summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorEndi S. Dewata <edewata@redhat.com>2016-04-28 20:02:05 +0200
committerEndi S. Dewata <edewata@redhat.com>2016-05-03 02:48:24 +0200
commit901141696b2206b35e498b03ff9867564057c84b (patch)
treea906a0f970743f6c206b86ff3b28d100f9620714
parent1b8f5230d01499d97b874d4912c5c1a13e389c5f (diff)
downloadpki-901141696b2206b35e498b03ff9867564057c84b.zip
pki-901141696b2206b35e498b03ff9867564057c84b.tar.gz
pki-901141696b2206b35e498b03ff9867564057c84b.tar.xz
Simplified the code to generate/load one-time PIN.
Instead of checking various installation scenarios (e.g. external CA step 2, standalone step 2, configuration-only mode), the code to generate or load the one-time PIN has been simplified as follows: * if the PIN already exists (in CS.cfg), it will be reused * if the PIN does not exist, the code will generate a new one
-rw-r--r--base/server/python/pki/server/deployment/pkiparser.py55
1 files changed, 32 insertions, 23 deletions
diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
index 4d6e018..ba49cee 100644
--- a/base/server/python/pki/server/deployment/pkiparser.py
+++ b/base/server/python/pki/server/deployment/pkiparser.py
@@ -589,14 +589,22 @@ class PKIConfigParser:
# if instance already exists and has password, reuse the password
if internal_password in instance.passwords:
+ config.pki_log.info(
+ 'loading existing pin',
+ extra=config.PKI_INDENTATION_LEVEL_2)
self.mdict['pki_pin'] = instance.passwords.get(internal_password)
# otherwise, use user-provided password if specified
elif 'pki_pin' in self.mdict:
- pass
+ config.pki_log.info(
+ 'using supplied pin',
+ extra=config.PKI_INDENTATION_LEVEL_2)
# otherwise, generate a random password
else:
+ config.pki_log.info(
+ 'generating a new pin',
+ extra=config.PKI_INDENTATION_LEVEL_2)
self.mdict['pki_pin'] = \
random.randint(pin_low, pin_high)
@@ -637,33 +645,34 @@ class PKIConfigParser:
self.mdict['pki_target_registry'] = \
os.path.join(self.mdict['pki_instance_registry_path'],
self.mdict['pki_instance_name'])
- if config.str2bool(self.mdict['pki_external_step_two']) or\
- config.str2bool(self.mdict['pki_skip_installation']):
- # For CA (External CA Step 2) and Stand-alone PKI (Step 2),
- # use the 'pki_one_time_pin' established during the setup
- # of (Step 1)
- #
- # Similarly, if the only code being processed is for
- # configuration, re-use the 'pki_one_time_pin' generated
- # during the installation phase
- #
- if os.path.exists(self.mdict['pki_target_cs_cfg'])\
- and\
- os.path.isfile(self.mdict['pki_target_cs_cfg']):
- cs_cfg = self.read_simple_configuration_file(
- self.mdict['pki_target_cs_cfg'])
+
+ # If the one-time PIN already exists in CS.cfg from previous
+ # pkispawn execution (e.g. external CA step 1, standalone step 1,
+ # installation-only mode), reuse the existing PIN.
+ if os.path.exists(self.mdict['pki_target_cs_cfg']) and\
+ os.path.isfile(self.mdict['pki_target_cs_cfg']):
+
+ cs_cfg = self.read_simple_configuration_file(
+ self.mdict['pki_target_cs_cfg'])
+
+ if 'preop.pin' in cs_cfg:
+
+ config.pki_log.info(
+ 'loading existing one-time PIN',
+ extra=config.PKI_INDENTATION_LEVEL_2)
+
self.mdict['pki_one_time_pin'] = \
cs_cfg.get('preop.pin')
- else:
- config.pki_log.error(
- log.PKI_FILE_MISSING_OR_NOT_A_FILE_1,
- self.mdict['pki_target_cs_cfg'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- raise Exception(log.PKI_FILE_MISSING_OR_NOT_A_FILE_1)
- else:
+
+ if 'pki_one_time_pin' not in self.mdict:
# Generate a one-time pin to be used prior to configuration
# and add this to the "sensitive" key value pairs read in from
# the configuration file
+
+ config.pki_log.info(
+ 'generate new one-time PIN',
+ extra=config.PKI_INDENTATION_LEVEL_2)
+
self.mdict['pki_one_time_pin'] = \
''.join(random.choice(string.ascii_letters + string.digits)
for x in range(20))