self.admin_password],
|
|
|
|
|
userstate=['1']
|
|
|
|
|
)
|
2016-11-09 05:53:14 -06:00
|
|
|
api.Backend.ldap2.add_entry(entry)
|
2015-08-25 14:42:25 -05:00
|
|
|
|
2018-06-22 03:04:38 -05:00
|
|
|
wait_groups = []
|
2015-08-25 14:42:25 -05:00
|
|
|
for group in self.admin_groups:
|
2018-06-22 03:04:38 -05:00
|
|
|
group_dn = DN(('cn', group), self.ipaca_groups)
|
|
|
|
|
mod = [(ldap.MOD_ADD, 'uniqueMember', [self.admin_dn])]
|
|
|
|
|
try:
|
|
|
|
|
api.Backend.ldap2.modify_s(group_dn, mod)
|
|
|
|
|
except ldap.TYPE_OR_VALUE_EXISTS:
|
|
|
|
|
# already there
|
|
|
|
|
return None
|
|
|
|
|
else:
|
|
|
|
|
wait_groups.append(group_dn)
|
2015-08-25 14:42:25 -05:00
|
|
|
|
|
|
|
|
# Now wait until the other server gets replicated this data
|
2018-11-30 03:28:32 -06:00
|
|
|
master_conn = ipaldap.LDAPClient.from_hostname_secure(
|
|
|
|
|
self.master_host
|
|
|
|
|
)
|
2018-06-22 03:04:38 -05:00
|
|
|
logger.debug(
|
|
|
|
|
"Waiting for %s to appear on %s", self.admin_dn, master_conn
|
|
|
|
|
)
|
|
|
|
|
deadline = time.time() + api.env.replication_wait_timeout
|
|
|
|
|
while time.time() < deadline:
|
|
|
|
|
time.sleep(1)
|
|
|
|
|
try:
|
|
|
|
|
master_conn.simple_bind(self.admin_dn, self.admin_password)
|
2018-06-29 04:08:45 -05:00
|
|
|
except errors.ACIError:
|
|
|
|
|
# user not replicated yet
|
2018-06-22 03:04:38 -05:00
|
|
|
pass
|
|
|
|
|
else:
|
|
|
|
|
logger.debug("Successfully logged in as %s", self.admin_dn)
|
|
|
|
|
break
|
|
|
|
|
else:
|
|
|
|
|
logger.error(
|
|
|
|
|
"Unable to log in as %s on %s", self.admin_dn, master_conn
|
|
|
|
|
)
|
|
|
|
|
raise errors.NotFound(
|
|
|
|
|
reason="{} did not replicate to {}".format(
|
|
|
|
|
self.admin_dn, master_conn
|
|
|
|
|
)
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
# wait for group membership
|
|
|
|
|
for group_dn in wait_groups:
|
|
|
|
|
replication.wait_for_entry(
|
|
|
|
|
master_conn,
|
|
|
|
|
group_dn,
|
|
|
|
|
timeout=api.env.replication_wait_timeout,
|
|
|
|
|
attr='uniqueMember',
|
|
|
|
|
attrvalue=self.admin_dn
|
|
|
|
|
)
|
2015-08-25 14:42:25 -05:00
|
|
|
|
|
|
|
|
def __remove_admin_from_group(self, group):
|
2018-06-22 03:04:38 -05:00
|
|
|
dn = DN(('cn', group), self.ipaca_groups)
|
2015-08-25 14:42:25 -05:00
|
|
|
mod = [(ldap.MOD_DELETE, 'uniqueMember', self.admin_dn)]
|
|
|
|
|
try:
|
2016-11-09 05:53:14 -06:00
|
|
|
api.Backend.ldap2.modify_s(dn, mod)
|
2015-08-25 14:42:25 -05:00
|
|
|
except ldap.NO_SUCH_ATTRIBUTE:
|
|
|
|
|
# already removed
|
|
|
|
|
pass
|
|
|
|
|
|
|
|
|
|
def teardown_admin(self):
|
|
|
|
|
for group in self.admin_groups:
|
|
|
|
|
self.__remove_admin_from_group(group)
|
2016-11-09 05:53:14 -06:00
|
|
|
api.Backend.ldap2.delete_entry(self.admin_dn)
|
2016-02-25 02:09:35 -06:00
|
|
|
|
2017-09-27 16:45:38 -05:00
|
|
|
def backup_config(self):
|
|
|
|
|
"""
|
|
|
|
|
Create a backup copy of CS.cfg
|
|
|
|
|
"""
|
2018-03-15 07:09:48 -05:00
|
|
|
config = self.config
|
|
|
|
|
bak = config + '.ipabkp'
|
2017-09-27 16:45:38 -05:00
|
|
|
if services.knownservices['pki_tomcatd'].is_running('pki-tomcat'):
|
|
|
|
|
raise RuntimeError(
|
2018-03-15 07:09:48 -05:00
|
|
|
"Dogtag must be stopped when creating backup of %s" % config)
|
|
|
|
|
shutil.copy(config, bak)
|
|
|
|
|
# shutil.copy() doesn't copy owner
|
|
|
|
|
s = os.stat(config)
|
|
|
|
|
os.chown(bak, s.st_uid, s.st_gid)
|
2018-12-06 02:03:10 -06:00
|
|
|
|
|
|
|
|
def reindex_task(self, force=False):
|
|
|
|
|
"""Reindex ipaca entries
|
|
|
|
|
|
|
|
|
|
pkispawn sometimes does not run its indextasks. This leads to slow
|
|
|
|
|
unindexed filters on attributes such as description, which is used
|
|
|
|
|
to log in with a certificate. Explicitly reindex attribute that
|
|
|
|
|
should have been reindexed by CA's indextasks.ldif.
|
|
|
|
|
|
|
|
|
|
See https://pagure.io/dogtagpki/issue/3083
|
|
|
|
|
"""
|
|
|
|
|
state_name = 'reindex_task'
|
|
|
|
|
if not force and sysupgrade.get_upgrade_state('dogtag', state_name):
|
|
|
|
|
return
|
|
|
|
|
|
|
|
|
|
cn = "indextask_ipaca_{}".format(int(time.time()))
|
|
|
|
|
dn = DN(
|
|
|
|
|
('cn', cn), ('cn', 'index'), ('cn', 'tasks'), ('cn', 'config')
|
|
|
|
|
)
|
|
|
|
|
entry = api.Backend.ldap2.make_entry(
|
|
|
|
|
dn,
|
|
|
|
|
objectClass=['top', 'extensibleObject'],
|
|
|
|
|
cn=[cn],
|
|
|
|
|
nsInstance=['ipaca'], # Dogtag PKI database
|
|
|
|
|
nsIndexAttribute=[
|
|
|
|
|
# from pki/base/ca/shared/conf/indextasks.ldif
|
|
|
|
|
'archivedBy', 'certstatus', 'clientId', 'dataType',
|
|
|
|
|
'dateOfCreate', 'description', 'duration', 'extension',
|
|
|
|
|
'issuedby', 'issuername', 'metaInfo', 'notafter',
|
|
|
|
|
'notbefore', 'ownername', 'publicKeyData', 'requestid',
|
|
|
|
|
'requestowner', 'requestsourceid', 'requeststate',
|
|
|
|
|
'requesttype', 'revInfo', 'revokedOn', 'revokedby',
|
|
|
|
|
'serialno', 'status', 'subjectname',
|
|
|
|
|
],
|
|
|
|
|
ttl=[10],
|
|
|
|
|
)
|
|
|
|
|
logger.debug('Creating ipaca reindex task %s', dn)
|
|
|
|
|
api.Backend.ldap2.add_entry(entry)
|
|
|
|
|
logger.debug('Waiting for task...')
|
|
|
|
|
exitcode = replication.wait_for_task(api.Backend.ldap2, dn)
|
|
|
|
|
logger.debug(
|
|
|
|
|
'Task %s has finished with exit code %i',
|
|
|
|
|
dn, exitcode
|
|
|
|
|
)
|
|
|
|
|
sysupgrade.set_upgrade_state('dogtag', state_name, True)
|
2018-08-30 09:42:40 -05:00
|
|
|
|
|
|
|
|
def _configure_clone(self, subsystem_config, security_domain_hostname,
|
|
|
|
|
clone_pkcs12_path):
|
|
|
|
|
subsystem_config.update(
|
|
|
|
|
# Security domain registration
|
|
|
|
|
pki_security_domain_hostname=security_domain_hostname,
|
|
|
|
|
pki_security_domain_https_port=443,
|
|
|
|
|
pki_security_domain_user=self.admin_user,
|
|
|
|
|
pki_security_domain_password=self.admin_password,
|
|
|
|
|
# Clone
|
|
|
|
|
pki_clone=True,
|
|
|
|
|
pki_clone_pkcs12_path=clone_pkcs12_path,
|
|
|
|
|
pki_clone_pkcs12_password=self.dm_password,
|
|
|
|
|
pki_clone_replication_security="TLS",
|
|
|
|
|
pki_clone_replication_master_port=self.master_replication_port,
|
|
|
|
|
pki_clone_replication_clone_port=389,
|
|
|
|
|
pki_clone_replicate_schema=False,
|
|
|
|
|
pki_clone_uri="https://%s" % ipautil.format_netloc(
|
|
|
|
|
self.master_host, 443),
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
def _create_spawn_config(self, subsystem_config):
|
2018-09-03 05:45:30 -05:00
|
|
|
loader = PKIIniLoader(
|
|
|
|
|
subsystem=self.subsystem,
|
|
|
|
|
fqdn=self.fqdn,
|
|
|
|
|
domain=api.env.domain,
|
|
|
|
|
subject_base=self.subject_base,
|
|
|
|
|
ca_subject=self.ca_subject,
|
|
|
|
|
admin_user=self.admin_user,
|
|
|
|
|
admin_password=self.admin_password,
|
|
|
|
|
dm_password=self.dm_password,
|
|
|
|
|
pki_config_override=self.pki_config_override
|
|
|
|
|
)
|
|
|
|
|
return loader.create_spawn_config(subsystem_config)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class PKIIniLoader:
|
2019-02-08 08:09:28 -06:00
|
|
|
# supported subsystems
|
|
|
|
|
subsystems = ('CA', 'KRA')
|
|
|
|
|
# default, hard-coded, and immutable settings
|
2018-09-03 05:45:30 -05:00
|
|
|
ipaca_default = os.path.join(
|
|
|
|
|
paths.USR_SHARE_IPA_DIR, 'ipaca_default.ini'
|
|
|
|
|
)
|
2019-02-08 08:09:28 -06:00
|
|
|
# customizable settings
|
2018-09-03 05:45:30 -05:00
|
|
|
ipaca_customize = os.path.join(
|
|
|
|
|
paths.USR_SHARE_IPA_DIR, 'ipaca_customize.ini'
|
|
|
|
|
)
|
2019-02-08 08:09:28 -06:00
|
|
|
# keys that may be stored in a HSM token
|
|
|
|
|
token_stanzas = (
|
2018-09-03 05:45:30 -05:00
|
|
|
'pki_audit_signing_token',
|
|
|
|
|
'pki_subsystem_token',
|
|
|
|
|
'pki_ca_signing_token',
|
|
|
|
|
'pki_ocsp_signing_token',
|
|
|
|
|
'pki_storage_token',
|
|
|
|
|
'pki_transport_token',
|
2019-02-08 08:09:28 -06:00
|
|
|
)
|
|
|
|
|
# Set of immutable keys, initialized on demand
|
|
|
|
|
_immutable_keys = None
|
|
|
|
|
# Set of immutable config keys that are defined in dynamic code instead
|
|
|
|
|
# of ipaca_default config file.
|
|
|
|
|
_immutable_code_keys = frozenset({
|
|
|
|
|
# dogtaginstance
|
|
|
|
|
'pki_admin_password',
|
|
|
|
|
'pki_ds_password',
|
|
|
|
|
'pki_dns_domainname',
|
|
|
|
|
'pki_hostname',
|
|
|
|
|
'pki_subsystem',
|
|
|
|
|
'pki_subsystem_type',
|
|
|
|
|
# clone settings
|
|
|
|
|
'pki_security_domain_hostname',
|
|
|
|
|
'pki_security_domain_https_port',
|
|
|
|
|
'pki_security_domain_user',
|
|
|
|
|
'pki_security_domain_password',
|
|
|
|
|
'pki_clone',
|
|
|
|
|
'pki_clone_pkcs12_path',
|
|
|
|
|
'pki_clone_pkcs12_password',
|
|
|
|
|
'pki_clone_replication_security',
|
|
|
|
|
'pki_clone_replication_master_port',
|
|
|
|
|
'pki_clone_replication_clone_port',
|
|
|
|
|
'pki_clone_replicate_schema',
|
|
|
|
|
'pki_clone_uri',
|
|
|
|
|
# cainstance
|
|
|
|
|
'pki_ds_secure_connection',
|
|
|
|
|
'pki_server_database_password',
|
|
|
|
|
'pki_ds_create_new_db',
|
|
|
|
|
'pki_clone_setup_replication',
|
|
|
|
|
'pki_clone_reindex_data',
|
|
|
|
|
'pki_external',
|
|
|
|
|
'pki_ca_signing_csr_path',
|
|
|
|
|
'pki_ca_signing_cert_path',
|
|
|
|
|
'pki_cert_chain_path',
|
|
|
|
|
'pki_external_step_two',
|
|
|
|
|
# krainstance
|
|
|
|
|
'pki_issuing_ca_uri',
|
|
|
|
|
'pki_client_database_dir',
|
|
|
|
|
'pki_client_database_password',
|
|
|
|
|
'pki_client_database_purge',
|
|
|
|
|
'pki_client_pkcs12_password',
|
|
|
|
|
'pki_import_admin_cert',
|
|
|
|
|
'pki_client_admin_cert_p12',
|
|
|
|
|
})
|
2018-09-03 05:45:30 -05:00
|
|
|
|
2018-09-26 02:59:12 -05:00
|
|
|
def __init__(self, subsystem, fqdn, domain,
|
2018-09-03 05:45:30 -05:00
|
|
|
subject_base, ca_subject, admin_user, admin_password,
|
|
|
|
|
dm_password, pki_config_override=None):
|
|
|
|
|
self.pki_config_override = pki_config_override
|
|
|
|
|
self.defaults = dict(
|
2018-08-30 09:42:40 -05:00
|
|
|
# pretty much static
|
|
|
|
|
ipa_ca_pem_file=paths.IPA_CA_CRT,
|
|
|
|
|
# variable
|
2018-09-03 05:45:30 -05:00
|
|
|
ipa_ca_subject=ca_subject,
|
|
|
|
|
ipa_subject_base=subject_base,
|
|
|
|
|
ipa_fqdn=fqdn,
|
2018-08-30 09:42:40 -05:00
|
|
|
ipa_ocsp_uri="http://{}.{}/ca/ocsp".format(
|
2018-09-03 05:45:30 -05:00
|
|
|
IPA_CA_RECORD, ipautil.format_netloc(domain)),
|
2018-08-30 09:42:40 -05:00
|
|
|
ipa_admin_cert_p12=paths.DOGTAG_ADMIN_P12,
|
2018-09-03 05:45:30 -05:00
|
|
|
ipa_admin_user=admin_user,
|
|
|
|
|
pki_admin_password=admin_password,
|
|
|
|
|
pki_ds_password=dm_password,
|
2018-08-30 09:42:40 -05:00
|
|
|
# Dogtag's pkiparser defines these config vars by default:
|
2018-09-03 05:45:30 -05:00
|
|
|
pki_dns_domainname=domain,
|
|
|
|
|
pki_hostname=fqdn,
|
|
|
|
|
pki_subsystem=subsystem.upper(),
|
|
|
|
|
pki_subsystem_type=subsystem.lower(),
|
2018-08-30 09:42:40 -05:00
|
|
|
home_dir=os.path.expanduser("~"),
|
2018-09-03 05:45:30 -05:00
|
|
|
# for softhsm2 testing
|
|
|
|
|
softhsm2_so=paths.LIBSOFTHSM2_SO
|
2018-08-30 09:42:40 -05:00
|
|
|
)
|
|
|
|
|
|
2019-02-08 08:09:28 -06:00
|
|
|
@classmethod
|
|
|
|
|
def get_immutable_keys(cls):
|
|
|
|
|
"""Get set of immutable keys
|
|
|
|
|
|
|
|
|
|
Immutable keys are calculated from 'ipaca_default' config file
|
|
|
|
|
and known keys that are defined in code.
|
|
|
|
|
"""
|
|
|
|
|
if cls._immutable_keys is None:
|
|
|
|
|
immutable = set()
|
|
|
|
|
immutable.update(cls._immutable_code_keys)
|
|
|
|
|
cfg = RawConfigParser()
|
|
|
|
|
with open(cls.ipaca_default) as f:
|
|
|
|
|
cfg.read_file(f)
|
|
|
|
|
for section in cls.subsystems:
|
|
|
|
|
for k, _v in cfg.items(section, raw=True):
|
|
|
|
|
if k.startswith('pki_'):
|
|
|
|
|
immutable.add(k)
|
|
|
|
|
cls._immutable_keys = frozenset(immutable)
|
|
|
|
|
return cls._immutable_keys
|
|
|
|
|
|
|
|
|
|
@classmethod
|
|
|
|
|
def verify_pki_config_override(cls, filename):
|
|
|
|
|
"""Verify pki config override file
|
|
|
|
|
|
|
|
|
|
* filename must be an absolute path to an existing file
|
|
|
|
|
* file must be a valid ini file
|
|
|
|
|
* ini file must not override immutable settings
|
|
|
|
|
|
|
|
|
|
TODO: The checker does not verify config interpolation values, yet.
|
|
|
|
|
The validator does not have access to all settings.
|
|
|
|
|
|
|
|
|
|
:param filename: path to pki.ini
|
|
|
|
|
"""
|
|
|
|
|
if not os.path.isfile(filename):
|
|
|
|
|
raise ValueError(
|
|
|
|
|
"Config file '{}' does not exist.".format(filename)
|
|
|
|
|
)
|
|
|
|
|
if not os.path.isabs(filename):
|
|
|
|
|
raise ValueError(
|
|
|
|
|
"Config file '{}' is not an absolute path.".format(filename)
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
try:
|
|
|
|
|
cfg = RawConfigParser()
|
|
|
|
|
with open(filename) as f:
|
|
|
|
|
cfg.read_file(f)
|
|
|
|
|
except Exception as e:
|
|
|
|
|
raise ValueError(
|
|
|
|
|
"Invalid config '{}': {}".format(filename, e)
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
immutable_keys = cls.get_immutable_keys()
|
|
|
|
|
invalid_keys = set()
|
|
|
|
|
sections = [cfg.default_section]
|
|
|
|
|
sections.extend(cls.subsystems)
|
|
|
|
|
for section in sections:
|
|
|
|
|
if not cfg.has_section(section):
|
|
|
|
|
continue
|
|
|
|
|
for k, _v in cfg.items(section, raw=True):
|
|
|
|
|
if k in immutable_keys:
|
|
|
|
|
invalid_keys.add(k)
|
|
|
|
|
|
|
|
|
|
if invalid_keys:
|
|
|
|
|
raise ValueError(
|
|
|
|
|
"'{}' overrides immutable options: {}".format(
|
|
|
|
|
filename, ', '.join(sorted(invalid_keys))
|
|
|
|
|
)
|
|
|
|
|
)
|
|
|
|
|
|
2018-09-03 05:45:30 -05:00
|
|
|
def _mangle_values(self, dct):
|
|
|
|
|
"""Stringify and quote % as %% to avoid interpolation errors
|
|
|
|
|
|
|
|
|
|
* booleans are converted to 'True', 'False'
|
|
|
|
|
* DN and numbers are converted to string
|
|
|
|
|
* None is turned into empty string ''
|
|
|
|
|
"""
|
|
|
|
|
result = {}
|
|
|
|
|
for k, v in dct.items():
|
|
|
|
|
if isinstance(v, (DN, bool, six.integer_types)):
|
|
|
|
|
v = six.text_type(v)
|
|
|
|
|
elif v is None:
|
|
|
|
|
v = ''
|
|
|
|
|
result[k] = v.replace('%', '%%')
|
|
|
|
|
return result
|
|
|
|
|
|
2019-02-08 08:09:28 -06:00
|
|
|
def _get_default_config(self):
|
|
|
|
|
"""Load default config
|
|
|
|
|
|
|
|
|
|
:return: config parser, immutable keys
|
|
|
|
|
"""
|
|
|
|
|
defaults = self._mangle_values(self.defaults)
|
|
|
|
|
# create a config template with interpolation support
|
|
|
|
|
# read base config
|
|
|
|
|
cfgtpl = ConfigParser(defaults=defaults)
|
|
|
|
|
cfgtpl.optionxform = str
|
|
|
|
|
with open(self.ipaca_default) as f:
|
|
|
|
|
cfgtpl.read_file(f)
|
|
|
|
|
|
|
|
|
|
# overwrite defaults with our defaults
|
|
|
|
|
for key, value in defaults.items():
|
|
|
|
|
cfgtpl.set(DEFAULTSECT, key, value)
|
|
|
|
|
|
|
|
|
|
# all keys in default conf + known keys defined in code are
|
|
|
|
|
# considered immutable.
|
|
|
|
|
immutable_keys = set()
|
|
|
|
|
immutable_keys.update(self._immutable_code_keys)
|
|
|
|
|
for section_name in self.subsystems:
|
|
|
|
|
for k, _v in cfgtpl.items(section_name, raw=True):
|
|
|
|
|
immutable_keys.add(k)
|
|
|
|
|
|
|
|
|
|
return cfgtpl, immutable_keys
|
|
|
|
|
|
2018-09-03 05:45:30 -05:00
|
|
|
def _verify_immutable(self, config, immutable_settings, filename):
|
|
|
|
|
section_name = self.defaults['pki_subsystem']
|
2019-02-08 08:09:28 -06:00
|
|
|
errs = []
|
|
|
|
|
for key, isvalue in immutable_settings.items():
|
2018-09-03 05:45:30 -05:00
|
|
|
cfgvalue = config.get(section_name, key)
|
|
|
|
|
if isvalue != cfgvalue:
|
2019-02-08 08:09:28 -06:00
|
|
|
errs.append(f"{key}: '{cfgvalue}' != '{isvalue}'")
|
|
|
|
|
if errs:
|
2018-09-03 05:45:30 -05:00
|
|
|
raise ValueError(
|
|
|
|
|
'{} overrides immutable options:\n{}'.format(
|
2019-07-11 22:24:51 -05:00
|
|
|
filename, '\n'.join(errs)
|
2018-09-03 05:45:30 -05:00
|
|
|
)
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
def create_spawn_config(self, subsystem_config):
|
|
|
|
|
"""Create config instance
|
|
|
|
|
"""
|
|
|
|
|
section_name = self.defaults['pki_subsystem']
|
2019-02-08 08:09:28 -06:00
|
|
|
cfgtpl, immutable_keys = self._get_default_config()
|
2018-09-03 05:45:30 -05:00
|
|
|
|
2018-08-30 09:42:40 -05:00
|
|
|
# overwrite CA/KRA config with subsystem settings
|
2018-09-03 05:45:30 -05:00
|
|
|
subsystem_config = self._mangle_values(subsystem_config)
|
2018-08-30 09:42:40 -05:00
|
|
|
for key, value in subsystem_config.items():
|
|
|
|
|
cfgtpl.set(section_name, key, value)
|
|
|
|
|
|
2019-02-08 08:09:28 -06:00
|
|
|
# get a mapping of settings that cannot be modified by users
|
2018-09-03 05:45:30 -05:00
|
|
|
immutable_settings = {
|
2019-02-08 08:09:28 -06:00
|
|
|
k: v for k, v in cfgtpl.items(section_name)
|
|
|
|
|
if k in immutable_keys
|
2018-09-03 05:45:30 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# add ipaca_customize overlay,
|
2018-09-26 02:59:12 -05:00
|
|
|
# These are settings that can be modified by a user, too. We use
|
2018-09-03 05:45:30 -05:00
|
|
|
# ipaca_customize.ini to set sensible defaults.
|
|
|
|
|
with open(self.ipaca_customize) as f:
|
|
|
|
|
cfgtpl.read_file(f)
|
|
|
|
|
|
|
|
|
|
# load external overlay from command line
|
|
|
|
|
if self.pki_config_override is not None:
|
|
|
|
|
with open(self.pki_config_override) as f:
|
|
|
|
|
cfgtpl.read_file(f)
|
2019-02-08 08:09:28 -06:00
|
|
|
|
|
|
|
|
# verify again
|
|
|
|
|
self._verify_immutable(
|
|
|
|
|
cfgtpl, immutable_settings, self.pki_config_override
|
|
|
|
|
)
|
2018-09-03 05:45:30 -05:00
|
|
|
|
|
|
|
|
# key backup is not compatible with HSM support
|
|
|
|
|
if (cfgtpl.has_option(section_name, 'pki_hsm_enable') and
|
|
|
|
|
cfgtpl.getboolean(section_name, 'pki_hsm_enable')):
|
|
|
|
|
cfgtpl.set(section_name, 'pki_backup_keys', 'False')
|
|
|
|
|
cfgtpl.set(section_name, 'pki_backup_password', '')
|
|
|
|
|
|
|
|
|
|
pki_token_name = cfgtpl.get(section_name, 'pki_token_name')
|
|
|
|
|
for stanza in self.token_stanzas:
|
|
|
|
|
if cfgtpl.has_option(section_name, stanza):
|
|
|
|
|
cfgtpl.set(section_name, stanza, pki_token_name)
|
|
|
|
|
|
2018-08-30 09:42:40 -05:00
|
|
|
# Next up, get rid of interpolation variables, DEFAULT,
|
|
|
|
|
# irrelevant sections and unused variables. Only the subsystem
|
|
|
|
|
# section is copied into a new raw config parser. A raw config
|
|
|
|
|
# parser is necessary, because ConfigParser.write() write passwords
|
|
|
|
|
# with '%' in a way, that is not accepted by Dogtag.
|
|
|
|
|
config = RawConfigParser()
|
|
|
|
|
config.optionxform = str
|
|
|
|
|
config.add_section(section_name)
|
|
|
|
|
for key, value in sorted(cfgtpl.items(section=section_name)):
|
|
|
|
|
if key.startswith('pki_'):
|
|
|
|
|
config.set(section_name, key, value)
|
|
|
|
|
|
|
|
|
|
return config
|
2018-09-03 05:45:30 -05:00
|
|
|
|
|
|
|
|
|
|
|
|
|
def test():
|
|
|
|
|
import sys
|
|
|
|
|
|
2018-09-26 02:59:12 -05:00
|
|
|
sharedir = os.path.abspath(os.path.join(
|
|
|
|
|
os.path.dirname(os.path.join(__file__)),
|
|
|
|
|
os.pardir,
|
|
|
|
|
os.pardir,
|
|
|
|
|
'install',
|
|
|
|
|
'share',
|
|
|
|
|
))
|
|
|
|
|
|
2019-02-08 08:09:28 -06:00
|
|
|
class TestPKIIniLoader(PKIIniLoader):
|
|
|
|
|
ipaca_default = os.path.join(sharedir, 'ipaca_default.ini')
|
|
|
|
|
ipaca_customize = os.path.join(sharedir, 'ipaca_customize.ini')
|
|
|
|
|
|
|
|
|
|
override = os.path.join(sharedir, 'ipaca_softhsm2.ini')
|
|
|
|
|
|
2018-09-26 02:59:12 -05:00
|
|
|
base_settings = dict(
|
2018-09-03 05:45:30 -05:00
|
|
|
fqdn='replica.ipa.example',
|
|
|
|
|
domain='ipa.example',
|
|
|
|
|
subject_base='o=IPA,o=EXAMPLE',
|
|
|
|
|
ca_subject='cn=CA,o=IPA,o=EXAMPLE',
|
|
|
|
|
admin_user='admin',
|
|
|
|
|
admin_password='Secret1',
|
|
|
|
|
dm_password='Secret2',
|
2019-02-08 08:09:28 -06:00
|
|
|
pki_config_override=override,
|
2018-09-03 05:45:30 -05:00
|
|
|
)
|
2018-09-26 02:59:12 -05:00
|
|
|
|
2019-02-08 08:09:28 -06:00
|
|
|
for subsystem in TestPKIIniLoader.subsystems:
|
2018-09-26 02:59:12 -05:00
|
|
|
print('-' * 78)
|
2019-02-08 08:09:28 -06:00
|
|
|
loader = TestPKIIniLoader(subsystem=subsystem, **base_settings)
|
|
|
|
|
loader.verify_pki_config_override(loader.ipaca_customize)
|
|
|
|
|
loader.verify_pki_config_override(override)
|
2018-09-26 02:59:12 -05:00
|
|
|
config = loader.create_spawn_config({})
|
|
|
|
|
config.write(sys.stdout, False)
|
2018-09-03 05:45:30 -05:00
|
|
|
|
|
|
|
|
|
|
|
|
|
if __name__ == '__main__':
|
|
|
|
|
test()
|
