mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-01-13 09:41:55 -06:00
5e96fbc22a
Part of the effort to port FreeIPA to Arch Linux, where Python 3 is the default. FreeIPA hasn't been ported to Python 3, so the code must be modified to run /usr/bin/python2 https://fedorahosted.org/freeipa/ticket/3438 Updated by pviktori@redhat.com
84 lines
2.9 KiB
Python
84 lines
2.9 KiB
Python
#!/usr/bin/python2 -E
|
|
#
|
|
# Authors:
|
|
# Rob Crittenden <rcritten@redhat.com>
|
|
#
|
|
# Copyright (C) 2012 Red Hat
|
|
# see file 'COPYING' for use and warranty information
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
# The certificate rewewal is done on only one dogtag CA. The others
|
|
# retrieve the updated certificate from IPA.
|
|
|
|
import os
|
|
# Prevent garbage from readline on standard output
|
|
# (see https://fedorahosted.org/freeipa/ticket/4064)
|
|
if not os.isatty(1):
|
|
os.environ['TERM'] = 'dumb'
|
|
import sys
|
|
import shutil
|
|
import tempfile
|
|
import syslog
|
|
from ipalib import api
|
|
from ipapython.dn import DN
|
|
from ipalib import errors
|
|
from ipalib import x509
|
|
from ipapython import services as ipaservices
|
|
from ipapython import ipautil
|
|
from ipaserver.install import certs
|
|
from ipaserver.plugins.ldap2 import ldap2
|
|
import base64
|
|
|
|
# We cheat and pass in the nickname as the CA profile to execute against.
|
|
# Some way is needed to determine which entry to retrieve from LDAP
|
|
operation = os.environ.get('CERTMONGER_OPERATION')
|
|
nickname = os.environ.get('CERTMONGER_CA_PROFILE')
|
|
|
|
if operation not in ['SUBMIT', 'POLL']:
|
|
sys.exit(6) # unsupported operation
|
|
|
|
api.bootstrap(context='renew')
|
|
api.finalize()
|
|
|
|
# Update or add it
|
|
tmpdir = tempfile.mkdtemp(prefix = "tmp-")
|
|
try:
|
|
dn = DN(('cn', nickname), ('cn', 'ca_renewal'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
|
|
principal = str('host/%s@%s' % (api.env.host, api.env.realm))
|
|
ccache = ipautil.kinit_hostprincipal('/etc/krb5.keytab', tmpdir, principal)
|
|
conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri)
|
|
conn.connect(ccache=ccache)
|
|
try:
|
|
syslog.syslog(syslog.LOG_NOTICE, "Updating certificate for %s" % nickname)
|
|
(entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate'])
|
|
cert = entry_attrs['usercertificate'][0]
|
|
cert = base64.b64encode(cert)
|
|
print x509.make_pem(cert)
|
|
except errors.NotFound:
|
|
syslog.syslog(syslog.LOG_INFO, "Updated certificate for %s not available" % nickname)
|
|
# No cert available yet, tell certmonger to wait another 8 hours
|
|
print 8 * 60 * 60
|
|
sys.exit(5)
|
|
finally:
|
|
conn.disconnect()
|
|
except Exception, e:
|
|
syslog.syslog(syslog.LOG_ERR, "Exception trying to retrieve %s: %s" % (nickname, e))
|
|
# Unhandled error
|
|
sys.exit(3)
|
|
finally:
|
|
shutil.rmtree(tmpdir)
|
|
|
|
sys.exit(0)
|