Imported Debian patch 4.8.10-2

install/certmonger/Makefile.in

@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.16.1 from Makefile.am.
+# Makefile.in generated by automake 1.16.2 from Makefile.am.
 # @configure_input@
 
-# Copyright (C) 1994-2018 Free Software Foundation, Inc.
+# Copyright (C) 1994-2020 Free Software Foundation, Inc.
 
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -218,6 +218,8 @@ JSLINT = @JSLINT@
 KRAD_LIBS = @KRAD_LIBS@
 KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
 KRB5_CFLAGS = @KRB5_CFLAGS@
+KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
+KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
 KRB5_LIBS = @KRB5_LIBS@
 LD = @LD@
 LDAP_CFLAGS = @LDAP_CFLAGS@
@@ -260,11 +262,10 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 NSPR_CFLAGS = @NSPR_CFLAGS@
 NSPR_LIBS = @NSPR_LIBS@
-NSS_CFLAGS = @NSS_CFLAGS@
-NSS_LIBS = @NSS_LIBS@
 NUM_VERSION = @NUM_VERSION@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+ODS_GROUP = @ODS_GROUP@
 ODS_USER = @ODS_USER@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -285,8 +286,6 @@ POPT_LIBS = @POPT_LIBS@
 POSUB = @POSUB@
 PYLINT = @PYLINT@
 PYTHON = @PYTHON@
-PYTHON2 = @PYTHON2@
-PYTHON3 = @PYTHON3@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
@@ -374,7 +373,9 @@ program_transform_name = @program_transform_name@
 psdir = @psdir@
 pyexecdir = @pyexecdir@
 pythondir = @pythondir@
+runstatedir = @runstatedir@
 sbindir = @sbindir@
+selinux_makefile = @selinux_makefile@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 sysconfdir = @sysconfdir@
@@ -637,9 +638,12 @@ uninstall-am: uninstall-nodist_appSCRIPTS
 
 # special handling of Python scripts with auto-generated shebang line
 $(PYTHON_SHEBANG):%: %.in Makefile
-	$(AM_V_GEN)sed -e 's|@PYTHONSHEBANG[@]|#!$(PYTHON) -E|g' $< > $@
+	$(AM_V_GEN)sed -e 's|^#!/usr/bin/python3.*|#!$(PYTHON) -I|g' $< > $@
 	$(AM_V_GEN)chmod +x $@
 
+.PHONY: python_scripts_sub
+python_scripts_sub: $(PYTHON_SHEBANG)
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:

install/certmonger/dogtag-ipa-ca-renew-agent-submit.in

@@ -1,4 +1,4 @@
-@PYTHONSHEBANG@
+#!/usr/bin/python3
 #
 # Authors:
 #   Jan Cholasta <jcholast@redhat.com>
@@ -85,20 +85,8 @@ def get_nickname():
 
     ca_subject_dn = ca.lookup_ca_subject(api, subject_base)
 
-    nickname_by_subject_dn = {
-        DN(ca_subject_dn): 'caSigningCert cert-pki-ca',
-        DN('CN=CA Audit', subject_base): 'auditSigningCert cert-pki-ca',
-        DN('CN=OCSP Subsystem', subject_base): 'ocspSigningCert cert-pki-ca',
-        DN('CN=CA Subsystem', subject_base): 'subsystemCert cert-pki-ca',
-        DN('CN=KRA Audit', subject_base): 'auditSigningCert cert-pki-kra',
-        DN('CN=KRA Transport Certificate', subject_base):
-            'transportCert cert-pki-kra',
-        DN('CN=KRA Storage Certificate', subject_base):
-            'storageCert cert-pki-kra',
-        DN('CN=IPA RA', subject_base): 'ipaCert',
-    }
-
-    return nickname_by_subject_dn.get(DN(subject))
+    return cainstance.get_ca_renewal_nickname(
+        subject_base, ca_subject_dn, DN(subject))
 
 
 def is_replicated():
@@ -135,7 +123,9 @@ def call_handler(_handler, *args, **kwargs):
     operation = os.environ['CERTMONGER_OPERATION']
     if operation == 'POLL':
         cookie = os.environ.pop('CERTMONGER_CA_COOKIE', None)
-        if cookie is not None:
+        if cookie is None:
+            return (UNCONFIGURED, "Cookie not provided")
+        if len(cookie) > 0:
             try:
                 context = json.loads(cookie)
                 if not isinstance(context, dict):
@@ -143,7 +133,13 @@ def call_handler(_handler, *args, **kwargs):
             except (TypeError, ValueError):
                 return (UNCONFIGURED, "Invalid cookie: %r" % cookie)
         else:
-            return (UNCONFIGURED, "Cookie not provided")
+            # Reconstruct the data for the missing cookie. Sanity checking
+            # is done elsewhere, when needed.
+            context = dict(cookie=u'')
+            profile = os.environ.get('CERTMONGER_CA_PROFILE')
+            if profile is not None:
+                profile = profile.encode('ascii').decode('raw_unicode_escape')
+            context['profile'] = profile
 
         if 'profile' in context:
             profile = context.pop('profile')
@@ -215,9 +211,9 @@ def request_cert(reuse_existing, **kwargs):
              "--certfile", paths.RA_AGENT_PEM,
              "--keyfile", paths.RA_AGENT_KEY] +
             sys.argv[1:] +
-            ['--submit-option', "requestor_name=IPA"])
-    if os.environ.get('CERTMONGER_CA_PROFILE') == 'caCACert':
-        args += ['-N', '-O', 'bypassCAnotafter=true']
+            ['--submit-option', "requestor_name=IPA"] +
+            ['--force-new', '--approval-option', 'bypassCAnotafter=true']
+    )
     result = ipautil.run(args, raiseonerr=False, env=os.environ,
                          capture_output=True)
     if six.PY2:
@@ -270,23 +266,9 @@ def store_cert(**kwargs):
         return (REJECTED, "New certificate requests not supported")
     cert = x509.load_pem_x509_certificate(cert.encode('ascii'))
 
-    dn = DN(('cn', nickname), ('cn', 'ca_renewal'),
-            ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
     try:
         with ldap_connect() as conn:
-            try:
-                entry = conn.get_entry(dn, ['usercertificate'])
-                entry['usercertificate'] = [cert]
-                conn.update_entry(entry)
-            except errors.NotFound:
-                entry = conn.make_entry(
-                    dn,
-                    objectclass=['top', 'pkiuser', 'nscontainer'],
-                    cn=[nickname],
-                    usercertificate=[cert])
-                conn.add_entry(entry)
-            except errors.EmptyModlist:
-                pass
+            cainstance.update_ca_renewal_entry(conn, nickname, cert)
     except Exception as e:
         attempts += 1
         if attempts < 10:
@@ -420,7 +402,7 @@ def retrieve_cert(**kwargs):
     return result
 
 
-def renew_ca_cert(reuse_existing, **kwargs):
+def renew_ca_cert(reuse_existing, force_self_signed, **kwargs):
     """
     This is used for automatic CA certificate renewal.
     """
@@ -438,7 +420,8 @@ def renew_ca_cert(reuse_existing, **kwargs):
     if operation == 'SUBMIT':
         state = 'retrieve'
 
-        if not reuse_existing and is_renewal_master():
+        if (is_self_signed or force_self_signed) \
+                and not reuse_existing and is_renewal_master():
             state = 'request'
 
         csr_file = paths.IPA_CA_CSR
@@ -491,7 +474,9 @@ def renew_ca_cert(reuse_existing, **kwargs):
 def main():
     kwargs = {
         'reuse_existing': False,
+        'force_self_signed': False,
     }
+
     try:
         sys.argv.remove('--reuse-existing')
     except ValueError:
@@ -499,13 +484,22 @@ def main():
     else:
         kwargs['reuse_existing'] = True
 
-    api.bootstrap(in_server=True, context='renew', confdir=paths.ETC_IPA)
-    api.finalize()
+    try:
+        sys.argv.remove('--force-self-signed')
+    except ValueError:
+        pass
+    else:
+        kwargs['force_self_signed'] = True
 
     operation = os.environ.get('CERTMONGER_OPERATION')
     if operation not in ('SUBMIT', 'POLL'):
         return OPERATION_NOT_SUPPORTED_BY_HELPER
 
+    api.bootstrap(
+        in_server=True, context='renew', confdir=paths.ETC_IPA, log=None
+    )
+    api.finalize()
+
     tmpdir = tempfile.mkdtemp(prefix="tmp-")
     certs.renewal_lock.acquire()
     try:

install/certmonger/ipa-server-guard.in

@@ -1,4 +1,4 @@
-@PYTHONSHEBANG@
+#!/usr/bin/python3
 #
 # Authors:
 #   Jan Cholasta <jcholast@redhat.com>
@@ -19,45 +19,57 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-from __future__ import print_function
-
 import os
 # Prevent garbage from readline on standard output
 # (see https://fedorahosted.org/freeipa/ticket/4064)
 if not os.isatty(1):
     os.environ['TERM'] = 'dumb'
 import sys
-import syslog
-import traceback
 
-import six
+# Return codes. Names of the constants are taken from
+# https://git.fedorahosted.org/cgit/certmonger.git/tree/src/submit-e.h
+OPERATION_NOT_SUPPORTED_BY_HELPER = 6
 
-from ipapython import ipautil
-from ipaserver.install import certs
+
+def run_operation(cmd):
+    from ipapython import ipautil
+
+    result = ipautil.run(cmd, raiseonerr=False, env=os.environ)
+    # Write bytes directly
+    sys.stdout.buffer.write(result.raw_output)  #pylint: disable=no-member
+    sys.stderr.buffer.write(result.raw_error_output)  #pylint: disable=no-member
+    sys.stdout.flush()
+    sys.stderr.flush()
+
+    return result.returncode
 
 
 def main():
     if len(sys.argv) < 2:
         raise RuntimeError("Not enough arguments")
 
-    with certs.renewal_lock:
-        result = ipautil.run(sys.argv[1:], raiseonerr=False, env=os.environ)
-        if six.PY2:
-            sys.stdout.write(result.raw_output)
-            sys.stderr.write(result.raw_error_output)
-        else:
-            # Write bytes directly
-            sys.stdout.buffer.write(result.raw_output)  #pylint: disable=no-member
-            sys.stderr.buffer.write(result.raw_error_output)  #pylint: disable=no-member
-        sys.stdout.flush()
-        sys.stderr.flush()
+    # Avoid the lock if the operation is unsupported by ipa-submit
+    operation = os.environ.get('CERTMONGER_OPERATION')
+    if operation not in ('IDENTIFY',
+                         'FETCH-ROOTS',
+                         'GET-NEW-REQUEST-REQUIREMENTS',
+                         'SUBMIT',
+                         'POLL'):
+        return OPERATION_NOT_SUPPORTED_BY_HELPER
 
-    return result.returncode
+    if operation in ('SUBMIT', 'POLL', 'FETCH-ROOTS'):
+        from ipaserver.install import certs
+        with certs.renewal_lock:
+            return run_operation(sys.argv[1:])
+    else:
+        return run_operation(sys.argv[1:])
 
 
 try:
     sys.exit(main())
 except Exception as e:
+    import traceback
+    import syslog
     syslog.syslog(syslog.LOG_ERR, traceback.format_exc())
     print("Internal error")
     sys.exit(3)