-rw-r--r-- | API.txt | 16 | ||||
-rw-r--r-- | VERSION | 4 | ||||
-rw-r--r-- | ipaserver/plugins/ca.py | 66 | ||||
-rw-r--r-- | ipaserver/plugins/dogtag.py | 6 |
4 files changed, 88 insertions, 4 deletions
@@ -465,6 +465,20 @@ option: Str('version?')
 output: Output('result', type=[<type 'dict'>])
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: ListOfPrimaryKeys('value')
+command: ca_disable/1
+args: 1,1,3
+arg: Str('cn', cli_name='name')
+option: Str('version?')
+output: Output('result', type=[<type 'bool'>])
+output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
+output: PrimaryKey('value')
+command: ca_enable/1
+args: 1,1,3
+arg: Str('cn', cli_name='name')
+option: Str('version?')
+output: Output('result', type=[<type 'bool'>])
+output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
+output: PrimaryKey('value')
 command: ca_find/1
 args: 1,11,4
 arg: Str('criteria?')
@@ -6249,6 +6263,8 @@ default: batch/1
 default: ca/1
 default: ca_add/1
 default: ca_del/1
+default: ca_disable/1
+default: ca_enable/1
 default: ca_find/1
 default: ca_is_enabled/1
 default: ca_mod/1
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
 # #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=213
-# Last change: dns: prompt for missing record parts in CLI
+IPA_API_VERSION_MINOR=214
+# Last change: ftweedal: add ca-disable and ca-enable commands
diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py
index 966ae2b1b..4d83fe81c 100644
--- a/ipaserver/plugins/ca.py
+++ b/ipaserver/plugins/ca.py
@@ -2,12 +2,12 @@
 # Copyright (C) 2016 FreeIPA Contributors see COPYING for license
 #
 
-from ipalib import api, errors, DNParam, Str
+from ipalib import api, errors, output, DNParam, Str
 from ipalib.constants import IPA_CA_CN
 from ipalib.plugable import Registry
 from ipaserver.plugins.baseldap import (
     LDAPObject, LDAPSearch, LDAPCreate, LDAPDelete,
-    LDAPUpdate, LDAPRetrieve)
+    LDAPUpdate, LDAPRetrieve, LDAPQuery, pkey_to_value)
 from ipaserver.plugins.cert import ca_enabled_check
 from ipalib import _, ngettext
 
@@ -18,6 +18,14 @@ Manage Certificate Authorities
 Subordinate Certificate Authorities (Sub-CAs) can be added for scoped issuance
 of X.509 certificates.
 
+CAs are enabled on creation, but their use is subject to CA ACLs unless the
+operator has permission to bypass CA ACLs.
+
+All CAs except the 'IPA' CA can be disabled or re-enabled. Disabling a CA
+prevents it from issuing certificates but does not affect the validity of its
+certificate.
+
+
 EXAMPLES:
 
   Create new CA, subordinate to the IPA CA.
@@ -25,6 +33,14 @@ EXAMPLES:
     ipa ca-add puppet --desc "Puppet" \\
       --subject "CN=Puppet CA,O=EXAMPLE.COM"
 
+  Disable a CA.
+
+    ipa ca-disable puppet
+
+  Re-enable a CA.
+
+    ipa ca-enable puppet
+
 """)
 
 
@@ -222,3 +238,49 @@ class ca_mod(LDAPUpdate):
                     reason=u'IPA CA cannot be renamed')
 
         return dn
+
+
+class CAQuery(LDAPQuery):
+    has_output = output.standard_value
+
+    def execute(self, cn, **options):
+        ca_enabled_check()
+
+        ca_id = self.api.Command.ca_show(cn)['result']['ipacaid'][0]
+        with self.api.Backend.ra_lightweight_ca as ca_api:
+            self.perform_action(ca_api, ca_id)
+
+        return dict(
+            result=True,
+            value=pkey_to_value(cn, options),
+        )
+
+    def perform_action(self, ca_api, ca_id):
+        raise NotImplementedError
+
+
+@register()
+class ca_disable(CAQuery):
+    __doc__ = _('Disable a CA.')
+    msg_summary = _('Disabled CA "%(value)s"')
+
+    def execute(self, cn, **options):
+        if cn == IPA_CA_CN:
+            raise errors.ProtectedEntryError(
+                label=_("CA"),
+                key=cn,
+                reason=_("IPA CA cannot be disabled"))
+
+        return super(ca_disable, self).execute(cn, **options)
+
+    def perform_action(self, ca_api, ca_id):
+        ca_api.disable_ca(ca_id)
+
+
+@register()
+class ca_enable(CAQuery):
+    __doc__ = _('Enable a CA.')
+    msg_summary = _('Enabled CA "%(value)s"')
+
+    def perform_action(self, ca_api, ca_id):
+        ca_api.enable_ca(ca_id)
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index aef1e888e..01e5f1383 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
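Review bot: `CAQuery.execute` performs no authorization check of its own before `self.perform_action(ca_api, ca_id)` sends the request to Dogtag through the `ra_lightweight_ca` backend; the only access control visible in this hunk is whatever `ca_show` enforces, which is a read. Unless `LDAPQuery` or a permission defined elsewhere in the plugin (not shown in this diff) gates these commands, any principal able to read a sub-CA entry could disable or enable it, because the backend call is made with the server's RA credentials rather than the caller's, whereas the LDAP-backed CA commands get their write authorization from directory ACIs. Before contacting Dogtag, check write access to the CA entry, e.g. `if not self.obj.backend.can_write(self.obj.get_dn(cn), 'ipacaid'): raise errors.ACIError(info=_("Insufficient privilege to modify a CA."))`, so that authorization is decided in IPA rather than implicitly delegated to the RA agent. Separately, `['result']['ipacaid'][0]` raises a bare `KeyError`/`IndexError` if the entry has no `ipacaid`; a guard that raises a framework error with the CA name would be clearer for the caller.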
@@ -2211,5 +2211,11 @@ class ra_lightweight_ca(RestClient):
             headers={'Accept': 'application/json'},
         )
 
+    def enable_ca(self, ca_id):
+        self._ssldo(
+            'POST', ca_id + '/enable',
+            headers={'Accept': 'application/json'},
+        )
+
     def delete_ca(self, ca_id):
         self._ssldo('DELETE', ca_id)
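Review bot: The result of `self._ssldo('POST', ca_id + '/enable', ...)` in `enable_ca` is discarded, so unless `_ssldo` itself raises on a non-success status (not visible in this hunk) a rejected or failed enable request is reported back to the `ca_enable` command as success, since that command unconditionally returns `result=True`. If `_ssldo` returns the status rather than raising, inspect it here and raise the same error type the other `ra_lightweight_ca` methods use for a failed Dogtag call, and add a one-line docstring such as `"""Enable the lightweight CA identified by ca_id via the Dogtag REST API."""`. The body also mirrors the method closed by the preceding `)` (presumably `disable_ca`) apart from the path suffix; a small private helper taking the action name would keep the two in step. The enclosing `ra_lightweight_ca` class starts outside the hunk.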