def add_new_profile(self, ansible_module, profile_id, profile_xml, user_nick=None):
''' Add a new profile xml as user_nick
:param str profile_id: Profile Name
:param str profile_xml: Path of the profile xml to be added
:param str user_nick: Certificate Nick to be used to submit the request, if none, CA Admin
cert will be used to submit the request
:Returns None
:Raises PkiLibException if profile could not be added
'''
if user_nick is None:
user_nick = self.nick
destination_profile_path = "%s/new-%s.xml" % ('/tmp', profile_id)
try:
file_contents = None
with open(profile_xml) as infile:
file_contents = infile.read()
ansible_module.copy(content=file_contents, dest=destination_profile_path)
except IOError as err:
raise PkiLibException("Unable to copy file")
try:
create_profile = ansible_module.pki(
cli="ca-profile-add",
nssdb=self.nssdb,
dbpassword=self.db_pass,
port=self.port,
certnick=self.nick,
extra_args=destination_profile_path
)
except CalledProcessError as err:
raise PkiLibException('Unable to add profile :%s' % (profile_xml), err.returncode)
else:
print("Successfully added profile %s" % (profile_xml))
return True
def add_new_profile(self,
ansible_module,
profile_id,
profile_xml,
user_nick=None):
''' Add a new profile xml as user_nick
:param str profile_id: Profile Name
:param str profile_xml: Path of the profile xml to be added
:param str user_nick: Certificate Nick to be used to submit the request, if none, CA Admin
cert will be used to submit the request
:Returns None
:Raises PkiLibException if profile could not be added
'''
if user_nick is None:
user_nick = self.nick
destination_profile_path = "/tmp/new-{}.xml".format(profile_id)
try:
file_contents = None
with open(profile_xml) as infile:
file_contents = infile.read()
ansible_module.copy(content=file_contents,
dest=destination_profile_path)
except IOError as err:
raise PkiLibException("Unable to copy file")
try:
return profileop.add_profile(ansible_module,
profile_name=profile_id,
profile_path=destination_profile_path)
except CalledProcessError as err:
raise PkiLibException('Unable to add profile :%s' % (profile_xml),
err.returncode)
def add_user_cert(self, ansible_module, user_nick, subsystem, userid, cert_serial_number, ca_http_port=None):
''' Add certificate to the subsystem user
:param str subsystem: Subsystem to which user should be added
:param str user_nick: Nickname of the user using which role user should be added
if None, it uses Admin cert
:param str userid: User id to be added
:param str cert_serial_number: serial Number of the cert
:Returns list Returncode, output_text
:Raises PkiLibException
'''
if user_nick is None:
user_nick = constants.CA_ADMIN_NICK,
if subsystem is not 'ca':
if ca_http_port is None:
ca_http_port = constants.CA_HTTP_PORT
[msg, output_file] = self.cert_show(ansible_module, cert_serial_number, ca_http_port)
try:
add_user_cert = ansible_module.pki(
cli="{} user-cert-add {} --input {}".format(subsystem, userid, output_file),
nssdb=self.nssdb,
dbpassword=self.db_pass,
hostname=self.host,
port=self.port,
certnick="'{}'".format(user_nick),
)
except CalledProcessError as err:
raise PkiLibException('Unable to add certificate to subsystem user %s'
% (userid), err.returncode)
else:
result = None
for result in add_user_cert.values():
pass
return [result['rc'], result['stdout']]
else:
try:
user_cert_add_output = ansible_module.pki(
cli="{} user-cert-add {} --serial {}".format(subsystem, userid, cert_serial_number),
nssdb=self.nssdb,
dbpassword=self.db_pass,
hostname=self.host,
port=constants.CA_HTTP_PORT,
certnick="'{}'".format(user_nick),
)
except CalledProcessError as err:
raise PkiLibException('Unable to add certificate to subsystem user %s'
% (userid), err.returncode)
else:
result = None
for result in user_cert_add_output.values():
pass
return [result['rc'], result['stdout']]
def cert_show(self, ansible_module, cert_serial_no, ca_http_port=None):
''' Run cert show on cert serial number
:param str cert_serial_no: Certficiate Serial Number
:Returns None
:Raises PkiLibException if profile could not be enabled
'''
if ca_http_port is None:
ca_http_port = constants.CA_HTTP_PORT
output_file = "%s/%s.pem" % (constants.NSSDB, cert_serial_no)
try:
cert_show = ansible_module.pki(
cli="cert-show",
nssdb=self.nssdb,
dbpassword=self.db_pass,
hostname=self.host,
port=self.port,
certnick="'{}'".format(constants.CA_ADMIN_NICK),
extra_args="{} --pretty --output {}".format(cert_serial_no, output_file)
)
except CalledProcessError as err:
raise PkiLibException('Unable run cert-show on serial number :%s' % (cert_serial_no),
err.returncode)
else:
output_text = None
for result in cert_show.values():
output_text = result['stdout']
return (output_text, output_file)
def import_cert_to_certdb(self, ansible_module, cert_serial_number, nickname):
''' Import certificate to certdb
:param str cert_serial_number: serial Number of the cert
:param str nickname: nickname to be used to import the cert to certdb
:Returns None
:Raises PkiLibException if importing the cert fails
'''
try:
import_to_certdb = ansible_module.pki(cli="client-cert-import",
nssdb=self.nssdb,
dbpassword=self.db_pass,
hostname=constants.MASTER_HOSTNAME,
port=constants.CA_HTTP_PORT,
certnick=nickname,
extra_args="--serial {}".format(cert_serial_number))
except CalledProcessError as err:
raise PkiLibException('Unable to import cert %s to certdb %s' % (
cert_serial_number, constants.NSSDB), err.returncode)
else:
log.info("Successfully added cert %s to certdb %s with nick %s" % (
cert_serial_number, constants.NSSDB, nickname))
result = None
for result in import_to_certdb.values():
pass
return [result['rc'], result['stdout']]
def create_role_user(self, ansible_module, subsystem, userid, groupid):
''' create role user for specific subsystem
:param str user_nick: Nickname of the user using which role user should be added
if None, it uses Admin cert
:param str subsystem: Subsystem to which user should be added
:param str userid: User id to be added
:param str groupid: Group to which the userid should be member of
:Returns None
:raises PkiLibException if adding the user or making the user member of
of the group fails
'''
added = userop.add_user(ansible_module, 'add', userid=userid, user_name=userid, subsystem=subsystem)
if added:
log.info("Added user {}".format(userid))
else:
log.error("Failed to add user {}".format(userid))
try:
ansible_module.pki(cli="{}-group-member-add".format(subsystem),
nssdb=self.nssdb,
dbpassword=self.db_pass,
port=self.port,
certnick=self.nick,
extra_args="'{}' {}".format(groupid, userid))
except CalledProcessError as err:
raise PkiLibException('Unable to add %s to role %s' % (userid, groupid), err.returncode)
else:
log.info("Successfully added user %s to role %s" % (userid, groupid))
return True
def revoke_cert(self, ansible_module, user_nick, cert_serial_number, reason, ca_http_port=None):
''' Revoke Certificate with with given reason
:param str user_nick: Nickname of the user using which role user should be added
if None, it uses Admin cert
:param str cert_serial_number: serial Number of the cert
:param str reason: Revocation reason
:param str ca_http_port: CA Subsystem HTTP Port
:Raise PKiLibException
:Returns stdout_text, returncode
'''
if user_nick is None:
user_nick = constants.CA_ADMIN_NICK
if ca_http_port is None:
ca_http_port = constants.CA_HTTP_PORT
try:
revoke_cert = ansible_module.pki(
cli="cert-revoke",
nssdb=self.nssdb,
dbpassword=self.db_pass,
hostname=self.host,
port=constants.CA_HTTP_PORT,
certnick="'{}'".format(user_nick),
extra_args="{} --force --reason {}".format(cert_serial_number, reason)
)
except CalledProcessError as err:
raise PkiLibException('Unable to revoke cert', err.returncode)
else:
output = None
for output in revoke_cert.values():
pass
print("Successfully revoked cert %s with reason %s" % (cert_serial_number, reason))
return (output['stdout'], output['rc'])
def create_role_user(self, ansible_module, user_nick, subsystem, userid,
groupid):
''' create role user for specific subsystem
:param str user_nick: Nickname of the user using which role user should be added
if None, it uses Admin cert
:param str subsystem: Subsystem to which user should be added
:param str userid: User id to be added
:param str groupid: Group to which the userid should be member of
:Returns None
:raises PkiLibException if adding the user or making the user member of
of the group fails
'''
if user_nick is None:
user_nick = self.nick,
try:
user_add = ansible_module.pki(
cli="{} user-add {} --fullName {}".format(
subsystem, userid, userid),
nssdb=self.nssdb,
dbpassword=self.db_pass,
port=self.port,
certnick="'{}'".format(user_nick))
except CalledProcessError as err:
raise PkiLibException('Unable to create user cert', err.returncode)
else:
print("Successfully created user %s" % (userid))
try:
group_member_add = ansible_module.pki(
cli="{} group-member-add".format(subsystem),
nssdb=self.nssdb,
dbpassword=self.db_pass,
port=self.port,
certnick=self.nick,
extra_args="'{}' {}".format(groupid, userid))
except CalledProcessError as err:
raise PkiLibException(
'Unable to add %s to role %s' % (userid, groupid),
err.returncode)
else:
print("Successfully added user %s to role %s" % (userid, groupid))
return True
def enable_profile(self, ansible_module, profile_id, user_nick=None):
''' Enable a profile as user_nick
:param str profile_id: Profile Name
:param str user_nick: Certificate Nick to be used to submit the request, if none, CA Admin
cert will be used to submit the request
:Returns None
:Raises PkiLibException if profile could not be enabled
'''
if user_nick is None:
user_nick = self.nick
try:
enable_profile = ansible_module.pki(cli="ca-profile-enable",
nssdb=self.nssdb,
dbpassword=self.db_pass,
port=self.port,
certnick=self.nick,
extra_args=profile_id)
except CalledProcessError as err:
raise PkiLibException(
'Unable to enable profile :%s' % (profile_id), err.returncode)
else:
print("Successfully enabled profile %s " % (profile_id))
return True
def create_user_cert(self, ansible_module, cert_subject, profile=None, ca_http_port=None, ca_agent_nick=None,
ca_hostname=None):
''' Create certificate to the subsystem user and add certificate to certdb
:param str cert_subject: Subject to be used to create certificate reqeust
:returns None
:raises PkiLibException if create of certificate request or approving fails
'''
if ca_agent_nick is not None and '\'' not in ca_agent_nick:
ca_agent_nick = "'{}'".format(ca_agent_nick)
if profile is None:
profile = 'caUserCert'
if ca_http_port is None:
ca_http_port = constants.CA_HTTP_PORT
if ca_agent_nick is None:
ca_agent_nick = self.nick
if ca_hostname is None:
ca_hostname = self.host
try:
create_user_cert = ansible_module.pki(
cli="client-cert-request",
nssdb=self.nssdb,
dbpassword=self.db_pass,
hostname=self.host,
port=constants.CA_HTTP_PORT,
certnick=self.nick,
extra_args="{} --profile {}".format(cert_subject, profile)
)
except CalledProcessError as err:
raise PkiLibException('Unable to create cert with subject %s' % (cert_subject),
err.returncode)
else:
try:
output = None
for result in create_user_cert.values():
output = result['stdout']
request_id = re.search('Request ID: [\w]*', output)
r_id = request_id.group().split(':')[1].strip()
except:
raise PkiLibException("Failed to grep Request ID for user cert %s" % cert_subject)
try:
cert_request_review = ansible_module.pki(
cli="cert-request-review",
nssdb=self.nssdb,
dbpassword=self.db_pass,
hostname=self.host,
port=constants.CA_HTTP_PORT,
certnick="'{}'".format(constants.CA_ADMIN_NICK),
extra_args="{} --action approve".format(r_id)
)
except CalledProcessError as err:
raise PkiLibException('Unable to approve certificate request %s' % (r_id),
err.returncode)
else:
try:
output = None
for result in cert_request_review.values():
output = result['stdout']
cert_id = re.search('Certificate ID: [\w]*', output)
c_id = cert_id.group().split(':')[1].strip()
return c_id
except:
raise PkiLibException("Failed to grep Certificate ID for user cert %s" % r_id)