mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-25 08:21:05 -06:00
b606fa6cca
When search for duplicate CA certs ignore the one expected entry. Related: https://pagure.io/freeipa/issue/7125 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
91 lines
3.2 KiB
Python
91 lines
3.2 KiB
Python
# Authors:
|
|
# Florence Blanc-Renaud <flo@redhat.com>
|
|
#
|
|
# Copyright (C) 2017 Red Hat
|
|
# see file 'COPYING' for use and warranty information
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
import logging
|
|
|
|
from ipalib import Registry, errors
|
|
from ipalib import Updater
|
|
from ipalib.install import certstore
|
|
from ipapython.dn import DN
|
|
from ipapython.certdb import get_ca_nickname
|
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
register = Registry()
|
|
|
|
|
|
@register()
|
|
class update_fix_duplicate_cacrt_in_ldap(Updater):
|
|
"""
|
|
When multiple entries exist for IPA CA cert in ldap, remove the duplicate
|
|
|
|
After this plugin has removed duplicate entries, DS needs to be
|
|
restarted. This ensures that the attribute uniqueness plugin is working
|
|
and prevents other plugins from adding duplicates.
|
|
"""
|
|
|
|
def execute(self, **options):
|
|
# If CA is disabled, no need to check for duplicates of IPA CA
|
|
ca_enabled = self.api.Command.ca_is_enabled()['result']
|
|
if not ca_enabled:
|
|
return False, []
|
|
|
|
# Look for the IPA CA cert subject
|
|
ldap = self.api.Backend.ldap2
|
|
cacert_subject = certstore.get_ca_subject(
|
|
ldap,
|
|
self.api.env.container_ca,
|
|
self.api.env.basedn)
|
|
cacert_nick = get_ca_nickname(self.api.env.realm)
|
|
|
|
# Find if there are other certificates with the same subject
|
|
# They are duplicates resulting of BZ 1480102
|
|
base_dn = DN(('cn', 'certificates'), ('cn', 'ipa'), ('cn', 'etc'),
|
|
self.api.env.basedn)
|
|
filter = ldap.combine_filters(
|
|
[
|
|
# all certificates with CA cert subject
|
|
ldap.make_filter({'ipaCertSubject': cacert_subject}),
|
|
# except the default certificate
|
|
ldap.make_filter({'cn': cacert_nick}, rules=ldap.MATCH_NONE),
|
|
],
|
|
rules=ldap.MATCH_ALL
|
|
)
|
|
try:
|
|
result, _truncated = ldap.find_entries(
|
|
base_dn=base_dn,
|
|
filter=filter,
|
|
attrs_list=[])
|
|
except errors.NotFound:
|
|
# No duplicate, we're good
|
|
logger.debug("No duplicates for IPA CA in LDAP")
|
|
return False, []
|
|
|
|
logger.debug("Found %d entrie(s) for IPA CA in LDAP", len(result))
|
|
for entry in result:
|
|
# Remove the duplicate
|
|
try:
|
|
ldap.delete_entry(entry)
|
|
logger.debug("Removed the duplicate %s", entry.dn)
|
|
except Exception as e:
|
|
logger.warning("Failed to remove the duplicate %s: %s",
|
|
entry.dn, e)
|
|
|
|
return True, []
|