def __save_config(self):
    """Back up the config file and record its port/security directives.

    Copies ``self.filename`` to ``self.savefilename`` (``copy2`` keeps the
    file metadata), then reads ``nsslapd-port`` and ``nsslapd-security``
    from the file and hands each value to ``self.backup_state`` under the
    directive's own name.
    """
    shutil.copy2(self.filename, self.savefilename)
    # Both directives are "name: value" lines, hence the ':' separator.
    directives = ('nsslapd-port', 'nsslapd-security')
    values = [
        installutils.get_directive(self.filename, name, separator=':')
        for name in directives
    ]
    for name, value in zip(directives, values):
        self.backup_state(name, value)
def test_get_directive(self, tmpdir):
    """get_directive returns the value of each '='-separated key.

    Writes ``EXAMPLE_CONFIG`` to a temp file and checks ``foo`` and
    ``foobar`` (note ``foo`` is a prefix of ``foobar``) resolve to their
    own values.
    """
    config_path = tmpdir.join('config')
    config_path.write(''.join(EXAMPLE_CONFIG))
    expected = (('foo', '1'), ('foobar', '2'))
    for key, value in expected:
        found = installutils.get_directive(str(config_path), key, separator='=')
        assert value == found
def __save_config(self):
    """Save a copy of the config file and remember two of its directives.

    ``self.filename`` is copied to ``self.savefilename`` with ``copy2``;
    the ``nsslapd-port`` and ``nsslapd-security`` values (read with ':'
    as separator) are then stored via ``self.backup_state``.
    """
    shutil.copy2(self.filename, self.savefilename)

    def read(name):
        return installutils.get_directive(self.filename, name, separator=':')

    # Read both values first, then record them, matching the original order.
    port_value = read('nsslapd-port')
    security_value = read('nsslapd-security')
    self.backup_state('nsslapd-port', port_value)
    self.backup_state('nsslapd-security', security_value)
def install_http_cert(self):
    """Import the new HTTP server certificate into the mod_nss database.

    Reads the current ``NSSNickname`` from ``paths.HTTPD_NSS_CONF``,
    imports the replacement through ``self.import_cert`` (nickname
    ``HTTP/<host>``, restart hook ``restart_httpd``), writes the new
    nickname back single-quoted, and finally fixes mode and ownership of
    the NSS database files so they are root-owned and group-readable by
    the primary group of ``constants.HTTPD_USER``.
    """
    dirname = paths.HTTPD_ALIAS_DIR
    db_files = [os.path.join(dirname, name)
                for name in ('cert8.db', 'key3.db', 'secmod.db')]

    current = installutils.get_directive(paths.HTTPD_NSS_CONF, 'NSSNickname')
    # nss.conf stores the nickname in single quotes; strip them before use.
    nickname = installutils.unquote_directive_value(current, quote_char="'")
    new_nickname = self.import_cert(
        dirname, self.options.pin, nickname,
        'HTTP/%s' % api.env.host, 'restart_httpd')
    # Re-quote ourselves, so set_directive must not add quotes again.
    installutils.set_directive(
        paths.HTTPD_NSS_CONF, 'NSSNickname',
        installutils.quote_directive_value(new_nickname, quote_char="'"),
        quotes=False)

    # Fix the database permissions: 0640, owner root, group of the httpd user.
    for db_path in db_files:
        os.chmod(db_path, 0o640)
    pent = pwd.getpwnam(constants.HTTPD_USER)
    for db_path in db_files:
        os.chown(db_path, 0, pent.pw_gid)
def install_http_cert(self):
    """Replace the HTTP server certificate in the mod_nss NSS database.

    Steps: read the single-quoted ``NSSNickname`` from
    ``paths.HTTPD_NSS_CONF``; import the new cert with
    ``self.import_cert`` (nickname ``HTTP/<host>``, restart hook
    ``restart_httpd``); write the returned nickname back, quoted; then set
    ``cert8.db``/``key3.db``/``secmod.db`` in ``paths.HTTPD_ALIAS_DIR`` to
    mode 0640, owner root, group of ``constants.HTTPD_USER``.
    """
    dirname = paths.HTTPD_ALIAS_DIR

    quoted_old = installutils.get_directive(paths.HTTPD_NSS_CONF, 'NSSNickname')
    old_nickname = installutils.unquote_directive_value(
        quoted_old, quote_char="'")
    new_nickname = self.import_cert(
        dirname, self.options.pin, old_nickname,
        'HTTP/%s' % api.env.host, 'restart_httpd')
    quoted_new = installutils.quote_directive_value(
        new_nickname, quote_char="'")
    # quotes=False: the value carries its own single quotes already.
    installutils.set_directive(
        paths.HTTPD_NSS_CONF, 'NSSNickname', quoted_new, quotes=False)

    # Fix the database permissions
    db_names = ('cert8.db', 'key3.db', 'secmod.db')
    for name in db_names:
        os.chmod(os.path.join(dirname, name), 0o640)
    httpd_gid = pwd.getpwnam(constants.HTTPD_USER).pw_gid
    for name in db_names:
        os.chown(os.path.join(dirname, name), 0, httpd_gid)
def install_http_cert(self):
    """Import the new HTTP server certificate and fix NSS database perms.

    Reads the single-quoted ``NSSNickname`` from ``paths.HTTPD_NSS_CONF``,
    imports the replacement via ``self.import_cert`` (nickname
    ``HTTP/<host>``, restart hook ``restart_httpd``), writes the new
    nickname back quoted, then sets every existing file named in
    ``NSS_DBM_FILES`` and ``NSS_SQL_FILES`` under
    ``paths.HTTPD_ALIAS_DIR`` to mode 0640, owner root, group of
    ``constants.HTTPD_USER``.  Missing database files are skipped.
    """
    dirname = paths.HTTPD_ALIAS_DIR

    quoted_old = installutils.get_directive(paths.HTTPD_NSS_CONF, 'NSSNickname')
    old_nickname = installutils.unquote_directive_value(quoted_old, quote_char="'")
    new_nickname = self.import_cert(
        dirname, self.options.pin, old_nickname,
        'HTTP/%s' % api.env.host, 'restart_httpd')
    quoted_new = installutils.quote_directive_value(new_nickname, quote_char="'")
    # The value is already single-quoted, so set_directive must not quote it.
    installutils.set_directive(
        paths.HTTPD_NSS_CONF, 'NSSNickname', quoted_new, quotes=False)

    # Fix the database permissions (both the DBM and SQL NSS layouts).
    httpd_gid = pwd.getpwnam(constants.HTTPD_USER).pw_gid
    for name in NSS_DBM_FILES + NSS_SQL_FILES:
        db_path = os.path.join(dirname, name)
        if not os.path.isfile(db_path):
            continue
        os.chmod(db_path, 0o640)
        os.chown(db_path, 0, httpd_gid)
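def install_http_cert(self):
    """Import the new HTTP server certificate into the mod_nss database.

    Reads the current ``NSSNickname`` from ``paths.HTTPD_NSS_CONF``,
    imports the replacement with ``self.import_cert`` (nickname
    ``HTTP/<host>``, restart hook ``restart_httpd``), writes the new
    nickname back, and then fixes mode and ownership of the NSS database
    files in ``certs.NSS_DIR`` so they are root-owned and readable by the
    primary group of the ``apache`` user.
    """
    dirname = certs.NSS_DIR
    old_cert = installutils.get_directive(paths.HTTPD_NSS_CONF, 'NSSNickname')
    server_cert = self.import_cert(dirname, self.options.pin, old_cert,
                                   'HTTP/%s' % api.env.host, 'restart_httpd')
    installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSNickname', server_cert)

    # Fix the database permissions.  The mode is written as ``0o640``: the
    # old ``0640`` spelling is Python-2-only and a SyntaxError on Python 3,
    # while ``0o640`` is accepted by both.  0640 keeps the key database
    # (key3.db) unreadable by other users.
    db_files = [os.path.join(dirname, name)
                for name in ('cert8.db', 'key3.db', 'secmod.db')]
    for db_path in db_files:
        os.chmod(db_path, 0o640)
    pent = pwd.getpwnam("apache")
    for db_path in db_files:
        os.chown(db_path, 0, pent.pw_gid)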
def install_http_cert(self):
    """Import the new HTTP server certificate into the mod_nss database.

    Reads ``NSSNickname`` from ``paths.HTTPD_NSS_CONF``, imports the
    replacement with ``self.import_cert`` (nickname ``HTTP/<host>``,
    restart hook ``restart_httpd``), writes the returned nickname back,
    then sets ``cert8.db``/``key3.db``/``secmod.db`` in ``certs.NSS_DIR``
    to mode 0640, owner root, group of ``constants.HTTPD_USER``.
    """
    dirname = certs.NSS_DIR
    current_nickname = installutils.get_directive(
        paths.HTTPD_NSS_CONF, 'NSSNickname')
    new_nickname = self.import_cert(
        dirname, self.options.pin, current_nickname,
        'HTTP/%s' % api.env.host, 'restart_httpd')
    installutils.set_directive(
        paths.HTTPD_NSS_CONF, 'NSSNickname', new_nickname)

    # Fix the database permissions
    db_names = ('cert8.db', 'key3.db', 'secmod.db')
    for name in db_names:
        os.chmod(os.path.join(dirname, name), 0o640)
    httpd_gid = pwd.getpwnam(constants.HTTPD_USER).pw_gid
    for name in db_names:
        os.chown(os.path.join(dirname, name), 0, httpd_gid)
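def _enable_ciphers(cipher_list, add_ciphers):
    """Return *cipher_list* with every name in *add_ciphers* enabled.

    *cipher_list* is a comma-separated ``NSSCipherSuite`` value whose
    entries are cipher names with an optional ``+``/``-`` prefix.
    Entries are matched by exact cipher name (prefix and surrounding
    whitespace ignored), never by substring, so a longer name that merely
    contains one of *add_ciphers* (e.g. an ``..._sha_256`` variant) does
    not count as the cipher being present.  Existing entries keep their
    text and order; a disabled ``-name`` becomes ``+name``; names that are
    not present at all are appended as ``+name`` in the order given.
    Empty entries (e.g. from an empty value) are dropped.
    """
    wanted = list(add_ciphers)
    present = set()
    new_ciphers = []
    for entry in cipher_list.split(','):
        stripped = entry.strip()
        if not stripped:
            continue
        name = stripped[1:] if stripped[:1] in ('+', '-') else stripped
        if name in wanted:
            present.add(name)
            if stripped.startswith('-'):
                entry = '+%s' % name
        new_ciphers.append(entry)
    for name in wanted:
        if name not in present:
            new_ciphers.append('+%s' % name)
    return ','.join(new_ciphers)


def update_mod_nss_cipher_suite():
    """Make sure the ECDHE/AES ciphers are enabled in mod_nss.

    Reads ``NSSCipherSuite`` from ``NSS_CONF``, enables or appends the
    ciphers in ``add_ciphers`` (see ``_enable_ciphers``), writes the
    result back unquoted with ``set_directive`` and logs the update.
    """
    add_ciphers = ['ecdhe_rsa_aes_128_sha', 'ecdhe_rsa_aes_256_sha']
    ciphers = installutils.get_directive(NSS_CONF, 'NSSCipherSuite')

    # Previously the presence test was ``add not in ciphers`` on the raw
    # string, so a value containing a longer cipher name with this one as a
    # prefix silently left the intended cipher disabled.
    ciphers = _enable_ciphers(ciphers, add_ciphers)

    set_directive(NSS_CONF, 'NSSCipherSuite', ciphers, False)
    root_logger.info('Updated Apache cipher list')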
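def execute(self, **options):
    """Record which CA is the renewal master in LDAP.

    Returns a ``(restart, updates)`` pair: *restart* is always False and
    *updates* is a list of LDAP update dicts for the caller to apply.

    Decision order:

    * No CA configured on this host: nothing to do.
    * A ``cn=CA`` entry under ``cn=masters,cn=ipa,cn=etc`` already carries
      ``ipaConfigString=caRenewalMaster``: if this host's entry is among
      them, return updates removing the flag from every *other* entry;
      otherwise leave things alone.
    * No master flagged yet: consult the certmonger request for
      ``ipaCert`` in ``paths.HTTPD_ALIAS_DIR``.  ``dogtag-ipa-renew-agent``
      means this host is the master; ``dogtag-ipa-retrieve-agent-submit``
      and ``dogtag-ipa-ca-renew-agent`` are treated as slave.  Without a
      request, fall back to ``subsystem.select`` in ``paths.CA_CS_CFG_PATH``
      (``New`` = master, ``Clone`` = slave).  Unknown values are logged
      and treated as slave.
    * Otherwise return one update adding the flag to this host's entry.

    Every exit returns a 2-tuple; the previous ``(False, False, [])`` on
    the unknown ``subsystem.select`` path was a 3-tuple and is fixed here.
    """
    ca = cainstance.CAInstance(self.api.env.realm, certs.NSS_DIR)
    if not ca.is_configured():
        self.debug("CA is not configured on this host")
        return False, []

    ldap = self.api.Backend.ldap2
    base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
                 self.api.env.basedn)
    dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn)
    search_filter = '(&(cn=CA)(ipaConfigString=caRenewalMaster))'
    try:
        entries = ldap.get_entries(base_dn=base_dn, filter=search_filter,
                                   attrs_list=[])
    except errors.NotFound:
        pass
    else:
        self.debug("found CA renewal master %s", entries[0].dn[1].value)

        master = False
        updates = []
        for entry in entries:
            if entry.dn == dn:
                master = True
                continue
            updates.append({
                'dn': entry.dn,
                'updates': [
                    dict(action='remove', attr='ipaConfigString',
                         value='caRenewalMaster')
                ],
            })

        # Only when this host is itself a master do we demote the others.
        if master:
            return False, updates
        return False, []

    criteria = {
        'cert-database': paths.HTTPD_ALIAS_DIR,
        'cert-nickname': 'ipaCert',
    }
    request_id = certmonger.get_request_id(criteria)
    if request_id is not None:
        self.debug("found certmonger request for ipaCert")

        ca_name = certmonger.get_request_value(request_id, 'ca-name')
        if ca_name is None:
            self.warning(
                "certmonger request for ipaCert is missing ca_name, "
                "assuming local CA is renewal slave")
            return False, []
        ca_name = ca_name.strip()

        if ca_name in ('dogtag-ipa-retrieve-agent-submit',
                       'dogtag-ipa-ca-renew-agent'):
            return False, []
        if ca_name != 'dogtag-ipa-renew-agent':
            self.warning(
                "certmonger request for ipaCert has unknown ca_name '%s', "
                "assuming local CA is renewal slave", ca_name)
            return False, []
        # 'dogtag-ipa-renew-agent': this host renews, fall through.
    else:
        self.debug("certmonger request for ipaCert not found")

        config = installutils.get_directive(
            paths.CA_CS_CFG_PATH, 'subsystem.select', '=')
        if config == 'Clone':
            return False, []
        if config != 'New':
            self.warning(
                "CS.cfg has unknown subsystem.select value '%s', "
                "assuming local CA is renewal slave", config)
            # Was ``return (False, False, [])``: a 3-tuple among 2-tuples.
            return False, []
        # 'New': this host is the original CA, fall through.

    update = {
        'dn': dn,
        'updates': [
            dict(action='add', attr='ipaConfigString',
                 value='caRenewalMaster')
        ],
    }
    return False, [update]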
def test_get_directive(self, tmpdir):
    """get_directive finds values in WHITESPACE_CONFIG with the default separator.

    Checks ``foo`` and ``foobar`` (``foo`` being a prefix of ``foobar``)
    each resolve to their own value.
    """
    config_path = tmpdir.join('config')
    config_path.write(''.join(WHITESPACE_CONFIG))
    expected = (('foo', '1'), ('foobar', '2'))
    for key, value in expected:
        assert value == installutils.get_directive(str(config_path), key)
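def execute(self, **options):
    """Record which CA is the renewal master in LDAP.

    Returns a ``(restart, updates)`` pair: *restart* is always False and
    *updates* is a list of LDAP update dicts for the caller to apply.

    Decision order:

    * No CA configured on this host: nothing to do.
    * A ``cn=CA`` entry under ``cn=masters,cn=ipa,cn=etc`` already carries
      ``ipaConfigString=caRenewalMaster``: if this host's entry is among
      them, return updates removing the flag from every *other* entry;
      otherwise leave things alone.
    * No master flagged yet: consult the certmonger request for
      ``ipaCert`` in ``paths.HTTPD_ALIAS_DIR``.  ``dogtag-ipa-renew-agent``
      means this host is the master; ``dogtag-ipa-retrieve-agent-submit``
      and ``dogtag-ipa-ca-renew-agent`` are treated as slave.  Without a
      request, fall back to ``subsystem.select`` in ``paths.CA_CS_CFG_PATH``
      (``New`` = master, ``Clone`` = slave).  Unknown values are logged
      and treated as slave.
    * Otherwise return one update adding the flag to this host's entry.

    Every exit returns a 2-tuple; the previous ``(False, False, [])`` on
    the unknown ``subsystem.select`` path was a 3-tuple and is fixed here.
    """
    ca = cainstance.CAInstance(self.api.env.realm, certs.NSS_DIR)
    if not ca.is_configured():
        self.debug("CA is not configured on this host")
        return False, []

    ldap = self.api.Backend.ldap2
    base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
                 self.api.env.basedn)
    dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn)
    search_filter = '(&(cn=CA)(ipaConfigString=caRenewalMaster))'
    try:
        entries = ldap.get_entries(base_dn=base_dn, filter=search_filter,
                                   attrs_list=[])
    except errors.NotFound:
        pass
    else:
        self.debug("found CA renewal master %s", entries[0].dn[1].value)

        master = False
        updates = []
        for entry in entries:
            if entry.dn == dn:
                master = True
                continue
            updates.append({
                'dn': entry.dn,
                'updates': [
                    dict(action='remove', attr='ipaConfigString',
                         value='caRenewalMaster')
                ],
            })

        # Only when this host is itself a master do we demote the others.
        if master:
            return False, updates
        return False, []

    criteria = {
        'cert-database': paths.HTTPD_ALIAS_DIR,
        'cert-nickname': 'ipaCert',
    }
    request_id = certmonger.get_request_id(criteria)
    if request_id is not None:
        self.debug("found certmonger request for ipaCert")

        ca_name = certmonger.get_request_value(request_id, 'ca-name')
        if ca_name is None:
            self.warning(
                "certmonger request for ipaCert is missing ca_name, "
                "assuming local CA is renewal slave")
            return False, []
        ca_name = ca_name.strip()

        if ca_name in ('dogtag-ipa-retrieve-agent-submit',
                       'dogtag-ipa-ca-renew-agent'):
            return False, []
        if ca_name != 'dogtag-ipa-renew-agent':
            self.warning(
                "certmonger request for ipaCert has unknown ca_name '%s', "
                "assuming local CA is renewal slave", ca_name)
            return False, []
        # 'dogtag-ipa-renew-agent': this host renews, fall through.
    else:
        self.debug("certmonger request for ipaCert not found")

        config = installutils.get_directive(
            paths.CA_CS_CFG_PATH, 'subsystem.select', '=')
        if config == 'Clone':
            return False, []
        if config != 'New':
            self.warning(
                "CS.cfg has unknown subsystem.select value '%s', "
                "assuming local CA is renewal slave", config)
            # Was ``return (False, False, [])``: a 3-tuple among 2-tuples.
            return False, []
        # 'New': this host is the original CA, fall through.

    update = {
        'dn': dn,
        'updates': [
            dict(action='add', attr='ipaConfigString',
                 value='caRenewalMaster')
        ],
    }
    return False, [update]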
def get_mod_nss_nickname(self):
    """Return the HTTP server certificate nickname configured in mod_nss.

    Reads ``NSSNickname`` from ``paths.HTTPD_NSS_CONF`` and strips the
    surrounding single quotes it is stored with.
    """
    quoted = installutils.get_directive(paths.HTTPD_NSS_CONF, 'NSSNickname')
    return installutils.unquote_directive_value(quoted, quote_char="'")