[Binary page: a PNG image followed by a CPython 2.7 bytecode file compiled from /usr/lib/python2.7/site-packages/ipalib/install/certmonger.py (FreeIPA). The image carries no text. What follows is the text recoverable from the bytecode, in source order: the module's D-Bus constants and the docstrings and string constants of its classes and functions. Code bodies whose strings did not survive extraction are listed by name only.]

Module: ipalib/install/certmonger.py

Imports: dbus, logging, os, shlex, subprocess, tempfile, time; ipalib.api; ipalib.constants.CA_DBUS_TIMEOUT; ipapython.dn.DN; ipaplatform.paths; ipaplatform.services. A module logger is obtained with logging.getLogger(__name__).

D-Bus constants:

    DBUS_CM_PATH       = '/org/fedorahosted/certmonger'
    DBUS_CM_IF         = 'org.fedorahosted.certmonger'
    DBUS_CM_NAME       = 'org.fedorahosted.certmonger'
    DBUS_CM_REQUEST_IF = 'org.fedorahosted.certmonger.request'
    DBUS_CM_CA_IF      = 'org.fedorahosted.certmonger.ca'
    DBUS_PROPERTY_IF   = 'org.freedesktop.DBus.Properties'

class _cm_dbus_object(object)
    Auxiliary class for convenient DBus object handling.

    __init__(self, bus, parent, object_path, object_dbus_interface, parent_dbus_interface=None, property_interface=False)
        bus - DBus bus object, result of dbus.SystemBus() or dbus.SessionBus().
              The object is accessible over this DBus bus instance.
        object_path - path to the requested object on the DBus bus
        object_dbus_interface
        parent_dbus_interface
        property_interface - create a DBus property interface? True or False
        Raises RuntimeError("bus, object_path and dbus_interface must not be None.").
        The object is fetched with bus.get_object(); dbus.Interface() wraps it for
        object_dbus_interface and, when property_interface is set, for
        DBUS_PROPERTY_IF.

class _certmonger(_cm_dbus_object)
    Create a connection to certmonger. By default use SystemBus. When not
    available use a private connection over a Unix socket.

    This solution is really ugly and should be removed as soon as DBus SystemBus
    is available at system install time.

    timeout = 300

    _start_private_conn(self)
        Creates a temporary directory, starts paths.CERTMONGER with
        "-n -L -P unix:path=<socket>" via subprocess.Popen, and waits up to
        `timeout` seconds for the socket to appear. On failure it stops the
        private daemon and raises RuntimeError("Failed to start certmonger: Timed out").

    _stop_private_conn(self)
        Terminates the private certmonger process and polls it for up to
        `timeout` seconds; logs "Failed to stop certmonger." if it does not exit.

    __del__(self)
        Calls _stop_private_conn().

    __init__(self)
        Tries dbus.SystemBus(). On a DBusException named
        'org.freedesktop.DBus.Error.NoServer' or
        'org.freedesktop.DBus.Error.FileNotFound' it logs
        "Failed to connect to certmonger over SystemBus: %s", starts a private
        connection and uses dbus.connection.Connection() on the private socket
        (logging "Failed to connect to certmonger over private socket: %s" on
        failure). If get_name_owner(DBUS_CM_NAME) fails it starts the
        services.knownservices.certmonger service (logging "Failed to start
        certmonger: %s") and retries for up to `timeout` seconds, finally raising
        RuntimeError("Failed to start certmonger"). The superclass is then
        initialised with DBUS_CM_PATH and DBUS_CM_IF with a property interface.

_get_requests(criteria)
    Get all requests that match the provided criteria.
    Raises TypeError('"criteria" must be dict.'). If 'nickname' is in the
    criteria the request is looked up with find_request_by_nickname; otherwise
    get_requests() is walked and every criterion is compared against the
    request's DBUS_CM_REQUEST_IF property. The criterion 'ca-name' is resolved
    through the request's get_ca() object and its get_nickname();
    RuntimeError("certmonger CA '%s' is not defined") is raised if the CA does
    not exist.

_get_request(criteria)
    Find the request that matches criteria. If 'nickname' is specified the other
    criteria are ignored because 'nickname' uniquely identifies a single
    request. When multiple requests, or none, match the specified criteria,
    RuntimeError("Criteria expected to be met by 1 request, got %s.") is raised.

get_request_value(request_id, directive)
    Get a property of a request.
    Looks the request up by {'nickname': request_id} (logging "Failed to get
    request: %s" on RuntimeError). The directive 'ca-name' is answered from the
    request's CA object; any other directive is read with Get() on
    DBUS_CM_REQUEST_IF. Returns None when the request is not found.

get_request_id(criteria)
    If you don't know the certmonger request_id then try to find it by looking
    through all the requests. criteria is a set of key/value pairs to search
    for (the lookup itself requires a dict, see _get_requests). The more
    specific the better. An error is raised if multiple request_ids are returned
    for the same criteria. None is returned if none of the criteria match.
    Returns the request's 'nickname' property.

get_requests_for_dir(dir)
    Return a list containing the request ids for a given NSS database directory.
    Criteria used: {'cert-storage': 'NSSDB', 'key-storage': 'NSSDB',
    'cert-database': dir, 'key-database': dir}.

add_request_value(request_id, directive, value)
    Add a new directive to a certmonger request file.
    Looks the request up by nickname and calls its modify({directive: value}).

add_principal(request_id, principal)
    In order for a certmonger request to be renewable it needs a principal. When
    an existing certificate is added via start-tracking it won't have a
    principal. Sets 'template-principal'.

add_subject(request_id, subject)
    In order for a certmonger request to be renewable it needs the subject set in
    the request file. When an existing certificate is added via start-tracking
    it won't have a subject_template set. Sets 'template-subject'.

request_and_wait_for_cert(certpath, subject, principal, nickname, passwd_fname, dns, ca='IPA', profile, pre_command, post_command, storage, perms, resubmit_timeout=0)
    Request certificate, wait and possibly resubmit failing requests.

    Submit a cert request to certmonger and wait until the request has finished.
    With timeout, a failed request is resubmitted.

    During parallel replica installation, a request sometimes fails with
    CA_REJECTED or CA_UNREACHABLE. The error occurs when the master is either
    busy or some information hasn't been replicated yet. Even a stuck request
    can be recovered, e.g. when permission and group information have been
    replicated.

    Implementation visible in the bytecode: request_cert() is called, the
    deadline is time.time() + resubmit_timeout, and the loop calls
    wait_for_request(req_id, api.env.replication_wait_timeout), then reads the
    'ca-error' directive. A 'MONITORING' state with no CA error logs
    "Cert request %s was successful" and returns req_id. Otherwise it logs
    "Cert request %s failed: %s (%s)"; a state outside {CA_REJECTED,
    CA_UNREACHABLE} logs "Giving up on cert request %s" and stops; a zero
    resubmit_timeout stops; a passed deadline logs "Request %s reached resubmit
    dead line" and stops; else it logs "Sleep and resubmit cert request %s",
    sleeps 10 seconds and calls resubmit_request(). Failure raises
    RuntimeError("Certificate issuance failed ({}: {})") with the state and CA
    error.

request_cert(...)
    Submits the request to certmonger. The docstring and the bodies of the
    request-submission and tracking helpers that follow it did not survive
    extraction.

resubmit_request(request_id, ca, profile, template, is_ca)
    Docstring fragment recovered: ":param is_ca: boolean that if True adds the
    CA basic constraint". Modifies the request with the directives
    'template-profile', 'template-ms-certificate-template', 'template-is-ca'
    and 'template-ca-path-length', then calls resubmit().

_find_IPA_ca()
    Look through all the certmonger CA files to find the one that has id=IPA.
    We can use find_request_value because the ca files have the same file
    format. Returns a _cm_dbus_object for the CA on DBUS_CM_CA_IF with a
    property interface.

add_principal_to_cas(principal)
    If the hostname we were passed to use in ipa-client-install doesn't match
    the value of gethostname() then we need to append -k host/HOSTNAME@REALM to
    the ca helper defined for /usr/libexec/certmonger/ipa-submit.

    We also need to restore this on uninstall.
    Reads the CA's 'external-helper' property; if '-k' is not already among
    shlex.split() of it, sets it to "%s -k %s".

remove_principal_from_cas()
    Remove any -k principal options from the ipa_submit helper.
    Truncates 'external-helper' before the '-k' token.

modify_ca_helper(ca_name, helper)
    Modify a certmonger CA helper.

    Applies the new helper and returns the previous configuration.
    Uses dbus.SystemBus() directly with 'org.fedorahosted.certmonger' at
    '/org/fedorahosted/certmonger'; raises RuntimeError("{} is not configured")
    when the CA is unknown; reads and then Set()s 'external-helper' on
    'org.fedorahosted.certmonger.ca' with timeout=CA_DBUS_TIMEOUT.

get_pin(token)
    Dogtag stores its NSS pin in a file formatted as token:PIN.

    The caller is expected to handle any exceptions raised.
    Opens paths.PKI_TOMCAT_PASSWORD_CONF, splits each line on the first '=',
    and returns the stripped value whose key equals token; otherwise None.

check_state(dirs)
    Given a set of directories and nicknames verify that we are no longer
    tracking certificates.

    dirs is a list of directories to test for. We will return a tuple of
    nicknames for any tracked certificates found.

    This can only check for NSS-based certificates.
    Collects get_requests_for_dir() for each directory.

wait_for_request(request_id, timeout=120)
    Polls the request's 'status' once per second, logging
    "certmonger request is in state %r", until the state is one of
    CA_REJECTED, CA_UNREACHABLE, CA_UNCONFIGURED, NEED_GUIDANCE, NEED_CA or
    MONITORING; raises RuntimeError('request timed out') after `timeout`
    polls and returns the state otherwise.

if __name__ == '__main__':
    request_cert(paths.HTTPD_ALIAS_DIR, DN('cn=tiger.example.com,O=IPA'),
                 'HTTP/tiger.example.com@EXAMPLE.COM', 'Test'), then the 'csr'
    directive is fetched with get_request_value() and printed, and the request
    is stopped.
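The state machine that request_and_wait_for_cert() and wait_for_request() describe is the part of this module a practitioner most often has to reason about: which certmonger states are worth resubmitting (CA_REJECTED, CA_UNREACHABLE), which need an operator (NEED_GUIDANCE, NEED_CA, CA_UNCONFIGURED), and how the two timeouts interact. The example below is added here and is not FreeIPA's code: it re-expresses that loop with the four certmonger calls injected as callables so it runs offline. In the real module those callables are request_cert(), the 'status' and 'ca-error' properties of the org.fedorahosted.certmonger.request interface, and resubmit_request(). FakeCertmonger, FakeClock, run_scenario, the request id "20240101000000" and the CA error string are constructed for the example.

```python
# Added example, not FreeIPA's code: the request-and-wait state machine of
# ipalib.install.certmonger, with the D-Bus calls injected so it runs offline.

# 'status' values that end a wait_for_request() poll (the module's own set).
TERMINAL_STATES = frozenset({
    "CA_REJECTED", "CA_UNREACHABLE", "CA_UNCONFIGURED",
    "NEED_GUIDANCE", "NEED_CA", "MONITORING",
})
# Only these are resubmitted: they happen when the CA is busy or replication
# has not caught up.  The other failure states need an operator, so retrying
# them would just loop until the deadline.
RETRYABLE_STATES = frozenset({"CA_REJECTED", "CA_UNREACHABLE"})
RESUBMIT_PAUSE = 10  # seconds slept before a resubmit, as in the module


class CertRequestError(RuntimeError):
    """Raised where the module raises RuntimeError."""


def wait_for_request(get_status, clock, timeout=120):
    """Poll get_status() once a second until a terminal state or timeout."""
    for _ in range(timeout):
        state = get_status()
        if state in TERMINAL_STATES:
            return state
        clock.sleep(1)
    raise CertRequestError("request timed out")


def request_and_wait(submit, get_status, get_ca_error, resubmit, clock,
                     resubmit_timeout=0, wait_timeout=120):
    """Submit, wait, and resubmit transient CA failures until resubmit_timeout
    virtual seconds have elapsed.  Returns the request id once MONITORING."""
    req_id = submit()
    deadline = clock.now() + resubmit_timeout
    while True:
        state = wait_for_request(lambda: get_status(req_id), clock, wait_timeout)
        if state == "MONITORING":
            return req_id
        ca_error = get_ca_error(req_id)
        if state not in RETRYABLE_STATES:
            break                                   # operator action required
        if not resubmit_timeout or clock.now() > deadline:
            break                                   # resubmission off or exhausted
        clock.sleep(RESUBMIT_PAUSE)
        resubmit(req_id)
    raise CertRequestError(
        "Certificate issuance failed ({}: {})".format(state, ca_error))


class FakeClock:
    """Virtual time so the example never really sleeps (constructed)."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


class FakeCertmonger:
    """Scripted stand-in for the certmonger D-Bus service (constructed).
    scripts[i] lists the 'status' values returned on successive polls after
    the i-th (re)submission; the last value of a script repeats."""
    def __init__(self, scripts):
        self.scripts = [list(s) for s in scripts]
        self.resubmits = 0
        self.polls = 0

    def submit(self):
        return "20240101000000"          # certmonger-style request id (constructed)

    def status(self, req_id):
        script = self.scripts[min(self.resubmits, len(self.scripts) - 1)]
        state = script[min(self.polls, len(script) - 1)]
        self.polls += 1
        return state

    def ca_error(self, req_id):
        return "Server at https://ipa.example.test/ipa/xml failed request"  # constructed

    def resubmit(self, req_id):
        self.resubmits += 1
        self.polls = 0


def run_scenario(scripts, resubmit_timeout=0, wait_timeout=120):
    """Drive request_and_wait against a scripted certmonger and return
    (outcome, number of resubmits, virtual seconds elapsed)."""
    cm, clock = FakeCertmonger(scripts), FakeClock()
    try:
        request_and_wait(cm.submit, cm.status, cm.ca_error, cm.resubmit,
                         clock, resubmit_timeout, wait_timeout)
        outcome = "MONITORING"
    except CertRequestError as exc:
        outcome = str(exc)
    return outcome, cm.resubmits, clock.now()


if __name__ == "__main__":
    # A transient CA outage recovered by a single resubmit.
    print(run_scenario([["SUBMITTING", "CA_UNREACHABLE"],
                        ["SUBMITTING", "MONITORING"]], resubmit_timeout=60))
    # A misconfigured request fails at once, with no resubmit.
    print(run_scenario([["NEED_GUIDANCE"], ["MONITORING"]], resubmit_timeout=60))
```

The deadline scenario is the one to keep in mind when choosing resubmit_timeout: a CA that never answers is resubmitted every RESUBMIT_PAUSE seconds until the deadline passes, so the total wall-clock time is the deadline plus one extra wait cycle, not the deadline itself.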