freeipa/ipaserver/install/plugins/update_ra_cert_store.py

#
# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
#

from __future__ import absolute_import

import logging
import os
import tempfile

from ipalib import Registry
from ipalib import Updater
from ipalib.install import certmonger
from ipaplatform.paths import paths
from ipapython.certdb import NSSDatabase
from ipaserver.install import cainstance

logger = logging.getLogger(__name__)

register = Registry()


@register()
class update_ra_cert_store(Updater):
    """
    Moves the ipaCert store from /etc/httpd/alias RA_AGENT_PEM, RA_AGENT_KEY
    files
    """

    def execute(self, **options):
        ra_nick = 'ipaCert'
        ca_enabled = self.api.Command.ca_is_enabled()['result']
        if not ca_enabled:
            return False, []

        certdb = NSSDatabase(nssdir=paths.HTTPD_ALIAS_DIR)
        if not certdb.has_nickname(ra_nick):
            # Nothign to do
            return False, []
        elif os.path.exists(paths.RA_AGENT_PEM):
            # even though the certificate file exists, we will overwrite it
            # as it's probabably something wrong anyway
            logger.warning(
                "A certificate with the nickname 'ipaCert' exists in "
                "the old '%s' NSS database as well as in the new "
                "PEM file '%s'",
                paths.HTTPD_ALIAS_DIR, paths.RA_AGENT_PEM)

        _fd, p12file = tempfile.mkstemp(dir=certdb.secdir)
        # no password is necessary as we will be saving it in clear anyway
        certdb.export_pkcs12(ra_nick, p12file, pkcs12_passwd='')

        # stop tracking the old cert and remove it
        certmonger.stop_tracking(paths.HTTPD_ALIAS_DIR, nickname=ra_nick)
        certdb.delete_cert(ra_nick)
        if os.path.exists(paths.OLD_KRA_AGENT_PEM):
            os.remove(paths.OLD_KRA_AGENT_PEM)

        # get the private key and certificate from the file and start
        # tracking it in certmonger
        ca = cainstance.CAInstance()
        ca.import_ra_cert(p12file)

        os.remove(p12file)

        return False, []
Separate RA cert store from the HTTP cert store This is in preparation for separating out the user under which the ipa api framework runs as. This commit also removes certs.NSS_DIR to avoid confusion and replaces it where appropriate with the correct NSS DB directory, either the old HTTPD_ALIAS_DIR ot the RA DB IPA_RADB_DIR. In some cases its use is removed altogether as it was simply not necessary. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 2016-12-13 09:32:32 -06:00			`#`
			`# Copyright (C) 2016 FreeIPA Contributors see COPYING for license`
			`#`

Add absolute_import future imports Add absolute_import from __future__ so that pylint does not fail and to achieve python3 behavior in python2. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 2018-04-05 02:21:16 -05:00			`from __future__ import absolute_import`

logging: remove object-specific loggers Remove all object-specific loggers, with the exception of `Plugin.log`, which is now deprecated. Replace affected logger calls with module-level logger calls. Deprecate object-specific loggers in `ipa_log_manager.get_logger`. Reviewed-By: Martin Basti <mbasti@redhat.com> 2017-05-23 11:35:57 -05:00			`import logging`
Separate RA cert store from the HTTP cert store This is in preparation for separating out the user under which the ipa api framework runs as. This commit also removes certs.NSS_DIR to avoid confusion and replaces it where appropriate with the correct NSS DB directory, either the old HTTPD_ALIAS_DIR ot the RA DB IPA_RADB_DIR. In some cases its use is removed altogether as it was simply not necessary. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 2016-12-13 09:32:32 -06:00			`import os`
Moving ipaCert from HTTPD_ALIAS_DIR The "ipaCert" nicknamed certificate is not required to be in /var/lib/ipa/radb NSSDB anymore as we were keeping a copy of this file in a separate file anyway. Remove it from there and track only the file. Remove the IPA_RADB_DIR as well as it is not required anymore. https://fedorahosted.org/freeipa/ticket/5695 https://fedorahosted.org/freeipa/ticket/6680 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 2017-01-13 02:08:42 -06:00			`import tempfile`
Separate RA cert store from the HTTP cert store This is in preparation for separating out the user under which the ipa api framework runs as. This commit also removes certs.NSS_DIR to avoid confusion and replaces it where appropriate with the correct NSS DB directory, either the old HTTPD_ALIAS_DIR ot the RA DB IPA_RADB_DIR. In some cases its use is removed altogether as it was simply not necessary. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 2016-12-13 09:32:32 -06:00
			`from ipalib import Registry`
			`from ipalib import Updater`
			`from ipalib.install import certmonger`
			`from ipaplatform.paths import paths`
Moving ipaCert from HTTPD_ALIAS_DIR The "ipaCert" nicknamed certificate is not required to be in /var/lib/ipa/radb NSSDB anymore as we were keeping a copy of this file in a separate file anyway. Remove it from there and track only the file. Remove the IPA_RADB_DIR as well as it is not required anymore. https://fedorahosted.org/freeipa/ticket/5695 https://fedorahosted.org/freeipa/ticket/6680 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 2017-01-13 02:08:42 -06:00			`from ipapython.certdb import NSSDatabase`
			`from ipaserver.install import cainstance`
Separate RA cert store from the HTTP cert store This is in preparation for separating out the user under which the ipa api framework runs as. This commit also removes certs.NSS_DIR to avoid confusion and replaces it where appropriate with the correct NSS DB directory, either the old HTTPD_ALIAS_DIR ot the RA DB IPA_RADB_DIR. In some cases its use is removed altogether as it was simply not necessary. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 2016-12-13 09:32:32 -06:00
logging: remove object-specific loggers Remove all object-specific loggers, with the exception of `Plugin.log`, which is now deprecated. Replace affected logger calls with module-level logger calls. Deprecate object-specific loggers in `ipa_log_manager.get_logger`. Reviewed-By: Martin Basti <mbasti@redhat.com> 2017-05-23 11:35:57 -05:00			`logger = logging.getLogger(__name__)`

Separate RA cert store from the HTTP cert store This is in preparation for separating out the user under which the ipa api framework runs as. This commit also removes certs.NSS_DIR to avoid confusion and replaces it where appropriate with the correct NSS DB directory, either the old HTTPD_ALIAS_DIR ot the RA DB IPA_RADB_DIR. In some cases its use is removed altogether as it was simply not necessary. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 2016-12-13 09:32:32 -06:00			`register = Registry()`


			`@register()`
			`class update_ra_cert_store(Updater):`
			`"""`
Moving ipaCert from HTTPD_ALIAS_DIR The "ipaCert" nicknamed certificate is not required to be in /var/lib/ipa/radb NSSDB anymore as we were keeping a copy of this file in a separate file anyway. Remove it from there and track only the file. Remove the IPA_RADB_DIR as well as it is not required anymore. https://fedorahosted.org/freeipa/ticket/5695 https://fedorahosted.org/freeipa/ticket/6680 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 2017-01-13 02:08:42 -06:00			`Moves the ipaCert store from /etc/httpd/alias RA_AGENT_PEM, RA_AGENT_KEY`
			`files`
Separate RA cert store from the HTTP cert store This is in preparation for separating out the user under which the ipa api framework runs as. This commit also removes certs.NSS_DIR to avoid confusion and replaces it where appropriate with the correct NSS DB directory, either the old HTTPD_ALIAS_DIR ot the RA DB IPA_RADB_DIR. In some cases its use is removed altogether as it was simply not necessary. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 2016-12-13 09:32:32 -06:00			`"""`

			`def execute(self, **options):`
Moving ipaCert from HTTPD_ALIAS_DIR The "ipaCert" nicknamed certificate is not required to be in /var/lib/ipa/radb NSSDB anymore as we were keeping a copy of this file in a separate file anyway. Remove it from there and track only the file. Remove the IPA_RADB_DIR as well as it is not required anymore. https://fedorahosted.org/freeipa/ticket/5695 https://fedorahosted.org/freeipa/ticket/6680 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 2017-01-13 02:08:42 -06:00			`ra_nick = 'ipaCert'`
server upgrade: fix upgrade in CA-less Use /etc/httpd/alias instead of /var/lib/ipa/radb in upload_cacrt, as /var/lib/ipa/radb is not populated in CA-less. Do not migrate ipaCert from /etc/httpd/alias to /var/lib/ipa/radb in CA-less, as it might be an incorrect certificate from previous CA-ful install, and is not necessary anyway. https://fedorahosted.org/freeipa/ticket/5959 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 2017-02-16 04:09:04 -06:00			`ca_enabled = self.api.Command.ca_is_enabled()['result']`
			`if not ca_enabled:`
			`return False, []`

Moving ipaCert from HTTPD_ALIAS_DIR The "ipaCert" nicknamed certificate is not required to be in /var/lib/ipa/radb NSSDB anymore as we were keeping a copy of this file in a separate file anyway. Remove it from there and track only the file. Remove the IPA_RADB_DIR as well as it is not required anymore. https://fedorahosted.org/freeipa/ticket/5695 https://fedorahosted.org/freeipa/ticket/6680 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 2017-01-13 02:08:42 -06:00			`certdb = NSSDatabase(nssdir=paths.HTTPD_ALIAS_DIR)`
			`if not certdb.has_nickname(ra_nick):`
Separate RA cert store from the HTTP cert store This is in preparation for separating out the user under which the ipa api framework runs as. This commit also removes certs.NSS_DIR to avoid confusion and replaces it where appropriate with the correct NSS DB directory, either the old HTTPD_ALIAS_DIR ot the RA DB IPA_RADB_DIR. In some cases its use is removed altogether as it was simply not necessary. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 2016-12-13 09:32:32 -06:00			`# Nothign to do`
			`return False, []`
Moving ipaCert from HTTPD_ALIAS_DIR The "ipaCert" nicknamed certificate is not required to be in /var/lib/ipa/radb NSSDB anymore as we were keeping a copy of this file in a separate file anyway. Remove it from there and track only the file. Remove the IPA_RADB_DIR as well as it is not required anymore. https://fedorahosted.org/freeipa/ticket/5695 https://fedorahosted.org/freeipa/ticket/6680 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 2017-01-13 02:08:42 -06:00			`elif os.path.exists(paths.RA_AGENT_PEM):`
			`# even though the certificate file exists, we will overwrite it`
			`# as it's probabably something wrong anyway`
logging: remove object-specific loggers Remove all object-specific loggers, with the exception of `Plugin.log`, which is now deprecated. Replace affected logger calls with module-level logger calls. Deprecate object-specific loggers in `ipa_log_manager.get_logger`. Reviewed-By: Martin Basti <mbasti@redhat.com> 2017-05-23 11:35:57 -05:00			`logger.warning(`
Moving ipaCert from HTTPD_ALIAS_DIR The "ipaCert" nicknamed certificate is not required to be in /var/lib/ipa/radb NSSDB anymore as we were keeping a copy of this file in a separate file anyway. Remove it from there and track only the file. Remove the IPA_RADB_DIR as well as it is not required anymore. https://fedorahosted.org/freeipa/ticket/5695 https://fedorahosted.org/freeipa/ticket/6680 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 2017-01-13 02:08:42 -06:00			`"A certificate with the nickname 'ipaCert' exists in "`
logging: remove object-specific loggers Remove all object-specific loggers, with the exception of `Plugin.log`, which is now deprecated. Replace affected logger calls with module-level logger calls. Deprecate object-specific loggers in `ipa_log_manager.get_logger`. Reviewed-By: Martin Basti <mbasti@redhat.com> 2017-05-23 11:35:57 -05:00			`"the old '%s' NSS database as well as in the new "`
			`"PEM file '%s'",`
			`paths.HTTPD_ALIAS_DIR, paths.RA_AGENT_PEM)`
Moving ipaCert from HTTPD_ALIAS_DIR The "ipaCert" nicknamed certificate is not required to be in /var/lib/ipa/radb NSSDB anymore as we were keeping a copy of this file in a separate file anyway. Remove it from there and track only the file. Remove the IPA_RADB_DIR as well as it is not required anymore. https://fedorahosted.org/freeipa/ticket/5695 https://fedorahosted.org/freeipa/ticket/6680 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 2017-01-13 02:08:42 -06:00
			`_fd, p12file = tempfile.mkstemp(dir=certdb.secdir)`
			`# no password is necessary as we will be saving it in clear anyway`
			`certdb.export_pkcs12(ra_nick, p12file, pkcs12_passwd='')`

			`# stop tracking the old cert and remove it`
			`certmonger.stop_tracking(paths.HTTPD_ALIAS_DIR, nickname=ra_nick)`
			`certdb.delete_cert(ra_nick)`
			`if os.path.exists(paths.OLD_KRA_AGENT_PEM):`
			`os.remove(paths.OLD_KRA_AGENT_PEM)`

			`# get the private key and certificate from the file and start`
			`# tracking it in certmonger`
			`ca = cainstance.CAInstance()`
			`ca.import_ra_cert(p12file)`

			`os.remove(p12file)`
Separate RA cert store from the HTTP cert store This is in preparation for separating out the user under which the ipa api framework runs as. This commit also removes certs.NSS_DIR to avoid confusion and replaces it where appropriate with the correct NSS DB directory, either the old HTTPD_ALIAS_DIR ot the RA DB IPA_RADB_DIR. In some cases its use is removed altogether as it was simply not necessary. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 2016-12-13 09:32:32 -06:00
			`return False, []`