constants: remove CACERT

CACERT depends on ipaplatform.

Replace all uses of CACERT with paths.IPA_CA_CRT and remove CACERT.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>

install/tools/ipa-csreplica-manage

@@ -25,11 +25,11 @@ from __future__ import print_function
 import sys
 import os
 
+from ipaplatform.paths import paths
 from ipapython.ipa_log_manager import root_logger
 from ipaserver.install import (replication, installutils, bindinstance,
     cainstance, certs)
 from ipalib import api, errors
-from ipalib.constants import CACERT
 from ipalib.util import has_managed_topology
 from ipapython import ipautil, ipaldap, version
 from ipapython.dn import DN
@@ -93,8 +93,8 @@ def list_replicas(realm, host, replica, dirman_passwd, verbose):
 
     try:
         # connect to main IPA LDAP server
-        ldap_uri = ipaldap.get_ldap_uri(host, 636, cacert=CACERT)
+        ldap_uri = ipaldap.get_ldap_uri(host, 636, cacert=paths.IPA_CA_CRT)
-        conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT)
+        conn = ipaldap.LDAPClient(ldap_uri, cacert=paths.IPA_CA_CRT)
         conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN,
                          bind_password=dirman_passwd)
 
@@ -295,8 +295,8 @@ def add_link(realm, replica1, replica2, dirman_passwd, options):
     except Exception as e:
         sys.exit(str(e))
     try:
-        ldap_uri = ipaldap.get_ldap_uri(replica2, 636, cacert=CACERT)
+        ldap_uri = ipaldap.get_ldap_uri(replica2, 636, cacert=paths.IPA_CA_CRT)
-        conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT)
+        conn = ipaldap.LDAPClient(ldap_uri, cacert=paths.IPA_CA_CRT)
         conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN,
                          bind_password=dirman_passwd)
 

install/tools/ipa-replica-manage

@@ -39,7 +39,6 @@ from ipaserver.install import bindinstance, cainstance, certs
 from ipaserver.install import opendnssecinstance, dnskeysyncinstance
 from ipapython import version, ipaldap
 from ipalib import api, errors
-from ipalib.constants import CACERT
 from ipalib.util import has_managed_topology, verify_host_resolvable
 from ipapython.ipa_log_manager import root_logger, standard_logging_setup
 from ipapython.dn import DN
@@ -167,8 +166,8 @@ def list_replicas(realm, host, replica, dirman_passwd, verbose, nolookup=False):
     peers = {}
 
     try:
-        ldap_uri = ipaldap.get_ldap_uri(host, 636, cacert=CACERT)
+        ldap_uri = ipaldap.get_ldap_uri(host, 636, cacert=paths.IPA_CA_CRT)
-        conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT)
+        conn = ipaldap.LDAPClient(ldap_uri, cacert=paths.IPA_CA_CRT)
         if dirman_passwd:
             conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN,
                              bind_password=dirman_passwd)
@@ -628,8 +627,8 @@ def clean_dangling_ruvs(realm, host, options):
     Cleans all RUVs and CS-RUVs that are left in the system from
     uninstalled replicas
     """
-    ldap_uri = ipaldap.get_ldap_uri(host, 636, cacert=CACERT)
+    ldap_uri = ipaldap.get_ldap_uri(host, 636, cacert=paths.IPA_CA_CRT)
-    conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT)
+    conn = ipaldap.LDAPClient(ldap_uri, cacert=paths.IPA_CA_CRT)
     try:
         conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN,
                          bind_password=options.dirman_passwd)
@@ -676,8 +675,8 @@ def clean_dangling_ruvs(realm, host, options):
     offlines = set()
     for master_cn, master_info in info.items():
         try:
-            ldap_uri = ipaldap.get_ldap_uri(master_cn, 636, cacert=CACERT)
+            ldap_uri = ipaldap.get_ldap_uri(master_cn, 636, cacert=paths.IPA_CA_CRT)
-            conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT)
+            conn = ipaldap.LDAPClient(ldap_uri, cacert=paths.IPA_CA_CRT)
             conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN,
                              bind_password=options.dirman_passwd)
             master_info['online'] = True

ipaclient/install/client.py

@@ -37,7 +37,6 @@ from ipaclient import (
 )
 from ipaclient.ipachangeconf import IPAChangeConf
 from ipalib import api, errors, x509
-from ipalib.constants import CACERT
 from ipalib.install import certmonger, certstore, service, sysrestore
 from ipalib.install import hostname as hostname_
 from ipalib.install.kinit import kinit_keytab, kinit_password
@@ -125,15 +124,15 @@ def get_cert_path(cert_path):
     """
     If a CA certificate is passed in on the command line, use that.
 
-    Else if a CA file exists in CACERT then use that.
+    Else if a CA file exists in paths.IPA_CA_CRT then use that.
 
     Otherwise return None.
     """
     if cert_path is not None:
         return cert_path
 
-    if os.path.exists(CACERT):
+    if os.path.exists(paths.IPA_CA_CRT):
-        return CACERT
+        return paths.IPA_CA_CRT
 
     return None
 
@@ -577,7 +576,7 @@ def configure_openldap_conf(fstore, cli_basedn, cli_server):
             'action': 'addifnotset',
             'name': 'TLS_CACERT',
             'type': 'option',
-            'value': CACERT
+            'value': paths.IPA_CA_CRT
         },
     ]
 
@@ -713,7 +712,8 @@ def configure_krb5_conf(
             ])
         kropts.append(krbconf.setOption('default_domain', cli_domain))
 
-    kropts.append(krbconf.setOption('pkinit_anchors', 'FILE: %s' % CACERT))
+    kropts.append(
+        krbconf.setOption('pkinit_anchors', 'FILE: %s' % paths.IPA_CA_CRT))
     ropts = [{
         'name': cli_realm,
         'type': 'subsection',
@@ -935,7 +935,7 @@ def configure_sssd_conf(
     # Note that SSSD will force StartTLS because the channel is later used for
     # authentication as well if password migration is enabled. Thus set
     # the option unconditionally.
-    domain.set_option('ldap_tls_cacert', CACERT)
+    domain.set_option('ldap_tls_cacert', paths.IPA_CA_CRT)
 
     if options.dns_updates:
         domain.set_option('dyndns_update', True)
@@ -1552,7 +1552,7 @@ def get_certs_from_ldap(server, base_dn, realm, ca_enabled):
 def get_ca_certs_from_file(url):
     """
     Get the CA cert from a user supplied file and write it into the
-    CACERT file.
+    paths.IPA_CA_CRT file.
 
     Raises errors.NoCertificateError if unable to read cert.
     Raises errors.FileError if unable to write cert.
@@ -1585,8 +1585,8 @@ def get_ca_certs_from_file(url):
 
 def get_ca_certs_from_http(url, warn=True):
     """
-    Use HTTP to retrieve the CA cert and write it into the CACERT file.
+    Use HTTP to retrieve the CA cert and write it into the paths.IPA_CA_CRT
-    This is insecure and should be avoided.
+    file. This is insecure and should be avoided.
 
     Raises errors.NoCertificateError if unable to retrieve and write cert.
     """
@@ -1615,7 +1615,7 @@ def get_ca_certs_from_ldap(server, basedn, realm):
     """
     Retrieve th CA cert from the LDAP server by binding to the
     server with GSSAPI using the current Kerberos credentials.
-    Write the retrieved cert into the CACERT file.
+    Write the retrieved cert into the paths.IPA_CA_CRT file.
 
     Raises errors.NoCertificateError if cert is not found.
     Raises errors.NetworkError if LDAP connection can't be established.
@@ -1650,7 +1650,7 @@ def validate_new_ca_certs(existing_ca_certs, new_ca_certs, ask,
     if existing_ca_certs > new_ca_certs:
         root_logger.warning(
             "The CA cert available from the IPA server does not match the\n"
-            "local certificate available at %s" % CACERT)
+            "local certificate available at %s" % paths.IPA_CA_CRT)
         root_logger.warning(
             cert_summary("Existing CA cert:", existing_ca_certs))
         root_logger.warning(
@@ -1671,7 +1671,7 @@ def get_ca_certs(fstore, options, server, basedn, realm):
     Examine the different options and determine a method for obtaining
     the CA cert.
 
-    If successful the CA cert will have been written into CACERT.
+    If successful the CA cert will have been written into paths.IPA_CA_CRT.
 
     Raises errors.NoCertificateError if not successful.
 
@@ -1698,7 +1698,7 @@ def get_ca_certs(fstore, options, server, basedn, realm):
     In all cases if HTTP is used emit warning message
     """
 
-    ca_file = CACERT + ".new"
+    ca_file = paths.IPA_CA_CRT + ".new"
 
     def ldap_url():
         return urlunparse(('ldap', ipautil.format_netloc(server),
@@ -1729,17 +1729,18 @@ def get_ca_certs(fstore, options, server, basedn, realm):
             raise errors.NoCertificateError(entry=url)
         root_logger.debug("CA cert provided by user, use it!")
     else:
-        if os.path.exists(CACERT):
+        if os.path.exists(paths.IPA_CA_CRT):
-            if os.path.isfile(CACERT):
+            if os.path.isfile(paths.IPA_CA_CRT):
                 try:
                     existing_ca_certs = x509.load_certificate_list_from_file(
-                        CACERT)
+                        paths.IPA_CA_CRT)
                 except Exception as e:
-                    raise errors.FileError(reason=u"Unable to load existing" +
+                    raise errors.FileError(
-                                           " CA cert '%s': %s" % (CACERT, e))
+                        reason=u"Unable to load existing CA cert '%s': %s" %
+                               (paths.IPA_CA_CRT, e))
             else:
                 raise errors.FileError(reason=u"Existing ca cert '%s' is " +
-                                       "not a plain file" % (CACERT))
+                                       "not a plain file" % (paths.IPA_CA_CRT))
 
         if otp_auth:
             if existing_ca_certs:
@@ -1828,14 +1829,14 @@ def get_ca_certs(fstore, options, server, basedn, realm):
                     ca_file, e)
             )
 
-        os.rename(ca_file, CACERT)
+        os.rename(ca_file, paths.IPA_CA_CRT)
 
     # Make sure the file permissions are correct
     try:
-        os.chmod(CACERT, 0o644)
+        os.chmod(paths.IPA_CA_CRT, 0o644)
     except Exception as e:
         raise errors.FileError(reason=u"Unable set permissions on ca "
-                               u"cert '%s': %s" % (CACERT, e))
+                               u"cert '%s': %s" % (paths.IPA_CA_CRT, e))
 
 # IMPORTANT: First line of FF config file is ignored
 FIREFOX_CONFIG_TEMPLATE = """
@@ -2048,9 +2049,10 @@ def install_check(options):
     # Check if old certificate exist and show warning
     if (
         not options.ca_cert_file and
-        get_cert_path(options.ca_cert_file) == CACERT
+        get_cert_path(options.ca_cert_file) == paths.IPA_CA_CRT
     ):
-        root_logger.warning("Using existing certificate '%s'.", CACERT)
+        root_logger.warning("Using existing certificate '%s'.",
+                            paths.IPA_CA_CRT)
 
     if not check_ip_addresses(options):
         raise ScriptError(rval=CLIENT_INSTALL_ERROR)
@@ -2673,7 +2675,7 @@ def _install(options):
             pass
 
         # Add CA certs to a temporary NSS database
-        ca_certs = x509.load_certificate_list_from_file(CACERT)
+        ca_certs = x509.load_certificate_list_from_file(paths.IPA_CA_CRT)
         ca_certs = [
             cert.public_bytes(serialization.Encoding.DER)
             for cert in ca_certs
@@ -3319,7 +3321,7 @@ def uninstall(options):
     tasks.remove_ca_certs_from_systemwide_ca_store()
 
     # Remove the CA cert
-    remove_file(CACERT)
+    remove_file(paths.IPA_CA_CRT)
 
     root_logger.info("Client uninstall complete.")
 

ipalib/constants.py

@@ -22,7 +22,6 @@
 All constants centralised in one file.
 """
 import socket
-from ipaplatform.paths import paths
 from ipapython.dn import DN
 from ipapython.version import VERSION, API_VERSION
 
@@ -34,9 +33,6 @@ except Exception:
     except Exception:
         FQDN = None
 
-# Path to CA certificate bundle
-CACERT = paths.IPA_CA_CRT
-
 # regular expression NameSpace member names must match:
 NAME_REGEX = r'^[a-z][_a-z0-9]*[a-z0-9]$|^[a-z]$'
 

ipaserver/install/dsinstance.py

@@ -47,7 +47,6 @@ from ipalib import errors
 from ipalib import constants
 from ipaplatform.constants import constants as platformconstants
 from ipaplatform.tasks import tasks
-from ipalib.constants import CACERT
 from ipapython.dn import DN
 from ipapython.admintool import ScriptError
 from ipaplatform import services
@@ -963,8 +962,8 @@ class DsInstance(service.Service):
                     "-y", dmpwdfile, "-T", admpwdfile,
                     str(DN(('uid', 'admin'), ('cn', 'users'), ('cn', 'accounts'), self.suffix))]
             try:
-                env = { 'LDAPTLS_CACERTDIR':os.path.dirname(CACERT),
+                env = {'LDAPTLS_CACERTDIR': os.path.dirname(paths.IPA_CA_CRT),
-                        'LDAPTLS_CACERT':CACERT }
+                       'LDAPTLS_CACERT': paths.IPA_CA_CRT}
                 ipautil.run(args, env=env)
                 root_logger.debug("ldappasswd done")
             except ipautil.CalledProcessError as e:

ipaserver/install/ipa_backup.py

@@ -38,7 +38,6 @@ from ipaserver.install.replication import wait_for_task
 from ipaserver.install import installutils
 from ipaserver.session import ISO8601_DATETIME_FMT
 from ipapython import ipaldap
-from ipalib.constants import CACERT
 from ipaplatform.constants import constants
 from ipaplatform.tasks import tasks
 
@@ -149,7 +148,7 @@ class Backup(admintool.AdminTool):
         paths.SSHD_CONFIG,
         paths.SSH_CONFIG,
         paths.KRB5_CONF,
-        CACERT,
+        paths.IPA_CA_CRT,
         paths.IPA_DEFAULT_CONF,
         paths.DS_KEYTAB,
         paths.NTP_CONF,

ipaserver/install/ipa_replica_prepare.py

@@ -45,7 +45,7 @@ from ipapython import version
 from ipalib import api
 from ipalib import errors
 from ipaplatform.paths import paths
-from ipalib.constants import CACERT, DOMAIN_LEVEL_0
+from ipalib.constants import DOMAIN_LEVEL_0
 
 UNSUPPORTED_DOMAIN_LEVEL_TEMPLATE = """
 Replica creation using '{command_name}' to generate replica file
@@ -201,7 +201,7 @@ class ReplicaPrepare(admintool.AdminTool):
             cert_files=cert_files,
             key_password=key_password,
             key_nickname=key_nickname,
-            ca_cert_files=[CACERT],
+            ca_cert_files=[paths.IPA_CA_CRT],
             host_name=self.replica_fqdn)
 
     def ask_for_options(self):

ipaserver/install/ipa_server_certinstall.py

@@ -29,7 +29,6 @@ from ipapython import admintool, ipautil
 from ipapython.certdb import get_ca_nickname, NSSDatabase
 from ipapython.dn import DN
 from ipalib import api, errors
-from ipalib.constants import CACERT
 from ipaserver.install import certs, dsinstance, installutils
 
 
@@ -191,7 +190,7 @@ class ServerCertInstall(admintool.AdminTool):
             cert_files=self.args,
             key_password=pkcs12_passwd,
             key_nickname=self.options.cert_name,
-            ca_cert_files=[CACERT],
+            ca_cert_files=[paths.IPA_CA_CRT],
             host_name=api.env.host)
 
         dirname = os.path.normpath(dirname)

ipaserver/install/krbinstance.py

@@ -32,7 +32,6 @@ from ipaserver.install import installutils
 from ipapython import ipautil
 from ipapython import kernel_keyring
 from ipalib import api
-from ipalib.constants import CACERT
 from ipapython.ipa_log_manager import root_logger
 from ipapython.dn import DN
 
@@ -352,7 +351,7 @@ class KrbInstance(service.Service):
 
         # Finally copy the cacert in the krb directory so we don't
         # have any selinux issues with the file context
-        shutil.copyfile(CACERT, paths.CACERT_PEM)
+        shutil.copyfile(paths.IPA_CA_CRT, paths.CACERT_PEM)
 
     def __add_anonymous_pkinit_principal(self):
         princ = "WELLKNOWN/ANONYMOUS"

ipaserver/install/replication.py

@@ -30,7 +30,6 @@ import ldap
 
 from ipalib import api, errors
 from ipalib.cli import textui
-from ipalib.constants import CACERT
 from ipapython.ipa_log_manager import root_logger
 from ipapython import ipautil, ipaldap, kerberos
 from ipapython.admintool import ScriptError
@@ -216,8 +215,8 @@ class ReplicationManager(object):
             # otherwise we'll do a GSSAPI bind.
             protocol = 'ldap' if starttls else None
             ldap_uri = ipaldap.get_ldap_uri(
-                hostname, port, protocol=protocol, cacert=CACERT)
+                hostname, port, protocol=protocol, cacert=paths.IPA_CA_CRT)
-            self.conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT,
+            self.conn = ipaldap.LDAPClient(ldap_uri, cacert=paths.IPA_CA_CRT,
                                            start_tls=starttls)
             if dirman_passwd:
                 self.conn.simple_bind(bind_dn=ipaldap.DIRMAN_DN,
@@ -1001,9 +1000,12 @@ class ReplicationManager(object):
             local_port = r_port
         # note - there appears to be a bug in python-ldap - it does not
         # allow connections using two different CA certs
-        ldap_uri = ipaldap.get_ldap_uri(r_hostname, r_port, cacert=CACERT,
+        ldap_uri = ipaldap.get_ldap_uri(r_hostname, r_port,
+                                        cacert=paths.IPA_CA_CRT,
                                         protocol='ldap')
-        r_conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT, start_tls=True)
+        r_conn = ipaldap.LDAPClient(ldap_uri,
+                                    cacert=paths.IPA_CA_CRT,
+                                    start_tls=True)
 
         if r_bindpw:
             r_conn.simple_bind(r_binddn, r_bindpw)
@@ -1045,7 +1047,7 @@ class ReplicationManager(object):
     def setup_winsync_replication(self,
                                   ad_dc_name, ad_binddn, ad_pwd,
                                   passsync_pw, ad_subtree,
-                                  cacert=CACERT):
+                                  cacert=paths.IPA_CA_CRT):
         self.ad_suffix = ""
         try:
             # Validate AD connection
@@ -1110,8 +1112,9 @@ class ReplicationManager(object):
             raise RuntimeError("Failed to start replication")
 
     def convert_to_gssapi_replication(self, r_hostname, r_binddn, r_bindpw):
-        ldap_uri = ipaldap.get_ldap_uri(r_hostname, PORT, cacert=CACERT)
+        ldap_uri = ipaldap.get_ldap_uri(r_hostname, PORT,
-        r_conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT)
+                                        cacert=paths.IPA_CA_CRT)
+        r_conn = ipaldap.LDAPClient(ldap_uri, cacert=paths.IPA_CA_CRT)
         if r_bindpw:
             r_conn.simple_bind(r_binddn, r_bindpw)
         else:
@@ -1141,8 +1144,9 @@ class ReplicationManager(object):
         """
         # note - there appears to be a bug in python-ldap - it does not
         # allow connections using two different CA certs
-        ldap_uri = ipaldap.get_ldap_uri(r_hostname, PORT, cacert=CACERT)
+        ldap_uri = ipaldap.get_ldap_uri(r_hostname, PORT,
-        r_conn = ipaldap.LDAPClient(ldap_uri, cacert=CACERT)
+                                        cacert=paths.IPA_CA_CRT)
+        r_conn = ipaldap.LDAPClient(ldap_uri, cacert=paths.IPA_CA_CRT)
         if r_bindpw:
             r_conn.simple_bind(r_binddn, r_bindpw)
         else:
@@ -1614,7 +1618,7 @@ class ReplicationManager(object):
         conn.update_entry(entry)
 
     def setup_promote_replication(self, r_hostname, r_binddn=None,
-                                  r_bindpw=None, cacert=CACERT):
+                                  r_bindpw=None, cacert=paths.IPA_CA_CRT):
         # note - there appears to be a bug in python-ldap - it does not
         # allow connections using two different CA certs
         ldap_uri = ipaldap.get_ldap_uri(r_hostname)

ipaserver/install/server/install.py

@@ -25,7 +25,6 @@ from ipaplatform import services
 from ipaplatform.paths import paths
 from ipaplatform.tasks import tasks
 from ipalib import api, constants, errors, x509
-from ipalib.constants import CACERT
 from ipalib.util import (
     validate_domain_name,
     network_ip_address_warning,
@@ -782,11 +781,11 @@ def install(installer):
 
         # Now put the CA cert where other instances exepct it
         ca_instance = cainstance.CAInstance(realm_name, certs.NSS_DIR)
-        ca_instance.publish_ca_cert(CACERT)
+        ca_instance.publish_ca_cert(paths.IPA_CA_CRT)
     else:
         # Put the CA cert where other instances expect it
-        x509.write_certificate(http_ca_cert, CACERT)
+        x509.write_certificate(http_ca_cert, paths.IPA_CA_CRT)
-        os.chmod(CACERT, 0o444)
+        os.chmod(paths.IPA_CA_CRT, 0o444)
 
     # we now need to enable ssl on the ds
     ds.enable_ssl()
@@ -844,8 +843,8 @@ def install(installer):
 
     # Export full CA chain
     ca_db = certs.CertDB(realm_name)
-    os.chmod(CACERT, 0o644)
+    os.chmod(paths.IPA_CA_CRT, 0o644)
-    ca_db.publish_ca_cert(CACERT)
+    ca_db.publish_ca_cert(paths.IPA_CA_CRT)
 
     set_subject_in_config(realm_name, dm_password,
                           ipautil.realm_to_suffix(realm_name), options.subject)

ipaserver/plugins/ldap2.py

@@ -31,7 +31,8 @@ import os
 
 import ldap as _ldap
 
-from ipalib import krb_utils, constants
+from ipalib import krb_utils
+from ipaplatform.paths import paths
 from ipapython.dn import DN
 from ipapython.ipaldap import (LDAPClient, AUTOBIND_AUTO, AUTOBIND_ENABLED,
                                AUTOBIND_DISABLED)
@@ -154,7 +155,7 @@ class ldap2(CrudBackend, LDAPClient):
         assert isinstance(bind_dn, DN)
 
         if cacert is None:
-            cacert = constants.CACERT
+            cacert = paths.IPA_CA_CRT
 
         if time_limit is not _missing:
             self.time_limit = time_limit