From 50c7f3b2366aa48a966a958a7f95941c917ad3fa Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Wed, 2 Apr 2014 10:28:00 +0200 Subject: Fix update_ca_renewal_master plugin on CA-less installs. This also fixes updates from ancient versions of IPA which did not have automatic CA subsystem certificate renewal. https://fedorahosted.org/freeipa/ticket/4294 Reviewed-By: Martin Kosek --- ipaserver/install/plugins/ca_renewal_master.py | 79 +++++++++++++++++--------- 1 file changed, 53 insertions(+), 26 deletions(-) diff --git a/ipaserver/install/plugins/ca_renewal_master.py b/ipaserver/install/plugins/ca_renewal_master.py index 2481fa70d..b2a7ba7cc 100644 --- a/ipaserver/install/plugins/ca_renewal_master.py +++ b/ipaserver/install/plugins/ca_renewal_master.py @@ -18,9 +18,10 @@ # along with this program. If not, see . from ipaserver.install.plugins.baseupdate import PostUpdate +from ipaserver.install import installutils, certs, cainstance from ipalib import errors from ipalib.plugable import Registry -from ipapython import certmonger +from ipapython import certmonger, dogtag from ipapython.dn import DN register = Registry() @@ -32,6 +33,11 @@ class update_ca_renewal_master(PostUpdate): """ def execute(self, **options): + ca = cainstance.CAInstance(self.api.env.realm, certs.NSS_DIR) + if not ca.is_configured(): + self.debug("CA is not configured on this host") + return (False, False, []) + ldap = self.obj.backend base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), self.api.env.basedn) @@ -50,30 +56,51 @@ class update_ca_renewal_master(PostUpdate): ('cert_nickname', 'ipaCert', None), ) request_id = certmonger.get_request_id(criteria) - if request_id is None: - self.error("certmonger request for ipaCert not found") - return (False, False, []) - ca_name = certmonger.get_request_value(request_id, 'ca_name') - if ca_name is None: - self.error("certmonger request for ipaCert is missing ca_name") - return (False, False, []) - ca_name = ca_name.strip() + if request_id is not None: + self.debug("found certmonger request for ipaCert") - if ca_name == 'dogtag-ipa-renew-agent': - dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn) - update = { - dn: { - 'dn': dn, - 'updates': ['add:ipaConfigString: caRenewalMaster'], - }, - } - return (False, True, [update]) - elif ca_name == 'dogtag-ipa-retrieve-agent-submit': - return (False, False, []) - elif ca_name == 'dogtag-ipa-ca-renew-agent': - return (False, False, []) + ca_name = certmonger.get_request_value(request_id, 'ca_name') + if ca_name is None: + self.warning( + "certmonger request for ipaCert is missing ca_name, " + "assuming local CA is renewal slave") + return (False, False, []) + ca_name = ca_name.strip() + + if ca_name == 'dogtag-ipa-renew-agent': + pass + elif ca_name == 'dogtag-ipa-retrieve-agent-submit': + return (False, False, []) + elif ca_name == 'dogtag-ipa-ca-renew-agent': + return (False, False, []) + else: + self.warning( + "certmonger request for ipaCert has unknown ca_name '%s', " + "assuming local CA is renewal slave", ca_name) + return (False, False, []) else: - self.warning( - "certmonger request for ipaCert has unknown ca_name \"%s\", " - "assuming local CA is renewal slave", ca_name) - return (False, False, []) + self.debug("certmonger request for ipaCert not found") + + config = installutils.get_directive( + dogtag.configured_constants().CS_CFG_PATH, + 'subsystem.select', '=') + + if config == 'New': + pass + elif config == 'Clone': + return (False, False, []) + else: + self.warning( + "CS.cfg has unknown subsystem.select value '%s', " + "assuming local CA is renewal slave", config) + return (False, False, []) + + dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn) + update = { + dn: { + 'dn': dn, + 'updates': ['add:ipaConfigString: caRenewalMaster'], + }, + } + + return (False, True, [update]) -- cgit