URL: https://github.com/freeipa/freeipa/pull/377
Author: HonzaCholasta
 Title: #377: dogtaginstance: track server certificate with our renew agent
Action: opened

PR body:
"""
This patchset is intended to make @simo5's life easier when changing the RA 
agent certificate location in #314.

**renew agent: handle non-replicated certificates**

In addition to replicated certificates (Dogtag certificates, RA
certificate), handle non-replicated certificates in
dogtag-ipa-ca-renew-agent as well.

**dogtaginstance: track server certificate with our renew agent**

Track Dogtag's server certificate with dogtag-ipa-ca-renew-agent instead of
dogtag-ipa-renew-agent.

**cainstance: do not configure renewal guard**

Do not configure renewal guard for dogtag-ipa-renew-agent, as it is not
used in IPA anymore.

https://fedorahosted.org/freeipa/ticket/5959
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/377/head:pr377
git checkout pr377
From 65d5593e9f8ed014d2a022c8dc25c1fca8a3d622 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Fri, 6 Jan 2017 10:45:38 +0100
Subject: [PATCH 1/3] renew agent: handle non-replicated certificates

In addition to replicated certificates (Dogtag certificates, RA
certificate), handle non-replicated certificates in
dogtag-ipa-ca-renew-agent as well.

https://fedorahosted.org/freeipa/ticket/5959
---
 .../certmonger/dogtag-ipa-ca-renew-agent-submit    | 25 ++++++++++++++--------
 1 file changed, 16 insertions(+), 9 deletions(-)

diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
index 2e137ad..cb8f93b 100755
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -108,6 +108,15 @@ def is_renewable():
         return x509.is_self_signed(cert) or is_lightweight_ca()
 
 
+def is_replicated():
+    return not get_nickname()
+
+
+def is_renewal_master():
+    ca = cainstance.CAInstance(host_name=api.env.host)
+    return ca.is_renewal_master()
+
+
 @contextlib.contextmanager
 def ldap_connect():
     conn = None
@@ -447,10 +456,8 @@ def renew_ca_cert():
     if operation == 'SUBMIT':
         state = 'retrieve'
 
-        if is_renewable():
-            ca = cainstance.CAInstance(host_name=api.env.host)
-            if ca.is_renewal_master():
-                state = 'request'
+        if is_renewable() and is_renewal_master():
+            state = 'request'
     elif operation == 'POLL':
         cookie = os.environ.get('CERTMONGER_CA_COOKIE')
         if not cookie:
@@ -506,14 +513,14 @@ def main():
     certs.renewal_lock.acquire()
     try:
         profile = os.environ.get('CERTMONGER_CA_PROFILE')
-        if profile:
-            handler = handlers.get(profile, request_and_store_cert)
-        else:
-            ca = cainstance.CAInstance(host_name=api.env.host)
-            if ca.is_renewal_master():
+        if is_replicated():
+            if profile or is_renewal_master():
                 handler = request_and_store_cert
             else:
                 handler = retrieve_cert_continuous
+        else:
+            handler = request_cert
+        handler = handlers.get(profile, handler)
 
         res = call_handler(handler)
         for item in res[1:]:

From 8e079d1e1eb88cac5cfcc421735077ee8f178dd3 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Fri, 6 Jan 2017 10:47:02 +0100
Subject: [PATCH 2/3] dogtaginstance: track server certificate with our renew
 agent

Track Dogtag's server certificate with dogtag-ipa-ca-renew-agent instead of
dogtag-ipa-renew-agent.

https://fedorahosted.org/freeipa/ticket/5959
---
 ipaserver/install/dogtaginstance.py | 2 +-
 ipaserver/install/server/upgrade.py | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index c3c470d..4c02d73 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -325,7 +325,7 @@ def track_servercert(self):
         pin = self.__get_pin()
         try:
             certmonger.dogtag_start_tracking(
-                ca='dogtag-ipa-renew-agent',
+                ca='dogtag-ipa-ca-renew-agent',
                 nickname=self.server_cert_name,
                 pin=pin,
                 pinfile=None,
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 5d8e596..10f2e3d 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -917,7 +917,7 @@ def certificate_renewal_update(ca, ds, http):
     dirsrv_dir = dsinstance.config_dirname(serverid)
 
     # bump version when requests is changed
-    version = 5
+    version = 6
     requests = (
         (
             paths.PKI_TOMCAT_ALIAS_DIR,
@@ -962,7 +962,7 @@ def certificate_renewal_update(ca, ds, http):
         (
             paths.PKI_TOMCAT_ALIAS_DIR,
             'Server-Cert cert-pki-ca',
-            'dogtag-ipa-renew-agent',
+            'dogtag-ipa-ca-renew-agent',
             template % 'stop_pkicad',
             '%s "Server-Cert cert-pki-ca"' % (template % 'renew_ca_cert'),
             None,

From 9b6d1e8af6439d297fc3307ec678c38bb83ef048 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Fri, 6 Jan 2017 10:49:41 +0100
Subject: [PATCH 3/3] cainstance: do not configure renewal guard

Do not configure renewal guard for dogtag-ipa-renew-agent, as it is not
used in IPA anymore.

https://fedorahosted.org/freeipa/ticket/5959
---
 ipaserver/install/cainstance.py     | 52 ++++++++++---------------------------
 ipaserver/install/server/upgrade.py |  2 +-
 2 files changed, 15 insertions(+), 39 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index c7e81f0..8d309a3 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -32,8 +32,6 @@
 import syslog
 import time
 import tempfile
-import shlex
-import pipes
 
 # pylint: disable=import-error
 from six.moves.configparser import ConfigParser, RawConfigParser
@@ -946,16 +944,6 @@ def uninstall(self):
         if path:
             iface.remove_known_ca(path)
 
-        helper = self.restore_state('certmonger_dogtag_helper')
-        if helper:
-            path = iface.find_ca_by_nickname('dogtag-ipa-renew-agent')
-            if path:
-                ca_obj = bus.get_object('org.fedorahosted.certmonger', path)
-                ca_iface = dbus.Interface(ca_obj,
-                                          'org.freedesktop.DBus.Properties')
-                ca_iface.Set('org.fedorahosted.certmonger.ca',
-                             'external-helper', helper)
-
         cmonger.stop()
 
         # remove CRL files
@@ -986,35 +974,23 @@ def publish_ca_cert(self, location):
         fd.close()
         os.chmod(location, 0o444)
 
-
-    def configure_certmonger_renewal(self):
-        super(CAInstance, self).configure_certmonger_renewal()
-
-        self.configure_certmonger_renewal_guard()
-
-    def configure_certmonger_renewal_guard(self):
+    def unconfigure_certmonger_renewal_guard(self):
         if not self.is_configured():
             return
 
-        bus = dbus.SystemBus()
-        obj = bus.get_object('org.fedorahosted.certmonger',
-                             '/org/fedorahosted/certmonger')
-        iface = dbus.Interface(obj, 'org.fedorahosted.certmonger')
-        path = iface.find_ca_by_nickname('dogtag-ipa-renew-agent')
-        if path:
-            ca_obj = bus.get_object('org.fedorahosted.certmonger', path)
-            ca_iface = dbus.Interface(ca_obj,
-                                      'org.freedesktop.DBus.Properties')
-            helper = ca_iface.Get('org.fedorahosted.certmonger.ca',
-                                  'external-helper')
-            if helper:
-                args = shlex.split(helper)
-                if args[0] != paths.IPA_SERVER_GUARD:
-                    self.backup_state('certmonger_dogtag_helper', helper)
-                    args = [paths.IPA_SERVER_GUARD] + args
-                    helper = ' '.join(pipes.quote(a) for a in args)
-                    ca_iface.Set('org.fedorahosted.certmonger.ca',
-                                 'external-helper', helper)
+        helper = self.restore_state('certmonger_dogtag_helper')
+        if helper:
+            bus = dbus.SystemBus()
+            obj = bus.get_object('org.fedorahosted.certmonger',
+                                 '/org/fedorahosted/certmonger')
+            iface = dbus.Interface(obj, 'org.fedorahosted.certmonger')
+            path = iface.find_ca_by_nickname('dogtag-ipa-renew-agent')
+            if path:
+                ca_obj = bus.get_object('org.fedorahosted.certmonger', path)
+                ca_iface = dbus.Interface(ca_obj,
+                                          'org.freedesktop.DBus.Properties')
+                ca_iface.Set('org.fedorahosted.certmonger.ca',
+                             'external-helper', helper)
 
     def configure_agent_renewal(self):
         try:
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 10f2e3d..068db21 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1613,7 +1613,7 @@ def upgrade_configuration():
     if ca.is_configured() and not certmonger_service.is_running():
         certmonger_service.start()
 
-    ca.configure_certmonger_renewal_guard()
+    ca.unconfigure_certmonger_renewal_guard()
 
     update_dbmodules(api.env.realm)
     uninstall_ipa_kpasswd()
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to