freeipa/ipaserver/install/plugins/update_ra_cert_store.py

#
# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
#

from __future__ import absolute_import

import logging
import os
import tempfile

from ipalib import Registry
from ipalib import Updater
from ipalib.install import certmonger
from ipaplatform.paths import paths
from ipapython.certdb import NSSDatabase
from ipaserver.install import cainstance

logger = logging.getLogger(__name__)

register = Registry()


@register()
class update_ra_cert_store(Updater):
    """
    Moves the ipaCert store from /etc/httpd/alias RA_AGENT_PEM, RA_AGENT_KEY
    files
    """

    def execute(self, **options):
        ra_nick = 'ipaCert'
        ca_enabled = self.api.Command.ca_is_enabled()['result']
        if not ca_enabled:
            return False, []

        try:
            certdb = NSSDatabase(nssdir=paths.HTTPD_ALIAS_DIR)
        except ValueError as e:
            logger.warning("Problem opening NSS database in "
                           "%s. Skipping check for existing RA "
                           "agent certificate: %s", paths.HTTPD_ALIAS_DIR, e)
            return False, []

        if not certdb.has_nickname(ra_nick):
            # Nothign to do
            return False, []
        elif os.path.exists(paths.RA_AGENT_PEM):
            # even though the certificate file exists, we will overwrite it
            # as it's probabably something wrong anyway
            logger.warning(
                "A certificate with the nickname 'ipaCert' exists in "
                "the old '%s' NSS database as well as in the new "
                "PEM file '%s'",
                paths.HTTPD_ALIAS_DIR, paths.RA_AGENT_PEM)

        _fd, p12file = tempfile.mkstemp(dir=certdb.secdir)
        # no password is necessary as we will be saving it in clear anyway
        certdb.export_pkcs12(ra_nick, p12file, pkcs12_passwd='')

        # stop tracking the old cert and remove it
        certmonger.stop_tracking(paths.HTTPD_ALIAS_DIR, nickname=ra_nick)
        certdb.delete_key_and_cert(ra_nick)
        if os.path.exists(paths.OLD_KRA_AGENT_PEM):
            os.remove(paths.OLD_KRA_AGENT_PEM)

        # get the private key and certificate from the file and start
        # tracking it in certmonger
        ca = cainstance.CAInstance()
        ca.import_ra_cert(p12file)

        os.remove(p12file)

        return False, []