mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-28 01:41:14 -06:00
ba89635679
The DIR ccache format is now the default in krb5-server 1.11.2-4 but /run/user/<uid> isn't created for Apache by anything so it has no ccache (and it doesn't have SELinux permissions to write here either). Use KRB5CCNAME to set a file path instead in /etc/sysconfig/dirsrv. https://fedorahosted.org/freeipa/ticket/3628
972 lines
34 KiB
Python
972 lines
34 KiB
Python
#!/usr/bin/python
|
|
#
|
|
# Authors:
|
|
# Rob Crittenden <rcritten@redhat.com>
|
|
#
|
|
# Copyright (C) 2009 Red Hat
|
|
# see file 'COPYING' for use and warranty information
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
"""
|
|
Upgrade configuration files to a newer template.
|
|
"""
|
|
|
|
import sys
|
|
import re
|
|
import os
|
|
import shutil
|
|
import pwd
|
|
import fileinput
|
|
import ConfigParser
|
|
|
|
from ipalib import api
|
|
import ipalib.util
|
|
import ipalib.errors
|
|
from ipapython import ipautil, sysrestore, version, services
|
|
from ipapython.config import IPAOptionParser
|
|
from ipapython.ipa_log_manager import *
|
|
from ipapython import certmonger
|
|
from ipapython import dogtag
|
|
from ipapython.dn import DN
|
|
from ipaserver.install import installutils
|
|
from ipaserver.install import dsinstance
|
|
from ipaserver.install import httpinstance
|
|
from ipaserver.install import memcacheinstance
|
|
from ipaserver.install import bindinstance
|
|
from ipaserver.install import service
|
|
from ipaserver.install import cainstance
|
|
from ipaserver.install import certs
|
|
from ipaserver.install import sysupgrade
|
|
|
|
|
|
def parse_options():
|
|
parser = IPAOptionParser(version=version.VERSION)
|
|
parser.add_option("-d", "--debug", dest="debug", action="store_true",
|
|
default=False, help="print debugging information")
|
|
parser.add_option("-q", "--quiet", dest="quiet",
|
|
action="store_true",
|
|
default=False, help="Output only errors")
|
|
|
|
options, args = parser.parse_args()
|
|
safe_options = parser.get_safe_opts(options)
|
|
|
|
return safe_options, options
|
|
|
|
class KpasswdInstance(service.SimpleServiceInstance):
|
|
def __init__(self):
|
|
service.SimpleServiceInstance.__init__(self, "ipa_kpasswd")
|
|
|
|
def uninstall_ipa_kpasswd():
|
|
"""
|
|
We can't use the full service uninstaller because that will attempt
|
|
to stop and disable the service which by now doesn't exist. We just
|
|
want to clean up sysrestore.state to remove all references to
|
|
ipa_kpasswd.
|
|
"""
|
|
ipa_kpasswd = KpasswdInstance()
|
|
|
|
running = ipa_kpasswd.restore_state("running")
|
|
enabled = not ipa_kpasswd.restore_state("enabled")
|
|
|
|
if enabled is not None and not enabled:
|
|
ipa_kpasswd.remove()
|
|
|
|
def backup_file(filename, ext):
|
|
"""Make a backup of filename using ext as the extension. Do not overwrite
|
|
previous backups."""
|
|
if not os.path.isabs(filename):
|
|
raise ValueError("Absolute path required")
|
|
|
|
backupfile = filename + ".bak"
|
|
(reldir, file) = os.path.split(filename)
|
|
|
|
while os.path.exists(backupfile):
|
|
backupfile = backupfile + "." + str(ext)
|
|
|
|
try:
|
|
shutil.copy2(filename, backupfile)
|
|
except IOError, e:
|
|
if e.errno == 2: # No such file or directory
|
|
pass
|
|
else:
|
|
raise e
|
|
|
|
def update_conf(sub_dict, filename, template_filename):
|
|
template = ipautil.template_file(template_filename, sub_dict)
|
|
fd = open(filename, "w")
|
|
fd.write(template)
|
|
fd.close()
|
|
|
|
def find_hostname():
|
|
"""Find the hostname currently configured in ipa-rewrite.conf"""
|
|
filename="/etc/httpd/conf.d/ipa-rewrite.conf"
|
|
|
|
if not ipautil.file_exists(filename):
|
|
return None
|
|
|
|
pattern = "^[\s#]*.*https:\/\/([A-Za-z0-9\.\-]*)\/.*"
|
|
p = re.compile(pattern)
|
|
for line in fileinput.input(filename):
|
|
if p.search(line):
|
|
fileinput.close()
|
|
return p.search(line).group(1)
|
|
fileinput.close()
|
|
|
|
raise RuntimeError("Unable to determine the fully qualified hostname from %s" % filename)
|
|
|
|
def find_autoredirect(fqdn):
|
|
"""
|
|
When upgrading ipa-rewrite.conf we need to see if the automatic redirect
|
|
was disabled during install time (or afterward). So sift through the
|
|
configuration file and see if we can determine the status.
|
|
|
|
Returns True if autoredirect is enabled, False otherwise
|
|
"""
|
|
filename = '/etc/httpd/conf.d/ipa-rewrite.conf'
|
|
if os.path.exists(filename):
|
|
pattern = "^RewriteRule \^/\$ https://%s/ipa/ui \[L,NC,R=301\]" % fqdn
|
|
p = re.compile(pattern)
|
|
for line in fileinput.input(filename):
|
|
if p.search(line):
|
|
fileinput.close()
|
|
return True
|
|
fileinput.close()
|
|
return False
|
|
return True
|
|
|
|
def find_version(filename):
|
|
"""Find the version of a configuration file
|
|
|
|
If no VERSION entry exists in the file, returns 0.
|
|
If the file does not exist, returns -1.
|
|
"""
|
|
if os.path.exists(filename):
|
|
pattern = "^[\s#]*VERSION\s+([0-9]+)\s+.*"
|
|
p = re.compile(pattern)
|
|
for line in fileinput.input(filename):
|
|
if p.search(line):
|
|
fileinput.close()
|
|
return p.search(line).group(1)
|
|
fileinput.close()
|
|
|
|
# no VERSION found
|
|
return 0
|
|
else:
|
|
return -1
|
|
|
|
def upgrade(sub_dict, filename, template, add=False):
|
|
"""
|
|
Get the version from the current and template files and update the
|
|
installed configuration file if there is a new template.
|
|
|
|
If add is True then create a new configuration file.
|
|
"""
|
|
old = int(find_version(filename))
|
|
new = int(find_version(template))
|
|
|
|
if old < 0 and not add:
|
|
root_logger.error("%s not found." % filename)
|
|
sys.exit(1)
|
|
|
|
if new < 0:
|
|
root_logger.error("%s not found." % template)
|
|
|
|
if old == 0:
|
|
# The original file does not have a VERSION entry. This means it's now
|
|
# managed by IPA, but previously was not.
|
|
root_logger.warning("%s is now managed by IPA. It will be "
|
|
"overwritten. A backup of the original will be made.", filename)
|
|
|
|
if old < new or (add and old == 0):
|
|
backup_file(filename, new)
|
|
update_conf(sub_dict, filename, template)
|
|
root_logger.info("Upgraded %s to version %d", filename, new)
|
|
|
|
def check_certs():
|
|
"""Check ca.crt is in the right place, and try to fix if not"""
|
|
root_logger.info('[Verifying that root certificate is published]')
|
|
if not os.path.exists("/usr/share/ipa/html/ca.crt"):
|
|
ca_file = "/etc/httpd/alias/cacert.asc"
|
|
if os.path.exists(ca_file):
|
|
old_umask = os.umask(022) # make sure its readable by httpd
|
|
try:
|
|
shutil.copyfile(ca_file, "/usr/share/ipa/html/ca.crt")
|
|
finally:
|
|
os.umask(old_umask)
|
|
else:
|
|
root_logger.error("Missing Certification Authority file.")
|
|
root_logger.error("You should place a copy of the CA certificate in /usr/share/ipa/html/ca.crt")
|
|
else:
|
|
root_logger.debug('Certificate file exists')
|
|
|
|
def upgrade_pki(ca, fstore):
|
|
"""
|
|
Update/add the dogtag proxy configuration. The IPA side of this is
|
|
handled in ipa-pki-proxy.conf.
|
|
|
|
This requires enabling SSL renegotiation.
|
|
"""
|
|
configured_constants = dogtag.configured_constants()
|
|
root_logger.info('[Verifying that CA proxy configuration is correct]')
|
|
if not ca.is_configured():
|
|
root_logger.info('CA is not configured')
|
|
return
|
|
|
|
http = httpinstance.HTTPInstance(fstore)
|
|
http.enable_mod_nss_renegotiate()
|
|
if not installutils.get_directive(configured_constants.CS_CFG_PATH,
|
|
'proxy.securePort', '=') and \
|
|
os.path.exists('/usr/bin/pki-setup-proxy'):
|
|
ipautil.run(['/usr/bin/pki-setup-proxy', '-pki_instance_root=/var/lib'
|
|
,'-pki_instance_name=pki-ca','-subsystem_type=ca'])
|
|
root_logger.debug('Proxy configuration updated')
|
|
else:
|
|
root_logger.debug('Proxy configuration up-to-date')
|
|
|
|
def update_dbmodules(realm, filename="/etc/krb5.conf"):
|
|
newfile = []
|
|
found_dbrealm = False
|
|
found_realm = False
|
|
prefix = ''
|
|
|
|
root_logger.info('[Verifying that KDC configuration is using ipa-kdb backend]')
|
|
st = os.stat(filename)
|
|
fd = open(filename)
|
|
|
|
lines = fd.readlines()
|
|
fd.close()
|
|
|
|
if ' db_library = ipadb.so\n' in lines:
|
|
root_logger.debug('dbmodules already updated in %s', filename)
|
|
return
|
|
|
|
for line in lines:
|
|
if line.startswith('[dbmodules]'):
|
|
found_dbrealm = True
|
|
if found_dbrealm and line.find(realm) > -1:
|
|
found_realm = True
|
|
prefix = '#'
|
|
if found_dbrealm and line.find('}') > -1 and found_realm:
|
|
found_realm = False
|
|
newfile.append('#%s' % line)
|
|
prefix = ''
|
|
continue
|
|
|
|
newfile.append('%s%s' % (prefix, line))
|
|
|
|
# Append updated dbmodules information
|
|
newfile.append(' %s = {\n' % realm)
|
|
newfile.append(' db_library = ipadb.so\n')
|
|
newfile.append(' }\n')
|
|
|
|
# Write out new file
|
|
fd = open(filename, 'w')
|
|
fd.write("".join(newfile))
|
|
fd.close()
|
|
root_logger.debug('%s updated', filename)
|
|
|
|
def cleanup_kdc(fstore):
|
|
"""
|
|
Clean up old KDC files if they exist. We need to remove the actual
|
|
file and any references in the uninstall configuration.
|
|
"""
|
|
root_logger.info('[Checking for deprecated KDC configuration files]')
|
|
for file in ['kpasswd.keytab', 'ldappwd']:
|
|
filename = '/var/kerberos/krb5kdc/%s' % file
|
|
installutils.remove_file(filename)
|
|
if fstore.has_file(filename):
|
|
fstore.untrack_file(filename)
|
|
root_logger.debug('Uninstalling %s', filename)
|
|
|
|
|
|
def setup_firefox_extension(fstore):
|
|
"""Set up the Firefox configuration extension, if it's not set up yet
|
|
"""
|
|
root_logger.info('[Setting up Firefox extension]')
|
|
http = httpinstance.HTTPInstance(fstore)
|
|
realm = api.env.realm
|
|
domain = api.env.domain
|
|
http.setup_firefox_extension(realm, domain)
|
|
|
|
|
|
def upgrade_ipa_profile(ca, domain, fqdn):
|
|
"""
|
|
Update the IPA Profile provided by dogtag
|
|
|
|
Returns True if restart is needed, False otherwise.
|
|
"""
|
|
root_logger.info('[Verifying that CA service certificate profile is updated]')
|
|
if ca.is_configured():
|
|
ski = ca.enable_subject_key_identifier()
|
|
if ski:
|
|
root_logger.debug('Subject Key Identifier updated.')
|
|
else:
|
|
root_logger.debug('Subject Key Identifier already set.')
|
|
audit = ca.set_audit_renewal()
|
|
uri = ca.set_crl_ocsp_extensions(domain, fqdn)
|
|
if audit or ski or uri:
|
|
return True
|
|
else:
|
|
root_logger.info('CA is not configured')
|
|
|
|
return False
|
|
|
|
|
|
def named_enable_psearch():
|
|
"""
|
|
From IPA 3.0, persistent search is a preferred mechanism for new DNS zone
|
|
detection and is also needed for other features (DNSSEC, SOA serial
|
|
updates). Enable psearch and make sure connections attribute is right.
|
|
This step is done just once for a case when user switched the persistent
|
|
search back to disabled.
|
|
|
|
When some change in named.conf is done, this functions returns True
|
|
"""
|
|
changed = False
|
|
|
|
root_logger.info('[Enabling persistent search in DNS]')
|
|
|
|
if not bindinstance.named_conf_exists():
|
|
# DNS service may not be configured
|
|
root_logger.info('DNS is not configured')
|
|
return
|
|
|
|
try:
|
|
psearch = bindinstance.named_conf_get_directive('psearch')
|
|
except IOError, e:
|
|
root_logger.debug('Cannot retrieve psearch option from %s: %s',
|
|
bindinstance.NAMED_CONF, e)
|
|
return
|
|
else:
|
|
psearch = None if psearch is None else psearch.lower()
|
|
if not sysupgrade.get_upgrade_state('named.conf', 'psearch_enabled'):
|
|
if psearch != "yes":
|
|
try:
|
|
bindinstance.named_conf_set_directive('zone_refresh', 0)
|
|
bindinstance.named_conf_set_directive('psearch', 'yes')
|
|
except IOError, e:
|
|
root_logger.error('Cannot enable psearch in %s: %s',
|
|
bindinstance.NAMED_CONF, e)
|
|
else:
|
|
changed = True
|
|
psearch = "yes"
|
|
sysupgrade.set_upgrade_state('named.conf', 'psearch_enabled', True)
|
|
root_logger.debug('Persistent search enabled')
|
|
|
|
# make sure number of connections is right
|
|
minimum_connections = 2
|
|
if psearch == 'yes':
|
|
# serial_autoincrement increased the minimal number of connections to 4
|
|
minimum_connections = 4
|
|
try:
|
|
connections = bindinstance.named_conf_get_directive('connections')
|
|
except IOError, e:
|
|
root_logger.debug('Cannot retrieve connections option from %s: %s',
|
|
bindinstance.NAMED_CONF, e)
|
|
return
|
|
try:
|
|
if connections is not None:
|
|
connections = int(connections)
|
|
except ValueError:
|
|
# this should not happend, but there is some bad value in
|
|
# "connections" option, bail out
|
|
pass
|
|
else:
|
|
if connections is not None and connections < minimum_connections:
|
|
try:
|
|
bindinstance.named_conf_set_directive('connections',
|
|
minimum_connections)
|
|
root_logger.debug('Connections set to %d', minimum_connections)
|
|
except IOError, e:
|
|
root_logger.error('Cannot update connections in %s: %s',
|
|
bindinstance.NAMED_CONF, e)
|
|
else:
|
|
changed = True
|
|
|
|
if not changed:
|
|
root_logger.debug('No changes made')
|
|
return changed
|
|
|
|
def named_enable_serial_autoincrement():
|
|
"""
|
|
Serial autoincrement is a requirement for zone transfers or DNSSEC. It
|
|
should be enabled both for new installs and upgraded servers.
|
|
|
|
When some change in named.conf is done, this functions returns True
|
|
"""
|
|
changed = False
|
|
|
|
root_logger.info('[Enabling serial autoincrement in DNS]')
|
|
|
|
if not bindinstance.named_conf_exists():
|
|
# DNS service may not be configured
|
|
root_logger.info('DNS is not configured')
|
|
return changed
|
|
|
|
try:
|
|
psearch = bindinstance.named_conf_get_directive('psearch')
|
|
serial_autoincrement = bindinstance.named_conf_get_directive(
|
|
'serial_autoincrement')
|
|
except IOError, e:
|
|
root_logger.debug('Cannot retrieve psearch option from %s: %s',
|
|
bindinstance.NAMED_CONF, e)
|
|
return changed
|
|
else:
|
|
psearch = None if psearch is None else psearch.lower()
|
|
serial_autoincrement = None if serial_autoincrement is None \
|
|
else serial_autoincrement.lower()
|
|
|
|
# enable SOA serial autoincrement
|
|
if not sysupgrade.get_upgrade_state('named.conf', 'autoincrement_enabled'):
|
|
if psearch != "yes": # psearch is required
|
|
root_logger.error('Persistent search is disabled, '
|
|
'serial autoincrement cannot be enabled')
|
|
else:
|
|
if serial_autoincrement != 'yes':
|
|
try:
|
|
bindinstance.named_conf_set_directive('serial_autoincrement', 'yes')
|
|
except IOError, e:
|
|
root_logger.error('Cannot enable serial_autoincrement in %s: %s',
|
|
bindinstance.NAMED_CONF, e)
|
|
return changed
|
|
else:
|
|
root_logger.debug('Serial autoincrement enabled')
|
|
changed = True
|
|
else:
|
|
root_logger.debug('Serial autoincrement is alredy enabled')
|
|
sysupgrade.set_upgrade_state('named.conf', 'autoincrement_enabled', True)
|
|
else:
|
|
root_logger.debug('Skip serial autoincrement check')
|
|
|
|
return changed
|
|
|
|
def named_update_gssapi_configuration():
|
|
"""
|
|
Update GSSAPI configuration in named.conf to a recent API.
|
|
tkey-gssapi-credential and tkey-domain is replaced with tkey-gssapi-keytab.
|
|
Details can be found in https://fedorahosted.org/freeipa/ticket/3429.
|
|
|
|
When some change in named.conf is done, this functions returns True
|
|
"""
|
|
|
|
root_logger.info('[Updating GSSAPI configuration in DNS]')
|
|
|
|
if not bindinstance.named_conf_exists():
|
|
# DNS service may not be configured
|
|
root_logger.info('DNS is not configured')
|
|
return False
|
|
|
|
if sysupgrade.get_upgrade_state('named.conf', 'gssapi_updated'):
|
|
root_logger.debug('Skip GSSAPI configuration check')
|
|
return False
|
|
|
|
try:
|
|
gssapi_keytab = bindinstance.named_conf_get_directive('tkey-gssapi-keytab',
|
|
bindinstance.NAMED_SECTION_OPTIONS)
|
|
except IOError, e:
|
|
root_logger.error('Cannot retrieve tkey-gssapi-keytab option from %s: %s',
|
|
bindinstance.NAMED_CONF, e)
|
|
return False
|
|
else:
|
|
if gssapi_keytab:
|
|
root_logger.debug('GSSAPI configuration already updated')
|
|
sysupgrade.set_upgrade_state('named.conf', 'gssapi_updated', True)
|
|
return False
|
|
|
|
try:
|
|
tkey_credential = bindinstance.named_conf_get_directive('tkey-gssapi-credential',
|
|
bindinstance.NAMED_SECTION_OPTIONS)
|
|
tkey_domain = bindinstance.named_conf_get_directive('tkey-domain',
|
|
bindinstance.NAMED_SECTION_OPTIONS)
|
|
except IOError, e:
|
|
root_logger.error('Cannot retrieve tkey-gssapi-credential option from %s: %s',
|
|
bindinstance.NAMED_CONF, e)
|
|
return False
|
|
|
|
if not tkey_credential or not tkey_domain:
|
|
root_logger.error('Either tkey-gssapi-credential or tkey-domain is missing in %s. '
|
|
'Skip update.', bindinstance.NAMED_CONF)
|
|
return False
|
|
|
|
try:
|
|
bindinstance.named_conf_set_directive('tkey-gssapi-credential', None,
|
|
bindinstance.NAMED_SECTION_OPTIONS)
|
|
bindinstance.named_conf_set_directive('tkey-domain', None,
|
|
bindinstance.NAMED_SECTION_OPTIONS)
|
|
bindinstance.named_conf_set_directive('tkey-gssapi-keytab', '/etc/named.keytab',
|
|
bindinstance.NAMED_SECTION_OPTIONS)
|
|
except IOError, e:
|
|
root_logger.error('Cannot update GSSAPI configuration in %s: %s',
|
|
bindinstance.NAMED_CONF, e)
|
|
return False
|
|
else:
|
|
root_logger.debug('GSSAPI configuration updated')
|
|
|
|
sysupgrade.set_upgrade_state('named.conf', 'gssapi_updated', True)
|
|
return True
|
|
|
|
def named_update_pid_file():
|
|
"""
|
|
Make sure that named reads the pid file from the right file
|
|
"""
|
|
root_logger.info('[Updating pid-file configuration in DNS]')
|
|
|
|
if not bindinstance.named_conf_exists():
|
|
# DNS service may not be configured
|
|
root_logger.info('DNS is not configured')
|
|
return False
|
|
|
|
if sysupgrade.get_upgrade_state('named.conf', 'pid-file_updated'):
|
|
root_logger.debug('Skip pid-file configuration check')
|
|
return False
|
|
|
|
try:
|
|
pid_file = bindinstance.named_conf_get_directive('pid-file',
|
|
bindinstance.NAMED_SECTION_OPTIONS)
|
|
except IOError, e:
|
|
root_logger.error('Cannot retrieve pid-file option from %s: %s',
|
|
bindinstance.NAMED_CONF, e)
|
|
return False
|
|
else:
|
|
if pid_file:
|
|
root_logger.debug('pid-file configuration already updated')
|
|
sysupgrade.set_upgrade_state('named.conf', 'pid-file_updated', True)
|
|
return False
|
|
|
|
try:
|
|
bindinstance.named_conf_set_directive('pid-file', '/run/named/named.pid',
|
|
bindinstance.NAMED_SECTION_OPTIONS)
|
|
except IOError, e:
|
|
root_logger.error('Cannot update pid-file configuration in %s: %s',
|
|
bindinstance.NAMED_CONF, e)
|
|
return False
|
|
else:
|
|
root_logger.debug('pid-file configuration updated')
|
|
|
|
sysupgrade.set_upgrade_state('named.conf', 'pid-file_updated', True)
|
|
return True
|
|
|
|
|
|
def enable_certificate_renewal(ca):
|
|
"""
|
|
If the CA subsystem certificates are not being tracked for renewal then
|
|
tell certmonger to start tracking them.
|
|
|
|
Returns True when CA needs to be restarted
|
|
"""
|
|
root_logger.info('[Enable certificate renewal]')
|
|
if not ca.is_configured():
|
|
root_logger.info('CA is not configured')
|
|
return False
|
|
|
|
# Using the nickname find the certmonger request_id
|
|
criteria = (('cert_storage_location', '/etc/httpd/alias', certmonger.NPATH),('cert_nickname', 'ipaCert', None))
|
|
request_id = certmonger.get_request_id(criteria)
|
|
if request_id is not None:
|
|
root_logger.debug('Certificate renewal already configured')
|
|
return False
|
|
|
|
if not sysupgrade.get_upgrade_state('dogtag', 'renewal_configured'):
|
|
if ca.is_master():
|
|
ca.configure_renewal()
|
|
else:
|
|
ca.configure_certmonger_renewal()
|
|
ca.configure_clone_renewal()
|
|
ca.configure_agent_renewal()
|
|
ca.track_servercert()
|
|
sysupgrade.set_upgrade_state('dogtag', 'renewal_configured', True)
|
|
root_logger.debug('CA subsystem certificate renewal enabled')
|
|
return True
|
|
|
|
return False
|
|
|
|
def certificate_renewal_stop_ca(ca):
|
|
"""
|
|
Validate the certmonger configuration on certificates that already
|
|
have renewal configured.
|
|
|
|
As of certmonger 0.65 it now does locking from the point where it
|
|
generates the CSR to the end of the post-command. This is to ensure
|
|
that only one certmonger renewal, and hopefully, one process at a
|
|
time holds the NSS database open in read/write.
|
|
"""
|
|
root_logger.info('[Certificate renewal should stop the CA]')
|
|
if not ca.is_configured():
|
|
root_logger.info('CA is not configured')
|
|
return False
|
|
|
|
nss_dir = dogtag.configured_constants().ALIAS_DIR
|
|
# Using the nickname find the certmonger request_id
|
|
criteria = (('cert_storage_location', nss_dir, certmonger.NPATH),('cert_nickname', 'auditSigningCert cert-pki-ca', None))
|
|
id = certmonger.get_request_id(criteria)
|
|
if id is None:
|
|
root_logger.error('Unable to find certmonger request ID for auditSigning Cert')
|
|
return False
|
|
|
|
if sysupgrade.get_upgrade_state('dogtag', 'stop_ca_during_renewal'):
|
|
return False
|
|
|
|
# State not set, lets see if we are already configured
|
|
pre_command = certmonger.get_request_value(id, 'pre_certsave_command')
|
|
if pre_command is not None:
|
|
if pre_command.strip().endswith('stop_pkicad'):
|
|
root_logger.info('Already configured to stop CA')
|
|
return False
|
|
|
|
# Ok, now we need to stop tracking, then we can start tracking them
|
|
# again with new configuration:
|
|
cainstance.stop_tracking_certificates(dogtag.configured_constants())
|
|
if ca.is_master():
|
|
ca.configure_renewal()
|
|
else:
|
|
ca.configure_certmonger_renewal()
|
|
ca.configure_clone_renewal()
|
|
ca.configure_agent_renewal()
|
|
ca.track_servercert()
|
|
sysupgrade.set_upgrade_state('dogtag', 'stop_ca_during_renewal', True)
|
|
root_logger.debug('CA subsystem certificate renewal configured to stop the CA')
|
|
return True
|
|
|
|
def copy_crl_file(old_path, new_path=None):
|
|
"""
|
|
Copy CRL to new location, update permissions and SELinux context
|
|
"""
|
|
if new_path is None:
|
|
filename = os.path.basename(old_path)
|
|
new_path = os.path.join(dogtag.configured_constants().CRL_PUBLISH_PATH,
|
|
filename)
|
|
root_logger.debug('copy_crl_file: %s -> %s', old_path, new_path)
|
|
|
|
if os.path.islink(old_path):
|
|
# update symlink to the most most recent CRL file
|
|
filename = os.path.basename(os.readlink(old_path))
|
|
realpath = os.path.join(dogtag.configured_constants().CRL_PUBLISH_PATH,
|
|
filename)
|
|
root_logger.debug('copy_crl_file: Create symlink %s -> %s',
|
|
new_path, realpath)
|
|
os.symlink(realpath, new_path)
|
|
else:
|
|
shutil.copy2(old_path, new_path)
|
|
pent = pwd.getpwnam(cainstance.PKI_USER)
|
|
os.chown(new_path, pent.pw_uid, pent.pw_gid)
|
|
|
|
services.restore_context(new_path)
|
|
|
|
def migrate_crl_publish_dir(ca):
|
|
"""
|
|
Move CRL publish dir from /var/lib/pki-ca/publish to IPA controlled tree:
|
|
/var/lib/ipa/pki-ca/publish
|
|
"""
|
|
root_logger.info('[Migrate CRL publish directory]')
|
|
if sysupgrade.get_upgrade_state('dogtag', 'moved_crl_publish_dir'):
|
|
root_logger.info('CRL tree already moved')
|
|
return False
|
|
|
|
if not ca.is_configured():
|
|
root_logger.info('CA is not configured')
|
|
return False
|
|
|
|
caconfig = dogtag.configured_constants()
|
|
|
|
try:
|
|
old_publish_dir = installutils.get_directive(caconfig.CS_CFG_PATH,
|
|
'ca.publish.publisher.instance.FileBaseCRLPublisher.directory',
|
|
separator='=')
|
|
except OSError, e:
|
|
root_logger.error('Cannot read CA configuration file "%s": %s',
|
|
caconfig.CS_CFG_PATH, e)
|
|
return False
|
|
|
|
if old_publish_dir == caconfig.CRL_PUBLISH_PATH:
|
|
# publish dir is already updated
|
|
root_logger.info('Publish directory already set to new location')
|
|
sysupgrade.set_upgrade_state('dogtag', 'moved_crl_publish_dir', True)
|
|
return False
|
|
|
|
# Prepare target publish dir (permissions, SELinux context)
|
|
publishdir = ca.prepare_crl_publish_dir()
|
|
|
|
# Copy all CRLs to new directory
|
|
root_logger.info('Copy all CRLs to new publish directory')
|
|
try:
|
|
crl_files_unsorted = cainstance.get_crl_files(old_publish_dir)
|
|
except OSError, e:
|
|
root_logger.error('Cannot move CRL files to new directory: %s', e)
|
|
else:
|
|
# Move CRL files at the end of the list to make sure that the actual
|
|
# CRL files are copied first
|
|
crl_files = sorted(crl_files_unsorted,
|
|
key=lambda f: os.path.islink(f))
|
|
for f in crl_files:
|
|
try:
|
|
copy_crl_file(f)
|
|
except Exception, e:
|
|
root_logger.error('Cannot move CRL file to new directory: %s', e)
|
|
|
|
try:
|
|
installutils.set_directive(caconfig.CS_CFG_PATH,
|
|
'ca.publish.publisher.instance.FileBaseCRLPublisher.directory',
|
|
publishdir, quotes=False, separator='=')
|
|
except OSError, e:
|
|
root_logger.error('Cannot update CA configuration file "%s": %s',
|
|
caconfig.CS_CFG_PATH, e)
|
|
return False
|
|
sysupgrade.set_upgrade_state('dogtag', 'moved_crl_publish_dir', True)
|
|
root_logger.info('CRL publish directory has been migrated, '
|
|
'request pki-ca restart')
|
|
return True
|
|
|
|
def add_ca_dns_records():
|
|
root_logger.info('[Add missing CA DNS records]')
|
|
|
|
if sysupgrade.get_upgrade_state('dns', 'ipa_ca_records'):
|
|
root_logger.info('IPA CA DNS records already processed')
|
|
return
|
|
|
|
try:
|
|
api.Backend.ldap2.connect(autobind=True)
|
|
except ipalib.errors.PublicError, e:
|
|
root_logger.error("Cannot connect to LDAP to add DNS records: %s", e)
|
|
return
|
|
|
|
ret = api.Command['dns_is_enabled']()
|
|
if not ret['result']:
|
|
root_logger.info('DNS is not configured')
|
|
sysupgrade.set_upgrade_state('dns', 'ipa_ca_records', True)
|
|
return
|
|
|
|
bind = bindinstance.BindInstance()
|
|
|
|
bind.convert_ipa_ca_cnames(api.env.domain)
|
|
|
|
# DNS is enabled, so let bindinstance find out if CA is enabled
|
|
# and let it add the record in that case
|
|
bind.add_ipa_ca_dns_records(api.env.host, api.env.domain,
|
|
ca_configured=None)
|
|
|
|
sysupgrade.set_upgrade_state('dns', 'ipa_ca_records', True)
|
|
|
|
def uninstall_selfsign(ds, http):
|
|
root_logger.info('[Removing self-signed CA]')
|
|
"""Replace self-signed CA by a CA-less install"""
|
|
if api.env.ra_plugin != 'selfsign':
|
|
root_logger.debug('Self-signed CA is not installed')
|
|
return
|
|
|
|
root_logger.warning(
|
|
'Removing self-signed CA. Certificates will need to managed manually.')
|
|
p = ConfigParser.SafeConfigParser()
|
|
p.read('/etc/ipa/default.conf')
|
|
p.set('global', 'enable_ra', 'False')
|
|
p.set('global', 'ra_plugin', 'none')
|
|
with open('/etc/ipa/default.conf', 'w') as f:
|
|
p.write(f)
|
|
|
|
ds.stop_tracking_certificates()
|
|
http.stop_tracking_certificates()
|
|
|
|
|
|
def fix_schema_file_syntax(ds):
|
|
"""Fix syntax errors in schema files
|
|
|
|
https://fedorahosted.org/freeipa/ticket/3578
|
|
"""
|
|
root_logger.info('[Fix DS schema file syntax]')
|
|
|
|
# This is not handled by normal schema updates, because pre-1.3.2 DS will
|
|
# ignore (auto-fix) these syntax errors, and 1.3.2 and above will choke on
|
|
# them before checking dynamic schema updates.
|
|
|
|
if sysupgrade.get_upgrade_state('ds', 'fix_schema_syntax'):
|
|
root_logger.info('Syntax already fixed')
|
|
return
|
|
|
|
serverid = dsinstance.realm_to_serverid(api.env.realm)
|
|
|
|
ds.stop(serverid)
|
|
|
|
ds_dir = dsinstance.config_dirname(serverid)
|
|
|
|
# 1. 60ipadns.ldif: Add parenthesis to idnsRecord
|
|
|
|
filename = os.path.join(ds_dir, 'schema', '60ipadns.ldif')
|
|
result_lines = []
|
|
with open(filename) as file:
|
|
for line in file:
|
|
line = line.strip('\n')
|
|
if (line.startswith('objectClasses:') and
|
|
"NAME 'idnsRecord'" in line and
|
|
line.count('(') == 2 and
|
|
line.count(')') == 1):
|
|
root_logger.debug('Add closing parenthesis in idnsRecord')
|
|
line += ' )'
|
|
result_lines.append(line)
|
|
|
|
with open(filename, 'w') as file:
|
|
file.write('\n'.join(result_lines))
|
|
|
|
# 2. 65ipasudo.ldif: Remove extra dollar from ipaSudoRule
|
|
|
|
filename = os.path.join(ds_dir, 'schema', '65ipasudo.ldif')
|
|
result_lines = []
|
|
with open(filename) as file:
|
|
for line in file:
|
|
line = line.strip('\n')
|
|
if (line.startswith('objectClasses:') and
|
|
"NAME 'ipaSudoRule'" in line):
|
|
root_logger.debug('Remove extra dollar sign in ipaSudoRule')
|
|
line = line.replace('$$', '$')
|
|
result_lines.append(line)
|
|
|
|
with open(filename, 'w') as file:
|
|
file.write('\n'.join(result_lines))
|
|
|
|
# Done
|
|
|
|
ds.start(serverid)
|
|
|
|
sysupgrade.set_upgrade_state('ds', 'fix_schema_syntax', True)
|
|
|
|
|
|
def main():
|
|
"""
|
|
Get some basics about the system. If getting those basics fail then
|
|
this is likely because the machine isn't currently an IPA server so
|
|
exit gracefully.
|
|
"""
|
|
|
|
if not os.geteuid()==0:
|
|
sys.exit("\nYou must be root to run this script.\n")
|
|
|
|
if not installutils.is_ipa_configured():
|
|
sys.exit(0)
|
|
|
|
safe_options, options = parse_options()
|
|
|
|
verbose = not options.quiet
|
|
if options.debug:
|
|
console_format = '%(levelname)s: %(message)s'
|
|
else:
|
|
console_format = '%(message)s'
|
|
|
|
standard_logging_setup('/var/log/ipaupgrade.log', debug=options.debug,
|
|
verbose=verbose, console_format=console_format, filemode='a')
|
|
root_logger.debug('%s was invoked with options: %s' % (sys.argv[0], safe_options))
|
|
|
|
fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
|
|
|
|
api.bootstrap(context='restart', in_server=True)
|
|
api.finalize()
|
|
|
|
fqdn = find_hostname()
|
|
if fqdn is None:
|
|
# ipa-rewrite.conf doesn't exist, nothing to do
|
|
sys.exit(0)
|
|
|
|
# Ok, we are an IPA server, do the additional tests
|
|
|
|
check_certs()
|
|
|
|
auto_redirect = find_autoredirect(fqdn)
|
|
configured_constants = dogtag.configured_constants()
|
|
sub_dict = dict(
|
|
REALM=api.env.realm,
|
|
FQDN=fqdn,
|
|
AUTOREDIR='' if auto_redirect else '#',
|
|
CRL_PUBLISH_PATH=configured_constants.CRL_PUBLISH_PATH,
|
|
DOGTAG_PORT=configured_constants.AJP_PORT,
|
|
CLONE='#'
|
|
)
|
|
|
|
ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
|
|
|
|
# migrate CRL publish dir before the location in ipa.conf is updated
|
|
ca_restart = migrate_crl_publish_dir(ca)
|
|
|
|
if ca.is_configured():
|
|
crl = installutils.get_directive(configured_constants.CS_CFG_PATH,
|
|
'ca.crl.MasterCRL.enableCRLUpdates',
|
|
'=')
|
|
sub_dict['CLONE']='#' if crl.lower() == 'true' else ''
|
|
|
|
certmap_dir = dsinstance.config_dirname(
|
|
dsinstance.realm_to_serverid(api.env.realm))
|
|
|
|
upgrade(sub_dict, "/etc/httpd/conf.d/ipa.conf", ipautil.SHARE_DIR + "ipa.conf")
|
|
upgrade(sub_dict, "/etc/httpd/conf.d/ipa-rewrite.conf", ipautil.SHARE_DIR + "ipa-rewrite.conf")
|
|
upgrade(sub_dict, "/etc/httpd/conf.d/ipa-pki-proxy.conf", ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True)
|
|
upgrade(sub_dict, os.path.join(certmap_dir, "certmap.conf"),
|
|
os.path.join(ipautil.SHARE_DIR, "certmap.conf.template"))
|
|
upgrade_pki(ca, fstore)
|
|
update_dbmodules(api.env.realm)
|
|
uninstall_ipa_kpasswd()
|
|
|
|
http = httpinstance.HTTPInstance(fstore)
|
|
http.remove_httpd_ccache()
|
|
http.configure_selinux_for_httpd()
|
|
http.configure_httpd_ccache()
|
|
|
|
ds = dsinstance.DsInstance()
|
|
ds.configure_dirsrv_ccache()
|
|
|
|
fix_schema_file_syntax(ds)
|
|
|
|
uninstall_selfsign(ds, http)
|
|
|
|
memcache = memcacheinstance.MemcacheInstance()
|
|
memcache.ldapi = True
|
|
memcache.realm = api.env.realm
|
|
try:
|
|
if not memcache.is_configured():
|
|
# 389-ds needs to be running to create the memcache instance
|
|
# because we record the new service in cn=masters.
|
|
ds.start()
|
|
memcache.create_instance('MEMCACHE', fqdn, None, ipautil.realm_to_suffix(api.env.realm))
|
|
except ipalib.errors.DuplicateEntry:
|
|
pass
|
|
|
|
cleanup_kdc(fstore)
|
|
setup_firefox_extension(fstore)
|
|
add_ca_dns_records()
|
|
changed_psearch = named_enable_psearch()
|
|
changed_autoincrement = named_enable_serial_autoincrement()
|
|
changed_gssapi_conf = named_update_gssapi_configuration()
|
|
changed_pid_file_conf = named_update_pid_file()
|
|
if (changed_psearch or changed_autoincrement or changed_gssapi_conf
|
|
or changed_pid_file_conf):
|
|
# configuration has changed, restart the name server
|
|
root_logger.info('Changes to named.conf have been made, restart named')
|
|
bind = bindinstance.BindInstance(fstore)
|
|
try:
|
|
bind.restart()
|
|
except ipautil.CalledProcessError, e:
|
|
root_logger.error("Failed to restart %s: %s", bind.service_name, e)
|
|
ca_restart = any([
|
|
ca_restart,
|
|
enable_certificate_renewal(ca),
|
|
upgrade_ipa_profile(ca, api.env.domain, fqdn),
|
|
certificate_renewal_stop_ca(ca),
|
|
])
|
|
|
|
if ca_restart:
|
|
root_logger.info('pki-ca configuration changed, restart pki-ca')
|
|
try:
|
|
ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)
|
|
except ipautil.CalledProcessError, e:
|
|
root_logger.error("Failed to restart %s: %s", ca.service_name, e)
|
|
|
|
if __name__ == '__main__':
|
|
installutils.run_script(main, operation_name='ipa-upgradeconfig')
|