author | Jan Cholasta <jcholast@redhat.com> | 2013-10-16 07:26:39 +0000 |
---|---|---|
committer | Petr Viktorin <pviktori@redhat.com> | 2014-03-25 16:54:54 +0100 |
commit | bab88eb1ed440d1e62eb59e32c4d22fa178f4869 (patch) | |
tree | ce2a791e59488578d7e7d011a6b962085b3ee99d | |
parent | 57f0be7b5dc0111087e3b5ce63462281729b78a2 (diff) | |
Add new certmonger CA helper dogtag-ipa-ca-renew-agent.
The helper will be used to handle CA-related certificate renewal requests.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
-rw-r--r-- | freeipa.spec.in | 1 | ||||
-rw-r--r-- | install/certmonger/Makefile.am | 1 | ||||
-rwxr-xr-x | install/certmonger/dogtag-ipa-ca-renew-agent-submit | 81 |
3 files changed, 83 insertions, 0 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 9f6f8fbce..d1ac09884 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -636,6 +636,7 @@ fi
 %{_sbindir}/ipa-upgradeconfig
 %{_sbindir}/ipa-advise
 %{_libexecdir}/certmonger/dogtag-ipa-retrieve-agent-submit
+%{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit
 %{_libexecdir}/ipa-otpd
 %config(noreplace) %{_sysconfdir}/sysconfig/ipa_memcached
 %dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/
diff --git a/install/certmonger/Makefile.am b/install/certmonger/Makefile.am
index 2023a2aec..03fd210af 100644
--- a/install/certmonger/Makefile.am
+++ b/install/certmonger/Makefile.am
@@ -3,6 +3,7 @@ NULL =
 appdir = $(libexecdir)/certmonger/
 app_SCRIPTS = \
 dogtag-ipa-retrieve-agent-submit \
+ dogtag-ipa-ca-renew-agent-submit \
 $(NULL)
 
 EXTRA_DIST = \
diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
new file mode 100755
index 000000000..7e62836d1
--- /dev/null
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -0,0 +1,81 @@ +#!/usr/bin/python2 -E +# +# Authors: +# Jan Cholasta <jcholast@redhat.com> +# +# Copyright (C) 2013 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +import os +# Prevent garbage from readline on standard output +# (see https://fedorahosted.org/freeipa/ticket/4064) +if not os.isatty(1): + os.environ['TERM'] = 'dumb' +import sys +import syslog +import traceback + +from ipapython import ipautil +from ipalib import api + +# This is a certmonger CA helper script for IPA CA subsystem cert renewal. See +# https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/submit.txt for more +# info on certmonger CA helper scripts. + +# Return codes. Names of the constants are taken from +# https://git.fedorahosted.org/cgit/certmonger.git/tree/src/submit-e.h +ISSUED = 0 +WAIT = 1 +REJECTED = 2 +UNREACHABLE = 3 +UNCONFIGURED = 4 +WAIT_WITH_DELAY = 5 +OPERATION_NOT_SUPPORTED_BY_HELPER = 6 + +def request_cert(): + """ + Request certificate from IPA CA. 
+ """ + syslog.syslog(syslog.LOG_NOTICE, + "Forwarding request to dogtag-ipa-renew-agent") + + path = '/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit' + args = [path] + sys.argv[1:] + stdout, stderr, rc = ipautil.run(args, raiseonerr=False, env=os.environ) + sys.stderr.write(stderr) + sys.stderr.flush() + + syslog.syslog(syslog.LOG_NOTICE, "dogtag-ipa-renew-agent returned %d" % rc) + + if stdout.endswith('\n'): + stdout = stdout[:-1] + + return (rc, stdout) + +def main(): + api.bootstrap(context='renew') + api.finalize() + + res = request_cert() + print res[1] + return res[0] + +try: + sys.exit(main()) +except Exception, e: + syslog.syslog(syslog.LOG_ERR, traceback.format_exc()) + print "Internal error" + sys.exit(UNREACHABLE) |
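Review bot: The forwarded helper's location in request_cert, `path = '/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit'`, is hard-coded, while the Makefile.am hunk installs this very script under `$(libexecdir)/certmonger/` and the spec hunk lists it via `%{_libexecdir}`; on a build with a non-default libexecdir the forward would presumably fail inside ipautil.run and be reported as UNREACHABLE by the outer handler, for every request. If the path cannot be derived at build time, a comment should at least make the coupling visible: `# Must match appdir in install/certmonger/Makefile.am ($(libexecdir)/certmonger/)`. The docstring of request_cert should also state what it returns, e.g. `Returns (rc, stdout): the exit code of dogtag-ipa-renew-agent-submit, which main() passes through as this helper's exit code, and its output with one trailing newline stripped.` The `e` bound in `except Exception, e:` is never used and can be dropped.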