-rw-r--r-- | API.txt | 6 | ||||
-rw-r--r-- | VERSION | 4 | ||||
-rw-r--r-- | ipalib/plugins/vault.py | 38 | ||||
-rw-r--r-- | ipaplatform/base/paths.py | 4 | ||||
-rw-r--r-- | ipaserver/install/installutils.py | 16 | ||||
-rw-r--r-- | ipaserver/install/ipa_kra_install.py | 22 | ||||
-rw-r--r-- | ipaserver/install/kra.py | 65 | ||||
-rw-r--r-- | ipaserver/install/server/install.py | 7 | ||||
-rw-r--r-- | ipaserver/install/server/replicainstall.py | 33 | ||||
-rw-r--r-- | ipaserver/install/service.py | 1 | ||||
-rw-r--r-- | ipaserver/plugins/dogtag.py | 2 |
11 files changed, 102 insertions, 96 deletions
@@ -2487,6 +2487,12 @@ option: Str('version?', exclude='webui') output: Output('commands', <type 'dict'>, None) output: Output('methods', <type 'dict'>, None) output: Output('objects', <type 'dict'>, None) +command: kra_is_enabled +args: 0,1,3 +option: Str('version?', exclude='webui') +output: Output('result', <type 'bool'>, None) +output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None) +output: PrimaryKey('value', None, None) command: krbtpolicy_mod args: 1,9,3 arg: Str('uid', attribute=True, cli_name='user', multivalue=False, primary_key=True, query=True, required=False) @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=126 -# Last change: edewata - added vault-archive and vault-retrieve +IPA_API_VERSION_MINOR=127 +# Last change: jcholast - add kra_is_enabled diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py index e1e64aa40..f80ecfdfa 100644 --- a/ipalib/plugins/vault.py +++ b/ipalib/plugins/vault.py @@ -33,7 +33,7 @@ from ipalib import output from ipalib.crud import PKQuery, Retrieve, Update from ipalib.plugable import Registry from ipalib.plugins.baseldap import LDAPObject, LDAPCreate, LDAPDelete,\ - LDAPSearch, LDAPUpdate, LDAPRetrieve + LDAPSearch, LDAPUpdate, LDAPRetrieve, pkey_to_value from ipalib.request import context from ipalib.plugins.user import split_principal from ipalib import _, ngettext @@ -320,7 +320,7 @@ class vault_add(LDAPCreate): **options): assert isinstance(dn, DN) - if not self.api.env.enable_kra: + if not self.api.Command.kra_is_enabled()['result']: raise errors.InvocationError( format=_('KRA service is not enabled')) @@ -344,7 +344,7 @@ class vault_del(LDAPDelete): def pre_callback(self, ldap, dn, *keys, **options): assert isinstance(dn, DN) - if not self.api.env.enable_kra: + if not self.api.Command.kra_is_enabled()['result']: raise errors.InvocationError( format=_('KRA service is not enabled')) 
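Review bot: In vault_add.pre_callback the replacement test `self.api.Command.kra_is_enabled()['result']` turns what was a local config read (`api.env.enable_kra`) into an LDAP search performed on every vault call, and its answer now depends on the caller's bind: find_entries raises NotFound when no cn=KRA master entry matches, and presumably also when the requesting principal cannot read cn=masters,cn=ipa,cn=etc, so such a user is told "KRA service is not enabled" on a topology that does have a KRA. Whether ordinary users are granted read access to that subtree is decided by ACIs not visible in this diff, so this is worth confirming before the pattern lands in eight user-facing commands (vault_del, vault_find, vault_mod, vault_show, vaultconfig_show, vault_archive_encrypted and vault_retrieve_encrypted get the same substitution). If it is kept, a one-line comment at the first call site such as `# KRA presence is looked up in LDAP as the caller; an unreadable cn=masters reads as "not enabled"` would spare the next reader the same investigation. The bodies of these pre_callbacks continue outside the hunks.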
@@ -390,7 +390,7 @@ class vault_find(LDAPSearch): **options): assert isinstance(base_dn, DN) - if not self.api.env.enable_kra: + if not self.api.Command.kra_is_enabled()['result']: raise errors.InvocationError( format=_('KRA service is not enabled')) @@ -422,7 +422,7 @@ class vault_mod(LDAPUpdate): assert isinstance(dn, DN) - if not self.api.env.enable_kra: + if not self.api.Command.kra_is_enabled()['result']: raise errors.InvocationError( format=_('KRA service is not enabled')) @@ -438,7 +438,7 @@ class vault_show(LDAPRetrieve): def pre_callback(self, ldap, dn, attrs_list, *keys, **options): assert isinstance(dn, DN) - if not self.api.env.enable_kra: + if not self.api.Command.kra_is_enabled()['result']: raise errors.InvocationError( format=_('KRA service is not enabled')) @@ -486,7 +486,7 @@ class vaultconfig_show(Retrieve): def execute(self, *args, **options): - if not self.api.env.enable_kra: + if not self.api.Command.kra_is_enabled()['result']: raise errors.InvocationError( format=_('KRA service is not enabled')) @@ -624,7 +624,7 @@ class vault_archive_encrypted(Update): def execute(self, *args, **options): - if not self.api.env.enable_kra: + if not self.api.Command.kra_is_enabled()['result']: raise errors.InvocationError( format=_('KRA service is not enabled')) @@ -774,7 +774,7 @@ class vault_retrieve_encrypted(Retrieve): def execute(self, *args, **options): - if not self.api.env.enable_kra: + if not self.api.Command.kra_is_enabled()['result']: raise errors.InvocationError( format=_('KRA service is not enabled')) 
@@ -813,3 +813,23 @@ class vault_retrieve_encrypted(Retrieve): kra_account.logout() return result + + +@register() +class kra_is_enabled(Command): + NO_CLI = True + + has_output = output.standard_value + + def execute(self, *args, **options): + base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), + self.api.env.basedn) + filter = '(&(objectClass=ipaConfigObject)(cn=KRA))' + try: + self.api.Backend.ldap2.find_entries( + base_dn=base_dn, filter=filter, attrs_list=[]) + except errors.NotFound: + result = False + else: + result = True + return dict(result=result, value=pkey_to_value(None, options)) diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index b83e9482a..174c7d175 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -309,6 +309,8 @@ class BasePathNamespace(object): IPARESTORE_LOG = "/var/log/iparestore.log" IPASERVER_CA_INSTALL_LOG = "/var/log/ipaserver-ca-install.log" IPASERVER_INSTALL_LOG = "/var/log/ipaserver-install.log" + IPASERVER_KRA_INSTALL_LOG = "/var/log/ipaserver-kra-install.log" + IPASERVER_KRA_UNINSTALL_LOG = "/var/log/ipaserver-kra-uninstall.log" IPASERVER_UNINSTALL_LOG = "/var/log/ipaserver-uninstall.log" IPAUPGRADE_LOG = "/var/log/ipaupgrade.log" KADMIND_LOG = "/var/log/kadmind.log" @@ -316,8 +318,6 @@ class BasePathNamespace(object): PKI_CA_LOG_DIR = "/var/log/pki-ca" PKI_CA_INSTALL_LOG = "/var/log/pki-ca-install.log" PKI_CA_UNINSTALL_LOG = "/var/log/pki-ca-uninstall.log" - PKI_KRA_INSTALL_LOG = "/var/log/pki-kra-install.log" - PKI_KRA_UNINSTALL_LOG = "/var/log/pki-kra-uninstall.log" VAR_LOG_PKI_DIR = "/var/log/pki/" TOMCAT_TOPLEVEL_DIR = "/var/log/pki/pki-tomcat" TOMCAT_CA_DIR = "/var/log/pki/pki-tomcat/ca" diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index 9d0998f5f..5fb2bb29f 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py 
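Review bot: The new kra_is_enabled command has no docstring and its local `filter` shadows the builtin; rename it to `search_filter` and open the class with `"""Report whether a KRA service is registered on any IPA master (a cn=KRA entry under cn=masters,cn=ipa,cn=etc)."""`. Note what the search answers: "does some master in the topology advertise a KRA", not "is a KRA reachable from this server", so callers that go on to contact a KRA still need their own failure handling — a comment to that effect above the `find_entries` call would stop the two being conflated. Because the lookup runs through the ldap2 backend, presumably as the requesting principal, an entry hidden by ACI is indistinguishable here from an absent one; the False result should therefore be documented as "not found or not readable by the caller". The paths.py hunks on this line are a log-file rename and need no comment.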
@@ -584,22 +584,6 @@ def read_replica_info_dogtag_port(config_dir): return dogtag_master_ds_port -def read_replica_info_kra_enabled(config_dir): - """ - Check the replica info to determine if a KRA has been installed - on the master - """ - default_file = config_dir + "/default.conf" - if not ipautil.file_exists(default_file): - return False - else: - with open(default_file) as fd: - config = SafeConfigParser() - config.readfp(fd) - - enable_kra = config.getboolean("global", "enable_kra") - return enable_kra - def create_replica_config(dirman_password, filename, options): top_dir = None diff --git a/ipaserver/install/ipa_kra_install.py b/ipaserver/install/ipa_kra_install.py index edb622583..d75a24273 100644 --- a/ipaserver/install/ipa_kra_install.py +++ b/ipaserver/install/ipa_kra_install.py @@ -23,7 +23,10 @@ from ipalib import api from ipaplatform import services from ipaplatform.paths import paths from ipapython import admintool +from ipapython import dogtag from ipapython import ipautil +from ipapython.dn import DN +from ipaserver.install import krainstance from ipaserver.install import installutils from ipaserver.install.installutils import create_replica_config from ipaserver.install import dogtaginstance @@ -80,7 +83,7 @@ class KRAInstall(admintool.AdminTool): class KRAUninstaller(KRAInstall): - log_file_name = paths.PKI_KRA_UNINSTALL_LOG + log_file_name = paths.IPASERVER_KRA_UNINSTALL_LOG def validate_options(self, needs_root=True): super(KRAUninstaller, self).validate_options(needs_root=True) 
@@ -88,18 +91,20 @@ class KRAUninstaller(KRAInstall): if self.args: self.option_parser.error("Too many parameters provided.") - if not api.env.enable_kra: + dogtag_constants = dogtag.configured_constants(api) + _kra = krainstance.KRAInstance(api, dogtag_constants=dogtag_constants) + if not _kra.is_installed(): self.option_parser.error( "Cannot uninstall. There is no KRA installed on this system." ) def run(self): super(KRAUninstaller, self).run() - kra.uninstall() + kra.uninstall(True) class KRAInstaller(KRAInstall): - log_file_name = paths.PKI_KRA_INSTALL_LOG + log_file_name = paths.IPASERVER_KRA_INSTALL_LOG INSTALLER_START_MESSAGE = ''' =================================================================== @@ -161,15 +166,18 @@ class KRAInstaller(KRAInstall): self.replica_file, self.options) + self.options.dm_password = self.options.password self.options.setup_ca = False + api.Backend.ldap2.connect(bind_dn=DN('cn=Directory Manager'), + bind_pw=self.options.dm_password) + try: - kra.install_check(replica_config, self.options, api.env.enable_kra, - int(api.env.dogtag_version)) + kra.install_check(api, replica_config, self.options) except RuntimeError as e: raise admintool.ScriptError(str(e)) - kra.install(replica_config, self.options, self.options.password) + kra.install(api, replica_config, self.options) # Restart apache for new proxy config file services.knownservices.httpd.restart(capture_output=True) diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py index 8083c7427..b55dfb702 100644 --- a/ipaserver/install/kra.py +++ b/ipaserver/install/kra.py 
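Review bot: In KRAUninstaller.validate_options the new `krainstance.KRAInstance(api, dogtag_constants=dogtag_constants)` passes the api object as the first positional argument, whereas kra.py in this same commit constructs the instance as `krainstance.KRAInstance(api.env.realm, dogtag_constants=dogtag_constants)`; one of the two call sites is wrong, and if the first parameter is the realm this one only works because is_installed() happens not to look at it. Make the call sites agree: `_kra = krainstance.KRAInstance(api.env.realm, dogtag_constants=dogtag_constants)`. validate_options starts before the hunk; KRAUninstaller.run is shown in full.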
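Review bot: KRAInstaller.run now binds ldap2 as Directory Manager (`api.Backend.ldap2.connect(bind_dn=DN('cn=Directory Manager'), bind_pw=self.options.dm_password)`) so that kra.install_check can invoke kra_is_enabled, but nothing in the hunk disconnects it, and both install_check and install can raise past that point. Wrap the check-and-install pair in `try: ... finally: api.Backend.ldap2.disconnect()` so the privileged bind is not left open for the remainder of the process. The preceding `self.options.dm_password = self.options.password` also means the same secret now lives under two names on the options object; a comment stating that ipa-kra-install's --password is the Directory Manager password and is intentionally aliased here would make that deliberate. run() starts before the hunk.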
@@ -2,25 +2,25 @@ # Copyright (C) 2015 FreeIPA Contributors see COPYING for license # -import os -from ConfigParser import RawConfigParser -from ipalib import api -from ipaplatform.paths import paths +from ipalib import api, errors from ipapython import dogtag +from ipapython.dn import DN from ipaserver.install import cainstance from ipaserver.install import krainstance from ipaserver.install import dsinstance from ipaserver.install import service -from ipaserver.install.installutils import read_replica_info_kra_enabled -def install_check(replica_config, options, enable_kra, dogtag_version): - if enable_kra: +def install_check(api, replica_config, options): + dogtag_constants = dogtag.configured_constants(api=api) + kra = krainstance.KRAInstance(api.env.realm, + dogtag_constants=dogtag_constants) + if kra.is_installed(): raise RuntimeError("KRA is already installed.") if not options.setup_ca: if cainstance.is_ca_installed_locally(): - if dogtag_version >= 10: + if api.env.dogtag_version >= 10: # correct dogtag version of CA installed pass else: @@ -31,14 +31,11 @@ def install_check(replica_config, options, enable_kra, dogtag_version): "Dogtag CA is not installed. Please install the CA first") if replica_config is not None: - if not read_replica_info_kra_enabled(replica_config.dir): - raise RuntimeError( - "Either KRA is not installed on the master system or " - "your replica file is out of date" - ) + if not api.Command.kra_is_enabled()['result']: + raise RuntimeError("KRA is not installed on the master system") -def install(replica_config, options, dm_password): +def install(api, replica_config, options): subject = dsinstance.DsInstance().find_subject_base() if replica_config is None: kra = krainstance.KRAInstance( 
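Review bot: install_check now takes `api` as a parameter, which shadows the module-level `from ipalib import api` kept at the top of the same hunk, while uninstall() later in this commit still relies on the module-level object — the file silently mixes two sources of `api`. This matters because replicainstall passes `remote_api` here: only the `api.Command.kra_is_enabled()` call is meant to be evaluated against the master, whereas `kra.is_installed()`, `cainstance.is_ca_installed_locally()` and `api.env.dogtag_version` describe the local host, so which api the caller must supply is part of the contract and should be stated. A docstring on install_check saying that `api` must have a connected ldap2 backend and that, for a replica, it is the API bound to the master while every other check is local would capture this; alternatively give uninstall() the same explicit parameter and drop the module import once nothing else uses it.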
@@ -55,31 +52,25 @@ def install(replica_config, options, dm_password): ds = dsinstance.DsInstance() ds.restart() - kra.enable_client_auth_to_db(kra.dogtag_constants.KRA_CS_CFG_PATH) - - # Update config file - parser = RawConfigParser() - parser.read(paths.IPA_DEFAULT_CONF) - parser.set('global', 'enable_kra', 'True') - - with open(paths.IPA_DEFAULT_CONF, 'w') as f: - parser.write(f) + kra.ldap_enable('KRA', api.env.host, options.dm_password, api.env.basedn) + kra.enable_client_auth_to_db(kra.dogtag_constants.KRA_CS_CFG_PATH) -def uninstall(): - dogtag_constants = dogtag.configured_constants(api=api) - kra_instance = krainstance.KRAInstance( - api.env.realm, dogtag_constants=dogtag_constants) - kra_instance.stop_tracking_certificates() - if kra_instance.is_installed(): - kra_instance.uninstall() +def uninstall(standalone): + dogtag_constants = dogtag.configured_constants(api) + kra = krainstance.KRAInstance(api.env.realm, + dogtag_constants=dogtag_constants) - # Check if config file exists, then update it - if os.path.exists(paths.IPA_DEFAULT_CONF): - parser = RawConfigParser() - parser.read(paths.IPA_DEFAULT_CONF) - parser.set('global', 'enable_kra', 'False') + if standalone: + kra.ldap_connect() + try: + kra.admin_conn.delete_entry(DN(('cn', 'KRA'), ('cn', api.env.host), + ('cn', 'masters'), ('cn', 'ipa'), + ('cn', 'etc'), api.env.basedn)) + except errors.NotFound: + pass - with open(paths.IPA_DEFAULT_CONF, 'w') as f: - parser.write(f) + kra.stop_tracking_certificates() + if kra.is_installed(): + kra.uninstall() diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index 89473dc02..bde348518 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -602,8 +602,7 @@ def install_check(installer): if setup_kra: try: - kra.install_check(None, options, False, - dogtag.install_constants.DOGTAG_VERSION) + kra.install_check(api, None, options) except RuntimeError as e: print str(e) sys.exit(1) 
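Review bot: uninstall() opens an admin connection with `kra.ldap_connect()` on the standalone path and never closes it; pair it with the matching disconnect in a `finally` (Service appears to offer `ldap_disconnect()` — confirm) so the Directory Manager bind does not outlive the deletion. The cn=KRA master entry is also deregistered before `kra.stop_tracking_certificates()` and `kra.uninstall()` run, so a failure in the local teardown leaves a KRA that still exists but that kra_is_enabled no longer reports; either deregister after the local steps succeed or note why the current order is preferred. Finally, `standalone` is an undocumented positional boolean that callers invoke as `kra.uninstall(True)` / `kra.uninstall(False)`; add `"""Remove the local KRA; when standalone, also deregister it from cn=masters (the full server uninstall removes that subtree itself)."""` — the parenthetical is my reading of why the flag exists and should be confirmed. The `except errors.NotFound: pass` is a reasonable best-effort, but a debug log line there would help when diagnosing a half-removed master.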
@@ -865,7 +864,7 @@ def install(installer): http.restart() if setup_kra: - kra.install(None, options, dm_password) + kra.install(api, None, options) # Set the admin user kerberos password ds.change_admin_password(admin_password) @@ -1060,7 +1059,7 @@ def uninstall(installer): ntpinstance.NTPInstance(fstore).uninstall() - kra.uninstall() + kra.uninstall(False) ca.uninstall(dogtag_constants) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index 0429a4057..34580ce19 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -379,8 +379,6 @@ def install_check(installer): fd.write("enable_ra=False\n") fd.write("ra_plugin=none\n") - fd.write("enable_kra=%s\n" % config.setup_kra) - fd.write("mode=production\n") fd.close() finally: @@ -480,6 +478,18 @@ def install_check(installer): root_logger.debug('No IPA DNS servers, ' 'skipping forward/reverse resolution check') + if options.setup_ca: + options.realm_name = config.realm_name + options.host_name = config.host_name + options.subject = config.subject_base + ca.install_check(False, config, options) + + if config.setup_kra: + try: + kra.install_check(remote_api, config, options) + except RuntimeError as e: + print str(e) + sys.exit(1) except errors.ACIError: sys.exit("\nThe password provided is incorrect for LDAP server " "%s" % config.master_host_name) @@ -492,20 +502,6 @@ def install_check(installer): if conn.isconnected(): conn.disconnect() - if options.setup_ca: - options.realm_name = config.realm_name - options.host_name = config.host_name - options.subject = config.subject_base - ca.install_check(False, config, options) - - if config.setup_kra: - try: - kra.install_check(config, options, False, - dogtag.install_constants.DOGTAG_VERSION) - except RuntimeError as e: - print str(e) - sys.exit(1) - if options.setup_dns: dns.install_check(False, True, options, config.host_name) else: 
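Review bot: Dropping `fd.write("enable_kra=%s\n" % config.setup_kra)` from the replica file changes a format consumed by other versions: the reader removed in this same commit, read_replica_info_kra_enabled, called `config.getboolean("global", "enable_kra")` with no default, so an older ipa-replica-install given a file produced by this version would, if I read it correctly, fail on the missing option instead of printing the old "replica file is out of date" message. If mixed-version topologies are supported during upgrade, keep writing the key (it is harmless to newer readers) or document the compatibility cut in the commit message. Moving `ca.install_check` and `kra.install_check(remote_api, config, options)` inside the connected block is right given that the KRA check now queries the master live; a one-line comment above them, `# must run while conn is bound: kra.install_check queries the master via remote_api`, would explain the relocation to the next reader. install_check starts before these hunks and continues after them.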
@@ -567,10 +563,11 @@ def install(installer): if conn.isconnected(): conn.disconnect() + options.dm_password = config.dirman_password + if config.setup_ca: options.realm_name = config.realm_name options.domain_name = config.domain_name - options.dm_password = config.dirman_password options.host_name = config.host_name ca.install(False, config, options) @@ -591,7 +588,7 @@ def install(installer): ds.apply_updates() if options.setup_kra: - kra.install(config, options, config.dirman_password) + kra.install(api, config, options) else: service.print_msg("Restarting the directory server") ds.restart() diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py index e4e5dd3ac..88307a077 100644 --- a/ipaserver/install/service.py +++ b/ipaserver/install/service.py @@ -41,6 +41,7 @@ SERVICE_LIST = { 'MEMCACHE': ('ipa_memcached', 39), 'HTTP': ('httpd', 40), 'CA': ('%sd' % dogtag.configured_constants().PKI_INSTANCE_NAME, 50), + 'KRA': ('%sd' % dogtag.configured_constants().PKI_INSTANCE_NAME, 51), 'ADTRUST': ('smb', 60), 'EXTID': ('winbind', 70), 'OTPD': ('ipa-otpd', 80), diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index e60cced1a..a5b7d2382 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1909,7 +1909,7 @@ class kra(Backend): Raises a generic exception if KRA is not enabled. """ - if not api.env.enable_kra: + if not self.api.Command.kra_is_enabled()['result']: # TODO: replace this with a more specific exception raise RuntimeError('KRA service is not enabled') |