constants: remove CACERT

CACERT depends on ipaplatform.

Replace all uses of CACERT with paths.IPA_CA_CRT and remove CACERT.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Jan Cholasta
2016-11-22 14:42:33 +01:00
committed by Martin Basti
parent a2c5888973
commit 977050c66b
12 changed files with 70 additions and 73 deletions


@@ -25,11 +25,11 @@ from __future__ import print_function
import sys
import os
from ipaplatform.paths import paths
from ipapython.ipa_log_manager import root_logger
from ipaserver.install import (replication, installutils, bindinstance,
cainstance, certs)
from ipalib import api, errors
from ipalib.constants import CACERT
from ipalib.util import has_managed_topology
from ipapython import ipautil, ipaldap, version
from ipapython.dn import DN
@@ -93,8 +93,8 @@ def list_replicas(realm, host, replica, dirman_passwd, verbose):
try:
# connect to main IPA LDAP server
ldap_uri = ipaldap.get_ldap_uri(host, 636, cacert=CACERT)
conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT)
ldap_uri = ipaldap.get_ldap_uri(host, 636, cacert=paths.IPA_CA_CRT)
conn = ipaldap.LDAPClient(ldap_uri, cacert=paths.IPA_CA_CRT)
conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN,
bind_password=dirman_passwd)
@@ -295,8 +295,8 @@ def add_link(realm, replica1, replica2, dirman_passwd, options):
except Exception as e:
sys.exit(str(e))
try:
ldap_uri = ipaldap.get_ldap_uri(replica2, 636, cacert=CACERT)
conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT)
ldap_uri = ipaldap.get_ldap_uri(replica2, 636, cacert=paths.IPA_CA_CRT)
conn = ipaldap.LDAPClient(ldap_uri, cacert=paths.IPA_CA_CRT)
conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN,
bind_password=dirman_passwd)


@@ -39,7 +39,6 @@ from ipaserver.install import bindinstance, cainstance, certs
from ipaserver.install import opendnssecinstance, dnskeysyncinstance
from ipapython import version, ipaldap
from ipalib import api, errors
from ipalib.constants import CACERT
from ipalib.util import has_managed_topology, verify_host_resolvable
from ipapython.ipa_log_manager import root_logger, standard_logging_setup
from ipapython.dn import DN
@@ -167,8 +166,8 @@ def list_replicas(realm, host, replica, dirman_passwd, verbose, nolookup=False):
peers = {}
try:
ldap_uri = ipaldap.get_ldap_uri(host, 636, cacert=CACERT)
conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT)
ldap_uri = ipaldap.get_ldap_uri(host, 636, cacert=paths.IPA_CA_CRT)
conn = ipaldap.LDAPClient(ldap_uri, cacert=paths.IPA_CA_CRT)
if dirman_passwd:
conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN,
bind_password=dirman_passwd)
@@ -628,8 +627,8 @@ def clean_dangling_ruvs(realm, host, options):
Cleans all RUVs and CS-RUVs that are left in the system from
uninstalled replicas
"""
ldap_uri = ipaldap.get_ldap_uri(host, 636, cacert=CACERT)
conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT)
ldap_uri = ipaldap.get_ldap_uri(host, 636, cacert=paths.IPA_CA_CRT)
conn = ipaldap.LDAPClient(ldap_uri, cacert=paths.IPA_CA_CRT)
try:
conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN,
bind_password=options.dirman_passwd)
@@ -676,8 +675,8 @@ def clean_dangling_ruvs(realm, host, options):
offlines = set()
for master_cn, master_info in info.items():
try:
ldap_uri = ipaldap.get_ldap_uri(master_cn, 636, cacert=CACERT)
conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT)
ldap_uri = ipaldap.get_ldap_uri(master_cn, 636, cacert=paths.IPA_CA_CRT)
conn = ipaldap.LDAPClient(ldap_uri, cacert=paths.IPA_CA_CRT)
conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN,
bind_password=options.dirman_passwd)
master_info['online'] = True


@@ -37,7 +37,6 @@ from ipaclient import (
)
from ipaclient.ipachangeconf import IPAChangeConf
from ipalib import api, errors, x509
from ipalib.constants import CACERT
from ipalib.install import certmonger, certstore, service, sysrestore
from ipalib.install import hostname as hostname_
from ipalib.install.kinit import kinit_keytab, kinit_password
@@ -125,15 +124,15 @@ def get_cert_path(cert_path):
"""
If a CA certificate is passed in on the command line, use that.
Else if a CA file exists in CACERT then use that.
Else if a CA file exists in paths.IPA_CA_CRT then use that.
Otherwise return None.
"""
if cert_path is not None:
return cert_path
if os.path.exists(CACERT):
return CACERT
if os.path.exists(paths.IPA_CA_CRT):
return paths.IPA_CA_CRT
return None
@@ -577,7 +576,7 @@ def configure_openldap_conf(fstore, cli_basedn, cli_server):
'action': 'addifnotset',
'name': 'TLS_CACERT',
'type': 'option',
'value': CACERT
'value': paths.IPA_CA_CRT
},
]
@@ -713,7 +712,8 @@ def configure_krb5_conf(
])
kropts.append(krbconf.setOption('default_domain', cli_domain))
kropts.append(krbconf.setOption('pkinit_anchors', 'FILE: %s' % CACERT))
kropts.append(
krbconf.setOption('pkinit_anchors', 'FILE: %s' % paths.IPA_CA_CRT))
ropts = [{
'name': cli_realm,
'type': 'subsection',
@@ -935,7 +935,7 @@ def configure_sssd_conf(
# Note that SSSD will force StartTLS because the channel is later used for
# authentication as well if password migration is enabled. Thus set
# the option unconditionally.
domain.set_option('ldap_tls_cacert', CACERT)
domain.set_option('ldap_tls_cacert', paths.IPA_CA_CRT)
if options.dns_updates:
domain.set_option('dyndns_update', True)
@@ -1552,7 +1552,7 @@ def get_certs_from_ldap(server, base_dn, realm, ca_enabled):
def get_ca_certs_from_file(url):
"""
Get the CA cert from a user supplied file and write it into the
CACERT file.
paths.IPA_CA_CRT file.
Raises errors.NoCertificateError if unable to read cert.
Raises errors.FileError if unable to write cert.
@@ -1585,8 +1585,8 @@ def get_ca_certs_from_file(url):
def get_ca_certs_from_http(url, warn=True):
"""
Use HTTP to retrieve the CA cert and write it into the CACERT file.
This is insecure and should be avoided.
Use HTTP to retrieve the CA cert and write it into the paths.IPA_CA_CRT
file. This is insecure and should be avoided.
Raises errors.NoCertificateError if unable to retrieve and write cert.
"""
@@ -1615,7 +1615,7 @@ def get_ca_certs_from_ldap(server, basedn, realm):
"""
Retrieve th CA cert from the LDAP server by binding to the
server with GSSAPI using the current Kerberos credentials.
Write the retrieved cert into the CACERT file.
Write the retrieved cert into the paths.IPA_CA_CRT file.
Raises errors.NoCertificateError if cert is not found.
Raises errors.NetworkError if LDAP connection can't be established.
@@ -1650,7 +1650,7 @@ def validate_new_ca_certs(existing_ca_certs, new_ca_certs, ask,
if existing_ca_certs > new_ca_certs:
root_logger.warning(
"The CA cert available from the IPA server does not match the\n"
"local certificate available at %s" % CACERT)
"local certificate available at %s" % paths.IPA_CA_CRT)
root_logger.warning(
cert_summary("Existing CA cert:", existing_ca_certs))
root_logger.warning(
@@ -1671,7 +1671,7 @@ def get_ca_certs(fstore, options, server, basedn, realm):
Examine the different options and determine a method for obtaining
the CA cert.
If successful the CA cert will have been written into CACERT.
If successful the CA cert will have been written into paths.IPA_CA_CRT.
Raises errors.NoCertificateError if not successful.
@@ -1698,7 +1698,7 @@ def get_ca_certs(fstore, options, server, basedn, realm):
In all cases if HTTP is used emit warning message
"""
ca_file = CACERT + ".new"
ca_file = paths.IPA_CA_CRT + ".new"
def ldap_url():
return urlunparse(('ldap', ipautil.format_netloc(server),
@@ -1729,17 +1729,18 @@ def get_ca_certs(fstore, options, server, basedn, realm):
raise errors.NoCertificateError(entry=url)
root_logger.debug("CA cert provided by user, use it!")
else:
if os.path.exists(CACERT):
if os.path.isfile(CACERT):
if os.path.exists(paths.IPA_CA_CRT):
if os.path.isfile(paths.IPA_CA_CRT):
try:
existing_ca_certs = x509.load_certificate_list_from_file(
CACERT)
paths.IPA_CA_CRT)
except Exception as e:
raise errors.FileError(reason=u"Unable to load existing" +
" CA cert '%s': %s" % (CACERT, e))
raise errors.FileError(
reason=u"Unable to load existing CA cert '%s': %s" %
(paths.IPA_CA_CRT, e))
else:
raise errors.FileError(reason=u"Existing ca cert '%s' is " +
"not a plain file" % (CACERT))
"not a plain file" % (paths.IPA_CA_CRT))
if otp_auth:
if existing_ca_certs:
@@ -1828,14 +1829,14 @@ def get_ca_certs(fstore, options, server, basedn, realm):
ca_file, e)
)
os.rename(ca_file, CACERT)
os.rename(ca_file, paths.IPA_CA_CRT)
# Make sure the file permissions are correct
try:
os.chmod(CACERT, 0o644)
os.chmod(paths.IPA_CA_CRT, 0o644)
except Exception as e:
raise errors.FileError(reason=u"Unable set permissions on ca "
u"cert '%s': %s" % (CACERT, e))
u"cert '%s': %s" % (paths.IPA_CA_CRT, e))
# IMPORTANT: First line of FF config file is ignored
FIREFOX_CONFIG_TEMPLATE = """
@@ -2048,9 +2049,10 @@ def install_check(options):
# Check if old certificate exist and show warning
if (
not options.ca_cert_file and
get_cert_path(options.ca_cert_file) == CACERT
get_cert_path(options.ca_cert_file) == paths.IPA_CA_CRT
):
root_logger.warning("Using existing certificate '%s'.", CACERT)
root_logger.warning("Using existing certificate '%s'.",
paths.IPA_CA_CRT)
if not check_ip_addresses(options):
raise ScriptError(rval=CLIENT_INSTALL_ERROR)
@@ -2673,7 +2675,7 @@ def _install(options):
pass
# Add CA certs to a temporary NSS database
ca_certs = x509.load_certificate_list_from_file(CACERT)
ca_certs = x509.load_certificate_list_from_file(paths.IPA_CA_CRT)
ca_certs = [
cert.public_bytes(serialization.Encoding.DER)
for cert in ca_certs
@@ -3319,7 +3321,7 @@ def uninstall(options):
tasks.remove_ca_certs_from_systemwide_ca_store()
# Remove the CA cert
remove_file(CACERT)
remove_file(paths.IPA_CA_CRT)
root_logger.info("Client uninstall complete.")
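Review bot: The string-formatting precedence bug in the "not a plain file" raise survives the rename: `%` binds only to the second literal, so `"not a plain file" % (paths.IPA_CA_CRT)` raises TypeError (not all arguments converted during string formatting) before the intended FileError is ever built, and the `'%s'` in the first literal is never filled. Merge the literals so the operator applies to the whole message: `raise errors.FileError(reason=u"Existing ca cert '%s' is not a plain file" % paths.IPA_CA_CRT)`. The neighbouring "Unable to load existing CA cert" raise in the same hunk already uses the merged form. get_ca_certs begins and ends outside this hunk.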


@@ -22,7 +22,6 @@
All constants centralised in one file.
"""
import socket
from ipaplatform.paths import paths
from ipapython.dn import DN
from ipapython.version import VERSION, API_VERSION
@@ -34,9 +33,6 @@ except Exception:
except Exception:
FQDN = None
# Path to CA certificate bundle
CACERT = paths.IPA_CA_CRT
# regular expression NameSpace member names must match:
NAME_REGEX = r'^[a-z][_a-z0-9]*[a-z0-9]$|^[a-z]$'


@@ -47,7 +47,6 @@ from ipalib import errors
from ipalib import constants
from ipaplatform.constants import constants as platformconstants
from ipaplatform.tasks import tasks
from ipalib.constants import CACERT
from ipapython.dn import DN
from ipapython.admintool import ScriptError
from ipaplatform import services
@@ -963,8 +962,8 @@ class DsInstance(service.Service):
"-y", dmpwdfile, "-T", admpwdfile,
str(DN(('uid', 'admin'), ('cn', 'users'), ('cn', 'accounts'), self.suffix))]
try:
env = { 'LDAPTLS_CACERTDIR':os.path.dirname(CACERT),
'LDAPTLS_CACERT':CACERT }
env = {'LDAPTLS_CACERTDIR': os.path.dirname(paths.IPA_CA_CRT),
'LDAPTLS_CACERT': paths.IPA_CA_CRT}
ipautil.run(args, env=env)
root_logger.debug("ldappasswd done")
except ipautil.CalledProcessError as e:


@@ -38,7 +38,6 @@ from ipaserver.install.replication import wait_for_task
from ipaserver.install import installutils
from ipaserver.session import ISO8601_DATETIME_FMT
from ipapython import ipaldap
from ipalib.constants import CACERT
from ipaplatform.constants import constants
from ipaplatform.tasks import tasks
@@ -149,7 +148,7 @@ class Backup(admintool.AdminTool):
paths.SSHD_CONFIG,
paths.SSH_CONFIG,
paths.KRB5_CONF,
CACERT,
paths.IPA_CA_CRT,
paths.IPA_DEFAULT_CONF,
paths.DS_KEYTAB,
paths.NTP_CONF,


@@ -45,7 +45,7 @@ from ipapython import version
from ipalib import api
from ipalib import errors
from ipaplatform.paths import paths
from ipalib.constants import CACERT, DOMAIN_LEVEL_0
from ipalib.constants import DOMAIN_LEVEL_0
UNSUPPORTED_DOMAIN_LEVEL_TEMPLATE = """
Replica creation using '{command_name}' to generate replica file
@@ -201,7 +201,7 @@ class ReplicaPrepare(admintool.AdminTool):
cert_files=cert_files,
key_password=key_password,
key_nickname=key_nickname,
ca_cert_files=[CACERT],
ca_cert_files=[paths.IPA_CA_CRT],
host_name=self.replica_fqdn)
def ask_for_options(self):


@@ -29,7 +29,6 @@ from ipapython import admintool, ipautil
from ipapython.certdb import get_ca_nickname, NSSDatabase
from ipapython.dn import DN
from ipalib import api, errors
from ipalib.constants import CACERT
from ipaserver.install import certs, dsinstance, installutils
@@ -191,7 +190,7 @@ class ServerCertInstall(admintool.AdminTool):
cert_files=self.args,
key_password=pkcs12_passwd,
key_nickname=self.options.cert_name,
ca_cert_files=[CACERT],
ca_cert_files=[paths.IPA_CA_CRT],
host_name=api.env.host)
dirname = os.path.normpath(dirname)


@@ -32,7 +32,6 @@ from ipaserver.install import installutils
from ipapython import ipautil
from ipapython import kernel_keyring
from ipalib import api
from ipalib.constants import CACERT
from ipapython.ipa_log_manager import root_logger
from ipapython.dn import DN
@@ -352,7 +351,7 @@ class KrbInstance(service.Service):
# Finally copy the cacert in the krb directory so we don't
# have any selinux issues with the file context
shutil.copyfile(CACERT, paths.CACERT_PEM)
shutil.copyfile(paths.IPA_CA_CRT, paths.CACERT_PEM)
def __add_anonymous_pkinit_principal(self):
princ = "WELLKNOWN/ANONYMOUS"


@@ -30,7 +30,6 @@ import ldap
from ipalib import api, errors
from ipalib.cli import textui
from ipalib.constants import CACERT
from ipapython.ipa_log_manager import root_logger
from ipapython import ipautil, ipaldap, kerberos
from ipapython.admintool import ScriptError
@@ -216,8 +215,8 @@ class ReplicationManager(object):
# otherwise we'll do a GSSAPI bind.
protocol = 'ldap' if starttls else None
ldap_uri = ipaldap.get_ldap_uri(
hostname, port, protocol=protocol, cacert=CACERT)
self.conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT,
hostname, port, protocol=protocol, cacert=paths.IPA_CA_CRT)
self.conn = ipaldap.LDAPClient(ldap_uri, cacert=paths.IPA_CA_CRT,
start_tls=starttls)
if dirman_passwd:
self.conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN,
@@ -1001,9 +1000,12 @@ class ReplicationManager(object):
local_port = r_port
# note - there appears to be a bug in python-ldap - it does not
# allow connections using two different CA certs
ldap_uri = ipaldap.get_ldap_uri(r_hostname, r_port, cacert=CACERT,
ldap_uri = ipaldap.get_ldap_uri(r_hostname, r_port,
cacert=paths.IPA_CA_CRT,
protocol='ldap')
r_conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT, start_tls=True)
r_conn = ipaldap.LDAPClient(ldap_uri,
cacert=paths.IPA_CA_CRT,
start_tls=True)
if r_bindpw:
r_conn.simple_bind(r_binddn, r_bindpw)
@@ -1045,7 +1047,7 @@ class ReplicationManager(object):
def setup_winsync_replication(self,
ad_dc_name, ad_binddn, ad_pwd,
passsync_pw, ad_subtree,
cacert=CACERT):
cacert=paths.IPA_CA_CRT):
self.ad_suffix = ""
try:
# Validate AD connection
@@ -1110,8 +1112,9 @@ class ReplicationManager(object):
raise RuntimeError("Failed to start replication")
def convert_to_gssapi_replication(self, r_hostname, r_binddn, r_bindpw):
ldap_uri = ipaldap.get_ldap_uri(r_hostname, PORT, cacert=CACERT)
r_conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT)
ldap_uri = ipaldap.get_ldap_uri(r_hostname, PORT,
cacert=paths.IPA_CA_CRT)
r_conn = ipaldap.LDAPClient(ldap_uri, cacert=paths.IPA_CA_CRT)
if r_bindpw:
r_conn.simple_bind(r_binddn, r_bindpw)
else:
@@ -1141,8 +1144,9 @@ class ReplicationManager(object):
"""
# note - there appears to be a bug in python-ldap - it does not
# allow connections using two different CA certs
ldap_uri = ipaldap.get_ldap_uri(r_hostname, PORT, cacert=CACERT)
r_conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT)
ldap_uri = ipaldap.get_ldap_uri(r_hostname, PORT,
cacert=paths.IPA_CA_CRT)
r_conn = ipaldap.LDAPClient(ldap_uri, cacert=paths.IPA_CA_CRT)
if r_bindpw:
r_conn.simple_bind(r_binddn, r_bindpw)
else:
@@ -1614,7 +1618,7 @@ class ReplicationManager(object):
conn.update_entry(entry)
def setup_promote_replication(self, r_hostname, r_binddn=None,
r_bindpw=None, cacert=CACERT):
r_bindpw=None, cacert=paths.IPA_CA_CRT):
# note - there appears to be a bug in python-ldap - it does not
# allow connections using two different CA certs
ldap_uri = ipaldap.get_ldap_uri(r_hostname)


@@ -25,7 +25,6 @@ from ipaplatform import services
from ipaplatform.paths import paths
from ipaplatform.tasks import tasks
from ipalib import api, constants, errors, x509
from ipalib.constants import CACERT
from ipalib.util import (
validate_domain_name,
network_ip_address_warning,
@@ -782,11 +781,11 @@ def install(installer):
# Now put the CA cert where other instances exepct it
ca_instance = cainstance.CAInstance(realm_name, certs.NSS_DIR)
ca_instance.publish_ca_cert(CACERT)
ca_instance.publish_ca_cert(paths.IPA_CA_CRT)
else:
# Put the CA cert where other instances expect it
x509.write_certificate(http_ca_cert, CACERT)
os.chmod(CACERT, 0o444)
x509.write_certificate(http_ca_cert, paths.IPA_CA_CRT)
os.chmod(paths.IPA_CA_CRT, 0o444)
# we now need to enable ssl on the ds
ds.enable_ssl()
@@ -844,8 +843,8 @@ def install(installer):
# Export full CA chain
ca_db = certs.CertDB(realm_name)
os.chmod(CACERT, 0o644)
ca_db.publish_ca_cert(CACERT)
os.chmod(paths.IPA_CA_CRT, 0o644)
ca_db.publish_ca_cert(paths.IPA_CA_CRT)
set_subject_in_config(realm_name, dm_password,
ipautil.realm_to_suffix(realm_name), options.subject)
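Review bot: The two publication paths leave the CA bundle with different modes — `os.chmod(paths.IPA_CA_CRT, 0o444)` after x509.write_certificate in the first hunk versus `os.chmod(paths.IPA_CA_CRT, 0o644)` before ca_db.publish_ca_cert in the second — and neither site says why. If the difference is deliberate (the 0o644 site presumably rewrites the file as part of the full-chain export, which I cannot confirm from these hunks), a one-line why-comment at the 0o444 site such as `# read-only on purpose; the CA-chain export below re-publishes with 0o644` would stop the next maintainer from "fixing" one mode to match the other; if it is not deliberate, the two should agree. The enclosing install() starts and ends outside both hunks.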


@@ -31,7 +31,8 @@ import os
import ldap as _ldap
from ipalib import krb_utils, constants
from ipalib import krb_utils
from ipaplatform.paths import paths
from ipapython.dn import DN
from ipapython.ipaldap import (LDAPClient, AUTOBIND_AUTO, AUTOBIND_ENABLED,
AUTOBIND_DISABLED)
@@ -154,7 +155,7 @@ class ldap2(CrudBackend, LDAPClient):
assert isinstance(bind_dn, DN)
if cacert is None:
cacert = constants.CACERT
cacert = paths.IPA_CA_CRT
if time_limit is not _missing:
self.time_limit = time_limit