    def __save_config(self):
        """Back up the directory server config before it is modified.

        Copies ``self.filename`` to ``self.savefilename`` (``copy2`` also
        carries over the file mode and timestamps) and records the current
        ``nsslapd-port`` and ``nsslapd-security`` values through
        ``backup_state`` -- presumably so they can be restored later; the
        restore path is not visible here.
        """
        shutil.copy2(self.filename, self.savefilename)

        # Read every directive first, then record them, so a read failure
        # leaves no partial backup state behind.
        names = ('nsslapd-port', 'nsslapd-security')
        values = [installutils.get_directive(self.filename, name,
                                             separator=':')
                  for name in names]
        for name, value in zip(names, values):
            self.backup_state(name, value)
    def test_get_directive(self, tmpdir):
        """``get_directive`` with ``separator='='`` returns the exact value.

        Writes EXAMPLE_CONFIG to a temporary file and checks that ``foo`` and
        ``foobar`` each resolve to their own value -- i.e. looking up ``foo``
        is not satisfied by the ``foobar`` line that shares its prefix.
        """
        cfg = tmpdir.join('config')
        cfg.write(''.join(EXAMPLE_CONFIG))

        lookups = (('foo', '1'), ('foobar', '2'))
        for key, expected in lookups:
            actual = installutils.get_directive(str(cfg), key, separator='=')
            assert actual == expected
    def __save_config(self):
        """Snapshot the directory server config before it is changed.

        ``self.filename`` is copied to ``self.savefilename`` with metadata
        preserved (``shutil.copy2``); the current ``nsslapd-port`` and
        ``nsslapd-security`` directives are then handed to ``backup_state``.
        What consumes that state is not visible from this method.
        """
        shutil.copy2(self.filename, self.savefilename)

        def read(directive):
            # Directives in this file use ':' rather than '=' as separator.
            return installutils.get_directive(self.filename, directive,
                                              separator=':')

        port_value = read('nsslapd-port')
        security_value = read('nsslapd-security')

        self.backup_state('nsslapd-port', port_value)
        self.backup_state('nsslapd-security', security_value)
    def install_http_cert(self):
        """Import the new HTTP server certificate into the mod_nss database.

        Reads the current ``NSSNickname`` from the mod_nss config (stored
        single-quoted), imports the replacement certificate for the
        ``HTTP/<host>`` principal, writes the new nickname back single-quoted,
        and finally narrows ownership and mode of the NSS database files to
        ``0640 root:<httpd group>`` so they are not world-readable.
        """
        nssdir = paths.HTTPD_ALIAS_DIR

        current_nickname = installutils.unquote_directive_value(
            installutils.get_directive(paths.HTTPD_NSS_CONF, 'NSSNickname'),
            quote_char="'")

        new_nickname = self.import_cert(nssdir, self.options.pin,
                                        current_nickname,
                                        'HTTP/%s' % api.env.host,
                                        'restart_httpd')

        # We quote the value ourselves, hence quotes=False.
        installutils.set_directive(
            paths.HTTPD_NSS_CONF, 'NSSNickname',
            installutils.quote_directive_value(new_nickname, quote_char="'"),
            quotes=False)

        # Fix the database permissions. The mode is narrowed on all files
        # before the group is handed to httpd, so there is no window where a
        # wider mode is combined with the httpd group.
        db_files = [os.path.join(nssdir, name)
                    for name in ('cert8.db', 'key3.db', 'secmod.db')]
        for db_file in db_files:
            os.chmod(db_file, 0o640)

        httpd_gid = pwd.getpwnam(constants.HTTPD_USER).pw_gid
        for db_file in db_files:
            os.chown(db_file, 0, httpd_gid)
    def install_http_cert(self):
        """Replace the mod_nss HTTP server certificate.

        Steps: read the (single-quoted) ``NSSNickname`` directive, import the
        new certificate for ``HTTP/<host>`` into the NSS database, store the
        returned nickname back single-quoted, then set ``0640`` and
        ``root:<httpd group>`` on the three NSS database files so only root
        and the httpd group can read them.
        """
        dirname = paths.HTTPD_ALIAS_DIR
        conf = paths.HTTPD_NSS_CONF

        old_nick = installutils.get_directive(conf, 'NSSNickname')
        old_nick = installutils.unquote_directive_value(old_nick,
                                                        quote_char="'")

        new_nick = self.import_cert(dirname, self.options.pin, old_nick,
                                    'HTTP/%s' % api.env.host,
                                    'restart_httpd')

        # Value is pre-quoted here, so set_directive must not quote again.
        new_nick = installutils.quote_directive_value(new_nick,
                                                      quote_char="'")
        installutils.set_directive(conf, 'NSSNickname', new_nick,
                                   quotes=False)

        # Fix the database permissions: mode first, then ownership.
        db_names = ('cert8.db', 'key3.db', 'secmod.db')
        for name in db_names:
            os.chmod(os.path.join(dirname, name), 0o640)

        gid = pwd.getpwnam(constants.HTTPD_USER).pw_gid
        for name in db_names:
            os.chown(os.path.join(dirname, name), 0, gid)
    def install_http_cert(self):
        """Import the new HTTP server certificate into the mod_nss database.

        Reads the single-quoted ``NSSNickname`` from the mod_nss config,
        imports the replacement certificate for ``HTTP/<host>``, writes the
        new nickname back (single-quoted), and tightens every NSS database
        file that exists -- both the DBM-format and SQL-format names -- to
        ``0640 root:<httpd group>``.
        """
        nssdir = paths.HTTPD_ALIAS_DIR

        current_nickname = installutils.unquote_directive_value(
            installutils.get_directive(paths.HTTPD_NSS_CONF, 'NSSNickname'),
            quote_char="'")

        new_nickname = self.import_cert(nssdir, self.options.pin,
                                        current_nickname,
                                        'HTTP/%s' % api.env.host,
                                        'restart_httpd')

        # Quoting is done here, so set_directive is told not to quote.
        installutils.set_directive(
            paths.HTTPD_NSS_CONF, 'NSSNickname',
            installutils.quote_directive_value(new_nickname, quote_char="'"),
            quotes=False)

        # Fix the database permissions on whichever database files exist;
        # a missing file is simply skipped rather than treated as an error.
        httpd_gid = pwd.getpwnam(constants.HTTPD_USER).pw_gid
        for name in NSS_DBM_FILES + NSS_SQL_FILES:
            db_file = os.path.join(nssdir, name)
            if not os.path.isfile(db_file):
                continue
            os.chmod(db_file, 0o640)
            os.chown(db_file, 0, httpd_gid)
    def install_http_cert(self):
        """Replace the mod_nss HTTP server certificate (older variant).

        Reads ``NSSNickname`` from the mod_nss config as-is (no quote
        handling in this version), imports the new certificate for
        ``HTTP/<host>`` into ``certs.NSS_DIR``, writes the returned nickname
        back, and sets ``0640`` / ``root:apache`` on the three NSS database
        files so they are not world-readable.
        """
        nssdir = certs.NSS_DIR
        conf = paths.HTTPD_NSS_CONF

        current = installutils.get_directive(conf, 'NSSNickname')
        nickname = self.import_cert(nssdir, self.options.pin, current,
                                    'HTTP/%s' % api.env.host,
                                    'restart_httpd')
        installutils.set_directive(conf, 'NSSNickname', nickname)

        # Fix the database permissions: mode first on all files, then group.
        # 0o640 is the same value as the legacy 0640 literal.
        db_files = [os.path.join(nssdir, name)
                    for name in ('cert8.db', 'key3.db', 'secmod.db')]
        for db_file in db_files:
            os.chmod(db_file, 0o640)

        # NOTE(review): the group is hard-coded to "apache" here, unlike the
        # constants.HTTPD_USER lookup used elsewhere -- verify on non-RHEL.
        apache_gid = pwd.getpwnam("apache").pw_gid
        for db_file in db_files:
            os.chown(db_file, 0, apache_gid)
    def install_http_cert(self):
        """Import the new HTTP server certificate into ``certs.NSS_DIR``.

        The existing ``NSSNickname`` is read verbatim from the mod_nss config
        (no quote stripping in this variant), the certificate for
        ``HTTP/<host>`` is imported, the new nickname is written back, and
        the three NSS database files are set to ``0640 root:<httpd group>``.
        """
        nssdir = certs.NSS_DIR

        previous = installutils.get_directive(paths.HTTPD_NSS_CONF,
                                              'NSSNickname')

        nickname = self.import_cert(nssdir, self.options.pin, previous,
                                    'HTTP/%s' % api.env.host,
                                    'restart_httpd')

        installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSNickname',
                                   nickname)

        # Fix the database permissions: chmod everything, then chown, so the
        # httpd group is never attached to a file with a wider mode.
        db_names = ('cert8.db', 'key3.db', 'secmod.db')
        for name in db_names:
            os.chmod(os.path.join(nssdir, name), 0o640)

        httpd_gid = pwd.getpwnam(constants.HTTPD_USER).pw_gid
        for name in db_names:
            os.chown(os.path.join(nssdir, name), 0, httpd_gid)
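def update_mod_nss_cipher_suite():
    """Make sure the ECDHE-RSA AES-CBC-SHA ciphers are enabled in mod_nss.

    Reads ``NSSCipherSuite`` from the mod_nss config, turns any disabled
    ``-<cipher>`` entry for the wanted ciphers into ``+<cipher>``, appends
    ``+<cipher>`` for every wanted cipher that is not listed at all, writes
    the result back unquoted and logs the change. The pure merge lives in
    ``_merge_cipher_suite`` so it can be tested without touching the file.

    Fix: the previous code decided "already present" with ``add not in
    ciphers``, a substring test over the whole directive, so any longer
    cipher name that merely contains a wanted name suppressed the addition.
    The first pass likewise matched with ``endswith``. Entries are now
    compared by exact name (ignoring the ``+``/``-`` prefix and surrounding
    whitespace), and empty entries are dropped so an empty directive does
    not produce a leading comma.
    """
    add_ciphers = ['ecdhe_rsa_aes_128_sha', 'ecdhe_rsa_aes_256_sha']
    ciphers = installutils.get_directive(NSS_CONF, 'NSSCipherSuite')

    merged = _merge_cipher_suite(ciphers, add_ciphers)

    set_directive(NSS_CONF, 'NSSCipherSuite', merged, False)
    root_logger.info('Updated Apache cipher list')


def _merge_cipher_suite(ciphers, add_ciphers):
    """Return *ciphers* (comma-separated mod_nss list) with *add_ciphers* on.

    Existing entries keep their relative order. A wanted cipher listed as
    ``-name`` becomes ``+name``; one listed as ``name`` or ``+name`` is left
    alone; wanted ciphers absent from the list are appended as ``+name`` in
    the order given. Whitespace around entries is stripped and empty entries
    are discarded.
    """
    wanted = set(add_ciphers)
    present = set()
    merged = []
    for entry in ciphers.split(','):
        token = entry.strip()
        if not token:
            continue
        name = token.lstrip('+-')
        if name in wanted:
            present.add(name)
            if token.startswith('-'):
                token = '+%s' % name
        merged.append(token)

    merged.extend('+%s' % name for name in add_ciphers if name not in present)
    return ','.join(merged)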
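    def execute(self, **options):
        """Elect or confirm the CA renewal master for this host.

        Returns a ``(restart, updates)`` pair. ``restart`` is ``False`` on
        every path; ``updates`` is a list of LDAP update dicts that either
        strip ``caRenewalMaster`` from every other CA entry (this host
        already holds the flag) or add it to this host's CA entry (no master
        is recorded and local evidence says this host is it). The first
        element presumably tells the updater framework whether a restart is
        needed -- verify against the caller.

        Decision order:

        1. No CA configured here: nothing to do.
        2. Some entry already carries ``caRenewalMaster``: if it is ours,
           remove the flag from all the others; otherwise leave things alone.
        3. Else look at the certmonger request for ``ipaCert``: only the
           ``dogtag-ipa-renew-agent`` CA helper marks this host as master;
           the retrieve/ca-renew helpers, a missing or unknown name mean
           "slave".
        4. With no certmonger request, fall back to ``subsystem.select`` in
           CS.cfg: ``New`` means master, ``Clone`` (or anything unknown)
           means slave.

        Fix: the unknown-``subsystem.select`` branch returned a 3-tuple
        ``(False, False, [])`` while every other exit returns a 2-tuple; a
        caller unpacking ``restart, updates`` would raise ``ValueError``.
        """
        ca = cainstance.CAInstance(self.api.env.realm, certs.NSS_DIR)
        if not ca.is_configured():
            self.debug("CA is not configured on this host")
            return False, []

        ldap = self.api.Backend.ldap2
        base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
                     self.api.env.basedn)
        dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn)
        # Static filter: nothing user-controlled is interpolated into it.
        search_filter = '(&(cn=CA)(ipaConfigString=caRenewalMaster))'
        try:
            entries = ldap.get_entries(base_dn=base_dn,
                                       filter=search_filter,
                                       attrs_list=[])
        except errors.NotFound:
            pass
        else:
            self.debug("found CA renewal master %s", entries[0].dn[1].value)

            if not any(entry.dn == dn for entry in entries):
                # Another host is the renewal master; do not touch it.
                return False, []

            # This host is the master: strip the flag from every other entry.
            return False, [
                {
                    'dn': entry.dn,
                    'updates': [
                        dict(action='remove',
                             attr='ipaConfigString',
                             value='caRenewalMaster')
                    ],
                }
                for entry in entries if entry.dn != dn
            ]

        criteria = {
            'cert-database': paths.HTTPD_ALIAS_DIR,
            'cert-nickname': 'ipaCert',
        }
        request_id = certmonger.get_request_id(criteria)
        if request_id is not None:
            self.debug("found certmonger request for ipaCert")

            ca_name = certmonger.get_request_value(request_id, 'ca-name')
            if ca_name is None:
                self.warning(
                    "certmonger request for ipaCert is missing ca_name, "
                    "assuming local CA is renewal slave")
                return False, []
            ca_name = ca_name.strip()

            if ca_name in ('dogtag-ipa-retrieve-agent-submit',
                           'dogtag-ipa-ca-renew-agent'):
                return False, []
            if ca_name != 'dogtag-ipa-renew-agent':
                self.warning(
                    "certmonger request for ipaCert has unknown ca_name '%s', "
                    "assuming local CA is renewal slave", ca_name)
                return False, []
            # 'dogtag-ipa-renew-agent': fall through and claim the flag.
        else:
            self.debug("certmonger request for ipaCert not found")

            config = installutils.get_directive(paths.CA_CS_CFG_PATH,
                                                'subsystem.select', '=')

            if config == 'Clone':
                return False, []
            if config != 'New':
                self.warning(
                    "CS.cfg has unknown subsystem.select value '%s', "
                    "assuming local CA is renewal slave", config)
                # Was `return (False, False, [])` -- a 3-tuple no caller of
                # the 2-tuple contract can unpack.
                return False, []
            # 'New': fall through and claim the flag.

        update = {
            'dn': dn,
            'updates': [
                dict(action='add',
                     attr='ipaConfigString',
                     value='caRenewalMaster')
            ],
        }

        return False, [update]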
    def test_get_directive(self, tmpdir):
        """``get_directive`` copes with the whitespace in WHITESPACE_CONFIG.

        Uses the default separator. ``foo`` and ``foobar`` must each return
        their own value, so the shared prefix is not mistaken for a match.
        """
        cfg = tmpdir.join('config')
        cfg.write(''.join(WHITESPACE_CONFIG))
        cfg_path = str(cfg)

        for key, expected in (('foo', '1'), ('foobar', '2')):
            assert expected == installutils.get_directive(cfg_path, key)
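    def execute(self, **options):
        """Decide whether this host is the CA renewal master and say so in LDAP.

        Returns ``(restart, updates)``; ``restart`` is ``False`` on every
        path (presumably a restart flag for the updater framework -- verify
        against the caller) and ``updates`` is a list of LDAP update dicts.

        * CA not configured locally: ``(False, [])``.
        * An entry under ``cn=masters`` already carries ``caRenewalMaster``:
          if that is this host, return updates removing the flag from every
          other CA entry; otherwise return no updates.
        * No entry carries the flag: decide from the certmonger request for
          ``ipaCert`` (only ``dogtag-ipa-renew-agent`` means master) or, if
          there is no such request, from ``subsystem.select`` in CS.cfg
          (only ``New`` means master). When this host qualifies, return an
          update adding ``caRenewalMaster`` to its own CA entry.

        Fix: the unknown ``subsystem.select`` branch returned
        ``(False, False, [])``, a 3-tuple, while every other exit is a
        2-tuple; callers unpacking two values would fail on it.
        """
        ca = cainstance.CAInstance(self.api.env.realm, certs.NSS_DIR)
        if not ca.is_configured():
            self.debug("CA is not configured on this host")
            return False, []

        ldap = self.api.Backend.ldap2
        base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
                     self.api.env.basedn)
        dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn)
        # Fixed filter string, no interpolation of external data.
        master_filter = '(&(cn=CA)(ipaConfigString=caRenewalMaster))'
        try:
            entries = ldap.get_entries(base_dn=base_dn, filter=master_filter,
                                       attrs_list=[])
        except errors.NotFound:
            pass
        else:
            self.debug("found CA renewal master %s", entries[0].dn[1].value)

            remove_flag = dict(action='remove', attr='ipaConfigString',
                               value='caRenewalMaster')
            others = []
            is_master = False
            for entry in entries:
                if entry.dn == dn:
                    is_master = True
                else:
                    others.append({'dn': entry.dn, 'updates': [remove_flag]})

            # Only the master may demote the others.
            return False, others if is_master else []

        criteria = {
            'cert-database': paths.HTTPD_ALIAS_DIR,
            'cert-nickname': 'ipaCert',
        }
        request_id = certmonger.get_request_id(criteria)
        if request_id is None:
            self.debug("certmonger request for ipaCert not found")

            config = installutils.get_directive(
                paths.CA_CS_CFG_PATH, 'subsystem.select', '=')

            if config == 'Clone':
                return False, []
            if config != 'New':
                self.warning(
                    "CS.cfg has unknown subsystem.select value '%s', "
                    "assuming local CA is renewal slave", config)
                # Previously `return (False, False, [])`; keep the 2-tuple
                # contract used by every other exit.
                return False, []
        else:
            self.debug("found certmonger request for ipaCert")

            ca_name = certmonger.get_request_value(request_id, 'ca-name')
            if ca_name is None:
                self.warning(
                    "certmonger request for ipaCert is missing ca_name, "
                    "assuming local CA is renewal slave")
                return False, []
            ca_name = ca_name.strip()

            if ca_name in ('dogtag-ipa-retrieve-agent-submit',
                           'dogtag-ipa-ca-renew-agent'):
                return False, []
            if ca_name != 'dogtag-ipa-renew-agent':
                self.warning(
                    "certmonger request for ipaCert has unknown ca_name '%s', "
                    "assuming local CA is renewal slave", ca_name)
                return False, []

        # Reached only for ca_name == 'dogtag-ipa-renew-agent' or
        # subsystem.select == 'New': claim the renewal master flag.
        update = {
            'dn': dn,
            'updates': [
                dict(action='add', attr='ipaConfigString',
                     value='caRenewalMaster')
            ],
        }

        return False, [update]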
 def get_mod_nss_nickname(self):
     """Return the certificate nickname mod_nss is configured to serve.

     The ``NSSNickname`` directive in the Apache mod_nss config is stored
     single-quoted; the quotes are stripped before the value is returned.
     """
     raw = installutils.get_directive(paths.HTTPD_NSS_CONF, 'NSSNickname')
     return installutils.unquote_directive_value(raw, quote_char="'")