From dc90e83e77f63384f072ca31d79705e26dc5d656 Mon Sep 17 00:00:00 2001

From: Fraser Tweedale <ftweedal@redhat.com>

Date: Thu, 30 May 2019 20:57:10 +1000

Subject: [PATCH] Handle missing LWCA certificate or chain

If lightweight CA key replication has not completed, requests for

the certificate or chain will return 404**.  This can occur in

normal operation, and should be a temporary condition.  Detect this

case and handle it by simply omitting the 'certificate' and/or

'certificate_out' fields in the response, and add a warning message

to the response.

Also update the client-side plugin that handles the

--certificate-out option.  Because the CLI will automatically print

the warning message, if the expected field is missing from the

response, just ignore it and continue processing.

** after the Dogtag NullPointerException gets fixed!

Part of: https://pagure.io/freeipa/issue/7964

Reviewed-By: Christian Heimes <cheimes@redhat.com>

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

Reviewed-By: Rob Crittenden <rcritten@redhat.com>

---

 ipaclient/plugins/ca.py | 19 +++++++++++---

 ipalib/messages.py      |  9 +++++++

 ipaserver/plugins/ca.py | 57 +++++++++++++++++++++++++++++++----------

 3 files changed, 68 insertions(+), 17 deletions(-)

diff --git a/ipaclient/plugins/ca.py b/ipaclient/plugins/ca.py

index f0e7d5ced0d3d9318e34aba84cbc37cf42b9410d..ab47ae85df398e1dc40191691a26639eb3772493 100644

--- a/ipaclient/plugins/ca.py

+++ b/ipaclient/plugins/ca.py

@@ -33,13 +33,24 @@ class WithCertOutArgs(MethodOverride):

                                              error=str(e))

         result = super(WithCertOutArgs, self).forward(*keys, **options)

+

         if filename:

+            # if result certificate / certificate_chain not present in result,

+            # it means Dogtag did not provide it (probably due to LWCA key

+            # replication lag or failure.  The server transmits a warning

+            # message in this case, which the client automatically prints.

+            # So in this section we just ignore it and move on.

+            certs = None

             if options.get('chain', False):

-                certs = result['result']['certificate_chain']

+                if 'certificate_chain' in result['result']:

+                    certs = result['result']['certificate_chain']

             else:

-                certs = [base64.b64decode(result['result']['certificate'])]

-            certs = (x509.load_der_x509_certificate(cert) for cert in certs)

-            x509.write_certificate_list(certs, filename)

+                if 'certificate' in result['result']:

+                    certs = [base64.b64decode(result['result']['certificate'])]

+            if certs:

+                x509.write_certificate_list(

+                    (x509.load_der_x509_certificate(cert) for cert in certs),

+                    filename)

         return result

diff --git a/ipalib/messages.py b/ipalib/messages.py

index 9e2c990d6db8ee41daf3fba6085eed8355dccbe7..646662795648b5a44a5ce25b7610982d5500cfac 100644

--- a/ipalib/messages.py

+++ b/ipalib/messages.py

@@ -487,6 +487,15 @@ class FailedToAddHostDNSRecords(PublicMessage):

                "%(reason)s")

+class LightweightCACertificateNotAvailable(PublicMessage):

+    """

+    **13031** Certificate is not available

+    """

+    errno = 13031

+    type = "error"

+    format = _("The certificate for %(ca)s is not available on this server.")

+

+

 def iter_messages(variables, base):

     """Return a tuple with all subclasses

     """

diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py

index 88e7ec2a9f50a3c4f90947c8e3d38e327627a878..c8f1630c65d55ee9e820ea50ef34e08f92c66f4a 100644

--- a/ipaserver/plugins/ca.py

+++ b/ipaserver/plugins/ca.py

@@ -6,7 +6,7 @@ import base64

 import six

-from ipalib import api, errors, output, Bytes, DNParam, Flag, Str

+from ipalib import api, errors, messages, output, Bytes, DNParam, Flag, Str

 from ipalib.constants import IPA_CA_CN

 from ipalib.plugable import Registry

 from ipapython.dn import ATTR_NAME_BY_OID

@@ -163,28 +163,53 @@ class ca(LDAPObject):

 def set_certificate_attrs(entry, options, want_cert=True):

+    """

+    Set certificate attributes into the entry.  Depending on

+    options, this may contact Dogtag to retrieve certificate or

+    chain.  If the retrieval fails with 404 (which can occur under

+    normal operation due to lightweight CA key replication delay),

+    return a message object that should be set in the response.

+

+    """

     try:

         ca_id = entry['ipacaid'][0]

     except KeyError:

-        return

+        return None

     full = options.get('all', False)

     want_chain = options.get('chain', False)

     want_data = want_cert or want_chain or full

     if not want_data:

-        return

+        return None

+

+    msg = None

     with api.Backend.ra_lightweight_ca as ca_api:

         if want_cert or full:

-            der = ca_api.read_ca_cert(ca_id)

-            entry['certificate'] = base64.b64encode(der).decode('ascii')

+            try:

+                der = ca_api.read_ca_cert(ca_id)

+                entry['certificate'] = base64.b64encode(der).decode('ascii')

+            except errors.HTTPRequestError as e:

+                if e.status == 404:  # pylint: disable=no-member

+                    msg = messages.LightweightCACertificateNotAvailable(

+                        ca=entry['cn'][0])

+                else:

+                    raise e

         if want_chain or full:

-            pkcs7_der = ca_api.read_ca_chain(ca_id)

-            certs = x509.pkcs7_to_certs(pkcs7_der, x509.DER)

-            ders = [cert.public_bytes(x509.Encoding.DER) for cert in certs]

-            entry['certificate_chain'] = ders

-

+            try:

+                pkcs7_der = ca_api.read_ca_chain(ca_id)

+                certs = x509.pkcs7_to_certs(pkcs7_der, x509.DER)

+                ders = [cert.public_bytes(x509.Encoding.DER) for cert in certs]

+                entry['certificate_chain'] = ders

+            except errors.HTTPRequestError as e:

+                if e.status == 404:  # pylint: disable=no-member

+                    msg = messages.LightweightCACertificateNotAvailable(

+                        ca=entry['cn'][0])

+                else:

+                    raise e

+

+    return msg

 @register()

 class ca_find(LDAPSearch):

@@ -198,7 +223,9 @@ class ca_find(LDAPSearch):

         result = super(ca_find, self).execute(*keys, **options)

         if not options.get('pkey_only', False):

             for entry in result['result']:

-                set_certificate_attrs(entry, options, want_cert=False)

+                msg = set_certificate_attrs(entry, options, want_cert=False)

+                if msg:

+                    self.add_message(msg)

         return result

@@ -220,7 +247,9 @@ class ca_show(LDAPRetrieve):

     def execute(self, *keys, **options):

         ca_enabled_check(self.api)

         result = super(ca_show, self).execute(*keys, **options)

-        set_certificate_attrs(result['result'], options)

+        msg = set_certificate_attrs(result['result'], options)

+        if msg:

+            self.add_message(msg)

         return result

@@ -284,7 +313,9 @@ class ca_add(LDAPCreate):

         return dn

     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):

-        set_certificate_attrs(entry_attrs, options)

+        msg = set_certificate_attrs(entry_attrs, options)

+        if msg:

+            self.add_message(msg)

         return dn

-- 

2.20.1