Imported Upstream version 4.3.1

This commit is contained in:
Mario Fetka
2021-08-10 02:37:58 +02:00
parent a791de49a2
commit 2f177da8f2
2056 changed files with 421730 additions and 1668138 deletions


@@ -2,32 +2,22 @@
# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
#
"""
KRA installer module
"""
from __future__ import absolute_import
import os
from ipalib import api
from ipalib.install.kinit import kinit_keytab
from ipalib import api, errors
from ipaplatform import services
from ipaplatform.paths import paths
from ipapython import certdb
from ipapython import ipautil
from ipapython.install.core import group
from ipapython.dn import DN
from ipaserver.install import custodiainstance
from ipaserver.install import cainstance
from ipaserver.install import krainstance
from ipaserver.install import dsinstance
from ipaserver.install import service as _service
from . import dogtag
from ipaserver.install import service
def install_check(api, replica_config, options):
if replica_config is not None and not replica_config.setup_kra:
return
kra = krainstance.KRAInstance(api.env.realm)
if kra.is_installed():
raise RuntimeError("KRA is already installed.")
@@ -50,79 +40,75 @@ def install_check(api, replica_config, options):
"KRA is not installed on the master system. Please use "
"'ipa-kra-install' command to install the first instance.")
if options.promote:
return
def install(api, replica_config, options, custodia):
with certdb.NSSDatabase() as tmpdb:
pw = ipautil.write_tmp_file(ipautil.ipa_generate_password())
tmpdb.create_db(pw.name)
tmpdb.import_pkcs12(replica_config.dir + "/cacert.p12", pw.name,
replica_config.dirman_password)
kra_cert_nicknames = [
"storageCert cert-pki-kra", "transportCert cert-pki-kra",
"auditSigningCert cert-pki-kra"
]
if not all(tmpdb.has_nickname(nickname)
for nickname in kra_cert_nicknames):
raise RuntimeError("Missing KRA certificates, please create a "
"new replica file.")
def install(api, replica_config, options):
subject = dsinstance.DsInstance().find_subject_base()
if replica_config is None:
if not options.setup_kra:
return
realm_name = api.env.realm
dm_password = options.dm_password
host_name = api.env.host
subject_base = dsinstance.DsInstance().find_subject_base()
pkcs12_info = None
master_host = None
promote = False
kra = krainstance.KRAInstance(api.env.realm)
kra.configure_instance(
api.env.realm, api.env.host, options.dm_password,
options.dm_password, subject_base=subject)
else:
if not replica_config.setup_kra:
if options.promote:
ca_data = (os.path.join(replica_config.dir, 'kracert.p12'),
replica_config.dirman_password)
custodia = custodiainstance.CustodiaInstance(
replica_config.host_name, replica_config.realm_name)
custodia.get_kra_keys(replica_config.kra_host_name,
ca_data[0], ca_data[1])
kra = krainstance.KRAInstance(replica_config.realm_name)
kra.configure_replica(replica_config.host_name,
replica_config.kra_host_name,
replica_config.dirman_password,
kra_cert_bundle=ca_data)
return
krafile = os.path.join(replica_config.dir, 'kracert.p12')
with ipautil.private_ccache():
ccache = os.environ['KRB5CCNAME']
kinit_keytab(
'host/{env.host}@{env.realm}'.format(env=api.env),
paths.KRB5_KEYTAB,
ccache)
custodia.get_kra_keys(
krafile,
replica_config.dirman_password)
realm_name = replica_config.realm_name
dm_password = replica_config.dirman_password
host_name = replica_config.host_name
subject_base = replica_config.subject_base
else:
kra = krainstance.install_replica_kra(replica_config)
pkcs12_info = (krafile,)
master_host = replica_config.kra_host_name
promote = True
kra = krainstance.KRAInstance(realm_name)
kra.configure_instance(realm_name, host_name, dm_password, dm_password,
subject_base=subject_base,
pkcs12_info=pkcs12_info,
master_host=master_host,
promote=promote)
_service.print_msg("Restarting the directory server")
service.print_msg("Restarting the directory server")
ds = dsinstance.DsInstance()
ds.restart()
kra.enable_client_auth_to_db()
kra.ldap_enable('KRA', api.env.host, options.dm_password, api.env.basedn)
kra.enable_client_auth_to_db(paths.KRA_CS_CFG_PATH)
# Restart apache for new proxy config file
services.knownservices.httpd.restart(capture_output=True)
# Restarted named-pkcs11 to restore bind-dyndb-ldap operation, see
# https://pagure.io/freeipa/issue/5813
named = services.knownservices.named # alias for named-pkcs11
if named.is_running():
named.restart(capture_output=True)
def uninstall():
def uninstall(standalone):
kra = krainstance.KRAInstance(api.env.realm)
kra.stop_tracking_certificates()
if standalone:
kra.ldap_connect()
try:
kra.admin_conn.delete_entry(DN(('cn', 'KRA'), ('cn', api.env.host),
('cn', 'masters'), ('cn', 'ipa'),
('cn', 'etc'), api.env.basedn))
except errors.NotFound:
pass
kra.stop_tracking_certificates(stop_certmonger=not standalone)
if kra.is_installed():
kra.uninstall()
@group
class KRAInstallInterface(dogtag.DogtagInstallInterface):
"""
Interface of the KRA installer
Knobs defined here will be available in:
* ipa-server-install
* ipa-replica-prepare
* ipa-replica-install
* ipa-kra-install
"""
description = "KRA"