Fix update_ca_renewal_master plugin on CA-less installs.

This also fixes updates from ancient versions of IPA which did not have automatic CA subsystem certificate renewal. https://fedorahosted.org/freeipa/ticket/4294 Reviewed-By: Martin Kosek <mkosek@redhat.com>
author: Jan Cholasta <jcholast@redhat.com> 2014-04-02 10:28:00 +0200
committer: Martin Kosek <mkosek@redhat.com> 2014-04-10 16:40:10 +0200
commit: 50c7f3b2366aa48a966a958a7f95941c917ad3fa (patch)
tree: de989dde80cbf31e62967d2232cecbbb6c6fecdf
parent: 41607774bc6146f83496bd469d59595261e314a7 (diff)
download: freeipa-50c7f3b2366aa48a966a958a7f95941c917ad3fa.tar.gz
freeipa-50c7f3b2366aa48a966a958a7f95941c917ad3fa.tar.xz
freeipa-50c7f3b2366aa48a966a958a7f95941c917ad3fa.zip
1 files changed, 53 insertions, 26 deletions
diff --git a/ipaserver/install/plugins/ca_renewal_master.py b/ipaserver/install/plugins/ca_renewal_master.py
index 2481fa70d..b2a7ba7cc 100644
--- a/ipaserver/install/plugins/ca_renewal_master.py
+++ b/ipaserver/install/plugins/ca_renewal_master.py
@@ -18,9 +18,10 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 from ipaserver.install.plugins.baseupdate import PostUpdate
+from ipaserver.install import installutils, certs, cainstance
 from ipalib import errors
 from ipalib.plugable import Registry
-from ipapython import certmonger
+from ipapython import certmonger, dogtag
 from ipapython.dn import DN
 
 register = Registry()
@@ -32,6 +33,11 @@ class update_ca_renewal_master(PostUpdate):
     """
 
     def execute(self, **options):
+        ca = cainstance.CAInstance(self.api.env.realm, certs.NSS_DIR)
+        if not ca.is_configured():
+            self.debug("CA is not configured on this host")
+            return (False, False, [])
+
         ldap = self.obj.backend
         base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
                      self.api.env.basedn)
@@ -50,30 +56,51 @@ class update_ca_renewal_master(PostUpdate):
             ('cert_nickname', 'ipaCert', None),
         )
         request_id = certmonger.get_request_id(criteria)
-        if request_id is None:
-            self.error("certmonger request for ipaCert not found")
-            return (False, False, [])
-        ca_name = certmonger.get_request_value(request_id, 'ca_name')
-        if ca_name is None:
-            self.error("certmonger request for ipaCert is missing ca_name")
-            return (False, False, [])
-        ca_name = ca_name.strip()
+        if request_id is not None:
+            self.debug("found certmonger request for ipaCert")
 
-        if ca_name == 'dogtag-ipa-renew-agent':
-            dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn)
-            update = {
-                dn: {
-                    'dn': dn,
-                    'updates': ['add:ipaConfigString: caRenewalMaster'],
-                },
-            }
-            return (False, True, [update])
-        elif ca_name == 'dogtag-ipa-retrieve-agent-submit':
-            return (False, False, [])
-        elif ca_name == 'dogtag-ipa-ca-renew-agent':
-            return (False, False, [])
+            ca_name = certmonger.get_request_value(request_id, 'ca_name')
+            if ca_name is None:
+                self.warning(
+                    "certmonger request for ipaCert is missing ca_name, "
+                    "assuming local CA is renewal slave")
+                return (False, False, [])
+            ca_name = ca_name.strip()
+
+            if ca_name == 'dogtag-ipa-renew-agent':
+                pass
+            elif ca_name == 'dogtag-ipa-retrieve-agent-submit':
+                return (False, False, [])
+            elif ca_name == 'dogtag-ipa-ca-renew-agent':
+                return (False, False, [])
+            else:
+                self.warning(
+                    "certmonger request for ipaCert has unknown ca_name '%s', "
+                    "assuming local CA is renewal slave", ca_name)
+                return (False, False, [])
         else:
-            self.warning(
-                "certmonger request for ipaCert has unknown ca_name \"%s\", "
-                "assuming local CA is renewal slave", ca_name)
-            return (False, False, [])
+            self.debug("certmonger request for ipaCert not found")
+
+            config = installutils.get_directive(
+                dogtag.configured_constants().CS_CFG_PATH,
+                'subsystem.select', '=')
+
+            if config == 'New':
+                pass
+            elif config == 'Clone':
+                return (False, False, [])
+            else:
+                self.warning(
+                    "CS.cfg has unknown subsystem.select value '%s', "
+                    "assuming local CA is renewal slave", config)
+                return (False, False, [])
+
+        dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn)
+        update = {
+            dn: {
+                'dn': dn,
+                'updates': ['add:ipaConfigString: caRenewalMaster'],
+            },
+        }
+
+        return (False, True, [update])
author	Jan Cholasta <jcholast@redhat.com>	2014-04-02 10:28:00 +0200
committer	Martin Kosek <mkosek@redhat.com>	2014-04-10 16:40:10 +0200
commit	50c7f3b2366aa48a966a958a7f95941c917ad3fa (patch)
tree	de989dde80cbf31e62967d2232cecbbb6c6fecdf
parent	41607774bc6146f83496bd469d59595261e314a7 (diff)
download	freeipa-50c7f3b2366aa48a966a958a7f95941c917ad3fa.tar.gz freeipa-50c7f3b2366aa48a966a958a7f95941c917ad3fa.tar.xz freeipa-50c7f3b2366aa48a966a958a7f95941c917ad3fa.zip