author | Endi S. Dewata <edewata@redhat.com> | 2015-09-04 06:30:27 +0200 |
---|---|---|
committer | Endi S. Dewata <edewata@redhat.com> | 2015-09-22 00:45:49 +0200 |
commit | bb6b49e0fba2b946c28d1beebfb6d22dfe6d568e (patch) | |
tree | b11fd549a5b8da298d071ec63c8543806387e4e9 /base/server/python | |
parent | 2c9121efc84c80c60e018911593406fc2e631bc9 (diff) | |
download | pki-bb6b49e0fba2b946c28d1beebfb6d22dfe6d568e.tar.gz pki-bb6b49e0fba2b946c28d1beebfb6d22dfe6d568e.tar.xz pki-bb6b49e0fba2b946c28d1beebfb6d22dfe6d568e.zip |
Added support for secure database connection in CLI.
The pki-server subsystem-cert-update has been modified to support
secure database connection with client certificate authentication.
The pki client-cert-show has been modified to provide an option
to export client certificate's private key.
https://fedorahosted.org/pki/ticket/1551
Diffstat (limited to 'base/server/python')
-rw-r--r-- | base/server/python/pki/server/__init__.py | 99 | ||||
-rw-r--r-- | base/server/python/pki/server/ca.py | 8 |
2 files changed, 96 insertions, 11 deletions
diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
index 70e35b8f2..ec4dd7e9c 100644
--- a/base/server/python/pki/server/__init__.py
+++ b/base/server/python/pki/server/__init__.py
@@ -29,7 +29,9 @@ import operator
 import os
 import pwd
 import re
+import shutil
 import subprocess
+import tempfile
 import pki
@@ -163,18 +165,43 @@ class PKISubsystem(object):
 def open_database(self, name='internaldb'):
+ # TODO: add LDAPI support
 hostname = self.config['%s.ldapconn.host' % name]
 port = self.config['%s.ldapconn.port' % name]
- bind_dn = self.config['%s.ldapauth.bindDN' % name]
+ secure = self.config['%s.ldapconn.secureConn' % name]
- # TODO: add support for other authentication
- # mechanisms (e.g. client cert authentication, LDAPI)
- bind_password = self.instance.get_password(name)
+ if secure == 'true':
+ url = 'ldaps://%s:%s' % (hostname, port)
- con = ldap.initialize('ldap://%s:%s' % (hostname, port))
- con.simple_bind_s(bind_dn, bind_password)
+ elif secure == 'false':
+ url = 'ldap://%s:%s' % (hostname, port)
- return con
+ else:
+ raise Exception('Invalid parameter value in %s.ldapconn.secureConn: %s' % (name, secure))
+
+ connection = PKIDatabaseConnection(url)
+
+ connection.set_security_database(self.instance.nssdb_dir)
+
+ auth_type = self.config['%s.ldapauth.authtype' % name]
+ if auth_type == 'BasicAuth':
+ connection.set_credentials(
+ bind_dn=self.config['%s.ldapauth.bindDN' % name],
+ bind_password=self.instance.get_password(name)
+ )
+
+ elif auth_type == 'SslClientAuth':
+ connection.set_credentials(
+ client_cert_nickname=self.config['%s.ldapauth.clientCertNickname' % name],
+ nssdb_password=self.instance.get_password('internal')
+ )
+
+ else:
+ raise Exception('Invalid parameter value in %s.ldapauth.authtype: %s' % (name, auth_type))
+
+ connection.open()
+
+ return connection
 def __repr__(self):
 return str(self.instance) + '/' + self.name
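Review bot: Nothing in the new `open_database` ties `ldapauth.authtype` to `ldapconn.secureConn`, so `SslClientAuth` is accepted together with `secure == 'false'`: the certificate credentials are stored on the connection but the resulting `ldap://` session cannot present them, and, as far as the new `PKIDatabaseConnection.open()` shows, no bind is issued at all in that branch. A guard before the `elif auth_type == 'SslClientAuth'` branch such as `if auth_type == 'SslClientAuth' and secure != 'true': raise PKIServerException('%s.ldapauth.authtype=SslClientAuth requires %s.ldapconn.secureConn=true' % (name, name))` rejects the misconfiguration up front instead of silently opening an unauthenticated connection. The two new `raise Exception('Invalid parameter value in ...')` lines would likewise read better as `PKIServerException(...)`, which this file defines with `message` as its first argument, so callers can catch a configuration error without catching everything.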
@@ -343,6 +370,64 @@ class PKIInstance(object):
 return self.name
+class PKIDatabaseConnection(object):
+
+ def __init__(self, url='ldap://localhost:389'):
+
+ self.url = url
+
+ self.nssdb_dir = None
+
+ self.bind_dn = None
+ self.bind_password = None
+
+ self.client_cert_nickname = None
+ self.nssdb_password = None
+
+ self.temp_dir = None
+ self.ldap = None
+
+ def set_security_database(self, nssdb_dir=None):
+ self.nssdb_dir = nssdb_dir
+
+ def set_credentials(self, bind_dn=None, bind_password=None,
+ client_cert_nickname=None, nssdb_password=None):
+ self.bind_dn = bind_dn
+ self.bind_password = bind_password
+ self.client_cert_nickname = client_cert_nickname
+ self.nssdb_password = nssdb_password
+
+ def open(self):
+
+ self.temp_dir = tempfile.mkdtemp()
+
+ if self.nssdb_dir:
+
+ ldap.set_option(ldap.OPT_X_TLS_CACERTDIR, self.nssdb_dir)
+
+ if self.client_cert_nickname:
+
+ password_file = os.path.join(self.temp_dir, 'password.txt')
+ with open(password_file, 'w') as f:
+ f.write(self.nssdb_password)
+
+ ldap.set_option(ldap.OPT_X_TLS_CERTFILE, self.client_cert_nickname)
+ ldap.set_option(ldap.OPT_X_TLS_KEYFILE, password_file)
+
+ self.ldap = ldap.initialize(self.url)
+
+ if self.bind_dn and self.bind_password:
+ self.ldap.simple_bind_s(self.bind_dn, self.bind_password)
+
+ def close(self):
+
+ if self.ldap:
+ self.ldap.unbind_s()
+
+ if self.temp_dir:
+ shutil.rmtree(self.temp_dir)
+
+
 class PKIServerException(pki.PKIException):
 def __init__(self, message, exception=None,
diff --git a/base/server/python/pki/server/ca.py b/base/server/python/pki/server/ca.py
index 70ebf4dd1..31e373ad8 100644
--- a/base/server/python/pki/server/ca.py
+++ b/base/server/python/pki/server/ca.py
@@ -45,13 +45,13 @@ class CASubsystem(pki.server.PKISubsystem):
 con = self.open_database()
- entries = con.search_s(
+ entries = con.ldap.search_s(
 'ou=ca,ou=requests,%s' % base_dn,
 ldap.SCOPE_ONELEVEL,
 search_filter,
 None)
- con.unbind_s()
+ con.close()
 requests = []
 for entry in entries:
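Review bot: `PKIDatabaseConnection.open()` leaves the temporary directory holding the NSS database password on disk whenever anything after `tempfile.mkdtemp()` raises (`ldap.initialize`, `simple_bind_s`), because callers only reach `close()` on the success path, and `close()` itself skips `shutil.rmtree` if `unbind_s` raises first. Wrapping the body of `open()` so that a failure calls `close()` before re-raising, and turning `close()` into a try/finally, keeps `password.txt` from outliving a failed open; the rewrite below does that and also resets `self.ldap`/`self.temp_dir` so a second `close()` is harmless. The password file is created with `open(password_file, 'w')` under the process umask; `mkdtemp()` gives the directory mode 0700 so the file is shielded by it, but creating it with `os.open(password_file, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)` would not depend on that. Separately, when only `client_cert_nickname` is set no bind is issued at all, so the session appears to stay anonymous unless the directory server maps the TLS client identity on its own; a SASL EXTERNAL bind (`self.ldap.sasl_interactive_bind_s('', ldap.sasl.external())`) is the python-ldap way to claim the certificate identity, worth confirming against the server configuration this is meant to work with.
```python
    def open(self):

        self.temp_dir = tempfile.mkdtemp()

        try:
            # … unchanged: TLS option setup and password file under self.temp_dir …

            self.ldap = ldap.initialize(self.url)

            if self.bind_dn and self.bind_password:
                self.ldap.simple_bind_s(self.bind_dn, self.bind_password)

        except Exception:
            # a failed open must not leave the password file behind
            self.close()
            raise

    def close(self):

        try:
            if self.ldap:
                self.ldap.unbind_s()
        finally:
            self.ldap = None
            if self.temp_dir:
                shutil.rmtree(self.temp_dir)
                self.temp_dir = None
```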
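Review bot: In the ca.py hunk `con.close()` is only reached when `con.ldap.search_s(...)` returns normally, so an LDAP error (bad filter, server down, size limit) leaves the connection unbound and, with client-certificate authentication, the temporary directory holding the NSS database password on disk. The search should run inside `try:` with `con.close()` in a `finally:` block so the connection is always torn down; the same applies to the second ca.py hunk (`get_cert_request`, `@@ -65,13 +65,13 @@`). The enclosing functions start before and end after these hunks, so the surrounding code is not visible here.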
@@ -65,13 +65,13 @@ class CASubsystem(pki.server.PKISubsystem):
 con = self.open_database()
- entries = con.search_s(
+ entries = con.ldap.search_s(
 'cn=%s,ou=ca,ou=requests,%s' % (request_id, base_dn),
 ldap.SCOPE_BASE,
 '(objectClass=*)',
 None)
- con.unbind_s()
+ con.close()
 entry = entries[0]
 return self.create_request_object(entry)