Hi team,

The attached patch fixes
https://fedorahosted.org/freeipa/ticket/6257.

The behaviour of cert-request when the CA is disabled is not very
nice (it reports a server error from Dogtag).  The Dogtag REST
interface gives much better errors so I plan to move to it in a
later change (which will also address
https://fedorahosted.org/freeipa/ticket/3473, in part).

Thanks,
Fraser
From 1d99777c2145d33278d2b1d8a4e8a2d1341c8e4d Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Thu, 25 Aug 2016 17:00:01 +1000
Subject: [PATCH] Add ca-disable and ca-enable commands

We soon plan to revoke certificates upon lightweight CA deletion.
This makes it important to provide a way to prevent a CA from
issuing certificates whilst not deleting and revoking it, and
continuing to allow management of issued certs.

This commit adds the ca-disable and ca-enable commands.

Fixes: https://fedorahosted.org/freeipa/ticket/6257
---
 API.txt                     | 16 ++++++++++++
 VERSION                     |  4 +--
 ipaserver/plugins/ca.py     | 62 +++++++++++++++++++++++++++++++++++++++++++--
 ipaserver/plugins/dogtag.py |  6 +++++
 4 files changed, 84 insertions(+), 4 deletions(-)

diff --git a/API.txt b/API.txt
index 
5b83bfbd0b457b77e0522ab7d83abfae4df3ebe9..27b64ee143fa4f5f55c1b8a32446f004a8e3bb22
 100644
--- a/API.txt
+++ b/API.txt
@@ -465,6 +465,20 @@ option: Str('version?')
 output: Output('result', type=[<type 'dict'>])
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: ListOfPrimaryKeys('value')
+command: ca_disable/1
+args: 1,1,3
+arg: Str('cn', cli_name='name')
+option: Str('version?')
+output: Output('result', type=[<type 'bool'>])
+output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
+output: PrimaryKey('value')
+command: ca_enable/1
+args: 1,1,3
+arg: Str('cn', cli_name='name')
+option: Str('version?')
+output: Output('result', type=[<type 'bool'>])
+output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
+output: PrimaryKey('value')
 command: ca_find/1
 args: 1,11,4
 arg: Str('criteria?')
@@ -6249,6 +6263,8 @@ default: batch/1
 default: ca/1
 default: ca_add/1
 default: ca_del/1
+default: ca_disable/1
+default: ca_enable/1
 default: ca_find/1
 default: ca_is_enabled/1
 default: ca_mod/1
diff --git a/VERSION b/VERSION
index 
a8b89ed305bcfdf2990a7400d005a68d734fa7e8..8cc8b11c7c3e985ab53279b27a4701021e4271ba
 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
 #                                                      #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=212
-# Last change: ab: service: add flag to allow S4U2Self
+IPA_API_VERSION_MINOR=213
+# Last change: ftweedal: add ca-disable and ca-enable commands
diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py
index 
966ae2b1bdb4bb0207dfa58f0e9c951bc930f766..93c48722720e8509c2d096d66f9f2bd1c5c631d8
 100644
--- a/ipaserver/plugins/ca.py
+++ b/ipaserver/plugins/ca.py
@@ -2,12 +2,12 @@
 # Copyright (C) 2016  FreeIPA Contributors see COPYING for license
 #
 
-from ipalib import api, errors, DNParam, Str
+from ipalib import api, errors, output, DNParam, Str
 from ipalib.constants import IPA_CA_CN
 from ipalib.plugable import Registry
 from ipaserver.plugins.baseldap import (
     LDAPObject, LDAPSearch, LDAPCreate, LDAPDelete,
-    LDAPUpdate, LDAPRetrieve)
+    LDAPUpdate, LDAPRetrieve, LDAPQuery, pkey_to_value)
 from ipaserver.plugins.cert import ca_enabled_check
 from ipalib import _, ngettext
 
@@ -18,6 +18,14 @@ Manage Certificate Authorities
 Subordinate Certificate Authorities (Sub-CAs) can be added for scoped issuance
 of X.509 certificates.
 
+CAs are enabled on creation, but their use is subject to CA ACLs unless the
+operator has permission to bypass CA ACLs.
+
+All CAs except the 'IPA' CA can be disabled or re-enabled.  Disabling a CA
+prevents it from issuing certificates but does not affect the validity of its
+certificate.
+
+
 EXAMPLES:
 
   Create new CA, subordinate to the IPA CA.
@@ -25,6 +33,10 @@ EXAMPLES:
     ipa ca-add puppet --desc "Puppet" \\
         --subject "CN=Puppet CA,O=EXAMPLE.COM"
 
+  Disable a CA.
+
+    ipa ca-disable puppet
+
 """)
 
 
@@ -222,3 +234,49 @@ class ca_mod(LDAPUpdate):
                     reason=u'IPA CA cannot be renamed')
 
         return dn
+
+
+@register()
+class ca_disable(LDAPQuery):
+    __doc__ = _('Disable a CA.')
+
+    msg_summary = _('Disabled CA "%(value)s"')
+    has_output = output.standard_value
+
+    def execute(self, cn, **options):
+        ca_enabled_check()
+
+        if cn == IPA_CA_CN:
+            raise errors.ProtectedEntryError(
+                label=_("CA"),
+                key=cn,
+                reason=_("IPA CA cannot be disabled"))
+
+        ca_id = self.api.Command.ca_show(cn)['result']['ipacaid'][0]
+        with self.api.Backend.ra_lightweight_ca as ca_api:
+            ca_api.disable_ca(ca_id)
+
+        return dict(
+            result=True,
+            value=pkey_to_value(cn, options),
+        )
+
+
+@register()
+class ca_enable(LDAPQuery):
+    __doc__ = _('Enable a CA.')
+
+    msg_summary = _('Enabled CA "%(value)s"')
+    has_output = output.standard_value
+
+    def execute(self, cn, **options):
+        ca_enabled_check()
+
+        ca_id = self.api.Command.ca_show(cn)['result']['ipacaid'][0]
+        with self.api.Backend.ra_lightweight_ca as ca_api:
+            ca_api.enable_ca(ca_id)
+
+        return dict(
+            result=True,
+            value=pkey_to_value(cn, options),
+        )
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index 
aef1e888eb1b6c273c1fd12cbf4912407f8f8132..01e5f1383ee135696a8e968793863ce964025094
 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -2211,5 +2211,11 @@ class ra_lightweight_ca(RestClient):
             headers={'Accept': 'application/json'},
         )
 
+    def enable_ca(self, ca_id):
+        self._ssldo(
+            'POST', ca_id + '/enable',
+            headers={'Accept': 'application/json'},
+        )
+
     def delete_ca(self, ca_id):
         self._ssldo('DELETE', ca_id)
-- 
2.5.5

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to