Imported Upstream version 4.0.5

2021-07-25 07:50:50 +02:00
parent 8ff3be4216
commit 3bfaa6e020
2049 changed files with 317193 additions and 1632423 deletions
--- a/ipaserver/install/plugins/upload_cacrt.py
+++ b/ipaserver/install/plugins/upload_cacrt.py
@@ -17,104 +17,39 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.

-import logging
-
-from ipalib.install import certstore
-from ipaplatform.paths import paths
+from ipaserver.install.plugins import MIDDLE
+from ipaserver.install.plugins.baseupdate import PostUpdate
+from ipaserver.install.dsinstance import realm_to_serverid, config_dirname
 from ipaserver.install import certs
-from ipalib import Registry, errors
-from ipalib import Updater
-from ipapython import certdb
+from ipalib import api
 from ipapython.dn import DN
+import base64

-logger = logging.getLogger(__name__)
-
-register = Registry()
-
-
-@register()
-class update_upload_cacrt(Updater):
+class update_upload_cacrt(PostUpdate):
    """
    Upload public CA certificate to LDAP
    """
+    order=MIDDLE

    def execute(self, **options):
-        db = certs.CertDB(self.api.env.realm, paths.HTTPD_ALIAS_DIR)
-        ca_cert = None
+        ldap = self.obj.backend
+        ipa_config = ldap.get_ipa_config()
+        subject_base = ipa_config.get('ipacertificatesubjectbase', [None])[0]
+        dirname = config_dirname(realm_to_serverid(api.env.realm))
+        certdb = certs.CertDB(api.env.realm, nssdir=dirname, subject_base=subject_base)

-        ca_enabled = self.api.Command.ca_is_enabled()['result']
-        if ca_enabled:
-            ca_nickname = certdb.get_ca_nickname(self.api.env.realm)
-            ca_subject = certstore.get_ca_subject(
-                self.api.Backend.ldap2,
-                self.api.env.container_ca,
-                self.api.env.basedn)
-        else:
-            ca_nickname = None
-            server_certs = db.find_server_certs()
-            if server_certs:
-                ca_chain = db.find_root_cert(server_certs[0][0])[:-1]
-                if ca_chain:
-                    ca_nickname = ca_chain[-1]
+        dercert = certdb.get_cert_from_db(certdb.cacert_name, pem=False)

-        ldap = self.api.Backend.ldap2
+        updates = {}
+        dn = DN(('cn', 'CACert'), ('cn', 'ipa'), ('cn','etc'), api.env.basedn)

-        for nickname, trust_flags in db.list_certs():
-            if trust_flags.has_key:
-                continue
-            cert = db.get_cert_from_db(nickname)
-            subject = cert.subject
-            if ca_enabled and subject == ca_subject:
-                # When ca is enabled, we can have the IPA CA cert stored
-                # in the nss db with a different nickname (for instance
-                # when the server was installed with --subject to
-                # customize the CA cert subject), but it must always be
-                # stored in LDAP with the DN cn=$DOMAIN IPA CA
-                # This is why we check the subject instead of the nickname here
-                nickname = ca_nickname
-                trust_flags = certdb.IPA_CA_TRUST_FLAGS
-            trust, _ca, eku = certstore.trust_flags_to_key_policy(trust_flags)
+        cacrt_entry = ['objectclass:nsContainer',
+                       'objectclass:pkiCA',
+                       'cn:CAcert',
+                       'cACertificate;binary:%s' % dercert,
+                      ]
+        updates[dn] = {'dn': dn, 'default': cacrt_entry}

-            dn = DN(('cn', nickname), ('cn', 'certificates'), ('cn', 'ipa'),
-                    ('cn','etc'), self.api.env.basedn)
-            entry = ldap.make_entry(dn)
+        return (False, True, [updates])

-            try:
-                certstore.init_ca_entry(entry, cert, nickname, trust, eku)
-            except Exception as e:
-                logger.warning("Failed to create entry for %s: %s",
-                               nickname, e)
-                continue
-            if nickname == ca_nickname:
-                ca_cert = cert
-                config = entry.setdefault('ipaConfigString', [])
-                if ca_enabled:
-                    config.append('ipaCa')
-                config.append('ipaCa')
-
-            try:
-                ldap.add_entry(entry)
-            except errors.DuplicateEntry:
-                if nickname == ca_nickname and ca_enabled:
-                    try:
-                        ldap.update_entry(entry)
-                    except errors.EmptyModlist:
-                        pass
-
-        if ca_cert:
-            dn = DN(('cn', 'CACert'), ('cn', 'ipa'), ('cn','etc'),
-                    self.api.env.basedn)
-            try:
-                entry = ldap.get_entry(dn)
-            except errors.NotFound:
-                entry = ldap.make_entry(dn)
-                entry['objectclass'] = ['nsContainer', 'pkiCA']
-                entry.single_value['cn'] = 'CAcert'
-                entry.single_value['cACertificate;binary'] = ca_cert
-                ldap.add_entry(entry)
-            else:
-                if b'' in entry['cACertificate;binary']:
-                    entry.single_value['cACertificate;binary'] = ca_cert
-                    ldap.update_entry(entry)
-
-        return False, []
+api.register(update_upload_cacrt)