Make hosts more like real services so we can issue certs for host principals

This patch should make joining a client to the domain and using certmonger to get an initial certificate work.
author: Rob Crittenden <rcritten@redhat.com> 2009-12-16 16:04:53 -0500
committer: Jason Gerard DeRose <jderose@redhat.com> 2009-12-16 19:26:59 -0700
commit: c3f9ec14d90c46f20bd03311e9b31e8fa7c116ce (patch)
tree: a4019f771531ab227791515b49cc8f632bb3afff /ipalib
parent: 585540e0a2d28d0e275dcb17d317880ff1a6d80f (diff)
download: freeipa-c3f9ec14d90c46f20bd03311e9b31e8fa7c116ce.tar.gz
freeipa-c3f9ec14d90c46f20bd03311e9b31e8fa7c116ce.tar.xz
freeipa-c3f9ec14d90c46f20bd03311e9b31e8fa7c116ce.zip
2 files changed, 56 insertions, 12 deletions
diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
index 5540e6ecf..21d0ebcdb 100644
--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
@@ -40,6 +40,7 @@ from pyasn1.error import PyAsn1Error
 import logging
 import traceback
 from ipalib.request import ugettext as _
+from ipalib.request import context
 
 def get_serial(certificate):
     """
@@ -154,8 +155,10 @@ class cert_request(VirtualCommand):
         taskgroup (directly or indirectly via role membership).
         """
 
+        bind_principal = getattr(context, 'principal')
         # Can this user request certs?
-        self.check_access()
+        if not bind_principal.startswith('host/'):
+            self.check_access()
 
         # FIXME: add support for subject alt name
 
@@ -170,7 +173,17 @@ class cert_request(VirtualCommand):
         # See if the service exists and punt if it doesn't and we aren't
         # going to add it
         try:
-            (dn, service) = api.Command['service_show'](principal, all=True, raw=True)
+            if not principal.startswith('host/'):
+                service = api.Command['service_show'](principal, all=True, raw=True)
+                dn = service['dn']
+            else:
+                realm = principal.find('@')
+                if realm == -1:
+                    realm = len(principal)
+                hostname = principal[5:realm]
+
+                service = api.Command['host_show'](hostname, all=True, raw=True)['result']
+                dn = service['dn']
             if 'usercertificate' in service:
                 # FIXME, what to do here? Do we revoke the old cert?
                 raise errors.CertificateOperationError(error=_('entry already has a certificate, serial number %s') % get_serial(base64.b64encode(service['usercertificate'][0])))
@@ -178,7 +191,8 @@ class cert_request(VirtualCommand):
             if not add:
                 raise errors.NotFound(reason="The service principal for this request doesn't exist.")
             try:
-                (dn, service) = api.Command['service_add'](principal, **{})
+                service = api.Command['service_add'](principal, **{})
+                dn = service['dn']
             except errors.ACIError:
                 raise errors.ACIError(info='You need to be a member of the serviceadmin role to add services')
 
@@ -191,7 +205,8 @@ class cert_request(VirtualCommand):
         if subjectaltname is not None:
             for name in subjectaltname:
                 try:
-                    (hostdn, hostentry) = api.Command['host_show'](name, all=True, raw=True)
+                    hostentry = api.Command['host_show'](name, all=True, raw=True)['result']
+                    hostdn = hostentry['dn']
                 except errors.NotFound:
                     # We don't want to issue any certificates referencing
                     # machines we don't know about. Nothing is stored in this
@@ -206,11 +221,21 @@ class cert_request(VirtualCommand):
         result = self.Backend.ra.request_certificate(csr, **kw)
 
         # Success? Then add it to the service entry.
-        if result.get('status') == 0:
-            skw = {"usercertificate": str(result.get('certificate'))}
-            api.Command['service_mod'](principal, **skw)
-
-        return result
+        if 'certificate' in result:
+            if not principal.startswith('host/'):
+                skw = {"usercertificate": str(result.get('certificate'))}
+                api.Command['service_mod'](principal, **skw)
+            else:
+                realm = principal.find('@')
+                if realm == -1:
+                    realm = len(principal)
+                hostname = principal[5:realm]
+                skw = {"usercertificate": str(result.get('certificate'))}
+                api.Command['host_mod'](hostname, **skw)
+
+        return dict(
+            result=result
+        )
 
     def output_for_cli(self, textui, result, *args, **kw):
         if isinstance(result, dict) and len(result) > 0:
diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index dd19362bd..3d59be7cf 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -26,10 +26,12 @@ import os
 import sys
 
 from ipalib import api, errors, util
-from ipalib import Str, Flag
+from ipalib import Str, Flag, Bytes
 from ipalib.plugins.baseldap import *
 from ipalib.plugins.service import split_principal
+from ipalib.plugins.service import validate_certificate
 from ipalib import _, ngettext
+import base64
 
 
 def validate_host(ugettext, fqdn):
@@ -48,11 +50,11 @@ class host(LDAPObject):
     container_dn = api.env.container_host
     object_name = 'host'
     object_name_plural = 'hosts'
-    object_class = ['ipaobject', 'nshost', 'ipahost', 'pkiuser']
+    object_class = ['ipaobject', 'nshost', 'ipahost', 'pkiuser', 'ipaservice']
     # object_class_config = 'ipahostobjectclasses'
     default_attributes = [
         'fqdn', 'description', 'localityname', 'nshostlocation',
-        'nshardwareplatform', 'nsosversion'
+        'nshardwareplatform', 'nsosversion', 'usercertificate',
     ]
     uuid_attribute = 'ipauniqueid'
     attribute_names = {
@@ -107,6 +109,10 @@ class host(LDAPObject):
             label='User password',
             doc='Password used in bulk enrollment',
         ),
+        Bytes('usercertificate?', validate_certificate,
+            cli_name='certificate',
+            doc='base-64 encoded server certificate',
+        ),
     )
 
     def get_dn(self, *keys, **options):
@@ -148,6 +154,7 @@ class host_add(LDAPCreate):
                 entry_attrs['objectclass'].append('krbprincipal')
         elif 'krbprincipalaux' in entry_attrs['objectclass']:
             entry_attrs['objectclass'].remove('krbprincipalaux')
+        entry_attrs['managedby'] = dn
         return dn
 
 api.register(host_add)
@@ -209,6 +216,18 @@ class host_mod(LDAPUpdate):
             if 'krbprincipalaux' not in obj_classes:
                 obj_classes.append('krbprincipalaux')
                 entry_attrs['objectclass'] = obj_classes
+        cert = entry_attrs.get('usercertificate')
+        if cert:
+            (dn, entry_attrs_old) = ldap.get_entry(dn, ['usercertificate'])
+            if 'usercertificate' in entry_attrs_old:
+                # FIXME: what to do here? do we revoke the old cert?
+                fmt = 'entry already has a certificate, serial number: %s' % (
+                    get_serial(entry_attrs_old['usercertificate'])
+                )
+                raise errors.GenericError(format=fmt)
+            # FIXME: should be in normalizer; see service_add
+            entry_attrs['usercertificate'] = base64.b64decode(cert)
+
         return dn
 
 api.register(host_mod)
author	Rob Crittenden <rcritten@redhat.com>	2009-12-16 16:04:53 -0500
committer	Jason Gerard DeRose <jderose@redhat.com>	2009-12-16 19:26:59 -0700
commit	c3f9ec14d90c46f20bd03311e9b31e8fa7c116ce (patch)
tree	a4019f771531ab227791515b49cc8f632bb3afff /ipalib
parent	585540e0a2d28d0e275dcb17d317880ff1a6d80f (diff)
download	freeipa-c3f9ec14d90c46f20bd03311e9b31e8fa7c116ce.tar.gz freeipa-c3f9ec14d90c46f20bd03311e9b31e8fa7c116ce.tar.xz freeipa-c3f9ec14d90c46f20bd03311e9b31e8fa7c116ce.zip