areguera / rpms / ipa

Forked from rpms/ipa 5 years ago
Clone

Blame SOURCES/0101-API-for-retrieval-of-master-s-PKINIT-status-and-publ.patch

483b06
From a6f958875f3b42a8ea5856b672f5e8416c0aad90 Mon Sep 17 00:00:00 2001
483b06
From: Martin Babinsky <mbabinsk@redhat.com>
483b06
Date: Fri, 31 Mar 2017 14:44:29 +0200
483b06
Subject: [PATCH] API for retrieval of master's PKINIT status and publishing it
483b06
 in LDAP
483b06
483b06
An API was provided to report whether PKINIT is enabled for clients or
483b06
not. If yes, the pkinitEnabled value will be added to the
483b06
ipaConfigString attribute of master's KDC entry.
483b06
483b06
See http://www.freeipa.org/page/V4/Kerberos_PKINIT#Configuration for
483b06
more details.
483b06
483b06
https://pagure.io/freeipa/issue/6830
483b06
483b06
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
483b06
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
483b06
Reviewed-By: Martin Basti <mbasti@redhat.com>
483b06
Reviewed-By: Simo Sorce <ssorce@redhat.com>
483b06
---
483b06
 ipaserver/install/krbinstance.py | 41 ++++++++++++++++++++++++++++++++++++++++
483b06
 1 file changed, 41 insertions(+)
483b06
483b06
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
483b06
index 80215788cf4031ef82e9ec7e08bde6cfc4390303..ad3475f95371c9ae17c8b0ac082039c041d5c64c 100644
483b06
--- a/ipaserver/install/krbinstance.py
483b06
+++ b/ipaserver/install/krbinstance.py
483b06
@@ -48,6 +48,38 @@ from ipaplatform.constants import constants
483b06
 from ipaplatform.tasks import tasks
483b06
 from ipaplatform.paths import paths
483b06
 
483b06
+PKINIT_ENABLED = 'pkinitEnabled'
483b06
+
483b06
+
483b06
+def get_pkinit_request_ca():
483b06
+    """
483b06
+    Return the certmonger CA name which is serving the PKINIT certificate
483b06
+    request. If the certificate is not tracked by Certmonger, return None
483b06
+    """
483b06
+    pkinit_request_id = certmonger.get_request_id(
483b06
+        {'cert-file': paths.KDC_CERT})
483b06
+
483b06
+    if pkinit_request_id is None:
483b06
+        return
483b06
+
483b06
+    return certmonger.get_request_value(pkinit_request_id, 'ca-name')
483b06
+
483b06
+
483b06
+def is_pkinit_enabled():
483b06
+    """
483b06
+    check whether PKINIT is enabled on the master by checking for the presence
483b06
+    of KDC certificate and it's tracking CA
483b06
+    """
483b06
+
483b06
+    if os.path.exists(paths.KDC_CERT):
483b06
+        pkinit_request_ca = get_pkinit_request_ca()
483b06
+
483b06
+        if pkinit_request_ca != "SelfSign":
483b06
+            return True
483b06
+
483b06
+    return False
483b06
+
483b06
+
483b06
 class KpasswdInstance(service.SimpleServiceInstance):
483b06
     def __init__(self):
483b06
         service.SimpleServiceInstance.__init__(self, "kadmin")
483b06
@@ -399,6 +431,13 @@ class KrbInstance(service.Service):
483b06
             if prev_helper is not None:
483b06
                 certmonger.modify_ca_helper(certmonger_ca, prev_helper)
483b06
 
483b06
+    def pkinit_enable(self):
483b06
+        """
483b06
+        advertise enabled PKINIT feature in master's KDC entry in LDAP
483b06
+        """
483b06
+        service.set_service_entry_config(
483b06
+            'KDC', self.fqdn, [PKINIT_ENABLED], self.suffix)
483b06
+
483b06
     def issue_selfsigned_pkinit_certs(self):
483b06
         self._call_certmonger(certmonger_ca="SelfSign")
483b06
         # for self-signed certificate, the certificate is its own CA, copy it
483b06
@@ -410,6 +449,7 @@ class KrbInstance(service.Service):
483b06
             self._call_certmonger()
483b06
             # copy IPA CA bundle to the KDC's CA cert bundle
483b06
             shutil.copyfile(paths.IPA_CA_CRT, paths.CACERT_PEM)
483b06
+            self.pkinit_enable()
483b06
         except RuntimeError as e:
483b06
             root_logger.error("PKINIT certificate request failed: %s", e)
483b06
             root_logger.error("Failed to configure PKINIT")
483b06
@@ -427,6 +467,7 @@ class KrbInstance(service.Service):
483b06
         # NOTE: this may not be the same set of CA certificates trusted by
483b06
         # externally provided PKINIT cert.
483b06
         shutil.copyfile(paths.IPA_CA_CRT, paths.CACERT_PEM)
483b06
+        self.pkinit_enable()
483b06
 
483b06
     def setup_pkinit(self):
483b06
         if self.pkcs12_info:
483b06
-- 
483b06
2.12.2
483b06