From e7ac57e1390c76c3d7fdb2710808def107d21d6d Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Wed, 10 Jun 2015 08:50:42 +0000
Subject: vault: Fix ipa-kra-install
Use state in LDAP rather than local state to check if KRA is installed. Use correct log file names.
https://fedorahosted.org/freeipa/ticket/3872
Reviewed-By: David Kupka
---
 ipaserver/install/installutils.py | 16 --------
 ipaserver/install/ipa_kra_install.py | 22 ++++++----
 ipaserver/install/kra.py | 65 +++++++++++++-----------------
 ipaserver/install/server/install.py | 7 ++--
 ipaserver/install/server/replicainstall.py | 33 +++++++--------
 ipaserver/install/service.py | 1 +
 6 files changed, 62 insertions(+), 82 deletions(-)
(limited to 'ipaserver/install')
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 9d0998f5f..5fb2bb29f 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -584,22 +584,6 @@ def read_replica_info_dogtag_port(config_dir):
 return dogtag_master_ds_port
-def read_replica_info_kra_enabled(config_dir):
- """
- Check the replica info to determine if a KRA has been installed
- on the master
- """
- default_file = config_dir + "/default.conf"
- if not ipautil.file_exists(default_file):
- return False
- else:
- with open(default_file) as fd:
- config = SafeConfigParser()
- config.readfp(fd)
-
- enable_kra = config.getboolean("global", "enable_kra")
- return enable_kra
-
 def create_replica_config(dirman_password, filename, options):
 top_dir = None
diff --git a/ipaserver/install/ipa_kra_install.py b/ipaserver/install/ipa_kra_install.py
index edb622583..d75a24273 100644
--- a/ipaserver/install/ipa_kra_install.py
+++ b/ipaserver/install/ipa_kra_install.py
@@ -23,7 +23,10 @@ from ipalib import api
 from ipaplatform import services
 from ipaplatform.paths import paths
 from ipapython import admintool
+from ipapython import dogtag
 from ipapython import ipautil
+from ipapython.dn import DN
+from ipaserver.install import krainstance
 from ipaserver.install import installutils
 from ipaserver.install.installutils import create_replica_config
 from ipaserver.install import dogtaginstance
@@ -80,7 +83,7 @@ class KRAInstall(admintool.AdminTool):
 class KRAUninstaller(KRAInstall):
- log_file_name = paths.PKI_KRA_UNINSTALL_LOG
+ log_file_name = paths.IPASERVER_KRA_UNINSTALL_LOG
 def validate_options(self, needs_root=True):
 super(KRAUninstaller, self).validate_options(needs_root=True)
@@ -88,18 +91,20 @@ class KRAUninstaller(KRAInstall):
 if self.args:
 self.option_parser.error("Too many parameters provided.")
- if not api.env.enable_kra:
+ dogtag_constants = dogtag.configured_constants(api)
+ _kra = krainstance.KRAInstance(api, dogtag_constants=dogtag_constants)
+ if not _kra.is_installed():
 self.option_parser.error(
 "Cannot uninstall. There is no KRA installed on this system."
 )
 def run(self):
 super(KRAUninstaller, self).run()
- kra.uninstall()
+ kra.uninstall(True)
 class KRAInstaller(KRAInstall):
- log_file_name = paths.PKI_KRA_INSTALL_LOG
+ log_file_name = paths.IPASERVER_KRA_INSTALL_LOG
 INSTALLER_START_MESSAGE = '''
 ===================================================================
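Review bot: In validate_options the new `_kra = krainstance.KRAInstance(api, dogtag_constants=dogtag_constants)` passes the api object as the first positional argument, whereas every other KRAInstance call in this commit (install_check and uninstall in kra.py) passes `api.env.realm`. If that parameter is the realm name, as the kra.py call sites suggest, the uninstaller's `is_installed()` guard is built on the wrong value and may fail to detect an installed KRA; `_kra = krainstance.KRAInstance(api.env.realm, dogtag_constants=dogtag_constants)` would match the others. Since the commit's stated purpose is to read the install state from LDAP, and nothing in this hunk connects to LDAP before the call, a one-line comment saying whether is_installed() consults LDAP or only local files would help the next reader.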
@@ -161,15 +166,18 @@ class KRAInstaller(KRAInstall):
 self.replica_file, self.options)
+ self.options.dm_password = self.options.password
 self.options.setup_ca = False
+ api.Backend.ldap2.connect(bind_dn=DN('cn=Directory Manager'),
+ bind_pw=self.options.dm_password)
+
 try:
- kra.install_check(replica_config, self.options, api.env.enable_kra,
- int(api.env.dogtag_version))
+ kra.install_check(api, replica_config, self.options)
 except RuntimeError as e:
 raise admintool.ScriptError(str(e))
- kra.install(replica_config, self.options, self.options.password)
+ kra.install(api, replica_config, self.options)
 # Restart apache for new proxy config file
 services.knownservices.httpd.restart(capture_output=True)
diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py
index 8083c7427..b55dfb702 100644
--- a/ipaserver/install/kra.py
+++ b/ipaserver/install/kra.py
@@ -2,25 +2,25 @@
 # Copyright (C) 2015 FreeIPA Contributors see COPYING for license
 #
-import os
-from ConfigParser import RawConfigParser
-from ipalib import api
-from ipaplatform.paths import paths
+from ipalib import api, errors
 from ipapython import dogtag
+from ipapython.dn import DN
 from ipaserver.install import cainstance
 from ipaserver.install import krainstance
 from ipaserver.install import dsinstance
 from ipaserver.install import service
-from ipaserver.install.installutils import read_replica_info_kra_enabled
-def install_check(replica_config, options, enable_kra, dogtag_version):
- if enable_kra:
+def install_check(api, replica_config, options):
+ dogtag_constants = dogtag.configured_constants(api=api)
+ kra = krainstance.KRAInstance(api.env.realm,
+ dogtag_constants=dogtag_constants)
+ if kra.is_installed():
 raise RuntimeError("KRA is already installed.")
 if not options.setup_ca:
 if cainstance.is_ca_installed_locally():
- if dogtag_version >= 10:
+ if api.env.dogtag_version >= 10:
 # correct dogtag version of CA installed
 pass
 else:
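Review bot: `api.Backend.ldap2.connect(bind_dn=DN('cn=Directory Manager'), bind_pw=self.options.dm_password)` opens a Directory Manager bound connection that nothing in this hunk closes, and both `kra.install` and the httpd restart run after it; run() continues past the hunk, so if no later line disconnects, wrap the install in `try:` … `finally: api.Backend.ldap2.disconnect()` so the privileged connection is released even when kra.install raises. The added `self.options.dm_password = self.options.password` makes the tool's single password double as the Directory Manager password, which kra.install later needs under that name; a comment such as `# ipa-kra-install takes one password; it is the Directory Manager password, which kra.install reads as options.dm_password` would record that assumption where it is made.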
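Review bot: `def install_check(api, replica_config, options):` introduces a parameter named `api` that shadows the module-level `from ipalib import api, errors`; `install` in the next hunk does the same, while `uninstall` keeps using the global. That looks deliberate, since replicainstall passes `remote_api` so that queries go to the master, but nothing in the file says so; a docstring on install_check such as `"""Verify that a KRA can be installed. *api* is the API instance whose backend is connected to the server holding the master's state (remote_api on a replica)."""` would make the contract explicit. The keyword form `dogtag.configured_constants(api=api)` here versus the positional `dogtag.configured_constants(api)` in uninstall and in ipa_kra_install is a small inconsistency worth unifying.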
@@ -31,14 +31,11 @@ def install_check(replica_config, options, enable_kra, dogtag_version):
 "Dogtag CA is not installed. Please install the CA first")
 if replica_config is not None:
- if not read_replica_info_kra_enabled(replica_config.dir):
- raise RuntimeError(
- "Either KRA is not installed on the master system or "
- "your replica file is out of date"
- )
+ if not api.Command.kra_is_enabled()['result']:
+ raise RuntimeError("KRA is not installed on the master system")
-def install(replica_config, options, dm_password):
+def install(api, replica_config, options):
 subject = dsinstance.DsInstance().find_subject_base()
 if replica_config is None:
 kra = krainstance.KRAInstance(
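Review bot: `if not api.Command.kra_is_enabled()['result']:` assumes the server behind `api` provides the kra_is_enabled command; the removed branch explicitly covered the case where the master-side information was stale. If the master runs a release without that command, the lookup fails with whatever error the API raises for an unknown command rather than RuntimeError, so the `except RuntimeError` paths in ipa_kra_install and replicainstall will not print their friendly message. Consider wrapping the call and re-raising as RuntimeError with a message that the master lacks the command or is too old, so the callers keep their existing error path. install_check begins in the previous hunk, and `install`, whose signature changes at the end of this hunk, continues beyond it.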
@@ -55,31 +52,25 @@ def install(replica_config, options, dm_password):
 ds = dsinstance.DsInstance()
 ds.restart()
- kra.enable_client_auth_to_db(kra.dogtag_constants.KRA_CS_CFG_PATH)
-
- # Update config file
- parser = RawConfigParser()
- parser.read(paths.IPA_DEFAULT_CONF)
- parser.set('global', 'enable_kra', 'True')
-
- with open(paths.IPA_DEFAULT_CONF, 'w') as f:
- parser.write(f)
+ kra.ldap_enable('KRA', api.env.host, options.dm_password, api.env.basedn)
+ kra.enable_client_auth_to_db(kra.dogtag_constants.KRA_CS_CFG_PATH)
-def uninstall():
- dogtag_constants = dogtag.configured_constants(api=api)
- kra_instance = krainstance.KRAInstance(
- api.env.realm, dogtag_constants=dogtag_constants)
- kra_instance.stop_tracking_certificates()
- if kra_instance.is_installed():
- kra_instance.uninstall()
+def uninstall(standalone):
+ dogtag_constants = dogtag.configured_constants(api)
+ kra = krainstance.KRAInstance(api.env.realm,
+ dogtag_constants=dogtag_constants)
- # Check if config file exists, then update it
- if os.path.exists(paths.IPA_DEFAULT_CONF):
- parser = RawConfigParser()
- parser.read(paths.IPA_DEFAULT_CONF)
- parser.set('global', 'enable_kra', 'False')
+ if standalone:
+ kra.ldap_connect()
+ try:
+ kra.admin_conn.delete_entry(DN(('cn', 'KRA'), ('cn', api.env.host),
+ ('cn', 'masters'), ('cn', 'ipa'),
+ ('cn', 'etc'), api.env.basedn))
+ except errors.NotFound:
+ pass
- with open(paths.IPA_DEFAULT_CONF, 'w') as f:
- parser.write(f)
+ kra.stop_tracking_certificates()
+ if kra.is_installed():
+ kra.uninstall()
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 89473dc02..bde348518 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -602,8 +602,7 @@ def install_check(installer):
 if setup_kra:
 try:
- kra.install_check(None, options, False,
- dogtag.install_constants.DOGTAG_VERSION)
+ kra.install_check(api, None, options)
 except RuntimeError as e:
 print str(e)
 sys.exit(1)
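Review bot: In the new `uninstall(standalone)`, `kra.ldap_connect()` is called but no matching disconnect appears before `kra.uninstall()`, so the admin connection stays open across certificate untracking and instance removal; unless KRAInstance closes it itself, a `finally` around the delete_entry block should release it. The DN built as `DN(('cn', 'KRA'), ('cn', api.env.host), ('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)` is the counterpart of what `kra.ldap_enable('KRA', api.env.host, options.dm_password, api.env.basedn)` records in install, and keeping both behind one helper would stop the pair from drifting apart. `standalone` is a bare positional boolean that callers pass as `kra.uninstall(True)` and `kra.uninstall(False)`; a docstring line such as `standalone: True when run from ipa-kra-install, which is the only mode that also removes the KRA master entry from LDAP` would explain why the entry is deleted in one mode only.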
@@ -865,7 +864,7 @@ def install(installer):
 http.restart()
 if setup_kra:
- kra.install(None, options, dm_password)
+ kra.install(api, None, options)
 # Set the admin user kerberos password
 ds.change_admin_password(admin_password)
@@ -1060,7 +1059,7 @@ def uninstall(installer):
 ntpinstance.NTPInstance(fstore).uninstall()
- kra.uninstall()
+ kra.uninstall(False)
 ca.uninstall(dogtag_constants)
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 0429a4057..34580ce19 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -379,8 +379,6 @@ def install_check(installer):
 fd.write("enable_ra=False\n")
 fd.write("ra_plugin=none\n")
- fd.write("enable_kra=%s\n" % config.setup_kra)
-
 fd.write("mode=production\n")
 fd.close()
 finally:
@@ -480,6 +478,18 @@ def install_check(installer):
 root_logger.debug('No IPA DNS servers, ' 'skipping forward/reverse resolution check')
+ if options.setup_ca:
+ options.realm_name = config.realm_name
+ options.host_name = config.host_name
+ options.subject = config.subject_base
+ ca.install_check(False, config, options)
+
+ if config.setup_kra:
+ try:
+ kra.install_check(remote_api, config, options)
+ except RuntimeError as e:
+ print str(e)
+ sys.exit(1)
 except errors.ACIError:
 sys.exit("\nThe password provided is incorrect for LDAP server " "%s" % config.master_host_name)
@@ -492,20 +502,6 @@ def install_check(installer):
 if conn.isconnected():
 conn.disconnect()
- if options.setup_ca:
- options.realm_name = config.realm_name
- options.host_name = config.host_name
- options.subject = config.subject_base
- ca.install_check(False, config, options)
-
- if config.setup_kra:
- try:
- kra.install_check(config, options, False,
- dogtag.install_constants.DOGTAG_VERSION)
- except RuntimeError as e:
- print str(e)
- sys.exit(1)
-
 if options.setup_dns:
 dns.install_check(False, True, options, config.host_name)
 else:
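Review bot: The moved `ca.install_check(False, config, options)` and `kra.install_check(remote_api, config, options)` calls now sit inside the `try` whose `except errors.ACIError:` handler reports "The password provided is incorrect for LDAP server"; placing them there is needed so remote_api is still connected, but any ACIError raised from those checks, for example by the kra_is_enabled query kra.install_check makes through remote_api, would now be reported as a wrong password. If that is acceptable, a comment on the moved block such as `# must run while the connection to the master is open: kra.install_check queries the master through remote_api` explains the ordering; otherwise keep the ACIError handler tight around the bind and let the checks surface their own errors. The `try` opens before this hunk, so the rest of install_check's error handling is not visible here.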
@@ -567,10 +563,11 @@ def install(installer):
 if conn.isconnected():
 conn.disconnect()
+ options.dm_password = config.dirman_password
+
 if config.setup_ca:
 options.realm_name = config.realm_name
 options.domain_name = config.domain_name
- options.dm_password = config.dirman_password
 options.host_name = config.host_name
 ca.install(False, config, options)
@@ -591,7 +588,7 @@ def install(installer):
 ds.apply_updates()
 if options.setup_kra:
- kra.install(config, options, config.dirman_password)
+ kra.install(api, config, options)
 else:
 service.print_msg("Restarting the directory server")
 ds.restart()
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index e4e5dd3ac..88307a077 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -41,6 +41,7 @@ SERVICE_LIST = {
 'MEMCACHE': ('ipa_memcached', 39),
 'HTTP': ('httpd', 40),
 'CA': ('%sd' % dogtag.configured_constants().PKI_INSTANCE_NAME, 50),
+ 'KRA': ('%sd' % dogtag.configured_constants().PKI_INSTANCE_NAME, 51),
 'ADTRUST': ('smb', 60),
 'EXTID': ('winbind', 70),
 'OTPD': ('ipa-otpd', 80),
-- cgit
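Review bot: The new `'KRA': ('%sd' % dogtag.configured_constants().PKI_INSTANCE_NAME, 51),` in service.py maps KRA to exactly the same daemon name as the `'CA'` entry directly above it. If SERVICE_LIST drives starting and stopping of services, that daemon will now be handled twice under two names; if the entry exists only so that `kra.ldap_enable('KRA', ...)` in kra.py has a service name to record, a comment such as `# KRA runs inside the CA's Dogtag instance, so it maps to the same daemon as 'CA'` would keep a later reader from treating it as a copy-paste mistake.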