Re: [Freeipa-devel] [PATCH] 356 Added command to retrieve vault transport certificate.

2015-01-26 Thread Endi Sukma Dewata

On 11/4/2014 12:29 AM, Endi Sukma Dewata wrote:

On 10/28/2014 6:26 PM, Endi Sukma Dewata wrote:

On 10/23/2014 6:18 AM, Jan Cholasta wrote:

Hi,

Dne 22.10.2014 v 22:06 Endi Sukma Dewata napsal(a):

A new command has been added to retrieve the vault transport
certificate and optionally save it into a file. The vault archive
and retrieve command has been modified to retrieve the transport
certificate and store it locally for subsequent usage. This way
it's no longer necessary to manually import the transport
certificate into the client's NSS database.


As part of the CA certificate renewal feature in 4.1, I have added a
LDAP certificate store to IPA, see
. Currently it
supports only CA certificates, but can be extended to support end entity
certificates rather easily. If you use it for the vault transport
certificate, it can be added to the client NSS database automatically on
install.

Honza



I'm attaching a new patch that's identical to the previous one with
ticket URL updated. I'm thinking we should check this patch in first
because it's already done, and then investigate the use of CA cert
management utility as a separate enhancement since it seems to need
to be generalized before it can be used to manage KRA transport cert.
I'll also need to investigate the KRA transport cert replacement process
to make sure it can be accommodated via IPA's cert management utility.


Revised the patch to always download the transport certificate (no local
caching). Further optimization can be done later.


Rebased on top of #355-3, no code changes.

--
Endi S. Dewata
From 56e1211f42faa1e4c36184efdcddc3af23310cda Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Wed, 22 Oct 2014 10:02:25 -0400
Subject: [PATCH] Added command to retrieve vault transport certificate.

A new command has been added to retrieve the vault transport
certificate and optionally save it into a file. The vault archive
and retrieve command has been modified to retrieve the transport
certificate and store it locally for subsequent usage. This way
it's no longer necessary to manually import the transport
certificate into the client's NSS database.

https://fedorahosted.org/freeipa/ticket/3872
---
 API.txt |  5 
 VERSION |  4 +--
 ipalib/plugins/vault.py | 80 +++--
 3 files changed, 84 insertions(+), 5 deletions(-)

diff --git a/API.txt b/API.txt
index 
f6fd2686a49dfabc053a772818904ca6c14f3b53..f64fd1570efff9a2eb2e277e16ceef2ebb1a9ae3
 100644
--- a/API.txt
+++ b/API.txt
@@ -4676,6 +4676,11 @@ option: Str('version?', exclude='webui')
 output: Entry('result', , Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
 output: Output('summary', (, ), None)
 output: PrimaryKey('value', None, None)
+command: vault_transport_cert
+args: 0,2,1
+option: Str('out?', cli_name='out')
+option: Str('version?', exclude='webui')
+output: Output('result', None, None)
 command: vaultcontainer_add
 args: 1,9,3
 arg: Str('cn', attribute=True, cli_name='container_name', maxlength=255, 
multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, required=True)
diff --git a/VERSION b/VERSION
index 
b0250045145d17e40df3828d0c50be1db8867625..c75e5376c1041a701908ea7e23c8b4e570eb21b6
 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=2010061412
 #  #
 
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=114
-# Last change: edewata - added vault access control
+IPA_API_VERSION_MINOR=115
+# Last change: edewata - added vault transport certificate
diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py
index 
7ec36836a741bc0669ab1be59192532136e8e126..58f0ae494c0d0c2c3a66f708cbe7c1545bdeec84
 100644
--- a/ipalib/plugins/vault.py
+++ b/ipalib/plugins/vault.py
@@ -25,6 +25,8 @@ import shutil
 import string
 import tempfile
 
+import nss.nss as nss
+
 import pki
 import pki.account
 import pki.crypto
@@ -118,7 +120,6 @@ EXAMPLES:
 """)
 
 register = Registry()
-transport_cert_nickname = 'KRA Transport Certificate'
 
 @register()
 class vaultcontainer(LDAPObject):
@@ -845,6 +846,63 @@ class vault_show(LDAPRetrieve):
 
 
 @register()
+class vault_transport_cert(Command):
+__doc__ = _('Retrieve vault transport certificate.')
+
+
+# list of attributes we want exported to JSON
+json_friendly_attributes = (
+'takes_args',
+)
+
+takes_options = (
+Str('out?',
+cli_name='out',
+doc=_('Output file to store the transport certificate'),
+),
+)
+
+has_output_params = (
+Str('certificate',
+label=_('Certificate'),
+),
+)
+
+def __json__(self):
+json_dict = dict(
+(a, getattr(self, a)) for a in self.json_friendly_attributes
+)
+json_dict['take

Re: [Freeipa-devel] [PATCH] 356 Added command to retrieve vault transport certificate.

2014-11-03 Thread Endi Sukma Dewata

On 10/28/2014 6:26 PM, Endi Sukma Dewata wrote:

On 10/23/2014 6:18 AM, Jan Cholasta wrote:

Hi,

Dne 22.10.2014 v 22:06 Endi Sukma Dewata napsal(a):

A new command has been added to retrieve the vault transport
certificate and optionally save it into a file. The vault archive
and retrieve command has been modified to retrieve the transport
certificate and store it locally for subsequent usage. This way
it's no longer necessary to manually import the transport
certificate into the client's NSS database.


As part of the CA certificate renewal feature in 4.1, I have added a
LDAP certificate store to IPA, see
. Currently it
supports only CA certificates, but can be extended to support end entity
certificates rather easily. If you use it for the vault transport
certificate, it can be added to the client NSS database automatically on
install.

Honza



I'm attaching a new patch that's identical to the previous one with
ticket URL updated. I'm thinking we should check this patch in first
because it's already done, and then investigate the use of CA cert
management utility as a separate enhancement since it seems to need
to be generalized before it can be used to manage KRA transport cert.
I'll also need to investigate the KRA transport cert replacement process
to make sure it can be accommodated via IPA's cert management utility.


Revised the patch to always download the transport certificate (no local 
caching). Further optimization can be done later.


--
Endi S. Dewata
From ef9af13e577343d3ff2564e81b9b6dc895a03b09 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Wed, 22 Oct 2014 10:02:25 -0400
Subject: [PATCH] Added command to retrieve vault transport certificate.

A new command has been added to retrieve the vault transport
certificate and optionally save it into a file. The vault archive
and retrieve command has been modified to retrieve the transport
certificate and store it locally for subsequent usage. This way
it's no longer necessary to manually import the transport
certificate into the client's NSS database.

https://fedorahosted.org/freeipa/ticket/3872
---
 API.txt |  5 
 VERSION |  4 +--
 ipalib/plugins/vault.py | 80 +++--
 3 files changed, 84 insertions(+), 5 deletions(-)

diff --git a/API.txt b/API.txt
index 
ee33af74eb2870fcdf1ab7e6781797b348243a8f..7668e8ceebb1a2b6e6ebcd6d70c9209f5a874627
 100644
--- a/API.txt
+++ b/API.txt
@@ -4633,6 +4633,11 @@ option: Str('version?', exclude='webui')
 output: Entry('result', , Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
 output: Output('summary', (, ), None)
 output: PrimaryKey('value', None, None)
+command: vault_transport_cert
+args: 0,2,1
+option: Str('out?', cli_name='out')
+option: Str('version?', exclude='webui')
+output: Output('result', None, None)
 command: vaultcontainer_add
 args: 1,9,3
 arg: Str('cn', attribute=True, cli_name='container_name', maxlength=255, 
multivalue=False, 
pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', 
primary_key=True, required=True)
diff --git a/VERSION b/VERSION
index 
c471ed80af6a2c26be7fc89281ae60fac6c68577..d0ada131b700e93faa8c4946b811db36d76341a9
 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=2010061412
 #  #
 
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=110
-# Last change: edewata - added vault access control
+IPA_API_VERSION_MINOR=111
+# Last change: edewata - added vault transport certificate
diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py
index 
20948b267e2c585bd59e801d02f9e0b752399609..00a7a3471d79eee741a1986224c3ad534ec5ff3d
 100644
--- a/ipalib/plugins/vault.py
+++ b/ipalib/plugins/vault.py
@@ -24,6 +24,8 @@ import shutil
 import string
 import tempfile
 
+import nss.nss as nss
+
 import pki
 import pki.account
 import pki.crypto
@@ -109,7 +111,6 @@ EXAMPLES:
 """)
 
 register = Registry()
-transport_cert_nickname = "KRA Transport Certificate"
 
 @register()
 class vaultcontainer(LDAPObject):
@@ -693,6 +694,63 @@ class vault_show(LDAPRetrieve):
 
 
 @register()
+class vault_transport_cert(Command):
+__doc__ = _('Retrieve vault transport certificate.')
+
+
+# list of attributes we want exported to JSON
+json_friendly_attributes = (
+'takes_args',
+)
+
+takes_options = (
+Str('out?',
+cli_name='out',
+doc=_('Output file to store the transport certificate'),
+),
+)
+
+has_output_params = (
+Str('certificate',
+label=_('Certificate'),
+),
+)
+
+def __json__(self):
+json_dict = dict(
+(a, getattr(self, a)) for a in self.json_friendly_attributes
+)
+json_dict['takes_options'] = list(self.get_json_options())
+re

Re: [Freeipa-devel] [PATCH] 356 Added command to retrieve vault transport certificate.

2014-10-28 Thread Endi Sukma Dewata

On 10/23/2014 6:18 AM, Jan Cholasta wrote:

Hi,

Dne 22.10.2014 v 22:06 Endi Sukma Dewata napsal(a):

A new command has been added to retrieve the vault transport
certificate and optionally save it into a file. The vault archive
and retrieve command has been modified to retrieve the transport
certificate and store it locally for subsequent usage. This way
it's no longer necessary to manually import the transport
certificate into the client's NSS database.


As part of the CA certificate renewal feature in 4.1, I have added a
LDAP certificate store to IPA, see
. Currently it
supports only CA certificates, but can be extended to support end entity
certificates rather easily. If you use it for the vault transport
certificate, it can be added to the client NSS database automatically on
install.

Honza



I'm attaching a new patch that's identical to the previous one with 
ticket URL updated. I'm thinking we should check this patch in first 
because it's already done, and then investigate the use of CA cert 
management utility as a separate enhancement since it seems to need 
to be generalized before it can be used to manage KRA transport cert. 
I'll also need to investigate the KRA transport cert replacement process 
to make sure it can be accommodated via IPA's cert management utility.


--
Endi S. Dewata
From 1bffa29d35fee0ac06cb1bc943f9de8beee58d05 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Wed, 22 Oct 2014 10:02:25 -0400
Subject: [PATCH] Added command to retrieve vault transport certificate.

A new command has been added to retrieve the vault transport
certificate and optionally save it into a file. The vault archive
and retrieve command has been modified to retrieve the transport
certificate and store it locally for subsequent usage. This way
it's no longer necessary to manually import the transport
certificate into the client's NSS database.

https://fedorahosted.org/freeipa/ticket/3872
---
 API.txt |  5 +++
 VERSION |  4 +--
 ipalib/plugins/vault.py | 85 +++--
 3 files changed, 89 insertions(+), 5 deletions(-)

diff --git a/API.txt b/API.txt
index 
a46592ec9e82e618154bf09393c83d4b854315c5..95b86ce84f5bc9f1d879e561e07b0348d719c90e
 100644
--- a/API.txt
+++ b/API.txt
@@ -4629,6 +4629,11 @@ option: Str('version?', exclude='webui')
 output: Entry('result', , Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
 output: Output('summary', (, ), None)
 output: PrimaryKey('value', None, None)
+command: vault_transport_cert
+args: 0,2,1
+option: Str('out?', cli_name='out')
+option: Str('version?', exclude='webui')
+output: Output('result', None, None)
 command: vaultcontainer_add
 args: 1,8,3
 arg: Str('cn', attribute=True, cli_name='container_name', maxlength=255, 
multivalue=False, 
pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', 
primary_key=True, required=True)
diff --git a/VERSION b/VERSION
index 
c471ed80af6a2c26be7fc89281ae60fac6c68577..d0ada131b700e93faa8c4946b811db36d76341a9
 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=2010061412
 #  #
 
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=110
-# Last change: edewata - added vault access control
+IPA_API_VERSION_MINOR=111
+# Last change: edewata - added vault transport certificate
diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py
index 
95f96859235af1c477c8f5738a27571d64aabe3a..871c3e3a25c688a64ba0ecfde5ccbd50b47fbe01
 100644
--- a/ipalib/plugins/vault.py
+++ b/ipalib/plugins/vault.py
@@ -24,6 +24,8 @@ import shutil
 import string
 import tempfile
 
+import nss.nss as nss
+
 import pki
 import pki.account
 import pki.crypto
@@ -109,7 +111,7 @@ EXAMPLES:
 """)
 
 register = Registry()
-transport_cert_nickname = "KRA Transport Certificate"
+transport_cert_filename = "vault-transport.pem"
 
 @register()
 class vaultcontainer(LDAPObject):
@@ -628,6 +630,63 @@ class vault_show(LDAPRetrieve):
 
 
 @register()
+class vault_transport_cert(Command):
+__doc__ = _('Retrieve vault transport certificate.')
+
+
+# list of attributes we want exported to JSON
+json_friendly_attributes = (
+'takes_args',
+)
+
+takes_options = (
+Str('out?',
+cli_name='out',
+doc=_('Output file to store the transport certificate'),
+),
+)
+
+has_output_params = (
+Str('certificate',
+label=_('Certificate'),
+),
+)
+
+def __json__(self):
+json_dict = dict(
+(a, getattr(self, a)) for a in self.json_friendly_attributes
+)
+json_dict['takes_options'] = list(self.get_json_options())
+return json_dict
+
+def execute(self, *args, **options):
+
+kra_client = api.Backend.kra.get_client()
+

Re: [Freeipa-devel] [PATCH] 356 Added command to retrieve vault transport certificate.

2014-10-23 Thread Jan Cholasta

Hi,

Dne 22.10.2014 v 22:06 Endi Sukma Dewata napsal(a):

A new command has been added to retrieve the vault transport
certificate and optionally save it into a file. The vault archive
and retrieve command has been modified to retrieve the transport
certificate and store it locally for subsequent usage. This way
it's no longer necessary to manually import the transport
certificate into the client's NSS database.


As part of the CA certificate renewal feature in 4.1, I have added a 
LDAP certificate store to IPA, see 
. Currently it 
supports only CA certificates, but can be extended to support end entity 
certificates rather easily. If you use it for the vault transport 
certificate, it can be added to the client NSS database automatically on 
install.


Honza

--
Jan Cholasta



[Freeipa-devel] [PATCH] 356 Added command to retrieve vault transport certificate.

2014-10-22 Thread Endi Sukma Dewata

A new command has been added to retrieve the vault transport
certificate and optionally save it into a file. The vault archive
and retrieve command has been modified to retrieve the transport
certificate and store it locally for subsequent usage. This way
it's no longer necessary to manually import the transport
certificate into the client's NSS database.

Ticket #3872

This patch depends on #355.

--
Endi S. Dewata
From abeda85904f7247f1f0d679a71a7094bb2cefe0c Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Wed, 22 Oct 2014 10:02:25 -0400
Subject: [PATCH] Added command to retrieve vault transport certificate.

A new command has been added to retrieve the vault transport
certificate and optionally save it into a file. The vault archive
and retrieve command has been modified to retrieve the transport
certificate and store it locally for subsequent usage. This way
it's no longer necessary to manually import the transport
certificate into the client's NSS database.

Ticket #3872
---
 API.txt |  5 +++
 VERSION |  4 +--
 ipalib/plugins/vault.py | 85 +++--
 3 files changed, 89 insertions(+), 5 deletions(-)

diff --git a/API.txt b/API.txt
index 
a46592ec9e82e618154bf09393c83d4b854315c5..95b86ce84f5bc9f1d879e561e07b0348d719c90e
 100644
--- a/API.txt
+++ b/API.txt
@@ -4629,6 +4629,11 @@ option: Str('version?', exclude='webui')
 output: Entry('result', , Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
 output: Output('summary', (, ), None)
 output: PrimaryKey('value', None, None)
+command: vault_transport_cert
+args: 0,2,1
+option: Str('out?', cli_name='out')
+option: Str('version?', exclude='webui')
+output: Output('result', None, None)
 command: vaultcontainer_add
 args: 1,8,3
 arg: Str('cn', attribute=True, cli_name='container_name', maxlength=255, 
multivalue=False, 
pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', 
primary_key=True, required=True)
diff --git a/VERSION b/VERSION
index 
c471ed80af6a2c26be7fc89281ae60fac6c68577..d0ada131b700e93faa8c4946b811db36d76341a9
 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=2010061412
 #  #
 
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=110
-# Last change: edewata - added vault access control
+IPA_API_VERSION_MINOR=111
+# Last change: edewata - added vault transport certificate
diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py
index 
95f96859235af1c477c8f5738a27571d64aabe3a..871c3e3a25c688a64ba0ecfde5ccbd50b47fbe01
 100644
--- a/ipalib/plugins/vault.py
+++ b/ipalib/plugins/vault.py
@@ -24,6 +24,8 @@ import shutil
 import string
 import tempfile
 
+import nss.nss as nss
+
 import pki
 import pki.account
 import pki.crypto
@@ -109,7 +111,7 @@ EXAMPLES:
 """)
 
 register = Registry()
-transport_cert_nickname = "KRA Transport Certificate"
+transport_cert_filename = "vault-transport.pem"
 
 @register()
 class vaultcontainer(LDAPObject):
@@ -628,6 +630,63 @@ class vault_show(LDAPRetrieve):
 
 
 @register()
+class vault_transport_cert(Command):
+__doc__ = _('Retrieve vault transport certificate.')
+
+
+# list of attributes we want exported to JSON
+json_friendly_attributes = (
+'takes_args',
+)
+
+takes_options = (
+Str('out?',
+cli_name='out',
+doc=_('Output file to store the transport certificate'),
+),
+)
+
+has_output_params = (
+Str('certificate',
+label=_('Certificate'),
+),
+)
+
+def __json__(self):
+json_dict = dict(
+(a, getattr(self, a)) for a in self.json_friendly_attributes
+)
+json_dict['takes_options'] = list(self.get_json_options())
+return json_dict
+
+def execute(self, *args, **options):
+
+kra_client = api.Backend.kra.get_client()
+transport_cert = kra_client.system_certs.get_transport_cert()
+return {
+'result': {
+'certificate': transport_cert.encoded
+}
+}
+
+def forward(self, *args, **options):
+
+file = options.get('out')
+
+# don't send these parameters to server
+if 'out' in options:
+del options['out']
+
+response = super(vault_transport_cert, self).forward(*args, **options)
+
+if file:
+with open(file, 'w') as f:
+f.write(response['result']['certificate'])
+
+return response
+
+
+@register()
 class vault_archive(LDAPRetrieve):
 __doc__ = _('Archive a secret into a vault.')
 
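Review bot: `forward` rebinds the Python 2 builtin `file` and then does a separate membership test plus `del` to strip the `out` option; `out_file = options.pop('out', None)` replaces the three lines `file = options.get('out')` / `if 'out' in options:` / `del options['out']` and makes it explicit that `out` is consumed on the client and never forwarded to the server. The bytes written to that file are `transport_cert.encoded` passed through untouched, and neither the `out` option's doc nor the class `__doc__` says which encoding that is (PEM with headers or bare base64), which anyone feeding the file to NSS or OpenSSL needs to know — a one-line comment above `f.write(...)` naming the format, checked against what `get_transport_cert()` actually returns, would cover it. With `crypto.get_cert(transport_cert_nickname)` removed from `vault_archive` in the following hunk, the certificate that wraps the session key now arrives from the IPA server over the RPC channel rather than from a certificate explicitly imported into the client NSS database; that shift in where the transport certificate is trusted from belongs in the class docstring, e.g. `# Transport certificate is fetched from the KRA through the IPA server; its authenticity rests on the authenticated IPA RPC channel, not on the client NSS database.`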
@@ -743,7 +802,17 @@ class vault_archive(LDAPRetrieve):
 
 nonce = crypto.generate_nonce_iv()
 session_key = crypto.generate_session_key()
-nss_transport_cert = crypto.get_cert(transport_cert_nickname)
+
+ipa_dir = os.path.join(os.path.expanduser('~