author | Tomas Babej <tbabej@redhat.com> | 2013-09-24 10:54:57 +0200 |
committer | Petr Viktorin <pviktori@redhat.com> | 2013-11-20 13:15:38 +0100 |
commit | 4a0e91449e2b65304ae8d660d1a480200b1a13d3 (patch) | |
tree | 16ced8dc1828b3a429abafb8d2f143e37af7cd07 /ipapython | |
parent | 60b472479d6427243b5ef51c4dd60cdcd9e52afd (diff) | |
ipa-client-install: Publish CA certificate to systemwide store
During the installation, copy the CA certificate to the systemwide
store (/etc/pki/ca-trust/source/anchors/ipa-ca.crt) and update the
systemwide CA database.
This allows browsers to access IPA WebUI without warning out of the
box.
https://fedorahosted.org/freeipa/ticket/3504
Diffstat (limited to 'ipapython')
-rw-r--r-- | ipapython/platform/fedora19/__init__.py | 67 | ||||
-rw-r--r-- | ipapython/services.py.in | 11 |
2 files changed, 76 insertions, 2 deletions
diff --git a/ipapython/platform/fedora19/__init__.py b/ipapython/platform/fedora19/__init__.py
index 80356d65f..9b931625b 100644
--- a/ipapython/platform/fedora19/__init__.py
+++ b/ipapython/platform/fedora19/__init__.py
@@ -17,6 +17,14 @@
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 #
 
+import shutil
+import os
+
+from subprocess import CalledProcessError
+
+from ipapython.ipa_log_manager import root_logger
+from ipapython.ipautil import run
+
 from ipapython.platform import fedora18, base
 
 # All what we allow exporting directly from this module
@@ -38,10 +46,19 @@ from ipapython.platform import fedora18, base
 # applicable
 # check_selinux_status -- platform-specific way to see if SELinux is enabled
 # and restorecon is installed.
+# insert_ca_cert_into_systemwide_ca_store - platform-specific way to insert our
+# CA certificate into the systemwide
+# CA store
+# remove_ca_cert_from_systemwide_ca_store - platform-specific way to remove our
+# CA certificate from the systemwide
+# CA store
+
 
 __all__ = ['authconfig', 'service', 'knownservices',
            'backup_and_replace_hostname', 'restore_context', 'check_selinux_status',
-           'restore_network_configuration', 'timedate_services']
+           'restore_network_configuration', 'timedate_services',
+           'insert_ca_cert_into_systemwide_ca_store',
+           'remove_ca_cert_from_systemwide_ca_store']
 
 # Just copy a referential list of timedate services
 timedate_services = list(base.timedate_services)
@@ -53,3 +70,51 @@ service = fedora18.service
 knownservices = fedora18.knownservices
 restore_context = fedora18.restore_context
 check_selinux_status = fedora18.check_selinux_status
+
+systemwide_ca_store = '/etc/pki/ca-trust/source/anchors/'
+
+
+def insert_ca_cert_into_systemwide_ca_store(cacert_path):
+    # Add the 'ipa-' prefix to cert name to avoid name collisions
+    cacert_name = os.path.basename(cacert_path)
+    new_cacert_path = os.path.join(systemwide_ca_store, 'ipa-%s' % cacert_name)
+
+    # Add the CA to the systemwide CA trust database
+    try:
+        shutil.copy(cacert_path, new_cacert_path)
+        run(['/usr/bin/update-ca-trust'])
+    except OSError, e:
+        root_logger.info("Failed to copy %s to %s" % (cacert_path,
+                                                      new_cacert_path))
+    except CalledProcessError, e:
+        root_logger.info("Failed to add CA to the systemwide "
+                         "CA trust database: %s" % str(e))
+    else:
+        root_logger.info('Added the CA to the systemwide CA trust database.')
+        return True
+
+    return False
+
+
+def remove_ca_cert_from_systemwide_ca_store(cacert_path):
+    # Derive the certificate name in the store
+    cacert_name = os.path.basename(cacert_path)
+    new_cacert_path = os.path.join(systemwide_ca_store, 'ipa-%s' % cacert_name)
+
+    # Remove CA cert from systemwide store
+    if os.path.exists(new_cacert_path):
+        try:
+            os.remove(new_cacert_path)
+            run(['/usr/bin/update-ca-trust'])
+        except OSError, e:
+            root_logger.error('Could not remove: %s, %s'
+                              % (new_cacert_path, str(e)))
+            return False
+        except CalledProcessError, e:
+            root_logger.error('Could not update systemwide CA trust '
+                              'database: %s' % str(e))
+            return False
+        else:
+            root_logger.info('Systemwide CA database updated.')
+
+    return True
diff --git a/ipapython/services.py.in b/ipapython/services.py.in
index 16b62ca85..d648ad5bf 100644
--- a/ipapython/services.py.in
+++ b/ipapython/services.py.in
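Review bot: In `insert_ca_cert_into_systemwide_ca_store` the `except OSError, e:` branch logs the failed copy at info level and never uses `e`, so the one case where the IPA CA silently fails to reach the anchors directory leaves only an info-level line with no reason, while `remove_ca_cert_from_systemwide_ca_store` in the same hunk reports the equivalent failure with `root_logger.error` and `str(e)`. Suggest `root_logger.error("Failed to copy %s to %s: %s" % (cacert_path, new_cacert_path, str(e)))` and `root_logger.error(...)` for the CalledProcessError branch as well, so the two exported functions report failures consistently. The function does return False on both failure paths; whether the caller then warns the administrator that the CA was not published cannot be told from this hunk. Both functions are exported through `__all__` yet carry no docstring; a one-liner on each stating that the certificate is copied to (or removed from) `systemwide_ca_store` under the name `ipa-<basename>`, that `update-ca-trust` is run afterwards, and that the boolean is the success flag would document the contract the platform layer relies on.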
@@ -21,7 +21,7 @@ authconfig = None
 
 
 # knownservices is an entry point to known platform services
-# (instance of ipapython.platform.base.KnownServices)
+# (instance of ipapython.platform.base.KnownServices)
 knownservices = None
 
 # service is a class to instantiate ipapython.platform.base.PlatformService
@@ -55,4 +55,13 @@ from ipapython.platform.base import SVC_LIST_FILE
 def get_svc_list_file():
     return SVC_LIST_FILE
 
+def insert_ca_cert_into_systemwide_ca_store_default(path):
+    return True
+
+def remove_ca_cert_from_systemwide_ca_store_default(path):
+    return True
+
+insert_ca_cert_into_systemwide_ca_store = insert_ca_cert_into_systemwide_ca_store_default
+remove_ca_cert_from_systemwide_ca_store = remove_ca_cert_from_systemwide_ca_store_default
+
 from ipapython.platform.SUPPORTED_PLATFORM import *
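Review bot: The `_default` implementations added at the end of the second hunk return True without doing anything, so on a platform that does not override them the caller receives the same answer as a successful publication to the systemwide store, and no log line records that the CA was not installed; nothing in the hunk says this is deliberate. If the intent is that platforms without a systemwide trust store should not make the client installation fail, a comment above the stubs should state it, e.g. `# Platforms without a systemwide CA store keep these no-op defaults; True means "nothing to do", not that a certificate was published.` The unused `path` parameter is acceptable for a stub, but that comment is also the place to say the argument is ignored. The first hunk of this file is a whitespace-only change and needs nothing.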