From 7bbf7dbc27d1bcde8bf3e4d0bb8fec65de2660c8 Mon Sep 17 00:00:00 2001
From: Martin Babinsky
Date: Wed, 21 Jun 2017 18:52:57 +0200
Subject: [PATCH] smart-card advises: add steps to store smart card signing CA cert
On master, upload the CA certificate to IPA LDAP and NSS databases. On both master and client run ipa-certupdate to update client-side CA certificate bundles used as PKINIT anchors. https://pagure.io/freeipa/issue/7036
Reviewed-By: Florence Blanc-Renaud
Reviewed-By: Alexander Bokovoy
---
ipaserver/advise/plugins/smart_card_auth.py | 46 +++++++++++++++++++++++------
1 file changed, 37 insertions(+), 9 deletions(-)
diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py
index 0ee4808d47aa87a4b1b838d427e9958d98075a4a..0217bd190778f1235981a49e7b0764b8b9cdf582 100644
--- a/ipaserver/advise/plugins/smart_card_auth.py
+++ b/ipaserver/advise/plugins/smart_card_auth.py
@@ -3,6 +3,7 @@ # from ipalib.plugable import Registry +from ipaplatform import services from ipaplatform.paths import paths from ipaserver.advise.base import Advice from ipaserver.install.httpinstance import NSS_OCSP_ENABLED
@@ -19,6 +20,16 @@ class common_smart_card_auth_config(Advice): systemwide_nssdb = paths.NSS_DB_DIR smart_card_ca_cert_variable_name = "SC_CA_CERT" + def check_ccache_not_empty(self): + self.log.comment('Check whether the credential cache is not empty') + self.log.exit_on_failed_command( + 'klist', + [ + "Credential cache is empty", + 'Use kinit as privileged user to obtain Kerberos credentials' + ]) + + def check_and_set_ca_cert_path(self): ca_path_variable = self.smart_card_ca_cert_variable_name self.log.command("{}=$1".format(ca_path_variable))
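Review bot: `klist` with no arguments, as used in the moved check_ccache_not_empty, exits non-zero only when the cache cannot be read; with a TGT that has already expired it still lists the tickets and exits 0, so the check passes and the later steps that need Kerberos credentials fail with a less specific error. `klist -s` exits with status 1 when the cache is missing or holds only expired credentials, which is the condition the message text describes, so consider `'klist -s',` in place of `'klist',`. The method is moved verbatim from config_server_for_smart_card_auth into the shared base, so the change would apply to both generated scripts.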
@@ -40,6 +51,20 @@ class common_smart_card_auth_config(Advice): ) ) + def install_smart_card_signing_ca_cert(self): + self.log.exit_on_failed_command( + 'ipa-cacert-manage install ${} -t CT,C,C'.format( + self.smart_card_ca_cert_variable_name + ), + ['Failed to install external CA certificate to IPA'] + ) + + def update_ipa_ca_certificate_store(self): + self.log.exit_on_failed_command( + 'ipa-certupdate', + ['Failed to update IPA CA certificate database'] + ) + @register() class config_server_for_smart_card_auth(common_smart_card_auth_config):
@@ -56,6 +81,7 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config): nss_conf = paths.HTTPD_NSS_CONF nss_ocsp_directive = 'NSSOCSP' nss_nickname_directive = 'NSSNickname' + kdc_service_name = services.knownservices.krb5kdc.systemd_name def get_info(self): self.log.exit_on_nonroot_euid()
@@ -70,15 +96,8 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config): self.check_and_enable_pkinit() self.enable_ok_to_auth_as_delegate_on_http_principal() self.upload_smartcard_ca_certificate_to_systemwide_db() - - def check_ccache_not_empty(self): - self.log.comment('Check whether the credential cache is not empty') - self.log.exit_on_failed_command( - 'klist', - [ - "Credential cache is empty", - 'Use kinit as privileged user to obtain Kerberos credentials' - ]) + self.update_ipa_ca_certificate_store() + self.restart_kdc() def check_hostname_is_in_masters(self): self.log.comment('Check whether the host is IPA master')
@@ -193,6 +212,12 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config): ["Failed to set OK_AS_AUTH_AS_DELEGATE flag on HTTP principal"] ) + def restart_kdc(self): + self.log.exit_on_failed_command( + 'systemctl restart {}'.format(self.kdc_service_name), + ['Failed to restart KDC. Please restart the service manually.'] + ) + @register() class config_client_for_smart_card_auth(common_smart_card_auth_config):
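Review bot: The `${SC_CA_CERT}` expansion in install_smart_card_signing_ca_cert is unquoted in the generated shell, so a certificate path containing whitespace or glob characters is split before it reaches ipa-cacert-manage; `'ipa-cacert-manage install "${}" -t CT,C,C'.format(` keeps it as one argument (the variable is assigned from `$1` in check_and_set_ca_cert_path, and I cannot see from this hunk how the existing systemwide-db upload step quotes it). The trust flags `CT,C,C` also make the smart-card CA a trusted issuer of SSL server, e-mail and object-signing certificates, not only of client certificates; if smart-card logon needs only client-auth trust, a narrower flag set keeps the granted trust to what the feature uses. Either way the `-t` choice deserves a comment, e.g. `# CT,C,C: trusted CA for SSL client (T) and server (C) certs, and for e-mail and object-signing certs`.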
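Review bot: The server-side get_info in the `@@ -70,15 +96,8 @@` hunk gains update_ipa_ca_certificate_store and restart_kdc but no call to the new install_smart_card_signing_ca_cert, while the client-side get_info in the `@@ -214,11 +239,14 @@` hunk does call it; the commit message places the LDAP upload on the master, so unless that step is added somewhere outside these hunks, only the client script runs `ipa-cacert-manage`. If the client script is expected to run on a host where ipa-cacert-manage is available, document that on the call, e.g. `# requires ipa-cacert-manage on this host -- confirm the client script is meant to run on a master`; otherwise the call probably belongs in the server get_info between upload_smartcard_ca_certificate_to_systemwide_db and update_ipa_ca_certificate_store. Both get_info bodies start outside their hunks.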
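Review bot: restart_kdc in the `@@ -193,6 +212,12 @@` hunk gives no reason for restarting the KDC; the call order in the server get_info (update_ipa_ca_certificate_store immediately followed by restart_kdc) and the commit message suggest it is so the KDC picks up the CA bundle that ipa-certupdate refreshed, but the method does not say so. A short docstring would save the next reader that inference, e.g. `"""Restart the KDC so it reloads the CA certificate store refreshed by ipa-certupdate."""`, hedged if the exact reason differs.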
@@ -214,11 +239,14 @@ class config_client_for_smart_card_auth(common_smart_card_auth_config): def get_info(self): self.log.exit_on_nonroot_euid() self.check_and_set_ca_cert_path() + self.check_ccache_not_empty() self.check_and_remove_pam_pkcs11() self.install_opensc_and_dconf_packages() self.start_enable_smartcard_daemon() self.add_pkcs11_module_to_systemwide_db() self.upload_smartcard_ca_certificate_to_systemwide_db() + self.install_smart_card_signing_ca_cert() + self.update_ipa_ca_certificate_store() self.run_authconfig_to_configure_smart_card_auth() self.restart_sssd()
-- 2.9.4