diff options
Diffstat (limited to 'ipalib')
| -rw-r--r-- | ipalib/plugins/cert.py | 43 | ||||
| -rw-r--r-- | ipalib/plugins/host.py | 25 |
2 files changed, 56 insertions, 12 deletions
diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py index 5540e6ecf..21d0ebcdb 100644 --- a/ipalib/plugins/cert.py +++ b/ipalib/plugins/cert.py @@ -40,6 +40,7 @@ from pyasn1.error import PyAsn1Error import logging import traceback from ipalib.request import ugettext as _ +from ipalib.request import context def get_serial(certificate): """ @@ -154,8 +155,10 @@ class cert_request(VirtualCommand): taskgroup (directly or indirectly via role membership). """ + bind_principal = getattr(context, 'principal') # Can this user request certs? - self.check_access() + if not bind_principal.startswith('host/'): + self.check_access() # FIXME: add support for subject alt name @@ -170,7 +173,17 @@ class cert_request(VirtualCommand): # See if the service exists and punt if it doesn't and we aren't # going to add it try: - (dn, service) = api.Command['service_show'](principal, all=True, raw=True) + if not principal.startswith('host/'): + service = api.Command['service_show'](principal, all=True, raw=True) + dn = service['dn'] + else: + realm = principal.find('@') + if realm == -1: + realm = len(principal) + hostname = principal[5:realm] + + service = api.Command['host_show'](hostname, all=True, raw=True)['result'] + dn = service['dn'] if 'usercertificate' in service: # FIXME, what to do here? Do we revoke the old cert? raise errors.CertificateOperationError(error=_('entry already has a certificate, serial number %s') % get_serial(base64.b64encode(service['usercertificate'][0]))) @@ -178,7 +191,8 @@ class cert_request(VirtualCommand): if not add: raise errors.NotFound(reason="The service principal for this request doesn't exist.") try: - (dn, service) = api.Command['service_add'](principal, **{}) + service = api.Command['service_add'](principal, **{}) + dn = service['dn'] except errors.ACIError: raise errors.ACIError(info='You need to be a member of the serviceadmin role to add services') @@ -191,7 +205,8 @@ class cert_request(VirtualCommand): if subjectaltname is not None: for name in subjectaltname: try: - (hostdn, hostentry) = api.Command['host_show'](name, all=True, raw=True) + hostentry = api.Command['host_show'](name, all=True, raw=True)['result'] + hostdn = hostentry['dn'] except errors.NotFound: # We don't want to issue any certificates referencing # machines we don't know about. Nothing is stored in this @@ -206,11 +221,21 @@ class cert_request(VirtualCommand): result = self.Backend.ra.request_certificate(csr, **kw) # Success? Then add it to the service entry. - if result.get('status') == 0: - skw = {"usercertificate": str(result.get('certificate'))} - api.Command['service_mod'](principal, **skw) - - return result + if 'certificate' in result: + if not principal.startswith('host/'): + skw = {"usercertificate": str(result.get('certificate'))} + api.Command['service_mod'](principal, **skw) + else: + realm = principal.find('@') + if realm == -1: + realm = len(principal) + hostname = principal[5:realm] + skw = {"usercertificate": str(result.get('certificate'))} + api.Command['host_mod'](hostname, **skw) + + return dict( + result=result + ) def output_for_cli(self, textui, result, *args, **kw): if isinstance(result, dict) and len(result) > 0: diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index dd19362bd..3d59be7cf 100644 --- a/ipalib/plugins/host.py +++ b/ipalib/plugins/host.py @@ -26,10 +26,12 @@ import os import sys from ipalib import api, errors, util -from ipalib import Str, Flag +from ipalib import Str, Flag, Bytes from ipalib.plugins.baseldap import * from ipalib.plugins.service import split_principal +from ipalib.plugins.service import validate_certificate from ipalib import _, ngettext +import base64 def validate_host(ugettext, fqdn): @@ -48,11 +50,11 @@ class host(LDAPObject): container_dn = api.env.container_host object_name = 'host' object_name_plural = 'hosts' - object_class = ['ipaobject', 'nshost', 'ipahost', 'pkiuser'] + object_class = ['ipaobject', 'nshost', 'ipahost', 'pkiuser', 'ipaservice'] # object_class_config = 'ipahostobjectclasses' default_attributes = [ 'fqdn', 'description', 'localityname', 'nshostlocation', - 'nshardwareplatform', 'nsosversion' + 'nshardwareplatform', 'nsosversion', 'usercertificate', ] uuid_attribute = 'ipauniqueid' attribute_names = { @@ -107,6 +109,10 @@ class host(LDAPObject): label='User password', doc='Password used in bulk enrollment', ), + Bytes('usercertificate?', validate_certificate, + cli_name='certificate', + doc='base-64 encoded server certificate', + ), ) def get_dn(self, *keys, **options): @@ -148,6 +154,7 @@ class host_add(LDAPCreate): entry_attrs['objectclass'].append('krbprincipal') elif 'krbprincipalaux' in entry_attrs['objectclass']: entry_attrs['objectclass'].remove('krbprincipalaux') + entry_attrs['managedby'] = dn return dn api.register(host_add) @@ -209,6 +216,18 @@ class host_mod(LDAPUpdate): if 'krbprincipalaux' not in obj_classes: obj_classes.append('krbprincipalaux') entry_attrs['objectclass'] = obj_classes + cert = entry_attrs.get('usercertificate') + if cert: + (dn, entry_attrs_old) = ldap.get_entry(dn, ['usercertificate']) + if 'usercertificate' in entry_attrs_old: + # FIXME: what to do here? do we revoke the old cert? + fmt = 'entry already has a certificate, serial number: %s' % ( + get_serial(entry_attrs_old['usercertificate']) + ) + raise errors.GenericError(format=fmt) + # FIXME: should be in normalizer; see service_add + entry_attrs['usercertificate'] = base64.b64decode(cert) + return dn api.register(host_mod) |