pgreco / rpms / ipa

Forked from forks/areguera/rpms/ipa 5 years ago
Clone

Blame SOURCES/0005-Do-not-wait-for-new-CA-certificate-to-appear-in-LDAP.patch

e3ffab
From 5fa2b9d411c7c35266fa1c9726d91243ba2b02d6 Mon Sep 17 00:00:00 2001
e3ffab
From: Jan Cholasta <jcholast@redhat.com>
e3ffab
Date: Tue, 14 Oct 2014 11:12:55 +0200
e3ffab
Subject: [PATCH] Do not wait for new CA certificate to appear in LDAP in
e3ffab
 ipa-certupdate
e3ffab
e3ffab
If new certificate is not available, reuse the old one, instead of waiting
e3ffab
indefinitely for the new certificate to appear.
e3ffab
e3ffab
https://fedorahosted.org/freeipa/ticket/4628
e3ffab
e3ffab
Reviewed-By: David Kupka <dkupka@redhat.com>
e3ffab
---
e3ffab
 .../certmonger/dogtag-ipa-ca-renew-agent-submit    | 87 ++++++++++++----------
e3ffab
 ipa-client/ipaclient/ipa_certupdate.py             |  6 +-
e3ffab
 2 files changed, 53 insertions(+), 40 deletions(-)
e3ffab
e3ffab
diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
e3ffab
index ca4380c331cc417c0a89eca17e987920118337d7..9a01eb3a08900a5c8d04953b41f4493f30c2b56f 100755
e3ffab
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
e3ffab
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
e3ffab
@@ -279,25 +279,11 @@ def request_and_store_cert():
e3ffab
     else:
e3ffab
         return result
e3ffab
 
e3ffab
-def retrieve_cert():
e3ffab
+def retrieve_or_reuse_cert():
e3ffab
     """
e3ffab
-    Retrieve new certificate from LDAP.
e3ffab
+    Retrieve certificate from LDAP. If the certificate is not available, reuse
e3ffab
+    the old certificate.
e3ffab
     """
e3ffab
-    operation = os.environ.get('CERTMONGER_OPERATION')
e3ffab
-    if operation == 'SUBMIT':
e3ffab
-        attempts = 0
e3ffab
-    elif operation == 'POLL':
e3ffab
-        cookie = os.environ.get('CERTMONGER_CA_COOKIE')
e3ffab
-        if not cookie:
e3ffab
-            return (UNCONFIGURED, "Cookie not provided")
e3ffab
-
e3ffab
-        try:
e3ffab
-            attempts = int(cookie)
e3ffab
-        except ValueError:
e3ffab
-            return (UNCONFIGURED, "Invalid cookie: %r" % cookie)
e3ffab
-    else:
e3ffab
-        return (OPERATION_NOT_SUPPORTED_BY_HELPER,)
e3ffab
-
e3ffab
     csr = os.environ.get('CERTMONGER_CSR')
e3ffab
     if not csr:
e3ffab
         return (UNCONFIGURED, "Certificate request not provided")
e3ffab
@@ -306,12 +292,9 @@ def retrieve_cert():
e3ffab
     if not nickname:
e3ffab
         return (REJECTED, "No friendly name in the certificate request")
e3ffab
 
e3ffab
-    old_cert = os.environ.get('CERTMONGER_CERTIFICATE')
e3ffab
-    if not old_cert:
e3ffab
+    cert = os.environ.get('CERTMONGER_CERTIFICATE')
e3ffab
+    if not cert:
e3ffab
         return (REJECTED, "New certificate requests not supported")
e3ffab
-    old_cert = x509.normalize_certificate(old_cert)
e3ffab
-
e3ffab
-    syslog.syslog(syslog.LOG_NOTICE, "Updating certificate for %s" % nickname)
e3ffab
 
e3ffab
     with ldap_connect() as conn:
e3ffab
         try:
e3ffab
@@ -320,23 +303,50 @@ def retrieve_cert():
e3ffab
                    ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn),
e3ffab
                 ['usercertificate'])
e3ffab
         except errors.NotFound:
e3ffab
-            cert = old_cert
e3ffab
+            pass
e3ffab
         else:
e3ffab
             cert = entry.single_value['usercertificate']
e3ffab
+            cert = base64.b64encode(cert)
e3ffab
+            cert = x509.make_pem(cert)
e3ffab
+
e3ffab
+    return (ISSUED, cert)
e3ffab
+
e3ffab
+def retrieve_cert():
e3ffab
+    """
e3ffab
+    Retrieve new certificate from LDAP.
e3ffab
+    """
e3ffab
+    operation = os.environ.get('CERTMONGER_OPERATION')
e3ffab
+    if operation == 'SUBMIT':
e3ffab
+        attempts = 0
e3ffab
+    elif operation == 'POLL':
e3ffab
+        cookie = os.environ.get('CERTMONGER_CA_COOKIE')
e3ffab
+        if not cookie:
e3ffab
+            return (UNCONFIGURED, "Cookie not provided")
e3ffab
+
e3ffab
+        try:
e3ffab
+            attempts = int(cookie)
e3ffab
+        except ValueError:
e3ffab
+            return (UNCONFIGURED, "Invalid cookie: %r" % cookie)
e3ffab
+    else:
e3ffab
+        return (OPERATION_NOT_SUPPORTED_BY_HELPER,)
e3ffab
 
e3ffab
-        if cert == old_cert:
e3ffab
-            attempts += 1
e3ffab
-            if attempts < 4:
e3ffab
-                syslog.syslog(
e3ffab
-                    syslog.LOG_INFO,
e3ffab
-                    "Updated certificate for %s not available" % nickname)
e3ffab
-                # No cert available yet, tell certmonger to wait another 8 hours
e3ffab
-                return (WAIT_WITH_DELAY, 8 * 60 * 60, str(attempts))
e3ffab
+    old_cert = os.environ.get('CERTMONGER_CERTIFICATE')
e3ffab
+    if old_cert:
e3ffab
+        old_cert = x509.normalize_certificate(old_cert)
e3ffab
 
e3ffab
-        cert = base64.b64encode(cert)
e3ffab
-        cert = x509.make_pem(cert)
e3ffab
+    result = call_handler(retrieve_or_reuse_cert)
e3ffab
+    if result[0] != ISSUED:
e3ffab
+        return result
e3ffab
 
e3ffab
-    return (ISSUED, cert)
e3ffab
+    new_cert = x509.normalize_certificate(result[1])
e3ffab
+    if new_cert == old_cert:
e3ffab
+        attempts += 1
e3ffab
+        if attempts < 4:
e3ffab
+            syslog.syslog(syslog.LOG_INFO, "Updated certificate not available")
e3ffab
+            # No cert available yet, tell certmonger to wait another 8 hours
e3ffab
+            return (WAIT_WITH_DELAY, 8 * 60 * 60, str(attempts))
e3ffab
+
e3ffab
+    return result
e3ffab
 
e3ffab
 def export_csr():
e3ffab
     """
e3ffab
@@ -414,10 +424,11 @@ def renew_ca_cert():
e3ffab
 
e3ffab
 def main():
e3ffab
     handlers = {
e3ffab
-        'ipaStorage':       store_cert,
e3ffab
-        'ipaRetrieval':     retrieve_cert,
e3ffab
-        'ipaCSRExport':     export_csr,
e3ffab
-        'ipaCACertRenewal': renew_ca_cert,
e3ffab
+        'ipaStorage':           store_cert,
e3ffab
+        'ipaRetrievalOrReuse':  retrieve_or_reuse_cert,
e3ffab
+        'ipaRetrieval':         retrieve_cert,
e3ffab
+        'ipaCSRExport':         export_csr,
e3ffab
+        'ipaCACertRenewal':     renew_ca_cert,
e3ffab
     }
e3ffab
 
e3ffab
     api.bootstrap(context='renew')
e3ffab
diff --git a/ipa-client/ipaclient/ipa_certupdate.py b/ipa-client/ipaclient/ipa_certupdate.py
e3ffab
index 7ef11d058eeeb47dc47d46aa7cbe73578c42d131..031a34c3a54a02d43978eedcb794678a1550702b 100644
e3ffab
--- a/ipa-client/ipaclient/ipa_certupdate.py
e3ffab
+++ b/ipa-client/ipaclient/ipa_certupdate.py
e3ffab
@@ -143,14 +143,16 @@ class CertUpdate(admintool.AdminTool):
e3ffab
             timeout = api.env.startup_timeout + 60
e3ffab
 
e3ffab
             self.log.debug("resubmitting certmonger request '%s'", request_id)
e3ffab
-            certmonger.resubmit_request(request_id, profile='ipaRetrieval')
e3ffab
+            certmonger.resubmit_request(
e3ffab
+                request_id, profile='ipaRetrievalOrReuse')
e3ffab
             try:
e3ffab
                 state = certmonger.wait_for_request(request_id, timeout)
e3ffab
             except RuntimeError:
e3ffab
                 raise admintool.ScriptError(
e3ffab
                     "Resubmitting certmonger request '%s' timed out, "
e3ffab
                     "please check the request manually" % request_id)
e3ffab
-            if state != 'MONITORING':
e3ffab
+            ca_error = certmonger.get_request_value(request_id, 'ca-error')
e3ffab
+            if state != 'MONITORING' or ca_error:
e3ffab
                 raise admintool.ScriptError(
e3ffab
                     "Error resubmitting certmonger request '%s', "
e3ffab
                     "please check the request manually" % request_id)
e3ffab
-- 
e3ffab
2.1.0
e3ffab