Remove NSSConnection from Dogtag

Replaced NSSConnection with Python's httplib.HTTPSConnection. This class is OpenSSL-based. A client certificate with a private key is required to authenticate against the certificate server. We facilitate the RA_AGENT_PEM which already exists. https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2025-02-25 18:55:28 -06:00 · 2016-12-20 10:23:47 +01:00
parent 6b074ad833
commit 0a54fac02c
5 changed files with 42 additions and 63 deletions
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -20,16 +20,16 @@
 import collections
 import xml.dom.minidom

-import nss.nss as nss
 import six
 # pylint: disable=import-error
 from six.moves.urllib.parse import urlencode
 # pylint: enable=import-error

 from ipalib import api, errors
+from ipalib.util import create_https_connection
 from ipalib.errors import NetworkError
 from ipalib.text import _
-from ipapython import nsslib, ipautil
+from ipapython import ipautil
 from ipapython.ipa_log_manager import root_logger

 # Python 3 rename. The package is available in "six.moves.http_client", but
@@ -131,8 +131,8 @@ def ca_status(ca_host=None):
    return _parse_ca_status(body)


-def https_request(host, port, url, secdir, password, nickname,
-        method='POST', headers=None, body=None, **kw):
+def https_request(host, port, url, cafile, client_certfile,
+                  method='POST', headers=None, body=None, **kw):
    """
    :param method: HTTP request method (defalut: 'POST')
    :param url: The path (not complete URL!) to post to.
@@ -145,16 +145,12 @@ def https_request(host, port, url, secdir, password, nickname,
    """

    def connection_factory(host, port):
-        no_init = secdir == nsslib.current_dbdir
-        conn = nsslib.NSSConnection(host, port, dbdir=secdir, no_init=no_init,
-                                    tls_version_min=api.env.tls_version_min,
-                                    tls_version_max=api.env.tls_version_max)
-        conn.set_debuglevel(0)
-        conn.connect()
-        conn.sock.set_client_auth_data_callback(
-            nsslib.client_auth_data_callback,
-            nickname, password, nss.get_default_certdb())
-        return conn
+        return create_https_connection(
+            host, port,
+            cafile=cafile,
+            client_certfile=client_certfile,
+            tls_version_min=api.env.tls_version_min,
+            tls_version_max=api.env.tls_version_max)

    if body is None:
        body = urlencode(kw)