-rw-r--r--API.txt16
-rw-r--r--VERSION4
-rw-r--r--ipaserver/plugins/ca.py66
-rw-r--r--ipaserver/plugins/dogtag.py6
4 files changed, 88 insertions, 4 deletions
diff --git a/API.txt b/API.txt
index fb5bf83ce..f3b2938da 100644
--- a/API.txt
+++ b/API.txt
@@ -465,6 +465,20 @@ option: Str('version?')
output: Output('result', type=[<type 'dict'>])
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: ListOfPrimaryKeys('value')
+command: ca_disable/1
+args: 1,1,3
+arg: Str('cn', cli_name='name')
+option: Str('version?')
+output: Output('result', type=[<type 'bool'>])
+output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
+output: PrimaryKey('value')
+command: ca_enable/1
+args: 1,1,3
+arg: Str('cn', cli_name='name')
+option: Str('version?')
+output: Output('result', type=[<type 'bool'>])
+output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
+output: PrimaryKey('value')
command: ca_find/1
args: 1,11,4
arg: Str('criteria?')
@@ -6249,6 +6263,8 @@ default: batch/1
default: ca/1
default: ca_add/1
default: ca_del/1
+default: ca_disable/1
+default: ca_enable/1
default: ca_find/1
default: ca_is_enabled/1
default: ca_mod/1
diff --git a/VERSION b/VERSION
index 24e16b337..5f138f589 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
# #
########################################################
IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=213
-# Last change: dns: prompt for missing record parts in CLI
+IPA_API_VERSION_MINOR=214
+# Last change: ftweedal: add ca-disable and ca-enable commands
diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py
index 966ae2b1b..4d83fe81c 100644
--- a/ipaserver/plugins/ca.py
+++ b/ipaserver/plugins/ca.py
@@ -2,12 +2,12 @@
# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
#
-from ipalib import api, errors, DNParam, Str
+from ipalib import api, errors, output, DNParam, Str
from ipalib.constants import IPA_CA_CN
from ipalib.plugable import Registry
from ipaserver.plugins.baseldap import (
LDAPObject, LDAPSearch, LDAPCreate, LDAPDelete,
- LDAPUpdate, LDAPRetrieve)
+ LDAPUpdate, LDAPRetrieve, LDAPQuery, pkey_to_value)
from ipaserver.plugins.cert import ca_enabled_check
from ipalib import _, ngettext
@@ -18,6 +18,14 @@ Manage Certificate Authorities
Subordinate Certificate Authorities (Sub-CAs) can be added for scoped issuance
of X.509 certificates.
+CAs are enabled on creation, but their use is subject to CA ACLs unless the
+operator has permission to bypass CA ACLs.
+
+All CAs except the 'IPA' CA can be disabled or re-enabled. Disabling a CA
+prevents it from issuing certificates but does not affect the validity of its
+certificate.
+
+
EXAMPLES:
Create new CA, subordinate to the IPA CA.
@@ -25,6 +33,14 @@ EXAMPLES:
ipa ca-add puppet --desc "Puppet" \\
--subject "CN=Puppet CA,O=EXAMPLE.COM"
+ Disable a CA.
+
+ ipa ca-disable puppet
+
+ Re-enable a CA.
+
+ ipa ca-enable puppet
+
""")
@@ -222,3 +238,49 @@ class ca_mod(LDAPUpdate):
reason=u'IPA CA cannot be renamed')
return dn
+
+
+class CAQuery(LDAPQuery):
+ has_output = output.standard_value
+
+ def execute(self, cn, **options):
+ ca_enabled_check()
+
+ ca_id = self.api.Command.ca_show(cn)['result']['ipacaid'][0]
+ with self.api.Backend.ra_lightweight_ca as ca_api:
+ self.perform_action(ca_api, ca_id)
+
+ return dict(
+ result=True,
+ value=pkey_to_value(cn, options),
+ )
+
+ def perform_action(self, ca_api, ca_id):
+ raise NotImplementedError
+
+
+@register()
+class ca_disable(CAQuery):
+ __doc__ = _('Disable a CA.')
+ msg_summary = _('Disabled CA "%(value)s"')
+
+ def execute(self, cn, **options):
+ if cn == IPA_CA_CN:
+ raise errors.ProtectedEntryError(
+ label=_("CA"),
+ key=cn,
+ reason=_("IPA CA cannot be disabled"))
+
+ return super(ca_disable, self).execute(cn, **options)
+
+ def perform_action(self, ca_api, ca_id):
+ ca_api.disable_ca(ca_id)
+
+
+@register()
+class ca_enable(CAQuery):
+ __doc__ = _('Enable a CA.')
+ msg_summary = _('Enabled CA "%(value)s"')
+
+ def perform_action(self, ca_api, ca_id):
+ ca_api.enable_ca(ca_id)
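Review bot: `CAQuery.execute` toggles the CA in Dogtag after only a `ca_show` read, so nothing in this hunk verifies that the caller is actually authorized to modify the CA before `perform_action` runs; `ca_show` only proves read access to the entry, and the `ra_lightweight_ca` call presumably runs with the server's own RA credentials rather than the caller's (confirm in dogtag.py, outside this hunk). Unlike `ca_mod`/`ca_del`, which go through LDAP and are covered by its ACIs, no LDAP write happens here, so an explicit check against the CA entry is the only place to enforce it. I would add a write-permission check between the `ca_show` lookup and the `with self.api.Backend.ra_lightweight_ca` block, and record the reasoning in a comment since it is easy to drop in a later refactor. The `IPA_CA_CN` guard in `ca_disable.execute` is fine; it should stay in front of the new check so the protected-entry error wins for the IPA CA.
```python
    def execute(self, cn, **options):
        ca_enabled_check()

        ca_id = self.api.Command.ca_show(cn)['result']['ipacaid'][0]

        # NOTE(review): the Dogtag call below presumably runs with the server's
        # RA credentials, not the caller's, so the operator's right to modify
        # this CA must be enforced here against the LDAP entry — confirm.
        ldap = self.obj.backend
        dn = self.obj.get_dn(cn)
        if not ldap.can_write(dn, 'ipacaid'):
            raise errors.ACIError(
                info=_("Insufficient privilege to modify a CA."))

        # … unchanged: ra_lightweight_ca context, perform_action, return dict …
```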
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index aef1e888e..01e5f1383 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -2211,5 +2211,11 @@ class ra_lightweight_ca(RestClient):
headers={'Accept': 'application/json'},
)
+ def enable_ca(self, ca_id):
+ self._ssldo(
+ 'POST', ca_id + '/enable',
+ headers={'Accept': 'application/json'},
+ )
+
def delete_ca(self, ca_id):
self._ssldo('DELETE', ca_id)
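Review bot: `enable_ca` is added without a docstring, and the two context lines above it appear to be the tail of the sibling `disable_ca`, which starts outside the hunk and is in the same state. A one-liner such as `"""Enable the lightweight CA *ca_id* via Dogtag's POST <ca_id>/enable endpoint."""` documents the contract; whether a non-success response raises or is swallowed is decided inside `_ssldo`, which is not visible here, so state that in the docstring only once confirmed. `delete_ca` continues beyond the end of the hunk.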