From 57f0be7b5dc0111087e3b5ce63462281729b78a2 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Tue, 15 Oct 2013 20:49:07 +0200
Subject: [PATCH] Use certmonger D-Bus API to configure certmonger in CA install.

Before, certmonger was configured by modifying its internal database directly.

Reviewed-By: Petr Viktorin
---
 freeipa.spec.in | 2 +-
 install/conf/Makefile.am | 1 -
 install/conf/ca_renewal | 6 ------
 ipaserver/install/cainstance.py | 38 +++++++++++++++++++++------------
 4 files changed, 25 insertions(+), 22 deletions(-)
 delete mode 100644 install/conf/ca_renewal

diff --git a/freeipa.spec.in b/freeipa.spec.in
index c17e939ac..9f6f8fbce 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -136,6 +136,7 @@ Requires: python-pyasn1
 Requires: python-qrcode
 Requires: memcached
 Requires: python-memcached
+Requires: dbus-python
 Requires: systemd-units >= 38
 Requires(pre): systemd-units
 Requires(post): systemd-units
@@ -720,7 +721,6 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
-%{_usr}/share/ipa/ca_renewal
 %{_usr}/share/ipa/ipa.conf
 %{_usr}/share/ipa/ipa-rewrite.conf
 %{_usr}/share/ipa/ipa-pki-proxy.conf
diff --git a/install/conf/Makefile.am b/install/conf/Makefile.am
index 06b3b32df..65e25bc94 100644
--- a/install/conf/Makefile.am
+++ b/install/conf/Makefile.am
@@ -2,7 +2,6 @@ NULL =
 appdir = $(IPA_DATA_DIR)
 app_DATA = \
- ca_renewal \
 ipa.conf \
 ipa-pki-proxy.conf \
 ipa-rewrite.conf \
diff --git a/install/conf/ca_renewal b/install/conf/ca_renewal
deleted file mode 100644
index 57a9e9c24..000000000
--- a/install/conf/ca_renewal
+++ /dev/null
@@ -1,6 +0,0 @@
-# A separate helper for fetching dogtag certificates that are renewed on
-# another system.
-id=dogtag-ipa-retrieve-agent-submit
-ca_is_default=0
-ca_type=EXTERNAL
-ca_external_helper=/usr/libexec/certmonger/dogtag-ipa-retrieve-agent-submit
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 62ce13a69..710caae72 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -36,6 +36,7 @@ import xml.dom.minidom
 import stat
 import syslog
 import ConfigParser
+import dbus
 from ipapython import dogtag
 from ipapython.certdb import get_ca_nickname
@@ -1347,7 +1348,19 @@ class CAInstance(service.Service):
 # cause files to have a new owner.
 user_exists = self.restore_state("user_exists")
- installutils.remove_file("/var/lib/certmonger/cas/ca_renewal")
+ ipaservices.knownservices.messagebus.start()
+ cmonger = ipaservices.knownservices.certmonger
+ cmonger.start()
+
+ bus = dbus.SystemBus()
+ obj = bus.get_object('org.fedorahosted.certmonger',
+ '/org/fedorahosted/certmonger')
+ iface = dbus.Interface(obj, 'org.fedorahosted.certmonger')
+ path = iface.find_ca_by_nickname('dogtag-ipa-retrieve-agent-submit')
+ if path:
+ iface.remove_known_ca(path)
+
+ cmonger.stop()
 # remove CRL files
 root_logger.info("Remove old CRL files")
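Review bot: `cmonger.stop()` at the end of the added block in the @@ -1347,7 +1348,19 @@ hunk is skipped if any of the D-Bus calls before it raises (`dbus.SystemBus()`, `bus.get_object`, `find_ca_by_nickname`, `remove_known_ca`), so a certmonger that this code just started is left running and the uninstall aborts on a step that used to be a plain file removal; wrap the D-Bus calls in `try:` … `finally: cmonger.stop()`, and consider catching `dbus.DBusException` around the lookup and removal so a missing or unresponsive certmonger does not abort uninstall. The bus name `'org.fedorahosted.certmonger'`, object path `'/org/fedorahosted/certmonger'` and nickname `'dogtag-ipa-retrieve-agent-submit'` are now spelled out twice, here and in the @@ -1438,24 +1451,21 @@ hunk; hoisting them to module-level constants keeps the two halves from drifting. The code also assumes `find_ca_by_nickname` returns a falsy value when the nickname is unknown rather than raising, which is worth confirming against the certmonger D-Bus API since an error on a miss would take the failure path above. The enclosing method starts and ends outside the hunk.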
@@ -1438,24 +1451,21 @@ class CAInstance(service.Service):
 Create a new CA type for certmonger that will retrieve updated
 certificates from the dogtag master server.
 """
- target_fname = '/var/lib/certmonger/cas/ca_renewal'
- if ipautil.file_exists(target_fname):
- # This CA can be configured either during initial CA installation
- # if the replica is created with --setup-ca or when Apache is
- # being configured if not.
- return
- txt = ipautil.template_file(ipautil.SHARE_DIR + "ca_renewal", dict())
- fd = open(target_fname, "w")
- fd.write(txt)
- fd.close()
- os.chmod(target_fname, 0600)
- ipaservices.restore_context(target_fname)
-
 cmonger = ipaservices.knownservices.certmonger
 cmonger.enable()
 ipaservices.knownservices.messagebus.start()
 cmonger.restart()
+ bus = dbus.SystemBus()
+ obj = bus.get_object('org.fedorahosted.certmonger',
+ '/org/fedorahosted/certmonger')
+ iface = dbus.Interface(obj, 'org.fedorahosted.certmonger')
+ path = iface.find_ca_by_nickname('dogtag-ipa-retrieve-agent-submit')
+ if not path:
+ iface.add_known_ca(
+ 'dogtag-ipa-retrieve-agent-submit',
+ '/usr/libexec/certmonger/dogtag-ipa-retrieve-agent-submit', [])
+
 def configure_clone_renewal(self):
 """
 The actual renewal is done on the master. On the clone side we
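Review bot: The explanatory comment dropped with the old file-exists guard (that this CA may already be configured either during initial CA installation with --setup-ca or later when Apache is configured) still explains why the lookup is needed, but the new `if not path:` carries no comment; keep it, e.g. `# Already present if CA install or the Apache setup configured it first.` The D-Bus lookup runs straight after `cmonger.restart()`; whether the `org.fedorahosted.certmonger` name is guaranteed to be owned by the time `bus.get_object` is called depends on the service wrapper blocking until certmonger is ready, which is not visible here — if it does not, a short retry or handling of `dbus.DBusException` at this point would avoid a spurious install failure. The enclosing method starts outside the hunk.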