author | Fraser Tweedale <ftweedal@redhat.com> | 2016-05-09 17:00:54 +1000 |
---|---|---|
committer | Endi S. Dewata <edewata@redhat.com> | 2016-05-14 00:57:49 +0200 |
commit | f306058c4fb2f1e80e753b744a4d26eaa53a293f (patch) | |
tree | a28e137166083b3f6da7e98bed0c266a4e879733 /base/server | |
parent | b6bba0ff4d35444ae9b5123c089a13d93ad94af8 (diff) | |
Add pki-server ca-db-upgrade command
Add the 'ca-db-upgrade' command to 'pki-server'. This command
updates certificate records to add the issuerName attribute where
missing. If other database updates are needed in future, they can
be added to this command.
Part of: https://fedorahosted.org/pki/ticket/1667
Diffstat (limited to 'base/server')
-rw-r--r-- | base/server/python/pki/server/cli/ca.py | 81 |
1 files changed, 81 insertions, 0 deletions
diff --git a/base/server/python/pki/server/cli/ca.py b/base/server/python/pki/server/cli/ca.py
index dbf8239f4..428345db4 100644
--- a/base/server/python/pki/server/cli/ca.py
+++ b/base/server/python/pki/server/cli/ca.py
@@ -22,6 +22,8 @@ from __future__ import absolute_import
 from __future__ import print_function
 import getopt
 import io
+import ldap
+import nss.nss as nss
 import os
 import shutil
 import sys
@@ -38,6 +40,7 @@ class CACLI(pki.cli.CLI):
 self.add_module(CACertCLI())
 self.add_module(CACloneCLI())
+ self.add_module(CADBUpgrade())
 class CACertCLI(pki.cli.CLI):
@@ -407,3 +410,81 @@ class CAClonePrepareCLI(pki.cli.CLI):
 finally:
 shutil.rmtree(tmpdir)
+
+
+class CADBUpgrade(pki.cli.CLI):
+ def __init__(self):
+ super(CADBUpgrade, self).__init__(
+ 'db-upgrade', 'Upgrade certificate records')
+
+ def usage(self):
+ print('Usage: pki-server ca-db-upgrade [OPTIONS]')
+ print()
+ print(' -i, --instance <instance ID> Instance ID (default: pki-tomcat).')
+ print(' -v, --verbose Run in verbose mode.')
+ print(' --help Show help message.')
+ print()
+
+ def execute(self, args):
+ try:
+ opts, _ = getopt.gnu_getopt(
+ args, 'i:v', ['instance=', 'verbose', 'help'])
+
+ except getopt.GetoptError as e:
+ print('ERROR: ' + str(e))
+ self.usage()
+ sys.exit(1)
+
+ instance_name = 'pki-tomcat'
+
+ for o, a in opts:
+ if o in ('-i', '--instance'):
+ instance_name = a
+
+ elif o in ('-v', '--verbose'):
+ self.set_verbose(True)
+
+ elif o == '--help':
+ self.print_help()
+ sys.exit()
+
+ else:
+ print('ERROR: unknown option ' + o)
+ self.usage()
+ sys.exit(1)
+
+ nss.nss_init_nodb()
+
+ instance = pki.server.PKIInstance(instance_name)
+ instance.load()
+
+ subsystem = instance.get_subsystem('ca')
+ base_dn = subsystem.config['internaldb.basedn']
+ conn = subsystem.open_database()
+ try:
+ entries = conn.ldap.search_s(
+ 'ou=certificateRepository,ou=ca,%s' % base_dn,
+ ldap.SCOPE_ONELEVEL,
+ '(&(objectclass=certificateRecord)(!(issuerName=*)))',
+ None)
+ for entry in entries:
+ self.__add_issuer(conn, entry)
+ finally:
+ conn.close()
+
+ @staticmethod
+ def __add_issuer(conn, entry):
+ dn, attrs = entry
+ attr_cert = attrs.get('userCertificate;binary')
+ if not attr_cert:
+ return # shouldn't happen, but nothing we can do if it does
+
+ cert = nss.Certificate(bytearray(attr_cert[0]))
+ issuer_name = str(cert.issuer)
+
+ try:
+ conn.ldap.modify_s(dn, [(ldap.MOD_ADD, 'issuerName', issuer_name)])
+ except ldap.LDAPError as e:
+ print(
+ 'Failed to add issuerName to certificate {}: {}'
+ .format(attrs.get('cn', ['<unknown>'])[0], e)) |
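Review bot: In `__add_issuer` only the `modify_s` call is guarded; a record whose `userCertificate;binary` value does not parse raises out of `nss.Certificate(...)` and aborts the whole run, leaving earlier records updated and later ones untouched, whereas a failed modify is merely reported and the loop continues. The two per-record failure modes deserve the same treatment so one damaged entry cannot stop the upgrade, and the empty-attribute `return` should name the record it skips, since the command otherwise gives no sign that an entry was left without issuerName; the parse error type is `nss.error.NSPRError`, which the file would need to import. A short docstring on `CADBUpgrade` noting that the command can safely be re-run — the filter `(!(issuerName=*))` only selects records still missing the attribute — would help operators after a partial failure. The hunk's context lines are the tail of `CAClonePrepareCLI.execute`, which starts outside the hunk.
```python
    def __add_issuer(conn, entry):
        dn, attrs = entry
        attr_cert = attrs.get('userCertificate;binary')
        if not attr_cert:
            print('Skipping {}: no userCertificate;binary'.format(dn))
            return

        try:
            cert = nss.Certificate(bytearray(attr_cert[0]))
        except NSPRError as e:  # nss.error.NSPRError, imported at file top
            print('Failed to parse certificate {}: {}'.format(dn, e))
            return
        issuer_name = str(cert.issuer)
        # … unchanged: modify_s call and its LDAPError handling …
```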