pgreco / rpms / ipa

Forked from forks/areguera/rpms/ipa 4 years ago
Clone

Blame SOURCES/0203-Detect-and-repair-incorrect-caIPAserviceCert-config.patch

db5969
From 1eb9cc7556357b1b8d6d826321cb38b1f96c1b7e Mon Sep 17 00:00:00 2001
db5969
From: Fraser Tweedale <ftweedal@redhat.com>
db5969
Date: Wed, 18 May 2016 14:10:39 +1000
db5969
Subject: [PATCH] Detect and repair incorrect caIPAserviceCert config
db5969
db5969
A regression caused replica installation to replace the FreeIPA
db5969
version of caIPAserviceCert with the version shipped by Dogtag.
db5969
db5969
During upgrade, detect and repair occurrences of this problem.
db5969
db5969
Part of: https://fedorahosted.org/freeipa/ticket/5881
db5969
db5969
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
db5969
---
db5969
 ipaserver/install/cainstance.py     | 49 ++++++++++++++++++++++++++++++++++---
db5969
 ipaserver/install/server/upgrade.py |  3 +++
db5969
 2 files changed, 49 insertions(+), 3 deletions(-)
db5969
db5969
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
db5969
index 50ca5d3aeb9be24d8e1e80ad408191fca76a459c..a8a57c4ffdbec453c76a01b88a7d4a188c03be33 100644
db5969
--- a/ipaserver/install/cainstance.py
db5969
+++ b/ipaserver/install/cainstance.py
db5969
@@ -1717,14 +1717,18 @@ def configure_profiles_acl():
db5969
     conn.disconnect()
db5969
     return updated
db5969
 
db5969
-def import_included_profiles():
db5969
+
db5969
+def __get_profile_config(profile_id):
db5969
     sub_dict = dict(
db5969
         DOMAIN=ipautil.format_netloc(api.env.domain),
db5969
         IPA_CA_RECORD=IPA_CA_RECORD,
db5969
         CRL_ISSUER='CN=Certificate Authority,o=ipaca',
db5969
         SUBJECT_DN_O=dsinstance.DsInstance().find_subject_base(),
db5969
     )
db5969
+    return ipautil.template_file(
db5969
+        '/usr/share/ipa/profiles/{}.cfg'.format(profile_id), sub_dict)
db5969
 
db5969
+def import_included_profiles():
db5969
     server_id = installutils.realm_to_serverid(api.env.realm)
db5969
     dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id
db5969
     conn = ldap2.ldap2(api, ldap_uri=dogtag_uri)
db5969
@@ -1761,10 +1765,9 @@ def import_included_profiles():
db5969
                 ipacertprofilestoreissued=['TRUE' if store_issued else 'FALSE'],
db5969
             )
db5969
             conn.add_entry(entry)
db5969
-            profile_data = ipautil.template_file(
db5969
-                '/usr/share/ipa/profiles/{}.cfg'.format(profile_id), sub_dict)
db5969
 
db5969
             # Create the profile, replacing any existing profile of same name
db5969
+            profile_data = __get_profile_config(profile_id)
db5969
             _create_dogtag_profile(profile_id, profile_data, overwrite=True)
db5969
             root_logger.info("Imported profile '%s'", profile_id)
db5969
 
db5969
@@ -1772,6 +1775,46 @@ def import_included_profiles():
db5969
     conn.disconnect()
db5969
 
db5969
 
db5969
+def repair_profile_caIPAserviceCert():
db5969
+    """
db5969
+    A regression caused replica installation to replace the FreeIPA
db5969
+    version of caIPAserviceCert with the version shipped by Dogtag.
db5969
+
db5969
+    This function detects and repairs occurrences of this problem.
db5969
+
db5969
+    """
db5969
+    api.Backend.ra_certprofile._read_password()
db5969
+    api.Backend.ra_certprofile.override_port = 8443
db5969
+
db5969
+    profile_id = 'caIPAserviceCert'
db5969
+
db5969
+    with api.Backend.ra_certprofile as profile_api:
db5969
+        try:
db5969
+            cur_config = profile_api.read_profile(profile_id).splitlines()
db5969
+        except errors.RemoteRetrieveError as e:
db5969
+            # no profile there to check/repair
db5969
+            api.Backend.ra_certprofile.override_port = None
db5969
+            return
db5969
+
db5969
+    indicators = [
db5969
+        "policyset.serverCertSet.1.default.params.name="
db5969
+            "CN=$request.req_subject_name.cn$, OU=pki-ipa, O=IPA ",
db5969
+        "policyset.serverCertSet.9.default.params.crlDistPointsPointName_0="
db5969
+            "https://ipa.example.com/ipa/crl/MasterCRL.bin",
db5969
+        ]
db5969
+    need_repair = all(l in cur_config for l in indicators)
db5969
+
db5969
+    if need_repair:
db5969
+        root_logger.debug(
db5969
+            "Detected that profile '{}' has been replaced with "
db5969
+            "incorrect version; begin repair.".format(profile_id))
db5969
+        _create_dogtag_profile(
db5969
+            profile_id, __get_profile_config(profile_id), overwrite=True)
db5969
+        root_logger.debug("Repair of profile '{}' complete.".format(profile_id))
db5969
+
db5969
+    api.Backend.ra_certprofile.override_port = None
db5969
+
db5969
+
db5969
 def migrate_profiles_to_ldap(dogtag_constants):
db5969
     """Migrate profiles from filesystem to LDAP.
db5969
 
db5969
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
db5969
index c53b19a937d559b25da256670a5205ab40e0cadb..b0cd789d58408f720774adb276843a1b6ab6007d 100644
db5969
--- a/ipaserver/install/server/upgrade.py
db5969
+++ b/ipaserver/install/server/upgrade.py
db5969
@@ -1554,6 +1554,9 @@ def upgrade_configuration():
db5969
     ca_import_included_profiles(ca)
db5969
     add_default_caacl(ca)
db5969
 
db5969
+    if ca.is_configured():
db5969
+        cainstance.repair_profile_caIPAserviceCert()
db5969
+
db5969
     set_sssd_domain_option('ipa_server_mode', 'True')
db5969
 
db5969
     if ds_running and not ds.is_running():
db5969
-- 
db5969
2.5.5
db5969