Add ca-disable and ca-enable commands

We soon plan to revoke certificates upon lightweight CA deletion. This makes it important to provide a way to prevent a CA from issuing certificates whilst not deleting and revoking it, and continuing to allow management of issued certs. This commit adds the ca-disable and ca-enable commands. Fixes: https://fedorahosted.org/freeipa/ticket/6257 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2025-02-25 18:55:28 -06:00 · 2016-08-25 17:00:01 +10:00 · 2016-08-25 17:00:01 +10:00 · b037e54e45
commit b037e54e45
parent a68da14654
4 changed files with 88 additions and 4 deletions
--- a/API.txt
+++ b/API.txt
@ -465,6 +465,20 @@ option: Str('version?')
 output: Output('result', type=[<type 'dict'>])
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: ListOfPrimaryKeys('value')
+command: ca_disable/1
+args: 1,1,3
+arg: Str('cn', cli_name='name')
+option: Str('version?')
+output: Output('result', type=[<type 'bool'>])
+output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
+output: PrimaryKey('value')
+command: ca_enable/1
+args: 1,1,3
+arg: Str('cn', cli_name='name')
+option: Str('version?')
+output: Output('result', type=[<type 'bool'>])
+output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
+output: PrimaryKey('value')
 command: ca_find/1
 args: 1,11,4
 arg: Str('criteria?')
@ -6249,6 +6263,8 @@ default: batch/1
 default: ca/1
 default: ca_add/1
 default: ca_del/1
+default: ca_disable/1
+default: ca_enable/1
 default: ca_find/1
 default: ca_is_enabled/1
 default: ca_mod/1
--- a/4
+++ b/4
@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
 #                                                      #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=213
-# Last change: dns: prompt for missing record parts in CLI
+IPA_API_VERSION_MINOR=214
+# Last change: ftweedal: add ca-disable and ca-enable commands
--- a/ipaserver/plugins/ca.py
+++ b/ipaserver/plugins/ca.py
@ -2,12 +2,12 @@
 # Copyright (C) 2016  FreeIPA Contributors see COPYING for license
 #

-from ipalib import api, errors, DNParam, Str
+from ipalib import api, errors, output, DNParam, Str
 from ipalib.constants import IPA_CA_CN
 from ipalib.plugable import Registry
 from ipaserver.plugins.baseldap import (
    LDAPObject, LDAPSearch, LDAPCreate, LDAPDelete,
-    LDAPUpdate, LDAPRetrieve)
+    LDAPUpdate, LDAPRetrieve, LDAPQuery, pkey_to_value)
 from ipaserver.plugins.cert import ca_enabled_check
 from ipalib import _, ngettext

@ -18,6 +18,14 @@ Manage Certificate Authorities
 Subordinate Certificate Authorities (Sub-CAs) can be added for scoped issuance
 of X.509 certificates.

+CAs are enabled on creation, but their use is subject to CA ACLs unless the
+operator has permission to bypass CA ACLs.
+
+All CAs except the 'IPA' CA can be disabled or re-enabled.  Disabling a CA
+prevents it from issuing certificates but does not affect the validity of its
+certificate.
+
+
 EXAMPLES:

  Create new CA, subordinate to the IPA CA.
@ -25,6 +33,14 @@ EXAMPLES:
    ipa ca-add puppet --desc "Puppet" \\
        --subject "CN=Puppet CA,O=EXAMPLE.COM"

+  Disable a CA.
+
+    ipa ca-disable puppet
+
+  Re-enable a CA.
+
+    ipa ca-enable puppet
+
 """)


@ -222,3 +238,49 @@ class ca_mod(LDAPUpdate):
                    reason=u'IPA CA cannot be renamed')

        return dn
+
+
+class CAQuery(LDAPQuery):
+    has_output = output.standard_value
+
+    def execute(self, cn, **options):
+        ca_enabled_check()
+
+        ca_id = self.api.Command.ca_show(cn)['result']['ipacaid'][0]
+        with self.api.Backend.ra_lightweight_ca as ca_api:
+            self.perform_action(ca_api, ca_id)
+
+        return dict(
+            result=True,
+            value=pkey_to_value(cn, options),
+        )
+
+    def perform_action(self, ca_api, ca_id):
+        raise NotImplementedError
+
+
+@register()
+class ca_disable(CAQuery):
+    __doc__ = _('Disable a CA.')
+    msg_summary = _('Disabled CA "%(value)s"')
+
+    def execute(self, cn, **options):
+        if cn == IPA_CA_CN:
+            raise errors.ProtectedEntryError(
+                label=_("CA"),
+                key=cn,
+                reason=_("IPA CA cannot be disabled"))
+
+        return super(ca_disable, self).execute(cn, **options)
+
+    def perform_action(self, ca_api, ca_id):
+        ca_api.disable_ca(ca_id)
+
+
+@register()
+class ca_enable(CAQuery):
+    __doc__ = _('Enable a CA.')
+    msg_summary = _('Enabled CA "%(value)s"')
+
+    def perform_action(self, ca_api, ca_id):
+        ca_api.enable_ca(ca_id)
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@ -2211,5 +2211,11 @@ class ra_lightweight_ca(RestClient):
            headers={'Accept': 'application/json'},
        )

+    def enable_ca(self, ca_id):
+        self._ssldo(
+            'POST', ca_id + '/enable',
+            headers={'Accept': 'application/json'},
+        )
+
    def delete_ca(self, ca_id):
        self._ssldo('DELETE', ca_id)