diff options
| author | Endi Sukma Dewata <edewata@redhat.com> | 2013-04-05 15:20:01 -0400 |
|---|---|---|
| committer | Endi Sukma Dewata <edewata@redhat.com> | 2013-04-09 09:40:09 -0400 |
| commit | 62ccd4ca0addd8a4c74bcbdfca6aea0c9381907f (patch) | |
| tree | ad78a933e29a517bae7876248820c40b9b5db197 /base/deploy/src/engine | |
| parent | 2e0194dd7791eaf07d6e9eb26df57e5a4677f426 (diff) | |
| download | pki-62ccd4ca0addd8a4c74bcbdfca6aea0c9381907f.tar.gz pki-62ccd4ca0addd8a4c74bcbdfca6aea0c9381907f.tar.xz pki-62ccd4ca0addd8a4c74bcbdfca6aea0c9381907f.zip | |
Renamed base/deploy to base/server.
The base/deploy folder has been renamed to base/server to match the
package name. The pki.conf has been moved into pki-base package.
Ticket #553, #564
Diffstat (limited to 'base/deploy/src/engine')
| -rw-r--r-- | base/deploy/src/engine/pkiconfig.py | 185 | ||||
| -rw-r--r-- | base/deploy/src/engine/pkihelper.py | 3397 | ||||
| -rw-r--r-- | base/deploy/src/engine/pkilogging.py | 76 | ||||
| -rw-r--r-- | base/deploy/src/engine/pkimanifest.py | 101 | ||||
| -rw-r--r-- | base/deploy/src/engine/pkimessages.py | 361 | ||||
| -rw-r--r-- | base/deploy/src/engine/pkiparser.py | 1069 | ||||
| -rw-r--r-- | base/deploy/src/engine/pkiscriptlet.py | 46 |
7 files changed, 0 insertions, 5235 deletions
diff --git a/base/deploy/src/engine/pkiconfig.py b/base/deploy/src/engine/pkiconfig.py deleted file mode 100644 index ad6c22251..000000000 --- a/base/deploy/src/engine/pkiconfig.py +++ /dev/null @@ -1,185 +0,0 @@ -#!/usr/bin/python -t -# Authors: -# Matthew Harmsen <mharmsen@redhat.com> -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; version 2 of the License. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Copyright (C) 2012 Red Hat, Inc. -# All rights reserved. -# -import re - -# PKI Deployment Constants -PKI_DEPLOYMENT_DEFAULT_CLIENT_DIR_PERMISSIONS = 00755 -PKI_DEPLOYMENT_DEFAULT_DIR_PERMISSIONS = 00770 -PKI_DEPLOYMENT_DEFAULT_EXE_PERMISSIONS = 00770 -PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS = 00660 -PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS = 00600 -PKI_DEPLOYMENT_DEFAULT_SGID_DIR_PERMISSIONS = 02770 -PKI_DEPLOYMENT_DEFAULT_SYMLINK_PERMISSIONS = 00777 -PKI_DEPLOYMENT_DEFAULT_UMASK = 00002 - -PKI_DEPLOYMENT_DEFAULT_COMMENT = "'Certificate System'" -PKI_DEPLOYMENT_DEFAULT_GID = 17 -PKI_DEPLOYMENT_DEFAULT_GROUP = "pkiuser" -PKI_DEPLOYMENT_DEFAULT_SHELL = "/sbin/nologin" -PKI_DEPLOYMENT_DEFAULT_UID = 17 -PKI_DEPLOYMENT_DEFAULT_USER = "pkiuser" - -PKI_SUBSYSTEMS = ["CA","KRA","OCSP","RA","TKS","TPS"] -PKI_SIGNED_AUDIT_SUBSYSTEMS = ["CA","KRA","OCSP","TKS","TPS"] -PKI_APACHE_SUBSYSTEMS = ["RA","TPS"] -PKI_TOMCAT_SUBSYSTEMS = ["CA","KRA","OCSP","TKS"] -PKI_BASE_RESERVED_NAMES = ["alias", "bin", "ca", "common", "conf", "kra", - "lib", "logs", "ocsp", "temp", "tks", "webapps", - "work"] -PKI_CONFIGURATION_RESERVED_NAMES = ["CA", "java", "nssdb", "rpm-gpg", - "rsyslog", "tls"] -PKI_APACHE_REGISTRY_RESERVED_NAMES = ["ra", "tps"] -PKI_TOMCAT_REGISTRY_RESERVED_NAMES = ["ca", "kra", "ocsp", "tks"] - -PKI_INDENTATION_LEVEL_0 = {'indent' : ''} -PKI_INDENTATION_LEVEL_1 = {'indent' : '... '} -PKI_INDENTATION_LEVEL_2 = {'indent' : '....... '} -PKI_INDENTATION_LEVEL_3 = {'indent' : '........... '} -PKI_INDENTATION_LEVEL_4 = {'indent' : '............... '} - -PKI_DEPLOYMENT_INTERRUPT_BANNER = "-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+"\ - "-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-" - -PKI_DEPLOYMENT_SOURCE_ROOT = "/usr/share/pki" -PKI_DEPLOYMENT_BASE_ROOT = "/var/lib/pki" -# NOTE: Top-level "/etc/pki" is owned by the "filesystem" package! -PKI_DEPLOYMENT_CONFIGURATION_ROOT = "/etc/pki" -PKI_DEPLOYMENT_LOG_ROOT = "/var/log/pki" -# NOTE: Well-known 'registry root', default 'instance', and default -# 'configuration file' names MUST be created in order to potentially -# obtain an instance-specific configuration file -# (presuming one has not been specified during command-line parsing) -# because command-line parsing happens prior to reading any -# configuration files. Although the 'registry root' MUST remain fixed, -# the default 'instance' name may be overridden by the value specified -# in the configuration file (the value in the default configuration file -# should always match the 'default' instance name specified below). -PKI_DEPLOYMENT_DEFAULT_APACHE_INSTANCE_NAME = "pki-apache" -PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME = "pki-tomcat" - -DEFAULT_DEPLOYMENT_CONFIGURATION = "default.cfg" -USER_DEPLOYMENT_CONFIGURATION = "deployment.cfg" - -PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE =\ - PKI_DEPLOYMENT_CONFIGURATION_ROOT + "/" + DEFAULT_DEPLOYMENT_CONFIGURATION -PKI_DEPLOYMENT_SLOTS_CONFIGURATION_FILE =\ - PKI_DEPLOYMENT_SOURCE_ROOT + "/deployment/config/pkislots.cfg" - -# subtypes of PKI subsystems -PKI_DEPLOYMENT_CLONED_PKI_SUBSYSTEM = "Cloned" -PKI_DEPLOYMENT_EXTERNAL_CA = "External" -PKI_DEPLOYMENT_SUBORDINATE_CA = "Subordinate" - -# default ports (for defined selinux policy) -PKI_DEPLOYMENT_DEFAULT_TOMCAT_HTTP_PORT = 8080 -PKI_DEPLOYMENT_DEFAULT_TOMCAT_HTTPS_PORT = 8443 -PKI_DEPLOYMENT_DEFAULT_TOMCAT_SERVER_PORT = 8005 -PKI_DEPLOYMENT_DEFAULT_TOMCAT_AJP_PORT = 8009 - -# PKI Deployment Global Variables -pki_install_time = None -pki_timestamp = None -pki_architecture = None -pki_hostname = None - - -# PKI Deployment Command-Line Variables -pki_deployment_executable = None - -# PKI Deployment "Mandatory" Command-Line Variables -pki_subsystem = None -# 'pkispawn' ONLY -default_deployment_cfg = None -user_deployment_cfg = None -# 'pkidestroy' ONLY -pki_deployed_instance_name = None -pki_secdomain_user = None -pki_secdomain_pass = None - -# PKI Deployment "Optional" Command-Line Variables -# 'pkispawn' ONLY -pki_update_flag = False - -# PKI Deployment "Test" Command-Line Variables -pki_root_prefix = None - - -# PKI Deployment Helper Functions -def str2bool(string): - return string.lower() in ("yes", "true", "t", "1") - -# NOTE: To utilize the 'preparations_for_an_external_java_debugger(master)' -# and 'wait_to_attach_an_external_java_debugger(master)' functions, -# change 'pki_enable_java_debugger=False' to -# 'pki_enable_java_debugger=True' in the appropriate -# deployment configuration file. -def prepare_for_an_external_java_debugger(instance): - print - print PKI_DEPLOYMENT_INTERRUPT_BANNER - print - print "The following 'JAVA_OPTS' MUST be enabled (uncommented) in" - print "'%s':" % instance - print - print " JAVA_OPTS=\"-Xdebug -Xrunjdwp:transport=dt_socket,\"" - print " \"address=8000,server=y,suspend\"" - print - raw_input("Enable external java debugger 'JAVA_OPTS' "\ - "and press return to continue . . . ") - print - print PKI_DEPLOYMENT_INTERRUPT_BANNER - print - return - -def wait_to_attach_an_external_java_debugger(): - print - print PKI_DEPLOYMENT_INTERRUPT_BANNER - print - print "Attach the java debugger to this process on the port specified by" - print "the 'address' selected by 'JAVA_OPTS' (e. g. - port 8000) and" - print "set any desired breakpoints" - print - raw_input("Please attach an external java debugger "\ - "and press return to continue . . . ") - print - print PKI_DEPLOYMENT_INTERRUPT_BANNER - print - return - - -# PKI Deployment Logger Variables -pki_log = None -pki_log_dir = None -pki_log_name = None -pki_log_level = None -pki_console_log_level = None - - -# PKI Deployment Global Dictionaries -pki_master_dict = {} -pki_slots_dict = None - -# PKI Selinux Constants and parameters -PKI_INSTANCE_SELINUX_CONTEXT = "pki_tomcat_var_lib_t" -PKI_LOG_SELINUX_CONTEXT = "pki_tomcat_log_t" -PKI_CFG_SELINUX_CONTEXT = "pki_tomcat_etc_rw_t" -PKI_CERTDB_SELINUX_CONTEXT = "pki_tomcat_cert_t" -PKI_PORT_SELINUX_CONTEXT = "http_port_t" -pki_selinux_config_ports = [] diff --git a/base/deploy/src/engine/pkihelper.py b/base/deploy/src/engine/pkihelper.py deleted file mode 100644 index df71978ed..000000000 --- a/base/deploy/src/engine/pkihelper.py +++ /dev/null @@ -1,3397 +0,0 @@ -#!/usr/bin/python -t - -# Authors: -# Matthew Harmsen <mharmsen@redhat.com> -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; version 2 of the License. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Copyright (C) 2012 Red Hat, Inc. -# All rights reserved. -# - -# System Imports -import errno -import sys -import os -import fileinput -import pickle -import random -import re -import requests -import shutil -import string -import subprocess -import time -from datetime import datetime -from grp import getgrgid -from grp import getgrnam -from pwd import getpwnam -from pwd import getpwuid -import xml.etree.ElementTree as ET -import zipfile -import selinux -if selinux.is_selinux_enabled(): - import seobject - - -# PKI Deployment Imports -import pkiconfig as config -from pkiconfig import pki_master_dict as master -from pkiconfig import pki_slots_dict as slots -from pkiconfig import pki_selinux_config_ports as ports -import pkimanifest as manifest -import pkimessages as log -from pkiparser import PKIConfigParser -import pki.account -import pki.client -import pki.system - -# PKI Deployment Helper Functions -def pki_copytree(src, dst, symlinks=False, ignore=None): - """Recursively copy a directory tree using copy2(). - - PATCH: This code was copied from 'shutil.py' and patched to - allow 'The destination directory to already exist.' - - If exception(s) occur, an Error is raised with a list of reasons. - - If the optional symlinks flag is true, symbolic links in the - source tree result in symbolic links in the destination tree; if - it is false, the contents of the files pointed to by symbolic - links are copied. - - The optional ignore argument is a callable. If given, it - is called with the `src` parameter, which is the directory - being visited by pki_copytree(), and `names` which is the list of - `src` contents, as returned by os.listdir(): - - callable(src, names) -> ignored_names - - Since pki_copytree() is called recursively, the callable will be - called once for each directory that is copied. It returns a - list of names relative to the `src` directory that should - not be copied. - - XXX Consider this example code rather than the ultimate tool. - - """ - names = os.listdir(src) - if ignore is not None: - ignored_names = ignore(src, names) - else: - ignored_names = set() - - # PATCH: ONLY execute 'os.makedirs(dst)' if the top-level - # destination directory does NOT exist! - if not os.path.exists(dst): - os.makedirs(dst) - errors = [] - for name in names: - if name in ignored_names: - continue - srcname = os.path.join(src, name) - dstname = os.path.join(dst, name) - try: - if symlinks and os.path.islink(srcname): - linkto = os.readlink(srcname) - os.symlink(linkto, dstname) - elif os.path.isdir(srcname): - pki_copytree(srcname, dstname, symlinks, ignore) - else: - # Will raise a SpecialFileError for unsupported file types - shutil.copy2(srcname, dstname) - # catch the Error from the recursive pki_copytree so that we can - # continue with other files - except Error, err: - errors.extend(err.args[0]) - except EnvironmentError, why: - errors.append((srcname, dstname, str(why))) - try: - shutil.copystat(src, dst) - except OSError, why: - if WindowsError is not None and isinstance(why, WindowsError): - # Copying file access times may fail on Windows - pass - else: - errors.extend((src, dst, str(why))) - if errors: - raise Error, errors - -# PKI Deployment Identity Class -class identity: - def __add_gid(self, pki_group): - pki_gid = None - try: - # Does the specified 'pki_group' exist? - pki_gid = getgrnam(pki_group)[2] - # Yes, group 'pki_group' exists! - config.pki_log.info(log.PKIHELPER_GROUP_ADD_2, pki_group, pki_gid, - extra=config.PKI_INDENTATION_LEVEL_2) - except KeyError as exc: - # No, group 'pki_group' does not exist! - config.pki_log.debug(log.PKIHELPER_GROUP_ADD_KEYERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - try: - # Is the default well-known GID already defined? - group = getgrgid(config.PKI_DEPLOYMENT_DEFAULT_GID)[0] - # Yes, the default well-known GID exists! - config.pki_log.info(log.PKIHELPER_GROUP_ADD_DEFAULT_2, - group, config.PKI_DEPLOYMENT_DEFAULT_GID, - extra=config.PKI_INDENTATION_LEVEL_2) - # Attempt to create 'pki_group' using a random GID. - command = "/usr/sbin/groupadd" + " " +\ - pki_group + " " +\ - "> /dev/null 2>&1" - except KeyError as exc: - # No, the default well-known GID does not exist! - config.pki_log.debug(log.PKIHELPER_GROUP_ADD_GID_KEYERROR_1, - exc, extra=config.PKI_INDENTATION_LEVEL_2) - # Is the specified 'pki_group' the default well-known group? - if pki_group == config.PKI_DEPLOYMENT_DEFAULT_GROUP: - # Yes, attempt to create the default well-known group - # using the default well-known GID. - command = "/usr/sbin/groupadd" + " " +\ - "-g" + " " +\ - str(config.PKI_DEPLOYMENT_DEFAULT_GID) + " " +\ - "-r" + " " +\ - pki_group + " " +\ - "> /dev/null 2>&1" - else: - # No, attempt to create 'pki_group' using a random GID. - command = "/usr/sbin/groupadd" + " " +\ - pki_group + " " +\ - "> /dev/null 2>&1" - # Execute this "groupadd" command. - subprocess.call(command, shell=True) - except subprocess.CalledProcessError as exc: - config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - return - - def __add_uid(self, pki_user, pki_group): - pki_uid = None - try: - # Does the specified 'pki_user' exist? - pki_uid = getpwnam(pki_user)[2] - # Yes, user 'pki_user' exists! - config.pki_log.info(log.PKIHELPER_USER_ADD_2, pki_user, pki_uid, - extra=config.PKI_INDENTATION_LEVEL_2) - # NOTE: For now, never check validity of specified 'pki_group'! - except KeyError as exc: - # No, user 'pki_user' does not exist! - config.pki_log.debug(log.PKIHELPER_USER_ADD_KEYERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - try: - # Is the default well-known UID already defined? - user = getpwuid(config.PKI_DEPLOYMENT_DEFAULT_UID)[0] - # Yes, the default well-known UID exists! - config.pki_log.info(log.PKIHELPER_USER_ADD_DEFAULT_2, - user, config.PKI_DEPLOYMENT_DEFAULT_UID, - extra=config.PKI_INDENTATION_LEVEL_2) - # Attempt to create 'pki_user' using a random UID. - command = "/usr/sbin/useradd" + " " +\ - "-g" + " " +\ - pki_group + " " +\ - "-d" + " " +\ - config.PKI_DEPLOYMENT_SOURCE_ROOT + " " +\ - "-s" + " " +\ - config.PKI_DEPLOYMENT_DEFAULT_SHELL + " " +\ - "-c" + " " +\ - config.PKI_DEPLOYMENT_DEFAULT_COMMENT + " " +\ - pki_user + " " +\ - "> /dev/null 2>&1" - except KeyError as exc: - # No, the default well-known UID does not exist! - config.pki_log.debug(log.PKIHELPER_USER_ADD_UID_KEYERROR_1, - exc, extra=config.PKI_INDENTATION_LEVEL_2) - # Is the specified 'pki_user' the default well-known user? - if pki_user == config.PKI_DEPLOYMENT_DEFAULT_USER: - # Yes, attempt to create the default well-known user - # using the default well-known UID. - command = "/usr/sbin/useradd" + " " +\ - "-g" + " " +\ - pki_group + " " +\ - "-d" + " " +\ - config.PKI_DEPLOYMENT_SOURCE_ROOT + " " +\ - "-s" + " " +\ - config.PKI_DEPLOYMENT_DEFAULT_SHELL + " " +\ - "-c" + " " +\ - config.PKI_DEPLOYMENT_DEFAULT_COMMENT + " " +\ - "-u" + " " +\ - str(config.PKI_DEPLOYMENT_DEFAULT_UID) + " " +\ - "-r" + " " +\ - pki_user + " " +\ - "> /dev/null 2>&1" - else: - # No, attempt to create 'pki_user' using a random UID. - command = "/usr/sbin/useradd" + " " +\ - "-g" + " " +\ - pki_group + " " +\ - "-d" + " " +\ - config.PKI_DEPLOYMENT_SOURCE_ROOT + " " +\ - "-s" + " " +\ - config.PKI_DEPLOYMENT_DEFAULT_SHELL + " " +\ - "-c" + " " +\ - config.PKI_DEPLOYMENT_DEFAULT_COMMENT + " " +\ - pki_user + " " +\ - "> /dev/null 2>&1" - # Execute this "useradd" command. - subprocess.call(command, shell=True) - except subprocess.CalledProcessError as exc: - config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - return - - def add_uid_and_gid(self, pki_user, pki_group): - self.__add_gid(pki_group) - self.__add_uid(pki_user, pki_group) - return - - def get_uid(self, critical_failure=True): - try: - pki_uid = master['pki_uid'] - except KeyError as exc: - config.pki_log.error(log.PKI_KEYERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - return pki_uid - - def get_gid(self, critical_failure=True): - try: - pki_gid = master['pki_gid'] - except KeyError as exc: - config.pki_log.error(log.PKI_KEYERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - return pki_gid - - def set_uid(self, name, critical_failure=True): - try: - config.pki_log.debug(log.PKIHELPER_USER_1, name, - extra=config.PKI_INDENTATION_LEVEL_2) - # id -u <name> - pki_uid = getpwnam(name)[2] - master['pki_uid']=pki_uid - config.pki_log.debug(log.PKIHELPER_UID_2, name, pki_uid, - extra=config.PKI_INDENTATION_LEVEL_3) - except KeyError as exc: - config.pki_log.error(log.PKI_KEYERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - return pki_uid - - def set_gid(self, name, critical_failure=True): - try: - config.pki_log.debug(log.PKIHELPER_GROUP_1, name, - extra=config.PKI_INDENTATION_LEVEL_2) - # id -g <name> - pki_gid = getgrnam(name)[2] - master['pki_gid']=pki_gid - config.pki_log.debug(log.PKIHELPER_GID_2, name, pki_gid, - extra=config.PKI_INDENTATION_LEVEL_3) - except KeyError as exc: - config.pki_log.error(log.PKI_KEYERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - return pki_gid - - -# PKI Deployment Namespace Class -class namespace: - # Silently verify that the selected 'pki_instance_name' will - # NOT produce any namespace collisions - def collision_detection(self): - # Run simple checks for pre-existing namespace collisions - if os.path.exists(master['pki_instance_path']): - if os.path.exists(master['pki_subsystem_path']): - # Top-Level PKI base path collision - config.pki_log.error( - log.PKIHELPER_NAMESPACE_COLLISION_2, - master['pki_instance_name'], - master['pki_instance_path'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - else: - if os.path.exists(master['pki_target_tomcat_conf_instance_id']): - # Top-Level "/etc/sysconfig" path collision - config.pki_log.error( - log.PKIHELPER_NAMESPACE_COLLISION_2, - master['pki_instance_name'], - master['pki_target_tomcat_conf_instance_id'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - if os.path.exists(master['pki_cgroup_systemd_service']): - # Systemd cgroup path collision - config.pki_log.error( - log.PKIHELPER_NAMESPACE_COLLISION_2, - master['pki_instance_name'], - master['pki_cgroup_systemd_service_path'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - if os.path.exists(master['pki_cgroup_cpu_systemd_service']): - # Systemd cgroup CPU path collision - config.pki_log.error( - log.PKIHELPER_NAMESPACE_COLLISION_2, - master['pki_instance_name'], - master['pki_cgroup_cpu_systemd_service_path'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - if os.path.exists(master['pki_instance_log_path']) and\ - os.path.exists(master['pki_subsystem_log_path']): - # Top-Level PKI log path collision - config.pki_log.error( - log.PKIHELPER_NAMESPACE_COLLISION_2, - master['pki_instance_name'], - master['pki_instance_log_path'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - if os.path.exists(master['pki_instance_configuration_path']) and\ - os.path.exists(master['pki_subsystem_configuration_path']): - # Top-Level PKI configuration path collision - config.pki_log.error( - log.PKIHELPER_NAMESPACE_COLLISION_2, - master['pki_instance_name'], - master['pki_instance_configuration_path'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - if os.path.exists(master['pki_instance_registry_path']) and\ - os.path.exists(master['pki_subsystem_registry_path']): - # Top-Level PKI registry path collision - config.pki_log.error( - log.PKIHELPER_NAMESPACE_COLLISION_2, - master['pki_instance_name'], - master['pki_instance_registry_path'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - # Run simple checks for reserved name namespace collisions - if master['pki_instance_name'] in config.PKI_BASE_RESERVED_NAMES: - # Top-Level PKI base path reserved name collision - config.pki_log.error( - log.PKIHELPER_NAMESPACE_RESERVED_NAME_2, - master['pki_instance_name'], - master['pki_instance_path'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - # No need to check for reserved name under Top-Level PKI log path - if master['pki_instance_name'] in config.PKI_CONFIGURATION_RESERVED_NAMES: - # Top-Level PKI configuration path reserved name collision - config.pki_log.error( - log.PKIHELPER_NAMESPACE_RESERVED_NAME_2, - master['pki_instance_name'], - master['pki_instance_configuration_path'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS: - # Top-Level Apache PKI registry path reserved name collision - if master['pki_instance_name'] in\ - config.PKI_APACHE_REGISTRY_RESERVED_NAMES: - config.pki_log.error( - log.PKIHELPER_NAMESPACE_RESERVED_NAME_2, - master['pki_instance_name'], - master['pki_instance_registry_path'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: - # Top-Level Tomcat PKI registry path reserved name collision - if master['pki_instance_name'] in\ - config.PKI_TOMCAT_REGISTRY_RESERVED_NAMES: - config.pki_log.error( - log.PKIHELPER_NAMESPACE_RESERVED_NAME_2, - master['pki_instance_name'], - master['pki_instance_registry_path'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - - -# PKI Deployment Configuration File Class -class configuration_file: - def log_configuration_url(self): - # NOTE: This is the one and only parameter containing a sensitive - # parameter that may be stored in a log file. - config.pki_log.info(log.PKI_CONFIGURATION_WIZARD_URL_1, - master['pki_configuration_url'], - extra=config.PKI_INDENTATION_LEVEL_2) - config.pki_log.info(log.PKI_CONFIGURATION_WIZARD_RESTART_1, - master['pki_registry_initscript_command'], - extra=config.PKI_INDENTATION_LEVEL_2) - - def display_configuration_url(self): - # NOTE: This is the one and only parameter containing a sensitive - # parameter that may be displayed to the screen. - print log.PKI_CONFIGURATION_URL_1 % master['pki_configuration_url'] - print - print log.PKI_CONFIGURATION_RESTART_1 %\ - master['pki_registry_initscript_command'] - print - - def verify_sensitive_data(self): - # Silently verify the existence of 'sensitive' data - if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: - # Verify existence of Directory Server Password (ALWAYS) - if not master.has_key('pki_ds_password') or\ - not len(master['pki_ds_password']): - config.pki_log.error( - log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, - "pki_ds_password", - master['pki_user_deployment_cfg'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - # Verify existence of Admin Password (except for Clones) - if not config.str2bool(master['pki_clone']): - if not master.has_key('pki_admin_password') or\ - not len(master['pki_admin_password']): - config.pki_log.error( - log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, - "pki_admin_password", - master['pki_user_deployment_cfg'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - # If required, verify existence of Backup Password - if config.str2bool(master['pki_backup_keys']): - if not master.has_key('pki_backup_password') or\ - not len(master['pki_backup_password']): - config.pki_log.error( - log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, - "pki_backup_password", - master['pki_user_deployment_cfg'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - # Verify existence of Client Pin for NSS client security databases - if not master.has_key('pki_client_database_password') or\ - not len(master['pki_client_database_password']): - config.pki_log.error( - log.PKIHELPER_UNDEFINED_CLIENT_DATABASE_PASSWORD_2, - "pki_client_database_password", - master['pki_user_deployment_cfg'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - # Verify existence of Client PKCS #12 Password for Admin Cert - if not master.has_key('pki_client_pkcs12_password') or\ - not len(master['pki_client_pkcs12_password']): - config.pki_log.error( - log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, - "pki_client_pkcs12_password", - master['pki_user_deployment_cfg'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - # Verify existence of PKCS #12 Password (ONLY for Clones) - if config.str2bool(master['pki_clone']): - if not master.has_key('pki_clone_pkcs12_password') or\ - not len(master['pki_clone_pkcs12_password']): - config.pki_log.error( - log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, - "pki_clone_pkcs12_password", - master['pki_user_deployment_cfg'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - # Verify existence of Security Domain Password File - # (ONLY for Clones, KRA, OCSP, TKS, or Subordinate CA) - if config.str2bool(master['pki_clone']) or\ - not master['pki_subsystem'] == "CA" or\ - config.str2bool(master['pki_subordinate']): - if not master.has_key('pki_security_domain_password') or\ - not len(master['pki_security_domain_password']): - config.pki_log.error( - log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, - "pki_security_domain_password", - master['pki_user_deployment_cfg'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - # If required, verify existence of Token Password - if not master['pki_token_name'] == "internal": - if not master.has_key('pki_token_password') or\ - not len(master['pki_token_password']): - config.pki_log.error( - log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, - "pki_token_password", - master['pki_user_deployment_cfg'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - return - - def verify_mutually_exclusive_data(self): - # Silently verify the existence of 'mutually exclusive' data - if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: - if master['pki_subsystem'] == "CA": - if config.str2bool(master['pki_clone']) and\ - config.str2bool(master['pki_external']) and\ - config.str2bool(master['pki_subordinate']): - config.pki_log.error( - log.PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_SUB_CA, - master['pki_user_deployment_cfg'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - elif config.str2bool(master['pki_clone']) and\ - config.str2bool(master['pki_external']): - config.pki_log.error( - log.PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_CA, - master['pki_user_deployment_cfg'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - elif config.str2bool(master['pki_clone']) and\ - config.str2bool(master['pki_subordinate']): - config.pki_log.error( - log.PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_SUB_CA, - master['pki_user_deployment_cfg'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - elif config.str2bool(master['pki_external']) and\ - config.str2bool(master['pki_subordinate']): - config.pki_log.error( - log.PKIHELPER_MUTUALLY_EXCLUSIVE_EXTERNAL_SUB_CA, - master['pki_user_deployment_cfg'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - - def verify_predefined_configuration_file_data(self): - # Silently verify the existence of any required 'predefined' data - # - # FUTURE: As much as is possible, alter this routine to verify - # ALL name/value pairs for the requested configuration - # scenario. This should include checking for the - # "existence" of ALL required "name" parameters, as well as - # the "existence", "type" (e. g. - string, boolean, number, - # etc.), and "correctness" (e. g. - file, directory, boolean - # 'True' or 'False', etc.) of ALL required "value" parameters. - # - if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: - if config.str2bool(master['pki_clone']): - # Verify existence of clone parameters - if not master.has_key('pki_ds_base_dn') or\ - not len(master['pki_ds_base_dn']): - config.pki_log.error( - log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, - "pki_ds_base_dn", - master['pki_user_deployment_cfg'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - if not master.has_key('pki_ds_ldap_port') or\ - not len(master['pki_ds_ldap_port']): - # FUTURE: Check for unused port value - # (e. g. - must be different from master if the - # master is located on the same host) - config.pki_log.error( - log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, - "pki_ds_ldap_port", - master['pki_user_deployment_cfg'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - if not master.has_key('pki_ds_ldaps_port') or\ - not len(master['pki_ds_ldaps_port']): - # FUTURE: Check for unused port value - # (e. g. - must be different from master if the - # master is located on the same host) - config.pki_log.error( - log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, - "pki_ds_ldaps_port", - master['pki_user_deployment_cfg'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - # NOTE: Although this will be checked prior to getting to - # this method, this clone's 'pki_instance_name' MUST - # be different from the master's 'pki_instance_name' - # IF AND ONLY IF the master and clone are located on - # the same host! - if not master.has_key('pki_ajp_port') or\ - not len(master['pki_ajp_port']): - # FUTURE: Check for unused port value - # (e. g. - must be different from master if the - # master is located on the same host) - config.pki_log.error( - log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, - "pki_ajp_port", - master['pki_user_deployment_cfg'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - if not master.has_key('pki_http_port') or\ - not len(master['pki_http_port']): - # FUTURE: Check for unused port value - # (e. g. - must be different from master if the - # master is located on the same host) - config.pki_log.error( - log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, - "pki_http_port", - master['pki_user_deployment_cfg'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - if not master.has_key('pki_https_port') or\ - not len(master['pki_https_port']): - # FUTURE: Check for unused port value - # (e. g. - must be different from master if the - # master is located on the same host) - config.pki_log.error( - log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, - "pki_https_port", - master['pki_user_deployment_cfg'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - if not master.has_key('pki_tomcat_server_port') or\ - not len(master['pki_tomcat_server_port']): - # FUTURE: Check for unused port value - # (e. g. - must be different from master if the - # master is located on the same host) - config.pki_log.error( - log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, - "pki_tomcat_server_port", - master['pki_user_deployment_cfg'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - if not master.has_key('pki_clone_pkcs12_path') or\ - not len(master['pki_clone_pkcs12_path']): - config.pki_log.error( - log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, - "pki_clone_pkcs12_path", - master['pki_user_deployment_cfg'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - elif not os.path.isfile(master['pki_clone_pkcs12_path']): - config.pki_log.error( - log.PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1, - master['pki_clone_pkcs12_path'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - if not master.has_key('pki_clone_replication_security') or\ - not len(master['pki_clone_replication_security']): - config.pki_log.error( - log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, - "pki_clone_replication_security", - master['pki_user_deployment_cfg'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - if not master.has_key('pki_clone_uri') or\ - not len(master['pki_clone_uri']): - config.pki_log.error( - log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, - "pki_clone_uri", - master['pki_user_deployment_cfg'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - elif master['pki_subsystem'] == "CA" and\ - config.str2bool(master['pki_external']): - if not master.has_key('pki_external_step_two') or\ - not len(master['pki_external_step_two']): - config.pki_log.error( - log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, - "pki_external_step_two", - master['pki_user_deployment_cfg'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - if not config.str2bool(master['pki_external_step_two']): - # External CA (Step 1) - if not master.has_key('pki_external_csr_path') or\ - not len(master['pki_external_csr_path']): - config.pki_log.error( - log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, - "pki_external_csr_path", - master['pki_user_deployment_cfg'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - elif os.path.exists(master['pki_external_csr_path']) and\ - not os.path.isfile(master['pki_external_csr_path']): - config.pki_log.error( - log.PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1, - master['pki_external_csr_path'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - else: - # External CA (Step 2) - if not master.has_key('pki_external_ca_cert_chain_path') or\ - not len(master['pki_external_ca_cert_chain_path']): - config.pki_log.error( - log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, - "pki_external_ca_cert_chain_path", - master['pki_user_deployment_cfg'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - elif os.path.exists( - master['pki_external_ca_cert_chain_path']) and\ - not os.path.isfile( - master['pki_external_ca_cert_chain_path']): - config.pki_log.error( - log.PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1, - master['pki_external_ca_cert_chain_path'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - if not master.has_key('pki_external_ca_cert_path') or\ - not len(master['pki_external_ca_cert_path']): - config.pki_log.error( - log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, - "pki_external_ca_cert_path", - master['pki_user_deployment_cfg'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - elif os.path.exists(master['pki_external_ca_cert_path']) and\ - not os.path.isfile( - master['pki_external_ca_cert_path']): - config.pki_log.error( - log.PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1, - master['pki_external_ca_cert_path'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - return - - def populate_non_default_ports(self): - if master['pki_http_port'] != \ - str(config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_HTTP_PORT): - ports.append(master['pki_http_port']) - if master['pki_https_port'] != \ - str(config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_HTTPS_PORT): - ports.append(master['pki_https_port']) - if master['pki_tomcat_server_port'] != \ - str(config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_SERVER_PORT): - ports.append(master['pki_tomcat_server_port']) - if master['pki_ajp_port'] != \ - str(config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_AJP_PORT): - ports.append(master['pki_ajp_port']) - return - - def verify_selinux_ports(self): - # Determine which ports still need to be labelled, and if any are - # incorrectly labelled - if len(ports) == 0: - return - - if not bool(selinux.is_selinux_enabled()): - config.pki_log.error( - log.PKIHELPER_SELINUX_DISABLED, - extra=config.PKI_INDENTATION_LEVEL_2) - return - - portrecs = seobject.portRecords().get_all() - portlist = ports[:] - for port in portlist: - context = "" - for i in portrecs: - if portrecs[i][0] == "unreserved_port_t" or \ - portrecs[i][0] == "reserved_port_t" or \ - i[2] != "tcp": - continue - if i[0] <= int(port) and int(port) <= i[1]: - context = portrecs[i][0] - break - if context == "": - # port has no current context - # leave it in list of ports to set - continue - elif context == config.PKI_PORT_SELINUX_CONTEXT: - # port is already set correctly - # remove from list of ports to set - ports.remove(port) - else: - config.pki_log.error( - log.PKIHELPER_INVALID_SELINUX_CONTEXT_FOR_PORT, - port, context, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - return - - def verify_command_matches_configuration_file(self): - # Silently verify that the command-line parameters match the values - # that are present in the corresponding configuration file - if master['pki_deployment_executable'] == 'pkidestroy': - if master['pki_deployed_instance_name'] !=\ - master['pki_instance_name']: - config.pki_log.error( - log.PKIHELPER_COMMAND_LINE_PARAMETER_MISMATCH_2, - master['pki_deployed_instance_name'], - master['pki_instance_name'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - return - - - -# PKI Deployment XML File Class -#class xml_file: -# def remove_filter_section_from_web_xml(self, -# web_xml_source, -# web_xml_target): -# config.pki_log.info(log.PKIHELPER_REMOVE_FILTER_SECTION_1, -# master['pki_target_subsystem_web_xml'], -# extra=config.PKI_INDENTATION_LEVEL_2) -# begin_filters_section = False -# begin_servlet_section = False -# FILE = open(web_xml_target, "w") -# for line in fileinput.FileInput(web_xml_source): -# if not begin_filters_section: -# # Read and write lines until first "<filter>" tag -# if line.count("<filter>") >= 1: -# # Mark filters section -# begin_filters_section = True -# else: -# FILE.write(line) -# elif not begin_servlet_section: -# # Skip lines until first "<servlet>" tag -# if line.count("<servlet>") >= 1: -# # Mark servlets section and write out the opening tag -# begin_servlet_section = True -# FILE.write(line) -# else: -# continue -# else: -# # Read and write lines all lines after "<servlet>" tag -# FILE.write(line) -# FILE.close() - - -# PKI Deployment Instance Class -class instance: - def apache_instance_subsystems(self): - rv = 0 - try: - # count number of PKI subsystems present - # within the specified Apache instance - for subsystem in config.PKI_APACHE_SUBSYSTEMS: - path = master['pki_instance_path'] + "/" + subsystem.lower() - if os.path.exists(path) and os.path.isdir(path): - rv = rv + 1 - config.pki_log.debug(log.PKIHELPER_APACHE_INSTANCE_SUBSYSTEMS_2, - master['pki_instance_path'], - rv, extra=config.PKI_INDENTATION_LEVEL_2) - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - return rv - - def apache_instances(self): - rv = 0 - try: - # Since ALL directories under the top-level PKI 'apache' registry - # directory SHOULD represent PKI Apache instances, and there - # shouldn't be any stray files or symbolic links at this level, - # simply count the number of PKI 'apache' instances (directories) - # present within the PKI 'apache' registry directory - for instance in\ - os.listdir(master['pki_instance_type_registry_path']): - if os.path.isdir( - os.path.join(master['pki_instance_type_registry_path'], - instance)) and not\ - os.path.islink( - os.path.join(master['pki_instance_type_registry_path'], - instance)): - rv = rv + 1 - config.pki_log.debug(log.PKIHELPER_APACHE_INSTANCES_2, - master['pki_instance_type_registry_path'], - rv, - extra=config.PKI_INDENTATION_LEVEL_2) - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - return rv - - def pki_instance_subsystems(self): - rv = 0 - try: - # Since ALL directories within the top-level PKI infrastructure - # SHOULD represent PKI instances, look for all possible - # PKI instances within the top-level PKI infrastructure - for instance in os.listdir(master['pki_path']): - if os.path.isdir(os.path.join(master['pki_path'],instance))\ - and not\ - os.path.islink(os.path.join(master['pki_path'],instance)): - dir = os.path.join(master['pki_path'],instance) - # Since ANY directory within this PKI instance COULD - # be a PKI subsystem, look for all possible - # PKI subsystems within this PKI instance - for name in os.listdir(dir): - if os.path.isdir(os.path.join(dir,name)) and\ - not os.path.islink(os.path.join(dir,name)): - if name.upper() in config.PKI_SUBSYSTEMS: - rv = rv + 1 - config.pki_log.debug(log.PKIHELPER_PKI_INSTANCE_SUBSYSTEMS_2, - master['pki_instance_path'], rv, - extra=config.PKI_INDENTATION_LEVEL_2) - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - return rv - - def tomcat_instance_subsystems(self): - # Return list of PKI subsystems in the specified tomcat instance - rv = [] - try: - for subsystem in config.PKI_TOMCAT_SUBSYSTEMS: - path = master['pki_instance_path'] + "/" + subsystem.lower() - if os.path.exists(path) and os.path.isdir(path): - rv.append(subsystem) - except OSErr as e: - config.pki_log.error(log.PKI_OSERROR_1, str(e), - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - return rv - - def tomcat_instances(self): - rv = 0 - try: - # Since ALL directories under the top-level PKI 'tomcat' registry - # directory SHOULD represent PKI Tomcat instances, and there - # shouldn't be any stray files or symbolic links at this level, - # simply count the number of PKI 'tomcat' instances (directories) - # present within the PKI 'tomcat' registry directory - for instance in\ - os.listdir(master['pki_instance_type_registry_path']): - if os.path.isdir( - os.path.join(master['pki_instance_type_registry_path'], - instance)) and not\ - os.path.islink( - os.path.join(master['pki_instance_type_registry_path'], - instance)): - rv = rv + 1 - config.pki_log.debug(log.PKIHELPER_TOMCAT_INSTANCES_2, - master['pki_instance_type_registry_path'], - rv, - extra=config.PKI_INDENTATION_LEVEL_2) - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - return rv - - def verify_subsystem_exists(self): - try: - if not os.path.exists(master['pki_subsystem_path']): - config.pki_log.error(log.PKI_SUBSYSTEM_DOES_NOT_EXIST_2, - master['pki_subsystem'], - master['pki_instance_name'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - - def verify_subsystem_does_not_exist(self): - try: - if os.path.exists(master['pki_subsystem_path']): - config.pki_log.error(log.PKI_SUBSYSTEM_ALREADY_EXISTS_2, - master['pki_subsystem'], - master['pki_instance_name'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - - def get_instance_status(self): - self.connection = pki.client.PKIConnection( - protocol='https', - hostname=master['pki_hostname'], - port=master['pki_https_port'], - subsystem=master['pki_subsystem_type'], - accept = 'application/xml') - - try: - client = pki.system.SystemStatusClient(self.connection) - response = client.getStatus() - config.pki_log.debug(response, - extra=config.PKI_INDENTATION_LEVEL_3) - - root = ET.fromstring(response) - status = root.findtext("Status") - return status - except requests.exceptions.ConnectionError: - config.pki_log.debug("No connection", - extra=config.PKI_INDENTATION_LEVEL_3) - return None - - def wait_for_startup(self, timeout): - start_time = datetime.today() - status = None - while status != "running": - status = self.get_instance_status() - time.sleep(1); - stop_time = datetime.today() - if (stop_time - start_time).total_seconds() >= timeout: - break - return status - -# PKI Deployment Directory Class -class directory: - def create(self, name, uid=None, gid=None, - perms=config.PKI_DEPLOYMENT_DEFAULT_DIR_PERMISSIONS, - acls=None, critical_failure=True): - try: - if not os.path.exists(name): - # mkdir -p <name> - config.pki_log.info(log.PKIHELPER_MKDIR_1, name, - extra=config.PKI_INDENTATION_LEVEL_2) - os.makedirs(name) - # chmod <perms> <name> - config.pki_log.debug(log.PKIHELPER_CHMOD_2, perms, name, - extra=config.PKI_INDENTATION_LEVEL_3) - os.chmod(name, perms) - # chown <uid>:<gid> <name> - if uid == None: - uid = identity.get_uid() - if gid == None: - gid = identity.get_gid() - config.pki_log.debug(log.PKIHELPER_CHOWN_3, - uid, gid, name, - extra=config.PKI_INDENTATION_LEVEL_3) - os.chown(name, uid, gid) - # Store record in installation manifest - record = manifest.record() - record.name = name - record.type = manifest.RECORD_TYPE_DIRECTORY - record.user = master['pki_user'] - record.group = master['pki_group'] - record.uid = uid - record.gid = gid - record.permissions = perms - record.acls = acls - manifest.database.append(record) - elif not os.path.isdir(name): - config.pki_log.error( - log.PKI_DIRECTORY_ALREADY_EXISTS_NOT_A_DIRECTORY_1, name, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - except OSError as exc: - if exc.errno == errno.EEXIST: - pass - else: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - return - - def modify(self, name, uid=None, gid=None, - perms=config.PKI_DEPLOYMENT_DEFAULT_DIR_PERMISSIONS, - acls=None, silent=False, critical_failure=True): - try: - if os.path.exists(name): - if not os.path.isdir(name): - config.pki_log.error( - log.PKI_DIRECTORY_ALREADY_EXISTS_NOT_A_DIRECTORY_1, - name, extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - # Always re-process each directory whether it needs it or not - if not silent: - config.pki_log.info(log.PKIHELPER_MODIFY_DIR_1, name, - extra=config.PKI_INDENTATION_LEVEL_2) - # chmod <perms> <name> - if not silent: - config.pki_log.debug(log.PKIHELPER_CHMOD_2, perms, name, - extra=config.PKI_INDENTATION_LEVEL_3) - os.chmod(name, perms) - # chown <uid>:<gid> <name> - if uid == None: - uid = identity.get_uid() - if gid == None: - gid = identity.get_gid() - if not silent: - config.pki_log.debug(log.PKIHELPER_CHOWN_3, - uid, gid, name, - extra=config.PKI_INDENTATION_LEVEL_3) - os.chown(name, uid, gid) - # Store record in installation manifest - if not silent: - record = manifest.record() - record.name = name - record.type = manifest.RECORD_TYPE_DIRECTORY - record.user = master['pki_user'] - record.group = master['pki_group'] - record.uid = uid - record.gid = gid - record.permissions = perms - record.acls = acls - manifest.database.append(record) - else: - config.pki_log.error( - log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, name, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - return - - def delete(self, name, recursive_flag=True, critical_failure=True): - try: - if not os.path.exists(name) or not os.path.isdir(name): - # Simply issue a warning and continue - config.pki_log.warning( - log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, name, - extra=config.PKI_INDENTATION_LEVEL_2) - else: - if recursive_flag == True: - # rm -rf <name> - config.pki_log.info(log.PKIHELPER_RM_RF_1, name, - extra=config.PKI_INDENTATION_LEVEL_2) - shutil.rmtree(name) - else: - # rmdir <name> - config.pki_log.info(log.PKIHELPER_RMDIR_1, name, - extra=config.PKI_INDENTATION_LEVEL_2) - os.rmdir(name) - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - return - - def exists(self, name): - try: - if not os.path.exists(name) or not os.path.isdir(name): - return False - else: - return True - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - - def is_empty(self, name): - try: - if not os.listdir(name): - config.pki_log.debug(log.PKIHELPER_DIRECTORY_IS_EMPTY_1, - name, extra=config.PKI_INDENTATION_LEVEL_2) - return True - else: - config.pki_log.debug(log.PKIHELPER_DIRECTORY_IS_NOT_EMPTY_1, - name, extra=config.PKI_INDENTATION_LEVEL_2) - return False - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - - def set_mode(self, name, uid=None, gid=None, - dir_perms=config.PKI_DEPLOYMENT_DEFAULT_DIR_PERMISSIONS, - file_perms=config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS, - symlink_perms=\ - config.PKI_DEPLOYMENT_DEFAULT_SYMLINK_PERMISSIONS, - dir_acls=None, file_acls=None, symlink_acls=None, - recursive_flag=True, critical_failure=True): - try: - if not os.path.exists(name) or not os.path.isdir(name): - config.pki_log.error( - log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, name, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - else: - config.pki_log.info( - log.PKIHELPER_SET_MODE_1, name, - extra=config.PKI_INDENTATION_LEVEL_2) - if uid == None: - uid = identity.get_uid() - if gid == None: - gid = identity.get_gid() - if recursive_flag == True: - for root, dirs, files in os.walk(name): - for name in files: - entity = os.path.join(root, name) - if not os.path.islink(entity): - file = entity - config.pki_log.debug( - log.PKIHELPER_IS_A_FILE_1, file, - extra=config.PKI_INDENTATION_LEVEL_3) - # chmod <file_perms> <name> - config.pki_log.debug(log.PKIHELPER_CHMOD_2, - file_perms, file, - extra=config.PKI_INDENTATION_LEVEL_3) - os.chmod(file, file_perms) - # chown <uid>:<gid> <name> - config.pki_log.debug(log.PKIHELPER_CHOWN_3, - uid, gid, file, - extra=config.PKI_INDENTATION_LEVEL_3) - os.chown(file, uid, gid) - # Store record in installation manifest - record = manifest.record() - record.name = name - record.type = manifest.RECORD_TYPE_FILE - record.user = master['pki_user'] - record.group = master['pki_group'] - record.uid = uid - record.gid = gid - record.permissions = file_perms - record.acls = file_acls - manifest.database.append(record) - else: - symlink = entity - config.pki_log.debug( - log.PKIHELPER_IS_A_SYMLINK_1, symlink, - extra=config.PKI_INDENTATION_LEVEL_3) - # REMINDER: Due to POSIX compliance, 'lchmod' - # is NEVER implemented on Linux - # systems since 'chmod' CANNOT be - # run directly against symbolic - # links! - # chown -h <uid>:<gid> <symlink> - config.pki_log.debug(log.PKIHELPER_CHOWN_H_3, - uid, gid, symlink, - extra=config.PKI_INDENTATION_LEVEL_3) - os.lchown(symlink, uid, gid) - # Store record in installation manifest - record = manifest.record() - record.name = name - record.type = manifest.RECORD_TYPE_SYMLINK - record.user = master['pki_user'] - record.group = master['pki_group'] - record.uid = uid - record.gid = gid - record.permissions = symlink_perms - record.acls = symlink_acls - manifest.database.append(record) - for name in dirs: - dir = os.path.join(root, name) - config.pki_log.debug( - log.PKIHELPER_IS_A_DIRECTORY_1, dir, - extra=config.PKI_INDENTATION_LEVEL_3) - # chmod <dir_perms> <name> - config.pki_log.debug(log.PKIHELPER_CHMOD_2, - dir_perms, dir, - extra=config.PKI_INDENTATION_LEVEL_3) - os.chmod(dir, dir_perms) - # chown <uid>:<gid> <name> - config.pki_log.debug(log.PKIHELPER_CHOWN_3, - uid, gid, dir, - extra=config.PKI_INDENTATION_LEVEL_3) - os.chown(dir, uid, gid) - # Store record in installation manifest - record = manifest.record() - record.name = name - record.type = manifest.RECORD_TYPE_DIRECTORY - record.user = master['pki_user'] - record.group = master['pki_group'] - record.uid = uid - record.gid = gid - record.permissions = dir_perms - record.acls = dir_acls - manifest.database.append(record) - else: - config.pki_log.debug( - log.PKIHELPER_IS_A_DIRECTORY_1, name, - extra=config.PKI_INDENTATION_LEVEL_3) - name = os.path.join(root, name) - # chmod <dir_perms> <name> - config.pki_log.debug(log.PKIHELPER_CHMOD_2, - dir_perms, name, - extra=config.PKI_INDENTATION_LEVEL_3) - os.chmod(name, dir_perms) - # chown <uid>:<gid> <name> - config.pki_log.debug(log.PKIHELPER_CHOWN_3, - uid, gid, name, - extra=config.PKI_INDENTATION_LEVEL_3) - os.chown(name, uid, gid) - # Store record in installation manifest - record = manifest.record() - record.name = name - record.type = manifest.RECORD_TYPE_DIRECTORY - record.user = master['pki_user'] - record.group = master['pki_group'] - record.uid = uid - record.gid = gid - record.permissions = dir_perms - record.acls = dir_acls - manifest.database.append(record) - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - - def copy(self, old_name, new_name, uid=None, gid=None, - dir_perms=config.PKI_DEPLOYMENT_DEFAULT_DIR_PERMISSIONS, - file_perms=config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS, - symlink_perms=config.PKI_DEPLOYMENT_DEFAULT_SYMLINK_PERMISSIONS, - dir_acls=None, file_acls=None, symlink_acls=None, - recursive_flag=True, overwrite_flag=False, critical_failure=True): - try: - if not os.path.exists(old_name) or not os.path.isdir(old_name): - config.pki_log.error( - log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, old_name, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - else: - if os.path.exists(new_name): - if not overwrite_flag: - config.pki_log.error( - log.PKI_DIRECTORY_ALREADY_EXISTS_1, new_name, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - if recursive_flag == True: - # cp -rp <old_name> <new_name> - config.pki_log.info(log.PKIHELPER_CP_RP_2, - old_name, new_name, - extra=config.PKI_INDENTATION_LEVEL_2) - # Due to a limitation in the 'shutil.copytree()' - # implementation which requires that - # 'The destination directory must not already exist.', - # an OSError exception is always thrown due to the - # implementation's unchecked call to 'os.makedirs(dst)'. - # Consequently, a 'patched' local copy of this routine has - # been included in this file with the appropriate fix. - pki_copytree(old_name, new_name) - else: - # cp -p <old_name> <new_name> - config.pki_log.info(log.PKIHELPER_CP_P_2, - old_name, new_name, - extra=config.PKI_INDENTATION_LEVEL_2) - shutil.copy2(old_name, new_name) - # set ownerships, permissions, and acls - # of newly created top-level directory - self.modify(new_name, uid, gid, dir_perms, dir_acls, - True, critical_failure) - # set ownerships, permissions, and acls - # of contents of newly created top-level directory - self.set_mode(new_name, uid, gid, - dir_perms, file_perms, symlink_perms, - dir_acls, file_acls, symlink_acls, - recursive_flag, critical_failure) - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - except shutil.Error as exc: - config.pki_log.error(log.PKI_SHUTIL_ERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - return - - -# PKI Deployment File Class (also used for executables) -class file: - def create(self, name, uid=None, gid=None, - perms=config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS, - acls=None, critical_failure=True): - try: - if not os.path.exists(name): - # touch <name> - config.pki_log.info(log.PKIHELPER_TOUCH_1, name, - extra=config.PKI_INDENTATION_LEVEL_2) - open(name, "w").close() - # chmod <perms> <name> - config.pki_log.debug(log.PKIHELPER_CHMOD_2, perms, name, - extra=config.PKI_INDENTATION_LEVEL_3) - os.chmod(name, perms) - # chown <uid>:<gid> <name> - if uid == None: - uid = identity.get_uid() - if gid == None: - gid = identity.get_gid() - config.pki_log.debug(log.PKIHELPER_CHOWN_3, - uid, gid, name, - extra=config.PKI_INDENTATION_LEVEL_3) - os.chown(name, uid, gid) - # Store record in installation manifest - record = manifest.record() - record.name = name - record.type = manifest.RECORD_TYPE_FILE - record.user = master['pki_user'] - record.group = master['pki_group'] - record.uid = uid - record.gid = gid - record.permissions = perms - record.acls = acls - manifest.database.append(record) - elif not os.path.isfile(name): - config.pki_log.error( - log.PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1, name, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - except OSError as exc: - if exc.errno == errno.EEXIST: - pass - else: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - return - - def modify(self, name, uid=None, gid=None, - perms=config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS, - acls=None, silent=False, critical_failure=True): - try: - if os.path.exists(name): - if not os.path.isfile(name): - config.pki_log.error( - log.PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1, - name, extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - # Always re-process each file whether it needs it or not - if not silent: - config.pki_log.info(log.PKIHELPER_MODIFY_FILE_1, name, - extra=config.PKI_INDENTATION_LEVEL_2) - # chmod <perms> <name> - if not silent: - config.pki_log.debug(log.PKIHELPER_CHMOD_2, perms, name, - extra=config.PKI_INDENTATION_LEVEL_3) - os.chmod(name, perms) - # chown <uid>:<gid> <name> - if uid == None: - uid = identity.get_uid() - if gid == None: - gid = identity.get_gid() - if not silent: - config.pki_log.debug(log.PKIHELPER_CHOWN_3, - uid, gid, name, - extra=config.PKI_INDENTATION_LEVEL_3) - os.chown(name, uid, gid) - # Store record in installation manifest - if not silent: - record = manifest.record() - record.name = name - record.type = manifest.RECORD_TYPE_FILE - record.user = master['pki_user'] - record.group = master['pki_group'] - record.uid = uid - record.gid = gid - record.permissions = perms - record.acls = acls - manifest.database.append(record) - else: - config.pki_log.error( - log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, name, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - return - - def delete(self, name, critical_failure=True): - try: - if not os.path.exists(name) or not os.path.isfile(name): - # Simply issue a warning and continue - config.pki_log.warning( - log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, name, - extra=config.PKI_INDENTATION_LEVEL_2) - else: - # rm -f <name> - config.pki_log.info(log.PKIHELPER_RM_F_1, name, - extra=config.PKI_INDENTATION_LEVEL_2) - os.remove(name) - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - return - - def exists(self, name): - try: - if not os.path.exists(name) or not os.path.isfile(name): - return False - else: - return True - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - - def copy(self, old_name, new_name, uid=None, gid=None, - perms=config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS, acls=None, - overwrite_flag=False, critical_failure=True): - try: - if not os.path.exists(old_name) or not os.path.isfile(old_name): - config.pki_log.error( - log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, old_name, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - else: - if os.path.exists(new_name): - if not overwrite_flag: - config.pki_log.error( - log.PKI_FILE_ALREADY_EXISTS_1, new_name, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - # cp -p <old_name> <new_name> - config.pki_log.info(log.PKIHELPER_CP_P_2, - old_name, new_name, - extra=config.PKI_INDENTATION_LEVEL_2) - shutil.copy2(old_name, new_name) - if uid == None: - uid = identity.get_uid() - if gid == None: - gid = identity.get_gid() - # chmod <perms> <new_name> - config.pki_log.debug(log.PKIHELPER_CHMOD_2, - perms, new_name, - extra=config.PKI_INDENTATION_LEVEL_3) - os.chmod(new_name, perms) - # chown <uid>:<gid> <new_name> - config.pki_log.debug(log.PKIHELPER_CHOWN_3, - uid, gid, new_name, - extra=config.PKI_INDENTATION_LEVEL_3) - os.chown(new_name, uid, gid) - # Store record in installation manifest - record = manifest.record() - record.name = new_name - record.type = manifest.RECORD_TYPE_FILE - record.user = master['pki_user'] - record.group = master['pki_group'] - record.uid = uid - record.gid = gid - record.permissions = perms - record.acls = acls - manifest.database.append(record) - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - except shutil.Error as exc: - config.pki_log.error(log.PKI_SHUTIL_ERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - return - - def apply_slot_substitution( - self, name, uid=None, gid=None, - perms=config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS, - acls=None, critical_failure=True): - try: - if not os.path.exists(name) or not os.path.isfile(name): - config.pki_log.error( - log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, name, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - # applying in-place slot substitutions on <name> - config.pki_log.info(log.PKIHELPER_APPLY_SLOT_SUBSTITUTION_1, - name, - extra=config.PKI_INDENTATION_LEVEL_2) - for line in fileinput.FileInput(name, inplace=1): - for slot in slots: - if slot != '__name__' and slots[slot] in line: - config.pki_log.debug( - log.PKIHELPER_SLOT_SUBSTITUTION_2, - slots[slot], master[slot], - extra=config.PKI_INDENTATION_LEVEL_3) - line=line.replace(slots[slot],master[slot]) - sys.stdout.write(line) - if uid == None: - uid = identity.get_uid() - if gid == None: - gid = identity.get_gid() - # chmod <perms> <name> - config.pki_log.debug(log.PKIHELPER_CHMOD_2, - perms, name, - extra=config.PKI_INDENTATION_LEVEL_3) - os.chmod(name, perms) - # chown <uid>:<gid> <name> - config.pki_log.debug(log.PKIHELPER_CHOWN_3, - uid, gid, name, - extra=config.PKI_INDENTATION_LEVEL_3) - os.chown(name, uid, gid) - # Store record in installation manifest - record = manifest.record() - record.name = name - record.type = manifest.RECORD_TYPE_FILE - record.user = master['pki_user'] - record.group = master['pki_group'] - record.uid = uid - record.gid = gid - record.permissions = perms - record.acls = acls - manifest.database.append(record) - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - except shutil.Error as exc: - config.pki_log.error(log.PKI_SHUTIL_ERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - return - - def copy_with_slot_substitution( - self, old_name, new_name, uid=None, gid=None, - perms=config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS, - acls=None, overwrite_flag=False, - critical_failure=True): - try: - if not os.path.exists(old_name) or not os.path.isfile(old_name): - config.pki_log.error( - log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, old_name, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - else: - if os.path.exists(new_name): - if not overwrite_flag: - config.pki_log.error( - log.PKI_FILE_ALREADY_EXISTS_1, new_name, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - # copy <old_name> to <new_name> with slot substitutions - config.pki_log.info(log.PKIHELPER_COPY_WITH_SLOT_SUBSTITUTION_2, - old_name, new_name, - extra=config.PKI_INDENTATION_LEVEL_2) - FILE = open(new_name, "w") - for line in fileinput.FileInput(old_name): - for slot in slots: - if slot != '__name__' and slots[slot] in line: - config.pki_log.debug( - log.PKIHELPER_SLOT_SUBSTITUTION_2, - slots[slot], master[slot], - extra=config.PKI_INDENTATION_LEVEL_3) - line=line.replace(slots[slot],master[slot]) - FILE.write(line) - FILE.close() - if uid == None: - uid = identity.get_uid() - if gid == None: - gid = identity.get_gid() - # chmod <perms> <new_name> - config.pki_log.debug(log.PKIHELPER_CHMOD_2, - perms, new_name, - extra=config.PKI_INDENTATION_LEVEL_3) - os.chmod(new_name, perms) - # chown <uid>:<gid> <new_name> - config.pki_log.debug(log.PKIHELPER_CHOWN_3, - uid, gid, new_name, - extra=config.PKI_INDENTATION_LEVEL_3) - os.chown(new_name, uid, gid) - # Store record in installation manifest - record = manifest.record() - record.name = new_name - record.type = manifest.RECORD_TYPE_FILE - record.user = master['pki_user'] - record.group = master['pki_group'] - record.uid = uid - record.gid = gid - record.permissions = perms - record.acls = acls - manifest.database.append(record) - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - except shutil.Error as exc: - config.pki_log.error(log.PKI_SHUTIL_ERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - return - - def generate_noise_file(self, name, bytes, uid=None, gid=None, - perms=config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS, - acls=None, critical_failure=True): - try: - if not os.path.exists(name): - # generating noise file called <name> and - # filling it with <bytes> random bytes - config.pki_log.info(log.PKIHELPER_NOISE_FILE_2, name, bytes, - extra=config.PKI_INDENTATION_LEVEL_2) - open(name, "w").close() - FILE = open(name, "w") - noise = ''.join(random.choice(string.ascii_letters +\ - string.digits) for x in range(bytes)) - FILE.write(noise) - FILE.close() - # chmod <perms> <name> - config.pki_log.debug(log.PKIHELPER_CHMOD_2, perms, name, - extra=config.PKI_INDENTATION_LEVEL_3) - os.chmod(name, perms) - # chown <uid>:<gid> <name> - if uid == None: - uid = identity.get_uid() - if gid == None: - gid = identity.get_gid() - config.pki_log.debug(log.PKIHELPER_CHOWN_3, - uid, gid, name, - extra=config.PKI_INDENTATION_LEVEL_3) - os.chown(name, uid, gid) - # Store record in installation manifest - record = manifest.record() - record.name = name - record.type = manifest.RECORD_TYPE_FILE - record.user = master['pki_user'] - record.group = master['pki_group'] - record.uid = uid - record.gid = gid - record.permissions = perms - record.acls = acls - manifest.database.append(record) - elif not os.path.isfile(name): - config.pki_log.error( - log.PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1, name, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - except OSError as exc: - if exc.errno == errno.EEXIST: - pass - else: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - return - - -# PKI Deployment Symbolic Link Class -class symlink: - def create(self, name, link, uid=None, gid=None, - acls=None, allow_dangling_symlink=False, critical_failure=True): - try: - if not os.path.exists(link): - if not os.path.exists(name): - config.pki_log.warning( - log.PKIHELPER_DANGLING_SYMLINK_2, link, name, - extra=config.PKI_INDENTATION_LEVEL_2) - if not allow_dangling_symlink: - sys.exit(1) - # ln -s <name> <link> - config.pki_log.info(log.PKIHELPER_LINK_S_2, name, link, - extra=config.PKI_INDENTATION_LEVEL_2) - os.symlink(name, link) - # REMINDER: Due to POSIX compliance, 'lchmod' is NEVER - # implemented on Linux systems since 'chmod' - # CANNOT be run directly against symbolic links! - # chown -h <uid>:<gid> <link> - if uid == None: - uid = identity.get_uid() - if gid == None: - gid = identity.get_gid() - config.pki_log.debug(log.PKIHELPER_CHOWN_H_3, - uid, gid, link, - extra=config.PKI_INDENTATION_LEVEL_3) - os.lchown(link, uid, gid) - # Store record in installation manifest - record = manifest.record() - record.name = link - record.type = manifest.RECORD_TYPE_SYMLINK - record.user = master['pki_user'] - record.group = master['pki_group'] - record.uid = uid - record.gid = gid - record.permissions =\ - config.PKI_DEPLOYMENT_DEFAULT_SYMLINK_PERMISSIONS - record.acls = acls - manifest.database.append(record) - elif not os.path.islink(link): - config.pki_log.error( - log.PKI_SYMLINK_ALREADY_EXISTS_NOT_A_SYMLINK_1, link, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - except OSError as exc: - if exc.errno == errno.EEXIST: - pass - else: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - return - - def modify(self, link, uid=None, gid=None, - acls=None, silent=False, critical_failure=True): - try: - if os.path.exists(link): - if not os.path.islink(link): - config.pki_log.error( - log.PKI_SYMLINK_ALREADY_EXISTS_NOT_A_SYMLINK_1, - link, extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - # Always re-process each link whether it needs it or not - if not silent: - config.pki_log.info(log.PKIHELPER_MODIFY_SYMLINK_1, link, - extra=config.PKI_INDENTATION_LEVEL_2) - # REMINDER: Due to POSIX compliance, 'lchmod' is NEVER - # implemented on Linux systems since 'chmod' - # CANNOT be run directly against symbolic links! - # chown -h <uid>:<gid> <link> - if uid == None: - uid = identity.get_uid() - if gid == None: - gid = identity.get_gid() - if not silent: - config.pki_log.debug(log.PKIHELPER_CHOWN_H_3, - uid, gid, link, - extra=config.PKI_INDENTATION_LEVEL_3) - os.lchown(link, uid, gid) - # Store record in installation manifest - if not silent: - record = manifest.record() - record.name = link - record.type = manifest.RECORD_TYPE_SYMLINK - record.user = master['pki_user'] - record.group = master['pki_group'] - record.uid = uid - record.gid = gid - record.permissions =\ - config.PKI_DEPLOYMENT_DEFAULT_SYMLINK_PERMISSIONS - record.acls = acls - manifest.database.append(record) - else: - config.pki_log.error( - log.PKI_SYMLINK_MISSING_OR_NOT_A_SYMLINK_1, link, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - return - - def delete(self, link, critical_failure=True): - try: - if not os.path.exists(link) or not os.path.islink(link): - # Simply issue a warning and continue - config.pki_log.warning( - log.PKI_SYMLINK_MISSING_OR_NOT_A_SYMLINK_1, link, - extra=config.PKI_INDENTATION_LEVEL_2) - else: - # rm -f <link> - config.pki_log.info(log.PKIHELPER_RM_F_1, link, - extra=config.PKI_INDENTATION_LEVEL_2) - os.remove(link) - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - return - - def exists(self, name): - try: - if not os.path.exists(name) or not os.path.islink(name): - return False - else: - return True - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - - -# PKI Deployment War File Class -class war: - def explode(self, name, path, critical_failure=True): - try: - if os.path.exists(name) and os.path.isfile(name): - if not zipfile.is_zipfile(name): - config.pki_log.error( - log.PKI_FILE_NOT_A_WAR_FILE_1, - name, extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - if not os.path.exists(path) or not os.path.isdir(path): - config.pki_log.error( - log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, - path, extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - # jar -xf <name> -C <path> - config.pki_log.info(log.PKIHELPER_JAR_XF_C_2, name, path, - extra=config.PKI_INDENTATION_LEVEL_2) - # Open war file - war = zipfile.ZipFile(name, 'r') - # Extract contents of war file to path - war.extractall(path) - else: - config.pki_log.error( - log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, name, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - except zipfile.BadZipfile as exc: - config.pki_log.error(log.PKI_BADZIPFILE_ERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - except zipfile.LargeZipFile as exc: - config.pki_log.error(log.PKI_LARGEZIPFILE_ERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - return - - -# PKI Deployment Password Class -class password: - def create_password_conf(self, path, pin, pin_sans_token=False, - overwrite_flag=False, critical_failure=True): - try: - if os.path.exists(path): - if overwrite_flag: - config.pki_log.info( - log.PKIHELPER_PASSWORD_CONF_1, path, - extra=config.PKI_INDENTATION_LEVEL_2) - # overwrite the existing 'password.conf' file - with open(path, "wt") as fd: - if pin_sans_token == True: - fd.write(str(pin)) - elif master['pki_subsystem'] in\ - config.PKI_APACHE_SUBSYSTEMS: - fd.write(master['pki_self_signed_token'] +\ - ":" + str(pin)) - else: - fd.write(master['pki_self_signed_token'] +\ - "=" + str(pin)) - fd.closed - else: - config.pki_log.info(log.PKIHELPER_PASSWORD_CONF_1, path, - extra=config.PKI_INDENTATION_LEVEL_2) - # create a new 'password.conf' file - with open(path, "wt") as fd: - if pin_sans_token == True: - fd.write(str(pin)) - elif master['pki_subsystem'] in\ - config.PKI_APACHE_SUBSYSTEMS: - fd.write(master['pki_self_signed_token'] +\ - ":" + str(pin)) - else: - fd.write(master['pki_self_signed_token'] +\ - "=" + str(pin)) - fd.closed - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - return - - def create_client_pkcs12_password_conf(self, path, overwrite_flag=False, - critical_failure=True): - try: - if os.path.exists(path): - if overwrite_flag: - config.pki_log.info( - log.PKIHELPER_PASSWORD_CONF_1, path, - extra=config.PKI_INDENTATION_LEVEL_2) - # overwrite the existing 'pkcs12_password.conf' file - with open(path, "wt") as fd: - fd.write(master['pki_client_pkcs12_password']) - fd.closed - else: - config.pki_log.info(log.PKIHELPER_PASSWORD_CONF_1, path, - extra=config.PKI_INDENTATION_LEVEL_2) - # create a new 'pkcs12_password.conf' file - with open(path, "wt") as fd: - fd.write(master['pki_client_pkcs12_password']) - fd.closed - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - return - - def get_password(self, path, token_name, critical_failure=True): - if os.path.exists(path) and os.path.isfile(path) and\ - os.access(path, os.R_OK): - tokens = PKIConfigParser.read_simple_configuration_file(path) - hardware_token = "hardware-" + token_name - if tokens.has_key(hardware_token): - token_name = hardware_token - token_pwd = tokens[hardware_token] - elif tokens.has_key(token_name): - token_pwd = tokens[token_name] - - if token_pwd is None or token_pwd == '': - # TODO prompt for this password - config.pki_log.error(log.PKIHELPER_PASSWORD_NOT_FOUND_1, - token_name, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(-1) - else: - return - return token_pwd - - -# PKI Deployment NSS 'certutil' Class -class certutil: - def create_security_databases(self, path, pki_cert_database, - pki_key_database, pki_secmod_database, - password_file=None, prefix=None, - critical_failure=True): - try: - # Compose this "certutil" command - command = "certutil" + " " + "-N" - # Provide a path to the NSS security databases - if path: - command = command + " " + "-d" + " " + path - else: - config.pki_log.error( - log.PKIHELPER_CERTUTIL_MISSING_PATH, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - if password_file != None: - command = command + " " + "-f" + " " + password_file - if prefix != None: - command = command + " " + "-P" + " " + prefix - if not os.path.exists(path): - config.pki_log.error( - log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, path, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - if os.path.exists(pki_cert_database) or\ - os.path.exists(pki_key_database) or\ - os.path.exists(pki_secmod_database): - # Simply notify user that the security databases exist - config.pki_log.info( - log.PKI_SECURITY_DATABASES_ALREADY_EXIST_3, - pki_cert_database, - pki_key_database, - pki_secmod_database, - extra=config.PKI_INDENTATION_LEVEL_2) - else: - if password_file != None: - if not os.path.exists(password_file) or\ - not os.path.isfile(password_file): - config.pki_log.error( - log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, - password_file, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - # Display this "certutil" command - config.pki_log.info( - log.PKIHELPER_CREATE_SECURITY_DATABASES_1, - command, - extra=config.PKI_INDENTATION_LEVEL_2) - # Execute this "certutil" command - subprocess.call(command, shell=True) - except subprocess.CalledProcessError as exc: - config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - return - - def verify_certificate_exists(self, path, pki_cert_database, - pki_key_database, pki_secmod_database, - token, nickname, password_file=None, - silent=True): - rv = 0 - try: - # Compose this "certutil" command - command = "certutil" + " " + "-L" - # Provide a path to the NSS security databases - if path: - command = command + " " + "-d" + " " + path - else: - config.pki_log.error( - log.PKIHELPER_CERTUTIL_MISSING_PATH, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - # Specify the 'token' - if token: - command = command + " " + "-h" + " " + "'" + token + "'" - else: - config.pki_log.error( - log.PKIHELPER_CERTUTIL_MISSING_TOKEN, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - # Specify the nickname of this self-signed certificate - if nickname: - command = command + " " + "-n" + " " + "'" + nickname + "'" - else: - config.pki_log.error( - log.PKIHELPER_CERTUTIL_MISSING_NICKNAME, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - # OPTIONALLY specify a password file - if password_file != None: - command = command + " " + "-f" + " " + password_file - # By default, execute this command silently - if silent != False: - command = command + " > /dev/null 2>&1" - if not os.path.exists(path): - config.pki_log.error( - log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, path, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - if not os.path.exists(pki_cert_database) or\ - not os.path.exists(pki_key_database) or\ - not os.path.exists(pki_secmod_database): - # NSS security databases MUST exist! - config.pki_log.error( - log.PKI_SECURITY_DATABASES_DO_NOT_EXIST_3, - pki_cert_database, - pki_key_database, - pki_secmod_database, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - if password_file != None: - if not os.path.exists(password_file) or\ - not os.path.isfile(password_file): - config.pki_log.error( - log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, - password_file, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - # Execute this "certutil" command - subprocess.check_call(command, shell=True) - except subprocess.CalledProcessError as exc: - return False - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - return True - - def generate_self_signed_certificate(self, path, pki_cert_database, - pki_key_database, pki_secmod_database, - token, nickname, - subject, serial_number, - validity_period, issuer_name, - trustargs, noise_file, - password_file=None, - critical_failure=True): - try: - # Compose this "certutil" command - command = "certutil" + " " + "-S" - # Provide a path to the NSS security databases - if path: - command = command + " " + "-d" + " " + path - else: - config.pki_log.error( - log.PKIHELPER_CERTUTIL_MISSING_PATH, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - # Specify the 'token' - if token: - command = command + " " + "-h" + " " + "'" + token + "'" - else: - config.pki_log.error( - log.PKIHELPER_CERTUTIL_MISSING_TOKEN, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - # Specify the nickname of this self-signed certificate - if nickname: - command = command + " " + "-n" + " " + "'" + nickname + "'" - else: - config.pki_log.error( - log.PKIHELPER_CERTUTIL_MISSING_NICKNAME, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - # Specify the subject name (RFC1485) - if subject: - command = command + " " + "-s" + " " + "'" + subject + "'" - else: - config.pki_log.error( - log.PKIHELPER_CERTUTIL_MISSING_SUBJECT, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - # Specify the serial number - if serial_number != None: - command = command + " " + "-m" + " " + str(serial_number) - else: - config.pki_log.error( - log.PKIHELPER_CERTUTIL_MISSING_SERIAL_NUMBER, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - # Specify the months valid - if validity_period != None: - command = command + " " + "-v" + " " + str(validity_period) - else: - config.pki_log.error( - log.PKIHELPER_CERTUTIL_MISSING_VALIDITY_PERIOD, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - # Specify the nickname of the issuer certificate - if issuer_name: - command = command + " " + "-c" + " " +\ - "'" + issuer_name + "'" - else: - config.pki_log.error( - log.PKIHELPER_CERTUTIL_MISSING_ISSUER_NAME, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - # Specify the certificate trust attributes - if trustargs: - command = command + " " + "-t" + " " + "'" + trustargs + "'" - else: - config.pki_log.error( - log.PKIHELPER_CERTUTIL_MISSING_TRUSTARGS, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - # Specify a noise file to be used for key generation - if noise_file: - command = command + " " + "-z" + " " + noise_file - else: - config.pki_log.error( - log.PKIHELPER_CERTUTIL_MISSING_NOISE_FILE, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - # OPTIONALLY specify a password file - if password_file != None: - command = command + " " + "-f" + " " + password_file - # ALWAYS self-sign this certificate - command = command + " " + "-x" - # ALWAYS mask the command-line output of this command - command = command + " " + "> /dev/null 2>&1" - # Display this "certutil" command - config.pki_log.info( - log.PKIHELPER_CERTUTIL_SELF_SIGNED_CERTIFICATE_1, command, - extra=config.PKI_INDENTATION_LEVEL_2) - if not os.path.exists(path): - config.pki_log.error( - log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, path, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - if not os.path.exists(pki_cert_database) or\ - not os.path.exists(pki_key_database) or\ - not os.path.exists(pki_secmod_database): - # NSS security databases MUST exist! - config.pki_log.error( - log.PKI_SECURITY_DATABASES_DO_NOT_EXIST_3, - pki_cert_database, - pki_key_database, - pki_secmod_database, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - if not os.path.exists(noise_file): - config.pki_log.error( - log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, - noise_file, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - if password_file != None: - if not os.path.exists(password_file) or\ - not os.path.isfile(password_file): - config.pki_log.error( - log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, - password_file, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - # Execute this "certutil" command - subprocess.call(command, shell=True) - except subprocess.CalledProcessError as exc: - config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - return - - def import_cert(self, nickname, trust, input_file, password_file, - path=None, token=None, critical_failure=True): - try: - command = ["certutil","-A"] - if path: - command.extend(["-d", path]) - - if token: - command.extend(["-h", token]) - - if nickname: - command.extend(["-n", nickname ]) - else: - config.pki_log.error( - log.PKIHELPER_CERTUTIL_MISSING_NICKNAME, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - - if trust: - command.extend(["-t", trust]) - else: - config.pki_log.error( - log.PKIHELPER_CERTUTIL_MISSING_TRUSTARGS, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - - if input_file: - command.extend(["-i", input_file]) - else: - config.pki_log.error( - log.PKIHELPER_CERTUTIL_MISSING_INPUT_FILE, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - - if password_file: - command.extend(["-f", password_file]) - else: - config.pki_log.error( - log.PKIHELPER_CERTUTIL_MISSING_PASSWORD_FILE, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - - config.pki_log.info(command, - extra=config.PKI_INDENTATION_LEVEL_2) - subprocess.call(command) - except subprocess.CalledProcessError as exc: - config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - return - - def generate_certificate_request(self, subject, key_size, - password_file, noise_file, - output_file = None, path = None, - ascii_format = None, token = None, - critical_failure=True): - try: - command = ["certutil", "-R"] - if path: - command.extend(["-d", path]) - else: - command.extend(["-d", "."]) - - if token: - command.extend(["-h", token]) - - if subject: - command.extend(["-s", subject]) - else: - config.pki_log.error( - log.PKIHELPER_CERTUTIL_MISSING_SUBJECT, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - - if key_size: - command.extend(["-g", str(key_size)]) - - if noise_file: - command.extend(["-z", noise_file]) - else: - config.pki_log.error( - log.PKIHELPER_CERTUTIL_MISSING_NOISE_FILE, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - - if password_file: - command.extend(["-f", password_file]) - else: - config.pki_log.error( - log.PKIHELPER_CERTUTIL_MISSING_PASSWORD_FILE, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - - if output_file: - command.extend(["-o", output_file]) - - # set acsii output - if ascii_format: - command.append("-a") - - # Display this "certutil" command - config.pki_log.info( - log.PKIHELPER_CERTUTIL_GENERATE_CSR_1, command, - extra=config.PKI_INDENTATION_LEVEL_2) - if not os.path.exists(noise_file): - config.pki_log.error( - log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, - noise_file, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - if not os.path.exists(password_file) or\ - not os.path.isfile(password_file): - config.pki_log.error( - log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, - password_file, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - # Execute this "certutil" command - with open(os.devnull, "w") as fnull: - subprocess.call(command, stdout=fnull, stderr=fnull) - except subprocess.CalledProcessError as exc: - config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - return - -# pk12util class -class pk12util: - def create_file(self, out_file, nickname, out_pwfile, - db_pwfile, path=None): - try: - command = ["pk12util"] - if path: - command.extend(["-d", path]) - if out_file: - command.extend(["-o", out_file]) - else: - config.pki_log.error( - log.PKIHELPER_PK12UTIL_MISSING_OUTFILE, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - if nickname: - command.extend(["-n", nickname]) - else: - config.pki_log.error( - log.PKIHELPER_PK12UTIL_MISSING_NICKNAME, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - if out_pwfile: - command.extend(["-w", out_pwfile]) - else: - config.pki_log.error( - log.PKIHELPER_PK12UTIL_MISSING_OUTPWFILE, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - if db_pwfile: - command.extend(["-k", db_pwfile]) - else: - config.pki_log.error( - log.PKIHELPER_PK12UTIL_MISSING_DBPWFILE, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - - config.pki_log.info(command, - extra=config.PKI_INDENTATION_LEVEL_2) - with open(os.devnull, "w") as fnull: - subprocess.call(command, stdout=fnull, stderr=fnull) - except subprocess.CalledProcessError as exc: - config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - return - - -# KRA Connector Class -class kra_connector: - def deregister(self, critical_failure=False): - try: - # this is applicable to KRAs only - if master['pki_subsystem_type'] != "kra": - return - - config.pki_log.info( - log.PKIHELPER_KRACONNECTOR_UPDATE_CONTACT, - extra=config.PKI_INDENTATION_LEVEL_2) - - cs_cfg = PKIConfigParser.read_simple_configuration_file( - master['pki_target_cs_cfg']) - krahost = cs_cfg.get('service.machineName') - kraport = cs_cfg.get('pkicreate.secure_port') - cahost = cs_cfg.get('cloning.ca.hostname') - caport = cs_cfg.get('cloning.ca.httpsport') - if cahost is None or\ - caport is None: - config.pki_log.warning( - log.PKIHELPER_KRACONNECTOR_UPDATE_FAILURE, - extra=config.PKI_INDENTATION_LEVEL_2) - config.pki_log.error( - log.PKIHELPER_UNDEFINED_CA_HOST_PORT, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(-1) - else: - return - - # retrieve subsystem nickname - subsystemnick = cs_cfg.get('kra.cert.subsystem.nickname') - if subsystemnick is None: - config.pki_log.warning( - log.PKIHELPER_KRACONNECTOR_UPDATE_FAILURE, - extra=config.PKI_INDENTATION_LEVEL_2) - config.pki_log.error( - log.PKIHELPER_UNDEFINED_SUBSYSTEM_NICKNAME, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(-1) - else: - return - - # retrieve name of token based upon type (hardware/software) - if ':' in subsystemnick: - token_name = subsystemnick.split(':')[0] - else: - token_name = "internal" - - token_pwd = password.get_password( - master['pki_shared_password_conf'], - token_name, - critical_failure) - - if token_pwd is None or token_pwd == '': - config.pki_log.warning( - log.PKIHELPER_KRACONNECTOR_UPDATE_FAILURE, - extra=config.PKI_INDENTATION_LEVEL_2) - config.pki_log.error( - log.PKIHELPER_UNDEFINED_TOKEN_PASSWD_1, - token_name, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(-1) - else: - return - - self.execute_using_sslget(caport, cahost, subsystemnick, - token_pwd, krahost, kraport) - - except subprocess.CalledProcessError as exc: - config.pki_log.warning( - log.PKIHELPER_KRACONNECTOR_UPDATE_FAILURE_2, - str(krahost), - str(kraport), - extra=config.PKI_INDENTATION_LEVEL_2) - config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(-1) - return - - def execute_using_pki(self, caport, cahost, subsystemnick, - token_pwd, krahost, kraport, critical_failure=False): - command = "/bin/pki -p '{}' -h '{}' -n '{}' -P https -d '{}' -w '{}' "\ - "kraconnector-del {} {}".format( - caport, cahost, subsystemnick, - master['pki_database_path'], - token_pwd, krahost, kraport) - - output = subprocess.check_output(command, - stderr=subprocess.STDOUT, - shell=True) - - error = re.findall("ClientResponseFailure:(.*?)", output) - if error: - config.pki_log.warning( - log.PKIHELPER_KRACONNECTOR_UPDATE_FAILURE_2, - str(krahost), - str(kraport), - extra=config.PKI_INDENTATION_LEVEL_2) - config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, output, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(-1) - - def execute_using_sslget(self, caport, cahost, subsystemnick, - token_pwd, krahost, kraport): - urlheader = "https://{}:{}".format(cahost, caport) - updateURL = "/ca/rest/admin/kraconnector/remove" - - params = "host=" + str(krahost) +\ - "&port=" + str(kraport) - - command = "/usr/bin/sslget -n '{}' -p '{}' -d '{}' -e '{}' "\ - "-v -r '{}' {}:{} 2>&1".format( - subsystemnick, token_pwd, - master['pki_database_path'], - params, updateURL, - cahost, caport) - - # update KRA connector - # Execute this "sslget" command - # Note that sslget will return non-zero value for HTTP code != 200 - # and this will raise an exception - output = subprocess.check_output(command, - stderr=subprocess.STDOUT, - shell=True) - -# PKI Deployment Security Domain Class -class security_domain: - def deregister(self, install_token, critical_failure=False): - # process this PKI subsystem instance's 'CS.cfg' - cs_cfg = PKIConfigParser.read_simple_configuration_file( - master['pki_target_cs_cfg']) - - # assign key name/value pairs - machinename = cs_cfg.get('service.machineName') - sport = cs_cfg.get('service.securityDomainPort') - ncsport = cs_cfg.get('service.non_clientauth_securePort', '') - sechost = cs_cfg.get('securitydomain.host') - httpport = cs_cfg.get('securitydomain.httpport') - seceeport = cs_cfg.get('securitydomain.httpseeport') - secagentport = cs_cfg.get('securitydomain.httpsagentport') - secadminport = cs_cfg.get('securitydomain.httpsadminport') - secname = cs_cfg.get('securitydomain.name', 'unknown') - secselect = cs_cfg.get('securitydomain.select') - adminsport = cs_cfg.get('pkicreate.admin_secure_port', '') - typeval = cs_cfg.get('cs.type', '') - agentsport = cs_cfg.get('pkicreate.agent_secure_port', '') - - # NOTE: Don't check for the existence of 'httpport', as this will - # be undefined for a Security Domain that has been migrated! - if sechost is None or\ - seceeport is None or\ - secagentport is None or\ - secadminport is None: - config.pki_log.warning( - log.PKIHELPER_SECURITY_DOMAIN_UPDATE_FAILURE_2, - typeval, - secname, - extra=config.PKI_INDENTATION_LEVEL_2) - config.pki_log.error( - log.PKIHELPER_SECURITY_DOMAIN_UNDEFINED, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(-1) - else: - return - - config.pki_log.info(log.PKIHELPER_SECURITY_DOMAIN_CONTACT_1, - secname, - extra=config.PKI_INDENTATION_LEVEL_2) - listval = typeval.lower() + "List" - urlheader = "https://{}:{}".format(sechost, seceeport) - urlagentheader = "https://{}:{}".format(sechost, secagentport) - urladminheader = "https://{}:{}".format(sechost, secadminport) - updateURL = "/ca/agent/ca/updateDomainXML" - - params = "name=" + "\"" + master['pki_instance_path'] + "\"" +\ - "&type=" + str(typeval) +\ - "&list=" + str(listval) +\ - "&host=" + str(machinename) +\ - "&sport=" + str(sport) +\ - "&ncsport=" + str(ncsport) +\ - "&adminsport=" + str(adminsport) +\ - "&agentsport=" + str(agentsport) +\ - "&operation=remove" - - if install_token: - try: - # first try install token-based servlet - params += "&sessionID=" + str(install_token) - adminUpdateURL = "/ca/admin/ca/updateDomainXML" - command = "/usr/bin/sslget -p 123456 -d '{}' -e '{}' "\ - "-v -r '{}' {}:{} 2>&1".format( - master['pki_database_path'], - params, adminUpdateURL, - sechost, secadminport) - output = subprocess.check_output(command, - stderr=subprocess.STDOUT, - shell=True) - except subprocess.CalledProcessError as exc: - config.pki_log.warning( - log.PKIHELPER_SECURITY_DOMAIN_UNREACHABLE_1, - secname, - extra=config.PKI_INDENTATION_LEVEL_2) - output = self.update_domain_using_agent_port(typeval, - secname, params, updateURL, sechost, secagentport, - critical_failure) - else: - output = self.update_domain_using_agent_port(typeval, - secname, params, updateURL, sechost, secagentport, - critical_failure) - - if not output: - if critical_failure == True: - sys.exit(-1) - else: - return - - config.pki_log.debug(log.PKIHELPER_SSLGET_OUTPUT_1, - output, - extra=config.PKI_INDENTATION_LEVEL_2) - # Search the output for Status - status = re.findall("\<Status\>(.*?)\<\/Status\>", output) - if not status: - config.pki_log.warning( - log.PKIHELPER_SECURITY_DOMAIN_UNREACHABLE_1, - secname, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(-1) - elif status[0] != "0": - error = re.findall("\<Error\>(.*?)\<\/Error\>", output) - if not error: - error = "" - config.pki_log.warning( - log.PKIHELPER_SECURITY_DOMAIN_UNREGISTERED_2, - typeval, - secname, - extra=config.PKI_INDENTATION_LEVEL_2) - config.pki_log.error( - log.PKIHELPER_SECURITY_DOMAIN_UPDATE_FAILURE_3, - typeval, - secname, - error, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(-1) - else: - config.pki_log.info( - log.PKIHELPER_SECURITY_DOMAIN_UPDATE_SUCCESS_2, - typeval, - secname, - extra=config.PKI_INDENTATION_LEVEL_2) - - def update_domain_using_agent_port(self, typeval, secname, params, - updateURL, sechost, secagentport, critical_failure= False): - token_pwd = None - cs_cfg = PKIConfigParser.read_simple_configuration_file( - master['pki_target_cs_cfg']) - # retrieve subsystem nickname - subsystemnick_param = typeval.lower() + ".cert.subsystem.nickname" - subsystemnick = cs_cfg.get(subsystemnick_param) - if subsystemnick is None: - config.pki_log.warning( - log.PKIHELPER_SECURITY_DOMAIN_UPDATE_FAILURE_2, - typeval, - secname, - extra=config.PKI_INDENTATION_LEVEL_2) - config.pki_log.error( - log.PKIHELPER_UNDEFINED_SUBSYSTEM_NICKNAME, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(-1) - else: - return - - # retrieve name of token based upon type (hardware/software) - if ':' in subsystemnick: - token_name = subsystemnick.split(':')[0] - else: - token_name = "internal" - - token_pwd = password.get_password( - master['pki_shared_password_conf'], - token_name, - critical_failure) - - if token_pwd is None or token_pwd == '': - config.pki_log.warning( - log.PKIHELPER_SECURITY_DOMAIN_UPDATE_FAILURE_2, - typeval, - secname, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(-1) - else: - return - - command = "/usr/bin/sslget -n '{}' -p '{}' -d '{}' -e '{}' "\ - "-v -r '{}' {}:{} 2>&1".format( - subsystemnick, token_pwd, - master['pki_database_path'], - params, updateURL, - sechost, secagentport) - try: - output = subprocess.check_output(command, - stderr=subprocess.STDOUT, - shell=True) - return output - except subprocess.CalledProcessError as exc: - config.pki_log.warning( - log.PKIHELPER_SECURITY_DOMAIN_UPDATE_FAILURE_2, - typeval, - secname, - extra=config.PKI_INDENTATION_LEVEL_2) - config.pki_log.warning( - log.PKIHELPER_SECURITY_DOMAIN_UNREACHABLE_1, - secname, - extra=config.PKI_INDENTATION_LEVEL_2) - config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(-1) - - return None - - - def get_installation_token(self, secuser, secpass, critical_failure=True): - token = None - - if not secuser or not secpass: - return None - - # process this PKI subsystem instance's 'CS.cfg' - cs_cfg = PKIConfigParser.read_simple_configuration_file( - master['pki_target_cs_cfg']) - - # assign key name/value pairs - machinename = cs_cfg.get('service.machineName') - cstype = cs_cfg.get('cs.type', '') - sechost = cs_cfg.get('securitydomain.host') - secadminport = cs_cfg.get('securitydomain.httpsadminport') - secselect = cs_cfg.get('securitydomain.select') - - command = "/bin/pki -p '{}' -h '{}' -P https -u '{}' -w '{}' "\ - "securitydomain-get-install-token --hostname {} "\ - "--subsystem {}".format( - secadminport, sechost, secuser, secpass, - machinename, cstype) - try: - output = subprocess.check_output(command, - stderr=subprocess.STDOUT, - shell=True) - - token_list = re.findall("Install token: \"(.*)\"", output) - if not token_list: - config.pki_log.error( - log.PKIHELPER_SECURITY_DOMAIN_GET_TOKEN_FAILURE_2, - str(sechost), - str(secadminport), - extra=config.PKI_INDENTATION_LEVEL_2) - config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, output, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(-1) - else: - token = token_list[0] - return token - except subprocess.CalledProcessError as exc: - config.pki_log.error( - log.PKIHELPER_SECURITY_DOMAIN_GET_TOKEN_FAILURE_2, - str(sechost), - str(secadminport), - extra=config.PKI_INDENTATION_LEVEL_2) - config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(-1) - return None - -# PKI Deployment 'systemd' Execution Management Class -class systemd: - def start(self, critical_failure=True): - try: - # Compose this "systemd" execution management command - if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS: - command = "systemctl" + " " +\ - "start" + " " +\ - "pki-apached" + "@" +\ - master['pki_instance_name'] + "." + "service" - elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: - command = "systemctl" + " " +\ - "start" + " " +\ - "pki-tomcatd" + "@" +\ - master['pki_instance_name'] + "." + "service" - # Display this "systemd" execution managment command - config.pki_log.info( - log.PKIHELPER_SYSTEMD_COMMAND_1, command, - extra=config.PKI_INDENTATION_LEVEL_2) - # Execute this "systemd" execution management command - subprocess.call(command, shell=True) - except subprocess.CalledProcessError as exc: - config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - return - - def stop(self, critical_failure=True): - try: - # Compose this "systemd" execution management command - if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS: - command = "systemctl" + " " +\ - "stop" + " " +\ - "pki-apached" + "@" +\ - master['pki_instance_name'] + "." + "service" - elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: - command = "systemctl" + " " +\ - "stop" + " " +\ - "pki-tomcatd" + "@" +\ - master['pki_instance_name'] + "." + "service" - # Display this "systemd" execution managment command - config.pki_log.info( - log.PKIHELPER_SYSTEMD_COMMAND_1, command, - extra=config.PKI_INDENTATION_LEVEL_2) - # Execute this "systemd" execution management command - subprocess.call(command, shell=True) - except subprocess.CalledProcessError as exc: - config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - return - - def restart(self, critical_failure=True): - try: - # Compose this "systemd" execution management command - if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS: - command = "systemctl" + " " +\ - "restart" + " " +\ - "pki-apached" + "@" +\ - master['pki_instance_name'] + "." + "service" - elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: - command = "systemctl" + " " +\ - "restart" + " " +\ - "pki-tomcatd" + "@" +\ - master['pki_instance_name'] + "." + "service" - # Display this "systemd" execution managment command - config.pki_log.info( - log.PKIHELPER_SYSTEMD_COMMAND_1, command, - extra=config.PKI_INDENTATION_LEVEL_2) - # Execute this "systemd" execution management command - subprocess.call(command, shell=True) - except subprocess.CalledProcessError as exc: - config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) - return - - -class config_client: - - def configure_pki_data(self, data): - config.pki_log.info(log.PKI_CONFIG_CONFIGURING_PKI_DATA, - extra=config.PKI_INDENTATION_LEVEL_2) - - self.connection = pki.client.PKIConnection( - protocol='https', - hostname=master['pki_hostname'], - port=master['pki_https_port'], - subsystem=master['pki_subsystem_type']) - - try: - client = pki.system.SystemConfigClient(self.connection) - response = client.configure(data) - - config.pki_log.debug(log.PKI_CONFIG_RESPONSE_STATUS +\ - " " + str(response['status']), - extra=config.PKI_INDENTATION_LEVEL_2) - certs = response['systemCerts'] - for cdata in certs: - if master['pki_subsystem'] == "CA" and\ - config.str2bool(master['pki_external']) and\ - not config.str2bool(master['pki_external_step_two']): - # External CA Step 1 - if cdata['tag'].lower() == "signing": - config.pki_log.info(log.PKI_CONFIG_CDATA_REQUEST +\ - " " + cdata['request'], - extra=config.PKI_INDENTATION_LEVEL_2) - - # Save 'External CA Signing Certificate' CSR (Step 1) - config.pki_log.info(log.PKI_CONFIG_EXTERNAL_CSR_SAVE +\ - " '" + master['pki_external_csr_path'] + "'", - extra=config.PKI_INDENTATION_LEVEL_2) - directory.create( - os.path.dirname(master['pki_external_csr_path'])) - with open(master['pki_external_csr_path'], "w") as f: - f.write(cdata['request']) - return - else: - config.pki_log.debug(log.PKI_CONFIG_CDATA_TAG +\ - " " + cdata['tag'], - extra=config.PKI_INDENTATION_LEVEL_2) - config.pki_log.debug(log.PKI_CONFIG_CDATA_CERT +\ - " " + cdata['cert'], - extra=config.PKI_INDENTATION_LEVEL_2) - config.pki_log.debug(log.PKI_CONFIG_CDATA_REQUEST +\ - " " + cdata['request'], - extra=config.PKI_INDENTATION_LEVEL_2) - - # Cloned PKI subsystems do not return an Admin Certificate - if not config.str2bool(master['pki_clone']) and \ - not config.str2bool(master['pki_import_admin_cert']): - admin_cert = response['adminCert']['cert'] - self.process_admin_cert(admin_cert) - except Exception, e: - config.pki_log.error( - log.PKI_CONFIG_JAVA_CONFIGURATION_EXCEPTION + " " + str(e), - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - return - - def process_admin_cert(self, admin_cert): - config.pki_log.debug(log.PKI_CONFIG_RESPONSE_ADMIN_CERT +\ - " " + admin_cert, - extra=config.PKI_INDENTATION_LEVEL_2) - - # Store the Administration Certificate in a file - admin_cert_file = master['pki_client_admin_cert'] - admin_cert_bin_file = admin_cert_file + ".der" - config.pki_log.debug(log.PKI_CONFIG_ADMIN_CERT_SAVE +\ - " '" + admin_cert_file + "'", - extra=config.PKI_INDENTATION_LEVEL_2) - with open(admin_cert_file, "w") as f: - f.write(admin_cert) - - # convert the cert file to binary - command = ["AtoB", admin_cert_file, admin_cert_bin_file] - config.pki_log.info(command, - extra=config.PKI_INDENTATION_LEVEL_2) - subprocess.call(command) - - os.chmod(admin_cert_file, - config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS) - - os.chmod(admin_cert_bin_file, - config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS) - - # Import the Administration Certificate - # into the client NSS security database - certutil.import_cert( - re.sub("'", "'", master['pki_admin_nickname']), - "u,u,u", - admin_cert_bin_file, - master['pki_client_password_conf'], - master['pki_client_database_dir'], - None, - True) - - # create directory for p12 file if it does not exist - directory.create(os.path.dirname( - master['pki_client_admin_cert_p12'])) - - # Export the Administration Certificate from the - # client NSS security database into a PKCS #12 file - pk12util.create_file( - master['pki_client_admin_cert_p12'], - re.sub("'","'", master['pki_admin_nickname']), - master['pki_client_pkcs12_password_conf'], - master['pki_client_password_conf'], - master['pki_client_database_dir']) - - os.chmod(master['pki_client_admin_cert_p12'], - config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS) - - - def construct_pki_configuration_data(self): - config.pki_log.info(log.PKI_CONFIG_CONSTRUCTING_PKI_DATA, - extra=config.PKI_INDENTATION_LEVEL_2) - - data = pki.system.ConfigurationRequest() - - # Miscellaneous Configuration Information - data.pin = master['pki_one_time_pin'] - data.subsystemName = master['pki_subsystem_name'] - - # Cloning parameters - if master['pki_instance_type'] == "Tomcat": - if config.str2bool(master['pki_clone']): - self.set_cloning_parameters(data) - else: - data.isClone = "false" - - # Hierarchy - self.set_hierarchy_parameters(data) - - # Security Domain - if master['pki_subsystem'] != "CA" or\ - config.str2bool(master['pki_clone']) or\ - config.str2bool(master['pki_subordinate']): - # PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS, - # CA Clone, KRA Clone, OCSP Clone, TKS Clone, or - # Subordinate CA - self.set_existing_security_domain(data) - else: - # PKI CA or External CA - self.set_new_security_domain(data) - - # database - if master['pki_subsystem'] != "RA": - self.set_database_parameters(data) - - # backup - if master['pki_instance_type'] == "Tomcat": - self.set_backup_parameters(data) - - # admin user - if not config.str2bool(master['pki_clone']): - self.set_admin_parameters(data) - - # Issuing CA Information - self.set_issuing_ca_parameters(data) - - # Create system certs - self.set_system_certs(data) - - return data - - def set_system_certs(self, data): - systemCerts = [] - - # Create 'CA Signing Certificate' - if master['pki_subsystem'] == "CA": - if not config.str2bool(master['pki_clone']): - cert1 = self.create_system_cert("ca_signing") - cert1.signingAlgorithm =\ - master['pki_ca_signing_signing_algorithm'] - if config.str2bool(master['pki_external_step_two']): - # Load the 'External CA Signing Certificate' (Step 2) - print( - log.PKI_CONFIG_EXTERNAL_CA_LOAD + " " +\ - "'" + master['pki_external_ca_cert_path'] + "'") - with open(master['pki_external_ca_cert_path']) as f: - external_cert = f.read() - cert1.cert = external_cert - - # Load the 'External CA Signing Certificate Chain' (Step 2) - print( - log.PKI_CONFIG_EXTERNAL_CA_CHAIN_LOAD + " " +\ - "'" + master['pki_external_ca_cert_chain_path'] +\ - "'") - with open(master['pki_external_ca_cert_chain_path']) as f: - external_cert_chain = f.read() - - cert1.certChain = external_cert_chain - systemCerts.append(cert1) - - # Create 'OCSP Signing Certificate' - if not config.str2bool(master['pki_clone']): - if master['pki_subsystem'] == "CA" or\ - master['pki_subsystem'] == "OCSP": - # External CA, Subordinate CA, PKI CA, or PKI OCSP - cert2 = self.create_system_cert("ocsp_signing") - cert2.signingAlgorithm =\ - master['pki_ocsp_signing_signing_algorithm'] - systemCerts.append(cert2) - - # Create 'SSL Server Certificate' - # all subsystems - - # create new sslserver cert only if this is a new instance - cert3 = None - system_list = instance.tomcat_instance_subsystems() - if len(system_list) >= 2: - data.generateServerCert = "false" - for subsystem in system_list: - dst = master['pki_instance_path'] + '/conf/' +\ - subsystem.lower() + '/CS.cfg' - if subsystem != master['pki_subsystem'] and \ - os.path.exists(dst): - cert3 = self.retrieve_existing_server_cert(dst) - break - else: - cert3 = self.create_system_cert("ssl_server") - systemCerts.append(cert3) - - # Create 'Subsystem Certificate' - if not config.str2bool(master['pki_clone']): - cert4 = self.create_system_cert("subsystem") - systemCerts.append(cert4) - - # Create 'Audit Signing Certificate' - if not config.str2bool(master['pki_clone']): - if master['pki_subsystem'] != "RA": - cert5 = self.create_system_cert("audit_signing") - cert5.signingAlgorithm =\ - master['pki_audit_signing_signing_algorithm'] - systemCerts.append(cert5) - - # Create DRM Transport and storage Certificates - if not config.str2bool(master['pki_clone']): - if master['pki_subsystem'] == "KRA": - cert6 = self.create_system_cert("transport") - systemCerts.append(cert6) - - cert7 = self.create_system_cert("storage") - systemCerts.append(cert7) - - data.systemCerts = systemCerts - - def set_cloning_parameters(self, data): - data.isClone = "true" - data.cloneUri = master['pki_clone_uri'] - data.p12File = master['pki_clone_pkcs12_path'] - data.p12Password = master['pki_clone_pkcs12_password'] - data.replicateSchema = master['pki_clone_replicate_schema'] - data.replicationSecurity =\ - master['pki_clone_replication_security'] - if master['pki_clone_replication_master_port']: - data.masterReplicationPort =\ - master['pki_clone_replication_master_port'] - if master['pki_clone_replication_clone_port']: - data.cloneReplicationPort =\ - master['pki_clone_replication_clone_port'] - - def set_hierarchy_parameters(self, data): - if master['pki_subsystem'] == "CA": - if config.str2bool(master['pki_clone']): - # Cloned CA - data.hierarchy = "root" - elif config.str2bool(master['pki_external']): - # External CA - data.hierarchy = "join" - elif config.str2bool(master['pki_subordinate']): - # Subordinate CA - data.hierarchy = "join" - else: - # PKI CA - data.hierarchy = "root" - - def set_existing_security_domain(self, data): - data.securityDomainType = "existingdomain" - data.securityDomainUri = master['pki_security_domain_uri'] - data.securityDomainUser = master['pki_security_domain_user'] - data.securityDomainPassword = master['pki_security_domain_password'] - - def set_new_security_domain(self, data): - data.securityDomainType = "newdomain" - data.securityDomainName = master['pki_security_domain_name'] - - def set_database_parameters(self, data): - data.dsHost = master['pki_ds_hostname'] - data.dsPort = master['pki_ds_ldap_port'] - data.baseDN = master['pki_ds_base_dn'] - data.bindDN = master['pki_ds_bind_dn'] - data.database = master['pki_ds_database'] - data.bindpwd = master['pki_ds_password'] - if config.str2bool(master['pki_ds_remove_data']): - data.removeData = "true" - else: - data.removeData = "false" - if config.str2bool(master['pki_ds_secure_connection']): - data.secureConn = "true" - else: - data.secureConn = "false" - - def set_backup_parameters(self, data): - if config.str2bool(master['pki_backup_keys']): - data.backupKeys = "true" - data.backupFile = master['pki_backup_keys_p12'] - data.backupPassword = master['pki_backup_password'] - else: - data.backupKeys = "false" - - def set_admin_parameters(self, data): - data.adminEmail = master['pki_admin_email'] - data.adminName = master['pki_admin_name'] - data.adminPassword = master['pki_admin_password'] - data.adminProfileID = master['pki_admin_profile_id'] - data.adminUID = master['pki_admin_uid'] - data.adminSubjectDN = master['pki_admin_subject_dn'] - if config.str2bool(master['pki_import_admin_cert']): - data.importAdminCert = "true" - # read config from file - with open(master['pki_admin_cert_file']) as f: - b64 = f.read().replace('\n','') - data.adminCert = b64 - else: - data.importAdminCert = "false" - data.adminSubjectDN = master['pki_admin_subject_dn'] - if master['pki_admin_cert_request_type'] == "pkcs10": - data.adminCertRequestType = "pkcs10" - - noise_file = os.path.join( - master['pki_client_database_dir'], "noise") - - output_file = os.path.join( - master['pki_client_database_dir'], "admin_pkcs10.bin") - - file.generate_noise_file( - noise_file, int(master['pki_admin_keysize'])) - - certutil.generate_certificate_request( - master['pki_admin_subject_dn'], - master['pki_admin_keysize'], - master['pki_client_password_conf'], - noise_file, - output_file, - master['pki_client_database_dir'], - None, None, True) - - # convert output to ascii - command = ["BtoA", output_file, output_file + ".asc"] - config.pki_log.info(command, - extra=config.PKI_INDENTATION_LEVEL_2) - subprocess.call(command) - - with open(output_file + ".asc") as f: - b64 = f.read().replace('\n','') - - data.adminCertRequest = b64 - else: - print "log.PKI_CONFIG_PKCS10_SUPPORT_ONLY" - sys.exit(1) - - def set_issuing_ca_parameters(self, data): - if master['pki_subsystem'] != "CA" or\ - config.str2bool(master['pki_clone']) or\ - config.str2bool(master['pki_subordinate']) or\ - config.str2bool(master['pki_external']): - # PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS, - # CA Clone, KRA Clone, OCSP Clone, TKS Clone, - # Subordinate CA, or External CA - data.issuingCA = master['pki_issuing_ca'] - if master['pki_subsystem'] == "CA" and\ - config.str2bool(master['pki_external_step_two']): - # External CA Step 2 - data.stepTwo = "true"; - - def create_system_cert(self, tag): - cert = pki.system.SystemCertData() - cert.tag = master["pki_%s_tag" % tag] - cert.keyAlgorithm = master["pki_%s_key_algorithm" % tag] - cert.keySize = master["pki_%s_key_size" % tag] - cert.keyType = master["pki_%s_key_type" % tag] - cert.nickname = master["pki_%s_nickname" % tag] - cert.subjectDN = master["pki_%s_subject_dn" % tag] - cert.token = master["pki_%s_token" % tag] - return cert - - def retrieve_existing_server_cert(self, cfg_file): - cs_cfg = PKIConfigParser.read_simple_configuration_file(cfg_file) - cstype = cs_cfg.get('cs.type').lower() - cert = pki.system.SystemCertData() - cert.tag = master["pki_ssl_server_tag"] - cert.keyAlgorithm = master["pki_ssl_server_key_algorithm"] - cert.keySize = master["pki_ssl_server_key_size"] - cert.keyType = master["pki_ssl_server_key_type"] - cert.nickname = cs_cfg.get(cstype + ".sslserver.nickname") - cert.cert = cs_cfg.get(cstype + ".sslserver.cert") - cert.request = cs_cfg.get(cstype + ".sslserver.certreq") - cert.subjectDN = master["pki_ssl_server_subject_dn"] - cert.token = cs_cfg.get(cstype + ".sslserver.tokenname") - return cert - -# PKI Deployment Helper Class Instances -identity = identity() -namespace = namespace() -configuration_file = configuration_file() -#xml_file = xml_file() -instance = instance() -directory = directory() -file = file() -symlink = symlink() -war = war() -password = password() -certutil = certutil() -pk12util = pk12util() -security_domain = security_domain() -kra_connector = kra_connector() -systemd = systemd() diff --git a/base/deploy/src/engine/pkilogging.py b/base/deploy/src/engine/pkilogging.py deleted file mode 100644 index 319616145..000000000 --- a/base/deploy/src/engine/pkilogging.py +++ /dev/null @@ -1,76 +0,0 @@ -#!/usr/bin/python -t -# Authors: -# Matthew Harmsen <mharmsen@redhat.com> -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; version 2 of the License. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Copyright (C) 2012 Red Hat, Inc. -# All rights reserved. -# - -# System Imports -import logging -import os -import pprint - -sensitive_parameters = [] - -# Initialize 'pretty print' for objects -pp = pprint.PrettyPrinter(indent=4) - -def format(dict): - new_dict = {} - - # mask sensitive data - for key in dict: - if key in sensitive_parameters: - value = 'XXXXXXXX' - else: - value = dict[key] - new_dict[key] = value - - return pp.pformat(new_dict) - -# PKI Deployment Logging Functions -def enable_pki_logger(log_dir, log_name, log_level, console_log_level, name): - if not os.path.isdir(log_dir): - try: - os.makedirs(log_dir) - except OSError: - return OSError - - # Configure logger - logger = logging.getLogger(name) - logger.setLevel(log_level) - - # Configure console handler - console = logging.StreamHandler() - console.setLevel(console_log_level) - console_format = logging.Formatter('%(name)-12s: ' +\ - '%(levelname)-8s ' +\ - '%(indent)s%(message)s') - console.setFormatter(console_format) - logger.addHandler(console) - - # Configure file handler - file = logging.FileHandler(log_dir + "/" + log_name, 'w') - file.setLevel(log_level) - file_format = logging.Formatter('%(asctime)s %(name)-12s: ' +\ - '%(levelname)-8s ' +\ - '%(indent)s%(message)s', - '%Y-%m-%d %H:%M:%S') - file.setFormatter(file_format) - logger.addHandler(file) - - return logger diff --git a/base/deploy/src/engine/pkimanifest.py b/base/deploy/src/engine/pkimanifest.py deleted file mode 100644 index 04a638f06..000000000 --- a/base/deploy/src/engine/pkimanifest.py +++ /dev/null @@ -1,101 +0,0 @@ -#!/usr/bin/python -t -# Authors: -# Matthew Harmsen <mharmsen@redhat.com> -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; version 2 of the License. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Copyright (C) 2012 Red Hat, Inc. -# All rights reserved. -# - -# System Imports -from collections import namedtuple -import csv -import sys - - -# PKI Deployment Imports -import pkiconfig as config -import pkimessages as log - - -# PKI Deployment Manifest Constants -RECORD_TYPE_DIRECTORY = "directory" -RECORD_TYPE_FILE = "file" -RECORD_TYPE_SYMLINK = "symlink" - - -# PKI Deployment Manifest Record Class -class record(object): - __slots__= "name",\ - "type",\ - "user",\ - "group",\ - "uid",\ - "gid",\ - "permissions",\ - "acls", - - def items(self): - "dict style items" - return [ - (field_name, getattr(self, field_name)) - for field_name in self.__slots__] - - def __iter__(self): - "iterate over fields tuple/list style" - for field_name in self.__slots__: - yield getattr(self, field_name) - - def __getitem__(self, index): - "tuple/list style getitem" - return getattr(self, self.__slots__[index]) - - -# PKI Deployment Manifest File Class -class file: - global database - filename = None - - def register(self, name): - self.filename = name - - def write(self): - try: - fd = open(self.filename, "wt") - c = csv.writer(fd) - for record in database: - c.writerow(tuple(record)) - fd.close() - except IOError as exc: - config.pki_log.error(log.PKI_IOERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_1) - sys.exit(1) - - def read(self): - try: - fd = open(self.filename, "rt") - cr = csv.reader(fd) - for row in cr: - print tuple(row) - fd.close() - except IOError as exc: - config.pki_log.error(log.PKI_IOERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_1) - sys.exit(1) - - -# PKI Deployment Global Named Tuples -database = [] -file = file() diff --git a/base/deploy/src/engine/pkimessages.py b/base/deploy/src/engine/pkimessages.py deleted file mode 100644 index a6361dc8b..000000000 --- a/base/deploy/src/engine/pkimessages.py +++ /dev/null @@ -1,361 +0,0 @@ -#!/usr/bin/python -t -# Authors: -# Matthew Harmsen <mharmsen@redhat.com> -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; version 2 of the License. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Copyright (C) 2012 Red Hat, Inc. -# All rights reserved. -# - -# PKI Deployment Engine Messages -PKI_DICTIONARY_DEFAULT ="\n"\ -"=====================================================\n"\ -" DISPLAY CONTENTS OF PKI DEFAULT DICTIONARY\n"\ -"=====================================================" -PKI_DICTIONARY_MASTER="\n"\ -"=====================================================\n"\ -" DISPLAY CONTENTS OF PKI MASTER DICTIONARY\n"\ -"=====================================================" -PKI_DICTIONARY_SLOTS="\n"\ -"=====================================================\n"\ -" DISPLAY CONTENTS OF PKI SLOTS DICTIONARY\n"\ -"=====================================================" -PKI_DICTIONARY_SUBSYSTEM="\n"\ -"=====================================================\n"\ -" DISPLAY CONTENTS OF PKI SUBSYSTEM DICTIONARY\n"\ -"=====================================================" -PKI_DICTIONARY_WEB_SERVER="\n"\ -"=====================================================\n"\ -" DISPLAY CONTENTS OF PKI WEB SERVER DICTIONARY\n"\ -"=====================================================" -# NEVER print out 'sensitive' data dictionary!!! - - -# PKI Deployment Log Messages -PKI_VERBOSITY=\ -"VERBOSITY FLAGS CONSOLE MESSAGE LEVEL LOG MESSAGE LEVEL\n"\ -"=======================================================================\n"\ -" NONE error|warning error|warning|info\n"\ -" -v error|warning|info error|warning|info\n"\ -" -vv error|warning|info error|warning|info|debug\n"\ -" -vvv error|warning|info|debug error|warning|info|debug\n"\ -" " - -# PKI Deployment Error Messages -PKI_BADZIPFILE_ERROR_1 = "zipfile.BadZipFile: %s!" -PKI_CONFIGURATION_RESTART_1 = "After configuration, the server can be "\ - "operated by the command:\n\n%s" -PKI_CONFIGURATION_URL_1 = "Please start the configuration by accessing:\n\n%s" -PKI_CONFIGURATION_WIZARD_RESTART_1 = "After configuration, the server can be "\ - "operated by the command:\n%s" -PKI_CONFIGURATION_WIZARD_URL_1 = "Configuration Wizard listening on\n%s" -PKI_DIRECTORY_ALREADY_EXISTS_1 = "Directory '%s' already exists!" -PKI_DIRECTORY_ALREADY_EXISTS_NOT_A_DIRECTORY_1 = "Directory '%s' already "\ - "exists BUT it is NOT a "\ - "directory!" -PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1 = "Directory '%s' is either "\ - "missing or is NOT a directory!" -PKI_DNS_DOMAIN_NOT_SET = "A valid DNS domain name MUST be established "\ - "to use PKI services!" -PKI_FILE_ALREADY_EXISTS_1 = "File '%s' already exists!" -PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1 = "File '%s' already "\ - "exists BUT it is NOT a "\ - "file!" -PKI_FILE_MISSING_OR_NOT_A_FILE_1 = "File '%s' is either missing "\ - "or is NOT a regular file!" -PKI_FILE_NOT_A_WAR_FILE_1 = "File '%s' is NOT a war file!" -PKI_INSTANCE_DOES_NOT_EXIST_1 = "PKI instance '%s' does NOT exist!" -PKI_SECURITY_DATABASES_ALREADY_EXIST_3 = "Security databases '%s', '%s', "\ - "and/or '%s' already exist!" -PKI_SECURITY_DATABASES_DO_NOT_EXIST_3 = "Security databases '%s', '%s', "\ - "and/or '%s' do NOT exist!" -PKI_SUBSYSTEM_NOT_INSTALLED_1 = "Package pki-%s is NOT installed!" -PKI_SUBSYSTEM_ALREADY_EXISTS_2 = "PKI subsystem '%s' for instance '%s' "\ - "already exists!" -PKI_SUBSYSTEM_DOES_NOT_EXIST_2 = "PKI subsystem '%s' for instance '%s' "\ - "does NOT exist!" - -PKI_IOERROR_1 = "IOError: %s!" -PKI_KEYERROR_1 = "KeyError: %s!" -PKI_LARGEZIPFILE_ERROR_1 = "zipfile.LargeZipFile: %s!" -PKI_MANIFEST_MESSAGE_1 = "generating manifest file called '%s'" -PKI_OSERROR_1 = "OSError: %s!" -PKI_SHUTIL_ERROR_1 = "shutil.Error: %s!" -PKI_SUBPROCESS_ERROR_1 = "subprocess.CalledProcessError: %s!" -PKI_SYMLINK_ALREADY_EXISTS_1 = "Symlink '%s' already exists!" -PKI_SYMLINK_ALREADY_EXISTS_NOT_A_SYMLINK_1 = "Symlink '%s' already "\ - "exists BUT it is NOT a "\ - "symlink!" -PKI_SYMLINK_MISSING_OR_NOT_A_SYMLINK_1 = "Symlink '%s' is either missing "\ - "or is NOT a symbolic link!" -PKI_UNABLE_TO_PARSE_1 = "'Could not parse: '%s'" -PKI_UNABLE_TO_CREATE_LOG_DIRECTORY_1 = "Could not create log directory '%s'!" -PKI_VERBOSITY_LEVELS_MESSAGE = "Only up to 3 levels of verbosity are supported!" - - -# PKI Deployment 'pkispawn' and 'pkidestroy' Messages -PKIDESTROY_BEGIN_MESSAGE_2 = "BEGIN destroying subsystem '%s' of "\ - "instance '%s' . . ." -PKIDESTROY_END_MESSAGE_2 = "END destroying subsystem '%s' of "\ - "instance '%s'" -PKIDESTROY_EPILOG =\ -"REMINDER:\n\n"\ -" The default PKI instance path will be calculated and placed in front\n"\ -" of the mandatory '-i <instance>' parameter, and the values that reside\n"\ -" in deployment configuration file that was most recently used\n"\ -" by this instance's 'pkispawn' (or 'pkispawn -u') command will be\n"\ -" utilized by 'pkidestroy' to remove this instance.\n\n"\ -" Finally, if an optional '-p <prefix>' is defined, this value WILL be\n"\ -" prepended to the default PKI instance path which is placed in front\n"\ -" of the specified '-i <instance>' parameter.\n\n" +\ -PKI_VERBOSITY -PKIRESPAWN_BEGIN_MESSAGE_2 = "BEGIN respawning subsystem '%s' of "\ - "instance '%s' . . ." -PKIRESPAWN_END_MESSAGE_2 = "END respawning subsystem '%s' of "\ - "instance '%s'" -PKISPAWN_BEGIN_MESSAGE_2 = "BEGIN spawning subsystem '%s' of "\ - "instance '%s' . . ." -PKISPAWN_END_MESSAGE_2 = "END spawning subsystem '%s' of "\ - "instance '%s'" -PKISPAWN_EPILOG =\ -"REMINDER:\n\n"\ -" If two or more Apache or Tomcat PKI 'instances' are specified via\n"\ -" separate configuration files, remember that the following parameters\n"\ -" MUST differ between PKI 'instances':\n\n"\ -" Apache: 'pki_instance_name', 'pki_http_port', and 'pki_https_port'\n"\ -" Tomcat: 'pki_instance_name', 'pki_http_port', 'pki_https_port',\n"\ -" 'pki_ajp_port', and 'pki_tomcat_server_port'\n\n"\ -" Finally, if an optional '-p <prefix>' is defined, this value WILL NOT\n"\ -" be prepended in front of the mandatory '-f <configuration_file>'.\n\n" +\ -PKI_VERBOSITY - - -# PKI Deployment "Helper" Messages -PKIHELPER_APACHE_INSTANCE_SUBSYSTEMS_2 = "instance '%s' contains '%d' "\ - "Apache PKI subsystems" -PKIHELPER_APACHE_INSTANCES_2 = "PKI Apache registry '%s' contains '%d' "\ - "Apache PKI instances" -PKIHELPER_APPLY_SLOT_SUBSTITUTION_1 = "applying in-place "\ - "slot substitutions on '%s'" -PKIHELPER_CERTUTIL_GENERATE_CSR_1 = "executing '%s'" -PKIHELPER_CERTUTIL_MISSING_INPUT_FILE = "certutil: Missing "\ - "'-i input-file' option!" -PKIHELPER_CERTUTIL_MISSING_ISSUER_NAME = "certutil: Missing "\ - "'-c issuer-name' option!" -PKIHELPER_CERTUTIL_MISSING_NICKNAME = "certutil: Missing "\ - "'-n nickname' option!" -PKIHELPER_CERTUTIL_MISSING_NOISE_FILE = "certutil: Missing "\ - "'-z noise-file' option!" -PKIHELPER_CERTUTIL_MISSING_PASSWORD_FILE = "certutil: Missing "\ - "'-f password-file' option!" -PKIHELPER_CERTUTIL_MISSING_PATH = "certutil: Missing '-d path' option!" -PKIHELPER_CERTUTIL_MISSING_SERIAL_NUMBER = "certutil: Missing "\ - "'-m serial-number' option!" -PKIHELPER_CERTUTIL_MISSING_SUBJECT = "certutil: Missing '-s subject' option!" -PKIHELPER_CERTUTIL_MISSING_TOKEN = "certutil: Missing '-h token' option!" -PKIHELPER_CERTUTIL_MISSING_TRUSTARGS = "certutil: Missing "\ - "'-t trustargs' option!" -PKIHELPER_CERTUTIL_MISSING_VALIDITY_PERIOD = "certutil: Missing "\ - "'-v months-valid' option!" -PKIHELPER_CERTUTIL_SELF_SIGNED_CERTIFICATE_1 = "executing '%s'" -PKIHELPER_CHMOD_2 = "chmod %o %s" -PKIHELPER_CHOWN_3 = "chown %s:%s %s" -PKIHELPER_CHOWN_H_3 = "chown -h %s:%s %s" -PKIHELPER_COMMAND_LINE_PARAMETER_MISMATCH_2 = "the command-line parameter "\ - "'%s' DOES NOT match the "\ - "configuration file value '%s'!" -PKIHELPER_COPY_WITH_SLOT_SUBSTITUTION_2 = "copying '%s' --> '%s' "\ - "with slot substitution" -PKIHELPER_CP_P_2 = "cp -p %s %s" -PKIHELPER_CP_RP_2 = "cp -rp %s %s" -PKIHELPER_CREATE_SECURITY_DATABASES_1 = "executing '%s'" -PKIHELPER_DANGLING_SYMLINK_2 = "Dangling symlink '%s'-->'%s'" -PKIHELPER_DICTIONARY_MASTER_MISSING_KEY_1 = "KeyError: Master dictionary "\ - "is missing the key called '%s'!" -PKIHELPER_DIRECTORY_IS_EMPTY_1 = "directory '%s' is empty" -PKIHELPER_DIRECTORY_IS_NOT_EMPTY_1 = "directory '%s' is NOT empty" -PKIHELPER_GID_2 = "GID of '%s' is %s" -PKIHELPER_GROUP_1 = "retrieving GID for '%s' . . ." -PKIHELPER_GROUP_ADD_2 = "adding GID '%s' for group '%s' . . ." -PKIHELPER_GROUP_ADD_DEFAULT_2 = "adding default GID '%s' for group '%s' . . ." -PKIHELPER_GROUP_ADD_GID_KEYERROR_1 = "KeyError: pki_gid %s" -PKIHELPER_GROUP_ADD_KEYERROR_1 = "KeyError: pki_group %s" -PKIHELPER_INVALID_SELINUX_CONTEXT_FOR_PORT = "port %s has invalid selinux "\ - "context %s" -PKIHELPER_IS_A_DIRECTORY_1 = "'%s' is a directory" -PKIHELPER_IS_A_FILE_1 = "'%s' is a file" -PKIHELPER_IS_A_SYMLINK_1 = "'%s' is a symlink" -PKIHELPER_JAR_XF_C_2 = "jar -xf %s -C %s" -PKIHELPER_KRACONNECTOR_UPDATE_CONTACT =\ - "contacting the CA to update the KRA connector" -PKIHELPER_KRACONNECTOR_UPDATE_FAILURE = "Failed to update KRA connector on CA" -PKIHELPER_KRACONNECTOR_UPDATE_FAILURE_2 = "Failed to update KRA connector for %s:%s" -PKIHELPER_LINK_S_2 = "ln -s %s %s" -PKIHELPER_MKDIR_1 = "mkdir -p %s" -PKIHELPER_MODIFY_DIR_1 = "modifying '%s'" -PKIHELPER_MODIFY_FILE_1 = "modifying '%s'" -PKIHELPER_MODIFY_SYMLINK_1 = "modifying '%s'" -PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_CA = "cloned CAs and external "\ - "CAs MUST be MUTUALLY "\ - "EXCLUSIVE in '%s'" -PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_SUB_CA = "cloned CAs, external "\ - "CAs, and subordinate CAs"\ - "MUST ALL be MUTUALLY "\ - "EXCLUSIVE in '%s'" -PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_SUB_CA = "cloned CAs and subordinate "\ - "CAs MUST be MUTUALLY "\ - "EXCLUSIVE in '%s'" -PKIHELPER_MUTUALLY_EXCLUSIVE_EXTERNAL_SUB_CA = "external CAs and subordinate "\ - "CAs MUST be MUTUALLY "\ - "EXCLUSIVE in '%s'" -PKIHELPER_NAMESPACE_COLLISION_2 = "PKI instance '%s' would produce a "\ - "namespace collision with '%s'!" -PKIHELPER_NAMESPACE_RESERVED_NAME_2 = "PKI instance '%s' is already a "\ - "reserved name under '%s'!" -PKIHELPER_NOISE_FILE_2 = "generating noise file called '%s' and "\ - "filling it with '%d' random bytes" -PKIHELPER_PASSWORD_CONF_1 = "generating '%s'" -PKIHELPER_PASSWORD_NOT_FOUND_1 = "no password found for '%s'!" -PKIHELPER_PK12UTIL_MISSING_DBPWFILE = "pk12util missing "\ - "-k db-password-file option!" -PKIHELPER_PK12UTIL_MISSING_NICKNAME = "pk12util missing "\ - "-n nickname option!" -PKIHELPER_PK12UTIL_MISSING_OUTFILE = "pk12util missing "\ - "-o output-file option!" -PKIHELPER_PK12UTIL_MISSING_PWFILE = "pk12util missing "\ - "-w pw-file option!" - -PKIHELPER_PKI_INSTANCE_SUBSYSTEMS_2 = "instance '%s' contains '%d' "\ - "PKI subsystems" -PKIHELPER_REMOVE_FILTER_SECTION_1 = "removing filter section from '%s'" -PKIHELPER_RM_F_1 = "rm -f %s" -PKIHELPER_RM_RF_1 = "rm -rf %s" -PKIHELPER_RMDIR_1 = "rmdir %s" -PKIHELPER_SECURITY_DOMAIN_CONTACT_1 =\ - "contacting the security domain master to update security domain '%s'" -PKIHELPER_SECURITY_DOMAIN_GET_TOKEN_FAILURE_2 =\ - "Failed to get installation token from security domain '%s:%s'" -PKIHELPER_SECURITY_DOMAIN_UNDEFINED =\ - "No security domain defined.\n"\ - "If this is an unconfigured instance, then that is OK.\n"\ - "Otherwise, manually delete the entry from the security domain master." -PKIHELPER_SECURITY_DOMAIN_UNREACHABLE_1 =\ - "security domain '%s' may be offline or unreachable!" -PKIHELPER_SECURITY_DOMAIN_UNREGISTERED_2 =\ - "this '%s' entry may not be registered with security domain '%s'!" -PKIHELPER_SECURITY_DOMAIN_UPDATE_FAILURE_2 =\ - "this '%s' entry will NOT be deleted from security domain '%s'!" -PKIHELPER_SECURITY_DOMAIN_UPDATE_FAILURE_3 =\ - "updateDomainXML FAILED to delete this '%s' entry from "\ - "security domain '%s': '%s'" -PKIHELPER_SECURITY_DOMAIN_UPDATE_SUCCESS_2 =\ - "updateDomainXML SUCCESSFULLY deleted this '%s' entry from "\ - "security domain '%s'" -PKIHELPER_SELINUX_DISABLED = "Selinux is disabled. Not checking port contexts" -PKIHELPER_SET_MODE_1 = "setting ownerships, permissions, and acls on '%s'" -PKIHELPER_SLOT_SUBSTITUTION_2 = "slot substitution: '%s' ==> '%s'" -PKIHELPER_SSLGET_OUTPUT_1 = "\n"\ - "Dump of 'sslget' output:\n"\ - "=====================================================\n"\ - "%s\n"\ - "=====================================================" -PKIHELPER_SYSTEMD_COMMAND_1 = "executing '%s'" -PKIHELPER_TOMCAT_INSTANCE_SUBSYSTEMS_2 = "instance '%s' contains '%d' "\ - "Tomcat PKI subsystems" -PKIHELPER_TOMCAT_INSTANCES_2 = "PKI Tomcat registry '%s' contains '%d' "\ - "Tomcat PKI instances" -PKIHELPER_TOUCH_1 = "touch %s" -PKIHELPER_UID_2 = "UID of '%s' is %s" -PKIHELPER_UNDEFINED_CA_HOST_PORT = "CA Host or Port is undefined" -PKIHELPER_UNDEFINED_CLIENT_DATABASE_PASSWORD_2 =\ - "Either a value for '%s' MUST be defined in '%s', or "\ - "the randomly generated client pin MUST be used" -PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 =\ - "A value for '%s' MUST be defined in '%s'" -PKIHELPER_UNDEFINED_SUBSYSTEM_NICKNAME = "subsystem nickname not defined" -PKIHELPER_UNDEFINED_TOKEN_PASSWD_1 = "Password for token '%s' not defined" -PKIHELPER_USER_1 = "retrieving UID for '%s' . . ." -PKIHELPER_USER_ADD_2 = "adding UID '%s' for user '%s' . . ." -PKIHELPER_USER_ADD_DEFAULT_2 = "adding default UID '%s' for user '%s' . . ." -PKIHELPER_USER_ADD_KEYERROR_1 = "KeyError: pki_user %s" -PKIHELPER_USER_ADD_UID_KEYERROR_1 = "KeyError: pki_uid %s" - -PKI_CONFIG_ADMIN_CERT_SAVE = "saving Admin Certificate to file:" -PKI_CONFIG_ADMIN_CERT_ATOB = "converting Admin Certificate to binary:" -PKI_CONFIG_CDATA_TAG = "tag:" -PKI_CONFIG_CDATA_CERT = "cert:" -PKI_CONFIG_CDATA_REQUEST = "request:" -PKI_CONFIG_CONFIGURING_PKI_DATA = "configuring PKI configuration data." -PKI_CONFIG_CONSTRUCTING_PKI_DATA = "constructing PKI configuration data." -PKI_CONFIG_PKCS10_SUPPORT_ONLY = "only the 'pkcs10' certificate request type "\ - "is currently supported" -PKI_CONFIG_EXTERNAL_CA_LOAD = "loading external CA signing certificate "\ - "from file:" -PKI_CONFIG_EXTERNAL_CA_CHAIN_LOAD = "loading external CA signing certificate "\ - "chain from file:" -PKI_CONFIG_EXTERNAL_CSR_SAVE = "saving CA Signing CSR to file:" -PKI_CONFIG_JAVA_CONFIGURATION_EXCEPTION =\ - "Exception from Java Configuration Servlet:" -PKI_CONFIG_RESPONSE_ADMIN_CERT = "adminCert:" -PKI_CONFIG_RESPONSE_STATUS = "status:" -PKI_CONFIG_NOT_YET_IMPLEMENTED_1 = " %s NOT YET IMPLEMENTED" - -# PKI Deployment "Scriptlet" Messages -ADMIN_DOMAIN_DESTROY_1 = "depopulating '%s'" -ADMIN_DOMAIN_RESPAWN_1 = "repopulating '%s'" -ADMIN_DOMAIN_SPAWN_1 = "populating '%s'" -CONFIGURATION_DESTROY_1 = "unconfiguring '%s'" -CONFIGURATION_RESPAWN_1 = "reconfiguring '%s'" -CONFIGURATION_SPAWN_1 = "configuring '%s'" -FINALIZATION_DESTROY_1 = "finalizing '%s'" -FINALIZATION_RESPAWN_1 = "finalizing '%s'" -FINALIZATION_SPAWN_1 = "finalizing '%s'" -INITIALIZATION_DESTROY_1 = "initializing '%s'" -INITIALIZATION_RESPAWN_1 = "initializing '%s'" -INITIALIZATION_SPAWN_1 = "initializing '%s'" -INSTANCE_DESTROY_1 = "depopulating '%s'" -INSTANCE_RESPAWN_1 = "repopulating '%s'" -INSTANCE_SPAWN_1 = "populating '%s'" -RESIDUAL_DESTROY_1 = "depopulating '%s'" -RESIDUAL_RESPAWN_1 = "repopulating '%s'" -RESIDUAL_SPAWN_1 = "populating '%s'" -SECURITY_DATABASES_DESTROY_1 = "removing '%s'" -SECURITY_DATABASES_RESPAWN_1 = "regenerating '%s'" -SECURITY_DATABASES_SPAWN_1 = "generating '%s'" -SELINUX_DESTROY_1 = "depopulating '%s'" -SELINUX_RESPAWN_1 = "repopulating '%s'" -SELINUX_SPAWN_1 = "populating '%s'" -SELINUX_DISABLED_DESTROY_1 = "selinux disabled. skipping unlabelling '%s'" -SELINUX_DISABLED_SPAWN_1 = "selinux disabled. skipping labelling '%s'" -SLOT_ASSIGNMENT_DESTROY_1 = "unassigning slots for '%s'" -SLOT_ASSIGNMENT_RESPAWN_1 = "reassigning slots for '%s'" -SLOT_ASSIGNMENT_SPAWN_1 = "assigning slots for '%s'" -SUBSYSTEM_DESTROY_1 = "depopulating '%s'" -SUBSYSTEM_RESPAWN_1 = "repopulating '%s'" -SUBSYSTEM_SPAWN_1 = "populating '%s'" -WEBAPP_DEPLOYMENT_DESTROY_1 = "removing '%s'" -WEBAPP_DEPLOYMENT_RESPAWN_1 = "redeploying '%s'" -WEBAPP_DEPLOYMENT_SPAWN_1 = "deploying '%s'" -SKIP_ADMIN_DOMAIN_SPAWN_1 = "skip populating '%s'" -SKIP_CONFIGURATION_SPAWN_1 = "skip configuring '%s'" -SKIP_FINALIZATION_SPAWN_1 = "skip finalizing '%s'" -SKIP_INITIALIZATION_SPAWN_1 = "skip initializing '%s'" -SKIP_INSTANCE_SPAWN_1 = "skip populating '%s'" -SKIP_RESIDUAL_SPAWN_1 = "skip populating '%s'" -SKIP_SECURITY_DATABASES_SPAWN_1 = "skip generating '%s'" -SKIP_SELINUX_SPAWN_1 = "skip populating '%s'" -SKIP_SLOT_ASSIGNMENT_SPAWN_1 = "skip assigning slots for '%s'" -SKIP_SUBSYSTEM_SPAWN_1 = "skip populating '%s'" -SKIP_WEBAPP_DEPLOYMENT_SPAWN_1 = "skip deploying '%s'" diff --git a/base/deploy/src/engine/pkiparser.py b/base/deploy/src/engine/pkiparser.py deleted file mode 100644 index c4bf9b886..000000000 --- a/base/deploy/src/engine/pkiparser.py +++ /dev/null @@ -1,1069 +0,0 @@ -#!/usr/bin/python -t -# Authors: -# Matthew Harmsen <mharmsen@redhat.com> -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; version 2 of the License. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Copyright (C) 2012 Red Hat, Inc. -# All rights reserved. -# - -# System Imports -import ConfigParser -import argparse -import getpass -import ldap -import logging -import os -import random -import string -import subprocess -import sys -import time - - -# PKI Deployment Imports -import pkilogging -import pkiconfig as config -import pkimessages as log - -import pki.account -import pki.client -import pki.system - -class PKIConfigParser: - - COMMENT_CHAR = '#' - OPTION_CHAR = '=' - - def __init__(self, description, epilog): - self.pki_config = None - - "Read and process command-line options" - self.arg_parser = argparse.ArgumentParser( - description=description, - add_help=False, - formatter_class=argparse.RawDescriptionHelpFormatter, - epilog=epilog) - - # Establish 'Mandatory' command-line options - self.mandatory = self.arg_parser.add_argument_group('mandatory arguments') - - # Establish 'Optional' command-line options - self.optional = self.arg_parser.add_argument_group('optional arguments') - self.optional.add_argument('-s', - dest='pki_subsystem', action='store', - nargs=1, choices=config.PKI_SUBSYSTEMS, - metavar='<subsystem>', - help='where <subsystem> is ' - 'CA, KRA, OCSP, RA, TKS, or TPS') - self.optional.add_argument('-h', '--help', - dest='help', action='help', - help='show this help message and exit') - self.optional.add_argument('-v', - dest='pki_verbosity', action='count', - help='display verbose information (details below)') - - # Establish 'Test' command-line options - test = self.arg_parser.add_argument_group('test arguments') - test.add_argument('-p', - dest='pki_root_prefix', action='store', - nargs=1, metavar='<prefix>', - help='directory prefix to specify local directory ' - '[TEST ONLY]') - - self.indent = 0 - - # PKI Deployment Helper Functions - def process_command_line_arguments(self, argv): - - # Parse command-line options - args = self.arg_parser.parse_args() - - # Process 'Mandatory' command-line options - - # Process 'Optional' command-line options - # '-v' - if args.pki_verbosity == 1: - config.pki_console_log_level = logging.INFO - config.pki_log_level = logging.INFO - elif args.pki_verbosity == 2: - config.pki_console_log_level = logging.INFO - config.pki_log_level = logging.DEBUG - elif args.pki_verbosity == 3: - config.pki_console_log_level = logging.DEBUG - config.pki_log_level = logging.DEBUG - elif args.pki_verbosity > 3: - print "ERROR: " + log.PKI_VERBOSITY_LEVELS_MESSAGE - print - self.arg_parser.print_help() - self.arg_parser.exit(-1); - else: - # Set default log levels - config.pki_console_log_level = logging.WARNING - config.pki_log_level = logging.INFO - - # Process 'Test' command-line options - # '-p' - if args.pki_root_prefix is None: - config.pki_root_prefix = "" - else: - config.pki_root_prefix = str(args.pki_root_prefix).strip('[\']') - - return args - - - def validate(self): - - # Validate command-line options - if len(config.pki_root_prefix) > 0: - if not os.path.exists(config.pki_root_prefix) or\ - not os.path.isdir(config.pki_root_prefix): - print "ERROR: " +\ - log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1 %\ - config.pki_root_prefix - print - self.arg_parser.print_help() - self.arg_parser.exit(-1); - - # always default that configuration file exists - if not os.path.exists(config.default_deployment_cfg) or\ - not os.path.isfile(config.default_deployment_cfg): - print "ERROR: " +\ - log.PKI_FILE_MISSING_OR_NOT_A_FILE_1 %\ - config.default_deployment_cfg - print - self.arg_parser.print_help() - self.arg_parser.exit(-1); - - if config.user_deployment_cfg: - # verify user configuration file exists - if not os.path.exists(config.user_deployment_cfg) or\ - not os.path.isfile(config.user_deployment_cfg): - print "ERROR: " +\ - log.PKI_FILE_MISSING_OR_NOT_A_FILE_1 %\ - config.user_deployment_cfg - print - parser.arg_parser.print_help() - parser.arg_parser.exit(-1); - - - def init_config(self): - - # RESTEasy - resteasy_lib = subprocess.check_output(\ - 'source /etc/pki/pki.conf && echo $RESTEASY_LIB', - shell=True).strip() - - # JNI jar location - jni_jar_dir = subprocess.check_output(\ - 'source /etc/pki/pki.conf && echo $JNI_JAR_DIR', - shell=True).strip() - - if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: - default_instance_name = 'pki-tomcat' - default_http_port = '8080' - default_https_port = '8443' - else: - default_instance_name = 'pki-apache' - default_http_port = '80' - default_https_port = '443' - - self.pki_config = ConfigParser.SafeConfigParser({ - 'pki_instance_name': default_instance_name, - 'pki_http_port': default_http_port, - 'pki_https_port': default_https_port, - 'pki_dns_domainname': config.pki_dns_domainname, - 'pki_subsystem': config.pki_subsystem, - 'pki_subsystem_type': config.pki_subsystem.lower(), - 'pki_root_prefix' : config.pki_root_prefix, - 'resteasy_lib': resteasy_lib, - 'jni_jar_dir': jni_jar_dir, - 'home_dir': os.path.expanduser("~"), - 'pki_hostname': config.pki_hostname}) - - # Make keys case-sensitive! - self.pki_config.optionxform = str - - config.user_config = ConfigParser.SafeConfigParser() - config.user_config.optionxform = str - - with open(config.default_deployment_cfg) as f: - self.pki_config.readfp(f) - - self.flatten_master_dict() - - - # The following code is based heavily upon - # "http://www.decalage.info/en/python/configparser" - @staticmethod - def read_simple_configuration_file(filename): - values = {} - f = open(filename) - for line in f: - # First, remove comments: - if PKIConfigParser.COMMENT_CHAR in line: - # split on comment char, keep only the part before - line, comment = line.split(PKIConfigParser.COMMENT_CHAR, 1) - # Second, find lines with an name=value: - if PKIConfigParser.OPTION_CHAR in line: - # split on name char: - name, value = line.split(PKIConfigParser.OPTION_CHAR, 1) - # strip spaces: - name = name.strip() - value = value.strip() - # store in dictionary: - values[name] = value - f.close() - return values - - - def set_property(self, section, property, value): - if section != "DEFAULT" and not self.pki_config.has_section(section): - self.pki_config.add_section(section) - self.pki_config.set(section, property, value) - self.flatten_master_dict() - - if section != "DEFAULT" and not config.user_config.has_section(section): - config.user_config.add_section(section) - config.user_config.set(section, property, value) - - - def print_text(self, message): - print ' ' * self.indent + message - - def read_text(self, message, - section=None, property=None, default=None, - options=None, sign=':', allowEmpty=True, caseSensitive=True): - - if default is None and property is not None: - default = config.pki_master_dict[property] - if default: - message = message + ' [' + default + ']' - message = ' ' * self.indent + message + sign + ' ' - - done = False - while not done: - value = raw_input(message) - value = value.strip() - - if len(value) == 0: # empty value - if allowEmpty: - value = default - done = True - break - - else: # non-empty value - if options is not None: - for v in options: - if caseSensitive: - if v == value: - done = True - break - else: - if v.lower() == value.lower(): - done = True - break - else: - done = True - break - - value = value.replace("%", "%%") - if section: - self.set_property(section, property, value) - - return value - - - def read_password(self, message, section=None, property=None, - verifyMessage=None): - message = ' ' * self.indent + message + ': ' - if verifyMessage is not None: - verifyMessage = ' ' * self.indent + verifyMessage + ': ' - - while True: - password = '' - while len(password) == 0: - password = getpass.getpass(prompt=message) - - if verifyMessage is not None: - verification = '' - while len(verification) == 0: - verification = getpass.getpass(prompt=verifyMessage) - - if password != verification: - self.print_text('Passwords do not match.') - continue - - break - - password = password.replace("%", "%%") - if section: - self.set_property(section, property, password) - - return password - - def read_pki_configuration_file(self): - "Read configuration file sections into dictionaries" - rv = 0 - try: - if config.user_deployment_cfg: - print 'Loading deployment configuration from ' + config.user_deployment_cfg + '.' - self.pki_config.read([config.user_deployment_cfg]) - - except ConfigParser.ParsingError, err: - print err - rv = err - return rv - - - def flatten_master_dict(self): - config.pki_master_dict.update(__name__="PKI Master Dictionary") - - default_dict = dict(self.pki_config.items('DEFAULT')) - default_dict[0] = None - config.pki_master_dict.update(default_dict) - - web_server_dict = None - if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: - if self.pki_config.has_section('Tomcat'): - web_server_dict = dict(self.pki_config.items('Tomcat')) - else: - if self.pki_config.has_section('Apache'): - web_server_dict = dict(self.pki_config.items('Apache')) - - if web_server_dict: - web_server_dict[0] = None - config.pki_master_dict.update(web_server_dict) - - if self.pki_config.has_section(config.pki_subsystem): - subsystem_dict = dict(self.pki_config.items(config.pki_subsystem)) - subsystem_dict[0] = None - config.pki_master_dict.update(subsystem_dict) - - - def ds_connect(self): - - hostname = config.pki_master_dict['pki_ds_hostname'] - - if config.str2bool(config.pki_master_dict['pki_ds_secure_connection']): - protocol = 'ldaps' - port = config.pki_master_dict['pki_ds_ldaps_port'] - else: - protocol = 'ldap' - port = config.pki_master_dict['pki_ds_ldap_port'] - - self.ds_connection = ldap.initialize(protocol + '://' + hostname + ':' + port) - self.ds_connection.search_s('', ldap.SCOPE_BASE) - - def ds_bind(self): - self.ds_connection.simple_bind_s( - config.pki_master_dict['pki_ds_bind_dn'], - config.pki_master_dict['pki_ds_password']) - - def ds_base_dn_exists(self): - try: - results = self.ds_connection.search_s( - config.pki_master_dict['pki_ds_base_dn'], - ldap.SCOPE_BASE) - - if results is None or len(results) == 0: - return False - - return True - - except ldap.NO_SUCH_OBJECT as e: - return False - - def ds_close(self): - self.ds_connection.unbind_s() - - def sd_connect(self): - self.sd_connection = pki.client.PKIConnection( - protocol='https', - hostname=config.pki_master_dict['pki_security_domain_hostname'], - port=config.pki_master_dict['pki_security_domain_https_port'], - subsystem='ca') - - def sd_get_info(self): - sd = pki.system.SecurityDomainClient(self.sd_connection) - return sd.getSecurityDomainInfo() - - def sd_authenticate(self): - self.sd_connection.authenticate( - config.pki_master_dict['pki_security_domain_user'], - config.pki_master_dict['pki_security_domain_password']) - - account = pki.account.AccountClient(self.sd_connection) - account.login() - account.logout() - - def compose_pki_master_dictionary(self): - "Create a single master PKI dictionary from the sectional dictionaries" - try: - # 'pkispawn'/'pkirespawn'/'pkidestroy' name/value pairs - config.pki_master_dict['pki_deployment_executable'] =\ - config.pki_deployment_executable - config.pki_master_dict['pki_install_time'] = config.pki_install_time - config.pki_master_dict['pki_timestamp'] = config.pki_timestamp - config.pki_master_dict['pki_certificate_timestamp'] =\ - config.pki_certificate_timestamp - config.pki_master_dict['pki_architecture'] = config.pki_architecture - config.pki_master_dict['pki_default_deployment_cfg'] = config.default_deployment_cfg - config.pki_master_dict['pki_user_deployment_cfg'] = config.user_deployment_cfg - config.pki_master_dict['pki_deployed_instance_name'] =\ - config.pki_deployed_instance_name - # Generate random 'pin's for use as security database passwords - # and add these to the "sensitive" key value pairs read in from - # the configuration file - pin_low = 100000000000 - pin_high = 999999999999 - config.pki_master_dict['pki_pin'] =\ - random.randint(pin_low, pin_high) - config.pki_master_dict['pki_client_pin'] =\ - random.randint(pin_low, pin_high) - - self.flatten_master_dict() - - pkilogging.sensitive_parameters = config.pki_master_dict['sensitive_parameters'].split() - - # PKI Target (slot substitution) name/value pairs - config.pki_master_dict['pki_target_cs_cfg'] =\ - os.path.join( - config.pki_master_dict['pki_subsystem_configuration_path'], - "CS.cfg") - config.pki_master_dict['pki_target_registry'] =\ - os.path.join(config.pki_master_dict['pki_instance_registry_path'], - config.pki_master_dict['pki_instance_name']) - if config.pki_master_dict['pki_subsystem'] == "CA" and\ - config.str2bool(config.pki_master_dict['pki_external_step_two']): - # Use the 'pki_one_time_pin' established during the setup of - # External CA Step 1 - if os.path.exists(config.pki_master_dict['pki_target_cs_cfg'])\ - and\ - os.path.isfile(config.pki_master_dict['pki_target_cs_cfg']): - cs_cfg = self.read_simple_configuration_file( - config.pki_master_dict['pki_target_cs_cfg']) - config.pki_master_dict['pki_one_time_pin'] =\ - cs_cfg.get('preop.pin') - else: - config.pki_log.error(log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, - config.pki_master_dict['pki_target_cs_cfg'], - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - else: - # Generate a one-time pin to be used prior to configuration - # and add this to the "sensitive" key value pairs read in from - # the configuration file - config.pki_master_dict['pki_one_time_pin'] =\ - ''.join(random.choice(string.ascii_letters + string.digits)\ - for x in range(20)) - if config.pki_master_dict['pki_subsystem'] in\ - config.PKI_TOMCAT_SUBSYSTEMS: - config.pki_master_dict['pki_target_catalina_properties'] =\ - os.path.join( - config.pki_master_dict['pki_instance_configuration_path'], - "catalina.properties") - config.pki_master_dict['pki_target_servercertnick_conf'] =\ - os.path.join( - config.pki_master_dict['pki_instance_configuration_path'], - "serverCertNick.conf") - config.pki_master_dict['pki_target_server_xml'] =\ - os.path.join( - config.pki_master_dict['pki_instance_configuration_path'], - "server.xml") - config.pki_master_dict['pki_target_context_xml'] =\ - os.path.join( - config.pki_master_dict['pki_instance_configuration_path'], - "context.xml") - config.pki_master_dict['pki_target_tomcat_conf_instance_id'] =\ - config.pki_master_dict['pki_root_prefix'] +\ - "/etc/sysconfig/" +\ - config.pki_master_dict['pki_instance_name'] - config.pki_master_dict['pki_target_tomcat_conf'] =\ - os.path.join( - config.pki_master_dict['pki_instance_configuration_path'], - "tomcat.conf") - # in-place slot substitution name/value pairs - config.pki_master_dict['pki_target_velocity_properties'] =\ - os.path.join( - config.pki_master_dict['pki_tomcat_webapps_subsystem_path'], - "WEB-INF", - "velocity.properties") - config.pki_master_dict['pki_target_subsystem_web_xml'] =\ - os.path.join( - config.pki_master_dict['pki_tomcat_webapps_subsystem_path'], - "WEB-INF", - "web.xml") - config.pki_master_dict['pki_target_subsystem_web_xml_orig'] =\ - os.path.join( - config.pki_master_dict['pki_tomcat_webapps_subsystem_path'], - "WEB-INF", - "web.xml.orig") - # subystem-specific slot substitution name/value pairs - if config.pki_master_dict['pki_subsystem'] == "CA": - config.pki_master_dict['pki_target_flatfile_txt'] =\ - os.path.join(config.pki_master_dict\ - ['pki_subsystem_configuration_path'], - "flatfile.txt") - config.pki_master_dict['pki_target_proxy_conf'] =\ - os.path.join(config.pki_master_dict\ - ['pki_subsystem_configuration_path'], - "proxy.conf") - config.pki_master_dict['pki_target_registry_cfg'] =\ - os.path.join(config.pki_master_dict\ - ['pki_subsystem_configuration_path'], - "registry.cfg") - # '*.profile' - config.pki_master_dict['pki_target_admincert_profile'] =\ - os.path.join(config.pki_master_dict\ - ['pki_subsystem_configuration_path'], - "adminCert.profile") - config.pki_master_dict['pki_target_caauditsigningcert_profile']\ - = os.path.join(config.pki_master_dict\ - ['pki_subsystem_configuration_path'], - "caAuditSigningCert.profile") - config.pki_master_dict['pki_target_cacert_profile'] =\ - os.path.join(config.pki_master_dict\ - ['pki_subsystem_configuration_path'], - "caCert.profile") - config.pki_master_dict['pki_target_caocspcert_profile'] =\ - os.path.join(config.pki_master_dict\ - ['pki_subsystem_configuration_path'], - "caOCSPCert.profile") - config.pki_master_dict['pki_target_servercert_profile'] =\ - os.path.join(config.pki_master_dict\ - ['pki_subsystem_configuration_path'], - "serverCert.profile") - config.pki_master_dict['pki_target_subsystemcert_profile'] =\ - os.path.join(config.pki_master_dict\ - ['pki_subsystem_configuration_path'], - "subsystemCert.profile") - # in-place slot substitution name/value pairs - config.pki_master_dict['pki_target_profileselect_template'] =\ - os.path.join( - config.pki_master_dict\ - ['pki_tomcat_webapps_subsystem_path'], - "ee", - config.pki_master_dict['pki_subsystem'].lower(), - "ProfileSelect.template") - elif config.pki_master_dict['pki_subsystem'] == "KRA": - # '*.profile' - config.pki_master_dict['pki_target_servercert_profile'] =\ - os.path.join(config.pki_master_dict\ - ['pki_subsystem_configuration_path'], - "serverCert.profile") - config.pki_master_dict['pki_target_storagecert_profile'] =\ - os.path.join(config.pki_master_dict\ - ['pki_subsystem_configuration_path'], - "storageCert.profile") - config.pki_master_dict['pki_target_subsystemcert_profile'] =\ - os.path.join(config.pki_master_dict\ - ['pki_subsystem_configuration_path'], - "subsystemCert.profile") - config.pki_master_dict['pki_target_transportcert_profile'] =\ - os.path.join(config.pki_master_dict\ - ['pki_subsystem_configuration_path'], - "transportCert.profile") - # Slot assignment name/value pairs - # NOTE: Master key == Slots key; Master value ==> Slots value - config.pki_master_dict['PKI_INSTANCE_ID_SLOT'] =\ - config.pki_master_dict['pki_instance_name'] - config.pki_master_dict['PKI_INSTANCE_INITSCRIPT_SLOT'] =\ - os.path.join(config.pki_master_dict['pki_instance_path'], - config.pki_master_dict['pki_instance_name']) - config.pki_master_dict['PKI_REGISTRY_FILE_SLOT'] =\ - os.path.join(config.pki_master_dict['pki_subsystem_registry_path'], - config.pki_master_dict['pki_instance_name']) - if config.pki_master_dict['pki_subsystem'] in\ - config.PKI_APACHE_SUBSYSTEMS: - config.pki_master_dict['FORTITUDE_APACHE_SLOT'] = None - config.pki_master_dict['FORTITUDE_AUTH_MODULES_SLOT'] = None - config.pki_master_dict['FORTITUDE_DIR_SLOT'] = None - config.pki_master_dict['FORTITUDE_LIB_DIR_SLOT'] = None - config.pki_master_dict['FORTITUDE_MODULE_SLOT'] = None - config.pki_master_dict['FORTITUDE_NSS_MODULES_SLOT'] = None - config.pki_master_dict['HTTPD_CONF_SLOT'] = None - config.pki_master_dict['LIB_PREFIX_SLOT'] = None - config.pki_master_dict['NON_CLIENTAUTH_SECURE_PORT_SLOT'] = None - config.pki_master_dict['NSS_CONF_SLOT'] = None - config.pki_master_dict['OBJ_EXT_SLOT'] = None - config.pki_master_dict['PKI_LOCKDIR_SLOT'] =\ - os.path.join("/var/lock/pki", - "apache") - config.pki_master_dict['PKI_PIDDIR_SLOT'] =\ - os.path.join("/var/run/pki", - "apache") - config.pki_master_dict['PKI_WEB_SERVER_TYPE_SLOT'] = "apache" - config.pki_master_dict['PORT_SLOT'] = None - config.pki_master_dict['PROCESS_ID_SLOT'] = None - config.pki_master_dict['REQUIRE_CFG_PL_SLOT'] = None - config.pki_master_dict['SECURE_PORT_SLOT'] = None - config.pki_master_dict['SECURITY_LIBRARIES_SLOT'] = None - config.pki_master_dict['SERVER_NAME_SLOT'] = None - config.pki_master_dict['SERVER_ROOT_SLOT'] = None - config.pki_master_dict['SYSTEM_LIBRARIES_SLOT'] = None - config.pki_master_dict['SYSTEM_USER_LIBRARIES_SLOT'] = None - config.pki_master_dict['TMP_DIR_SLOT'] = None - config.pki_master_dict['TPS_DIR_SLOT'] = None - elif config.pki_master_dict['pki_subsystem'] in\ - config.PKI_TOMCAT_SUBSYSTEMS: - config.pki_master_dict['INSTALL_TIME_SLOT'] =\ - config.pki_master_dict['pki_install_time'] - config.pki_master_dict['PKI_ADMIN_SECURE_PORT_SLOT'] =\ - config.pki_master_dict['pki_https_port'] - config.pki_master_dict\ - ['PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME_SLOT'] =\ - "Unused" - config.pki_master_dict\ - ['PKI_ADMIN_SECURE_PORT_SERVER_COMMENT_SLOT'] =\ - "" - config.pki_master_dict['PKI_AGENT_CLIENTAUTH_SLOT'] =\ - "want" - config.pki_master_dict['PKI_AGENT_SECURE_PORT_SLOT'] =\ - config.pki_master_dict['pki_https_port'] - config.pki_master_dict['PKI_AJP_PORT_SLOT'] =\ - config.pki_master_dict['pki_ajp_port'] - config.pki_master_dict['PKI_AJP_REDIRECT_PORT_SLOT'] =\ - config.pki_master_dict['pki_https_port'] - config.pki_master_dict['PKI_CERT_DB_PASSWORD_SLOT'] =\ - config.pki_master_dict['pki_pin'] - config.pki_master_dict['PKI_CFG_PATH_NAME_SLOT'] =\ - config.pki_master_dict['pki_target_cs_cfg'] - config.pki_master_dict\ - ['PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT_SLOT'] =\ - "-->" - config.pki_master_dict\ - ['PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT_SLOT'] =\ - "-->" - config.pki_master_dict['PKI_EE_SECURE_CLIENT_AUTH_PORT_SLOT'] =\ - config.pki_master_dict['pki_https_port'] - config.pki_master_dict\ - ['PKI_EE_SECURE_CLIENT_AUTH_PORT_CONNECTOR_NAME_SLOT'] =\ - "Unused" - config.pki_master_dict\ - ['PKI_EE_SECURE_CLIENT_AUTH_PORT_SERVER_COMMENT_SLOT'] =\ - "" - config.pki_master_dict['PKI_EE_SECURE_CLIENT_AUTH_PORT_UI_SLOT'] =\ - config.pki_master_dict['pki_https_port'] - config.pki_master_dict['PKI_EE_SECURE_PORT_SLOT'] =\ - config.pki_master_dict['pki_https_port'] - config.pki_master_dict['PKI_EE_SECURE_PORT_CONNECTOR_NAME_SLOT'] =\ - "Unused" - config.pki_master_dict['PKI_EE_SECURE_PORT_SERVER_COMMENT_SLOT'] =\ - "" - config.pki_master_dict['PKI_GROUP_SLOT'] =\ - config.pki_master_dict['pki_group'] - config.pki_master_dict['PKI_INSTANCE_PATH_SLOT'] =\ - config.pki_master_dict['pki_instance_path'] - config.pki_master_dict['PKI_INSTANCE_ROOT_SLOT'] =\ - config.pki_master_dict['pki_path'] - config.pki_master_dict['PKI_LOCKDIR_SLOT'] =\ - os.path.join("/var/lock/pki", - "tomcat") - config.pki_master_dict['PKI_MACHINE_NAME_SLOT'] =\ - config.pki_master_dict['pki_hostname'] - config.pki_master_dict\ - ['PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT_SLOT'] =\ - "<!--" - config.pki_master_dict\ - ['PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT_SLOT'] =\ - "<!--" - config.pki_master_dict['PKI_PIDDIR_SLOT'] =\ - os.path.join("/var/run/pki", - "tomcat") - if config.str2bool(config.pki_master_dict['pki_enable_proxy']): - config.pki_master_dict['PKI_CLOSE_AJP_PORT_COMMENT_SLOT'] =\ - "" - config.pki_master_dict['PKI_CLOSE_ENABLE_PROXY_COMMENT_SLOT'] =\ - "" - config.pki_master_dict['PKI_PROXY_SECURE_PORT_SLOT'] =\ - config.pki_master_dict['pki_proxy_https_port'] - config.pki_master_dict['PKI_PROXY_UNSECURE_PORT_SLOT'] =\ - config.pki_master_dict['pki_proxy_http_port'] - config.pki_master_dict['PKI_OPEN_AJP_PORT_COMMENT_SLOT'] =\ - "" - config.pki_master_dict['PKI_OPEN_ENABLE_PROXY_COMMENT_SLOT'] =\ - "" - else: - config.pki_master_dict['PKI_CLOSE_AJP_PORT_COMMENT_SLOT'] =\ - "-->" - config.pki_master_dict['PKI_CLOSE_ENABLE_PROXY_COMMENT_SLOT'] =\ - "-->" - config.pki_master_dict['PKI_PROXY_SECURE_PORT_SLOT'] = "" - config.pki_master_dict['PKI_PROXY_UNSECURE_PORT_SLOT'] = "" - config.pki_master_dict['PKI_OPEN_AJP_PORT_COMMENT_SLOT'] =\ - "<!--" - config.pki_master_dict['PKI_OPEN_ENABLE_PROXY_COMMENT_SLOT'] =\ - "<!--" - config.pki_master_dict['PKI_TMPDIR_SLOT'] =\ - config.pki_master_dict['pki_tomcat_tmpdir_path'] - config.pki_master_dict['PKI_RESTEASY_LIB_SLOT'] =\ - config.pki_master_dict['resteasy_lib'] - config.pki_master_dict['PKI_RANDOM_NUMBER_SLOT'] =\ - config.pki_master_dict['pki_one_time_pin'] - config.pki_master_dict['PKI_SECURE_PORT_SLOT'] =\ - config.pki_master_dict['pki_https_port'] - config.pki_master_dict['PKI_SECURE_PORT_CONNECTOR_NAME_SLOT'] =\ - "Secure" - config.pki_master_dict['PKI_SECURE_PORT_SERVER_COMMENT_SLOT'] =\ - "<!-- " +\ - "Shared Ports: Agent, EE, and Admin Secure Port Connector " +\ - "-->" - config.pki_master_dict['PKI_SECURITY_MANAGER_SLOT'] =\ - config.pki_master_dict['pki_security_manager'] - config.pki_master_dict['PKI_SERVER_XML_CONF_SLOT'] =\ - config.pki_master_dict['pki_target_server_xml'] - config.pki_master_dict['PKI_SUBSYSTEM_DIR_SLOT'] =\ - config.pki_master_dict['pki_subsystem'].lower() + "/" - config.pki_master_dict['PKI_SUBSYSTEM_TYPE_SLOT'] =\ - config.pki_master_dict['pki_subsystem'].lower() - config.pki_master_dict['PKI_SYSTEMD_SERVICENAME_SLOT'] =\ - "pki-tomcatd" + "@" +\ - config.pki_master_dict['pki_instance_name'] + ".service" - config.pki_master_dict['PKI_UNSECURE_PORT_SLOT'] =\ - config.pki_master_dict['pki_http_port'] - config.pki_master_dict['PKI_UNSECURE_PORT_CONNECTOR_NAME_SLOT'] =\ - "Unsecure" - config.pki_master_dict['PKI_UNSECURE_PORT_SERVER_COMMENT_SLOT'] =\ - "<!-- Shared Ports: Unsecure Port Connector -->" - config.pki_master_dict['PKI_USER_SLOT'] =\ - config.pki_master_dict['pki_user'] - config.pki_master_dict['PKI_WEB_SERVER_TYPE_SLOT'] =\ - "tomcat" - config.pki_master_dict['PKI_WEBAPPS_NAME_SLOT'] =\ - "webapps" - config.pki_master_dict['TOMCAT_CFG_SLOT'] =\ - config.pki_master_dict['pki_target_tomcat_conf'] - config.pki_master_dict['TOMCAT_INSTANCE_COMMON_LIB_SLOT'] =\ - os.path.join( - config.pki_master_dict['pki_tomcat_common_lib_path'], - "*.jar") - config.pki_master_dict['TOMCAT_LOG_DIR_SLOT'] =\ - config.pki_master_dict['pki_instance_log_path'] - config.pki_master_dict['TOMCAT_PIDFILE_SLOT'] =\ - "/var/run/pki/tomcat/" + config.pki_master_dict['pki_instance_name'] + ".pid" - config.pki_master_dict['TOMCAT_SERVER_PORT_SLOT'] =\ - config.pki_master_dict['pki_tomcat_server_port'] - config.pki_master_dict['TOMCAT_SSL2_CIPHERS_SLOT'] =\ - "-SSL2_RC4_128_WITH_MD5," +\ - "-SSL2_RC4_128_EXPORT40_WITH_MD5," +\ - "-SSL2_RC2_128_CBC_WITH_MD5," +\ - "-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5," +\ - "-SSL2_DES_64_CBC_WITH_MD5," +\ - "-SSL2_DES_192_EDE3_CBC_WITH_MD5" - config.pki_master_dict['TOMCAT_SSL3_CIPHERS_SLOT'] =\ - "-SSL3_FORTEZZA_DMS_WITH_NULL_SHA," +\ - "-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA," +\ - "+SSL3_RSA_WITH_RC4_128_SHA," +\ - "-SSL3_RSA_EXPORT_WITH_RC4_40_MD5," +\ - "+SSL3_RSA_WITH_3DES_EDE_CBC_SHA," +\ - "+SSL3_RSA_WITH_DES_CBC_SHA," +\ - "-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5," +\ - "-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA," +\ - "-SSL_RSA_FIPS_WITH_DES_CBC_SHA," +\ - "+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA," +\ - "-SSL3_RSA_WITH_NULL_MD5," +\ - "-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA," +\ - "-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," +\ - "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" - config.pki_master_dict['TOMCAT_SSL_OPTIONS_SLOT'] =\ - "ssl2=true," +\ - "ssl3=true," +\ - "tls=true" - config.pki_master_dict['TOMCAT_TLS_CIPHERS_SLOT'] =\ - "-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," +\ - "-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA," +\ - "+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA," +\ - "+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA," +\ - "+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA," +\ - "-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," +\ - "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," +\ - "+TLS_RSA_WITH_3DES_EDE_CBC_SHA," +\ - "+TLS_RSA_WITH_AES_128_CBC_SHA," +\ - "+TLS_RSA_WITH_AES_256_CBC_SHA," +\ - "+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," +\ - "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," +\ - "-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," +\ - "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," +\ - "-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," +\ - "+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA," +\ - "+TLS_DHE_DSS_WITH_AES_128_CBC_SHA," +\ - "+TLS_DHE_DSS_WITH_AES_256_CBC_SHA," +\ - "+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA," +\ - "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA," +\ - "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA" - # Shared Apache/Tomcat NSS security database name/value pairs - config.pki_master_dict['pki_shared_pfile'] =\ - os.path.join( - config.pki_master_dict['pki_instance_configuration_path'], - "pfile") - config.pki_master_dict['pki_shared_password_conf'] =\ - os.path.join( - config.pki_master_dict['pki_instance_configuration_path'], - "password.conf") - config.pki_master_dict['pki_cert_database'] =\ - os.path.join(config.pki_master_dict['pki_database_path'], - "cert8.db") - config.pki_master_dict['pki_key_database'] =\ - os.path.join(config.pki_master_dict['pki_database_path'], - "key3.db") - config.pki_master_dict['pki_secmod_database'] =\ - os.path.join(config.pki_master_dict['pki_database_path'], - "secmod.db") - config.pki_master_dict['pki_self_signed_token'] = "internal" - config.pki_master_dict['pki_self_signed_nickname'] =\ - "Server-Cert cert-" + config.pki_master_dict['pki_instance_name'] - config.pki_master_dict['pki_self_signed_subject'] =\ - "cn=" + config.pki_master_dict['pki_hostname'] + "," +\ - "o=" + config.pki_master_dict['pki_certificate_timestamp'] - config.pki_master_dict['pki_self_signed_serial_number'] = 0 - config.pki_master_dict['pki_self_signed_validity_period'] = 12 - config.pki_master_dict['pki_self_signed_issuer_name'] =\ - "cn=" + config.pki_master_dict['pki_hostname'] + "," +\ - "o=" + config.pki_master_dict['pki_certificate_timestamp'] - config.pki_master_dict['pki_self_signed_trustargs'] = "CTu,CTu,CTu" - config.pki_master_dict['pki_self_signed_noise_file'] =\ - os.path.join( - config.pki_master_dict['pki_subsystem_configuration_path'], - "noise") - config.pki_master_dict['pki_self_signed_noise_bytes'] = 1024 - # Shared Apache/Tomcat NSS security database convenience symbolic links - config.pki_master_dict\ - ['pki_subsystem_configuration_password_conf_link'] =\ - os.path.join( - config.pki_master_dict['pki_subsystem_configuration_path'], - "password.conf") - - if not len(config.pki_master_dict['pki_client_database_password']): - # use randomly generated client 'pin' - config.pki_master_dict['pki_client_database_password'] =\ - str(config.pki_master_dict['pki_client_pin']) - - # Configuration scriptlet - # 'Security Domain' Configuration name/value pairs - # 'Subsystem Name' Configuration name/value pairs - # 'Token' Configuration name/value pairs - # - # Apache - [RA], [TPS] - # Tomcat - [CA], [KRA], [OCSP], [TKS] - # - [CA Clone], [KRA Clone], [OCSP Clone], [TKS Clone] - # - [External CA] - # - [Subordinate CA] - # - # The following variables are defined below: - # - # config.pki_master_dict['pki_security_domain_type'] - # config.pki_master_dict['pki_security_domain_uri'] - # - # The following variables are established via the specified PKI - # deployment configuration file and are NOT redefined below: - # - # config.pki_master_dict['pki_clone_pkcs12_password'] - # config.pki_master_dict['pki_security_domain_password'] - # config.pki_master_dict['pki_token_password'] - # config.pki_master_dict['pki_clone_pkcs12_path'] - # config.pki_master_dict['pki_clone_uri'] - # config.pki_master_dict['pki_security_domain_https_port'] - # config.pki_master_dict['pki_token_name'] - # - # The following variables are established via the specified PKI - # deployment configuration file and potentially overridden below: - # - # config.pki_master_dict['pki_security_domain_user'] - # config.pki_master_dict['pki_issuing_ca'] - # - - # if security domain user is not defined - if not len(config.pki_master_dict['pki_security_domain_user']): - - # use the CA admin uid if it's defined - if self.pki_config.has_option('CA', 'pki_admin_uid') and\ - len(self.pki_config.get('CA', 'pki_admin_uid')) > 0: - config.pki_master_dict['pki_security_domain_user'] =\ - self.pki_config.get('CA', 'pki_admin_uid') - - # or use the Default admin uid if it's defined - elif self.pki_config.has_option('DEFAULT', 'pki_admin_uid') and\ - len(self.pki_config.get('DEFAULT', 'pki_admin_uid')) > 0: - config.pki_master_dict['pki_security_domain_user'] =\ - self.pki_config.get('DEFAULT', 'pki_admin_uid') - - # otherwise use the default CA admin uid - else: - config.pki_master_dict['pki_security_domain_user'] = "caadmin" - - if config.pki_subsystem != "CA" or\ - config.str2bool(config.pki_master_dict['pki_clone']) or\ - config.str2bool(config.pki_master_dict['pki_subordinate']): - # PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS, - # CA Clone, KRA Clone, OCSP Clone, TKS Clone, or - # Subordinate CA - config.pki_master_dict['pki_security_domain_type'] = "existing" - config.pki_master_dict['pki_security_domain_uri'] =\ - "https" + "://" +\ - config.pki_master_dict['pki_security_domain_hostname'] + ":" +\ - config.pki_master_dict['pki_security_domain_https_port'] - - elif config.str2bool(config.pki_master_dict['pki_external']): - # External CA - config.pki_master_dict['pki_security_domain_type'] = "new" - if not len(config.pki_master_dict['pki_issuing_ca']): - config.pki_master_dict['pki_issuing_ca'] = "External CA" - else: - # PKI CA - config.pki_master_dict['pki_security_domain_type'] = "new" - - # 'External CA' Configuration name/value pairs - # - # Tomcat - [External CA] - # - # The following variables are established via the specified PKI - # deployment configuration file and are NOT redefined below: - # - # config.pki_master_dict['pki_external_ca_cert_chain_path'] - # config.pki_master_dict['pki_external_ca_cert_path'] - # config.pki_master_dict['pki_external_csr_path'] - # config.pki_master_dict['pki_external_step_two'] - # - - # 'Backup' Configuration name/value pairs - # - # Apache - [RA], [TPS] - # Tomcat - [CA], [KRA], [OCSP], [TKS] - # - [External CA] - # - [Subordinate CA] - # - # The following variables are established via the specified PKI - # deployment configuration file and are NOT redefined below: - # - # config.pki_master_dict['pki_backup_password'] - # config.pki_master_dict['pki_backup_keys'] - # - if config.str2bool(config.pki_master_dict['pki_backup_keys']): - # NOTE: ALWAYS store the PKCS #12 backup keys file - # in with the NSS "server" security databases - config.pki_master_dict['pki_backup_keys_p12'] =\ - config.pki_master_dict['pki_database_path'] + "/" +\ - config.pki_master_dict['pki_subsystem'].lower() + "_" +\ - "backup" + "_" + "keys" + "." + "p12" - - config.pki_master_dict['pki_admin_profile_id'] = "caAdminCert" - - if not 'pki_import_admin_cert' in config.pki_master_dict: - config.pki_master_dict['pki_import_admin_cert'] = 'false' - - config.pki_master_dict['pki_ca_signing_tag'] = "signing" - if config.pki_master_dict['pki_subsystem'] == "CA": - config.pki_master_dict['pki_ocsp_signing_tag'] = "ocsp_signing" - elif config.pki_master_dict['pki_subsystem'] == "OCSP": - config.pki_master_dict['pki_ocsp_signing_tag'] = "signing" - config.pki_master_dict['pki_ssl_server_tag'] = "sslserver" - config.pki_master_dict['pki_subsystem_tag'] = "subsystem" - config.pki_master_dict['pki_audit_signing_tag'] = "audit_signing" - config.pki_master_dict['pki_transport_tag'] = "transport" - config.pki_master_dict['pki_storage_tag'] = "storage" - - # Finalization name/value pairs - config.pki_master_dict['pki_default_deployment_cfg_replica'] =\ - os.path.join(config.pki_master_dict['pki_subsystem_registry_path'], - config.DEFAULT_DEPLOYMENT_CONFIGURATION) - config.pki_master_dict['pki_user_deployment_cfg_replica'] =\ - os.path.join(config.pki_master_dict['pki_subsystem_registry_path'], - config.USER_DEPLOYMENT_CONFIGURATION) - config.pki_master_dict['pki_user_deployment_cfg_spawn_archive'] =\ - config.pki_master_dict['pki_subsystem_archive_log_path'] + "/" +\ - "spawn" + "_" +\ - config.USER_DEPLOYMENT_CONFIGURATION + "." +\ - config.pki_master_dict['pki_timestamp'] - config.pki_master_dict['pki_default_deployment_cfg_respawn_archive'] =\ - config.pki_master_dict['pki_subsystem_archive_log_path'] + "/" +\ - "respawn" + "_" +\ - config.DEFAULT_DEPLOYMENT_CONFIGURATION + "." +\ - config.pki_master_dict['pki_timestamp'] - config.pki_master_dict['pki_user_deployment_cfg_respawn_archive'] =\ - config.pki_master_dict['pki_subsystem_archive_log_path'] + "/" +\ - "respawn" + "_" +\ - config.USER_DEPLOYMENT_CONFIGURATION + "." +\ - config.pki_master_dict['pki_timestamp'] - config.pki_master_dict['pki_manifest'] =\ - config.pki_master_dict['pki_subsystem_registry_path'] + "/" +\ - "manifest" - config.pki_master_dict['pki_manifest_spawn_archive'] =\ - config.pki_master_dict['pki_subsystem_archive_log_path'] + "/" +\ - "spawn" + "_" + "manifest" + "." +\ - config.pki_master_dict['pki_timestamp'] - config.pki_master_dict['pki_manifest_respawn_archive'] =\ - config.pki_master_dict['pki_subsystem_archive_log_path'] + "/" +\ - "respawn" + "_" + "manifest" + "." +\ - config.pki_master_dict['pki_timestamp'] - # Construct the configuration URL containing the one-time pin - # and add this to the "sensitive" key value pairs read in from - # the configuration file - # - # NOTE: This is the one and only parameter containing a sensitive - # parameter that may be stored in a log file and displayed - # to the screen. - # - config.pki_master_dict['pki_configuration_url'] =\ - "https://{}:{}/{}/{}?pin={}".format( - config.pki_master_dict['pki_hostname'], - config.pki_master_dict['pki_https_port'], - config.pki_master_dict['pki_subsystem'].lower(), - "admin/console/config/login", - config.pki_master_dict['pki_one_time_pin']) - # Compose this "systemd" execution management command - if config.pki_master_dict['pki_subsystem'] in\ - config.PKI_APACHE_SUBSYSTEMS: - config.pki_master_dict['pki_registry_initscript_command'] =\ - "systemctl" + " " +\ - "restart" + " " +\ - "pki-apached" + "@" +\ - config.pki_master_dict['pki_instance_name'] + "." + "service" - elif config.pki_master_dict['pki_subsystem'] in\ - config.PKI_TOMCAT_SUBSYSTEMS: - config.pki_master_dict['pki_registry_initscript_command'] =\ - "systemctl" + " " +\ - "restart" + " " +\ - "pki-tomcatd" + "@" +\ - config.pki_master_dict['pki_instance_name'] + "." + "service" - except OSError as exc: - config.pki_log.error(log.PKI_OSERROR_1, exc, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - except KeyError as err: - config.pki_log.error(log.PKIHELPER_DICTIONARY_MASTER_MISSING_KEY_1, - err, extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - return - - - def compose_pki_slots_dictionary(self): - """Read the slots configuration file to create - the appropriate PKI slots dictionary""" - rv = 0 - try: - config.pki_slots_dict = dict() - parser = ConfigParser.ConfigParser() - # Make keys case-sensitive! - parser.optionxform = str - parser.read(config.PKI_DEPLOYMENT_SLOTS_CONFIGURATION_FILE) - # Slots configuration file name/value pairs - if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS: - config.pki_slots_dict = dict(parser._sections['Apache']) - elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: - config.pki_slots_dict = dict(parser._sections['Tomcat']) - except ConfigParser.ParsingError, err: - rv = err - return rv diff --git a/base/deploy/src/engine/pkiscriptlet.py b/base/deploy/src/engine/pkiscriptlet.py deleted file mode 100644 index 767b3c609..000000000 --- a/base/deploy/src/engine/pkiscriptlet.py +++ /dev/null @@ -1,46 +0,0 @@ -#!/usr/bin/python -t -# Authors: -# Matthew Harmsen <mharmsen@redhat.com> -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; version 2 of the License. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Copyright (C) 2012 Red Hat, Inc. -# All rights reserved. -# - -# System Imports -import abc - - -# PKI Deployment Abstract Base PKI Scriptlet -class AbstractBasePkiScriptlet(object): - __metaclass__ = abc.ABCMeta - - @abc.abstractmethod - def spawn(self): - """Retrieve data from the specified PKI dictionary and - use it to install a new PKI instance.""" - return - - @abc.abstractmethod - def respawn(self): - """Retrieve data from the specified PKI dictionary and - use it to update an existing PKI instance.""" - return - - @abc.abstractmethod - def destroy(self): - """Retrieve data from the specified PKI dictionary and - use it to destroy an existing PKI instance.""" - return |