From 5fb869896c9ed6327f5f004022cdee42f758f78c Mon Sep 17 00:00:00 2001

From: Fraser Tweedale <ftweedal@redhat.com>

Date: Mon, 23 Nov 2015 12:09:32 +1100

Subject: [PATCH] Add profiles and default CA ACL on migration

Profiles and the default CA ACL were not being added during replica

install from pre-4.2 servers.  Update ipa-replica-install to add

these if they are missing.

Also update the caacl plugin to prevent deletion of the default CA

ACL and instruct the administrator to disable it instead.

To ensure that the cainstance installation can add profiles, supply

the RA certificate as part of the instance configuration.

Certmonger renewal setup is avoided at this point because the NSSDB

gets reinitialised later in installation procedure.

Also move the addition of the default CA ACL from dsinstance

installation to cainstance installation.

Fixes: https://fedorahosted.org/freeipa/ticket/5459

Reviewed-By: Jan Cholasta <jcholast@redhat.com>

---

 install/share/Makefile.am                    |   1 -

 install/share/default-caacl.ldif             |  11 ---

 install/updates/50-dogtag10-migration.update |   1 +

 ipalib/plugins/caacl.py                      |   8 +++

 ipaserver/install/ca.py                      |   5 +-

 ipaserver/install/cainstance.py              | 100 ++++++++++++++++++++-------

 ipaserver/install/dsinstance.py              |   4 --

 ipaserver/install/server/replicainstall.py   |   3 +

 ipaserver/install/server/upgrade.py          |  13 +---

 9 files changed, 90 insertions(+), 56 deletions(-)

 delete mode 100644 install/share/default-caacl.ldif

diff --git a/install/share/Makefile.am b/install/share/Makefile.am

index d68c40e693a1d86c70d8ccd81ef2c915b2e1f61e..e4cca8708ab0042d6cb37eba31341e53e3cdac4d 100644

--- a/install/share/Makefile.am

+++ b/install/share/Makefile.am

@@ -29,7 +29,6 @@ app_DATA =				\

 	bootstrap-template.ldif		\

 	caJarSigningCert.cfg.template	\

 	default-aci.ldif		\

-	default-caacl.ldif		\

 	default-hbac.ldif		\

 	default-smb-group.ldif		\

 	default-trust-view.ldif		\

diff --git a/install/share/default-caacl.ldif b/install/share/default-caacl.ldif

deleted file mode 100644

index f3cd5b4d4e3a79bc6638dc1ffdd7028596ded254..0000000000000000000000000000000000000000

--- a/install/share/default-caacl.ldif

+++ /dev/null

@@ -1,11 +0,0 @@

-# default CA ACL that grants use of caIPAserviceCert on top-level CA to all hosts and services

-dn: ipauniqueid=autogenerate,cn=caacls,cn=ca,$SUFFIX

-changetype: add

-objectclass: ipaassociation

-objectclass: ipacaacl

-ipauniqueid: autogenerate

-cn: hosts_services_caIPAserviceCert

-ipaenabledflag: TRUE

-ipamembercertprofile: cn=caIPAserviceCert,cn=certprofiles,cn=ca,$SUFFIX

-hostcategory: all

-servicecategory: all

diff --git a/install/updates/50-dogtag10-migration.update b/install/updates/50-dogtag10-migration.update

index 2ab9d15bd220540dbc6b3fcd7928fc15c42caf80..0070c308aefc39aa4c27a046d185ce6d268e6270 100644

--- a/install/updates/50-dogtag10-migration.update

+++ b/install/updates/50-dogtag10-migration.update

@@ -16,3 +16,4 @@ addifexist:resourceACLS:certServer.ca.groups:execute:allow (execute) group="Admi

 addifexist:resourceACLS:certServer.ca.users:execute:allow (execute) group="Administrators":Admins may execute user operations

 replace:resourceACLS:certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group":Anybody is allowed to read domain.xml but only Subsystem group is allowed to modify the domain.xml::certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Anybody is allowed to read domain.xml but only Subsystem group and Enterprise Administrators are allowed to modify the domain.xml

 replace:resourceACLS:certServer.ca.connectorInfo:read,modify:allow (modify,read) group="Enterprise KRA Administrators":Only Enterprise Administrators are allowed to update the connector information::certServer.ca.connectorInfo:read,modify:allow (read) group="Enterprise KRA Administrators";allow (modify) group="Enterprise KRA Administrators" || group="Subsystem Group":Only Enterprise Administrators and Subsystem Group are allowed to update the connector information

+addifexist:resourceACLS:certServer.profile.configuration:read,modify:allow (read,modify) group="Certificate Manager Agents":Certificate Manager agents may modify (create/update/delete) and read profiles

diff --git a/ipalib/plugins/caacl.py b/ipalib/plugins/caacl.py

index 247d6df143aef1fba9f0ee74a9f7d8386bef5180..64dbec16e11e9fa2a67287b195b4bd1180a379e7 100644

--- a/ipalib/plugins/caacl.py

+++ b/ipalib/plugins/caacl.py

@@ -307,6 +307,14 @@ class caacl_del(LDAPDelete):

     msg_summary = _('Deleted CA ACL "%(value)s"')

+    def pre_callback(self, ldap, dn, *keys, **options):

+        if keys[0] == 'hosts_services_caIPAserviceCert':

+            raise errors.ProtectedEntryError(

+                label=_("CA ACL"),

+                key=keys[0],

+                reason=_("default CA ACL can be only disabled"))

+        return dn

+

 @register()

 class caacl_mod(LDAPUpdate):

diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py

index 498cc48a742d1b2d862eb9dfdb18743cfb211b78..0de992cb0c15f8161aae4937699baae2a94d305a 100644

--- a/ipaserver/install/ca.py

+++ b/ipaserver/install/ca.py

@@ -126,9 +126,10 @@ def install_step_0(standalone, replica_config, options):

         if standalone:

             api.Backend.ldap2.disconnect()

-        cainstance.install_replica_ca(replica_config, postinstall)

+        cainstance.install_replica_ca(replica_config, postinstall,

+                ra_p12=getattr(options, 'ra_p12', None))

-        if standalone:

+        if standalone and not api.Backend.ldap2.isconnected():

             api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),

                                       bind_pw=dm_password)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py

index 3e3dce93de2b8ca48a3fe3ea5994ee92a1b0ce49..189876f3c0d980e78165d73eed86b2830ac8c5b8 100644

--- a/ipaserver/install/cainstance.py

+++ b/ipaserver/install/cainstance.py

@@ -391,7 +391,7 @@ class CAInstance(DogtagInstance):

                            cert_file=None, cert_chain_file=None,

                            master_replication_port=None,

                            subject_base=None, ca_signing_algorithm=None,

-                           ca_type=None):

+                           ca_type=None, ra_p12=None):

         """Create a CA instance.

            For Dogtag 9, this may involve creating the pki-ca instance.

@@ -465,7 +465,10 @@ class CAInstance(DogtagInstance):

                 self.step("requesting RA certificate from CA", self.__request_ra_certificate)

                 self.step("issuing RA agent certificate", self.__issue_ra_cert)

                 self.step("adding RA agent as a trusted user", self.__create_ca_agent)

-                self.step("authorizing RA to modify profiles", self.__configure_profiles_acl)

+            elif ra_p12 is not None:

+                self.step("importing RA certificate from PKCS #12 file",

+                          lambda: self.import_ra_cert(ra_p12, configure_renewal=False))

+            self.step("authorizing RA to modify profiles", configure_profiles_acl)

             self.step("configure certmonger for renewals", self.configure_certmonger_renewal)

             self.step("configure certificate renewals", self.configure_renewal)

             if not self.clone:

@@ -473,9 +476,12 @@ class CAInstance(DogtagInstance):

             self.step("configure Server-Cert certificate renewal", self.track_servercert)

             self.step("Configure HTTP to proxy connections",

                       self.http_proxy)

-            if not self.clone:

-                self.step("restarting certificate server", self.restart_instance)

-                self.step("Importing IPA certificate profiles", import_included_profiles)

+            self.step("restarting certificate server", self.restart_instance)

+            self.step("migrating certificate profiles to LDAP",

+                      migrate_profiles_to_ldap)

+            self.step("importing IPA certificate profiles",

+                      import_included_profiles)

+            self.step("adding default CA ACL", ensure_default_caacl)

         self.start_creation(runtime=210)

@@ -887,7 +893,7 @@ class CAInstance(DogtagInstance):

         export_kra_agent_pem()

-    def import_ra_cert(self, rafile):

+    def import_ra_cert(self, rafile, configure_renewal=True):

         """

         Cloned RAs will use the same RA agent cert as the master so we

         need to import from a PKCS#12 file.

@@ -903,7 +909,8 @@ class CAInstance(DogtagInstance):

         finally:

             os.remove(agent_name)

-        self.configure_agent_renewal()

+        if configure_renewal:

+            self.configure_agent_renewal()

         export_kra_agent_pem()

@@ -953,10 +960,6 @@ class CAInstance(DogtagInstance):

         conn.disconnect()

-    def __configure_profiles_acl(self):

-        """Allow the Certificate Manager Agents group to modify profiles."""

-        configure_profiles_acl()

-

     def __run_certutil(self, args, database=None, pwd_file=None, stdin=None):

         if not database:

             database = self.ra_agent_db

@@ -1491,7 +1494,7 @@ def replica_ca_install_check(config):

         exit('IPA schema missing on master CA directory server')

-def install_replica_ca(config, postinstall=False):

+def install_replica_ca(config, postinstall=False, ra_p12=None):

     """

     Install a CA on a replica.

@@ -1533,7 +1536,7 @@ def install_replica_ca(config, postinstall=False):

         ca.create_ra_agent_db = False

     ca.configure_instance(config.host_name, config.domain_name,

                           config.dirman_password, config.dirman_password,

-                          pkcs12_info=(cafile,),

+                          pkcs12_info=(cafile,), ra_p12=ra_p12,

                           master_host=config.master_host_name,

                           master_replication_port=config.ca_ds_port,

                           subject_base=config.subject_base)

@@ -1658,6 +1661,14 @@ def update_people_entry(dercert):

     return True

 def ensure_ldap_profiles_container():

+    ensure_entry(

+        DN(('ou', 'certificateProfiles'), ('ou', 'ca'), ('o', 'ipaca')),

+        objectclass=['top', 'organizationalUnit'],

+        ou=['certificateProfiles'],

+    )

+

+

+def ensure_entry(dn, **attrs):

     server_id = installutils.realm_to_serverid(api.env.realm)

     dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id

@@ -1665,40 +1676,39 @@ def ensure_ldap_profiles_container():

     if not conn.isconnected():

         conn.connect(autobind=True)

-    dn = DN(('ou', 'certificateProfiles'), ('ou', 'ca'), ('o', 'ipaca'))

     try:

         conn.get_entry(dn)

     except errors.NotFound:

         # entry doesn't exist; add it

-        entry = conn.make_entry(

-            dn,

-            objectclass=['top', 'organizationalUnit'],

-            ou=['certificateProfiles'],

-        )

+        entry = conn.make_entry(dn, **attrs)

         conn.add_entry(entry)

     conn.disconnect()

 def configure_profiles_acl():

+    """Allow the Certificate Manager Agents group to modify profiles."""

     server_id = installutils.realm_to_serverid(api.env.realm)

     dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id

     updated = False

     dn = DN(('cn', 'aclResources'), ('o', 'ipaca'))

-    rule = (

+    new_rules = [

         'certServer.profile.configuration:read,modify:allow (read,modify) '

         'group="Certificate Manager Agents":'

-        'Certificate Manager agents may modify (create/update/delete) and read profiles'

-    )

-    modlist = [(ldap.MOD_ADD, 'resourceACLS', [rule])]

+        'Certificate Manager agents may modify (create/update/delete) and read profiles',

+

+        'certServer.ca.account:login,logout:allow (login,logout) '

+        'user="anybody":Anybody can login and logout',

+    ]

     conn = ldap2.ldap2(api, ldap_uri=dogtag_uri)

     if not conn.isconnected():

         conn.connect(autobind=True)

-    rules = conn.get_entry(dn).get('resourceACLS', [])

-    if rule not in rules:

-        conn.conn.modify_s(str(dn), modlist)

+    cur_rules = conn.get_entry(dn).get('resourceACLS', [])

+    add_rules = [rule for rule in new_rules if rule not in cur_rules]

+    if add_rules:

+        conn.conn.modify_s(str(dn), [(ldap.MOD_ADD, 'resourceACLS', add_rules)])

         updated = True

     conn.disconnect()

@@ -1718,6 +1728,17 @@ def import_included_profiles():

     if not conn.isconnected():

         conn.connect(autobind=True)

+    ensure_entry(

+        DN(('cn', 'ca'), api.env.basedn),

+        objectclass=['top', 'nsContainer'],

+        cn=['ca'],

+    )

+    ensure_entry(

+        DN(api.env.container_certprofile, api.env.basedn),

+        objectclass=['top', 'nsContainer'],

+        cn=['certprofiles'],

+    )

+

     api.Backend.ra_certprofile._read_password()

     api.Backend.ra_certprofile.override_port = 8443

@@ -1823,6 +1844,33 @@ def _create_dogtag_profile(profile_id, profile_data):

                 "(it is probably already enabled)")

+def ensure_default_caacl():

+    """Add the default CA ACL if missing."""

+    if not api.Backend.ldap2.isconnected():

+        try:

+            api.Backend.ldap2.connect(autobind=True)

+        except errors.PublicError as e:

+            root_logger.error("Cannot connect to LDAP to add CA ACLs: %s", e)

+            return

+

+    ensure_entry(

+        DN(('cn', 'ca'), api.env.basedn),

+        objectclass=['top', 'nsContainer'],

+        cn=['ca'],

+    )

+    ensure_entry(

+        DN(api.env.container_caacl, api.env.basedn),

+        objectclass=['top', 'nsContainer'],

+        cn=['certprofiles'],

+    )

+

+    if not api.Command.caacl_find()['result']:

+        api.Command.caacl_add(u'hosts_services_caIPAserviceCert',

+            hostcategory=u'all', servicecategory=u'all')

+        api.Command.caacl_add_profile(u'hosts_services_caIPAserviceCert',

+            certprofile=(u'caIPAserviceCert',))

+

+

 if __name__ == "__main__":

     standard_logging_setup("install.log")

     ds = dsinstance.DsInstance()

diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py

index f33a9e03a4148dde69fc61441c878f5126f8e455..d78158532c4c88d9aa9acf3c65d278f5151458d8 100644

--- a/ipaserver/install/dsinstance.py

+++ b/ipaserver/install/dsinstance.py

@@ -310,7 +310,6 @@ class DsInstance(service.Service):

         self.step("adding range check plugin", self.__add_range_check_plugin)

         if hbac_allow:

             self.step("creating default HBAC rule allow_all", self.add_hbac)

-        self.step("creating default CA ACL rule", self.add_caacl)

         self.step("adding entries for topology management", self.__add_topology_entries)

         self.__common_post_setup()

@@ -745,9 +744,6 @@ class DsInstance(service.Service):

     def add_hbac(self):

         self._ldap_mod("default-hbac.ldif", self.sub_dict)

-    def add_caacl(self):

-        self._ldap_mod("default-caacl.ldif", self.sub_dict)

-

     def change_admin_password(self, password):

         root_logger.debug("Changing admin password")

         dirname = config_dirname(self.serverid)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py

index 6f9a6141fe9af44806244ce52df59c191dc966b0..6e9157cabc49161ba27983cbf1de1428d1b48b7d 100644

--- a/ipaserver/install/server/replicainstall.py

+++ b/ipaserver/install/server/replicainstall.py

@@ -573,6 +573,9 @@ def install(installer):

         options.domain_name = config.domain_name

         options.host_name = config.host_name

+        if ipautil.file_exists(config.dir + "/cacert.p12"):

+            options.ra_p12 = config.dir + "/ra.p12"

+

         ca.install(False, config, options)

     krb = install_krb(config, setup_pkinit=not options.no_pkinit)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py

index c8f744c392c7b859459bda63c1f397226553d4ba..945cb3ebd63767cb1d57083e1da7c5605ac5a2f9 100644

--- a/ipaserver/install/server/upgrade.py

+++ b/ipaserver/install/server/upgrade.py

@@ -1321,18 +1321,7 @@ def add_default_caacl(ca):

         return

     if ca.is_configured():

-        if not api.Backend.ldap2.isconnected():

-            try:

-                api.Backend.ldap2.connect(autobind=True)

-            except ipalib.errors.PublicError as e:

-                root_logger.error("Cannot connect to LDAP to add CA ACLs: %s", e)

-                return

-

-        if not api.Command.caacl_find()['result']:

-            api.Command.caacl_add(u'hosts_services_caIPAserviceCert',

-                hostcategory=u'all', servicecategory=u'all')

-            api.Command.caacl_add_profile(u'hosts_services_caIPAserviceCert',

-                certprofile=(u'caIPAserviceCert',))

+        cainstance.ensure_default_caacl()

     sysupgrade.set_upgrade_state('caacl', 'add_default_caacl', True)

-- 

2.4.3