IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Add ca-disable and ca-enable commands

Browse Source 
We soon plan to revoke certificates upon lightweight CA deletion.
This makes it important to provide a way to prevent a CA from
issuing certificates whilst not deleting and revoking it, and
continuing to allow management of issued certs.

This commit adds the ca-disable and ca-enable commands.

Fixes: https://fedorahosted.org/freeipa/ticket/6257
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This commit is contained in:
Fraser Tweedale 2016-08-25 17:00:01 +10:00 committed by Martin Babinsky
parent a68da14654
commit b037e54e45
4 changed files with 88 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
API.txt
View File

@ -465,6 +465,20 @@ option: Str('version?')
output: Output('result', type=[<type 'dict'>]) output: Output('result', type=[<type 'dict'>])
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>]) output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: ListOfPrimaryKeys('value') output: ListOfPrimaryKeys('value')
command: ca_disable/1
args: 1,1,3
arg: Str('cn', cli_name='name')
option: Str('version?')
output: Output('result', type=[<type 'bool'>])
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: PrimaryKey('value')
command: ca_enable/1
args: 1,1,3
arg: Str('cn', cli_name='name')
option: Str('version?')
output: Output('result', type=[<type 'bool'>])
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: PrimaryKey('value')
command: ca_find/1 command: ca_find/1
args: 1,11,4 args: 1,11,4
arg: Str('criteria?') arg: Str('criteria?')
@ -6249,6 +6263,8 @@ default: batch/1
default: ca/1 default: ca/1
default: ca_add/1 default: ca_add/1
default: ca_del/1 default: ca_del/1
default: ca_disable/1
default: ca_enable/1
default: ca_find/1 default: ca_find/1
default: ca_is_enabled/1 default: ca_is_enabled/1
default: ca_mod/1 default: ca_mod/1

4
VERSION
View File

@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
# # # #
######################################################## ########################################################
IPA_API_VERSION_MAJOR=2 IPA_API_VERSION_MAJOR=2
IPA_API_VERSION_MINOR=213 IPA_API_VERSION_MINOR=214
# Last change: dns: prompt for missing record parts in CLI # Last change: ftweedal: add ca-disable and ca-enable commands

66
ipaserver/plugins/ca.py
View File

@ -2,12 +2,12 @@
# Copyright (C) 2016 FreeIPA Contributors see COPYING for license # Copyright (C) 2016 FreeIPA Contributors see COPYING for license
# #
from ipalib import api, errors, DNParam, Str from ipalib import api, errors, output, DNParam, Str
from ipalib.constants import IPA_CA_CN from ipalib.constants import IPA_CA_CN
from ipalib.plugable import Registry from ipalib.plugable import Registry
from ipaserver.plugins.baseldap import ( from ipaserver.plugins.baseldap import (
LDAPObject, LDAPSearch, LDAPCreate, LDAPDelete, LDAPObject, LDAPSearch, LDAPCreate, LDAPDelete,
LDAPUpdate, LDAPRetrieve) LDAPUpdate, LDAPRetrieve, LDAPQuery, pkey_to_value)
from ipaserver.plugins.cert import ca_enabled_check from ipaserver.plugins.cert import ca_enabled_check
from ipalib import _, ngettext from ipalib import _, ngettext
@ -18,6 +18,14 @@ Manage Certificate Authorities
Subordinate Certificate Authorities (Sub-CAs) can be added for scoped issuance Subordinate Certificate Authorities (Sub-CAs) can be added for scoped issuance
of X.509 certificates. of X.509 certificates.
CAs are enabled on creation, but their use is subject to CA ACLs unless the
operator has permission to bypass CA ACLs.
All CAs except the 'IPA' CA can be disabled or re-enabled. Disabling a CA
prevents it from issuing certificates but does not affect the validity of its
certificate.
EXAMPLES: EXAMPLES:
Create new CA, subordinate to the IPA CA. Create new CA, subordinate to the IPA CA.
@ -25,6 +33,14 @@ EXAMPLES:
ipa ca-add puppet --desc "Puppet" \\ ipa ca-add puppet --desc "Puppet" \\
--subject "CN=Puppet CA,O=EXAMPLE.COM" --subject "CN=Puppet CA,O=EXAMPLE.COM"
Disable a CA.
ipa ca-disable puppet
Re-enable a CA.
ipa ca-enable puppet
""") """)
@ -222,3 +238,49 @@ class ca_mod(LDAPUpdate):
reason=u'IPA CA cannot be renamed') reason=u'IPA CA cannot be renamed')
return dn return dn
class CAQuery(LDAPQuery):
has_output = output.standard_value
def execute(self, cn, **options):
ca_enabled_check()
ca_id = self.api.Command.ca_show(cn)['result']['ipacaid'][0]
with self.api.Backend.ra_lightweight_ca as ca_api:
self.perform_action(ca_api, ca_id)
return dict(
result=True,
value=pkey_to_value(cn, options),
)
def perform_action(self, ca_api, ca_id):
raise NotImplementedError
@register()
class ca_disable(CAQuery):
__doc__ = _('Disable a CA.')
msg_summary = _('Disabled CA "%(value)s"')
def execute(self, cn, **options):
if cn == IPA_CA_CN:
raise errors.ProtectedEntryError(
label=_("CA"),
key=cn,
reason=_("IPA CA cannot be disabled"))
return super(ca_disable, self).execute(cn, **options)
def perform_action(self, ca_api, ca_id):
ca_api.disable_ca(ca_id)
@register()
class ca_enable(CAQuery):
__doc__ = _('Enable a CA.')
msg_summary = _('Enabled CA "%(value)s"')
def perform_action(self, ca_api, ca_id):
ca_api.enable_ca(ca_id)

6
ipaserver/plugins/dogtag.py
View File

@ -2211,5 +2211,11 @@ class ra_lightweight_ca(RestClient):
headers={'Accept': 'application/json'}, headers={'Accept': 'application/json'},
) )
def enable_ca(self, ca_id):
self._ssldo(
'POST', ca_id + '/enable',
headers={'Accept': 'application/json'},
)
def delete_ca(self, ca_id): def delete_ca(self, ca_id):
self._ssldo('DELETE', ca_id) self._ssldo('DELETE', ca_id)