From 69ba5f942284d17f32650638965c21dcf907a579 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Jul 04 2017 07:48:04 +0000
Subject: smart-card advises: configure systemwide NSS DB also on master


Previously the Smart card signing CA cert was uploaded to systemwide NSS
DB only on the client, but it need to be added also to the server.
Modify the advise plugins to allow for common configuration steps to
occur in both cases.

https://pagure.io/freeipa/issue/7036

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

---

diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py
index 5859e35..0ee4808 100644
--- a/ipaserver/advise/plugins/smart_card_auth.py
+++ b/ipaserver/advise/plugins/smart_card_auth.py
@@ -10,8 +10,39 @@ from ipaserver.install.httpinstance import NSS_OCSP_ENABLED
 register = Registry()
 
 
+class common_smart_card_auth_config(Advice):
+    """
+    Common steps required to properly configure both server and client for
+    smart card auth
+    """
+
+    systemwide_nssdb = paths.NSS_DB_DIR
+    smart_card_ca_cert_variable_name = "SC_CA_CERT"
+
+    def check_and_set_ca_cert_path(self):
+        ca_path_variable = self.smart_card_ca_cert_variable_name
+        self.log.command("{}=$1".format(ca_path_variable))
+        self.log.exit_on_predicate(
+            '[ -z "${}" ]'.format(ca_path_variable),
+            ['You need to provide the path to the PEM file containing CA '
+             'signing the Smart Cards']
+        )
+        self.log.exit_on_predicate(
+            '[ ! -f "${}" ]'.format(ca_path_variable),
+            ['Invalid CA certificate filename: ${}'.format(ca_path_variable),
+             'Please check that the path exists and is a valid file']
+        )
+
+    def upload_smartcard_ca_certificate_to_systemwide_db(self):
+        self.log.command(
+            'certutil -d {} -A -i ${} -n "Smart Card CA" -t CT,C,C'.format(
+                self.systemwide_nssdb, self.smart_card_ca_cert_variable_name
+            )
+        )
+
+
 @register()
-class config_server_for_smart_card_auth(Advice):
+class config_server_for_smart_card_auth(common_smart_card_auth_config):
     """
     Configures smart card authentication via Kerberos (PKINIT) and for WebUI
     """
@@ -28,6 +59,7 @@ class config_server_for_smart_card_auth(Advice):
 
     def get_info(self):
         self.log.exit_on_nonroot_euid()
+        self.check_and_set_ca_cert_path()
         self.check_ccache_not_empty()
         self.check_hostname_is_in_masters()
         self.resolve_ipaca_records()
@@ -37,6 +69,7 @@ class config_server_for_smart_card_auth(Advice):
         self.record_httpd_ocsp_status()
         self.check_and_enable_pkinit()
         self.enable_ok_to_auth_as_delegate_on_http_principal()
+        self.upload_smartcard_ca_certificate_to_systemwide_db()
 
     def check_ccache_not_empty(self):
         self.log.comment('Check whether the credential cache is not empty')
@@ -162,11 +195,10 @@ class config_server_for_smart_card_auth(Advice):
 
 
 @register()
-class config_client_for_smart_card_auth(Advice):
+class config_client_for_smart_card_auth(common_smart_card_auth_config):
     """
     Configures smart card authentication on FreeIPA client
     """
-    smart_card_ca_cert_variable_name = "SC_CA_CERT"
 
     description = ("Instructions for enabling Smart Card authentication on "
                    " a single FreeIPA client. Configures Smart Card daemon, "
@@ -190,20 +222,6 @@ class config_client_for_smart_card_auth(Advice):
         self.run_authconfig_to_configure_smart_card_auth()
         self.restart_sssd()
 
-    def check_and_set_ca_cert_path(self):
-        ca_path_variable = self.smart_card_ca_cert_variable_name
-        self.log.command("{}=$1".format(ca_path_variable))
-        self.log.exit_on_predicate(
-            '[ -z "${}" ]'.format(ca_path_variable),
-            ['You need to provide the path to the PEM file containing CA '
-             'signing the Smart Cards']
-        )
-        self.log.exit_on_predicate(
-            '[ ! -f "${}" ]'.format(ca_path_variable),
-            ['Invalid CA certificate filename: ${}'.format(ca_path_variable),
-             'Please check that the path exists and is a valid file']
-        )
-
     def check_and_remove_pam_pkcs11(self):
         self.log.command('rpm -qi pam_pkcs11 > /dev/null')
         self.log.commands_on_predicate(
@@ -247,13 +265,6 @@ class config_client_for_smart_card_auth(Advice):
             ]
         )
 
-    def upload_smartcard_ca_certificate_to_systemwide_db(self):
-        self.log.command(
-            'certutil -d {} -A -i ${} -n "Smart Card CA" -t CT,C,C'.format(
-                self.systemwide_nssdb, self.smart_card_ca_cert_variable_name
-            )
-        )
-
     def run_authconfig_to_configure_smart_card_auth(self):
         self.log.exit_on_failed_command(
             'authconfig --enablesmartcard --smartcardmodule=sssd --updateall',