diff options
author | Endi S. Dewata <edewata@redhat.com> | 2015-09-04 06:30:27 +0200 |
---|---|---|
committer | Matthew Harmsen <mharmsen@redhat.com> | 2015-09-23 15:20:39 -0600 |
commit | c5853ed032768a32ba496f21db3720c6c3dd61e5 (patch) | |
tree | 6cc6d345e5e87223c663505ce4c874427a6c08be /base/server/python/pki/server/__init__.py | |
parent | 5a8996b20d297ed29a142f5d70f03b5af4e37484 (diff) | |
download | pki-c5853ed032768a32ba496f21db3720c6c3dd61e5.tar.gz pki-c5853ed032768a32ba496f21db3720c6c3dd61e5.tar.xz pki-c5853ed032768a32ba496f21db3720c6c3dd61e5.zip |
Added support for secure database connection in CLI.
The pki-server subsystem-cert-update has been modified to support
secure database connection with client certificate authentication.
The certificate and the private key will be exported temporarily
into PEM files so python-ldap can use them.
The pki client-cert-show has been modified to provide an option
to export client certificate's private key.
https://fedorahosted.org/pki/ticket/1551
(cherry picked from commit f153bd8a455953698e8af5085cd3cd7b368b1247)
Conflicts:
base/server/upgrade/10.2.0/01-AddTLSRangeSupport
Diffstat (limited to 'base/server/python/pki/server/__init__.py')
-rw-r--r-- | base/server/python/pki/server/__init__.py | 99 |
1 files changed, 92 insertions, 7 deletions
diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py index d00446567..89d4acfd5 100644 --- a/base/server/python/pki/server/__init__.py +++ b/base/server/python/pki/server/__init__.py @@ -28,7 +28,9 @@ import operator import os import pwd import re +import shutil import subprocess +import tempfile import pki @@ -162,18 +164,43 @@ class PKISubsystem(object): def open_database(self, name='internaldb'): + # TODO: add LDAPI support hostname = self.config['%s.ldapconn.host' % name] port = self.config['%s.ldapconn.port' % name] - bind_dn = self.config['%s.ldapauth.bindDN' % name] + secure = self.config['%s.ldapconn.secureConn' % name] - # TODO: add support for other authentication - # mechanisms (e.g. client cert authentication, LDAPI) - bind_password = self.instance.get_password(name) + if secure == 'true': + url = 'ldaps://%s:%s' % (hostname, port) - con = ldap.initialize('ldap://%s:%s' % (hostname, port)) - con.simple_bind_s(bind_dn, bind_password) + elif secure == 'false': + url = 'ldap://%s:%s' % (hostname, port) - return con + else: + raise Exception('Invalid parameter value in %s.ldapconn.secureConn: %s' % (name, secure)) + + connection = PKIDatabaseConnection(url) + + connection.set_security_database(self.instance.nssdb_dir) + + auth_type = self.config['%s.ldapauth.authtype' % name] + if auth_type == 'BasicAuth': + connection.set_credentials( + bind_dn=self.config['%s.ldapauth.bindDN' % name], + bind_password=self.instance.get_password(name) + ) + + elif auth_type == 'SslClientAuth': + connection.set_credentials( + client_cert_nickname=self.config['%s.ldapauth.clientCertNickname' % name], + nssdb_password=self.instance.get_password('internal') + ) + + else: + raise Exception('Invalid parameter value in %s.ldapauth.authtype: %s' % (name, auth_type)) + + connection.open() + + return connection def __repr__(self): return str(self.instance) + '/' + self.name @@ -337,6 +364,64 @@ class PKIInstance(object): return self.name +class PKIDatabaseConnection(object): + + def __init__(self, url='ldap://localhost:389'): + + self.url = url + + self.nssdb_dir = None + + self.bind_dn = None + self.bind_password = None + + self.client_cert_nickname = None + self.nssdb_password = None + + self.temp_dir = None + self.ldap = None + + def set_security_database(self, nssdb_dir=None): + self.nssdb_dir = nssdb_dir + + def set_credentials(self, bind_dn=None, bind_password=None, + client_cert_nickname=None, nssdb_password=None): + self.bind_dn = bind_dn + self.bind_password = bind_password + self.client_cert_nickname = client_cert_nickname + self.nssdb_password = nssdb_password + + def open(self): + + self.temp_dir = tempfile.mkdtemp() + + if self.nssdb_dir: + + ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, self.nssdb_dir) + + if self.client_cert_nickname: + + password_file = os.path.join(self.temp_dir, 'password.txt') + with open(password_file, 'w') as f: + f.write(self.nssdb_password) + + ldap.set_option(ldap.OPT_X_TLS_CERTFILE, self.client_cert_nickname) + ldap.set_option(ldap.OPT_X_TLS_KEYFILE, password_file) + + self.ldap = ldap.initialize(self.url) + + if self.bind_dn and self.bind_password: + self.ldap.simple_bind_s(self.bind_dn, self.bind_password) + + def close(self): + + if self.ldap: + self.ldap.unbind_s() + + if self.temp_dir: + shutil.rmtree(self.temp_dir) + + class PKIServerException(pki.PKIException): def __init__(self, message, exception=None, |