pgreco / rpms / ipa

Forked from forks/areguera/rpms/ipa 5 years ago
Clone

Blame SOURCES/0126-upload_cacrt-Fix-empty-cACertificate-in-cn-CAcert.patch

0201d8
From e6bdbe215ae3fba629eea69e4413c44fea7cd02b Mon Sep 17 00:00:00 2001
0201d8
From: Jan Cholasta <jcholast@redhat.com>
0201d8
Date: Tue, 17 Mar 2015 08:23:40 +0000
0201d8
Subject: [PATCH] upload_cacrt: Fix empty cACertificate in cn=CAcert
0201d8
0201d8
https://fedorahosted.org/freeipa/ticket/4565
0201d8
0201d8
Reviewed-By: David Kupka <dkupka@redhat.com>
0201d8
---
0201d8
 ipaserver/install/plugins/upload_cacrt.py | 54 +++++++++++++++++--------------
0201d8
 1 file changed, 30 insertions(+), 24 deletions(-)
0201d8
0201d8
diff --git a/ipaserver/install/plugins/upload_cacrt.py b/ipaserver/install/plugins/upload_cacrt.py
0201d8
index 66270ae7613e935fc8df4bc90aa5001296e1c06d..4d5ce52d4073660fc0c1c1ba09e993b250e11fcb 100644
0201d8
--- a/ipaserver/install/plugins/upload_cacrt.py
0201d8
+++ b/ipaserver/install/plugins/upload_cacrt.py
0201d8
@@ -20,7 +20,7 @@
0201d8
 from ipaserver.install.plugins import MIDDLE
0201d8
 from ipaserver.install.plugins.baseupdate import PostUpdate
0201d8
 from ipaserver.install import certs
0201d8
-from ipalib import api, certstore
0201d8
+from ipalib import api, errors, certstore
0201d8
 from ipapython import certdb
0201d8
 from ipapython.dn import DN
0201d8
 
0201d8
@@ -45,7 +45,7 @@ class update_upload_cacrt(PostUpdate):
0201d8
                 if ca_chain:
0201d8
                     ca_nickname = ca_chain[-1]
0201d8
 
0201d8
-        updates = {}
0201d8
+        ldap = self.obj.backend
0201d8
 
0201d8
         for nickname, trust_flags in db.list_certs():
0201d8
             if 'u' in trust_flags:
0201d8
@@ -53,40 +53,46 @@ class update_upload_cacrt(PostUpdate):
0201d8
             if nickname == ca_nickname and ca_enabled:
0201d8
                 trust_flags = 'CT,C,C'
0201d8
             cert = db.get_cert_from_db(nickname, pem=False)
0201d8
+            trust, ca, eku = certstore.trust_flags_to_key_policy(trust_flags)
0201d8
+
0201d8
+            dn = DN(('cn', nickname), ('cn', 'certificates'), ('cn', 'ipa'),
0201d8
+                    ('cn','etc'), self.api.env.basedn)
0201d8
+            entry = ldap.make_entry(dn)
0201d8
+
0201d8
             try:
0201d8
-                dn, entry = self._make_entry(cert, nickname, trust_flags)
0201d8
+                certstore.init_ca_entry(entry, cert, nickname, trust, eku)
0201d8
             except Exception, e:
0201d8
                 self.log.warning("Failed to create entry for %s: %s",
0201d8
                                  nickname, e)
0201d8
                 continue
0201d8
             if nickname == ca_nickname:
0201d8
                 ca_cert = cert
0201d8
+                config = entry.setdefault('ipaConfigString', [])
0201d8
                 if ca_enabled:
0201d8
-                    entry.append('ipaConfigString:ipaCA')
0201d8
-                entry.append('ipaConfigString:compatCA')
0201d8
-            updates[dn] = {'dn': dn, 'default': entry}
0201d8
+                    config.append('ipaCa')
0201d8
+                config.append('ipaCa')
0201d8
+
0201d8
+            try:
0201d8
+                ldap.add_entry(entry)
0201d8
+            except errors.DuplicateEntry:
0201d8
+                pass
0201d8
 
0201d8
         if ca_cert:
0201d8
             dn = DN(('cn', 'CACert'), ('cn', 'ipa'), ('cn','etc'),
0201d8
                     self.api.env.basedn)
0201d8
-            entry = ['objectclass:nsContainer',
0201d8
-                     'objectclass:pkiCA',
0201d8
-                     'cn:CAcert',
0201d8
-                     'cACertificate;binary:%s' % ca_cert,
0201d8
-                    ]
0201d8
-            updates[dn] = {'dn': dn, 'default': entry}
0201d8
-
0201d8
-        return (False, True, [updates])
0201d8
-
0201d8
-    def _make_entry(self, cert, nickname, trust_flags):
0201d8
-        dn = DN(('cn', nickname), ('cn', 'certificates'), ('cn', 'ipa'),
0201d8
-                ('cn','etc'), self.api.env.basedn)
0201d8
-
0201d8
-        entry = dict()
0201d8
-        trust, ca, eku = certstore.trust_flags_to_key_policy(trust_flags)
0201d8
-        certstore.init_ca_entry(entry, cert, nickname, trust, eku)
0201d8
-        entry = ['%s:%s' % (a, v) for a, vs in entry.iteritems() for v in vs]
0201d8
+            try:
0201d8
+                entry = ldap.get_entry(dn)
0201d8
+            except errors.NotFound:
0201d8
+                entry = ldap.make_entry(dn)
0201d8
+                entry['objectclass'] = ['nsContainer', 'pkiCA']
0201d8
+                entry.single_value['cn'] = 'CAcert'
0201d8
+                entry.single_value['cACertificate;binary'] = ca_cert
0201d8
+                ldap.add_entry(entry)
0201d8
+            else:
0201d8
+                if '' in entry['cACertificate;binary']:
0201d8
+                    entry.single_value['cACertificate;binary'] = ca_cert
0201d8
+                    ldap.update_entry(entry)
0201d8
 
0201d8
-        return dn, entry
0201d8
+        return (False, False, [])
0201d8
 
0201d8
 api.register(update_upload_cacrt)
0201d8
-- 
0201d8
2.1.0
0201d8