From a2a006c74667155e5e4c4a1bb0bd9c12da9b4aed Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Fri, 22 Mar 2019 13:37:45 +1100
Subject: [PATCH] Extract ca_renewal cert update subroutine
When the CA renewal master renews certificates that are shared across CA replicas, it puts them in LDAP for the other CA replicas to see. The code to create/update these entries lives in the dogtag-ipa-ca-renew-agent renewal helper, but it will be useful for the ipa-cert-fix program too. Extract it to a subroutine in the cainstance module.
Part of: https://pagure.io/freeipa/issue/7885
Reviewed-By: Florence Blanc-Renaud
---
 .../dogtag-ipa-ca-renew-agent-submit.in | 16 +-----------
 ipaserver/install/cainstance.py | 26 +++++++++++++++++++
 2 files changed, 27 insertions(+), 15 deletions(-)
diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in b/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in
index 6961740be..8171207f9 100644
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in
@@ -270,23 +270,9 @@ def store_cert(**kwargs):
 return (REJECTED, "New certificate requests not supported")
 cert = x509.load_pem_x509_certificate(cert.encode('ascii'))
- dn = DN(('cn', nickname), ('cn', 'ca_renewal'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
 try:
 with ldap_connect() as conn:
- try:
- entry = conn.get_entry(dn, ['usercertificate'])
- entry['usercertificate'] = [cert]
- conn.update_entry(entry)
- except errors.NotFound:
- entry = conn.make_entry(
- dn,
- objectclass=['top', 'pkiuser', 'nscontainer'],
- cn=[nickname],
- usercertificate=[cert])
- conn.add_entry(entry)
- except errors.EmptyModlist:
- pass
+ cainstance.update_ca_renewal_entry(conn, nickname, cert)
 except Exception as e:
 attempts += 1
 if attempts < 10:
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index c5967140a..7b19c4c19 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1619,6 +1619,32 @@ def update_authority_entry(cert):
 return __update_entry_from_cert(make_filter, make_entry, cert)
+def update_ca_renewal_entry(conn, nickname, cert):
+ """
+ Update the ca_renewal entry for the given nickname.
+
+ :param conn: A *connected* LDAP handle
+ :param nickname: NSSDB nickname
+ :param cert: python-cryptography X509Certificate
+
+ """
+ dn = DN(('cn', nickname), ('cn', 'ca_renewal'),
+ ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
+ try:
+ entry = conn.get_entry(dn, ['usercertificate'])
+ entry['usercertificate'] = [cert]
+ conn.update_entry(entry)
+ except errors.NotFound:
+ entry = conn.make_entry(
+ dn,
+ objectclass=['top', 'pkiuser', 'nscontainer'],
+ cn=[nickname],
+ usercertificate=[cert])
+ conn.add_entry(entry)
+ except errors.EmptyModlist:
+ pass
+
+
 def ensure_ldap_profiles_container():
 ensure_entry(
 DN(('ou', 'certificateProfiles'), ('ou', 'ca'), ('o', 'ipaca')),
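Review bot: The `except errors.EmptyModlist: pass` at the end of update_ca_renewal_entry is undocumented, so a reader can mistake it for a swallowed error rather than the case where the entry already holds exactly this certificate; add `# entry already holds this cert; nothing to update` above the `pass`. The docstring also says nothing about failure: from the caller in dogtag-ipa-ca-renew-agent-submit.in it appears that any other LDAP error is expected to propagate so the helper's retry loop can act on it, and that should be stated (e.g. a `:raises:` line saying other ipalib errors from the get/update/add are not caught). Since the function reads `api.env.basedn`, the docstring should also note that the caller must have initialised `api` before calling, which matters for the new ipa-cert-fix use the commit message mentions. The function is complete within this hunk.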