2015-05-08 12:39:29 -05:00
|
|
|
# Copyright (C) 2015 IPA Project Contributors, see COPYING for license
|
|
|
|
|
2018-04-05 02:21:16 -05:00
|
|
|
from __future__ import print_function, absolute_import
|
2015-05-08 12:39:29 -05:00
|
|
|
import os
|
|
|
|
import sys
|
2019-01-30 07:08:38 -06:00
|
|
|
|
|
|
|
from custodia.plugin import CSStore
|
|
|
|
|
|
|
|
from ipaplatform.paths import paths
|
|
|
|
from ipaplatform.constants import constants
|
|
|
|
from ipapython import ipautil
|
2015-05-08 12:39:29 -05:00
|
|
|
|
|
|
|
|
|
|
|
class UnknownKeyName(Exception):
|
|
|
|
pass
|
|
|
|
|
|
|
|
|
2018-09-26 04:59:50 -05:00
|
|
|
class DBMAPHandler:
|
2019-01-30 07:08:38 -06:00
|
|
|
dbtype = None
|
2015-05-08 12:39:29 -05:00
|
|
|
|
|
|
|
def __init__(self, config, dbmap, nickname):
|
2019-01-30 07:08:38 -06:00
|
|
|
dbtype = dbmap.get('type')
|
|
|
|
if dbtype is None or dbtype != self.dbtype:
|
|
|
|
raise ValueError(
|
|
|
|
"Invalid type '{}', expected '{}'".format(
|
|
|
|
dbtype, self.dbtype
|
|
|
|
)
|
|
|
|
)
|
|
|
|
self.config = config
|
|
|
|
self.dbmap = dbmap
|
|
|
|
self.nickname = nickname
|
2015-05-08 12:39:29 -05:00
|
|
|
|
|
|
|
def export_key(self):
|
|
|
|
raise NotImplementedError
|
|
|
|
|
|
|
|
def import_key(self, value):
|
|
|
|
raise NotImplementedError
|
|
|
|
|
|
|
|
|
2019-01-30 07:08:38 -06:00
|
|
|
class DBMAPCommandHandler(DBMAPHandler):
|
|
|
|
def __init__(self, config, dbmap, nickname):
|
|
|
|
super().__init__(config, dbmap, nickname)
|
|
|
|
self.runas = dbmap.get('runas')
|
|
|
|
self.command = os.path.join(
|
|
|
|
paths.IPA_CUSTODIA_HANDLER,
|
|
|
|
dbmap['command']
|
|
|
|
)
|
|
|
|
|
|
|
|
def run_handler(self, extra_args=(), stdin=None):
|
|
|
|
"""Run handler script to export / import key material
|
|
|
|
"""
|
|
|
|
args = [self.command]
|
|
|
|
args.extend(extra_args)
|
|
|
|
kwargs = dict(
|
|
|
|
runas=self.runas,
|
|
|
|
encoding='utf-8',
|
|
|
|
)
|
|
|
|
|
|
|
|
if stdin:
|
|
|
|
args.extend(['--import', '-'])
|
|
|
|
kwargs.update(stdin=stdin)
|
|
|
|
else:
|
|
|
|
args.extend(['--export', '-'])
|
|
|
|
kwargs.update(capture_output=True)
|
|
|
|
|
|
|
|
result = ipautil.run(args, **kwargs)
|
|
|
|
|
|
|
|
if stdin is None:
|
|
|
|
return result.output
|
|
|
|
else:
|
|
|
|
return None
|
|
|
|
|
|
|
|
|
2015-05-08 12:39:29 -05:00
|
|
|
def log_error(error):
|
|
|
|
print(error, file=sys.stderr)
|
|
|
|
|
|
|
|
|
2019-01-30 07:08:38 -06:00
|
|
|
class NSSWrappedCertDB(DBMAPCommandHandler):
|
|
|
|
"""
|
2016-04-18 20:47:29 -05:00
|
|
|
Store that extracts private keys from an NSSDB, wrapped with the
|
|
|
|
private key of the primary CA.
|
2019-01-30 07:08:38 -06:00
|
|
|
"""
|
|
|
|
dbtype = 'NSSDB'
|
2016-04-18 20:47:29 -05:00
|
|
|
|
|
|
|
def export_key(self):
|
2019-01-30 07:08:38 -06:00
|
|
|
return self.run_handler(['--nickname', self.nickname])
|
2015-05-08 12:39:29 -05:00
|
|
|
|
2019-01-30 07:08:38 -06:00
|
|
|
|
|
|
|
class NSSCertDB(DBMAPCommandHandler):
|
|
|
|
dbtype = 'NSSDB'
|
2015-05-08 12:39:29 -05:00
|
|
|
|
|
|
|
def export_key(self):
|
2019-01-30 07:08:38 -06:00
|
|
|
return self.run_handler(['--nickname', self.nickname])
|
2015-05-08 12:39:29 -05:00
|
|
|
|
|
|
|
def import_key(self, value):
|
2019-01-30 07:08:38 -06:00
|
|
|
return self.run_handler(
|
|
|
|
['--nickname', self.nickname],
|
|
|
|
stdin=value
|
|
|
|
)
|
2015-05-08 12:39:29 -05:00
|
|
|
|
|
|
|
|
|
|
|
# Exfiltrate the DM password Hash so it can be set in replica's and this
|
|
|
|
# way let a replica be install without knowing the DM password and yet
|
|
|
|
# still keep the DM password synchronized across replicas
|
2019-01-30 07:08:38 -06:00
|
|
|
class DMLDAP(DBMAPCommandHandler):
|
|
|
|
dbtype = 'DMLDAP'
|
2015-05-08 12:39:29 -05:00
|
|
|
|
|
|
|
def __init__(self, config, dbmap, nickname):
|
2019-01-30 07:08:38 -06:00
|
|
|
super().__init__(config, dbmap, nickname)
|
2015-05-08 12:39:29 -05:00
|
|
|
if nickname != 'DMHash':
|
|
|
|
raise UnknownKeyName("Unknown Key Named '%s'" % nickname)
|
|
|
|
|
|
|
|
def export_key(self):
|
2019-01-30 07:08:38 -06:00
|
|
|
return self.run_handler()
|
2015-05-08 12:39:29 -05:00
|
|
|
|
|
|
|
def import_key(self, value):
|
2019-01-30 07:08:38 -06:00
|
|
|
self.run_handler(stdin=value)
|
2015-05-08 12:39:29 -05:00
|
|
|
|
|
|
|
|
2019-01-30 07:08:38 -06:00
|
|
|
class PEMFileHandler(DBMAPCommandHandler):
|
|
|
|
dbtype = 'PEM'
|
2017-02-01 02:14:56 -06:00
|
|
|
|
|
|
|
def export_key(self):
|
2019-01-30 07:08:38 -06:00
|
|
|
return self.run_handler()
|
2017-02-01 02:14:56 -06:00
|
|
|
|
|
|
|
def import_key(self, value):
|
2019-01-30 07:08:38 -06:00
|
|
|
return self.run_handler(stdin=value)
|
2017-02-01 02:14:56 -06:00
|
|
|
|
|
|
|
|
2015-05-08 12:39:29 -05:00
|
|
|
NAME_DB_MAP = {
|
|
|
|
'ca': {
|
|
|
|
'type': 'NSSDB',
|
|
|
|
'handler': NSSCertDB,
|
2019-01-30 07:08:38 -06:00
|
|
|
'command': 'ipa-custodia-pki-tomcat',
|
|
|
|
'runas': constants.PKI_USER,
|
2015-05-08 12:39:29 -05:00
|
|
|
},
|
2016-04-18 20:47:29 -05:00
|
|
|
'ca_wrapped': {
|
2019-01-30 07:08:38 -06:00
|
|
|
'type': 'NSSDB',
|
2016-04-18 20:47:29 -05:00
|
|
|
'handler': NSSWrappedCertDB,
|
2019-01-30 07:08:38 -06:00
|
|
|
'command': 'ipa-custodia-pki-tomcat-wrapped',
|
|
|
|
'runas': constants.PKI_USER,
|
2016-04-18 20:47:29 -05:00
|
|
|
},
|
2015-05-08 12:39:29 -05:00
|
|
|
'ra': {
|
2017-01-13 02:08:42 -06:00
|
|
|
'type': 'PEM',
|
|
|
|
'handler': PEMFileHandler,
|
2019-01-30 07:08:38 -06:00
|
|
|
'command': 'ipa-custodia-ra-agent',
|
|
|
|
'runas': None, # import needs root permission to write to directory
|
2015-05-08 12:39:29 -05:00
|
|
|
},
|
|
|
|
'dm': {
|
|
|
|
'type': 'DMLDAP',
|
|
|
|
'handler': DMLDAP,
|
2019-01-30 07:08:38 -06:00
|
|
|
'command': 'ipa-custodia-dmldap',
|
|
|
|
'runas': None, # root
|
2015-05-08 12:39:29 -05:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2016-10-26 04:14:06 -05:00
|
|
|
class IPASecStore(CSStore):
|
2015-05-08 12:39:29 -05:00
|
|
|
|
|
|
|
def __init__(self, config=None):
|
|
|
|
self.config = config
|
|
|
|
|
|
|
|
def _get_handler(self, key):
|
|
|
|
path = key.split('/', 3)
|
|
|
|
if len(path) != 3 or path[0] != 'keys':
|
|
|
|
raise ValueError('Invalid name')
|
|
|
|
if path[1] not in NAME_DB_MAP:
|
|
|
|
raise UnknownKeyName("Unknown DB named '%s'" % path[1])
|
|
|
|
dbmap = NAME_DB_MAP[path[1]]
|
|
|
|
return dbmap['handler'](self.config, dbmap, path[2])
|
|
|
|
|
|
|
|
def get(self, key):
|
|
|
|
try:
|
|
|
|
key_handler = self._get_handler(key)
|
|
|
|
value = key_handler.export_key()
|
|
|
|
except Exception as e: # pylint: disable=broad-except
|
2017-07-31 09:53:06 -05:00
|
|
|
log_error('Error retrieving key "%s": %s' % (key, str(e)))
|
2015-05-08 12:39:29 -05:00
|
|
|
value = None
|
|
|
|
return value
|
|
|
|
|
|
|
|
def set(self, key, value, replace=False):
|
|
|
|
try:
|
|
|
|
key_handler = self._get_handler(key)
|
|
|
|
key_handler.import_key(value)
|
|
|
|
except Exception as e: # pylint: disable=broad-except
|
|
|
|
log_error('Error storing key "%s": %s' % (key, str(e)))
|
|
|
|
|
|
|
|
def list(self, keyfilter=None):
|
|
|
|
raise NotImplementedError
|
|
|
|
|
|
|
|
def cut(self, key):
|
|
|
|
raise NotImplementedError
|
2016-09-28 12:59:56 -05:00
|
|
|
|
|
|
|
def span(self, key):
|
|
|
|
raise NotImplementedError
|
2016-10-26 04:14:06 -05:00
|
|
|
|
|
|
|
|
|
|
|
# backwards compatibility with FreeIPA 4.3 and 4.4.
|
|
|
|
iSecStore = IPASecStore
|