IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Don't install ACME if full support is not available

Browse Source 
The initial ACME support required that each server individually
enable/disable the service. PKI 10.10.0 stores this state in LDAP
so global enable/disable is available and the IPA code relies on
this.

Parse the VERSION file shipped with PKI to determine the version.

https://pagure.io/freeipa/issue/8524

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
This commit is contained in:
Rob Crittenden 2020-10-14 11:51:08 -04:00
parent c0d55ce6de
commit 92c3ea4e29
2 changed files with 40 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
ipaserver/install/cainstance.py
View File

@ -36,6 +36,7 @@ import syslog
import time
import tempfile
from configparser import RawConfigParser
from pkg_resources import parse_version
from ipalib import api
from ipalib import x509
@ -428,7 +429,8 @@ class CAInstance(DogtagInstance):
if promote:
self.step("destroying installation admin user",
self.teardown_admin)
self.step("deploying ACME service", self.setup_acme)
if minimum_acme_support():
self.step("deploying ACME service", self.setup_acme)
# Materialize config changes and new ACLs
self.step("starting certificate server instance",
self.start_instance)
@ -768,11 +770,10 @@ class CAInstance(DogtagInstance):
self.basedn)
conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember')
group_dn = DN(('cn', ACME_AGENT_GROUP), ('ou', 'groups'),
self.basedn)
conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember')
conn.disconnect()
if minimum_acme_support():
group_dn = DN(('cn', ACME_AGENT_GROUP), ('ou', 'groups'),
self.basedn)
conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember')
def __get_ca_chain(self):
try:
@ -1485,6 +1486,9 @@ class CAInstance(DogtagInstance):
logger.debug('ACME service is already deployed')
return False
if not minimum_acme_support():
return False
self._ldap_mod('/usr/share/pki/acme/database/ds/schema.ldif')
configure_acme_acls()
@ -1727,6 +1731,33 @@ def ensure_lightweight_cas_container():
)
def minimum_acme_support(data=None):
"""
ACME with global enable/disable is required.
This first shipped in dogtag version 10.10.0.
Parse the version string to determine if the minimum version
is met. If parsing fails return False.
:param: data: The string value to parse for version. Defaults to
reading from the filesystem.
"""
if not data:
with open('/usr/share/pki/VERSION', 'r') as fd:
data = fd.read()
groups = re.match(r'.*\nSpecification-Version: ([\d+\.]*)\n.*', data)
if groups:
version_string = groups.groups(0)[0]
minimum_version = parse_version('10.10.0')
return parse_version(version_string) >= minimum_version
else:
logger.debug('Unable to parse version from %s', data)
return False
def ensure_acme_containers():
"""
Create the ACME container objects under ou=acme,o=ipaca if

3
ipatests/test_integration/test_acme.py
View File

@ -12,6 +12,7 @@ from ipalib.constants import IPA_CA_RECORD
from ipatests.test_integration.base import IntegrationTest
from ipatests.pytest_ipa.integration import tasks
from ipaplatform.osinfo import osinfo
from ipaserver.install import cainstance
# RHEL does not have certbot. EPEL's version is broken with
@ -26,6 +27,8 @@ skip_mod_md_tests = osinfo.id not in ['rhel','fedora',]
CERTBOT_DNS_IPA_SCRIPT = '/usr/libexec/ipa/acme/certbot-dns-ipa'
@pytest.mark.skipif(not cainstance.minimum_acme_support(),
reason="does not provide ACME")
class TestACME(IntegrationTest):
"""
Test the FreeIPA ACME service by using ACME clients on a FreeIPA client.