python-ipaserver 4.7.0~pre1+git20180411-2ubuntu2 / usr / lib / python2.7 / dist-packages / ipaserver / install / custodiainstance.py

This file is indexed.

/usr/lib/python2.7/dist-packages/ipaserver/install/custodiainstance.py is in python-ipaserver 4.7.0~pre1+git20180411-2ubuntu2.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below. 

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
# Copyright (C) 2015 FreeIPa Project Contributors, see 'COPYING' for license.

from __future__ import print_function

import logging

from ipaserver.secrets.kem import IPAKEMKeys, KEMLdap
from ipaserver.secrets.client import CustodiaClient
from ipaplatform.paths import paths
from ipaplatform.constants import constants
from ipaserver.install.service import SimpleServiceInstance
from ipapython import ipautil
from ipapython.certdb import NSSDatabase
from ipaserver.install import installutils
from ipaserver.install import ldapupdate
from ipaserver.install import sysupgrade
from base64 import b64decode
from jwcrypto.common import json_decode
import shutil
import os
import stat
import tempfile
import time
import pwd

logger = logging.getLogger(__name__)


class CustodiaInstance(SimpleServiceInstance):
    def __init__(self, host_name=None, realm=None, ldap_uri=None):
        super(CustodiaInstance, self).__init__("ipa-custodia")
        self.config_file = paths.IPA_CUSTODIA_CONF
        self.server_keys = paths.IPA_CUSTODIA_KEYS
        self.ldap_uri = ldap_uri
        self.fqdn = host_name
        self.realm = realm

    def __config_file(self):
        template_file = os.path.basename(self.config_file) + '.template'
        template = os.path.join(paths.USR_SHARE_IPA_DIR, template_file)
        httpd_info = pwd.getpwnam(constants.HTTPD_USER)
        sub_dict = dict(
            IPA_CUSTODIA_CONF_DIR=paths.IPA_CUSTODIA_CONF_DIR,
            IPA_CUSTODIA_KEYS=paths.IPA_CUSTODIA_KEYS,
            IPA_CUSTODIA_SOCKET=paths.IPA_CUSTODIA_SOCKET,
            IPA_CUSTODIA_AUDIT_LOG=paths.IPA_CUSTODIA_AUDIT_LOG,
            LDAP_URI=installutils.realm_to_ldapi_uri(self.realm),
            UID=httpd_info.pw_uid,
            GID=httpd_info.pw_gid
        )
        conf = ipautil.template_file(template, sub_dict)
        with open(self.config_file, "w") as f:
            f.write(conf)
            ipautil.flush_sync(f)

    def create_instance(self):
        suffix = ipautil.realm_to_suffix(self.realm)
        self.step("Generating ipa-custodia config file", self.__config_file)
        self.step("Making sure custodia container exists", self.__create_container)
        self.step("Generating ipa-custodia keys", self.__gen_keys)
        super(CustodiaInstance, self).create_instance(gensvc_name='KEYS',
                                                      fqdn=self.fqdn,
                                                      ldap_suffix=suffix,
                                                      realm=self.realm)
        sysupgrade.set_upgrade_state('custodia', 'installed', True)

    def uninstall(self):
        super(CustodiaInstance, self).uninstall()
        keystore = IPAKEMKeys({
            'server_keys': self.server_keys,
            'ldap_uri': self.ldap_uri
        })
        keystore.remove_server_keys_file()
        installutils.remove_file(self.config_file)
        sysupgrade.set_upgrade_state('custodia', 'installed', False)

    def __gen_keys(self):
        keystore = IPAKEMKeys({
            'server_keys': self.server_keys,
            'ldap_uri': self.ldap_uri
        })
        keystore.generate_server_keys()

    def upgrade_instance(self):
        installed = sysupgrade.get_upgrade_state("custodia", "installed")
        if installed:
            if (not os.path.isfile(self.server_keys)
                    or not os.path.isfile(self.config_file)):
                logger.warning(
                    "Custodia server keys or config are missing, forcing "
                    "reinstallation of ipa-custodia."
                )
                installed = False

        if not installed:
            logger.info("Custodia service is being configured")
            self.create_instance()
        else:
            old_config = open(self.config_file).read()
            self.__config_file()
            new_config = open(self.config_file).read()
            if new_config != old_config:
                logger.info("Restarting Custodia")
                self.restart()

        mode = os.stat(self.server_keys).st_mode
        if stat.S_IMODE(mode) != 0o600:
            logger.info("Secure server.keys mode")
            os.chmod(self.server_keys, 0o600)

    def create_replica(self, master_host_name):
        suffix = ipautil.realm_to_suffix(self.realm)
        self.ldap_uri = 'ldap://%s' % master_host_name
        self.master_host_name = master_host_name

        self.step("Generating ipa-custodia config file", self.__config_file)
        self.step("Generating ipa-custodia keys", self.__gen_keys)
        super(CustodiaInstance, self).create_instance(gensvc_name='KEYS',
                                                      fqdn=self.fqdn,
                                                      ldap_suffix=suffix,
                                                      realm=self.realm)

    def __create_container(self):
        """
        Runs the custodia update file to ensure custodia container is present.
        """

        sub_dict = {
            'SUFFIX': self.suffix,
        }

        updater = ldapupdate.LDAPUpdate(sub_dict=sub_dict)
        updater.update([os.path.join(paths.UPDATES_DIR, '73-custodia.update')])

    def import_ra_key(self, master_host_name):
        cli = self.__CustodiaClient(server=master_host_name)
        # please note that ipaCert part has to stay here for historical
        # reasons (old servers expect you to ask for ra/ipaCert during
        # replication as they store the RA agent cert in an NSS database
        # with this nickname)
        cli.fetch_key('ra/ipaCert')

    def import_dm_password(self, master_host_name):
        cli = self.__CustodiaClient(server=master_host_name)
        cli.fetch_key('dm/DMHash')

    def __wait_keys(self, host, timeout=300):
        ldap_uri = 'ldap://%s' % host
        deadline = int(time.time()) + timeout
        logger.info("Waiting up to %s seconds to see our keys "
                    "appear on host: %s", timeout, host)
        # FIXME: Change once there's better way to show this mesage
        # in installer output
        print("Waiting for keys to appear on host: {}, "
              "please wait until this has completed.".format(host))

        konn = KEMLdap(ldap_uri)
        saved_e = None
        while True:
            try:
                return konn.check_host_keys(self.fqdn)
            except Exception as e:
                # log only once for the same error
                if not isinstance(e, type(saved_e)):
                    logger.debug(
                        "Transient error getting keys: '%s'", e)
                    saved_e = e
                if int(time.time()) > deadline:
                    raise RuntimeError("Timed out trying to obtain keys.")
                time.sleep(1)

    def __CustodiaClient(self, server):
        # Before we attempt to fetch keys from this host, make sure our public
        # keys have been replicated there.
        self.__wait_keys(server)

        return CustodiaClient('host@%s' % self.fqdn, self.server_keys,
                              paths.KRB5_KEYTAB, server, realm=self.realm)

    def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data):
        # Fecth all needed certs one by one, then combine them in a single
        # p12 file

        prefix = data['prefix']
        certlist = data['list']

        cli = self.__CustodiaClient(server=ca_host)

        # Temporary nssdb
        tmpnssdir = tempfile.mkdtemp(dir=paths.TMP)
        tmpdb = NSSDatabase(tmpnssdir)
        tmpdb.create_db()
        try:
            # Cert file password
            crtpwfile = os.path.join(tmpnssdir, 'crtpwfile')
            with open(crtpwfile, 'w+') as f:
                f.write(cacerts_pwd)
                f.flush()

            for nickname in certlist:
                value = cli.fetch_key(os.path.join(prefix, nickname), False)
                v = json_decode(value)
                pk12pwfile = os.path.join(tmpnssdir, 'pk12pwfile')
                with open(pk12pwfile, 'w+') as f:
                    f.write(v['export password'])
                pk12file = os.path.join(tmpnssdir, 'pk12file')
                with open(pk12file, 'wb') as f:
                    f.write(b64decode(v['pkcs12 data']))
                ipautil.run([paths.PK12UTIL,
                             '-d', tmpdb.secdir,
                             '-k', tmpdb.pwd_file,
                             '-n', nickname,
                             '-i', pk12file,
                             '-w', pk12pwfile])

            # Add CA certificates
            self.suffix = ipautil.realm_to_suffix(self.realm)
            self.export_ca_certs_nssdb(tmpdb, True)

            # Now that we gathered all certs, re-export
            ipautil.run([paths.PKCS12EXPORT,
                         '-d', tmpdb.secdir,
                         '-p', tmpdb.pwd_file,
                         '-w', crtpwfile,
                         '-o', cacerts_file])

        finally:
            shutil.rmtree(tmpnssdir)

    def get_ca_keys(self, ca_host, cacerts_file, cacerts_pwd):
        certlist = ['caSigningCert cert-pki-ca',
                    'ocspSigningCert cert-pki-ca',
                    'auditSigningCert cert-pki-ca',
                    'subsystemCert cert-pki-ca']
        data = {'prefix': 'ca',
                'list': certlist}
        self.__get_keys(ca_host, cacerts_file, cacerts_pwd, data)

    def get_kra_keys(self, ca_host, cacerts_file, cacerts_pwd):
        certlist = ['auditSigningCert cert-pki-kra',
                    'storageCert cert-pki-kra',
                    'subsystemCert cert-pki-ca',
                    'transportCert cert-pki-kra']
        data = {'prefix': 'ca',
                'list': certlist}
        self.__get_keys(ca_host, cacerts_file, cacerts_pwd, data)

    def __start(self):
        super(CustodiaInstance, self).__start()

    def __enable(self):
        super(CustodiaInstance, self).__enable()

APT Browse - Built by Thomas Orozco.