From d208e3a087076d8da38a8a13ddf9f1e54d63ea7c Mon Sep 17 00:00:00 2001
From: Aurélien Bompard <aurelien@bompard.org>
Date: Oct 13 2020 14:27:07 +0000
Subject: IPA: attempt to create a certificate profile & ACL


Signed-off-by: Aurélien Bompard <aurelien@bompard.org>

---

diff --git a/roles/ipa/server/tasks/main.yml b/roles/ipa/server/tasks/main.yml
index fd8cdac..005c57f 100644
--- a/roles/ipa/server/tasks/main.yml
+++ b/roles/ipa/server/tasks/main.yml
@@ -208,7 +208,7 @@
 #   failed_when: "'already exists' not in output.stderr and output.rc != 0"
 
 # Set the default value back
-- name: Disable default permissions so we don't break our privacy policy
+- name: Restore the default permission on user addressbook attributes
   command:
     argv:
       - ipa
@@ -247,6 +247,101 @@
   - config
   when: ipa_initial
 
+# Certificate generation
+- name: Make a directory to store certificate profiles
+  file:
+    path: /etc/ipa/certprofiles
+    state: directory
+  tags:
+  - ipa/server
+  - config
+
+- name: Warn admins that this is not the canonical source
+  copy:
+    dest: /etc/ipa/certprofiles/README
+    content: "This is just a dump of the server values, which are accessible with ipa certprofile-find"
+  tags:
+  - ipa/server
+  - config
+
+#- name: Check if we should import or update the certificate profile
+#  stat:
+#    path: /etc/ipa/certprofiles/userCerts.conf
+#  register: st_profile
+
+- name: Copy the certificate profile for users
+  template:
+    src: userCerts.conf
+    dest: /etc/ipa/certprofiles/userCerts.conf
+  tags:
+  - ipa/server
+  - config
+
+- name: Create the certificate profile
+  command:
+    argv:
+      - ipa
+      - certprofile-import
+      - userCerts
+      - --desc=Profile for user certificates
+      - --store=true
+      - --file=/etc/ipa/certprofiles/userCerts.conf
+  tags:
+  - ipa/server
+  - config
+  #when: ipa_initial and not st_profile.stat.exists
+  when: ipa_initial
+  register: output
+  changed_when: "'Modified profile' in output.stdout"
+  failed_when: "'no modifications to be performed' not in output.stderr and output.rc != 0"
+
+- name: Update the certificate profile
+  command:
+    argv:
+      - ipa
+      - certprofile-mod
+      - userCerts
+      - --desc=Profile for user certificates
+      - --store=true
+      - --file=/etc/ipa/certprofiles/userCerts.conf
+  tags:
+  - ipa/server
+  - config
+  #when: ipa_initial and st_profile.stat.exists
+  when: ipa_initial
+  register: update_output
+  changed_when: "'Modified profile' in output.stdout"
+  failed_when: "'no modifications to be performed' not in output.stderr and output.rc != 0"
+
+# Create a new ACL linking the new profile and ipausers group (that all users are members of)
+- name: Create the CA ACL for the new certificate profile
+  command: ipa caacl-add userCerts
+  tags:
+  - ipa/server
+  - config
+  when: ipa_initial
+  register: output
+  changed_when: "'already exists' not in output.stdout"
+  failed_when: "'already exists' not in output.stdout and output.rc != 0"
+- name: Add the ipausers group to the CA ACL
+  command: ipa caacl-add-user userCerts --group ipausers
+  tags:
+  - ipa/server
+  - config
+  when: ipa_initial
+  register: output
+  changed_when: "'already exists' not in output.stdout"
+  failed_when: "'already exists' not in output.stdout and output.rc != 0"
+- name: Add the ipausers group to the CA ACL
+  command: ipa caacl-add-profile userCerts --certprofile userCerts
+  tags:
+  - ipa/server
+  - config
+  when: ipa_initial
+  register: output
+  changed_when: "'already exists' not in output.stdout"
+  failed_when: "'already exists' not in output.stdout and output.rc != 0"
+
 # Noggin user setup
 
 - name: Register the proper noggin admin password
diff --git a/roles/ipa/server/templates/userCerts.conf b/roles/ipa/server/templates/userCerts.conf
new file mode 100644
index 0000000..df59328
--- /dev/null
+++ b/roles/ipa/server/templates/userCerts.conf
@@ -0,0 +1,114 @@
+profileId=userCerts
+name=User certificate enrollment
+desc=This certificate profile is for user certificates.
+visible=true
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+classId=caEnrollImpl
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11,12
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, O={{ ipa_realm }}
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.range=740
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=731
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ipa-ca{{ env_suffix }}.fedoraproject.org/ca/ocsp
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.serverCertSet.6.default.name=Key Usage Default
+policyset.serverCertSet.6.default.params.keyUsageCritical=true
+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.8.constraint.name=No Constraint
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.8.default.name=Signing Alg
+policyset.serverCertSet.8.default.params.signingAlg=-
+policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.9.constraint.name=No Constraint
+policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl
+policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default
+policyset.serverCertSet.9.default.params.crlDistPointsCritical=false
+policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true
+policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=CN=Certificate Authority,o=ipaca
+policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName
+policyset.serverCertSet.9.default.params.crlDistPointsNum=1
+policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://ipa-ca{{ env_suffix }}.fedoraproject.org/ipa/crl/MasterCRL.bin
+policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName
+policyset.serverCertSet.9.default.params.crlDistPointsReasons_0=
+policyset.serverCertSet.10.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.10.constraint.name=No Constraint
+policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.10.default.name=Subject Key Identifier Extension Default
+policyset.serverCertSet.10.default.params.critical=false
+policyset.serverCertSet.11.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.11.constraint.name=No Constraint
+policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl
+policyset.serverCertSet.11.default.name=User Supplied Extension Default
+policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17
+policyset.serverCertSet.12.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.12.constraint.name=No Constraint
+policyset.serverCertSet.12.default.class_id=userExtensionDefaultImpl
+policyset.serverCertSet.12.default.name=IECUserRoles Extension Default
+policyset.serverCertSet.12.default.params.userExtOID=1.2.840.10070.8.1