Add profiles and default CA ACL on migration

Profiles and the default CA ACL were not being added during replica
install from pre-4.2 servers.  Update ipa-replica-install to add
these if they are missing.

Also update the caacl plugin to prevent deletion of the default CA
ACL and instruct the administrator to disable it instead.

To ensure that the cainstance installation can add profiles, supply
the RA certificate as part of the instance configuration.
Certmonger renewal setup is avoided at this point because the NSSDB
gets reinitialised later in installation procedure.

Also move the addition of the default CA ACL from dsinstance
installation to cainstance installation.

Fixes: https://fedorahosted.org/freeipa/ticket/5459
Reviewed-By: Jan Cholasta <jcholast@redhat.com>

9 files changed, 90 insertions, 56 deletions

diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 92508a9ba..42f3972e1 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -31,7 +31,6 @@ app_DATA =				\
 	caJarSigningCert.cfg.template	\
 	custodia.conf.template		\
 	default-aci.ldif		\
-	default-caacl.ldif		\
 	default-hbac.ldif		\
 	default-smb-group.ldif		\
 	default-trust-view.ldif		\
diff --git a/install/share/default-caacl.ldif b/install/share/default-caacl.ldif
deleted file mode 100644
index f3cd5b4d4..000000000
--- a/install/share/default-caacl.ldif
+++ /dev/null
@@ -1,11 +0,0 @@
-# default CA ACL that grants use of caIPAserviceCert on top-level CA to all hosts and services
-dn: ipauniqueid=autogenerate,cn=caacls,cn=ca,$SUFFIX
-changetype: add
-objectclass: ipaassociation
-objectclass: ipacaacl
-ipauniqueid: autogenerate
-cn: hosts_services_caIPAserviceCert
-ipaenabledflag: TRUE
-ipamembercertprofile: cn=caIPAserviceCert,cn=certprofiles,cn=ca,$SUFFIX
-hostcategory: all
-servicecategory: all
diff --git a/install/updates/50-dogtag10-migration.update b/install/updates/50-dogtag10-migration.update
index 2ab9d15bd..0070c308a 100644
--- a/install/updates/50-dogtag10-migration.update
+++ b/install/updates/50-dogtag10-migration.update
@@ -16,3 +16,4 @@ addifexist:resourceACLS:certServer.ca.groups:execute:allow (execute) group="Admi
 addifexist:resourceACLS:certServer.ca.users:execute:allow (execute) group="Administrators":Admins may execute user operations
 replace:resourceACLS:certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group":Anybody is allowed to read domain.xml but only Subsystem group is allowed to modify the domain.xml::certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Anybody is allowed to read domain.xml but only Subsystem group and Enterprise Administrators are allowed to modify the domain.xml
 replace:resourceACLS:certServer.ca.connectorInfo:read,modify:allow (modify,read) group="Enterprise KRA Administrators":Only Enterprise Administrators are allowed to update the connector information::certServer.ca.connectorInfo:read,modify:allow (read) group="Enterprise KRA Administrators";allow (modify) group="Enterprise KRA Administrators" || group="Subsystem Group":Only Enterprise Administrators and Subsystem Group are allowed to update the connector information
+addifexist:resourceACLS:certServer.profile.configuration:read,modify:allow (read,modify) group="Certificate Manager Agents":Certificate Manager agents may modify (create/update/delete) and read profiles
diff --git a/ipalib/plugins/caacl.py b/ipalib/plugins/caacl.py
index 247d6df14..64dbec16e 100644
--- a/ipalib/plugins/caacl.py
+++ b/ipalib/plugins/caacl.py
@@ -307,6 +307,14 @@ class caacl_del(LDAPDelete):
 
     msg_summary = _('Deleted CA ACL "%(value)s"')
 
+    def pre_callback(self, ldap, dn, *keys, **options):
+        if keys[0] == 'hosts_services_caIPAserviceCert':
+            raise errors.ProtectedEntryError(
+                label=_("CA ACL"),
+                key=keys[0],
+                reason=_("default CA ACL can be only disabled"))
+        return dn
+
 
 @register()
 class caacl_mod(LDAPUpdate):
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index 8d0252cbb..51871f2dc 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -138,9 +138,10 @@ def install_step_0(standalone, replica_config, options):
         if standalone:
             api.Backend.ldap2.disconnect()
 
-        cainstance.install_replica_ca(replica_config, postinstall)
+        cainstance.install_replica_ca(replica_config, postinstall,
+                ra_p12=getattr(options, 'ra_p12', None))
 
-        if standalone:
+        if standalone and not api.Backend.ldap2.isconnected():
             api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
                                       bind_pw=dm_password)
 
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 448e42e2b..90edb362f 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -410,7 +410,7 @@ class CAInstance(DogtagInstance):
                            cert_file=None, cert_chain_file=None,
                            master_replication_port=None,
                            subject_base=None, ca_signing_algorithm=None,
-                           ca_type=None):
+                           ca_type=None, ra_p12=None):
         """Create a CA instance.
 
            For Dogtag 9, this may involve creating the pki-ca instance.
@@ -484,7 +484,10 @@ class CAInstance(DogtagInstance):
                 self.step("requesting RA certificate from CA", self.__request_ra_certificate)
                 self.step("issuing RA agent certificate", self.__issue_ra_cert)
                 self.step("adding RA agent as a trusted user", self.__create_ca_agent)
-                self.step("authorizing RA to modify profiles", self.__configure_profiles_acl)
+            elif ra_p12 is not None:
+                self.step("importing RA certificate from PKCS #12 file",
+                          lambda: self.import_ra_cert(ra_p12, configure_renewal=False))
+            self.step("authorizing RA to modify profiles", configure_profiles_acl)
             self.step("configure certmonger for renewals", self.configure_certmonger_renewal)
             self.step("configure certificate renewals", self.configure_renewal)
             if not self.clone:
@@ -492,9 +495,12 @@ class CAInstance(DogtagInstance):
             self.step("configure Server-Cert certificate renewal", self.track_servercert)
             self.step("Configure HTTP to proxy connections",
                       self.http_proxy)
-            if not self.clone:
-                self.step("restarting certificate server", self.restart_instance)
-                self.step("Importing IPA certificate profiles", import_included_profiles)
+            self.step("restarting certificate server", self.restart_instance)
+            self.step("migrating certificate profiles to LDAP",
+                      migrate_profiles_to_ldap)
+            self.step("importing IPA certificate profiles",
+                      import_included_profiles)
+            self.step("adding default CA ACL", ensure_default_caacl)
 
         self.start_creation(runtime=210)
 
@@ -921,7 +927,7 @@ class CAInstance(DogtagInstance):
 
         export_kra_agent_pem()
 
-    def import_ra_cert(self, rafile):
+    def import_ra_cert(self, rafile, configure_renewal=True):
         """
         Cloned RAs will use the same RA agent cert as the master so we
         need to import from a PKCS#12 file.
@@ -937,7 +943,8 @@ class CAInstance(DogtagInstance):
         finally:
             os.remove(agent_name)
 
-        self.configure_agent_renewal()
+        if configure_renewal:
+            self.configure_agent_renewal()
 
         export_kra_agent_pem()
 
@@ -987,10 +994,6 @@ class CAInstance(DogtagInstance):
 
         conn.disconnect()
 
-    def __configure_profiles_acl(self):
-        """Allow the Certificate Manager Agents group to modify profiles."""
-        configure_profiles_acl()
-
     def __run_certutil(self, args, database=None, pwd_file=None, stdin=None):
         if not database:
             database = self.ra_agent_db
@@ -1654,7 +1657,7 @@ def replica_ca_install_check(config):
         exit('IPA schema missing on master CA directory server')
 
 
-def install_replica_ca(config, postinstall=False):
+def install_replica_ca(config, postinstall=False, ra_p12=None):
     """
     Install a CA on a replica.
 
@@ -1691,7 +1694,7 @@ def install_replica_ca(config, postinstall=False):
         ca.create_ra_agent_db = False
     ca.configure_instance(config.host_name,
                           config.dirman_password, config.dirman_password,
-                          pkcs12_info=(cafile,),
+                          pkcs12_info=(cafile,), ra_p12=ra_p12,
                           master_host=config.master_host_name,
                           master_replication_port=config.ca_ds_port,
                           subject_base=config.subject_base)
@@ -1816,6 +1819,14 @@ def update_people_entry(dercert):
     return True
 
 def ensure_ldap_profiles_container():
+    ensure_entry(
+        DN(('ou', 'certificateProfiles'), ('ou', 'ca'), ('o', 'ipaca')),
+        objectclass=['top', 'organizationalUnit'],
+        ou=['certificateProfiles'],
+    )
+
+
+def ensure_entry(dn, **attrs):
     server_id = installutils.realm_to_serverid(api.env.realm)
     dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id
 
@@ -1823,40 +1834,39 @@ def ensure_ldap_profiles_container():
     if not conn.isconnected():
         conn.connect(autobind=True)
 
-    dn = DN(('ou', 'certificateProfiles'), ('ou', 'ca'), ('o', 'ipaca'))
     try:
         conn.get_entry(dn)
     except errors.NotFound:
         # entry doesn't exist; add it
-        entry = conn.make_entry(
-            dn,
-            objectclass=['top', 'organizationalUnit'],
-            ou=['certificateProfiles'],
-        )
+        entry = conn.make_entry(dn, **attrs)
         conn.add_entry(entry)
 
     conn.disconnect()
 
 
 def configure_profiles_acl():
+    """Allow the Certificate Manager Agents group to modify profiles."""
     server_id = installutils.realm_to_serverid(api.env.realm)
     dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id
     updated = False
 
     dn = DN(('cn', 'aclResources'), ('o', 'ipaca'))
-    rule = (
+    new_rules = [
         'certServer.profile.configuration:read,modify:allow (read,modify) '
         'group="Certificate Manager Agents":'
-        'Certificate Manager agents may modify (create/update/delete) and read profiles'
-    )
-    modlist = [(ldap.MOD_ADD, 'resourceACLS', [rule])]
+        'Certificate Manager agents may modify (create/update/delete) and read profiles',
+
+        'certServer.ca.account:login,logout:allow (login,logout) '
+        'user="anybody":Anybody can login and logout',
+    ]
 
     conn = ldap2.ldap2(api, ldap_uri=dogtag_uri)
     if not conn.isconnected():
         conn.connect(autobind=True)
-    rules = conn.get_entry(dn).get('resourceACLS', [])
-    if rule not in rules:
-        conn.conn.modify_s(str(dn), modlist)
+    cur_rules = conn.get_entry(dn).get('resourceACLS', [])
+    add_rules = [rule for rule in new_rules if rule not in cur_rules]
+    if add_rules:
+        conn.conn.modify_s(str(dn), [(ldap.MOD_ADD, 'resourceACLS', add_rules)])
         updated = True
 
     conn.disconnect()
@@ -1876,6 +1886,17 @@ def import_included_profiles():
     if not conn.isconnected():
         conn.connect(autobind=True)
 
+    ensure_entry(
+        DN(('cn', 'ca'), api.env.basedn),
+        objectclass=['top', 'nsContainer'],
+        cn=['ca'],
+    )
+    ensure_entry(
+        DN(api.env.container_certprofile, api.env.basedn),
+        objectclass=['top', 'nsContainer'],
+        cn=['certprofiles'],
+    )
+
     api.Backend.ra_certprofile._read_password()
     api.Backend.ra_certprofile.override_port = 8443
 
@@ -1981,6 +2002,33 @@ def _create_dogtag_profile(profile_id, profile_data):
                 "(it is probably already enabled)")
 
 
+def ensure_default_caacl():
+    """Add the default CA ACL if missing."""
+    if not api.Backend.ldap2.isconnected():
+        try:
+            api.Backend.ldap2.connect(autobind=True)
+        except errors.PublicError as e:
+            root_logger.error("Cannot connect to LDAP to add CA ACLs: %s", e)
+            return
+
+    ensure_entry(
+        DN(('cn', 'ca'), api.env.basedn),
+        objectclass=['top', 'nsContainer'],
+        cn=['ca'],
+    )
+    ensure_entry(
+        DN(api.env.container_caacl, api.env.basedn),
+        objectclass=['top', 'nsContainer'],
+        cn=['certprofiles'],
+    )
+
+    if not api.Command.caacl_find()['result']:
+        api.Command.caacl_add(u'hosts_services_caIPAserviceCert',
+            hostcategory=u'all', servicecategory=u'all')
+        api.Command.caacl_add_profile(u'hosts_services_caIPAserviceCert',
+            certprofile=(u'caIPAserviceCert',))
+
+
 if __name__ == "__main__":
     standard_logging_setup("install.log")
     ds = dsinstance.DsInstance()
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 7bdcaea31..c980ebf4e 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -332,7 +332,6 @@ class DsInstance(service.Service):
         self.step("adding range check plugin", self.__add_range_check_plugin)
         if hbac_allow:
             self.step("creating default HBAC rule allow_all", self.add_hbac)
-        self.step("creating default CA ACL rule", self.add_caacl)
         self.step("adding sasl mappings to the directory",
                   self.__configure_sasl_mappings)
         self.step("adding entries for topology management", self.__add_topology_entries)
@@ -874,9 +873,6 @@ class DsInstance(service.Service):
     def add_hbac(self):
         self._ldap_mod("default-hbac.ldif", self.sub_dict)
 
-    def add_caacl(self):
-        self._ldap_mod("default-caacl.ldif", self.sub_dict)
-
     def change_admin_password(self, password):
         root_logger.debug("Changing admin password")
         dirname = config_dirname(self.serverid)
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 5ce9eb709..492ea72d8 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -672,6 +672,9 @@ def install(installer):
         options.domain_name = config.domain_name
         options.host_name = config.host_name
 
+        if ipautil.file_exists(config.dir + "/cacert.p12"):
+            options.ra_p12 = config.dir + "/ra.p12"
+
         ca.install(False, config, options)
 
     krb = install_krb(config, setup_pkinit=not options.no_pkinit)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index b9621a39d..84339b0a2 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1328,18 +1328,7 @@ def add_default_caacl(ca):
         return
 
     if ca.is_configured():
-        if not api.Backend.ldap2.isconnected():
-            try:
-                api.Backend.ldap2.connect(autobind=True)
-            except ipalib.errors.PublicError as e:
-                root_logger.error("Cannot connect to LDAP to add CA ACLs: %s", e)
-                return
-
-        if not api.Command.caacl_find()['result']:
-            api.Command.caacl_add(u'hosts_services_caIPAserviceCert',
-                hostcategory=u'all', servicecategory=u'all')
-            api.Command.caacl_add_profile(u'hosts_services_caIPAserviceCert',
-                certprofile=(u'caIPAserviceCert',))
+        cainstance.ensure_default_caacl()
 
     sysupgrade.set_upgrade_state('caacl', 'add_default_caacl', True)