2009-04-01 21:39:44 -05:00
|
|
|
# Authors: Rob Crittenden <rcritten@redhat.com>
|
|
|
|
|
# Ade Lee <alee@redhat.com>
|
|
|
|
|
# Andrew Wnuk <awnuk@redhat.com>
|
|
|
|
|
#
|
|
|
|
|
# Copyright (C) 2009 Red Hat
|
|
|
|
|
# see file 'COPYING' for use and warranty information
|
|
|
|
|
#
|
2010-12-09 06:59:11 -06:00
|
|
|
# This program is free software; you can redistribute it and/or modify
|
|
|
|
|
# it under the terms of the GNU General Public License as published by
|
|
|
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
|
|
|
# (at your option) any later version.
|
2009-04-01 21:39:44 -05:00
|
|
|
#
|
|
|
|
|
# This program is distributed in the hope that it will be useful,
|
|
|
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
# GNU General Public License for more details.
|
|
|
|
|
#
|
|
|
|
|
# You should have received a copy of the GNU General Public License
|
2010-12-09 06:59:11 -06:00
|
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
2009-04-01 21:39:44 -05:00
|
|
|
#
|
|
|
|
|
|
2014-03-18 10:23:30 -05:00
|
|
|
import array
|
|
|
|
|
import base64
|
|
|
|
|
import binascii
|
|
|
|
|
import ConfigParser
|
|
|
|
|
import dbus
|
|
|
|
|
import httplib
|
|
|
|
|
import ldap
|
2009-04-01 21:39:44 -05:00
|
|
|
import os
|
2014-03-18 10:23:30 -05:00
|
|
|
import pwd
|
2009-04-01 21:39:44 -05:00
|
|
|
import re
|
2014-03-18 10:23:30 -05:00
|
|
|
import shutil
|
|
|
|
|
import stat
|
|
|
|
|
import subprocess
|
|
|
|
|
import sys
|
|
|
|
|
import syslog
|
2009-04-01 21:39:44 -05:00
|
|
|
import time
|
|
|
|
|
import tempfile
|
|
|
|
|
import urllib
|
|
|
|
|
import xml.dom.minidom
|
2015-01-08 03:06:46 -06:00
|
|
|
import shlex
|
|
|
|
|
import pipes
|
2013-01-21 05:05:07 -06:00
|
|
|
|
2013-07-23 05:19:42 -05:00
|
|
|
from ipalib import api
|
2011-06-08 09:54:41 -05:00
|
|
|
from ipalib import pkcs10, x509
|
2014-12-02 12:18:36 -06:00
|
|
|
from ipalib import errors
|
2009-04-01 21:39:44 -05:00
|
|
|
|
2014-03-18 10:23:30 -05:00
|
|
|
from ipaplatform import services
|
|
|
|
|
from ipaplatform.paths import paths
|
|
|
|
|
from ipaplatform.tasks import tasks
|
|
|
|
|
|
|
|
|
|
from ipapython import dogtag
|
|
|
|
|
from ipapython import certmonger
|
2009-04-01 21:39:44 -05:00
|
|
|
from ipapython import ipautil
|
2013-01-31 05:59:35 -06:00
|
|
|
from ipapython import ipaldap
|
2014-03-18 10:23:30 -05:00
|
|
|
from ipapython.certdb import get_ca_nickname
|
|
|
|
|
from ipapython.dn import DN
|
|
|
|
|
from ipapython.ipa_log_manager import log_mgr,\
|
|
|
|
|
standard_logging_setup, root_logger
|
|
|
|
|
|
2011-03-09 23:06:15 -06:00
|
|
|
from ipaserver.install import certs
|
2014-03-18 10:23:30 -05:00
|
|
|
from ipaserver.install import dsinstance
|
|
|
|
|
from ipaserver.install import installutils
|
|
|
|
|
from ipaserver.install import service
|
|
|
|
|
from ipaserver.install.dogtaginstance import DogtagInstance
|
|
|
|
|
from ipaserver.install.dogtaginstance import PKI_USER, DEFAULT_DSPORT
|
Fix schema replication from old masters
The new merged database will replicate with both the IPA and CA trees, so all
DS instances (IPA and CA on the existing master, and the merged one on the
replica) need to have the same schema.
Dogtag does all its schema modifications online. Those are replicated normally.
The basic IPA schema, however, is delivered in ldif files, which are not
replicated. The files are not present on old CA DS instances. Any schema
update that references objects in these files will fail.
The whole 99user.ldif (i.e. changes introduced dynamically over LDAP) is
replicated as a blob. If we updated the old master's CA schema dynamically
during replica install, it would conflict with updates done during the
installation: the one with the lower CSN would get lost.
Dogtag's spawn script recently grew a new flag, 'pki_clone_replicate_schema'.
Turning it off tells Dogtag to create its schema in the clone, where the IPA
modifications are taking place, so that it is not overwritten by the IPA schema
on replication.
The patch solves the problems by:
- In __spawn_instance, turning off the pki_clone_replicate_schema flag.
- Providing a script to copy the IPA schema files to the CA DS instance.
The script needs to be copied to old masters and run there.
- At replica CA install, checking if the schema is updated, and failing if not.
The --skip-schema-check option is added to ipa-{replica,ca}-install to
override the check.
All pre-3.1 CA servers in a domain will have to have the script run on them to
avoid schema replication errors.
https://fedorahosted.org/freeipa/ticket/3213
2012-10-24 03:37:16 -05:00
|
|
|
from ipaserver.plugins import ldap2
|
2009-04-01 21:39:44 -05:00
|
|
|
|
2011-01-28 14:45:19 -06:00
|
|
|
|
2012-11-19 09:32:28 -06:00
|
|
|
# When IPA is installed with DNS support, this CNAME should hold all IPA
|
|
|
|
|
# replicas with CA configured
|
2013-04-15 05:19:11 -05:00
|
|
|
IPA_CA_RECORD = "ipa-ca"
|
2011-08-17 14:36:18 -05:00
|
|
|
|
2009-04-01 21:39:44 -05:00
|
|
|
# We need to reset the template because the CA uses the regular boot
|
|
|
|
|
# information
|
|
|
|
|
INF_TEMPLATE = """
|
|
|
|
|
[General]
|
2012-02-14 08:48:32 -06:00
|
|
|
FullMachineName= $FQDN
|
2009-04-01 21:39:44 -05:00
|
|
|
SuiteSpotUserID= $USER
|
2011-02-24 13:45:46 -06:00
|
|
|
SuiteSpotGroup= $GROUP
|
2009-04-01 21:39:44 -05:00
|
|
|
ServerRoot= $SERVER_ROOT
|
|
|
|
|
[slapd]
|
|
|
|
|
ServerPort= $DSPORT
|
|
|
|
|
ServerIdentifier= $SERVERID
|
|
|
|
|
Suffix= $SUFFIX
|
|
|
|
|
RootDN= cn=Directory Manager
|
|
|
|
|
RootDNPwd= $PASSWORD
|
2012-12-19 14:44:26 -06:00
|
|
|
ConfigFile = /usr/share/pki/ca/conf/database.ldif
|
2009-04-01 21:39:44 -05:00
|
|
|
"""
|
|
|
|
|
|
2009-09-10 15:15:14 -05:00
|
|
|
|
2014-09-29 03:27:30 -05:00
|
|
|
def check_port():
|
|
|
|
|
"""
|
|
|
|
|
Check that dogtag port (8443) is available.
|
|
|
|
|
|
|
|
|
|
Returns True when the port is free, False if it's taken.
|
|
|
|
|
"""
|
|
|
|
|
return not ipautil.host_port_open(None, 8443)
|
|
|
|
|
|
2012-08-23 11:38:45 -05:00
|
|
|
def get_preop_pin(instance_root, instance_name):
|
|
|
|
|
# Only used for Dogtag 9
|
|
|
|
|
preop_pin = None
|
|
|
|
|
|
|
|
|
|
filename = instance_root + "/" + instance_name + "/conf/CS.cfg"
|
|
|
|
|
|
|
|
|
|
# read the config file and get the preop pin
|
|
|
|
|
try:
|
2014-03-18 10:23:30 -05:00
|
|
|
f = open(filename)
|
2012-08-23 11:38:45 -05:00
|
|
|
except IOError, e:
|
|
|
|
|
root_logger.error("Cannot open configuration file." + str(e))
|
|
|
|
|
raise e
|
|
|
|
|
data = f.read()
|
|
|
|
|
data = data.split('\n')
|
2014-03-18 10:23:30 -05:00
|
|
|
pattern = re.compile("preop.pin=(.*)")
|
2012-08-23 11:38:45 -05:00
|
|
|
for line in data:
|
|
|
|
|
match = re.search(pattern, line)
|
2014-03-18 10:23:30 -05:00
|
|
|
if match:
|
|
|
|
|
preop_pin = match.group(1)
|
2012-08-23 11:38:45 -05:00
|
|
|
break
|
|
|
|
|
|
|
|
|
|
if preop_pin is None:
|
2014-03-18 10:23:30 -05:00
|
|
|
raise RuntimeError(
|
|
|
|
|
"Unable to find preop.pin in %s. Is your CA already configured?" %
|
|
|
|
|
filename)
|
2012-08-23 11:38:45 -05:00
|
|
|
|
|
|
|
|
return preop_pin
|
|
|
|
|
|
2014-03-18 10:23:30 -05:00
|
|
|
|
2009-07-10 15:18:16 -05:00
|
|
|
def import_pkcs12(input_file, input_passwd, cert_database,
|
2009-04-01 21:39:44 -05:00
|
|
|
cert_passwd):
|
2014-05-29 07:47:17 -05:00
|
|
|
ipautil.run([paths.PK12UTIL, "-d", cert_database,
|
2009-07-10 15:18:16 -05:00
|
|
|
"-i", input_file,
|
2009-04-01 21:39:44 -05:00
|
|
|
"-k", cert_passwd,
|
2009-07-10 15:18:16 -05:00
|
|
|
"-w", input_passwd])
|
2009-04-01 21:39:44 -05:00
|
|
|
|
2014-03-18 10:23:30 -05:00
|
|
|
|
2009-04-01 21:39:44 -05:00
|
|
|
def get_value(s):
|
|
|
|
|
"""
|
|
|
|
|
Parse out a name/value pair from a Javascript variable.
|
|
|
|
|
"""
|
|
|
|
|
try:
|
2014-03-18 10:23:30 -05:00
|
|
|
expr = s.split('=', 1)
|
2009-04-01 21:39:44 -05:00
|
|
|
value = expr[1]
|
|
|
|
|
value = value.replace('\"', '')
|
2014-03-18 10:23:30 -05:00
|
|
|
value = value.replace(';', '')
|
|
|
|
|
value = value.replace('\\n', '\n')
|
|
|
|
|
value = value.replace('\\r', '\r')
|
2009-04-01 21:39:44 -05:00
|
|
|
return value
|
|
|
|
|
except IndexError:
|
|
|
|
|
return None
|
|
|
|
|
|
2014-03-18 10:23:30 -05:00
|
|
|
|
2009-04-01 21:39:44 -05:00
|
|
|
def find_substring(data, value):
|
|
|
|
|
"""
|
|
|
|
|
Scan through a list looking for a string that starts with value.
|
|
|
|
|
"""
|
|
|
|
|
for d in data:
|
|
|
|
|
if d.startswith(value):
|
|
|
|
|
return get_value(d)
|
|
|
|
|
|
2014-03-18 10:23:30 -05:00
|
|
|
|
2009-04-01 21:39:44 -05:00
|
|
|
def get_defList(data):
|
|
|
|
|
"""
|
|
|
|
|
Return a dictionary of defList name/value pairs.
|
|
|
|
|
|
2009-07-10 15:18:16 -05:00
|
|
|
A certificate signing request is specified as a series of these.
|
2009-04-01 21:39:44 -05:00
|
|
|
"""
|
|
|
|
|
varname = None
|
|
|
|
|
value = None
|
|
|
|
|
skip = False
|
|
|
|
|
defdict = {}
|
|
|
|
|
for d in data:
|
|
|
|
|
if d.startswith("defList = new Object"):
|
|
|
|
|
varname = None
|
|
|
|
|
value = None
|
|
|
|
|
skip = False
|
|
|
|
|
if d.startswith("defList.defId"):
|
|
|
|
|
varname = get_value(d)
|
|
|
|
|
if d.startswith("defList.defVal"):
|
|
|
|
|
value = get_value(d)
|
|
|
|
|
if skip:
|
|
|
|
|
varname = None
|
|
|
|
|
value = None
|
|
|
|
|
skip = False
|
|
|
|
|
if d.startswith("defList.defConstraint"):
|
|
|
|
|
ctype = get_value(d)
|
|
|
|
|
if ctype == "readonly":
|
|
|
|
|
skip = True
|
|
|
|
|
|
|
|
|
|
if varname and value:
|
|
|
|
|
defdict[varname] = value
|
|
|
|
|
varname = None
|
|
|
|
|
value = None
|
|
|
|
|
|
|
|
|
|
return defdict
|
|
|
|
|
|
2014-03-18 10:23:30 -05:00
|
|
|
|
2009-04-01 21:39:44 -05:00
|
|
|
def get_outputList(data):
|
|
|
|
|
"""
|
|
|
|
|
Return a dictionary of outputList name/value pairs.
|
|
|
|
|
|
|
|
|
|
The output from issuing a certificate is a series of these.
|
|
|
|
|
"""
|
|
|
|
|
varname = None
|
|
|
|
|
value = None
|
|
|
|
|
outputdict = {}
|
|
|
|
|
for d in data:
|
|
|
|
|
if d.startswith("outputList = new"):
|
|
|
|
|
varname = None
|
|
|
|
|
value = None
|
|
|
|
|
if d.startswith("outputList.outputId"):
|
|
|
|
|
varname = get_value(d)
|
|
|
|
|
if d.startswith("outputList.outputVal"):
|
|
|
|
|
value = get_value(d)
|
|
|
|
|
|
|
|
|
|
if varname and value:
|
|
|
|
|
outputdict[varname] = value
|
|
|
|
|
varname = None
|
|
|
|
|
value = None
|
|
|
|
|
|
|
|
|
|
return outputdict
|
|
|
|
|
|
2014-03-18 10:23:30 -05:00
|
|
|
|
2012-10-08 08:58:48 -05:00
|
|
|
def get_crl_files(path=None):
|
|
|
|
|
"""
|
|
|
|
|
Traverse dogtag's CRL files in default CRL publish directory or in chosen
|
|
|
|
|
target directory.
|
|
|
|
|
|
|
|
|
|
@param path Custom target directory
|
|
|
|
|
"""
|
|
|
|
|
if path is None:
|
|
|
|
|
path = dogtag.configured_constants().CRL_PUBLISH_PATH
|
|
|
|
|
|
|
|
|
|
files = os.listdir(path)
|
|
|
|
|
for f in files:
|
|
|
|
|
if f == "MasterCRL.bin":
|
|
|
|
|
yield os.path.join(path, f)
|
|
|
|
|
elif f.endswith(".der"):
|
|
|
|
|
yield os.path.join(path, f)
|
|
|
|
|
|
2012-09-19 22:35:42 -05:00
|
|
|
|
|
|
|
|
def is_step_one_done():
|
2014-03-18 10:23:30 -05:00
|
|
|
"""Read CS.cfg and determine if step one of an external CA install is done
|
|
|
|
|
"""
|
2013-02-25 10:15:23 -06:00
|
|
|
path = dogtag.install_constants.CS_CFG_PATH
|
|
|
|
|
if not os.path.exists(path):
|
|
|
|
|
return False
|
|
|
|
|
test = installutils.get_directive(path, 'preop.ca.type', '=')
|
2012-09-19 22:35:42 -05:00
|
|
|
if test == "otherca":
|
|
|
|
|
return True
|
|
|
|
|
return False
|
|
|
|
|
|
|
|
|
|
|
2014-03-18 10:23:30 -05:00
|
|
|
def is_ca_installed_locally():
|
|
|
|
|
"""Check if CA is installed locally by checking for existence of CS.cfg
|
|
|
|
|
:return:True/False
|
|
|
|
|
"""
|
|
|
|
|
path = dogtag.install_constants.CS_CFG_PATH
|
|
|
|
|
return os.path.exists(path)
|
|
|
|
|
|
|
|
|
|
|
2014-07-15 06:31:01 -05:00
|
|
|
def create_ca_user():
|
|
|
|
|
"""Create PKI user/group if it doesn't exist yet."""
|
2014-10-22 08:07:44 -05:00
|
|
|
tasks.create_system_user(
|
2014-07-15 06:31:01 -05:00
|
|
|
name=PKI_USER,
|
|
|
|
|
group=PKI_USER,
|
|
|
|
|
homedir=paths.VAR_LIB,
|
|
|
|
|
shell=paths.NOLOGIN,
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
2009-04-01 21:39:44 -05:00
|
|
|
class CADSInstance(service.Service):
|
2012-11-15 08:38:24 -06:00
|
|
|
"""Certificate Authority DS instance
|
|
|
|
|
|
|
|
|
|
The CA DS was used with Dogtag 9. Only upgraded installations still use it.
|
|
|
|
|
Thus this class only does uninstallation.
|
|
|
|
|
"""
|
2012-08-23 11:38:45 -05:00
|
|
|
def __init__(self, host_name=None, realm_name=None, domain_name=None, dm_password=None, dogtag_constants=None):
|
2014-03-18 10:23:30 -05:00
|
|
|
service.Service.__init__(
|
|
|
|
|
self, "pkids",
|
2012-10-11 02:32:17 -05:00
|
|
|
service_desc="directory server for the CA",
|
|
|
|
|
dm_password=dm_password,
|
|
|
|
|
ldapi=False,
|
2014-08-27 08:06:42 -05:00
|
|
|
autobind=ipaldap.AUTOBIND_DISABLED)
|
2012-10-11 02:32:17 -05:00
|
|
|
|
2011-06-08 14:56:29 -05:00
|
|
|
self.serverid = "PKI-IPA"
|
2013-10-11 02:38:10 -05:00
|
|
|
self.realm = realm_name
|
2009-04-01 21:39:44 -05:00
|
|
|
self.sub_dict = None
|
|
|
|
|
self.domain = domain_name
|
2011-06-08 14:56:29 -05:00
|
|
|
self.fqdn = host_name
|
2011-03-14 15:27:19 -05:00
|
|
|
self.dercert = None
|
2009-04-01 21:39:44 -05:00
|
|
|
self.pkcs12_info = None
|
|
|
|
|
self.ds_port = None
|
2009-07-10 15:18:16 -05:00
|
|
|
self.master_host = None
|
2011-03-09 23:06:15 -06:00
|
|
|
self.nickname = 'Server-Cert'
|
2011-03-14 15:27:19 -05:00
|
|
|
self.subject_base = None
|
2009-04-01 21:39:44 -05:00
|
|
|
|
|
|
|
|
def uninstall(self):
|
2010-05-03 14:21:51 -05:00
|
|
|
if self.is_configured():
|
|
|
|
|
self.print_msg("Unconfiguring CA directory server")
|
|
|
|
|
|
2009-04-01 21:39:44 -05:00
|
|
|
enabled = self.restore_state("enabled")
|
|
|
|
|
serverid = self.restore_state("serverid")
|
|
|
|
|
|
2012-04-16 16:03:46 -05:00
|
|
|
# Just eat this state if it exists
|
2014-03-18 10:23:30 -05:00
|
|
|
self.restore_state("running")
|
2012-04-16 16:03:46 -05:00
|
|
|
|
2009-04-01 21:39:44 -05:00
|
|
|
if not enabled is None and not enabled:
|
2014-05-29 03:37:18 -05:00
|
|
|
services.knownservices.dirsrv.disable()
|
2009-04-01 21:39:44 -05:00
|
|
|
|
2015-01-21 06:40:36 -06:00
|
|
|
if serverid is not None:
|
2011-03-14 15:27:19 -05:00
|
|
|
# drop the trailing / off the config_dirname so the directory
|
|
|
|
|
# will match what is in certmonger
|
|
|
|
|
dirname = dsinstance.config_dirname(serverid)[:-1]
|
2013-10-11 02:38:10 -05:00
|
|
|
dsdb = certs.CertDB(self.realm, nssdir=dirname)
|
2011-03-14 15:27:19 -05:00
|
|
|
dsdb.untrack_server_cert("Server-Cert")
|
2015-01-21 06:40:36 -06:00
|
|
|
try:
|
|
|
|
|
dsinstance.remove_ds_instance(serverid)
|
|
|
|
|
except ipautil.CalledProcessError:
|
|
|
|
|
root_logger.error("Failed to remove CA DS instance. You may "
|
|
|
|
|
"need to remove instance data manually")
|
2009-04-01 21:39:44 -05:00
|
|
|
|
2014-03-18 10:23:30 -05:00
|
|
|
self.restore_state("user_exists")
|
2009-04-01 21:39:44 -05:00
|
|
|
|
2012-02-28 22:05:06 -06:00
|
|
|
# At one time we removed this user on uninstall. That can potentially
|
2014-03-18 10:23:30 -05:00
|
|
|
# orphan files, or worse, if another useradd runs in the interim,
|
2012-02-28 22:05:06 -06:00
|
|
|
# cause files to have a new owner.
|
2012-07-11 14:51:01 -05:00
|
|
|
|
2012-11-12 08:49:46 -06:00
|
|
|
|
2014-03-18 10:23:30 -05:00
|
|
|
class CAInstance(DogtagInstance):
|
2009-04-13 12:39:15 -05:00
|
|
|
"""
|
2010-12-08 15:35:12 -06:00
|
|
|
When using a dogtag CA the DS database contains just the
|
2009-04-13 12:39:15 -05:00
|
|
|
server cert for DS. The mod_nss database will contain the RA agent
|
|
|
|
|
cert that will be used to do authenticated requests against dogtag.
|
|
|
|
|
|
|
|
|
|
This is done because we use python-nss and will inherit the opened
|
|
|
|
|
NSS database in mod_python. In nsslib.py we do an nssinit but this will
|
|
|
|
|
return success if the database is already initialized. It doesn't care
|
|
|
|
|
if the database is different or not.
|
2009-09-10 15:15:14 -05:00
|
|
|
|
|
|
|
|
external is a state machine:
|
|
|
|
|
0 = not an externally signed CA
|
|
|
|
|
1 = generating CSR to be signed
|
|
|
|
|
2 = have signed cert, continue installation
|
2009-04-13 12:39:15 -05:00
|
|
|
"""
|
|
|
|
|
|
2014-10-07 09:46:15 -05:00
|
|
|
tracking_reqs = (('auditSigningCert cert-pki-ca', None),
|
|
|
|
|
('ocspSigningCert cert-pki-ca', None),
|
|
|
|
|
('subsystemCert cert-pki-ca', None),
|
|
|
|
|
('caSigningCert cert-pki-ca', 'ipaCACertRenewal'))
|
|
|
|
|
server_cert_name = 'Server-Cert cert-pki-ca'
|
|
|
|
|
|
2014-07-18 04:01:13 -05:00
|
|
|
def __init__(self, realm=None, ra_db=None, dogtag_constants=None,
|
|
|
|
|
host_name=None, dm_password=None, ldapi=True):
|
2012-08-23 11:38:45 -05:00
|
|
|
if dogtag_constants is None:
|
|
|
|
|
dogtag_constants = dogtag.configured_constants()
|
2012-10-11 02:32:17 -05:00
|
|
|
|
2014-03-18 10:23:30 -05:00
|
|
|
super(CAInstance, self).__init__(
|
|
|
|
|
realm=realm,
|
|
|
|
|
subsystem="CA",
|
|
|
|
|
service_desc="certificate server",
|
|
|
|
|
dogtag_constants=dogtag_constants,
|
|
|
|
|
host_name=host_name,
|
|
|
|
|
dm_password=dm_password,
|
|
|
|
|
ldapi=ldapi
|
|
|
|
|
)
|
2012-10-11 02:32:17 -05:00
|
|
|
|
2009-09-10 15:15:14 -05:00
|
|
|
# for external CAs
|
|
|
|
|
self.external = 0
|
|
|
|
|
self.csr_file = None
|
|
|
|
|
self.cert_file = None
|
|
|
|
|
self.cert_chain_file = None
|
2011-06-17 15:47:39 -05:00
|
|
|
self.create_ra_agent_db = True
|
2009-04-01 21:39:44 -05:00
|
|
|
|
2014-09-30 02:47:23 -05:00
|
|
|
if realm is not None:
|
|
|
|
|
self.canickname = get_ca_nickname(realm)
|
|
|
|
|
else:
|
|
|
|
|
self.canickname = None
|
2010-12-08 15:35:12 -06:00
|
|
|
self.ra_agent_db = ra_db
|
2014-09-30 02:47:23 -05:00
|
|
|
if self.ra_agent_db is not None:
|
|
|
|
|
self.ra_agent_pwd = self.ra_agent_db + "/pwdfile.txt"
|
|
|
|
|
else:
|
|
|
|
|
self.ra_agent_pwd = None
|
2009-04-01 21:39:44 -05:00
|
|
|
self.ra_cert = None
|
2009-04-17 16:17:31 -05:00
|
|
|
self.requestId = None
|
2014-03-18 10:23:30 -05:00
|
|
|
self.log = log_mgr.get_logger(self)
|
2011-01-26 09:53:02 -06:00
|
|
|
|
2012-11-19 09:32:28 -06:00
|
|
|
def configure_instance(self, host_name, domain, dm_password,
|
2009-09-10 15:15:14 -05:00
|
|
|
admin_password, ds_port=DEFAULT_DSPORT,
|
|
|
|
|
pkcs12_info=None, master_host=None, csr_file=None,
|
2010-01-20 10:26:20 -06:00
|
|
|
cert_file=None, cert_chain_file=None,
|
2012-09-19 22:35:42 -05:00
|
|
|
master_replication_port=None,
|
2014-10-08 03:51:31 -05:00
|
|
|
subject_base=None, ca_signing_algorithm=None,
|
|
|
|
|
ca_type=None):
|
2012-08-15 21:53:51 -05:00
|
|
|
"""Create a CA instance.
|
2009-09-10 15:15:14 -05:00
|
|
|
|
2012-08-23 11:38:45 -05:00
|
|
|
For Dogtag 9, this may involve creating the pki-ca instance.
|
|
|
|
|
|
2009-09-10 15:15:14 -05:00
|
|
|
To create a clone, pass in pkcs12_info.
|
|
|
|
|
|
|
|
|
|
Creating a CA with an external signer is a 2-step process. In
|
|
|
|
|
step 1 we generate a CSR. In step 2 we are given the cert and
|
|
|
|
|
chain and actually proceed to create the CA. For step 1 set
|
|
|
|
|
csr_file. For step 2 set cert_file and cert_chain_file.
|
|
|
|
|
"""
|
2011-03-14 15:27:19 -05:00
|
|
|
self.fqdn = host_name
|
2012-11-19 09:32:28 -06:00
|
|
|
self.domain = domain
|
2009-04-01 21:39:44 -05:00
|
|
|
self.dm_password = dm_password
|
|
|
|
|
self.admin_password = admin_password
|
|
|
|
|
self.ds_port = ds_port
|
2009-07-10 15:18:16 -05:00
|
|
|
self.pkcs12_info = pkcs12_info
|
|
|
|
|
if self.pkcs12_info is not None:
|
|
|
|
|
self.clone = True
|
|
|
|
|
self.master_host = master_host
|
2012-09-19 22:35:42 -05:00
|
|
|
self.master_replication_port = master_replication_port
|
2010-11-01 12:51:14 -05:00
|
|
|
if subject_base is None:
|
Use DN objects instead of strings
* Convert every string specifying a DN into a DN object
* Every place a dn was manipulated in some fashion it was replaced by
the use of DN operators
* Add new DNParam parameter type for parameters which are DN's
* DN objects are used 100% of the time throughout the entire data
pipeline whenever something is logically a dn.
* Many classes now enforce DN usage for their attributes which are
dn's. This is implmented via ipautil.dn_attribute_property(). The
only permitted types for a class attribute specified to be a DN are
either None or a DN object.
* Require that every place a dn is used it must be a DN object.
This translates into lot of::
assert isinstance(dn, DN)
sprinkled through out the code. Maintaining these asserts is
valuable to preserve DN type enforcement. The asserts can be
disabled in production.
The goal of 100% DN usage 100% of the time has been realized, these
asserts are meant to preserve that.
The asserts also proved valuable in detecting functions which did
not obey their function signatures, such as the baseldap pre and
post callbacks.
* Moved ipalib.dn to ipapython.dn because DN class is shared with all
components, not just the server which uses ipalib.
* All API's now accept DN's natively, no need to convert to str (or
unicode).
* Removed ipalib.encoder and encode/decode decorators. Type conversion
is now explicitly performed in each IPASimpleLDAPObject method which
emulates a ldap.SimpleLDAPObject method.
* Entity & Entry classes now utilize DN's
* Removed __getattr__ in Entity & Entity clases. There were two
problems with it. It presented synthetic Python object attributes
based on the current LDAP data it contained. There is no way to
validate synthetic attributes using code checkers, you can't search
the code to find LDAP attribute accesses (because synthetic
attriutes look like Python attributes instead of LDAP data) and
error handling is circumscribed. Secondly __getattr__ was hiding
Python internal methods which broke class semantics.
* Replace use of methods inherited from ldap.SimpleLDAPObject via
IPAdmin class with IPAdmin methods. Directly using inherited methods
was causing us to bypass IPA logic. Mostly this meant replacing the
use of search_s() with getEntry() or getList(). Similarly direct
access of the LDAP data in classes using IPAdmin were replaced with
calls to getValue() or getValues().
* Objects returned by ldap2.find_entries() are now compatible with
either the python-ldap access methodology or the Entity/Entry access
methodology.
* All ldap operations now funnel through the common
IPASimpleLDAPObject giving us a single location where we interface
to python-ldap and perform conversions.
* The above 4 modifications means we've greatly reduced the
proliferation of multiple inconsistent ways to perform LDAP
operations. We are well on the way to having a single API in IPA for
doing LDAP (a long range goal).
* All certificate subject bases are now DN's
* DN objects were enhanced thusly:
- find, rfind, index, rindex, replace and insert methods were added
- AVA, RDN and DN classes were refactored in immutable and mutable
variants, the mutable variants are EditableAVA, EditableRDN and
EditableDN. By default we use the immutable variants preserving
important semantics. To edit a DN cast it to an EditableDN and
cast it back to DN when done editing. These issues are fully
described in other documentation.
- first_key_match was removed
- DN equalty comparison permits comparison to a basestring
* Fixed ldapupdate to work with DN's. This work included:
- Enhance test_updates.py to do more checking after applying
update. Add test for update_from_dict(). Convert code to use
unittest classes.
- Consolidated duplicate code.
- Moved code which should have been in the class into the class.
- Fix the handling of the 'deleteentry' update action. It's no longer
necessary to supply fake attributes to make it work. Detect case
where subsequent update applies a change to entry previously marked
for deletetion. General clean-up and simplification of the
'deleteentry' logic.
- Rewrote a couple of functions to be clearer and more Pythonic.
- Added documentation on the data structure being used.
- Simplfy the use of update_from_dict()
* Removed all usage of get_schema() which was being called prior to
accessing the .schema attribute of an object. If a class is using
internal lazy loading as an optimization it's not right to require
users of the interface to be aware of internal
optimization's. schema is now a property and when the schema
property is accessed it calls a private internal method to perform
the lazy loading.
* Added SchemaCache class to cache the schema's from individual
servers. This was done because of the observation we talk to
different LDAP servers, each of which may have it's own
schema. Previously we globally cached the schema from the first
server we connected to and returned that schema in all contexts. The
cache includes controls to invalidate it thus forcing a schema
refresh.
* Schema caching is now senstive to the run time context. During
install and upgrade the schema can change leading to errors due to
out-of-date cached schema. The schema cache is refreshed in these
contexts.
* We are aware of the LDAP syntax of all LDAP attributes. Every
attribute returned from an LDAP operation is passed through a
central table look-up based on it's LDAP syntax. The table key is
the LDAP syntax it's value is a Python callable that returns a
Python object matching the LDAP syntax. There are a handful of LDAP
attributes whose syntax is historically incorrect
(e.g. DistguishedNames that are defined as DirectoryStrings). The
table driven conversion mechanism is augmented with a table of
hard coded exceptions.
Currently only the following conversions occur via the table:
- dn's are converted to DN objects
- binary objects are converted to Python str objects (IPA
convention).
- everything else is converted to unicode using UTF-8 decoding (IPA
convention).
However, now that the table driven conversion mechanism is in place
it would be trivial to do things such as converting attributes
which have LDAP integer syntax into a Python integer, etc.
* Expected values in the unit tests which are a DN no longer need to
use lambda expressions to promote the returned value to a DN for
equality comparison. The return value is automatically promoted to
a DN. The lambda expressions have been removed making the code much
simpler and easier to read.
* Add class level logging to a number of classes which did not support
logging, less need for use of root_logger.
* Remove ipaserver/conn.py, it was unused.
* Consolidated duplicate code wherever it was found.
* Fixed many places that used string concatenation to form a new
string rather than string formatting operators. This is necessary
because string formatting converts it's arguments to a string prior
to building the result string. You can't concatenate a string and a
non-string.
* Simplify logic in rename_managed plugin. Use DN operators to edit
dn's.
* The live version of ipa-ldap-updater did not generate a log file.
The offline version did, now both do.
https://fedorahosted.org/freeipa/ticket/1670
https://fedorahosted.org/freeipa/ticket/1671
https://fedorahosted.org/freeipa/ticket/1672
https://fedorahosted.org/freeipa/ticket/1673
https://fedorahosted.org/freeipa/ticket/1674
https://fedorahosted.org/freeipa/ticket/1392
https://fedorahosted.org/freeipa/ticket/2872
2012-05-13 06:36:35 -05:00
|
|
|
self.subject_base = DN(('O', self.realm))
|
2010-11-01 12:51:14 -05:00
|
|
|
else:
|
|
|
|
|
self.subject_base = subject_base
|
2014-08-06 02:43:19 -05:00
|
|
|
if ca_signing_algorithm is None:
|
|
|
|
|
self.ca_signing_algorithm = 'SHA256withRSA'
|
|
|
|
|
else:
|
|
|
|
|
self.ca_signing_algorithm = ca_signing_algorithm
|
2014-10-08 03:51:31 -05:00
|
|
|
if ca_type is not None:
|
|
|
|
|
self.ca_type = ca_type
|
|
|
|
|
else:
|
|
|
|
|
self.ca_type = 'generic'
|
2009-04-01 21:39:44 -05:00
|
|
|
|
2009-09-10 15:15:14 -05:00
|
|
|
# Determine if we are installing as an externally-signed CA and
|
|
|
|
|
# what stage we're in.
|
|
|
|
|
if csr_file is not None:
|
2014-03-18 10:23:30 -05:00
|
|
|
self.csr_file = csr_file
|
|
|
|
|
self.external = 1
|
2009-09-10 15:15:14 -05:00
|
|
|
elif cert_file is not None:
|
2014-03-18 10:23:30 -05:00
|
|
|
self.cert_file = cert_file
|
|
|
|
|
self.cert_chain_file = cert_chain_file
|
|
|
|
|
self.external = 2
|
2009-09-10 15:15:14 -05:00
|
|
|
|
2014-07-15 06:31:01 -05:00
|
|
|
self.step("creating certificate server user", create_ca_user)
|
2012-08-23 11:38:45 -05:00
|
|
|
if self.dogtag_constants.DOGTAG_VERSION >= 10:
|
|
|
|
|
self.step("configuring certificate server instance", self.__spawn_instance)
|
|
|
|
|
else:
|
2014-05-29 07:47:17 -05:00
|
|
|
if not ipautil.dir_exists(paths.VAR_LIB_PKI_CA_DIR):
|
2012-08-23 11:38:45 -05:00
|
|
|
self.step("creating pki-ca instance", self.create_instance)
|
|
|
|
|
self.step("configuring certificate server instance", self.__configure_instance)
|
2014-03-18 10:23:30 -05:00
|
|
|
self.step("stopping certificate server instance to update CS.cfg", self.stop_instance)
|
2014-09-03 08:04:35 -05:00
|
|
|
self.step("backing up CS.cfg", self.backup_config)
|
2011-08-01 14:16:24 -05:00
|
|
|
self.step("disabling nonces", self.__disable_nonce)
|
2013-08-01 07:47:52 -05:00
|
|
|
self.step("set up CRL publishing", self.__enable_crl_publish)
|
2014-07-17 04:47:26 -05:00
|
|
|
self.step("enable PKIX certificate path discovery and validation", self.enable_pkix)
|
2014-03-18 10:23:30 -05:00
|
|
|
self.step("starting certificate server instance", self.start_instance)
|
2009-09-10 15:15:14 -05:00
|
|
|
# Step 1 of external is getting a CSR so we don't need to do these
|
|
|
|
|
# steps until we get a cert back from the external CA.
|
|
|
|
|
if self.external != 1:
|
2012-08-23 11:38:45 -05:00
|
|
|
if self.dogtag_constants.DOGTAG_VERSION < 10 and not self.clone:
|
|
|
|
|
self.step("creating CA agent PKCS#12 file in /root", self.__create_ca_agent_pkcs12)
|
2011-06-17 15:47:39 -05:00
|
|
|
if self.create_ra_agent_db:
|
|
|
|
|
self.step("creating RA agent certificate database", self.__create_ra_agent_db)
|
2009-09-10 15:15:14 -05:00
|
|
|
self.step("importing CA chain to RA certificate database", self.__import_ca_chain)
|
|
|
|
|
self.step("fixing RA database permissions", self.fix_ra_perms)
|
|
|
|
|
self.step("setting up signing cert profile", self.__setup_sign_profile)
|
2011-08-01 14:16:24 -05:00
|
|
|
self.step("set certificate subject base", self.__set_subject_in_config)
|
2012-03-07 16:46:33 -06:00
|
|
|
self.step("enabling Subject Key Identifier", self.enable_subject_key_identifier)
|
2013-12-05 07:34:14 -06:00
|
|
|
self.step("enabling Subject Alternative Name", self.enable_subject_alternative_name)
|
2012-11-19 09:32:28 -06:00
|
|
|
self.step("enabling CRL and OCSP extensions for certificates", self.__set_crl_ocsp_extensions)
|
2012-10-09 10:25:27 -05:00
|
|
|
self.step("setting audit signing renewal to 2 years", self.set_audit_renewal)
|
2014-03-18 10:23:30 -05:00
|
|
|
self.step("configuring certificate server to start on boot",
|
|
|
|
|
self.enable)
|
2011-03-09 23:06:15 -06:00
|
|
|
if not self.clone:
|
2014-03-18 10:23:30 -05:00
|
|
|
self.step("restarting certificate server", self.restart_instance)
|
2011-08-01 14:16:24 -05:00
|
|
|
self.step("requesting RA certificate from CA", self.__request_ra_certificate)
|
|
|
|
|
self.step("issuing RA agent certificate", self.__issue_ra_cert)
|
|
|
|
|
self.step("adding RA agent as a trusted user", self.__configure_ra)
|
2013-10-16 03:40:31 -05:00
|
|
|
self.step("configure certmonger for renewals", self.configure_certmonger_renewal)
|
2014-10-07 09:46:15 -05:00
|
|
|
self.step("configure certificate renewals", self.configure_renewal)
|
2013-10-16 03:40:31 -05:00
|
|
|
if not self.clone:
|
2013-10-16 04:08:49 -05:00
|
|
|
self.step("configure RA certificate renewal", self.configure_agent_renewal)
|
2012-07-11 14:51:01 -05:00
|
|
|
self.step("configure Server-Cert certificate renewal", self.track_servercert)
|
2014-03-18 10:23:30 -05:00
|
|
|
self.step("Configure HTTP to proxy connections",
|
|
|
|
|
self.http_proxy)
|
2009-04-01 21:39:44 -05:00
|
|
|
|
2012-10-11 02:32:17 -05:00
|
|
|
self.start_creation(runtime=210)
|
2009-04-01 21:39:44 -05:00
|
|
|
|
2012-08-15 21:53:51 -05:00
|
|
|
def __spawn_instance(self):
|
2009-04-13 12:39:15 -05:00
|
|
|
"""
|
2012-11-28 02:05:53 -06:00
|
|
|
Create and configure a new CA instance using pkispawn.
|
2014-03-18 10:23:30 -05:00
|
|
|
Creates the config file with IPA specific parameters
|
|
|
|
|
and passes it to the base class to call pkispawn
|
2009-04-13 12:39:15 -05:00
|
|
|
"""
|
|
|
|
|
|
2012-11-28 02:05:53 -06:00
|
|
|
# Create an empty and secured file
|
2012-08-15 21:53:51 -05:00
|
|
|
(cfg_fd, cfg_file) = tempfile.mkstemp()
|
|
|
|
|
os.close(cfg_fd)
|
|
|
|
|
pent = pwd.getpwnam(PKI_USER)
|
2012-11-28 02:05:53 -06:00
|
|
|
os.chown(cfg_file, pent.pw_uid, pent.pw_gid)
|
|
|
|
|
|
|
|
|
|
# Create CA configuration
|
|
|
|
|
config = ConfigParser.ConfigParser()
|
|
|
|
|
config.optionxform = str
|
|
|
|
|
config.add_section("CA")
|
|
|
|
|
|
|
|
|
|
# Server
|
|
|
|
|
config.set("CA", "pki_security_domain_name", self.security_domain_name)
|
|
|
|
|
config.set("CA", "pki_enable_proxy", "True")
|
|
|
|
|
config.set("CA", "pki_restart_configured_instance", "False")
|
|
|
|
|
config.set("CA", "pki_backup_keys", "True")
|
|
|
|
|
config.set("CA", "pki_backup_password", self.admin_password)
|
|
|
|
|
|
|
|
|
|
# Client security database
|
2014-03-18 10:23:30 -05:00
|
|
|
config.set("CA", "pki_client_database_dir", self.agent_db)
|
2012-11-28 02:05:53 -06:00
|
|
|
config.set("CA", "pki_client_database_password", self.admin_password)
|
|
|
|
|
config.set("CA", "pki_client_database_purge", "False")
|
|
|
|
|
config.set("CA", "pki_client_pkcs12_password", self.admin_password)
|
|
|
|
|
|
|
|
|
|
# Administrator
|
|
|
|
|
config.set("CA", "pki_admin_name", "admin")
|
|
|
|
|
config.set("CA", "pki_admin_uid", "admin")
|
|
|
|
|
config.set("CA", "pki_admin_email", "root@localhost")
|
|
|
|
|
config.set("CA", "pki_admin_password", self.admin_password)
|
|
|
|
|
config.set("CA", "pki_admin_nickname", "ipa-ca-agent")
|
2012-12-05 06:00:21 -06:00
|
|
|
config.set("CA", "pki_admin_subject_dn",
|
|
|
|
|
str(DN(('cn', 'ipa-ca-agent'), self.subject_base)))
|
2014-10-01 13:59:46 -05:00
|
|
|
config.set("CA", "pki_client_admin_cert_p12", paths.DOGTAG_ADMIN_P12)
|
2012-11-28 02:05:53 -06:00
|
|
|
|
|
|
|
|
# Directory server
|
|
|
|
|
config.set("CA", "pki_ds_ldap_port", str(self.ds_port))
|
|
|
|
|
config.set("CA", "pki_ds_password", self.dm_password)
|
|
|
|
|
config.set("CA", "pki_ds_base_dn", self.basedn)
|
|
|
|
|
config.set("CA", "pki_ds_database", "ipaca")
|
|
|
|
|
|
|
|
|
|
# Certificate subject DN's
|
2012-12-05 06:00:21 -06:00
|
|
|
config.set("CA", "pki_subsystem_subject_dn",
|
|
|
|
|
str(DN(('cn', 'CA Subsystem'), self.subject_base)))
|
|
|
|
|
config.set("CA", "pki_ocsp_signing_subject_dn",
|
|
|
|
|
str(DN(('cn', 'OCSP Subsystem'), self.subject_base)))
|
|
|
|
|
config.set("CA", "pki_ssl_server_subject_dn",
|
|
|
|
|
str(DN(('cn', self.fqdn), self.subject_base)))
|
|
|
|
|
config.set("CA", "pki_audit_signing_subject_dn",
|
|
|
|
|
str(DN(('cn', 'CA Audit'), self.subject_base)))
|
|
|
|
|
config.set("CA", "pki_ca_signing_subject_dn",
|
|
|
|
|
str(DN(('cn', 'Certificate Authority'), self.subject_base)))
|
2012-11-28 02:05:53 -06:00
|
|
|
|
|
|
|
|
# Certificate nicknames
|
|
|
|
|
config.set("CA", "pki_subsystem_nickname", "subsystemCert cert-pki-ca")
|
|
|
|
|
config.set("CA", "pki_ocsp_signing_nickname", "ocspSigningCert cert-pki-ca")
|
|
|
|
|
config.set("CA", "pki_ssl_server_nickname", "Server-Cert cert-pki-ca")
|
|
|
|
|
config.set("CA", "pki_audit_signing_nickname", "auditSigningCert cert-pki-ca")
|
|
|
|
|
config.set("CA", "pki_ca_signing_nickname", "caSigningCert cert-pki-ca")
|
2012-08-15 21:53:51 -05:00
|
|
|
|
2014-08-06 02:43:19 -05:00
|
|
|
# CA key algorithm
|
|
|
|
|
config.set("CA", "pki_ca_signing_key_algorithm", self.ca_signing_algorithm)
|
|
|
|
|
|
2014-03-18 10:23:30 -05:00
|
|
|
if self.clone:
|
2012-08-15 21:53:51 -05:00
|
|
|
cafile = self.pkcs12_info[0]
|
2014-05-29 07:47:17 -05:00
|
|
|
shutil.copy(cafile, paths.TMP_CA_P12)
|
2012-08-15 21:53:51 -05:00
|
|
|
pent = pwd.getpwnam(PKI_USER)
|
2014-05-29 07:47:17 -05:00
|
|
|
os.chown(paths.TMP_CA_P12, pent.pw_uid, pent.pw_gid)
|
2012-11-28 02:05:53 -06:00
|
|
|
|
|
|
|
|
# Security domain registration
|
|
|
|
|
config.set("CA", "pki_security_domain_hostname", self.master_host)
|
|
|
|
|
config.set("CA", "pki_security_domain_https_port", "443")
|
|
|
|
|
config.set("CA", "pki_security_domain_user", "admin")
|
|
|
|
|
config.set("CA", "pki_security_domain_password", self.admin_password)
|
|
|
|
|
|
|
|
|
|
# Clone
|
|
|
|
|
config.set("CA", "pki_clone", "True")
|
2014-05-29 07:47:17 -05:00
|
|
|
config.set("CA", "pki_clone_pkcs12_path", paths.TMP_CA_P12)
|
2012-11-28 02:05:53 -06:00
|
|
|
config.set("CA", "pki_clone_pkcs12_password", self.dm_password)
|
|
|
|
|
config.set("CA", "pki_clone_replication_security", "TLS")
|
|
|
|
|
config.set("CA", "pki_clone_replication_master_port", str(self.master_replication_port))
|
|
|
|
|
config.set("CA", "pki_clone_replication_clone_port", dogtag.install_constants.DS_PORT)
|
|
|
|
|
config.set("CA", "pki_clone_replicate_schema", "False")
|
|
|
|
|
config.set("CA", "pki_clone_uri", "https://%s" % ipautil.format_netloc(self.master_host, 443))
|
|
|
|
|
|
|
|
|
|
# External CA
|
2012-08-15 21:53:51 -05:00
|
|
|
if self.external == 1:
|
2012-11-28 02:05:53 -06:00
|
|
|
config.set("CA", "pki_external", "True")
|
|
|
|
|
config.set("CA", "pki_external_csr_path", self.csr_file)
|
|
|
|
|
|
2014-10-08 03:51:31 -05:00
|
|
|
if self.ca_type == 'ms-cs':
|
|
|
|
|
# Include MS template name extension in the CSR
|
|
|
|
|
config.set("CA", "pki_req_ext_add", "True")
|
|
|
|
|
config.set("CA", "pki_req_ext_oid", "1.3.6.1.4.1.311.20.2")
|
|
|
|
|
config.set("CA", "pki_req_ext_critical", "False")
|
|
|
|
|
config.set("CA", "pki_req_ext_data", "1E0A00530075006200430041")
|
|
|
|
|
|
2012-08-15 21:53:51 -05:00
|
|
|
elif self.external == 2:
|
2014-08-29 06:35:45 -05:00
|
|
|
cert = x509.load_certificate_from_file(self.cert_file)
|
|
|
|
|
cert_file = tempfile.NamedTemporaryFile()
|
|
|
|
|
x509.write_certificate(cert.der_data, cert_file.name)
|
|
|
|
|
cert_file.flush()
|
|
|
|
|
|
2014-08-08 03:15:26 -05:00
|
|
|
cert_chain, stderr, rc = ipautil.run(
|
|
|
|
|
[paths.OPENSSL, 'crl2pkcs7',
|
|
|
|
|
'-certfile', self.cert_chain_file,
|
|
|
|
|
'-nocrl'])
|
|
|
|
|
# Dogtag chokes on the header and footer, remove them
|
|
|
|
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1127838
|
|
|
|
|
cert_chain = re.search(
|
|
|
|
|
r'(?<=-----BEGIN PKCS7-----).*?(?=-----END PKCS7-----)',
|
|
|
|
|
cert_chain, re.DOTALL).group(0)
|
|
|
|
|
cert_chain_file = ipautil.write_tmp_file(cert_chain)
|
|
|
|
|
|
2012-11-28 02:05:53 -06:00
|
|
|
config.set("CA", "pki_external", "True")
|
2014-08-29 06:35:45 -05:00
|
|
|
config.set("CA", "pki_external_ca_cert_path", cert_file.name)
|
2014-08-08 03:15:26 -05:00
|
|
|
config.set("CA", "pki_external_ca_cert_chain_path", cert_chain_file.name)
|
2012-11-28 02:05:53 -06:00
|
|
|
config.set("CA", "pki_external_step_two", "True")
|
2012-08-15 21:53:51 -05:00
|
|
|
|
2012-11-28 02:05:53 -06:00
|
|
|
# Generate configuration file
|
|
|
|
|
with open(cfg_file, "wb") as f:
|
|
|
|
|
config.write(f)
|
2012-08-15 21:53:51 -05:00
|
|
|
|
2014-07-21 08:57:18 -05:00
|
|
|
self.backup_state('installed', True)
|
2012-08-15 21:53:51 -05:00
|
|
|
try:
|
2014-03-18 10:23:30 -05:00
|
|
|
DogtagInstance.spawn_instance(self, cfg_file)
|
2012-08-15 21:53:51 -05:00
|
|
|
finally:
|
|
|
|
|
os.remove(cfg_file)
|
|
|
|
|
|
|
|
|
|
if self.external == 1:
|
2014-06-16 03:41:57 -05:00
|
|
|
print "The next step is to get %s signed by your CA and re-run %s as:" % (self.csr_file, sys.argv[0])
|
2014-09-24 09:31:39 -05:00
|
|
|
print "%s --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate" % sys.argv[0]
|
2012-08-15 21:53:51 -05:00
|
|
|
sys.exit(0)
|
2013-02-25 10:15:23 -06:00
|
|
|
else:
|
2014-03-18 10:23:30 -05:00
|
|
|
shutil.move(paths.CA_BACKUP_KEYS_P12,
|
2014-05-29 07:47:17 -05:00
|
|
|
paths.CACERT_P12)
|
2012-08-15 21:53:51 -05:00
|
|
|
|
2014-03-18 10:23:30 -05:00
|
|
|
self.log.debug("completed creating ca instance")
|
2012-08-15 21:53:51 -05:00
|
|
|
|
2012-08-23 11:38:45 -05:00
|
|
|
def create_instance(self):
|
|
|
|
|
"""
|
|
|
|
|
If for some reason the instance doesn't exist, create a new one."
|
|
|
|
|
"""
|
|
|
|
|
# Only used for Dogtag 9
|
|
|
|
|
|
2014-05-29 07:47:17 -05:00
|
|
|
args = [paths.PKICREATE,
|
|
|
|
|
'-pki_instance_root', paths.VAR_LIB,
|
2012-08-23 11:38:45 -05:00
|
|
|
'-pki_instance_name',
|
|
|
|
|
self.dogtag_constants.PKI_INSTANCE_NAME,
|
|
|
|
|
'-subsystem_type', 'ca',
|
|
|
|
|
'-agent_secure_port',
|
|
|
|
|
str(self.dogtag_constants.AGENT_SECURE_PORT),
|
|
|
|
|
'-ee_secure_port',
|
|
|
|
|
str(self.dogtag_constants.EE_SECURE_PORT),
|
|
|
|
|
'-admin_secure_port',
|
|
|
|
|
str(self.dogtag_constants.ADMIN_SECURE_PORT),
|
|
|
|
|
'-ee_secure_client_auth_port',
|
|
|
|
|
str(self.dogtag_constants.EE_CLIENT_AUTH_PORT),
|
|
|
|
|
'-unsecure_port', str(self.dogtag_constants.UNSECURE_PORT),
|
|
|
|
|
'-tomcat_server_port',
|
|
|
|
|
str(self.dogtag_constants.TOMCAT_SERVER_PORT),
|
|
|
|
|
'-redirect', 'conf=/etc/pki-ca',
|
|
|
|
|
'-redirect', 'logs=/var/log/pki-ca',
|
|
|
|
|
'-enable_proxy'
|
|
|
|
|
]
|
2014-07-21 08:57:18 -05:00
|
|
|
self.backup_state('installed', True)
|
2012-08-23 11:38:45 -05:00
|
|
|
ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn})
|
2009-04-13 12:39:15 -05:00
|
|
|
|
2012-08-23 11:38:45 -05:00
|
|
|
def __configure_instance(self):
|
|
|
|
|
# Only used for Dogtag 9
|
|
|
|
|
preop_pin = get_preop_pin(
|
|
|
|
|
self.server_root, self.dogtag_constants.PKI_INSTANCE_NAME)
|
|
|
|
|
|
|
|
|
|
try:
|
2014-05-29 07:47:17 -05:00
|
|
|
args = [paths.PERL, paths.PKISILENT, "ConfigureCA",
|
2012-08-23 11:38:45 -05:00
|
|
|
"-cs_hostname", self.fqdn,
|
|
|
|
|
"-cs_port", str(self.dogtag_constants.ADMIN_SECURE_PORT),
|
2014-03-18 10:23:30 -05:00
|
|
|
"-client_certdb_dir", self.agent_db,
|
2012-08-23 11:38:45 -05:00
|
|
|
"-client_certdb_pwd", self.admin_password,
|
|
|
|
|
"-preop_pin" , preop_pin,
|
2012-11-19 09:32:28 -06:00
|
|
|
"-domain_name", self.security_domain_name,
|
2012-08-23 11:38:45 -05:00
|
|
|
"-admin_user", "admin",
|
|
|
|
|
"-admin_email", "root@localhost",
|
|
|
|
|
"-admin_password", self.admin_password,
|
|
|
|
|
"-agent_name", "ipa-ca-agent",
|
|
|
|
|
"-agent_key_size", "2048",
|
|
|
|
|
"-agent_key_type", "rsa",
|
|
|
|
|
"-agent_cert_subject", str(DN(('CN', 'ipa-ca-agent'), self.subject_base)),
|
|
|
|
|
"-ldap_host", self.fqdn,
|
|
|
|
|
"-ldap_port", str(self.ds_port),
|
|
|
|
|
"-bind_dn", "cn=Directory Manager",
|
|
|
|
|
"-bind_password", self.dm_password,
|
|
|
|
|
"-base_dn", str(self.basedn),
|
|
|
|
|
"-db_name", "ipaca",
|
|
|
|
|
"-key_size", "2048",
|
|
|
|
|
"-key_type", "rsa",
|
2014-08-06 02:43:19 -05:00
|
|
|
"-key_algorithm", self.ca_signing_algorithm,
|
|
|
|
|
"-signing_algorithm", "SHA256withRSA",
|
2012-08-23 11:38:45 -05:00
|
|
|
"-save_p12", "true",
|
|
|
|
|
"-backup_pwd", self.admin_password,
|
|
|
|
|
"-subsystem_name", self.service_name,
|
|
|
|
|
"-token_name", "internal",
|
|
|
|
|
"-ca_subsystem_cert_subject_name", str(DN(('CN', 'CA Subsystem'), self.subject_base)),
|
|
|
|
|
"-ca_subsystem_cert_subject_name", str(DN(('CN', 'CA Subsystem'), self.subject_base)),
|
|
|
|
|
"-ca_ocsp_cert_subject_name", str(DN(('CN', 'OCSP Subsystem'), self.subject_base)),
|
|
|
|
|
"-ca_server_cert_subject_name", str(DN(('CN', self.fqdn), self.subject_base)),
|
|
|
|
|
"-ca_audit_signing_cert_subject_name", str(DN(('CN', 'CA Audit'), self.subject_base)),
|
|
|
|
|
"-ca_sign_cert_subject_name", str(DN(('CN', 'Certificate Authority'), self.subject_base)) ]
|
|
|
|
|
if self.external == 1:
|
|
|
|
|
args.append("-external")
|
|
|
|
|
args.append("true")
|
|
|
|
|
args.append("-ext_csr_file")
|
|
|
|
|
args.append(self.csr_file)
|
|
|
|
|
elif self.external == 2:
|
2014-08-29 06:35:45 -05:00
|
|
|
cert = x509.load_certificate_from_file(self.cert_file)
|
|
|
|
|
cert_file = tempfile.NamedTemporaryFile()
|
|
|
|
|
x509.write_certificate(cert.der_data, cert_file.name)
|
|
|
|
|
cert_file.flush()
|
|
|
|
|
|
2012-08-23 11:38:45 -05:00
|
|
|
args.append("-external")
|
|
|
|
|
args.append("true")
|
|
|
|
|
args.append("-ext_ca_cert_file")
|
2014-08-29 06:35:45 -05:00
|
|
|
args.append(cert_file.name)
|
2012-08-23 11:38:45 -05:00
|
|
|
args.append("-ext_ca_cert_chain_file")
|
|
|
|
|
args.append(self.cert_chain_file)
|
|
|
|
|
else:
|
|
|
|
|
args.append("-external")
|
|
|
|
|
args.append("false")
|
2014-03-18 10:23:30 -05:00
|
|
|
if self.clone:
|
2012-08-23 11:38:45 -05:00
|
|
|
"""sd = security domain --> all CS systems get registered to
|
|
|
|
|
a security domain. This is set to the hostname and port of
|
|
|
|
|
the master CA.
|
|
|
|
|
"""
|
|
|
|
|
# The install wizard expects the file to be here.
|
|
|
|
|
cafile = self.pkcs12_info[0]
|
2014-05-29 07:47:17 -05:00
|
|
|
shutil.copy(cafile, paths.PKI_ALIAS_CA_P12)
|
2012-08-23 11:38:45 -05:00
|
|
|
pent = pwd.getpwnam(PKI_USER)
|
2014-05-29 07:47:17 -05:00
|
|
|
os.chown(paths.PKI_ALIAS_CA_P12, pent.pw_uid, pent.pw_gid )
|
2012-08-23 11:38:45 -05:00
|
|
|
args.append("-clone")
|
|
|
|
|
args.append("true")
|
|
|
|
|
args.append("-clone_p12_file")
|
|
|
|
|
args.append("ca.p12")
|
|
|
|
|
args.append("-clone_p12_password")
|
|
|
|
|
args.append(self.dm_password)
|
|
|
|
|
args.append("-sd_hostname")
|
|
|
|
|
args.append(self.master_host)
|
|
|
|
|
args.append("-sd_admin_port")
|
|
|
|
|
args.append("443")
|
|
|
|
|
args.append("-sd_admin_name")
|
|
|
|
|
args.append("admin")
|
|
|
|
|
args.append("-sd_admin_password")
|
|
|
|
|
args.append(self.admin_password)
|
2012-09-19 22:35:42 -05:00
|
|
|
args.append("-clone_master_port")
|
|
|
|
|
args.append(str(self.master_replication_port))
|
2012-08-23 11:38:45 -05:00
|
|
|
args.append("-clone_start_tls")
|
|
|
|
|
args.append("true")
|
|
|
|
|
args.append("-clone_uri")
|
|
|
|
|
args.append("https://%s" % ipautil.format_netloc(self.master_host, 443))
|
|
|
|
|
else:
|
|
|
|
|
args.append("-clone")
|
|
|
|
|
args.append("false")
|
|
|
|
|
|
|
|
|
|
# Define the things we don't want logged
|
|
|
|
|
nolog = (self.admin_password, self.dm_password,)
|
|
|
|
|
|
|
|
|
|
ipautil.run(args, env={'PKI_HOSTNAME':self.fqdn}, nolog=nolog)
|
|
|
|
|
except ipautil.CalledProcessError, e:
|
2014-03-18 10:23:30 -05:00
|
|
|
self.log.critical("failed to configure ca instance %s", e)
|
2012-08-23 11:38:45 -05:00
|
|
|
raise RuntimeError('Configuration of CA failed')
|
|
|
|
|
|
|
|
|
|
if self.external == 1:
|
2014-06-16 03:41:57 -05:00
|
|
|
print "The next step is to get %s signed by your CA and re-run %s as:" % (self.csr_file, sys.argv[0])
|
2014-09-24 09:31:39 -05:00
|
|
|
print "%s --external-cert-file=/path/to/signed_certificate --external-cert-file=/path/to/external_ca_certificate" % sys.argv[0]
|
2012-08-23 11:38:45 -05:00
|
|
|
sys.exit(0)
|
|
|
|
|
|
|
|
|
|
# pkisilent makes a copy of the CA PKCS#12 file for us but gives
|
|
|
|
|
# it a lousy name.
|
2014-05-29 07:47:17 -05:00
|
|
|
if ipautil.file_exists(paths.ROOT_TMP_CA_P12):
|
|
|
|
|
shutil.move(paths.ROOT_TMP_CA_P12, paths.CACERT_P12)
|
2012-08-23 11:38:45 -05:00
|
|
|
|
2014-03-18 10:23:30 -05:00
|
|
|
self.log.debug("completed creating ca instance")
|
2009-04-01 21:39:44 -05:00
|
|
|
|
2014-09-03 08:04:35 -05:00
|
|
|
def backup_config(self):
|
|
|
|
|
try:
|
|
|
|
|
backup_config(self.dogtag_constants)
|
|
|
|
|
except Exception, e:
|
|
|
|
|
root_logger.warning("Failed to backup CS.cfg: %s", e)
|
|
|
|
|
|
2011-08-01 14:16:24 -05:00
|
|
|
def __disable_nonce(self):
|
|
|
|
|
# Turn off Nonces
|
2012-08-23 11:38:45 -05:00
|
|
|
update_result = installutils.update_file(
|
|
|
|
|
self.dogtag_constants.CS_CFG_PATH, 'ca.enableNonces=true',
|
|
|
|
|
'ca.enableNonces=false')
|
|
|
|
|
if update_result != 0:
|
2011-08-01 14:16:24 -05:00
|
|
|
raise RuntimeError("Disabling nonces failed")
|
|
|
|
|
pent = pwd.getpwnam(PKI_USER)
|
2013-08-01 07:47:52 -05:00
|
|
|
os.chown(self.dogtag_constants.CS_CFG_PATH,
|
|
|
|
|
pent.pw_uid, pent.pw_gid)
|
2011-08-01 14:16:24 -05:00
|
|
|
|
2014-07-17 04:47:26 -05:00
|
|
|
def enable_pkix(self):
|
|
|
|
|
installutils.set_directive(self.dogtag_constants.SYSCONFIG_FILE_PATH,
|
|
|
|
|
'NSS_ENABLE_PKIX_VERIFY', '1',
|
|
|
|
|
quotes=False, separator='=')
|
|
|
|
|
|
2009-04-01 21:39:44 -05:00
|
|
|
def __issue_ra_cert(self):
|
|
|
|
|
# The CA certificate is in the agent DB but isn't trusted
|
|
|
|
|
(admin_fd, admin_name) = tempfile.mkstemp()
|
|
|
|
|
os.write(admin_fd, self.admin_password)
|
|
|
|
|
os.close(admin_fd)
|
|
|
|
|
|
2014-03-18 10:23:30 -05:00
|
|
|
# Look through the cert chain to get all the certs we need to add
|
2009-09-10 15:15:14 -05:00
|
|
|
# trust for
|
2014-03-18 10:23:30 -05:00
|
|
|
p = subprocess.Popen([paths.CERTUTIL, "-d", self.agent_db,
|
2009-09-10 15:15:14 -05:00
|
|
|
"-O", "-n", "ipa-ca-agent"], stdout=subprocess.PIPE)
|
|
|
|
|
|
|
|
|
|
chain = p.stdout.read()
|
|
|
|
|
chain = chain.split("\n")
|
|
|
|
|
|
|
|
|
|
root_nickname=[]
|
|
|
|
|
for i in xrange(len(chain)):
|
|
|
|
|
m = re.match('\ *"(.*)" \[.*', chain[i])
|
|
|
|
|
if m:
|
|
|
|
|
nick = m.groups(0)[0]
|
|
|
|
|
if nick != "ipa-ca-agent" and nick[:7] != "Builtin":
|
|
|
|
|
root_nickname.append(m.groups()[0])
|
|
|
|
|
|
2009-04-01 21:39:44 -05:00
|
|
|
try:
|
2009-09-10 15:15:14 -05:00
|
|
|
for nick in root_nickname:
|
|
|
|
|
self.__run_certutil(
|
|
|
|
|
['-M', '-t', 'CT,C,C', '-n',
|
|
|
|
|
nick],
|
2014-03-18 10:23:30 -05:00
|
|
|
database=self.agent_db, pwd_file=self.admin_password)
|
2009-04-01 21:39:44 -05:00
|
|
|
finally:
|
|
|
|
|
os.remove(admin_name)
|
|
|
|
|
|
|
|
|
|
# Retrieve the certificate request so we can get the values needed
|
2009-04-13 12:39:15 -05:00
|
|
|
# to issue a certificate. Use sslget here because this is a
|
|
|
|
|
# temporary database and nsslib doesn't currently support gracefully
|
|
|
|
|
# opening and closing an NSS database. This would leave the installer
|
|
|
|
|
# process stuck using this database during the entire cycle. We need
|
|
|
|
|
# to use the final RA agent database when issuing certs for DS and
|
|
|
|
|
# mod_nss.
|
|
|
|
|
args = [
|
2014-05-29 07:47:17 -05:00
|
|
|
paths.SSLGET,
|
2012-02-22 22:20:14 -06:00
|
|
|
'-v',
|
2009-04-13 12:39:15 -05:00
|
|
|
'-n', 'ipa-ca-agent',
|
|
|
|
|
'-p', self.admin_password,
|
2014-03-18 10:23:30 -05:00
|
|
|
'-d', self.agent_db,
|
2009-04-17 16:17:31 -05:00
|
|
|
'-r', '/ca/agent/ca/profileReview?requestId=%s' % self.requestId,
|
2012-08-23 11:38:45 -05:00
|
|
|
'%s' % ipautil.format_netloc(
|
|
|
|
|
self.fqdn, self.dogtag_constants.AGENT_SECURE_PORT),
|
2009-04-13 12:39:15 -05:00
|
|
|
]
|
2014-03-18 10:23:30 -05:00
|
|
|
(stdout, _stderr, _returncode) = ipautil.run(
|
|
|
|
|
args, nolog=(self.admin_password,))
|
2009-04-13 12:39:15 -05:00
|
|
|
|
2012-08-23 11:38:45 -05:00
|
|
|
data = stdout.split(self.dogtag_constants.RACERT_LINE_SEP)
|
2009-04-01 21:39:44 -05:00
|
|
|
params = get_defList(data)
|
|
|
|
|
params['requestId'] = find_substring(data, "requestId")
|
|
|
|
|
params['op'] = 'approve'
|
|
|
|
|
params['submit'] = 'submit'
|
|
|
|
|
params['requestNotes'] = ''
|
|
|
|
|
params = urllib.urlencode(params)
|
|
|
|
|
|
|
|
|
|
# Now issue the RA certificate.
|
2009-04-13 12:39:15 -05:00
|
|
|
args = [
|
2014-05-29 07:47:17 -05:00
|
|
|
paths.SSLGET,
|
2012-02-22 22:20:14 -06:00
|
|
|
'-v',
|
2009-04-13 12:39:15 -05:00
|
|
|
'-n', 'ipa-ca-agent',
|
|
|
|
|
'-p', self.admin_password,
|
2014-03-18 10:23:30 -05:00
|
|
|
'-d', self.agent_db,
|
2009-04-13 12:39:15 -05:00
|
|
|
'-e', params,
|
|
|
|
|
'-r', '/ca/agent/ca/profileProcess',
|
2012-08-23 11:38:45 -05:00
|
|
|
'%s' % ipautil.format_netloc(
|
|
|
|
|
self.fqdn, self.dogtag_constants.AGENT_SECURE_PORT),
|
2009-04-13 12:39:15 -05:00
|
|
|
]
|
2014-03-18 10:23:30 -05:00
|
|
|
(stdout, _stderr, _returncode) = ipautil.run(
|
|
|
|
|
args, nolog=(self.admin_password,))
|
2009-04-13 12:39:15 -05:00
|
|
|
|
2012-08-23 11:38:45 -05:00
|
|
|
data = stdout.split(self.dogtag_constants.RACERT_LINE_SEP)
|
2009-04-01 21:39:44 -05:00
|
|
|
outputList = get_outputList(data)
|
|
|
|
|
|
|
|
|
|
self.ra_cert = outputList['b64_cert']
|
2013-03-28 08:36:36 -05:00
|
|
|
|
|
|
|
|
# Strip certificate headers and convert it to proper line ending
|
2011-06-08 09:54:41 -05:00
|
|
|
self.ra_cert = x509.strip_header(self.ra_cert)
|
2013-03-28 08:36:36 -05:00
|
|
|
self.ra_cert = "\n".join(line.strip() for line
|
|
|
|
|
in self.ra_cert.splitlines() if line.strip())
|
2009-04-01 21:39:44 -05:00
|
|
|
|
2009-04-13 12:39:15 -05:00
|
|
|
# Add the new RA cert to the database in /etc/httpd/alias
|
2009-04-01 21:39:44 -05:00
|
|
|
(agent_fd, agent_name) = tempfile.mkstemp()
|
|
|
|
|
os.write(agent_fd, self.ra_cert)
|
|
|
|
|
os.close(agent_fd)
|
|
|
|
|
try:
|
|
|
|
|
self.__run_certutil(
|
|
|
|
|
['-A', '-t', 'u,u,u', '-n', 'ipaCert', '-a',
|
|
|
|
|
'-i', agent_name]
|
|
|
|
|
)
|
|
|
|
|
finally:
|
|
|
|
|
os.remove(agent_name)
|
|
|
|
|
|
2009-07-10 15:18:16 -05:00
|
|
|
def import_ra_cert(self, rafile):
|
|
|
|
|
"""
|
|
|
|
|
Cloned RAs will use the same RA agent cert as the master so we
|
|
|
|
|
need to import from a PKCS#12 file.
|
|
|
|
|
|
|
|
|
|
Used when setting up replication
|
|
|
|
|
"""
|
|
|
|
|
# Add the new RA cert to the database in /etc/httpd/alias
|
|
|
|
|
(agent_fd, agent_name) = tempfile.mkstemp()
|
|
|
|
|
os.write(agent_fd, self.dm_password)
|
|
|
|
|
os.close(agent_fd)
|
|
|
|
|
try:
|
|
|
|
|
import_pkcs12(rafile, agent_name, self.ra_agent_db, self.ra_agent_pwd)
|
|
|
|
|
finally:
|
|
|
|
|
os.remove(agent_name)
|
|
|
|
|
|
2012-07-11 14:51:01 -05:00
|
|
|
self.configure_agent_renewal()
|
|
|
|
|
|
2009-04-01 21:39:44 -05:00
|
|
|
def __configure_ra(self):
|
|
|
|
|
# Create an RA user in the CA LDAP server and add that user to
|
|
|
|
|
# the appropriate groups so it can issue certificates without
|
|
|
|
|
# manual intervention.
|
Use DN objects instead of strings
* Convert every string specifying a DN into a DN object
* Every place a dn was manipulated in some fashion it was replaced by
the use of DN operators
* Add new DNParam parameter type for parameters which are DN's
* DN objects are used 100% of the time throughout the entire data
pipeline whenever something is logically a dn.
* Many classes now enforce DN usage for their attributes which are
dn's. This is implmented via ipautil.dn_attribute_property(). The
only permitted types for a class attribute specified to be a DN are
either None or a DN object.
* Require that every place a dn is used it must be a DN object.
This translates into lot of::
assert isinstance(dn, DN)
sprinkled through out the code. Maintaining these asserts is
valuable to preserve DN type enforcement. The asserts can be
disabled in production.
The goal of 100% DN usage 100% of the time has been realized, these
asserts are meant to preserve that.
The asserts also proved valuable in detecting functions which did
not obey their function signatures, such as the baseldap pre and
post callbacks.
* Moved ipalib.dn to ipapython.dn because DN class is shared with all
components, not just the server which uses ipalib.
* All API's now accept DN's natively, no need to convert to str (or
unicode).
* Removed ipalib.encoder and encode/decode decorators. Type conversion
is now explicitly performed in each IPASimpleLDAPObject method which
emulates a ldap.SimpleLDAPObject method.
* Entity & Entry classes now utilize DN's
* Removed __getattr__ in Entity & Entity clases. There were two
problems with it. It presented synthetic Python object attributes
based on the current LDAP data it contained. There is no way to
validate synthetic attributes using code checkers, you can't search
the code to find LDAP attribute accesses (because synthetic
attriutes look like Python attributes instead of LDAP data) and
error handling is circumscribed. Secondly __getattr__ was hiding
Python internal methods which broke class semantics.
* Replace use of methods inherited from ldap.SimpleLDAPObject via
IPAdmin class with IPAdmin methods. Directly using inherited methods
was causing us to bypass IPA logic. Mostly this meant replacing the
use of search_s() with getEntry() or getList(). Similarly direct
access of the LDAP data in classes using IPAdmin were replaced with
calls to getValue() or getValues().
* Objects returned by ldap2.find_entries() are now compatible with
either the python-ldap access methodology or the Entity/Entry access
methodology.
* All ldap operations now funnel through the common
IPASimpleLDAPObject giving us a single location where we interface
to python-ldap and perform conversions.
* The above 4 modifications means we've greatly reduced the
proliferation of multiple inconsistent ways to perform LDAP
operations. We are well on the way to having a single API in IPA for
doing LDAP (a long range goal).
* All certificate subject bases are now DN's
* DN objects were enhanced thusly:
- find, rfind, index, rindex, replace and insert methods were added
- AVA, RDN and DN classes were refactored in immutable and mutable
variants, the mutable variants are EditableAVA, EditableRDN and
EditableDN. By default we use the immutable variants preserving
important semantics. To edit a DN cast it to an EditableDN and
cast it back to DN when done editing. These issues are fully
described in other documentation.
- first_key_match was removed
- DN equalty comparison permits comparison to a basestring
* Fixed ldapupdate to work with DN's. This work included:
- Enhance test_updates.py to do more checking after applying
update. Add test for update_from_dict(). Convert code to use
unittest classes.
- Consolidated duplicate code.
- Moved code which should have been in the class into the class.
- Fix the handling of the 'deleteentry' update action. It's no longer
necessary to supply fake attributes to make it work. Detect case
where subsequent update applies a change to entry previously marked
for deletetion. General clean-up and simplification of the
'deleteentry' logic.
- Rewrote a couple of functions to be clearer and more Pythonic.
- Added documentation on the data structure being used.
- Simplfy the use of update_from_dict()
* Removed all usage of get_schema() which was being called prior to
accessing the .schema attribute of an object. If a class is using
internal lazy loading as an optimization it's not right to require
users of the interface to be aware of internal
optimization's. schema is now a property and when the schema
property is accessed it calls a private internal method to perform
the lazy loading.
* Added SchemaCache class to cache the schema's from individual
servers. This was done because of the observation we talk to
different LDAP servers, each of which may have it's own
schema. Previously we globally cached the schema from the first
server we connected to and returned that schema in all contexts. The
cache includes controls to invalidate it thus forcing a schema
refresh.
* Schema caching is now senstive to the run time context. During
install and upgrade the schema can change leading to errors due to
out-of-date cached schema. The schema cache is refreshed in these
contexts.
* We are aware of the LDAP syntax of all LDAP attributes. Every
attribute returned from an LDAP operation is passed through a
central table look-up based on it's LDAP syntax. The table key is
the LDAP syntax it's value is a Python callable that returns a
Python object matching the LDAP syntax. There are a handful of LDAP
attributes whose syntax is historically incorrect
(e.g. DistguishedNames that are defined as DirectoryStrings). The
table driven conversion mechanism is augmented with a table of
hard coded exceptions.
Currently only the following conversions occur via the table:
- dn's are converted to DN objects
- binary objects are converted to Python str objects (IPA
convention).
- everything else is converted to unicode using UTF-8 decoding (IPA
convention).
However, now that the table driven conversion mechanism is in place
it would be trivial to do things such as converting attributes
which have LDAP integer syntax into a Python integer, etc.
* Expected values in the unit tests which are a DN no longer need to
use lambda expressions to promote the returned value to a DN for
equality comparison. The return value is automatically promoted to
a DN. The lambda expressions have been removed making the code much
simpler and easier to read.
* Add class level logging to a number of classes which did not support
logging, less need for use of root_logger.
* Remove ipaserver/conn.py, it was unused.
* Consolidated duplicate code wherever it was found.
* Fixed many places that used string concatenation to form a new
string rather than string formatting operators. This is necessary
because string formatting converts it's arguments to a string prior
to building the result string. You can't concatenate a string and a
non-string.
* Simplify logic in rename_managed plugin. Use DN operators to edit
dn's.
* The live version of ipa-ldap-updater did not generate a log file.
The offline version did, now both do.
https://fedorahosted.org/freeipa/ticket/1670
https://fedorahosted.org/freeipa/ticket/1671
https://fedorahosted.org/freeipa/ticket/1672
https://fedorahosted.org/freeipa/ticket/1673
https://fedorahosted.org/freeipa/ticket/1674
https://fedorahosted.org/freeipa/ticket/1392
https://fedorahosted.org/freeipa/ticket/2872
2012-05-13 06:36:35 -05:00
|
|
|
conn = ipaldap.IPAdmin(self.fqdn, self.ds_port)
|
2013-01-30 03:32:24 -06:00
|
|
|
conn.do_simple_bind(DN(('cn', 'Directory Manager')), self.dm_password)
|
2009-04-01 21:39:44 -05:00
|
|
|
|
|
|
|
|
decoded = base64.b64decode(self.ra_cert)
|
|
|
|
|
|
Use DN objects instead of strings
* Convert every string specifying a DN into a DN object
* Every place a dn was manipulated in some fashion it was replaced by
the use of DN operators
* Add new DNParam parameter type for parameters which are DN's
* DN objects are used 100% of the time throughout the entire data
pipeline whenever something is logically a dn.
* Many classes now enforce DN usage for their attributes which are
dn's. This is implmented via ipautil.dn_attribute_property(). The
only permitted types for a class attribute specified to be a DN are
either None or a DN object.
* Require that every place a dn is used it must be a DN object.
This translates into lot of::
assert isinstance(dn, DN)
sprinkled through out the code. Maintaining these asserts is
valuable to preserve DN type enforcement. The asserts can be
disabled in production.
The goal of 100% DN usage 100% of the time has been realized, these
asserts are meant to preserve that.
The asserts also proved valuable in detecting functions which did
not obey their function signatures, such as the baseldap pre and
post callbacks.
* Moved ipalib.dn to ipapython.dn because DN class is shared with all
components, not just the server which uses ipalib.
* All API's now accept DN's natively, no need to convert to str (or
unicode).
* Removed ipalib.encoder and encode/decode decorators. Type conversion
is now explicitly performed in each IPASimpleLDAPObject method which
emulates a ldap.SimpleLDAPObject method.
* Entity & Entry classes now utilize DN's
* Removed __getattr__ in Entity & Entity clases. There were two
problems with it. It presented synthetic Python object attributes
based on the current LDAP data it contained. There is no way to
validate synthetic attributes using code checkers, you can't search
the code to find LDAP attribute accesses (because synthetic
attriutes look like Python attributes instead of LDAP data) and
error handling is circumscribed. Secondly __getattr__ was hiding
Python internal methods which broke class semantics.
* Replace use of methods inherited from ldap.SimpleLDAPObject via
IPAdmin class with IPAdmin methods. Directly using inherited methods
was causing us to bypass IPA logic. Mostly this meant replacing the
use of search_s() with getEntry() or getList(). Similarly direct
access of the LDAP data in classes using IPAdmin were replaced with
calls to getValue() or getValues().
* Objects returned by ldap2.find_entries() are now compatible with
either the python-ldap access methodology or the Entity/Entry access
methodology.
* All ldap operations now funnel through the common
IPASimpleLDAPObject giving us a single location where we interface
to python-ldap and perform conversions.
* The above 4 modifications means we've greatly reduced the
proliferation of multiple inconsistent ways to perform LDAP
operations. We are well on the way to having a single API in IPA for
doing LDAP (a long range goal).
* All certificate subject bases are now DN's
* DN objects were enhanced thusly:
- find, rfind, index, rindex, replace and insert methods were added
- AVA, RDN and DN classes were refactored in immutable and mutable
variants, the mutable variants are EditableAVA, EditableRDN and
EditableDN. By default we use the immutable variants preserving
important semantics. To edit a DN cast it to an EditableDN and
cast it back to DN when done editing. These issues are fully
described in other documentation.
- first_key_match was removed
- DN equalty comparison permits comparison to a basestring
* Fixed ldapupdate to work with DN's. This work included:
- Enhance test_updates.py to do more checking after applying
update. Add test for update_from_dict(). Convert code to use
unittest classes.
- Consolidated duplicate code.
- Moved code which should have been in the class into the class.
- Fix the handling of the 'deleteentry' update action. It's no longer
necessary to supply fake attributes to make it work. Detect case
where subsequent update applies a change to entry previously marked
for deletetion. General clean-up and simplification of the
'deleteentry' logic.
- Rewrote a couple of functions to be clearer and more Pythonic.
- Added documentation on the data structure being used.
- Simplfy the use of update_from_dict()
* Removed all usage of get_schema() which was being called prior to
accessing the .schema attribute of an object. If a class is using
internal lazy loading as an optimization it's not right to require
users of the interface to be aware of internal
optimization's. schema is now a property and when the schema
property is accessed it calls a private internal method to perform
the lazy loading.
* Added SchemaCache class to cache the schema's from individual
servers. This was done because of the observation we talk to
different LDAP servers, each of which may have it's own
schema. Previously we globally cached the schema from the first
server we connected to and returned that schema in all contexts. The
cache includes controls to invalidate it thus forcing a schema
refresh.
* Schema caching is now senstive to the run time context. During
install and upgrade the schema can change leading to errors due to
out-of-date cached schema. The schema cache is refreshed in these
contexts.
* We are aware of the LDAP syntax of all LDAP attributes. Every
attribute returned from an LDAP operation is passed through a
central table look-up based on it's LDAP syntax. The table key is
the LDAP syntax it's value is a Python callable that returns a
Python object matching the LDAP syntax. There are a handful of LDAP
attributes whose syntax is historically incorrect
(e.g. DistguishedNames that are defined as DirectoryStrings). The
table driven conversion mechanism is augmented with a table of
hard coded exceptions.
Currently only the following conversions occur via the table:
- dn's are converted to DN objects
- binary objects are converted to Python str objects (IPA
convention).
- everything else is converted to unicode using UTF-8 decoding (IPA
convention).
However, now that the table driven conversion mechanism is in place
it would be trivial to do things such as converting attributes
which have LDAP integer syntax into a Python integer, etc.
* Expected values in the unit tests which are a DN no longer need to
use lambda expressions to promote the returned value to a DN for
equality comparison. The return value is automatically promoted to
a DN. The lambda expressions have been removed making the code much
simpler and easier to read.
* Add class level logging to a number of classes which did not support
logging, less need for use of root_logger.
* Remove ipaserver/conn.py, it was unused.
* Consolidated duplicate code wherever it was found.
* Fixed many places that used string concatenation to form a new
string rather than string formatting operators. This is necessary
because string formatting converts it's arguments to a string prior
to building the result string. You can't concatenate a string and a
non-string.
* Simplify logic in rename_managed plugin. Use DN operators to edit
dn's.
* The live version of ipa-ldap-updater did not generate a log file.
The offline version did, now both do.
https://fedorahosted.org/freeipa/ticket/1670
https://fedorahosted.org/freeipa/ticket/1671
https://fedorahosted.org/freeipa/ticket/1672
https://fedorahosted.org/freeipa/ticket/1673
https://fedorahosted.org/freeipa/ticket/1674
https://fedorahosted.org/freeipa/ticket/1392
https://fedorahosted.org/freeipa/ticket/2872
2012-05-13 06:36:35 -05:00
|
|
|
entry_dn = DN(('uid', "ipara"), ('ou', 'People'), self.basedn)
|
2013-10-31 11:54:49 -05:00
|
|
|
entry = conn.make_entry(
|
|
|
|
|
entry_dn,
|
|
|
|
|
objectClass=['top', 'person', 'organizationalPerson',
|
|
|
|
|
'inetOrgPerson', 'cmsuser'],
|
|
|
|
|
uid=["ipara"],
|
|
|
|
|
sn=["ipara"],
|
|
|
|
|
cn=["ipara"],
|
|
|
|
|
usertype=["agentType"],
|
|
|
|
|
userstate=["1"],
|
|
|
|
|
userCertificate=[decoded],
|
|
|
|
|
description=['2;%s;%s;%s' % (
|
|
|
|
|
str(self.requestId),
|
|
|
|
|
DN(('CN', 'Certificate Authority'), self.subject_base),
|
|
|
|
|
DN(('CN', 'IPA RA'), self.subject_base))])
|
|
|
|
|
|
|
|
|
|
conn.add_entry(entry)
|
2009-04-01 21:39:44 -05:00
|
|
|
|
Use DN objects instead of strings
* Convert every string specifying a DN into a DN object
* Every place a dn was manipulated in some fashion it was replaced by
the use of DN operators
* Add new DNParam parameter type for parameters which are DN's
* DN objects are used 100% of the time throughout the entire data
pipeline whenever something is logically a dn.
* Many classes now enforce DN usage for their attributes which are
dn's. This is implmented via ipautil.dn_attribute_property(). The
only permitted types for a class attribute specified to be a DN are
either None or a DN object.
* Require that every place a dn is used it must be a DN object.
This translates into lot of::
assert isinstance(dn, DN)
sprinkled through out the code. Maintaining these asserts is
valuable to preserve DN type enforcement. The asserts can be
disabled in production.
The goal of 100% DN usage 100% of the time has been realized, these
asserts are meant to preserve that.
The asserts also proved valuable in detecting functions which did
not obey their function signatures, such as the baseldap pre and
post callbacks.
* Moved ipalib.dn to ipapython.dn because DN class is shared with all
components, not just the server which uses ipalib.
* All API's now accept DN's natively, no need to convert to str (or
unicode).
* Removed ipalib.encoder and encode/decode decorators. Type conversion
is now explicitly performed in each IPASimpleLDAPObject method which
emulates a ldap.SimpleLDAPObject method.
* Entity & Entry classes now utilize DN's
* Removed __getattr__ in Entity & Entity clases. There were two
problems with it. It presented synthetic Python object attributes
based on the current LDAP data it contained. There is no way to
validate synthetic attributes using code checkers, you can't search
the code to find LDAP attribute accesses (because synthetic
attriutes look like Python attributes instead of LDAP data) and
error handling is circumscribed. Secondly __getattr__ was hiding
Python internal methods which broke class semantics.
* Replace use of methods inherited from ldap.SimpleLDAPObject via
IPAdmin class with IPAdmin methods. Directly using inherited methods
was causing us to bypass IPA logic. Mostly this meant replacing the
use of search_s() with getEntry() or getList(). Similarly direct
access of the LDAP data in classes using IPAdmin were replaced with
calls to getValue() or getValues().
* Objects returned by ldap2.find_entries() are now compatible with
either the python-ldap access methodology or the Entity/Entry access
methodology.
* All ldap operations now funnel through the common
IPASimpleLDAPObject giving us a single location where we interface
to python-ldap and perform conversions.
* The above 4 modifications means we've greatly reduced the
proliferation of multiple inconsistent ways to perform LDAP
operations. We are well on the way to having a single API in IPA for
doing LDAP (a long range goal).
* All certificate subject bases are now DN's
* DN objects were enhanced thusly:
- find, rfind, index, rindex, replace and insert methods were added
- AVA, RDN and DN classes were refactored in immutable and mutable
variants, the mutable variants are EditableAVA, EditableRDN and
EditableDN. By default we use the immutable variants preserving
important semantics. To edit a DN cast it to an EditableDN and
cast it back to DN when done editing. These issues are fully
described in other documentation.
- first_key_match was removed
- DN equalty comparison permits comparison to a basestring
* Fixed ldapupdate to work with DN's. This work included:
- Enhance test_updates.py to do more checking after applying
update. Add test for update_from_dict(). Convert code to use
unittest classes.
- Consolidated duplicate code.
- Moved code which should have been in the class into the class.
- Fix the handling of the 'deleteentry' update action. It's no longer
necessary to supply fake attributes to make it work. Detect case
where subsequent update applies a change to entry previously marked
for deletetion. General clean-up and simplification of the
'deleteentry' logic.
- Rewrote a couple of functions to be clearer and more Pythonic.
- Added documentation on the data structure being used.
- Simplfy the use of update_from_dict()
* Removed all usage of get_schema() which was being called prior to
accessing the .schema attribute of an object. If a class is using
internal lazy loading as an optimization it's not right to require
users of the interface to be aware of internal
optimization's. schema is now a property and when the schema
property is accessed it calls a private internal method to perform
the lazy loading.
* Added SchemaCache class to cache the schema's from individual
servers. This was done because of the observation we talk to
different LDAP servers, each of which may have it's own
schema. Previously we globally cached the schema from the first
server we connected to and returned that schema in all contexts. The
cache includes controls to invalidate it thus forcing a schema
refresh.
* Schema caching is now senstive to the run time context. During
install and upgrade the schema can change leading to errors due to
out-of-date cached schema. The schema cache is refreshed in these
contexts.
* We are aware of the LDAP syntax of all LDAP attributes. Every
attribute returned from an LDAP operation is passed through a
central table look-up based on it's LDAP syntax. The table key is
the LDAP syntax it's value is a Python callable that returns a
Python object matching the LDAP syntax. There are a handful of LDAP
attributes whose syntax is historically incorrect
(e.g. DistguishedNames that are defined as DirectoryStrings). The
table driven conversion mechanism is augmented with a table of
hard coded exceptions.
Currently only the following conversions occur via the table:
- dn's are converted to DN objects
- binary objects are converted to Python str objects (IPA
convention).
- everything else is converted to unicode using UTF-8 decoding (IPA
convention).
However, now that the table driven conversion mechanism is in place
it would be trivial to do things such as converting attributes
which have LDAP integer syntax into a Python integer, etc.
* Expected values in the unit tests which are a DN no longer need to
use lambda expressions to promote the returned value to a DN for
equality comparison. The return value is automatically promoted to
a DN. The lambda expressions have been removed making the code much
simpler and easier to read.
* Add class level logging to a number of classes which did not support
logging, less need for use of root_logger.
* Remove ipaserver/conn.py, it was unused.
* Consolidated duplicate code wherever it was found.
* Fixed many places that used string concatenation to form a new
string rather than string formatting operators. This is necessary
because string formatting converts it's arguments to a string prior
to building the result string. You can't concatenate a string and a
non-string.
* Simplify logic in rename_managed plugin. Use DN operators to edit
dn's.
* The live version of ipa-ldap-updater did not generate a log file.
The offline version did, now both do.
https://fedorahosted.org/freeipa/ticket/1670
https://fedorahosted.org/freeipa/ticket/1671
https://fedorahosted.org/freeipa/ticket/1672
https://fedorahosted.org/freeipa/ticket/1673
https://fedorahosted.org/freeipa/ticket/1674
https://fedorahosted.org/freeipa/ticket/1392
https://fedorahosted.org/freeipa/ticket/2872
2012-05-13 06:36:35 -05:00
|
|
|
dn = DN(('cn', 'Certificate Manager Agents'), ('ou', 'groups'), self.basedn)
|
2009-04-01 21:39:44 -05:00
|
|
|
modlist = [(0, 'uniqueMember', '%s' % entry_dn)]
|
Use DN objects instead of strings
* Convert every string specifying a DN into a DN object
* Every place a dn was manipulated in some fashion it was replaced by
the use of DN operators
* Add new DNParam parameter type for parameters which are DN's
* DN objects are used 100% of the time throughout the entire data
pipeline whenever something is logically a dn.
* Many classes now enforce DN usage for their attributes which are
dn's. This is implmented via ipautil.dn_attribute_property(). The
only permitted types for a class attribute specified to be a DN are
either None or a DN object.
* Require that every place a dn is used it must be a DN object.
This translates into lot of::
assert isinstance(dn, DN)
sprinkled through out the code. Maintaining these asserts is
valuable to preserve DN type enforcement. The asserts can be
disabled in production.
The goal of 100% DN usage 100% of the time has been realized, these
asserts are meant to preserve that.
The asserts also proved valuable in detecting functions which did
not obey their function signatures, such as the baseldap pre and
post callbacks.
* Moved ipalib.dn to ipapython.dn because DN class is shared with all
components, not just the server which uses ipalib.
* All API's now accept DN's natively, no need to convert to str (or
unicode).
* Removed ipalib.encoder and encode/decode decorators. Type conversion
is now explicitly performed in each IPASimpleLDAPObject method which
emulates a ldap.SimpleLDAPObject method.
* Entity & Entry classes now utilize DN's
* Removed __getattr__ in Entity & Entity clases. There were two
problems with it. It presented synthetic Python object attributes
based on the current LDAP data it contained. There is no way to
validate synthetic attributes using code checkers, you can't search
the code to find LDAP attribute accesses (because synthetic
attriutes look like Python attributes instead of LDAP data) and
error handling is circumscribed. Secondly __getattr__ was hiding
Python internal methods which broke class semantics.
* Replace use of methods inherited from ldap.SimpleLDAPObject via
IPAdmin class with IPAdmin methods. Directly using inherited methods
was causing us to bypass IPA logic. Mostly this meant replacing the
use of search_s() with getEntry() or getList(). Similarly direct
access of the LDAP data in classes using IPAdmin were replaced with
calls to getValue() or getValues().
* Objects returned by ldap2.find_entries() are now compatible with
either the python-ldap access methodology or the Entity/Entry access
methodology.
* All ldap operations now funnel through the common
IPASimpleLDAPObject giving us a single location where we interface
to python-ldap and perform conversions.
* The above 4 modifications means we've greatly reduced the
proliferation of multiple inconsistent ways to perform LDAP
operations. We are well on the way to having a single API in IPA for
doing LDAP (a long range goal).
* All certificate subject bases are now DN's
* DN objects were enhanced thusly:
- find, rfind, index, rindex, replace and insert methods were added
- AVA, RDN and DN classes were refactored in immutable and mutable
variants, the mutable variants are EditableAVA, EditableRDN and
EditableDN. By default we use the immutable variants preserving
important semantics. To edit a DN cast it to an EditableDN and
cast it back to DN when done editing. These issues are fully
described in other documentation.
- first_key_match was removed
- DN equalty comparison permits comparison to a basestring
* Fixed ldapupdate to work with DN's. This work included:
- Enhance test_updates.py to do more checking after applying
update. Add test for update_from_dict(). Convert code to use
unittest classes.
- Consolidated duplicate code.
- Moved code which should have been in the class into the class.
- Fix the handling of the 'deleteentry' update action. It's no longer
necessary to supply fake attributes to make it work. Detect case
where subsequent update applies a change to entry previously marked
for deletetion. General clean-up and simplification of the
'deleteentry' logic.
- Rewrote a couple of functions to be clearer and more Pythonic.
- Added documentation on the data structure being used.
- Simplfy the use of update_from_dict()
* Removed all usage of get_schema() which was being called prior to
accessing the .schema attribute of an object. If a class is using
internal lazy loading as an optimization it's not right to require
users of the interface to be aware of internal
optimization's. schema is now a property and when the schema
property is accessed it calls a private internal method to perform
the lazy loading.
* Added SchemaCache class to cache the schema's from individual
servers. This was done because of the observation we talk to
different LDAP servers, each of which may have it's own
schema. Previously we globally cached the schema from the first
server we connected to and returned that schema in all contexts. The
cache includes controls to invalidate it thus forcing a schema
refresh.
* Schema caching is now senstive to the run time context. During
install and upgrade the schema can change leading to errors due to
out-of-date cached schema. The schema cache is refreshed in these
contexts.
* We are aware of the LDAP syntax of all LDAP attributes. Every
attribute returned from an LDAP operation is passed through a
central table look-up based on it's LDAP syntax. The table key is
the LDAP syntax it's value is a Python callable that returns a
Python object matching the LDAP syntax. There are a handful of LDAP
attributes whose syntax is historically incorrect
(e.g. DistguishedNames that are defined as DirectoryStrings). The
table driven conversion mechanism is augmented with a table of
hard coded exceptions.
Currently only the following conversions occur via the table:
- dn's are converted to DN objects
- binary objects are converted to Python str objects (IPA
convention).
- everything else is converted to unicode using UTF-8 decoding (IPA
convention).
However, now that the table driven conversion mechanism is in place
it would be trivial to do things such as converting attributes
which have LDAP integer syntax into a Python integer, etc.
* Expected values in the unit tests which are a DN no longer need to
use lambda expressions to promote the returned value to a DN for
equality comparison. The return value is automatically promoted to
a DN. The lambda expressions have been removed making the code much
simpler and easier to read.
* Add class level logging to a number of classes which did not support
logging, less need for use of root_logger.
* Remove ipaserver/conn.py, it was unused.
* Consolidated duplicate code wherever it was found.
* Fixed many places that used string concatenation to form a new
string rather than string formatting operators. This is necessary
because string formatting converts it's arguments to a string prior
to building the result string. You can't concatenate a string and a
non-string.
* Simplify logic in rename_managed plugin. Use DN operators to edit
dn's.
* The live version of ipa-ldap-updater did not generate a log file.
The offline version did, now both do.
https://fedorahosted.org/freeipa/ticket/1670
https://fedorahosted.org/freeipa/ticket/1671
https://fedorahosted.org/freeipa/ticket/1672
https://fedorahosted.org/freeipa/ticket/1673
https://fedorahosted.org/freeipa/ticket/1674
https://fedorahosted.org/freeipa/ticket/1392
https://fedorahosted.org/freeipa/ticket/2872
2012-05-13 06:36:35 -05:00
|
|
|
conn.modify_s(dn, modlist)
|
2009-04-01 21:39:44 -05:00
|
|
|
|
Use DN objects instead of strings
* Convert every string specifying a DN into a DN object
* Every place a dn was manipulated in some fashion it was replaced by
the use of DN operators
* Add new DNParam parameter type for parameters which are DN's
* DN objects are used 100% of the time throughout the entire data
pipeline whenever something is logically a dn.
* Many classes now enforce DN usage for their attributes which are
dn's. This is implmented via ipautil.dn_attribute_property(). The
only permitted types for a class attribute specified to be a DN are
either None or a DN object.
* Require that every place a dn is used it must be a DN object.
This translates into lot of::
assert isinstance(dn, DN)
sprinkled through out the code. Maintaining these asserts is
valuable to preserve DN type enforcement. The asserts can be
disabled in production.
The goal of 100% DN usage 100% of the time has been realized, these
asserts are meant to preserve that.
The asserts also proved valuable in detecting functions which did
not obey their function signatures, such as the baseldap pre and
post callbacks.
* Moved ipalib.dn to ipapython.dn because DN class is shared with all
components, not just the server which uses ipalib.
* All API's now accept DN's natively, no need to convert to str (or
unicode).
* Removed ipalib.encoder and encode/decode decorators. Type conversion
is now explicitly performed in each IPASimpleLDAPObject method which
emulates a ldap.SimpleLDAPObject method.
* Entity & Entry classes now utilize DN's
* Removed __getattr__ in Entity & Entity clases. There were two
problems with it. It presented synthetic Python object attributes
based on the current LDAP data it contained. There is no way to
validate synthetic attributes using code checkers, you can't search
the code to find LDAP attribute accesses (because synthetic
attriutes look like Python attributes instead of LDAP data) and
error handling is circumscribed. Secondly __getattr__ was hiding
Python internal methods which broke class semantics.
* Replace use of methods inherited from ldap.SimpleLDAPObject via
IPAdmin class with IPAdmin methods. Directly using inherited methods
was causing us to bypass IPA logic. Mostly this meant replacing the
use of search_s() with getEntry() or getList(). Similarly direct
access of the LDAP data in classes using IPAdmin were replaced with
calls to getValue() or getValues().
* Objects returned by ldap2.find_entries() are now compatible with
either the python-ldap access methodology or the Entity/Entry access
methodology.
* All ldap operations now funnel through the common
IPASimpleLDAPObject giving us a single location where we interface
to python-ldap and perform conversions.
* The above 4 modifications means we've greatly reduced the
proliferation of multiple inconsistent ways to perform LDAP
operations. We are well on the way to having a single API in IPA for
doing LDAP (a long range goal).
* All certificate subject bases are now DN's
* DN objects were enhanced thusly:
- find, rfind, index, rindex, replace and insert methods were added
- AVA, RDN and DN classes were refactored in immutable and mutable
variants, the mutable variants are EditableAVA, EditableRDN and
EditableDN. By default we use the immutable variants preserving
important semantics. To edit a DN cast it to an EditableDN and
cast it back to DN when done editing. These issues are fully
described in other documentation.
- first_key_match was removed
- DN equalty comparison permits comparison to a basestring
* Fixed ldapupdate to work with DN's. This work included:
- Enhance test_updates.py to do more checking after applying
update. Add test for update_from_dict(). Convert code to use
unittest classes.
- Consolidated duplicate code.
- Moved code which should have been in the class into the class.
- Fix the handling of the 'deleteentry' update action. It's no longer
necessary to supply fake attributes to make it work. Detect case
where subsequent update applies a change to entry previously marked
for deletetion. General clean-up and simplification of the
'deleteentry' logic.
- Rewrote a couple of functions to be clearer and more Pythonic.
- Added documentation on the data structure being used.
- Simplfy the use of update_from_dict()
* Removed all usage of get_schema() which was being called prior to
accessing the .schema attribute of an object. If a class is using
internal lazy loading as an optimization it's not right to require
users of the interface to be aware of internal
optimization's. schema is now a property and when the schema
property is accessed it calls a private internal method to perform
the lazy loading.
* Added SchemaCache class to cache the schema's from individual
servers. This was done because of the observation we talk to
different LDAP servers, each of which may have it's own
schema. Previously we globally cached the schema from the first
server we connected to and returned that schema in all contexts. The
cache includes controls to invalidate it thus forcing a schema
refresh.
* Schema caching is now senstive to the run time context. During
install and upgrade the schema can change leading to errors due to
out-of-date cached schema. The schema cache is refreshed in these
contexts.
* We are aware of the LDAP syntax of all LDAP attributes. Every
attribute returned from an LDAP operation is passed through a
central table look-up based on it's LDAP syntax. The table key is
the LDAP syntax it's value is a Python callable that returns a
Python object matching the LDAP syntax. There are a handful of LDAP
attributes whose syntax is historically incorrect
(e.g. DistguishedNames that are defined as DirectoryStrings). The
table driven conversion mechanism is augmented with a table of
hard coded exceptions.
Currently only the following conversions occur via the table:
- dn's are converted to DN objects
- binary objects are converted to Python str objects (IPA
convention).
- everything else is converted to unicode using UTF-8 decoding (IPA
convention).
However, now that the table driven conversion mechanism is in place
it would be trivial to do things such as converting attributes
which have LDAP integer syntax into a Python integer, etc.
* Expected values in the unit tests which are a DN no longer need to
use lambda expressions to promote the returned value to a DN for
equality comparison. The return value is automatically promoted to
a DN. The lambda expressions have been removed making the code much
simpler and easier to read.
* Add class level logging to a number of classes which did not support
logging, less need for use of root_logger.
* Remove ipaserver/conn.py, it was unused.
* Consolidated duplicate code wherever it was found.
* Fixed many places that used string concatenation to form a new
string rather than string formatting operators. This is necessary
because string formatting converts it's arguments to a string prior
to building the result string. You can't concatenate a string and a
non-string.
* Simplify logic in rename_managed plugin. Use DN operators to edit
dn's.
* The live version of ipa-ldap-updater did not generate a log file.
The offline version did, now both do.
https://fedorahosted.org/freeipa/ticket/1670
https://fedorahosted.org/freeipa/ticket/1671
https://fedorahosted.org/freeipa/ticket/1672
https://fedorahosted.org/freeipa/ticket/1673
https://fedorahosted.org/freeipa/ticket/1674
https://fedorahosted.org/freeipa/ticket/1392
https://fedorahosted.org/freeipa/ticket/2872
2012-05-13 06:36:35 -05:00
|
|
|
dn = DN(('cn', 'Registration Manager Agents'), ('ou', 'groups'), self.basedn)
|
2009-04-01 21:39:44 -05:00
|
|
|
modlist = [(0, 'uniqueMember', '%s' % entry_dn)]
|
Use DN objects instead of strings
* Convert every string specifying a DN into a DN object
* Every place a dn was manipulated in some fashion it was replaced by
the use of DN operators
* Add new DNParam parameter type for parameters which are DN's
* DN objects are used 100% of the time throughout the entire data
pipeline whenever something is logically a dn.
* Many classes now enforce DN usage for their attributes which are
dn's. This is implmented via ipautil.dn_attribute_property(). The
only permitted types for a class attribute specified to be a DN are
either None or a DN object.
* Require that every place a dn is used it must be a DN object.
This translates into lot of::
assert isinstance(dn, DN)
sprinkled through out the code. Maintaining these asserts is
valuable to preserve DN type enforcement. The asserts can be
disabled in production.
The goal of 100% DN usage 100% of the time has been realized, these
asserts are meant to preserve that.
The asserts also proved valuable in detecting functions which did
not obey their function signatures, such as the baseldap pre and
post callbacks.
* Moved ipalib.dn to ipapython.dn because DN class is shared with all
components, not just the server which uses ipalib.
* All API's now accept DN's natively, no need to convert to str (or
unicode).
* Removed ipalib.encoder and encode/decode decorators. Type conversion
is now explicitly performed in each IPASimpleLDAPObject method which
emulates a ldap.SimpleLDAPObject method.
* Entity & Entry classes now utilize DN's
* Removed __getattr__ in Entity & Entity clases. There were two
problems with it. It presented synthetic Python object attributes
based on the current LDAP data it contained. There is no way to
validate synthetic attributes using code checkers, you can't search
the code to find LDAP attribute accesses (because synthetic
attriutes look like Python attributes instead of LDAP data) and
error handling is circumscribed. Secondly __getattr__ was hiding
Python internal methods which broke class semantics.
* Replace use of methods inherited from ldap.SimpleLDAPObject via
IPAdmin class with IPAdmin methods. Directly using inherited methods
was causing us to bypass IPA logic. Mostly this meant replacing the
use of search_s() with getEntry() or getList(). Similarly direct
access of the LDAP data in classes using IPAdmin were replaced with
calls to getValue() or getValues().
* Objects returned by ldap2.find_entries() are now compatible with
either the python-ldap access methodology or the Entity/Entry access
methodology.
* All ldap operations now funnel through the common
IPASimpleLDAPObject giving us a single location where we interface
to python-ldap and perform conversions.
* The above 4 modifications means we've greatly reduced the
proliferation of multiple inconsistent ways to perform LDAP
operations. We are well on the way to having a single API in IPA for
doing LDAP (a long range goal).
* All certificate subject bases are now DN's
* DN objects were enhanced thusly:
- find, rfind, index, rindex, replace and insert methods were added
- AVA, RDN and DN classes were refactored in immutable and mutable
variants, the mutable variants are EditableAVA, EditableRDN and
EditableDN. By default we use the immutable variants preserving
important semantics. To edit a DN cast it to an EditableDN and
cast it back to DN when done editing. These issues are fully
described in other documentation.
- first_key_match was removed
- DN equalty comparison permits comparison to a basestring
* Fixed ldapupdate to work with DN's. This work included:
- Enhance test_updates.py to do more checking after applying
update. Add test for update_from_dict(). Convert code to use
unittest classes.
- Consolidated duplicate code.
- Moved code which should have been in the class into the class.
- Fix the handling of the 'deleteentry' update action. It's no longer
necessary to supply fake attributes to make it work. Detect case
where subsequent update applies a change to entry previously marked
for deletetion. General clean-up and simplification of the
'deleteentry' logic.
- Rewrote a couple of functions to be clearer and more Pythonic.
- Added documentation on the data structure being used.
- Simplfy the use of update_from_dict()
* Removed all usage of get_schema() which was being called prior to
accessing the .schema attribute of an object. If a class is using
internal lazy loading as an optimization it's not right to require
users of the interface to be aware of internal
optimization's. schema is now a property and when the schema
property is accessed it calls a private internal method to perform
the lazy loading.
* Added SchemaCache class to cache the schema's from individual
servers. This was done because of the observation we talk to
different LDAP servers, each of which may have it's own
schema. Previously we globally cached the schema from the first
server we connected to and returned that schema in all contexts. The
cache includes controls to invalidate it thus forcing a schema
refresh.
* Schema caching is now senstive to the run time context. During
install and upgrade the schema can change leading to errors due to
out-of-date cached schema. The schema cache is refreshed in these
contexts.
* We are aware of the LDAP syntax of all LDAP attributes. Every
attribute returned from an LDAP operation is passed through a
central table look-up based on it's LDAP syntax. The table key is
the LDAP syntax it's value is a Python callable that returns a
Python object matching the LDAP syntax. There are a handful of LDAP
attributes whose syntax is historically incorrect
(e.g. DistguishedNames that are defined as DirectoryStrings). The
table driven conversion mechanism is augmented with a table of
hard coded exceptions.
Currently only the following conversions occur via the table:
- dn's are converted to DN objects
- binary objects are converted to Python str objects (IPA
convention).
- everything else is converted to unicode using UTF-8 decoding (IPA
convention).
However, now that the table driven conversion mechanism is in place
it would be trivial to do things such as converting attributes
which have LDAP integer syntax into a Python integer, etc.
* Expected values in the unit tests which are a DN no longer need to
use lambda expressions to promote the returned value to a DN for
equality comparison. The return value is automatically promoted to
a DN. The lambda expressions have been removed making the code much
simpler and easier to read.
* Add class level logging to a number of classes which did not support
logging, less need for use of root_logger.
* Remove ipaserver/conn.py, it was unused.
* Consolidated duplicate code wherever it was found.
* Fixed many places that used string concatenation to form a new
string rather than string formatting operators. This is necessary
because string formatting converts it's arguments to a string prior
to building the result string. You can't concatenate a string and a
non-string.
* Simplify logic in rename_managed plugin. Use DN operators to edit
dn's.
* The live version of ipa-ldap-updater did not generate a log file.
The offline version did, now both do.
https://fedorahosted.org/freeipa/ticket/1670
https://fedorahosted.org/freeipa/ticket/1671
https://fedorahosted.org/freeipa/ticket/1672
https://fedorahosted.org/freeipa/ticket/1673
https://fedorahosted.org/freeipa/ticket/1674
https://fedorahosted.org/freeipa/ticket/1392
https://fedorahosted.org/freeipa/ticket/2872
2012-05-13 06:36:35 -05:00
|
|
|
conn.modify_s(dn, modlist)
|
2009-04-01 21:39:44 -05:00
|
|
|
|
2013-01-30 05:46:48 -06:00
|
|
|
conn.unbind()
|
2009-04-01 21:39:44 -05:00
|
|
|
|
2014-03-18 10:23:30 -05:00
|
|
|
def __run_certutil(self, args, database=None, pwd_file=None, stdin=None):
|
2009-04-01 21:39:44 -05:00
|
|
|
if not database:
|
|
|
|
|
database = self.ra_agent_db
|
|
|
|
|
if not pwd_file:
|
|
|
|
|
pwd_file = self.ra_agent_pwd
|
2014-05-29 07:47:17 -05:00
|
|
|
new_args = [paths.CERTUTIL, "-d", database, "-f", pwd_file]
|
2009-04-01 21:39:44 -05:00
|
|
|
new_args = new_args + args
|
2010-11-30 16:00:54 -06:00
|
|
|
return ipautil.run(new_args, stdin, nolog=(pwd_file,))
|
2009-04-01 21:39:44 -05:00
|
|
|
|
|
|
|
|
def __create_ra_agent_db(self):
|
|
|
|
|
if ipautil.file_exists(self.ra_agent_db + "/cert8.db"):
|
2009-04-13 12:39:15 -05:00
|
|
|
ipautil.backup_file(self.ra_agent_db + "/cert8.db")
|
|
|
|
|
ipautil.backup_file(self.ra_agent_db + "/key3.db")
|
|
|
|
|
ipautil.backup_file(self.ra_agent_db + "/secmod.db")
|
|
|
|
|
ipautil.backup_file(self.ra_agent_db + "/pwdfile.txt")
|
2009-04-01 21:39:44 -05:00
|
|
|
|
|
|
|
|
if not ipautil.dir_exists(self.ra_agent_db):
|
|
|
|
|
os.mkdir(self.ra_agent_db)
|
|
|
|
|
|
|
|
|
|
# Create the password file for this db
|
|
|
|
|
hex_str = binascii.hexlify(os.urandom(10))
|
|
|
|
|
f = os.open(self.ra_agent_pwd, os.O_CREAT | os.O_RDWR)
|
|
|
|
|
os.write(f, hex_str)
|
|
|
|
|
os.close(f)
|
2009-04-17 16:17:31 -05:00
|
|
|
os.chmod(self.ra_agent_pwd, stat.S_IRUSR)
|
2009-04-01 21:39:44 -05:00
|
|
|
|
2014-03-18 10:23:30 -05:00
|
|
|
self.__run_certutil(["-N"])
|
2009-04-01 21:39:44 -05:00
|
|
|
|
|
|
|
|
def __get_ca_chain(self):
|
2009-04-22 13:36:51 -05:00
|
|
|
try:
|
2012-10-31 09:37:33 -05:00
|
|
|
return dogtag.get_ca_certchain(ca_host=self.fqdn,
|
|
|
|
|
dogtag_constants=self.dogtag_constants)
|
2009-07-10 15:18:16 -05:00
|
|
|
except Exception, e:
|
|
|
|
|
raise RuntimeError("Unable to retrieve CA chain: %s" % str(e))
|
2009-04-01 21:39:44 -05:00
|
|
|
|
2012-08-23 11:38:45 -05:00
|
|
|
def __create_ca_agent_pkcs12(self):
|
|
|
|
|
# Only used for Dogtag 9
|
|
|
|
|
(pwd_fd, pwd_name) = tempfile.mkstemp()
|
|
|
|
|
os.write(pwd_fd, self.admin_password)
|
|
|
|
|
os.close(pwd_fd)
|
|
|
|
|
try:
|
2014-05-29 07:47:17 -05:00
|
|
|
ipautil.run([paths.PK12UTIL,
|
2012-08-23 11:38:45 -05:00
|
|
|
"-n", "ipa-ca-agent",
|
2014-10-01 13:59:46 -05:00
|
|
|
"-o", paths.DOGTAG_ADMIN_P12,
|
2014-03-18 10:23:30 -05:00
|
|
|
"-d", self.agent_db,
|
2012-08-23 11:38:45 -05:00
|
|
|
"-k", pwd_name,
|
|
|
|
|
"-w", pwd_name])
|
|
|
|
|
finally:
|
|
|
|
|
os.remove(pwd_name)
|
|
|
|
|
|
2009-04-01 21:39:44 -05:00
|
|
|
def __import_ca_chain(self):
|
|
|
|
|
chain = self.__get_ca_chain()
|
2009-09-10 15:15:14 -05:00
|
|
|
|
|
|
|
|
# If this chain contains multiple certs then certutil will only import
|
|
|
|
|
# the first one. So we have to pull them all out and import them
|
|
|
|
|
# separately. Unfortunately no NSS tool can do this so we have to
|
|
|
|
|
# use openssl.
|
|
|
|
|
|
|
|
|
|
# Convert to DER because the chain comes back as one long string which
|
|
|
|
|
# makes openssl throw up.
|
|
|
|
|
data = base64.b64decode(chain)
|
|
|
|
|
|
2014-03-18 10:23:30 -05:00
|
|
|
(certlist, _stderr, _returncode) = ipautil.run(
|
|
|
|
|
[paths.OPENSSL,
|
2009-09-10 15:15:14 -05:00
|
|
|
"pkcs7",
|
|
|
|
|
"-inform",
|
|
|
|
|
"DER",
|
|
|
|
|
"-print_certs",
|
|
|
|
|
], stdin=data)
|
|
|
|
|
|
2014-03-18 10:23:30 -05:00
|
|
|
# Ok, now we have all the certificates in certs, walk through it
|
2009-09-10 15:15:14 -05:00
|
|
|
# and pull out each certificate and add it to our database
|
|
|
|
|
|
|
|
|
|
st = 1
|
|
|
|
|
en = 0
|
|
|
|
|
subid = 0
|
2011-07-28 13:32:26 -05:00
|
|
|
ca_dn = DN(('CN','Certificate Authority'), self.subject_base)
|
2009-09-10 15:15:14 -05:00
|
|
|
while st > 0:
|
2011-07-11 16:39:30 -05:00
|
|
|
st = certlist.find('-----BEGIN', en)
|
|
|
|
|
en = certlist.find('-----END', en+1)
|
2009-09-10 15:15:14 -05:00
|
|
|
if st > 0:
|
|
|
|
|
try:
|
|
|
|
|
(chain_fd, chain_name) = tempfile.mkstemp()
|
2011-07-11 16:39:30 -05:00
|
|
|
os.write(chain_fd, certlist[st:en+25])
|
2009-09-10 15:15:14 -05:00
|
|
|
os.close(chain_fd)
|
2014-03-18 10:23:30 -05:00
|
|
|
(_rdn, subject_dn) = certs.get_cert_nickname(certlist[st:en+25])
|
2011-07-28 13:32:26 -05:00
|
|
|
if subject_dn == ca_dn:
|
2011-07-11 16:39:30 -05:00
|
|
|
nick = get_ca_nickname(self.realm)
|
2014-06-09 09:04:09 -05:00
|
|
|
trust_flags = 'CT,C,C'
|
2009-09-10 15:15:14 -05:00
|
|
|
else:
|
2011-07-28 13:32:26 -05:00
|
|
|
nick = str(subject_dn)
|
2014-06-09 09:04:09 -05:00
|
|
|
trust_flags = ',,'
|
2009-09-10 15:15:14 -05:00
|
|
|
self.__run_certutil(
|
2014-06-09 09:04:09 -05:00
|
|
|
['-A', '-t', trust_flags, '-n', nick, '-a',
|
2009-09-10 15:15:14 -05:00
|
|
|
'-i', chain_name]
|
|
|
|
|
)
|
|
|
|
|
finally:
|
|
|
|
|
os.remove(chain_name)
|
2014-03-18 10:23:30 -05:00
|
|
|
subid += 1
|
2009-04-01 21:39:44 -05:00
|
|
|
|
|
|
|
|
def __request_ra_certificate(self):
|
|
|
|
|
# Create a noise file for generating our private key
|
|
|
|
|
noise = array.array('B', os.urandom(128))
|
|
|
|
|
(noise_fd, noise_name) = tempfile.mkstemp()
|
|
|
|
|
os.write(noise_fd, noise)
|
|
|
|
|
os.close(noise_fd)
|
|
|
|
|
|
|
|
|
|
# Generate our CSR. The result gets put into stdout
|
|
|
|
|
try:
|
2014-03-18 10:23:30 -05:00
|
|
|
(stdout, _stderr, _returncode) = self.__run_certutil(
|
|
|
|
|
["-R", "-k", "rsa", "-g", "2048", "-s",
|
|
|
|
|
str(DN(('CN', 'IPA RA'), self.subject_base)),
|
|
|
|
|
"-z", noise_name, "-a"])
|
2009-04-01 21:39:44 -05:00
|
|
|
finally:
|
|
|
|
|
os.remove(noise_name)
|
|
|
|
|
|
2010-05-03 16:38:39 -05:00
|
|
|
csr = pkcs10.strip_header(stdout)
|
2009-04-01 21:39:44 -05:00
|
|
|
|
|
|
|
|
# Send the request to the CA
|
2012-08-23 11:38:45 -05:00
|
|
|
conn = httplib.HTTPConnection(
|
|
|
|
|
self.fqdn, self.dogtag_constants.UNSECURE_PORT)
|
2009-04-01 21:39:44 -05:00
|
|
|
params = urllib.urlencode({'profileId': 'caServerCert',
|
|
|
|
|
'cert_request_type': 'pkcs10',
|
|
|
|
|
'requestor_name': 'IPA Installer',
|
|
|
|
|
'cert_request': csr,
|
|
|
|
|
'xmlOutput': 'true'})
|
|
|
|
|
headers = {"Content-type": "application/x-www-form-urlencoded",
|
|
|
|
|
"Accept": "text/plain"}
|
|
|
|
|
|
|
|
|
|
conn.request("POST", "/ca/ee/ca/profileSubmit", params, headers)
|
|
|
|
|
res = conn.getresponse()
|
|
|
|
|
if res.status == 200:
|
|
|
|
|
data = res.read()
|
|
|
|
|
conn.close()
|
2009-04-17 16:17:31 -05:00
|
|
|
doc = xml.dom.minidom.parseString(data)
|
|
|
|
|
item_node = doc.getElementsByTagName("RequestId")
|
|
|
|
|
self.requestId = item_node[0].childNodes[0].data
|
|
|
|
|
doc.unlink()
|
|
|
|
|
self.requestId = self.requestId.strip()
|
|
|
|
|
if self.requestId is None:
|
|
|
|
|
raise RuntimeError("Unable to determine RA certificate requestId")
|
2009-04-01 21:39:44 -05:00
|
|
|
else:
|
|
|
|
|
conn.close()
|
2009-04-13 12:39:15 -05:00
|
|
|
raise RuntimeError("Unable to submit RA cert request")
|
2009-04-01 21:39:44 -05:00
|
|
|
|
2009-07-10 15:18:16 -05:00
|
|
|
def fix_ra_perms(self):
|
2009-04-01 21:39:44 -05:00
|
|
|
os.chmod(self.ra_agent_db + "/cert8.db", 0640)
|
|
|
|
|
os.chmod(self.ra_agent_db + "/key3.db", 0640)
|
|
|
|
|
os.chmod(self.ra_agent_db + "/secmod.db", 0640)
|
|
|
|
|
|
|
|
|
|
pent = pwd.getpwnam("apache")
|
|
|
|
|
os.chown(self.ra_agent_db + "/cert8.db", 0, pent.pw_gid )
|
|
|
|
|
os.chown(self.ra_agent_db + "/key3.db", 0, pent.pw_gid )
|
|
|
|
|
os.chown(self.ra_agent_db + "/secmod.db", 0, pent.pw_gid )
|
2009-07-10 15:18:16 -05:00
|
|
|
os.chown(self.ra_agent_pwd, pent.pw_uid, pent.pw_gid)
|
2009-04-01 21:39:44 -05:00
|
|
|
|
2009-04-17 16:17:31 -05:00
|
|
|
def __setup_sign_profile(self):
|
2009-07-10 15:18:16 -05:00
|
|
|
# Tell the profile to automatically issue certs for RAs
|
2012-08-23 11:38:45 -05:00
|
|
|
installutils.set_directive(self.dogtag_constants.SIGN_PROFILE,
|
|
|
|
|
'auth.instance_id', 'raCertAuth', quotes=False, separator='=')
|
2009-04-17 16:17:31 -05:00
|
|
|
|
2012-10-08 08:58:48 -05:00
|
|
|
def prepare_crl_publish_dir(self):
|
|
|
|
|
"""
|
|
|
|
|
Prepare target directory for CRL publishing
|
|
|
|
|
|
|
|
|
|
Returns a path to the CRL publishing directory
|
|
|
|
|
"""
|
|
|
|
|
publishdir = self.dogtag_constants.CRL_PUBLISH_PATH
|
2013-07-16 05:10:54 -05:00
|
|
|
|
|
|
|
|
if not os.path.exists(publishdir):
|
|
|
|
|
os.mkdir(publishdir)
|
|
|
|
|
|
2012-10-08 08:58:48 -05:00
|
|
|
os.chmod(publishdir, 0775)
|
|
|
|
|
pent = pwd.getpwnam(PKI_USER)
|
|
|
|
|
os.chown(publishdir, 0, pent.pw_gid)
|
|
|
|
|
|
2014-05-29 03:18:21 -05:00
|
|
|
tasks.restore_context(publishdir)
|
2012-10-08 08:58:48 -05:00
|
|
|
|
|
|
|
|
return publishdir
|
|
|
|
|
|
2012-11-19 09:32:28 -06:00
|
|
|
def __set_crl_ocsp_extensions(self):
|
|
|
|
|
self.set_crl_ocsp_extensions(self.domain, self.fqdn)
|
|
|
|
|
|
|
|
|
|
def set_crl_ocsp_extensions(self, domain, fqdn):
|
|
|
|
|
"""
|
|
|
|
|
Configure CRL and OCSP extensions in default IPA certificate profile
|
|
|
|
|
if not done already.
|
|
|
|
|
"""
|
|
|
|
|
changed = False
|
|
|
|
|
|
|
|
|
|
# OCSP extension
|
2013-04-15 05:19:11 -05:00
|
|
|
ocsp_url = 'http://%s.%s/ca/ocsp' % (IPA_CA_RECORD, ipautil.format_netloc(domain))
|
2013-04-08 03:20:00 -05:00
|
|
|
|
2012-11-19 09:32:28 -06:00
|
|
|
ocsp_location_0 = installutils.get_directive(
|
|
|
|
|
self.dogtag_constants.IPA_SERVICE_PROFILE,
|
|
|
|
|
'policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0',
|
|
|
|
|
separator='=')
|
|
|
|
|
|
2013-04-08 03:20:00 -05:00
|
|
|
if ocsp_location_0 != ocsp_url:
|
2012-11-19 09:32:28 -06:00
|
|
|
# Set the first OCSP URI
|
|
|
|
|
installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
|
|
|
|
|
'policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0',
|
2013-04-08 03:20:00 -05:00
|
|
|
ocsp_url, quotes=False, separator='=')
|
2012-11-19 09:32:28 -06:00
|
|
|
changed = True
|
|
|
|
|
|
|
|
|
|
ocsp_profile_count = installutils.get_directive(
|
|
|
|
|
self.dogtag_constants.IPA_SERVICE_PROFILE,
|
|
|
|
|
'policyset.serverCertSet.5.default.params.authInfoAccessNumADs',
|
|
|
|
|
separator='=')
|
|
|
|
|
|
2013-04-08 03:20:00 -05:00
|
|
|
if ocsp_profile_count != '1':
|
2012-11-19 09:32:28 -06:00
|
|
|
installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
|
|
|
|
|
'policyset.serverCertSet.5.default.params.authInfoAccessNumADs',
|
2013-04-08 03:20:00 -05:00
|
|
|
'1', quotes=False, separator='=')
|
2012-11-19 09:32:28 -06:00
|
|
|
changed = True
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# CRL extension
|
2013-04-15 05:19:11 -05:00
|
|
|
crl_url = 'http://%s.%s/ipa/crl/MasterCRL.bin'% (IPA_CA_RECORD, ipautil.format_netloc(domain))
|
2013-04-08 03:20:00 -05:00
|
|
|
|
|
|
|
|
crl_point_0 = installutils.get_directive(
|
2012-11-19 09:32:28 -06:00
|
|
|
self.dogtag_constants.IPA_SERVICE_PROFILE,
|
2013-04-08 03:20:00 -05:00
|
|
|
'policyset.serverCertSet.9.default.params.crlDistPointsPointName_0',
|
2012-11-19 09:32:28 -06:00
|
|
|
separator='=')
|
|
|
|
|
|
2013-04-08 03:20:00 -05:00
|
|
|
if crl_point_0 != crl_url:
|
2012-11-19 09:32:28 -06:00
|
|
|
installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
|
|
|
|
|
'policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0',
|
|
|
|
|
'CN=Certificate Authority,o=ipaca', quotes=False, separator='=')
|
|
|
|
|
installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
|
|
|
|
|
'policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0',
|
|
|
|
|
'DirectoryName', quotes=False, separator='=')
|
|
|
|
|
installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
|
|
|
|
|
'policyset.serverCertSet.9.default.params.crlDistPointsPointName_0',
|
2013-04-08 03:20:00 -05:00
|
|
|
crl_url, quotes=False, separator='=')
|
2012-11-19 09:32:28 -06:00
|
|
|
changed = True
|
|
|
|
|
|
|
|
|
|
crl_profile_count = installutils.get_directive(
|
|
|
|
|
self.dogtag_constants.IPA_SERVICE_PROFILE,
|
|
|
|
|
'policyset.serverCertSet.9.default.params.crlDistPointsNum',
|
|
|
|
|
separator='=')
|
|
|
|
|
|
2013-04-08 03:20:00 -05:00
|
|
|
if crl_profile_count != '1':
|
2012-11-19 09:32:28 -06:00
|
|
|
installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
|
|
|
|
|
'policyset.serverCertSet.9.default.params.crlDistPointsNum',
|
2013-04-08 03:20:00 -05:00
|
|
|
'1', quotes=False, separator='=')
|
2012-11-19 09:32:28 -06:00
|
|
|
changed = True
|
|
|
|
|
|
|
|
|
|
# CRL extension is not enabled by default
|
|
|
|
|
setlist = installutils.get_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
|
|
|
|
|
'policyset.serverCertSet.list', separator='=')
|
|
|
|
|
new_set_list = None
|
|
|
|
|
|
|
|
|
|
if setlist == '1,2,3,4,5,6,7,8':
|
|
|
|
|
new_set_list = '1,2,3,4,5,6,7,8,9'
|
|
|
|
|
elif setlist == '1,2,3,4,5,6,7,8,10':
|
|
|
|
|
new_set_list = '1,2,3,4,5,6,7,8,9,10'
|
2013-12-05 07:34:14 -06:00
|
|
|
elif setlist == '1,2,3,4,5,6,7,8,10,11':
|
|
|
|
|
new_set_list = '1,2,3,4,5,6,7,8,9,10,11'
|
2012-11-19 09:32:28 -06:00
|
|
|
|
|
|
|
|
if new_set_list:
|
|
|
|
|
installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
|
|
|
|
|
'policyset.serverCertSet.list',
|
|
|
|
|
new_set_list, quotes=False, separator='=')
|
|
|
|
|
changed = True
|
|
|
|
|
|
|
|
|
|
return changed
|
|
|
|
|
|
|
|
|
|
|
2009-08-24 12:42:48 -05:00
|
|
|
def __enable_crl_publish(self):
|
|
|
|
|
"""
|
|
|
|
|
Enable file-based CRL publishing and disable LDAP publishing.
|
|
|
|
|
|
2012-10-08 08:58:48 -05:00
|
|
|
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Certificate_System/8.0/html/Admin_Guide/Setting_up_Publishing.html
|
2009-08-24 12:42:48 -05:00
|
|
|
"""
|
2012-08-23 11:38:45 -05:00
|
|
|
caconfig = self.dogtag_constants.CS_CFG_PATH
|
2009-08-24 12:42:48 -05:00
|
|
|
|
2012-10-08 08:58:48 -05:00
|
|
|
publishdir = self.prepare_crl_publish_dir()
|
2009-08-24 12:42:48 -05:00
|
|
|
|
|
|
|
|
# Enable file publishing, disable LDAP
|
|
|
|
|
installutils.set_directive(caconfig, 'ca.publish.enable', 'true', quotes=False, separator='=')
|
|
|
|
|
installutils.set_directive(caconfig, 'ca.publish.ldappublish.enable', 'false', quotes=False, separator='=')
|
|
|
|
|
|
|
|
|
|
# Create the file publisher, der only, not b64
|
|
|
|
|
installutils.set_directive(caconfig, 'ca.publish.publisher.impl.FileBasedPublisher.class','com.netscape.cms.publish.publishers.FileBasedPublisher', quotes=False, separator='=')
|
|
|
|
|
installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.crlLinkExt', 'bin', quotes=False, separator='=')
|
|
|
|
|
installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.directory', publishdir, quotes=False, separator='=')
|
|
|
|
|
installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.latestCrlLink', 'true', quotes=False, separator='=')
|
|
|
|
|
installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.pluginName', 'FileBasedPublisher', quotes=False, separator='=')
|
|
|
|
|
installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.timeStamp', 'LocalTime', quotes=False, separator='=')
|
|
|
|
|
installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.zipCRLs', 'false', quotes=False, separator='=')
|
|
|
|
|
installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.zipLevel', '9', quotes=False, separator='=')
|
|
|
|
|
installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.Filename.b64', 'false', quotes=False, separator='=')
|
|
|
|
|
installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.Filename.der', 'true', quotes=False, separator='=')
|
|
|
|
|
|
|
|
|
|
# The publishing rule
|
|
|
|
|
installutils.set_directive(caconfig, 'ca.publish.rule.instance.FileCrlRule.enable', 'true', quotes=False, separator='=')
|
|
|
|
|
installutils.set_directive(caconfig, 'ca.publish.rule.instance.FileCrlRule.mapper', 'NoMap', quotes=False, separator='=')
|
|
|
|
|
installutils.set_directive(caconfig, 'ca.publish.rule.instance.FileCrlRule.pluginName', 'Rule', quotes=False, separator='=')
|
|
|
|
|
installutils.set_directive(caconfig, 'ca.publish.rule.instance.FileCrlRule.predicate=', '', quotes=False, separator='')
|
|
|
|
|
installutils.set_directive(caconfig, 'ca.publish.rule.instance.FileCrlRule.publisher', 'FileBaseCRLPublisher', quotes=False, separator='=')
|
|
|
|
|
installutils.set_directive(caconfig, 'ca.publish.rule.instance.FileCrlRule.type', 'crl', quotes=False, separator='=')
|
|
|
|
|
|
|
|
|
|
# Now disable LDAP publishing
|
|
|
|
|
installutils.set_directive(caconfig, 'ca.publish.rule.instance.LdapCaCertRule.enable', 'false', quotes=False, separator='=')
|
|
|
|
|
installutils.set_directive(caconfig, 'ca.publish.rule.instance.LdapCrlRule.enable', 'false', quotes=False, separator='=')
|
|
|
|
|
installutils.set_directive(caconfig, 'ca.publish.rule.instance.LdapUserCertRule.enable', 'false', quotes=False, separator='=')
|
|
|
|
|
installutils.set_directive(caconfig, 'ca.publish.rule.instance.LdapXCertRule.enable', 'false', quotes=False, separator='=')
|
|
|
|
|
|
2012-10-09 09:40:20 -05:00
|
|
|
# If we are the initial master then we are the CRL generator, otherwise
|
|
|
|
|
# we point to that master for CRLs.
|
|
|
|
|
if not self.clone:
|
|
|
|
|
# These next two are defaults, but I want to be explicit that the
|
|
|
|
|
# initial master is the CRL generator.
|
|
|
|
|
installutils.set_directive(caconfig, 'ca.crl.MasterCRL.enableCRLCache', 'true', quotes=False, separator='=')
|
|
|
|
|
installutils.set_directive(caconfig, 'ca.crl.MasterCRL.enableCRLUpdates', 'true', quotes=False, separator='=')
|
|
|
|
|
installutils.set_directive(caconfig, 'ca.listenToCloneModifications', 'true', quotes=False, separator='=')
|
|
|
|
|
else:
|
|
|
|
|
installutils.set_directive(caconfig, 'ca.crl.MasterCRL.enableCRLCache', 'false', quotes=False, separator='=')
|
|
|
|
|
installutils.set_directive(caconfig, 'ca.crl.MasterCRL.enableCRLUpdates', 'false', quotes=False, separator='=')
|
|
|
|
|
installutils.set_directive(caconfig, 'ca.listenToCloneModifications', 'false', quotes=False, separator='=')
|
|
|
|
|
|
2011-08-01 14:16:24 -05:00
|
|
|
def __set_subject_in_config(self):
|
2010-01-20 10:26:20 -06:00
|
|
|
# dogtag ships with an IPA-specific profile that forces a subject
|
|
|
|
|
# format. We need to update that template with our base subject
|
2012-08-23 11:38:45 -05:00
|
|
|
if installutils.update_file(self.dogtag_constants.IPA_SERVICE_PROFILE,
|
|
|
|
|
'OU=pki-ipa, O=IPA', str(self.subject_base)):
|
2010-01-20 10:26:20 -06:00
|
|
|
print "Updating subject_base in CA template failed"
|
|
|
|
|
|
2009-04-01 21:39:44 -05:00
|
|
|
def uninstall(self):
|
2010-05-03 14:21:51 -05:00
|
|
|
enabled = self.restore_state("enabled")
|
2015-01-27 04:04:03 -06:00
|
|
|
|
|
|
|
|
# disabled by default, by ldap_enable()
|
|
|
|
|
if enabled:
|
|
|
|
|
self.enable()
|
2010-05-03 14:21:51 -05:00
|
|
|
|
2014-03-18 10:23:30 -05:00
|
|
|
if self.dogtag_constants.DOGTAG_VERSION >= 10:
|
|
|
|
|
DogtagInstance.uninstall(self)
|
|
|
|
|
else:
|
|
|
|
|
if self.is_configured():
|
|
|
|
|
self.print_msg("Unconfiguring CA")
|
|
|
|
|
|
|
|
|
|
try:
|
2014-05-29 07:47:17 -05:00
|
|
|
ipautil.run([paths.PKIREMOVE,
|
2014-03-18 10:23:30 -05:00
|
|
|
"-pki_instance_root=%s" % paths.VAR_LIB,
|
2012-08-23 11:38:45 -05:00
|
|
|
"-pki_instance_name=%s" %
|
|
|
|
|
self.dogtag_constants.PKI_INSTANCE_NAME,
|
|
|
|
|
"--force"])
|
2014-03-18 10:23:30 -05:00
|
|
|
except ipautil.CalledProcessError, e:
|
|
|
|
|
self.log.critical("failed to uninstall CA instance %s", e)
|
|
|
|
|
|
|
|
|
|
self.restore_state("installed")
|
2009-04-01 21:39:44 -05:00
|
|
|
|
2012-02-28 22:05:06 -06:00
|
|
|
# At one time we removed this user on uninstall. That can potentially
|
2014-03-18 10:23:30 -05:00
|
|
|
# orphan files, or worse, if another useradd runs in the interim,
|
2012-02-28 22:05:06 -06:00
|
|
|
# cause files to have a new owner.
|
2014-03-18 10:23:30 -05:00
|
|
|
self.restore_state("user_exists")
|
2010-05-03 14:21:51 -05:00
|
|
|
|
2014-05-29 03:37:18 -05:00
|
|
|
services.knownservices.messagebus.start()
|
|
|
|
|
cmonger = services.knownservices.certmonger
|
2013-10-15 13:49:07 -05:00
|
|
|
cmonger.start()
|
|
|
|
|
|
|
|
|
|
bus = dbus.SystemBus()
|
|
|
|
|
obj = bus.get_object('org.fedorahosted.certmonger',
|
|
|
|
|
'/org/fedorahosted/certmonger')
|
|
|
|
|
iface = dbus.Interface(obj, 'org.fedorahosted.certmonger')
|
2013-10-16 03:08:57 -05:00
|
|
|
path = iface.find_ca_by_nickname('dogtag-ipa-ca-renew-agent')
|
2013-10-15 13:49:07 -05:00
|
|
|
if path:
|
|
|
|
|
iface.remove_known_ca(path)
|
|
|
|
|
|
2015-01-08 03:06:46 -06:00
|
|
|
helper = self.restore_state('certmonger_dogtag_helper')
|
|
|
|
|
if helper:
|
|
|
|
|
path = iface.find_ca_by_nickname('dogtag-ipa-renew-agent')
|
|
|
|
|
if path:
|
|
|
|
|
ca_obj = bus.get_object('org.fedorahosted.certmonger', path)
|
|
|
|
|
ca_iface = dbus.Interface(ca_obj,
|
|
|
|
|
'org.freedesktop.DBus.Properties')
|
|
|
|
|
ca_iface.Set('org.fedorahosted.certmonger.ca',
|
|
|
|
|
'external-helper', helper)
|
|
|
|
|
|
2013-10-15 13:49:07 -05:00
|
|
|
cmonger.stop()
|
2012-07-11 14:51:01 -05:00
|
|
|
|
2012-10-08 08:58:48 -05:00
|
|
|
# remove CRL files
|
2014-03-18 10:23:30 -05:00
|
|
|
self.log.info("Remove old CRL files")
|
2014-07-21 08:57:18 -05:00
|
|
|
try:
|
|
|
|
|
for f in get_crl_files():
|
2014-03-18 10:23:30 -05:00
|
|
|
self.log.debug("Remove %s", f)
|
2014-07-21 08:57:18 -05:00
|
|
|
installutils.remove_file(f)
|
|
|
|
|
except OSError, e:
|
2014-03-18 10:23:30 -05:00
|
|
|
self.log.warning("Error while removing old CRL files: %s", e)
|
2012-10-08 08:58:48 -05:00
|
|
|
|
2013-07-16 05:10:54 -05:00
|
|
|
# remove CRL directory
|
2014-03-18 10:23:30 -05:00
|
|
|
self.log.info("Remove CRL directory")
|
2013-07-16 05:10:54 -05:00
|
|
|
if os.path.exists(self.dogtag_constants.CRL_PUBLISH_PATH):
|
|
|
|
|
try:
|
|
|
|
|
shutil.rmtree(self.dogtag_constants.CRL_PUBLISH_PATH)
|
|
|
|
|
except OSError, e:
|
2014-03-18 10:23:30 -05:00
|
|
|
self.log.warning("Error while removing CRL publish "
|
|
|
|
|
"directory: %s", e)
|
2013-07-16 05:10:54 -05:00
|
|
|
|
2010-12-10 13:53:06 -06:00
|
|
|
def publish_ca_cert(self, location):
|
|
|
|
|
args = ["-L", "-n", self.canickname, "-a"]
|
2014-03-18 10:23:30 -05:00
|
|
|
(cert, _err, _returncode) = self.__run_certutil(args)
|
2010-12-10 13:53:06 -06:00
|
|
|
fd = open(location, "w+")
|
|
|
|
|
fd.write(cert)
|
|
|
|
|
fd.close()
|
|
|
|
|
os.chmod(location, 0444)
|
|
|
|
|
|
2015-01-08 03:06:46 -06:00
|
|
|
|
|
|
|
|
def configure_certmonger_renewal(self):
|
|
|
|
|
super(CAInstance, self).configure_certmonger_renewal()
|
|
|
|
|
|
|
|
|
|
self.configure_certmonger_renewal_guard()
|
|
|
|
|
|
|
|
|
|
def configure_certmonger_renewal_guard(self):
|
|
|
|
|
if not self.is_configured():
|
|
|
|
|
return
|
|
|
|
|
|
|
|
|
|
bus = dbus.SystemBus()
|
|
|
|
|
obj = bus.get_object('org.fedorahosted.certmonger',
|
|
|
|
|
'/org/fedorahosted/certmonger')
|
|
|
|
|
iface = dbus.Interface(obj, 'org.fedorahosted.certmonger')
|
|
|
|
|
path = iface.find_ca_by_nickname('dogtag-ipa-renew-agent')
|
|
|
|
|
if path:
|
|
|
|
|
ca_obj = bus.get_object('org.fedorahosted.certmonger', path)
|
|
|
|
|
ca_iface = dbus.Interface(ca_obj,
|
|
|
|
|
'org.freedesktop.DBus.Properties')
|
|
|
|
|
helper = ca_iface.Get('org.fedorahosted.certmonger.ca',
|
|
|
|
|
'external-helper')
|
|
|
|
|
if helper:
|
|
|
|
|
args = shlex.split(helper)
|
|
|
|
|
if args[0] != paths.IPA_SERVER_GUARD:
|
|
|
|
|
self.backup_state('certmonger_dogtag_helper', helper)
|
|
|
|
|
args = [paths.IPA_SERVER_GUARD] + args
|
|
|
|
|
helper = ' '.join(pipes.quote(a) for a in args)
|
|
|
|
|
ca_iface.Set('org.fedorahosted.certmonger.ca',
|
|
|
|
|
'external-helper', helper)
|
|
|
|
|
|
2013-10-16 04:08:49 -05:00
|
|
|
def configure_agent_renewal(self):
|
|
|
|
|
try:
|
|
|
|
|
certmonger.dogtag_start_tracking(
|
|
|
|
|
ca='dogtag-ipa-ca-renew-agent',
|
|
|
|
|
nickname='ipaCert',
|
|
|
|
|
pin=None,
|
2014-05-29 07:47:17 -05:00
|
|
|
pinfile=paths.ALIAS_PWDFILE_TXT,
|
|
|
|
|
secdir=paths.HTTPD_ALIAS_DIR,
|
2013-10-16 04:08:49 -05:00
|
|
|
pre_command=None,
|
|
|
|
|
post_command='renew_ra_cert')
|
2014-09-03 02:07:16 -05:00
|
|
|
except RuntimeError, e:
|
2014-03-18 10:23:30 -05:00
|
|
|
self.log.error(
|
|
|
|
|
"certmonger failed to start tracking certificate: %s", e)
|
2012-07-11 14:51:01 -05:00
|
|
|
|
2014-10-07 09:46:15 -05:00
|
|
|
def stop_tracking_certificates(self):
|
|
|
|
|
"""Stop tracking our certificates. Called on uninstall.
|
2013-10-16 04:08:49 -05:00
|
|
|
"""
|
2014-10-07 09:46:15 -05:00
|
|
|
super(CAInstance, self).stop_tracking_certificates(False)
|
2014-03-18 10:23:30 -05:00
|
|
|
|
|
|
|
|
try:
|
|
|
|
|
certmonger.stop_tracking(paths.HTTPD_ALIAS_DIR, nickname='ipaCert')
|
2014-09-03 02:07:16 -05:00
|
|
|
except RuntimeError, e:
|
2013-10-16 04:08:49 -05:00
|
|
|
root_logger.error(
|
2014-03-18 10:23:30 -05:00
|
|
|
"certmonger failed to stop tracking certificate: %s", e)
|
2014-10-07 09:46:15 -05:00
|
|
|
|
|
|
|
|
services.knownservices.certmonger.stop()
|
2012-07-11 14:51:01 -05:00
|
|
|
|
2012-03-07 16:46:33 -06:00
|
|
|
def enable_subject_key_identifier(self):
|
|
|
|
|
"""
|
|
|
|
|
See if Subject Key Identifier is set in the profile and if not, add it.
|
|
|
|
|
"""
|
2012-08-23 11:38:45 -05:00
|
|
|
setlist = installutils.get_directive(
|
|
|
|
|
self.dogtag_constants.IPA_SERVICE_PROFILE,
|
2012-03-07 16:46:33 -06:00
|
|
|
'policyset.serverCertSet.list', separator='=')
|
|
|
|
|
|
2012-08-23 11:38:45 -05:00
|
|
|
# this is the default setting from pki-ca/pki-tomcat. Don't touch it
|
|
|
|
|
# if a user has manually modified it.
|
2012-11-19 09:32:28 -06:00
|
|
|
if setlist == '1,2,3,4,5,6,7,8' or setlist == '1,2,3,4,5,6,7,8,9':
|
2014-03-18 10:23:30 -05:00
|
|
|
setlist += ',10'
|
2012-08-23 11:38:45 -05:00
|
|
|
installutils.set_directive(
|
|
|
|
|
self.dogtag_constants.IPA_SERVICE_PROFILE,
|
2012-03-07 16:46:33 -06:00
|
|
|
'policyset.serverCertSet.list',
|
2012-11-19 09:32:28 -06:00
|
|
|
setlist,
|
2012-03-07 16:46:33 -06:00
|
|
|
quotes=False, separator='=')
|
2012-08-23 11:38:45 -05:00
|
|
|
installutils.set_directive(
|
|
|
|
|
self.dogtag_constants.IPA_SERVICE_PROFILE,
|
2012-03-07 16:46:33 -06:00
|
|
|
'policyset.serverCertSet.10.constraint.class_id',
|
|
|
|
|
'noConstraintImpl',
|
|
|
|
|
quotes=False, separator='=')
|
2012-08-23 11:38:45 -05:00
|
|
|
installutils.set_directive(
|
|
|
|
|
self.dogtag_constants.IPA_SERVICE_PROFILE,
|
2012-03-07 16:46:33 -06:00
|
|
|
'policyset.serverCertSet.10.constraint.name',
|
|
|
|
|
'No Constraint',
|
|
|
|
|
quotes=False, separator='=')
|
2012-08-23 11:38:45 -05:00
|
|
|
installutils.set_directive(
|
|
|
|
|
self.dogtag_constants.IPA_SERVICE_PROFILE,
|
2012-03-07 16:46:33 -06:00
|
|
|
'policyset.serverCertSet.10.default.class_id',
|
|
|
|
|
'subjectKeyIdentifierExtDefaultImpl',
|
|
|
|
|
quotes=False, separator='=')
|
2012-08-23 11:38:45 -05:00
|
|
|
installutils.set_directive(
|
|
|
|
|
self.dogtag_constants.IPA_SERVICE_PROFILE,
|
2012-03-07 16:46:33 -06:00
|
|
|
'policyset.serverCertSet.10.default.name',
|
|
|
|
|
'Subject Key Identifier Extension Default',
|
|
|
|
|
quotes=False, separator='=')
|
2012-08-23 11:38:45 -05:00
|
|
|
installutils.set_directive(
|
|
|
|
|
self.dogtag_constants.IPA_SERVICE_PROFILE,
|
2012-03-07 16:46:33 -06:00
|
|
|
'policyset.serverCertSet.10.default.params.critical',
|
|
|
|
|
'false',
|
|
|
|
|
quotes=False, separator='=')
|
|
|
|
|
return True
|
|
|
|
|
|
|
|
|
|
# No update was done
|
|
|
|
|
return False
|
2011-08-17 14:36:18 -05:00
|
|
|
|
2013-12-05 07:34:14 -06:00
|
|
|
def enable_subject_alternative_name(self):
|
|
|
|
|
"""
|
|
|
|
|
See if Subject Alternative Name is set in the profile and if not, add
|
|
|
|
|
it.
|
|
|
|
|
"""
|
|
|
|
|
setlist = installutils.get_directive(
|
|
|
|
|
self.dogtag_constants.IPA_SERVICE_PROFILE,
|
|
|
|
|
'policyset.serverCertSet.list', separator='=')
|
|
|
|
|
|
|
|
|
|
# this is the default setting from pki-ca/pki-tomcat. Don't touch it
|
|
|
|
|
# if a user has manually modified it.
|
|
|
|
|
if setlist == '1,2,3,4,5,6,7,8,10' or setlist == '1,2,3,4,5,6,7,8,9,10':
|
2014-03-18 10:23:30 -05:00
|
|
|
setlist += ',11'
|
2013-12-05 07:34:14 -06:00
|
|
|
installutils.set_directive(
|
|
|
|
|
self.dogtag_constants.IPA_SERVICE_PROFILE,
|
|
|
|
|
'policyset.serverCertSet.list',
|
|
|
|
|
setlist,
|
|
|
|
|
quotes=False, separator='=')
|
|
|
|
|
installutils.set_directive(
|
|
|
|
|
self.dogtag_constants.IPA_SERVICE_PROFILE,
|
|
|
|
|
'policyset.serverCertSet.11.constraint.class_id',
|
|
|
|
|
'noConstraintImpl',
|
|
|
|
|
quotes=False, separator='=')
|
|
|
|
|
installutils.set_directive(
|
|
|
|
|
self.dogtag_constants.IPA_SERVICE_PROFILE,
|
|
|
|
|
'policyset.serverCertSet.11.constraint.name',
|
|
|
|
|
'No Constraint',
|
|
|
|
|
quotes=False, separator='=')
|
|
|
|
|
installutils.set_directive(
|
|
|
|
|
self.dogtag_constants.IPA_SERVICE_PROFILE,
|
|
|
|
|
'policyset.serverCertSet.11.default.class_id',
|
|
|
|
|
'userExtensionDefaultImpl',
|
|
|
|
|
quotes=False, separator='=')
|
|
|
|
|
installutils.set_directive(
|
|
|
|
|
self.dogtag_constants.IPA_SERVICE_PROFILE,
|
|
|
|
|
'policyset.serverCertSet.11.default.name',
|
|
|
|
|
'User Supplied Extension Default',
|
|
|
|
|
quotes=False, separator='=')
|
|
|
|
|
installutils.set_directive(
|
|
|
|
|
self.dogtag_constants.IPA_SERVICE_PROFILE,
|
|
|
|
|
'policyset.serverCertSet.11.default.params.userExtOID',
|
|
|
|
|
'2.5.29.17',
|
|
|
|
|
quotes=False, separator='=')
|
|
|
|
|
return True
|
|
|
|
|
|
|
|
|
|
# No update was done
|
|
|
|
|
return False
|
|
|
|
|
|
2012-10-09 10:25:27 -05:00
|
|
|
def set_audit_renewal(self):
|
|
|
|
|
"""
|
|
|
|
|
The default renewal time for the audit signing certificate is
|
|
|
|
|
six months rather than two years. Fix it. This is BZ 843979.
|
|
|
|
|
"""
|
|
|
|
|
# Check the default validity period of the audit signing cert
|
|
|
|
|
# and set it to 2 years if it is 6 months.
|
2014-03-18 10:23:30 -05:00
|
|
|
cert_range = installutils.get_directive(
|
2012-10-09 10:25:27 -05:00
|
|
|
'%s/caSignedLogCert.cfg' % self.dogtag_constants.SERVICE_PROFILE_DIR,
|
|
|
|
|
'policyset.caLogSigningSet.2.default.params.range',
|
|
|
|
|
separator='='
|
|
|
|
|
)
|
2014-03-18 10:23:30 -05:00
|
|
|
self.log.debug(
|
|
|
|
|
'caSignedLogCert.cfg profile validity range is %s', cert_range)
|
|
|
|
|
if cert_range == "180":
|
2012-10-09 10:25:27 -05:00
|
|
|
installutils.set_directive(
|
|
|
|
|
'%s/caSignedLogCert.cfg' % self.dogtag_constants.SERVICE_PROFILE_DIR,
|
|
|
|
|
'policyset.caLogSigningSet.2.default.params.range',
|
|
|
|
|
'720',
|
|
|
|
|
quotes=False,
|
|
|
|
|
separator='='
|
|
|
|
|
)
|
|
|
|
|
installutils.set_directive(
|
|
|
|
|
'%s/caSignedLogCert.cfg' % self.dogtag_constants.SERVICE_PROFILE_DIR,
|
|
|
|
|
'policyset.caLogSigningSet.2.constraint.params.range',
|
|
|
|
|
'720',
|
|
|
|
|
quotes=False,
|
|
|
|
|
separator='='
|
|
|
|
|
)
|
2014-03-18 10:23:30 -05:00
|
|
|
self.log.debug(
|
|
|
|
|
'updated caSignedLogCert.cfg profile validity range to 720')
|
2012-10-09 10:25:27 -05:00
|
|
|
return True
|
|
|
|
|
return False
|
|
|
|
|
|
2014-03-24 09:30:53 -05:00
|
|
|
def is_renewal_master(self, fqdn=None):
|
|
|
|
|
if fqdn is None:
|
|
|
|
|
fqdn = api.env.host
|
|
|
|
|
|
2013-10-16 03:51:06 -05:00
|
|
|
if not self.admin_conn:
|
|
|
|
|
self.ldap_connect()
|
|
|
|
|
|
2014-03-24 09:30:53 -05:00
|
|
|
dn = DN(('cn', 'CA'), ('cn', fqdn), ('cn', 'masters'), ('cn', 'ipa'),
|
|
|
|
|
('cn', 'etc'), api.env.basedn)
|
2014-03-18 10:23:30 -05:00
|
|
|
renewal_filter = '(ipaConfigString=caRenewalMaster)'
|
2013-10-16 03:51:06 -05:00
|
|
|
try:
|
2014-03-18 10:23:30 -05:00
|
|
|
self.admin_conn.get_entries(base_dn=dn, filter=renewal_filter,
|
2013-10-16 03:51:06 -05:00
|
|
|
attrs_list=[])
|
|
|
|
|
except errors.NotFound:
|
|
|
|
|
return False
|
|
|
|
|
|
|
|
|
|
return True
|
|
|
|
|
|
2014-03-24 09:30:53 -05:00
|
|
|
def set_renewal_master(self, fqdn=None):
|
|
|
|
|
if fqdn is None:
|
|
|
|
|
fqdn = api.env.host
|
|
|
|
|
|
|
|
|
|
if not self.admin_conn:
|
|
|
|
|
self.ldap_connect()
|
|
|
|
|
|
|
|
|
|
base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
|
|
|
|
|
api.env.basedn)
|
|
|
|
|
filter = '(&(cn=CA)(ipaConfigString=caRenewalMaster))'
|
|
|
|
|
try:
|
|
|
|
|
entries = self.admin_conn.get_entries(
|
|
|
|
|
base_dn=base_dn, filter=filter, attrs_list=['ipaConfigString'])
|
|
|
|
|
except errors.NotFound:
|
|
|
|
|
entries = []
|
|
|
|
|
|
|
|
|
|
dn = DN(('cn', 'CA'), ('cn', fqdn), base_dn)
|
|
|
|
|
master_entry = self.admin_conn.get_entry(dn, ['ipaConfigString'])
|
|
|
|
|
|
|
|
|
|
for entry in entries:
|
|
|
|
|
if master_entry is not None and entry.dn == master_entry.dn:
|
|
|
|
|
master_entry = None
|
|
|
|
|
continue
|
|
|
|
|
|
|
|
|
|
entry['ipaConfigString'] = [x for x in entry['ipaConfigString']
|
|
|
|
|
if x.lower() != 'carenewalmaster']
|
|
|
|
|
self.admin_conn.update_entry(entry)
|
|
|
|
|
|
|
|
|
|
if master_entry is not None:
|
|
|
|
|
master_entry['ipaConfigString'].append('caRenewalMaster')
|
|
|
|
|
self.admin_conn.update_entry(master_entry)
|
|
|
|
|
|
Fix schema replication from old masters
The new merged database will replicate with both the IPA and CA trees, so all
DS instances (IPA and CA on the existing master, and the merged one on the
replica) need to have the same schema.
Dogtag does all its schema modifications online. Those are replicated normally.
The basic IPA schema, however, is delivered in ldif files, which are not
replicated. The files are not present on old CA DS instances. Any schema
update that references objects in these files will fail.
The whole 99user.ldif (i.e. changes introduced dynamically over LDAP) is
replicated as a blob. If we updated the old master's CA schema dynamically
during replica install, it would conflict with updates done during the
installation: the one with the lower CSN would get lost.
Dogtag's spawn script recently grew a new flag, 'pki_clone_replicate_schema'.
Turning it off tells Dogtag to create its schema in the clone, where the IPA
modifications are taking place, so that it is not overwritten by the IPA schema
on replication.
The patch solves the problems by:
- In __spawn_instance, turning off the pki_clone_replicate_schema flag.
- Providing a script to copy the IPA schema files to the CA DS instance.
The script needs to be copied to old masters and run there.
- At replica CA install, checking if the schema is updated, and failing if not.
The --skip-schema-check option is added to ipa-{replica,ca}-install to
override the check.
All pre-3.1 CA servers in a domain will have to have the script run on them to
avoid schema replication errors.
https://fedorahosted.org/freeipa/ticket/3213
2012-10-24 03:37:16 -05:00
|
|
|
|
2014-03-18 10:23:30 -05:00
|
|
|
@staticmethod
|
|
|
|
|
def update_cert_config(nickname, cert, dogtag_constants=None):
|
|
|
|
|
"""
|
|
|
|
|
When renewing a CA subsystem certificate the configuration file
|
|
|
|
|
needs to get the new certificate as well.
|
|
|
|
|
|
|
|
|
|
nickname is one of the known nicknames.
|
|
|
|
|
cert is a DER-encoded certificate.
|
|
|
|
|
"""
|
|
|
|
|
|
|
|
|
|
if dogtag_constants is None:
|
|
|
|
|
dogtag_constants = dogtag.configured_constants()
|
|
|
|
|
|
|
|
|
|
# The cert directive to update per nickname
|
|
|
|
|
directives = {'auditSigningCert cert-pki-ca': 'ca.audit_signing.cert',
|
|
|
|
|
'ocspSigningCert cert-pki-ca': 'ca.ocsp_signing.cert',
|
|
|
|
|
'caSigningCert cert-pki-ca': 'ca.signing.cert',
|
|
|
|
|
'subsystemCert cert-pki-ca': 'ca.subsystem.cert',
|
|
|
|
|
'Server-Cert cert-pki-ca': 'ca.sslserver.cert'}
|
|
|
|
|
|
2014-09-03 08:04:35 -05:00
|
|
|
try:
|
|
|
|
|
backup_config(dogtag_constants)
|
|
|
|
|
except Exception, e:
|
|
|
|
|
syslog.syslog(syslog.LOG_ERR, "Failed to backup CS.cfg: %s" % e)
|
|
|
|
|
|
2014-03-18 10:23:30 -05:00
|
|
|
DogtagInstance.update_cert_cs_cfg(
|
|
|
|
|
nickname, cert, directives,
|
|
|
|
|
dogtag.configured_constants().CS_CFG_PATH,
|
|
|
|
|
dogtag_constants)
|
|
|
|
|
|
2014-03-11 10:28:19 -05:00
|
|
|
def replica_ca_install_check(config):
|
Fix schema replication from old masters
The new merged database will replicate with both the IPA and CA trees, so all
DS instances (IPA and CA on the existing master, and the merged one on the
replica) need to have the same schema.
Dogtag does all its schema modifications online. Those are replicated normally.
The basic IPA schema, however, is delivered in ldif files, which are not
replicated. The files are not present on old CA DS instances. Any schema
update that references objects in these files will fail.
The whole 99user.ldif (i.e. changes introduced dynamically over LDAP) is
replicated as a blob. If we updated the old master's CA schema dynamically
during replica install, it would conflict with updates done during the
installation: the one with the lower CSN would get lost.
Dogtag's spawn script recently grew a new flag, 'pki_clone_replicate_schema'.
Turning it off tells Dogtag to create its schema in the clone, where the IPA
modifications are taking place, so that it is not overwritten by the IPA schema
on replication.
The patch solves the problems by:
- In __spawn_instance, turning off the pki_clone_replicate_schema flag.
- Providing a script to copy the IPA schema files to the CA DS instance.
The script needs to be copied to old masters and run there.
- At replica CA install, checking if the schema is updated, and failing if not.
The --skip-schema-check option is added to ipa-{replica,ca}-install to
override the check.
All pre-3.1 CA servers in a domain will have to have the script run on them to
avoid schema replication errors.
https://fedorahosted.org/freeipa/ticket/3213
2012-10-24 03:37:16 -05:00
|
|
|
if not config.setup_ca:
|
|
|
|
|
return
|
|
|
|
|
|
|
|
|
|
cafile = config.dir + "/cacert.p12"
|
|
|
|
|
if not ipautil.file_exists(cafile):
|
2013-03-27 07:48:36 -05:00
|
|
|
# Replica of old "self-signed" master - CA won't be installed
|
Fix schema replication from old masters
The new merged database will replicate with both the IPA and CA trees, so all
DS instances (IPA and CA on the existing master, and the merged one on the
replica) need to have the same schema.
Dogtag does all its schema modifications online. Those are replicated normally.
The basic IPA schema, however, is delivered in ldif files, which are not
replicated. The files are not present on old CA DS instances. Any schema
update that references objects in these files will fail.
The whole 99user.ldif (i.e. changes introduced dynamically over LDAP) is
replicated as a blob. If we updated the old master's CA schema dynamically
during replica install, it would conflict with updates done during the
installation: the one with the lower CSN would get lost.
Dogtag's spawn script recently grew a new flag, 'pki_clone_replicate_schema'.
Turning it off tells Dogtag to create its schema in the clone, where the IPA
modifications are taking place, so that it is not overwritten by the IPA schema
on replication.
The patch solves the problems by:
- In __spawn_instance, turning off the pki_clone_replicate_schema flag.
- Providing a script to copy the IPA schema files to the CA DS instance.
The script needs to be copied to old masters and run there.
- At replica CA install, checking if the schema is updated, and failing if not.
The --skip-schema-check option is added to ipa-{replica,ca}-install to
override the check.
All pre-3.1 CA servers in a domain will have to have the script run on them to
avoid schema replication errors.
https://fedorahosted.org/freeipa/ticket/3213
2012-10-24 03:37:16 -05:00
|
|
|
return
|
|
|
|
|
|
|
|
|
|
# Exit if we have an old-style (Dogtag 9) CA already installed
|
|
|
|
|
ca = CAInstance(config.realm_name, certs.NSS_DIR,
|
|
|
|
|
dogtag_constants=dogtag.Dogtag9Constants)
|
|
|
|
|
if ca.is_installed():
|
|
|
|
|
root_logger.info('Dogtag 9 style CA instance found')
|
|
|
|
|
sys.exit("A CA is already configured on this system.")
|
|
|
|
|
|
2014-03-11 10:28:19 -05:00
|
|
|
if config.ca_ds_port != dogtag.Dogtag9Constants.DS_PORT:
|
Fix schema replication from old masters
The new merged database will replicate with both the IPA and CA trees, so all
DS instances (IPA and CA on the existing master, and the merged one on the
replica) need to have the same schema.
Dogtag does all its schema modifications online. Those are replicated normally.
The basic IPA schema, however, is delivered in ldif files, which are not
replicated. The files are not present on old CA DS instances. Any schema
update that references objects in these files will fail.
The whole 99user.ldif (i.e. changes introduced dynamically over LDAP) is
replicated as a blob. If we updated the old master's CA schema dynamically
during replica install, it would conflict with updates done during the
installation: the one with the lower CSN would get lost.
Dogtag's spawn script recently grew a new flag, 'pki_clone_replicate_schema'.
Turning it off tells Dogtag to create its schema in the clone, where the IPA
modifications are taking place, so that it is not overwritten by the IPA schema
on replication.
The patch solves the problems by:
- In __spawn_instance, turning off the pki_clone_replicate_schema flag.
- Providing a script to copy the IPA schema files to the CA DS instance.
The script needs to be copied to old masters and run there.
- At replica CA install, checking if the schema is updated, and failing if not.
The --skip-schema-check option is added to ipa-{replica,ca}-install to
override the check.
All pre-3.1 CA servers in a domain will have to have the script run on them to
avoid schema replication errors.
https://fedorahosted.org/freeipa/ticket/3213
2012-10-24 03:37:16 -05:00
|
|
|
root_logger.debug(
|
|
|
|
|
'Installing CA Replica from master with a merged database')
|
|
|
|
|
return
|
|
|
|
|
|
|
|
|
|
# Check if the master has the necessary schema in its CA instance
|
2014-03-11 10:28:19 -05:00
|
|
|
ca_ldap_url = 'ldap://%s:%s' % (config.master_host_name, config.ca_ds_port)
|
Fix schema replication from old masters
The new merged database will replicate with both the IPA and CA trees, so all
DS instances (IPA and CA on the existing master, and the merged one on the
replica) need to have the same schema.
Dogtag does all its schema modifications online. Those are replicated normally.
The basic IPA schema, however, is delivered in ldif files, which are not
replicated. The files are not present on old CA DS instances. Any schema
update that references objects in these files will fail.
The whole 99user.ldif (i.e. changes introduced dynamically over LDAP) is
replicated as a blob. If we updated the old master's CA schema dynamically
during replica install, it would conflict with updates done during the
installation: the one with the lower CSN would get lost.
Dogtag's spawn script recently grew a new flag, 'pki_clone_replicate_schema'.
Turning it off tells Dogtag to create its schema in the clone, where the IPA
modifications are taking place, so that it is not overwritten by the IPA schema
on replication.
The patch solves the problems by:
- In __spawn_instance, turning off the pki_clone_replicate_schema flag.
- Providing a script to copy the IPA schema files to the CA DS instance.
The script needs to be copied to old masters and run there.
- At replica CA install, checking if the schema is updated, and failing if not.
The --skip-schema-check option is added to ipa-{replica,ca}-install to
override the check.
All pre-3.1 CA servers in a domain will have to have the script run on them to
avoid schema replication errors.
https://fedorahosted.org/freeipa/ticket/3213
2012-10-24 03:37:16 -05:00
|
|
|
objectclass = 'ipaObject'
|
|
|
|
|
root_logger.debug('Checking if IPA schema is present in %s', ca_ldap_url)
|
|
|
|
|
try:
|
2015-04-08 06:32:21 -05:00
|
|
|
with ipaldap.LDAPClient(ca_ldap_url,
|
|
|
|
|
start_tls=True,
|
|
|
|
|
force_schema_updates=False) as connection:
|
|
|
|
|
connection.simple_bind(DN(('cn', 'Directory Manager')),
|
|
|
|
|
config.dirman_password)
|
|
|
|
|
rschema = connection.schema
|
|
|
|
|
result = rschema.get_obj(ldap.schema.models.ObjectClass,
|
|
|
|
|
objectclass)
|
Fix schema replication from old masters
The new merged database will replicate with both the IPA and CA trees, so all
DS instances (IPA and CA on the existing master, and the merged one on the
replica) need to have the same schema.
Dogtag does all its schema modifications online. Those are replicated normally.
The basic IPA schema, however, is delivered in ldif files, which are not
replicated. The files are not present on old CA DS instances. Any schema
update that references objects in these files will fail.
The whole 99user.ldif (i.e. changes introduced dynamically over LDAP) is
replicated as a blob. If we updated the old master's CA schema dynamically
during replica install, it would conflict with updates done during the
installation: the one with the lower CSN would get lost.
Dogtag's spawn script recently grew a new flag, 'pki_clone_replicate_schema'.
Turning it off tells Dogtag to create its schema in the clone, where the IPA
modifications are taking place, so that it is not overwritten by the IPA schema
on replication.
The patch solves the problems by:
- In __spawn_instance, turning off the pki_clone_replicate_schema flag.
- Providing a script to copy the IPA schema files to the CA DS instance.
The script needs to be copied to old masters and run there.
- At replica CA install, checking if the schema is updated, and failing if not.
The --skip-schema-check option is added to ipa-{replica,ca}-install to
override the check.
All pre-3.1 CA servers in a domain will have to have the script run on them to
avoid schema replication errors.
https://fedorahosted.org/freeipa/ticket/3213
2012-10-24 03:37:16 -05:00
|
|
|
except Exception:
|
|
|
|
|
root_logger.critical(
|
|
|
|
|
'CA DS schema check failed. Make sure the PKI service on the '
|
|
|
|
|
'remote master is operational.')
|
|
|
|
|
raise
|
|
|
|
|
if result:
|
|
|
|
|
root_logger.debug('Check OK')
|
|
|
|
|
else:
|
|
|
|
|
root_logger.critical(
|
|
|
|
|
'The master CA directory server does not have necessary schema. '
|
|
|
|
|
'Please copy the following script to all CA masters and run it '
|
|
|
|
|
'on them: %s\n'
|
|
|
|
|
'If you are certain that this is a false positive, use '
|
|
|
|
|
'--skip-schema-check.',
|
|
|
|
|
os.path.join(ipautil.SHARE_DIR, 'copy-schema-to-ca.py'))
|
|
|
|
|
exit('IPA schema missing on master CA directory server')
|
|
|
|
|
|
|
|
|
|
|
2014-03-11 10:28:19 -05:00
|
|
|
def install_replica_ca(config, postinstall=False):
|
2011-06-17 15:47:39 -05:00
|
|
|
"""
|
|
|
|
|
Install a CA on a replica.
|
|
|
|
|
|
|
|
|
|
There are two modes of doing this controlled:
|
|
|
|
|
- While the replica is being installed
|
|
|
|
|
- Post-replica installation
|
|
|
|
|
|
|
|
|
|
config is a ReplicaConfig object
|
|
|
|
|
|
|
|
|
|
Returns a tuple of the CA and CADS instances
|
|
|
|
|
"""
|
|
|
|
|
cafile = config.dir + "/cacert.p12"
|
|
|
|
|
|
|
|
|
|
if not ipautil.file_exists(cafile):
|
2013-03-27 07:48:36 -05:00
|
|
|
# Replica of old "self-signed" master - skip installing CA
|
2012-11-15 08:38:24 -06:00
|
|
|
return None
|
2011-06-17 15:47:39 -05:00
|
|
|
|
|
|
|
|
if not config.setup_ca:
|
|
|
|
|
# We aren't configuring the CA in this step but we still need
|
|
|
|
|
# a minimum amount of information on the CA for this IPA install.
|
2012-08-23 11:38:45 -05:00
|
|
|
ca = CAInstance(config.realm_name, certs.NSS_DIR,
|
|
|
|
|
dogtag_constants=dogtag.install_constants)
|
2011-06-17 15:47:39 -05:00
|
|
|
ca.dm_password = config.dirman_password
|
|
|
|
|
ca.subject_base = config.subject_base
|
2012-11-15 08:38:24 -06:00
|
|
|
return ca
|
2011-06-17 15:47:39 -05:00
|
|
|
|
2012-08-23 11:38:45 -05:00
|
|
|
ca = CAInstance(config.realm_name, certs.NSS_DIR,
|
|
|
|
|
dogtag_constants=dogtag.install_constants)
|
2011-06-17 15:47:39 -05:00
|
|
|
ca.dm_password = config.dirman_password
|
|
|
|
|
ca.subject_base = config.subject_base
|
|
|
|
|
if ca.is_installed():
|
|
|
|
|
sys.exit("A CA is already configured on this system.")
|
|
|
|
|
|
2012-08-23 11:38:45 -05:00
|
|
|
ca = CAInstance(config.realm_name, certs.NSS_DIR,
|
|
|
|
|
dogtag_constants=dogtag.install_constants)
|
2011-06-17 15:47:39 -05:00
|
|
|
if postinstall:
|
|
|
|
|
# If installing this afterward the Apache NSS database already
|
|
|
|
|
# exists, don't remove it.
|
|
|
|
|
ca.create_ra_agent_db = False
|
2012-11-19 09:32:28 -06:00
|
|
|
ca.configure_instance(config.host_name, config.domain_name,
|
|
|
|
|
config.dirman_password, config.dirman_password,
|
|
|
|
|
pkcs12_info=(cafile,),
|
2011-06-17 15:47:39 -05:00
|
|
|
master_host=config.master_host_name,
|
2014-03-11 10:28:19 -05:00
|
|
|
master_replication_port=config.ca_ds_port,
|
2011-06-17 15:47:39 -05:00
|
|
|
subject_base=config.subject_base)
|
|
|
|
|
|
2013-10-09 15:33:20 -05:00
|
|
|
# Restart httpd since we changed it's config and added ipa-pki-proxy.conf
|
|
|
|
|
# Without the restart, CA service status check would fail due to missing
|
|
|
|
|
# proxy
|
2012-09-25 08:57:03 -05:00
|
|
|
if postinstall:
|
2014-05-29 03:37:18 -05:00
|
|
|
services.knownservices.httpd.restart()
|
2012-09-25 08:57:03 -05:00
|
|
|
|
|
|
|
|
|
2011-06-17 15:47:39 -05:00
|
|
|
# The dogtag DS instance needs to be restarted after installation.
|
|
|
|
|
# The procedure for this is: stop dogtag, stop DS, start DS, start
|
|
|
|
|
# dogtag
|
|
|
|
|
#
|
|
|
|
|
#
|
|
|
|
|
# The service_name trickery is due to the service naming we do
|
|
|
|
|
# internally. In the case of the dogtag DS the name doesn't match the
|
|
|
|
|
# unix service.
|
|
|
|
|
|
|
|
|
|
service.print_msg("Restarting the directory and certificate servers")
|
2012-08-23 11:38:45 -05:00
|
|
|
ca.stop(dogtag.install_constants.PKI_INSTANCE_NAME)
|
2012-09-19 22:35:42 -05:00
|
|
|
|
2014-05-29 03:37:18 -05:00
|
|
|
services.knownservices.dirsrv.restart()
|
2012-09-19 22:35:42 -05:00
|
|
|
|
2012-08-23 11:38:45 -05:00
|
|
|
ca.start(dogtag.install_constants.PKI_INSTANCE_NAME)
|
2011-06-17 15:47:39 -05:00
|
|
|
|
2012-11-15 08:38:24 -06:00
|
|
|
return ca
|
2011-06-17 15:47:39 -05:00
|
|
|
|
2014-09-03 08:04:35 -05:00
|
|
|
def backup_config(dogtag_constants=None):
|
|
|
|
|
"""
|
|
|
|
|
Create a backup copy of CS.cfg
|
|
|
|
|
"""
|
|
|
|
|
if dogtag_constants is None:
|
|
|
|
|
dogtag_constants = dogtag.configured_constants()
|
|
|
|
|
|
2014-11-21 01:52:24 -06:00
|
|
|
if services.knownservices[dogtag_constants.SERVICE_NAME].is_running(
|
|
|
|
|
dogtag_constants.PKI_INSTANCE_NAME):
|
2014-09-30 07:41:49 -05:00
|
|
|
raise RuntimeError("Dogtag must be stopped when creating backup of %s"
|
|
|
|
|
% dogtag_constants.CS_CFG_PATH)
|
2014-09-03 08:04:35 -05:00
|
|
|
shutil.copy(dogtag_constants.CS_CFG_PATH,
|
|
|
|
|
dogtag_constants.CS_CFG_PATH + '.ipabkp')
|
2012-07-11 14:51:01 -05:00
|
|
|
|
2013-07-23 05:19:42 -05:00
|
|
|
def update_people_entry(dercert):
|
2014-12-02 12:18:36 -06:00
|
|
|
"""
|
|
|
|
|
Update the userCerticate for an entry in the dogtag ou=People. This
|
|
|
|
|
is needed when a certificate is renewed.
|
|
|
|
|
|
|
|
|
|
dercert: An X509.3 certificate in DER format
|
|
|
|
|
|
|
|
|
|
Logging is done via syslog
|
|
|
|
|
|
|
|
|
|
Returns True or False
|
|
|
|
|
"""
|
2013-07-23 05:19:42 -05:00
|
|
|
base_dn = DN(('ou','People'), ('o','ipaca'))
|
2014-12-02 12:18:36 -06:00
|
|
|
serial_number = x509.get_serial_number(dercert, datatype=x509.DER)
|
|
|
|
|
subject = x509.get_subject(dercert, datatype=x509.DER)
|
|
|
|
|
issuer = x509.get_issuer(dercert, datatype=x509.DER)
|
|
|
|
|
|
|
|
|
|
attempts = 0
|
2014-09-02 04:28:16 -05:00
|
|
|
server_id = dsinstance.realm_to_serverid(api.env.realm)
|
|
|
|
|
dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id
|
2014-12-02 12:18:36 -06:00
|
|
|
updated = False
|
|
|
|
|
|
|
|
|
|
while attempts < 10:
|
|
|
|
|
conn = None
|
|
|
|
|
try:
|
|
|
|
|
conn = ldap2.ldap2(shared_instance=False, ldap_uri=dogtag_uri)
|
2014-09-02 04:28:16 -05:00
|
|
|
conn.connect(autobind=True)
|
2013-07-23 05:19:42 -05:00
|
|
|
|
2014-03-18 10:23:30 -05:00
|
|
|
db_filter = conn.make_filter(
|
2013-07-23 05:19:42 -05:00
|
|
|
{'description': ';%s;%s' % (issuer, subject)},
|
|
|
|
|
exact=False, trailing_wildcard=False)
|
|
|
|
|
try:
|
2014-03-18 10:23:30 -05:00
|
|
|
entries = conn.get_entries(base_dn, conn.SCOPE_SUBTREE, db_filter)
|
2013-07-23 05:19:42 -05:00
|
|
|
except errors.NotFound:
|
|
|
|
|
entries = []
|
|
|
|
|
|
2014-12-02 12:18:36 -06:00
|
|
|
updated = True
|
2013-07-23 05:19:42 -05:00
|
|
|
|
|
|
|
|
for entry in entries:
|
|
|
|
|
syslog.syslog(
|
|
|
|
|
syslog.LOG_NOTICE, 'Updating entry %s' % str(entry.dn))
|
|
|
|
|
|
|
|
|
|
try:
|
|
|
|
|
entry['usercertificate'].append(dercert)
|
|
|
|
|
entry['description'] = '2;%d;%s;%s' % (
|
|
|
|
|
serial_number, issuer, subject)
|
|
|
|
|
|
|
|
|
|
conn.update_entry(entry)
|
|
|
|
|
except errors.EmptyModlist:
|
|
|
|
|
pass
|
|
|
|
|
except Exception, e:
|
|
|
|
|
syslog.syslog(
|
|
|
|
|
syslog.LOG_ERR,
|
|
|
|
|
'Updating entry %s failed: %s' % (str(entry.dn), e))
|
|
|
|
|
updated = False
|
|
|
|
|
|
2014-12-02 12:18:36 -06:00
|
|
|
break
|
|
|
|
|
except errors.NetworkError:
|
2013-07-23 05:19:42 -05:00
|
|
|
syslog.syslog(
|
|
|
|
|
syslog.LOG_ERR,
|
|
|
|
|
'Connection to %s failed, sleeping 30s' % dogtag_uri)
|
2014-12-02 12:18:36 -06:00
|
|
|
time.sleep(30)
|
|
|
|
|
attempts += 1
|
|
|
|
|
except Exception, e:
|
2013-07-23 05:19:42 -05:00
|
|
|
syslog.syslog(syslog.LOG_ERR, 'Caught unhandled exception: %s' % e)
|
2014-12-02 12:18:36 -06:00
|
|
|
break
|
|
|
|
|
finally:
|
2013-07-23 05:19:42 -05:00
|
|
|
if conn is not None and conn.isconnected():
|
2014-12-02 12:18:36 -06:00
|
|
|
conn.disconnect()
|
|
|
|
|
|
|
|
|
|
if not updated:
|
|
|
|
|
syslog.syslog(syslog.LOG_ERR, 'Update failed.')
|
|
|
|
|
return False
|
|
|
|
|
|
|
|
|
|
return True
|
|
|
|
|
|
2009-04-01 21:39:44 -05:00
|
|
|
if __name__ == "__main__":
|
2011-11-15 13:39:31 -06:00
|
|
|
standard_logging_setup("install.log")
|
2012-11-15 08:38:24 -06:00
|
|
|
ds = dsinstance.DsInstance()
|
2012-09-19 22:35:42 -05:00
|
|
|
|
2014-05-29 07:47:17 -05:00
|
|
|
ca = CAInstance("EXAMPLE.COM", paths.HTTPD_ALIAS_DIR)
|
2012-11-19 09:32:28 -06:00
|
|
|
ca.configure_instance("catest.example.com", "example.com", "password", "password")
|
