Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/install/certmonger.py152
-rw-r--r--ipaserver/install/certs.py27
-rw-r--r--ipaserver/install/dsinstance.py4
3 files changed, 14 insertions, 169 deletions
diff --git a/ipaserver/install/certmonger.py b/ipaserver/install/certmonger.py
deleted file mode 100644
index bb56c2ab..00000000
--- a/ipaserver/install/certmonger.py
+++ /dev/null
@@ -1,152 +0,0 @@
-# Authors: Rob Crittenden <rcritten@redhat.com>
-#
-# Copyright (C) 2010 Red Hat
-# see file 'COPYING' for use and warranty information
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License as
-# published by the Free Software Foundation; version 2 only
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
-#
-
-# Some certmonger functions, mostly around updating the request file.
-# This is used so we can add tracking to the Apache and 389-ds
-# server certificates created during the IPA server installation.
-
-import os
-import re
-import time
-from ipapython import ipautil
-
-REQUEST_DIR='/var/lib/certmonger/requests/'
-
-def find_request_value(filename, directive):
- """
- Return a value from a certmonger request file for the requested directive
-
- It tries to do this a number of times because sometimes there is a delay
- when ipa-getcert returns and the file is fully updated, particularly
- when doing a request. Genrerating a CSR is fast but not instantaneous.
- """
- tries = 1
- value = None
- found = False
- while value is None and tries <= 5:
- tries=tries + 1
- time.sleep(1)
- fp = open(filename, 'r')
- lines = fp.readlines()
- fp.close()
-
- for line in lines:
- if found:
- # A value can span multiple lines. If it does then it has a
- # leading space.
- if not line.startswith(' '):
- # We hit the next directive, return now
- return value
- else:
- value = value + line[1:]
- else:
- if line.startswith(directive + '='):
- found = True
- value = line[len(directive)+1:]
-
- return value
-
-def get_request_value(request_id, directive):
- """
- There is no guarantee that the request_id will match the filename
- in the certmonger requests directory, so open each one to find the
- request_id.
- """
- fileList=os.listdir(REQUEST_DIR)
- for file in fileList:
- value = find_request_value('%s/%s' % (REQUEST_DIR, file), 'id')
- if value is not None and value.rstrip() == request_id:
- return find_request_value('%s/%s' % (REQUEST_DIR, file), directive)
-
- return None
-
-def add_request_value(request_id, directive, value):
- """
- Add a new directive to a certmonger request file.
-
- The certmonger service MUST be stopped in order for this to work.
- """
- fileList=os.listdir(REQUEST_DIR)
- for file in fileList:
- id = find_request_value('%s/%s' % (REQUEST_DIR, file), 'id')
- if id is not None and id.rstrip() == request_id:
- current_value = find_request_value('%s/%s' % (REQUEST_DIR, file), directive)
- if not current_value:
- fp = open('%s/%s' % (REQUEST_DIR, file), 'a')
- fp.write('%s=%s\n' % (directive, value))
- fp.close()
-
- return
-
-def add_principal(request_id, principal):
- """
- In order for a certmonger request to be renwable it needs a principal.
-
- When an existing certificate is added via start-tracking it won't have
- a principal.
- """
- return add_request_value(request_id, 'template_principal', principal)
-
-def add_subject(request_id, subject):
- """
- In order for a certmonger request to be renwable it needs the subject
- set in the request file.
-
- When an existing certificate is added via start-tracking it won't have
- a subject_template set.
- """
- return add_request_value(request_id, 'template_subject', subject)
-
-def request_cert(nssdb, nickname, subject, principal, passwd_fname=None):
- """
- Execute certmonger to request a server certificate
- """
- args = ['/usr/bin/ipa-getcert',
- 'request',
- '-d', nssdb,
- '-n', nickname,
- '-N', subject,
- '-K', principal,
- ]
- if passwd_fname:
- args.append('-p')
- args.append(passwd_fname)
- (stdout, stderr, returncode) = ipautil.run(args)
- # FIXME: should be some error handling around this
- m = re.match('New signing request "(\d+)" added', stdout)
- request_id = m.group(1)
- return request_id
-
-def stop_tracking(request_id):
- """
- Stop tracking the current request.
-
- This assumes that the certmonger service is running.
- """
- args = ['/usr/bin/ipa-getcert',
- 'stop-tracking',
- '-i', request_id
- ]
- (stdout, stderr, returncode) = ipautil.run(args)
-
-if __name__ == '__main__':
- request_id = request_cert("/etc/httpd/alias", "Test", "cn=tiger.example.com,O=IPA", "HTTP/tiger.example.com@EXAMPLE.COM")
- csr = get_request_value(request_id, 'csr')
- print csr
- stop_tracking(request_id)
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 7f246d11..c8e1d17d 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -32,10 +32,10 @@ from ipapython import nsslib
from ipapython import dogtag
from ipapython import sysrestore
from ipapython import ipautil
+from ipapython import certmonger
from ipalib import pkcs10
from ConfigParser import RawConfigParser
import service
-import certmonger
from ipalib import x509
from nss.error import NSPRError
@@ -441,21 +441,19 @@ class CertDB(object):
"""
service.chkconfig_on("certmonger")
service.start("certmonger")
- args = ["/usr/bin/ipa-getcert", "start-tracking",
- "-d", self.secdir,
- "-n", nickname]
- if password_file:
- args.append("-p")
- args.append(password_file)
try:
- (stdout, stderr, returncode) = ipautil.run(args)
- except ipautil.CalledProcessError, e:
- logging.error("tracking certificate failed: %s" % str(e))
+ (stdout, stderr, rc) = certmonger.start_tracking(nickname, self.secdir, password_file)
+ except (ipautil.CalledProcessError, RuntimeError), e:
+ logging.error("certmonger failed starting to track certificate: %s" % str(e))
+ return
service.stop("certmonger")
cert = self.get_cert_from_db(nickname)
subject = str(x509.get_subject(cert))
m = re.match('New tracking request "(\d+)" added', stdout)
+ if not m:
+ logging.error('Didn\'t get new certmonger request, got %s' % stdout)
+ raise RuntimeError('certmonger did not issue new tracking request for \'%s\' in \'%s\'. Use \'ipa-getcert list\' to list existing certificates.' % (nickname, self.secdir))
request_id = m.group(1)
certmonger.add_principal(request_id, principal)
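Review bot: The two error paths in this hunk leave the certmonger service in different states: the `return` after the failed `certmonger.start_tracking(...)` call exits before `service.stop("certmonger")`, while the new `raise RuntimeError(...)` for an unmatched `stdout` fires after the service has already been stopped, so whichever caller handles the error cannot assume anything about whether certmonger is running. The `rc` value unpacked from `start_tracking` is also never checked; if that helper does not itself raise on a non-zero exit, a failed `ipa-getcert start-tracking` would fall through to the regex match and surface only as the less specific "Didn't get new certmonger request" error — worth confirming against `ipapython.certmonger`. A small tidy-up would be `if rc != 0: logging.error(...); return` right after the call, and either moving `service.stop("certmonger")` into a `finally` or documenting the intended service state on failure in the method's docstring. The regex should be a raw string, `re.match(r'New tracking request "(\d+)" added', stdout)`, to avoid the `\d` escape warning. The enclosing method starts and ends outside this hunk.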
@@ -471,13 +469,10 @@ class CertDB(object):
# Always start certmonger. We can't untrack something if it isn't
# running
service.start("certmonger")
- args = ["/usr/bin/ipa-getcert", "stop-tracking",
- "-d", self.secdir,
- "-n", nickname]
try:
- (stdout, stderr, returncode) = ipautil.run(args)
- except ipautil.CalledProcessError, e:
- logging.error("untracking certificate failed: %s" % str(e))
+ certmonger.stop_tracking(self.secdir, nickname=nickname)
+ except (ipautil.CalledProcessError, RuntimeError), e:
+ logging.error("certmonger failed to stop tracking certificate: %s" % str(e))
service.stop("certmonger")
def create_server_cert(self, nickname, hostname, other_certdb=None, subject=None):
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index a5334845..4a36f1b9 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -493,7 +493,9 @@ class DsInstance(service.Service):
serverid = self.restore_state("serverid")
if not serverid is None:
- dirname = config_dirname(serverid)
+ # drop the trailing / off the config_dirname so the directory
+ # will match what is in certmonger
+ dirname = config_dirname(serverid)[:-1]
dsdb = certs.CertDB(dirname)
dsdb.untrack_server_cert("Server-Cert")
erase_ds_instance_data(serverid)
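Review bot: `config_dirname(serverid)[:-1]` silently drops the last character of the path regardless of what it is, so if `config_dirname` is ever changed to return a path without the trailing slash (or is called with one already normalised), the CertDB would be opened on a mangled directory and `untrack_server_cert` would miss the tracked certificate. Stripping only what the comment says is being stripped is safer and self-documenting: `dirname = config_dirname(serverid).rstrip('/')`. Since the goal is to match the directory string certmonger recorded, it may also be worth noting in the comment that certmonger compares the `-d` value literally rather than by resolved path — hedged, as that behaviour is not visible here. The enclosing method starts outside this hunk.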