[Freeipa-devel] [PATCH] 0101 Add ca-disable and ca-enable commands
Fraser Tweedale
ftweedal at redhat.com
Thu Aug 25 08:25:23 UTC 2016
Hi team,
The attached patch fixes
https://fedorahosted.org/freeipa/ticket/6257.
The behaviour of cert-request when the CA is disabled is not very
nice (it reports a server error from Dogtag). The Dogtag REST
interface gives much better errors so I plan to move to it in a
later change (which will also address
https://fedorahosted.org/freeipa/ticket/3473, in part).
Thanks,
Fraser
-------------- next part --------------
From 1d99777c2145d33278d2b1d8a4e8a2d1341c8e4d Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Thu, 25 Aug 2016 17:00:01 +1000
Subject: [PATCH] Add ca-disable and ca-enable commands
We soon plan to revoke certificates upon lightweight CA deletion.
This makes it important to provide a way to prevent a CA from
issuing certificates whilst not deleting and revoking it, and
continuing to allow management of issued certs.
This commit adds the ca-disable and ca-enable commands.
Fixes: https://fedorahosted.org/freeipa/ticket/6257
---
API.txt | 16 ++++++++++++
VERSION | 4 +--
ipaserver/plugins/ca.py | 62 +++++++++++++++++++++++++++++++++++++++++++--
ipaserver/plugins/dogtag.py | 6 +++++
4 files changed, 84 insertions(+), 4 deletions(-)
diff --git a/API.txt b/API.txt
index 5b83bfbd0b457b77e0522ab7d83abfae4df3ebe9..27b64ee143fa4f5f55c1b8a32446f004a8e3bb22 100644
--- a/API.txt
+++ b/API.txt
@@ -465,6 +465,20 @@ option: Str('version?')
output: Output('result', type=[<type 'dict'>])
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: ListOfPrimaryKeys('value')
+command: ca_disable/1
+args: 1,1,3
+arg: Str('cn', cli_name='name')
+option: Str('version?')
+output: Output('result', type=[<type 'bool'>])
+output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
+output: PrimaryKey('value')
+command: ca_enable/1
+args: 1,1,3
+arg: Str('cn', cli_name='name')
+option: Str('version?')
+output: Output('result', type=[<type 'bool'>])
+output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
+output: PrimaryKey('value')
command: ca_find/1
args: 1,11,4
arg: Str('criteria?')
@@ -6249,6 +6263,8 @@ default: batch/1
default: ca/1
default: ca_add/1
default: ca_del/1
+default: ca_disable/1
+default: ca_enable/1
default: ca_find/1
default: ca_is_enabled/1
default: ca_mod/1
diff --git a/VERSION b/VERSION
index a8b89ed305bcfdf2990a7400d005a68d734fa7e8..8cc8b11c7c3e985ab53279b27a4701021e4271ba 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
# #
########################################################
IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=212
-# Last change: ab: service: add flag to allow S4U2Self
+IPA_API_VERSION_MINOR=213
+# Last change: ftweedal: add ca-disable and ca-enable commands
diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py
index 966ae2b1bdb4bb0207dfa58f0e9c951bc930f766..93c48722720e8509c2d096d66f9f2bd1c5c631d8 100644
--- a/ipaserver/plugins/ca.py
+++ b/ipaserver/plugins/ca.py
@@ -2,12 +2,12 @@
# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
#
-from ipalib import api, errors, DNParam, Str
+from ipalib import api, errors, output, DNParam, Str
from ipalib.constants import IPA_CA_CN
from ipalib.plugable import Registry
from ipaserver.plugins.baseldap import (
LDAPObject, LDAPSearch, LDAPCreate, LDAPDelete,
- LDAPUpdate, LDAPRetrieve)
+ LDAPUpdate, LDAPRetrieve, LDAPQuery, pkey_to_value)
from ipaserver.plugins.cert import ca_enabled_check
from ipalib import _, ngettext
@@ -18,6 +18,14 @@ Manage Certificate Authorities
Subordinate Certificate Authorities (Sub-CAs) can be added for scoped issuance
of X.509 certificates.
+CAs are enabled on creation, but their use is subject to CA ACLs unless the
+operator has permission to bypass CA ACLs.
+
+All CAs except the 'IPA' CA can be disabled or re-enabled. Disabling a CA
+prevents it from issuing certificates but does not affect the validity of its
+certificate.
+
+
EXAMPLES:
Create new CA, subordinate to the IPA CA.
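Review bot: The new docstring paragraph explains what disabling prevents (issuance) and what it preserves (the CA's own certificate), but it does not say what happens to certificates the CA has already issued, which is the question an operator reading "disable" will ask first and which the commit message answers ("continuing to allow management of issued certs"). Suggest adding one sentence after `certificate.`: `Certificates already issued by a disabled CA remain valid and can still be managed (e.g. revoked) while the CA is disabled.` The module docstring starts before this hunk.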
@@ -25,6 +33,10 @@ EXAMPLES:
ipa ca-add puppet --desc "Puppet" \\
--subject "CN=Puppet CA,O=EXAMPLE.COM"
+ Disable a CA.
+
+ ipa ca-disable puppet
+
""")
@@ -222,3 +234,49 @@ class ca_mod(LDAPUpdate):
reason=u'IPA CA cannot be renamed')
return dn
+
+
+ at register()
+class ca_disable(LDAPQuery):
+ __doc__ = _('Disable a CA.')
+
+ msg_summary = _('Disabled CA "%(value)s"')
+ has_output = output.standard_value
+
+ def execute(self, cn, **options):
+ ca_enabled_check()
+
+ if cn == IPA_CA_CN:
+ raise errors.ProtectedEntryError(
+ label=_("CA"),
+ key=cn,
+ reason=_("IPA CA cannot be disabled"))
+
+ ca_id = self.api.Command.ca_show(cn)['result']['ipacaid'][0]
+ with self.api.Backend.ra_lightweight_ca as ca_api:
+ ca_api.disable_ca(ca_id)
+
+ return dict(
+ result=True,
+ value=pkey_to_value(cn, options),
+ )
+
+
+ at register()
+class ca_enable(LDAPQuery):
+ __doc__ = _('Enable a CA.')
+
+ msg_summary = _('Enabled CA "%(value)s"')
+ has_output = output.standard_value
+
+ def execute(self, cn, **options):
+ ca_enabled_check()
+
+ ca_id = self.api.Command.ca_show(cn)['result']['ipacaid'][0]
+ with self.api.Backend.ra_lightweight_ca as ca_api:
+ ca_api.enable_ca(ca_id)
+
+ return dict(
+ result=True,
+ value=pkey_to_value(cn, options),
+ )
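Review bot: Neither `ca_disable.execute` nor `ca_enable.execute` performs an authorization check of its own: within the hunk the only gate before `ca_api.disable_ca(ca_id)` / `ca_api.enable_ca(ca_id)` is the `ca_show` lookup, and `ra_lightweight_ca` talks to Dogtag with the server's own RA credentials rather than the caller's, so any principal with read access to the CA entry can presumably toggle issuance for it — unless `LDAPQuery` or a managed permission elsewhere enforces this, which the hunk does not show. Consider gating both commands on a dedicated write-style permission on the CA entry and stating it in the class docstrings, e.g. `__doc__ = _('Disable a CA.  Requires permission to modify the CA entry.')`. Separately, `ca_enable` lacks the `IPA_CA_CN` guard that `ca_disable` has; if enabling the IPA CA is a harmless no-op on the Dogtag side a comment saying so would explain the asymmetry, otherwise mirror the `ProtectedEntryError` check. The decorator lines read `at register()` only because the archive rewrites `@`.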
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index aef1e888eb1b6c273c1fd12cbf4912407f8f8132..01e5f1383ee135696a8e968793863ce964025094 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -2211,5 +2211,11 @@ class ra_lightweight_ca(RestClient):
headers={'Accept': 'application/json'},
)
+ def enable_ca(self, ca_id):
+ self._ssldo(
+ 'POST', ca_id + '/enable',
+ headers={'Accept': 'application/json'},
+ )
+
def delete_ca(self, ca_id):
self._ssldo('DELETE', ca_id)
--
2.5.5