mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
149 lines
4.3 KiB
Python
Executable File
149 lines
4.3 KiB
Python
Executable File
#!/usr/bin/python2 -E
|
|
#
|
|
# Authors:
|
|
# Jan Cholasta <jcholast@redhat.com>
|
|
#
|
|
# Copyright (C) 2013 Red Hat
|
|
# see file 'COPYING' for use and warranty information
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
import os
|
|
# Prevent garbage from readline on standard output
|
|
# (see https://fedorahosted.org/freeipa/ticket/4064)
|
|
if not os.isatty(1):
|
|
os.environ['TERM'] = 'dumb'
|
|
import sys
|
|
import syslog
|
|
import traceback
|
|
import tempfile
|
|
import shutil
|
|
import base64
|
|
import contextlib
|
|
|
|
from ipapython import ipautil
|
|
from ipapython.dn import DN
|
|
from ipalib import api, errors, pkcs10, x509
|
|
from ipaserver.plugins.ldap2 import ldap2
|
|
|
|
# This is a certmonger CA helper script for IPA CA subsystem cert renewal. See
|
|
# https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/submit.txt for more
|
|
# info on certmonger CA helper scripts.
|
|
|
|
# Return codes. Names of the constants are taken from
|
|
# https://git.fedorahosted.org/cgit/certmonger.git/tree/src/submit-e.h
|
|
ISSUED = 0
|
|
WAIT = 1
|
|
REJECTED = 2
|
|
UNREACHABLE = 3
|
|
UNCONFIGURED = 4
|
|
WAIT_WITH_DELAY = 5
|
|
OPERATION_NOT_SUPPORTED_BY_HELPER = 6
|
|
|
|
@contextlib.contextmanager
|
|
def ldap_connect():
|
|
conn = None
|
|
tmpdir = tempfile.mkdtemp(prefix="tmp-")
|
|
try:
|
|
principal = str('host/%s@%s' % (api.env.host, api.env.realm))
|
|
ccache = ipautil.kinit_hostprincipal('/etc/krb5.keytab', tmpdir,
|
|
principal)
|
|
|
|
conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri)
|
|
conn.connect(ccache=ccache)
|
|
|
|
yield conn
|
|
finally:
|
|
if conn is not None and conn.isconnected():
|
|
conn.disconnect()
|
|
shutil.rmtree(tmpdir)
|
|
|
|
def request_cert():
|
|
"""
|
|
Request certificate from IPA CA.
|
|
"""
|
|
syslog.syslog(syslog.LOG_NOTICE,
|
|
"Forwarding request to dogtag-ipa-renew-agent")
|
|
|
|
path = '/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit'
|
|
args = [path] + sys.argv[1:]
|
|
stdout, stderr, rc = ipautil.run(args, raiseonerr=False, env=os.environ)
|
|
sys.stderr.write(stderr)
|
|
sys.stderr.flush()
|
|
|
|
syslog.syslog(syslog.LOG_NOTICE, "dogtag-ipa-renew-agent returned %d" % rc)
|
|
|
|
if stdout.endswith('\n'):
|
|
stdout = stdout[:-1]
|
|
|
|
return (rc, stdout)
|
|
|
|
def retrieve_cert():
|
|
"""
|
|
Retrieve new certificate from LDAP.
|
|
"""
|
|
csr = os.environ.get('CERTMONGER_CSR')
|
|
if not csr:
|
|
return (UNCONFIGURED, "Certificate request not provided")
|
|
|
|
nickname = pkcs10.get_friendlyname(csr)
|
|
if not nickname:
|
|
return (REJECTED, "No friendly name in the certificate request")
|
|
|
|
syslog.syslog(syslog.LOG_NOTICE, "Updating certificate for %s" % nickname)
|
|
|
|
with ldap_connect() as conn:
|
|
try:
|
|
entry = conn.get_entry(
|
|
DN(('cn', nickname), ('cn', 'ca_renewal'),
|
|
('cn', 'ipa'), ('cn', 'etc'), api.env.basedn),
|
|
['usercertificate'])
|
|
except errors.NotFound:
|
|
syslog.syslog(
|
|
syslog.LOG_INFO,
|
|
"Updated certificate for %s not available" % nickname)
|
|
# No cert available yet, tell certmonger to wait another 8 hours
|
|
return (WAIT_WITH_DELAY, 8 * 60 * 60)
|
|
|
|
cert = entry.single_value['usercertificate']
|
|
cert = base64.b64encode(cert)
|
|
cert = x509.make_pem(cert)
|
|
|
|
return (ISSUED, cert)
|
|
|
|
def main():
|
|
handlers = {
|
|
'ipaRetrieval': retrieve_cert,
|
|
}
|
|
|
|
api.bootstrap(context='renew')
|
|
api.finalize()
|
|
|
|
profile = os.environ.get('CERTMONGER_CA_PROFILE')
|
|
if profile:
|
|
handler = handlers.get(profile, request_cert)
|
|
else:
|
|
handler = request_cert
|
|
|
|
res = handler()
|
|
print res[1]
|
|
return res[0]
|
|
|
|
try:
|
|
sys.exit(main())
|
|
except Exception, e:
|
|
syslog.syslog(syslog.LOG_ERR, traceback.format_exc())
|
|
print "Internal error"
|
|
sys.exit(UNREACHABLE)
|