author | Stanislav Laznicka <slaznick@redhat.com> | 2016-12-20 10:23:47 +0100 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2017-03-01 09:43:41 +0000 |
commit | 0a54fac02cecad3b9e3bf8ad0c8a44df3b701857 (patch) | |
tree | 6b1afebc7aa6c20eba16024011f292b5722a6107 | |
parent | 6b074ad833a12acbd4643795b2150fa7f019d6b2 (diff) | |
Remove NSSConnection from Dogtag
Replaced NSSConnection with Python's httplib.HTTPSConnection.
This class is OpenSSL-based.
A client certificate with a private key is required to authenticate
against the certificate server. We use the RA_AGENT_PEM file, which
already exists.
https://fedorahosted.org/freeipa/ticket/5695
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
-rw-r--r-- | ipapython/dogtag.py | 24 | ||||
-rw-r--r-- | ipaserver/install/cainstance.py | 6 | ||||
-rw-r--r-- | ipaserver/install/certs.py | 27 | ||||
-rw-r--r-- | ipaserver/install/ipa_replica_prepare.py | 7 | ||||
-rw-r--r-- | ipaserver/plugins/dogtag.py | 41 |
5 files changed, 42 insertions, 63 deletions
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index b17175413..4aeb897fd 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -20,16 +20,16 @@ import collections import xml.dom.minidom -import nss.nss as nss import six # pylint: disable=import-error from six.moves.urllib.parse import urlencode # pylint: enable=import-error from ipalib import api, errors +from ipalib.util import create_https_connection from ipalib.errors import NetworkError from ipalib.text import _ -from ipapython import nsslib, ipautil +from ipapython import ipautil from ipapython.ipa_log_manager import root_logger # Python 3 rename. The package is available in "six.moves.http_client", but
@@ -131,8 +131,8 @@ def ca_status(ca_host=None): return _parse_ca_status(body) -def https_request(host, port, url, secdir, password, nickname, - method='POST', headers=None, body=None, **kw): +def https_request(host, port, url, cafile, client_certfile, + method='POST', headers=None, body=None, **kw): """ :param method: HTTP request method (defalut: 'POST') :param url: The path (not complete URL!) to post to.
@@ -145,16 +145,12 @@ def https_request(host, port, url, secdir, password, nickname, """ def connection_factory(host, port): - no_init = secdir == nsslib.current_dbdir - conn = nsslib.NSSConnection(host, port, dbdir=secdir, no_init=no_init, - tls_version_min=api.env.tls_version_min, - tls_version_max=api.env.tls_version_max) - conn.set_debuglevel(0) - conn.connect() - conn.sock.set_client_auth_data_callback( - nsslib.client_auth_data_callback, - nickname, password, nss.get_default_certdb()) - return conn + return create_https_connection( + host, port, + cafile=cafile, + client_certfile=client_certfile, + tls_version_min=api.env.tls_version_min, + tls_version_max=api.env.tls_version_max) if body is None: body = urlencode(kw)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 8f544ec1e..1a196f1de 100644
--- a/ipaserver/install/cainstance.py
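Review bot: The new `cafile` and `client_certfile` parameters of https_request are not described in the visible part of the docstring, which still documents only `method` and `url` (the `defalut` typo in the `:param method:` line is pre-existing); the docstring body between the -131 and -145 hunks is not shown, so please check it was updated together with the signature. Because no password is passed any more, `client_certfile` is presumably a PEM holding the RA agent certificate together with its private key, so the file's ownership and mode are now the only protection for that key, and the docstring should say so, e.g. `:param cafile: PEM bundle used to verify the CA server's certificate` and `:param client_certfile: PEM file with the client certificate and its private key (keep it readable by the owner only)`. Whether a `None` or empty `cafile` would disable server verification depends on create_https_connection, which is outside this diff; if it does not reject a missing CA file itself, a guard in connection_factory such as `if not cafile: raise ValueError("cafile is required to verify the CA server")` would make the requirement explicit rather than leaving it to the caller.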
+++ b/ipaserver/install/cainstance.py
@@ -1584,7 +1584,6 @@ def import_included_profiles(): cn=['certprofiles'], ) - api.Backend.ra_certprofile._read_password() api.Backend.ra_certprofile.override_port = 8443 for (profile_id, desc, store_issued) in dogtag.INCLUDED_PROFILES:
@@ -1621,7 +1620,6 @@ def repair_profile_caIPAserviceCert(): This function detects and repairs occurrences of this problem. """ - api.Backend.ra_certprofile._read_password() api.Backend.ra_certprofile.override_port = 8443 profile_id = 'caIPAserviceCert'
@@ -1664,8 +1662,6 @@ def migrate_profiles_to_ldap(): """ ensure_ldap_profiles_container() - - api.Backend.ra_certprofile._read_password() api.Backend.ra_certprofile.override_port = 8443 with open(paths.CA_CS_CFG_PATH) as f:
@@ -1750,8 +1746,6 @@ def ensure_ipa_authority_entry(): """ # find out authority id, issuer DN and subject DN of IPA CA - # - api.Backend.ra_lightweight_ca._read_password() api.Backend.ra_lightweight_ca.override_port = 8443 with api.Backend.ra_lightweight_ca as lwca: data = lwca.read_ca('host-authority')
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index bca2504ca..001b03f3b 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -330,7 +330,7 @@ class CertDB(object): except RuntimeError as e: root_logger.error("certmonger failed to stop tracking certificate: %s" % str(e)) - def create_server_cert(self, nickname, hostname, other_certdb=None, subject=None): + def create_server_cert(self, nickname, hostname, subject=None): """ If we are using a dogtag CA then other_certdb contains the RA agent key that will issue our cert.
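Review bot: The docstring of create_server_cert still says that `other_certdb` contains the RA agent key, but the new signature `def create_server_cert(self, nickname, hostname, subject=None):` drops that parameter, so the sentence is now stale. Since the method now always issues through `self.issue_server_cert` (hunk -339), the text could read `Request a server certificate for *hostname* from the CA, import it under *nickname* and return it in DER format.` The method body continues in the -339 hunk on the next line.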
@@ -339,13 +339,10 @@ class CertDB(object): Returns a certificate in DER format. """ - cdb = other_certdb - if not cdb: - cdb = self if subject is None: subject=DN(('CN', hostname), self.subject_base) self.request_cert(subject, san_dnsnames=[hostname]) - cdb.issue_server_cert(self.certreq_fname, self.certder_fname) + self.issue_server_cert(self.certreq_fname, self.certder_fname) self.import_cert(self.certder_fname, nickname) fd = open(self.certder_fname, "r") dercert = fd.read()
@@ -397,12 +394,12 @@ class CertDB(object): 'xmlOutput': 'true'} # Send the request to the CA - f = open(self.passwd_fname, "r") - password = f.readline() - f.close() result = dogtag.https_request( - self.host_name, 8443, "/ca/ee/ca/profileSubmitSSLClient", - self.secdir, password, "ipaCert", **params) + self.host_name, 8443, + url="/ca/ee/ca/profileSubmitSSLClient", + cafile=api.env.tls_ca_cert, + client_certfile=paths.RA_AGENT_PEM, + **params) http_status, _http_headers, http_body = result root_logger.debug("CA answer: %s", http_body)
@@ -451,12 +448,12 @@ class CertDB(object): 'xmlOutput': 'true'} # Send the request to the CA - f = open(self.passwd_fname, "r") - password = f.readline() - f.close() result = dogtag.https_request( - self.host_name, 8443, "/ca/ee/ca/profileSubmitSSLClient", - self.secdir, password, "ipaCert", **params) + self.host_name, 8443, + url="/ca/ee/ca/profileSubmitSSLClient", + cafile=api.env.tls_ca_cert, + client_certfile=paths.RA_AGENT_PEM, + **params) http_status, _http_headers, http_body = result if http_status != 200: raise RuntimeError("Unable to submit cert request")
diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index c77e7f6aa..14d5c7397 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
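Review bot: The https_request calls in the -397 and -451 hunks are now identical (`self.host_name`, 8443, the `/ca/ee/ca/profileSubmitSSLClient` URL, `api.env.tls_ca_cert` and `paths.RA_AGENT_PEM`), so a private helper such as `def _submit_to_ca(self, params): return dogtag.https_request(self.host_name, 8443, url="/ca/ee/ca/profileSubmitSSLClient", cafile=api.env.tls_ca_cert, client_certfile=paths.RA_AGENT_PEM, **params)` would keep the two call sites from drifting apart in which CA bundle or client certificate they trust. The four certs.py hunks account for all 27 lines in the diffstat, so this commit adds no import to that file and `api` and `paths` must already be in scope there — worth confirming, since a missing import would only surface as a NameError at request time. Both enclosing methods start outside their hunks.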
@@ -600,17 +600,14 @@ class ReplicaPrepare(admintool.AdminTool): db = certs.CertDB( api.env.realm, nssdir=self.dir, subject_base=subject_base) db.create_passwd_file() - ca_db = certs.CertDB( - api.env.realm, host_name=api.env.host, - subject_base=subject_base) db.create_from_cacert() - db.create_server_cert(nickname, hostname, ca_db) + db.create_server_cert(nickname, hostname) pkcs12_fname = os.path.join(self.dir, fname + ".p12") try: if is_kdc: - ca_db.export_pem_p12(pkcs12_fname, passwd_fname, + db.export_pem_p12(pkcs12_fname, passwd_fname, nickname, os.path.join(self.dir, "kdc.pem")) else: db.export_pkcs12(pkcs12_fname, passwd_fname, nickname)
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index 2156f0791..4ae10b9fe 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -1238,30 +1238,18 @@ class RestClient(Backend): return None def __init__(self, api): + self.ca_cert = api.env.tls_ca_cert if api.env.in_tree: - self.sec_dir = api.env.dot_ipa + os.sep + 'alias' - self.pwd_file = self.sec_dir + os.sep + '.pwd' + self.client_certfile = os.path.join( + api.env.dot_ipa, 'ra-agent.pem') else: - self.sec_dir = paths.IPA_RADB_DIR - self.pwd_file = os.path.join(paths.IPA_RADB_DIR, 'pwdfile.txt') - self.noise_file = self.sec_dir + os.sep + '.noise' - self.ipa_key_size = "2048" - self.ipa_certificate_nickname = "ipaCert" - self.ca_certificate_nickname = "caCert" - self._read_password() + self.client_certfile = paths.RA_AGENT_PEM super(RestClient, self).__init__(api) # session cookie self.override_port = None self.cookie = None - def _read_password(self): - try: - with open(self.pwd_file) as f: - self.password = f.readline().strip() - except IOError: - self.password = '' - @cachedproperty def ca_host(self): """
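Review bot: In the `is_kdc` branch only the first line changed from `ca_db.export_pem_p12(pkcs12_fname, passwd_fname,` to `db.export_pem_p12(pkcs12_fname, passwd_fname,`, while its continuation `nickname, os.path.join(self.dir, "kdc.pem"))` is unchanged context and is therefore presumably still aligned to the old, three-characters-longer call; re-indent it to line up with the new opening parenthesis. With `ca_db` gone, the KDC PEM is now exported from the per-replica database `db`, which is consistent with the certificate being imported into `db` by create_server_cert; a short comment such as `# the server cert was imported into db by create_server_cert, so export from there` would record why the export source changed. The enclosing method starts before this hunk and continues after it.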
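Review bot: In RestClient.__init__ the in-tree branch hard-codes the file name `'ra-agent.pem'` while the installed branch uses `paths.RA_AGENT_PEM`; `os.path.join(api.env.dot_ipa, os.path.basename(paths.RA_AGENT_PEM))` would keep the two locations from diverging. The removed `_read_password` degraded to an empty password when its file was missing, whereas nothing now checks that `self.client_certfile` exists or is readable, so a missing or unreadable RA agent PEM will surface only as a connection error at the first request; a comment on the assignment such as `# PEM with the RA agent certificate and private key; errors surface at connect time` would make that explicit. `self.ca_cert` is presumably the CA bundle used to verify the Dogtag server, since it is passed as `cafile` in the hunks that follow; a one-line comment saying so would help, as the name alone does not say which side of the connection it validates. The class body continues past this hunk.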
@@ -1288,8 +1276,9 @@ class RestClient(Backend): return status, resp_headers, _resp_body = dogtag.https_request( self.ca_host, self.override_port or self.env.ca_agent_port, - '/ca/rest/account/login', - self.sec_dir, self.password, self.ipa_certificate_nickname, + url='/ca/rest/account/login', + cafile=self.ca_cert, + client_certfile=self.client_certfile, method='GET' ) cookies = ipapython.cookie.Cookie.parse(resp_headers.get('set-cookie', ''))
@@ -1302,8 +1291,9 @@ class RestClient(Backend): """Log out of the REST API""" dogtag.https_request( self.ca_host, self.override_port or self.env.ca_agent_port, - '/ca/rest/account/logout', - self.sec_dir, self.password, self.ipa_certificate_nickname, + url='/ca/rest/account/logout', + cafile=self.ca_cert, + client_certfile=self.client_certfile, method='GET' ) self.cookie = None
@@ -1344,8 +1334,9 @@ class RestClient(Backend): # perform main request status, resp_headers, resp_body = dogtag.https_request( self.ca_host, self.override_port or self.env.ca_agent_port, - resource, - self.sec_dir, self.password, self.ipa_certificate_nickname, + url=resource, + cafile=self.ca_cert, + client_certfile=self.client_certfile, method=method, headers=headers, body=body ) if status < 200 or status >= 300:
@@ -1426,7 +1417,11 @@ class ra(rabase.rabase, RestClient): Perform an HTTPS request """ - return dogtag.https_request(self.ca_host, port, url, self.sec_dir, self.password, self.ipa_certificate_nickname, **kw) + return dogtag.https_request( + self.ca_host, port, url, + cafile=self.ca_cert, + client_certfile=self.client_certfile, + **kw) def get_parse_result_xml(self, xml_text, parse_func): ''' |
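Review bot: The credential pair `cafile=self.ca_cert, client_certfile=self.client_certfile` is now repeated in all four https_request calls of this file (hunks -1288, -1302, -1344 and -1426), together with `self.override_port or self.env.ca_agent_port` in the first three; a private wrapper on RestClient such as `def _https_request(self, port, url, **kw): return dogtag.https_request(self.ca_host, port, url, cafile=self.ca_cert, client_certfile=self.client_certfile, **kw)` would make it impossible for one call site to drift to a different CA bundle or client certificate. The `ra` method at -1426 also passes `url` positionally while the three RestClient calls use `url=`; picking one form keeps the calls uniform. All four enclosing methods start outside their hunks.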