Make the path to CS.cfg a class variable

Rather than passing around the path to CS.cfg for the CA and KRA
set it at object creation and use everywhere.

Make update_cert_config() a real class method instead of a static
method. It wasn't being called as a static method anyway, and this
makes it possible to use the class's config file path.

Related: https://pagure.io/freeipa/issue/6703

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
This commit is contained in:
Rob Crittenden
2017-11-08 13:21:22 -05:00
committed by Christian Heimes
parent 1059a24d2a
commit 10a847b682
5 changed files with 45 additions and 29 deletions


@@ -89,7 +89,8 @@ class DogtagInstance(service.Service):
server_cert_name = None
def __init__(self, realm, subsystem, service_desc, host_name=None,
nss_db=paths.PKI_TOMCAT_ALIAS_DIR, service_prefix=None):
nss_db=paths.PKI_TOMCAT_ALIAS_DIR, service_prefix=None,
config=None):
"""Initializer"""
super(DogtagInstance, self).__init__(
@@ -118,6 +119,7 @@ class DogtagInstance(service.Service):
self.master_replication_port = None
self.subject_base = None
self.nss_db = nss_db
self.config = config # Path to CS.cfg
def is_installed(self):
"""
@@ -172,44 +174,43 @@ class DogtagInstance(service.Service):
"Failed to stop the Dogtag instance."
"See the installation log for details.")
def enable_client_auth_to_db(self, config):
def enable_client_auth_to_db(self):
"""
Enable client auth connection to the internal db.
Path to CS.cfg config file passed in.
"""
with stopped_service('pki-tomcatd', 'pki-tomcat'):
installutils.set_directive(
config,
self.config,
'authz.instance.DirAclAuthz.ldap.ldapauth.authtype',
'SslClientAuth', quotes=False, separator='=')
installutils.set_directive(
config,
self.config,
'authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname',
'subsystemCert cert-pki-ca', quotes=False, separator='=')
installutils.set_directive(
config,
self.config,
'authz.instance.DirAclAuthz.ldap.ldapconn.port', '636',
quotes=False, separator='=')
installutils.set_directive(
config,
self.config,
'authz.instance.DirAclAuthz.ldap.ldapconn.secureConn',
'true', quotes=False, separator='=')
installutils.set_directive(
config,
self.config,
'internaldb.ldapauth.authtype',
'SslClientAuth', quotes=False, separator='=')
installutils.set_directive(
config,
self.config,
'internaldb.ldapauth.clientCertNickname',
'subsystemCert cert-pki-ca', quotes=False, separator='=')
installutils.set_directive(
config,
self.config,
'internaldb.ldapconn.port', '636', quotes=False, separator='=')
installutils.set_directive(
config,
self.config,
'internaldb.ldapconn.secureConn', 'true', quotes=False,
separator='=')
# Remove internaldb password as is not needed anymore
@@ -338,8 +339,7 @@ class DogtagInstance(service.Service):
if stop_certmonger:
cmonger.stop()
@staticmethod
def update_cert_cs_cfg(directive, cert, cs_cfg):
def update_cert_cs_cfg(self, directive, cert):
"""
When renewing a Dogtag subsystem certificate the configuration file
needs to get the new certificate as well.
@@ -351,7 +351,7 @@ class DogtagInstance(service.Service):
with stopped_service('pki-tomcatd', 'pki-tomcat'):
installutils.set_directive(
cs_cfg,
self.config,
directive,
# the cert must be only the base64 string without headers
(base64.b64encode(cert.public_bytes(x509.Encoding.DER))
@@ -455,6 +455,10 @@ class DogtagInstance(service.Service):
api.Backend.ldap2.delete_entry(self.admin_dn)
def _use_ldaps_during_spawn(self, config, ds_cacert=paths.IPA_CA_CRT):
"""
config is a RawConfigParser object
cs_cacert is path to a PEM CA certificate
"""
config.set(self.subsystem, "pki_ds_ldaps_port", "636")
config.set(self.subsystem, "pki_ds_secure_connection", "True")
config.set(self.subsystem, "pki_ds_secure_connection_ca_pem_file",