2 files changed, 94 insertions, 0 deletions

diff --git a/install/certmonger/Makefile.am b/install/certmonger/Makefile.am
new file mode 100644
index 000000000..2023a2aec
--- /dev/null
+++ b/install/certmonger/Makefile.am
@@ -0,0 +1,14 @@
+NULL =
+
+appdir = $(libexecdir)/certmonger/
+app_SCRIPTS =					\
+	dogtag-ipa-retrieve-agent-submit	\
+	$(NULL)
+
+EXTRA_DIST =				\
+	$(app_SCRIPTS)			\
+	$(NULL)
+
+MAINTAINERCLEANFILES =			\
+	*~				\
+	Makefile.in
diff --git a/install/certmonger/dogtag-ipa-retrieve-agent-submit b/install/certmonger/dogtag-ipa-retrieve-agent-submit
new file mode 100644
index 000000000..24e1844a5
--- /dev/null
+++ b/install/certmonger/dogtag-ipa-retrieve-agent-submit
@@ -0,0 +1,80 @@
+#!/usr/bin/python -E
+#
+# Authors:
+#   Rob Crittenden <rcritten@redhat.com>
+#
+# Copyright (C) 2012  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# The certificate rewewal is done on only one dogtag CA. The others
+# retrieve the updated certificate from IPA.
+
+import os
+import sys
+import shutil
+import tempfile
+import krbV
+import syslog
+from ipalib import api
+from ipalib.dn import DN
+from ipalib import errors
+from ipalib import x509
+from ipapython import services as ipaservices
+from ipapython import ipautil
+from ipaserver.install import certs
+from ipaserver.plugins.ldap2 import ldap2
+import base64
+
+# We cheat and pass in the nickname as the CA profile to execute against.
+# Some way is needed to determine which entry to retrieve from LDAP
+operation = os.environ.get('CERTMONGER_OPERATION')
+nickname = os.environ.get('CERTMONGER_CA_PROFILE')
+
+if operation not in ['SUBMIT', 'POLL']:
+    sys.exit(6) # unsupported operation
+
+api.bootstrap(context='renew')
+api.finalize()
+
+# Update or add it
+tmpdir = tempfile.mkdtemp(prefix = "tmp-")
+try:
+    dn = str(DN(('cn',nickname),('cn=ca_renewal,cn=ipa,cn=etc'),(api.env.basedn)))
+    principal = str('host/%s@%s' % (api.env.host, api.env.realm))
+    ccache = ipautil.kinit_hostprincipal('/etc/krb5.keytab', tmpdir, principal)
+    conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri)
+    conn.connect(ccache=ccache)
+    try:
+        syslog.syslog(syslog.LOG_NOTICE, "Updating certificate for %s" % nickname)
+        (entry_dn, entry_attrs) = conn.get_entry(dn, ['usercertificate'])
+        cert = entry_attrs['usercertificate'][0]
+        cert = base64.b64encode(cert)
+        print x509.make_pem(cert)
+    except errors.NotFound:
+        syslog.syslog(syslog.LOG_INFO, "Updated certificate for %s not available" % nickname)
+        # No cert available yet, tell certmonger to wait another 8 hours
+        print 8 * 60 * 60
+        sys.exit(5)
+    finally:
+        conn.disconnect()
+except Exception, e:
+    syslog.syslog(syslog.LOG_ERR, "Exception trying to retrieve %s: %s" % (nickname, e))
+    # Unhandled error
+    sys.exit(3)
+finally:
+    shutil.rmtree(tmpdir)
+
+sys.exit(0)