From 1eb9cc7556357b1b8d6d826321cb38b1f96c1b7e Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Wed, 18 May 2016 14:10:39 +1000
Subject: [PATCH] Detect and repair incorrect caIPAserviceCert config
A regression caused replica installation to replace the FreeIPA
version of caIPAserviceCert with the version shipped by Dogtag.
During upgrade, detect and repair occurrences of this problem.
Part of: https://fedorahosted.org/freeipa/ticket/5881
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
ipaserver/install/cainstance.py | 49 ++++++++++++++++++++++++++++++++++---
ipaserver/install/server/upgrade.py | 3 +++
2 files changed, 49 insertions(+), 3 deletions(-)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 50ca5d3aeb9be24d8e1e80ad408191fca76a459c..a8a57c4ffdbec453c76a01b88a7d4a188c03be33 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1717,14 +1717,18 @@ def configure_profiles_acl():
conn.disconnect()
return updated
-def import_included_profiles():
+
+def __get_profile_config(profile_id):
sub_dict = dict(
DOMAIN=ipautil.format_netloc(api.env.domain),
IPA_CA_RECORD=IPA_CA_RECORD,
CRL_ISSUER='CN=Certificate Authority,o=ipaca',
SUBJECT_DN_O=dsinstance.DsInstance().find_subject_base(),
)
+ return ipautil.template_file(
+ '/usr/share/ipa/profiles/{}.cfg'.format(profile_id), sub_dict)
+def import_included_profiles():
server_id = installutils.realm_to_serverid(api.env.realm)
dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id
conn = ldap2.ldap2(api, ldap_uri=dogtag_uri)
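Review bot: The new helper is named `__get_profile_config` with two leading underscores, which at module level does not trigger name mangling and only makes the name awkward to reference; the file's existing private helpers use a single underscore (see `_create_dogtag_profile` used later in this patch), so `def _get_profile_config(profile_id):` would match the convention. The same name is referenced in the two following hunks (the call in `import_included_profiles` and in `repair_profile_caIPAserviceCert`), so the rename applies there too. The helper also lacks a docstring; a one-liner such as `"""Return the rendered contents of the bundled profile template for *profile_id*."""` would make its contract clear. `import_included_profiles` continues past the end of this hunk.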
@@ -1761,10 +1765,9 @@ def import_included_profiles():
ipacertprofilestoreissued=['TRUE' if store_issued else 'FALSE'],
)
conn.add_entry(entry)
- profile_data = ipautil.template_file(
- '/usr/share/ipa/profiles/{}.cfg'.format(profile_id), sub_dict)
# Create the profile, replacing any existing profile of same name
+ profile_data = __get_profile_config(profile_id)
_create_dogtag_profile(profile_id, profile_data, overwrite=True)
root_logger.info("Imported profile '%s'", profile_id)
@@ -1772,6 +1775,46 @@ def import_included_profiles():
conn.disconnect()
+def repair_profile_caIPAserviceCert():
+ """
+ A regression caused replica installation to replace the FreeIPA
+ version of caIPAserviceCert with the version shipped by Dogtag.
+
+ This function detects and repairs occurrences of this problem.
+
+ """
+ api.Backend.ra_certprofile._read_password()
+ api.Backend.ra_certprofile.override_port = 8443
+
+ profile_id = 'caIPAserviceCert'
+
+ with api.Backend.ra_certprofile as profile_api:
+ try:
+ cur_config = profile_api.read_profile(profile_id).splitlines()
+ except errors.RemoteRetrieveError as e:
+ # no profile there to check/repair
+ api.Backend.ra_certprofile.override_port = None
+ return
+
+ indicators = [
+ "policyset.serverCertSet.1.default.params.name="
+ "CN=$request.req_subject_name.cn$, OU=pki-ipa, O=IPA ",
+ "policyset.serverCertSet.9.default.params.crlDistPointsPointName_0="
+ "https://ipa.example.com/ipa/crl/MasterCRL.bin",
+ ]
+ need_repair = all(l in cur_config for l in indicators)
+
+ if need_repair:
+ root_logger.debug(
+ "Detected that profile '{}' has been replaced with "
+ "incorrect version; begin repair.".format(profile_id))
+ _create_dogtag_profile(
+ profile_id, __get_profile_config(profile_id), overwrite=True)
+ root_logger.debug("Repair of profile '{}' complete.".format(profile_id))
+
+ api.Backend.ra_certprofile.override_port = None
+
+
def migrate_profiles_to_ldap(dogtag_constants):
"""Migrate profiles from filesystem to LDAP.
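Review bot: `override_port` is reset to `None` only on the two happy-path exits, so if `read_profile` raises anything other than `RemoteRetrieveError`, or if `_create_dogtag_profile` fails during the repair, the backend is left pinned to port 8443 for the rest of the upgrade run; wrapping the body in `try/finally` makes the reset unconditional. Minor points in the same block: `except errors.RemoteRetrieveError as e:` binds `e` but never uses it, the comprehension variable `l` is easily confused with `1`, and since this rewrites a CA profile it seems worth logging at info level like the `root_logger.info("Imported profile '%s'", profile_id)` line in `import_included_profiles` rather than debug. The rewrite below keeps the detection and repair logic as is and only restructures the port handling.
```python
def repair_profile_caIPAserviceCert():
    # … unchanged: docstring …
    api.Backend.ra_certprofile._read_password()
    api.Backend.ra_certprofile.override_port = 8443
    try:
        profile_id = 'caIPAserviceCert'

        with api.Backend.ra_certprofile as profile_api:
            try:
                cur_config = profile_api.read_profile(profile_id).splitlines()
            except errors.RemoteRetrieveError:
                # no profile there to check/repair
                return

            # … unchanged: indicators list …
            need_repair = all(line in cur_config for line in indicators)

            # … unchanged: repair branch …
    finally:
        # always undo the port override, even if the read or repair failed
        api.Backend.ra_certprofile.override_port = None
```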
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index c53b19a937d559b25da256670a5205ab40e0cadb..b0cd789d58408f720774adb276843a1b6ab6007d 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1554,6 +1554,9 @@ def upgrade_configuration():
ca_import_included_profiles(ca)
add_default_caacl(ca)
+ if ca.is_configured():
+ cainstance.repair_profile_caIPAserviceCert()
+
set_sssd_domain_option('ipa_server_mode', 'True')
if ds_running and not ds.is_running():
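Review bot: An exception raised by `cainstance.repair_profile_caIPAserviceCert()` propagates out of `upgrade_configuration()` and skips every step after it, starting with `set_sssd_domain_option('ipa_server_mode', 'True')` on the following line; if a failed profile repair should not abort the rest of the upgrade, the call needs to be guarded or the repair function needs to catch and log its own failures. I cannot see how the preceding `ca_import_included_profiles(ca)` call handles errors, so the same treatment may already be expected here. `upgrade_configuration` starts and ends outside the hunk.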
--
2.5.5