Hi team, The attached patch fixes https://fedorahosted.org/freeipa/ticket/6257.
The behaviour of cert-request when the CA is disabled is not very nice (it reports a server error from Dogtag). The Dogtag REST interface gives much better errors so I plan to move to it in a later change (which will also address https://fedorahosted.org/freeipa/ticket/3473, in part). Thanks, Fraser
From 1d99777c2145d33278d2b1d8a4e8a2d1341c8e4d Mon Sep 17 00:00:00 2001 From: Fraser Tweedale <ftwee...@redhat.com> Date: Thu, 25 Aug 2016 17:00:01 +1000 Subject: [PATCH] Add ca-disable and ca-enable commands We soon plan to revoke certificates upon lightweight CA deletion. This makes it important to provide a way to prevent a CA from issuing certificates whilst not deleting and revoking it, and continuing to allow management of issued certs. This commit adds the ca-disable and ca-enable commands. Fixes: https://fedorahosted.org/freeipa/ticket/6257 --- API.txt | 16 ++++++++++++ VERSION | 4 +-- ipaserver/plugins/ca.py | 62 +++++++++++++++++++++++++++++++++++++++++++-- ipaserver/plugins/dogtag.py | 6 +++++ 4 files changed, 84 insertions(+), 4 deletions(-) diff --git a/API.txt b/API.txt index 5b83bfbd0b457b77e0522ab7d83abfae4df3ebe9..27b64ee143fa4f5f55c1b8a32446f004a8e3bb22 100644 --- a/API.txt +++ b/API.txt @@ -465,6 +465,20 @@ option: Str('version?') output: Output('result', type=[<type 'dict'>]) output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>]) output: ListOfPrimaryKeys('value') +command: ca_disable/1 +args: 1,1,3 +arg: Str('cn', cli_name='name') +option: Str('version?') +output: Output('result', type=[<type 'bool'>]) +output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>]) +output: PrimaryKey('value') +command: ca_enable/1 +args: 1,1,3 +arg: Str('cn', cli_name='name') +option: Str('version?') +output: Output('result', type=[<type 'bool'>]) +output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>]) +output: PrimaryKey('value') command: ca_find/1 args: 1,11,4 arg: Str('criteria?') @@ -6249,6 +6263,8 @@ default: batch/1 default: ca/1 default: ca_add/1 default: ca_del/1 +default: ca_disable/1 +default: ca_enable/1 default: ca_find/1 default: ca_is_enabled/1 default: ca_mod/1 diff --git a/VERSION b/VERSION index a8b89ed305bcfdf2990a7400d005a68d734fa7e8..8cc8b11c7c3e985ab53279b27a4701021e4271ba 100644 --- a/VERSION 
+++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=212 -# Last change: ab: service: add flag to allow S4U2Self +IPA_API_VERSION_MINOR=213 +# Last change: ftweedal: add ca-disable and ca-enable commands diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py index 966ae2b1bdb4bb0207dfa58f0e9c951bc930f766..93c48722720e8509c2d096d66f9f2bd1c5c631d8 100644 --- a/ipaserver/plugins/ca.py +++ b/ipaserver/plugins/ca.py @@ -2,12 +2,12 @@ # Copyright (C) 2016 FreeIPA Contributors see COPYING for license # -from ipalib import api, errors, DNParam, Str +from ipalib import api, errors, output, DNParam, Str from ipalib.constants import IPA_CA_CN from ipalib.plugable import Registry from ipaserver.plugins.baseldap import ( LDAPObject, LDAPSearch, LDAPCreate, LDAPDelete, - LDAPUpdate, LDAPRetrieve) + LDAPUpdate, LDAPRetrieve, LDAPQuery, pkey_to_value) from ipaserver.plugins.cert import ca_enabled_check from ipalib import _, ngettext @@ -18,6 +18,14 @@ Manage Certificate Authorities Subordinate Certificate Authorities (Sub-CAs) can be added for scoped issuance of X.509 certificates. +CAs are enabled on creation, but their use is subject to CA ACLs unless the +operator has permission to bypass CA ACLs. + +All CAs except the 'IPA' CA can be disabled or re-enabled. Disabling a CA +prevents it from issuing certificates but does not affect the validity of its +certificate. + + EXAMPLES: Create new CA, subordinate to the IPA CA. @@ -25,6 +33,10 @@ EXAMPLES: ipa ca-add puppet --desc "Puppet" \\ --subject "CN=Puppet CA,O=EXAMPLE.COM" + Disable a CA. + + ipa ca-disable puppet + """) 
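Review bot: The new module-docstring paragraph in the second ca.py hunk says disabling a CA "does not affect the validity of its certificate" but is silent about certificates the CA has already issued, which the commit description says remain manageable and are not revoked; an operator reading the plugin help will want that stated. Suggested wording for that line: `prevents it from issuing new certificates but does not revoke certificates it has already issued, nor affect the validity of its own certificate.` The hunk only touches the docstring; the surrounding module text continues outside it.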
@@ -222,3 +234,49 @@ class ca_mod(LDAPUpdate): reason=u'IPA CA cannot be renamed') return dn + + +@register() +class ca_disable(LDAPQuery): + __doc__ = _('Disable a CA.') + + msg_summary = _('Disabled CA "%(value)s"') + has_output = output.standard_value + + def execute(self, cn, **options): + ca_enabled_check() + + if cn == IPA_CA_CN: + raise errors.ProtectedEntryError( + label=_("CA"), + key=cn, + reason=_("IPA CA cannot be disabled")) + + ca_id = self.api.Command.ca_show(cn)['result']['ipacaid'][0] + with self.api.Backend.ra_lightweight_ca as ca_api: + ca_api.disable_ca(ca_id) + + return dict( + result=True, + value=pkey_to_value(cn, options), + ) + + +@register() +class ca_enable(LDAPQuery): + __doc__ = _('Enable a CA.') + + msg_summary = _('Enabled CA "%(value)s"') + has_output = output.standard_value + + def execute(self, cn, **options): + ca_enabled_check() + + ca_id = self.api.Command.ca_show(cn)['result']['ipacaid'][0] + with self.api.Backend.ra_lightweight_ca as ca_api: + ca_api.enable_ca(ca_id) + + return dict( + result=True, + value=pkey_to_value(cn, options), + ) diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index aef1e888eb1b6c273c1fd12cbf4912407f8f8132..01e5f1383ee135696a8e968793863ce964025094 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -2211,5 +2211,11 @@ class ra_lightweight_ca(RestClient): headers={'Accept': 'application/json'}, ) + def enable_ca(self, ca_id): + self._ssldo( + 'POST', ca_id + '/enable', + headers={'Accept': 'application/json'}, + ) + def delete_ca(self, ca_id): self._ssldo('DELETE', ca_id) -- 2.5.5
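Review bot: Neither ca_disable.execute nor ca_enable.execute checks that the caller is authorised to change the CA's state: the only gates visible in the hunk are ca_enabled_check() and the ca_show lookup, which is a read, so any principal able to read the CA entry could drive the privileged disable/enable call that the server's RA credential makes to Dogtag, unless LDAPQuery or the framework enforces a permission somewhere not shown here. A write check on the CA entry before the backend call would close that, e.g. `if not self.api.Backend.ldap2.can_write(self.obj.get_dn(cn), 'ipacaid'): raise errors.ACIError(info=_("Insufficient privilege to change CA state"))`, with the attribute chosen to match whichever permission is meant to govern enable/disable. The `ca_id = self.api.Command.ca_show(cn)['result']['ipacaid'][0]` line is duplicated in both classes and would read better as a small helper on the ca object. ca_enable has no IPA_CA_CN guard where ca_disable does; that looks deliberate since the IPA CA can never be disabled, but a one-line comment saying so would stop the next reader from treating it as an omission.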
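Review bot: enable_ca in the dogtag.py hunk has no docstring, unlike the command classes it serves; suggested: `"""Enable the lightweight CA with Dogtag authority id ``ca_id`` (POST <ca_id>/enable)."""`. What the method does when Dogtag answers with an error status depends on _ssldo, which is outside the hunk, so the callers in ca.py should not assume a non-raising return means the CA is now enabled unless that is confirmed. The enclosing class ra_lightweight_ca starts outside the hunk.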