pgreco / rpms / ipa

Forked from forks/areguera/rpms/ipa 5 years ago
Clone
Blob Blame History Raw
From 1eb9cc7556357b1b8d6d826321cb38b1f96c1b7e Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Wed, 18 May 2016 14:10:39 +1000
Subject: [PATCH] Detect and repair incorrect caIPAserviceCert config

A regression caused replica installation to replace the FreeIPA
version of caIPAserviceCert with the version shipped by Dogtag.

During upgrade, detect and repair occurrences of this problem.

Part of: https://fedorahosted.org/freeipa/ticket/5881

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 ipaserver/install/cainstance.py     | 49 ++++++++++++++++++++++++++++++++++---
 ipaserver/install/server/upgrade.py |  3 +++
 2 files changed, 49 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 50ca5d3aeb9be24d8e1e80ad408191fca76a459c..a8a57c4ffdbec453c76a01b88a7d4a188c03be33 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1717,14 +1717,18 @@ def configure_profiles_acl():
     conn.disconnect()
     return updated
 
-def import_included_profiles():
+
+def __get_profile_config(profile_id):
     sub_dict = dict(
         DOMAIN=ipautil.format_netloc(api.env.domain),
         IPA_CA_RECORD=IPA_CA_RECORD,
         CRL_ISSUER='CN=Certificate Authority,o=ipaca',
         SUBJECT_DN_O=dsinstance.DsInstance().find_subject_base(),
     )
+    return ipautil.template_file(
+        '/usr/share/ipa/profiles/{}.cfg'.format(profile_id), sub_dict)
 
+def import_included_profiles():
     server_id = installutils.realm_to_serverid(api.env.realm)
     dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id
     conn = ldap2.ldap2(api, ldap_uri=dogtag_uri)
@@ -1761,10 +1765,9 @@ def import_included_profiles():
                 ipacertprofilestoreissued=['TRUE' if store_issued else 'FALSE'],
             )
             conn.add_entry(entry)
-            profile_data = ipautil.template_file(
-                '/usr/share/ipa/profiles/{}.cfg'.format(profile_id), sub_dict)
 
             # Create the profile, replacing any existing profile of same name
+            profile_data = __get_profile_config(profile_id)
             _create_dogtag_profile(profile_id, profile_data, overwrite=True)
             root_logger.info("Imported profile '%s'", profile_id)
 
@@ -1772,6 +1775,46 @@ def import_included_profiles():
     conn.disconnect()
 
 
+def repair_profile_caIPAserviceCert():
+    """
+    A regression caused replica installation to replace the FreeIPA
+    version of caIPAserviceCert with the version shipped by Dogtag.
+
+    This function detects and repairs occurrences of this problem.
+
+    """
+    api.Backend.ra_certprofile._read_password()
+    api.Backend.ra_certprofile.override_port = 8443
+
+    profile_id = 'caIPAserviceCert'
+
+    with api.Backend.ra_certprofile as profile_api:
+        try:
+            cur_config = profile_api.read_profile(profile_id).splitlines()
+        except errors.RemoteRetrieveError as e:
+            # no profile there to check/repair
+            api.Backend.ra_certprofile.override_port = None
+            return
+
+    indicators = [
+        "policyset.serverCertSet.1.default.params.name="
+            "CN=$request.req_subject_name.cn$, OU=pki-ipa, O=IPA ",
+        "policyset.serverCertSet.9.default.params.crlDistPointsPointName_0="
+            "https://ipa.example.com/ipa/crl/MasterCRL.bin",
+        ]
+    need_repair = all(l in cur_config for l in indicators)
+
+    if need_repair:
+        root_logger.debug(
+            "Detected that profile '{}' has been replaced with "
+            "incorrect version; begin repair.".format(profile_id))
+        _create_dogtag_profile(
+            profile_id, __get_profile_config(profile_id), overwrite=True)
+        root_logger.debug("Repair of profile '{}' complete.".format(profile_id))
+
+    api.Backend.ra_certprofile.override_port = None
+
+
 def migrate_profiles_to_ldap(dogtag_constants):
     """Migrate profiles from filesystem to LDAP.
 
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index c53b19a937d559b25da256670a5205ab40e0cadb..b0cd789d58408f720774adb276843a1b6ab6007d 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1554,6 +1554,9 @@ def upgrade_configuration():
     ca_import_included_profiles(ca)
     add_default_caacl(ca)
 
+    if ca.is_configured():
+        cainstance.repair_profile_caIPAserviceCert()
+
     set_sssd_domain_option('ipa_server_mode', 'True')
 
     if ds_running and not ds.is_running():
-- 
2.5.5