author Nathan Kinder <nkinder@redhat.com> 2013-10-04 12:41:43 -0700
committer Nathan Kinder <nkinder@redhat.com> 2013-10-07 09:56:29 -0700
commit 443159f77e87a70bc85ab85f5ad58b9169def88a (patch)
tree 3c868e505b9ee2efbcba2fc0ae3c5adcbe440d81
parent 1b3f3bd95dfc3ed71014460d01600eda5d934977 (diff)
Ticket 755 - Detect unescaped percent characters in deployment files
The deployment config files used by pkispawn support interpolation as supplied by ConfigParser. Interpolation uses the '%' character, which means values that need to contain a '%' character need to be properly escaped. This patch detects errors with unescaped '%' characters and reports a useful message back to the user who is running pkispawn. This patch also adds notes to the pkispawn and pki_default.cfg man pages to explain that escaping of '%' characters is required.
-rw-r--r-- base/server/man/man5/pki_default.cfg.5 | 3
-rw-r--r-- base/server/man/man8/pkispawn.8 | 3
-rw-r--r-- base/server/python/pki/server/deployment/pkimessages.py | 6
-rw-r--r-- base/server/python/pki/server/deployment/pkiparser.py | 6
4 files changed, 18 insertions, 0 deletions
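The failure mode described in the commit message, as an added example (not code from the PKI project): a pre-flight check that lists every option whose value fails interpolation, so the offending setting can be fixed before deployment. It assumes Python 3's configparser (the patch uses the Python 2 ConfigParser module); the sample file and the example_* option names are constructed.

```python
import configparser

# Constructed sample deployment file; example_* names are hypothetical.
SAMPLE = """\
[DEFAULT]
pki_instance_name = pki-tomcat
example_admin_password = s3cret%abc
example_backup_password = s3cret%%abc

[CA]
pki_ca_signing_nickname = caSigningCert cert-%(pki_instance_name)s CA
example_ds_password = 100%
example_token_name = %(no_such_option)s
"""


def find_interpolation_errors(text):
    """Return sorted (section, option, kind) for each value that fails interpolation."""
    parser = configparser.ConfigParser()  # BasicInterpolation is the default
    parser.read_string(text)              # parsing alone does not interpolate
    defaults = parser.defaults()          # raw [DEFAULT] values
    problems = []
    for section in [parser.default_section] + parser.sections():
        for option in parser[section]:
            raw = parser.get(section, option, raw=True)
            if section != parser.default_section and defaults.get(option) == raw:
                continue  # inherited unchanged from [DEFAULT]; reported there
            try:
                parser.get(section, option)  # interpolation happens on access
            except configparser.InterpolationSyntaxError:
                # '%' not followed by '%' or '(': a literal percent left unescaped
                problems.append((section, option, "unescaped-percent"))
            except configparser.InterpolationError:
                # e.g. a %(name)s reference to an option that does not exist
                problems.append((section, option, "other-interpolation-error"))
    return sorted(problems)


if __name__ == "__main__":
    for section, option, kind in find_interpolation_errors(SAMPLE):
        print(f"[{section}] {option}: {kind}")
```

The check reports only section and option names, never the raw values, so passwords in the file do not end up in output or logs.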
diff --git a/base/server/man/man5/pki_default.cfg.5 b/base/server/man/man5/pki_default.cfg.5
index ec2379a9f..395bb3164 100644
--- a/base/server/man/man5/pki_default.cfg.5
+++ b/base/server/man/man5/pki_default.cfg.5
@@ -31,6 +31,9 @@ There are a small number of bootstrap parameters which are passed in the configu
\fBpki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA\fP
.PP
This substitutes the value of pki_instance_name into the parameter value. It is possible to interpolate any parameter within a section or in [DEFAULT]. Any parameter used in interpolation can \fBONLY\fP be overridden within the same section. So, for example, pki_instance_name should only be overridden in [DEFAULT]; otherwise, interpolations can fail.
+.TP
+\fBNote:\fP
+Any parameter values in the configuration file that needs to contain a \fB%\fP character must be properly escaped. For example, a value of \fBfoo%bar\fP would be specified as \fBfoo%%bar\fP in the configuration file.
.SH GENERAL INSTANCE PARAMETERS
The parameters described below, as well as the parameters located in the following sections, can be customized as part of a deployment. This list is not exhaustive.
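Review bot: The added note reads "Any parameter values ... that needs to contain", which should be "need", and "properly escaped" sits directly below the %(pki_instance_name)s example without saying that interpolation references keep their single '%'. Suggest wording along the lines of: a literal % in a parameter value must be written as %%, while %(name)s references are left unchanged.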
diff --git a/base/server/man/man8/pkispawn.8 b/base/server/man/man8/pkispawn.8
index 1cc863402..a636fbb14 100644
--- a/base/server/man/man8/pkispawn.8
+++ b/base/server/man/man8/pkispawn.8
@@ -39,6 +39,9 @@ respectively.
The instances are created based on values for configuration parameters in the default configuration (/etc/pki/default.cfg) and the user-provided configuration file. The user-provided configuration file is read after the default configuration file, so any parameters defined in that file will override parameters in the default configuration file. In general, most users will store only those parameters which are different from the default configuration in their user-provided configuration file.
.PP
This configuration file contains directives that are divided into sections for different subsystem types (such as [DEFAULT], [CA], and [KRA]). These sections are stacked, so that parameters read in earlier sections can be overwritten by parameters in later sections. For the Java subsystems (CA, KRA, OCSP and TKS), the sections read are [DEFAULT], [Tomcat] and the subsystem-type section ([CA], [KRA], [OCSP], or [TKS]), in that order. This allows the ability to specify parameters to be shared by all subsystems in [DEFAULT] or [Tomcat], and system-specific upgrades in the [CA], [KRA], and other sections.
+.TP
+\fBNote:\fP
+Any parameter values in the configuration file that needs to contain a \fB%\fP character must be properly escaped. For example, a value of \fBfoo%bar\fP would be specified as \fBfoo%%bar\fP in the configuration file.
.PP
At a minimum, the user-defined configuration file must provide some passwords needed for the install. An example configuration file is provided in the
.B EXAMPLES
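Review bot: The added note is a verbatim copy of the one in pki_default.cfg.5, including the "values ... that needs" agreement slip, and it sits just before the paragraph stating that the user-defined file must provide passwords. Since passwords are the values this file is required to carry, the note would help more if it named them explicitly, for example "including passwords", so that a user whose password contains '%' sees that it applies to them.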
diff --git a/base/server/python/pki/server/deployment/pkimessages.py b/base/server/python/pki/server/deployment/pkimessages.py
index 339ee149e..5e996667d 100644
--- a/base/server/python/pki/server/deployment/pkimessages.py
+++ b/base/server/python/pki/server/deployment/pkimessages.py
@@ -179,6 +179,12 @@ PKIHELPER_CREATE_SECURITY_DATABASES_1 = "executing '%s'"
PKIHELPER_DANGLING_SYMLINK_2 = "Dangling symlink '%s'-->'%s'"
PKIHELPER_DICTIONARY_MASTER_MISSING_KEY_1 = "KeyError: Master dictionary "\
"is missing the key called '%s'!"
+PKIHELPER_DICTIONARY_INTERPOLATION_1 = "Deployment file could not be parsed "\
+ "correctly. This might be because of "\
+ "unescaped '%%' characters. You must "\
+ "escape '%%' characters in deployment "\
+ "files (example - 'setting=foo%%%%bar')."
+PKIHELPER_DICTIONARY_INTERPOLATION_2 = "Interpolation error (%s)"
PKIHELPER_DIRECTORY_IS_EMPTY_1 = "directory '%s' is empty"
PKIHELPER_DIRECTORY_IS_NOT_EMPTY_1 = "directory '%s' is NOT empty"
PKIHELPER_GID_2 = "GID of '%s' is %s"
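Review bot: PKIHELPER_DICTIONARY_INTERPOLATION_1 takes no '%s' argument and PKIHELPER_DICTIONARY_INTERPOLATION_2 takes one, while the neighbouring names in this hunk use the numeric suffix as the argument count (PKIHELPER_DANGLING_SYMLINK_2 has two, PKIHELPER_DIRECTORY_IS_EMPTY_1 has one). Consider renaming them to match. The missing argument also matters for the text itself: the '%%' and '%%%%' sequences only collapse to '%' and '%%' if %-formatting is applied, and Python's standard logging skips formatting when a message is logged with no arguments, as the pkiparser.py call does. If pki_log is a standard logger, the user would be shown 'setting=foo%%%%bar' as the example; either write the message with the literal characters intended or make sure it goes through formatting.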
diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
index 523d79e78..8a75b8fe3 100644
--- a/base/server/python/pki/server/deployment/pkiparser.py
+++ b/base/server/python/pki/server/deployment/pkiparser.py
@@ -1120,6 +1120,12 @@ class PKIConfigParser:
config.pki_log.error(log.PKIHELPER_DICTIONARY_MASTER_MISSING_KEY_1,
err, extra=config.PKI_INDENTATION_LEVEL_2)
raise
+ except ConfigParser.InterpolationSyntaxError as err:
+ config.pki_log.error(log.PKIHELPER_DICTIONARY_INTERPOLATION_1,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ config.pki_log.error(log.PKIHELPER_DICTIONARY_INTERPOLATION_2, err,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
return
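Review bot: The new except clause catches only ConfigParser.InterpolationSyntaxError, so other interpolation failures, such as a %(name)s reference to an option that does not exist (InterpolationMissingOptionError), still escape without a logged explanation. Catching the base ConfigParser.InterpolationError would cover them, with the "unescaped '%'" hint kept for the syntax-error case only. Separately, this handler ends with sys.exit(1) while the handler just above it logs and re-raises; a short comment on why this path exits instead would help, and since the hunk does not show the imports, please confirm that sys is imported in pkiparser.py.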