[Freeipa-devel] [PATCHES 0001-0011 v3] Profile management
Fraser Tweedale
ftweedal at redhat.com
Wed May 20 14:41:06 UTC 2015
Hi Honza, Martin et al,
Latest patches attached. On top of previous patches (most review
matters addressed**) patches 0008..0011 add support for profiles and
user certificates to `ipa cert-request'.
** those that were not are being tracked at [1]; please add anything
I missed.
Some points to note:
- usercertificate is not yet a multi-valued attribute for users,
hosts and services.
QUESTION - we do want to allow multiple certificates for all
principal types, not just users? Or have I got that wrong.
- "DN and SAN match principal" checks are not implemented for users
yet.
- ACL was added to allow user principals to request their own
certificates, however, this will be further subject to CA/profile
ACLs which are to come.
- Pursuant to [2] revocation logic was removed from `cert-request'
[1] http://idm.etherpad.corp.redhat.com/rhel72-cert-mgmt-progress
[2] http://www.freeipa.org/page/V4/User_Certificates#Revocation_of_the_Certificates
Thanks,
Fraser
-------------- next part --------------
>From 07599bb290fdd23990c978489bc3b08d493caed6 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Mon, 20 Apr 2015 23:20:19 -0400
Subject: [PATCH 01/11] Install CA with LDAP profiles backend
Install the Dogtag CA to use the LDAPProfileSubsystem instead of the
default (file-based) ProfileSubsystem.
Part of: https://fedorahosted.org/freeipa/ticket/4560
---
ipaserver/install/cainstance.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 5133940687204b615eec56b6a89542ddd5617539..030c9f12daba4b38b748da8940e38d3cf2109788 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -503,6 +503,7 @@ class CAInstance(DogtagInstance):
config.set("CA", "pki_restart_configured_instance", "False")
config.set("CA", "pki_backup_keys", "True")
config.set("CA", "pki_backup_password", self.admin_password)
+ config.set("CA", "pki_profiles_in_ldap", "True")
# Client security database
config.set("CA", "pki_client_database_dir", self.agent_db)
--
2.1.0
-------------- next part --------------
>From c1fafbce7b077c6981381b727f1dc9571ccf2f19 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Tue, 21 Apr 2015 02:24:10 -0400
Subject: [PATCH 02/11] Add schema for certificate profiles
The certprofile object class is used to track IPA-managed
certificate profiles in Dogtag and store IPA-specific settings.
Part of: https://fedorahosted.org/freeipa/ticket/57
---
install/share/60certificate-profiles.ldif | 3 +++
install/share/Makefile.am | 1 +
install/share/bootstrap-template.ldif | 12 ++++++++++++
ipaserver/install/dsinstance.py | 1 +
4 files changed, 17 insertions(+)
create mode 100644 install/share/60certificate-profiles.ldif
diff --git a/install/share/60certificate-profiles.ldif b/install/share/60certificate-profiles.ldif
new file mode 100644
index 0000000000000000000000000000000000000000..dcf4680589c98dad165141b1e13946c161a6abd7
--- /dev/null
+++ b/install/share/60certificate-profiles.ldif
@@ -0,0 +1,3 @@
+dn: cn=schema
+attributeTypes: (2.16.840.1.113730.3.8.19.1.1 NAME 'ipaCertProfileStoreIssued' DESC 'Store certificates issued using this profile' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.2' )
+objectClasses: (2.16.840.1.113730.3.8.19.2.1 NAME 'ipaCertProfile' SUP top STRUCTURAL MUST ( cn $ description $ ipaCertProfileStoreIssued ) X-ORIGIN 'IPA v4.2' )
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index ca6128e2911ab5c0a773dd553f8e67eab944f120..2cae5279079cdd3e0d793667f4d1bf4e44757b9e 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -16,6 +16,7 @@ app_DATA = \
60basev3.ldif \
60ipadns.ldif \
60ipapk11.ldif \
+ 60certificate-profiles.ldif \
61kerberos-ipav3.ldif \
65ipacertstore.ldif \
65ipasudo.ldif \
diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index 06b82aa4ae74e7766d0c09a63aa75fa222e7ab7d..c5d4bad8b80640881f4631e4873a12c82b0ea48a 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -429,3 +429,15 @@ cn: ${REALM}_id_range
ipaBaseID: $IDSTART
ipaIDRangeSize: $IDRANGE_SIZE
ipaRangeType: ipa-local
+
+dn: cn=ca,$SUFFIX
+changetype: add
+objectClass: nsContainer
+objectClass: top
+cn: ca
+
+dn: cn=certprofiles,cn=ca,$SUFFIX
+changetype: add
+objectClass: nsContainer
+objectClass: top
+cn: certprofiles
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index f1d24e49d1b184efde1c8d18ff37d0e329037ccc..210992fc41127de29d41b889e33a312613ae28da 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -56,6 +56,7 @@ IPA_SCHEMA_FILES = ("60kerberos.ldif",
"60basev3.ldif",
"60ipapk11.ldif",
"60ipadns.ldif",
+ "60certificate-profiles.ldif",
"61kerberos-ipav3.ldif",
"65ipacertstore.ldif",
"65ipasudo.ldif",
--
2.1.0
-------------- next part --------------
>From fc1dfcd7f8a9241c81ac97164a6e5699da74aa1b Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Wed, 29 Apr 2015 06:07:58 -0400
Subject: [PATCH 03/11] ipa-pki-proxy: provide access to profiles REST API
Part of: https://fedorahosted.org/freeipa/ticket/57
---
install/conf/ipa-pki-proxy.conf | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf
index 5d21156848f3b5ddf14c42d92a26a30a9f94af36..366ca15a1868758547f9f1d3334fddba38793083 100644
--- a/install/conf/ipa-pki-proxy.conf
+++ b/install/conf/ipa-pki-proxy.conf
@@ -1,4 +1,4 @@
-# VERSION 5 - DO NOT REMOVE THIS LINE
+# VERSION 6 - DO NOT REMOVE THIS LINE
ProxyRequests Off
@@ -11,7 +11,7 @@ ProxyRequests Off
</LocationMatch>
# matches for admin port and installer
-<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/rest/installer/installToken|^/ca/admin/ca/updateNumberRange|^/ca/rest/securityDomain/domainInfo|^/ca/rest/account/login|^/ca/admin/ca/tokenAuthenticate|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/updateDomainXML|^/ca/rest/account/logout|^/ca/rest/securityDomain/installToken|^/ca/admin/ca/updateConnector|^/ca/admin/ca/getSubsystemCert|^/kra/admin/kra/updateNumberRange|^/kra/admin/kra/getConfigEntries|^/kra/rest/config/cert/transport">
+<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/rest/installer/installToken|^/ca/admin/ca/updateNumberRange|^/ca/rest/securityDomain/domainInfo|^/ca/admin/ca/tokenAuthenticate|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/updateDomainXML|^/ca/rest/securityDomain/installToken|^/ca/admin/ca/updateConnector|^/ca/admin/ca/getSubsystemCert|^/kra/admin/kra/updateNumberRange|^/kra/admin/kra/getConfigEntries|^/kra/rest/config/cert/transport">
NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
NSSVerifyClient none
ProxyPassMatch ajp://localhost:$DOGTAG_PORT
@@ -26,5 +26,13 @@ ProxyRequests Off
ProxyPassReverse ajp://localhost:$DOGTAG_PORT
</LocationMatch>
+# matches for REST API
+<LocationMatch "^/ca/rest/account/login|^/ca/rest/account/logout|^/ca/rest/profiles">
+ NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+ NSSVerifyClient require
+ ProxyPassMatch ajp://localhost:$DOGTAG_PORT
+ ProxyPassReverse ajp://localhost:$DOGTAG_PORT
+</LocationMatch>
+
# Only enable this on servers that are not generating a CRL
${CLONE}RewriteRule ^/ipa/crl/MasterCRL.bin https://$FQDN/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]
--
2.1.0
-------------- next part --------------
>From ae5f5dae49ad891864bbdcbc5c2d9f592521fe74 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Thu, 30 Apr 2015 23:50:41 -0400
Subject: [PATCH 04/11] Add ACL to allow CA agent to modify profiles
Part of: https://fedorahosted.org/freeipa/ticket/57
---
install/tools/ipa-upgradeconfig | 19 +++++++++++++++++++
ipaserver/install/cainstance.py | 26 ++++++++++++++++++++++++++
2 files changed, 45 insertions(+)
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index dfef1e0aa8b1507b7aa4907e9b688ce99253b87c..92c4934874f12c7017329bdcb67ac9a888f6e389 100755
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -31,6 +31,7 @@ import pwd
import fileinput
import ConfigParser
import grp
+import ldap
from ipalib import api
import SSSDConfig
@@ -40,6 +41,7 @@ from ipaplatform import services
from ipaplatform.tasks import tasks
from ipapython import ipautil, sysrestore, version, certdb
from ipapython.config import IPAOptionParser
+from ipapython.dn import DN
from ipapython.ipa_log_manager import *
from ipapython import certmonger
from ipapython import dogtag
@@ -322,6 +324,22 @@ def setup_firefox_extension(fstore):
http.setup_firefox_extension(realm, domain)
+def ca_configure_profiles_acl(ca):
+ root_logger.info('[Authorizing RA Agent to modify profiles]')
+
+ if not ca.is_configured():
+ root_logger.info('CA is not configured')
+ return False
+
+ if sysupgrade.get_upgrade_state('dogtag', 'agent_allow_profile_modify'):
+ return False
+
+ cainstance.configure_profiles_acl()
+
+ sysupgrade.set_upgrade_state('dogtag', 'agent_allow_profile_modifiy', True)
+ return True
+
+
def upgrade_ipa_profile(ca, domain, fqdn):
"""
Update the IPA Profile provided by dogtag
@@ -1420,6 +1438,7 @@ def main():
upgrade_ipa_profile(ca, api.env.domain, fqdn),
certificate_renewal_update(ca),
ca_enable_pkix(ca),
+ ca_configure_profiles_acl(ca),
])
if ca_restart:
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 030c9f12daba4b38b748da8940e38d3cf2109788..d85210e02a6b4a5e664d57965299d775836ae5c5 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -469,6 +469,7 @@ class CAInstance(DogtagInstance):
self.step("requesting RA certificate from CA", self.__request_ra_certificate)
self.step("issuing RA agent certificate", self.__issue_ra_cert)
self.step("adding RA agent as a trusted user", self.__configure_ra)
+ self.step("authorizing RA to modify profiles", self.__configure_profiles_acl)
self.step("configure certmonger for renewals", self.configure_certmonger_renewal)
self.step("configure certificate renewals", self.configure_renewal)
if not self.clone:
@@ -940,6 +941,10 @@ class CAInstance(DogtagInstance):
conn.unbind()
+ def __configure_profiles_acl(self):
+ """Allow the Certificate Manager Agents group to modify profiles."""
+ configure_profiles_acl()
+
def __run_certutil(self, args, database=None, pwd_file=None, stdin=None):
if not database:
database = self.ra_agent_db
@@ -1825,6 +1830,27 @@ def update_people_entry(dercert):
return True
+def configure_profiles_acl():
+ server_id = installutils.realm_to_serverid(api.env.realm)
+ dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id
+ updated = False
+
+ dn = DN(('cn', 'aclResources'), ('o', 'ipaca'))
+ rule = (
+ 'certServer.profile.configuration:read,modify:allow (read,modify) '
+ 'group="Certificate Manager Agents":'
+ 'Certificate Manager agents may modify (create/update/delete) and read profiles'
+ )
+ modlist = [(ldap.MOD_ADD, 'resourceACLS', [rule])]
+
+ conn = ldap2.ldap2(shared_instance=False, ldap_uri=dogtag_uri)
+ if not conn.isconnected():
+ conn.connect(autobind=True)
+ rules = conn.get_entry(dn).get('resourceACLS', [])
+ if rule not in rules:
+ conn.conn.modify_s(str(dn), modlist)
+ conn.disconnect()
+
if __name__ == "__main__":
standard_logging_setup("install.log")
ds = dsinstance.DsInstance()
--
2.1.0
-------------- next part --------------
>From 7302ce777669ab4300c3919abe91565dd3cd1641 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Thu, 30 Apr 2015 04:55:29 -0400
Subject: [PATCH 05/11] Add certprofile plugin
Add the 'certprofile' plugin which defines the commands for managing
certificate profiles and associated permissions.
Also update Dogtag network code in 'ipapython.dogtag' to support
headers and arbitrary request bodies, to facilitate use of the
Dogtag profiles REST API.
Part of: https://fedorahosted.org/freeipa/ticket/57
---
ACI.txt | 8 ++
API.txt | 62 +++++++++
install/updates/40-certprofile.update | 9 ++
install/updates/40-delegation.update | 8 ++
install/updates/Makefile.am | 1 +
ipalib/constants.py | 1 +
ipalib/plugins/certprofile.py | 253 ++++++++++++++++++++++++++++++++++
ipapython/dogtag.py | 29 ++--
ipaserver/plugins/dogtag.py | 176 ++++++++++++++++++++++-
9 files changed, 534 insertions(+), 13 deletions(-)
create mode 100644 install/updates/40-certprofile.update
create mode 100644 ipalib/plugins/certprofile.py
diff --git a/ACI.txt b/ACI.txt
index bf539892910f14ebc3fbee88a72d2b57c0d1327b..870a343f0e59fa2075b53e881c224d4965984d08 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -22,6 +22,14 @@ dn: cn=automount,dc=ipa,dc=example
aci: (targetattr = "automountmapname || description")(targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Modify Automount Maps";allow (write) groupdn = "ldap:///cn=System: Modify Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=automount,dc=ipa,dc=example
aci: (targetfilter = "(objectclass=automountmap)")(version 3.0;acl "permission:System: Remove Automount Maps";allow (delete) groupdn = "ldap:///cn=System: Remove Automount Maps,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=System: Delete Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Import Certificate Profile";allow (add) groupdn = "ldap:///cn=System: Import Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
+aci: (targetattr = "cn || description || ipacertprofilestoreissued")(targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Modify Certificate Profile";allow (write) groupdn = "ldap:///cn=System: Modify Certificate Profile,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=certprofiles,cn=ca,dc=ipa,dc=example
+aci: (targetattr = "cn || createtimestamp || description || entryusn || ipacertprofilestoreissued || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipacertprofile)")(version 3.0;acl "permission:System: Read Certificate Profiles";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=ipaconfig,cn=etc,dc=ipa,dc=example
aci: (targetattr = "cn || createtimestamp || entryusn || ipacertificatesubjectbase || ipaconfigstring || ipacustomfields || ipadefaultemaildomain || ipadefaultloginshell || ipadefaultprimarygroup || ipagroupobjectclasses || ipagroupsearchfields || ipahomesrootdir || ipakrbauthzdata || ipamaxusernamelength || ipamigrationenabled || ipapwdexpadvnotify || ipasearchrecordslimit || ipasearchtimelimit || ipaselinuxusermapdefault || ipaselinuxusermaporder || ipauserauthtype || ipauserobjectclasses || ipausersearchfields || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaguiconfig)")(version 3.0;acl "permission:System: Read Global Configuration";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=costemplates,cn=accounts,dc=ipa,dc=example
diff --git a/API.txt b/API.txt
index 0808f3c64595495c8a9e60da5cbd689d5cdc6224..55d2baccaaf7a6cd891aa872935c01c76781c273 100644
--- a/API.txt
+++ b/API.txt
@@ -509,6 +509,68 @@ args: 1,1,1
arg: Str('request_id')
option: Str('version?', exclude='webui')
output: Output('result', None, None)
+command: certprofile_del
+args: 1,2,3
+arg: Str('cn', attribute=True, cli_name='id', multivalue=True, primary_key=True, query=True, required=True)
+option: Flag('continue', autofill=True, cli_name='continue', default=False)
+option: Str('version?', exclude='webui')
+output: Output('result', <type 'dict'>, None)
+output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
+output: ListOfPrimaryKeys('value', None, None)
+command: certprofile_find
+args: 1,9,4
+arg: Str('criteria?', noextrawhitespace=False)
+option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
+option: Str('cn', attribute=True, autofill=False, cli_name='id', multivalue=False, primary_key=True, query=True, required=False)
+option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, query=True, required=False)
+option: Bool('ipacertprofilestoreissued', attribute=True, autofill=False, cli_name='store', default=True, multivalue=False, query=True, required=False)
+option: Flag('pkey_only?', autofill=True, default=False)
+option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
+option: Int('sizelimit?', autofill=False, minvalue=0)
+option: Int('timelimit?', autofill=False, minvalue=0)
+option: Str('version?', exclude='webui')
+output: Output('count', <type 'int'>, None)
+output: ListOfEntries('result', (<type 'list'>, <type 'tuple'>), Gettext('A list of LDAP entries', domain='ipa', localedir=None))
+output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
+output: Output('truncated', <type 'bool'>, None)
+command: certprofile_import
+args: 1,6,3
+arg: Str('cn', attribute=True, cli_name='id', multivalue=False, primary_key=True, required=True)
+option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
+option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=True)
+option: File('file', cli_name='file')
+option: Bool('ipacertprofilestoreissued', attribute=True, cli_name='store', default=True, multivalue=False, required=True)
+option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
+option: Str('version?', exclude='webui')
+output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
+output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
+output: PrimaryKey('value', None, None)
+command: certprofile_mod
+args: 1,10,3
+arg: Str('cn', attribute=True, cli_name='id', multivalue=False, primary_key=True, query=True, required=True)
+option: Str('addattr*', cli_name='addattr', exclude='webui')
+option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
+option: Str('delattr*', cli_name='delattr', exclude='webui')
+option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, required=False)
+option: Bool('ipacertprofilestoreissued', attribute=True, autofill=False, cli_name='store', default=True, multivalue=False, required=False)
+option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
+option: Str('rename', cli_name='rename', multivalue=False, primary_key=True, required=False)
+option: Flag('rights', autofill=True, default=False)
+option: Str('setattr*', cli_name='setattr', exclude='webui')
+option: Str('version?', exclude='webui')
+output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
+output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
+output: PrimaryKey('value', None, None)
+command: certprofile_show
+args: 1,4,3
+arg: Str('cn', attribute=True, cli_name='id', multivalue=False, primary_key=True, query=True, required=True)
+option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
+option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
+option: Flag('rights', autofill=True, default=False)
+option: Str('version?', exclude='webui')
+output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
+output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
+output: PrimaryKey('value', None, None)
command: compat_is_enabled
args: 0,1,1
option: Str('version?', exclude='webui')
diff --git a/install/updates/40-certprofile.update b/install/updates/40-certprofile.update
new file mode 100644
index 0000000000000000000000000000000000000000..6b0a81d0ff6d69dabe82138227d105fc780ee17d
--- /dev/null
+++ b/install/updates/40-certprofile.update
@@ -0,0 +1,9 @@
+dn: cn=ca,$SUFFIX
+default: objectClass: nsContainer
+default: objectClass: top
+default: cn: ca
+
+dn: cn=certprofiles,cn=ca,$SUFFIX
+default: objectClass: nsContainer
+default: objectClass: top
+default: cn: certprofiles
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 975929bd70400b2f9cf407d6faedb246003d7f58..bc0736c5b6c07747586a56c2cbde9596c7522d1c 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -237,3 +237,11 @@ default:ipapermissiontype: SYSTEM
dn: cn=config
add:aci: (version 3.0;acl "permission:Add Configuration Sub-Entries";allow (add) groupdn = "ldap:///cn=Add Configuration Sub-Entries,cn=permissions,cn=pbac,$SUFFIX";)
+
+# CA Administrators
+dn: cn=CA Administrator,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: nestedgroup
+default:objectClass: groupofnames
+default:objectClass: top
+default:cn: CA Administrator
+default:description: CA Administrator
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 0d63d9ea8d85f1add5f036e7a39f89543586d33b..cd44f08d4cd736ee19caf8ec1b8df604c9c2fa9d 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -32,6 +32,7 @@ app_DATA = \
40-replication.update \
40-dns.update \
40-automember.update \
+ 40-certprofile.update \
40-otp.update \
45-roles.update \
50-7_bit_check.update \
diff --git a/ipalib/constants.py b/ipalib/constants.py
index f1e14702ffdf5a3bd23a62b1fdd2ee3cd95d84f8..3722ab1999938ad021b8789645368633eac7f08b 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -116,6 +116,7 @@ DEFAULT_CONFIG = (
('container_otp', DN(('cn', 'otp'))),
('container_radiusproxy', DN(('cn', 'radiusproxy'))),
('container_views', DN(('cn', 'views'), ('cn', 'accounts'))),
+ ('container_certprofile', DN(('cn', 'certprofiles'), ('cn', 'ca'))),
# Ports, hosts, and URIs:
('xmlrpc_uri', 'http://localhost:8888/ipa/xml'),
diff --git a/ipalib/plugins/certprofile.py b/ipalib/plugins/certprofile.py
new file mode 100644
index 0000000000000000000000000000000000000000..3d9e807445f55b5406640a268ab0d50ddedc896d
--- /dev/null
+++ b/ipalib/plugins/certprofile.py
@@ -0,0 +1,253 @@
+#
+# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
+#
+
+import re
+
+from ipalib import api, Bool, File, Str
+from ipalib import output
+from ipalib.plugable import Registry
+from ipalib.plugins.virtual import VirtualCommand
+from ipalib.plugins.baseldap import (
+ LDAPObject, LDAPSearch, LDAPCreate,
+ LDAPDelete, LDAPUpdate, LDAPRetrieve)
+from ipalib import ngettext
+from ipalib.text import _
+
+from ipalib import errors
+
+
+__doc__ = _("""
+Manage Certificate Profiles
+
+Certificate Profiles are used by Certificate Authority (CA) in the signing of
+certificates to determine if a Certificate Signing Request (CSR) is acceptable,
+and if so what features and extensions will be present on the certificate.
+
+The Certificate Profile format is the property-list format understood by the
+Dogtag or Red Hat Certificate System CA.
+
+PROFILE ID SYNTAX:
+
+A Profile ID is a string without spaces or punctuation starting with a letter
+and followed by a sequence of letters, digits or underscore ("_").
+
+EXAMPLES:
+
+ Import a profile that will not store issued certificates:
+ ipa certprofile-import ShortLivedUserCert \\
+ --file UserCert.profile --summary "User Certificates" \\
+ --store=false
+
+ Delete a certificate profile:
+ ipa certprofile-del ShortLivedUserCert
+
+ Show information about a profile:
+ ipa certprofile-show ShortLivedUserCert
+
+ Search for profiles that do not store certificates:
+ ipa certprofile-find --store=false
+
+""")
+
+
+register = Registry()
+
+
+def ca_enabled_check():
+ """Raise NotFound if CA is not enabled.
+
+ This function is defined in multiple plugins to avoid circular imports
+ (cert depends on certprofile, so we cannot import cert here).
+
+ """
+ if not api.Command.ca_is_enabled()['result']:
+ raise errors.NotFound(reason=_('CA is not configured'))
+
+
+profile_id_pattern = re.compile('^[a-zA-Z]\w*$')
+
+
+def validate_profile_id(ugettext, value):
+ """Ensure profile ID matches form required by CA."""
+ if profile_id_pattern.match(value) is None:
+ return _('invalid Profile ID')
+ else:
+ return None
+
+
+ at register()
+class certprofile(LDAPObject):
+ """
+ Certificate Profile object.
+ """
+ container_dn = api.env.container_certprofile
+ object_name = _('Certificate Profile')
+ object_name_plural = _('Certificate Profiles')
+ object_class = ['ipacertprofile']
+ default_attributes = [
+ 'cn', 'description', 'ipacertprofilestoreissued'
+ ]
+ search_attributes = [
+ 'cn', 'description', 'ipacertprofilestoreissued'
+ ]
+ rdn_is_primary_key = True
+ label = _('Certificate Profiles')
+ label_singular = _('Certificate Profile')
+
+ takes_params = (
+ Str('cn', validate_profile_id,
+ primary_key=True,
+ cli_name='id',
+ label=_('Profile ID'),
+ doc=_('Profile ID for referring to this profile'),
+ ),
+ Str('description',
+ required=True,
+ cli_name='desc',
+ label=_('Profile description'),
+ doc=_('Brief description of this profile'),
+ ),
+ Bool('ipacertprofilestoreissued',
+ default=True,
+ cli_name='store',
+ label=_('Store issued certificates'),
+ doc=_('Whether to store certs issued using this profile'),
+ ),
+ )
+
+ permission_filter_objectclasses = ['ipacertprofile']
+ managed_permissions = {
+ 'System: Read Certificate Profiles': {
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermbindruletype': 'all',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'cn',
+ 'description',
+ 'ipacertprofilestoreissued',
+ 'objectclass',
+ },
+ },
+ 'System: Import Certificate Profile': {
+ 'ipapermright': {'add'},
+ 'replaces': [
+ '(target = "ldap:///cn=*,cn=certprofiles,cn=ca,$SUFFIX")(version 3.0;acl "permission:Import Certificate Profile";allow (add) groupdn = "ldap:///cn=Import Certificate Profile,cn=permissions,cn=pbac,$SUFFIX";)',
+ ],
+ 'default_privileges': {'CA Administrator'},
+ },
+ 'System: Delete Certificate Profile': {
+ 'ipapermright': {'delete'},
+ 'replaces': [
+ '(target = "ldap:///cn=*,cn=certprofiles,cn=ca,$SUFFIX")(version 3.0;acl "permission:Delete Certificate Profile";allow (delete) groupdn = "ldap:///cn=Delete Certificate Profile,cn=permissions,cn=pbac,$SUFFIX";)',
+ ],
+ 'default_privileges': {'CA Administrator'},
+ },
+ 'System: Modify Certificate Profile': {
+ 'ipapermright': {'write'},
+ 'ipapermdefaultattr': {
+ 'cn',
+ 'description',
+ 'ipacertprofilestoreissued',
+ },
+ 'replaces': [
+ '(targetattr = "cn || description || ipacertprofilestoreissued")(target = "ldap:///cn=*,cn=certprofiles,cn=ca,$SUFFIX")(version 3.0;acl "permission:Modify Certificate Profile";allow (write) groupdn = "ldap:///cn=Modify Certificate Profile,cn=permissions,cn=pbac,$SUFFIX";)',
+ ],
+ 'default_privileges': {'CA Administrator'},
+ },
+ }
+
+
+
+ at register()
+class certprofile_find(LDAPSearch):
+ __doc__ = _("Search for Certificate Profiles.")
+ msg_summary = ngettext(
+ '%(count)d profile matched', '%(count)d profiles matched', 0
+ )
+
+ def execute(self, *args, **kwargs):
+ ca_enabled_check()
+ return super(certprofile_find, self).execute(self, *args, **kwargs)
+
+
+ at register()
+class certprofile_show(LDAPRetrieve):
+ __doc__ = _("Display the properties of a Certificate Profile.")
+
+ def execute(self, *args, **kwargs):
+ ca_enabled_check()
+ return super(certprofile_show, self).execute(self, *args, **kwargs)
+
+
+ at register()
+class certprofile_import(LDAPCreate):
+ __doc__ = _("Import a Certificate Profile.")
+ msg_summary = _('Imported profile "%(value)s"')
+ takes_options = (
+ File('file',
+ label=_('Filename'),
+ cli_name='file',
+ flags=('virtual_attribute',),
+ ),
+ )
+
+ PROFILE_ID_PATTERN = re.compile('^profileId=(\w+)', re.MULTILINE)
+
+ def pre_callback(self, ldap, dn, entry, entry_attrs, *keys, **options):
+ ca_enabled_check()
+
+ match = self.PROFILE_ID_PATTERN.search(options['file'])
+ if match is None:
+ raise errors.ValidationError(name='file',
+ error=_("Profile ID is not present in profile data"))
+ elif keys[0] != match.group(1):
+ raise errors.ValidationError(name='file',
+ error=_("Profile ID '%(cli_value)s' does not match profile data '%(file_value)s'")
+ % {'cli_value': keys[0], 'file_value': match.group(1)}
+ )
+ return dn
+
+
+ def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
+ """Import the profile into Dogtag and enable it.
+
+ If the operation succeeds, update the LDAP entry to 'enabled'.
+ If the operation fails, remove the LDAP entry.
+ """
+ try:
+ with self.api.Backend.ra_certprofile as profile_api:
+ profile_api.create_profile(options['file'])
+ profile_api.enable_profile(keys[0])
+ except:
+ # something went wrong ; delete entry
+ ldap.delete_entry(dn)
+ raise
+
+ return dn
+
+
+ at register()
+class certprofile_del(LDAPDelete):
+ __doc__ = _("Delete a Certificate Profile.")
+ msg_summary = _('Deleted profile "%(value)s"')
+
+ def execute(self, *args, **kwargs):
+ ca_enabled_check()
+ return super(certprofile_del, self).execute(self, *args, **kwargs)
+
+ def post_callback(self, ldap, dn, *keys, **options):
+ with self.api.Backend.ra_certprofile as profile_api:
+ profile_api.disable_profile(keys[0])
+ profile_api.delete_profile(keys[0])
+ return dn
+
+
+ at register()
+class certprofile_mod(LDAPUpdate):
+ __doc__ = _("Modify Certificate Profile configuration.")
+ msg_summary = _('Modified Certificate Profile "%(value)s')
+
+ def execute(self, *args, **kwargs):
+ ca_enabled_check()
+ return super(certprofile_mod, self).execute(self, *args, **kwargs)
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index c74b8736a4b15f7bf081206b52b9876a8c4928af..11311cf7b55d7b84e9434a698dbfd60b0eb142a1 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -233,9 +233,12 @@ def ca_status(ca_host=None, use_proxy=True):
return _parse_ca_status(body)
-def https_request(host, port, url, secdir, password, nickname, **kw):
+def https_request(host, port, url, secdir, password, nickname,
+ method='POST', headers=None, body=None, **kw):
"""
+ :param method: HTTP request method (defalut: 'POST')
:param url: The path (not complete URL!) to post to.
+ :param body: The request body (encodes kw if None)
:param kw: Keyword arguments to encode into POST body.
:return: (http_status, http_reason_phrase, http_headers, http_body)
as (integer, unicode, dict, str)
@@ -254,9 +257,11 @@ def https_request(host, port, url, secdir, password, nickname, **kw):
nickname, password, nss.get_default_certdb())
return conn
- body = urlencode(kw)
+ if body is None:
+ body = urlencode(kw)
return _httplib_request(
- 'https', host, port, url, connection_factory, body)
+ 'https', host, port, url, connection_factory, body,
+ method=method, headers=headers)
def http_request(host, port, url, **kw):
@@ -288,11 +293,13 @@ def unauthenticated_https_request(host, port, url, **kw):
def _httplib_request(
- protocol, host, port, path, connection_factory, request_body):
+ protocol, host, port, path, connection_factory, request_body,
+ method='POST', headers=None):
"""
:param request_body: Request body
:param connection_factory: Connection class to use. Will be called
with the host and port arguments.
+ :param method: HTTP request method (default: 'POST')
Perform a HTTP(s) request.
"""
@@ -301,13 +308,17 @@ def _httplib_request(
uri = '%s://%s%s' % (protocol, ipautil.format_netloc(host, port), path)
root_logger.debug('request %r', uri)
root_logger.debug('request body %r', request_body)
+
+ headers = headers or {}
+ if (
+ method == 'POST'
+ and 'content-type' not in (str(k).lower() for k in headers.viewkeys())
+ ):
+ headers['content-type'] = 'application/x-www-form-urlencoded'
+
try:
conn = connection_factory(host, port)
- conn.request(
- 'POST', uri,
- body=request_body,
- headers={'Content-type': 'application/x-www-form-urlencoded'},
- )
+ conn.request(method, uri, body=request_body, headers=headers)
res = conn.getresponse()
http_status = res.status
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index 52bdb0d4245594785e718c63242e27cee0e59322..9654123b16d8e417398d49bf1305fd41880bc3a7 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -4,8 +4,9 @@
# Jason Gerard DeRose <jderose at redhat.com>
# Rob Crittenden <rcritten@@redhat.com>
# John Dennis <jdennis at redhat.com>
+# Fraser Tweedale <ftweedal at redhat.com>
#
-# Copyright (C) 2014 Red Hat
+# Copyright (C) 2014, 2015 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
@@ -238,17 +239,21 @@ digits and nothing else follows.
'''
import datetime
+import json
from lxml import etree
+import os
import tempfile
import time
import urllib2
+import pki
from pki.client import PKIConnection
import pki.crypto as cryptoutil
from pki.kra import KRAClient
from ipalib import Backend
from ipapython.dn import DN
+import ipapython.cookie
import ipapython.dogtag
from ipapython import ipautil
from ipaserver.install.certs import CertDB
@@ -1262,13 +1267,12 @@ def select_any_master(ldap2, service='CA'):
#-------------------------------------------------------------------------------
-from ipalib import api, SkipPluginModule
+from ipalib import api, errors, SkipPluginModule
if api.env.ra_plugin != 'dogtag':
# In this case, abort loading this plugin module...
raise SkipPluginModule(reason='dogtag not selected as RA plugin')
import os, random
from ipaserver.plugins import rabase
-from ipalib.errors import CertificateOperationError
from ipalib.constants import TYPE_ERROR
from ipalib.util import cachedproperty
from ipapython import dogtag
@@ -1318,7 +1322,7 @@ class ra(rabase.rabase):
err_msg = u'%s (%s)' % (err_msg, detail)
self.error('%s.%s(): %s', self.fullname, func_name, err_msg)
- raise CertificateOperationError(error=err_msg)
+ raise errors.CertificateOperationError(error=err_msg)
@cachedproperty
def ca_host(self):
@@ -1923,3 +1927,167 @@ class kra(Backend):
return KRAClient(connection, crypto)
api.register(kra)
+
+
+class RestClient(Backend):
+ """Simple Dogtag REST client to be subclassed by other backends.
+
+ This class is a context manager. Authenticated calls must be
+ executed in a ``with`` suite::
+
+ class ra_certprofile(RestClient):
+ path = 'profile'
+ ...
+
+ api.register(ra_certprofile)
+
+ with api.Backend.ra_certprofile as profile_api:
+ # REST client is now logged in
+ profile_api.create_profile(...)
+
+ """
+ path = None
+
+ @staticmethod
+ def _parse_dogtag_error(body):
+ try:
+ return pki.PKIException.from_json(json.loads(body))
+ except:
+ return None
+
+ def __init__(self):
+ if api.env.in_tree:
+ self.sec_dir = api.env.dot_ipa + os.sep + 'alias'
+ self.pwd_file = self.sec_dir + os.sep + '.pwd'
+ else:
+ self.sec_dir = paths.HTTPD_ALIAS_DIR
+ self.pwd_file = paths.ALIAS_PWDFILE_TXT
+ self.noise_file = self.sec_dir + os.sep + '.noise'
+ self.ipa_key_size = "2048"
+ self.ipa_certificate_nickname = "ipaCert"
+ self.ca_certificate_nickname = "caCert"
+ try:
+ f = open(self.pwd_file, "r")
+ self.password = f.readline().strip()
+ f.close()
+ except IOError:
+ self.password = ''
+ super(RestClient, self).__init__()
+
+ # session cookie
+ self.cookie = None
+
+ @cachedproperty
+ def ca_host(self):
+ """
+ :return: host
+ as str
+
+ Select our CA host.
+ """
+ ldap2 = self.api.Backend.ldap2
+ if host_has_service(api.env.ca_host, ldap2, "CA"):
+ return api.env.ca_host
+ if api.env.host != api.env.ca_host:
+ if host_has_service(api.env.host, ldap2, "CA"):
+ return api.env.host
+ host = select_any_master(ldap2)
+ if host:
+ return host
+ else:
+ return api.env.ca_host
+
+ def __enter__(self):
+ """Log into the REST API"""
+ if self.cookie is not None:
+ return
+ status, status_text, resp_headers, resp_body = dogtag.https_request(
+ self.ca_host, self.env.ca_agent_port, '/ca/rest/account/login',
+ self.sec_dir, self.password, self.ipa_certificate_nickname,
+ method='GET'
+ )
+ cookies = ipapython.cookie.Cookie.parse(resp_headers.get('set-cookie', ''))
+ if status != 200 or len(cookies) == 0:
+ raise errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA REST API'))
+ self.cookie = str(cookies[0])
+ return self
+
+ def __exit__(self, exc_type, exc_value, traceback):
+ """Log out of the REST API"""
+ dogtag.https_request(
+ self.ca_host, self.env.ca_agent_port, '/ca/rest/account/logout',
+ self.sec_dir, self.password, self.ipa_certificate_nickname,
+ method='GET'
+ )
+ self.cookie = None
+
+ def _ssldo(self, method, path, headers=None, body=None):
+ """
+ :param url: The URL to post to.
+ :param kw: Keyword arguments to encode into POST body.
+ :return: (http_status, http_reason_phrase, http_headers, http_body)
+ as (integer, unicode, dict, str)
+
+ Perform an HTTPS request
+ """
+ if self.cookie is None:
+ raise errors.RemoteRetrieveError(
+ reason=_("REST API is not logged in."))
+
+ headers = headers or {}
+ headers['Cookie'] = self.cookie
+
+ resource = os.path.join('/ca/rest', self.path, path)
+
+ # perform main request
+ status, status_text, resp_headers, resp_body = dogtag.https_request(
+ self.ca_host, self.env.ca_agent_port, resource,
+ self.sec_dir, self.password, self.ipa_certificate_nickname,
+ method=method, headers=headers, body=body
+ )
+ if status < 200 or status >= 300:
+ explanation = self._parse_dogtag_error(resp_body) or ''
+ raise errors.RemoteRetrieveError(
+ reason=_('Non-2xx response from CA REST API: %(status)d %(status_text)s. %(explanation)s')
+ % {'status': status, 'status_text': status_text, 'explanation': explanation}
+ )
+ return (status, status_text, resp_headers, resp_body)
+
+
+class ra_certprofile(RestClient):
+ """
+ Profile management backend plugin.
+ """
+ path = 'profiles'
+
+ def create_profile(self, profile_data):
+ """
+ Import the profile into Dogtag
+ """
+ self._ssldo('POST', 'raw',
+ headers={
+ 'Content-type': 'application/xml',
+ 'Accept': 'application/json',
+ },
+ body=profile_data
+ )
+
+ def enable_profile(self, profile_id):
+ """
+ Enable the profile in Dogtag
+ """
+ self._ssldo('POST', profile_id + '?action=enable')
+
+ def disable_profile(self, profile_id):
+ """
+ Enable the profile in Dogtag
+ """
+ self._ssldo('POST', profile_id + '?action=disable')
+
+ def delete_profile(self, profile_id):
+ """
+ Delete the profile from Dogtag
+ """
+ self._ssldo('DELETE', profile_id, headers={'Accept': 'application/json'})
+
+api.register(ra_certprofile)
--
2.1.0
-------------- next part --------------
>From 3c9a29566e49b01f7017ef861daf1ca1967f59a7 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Mon, 11 May 2015 23:38:41 -0400
Subject: [PATCH 06/11] Enable LDAP-based profiles in CA on upgrade
Part of: https://fedorahosted.org/freeipa/ticket/4560
---
install/tools/ipa-upgradeconfig | 40 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 40 insertions(+)
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 92c4934874f12c7017329bdcb67ac9a888f6e389..246118fd451fbf57754049258aeaa1895eb11e5e 100755
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -340,6 +340,45 @@ def ca_configure_profiles_acl(ca):
return True
+def ca_enable_ldap_profile_subsystem(ca):
+ root_logger.info('[Ensuring CA is using LDAPProfileSubsystem]')
+ if not ca.is_configured():
+ root_logger.info('CA is not configured')
+ return False
+
+ caconfig = dogtag.configured_constants()
+
+ needs_update = False
+ directive = None
+ try:
+ for i in range(15):
+ directive = "subsystem.{}.class".format(i)
+ value = installutils.get_directive(
+ caconfig.CS_CFG_PATH,
+ directive,
+ separator='=')
+ if value == 'ProfileSubsystem':
+ needs_update = True
+ break
+ except OSError, e:
+ root_logger.error('Cannot read CA configuration file "%s": %s',
+ caconfig.CS_CFG_PATH, e)
+ return False
+
+ if needs_update:
+ installutils.set_directive(
+ caconfig.CS_CFG_PATH,
+ directive,
+ 'LDAPProfileSubsystem',
+ quotes=False,
+ separator='=')
+
+ # TODO import file-based profiles into Dogtag
+ # More code needed on Dogtag side for this.
+
+ return needs_update
+
+
def upgrade_ipa_profile(ca, domain, fqdn):
"""
Update the IPA Profile provided by dogtag
@@ -1439,6 +1478,7 @@ def main():
certificate_renewal_update(ca),
ca_enable_pkix(ca),
ca_configure_profiles_acl(ca),
+ ca_enable_ldap_profile_subsystem(ca),
])
if ca_restart:
--
2.1.0
-------------- next part --------------
>From 27ac261f1c67e150855ea1e94d5893138772364b Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Mon, 11 May 2015 21:17:48 -0400
Subject: [PATCH 07/11] Import included profiles during install or upgrade
Add a default service profile template as part of FreeIPA and format
and import it as part of installation or upgrade process.
Also remove the code that modifies the old (file-based)
`caIPAserviceCert' profile.
Fixes https://fedorahosted.org/freeipa/ticket/4002
---
freeipa.spec.in | 2 +
install/configure.ac | 1 +
install/share/Makefile.am | 1 +
install/share/profiles/DefaultService.cfg | 109 +++++++++++++++
install/share/profiles/Makefile.am | 14 ++
install/tools/ipa-server-install | 9 ++
install/tools/ipa-upgradeconfig | 49 ++++---
ipapython/dogtag.py | 5 +
ipaserver/install/cainstance.py | 216 ++++--------------------------
ipaserver/plugins/dogtag.py | 14 +-
10 files changed, 201 insertions(+), 219 deletions(-)
create mode 100644 install/share/profiles/DefaultService.cfg
create mode 100644 install/share/profiles/Makefile.am
diff --git a/freeipa.spec.in b/freeipa.spec.in
index b14acee638d10d1e153e1f6765ab5902060cb169..6f5479240ba16a8a32ca2924437b4a2e7f37adc4 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -718,6 +718,8 @@ fi
%dir %{_usr}/share/ipa/advise
%dir %{_usr}/share/ipa/advise/legacy
%{_usr}/share/ipa/advise/legacy/*.template
+%dir %{_usr}/share/ipa/profiles
+%{_usr}/share/ipa/profiles/*.cfg
%dir %{_usr}/share/ipa/ffextension
%{_usr}/share/ipa/ffextension/bootstrap.js
%{_usr}/share/ipa/ffextension/install.rdf
diff --git a/install/configure.ac b/install/configure.ac
index 2e48aa5cc67b30f2582de987a12d4e7043256679..57f4219b66bbe1dadaed3e89c3e84b1c8240399e 100644
--- a/install/configure.ac
+++ b/install/configure.ac
@@ -88,6 +88,7 @@ AC_CONFIG_FILES([
share/Makefile
share/advise/Makefile
share/advise/legacy/Makefile
+ share/profiles/Makefile
ui/Makefile
ui/css/Makefile
ui/src/Makefile
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 2cae5279079cdd3e0d793667f4d1bf4e44757b9e..1ff2278ebf395057fccc4f0650b7726374cc1cc8 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -2,6 +2,7 @@ NULL =
SUBDIRS = \
advise \
+ profiles \
$(NULL)
appdir = $(IPA_DATA_DIR)
diff --git a/install/share/profiles/DefaultService.cfg b/install/share/profiles/DefaultService.cfg
new file mode 100644
index 0000000000000000000000000000000000000000..d70fc9867d8af3f49dd6dfebcefdf772772bd100
--- /dev/null
+++ b/install/share/profiles/DefaultService.cfg
@@ -0,0 +1,109 @@
+profileId=DefaultService
+classId=caEnrollImpl
+desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=IPA-RA Agent-Authenticated Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=740
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=731
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://$IPA_CA_RECORD.$DOMAIN/ca/ocsp
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.serverCertSet.6.default.name=Key Usage Default
+policyset.serverCertSet.6.default.params.keyUsageCritical=true
+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.8.constraint.name=No Constraint
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.8.default.name=Signing Alg
+policyset.serverCertSet.8.default.params.signingAlg=-
+policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.9.constraint.name=No Constraint
+policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl
+policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default
+policyset.serverCertSet.9.default.params.crlDistPointsCritical=false
+policyset.serverCertSet.9.default.params.crlDistPointsNum=1
+policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true
+policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=$CRL_ISSUER
+policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName
+policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://$IPA_CA_RECORD.$DOMAIN/ipa/crl/MasterCRL.bin
+policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName
+policyset.serverCertSet.9.default.params.crlDistPointsReasons_0=
+policyset.serverCertSet.10.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.10.constraint.name=No Constraint
+policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.10.default.name=Subject Key Identifier Extension Default
+policyset.serverCertSet.10.default.params.critical=false
+policyset.serverCertSet.11.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.11.constraint.name=No Constraint
+policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl
+policyset.serverCertSet.11.default.name=User Supplied Extension Default
+policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17
diff --git a/install/share/profiles/Makefile.am b/install/share/profiles/Makefile.am
new file mode 100644
index 0000000000000000000000000000000000000000..8c6b3114a346b3d96d94e75ad330c5f0bbaf7322
--- /dev/null
+++ b/install/share/profiles/Makefile.am
@@ -0,0 +1,14 @@
+NULL =
+
+appdir = $(IPA_DATA_DIR)/profiles
+app_DATA = \
+ DefaultService.cfg \
+ $(NULL)
+
+EXTRA_DIST = \
+ $(app_DATA) \
+ $(NULL)
+
+MAINTAINERCLEANFILES = \
+ *~ \
+ Makefile.in
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index cb6e1abe2016c0f8cefc35b1d685373f05b3ef89..7a7743e17c0f3ad9215dfc9d985d0ff021e57277 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -1124,6 +1124,9 @@ def main():
api.env.ca_host = host_name
api.bootstrap(**cfg)
+ if setup_ca:
+ # ensure profile backend is available
+ import ipaserver.plugins.dogtag
api.finalize()
# Create DS user/group if it doesn't exist yet
@@ -1273,6 +1276,12 @@ def main():
service.print_msg("Restarting the certificate server")
ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)
+ service.print_msg("Importing certificate profiles")
+ api.Backend.ra_certprofile._read_password()
+ if not api.Backend.ldap2.isconnected():
+ api.Backend.ldap2.connect(autobind=True)
+ ca.import_included_profiles()
+
if options.setup_dns:
api.Backend.ldap2.connect(autobind=True)
dns_installer.install(False, False, options)
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 246118fd451fbf57754049258aeaa1895eb11e5e..24cdf466ceff3885b779b7de88681c087792c99e 100755
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -379,32 +379,34 @@ def ca_enable_ldap_profile_subsystem(ca):
return needs_update
-def upgrade_ipa_profile(ca, domain, fqdn):
+def ca_import_included_profiles(ca):
+ root_logger.info('[Ensuring presence of included profiles]')
+
+ if not ca.is_configured():
+ root_logger.info('CA is not configured')
+ return False
+
+ if not api.Backend.ldap2.isconnected():
+ try:
+ api.Backend.ldap2.connect(autobind=True)
+ except ipalib.errors.PublicError, e:
+ root_logger.error("Cannot connect to LDAP: %s", e)
+ return
+ ca.import_included_profiles()
+
+
+def upgrade_ca_audit_cert_validity(ca):
"""
- Update the IPA Profile provided by dogtag
+ Update the Dogtag audit signing certificate.
Returns True if restart is needed, False otherwise.
"""
- root_logger.info('[Verifying that CA service certificate profile is updated]')
+ root_logger.info('[Verifying that CA audit signing cert has 2 year validity]')
if ca.is_configured():
- ski = ca.enable_subject_key_identifier()
- if ski:
- root_logger.debug('Subject Key Identifier updated.')
- else:
- root_logger.debug('Subject Key Identifier already set.')
- san = ca.enable_subject_alternative_name()
- if san:
- root_logger.debug('Subject Alternative Name updated.')
- else:
- root_logger.debug('Subject Alternative Name already set.')
- audit = ca.set_audit_renewal()
- uri = ca.set_crl_ocsp_extensions(domain, fqdn)
- if audit or ski or san or uri:
- return True
+ return ca.set_audit_renewal()
else:
root_logger.info('CA is not configured')
-
- return False
+ return False
def named_remove_deprecated_options():
@@ -1327,6 +1329,7 @@ def main():
fstore = sysrestore.FileStore(paths.SYSRESTORE)
api.bootstrap(context='restart', in_server=True)
+ import ipaserver.plugins.dogtag # ensure profile backend gets loaded
api.finalize()
fqdn = find_hostname()
@@ -1474,7 +1477,7 @@ def main():
ca_restart = any([
ca_restart,
- upgrade_ipa_profile(ca, api.env.domain, fqdn),
+ upgrade_ca_audit_cert_validity(ca),
certificate_renewal_update(ca),
ca_enable_pkix(ca),
ca_configure_profiles_acl(ca),
@@ -1488,6 +1491,12 @@ def main():
except ipautil.CalledProcessError, e:
root_logger.error("Failed to restart %s: %s", ca.service_name, e)
+ # This step MUST be done after ca_enable_ldap_profile_subsystem and
+ # ca_configure_profiles_acl, and the consequent restart, but does not
+ # itself require a restart.
+ #
+ ca_import_included_profiles(ca)
+
set_sssd_domain_option('ipa_server_mode', 'True')
if __name__ == '__main__':
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index 11311cf7b55d7b84e9434a698dbfd60b0eb142a1..e0091ba8747dff3a488b9908f057ae15c6b4bedc 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -42,6 +42,11 @@ from ipapython.ipa_log_manager import *
# the configured version.
+INCLUDED_PROFILES = {
+ # ( profile_id , description , store_issued)
+ (u'DefaultService', u'Standard profile for network services', True),
+ }
+
class Dogtag10Constants(object):
DOGTAG_VERSION = 10
UNSECURE_PORT = 8080
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index d85210e02a6b4a5e664d57965299d775836ae5c5..7fc1572604a09cc1c6bc28f7a068b5b2d49a6a12 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -459,10 +459,6 @@ class CAInstance(DogtagInstance):
self.step("importing CA chain to RA certificate database", self.__import_ca_chain)
self.step("fixing RA database permissions", self.fix_ra_perms)
self.step("setting up signing cert profile", self.__setup_sign_profile)
- self.step("set certificate subject base", self.__set_subject_in_config)
- self.step("enabling Subject Key Identifier", self.enable_subject_key_identifier)
- self.step("enabling Subject Alternative Name", self.enable_subject_alternative_name)
- self.step("enabling CRL and OCSP extensions for certificates", self.__set_crl_ocsp_extensions)
self.step("setting audit signing renewal to 2 years", self.set_audit_renewal)
if not self.clone:
self.step("restarting certificate server", self.restart_instance)
@@ -1125,94 +1121,6 @@ class CAInstance(DogtagInstance):
return publishdir
- def __set_crl_ocsp_extensions(self):
- self.set_crl_ocsp_extensions(self.domain, self.fqdn)
-
- def set_crl_ocsp_extensions(self, domain, fqdn):
- """
- Configure CRL and OCSP extensions in default IPA certificate profile
- if not done already.
- """
- changed = False
-
- # OCSP extension
- ocsp_url = 'http://%s.%s/ca/ocsp' % (IPA_CA_RECORD, ipautil.format_netloc(domain))
-
- ocsp_location_0 = installutils.get_directive(
- self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0',
- separator='=')
-
- if ocsp_location_0 != ocsp_url:
- # Set the first OCSP URI
- installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0',
- ocsp_url, quotes=False, separator='=')
- changed = True
-
- ocsp_profile_count = installutils.get_directive(
- self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.5.default.params.authInfoAccessNumADs',
- separator='=')
-
- if ocsp_profile_count != '1':
- installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.5.default.params.authInfoAccessNumADs',
- '1', quotes=False, separator='=')
- changed = True
-
-
- # CRL extension
- crl_url = 'http://%s.%s/ipa/crl/MasterCRL.bin'% (IPA_CA_RECORD, ipautil.format_netloc(domain))
-
- crl_point_0 = installutils.get_directive(
- self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.9.default.params.crlDistPointsPointName_0',
- separator='=')
-
- if crl_point_0 != crl_url:
- installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0',
- 'CN=Certificate Authority,o=ipaca', quotes=False, separator='=')
- installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0',
- 'DirectoryName', quotes=False, separator='=')
- installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.9.default.params.crlDistPointsPointName_0',
- crl_url, quotes=False, separator='=')
- changed = True
-
- crl_profile_count = installutils.get_directive(
- self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.9.default.params.crlDistPointsNum',
- separator='=')
-
- if crl_profile_count != '1':
- installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.9.default.params.crlDistPointsNum',
- '1', quotes=False, separator='=')
- changed = True
-
- # CRL extension is not enabled by default
- setlist = installutils.get_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.list', separator='=')
- new_set_list = None
-
- if setlist == '1,2,3,4,5,6,7,8':
- new_set_list = '1,2,3,4,5,6,7,8,9'
- elif setlist == '1,2,3,4,5,6,7,8,10':
- new_set_list = '1,2,3,4,5,6,7,8,9,10'
- elif setlist == '1,2,3,4,5,6,7,8,10,11':
- new_set_list = '1,2,3,4,5,6,7,8,9,10,11'
-
- if new_set_list:
- installutils.set_directive(self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.list',
- new_set_list, quotes=False, separator='=')
- changed = True
-
- return changed
-
def __enable_crl_publish(self):
"""
@@ -1267,13 +1175,6 @@ class CAInstance(DogtagInstance):
installutils.set_directive(caconfig, 'ca.crl.MasterCRL.enableCRLUpdates', 'false', quotes=False, separator='=')
installutils.set_directive(caconfig, 'ca.listenToCloneModifications', 'false', quotes=False, separator='=')
- def __set_subject_in_config(self):
- # dogtag ships with an IPA-specific profile that forces a subject
- # format. We need to update that template with our base subject
- if installutils.update_file(self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'OU=pki-ipa, O=IPA', str(self.subject_base)):
- print "Updating subject_base in CA template failed"
-
def uninstall(self):
# just eat state
self.restore_state("enabled")
@@ -1407,100 +1308,6 @@ class CAInstance(DogtagInstance):
services.knownservices.certmonger.stop()
- def enable_subject_key_identifier(self):
- """
- See if Subject Key Identifier is set in the profile and if not, add it.
- """
- setlist = installutils.get_directive(
- self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.list', separator='=')
-
- # this is the default setting from pki-ca/pki-tomcat. Don't touch it
- # if a user has manually modified it.
- if setlist == '1,2,3,4,5,6,7,8' or setlist == '1,2,3,4,5,6,7,8,9':
- setlist += ',10'
- installutils.set_directive(
- self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.list',
- setlist,
- quotes=False, separator='=')
- installutils.set_directive(
- self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.10.constraint.class_id',
- 'noConstraintImpl',
- quotes=False, separator='=')
- installutils.set_directive(
- self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.10.constraint.name',
- 'No Constraint',
- quotes=False, separator='=')
- installutils.set_directive(
- self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.10.default.class_id',
- 'subjectKeyIdentifierExtDefaultImpl',
- quotes=False, separator='=')
- installutils.set_directive(
- self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.10.default.name',
- 'Subject Key Identifier Extension Default',
- quotes=False, separator='=')
- installutils.set_directive(
- self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.10.default.params.critical',
- 'false',
- quotes=False, separator='=')
- return True
-
- # No update was done
- return False
-
- def enable_subject_alternative_name(self):
- """
- See if Subject Alternative Name is set in the profile and if not, add
- it.
- """
- setlist = installutils.get_directive(
- self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.list', separator='=')
-
- # this is the default setting from pki-ca/pki-tomcat. Don't touch it
- # if a user has manually modified it.
- if setlist == '1,2,3,4,5,6,7,8,10' or setlist == '1,2,3,4,5,6,7,8,9,10':
- setlist += ',11'
- installutils.set_directive(
- self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.list',
- setlist,
- quotes=False, separator='=')
- installutils.set_directive(
- self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.11.constraint.class_id',
- 'noConstraintImpl',
- quotes=False, separator='=')
- installutils.set_directive(
- self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.11.constraint.name',
- 'No Constraint',
- quotes=False, separator='=')
- installutils.set_directive(
- self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.11.default.class_id',
- 'userExtensionDefaultImpl',
- quotes=False, separator='=')
- installutils.set_directive(
- self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.11.default.name',
- 'User Supplied Extension Default',
- quotes=False, separator='=')
- installutils.set_directive(
- self.dogtag_constants.IPA_SERVICE_PROFILE,
- 'policyset.serverCertSet.11.default.params.userExtOID',
- '2.5.29.17',
- quotes=False, separator='=')
- return True
-
- # No update was done
- return False
def set_audit_renewal(self):
"""
@@ -1586,6 +1393,29 @@ class CAInstance(DogtagInstance):
master_entry['ipaConfigString'].append('caRenewalMaster')
self.admin_conn.update_entry(master_entry)
+ def import_included_profiles(self):
+ sub_dict = dict(
+ DOMAIN=ipautil.format_netloc(api.env.domain),
+ IPA_CA_RECORD=IPA_CA_RECORD,
+ CRL_ISSUER='CN=Certificate Authority,o=ipaca',
+ SUBJECT_DN_O=str(DN(('O', api.env.realm))),
+ )
+
+ for (profile_id, desc, store_issued) in dogtag.INCLUDED_PROFILES:
+ try:
+ show_ret = api.Command['certprofile_show'](profile_id)
+ continue # the profile is present
+ except errors.NotFound:
+ # profile not found; add it
+ profile_data = ipautil.template_file(
+ '/usr/share/ipa/profiles/{}.cfg'.format(profile_id), sub_dict)
+ api.Command['certprofile_import'](
+ profile_id,
+ file=profile_data.decode('utf-8'),
+ description=desc,
+ ipacertprofilestoreissued=store_issued,
+ )
+ root_logger.info("Imported profile '%s'", profile_id)
@staticmethod
def update_cert_config(nickname, cert, dogtag_constants=None):
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index 9654123b16d8e417398d49bf1305fd41880bc3a7..880b319d68728a40f4479626d5a7c2b8c56ced02 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -1966,17 +1966,19 @@ class RestClient(Backend):
self.ipa_key_size = "2048"
self.ipa_certificate_nickname = "ipaCert"
self.ca_certificate_nickname = "caCert"
- try:
- f = open(self.pwd_file, "r")
- self.password = f.readline().strip()
- f.close()
- except IOError:
- self.password = ''
+ self._read_password()
super(RestClient, self).__init__()
# session cookie
self.cookie = None
+ def _read_password(self):
+ try:
+ with open(self.pwd_file) as f:
+ self.password = f.readline().strip()
+ except IOError:
+ self.password = ''
+
@cachedproperty
def ca_host(self):
"""
--
2.1.0
-------------- next part --------------
>From 28e8d503b7d5f13a40ca177f15a69696042a996f Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Thu, 7 May 2015 21:26:24 -0400
Subject: [PATCH 08/11] Add generic split_any_principal method
There exist methods to split user or service/host principals, but
there is no method to split any kind of principal and allow the
caller to decide what to do.
Generalize ``ipalib.plugins.service.split_principal`` to return a
service of ``None`` if the principal is a user principal, rename it
``split_any_principal`` and reimplement ``split_principal`` to
preserve existing behaviour.
Part of: https://fedorahosted.org/freeipa/ticket/4938
---
ipalib/plugins/service.py | 27 +++++++++++++++++++--------
1 file changed, 19 insertions(+), 8 deletions(-)
diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py
index b37dc7b4bf56b69df204fd29e9487f1390197bbe..5af320286bab98535e1f7118840afc4d525be401 100644
--- a/ipalib/plugins/service.py
+++ b/ipalib/plugins/service.py
@@ -185,19 +185,24 @@ _ticket_flags_map = {
_ticket_flags_default = _ticket_flags_map['ipakrbrequirespreauth']
-def split_principal(principal):
+def split_any_principal(principal):
service = hostname = realm = None
# Break down the principal into its component parts, which may or
# may not include the realm.
sp = principal.split('/')
- if len(sp) != 2:
- raise errors.MalformedServicePrincipal(reason=_('missing service'))
+ name_and_realm = None
+ if len(sp) > 2:
+ raise errors.MalformedServicePrincipal(reason=_('unable to determine service'))
+ elif len(sp) == 2:
+ service = sp[0]
+ if len(service) == 0:
+ raise errors.MalformedServicePrincipal(reason=_('blank service'))
+ name_and_realm = sp[1]
+ else:
+ name_and_realm = sp[0]
- service = sp[0]
- if len(service) == 0:
- raise errors.MalformedServicePrincipal(reason=_('blank service'))
- sr = sp[1].split('@')
+ sr = name_and_realm.split('@')
if len(sr) > 2:
raise errors.MalformedServicePrincipal(
reason=_('unable to determine realm'))
@@ -212,7 +217,13 @@ def split_principal(principal):
realm = api.env.realm
# Note that realm may be None.
- return (service, hostname, realm)
+ return service, hostname, realm
+
+def split_principal(principal):
+ service, name, realm = split_any_principal(principal)
+ if service is None:
+ raise errors.MalformedServicePrincipal(reason=_('missing service'))
+ return service, name, realm
def validate_principal(ugettext, principal):
(service, hostname, principal) = split_principal(principal)
--
2.1.0
-------------- next part --------------
>From 8c3267f2d1026835ace648c0a66566ed1a5dda06 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Fri, 8 May 2015 02:23:24 -0400
Subject: [PATCH 09/11] Add profile_id parameter to 'request_certificate'
Add the profile_id parameter to the 'request_certificate' function
and update call sites.
Also remove multiple occurrences of the default profile ID
'caIPAserviceCert'.
Part of: https://fedorahosted.org/freeipa/ticket/57
---
API.txt | 3 ++-
checks/check-ra.py | 2 +-
ipalib/plugins/cert.py | 2 +-
ipapython/dogtag.py | 6 ++++--
ipaserver/install/certs.py | 2 +-
ipaserver/plugins/dogtag.py | 7 +++++--
ipaserver/plugins/rabase.py | 3 ++-
7 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/API.txt b/API.txt
index 55d2baccaaf7a6cd891aa872935c01c76781c273..93ef2cdae533ad5564685bb21c8857a807dc8e08 100644
--- a/API.txt
+++ b/API.txt
@@ -485,10 +485,11 @@ arg: Str('serial_number')
option: Str('version?', exclude='webui')
output: Output('result', None, None)
command: cert_request
-args: 1,4,1
+args: 1,5,1
arg: File('csr', cli_name='csr_file')
option: Flag('add', autofill=True, default=False)
option: Str('principal')
+option: Str('profile_id')
option: Str('request_type', autofill=True, default=u'pkcs10')
option: Str('version?', exclude='webui')
output: Output('result', <type 'dict'>, None)
diff --git a/checks/check-ra.py b/checks/check-ra.py
index a1df50ba4a4ad7fc0b6d2118e40977b1da6edf65..28929545ab7f0a63e47a3829c53cf08d784c9524 100755
--- a/checks/check-ra.py
+++ b/checks/check-ra.py
@@ -90,7 +90,7 @@ def assert_equal(trial, reference):
api.log.info('******** Testing ra.request_certificate() ********')
-request_result = ra.request_certificate(csr)
+request_result = ra.request_certificate(csr, ra.DEFAULT_PROFILE)
if verbose: print "request_result=\n%s" % request_result
assert_equal(request_result,
{'subject' : subject,
diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
index 7e2c77622b3627e9e57bbcb69291f723ecf509bf..e4cb6dc0aa8b89368806b08674aae277b3653e8f 100644
--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
@@ -436,7 +436,7 @@ class cert_request(VirtualCommand):
# Request the certificate
result = self.Backend.ra.request_certificate(
- csr, request_type=request_type)
+ csr, 'caIPAserviceCert', request_type=request_type)
cert = x509.load_certificate(result['certificate'])
result['issuer'] = unicode(cert.issuer)
result['valid_not_before'] = unicode(cert.valid_not_before_str)
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index e0091ba8747dff3a488b9908f057ae15c6b4bedc..6476d7e5813967cb1b812dc8a01eb3a0fae96d4e 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -47,6 +47,8 @@ INCLUDED_PROFILES = {
(u'DefaultService', u'Standard profile for network services', True),
}
+DEFAULT_PROFILE = 'caIPAserviceCert'
+
class Dogtag10Constants(object):
DOGTAG_VERSION = 10
UNSECURE_PORT = 8080
@@ -76,7 +78,7 @@ class Dogtag10Constants(object):
RACERT_LINE_SEP = '\n'
- IPA_SERVICE_PROFILE = '%s/caIPAserviceCert.cfg' % SERVICE_PROFILE_DIR
+ IPA_SERVICE_PROFILE = '%s/%s.cfg' % (SERVICE_PROFILE_DIR, DEFAULT_PROFILE)
SIGN_PROFILE = '%s/caJarSigningCert.cfg' % SERVICE_PROFILE_DIR
SHARED_DB = True
DS_USER = "dirsrv"
@@ -115,7 +117,7 @@ class Dogtag9Constants(object):
EE_CLIENT_AUTH_PORT = 9446
TOMCAT_SERVER_PORT = 9701
- IPA_SERVICE_PROFILE = '%s/caIPAserviceCert.cfg' % SERVICE_PROFILE_DIR
+ IPA_SERVICE_PROFILE = '%s/%s.cfg' % (SERVICE_PROFILE_DIR, DEFAULT_PROFILE)
SIGN_PROFILE = '%s/caJarSigningCert.cfg' % SERVICE_PROFILE_DIR
SHARED_DB = False
DS_USER = "pkisrv"
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index bc7dccf805386e9fa84b58d2ff9346085e1b93b1..564332e6fde0698a23884922c5018fab59da7e4d 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -386,7 +386,7 @@ class CertDB(object):
# We just want the CSR bits, make sure there is nothing else
csr = pkcs10.strip_header(csr)
- params = {'profileId': 'caIPAserviceCert',
+ params = {'profileId': dogtag.DEFAULT_PROFILE,
'cert_request_type': 'pkcs10',
'requestor_name': 'IPA Installer',
'cert_request': csr,
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index 880b319d68728a40f4479626d5a7c2b8c56ced02..e6668bb43b994863a14fdd347635753422ed9388 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -1284,6 +1284,8 @@ class ra(rabase.rabase):
"""
Request Authority backend plugin.
"""
+ DEFAULT_PROFILE = dogtag.DEFAULT_PROFILE
+
def __init__(self):
if api.env.in_tree:
self.sec_dir = api.env.dot_ipa + os.sep + 'alias'
@@ -1541,9 +1543,10 @@ class ra(rabase.rabase):
return cmd_result
- def request_certificate(self, csr, request_type='pkcs10'):
+ def request_certificate(self, csr, profile_id, request_type='pkcs10'):
"""
:param csr: The certificate signing request.
+ :param profile_id: The profile to use for the request.
:param request_type: The request type (defaults to ``'pkcs10'``).
Submit certificate signing request.
@@ -1575,7 +1578,7 @@ class ra(rabase.rabase):
http_status, http_reason_phrase, http_headers, http_body = \
self._sslget('/ca/eeca/ca/profileSubmitSSLClient',
self.env.ca_ee_port,
- profileId='caIPAserviceCert',
+ profileId=profile_id,
cert_request_type=request_type,
cert_request=csr,
xml='true')
diff --git a/ipaserver/plugins/rabase.py b/ipaserver/plugins/rabase.py
index e14969970ef5b402d06b766f895200c6eb4fc76f..cf4426235b02866a3f565c51c52c44aabbdc1153 100644
--- a/ipaserver/plugins/rabase.py
+++ b/ipaserver/plugins/rabase.py
@@ -67,11 +67,12 @@ class rabase(Backend):
"""
raise errors.NotImplementedError(name='%s.get_certificate' % self.name)
- def request_certificate(self, csr, request_type='pkcs10'):
+ def request_certificate(self, csr, profile_id, request_type='pkcs10'):
"""
Submit certificate signing request.
:param csr: The certificate signing request.
+ :param profile_id: Profile to use for this request.
:param request_type: The request type (defaults to ``'pkcs10'``).
"""
raise errors.NotImplementedError(name='%s.request_certificate' % self.name)
--
2.1.0
-------------- next part --------------
>From 9bf0edfbb1e5458e92c76309c58fade50b9fc0d0 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Mon, 18 May 2015 22:11:52 -0400
Subject: [PATCH 10/11] Add usercertificate attribute to user plugin
---
ACI.txt | 2 +-
API.txt | 18 ++++++++++++------
install/share/default-aci.ldif | 1 +
install/updates/20-aci.update | 4 ++++
ipalib/plugins/baseuser.py | 10 ++++++++--
ipalib/plugins/user.py | 4 ++--
6 files changed, 28 insertions(+), 11 deletions(-)
diff --git a/ACI.txt b/ACI.txt
index 870a343f0e59fa2075b53e881c224d4965984d08..279d15d6dcf2a465a07ec27a67b15bf452da6c81 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -281,7 +281,7 @@ aci: (targetattr = "krbprincipalkey || passwordhistory || sambalmpassword || sam
dn: cn=users,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "ipasshpubkey")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=System: Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=users,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "businesscategory || carlicense || cn || description || displayname || employeetype || facsimiletelephonenumber || gecos || givenname || homephone || inetuserhttpurl || initials || l || labeleduri || loginshell || manager || mepmanagedentry || mobile || objectclass || ou || pager || postalcode || preferredlanguage || roomnumber || secretary || seealso || sn || st || street || telephonenumber || title || userclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Modify Users";allow (write) groupdn = "ldap:///cn=System: Modify Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "businesscategory || carlicense || cn || description || displayname || employeetype || facsimiletelephonenumber || gecos || givenname || homephone || inetuserhttpurl || initials || l || labeleduri || loginshell || manager || mepmanagedentry || mobile || objectclass || ou || pager || postalcode || preferredlanguage || roomnumber || secretary || seealso || sn || st || street || telephonenumber || title || usercertificate || userclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Modify Users";allow (write) groupdn = "ldap:///cn=System: Modify Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=ipa,dc=example
aci: (targetattr = "*")(target = "ldap:///cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read UPG Definition";allow (compare,read,search) groupdn = "ldap:///cn=System: Read UPG Definition,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=users,cn=accounts,dc=ipa,dc=example
diff --git a/API.txt b/API.txt
index 93ef2cdae533ad5564685bb21c8857a807dc8e08..a1ff2afbd1d29087c4295bf9b58b596f73279c27 100644
--- a/API.txt
+++ b/API.txt
@@ -3772,7 +3772,7 @@ output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDA
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: PrimaryKey('value', None, None)
command: stageuser_add
-args: 1,43,3
+args: 1,44,3
arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, required=True)
option: Str('addattr*', cli_name='addattr', exclude='webui')
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
@@ -3814,6 +3814,7 @@ option: Str('street', attribute=True, cli_name='street', multivalue=False, requi
option: Str('telephonenumber', attribute=True, cli_name='phone', multivalue=True, required=False)
option: Str('title', attribute=True, cli_name='title', multivalue=False, required=False)
option: Int('uidnumber', attribute=True, cli_name='uid', minvalue=1, multivalue=False, required=False)
+option: Bytes('usercertificate', attribute=True, cli_name='certificate', multivalue=False, required=False)
option: Str('userclass', attribute=True, cli_name='class', multivalue=True, required=False)
option: Password('userpassword', attribute=True, cli_name='password', exclude='webui', multivalue=False, required=False)
option: Str('version?', exclude='webui')
@@ -3829,7 +3830,7 @@ output: Output('result', <type 'dict'>, None)
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: ListOfPrimaryKeys('value', None, None)
command: stageuser_find
-args: 1,52,4
+args: 1,53,4
arg: Str('criteria?', noextrawhitespace=False)
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Str('carlicense', attribute=True, autofill=False, cli_name='carlicense', multivalue=True, query=True, required=False)
@@ -3880,6 +3881,7 @@ option: Int('timelimit?', autofill=False, minvalue=0)
option: Str('title', attribute=True, autofill=False, cli_name='title', multivalue=False, query=True, required=False)
option: Str('uid', attribute=True, autofill=False, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=False)
option: Int('uidnumber', attribute=True, autofill=False, cli_name='uid', minvalue=1, multivalue=False, query=True, required=False)
+option: Bytes('usercertificate', attribute=True, autofill=False, cli_name='certificate', multivalue=False, query=True, required=False)
option: Str('userclass', attribute=True, autofill=False, cli_name='class', multivalue=True, query=True, required=False)
option: Password('userpassword', attribute=True, autofill=False, cli_name='password', exclude='webui', multivalue=False, query=True, required=False)
option: Str('version?', exclude='webui')
@@ -3888,7 +3890,7 @@ output: ListOfEntries('result', (<type 'list'>, <type 'tuple'>), Gettext('A list
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: Output('truncated', <type 'bool'>, None)
command: stageuser_mod
-args: 1,44,3
+args: 1,45,3
arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True)
option: Str('addattr*', cli_name='addattr', exclude='webui')
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
@@ -3931,6 +3933,7 @@ option: Str('street', attribute=True, autofill=False, cli_name='street', multiva
option: Str('telephonenumber', attribute=True, autofill=False, cli_name='phone', multivalue=True, required=False)
option: Str('title', attribute=True, autofill=False, cli_name='title', multivalue=False, required=False)
option: Int('uidnumber', attribute=True, autofill=False, cli_name='uid', minvalue=1, multivalue=False, required=False)
+option: Bytes('usercertificate', attribute=True, autofill=False, cli_name='certificate', multivalue=False, required=False)
option: Str('userclass', attribute=True, autofill=False, cli_name='class', multivalue=True, required=False)
option: Password('userpassword', attribute=True, autofill=False, cli_name='password', exclude='webui', multivalue=False, required=False)
option: Str('version?', exclude='webui')
@@ -4558,7 +4561,7 @@ output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDA
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: PrimaryKey('value', None, None)
command: user_add
-args: 1,44,3
+args: 1,45,3
arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, required=True)
option: Str('addattr*', cli_name='addattr', exclude='webui')
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
@@ -4601,6 +4604,7 @@ option: Str('street', attribute=True, cli_name='street', multivalue=False, requi
option: Str('telephonenumber', attribute=True, cli_name='phone', multivalue=True, required=False)
option: Str('title', attribute=True, cli_name='title', multivalue=False, required=False)
option: Int('uidnumber', attribute=True, cli_name='uid', minvalue=1, multivalue=False, required=False)
+option: Bytes('usercertificate', attribute=True, cli_name='certificate', multivalue=False, required=False)
option: Str('userclass', attribute=True, cli_name='class', multivalue=True, required=False)
option: Password('userpassword', attribute=True, cli_name='password', exclude='webui', multivalue=False, required=False)
option: Str('version?', exclude='webui')
@@ -4632,7 +4636,7 @@ output: Output('result', <type 'bool'>, None)
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: PrimaryKey('value', None, None)
command: user_find
-args: 1,55,4
+args: 1,56,4
arg: Str('criteria?', noextrawhitespace=False)
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Str('carlicense', attribute=True, autofill=False, cli_name='carlicense', multivalue=True, query=True, required=False)
@@ -4685,6 +4689,7 @@ option: Int('timelimit?', autofill=False, minvalue=0)
option: Str('title', attribute=True, autofill=False, cli_name='title', multivalue=False, query=True, required=False)
option: Str('uid', attribute=True, autofill=False, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=False)
option: Int('uidnumber', attribute=True, autofill=False, cli_name='uid', minvalue=1, multivalue=False, query=True, required=False)
+option: Bytes('usercertificate', attribute=True, autofill=False, cli_name='certificate', multivalue=False, query=True, required=False)
option: Str('userclass', attribute=True, autofill=False, cli_name='class', multivalue=True, query=True, required=False)
option: Password('userpassword', attribute=True, autofill=False, cli_name='password', exclude='webui', multivalue=False, query=True, required=False)
option: Str('version?', exclude='webui')
@@ -4694,7 +4699,7 @@ output: ListOfEntries('result', (<type 'list'>, <type 'tuple'>), Gettext('A list
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: Output('truncated', <type 'bool'>, None)
command: user_mod
-args: 1,45,3
+args: 1,46,3
arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True)
option: Str('addattr*', cli_name='addattr', exclude='webui')
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
@@ -4738,6 +4743,7 @@ option: Str('street', attribute=True, autofill=False, cli_name='street', multiva
option: Str('telephonenumber', attribute=True, autofill=False, cli_name='phone', multivalue=True, required=False)
option: Str('title', attribute=True, autofill=False, cli_name='title', multivalue=False, required=False)
option: Int('uidnumber', attribute=True, autofill=False, cli_name='uid', minvalue=1, multivalue=False, required=False)
+option: Bytes('usercertificate', attribute=True, autofill=False, cli_name='certificate', multivalue=False, required=False)
option: Str('userclass', attribute=True, autofill=False, cli_name='class', multivalue=True, required=False)
option: Password('userpassword', attribute=True, autofill=False, cli_name='password', exclude='webui', multivalue=False, required=False)
option: Str('version?', exclude='webui')
diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index af7eedb0b92375f893a61ad1fb6e2d7b176389f9..7b174e774aae3ea012a431fe4a2535fb4230e402 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -10,6 +10,7 @@ changetype: modify
add: aci
aci: (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)
aci: (targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)
+aci: (targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can manage their own X.509 certificates";allow (write) userdn = "ldap:///self";)
dn: cn=etc,$SUFFIX
changetype: modify
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index fde3afeee59e4d4dc0bd6a9c0eb24ab255c4e637..8964876b0f07c664e4855baa3971a2c774073f09 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -79,3 +79,7 @@ add:aci: (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Group
add:aci: (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Entities are allowed to rekey themselves"; allow(write) userdn="ldap:///self";)
add:aci: (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Admins are allowed to rekey any entity"; allow(write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
add:aci: (targetfilter="(|(objectclass=ipaHost)(objectclass=ipaService))")(targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Entities are allowed to rekey managed entries"; allow(write) userattr="managedby#USERDN";)
+
+# User certificates
+dn: $SUFFIX
+add:aci:(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own X.509 certificates";allow (write) userdn = "ldap:///self";)
diff --git a/ipalib/plugins/baseuser.py b/ipalib/plugins/baseuser.py
index a1be29d83550a0412ed37cfde47ac74c6ca478fd..5004cbc12f0eaecfffa0d14e8367a5c5ca4a70fd 100644
--- a/ipalib/plugins/baseuser.py
+++ b/ipalib/plugins/baseuser.py
@@ -23,10 +23,11 @@ import posixpath
import os
from ipalib import api, errors
-from ipalib import Flag, Int, Password, Str, Bool, StrEnum, DateTime
+from ipalib import Flag, Int, Password, Str, Bool, StrEnum, DateTime, Bytes
from ipalib.plugable import Registry
from ipalib.plugins.baseldap import DN, LDAPObject, \
LDAPCreate, LDAPUpdate, LDAPSearch, LDAPDelete, LDAPRetrieve
+from ipalib.plugins.service import validate_certificate
from ipalib.plugins import baseldap
from ipalib.request import context
from ipalib import _, ngettext
@@ -188,7 +189,7 @@ class baseuser(LDAPObject):
'telephonenumber', 'title', 'memberof', 'nsaccountlock',
'memberofindirect', 'ipauserauthtype', 'userclass',
'ipatokenradiusconfiglink', 'ipatokenradiususername',
- 'krbprincipalexpiration'
+ 'krbprincipalexpiration', 'usercertificate',
]
search_display_attributes = [
'uid', 'givenname', 'sn', 'homedirectory', 'loginshell',
@@ -383,6 +384,11 @@ class baseuser(LDAPObject):
+ '(\s*,\s*[a-zA-Z]{1,8}(-[a-zA-Z]{1,8})?(;q\=((0(\.[0-9]{0,3})?)|(1(\.0{0,3})?)))?)*)|(\*))$',
pattern_errmsg='must match RFC 2068 - 14.4, e.g., "da, en-gb;q=0.8, en;q=0.7"',
),
+ Bytes('usercertificate?', validate_certificate,
+ cli_name='certificate',
+ label=_('Certificate'),
+ doc=_('Base-64 encoded server certificate'),
+ ),
)
def normalize_and_validate_email(self, email, config=None):
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 54d47bb01450ec462577e552315e3d680b7648c3..e0004a5b01bf48887ca1bc429d8b37342e1c9cc0 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -267,10 +267,10 @@ class user(baseuser):
'mepmanagedentry', 'mobile', 'objectclass', 'ou', 'pager',
'postalcode', 'roomnumber', 'secretary', 'seealso', 'sn', 'st',
'street', 'telephonenumber', 'title', 'userclass',
- 'preferredlanguage',
+ 'preferredlanguage', 'usercertificate',
},
'replaces': [
- '(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,$SUFFIX";)',
+ '(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || usercertificate || ou || mepmanagedentry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Users";allow (write) groupdn = "ldap:///cn=Modify Users,cn=permissions,cn=pbac,$SUFFIX";)',
],
'default_privileges': {
'User Administrators',
--
2.1.0
-------------- next part --------------
>From a877bad933cfb7454e670a684ce976194946f4c6 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Thu, 14 May 2015 01:45:16 -0400
Subject: [PATCH 11/11] Update cert-request to support user certs and profiles
Part of: https://fedorahosted.org/freeipa/ticket/57
Part of: https://fedorahosted.org/freeipa/ticket/4938
---
ipalib/pkcs10.py | 1 +
ipalib/plugins/cert.py | 174 ++++++++++++++++++++++++++-----------------------
2 files changed, 94 insertions(+), 81 deletions(-)
diff --git a/ipalib/pkcs10.py b/ipalib/pkcs10.py
index f35e200a2c1b47e2a2c8cffcf9b723f398fe3221..6299dfea43b7a3f4104f0b0ec78c4f105d9daf62 100644
--- a/ipalib/pkcs10.py
+++ b/ipalib/pkcs10.py
@@ -30,6 +30,7 @@ PEM = 0
DER = 1
SAN_DNSNAME = 'DNS name'
+SAN_RFC822NAME = 'RFC822 Name'
SAN_OTHERNAME_UPN = 'Other Name (OID.1.3.6.1.4.1.311.20.2.3)'
SAN_OTHERNAME_KRB5PRINCIPALNAME = 'Other Name (OID.1.3.6.1.5.2.2)'
diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
index e4cb6dc0aa8b89368806b08674aae277b3653e8f..8fe5b9daf88870647067db37e6e3929cbc11626e 100644
--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
@@ -31,7 +31,8 @@ from ipalib import ngettext
from ipalib.plugable import Registry
from ipalib.plugins.virtual import *
from ipalib.plugins.baseldap import pkey_to_value
-from ipalib.plugins.service import split_principal
+from ipalib.plugins.service import split_any_principal
+from ipalib.plugins.certprofile import validate_profile_id
import base64
import traceback
from ipalib.text import _
@@ -122,6 +123,8 @@ http://www.ietf.org/rfc/rfc5280.txt
""")
+USER, HOST, SERVICE = range(3)
+
register = Registry()
def validate_pkidate(ugettext, value):
@@ -232,7 +235,7 @@ class cert_request(VirtualCommand):
takes_options = (
Str('principal',
label=_('Principal'),
- doc=_('Service principal for this certificate (e.g. HTTP/test.example.com)'),
+ doc=_('Principal for this certificate (e.g. HTTP/test.example.com)'),
),
Str('request_type',
default=u'pkcs10',
@@ -243,6 +246,10 @@ class cert_request(VirtualCommand):
default=False,
autofill=True
),
+ Str('profile_id', validate_profile_id,
+ label=_("Profile ID"),
+ doc=_("Certificate Profile to use"),
+ )
)
has_output_params = (
@@ -294,10 +301,9 @@ class cert_request(VirtualCommand):
ca_enabled_check()
ldap = self.api.Backend.ldap2
- principal = kw.get('principal')
add = kw.get('add')
request_type = kw.get('request_type')
- service = None
+ profile_id = kw.get('profile_id', self.Backend.ra.DEFAULT_PROFILE)
"""
Access control is partially handled by the ACI titled
@@ -310,9 +316,20 @@ class cert_request(VirtualCommand):
taskgroup (directly or indirectly via role membership).
"""
- bind_principal = getattr(context, 'principal')
- # Can this user request certs?
- if not bind_principal.startswith('host/'):
+ principal = split_any_principal(kw.get('principal'))
+ servicename, principal_name, realm = principal
+ if servicename is None:
+ principal_type = USER
+ elif servicename == 'host':
+ principal_type = HOST
+ else:
+ principal_type = SERVICE
+
+ bind_principal = split_any_principal(getattr(context, 'principal'))
+ bind_service, _, _ = bind_principal
+
+ if bind_principal != principal:
+ # Can the bound principal request certs for another principal?
self.check_access()
try:
@@ -323,57 +340,54 @@ class cert_request(VirtualCommand):
raise errors.CertificateOperationError(
error=_("Failure decoding Certificate Signing Request: %s") % e)
- if not bind_principal.startswith('host/'):
+ # host principals may bypass allowed ext check
+ if bind_service != 'host':
for ext in extensions:
operation = self._allowed_extensions.get(ext)
if operation:
self.check_access(operation)
- # Ensure that the hostname in the CSR matches the principal
- subject_host = subject.common_name #pylint: disable=E1101
- if not subject_host:
+
+ # Ensure that the DN in the CSR matches the principal
+ cn = subject.common_name #pylint: disable=E1101
+ if not cn:
raise errors.ValidationError(name='csr',
- error=_("No hostname was found in subject of request."))
+ error=_("No Common Name was found in subject of request."))
- (servicename, hostname, realm) = split_principal(principal)
- if subject_host.lower() != hostname.lower():
- raise errors.ACIError(
- info=_("hostname in subject of request '%(subject_host)s' "
- "does not match principal hostname '%(hostname)s'") % dict(
- subject_host=subject_host, hostname=hostname))
+ if principal_type in (SERVICE, HOST):
+ if cn.lower() != principal_name.lower():
+ raise errors.ACIError(
+ info=_("hostname in subject of request '%(cn)s' "
+ "does not match principal hostname '%(hostname)s'")
+ % dict(cn=cn, hostname=principal_name))
+ elif principal_type == USER:
+ pass # TODO require cn / emailAddress to match user
for ext in extensions:
if ext not in self._allowed_extensions:
raise errors.ValidationError(
name='csr', error=_("extension %s is forbidden") % ext)
- for name_type, name in subjectaltname:
- if name_type not in (pkcs10.SAN_DNSNAME,
- pkcs10.SAN_OTHERNAME_KRB5PRINCIPALNAME,
- pkcs10.SAN_OTHERNAME_UPN):
- raise errors.ValidationError(
- name='csr',
- error=_("subject alt name type %s is forbidden") %
- name_type)
-
dn = None
- service = None
+ principal_obj = None
# See if the service exists and punt if it doesn't and we aren't
# going to add it
try:
- if servicename != 'host':
- service = api.Command['service_show'](principal, all=True)
- else:
- service = api.Command['host_show'](hostname, all=True)
- except errors.NotFound, e:
- if not add:
- raise errors.NotFound(reason=_("The service principal for "
- "this request doesn't exist."))
- service = api.Command['service_add'](principal, force=True)
- service = service['result']
- dn = service['dn']
+ if principal_type == SERVICE:
+ principal_obj = api.Command['service_show'](principal, all=True)
+ elif principal_type == HOST:
+ principal_obj = api.Command['host_show'](principal_name, all=True)
+ elif principal_type == USER:
+ principal_obj = api.Command['user_show'](principal_name, all=True)
+ except errors.NotFound as e:
+ if principal_type != SERVICE or not add:
+ raise errors.NotFound(
+ reason=_("The principal for this request doesn't exist."))
+ principal_obj = api.Command['service_add'](principal, force=True)
+ principal_obj = principal_obj['result']
+ dn = principal_obj['dn']
- # We got this far so the service entry exists, can we write it?
+ # We got this far so the principal entry exists, can we write it?
if not ldap.can_write(dn, "usercertificate"):
raise errors.ACIError(info=_("Insufficient 'write' privilege "
"to the 'userCertificate' attribute of entry '%s'.") % dn)
@@ -382,13 +396,20 @@ class cert_request(VirtualCommand):
for name_type, name in subjectaltname:
if name_type == pkcs10.SAN_DNSNAME:
name = unicode(name)
+ alt_principal_obj = None
try:
- if servicename == 'host':
- altservice = api.Command['host_show'](name, all=True)
- else:
+ if principal_type == HOST:
+ alt_principal_obj = api.Command['host_show'](name, all=True)
+ elif principal_type == SERVICE:
altprincipal = '%s/%s@%s' % (servicename, name, realm)
- altservice = api.Command['service_show'](
+ alt_principal_obj = api.Command['service_show'](
altprincipal, all=True)
+ elif principal_type == USER:
+ raise errors.ValidationError(
+ name='csr',
+ error=_("subject alt name type %s is forbidden "
+ "for user principals") % name_type
+ )
except errors.NotFound:
# We don't want to issue any certificates referencing
# machines we don't know about. Nothing is stored in this
@@ -396,47 +417,35 @@ class cert_request(VirtualCommand):
raise errors.NotFound(reason=_('The service principal for '
'subject alt name %s in certificate request does not '
'exist') % name)
- altdn = altservice['result']['dn']
- if not ldap.can_write(altdn, "usercertificate"):
- raise errors.ACIError(info=_(
- "Insufficient privilege to create a certificate with "
- "subject alt name '%s'.") % name)
+ if alt_principal_obj is not None:
+ altdn = alt_principal_obj['result']['dn']
+ if not ldap.can_write(altdn, "usercertificate"):
+ raise errors.ACIError(info=_(
+ "Insufficient privilege to create a certificate "
+ "with subject alt name '%s'.") % name)
elif name_type in (pkcs10.SAN_OTHERNAME_KRB5PRINCIPALNAME,
pkcs10.SAN_OTHERNAME_UPN):
if name != principal:
raise errors.ACIError(
info=_("Principal '%s' in subject alt name does not "
- "match requested service principal") % name)
+ "match requested principal") % name)
+ elif name_type == pkcs10.SAN_RFC822NAME:
+ if principal_type == USER:
+ pass # TODO require match to user email address
+ else:
+ raise errors.ValidationError(
+ name='csr',
+ error=_("subject alt name type %s is forbidden "
+ "for non-user principals") % name_type
+ )
else:
raise errors.ACIError(
info=_("Subject alt name type %s is forbidden") %
name_type)
- if 'usercertificate' in service:
- serial = x509.get_serial_number(service['usercertificate'][0], datatype=x509.DER)
- # revoke the certificate and remove it from the service
- # entry before proceeding. First we retrieve the certificate to
- # see if it is already revoked, if not then we revoke it.
- try:
- result = api.Command['cert_show'](unicode(serial))['result']
- if 'revocation_reason' not in result:
- try:
- api.Command['cert_revoke'](unicode(serial), revocation_reason=4)
- except errors.NotImplementedError:
- # some CA's might not implement revoke
- pass
- except errors.NotImplementedError:
- # some CA's might not implement get
- pass
- if not principal.startswith('host/'):
- api.Command['service_mod'](principal, usercertificate=None)
- else:
- hostname = get_host_from_principal(principal)
- api.Command['host_mod'](hostname, usercertificate=None)
-
# Request the certificate
result = self.Backend.ra.request_certificate(
- csr, 'caIPAserviceCert', request_type=request_type)
+ csr, profile_id, request_type=request_type)
cert = x509.load_certificate(result['certificate'])
result['issuer'] = unicode(cert.issuer)
result['valid_not_before'] = unicode(cert.valid_not_before_str)
@@ -444,15 +453,18 @@ class cert_request(VirtualCommand):
result['md5_fingerprint'] = unicode(nss.data_to_hex(nss.md5_digest(cert.der_data), 64)[0])
result['sha1_fingerprint'] = unicode(nss.data_to_hex(nss.sha1_digest(cert.der_data), 64)[0])
- # Success? Then add it to the service entry.
- if 'certificate' in result:
- if not principal.startswith('host/'):
- skw = {"usercertificate": str(result.get('certificate'))}
+ # Success? Then add it to the principal's entry
+ # (unless the profile tells us not to)
+ profile = api.Command['certprofile_show'](profile_id)
+ profile_store_issued = profile['result']['ipacertprofilestoreissued']
+ if profile_store_issued and 'certificate' in result:
+ skw = {"usercertificate": str(result.get('certificate'))}
+ if principal_type == SERVICE:
api.Command['service_mod'](principal, **skw)
- else:
- hostname = get_host_from_principal(principal)
- skw = {"usercertificate": str(result.get('certificate'))}
- api.Command['host_mod'](hostname, **skw)
+ elif principal_type == HOST:
+ api.Command['host_mod'](principal_name, **skw)
+ elif principal_type == USER:
+ api.Command['user_mod'](principal_name, **skw)
return dict(
result=result
--
2.1.0
More information about the Freeipa-devel
mailing list