Remove all services when a host is removed Revoke certificate (if any) when a service is removed

2025-02-25 18:55:28 -06:00 · 2009-05-08 17:42:54 -04:00
parent 014f3ff1c6
commit 5e3cdb9643
2 changed files with 35 additions and 14 deletions
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -140,7 +140,7 @@ class host_add(crud.Add):

        current = util.get_current_principal()
        if not current:
-            raise errors.NotFound('Unable to determine current user')
+            raise errors.NotFound(reason='Unable to determine current user')
        kw['enrolledby'] = ldap.find_entry_dn("krbPrincipalName", current, "posixAccount")

        # Get our configuration
@@ -186,6 +186,17 @@ class host_del(crud.Del):
        """
        ldap = self.api.Backend.ldap
        dn = get_host(hostname)
+
+        # Remove all service records for this host
+        services=api.Command['service_find'](hostname, **{})
+
+        counter = services[0]
+        services = services[1:]
+        if counter > 0:
+            for s in services:
+                principal = s.get('krbprincipalname').decode('UTF-8')
+                api.Command['service_del'](principal, **{})
+
        return ldap.delete(dn)
    def output_for_cli(self, textui, result, *args, **options):
        """
--- a/ipalib/plugins/service.py
+++ b/ipalib/plugins/service.py
@@ -26,39 +26,44 @@ from ipalib import api, crud, errors
 from ipalib import Object  # Plugin base classes
 from ipalib import Str, Flag, Bytes # Parameter types
 import base64
+from OpenSSL import crypto

 default_attributes = ['krbprincipalname', 'usercertificate']

 def validate_principal(ugettext, principal):
+    (service, hostname, principal) = split_principal(principal)
+
+def split_principal(principal):
+    service = hostname = realm = None
+
    # Break down the principal into its component parts, which may or
    # may not include the realm.
    sp = principal.split('/')
    if len(sp) != 2:
        raise errors.MalformedServicePrincipal(reason="missing service")

+    service = sp[0]
    sr = sp[1].split('@')
    if len(sr) > 2:
        raise errors.MalformedServicePrincipal(reason="unable to determine realm")

+    hostname = sr[0].lower()
+
    if len(sr) == 2:
        realm = sr[1].upper()

        # At some point we'll support multiple realms
        if (realm != api.env.realm):
            raise errors.RealmMismatch()
+    else:
+        realm = api.env.realm
+
+    # Note that realm may be None.
+    return (service, hostname, realm)

 def normalize_principal(principal):
    # The principal is already validated when it gets here
-    sp = principal.split('/')
-    service = sp[0]
-
-    sr = sp[1].split('@')
-    if len(sr) == 1:
-        hostname = sr[0].lower()
-        realm = api.env.realm
-    elif len(sr) == 2:
-        hostname = sr[0].lower()
-        realm = sr[1].upper()
+    (service, hostname, realm) = split_principal(principal)

    # Put the principal back together again
    principal = service + "/" + hostname + "@" + realm
@@ -124,10 +129,9 @@ class service_add(crud.Add):
        except:
            pass

-        sp = principal.split('/')
-        service = sp[0]
+        (service, hostname, realm) = split_principal(principal)

-        if service.lower() == "host":
+        if service.lower() == "host" and not force:
            raise errors.HostService()

        """
@@ -176,6 +180,12 @@ class service_del(crud.Del):
        """
        ldap = self.api.Backend.ldap
        dn = ldap.find_entry_dn("krbprincipalname", principal, object_type="ipaService")
+        entry = ldap.retrieve(dn)
+        if entry.has_key('usercertificate'):
+            cert = entry.get('usercertificate')
+            x509 = crypto.load_certificate(crypto.FILETYPE_ASN1, cert)
+            serial = str(x509.get_serial_number())
+            api.Command['cert_revoke'](unicode(serial, ), **{'revocation_reason': 5})
        return ldap.delete(dn)

    def output_to_cli(self, ret):