def run(self): if not is_ipa_configured(): print("IPA is not configured.") return 2 if not cainstance.is_ca_installed_locally(): print("CA is not installed on this server.") return 1 if self.command == Command.ENABLE: directive = 'enabled' value = 'true' elif self.command == Command.DISABLE: directive = 'enabled' value = 'false' else: raise RuntimeError('programmer error: unhandled enum case') with DirectiveSetter( paths.PKI_ACME_ENGINE_CONF, separator='=', quotes=False, ) as ds: ds.set(directive, value) # Work around a limitation in PKI ACME service file watching # where renames (what DirectiveSetter does) are not detected. # It will be fixed, but keeping the workaround will do no harm. pathlib.Path(paths.PKI_ACME_ENGINE_CONF).touch() # Nothing else to do; the Dogtag ACME service monitors engine.conf # for updates and reconfigures itself as required. return 0
def run(self): if not is_ipa_configured(): print("IPA is not configured.") return 2 if not cainstance.is_ca_installed_locally(): print("CA is not installed on this server.") return 3 api.bootstrap(in_server=True, confdir=paths.ETC_IPA) api.finalize() api.Backend.ldap2.connect() state = acme_state(api) with state as ca_api: if self.command == Command.ENABLE: self.check_san_status() ca_api.enable() elif self.command == Command.DISABLE: ca_api.disable() elif self.command == Command.STATUS: status = "enabled" if dogtag.acme_status() else "disabled" print("ACME is {}".format(status)) return 0 else: raise RuntimeError('programmer error: unhandled enum case') return 0
def check_IPA_configuration(): if not is_ipa_configured(): # LSB status code 6: program is not configured raise IpactlError( "IPA is not configured " "(see man pages of ipa-server-install for help)", 6, )
def is_ipa_configured(): """ Use the state to determine if IPA has been configured. """ warnings.warn("Use 'ipalib.facts.is_ipa_configured'", DeprecationWarning, stacklevel=2) return facts.is_ipa_configured()
def pre_check(self): if is_ipa_configured is None: print("IPA server is not installed") return 1 if not is_ipa_configured(): print("IPA server is not configured") return 1 return None
def check_server_configuration(): """ Check if IPA server is configured on the system. This is done by checking if there are system restore (uninstall) files present on the system. Note that this check can only be run with root privileges. When IPA is not configured, this function raises a RuntimeError exception. Most convenient use case for the function is in install tools that require configured IPA for its function. """ if not facts.is_ipa_configured(): raise ScriptError("IPA is not configured on this system.", rval=SERVER_NOT_CONFIGURED)
def run(self): if not is_ipa_configured(): print("IPA is not configured.") return 2 api.bootstrap(in_server=True, confdir=paths.ETC_IPA) api.finalize() api.Backend.ldap2.connect() self.ldap2 = api.Backend.ldap2 subid_generate = api.Command.subid_generate dry_run = self.safe_options.dry_run group_info = self.get_group_info() filters = self.make_filter( group_info, self.safe_options.user_filter ) entries = self.search_users(filters) total = len(entries) logger.info("Found %i user(s) without subordinate ids", total) total = len(entries) for i, entry in enumerate(entries, start=1): logger.info( " Processing user '%s' (%i/%i)", entry.single_value["uid"], i, total ) if not dry_run: # TODO: check for duplicate entry (race condition) # TODO: log new subid subid_generate( ipaowner=entry.single_value["uid"], version=API_VERSION ) if dry_run: logger.info("Dry run mode, no user was modified") else: logger.info("Updated %s user(s)", total) return 0
def run_with_args(api): """ Run the certupdate procedure with the given API object. :param api: API object with ldap2/rpcclient backend connected (such that Commands can be invoked) """ server = urlsplit(api.env.jsonrpc_uri).hostname ldap = ipaldap.LDAPClient.from_hostname_secure(server) try: result = api.Command.ca_is_enabled(version=u'2.107') ca_enabled = result['result'] except (errors.CommandError, errors.NetworkError): result = api.Command.env(server=True, version=u'2.0') ca_enabled = result['result']['enable_ra'] ldap.gssapi_bind() certs = certstore.get_ca_certs(ldap, api.env.basedn, api.env.realm, ca_enabled) if ca_enabled: lwcas = api.Command.ca_find()['result'] else: lwcas = [] if is_ipa_configured(): # look up CA servers before service restarts resp = api.Command.server_role_find( role_servrole=u'CA server', status='enabled', ) ca_servers = [server['server_server'] for server in resp['result']] update_server(certs) # pylint: disable=import-error,ipa-forbidden-import from ipaserver.install import cainstance, custodiainstance # pylint: enable=import-error,ipa-forbidden-import # Add LWCA tracking requests. Only execute if *this server* # has CA installed (ca_enabled indicates CA-ful topology). if cainstance.CAInstance().is_configured(): try: cainstance.add_lightweight_ca_tracking_requests(lwcas) except Exception: logger.exception( "Failed to add lightweight CA tracking requests") try: update_server_ra_config( cainstance, custodiainstance, api.env.enable_ra, api.env.ca_host, ca_servers, ) except Exception: logger.exception("Failed to update RA config") # update_server_ra_config possibly updated default.conf; # restart httpd to pick up changes. if services.knownservices.httpd.is_running(): services.knownservices.httpd.restart() update_client(certs)
def run(self): if not is_ipa_configured(): print("IPA is not configured.") return 2 if not cainstance.is_ca_installed_locally(): print("CA is not installed on this server.") return 1 try: ipautil.run(['pki-server', 'cert-fix', '--help'], raiseonerr=True) except ipautil.CalledProcessError: print( "The 'pki-server cert-fix' command is not available; " "cannot proceed." ) return 1 api.bootstrap(in_server=True, confdir=paths.ETC_IPA) api.finalize() api.Backend.ldap2.connect() # ensure DS is up subject_base = dsinstance.DsInstance().find_subject_base() if not subject_base: raise RuntimeError("Cannot determine certificate subject base.") ca_subject_dn = ca.lookup_ca_subject(api, subject_base) now = datetime.datetime.now() + datetime.timedelta(weeks=2) certs, extra_certs = expired_certs(now) if not certs and not extra_certs: print("Nothing to do.") return 0 print(msg) print_intentions(certs, extra_certs) response = ipautil.user_input('Enter "yes" to proceed') if response.lower() != 'yes': print("Not proceeding.") return 0 print("Proceeding.") try: run_cert_fix(certs, extra_certs) except ipautil.CalledProcessError: if any(x[0] is IPACertType.LDAPS for x in extra_certs): # The DS cert was expired. This will cause # 'pki-server cert-fix' to fail at the final # restart. Therefore ignore the CalledProcessError # and proceed to installing the IPA-specific certs. pass else: raise # otherwise re-raise replicate_dogtag_certs(subject_base, ca_subject_dn, certs) install_ipa_certs(subject_base, ca_subject_dn, extra_certs) if any(x[0] != 'sslserver' for x in certs) \ or any(x[0] is IPACertType.IPARA for x in extra_certs): # we renewed a "shared" certificate, therefore we must # become the renewal master print("Becoming renewal master.") cainstance.CAInstance().set_renewal_master() ipautil.run(['ipactl', 'restart'], raiseonerr=True) return 0
def install_check(installer): options = installer dirsrv_pkcs12_file = installer._dirsrv_pkcs12_file http_pkcs12_file = installer._http_pkcs12_file pkinit_pkcs12_file = installer._pkinit_pkcs12_file dirsrv_pkcs12_info = installer._dirsrv_pkcs12_info http_pkcs12_info = installer._http_pkcs12_info pkinit_pkcs12_info = installer._pkinit_pkcs12_info external_cert_file = installer._external_cert_file external_ca_file = installer._external_ca_file http_ca_cert = installer._ca_cert dirsrv_ca_cert = None pkinit_ca_cert = None tasks.check_ipv6_stack_enabled() tasks.check_selinux_status() check_ldap_conf() mask_str = validate_mask() if mask_str: print("Unexpected system mask: %s, expected 0022" % mask_str) if installer.interactive: if not user_input("Do you want to continue anyway?", True): raise ScriptError("Unexpected system mask: %s" % mask_str) else: raise ScriptError("Unexpected system mask: %s" % mask_str) if options.master_password: msg = ("WARNING:\noption '-P/--master-password' is deprecated. " "KDC master password of sufficient strength is autogenerated " "during IPA server installation and should not be set " "manually.") print(textwrap.fill(msg, width=79, replace_whitespace=False)) installer._installation_cleanup = True print("\nThe log file for this installation can be found in " "/var/log/ipaserver-install.log") if (not options.external_ca and not options.external_cert_files and is_ipa_configured()): installer._installation_cleanup = False raise ScriptError( "IPA server is already configured on this system.\n" "If you want to reinstall the IPA server, please uninstall " "it first using 'ipa-server-install --uninstall'.") if is_ipa_client_configured(on_master=True): installer._installation_cleanup = False raise ScriptError( "IPA client is already configured on this system.\n" "Please uninstall it before configuring the IPA server, " "using 'ipa-client-install --uninstall'") fstore = sysrestore.FileStore(SYSRESTORE_DIR_PATH) sstore = sysrestore.StateFile(SYSRESTORE_DIR_PATH) # This will override any settings passed in on the cmdline if os.path.isfile(paths.ROOT_IPA_CACHE): if options.dm_password is not None: dm_password = options.dm_password else: dm_password = read_password("Directory Manager", confirm=False) if dm_password is None: raise ScriptError("Directory Manager password required") try: cache_vars = read_cache(dm_password) options.__dict__.update(cache_vars) if cache_vars.get('external_ca', False): options.external_ca = False options.interactive = False except Exception as e: raise ScriptError("Cannot process the cache file: %s" % str(e)) # We only set up the CA if the PKCS#12 options are not given. if options.dirsrv_cert_files: setup_ca = False else: setup_ca = True options.setup_ca = setup_ca if not setup_ca and options.ca_subject: raise ScriptError( "--ca-subject cannot be used with CA-less installation") if not setup_ca and options.subject_base: raise ScriptError( "--subject-base cannot be used with CA-less installation") if not setup_ca and options.setup_kra: raise ScriptError( "--setup-kra cannot be used with CA-less installation") print("=======================================" "=======================================") print("This program will set up the FreeIPA Server.") print("Version {}".format(version.VERSION)) print("") print("This includes:") if setup_ca: print(" * Configure a stand-alone CA (dogtag) for certificate " "management") if not options.no_ntp: print(" * Configure the NTP client (chronyd)") print(" * Create and configure an instance of Directory Server") print(" * Create and configure a Kerberos Key Distribution Center (KDC)") print(" * Configure Apache (httpd)") if options.setup_kra: print(" * Configure KRA (dogtag) for secret management") if options.setup_dns: print(" * Configure DNS (bind)") if options.setup_adtrust: print(" * Configure Samba (smb) and winbind for managing AD trusts") if not options.no_pkinit: print(" * Configure the KDC to enable PKINIT") if options.no_ntp: print("") print("Excluded by options:") print(" * Configure the NTP client (chronyd)") if installer.interactive: print("") print("To accept the default shown in brackets, press the Enter key.") print("") if not options.external_cert_files: # Make sure the 389-ds ports are available check_dirsrv(not installer.interactive) if not options.no_ntp: try: timeconf.check_timedate_services() except timeconf.NTPConflictingService as e: print("WARNING: conflicting time&date synchronization service " "'{}' will be disabled in favor of chronyd\n".format( e.conflicting_service)) except timeconf.NTPConfigurationError: pass if not options.setup_dns and installer.interactive: if ipautil.user_input( "Do you want to configure integrated DNS " "(BIND)?", False): dns.package_check(ScriptError) options.setup_dns = True print("") # check bind packages are installed if options.setup_dns: # Don't require an external DNS to say who we are if we are # setting up a local DNS server. options.no_host_dns = True # check the hostname is correctly configured, it must be as the kldap # utilities just use the hostname as returned by getaddrinfo to set # up some of the standard entries if options.host_name: host_default = options.host_name else: host_default = get_fqdn() try: if not installer.interactive or options.host_name: verify_fqdn(host_default, options.no_host_dns) host_name = host_default else: host_name = read_host_name(host_default, options.no_host_dns) except BadHostError as e: raise ScriptError(e) host_name = host_name.lower() logger.debug("will use host_name: %s\n", host_name) if not options.domain_name: domain_name = read_domain_name(host_name[host_name.find(".") + 1:], not installer.interactive) logger.debug("read domain_name: %s\n", domain_name) try: validate_domain_name(domain_name) except ValueError as e: raise ScriptError("Invalid domain name: %s" % unicode(e)) else: domain_name = options.domain_name domain_name = domain_name.lower() if not options.realm_name: realm_name = read_realm_name(domain_name, not installer.interactive) logger.debug("read realm_name: %s\n", realm_name) try: validate_domain_name(realm_name, entity="realm") except ValueError as e: raise ScriptError("Invalid realm name: {}".format(unicode(e))) else: realm_name = options.realm_name.upper() if not options.subject_base: options.subject_base = installutils.default_subject_base(realm_name) if not options.ca_subject: options.ca_subject = \ installutils.default_ca_subject_dn(options.subject_base) if options.http_cert_files: if options.http_pin is None: options.http_pin = installutils.read_password( "Enter Apache Server private key unlock", confirm=False, validate=False, retry=False) if options.http_pin is None: raise ScriptError( "Apache Server private key unlock password required") http_pkcs12_file, http_pin, http_ca_cert = load_pkcs12( cert_files=options.http_cert_files, key_password=options.http_pin, key_nickname=options.http_cert_name, ca_cert_files=options.ca_cert_files, host_name=host_name) http_pkcs12_info = (http_pkcs12_file.name, http_pin) if options.dirsrv_cert_files: if options.dirsrv_pin is None: options.dirsrv_pin = read_password( "Enter Directory Server private key unlock", confirm=False, validate=False, retry=False) if options.dirsrv_pin is None: raise ScriptError( "Directory Server private key unlock password required") dirsrv_pkcs12_file, dirsrv_pin, dirsrv_ca_cert = load_pkcs12( cert_files=options.dirsrv_cert_files, key_password=options.dirsrv_pin, key_nickname=options.dirsrv_cert_name, ca_cert_files=options.ca_cert_files, host_name=host_name) dirsrv_pkcs12_info = (dirsrv_pkcs12_file.name, dirsrv_pin) if options.pkinit_cert_files: if options.pkinit_pin is None: options.pkinit_pin = read_password( "Enter Kerberos KDC private key unlock", confirm=False, validate=False, retry=False) if options.pkinit_pin is None: raise ScriptError( "Kerberos KDC private key unlock password required") pkinit_pkcs12_file, pkinit_pin, pkinit_ca_cert = load_pkcs12( cert_files=options.pkinit_cert_files, key_password=options.pkinit_pin, key_nickname=options.pkinit_cert_name, ca_cert_files=options.ca_cert_files, realm_name=realm_name) pkinit_pkcs12_info = (pkinit_pkcs12_file.name, pkinit_pin) if (options.http_cert_files and options.dirsrv_cert_files and http_ca_cert != dirsrv_ca_cert): raise ScriptError( "Apache Server SSL certificate and Directory Server SSL " "certificate are not signed by the same CA certificate") if (options.http_cert_files and options.pkinit_cert_files and http_ca_cert != pkinit_ca_cert): raise ScriptError( "Apache Server SSL certificate and PKINIT KDC " "certificate are not signed by the same CA certificate") if not options.dm_password: dm_password = read_dm_password() if dm_password is None: raise ScriptError("Directory Manager password required") else: dm_password = options.dm_password if not options.master_password: master_password = ipa_generate_password() else: master_password = options.master_password if not options.admin_password: admin_password = read_admin_password() if admin_password is None: raise ScriptError("IPA admin password required") else: admin_password = options.admin_password # Configuration for ipalib, we will bootstrap and finalize later, after # we are sure we have the configuration file ready. cfg = dict( context='installer', confdir=paths.ETC_IPA, in_server=True, # make sure host name specified by user is used instead of default host=host_name, ) if setup_ca: # we have an IPA-integrated CA cfg['ca_host'] = host_name # Create the management framework config file and finalize api target_fname = paths.IPA_DEFAULT_CONF ipaconf = IPAChangeConf("IPA Server Install") ipaconf.setOptionAssignment(" = ") ipaconf.setSectionNameDelimiters(("[", "]")) xmlrpc_uri = 'https://{0}/ipa/xml'.format(ipautil.format_netloc(host_name)) ldapi_uri = ipaldap.realm_to_ldapi_uri(realm_name) # [global] section gopts = [ ipaconf.setOption('host', host_name), ipaconf.setOption('basedn', ipautil.realm_to_suffix(realm_name)), ipaconf.setOption('realm', realm_name), ipaconf.setOption('domain', domain_name), ipaconf.setOption('xmlrpc_uri', xmlrpc_uri), ipaconf.setOption('ldap_uri', ldapi_uri), ipaconf.setOption('mode', 'production') ] if setup_ca: gopts.extend([ ipaconf.setOption('enable_ra', 'True'), ipaconf.setOption('ra_plugin', 'dogtag'), ipaconf.setOption('dogtag_version', '10') ]) else: gopts.extend([ ipaconf.setOption('enable_ra', 'False'), ipaconf.setOption('ra_plugin', 'None') ]) opts = [ ipaconf.setSection('global', gopts), { 'name': 'empty', 'type': 'empty' } ] ipaconf.newConf(target_fname, opts) # Must be readable for everyone os.chmod(target_fname, 0o644) api.bootstrap(**cfg) api.finalize() if setup_ca: ca.install_check(False, None, options) if options.setup_kra: kra.install_check(api, None, options) if options.setup_dns: dns.install_check(False, api, False, options, host_name) ip_addresses = dns.ip_addresses else: ip_addresses = get_server_ip_address(host_name, not installer.interactive, False, options.ip_addresses) # check addresses here, dns module is doing own check no_matching_interface_for_ip_address_warning(ip_addresses) instance_name = "-".join(realm_name.split(".")) dirsrv = services.knownservices.dirsrv if (options.external_cert_files and dirsrv.is_installed(instance_name) and not dirsrv.is_running(instance_name)): logger.debug('Starting Directory Server') services.knownservices.dirsrv.start(instance_name) if options.setup_adtrust: adtrust.install_check(False, options, api) # installer needs to update hosts file when DNS subsystem will be # installed or custom addresses are used if options.ip_addresses or options.setup_dns: installer._update_hosts_file = True if not options.no_ntp and not options.unattended and not ( options.ntp_servers or options.ntp_pool): options.ntp_servers, options.ntp_pool = timeconf.get_time_source() print() print("The IPA Master Server will be configured with:") print("Hostname: %s" % host_name) print("IP address(es): %s" % ", ".join(str(ip) for ip in ip_addresses)) print("Domain name: %s" % domain_name) print("Realm name: %s" % realm_name) print() if setup_ca: ca.print_ca_configuration(options) print() if options.setup_dns: print("BIND DNS server will be configured to serve IPA domain with:") print("Forwarders: %s" % ("No forwarders" if not options.forwarders else ", ".join( [str(ip) for ip in options.forwarders]))) print('Forward policy: %s' % options.forward_policy) print("Reverse zone(s): %s" % ("No reverse zone" if options.no_reverse or not dns.reverse_zones else ", ".join(str(rz) for rz in dns.reverse_zones))) print() if not options.setup_adtrust: # If domain name and realm does not match, IPA server will not be able # to establish trust with Active Directory. Print big fat warning. realm_not_matching_domain = (domain_name.upper() != realm_name) if realm_not_matching_domain: print("WARNING: Realm name does not match the domain name.\n" "You will not be able to establish trusts with Active " "Directory unless\nthe realm name of the IPA server matches " "its domain name.\n\n") if options.ntp_servers or options.ntp_pool: if options.ntp_servers: for server in options.ntp_servers: print("NTP server:\t{}".format(server)) if options.ntp_pool: print("NTP pool:\t{}".format(options.ntp_pool)) if installer.interactive and not user_input( "Continue to configure the system with these values?", False): raise ScriptError("Installation aborted") options.realm_name = realm_name options.domain_name = domain_name options.dm_password = dm_password options.master_password = master_password options.admin_password = admin_password options._host_name_overridden = bool(options.host_name) options.host_name = host_name options.ip_addresses = ip_addresses installer._fstore = fstore installer._sstore = sstore installer._dirsrv_pkcs12_file = dirsrv_pkcs12_file installer._http_pkcs12_file = http_pkcs12_file installer._pkinit_pkcs12_file = pkinit_pkcs12_file installer._dirsrv_pkcs12_info = dirsrv_pkcs12_info installer._http_pkcs12_info = http_pkcs12_info installer._pkinit_pkcs12_info = pkinit_pkcs12_info installer._external_cert_file = external_cert_file installer._external_ca_file = external_ca_file installer._ca_cert = http_ca_cert
def uninstall_check(installer): options = installer tasks.check_selinux_status() installer._installation_cleanup = False if not is_ipa_configured(): print("WARNING:\nIPA server is not configured on this system. " "If you want to install the\nIPA server, please install " "it using 'ipa-server-install'.") fstore = sysrestore.FileStore(SYSRESTORE_DIR_PATH) sstore = sysrestore.StateFile(SYSRESTORE_DIR_PATH) # Configuration for ipalib, we will bootstrap and finalize later, after # we are sure we have the configuration file ready. cfg = dict( context='installer', confdir=paths.ETC_IPA, in_server=True, ) # We will need at least api.env, finalize api now. This system is # already installed, so the configuration file is there. api.bootstrap(**cfg) api.finalize() if installer.interactive: print( "\nThis is a NON REVERSIBLE operation and will delete all data " "and configuration!\nIt is highly recommended to take a backup of " "existing data and configuration using ipa-backup utility " "before proceeding.\n") if not user_input( "Are you sure you want to continue with the " "uninstall procedure?", False): raise ScriptError("Aborting uninstall operation.") try: api.Backend.ldap2.connect(autobind=True) domain_level = dsinstance.get_domain_level(api) except Exception: msg = ("\nWARNING: Failed to connect to Directory Server to find " "information about replication agreements. Uninstallation " "will continue despite the possible existing replication " "agreements.\n\n" "If this server is the last instance of CA, KRA, or DNSSEC " "master, uninstallation may result in data loss.\n\n") print(textwrap.fill(msg, width=80, replace_whitespace=False)) if (installer.interactive and not user_input( "Are you sure you want to continue with the uninstall " "procedure?", False)): raise ScriptError("Aborting uninstall operation.") else: dns.uninstall_check(options) ca.uninstall_check(options) cleanup_dogtag_server_specific_data() if domain_level == DOMAIN_LEVEL_0: rm = replication.ReplicationManager(realm=api.env.realm, hostname=api.env.host, dirman_passwd=None, conn=api.Backend.ldap2) agreements = rm.find_ipa_replication_agreements() if agreements: other_masters = [a.get('cn')[0][4:] for a in agreements] msg = ( "\nReplication agreements with the following IPA masters " "found: %s. Removing any replication agreements before " "uninstalling the server is strongly recommended. You can " "remove replication agreements by running the following " "command on any other IPA master:\n" % ", ".join(other_masters)) cmd = "$ ipa-replica-manage del %s\n" % api.env.host print(textwrap.fill(msg, width=80, replace_whitespace=False)) print(cmd) if (installer.interactive and not user_input( "Are you sure you want to continue with" " the uninstall procedure?", False)): raise ScriptError("Aborting uninstall operation.") else: remove_master_from_managed_topology(api, options) api.Backend.ldap2.disconnect() installer._fstore = fstore installer._sstore = sstore
def run(self): if not is_ipa_configured(): print("IPA is not configured.") return 2 if not cainstance.is_ca_installed_locally(): print("CA is not installed on this server.") return 1 try: ipautil.run(['pki-server', 'cert-fix', '--help'], raiseonerr=True) except ipautil.CalledProcessError: print("The 'pki-server cert-fix' command is not available; " "cannot proceed.") return 1 api.bootstrap(in_server=True, confdir=paths.ETC_IPA) api.finalize() if not dsinstance.is_ds_running(realm_to_serverid(api.env.realm)): print("The LDAP server is not running; cannot proceed.") return 1 api.Backend.ldap2.connect() # ensure DS is up subject_base = dsinstance.DsInstance().find_subject_base() if not subject_base: raise RuntimeError("Cannot determine certificate subject base.") ca_subject_dn = ca.lookup_ca_subject(api, subject_base) now = datetime.datetime.now() + datetime.timedelta(weeks=2) certs, extra_certs, non_renewed = expired_certs(now) if not certs and not extra_certs: print("Nothing to do.") return 0 print(msg) print_intentions(certs, extra_certs, non_renewed) response = ipautil.user_input('Enter "yes" to proceed') if response.lower() != 'yes': print("Not proceeding.") return 0 print("Proceeding.") try: fix_certreq_directives(certs) run_cert_fix(certs, extra_certs) except ipautil.CalledProcessError: if any(x[0] is IPACertType.LDAPS for x in extra_certs + non_renewed): # The DS cert was expired. This will cause 'pki-server # cert-fix' to fail at the final restart, and return nonzero. # So this exception *might* be OK to ignore. # # If 'pki-server cert-fix' has written new certificates # corresponding to all the extra_certs, then ignore the # CalledProcessError and proceed to installing the IPA-specific # certs. Otherwise re-raise. if check_renewed_ipa_certs(extra_certs): pass else: raise else: raise # otherwise re-raise replicate_dogtag_certs(subject_base, ca_subject_dn, certs) install_ipa_certs(subject_base, ca_subject_dn, extra_certs) if any(x[0] != 'sslserver' for x in certs) \ or any(x[0] is IPACertType.IPARA for x in extra_certs): # we renewed a "shared" certificate, therefore we must # become the renewal master print("Becoming renewal master.") cainstance.CAInstance().set_renewal_master() print("Restarting IPA") ipautil.run(['ipactl', 'restart'], raiseonerr=True) print(renewal_note) return 0
def run_with_args(api): """ Run the certupdate procedure with the given API object. :param api: API object with ldap2/rpcclient backend connected (such that Commands can be invoked) """ server = urlsplit(api.env.jsonrpc_uri).hostname ldap = ipaldap.LDAPClient.from_hostname_secure(server) tmpdir = tempfile.mkdtemp(prefix="tmp-") ccache_name = os.path.join(tmpdir, 'ccache') old_krb5ccname = os.environ.get('KRB5CCNAME') try: principal = str('host/%s@%s' % (api.env.host, api.env.realm)) kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_name) os.environ['KRB5CCNAME'] = ccache_name try: result = api.Command.ca_is_enabled(version=u'2.107') ca_enabled = result['result'] except (errors.CommandError, errors.NetworkError): result = api.Command.env(server=True, version=u'2.0') ca_enabled = result['result']['enable_ra'] ldap.gssapi_bind() certs = certstore.get_ca_certs(ldap, api.env.basedn, api.env.realm, ca_enabled) if ca_enabled: lwcas = api.Command.ca_find()['result'] else: lwcas = [] finally: if old_krb5ccname is None: del os.environ['KRB5CCNAME'] else: os.environ['KRB5CCNAME'] = old_krb5ccname shutil.rmtree(tmpdir) if is_ipa_configured(): # look up CA servers before service restarts resp = api.Command.server_role_find( role_servrole=u'CA server', status='enabled', ) ca_servers = [server['server_server'] for server in resp['result']] update_server(certs) # pylint: disable=import-error,ipa-forbidden-import from ipaserver.install import cainstance, custodiainstance # pylint: enable=import-error,ipa-forbidden-import # Add LWCA tracking requests. Only execute if *this server* # has CA installed (ca_enabled indicates CA-ful topology). if cainstance.CAInstance().is_configured(): try: cainstance.add_lightweight_ca_tracking_requests(lwcas) except Exception: logger.exception( "Failed to add lightweight CA tracking requests") try: update_server_ra_config( cainstance, custodiainstance, api.env.enable_ra, api.env.ca_host, ca_servers, ) except Exception: logger.exception("Failed to update RA config") # update_server_ra_config possibly updated default.conf; # restart httpd to pick up changes. if services.knownservices.httpd.is_running(): services.knownservices.httpd.restart() update_client(certs)
# Copyright (C) 2020 FreeIPA Contributors see COPYING for license import os import pytest from ipalib import facts from ipatests.test_ipaserver.httptest import Unauthorized_HTTP_test from ipatests.util import assert_equal, assert_not_equal from ipaplatform.paths import paths @pytest.mark.tier1 @pytest.mark.skipif( not facts.is_ipa_configured(), reason="Requires configured IPA server", ) class test_jsplugins(Unauthorized_HTTP_test): app_uri = '/ipa/ui/js/freeipa/plugins.js' jsplugins = (('foo', 'foo.js'), ('bar', '')) content_type = 'application/javascript' def test_jsplugins(self): empty_response = "define([],function(){return[];});" # Step 1: make sure default response has no additional plugins response = self.send_request(method='GET') assert_equal(response.status, 200) response_data = response.read().decode(encoding='utf-8') assert_equal(response_data, empty_response) # Step 2: add fake plugins