From b98b21aaa709ccd91369e89a836f64c06c4593e8 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Thu, 27 Apr 2017 09:33:25 +0200
Subject: [PATCH] certdb: add named trust flag constants
Add named constants for common trust flag combinations.
Use the named constants instead of trust flag strings in the code.
https://pagure.io/freeipa/issue/6831
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
---
 install/restart_scripts/restart_httpd      |  3 ++-
 install/tools/ipa-replica-conncheck        |  4 +++-
 ipaclient/install/client.py                |  9 ++++++---
 ipapython/certdb.py                        |  9 +++++++--
 ipaserver/install/ca.py                    |  2 +-
 ipaserver/install/certs.py                 |  5 +++--
 ipaserver/install/dsinstance.py            |  5 +++--
 ipaserver/install/httpinstance.py          |  5 +++--
 ipaserver/install/ipa_cacert_manage.py     | 16 +++++++++++-----
 ipaserver/install/plugins/upload_cacrt.py  |  2 +-
 ipaserver/install/server/replicainstall.py |  3 ++-
 ipaserver/install/server/upgrade.py        |  4 ++--
 12 files changed, 44 insertions(+), 23 deletions(-)
diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd
index b661b82b896b109c3859ac82c2d84ab27b839f72..cd7f12024ea3cab16e9c664687cd854e666c9570 100644
--- a/install/restart_scripts/restart_httpd
+++ b/install/restart_scripts/restart_httpd
@@ -24,6 +24,7 @@ import traceback
 from ipalib import api
 from ipaplatform import services
 from ipaplatform.paths import paths
+from ipapython.certdb import TRUSTED_PEER_TRUST_FLAGS
 from ipaserver.install import certs, installutils
 
 
@@ -36,7 +37,7 @@ def _main():
     nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname")
 
     # Add trust flag which set certificate trusted for SSL connections.
-    db.trust_root_cert(nickname, "P,,")
+    db.trust_root_cert(nickname, TRUSTED_PEER_TRUST_FLAGS)
 
     syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd')
 
diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index fdbd4f32d9fa4a625cca3614e13e71d00f58e57e..528242268f9992e903781b76a379039d533853c0 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -549,7 +549,9 @@ def main():
                             data = ca_cert.public_bytes(
                                 serialization.Encoding.DER)
                             nss_db.add_cert(
-                                data, str(DN(ca_cert.subject)), 'C,,')
+                                data,
+                                str(DN(ca_cert.subject)),
+                                certdb.EXTERNAL_CA_TRUST_FLAGS)
 
                     api.bootstrap(context='client',
                                   confdir=paths.ETC_IPA,
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index abca692fd61be4a9f35a1398fb2af4b1d9e8689b..e78be904dd6bad491d9f3c1bb1e1410bc1779d45 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -2318,8 +2318,9 @@ def update_ipa_nssdb():
     if not os.path.exists(os.path.join(ipa_db.secdir, 'cert8.db')):
         create_ipa_nssdb()
 
-    for nickname, trust_flags in (('IPA CA', 'CT,C,C'),
-                                  ('External CA cert', 'C,,')):
+    for nickname, trust_flags in (
+            ('IPA CA', certdb.IPA_CA_TRUST_FLAGS),
+            ('External CA cert', certdb.EXTERNAL_CA_TRUST_FLAGS)):
         try:
             cert = sys_db.get_cert(nickname)
         except RuntimeError:
@@ -2680,7 +2681,9 @@ def _install(options):
             tmp_db.create_db()
 
             for i, cert in enumerate(ca_certs):
-                tmp_db.add_cert(cert, 'CA certificate %d' % (i + 1), 'C,,')
+                tmp_db.add_cert(cert,
+                                'CA certificate %d' % (i + 1),
+                                certdb.EXTERNAL_CA_TRUST_FLAGS)
         except CalledProcessError:
             raise ScriptError(
                 "Failed to add CA to temporary NSS database.",
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index ea73ec139df9013b860df447fcffd9038cf7c8f2..44c7bf3197c198295035742e6db48527d76e85a6 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -52,6 +52,11 @@ CA_NICKNAME_FMT = "%s IPA CA"
 
 NSS_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt")
 
+EMPTY_TRUST_FLAGS = ',,'
+IPA_CA_TRUST_FLAGS = 'CT,C,C'
+EXTERNAL_CA_TRUST_FLAGS = 'C,,'
+TRUSTED_PEER_TRUST_FLAGS = 'P,,'
+
 
 def get_ca_nickname(realm, format=CA_NICKNAME_FMT):
     return format % realm
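Review bot: The four trust-flag constants are added without any comment saying what the strings grant, so a reader still has to know certutil's `-t` syntax to tell `IPA_CA_TRUST_FLAGS` from `EXTERNAL_CA_TRUST_FLAGS`. A short header above `EMPTY_TRUST_FLAGS` would fix that, e.g. `# NSS trust flags in certutil -t form 'SSL,email,object-signing': C = trusted CA, T = trusted CA for client auth, P = trusted peer, empty = no explicit trust`. The names describe a deployment role rather than the trust granted, which is why `EXTERNAL_CA_TRUST_FLAGS` is also used for what appears to be the IPA CA's own certificate in the temporary databases in ipa_cacert_manage.py and as the fallback in the `trust_flags is None` branch of the next hunk; a one-line note that the constants describe trust, not issuer, or names such as `TRUSTED_CA_TRUST_FLAGS`, would make those uses read correctly. Since these strings are passed straight to certutil and to `certstore.put_ca_cert_nss`, picking the wrong constant silently changes what the trust store accepts, so the meaning is worth spelling out where the values are defined.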
@@ -441,7 +446,7 @@ class NSSDatabase(object):
             cert = x509.load_certificate(cert_pem)
             nickname = str(DN(cert.subject))
             data = cert.public_bytes(serialization.Encoding.DER)
-            self.add_cert(data, nickname, ',,')
+            self.add_cert(data, nickname, EMPTY_TRUST_FLAGS)
 
         if extracted_key:
             in_file = ipautil.write_tmp_file(
@@ -473,7 +478,7 @@ class NSSDatabase(object):
                 root_nickname)
         else:
             if trust_flags is None:
-                trust_flags = 'C,,'
+                trust_flags = EXTERNAL_CA_TRUST_FLAGS
             try:
                 self.run_certutil(["-M", "-n", root_nickname,
                                    "-t", trust_flags])
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index 8ee0fda23411563c70b7db5f39f43c2869c108b5..52cb20f1cb3612394544a6a41f10e9e939bc0657 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -320,7 +320,7 @@ def install_step_1(standalone, replica_config, options):
             realm_name, nssdir=dirname, subject_base=subject_base)
         cacert = cadb.get_cert_from_db('caSigningCert cert-pki-ca', pem=False)
         nickname = certdb.get_ca_nickname(realm_name)
-        trust_flags = 'CT,C,C'
+        trust_flags = certdb.IPA_CA_TRUST_FLAGS
         dsdb.add_cert(cacert, nickname, trust_flags)
         certstore.put_ca_cert_nss(api.Backend.ldap2, api.env.basedn,
                                   cacert, nickname, trust_flags,
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 89e57134f24c505d669057eefffb7862b3b8179a..f87e00eb5e9c14ed30d39ef9f6e86b6f24bb1c61 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -37,6 +37,7 @@ from ipalib.install import certmonger, sysrestore
 from ipapython.ipa_log_manager import root_logger
 from ipapython import dogtag
 from ipapython import ipautil
+from ipapython.certdb import EMPTY_TRUST_FLAGS, IPA_CA_TRUST_FLAGS
 from ipapython.certdb import get_ca_nickname, find_cert_from_txt, NSSDatabase
 from ipapython.dn import DN
 from ipalib import pkcs10, x509, api
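Review bot: The new import at the top of the hunk sits directly above an existing `from ipapython.certdb import ...` line, leaving two imports from the same module; merging them keeps the dependency on certdb in one place, `from ipapython.certdb import (EMPTY_TRUST_FLAGS, IPA_CA_TRUST_FLAGS, get_ca_nickname, find_cert_from_txt, NSSDatabase)`. Nothing else in the hunk depends on the split, so this is purely a matter of how the new line is written.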
@@ -597,7 +598,7 @@ class CertDB(object):
         # a new certificate database.
         self.create_passwd_file()
         self.create_certdbs()
-        self.load_cacert(cacert_fname, 'CT,C,C')
+        self.load_cacert(cacert_fname, IPA_CA_TRUST_FLAGS)
 
     def create_from_pkcs12(self, pkcs12_fname, pkcs12_passwd, passwd=None,
                            ca_file=None, trust_flags=None):
@@ -643,7 +644,7 @@ class CertDB(object):
                     cert, st = find_cert_from_txt(certs, st)
                 except RuntimeError:
                     break
-                self.add_cert(cert, 'CA %s' % num, ',,', pem=True)
+                self.add_cert(cert, 'CA %s' % num, EMPTY_TRUST_FLAGS, pem=True)
                 num += 1
 
         # We only handle one server cert
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 403fe8489fdd9e0dbf40dd4df3794b51185d45b9..0db0368fa4b48495718afd779291ce164d1687c8 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -32,6 +32,7 @@ import fnmatch
 import ldap
 
 from ipalib.install import certmonger, certstore
+from ipapython.certdb import IPA_CA_TRUST_FLAGS, EXTERNAL_CA_TRUST_FLAGS
 from ipapython.ipa_log_manager import root_logger
 from ipapython import ipautil, ipaldap
 from ipapython import dogtag
@@ -766,7 +767,7 @@ class DsInstance(service.Service):
         )
         if self.pkcs12_info:
             if self.ca_is_configured:
-                trust_flags = 'CT,C,C'
+                trust_flags = IPA_CA_TRUST_FLAGS
             else:
                 trust_flags = None
             dsdb.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1],
@@ -1065,7 +1066,7 @@ class DsInstance(service.Service):
         certdb.cacert_name = cacert_name
         status = True
         try:
-            certdb.load_cacert(cacert_fname, 'C,,')
+            certdb.load_cacert(cacert_fname, EXTERNAL_CA_TRUST_FLAGS)
         except ipautil.CalledProcessError as e:
             root_logger.critical("Error importing CA cert file named [%s]: %s" %
                                          (cacert_fname, str(e)))
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index ab688a85f157b1886842a91bb7d22f9ea99e3615..a6aeb21edc73783ff9a3f9b526409ea525aa66dd 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -32,6 +32,7 @@ import six
 from augeas import Augeas
 
 from ipalib.install import certmonger
+from ipapython.certdb import IPA_CA_TRUST_FLAGS, TRUSTED_PEER_TRUST_FLAGS
 from ipaserver.install import service
 from ipaserver.install import certs
 from ipaserver.install import installutils
@@ -381,7 +382,7 @@ class HTTPInstance(service.Service):
 
         if self.pkcs12_info:
             if self.ca_is_configured:
-                trust_flags = 'CT,C,C'
+                trust_flags = IPA_CA_TRUST_FLAGS
             else:
                 trust_flags = None
             db.init_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1],
@@ -403,7 +404,7 @@ class HTTPInstance(service.Service):
             self.__set_mod_nss_nickname(nickname)
             self.add_cert_to_service()
 
-            db.trust_root_cert(nickname, "P,,")
+            db.trust_root_cert(nickname, TRUSTED_PEER_TRUST_FLAGS)
 
         else:
             if not self.promote:
diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py
index 3b732e4dcbb5c9b4dfbb9e3608bc7d7afd3e10c2..88b40d45e10281d272882d21e06f5d53cf5a701d 100644
--- a/ipaserver/install/ipa_cacert_manage.py
+++ b/ipaserver/install/ipa_cacert_manage.py
@@ -26,6 +26,7 @@ import gssapi
 
 from ipalib.install import certmonger, certstore
 from ipapython import admintool, ipautil
+from ipapython.certdb import EMPTY_TRUST_FLAGS, EXTERNAL_CA_TRUST_FLAGS
 from ipapython.dn import DN
 from ipaplatform.paths import paths
 from ipalib import api, errors, x509
@@ -242,10 +243,10 @@ class CACertManage(admintool.AdminTool):
 
         with certs.NSSDatabase() as tmpdb:
             tmpdb.create_db()
-            tmpdb.add_cert(old_cert_der, 'IPA CA', 'C,,')
+            tmpdb.add_cert(old_cert_der, 'IPA CA', EXTERNAL_CA_TRUST_FLAGS)
 
             try:
-                tmpdb.add_cert(new_cert_der, 'IPA CA', 'C,,')
+                tmpdb.add_cert(new_cert_der, 'IPA CA', EXTERNAL_CA_TRUST_FLAGS)
             except ipautil.CalledProcessError as e:
                 raise admintool.ScriptError(
                     "Not compatible with the current CA certificate: %s" % e)
@@ -253,7 +254,8 @@ class CACertManage(admintool.AdminTool):
             ca_certs = x509.load_certificate_list_from_file(ca_file.name)
             for ca_cert in ca_certs:
                 data = ca_cert.public_bytes(serialization.Encoding.DER)
-                tmpdb.add_cert(data, str(DN(ca_cert.subject)), 'C,,')
+                tmpdb.add_cert(
+                    data, str(DN(ca_cert.subject)), EXTERNAL_CA_TRUST_FLAGS)
 
             try:
                 tmpdb.verify_ca_cert_validity('IPA CA')
@@ -270,7 +272,11 @@ class CACertManage(admintool.AdminTool):
                 except RuntimeError:
                     break
                 certstore.put_ca_cert_nss(
-                    conn, api.env.basedn, ca_cert, nickname, ',,')
+                    conn,
+                    api.env.basedn,
+                    ca_cert,
+                    nickname,
+                    EMPTY_TRUST_FLAGS)
 
         dn = DN(('cn', self.cert_nickname), ('cn', 'ca_renewal'),
                 ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
@@ -343,7 +349,7 @@ class CACertManage(admintool.AdminTool):
 
         with certs.NSSDatabase() as tmpdb:
             tmpdb.create_db()
-            tmpdb.add_cert(cert, nickname, 'C,,')
+            tmpdb.add_cert(cert, nickname, EXTERNAL_CA_TRUST_FLAGS)
             for ca_cert, ca_nickname, ca_trust_flags in ca_certs:
                 tmpdb.add_cert(ca_cert, ca_nickname, ca_trust_flags)
 
diff --git a/ipaserver/install/plugins/upload_cacrt.py b/ipaserver/install/plugins/upload_cacrt.py
index 425ea63976ec92a6d69492d90a1e970e528c4a26..7d294ff971bd109e5fbb3570bfff0198f24b68d3 100644
--- a/ipaserver/install/plugins/upload_cacrt.py
+++ b/ipaserver/install/plugins/upload_cacrt.py
@@ -55,7 +55,7 @@ class update_upload_cacrt(Updater):
             if 'u' in trust_flags:
                 continue
             if nickname == ca_nickname and ca_enabled:
-                trust_flags = 'CT,C,C'
+                trust_flags = certdb.IPA_CA_TRUST_FLAGS
             cert = db.get_cert_from_db(nickname, pem=False)
             trust, _ca, eku = certstore.trust_flags_to_key_policy(trust_flags)
 
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index aa8e67f60b8abe591d55a907c409b584c74d4541..5e78e6faf51ded2fe7634f230c66aa15ae84bad4 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -23,6 +23,7 @@ import ipaclient.install.ntpconf
 from ipalib.install import certstore, sysrestore
 from ipalib.install.kinit import kinit_keytab
 from ipapython import ipaldap, ipautil
+from ipapython.certdb import IPA_CA_TRUST_FLAGS
 from ipapython.dn import DN
 from ipapython.ipa_log_manager import root_logger
 from ipapython.admintool import ScriptError
@@ -737,7 +738,7 @@ def install_check(installer):
                                   nssdir=tmp_db_dir,
                                   subject_base=config.subject_base)
             if ca_enabled:
-                trust_flags = 'CT,C,C'
+                trust_flags = IPA_CA_TRUST_FLAGS
             else:
                 trust_flags = None
             tmp_db.create_from_pkcs12(pkcs12_info[0], pkcs12_info[1],
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 5e5c83731d3d3415deb61271baa7865c62f60336..73a4f1108a56a766cdbbcb93d7050482a8264a75 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1389,7 +1389,7 @@ def fix_trust_flags():
     nickname = certdb.get_ca_nickname(api.env.realm)
     cert = db.get_cert_from_db(nickname)
     if cert:
-        db.trust_root_cert(nickname, 'CT,C,C')
+        db.trust_root_cert(nickname, certdb.IPA_CA_TRUST_FLAGS)
 
     sysupgrade.set_upgrade_state('http', 'fix_trust_flags', True)
 
@@ -1407,7 +1407,7 @@ def fix_server_cert_trust_flags():
     sc_nickname = installutils.get_directive(paths.HTTPD_NSS_CONF,
                                              "NSSNickname")
     # Add trust flag which set certificate trusted for SSL connections.
-    db.trust_root_cert(sc_nickname, "P,,")
+    db.trust_root_cert(sc_nickname, certdb.TRUSTED_PEER_TRUST_FLAGS)
 
     sysupgrade.set_upgrade_state('http', 'fix_serv_cert_trust_flags', True)
 
-- 
2.9.4