From dfe9db55484339a8a9f2ce3bd057bd9702bb9579 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 17 Apr 2009 17:17:31 -0400
Subject: Add signing profile to CA installation so we can sign the firefox jar
 file.

Use the requestId we get back from the CA when requesting the RA agent cert
and use that to issue the certificate rather than hardcoding 7.

This also adds some clean-up of file permissions and leaking fds
---
 ipaserver/install/cainstance.py | 40 +++++++++++++++++++++++++++++++++-------
 1 file changed, 33 insertions(+), 7 deletions(-)

(limited to 'ipaserver/install/cainstance.py')

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 088744a4..d33901dc 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -34,6 +34,7 @@ import shutil
 import httplib
 import urllib
 import xml.dom.minidom
+import stat
 
 from nss.error import NSPRError
 import nss.nss as nss
@@ -44,7 +45,6 @@ from ipapython import nsslib
 from ipaserver.install import service
 from ipaserver.install import installutils
 from ipaserver import ipaldap
-from ipaserver.install import ldapupdate
 from ipaserver.install import dsinstance
 from ipalib import util
 
@@ -368,6 +368,7 @@ class CAInstance(service.Service):
         self.server_root = "/var/lib"
         self.secure_port = 9444
         self.ra_cert = None
+        self.requestId = None
 
     def __del__(self):
         shutil.rmtree(self.ca_agent_db, ignore_errors=True)
@@ -390,6 +391,7 @@ class CAInstance(service.Service):
         self.step("issuing RA agent certificate", self.__issue_ra_cert)
         self.step("adding RA agent as a trusted user", self.__configure_ra)
         self.step("fixing RA database permissions", self.__fix_ra_perms)
+        self.step("setting up signing cert profile", self.__setup_sign_profile)
         self.step("configuring certificate server to start on boot", self.__enable)
         self.step("restarting certificate server", self.__restart_instance)
 
@@ -540,7 +542,7 @@ class CAInstance(service.Service):
     def __restart_instance(self):
         try:
             self.restart()
-        except Exception:
+        except Exception, e:
             # TODO: roll back here?
             logging.critical("Failed to restart the certificate server. See the installation log for details.")
 
@@ -577,9 +579,10 @@ class CAInstance(service.Service):
             '-n', 'ipa-ca-agent',
             '-p', self.admin_password,
             '-d', self.ca_agent_db,
-            '-r', '/ca/agent/ca/profileReview?requestId=7',
+            '-r', '/ca/agent/ca/profileReview?requestId=%s' % self.requestId,
             '%s:%d' % (self.host_name, 9443),
         ]
+        logging.debug("running sslget %s" % args)
         (stdout, stderr) = ipautil.run(args)
 
         data = stdout.split('\r\n')
@@ -589,6 +592,8 @@ class CAInstance(service.Service):
         params['submit'] = 'submit'
         params['requestNotes'] = ''
         params = urllib.urlencode(params)
+        headers = {"Content-type": "application/x-www-form-urlencoded",
+                   "Accept": "text/plain"}
 
         # Now issue the RA certificate.
         args = [
@@ -600,6 +605,7 @@ class CAInstance(service.Service):
             '-r', '/ca/agent/ca/profileProcess',
             '%s:%d' % (self.host_name, 9443),
         ]
+        logging.debug("running sslget %s" % args)
         (stdout, stderr) = ipautil.run(args)
 
         data = stdout.split('\r\n')
@@ -679,6 +685,7 @@ class CAInstance(service.Service):
         f = os.open(self.ra_agent_pwd, os.O_CREAT | os.O_RDWR)
         os.write(f, hex_str)
         os.close(f)
+        os.chmod(self.ra_agent_pwd, stat.S_IRUSR)
 
         stdout, stderr = self.__run_certutil(["-N"])
 
@@ -758,11 +765,14 @@ class CAInstance(service.Service):
         res = conn.getresponse()
         if res.status == 200:
             data = res.read()
-            # FIXME: pull the requestId out so of the response so it isn't
-            # later hard-coded at 7
-#            print data
-
             conn.close()
+            doc = xml.dom.minidom.parseString(data)
+            item_node = doc.getElementsByTagName("RequestId")
+            self.requestId = item_node[0].childNodes[0].data
+            doc.unlink()
+            self.requestId = self.requestId.strip()
+            if self.requestId is None:
+                raise RuntimeError("Unable to determine RA certificate requestId")
         else:
             conn.close()
             raise RuntimeError("Unable to submit RA cert request")
@@ -778,6 +788,22 @@ class CAInstance(service.Service):
         os.chown(self.ra_agent_db + "/secmod.db", 0, pent.pw_gid )
         os.chown(self.ra_agent_pwd, 0, pent.pw_gid)
 
+    def __setup_sign_profile(self):
+        caconfig = "/var/lib/pki-ca/conf/CS.cfg"
+
+        if not ipautil.file_exists('/var/lib/pki-ca/profiles/ca/caJarSigningCert.cfg'):
+            profile = ipautil.template_file(ipautil.SHARE_DIR + "caJarSigningCert.cfg.template", {})
+            fd = open("/var/lib/pki-ca/profiles/ca/caJarSigningCert.cfg", "w")
+            fd.write(profile)
+            fd.close()
+
+        profilelist = installutils.get_directive(caconfig, "profile.list", separator="=")
+        if profilelist.find('caJarSigningCert') < 0:
+            profilelist = profilelist + ',caJarSigningCert'
+            installutils.set_directive(caconfig, 'profile.list', profilelist, quotes=False, separator='=')
+            installutils.set_directive(caconfig, 'profile.caJarSigningCert.class_id', 'caEnrollImpl', quotes=False, separator='=')
+            installutils.set_directive(caconfig, 'profile.caJarSigningCert.config', '/var/lib/pki-ca/profiles/ca/caJarSigningCert.cfg', quotes=False, separator='=')
+
     def uninstall(self):
         try:
             ipautil.run(["/usr/bin/pkiremove", "-pki_instance_root=/var/lib",
-- 
cgit