[Pki-devel] [PATCH] 0105 Add pki-server ca-cert-db-upgrade command
Fraser Tweedale
ftweedal at redhat.com
Mon May 9 07:15:14 UTC 2016
Hi all,
The following patch adds a pki-server subcommand for updating
certificate records to add the issuerName attribute.
It is for #1667 (Database upgrade script to add issuerName attribute
to all cert entries).
Follow-up question: should I (and if so, how should I) also add an
upgrade scriptlet to perform the upgrade for Dogtag CA subsystem on
the host? Is there a precedent for invoking pki-server (or
subroutines thereof) from pki-server-upgrade scriptlets?
Cheers,
Fraser
From 9d994fe2c4e31c3d4212673f1dd3a0c8e84c40a3 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Mon, 9 May 2016 17:00:54 +1000
Subject: [PATCH] Add pki-server ca-cert-db-upgrade command
Add the 'ca-cert-db-upgrade' command to 'pki-server', which updates
certificate records to add the issuerName attribute where missing.
Part of: https://fedorahosted.org/pki/ticket/1667
---
base/server/python/pki/server/cli/ca.py | 81 +++++++++++++++++++++++++++++++++
1 file changed, 81 insertions(+)
diff --git a/base/server/python/pki/server/cli/ca.py b/base/server/python/pki/server/cli/ca.py
index dbf8239f4f548714beb0c68d7bca2c84f6c0fb74..b76a8f8834cc0c7d802b38b83d3a8ce99fbb0d84 100644
--- a/base/server/python/pki/server/cli/ca.py
+++ b/base/server/python/pki/server/cli/ca.py
@@ -22,6 +22,8 @@ from __future__ import absolute_import
from __future__ import print_function
import getopt
import io
+import ldap
+import nss.nss as nss
import os
import shutil
import sys
@@ -48,6 +50,7 @@ class CACertCLI(pki.cli.CLI):
self.add_module(CACertChainCLI())
self.add_module(CACertRequestCLI())
+ self.add_module(CACertDBUpgrade())
class CACertChainCLI(pki.cli.CLI):
@@ -407,3 +410,81 @@ class CAClonePrepareCLI(pki.cli.CLI):
finally:
shutil.rmtree(tmpdir)
+
+
+class CACertDBUpgrade(pki.cli.CLI):
+ def __init__(self):
+ super(CACertDBUpgrade, self).__init__(
+ 'db-upgrade', 'Upgrade certificate records')
+
+ def usage(self):
+ print('Usage: pki-server ca-cert-db-upgrade [OPTIONS]')
+ print()
+ print(' -i, --instance <instance ID> Instance ID (default: pki-tomcat).')
+ print(' -v, --verbose Run in verbose mode.')
+ print(' --help Show help message.')
+ print()
+
+ def execute(self, args):
+ try:
+ opts, _ = getopt.gnu_getopt(
+ args, 'i:v', ['instance=', 'verbose', 'help'])
+
+ except getopt.GetoptError as e:
+ print('ERROR: ' + str(e))
+ self.usage()
+ sys.exit(1)
+
+ instance_name = 'pki-tomcat'
+
+ for o, a in opts:
+ if o in ('-i', '--instance'):
+ instance_name = a
+
+ elif o in ('-v', '--verbose'):
+ self.set_verbose(True)
+
+ elif o == '--help':
+ self.print_help()
+ sys.exit()
+
+ else:
+ print('ERROR: unknown option ' + o)
+ self.usage()
+ sys.exit(1)
+
+ nss.nss_init_nodb()
+
+ instance = pki.server.PKIInstance(instance_name)
+ instance.load()
+
+ subsystem = instance.get_subsystem('ca')
+ base_dn = subsystem.config['internaldb.basedn']
+ conn = subsystem.open_database()
+ try:
+ entries = conn.ldap.search_s(
+ 'ou=certificateRepository,ou=ca,%s' % base_dn,
+ ldap.SCOPE_ONELEVEL,
+ '(&(objectclass=certificateRecord)(!(issuerName=*)))',
+ None)
+ for entry in entries:
+ self.__add_issuer(conn, entry)
+ finally:
+ conn.close()
+
+ @staticmethod
+ def __add_issuer(conn, entry):
+ dn, attrs = entry
+ attr_cert = attrs.get('userCertificate;binary')
+ if not attr_cert:
+ return # shouldn't happen, but nothing we can do if it does
+
+ cert = nss.Certificate(bytearray(attr_cert[0]))
+ issuer_name = str(cert.issuer)
+
+ try:
+ conn.ldap.modify_s(dn, [(ldap.MOD_ADD, 'issuerName', issuer_name)])
+ except ldap.LDAPError as e:
+ print(
+ 'Failed to add issuerName to certificate {}: {}'
+ .format(attrs.get('cn', ['<unknown>'])[0], e))
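Review bot: Per-record failures in `__add_issuer` are only printed — the loop continues and `execute` returns normally, so the command exits 0 even when some records were not upgraded, while the unguarded `search_s` above the loop would instead surface as a raw traceback. Since the stated follow-up is to call this from a pki-server-upgrade scriptlet, a caller needs a non-zero exit to know the migration is incomplete: count failures in the `except ldap.LDAPError` branch (`failed += 1`), have `__add_issuer` return that, and end `execute` with `if failed: sys.exit(1)`, ideally after printing how many records were updated versus failed. Separately, `issuer_name = str(cert.issuer)` stores whatever DN text python-nss renders; if the Java CA writes `issuerName` in a different serialization (spacing, RDN order or attribute-type names), equality searches on `issuerName` would not match these back-filled records, so the format should be checked against the CA's own `issuerName` writer before this ships. Finally, `--help` calls `self.print_help()` while the error paths call `self.usage()`, which looks inconsistent unless the base class routes `print_help` to `usage`.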
--
2.5.5