#!/usr/bin/python try: import ConfigParser as configparser except ImportError: import configparser import os import sys import subprocess CM_SUBMIT_STATUS_ISSUED = 0 CM_SUBMIT_STATUS_UNCONFIGURED = 4 def main(): if len(sys.argv) < 3: return CM_SUBMIT_STATUS_UNCONFIGURED sub_ca = sys.argv[1] wrapped_command = sys.argv[2:] operation = os.environ.get('CERTMONGER_OPERATION') os.environ['CERTMONGER_CA_NICKNAME'] = 'IPA' if operation == 'FETCH-ROOTS' and sub_ca.lower() != 'ipa': config = configparser.ConfigParser() try: with open('/etc/ipa/default.conf') as fp: config.readfp(fp) except: return CM_SUBMIT_STATUS_UNCONFIGURED host = config.get('global', 'host') realm = config.get('global', 'realm') if host is None or realm is None: return CM_SUBMIT_STATUS_UNCONFIGURED principal = 'host/{}@{}'.format(host, realm) os.environ['KRB5CCNAME'] = '/tmp/krb5cc_cm_ipa_subca_wrapper' try: subprocess.check_call([ '/usr/bin/kinit', '-k', principal ]) except: return CM_SUBMIT_STATUS_UNCONFIGURED try: data = subprocess.check_output([ '/usr/bin/ipa', 'ca-show', sub_ca ]) except: return CM_SUBMIT_STATUS_ISSUED config = {} for line in data.split('\n'): line = line.strip() try: key, value = line.split(': ') except: continue config[key] = value if config.get('Name').lower() != sub_ca.lower(): return CM_SUBMIT_STATUS_ISSUED print(realm, sub_ca, 'CA') print('-----BEGIN CERTIFICATE-----') certificate = config['Certificate'] for i in range((len(certificate)/64) + 1): print(certificate[i*64:(i+1)*64]) print('-----END CERTIFICATE-----') sys.stdout.flush() else: os.environ['CERTMONGER_CA_ISSUER'] = sub_ca os.execl(wrapped_command[0], *wrapped_command) if __name__ == '__main__': main()