2015-05-08 12:39:29 -05:00
|
|
|
# Copyright (C) 2015 FreeIPa Project Contributors, see 'COPYING' for license.
|
|
|
|
|
2017-03-31 10:22:45 -05:00
|
|
|
from ipaserver.secrets.kem import IPAKEMKeys, KEMLdap
|
2016-11-22 10:55:10 -06:00
|
|
|
from ipaserver.secrets.client import CustodiaClient
|
2015-05-08 12:39:29 -05:00
|
|
|
from ipaplatform.paths import paths
|
2016-03-22 03:40:43 -05:00
|
|
|
from ipaplatform.constants import constants
|
2016-05-03 08:53:12 -05:00
|
|
|
from ipaserver.install.service import SimpleServiceInstance
|
2015-05-08 12:39:29 -05:00
|
|
|
from ipapython import ipautil
|
2015-11-03 11:33:17 -06:00
|
|
|
from ipapython.ipa_log_manager import root_logger
|
2017-01-06 07:19:12 -06:00
|
|
|
from ipapython.certdb import NSSDatabase
|
2015-05-08 12:39:29 -05:00
|
|
|
from ipaserver.install import installutils
|
2015-11-27 09:21:02 -06:00
|
|
|
from ipaserver.install import ldapupdate
|
2015-11-03 11:33:17 -06:00
|
|
|
from ipaserver.install import sysupgrade
|
2017-01-06 07:19:12 -06:00
|
|
|
from base64 import b64decode
|
2015-08-07 10:44:59 -05:00
|
|
|
from jwcrypto.common import json_decode
|
2016-04-08 00:21:19 -05:00
|
|
|
import functools
|
2015-08-07 10:44:59 -05:00
|
|
|
import shutil
|
2015-05-08 12:39:29 -05:00
|
|
|
import os
|
2016-08-08 08:05:52 -05:00
|
|
|
import stat
|
2015-08-07 10:44:59 -05:00
|
|
|
import tempfile
|
2017-03-31 10:22:45 -05:00
|
|
|
import time
|
2016-03-22 03:40:43 -05:00
|
|
|
import pwd
|
2015-05-08 12:39:29 -05:00
|
|
|
|
|
|
|
|
|
|
|
class CustodiaInstance(SimpleServiceInstance):
|
2016-10-26 07:28:21 -05:00
|
|
|
def __init__(self, host_name=None, realm=None):
|
2015-05-08 12:39:29 -05:00
|
|
|
super(CustodiaInstance, self).__init__("ipa-custodia")
|
|
|
|
self.config_file = paths.IPA_CUSTODIA_CONF
|
|
|
|
self.server_keys = os.path.join(paths.IPA_CUSTODIA_CONF_DIR,
|
|
|
|
'server.keys')
|
2015-06-11 14:45:38 -05:00
|
|
|
self.ldap_uri = None
|
|
|
|
self.fqdn = host_name
|
|
|
|
self.realm = realm
|
2016-04-08 00:21:19 -05:00
|
|
|
self.__CustodiaClient = functools.partial(
|
|
|
|
CustodiaClient,
|
|
|
|
client_service='host@%s' % self.fqdn,
|
|
|
|
keyfile=self.server_keys,
|
|
|
|
keytab=paths.KRB5_KEYTAB,
|
|
|
|
realm=realm,
|
|
|
|
)
|
2015-05-08 12:39:29 -05:00
|
|
|
|
|
|
|
def __config_file(self):
|
|
|
|
template_file = os.path.basename(self.config_file) + '.template'
|
2016-11-22 09:06:45 -06:00
|
|
|
template = os.path.join(paths.USR_SHARE_IPA_DIR, template_file)
|
2016-03-22 03:40:43 -05:00
|
|
|
httpd_info = pwd.getpwnam(constants.HTTPD_USER)
|
2015-05-08 12:39:29 -05:00
|
|
|
sub_dict = dict(IPA_CUSTODIA_CONF_DIR=paths.IPA_CUSTODIA_CONF_DIR,
|
|
|
|
IPA_CUSTODIA_SOCKET=paths.IPA_CUSTODIA_SOCKET,
|
|
|
|
IPA_CUSTODIA_AUDIT_LOG=paths.IPA_CUSTODIA_AUDIT_LOG,
|
2016-03-22 03:40:43 -05:00
|
|
|
LDAP_URI=installutils.realm_to_ldapi_uri(self.realm),
|
|
|
|
UID=httpd_info.pw_uid, GID=httpd_info.pw_gid)
|
2015-05-08 12:39:29 -05:00
|
|
|
conf = ipautil.template_file(template, sub_dict)
|
|
|
|
fd = open(self.config_file, "w+")
|
|
|
|
fd.write(conf)
|
|
|
|
fd.flush()
|
|
|
|
fd.close()
|
|
|
|
|
2016-10-06 10:35:04 -05:00
|
|
|
def create_instance(self):
|
2015-06-11 14:45:38 -05:00
|
|
|
suffix = ipautil.realm_to_suffix(self.realm)
|
2015-05-08 12:39:29 -05:00
|
|
|
self.step("Generating ipa-custodia config file", self.__config_file)
|
2015-11-27 09:21:02 -06:00
|
|
|
self.step("Making sure custodia container exists", self.__create_container)
|
2015-05-08 12:39:29 -05:00
|
|
|
self.step("Generating ipa-custodia keys", self.__gen_keys)
|
2015-06-11 14:45:38 -05:00
|
|
|
super(CustodiaInstance, self).create_instance(gensvc_name='KEYS',
|
|
|
|
fqdn=self.fqdn,
|
|
|
|
ldap_suffix=suffix,
|
|
|
|
realm=self.realm)
|
2015-11-03 11:33:17 -06:00
|
|
|
sysupgrade.set_upgrade_state('custodia', 'installed', True)
|
2015-05-08 12:39:29 -05:00
|
|
|
|
|
|
|
def __gen_keys(self):
|
2015-06-11 14:45:38 -05:00
|
|
|
KeyStore = IPAKEMKeys({'server_keys': self.server_keys,
|
|
|
|
'ldap_uri': self.ldap_uri})
|
2015-05-08 12:39:29 -05:00
|
|
|
KeyStore.generate_server_keys()
|
|
|
|
|
2015-06-11 14:45:38 -05:00
|
|
|
def upgrade_instance(self):
|
2015-11-03 11:33:17 -06:00
|
|
|
if not sysupgrade.get_upgrade_state("custodia", "installed"):
|
|
|
|
root_logger.info("Custodia service is being configured")
|
|
|
|
self.create_instance()
|
2016-11-24 02:55:27 -06:00
|
|
|
else:
|
|
|
|
old_config = open(self.config_file).read()
|
|
|
|
self.__config_file()
|
|
|
|
new_config = open(self.config_file).read()
|
|
|
|
if new_config != old_config:
|
|
|
|
root_logger.info("Restarting Custodia")
|
|
|
|
self.restart()
|
|
|
|
|
2016-08-08 08:05:52 -05:00
|
|
|
mode = os.stat(self.server_keys).st_mode
|
|
|
|
if stat.S_IMODE(mode) != 0o600:
|
|
|
|
root_logger.info("Secure server.keys mode")
|
|
|
|
os.chmod(self.server_keys, 0o600)
|
2015-05-08 12:39:29 -05:00
|
|
|
|
2015-06-11 14:45:38 -05:00
|
|
|
def create_replica(self, master_host_name):
|
|
|
|
suffix = ipautil.realm_to_suffix(self.realm)
|
|
|
|
self.ldap_uri = 'ldap://%s' % master_host_name
|
|
|
|
self.master_host_name = master_host_name
|
|
|
|
|
|
|
|
self.step("Generating ipa-custodia config file", self.__config_file)
|
|
|
|
self.step("Generating ipa-custodia keys", self.__gen_keys)
|
|
|
|
super(CustodiaInstance, self).create_instance(gensvc_name='KEYS',
|
|
|
|
fqdn=self.fqdn,
|
|
|
|
ldap_suffix=suffix,
|
|
|
|
realm=self.realm)
|
|
|
|
|
2015-11-27 09:21:02 -06:00
|
|
|
def __create_container(self):
|
|
|
|
"""
|
|
|
|
Runs the custodia update file to ensure custodia container is present.
|
|
|
|
"""
|
|
|
|
|
|
|
|
sub_dict = {
|
|
|
|
'SUFFIX': self.suffix,
|
|
|
|
}
|
|
|
|
|
2016-10-06 10:35:04 -05:00
|
|
|
updater = ldapupdate.LDAPUpdate(sub_dict=sub_dict)
|
2015-11-27 09:21:02 -06:00
|
|
|
updater.update([os.path.join(paths.UPDATES_DIR, '73-custodia.update')])
|
|
|
|
|
2016-10-26 07:28:21 -05:00
|
|
|
def import_ra_key(self, master_host_name):
|
|
|
|
cli = self.__CustodiaClient(server=master_host_name)
|
2017-01-13 02:08:42 -06:00
|
|
|
# please note that ipaCert part has to stay here for historical
|
|
|
|
# reasons (old servers expect you to ask for ra/ipaCert during
|
|
|
|
# replication as they store the RA agent cert in an NSS database
|
|
|
|
# with this nickname)
|
2015-06-11 14:45:38 -05:00
|
|
|
cli.fetch_key('ra/ipaCert')
|
|
|
|
|
|
|
|
def import_dm_password(self, master_host_name):
|
2016-04-08 00:21:19 -05:00
|
|
|
cli = self.__CustodiaClient(server=master_host_name)
|
2015-06-11 14:45:38 -05:00
|
|
|
cli.fetch_key('dm/DMHash')
|
|
|
|
|
2017-03-31 10:22:45 -05:00
|
|
|
def __wait_keys(self, host, timeout=300):
|
|
|
|
ldap_uri = 'ldap://%s' % host
|
|
|
|
deadline = int(time.time()) + timeout
|
|
|
|
root_logger.info("Waiting up to {} seconds to see our keys "
|
|
|
|
"appear on host: {}".format(timeout, host))
|
|
|
|
|
|
|
|
konn = KEMLdap(ldap_uri)
|
|
|
|
saved_e = None
|
|
|
|
while True:
|
|
|
|
try:
|
|
|
|
return konn.check_host_keys(self.fqdn)
|
|
|
|
except Exception as e:
|
|
|
|
# log only once for the same error
|
|
|
|
if not isinstance(e, type(saved_e)):
|
|
|
|
root_logger.debug(
|
|
|
|
"Transient error getting keys: '{err}'".format(err=e))
|
|
|
|
saved_e = e
|
|
|
|
if int(time.time()) > deadline:
|
|
|
|
raise RuntimeError("Timed out trying to obtain keys.")
|
|
|
|
time.sleep(1)
|
|
|
|
|
2015-08-25 14:42:25 -05:00
|
|
|
def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data):
|
2015-08-07 10:44:59 -05:00
|
|
|
# Fecth all needed certs one by one, then combine them in a single
|
|
|
|
# p12 file
|
2015-08-25 14:42:25 -05:00
|
|
|
|
|
|
|
prefix = data['prefix']
|
|
|
|
certlist = data['list']
|
2015-08-07 10:44:59 -05:00
|
|
|
|
2017-03-31 10:22:45 -05:00
|
|
|
# Before we attempt to fetch keys from this host, make sure our public
|
|
|
|
# keys have been replicated there.
|
|
|
|
self.__wait_keys(ca_host)
|
|
|
|
|
2016-04-08 00:21:19 -05:00
|
|
|
cli = self.__CustodiaClient(server=ca_host)
|
2015-08-07 10:44:59 -05:00
|
|
|
|
|
|
|
# Temporary nssdb
|
|
|
|
tmpnssdir = tempfile.mkdtemp(dir=paths.TMP)
|
2017-01-06 07:19:12 -06:00
|
|
|
tmpdb = NSSDatabase(tmpnssdir)
|
|
|
|
tmpdb.create_db()
|
2015-08-07 10:44:59 -05:00
|
|
|
try:
|
|
|
|
# Cert file password
|
|
|
|
crtpwfile = os.path.join(tmpnssdir, 'crtpwfile')
|
|
|
|
with open(crtpwfile, 'w+') as f:
|
|
|
|
f.write(cacerts_pwd)
|
|
|
|
f.flush()
|
|
|
|
|
|
|
|
for nickname in certlist:
|
2015-08-25 14:42:25 -05:00
|
|
|
value = cli.fetch_key(os.path.join(prefix, nickname), False)
|
2015-08-07 10:44:59 -05:00
|
|
|
v = json_decode(value)
|
|
|
|
pk12pwfile = os.path.join(tmpnssdir, 'pk12pwfile')
|
|
|
|
with open(pk12pwfile, 'w+') as f:
|
|
|
|
f.write(v['export password'])
|
|
|
|
pk12file = os.path.join(tmpnssdir, 'pk12file')
|
|
|
|
with open(pk12file, 'w+') as f:
|
|
|
|
f.write(b64decode(v['pkcs12 data']))
|
|
|
|
ipautil.run([paths.PK12UTIL,
|
2017-01-06 07:19:12 -06:00
|
|
|
'-d', tmpdb.secdir,
|
|
|
|
'-k', tmpdb.pwd_file,
|
2015-08-07 10:44:59 -05:00
|
|
|
'-n', nickname,
|
|
|
|
'-i', pk12file,
|
|
|
|
'-w', pk12pwfile])
|
|
|
|
|
2016-08-23 03:39:08 -05:00
|
|
|
# Add CA certificates
|
|
|
|
self.suffix = ipautil.realm_to_suffix(self.realm)
|
|
|
|
self.import_ca_certs(tmpdb, True)
|
|
|
|
|
2015-08-07 10:44:59 -05:00
|
|
|
# Now that we gathered all certs, re-export
|
|
|
|
ipautil.run([paths.PKCS12EXPORT,
|
2017-01-06 07:19:12 -06:00
|
|
|
'-d', tmpdb.secdir,
|
|
|
|
'-p', tmpdb.pwd_file,
|
2015-08-07 10:44:59 -05:00
|
|
|
'-w', crtpwfile,
|
|
|
|
'-o', cacerts_file])
|
|
|
|
|
|
|
|
finally:
|
|
|
|
shutil.rmtree(tmpnssdir)
|
|
|
|
|
2015-08-25 14:42:25 -05:00
|
|
|
def get_ca_keys(self, ca_host, cacerts_file, cacerts_pwd):
|
|
|
|
certlist = ['caSigningCert cert-pki-ca',
|
|
|
|
'ocspSigningCert cert-pki-ca',
|
|
|
|
'auditSigningCert cert-pki-ca',
|
|
|
|
'subsystemCert cert-pki-ca']
|
|
|
|
data = {'prefix': 'ca',
|
|
|
|
'list': certlist}
|
|
|
|
self.__get_keys(ca_host, cacerts_file, cacerts_pwd, data)
|
|
|
|
|
|
|
|
def get_kra_keys(self, ca_host, cacerts_file, cacerts_pwd):
|
|
|
|
certlist = ['auditSigningCert cert-pki-kra',
|
|
|
|
'storageCert cert-pki-kra',
|
|
|
|
'subsystemCert cert-pki-ca',
|
|
|
|
'transportCert cert-pki-kra']
|
|
|
|
data = {'prefix': 'ca',
|
|
|
|
'list': certlist}
|
|
|
|
self.__get_keys(ca_host, cacerts_file, cacerts_pwd, data)
|
|
|
|
|
2015-05-08 12:39:29 -05:00
|
|
|
def __start(self):
|
|
|
|
super(CustodiaInstance, self).__start()
|
|
|
|
|
|
|
|
def __enable(self):
|
|
|
|
super(CustodiaInstance, self).__enable()
|