Compiled Python 2.6 bytecode (.pyc) of /usr/lib/python2.6/site-packages/ipapython/certmonger.py. Only the string and name tables survived extraction; what follows is the recoverable content (module constants, function names with their docstrings, and the external commands each function invokes). Bytecode that could not be read is omitted.

Imports: os, sys, re, time; from ipapython import ipautil; from ipapython import dogtag.

Constants:
    REQUEST_DIR = '/var/lib/certmonger/requests/'
    CA_DIR = '/var/lib/certmonger/cas/'

find_request_value(filename, directive)
    Return a value from a certmonger request file for the requested directive. It tries to do this a number of times because sometimes there is a delay when ipa-getcert returns and the file is fully updated, particularly when doing a request. Generating a CSR is fast but not instantaneous.
    (Retries with time.sleep between attempts; reads the file line by line and matches the directive with startswith.)

get_request_value(request_id, directive)
    There is no guarantee that the request_id will match the filename in the certmonger requests directory, so open each one to find the request_id.
    (Lists REQUEST_DIR, reads the 'id' directive of each file with find_request_value, then returns the requested directive from the matching file.)

get_request_id(criteria)
    If you don't know the certmonger request_id then try to find it by looking through all the request files. An alternative would be to parse the ipa-getcert list output but this seems cleaner.
    criteria is a tuple of key/value/type to search for. The more specific the better. An error is raised if multiple request_ids are returned for the same criteria. None is returned if none of the criteria match.
    (Values of type NPATH are compared after os.path.abspath; raises RuntimeError 'multiple certmonger requests match the criteria'.)

get_requests_for_dir(dir)
    Return a list containing the request ids for a given NSS database directory.
    (Matches the 'cert_storage_location' directive against the directory and collects the 'id' directive.)

add_request_value(request_id, directive, value)
    Add a new directive to a certmonger request file. The certmonger service MUST be stopped in order for this to work.
    (Appends a '%s=%s' line to the request file.)

add_principal(request_id, principal)
    In order for a certmonger request to be renewable it needs a principal. When an existing certificate is added via start-tracking it won't have a principal.
    (Calls add_request_value with directive 'template_principal'.)

add_subject(request_id, subject)
    In order for a certmonger request to be renewable it needs the subject set in the request file. When an existing certificate is added via start-tracking it won't have a subject_template set.
    (Calls add_request_value with directive 'template_subject'.)

request_cert(nssdb, nickname, subject, principal, passwd_fname)
    Execute certmonger to request a server certificate.
    (Runs /usr/bin/ipa-getcert request -d nssdb -n nickname -N subject -K principal, adding -p passwd_fname when given, and returns the request id parsed from stdout with the regex 'New signing request "(\d+)" added'.)

cert_exists(nickname, secdir)
    See if a nickname exists in an NSS database.
    Returns True/False
    This isn't very sophisticated in that it doesn't differentiate between a database that doesn't exist and a nickname that doesn't exist within the database.
    (Runs /usr/bin/certutil -L -d secdir -n nickname with raiseonerr=False; a zero return code means True.)

start_tracking(nickname, secdir, password_file, command)
    Tell certmonger to track the given certificate nickname in NSS database in secdir protected by optional password file password_file.
    command is an optional parameter which specifies a command for certmonger to run when it renews a certificate. This command must reside in /usr/lib/ipa/certmonger to work with SELinux.
    Returns the stdout, stderr and returncode from running ipa-getcert
    This assumes that certmonger is already running.
    (Raises RuntimeError 'Nickname "%s" doesn't exist in NSS database "%s"' when cert_exists fails; runs /usr/bin/ipa-getcert start-tracking -d secdir -n nickname, adding -p password_file and -C command when given.)

stop_tracking(secdir, request_id, nickname)
    Stop tracking the current request using either the request_id or nickname.
    This assumes that the certmonger service is running.
    (Raises RuntimeError 'Both request_id and nickname are missing.' when neither is given. With a nickname it first looks up the request via get_request_id using the 'cert_storage_location' (NPATH) and 'cert_nickname' criteria; then runs /usr/bin/getcert stop-tracking with -i request_id, or -n nickname -d secdir.)

_find_IPA_ca()
    Look through all the certmonger CA files to find the one that has id=IPA. We can use find_request_value because the ca files have the same file format.
    (Returns the path under CA_DIR of the file whose 'id' directive is IPA.)

Two further functions that read the IPA CA file found by _find_IPA_ca, rewrite matching lines and write the file back; their names did not survive extraction.

get_pin(token)
    Dogtag stores its NSS pin in a file formatted as token:PIN. The caller is expected to handle any exceptions raised.
    (Reads dogtag.configured_constants().PASSWORD_CONF_PATH, splits each line on ':' once and returns the pin for the requested token.)

dogtag_start_tracking(ca, nickname, pin, pinfile, secdir, pre_command, post_command)
    Tell certmonger to start tracking a dogtag CA certificate. These are handled differently because their renewal must be done directly and not through IPA.
    This uses the generic certmonger command getcert so we can specify a different helper.
    pre_command is the script to execute before a renewal is done.
    post_command is the script to execute after a renewal is done.
    Both commands can be None.
    Returns the stdout, stderr and returncode from running ipa-getcert
    This assumes that certmonger is already running.
    (Raises the same 'Nickname ... doesn't exist' RuntimeError as start_tracking; runs /usr/bin/getcert start-tracking -d secdir -n nickname -c ca, with -B pre_command and -C post_command when given, resolving relative command names to /usr/%s/ipa/certmonger/%s using lib64 or lib according to sys.maxsize; passes -p pinfile or -P pin, and -T dogtag-ipa-retrieve-agent-submit; the pin is passed to ipautil.run in nolog so it is not logged.)

check_state(dirs)
    Given a set of directories and nicknames verify that we are no longer tracking certificates.
    dirs is a list of directories to test for. We will return a tuple of nicknames for any tracked certificates found.
    This can only check for NSS-based certificates.
    (Extends a list with get_requests_for_dir(dir) for each directory.)

if __name__ == '__main__':
    request_id = request_cert('/etc/httpd/alias', 'Test', 'cn=tiger.example.com,O=IPA', 'HTTP/tiger.example.com@EXAMPLE.COM')
    csr = get_request_value(request_id, 'csr')
    print csr
    stop_tracking(...)