pgreco / rpms / ipa

Forked from forks/areguera/rpms/ipa 4 years ago
Clone
Source Code
GIT

Blame SOURCES/0031-Extract-ca_renewal-cert-update-subroutine.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8-beta-stream-DL1 c8-beta-stream-client c8-stream-DL1 c8-stream-client
  1.   c7
  2.   SOURCES
  3.   0031-Extract-ca_renewal-cert-update-subroutine.patch
Blob History Raw
86baa9 
From 474c13d1543608c8c4da06957295215bbcd5b67c Mon Sep 17 00:00:00 2001
86baa9 
From: Fraser Tweedale <ftweedal@redhat.com>
86baa9 
Date: Fri, 22 Mar 2019 13:37:45 +1100
86baa9 
Subject: [PATCH] Extract ca_renewal cert update subroutine
86baa9
86baa9 
When the CA renewal master renews certificates that are shared
86baa9 
across CA replicas, it puts them in LDAP for the other CA replicas
86baa9 
to see.  The code to create/update these entries lives in the
86baa9 
dogtag-ipa-ca-renew-agent renewal helper, but it will be useful for
86baa9 
the ipa-cert-fix program too.  Extract it to a subroutine in the
86baa9 
cainstance module.
86baa9
86baa9 
Part of: https://pagure.io/freeipa/issue/7885
86baa9
86baa9 
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
86baa9 
---
86baa9 
 .../dogtag-ipa-ca-renew-agent-submit          | 16 +-----------
86baa9 
 ipaserver/install/cainstance.py               | 26 +++++++++++++++++++
86baa9 
 2 files changed, 27 insertions(+), 15 deletions(-)
86baa9
86baa9 
diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
86baa9 
index c33404c18c0022af6b801d25cac1eb0bec019cdf..c2ba9cb842ba835948925a8e415d1e25fe8ee139 100755
86baa9 
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
86baa9 
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
86baa9 
@@ -270,23 +270,9 @@ def store_cert(**kwargs):
86baa9 
         return (REJECTED, "New certificate requests not supported")
86baa9 
     cert = x509.load_pem_x509_certificate(cert.encode('ascii'))
86baa9
86baa9 
-    dn = DN(('cn', nickname), ('cn', 'ca_renewal'),
86baa9 
-            ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
86baa9 
     try:
86baa9 
         with ldap_connect() as conn:
86baa9 
-            try:
86baa9 
-                entry = conn.get_entry(dn, ['usercertificate'])
86baa9 
-                entry['usercertificate'] = [cert]
86baa9 
-                conn.update_entry(entry)
86baa9 
-            except errors.NotFound:
86baa9 
-                entry = conn.make_entry(
86baa9 
-                    dn,
86baa9 
-                    objectclass=['top', 'pkiuser', 'nscontainer'],
86baa9 
-                    cn=[nickname],
86baa9 
-                    usercertificate=[cert])
86baa9 
-                conn.add_entry(entry)
86baa9 
-            except errors.EmptyModlist:
86baa9 
-                pass
86baa9 
+            cainstance.update_ca_renewal_entry(conn, nickname, cert)
86baa9 
     except Exception as e:
86baa9 
         attempts += 1
86baa9 
         if attempts < 10:
86baa9 
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
86baa9 
index 2946b5cc2b4b8b708a060aa79d1b7ab0e7b4e651..527ad0a1f492050d452336105cc5cf3c645af693 100644
86baa9 
--- a/ipaserver/install/cainstance.py
86baa9 
+++ b/ipaserver/install/cainstance.py
86baa9 
@@ -1711,6 +1711,32 @@ def update_authority_entry(cert):
86baa9 
     return __update_entry_from_cert(make_filter, make_entry, cert)
86baa9
86baa9
86baa9 
+def update_ca_renewal_entry(conn, nickname, cert):
86baa9 
+    """
86baa9 
+    Update the ca_renewal entry for the given nickname.
86baa9 
+
86baa9 
+    :param conn: A *connected* LDAP handle
86baa9 
+    :param nickname: NSSDB nickname
86baa9 
+    :param cert: python-cryptography X509Certificate
86baa9 
+
86baa9 
+    """
86baa9 
+    dn = DN(('cn', nickname), ('cn', 'ca_renewal'),
86baa9 
+            ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
86baa9 
+    try:
86baa9 
+        entry = conn.get_entry(dn, ['usercertificate'])
86baa9 
+        entry['usercertificate'] = [cert]
86baa9 
+        conn.update_entry(entry)
86baa9 
+    except errors.NotFound:
86baa9 
+        entry = conn.make_entry(
86baa9 
+            dn,
86baa9 
+            objectclass=['top', 'pkiuser', 'nscontainer'],
86baa9 
+            cn=[nickname],
86baa9 
+            usercertificate=[cert])
86baa9 
+        conn.add_entry(entry)
86baa9 
+    except errors.EmptyModlist:
86baa9 
+        pass
86baa9 
+
86baa9 
+
86baa9 
 def ensure_ldap_profiles_container():
86baa9 
     ensure_entry(
86baa9 
         DN(('ou', 'certificateProfiles'), ('ou', 'ca'), ('o', 'ipaca')),
86baa9 
--
86baa9 
2.20.1
86baa9

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation