IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2024-12-26 17:01:14 -06:00
Code Issues Packages Projects Releases Wiki Activity
566a3cb972
freeipa/ipalib/plugins/cert.py

284 lines
9.0 KiB
Python
Raw Normal View History

Merged in Andrew's RA plugin
2008-12-21 15:15:53 -06:00
# Authors:
# Andrew Wnuk <awnuk@redhat.com>
# Jason Gerard DeRose <jderose@redhat.com>
#
# Copyright (C) 2009 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2 only
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
"""
Some cleanup in cert plugins module, changed to shorter command names all starting with cert_*
2009-02-05 16:30:58 -06:00
Command plugins for IPA-RA certificate operations.
Merged in Andrew's RA plugin
2008-12-21 15:15:53 -06:00
"""
Implemented more elegant way for entire plugin module to be conditionally skipped; updated cert.py and ra.py modules to use this
2009-02-12 03:10:12 -06:00
from ipalib import api, SkipPluginModule
if api.env.enable_ra is not True:
Removed 'Assert False' that was mistakingly left in cert.py; small cleanup in cert.py and ra.py imports
2009-02-12 18:18:54 -06:00
# In this case, abort loading this plugin module...
raise SkipPluginModule(reason='env.enable_ra is not True')
Store the new certificate in a service record. Clean up some argument names to match the current standard.
2009-05-05 14:18:33 -05:00
from ipalib import Command, Str, Int, Bytes, Flag
from ipalib import errors
Implement support for non-LDAP-based actions that use the LDAP ACI subsystem. There are some operations, like those for the certificate system, that don't need to write to the directory server. So instead we have an entry that we test against to determine whether the operation is allowed or not. This is done by attempting a write on the entry. If it would succeed then permission is granted. If not then denied. The write we attempt is actually invalid so the write itself will fail but the attempt will fail first if access is not permitted, so we can distinguish between the two without polluting the entry.
2009-07-10 15:40:39 -05:00
from ipalib.plugins.virtual import *
First pass at enforcing certificates be requested from same host We want to only allow a machine to request a certificate for itself, not for other machines. I've added a new taksgroup which will allow this. The requesting IP is resolved and compared to the subject of the CSR to determine if they are the same host. The same is done with the service principal. Subject alt names are not queried yet. This does not yet grant machines actual permission to request certificates yet, that is still limited to the taskgroup request_certs.
2009-10-20 10:59:07 -05:00
from ipalib.plugins.service import split_principal
Store the new certificate in a service record. Clean up some argument names to match the current standard.
2009-05-05 14:18:33 -05:00
import base64
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
from OpenSSL import crypto
First pass at enforcing certificates be requested from same host We want to only allow a machine to request a certificate for itself, not for other machines. I've added a new taksgroup which will allow this. The requesting IP is resolved and compared to the subject of the CSR to determine if they are the same host. The same is done with the service principal. Subject alt names are not queried yet. This does not yet grant machines actual permission to request certificates yet, that is still limited to the taskgroup request_certs.
2009-10-20 10:59:07 -05:00
from ipalib.request import context
from ipapython import dnsclient
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
def get_serial(certificate):
"""
Given a certificate, return the serial number in that cert
In theory there should be only one cert per object so even if we get
passed in a list/tuple only return the first one.
"""
if type(certificate) in (list, tuple):
certificate = certificate[0]
try:
x509 = crypto.load_certificate(crypto.FILETYPE_ASN1, certificate)
serial = str(x509.get_serial_number())
except crypto.Error:
raise errors.GenericError(format='Unable to decode certificate in entry')
return serial
Store the new certificate in a service record. Clean up some argument names to match the current standard.
2009-05-05 14:18:33 -05:00
First pass at enforcing certificates be requested from same host We want to only allow a machine to request a certificate for itself, not for other machines. I've added a new taksgroup which will allow this. The requesting IP is resolved and compared to the subject of the CSR to determine if they are the same host. The same is done with the service principal. Subject alt names are not queried yet. This does not yet grant machines actual permission to request certificates yet, that is still limited to the taskgroup request_certs.
2009-10-20 10:59:07 -05:00
def get_csr_hostname(csr):
"""
Return the value of CN in the subject of the request
"""
try:
der = base64.b64decode(csr)
request = crypto.load_certificate_request(crypto.FILETYPE_ASN1, der)
sub = request.get_subject().get_components()
for s in sub:
if s[0].lower() == "cn":
return s[1]
except crypto.Error, e:
raise errors.GenericError(format='Unable to decode CSR: %s' % str(e))
return None
Store the new certificate in a service record. Clean up some argument names to match the current standard.
2009-05-05 14:18:33 -05:00
def validate_csr(ugettext, csr):
"""
For now just verify that it is properly base64-encoded.
"""
try:
base64.b64decode(csr)
except Exception, e:
raise errors.Base64DecodeError(reason=str(e))
Merged in Andrew's RA plugin
2008-12-21 15:15:53 -06:00
Implement support for non-LDAP-based actions that use the LDAP ACI subsystem. There are some operations, like those for the certificate system, that don't need to write to the directory server. So instead we have an entry that we test against to determine whether the operation is allowed or not. This is done by attempting a write on the entry. If it would succeed then permission is granted. If not then denied. The write we attempt is actually invalid so the write itself will fail but the attempt will fail first if access is not permitted, so we can distinguish between the two without polluting the entry.
2009-07-10 15:40:39 -05:00
class cert_request(VirtualCommand):
Implemented more elegant way for entire plugin module to be conditionally skipped; updated cert.py and ra.py modules to use this
2009-02-12 03:10:12 -06:00
"""
First pass at enforcing certificates be requested from same host We want to only allow a machine to request a certificate for itself, not for other machines. I've added a new taksgroup which will allow this. The requesting IP is resolved and compared to the subject of the CSR to determine if they are the same host. The same is done with the service principal. Subject alt names are not queried yet. This does not yet grant machines actual permission to request certificates yet, that is still limited to the taskgroup request_certs.
2009-10-20 10:59:07 -05:00
Submit a certificate signing request.
Implemented more elegant way for entire plugin module to be conditionally skipped; updated cert.py and ra.py modules to use this
2009-02-12 03:10:12 -06:00
"""
Merged in Andrew's RA plugin
2008-12-21 15:15:53 -06:00
Store the new certificate in a service record. Clean up some argument names to match the current standard.
2009-05-05 14:18:33 -05:00
takes_args = (Str('csr', validate_csr),)
Implement support for non-LDAP-based actions that use the LDAP ACI subsystem. There are some operations, like those for the certificate system, that don't need to write to the directory server. So instead we have an entry that we test against to determine whether the operation is allowed or not. This is done by attempting a write on the entry. If it would succeed then permission is granted. If not then denied. The write we attempt is actually invalid so the write itself will fail but the attempt will fail first if access is not permitted, so we can distinguish between the two without polluting the entry.
2009-07-10 15:40:39 -05:00
operation="request certificate"
Merged in Andrew's RA plugin
2008-12-21 15:15:53 -06:00
Implemented more elegant way for entire plugin module to be conditionally skipped; updated cert.py and ra.py modules to use this
2009-02-12 03:10:12 -06:00
takes_options = (
Store the new certificate in a service record. Clean up some argument names to match the current standard.
2009-05-05 14:18:33 -05:00
Str('principal',
doc="service principal for this certificate (e.g. HTTP/test.example.com)",
),
Str('request_type',
default=u'pkcs10',
autofill=True,
),
Flag('add',
doc="automatically add the principal if it doesn't exist",
default=False,
autofill=True
),
Implemented more elegant way for entire plugin module to be conditionally skipped; updated cert.py and ra.py modules to use this
2009-02-12 03:10:12 -06:00
)
Merged in Andrew's RA plugin
2008-12-21 15:15:53 -06:00
Store the new certificate in a service record. Clean up some argument names to match the current standard.
2009-05-05 14:18:33 -05:00
def execute(self, csr, **kw):
Use a new mechanism for delegating certificate issuance. Using the client IP address was a rather poor mechanism for controlling who could request certificates for whom. Instead the client machine will bind using the host service principal and request the certificate. In order to do this: * the service will need to exist * the machine needs to be in the certadmin rolegroup * the host needs to be in the managedBy attribute of the service It might look something like: admin ipa host-add client.example.com --password=secret123 ipa service-add HTTP/client.example.com ipa service-add-host --hosts=client.example.com HTTP/client.example.com ipa rolegroup-add-member --hosts=client.example.com certadmin client ipa-client-install ipa-join -w secret123 kinit -kt /etc/krb5.keytab host/client.example.com ipa -d cert-request file://web.csr --principal=HTTP/client.example.com
2009-11-03 08:35:19 -06:00
ldap = self.api.Backend.ldap2
Store the new certificate in a service record. Clean up some argument names to match the current standard.
2009-05-05 14:18:33 -05:00
skw = {"all": True}
principal = kw.get('principal')
add = kw.get('add')
del kw['principal']
del kw['add']
service = None
First pass at enforcing certificates be requested from same host We want to only allow a machine to request a certificate for itself, not for other machines. I've added a new taksgroup which will allow this. The requesting IP is resolved and compared to the subject of the CSR to determine if they are the same host. The same is done with the service principal. Subject alt names are not queried yet. This does not yet grant machines actual permission to request certificates yet, that is still limited to the taskgroup request_certs.
2009-10-20 10:59:07 -05:00
# Can this user request certs?
self.check_access()
# FIXME: add support for subject alt name
# Is this cert for this principal?
subject_host = get_csr_hostname(csr)
# Ensure that the hostname in the CSR matches the principal
(servicename, hostname, realm) = split_principal(principal)
if subject_host.lower() != hostname.lower():
raise errors.ACIError(info="hostname in subject of request '%s' does not match principal hostname '%s'" % (subject_host, hostname))
Store the new certificate in a service record. Clean up some argument names to match the current standard.
2009-05-05 14:18:33 -05:00
# See if the service exists and punt if it doesn't and we aren't
# going to add it
try:
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
(dn, service) = api.Command['service_show'](principal, **skw)
if 'usercertificate' in service:
Store the new certificate in a service record. Clean up some argument names to match the current standard.
2009-05-05 14:18:33 -05:00
# FIXME, what to do here? Do we revoke the old cert?
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
raise errors.GenericError(format='entry already has a certificate, serial number %s' % get_serial(service['usercertificate']))
Store the new certificate in a service record. Clean up some argument names to match the current standard.
2009-05-05 14:18:33 -05:00
except errors.NotFound, e:
if not add:
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
raise errors.NotFound(reason="The service principal for this request doesn't exist.")
Use a new mechanism for delegating certificate issuance. Using the client IP address was a rather poor mechanism for controlling who could request certificates for whom. Instead the client machine will bind using the host service principal and request the certificate. In order to do this: * the service will need to exist * the machine needs to be in the certadmin rolegroup * the host needs to be in the managedBy attribute of the service It might look something like: admin ipa host-add client.example.com --password=secret123 ipa service-add HTTP/client.example.com ipa service-add-host --hosts=client.example.com HTTP/client.example.com ipa rolegroup-add-member --hosts=client.example.com certadmin client ipa-client-install ipa-join -w secret123 kinit -kt /etc/krb5.keytab host/client.example.com ipa -d cert-request file://web.csr --principal=HTTP/client.example.com
2009-11-03 08:35:19 -06:00
try:
(dn, service) = api.Command['service_add'](principal, **{})
except errors.ACIError:
raise errors.ACIError(info='You need to be a member of the serviceadmin role to add services')
# We got this far so the service entry exists, can we write it?
if not ldap.can_write(dn, "usercertificate"):
raise errors.ACIError(info="Insufficient 'write' privilege to the 'userCertificate' attribute of entry '%s'." % dn)
Store the new certificate in a service record. Clean up some argument names to match the current standard.
2009-05-05 14:18:33 -05:00
# Request the certificate
result = self.Backend.ra.request_certificate(csr, **kw)
Use a new mechanism for delegating certificate issuance. Using the client IP address was a rather poor mechanism for controlling who could request certificates for whom. Instead the client machine will bind using the host service principal and request the certificate. In order to do this: * the service will need to exist * the machine needs to be in the certadmin rolegroup * the host needs to be in the managedBy attribute of the service It might look something like: admin ipa host-add client.example.com --password=secret123 ipa service-add HTTP/client.example.com ipa service-add-host --hosts=client.example.com HTTP/client.example.com ipa rolegroup-add-member --hosts=client.example.com certadmin client ipa-client-install ipa-join -w secret123 kinit -kt /etc/krb5.keytab host/client.example.com ipa -d cert-request file://web.csr --principal=HTTP/client.example.com
2009-11-03 08:35:19 -06:00
# Success? Then add it to the service entry.
if result.get('status') == 0:
Store the new certificate in a service record. Clean up some argument names to match the current standard.
2009-05-05 14:18:33 -05:00
skw = {"usercertificate": str(result.get('certificate'))}
api.Command['service_mod'](principal, **skw)
return result
def output_for_cli(self, textui, result, *args, **kw):
Implemented more elegant way for entire plugin module to be conditionally skipped; updated cert.py and ra.py modules to use this
2009-02-12 03:10:12 -06:00
if isinstance(result, dict) and len(result) > 0:
textui.print_entry(result, 0)
else:
textui.print_plain('Failed to submit a certificate request.')
Merged in Andrew's RA plugin
2008-12-21 15:15:53 -06:00
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
def run(self, *args, **options):
"""
Dispatch to forward() and execute() to do work locally and on the
server.
"""
if self.env.in_server:
return self.execute(*args, **options)
# Client-side code
csr = args[0]
if csr[:7] == "file://":
file = csr[7:]
try:
f = open(file, "r")
csr = f.readlines()
f.close()
except IOError, err:
raise errors.ValidationError(name='csr', error=err[1])
csr = "".join(csr)
# We just want the CSR bits, make sure there is nothing else
s = csr.find("-----BEGIN NEW CERTIFICATE REQUEST-----")
e = csr.find("-----END NEW CERTIFICATE REQUEST-----")
if s >= 0:
csr = csr[s+40:e]
csr = csr.decode('UTF-8')
return self.forward(csr, **options)
Implemented more elegant way for entire plugin module to be conditionally skipped; updated cert.py and ra.py modules to use this
2009-02-12 03:10:12 -06:00
api.register(cert_request)
Merged in Andrew's RA plugin
2008-12-21 15:15:53 -06:00
Implement support for non-LDAP-based actions that use the LDAP ACI subsystem. There are some operations, like those for the certificate system, that don't need to write to the directory server. So instead we have an entry that we test against to determine whether the operation is allowed or not. This is done by attempting a write on the entry. If it would succeed then permission is granted. If not then denied. The write we attempt is actually invalid so the write itself will fail but the attempt will fail first if access is not permitted, so we can distinguish between the two without polluting the entry.
2009-07-10 15:40:39 -05:00
class cert_status(VirtualCommand):
Implemented more elegant way for entire plugin module to be conditionally skipped; updated cert.py and ra.py modules to use this
2009-02-12 03:10:12 -06:00
"""
Check status of a certificate signing request.
"""
Some cleanup in cert plugins module, changed to shorter command names all starting with cert_*
2009-02-05 16:30:58 -06:00
Fix a few issues introduced by the new Param.use_in_context() patch
2009-05-21 13:31:54 -05:00
takes_args = ('request_id')
Implement support for non-LDAP-based actions that use the LDAP ACI subsystem. There are some operations, like those for the certificate system, that don't need to write to the directory server. So instead we have an entry that we test against to determine whether the operation is allowed or not. This is done by attempting a write on the entry. If it would succeed then permission is granted. If not then denied. The write we attempt is actually invalid so the write itself will fail but the attempt will fail first if access is not permitted, so we can distinguish between the two without polluting the entry.
2009-07-10 15:40:39 -05:00
operation = "certificate status"
Merged in Andrew's RA plugin
2008-12-21 15:15:53 -06:00
Store the new certificate in a service record. Clean up some argument names to match the current standard.
2009-05-05 14:18:33 -05:00
def execute(self, request_id, **kw):
First pass at enforcing certificates be requested from same host We want to only allow a machine to request a certificate for itself, not for other machines. I've added a new taksgroup which will allow this. The requesting IP is resolved and compared to the subject of the CSR to determine if they are the same host. The same is done with the service principal. Subject alt names are not queried yet. This does not yet grant machines actual permission to request certificates yet, that is still limited to the taskgroup request_certs.
2009-10-20 10:59:07 -05:00
self.check_access()
Implemented more elegant way for entire plugin module to be conditionally skipped; updated cert.py and ra.py modules to use this
2009-02-12 03:10:12 -06:00
return self.Backend.ra.check_request_status(request_id)
Merged in Andrew's RA plugin
2008-12-21 15:15:53 -06:00
Store the new certificate in a service record. Clean up some argument names to match the current standard.
2009-05-05 14:18:33 -05:00
def output_for_cli(self, textui, result, *args, **kw):
Implemented more elegant way for entire plugin module to be conditionally skipped; updated cert.py and ra.py modules to use this
2009-02-12 03:10:12 -06:00
if isinstance(result, dict) and len(result) > 0:
textui.print_entry(result, 0)
else:
textui.print_plain('Failed to retrieve a request status.')
Merged in Andrew's RA plugin
2008-12-21 15:15:53 -06:00
Implemented more elegant way for entire plugin module to be conditionally skipped; updated cert.py and ra.py modules to use this
2009-02-12 03:10:12 -06:00
api.register(cert_status)
Merged in Andrew's RA plugin
2008-12-21 15:15:53 -06:00
Implement support for non-LDAP-based actions that use the LDAP ACI subsystem. There are some operations, like those for the certificate system, that don't need to write to the directory server. So instead we have an entry that we test against to determine whether the operation is allowed or not. This is done by attempting a write on the entry. If it would succeed then permission is granted. If not then denied. The write we attempt is actually invalid so the write itself will fail but the attempt will fail first if access is not permitted, so we can distinguish between the two without polluting the entry.
2009-07-10 15:40:39 -05:00
class cert_get(VirtualCommand):
Implemented more elegant way for entire plugin module to be conditionally skipped; updated cert.py and ra.py modules to use this
2009-02-12 03:10:12 -06:00
"""
Retrieve an existing certificate.
"""
Merged in Andrew's RA plugin
2008-12-21 15:15:53 -06:00
Fix a few issues introduced by the new Param.use_in_context() patch
2009-05-21 13:31:54 -05:00
takes_args = ('serial_number')
Implement support for non-LDAP-based actions that use the LDAP ACI subsystem. There are some operations, like those for the certificate system, that don't need to write to the directory server. So instead we have an entry that we test against to determine whether the operation is allowed or not. This is done by attempting a write on the entry. If it would succeed then permission is granted. If not then denied. The write we attempt is actually invalid so the write itself will fail but the attempt will fail first if access is not permitted, so we can distinguish between the two without polluting the entry.
2009-07-10 15:40:39 -05:00
operation="retrieve certificate"
Merged in Andrew's RA plugin
2008-12-21 15:15:53 -06:00
Implemented more elegant way for entire plugin module to be conditionally skipped; updated cert.py and ra.py modules to use this
2009-02-12 03:10:12 -06:00
def execute(self, serial_number):
First pass at enforcing certificates be requested from same host We want to only allow a machine to request a certificate for itself, not for other machines. I've added a new taksgroup which will allow this. The requesting IP is resolved and compared to the subject of the CSR to determine if they are the same host. The same is done with the service principal. Subject alt names are not queried yet. This does not yet grant machines actual permission to request certificates yet, that is still limited to the taskgroup request_certs.
2009-10-20 10:59:07 -05:00
self.check_access()
Implemented more elegant way for entire plugin module to be conditionally skipped; updated cert.py and ra.py modules to use this
2009-02-12 03:10:12 -06:00
return self.Backend.ra.get_certificate(serial_number)
Merged in Andrew's RA plugin
2008-12-21 15:15:53 -06:00
Store the new certificate in a service record. Clean up some argument names to match the current standard.
2009-05-05 14:18:33 -05:00
def output_for_cli(self, textui, result, *args, **kw):
Implemented more elegant way for entire plugin module to be conditionally skipped; updated cert.py and ra.py modules to use this
2009-02-12 03:10:12 -06:00
if isinstance(result, dict) and len(result) > 0:
textui.print_entry(result, 0)
else:
textui.print_plain('Failed to obtain a certificate.')
Merged in Andrew's RA plugin
2008-12-21 15:15:53 -06:00
Implemented more elegant way for entire plugin module to be conditionally skipped; updated cert.py and ra.py modules to use this
2009-02-12 03:10:12 -06:00
api.register(cert_get)
Merged in Andrew's RA plugin
2008-12-21 15:15:53 -06:00
Implement support for non-LDAP-based actions that use the LDAP ACI subsystem. There are some operations, like those for the certificate system, that don't need to write to the directory server. So instead we have an entry that we test against to determine whether the operation is allowed or not. This is done by attempting a write on the entry. If it would succeed then permission is granted. If not then denied. The write we attempt is actually invalid so the write itself will fail but the attempt will fail first if access is not permitted, so we can distinguish between the two without polluting the entry.
2009-07-10 15:40:39 -05:00
class cert_revoke(VirtualCommand):
Implemented more elegant way for entire plugin module to be conditionally skipped; updated cert.py and ra.py modules to use this
2009-02-12 03:10:12 -06:00
"""
Revoke a certificate.
"""
Merged in Andrew's RA plugin
2008-12-21 15:15:53 -06:00
Fix a few issues introduced by the new Param.use_in_context() patch
2009-05-21 13:31:54 -05:00
takes_args = ('serial_number')
Implement support for non-LDAP-based actions that use the LDAP ACI subsystem. There are some operations, like those for the certificate system, that don't need to write to the directory server. So instead we have an entry that we test against to determine whether the operation is allowed or not. This is done by attempting a write on the entry. If it would succeed then permission is granted. If not then denied. The write we attempt is actually invalid so the write itself will fail but the attempt will fail first if access is not permitted, so we can distinguish between the two without polluting the entry.
2009-07-10 15:40:39 -05:00
operation = "revoke certificate"
Merged in Andrew's RA plugin
2008-12-21 15:15:53 -06:00
Implemented more elegant way for entire plugin module to be conditionally skipped; updated cert.py and ra.py modules to use this
2009-02-12 03:10:12 -06:00
# FIXME: The default is 0. Is this really an Int param?
Improve revocation_reason argument
2009-05-08 13:10:53 -05:00
takes_options = (
Int('revocation_reason?',
doc='Reason for revoking the certificate (0-10)',
minvalue=0,
maxvalue=10,
default=0,
),
)
Merged in Andrew's RA plugin
2008-12-21 15:15:53 -06:00
Store the new certificate in a service record. Clean up some argument names to match the current standard.
2009-05-05 14:18:33 -05:00
def execute(self, serial_number, **kw):
First pass at enforcing certificates be requested from same host We want to only allow a machine to request a certificate for itself, not for other machines. I've added a new taksgroup which will allow this. The requesting IP is resolved and compared to the subject of the CSR to determine if they are the same host. The same is done with the service principal. Subject alt names are not queried yet. This does not yet grant machines actual permission to request certificates yet, that is still limited to the taskgroup request_certs.
2009-10-20 10:59:07 -05:00
self.check_access()
Store the new certificate in a service record. Clean up some argument names to match the current standard.
2009-05-05 14:18:33 -05:00
return self.Backend.ra.revoke_certificate(serial_number, **kw)
Merged in Andrew's RA plugin
2008-12-21 15:15:53 -06:00
Store the new certificate in a service record. Clean up some argument names to match the current standard.
2009-05-05 14:18:33 -05:00
def output_for_cli(self, textui, result, *args, **kw):
Implemented more elegant way for entire plugin module to be conditionally skipped; updated cert.py and ra.py modules to use this
2009-02-12 03:10:12 -06:00
if isinstance(result, dict) and len(result) > 0:
textui.print_entry(result, 0)
else:
textui.print_plain('Failed to revoke a certificate.')
Merged in Andrew's RA plugin
2008-12-21 15:15:53 -06:00
Implemented more elegant way for entire plugin module to be conditionally skipped; updated cert.py and ra.py modules to use this
2009-02-12 03:10:12 -06:00
api.register(cert_revoke)
Merged in Andrew's RA plugin
2008-12-21 15:15:53 -06:00
Implement support for non-LDAP-based actions that use the LDAP ACI subsystem. There are some operations, like those for the certificate system, that don't need to write to the directory server. So instead we have an entry that we test against to determine whether the operation is allowed or not. This is done by attempting a write on the entry. If it would succeed then permission is granted. If not then denied. The write we attempt is actually invalid so the write itself will fail but the attempt will fail first if access is not permitted, so we can distinguish between the two without polluting the entry.
2009-07-10 15:40:39 -05:00
class cert_remove_hold(VirtualCommand):
Implemented more elegant way for entire plugin module to be conditionally skipped; updated cert.py and ra.py modules to use this
2009-02-12 03:10:12 -06:00
"""
Take a revoked certificate off hold.
"""
Merged in Andrew's RA plugin
2008-12-21 15:15:53 -06:00
Fix a few issues introduced by the new Param.use_in_context() patch
2009-05-21 13:31:54 -05:00
takes_args = ('serial_number')
Implement support for non-LDAP-based actions that use the LDAP ACI subsystem. There are some operations, like those for the certificate system, that don't need to write to the directory server. So instead we have an entry that we test against to determine whether the operation is allowed or not. This is done by attempting a write on the entry. If it would succeed then permission is granted. If not then denied. The write we attempt is actually invalid so the write itself will fail but the attempt will fail first if access is not permitted, so we can distinguish between the two without polluting the entry.
2009-07-10 15:40:39 -05:00
operation = "certificate remove hold"
Merged in Andrew's RA plugin
2008-12-21 15:15:53 -06:00
Store the new certificate in a service record. Clean up some argument names to match the current standard.
2009-05-05 14:18:33 -05:00
def execute(self, serial_number, **kw):
First pass at enforcing certificates be requested from same host We want to only allow a machine to request a certificate for itself, not for other machines. I've added a new taksgroup which will allow this. The requesting IP is resolved and compared to the subject of the CSR to determine if they are the same host. The same is done with the service principal. Subject alt names are not queried yet. This does not yet grant machines actual permission to request certificates yet, that is still limited to the taskgroup request_certs.
2009-10-20 10:59:07 -05:00
self.check_access()
Implemented more elegant way for entire plugin module to be conditionally skipped; updated cert.py and ra.py modules to use this
2009-02-12 03:10:12 -06:00
return self.Backend.ra.take_certificate_off_hold(serial_number)
Store the new certificate in a service record. Clean up some argument names to match the current standard.
2009-05-05 14:18:33 -05:00
def output_for_cli(self, textui, result, *args, **kw):
Implemented more elegant way for entire plugin module to be conditionally skipped; updated cert.py and ra.py modules to use this
2009-02-12 03:10:12 -06:00
if isinstance(result, dict) and len(result) > 0:
textui.print_entry(result, 0)
else:
textui.print_plain('Failed to take a revoked certificate off hold.')
api.register(cert_remove_hold)
Reference in New Issue Copy Permalink