From 253f6abaf56ce0008b11aa4db03f09d024efc7ab Mon Sep 17 00:00:00 2001
From: Timothy Pearson <kb9vqf@pearsoncomputing.net>
Date: Tue, 2 Jul 2013 18:17:45 +0000
Subject: [PATCH] Do not update CA certificates if master is unknown

---
 admin                 |   2 +-
 cert-updater/main.cpp | 201 ++++++++++++++++++++++--------------------
 2 files changed, 104 insertions(+), 99 deletions(-)

diff --git a/admin b/admin
index 65ecce4..4027b87 160000
--- a/admin
+++ b/admin
@@ -1 +1 @@
-Subproject commit 65ecce459d54e772303052de50d08557ba9cc7ed
+Subproject commit 4027b878fb556a51ed29affd578e78aa70997480
diff --git a/cert-updater/main.cpp b/cert-updater/main.cpp
index e4acaa5..e11a73e 100644
--- a/cert-updater/main.cpp
+++ b/cert-updater/main.cpp
@@ -147,113 +147,118 @@ int main(int argc, char *argv[])
 	delete ldap_mgr;
 	delete credentials;
 
-	if (realmCAMaster == fqdn) {
-		printf("This server is the realm CA master\n"); fflush(stdout);
-		if (TQFile::exists(KERBEROS_PKI_PEM_FILE)) {
-			certExpiry = LDAPManager::getCertificateExpiration(KERBEROS_PKI_PEM_FILE);
-			if (certExpiry >= now) {
-				printf("Certificate %s expires %s\n", TQString(KERBEROS_PKI_PEM_FILE).ascii(), certExpiry.toString().ascii()); fflush(stdout);
-			}
-			if (force_update || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
-				printf("Regenerating certificate %s...\n", TQString(KERBEROS_PKI_PEM_FILE).ascii()); fflush(stdout);
-				LDAPManager::generatePublicKerberosCACertificate(m_certconfig);
-			
-				TQString realmname = m_defaultRealm.upper();
-				LDAPCredentials* credentials = new LDAPCredentials;
-				credentials->username = "";
-				credentials->password = "";
-				credentials->realm = realmname;
-				LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials);
-			
-				// Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
-				TQString errorstring;
-				if (uploadKerberosCAFileToLDAP(ldap_mgr, &errorstring) != 0) {
-					printf("[ERROR] Unable to upload new certificate to LDAP server!\n%s\n", errorstring.ascii()); fflush(stdout);
+	if (realmCAMaster == "") {
+		printf("[WARNING] Unable to determine the realm CA master!  CA will not be updated\n"); fflush(stdout);
+	}
+	else {
+		if (realmCAMaster == fqdn) {
+			printf("This server is the realm CA master\n"); fflush(stdout);
+			if (TQFile::exists(KERBEROS_PKI_PEM_FILE)) {
+				certExpiry = LDAPManager::getCertificateExpiration(KERBEROS_PKI_PEM_FILE);
+				if (certExpiry >= now) {
+					printf("Certificate %s expires %s\n", TQString(KERBEROS_PKI_PEM_FILE).ascii(), certExpiry.toString().ascii()); fflush(stdout);
+				}
+				if (force_update || (certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
+					printf("Regenerating certificate %s...\n", TQString(KERBEROS_PKI_PEM_FILE).ascii()); fflush(stdout);
+					LDAPManager::generatePublicKerberosCACertificate(m_certconfig);
+				
+					TQString realmname = m_defaultRealm.upper();
+					LDAPCredentials* credentials = new LDAPCredentials;
+					credentials->username = "";
+					credentials->password = "";
+					credentials->realm = realmname;
+					LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials);
+				
+					// Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
+					TQString errorstring;
+					if (uploadKerberosCAFileToLDAP(ldap_mgr, &errorstring) != 0) {
+						printf("[ERROR] Unable to upload new certificate to LDAP server!\n%s\n", errorstring.ascii()); fflush(stdout);
+					}
+		
+					delete ldap_mgr;
 				}
 	
-				delete ldap_mgr;
+				// Set permissions
+				chmod(KERBEROS_PKI_PEMKEY_FILE, S_IRUSR|S_IWUSR);
+				chown_safe(KERBEROS_PKI_PEMKEY_FILE, 0, 0);
+				chmod(KERBEROS_PKI_PEM_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
+				chown_safe(KERBEROS_PKI_PEM_FILE, 0, 0);
 			}
-
+			else {
+				printf("[WARNING] Certificate file %s not found!\n", TQString(KERBEROS_PKI_PEM_FILE).ascii()); fflush(stdout);
+			}
+		}
+		else {
+			printf("This server is a realm CA slave\n"); fflush(stdout);
+	
+			// Connect to LDAP
+			TQString realmname = defaultRealm.upper();
+			LDAPCredentials* credentials = new LDAPCredentials;
+			credentials->username = "cn=admin," + basedn;
+			m_systemconfig->setGroup("Replication");
+			credentials->password = m_systemconfig->readEntry("Password");
+			m_systemconfig->setGroup(NULL);
+			credentials->realm = realmname;
+			LDAPManager* ldap_mgr = new LDAPManager(realmname, TQString("ldaps://%1/").arg(realmCAMaster), credentials);
+			TQString errorstring;
+	
+			if (ldap_mgr->getTDECertificate("privateRootCertificateKey", KERBEROS_PKI_PEMKEY_FILE ".tmp", &errorstring) != 0) {
+				printf("[ERROR] Unable to get private CA certificate key from LDAP server!\n%s\n", errorstring.ascii()); fflush(stdout);
+			}
+			if (ldap_mgr->getTDECertificate("publicRootCertificate", KERBEROS_PKI_PEM_FILE ".tmp", &errorstring) != 0) {
+				printf("[ERROR] Unable to get public CA certificate from LDAP server!\n%s\n", errorstring.ascii()); fflush(stdout);
+			}
+	
+			delete ldap_mgr;
+			delete credentials;
+	
+			TQByteArray originalPemKeyFile;
+			TQByteArray originalPemFile;
+			TQByteArray newPemKeyFile;
+			TQByteArray newPemFile;
+	
+			TQFile* cafile;
+			cafile = new TQFile(KERBEROS_PKI_PEMKEY_FILE);
+			if (cafile->open(IO_ReadOnly)) {
+				originalPemKeyFile = cafile->readAll();
+			}
+			delete cafile;
+			cafile = new TQFile(KERBEROS_PKI_PEM_FILE);
+			if (cafile->open(IO_ReadOnly)) {
+				originalPemFile = cafile->readAll();
+			}
+			delete cafile;
+			cafile = new TQFile(KERBEROS_PKI_PEMKEY_FILE ".tmp");
+			if (cafile->open(IO_ReadOnly)) {
+				newPemKeyFile = cafile->readAll();
+			}
+			delete cafile;
+			cafile = new TQFile(KERBEROS_PKI_PEM_FILE ".tmp");
+			if (cafile->open(IO_ReadOnly)) {
+				newPemFile = cafile->readAll();
+			}
+			delete cafile;
+	
+			if ((originalPemKeyFile == newPemKeyFile) && (originalPemFile == newPemFile)) {
+				unlink(KERBEROS_PKI_PEMKEY_FILE ".tmp");
+				unlink(KERBEROS_PKI_PEM_FILE ".tmp");
+				printf("Certificates have not changed since last update\n");
+			}
+			else {
+				unlink(KERBEROS_PKI_PEMKEY_FILE);
+				unlink(KERBEROS_PKI_PEM_FILE);
+				rename(KERBEROS_PKI_PEMKEY_FILE ".tmp", KERBEROS_PKI_PEMKEY_FILE);
+				rename(KERBEROS_PKI_PEM_FILE ".tmp", KERBEROS_PKI_PEM_FILE);
+				force_update = true;
+				printf("Certificates have changed, forcing certificate regeneration\n");
+			}
+	
 			// Set permissions
 			chmod(KERBEROS_PKI_PEMKEY_FILE, S_IRUSR|S_IWUSR);
 			chown_safe(KERBEROS_PKI_PEMKEY_FILE, 0, 0);
 			chmod(KERBEROS_PKI_PEM_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
 			chown_safe(KERBEROS_PKI_PEM_FILE, 0, 0);
 		}
-		else {
-			printf("[WARNING] Certificate file %s not found!\n", TQString(KERBEROS_PKI_PEM_FILE).ascii()); fflush(stdout);
-		}
-	}
-	else {
-		printf("This server is a realm CA slave\n"); fflush(stdout);
-
-		// Connect to LDAP
-		TQString realmname = defaultRealm.upper();
-		LDAPCredentials* credentials = new LDAPCredentials;
-		credentials->username = "cn=admin," + basedn;
-		m_systemconfig->setGroup("Replication");
-		credentials->password = m_systemconfig->readEntry("Password");
-		m_systemconfig->setGroup(NULL);
-		credentials->realm = realmname;
-		LDAPManager* ldap_mgr = new LDAPManager(realmname, TQString("ldaps://%1/").arg(realmCAMaster), credentials);
-		TQString errorstring;
-
-		if (ldap_mgr->getTDECertificate("privateRootCertificateKey", KERBEROS_PKI_PEMKEY_FILE ".tmp", &errorstring) != 0) {
-			printf("[ERROR] Unable to get private CA certificate key from LDAP server!\n%s\n", errorstring.ascii()); fflush(stdout);
-		}
-		if (ldap_mgr->getTDECertificate("publicRootCertificate", KERBEROS_PKI_PEM_FILE ".tmp", &errorstring) != 0) {
-			printf("[ERROR] Unable to get public CA certificate from LDAP server!\n%s\n", errorstring.ascii()); fflush(stdout);
-		}
-
-		delete ldap_mgr;
-		delete credentials;
-
-		TQByteArray originalPemKeyFile;
-		TQByteArray originalPemFile;
-		TQByteArray newPemKeyFile;
-		TQByteArray newPemFile;
-
-		TQFile* cafile;
-		cafile = new TQFile(KERBEROS_PKI_PEMKEY_FILE);
-		if (cafile->open(IO_ReadOnly)) {
-			originalPemKeyFile = cafile->readAll();
-		}
-		delete cafile;
-		cafile = new TQFile(KERBEROS_PKI_PEM_FILE);
-		if (cafile->open(IO_ReadOnly)) {
-			originalPemFile = cafile->readAll();
-		}
-		delete cafile;
-		cafile = new TQFile(KERBEROS_PKI_PEMKEY_FILE ".tmp");
-		if (cafile->open(IO_ReadOnly)) {
-			newPemKeyFile = cafile->readAll();
-		}
-		delete cafile;
-		cafile = new TQFile(KERBEROS_PKI_PEM_FILE ".tmp");
-		if (cafile->open(IO_ReadOnly)) {
-			newPemFile = cafile->readAll();
-		}
-		delete cafile;
-
-		if ((originalPemKeyFile == newPemKeyFile) && (originalPemFile == newPemFile)) {
-			unlink(KERBEROS_PKI_PEMKEY_FILE ".tmp");
-			unlink(KERBEROS_PKI_PEM_FILE ".tmp");
-			printf("Certificates have not changed since last update\n");
-		}
-		else {
-			unlink(KERBEROS_PKI_PEMKEY_FILE);
-			unlink(KERBEROS_PKI_PEM_FILE);
-			rename(KERBEROS_PKI_PEMKEY_FILE ".tmp", KERBEROS_PKI_PEMKEY_FILE);
-			rename(KERBEROS_PKI_PEM_FILE ".tmp", KERBEROS_PKI_PEM_FILE);
-			force_update = true;
-			printf("Certificates have changed, forcing certificate regeneration\n");
-		}
-
-		// Set permissions
-		chmod(KERBEROS_PKI_PEMKEY_FILE, S_IRUSR|S_IWUSR);
-		chown_safe(KERBEROS_PKI_PEMKEY_FILE, 0, 0);
-		chmod(KERBEROS_PKI_PEM_FILE, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
-		chown_safe(KERBEROS_PKI_PEM_FILE, 0, 0);
 	}
 
 	// Kerberos