areguera / rpms / ipa

Forked from rpms/ipa 5 years ago
Clone

Blame SOURCES/0031-Extract-ca_renewal-cert-update-subroutine.patch

86baa9
From 474c13d1543608c8c4da06957295215bbcd5b67c Mon Sep 17 00:00:00 2001
86baa9
From: Fraser Tweedale <ftweedal@redhat.com>
86baa9
Date: Fri, 22 Mar 2019 13:37:45 +1100
86baa9
Subject: [PATCH] Extract ca_renewal cert update subroutine
86baa9
86baa9
When the CA renewal master renews certificates that are shared
86baa9
across CA replicas, it puts them in LDAP for the other CA replicas
86baa9
to see.  The code to create/update these entries lives in the
86baa9
dogtag-ipa-ca-renew-agent renewal helper, but it will be useful for
86baa9
the ipa-cert-fix program too.  Extract it to a subroutine in the
86baa9
cainstance module.
86baa9
86baa9
Part of: https://pagure.io/freeipa/issue/7885
86baa9
86baa9
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
86baa9
---
86baa9
 .../dogtag-ipa-ca-renew-agent-submit          | 16 +-----------
86baa9
 ipaserver/install/cainstance.py               | 26 +++++++++++++++++++
86baa9
 2 files changed, 27 insertions(+), 15 deletions(-)
86baa9
86baa9
diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
86baa9
index c33404c18c0022af6b801d25cac1eb0bec019cdf..c2ba9cb842ba835948925a8e415d1e25fe8ee139 100755
86baa9
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
86baa9
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
86baa9
@@ -270,23 +270,9 @@ def store_cert(**kwargs):
86baa9
         return (REJECTED, "New certificate requests not supported")
86baa9
     cert = x509.load_pem_x509_certificate(cert.encode('ascii'))
86baa9
 
86baa9
-    dn = DN(('cn', nickname), ('cn', 'ca_renewal'),
86baa9
-            ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
86baa9
     try:
86baa9
         with ldap_connect() as conn:
86baa9
-            try:
86baa9
-                entry = conn.get_entry(dn, ['usercertificate'])
86baa9
-                entry['usercertificate'] = [cert]
86baa9
-                conn.update_entry(entry)
86baa9
-            except errors.NotFound:
86baa9
-                entry = conn.make_entry(
86baa9
-                    dn,
86baa9
-                    objectclass=['top', 'pkiuser', 'nscontainer'],
86baa9
-                    cn=[nickname],
86baa9
-                    usercertificate=[cert])
86baa9
-                conn.add_entry(entry)
86baa9
-            except errors.EmptyModlist:
86baa9
-                pass
86baa9
+            cainstance.update_ca_renewal_entry(conn, nickname, cert)
86baa9
     except Exception as e:
86baa9
         attempts += 1
86baa9
         if attempts < 10:
86baa9
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
86baa9
index 2946b5cc2b4b8b708a060aa79d1b7ab0e7b4e651..527ad0a1f492050d452336105cc5cf3c645af693 100644
86baa9
--- a/ipaserver/install/cainstance.py
86baa9
+++ b/ipaserver/install/cainstance.py
86baa9
@@ -1711,6 +1711,32 @@ def update_authority_entry(cert):
86baa9
     return __update_entry_from_cert(make_filter, make_entry, cert)
86baa9
 
86baa9
 
86baa9
+def update_ca_renewal_entry(conn, nickname, cert):
86baa9
+    """
86baa9
+    Update the ca_renewal entry for the given nickname.
86baa9
+
86baa9
+    :param conn: A *connected* LDAP handle
86baa9
+    :param nickname: NSSDB nickname
86baa9
+    :param cert: python-cryptography X509Certificate
86baa9
+
86baa9
+    """
86baa9
+    dn = DN(('cn', nickname), ('cn', 'ca_renewal'),
86baa9
+            ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
86baa9
+    try:
86baa9
+        entry = conn.get_entry(dn, ['usercertificate'])
86baa9
+        entry['usercertificate'] = [cert]
86baa9
+        conn.update_entry(entry)
86baa9
+    except errors.NotFound:
86baa9
+        entry = conn.make_entry(
86baa9
+            dn,
86baa9
+            objectclass=['top', 'pkiuser', 'nscontainer'],
86baa9
+            cn=[nickname],
86baa9
+            usercertificate=[cert])
86baa9
+        conn.add_entry(entry)
86baa9
+    except errors.EmptyModlist:
86baa9
+        pass
86baa9
+
86baa9
+
86baa9
 def ensure_ldap_profiles_container():
86baa9
     ensure_entry(
86baa9
         DN(('ou', 'certificateProfiles'), ('ou', 'ca'), ('o', 'ipaca')),
86baa9
-- 
86baa9
2.20.1
86baa9