2013-10-16 02:26:39 -05:00
|
|
|
#!/usr/bin/python2 -E
|
|
|
|
#
|
|
|
|
# Authors:
|
|
|
|
# Jan Cholasta <jcholast@redhat.com>
|
|
|
|
#
|
|
|
|
# Copyright (C) 2013 Red Hat
|
|
|
|
# see file 'COPYING' for use and warranty information
|
|
|
|
#
|
|
|
|
# This program is free software; you can redistribute it and/or modify
|
|
|
|
# it under the terms of the GNU General Public License as published by
|
|
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
|
|
# (at your option) any later version.
|
|
|
|
#
|
|
|
|
# This program is distributed in the hope that it will be useful,
|
|
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
# GNU General Public License for more details.
|
|
|
|
#
|
|
|
|
# You should have received a copy of the GNU General Public License
|
|
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
|
|
|
import os
|
|
|
|
# Prevent garbage from readline on standard output
|
|
|
|
# (see https://fedorahosted.org/freeipa/ticket/4064)
|
|
|
|
if not os.isatty(1):
|
|
|
|
os.environ['TERM'] = 'dumb'
|
|
|
|
import sys
|
|
|
|
import syslog
|
|
|
|
import traceback
|
2013-10-16 02:44:52 -05:00
|
|
|
import tempfile
|
|
|
|
import shutil
|
|
|
|
import base64
|
|
|
|
import contextlib
|
2014-10-14 03:30:07 -05:00
|
|
|
import json
|
2013-10-16 02:26:39 -05:00
|
|
|
|
|
|
|
from ipapython import ipautil
|
2013-10-16 02:44:52 -05:00
|
|
|
from ipapython.dn import DN
|
|
|
|
from ipalib import api, errors, pkcs10, x509
|
2014-06-17 04:45:43 -05:00
|
|
|
from ipaplatform.paths import paths
|
2013-10-16 02:44:52 -05:00
|
|
|
from ipaserver.plugins.ldap2 import ldap2
|
2015-01-08 03:06:46 -06:00
|
|
|
from ipaserver.install import cainstance, certs
|
2013-10-16 02:26:39 -05:00
|
|
|
|
|
|
|
# This is a certmonger CA helper script for IPA CA subsystem cert renewal. See
|
|
|
|
# https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/submit.txt for more
|
|
|
|
# info on certmonger CA helper scripts.
|
|
|
|
|
|
|
|
# Return codes. Names of the constants are taken from
|
|
|
|
# https://git.fedorahosted.org/cgit/certmonger.git/tree/src/submit-e.h
|
|
|
|
ISSUED = 0
|
|
|
|
WAIT = 1
|
|
|
|
REJECTED = 2
|
|
|
|
UNREACHABLE = 3
|
|
|
|
UNCONFIGURED = 4
|
|
|
|
WAIT_WITH_DELAY = 5
|
|
|
|
OPERATION_NOT_SUPPORTED_BY_HELPER = 6
|
|
|
|
|
2013-10-16 02:44:52 -05:00
|
|
|
@contextlib.contextmanager
|
|
|
|
def ldap_connect():
|
|
|
|
conn = None
|
|
|
|
try:
|
|
|
|
conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri)
|
2014-07-18 04:01:13 -05:00
|
|
|
conn.connect(ccache=os.environ['KRB5CCNAME'])
|
2013-10-16 02:44:52 -05:00
|
|
|
yield conn
|
|
|
|
finally:
|
|
|
|
if conn is not None and conn.isconnected():
|
|
|
|
conn.disconnect()
|
|
|
|
|
2014-10-14 03:30:07 -05:00
|
|
|
def call_handler(_handler, *args, **kwargs):
|
|
|
|
"""
|
|
|
|
Request handler call wrapper
|
|
|
|
|
|
|
|
Before calling the handler, get the original profile name and cookie from
|
|
|
|
the provided cookie, if there is one. If the profile name does not match
|
|
|
|
the requested profile name, drop the cookie and restart the request.
|
|
|
|
|
|
|
|
After calling the handler, put the requested profile name and cookie
|
|
|
|
returned by the handler in a new cookie and return it.
|
|
|
|
"""
|
|
|
|
operation = os.environ['CERTMONGER_OPERATION']
|
|
|
|
if operation == 'POLL':
|
|
|
|
cookie = os.environ.pop('CERTMONGER_CA_COOKIE', None)
|
|
|
|
if cookie is not None:
|
|
|
|
try:
|
|
|
|
context = json.loads(cookie)
|
|
|
|
if not isinstance(context, dict):
|
|
|
|
raise TypeError
|
|
|
|
except (TypeError, ValueError):
|
|
|
|
return (UNCONFIGURED, "Invalid cookie: %r" % cookie)
|
|
|
|
else:
|
|
|
|
return (UNCONFIGURED, "Cookie not provided")
|
|
|
|
|
|
|
|
if 'profile' in context:
|
|
|
|
profile = context.pop('profile')
|
|
|
|
try:
|
|
|
|
if profile is not None:
|
|
|
|
if not isinstance(profile, unicode):
|
|
|
|
raise TypeError
|
|
|
|
profile = profile.encode('raw_unicode_escape')
|
|
|
|
except (TypeError, UnicodeEncodeError):
|
|
|
|
return (UNCONFIGURED,
|
|
|
|
"Invalid 'profile' in cookie: %r" % profile)
|
|
|
|
else:
|
|
|
|
return (UNCONFIGURED, "No 'profile' in cookie")
|
|
|
|
|
|
|
|
# If profile has changed between SUBMIT and POLL, restart request
|
|
|
|
if os.environ.get('CERTMONGER_CA_PROFILE') != profile:
|
|
|
|
os.environ['CERTMONGER_OPERATION'] = 'SUBMIT'
|
|
|
|
context = {}
|
|
|
|
|
|
|
|
if 'cookie' in context:
|
|
|
|
cookie = context.pop('cookie')
|
|
|
|
try:
|
|
|
|
if not isinstance(cookie, unicode):
|
|
|
|
raise TypeError
|
|
|
|
cookie = cookie.encode('raw_unicode_escape')
|
|
|
|
except (TypeError, UnicodeEncodeError):
|
|
|
|
return (UNCONFIGURED,
|
|
|
|
"Invalid 'cookie' in cookie: %r" % cookie)
|
|
|
|
os.environ['CERTMONGER_CA_COOKIE'] = cookie
|
|
|
|
else:
|
|
|
|
context = {}
|
|
|
|
|
|
|
|
result = _handler(*args, **kwargs)
|
|
|
|
|
|
|
|
if result[0] in (WAIT, WAIT_WITH_DELAY):
|
|
|
|
context['cookie'] = result[-1].decode('raw_unicode_escape')
|
|
|
|
|
|
|
|
profile = os.environ.get('CERTMONGER_CA_PROFILE')
|
|
|
|
if profile is not None:
|
|
|
|
profile = profile.decode('raw_unicode_escape')
|
|
|
|
context['profile'] = profile
|
|
|
|
|
|
|
|
cookie = json.dumps(context)
|
|
|
|
os.environ['CERTMONGER_CA_COOKIE'] = cookie
|
|
|
|
if result[0] in (WAIT, WAIT_WITH_DELAY):
|
|
|
|
result = result[:-1] + (cookie,)
|
|
|
|
|
|
|
|
return result
|
|
|
|
|
2013-10-16 02:26:39 -05:00
|
|
|
def request_cert():
|
|
|
|
"""
|
|
|
|
Request certificate from IPA CA.
|
|
|
|
"""
|
|
|
|
syslog.syslog(syslog.LOG_NOTICE,
|
|
|
|
"Forwarding request to dogtag-ipa-renew-agent")
|
|
|
|
|
2014-06-17 04:45:43 -05:00
|
|
|
path = paths.DOGTAG_IPA_RENEW_AGENT_SUBMIT
|
2013-10-16 02:26:39 -05:00
|
|
|
args = [path] + sys.argv[1:]
|
2014-11-18 08:01:59 -06:00
|
|
|
if os.environ.get('CERTMONGER_CA_PROFILE') == 'caCACert':
|
2014-12-04 09:34:55 -06:00
|
|
|
args += ['-N', '-O', 'bypassCAnotafter=true']
|
2013-10-16 02:26:39 -05:00
|
|
|
stdout, stderr, rc = ipautil.run(args, raiseonerr=False, env=os.environ)
|
|
|
|
sys.stderr.write(stderr)
|
|
|
|
sys.stderr.flush()
|
|
|
|
|
|
|
|
syslog.syslog(syslog.LOG_NOTICE, "dogtag-ipa-renew-agent returned %d" % rc)
|
|
|
|
|
|
|
|
if stdout.endswith('\n'):
|
|
|
|
stdout = stdout[:-1]
|
|
|
|
|
2013-10-16 03:15:33 -05:00
|
|
|
if rc == WAIT_WITH_DELAY:
|
|
|
|
delay, sep, cookie = stdout.partition('\n')
|
|
|
|
return (rc, delay, cookie)
|
|
|
|
else:
|
|
|
|
return (rc, stdout)
|
|
|
|
|
|
|
|
def store_cert():
|
|
|
|
"""
|
|
|
|
Store certificate in LDAP.
|
|
|
|
"""
|
|
|
|
operation = os.environ.get('CERTMONGER_OPERATION')
|
|
|
|
if operation == 'SUBMIT':
|
|
|
|
attempts = 0
|
|
|
|
elif operation == 'POLL':
|
|
|
|
cookie = os.environ.get('CERTMONGER_CA_COOKIE')
|
|
|
|
if not cookie:
|
|
|
|
return (UNCONFIGURED, "Cookie not provided")
|
|
|
|
|
|
|
|
try:
|
|
|
|
attempts = int(cookie)
|
|
|
|
except ValueError:
|
2014-02-18 11:14:47 -06:00
|
|
|
return (UNCONFIGURED, "Invalid cookie: %r" % cookie)
|
2013-10-16 03:15:33 -05:00
|
|
|
else:
|
|
|
|
return (OPERATION_NOT_SUPPORTED_BY_HELPER,)
|
|
|
|
|
|
|
|
csr = os.environ.get('CERTMONGER_CSR')
|
|
|
|
if not csr:
|
|
|
|
return (UNCONFIGURED, "Certificate request not provided")
|
|
|
|
|
|
|
|
nickname = pkcs10.get_friendlyname(csr)
|
|
|
|
if not nickname:
|
|
|
|
return (REJECTED, "No friendly name in the certificate request")
|
|
|
|
|
|
|
|
cert = os.environ.get('CERTMONGER_CERTIFICATE')
|
|
|
|
if not cert:
|
|
|
|
return (REJECTED, "New certificate requests not supported")
|
|
|
|
|
|
|
|
dercert = x509.normalize_certificate(cert)
|
|
|
|
|
|
|
|
dn = DN(('cn', nickname), ('cn', 'ca_renewal'),
|
|
|
|
('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
|
|
|
|
try:
|
|
|
|
with ldap_connect() as conn:
|
|
|
|
try:
|
|
|
|
entry = conn.get_entry(dn, ['usercertificate'])
|
|
|
|
entry['usercertificate'] = [dercert]
|
|
|
|
conn.update_entry(entry)
|
|
|
|
except errors.NotFound:
|
|
|
|
entry = conn.make_entry(
|
|
|
|
dn,
|
|
|
|
objectclass=['top', 'pkiuser', 'nscontainer'],
|
|
|
|
cn=[nickname],
|
|
|
|
usercertificate=[dercert])
|
|
|
|
conn.add_entry(entry)
|
|
|
|
except errors.EmptyModlist:
|
|
|
|
pass
|
|
|
|
except Exception, e:
|
|
|
|
attempts += 1
|
|
|
|
if attempts < 10:
|
|
|
|
syslog.syslog(
|
|
|
|
syslog.LOG_ERR,
|
|
|
|
"Updating renewal certificate failed: %s. Sleeping 30s" % e)
|
2014-10-14 03:30:07 -05:00
|
|
|
return (WAIT_WITH_DELAY, 30, str(attempts))
|
2013-10-16 03:15:33 -05:00
|
|
|
else:
|
|
|
|
syslog.syslog(
|
|
|
|
syslog.LOG_ERR,
|
|
|
|
"Giving up. To retry storing the certificate, resubmit the "
|
|
|
|
"request with profile \"ipaStorage\"")
|
|
|
|
|
|
|
|
return (ISSUED, cert)
|
|
|
|
|
|
|
|
def request_and_store_cert():
|
|
|
|
"""
|
|
|
|
Request certificate from IPA CA and store it in LDAP.
|
|
|
|
"""
|
|
|
|
operation = os.environ.get('CERTMONGER_OPERATION')
|
|
|
|
if operation == 'SUBMIT':
|
|
|
|
state = 'request'
|
|
|
|
cookie = None
|
|
|
|
elif operation == 'POLL':
|
|
|
|
cookie = os.environ.get('CERTMONGER_CA_COOKIE')
|
|
|
|
if not cookie:
|
|
|
|
return (UNCONFIGURED, "Cookie not provided")
|
|
|
|
|
|
|
|
state, sep, cookie = cookie.partition(':')
|
|
|
|
if state not in ('request', 'store'):
|
2014-02-18 11:14:47 -06:00
|
|
|
return (UNCONFIGURED,
|
|
|
|
"Invalid cookie: %r" % os.environ['CERTMONGER_CA_COOKIE'])
|
2013-10-16 03:15:33 -05:00
|
|
|
else:
|
|
|
|
return (OPERATION_NOT_SUPPORTED_BY_HELPER,)
|
|
|
|
|
|
|
|
if state == 'request':
|
|
|
|
if cookie is None:
|
|
|
|
os.environ['CERTMONGER_OPERATION'] = 'SUBMIT'
|
|
|
|
else:
|
|
|
|
os.environ['CERTMONGER_CA_COOKIE'] = cookie
|
|
|
|
|
2014-10-14 03:30:07 -05:00
|
|
|
result = call_handler(request_cert)
|
2013-10-16 03:15:33 -05:00
|
|
|
if result[0] == WAIT:
|
|
|
|
return (result[0], 'request:%s' % result[1])
|
|
|
|
elif result[0] == WAIT_WITH_DELAY:
|
|
|
|
return (result[0], result[1], 'request:%s' % result[2])
|
|
|
|
elif result[0] != ISSUED:
|
|
|
|
return result
|
|
|
|
else:
|
|
|
|
cert = result[1]
|
|
|
|
cookie = None
|
|
|
|
else:
|
|
|
|
cert, sep, cookie = cookie.partition(':')
|
|
|
|
|
|
|
|
if cookie is None:
|
|
|
|
os.environ['CERTMONGER_OPERATION'] = 'SUBMIT'
|
|
|
|
else:
|
|
|
|
os.environ['CERTMONGER_CA_COOKIE'] = cookie
|
|
|
|
os.environ['CERTMONGER_CERTIFICATE'] = cert
|
|
|
|
|
2014-10-14 03:30:07 -05:00
|
|
|
result = call_handler(store_cert)
|
2013-10-16 03:15:33 -05:00
|
|
|
if result[0] == WAIT:
|
|
|
|
return (result[0], 'store:%s:%s' % (cert, result[1]))
|
|
|
|
elif result[0] == WAIT_WITH_DELAY:
|
|
|
|
return (result[0], result[1], 'store:%s:%s' % (cert, result[2]))
|
|
|
|
else:
|
|
|
|
return result
|
2013-10-16 02:26:39 -05:00
|
|
|
|
2014-10-14 04:12:55 -05:00
|
|
|
def retrieve_or_reuse_cert():
|
2013-10-16 02:44:52 -05:00
|
|
|
"""
|
2014-10-14 04:12:55 -05:00
|
|
|
Retrieve certificate from LDAP. If the certificate is not available, reuse
|
|
|
|
the old certificate.
|
2013-10-16 02:44:52 -05:00
|
|
|
"""
|
|
|
|
csr = os.environ.get('CERTMONGER_CSR')
|
|
|
|
if not csr:
|
|
|
|
return (UNCONFIGURED, "Certificate request not provided")
|
|
|
|
|
|
|
|
nickname = pkcs10.get_friendlyname(csr)
|
|
|
|
if not nickname:
|
|
|
|
return (REJECTED, "No friendly name in the certificate request")
|
|
|
|
|
2014-10-14 04:12:55 -05:00
|
|
|
cert = os.environ.get('CERTMONGER_CERTIFICATE')
|
|
|
|
if not cert:
|
2014-04-14 05:13:12 -05:00
|
|
|
return (REJECTED, "New certificate requests not supported")
|
2013-10-16 02:44:52 -05:00
|
|
|
|
|
|
|
with ldap_connect() as conn:
|
|
|
|
try:
|
|
|
|
entry = conn.get_entry(
|
|
|
|
DN(('cn', nickname), ('cn', 'ca_renewal'),
|
|
|
|
('cn', 'ipa'), ('cn', 'etc'), api.env.basedn),
|
|
|
|
['usercertificate'])
|
|
|
|
except errors.NotFound:
|
2014-10-14 04:12:55 -05:00
|
|
|
pass
|
2014-04-14 05:13:12 -05:00
|
|
|
else:
|
|
|
|
cert = entry.single_value['usercertificate']
|
2014-10-14 04:12:55 -05:00
|
|
|
cert = base64.b64encode(cert)
|
|
|
|
cert = x509.make_pem(cert)
|
|
|
|
|
|
|
|
return (ISSUED, cert)
|
|
|
|
|
2014-10-14 04:26:15 -05:00
|
|
|
def retrieve_cert_continuous():
|
2014-10-14 04:12:55 -05:00
|
|
|
"""
|
2014-10-14 04:26:15 -05:00
|
|
|
Retrieve new certificate from LDAP. Repeat every eight hours until the
|
|
|
|
certificate is available.
|
2014-10-14 04:12:55 -05:00
|
|
|
"""
|
|
|
|
old_cert = os.environ.get('CERTMONGER_CERTIFICATE')
|
|
|
|
if old_cert:
|
|
|
|
old_cert = x509.normalize_certificate(old_cert)
|
2013-10-16 02:44:52 -05:00
|
|
|
|
2014-10-14 04:12:55 -05:00
|
|
|
result = call_handler(retrieve_or_reuse_cert)
|
|
|
|
if result[0] != ISSUED:
|
|
|
|
return result
|
2013-10-16 02:44:52 -05:00
|
|
|
|
2014-10-14 04:12:55 -05:00
|
|
|
new_cert = x509.normalize_certificate(result[1])
|
|
|
|
if new_cert == old_cert:
|
2014-10-14 04:26:15 -05:00
|
|
|
syslog.syslog(syslog.LOG_INFO, "Updated certificate not available")
|
|
|
|
# No cert available yet, tell certmonger to wait another 8 hours
|
|
|
|
return (WAIT_WITH_DELAY, 8 * 60 * 60, '')
|
|
|
|
|
|
|
|
return result
|
|
|
|
|
|
|
|
def retrieve_cert():
|
|
|
|
"""
|
|
|
|
Retrieve new certificate from LDAP.
|
|
|
|
"""
|
|
|
|
result = call_handler(retrieve_cert_continuous)
|
|
|
|
if result[0] == WAIT_WITH_DELAY:
|
|
|
|
return (REJECTED, "Updated certificate not available")
|
2014-10-14 04:12:55 -05:00
|
|
|
|
|
|
|
return result
|
2013-10-16 02:44:52 -05:00
|
|
|
|
2013-10-16 10:37:10 -05:00
|
|
|
def export_csr():
|
|
|
|
"""
|
|
|
|
This does not actually renew the cert, it just writes the CSR provided
|
|
|
|
by certmonger to /var/lib/ipa/ca.csr and returns the existing cert.
|
|
|
|
"""
|
|
|
|
operation = os.environ.get('CERTMONGER_OPERATION')
|
|
|
|
if operation != 'SUBMIT':
|
|
|
|
return (OPERATION_NOT_SUPPORTED_BY_HELPER,)
|
|
|
|
|
|
|
|
csr = os.environ.get('CERTMONGER_CSR')
|
|
|
|
if not csr:
|
|
|
|
return (UNCONFIGURED, "Certificate request not provided")
|
|
|
|
|
|
|
|
cert = os.environ.get('CERTMONGER_CERTIFICATE')
|
|
|
|
if not cert:
|
|
|
|
return (REJECTED, "New certificate requests not supported")
|
|
|
|
|
2014-06-17 04:45:43 -05:00
|
|
|
csr_file = paths.IPA_CA_CSR
|
2013-10-16 10:37:10 -05:00
|
|
|
try:
|
|
|
|
with open(csr_file, 'wb') as f:
|
|
|
|
f.write(csr)
|
|
|
|
except Exception, e:
|
|
|
|
return (UNREACHABLE, "Failed to write %s: %s" % (csr_file, e))
|
|
|
|
|
|
|
|
return (ISSUED, cert)
|
|
|
|
|
2014-02-18 11:14:47 -06:00
|
|
|
def renew_ca_cert():
|
|
|
|
"""
|
|
|
|
This is used for automatic CA certificate renewal.
|
|
|
|
"""
|
|
|
|
cert = os.environ.get('CERTMONGER_CERTIFICATE')
|
|
|
|
if not cert:
|
|
|
|
return (REJECTED, "New certificate requests not supported")
|
2014-03-12 05:36:30 -05:00
|
|
|
is_self_signed = x509.is_self_signed(cert)
|
2014-02-18 11:14:47 -06:00
|
|
|
|
|
|
|
operation = os.environ.get('CERTMONGER_OPERATION')
|
|
|
|
if operation == 'SUBMIT':
|
|
|
|
state = 'retrieve'
|
|
|
|
|
2014-03-12 05:36:30 -05:00
|
|
|
if is_self_signed:
|
2014-07-18 04:01:13 -05:00
|
|
|
ca = cainstance.CAInstance(host_name=api.env.host, ldapi=False)
|
2014-02-18 11:14:47 -06:00
|
|
|
if ca.is_renewal_master():
|
|
|
|
state = 'request'
|
|
|
|
elif operation == 'POLL':
|
|
|
|
cookie = os.environ.get('CERTMONGER_CA_COOKIE')
|
|
|
|
if not cookie:
|
|
|
|
return (UNCONFIGURED, "Cookie not provided")
|
|
|
|
|
|
|
|
state, sep, cookie = cookie.partition(':')
|
|
|
|
if state not in ('retrieve', 'request'):
|
|
|
|
return (UNCONFIGURED,
|
|
|
|
"Invalid cookie: %r" % os.environ['CERTMONGER_CA_COOKIE'])
|
|
|
|
|
|
|
|
os.environ['CERTMONGER_CA_COOKIE'] = cookie
|
|
|
|
else:
|
|
|
|
return (OPERATION_NOT_SUPPORTED_BY_HELPER,)
|
|
|
|
|
|
|
|
if state == 'retrieve':
|
2014-10-14 03:30:07 -05:00
|
|
|
result = call_handler(retrieve_cert)
|
2015-01-08 10:01:42 -06:00
|
|
|
if result[0] == REJECTED and not is_self_signed:
|
2014-03-12 05:36:30 -05:00
|
|
|
syslog.syslog(syslog.LOG_ALERT,
|
|
|
|
"IPA CA certificate is about to expire, "
|
|
|
|
"use ipa-cacert-manage to renew it")
|
2014-02-18 11:14:47 -06:00
|
|
|
elif state == 'request':
|
2014-12-03 01:43:15 -06:00
|
|
|
profile = os.environ['CERTMONGER_CA_PROFILE']
|
2014-02-18 11:14:47 -06:00
|
|
|
os.environ['CERTMONGER_CA_PROFILE'] = 'caCACert'
|
2014-10-14 03:30:07 -05:00
|
|
|
result = call_handler(request_and_store_cert)
|
2014-12-03 01:43:15 -06:00
|
|
|
os.environ['CERTMONGER_CA_PROFILE'] = profile
|
2014-02-18 11:14:47 -06:00
|
|
|
|
|
|
|
if result[0] == WAIT:
|
|
|
|
return (result[0], '%s:%s' % (state, result[1]))
|
|
|
|
elif result[0] == WAIT_WITH_DELAY:
|
|
|
|
return (result[0], result[1], '%s:%s' % (state, result[2]))
|
|
|
|
else:
|
|
|
|
return result
|
|
|
|
|
2013-10-16 02:26:39 -05:00
|
|
|
def main():
|
2013-10-16 02:44:52 -05:00
|
|
|
handlers = {
|
2014-10-14 04:12:55 -05:00
|
|
|
'ipaStorage': store_cert,
|
|
|
|
'ipaRetrievalOrReuse': retrieve_or_reuse_cert,
|
|
|
|
'ipaRetrieval': retrieve_cert,
|
|
|
|
'ipaCSRExport': export_csr,
|
|
|
|
'ipaCACertRenewal': renew_ca_cert,
|
2013-10-16 02:44:52 -05:00
|
|
|
}
|
|
|
|
|
2013-10-16 02:26:39 -05:00
|
|
|
api.bootstrap(context='renew')
|
|
|
|
api.finalize()
|
|
|
|
|
2014-07-18 04:01:13 -05:00
|
|
|
operation = os.environ.get('CERTMONGER_OPERATION')
|
|
|
|
if operation not in ('SUBMIT', 'POLL'):
|
|
|
|
return OPERATION_NOT_SUPPORTED_BY_HELPER
|
2013-10-16 02:44:52 -05:00
|
|
|
|
2014-07-18 04:01:13 -05:00
|
|
|
tmpdir = tempfile.mkdtemp(prefix="tmp-")
|
2015-01-08 03:06:46 -06:00
|
|
|
certs.renewal_lock.acquire()
|
2014-07-18 04:01:13 -05:00
|
|
|
try:
|
|
|
|
principal = str('host/%s@%s' % (api.env.host, api.env.realm))
|
2015-03-16 10:43:10 -05:00
|
|
|
ccache_filename = os.path.join(tmpdir, 'ccache')
|
|
|
|
os.environ['KRB5CCNAME'] = ccache_filename
|
|
|
|
ipautil.kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
|
2014-07-18 04:01:13 -05:00
|
|
|
|
|
|
|
profile = os.environ.get('CERTMONGER_CA_PROFILE')
|
|
|
|
if profile:
|
|
|
|
handler = handlers.get(profile, request_and_store_cert)
|
|
|
|
else:
|
|
|
|
ca = cainstance.CAInstance(host_name=api.env.host, ldapi=False)
|
|
|
|
if ca.is_renewal_master():
|
|
|
|
handler = request_and_store_cert
|
|
|
|
else:
|
2014-10-14 04:26:15 -05:00
|
|
|
handler = retrieve_cert_continuous
|
2014-07-18 04:01:13 -05:00
|
|
|
|
2014-10-14 03:30:07 -05:00
|
|
|
res = call_handler(handler)
|
2014-07-18 04:01:13 -05:00
|
|
|
for item in res[1:]:
|
|
|
|
print item
|
|
|
|
return res[0]
|
|
|
|
finally:
|
2015-01-08 03:06:46 -06:00
|
|
|
certs.renewal_lock.release()
|
2014-07-18 04:01:13 -05:00
|
|
|
shutil.rmtree(tmpdir)
|
2013-10-16 02:26:39 -05:00
|
|
|
|
|
|
|
try:
|
|
|
|
sys.exit(main())
|
|
|
|
except Exception, e:
|
|
|
|
syslog.syslog(syslog.LOG_ERR, traceback.format_exc())
|
|
|
|
print "Internal error"
|
|
|
|
sys.exit(UNREACHABLE)
|