authorFlorence Blanc-Renaud <flo@redhat.com>2016-10-25 08:49:10 +0200
committerDavid Kupka <dkupka@redhat.com>2016-11-10 14:15:57 +0100
commit808b1436b4158cb6f926ac2b5bd0979df6ea7e9f (patch)
tree16d163b00306d976c4f4dcec66a69b6316c080bf /ipapython
parent7462adec13c5b25b6868d2863dc38062c97d0ff7 (diff)
Refactor installer code requesting certificates
- Temporarily modify the certmonger dogtag-ipa-ca-renew helper to request the IPA RA agent cert, using the temporary cert created during pkispawn. The cert request is now processed through certmonger, and the helper arguments are restored once the agent cert is obtained.
- Modify the installer code creating the HTTP and LDAP certificates to use certmonger's IPA helper with temporary parameters (calling dogtag-submit instead of ipa-submit).
- Clean-up for the integration tests: sometimes the ipa renewal.lock is not released during ipa-server-uninstall. Make sure that the file is removed to allow future installations.
https://fedorahosted.org/freeipa/ticket/6433 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Diffstat (limited to 'ipapython')
-rw-r--r--ipapython/certmonger.py65
1 files changed, 61 insertions, 4 deletions
diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py
index 765f9e887..6f0948af6 100644
--- a/ipapython/certmonger.py
+++ b/ipapython/certmonger.py
@@ -297,9 +297,27 @@ def add_subject(request_id, subject):
add_request_value(request_id, 'template-subject', subject)
+def request_and_wait_for_cert(
+ nssdb, nickname, subject, principal, passwd_fname=None,
+ dns=None, ca='IPA', profile=None,
+ pre_command=None, post_command=None):
+ """
+ Execute certmonger to request a server certificate.
+
+ The method also waits for the certificate to be available.
+ """
+ reqId = request_cert(nssdb, nickname, subject, principal,
+ passwd_fname, dns, ca, profile,
+ pre_command, post_command)
+ state = wait_for_request(reqId, timeout=60)
+ ca_error = get_request_value(reqId, 'ca-error')
+ if state != 'MONITORING' or ca_error:
+ raise RuntimeError("Certificate issuance failed")
+ return reqId
+
def request_cert(
nssdb, nickname, subject, principal, passwd_fname=None,
- dns=None):
+ dns=None, ca='IPA', profile=None, pre_command=None, post_command=None):
"""
Execute certmonger to request a server certificate.
@@ -307,18 +325,33 @@ def request_cert(
A sequence of DNS names to appear in SAN request extension.
"""
cm = _certmonger()
- ca_path = cm.obj_if.find_ca_by_nickname('IPA')
+ ca_path = cm.obj_if.find_ca_by_nickname(ca)
if not ca_path:
- raise RuntimeError('IPA CA not found')
+ raise RuntimeError('{} CA not found'.format(ca))
request_parameters = dict(KEY_STORAGE='NSSDB', CERT_STORAGE='NSSDB',
CERT_LOCATION=nssdb, CERT_NICKNAME=nickname,
KEY_LOCATION=nssdb, KEY_NICKNAME=nickname,
- SUBJECT=subject, PRINCIPAL=[principal],
+ SUBJECT=subject,
CA=ca_path)
+ if principal:
+ request_parameters['PRINCIPAL'] = [principal]
if dns is not None and len(dns) > 0:
request_parameters['DNS'] = dns
if passwd_fname:
request_parameters['KEY_PIN_FILE'] = passwd_fname
+ if profile:
+ request_parameters['ca-profile'] = profile
+
+ certmonger_cmd_template = paths.CERTMONGER_COMMAND_TEMPLATE
+ if pre_command:
+ if not os.path.isabs(pre_command):
+ pre_command = certmonger_cmd_template % (pre_command)
+ request_parameters['cert-presave-command'] = pre_command
+ if post_command:
+ if not os.path.isabs(post_command):
+ post_command = certmonger_cmd_template % (post_command)
+ request_parameters['cert-postsave-command'] = post_command
+
result = cm.obj_if.add_request(request_parameters)
try:
if result[0]:
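Review bot: The docstring of `request_cert` (its opening sentence sits above the hunk, the DNS sentence is the first line shown) still documents only the original parameters; the new `ca`, `profile`, `pre_command` and `post_command` arguments and the now-optional `principal` are undocumented. The pre/post-save handling deserves a sentence in particular: a bare name is expanded through `paths.CERTMONGER_COMMAND_TEMPLATE`, but anything `os.path.isabs` accepts is handed to certmonger verbatim as `cert-presave-command`/`cert-postsave-command`, and certmonger executes those commands itself (presumably with its own, root-level privileges), so only fixed, trusted paths should ever reach this function. I would add: `pre_command/post_command: command certmonger runs before/after saving the certificate. A bare name is expanded with CERTMONGER_COMMAND_TEMPLATE; an absolute path is passed through unchanged and executed by certmonger, so pass only trusted, fixed paths.` and, for `principal`, a note that when it is falsy the request is created without a PRINCIPAL parameter. The function continues past the hunk with the `add_request` result handling, so that part is not reviewed here.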
@@ -454,6 +487,30 @@ def remove_principal_from_cas():
ca.prop_if.Set(DBUS_CM_CA_IF, 'external-helper', ext_helper)
+def modify_ca_helper(ca_name, helper):
+ """
+ Modify certmonger CA helper.
+
+ Applies the new helper and return the previous configuration.
+ """
+ bus = dbus.SystemBus()
+ obj = bus.get_object('org.fedorahosted.certmonger',
+ '/org/fedorahosted/certmonger')
+ iface = dbus.Interface(obj, 'org.fedorahosted.certmonger')
+ path = iface.find_ca_by_nickname(ca_name)
+ if not path:
+ raise RuntimeError("{} is not configured".format(ca_name))
+ else:
+ ca_obj = bus.get_object('org.fedorahosted.certmonger', path)
+ ca_iface = dbus.Interface(ca_obj,
+ 'org.freedesktop.DBus.Properties')
+ old_helper = ca_iface.Get('org.fedorahosted.certmonger.ca',
+ 'external-helper')
+ ca_iface.Set('org.fedorahosted.certmonger.ca',
+ 'external-helper', helper)
+ return old_helper
+
+
def get_pin(token):
"""
Dogtag stores its NSS pin in a file formatted as token:PIN.
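Review bot: `modify_ca_helper` replaces the CA's `external-helper` and relies entirely on the caller to write the returned `old_helper` back; if the certificate request that follows raises, nothing in this file guarantees the revert, and the commit description suggests the restore happens only once the agent cert is obtained, so an aborted install could leave the production CA pointing at the temporary helper arguments. Unless the callers (outside this hunk) wrap the swap in try/finally, a small context manager built on this function would make the restore unconditional. Separately, the hunk hand-rolls the D-Bus lookup and repeats the `'org.fedorahosted.certmonger.ca'` string, while `remove_principal_from_cas` just above uses `DBUS_CM_CA_IF` for the same interface; using the constant, e.g. `ca_iface.Set(DBUS_CM_CA_IF, 'external-helper', helper)`, and dropping the `else:` after the `raise` would keep the two helpers consistent. The wrapper below needs `contextlib` imported at the top of the file.
```python
@contextlib.contextmanager
def temporary_ca_helper(ca_name, helper):
    """Swap the CA's external-helper for the duration of the block,
    restoring the previous value even if the block raises."""
    old_helper = modify_ca_helper(ca_name, helper)
    try:
        yield old_helper
    finally:
        modify_ca_helper(ca_name, old_helper)
```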