URL: https://github.com/freeipa/freeipa/pull/5305
Author: rcritten
 Title: #5305: Add IPA RA Agent to ACME group on the CA
Action: opened

PR body:
"""
Add IPA RA Agent to ACME group on the CA

Move the addition of the RA agent to the ACME Enterprise Users
group into setup_acme() so it is also added on upgrades.

This allows ipa-acme-manage to authenticate to the CA REST
API using the RA Agent credentials.

https://pagure.io/freeipa/issue/8603

Signed-off-by: Rob Crittenden <rcrit...@redhat.com>
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5305/head:pr5305
git checkout pr5305
From 70b53669e25f4a3f0c58ff918f44535e2125f45e Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Mon, 30 Nov 2020 09:55:22 -0500
Subject: [PATCH 1/2] Remove test for minimum ACME support and rely on package
 deps

This method was added temporarily while the required packages
were still under development and not available in stable
repositories.

Signed-off-by: Rob Crittenden <rcrit...@redhat.com>
---
 ipaserver/install/cainstance.py        | 40 +++-----------------------
 ipatests/test_integration/test_acme.py |  4 ---
 2 files changed, 4 insertions(+), 40 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 535407cde2f..d740a280829 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -430,8 +430,7 @@ def configure_instance(self, host_name, dm_password, admin_password,
             if promote:
                 self.step("destroying installation admin user",
                           self.teardown_admin)
-            if minimum_acme_support():
-                self.step("deploying ACME service", self.setup_acme)
+            self.step("deploying ACME service", self.setup_acme)
             # Materialize config changes and new ACLs
             self.step("starting certificate server instance",
                       self.start_instance)
@@ -771,10 +770,9 @@ def __create_ca_agent(self):
             self.basedn)
         conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember')
 
-        if minimum_acme_support():
-            group_dn = DN(('cn', ACME_AGENT_GROUP), ('ou', 'groups'),
-                          self.basedn)
-            conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember')
+        group_dn = DN(('cn', ACME_AGENT_GROUP), ('ou', 'groups'),
+                      self.basedn)
+        conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember')
 
     def __get_ca_chain(self):
         try:
@@ -1487,9 +1485,6 @@ def setup_acme(self) -> bool:
             logger.debug('ACME service is already deployed')
             return False
 
-        if not minimum_acme_support():
-            return False
-
         self._ldap_mod('/usr/share/pki/acme/database/ds/schema.ldif')
 
         configure_acme_acls()
@@ -1732,33 +1727,6 @@ def ensure_lightweight_cas_container():
     )
 
 
-def minimum_acme_support(data=None):
-    """
-    ACME with global enable/disable is required.
-
-    This first shipped in dogtag version 10.10.0.
-
-    Parse the version string to determine if the minimum version
-    is met. If parsing fails return False.
-
-    :param: data: The string value to parse for version. Defaults to
-                  reading from the filesystem.
-    """
-    if not data:
-        with open('/usr/share/pki/VERSION', 'r') as fd:
-            data = fd.read()
-
-    groups = re.match(r'.*\nSpecification-Version: ([\d+\.]*)\n.*', data)
-    if groups:
-        version_string = groups.groups(0)[0]
-        minimum_version = parse_version('10.10.0')
-
-        return parse_version(version_string) >= minimum_version
-    else:
-        logger.debug('Unable to parse version from %s', data)
-        return False
-
-
 def ensure_acme_containers():
     """
     Create the ACME container objects under ou=acme,o=ipaca if
diff --git a/ipatests/test_integration/test_acme.py b/ipatests/test_integration/test_acme.py
index 3fd322f05e6..a1c0d3b57a1 100644
--- a/ipatests/test_integration/test_acme.py
+++ b/ipatests/test_integration/test_acme.py
@@ -61,8 +61,6 @@ def wrapped(*args):
     return wrapped
 
 
-@pytest.mark.skipif(not cainstance.minimum_acme_support(),
-                    reason="does not provide ACME")
 class TestACME(CALessBase):
     """
     Test the FreeIPA ACME service by using ACME clients on a FreeIPA client.
@@ -402,8 +400,6 @@ def test_third_party_certs(self):
         assert "invalid 'certificate'" in result.stderr_text
 
 
-@pytest.mark.skipif(not cainstance.minimum_acme_support(),
-                    reason="does not provide ACME")
 class TestACMECALess(IntegrationTest):
     """Test to check the CA less replica setup"""
     num_replicas = 1

From 6e9d5e4b0bcf23ab4ea5cc7943324a4045d5482f Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Mon, 30 Nov 2020 10:02:50 -0500
Subject: [PATCH 2/2] Add IPA RA Agent to ACME group on the CA

Move the addition of the RA agent to the ACME Enterprise Users
group into setup_acme() so it is also added on upgrades.

This allows ipa-acme-manage to authenticate to the CA REST
API using the RA Agent credentials.

https://pagure.io/freeipa/issue/8603

Signed-off-by: Rob Crittenden <rcrit...@redhat.com>
---
 ipaserver/install/cainstance.py | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index d740a280829..b94eac96c63 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -770,10 +770,6 @@ def __create_ca_agent(self):
             self.basedn)
         conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember')
 
-        group_dn = DN(('cn', ACME_AGENT_GROUP), ('ou', 'groups'),
-                      self.basedn)
-        conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember')
-
     def __get_ca_chain(self):
         try:
             return dogtag.get_ca_certchain(ca_host=self.fqdn)
@@ -1505,6 +1501,14 @@ def setup_acme(self) -> bool:
         else:
             password = result
 
+        # Add the IPA RA user as a member of the ACME admins for
+        # ipa-acme-manage.
+        user_dn = DN(('uid', "ipara"), ('ou', 'People'), self.basedn)
+        conn = api.Backend.ldap2
+        group_dn = DN(('cn', ACME_AGENT_GROUP), ('ou', 'groups'),
+                      self.basedn)
+        conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember')
+
         # create container object heirarchy in LDAP
         ensure_acme_containers()
 
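Review bot: The new membership update is placed after setup_acme()'s early `return False` for an already-deployed ACME service (the `ACME service is already deployed` path shown in the first patch's setup_acme hunk), so on an upgraded server where ACME was deployed by an earlier release the RA agent is presumably never added to ACME_AGENT_GROUP — which appears to be exactly the upgrade case the commit message targets. If that reading is right, the group update should run before the already-deployed check (or as its own upgrade step) and tolerate an existing membership, since add_entry_to_group seems to treat an already-present member as an error; wrapping the call as `try: conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember')` / `except errors.AlreadyGroupMember: pass` would make it safe to repeat on every upgrade. Hoisting the literal `"ipara"` into a module-level constant next to ACME_AGENT_GROUP would also keep this RA-agent DN in sync with the one __create_ca_agent builds rather than duplicating the uid. setup_acme() starts and ends outside this hunk.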