Diffstat (limited to 'cert-updater/main.cpp')
-rw-r--r-- | cert-updater/main.cpp | 184 |
1 files changed, 184 insertions, 0 deletions
diff --git a/cert-updater/main.cpp b/cert-updater/main.cpp
new file mode 100644
index 0000000..4c4f018
--- /dev/null
+++ b/cert-updater/main.cpp
@@ -0,0 +1,184 @@
+/***************************************************************************
+ * Copyright (C) 2012 by Timothy Pearson *
+ * [email protected] *
+ * *
+ * This program is free software; you can redistribute it and/or modify *
+ * it under the terms of the GNU General Public License as published by *
+ * the Free Software Foundation; either version 2 of the License, or *
+ * (at your option) any later version. *
+ * *
+ * This program is distributed in the hope that it will be useful, *
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of *
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
+ * GNU General Public License for more details. *
+ * *
+ * You should have received a copy of the GNU General Public License *
+ * along with this program; if not, write to the *
+ * Free Software Foundation, Inc., *
+ * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. *
+ ***************************************************************************/
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netdb.h>
+#include <pwd.h>
+
+#include <kapplication.h>
+#include <kstartupinfo.h>
+#include <kcmdlineargs.h>
+#include <kaboutdata.h>
+
+#include <ksimpleconfig.h>
+
+#include <tqdatetime.h>
+#include <tqfile.h>
+
+#include <libtdeldap.h>
+
+// FIXME
+// Connect this to CMake/Automake
+#define KDE_CONFDIR "/etc/trinity"
+
+static const char description[] =
+ I18N_NOOP("TDE utility for updating realm certificates");
+
+static const char version[] = "v0.0.1";
+
+int uploadKerberosCAFileToLDAP(LDAPManager* ldap_mgr, TQString* errstr) {
+ // Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
+ TQFile cafile(KERBEROS_PKI_PEM_FILE);
+ if (cafile.open(IO_ReadOnly)) {
+ TQByteArray cafiledata = cafile.readAll();
+ if (ldap_mgr->writeCertificateFileIntoDirectory(cafiledata, "publicRootCertificate", errstr) != 0) {
+ return -1;
+ }
+ return 0;
+ }
+ return -1;
+}
+
+int main(int argc, char *argv[])
+{
+ KAboutData aboutData( "primaryrccertupdater", I18N_NOOP("Real Certificate Updater"),
+ version, description, KAboutData::License_GPL,
+ "(c) 2012, Timothy Pearson");
+ aboutData.addAuthor("Timothy Pearson",0, "[email protected]");
+ KCmdLineArgs::init( argc, argv, &aboutData );
+ KApplication::disableAutoDcopRegistration();
+
+ KApplication app(false, false);
+
+ KStartupInfo::appStarted();
+
+ //======================================================================================================================================================
+ //
+ // Updater code follows
+ //
+ //======================================================================================================================================================
+
+ // FIXME
+ // This assumes Debian!
+ TQString m_ldapUserName = "openldap";
+ TQString m_ldapGroupName = "openldap";
+
+ KSimpleConfig* m_systemconfig = new KSimpleConfig( TQString::fromLatin1( KDE_CONFDIR "/ldap/ldapconfigrc" ));
+ LDAPRealmConfigList m_realmconfig = LDAPManager::readTDERealmList(m_systemconfig, false);
+ // Load cert config
+ m_systemconfig->setGroup("Certificates");
+ LDAPCertConfig m_certconfig;
+ m_certconfig.countryName = m_systemconfig->readEntry("countryName");
+ m_certconfig.stateOrProvinceName = m_systemconfig->readEntry("stateOrProvinceName");
+ m_certconfig.localityName = m_systemconfig->readEntry("localityName");
+ m_certconfig.organizationName = m_systemconfig->readEntry("organizationName");
+ m_certconfig.orgUnitName = m_systemconfig->readEntry("orgUnitName");
+ m_certconfig.commonName = m_systemconfig->readEntry("commonName");
+ m_certconfig.emailAddress = m_systemconfig->readEntry("emailAddress");
+ // Load other defaults
+ m_systemconfig->setGroup(NULL);
+ TQString m_defaultRealm = m_systemconfig->readEntry("DefaultRealm");
+
+ TQDateTime certExpiry;
+ TQDateTime now = TQDateTime::currentDateTime();
+ TQDateTime soon = now.addDays(7); // Keep in sync with src/ldapcontroller.cpp
+
+ TQString kdc_certfile = KERBEROS_PKI_KDC_FILE;
+ kdc_certfile.replace("@@@KDCSERVER@@@", m_realmconfig[m_defaultRealm].kdc);
+ TQString ldap_certfile = LDAP_CERT_FILE;
+ ldap_certfile.replace("@@@ADMINSERVER@@@", m_realmconfig[m_defaultRealm].admin_server);
+
+ // Certificate Authority
+ if (TQFile::exists(KERBEROS_PKI_PEM_FILE)) {
+ certExpiry = LDAPManager::getCertificateExpiration(KERBEROS_PKI_PEM_FILE);
+ if (certExpiry >= now) {
+ printf("Certificate %s expires %s\n\r", TQString(KERBEROS_PKI_PEM_FILE).ascii(), certExpiry.toString().ascii()); fflush(stdout);
+ }
+ if ((certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
+ printf("Regenerating certificate %s...\n\r", TQString(KERBEROS_PKI_PEM_FILE).ascii()); fflush(stdout);
+ // RAJA FIXME FIXME FIXME
+ LDAPManager::generatePublicKerberosCACertificate(m_certconfig);
+
+ TQString realmname = m_defaultRealm.upper();
+ LDAPCredentials* credentials = new LDAPCredentials;
+ credentials->username = "";
+ credentials->password = "";
+ credentials->realm = realmname;
+ LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials);
+
+ // Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
+ TQString errorstring;
+ if (uploadKerberosCAFileToLDAP(ldap_mgr, &errorstring) != 0) {
+ printf("[ERROR] Unable to upload new certificate to LDAP server!\n\r%s\n\r", errorstring.ascii()); fflush(stdout);
+ }
+
+ delete ldap_mgr;
+ }
+ }
+ else {
+ printf("[WARNING] Certificate file %s not found!\n\r", TQString(KERBEROS_PKI_PEM_FILE).ascii()); fflush(stdout);
+ }
+
+ // Kerberos
+ if (TQFile::exists(kdc_certfile)) {
+ certExpiry = LDAPManager::getCertificateExpiration(kdc_certfile);
+ if (certExpiry >= now) {
+ printf("Certificate %s expires %s\n\r", kdc_certfile.ascii(), certExpiry.toString().ascii()); fflush(stdout);
+ }
+ if ((certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
+ printf("Regenerating certificate %s...\n\r", kdc_certfile.ascii()); fflush(stdout);
+ LDAPManager::generatePublicKerberosCertificate(m_certconfig, m_realmconfig[m_defaultRealm]);
+ }
+ }
+ else {
+ printf("[WARNING] Certificate file %s not found!\n\r", kdc_certfile.ascii()); fflush(stdout);
+ }
+
+ // LDAP
+ if (TQFile::exists(ldap_certfile)) {
+ certExpiry = LDAPManager::getCertificateExpiration(ldap_certfile);
+ if (certExpiry >= now) {
+ printf("Certificate %s expires %s\n\r", ldap_certfile.ascii(), certExpiry.toString().ascii()); fflush(stdout);
+ }
+ if ((certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
+ printf("Regenerating certificate %s...\n\r", ldap_certfile.ascii()); fflush(stdout);
+ uid_t slapd_uid = 0;
+ gid_t slapd_gid = 0;
+
+ // Get LDAP user uid/gid
+ struct passwd *pwd;
+ pwd = getpwnam(m_ldapUserName);
+ slapd_uid = pwd->pw_uid;
+ slapd_gid = pwd->pw_gid;
+
+ LDAPManager::generatePublicLDAPCertificate(m_certconfig, m_realmconfig[m_defaultRealm], slapd_uid, slapd_gid);
+ }
+ }
+ else {
+ printf("[WARNING] Certificate file %s not found!\n\r", ldap_certfile.ascii()); fflush(stdout);
+ }
+
+ delete m_systemconfig;
+
+ //======================================================================================================================================================
+
+ return 0;
+}
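Review bot: `pwd = getpwnam(m_ldapUserName); slapd_uid = pwd->pw_uid;` in the LDAP branch near the end of main() dereferences the lookup result without a NULL check, so on a host where no `openldap` account exists (the case the code's own `// FIXME This assumes Debian!` comment anticipates) the updater crashes instead of reporting the problem. Guard the lookup and skip regeneration with a message when it fails, as below. Separately, the Certificate Authority branch calls `generatePublicKerberosCACertificate(m_certconfig)` and then uploads whatever `KERBEROS_PKI_PEM_FILE` now contains without checking that generation succeeded (the `// RAJA FIXME` marker), which can publish a stale or partial CA file into the directory; if that call reports failure, the upload should be skipped. Also worth considering is what `m_realmconfig[m_defaultRealm]` yields when `DefaultRealm` is unset or absent from the realm list, since a default-constructed entry would leave the kdc and admin_server host names empty in the substituted file paths.
```cpp
			// Get LDAP user uid/gid; getpwnam() returns NULL when the account does not exist
			struct passwd *pwd = getpwnam(m_ldapUserName);
			if (!pwd) {
				printf("[ERROR] Unable to look up LDAP user %s; certificate %s was not regenerated!\n\r", m_ldapUserName.ascii(), ldap_certfile.ascii()); fflush(stdout);
			}
			else {
				LDAPManager::generatePublicLDAPCertificate(m_certconfig, m_realmconfig[m_defaultRealm], pwd->pw_uid, pwd->pw_gid);
			}
```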