def test_set_directive(self): """Check that set_directive writes the new data and preserves mode.""" fd, filename = tempfile.mkstemp() try: os.close(fd) stat_pre = os.stat(filename) with open(filename, 'w') as f: for line in EXAMPLE_CONFIG: f.write(line) directivesetter.set_directive(filename, 'foo', '3', False, '=', "#") stat_post = os.stat(filename) with open(filename, 'r') as f: lines = list(f) assert lines == ['foo=3\n', 'foobar=2\n'] assert stat_pre.st_mode == stat_post.st_mode assert stat_pre.st_uid == stat_post.st_uid assert stat_pre.st_gid == stat_post.st_gid finally: os.remove(filename)
def __setup_dnskeysyncd(self): # set up dnskeysyncd this is DNSSEC master directivesetter.set_directive(paths.SYSCONFIG_IPA_DNSKEYSYNCD, 'ISMASTER', '1', quotes=False, separator='=')
def setup_httpd_logging(self): directivesetter.set_directive(paths.HTTPD_SSL_CONF, 'ErrorLog', 'logs/error_log', False) directivesetter.set_directive(paths.HTTPD_SSL_CONF, 'TransferLog', 'logs/access_log', False)
def test_set_directive(self): """Check that set_directive writes the new data and preserves mode.""" fd, filename = tempfile.mkstemp() try: os.close(fd) stat_pre = os.stat(filename) with open(filename, 'w') as f: for line in EXAMPLE_CONFIG: f.write(line) directivesetter.set_directive( filename, 'foo', '3', False, '=', "#") stat_post = os.stat(filename) with open(filename, 'r') as f: lines = list(f) assert lines == ['foo=3\n', 'foobar=2\n'] assert stat_pre.st_mode == stat_post.st_mode assert stat_pre.st_uid == stat_post.st_uid assert stat_pre.st_gid == stat_post.st_gid finally: os.remove(filename)
def setup_httpd_logging(self): directivesetter.set_directive(paths.HTTPD_SSL_CONF, 'ErrorLog', 'logs/error_log', False) directivesetter.set_directive(paths.HTTPD_SSL_CONF, 'TransferLog', 'logs/access_log', False)
def enable_ephemeral(self): """ Enable ephemeral KRA requests to reduce the number of LDAP write operations. """ with installutils.stopped_service('pki-tomcatd', 'pki-tomcat'): directivesetter.set_directive( self.config, 'kra.ephemeralRequests', 'true', quotes=False, separator='=')
def enable_ephemeral(self): """ Enable ephemeral KRA requests to reduce the number of LDAP write operations. """ with installutils.stopped_service('pki-tomcatd', 'pki-tomcat'): directivesetter.set_directive( self.config, 'kra.ephemeralRequests', 'true', quotes=False, separator='=')
def __setup_conf_files(self): if not self.fstore.has_file(paths.OPENDNSSEC_CONF_FILE): self.fstore.backup_file(paths.OPENDNSSEC_CONF_FILE) if not self.fstore.has_file(paths.OPENDNSSEC_KASP_FILE): self.fstore.backup_file(paths.OPENDNSSEC_KASP_FILE) if not self.fstore.has_file(paths.OPENDNSSEC_ZONELIST_FILE): self.fstore.backup_file(paths.OPENDNSSEC_ZONELIST_FILE) pin_fd = open(paths.DNSSEC_SOFTHSM_PIN, "r") pin = pin_fd.read() pin_fd.close() # add pin to template sub_conf_dict = self.conf_file_dict sub_conf_dict['PIN'] = pin if paths.ODS_KSMUTIL is not None and os.path.exists(paths.ODS_KSMUTIL): # OpenDNSSEC 1.4 sub_conf_dict['INTERVAL'] = '<Interval>PT3600S</Interval>' else: # OpenDNSSEC 2.x sub_conf_dict['INTERVAL'] = '<!-- Interval not used in 2x -->' ods_conf_txt = ipautil.template_file( os.path.join(paths.USR_SHARE_IPA_DIR, "opendnssec_conf.template"), sub_conf_dict) ods_conf_fd = open(paths.OPENDNSSEC_CONF_FILE, 'w') ods_conf_fd.seek(0) ods_conf_fd.truncate(0) ods_conf_fd.write(ods_conf_txt) ods_conf_fd.close() ods_kasp_txt = ipautil.template_file( os.path.join(paths.USR_SHARE_IPA_DIR, "opendnssec_kasp.template"), self.kasp_file_dict) ods_kasp_fd = open(paths.OPENDNSSEC_KASP_FILE, 'w') ods_kasp_fd.seek(0) ods_kasp_fd.truncate(0) ods_kasp_fd.write(ods_kasp_txt) ods_kasp_fd.close() if not self.fstore.has_file(paths.SYSCONFIG_ODS): self.fstore.backup_file(paths.SYSCONFIG_ODS) if not os.path.isfile(paths.SYSCONFIG_ODS): # create file, it's not shipped on Debian with open(paths.SYSCONFIG_ODS, 'a') as f: os.fchmod(f.fileno(), 0o644) directivesetter.set_directive(paths.SYSCONFIG_ODS, 'SOFTHSM2_CONF', paths.DNSSEC_SOFTHSM2_CONF, quotes=False, separator='=')
def setup_ipa_dnskeysyncd_sysconfig(self): logger.debug("Setup ipa-dnskeysyncd sysconfig") sysconfig = paths.SYSCONFIG_IPA_DNSKEYSYNCD directivesetter.set_directive( sysconfig, 'SOFTHSM2_CONF', paths.DNSSEC_SOFTHSM2_CONF, quotes=False, separator='=') if constants.NAMED_OPENSSL_ENGINE is not None: directivesetter.set_directive( sysconfig, 'OPENSSL_CONF', paths.DNSSEC_OPENSSL_CONF, quotes=False, separator='=')
def __setup_conf_files(self): if not self.fstore.has_file(paths.OPENDNSSEC_CONF_FILE): self.fstore.backup_file(paths.OPENDNSSEC_CONF_FILE) if not self.fstore.has_file(paths.OPENDNSSEC_KASP_FILE): self.fstore.backup_file(paths.OPENDNSSEC_KASP_FILE) if not self.fstore.has_file(paths.OPENDNSSEC_ZONELIST_FILE): self.fstore.backup_file(paths.OPENDNSSEC_ZONELIST_FILE) pin_fd = open(paths.DNSSEC_SOFTHSM_PIN, "r") pin = pin_fd.read() pin_fd.close() # add pin to template sub_conf_dict = self.conf_file_dict sub_conf_dict['PIN'] = pin ods_conf_txt = ipautil.template_file( os.path.join(paths.USR_SHARE_IPA_DIR, "opendnssec_conf.template"), sub_conf_dict) ods_conf_fd = open(paths.OPENDNSSEC_CONF_FILE, 'w') ods_conf_fd.seek(0) ods_conf_fd.truncate(0) ods_conf_fd.write(ods_conf_txt) ods_conf_fd.close() ods_kasp_txt = ipautil.template_file( os.path.join(paths.USR_SHARE_IPA_DIR, "opendnssec_kasp.template"), self.kasp_file_dict) ods_kasp_fd = open(paths.OPENDNSSEC_KASP_FILE, 'w') ods_kasp_fd.seek(0) ods_kasp_fd.truncate(0) ods_kasp_fd.write(ods_kasp_txt) ods_kasp_fd.close() if not self.fstore.has_file(paths.SYSCONFIG_ODS): self.fstore.backup_file(paths.SYSCONFIG_ODS) directivesetter.set_directive(paths.SYSCONFIG_ODS, 'SOFTHSM2_CONF', paths.DNSSEC_SOFTHSM2_CONF, quotes=False, separator='=')
def update_cert_cs_cfg(self, directive, cert): """ When renewing a Dogtag subsystem certificate the configuration file needs to get the new certificate as well. ``directive`` is the directive to update in CS.cfg cert is IPACertificate. cs_cfg is the path to the CS.cfg file """ with stopped_service('pki-tomcatd', 'pki-tomcat'): directivesetter.set_directive( self.config, directive, # the cert must be only the base64 string without headers (base64.b64encode(cert.public_bytes(x509.Encoding.DER)) .decode('ascii')), quotes=False, separator='=')
def __setup_conf_files(self): if not self.fstore.has_file(paths.OPENDNSSEC_CONF_FILE): self.fstore.backup_file(paths.OPENDNSSEC_CONF_FILE) if not self.fstore.has_file(paths.OPENDNSSEC_KASP_FILE): self.fstore.backup_file(paths.OPENDNSSEC_KASP_FILE) if not self.fstore.has_file(paths.OPENDNSSEC_ZONELIST_FILE): self.fstore.backup_file(paths.OPENDNSSEC_ZONELIST_FILE) pin_fd = open(paths.DNSSEC_SOFTHSM_PIN, "r") pin = pin_fd.read() pin_fd.close() # add pin to template sub_conf_dict = self.conf_file_dict sub_conf_dict['PIN'] = pin ods_conf_txt = ipautil.template_file( os.path.join(paths.USR_SHARE_IPA_DIR, "opendnssec_conf.template"), sub_conf_dict) ods_conf_fd = open(paths.OPENDNSSEC_CONF_FILE, 'w') ods_conf_fd.seek(0) ods_conf_fd.truncate(0) ods_conf_fd.write(ods_conf_txt) ods_conf_fd.close() ods_kasp_txt = ipautil.template_file( os.path.join(paths.USR_SHARE_IPA_DIR, "opendnssec_kasp.template"), self.kasp_file_dict) ods_kasp_fd = open(paths.OPENDNSSEC_KASP_FILE, 'w') ods_kasp_fd.seek(0) ods_kasp_fd.truncate(0) ods_kasp_fd.write(ods_kasp_txt) ods_kasp_fd.close() if not self.fstore.has_file(paths.SYSCONFIG_ODS): self.fstore.backup_file(paths.SYSCONFIG_ODS) directivesetter.set_directive(paths.SYSCONFIG_ODS, 'SOFTHSM2_CONF', paths.DNSSEC_SOFTHSM2_CONF, quotes=False, separator='=')
def update_cert_cs_cfg(self, directive, cert): """ When renewing a Dogtag subsystem certificate the configuration file needs to get the new certificate as well. ``directive`` is the directive to update in CS.cfg cert is IPACertificate. cs_cfg is the path to the CS.cfg file """ with stopped_service('pki-tomcatd', 'pki-tomcat'): directivesetter.set_directive( self.config, directive, # the cert must be only the base64 string without headers (base64.b64encode(cert.public_bytes(x509.Encoding.DER)) .decode('ascii')), quotes=False, separator='=')
def configure_mod_ssl_certs(self): """Configure the mod_ssl certificate directives""" directivesetter.set_directive(paths.HTTPD_SSL_SITE_CONF, 'SSLCertificateFile', paths.HTTPD_CERT_FILE, False) directivesetter.set_directive(paths.HTTPD_SSL_SITE_CONF, 'SSLCertificateKeyFile', paths.HTTPD_KEY_FILE, False) directivesetter.set_directive( paths.HTTPD_SSL_CONF, 'SSLPassPhraseDialog', 'exec:{passread}'.format(passread=paths.IPA_HTTPD_PASSWD_READER), False) directivesetter.set_directive(paths.HTTPD_SSL_SITE_CONF, 'SSLCACertificateFile', paths.IPA_CA_CRT, False) # set SSLVerifyDepth for external CA installations directivesetter.set_directive(paths.HTTPD_SSL_CONF, 'SSLVerifyDepth', MOD_SSL_VERIFY_DEPTH, quotes=False)
def configure_mod_ssl_certs(self): """Configure the mod_ssl certificate directives""" directivesetter.set_directive(paths.HTTPD_SSL_SITE_CONF, 'SSLCertificateFile', paths.HTTPD_CERT_FILE, False) directivesetter.set_directive(paths.HTTPD_SSL_SITE_CONF, 'SSLCertificateKeyFile', paths.HTTPD_KEY_FILE, False) directivesetter.set_directive( paths.HTTPD_SSL_CONF, 'SSLPassPhraseDialog', 'exec:{passread}'.format(passread=paths.IPA_HTTPD_PASSWD_READER), False) directivesetter.set_directive(paths.HTTPD_SSL_SITE_CONF, 'SSLCACertificateFile', paths.IPA_CA_CRT, False) # set SSLVerifyDepth for external CA installations directivesetter.set_directive(paths.HTTPD_SSL_CONF, 'SSLVerifyDepth', MOD_SSL_VERIFY_DEPTH, quotes=False)
def setup_named_sysconfig(self): logger.debug("Setup BIND sysconfig") sysconfig = paths.SYSCONFIG_NAMED self.fstore.backup_file(sysconfig) directivesetter.set_directive(sysconfig, 'SOFTHSM2_CONF', paths.DNSSEC_SOFTHSM2_CONF, quotes=False, separator='=') if constants.NAMED_OPENSSL_ENGINE is not None: directivesetter.set_directive(sysconfig, 'OPENSSL_CONF', paths.DNSSEC_OPENSSL_CONF, quotes=False, separator='=') options = directivesetter.get_directive( paths.SYSCONFIG_NAMED, constants.NAMED_OPTIONS_VAR, separator="=") or '' if not self._are_named_options_configured(options): engine_cmd = "-E {}".format(constants.NAMED_OPENSSL_ENGINE) new_options = ' '.join([options, engine_cmd]) directivesetter.set_directive(sysconfig, constants.NAMED_OPTIONS_VAR, new_options, quotes=True, separator='=')
def fix_certreq_directives(certs): """ For all the certs to be fixed, ensure that the corresponding CSR is found in PKI config file, or try to get the CSR from certmonger. """ directives = { 'auditSigningCert cert-pki-ca': ('ca.audit_signing.certreq', paths.CA_CS_CFG_PATH), 'ocspSigningCert cert-pki-ca': ('ca.ocsp_signing.certreq', paths.CA_CS_CFG_PATH), 'subsystemCert cert-pki-ca': ('ca.subsystem.certreq', paths.CA_CS_CFG_PATH), 'Server-Cert cert-pki-ca': ('ca.sslserver.certreq', paths.CA_CS_CFG_PATH), 'auditSigningCert cert-pki-kra': ('kra.audit_signing.certreq', paths.KRA_CS_CFG_PATH), 'storageCert cert-pki-kra': ('kra.storage.certreq', paths.KRA_CS_CFG_PATH), 'transportCert cert-pki-kra': ('kra.transport.certreq', paths.KRA_CS_CFG_PATH), } # pki-server cert-fix needs to find the CSR in the subsystem config file # otherwise it will fail # For each cert to be fixed, check that the CSR is present or # get it from certmonger for (certid, _cert) in certs: # Check if the directive is set in the config file nickname = cert_nicknames[certid] (directive, cfg_path) = directives[nickname] if directivesetter.get_directive(cfg_path, directive, '=') is None: # The CSR is missing, try to get it from certmonger csr = get_csr_from_certmonger(nickname) if csr: # Update the directive directivesetter.set_directive(cfg_path, directive, csr, quotes=False, separator='=')
def configure_httpd_protocol(self): # TLS 1.3 is not yet supported directivesetter.set_directive(paths.HTTPD_SSL_CONF, 'SSLProtocol', 'TLSv1.2', False)
def enable_client_auth_to_db(self): """ Enable client auth connection to the internal db. """ with stopped_service('pki-tomcatd', 'pki-tomcat'): directivesetter.set_directive( self.config, 'authz.instance.DirAclAuthz.ldap.ldapauth.authtype', 'SslClientAuth', quotes=False, separator='=') directivesetter.set_directive( self.config, 'authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname', 'subsystemCert cert-pki-ca', quotes=False, separator='=') directivesetter.set_directive( self.config, 'authz.instance.DirAclAuthz.ldap.ldapconn.port', '636', quotes=False, separator='=') directivesetter.set_directive( self.config, 'authz.instance.DirAclAuthz.ldap.ldapconn.secureConn', 'true', quotes=False, separator='=') directivesetter.set_directive( self.config, 'internaldb.ldapauth.authtype', 'SslClientAuth', quotes=False, separator='=') directivesetter.set_directive( self.config, 'internaldb.ldapauth.clientCertNickname', 'subsystemCert cert-pki-ca', quotes=False, separator='=') directivesetter.set_directive( self.config, 'internaldb.ldapconn.port', '636', quotes=False, separator='=') directivesetter.set_directive( self.config, 'internaldb.ldapconn.secureConn', 'true', quotes=False, separator='=') # Remove internaldb password as is not needed anymore directivesetter.set_directive(paths.PKI_TOMCAT_PASSWORD_CONF, 'internaldb', None, separator='=')
def enable_client_auth_to_db(self): """ Enable client auth connection to the internal db. """ sub_system_nickname = "subsystemCert cert-pki-ca" if self.token_name != "internal": # TODO: Dogtag 10.6.9 does not like "internal" prefix. sub_system_nickname = '{}:{}'.format(self.token_name, sub_system_nickname) with stopped_service('pki-tomcatd', 'pki-tomcat'): directivesetter.set_directive( self.config, 'authz.instance.DirAclAuthz.ldap.ldapauth.authtype', 'SslClientAuth', quotes=False, separator='=') directivesetter.set_directive( self.config, 'authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname', sub_system_nickname, quotes=False, separator='=') directivesetter.set_directive( self.config, 'authz.instance.DirAclAuthz.ldap.ldapconn.port', '636', quotes=False, separator='=') directivesetter.set_directive( self.config, 'authz.instance.DirAclAuthz.ldap.ldapconn.secureConn', 'true', quotes=False, separator='=') directivesetter.set_directive(self.config, 'internaldb.ldapauth.authtype', 'SslClientAuth', quotes=False, separator='=') directivesetter.set_directive( self.config, 'internaldb.ldapauth.clientCertNickname', sub_system_nickname, quotes=False, separator='=') directivesetter.set_directive(self.config, 'internaldb.ldapconn.port', '636', quotes=False, separator='=') directivesetter.set_directive(self.config, 'internaldb.ldapconn.secureConn', 'true', quotes=False, separator='=') # Remove internaldb password as is not needed anymore directivesetter.set_directive(paths.PKI_TOMCAT_PASSWORD_CONF, 'internaldb', None, separator='=')
def set_mod_ssl_protocol(self): directivesetter.set_directive(paths.HTTPD_SSL_CONF, 'SSLProtocol', '+TLSv1 +TLSv1.1 +TLSv1.2', False)
def uninstall(self): if not self.is_configured(): return self.print_msg("Unconfiguring %s" % self.service_name) running = self.restore_state("running") enabled = self.restore_state("enabled") # stop DNSSEC services before backing up kasp.db try: self.stop() except Exception: pass ods_exporter = services.service('ipa-ods-exporter', api) try: ods_exporter.stop() except Exception: pass # remove directive from ipa-dnskeysyncd, this server is not DNSSEC # master anymore directivesetter.set_directive(paths.SYSCONFIG_IPA_DNSKEYSYNCD, 'ISMASTER', None, quotes=False, separator='=') restore_list = [ paths.OPENDNSSEC_CONF_FILE, paths.OPENDNSSEC_KASP_FILE, paths.SYSCONFIG_ODS, paths.OPENDNSSEC_ZONELIST_FILE ] if os.path.isfile(paths.OPENDNSSEC_KASP_DB): # force to export data cmd = [paths.IPA_ODS_EXPORTER, 'ipa-full-update'] try: self.print_msg("Exporting DNSSEC data before uninstallation") ipautil.run(cmd, runas=constants.ODS_USER) except CalledProcessError: logger.error("DNSSEC data export failed") try: shutil.copy(paths.OPENDNSSEC_KASP_DB, paths.IPA_KASP_DB_BACKUP) except IOError as e: logger.error( "Unable to backup OpenDNSSEC database %s, " "restore will be skipped: %s", paths.OPENDNSSEC_KASP_DB, e) else: logger.info("OpenDNSSEC database backed up in %s", paths.IPA_KASP_DB_BACKUP) # restore OpenDNSSEC's KASP DB only if backup succeeded # removing the file without backup could totally break DNSSEC restore_list.append(paths.OPENDNSSEC_KASP_DB) for f in restore_list: try: self.fstore.restore_file(f) except ValueError as error: logger.debug("%s", error) self.restore_state("kasp_db_configured") # just eat state # disabled by default, by ldap_configure() if enabled: self.enable() if running: self.restart()
def set_mod_ssl_protocol(self): directivesetter.set_directive(paths.HTTPD_SSL_CONF, 'SSLProtocol', '+TLSv1 +TLSv1.1 +TLSv1.2', False)
def __setup_softhsm(self): assert self.ods_uid is not None assert self.named_gid is not None token_dir_exists = os.path.exists(paths.DNSSEC_TOKENS_DIR) # create dnssec directory if not os.path.exists(paths.IPA_DNSSEC_DIR): logger.debug("Creating %s directory", paths.IPA_DNSSEC_DIR) os.mkdir(paths.IPA_DNSSEC_DIR) os.chmod(paths.IPA_DNSSEC_DIR, 0o770) # chown ods:named os.chown(paths.IPA_DNSSEC_DIR, self.ods_uid, self.named_gid) # setup softhsm2 config file softhsm_conf_txt = ("# SoftHSM v2 configuration file \n" "# File generated by IPA instalation\n" "directories.tokendir = %(tokens_dir)s\n" "objectstore.backend = file") % { 'tokens_dir': paths.DNSSEC_TOKENS_DIR } logger.debug("Creating new softhsm config file") named_fd = open(paths.DNSSEC_SOFTHSM2_CONF, 'w') named_fd.seek(0) named_fd.truncate(0) named_fd.write(softhsm_conf_txt) named_fd.close() os.chmod(paths.DNSSEC_SOFTHSM2_CONF, 0o644) # setting up named to use softhsm2 if not self.fstore.has_file(paths.SYSCONFIG_NAMED): self.fstore.backup_file(paths.SYSCONFIG_NAMED) # setting up named and ipa-dnskeysyncd to use our softhsm2 config for sysconfig in [ paths.SYSCONFIG_NAMED, paths.SYSCONFIG_IPA_DNSKEYSYNCD ]: directivesetter.set_directive(sysconfig, 'SOFTHSM2_CONF', paths.DNSSEC_SOFTHSM2_CONF, quotes=False, separator='=') if (token_dir_exists and os.path.exists(paths.DNSSEC_SOFTHSM_PIN) and os.path.exists(paths.DNSSEC_SOFTHSM_PIN_SO)): # there is initialized softhsm return # remove old tokens if token_dir_exists: logger.debug('Removing old tokens directory %s', paths.DNSSEC_TOKENS_DIR) shutil.rmtree(paths.DNSSEC_TOKENS_DIR) # create tokens subdirectory logger.debug('Creating tokens %s directory', paths.DNSSEC_TOKENS_DIR) # sticky bit is required by daemon os.mkdir(paths.DNSSEC_TOKENS_DIR) os.chmod(paths.DNSSEC_TOKENS_DIR, 0o770 | stat.S_ISGID) # chown to ods:named os.chown(paths.DNSSEC_TOKENS_DIR, self.ods_uid, self.named_gid) # generate PINs for softhsm pin_length = 30 # Bind allows max 32 bytes including ending '\0' pin = ipautil.ipa_generate_password(entropy_bits=0, special=None, min_len=pin_length) pin_so = ipautil.ipa_generate_password(entropy_bits=0, special=None, min_len=pin_length) logger.debug("Saving user PIN to %s", paths.DNSSEC_SOFTHSM_PIN) named_fd = open(paths.DNSSEC_SOFTHSM_PIN, 'w') named_fd.seek(0) named_fd.truncate(0) named_fd.write(pin) named_fd.close() os.chmod(paths.DNSSEC_SOFTHSM_PIN, 0o770) # chown to ods:named os.chown(paths.DNSSEC_SOFTHSM_PIN, self.ods_uid, self.named_gid) logger.debug("Saving SO PIN to %s", paths.DNSSEC_SOFTHSM_PIN_SO) named_fd = open(paths.DNSSEC_SOFTHSM_PIN_SO, 'w') named_fd.seek(0) named_fd.truncate(0) named_fd.write(pin_so) named_fd.close() # owner must be root os.chmod(paths.DNSSEC_SOFTHSM_PIN_SO, 0o400) # initialize SoftHSM command = [ paths.SOFTHSM2_UTIL, '--init-token', '--free', # use random free slot '--label', SOFTHSM_DNSSEC_TOKEN_LABEL, '--pin', pin, '--so-pin', pin_so, ] logger.debug("Initializing tokens") os.environ["SOFTHSM2_CONF"] = paths.DNSSEC_SOFTHSM2_CONF ipautil.run(command, nolog=( pin, pin_so, ))
def configure_httpd_protocol(self): # use default crypto policy for SSLProtocol directivesetter.set_directive(paths.HTTPD_SSL_CONF, 'SSLProtocol', None, False)
def uninstall(self): if not self.is_configured(): return self.print_msg("Unconfiguring %s" % self.service_name) running = self.restore_state("running") enabled = self.restore_state("enabled") # stop DNSSEC services before backing up kasp.db try: self.stop() except Exception: pass ods_exporter = services.service('ipa-ods-exporter', api) try: ods_exporter.stop() except Exception: pass # remove directive from ipa-dnskeysyncd, this server is not DNSSEC # master anymore directivesetter.set_directive(paths.SYSCONFIG_IPA_DNSKEYSYNCD, 'ISMASTER', None, quotes=False, separator='=') restore_list = [paths.OPENDNSSEC_CONF_FILE, paths.OPENDNSSEC_KASP_FILE, paths.SYSCONFIG_ODS, paths.OPENDNSSEC_ZONELIST_FILE] if os.path.isfile(paths.OPENDNSSEC_KASP_DB): # force to export data cmd = [paths.IPA_ODS_EXPORTER, 'ipa-full-update'] try: self.print_msg("Exporting DNSSEC data before uninstallation") ipautil.run(cmd, runas=constants.ODS_USER) except CalledProcessError: logger.error("DNSSEC data export failed") try: shutil.copy(paths.OPENDNSSEC_KASP_DB, paths.IPA_KASP_DB_BACKUP) except IOError as e: logger.error( "Unable to backup OpenDNSSEC database %s, " "restore will be skipped: %s", paths.OPENDNSSEC_KASP_DB, e) else: logger.info("OpenDNSSEC database backed up in %s", paths.IPA_KASP_DB_BACKUP) # restore OpenDNSSEC's KASP DB only if backup succeeded # removing the file without backup could totally break DNSSEC restore_list.append(paths.OPENDNSSEC_KASP_DB) for f in restore_list: try: self.fstore.restore_file(f) except ValueError as error: logger.debug("%s", error) self.restore_state("kasp_db_configured") # just eat state # disabled by default, by ldap_enable() if enabled: self.enable() if running: self.restart()
def __setup_softhsm(self): assert self.ods_uid is not None assert self.named_gid is not None token_dir_exists = os.path.exists(paths.DNSSEC_TOKENS_DIR) # create dnssec directory if not os.path.exists(paths.IPA_DNSSEC_DIR): logger.debug("Creating %s directory", paths.IPA_DNSSEC_DIR) os.mkdir(paths.IPA_DNSSEC_DIR) os.chmod(paths.IPA_DNSSEC_DIR, 0o770) # chown ods:named os.chown(paths.IPA_DNSSEC_DIR, self.ods_uid, self.named_gid) # setup softhsm2 config file softhsm_conf_txt = ("# SoftHSM v2 configuration file \n" "# File generated by IPA instalation\n" "directories.tokendir = %(tokens_dir)s\n" "objectstore.backend = file") % { 'tokens_dir': paths.DNSSEC_TOKENS_DIR } logger.debug("Creating new softhsm config file") named_fd = open(paths.DNSSEC_SOFTHSM2_CONF, 'w') named_fd.seek(0) named_fd.truncate(0) named_fd.write(softhsm_conf_txt) named_fd.close() os.chmod(paths.DNSSEC_SOFTHSM2_CONF, 0o644) # setting up named to use softhsm2 if not self.fstore.has_file(paths.SYSCONFIG_NAMED): self.fstore.backup_file(paths.SYSCONFIG_NAMED) # setting up named and ipa-dnskeysyncd to use our softhsm2 config for sysconfig in [paths.SYSCONFIG_NAMED, paths.SYSCONFIG_IPA_DNSKEYSYNCD]: directivesetter.set_directive(sysconfig, 'SOFTHSM2_CONF', paths.DNSSEC_SOFTHSM2_CONF, quotes=False, separator='=') if (token_dir_exists and os.path.exists(paths.DNSSEC_SOFTHSM_PIN) and os.path.exists(paths.DNSSEC_SOFTHSM_PIN_SO)): # there is initialized softhsm return # remove old tokens if token_dir_exists: logger.debug('Removing old tokens directory %s', paths.DNSSEC_TOKENS_DIR) shutil.rmtree(paths.DNSSEC_TOKENS_DIR) # create tokens subdirectory logger.debug('Creating tokens %s directory', paths.DNSSEC_TOKENS_DIR) # sticky bit is required by daemon os.mkdir(paths.DNSSEC_TOKENS_DIR) os.chmod(paths.DNSSEC_TOKENS_DIR, 0o770 | stat.S_ISGID) # chown to ods:named os.chown(paths.DNSSEC_TOKENS_DIR, self.ods_uid, self.named_gid) # generate PINs for softhsm pin_length = 30 # Bind allows max 32 bytes including ending '\0' pin = ipautil.ipa_generate_password( entropy_bits=0, special=None, min_len=pin_length) pin_so = ipautil.ipa_generate_password( entropy_bits=0, special=None, min_len=pin_length) logger.debug("Saving user PIN to %s", paths.DNSSEC_SOFTHSM_PIN) named_fd = open(paths.DNSSEC_SOFTHSM_PIN, 'w') named_fd.seek(0) named_fd.truncate(0) named_fd.write(pin) named_fd.close() os.chmod(paths.DNSSEC_SOFTHSM_PIN, 0o770) # chown to ods:named os.chown(paths.DNSSEC_SOFTHSM_PIN, self.ods_uid, self.named_gid) logger.debug("Saving SO PIN to %s", paths.DNSSEC_SOFTHSM_PIN_SO) named_fd = open(paths.DNSSEC_SOFTHSM_PIN_SO, 'w') named_fd.seek(0) named_fd.truncate(0) named_fd.write(pin_so) named_fd.close() # owner must be root os.chmod(paths.DNSSEC_SOFTHSM_PIN_SO, 0o400) # initialize SoftHSM command = [ paths.SOFTHSM2_UTIL, '--init-token', '--free', # use random free slot '--label', SOFTHSM_DNSSEC_TOKEN_LABEL, '--pin', pin, '--so-pin', pin_so, ] logger.debug("Initializing tokens") os.environ["SOFTHSM2_CONF"] = paths.DNSSEC_SOFTHSM2_CONF ipautil.run(command, nolog=(pin, pin_so,))
def enable_client_auth_to_db(self): """ Enable client auth connection to the internal db. """ sub_system_nickname = "subsystemCert cert-pki-ca" if self.token_name != "internal": # TODO: Dogtag 10.6.9 does not like "internal" prefix. sub_system_nickname = '{}:{}'.format( self.token_name, sub_system_nickname ) with stopped_service('pki-tomcatd', 'pki-tomcat'): directivesetter.set_directive( self.config, 'authz.instance.DirAclAuthz.ldap.ldapauth.authtype', 'SslClientAuth', quotes=False, separator='=') directivesetter.set_directive( self.config, 'authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname', sub_system_nickname, quotes=False, separator='=') directivesetter.set_directive( self.config, 'authz.instance.DirAclAuthz.ldap.ldapconn.port', '636', quotes=False, separator='=') directivesetter.set_directive( self.config, 'authz.instance.DirAclAuthz.ldap.ldapconn.secureConn', 'true', quotes=False, separator='=') directivesetter.set_directive( self.config, 'internaldb.ldapauth.authtype', 'SslClientAuth', quotes=False, separator='=') directivesetter.set_directive( self.config, 'internaldb.ldapauth.clientCertNickname', sub_system_nickname, quotes=False, separator='=') directivesetter.set_directive( self.config, 'internaldb.ldapconn.port', '636', quotes=False, separator='=') directivesetter.set_directive( self.config, 'internaldb.ldapconn.secureConn', 'true', quotes=False, separator='=') # Remove internaldb password as is not needed anymore directivesetter.set_directive(paths.PKI_TOMCAT_PASSWORD_CONF, 'internaldb', None, separator='=')
def configure_httpd_protocol(self): # On Fedora 31 and earlier DEFAULT crypto-policy has TLS 1.0 and 1.1 # enabled. directivesetter.set_directive(paths.HTTPD_SSL_CONF, 'SSLProtocol', "all -SSLv3 -TLSv1 -TLSv1.1", False)
def __setup_dnskeysyncd(self): # set up dnskeysyncd this is DNSSEC master directivesetter.set_directive(paths.SYSCONFIG_IPA_DNSKEYSYNCD, 'ISMASTER', '1', quotes=False, separator='=')
def __setup_key_exporter(self): directivesetter.set_directive(paths.SYSCONFIG_IPA_ODS_EXPORTER, 'SOFTHSM2_CONF', paths.DNSSEC_SOFTHSM2_CONF, quotes=False, separator='=')
def enable_client_auth_to_db(self): """ Enable client auth connection to the internal db. """ with stopped_service('pki-tomcatd', 'pki-tomcat'): directivesetter.set_directive( self.config, 'authz.instance.DirAclAuthz.ldap.ldapauth.authtype', 'SslClientAuth', quotes=False, separator='=') directivesetter.set_directive( self.config, 'authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname', 'subsystemCert cert-pki-ca', quotes=False, separator='=') directivesetter.set_directive( self.config, 'authz.instance.DirAclAuthz.ldap.ldapconn.port', '636', quotes=False, separator='=') directivesetter.set_directive( self.config, 'authz.instance.DirAclAuthz.ldap.ldapconn.secureConn', 'true', quotes=False, separator='=') directivesetter.set_directive( self.config, 'internaldb.ldapauth.authtype', 'SslClientAuth', quotes=False, separator='=') directivesetter.set_directive( self.config, 'internaldb.ldapauth.clientCertNickname', 'subsystemCert cert-pki-ca', quotes=False, separator='=') directivesetter.set_directive( self.config, 'internaldb.ldapconn.port', '636', quotes=False, separator='=') directivesetter.set_directive( self.config, 'internaldb.ldapconn.secureConn', 'true', quotes=False, separator='=') # Remove internaldb password as is not needed anymore directivesetter.set_directive(paths.PKI_TOMCAT_PASSWORD_CONF, 'internaldb', None, separator='=')