SCAutolib.models.CA
This module implements classes that represent Certification Authorities (CA).
Classes
- class BaseCA
- request_cert(csr, username, cert_out)
Request a certificate from the CA for the given username
- Parameters:
csr (str) – path to CSR
username (str) – subject for the certificate
cert_out (pathlib.Path) – path where the certificate should be duplicated. Default None
- Returns:
None or path where the certificate is stored.
- Return type:
None or pathlib.Path
- revoke_cert(cert)
Revoke the given certificate
- Parameters:
cert (pathlib.Path) – path to the certificate
- class CustomCA(card)
- TODO:
CustomCA is not tested yet and is not functional until testing of physical cards with the removinator is implemented
Represents a CA for physical cards. Physical cards are often read-only, and root CA certificates or bundles are provided with the card. This class provides methods for manipulating the root CA certificates of physical cards.
Initialize required attributes
- class IPAServerCA(ip_addr, server_hostname, domain, admin_passwd, root_passwd, client_hostname, realm=None)
Represents an IPA server with an integrated CA. Communication with the IPA server is made primarily through the python_freeipa.client_meta.ClientMeta class. During setup of the IPA client on the system, a script generated on the IPA server side has to be executed to set up the client for smart card authentication. For this reason an SSH connection is made to the server and the script is fetched as part of the IPAServerCA.create() method.
Initialize the object for the IPA client of the given IPA server. Also creates a meta client (python_freeipa.client_meta.ClientMeta) logged in to the server and ready to use.
- Parameters:
ip_addr (str) – IP address of the IPA server
server_hostname (str) – Hostname of the IPA server
domain (str) – Domain name of the IPA server
admin_passwd (str) – Password for admin user on the IPA server
root_passwd (str) – Password for root user on the IPA server (system user)
client_hostname (str) – Hostname for the client. This name would be set on the client host
realm (str) – Kerberos realm. If not set, the domain name in upper case is used instead
- _add_to_resolv()
Add the IPA server as a new nameserver to /etc/resolv.conf and lock this file against further editing
- _get_sc_setup_script()
Fetch the smart card setup script for the IPA client and place it in a predefined location. The script is generated only on the IPA server; fetching is done by connecting to the host via SSH.
- add_user(user)
Add the given user to the IPA server. It is a wrapper around the python_freeipa.client_meta.ClientMeta.user_add method: it extracts the necessary fields from the IPAUser object and passes them to that method. As a result, o_givenname == o_uid == o_sn == o_cn for simplicity.
- Parameters:
user – User to be added to the IPA server.
- cleanup()
Remove the IPA client from the system and from the IPA server
- Raises:
subprocess.CalledProcessError – raised by the run function
- del_user(user)
Remove the user from the IPA server
- Parameters:
user – User to be deleted
- Raises:
AssertionError – If the operation fails. Failure is detected from the return value of the request to the IPA server.
- property is_installed
- Returns:
True if the IPA client is installed on the system (the /etc/ipa directory contains the ca.crt file from the IPA server), otherwise False
- Return type:
bool
- request_cert(csr, username, cert_out)
Request a certificate using the CSR from the IPA CA for the given username. It is a wrapper around the python_freeipa.client_meta.ClientMeta.cert_request method. It works with a file: it extracts the CSR data from it, then stores the result in PEM format, adding the required prefix and suffix as in a normal certificate. If cert_out is a directory, the certificate is stored in this directory with the name <username>.pem. If it is a file, check whether it has the .pem extension; if not, append the .pem suffix to the name.
- Parameters:
csr (pathlib.Path) – path to CSR
username (str) – subject for the certificate
cert_out (pathlib.Path) – path where the certificate is stored. Can be a directory or a file.
- Returns:
Path to the PEM certificate.
- Return type:
pathlib.Path
- revoke_cert(cert_path)
Revoke the given certificate on the IPA server. It is a wrapper around the python_freeipa.client_meta.ClientMeta.revoke_cert method. It extracts the serial number of the certificate from the file.
- Parameters:
cert_path (pathlib.Path) – Path to the certificate in PEM format
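Reading the serial number out of a PEM certificate, which is the step described above for IPAServerCA.revoke_cert before the IPA revoke call, as an added example that is not SCAutolib's own code. It uses only the standard library: a minimal DER walker reads just far enough into the certificate to reach the serialNumber field. The function names are mine, and the sample certificate is a constructed, truncated skeleton (not a real certificate) built only to exercise the parser.

```python
"""Added example (not SCAutolib's own code): extract the serial number from a
PEM-encoded X.509 certificate using only the standard library."""
import base64
from typing import Tuple


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines and decode the base64 body."""
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, int, int]:
    """Parse one DER tag-length-value element starting at buf[pos].
    Returns (tag, value_start, value_end); value_end is the offset after it."""
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:                # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def certificate_serial(pem: str) -> int:
    """Return the serialNumber INTEGER of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { [0] version OPTIONAL,
                               serialNumber INTEGER, ... }, ... }
    """
    der = pem_to_der(pem)
    tag, pos, _ = _read_tlv(der, 0)          # outer Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (Certificate)")
    tag, pos, _ = _read_tlv(der, pos)        # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (tbsCertificate)")
    tag, start, end = _read_tlv(der, pos)
    if tag == 0xA0:                          # explicit [0] version is present; skip it
        tag, start, end = _read_tlv(der, end)
    if tag != 0x02:
        raise ValueError("expected serialNumber INTEGER")
    return int.from_bytes(der[start:end], "big", signed=True)


# --- constructed sample input (hypothetical, not a real certificate) ---
def _tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV with short or long form length."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def build_sample_pem(serial: int) -> str:
    """Build a truncated certificate skeleton: v3 version tag, the given serial
    and an empty placeholder AlgorithmIdentifier. Enough for certificate_serial."""
    ser = serial.to_bytes((serial.bit_length() + 8) // 8, "big", signed=True)
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, ser) + _tlv(0x30, b""))
    cert = _tlv(0x30, tbs)
    b64 = base64.b64encode(cert).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    sample = build_sample_pem(0x1F71FB04CB)
    print(hex(certificate_serial(sample)))
```

The serial is decoded as a signed big-endian integer because DER INTEGERs are two's complement; a real CA emits positive serials with a leading 0x00 byte when the high bit is set, which the signed decode handles correctly. On a real certificate file the same function works unchanged, since the walker only needs the first few elements of tbsCertificate.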
- class LocalCA(root_dir=None, cnf=None)
Represents the local CA that is created as the CA for virtual cards.
Class for the local CA. Initializes required attributes; the real setup is done by the LocalCA.setup() method
- Parameters:
root_dir (Optional[Path]) – Path to the root directory of the CA. By default /etc/SCAutolib/ca
cnf (OpensslCnf) – object representing the openssl cnf file
- property is_installed
Check if the local CA is installed
- request_cert(csr, username, cert_out=None)
Create the certificate from the CSR and sign it. The certificate is stored in the <root ca directory>/ca/newcerts directory with the name <username>.pem
- Parameters:
csr (pathlib.Path) – path to CSR
username (str) – subject in the CSR
cert_out (pathlib.Path) – path where the certificate should be duplicated. Can be a directory or a file. If a file, the .pem extension is set on the filename. If not specified, the certificate is created in the default directory and filename <root ca directory>/certs/<username>.pem
- Returns:
path to the signed certificate
- Return type:
pathlib.Path
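The output-path rules described for both IPAServerCA.request_cert and LocalCA.request_cert (directory vs. file, .pem suffix, default <root ca directory>/certs/<username>.pem), together with the PEM wrapping of raw certificate bytes, as an added example that is not SCAutolib's own code. The function names are mine, the default directory is whatever the caller passes, and the DER bytes used in the demo are constructed placeholders rather than a real certificate.

```python
"""Added example (not SCAutolib's own code): decide where a requested
certificate is written, and wrap DER bytes into PEM before writing it."""
import base64
import tempfile
import textwrap
from pathlib import Path
from typing import Optional, Union

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"
PathLike = Union[str, Path]


def resolve_cert_out(cert_out: Optional[PathLike], username: str,
                     default_dir: PathLike) -> Path:
    """Pick the file the certificate is written to, following the rules above:
    - None             -> <default_dir>/<username>.pem
    - existing dir     -> <cert_out>/<username>.pem
    - anything else    -> cert_out, with ".pem" appended if the suffix is not .pem
    """
    if cert_out is None:
        return Path(default_dir) / f"{username}.pem"
    cert_out = Path(cert_out)
    if cert_out.is_dir():
        return cert_out / f"{username}.pem"
    if cert_out.suffix.lower() != ".pem":
        return cert_out.with_name(cert_out.name + ".pem")
    return cert_out


def der_to_pem(der: bytes) -> str:
    """Base64-encode DER bytes and add the CERTIFICATE header and footer,
    folding the base64 body at 64 characters as RFC 7468 requires."""
    body = base64.b64encode(der).decode("ascii")
    return "\n".join([PEM_HEADER, *textwrap.wrap(body, 64), PEM_FOOTER]) + "\n"


def pem_to_der(pem: str) -> bytes:
    """Inverse of der_to_pem: strip the armour lines and decode the body."""
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body)


def store_certificate(der: bytes, cert_out: Optional[PathLike], username: str,
                      default_dir: PathLike) -> Path:
    """Write the certificate as PEM to the resolved location and return it."""
    target = resolve_cert_out(cert_out, username, default_dir)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(der_to_pem(der))
    return target


if __name__ == "__main__":
    # Constructed placeholder DER bytes (not a real certificate).
    fake_der = bytes(range(256)) * 2
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for out in (None, root, root / "alice.crt", root / "alice.pem"):
            written = store_certificate(fake_der, out, "alice", root / "certs")
            assert pem_to_der(written.read_text()) == fake_der
            print(written)
```

Note that an existing directory is detected with is_dir(), so a path that does not exist yet is always treated as a file name; that matches the wording above, where only a directory argument gets the <username>.pem name appended.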
- revoke_cert(cert)
Revoke given certificate
- Parameters:
cert (pathlib.Path) – path to the certificate