Fix update_ca_renewal_master plugin on CA-less installs.

This also fixes updates from ancient versions of IPA which did not have
automatic CA subsystem certificate renewal.

https://fedorahosted.org/freeipa/ticket/4294

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Jan Cholasta
2014-04-02 10:28:00 +02:00
committed by Martin Kosek
parent 41607774bc
commit 50c7f3b236


@@ -18,9 +18,10 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
from ipaserver.install.plugins.baseupdate import PostUpdate from ipaserver.install.plugins.baseupdate import PostUpdate
from ipaserver.install import installutils, certs, cainstance
from ipalib import errors from ipalib import errors
from ipalib.plugable import Registry from ipalib.plugable import Registry
from ipapython import certmonger from ipapython import certmonger, dogtag
from ipapython.dn import DN from ipapython.dn import DN
register = Registry() register = Registry()
@@ -32,6 +33,11 @@ class update_ca_renewal_master(PostUpdate):
""" """
def execute(self, **options): def execute(self, **options):
ca = cainstance.CAInstance(self.api.env.realm, certs.NSS_DIR)
if not ca.is_configured():
self.debug("CA is not configured on this host")
return (False, False, [])
ldap = self.obj.backend ldap = self.obj.backend
base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
self.api.env.basedn) self.api.env.basedn)
@@ -50,30 +56,51 @@ class update_ca_renewal_master(PostUpdate):
('cert_nickname', 'ipaCert', None), ('cert_nickname', 'ipaCert', None),
) )
request_id = certmonger.get_request_id(criteria) request_id = certmonger.get_request_id(criteria)
if request_id is None: if request_id is not None:
self.error("certmonger request for ipaCert not found") self.debug("found certmonger request for ipaCert")
return (False, False, [])
ca_name = certmonger.get_request_value(request_id, 'ca_name')
if ca_name is None:
self.error("certmonger request for ipaCert is missing ca_name")
return (False, False, [])
ca_name = ca_name.strip()
if ca_name == 'dogtag-ipa-renew-agent': ca_name = certmonger.get_request_value(request_id, 'ca_name')
dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn) if ca_name is None:
update = { self.warning(
dn: { "certmonger request for ipaCert is missing ca_name, "
'dn': dn, "assuming local CA is renewal slave")
'updates': ['add:ipaConfigString: caRenewalMaster'], return (False, False, [])
}, ca_name = ca_name.strip()
}
return (False, True, [update]) if ca_name == 'dogtag-ipa-renew-agent':
elif ca_name == 'dogtag-ipa-retrieve-agent-submit': pass
return (False, False, []) elif ca_name == 'dogtag-ipa-retrieve-agent-submit':
elif ca_name == 'dogtag-ipa-ca-renew-agent': return (False, False, [])
return (False, False, []) elif ca_name == 'dogtag-ipa-ca-renew-agent':
return (False, False, [])
else:
self.warning(
"certmonger request for ipaCert has unknown ca_name '%s', "
"assuming local CA is renewal slave", ca_name)
return (False, False, [])
else: else:
self.warning( self.debug("certmonger request for ipaCert not found")
"certmonger request for ipaCert has unknown ca_name \"%s\", "
"assuming local CA is renewal slave", ca_name) config = installutils.get_directive(
return (False, False, []) dogtag.configured_constants().CS_CFG_PATH,
'subsystem.select', '=')
if config == 'New':
pass
elif config == 'Clone':
return (False, False, [])
else:
self.warning(
"CS.cfg has unknown subsystem.select value '%s', "
"assuming local CA is renewal slave", config)
return (False, False, [])
dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn)
update = {
dn: {
'dn': dn,
'updates': ['add:ipaConfigString: caRenewalMaster'],
},
}
return (False, True, [update])
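Review bot: The CS.cfg fallback in the `else` branch (the `config = installutils.get_directive(...)` call) carries none of the rationale the commit message gives, so a reader of the code alone cannot tell why `subsystem.select` decides renewal-master status only when no certmonger request for ipaCert exists; a comment above the call such as `# No certmonger request for ipaCert: this install predates automatic CA subsystem renewal, so fall back to CS.cfg subsystem.select ('New' = original CA, 'Clone' = replica) to decide whether this host becomes the renewal master` would close that gap. Note also that `ca_name` is `.strip()`ped before comparison while `config` is compared to `'New'`/`'Clone'` exactly as returned; if `get_directive` does not strip its result, a stray trailing space would land in the unknown-value warning and leave this host unmarked, so either strip `config` as well or document that `get_directive` already does. The two `elif` branches that both `return (False, False, [])` could be merged as `elif ca_name in ('dogtag-ipa-retrieve-agent-submit', 'dogtag-ipa-ca-renew-agent'):`. The enclosing `execute` method starts in the earlier hunk, and the lines between the hunks (where `criteria` is built) are not visible here.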