URL: https://github.com/freeipa/freeipa/pull/5305 Author: rcritten Title: #5305: Add IPA RA Agent to ACME group on the CA Action: opened
PR body: """ Add IPA RA Agent to ACME group on the CA Move the addition of the RA agent to the ACME Enterprise Users group into setup_acme() so it is also added on upgrades. This allows ipa-acme-manage to authenticate to the CA REST API using the RA Agent credentials. https://pagure.io/freeipa/issue/8603 Signed-off-by: Rob Crittenden <rcrit...@redhat.com> """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5305/head:pr5305 git checkout pr5305
From 70b53669e25f4a3f0c58ff918f44535e2125f45e Mon Sep 17 00:00:00 2001 From: Rob Crittenden <rcrit...@redhat.com> Date: Mon, 30 Nov 2020 09:55:22 -0500 Subject: [PATCH 1/2] Remove test for minimum ACME support and rely on package deps This method was added temporarily while the required packages were still under development and not available in stable repositories. Signed-off-by: Rob Crittenden <rcrit...@redhat.com> --- ipaserver/install/cainstance.py | 40 +++----------------------- ipatests/test_integration/test_acme.py | 4 --- 2 files changed, 4 insertions(+), 40 deletions(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 535407cde2f..d740a280829 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -430,8 +430,7 @@ def configure_instance(self, host_name, dm_password, admin_password, if promote: self.step("destroying installation admin user", self.teardown_admin) - if minimum_acme_support(): - self.step("deploying ACME service", self.setup_acme) + self.step("deploying ACME service", self.setup_acme) # Materialize config changes and new ACLs self.step("starting certificate server instance", self.start_instance) @@ -771,10 +770,9 @@ def __create_ca_agent(self): self.basedn) conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember') - if minimum_acme_support(): - group_dn = DN(('cn', ACME_AGENT_GROUP), ('ou', 'groups'), - self.basedn) - conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember') + group_dn = DN(('cn', ACME_AGENT_GROUP), ('ou', 'groups'), + self.basedn) + conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember') def __get_ca_chain(self): try: @@ -1487,9 +1485,6 @@ def setup_acme(self) -> bool: logger.debug('ACME service is already deployed') return False - if not minimum_acme_support(): - return False - self._ldap_mod('/usr/share/pki/acme/database/ds/schema.ldif') configure_acme_acls() 
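Review bot: The configure_instance hunk now schedules setup_acme unconditionally, so the `self._ldap_mod('/usr/share/pki/acme/database/ds/schema.ldif')` call in the setup_acme hunk runs on every install and upgrade, yet this patch's diffstat touches only cainstance.py and test_acme.py — nothing in the patch pins the pki version that ships that file, even though the commit message says the version floor is now delegated to package dependencies. If the dependency bump is not already in the RPM spec it belongs in this patch; otherwise a missing schema file turns a previously skipped step into a hard install/upgrade failure. The same gap applies to the hunk on the next line that deletes minimum_acme_support(), the only place the 10.10.0 floor was encoded, and to the two test_acme.py hunks, where dropping the skipif decorators may also leave the `cainstance` import unused if it served only those decorators. configure_instance, __create_ca_agent and setup_acme all start and end outside their hunks.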
@@ -1732,33 +1727,6 @@ def ensure_lightweight_cas_container(): ) -def minimum_acme_support(data=None): - """ - ACME with global enable/disable is required. - - This first shipped in dogtag version 10.10.0. - - Parse the version string to determine if the minimum version - is met. If parsing fails return False. - - :param: data: The string value to parse for version. Defaults to - reading from the filesystem. - """ - if not data: - with open('/usr/share/pki/VERSION', 'r') as fd: - data = fd.read() - - groups = re.match(r'.*\nSpecification-Version: ([\d+\.]*)\n.*', data) - if groups: - version_string = groups.groups(0)[0] - minimum_version = parse_version('10.10.0') - - return parse_version(version_string) >= minimum_version - else: - logger.debug('Unable to parse version from %s', data) - return False - - def ensure_acme_containers(): """ Create the ACME container objects under ou=acme,o=ipaca if diff --git a/ipatests/test_integration/test_acme.py b/ipatests/test_integration/test_acme.py index 3fd322f05e6..a1c0d3b57a1 100644 --- a/ipatests/test_integration/test_acme.py +++ b/ipatests/test_integration/test_acme.py @@ -61,8 +61,6 @@ def wrapped(*args): return wrapped -@pytest.mark.skipif(not cainstance.minimum_acme_support(), - reason="does not provide ACME") class TestACME(CALessBase): """ Test the FreeIPA ACME service by using ACME clients on a FreeIPA client. @@ -402,8 +400,6 @@ def test_third_party_certs(self): assert "invalid 'certificate'" in result.stderr_text -@pytest.mark.skipif(not cainstance.minimum_acme_support(), - reason="does not provide ACME") class TestACMECALess(IntegrationTest): """Test to check the CA less replica setup""" num_replicas = 1 From 6e9d5e4b0bcf23ab4ea5cc7943324a4045d5482f Mon Sep 17 00:00:00 2001 
From: Rob Crittenden <rcrit...@redhat.com> Date: Mon, 30 Nov 2020 10:02:50 -0500 Subject: [PATCH 2/2] Add IPA RA Agent to ACME group on the CA Move the addition of the RA agent to the ACME Enterprise Users group into setup_acme() so it is also added on upgrades. This allows ipa-acme-manage to authenticate to the CA REST API using the RA Agent credentials. https://pagure.io/freeipa/issue/8603 Signed-off-by: Rob Crittenden <rcrit...@redhat.com> --- ipaserver/install/cainstance.py | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index d740a280829..b94eac96c63 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -770,10 +770,6 @@ def __create_ca_agent(self): self.basedn) conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember') - group_dn = DN(('cn', ACME_AGENT_GROUP), ('ou', 'groups'), - self.basedn) - conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember') - def __get_ca_chain(self): try: return dogtag.get_ca_certchain(ca_host=self.fqdn) @@ -1505,6 +1501,14 @@ def setup_acme(self) -> bool: else: password = result + # Add the IPA RA user as a member of the ACME admins for + # ipa-acme-manage. + user_dn = DN(('uid', "ipara"), ('ou', 'People'), self.basedn) + conn = api.Backend.ldap2 + group_dn = DN(('cn', ACME_AGENT_GROUP), ('ou', 'groups'), + self.basedn) + conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember') + # create container object heirarchy in LDAP ensure_acme_containers()
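Review bot: The comment added in the setup_acme hunk says the RA user becomes a member of "the ACME admins", but the DN built two lines below uses ACME_AGENT_GROUP, which the commit message identifies as the ACME Enterprise Users group; the comment should name the group the code actually joins, and say why the RA agent credential is being reused rather than a dedicated ACME identity, since from a least-privilege view this widens what that credential can do against the CA REST API. The membership add is also reached on upgrades and is only skipped by the "already deployed" early return at the top of setup_acme, so if an earlier run added the membership but failed before ACME counted as deployed, add_entry_to_group would, if I read ipaldap correctly, raise errors.AlreadyGroupMember and abort the upgrade; catching that one error keeps the step idempotent. The first hunk of this patch is a pure removal from __create_ca_agent and needs nothing further. setup_acme continues outside the hunk.
```python
        # Add the IPA RA agent to ACME_AGENT_GROUP (ACME Enterprise Users) so
        # ipa-acme-manage can use the RA agent credentials on the CA REST API.
        # … unchanged: user_dn, conn and group_dn assignments …
        try:
            conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember')
        except errors.AlreadyGroupMember:
            # A retried deployment must not abort on an existing membership.
            logger.debug('%s is already a member of %s', user_dn, group_dn)
        # … unchanged: ensure_acme_containers() …
```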