authorEndi S. Dewata <edewata@redhat.com>2015-09-02 04:50:24 +0200
committerMatthew Harmsen <mharmsen@redhat.com>2015-09-23 14:56:49 -0600
commiteb098d51fcab0899a5915383dd5dbe4276184ead (patch)
tree055d7da409c635efb5ff42294aef08defcf1d991 /base/server/python/pki/server/__init__.py
parentf6d99e33c0ba1fe84efe48f0cd51bed45fcf2960 (diff)
Added CLI to update cert data and request in CS.cfg.
A set of new pki-server commands have been added to simplify updating the cert data and cert request stored in the CS.cfg with the cert data and cert request stored in the NSS and LDAP database, respectively. https://fedorahosted.org/pki/ticket/1551 (cherry picked from commit 7ed1e32c574a2ee93a62297d16e07a7071e696d7)
Diffstat (limited to 'base/server/python/pki/server/__init__.py')
-rw-r--r--base/server/python/pki/server/__init__.py115
1 files changed, 112 insertions, 3 deletions
diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
index 9777d221f..d00446567 100644
--- a/base/server/python/pki/server/__init__.py
+++ b/base/server/python/pki/server/__init__.py
@@ -20,7 +20,11 @@
#
from lxml import etree
+import getpass
import grp
+import io
+import ldap
+import operator
import os
import pwd
import re
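Review bot: `import ldap` makes python-ldap a hard import-time dependency of the package `__init__`, so every consumer of `pki.server` now fails to import where that module is absent, even though only the new `open_database` uses it; importing it inside `open_database` (or documenting the new packaging requirement) would limit the blast radius. The added lines are also interleaved with the stdlib block after `from lxml import etree`; grouping stdlib (`getpass`, `grp`, `io`, `operator`, …) apart from third-party (`ldap`, `lxml`) follows PEP 8. The import block continues beyond this hunk.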
@@ -31,7 +35,7 @@ import pki
INSTANCE_BASE_DIR = '/var/lib/pki'
REGISTRY_DIR = '/etc/sysconfig/pki'
SUBSYSTEM_TYPES = ['ca', 'kra', 'ocsp', 'tks', 'tps']
-
+SUBSYSTEM_CLASSES = {}
class PKIServer(object):
@@ -65,6 +69,7 @@ class PKISubsystem(object):
self.base_dir = instance.base_dir
self.conf_dir = os.path.join(self.base_dir, 'conf')
+ self.cs_conf = os.path.join(self.conf_dir, 'CS.cfg')
self.context_xml_template = os.path.join(
pki.SHARE_DIR, self.name, 'conf', 'Catalina', 'localhost', self.name + '.xml')
@@ -72,9 +77,62 @@ class PKISubsystem(object):
self.context_xml = os.path.join(
instance.conf_dir, 'Catalina', 'localhost', self.name + '.xml')
+ self.config = {}
+ self.type = None
+ self.prefix = None
+
# custom subsystem location
self.doc_base = os.path.join(self.base_dir, 'webapps', self.name)
+ def load(self):
+ self.config.clear()
+
+ lines = open(self.cs_conf).read().splitlines()
+
+ for line in lines:
+ parts = line.split('=', 1)
+ name = parts[0]
+ value = parts[1]
+ self.config[name] = value
+
+ self.type = self.config['cs.type']
+ self.prefix = self.type.lower()
+
+ def find_subsystem_certs(self):
+ certs = []
+
+ cert_ids = self.config['%s.cert.list' % self.name].split(',')
+ for cert_id in cert_ids:
+ cert = self.create_subsystem_cert_object(cert_id)
+ certs.append(cert)
+
+ return certs
+
+ def get_subsystem_cert(self, cert_id):
+ return self.create_subsystem_cert_object(cert_id)
+
+ def create_subsystem_cert_object(self, cert_id):
+ cert = {}
+ cert['id'] = cert_id
+ cert['nickname'] = self.config.get('%s.%s.nickname' % (self.name, cert_id), None)
+ cert['token'] = self.config.get('%s.%s.tokenname' % (self.name, cert_id), None)
+ cert['data'] = self.config.get('%s.%s.cert' % (self.name, cert_id), None)
+ cert['request'] = self.config.get('%s.%s.certreq' % (self.name, cert_id), None)
+ return cert
+
+ def update_subsystem_cert(self, cert):
+ cert_id = cert['id']
+ self.config['%s.%s.nickname' % (self.name, cert_id)] = cert.get('nickname', None)
+ self.config['%s.%s.tokenname' % (self.name, cert_id)] = cert.get('token', None)
+ self.config['%s.%s.cert' % (self.name, cert_id)] = cert.get('data', None)
+ self.config['%s.%s.certreq' % (self.name, cert_id)] = cert.get('request', None)
+
+ def save(self):
+ sorted_config = sorted(self.config.items(), key=operator.itemgetter(0))
+ with io.open(self.cs_conf, 'wb') as f:
+ for (key, value) in sorted_config:
+ f.write('%s=%s\n' % (key, value))
+
def is_valid(self):
return os.path.exists(self.conf_dir)
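Review bot: `update_subsystem_cert` writes `None` into `self.config` for every field missing from `cert` (the `cert.get(..., None)` calls), and `save()` then serialises that as the literal text `None` through `'%s=%s\n' % (key, value)`, so a partial update corrupts the nickname/tokenname/cert/certreq entries of CS.cfg; skipping absent fields (or deleting the key, if clearing is the intent) fixes it, see below. `load()` reads `open(self.cs_conf).read()` without closing the handle and indexes `parts[1]` unconditionally, so any line without `=` (a blank or comment line, should CS.cfg contain one) raises IndexError; `with open(self.cs_conf) as f:` plus `if '=' not in line: continue` would harden it. `save()` truncates CS.cfg in place and rewrites only key=value pairs in sorted order, so an interrupted write leaves a partial configuration file; writing to a temporary file in the same directory with the original mode and renaming it over CS.cfg would make the update atomic.
```python
    def update_subsystem_cert(self, cert):
        cert_id = cert['id']
        # cert dict field -> CS.cfg key suffix; fields the caller did not
        # supply are left untouched rather than written as the text "None"
        fields = (('nickname', 'nickname'), ('token', 'tokenname'),
                  ('data', 'cert'), ('request', 'certreq'))
        for field, suffix in fields:
            value = cert.get(field)
            if value is None:
                continue
            self.config['%s.%s.%s' % (self.name, cert_id, suffix)] = value
```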
@@ -102,6 +160,21 @@ class PKISubsystem(object):
def disable(self):
self.instance.undeploy(self.name)
+ def open_database(self, name='internaldb'):
+
+ hostname = self.config['%s.ldapconn.host' % name]
+ port = self.config['%s.ldapconn.port' % name]
+ bind_dn = self.config['%s.ldapauth.bindDN' % name]
+
+ # TODO: add support for other authentication
+ # mechanisms (e.g. client cert authentication, LDAPI)
+ bind_password = self.instance.get_password(name)
+
+ con = ldap.initialize('ldap://%s:%s' % (hostname, port))
+ con.simple_bind_s(bind_dn, bind_password)
+
+ return con
+
def __repr__(self):
return str(self.instance) + '/' + self.name
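Review bot: `open_database` always builds a plain `ldap://%s:%s` URL and then calls `simple_bind_s`, so the bind password returned by `get_password` crosses the network in clear text whenever the directory is not on the local host; CS.cfg supplies the host and port read here, and if this version also carries a secure-connection flag for the same connection (Dogtag's `%s.ldapconn.secureConn`, if present) the scheme should follow it (`ldaps://`) or the connection should `start_tls_s()` before binding. The returned connection is never unbound in this method, so the ownership contract should be stated, e.g. `"""Open and bind an LDAP connection to the named database; the caller must unbind_s() it."""`. The existing TODO about other authentication mechanisms could also mention transport security, since the bind credential is what it protects.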
@@ -119,6 +192,9 @@ class PKIInstance(object):
self.base_dir = os.path.join(pki.BASE_DIR, name)
self.conf_dir = os.path.join(self.base_dir, 'conf')
+ self.password_conf = os.path.join(self.conf_dir, 'password.conf')
+
+ self.nssdb_dir = os.path.join(self.base_dir, 'alias')
self.lib_dir = os.path.join(self.base_dir, 'lib')
self.registry_dir = os.path.join(pki.server.REGISTRY_DIR, 'tomcat', self.name)
@@ -132,6 +208,8 @@ class PKIInstance(object):
self.uid = None
self.gid = None
+ self.passwords = {}
+
self.subsystems = []
def is_valid(self):
@@ -153,6 +231,7 @@ class PKIInstance(object):
return rc == 0
def load(self):
+ # load UID and GID
with open(self.registry_file, 'r') as registry:
lines = registry.readlines()
@@ -168,11 +247,41 @@ class PKIInstance(object):
self.group = m.group(1)
self.gid = grp.getgrnam(self.group).gr_gid
+ # load passwords
+ self.passwords.clear()
+ lines = open(self.password_conf).read().splitlines()
+
+ for line in lines:
+ parts = line.split('=', 1)
+ name = parts[0]
+ value = parts[1]
+ self.passwords[name] = value
+
+ # load subsystems
for subsystem_name in os.listdir(self.registry_dir):
- if subsystem_name in pki.server.SUBSYSTEM_TYPES:
- subsystem = PKISubsystem(self, subsystem_name)
+ if subsystem_name in SUBSYSTEM_TYPES:
+ if subsystem_name in SUBSYSTEM_CLASSES:
+ subsystem = SUBSYSTEM_CLASSES[subsystem_name](self)
+ else:
+ subsystem = PKISubsystem(self, subsystem_name)
+ subsystem.load()
self.subsystems.append(subsystem)
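Review bot: the password.conf parser added to `load()` (whose body begins before this hunk) reads `open(self.password_conf).read()` without closing the handle and uses `parts[1]` unconditionally, so a blank or comment line raises IndexError and aborts loading the whole instance; the same pattern appears in `PKISubsystem.load`. Use `with open(self.password_conf) as f:` and skip lines without `=`. It also pulls every stored password into `self.passwords` on each `load()` even when the caller only needs the subsystem list; reading password.conf lazily from `get_password` would keep those secrets out of memory unless they are actually required. Note that `subsystem.load()` is now called for each registered subsystem, so a missing or malformed CS.cfg makes instance loading fail where it previously only constructed the object.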
+ def get_password(self, name):
+ if name in self.passwords:
+ return self.passwords[name]
+
+ password = getpass.getpass(prompt='Enter password for %s: ' % name)
+ self.passwords[name] = password
+
+ return password
+
+ def get_subsystem(self, name):
+ for subsystem in self.subsystems:
+ if name == subsystem.name:
+ return subsystem
+ return None
+
def is_deployed(self, webapp_name):
context_xml = os.path.join(
self.conf_dir, 'Catalina', 'localhost', webapp_name + '.xml')
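Review bot: `get_password` has no docstring and its fallback is not obvious from the call site: when `name` is absent from password.conf it calls `getpass.getpass`, which on a non-tty stdin falls back to reading a line from stdin with a warning, so a scripted caller can block or consume unrelated input, and the prompted value is then cached in `self.passwords` for the process lifetime. Suggest `"""Return the password for *name* from password.conf, prompting on the terminal (and caching the answer) if it is not stored."""`. `get_subsystem` is fine as a loop; `return next((s for s in self.subsystems if s.name == name), None)` is the equivalent one-liner if the file prefers it. `is_deployed` continues outside the hunk.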