From 57c93cb21d542e1d0eab52baa01ac60f30459dc7 Mon Sep 17 00:00:00 2001

From: Martin Babinsky <mbabinsk@redhat.com>

Date: Wed, 21 Jun 2017 18:28:50 +0200

Subject: [PATCH] smart-card advises: configure systemwide NSS DB also on

 master

Previously the Smart card signing CA cert was uploaded to systemwide NSS

DB only on the client, but it need to be added also to the server.

Modify the advise plugins to allow for common configuration steps to

occur in both cases.

https://pagure.io/freeipa/issue/7036

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

---

 ipaserver/advise/plugins/smart_card_auth.py | 59 +++++++++++++++++------------

 1 file changed, 35 insertions(+), 24 deletions(-)

diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py

index 5859e350939fdba0a8b258de5285dd10c7b3bc23..0ee4808d47aa87a4b1b838d427e9958d98075a4a 100644

--- a/ipaserver/advise/plugins/smart_card_auth.py

+++ b/ipaserver/advise/plugins/smart_card_auth.py

@@ -10,8 +10,39 @@ from ipaserver.install.httpinstance import NSS_OCSP_ENABLED

 register = Registry()

+class common_smart_card_auth_config(Advice):

+    """

+    Common steps required to properly configure both server and client for

+    smart card auth

+    """

+

+    systemwide_nssdb = paths.NSS_DB_DIR

+    smart_card_ca_cert_variable_name = "SC_CA_CERT"

+

+    def check_and_set_ca_cert_path(self):

+        ca_path_variable = self.smart_card_ca_cert_variable_name

+        self.log.command("{}=$1".format(ca_path_variable))

+        self.log.exit_on_predicate(

+            '[ -z "${}" ]'.format(ca_path_variable),

+            ['You need to provide the path to the PEM file containing CA '

+             'signing the Smart Cards']

+        )

+        self.log.exit_on_predicate(

+            '[ ! -f "${}" ]'.format(ca_path_variable),

+            ['Invalid CA certificate filename: ${}'.format(ca_path_variable),

+             'Please check that the path exists and is a valid file']

+        )

+

+    def upload_smartcard_ca_certificate_to_systemwide_db(self):

+        self.log.command(

+            'certutil -d {} -A -i ${} -n "Smart Card CA" -t CT,C,C'.format(

+                self.systemwide_nssdb, self.smart_card_ca_cert_variable_name

+            )

+        )

+

+

 @register()

-class config_server_for_smart_card_auth(Advice):

+class config_server_for_smart_card_auth(common_smart_card_auth_config):

     """

     Configures smart card authentication via Kerberos (PKINIT) and for WebUI

     """

@@ -28,6 +59,7 @@ class config_server_for_smart_card_auth(Advice):

     def get_info(self):

         self.log.exit_on_nonroot_euid()

+        self.check_and_set_ca_cert_path()

         self.check_ccache_not_empty()

         self.check_hostname_is_in_masters()

         self.resolve_ipaca_records()

@@ -37,6 +69,7 @@ class config_server_for_smart_card_auth(Advice):

         self.record_httpd_ocsp_status()

         self.check_and_enable_pkinit()

         self.enable_ok_to_auth_as_delegate_on_http_principal()

+        self.upload_smartcard_ca_certificate_to_systemwide_db()

     def check_ccache_not_empty(self):

         self.log.comment('Check whether the credential cache is not empty')

@@ -162,11 +195,10 @@ class config_server_for_smart_card_auth(Advice):

 @register()

-class config_client_for_smart_card_auth(Advice):

+class config_client_for_smart_card_auth(common_smart_card_auth_config):

     """

     Configures smart card authentication on FreeIPA client

     """

-    smart_card_ca_cert_variable_name = "SC_CA_CERT"

     description = ("Instructions for enabling Smart Card authentication on "

                    " a single FreeIPA client. Configures Smart Card daemon, "

@@ -190,20 +222,6 @@ class config_client_for_smart_card_auth(Advice):

         self.run_authconfig_to_configure_smart_card_auth()

         self.restart_sssd()

-    def check_and_set_ca_cert_path(self):

-        ca_path_variable = self.smart_card_ca_cert_variable_name

-        self.log.command("{}=$1".format(ca_path_variable))

-        self.log.exit_on_predicate(

-            '[ -z "${}" ]'.format(ca_path_variable),

-            ['You need to provide the path to the PEM file containing CA '

-             'signing the Smart Cards']

-        )

-        self.log.exit_on_predicate(

-            '[ ! -f "${}" ]'.format(ca_path_variable),

-            ['Invalid CA certificate filename: ${}'.format(ca_path_variable),

-             'Please check that the path exists and is a valid file']

-        )

-

     def check_and_remove_pam_pkcs11(self):

         self.log.command('rpm -qi pam_pkcs11 > /dev/null')

         self.log.commands_on_predicate(

@@ -247,13 +265,6 @@ class config_client_for_smart_card_auth(Advice):

             ]

         )

-    def upload_smartcard_ca_certificate_to_systemwide_db(self):

-        self.log.command(

-            'certutil -d {} -A -i ${} -n "Smart Card CA" -t CT,C,C'.format(

-                self.systemwide_nssdb, self.smart_card_ca_cert_variable_name

-            )

-        )

-

     def run_authconfig_to_configure_smart_card_auth(self):

         self.log.exit_on_failed_command(

             'authconfig --enablesmartcard --smartcardmodule=sssd --updateall',

-- 

2.9.4