Add versions to the ACME config templates and update on upgrade

Put the ACME config files under normal IPA versioning so we can more seamlessly do updates to them. Signed-off-by: Rob Crittenden <rcritten@redhat.com> https://pagure.io/freeipa/issue/8712 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2025-01-26 16:16:31 -06:00 · 2021-02-10 14:54:56 -05:00 · 2021-02-10 14:54:56 -05:00 · b1e72cb12e
commit b1e72cb12e
parent d2d487bccc
7 changed files with 36 additions and 9 deletions
--- a/install/share/pki-acme-configsources.conf.template
+++ b/install/share/pki-acme-configsources.conf.template
@ -1,2 +1,3 @@
+# VERSION 2 - DO NOT REMOVE THIS LINE
 engine.class=org.dogtagpki.acme.server.ACMEEngineConfigFileSource
 engine.filename=/etc/pki/pki-tomcat/acme/engine.conf
--- a/install/share/pki-acme-database.conf.template
+++ b/install/share/pki-acme-database.conf.template
@ -1,3 +1,4 @@
+# VERSION 2 - DO NOT REMOVE THIS LINE
 class=org.dogtagpki.acme.database.LDAPDatabase
 basedn=ou=acme,o=ipaca
 configFile=/etc/pki/pki-tomcat/ca/CS.cfg
--- a/install/share/pki-acme-engine.conf.template
+++ b/install/share/pki-acme-engine.conf.template
@ -1,3 +1,4 @@
+# VERSION 2 - DO NOT REMOVE THIS LINE
 # Parameters read by ACMEEngineConfigFileSource, i.e. these are
 # expected to be in the file pointed to by the 'filename' directive
 # above.
--- a/install/share/pki-acme-issuer.conf.template
+++ b/install/share/pki-acme-issuer.conf.template
@ -1,3 +1,4 @@
+# VERSION 2 - DO NOT REMOVE THIS LINE
 class=org.dogtagpki.acme.issuer.PKIIssuer
 url=https://$FQDN:8443
 profile=acmeIPAServerCert
--- a/install/share/pki-acme-realm.conf.template
+++ b/install/share/pki-acme-realm.conf.template
@ -1,3 +1,4 @@
+# VERSION 2 - DO NOT REMOVE THIS LINE
 authType=BasicAuth
 class=org.dogtagpki.acme.realm.DSRealm
 groupsDN=ou=groups,o=ipaca
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@ -77,6 +77,15 @@ ACME_AGENT_GROUP = 'Enterprise ACME Administrators'

 PROFILES_DN = DN(('ou', 'certificateProfiles'), ('ou', 'ca'), ('o', 'ipaca'))

+ACME_CONFIG_FILES = (
+    ('pki-acme-configsources.conf.template',
+        paths.PKI_ACME_CONFIGSOURCES_CONF),
+    ('pki-acme-database.conf.template', paths.PKI_ACME_DATABASE_CONF),
+    ('pki-acme-engine.conf.template', paths.PKI_ACME_ENGINE_CONF),
+    ('pki-acme-issuer.conf.template', paths.PKI_ACME_ISSUER_CONF),
+    ('pki-acme-realm.conf.template', paths.PKI_ACME_REALM_CONF),
+)
+

 def check_ports():
    """Check that dogtag ports (8080, 8443) are available.
@ -1524,20 +1533,12 @@ class CAInstance(DogtagInstance):
        ipautil.run(['pki-server', 'acme-create'])

        # write configuration files
-        files = [
-            ('pki-acme-configsources.conf.template',
-                paths.PKI_ACME_CONFIGSOURCES_CONF),
-            ('pki-acme-database.conf.template', paths.PKI_ACME_DATABASE_CONF),
-            ('pki-acme-engine.conf.template', paths.PKI_ACME_ENGINE_CONF),
-            ('pki-acme-issuer.conf.template', paths.PKI_ACME_ISSUER_CONF),
-            ('pki-acme-realm.conf.template', paths.PKI_ACME_REALM_CONF),
-        ]
        sub_dict = dict(
            FQDN=self.fqdn,
            USER=acme_user,
            PASSWORD=password,
        )
-        for template_name, target in files:
+        for template_name, target in ACME_CONFIG_FILES:
            template_filename = \
                os.path.join(paths.USR_SHARE_IPA_DIR, template_name)
            filled = ipautil.template_file(template_filename, sub_dict)
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@ -1526,6 +1526,26 @@ def bind_old_upgrade_states():
        sysupgrade.remove_upgrade_state("dns", state)


+def ca_update_acme_configuration(ca, fqdn):
+    """
+    Re-apply the templates in case anyting has been updated.
+    """
+    password = directivesetter.get_directive(
+        paths.PKI_ACME_ISSUER_CONF,
+        'password',
+        separator='=')
+    acme_user = ca.acme_uid(fqdn)
+    sub_dict = dict(
+        FQDN=fqdn,
+        USER=acme_user,
+        PASSWORD=password,
+    )
+    for template_name, target in cainstance.ACME_CONFIG_FILES:
+        upgrade_file(sub_dict, target,
+                     os.path.join(paths.USR_SHARE_IPA_DIR,
+                                  template_name))
+
+
 def upgrade_configuration():
    """
    Execute configuration upgrade of the IPA services
@ -1797,6 +1817,7 @@ def upgrade_configuration():
        ca.setup_lightweight_ca_key_retrieval()
        cainstance.ensure_ipa_authority_entry()
        ca.setup_acme()
+        ca_update_acme_configuration(ca, fqdn)
        ca_initialize_hsm_state(ca)

    migrate_to_authselect()