smart-card advises: configure systemwide NSS DB also on master

Previously the Smart card signing CA cert was uploaded to systemwide NSS
DB only on the client, but it need to be added also to the server.
Modify the advise plugins to allow for common configuration steps to
occur in both cases.

https://pagure.io/freeipa/issue/7036

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This commit is contained in:
Martin Babinsky 2017-06-21 18:28:50 +02:00 committed by Martin Basti
parent 902f736a2b
commit 69ba5f9422

View File

@ -10,8 +10,39 @@ from ipaserver.install.httpinstance import NSS_OCSP_ENABLED
register = Registry()
class common_smart_card_auth_config(Advice):
"""
Common steps required to properly configure both server and client for
smart card auth
"""
systemwide_nssdb = paths.NSS_DB_DIR
smart_card_ca_cert_variable_name = "SC_CA_CERT"
def check_and_set_ca_cert_path(self):
ca_path_variable = self.smart_card_ca_cert_variable_name
self.log.command("{}=$1".format(ca_path_variable))
self.log.exit_on_predicate(
'[ -z "${}" ]'.format(ca_path_variable),
['You need to provide the path to the PEM file containing CA '
'signing the Smart Cards']
)
self.log.exit_on_predicate(
'[ ! -f "${}" ]'.format(ca_path_variable),
['Invalid CA certificate filename: ${}'.format(ca_path_variable),
'Please check that the path exists and is a valid file']
)
def upload_smartcard_ca_certificate_to_systemwide_db(self):
self.log.command(
'certutil -d {} -A -i ${} -n "Smart Card CA" -t CT,C,C'.format(
self.systemwide_nssdb, self.smart_card_ca_cert_variable_name
)
)
@register()
class config_server_for_smart_card_auth(Advice):
class config_server_for_smart_card_auth(common_smart_card_auth_config):
"""
Configures smart card authentication via Kerberos (PKINIT) and for WebUI
"""
@ -28,6 +59,7 @@ class config_server_for_smart_card_auth(Advice):
def get_info(self):
self.log.exit_on_nonroot_euid()
self.check_and_set_ca_cert_path()
self.check_ccache_not_empty()
self.check_hostname_is_in_masters()
self.resolve_ipaca_records()
@ -37,6 +69,7 @@ class config_server_for_smart_card_auth(Advice):
self.record_httpd_ocsp_status()
self.check_and_enable_pkinit()
self.enable_ok_to_auth_as_delegate_on_http_principal()
self.upload_smartcard_ca_certificate_to_systemwide_db()
def check_ccache_not_empty(self):
self.log.comment('Check whether the credential cache is not empty')
@ -162,11 +195,10 @@ class config_server_for_smart_card_auth(Advice):
@register()
class config_client_for_smart_card_auth(Advice):
class config_client_for_smart_card_auth(common_smart_card_auth_config):
"""
Configures smart card authentication on FreeIPA client
"""
smart_card_ca_cert_variable_name = "SC_CA_CERT"
description = ("Instructions for enabling Smart Card authentication on "
" a single FreeIPA client. Configures Smart Card daemon, "
@ -190,20 +222,6 @@ class config_client_for_smart_card_auth(Advice):
self.run_authconfig_to_configure_smart_card_auth()
self.restart_sssd()
def check_and_set_ca_cert_path(self):
ca_path_variable = self.smart_card_ca_cert_variable_name
self.log.command("{}=$1".format(ca_path_variable))
self.log.exit_on_predicate(
'[ -z "${}" ]'.format(ca_path_variable),
['You need to provide the path to the PEM file containing CA '
'signing the Smart Cards']
)
self.log.exit_on_predicate(
'[ ! -f "${}" ]'.format(ca_path_variable),
['Invalid CA certificate filename: ${}'.format(ca_path_variable),
'Please check that the path exists and is a valid file']
)
def check_and_remove_pam_pkcs11(self):
self.log.command('rpm -qi pam_pkcs11 > /dev/null')
self.log.commands_on_predicate(
@ -247,13 +265,6 @@ class config_client_for_smart_card_auth(Advice):
]
)
def upload_smartcard_ca_certificate_to_systemwide_db(self):
self.log.command(
'certutil -d {} -A -i ${} -n "Smart Card CA" -t CT,C,C'.format(
self.systemwide_nssdb, self.smart_card_ca_cert_variable_name
)
)
def run_authconfig_to_configure_smart_card_auth(self):
self.log.exit_on_failed_command(
'authconfig --enablesmartcard --smartcardmodule=sssd --updateall',