Move primary realm wizard sources to separate directory

Add cert-updater

1 files changed, 184 insertions, 0 deletions

diff --git a/cert-updater/main.cpp b/cert-updater/main.cpp
new file mode 100644
index 0000000..4c4f018
--- /dev/null
+++ b/cert-updater/main.cpp
@@ -0,0 +1,184 @@
+/***************************************************************************
+ *   Copyright (C) 2012 by Timothy Pearson                                 *
+ *   kb9vqf@pearsoncomputing.net                                           *
+ *                                                                         *
+ *   This program is free software; you can redistribute it and/or modify  *
+ *   it under the terms of the GNU General Public License as published by  *
+ *   the Free Software Foundation; either version 2 of the License, or     *
+ *   (at your option) any later version.                                   *
+ *                                                                         *
+ *   This program is distributed in the hope that it will be useful,       *
+ *   but WITHOUT ANY WARRANTY; without even the implied warranty of        *
+ *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         *
+ *   GNU General Public License for more details.                          *
+ *                                                                         *
+ *   You should have received a copy of the GNU General Public License     *
+ *   along with this program; if not, write to the                         *
+ *   Free Software Foundation, Inc.,                                       *
+ *   59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.             *
+ ***************************************************************************/
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netdb.h>
+#include <pwd.h>
+
+#include <kapplication.h>
+#include <kstartupinfo.h>
+#include <kcmdlineargs.h>
+#include <kaboutdata.h>
+
+#include <ksimpleconfig.h>
+
+#include <tqdatetime.h>
+#include <tqfile.h>
+
+#include <libtdeldap.h>
+
+// FIXME
+// Connect this to CMake/Automake
+#define KDE_CONFDIR "/etc/trinity"
+
+static const char description[] =
+	I18N_NOOP("TDE utility for updating realm certificates");
+
+static const char version[] = "v0.0.1";
+
+int uploadKerberosCAFileToLDAP(LDAPManager* ldap_mgr, TQString* errstr) {
+	// Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
+	TQFile cafile(KERBEROS_PKI_PEM_FILE);
+	if (cafile.open(IO_ReadOnly)) {
+		TQByteArray cafiledata = cafile.readAll();
+		if (ldap_mgr->writeCertificateFileIntoDirectory(cafiledata, "publicRootCertificate", errstr) != 0) {
+			return -1;
+		}
+		return 0;
+	}
+	return -1;
+}
+
+int main(int argc, char *argv[])
+{
+	KAboutData aboutData( "primaryrccertupdater", I18N_NOOP("Real Certificate Updater"),
+		version, description, KAboutData::License_GPL,
+		"(c) 2012, Timothy Pearson");
+		aboutData.addAuthor("Timothy Pearson",0, "kb9vqf@pearsoncomputing.net");
+	KCmdLineArgs::init( argc, argv, &aboutData );
+	KApplication::disableAutoDcopRegistration(); 
+
+	KApplication app(false, false);
+
+	KStartupInfo::appStarted();
+
+	//======================================================================================================================================================
+	//
+	// Updater code follows
+	//
+	//======================================================================================================================================================
+
+	// FIXME
+	// This assumes Debian!
+	TQString m_ldapUserName = "openldap";
+	TQString m_ldapGroupName = "openldap";
+
+	KSimpleConfig* m_systemconfig = new KSimpleConfig( TQString::fromLatin1( KDE_CONFDIR "/ldap/ldapconfigrc" ));
+	LDAPRealmConfigList m_realmconfig = LDAPManager::readTDERealmList(m_systemconfig, false);
+	// Load cert config
+	m_systemconfig->setGroup("Certificates");
+	LDAPCertConfig m_certconfig;
+	m_certconfig.countryName = m_systemconfig->readEntry("countryName");
+	m_certconfig.stateOrProvinceName = m_systemconfig->readEntry("stateOrProvinceName");
+	m_certconfig.localityName = m_systemconfig->readEntry("localityName");
+	m_certconfig.organizationName = m_systemconfig->readEntry("organizationName");
+	m_certconfig.orgUnitName = m_systemconfig->readEntry("orgUnitName");
+	m_certconfig.commonName = m_systemconfig->readEntry("commonName");
+	m_certconfig.emailAddress = m_systemconfig->readEntry("emailAddress");
+	// Load other defaults
+	m_systemconfig->setGroup(NULL);
+	TQString m_defaultRealm = m_systemconfig->readEntry("DefaultRealm");
+
+	TQDateTime certExpiry;
+	TQDateTime now = TQDateTime::currentDateTime();
+	TQDateTime soon = now.addDays(7);	// Keep in sync with src/ldapcontroller.cpp
+
+	TQString kdc_certfile = KERBEROS_PKI_KDC_FILE;
+	kdc_certfile.replace("@@@KDCSERVER@@@", m_realmconfig[m_defaultRealm].kdc);
+	TQString ldap_certfile = LDAP_CERT_FILE;
+	ldap_certfile.replace("@@@ADMINSERVER@@@", m_realmconfig[m_defaultRealm].admin_server);
+
+	// Certificate Authority
+	if (TQFile::exists(KERBEROS_PKI_PEM_FILE)) {
+		certExpiry = LDAPManager::getCertificateExpiration(KERBEROS_PKI_PEM_FILE);
+		if (certExpiry >= now) {
+			printf("Certificate %s expires %s\n\r", TQString(KERBEROS_PKI_PEM_FILE).ascii(), certExpiry.toString().ascii()); fflush(stdout);
+		}
+		if ((certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
+			printf("Regenerating certificate %s...\n\r", TQString(KERBEROS_PKI_PEM_FILE).ascii()); fflush(stdout);
+			// RAJA FIXME FIXME FIXME
+			LDAPManager::generatePublicKerberosCACertificate(m_certconfig);
+		
+			TQString realmname = m_defaultRealm.upper();
+			LDAPCredentials* credentials = new LDAPCredentials;
+			credentials->username = "";
+			credentials->password = "";
+			credentials->realm = realmname;
+			LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials);
+		
+			// Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
+			TQString errorstring;
+			if (uploadKerberosCAFileToLDAP(ldap_mgr, &errorstring) != 0) {
+				printf("[ERROR] Unable to upload new certificate to LDAP server!\n\r%s\n\r", errorstring.ascii()); fflush(stdout);
+			}
+
+			delete ldap_mgr;
+		}
+	}
+	else {
+		printf("[WARNING] Certificate file %s not found!\n\r", TQString(KERBEROS_PKI_PEM_FILE).ascii()); fflush(stdout);
+	}
+
+	// Kerberos
+	if (TQFile::exists(kdc_certfile)) {
+		certExpiry = LDAPManager::getCertificateExpiration(kdc_certfile);
+		if (certExpiry >= now) {
+			printf("Certificate %s expires %s\n\r", kdc_certfile.ascii(), certExpiry.toString().ascii()); fflush(stdout);
+		}
+		if ((certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
+			printf("Regenerating certificate %s...\n\r", kdc_certfile.ascii()); fflush(stdout);
+			LDAPManager::generatePublicKerberosCertificate(m_certconfig, m_realmconfig[m_defaultRealm]);
+		}
+	}
+	else {
+		printf("[WARNING] Certificate file %s not found!\n\r", kdc_certfile.ascii()); fflush(stdout);
+	}
+
+	// LDAP
+	if (TQFile::exists(ldap_certfile)) {
+		certExpiry = LDAPManager::getCertificateExpiration(ldap_certfile);
+		if (certExpiry >= now) {
+			printf("Certificate %s expires %s\n\r", ldap_certfile.ascii(), certExpiry.toString().ascii()); fflush(stdout);
+		}
+		if ((certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
+			printf("Regenerating certificate %s...\n\r", ldap_certfile.ascii()); fflush(stdout);
+			uid_t slapd_uid = 0;
+			gid_t slapd_gid = 0;
+		
+			// Get LDAP user uid/gid
+			struct passwd *pwd;
+			pwd = getpwnam(m_ldapUserName);
+			slapd_uid = pwd->pw_uid;
+			slapd_gid = pwd->pw_gid;
+		
+			LDAPManager::generatePublicLDAPCertificate(m_certconfig, m_realmconfig[m_defaultRealm], slapd_uid, slapd_gid);
+		}
+	}
+	else {
+		printf("[WARNING] Certificate file %s not found!\n\r", ldap_certfile.ascii()); fflush(stdout);
+	}
+
+	delete m_systemconfig;
+
+	//======================================================================================================================================================
+
+	return 0;
+}