[Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf

2017-05-03 Thread pvomacka
   URL: https://github.com/freeipa/freeipa/pull/729
Author: pvomacka
 Title: #729: Turn on NSSOCSP check in mod_nss conf
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/729/head:pr729
git checkout pr729
From cbe2a8491beea81a80a2cb261496d1c41c9b2195 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Thu, 6 Apr 2017 16:15:47 +0200
Subject: [PATCH] Turn on NSSOCSP check in mod_nss conf

Turn on NSSOCSP directive during install/replica install/upgrade.
That check verifies, using OCSP, whether the certificate used for login
has been revoked.

Marks the server cert in httpd NSS DB as trusted peer ('P,,')
to avoid chicken and egg problem when it is needed to contact
the OCSP responder when httpd is starting.

https://pagure.io/freeipa/issue/6370
---
 freeipa.spec.in   |  4 
 install/restart_scripts/restart_httpd | 14 +-
 ipaserver/install/httpinstance.py | 30 ++
 ipaserver/install/server/upgrade.py   | 25 +
 ipaserver/setup.py|  1 +
 5 files changed, 73 insertions(+), 1 deletion(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index ee9a36b..83788bf 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -199,6 +199,7 @@ BuildRequires:  python-nose
 BuildRequires:  python-paste
 BuildRequires:  systemd-python
 BuildRequires:  python2-jinja2
+BuildRequires:  python-augeas
 
 %if 0%{?with_python3}
 # FIXME: this depedency is missing - server will not work
@@ -236,6 +237,7 @@ BuildRequires:  python3-nose
 BuildRequires:  python3-paste
 BuildRequires:  python3-systemd
 BuildRequires:  python3-jinja2
+BuildRequires:  python3-augeas
 %endif # with_python3
 %endif # with_lint
 
@@ -359,6 +361,7 @@ Requires: python-dns >= 1.15
 Requires: python-kdcproxy >= 0.3
 Requires: rpm-libs
 Requires: pki-base-python2
+Requires: python-augeas
 
 %description -n python2-ipaserver
 IPA is an integrated solution to provide centrally managed Identity (users,
@@ -388,6 +391,7 @@ Requires: python3-pyasn1
 Requires: python3-dbus
 Requires: python3-dns >= 1.15
 Requires: python3-kdcproxy >= 0.3
+Requires: python3-augeas
 Requires: rpm-libs
 Requires: pki-base-python3
 
diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd
index d168481..b661b82 100644
--- a/install/restart_scripts/restart_httpd
+++ b/install/restart_scripts/restart_httpd
@@ -21,11 +21,23 @@
 
 import syslog
 import traceback
+from ipalib import api
 from ipaplatform import services
-from ipaserver.install import certs
+from ipaplatform.paths import paths
+from ipaserver.install import certs, installutils
 
 
 def _main():
+
+api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
+api.finalize()
+
+db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR)
+nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname")
+
+# Add trust flag which set certificate trusted for SSL connections.
+db.trust_root_cert(nickname, "P,,")
+
 syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd')
 
 try:
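Review bot: `nickname` returned by `installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname")` is handed to `db.trust_root_cert` with no check, so a mod_nss config without an `NSSNickname` line presumably reaches the NSS DB with `None`; a guard before the call, `if nickname is None: raise RuntimeError('NSSNickname not found in {}'.format(paths.HTTPD_NSS_CONF))`, makes that failure explicit. The new bootstrap/CertDB lines also run before the `try:` that closes the hunk, so an error in them leaves `_main()` before the restart is logged; whether that is acceptable depends on the body of the `try`, which lies outside the hunk. The comment `# Add trust flag which set certificate trusted for SSL connections.` should state why a leaf certificate gets the peer flag, e.g. `# Mark the server cert as a trusted peer ('P,,') so NSS accepts it at httpd startup without an OCSP lookup for its own cert; re-applied on every certmonger-triggered restart.` The same hunk is repeated unchanged in the other revisions on this page (after L221, L347, L477, L607, L737 and L867).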
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 7898c53..ab688a8 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -29,6 +29,7 @@
 import locale
 
 import six
+from augeas import Augeas
 
 from ipalib.install import certmonger
 from ipaserver.install import service
@@ -153,6 +154,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None,
   self.set_mod_nss_protocol)
 self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile)
 self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate)
+self.step("enabling mod_nss OCSP", self.enable_mod_nss_ocsp)
 self.step("adding URL rewriting rules", self.__add_include)
 self.step("configuring httpd", self.__configure_http)
 self.step("setting up httpd keytab", self.request_service_keytab)
@@ -259,6 +261,31 @@ def enable_mod_nss_renegotiate(self):
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False)
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False)
 
+def enable_mod_nss_ocsp(self):
+aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD)
+
+aug.set('/augeas/load/Httpd/lens', 'Httpd.lns')
+aug.set('/augeas/load/Httpd/incl', paths.HTTPD_NSS_CONF)
+aug.load()
+
+path = '/files{}/VirtualHost'.format(paths.HTTPD_NSS_CONF)
+
+ocsp_comment = aug.get(
+'{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path))
+ocsp_dir = aug.get('{}/directive[.="NSSOCSP"]'.format(path))
+
+if ocsp_dir is None and ocsp_comment is not None:
+# Directive is missing, comment 

[Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf

2017-05-02 Thread pvomacka
   URL: https://github.com/freeipa/freeipa/pull/729
Author: pvomacka
 Title: #729: Turn on NSSOCSP check in mod_nss conf
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/729/head:pr729
git checkout pr729
From 9e8e55bb205211637539bf149eb1fa0ed13ff872 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Thu, 6 Apr 2017 16:15:47 +0200
Subject: [PATCH] Turn on NSSOCSP check in mod_nss conf

Turn on NSSOCSP directive during install/replica install/upgrade.
That check verifies, using OCSP, whether the certificate used for login
has been revoked.

Marks the server cert in httpd NSS DB as trusted peer ('P,,')
to avoid chicken and egg problem when it is needed to contact
the OCSP responder when httpd is starting.

https://pagure.io/freeipa/issue/6370
---
 freeipa.spec.in   |  2 ++
 install/restart_scripts/restart_httpd | 14 +-
 ipaserver/install/httpinstance.py | 30 ++
 ipaserver/install/server/upgrade.py   | 25 +
 4 files changed, 70 insertions(+), 1 deletion(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index ee9a36b..0b5500e 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -359,6 +359,7 @@ Requires: python-dns >= 1.15
 Requires: python-kdcproxy >= 0.3
 Requires: rpm-libs
 Requires: pki-base-python2
+Requires: python-augeas
 
 %description -n python2-ipaserver
 IPA is an integrated solution to provide centrally managed Identity (users,
@@ -388,6 +389,7 @@ Requires: python3-pyasn1
 Requires: python3-dbus
 Requires: python3-dns >= 1.15
 Requires: python3-kdcproxy >= 0.3
+Requires: python3-augeas
 Requires: rpm-libs
 Requires: pki-base-python3
 
diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd
index d168481..b661b82 100644
--- a/install/restart_scripts/restart_httpd
+++ b/install/restart_scripts/restart_httpd
@@ -21,11 +21,23 @@
 
 import syslog
 import traceback
+from ipalib import api
 from ipaplatform import services
-from ipaserver.install import certs
+from ipaplatform.paths import paths
+from ipaserver.install import certs, installutils
 
 
 def _main():
+
+api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
+api.finalize()
+
+db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR)
+nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname")
+
+# Add trust flag which set certificate trusted for SSL connections.
+db.trust_root_cert(nickname, "P,,")
+
 syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd')
 
 try:
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 7898c53..ab688a8 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -29,6 +29,7 @@
 import locale
 
 import six
+from augeas import Augeas
 
 from ipalib.install import certmonger
 from ipaserver.install import service
@@ -153,6 +154,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None,
   self.set_mod_nss_protocol)
 self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile)
 self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate)
+self.step("enabling mod_nss OCSP", self.enable_mod_nss_ocsp)
 self.step("adding URL rewriting rules", self.__add_include)
 self.step("configuring httpd", self.__configure_http)
 self.step("setting up httpd keytab", self.request_service_keytab)
@@ -259,6 +261,31 @@ def enable_mod_nss_renegotiate(self):
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False)
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False)
 
+def enable_mod_nss_ocsp(self):
+aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD)
+
+aug.set('/augeas/load/Httpd/lens', 'Httpd.lns')
+aug.set('/augeas/load/Httpd/incl', paths.HTTPD_NSS_CONF)
+aug.load()
+
+path = '/files{}/VirtualHost'.format(paths.HTTPD_NSS_CONF)
+
+ocsp_comment = aug.get(
+'{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path))
+ocsp_dir = aug.get('{}/directive[.="NSSOCSP"]'.format(path))
+
+if ocsp_dir is None and ocsp_comment is not None:
+# Directive is missing, comment is present
+aug.set('{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path),
+'NSSOCSP')
+aug.rename('{}/#comment[.="NSSOCSP"]'.format(path), 'directive')
+elif ocsp_dir is None:
+# Directive is missing and comment is missing
+aug.set('{}/directive[last()+1]'.format(path), "NSSOCSP")
+
+aug.set('{}/directive[. = "NSSOCSP"]/arg'.format(path), 'on')
+aug.save()
+
 def set_mod_nss_cipher_suite(self):
 ciphers = 

[Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf

2017-05-02 Thread pvomacka
   URL: https://github.com/freeipa/freeipa/pull/729
Author: pvomacka
 Title: #729: Turn on NSSOCSP check in mod_nss conf
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/729/head:pr729
git checkout pr729
From 91565422833deab89b378bb40df2bf19e9cb2209 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Thu, 6 Apr 2017 16:15:47 +0200
Subject: [PATCH] Turn on NSSOCSP check in mod_nss conf

Turn on NSSOCSP directive during install/replica install/upgrade.
That check verifies, using OCSP, whether the certificate used for login
has been revoked.

Marks the server cert in httpd NSS DB as trusted peer ('P,,')
to avoid chicken and egg problem when it is needed to contact
the OCSP responder when httpd is starting.

https://pagure.io/freeipa/issue/6370
---
 freeipa.spec.in   |  1 +
 install/restart_scripts/restart_httpd | 14 +-
 ipaserver/install/httpinstance.py | 30 ++
 ipaserver/install/server/upgrade.py   | 25 +
 4 files changed, 69 insertions(+), 1 deletion(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index ee9a36b..24fc838 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -314,6 +314,7 @@ Requires: oddjob
 Requires: gssproxy >= 0.7.0-2
 # 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050)
 Requires: sssd-dbus >= 1.15.2
+Requires: python-augeas
 
 Provides: %{alt_name}-server = %{version}
 Conflicts: %{alt_name}-server
diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd
index d168481..b661b82 100644
--- a/install/restart_scripts/restart_httpd
+++ b/install/restart_scripts/restart_httpd
@@ -21,11 +21,23 @@
 
 import syslog
 import traceback
+from ipalib import api
 from ipaplatform import services
-from ipaserver.install import certs
+from ipaplatform.paths import paths
+from ipaserver.install import certs, installutils
 
 
 def _main():
+
+api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
+api.finalize()
+
+db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR)
+nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname")
+
+# Add trust flag which set certificate trusted for SSL connections.
+db.trust_root_cert(nickname, "P,,")
+
 syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd')
 
 try:
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 7898c53..ab688a8 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -29,6 +29,7 @@
 import locale
 
 import six
+from augeas import Augeas
 
 from ipalib.install import certmonger
 from ipaserver.install import service
@@ -153,6 +154,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None,
   self.set_mod_nss_protocol)
 self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile)
 self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate)
+self.step("enabling mod_nss OCSP", self.enable_mod_nss_ocsp)
 self.step("adding URL rewriting rules", self.__add_include)
 self.step("configuring httpd", self.__configure_http)
 self.step("setting up httpd keytab", self.request_service_keytab)
@@ -259,6 +261,31 @@ def enable_mod_nss_renegotiate(self):
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False)
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False)
 
+def enable_mod_nss_ocsp(self):
+aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD)
+
+aug.set('/augeas/load/Httpd/lens', 'Httpd.lns')
+aug.set('/augeas/load/Httpd/incl', paths.HTTPD_NSS_CONF)
+aug.load()
+
+path = '/files{}/VirtualHost'.format(paths.HTTPD_NSS_CONF)
+
+ocsp_comment = aug.get(
+'{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path))
+ocsp_dir = aug.get('{}/directive[.="NSSOCSP"]'.format(path))
+
+if ocsp_dir is None and ocsp_comment is not None:
+# Directive is missing, comment is present
+aug.set('{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path),
+'NSSOCSP')
+aug.rename('{}/#comment[.="NSSOCSP"]'.format(path), 'directive')
+elif ocsp_dir is None:
+# Directive is missing and comment is missing
+aug.set('{}/directive[last()+1]'.format(path), "NSSOCSP")
+
+aug.set('{}/directive[. = "NSSOCSP"]/arg'.format(path), 'on')
+aug.save()
+
 def set_mod_nss_cipher_suite(self):
 ciphers = ','.join(NSS_CIPHER_SUITE)
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSCipherSuite', ciphers, False)
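Review bot: The Augeas handle created on the first line of `enable_mod_nss_ocsp` is never released; python-augeas exposes `close()`, so the body from `aug.set('/augeas/load/Httpd/lens', 'Httpd.lns')` through `aug.save()` belongs inside a `try:` with `finally: aug.close()`. The NSSOCSP directive path is spelled two ways in the hunk (`directive[.="NSSOCSP"]` for the read, `directive[. = "NSSOCSP"]` for the `arg` write); binding it once, `ocsp_dir_path = '{}/directive[.="NSSOCSP"]'.format(path)`, keeps both operating on the same node set and also documents that the final `aug.set` is expected to match exactly one directive. The method has no docstring; a one-liner such as `"""Enable OCSP revocation checking in mod_nss: uncomment an existing '#NSSOCSP ...' line in the VirtualHost, or append 'NSSOCSP on' if none exists."""` would describe the two branches. The same hunk appears in the revisions after L529 and L659, which build `path` with `os.path.join` instead of `str.format`; `os` is not imported in those hunks, so it must already be in scope in the file.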
@@ -351,6 +378,7 @@ def __setup_ssl(self):
   create=True)
 

[Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf

2017-05-02 Thread pvomacka
   URL: https://github.com/freeipa/freeipa/pull/729
Author: pvomacka
 Title: #729: Turn on NSSOCSP check in mod_nss conf
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/729/head:pr729
git checkout pr729
From 740da4c68e307187de86beb2113df87157a9e950 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Thu, 6 Apr 2017 16:15:47 +0200
Subject: [PATCH] Turn on NSSOCSP check in mod_nss conf

Turn on NSSOCSP directive during install/replica install/upgrade.
That check verifies, using OCSP, whether the certificate used for login
has been revoked.

Marks the server cert in httpd NSS DB as trusted peer ('P,,')
to avoid chicken and egg problem when it is needed to contact
the OCSP responder when httpd is starting.

https://pagure.io/freeipa/issue/6370
---
 freeipa.spec.in   |  1 +
 install/restart_scripts/restart_httpd | 14 +-
 ipaserver/install/httpinstance.py | 30 ++
 ipaserver/install/server/upgrade.py   | 24 
 4 files changed, 68 insertions(+), 1 deletion(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index ee9a36b..24fc838 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -314,6 +314,7 @@ Requires: oddjob
 Requires: gssproxy >= 0.7.0-2
 # 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050)
 Requires: sssd-dbus >= 1.15.2
+Requires: python-augeas
 
 Provides: %{alt_name}-server = %{version}
 Conflicts: %{alt_name}-server
diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd
index d168481..b661b82 100644
--- a/install/restart_scripts/restart_httpd
+++ b/install/restart_scripts/restart_httpd
@@ -21,11 +21,23 @@
 
 import syslog
 import traceback
+from ipalib import api
 from ipaplatform import services
-from ipaserver.install import certs
+from ipaplatform.paths import paths
+from ipaserver.install import certs, installutils
 
 
 def _main():
+
+api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
+api.finalize()
+
+db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR)
+nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname")
+
+# Add trust flag which set certificate trusted for SSL connections.
+db.trust_root_cert(nickname, "P,,")
+
 syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd')
 
 try:
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 7898c53..72488cc 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -29,6 +29,7 @@
 import locale
 
 import six
+from augeas import Augeas
 
 from ipalib.install import certmonger
 from ipaserver.install import service
@@ -153,6 +154,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None,
   self.set_mod_nss_protocol)
 self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile)
 self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate)
+self.step("enabling mod_nss OCSP", self.enable_mod_nss_ocsp)
 self.step("adding URL rewriting rules", self.__add_include)
 self.step("configuring httpd", self.__configure_http)
 self.step("setting up httpd keytab", self.request_service_keytab)
@@ -259,6 +261,31 @@ def enable_mod_nss_renegotiate(self):
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False)
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False)
 
+def enable_mod_nss_ocsp(self):
+aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD)
+
+aug.set('/augeas/load/Httpd/lens', 'Httpd.lns')
+aug.set('/augeas/load/Httpd/incl', paths.HTTPD_NSS_CONF)
+aug.load()
+
+path = os.path.join('/files', paths.HTTPD_NSS_CONF[1:], 'VirtualHost')
+
+ocsp_comment = aug.get(
+'{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path))
+ocsp_dir = aug.get('{}/directive[.="NSSOCSP"]'.format(path))
+
+if ocsp_dir is None and ocsp_comment is not None:
+# Directive is missing, comment is present
+aug.set('{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path),
+'NSSOCSP')
+aug.rename('{}/#comment[.="NSSOCSP"]'.format(path), 'directive')
+elif ocsp_dir is None:
+# Directive is missing and comment is missing
+aug.set('{}/directive[last()+1]'.format(path), "NSSOCSP")
+
+aug.set('{}/directive[. = "NSSOCSP"]/arg'.format(path), 'on')
+aug.save()
+
 def set_mod_nss_cipher_suite(self):
 ciphers = ','.join(NSS_CIPHER_SUITE)
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSCipherSuite', ciphers, False)
@@ -351,6 +378,7 @@ def __setup_ssl(self):
   create=True)
 

[Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf

2017-05-02 Thread pvomacka
   URL: https://github.com/freeipa/freeipa/pull/729
Author: pvomacka
 Title: #729: Turn on NSSOCSP check in mod_nss conf
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/729/head:pr729
git checkout pr729
From 3c994f38a5dad38b89c57ecce0558059d4d39e65 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Thu, 6 Apr 2017 16:15:47 +0200
Subject: [PATCH] Turn on NSSOCSP check in mod_nss conf

Turn on NSSOCSP directive during install/replica install/upgrade.
That check verifies, using OCSP, whether the certificate used for login
has been revoked.

Marks the server cert in httpd NSS DB as trusted peer ('P,,')
to avoid chicken and egg problem when it is needed to contact
the OCSP responder when httpd is starting.

https://pagure.io/freeipa/issue/6370
---
 freeipa.spec.in   |  1 +
 install/restart_scripts/restart_httpd | 14 +-
 ipaserver/install/httpinstance.py | 30 ++
 ipaserver/install/server/upgrade.py   | 24 
 4 files changed, 68 insertions(+), 1 deletion(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index ee9a36b..24fc838 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -314,6 +314,7 @@ Requires: oddjob
 Requires: gssproxy >= 0.7.0-2
 # 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050)
 Requires: sssd-dbus >= 1.15.2
+Requires: python-augeas
 
 Provides: %{alt_name}-server = %{version}
 Conflicts: %{alt_name}-server
diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd
index d168481..b661b82 100644
--- a/install/restart_scripts/restart_httpd
+++ b/install/restart_scripts/restart_httpd
@@ -21,11 +21,23 @@
 
 import syslog
 import traceback
+from ipalib import api
 from ipaplatform import services
-from ipaserver.install import certs
+from ipaplatform.paths import paths
+from ipaserver.install import certs, installutils
 
 
 def _main():
+
+api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
+api.finalize()
+
+db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR)
+nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname")
+
+# Add trust flag which set certificate trusted for SSL connections.
+db.trust_root_cert(nickname, "P,,")
+
 syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd')
 
 try:
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 7898c53..72488cc 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -29,6 +29,7 @@
 import locale
 
 import six
+from augeas import Augeas
 
 from ipalib.install import certmonger
 from ipaserver.install import service
@@ -153,6 +154,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None,
   self.set_mod_nss_protocol)
 self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile)
 self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate)
+self.step("enabling mod_nss OCSP", self.enable_mod_nss_ocsp)
 self.step("adding URL rewriting rules", self.__add_include)
 self.step("configuring httpd", self.__configure_http)
 self.step("setting up httpd keytab", self.request_service_keytab)
@@ -259,6 +261,31 @@ def enable_mod_nss_renegotiate(self):
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False)
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False)
 
+def enable_mod_nss_ocsp(self):
+aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD)
+
+aug.set('/augeas/load/Httpd/lens', 'Httpd.lns')
+aug.set('/augeas/load/Httpd/incl', paths.HTTPD_NSS_CONF)
+aug.load()
+
+path = os.path.join('/files', paths.HTTPD_NSS_CONF[1:], 'VirtualHost')
+
+ocsp_comment = aug.get(
+'{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path))
+ocsp_dir = aug.get('{}/directive[.="NSSOCSP"]'.format(path))
+
+if ocsp_dir is None and ocsp_comment is not None:
+# Directive is missing, comment is present
+aug.set('{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path),
+'NSSOCSP')
+aug.rename('{}/#comment[.="NSSOCSP"]'.format(path), 'directive')
+elif ocsp_dir is None:
+# Directive is missing and comment is missing
+aug.set('{}/directive[last()+1]'.format(path), "NSSOCSP")
+
+aug.set('{}/directive[. = "NSSOCSP"]/arg'.format(path), 'on')
+aug.save()
+
 def set_mod_nss_cipher_suite(self):
 ciphers = ','.join(NSS_CIPHER_SUITE)
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSCipherSuite', ciphers, False)
@@ -351,6 +378,7 @@ def __setup_ssl(self):
   create=True)
 

[Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf

2017-04-28 Thread pvomacka
   URL: https://github.com/freeipa/freeipa/pull/729
Author: pvomacka
 Title: #729: Turn on NSSOCSP check in mod_nss conf
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/729/head:pr729
git checkout pr729
From 2da6692288d276e199f3d4d92a69fd59f31ff138 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Thu, 6 Apr 2017 16:15:47 +0200
Subject: [PATCH] Turn on NSSOCSP check in mod_nss conf

Turn on NSSOCSP directive during install/replica install/upgrade.
That check verifies, using OCSP, whether the certificate used for login
has been revoked.

Marks the server cert in httpd NSS DB as trusted peer ('P,,')
to avoid chicken and egg problem when it is needed to contact
the OCSP responder when httpd is starting.

https://pagure.io/freeipa/issue/6370
---
 freeipa.spec.in   |  1 +
 install/restart_scripts/restart_httpd | 14 +-
 ipaserver/install/httpinstance.py | 30 ++
 ipaserver/install/server/upgrade.py   | 24 
 4 files changed, 68 insertions(+), 1 deletion(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index fbc67cb..9077734 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -306,6 +306,7 @@ Requires: oddjob
 Requires: gssproxy >= 0.7.0-2
 # 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050)
 Requires: sssd-dbus >= 1.15.2
+Requires: python-augeas
 
 Provides: %{alt_name}-server = %{version}
 Conflicts: %{alt_name}-server
diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd
index d168481..b661b82 100644
--- a/install/restart_scripts/restart_httpd
+++ b/install/restart_scripts/restart_httpd
@@ -21,11 +21,23 @@
 
 import syslog
 import traceback
+from ipalib import api
 from ipaplatform import services
-from ipaserver.install import certs
+from ipaplatform.paths import paths
+from ipaserver.install import certs, installutils
 
 
 def _main():
+
+api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
+api.finalize()
+
+db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR)
+nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname")
+
+# Add trust flag which set certificate trusted for SSL connections.
+db.trust_root_cert(nickname, "P,,")
+
 syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd')
 
 try:
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index aeb5c5e..f291580 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -29,6 +29,7 @@
 import locale
 
 import six
+from augeas import Augeas
 
 from ipalib.constants import IPAAPI_USER
 from ipalib.install import certmonger
@@ -156,6 +157,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None,
   self.set_mod_nss_protocol)
 self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile)
 self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate)
+self.step("enabling mod_nss OCSP", self.enable_mod_nss_ocsp)
 self.step("adding URL rewriting rules", self.__add_include)
 self.step("configuring httpd", self.__configure_http)
 self.step("setting up httpd keytab", self.request_service_keytab)
@@ -263,6 +265,31 @@ def enable_mod_nss_renegotiate(self):
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False)
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False)
 
+def enable_mod_nss_ocsp(self):
+aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD)
+
+aug.set('/augeas/load/Httpd/lens', 'Httpd.lens')
+aug.set('/augeas/load/Httpd/incl', paths.HTTPD_NSS_CONF)
+aug.load()
+
+path = os.path.join('/files', paths.HTTPD_NSS_CONF[1:], 'VirtualHost')
+
+ocsp_comment = aug.get(
+'{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path))
+ocsp_dir = aug.get('{}/directive[.="NSSOCSP"]'.format(path))
+
+if ocsp_dir is None and ocsp_comment is not None:
+# Directive is missing, comment is present
+aug.set('{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path),
+'NSSOCSP')
+aug.rename('{}/#comment[.="NSSOCSP"]'.format(path), 'directive')
+elif ocsp_dir is None:
+# Directive is missing and comment is missing
+aug.set('{}/directive[last()+1]'.format(path), "NSSOCSP")
+
+aug.set('{}/directive[. = "NSSOCSP"]/arg'.format(path), 'on')
+aug.save()
+
 def set_mod_nss_cipher_suite(self):
 ciphers = ','.join(NSS_CIPHER_SUITE)
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSCipherSuite', ciphers, False)
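Review bot: The lens name `'Httpd.lens'` on the `aug.set('/augeas/load/Httpd/lens', ...)` line does not match the `'Httpd.lns'` used by the other revisions of this hunk on this page; with an unknown lens Augeas presumably parses nothing under `/files`, after which both `aug.get` calls return `None` and the `elif` branch appends a directive to a tree that was never loaded. The fix is `aug.set('/augeas/load/Httpd/lens', 'Httpd.lns')`. Checking that the file was actually parsed before editing, e.g. `if not aug.match(path): raise RuntimeError('failed to parse {}'.format(paths.HTTPD_NSS_CONF))` right after `path` is built, would turn a lens or parse problem into a visible error instead of a silent no-op that leaves OCSP checking off.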
@@ -369,6 +396,7 @@ def __setup_ssl(self):
   create=True)
 

[Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf

2017-04-28 Thread pvomacka
   URL: https://github.com/freeipa/freeipa/pull/729
Author: pvomacka
 Title: #729: Turn on NSSOCSP check in mod_nss conf
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/729/head:pr729
git checkout pr729
From 96447296da8dd4ee565d9b5dcf5991e160e87091 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Thu, 6 Apr 2017 16:15:47 +0200
Subject: [PATCH 1/2] Turn on NSSOCSP check in mod_nss conf

Turn on NSSOCSP directive during install/replica install/upgrade.
That check verifies, using OCSP, whether the certificate used for login
has been revoked.

Marks the server cert in httpd NSS DB as trusted peer ('P,,')
to avoid chicken and egg problem when it is needed to contact
the OCSP responder when httpd is starting.

https://pagure.io/freeipa/issue/6370
---
 freeipa.spec.in   |  1 +
 install/restart_scripts/restart_httpd | 14 +-
 ipaserver/install/httpinstance.py | 19 +++
 ipaserver/install/server/upgrade.py   | 24 
 4 files changed, 57 insertions(+), 1 deletion(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index fbc67cb..9077734 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -306,6 +306,7 @@ Requires: oddjob
 Requires: gssproxy >= 0.7.0-2
 # 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050)
 Requires: sssd-dbus >= 1.15.2
+Requires: python-augeas
 
 Provides: %{alt_name}-server = %{version}
 Conflicts: %{alt_name}-server
diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd
index d168481..b661b82 100644
--- a/install/restart_scripts/restart_httpd
+++ b/install/restart_scripts/restart_httpd
@@ -21,11 +21,23 @@
 
 import syslog
 import traceback
+from ipalib import api
 from ipaplatform import services
-from ipaserver.install import certs
+from ipaplatform.paths import paths
+from ipaserver.install import certs, installutils
 
 
 def _main():
+
+api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
+api.finalize()
+
+db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR)
+nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname")
+
+# Add trust flag which set certificate trusted for SSL connections.
+db.trust_root_cert(nickname, "P,,")
+
 syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd')
 
 try:
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index aeb5c5e..90f918b 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -29,6 +29,7 @@
 import locale
 
 import six
+import augeas
 
 from ipalib.constants import IPAAPI_USER
 from ipalib.install import certmonger
@@ -156,6 +157,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None,
   self.set_mod_nss_protocol)
 self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile)
 self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate)
+self.step("enabling mod_nss OCSP", self.enable_mod_nss_ocsp)
 self.step("adding URL rewriting rules", self.__add_include)
 self.step("configuring httpd", self.__configure_http)
 self.step("setting up httpd keytab", self.request_service_keytab)
@@ -263,6 +265,20 @@ def enable_mod_nss_renegotiate(self):
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False)
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False)
 
+def enable_mod_nss_ocsp(self):
+aug = augeas.Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD)
+
+aug.set('/augeas/load/Httpd/lens', 'Httpd.lens')
+aug.set('/augeas/load/Httpd/incl', paths.HTTPD_NSS_CONF)
+aug.load()
+
+path = os.path.join('/files', paths.HTTPD_NSS_CONF[1:], 'VirtualHost')
+
+aug.set('{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path), 'NSSOCSP')
+aug.rename('{}/#comment[.="NSSOCSP"]'.format(path), 'directive')
+aug.set('{}/directive[. = "NSSOCSP"]/arg'.format(path), 'on')
+aug.save()
+
 def set_mod_nss_cipher_suite(self):
 ciphers = ','.join(NSS_CIPHER_SUITE)
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSCipherSuite', ciphers, False)
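Review bot: `augeas.Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD)` uses the bare name `Augeas`, but the import hunk above binds only `augeas` (`import augeas`), so this line raises `NameError` as soon as the step runs; write `augeas.Augeas(flags=augeas.Augeas.NO_LOAD | augeas.Augeas.NO_MODL_AUTOLOAD)`. The lens name `'Httpd.lens'` also differs from the `'Httpd.lns'` used by the later revisions of this patch on this page. The comment-to-directive rewrite is unconditional here: when the VirtualHost has no `#NSSOCSP ...` comment the regexp-predicated `aug.set` has nothing to match and no directive is ever added (a later revision on this page guards this with an `aug.get` check and an `elif` branch that appends the directive). The Augeas handle is never `close()`d either.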
@@ -369,6 +385,7 @@ def __setup_ssl(self):
   create=True)
 self.disable_system_trust()
 self.create_password_conf()
+
 if self.pkcs12_info:
 if self.ca_is_configured:
 trust_flags = 'CT,C,C'
@@ -393,6 +410,8 @@ def __setup_ssl(self):
 self.__set_mod_nss_nickname(nickname)
 self.add_cert_to_service()
 
+db.trust_root_cert(nickname, "P,,")
+
 else:
 if not self.promote:
 ca_args = [
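Review bot: `db.trust_root_cert(nickname, "P,,")` marks the server's own leaf certificate as an explicitly trusted SSL peer, which tells NSS to accept exactly this cert without chain building and hence without the OCSP check this PR turns on; the commit message says this is deliberate to avoid the startup chicken-and-egg, but nothing at the call site does, and `trust_root_cert` applied to a non-root cert reads like a mistake to the next maintainer. I would add `# 'P,,' = trusted peer: mod_nss must not OCSP-check its own cert at startup, since the responder is only reachable once httpd is up` above the call, and keep the flags to exactly `P,,` (no C/T bits) so the exception stays scoped to this one cert. The flag is only set in the `pkcs12_info` branch here; `db` and the `else` branch are outside the hunk, so I cannot tell whether a CA-issued server cert gets the same treatment at install time (the restart script in this PR appears to cover renewals only).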
diff --git a/ipaserver/install/server/upgrade.py 

[Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf

2017-04-27 Thread pvomacka
   URL: https://github.com/freeipa/freeipa/pull/729
Author: pvomacka
 Title: #729: Turn on NSSOCSP check in mod_nss conf
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/729/head:pr729
git checkout pr729
From d2a319e8aed6cc0510fb2b4395a8e37f487fa95c Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Thu, 6 Apr 2017 16:15:47 +0200
Subject: [PATCH] Turn on NSSOCSP check in mod_nss conf

Turn on NSSOCSP directive during install/replica install/upgrade.
This checks, using OCSP, whether the certificate presented for login
has been revoked.

Marks the server cert in httpd NSS DB as trusted peer ('P,,')
to avoid chicken and egg problem when it is needed to contact
the OCSP responder when httpd is starting.

https://pagure.io/freeipa/issue/6370
---
 freeipa.spec.in   |  1 +
 install/restart_scripts/restart_httpd | 14 +-
 ipaserver/install/httpinstance.py | 19 +++
 ipaserver/install/server/upgrade.py   | 24 
 4 files changed, 57 insertions(+), 1 deletion(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index fbc67cb..9077734 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -306,6 +306,7 @@ Requires: oddjob
 Requires: gssproxy >= 0.7.0-2
 # 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050)
 Requires: sssd-dbus >= 1.15.2
+Requires: python-augeas
 
 Provides: %{alt_name}-server = %{version}
 Conflicts: %{alt_name}-server
diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd
index d168481..b661b82 100644
--- a/install/restart_scripts/restart_httpd
+++ b/install/restart_scripts/restart_httpd
@@ -21,11 +21,23 @@
 
 import syslog
 import traceback
+from ipalib import api
 from ipaplatform import services
-from ipaserver.install import certs
+from ipaplatform.paths import paths
+from ipaserver.install import certs, installutils
 
 
 def _main():
+
+api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
+api.finalize()
+
+db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR)
+nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname")
+
+# Add trust flag which set certificate trusted for SSL connections.
+db.trust_root_cert(nickname, "P,,")
+
 syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd')
 
 try:
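Review bot: `installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname")` returns nothing when the directive is absent from nss.conf, and the next line would then hand `None` to `db.trust_root_cert`; since this runs before the restart below, a certmonger renewal would leave httpd un-restarted with an unclear traceback. A guard such as `if not nickname: raise RuntimeError("NSSNickname not found in %s" % paths.HTTPD_NSS_CONF)` between the two lines fails clearly instead. Whether get_directive strips surrounding quotes from the value is not visible here; if it does not, a quoted nickname would never match a DB entry. The comment `# Add trust flag which set certificate trusted for SSL connections.` should say why this is repeated on every restart, e.g. `# Re-mark the (possibly renewed) server cert as trusted peer ('P,,') so mod_nss can start without OCSP-checking its own cert.`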
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index aeb5c5e..aefb9dc 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -29,6 +29,7 @@
 import locale
 
 import six
+import augeas
 
 from ipalib.constants import IPAAPI_USER
 from ipalib.install import certmonger
@@ -156,6 +157,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None,
   self.set_mod_nss_protocol)
 self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile)
 self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate)
+self.step("enabling mod_nss OCSP", self.enable_mod_nss_ocsp)
 self.step("adding URL rewriting rules", self.__add_include)
 self.step("configuring httpd", self.__configure_http)
 self.step("setting up httpd keytab", self.request_service_keytab)
@@ -263,6 +265,20 @@ def enable_mod_nss_renegotiate(self):
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False)
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False)
 
+def enable_mod_nss_ocsp(self):
+aug = augeas.Augeas()
+ocsp_path = os.path.join('/files',
+ paths.HTTPD_NSS_CONF[1:],
+ 'VirtualHost')
+aug.set(
+'{path}/#comment[. =~ regexp("NSSOCSP .*")]'.format(path=ocsp_path),
+'NSSOCSP')
+aug.rename('{path}/#comment[. = "NSSOCSP"]'.format(path=ocsp_path),
+   'directive')
+aug.set('{path}/directive[. = "NSSOCSP"]/arg'.format(path=ocsp_path),
+'on')
+aug.save()
+
 def set_mod_nss_cipher_suite(self):
 ciphers = ','.join(NSS_CIPHER_SUITE)
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSCipherSuite', ciphers, False)
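Review bot: enable_mod_nss_ocsp only works while nss.conf still contains the stock commented-out `#NSSOCSP ...` line: the first `aug.set` uses a regexp predicate on `#comment`, which matches nothing once the directive is already active (a re-run of this step, or an admin who enabled OCSP by hand), and as far as I know python-augeas raises ValueError for such a path instead of creating a node, so the install/upgrade step aborts rather than being a no-op. Testing for the directive first and only uncommenting or appending when it is missing makes the step idempotent, as sketched below. Separately, `augeas.Augeas()` with default flags parses every file known to every lens at construction, so the step is slow and fails on parse errors in unrelated files; constructing with `NO_LOAD | NO_MODL_AUTOLOAD` and registering only nss.conf under `/augeas/load/Httpd` avoids that.

```python
    def enable_mod_nss_ocsp(self):
        """Enable the NSSOCSP directive in the mod_nss VirtualHost (idempotent)."""
        aug = augeas.Augeas()
        vhost = os.path.join('/files', paths.HTTPD_NSS_CONF[1:], 'VirtualHost')
        directive = '{}/directive[. = "NSSOCSP"]'.format(vhost)
        comment = '{}/#comment[. =~ regexp("NSSOCSP .*")]'.format(vhost)
        if not aug.match(directive):
            if aug.match(comment):
                # uncomment the stock "#NSSOCSP ..." line shipped by mod_nss
                aug.set(comment, 'NSSOCSP')
                aug.rename('{}/#comment[. = "NSSOCSP"]'.format(vhost), 'directive')
            else:
                aug.set('{}/directive[last()+1]'.format(vhost), 'NSSOCSP')
        aug.set('{}/arg'.format(directive), 'on')
        aug.save()
```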
@@ -369,6 +385,7 @@ def __setup_ssl(self):
   create=True)
 self.disable_system_trust()
 self.create_password_conf()
+
 if self.pkcs12_info:
 if self.ca_is_configured:
 trust_flags = 'CT,C,C'
@@ -393,6 +410,8 @@ def __setup_ssl(self):
 self.__set_mod_nss_nickname(nickname)
 self.add_cert_to_service()
 
+db.trust_root_cert(nickname, "P,,")
+
 else:
 if not self.promote:
 ca_args = [
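Review bot: The new `db.trust_root_cert(nickname, "P,,")` line carries no comment, yet it is a persistent trust decision written into the httpd NSS DB that exempts the server's own cert from the OCSP verification this PR enables; the helper's name suggests a root CA, which the server cert is not. A why-comment at the call site, e.g. `# Trusted peer ('P,,'): lets mod_nss start without OCSP-checking its own cert, which it could not do before httpd is up`, keeps a future cleanup from removing it. `db` and the remainder of __setup_ssl are outside the hunk.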
diff --git a/ipaserver/install/server/upgrade.py 

[Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf

2017-04-26 Thread pvomacka
   URL: https://github.com/freeipa/freeipa/pull/729
Author: pvomacka
 Title: #729: Turn on NSSOCSP check in mod_nss conf
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/729/head:pr729
git checkout pr729
From dcd894bf135d37ed647a244f415b7a55cbe10412 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Thu, 6 Apr 2017 16:15:47 +0200
Subject: [PATCH] Turn on NSSOCSP check in mod_nss conf

Turn on NSSOCSP directive during install/replica install/upgrade.
This checks, using OCSP, whether the certificate presented for login
has been revoked.

https://pagure.io/freeipa/issue/6370
---
 freeipa.spec.in   |  1 +
 install/restart_scripts/restart_httpd | 13 -
 ipaserver/install/httpinstance.py | 18 ++
 ipaserver/install/server/upgrade.py   | 12 +++-
 4 files changed, 42 insertions(+), 2 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index fbc67cb..9077734 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -306,6 +306,7 @@ Requires: oddjob
 Requires: gssproxy >= 0.7.0-2
 # 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050)
 Requires: sssd-dbus >= 1.15.2
+Requires: python-augeas
 
 Provides: %{alt_name}-server = %{version}
 Conflicts: %{alt_name}-server
diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd
index d168481..f10544c 100644
--- a/install/restart_scripts/restart_httpd
+++ b/install/restart_scripts/restart_httpd
@@ -21,11 +21,22 @@
 
 import syslog
 import traceback
+from ipalib import api
 from ipaplatform import services
-from ipaserver.install import certs
+from ipaplatform.paths import paths
+from ipaserver.install import certs, installutils
 
 
 def _main():
+
+api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
+api.finalize()
+
+db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR)
+nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname")
+
+db.trust_root_cert(nickname, "P,,")
+
 syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd')
 
 try:
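Review bot: The nickname read via `installutils.get_directive` is used unchecked on the next line, so a missing or malformed `NSSNickname` directive turns into whatever `db.trust_root_cert` does with `None`, and because this runs before the restart the certmonger post-save hook would exit without restarting httpd. Add `if not nickname: raise RuntimeError("NSSNickname not found in %s" % paths.HTTPD_NSS_CONF)` before the trust-flag call. The call itself deserves a comment stating that 'P,,' is re-applied on every restart because the renewed cert must be accepted by mod_nss without an OCSP round-trip at startup; `trust_root_cert` on a leaf cert is otherwise surprising.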
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index aeb5c5e..2844d19 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -29,6 +29,7 @@
 import locale
 
 import six
+import augeas
 
 from ipalib.constants import IPAAPI_USER
 from ipalib.install import certmonger
@@ -156,6 +157,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None,
   self.set_mod_nss_protocol)
 self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile)
 self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate)
+self.step("enabling mod_nss OCSP", self.enable_mod_nss_ocsp)
 self.step("adding URL rewriting rules", self.__add_include)
 self.step("configuring httpd", self.__configure_http)
 self.step("setting up httpd keytab", self.request_service_keytab)
@@ -263,6 +265,19 @@ def enable_mod_nss_renegotiate(self):
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False)
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False)
 
+def enable_mod_nss_ocsp(self):
+aug = augeas.Augeas()
+ocsp_path = os.path.join('/files',
+ paths.HTTPD_NSS_CONF[1:],
+ 'VirtualHost')
+ocsp = aug.get(os.path.join(ocsp_path, 'directive[. = "NSSOCSP"]/arg'))
+
+if ocsp is None:
+aug.set(os.path.join(ocsp_path, 'directive[last()+1]'), 'NSSOCSP')
+
+aug.set(os.path.join(ocsp_path, 'directive[. = "NSSOCSP"]/arg'), 'on')
+aug.save()
+
 def set_mod_nss_cipher_suite(self):
 ciphers = ','.join(NSS_CIPHER_SUITE)
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSCipherSuite', ciphers, False)
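Review bot: enable_mod_nss_ocsp has no docstring and no comment on its one non-obvious branch; I would add `"""Turn on OCSP checking in the mod_nss VirtualHost, appending an NSSOCSP directive when nss.conf has none."""` and, above the `if ocsp is None:` branch, `# nss.conf ships NSSOCSP only as a comment; append a real directive`. Because the appended directive sits next to the untouched `#NSSOCSP` comment, an admin reading nss.conf sees both; that is harmless but worth a note. `aug.save()` is left unchecked: python-augeas raises IOError when the write fails, and the reason is only recorded under `/augeas//error`, so logging `aug.match('/augeas//error')` in an `except IOError` would make a failed upgrade step diagnosable.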
@@ -369,6 +384,7 @@ def __setup_ssl(self):
   create=True)
 self.disable_system_trust()
 self.create_password_conf()
+
 if self.pkcs12_info:
 if self.ca_is_configured:
 trust_flags = 'CT,C,C'
@@ -393,6 +409,8 @@ def __setup_ssl(self):
 self.__set_mod_nss_nickname(nickname)
 self.add_cert_to_service()
 
+db.trust_root_cert(nickname, "P,,")
+
 else:
 if not self.promote:
 ca_args = [
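Review bot: Neither the commit message of this revision nor the call site explains why the server's own cert is marked `P,,` (trusted peer), which exempts it from the chain and OCSP verification this very change enables; a reader will take `db.trust_root_cert(nickname, "P,,")` for a copy-paste error from the CA-cert handling. Add `# Trusted peer: mod_nss cannot OCSP-check its own cert while httpd is still starting` above the line and say the same in the commit description. Keep the flags to exactly `P,,` so the exception does not extend to issuing trust.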
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 927acb0..732f6b5 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1375,6 +1375,11 @@ def remove_ds_ra_cert(subject_base):
 def fix_trust_flags():
 root_logger.info('[Fixing trust flags in %s]' % paths.HTTPD_ALIAS_DIR)
 
+db = 

[Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf

2017-04-25 Thread pvomacka
   URL: https://github.com/freeipa/freeipa/pull/729
Author: pvomacka
 Title: #729: Turn on NSSOCSP check in mod_nss conf
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/729/head:pr729
git checkout pr729
From 641a69736086a14743052c3c17200fe8a545d2a2 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Thu, 6 Apr 2017 16:15:47 +0200
Subject: [PATCH] Turn on NSSOCSP check in mod_nss conf

Turn on NSSOCSP directive during install/replica install/upgrade.
This checks, using OCSP, whether the certificate presented for login
has been revoked.

https://pagure.io/freeipa/issue/6370
---
 freeipa.spec.in   |  1 +
 install/restart_scripts/restart_httpd | 14 ++
 ipaserver/install/httpinstance.py | 18 ++
 ipaserver/install/server/upgrade.py   | 14 --
 4 files changed, 45 insertions(+), 2 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index fbc67cb..9077734 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -306,6 +306,7 @@ Requires: oddjob
 Requires: gssproxy >= 0.7.0-2
 # 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050)
 Requires: sssd-dbus >= 1.15.2
+Requires: python-augeas
 
 Provides: %{alt_name}-server = %{version}
 Conflicts: %{alt_name}-server
diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd
index d168481..1d7615c 100644
--- a/install/restart_scripts/restart_httpd
+++ b/install/restart_scripts/restart_httpd
@@ -21,11 +21,25 @@
 
 import syslog
 import traceback
+from ipalib import api
 from ipaplatform import services
+from ipaplatform.paths import paths
 from ipaserver.install import certs
 
 
 def _main():
+
+api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
+api.finalize()
+
+db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR)
+server_certs = db.find_server_certs()
+if len(server_certs) == 0:
+raise RuntimeError("Could not find a suitable server cert.")
+
+nickname = server_certs[0][0]
+db.trust_root_cert(nickname, "P,,")
+
 syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd')
 
 try:
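Review bot: `nickname = server_certs[0][0]` applies the 'P,,' flag to whichever server cert `find_server_certs()` happens to list first, but the cert mod_nss actually serves is the one named by `NSSNickname` in nss.conf; with more than one server cert in the DB (e.g. an old one left after a rename) the flag can land on the wrong entry and httpd still fails its startup OCSP check. Reading the configured nickname instead, `nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname")` with a `RuntimeError` when it is empty, targets the right cert. The trust-flag call also deserves a comment saying it is re-applied after every certmonger renewal so the new cert is accepted without an OCSP round-trip at startup.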
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index aeb5c5e..111392b 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -29,6 +29,7 @@
 import locale
 
 import six
+import augeas
 
 from ipalib.constants import IPAAPI_USER
 from ipalib.install import certmonger
@@ -156,6 +157,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None,
   self.set_mod_nss_protocol)
 self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile)
 self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate)
+self.step("enabling mod_nss NSSOCSP", self.enable_mod_nss_ocsp)
 self.step("adding URL rewriting rules", self.__add_include)
 self.step("configuring httpd", self.__configure_http)
 self.step("setting up httpd keytab", self.request_service_keytab)
@@ -263,6 +265,19 @@ def enable_mod_nss_renegotiate(self):
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False)
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False)
 
+def enable_mod_nss_ocsp(self):
+aug = augeas.Augeas()
+ocsp_path = os.path.join('/files',
+ paths.HTTPD_NSS_CONF[1:],
+ 'VirtualHost')
+ocsp = aug.get(os.path.join(ocsp_path, 'directive[. = "NSSOCSP"]/arg'))
+
+if ocsp is None:
+aug.set(os.path.join(ocsp_path, 'directive[last()+1]'), 'NSSOCSP')
+
+aug.set(os.path.join(ocsp_path, 'directive[. = "NSSOCSP"]/arg'), 'on')
+aug.save()
+
 def set_mod_nss_cipher_suite(self):
 ciphers = ','.join(NSS_CIPHER_SUITE)
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSCipherSuite', ciphers, False)
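Review bot: `ocsp = aug.get(... 'directive[. = "NSSOCSP"]/arg')` is `None` both when the directive is absent and when it exists without an argument, so in the second case `directive[last()+1]` appends a second `NSSOCSP` and the following `set` on `directive[. = "NSSOCSP"]/arg` then addresses two nodes, which python-augeas rejects (if I read the lens right). Testing for the directive node itself avoids the ambiguity: `if not aug.match(os.path.join(ocsp_path, 'directive[. = "NSSOCSP"]')):`. A docstring stating that this enables OCSP revocation checking of certificates presented to mod_nss would complete the method.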
@@ -369,6 +384,7 @@ def __setup_ssl(self):
   create=True)
 self.disable_system_trust()
 self.create_password_conf()
+
 if self.pkcs12_info:
 if self.ca_is_configured:
 trust_flags = 'CT,C,C'
@@ -393,6 +409,8 @@ def __setup_ssl(self):
 self.__set_mod_nss_nickname(nickname)
 self.add_cert_to_service()
 
+db.trust_root_cert(nickname, "P,,")
+
 else:
 if not self.promote:
 ca_args = [
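Review bot: `db.trust_root_cert(nickname, "P,,")` is an undocumented, persistent trust exception: the server's own leaf cert becomes a trusted SSL peer in the httpd NSS DB and is therefore never chain-validated or OCSP-checked by mod_nss, the very check this PR enables. Since the private key already lives in that DB the exposure is narrow, but the intent should be spelled out at the call site, e.g. `# 'P,,' trusted peer: avoids the OCSP chicken-and-egg when mod_nss verifies its own cert at startup`, and the commit message of this revision does not mention the flag at all. The flag is only set in the `pkcs12_info` branch; the `else` branch is outside the hunk.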
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 927acb0..0f315a6 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1375,7 +1375,7 @@ def remove_ds_ra_cert(subject_base):
 def fix_trust_flags():
 root_logger.info('[Fixing trust flags in %s]' %