Imported Upstream version 4.7.2
@@ -17,31 +17,39 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from ipaserver.install.plugins.baseupdate import PostUpdate
from ipaserver.install import installutils, certs, cainstance
from __future__ import absolute_import
import logging
from ipaserver.install import cainstance
from ipalib import errors
from ipalib import Updater
from ipalib.install import certmonger
from ipalib.plugable import Registry
from ipapython import certmonger, dogtag
from ipaplatform.paths import paths
from ipapython.dn import DN
from ipapython import directivesetter
logger = logging.getLogger(__name__)
register = Registry()
@register()
class update_ca_renewal_master(PostUpdate):
class update_ca_renewal_master(Updater):
"""
Set CA renewal master in LDAP.
"""
def execute(self, **options):
ca = cainstance.CAInstance(self.api.env.realm, certs.NSS_DIR)
ca = cainstance.CAInstance(self.api.env.realm)
if not ca.is_configured():
self.debug("CA is not configured on this host")
return (False, False, [])
logger.debug("CA is not configured on this host")
return False, []
ldap = self.obj.backend
ldap = self.api.Backend.ldap2
base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
self.api.env.basedn)
dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn)
filter = '(&(cn=CA)(ipaConfigString=caRenewalMaster))'
try:
entries = ldap.get_entries(base_dn=base_dn, filter=filter,
@@ -49,59 +57,77 @@ class update_ca_renewal_master(PostUpdate):
except errors.NotFound:
pass
else:
self.debug("found CA renewal master %s", entries[0].dn[1].value)
return (False, False, [])
logger.debug("found CA renewal master %s", entries[0].dn[1].value)
master = False
updates = []
for entry in entries:
if entry.dn == dn:
master = True
continue
updates.append({
'dn': entry.dn,
'updates': [
dict(action='remove', attr='ipaConfigString',
value='caRenewalMaster')
],
})
if master:
return False, updates
else:
return False, []
criteria = {
'cert-database': paths.HTTPD_ALIAS_DIR,
'cert-nickname': 'ipaCert',
'cert-file': paths.RA_AGENT_PEM,
}
request_id = certmonger.get_request_id(criteria)
if request_id is not None:
self.debug("found certmonger request for ipaCert")
logger.debug("found certmonger request for RA cert")
ca_name = certmonger.get_request_value(request_id, 'ca-name')
if ca_name is None:
self.warning(
"certmonger request for ipaCert is missing ca_name, "
logger.warning(
"certmonger request for RA cert is missing ca_name, "
"assuming local CA is renewal slave")
return (False, False, [])
return False, []
ca_name = ca_name.strip()
if ca_name == 'dogtag-ipa-renew-agent':
pass
elif ca_name == 'dogtag-ipa-retrieve-agent-submit':
return (False, False, [])
return False, []
elif ca_name == 'dogtag-ipa-ca-renew-agent':
return (False, False, [])
return False, []
else:
self.warning(
"certmonger request for ipaCert has unknown ca_name '%s', "
logger.warning(
"certmonger request for RA cert has unknown ca_name '%s', "
"assuming local CA is renewal slave", ca_name)
return (False, False, [])
return False, []
else:
self.debug("certmonger request for ipaCert not found")
logger.debug("certmonger request for RA cert not found")
config = installutils.get_directive(
dogtag.configured_constants().CS_CFG_PATH,
'subsystem.select', '=')
config = directivesetter.get_directive(
paths.CA_CS_CFG_PATH, 'subsystem.select', '=')
if config == 'New':
pass
elif config == 'Clone':
return (False, False, [])
return False, []
else:
self.warning(
logger.warning(
"CS.cfg has unknown subsystem.select value '%s', "
"assuming local CA is renewal slave", config)
return (False, False, [])
dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn)
update = {
dn: {
'dn': dn,
'updates': ['add:ipaConfigString: caRenewalMaster'],
},
'updates': [
dict(action='add', attr='ipaConfigString',
value='caRenewalMaster')
],
}
return (False, True, [update])
return False, [update]
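Review bot: The `else` branch for an unrecognized `subsystem.select` value still ends with the three-element `return (False, False, [])`, the only such return on the page that has no `return False, []` counterpart printed beside it, while every other exit of `execute` now returns the two-element `(restart, updates)` shape that the `Updater` framework unpacks. If that reading of the rendered hunk is right, an unexpected CS.cfg value would make the update step fail on tuple unpacking rather than take the intended "assume local CA is renewal slave" path, so the line should be `return False, []`. `execute` begins in the first hunk, above this one.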