a

�N(i~'�@s
dd
lm
Z

ddlZddlZddlmZ
ddlmZmZ
ddl	m
Z

ddlmZm
Z
mZmZ
ddlmZ
ddlmZ
dd	lmZ
dd
lmZmZmZ
ddlmZmZmZ
ddlmZ
e� e!�
Z"Gd
d�dej#�Z$dd�Z%dd�Z&dd�Z'dd�Z(ddd�
Z)dd�Z*dS)�)
�absolute_importN)
�urlsplit)�
certmonger�	certstore)
�is_ipa_configured)�	admintool�certdb�ipaldap�ipautil)
�services)
�paths)
�tasks)�api�errors�x509)�FQDN�IPA_CA_NICKNAME�RENEWAL_CA_NAME)
�check_client_configurationcs0eZ
dZd
ZdZdZ�f
dd�Zdd�Z�ZS)�
CertUpdatezipa-certupdatez%prog [options]zIUpdate local IPA certificate databases with certificates from the server.c

stt
|�jd
d�

dS)NT)
Z
needs_root)�superr�validate_options)
�self�
�	__class__��D/usr/lib/python3.9/site-packages/ipaclient/install/ipa_certupdate.pyr0s
zCertUpdate.validate_optionsc
	Cs�t�
t
j�d
�
}
dt
jd<dt
jd
<z�z<tjdtjd�
t��
tj	j
��
tt�

tj	j
�
�
Wn"tjy�


t�dt�
�Yn0W|
dur�t
jd
=q�|
t
jd
<n|
dur�t
jd
=n
|
t
jd
<0dS)NZ
KRB5CCNAMEz/etc/krb5.keytabZKRB5_CLIENT_KTNAMEzMEMORY:Z
cli_installer)�contextZconfdirz9Unable to obtain credentials for %s from /etc/krb5.keytab)r�os�environ�getrZ	bootstraprZETC_IPA�finalizeZBackendZ	rpcclientZconnect�
run_with_argsZ
disconnectrZCCacheError�logger�errorr)rZold_krb5ccnamerrr�run3s,












�


�

zCertUpdate.run)	�__name__�
__module__�__qualname__Zcommand_name�usage�descriptionrr%�
__classcell__rrrrr(s

rc
	Cs�
t|j
j�
j}
tj�|
�
}z|jjd
d�
}|d}Wn6t	j
t	jfyj


|jj
ddd�}|dd}Yn0|��
t
�||j
j|j
j|�}|r�|j��d}ng}t|�

t��
r�|jjdd	d
�}dd�|dD�
}t|�

d
dlm}	m}

|	�����
r*z|	�|�

Wnt�
y(


t�d�

Yn0zt|	|
|j
j |j
j!|�
Wnt�
yd


t�d�

Yn0t"j#j$�%��
r�t"j#j$�&�
t"j#j'�%��
r�t"j#j'�&�
dS)z�
    Run the certupdate procedure with the given API object.

    :param api: API object with ldap2/rpcclient backend connected
                (such that Commands can be invoked)

    z2.107)
�version�resultTz2.0)�serverr,�	enable_raz	CA serverZenabled)Z
role_servrole�statusc
Ssg|]}
|
d�qS)
Z
server_serverr)�.0r.rrr�
<listcomp>s�z!run_with_args.<locals>.<listcomp>r
)�
cainstance�custodiainstancez.Failed to add lightweight CA tracking requestszFailed to update RA configN)(r�envZjsonrpc_uri�hostnamer	Z
LDAPClientZfrom_hostname_secureZCommandZ
ca_is_enabledrZCommandErrorZNetworkErrorZgssapi_bindrZget_ca_certsZbasedn�realmZca_find�
update_clientrZserver_role_find�
update_serverZipaserver.installr4r5�
CAInstanceZ
is_configuredZ$add_lightweight_ca_tracking_requests�	Exceptionr#�	exception�update_server_ra_configr/�ca_hostr�
knownservicesZhttpd�
is_running�restartZkrb5kdc)rr.Zldapr-Z
ca_enabled�certsZlwcasZresp�
ca_serversr4r5rrrr"NsT






�


�




�



�


r"c
Cs�tt
j|�
tt
j|�
tt
j|�
t�tjj	�
}
d
D]d}|
�
|�
r6z|
�|�

Wq:tj
y�
}
z*t�d||
j|�
WYd}~q6WYd}~q:d}~00q:q6t|
j|�
t��
t�|�

dS)N)zIPA CAzExternal CA certzFailed to remove %s from %s: %s)�update_filerZ
IPA_CA_CRTZKDC_CA_BUNDLE_PEMZ
CA_BUNDLE_PEMr�NSSDatabaserr6Znss_dirZhas_nickname�delete_certr
�CalledProcessErrorr#r$Zsecdir�	update_dbr
Z(remove_ca_certs_from_systemwide_ca_storeZ(insert_ca_certs_into_systemwide_ca_store)rCZipa_db�nickname�
errrr9�s"










�&
r9c
Cs
d
�t
jj�d�
�
}
ttj|
|�
tj	j
��r>tj	j
�|
�

tj
ttd�}t�|�
}|du
r�t
jjd}t�d|�
tj|dd�
zt�||�}Wn ty�


t�d|�
�
Yn0t�|d	�}|d
ks�|r�t�d|�
�
t�d|�
tj|d
d�
ttj|�
ttj|�
dS)N�
-�
.)z
cert-databasez
cert-nicknamezca-name�<z$resubmitting certmonger request '%s'zdogtag-ipa-ca-renew-agent-reuse)
�cazQResubmitting certmonger request '%s' timed out, please check the request manuallyzca-errorZ
MONITORINGzMError resubmitting certmonger request '%s', please check the request manuallyz!modifying certmonger request '%s'zdogtag-ipa-ca-renew-agent)�joinrr6r8�splitrIrZ"ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATErr@ZdirsrvrArBZPKI_TOMCAT_ALIAS_DIRrrrZget_request_idZstartup_timeoutr#�debugZresubmit_requestZwait_for_request�RuntimeErrorrZScriptErrorZget_request_valueZmodifyrEZCA_CRTZ
CACERT_PEM)rC�instanceZcriteriaZ
request_id�timeout�stateZca_errorrrrr:�sD





�





�




��




��

r:cCsjt|�
d
krdS|d
}|sT|j
��
|
jtjjtjj|d�}|�|�

|�	|�

n||v
rf|�	|�

dS)z�
    After promoting a CA-less deployment to CA-ful, or after removal
    of a CA server from the topology, it may be necessary to update
    the default.conf ca_host setting on non-CA replicas.

    r
N)Z	host_namer8Z
custodia_peer)
�lenr;Z$configure_certmonger_renewal_helpersZCustodiaInstancerr6�hostr8Z
import_ra_keyZupdate_ipa_conf)r4r5r/r?rDZnew_ca_hostZcustodiarrrr>�s






�

r>�
c
CsZd
d�|
D�
}
ztj
|
||d�
Wn2tyT
}
zt�d||�
WYd}~n
d}~00dS)Nc
ss"|]}
|
dd
u
r|
dV
qdS)�Fr
Nr)r1�
crrr�	<genexpr>
r3zupdate_file.<locals>.<genexpr>)
�modezfailed to update %s: %s)rZwrite_certificate_listr<r#r$)�filenamerCr]rKrrrrE
s





rEcCs�t�
|�
}|��D]\}}|jr|�|�

q|
D]f\}}}}}	t�|d
|�}
z|�|||
�
Wq0tj	y�
}
zt
�d|||�
WYd}~q0d}~00q0dS)z�Drop all CA certs from db then add certs from list provided

       This may result in some churn as existing certs are dropped
       and re-added but this also provides the ability to change
       the trust flags.
    Tzfailed to update %s in %s: %sN)rrFZ
list_certsrOrGrZkey_policy_to_trust_flagsZadd_certr
rHr#r$)�pathrCZdb�name�flagsZcertrJZtrustedZekuZ_serialZtrust_flagsrKrrrrI
s









rI)
rY)+Z
__future__rZloggingr�urllib.parserZipalib.installrrZipalib.factsrZ	ipapythonrrr	r
ZipaplatformrZipaplatform.pathsrZipaplatform.tasksr
ZipalibrrrZipalib.constantsrrrZipalib.utilrZ	getLoggerr&r#Z	AdminToolrr"r9r:r>rErIrrrr�<module>s(









&I0%