Extract ca_renewal cert update subroutine

When the CA renewal master renews certificates that are shared
across CA replicas, it puts them in LDAP for the other CA replicas
to see.  The code to create/update these entries lives in the
dogtag-ipa-ca-renew-agent renewal helper, but it will be useful for
the ipa-cert-fix program too.  Extract it to a subroutine in the
cainstance module.

Part of: https://pagure.io/freeipa/issue/7885

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Fraser Tweedale 2019-03-22 13:37:45 +11:00
parent 0b21e2ab9f
commit a2a006c746
2 changed files with 27 additions and 15 deletions


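--- a/<PATH-PLACEHOLDER: dogtag-ipa-ca-renew-agent>
+++ b/<PATH-PLACEHOLDER: dogtag-ipa-ca-renew-agent>
@@ -270,23 +270,9 @@ def store_cert(**kwargs):
 return (REJECTED, "New certificate requests not supported")
 cert = x509.load_pem_x509_certificate(cert.encode('ascii'))
-dn = DN(('cn', nickname), ('cn', 'ca_renewal'),
-('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
 try:
 with ldap_connect() as conn:
-try:
-entry = conn.get_entry(dn, ['usercertificate'])
-entry['usercertificate'] = [cert]
-conn.update_entry(entry)
-except errors.NotFound:
-entry = conn.make_entry(
-dn,
-objectclass=['top', 'pkiuser', 'nscontainer'],
-cn=[nickname],
-usercertificate=[cert])
-conn.add_entry(entry)
-except errors.EmptyModlist:
-pass
+cainstance.update_ca_renewal_entry(conn, nickname, cert)
 except Exception as e:
 attempts += 1
 if attempts < 10: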
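Review bot: The removed lines were the only visible uses of `DN` and `errors` in this part of store_cert, so the agent's corresponding top-of-file imports may now be unused; the import section is outside the hunk and worth a check before merging. The helper call now sits directly under `with ldap_connect() as conn:` inside the outer `try`, so LDAP failures other than the NotFound/EmptyModlist cases the helper absorbs still reach the `except Exception` retry below, which appears to be the intent. store_cert's body starts and ends outside the hunk.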


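--- a/<PATH-PLACEHOLDER: cainstance module>
+++ b/<PATH-PLACEHOLDER: cainstance module>
@@ -1619,6 +1619,32 @@ def update_authority_entry(cert):
 return __update_entry_from_cert(make_filter, make_entry, cert)
+def update_ca_renewal_entry(conn, nickname, cert):
+"""
+Update the ca_renewal entry for the given nickname.
+:param conn: A *connected* LDAP handle
+:param nickname: NSSDB nickname
+:param cert: python-cryptography X509Certificate
+"""
+dn = DN(('cn', nickname), ('cn', 'ca_renewal'),
+('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
+try:
+entry = conn.get_entry(dn, ['usercertificate'])
+entry['usercertificate'] = [cert]
+conn.update_entry(entry)
+except errors.NotFound:
+entry = conn.make_entry(
+dn,
+objectclass=['top', 'pkiuser', 'nscontainer'],
+cn=[nickname],
+usercertificate=[cert])
+conn.add_entry(entry)
+except errors.EmptyModlist:
+pass
 def ensure_ldap_profiles_container():
 ensure_entry(
 DN(('ou', 'certificateProfiles'), ('ou', 'ca'), ('o', 'ipaca')),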
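Review bot: The docstring of the new `update_ca_renewal_entry` leaves out the two behaviours a second caller such as ipa-cert-fix needs to know: the entry is created when it does not yet exist, and storing an unchanged certificate is accepted silently because `errors.EmptyModlist` is swallowed. I would add `Creates the entry if it does not exist; storing an identical certificate is a no-op.` to the docstring and `# certificate unchanged; nothing to do` above the `pass`, since a bare `pass` in an except clause otherwise reads like a swallowed error. If another writer creates the entry between `conn.get_entry` and `conn.add_entry`, `add_entry` would presumably raise `errors.DuplicateEntry`, which this function does not handle; the renewal agent's caller retries on any exception, but a new caller may not, so catching it and retrying the update path may be worth considering. `ensure_ldap_profiles_container` continues outside the hunk.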