2014-06-27 05:31:50 -05:00
|
|
|
# Authors: Jan Cholasta <jcholast@redhat.com>
|
|
|
|
|
#
|
|
|
|
|
# Copyright (C) 2014 Red Hat
|
|
|
|
|
# see file 'COPYING' for use and warranty information
|
|
|
|
|
#
|
|
|
|
|
# This program is free software; you can redistribute it and/or modify
|
|
|
|
|
# it under the terms of the GNU General Public License as published by
|
|
|
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
|
|
|
# (at your option) any later version.
|
|
|
|
|
#
|
|
|
|
|
# This program is distributed in the hope that it will be useful,
|
|
|
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
# GNU General Public License for more details.
|
|
|
|
|
#
|
|
|
|
|
# You should have received a copy of the GNU General Public License
|
|
|
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
import os
|
|
|
|
|
import tempfile
|
|
|
|
|
import shutil
|
2015-09-14 05:52:29 -05:00
|
|
|
|
|
|
|
|
from six.moves.urllib.parse import urlsplit
|
2014-06-27 05:31:50 -05:00
|
|
|
|
|
|
|
|
from ipapython import (admintool, ipautil, ipaldap, sysrestore, dogtag,
|
2014-09-18 05:00:15 -05:00
|
|
|
certmonger, certdb)
|
2014-06-27 05:31:50 -05:00
|
|
|
from ipaplatform import services
|
|
|
|
|
from ipaplatform.paths import paths
|
|
|
|
|
from ipaplatform.tasks import tasks
|
2014-10-13 07:30:15 -05:00
|
|
|
from ipalib import api, errors, x509, certstore
|
2014-06-27 05:31:50 -05:00
|
|
|
|
|
|
|
|
|
|
|
|
|
class CertUpdate(admintool.AdminTool):
|
|
|
|
|
command_name = 'ipa-certupdate'
|
|
|
|
|
|
|
|
|
|
usage = "%prog [options]"
|
|
|
|
|
|
|
|
|
|
description = ("Update local IPA certificate databases with certificates "
|
|
|
|
|
"from the server.")
|
|
|
|
|
|
|
|
|
|
def validate_options(self):
|
|
|
|
|
super(CertUpdate, self).validate_options(needs_root=True)
|
|
|
|
|
|
|
|
|
|
def run(self):
|
2014-09-18 03:52:56 -05:00
|
|
|
fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
|
|
|
|
|
if (not fstore.has_files() and
|
|
|
|
|
not os.path.exists(paths.IPA_DEFAULT_CONF)):
|
|
|
|
|
raise admintool.ScriptError(
|
|
|
|
|
"IPA client is not configured on this system.")
|
|
|
|
|
|
2014-06-27 05:31:50 -05:00
|
|
|
api.bootstrap(context='cli_installer')
|
|
|
|
|
api.finalize()
|
|
|
|
|
|
2015-09-14 05:52:29 -05:00
|
|
|
server = urlsplit(api.env.jsonrpc_uri).hostname
|
2014-06-27 05:31:50 -05:00
|
|
|
ldap = ipaldap.IPAdmin(server)
|
|
|
|
|
|
|
|
|
|
tmpdir = tempfile.mkdtemp(prefix="tmp-")
|
2015-03-16 10:43:10 -05:00
|
|
|
ccache_name = os.path.join(tmpdir, 'ccache')
|
2014-06-27 05:31:50 -05:00
|
|
|
try:
|
|
|
|
|
principal = str('host/%s@%s' % (api.env.host, api.env.realm))
|
2015-03-16 10:43:10 -05:00
|
|
|
ipautil.kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_name)
|
|
|
|
|
os.environ['KRB5CCNAME'] = ccache_name
|
2014-06-27 05:31:50 -05:00
|
|
|
|
2014-10-13 07:30:15 -05:00
|
|
|
api.Backend.rpcclient.connect()
|
|
|
|
|
try:
|
|
|
|
|
result = api.Backend.rpcclient.forward(
|
|
|
|
|
'ca_is_enabled',
|
2015-03-17 04:35:49 -05:00
|
|
|
version=u'2.107',
|
2014-10-13 07:30:15 -05:00
|
|
|
)
|
|
|
|
|
ca_enabled = result['result']
|
2015-03-17 04:35:49 -05:00
|
|
|
except (errors.CommandError, errors.NetworkError):
|
2014-10-13 07:30:15 -05:00
|
|
|
result = api.Backend.rpcclient.forward(
|
|
|
|
|
'env',
|
|
|
|
|
server=True,
|
|
|
|
|
version=u'2.0',
|
|
|
|
|
)
|
|
|
|
|
ca_enabled = result['result']['enable_ra']
|
|
|
|
|
api.Backend.rpcclient.disconnect()
|
|
|
|
|
|
2014-06-27 05:31:50 -05:00
|
|
|
ldap.do_sasl_gssapi_bind()
|
|
|
|
|
|
|
|
|
|
certs = certstore.get_ca_certs(ldap, api.env.basedn,
|
2014-10-13 07:30:15 -05:00
|
|
|
api.env.realm, ca_enabled)
|
2014-06-27 05:31:50 -05:00
|
|
|
finally:
|
|
|
|
|
shutil.rmtree(tmpdir)
|
|
|
|
|
|
|
|
|
|
server_fstore = sysrestore.FileStore(paths.SYSRESTORE)
|
|
|
|
|
if server_fstore.has_files():
|
|
|
|
|
self.update_server(certs)
|
|
|
|
|
|
|
|
|
|
self.update_client(certs)
|
|
|
|
|
|
|
|
|
|
def update_client(self, certs):
|
|
|
|
|
self.update_file(paths.IPA_CA_CRT, certs)
|
2014-09-18 09:28:59 -05:00
|
|
|
|
2014-09-22 04:13:15 -05:00
|
|
|
ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
|
2014-09-18 05:00:15 -05:00
|
|
|
sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
|
2014-09-22 04:13:15 -05:00
|
|
|
|
|
|
|
|
# Remove IPA certs from /etc/pki/nssdb
|
|
|
|
|
for nickname, trust_flags in ipa_db.list_certs():
|
|
|
|
|
while sys_db.has_nickname(nickname):
|
2014-06-27 05:31:50 -05:00
|
|
|
try:
|
2014-09-22 04:13:15 -05:00
|
|
|
sys_db.delete_cert(nickname)
|
2015-07-30 09:49:29 -05:00
|
|
|
except ipautil.CalledProcessError as e:
|
2014-09-22 04:13:15 -05:00
|
|
|
self.log.error("Failed to remove %s from %s: %s",
|
|
|
|
|
nickname, sys_db.secdir, e)
|
|
|
|
|
break
|
|
|
|
|
|
|
|
|
|
# Remove old IPA certs from /etc/ipa/nssdb
|
|
|
|
|
for nickname in ('IPA CA', 'External CA cert'):
|
|
|
|
|
while ipa_db.has_nickname(nickname):
|
2014-06-27 05:31:50 -05:00
|
|
|
try:
|
2014-09-22 04:13:15 -05:00
|
|
|
ipa_db.delete_cert(nickname)
|
2015-07-30 09:49:29 -05:00
|
|
|
except ipautil.CalledProcessError as e:
|
2014-09-22 04:13:15 -05:00
|
|
|
self.log.error("Failed to remove %s from %s: %s",
|
|
|
|
|
nickname, ipa_db.secdir, e)
|
|
|
|
|
break
|
|
|
|
|
|
|
|
|
|
self.update_db(ipa_db.secdir, certs)
|
|
|
|
|
self.update_db(sys_db.secdir, certs)
|
2014-06-27 05:31:50 -05:00
|
|
|
|
|
|
|
|
tasks.remove_ca_certs_from_systemwide_ca_store()
|
|
|
|
|
tasks.insert_ca_certs_into_systemwide_ca_store(certs)
|
|
|
|
|
|
|
|
|
|
def update_server(self, certs):
|
|
|
|
|
instance = '-'.join(api.env.realm.split('.'))
|
|
|
|
|
self.update_db(
|
|
|
|
|
paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance, certs)
|
|
|
|
|
if services.knownservices.dirsrv.is_running():
|
|
|
|
|
services.knownservices.dirsrv.restart(instance)
|
|
|
|
|
|
|
|
|
|
self.update_db(paths.HTTPD_ALIAS_DIR, certs)
|
|
|
|
|
if services.knownservices.httpd.is_running():
|
|
|
|
|
services.knownservices.httpd.restart()
|
|
|
|
|
|
|
|
|
|
dogtag_constants = dogtag.configured_constants()
|
|
|
|
|
nickname = 'caSigningCert cert-pki-ca'
|
2014-09-03 02:07:16 -05:00
|
|
|
criteria = {
|
|
|
|
|
'cert-database': dogtag_constants.ALIAS_DIR,
|
|
|
|
|
'cert-nickname': nickname,
|
2014-09-24 12:22:59 -05:00
|
|
|
'ca-name': 'dogtag-ipa-ca-renew-agent',
|
2014-09-03 02:07:16 -05:00
|
|
|
}
|
2014-06-27 05:31:50 -05:00
|
|
|
request_id = certmonger.get_request_id(criteria)
|
|
|
|
|
if request_id is not None:
|
|
|
|
|
timeout = api.env.startup_timeout + 60
|
|
|
|
|
|
|
|
|
|
self.log.debug("resubmitting certmonger request '%s'", request_id)
|
2014-10-14 04:12:55 -05:00
|
|
|
certmonger.resubmit_request(
|
|
|
|
|
request_id, profile='ipaRetrievalOrReuse')
|
2014-06-27 05:31:50 -05:00
|
|
|
try:
|
|
|
|
|
state = certmonger.wait_for_request(request_id, timeout)
|
|
|
|
|
except RuntimeError:
|
|
|
|
|
raise admintool.ScriptError(
|
|
|
|
|
"Resubmitting certmonger request '%s' timed out, "
|
|
|
|
|
"please check the request manually" % request_id)
|
2014-10-14 04:12:55 -05:00
|
|
|
ca_error = certmonger.get_request_value(request_id, 'ca-error')
|
|
|
|
|
if state != 'MONITORING' or ca_error:
|
2014-06-27 05:31:50 -05:00
|
|
|
raise admintool.ScriptError(
|
|
|
|
|
"Error resubmitting certmonger request '%s', "
|
|
|
|
|
"please check the request manually" % request_id)
|
|
|
|
|
|
|
|
|
|
self.log.debug("modifying certmonger request '%s'", request_id)
|
|
|
|
|
certmonger.modify(request_id, profile='ipaCACertRenewal')
|
|
|
|
|
|
|
|
|
|
self.update_file(paths.CA_CRT, certs)
|
|
|
|
|
|
2015-07-15 09:38:06 -05:00
|
|
|
def update_file(self, filename, certs, mode=0o444):
|
2014-06-27 05:31:50 -05:00
|
|
|
certs = (c[0] for c in certs if c[2] is not False)
|
|
|
|
|
try:
|
|
|
|
|
x509.write_certificate_list(certs, filename)
|
2015-07-30 09:49:29 -05:00
|
|
|
except Exception as e:
|
2014-06-27 05:31:50 -05:00
|
|
|
self.log.error("failed to update %s: %s", filename, e)
|
|
|
|
|
|
|
|
|
|
def update_db(self, path, certs):
|
2014-09-18 05:00:15 -05:00
|
|
|
db = certdb.NSSDatabase(path)
|
2014-06-27 05:31:50 -05:00
|
|
|
for cert, nickname, trusted, eku in certs:
|
|
|
|
|
trust_flags = certstore.key_policy_to_trust_flags(
|
|
|
|
|
trusted, True, eku)
|
|
|
|
|
try:
|
2014-09-18 05:00:15 -05:00
|
|
|
db.add_cert(cert, nickname, trust_flags)
|
2015-07-30 09:49:29 -05:00
|
|
|
except ipautil.CalledProcessError as e:
|
2014-06-27 05:31:50 -05:00
|
|
|
self.log.error(
|
|
|
|
|
"failed to update %s in %s: %s", nickname, path, e)
|
