A new command has been added to retrieve the vault transport certificate and optionally save it into a file. The vault archive and retrieve commands have been modified to retrieve the transport certificate and store it locally for subsequent use. This way it's no longer necessary to manually import the transport certificate into the client's NSS database.
Ticket #3872. This patch depends on #355. -- Endi S. Dewata
From abeda85904f7247f1f0d679a71a7094bb2cefe0c Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edew...@redhat.com>
Date: Wed, 22 Oct 2014 10:02:25 -0400
Subject: [PATCH] Added command to retrieve vault transport certificate.

A new command has been added to retrieve the vault transport certificate and optionally save it into a file. The vault archive and retrieve command has been modified to retrieve the transport certificate and store it locally for subsequent usage. This way it's no longer necessary to manually import the transport certificate into the client's NSS database.

Ticket #3872
---
 API.txt | 5 +++
 VERSION | 4 +--
 ipalib/plugins/vault.py | 85 +++++++++++++++++++++++++++++++++++++++++++++++--
 3 files changed, 89 insertions(+), 5 deletions(-)

diff --git a/API.txt b/API.txt
index a46592ec9e82e618154bf09393c83d4b854315c5..95b86ce84f5bc9f1d879e561e07b0348d719c90e 100644
--- a/API.txt
+++ b/API.txt
@@ -4629,6 +4629,11 @@ option: Str('version?', exclude='webui')
 output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: PrimaryKey('value', None, None)
+command: vault_transport_cert
+args: 0,2,1
+option: Str('out?', cli_name='out')
+option: Str('version?', exclude='webui')
+output: Output('result', None, None)
 command: vaultcontainer_add
 args: 1,8,3
 arg: Str('cn', attribute=True, cli_name='container_name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, required=True)
diff --git a/VERSION b/VERSION
index c471ed80af6a2c26be7fc89281ae60fac6c68577..d0ada131b700e93faa8c4946b811db36d76341a9 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=110 -# Last change: edewata - added vault access control +IPA_API_VERSION_MINOR=111 +# Last change: edewata - added vault transport certificate diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py index 95f96859235af1c477c8f5738a27571d64aabe3a..871c3e3a25c688a64ba0ecfde5ccbd50b47fbe01 100644 --- a/ipalib/plugins/vault.py +++ b/ipalib/plugins/vault.py @@ -24,6 +24,8 @@ import shutil import string import tempfile +import nss.nss as nss + import pki import pki.account import pki.crypto @@ -109,7 +111,7 @@ EXAMPLES: """) register = Registry() -transport_cert_nickname = "KRA Transport Certificate" +transport_cert_filename = "vault-transport.pem" @register() class vaultcontainer(LDAPObject): 
@@ -628,6 +630,63 @@ class vault_show(LDAPRetrieve): @register() +class vault_transport_cert(Command): + __doc__ = _('Retrieve vault transport certificate.') + + + # list of attributes we want exported to JSON + json_friendly_attributes = ( + 'takes_args', + ) + + takes_options = ( + Str('out?', + cli_name='out', + doc=_('Output file to store the transport certificate'), + ), + ) + + has_output_params = ( + Str('certificate', + label=_('Certificate'), + ), + ) + + def __json__(self): + json_dict = dict( + (a, getattr(self, a)) for a in self.json_friendly_attributes + ) + json_dict['takes_options'] = list(self.get_json_options()) + return json_dict + + def execute(self, *args, **options): + + kra_client = api.Backend.kra.get_client() + transport_cert = kra_client.system_certs.get_transport_cert() + return { + 'result': { + 'certificate': transport_cert.encoded + } + } + + def forward(self, *args, **options): + + file = options.get('out') + + # don't send these parameters to server + if 'out' in options: + del options['out'] + + response = super(vault_transport_cert, self).forward(*args, **options) + + if file: + with open(file, 'w') as f: + f.write(response['result']['certificate']) + + return response + + +@register() class vault_archive(LDAPRetrieve): __doc__ = _('Archive a secret into a vault.') 
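Review bot: In `vault_transport_cert.forward` the value of `response['result']['certificate']` is written straight to the `--out` path with no check that the server actually returned a certificate, so an empty or malformed reply is persisted as-is and only blows up later in whatever code reads the file back; a guard such as `if not response['result'].get('certificate'): raise ValueError('server returned no transport certificate')` (or the project's own error type) before the `open(...)` would fail at the point of retrieval instead. As a point of style, the local `file` shadows the builtin and the `if 'out' in options: del options['out']` pair repeats the `options.get('out')` lookup just above it; `out_path = options.pop('out', None)` does both in one line and keeps the "do not forward this option to the server" intent visible. The `execute` method also has no docstring saying what `transport_cert.encoded` holds; it appears to be the base64/PEM form, since the archive and retrieve commands later read the saved file with `nss.read_der_from_file(path, True)`, so a docstring along the lines of `"""Return the KRA transport certificate in encoded (PEM) form; the CLI may save it via --out."""` would help once that is confirmed.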
@@ -743,7 +802,17 @@ class vault_archive(LDAPRetrieve): nonce = crypto.generate_nonce_iv() session_key = crypto.generate_session_key() - nss_transport_cert = crypto.get_cert(transport_cert_nickname) + + ipa_dir = os.path.join(os.path.expanduser('~'), '.ipa') + if not os.path.exists(ipa_dir): + os.makedirs(ipa_dir) + + transport_cert_path = os.path.join(ipa_dir, transport_cert_filename) + if not os.path.exists(transport_cert_path): + api.Command.vault_transport_cert(out=unicode(transport_cert_path)) + + transport_cert_der = nss.read_der_from_file(transport_cert_path, True) + nss_transport_cert = nss.Certificate(transport_cert_der) wrapped_session_key = crypto.asymmetric_wrap( session_key, @@ -842,7 +911,17 @@ class vault_retrieve(LDAPRetrieve): ipapython.nsslib.current_dbdir = paths.IPA_NSSDB_DIR session_key = crypto.generate_session_key() - nss_transport_cert = crypto.get_cert(transport_cert_nickname) + + ipa_dir = os.path.join(os.path.expanduser('~'), '.ipa') + if not os.path.exists(ipa_dir): + os.makedirs(ipa_dir) + + transport_cert_path = os.path.join(ipa_dir, transport_cert_filename) + if not os.path.exists(transport_cert_path): + api.Command.vault_transport_cert(out=unicode(transport_cert_path)) + + transport_cert_der = nss.read_der_from_file(transport_cert_path, True) + nss_transport_cert = nss.Certificate(transport_cert_der) wrapped_session_key = crypto.asymmetric_wrap( session_key, -- 1.9.0
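Review bot: In `vault_archive` the certificate loaded from `~/.ipa/vault-transport.pem` becomes the recipient key for the `crypto.asymmetric_wrap(session_key, ...)` call that follows, yet it is trusted purely because the file exists: `os.makedirs(ipa_dir)` creates the cache directory with whatever the process umask allows, and nothing verifies that the cached certificate chains to the IPA CA or still matches what `vault_transport_cert` would return. Anyone able to plant or replace that file can have the session key, and therefore the archived secret, wrapped to a key they control. I would create the directory with `os.makedirs(ipa_dir, 0o700)` and validate `nss_transport_cert` against the IPA CA before wrapping, re-fetching from the server when validation fails rather than silently using the file. The `os.path.exists` checks also race with the `makedirs`/fetch that follow them; catching `OSError` from `makedirs` is the usual remedy. The enclosing method of `vault_archive` starts and ends outside this hunk.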
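Review bot: The `if not os.path.exists(transport_cert_path)` guard in `vault_retrieve` means the transport certificate is fetched once and never refreshed, so after the KRA transport certificate is renewed, or when the same user account talks to a different IPA server (the path carries no server or realm qualifier), the session key is wrapped to a key the server no longer holds and retrieval fails with no hint that removing `~/.ipa/vault-transport.pem` is the fix. Consider re-fetching when the cached certificate is outside its validity period or when the server rejects the wrapped key, and document the cache location and the reset step in the command help. This block is also a verbatim copy of the one added to `vault_archive`; a module-level `_get_transport_cert()` returning the `nss.Certificate` would keep the two paths from drifting and give any refresh logic a single home. The enclosing method of `vault_retrieve` starts and ends outside this hunk.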