From 1eb9cc7556357b1b8d6d826321cb38b1f96c1b7e Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Wed, 18 May 2016 14:10:39 +1000
Subject: [PATCH] Detect and repair incorrect caIPAserviceCert config

A regression caused replica installation to replace the FreeIPA version of caIPAserviceCert with the version shipped by Dogtag. During upgrade, detect and repair occurrences of this problem.

Part of: https://fedorahosted.org/freeipa/ticket/5881

Reviewed-By: Jan Cholasta
---
 ipaserver/install/cainstance.py     | 49 ++++++++++++++++++++++++++++++++++---
 ipaserver/install/server/upgrade.py |  3 +++
 2 files changed, 49 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 50ca5d3aeb9be24d8e1e80ad408191fca76a459c..a8a57c4ffdbec453c76a01b88a7d4a188c03be33 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1717,14 +1717,18 @@ def configure_profiles_acl():
     conn.disconnect()
     return updated
 
-def import_included_profiles():
+
+def __get_profile_config(profile_id):
     sub_dict = dict(
         DOMAIN=ipautil.format_netloc(api.env.domain),
         IPA_CA_RECORD=IPA_CA_RECORD,
         CRL_ISSUER='CN=Certificate Authority,o=ipaca',
         SUBJECT_DN_O=dsinstance.DsInstance().find_subject_base(),
     )
+    return ipautil.template_file( '/usr/share/ipa/profiles/{}.cfg'.format(profile_id), sub_dict)
 
+def import_included_profiles():
     server_id = installutils.realm_to_serverid(api.env.realm)
     dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id
     conn = ldap2.ldap2(api, ldap_uri=dogtag_uri)
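Review bot: `__get_profile_config` is a module-level function, so its double leading underscore buys nothing (name mangling applies only inside class bodies) and departs from the project's single-underscore convention for private helpers; `_get_profile_config` would read as intended. The helper also lands without a docstring — a one-liner such as `"""Return /usr/share/ipa/profiles/<profile_id>.cfg with the DOMAIN, IPA_CA_RECORD, CRL_ISSUER and SUBJECT_DN_O placeholders filled in."""` would state what it renders. Judging from the hunk's line counts, only one blank line appears to separate the helper's `return` from `def import_included_profiles():`, where PEP 8 expects two between top-level definitions. The body of `import_included_profiles` continues outside the hunk.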
@@ -1761,10 +1765,9 @@ def import_included_profiles():
                 ipacertprofilestoreissued=['TRUE' if store_issued else 'FALSE'],
             )
             conn.add_entry(entry)
-            profile_data = ipautil.template_file(
-                '/usr/share/ipa/profiles/{}.cfg'.format(profile_id), sub_dict)
 
             # Create the profile, replacing any existing profile of same name
+            profile_data = __get_profile_config(profile_id)
             _create_dogtag_profile(profile_id, profile_data, overwrite=True)
             root_logger.info("Imported profile '%s'", profile_id)
 
@@ -1772,6 +1775,46 @@ def import_included_profiles():
     conn.disconnect()
 
 
+def repair_profile_caIPAserviceCert():
+    """
+    A regression caused replica installation to replace the FreeIPA
+    version of caIPAserviceCert with the version shipped by Dogtag.
+
+    This function detects and repairs occurrences of this problem.
+
+    """
+    api.Backend.ra_certprofile._read_password()
+    api.Backend.ra_certprofile.override_port = 8443
+
+    profile_id = 'caIPAserviceCert'
+
+    with api.Backend.ra_certprofile as profile_api:
+        try:
+            cur_config = profile_api.read_profile(profile_id).splitlines()
+        except errors.RemoteRetrieveError as e:
+            # no profile there to check/repair
+            api.Backend.ra_certprofile.override_port = None
+            return
+
+        indicators = [
+            "policyset.serverCertSet.1.default.params.name="
+            "CN=$request.req_subject_name.cn$, OU=pki-ipa, O=IPA ",
+            "policyset.serverCertSet.9.default.params.crlDistPointsPointName_0="
+            "https://ipa.example.com/ipa/crl/MasterCRL.bin",
+        ]
+        need_repair = all(l in cur_config for l in indicators)
+
+        if need_repair:
+            root_logger.debug(
+                "Detected that profile '{}' has been replaced with "
+                "incorrect version; begin repair.".format(profile_id))
+            _create_dogtag_profile(
+                profile_id, __get_profile_config(profile_id), overwrite=True)
+            root_logger.debug("Repair of profile '{}' complete.".format(profile_id))
+
+    api.Backend.ra_certprofile.override_port = None
+
+
 def migrate_profiles_to_ldap(dogtag_constants):
     """Migrate profiles from filesystem to LDAP.
 
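Review bot: In `repair_profile_caIPAserviceCert` the `override_port = None` reset runs only on the two explicit paths, so if `read_profile` raises anything other than `errors.RemoteRetrieveError`, or `_create_dogtag_profile` fails mid-repair, the `ra_certprofile` backend stays pinned to port 8443 for whatever the upgrade runs next. A `try/finally` around the `with` block closes that leak and lets the "nothing to repair" branch drop its duplicate reset. The detection and repair are logged only at debug level, whereas the sibling import path in the previous hunk logs at info; a replaced profile means the CA has been issuing service certificates from the Dogtag-shipped definition (note the `ipa.example.com` CRL distribution point among the indicators), so the event deserves a warning/info record that operators can act on by reviewing certificates issued in the meantime, and lazy `%s` arguments would match the surrounding logging style. The unused `e` in the except clause and the single-letter `l` in the `all(...)` comprehension are minor.
```python
def repair_profile_caIPAserviceCert():
    # … unchanged: docstring …
    api.Backend.ra_certprofile._read_password()
    api.Backend.ra_certprofile.override_port = 8443

    profile_id = 'caIPAserviceCert'

    try:
        with api.Backend.ra_certprofile as profile_api:
            try:
                cur_config = profile_api.read_profile(profile_id).splitlines()
            except errors.RemoteRetrieveError:
                root_logger.debug(
                    "Profile '%s' not found; nothing to repair", profile_id)
                return

            # … unchanged: indicators list …
            need_repair = all(line in cur_config for line in indicators)

            if need_repair:
                root_logger.warning(
                    "Detected that profile '%s' has been replaced with "
                    "incorrect version; begin repair.", profile_id)
                _create_dogtag_profile(
                    profile_id, __get_profile_config(profile_id), overwrite=True)
                root_logger.info("Repair of profile '%s' complete.", profile_id)
    finally:
        # undo the port override on every exit path, including exceptions
        api.Backend.ra_certprofile.override_port = None
```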
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index c53b19a937d559b25da256670a5205ab40e0cadb..b0cd789d58408f720774adb276843a1b6ab6007d 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1554,6 +1554,9 @@ def upgrade_configuration():
     ca_import_included_profiles(ca)
     add_default_caacl(ca)
 
+    if ca.is_configured():
+        cainstance.repair_profile_caIPAserviceCert()
+
     set_sssd_domain_option('ipa_server_mode', 'True')
 
     if ds_running and not ds.is_running():
-- 
2.5.5
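Review bot: The new call is gated only by `ca.is_configured()`, and `repair_profile_caIPAserviceCert` handles just `errors.RemoteRetrieveError` internally, so any other failure while contacting the CA on port 8443 propagates and aborts `upgrade_configuration`, whose body continues outside the hunk. I cannot tell from this hunk whether the preceding steps guarantee the CA service is reachable at this point of the upgrade. If this repair is meant to be best-effort, catching the failure here and logging it with the module's logger, so the rest of the upgrade still runs and the skipped repair is recorded, would be the safer shape; if it is meant to be fatal, a short comment saying so would help the next reader.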