IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-01-13 09:41:55 -06:00
Code Issues Packages Projects Releases Wiki Activity
a746c613a4
freeipa/ipalib/plugins/service.py

509 lines
17 KiB
Python
Raw Normal View History

Add service plugin port to new LDAP backend.
2009-05-27 08:55:26 -05:00
# Authors:
# Jason Gerard DeRose <jderose@redhat.com>
# Rob Crittenden <rcritten@redhat.com>
# Pavel Zuna <pzuna@redhat.com>
#
# Copyright (C) 2008 Red Hat
# see file 'COPYING' for use and warranty information
#
Change FreeIPA license to GPLv3+ The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239
2010-12-09 06:59:11 -06:00
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
Add service plugin port to new LDAP backend.
2009-05-27 08:55:26 -05:00
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
Change FreeIPA license to GPLv3+ The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239
2010-12-09 06:59:11 -06:00
# along with this program. If not, see <http://www.gnu.org/licenses/>.
Add service plugin port to new LDAP backend.
2009-05-27 08:55:26 -05:00
"""
Update command documentation based on feedback from docs team. ticket #158
2010-08-24 22:40:32 -05:00
Services
First pass at per-command documentation
2010-06-02 13:08:50 -05:00
Update command documentation based on feedback from docs team. ticket #158
2010-08-24 22:40:32 -05:00
A IPA service represents a service that runs on a host. The IPA service
record can store a Kerberos principal, an SSL certificate, or both.
First pass at per-command documentation
2010-06-02 13:08:50 -05:00
Update command documentation based on feedback from docs team. ticket #158
2010-08-24 22:40:32 -05:00
An IPA service can be managed directly from a machine, provided that
machine has been given the correct permission. This is true even for
machines other than the one the service is associated with. For example,
requesting an SSL certificate using the host service principal credentials
Fix style and grammatical issues in built-in command help. There is a rather large API.txt change but it is only due to changes in the doc string in parameters. ticket 729
2011-03-04 10:08:54 -06:00
of the host. To manage a service using host credentials you need to
Update command documentation based on feedback from docs team. ticket #158
2010-08-24 22:40:32 -05:00
kinit as the host:
First pass at per-command documentation
2010-06-02 13:08:50 -05:00
Update command documentation based on feedback from docs team. ticket #158
2010-08-24 22:40:32 -05:00
# kinit -kt /etc/krb5.keytab host/ipa.example.com@EXAMPLE.COM
First pass at per-command documentation
2010-06-02 13:08:50 -05:00
Update command documentation based on feedback from docs team. ticket #158
2010-08-24 22:40:32 -05:00
Adding an IPA service allows the associated service to request an SSL
certificate or keytab, but this is performed as a separate step; they
are not produced as a result of adding the service.
Only the public aspect of a certificate is stored in a service record;
the private key is not stored.
First pass at per-command documentation
2010-06-02 13:08:50 -05:00
EXAMPLES:
Update command documentation based on feedback from docs team. ticket #158
2010-08-24 22:40:32 -05:00
Add a new IPA service:
First pass at per-command documentation
2010-06-02 13:08:50 -05:00
ipa service-add HTTP/web.example.com
Update command documentation based on feedback from docs team. ticket #158
2010-08-24 22:40:32 -05:00
Allow a host to manage an IPA service certificate:
First pass at per-command documentation
2010-06-02 13:08:50 -05:00
ipa service-add-host --hosts=web.example.com HTTP/web.example.com
Re-implement access control using an updated model. The new model is based on permssions, privileges and roles. Most importantly it corrects the reverse membership that caused problems in the previous implementation. You add permission to privileges and privileges to roles, not the other way around (even though it works that way behind the scenes). A permission object is a combination of a simple group and an aci. The linkage between the aci and the permission is the description of the permission. This shows as the name/description of the aci. ldap:///self and groups granting groups (v1-style) are not supported by this model (it will be provided separately). This makes the aci plugin internal only. ticket 445
2010-12-01 10:23:52 -06:00
ipa role-add-member --hosts=web.example.com certadmin
First pass at per-command documentation
2010-06-02 13:08:50 -05:00
Update command documentation based on feedback from docs team. ticket #158
2010-08-24 22:40:32 -05:00
Delete an IPA service:
First pass at per-command documentation
2010-06-02 13:08:50 -05:00
ipa service-del HTTP/web.example.com
Fixed typo in ipa help service
2011-01-13 13:37:10 -06:00
Find all IPA services associated with a host:
First pass at per-command documentation
2010-06-02 13:08:50 -05:00
ipa service-find web.example.com
Find all HTTP services:
ipa service-find HTTP
Add API to delete a service principal key, service-disable. I have to do some pretty low-level LDAP work to achieve this. Since we can't read the key using our modlist generator won't work and lots of tricks would be needed to use the LDAPUpdate object in any case. I pulled usercertificate out of the global params and put into each appropriate function because it makes no sense for service-disable. This also adds a new variable, has_keytab, to service/host_show output. This flag tells us whether there is a krbprincipalkey.
2010-07-12 16:45:06 -05:00
Service/Host disable command output clarification When a service/host is disabled, the resulting summary message states that a Kerberos key was disabled. However, Kerberos key may not have been enabled before this command at all, which makes this information confusing for some users. Also, the summary message didn't state that an SSL certificate was disabled too. This patch rather changes the summary message to a standard phrase known from other plugins disable command and states all disable command steps in a respective command help. https://fedorahosted.org/freeipa/ticket/872
2011-02-16 03:35:49 -06:00
Disable the service Kerberos key and SSL certificate:
Add API to delete a service principal key, service-disable. I have to do some pretty low-level LDAP work to achieve this. Since we can't read the key using our modlist generator won't work and lots of tricks would be needed to use the LDAPUpdate object in any case. I pulled usercertificate out of the global params and put into each appropriate function because it makes no sense for service-disable. This also adds a new variable, has_keytab, to service/host_show output. This flag tells us whether there is a krbprincipalkey.
2010-07-12 16:45:06 -05:00
ipa service-disable HTTP/web.example.com
Update command documentation based on feedback from docs team. ticket #158
2010-08-24 22:40:32 -05:00
Request a certificate for an IPA service:
ipa cert-request --principal=HTTP/web.example.com example.csr
Generate and retrieve a keytab for an IPA service:
ipa-getkeytab -s ipa.example.com -p HTTP/web.example.com -k /etc/httpd/httpd.keytab
Add service plugin port to new LDAP backend.
2009-05-27 08:55:26 -05:00
"""
import base64
Add --out option to service, host and cert-show to save the cert to a file. Override forward() to grab the result and if a certificate is in the entry and the file is writable then dump the certificate in PEM format. ticket 473
2010-12-10 09:53:20 -06:00
import os
Add service plugin port to new LDAP backend.
2009-05-27 08:55:26 -05:00
Require that hosts be resolvable in DNS. Use --force to ignore warnings. This also requires a resolvable hostname on services as well. I want people to think long and hard about adding things that aren't resolvable. The cert plugin can automatically create services on the user's behalf when issuing a cert. It will always set the force flag to True. We use a lot of made-up host names in the test system, all of which require the force flag now. ticket #25
2010-07-22 13:16:22 -05:00
from ipalib import api, errors, util
Add service plugin port to new LDAP backend.
2009-05-27 08:55:26 -05:00
from ipalib import Str, Flag, Bytes
Make the service plugin use baseldap classes.
2009-09-15 06:04:09 -05:00
from ipalib.plugins.baseldap import *
Use pyasn1-based PKCS#10 and X509v3 parsers instead of pyOpenSSL. The pyOpenSSL PKCS#10 parser doesn't support attributes so we can't identify requests with subject alt names. Subject alt names are only allowed if: - the host for the alt name exists in IPA - if binding as host principal, the host is in the services managedBy attr
2009-11-24 15:07:44 -06:00
from ipalib import x509
Be more careful when base64-decoding certificates Only decode certs that have a BEGIN/END block, otherwise assume it is in DER format.
2010-02-01 13:00:28 -06:00
from ipalib import _, ngettext
Accept an incoming certificate as either DER or base64 in the service plugin. The plugin required a base64-encoded certificate and always decoded it before processing. This doesn't work with the UI because the json module decodes binary values already. Try to detect if the incoming value is base64-encoded and decode if necessary. Finally, try to pull the cert apart to validate it. This will tell us for sure that the data is a certificate, regardless of the format it came in as. ticket 348
2010-10-08 12:15:03 -05:00
from ipalib import util
Service certificate UI. The service.py has been modified to include certificate info in the service-show result if the service contains usercertificate. A new file certificate.js has been added to store codes related to certificates (e.g. revocation reasons, dialog boxes). The service.js has been modified to provide the UI for certificate management. The certificate.js can also be used for host certificate management. The Makefile.am and index.xhtml has been modified to include certificate.js. New test data files have been added for certificate operations. To test revoke and restore operations the server needs to be installed with dogtag CA instead of self-signed CA. The certificate status and revocation reason in the details page will be implemented in subsequent patches. Unit tests will also be added in subsequent patches.
2010-10-15 12:22:01 -05:00
import nss.nss as nss
Enable a host to retrieve a keytab for all its services. Using the host service principal one should be able to retrieve a keytab for other services for the host using ipa-getkeytab. This required a number of changes: - allow hosts in the service's managedby to write krbPrincipalKey - automatically add the host to managedby when a service is created - fix ipa-getkeytab to return the entire prinicpal and not just the first data element. It was returning "host" from the service tgt and not host/ipa.example.com - fix the display of the managedby attribute in the service plugin This led to a number of changes in the service unit tests. I took the opportunity to switch to the Declarative scheme and tripled the number of tests we were doing. This shed some light on a few bugs in the plugin: - if a service had a bad usercertificate it was impossible to delete the service. I made it a bit more flexible. - I added a summary for the mod and find commands - has_keytab wasn't being set in the find output ticket 68
2010-08-05 21:41:32 -05:00
from nss.error import NSPRError
Add --out option to service, host and cert-show to save the cert to a file. Override forward() to grab the result and if a certificate is in the entry and the file is writable then dump the certificate in PEM format. ticket 473
2010-12-10 09:53:20 -06:00
from ipapython.ipautil import file_exists
Add service plugin port to new LDAP backend.
2009-05-27 08:55:26 -05:00
Enable a host to retrieve a keytab for all its services. Using the host service principal one should be able to retrieve a keytab for other services for the host using ipa-getkeytab. This required a number of changes: - allow hosts in the service's managedby to write krbPrincipalKey - automatically add the host to managedby when a service is created - fix ipa-getkeytab to return the entire prinicpal and not just the first data element. It was returning "host" from the service tgt and not host/ipa.example.com - fix the display of the managedby attribute in the service plugin This led to a number of changes in the service unit tests. I took the opportunity to switch to the Declarative scheme and tripled the number of tests we were doing. This shed some light on a few bugs in the plugin: - if a service had a bad usercertificate it was impossible to delete the service. I made it a bit more flexible. - I added a summary for the mod and find commands - has_keytab wasn't being set in the find output ticket 68
2010-08-05 21:41:32 -05:00
output_params = (
Flag('has_keytab',
label=_('Keytab'),
),
Str('managedby_host',
label='Managed by',
),
Revoke a host's certificate (if any) when it is deleted or disabled. Disable any services when its host is disabled. This also adds displaying the certificate attributes (subject, etc) a bit more universal and centralized in a single function. ticket 297
2010-11-05 14:16:53 -05:00
Str('subject',
label=_('Subject'),
),
Str('serial_number',
label=_('Serial Number'),
),
Str('issuer',
label=_('Issuer'),
),
Str('valid_not_before',
label=_('Not Before'),
),
Str('valid_not_after',
label=_('Not After'),
),
Str('md5_fingerprint',
label=_('Fingerprint (MD5)'),
),
Str('sha1_fingerprint',
label=_('Fingerprint (SHA1)'),
),
Str('revocation_reason?',
label=_('Revocation reason'),
)
Enable a host to retrieve a keytab for all its services. Using the host service principal one should be able to retrieve a keytab for other services for the host using ipa-getkeytab. This required a number of changes: - allow hosts in the service's managedby to write krbPrincipalKey - automatically add the host to managedby when a service is created - fix ipa-getkeytab to return the entire prinicpal and not just the first data element. It was returning "host" from the service tgt and not host/ipa.example.com - fix the display of the managedby attribute in the service plugin This led to a number of changes in the service unit tests. I took the opportunity to switch to the Declarative scheme and tripled the number of tests we were doing. This shed some light on a few bugs in the plugin: - if a service had a bad usercertificate it was impossible to delete the service. I made it a bit more flexible. - I added a summary for the mod and find commands - has_keytab wasn't being set in the find output ticket 68
2010-08-05 21:41:32 -05:00
)
Add service plugin port to new LDAP backend.
2009-05-27 08:55:26 -05:00
def split_principal(principal):
service = hostname = realm = None
# Break down the principal into its component parts, which may or
# may not include the realm.
sp = principal.split('/')
if len(sp) != 2:
raise errors.MalformedServicePrincipal(reason='missing service')
service = sp[0]
Fix service validator, ensure the service isn't blank. ticket 961
2011-02-15 11:37:25 -06:00
if len(service) == 0:
raise errors.MalformedServicePrincipal(
reason='blank service'
)
Add service plugin port to new LDAP backend.
2009-05-27 08:55:26 -05:00
sr = sp[1].split('@')
if len(sr) > 2:
raise errors.MalformedServicePrincipal(
reason='unable to determine realm'
)
hostname = sr[0].lower()
if len(sr) == 2:
realm = sr[1].upper()
# At some point we'll support multiple realms
if realm != api.env.realm:
raise errors.RealmMismatch()
else:
realm = api.env.realm
# Note that realm may be None.
return (service, hostname, realm)
def validate_principal(ugettext, principal):
(service, hostname, principal) = split_principal(principal)
return None
def normalize_principal(principal):
# The principal is already validated when it gets here
(service, hostname, realm) = split_principal(principal)
# Put the principal back together again
principal = '%s/%s@%s' % (service, hostname, realm)
return unicode(principal)
def validate_certificate(ugettext, cert):
"""
For now just verify that it is properly base64-encoded.
"""
Certificate management for services. This is an initial implementation of certificate management for services. It addresses the mechanism required to view and update certificates. The complete UI implementation will be addressed in subsequent patches. On the server side, the service.py has been modified to define usercertificate in the service object's takes_params. This is needed to generate the proper JSON metadata which is needed by the UI. It also has been modified to accept null certificate for deletion. On the client side, the service details page has been modified to display the base64-encoded certificate in a text area. When the page is saved, the action handler will store the base64-encoded certificate in the proper JSON structure. Also the service name and service hostname are now displayed in separate fields. The details configuration has been modified to support displaying and updating certificates. The structure is changed to use maps to define sections and fields. A section contains name, label, and an array of fields. A field contains name, label, setup function, load function, and save function. This is used to implement custom interface and behavior for certificates. All other entities, test cases, and test data have been updated accordingly. Some functions and variables have been renamed to improve clarity and consistency.
2010-10-07 14:02:44 -05:00
if cert and util.isvalid_base64(cert):
Accept an incoming certificate as either DER or base64 in the service plugin. The plugin required a base64-encoded certificate and always decoded it before processing. This doesn't work with the UI because the json module decodes binary values already. Try to detect if the incoming value is base64-encoded and decode if necessary. Finally, try to pull the cert apart to validate it. This will tell us for sure that the data is a certificate, regardless of the format it came in as. ticket 348
2010-10-08 12:15:03 -05:00
try:
base64.b64decode(cert)
except Exception, e:
raise errors.Base64DecodeError(reason=str(e))
else:
# We'll assume this is DER data
pass
Revoke a host's certificate (if any) when it is deleted or disabled. Disable any services when its host is disabled. This also adds displaying the certificate attributes (subject, etc) a bit more universal and centralized in a single function. ticket 297
2010-11-05 14:16:53 -05:00
def set_certificate_attrs(entry_attrs):
"""
Set individual attributes from some values from a certificate.
entry_attrs is a dict of an entry
returns nothing
"""
if not 'usercertificate' in entry_attrs:
return
if type(entry_attrs['usercertificate']) in (list, tuple):
cert = entry_attrs['usercertificate'][0]
else:
cert = entry_attrs['usercertificate']
Make data type of certificates more obvious/predictable internally. For the most part certificates will be treated as being in DER format. When we load a certificate we will generally accept it in any format but will convert it to DER before proceeding in normalize_certificate(). This also re-arranges a bit of code to pull some certificate-specific functions out of ipalib/plugins/service.py into ipalib/x509.py. This also tries to use variable names to indicate what format the certificate is in at any given point: dercert: DER cert: PEM nsscert: a python-nss Certificate object rawcert: unknown format ticket 32
2011-06-08 09:54:41 -05:00
cert = x509.normalize_certificate(cert)
Revoke a host's certificate (if any) when it is deleted or disabled. Disable any services when its host is disabled. This also adds displaying the certificate attributes (subject, etc) a bit more universal and centralized in a single function. ticket 297
2010-11-05 14:16:53 -05:00
cert = x509.load_certificate(cert, datatype=x509.DER)
entry_attrs['subject'] = unicode(cert.subject)
entry_attrs['serial_number'] = unicode(cert.serial_number)
entry_attrs['issuer'] = unicode(cert.issuer)
entry_attrs['valid_not_before'] = unicode(cert.valid_not_before_str)
entry_attrs['valid_not_after'] = unicode(cert.valid_not_after_str)
entry_attrs['md5_fingerprint'] = unicode(nss.data_to_hex(nss.md5_digest(cert.der_data), 64)[0])
entry_attrs['sha1_fingerprint'] = unicode(nss.data_to_hex(nss.sha1_digest(cert.der_data), 64)[0])
Make the service plugin use baseldap classes.
2009-09-15 06:04:09 -05:00
class service(LDAPObject):
Add service plugin port to new LDAP backend.
2009-05-27 08:55:26 -05:00
"""
Service object.
"""
Make the service plugin use baseldap classes.
2009-09-15 06:04:09 -05:00
container_dn = api.env.container_service
Fixed object_name and object_name_plural internationalization The object_name, object_name_plural and messages that use these attributes have been converted to support translation. The label attribute in the Param class has been modified to accept unicode string. Ticket #1435
2011-07-12 11:01:25 -05:00
object_name = _('service')
object_name_plural = _('services')
Make the service plugin use baseldap classes.
2009-09-15 06:04:09 -05:00
object_class = [
'krbprincipal', 'krbprincipalaux', 'krbticketpolicyaux', 'ipaobject',
'ipaservice', 'pkiuser'
]
Add API to delete a service principal key, service-disable. I have to do some pretty low-level LDAP work to achieve this. Since we can't read the key using our modlist generator won't work and lots of tricks would be needed to use the LDAPUpdate object in any case. I pulled usercertificate out of the global params and put into each appropriate function because it makes no sense for service-disable. This also adds a new variable, has_keytab, to service/host_show output. This flag tells us whether there is a krbprincipalkey.
2010-07-12 16:45:06 -05:00
search_attributes = ['krbprincipalname', 'managedby']
default_attributes = ['krbprincipalname', 'usercertificate', 'managedby', 'krblastpwdchange']
Make the service plugin use baseldap classes.
2009-09-15 06:04:09 -05:00
uuid_attribute = 'ipauniqueid'
Use a new mechanism for delegating certificate issuance. Using the client IP address was a rather poor mechanism for controlling who could request certificates for whom. Instead the client machine will bind using the host service principal and request the certificate. In order to do this: * the service will need to exist * the machine needs to be in the certadmin rolegroup * the host needs to be in the managedBy attribute of the service It might look something like: admin ipa host-add client.example.com --password=secret123 ipa service-add HTTP/client.example.com ipa service-add-host --hosts=client.example.com HTTP/client.example.com ipa rolegroup-add-member --hosts=client.example.com certadmin client ipa-client-install ipa-join -w secret123 kinit -kt /etc/krb5.keytab host/client.example.com ipa -d cert-request file://web.csr --principal=HTTP/client.example.com
2009-11-03 08:35:19 -06:00
attribute_members = {
'managedby': ['host'],
Make the service plugin use baseldap classes.
2009-09-15 06:04:09 -05:00
}
Provide list of available attributes for use in ACI UI. Also include flag indicating whether the object is bindable. This will be used to determine if the object can have a selfservice ACI. ticket 446
2010-12-02 10:05:54 -06:00
bindable = True
Fixed association facets. The association config has been removed because it incorrectly assumes there is only one association between two entities. Now each association is defined separately using association facets. The service.py has been modified to specify the correct relationships. The API.txt has been updated. https://fedorahosted.org/freeipa/ticket/960
2011-02-11 18:04:04 -06:00
relationships = {
'managedby': ('Managed by', 'man_by_', 'not_man_by_'),
}
Make the service plugin use baseldap classes.
2009-09-15 06:04:09 -05:00
Add Object.label class attribute, enable in webUI
2010-02-08 06:03:28 -06:00
label = _('Services')
Added singular entity labels. A new attribute label_singular has been added to all entities which contains the singular form of the entity label in lower cases except for acronyms (e.g. HBAC) or proper nouns (e.g. Kerberos). In the Web UI, this label can be capitalized using CSS text-transform. The existing 'label' attribute is intentionally left unchanged due to inconsistencies in the current values. It contains mostly the plural form of capitalized entity label, but some are singular. Also, it seems currently there is no comparable capitalization method on the server-side. So more work is needed before the label can be changed. Ticket #1249
2011-06-23 19:48:50 -05:00
label_singular = _('service')
Add Object.label class attribute, enable in webUI
2010-02-08 06:03:28 -06:00
Add service plugin port to new LDAP backend.
2009-05-27 08:55:26 -05:00
takes_params = (
Str('krbprincipalname', validate_principal,
cli_name='principal',
Translatable Param.label, Param.doc
2010-02-19 10:08:16 -06:00
label=_('Principal'),
doc=_('Service principal'),
Add service plugin port to new LDAP backend.
2009-05-27 08:55:26 -05:00
primary_key=True,
normalizer=lambda value: normalize_principal(value),
),
Certificate management for services. This is an initial implementation of certificate management for services. It addresses the mechanism required to view and update certificates. The complete UI implementation will be addressed in subsequent patches. On the server side, the service.py has been modified to define usercertificate in the service object's takes_params. This is needed to generate the proper JSON metadata which is needed by the UI. It also has been modified to accept null certificate for deletion. On the client side, the service details page has been modified to display the base64-encoded certificate in a text area. When the page is saved, the action handler will store the base64-encoded certificate in the proper JSON structure. Also the service name and service hostname are now displayed in separate fields. The details configuration has been modified to support displaying and updating certificates. The structure is changed to use maps to define sections and fields. A section contains name, label, and an array of fields. A field contains name, label, setup function, load function, and save function. This is used to implement custom interface and behavior for certificates. All other entities, test cases, and test data have been updated accordingly. Some functions and variables have been renamed to improve clarity and consistency.
2010-10-07 14:02:44 -05:00
Bytes('usercertificate?', validate_certificate,
cli_name='certificate',
label=_('Certificate'),
doc=_('Base-64 encoded server certificate'),
Remove certificate as service a search option. ticket 912
2011-02-09 12:24:47 -06:00
flags=['no_search',],
Service certificate UI. The service.py has been modified to include certificate info in the service-show result if the service contains usercertificate. A new file certificate.js has been added to store codes related to certificates (e.g. revocation reasons, dialog boxes). The service.js has been modified to provide the UI for certificate management. The certificate.js can also be used for host certificate management. The Makefile.am and index.xhtml has been modified to include certificate.js. New test data files have been added for certificate operations. To test revoke and restore operations the server needs to be installed with dogtag CA instead of self-signed CA. The certificate status and revocation reason in the details page will be implemented in subsequent patches. Unit tests will also be added in subsequent patches.
2010-10-15 12:22:01 -05:00
)
Add service plugin port to new LDAP backend.
2009-05-27 08:55:26 -05:00
)
Rename plugins2 to plugins.
2009-06-16 07:38:27 -05:00
api.register(service)
Add service plugin port to new LDAP backend.
2009-05-27 08:55:26 -05:00
Make the service plugin use baseldap classes.
2009-09-15 06:04:09 -05:00
class service_add(LDAPCreate):
Add service plugin port to new LDAP backend.
2009-05-27 08:55:26 -05:00
"""
Update command documentation based on feedback from docs team. ticket #158
2010-08-24 22:40:32 -05:00
Add a new IPA new service.
Add service plugin port to new LDAP backend.
2009-05-27 08:55:26 -05:00
"""
Use the Output tuple to determine the order of output The attributes displayed is now dependant upon their definition in a Param. This enhances that, giving some level of control over how the result is displayed to the user. This also fixes displaying group membership, including failures of adding/removing entries. All tests pass now though there is still one problem. We need to return the dn as well. Once that is fixed we just need to comment out all the dn entries in the tests and they should once again pass.
2010-02-12 15:34:21 -06:00
msg_summary = _('Added service "%(value)s"')
Use a new mechanism for delegating certificate issuance. Using the client IP address was a rather poor mechanism for controlling who could request certificates for whom. Instead the client machine will bind using the host service principal and request the certificate. In order to do this: * the service will need to exist * the machine needs to be in the certadmin rolegroup * the host needs to be in the managedBy attribute of the service It might look something like: admin ipa host-add client.example.com --password=secret123 ipa service-add HTTP/client.example.com ipa service-add-host --hosts=client.example.com HTTP/client.example.com ipa rolegroup-add-member --hosts=client.example.com certadmin client ipa-client-install ipa-join -w secret123 kinit -kt /etc/krb5.keytab host/client.example.com ipa -d cert-request file://web.csr --principal=HTTP/client.example.com
2009-11-03 08:35:19 -06:00
member_attributes = ['managedby']
Enable a host to retrieve a keytab for all its services. Using the host service principal one should be able to retrieve a keytab for other services for the host using ipa-getkeytab. This required a number of changes: - allow hosts in the service's managedby to write krbPrincipalKey - automatically add the host to managedby when a service is created - fix ipa-getkeytab to return the entire prinicpal and not just the first data element. It was returning "host" from the service tgt and not host/ipa.example.com - fix the display of the managedby attribute in the service plugin This led to a number of changes in the service unit tests. I took the opportunity to switch to the Declarative scheme and tripled the number of tests we were doing. This shed some light on a few bugs in the plugin: - if a service had a bad usercertificate it was impossible to delete the service. I made it a bit more flexible. - I added a summary for the mod and find commands - has_keytab wasn't being set in the find output ticket 68
2010-08-05 21:41:32 -05:00
has_output_params = LDAPCreate.has_output_params + output_params
Add service plugin port to new LDAP backend.
2009-05-27 08:55:26 -05:00
takes_options = (
Flag('force',
Updated json_metadata and i18n_messages. The json_metadata() has been updated to return ipa.Objects and ipa.Methods. The i18n_messages() has been updated to include other messages that are not available from the metadata.
2011-02-18 00:02:51 -06:00
label=_('Force'),
localize doc strings A number of doc strings were not localized, wrap them in _(). Some messages were not localized, wrap them in _() Fix a couple of failing tests: The method name in RPC should not be unicode. The doc attribute must use the .msg attribute for comparison. Also clean up imports of _() The import should come from ipalib or ipalib.text, not ugettext from request.
2010-03-05 15:11:21 -06:00
doc=_('force principal name even if not in DNS'),
Add service plugin port to new LDAP backend.
2009-05-27 08:55:26 -05:00
),
)
Add --all to LDAPCreate and make LDAP commands always display default attributes.
2009-12-10 09:39:24 -06:00
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
Make the service plugin use baseldap classes.
2009-09-15 06:04:09 -05:00
(service, hostname, realm) = split_principal(keys[-1])
if service.lower() == 'host' and not options['force']:
Add service plugin port to new LDAP backend.
2009-05-27 08:55:26 -05:00
raise errors.HostService()
Require that a host exist before creating a service for it.
2009-10-20 21:23:15 -05:00
try:
Enable a host to retrieve a keytab for all its services. Using the host service principal one should be able to retrieve a keytab for other services for the host using ipa-getkeytab. This required a number of changes: - allow hosts in the service's managedby to write krbPrincipalKey - automatically add the host to managedby when a service is created - fix ipa-getkeytab to return the entire prinicpal and not just the first data element. It was returning "host" from the service tgt and not host/ipa.example.com - fix the display of the managedby attribute in the service plugin This led to a number of changes in the service unit tests. I took the opportunity to switch to the Declarative scheme and tripled the number of tests we were doing. This shed some light on a few bugs in the plugin: - if a service had a bad usercertificate it was impossible to delete the service. I made it a bit more flexible. - I added a summary for the mod and find commands - has_keytab wasn't being set in the find output ticket 68
2010-08-05 21:41:32 -05:00
hostresult = api.Command['host_show'](hostname)['result']
Require that a host exist before creating a service for it.
2009-10-20 21:23:15 -05:00
except errors.NotFound:
raise errors.NotFound(reason="The host '%s' does not exist to add a service to." % hostname)
Accept an incoming certificate as either DER or base64 in the service plugin. The plugin required a base64-encoded certificate and always decoded it before processing. This doesn't work with the UI because the json module decodes binary values already. Try to detect if the incoming value is base64-encoded and decode if necessary. Finally, try to pull the cert apart to validate it. This will tell us for sure that the data is a certificate, regardless of the format it came in as. ticket 348
2010-10-08 12:15:03 -05:00
cert = options.get('usercertificate')
Make the service plugin use baseldap classes.
2009-09-15 06:04:09 -05:00
if cert:
Make data type of certificates more obvious/predictable internally. For the most part certificates will be treated as being in DER format. When we load a certificate we will generally accept it in any format but will convert it to DER before proceeding in normalize_certificate(). This also re-arranges a bit of code to pull some certificate-specific functions out of ipalib/plugins/service.py into ipalib/x509.py. This also tries to use variable names to indicate what format the certificate is in at any given point: dercert: DER cert: PEM nsscert: a python-nss Certificate object rawcert: unknown format ticket 32
2011-06-08 09:54:41 -05:00
dercert = x509.normalize_certificate(cert)
x509.verify_cert_subject(ldap, hostname, dercert)
entry_attrs['usercertificate'] = dercert
Make the service plugin use baseldap classes.
2009-09-15 06:04:09 -05:00
Require that hosts be resolvable in DNS. Use --force to ignore warnings. This also requires a resolvable hostname on services as well. I want people to think long and hard about adding things that aren't resolvable. The cert plugin can automatically create services on the user's behalf when issuing a cert. It will always set the force flag to True. We use a lot of made-up host names in the test system, all of which require the force flag now. ticket #25
2010-07-22 13:16:22 -05:00
if not options.get('force', False):
# We know the host exists if we've gotten this far but we
# really want to discourage creating services for hosts that
# don't exist in DNS.
util.validate_host_dns(self.log, hostname)
Enable a host to retrieve a keytab for all its services. Using the host service principal one should be able to retrieve a keytab for other services for the host using ipa-getkeytab. This required a number of changes: - allow hosts in the service's managedby to write krbPrincipalKey - automatically add the host to managedby when a service is created - fix ipa-getkeytab to return the entire prinicpal and not just the first data element. It was returning "host" from the service tgt and not host/ipa.example.com - fix the display of the managedby attribute in the service plugin This led to a number of changes in the service unit tests. I took the opportunity to switch to the Declarative scheme and tripled the number of tests we were doing. This shed some light on a few bugs in the plugin: - if a service had a bad usercertificate it was impossible to delete the service. I made it a bit more flexible. - I added a summary for the mod and find commands - has_keytab wasn't being set in the find output ticket 68
2010-08-05 21:41:32 -05:00
if not 'managedby' in entry_attrs:
entry_attrs['managedby'] = hostresult['dn']
Add service plugin port to new LDAP backend.
2009-05-27 08:55:26 -05:00
Make the service plugin use baseldap classes.
2009-09-15 06:04:09 -05:00
return dn
Add service plugin port to new LDAP backend.
2009-05-27 08:55:26 -05:00
Rename *-create/*-delete commands to *-add/*-del respectively.
2009-06-16 09:51:44 -05:00
api.register(service_add)
Add service plugin port to new LDAP backend.
2009-05-27 08:55:26 -05:00
Make the service plugin use baseldap classes.
2009-09-15 06:04:09 -05:00
class service_del(LDAPDelete):
Add service plugin port to new LDAP backend.
2009-05-27 08:55:26 -05:00
"""
Update command documentation based on feedback from docs team. ticket #158
2010-08-24 22:40:32 -05:00
Delete an IPA service.
Add service plugin port to new LDAP backend.
2009-05-27 08:55:26 -05:00
"""
Use the Output tuple to determine the order of output The attributes displayed is now dependant upon their definition in a Param. This enhances that, giving some level of control over how the result is displayed to the user. This also fixes displaying group membership, including failures of adding/removing entries. All tests pass now though there is still one problem. We need to return the dn as well. Once that is fixed we just need to comment out all the dn entries in the tests and they should once again pass.
2010-02-12 15:34:21 -06:00
msg_summary = _('Deleted service "%(value)s"')
Use a new mechanism for delegating certificate issuance. Using the client IP address was a rather poor mechanism for controlling who could request certificates for whom. Instead the client machine will bind using the host service principal and request the certificate. In order to do this: * the service will need to exist * the machine needs to be in the certadmin rolegroup * the host needs to be in the managedBy attribute of the service It might look something like: admin ipa host-add client.example.com --password=secret123 ipa service-add HTTP/client.example.com ipa service-add-host --hosts=client.example.com HTTP/client.example.com ipa rolegroup-add-member --hosts=client.example.com certadmin client ipa-client-install ipa-join -w secret123 kinit -kt /etc/krb5.keytab host/client.example.com ipa -d cert-request file://web.csr --principal=HTTP/client.example.com
2009-11-03 08:35:19 -06:00
member_attributes = ['managedby']
Make the service plugin use baseldap classes.
2009-09-15 06:04:09 -05:00
def pre_callback(self, ldap, dn, *keys, **options):
if self.api.env.enable_ra:
(dn, entry_attrs) = ldap.get_entry(dn, ['usercertificate'])
cert = entry_attrs.get('usercertificate')
if cert:
Clean up crypto code, take advantage of new nss-python capabilities This patch does the following: - drops our in-tree x509v3 parser to use the python-nss one - return more information on certificates - make an API change, renaming cert-get to cert-show - Drop a lot of duplicated code
2010-06-24 10:40:02 -05:00
cert = cert[0]
Add NotImplementedError type so CA plugins can return client-friendly errors Ignore NotImplementedError when revoking a certificate as this isn't implemented in the selfsign plugin. Also use the new type argument in x509.load_certificate(). Certificates are coming out of LDAP as binary instead of base64-encoding.
2009-12-01 16:17:15 -06:00
try:
Enable a host to retrieve a keytab for all its services. Using the host service principal one should be able to retrieve a keytab for other services for the host using ipa-getkeytab. This required a number of changes: - allow hosts in the service's managedby to write krbPrincipalKey - automatically add the host to managedby when a service is created - fix ipa-getkeytab to return the entire prinicpal and not just the first data element. It was returning "host" from the service tgt and not host/ipa.example.com - fix the display of the managedby attribute in the service plugin This led to a number of changes in the service unit tests. I took the opportunity to switch to the Declarative scheme and tripled the number of tests we were doing. This shed some light on a few bugs in the plugin: - if a service had a bad usercertificate it was impossible to delete the service. I made it a bit more flexible. - I added a summary for the mod and find commands - has_keytab wasn't being set in the find output ticket 68
2010-08-05 21:41:32 -05:00
serial = unicode(x509.get_serial_number(cert, x509.DER))
try:
result = api.Command['cert_show'](unicode(serial))['result']
if 'revocation_reason' not in result:
try:
api.Command['cert_revoke'](unicode(serial), revocation_reason=4)
except errors.NotImplementedError:
# some CA's might not implement revoke
pass
except errors.NotImplementedError:
# some CA's might not implement revoke
pass
except NSPRError, nsprerr:
if nsprerr.errno == -8183:
# If we can't decode the cert them proceed with
# removing the service.
self.log.info("Problem decoding certificate %s" % nsprerr.args[1])
else:
raise nsprerr
Make the service plugin use baseldap classes.
2009-09-15 06:04:09 -05:00
return dn
Add service plugin port to new LDAP backend.
2009-05-27 08:55:26 -05:00
Rename *-create/*-delete commands to *-add/*-del respectively.
2009-06-16 09:51:44 -05:00
api.register(service_del)
Add service plugin port to new LDAP backend.
2009-05-27 08:55:26 -05:00
Make the service plugin use baseldap classes.
2009-09-15 06:04:09 -05:00
class service_mod(LDAPUpdate):
Add service plugin port to new LDAP backend.
2009-05-27 08:55:26 -05:00
"""
Update command documentation based on feedback from docs team. ticket #158
2010-08-24 22:40:32 -05:00
Modify an existing IPA service.
Add service plugin port to new LDAP backend.
2009-05-27 08:55:26 -05:00
"""
Enable a host to retrieve a keytab for all its services. Using the host service principal one should be able to retrieve a keytab for other services for the host using ipa-getkeytab. This required a number of changes: - allow hosts in the service's managedby to write krbPrincipalKey - automatically add the host to managedby when a service is created - fix ipa-getkeytab to return the entire prinicpal and not just the first data element. It was returning "host" from the service tgt and not host/ipa.example.com - fix the display of the managedby attribute in the service plugin This led to a number of changes in the service unit tests. I took the opportunity to switch to the Declarative scheme and tripled the number of tests we were doing. This shed some light on a few bugs in the plugin: - if a service had a bad usercertificate it was impossible to delete the service. I made it a bit more flexible. - I added a summary for the mod and find commands - has_keytab wasn't being set in the find output ticket 68
2010-08-05 21:41:32 -05:00
msg_summary = _('Modified service "%(value)s"')
Certificate management for services. This is an initial implementation of certificate management for services. It addresses the mechanism required to view and update certificates. The complete UI implementation will be addressed in subsequent patches. On the server side, the service.py has been modified to define usercertificate in the service object's takes_params. This is needed to generate the proper JSON metadata which is needed by the UI. It also has been modified to accept null certificate for deletion. On the client side, the service details page has been modified to display the base64-encoded certificate in a text area. When the page is saved, the action handler will store the base64-encoded certificate in the proper JSON structure. Also the service name and service hostname are now displayed in separate fields. The details configuration has been modified to support displaying and updating certificates. The structure is changed to use maps to define sections and fields. A section contains name, label, and an array of fields. A field contains name, label, setup function, load function, and save function. This is used to implement custom interface and behavior for certificates. All other entities, test cases, and test data have been updated accordingly. Some functions and variables have been renamed to improve clarity and consistency.
2010-10-07 14:02:44 -05:00
takes_options = LDAPUpdate.takes_options
Enable a host to retrieve a keytab for all its services. Using the host service principal one should be able to retrieve a keytab for other services for the host using ipa-getkeytab. This required a number of changes: - allow hosts in the service's managedby to write krbPrincipalKey - automatically add the host to managedby when a service is created - fix ipa-getkeytab to return the entire prinicpal and not just the first data element. It was returning "host" from the service tgt and not host/ipa.example.com - fix the display of the managedby attribute in the service plugin This led to a number of changes in the service unit tests. I took the opportunity to switch to the Declarative scheme and tripled the number of tests we were doing. This shed some light on a few bugs in the plugin: - if a service had a bad usercertificate it was impossible to delete the service. I made it a bit more flexible. - I added a summary for the mod and find commands - has_keytab wasn't being set in the find output ticket 68
2010-08-05 21:41:32 -05:00
has_output_params = LDAPUpdate.has_output_params + output_params
Add API to delete a service principal key, service-disable. I have to do some pretty low-level LDAP work to achieve this. Since we can't read the key using our modlist generator won't work and lots of tricks would be needed to use the LDAPUpdate object in any case. I pulled usercertificate out of the global params and put into each appropriate function because it makes no sense for service-disable. This also adds a new variable, has_keytab, to service/host_show output. This flag tells us whether there is a krbprincipalkey.
2010-07-12 16:45:06 -05:00
Use a new mechanism for delegating certificate issuance. Using the client IP address was a rather poor mechanism for controlling who could request certificates for whom. Instead the client machine will bind using the host service principal and request the certificate. In order to do this: * the service will need to exist * the machine needs to be in the certadmin rolegroup * the host needs to be in the managedBy attribute of the service It might look something like: admin ipa host-add client.example.com --password=secret123 ipa service-add HTTP/client.example.com ipa service-add-host --hosts=client.example.com HTTP/client.example.com ipa rolegroup-add-member --hosts=client.example.com certadmin client ipa-client-install ipa-join -w secret123 kinit -kt /etc/krb5.keytab host/client.example.com ipa -d cert-request file://web.csr --principal=HTTP/client.example.com
2009-11-03 08:35:19 -06:00
member_attributes = ['managedby']
Add API to delete a service principal key, service-disable. I have to do some pretty low-level LDAP work to achieve this. Since we can't read the key using our modlist generator won't work and lots of tricks would be needed to use the LDAPUpdate object in any case. I pulled usercertificate out of the global params and put into each appropriate function because it makes no sense for service-disable. This also adds a new variable, has_keytab, to service/host_show output. This flag tells us whether there is a krbprincipalkey.
2010-07-12 16:45:06 -05:00
Make the service plugin use baseldap classes.
2009-09-15 06:04:09 -05:00
def pre_callback(self, ldap, dn, entry_attrs, *keys, **options):
Fix replacing a certificate in a service. When a service has a certificate and the CA backend doesn't support revocation (like selfsign) then we simply drop the old certificate in preparation for adding a new one. We weren't setting the usercertificate attribute to None so there was nothing to do in ldap_update(). Added a test case for this situation to ensure that re-issuing a certificate works. ticket #88
2010-07-22 15:08:17 -05:00
if 'usercertificate' in options:
Require an imported certificate's issuer to match our issuer. The goal is to not import foreign certificates. This caused a bunch of tests to fail because we had a hardcoded server certificate. Instead a developer will need to run make-testcert to create a server certificate generated by the local CA to test against. ticket 1134
2011-04-26 15:45:19 -05:00
(service, hostname, realm) = split_principal(keys[-1])
Fix replacing a certificate in a service. When a service has a certificate and the CA backend doesn't support revocation (like selfsign) then we simply drop the old certificate in preparation for adding a new one. We weren't setting the usercertificate attribute to None so there was nothing to do in ldap_update(). Added a test case for this situation to ensure that re-issuing a certificate works. ticket #88
2010-07-22 15:08:17 -05:00
cert = options.get('usercertificate')
if cert:
Make data type of certificates more obvious/predictable internally. For the most part certificates will be treated as being in DER format. When we load a certificate we will generally accept it in any format but will convert it to DER before proceeding in normalize_certificate(). This also re-arranges a bit of code to pull some certificate-specific functions out of ipalib/plugins/service.py into ipalib/x509.py. This also tries to use variable names to indicate what format the certificate is in at any given point: dercert: DER cert: PEM nsscert: a python-nss Certificate object rawcert: unknown format ticket 32
2011-06-08 09:54:41 -05:00
dercert = x509.normalize_certificate(cert)
x509.verify_cert_subject(ldap, hostname, dercert)
Fix replacing a certificate in a service. When a service has a certificate and the CA backend doesn't support revocation (like selfsign) then we simply drop the old certificate in preparation for adding a new one. We weren't setting the usercertificate attribute to None so there was nothing to do in ldap_update(). Added a test case for this situation to ensure that re-issuing a certificate works. ticket #88
2010-07-22 15:08:17 -05:00
(dn, entry_attrs_old) = ldap.get_entry(dn, ['usercertificate'])
if 'usercertificate' in entry_attrs_old:
# FIXME: what to do here? do we revoke the old cert?
fmt = 'entry already has a certificate, serial number: %s' % (
x509.get_serial_number(entry_attrs_old['usercertificate'][0], x509.DER)
)
raise errors.GenericError(format=fmt)
Make data type of certificates more obvious/predictable internally. For the most part certificates will be treated as being in DER format. When we load a certificate we will generally accept it in any format but will convert it to DER before proceeding in normalize_certificate(). This also re-arranges a bit of code to pull some certificate-specific functions out of ipalib/plugins/service.py into ipalib/x509.py. This also tries to use variable names to indicate what format the certificate is in at any given point: dercert: DER cert: PEM nsscert: a python-nss Certificate object rawcert: unknown format ticket 32
2011-06-08 09:54:41 -05:00
entry_attrs['usercertificate'] = dercert
Fix replacing a certificate in a service. When a service has a certificate and the CA backend doesn't support revocation (like selfsign) then we simply drop the old certificate in preparation for adding a new one. We weren't setting the usercertificate attribute to None so there was nothing to do in ldap_update(). Added a test case for this situation to ensure that re-issuing a certificate works. ticket #88
2010-07-22 15:08:17 -05:00
else:
entry_attrs['usercertificate'] = None
Make the service plugin use baseldap classes.
2009-09-15 06:04:09 -05:00
return dn
Add service plugin port to new LDAP backend.
2009-05-27 08:55:26 -05:00
Revoke a host's certificate (if any) when it is deleted or disabled. Disable any services when its host is disabled. This also adds displaying the certificate attributes (subject, etc) a bit more universal and centralized in a single function. ticket 297
2010-11-05 14:16:53 -05:00
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
set_certificate_attrs(entry_attrs)
Rename plugins2 to plugins.
2009-06-16 07:38:27 -05:00
api.register(service_mod)
Add service plugin port to new LDAP backend.
2009-05-27 08:55:26 -05:00
Make the service plugin use baseldap classes.
2009-09-15 06:04:09 -05:00
class service_find(LDAPSearch):
Add service plugin port to new LDAP backend.
2009-05-27 08:55:26 -05:00
"""
Update command documentation based on feedback from docs team. ticket #158
2010-08-24 22:40:32 -05:00
Search for IPA services.
Add service plugin port to new LDAP backend.
2009-05-27 08:55:26 -05:00
"""
Enable a host to retrieve a keytab for all its services. Using the host service principal one should be able to retrieve a keytab for other services for the host using ipa-getkeytab. This required a number of changes: - allow hosts in the service's managedby to write krbPrincipalKey - automatically add the host to managedby when a service is created - fix ipa-getkeytab to return the entire prinicpal and not just the first data element. It was returning "host" from the service tgt and not host/ipa.example.com - fix the display of the managedby attribute in the service plugin This led to a number of changes in the service unit tests. I took the opportunity to switch to the Declarative scheme and tripled the number of tests we were doing. This shed some light on a few bugs in the plugin: - if a service had a bad usercertificate it was impossible to delete the service. I made it a bit more flexible. - I added a summary for the mod and find commands - has_keytab wasn't being set in the find output ticket 68
2010-08-05 21:41:32 -05:00
msg_summary = ngettext(
Fix translatable strings in ipalib plugins. Needed for xgettext/pygettext processing.
2011-02-23 15:47:49 -06:00
'%(count)d service matched', '%(count)d services matched', 0
Enable a host to retrieve a keytab for all its services. Using the host service principal one should be able to retrieve a keytab for other services for the host using ipa-getkeytab. This required a number of changes: - allow hosts in the service's managedby to write krbPrincipalKey - automatically add the host to managedby when a service is created - fix ipa-getkeytab to return the entire prinicpal and not just the first data element. It was returning "host" from the service tgt and not host/ipa.example.com - fix the display of the managedby attribute in the service plugin This led to a number of changes in the service unit tests. I took the opportunity to switch to the Declarative scheme and tripled the number of tests we were doing. This shed some light on a few bugs in the plugin: - if a service had a bad usercertificate it was impossible to delete the service. I made it a bit more flexible. - I added a summary for the mod and find commands - has_keytab wasn't being set in the find output ticket 68
2010-08-05 21:41:32 -05:00
)
Use a new mechanism for delegating certificate issuance. Using the client IP address was a rather poor mechanism for controlling who could request certificates for whom. Instead the client machine will bind using the host service principal and request the certificate. In order to do this: * the service will need to exist * the machine needs to be in the certadmin rolegroup * the host needs to be in the managedBy attribute of the service It might look something like: admin ipa host-add client.example.com --password=secret123 ipa service-add HTTP/client.example.com ipa service-add-host --hosts=client.example.com HTTP/client.example.com ipa rolegroup-add-member --hosts=client.example.com certadmin client ipa-client-install ipa-join -w secret123 kinit -kt /etc/krb5.keytab host/client.example.com ipa -d cert-request file://web.csr --principal=HTTP/client.example.com
2009-11-03 08:35:19 -06:00
member_attributes = ['managedby']
Certificate management for services. This is an initial implementation of certificate management for services. It addresses the mechanism required to view and update certificates. The complete UI implementation will be addressed in subsequent patches. On the server side, the service.py has been modified to define usercertificate in the service object's takes_params. This is needed to generate the proper JSON metadata which is needed by the UI. It also has been modified to accept null certificate for deletion. On the client side, the service details page has been modified to display the base64-encoded certificate in a text area. When the page is saved, the action handler will store the base64-encoded certificate in the proper JSON structure. Also the service name and service hostname are now displayed in separate fields. The details configuration has been modified to support displaying and updating certificates. The structure is changed to use maps to define sections and fields. A section contains name, label, and an array of fields. A field contains name, label, setup function, load function, and save function. This is used to implement custom interface and behavior for certificates. All other entities, test cases, and test data have been updated accordingly. Some functions and variables have been renamed to improve clarity and consistency.
2010-10-07 14:02:44 -05:00
takes_options = LDAPSearch.takes_options
Enable a host to retrieve a keytab for all its services. Using the host service principal one should be able to retrieve a keytab for other services for the host using ipa-getkeytab. This required a number of changes: - allow hosts in the service's managedby to write krbPrincipalKey - automatically add the host to managedby when a service is created - fix ipa-getkeytab to return the entire prinicpal and not just the first data element. It was returning "host" from the service tgt and not host/ipa.example.com - fix the display of the managedby attribute in the service plugin This led to a number of changes in the service unit tests. I took the opportunity to switch to the Declarative scheme and tripled the number of tests we were doing. This shed some light on a few bugs in the plugin: - if a service had a bad usercertificate it was impossible to delete the service. I made it a bit more flexible. - I added a summary for the mod and find commands - has_keytab wasn't being set in the find output ticket 68
2010-08-05 21:41:32 -05:00
has_output_params = LDAPSearch.has_output_params + output_params
Change signature of LDAPSearch.pre_callback. Add the opportunity to change base DN and scope in the callback.
2010-11-23 08:02:54 -06:00
def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *args, **options):
Add service plugin port to new LDAP backend.
2009-05-27 08:55:26 -05:00
# lisp style!
custom_filter = '(&(objectclass=ipaService)' \
'(!(objectClass=posixAccount))' \
'(!(|(krbprincipalname=kadmin/*)' \
'(krbprincipalname=K/M@*)' \
'(krbprincipalname=krbtgt/*))' \
')' \
')'
Change signature of LDAPSearch.pre_callback. Add the opportunity to change base DN and scope in the callback.
2010-11-23 08:02:54 -06:00
return (
ldap.combine_filters((custom_filter, filter), rules=ldap.MATCH_ALL),
base_dn, scope
Add service plugin port to new LDAP backend.
2009-05-27 08:55:26 -05:00
)
Enable a host to retrieve a keytab for all its services. Using the host service principal one should be able to retrieve a keytab for other services for the host using ipa-getkeytab. This required a number of changes: - allow hosts in the service's managedby to write krbPrincipalKey - automatically add the host to managedby when a service is created - fix ipa-getkeytab to return the entire prinicpal and not just the first data element. It was returning "host" from the service tgt and not host/ipa.example.com - fix the display of the managedby attribute in the service plugin This led to a number of changes in the service unit tests. I took the opportunity to switch to the Declarative scheme and tripled the number of tests we were doing. This shed some light on a few bugs in the plugin: - if a service had a bad usercertificate it was impossible to delete the service. I made it a bit more flexible. - I added a summary for the mod and find commands - has_keytab wasn't being set in the find output ticket 68
2010-08-05 21:41:32 -05:00
def post_callback(self, ldap, entries, truncated, *args, **options):
for entry in entries:
entry_attrs = entry[1]
if 'krblastpwdchange' in entry_attrs:
entry_attrs['has_keytab'] = True
if not options.get('all', False):
del entry_attrs['krblastpwdchange']
else:
entry_attrs['has_keytab'] = False
Revoke a host's certificate (if any) when it is deleted or disabled. Disable any services when its host is disabled. This also adds displaying the certificate attributes (subject, etc) a bit more universal and centralized in a single function. ticket 297
2010-11-05 14:16:53 -05:00
set_certificate_attrs(entry_attrs)
Enable a host to retrieve a keytab for all its services. Using the host service principal one should be able to retrieve a keytab for other services for the host using ipa-getkeytab. This required a number of changes: - allow hosts in the service's managedby to write krbPrincipalKey - automatically add the host to managedby when a service is created - fix ipa-getkeytab to return the entire prinicpal and not just the first data element. It was returning "host" from the service tgt and not host/ipa.example.com - fix the display of the managedby attribute in the service plugin This led to a number of changes in the service unit tests. I took the opportunity to switch to the Declarative scheme and tripled the number of tests we were doing. This shed some light on a few bugs in the plugin: - if a service had a bad usercertificate it was impossible to delete the service. I made it a bit more flexible. - I added a summary for the mod and find commands - has_keytab wasn't being set in the find output ticket 68
2010-08-05 21:41:32 -05:00
Rename plugins2 to plugins.
2009-06-16 07:38:27 -05:00
api.register(service_find)
Add service plugin port to new LDAP backend.
2009-05-27 08:55:26 -05:00
Make the service plugin use baseldap classes.
2009-09-15 06:04:09 -05:00
class service_show(LDAPRetrieve):
Add service plugin port to new LDAP backend.
2009-05-27 08:55:26 -05:00
"""
Update command documentation based on feedback from docs team. ticket #158
2010-08-24 22:40:32 -05:00
Display information about an IPA service.
Add service plugin port to new LDAP backend.
2009-05-27 08:55:26 -05:00
"""
Use a new mechanism for delegating certificate issuance. Using the client IP address was a rather poor mechanism for controlling who could request certificates for whom. Instead the client machine will bind using the host service principal and request the certificate. In order to do this: * the service will need to exist * the machine needs to be in the certadmin rolegroup * the host needs to be in the managedBy attribute of the service It might look something like: admin ipa host-add client.example.com --password=secret123 ipa service-add HTTP/client.example.com ipa service-add-host --hosts=client.example.com HTTP/client.example.com ipa rolegroup-add-member --hosts=client.example.com certadmin client ipa-client-install ipa-join -w secret123 kinit -kt /etc/krb5.keytab host/client.example.com ipa -d cert-request file://web.csr --principal=HTTP/client.example.com
2009-11-03 08:35:19 -06:00
member_attributes = ['managedby']
Add --out option to service, host and cert-show to save the cert to a file. Override forward() to grab the result and if a certificate is in the entry and the file is writable then dump the certificate in PEM format. ticket 473
2010-12-10 09:53:20 -06:00
takes_options = LDAPRetrieve.takes_options + (
Str('out?',
doc=_('file to store certificate in'),
),
)
Service certificate UI. The service.py has been modified to include certificate info in the service-show result if the service contains usercertificate. A new file certificate.js has been added to store codes related to certificates (e.g. revocation reasons, dialog boxes). The service.js has been modified to provide the UI for certificate management. The certificate.js can also be used for host certificate management. The Makefile.am and index.xhtml has been modified to include certificate.js. New test data files have been added for certificate operations. To test revoke and restore operations the server needs to be installed with dogtag CA instead of self-signed CA. The certificate status and revocation reason in the details page will be implemented in subsequent patches. Unit tests will also be added in subsequent patches.
2010-10-15 12:22:01 -05:00
Add API to delete a service principal key, service-disable. I have to do some pretty low-level LDAP work to achieve this. Since we can't read the key using our modlist generator won't work and lots of tricks would be needed to use the LDAPUpdate object in any case. I pulled usercertificate out of the global params and put into each appropriate function because it makes no sense for service-disable. This also adds a new variable, has_keytab, to service/host_show output. This flag tells us whether there is a krbprincipalkey.
2010-07-12 16:45:06 -05:00
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
if 'krblastpwdchange' in entry_attrs:
entry_attrs['has_keytab'] = True
if not options.get('all', False):
del entry_attrs['krblastpwdchange']
else:
entry_attrs['has_keytab'] = False
Revoke a host's certificate (if any) when it is deleted or disabled. Disable any services when its host is disabled. This also adds displaying the certificate attributes (subject, etc) a bit more universal and centralized in a single function. ticket 297
2010-11-05 14:16:53 -05:00
set_certificate_attrs(entry_attrs)
Service certificate UI. The service.py has been modified to include certificate info in the service-show result if the service contains usercertificate. A new file certificate.js has been added to store codes related to certificates (e.g. revocation reasons, dialog boxes). The service.js has been modified to provide the UI for certificate management. The certificate.js can also be used for host certificate management. The Makefile.am and index.xhtml has been modified to include certificate.js. New test data files have been added for certificate operations. To test revoke and restore operations the server needs to be installed with dogtag CA instead of self-signed CA. The certificate status and revocation reason in the details page will be implemented in subsequent patches. Unit tests will also be added in subsequent patches.
2010-10-15 12:22:01 -05:00
Add API to delete a service principal key, service-disable. I have to do some pretty low-level LDAP work to achieve this. Since we can't read the key using our modlist generator won't work and lots of tricks would be needed to use the LDAPUpdate object in any case. I pulled usercertificate out of the global params and put into each appropriate function because it makes no sense for service-disable. This also adds a new variable, has_keytab, to service/host_show output. This flag tells us whether there is a krbprincipalkey.
2010-07-12 16:45:06 -05:00
return dn
Add service plugin port to new LDAP backend.
2009-05-27 08:55:26 -05:00
Add --out option to service, host and cert-show to save the cert to a file. Override forward() to grab the result and if a certificate is in the entry and the file is writable then dump the certificate in PEM format. ticket 473
2010-12-10 09:53:20 -06:00
def forward(self, *keys, **options):
if 'out' in options:
Make data type of certificates more obvious/predictable internally. For the most part certificates will be treated as being in DER format. When we load a certificate we will generally accept it in any format but will convert it to DER before proceeding in normalize_certificate(). This also re-arranges a bit of code to pull some certificate-specific functions out of ipalib/plugins/service.py into ipalib/x509.py. This also tries to use variable names to indicate what format the certificate is in at any given point: dercert: DER cert: PEM nsscert: a python-nss Certificate object rawcert: unknown format ticket 32
2011-06-08 09:54:41 -05:00
util.check_writable_file(options['out'])
Add --out option to service, host and cert-show to save the cert to a file. Override forward() to grab the result and if a certificate is in the entry and the file is writable then dump the certificate in PEM format. ticket 473
2010-12-10 09:53:20 -06:00
result = super(service_show, self).forward(*keys, **options)
if 'usercertificate' in result['result']:
Make data type of certificates more obvious/predictable internally. For the most part certificates will be treated as being in DER format. When we load a certificate we will generally accept it in any format but will convert it to DER before proceeding in normalize_certificate(). This also re-arranges a bit of code to pull some certificate-specific functions out of ipalib/plugins/service.py into ipalib/x509.py. This also tries to use variable names to indicate what format the certificate is in at any given point: dercert: DER cert: PEM nsscert: a python-nss Certificate object rawcert: unknown format ticket 32
2011-06-08 09:54:41 -05:00
x509.write_certificate(result['result']['usercertificate'][0], options['out'])
Add --out option to service, host and cert-show to save the cert to a file. Override forward() to grab the result and if a certificate is in the entry and the file is writable then dump the certificate in PEM format. ticket 473
2010-12-10 09:53:20 -06:00
result['summary'] = _('Certificate stored in file \'%(file)s\'') % dict(file=options['out'])
return result
else:
raise errors.NoCertificateError(entry=keys[-1])
else:
return super(service_show, self).forward(*keys, **options)
Rename plugins2 to plugins.
2009-06-16 07:38:27 -05:00
api.register(service_show)
Add service plugin port to new LDAP backend.
2009-05-27 08:55:26 -05:00
Use a new mechanism for delegating certificate issuance. Using the client IP address was a rather poor mechanism for controlling who could request certificates for whom. Instead the client machine will bind using the host service principal and request the certificate. In order to do this: * the service will need to exist * the machine needs to be in the certadmin rolegroup * the host needs to be in the managedBy attribute of the service It might look something like: admin ipa host-add client.example.com --password=secret123 ipa service-add HTTP/client.example.com ipa service-add-host --hosts=client.example.com HTTP/client.example.com ipa rolegroup-add-member --hosts=client.example.com certadmin client ipa-client-install ipa-join -w secret123 kinit -kt /etc/krb5.keytab host/client.example.com ipa -d cert-request file://web.csr --principal=HTTP/client.example.com
2009-11-03 08:35:19 -06:00
class service_add_host(LDAPAddMember):
"""
Use pyasn1-based PKCS#10 and X509v3 parsers instead of pyOpenSSL. The pyOpenSSL PKCS#10 parser doesn't support attributes so we can't identify requests with subject alt names. Subject alt names are only allowed if: - the host for the alt name exists in IPA - if binding as host principal, the host is in the services managedBy attr
2009-11-24 15:07:44 -06:00
Add hosts that can manage this service.
Use a new mechanism for delegating certificate issuance. Using the client IP address was a rather poor mechanism for controlling who could request certificates for whom. Instead the client machine will bind using the host service principal and request the certificate. In order to do this: * the service will need to exist * the machine needs to be in the certadmin rolegroup * the host needs to be in the managedBy attribute of the service It might look something like: admin ipa host-add client.example.com --password=secret123 ipa service-add HTTP/client.example.com ipa service-add-host --hosts=client.example.com HTTP/client.example.com ipa rolegroup-add-member --hosts=client.example.com certadmin client ipa-client-install ipa-join -w secret123 kinit -kt /etc/krb5.keytab host/client.example.com ipa -d cert-request file://web.csr --principal=HTTP/client.example.com
2009-11-03 08:35:19 -06:00
"""
member_attributes = ['managedby']
Enable a host to retrieve a keytab for all its services. Using the host service principal one should be able to retrieve a keytab for other services for the host using ipa-getkeytab. This required a number of changes: - allow hosts in the service's managedby to write krbPrincipalKey - automatically add the host to managedby when a service is created - fix ipa-getkeytab to return the entire prinicpal and not just the first data element. It was returning "host" from the service tgt and not host/ipa.example.com - fix the display of the managedby attribute in the service plugin This led to a number of changes in the service unit tests. I took the opportunity to switch to the Declarative scheme and tripled the number of tests we were doing. This shed some light on a few bugs in the plugin: - if a service had a bad usercertificate it was impossible to delete the service. I made it a bit more flexible. - I added a summary for the mod and find commands - has_keytab wasn't being set in the find output ticket 68
2010-08-05 21:41:32 -05:00
has_output_params = LDAPAddMember.has_output_params + output_params
Use a new mechanism for delegating certificate issuance. Using the client IP address was a rather poor mechanism for controlling who could request certificates for whom. Instead the client machine will bind using the host service principal and request the certificate. In order to do this: * the service will need to exist * the machine needs to be in the certadmin rolegroup * the host needs to be in the managedBy attribute of the service It might look something like: admin ipa host-add client.example.com --password=secret123 ipa service-add HTTP/client.example.com ipa service-add-host --hosts=client.example.com HTTP/client.example.com ipa rolegroup-add-member --hosts=client.example.com certadmin client ipa-client-install ipa-join -w secret123 kinit -kt /etc/krb5.keytab host/client.example.com ipa -d cert-request file://web.csr --principal=HTTP/client.example.com
2009-11-03 08:35:19 -06:00
api.register(service_add_host)
class service_remove_host(LDAPRemoveMember):
"""
Use pyasn1-based PKCS#10 and X509v3 parsers instead of pyOpenSSL. The pyOpenSSL PKCS#10 parser doesn't support attributes so we can't identify requests with subject alt names. Subject alt names are only allowed if: - the host for the alt name exists in IPA - if binding as host principal, the host is in the services managedBy attr
2009-11-24 15:07:44 -06:00
Remove hosts that can manage this service.
Use a new mechanism for delegating certificate issuance. Using the client IP address was a rather poor mechanism for controlling who could request certificates for whom. Instead the client machine will bind using the host service principal and request the certificate. In order to do this: * the service will need to exist * the machine needs to be in the certadmin rolegroup * the host needs to be in the managedBy attribute of the service It might look something like: admin ipa host-add client.example.com --password=secret123 ipa service-add HTTP/client.example.com ipa service-add-host --hosts=client.example.com HTTP/client.example.com ipa rolegroup-add-member --hosts=client.example.com certadmin client ipa-client-install ipa-join -w secret123 kinit -kt /etc/krb5.keytab host/client.example.com ipa -d cert-request file://web.csr --principal=HTTP/client.example.com
2009-11-03 08:35:19 -06:00
"""
member_attributes = ['managedby']
Enable a host to retrieve a keytab for all its services. Using the host service principal one should be able to retrieve a keytab for other services for the host using ipa-getkeytab. This required a number of changes: - allow hosts in the service's managedby to write krbPrincipalKey - automatically add the host to managedby when a service is created - fix ipa-getkeytab to return the entire prinicpal and not just the first data element. It was returning "host" from the service tgt and not host/ipa.example.com - fix the display of the managedby attribute in the service plugin This led to a number of changes in the service unit tests. I took the opportunity to switch to the Declarative scheme and tripled the number of tests we were doing. This shed some light on a few bugs in the plugin: - if a service had a bad usercertificate it was impossible to delete the service. I made it a bit more flexible. - I added a summary for the mod and find commands - has_keytab wasn't being set in the find output ticket 68
2010-08-05 21:41:32 -05:00
has_output_params = LDAPRemoveMember.has_output_params + output_params
Use a new mechanism for delegating certificate issuance. Using the client IP address was a rather poor mechanism for controlling who could request certificates for whom. Instead the client machine will bind using the host service principal and request the certificate. In order to do this: * the service will need to exist * the machine needs to be in the certadmin rolegroup * the host needs to be in the managedBy attribute of the service It might look something like: admin ipa host-add client.example.com --password=secret123 ipa service-add HTTP/client.example.com ipa service-add-host --hosts=client.example.com HTTP/client.example.com ipa rolegroup-add-member --hosts=client.example.com certadmin client ipa-client-install ipa-join -w secret123 kinit -kt /etc/krb5.keytab host/client.example.com ipa -d cert-request file://web.csr --principal=HTTP/client.example.com
2009-11-03 08:35:19 -06:00
api.register(service_remove_host)
Add API to delete a service principal key, service-disable. I have to do some pretty low-level LDAP work to achieve this. Since we can't read the key using our modlist generator won't work and lots of tricks would be needed to use the LDAPUpdate object in any case. I pulled usercertificate out of the global params and put into each appropriate function because it makes no sense for service-disable. This also adds a new variable, has_keytab, to service/host_show output. This flag tells us whether there is a krbprincipalkey.
2010-07-12 16:45:06 -05:00
class service_disable(LDAPQuery):
"""
Service/Host disable command output clarification When a service/host is disabled, the resulting summary message states that a Kerberos key was disabled. However, Kerberos key may not have been enabled before this command at all, which makes this information confusing for some users. Also, the summary message didn't state that an SSL certificate was disabled too. This patch rather changes the summary message to a standard phrase known from other plugins disable command and states all disable command steps in a respective command help. https://fedorahosted.org/freeipa/ticket/872
2011-02-16 03:35:49 -06:00
Disable the Kerberos key and SSL certificate of a service.
Add API to delete a service principal key, service-disable. I have to do some pretty low-level LDAP work to achieve this. Since we can't read the key using our modlist generator won't work and lots of tricks would be needed to use the LDAPUpdate object in any case. I pulled usercertificate out of the global params and put into each appropriate function because it makes no sense for service-disable. This also adds a new variable, has_keytab, to service/host_show output. This flag tells us whether there is a krbprincipalkey.
2010-07-12 16:45:06 -05:00
"""
has_output = output.standard_value
Service/Host disable command output clarification When a service/host is disabled, the resulting summary message states that a Kerberos key was disabled. However, Kerberos key may not have been enabled before this command at all, which makes this information confusing for some users. Also, the summary message didn't state that an SSL certificate was disabled too. This patch rather changes the summary message to a standard phrase known from other plugins disable command and states all disable command steps in a respective command help. https://fedorahosted.org/freeipa/ticket/872
2011-02-16 03:35:49 -06:00
msg_summary = _('Disabled service "%(value)s"')
Enable a host to retrieve a keytab for all its services. Using the host service principal one should be able to retrieve a keytab for other services for the host using ipa-getkeytab. This required a number of changes: - allow hosts in the service's managedby to write krbPrincipalKey - automatically add the host to managedby when a service is created - fix ipa-getkeytab to return the entire prinicpal and not just the first data element. It was returning "host" from the service tgt and not host/ipa.example.com - fix the display of the managedby attribute in the service plugin This led to a number of changes in the service unit tests. I took the opportunity to switch to the Declarative scheme and tripled the number of tests we were doing. This shed some light on a few bugs in the plugin: - if a service had a bad usercertificate it was impossible to delete the service. I made it a bit more flexible. - I added a summary for the mod and find commands - has_keytab wasn't being set in the find output ticket 68
2010-08-05 21:41:32 -05:00
has_output_params = LDAPQuery.has_output_params + output_params
Add API to delete a service principal key, service-disable. I have to do some pretty low-level LDAP work to achieve this. Since we can't read the key using our modlist generator won't work and lots of tricks would be needed to use the LDAPUpdate object in any case. I pulled usercertificate out of the global params and put into each appropriate function because it makes no sense for service-disable. This also adds a new variable, has_keytab, to service/host_show output. This flag tells us whether there is a krbprincipalkey.
2010-07-12 16:45:06 -05:00
def execute(self, *keys, **options):
ldap = self.obj.backend
dn = self.obj.get_dn(*keys, **options)
Revoke a host's certificate (if any) when it is deleted or disabled. Disable any services when its host is disabled. This also adds displaying the certificate attributes (subject, etc) a bit more universal and centralized in a single function. ticket 297
2010-11-05 14:16:53 -05:00
(dn, entry_attrs) = ldap.get_entry(dn, ['krblastpwdchange', 'usercertificate'])
# See if we do any work at all here and if not raise an exception
done_work = False
Add API to delete a service principal key, service-disable. I have to do some pretty low-level LDAP work to achieve this. Since we can't read the key using our modlist generator won't work and lots of tricks would be needed to use the LDAPUpdate object in any case. I pulled usercertificate out of the global params and put into each appropriate function because it makes no sense for service-disable. This also adds a new variable, has_keytab, to service/host_show output. This flag tells us whether there is a krbprincipalkey.
2010-07-12 16:45:06 -05:00
Revoke a host's certificate (if any) when it is deleted or disabled. Disable any services when its host is disabled. This also adds displaying the certificate attributes (subject, etc) a bit more universal and centralized in a single function. ticket 297
2010-11-05 14:16:53 -05:00
if 'usercertificate' in entry_attrs:
Make data type of certificates more obvious/predictable internally. For the most part certificates will be treated as being in DER format. When we load a certificate we will generally accept it in any format but will convert it to DER before proceeding in normalize_certificate(). This also re-arranges a bit of code to pull some certificate-specific functions out of ipalib/plugins/service.py into ipalib/x509.py. This also tries to use variable names to indicate what format the certificate is in at any given point: dercert: DER cert: PEM nsscert: a python-nss Certificate object rawcert: unknown format ticket 32
2011-06-08 09:54:41 -05:00
cert = x509.normalize_certificate(entry_attrs.get('usercertificate')[0])
Revoke a host's certificate (if any) when it is deleted or disabled. Disable any services when its host is disabled. This also adds displaying the certificate attributes (subject, etc) a bit more universal and centralized in a single function. ticket 297
2010-11-05 14:16:53 -05:00
try:
serial = unicode(x509.get_serial_number(cert, x509.DER))
try:
result = api.Command['cert_show'](unicode(serial))['result']
if 'revocation_reason' not in result:
try:
api.Command['cert_revoke'](unicode(serial), revocation_reason=4)
except errors.NotImplementedError:
# some CA's might not implement revoke
pass
except errors.NotImplementedError:
# some CA's might not implement revoke
pass
except NSPRError, nsprerr:
if nsprerr.errno == -8183:
# If we can't decode the cert them proceed with
# disabling the service
self.log.info("Problem decoding certificate %s" % nsprerr.args[1])
else:
raise nsprerr
# Remove the usercertificate altogether
ldap.update_entry(dn, {'usercertificate': None})
done_work = True
if 'krblastpwdchange' in entry_attrs:
ldap.remove_principal_key(dn)
done_work = True
Add API to delete a service principal key, service-disable. I have to do some pretty low-level LDAP work to achieve this. Since we can't read the key using our modlist generator won't work and lots of tricks would be needed to use the LDAPUpdate object in any case. I pulled usercertificate out of the global params and put into each appropriate function because it makes no sense for service-disable. This also adds a new variable, has_keytab, to service/host_show output. This flag tells us whether there is a krbprincipalkey.
2010-07-12 16:45:06 -05:00
Revoke a host's certificate (if any) when it is deleted or disabled. Disable any services when its host is disabled. This also adds displaying the certificate attributes (subject, etc) a bit more universal and centralized in a single function. ticket 297
2010-11-05 14:16:53 -05:00
if not done_work:
raise errors.AlreadyInactive()
Add API to delete a service principal key, service-disable. I have to do some pretty low-level LDAP work to achieve this. Since we can't read the key using our modlist generator won't work and lots of tricks would be needed to use the LDAPUpdate object in any case. I pulled usercertificate out of the global params and put into each appropriate function because it makes no sense for service-disable. This also adds a new variable, has_keytab, to service/host_show output. This flag tells us whether there is a krbprincipalkey.
2010-07-12 16:45:06 -05:00
return dict(
result=True,
value=keys[0],
)
api.register(service_disable)
Reference in New Issue Copy Permalink