From 7bbf7dbc27d1bcde8bf3e4d0bb8fec65de2660c8 Mon Sep 17 00:00:00 2001

From: Martin Babinsky <mbabinsk@redhat.com>

Date: Wed, 21 Jun 2017 18:52:57 +0200

Subject: [PATCH] smart-card advises: add steps to store smart card signing CA

 cert

On master, upload the CA certificate to IPA LDAP and NSS databases. On

both master and client run ipa-certupdate to update client-side CA

certificate bundles used as PKINIT anchors.

https://pagure.io/freeipa/issue/7036

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

---

 ipaserver/advise/plugins/smart_card_auth.py | 46 +++++++++++++++++++++++------

 1 file changed, 37 insertions(+), 9 deletions(-)

diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py

index 0ee4808d47aa87a4b1b838d427e9958d98075a4a..0217bd190778f1235981a49e7b0764b8b9cdf582 100644

--- a/ipaserver/advise/plugins/smart_card_auth.py

+++ b/ipaserver/advise/plugins/smart_card_auth.py

@@ -3,6 +3,7 @@

 #

 from ipalib.plugable import Registry

+from ipaplatform import services

 from ipaplatform.paths import paths

 from ipaserver.advise.base import Advice

 from ipaserver.install.httpinstance import NSS_OCSP_ENABLED

@@ -19,6 +20,16 @@ class common_smart_card_auth_config(Advice):

     systemwide_nssdb = paths.NSS_DB_DIR

     smart_card_ca_cert_variable_name = "SC_CA_CERT"

+    def check_ccache_not_empty(self):

+        self.log.comment('Check whether the credential cache is not empty')

+        self.log.exit_on_failed_command(

+            'klist',

+            [

+                "Credential cache is empty",

+                'Use kinit as privileged user to obtain Kerberos credentials'

+            ])

+

+

     def check_and_set_ca_cert_path(self):

         ca_path_variable = self.smart_card_ca_cert_variable_name

         self.log.command("{}=$1".format(ca_path_variable))

@@ -40,6 +51,20 @@ class common_smart_card_auth_config(Advice):

             )

         )

+    def install_smart_card_signing_ca_cert(self):

+        self.log.exit_on_failed_command(

+            'ipa-cacert-manage install ${} -t CT,C,C'.format(

+                self.smart_card_ca_cert_variable_name

+            ),

+            ['Failed to install external CA certificate to IPA']

+        )

+

+    def update_ipa_ca_certificate_store(self):

+        self.log.exit_on_failed_command(

+            'ipa-certupdate',

+            ['Failed to update IPA CA certificate database']

+        )

+

 @register()

 class config_server_for_smart_card_auth(common_smart_card_auth_config):

@@ -56,6 +81,7 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config):

     nss_conf = paths.HTTPD_NSS_CONF

     nss_ocsp_directive = 'NSSOCSP'

     nss_nickname_directive = 'NSSNickname'

+    kdc_service_name = services.knownservices.krb5kdc.systemd_name

     def get_info(self):

         self.log.exit_on_nonroot_euid()

@@ -70,15 +96,8 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config):

         self.check_and_enable_pkinit()

         self.enable_ok_to_auth_as_delegate_on_http_principal()

         self.upload_smartcard_ca_certificate_to_systemwide_db()

-

-    def check_ccache_not_empty(self):

-        self.log.comment('Check whether the credential cache is not empty')

-        self.log.exit_on_failed_command(

-            'klist',

-            [

-                "Credential cache is empty",

-                'Use kinit as privileged user to obtain Kerberos credentials'

-            ])

+        self.update_ipa_ca_certificate_store()

+        self.restart_kdc()

     def check_hostname_is_in_masters(self):

         self.log.comment('Check whether the host is IPA master')

@@ -193,6 +212,12 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config):

             ["Failed to set OK_AS_AUTH_AS_DELEGATE flag on HTTP principal"]

         )

+    def restart_kdc(self):

+        self.log.exit_on_failed_command(

+            'systemctl restart {}'.format(self.kdc_service_name),

+            ['Failed to restart KDC. Please restart the service manually.']

+        )

+

 @register()

 class config_client_for_smart_card_auth(common_smart_card_auth_config):

@@ -214,11 +239,14 @@ class config_client_for_smart_card_auth(common_smart_card_auth_config):

     def get_info(self):

         self.log.exit_on_nonroot_euid()

         self.check_and_set_ca_cert_path()

+        self.check_ccache_not_empty()

         self.check_and_remove_pam_pkcs11()

         self.install_opensc_and_dconf_packages()

         self.start_enable_smartcard_daemon()

         self.add_pkcs11_module_to_systemwide_db()

         self.upload_smartcard_ca_certificate_to_systemwide_db()

+        self.install_smart_card_signing_ca_cert()

+        self.update_ipa_ca_certificate_store()

         self.run_authconfig_to_configure_smart_card_auth()

         self.restart_sssd()

-- 

2.9.4