IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Check that renewed certificates coming from LDAP are actually renewed.

Browse Source 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This commit is contained in:
Jan Cholasta 2014-04-14 12:13:12 +02:00 committed by Petr Viktorin
parent 7086183519
commit 61159b7ff2
1 changed files with 32 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
install/certmonger/dogtag-ipa-ca-renew-agent-submit
View File

@ -210,6 +210,21 @@ def retrieve_cert():
""" """
Retrieve new certificate from LDAP. Retrieve new certificate from LDAP.
""" """
operation = os.environ.get('CERTMONGER_OPERATION')
if operation == 'SUBMIT':
attempts = 0
elif operation == 'POLL':
cookie = os.environ.get('CERTMONGER_CA_COOKIE')
if not cookie:
return (UNCONFIGURED, "Cookie not provided")
try:
attempts = int(cookie)
except ValueError:
return (UNCONFIGURED, "Invalid cookie: %r" % cookie)
else:
return (OPERATION_NOT_SUPPORTED_BY_HELPER,)
csr = os.environ.get('CERTMONGER_CSR') csr = os.environ.get('CERTMONGER_CSR')
if not csr: if not csr:
return (UNCONFIGURED, "Certificate request not provided") return (UNCONFIGURED, "Certificate request not provided")
@ -218,6 +233,11 @@ def retrieve_cert():
if not nickname: if not nickname:
return (REJECTED, "No friendly name in the certificate request") return (REJECTED, "No friendly name in the certificate request")
old_cert = os.environ.get('CERTMONGER_CERTIFICATE')
if not old_cert:
return (REJECTED, "New certificate requests not supported")
old_cert = x509.normalize_certificate(old_cert)
syslog.syslog(syslog.LOG_NOTICE, "Updating certificate for %s" % nickname) syslog.syslog(syslog.LOG_NOTICE, "Updating certificate for %s" % nickname)
with ldap_connect() as conn: with ldap_connect() as conn:
@ -227,13 +247,19 @@ def retrieve_cert():
('cn', 'ipa'), ('cn', 'etc'), api.env.basedn), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn),
['usercertificate']) ['usercertificate'])
except errors.NotFound: except errors.NotFound:
cert = old_cert
else:
cert = entry.single_value['usercertificate']
if cert == old_cert:
attempts += 1
if attempts < 4:
syslog.syslog( syslog.syslog(
syslog.LOG_INFO, syslog.LOG_INFO,
"Updated certificate for %s not available" % nickname) "Updated certificate for %s not available" % nickname)
# No cert available yet, tell certmonger to wait another 8 hours # No cert available yet, tell certmonger to wait another 8 hours
return (WAIT_WITH_DELAY, 8 * 60 * 60) return (WAIT_WITH_DELAY, 8 * 60 * 60, attempts)
cert = entry.single_value['usercertificate']
cert = base64.b64encode(cert) cert = base64.b64encode(cert)
cert = x509.make_pem(cert) cert = x509.make_pem(cert)