summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorEndi S. Dewata <edewata@redhat.com>2016-04-27 01:42:12 +0200
committerEndi S. Dewata <edewata@redhat.com>2016-05-03 02:48:40 +0200
commit599cf1a65203e4b6ec83cf46fe776fc9ebc07ddd (patch)
tree872f557ad64af1225255d7b2d9f793e5d7817ab1
parent901141696b2206b35e498b03ff9867564057c84b (diff)
downloadpki-599cf1a65203e4b6ec83cf46fe776fc9ebc07ddd.zip
pki-599cf1a65203e4b6ec83cf46fe776fc9ebc07ddd.tar.gz
pki-599cf1a65203e4b6ec83cf46fe776fc9ebc07ddd.tar.xz
Added client database scriptlet.
The code that generates the client database has been moved into a new scriptlet. https://fedorahosted.org/pki/ticket/2278
-rw-r--r--base/server/etc/default.cfg1
-rw-r--r--base/server/python/pki/server/deployment/pkimessages.py1
-rw-r--r--base/server/python/pki/server/deployment/scriptlets/client_database.py83
-rw-r--r--base/server/python/pki/server/deployment/scriptlets/configuration.py32
4 files changed, 85 insertions, 32 deletions
diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
index dc30468..984c104 100644
--- a/base/server/etc/default.cfg
+++ b/base/server/etc/default.cfg
@@ -41,6 +41,7 @@ spawn_scriplets=
webapp_deployment
slot_substitution
security_databases
+ client_database
configuration
finalization
diff --git a/base/server/python/pki/server/deployment/pkimessages.py b/base/server/python/pki/server/deployment/pkimessages.py
index c8821bb..ee35a2f 100644
--- a/base/server/python/pki/server/deployment/pkimessages.py
+++ b/base/server/python/pki/server/deployment/pkimessages.py
@@ -445,6 +445,7 @@ SUBSYSTEM_SPAWN_1 = "populating '%s'"
WEBAPP_DEPLOYMENT_DESTROY_1 = "removing '%s'"
WEBAPP_DEPLOYMENT_SPAWN_1 = "deploying '%s'"
SKIP_ADMIN_DOMAIN_SPAWN_1 = "skip populating '%s'"
+SKIP_CLIENT_DATABASE_SPAWN_1 = "skip generating '%s'"
SKIP_CONFIGURATION_SPAWN_1 = "skip configuring '%s'"
SKIP_FINALIZATION_SPAWN_1 = "skip finalizing '%s'"
SKIP_INITIALIZATION_SPAWN_1 = "skip initializing '%s'"
diff --git a/base/server/python/pki/server/deployment/scriptlets/client_database.py b/base/server/python/pki/server/deployment/scriptlets/client_database.py
new file mode 100644
index 0000000..31abb6f
--- /dev/null
+++ b/base/server/python/pki/server/deployment/scriptlets/client_database.py
@@ -0,0 +1,83 @@
+# Authors:
+# Matthew Harmsen <mharmsen@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2016 Red Hat, Inc.
+# All rights reserved.
+#
+
+from __future__ import absolute_import
+
+# PKI Deployment Imports
+from .. import pkiconfig as config
+from .. import pkimessages as log
+from .. import pkiscriptlet
+
+
+# PKI Deployment Client Database Scriptlet
+class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
+
+ def spawn(self, deployer):
+
+ if config.str2bool(deployer.mdict['pki_skip_configuration']):
+ config.pki_log.info(log.SKIP_CLIENT_DATABASE_SPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ return
+
+ # Place "slightly" less restrictive permissions on
+ # the top-level client directory ONLY
+
+ deployer.directory.create(
+ deployer.mdict['pki_client_subsystem_dir'],
+ uid=0, gid=0,
+ perms=config.PKI_DEPLOYMENT_DEFAULT_CLIENT_DIR_PERMISSIONS)
+
+ # Since 'certutil' does NOT strip the 'token=' portion of
+ # the 'token=password' entries, create a client password file
+ # which ONLY contains the 'password' for the purposes of
+ # allowing 'certutil' to generate the security databases
+
+ deployer.password.create_password_conf(
+ deployer.mdict['pki_client_password_conf'],
+ deployer.mdict['pki_client_database_password'], pin_sans_token=True)
+
+ deployer.file.modify(
+ deployer.mdict['pki_client_password_conf'],
+ uid=0, gid=0)
+
+ # Similarly, create a simple password file containing the
+ # PKCS #12 password used when exporting the "Admin Certificate"
+ # into a PKCS #12 file
+
+ deployer.password.create_client_pkcs12_password_conf(
+ deployer.mdict['pki_client_pkcs12_password_conf'])
+
+ deployer.file.modify(deployer.mdict['pki_client_pkcs12_password_conf'])
+
+ deployer.directory.create(
+ deployer.mdict['pki_client_database_dir'],
+ uid=0, gid=0)
+
+ deployer.certutil.create_security_databases(
+ deployer.mdict['pki_client_database_dir'],
+ deployer.mdict['pki_client_cert_database'],
+ deployer.mdict['pki_client_key_database'],
+ deployer.mdict['pki_client_secmod_database'],
+ password_file=deployer.mdict['pki_client_password_conf'])
+
+
+ def destroy(self, deployer):
+
+ pass
diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py
index fc5dc84..17ca836 100644
--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py
+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py
@@ -54,38 +54,6 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
config.pki_log.info(log.CONFIGURATION_SPAWN_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
- # Place "slightly" less restrictive permissions on
- # the top-level client directory ONLY
- deployer.directory.create(
- deployer.mdict['pki_client_subsystem_dir'],
- uid=0, gid=0,
- perms=config.PKI_DEPLOYMENT_DEFAULT_CLIENT_DIR_PERMISSIONS)
- # Since 'certutil' does NOT strip the 'token=' portion of
- # the 'token=password' entries, create a client password file
- # which ONLY contains the 'password' for the purposes of
- # allowing 'certutil' to generate the security databases
- deployer.password.create_password_conf(
- deployer.mdict['pki_client_password_conf'],
- deployer.mdict['pki_client_database_password'], pin_sans_token=True)
- deployer.file.modify(
- deployer.mdict['pki_client_password_conf'],
- uid=0, gid=0)
- # Similarly, create a simple password file containing the
- # PKCS #12 password used when exporting the "Admin Certificate"
- # into a PKCS #12 file
- deployer.password.create_client_pkcs12_password_conf(
- deployer.mdict['pki_client_pkcs12_password_conf'])
- deployer.file.modify(deployer.mdict['pki_client_pkcs12_password_conf'])
- deployer.directory.create(
- deployer.mdict['pki_client_database_dir'],
- uid=0, gid=0)
- deployer.certutil.create_security_databases(
- deployer.mdict['pki_client_database_dir'],
- deployer.mdict['pki_client_cert_database'],
- deployer.mdict['pki_client_key_database'],
- deployer.mdict['pki_client_secmod_database'],
- password_file=deployer.mdict['pki_client_password_conf'])
-
instance = pki.server.PKIInstance(deployer.mdict['pki_instance_name'])
instance.load()