IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Fix update_ca_renewal_master plugin on CA-less installs.

Browse Source 
This also fixes updates from ancient versions of IPA which did not have
automatic CA subsystem certificate renewal.

https://fedorahosted.org/freeipa/ticket/4294

Reviewed-By: Martin Kosek <mkosek@redhat.com>
This commit is contained in:
Jan Cholasta
2014-04-02 10:28:00 +02:00
committed by Martin Kosek
parent 41607774bc
commit 50c7f3b236
1 changed files with 53 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

79
ipaserver/install/plugins/ca_renewal_master.py
View File

@@ -18,9 +18,10 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from ipaserver.install.plugins.baseupdate import PostUpdate
from ipaserver.install import installutils, certs, cainstance
from ipalib import errors
from ipalib.plugable import Registry
from ipapython import certmonger
from ipapython import certmonger, dogtag
from ipapython.dn import DN
register = Registry()
@@ -32,6 +33,11 @@ class update_ca_renewal_master(PostUpdate):
"""
def execute(self, **options):
ca = cainstance.CAInstance(self.api.env.realm, certs.NSS_DIR)
if not ca.is_configured():
self.debug("CA is not configured on this host")
return (False, False, [])
ldap = self.obj.backend
base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
self.api.env.basedn)
@@ -50,30 +56,51 @@ class update_ca_renewal_master(PostUpdate):
('cert_nickname', 'ipaCert', None),
)
request_id = certmonger.get_request_id(criteria)
if request_id is None:
self.error("certmonger request for ipaCert not found")
return (False, False, [])
ca_name = certmonger.get_request_value(request_id, 'ca_name')
if ca_name is None:
self.error("certmonger request for ipaCert is missing ca_name")
return (False, False, [])
ca_name = ca_name.strip()
if request_id is not None:
self.debug("found certmonger request for ipaCert")
if ca_name == 'dogtag-ipa-renew-agent':
dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn)
update = {
dn: {
'dn': dn,
'updates': ['add:ipaConfigString: caRenewalMaster'],
},
}
return (False, True, [update])
elif ca_name == 'dogtag-ipa-retrieve-agent-submit':
return (False, False, [])
elif ca_name == 'dogtag-ipa-ca-renew-agent':
return (False, False, [])
ca_name = certmonger.get_request_value(request_id, 'ca_name')
if ca_name is None:
self.warning(
"certmonger request for ipaCert is missing ca_name, "
"assuming local CA is renewal slave")
return (False, False, [])
ca_name = ca_name.strip()
if ca_name == 'dogtag-ipa-renew-agent':
pass
elif ca_name == 'dogtag-ipa-retrieve-agent-submit':
return (False, False, [])
elif ca_name == 'dogtag-ipa-ca-renew-agent':
return (False, False, [])
else:
self.warning(
"certmonger request for ipaCert has unknown ca_name '%s', "
"assuming local CA is renewal slave", ca_name)
return (False, False, [])
else:
self.warning(
"certmonger request for ipaCert has unknown ca_name \"%s\", "
"assuming local CA is renewal slave", ca_name)
return (False, False, [])
self.debug("certmonger request for ipaCert not found")
config = installutils.get_directive(
dogtag.configured_constants().CS_CFG_PATH,
'subsystem.select', '=')
if config == 'New':
pass
elif config == 'Clone':
return (False, False, [])
else:
self.warning(
"CS.cfg has unknown subsystem.select value '%s', "
"assuming local CA is renewal slave", config)
return (False, False, [])
dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn)
update = {
dn: {
'dn': dn,
'updates': ['add:ipaConfigString: caRenewalMaster'],
},
}
return (False, True, [update])