Blob Blame History Raw
From 78eaf8b944f1b8f177aedabeaaeaa72c1dc4091e Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Mon, 14 Sep 2015 07:56:44 +0200
Subject: [PATCH] install: support KRA update

https://fedorahosted.org/freeipa/ticket/5250

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
---
 freeipa.spec.in                  |  1 -
 install/share/Makefile.am        |  2 +-
 install/share/vault.ldif         | 29 +++++++++++++++++++++++++++++
 install/share/vault.update       | 38 --------------------------------------
 install/updates/40-vault.update  | 23 +++++++++++++++++++++++
 install/updates/Makefile.am      |  1 +
 ipaplatform/base/paths.py        |  1 -
 ipaserver/install/krainstance.py |  7 ++++++-
 8 files changed, 60 insertions(+), 42 deletions(-)
 create mode 100644 install/share/vault.ldif
 delete mode 100644 install/share/vault.update
 create mode 100644 install/updates/40-vault.update

diff --git a/freeipa.spec.in b/freeipa.spec.in
index e9ba596fec1f8d179d4f834485e35a4814db898d..d8e24a5af47fbfca89ccb9c3d07dcfca5a8073d9 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -746,7 +746,6 @@ fi
 %{_usr}/share/ipa/copy-schema-to-ca.py*
 %{_usr}/share/ipa/*.ldif
 %{_usr}/share/ipa/*.uldif
-%{_usr}/share/ipa/*.update
 %{_usr}/share/ipa/*.template
 %dir %{_usr}/share/ipa/advise
 %dir %{_usr}/share/ipa/advise/legacy
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 80e959a751a0800c4d56c379a73b68a2f12570d7..d68c40e693a1d86c70d8ccd81ef2c915b2e1f61e 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -83,7 +83,7 @@ app_DATA =				\
 	copy-schema-to-ca.py		\
 	sasl-mapping-fallback.ldif	\
 	schema-update.ldif		\
-	vault.update			\
+	vault.ldif			\
 	kdcproxy.conf			\
 	kdcproxy-enable.uldif		\
 	kdcproxy-disable.uldif		\
diff --git a/install/share/vault.ldif b/install/share/vault.ldif
new file mode 100644
index 0000000000000000000000000000000000000000..06dd83c5c45bd3143b8374965b9a02d311afdb42
--- /dev/null
+++ b/install/share/vault.ldif
@@ -0,0 +1,29 @@
+dn: cn=kra,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+cn: kra
+
+dn: cn=vaults,cn=kra,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: ipaVaultContainer
+cn: vaults
+
+dn: cn=services,cn=vaults,cn=kra,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: ipaVaultContainer
+cn: services
+
+dn: cn=shared,cn=vaults,cn=kra,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: ipaVaultContainer
+cn: shared
+
+dn: cn=users,cn=vaults,cn=kra,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: ipaVaultContainer
+cn: users
diff --git a/install/share/vault.update b/install/share/vault.update
deleted file mode 100644
index 4f0023840b34c2d2bae4e362e34be1764c430ad1..0000000000000000000000000000000000000000
--- a/install/share/vault.update
+++ /dev/null
@@ -1,38 +0,0 @@
-dn: cn=kra,$SUFFIX
-default: objectClass: top
-default: objectClass: nsContainer
-default: cn: kra
-
-dn: cn=vaults,cn=kra,$SUFFIX
-default: objectClass: top
-default: objectClass: ipaVaultContainer
-default: cn: vaults
-default: aci: (target="ldap:///cn=*,cn=users,cn=vaults,cn=kra,$SUFFIX")(targetfilter="(objectClass=ipaVaultContainer)")(version 3.0; acl "Allow users to create private container"; allow(add) userdn="ldap:///uid=($$attr.cn),cn=users,cn=accounts,$SUFFIX" and userattr="owner#SELFDN";)
-default: aci: (target="ldap:///cn=*,cn=services,cn=vaults,cn=kra,$SUFFIX")(targetfilter="(objectClass=ipaVaultContainer)")(version 3.0; acl "Allow services to create private container"; allow(add) userdn="ldap:///krbprincipalname=($$attr.cn)@$REALM,cn=services,cn=accounts,$SUFFIX" and userattr="owner#SELFDN";)
-default: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description || owner")(version 3.0; acl "Container owners can access the container"; allow(read, search, compare) userattr="owner#USERDN";)
-default: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description || owner")(version 3.0; acl "Indirect container owners can access the container"; allow(read, search, compare) userattr="owner#GROUPDN";)
-default: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description")(version 3.0; acl "Container owners can manage the container"; allow(write, delete) userattr="owner#USERDN";)
-default: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description")(version 3.0; acl "Indirect container owners can manage the container"; allow(write, delete) userattr="owner#GROUPDN";)
-default: aci: (targetfilter="(objectClass=ipaVault)")(version 3.0; acl "Container owners can add vaults in the container"; allow(add) userattr="parent[1].owner#USERDN" and userattr="owner#SELFDN";)
-default: aci: (targetfilter="(objectClass=ipaVault)")(version 3.0; acl "Indirect container owners can add vaults in the container"; allow(add) userattr="parent[1].owner#GROUPDN" and userattr="owner#SELFDN";)
-default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || owner || member")(version 3.0; acl "Vault owners can access the vault"; allow(read, search, compare) userattr="owner#USERDN";)
-default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || owner || member")(version 3.0; acl "Indirect vault owners can access the vault"; allow(read, search, compare) userattr="owner#GROUPDN";)
-default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || owner || member")(version 3.0; acl "Vault members can access the vault"; allow(read, search, compare) userattr="member#USERDN";)
-default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || owner || member")(version 3.0; acl "Indirect vault members can access the vault"; allow(read, search, compare) userattr="member#GROUPDN";)
-default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || member")(version 3.0; acl "Vault owners can manage the vault"; allow(write, delete) userattr="owner#USERDN";)
-default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || member")(version 3.0; acl "Indirect vault owners can manage the vault"; allow(write, delete) userattr="owner#GROUPDN";)
-
-dn: cn=services,cn=vaults,cn=kra,$SUFFIX
-default: objectClass: top
-default: objectClass: ipaVaultContainer
-default: cn: services
-
-dn: cn=shared,cn=vaults,cn=kra,$SUFFIX
-default: objectClass: top
-default: objectClass: ipaVaultContainer
-default: cn: shared
-
-dn: cn=users,cn=vaults,cn=kra,$SUFFIX
-default: objectClass: top
-default: objectClass: ipaVaultContainer
-default: cn: users
diff --git a/install/updates/40-vault.update b/install/updates/40-vault.update
new file mode 100644
index 0000000000000000000000000000000000000000..3daea5b1988333d4d482463af0eec4163e4f0760
--- /dev/null
+++ b/install/updates/40-vault.update
@@ -0,0 +1,23 @@
+dn: cn=vaults,cn=kra,$SUFFIX
+remove: aci: (target="ldap:///cn=*,cn=users,cn=vaults,cn=kra,$SUFFIX")(version 3.0; acl "Allow users to create private container"; allow (add) userdn = "ldap:///uid=($$attr.cn),cn=users,cn=accounts,$SUFFIX";)
+remove: aci: (target="ldap:///cn=*,cn=services,cn=vaults,cn=kra,$SUFFIX")(version 3.0; acl "Allow services to create private container"; allow (add) userdn = "ldap:///krbprincipalname=($$attr.cn)@$REALM,cn=services,cn=accounts,$SUFFIX";)
+remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Container owners can manage vaults in the container"; allow(read, search, compare, add, delete) userattr="parent[1].owner#USERDN";)
+remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect container owners can manage vaults in the container"; allow(read, search, compare, add, delete) userattr="parent[1].owner#GROUPDN";)
+remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Vault members can access the vault"; allow(read, search, compare) userattr="member#USERDN";)
+remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect vault members can access the vault"; allow(read, search, compare) userattr="member#GROUPDN";)
+remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Vault owners can manage the vault"; allow(read, search, compare, write) userattr="owner#USERDN";)
+remove: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect vault owners can manage the vault"; allow(read, search, compare, write) userattr="owner#GROUPDN";)
+addifexist: aci: (target="ldap:///cn=*,cn=users,cn=vaults,cn=kra,$SUFFIX")(targetfilter="(objectClass=ipaVaultContainer)")(version 3.0; acl "Allow users to create private container"; allow(add) userdn="ldap:///uid=($$attr.cn),cn=users,cn=accounts,$SUFFIX" and userattr="owner#SELFDN";)
+addifexist: aci: (target="ldap:///cn=*,cn=services,cn=vaults,cn=kra,$SUFFIX")(targetfilter="(objectClass=ipaVaultContainer)")(version 3.0; acl "Allow services to create private container"; allow(add) userdn="ldap:///krbprincipalname=($$attr.cn)@$REALM,cn=services,cn=accounts,$SUFFIX" and userattr="owner#SELFDN";)
+addifexist: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description || owner")(version 3.0; acl "Container owners can access the container"; allow(read, search, compare) userattr="owner#USERDN";)
+addifexist: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description || owner")(version 3.0; acl "Indirect container owners can access the container"; allow(read, search, compare) userattr="owner#GROUPDN";)
+addifexist: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description")(version 3.0; acl "Container owners can manage the container"; allow(write, delete) userattr="owner#USERDN";)
+addifexist: aci: (targetfilter="(objectClass=ipaVaultContainer)")(targetattr="objectClass || cn || description")(version 3.0; acl "Indirect container owners can manage the container"; allow(write, delete) userattr="owner#GROUPDN";)
+addifexist: aci: (targetfilter="(objectClass=ipaVault)")(version 3.0; acl "Container owners can add vaults in the container"; allow(add) userattr="parent[1].owner#USERDN" and userattr="owner#SELFDN";)
+addifexist: aci: (targetfilter="(objectClass=ipaVault)")(version 3.0; acl "Indirect container owners can add vaults in the container"; allow(add) userattr="parent[1].owner#GROUPDN" and userattr="owner#SELFDN";)
+addifexist: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || owner || member")(version 3.0; acl "Vault owners can access the vault"; allow(read, search, compare) userattr="owner#USERDN";)
+addifexist: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || owner || member")(version 3.0; acl "Indirect vault owners can access the vault"; allow(read, search, compare) userattr="owner#GROUPDN";)
+addifexist: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || owner || member")(version 3.0; acl "Vault members can access the vault"; allow(read, search, compare) userattr="member#USERDN";)
+addifexist: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || owner || member")(version 3.0; acl "Indirect vault members can access the vault"; allow(read, search, compare) userattr="member#GROUPDN";)
+addifexist: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || member")(version 3.0; acl "Vault owners can manage the vault"; allow(write, delete) userattr="owner#USERDN";)
+addifexist: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="objectClass || cn || description || ipaVaultType || ipaVaultSalt || ipaVaultPublicKey || member")(version 3.0; acl "Indirect vault owners can manage the vault"; allow(write, delete) userattr="owner#GROUPDN";)
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 1f4a91c9bb4222f99ad7a7ad16e376aeef7f525b..26e4c04ed66a4a2061a3bb3ca2f4a6cd84502598 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -34,6 +34,7 @@ app_DATA =				\
 	40-automember.update		\
 	40-certprofile.update		\
 	40-otp.update			\
+	40-vault.update			\
 	41-caacl.update			\
 	45-roles.update			\
 	50-7_bit_check.update	        \
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index ff75e0d7a5a0250ce71e67b0302bbaab64c5e935..3930c93fcba06959dd34507ecc29f92e33637775 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -251,7 +251,6 @@ class BasePathNamespace(object):
     SCHEMA_COMPAT_ULDIF = "/usr/share/ipa/schema_compat.uldif"
     IPA_JS_PLUGINS_DIR = "/usr/share/ipa/ui/js/plugins"
     UPDATES_DIR = "/usr/share/ipa/updates/"
-    VAULT_UPDATE = "/usr/share/ipa/vault.update"
     PKI_CONF_SERVER_XML_TEMPLATE = "/usr/share/pki/%s/conf/server.xml"
     CACHE_IPA_SESSIONS = "/var/cache/ipa/sessions"
     VAR_KERBEROS_KRB5KDC_DIR = "/var/kerberos/krb5kdc/"
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index 958fe6fb095e69f83342ce8299d1586b8bbacd47..48268b0be5331cced1aee6b7f3358333b65de6dd 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -124,6 +124,7 @@ class KRAInstance(DogtagInstance):
         self.step("configure HTTP to proxy connections",
                   self.http_proxy)
         self.step("add vault container", self.__add_vault_container)
+        self.step("apply LDAP updates", self.__apply_updates)
 
         self.start_creation(runtime=126)
 
@@ -313,13 +314,17 @@ class KRAInstance(DogtagInstance):
         conn.disconnect()
 
     def __add_vault_container(self):
+        self._ldap_mod('vault.ldif', {'SUFFIX': self.suffix})
+        self.ldap_disconnect()
+
+    def __apply_updates(self):
         sub_dict = {
             'SUFFIX': self.suffix,
         }
 
         ld = ldapupdate.LDAPUpdate(dm_password=self.dm_password,
                                    sub_dict=sub_dict)
-        ld.update([paths.VAULT_UPDATE])
+        ld.update([os.path.join(paths.UPDATES_DIR, '40-vault.update')])
 
     @staticmethod
     def update_cert_config(nickname, cert, dogtag_constants=None):
-- 
2.4.3