IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2024-12-27 09:21:59 -06:00
Code Issues Packages Projects Releases Wiki Activity
af48654cbc
freeipa/ipalib/plugins/cert.py

517 lines
17 KiB
Python
Raw Normal View History

Merged in Andrew's RA plugin
2008-12-21 15:15:53 -06:00
# Authors:
# Andrew Wnuk <awnuk@redhat.com>
# Jason Gerard DeRose <jderose@redhat.com>
rebase dogtag clean-up patch
2009-12-08 15:57:07 -06:00
# John Dennis <jdennis@redhat.com>
Merged in Andrew's RA plugin
2008-12-21 15:15:53 -06:00
#
# Copyright (C) 2009 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2 only
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
"""
First pass at per-command documentation
2010-06-02 13:08:50 -05:00
IPA certificate operations
Implements a set of commands for managing server SSL certificates.
Update command documentation based on feedback from docs team. ticket #158
2010-08-24 22:40:32 -05:00
Certificate request exist in the form of a Certificate Signing Request (CSR)
First pass at per-command documentation
2010-06-02 13:08:50 -05:00
in PEM format.
If using the selfsign backend then the subject in the CSR needs to match
the subject configured in the server. The dogtag CA uses just the CN
value of the CSR and forces the rest of the subject.
A certificate is stored with a service principal and a service principal
Update command documentation based on feedback from docs team. ticket #158
2010-08-24 22:40:32 -05:00
needs a host.
First pass at per-command documentation
2010-06-02 13:08:50 -05:00
Update command documentation based on feedback from docs team. ticket #158
2010-08-24 22:40:32 -05:00
In order to request a certificate:
* The host must exist
* The service must exist (or you use the --add option to automatically add it)
First pass at per-command documentation
2010-06-02 13:08:50 -05:00
EXAMPLES:
Update command documentation based on feedback from docs team. ticket #158
2010-08-24 22:40:32 -05:00
Request a new certificate and add the principal:
First pass at per-command documentation
2010-06-02 13:08:50 -05:00
ipa cert-request --add --principal=HTTP/lion.example.com example.csr
Retrieve an existing certificate:
Clean up crypto code, take advantage of new nss-python capabilities This patch does the following: - drops our in-tree x509v3 parser to use the python-nss one - return more information on certificates - make an API change, renaming cert-get to cert-show - Drop a lot of duplicated code
2010-06-24 10:40:02 -05:00
ipa cert-show 1032
First pass at per-command documentation
2010-06-02 13:08:50 -05:00
Revoke a certificate (see RFC 5280 for reason details):
ipa cert-revoke --revocation-reason=6 1032
Remove a certificate from revocation hold status:
ipa cert-remove-hold 1032
Check the status of a signing request:
ipa cert-status 10
Update command documentation based on feedback from docs team. ticket #158
2010-08-24 22:40:32 -05:00
IPA currently immediately issues (or declines) all certificate requests so
the status of a request is not normally useful. This is for future-use
or the case where a CA does not immediately issue a certificate.
Merged in Andrew's RA plugin
2008-12-21 15:15:53 -06:00
"""
Implemented more elegant way for entire plugin module to be conditionally skipped; updated cert.py and ra.py modules to use this
2009-02-12 03:10:12 -06:00
from ipalib import api, SkipPluginModule
if api.env.enable_ra is not True:
Removed 'Assert False' that was mistakingly left in cert.py; small cleanup in cert.py and ra.py imports
2009-02-12 18:18:54 -06:00
# In this case, abort loading this plugin module...
raise SkipPluginModule(reason='env.enable_ra is not True')
Use File parameter for CSR in cert_request command plugin.
2009-11-06 04:04:00 -06:00
from ipalib import Command, Str, Int, Bytes, Flag, File
Store the new certificate in a service record. Clean up some argument names to match the current standard.
2009-05-05 14:18:33 -05:00
from ipalib import errors
Use pyasn1-based PKCS#10 and X509v3 parsers instead of pyOpenSSL. The pyOpenSSL PKCS#10 parser doesn't support attributes so we can't identify requests with subject alt names. Subject alt names are only allowed if: - the host for the alt name exists in IPA - if binding as host principal, the host is in the services managedBy attr
2009-11-24 15:07:44 -06:00
from ipalib import pkcs10
from ipalib import x509
Implement support for non-LDAP-based actions that use the LDAP ACI subsystem. There are some operations, like those for the certificate system, that don't need to write to the directory server. So instead we have an entry that we test against to determine whether the operation is allowed or not. This is done by attempting a write on the entry. If it would succeed then permission is granted. If not then denied. The write we attempt is actually invalid so the write itself will fail but the attempt will fail first if access is not permitted, so we can distinguish between the two without polluting the entry.
2009-07-10 15:40:39 -05:00
from ipalib.plugins.virtual import *
First pass at enforcing certificates be requested from same host We want to only allow a machine to request a certificate for itself, not for other machines. I've added a new taksgroup which will allow this. The requesting IP is resolved and compared to the subject of the CSR to determine if they are the same host. The same is done with the service principal. Subject alt names are not queried yet. This does not yet grant machines actual permission to request certificates yet, that is still limited to the taskgroup request_certs.
2009-10-20 10:59:07 -05:00
from ipalib.plugins.service import split_principal
Store the new certificate in a service record. Clean up some argument names to match the current standard.
2009-05-05 14:18:33 -05:00
import base64
Use pyasn1-based PKCS#10 and X509v3 parsers instead of pyOpenSSL. The pyOpenSSL PKCS#10 parser doesn't support attributes so we can't identify requests with subject alt names. Subject alt names are only allowed if: - the host for the alt name exists in IPA - if binding as host principal, the host is in the services managedBy attr
2009-11-24 15:07:44 -06:00
import logging
import traceback
Translatable Param.label, Param.doc
2010-02-19 10:08:16 -06:00
from ipalib.text import _
Make hosts more like real services so we can issue certs for host principals This patch should make joining a client to the domain and using certmonger to get an initial certificate work.
2009-12-16 15:04:53 -06:00
from ipalib.request import context
Use the Output tuple to determine the order of output The attributes displayed is now dependant upon their definition in a Param. This enhances that, giving some level of control over how the result is displayed to the user. This also fixes displaying group membership, including failures of adding/removing entries. All tests pass now though there is still one problem. We need to return the dn as well. Once that is fixed we just need to comment out all the dn entries in the tests and they should once again pass.
2010-02-12 15:34:21 -06:00
from ipalib.output import Output
Clean up crypto code, take advantage of new nss-python capabilities This patch does the following: - drops our in-tree x509v3 parser to use the python-nss one - return more information on certificates - make an API change, renaming cert-get to cert-show - Drop a lot of duplicated code
2010-06-24 10:40:02 -05:00
from ipalib.plugins.service import validate_principal
import nss.nss as nss
Drop our own PKCS#10 ASN.1 decoder and use the one from python-nss This patch: - bumps up the minimum version of python-nss - will initialize NSS with nodb if a CSR is loaded and it isn't already init'd - will shutdown NSS if initialized in the RPC subsystem so we use right db - updated and added a few more tests Relying more on NSS introduces a bit of a problem. For NSS to work you need to have initialized a database (either a real one or no_db). But once you've initialized one and want to use another you have to close down the first one. I've added some code to nsslib.py to do just that. This could potentially have some bad side-effects at some point, it works ok now.
2010-07-20 13:00:43 -05:00
from nss.error import NSPRError
Fix plugin to work with new output validation, add new helpers Add a new get_subject() helper and return the subject when retrieving certificates. Add a normalizer so that everything before and after the BEGIN/END block is removed.
2010-01-20 09:03:42 -06:00
First pass at enforcing certificates be requested from same host We want to only allow a machine to request a certificate for itself, not for other machines. I've added a new taksgroup which will allow this. The requesting IP is resolved and compared to the subject of the CSR to determine if they are the same host. The same is done with the service principal. Subject alt names are not queried yet. This does not yet grant machines actual permission to request certificates yet, that is still limited to the taskgroup request_certs.
2009-10-20 10:59:07 -05:00
def get_csr_hostname(csr):
"""
Drop our own PKCS#10 ASN.1 decoder and use the one from python-nss This patch: - bumps up the minimum version of python-nss - will initialize NSS with nodb if a CSR is loaded and it isn't already init'd - will shutdown NSS if initialized in the RPC subsystem so we use right db - updated and added a few more tests Relying more on NSS introduces a bit of a problem. For NSS to work you need to have initialized a database (either a real one or no_db). But once you've initialized one and want to use another you have to close down the first one. I've added some code to nsslib.py to do just that. This could potentially have some bad side-effects at some point, it works ok now.
2010-07-20 13:00:43 -05:00
Return the value of CN in the subject of the request or None
First pass at enforcing certificates be requested from same host We want to only allow a machine to request a certificate for itself, not for other machines. I've added a new taksgroup which will allow this. The requesting IP is resolved and compared to the subject of the CSR to determine if they are the same host. The same is done with the service principal. Subject alt names are not queried yet. This does not yet grant machines actual permission to request certificates yet, that is still limited to the taskgroup request_certs.
2009-10-20 10:59:07 -05:00
"""
try:
Use pyasn1-based PKCS#10 and X509v3 parsers instead of pyOpenSSL. The pyOpenSSL PKCS#10 parser doesn't support attributes so we can't identify requests with subject alt names. Subject alt names are only allowed if: - the host for the alt name exists in IPA - if binding as host principal, the host is in the services managedBy attr
2009-11-24 15:07:44 -06:00
request = pkcs10.load_certificate_request(csr)
Drop our own PKCS#10 ASN.1 decoder and use the one from python-nss This patch: - bumps up the minimum version of python-nss - will initialize NSS with nodb if a CSR is loaded and it isn't already init'd - will shutdown NSS if initialized in the RPC subsystem so we use right db - updated and added a few more tests Relying more on NSS introduces a bit of a problem. For NSS to work you need to have initialized a database (either a real one or no_db). But once you've initialized one and want to use another you have to close down the first one. I've added some code to nsslib.py to do just that. This could potentially have some bad side-effects at some point, it works ok now.
2010-07-20 13:00:43 -05:00
subject = pkcs10.get_subject(request)
return subject.common_name
except NSPRError, nsprerr:
raise errors.CertificateOperationError(error=_('Failure decoding Certificate Signing Request:'))
First pass at enforcing certificates be requested from same host We want to only allow a machine to request a certificate for itself, not for other machines. I've added a new taksgroup which will allow this. The requesting IP is resolved and compared to the subject of the CSR to determine if they are the same host. The same is done with the service principal. Subject alt names are not queried yet. This does not yet grant machines actual permission to request certificates yet, that is still limited to the taskgroup request_certs.
2009-10-20 10:59:07 -05:00
Use pyasn1-based PKCS#10 and X509v3 parsers instead of pyOpenSSL. The pyOpenSSL PKCS#10 parser doesn't support attributes so we can't identify requests with subject alt names. Subject alt names are only allowed if: - the host for the alt name exists in IPA - if binding as host principal, the host is in the services managedBy attr
2009-11-24 15:07:44 -06:00
def get_subjectaltname(csr):
"""
Drop our own PKCS#10 ASN.1 decoder and use the one from python-nss This patch: - bumps up the minimum version of python-nss - will initialize NSS with nodb if a CSR is loaded and it isn't already init'd - will shutdown NSS if initialized in the RPC subsystem so we use right db - updated and added a few more tests Relying more on NSS introduces a bit of a problem. For NSS to work you need to have initialized a database (either a real one or no_db). But once you've initialized one and want to use another you have to close down the first one. I've added some code to nsslib.py to do just that. This could potentially have some bad side-effects at some point, it works ok now.
2010-07-20 13:00:43 -05:00
Return the first value of the subject alt name, if any
Use pyasn1-based PKCS#10 and X509v3 parsers instead of pyOpenSSL. The pyOpenSSL PKCS#10 parser doesn't support attributes so we can't identify requests with subject alt names. Subject alt names are only allowed if: - the host for the alt name exists in IPA - if binding as host principal, the host is in the services managedBy attr
2009-11-24 15:07:44 -06:00
"""
try:
request = pkcs10.load_certificate_request(csr)
Drop our own PKCS#10 ASN.1 decoder and use the one from python-nss This patch: - bumps up the minimum version of python-nss - will initialize NSS with nodb if a CSR is loaded and it isn't already init'd - will shutdown NSS if initialized in the RPC subsystem so we use right db - updated and added a few more tests Relying more on NSS introduces a bit of a problem. For NSS to work you need to have initialized a database (either a real one or no_db). But once you've initialized one and want to use another you have to close down the first one. I've added some code to nsslib.py to do just that. This could potentially have some bad side-effects at some point, it works ok now.
2010-07-20 13:00:43 -05:00
for extension in request.extensions:
if extension.oid_tag == nss.SEC_OID_X509_SUBJECT_ALT_NAME:
return nss.x509_alt_name(extension.value)[0]
return None
except NSPRError, nsprerr:
rebase dogtag clean-up patch
2009-12-08 15:57:07 -06:00
raise errors.CertificateOperationError(error=_('Failure decoding Certificate Signing Request'))
Use pyasn1-based PKCS#10 and X509v3 parsers instead of pyOpenSSL. The pyOpenSSL PKCS#10 parser doesn't support attributes so we can't identify requests with subject alt names. Subject alt names are only allowed if: - the host for the alt name exists in IPA - if binding as host principal, the host is in the services managedBy attr
2009-11-24 15:07:44 -06:00
Store the new certificate in a service record. Clean up some argument names to match the current standard.
2009-05-05 14:18:33 -05:00
def validate_csr(ugettext, csr):
"""
Use pyasn1-based PKCS#10 and X509v3 parsers instead of pyOpenSSL. The pyOpenSSL PKCS#10 parser doesn't support attributes so we can't identify requests with subject alt names. Subject alt names are only allowed if: - the host for the alt name exists in IPA - if binding as host principal, the host is in the services managedBy attr
2009-11-24 15:07:44 -06:00
Ensure the CSR is base64-encoded and can be decoded by our PKCS#10
parser.
Store the new certificate in a service record. Clean up some argument names to match the current standard.
2009-05-05 14:18:33 -05:00
"""
try:
Use pyasn1-based PKCS#10 and X509v3 parsers instead of pyOpenSSL. The pyOpenSSL PKCS#10 parser doesn't support attributes so we can't identify requests with subject alt names. Subject alt names are only allowed if: - the host for the alt name exists in IPA - if binding as host principal, the host is in the services managedBy attr
2009-11-24 15:07:44 -06:00
request = pkcs10.load_certificate_request(csr)
except TypeError, e:
Store the new certificate in a service record. Clean up some argument names to match the current standard.
2009-05-05 14:18:33 -05:00
raise errors.Base64DecodeError(reason=str(e))
Drop our own PKCS#10 ASN.1 decoder and use the one from python-nss This patch: - bumps up the minimum version of python-nss - will initialize NSS with nodb if a CSR is loaded and it isn't already init'd - will shutdown NSS if initialized in the RPC subsystem so we use right db - updated and added a few more tests Relying more on NSS introduces a bit of a problem. For NSS to work you need to have initialized a database (either a real one or no_db). But once you've initialized one and want to use another you have to close down the first one. I've added some code to nsslib.py to do just that. This could potentially have some bad side-effects at some point, it works ok now.
2010-07-20 13:00:43 -05:00
except NSPRError:
rebase dogtag clean-up patch
2009-12-08 15:57:07 -06:00
raise errors.CertificateOperationError(error=_('Failure decoding Certificate Signing Request'))
Use pyasn1-based PKCS#10 and X509v3 parsers instead of pyOpenSSL. The pyOpenSSL PKCS#10 parser doesn't support attributes so we can't identify requests with subject alt names. Subject alt names are only allowed if: - the host for the alt name exists in IPA - if binding as host principal, the host is in the services managedBy attr
2009-11-24 15:07:44 -06:00
except Exception, e:
rebase dogtag clean-up patch
2009-12-08 15:57:07 -06:00
raise errors.CertificateOperationError(error=_('Failure decoding Certificate Signing Request: %s') % str(e))
Merged in Andrew's RA plugin
2008-12-21 15:15:53 -06:00
Fix plugin to work with new output validation, add new helpers Add a new get_subject() helper and return the subject when retrieving certificates. Add a normalizer so that everything before and after the BEGIN/END block is removed.
2010-01-20 09:03:42 -06:00
def normalize_csr(csr):
"""
Strip any leading and trailing cruft around the BEGIN/END block
"""
end_len = 37
s = csr.find('-----BEGIN NEW CERTIFICATE REQUEST-----')
if s == -1:
s = csr.find('-----BEGIN CERTIFICATE REQUEST-----')
e = csr.find('-----END NEW CERTIFICATE REQUEST-----')
if e == -1:
e = csr.find('-----END CERTIFICATE REQUEST-----')
if e != -1:
end_len = 33
if s > -1 and e > -1:
# We're normalizing here, not validating
csr = csr[s:e+end_len]
return csr
Merged in Andrew's RA plugin
2008-12-21 15:15:53 -06:00
Clean up crypto code, take advantage of new nss-python capabilities This patch does the following: - drops our in-tree x509v3 parser to use the python-nss one - return more information on certificates - make an API change, renaming cert-get to cert-show - Drop a lot of duplicated code
2010-06-24 10:40:02 -05:00
def get_host_from_principal(principal):
"""
Given a principal with or without a realm return the
host portion.
"""
validate_principal(None, principal)
realm = principal.find('@')
slash = principal.find('/')
if realm == -1:
realm = len(principal)
hostname = principal[slash+1:realm]
return hostname
Implement support for non-LDAP-based actions that use the LDAP ACI subsystem. There are some operations, like those for the certificate system, that don't need to write to the directory server. So instead we have an entry that we test against to determine whether the operation is allowed or not. This is done by attempting a write on the entry. If it would succeed then permission is granted. If not then denied. The write we attempt is actually invalid so the write itself will fail but the attempt will fail first if access is not permitted, so we can distinguish between the two without polluting the entry.
2009-07-10 15:40:39 -05:00
class cert_request(VirtualCommand):
Implemented more elegant way for entire plugin module to be conditionally skipped; updated cert.py and ra.py modules to use this
2009-02-12 03:10:12 -06:00
"""
First pass at enforcing certificates be requested from same host We want to only allow a machine to request a certificate for itself, not for other machines. I've added a new taksgroup which will allow this. The requesting IP is resolved and compared to the subject of the CSR to determine if they are the same host. The same is done with the service principal. Subject alt names are not queried yet. This does not yet grant machines actual permission to request certificates yet, that is still limited to the taskgroup request_certs.
2009-10-20 10:59:07 -05:00
Submit a certificate signing request.
Implemented more elegant way for entire plugin module to be conditionally skipped; updated cert.py and ra.py modules to use this
2009-02-12 03:10:12 -06:00
"""
Merged in Andrew's RA plugin
2008-12-21 15:15:53 -06:00
Use File parameter for CSR in cert_request command plugin.
2009-11-06 04:04:00 -06:00
takes_args = (
File('csr', validate_csr,
cli_name='csr_file',
Fix plugin to work with new output validation, add new helpers Add a new get_subject() helper and return the subject when retrieving certificates. Add a normalizer so that everything before and after the BEGIN/END block is removed.
2010-01-20 09:03:42 -06:00
normalizer=normalize_csr,
Use File parameter for CSR in cert_request command plugin.
2009-11-06 04:04:00 -06:00
),
)
Implement support for non-LDAP-based actions that use the LDAP ACI subsystem. There are some operations, like those for the certificate system, that don't need to write to the directory server. So instead we have an entry that we test against to determine whether the operation is allowed or not. This is done by attempting a write on the entry. If it would succeed then permission is granted. If not then denied. The write we attempt is actually invalid so the write itself will fail but the attempt will fail first if access is not permitted, so we can distinguish between the two without polluting the entry.
2009-07-10 15:40:39 -05:00
operation="request certificate"
Merged in Andrew's RA plugin
2008-12-21 15:15:53 -06:00
Implemented more elegant way for entire plugin module to be conditionally skipped; updated cert.py and ra.py modules to use this
2009-02-12 03:10:12 -06:00
takes_options = (
Store the new certificate in a service record. Clean up some argument names to match the current standard.
2009-05-05 14:18:33 -05:00
Str('principal',
Translatable Param.label, Param.doc
2010-02-19 10:08:16 -06:00
label=_('Principal'),
doc=_('Service principal for this certificate (e.g. HTTP/test.example.com)'),
Store the new certificate in a service record. Clean up some argument names to match the current standard.
2009-05-05 14:18:33 -05:00
),
Str('request_type',
default=u'pkcs10',
autofill=True,
),
Flag('add',
Translatable Param.label, Param.doc
2010-02-19 10:08:16 -06:00
doc=_("automatically add the principal if it doesn't exist"),
Store the new certificate in a service record. Clean up some argument names to match the current standard.
2009-05-05 14:18:33 -05:00
default=False,
autofill=True
),
Clean up crypto code, take advantage of new nss-python capabilities This patch does the following: - drops our in-tree x509v3 parser to use the python-nss one - return more information on certificates - make an API change, renaming cert-get to cert-show - Drop a lot of duplicated code
2010-06-24 10:40:02 -05:00
)
has_output_params = (
Use the Output tuple to determine the order of output The attributes displayed is now dependant upon their definition in a Param. This enhances that, giving some level of control over how the result is displayed to the user. This also fixes displaying group membership, including failures of adding/removing entries. All tests pass now though there is still one problem. We need to return the dn as well. Once that is fixed we just need to comment out all the dn entries in the tests and they should once again pass.
2010-02-12 15:34:21 -06:00
Str('certificate?',
Translatable Param.label, Param.doc
2010-02-19 10:08:16 -06:00
label=_('Certificate'),
Use the Output tuple to determine the order of output The attributes displayed is now dependant upon their definition in a Param. This enhances that, giving some level of control over how the result is displayed to the user. This also fixes displaying group membership, including failures of adding/removing entries. All tests pass now though there is still one problem. We need to return the dn as well. Once that is fixed we just need to comment out all the dn entries in the tests and they should once again pass.
2010-02-12 15:34:21 -06:00
flags=['no_create', 'no_update', 'no_search'],
),
Str('subject?',
Translatable Param.label, Param.doc
2010-02-19 10:08:16 -06:00
label=_('Subject'),
Use the Output tuple to determine the order of output The attributes displayed is now dependant upon their definition in a Param. This enhances that, giving some level of control over how the result is displayed to the user. This also fixes displaying group membership, including failures of adding/removing entries. All tests pass now though there is still one problem. We need to return the dn as well. Once that is fixed we just need to comment out all the dn entries in the tests and they should once again pass.
2010-02-12 15:34:21 -06:00
flags=['no_create', 'no_update', 'no_search'],
),
Clean up crypto code, take advantage of new nss-python capabilities This patch does the following: - drops our in-tree x509v3 parser to use the python-nss one - return more information on certificates - make an API change, renaming cert-get to cert-show - Drop a lot of duplicated code
2010-06-24 10:40:02 -05:00
Str('issuer?',
label=_('Issuer'),
flags=['no_create', 'no_update', 'no_search'],
),
Str('valid_not_before?',
label=_('Not Before'),
flags=['no_create', 'no_update', 'no_search'],
),
Str('valid_not_after?',
label=_('Not After'),
flags=['no_create', 'no_update', 'no_search'],
),
Str('md5_fingerprint?',
label=_('Fingerprint (MD5)'),
flags=['no_create', 'no_update', 'no_search'],
),
Str('sha1_fingerprint?',
label=_('Fingerprint (SHA1)'),
flags=['no_create', 'no_update', 'no_search'],
),
Use the Output tuple to determine the order of output The attributes displayed is now dependant upon their definition in a Param. This enhances that, giving some level of control over how the result is displayed to the user. This also fixes displaying group membership, including failures of adding/removing entries. All tests pass now though there is still one problem. We need to return the dn as well. Once that is fixed we just need to comment out all the dn entries in the tests and they should once again pass.
2010-02-12 15:34:21 -06:00
Str('serial_number?',
Translatable Param.label, Param.doc
2010-02-19 10:08:16 -06:00
label=_('Serial number'),
Use the Output tuple to determine the order of output The attributes displayed is now dependant upon their definition in a Param. This enhances that, giving some level of control over how the result is displayed to the user. This also fixes displaying group membership, including failures of adding/removing entries. All tests pass now though there is still one problem. We need to return the dn as well. Once that is fixed we just need to comment out all the dn entries in the tests and they should once again pass.
2010-02-12 15:34:21 -06:00
flags=['no_create', 'no_update', 'no_search'],
),
)
has_output = (
Output('result',
type=dict,
localize doc strings A number of doc strings were not localized, wrap them in _(). Some messages were not localized, wrap them in _() Fix a couple of failing tests: The method name in RPC should not be unicode. The doc attribute must use the .msg attribute for comparison. Also clean up imports of _() The import should come from ipalib or ipalib.text, not ugettext from request.
2010-03-05 15:11:21 -06:00
doc=_('Dictionary mapping variable name to value'),
Use the Output tuple to determine the order of output The attributes displayed is now dependant upon their definition in a Param. This enhances that, giving some level of control over how the result is displayed to the user. This also fixes displaying group membership, including failures of adding/removing entries. All tests pass now though there is still one problem. We need to return the dn as well. Once that is fixed we just need to comment out all the dn entries in the tests and they should once again pass.
2010-02-12 15:34:21 -06:00
),
Implemented more elegant way for entire plugin module to be conditionally skipped; updated cert.py and ra.py modules to use this
2009-02-12 03:10:12 -06:00
)
Merged in Andrew's RA plugin
2008-12-21 15:15:53 -06:00
Store the new certificate in a service record. Clean up some argument names to match the current standard.
2009-05-05 14:18:33 -05:00
def execute(self, csr, **kw):
Use a new mechanism for delegating certificate issuance. Using the client IP address was a rather poor mechanism for controlling who could request certificates for whom. Instead the client machine will bind using the host service principal and request the certificate. In order to do this: * the service will need to exist * the machine needs to be in the certadmin rolegroup * the host needs to be in the managedBy attribute of the service It might look something like: admin ipa host-add client.example.com --password=secret123 ipa service-add HTTP/client.example.com ipa service-add-host --hosts=client.example.com HTTP/client.example.com ipa rolegroup-add-member --hosts=client.example.com certadmin client ipa-client-install ipa-join -w secret123 kinit -kt /etc/krb5.keytab host/client.example.com ipa -d cert-request file://web.csr --principal=HTTP/client.example.com
2009-11-03 08:35:19 -06:00
ldap = self.api.Backend.ldap2
Store the new certificate in a service record. Clean up some argument names to match the current standard.
2009-05-05 14:18:33 -05:00
principal = kw.get('principal')
add = kw.get('add')
del kw['principal']
del kw['add']
service = None
Use pyasn1-based PKCS#10 and X509v3 parsers instead of pyOpenSSL. The pyOpenSSL PKCS#10 parser doesn't support attributes so we can't identify requests with subject alt names. Subject alt names are only allowed if: - the host for the alt name exists in IPA - if binding as host principal, the host is in the services managedBy attr
2009-11-24 15:07:44 -06:00
"""
Access control is partially handled by the ACI titled
'Hosts can modify service userCertificate'. This is for the case
where a machine binds using a host/ prinicpal. It can only do the
request if the target hostname is in the managedBy attribute which
is managed using the add/del member commands.
Binding with a user principal one needs to be in the request_certs
taskgroup (directly or indirectly via role membership).
"""
Use File parameter for CSR in cert_request command plugin.
2009-11-06 04:04:00 -06:00
Make hosts more like real services so we can issue certs for host principals This patch should make joining a client to the domain and using certmonger to get an initial certificate work.
2009-12-16 15:04:53 -06:00
bind_principal = getattr(context, 'principal')
First pass at enforcing certificates be requested from same host We want to only allow a machine to request a certificate for itself, not for other machines. I've added a new taksgroup which will allow this. The requesting IP is resolved and compared to the subject of the CSR to determine if they are the same host. The same is done with the service principal. Subject alt names are not queried yet. This does not yet grant machines actual permission to request certificates yet, that is still limited to the taskgroup request_certs.
2009-10-20 10:59:07 -05:00
# Can this user request certs?
Make hosts more like real services so we can issue certs for host principals This patch should make joining a client to the domain and using certmonger to get an initial certificate work.
2009-12-16 15:04:53 -06:00
if not bind_principal.startswith('host/'):
self.check_access()
First pass at enforcing certificates be requested from same host We want to only allow a machine to request a certificate for itself, not for other machines. I've added a new taksgroup which will allow this. The requesting IP is resolved and compared to the subject of the CSR to determine if they are the same host. The same is done with the service principal. Subject alt names are not queried yet. This does not yet grant machines actual permission to request certificates yet, that is still limited to the taskgroup request_certs.
2009-10-20 10:59:07 -05:00
# FIXME: add support for subject alt name
# Ensure that the hostname in the CSR matches the principal
Use pyasn1-based PKCS#10 and X509v3 parsers instead of pyOpenSSL. The pyOpenSSL PKCS#10 parser doesn't support attributes so we can't identify requests with subject alt names. Subject alt names are only allowed if: - the host for the alt name exists in IPA - if binding as host principal, the host is in the services managedBy attr
2009-11-24 15:07:44 -06:00
subject_host = get_csr_hostname(csr)
First pass at enforcing certificates be requested from same host We want to only allow a machine to request a certificate for itself, not for other machines. I've added a new taksgroup which will allow this. The requesting IP is resolved and compared to the subject of the CSR to determine if they are the same host. The same is done with the service principal. Subject alt names are not queried yet. This does not yet grant machines actual permission to request certificates yet, that is still limited to the taskgroup request_certs.
2009-10-20 10:59:07 -05:00
(servicename, hostname, realm) = split_principal(principal)
if subject_host.lower() != hostname.lower():
raise errors.ACIError(info="hostname in subject of request '%s' does not match principal hostname '%s'" % (subject_host, hostname))
Use pyasn1-based PKCS#10 and X509v3 parsers instead of pyOpenSSL. The pyOpenSSL PKCS#10 parser doesn't support attributes so we can't identify requests with subject alt names. Subject alt names are only allowed if: - the host for the alt name exists in IPA - if binding as host principal, the host is in the services managedBy attr
2009-11-24 15:07:44 -06:00
dn = None
service = None
Store the new certificate in a service record. Clean up some argument names to match the current standard.
2009-05-05 14:18:33 -05:00
# See if the service exists and punt if it doesn't and we aren't
# going to add it
try:
Make hosts more like real services so we can issue certs for host principals This patch should make joining a client to the domain and using certmonger to get an initial certificate work.
2009-12-16 15:04:53 -06:00
if not principal.startswith('host/'):
Use the caIPAserviceCert profile for issuing service certs. This profile enables subject validation and ensures that the subject that the CA issues is uniform. The client can only request a specific CN, the rest of the subject is fixed. This is the first step of allowing the subject to be set at installation time. Also fix 2 more issues related to the return results migration.
2009-12-18 10:01:00 -06:00
service = api.Command['service_show'](principal, all=True, raw=True)['result']
Make hosts more like real services so we can issue certs for host principals This patch should make joining a client to the domain and using certmonger to get an initial certificate work.
2009-12-16 15:04:53 -06:00
dn = service['dn']
else:
Clean up crypto code, take advantage of new nss-python capabilities This patch does the following: - drops our in-tree x509v3 parser to use the python-nss one - return more information on certificates - make an API change, renaming cert-get to cert-show - Drop a lot of duplicated code
2010-06-24 10:40:02 -05:00
hostname = get_host_from_principal(principal)
Make hosts more like real services so we can issue certs for host principals This patch should make joining a client to the domain and using certmonger to get an initial certificate work.
2009-12-16 15:04:53 -06:00
service = api.Command['host_show'](hostname, all=True, raw=True)['result']
dn = service['dn']
Store the new certificate in a service record. Clean up some argument names to match the current standard.
2009-05-05 14:18:33 -05:00
except errors.NotFound, e:
if not add:
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
raise errors.NotFound(reason="The service principal for this request doesn't exist.")
Use a new mechanism for delegating certificate issuance. Using the client IP address was a rather poor mechanism for controlling who could request certificates for whom. Instead the client machine will bind using the host service principal and request the certificate. In order to do this: * the service will need to exist * the machine needs to be in the certadmin rolegroup * the host needs to be in the managedBy attribute of the service It might look something like: admin ipa host-add client.example.com --password=secret123 ipa service-add HTTP/client.example.com ipa service-add-host --hosts=client.example.com HTTP/client.example.com ipa rolegroup-add-member --hosts=client.example.com certadmin client ipa-client-install ipa-join -w secret123 kinit -kt /etc/krb5.keytab host/client.example.com ipa -d cert-request file://web.csr --principal=HTTP/client.example.com
2009-11-03 08:35:19 -06:00
try:
Require that hosts be resolvable in DNS. Use --force to ignore warnings. This also requires a resolvable hostname on services as well. I want people to think long and hard about adding things that aren't resolvable. The cert plugin can automatically create services on the user's behalf when issuing a cert. It will always set the force flag to True. We use a lot of made-up host names in the test system, all of which require the force flag now. ticket #25
2010-07-22 13:16:22 -05:00
service = api.Command['service_add'](principal, **{'force': True})['result']
Make hosts more like real services so we can issue certs for host principals This patch should make joining a client to the domain and using certmonger to get an initial certificate work.
2009-12-16 15:04:53 -06:00
dn = service['dn']
Use a new mechanism for delegating certificate issuance. Using the client IP address was a rather poor mechanism for controlling who could request certificates for whom. Instead the client machine will bind using the host service principal and request the certificate. In order to do this: * the service will need to exist * the machine needs to be in the certadmin rolegroup * the host needs to be in the managedBy attribute of the service It might look something like: admin ipa host-add client.example.com --password=secret123 ipa service-add HTTP/client.example.com ipa service-add-host --hosts=client.example.com HTTP/client.example.com ipa rolegroup-add-member --hosts=client.example.com certadmin client ipa-client-install ipa-join -w secret123 kinit -kt /etc/krb5.keytab host/client.example.com ipa -d cert-request file://web.csr --principal=HTTP/client.example.com
2009-11-03 08:35:19 -06:00
except errors.ACIError:
raise errors.ACIError(info='You need to be a member of the serviceadmin role to add services')
# We got this far so the service entry exists, can we write it?
if not ldap.can_write(dn, "usercertificate"):
raise errors.ACIError(info="Insufficient 'write' privilege to the 'userCertificate' attribute of entry '%s'." % dn)
Store the new certificate in a service record. Clean up some argument names to match the current standard.
2009-05-05 14:18:33 -05:00
Use pyasn1-based PKCS#10 and X509v3 parsers instead of pyOpenSSL. The pyOpenSSL PKCS#10 parser doesn't support attributes so we can't identify requests with subject alt names. Subject alt names are only allowed if: - the host for the alt name exists in IPA - if binding as host principal, the host is in the services managedBy attr
2009-11-24 15:07:44 -06:00
# Validate the subject alt name, if any
Drop our own PKCS#10 ASN.1 decoder and use the one from python-nss This patch: - bumps up the minimum version of python-nss - will initialize NSS with nodb if a CSR is loaded and it isn't already init'd - will shutdown NSS if initialized in the RPC subsystem so we use right db - updated and added a few more tests Relying more on NSS introduces a bit of a problem. For NSS to work you need to have initialized a database (either a real one or no_db). But once you've initialized one and want to use another you have to close down the first one. I've added some code to nsslib.py to do just that. This could potentially have some bad side-effects at some point, it works ok now.
2010-07-20 13:00:43 -05:00
request = pkcs10.load_certificate_request(csr)
subjectaltname = pkcs10.get_subjectaltname(request)
Use pyasn1-based PKCS#10 and X509v3 parsers instead of pyOpenSSL. The pyOpenSSL PKCS#10 parser doesn't support attributes so we can't identify requests with subject alt names. Subject alt names are only allowed if: - the host for the alt name exists in IPA - if binding as host principal, the host is in the services managedBy attr
2009-11-24 15:07:44 -06:00
if subjectaltname is not None:
for name in subjectaltname:
try:
Make hosts more like real services so we can issue certs for host principals This patch should make joining a client to the domain and using certmonger to get an initial certificate work.
2009-12-16 15:04:53 -06:00
hostentry = api.Command['host_show'](name, all=True, raw=True)['result']
hostdn = hostentry['dn']
Use pyasn1-based PKCS#10 and X509v3 parsers instead of pyOpenSSL. The pyOpenSSL PKCS#10 parser doesn't support attributes so we can't identify requests with subject alt names. Subject alt names are only allowed if: - the host for the alt name exists in IPA - if binding as host principal, the host is in the services managedBy attr
2009-11-24 15:07:44 -06:00
except errors.NotFound:
# We don't want to issue any certificates referencing
# machines we don't know about. Nothing is stored in this
# host record related to this certificate.
raise errors.NotFound(reason='no host record for subject alt name %s in certificate request' % name)
authprincipal = getattr(context, 'principal')
if authprincipal.startswith("host/"):
if not hostdn in service.get('managedby', []):
raise errors.ACIError(info="Insufficient privilege to create a certificate with subject alt name '%s'." % name)
Add flag to allow a cert to be re-issued I don't want a user to accidentally re-issue a certificate so I've added a new flag, --revoke, to revoke the old cert and load the new one.
2010-01-28 14:48:10 -06:00
if 'usercertificate' in service:
Clean up crypto code, take advantage of new nss-python capabilities This patch does the following: - drops our in-tree x509v3 parser to use the python-nss one - return more information on certificates - make an API change, renaming cert-get to cert-show - Drop a lot of duplicated code
2010-06-24 10:40:02 -05:00
serial = x509.get_serial_number(service['usercertificate'][0], datatype=x509.DER)
Add flag to allow a cert to be re-issued I don't want a user to accidentally re-issue a certificate so I've added a new flag, --revoke, to revoke the old cert and load the new one.
2010-01-28 14:48:10 -06:00
# revoke the certificate and remove it from the service
Don't try to revoke a cert that is already revoked. We get a bit of an unusual error message back from dogtag when trying to revoke a revoked cert so check its status first.
2010-02-26 11:30:01 -06:00
# entry before proceeding. First we retrieve the certificate to
# see if it is already revoked, if not then we revoke it.
Use the Output tuple to determine the order of output The attributes displayed is now dependant upon their definition in a Param. This enhances that, giving some level of control over how the result is displayed to the user. This also fixes displaying group membership, including failures of adding/removing entries. All tests pass now though there is still one problem. We need to return the dn as well. Once that is fixed we just need to comment out all the dn entries in the tests and they should once again pass.
2010-02-12 15:34:21 -06:00
try:
Clean up crypto code, take advantage of new nss-python capabilities This patch does the following: - drops our in-tree x509v3 parser to use the python-nss one - return more information on certificates - make an API change, renaming cert-get to cert-show - Drop a lot of duplicated code
2010-06-24 10:40:02 -05:00
result = api.Command['cert_show'](unicode(serial))['result']
Don't try to revoke a cert that is already revoked. We get a bit of an unusual error message back from dogtag when trying to revoke a revoked cert so check its status first.
2010-02-26 11:30:01 -06:00
if 'revocation_reason' not in result:
try:
api.Command['cert_revoke'](unicode(serial), revocation_reason=4)
except errors.NotImplementedError:
# some CA's might not implement revoke
pass
Use the Output tuple to determine the order of output The attributes displayed is now dependant upon their definition in a Param. This enhances that, giving some level of control over how the result is displayed to the user. This also fixes displaying group membership, including failures of adding/removing entries. All tests pass now though there is still one problem. We need to return the dn as well. Once that is fixed we just need to comment out all the dn entries in the tests and they should once again pass.
2010-02-12 15:34:21 -06:00
except errors.NotImplementedError:
Don't try to revoke a cert that is already revoked. We get a bit of an unusual error message back from dogtag when trying to revoke a revoked cert so check its status first.
2010-02-26 11:30:01 -06:00
# some CA's might not implement get
Use the Output tuple to determine the order of output The attributes displayed is now dependant upon their definition in a Param. This enhances that, giving some level of control over how the result is displayed to the user. This also fixes displaying group membership, including failures of adding/removing entries. All tests pass now though there is still one problem. We need to return the dn as well. Once that is fixed we just need to comment out all the dn entries in the tests and they should once again pass.
2010-02-12 15:34:21 -06:00
pass
Clean up crypto code, take advantage of new nss-python capabilities This patch does the following: - drops our in-tree x509v3 parser to use the python-nss one - return more information on certificates - make an API change, renaming cert-get to cert-show - Drop a lot of duplicated code
2010-06-24 10:40:02 -05:00
if not principal.startswith('host/'):
api.Command['service_mod'](principal, usercertificate=None)
else:
hostname = get_host_from_principal(principal)
api.Command['host_mod'](hostname, usercertificate=None)
Add flag to allow a cert to be re-issued I don't want a user to accidentally re-issue a certificate so I've added a new flag, --revoke, to revoke the old cert and load the new one.
2010-01-28 14:48:10 -06:00
Store the new certificate in a service record. Clean up some argument names to match the current standard.
2009-05-05 14:18:33 -05:00
# Request the certificate
result = self.Backend.ra.request_certificate(csr, **kw)
Clean up crypto code, take advantage of new nss-python capabilities This patch does the following: - drops our in-tree x509v3 parser to use the python-nss one - return more information on certificates - make an API change, renaming cert-get to cert-show - Drop a lot of duplicated code
2010-06-24 10:40:02 -05:00
cert = x509.load_certificate(result['certificate'])
result['issuer'] = unicode(cert.issuer)
result['valid_not_before'] = unicode(cert.valid_not_before_str)
result['valid_not_after'] = unicode(cert.valid_not_after_str)
result['md5_fingerprint'] = unicode(nss.data_to_hex(nss.md5_digest(cert.der_data), 64)[0])
result['sha1_fingerprint'] = unicode(nss.data_to_hex(nss.sha1_digest(cert.der_data), 64)[0])
Store the new certificate in a service record. Clean up some argument names to match the current standard.
2009-05-05 14:18:33 -05:00
Use a new mechanism for delegating certificate issuance. Using the client IP address was a rather poor mechanism for controlling who could request certificates for whom. Instead the client machine will bind using the host service principal and request the certificate. In order to do this: * the service will need to exist * the machine needs to be in the certadmin rolegroup * the host needs to be in the managedBy attribute of the service It might look something like: admin ipa host-add client.example.com --password=secret123 ipa service-add HTTP/client.example.com ipa service-add-host --hosts=client.example.com HTTP/client.example.com ipa rolegroup-add-member --hosts=client.example.com certadmin client ipa-client-install ipa-join -w secret123 kinit -kt /etc/krb5.keytab host/client.example.com ipa -d cert-request file://web.csr --principal=HTTP/client.example.com
2009-11-03 08:35:19 -06:00
# Success? Then add it to the service entry.
Make hosts more like real services so we can issue certs for host principals This patch should make joining a client to the domain and using certmonger to get an initial certificate work.
2009-12-16 15:04:53 -06:00
if 'certificate' in result:
if not principal.startswith('host/'):
skw = {"usercertificate": str(result.get('certificate'))}
api.Command['service_mod'](principal, **skw)
else:
Clean up crypto code, take advantage of new nss-python capabilities This patch does the following: - drops our in-tree x509v3 parser to use the python-nss one - return more information on certificates - make an API change, renaming cert-get to cert-show - Drop a lot of duplicated code
2010-06-24 10:40:02 -05:00
hostname = get_host_from_principal(principal)
Make hosts more like real services so we can issue certs for host principals This patch should make joining a client to the domain and using certmonger to get an initial certificate work.
2009-12-16 15:04:53 -06:00
skw = {"usercertificate": str(result.get('certificate'))}
api.Command['host_mod'](hostname, **skw)
return dict(
result=result
)
Store the new certificate in a service record. Clean up some argument names to match the current standard.
2009-05-05 14:18:33 -05:00
Implemented more elegant way for entire plugin module to be conditionally skipped; updated cert.py and ra.py modules to use this
2009-02-12 03:10:12 -06:00
api.register(cert_request)
Merged in Andrew's RA plugin
2008-12-21 15:15:53 -06:00
Implement support for non-LDAP-based actions that use the LDAP ACI subsystem. There are some operations, like those for the certificate system, that don't need to write to the directory server. So instead we have an entry that we test against to determine whether the operation is allowed or not. This is done by attempting a write on the entry. If it would succeed then permission is granted. If not then denied. The write we attempt is actually invalid so the write itself will fail but the attempt will fail first if access is not permitted, so we can distinguish between the two without polluting the entry.
2009-07-10 15:40:39 -05:00
class cert_status(VirtualCommand):
Implemented more elegant way for entire plugin module to be conditionally skipped; updated cert.py and ra.py modules to use this
2009-02-12 03:10:12 -06:00
"""
Check status of a certificate signing request.
"""
Some cleanup in cert plugins module, changed to shorter command names all starting with cert_*
2009-02-05 16:30:58 -06:00
Use the Output tuple to determine the order of output The attributes displayed is now dependant upon their definition in a Param. This enhances that, giving some level of control over how the result is displayed to the user. This also fixes displaying group membership, including failures of adding/removing entries. All tests pass now though there is still one problem. We need to return the dn as well. Once that is fixed we just need to comment out all the dn entries in the tests and they should once again pass.
2010-02-12 15:34:21 -06:00
takes_args = (
Str('request_id',
Translatable Param.label, Param.doc
2010-02-19 10:08:16 -06:00
label=_('Request id'),
Use the Output tuple to determine the order of output The attributes displayed is now dependant upon their definition in a Param. This enhances that, giving some level of control over how the result is displayed to the user. This also fixes displaying group membership, including failures of adding/removing entries. All tests pass now though there is still one problem. We need to return the dn as well. Once that is fixed we just need to comment out all the dn entries in the tests and they should once again pass.
2010-02-12 15:34:21 -06:00
flags=['no_create', 'no_update', 'no_search'],
),
)
Clean up crypto code, take advantage of new nss-python capabilities This patch does the following: - drops our in-tree x509v3 parser to use the python-nss one - return more information on certificates - make an API change, renaming cert-get to cert-show - Drop a lot of duplicated code
2010-06-24 10:40:02 -05:00
has_output_params = (
Str('cert_request_status',
Translatable Param.label, Param.doc
2010-02-19 10:08:16 -06:00
label=_('Request status'),
Use the Output tuple to determine the order of output The attributes displayed is now dependant upon their definition in a Param. This enhances that, giving some level of control over how the result is displayed to the user. This also fixes displaying group membership, including failures of adding/removing entries. All tests pass now though there is still one problem. We need to return the dn as well. Once that is fixed we just need to comment out all the dn entries in the tests and they should once again pass.
2010-02-12 15:34:21 -06:00
),
)
Implement support for non-LDAP-based actions that use the LDAP ACI subsystem. There are some operations, like those for the certificate system, that don't need to write to the directory server. So instead we have an entry that we test against to determine whether the operation is allowed or not. This is done by attempting a write on the entry. If it would succeed then permission is granted. If not then denied. The write we attempt is actually invalid so the write itself will fail but the attempt will fail first if access is not permitted, so we can distinguish between the two without polluting the entry.
2009-07-10 15:40:39 -05:00
operation = "certificate status"
Merged in Andrew's RA plugin
2008-12-21 15:15:53 -06:00
Store the new certificate in a service record. Clean up some argument names to match the current standard.
2009-05-05 14:18:33 -05:00
def execute(self, request_id, **kw):
First pass at enforcing certificates be requested from same host We want to only allow a machine to request a certificate for itself, not for other machines. I've added a new taksgroup which will allow this. The requesting IP is resolved and compared to the subject of the CSR to determine if they are the same host. The same is done with the service principal. Subject alt names are not queried yet. This does not yet grant machines actual permission to request certificates yet, that is still limited to the taskgroup request_certs.
2009-10-20 10:59:07 -05:00
self.check_access()
Fix plugin to work with new output validation, add new helpers Add a new get_subject() helper and return the subject when retrieving certificates. Add a normalizer so that everything before and after the BEGIN/END block is removed.
2010-01-20 09:03:42 -06:00
return dict(
result=self.Backend.ra.check_request_status(request_id)
)
Merged in Andrew's RA plugin
2008-12-21 15:15:53 -06:00
Implemented more elegant way for entire plugin module to be conditionally skipped; updated cert.py and ra.py modules to use this
2009-02-12 03:10:12 -06:00
api.register(cert_status)
Merged in Andrew's RA plugin
2008-12-21 15:15:53 -06:00
Translatable Param.label, Param.doc
2010-02-19 10:08:16 -06:00
_serial_number = Str('serial_number',
label=_('Serial number'),
doc=_('Serial number in decimal or if prefixed with 0x in hexadecimal'),
)
Clean up crypto code, take advantage of new nss-python capabilities This patch does the following: - drops our in-tree x509v3 parser to use the python-nss one - return more information on certificates - make an API change, renaming cert-get to cert-show - Drop a lot of duplicated code
2010-06-24 10:40:02 -05:00
class cert_show(VirtualCommand):
Implemented more elegant way for entire plugin module to be conditionally skipped; updated cert.py and ra.py modules to use this
2009-02-12 03:10:12 -06:00
"""
Retrieve an existing certificate.
"""
Merged in Andrew's RA plugin
2008-12-21 15:15:53 -06:00
Translatable Param.label, Param.doc
2010-02-19 10:08:16 -06:00
takes_args = _serial_number
Clean up crypto code, take advantage of new nss-python capabilities This patch does the following: - drops our in-tree x509v3 parser to use the python-nss one - return more information on certificates - make an API change, renaming cert-get to cert-show - Drop a lot of duplicated code
2010-06-24 10:40:02 -05:00
has_output_params = (
Str('certificate',
Translatable Param.label, Param.doc
2010-02-19 10:08:16 -06:00
label=_('Certificate'),
Use the Output tuple to determine the order of output The attributes displayed is now dependant upon their definition in a Param. This enhances that, giving some level of control over how the result is displayed to the user. This also fixes displaying group membership, including failures of adding/removing entries. All tests pass now though there is still one problem. We need to return the dn as well. Once that is fixed we just need to comment out all the dn entries in the tests and they should once again pass.
2010-02-12 15:34:21 -06:00
),
Clean up crypto code, take advantage of new nss-python capabilities This patch does the following: - drops our in-tree x509v3 parser to use the python-nss one - return more information on certificates - make an API change, renaming cert-get to cert-show - Drop a lot of duplicated code
2010-06-24 10:40:02 -05:00
Str('subject',
Translatable Param.label, Param.doc
2010-02-19 10:08:16 -06:00
label=_('Subject'),
Clean up crypto code, take advantage of new nss-python capabilities This patch does the following: - drops our in-tree x509v3 parser to use the python-nss one - return more information on certificates - make an API change, renaming cert-get to cert-show - Drop a lot of duplicated code
2010-06-24 10:40:02 -05:00
),
Str('issuer',
label=_('Issuer'),
),
Str('valid_not_before',
label=_('Not Before'),
),
Str('valid_not_after',
label=_('Not After'),
),
Str('md5_fingerprint',
label=_('Fingerprint (MD5)'),
),
Str('sha1_fingerprint',
label=_('Fingerprint (SHA1)'),
Use the Output tuple to determine the order of output The attributes displayed is now dependant upon their definition in a Param. This enhances that, giving some level of control over how the result is displayed to the user. This also fixes displaying group membership, including failures of adding/removing entries. All tests pass now though there is still one problem. We need to return the dn as well. Once that is fixed we just need to comment out all the dn entries in the tests and they should once again pass.
2010-02-12 15:34:21 -06:00
),
Don't try to revoke a cert that is already revoked. We get a bit of an unusual error message back from dogtag when trying to revoke a revoked cert so check its status first.
2010-02-26 11:30:01 -06:00
Str('revocation_reason?',
label=_('Revocation reason'),
),
Use the Output tuple to determine the order of output The attributes displayed is now dependant upon their definition in a Param. This enhances that, giving some level of control over how the result is displayed to the user. This also fixes displaying group membership, including failures of adding/removing entries. All tests pass now though there is still one problem. We need to return the dn as well. Once that is fixed we just need to comment out all the dn entries in the tests and they should once again pass.
2010-02-12 15:34:21 -06:00
)
Implement support for non-LDAP-based actions that use the LDAP ACI subsystem. There are some operations, like those for the certificate system, that don't need to write to the directory server. So instead we have an entry that we test against to determine whether the operation is allowed or not. This is done by attempting a write on the entry. If it would succeed then permission is granted. If not then denied. The write we attempt is actually invalid so the write itself will fail but the attempt will fail first if access is not permitted, so we can distinguish between the two without polluting the entry.
2009-07-10 15:40:39 -05:00
operation="retrieve certificate"
Merged in Andrew's RA plugin
2008-12-21 15:15:53 -06:00
Implemented more elegant way for entire plugin module to be conditionally skipped; updated cert.py and ra.py modules to use this
2009-02-12 03:10:12 -06:00
def execute(self, serial_number):
Have certmonger track the initial Apache and 389-ds server certs. We don't use certmonger to get certificates during installation because of the chicken-and-egg problem. This means that the IPA web and ldap certs aren't being tracked for renewal. This requires some manual changes to the certmonger request files once tracking has begun because it doesn't store a subject or principal template when a cert is added via start-tracking. This also required some changes to the cert command plugin to allow a host to execute calls against its own service certs. ticket 67
2010-09-08 21:11:31 -05:00
hostname = None
try:
self.check_access()
except errors.ACIError, acierr:
self.debug("Not granted by ACI to retrieve certificate, looking at principal")
bind_principal = getattr(context, 'principal')
if not bind_principal.startswith('host/'):
raise acierr
hostname = get_host_from_principal(bind_principal)
Fix plugin to work with new output validation, add new helpers Add a new get_subject() helper and return the subject when retrieving certificates. Add a normalizer so that everything before and after the BEGIN/END block is removed.
2010-01-20 09:03:42 -06:00
result=self.Backend.ra.get_certificate(serial_number)
Clean up crypto code, take advantage of new nss-python capabilities This patch does the following: - drops our in-tree x509v3 parser to use the python-nss one - return more information on certificates - make an API change, renaming cert-get to cert-show - Drop a lot of duplicated code
2010-06-24 10:40:02 -05:00
cert = x509.load_certificate(result['certificate'])
result['subject'] = unicode(cert.subject)
result['issuer'] = unicode(cert.issuer)
result['valid_not_before'] = unicode(cert.valid_not_before_str)
result['valid_not_after'] = unicode(cert.valid_not_after_str)
result['md5_fingerprint'] = unicode(nss.data_to_hex(nss.md5_digest(cert.der_data), 64)[0])
result['sha1_fingerprint'] = unicode(nss.data_to_hex(nss.sha1_digest(cert.der_data), 64)[0])
Have certmonger track the initial Apache and 389-ds server certs. We don't use certmonger to get certificates during installation because of the chicken-and-egg problem. This means that the IPA web and ldap certs aren't being tracked for renewal. This requires some manual changes to the certmonger request files once tracking has begun because it doesn't store a subject or principal template when a cert is added via start-tracking. This also required some changes to the cert command plugin to allow a host to execute calls against its own service certs. ticket 67
2010-09-08 21:11:31 -05:00
if hostname:
# If we have a hostname we want to verify that the subject
# of the certificate matches it, otherwise raise an error
if hostname != cert.subject.common_name:
raise acierr
Fix plugin to work with new output validation, add new helpers Add a new get_subject() helper and return the subject when retrieving certificates. Add a normalizer so that everything before and after the BEGIN/END block is removed.
2010-01-20 09:03:42 -06:00
return dict(result=result)
Merged in Andrew's RA plugin
2008-12-21 15:15:53 -06:00
Clean up crypto code, take advantage of new nss-python capabilities This patch does the following: - drops our in-tree x509v3 parser to use the python-nss one - return more information on certificates - make an API change, renaming cert-get to cert-show - Drop a lot of duplicated code
2010-06-24 10:40:02 -05:00
api.register(cert_show)
Merged in Andrew's RA plugin
2008-12-21 15:15:53 -06:00
Implement support for non-LDAP-based actions that use the LDAP ACI subsystem. There are some operations, like those for the certificate system, that don't need to write to the directory server. So instead we have an entry that we test against to determine whether the operation is allowed or not. This is done by attempting a write on the entry. If it would succeed then permission is granted. If not then denied. The write we attempt is actually invalid so the write itself will fail but the attempt will fail first if access is not permitted, so we can distinguish between the two without polluting the entry.
2009-07-10 15:40:39 -05:00
class cert_revoke(VirtualCommand):
Implemented more elegant way for entire plugin module to be conditionally skipped; updated cert.py and ra.py modules to use this
2009-02-12 03:10:12 -06:00
"""
Revoke a certificate.
"""
Merged in Andrew's RA plugin
2008-12-21 15:15:53 -06:00
Translatable Param.label, Param.doc
2010-02-19 10:08:16 -06:00
takes_args = _serial_number
Clean up crypto code, take advantage of new nss-python capabilities This patch does the following: - drops our in-tree x509v3 parser to use the python-nss one - return more information on certificates - make an API change, renaming cert-get to cert-show - Drop a lot of duplicated code
2010-06-24 10:40:02 -05:00
has_output_params = (
Flag('revoked',
Translatable Param.label, Param.doc
2010-02-19 10:08:16 -06:00
label=_('Revoked'),
Use the Output tuple to determine the order of output The attributes displayed is now dependant upon their definition in a Param. This enhances that, giving some level of control over how the result is displayed to the user. This also fixes displaying group membership, including failures of adding/removing entries. All tests pass now though there is still one problem. We need to return the dn as well. Once that is fixed we just need to comment out all the dn entries in the tests and they should once again pass.
2010-02-12 15:34:21 -06:00
),
)
Implement support for non-LDAP-based actions that use the LDAP ACI subsystem. There are some operations, like those for the certificate system, that don't need to write to the directory server. So instead we have an entry that we test against to determine whether the operation is allowed or not. This is done by attempting a write on the entry. If it would succeed then permission is granted. If not then denied. The write we attempt is actually invalid so the write itself will fail but the attempt will fail first if access is not permitted, so we can distinguish between the two without polluting the entry.
2009-07-10 15:40:39 -05:00
operation = "revoke certificate"
Merged in Andrew's RA plugin
2008-12-21 15:15:53 -06:00
Implemented more elegant way for entire plugin module to be conditionally skipped; updated cert.py and ra.py modules to use this
2009-02-12 03:10:12 -06:00
# FIXME: The default is 0. Is this really an Int param?
Improve revocation_reason argument
2009-05-08 13:10:53 -05:00
takes_options = (
Int('revocation_reason?',
Translatable Param.label, Param.doc
2010-02-19 10:08:16 -06:00
label=_('Reason'),
doc=_('Reason for revoking the certificate (0-10)'),
Improve revocation_reason argument
2009-05-08 13:10:53 -05:00
minvalue=0,
maxvalue=10,
default=0,
),
)
Merged in Andrew's RA plugin
2008-12-21 15:15:53 -06:00
Store the new certificate in a service record. Clean up some argument names to match the current standard.
2009-05-05 14:18:33 -05:00
def execute(self, serial_number, **kw):
Have certmonger track the initial Apache and 389-ds server certs. We don't use certmonger to get certificates during installation because of the chicken-and-egg problem. This means that the IPA web and ldap certs aren't being tracked for renewal. This requires some manual changes to the certmonger request files once tracking has begun because it doesn't store a subject or principal template when a cert is added via start-tracking. This also required some changes to the cert command plugin to allow a host to execute calls against its own service certs. ticket 67
2010-09-08 21:11:31 -05:00
hostname = None
try:
self.check_access()
except errors.ACIError, acierr:
self.debug("Not granted by ACI to revoke certificate, looking at principal")
try:
# Let cert_show() handle verifying that the subject of the
# cert we're dealing with matches the hostname in the principal
result = api.Command['cert_show'](unicode(serial_number))['result']
except errors.NotImplementedError:
pass
Fix plugin to work with new output validation, add new helpers Add a new get_subject() helper and return the subject when retrieving certificates. Add a normalizer so that everything before and after the BEGIN/END block is removed.
2010-01-20 09:03:42 -06:00
return dict(
result=self.Backend.ra.revoke_certificate(serial_number, **kw)
)
Merged in Andrew's RA plugin
2008-12-21 15:15:53 -06:00
Implemented more elegant way for entire plugin module to be conditionally skipped; updated cert.py and ra.py modules to use this
2009-02-12 03:10:12 -06:00
api.register(cert_revoke)
Merged in Andrew's RA plugin
2008-12-21 15:15:53 -06:00
Implement support for non-LDAP-based actions that use the LDAP ACI subsystem. There are some operations, like those for the certificate system, that don't need to write to the directory server. So instead we have an entry that we test against to determine whether the operation is allowed or not. This is done by attempting a write on the entry. If it would succeed then permission is granted. If not then denied. The write we attempt is actually invalid so the write itself will fail but the attempt will fail first if access is not permitted, so we can distinguish between the two without polluting the entry.
2009-07-10 15:40:39 -05:00
class cert_remove_hold(VirtualCommand):
Implemented more elegant way for entire plugin module to be conditionally skipped; updated cert.py and ra.py modules to use this
2009-02-12 03:10:12 -06:00
"""
Take a revoked certificate off hold.
"""
Merged in Andrew's RA plugin
2008-12-21 15:15:53 -06:00
Translatable Param.label, Param.doc
2010-02-19 10:08:16 -06:00
takes_args = _serial_number
Clean up crypto code, take advantage of new nss-python capabilities This patch does the following: - drops our in-tree x509v3 parser to use the python-nss one - return more information on certificates - make an API change, renaming cert-get to cert-show - Drop a lot of duplicated code
2010-06-24 10:40:02 -05:00
has_output_params = (
Use the Output tuple to determine the order of output The attributes displayed is now dependant upon their definition in a Param. This enhances that, giving some level of control over how the result is displayed to the user. This also fixes displaying group membership, including failures of adding/removing entries. All tests pass now though there is still one problem. We need to return the dn as well. Once that is fixed we just need to comment out all the dn entries in the tests and they should once again pass.
2010-02-12 15:34:21 -06:00
Flag('unrevoked?',
Translatable Param.label, Param.doc
2010-02-19 10:08:16 -06:00
label=_('Unrevoked'),
Use the Output tuple to determine the order of output The attributes displayed is now dependant upon their definition in a Param. This enhances that, giving some level of control over how the result is displayed to the user. This also fixes displaying group membership, including failures of adding/removing entries. All tests pass now though there is still one problem. We need to return the dn as well. Once that is fixed we just need to comment out all the dn entries in the tests and they should once again pass.
2010-02-12 15:34:21 -06:00
),
Str('error_string?',
Translatable Param.label, Param.doc
2010-02-19 10:08:16 -06:00
label=_('Error'),
Use the Output tuple to determine the order of output The attributes displayed is now dependant upon their definition in a Param. This enhances that, giving some level of control over how the result is displayed to the user. This also fixes displaying group membership, including failures of adding/removing entries. All tests pass now though there is still one problem. We need to return the dn as well. Once that is fixed we just need to comment out all the dn entries in the tests and they should once again pass.
2010-02-12 15:34:21 -06:00
),
)
Implement support for non-LDAP-based actions that use the LDAP ACI subsystem. There are some operations, like those for the certificate system, that don't need to write to the directory server. So instead we have an entry that we test against to determine whether the operation is allowed or not. This is done by attempting a write on the entry. If it would succeed then permission is granted. If not then denied. The write we attempt is actually invalid so the write itself will fail but the attempt will fail first if access is not permitted, so we can distinguish between the two without polluting the entry.
2009-07-10 15:40:39 -05:00
operation = "certificate remove hold"
Merged in Andrew's RA plugin
2008-12-21 15:15:53 -06:00
Store the new certificate in a service record. Clean up some argument names to match the current standard.
2009-05-05 14:18:33 -05:00
def execute(self, serial_number, **kw):
First pass at enforcing certificates be requested from same host We want to only allow a machine to request a certificate for itself, not for other machines. I've added a new taksgroup which will allow this. The requesting IP is resolved and compared to the subject of the CSR to determine if they are the same host. The same is done with the service principal. Subject alt names are not queried yet. This does not yet grant machines actual permission to request certificates yet, that is still limited to the taskgroup request_certs.
2009-10-20 10:59:07 -05:00
self.check_access()
Fix plugin to work with new output validation, add new helpers Add a new get_subject() helper and return the subject when retrieving certificates. Add a normalizer so that everything before and after the BEGIN/END block is removed.
2010-01-20 09:03:42 -06:00
return dict(
result=self.Backend.ra.take_certificate_off_hold(serial_number)
)
Implemented more elegant way for entire plugin module to be conditionally skipped; updated cert.py and ra.py modules to use this
2009-02-12 03:10:12 -06:00
api.register(cert_remove_hold)
Reference in New Issue Copy Permalink