Clean up the PKI securitydomain when removing a server

PKI has its own internal knowledge of servers and services
in its securitydomain. This has not been cleaned up in the
past but is becoming more of an issue as PKI now relies on its
securitydomain for more things, and it has a healthcheck that
reports inconsistencies.

Removing entries is straightforward using the PKI REST API.

In order to operate on the API access is needed. There was an
unused Security Domain Administrators group that I've added to
the resourceACLS we created for managing the securitydomain.
The ipara user is added as a member of this group. The REST
API binds to the CA using the IPA RA certificate.

Related commits are b3c2197b7e
and ba4df6449a.

These resourceACLS were originally created as a backwards
compatibility mechanism for dogtag v9 and later only created when a
replica was installed purportedly to save a restart. I don't see
any reason to not have these defined. They are apparently needed due
to the PKI database upgrade issues.

In any case if the purpose was to suppress these ACLS it failed
because as soon as a replica with a CA was installed they were as
well, and we need this ACL in order to manage the securitydomain.

https://pagure.io/freeipa/issue/8930

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>

install/updates/50-dogtag10-migration.update

@@ -14,6 +14,9 @@ addifexist:resourceACLS:certServer.ca.certrequests:execute:allow (execute) group
 addifexist:resourceACLS:certServer.ca.certs:execute:allow (execute) group="Certificate Manager Agents":Agents may execute cert operations
 addifexist:resourceACLS:certServer.ca.groups:execute:allow (execute) group="Administrators":Admins may execute group operations
 addifexist:resourceACLS:certServer.ca.users:execute:allow (execute) group="Administrators":Admins may execute user operations
-replace:resourceACLS:certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group":Anybody is allowed to read domain.xml but only Subsystem group is allowed to modify the domain.xml::certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Anybody is allowed to read domain.xml but only Subsystem group and Enterprise Administrators are allowed to modify the domain.xml
+# new installation
+replace:resourceACLS:certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group":Anybody is allowed to read domain.xml but only Subsystem group is allowed to modify the domain.xml::certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators" || group="Security Domain Administrators":Anybody is allowed to read domain.xml but only Subsystem group and Enterprise Administrators are allowed to modify the domain.xml
+# upgraded installation
+replace:resourceACLS:certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Anybody is allowed to read domain.xml but only Subsystem group and Enterprise Administrators are allowed to modify the domain.xml::certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators" || group="Security Domain Administrators":Anybody is allowed to read domain.xml but only Subsystem group and Enterprise Administrators are allowed to modify the domain.xml
 replace:resourceACLS:certServer.ca.connectorInfo:read,modify:allow (modify,read) group="Enterprise KRA Administrators":Only Enterprise Administrators are allowed to update the connector information::certServer.ca.connectorInfo:read,modify:allow (read) group="Enterprise KRA Administrators";allow (modify) group="Enterprise KRA Administrators" || group="Subsystem Group":Only Enterprise Administrators and Subsystem Group are allowed to update the connector information
 addifexist:resourceACLS:certServer.profile.configuration:read,modify:allow (read,modify) group="Certificate Manager Agents":Certificate Manager agents may modify (create/update/delete) and read profiles

ipaserver/install/cainstance.py

@@ -435,10 +435,9 @@ class CAInstance(DogtagInstance):
                       configure_lightweight_ca_acls)
             self.step("Ensure lightweight CAs container exists",
                       ensure_lightweight_cas_container)
-            if self.clone and not promote:
+            self.step(
-                self.step(
+                "Ensuring backward compatibility",
-                    "Ensuring backward compatibility",
+                self.__dogtag10_migration)
-                    self.__dogtag10_migration)
             if promote:
                 self.step("destroying installation admin user",
                           self.teardown_admin)
@@ -794,6 +793,11 @@ class CAInstance(DogtagInstance):
             self.basedn)
         conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember')
 
+        # add ipara user to Security Domain Administrators group
+        group_dn = DN(('cn', 'Security Domain Administrators'),
+                      ('ou', 'groups'), self.basedn)
+        conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember')
+
     def __get_ca_chain(self):
         try:
             return dogtag.get_ca_certchain(ca_host=self.fqdn)

ipaserver/install/server/upgrade.py

@@ -1157,6 +1157,16 @@ def add_default_caacl(ca):
     sysupgrade.set_upgrade_state('caacl', 'add_default_caacl', True)
 
 
+def add_agent_to_security_domain_admins():
+    user_dn = DN(('uid', "ipara"), ('ou', 'People'), ('o', 'ipaca'))
+    group_dn = DN(('cn', 'Security Domain Administrators'), ('ou', 'groups'),
+                  ('o', 'ipaca'))
+    try:
+        api.Backend.ldap2.add_entry_to_group(user_dn, group_dn, 'uniqueMember')
+    except ipalib.errors.AlreadyGroupMember:
+        pass
+
+
 def setup_pkinit(krb):
     logger.info("[Setup PKINIT]")
 
@@ -1837,6 +1847,7 @@ def upgrade_configuration():
     migrate_to_authselect()
     add_systemd_user_hbac()
     add_admin_root_alias()
+    add_agent_to_security_domain_admins()
 
     sssd_update()
 

ipaserver/plugins/dogtag.py

@@ -2117,3 +2117,23 @@ class ra_lightweight_ca(RestClient):
 
     def delete_ca(self, ca_id):
         self._ssldo('DELETE', ca_id)
+
+
+@register()
+class ra_securitydomain(RestClient):
+    """
+    Security domain management backend plugin.
+
+    Dogtag handles the creation of securitydomain entries
+    we need to clean them up when an IPA server is removed.
+    """
+    path = 'securityDomain/hosts'
+
+    def delete_domain(self, hostname, type):
+        """
+        Delete a security domain
+        """
+        self._ssldo(
+            'DELETE', f'{type}%20{hostname}%20443',
+            headers={'Accept': 'application/json'}
+        )

ipaserver/plugins/server.py

@@ -756,6 +756,18 @@ class server_del(LDAPDelete):
             pkey, ignore_last_of_role=options.get('ignore_last_of_role', False)
         )
 
+        if self.api.Command.ca_is_enabled()['result']:
+            try:
+                with self.api.Backend.ra_securitydomain as domain_api:
+                    domain_api.delete_domain(pkey, 'KRA')
+                    domain_api.delete_domain(pkey, 'CA')
+            except Exception as e:
+                self.add_message(messages.ServerRemovalWarning(
+                    message=_(
+                        "Failed to remove server from security domain: %s" % e
+                    ))
+                )
+
         # remove the references to master's ldap/http principals
         self._remove_server_principal_references(pkey)