def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys,
**options):
assert isinstance(dn, DN)
if not self.api.Command.kra_is_enabled()['result']:
raise errors.InvocationError(
format=_('KRA service is not enabled'))
principal = kerberos.Principal(getattr(context, 'principal'))
if principal.is_service:
owner_dn = self.api.Object.service.get_dn(unicode(principal))
else:
owner_dn = self.api.Object.user.get_dn(principal.username)
parent_dn = DN(*dn[1:])
try:
self.obj.create_container(parent_dn, owner_dn)
except (errors.DuplicateEntry, errors.ACIError):
pass
# vault should be owned by the creator
entry_attrs['owner'] = owner_dn
return dn
def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *args,
**options):
assert isinstance(base_dn, DN)
if not self.api.Command.kra_is_enabled()['result']:
raise errors.InvocationError(
format=_('KRA service is not enabled'))
if options.get('users') or options.get('services'):
mutex = ['service', 'services', 'shared', 'username', 'users']
count = sum(bool(options.get(option)) for option in mutex)
if count > 1:
raise errors.MutuallyExclusiveError(
reason=_('Service(s), shared, and user(s) options ' +
'cannot be specified simultaneously'))
scope = ldap.SCOPE_SUBTREE
container_dn = DN(self.obj.container_dn,
self.api.env.basedn)
if options.get('services'):
base_dn = DN(('cn', 'services'), container_dn)
else:
base_dn = DN(('cn', 'users'), container_dn)
else:
base_dn = self.obj.get_dn(None, **options)
return filter, base_dn, scope
def pre_callback(self, ldap, dn, attrs_list, *keys, **options):
assert isinstance(dn, DN)
if not self.api.Command.kra_is_enabled()['result']:
raise errors.InvocationError(
format=_('KRA service is not enabled'))
return dn
def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args,
**options):
assert isinstance(base_dn, DN)
if not dns_container_exists(self.api.Backend.ldap2):
raise errors.InvocationError(
format=_('IPA DNS Server is not installed'))
return (filters, base_dn, scope)
def check_fips_auth_opts(fips_mode, **options):
"""
OTP and RADIUS are not allowed in FIPS mode since they use MD5
checksums (OTP uses our RADIUS responder daemon ipa-otpd).
"""
if 'ipauserauthtype' in options and fips_mode:
if ('otp' in options['ipauserauthtype'] or
'radius' in options['ipauserauthtype']):
raise errors.InvocationError(
'OTP and RADIUS authentication in FIPS is '
'not yet supported')
def execute(self, *args, **options):
if not self.api.Command.kra_is_enabled()['result']:
raise errors.InvocationError(
format=_('KRA service is not enabled'))
wrapped_vault_data = options.pop('vault_data')
nonce = options.pop('nonce')
wrapped_session_key = options.pop('session_key')
wrapping_algo = options.pop('wrapping_algo', None)
algorithm_oid = self.obj._translate_algorithm(wrapping_algo)
# retrieve vault info
vault = self.api.Command.vault_show(*args, **options)['result']
# connect to KRA
with self.api.Backend.kra.get_client() as kra_client:
kra_account = pki.account.AccountClient(kra_client.connection)
kra_account.login()
client_key_id = self.obj.get_key_id(vault['dn'])
# deactivate existing vault record in KRA
response = kra_client.keys.list_keys(
client_key_id,
pki.key.KeyClient.KEY_STATUS_ACTIVE)
for key_info in response.key_infos:
kra_client.keys.modify_key_status(
key_info.get_key_id(),
pki.key.KeyClient.KEY_STATUS_INACTIVE)
# forward wrapped data to KRA
kra_client.keys.archive_encrypted_data(
client_key_id,
pki.key.KeyClient.PASS_PHRASE_TYPE,
wrapped_vault_data,
wrapped_session_key,
algorithm_oid=algorithm_oid,
nonce_iv=nonce,
)
kra_account.logout()
response = {
'value': args[-1],
'result': {},
}
response['summary'] = self.msg_summary % response
return response
def execute(self, *args, **options):
if not self.api.Command.kra_is_enabled()['result']:
raise errors.InvocationError(
format=_('KRA service is not enabled'))
wrapped_session_key = options.pop('session_key')
wrapping_algo = options.pop('wrapping_algo', None)
algorithm_oid = self.obj._translate_algorithm(wrapping_algo)
# retrieve vault info
vault = self.api.Command.vault_show(*args, **options)['result']
# connect to KRA
with self.api.Backend.kra.get_client() as kra_client:
kra_account = pki.account.AccountClient(kra_client.connection)
kra_account.login()
client_key_id = self.obj.get_key_id(vault['dn'])
# find vault record in KRA
response = kra_client.keys.list_keys(
client_key_id,
pki.key.KeyClient.KEY_STATUS_ACTIVE)
if not len(response.key_infos):
raise errors.NotFound(reason=_('No archived data.'))
key_info = response.key_infos[0]
# XXX hack
kra_client.keys.encrypt_alg_oid = algorithm_oid
# retrieve encrypted data from KRA
key = kra_client.keys.retrieve_key(
key_info.get_key_id(),
wrapped_session_key)
kra_account.logout()
response = {
'value': args[-1],
'result': {
'vault_data': key.encrypted_data,
'nonce': key.nonce_data,
},
}
response['summary'] = self.msg_summary % response
return response
def forward(self, csr=None, **options):
database = options.pop('database', None)
private_key = options.pop('private_key', None)
csr_profile_id = options.pop('csr_profile_id', None)
password_file = options.pop('password_file', None)
if csr is None:
# Deferred import, ipaclient.csrgen is expensive to load.
# see https://pagure.io/freeipa/issue/7484
from ipaclient import csrgen
if database:
adaptor = csrgen.NSSAdaptor(database, password_file)
elif private_key:
adaptor = csrgen.OpenSSLAdaptor(
key_filename=private_key, password_filename=password_file)
else:
raise errors.InvocationError(
message=u"One of 'database' or 'private_key' is required")
pubkey_info = adaptor.get_subject_public_key_info()
pubkey_info_b64 = base64.b64encode(pubkey_info)
# If csr_profile_id is passed, that takes precedence.
# Otherwise, use profile_id. If neither are passed, the default
# in cert_get_requestdata will be used.
profile_id = csr_profile_id
if profile_id is None:
profile_id = options.get('profile_id')
response = self.api.Command.cert_get_requestdata(
profile_id=profile_id,
principal=options.get('principal'),
public_key_info=pubkey_info_b64)
req_info_b64 = response['result']['request_info']
req_info = base64.b64decode(req_info_b64)
csr = adaptor.sign_csr(req_info)
if not csr:
raise errors.CertificateOperationError(
error=(_('Generated CSR was empty')))
else:
if database is not None or private_key is not None:
raise errors.MutuallyExclusiveError(reason=_(
"Options 'database' and 'private_key' are not compatible"
" with 'csr'"))
return super(cert_request, self).forward(csr, **options)
def forward(self, csr=None, **options):
database = options.pop('database', None)
private_key = options.pop('private_key', None)
csr_profile_id = options.pop('csr_profile_id', None)
password_file = options.pop('password_file', None)
if csr is None:
if database:
adaptor = csrgen.NSSAdaptor(database, password_file)
elif private_key:
adaptor = csrgen.OpenSSLAdaptor(private_key, password_file)
else:
raise errors.InvocationError(
message=u"One of 'database' or 'private_key' is required")
pubkey_info = adaptor.get_subject_public_key_info()
pubkey_info_b64 = base64.b64encode(pubkey_info)
# If csr_profile_id is passed, that takes precedence.
# Otherwise, use profile_id. If neither are passed, the default
# in cert_get_requestdata will be used.
profile_id = csr_profile_id
if profile_id is None:
profile_id = options.get('profile_id')
response = self.api.Command.cert_get_requestdata(
profile_id=profile_id,
principal=options.get('principal'),
public_key_info=unicode(pubkey_info_b64))
req_info_b64 = response['result']['request_info']
req_info = base64.b64decode(req_info_b64)
csr = adaptor.sign_csr(req_info)
if not csr:
raise errors.CertificateOperationError(
error=(_('Generated CSR was empty')))
# cert_request requires the CSR to be base64-encoded (but PEM
# header and footer are not required)
csr = unicode(base64.b64encode(csr))
else:
if database is not None or private_key is not None:
raise errors.MutuallyExclusiveError(reason=_(
"Options 'database' and 'private_key' are not compatible"
" with 'csr'"))
return super(cert_request, self).forward(csr, **options)
def execute(self, *args, **options):
if not self.api.Command.kra_is_enabled()['result']:
raise errors.InvocationError(
format=_('KRA service is not enabled'))
with self.api.Backend.kra.get_client() as kra_client:
transport_cert = kra_client.system_certs.get_transport_cert()
config = {'transport_cert': transport_cert.binary}
config.update(
self.api.Backend.serverroles.config_retrieve("KRA server"))
return {
'result': config,
'value': None,
}
def execute(self, *args, **options):
if not self.api.Command.kra_is_enabled()['result']:
raise errors.InvocationError(
format=_('KRA service is not enabled'))
config = dict(
wrapping_supported_algorithms=VAULT_WRAPPING_SUPPORTED_ALGOS,
wrapping_default_algorithm=VAULT_WRAPPING_DEFAULT_ALGO,
)
with self.api.Backend.kra.get_client() as kra_client:
transport_cert = kra_client.system_certs.get_transport_cert()
config['transport_cert'] = transport_cert.binary
self.api.Object.config.show_servroles_attributes(
config, "KRA server", **options)
return {
'result': config,
'value': None,
}
def execute(self, *keys, **options):
ldap = self.obj.backend
# First check that the user exists and is a delete one
delete_dn = self.obj.get_either_dn(*keys, **options)
try:
self._exc_wrapper(keys, options, ldap.get_entry)(delete_dn)
except errors.NotFound:
self.obj.handle_not_found(*keys)
if delete_dn.endswith(DN(self.obj.active_container_dn,
api.env.basedn)):
raise errors.InvocationError(
message=_('user "%s" is already active') % keys[-1])
active_dn = DN(delete_dn[0], self.obj.active_container_dn,
api.env.basedn)
# start to move the entry to the Active container
self._exc_wrapper(keys, options, ldap.move_entry)(delete_dn,
active_dn,
del_old=True)
# add the user we just undelete into the default primary group
config = ldap.get_ipa_config()
def_primary_group = config.get('ipadefaultprimarygroup')
group_dn = self.api.Object['group'].get_dn(def_primary_group)
# if the user is already a member of default primary group,
# do not raise error
# this can happen if automember rule or default group is set
try:
ldap.add_entry_to_group(active_dn, group_dn)
except errors.AlreadyGroupMember:
pass
return dict(
result=True,
value=pkey_to_value(keys[0], options),
)