Ejemplo n.º 1
0
 def execute(self, *keys, **options):
     ca_enabled_check(self.api)
     result = super(ca_show, self).execute(*keys, **options)
     msg = set_certificate_attrs(result['result'], options)
     if msg:
         self.add_message(msg)
     return result
Ejemplo n.º 2
0
 def execute(self, *keys, **options):
     ca_enabled_check(self.api)
     result = super(ca_find, self).execute(*keys, **options)
     if not options.get('pkey_only', False):
         for entry in result['result']:
             set_certificate_attrs(entry, options, want_cert=False)
     return result
Ejemplo n.º 3
0
    def pre_callback(self, ldap, dn, entry, entry_attrs, *keys, **options):
        ca_enabled_check()
        if not ldap.can_add(dn[1:]):
            raise errors.ACIError(
                info=_("Insufficient 'add' privilege for entry '%s'.") % dn)

        # check for name collision before creating CA in Dogtag
        try:
            api.Object.ca.get_dn_if_exists(keys[-1])
            self.obj.handle_duplicate_entry(*keys)
        except errors.NotFound:
            pass

        # check for subject collision before creating CA in Dogtag
        result = api.Command.ca_find(ipacasubjectdn=options['ipacasubjectdn'])
        if result['count'] > 0:
            raise errors.DuplicateEntry(
                message=_("Subject DN is already used by CA '%s'") %
                result['result'][0]['cn'][0])

        # Create the CA in Dogtag.
        with self.api.Backend.ra_lightweight_ca as ca_api:
            resp = ca_api.create_ca(options['ipacasubjectdn'])
        entry['ipacaid'] = [resp['id']]
        entry['ipacaissuerdn'] = [resp['issuerDN']]

        # In the event that the issued certificate's subject DN
        # differs from what was requested, record the actual DN.
        #
        entry['ipacasubjectdn'] = [resp['dn']]
        return dn
Ejemplo n.º 4
0
 def execute(self, *keys, **options):
     ca_enabled_check(self.api)
     result = super(ca_find, self).execute(*keys, **options)
     if not options.get('pkey_only', False):
         for entry in result['result']:
             set_certificate_attrs(entry, options, want_cert=False)
     return result
Ejemplo n.º 5
0
    def pre_callback(self, ldap, dn, *keys, **options):
        ca_enabled_check(self.api)

        # ensure operator has permission to delete CA
        # before contacting Dogtag
        if not ldap.can_delete(dn):
            raise errors.ACIError(info=_(
                "Insufficient privilege to delete a CA."))

        if keys[0] == IPA_CA_CN:
            raise errors.ProtectedEntryError(
                label=_("CA"),
                key=keys[0],
                reason=_("IPA CA cannot be deleted"))

        ca_id = self.api.Command.ca_show(keys[0])['result']['ipacaid'][0]
        with self.api.Backend.ra_lightweight_ca as ca_api:
            data = ca_api.read_ca(ca_id)
            if data['enabled']:
                raise errors.ProtectedEntryError(
                    label=_("CA"),
                    key=keys[0],
                    reason=_("Must be disabled first"))
            ca_api.delete_ca(ca_id)

        return dn
Ejemplo n.º 6
0
    def pre_callback(self, ldap, dn, entry, entry_attrs, *keys, **options):
        ca_enabled_check()
        if not ldap.can_add(dn[1:]):
            raise errors.ACIError(
                info=_("Insufficient 'add' privilege for entry '%s'.") % dn)

        # check for name collision before creating CA in Dogtag
        try:
            api.Object.ca.get_dn_if_exists(keys[-1])
            self.obj.handle_duplicate_entry(*keys)
        except errors.NotFound:
            pass

        # check for subject collision before creating CA in Dogtag
        result = api.Command.ca_find(ipacasubjectdn=options['ipacasubjectdn'])
        if result['count'] > 0:
            raise errors.DuplicateEntry(message=_(
                "Subject DN is already used by CA '%s'"
                ) % result['result'][0]['cn'][0])

        # Create the CA in Dogtag.
        with self.api.Backend.ra_lightweight_ca as ca_api:
            resp = ca_api.create_ca(options['ipacasubjectdn'])
        entry['ipacaid'] = [resp['id']]
        entry['ipacaissuerdn'] = [resp['issuerDN']]

        # In the event that the issued certificate's subject DN
        # differs from what was requested, record the actual DN.
        #
        entry['ipacasubjectdn'] = [resp['dn']]
        return dn
Ejemplo n.º 7
0
    def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
        ca_enabled_check()

        if "rename" in options or "cn" in entry_attrs:
            if keys[0] == IPA_CA_CN:
                raise errors.ProtectedEntryError(label=_("CA"), key=keys[0], reason=u"IPA CA cannot be renamed")

        return dn
Ejemplo n.º 8
0
    def execute(self, cn, **options):
        ca_enabled_check()

        ca_id = self.api.Command.ca_show(cn)["result"]["ipacaid"][0]
        with self.api.Backend.ra_lightweight_ca as ca_api:
            self.perform_action(ca_api, ca_id)

        return dict(result=True, value=pkey_to_value(cn, options))
Ejemplo n.º 9
0
    def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
        ca_enabled_check(self.api)

        if 'rename' in options or 'cn' in entry_attrs:
            if keys[0] == IPA_CA_CN:
                raise errors.ProtectedEntryError(
                    label=_("CA"),
                    key=keys[0],
                    reason=u'IPA CA cannot be renamed')

        return dn
Ejemplo n.º 10
0
    def execute(self, cn, **options):
        ca_enabled_check()

        ca_id = self.api.Command.ca_show(cn)['result']['ipacaid'][0]
        with self.api.Backend.ra_lightweight_ca as ca_api:
            self.perform_action(ca_api, ca_id)

        return dict(
            result=True,
            value=pkey_to_value(cn, options),
        )
Ejemplo n.º 11
0
    def pre_callback(self, ldap, dn, *keys, **options):
        ca_enabled_check()

        if keys[0] == IPA_CA_CN:
            raise errors.ProtectedEntryError(label=_("CA"), key=keys[0], reason=_("IPA CA cannot be deleted"))

        ca_id = self.api.Command.ca_show(keys[0])["result"]["ipacaid"][0]
        with self.api.Backend.ra_lightweight_ca as ca_api:
            ca_api.disable_ca(ca_id)
            ca_api.delete_ca(ca_id)

        return dn
Ejemplo n.º 12
0
    def pre_callback(self, ldap, dn, entry, entry_attrs, *keys, **options):
        ca_enabled_check(self.api)
        if not ldap.can_add(dn[1:]):
            raise errors.ACIError(
                info=_("Insufficient 'add' privilege for entry '%s'.") % dn)

        # check that DN only includes standard naming attributes
        dn_attrs = {
            ava.attr.lower()
            for rdn in options['ipacasubjectdn']
            for ava in rdn
        }
        x509_attrs = {
            attr.lower()
            for attr in six.viewvalues(ATTR_NAME_BY_OID)
        }
        unknown_attrs = dn_attrs - x509_attrs
        if len(unknown_attrs) > 0:
            raise errors.ValidationError(
                name=_("Subject DN"),
                error=_("Unrecognized attributes: %(attrs)s")
                    % dict(attrs=", ".join(unknown_attrs))
            )

        # check for name collision before creating CA in Dogtag
        try:
            api.Object.ca.get_dn_if_exists(keys[-1])
            self.obj.handle_duplicate_entry(*keys)
        except errors.NotFound:
            pass

        # check for subject collision before creating CA in Dogtag
        result = api.Command.ca_find(ipacasubjectdn=options['ipacasubjectdn'])
        if result['count'] > 0:
            raise errors.DuplicateEntry(message=_(
                "Subject DN is already used by CA '%s'"
                ) % result['result'][0]['cn'][0])

        # Create the CA in Dogtag.
        with self.api.Backend.ra_lightweight_ca as ca_api:
            resp = ca_api.create_ca(options['ipacasubjectdn'])
        entry['ipacaid'] = [resp['id']]
        entry['ipacaissuerdn'] = [resp['issuerDN']]

        # In the event that the issued certificate's subject DN
        # differs from what was requested, record the actual DN.
        #
        entry['ipacasubjectdn'] = [resp['dn']]
        return dn
Ejemplo n.º 13
0
    def pre_callback(self, ldap, dn, *keys, **options):
        ca_enabled_check()

        if keys[0] == IPA_CA_CN:
            raise errors.ProtectedEntryError(
                label=_("CA"),
                key=keys[0],
                reason=_("IPA CA cannot be deleted"))

        ca_id = self.api.Command.ca_show(keys[0])['result']['ipacaid'][0]
        with self.api.Backend.ra_lightweight_ca as ca_api:
            ca_api.disable_ca(ca_id)
            ca_api.delete_ca(ca_id)

        return dn
Ejemplo n.º 14
0
    def execute(self, cn, **options):
        ca_enabled_check(self.api)

        ca_obj = self.api.Command.ca_show(cn)['result']

        # ensure operator has permission to modify CAs
        if not self.api.Backend.ldap2.can_write(ca_obj['dn'], 'description'):
            raise errors.ACIError(info=_(
                "Insufficient privilege to modify a CA."))

        with self.api.Backend.ra_lightweight_ca as ca_api:
            self.perform_action(ca_api, ca_obj['ipacaid'][0])

        return dict(
            result=True,
            value=pkey_to_value(cn, options),
        )
Ejemplo n.º 15
0
    def execute(self, cn, **options):
        ca_enabled_check(self.api)

        ca_obj = self.api.Command.ca_show(cn)['result']

        # ensure operator has permission to modify CAs
        if not self.api.Backend.ldap2.can_write(ca_obj['dn'], 'description'):
            raise errors.ACIError(
                info=_("Insufficient privilege to modify a CA."))

        with self.api.Backend.ra_lightweight_ca as ca_api:
            self.perform_action(ca_api, ca_obj['ipacaid'][0])

        return dict(
            result=True,
            value=pkey_to_value(cn, options),
        )
Ejemplo n.º 16
0
    def pre_callback(self, ldap, dn, *keys, **options):
        ca_enabled_check(self.api)

        # ensure operator has permission to delete CA
        # before contacting Dogtag
        if not ldap.can_delete(dn):
            raise errors.ACIError(info=_(
                "Insufficient privilege to delete a CA."))

        if keys[0] == IPA_CA_CN:
            raise errors.ProtectedEntryError(
                label=_("CA"),
                key=keys[0],
                reason=_("IPA CA cannot be deleted"))

        ca_id = self.api.Command.ca_show(keys[0])['result']['ipacaid'][0]
        with self.api.Backend.ra_lightweight_ca as ca_api:
            ca_api.disable_ca(ca_id)
            ca_api.delete_ca(ca_id)

        return dn
Ejemplo n.º 17
0
 def execute(self, *keys, **options):
     ca_enabled_check()
     result = super(ca_find, self).execute(*keys, **options)
     for entry in result['result']:
         set_certificate_attrs(entry, options, want_cert=False)
     return result
Ejemplo n.º 18
0
 def execute(self, *args, **kwargs):
     ca_enabled_check()
     return super(ca_show, self).execute(*args, **kwargs)
Ejemplo n.º 19
0
 def execute(self, *keys, **options):
     ca_enabled_check()
     return super(ca_find, self).execute(*keys, **options)
Ejemplo n.º 20
0
 def execute(self, *keys, **options):
     ca_enabled_check(self.api)
     result = super(ca_show, self).execute(*keys, **options)
     set_certificate_attrs(result['result'], options)
     return result
Ejemplo n.º 21
0
 def execute(self, *keys, **options):
     ca_enabled_check(self.api)
     result = super(ca_show, self).execute(*keys, **options)
     set_certificate_attrs(result['result'], options)
     return result
Ejemplo n.º 22
0
 def execute(self, *args, **kwargs):
     ca_enabled_check()
     return super(ca_show, self).execute(*args, **kwargs)
Ejemplo n.º 23
0
 def execute(self, *keys, **options):
     ca_enabled_check()
     return super(ca_find, self).execute(*keys, **options)