

Merge pull request #2692 from freenas/issues/76440
tkt-76440: Migrate CA's to Certificate in Directory Services
sonicaj committed Mar 5, 2019
2 parents f51429b + 4e53118 commit 9c9d0a5
Showing 8 changed files with 148 additions and 32 deletions.
4 changes: 2 additions & 2 deletions gui/common/freenasldap.py
Expand Up @@ -615,7 +615,7 @@ def __init__(self, **kwargs):
if ldap.ldap_certificate:
with client as c:
cert = c.call(
'certificateauthority.query',
'certificate.query',
[['id', '=', ldap.ldap_certificate.id]],
{'get': True}
)
Expand Down Expand Up @@ -1624,7 +1624,7 @@ def set_kwargs(self):
if ad.ad_certificate:
with client as c:
cert = c.call(
'certificateauthority.query',
'certificate.query',
[['id', '=', ad.ad_certificate.id]],
{'get': True}
)
6 changes: 3 additions & 3 deletions gui/directoryservice/forms.py
Expand Up @@ -490,7 +490,7 @@ def clean(self):
if certificate:
with client as c:
certificate = c.call(
'certificateauthority.query',
'certificate.query',
[['id', '=', certificate.id]],
{'get': True}
)
Expand Down Expand Up @@ -845,7 +845,7 @@ def check_for_samba_schema(self):
if certificate:
with client as c:
certificate = c.call(
'certificateauthority.query',
'certificate.query',
[['id', '=', certificate.id]],
{'get': True}
)
Expand Down Expand Up @@ -917,7 +917,7 @@ def clean(self):
else:
with client as c:
certificate = c.call(
'certificateauthority.query',
'certificate.query',
[['id', '=', certificate.id]],
{'get': True}
)
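--- a/gui/directoryservice/migrations/0006_certificate_model.py
+++ b/gui/directoryservice/migrations/0006_certificate_model.py
@@ -0,0 +1,112 @@
+from django.db import migrations, models
+import django.db.models.deletion
+
+import datetime
+
+CERT_TYPE_EXISTING = 0x08
+affected_models = {
+'activedirectory': {
+'field': 'ad_certificate'
+},
+'idmap_ldap': {
+'field': 'idmap_ldap_certificate'
+},
+'idmap_rfc2307': {
+'field': 'idmap_rfc2307_certificate'
+},
+'ldap': {
+'field': 'ldap_certificate'
+}
+}
+
+
+def save_cas(apps, schema_editor):
+for model_name in affected_models:
+model = apps.get_model('directoryservice', model_name).objects.order_by('-id')
+field = affected_models[model_name]['field']
+if model and getattr(model[0], field):
+affected_models[model_name]['ca_id'] = getattr(model[0], field).id
+setattr(model[0], field, None)
+model[0].save()
+
+
+def migrate_cas_to_certs(apps, schema_editor):
+cert_model = apps.get_model('system', 'certificate')
+ca_model = apps.get_model('system', 'certificateauthority')
+for model_name in filter(
+lambda i: affected_models[i].get('ca_id'),
+affected_models
+):
+obj = apps.get_model('directoryservice', model_name).objects.order_by('-id')[0]
+ca = ca_model.objects.get(pk=affected_models[model_name]['ca_id'])
+setattr(
+obj,
+affected_models[model_name]['field'],
+cert_model.objects.create(**{
+'cert_name': f'{ca.cert_name} (migrated for {model_name} at {datetime.datetime.now()})',
+'cert_certificate': ca.cert_certificate,
+'cert_privatekey': ca.cert_privatekey,
+'cert_type': CERT_TYPE_EXISTING
+})
+)
+obj.save()
+
+
+class Migration(migrations.Migration):
+
+dependencies = [
+('directoryservice', '0005_idmap_ad'),
+]
+
+operations = [
+migrations.RunPython(
+save_cas
+),
+migrations.AlterField(
+model_name='activedirectory',
+name='ad_certificate',
+field=models.ForeignKey(
+blank=True,
+null=True,
+on_delete=django.db.models.deletion.SET_NULL,
+to='system.Certificate',
+verbose_name='Certificate',
+),
+),
+migrations.AlterField(
+model_name='idmap_ldap',
+name='idmap_ldap_certificate',
+field=models.ForeignKey(
+blank=True,
+null=True,
+on_delete=django.db.models.deletion.SET_NULL,
+to='system.Certificate',
+verbose_name='Certificate',
+),
+),
+migrations.AlterField(
+model_name='idmap_rfc2307',
+name='idmap_rfc2307_certificate',
+field=models.ForeignKey(
+blank=True,
+null=True,
+on_delete=django.db.models.deletion.SET_NULL,
+to='system.Certificate',
+verbose_name='Certificate',
+),
+),
+migrations.AlterField(
+model_name='ldap',
+name='ldap_certificate',
+field=models.ForeignKey(
+blank=True,
+null=True,
+on_delete=django.db.models.deletion.SET_NULL,
+to='system.Certificate',
+verbose_name='Certificate',
+),
+),
+migrations.RunPython(
+migrate_cas_to_certs
+)
+]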
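Review bot: Neither `migrations.RunPython(...)` in `operations` passes a `reverse_code`, so migrating back to `0005_idmap_ad` is refused as irreversible even though the four `AlterField` steps reverse on their own; `migrations.RunPython(save_cas, migrations.RunPython.noop)` and the same for `migrate_cas_to_certs` would fix that, since the CA rows are never deleted and nothing needs undoing. The captured `ca_id` travels from `save_cas` to `migrate_cas_to_certs` through the module-level `affected_models` dict, which only works because both run in one process; a comment such as `# 'ca_id' is stashed here by save_cas and read by migrate_cas_to_certs within the same migrate run` would make that coupling visible to the next maintainer. `migrate_cas_to_certs` also copies `ca.cert_privatekey` into the new Certificate row although the directory-service consumers in this commit appear to read only `certificate_path`: a CA without a key yields a row that the models' `cert_privatekey__isnull` filter will hide from the picker, and a CA with a key now has that private key stored in a second place, which is worth confirming as intended.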
22 changes: 13 additions & 9 deletions gui/directoryservice/models.py
Expand Up @@ -32,7 +32,7 @@
from freenasUI import choices
from freenasUI.freeadmin.models import Model, PathField
from freenasUI.middleware.notifier import notifier
from freenasUI.system.models import CertificateAuthority
from freenasUI.system.models import Certificate

log = logging.getLogger("directoryservice.models")

Expand Down Expand Up @@ -416,11 +416,12 @@ class idmap_ldap(idmap_base):
default='off'
)
idmap_ldap_certificate = models.ForeignKey(
CertificateAuthority,
Certificate,
verbose_name=_("Certificate"),
on_delete=models.SET_NULL,
blank=True,
null=True
null=True,
limit_choices_to={'cert_certificate__isnull': False, 'cert_privatekey__isnull': False}
)

def __init__(self, *args, **kwargs):
Expand Down Expand Up @@ -586,11 +587,12 @@ class idmap_rfc2307(idmap_base):
default='off'
)
idmap_rfc2307_certificate = models.ForeignKey(
CertificateAuthority,
Certificate,
verbose_name=_("Certificate"),
on_delete=models.SET_NULL,
blank=True,
null=True
null=True,
limit_choices_to={'cert_certificate__isnull': False, 'cert_privatekey__isnull': False}
)

def __init__(self, *args, **kwargs):
Expand Down Expand Up @@ -912,11 +914,12 @@ class ActiveDirectory(DirectoryServiceBase):
default='off'
)
ad_certificate = models.ForeignKey(
CertificateAuthority,
Certificate,
verbose_name=_("Certificate"),
on_delete=models.SET_NULL,
blank=True,
null=True
null=True,
limit_choices_to={'cert_certificate__isnull': False, 'cert_privatekey__isnull': False}
)
ad_verbose_logging = models.BooleanField(
verbose_name=_("Verbose logging"),
Expand Down Expand Up @@ -1245,11 +1248,12 @@ class LDAP(DirectoryServiceBase):
default='off'
)
ldap_certificate = models.ForeignKey(
CertificateAuthority,
Certificate,
verbose_name=_("Certificate"),
on_delete=models.SET_NULL,
blank=True,
null=True
null=True,
limit_choices_to={'cert_certificate__isnull': False, 'cert_privatekey__isnull': False}
)
ldap_timeout = models.IntegerField(
verbose_name=_("LDAP timeout"),
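Review bot: The `limit_choices_to` added to `idmap_ldap_certificate` (and identically to `idmap_rfc2307_certificate`, `ad_certificate` and `ldap_certificate` in the later hunks) requires `cert_privatekey__isnull: False`, yet the consumers changed in this commit emit the selection as `tls_cacert`, a trust anchor for which only the public certificate is needed; an imported certificate without a private key would be hidden from the picker while being perfectly usable for that purpose. If the key really is required, a comment explaining why would help; if not, dropping `'cert_privatekey__isnull': False` from the filter is a one-line change. The same literal dict is repeated four times — a module-level `_CERT_CHOICES = {...}` referenced from each field would keep them from drifting apart.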
8 changes: 4 additions & 4 deletions src/freenas/usr/local/libexec/nas/generate_sssd_conf.py
Expand Up @@ -674,15 +674,15 @@ def add_ldap_section(client, sc):
)

if ldap.ldap_ssl == 'on':
ca = client.call('certificateauthority.query', [('id', '=', ldap.ldap_certificate.id)], {'get': True})
certpath = ca['certificate_path']
cert = client.call('certificate.query', [('id', '=', ldap.ldap_certificate.id)], {'get': True})
certpath = cert['certificate_path']
if certpath:
ldap_section.ldap_tls_cacert = certpath

elif ldap.ldap_ssl == 'start_tls':
ldap_section.tls_reqcert = 'allow'
ca = client.call('certificateauthority.query', [('id', '=', ldap.ldap_certificate.id)], {'get': True})
certpath = ca['certificate_path']
cert = client.call('certificate.query', [('id', '=', ldap.ldap_certificate.id)], {'get': True})
certpath = cert['certificate_path']
if certpath:
ldap_section.ldap_tls_cacert = certpath
ldap_section.ldap_id_use_start_tls = 'true'
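Review bot: Both branches dereference `ldap.ldap_certificate.id` without first checking that a certificate is set, but the field is declared `null=True` in the models.py hunk, so an LDAP config with `ldap_ssl` on and no certificate would raise AttributeError here instead of producing a section without `ldap_tls_cacert`; nslcd.conf and nss_ldap.conf in this commit guard with `if ldap['ldap_certificate']:` first, and this file should do the same. The query and the `certpath` assignment are also duplicated verbatim in the `on` and `start_tls` branches; doing the lookup once above the `if` and only branching on the SSL mode would remove the repetition. `add_ldap_section` continues outside the hunk.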
10 changes: 5 additions & 5 deletions src/middlewared/middlewared/etc_files/local/nslcd.conf
Expand Up @@ -9,11 +9,11 @@
ldap = safe_call('datastore.query', 'directoryservice.LDAP')
if ldap and ldap[0]:
ldap = ldap[0]
capath = None
certpath = None
if ldap['ldap_certificate']:
cert = safe_call('certificateauthority.query', [('id', '=', ldap['ldap_certificate']['id'])], {'get': True})
cert = safe_call('certificate.query', [('id', '=', ldap['ldap_certificate']['id'])], {'get': True})
if cert:
capath = cert['certificate_path']
certpath = cert['certificate_path']
else:
ldap = None

Expand All @@ -27,8 +27,8 @@ uri ${ldap_uri}
base ${ldap['ldap_basedn']}
% if ldap['ldap_ssl'] in ('start_tls', 'on'):
ssl ${ldap['ldap_ssl']}
% if capath:
tls_cacert ${capath}
% if certpath:
tls_cacert ${certpath}
% endif
tls_reqcert allow
% endif
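Review bot: `certpath` now comes from a Certificate row but is still emitted as `tls_cacert`, and the unchanged `tls_reqcert allow` directly below it tells nslcd to proceed even when the server certificate cannot be verified against that anchor, so the selected certificate warns rather than enforces; that is pre-existing, but a template comment such as `## 'allow' tolerates an unverifiable server certificate; tls_cacert above is advisory` would keep the next reader from assuming the certificate selection hardens the connection. The identical block in nss_ldap.conf has the same shape and would take the same comment.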
10 changes: 5 additions & 5 deletions src/middlewared/middlewared/etc_files/local/nss_ldap.conf
Expand Up @@ -9,11 +9,11 @@
ldap = safe_call('datastore.query', 'directoryservice.LDAP')
if ldap and ldap[0]:
ldap = ldap[0]
capath = None
certpath = None
if ldap['ldap_certificate']:
cert = safe_call('certificateauthority.query', [('id', '=', ldap['ldap_certificate']['id'])], {'get': True})
cert = safe_call('certificate.query', [('id', '=', ldap['ldap_certificate']['id'])], {'get': True})
if cert:
capath = cert['certificate_path']
certpath = cert['certificate_path']
else:
ldap = None

Expand All @@ -27,8 +27,8 @@ uri ${ldap_uri}
base ${ldap['ldap_basedn']}
% if ldap['ldap_ssl'] in ('start_tls', 'on'):
ssl ${ldap['ldap_ssl']}
% if capath:
tls_cacert ${capath}
% if certpath:
tls_cacert ${certpath}
% endif
tls_reqcert allow
% endif
Expand Up @@ -56,17 +56,17 @@
# Recursive inception
#
if idmap['ssl'] in ('start_tls', 'on'):
ca = safe_call('certificateauthority.query', [('id', '=', idmap['certificate']['id'])], {'get': True})
tls_cacert = ca['cert_ceritifcate_path']
cert = safe_call('certificate.query', [('id', '=', idmap['certificate']['id'])], {'get': True})
tls_cacert = cert['certificate_path']
ssl = idmap['ssl']

elif ldap_enabled and ldap:
uri = "%s://%s" % ("ldaps" if ldap['ldap_ssl'] == "on" else "ldap", ldap['ldap_hostname'])
base = ldap['ldap_basedn']

if ldap['ldap_ssl'] in ("start_tls", "on"):
ca = safe_call('certificateauthority.query', [('id', '=', ldap['ldap_certificate']['id'])], {'get': True})
tls_cacert = ca['certificate_path']
cert = safe_call('certificate.query', [('id', '=', ldap['ldap_certificate']['id'])], {'get': True})
tls_cacert = cert['certificate_path']
ssl = ldap['ldap_ssl']
%>
% if (ldap_enabled and ldap) or (ad_enabled and ad):
