author | Endi S. Dewata <edewata@redhat.com> | 2016-04-27 01:42:12 +0200 |
committer | Endi S. Dewata <edewata@redhat.com> | 2016-05-03 02:48:40 +0200 |
commit | 599cf1a65203e4b6ec83cf46fe776fc9ebc07ddd (patch) | |
tree | 872f557ad64af1225255d7b2d9f793e5d7817ab1 | |
parent | 901141696b2206b35e498b03ff9867564057c84b (diff) | |
Added client database scriptlet.
The code that generates the client database has been moved into a
new scriptlet.
https://fedorahosted.org/pki/ticket/2278
4 files changed, 85 insertions, 32 deletions
diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
index dc30468df..984c10429 100644
--- a/base/server/etc/default.cfg
+++ b/base/server/etc/default.cfg
@@ -41,6 +41,7 @@ spawn_scriplets=
     webapp_deployment
     slot_substitution
     security_databases
+    client_database
     configuration
     finalization
diff --git a/base/server/python/pki/server/deployment/pkimessages.py b/base/server/python/pki/server/deployment/pkimessages.py
index c8821bbb6..ee35a2f8d 100644
--- a/base/server/python/pki/server/deployment/pkimessages.py
+++ b/base/server/python/pki/server/deployment/pkimessages.py
@@ -445,6 +445,7 @@ SUBSYSTEM_SPAWN_1 = "populating '%s'"
 WEBAPP_DEPLOYMENT_DESTROY_1 = "removing '%s'"
 WEBAPP_DEPLOYMENT_SPAWN_1 = "deploying '%s'"
 SKIP_ADMIN_DOMAIN_SPAWN_1 = "skip populating '%s'"
+SKIP_CLIENT_DATABASE_SPAWN_1 = "skip generating '%s'"
 SKIP_CONFIGURATION_SPAWN_1 = "skip configuring '%s'"
 SKIP_FINALIZATION_SPAWN_1 = "skip finalizing '%s'"
 SKIP_INITIALIZATION_SPAWN_1 = "skip initializing '%s'"
diff --git a/base/server/python/pki/server/deployment/scriptlets/client_database.py b/base/server/python/pki/server/deployment/scriptlets/client_database.py
new file mode 100644
index 000000000..31abb6feb
--- /dev/null
+++ b/base/server/python/pki/server/deployment/scriptlets/client_database.py
@@ -0,0 +1,83 @@
+# Authors:
+#     Matthew Harmsen <mharmsen@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2016 Red Hat, Inc.
+# All rights reserved.
+#
+
+from __future__ import absolute_import
+
+# PKI Deployment Imports
+from .. import pkiconfig as config
+from .. import pkimessages as log
+from .. import pkiscriptlet
+
+
+# PKI Deployment Client Database Scriptlet
+class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
+
+    def spawn(self, deployer):
+
+        if config.str2bool(deployer.mdict['pki_skip_configuration']):
+            config.pki_log.info(log.SKIP_CLIENT_DATABASE_SPAWN_1, __name__,
+                                extra=config.PKI_INDENTATION_LEVEL_1)
+            return
+
+        # Place "slightly" less restrictive permissions on
+        # the top-level client directory ONLY
+
+        deployer.directory.create(
+            deployer.mdict['pki_client_subsystem_dir'],
+            uid=0, gid=0,
+            perms=config.PKI_DEPLOYMENT_DEFAULT_CLIENT_DIR_PERMISSIONS)
+
+        # Since 'certutil' does NOT strip the 'token=' portion of
+        # the 'token=password' entries, create a client password file
+        # which ONLY contains the 'password' for the purposes of
+        # allowing 'certutil' to generate the security databases
+
+        deployer.password.create_password_conf(
+            deployer.mdict['pki_client_password_conf'],
+            deployer.mdict['pki_client_database_password'], pin_sans_token=True)
+
+        deployer.file.modify(
+            deployer.mdict['pki_client_password_conf'],
+            uid=0, gid=0)
+
+        # Similarly, create a simple password file containing the
+        # PKCS #12 password used when exporting the "Admin Certificate"
+        # into a PKCS #12 file
+
+        deployer.password.create_client_pkcs12_password_conf(
+            deployer.mdict['pki_client_pkcs12_password_conf'])
+
+        deployer.file.modify(deployer.mdict['pki_client_pkcs12_password_conf'])
+
+        deployer.directory.create(
+            deployer.mdict['pki_client_database_dir'],
+            uid=0, gid=0)
+
+        deployer.certutil.create_security_databases(
+            deployer.mdict['pki_client_database_dir'],
+            deployer.mdict['pki_client_cert_database'],
+            deployer.mdict['pki_client_key_database'],
+            deployer.mdict['pki_client_secmod_database'],
+            password_file=deployer.mdict['pki_client_password_conf'])
+
+
+    def destroy(self, deployer):
+
+        pass
diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py
index fc5dc84c4..17ca83681 100644
--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py
+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py
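Review bot: The two secret-holding files are given different ownership in spawn(): `pki_client_password_conf` is fixed up with `uid=0, gid=0`, while the following `deployer.file.modify(deployer.mdict['pki_client_pkcs12_password_conf'])` passes no uid/gid, so the PKCS #12 password file gets whatever `file.modify` defaults to, and neither call states a file mode even though both files contain passwords. If root ownership is intended for both, pass `uid=0, gid=0` on the second call as well, and consider an explicit `perms=` on both (as `directory.create` takes a few lines above, if `file.modify` accepts the same keyword) so the restriction does not depend on a default defined elsewhere. The skip check reuses `pki_skip_configuration` rather than a flag of its own, which deserves a comment such as `# Gated by pki_skip_configuration: skipping configuration also skips client database generation` so the coupling reads as deliberate. `destroy` is a no-op; if no other scriptlet removes `pki_client_subsystem_dir`, both password files outlive the instance — confirm against the layout scriptlets' destroy paths.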
@@ -54,38 +54,6 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
         config.pki_log.info(log.CONFIGURATION_SPAWN_1, __name__,
                             extra=config.PKI_INDENTATION_LEVEL_1)
-        # Place "slightly" less restrictive permissions on
-        # the top-level client directory ONLY
-        deployer.directory.create(
-            deployer.mdict['pki_client_subsystem_dir'],
-            uid=0, gid=0,
-            perms=config.PKI_DEPLOYMENT_DEFAULT_CLIENT_DIR_PERMISSIONS)
-        # Since 'certutil' does NOT strip the 'token=' portion of
-        # the 'token=password' entries, create a client password file
-        # which ONLY contains the 'password' for the purposes of
-        # allowing 'certutil' to generate the security databases
-        deployer.password.create_password_conf(
-            deployer.mdict['pki_client_password_conf'],
-            deployer.mdict['pki_client_database_password'], pin_sans_token=True)
-        deployer.file.modify(
-            deployer.mdict['pki_client_password_conf'],
-            uid=0, gid=0)
-        # Similarly, create a simple password file containing the
-        # PKCS #12 password used when exporting the "Admin Certificate"
-        # into a PKCS #12 file
-        deployer.password.create_client_pkcs12_password_conf(
-            deployer.mdict['pki_client_pkcs12_password_conf'])
-        deployer.file.modify(deployer.mdict['pki_client_pkcs12_password_conf'])
-        deployer.directory.create(
-            deployer.mdict['pki_client_database_dir'],
-            uid=0, gid=0)
-        deployer.certutil.create_security_databases(
-            deployer.mdict['pki_client_database_dir'],
-            deployer.mdict['pki_client_cert_database'],
-            deployer.mdict['pki_client_key_database'],
-            deployer.mdict['pki_client_secmod_database'],
-            password_file=deployer.mdict['pki_client_password_conf'])
-
         instance = pki.server.PKIInstance(deployer.mdict['pki_instance_name'])
         instance.load()