summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorEndi Sukma Dewata <edewata@redhat.com>2012-12-18 14:46:41 -0500
committerEndi Sukma Dewata <edewata@redhat.com>2013-01-31 12:26:01 -0500
commitb7b3bcfecc792ea689af2ecc554e12b42a58f1ce (patch)
treed23d7331d80c858f8c92f68a415cde1a3aaf24f8
parentae6e575f56917107b2a3de7997bc13e203c2c856 (diff)
downloadpki-ticket-380-8.zip
pki-ticket-380-8.tar.gz
pki-ticket-380-8.tar.xz
Added interactive subsystem installation.ticket-380-8
The pkispawn has been modified such that the configuration file and subsystem type are optional. The pkidestroy has been modified such that the instance name and subsystem type are optional. If any of these options are not specified they will enter an interactive mode. Ticket #380
-rw-r--r--base/deploy/etc/default.cfg13
-rw-r--r--base/deploy/man/man5/pki_default.cfg.54
-rw-r--r--base/deploy/man/man8/pkispawn.82
-rwxr-xr-xbase/deploy/src/pkidestroy68
-rwxr-xr-xbase/deploy/src/pkispawn128
-rw-r--r--base/deploy/src/scriptlets/infrastructure_layout.py11
-rw-r--r--base/deploy/src/scriptlets/pkiconfig.py5
-rw-r--r--base/deploy/src/scriptlets/pkijython.py4
-rw-r--r--base/deploy/src/scriptlets/pkiparser.py265
9 files changed, 355 insertions, 145 deletions
diff --git a/base/deploy/etc/default.cfg b/base/deploy/etc/default.cfg
index 3106ba5..9dfc4b2 100644
--- a/base/deploy/etc/default.cfg
+++ b/base/deploy/etc/default.cfg
@@ -57,12 +57,12 @@ destroy_scriplets=
# case someone wants to override them in their config file.
#
# Tomcat instances:
-# pki_instance_name=pki_tomcat
+# pki_instance_name=pki-tomcat
# pki_https_port=8443
# pki_http_port=8080
#
# Apache instances:
-# pki_instance_name=pki_tomcat
+# pki_instance_name=pki-apache
# pki_https_port=443
# pki_http_port=80
@@ -91,13 +91,16 @@ pki_ds_password=
pki_ds_remove_data=True
pki_ds_secure_connection=False
pki_group=pkiuser
-pki_issuing_ca=
+pki_issuing_ca_hostname=%(pki_security_domain_hostname)s
+pki_issuing_ca_https_port=%(pki_security_domain_https_port)s
+pki_issuing_ca_uri=https://%(pki_issuing_ca_hostname)s:%(pki_issuing_ca_https_port)s
+pki_issuing_ca=%(pki_issuing_ca_uri)s
pki_restart_configured_instance=True
pki_security_domain_hostname=%(pki_hostname)s
pki_security_domain_https_port=8443
pki_security_domain_name=%(pki_dns_domainname)s Security Domain
pki_security_domain_password=
-pki_security_domain_user=
+pki_security_domain_user=caadmin
pki_skip_configuration=False
pki_skip_installation=False
pki_ssl_server_key_algorithm=SHA256withRSA
@@ -125,7 +128,7 @@ pki_client_pkcs12_password_conf=%(pki_client_subsystem_dir)s/pkcs12_password.con
pki_client_cert_database=%(pki_client_database_dir)s/cert8.db
pki_client_key_database=%(pki_client_database_dir)s/key3.db
pki_client_secmod_database=%(pki_client_database_dir)s/secmod.db
-pki_client_admin_cert=%(pki_subsystem_type)s_admin.cert
+pki_client_admin_cert=%(pki_client_dir)s/%(pki_subsystem_type)s_admin.cert
pki_source_conf_path=/usr/share/pki/%(pki_subsystem_type)s/conf
pki_source_setup_path=/usr/share/pki/setup
pki_source_server_path=/usr/share/pki/server/conf
diff --git a/base/deploy/man/man5/pki_default.cfg.5 b/base/deploy/man/man5/pki_default.cfg.5
index e31002e..ec2379a 100644
--- a/base/deploy/man/man5/pki_default.cfg.5
+++ b/base/deploy/man/man5/pki_default.cfg.5
@@ -178,9 +178,9 @@ The base DN for the internal database. It is advised that the Certificate Serve
.IP
Name of the back-end database. It is advised that the Certificate Server have its own base DN for its internal database. If the back-end does not exist, it will be created during the running of \fBpkispawn\fP.
.SS ISSUING CA PARAMETERS
-\x'-1'\fBpki_issuing_ca\fR
+\x'-1'\fBpki_issuing_ca_hostname, pki_issuing_ca_https_port, pki_issuing_ca_uri\fR
.IP
-Required for installations of subordinate CA and non-CA subsystems. This is the URI for the CA that will issue the relevant system certificates for the subsystem. In a default install, this defaults to the CA subsystem within the same instance. This has the format https://<ca_hostname>/<ca_https_port>.
+Hostname and port, or URI of the issuing CA. Required for installations of subordinate CA and non-CA subsystems. This should point to the CA that will issue the relevant system certificates for the subsystem. In a default install, this defaults to the CA subsystem within the same instance. The URI has the format https://<ca_hostname>:<ca_https_port>.
.SS MISCELLANEOUS PARAMETERS
\x'-1'\fBpki_restart_configured_instance\fR
diff --git a/base/deploy/man/man8/pkispawn.8 b/base/deploy/man/man8/pkispawn.8
index 312f433..c5361c3 100644
--- a/base/deploy/man/man8/pkispawn.8
+++ b/base/deploy/man/man8/pkispawn.8
@@ -131,7 +131,7 @@ pki_security_domain_password=\fIpassword123\fP
pki_security_domain_hostname=<ca_hostname>
pki_security_domain_https_port=<ca_port>
pki_security_domain_user=caadmin
-pki_issuing_ca=https://<ca_hostname>:<ca_port>
+pki_issuing_ca_uri=https://<ca_hostname>:<ca_port>
[KRA]
pki_import_admin_cert=False
diff --git a/base/deploy/src/pkidestroy b/base/deploy/src/pkidestroy
index edb57e9..ba52d96 100755
--- a/base/deploy/src/pkidestroy
+++ b/base/deploy/src/pkidestroy
@@ -1,4 +1,4 @@
-#!/usr/bin/python -t
+#!/usr/bin/python -tu
# Authors:
# Matthew Harmsen <mharmsen@redhat.com>
#
@@ -94,17 +94,53 @@ def main(argv):
'PKI Instance Removal',
log.PKIDESTROY_EPILOG)
- parser.mandatory.add_argument('-i',
+ parser.optional.add_argument('-i',
dest='pki_deployed_instance_name',
action='store',
- nargs=1, required=True, metavar='<instance>',
+ nargs=1, metavar='<instance>',
help='FORMAT: ${pki_instance_name}')
args = parser.process_command_line_arguments(argv)
- # -i <instance name>
- config.pki_deployed_instance_name =\
- str(args.pki_deployed_instance_name).strip('[\']')
+ interactive = False
+
+ while True:
+
+ # -s <subsystem>
+ if args.pki_subsystem is None:
+ interactive = True
+ config.pki_subsystem = parser.read_text('Subsystem (CA/KRA/OCSP/TKS)',
+ options=['CA', 'KRA', 'OCSP', 'TKS'],
+ default='CA', caseSensitive=False).upper()
+ else:
+ config.pki_subsystem = str(args.pki_subsystem).strip('[\']')
+
+ # -i <instance name>
+ if args.pki_deployed_instance_name is None:
+ interactive = True
+ config.pki_deployed_instance_name = parser.read_text('Instance', default='pki-tomcat')
+ else:
+ config.pki_deployed_instance_name = str(args.pki_deployed_instance_name).strip('[\']')
+
+ if interactive:
+ print
+ parser.indent = 0
+
+ begin = parser.read_text('Begin uninstallation (Yes/No/Quit)',
+ options=['Yes', 'Y', 'No', 'N', 'Quit', 'Q'],
+ sign='?', allowEmpty=False, caseSensitive=False).lower()
+
+ print
+
+ if begin == 'q' or begin == 'quit':
+ print "Uninstallation canceled."
+ sys.exit(0)
+
+ elif begin == 'y' or begin == 'yes':
+ break
+
+ else:
+ break
# verify that previously deployed instance exists
deployed_pki_instance_path = config.pki_root_prefix +\
@@ -135,6 +171,7 @@ def main(argv):
config.USER_DEPLOYMENT_CONFIGURATION
parser.validate()
+ parser.init_config()
# Enable 'pkidestroy' logging.
config.pki_log_dir = config.pki_root_prefix +\
@@ -161,20 +198,6 @@ def main(argv):
extra=config.PKI_INDENTATION_LEVEL_0)
sys.exit(1)
- # NEVER print out 'sensitive' name/value pairs!!!
- config.pki_log.debug(log.PKI_DICTIONARY_DEFAULT,
- extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(pkilogging.format(config.pki_default_dict),
- extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(log.PKI_DICTIONARY_WEB_SERVER,
- extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(pkilogging.format(config.pki_web_server_dict),
- extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(log.PKI_DICTIONARY_SUBSYSTEM,
- extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(pkilogging.format(config.pki_subsystem_dict),
- extra=config.PKI_INDENTATION_LEVEL_0)
-
# Combine the various sectional dictionaries into a PKI master dictionary
parser.compose_pki_master_dictionary()
config.pki_master_dict['pki_destroy_log'] = config.pki_log_dir + "/" +\
@@ -184,6 +207,8 @@ def main(argv):
config.pki_log.debug(pkilogging.format(config.pki_master_dict),
extra=config.PKI_INDENTATION_LEVEL_0)
+ print "Uninstalling " + config.pki_subsystem + " from " + deployed_pki_instance_path + "."
+
# Process the various "scriptlets" to remove the specified PKI subsystem.
pki_subsystem_scriptlets = config.pki_master_dict['destroy_scriplets'].split()
rv = 0
@@ -200,6 +225,9 @@ def main(argv):
config.pki_log.debug(pkilogging.format(config.pki_master_dict),
extra=config.PKI_INDENTATION_LEVEL_0)
+ print
+ print "Uninstallation complete."
+
# PKI Deployment Entry Point
if __name__ == "__main__":
diff --git a/base/deploy/src/pkispawn b/base/deploy/src/pkispawn
index f64d795..f03bc15 100755
--- a/base/deploy/src/pkispawn
+++ b/base/deploy/src/pkispawn
@@ -1,4 +1,4 @@
-#!/usr/bin/python -t
+#!/usr/bin/python -tu
# Authors:
# Matthew Harmsen <mharmsen@redhat.com>
#
@@ -94,9 +94,9 @@ def main(argv):
'PKI Instance Installation and Configuration',
log.PKISPAWN_EPILOG)
- parser.mandatory.add_argument('-f',
+ parser.optional.add_argument('-f',
dest='user_deployment_cfg', action='store',
- nargs=1, required=True, metavar='<file>',
+ nargs=1, metavar='<file>',
help='configuration filename '
'(MUST specify complete path)')
@@ -109,12 +109,112 @@ def main(argv):
config.default_deployment_cfg = config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE
# -f <user deployment config>
- config.user_deployment_cfg = str(args.user_deployment_cfg).strip('[\']')
+ if args.user_deployment_cfg is not None:
+ config.user_deployment_cfg = str(args.user_deployment_cfg).strip('[\']')
# -u
config.pki_update_flag = args.pki_update_flag
parser.validate()
+ interactive = False
+
+ while True:
+
+ # -s <subsystem>
+ if args.pki_subsystem is None:
+ interactive = True
+ parser.indent = 0
+
+ config.pki_subsystem = parser.read_text('Subsystem (CA/KRA/OCSP/TKS)',
+ options=['CA', 'KRA', 'OCSP', 'TKS'],
+ default='CA', caseSensitive=False).upper()
+ print
+ else:
+ config.pki_subsystem = str(args.pki_subsystem).strip('[\']')
+
+ parser.init_config()
+
+ if config.user_deployment_cfg is None:
+ interactive = True
+ parser.indent = 2
+
+ print "Tomcat:"
+ parser.read_text('Instance', 'DEFAULT', 'pki_instance_name')
+ parser.read_text('HTTP port', config.pki_subsystem, 'pki_http_port')
+ parser.read_text('Secure HTTP port', config.pki_subsystem, 'pki_https_port')
+ parser.read_text('AJP port', config.pki_subsystem, 'pki_ajp_port')
+ parser.read_text('Management port', config.pki_subsystem, 'pki_tomcat_server_port')
+ print
+
+ print "Administrator:"
+ parser.read_text('Username', config.pki_subsystem, 'pki_admin_uid')
+
+ admin_password = parser.read_password(
+ 'Password', config.pki_subsystem, 'pki_admin_password',
+ verifyMessage='Verify password')
+
+ parser.set_property(config.pki_subsystem, 'pki_backup_password', admin_password)
+ parser.set_property(config.pki_subsystem, 'pki_client_database_password', admin_password)
+ parser.set_property(config.pki_subsystem, 'pki_client_pkcs12_password', admin_password)
+
+ if config.pki_master_dict['pki_import_admin_cert'] == 'True':
+ import_cert = 'Y'
+ else:
+ import_cert = 'N'
+
+ import_cert = parser.read_text('Import certificate (Yes/No)',
+ default=import_cert, options=['Yes', 'Y', 'No', 'N'],
+ sign='?', caseSensitive=False).lower()
+
+ if import_cert == 'y' or import_cert == 'yes':
+ parser.set_property(config.pki_subsystem, 'pki_import_admin_cert', 'True')
+ parser.read_text('Import certificate from', config.pki_subsystem, 'pki_admin_cert_file')
+ else:
+ parser.set_property(config.pki_subsystem, 'pki_import_admin_cert', 'False')
+
+ parser.read_text('Export certificate to', config.pki_subsystem, 'pki_client_admin_cert')
+ print
+
+ print "Directory Server:"
+ parser.read_text('Hostname', config.pki_subsystem, 'pki_ds_hostname')
+ parser.read_text('Port', config.pki_subsystem, 'pki_ds_ldap_port')
+ parser.read_text('Base DN', config.pki_subsystem, 'pki_ds_base_dn')
+ parser.read_text('Bind DN', config.pki_subsystem, 'pki_ds_bind_dn')
+ parser.read_password(
+ 'Password', config.pki_subsystem, 'pki_ds_password',
+ verifyMessage='Verify password')
+ print
+
+ print "Security Domain:"
+ parser.read_text('Name', config.pki_subsystem, 'pki_security_domain_name')
+
+ if config.pki_subsystem != "CA":
+ parser.read_text('Hostname', config.pki_subsystem, 'pki_security_domain_hostname')
+ parser.read_text('Secure HTTP port', config.pki_subsystem, 'pki_security_domain_https_port')
+ parser.read_text('Username', config.pki_subsystem, 'pki_security_domain_user')
+ parser.read_password(
+ 'Password', config.pki_subsystem, 'pki_security_domain_password',
+ verifyMessage='Verify password')
+
+ print
+
+ if interactive:
+ parser.indent = 0
+
+ begin = parser.read_text('Begin installation (Yes/No/Quit)',
+ options=['Yes', 'Y', 'No', 'N', 'Quit', 'Q'],
+ sign='?', allowEmpty=False, caseSensitive=False).lower()
+ print
+
+ if begin == 'q' or begin == 'quit':
+ print "Installation canceled."
+ sys.exit(0)
+
+ elif begin == 'y' or begin == 'yes':
+ break
+
+ else:
+ break
if not os.path.exists(config.PKI_DEPLOYMENT_SOURCE_ROOT +\
"/" + config.pki_subsystem.lower()):
@@ -161,20 +261,6 @@ def main(argv):
extra=config.PKI_INDENTATION_LEVEL_0)
sys.exit(1)
- # NEVER print out 'sensitive' name/value pairs!!!
- config.pki_log.debug(log.PKI_DICTIONARY_DEFAULT,
- extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(pkilogging.format(config.pki_default_dict),
- extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(log.PKI_DICTIONARY_WEB_SERVER,
- extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(pkilogging.format(config.pki_web_server_dict),
- extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(log.PKI_DICTIONARY_SUBSYSTEM,
- extra=config.PKI_INDENTATION_LEVEL_0)
- config.pki_log.debug(pkilogging.format(config.pki_subsystem_dict),
- extra=config.PKI_INDENTATION_LEVEL_0)
-
# Read in the PKI slots configuration file.
parser.compose_pki_slots_dictionary()
config.pki_log.debug(log.PKI_DICTIONARY_SLOTS,
@@ -184,6 +270,7 @@ def main(argv):
# Combine the various sectional dictionaries into a PKI master dictionary
parser.compose_pki_master_dictionary()
+
if not config.pki_update_flag:
config.pki_master_dict['pki_spawn_log'] = config.pki_log_dir + "/" +\
config.pki_log_name
@@ -195,6 +282,8 @@ def main(argv):
config.pki_log.debug(pkilogging.format(config.pki_master_dict),
extra=config.PKI_INDENTATION_LEVEL_0)
+ print "Installing " + config.pki_subsystem + " into " + config.pki_master_dict['pki_instance_path'] + "."
+
# Process the various "scriptlets" to create the specified PKI subsystem.
pki_subsystem_scriptlets = config.pki_master_dict['spawn_scriplets'].split()
rv = 0
@@ -214,6 +303,9 @@ def main(argv):
config.pki_log.debug(pkilogging.format(config.pki_master_dict),
extra=config.PKI_INDENTATION_LEVEL_0)
+ print
+ print "Installation complete."
+
# PKI Deployment Entry Point
if __name__ == "__main__":
diff --git a/base/deploy/src/scriptlets/infrastructure_layout.py b/base/deploy/src/scriptlets/infrastructure_layout.py
index 947fbcd..69a9058 100644
--- a/base/deploy/src/scriptlets/infrastructure_layout.py
+++ b/base/deploy/src/scriptlets/infrastructure_layout.py
@@ -58,8 +58,15 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
util.directory.create(master['pki_subsystem_registry_path'])
util.file.copy(master['pki_default_deployment_cfg'],
master['pki_default_deployment_cfg_replica'])
- util.file.copy(master['pki_user_deployment_cfg'],
- master['pki_user_deployment_cfg_replica'])
+
+ print "Storing deployment configuration into " + config.pki_master_dict['pki_user_deployment_cfg_replica'] + "."
+ if master['pki_user_deployment_cfg']:
+ util.file.copy(master['pki_user_deployment_cfg'],
+ master['pki_user_deployment_cfg_replica'])
+ else:
+ with open(master['pki_user_deployment_cfg_replica'], 'w') as f:
+ config.user_config.write(f)
+
# establish top-level infrastructure, instance, and subsystem
# base directories and create the "registry" symbolic link that
# the "pkidestroy" executable relies upon
diff --git a/base/deploy/src/scriptlets/pkiconfig.py b/base/deploy/src/scriptlets/pkiconfig.py
index 4a88461..cdd671c 100644
--- a/base/deploy/src/scriptlets/pkiconfig.py
+++ b/base/deploy/src/scriptlets/pkiconfig.py
@@ -180,10 +180,7 @@ pki_console_log_level = None
# PKI Deployment Global Dictionaries
-pki_default_dict = None
-pki_web_server_dict = None
-pki_subsystem_dict = None
-pki_master_dict = None
+pki_master_dict = {}
pki_slots_dict = None
pki_master_jython_dict = None
diff --git a/base/deploy/src/scriptlets/pkijython.py b/base/deploy/src/scriptlets/pkijython.py
index a7635c1..4768d8a 100644
--- a/base/deploy/src/scriptlets/pkijython.py
+++ b/base/deploy/src/scriptlets/pkijython.py
@@ -566,9 +566,7 @@ class rest_client:
javasystem.out.println(log.PKI_JYTHON_RESPONSE_ADMIN_CERT +\
" " + admin_cert)
# Store the Administration Certificate in a file
- admin_cert_file = os.path.join(
- master['pki_client_dir'],
- master['pki_client_admin_cert'])
+ admin_cert_file = master['pki_client_admin_cert']
admin_cert_bin_file = admin_cert_file + ".der"
javasystem.out.println(log.PKI_JYTHON_ADMIN_CERT_SAVE +\
" " + "'" + admin_cert_file + "'")
diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py
index ba4f376..7f2d585 100644
--- a/base/deploy/src/scriptlets/pkiparser.py
+++ b/base/deploy/src/scriptlets/pkiparser.py
@@ -22,6 +22,7 @@
# System Imports
import ConfigParser
import argparse
+import getpass
import logging
import os
import random
@@ -54,14 +55,15 @@ class PKIConfigParser:
# Establish 'Mandatory' command-line options
self.mandatory = self.arg_parser.add_argument_group('mandatory arguments')
- self.mandatory.add_argument('-s',
+
+ # Establish 'Optional' command-line options
+ self.optional = self.arg_parser.add_argument_group('optional arguments')
+ self.optional.add_argument('-s',
dest='pki_subsystem', action='store',
nargs=1, choices=config.PKI_SUBSYSTEMS,
- required=True, metavar='<subsystem>',
+ metavar='<subsystem>',
help='where <subsystem> is '
'CA, KRA, OCSP, RA, TKS, or TPS')
- # Establish 'Optional' command-line options
- self.optional = self.arg_parser.add_argument_group('optional arguments')
self.optional.add_argument('-h', '--help',
dest='help', action='help',
help='show this help message and exit')
@@ -77,6 +79,8 @@ class PKIConfigParser:
help='directory prefix to specify local directory '
'[TEST ONLY]')
+ self.indent = 0
+
# PKI Deployment Helper Functions
def process_command_line_arguments(self, argv):
@@ -84,8 +88,6 @@ class PKIConfigParser:
args = self.arg_parser.parse_args()
# Process 'Mandatory' command-line options
- # '-s'
- config.pki_subsystem = str(args.pki_subsystem).strip('[\']')
# Process 'Optional' command-line options
# '-v'
@@ -145,15 +147,63 @@ class PKIConfigParser:
self.arg_parser.print_help()
self.arg_parser.exit(-1);
- # verify user configuration file exists
- if not os.path.exists(config.user_deployment_cfg) or\
- not os.path.isfile(config.user_deployment_cfg):
- print "ERROR: " +\
- log.PKI_FILE_MISSING_OR_NOT_A_FILE_1 %\
- config.user_deployment_cfg
- print
- self.arg_parser.print_help()
- self.arg_parser.exit(-1);
+ if config.user_deployment_cfg:
+ # verify user configuration file exists
+ if not os.path.exists(config.user_deployment_cfg) or\
+ not os.path.isfile(config.user_deployment_cfg):
+ print "ERROR: " +\
+ log.PKI_FILE_MISSING_OR_NOT_A_FILE_1 %\
+ config.user_deployment_cfg
+ print
+ parser.arg_parser.print_help()
+ parser.arg_parser.exit(-1);
+
+
+ def init_config(self):
+
+ # RESTEasy
+ resteasy_lib = subprocess.check_output(\
+ 'source /etc/pki/pki.conf && echo $RESTEASY_LIB',
+ shell=True).strip()
+
+ # arch dependent libpath
+ if config.pki_architecture == 64:
+ arch_java_lib = '/usr/lib64/java'
+ else:
+ arch_java_lib = '/usr/lib/java'
+
+ if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
+ default_instance_name = 'pki-tomcat'
+ default_http_port = '8080'
+ default_https_port = '8443'
+ else:
+ default_instance_name = 'pki-apache'
+ default_http_port = '80'
+ default_https_port = '443'
+
+ self.pki_config = ConfigParser.SafeConfigParser({
+ 'pki_instance_name': default_instance_name,
+ 'pki_http_port': default_http_port,
+ 'pki_https_port': default_https_port,
+ 'pki_dns_domainname': config.pki_dns_domainname,
+ 'pki_subsystem': config.pki_subsystem,
+ 'pki_subsystem_type': config.pki_subsystem.lower(),
+ 'pki_root_prefix' : config.pki_root_prefix,
+ 'resteasy_lib': resteasy_lib,
+ 'arch_java_lib': arch_java_lib,
+ 'home_dir': os.path.expanduser("~"),
+ 'pki_hostname': config.pki_hostname})
+
+ # Make keys case-sensitive!
+ self.pki_config.optionxform = str
+
+ config.user_config = ConfigParser.SafeConfigParser()
+ config.user_config.optionxform = str
+
+ with open(config.default_deployment_cfg) as f:
+ self.pki_config.readfp(f)
+
+ self.flatten_master_dict()
# The following code is based heavily upon
@@ -180,83 +230,124 @@ class PKIConfigParser:
return values
+ def set_property(self, section, property, value):
+ if section != "DEFAULT" and not self.pki_config.has_section(section):
+ self.pki_config.add_section(section)
+ self.pki_config.set(section, property, value)
+ self.flatten_master_dict()
+
+ if section != "DEFAULT" and not config.user_config.has_section(section):
+ config.user_config.add_section(section)
+ config.user_config.set(section, property, value)
+
+
+ def read_text(self, message,
+ section=None, property=None, default=None,
+ options=None, sign=':', allowEmpty=True, caseSensitive=True):
+
+ if default is None and property is not None:
+ default = config.pki_master_dict[property]
+ if default:
+ message = message + ' [' + default + ']'
+ message = ' ' * self.indent + message + sign + ' '
+
+ done = False
+ while not done:
+ value = raw_input(message)
+ value = value.strip()
+
+ if len(value) == 0: # empty value
+ if allowEmpty:
+ value = default
+ done = True
+ break
+
+ else: # non-empty value
+ if options is not None:
+ for v in options:
+ if caseSensitive:
+ if v == value:
+ done = True
+ break
+ else:
+ if v.lower() == value.lower():
+ done = True
+ break
+ else:
+ done = True
+ break
+
+ if section:
+ self.set_property(section, property, value)
+
+ return value
+
+
+ def read_password(self, message, section=None, property=None,
+ verifyMessage=None):
+ message = ' ' * self.indent + message + ': '
+ verifyMessage = ' ' * self.indent + verifyMessage + ': '
+ while True:
+ password = ''
+ while len(password) == 0:
+ password = getpass.getpass(prompt=message)
+
+ verification = ''
+ while len(verification) == 0:
+ verification = getpass.getpass(prompt=verifyMessage)
+
+ if password == verification:
+ break
+ else:
+ print ' ' * self.indent + 'Passwords do not match.'
+
+ if section:
+ self.set_property(section, property, password)
+
+ return password
+
def read_pki_configuration_file(self):
"Read configuration file sections into dictionaries"
rv = 0
try:
- if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
- default_instance_name = 'pki-tomcat'
- default_http_port = '8080'
- default_https_port = '8443'
- else:
- default_instance_name = 'pki-apache'
- default_http_port = '80'
- default_https_port = '443'
-
- # RESTEasy
- resteasy_lib = subprocess.check_output(\
- 'source /etc/pki/pki.conf && echo $RESTEASY_LIB',
- shell=True).strip()
-
- # arch dependent libpath
- if config.pki_architecture == 64:
- arch_java_lib = '/usr/lib64/java'
- else:
- arch_java_lib = '/usr/lib/java'
-
- predefined_dict = {'pki_instance_name': default_instance_name,
- 'pki_http_port': default_http_port,
- 'pki_https_port': default_https_port,
- 'pki_dns_domainname': config.pki_dns_domainname,
- 'pki_subsystem' : config.pki_subsystem,
- 'pki_subsystem_type': config.pki_subsystem.lower(),
- 'pki_root_prefix' : config.pki_root_prefix,
- 'resteasy_lib': resteasy_lib,
- 'arch_java_lib': arch_java_lib,
- 'home_dir': os.path.expanduser("~"),
- 'pki_hostname': config.pki_hostname}
-
- self.pki_config = ConfigParser.SafeConfigParser(predefined_dict)
- # Make keys case-sensitive!
- self.pki_config.optionxform = str
- self.pki_config.read([
- config.default_deployment_cfg,
- config.user_deployment_cfg])
- config.pki_default_dict = dict(self.pki_config.items('DEFAULT'))
- pkilogging.sensitive_parameters = config.pki_default_dict['sensitive_parameters'].split()
- if config.pki_subsystem == "CA":
- config.pki_web_server_dict = dict(self.pki_config.items('Tomcat'))
- config.pki_subsystem_dict = dict(self.pki_config.items('CA'))
- elif config.pki_subsystem == "KRA":
- config.pki_web_server_dict = dict(self.pki_config.items('Tomcat'))
- config.pki_subsystem_dict = dict(self.pki_config.items('KRA'))
- elif config.pki_subsystem == "OCSP":
- config.pki_web_server_dict = dict(self.pki_config.items('Tomcat'))
- config.pki_subsystem_dict = dict(self.pki_config.items('OCSP'))
- elif config.pki_subsystem == "RA":
- config.pki_web_server_dict = dict(self.pki_config.items('Apache'))
- config.pki_subsystem_dict = dict(self.pki_config.items('RA'))
- elif config.pki_subsystem == "TKS":
- config.pki_web_server_dict = dict(self.pki_config.items('Tomcat'))
- config.pki_subsystem_dict = dict(self.pki_config.items('TKS'))
- elif config.pki_subsystem == "TPS":
- config.pki_web_server_dict = dict(self.pki_config.items('Apache'))
- config.pki_subsystem_dict = dict(self.pki_config.items('TPS'))
- # Insert empty record into dictionaries for "pretty print" statements
- # NEVER print "sensitive" key value pairs!!!
- config.pki_default_dict[0] = None
- config.pki_web_server_dict[0] = None
- config.pki_subsystem_dict[0] = None
+ if config.user_deployment_cfg:
+ print 'Loading deployment configuration from ' + config.user_deployment_cfg + '.'
+ self.pki_config.read([config.user_deployment_cfg])
+
except ConfigParser.ParsingError, err:
print err
rv = err
return rv
+ def flatten_master_dict(self):
+ config.pki_master_dict.update(__name__="PKI Master Dictionary")
+
+ default_dict = dict(self.pki_config.items('DEFAULT'))
+ default_dict[0] = None
+ config.pki_master_dict.update(default_dict)
+
+ web_server_dict = None
+ if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS:
+ if self.pki_config.has_section('Tomcat'):
+ web_server_dict = dict(self.pki_config.items('Tomcat'))
+ else:
+ if self.pki_config.has_section('Apache'):
+ web_server_dict = dict(self.pki_config.items('Apache'))
+
+ if web_server_dict:
+ web_server_dict[0] = None
+ config.pki_master_dict.update(web_server_dict)
+
+ if self.pki_config.has_section(config.pki_subsystem):
+ subsystem_dict = dict(self.pki_config.items(config.pki_subsystem))
+ subsystem_dict[0] = None
+ config.pki_master_dict.update(subsystem_dict)
+
+
def compose_pki_master_dictionary(self):
"Create a single master PKI dictionary from the sectional dictionaries"
try:
- config.pki_master_dict = dict()
# 'pkispawn'/'pkirespawn'/'pkidestroy' name/value pairs
config.pki_master_dict['pki_deployment_executable'] =\
config.pki_deployment_executable
@@ -280,12 +371,10 @@ class PKIConfigParser:
random.randint(pin_low, pin_high)
config.pki_master_dict['pki_client_pin'] =\
random.randint(pin_low, pin_high)
- # Configuration file name/value pairs
- # NEVER add "sensitive" key value pairs to the master dictionary!!!
- config.pki_master_dict.update(config.pki_default_dict)
- config.pki_master_dict.update(config.pki_web_server_dict)
- config.pki_master_dict.update(config.pki_subsystem_dict)
- config.pki_master_dict.update(__name__="PKI Master Dictionary")
+
+ self.flatten_master_dict()
+
+ pkilogging.sensitive_parameters = config.pki_master_dict['sensitive_parameters'].split()
# PKI Target (slot substitution) name/value pairs
config.pki_master_dict['pki_target_cs_cfg'] =\
@@ -783,11 +872,7 @@ class PKIConfigParser:
"https" + "://" +\
config.pki_master_dict['pki_security_domain_hostname'] + ":" +\
config.pki_master_dict['pki_security_domain_https_port']
- if not len(config.pki_master_dict['pki_issuing_ca']):
- # Guess that it is the same as the
- # config.pki_master_dict['pki_security_domain_uri']
- config.pki_master_dict['pki_issuing_ca'] =\
- config.pki_master_dict['pki_security_domain_uri']
+
elif config.str2bool(config.pki_master_dict['pki_external']):
# External CA
config.pki_master_dict['pki_security_domain_type'] = "new"