freeipa/ipapython/dogtag.py

# Authors: Rob Crittenden <rcritten@redhat.com>
#
# Copyright (C) 2009    Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.    See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#

from ipalib import api, errors
import httplib
import xml.dom.minidom
from ipapython import nsslib
import nss.nss as nss
from nss.error import NSPRError
from ipalib.errors import NetworkError, CertificateOperationError
from urllib import urlencode
import logging

def get_ca_certchain(ca_host=None):
    """
    Retrieve the CA Certificate chain from the configured Dogtag server.
    """
    if ca_host is None:
        ca_host = api.env.ca_host
    chain = None
    conn = httplib.HTTPConnection(ca_host, api.env.ca_port)
    conn.request("GET", "/ca/ee/ca/getCertChain")
    res = conn.getresponse()
    doc = None
    if res.status == 200:
        data = res.read()
        conn.close()
        try:
            doc = xml.dom.minidom.parseString(data)
            try:
                item_node = doc.getElementsByTagName("ChainBase64")
                chain = item_node[0].childNodes[0].data
            except IndexError:
                try:
                    item_node = doc.getElementsByTagName("Error")
                    reason = item_node[0].childNodes[0].data
                    raise errors.RemoteRetrieveError(reason=reason)
                except Exception, e:
                    raise errors.RemoteRetrieveError(reason="Retrieving CA cert chain failed: %s" % str(e))
        finally:
            if doc:
                doc.unlink()
    else:
        raise errors.RemoteRetrieveError(reason="request failed with HTTP status %d" % res.status)

    return chain

def https_request(host, port, url, secdir, password, nickname, **kw):
    """
    :param url: The URL to post to.
    :param kw:  Keyword arguments to encode into POST body.
    :return:   (http_status, http_reason_phrase, http_headers, http_body)
               as (integer, unicode, dict, str)

    Perform a client authenticated HTTPS request
    """
    if isinstance(host, unicode):
        host = host.encode('utf-8')
    uri = 'https://%s:%d%s' % (host, port, url)
    post = urlencode(kw)
    logging.info('sslget %r', uri)
    logging.debug('sslget post %r', post)
    request_headers = {"Content-type": "application/x-www-form-urlencoded",
                       "Accept": "text/plain"}
    try:
        conn = nsslib.NSSConnection(host, port, dbdir=secdir)
        conn.set_debuglevel(0)
        conn.connect()
        conn.sock.set_client_auth_data_callback(nsslib.client_auth_data_callback,
                                                nickname,
                                                password, nss.get_default_certdb())
        conn.request("POST", url, post, request_headers)

        res = conn.getresponse()

        http_status = res.status
        http_reason_phrase = unicode(res.reason, 'utf-8')
        http_headers = res.msg.dict
        http_body = res.read()
        conn.close()
    except Exception, e:
        raise NetworkError(uri=uri, error=str(e))

    return http_status, http_reason_phrase, http_headers, http_body

def http_request(host, port, url, **kw):
        """
        :param url: The URL to post to.
        :param kw: Keyword arguments to encode into POST body.
        :return:   (http_status, http_reason_phrase, http_headers, http_body)
                   as (integer, unicode, dict, str)

        Perform an HTTP request.
        """
        if isinstance(host, unicode):
            host = host.encode('utf-8')
        uri = 'http://%s:%s%s' % (host, port, url)
        post = urlencode(kw)
        logging.info('request %r', uri)
        logging.debug('request post %r', post)
        conn = httplib.HTTPConnection(host, port)
        try:
            conn.request('POST', url,
                body=post,
                headers={'Content-type': 'application/x-www-form-urlencoded'},
            )
            res = conn.getresponse()

            http_status = res.status
            http_reason_phrase = unicode(res.reason, 'utf-8')
            http_headers = res.msg.dict
            http_body = res.read()
            conn.close()
        except NSPRError, e:
            raise NetworkError(uri=uri, error=str(e))

        logging.debug('request status %d',        http_status)
        logging.debug('request reason_phrase %r', http_reason_phrase)
        logging.debug('request headers %s',       http_headers)
        logging.debug('request body %r',          http_body)

        return http_status, http_reason_phrase, http_headers, http_body
Utilities for dealing with dogtag 2009-04-22 13:35:27 -05:00			`# Authors: Rob Crittenden <rcritten@redhat.com>`
			`#`
			`# Copyright (C) 2009 Red Hat`
			`# see file 'COPYING' for use and warranty information`
			`#`
Change FreeIPA license to GPLv3+ The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239 2010-12-09 06:59:11 -06:00			`# This program is free software; you can redistribute it and/or modify`
			`# it under the terms of the GNU General Public License as published by`
			`# the Free Software Foundation, either version 3 of the License, or`
			`# (at your option) any later version.`
Utilities for dealing with dogtag 2009-04-22 13:35:27 -05:00			`#`
			`# This program is distributed in the hope that it will be useful,`
			`# but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`# GNU General Public License for more details.`
			`#`
			`# You should have received a copy of the GNU General Public License`
Change FreeIPA license to GPLv3+ The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239 2010-12-09 06:59:11 -06:00			`# along with this program. If not, see <http://www.gnu.org/licenses/>.`
Utilities for dealing with dogtag 2009-04-22 13:35:27 -05:00			`#`

Raise an exception if the certificate chain is not returned from the CA 2009-05-21 16:34:00 -05:00			`from ipalib import api, errors`
Utilities for dealing with dogtag 2009-04-22 13:35:27 -05:00			`import httplib`
			`import xml.dom.minidom`
Move the HTTP/S request code to a common library This moves code that does HTTP and HTTPS requests into a common library that can be used by both the installer and the dogtag plugin. These functions are not generic HTTP/S clients, they are designed specifically to talk to dogtag, so use accordingly. 2010-02-02 21:52:11 -06:00			`from ipapython import nsslib`
			`import nss.nss as nss`
use NSS for SSL operations 2010-05-31 06:40:17 -05:00			`from nss.error import NSPRError`
Move the HTTP/S request code to a common library This moves code that does HTTP and HTTPS requests into a common library that can be used by both the installer and the dogtag plugin. These functions are not generic HTTP/S clients, they are designed specifically to talk to dogtag, so use accordingly. 2010-02-02 21:52:11 -06:00			`from ipalib.errors import NetworkError, CertificateOperationError`
			`from urllib import urlencode`
			`import logging`
Utilities for dealing with dogtag 2009-04-22 13:35:27 -05:00
Allow replicas of an IPA server using an internal dogtag server as the CA This involves creating a new CA instance on the replica and using pkisilent to create a clone of the master CA. Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of changes to ports and configuration have been done recently. 2009-07-10 15:18:16 -05:00			`def get_ca_certchain(ca_host=None):`
Utilities for dealing with dogtag 2009-04-22 13:35:27 -05:00			`"""`
			`Retrieve the CA Certificate chain from the configured Dogtag server.`
			`"""`
Allow replicas of an IPA server using an internal dogtag server as the CA This involves creating a new CA instance on the replica and using pkisilent to create a clone of the master CA. Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of changes to ports and configuration have been done recently. 2009-07-10 15:18:16 -05:00			`if ca_host is None:`
			`ca_host = api.env.ca_host`
Utilities for dealing with dogtag 2009-04-22 13:35:27 -05:00			`chain = None`
Move the HTTP/S request code to a common library This moves code that does HTTP and HTTPS requests into a common library that can be used by both the installer and the dogtag plugin. These functions are not generic HTTP/S clients, they are designed specifically to talk to dogtag, so use accordingly. 2010-02-02 21:52:11 -06:00			`conn = httplib.HTTPConnection(ca_host, api.env.ca_port)`
Utilities for dealing with dogtag 2009-04-22 13:35:27 -05:00			`conn.request("GET", "/ca/ee/ca/getCertChain")`
			`res = conn.getresponse()`
Catch when we fail to get a cert chain from the CA during installation Also don't free the XML document if it was never created. ticket 404 2010-11-22 09:27:34 -06:00			`doc = None`
Utilities for dealing with dogtag 2009-04-22 13:35:27 -05:00			`if res.status == 200:`
			`data = res.read()`
			`conn.close()`
Raise an exception if the certificate chain is not returned from the CA 2009-05-21 16:34:00 -05:00			`try:`
			`doc = xml.dom.minidom.parseString(data)`
			`try:`
			`item_node = doc.getElementsByTagName("ChainBase64")`
			`chain = item_node[0].childNodes[0].data`
			`except IndexError:`
			`try:`
			`item_node = doc.getElementsByTagName("Error")`
			`reason = item_node[0].childNodes[0].data`
			`raise errors.RemoteRetrieveError(reason=reason)`
Allow replicas of an IPA server using an internal dogtag server as the CA This involves creating a new CA instance on the replica and using pkisilent to create a clone of the master CA. Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of changes to ports and configuration have been done recently. 2009-07-10 15:18:16 -05:00			`except Exception, e:`
			`raise errors.RemoteRetrieveError(reason="Retrieving CA cert chain failed: %s" % str(e))`
Raise an exception if the certificate chain is not returned from the CA 2009-05-21 16:34:00 -05:00			`finally:`
Catch when we fail to get a cert chain from the CA during installation Also don't free the XML document if it was never created. ticket 404 2010-11-22 09:27:34 -06:00			`if doc:`
			`doc.unlink()`
			`else:`
			`raise errors.RemoteRetrieveError(reason="request failed with HTTP status %d" % res.status)`
Utilities for dealing with dogtag 2009-04-22 13:35:27 -05:00
			`return chain`
Move the HTTP/S request code to a common library This moves code that does HTTP and HTTPS requests into a common library that can be used by both the installer and the dogtag plugin. These functions are not generic HTTP/S clients, they are designed specifically to talk to dogtag, so use accordingly. 2010-02-02 21:52:11 -06:00
			`def https_request(host, port, url, secdir, password, nickname, **kw):`
			`"""`
			`:param url: The URL to post to.`
			`:param kw: Keyword arguments to encode into POST body.`
			`:return: (http_status, http_reason_phrase, http_headers, http_body)`
			`as (integer, unicode, dict, str)`

			`Perform a client authenticated HTTPS request`
			`"""`
Fix http(s)_request in dogtag. Was blowing up because of unicode strings. 2010-03-30 09:11:17 -05:00			`if isinstance(host, unicode):`
			`host = host.encode('utf-8')`
Move the HTTP/S request code to a common library This moves code that does HTTP and HTTPS requests into a common library that can be used by both the installer and the dogtag plugin. These functions are not generic HTTP/S clients, they are designed specifically to talk to dogtag, so use accordingly. 2010-02-02 21:52:11 -06:00			`uri = 'https://%s:%d%s' % (host, port, url)`
			`post = urlencode(kw)`
			`logging.info('sslget %r', uri)`
			`logging.debug('sslget post %r', post)`
			`request_headers = {"Content-type": "application/x-www-form-urlencoded",`
			`"Accept": "text/plain"}`
			`try:`
			`conn = nsslib.NSSConnection(host, port, dbdir=secdir)`
Set the client auth callback after creating the SSL connection. If we set the callback before calling connect() then if the connection tries a network family type and fails, it will try other family types. If this happens then the callback set on the first socket will be lost when a new socket is created. There is no way to query for the callback in an existing socket. https://fedorahosted.org/freeipa/ticket/1349 2011-06-29 14:01:18 -05:00			`conn.set_debuglevel(0)`
			`conn.connect()`
use NSS for SSL operations 2010-05-31 06:40:17 -05:00			`conn.sock.set_client_auth_data_callback(nsslib.client_auth_data_callback,`
			`nickname,`
			`password, nss.get_default_certdb())`
Move the HTTP/S request code to a common library This moves code that does HTTP and HTTPS requests into a common library that can be used by both the installer and the dogtag plugin. These functions are not generic HTTP/S clients, they are designed specifically to talk to dogtag, so use accordingly. 2010-02-02 21:52:11 -06:00			`conn.request("POST", url, post, request_headers)`

			`res = conn.getresponse()`

			`http_status = res.status`
			`http_reason_phrase = unicode(res.reason, 'utf-8')`
			`http_headers = res.msg.dict`
			`http_body = res.read()`
			`conn.close()`
			`except Exception, e:`
			`raise NetworkError(uri=uri, error=str(e))`

			`return http_status, http_reason_phrase, http_headers, http_body`

			`def http_request(host, port, url, **kw):`
			`"""`
			`:param url: The URL to post to.`
			`:param kw: Keyword arguments to encode into POST body.`
			`:return: (http_status, http_reason_phrase, http_headers, http_body)`
			`as (integer, unicode, dict, str)`

			`Perform an HTTP request.`
			`"""`
Fix http(s)_request in dogtag. Was blowing up because of unicode strings. 2010-03-30 09:11:17 -05:00			`if isinstance(host, unicode):`
			`host = host.encode('utf-8')`
Move the HTTP/S request code to a common library This moves code that does HTTP and HTTPS requests into a common library that can be used by both the installer and the dogtag plugin. These functions are not generic HTTP/S clients, they are designed specifically to talk to dogtag, so use accordingly. 2010-02-02 21:52:11 -06:00			`uri = 'http://%s:%s%s' % (host, port, url)`
			`post = urlencode(kw)`
			`logging.info('request %r', uri)`
			`logging.debug('request post %r', post)`
			`conn = httplib.HTTPConnection(host, port)`
			`try:`
			`conn.request('POST', url,`
			`body=post,`
			`headers={'Content-type': 'application/x-www-form-urlencoded'},`
			`)`
			`res = conn.getresponse()`

			`http_status = res.status`
			`http_reason_phrase = unicode(res.reason, 'utf-8')`
			`http_headers = res.msg.dict`
			`http_body = res.read()`
			`conn.close()`
use NSS for SSL operations 2010-05-31 06:40:17 -05:00			`except NSPRError, e:`
			`raise NetworkError(uri=uri, error=str(e))`
Move the HTTP/S request code to a common library This moves code that does HTTP and HTTPS requests into a common library that can be used by both the installer and the dogtag plugin. These functions are not generic HTTP/S clients, they are designed specifically to talk to dogtag, so use accordingly. 2010-02-02 21:52:11 -06:00
			`logging.debug('request status %d', http_status)`
			`logging.debug('request reason_phrase %r', http_reason_phrase)`
			`logging.debug('request headers %s', http_headers)`
			`logging.debug('request body %r', http_body)`

			`return http_status, http_reason_phrase, http_headers, http_body`