pgreco / rpms / ipa

Forked from forks/areguera/rpms/ipa 4 years ago
Clone

Blame SOURCES/0206-smart-card-advises-configure-systemwide-NSS-DB-also-.patch

b38368
From 57c93cb21d542e1d0eab52baa01ac60f30459dc7 Mon Sep 17 00:00:00 2001
b38368
From: Martin Babinsky <mbabinsk@redhat.com>
b38368
Date: Wed, 21 Jun 2017 18:28:50 +0200
b38368
Subject: [PATCH] smart-card advises: configure systemwide NSS DB also on
b38368
 master
b38368
b38368
Previously the Smart card signing CA cert was uploaded to systemwide NSS
b38368
DB only on the client, but it need to be added also to the server.
b38368
Modify the advise plugins to allow for common configuration steps to
b38368
occur in both cases.
b38368
b38368
https://pagure.io/freeipa/issue/7036
b38368
b38368
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
b38368
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
b38368
---
b38368
 ipaserver/advise/plugins/smart_card_auth.py | 59 +++++++++++++++++------------
b38368
 1 file changed, 35 insertions(+), 24 deletions(-)
b38368
b38368
diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py
b38368
index 5859e350939fdba0a8b258de5285dd10c7b3bc23..0ee4808d47aa87a4b1b838d427e9958d98075a4a 100644
b38368
--- a/ipaserver/advise/plugins/smart_card_auth.py
b38368
+++ b/ipaserver/advise/plugins/smart_card_auth.py
b38368
@@ -10,8 +10,39 @@ from ipaserver.install.httpinstance import NSS_OCSP_ENABLED
b38368
 register = Registry()
b38368
 
b38368
 
b38368
+class common_smart_card_auth_config(Advice):
b38368
+    """
b38368
+    Common steps required to properly configure both server and client for
b38368
+    smart card auth
b38368
+    """
b38368
+
b38368
+    systemwide_nssdb = paths.NSS_DB_DIR
b38368
+    smart_card_ca_cert_variable_name = "SC_CA_CERT"
b38368
+
b38368
+    def check_and_set_ca_cert_path(self):
b38368
+        ca_path_variable = self.smart_card_ca_cert_variable_name
b38368
+        self.log.command("{}=$1".format(ca_path_variable))
b38368
+        self.log.exit_on_predicate(
b38368
+            '[ -z "${}" ]'.format(ca_path_variable),
b38368
+            ['You need to provide the path to the PEM file containing CA '
b38368
+             'signing the Smart Cards']
b38368
+        )
b38368
+        self.log.exit_on_predicate(
b38368
+            '[ ! -f "${}" ]'.format(ca_path_variable),
b38368
+            ['Invalid CA certificate filename: ${}'.format(ca_path_variable),
b38368
+             'Please check that the path exists and is a valid file']
b38368
+        )
b38368
+
b38368
+    def upload_smartcard_ca_certificate_to_systemwide_db(self):
b38368
+        self.log.command(
b38368
+            'certutil -d {} -A -i ${} -n "Smart Card CA" -t CT,C,C'.format(
b38368
+                self.systemwide_nssdb, self.smart_card_ca_cert_variable_name
b38368
+            )
b38368
+        )
b38368
+
b38368
+
b38368
 @register()
b38368
-class config_server_for_smart_card_auth(Advice):
b38368
+class config_server_for_smart_card_auth(common_smart_card_auth_config):
b38368
     """
b38368
     Configures smart card authentication via Kerberos (PKINIT) and for WebUI
b38368
     """
b38368
@@ -28,6 +59,7 @@ class config_server_for_smart_card_auth(Advice):
b38368
 
b38368
     def get_info(self):
b38368
         self.log.exit_on_nonroot_euid()
b38368
+        self.check_and_set_ca_cert_path()
b38368
         self.check_ccache_not_empty()
b38368
         self.check_hostname_is_in_masters()
b38368
         self.resolve_ipaca_records()
b38368
@@ -37,6 +69,7 @@ class config_server_for_smart_card_auth(Advice):
b38368
         self.record_httpd_ocsp_status()
b38368
         self.check_and_enable_pkinit()
b38368
         self.enable_ok_to_auth_as_delegate_on_http_principal()
b38368
+        self.upload_smartcard_ca_certificate_to_systemwide_db()
b38368
 
b38368
     def check_ccache_not_empty(self):
b38368
         self.log.comment('Check whether the credential cache is not empty')
b38368
@@ -162,11 +195,10 @@ class config_server_for_smart_card_auth(Advice):
b38368
 
b38368
 
b38368
 @register()
b38368
-class config_client_for_smart_card_auth(Advice):
b38368
+class config_client_for_smart_card_auth(common_smart_card_auth_config):
b38368
     """
b38368
     Configures smart card authentication on FreeIPA client
b38368
     """
b38368
-    smart_card_ca_cert_variable_name = "SC_CA_CERT"
b38368
 
b38368
     description = ("Instructions for enabling Smart Card authentication on "
b38368
                    " a single FreeIPA client. Configures Smart Card daemon, "
b38368
@@ -190,20 +222,6 @@ class config_client_for_smart_card_auth(Advice):
b38368
         self.run_authconfig_to_configure_smart_card_auth()
b38368
         self.restart_sssd()
b38368
 
b38368
-    def check_and_set_ca_cert_path(self):
b38368
-        ca_path_variable = self.smart_card_ca_cert_variable_name
b38368
-        self.log.command("{}=$1".format(ca_path_variable))
b38368
-        self.log.exit_on_predicate(
b38368
-            '[ -z "${}" ]'.format(ca_path_variable),
b38368
-            ['You need to provide the path to the PEM file containing CA '
b38368
-             'signing the Smart Cards']
b38368
-        )
b38368
-        self.log.exit_on_predicate(
b38368
-            '[ ! -f "${}" ]'.format(ca_path_variable),
b38368
-            ['Invalid CA certificate filename: ${}'.format(ca_path_variable),
b38368
-             'Please check that the path exists and is a valid file']
b38368
-        )
b38368
-
b38368
     def check_and_remove_pam_pkcs11(self):
b38368
         self.log.command('rpm -qi pam_pkcs11 > /dev/null')
b38368
         self.log.commands_on_predicate(
b38368
@@ -247,13 +265,6 @@ class config_client_for_smart_card_auth(Advice):
b38368
             ]
b38368
         )
b38368
 
b38368
-    def upload_smartcard_ca_certificate_to_systemwide_db(self):
b38368
-        self.log.command(
b38368
-            'certutil -d {} -A -i ${} -n "Smart Card CA" -t CT,C,C'.format(
b38368
-                self.systemwide_nssdb, self.smart_card_ca_cert_variable_name
b38368
-            )
b38368
-        )
b38368
-
b38368
     def run_authconfig_to_configure_smart_card_auth(self):
b38368
         self.log.exit_on_failed_command(
b38368
             'authconfig --enablesmartcard --smartcardmodule=sssd --updateall',
b38368
-- 
b38368
2.9.4
b38368