authorEndi S. Dewata <edewata@redhat.com>2015-09-02 04:50:24 +0200
committerMatthew Harmsen <mharmsen@redhat.com>2015-09-23 14:56:49 -0600
commiteb098d51fcab0899a5915383dd5dbe4276184ead (patch)
tree055d7da409c635efb5ff42294aef08defcf1d991 /base/server/python/pki/server/cli
parentf6d99e33c0ba1fe84efe48f0cd51bed45fcf2960 (diff)
downloadpki-eb098d51fcab0899a5915383dd5dbe4276184ead.tar.gz
pki-eb098d51fcab0899a5915383dd5dbe4276184ead.tar.xz
pki-eb098d51fcab0899a5915383dd5dbe4276184ead.zip
Added CLI to update cert data and request in CS.cfg.
A set of new pki-server commands has been added to simplify updating the cert data and cert request stored in CS.cfg from the cert data stored in the NSS database and the cert request stored in the LDAP database, respectively. https://fedorahosted.org/pki/ticket/1551 (cherry picked from commit 7ed1e32c574a2ee93a62297d16e07a7071e696d7)
Diffstat (limited to 'base/server/python/pki/server/cli')
-rw-r--r--base/server/python/pki/server/cli/ca.py206
-rw-r--r--base/server/python/pki/server/cli/subsystem.py383
2 files changed, 511 insertions, 78 deletions
diff --git a/base/server/python/pki/server/cli/ca.py b/base/server/python/pki/server/cli/ca.py
new file mode 100644
index 000000000..2ad8652f4
--- /dev/null
+++ b/base/server/python/pki/server/cli/ca.py
@@ -0,0 +1,206 @@
+#!/usr/bin/python
+# Authors:
+# Endi S. Dewata <edewata@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2015 Red Hat, Inc.
+# All rights reserved.
+#
+
+from __future__ import absolute_import
+from __future__ import print_function
+import getopt
+import io
+import sys
+
+import pki.cli
+import pki.server.ca
+
+
+class CACLI(pki.cli.CLI):
+
+ def __init__(self):
+ super(CACLI, self).__init__(
+ 'ca', 'CA management commands')
+
+ self.add_module(CACertCLI())
+
+
+class CACertCLI(pki.cli.CLI):
+
+ def __init__(self):
+ super(CACertCLI, self).__init__(
+ 'cert', 'CA certificates management commands')
+
+ self.add_module(CACertRequestCLI())
+
+
+class CACertRequestCLI(pki.cli.CLI):
+
+ def __init__(self):
+ super(CACertRequestCLI, self).__init__(
+ 'request', 'CA certificate requests management commands')
+
+ self.add_module(CACertRequestFindCLI())
+ self.add_module(CACertRequestShowCLI())
+
+ @staticmethod
+ def print_request(request, details=False):
+ print(' Request ID: %s' % request['id'])
+ print(' Type: %s' % request['type'])
+ print(' Status: %s' % request['status'])
+
+ if details:
+ print(' Request: %s' % request['request'])
+
+
+class CACertRequestFindCLI(pki.cli.CLI):
+
+ def __init__(self):
+ super(CACertRequestFindCLI, self).__init__(
+ 'find', 'Find CA certificate requests')
+
+ def usage(self):
+ print('Usage: pki-server ca-cert-request-find [OPTIONS]')
+ print()
+ print(' -i, --instance <instance ID> Instance ID (default: pki-tomcat).')
+ print(' --cert Issued certificate.')
+ print(' --cert-file File containing issued certificate.')
+ print(' -v, --verbose Run in verbose mode.')
+ print(' --help Show help message.')
+ print()
+
+ def execute(self, args):
+
+ try:
+ opts, _ = getopt.gnu_getopt(args, 'i:v', [
+ 'instance=', 'cert=', 'cert-file=',
+ 'verbose', 'help'])
+
+ except getopt.GetoptError as e:
+ print('ERROR: ' + str(e))
+ self.usage()
+ sys.exit(1)
+
+ instance_name = 'pki-tomcat'
+ cert = None
+
+ for o, a in opts:
+ if o in ('-i', '--instance'):
+ instance_name = a
+
+ elif o == '--cert':
+ cert = a
+
+ elif o == '--cert-file':
+ with io.open(a, 'rb') as f:
+ cert = f.read()
+
+ elif o in ('-v', '--verbose'):
+ self.set_verbose(True)
+
+ elif o == '--help':
+ self.print_help()
+ sys.exit()
+
+ else:
+ print('ERROR: unknown option ' + o)
+ self.usage()
+ sys.exit(1)
+
+ instance = pki.server.PKIInstance(instance_name)
+ instance.load()
+
+ subsystem = instance.get_subsystem('ca')
+ results = subsystem.find_cert_requests(cert=cert)
+
+ self.print_message('%s entries matched' % len(results))
+
+ first = True
+ for request in results:
+ if first:
+ first = False
+ else:
+ print()
+
+ CACertRequestCLI.print_request(request)
+
+
+class CACertRequestShowCLI(pki.cli.CLI):
+
+ def __init__(self):
+ super(CACertRequestShowCLI, self).__init__(
+ 'show', 'Show CA certificate request')
+
+ def usage(self):
+ print('Usage: pki-server ca-cert-request-show <request ID> [OPTIONS]')
+ print()
+ print(' -i, --instance <instance ID> Instance ID (default: pki-tomcat).')
+ print(' -v, --verbose Run in verbose mode.')
+ print(' --help Show help message.')
+ print()
+
+ def execute(self, args):
+
+ try:
+ opts, args = getopt.gnu_getopt(args, 'i:v', [
+ 'instance=', 'output-file=',
+ 'verbose', 'help'])
+
+ except getopt.GetoptError as e:
+ print('ERROR: ' + str(e))
+ self.usage()
+ sys.exit(1)
+
+ if len(args) != 1:
+ print('ERROR: missing request ID')
+ self.usage()
+ sys.exit(1)
+
+ request_id = args[0]
+ instance_name = 'pki-tomcat'
+ output_file = None
+
+ for o, a in opts:
+ if o in ('-i', '--instance'):
+ instance_name = a
+
+ elif o == '--output-file':
+ output_file = a
+
+ elif o in ('-v', '--verbose'):
+ self.set_verbose(True)
+
+ elif o == '--help':
+ self.print_help()
+ sys.exit()
+
+ else:
+ print('ERROR: unknown option ' + o)
+ self.usage()
+ sys.exit(1)
+
+ instance = pki.server.PKIInstance(instance_name)
+ instance.load()
+
+ subsystem = instance.get_subsystem('ca')
+ request = subsystem.get_cert_requests(request_id)
+
+ if output_file:
+ with io.open(output_file, 'wb') as f:
+ f.write(request['request'])
+
+ else:
+ CACertRequestCLI.print_request(request, details=True)
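Review bot: `--output-file` is parsed in `CACertRequestShowCLI.execute` (`'instance=', 'output-file='`) but never listed by its `usage()`, so the option is undiscoverable from the help text; add `print('      --output-file <path>         Output file to store the certificate request.')` next to the `-i` line. `CACertRequestFindCLI.execute` discards positional arguments with `opts, _ = getopt.gnu_getopt(...)`, so a stray argument such as `pki-server ca-cert-request-find foo` runs silently instead of being reported — worth rejecting non-empty leftovers the way the show command checks `len(args)`. Both commands call `instance.get_subsystem('ca')` and use the result unchecked; if it can return None for an instance without a CA (not visible from this hunk), the failure surfaces as an AttributeError rather than a clear error message. The file written by `--output-file` is created with the process umask, which is acceptable here since a CSR carries no private key material.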
diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py
index 43eb564ee..fc89c2747 100644
--- a/base/server/python/pki/server/cli/subsystem.py
+++ b/base/server/python/pki/server/cli/subsystem.py
@@ -19,8 +19,12 @@
# All rights reserved.
#
+from __future__ import absolute_import
+from __future__ import print_function
+import base64
import getopt
-import os
+import nss.nss as nss
+import string
import sys
import pki.cli
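Review bot: `import nss.nss as nss` at module level makes every `pki-server subsystem-*` command (find, show, enable, disable) fail at import time when python-nss is not installed, although only `SubsystemCertUpdateCLI.execute` in this file uses it; consider a function-scope `import nss.nss as nss` in that method, placed under its `# get cert data from NSS database` comment. `import string` is likewise needed only for the `string.join` calls in that same method, which are Python 2-only and sit oddly next to the newly added `print_function`/`absolute_import` futures — `'\r\n'.join(lines)` and `''.join(lines)` work on both versions and would let this import go.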
@@ -38,11 +42,13 @@ class SubsystemCLI(pki.cli.CLI):
self.add_module(SubsystemFindCLI())
self.add_module(SubsystemShowCLI())
+ self.add_module(SubsystemCertCLI())
+
@staticmethod
def print_subsystem(subsystem):
- print ' Subsystem ID: %s' % subsystem.name
- print ' Instance ID: %s' % subsystem.instance.name
- print ' Enabled: %s' % subsystem.is_enabled()
+ print(' Subsystem ID: %s' % subsystem.name)
+ print(' Instance ID: %s' % subsystem.instance.name)
+ print(' Enabled: %s' % subsystem.is_enabled())
class SubsystemFindCLI(pki.cli.CLI):
@@ -51,12 +57,12 @@ class SubsystemFindCLI(pki.cli.CLI):
super(SubsystemFindCLI, self).__init__('find', 'Find subsystems')
def usage(self):
- print 'Usage: pki-server subsystem-find [OPTIONS]'
- print
- print ' -i, --instance <instance ID> Instance ID.'
- print ' -v, --verbose Run in verbose mode.'
- print ' --help Show help message.'
- print
+ print('Usage: pki-server subsystem-find [OPTIONS]')
+ print()
+ print(' -i, --instance <instance ID> Instance ID (default: pki-tomcat).')
+ print(' -v, --verbose Run in verbose mode.')
+ print(' --help Show help message.')
+ print()
def execute(self, args):
@@ -66,11 +72,11 @@ class SubsystemFindCLI(pki.cli.CLI):
'verbose', 'help'])
except getopt.GetoptError as e:
- print 'ERROR: ' + str(e)
+ print('ERROR: ' + str(e))
self.usage()
sys.exit(1)
- instance_name = None
+ instance_name = 'pki-tomcat'
for o, a in opts:
if o in ('-i', '--instance'):
@@ -84,32 +90,17 @@ class SubsystemFindCLI(pki.cli.CLI):
sys.exit()
else:
- print 'ERROR: unknown option ' + o
+ print('ERROR: unknown option ' + o)
self.usage()
sys.exit(1)
- if not instance_name:
- print 'ERROR: missing instance ID'
- self.usage()
- sys.exit(1)
-
instance = pki.server.PKIInstance(instance_name)
instance.load()
- results = []
-
- for name in os.listdir(instance.base_dir):
-
- subsystem = pki.server.PKISubsystem(instance, name)
- if not subsystem.is_valid():
- continue
-
- results.append(subsystem)
-
- self.print_message('%s entries matched' % len(results))
+ self.print_message('%s entries matched' % len(instance.subsystems))
first = True
- for subsystem in results:
+ for subsystem in instance.subsystems:
if first:
first = False
else:
@@ -124,12 +115,12 @@ class SubsystemShowCLI(pki.cli.CLI):
super(SubsystemShowCLI, self).__init__('show', 'Show subsystem')
def usage(self):
- print 'Usage: pki-server subsystem-show [OPTIONS] <subsystem ID>'
- print
- print ' -i, --instance <instance ID> Instance ID.'
- print ' -v, --verbose Run in verbose mode.'
- print ' --help Show help message.'
- print
+ print('Usage: pki-server subsystem-show [OPTIONS] <subsystem ID>')
+ print()
+ print(' -i, --instance <instance ID> Instance ID (default: pki-tomcat).')
+ print(' -v, --verbose Run in verbose mode.')
+ print(' --help Show help message.')
+ print()
def execute(self, argv):
@@ -139,17 +130,17 @@ class SubsystemShowCLI(pki.cli.CLI):
'verbose', 'help'])
except getopt.GetoptError as e:
- print 'ERROR: ' + str(e)
+ print('ERROR: ' + str(e))
self.usage()
sys.exit(1)
if len(args) != 1:
- print 'ERROR: missing subsystem ID'
+ print('ERROR: missing subsystem ID')
self.usage()
sys.exit(1)
subsystem_name = args[0]
- instance_name = None
+ instance_name = 'pki-tomcat'
for o, a in opts:
if o in ('-i', '--instance'):
@@ -163,19 +154,14 @@ class SubsystemShowCLI(pki.cli.CLI):
sys.exit()
else:
- print 'ERROR: unknown option ' + o
+ print('ERROR: unknown option ' + o)
self.usage()
sys.exit(1)
- if not instance_name:
- print 'ERROR: missing instance ID'
- self.usage()
- sys.exit(1)
-
instance = pki.server.PKIInstance(instance_name)
instance.load()
- subsystem = pki.server.PKISubsystem(instance, subsystem_name)
+ subsystem = instance.get_subsystem(subsystem_name)
SubsystemCLI.print_subsystem(subsystem)
@@ -186,12 +172,12 @@ class SubsystemEnableCLI(pki.cli.CLI):
super(SubsystemEnableCLI, self).__init__('enable', 'Enable subsystem')
def usage(self):
- print 'Usage: pki-server subsystem-enable [OPTIONS] <subsystem ID>'
- print
- print ' -i, --instance <instance ID> Instance ID.'
- print ' -v, --verbose Run in verbose mode.'
- print ' --help Show help message.'
- print
+ print('Usage: pki-server subsystem-enable [OPTIONS] <subsystem ID>')
+ print()
+ print(' -i, --instance <instance ID> Instance ID (default: pki-tomcat).')
+ print(' -v, --verbose Run in verbose mode.')
+ print(' --help Show help message.')
+ print()
def execute(self, argv):
@@ -201,17 +187,17 @@ class SubsystemEnableCLI(pki.cli.CLI):
'verbose', 'help'])
except getopt.GetoptError as e:
- print 'ERROR: ' + str(e)
+ print('ERROR: ' + str(e))
self.usage()
sys.exit(1)
if len(args) != 1:
- print 'ERROR: missing subsystem ID'
+ print('ERROR: missing subsystem ID')
self.usage()
sys.exit(1)
subsystem_name = args[0]
- instance_name = None
+ instance_name = 'pki-tomcat'
for o, a in opts:
if o in ('-i', '--instance'):
@@ -225,19 +211,14 @@ class SubsystemEnableCLI(pki.cli.CLI):
sys.exit()
else:
- print 'ERROR: unknown option ' + o
+ print('ERROR: unknown option ' + o)
self.usage()
sys.exit(1)
- if not instance_name:
- print 'ERROR: missing instance ID'
- self.usage()
- sys.exit(1)
-
instance = pki.server.PKIInstance(instance_name)
instance.load()
- subsystem = pki.server.PKISubsystem(instance, subsystem_name)
+ subsystem = instance.get_subsystem(subsystem_name)
subsystem.enable()
self.print_message('Enabled "%s" subsystem' % subsystem_name)
@@ -251,12 +232,12 @@ class SubsystemDisableCLI(pki.cli.CLI):
super(SubsystemDisableCLI, self).__init__('disable', 'Disable subsystem')
def usage(self):
- print 'Usage: pki-server subsystem-disable [OPTIONS] <subsystem ID>'
- print
- print ' -i, --instance <instance ID> Instance ID.'
- print ' -v, --verbose Run in verbose mode.'
- print ' --help Show help message.'
- print
+ print('Usage: pki-server subsystem-disable [OPTIONS] <subsystem ID>')
+ print()
+ print(' -i, --instance <instance ID> Instance ID (default: pki-tomcat).')
+ print(' -v, --verbose Run in verbose mode.')
+ print(' --help Show help message.')
+ print()
def execute(self, argv):
@@ -266,17 +247,17 @@ class SubsystemDisableCLI(pki.cli.CLI):
'verbose', 'help'])
except getopt.GetoptError as e:
- print 'ERROR: ' + str(e)
+ print('ERROR: ' + str(e))
self.usage()
sys.exit(1)
if len(args) != 1:
- print 'ERROR: missing subsystem ID'
+ print('ERROR: missing subsystem ID')
self.usage()
sys.exit(1)
subsystem_name = args[0]
- instance_name = None
+ instance_name = 'pki-tomcat'
for o, a in opts:
if o in ('-i', '--instance'):
@@ -290,21 +271,267 @@ class SubsystemDisableCLI(pki.cli.CLI):
sys.exit()
else:
- print 'ERROR: unknown option ' + o
+ print('ERROR: unknown option ' + o)
self.usage()
sys.exit(1)
- if not instance_name:
- print 'ERROR: missing instance ID'
- self.usage()
- sys.exit(1)
-
instance = pki.server.PKIInstance(instance_name)
instance.load()
- subsystem = pki.server.PKISubsystem(instance, subsystem_name)
+ subsystem = instance.get_subsystem(subsystem_name)
subsystem.disable()
self.print_message('Disabled "%s" subsystem' % subsystem_name)
SubsystemCLI.print_subsystem(subsystem)
+
+
+class SubsystemCertCLI(pki.cli.CLI):
+
+ def __init__(self):
+ super(SubsystemCertCLI, self).__init__(
+ 'cert', 'Subsystem certificate management commands')
+
+ self.add_module(SubsystemCertFindCLI())
+ self.add_module(SubsystemCertShowCLI())
+ self.add_module(SubsystemCertUpdateCLI())
+
+ @staticmethod
+ def print_subsystem_cert(cert):
+ print(' Cert ID: %s' % cert['id'])
+ print(' Nickname: %s' % cert['nickname'])
+ print(' Token: %s' % cert['token'])
+ print(' Certificate: %s' % cert['data'])
+ print(' Request: %s' % cert['request'])
+
+
+class SubsystemCertFindCLI(pki.cli.CLI):
+
+ def __init__(self):
+ super(SubsystemCertFindCLI, self).__init__(
+ 'find', 'Find subsystem certificates')
+
+ def usage(self):
+ print('Usage: pki-server subsystem-cert-find [OPTIONS] <subsystem ID>')
+ print()
+ print(' -i, --instance <instance ID> Instance ID (default: pki-tomcat).')
+ print(' -v, --verbose Run in verbose mode.')
+ print(' --help Show help message.')
+ print()
+
+ def execute(self, argv):
+
+ try:
+ opts, args = getopt.getopt(argv, 'i:v', [
+ 'instance=',
+ 'verbose', 'help'])
+
+ except getopt.GetoptError as e:
+ print('ERROR: ' + str(e))
+ self.usage()
+ sys.exit(1)
+
+ if len(args) != 1:
+ print('ERROR: missing subsystem ID')
+ self.usage()
+ sys.exit(1)
+
+ subsystem_name = args[0]
+ instance_name = 'pki-tomcat'
+
+ for o, a in opts:
+ if o in ('-i', '--instance'):
+ instance_name = a
+
+ elif o in ('-v', '--verbose'):
+ self.set_verbose(True)
+
+ elif o == '--help':
+ self.print_help()
+ sys.exit()
+
+ else:
+ print('ERROR: unknown option ' + o)
+ self.usage()
+ sys.exit(1)
+
+ instance = pki.server.PKIInstance(instance_name)
+ instance.load()
+
+ subsystem = instance.get_subsystem(subsystem_name)
+ results = subsystem.find_subsystem_certs()
+
+ self.print_message('%s entries matched' % len(results))
+
+ first = True
+ for cert in results:
+ if first:
+ first = False
+ else:
+ print()
+
+ SubsystemCertCLI.print_subsystem_cert(cert)
+
+
+class SubsystemCertShowCLI(pki.cli.CLI):
+
+ def __init__(self):
+ super(SubsystemCertShowCLI, self).__init__(
+ 'show', 'Show subsystem certificate')
+
+ def usage(self):
+ print('Usage: pki-server subsystem-cert-show [OPTIONS] <subsystem ID> <cert ID>')
+ print()
+ print(' -i, --instance <instance ID> Instance ID (default: pki-tomcat).')
+ print(' -v, --verbose Run in verbose mode.')
+ print(' --help Show help message.')
+ print()
+
+ def execute(self, argv):
+
+ try:
+ opts, args = getopt.getopt(argv, 'i:v', [
+ 'instance=',
+ 'verbose', 'help'])
+
+ except getopt.GetoptError as e:
+ print('ERROR: ' + str(e))
+ self.usage()
+ sys.exit(1)
+
+ if len(args) < 1:
+ print('ERROR: missing subsystem ID')
+ self.usage()
+ sys.exit(1)
+
+ if len(args) < 2:
+ print('ERROR: missing cert ID')
+ self.usage()
+ sys.exit(1)
+
+ subsystem_name = args[0]
+ cert_id = args[1]
+ instance_name = 'pki-tomcat'
+
+ for o, a in opts:
+ if o in ('-i', '--instance'):
+ instance_name = a
+
+ elif o in ('-v', '--verbose'):
+ self.set_verbose(True)
+
+ elif o == '--help':
+ self.print_help()
+ sys.exit()
+
+ else:
+ print('ERROR: unknown option ' + o)
+ self.usage()
+ sys.exit(1)
+
+ instance = pki.server.PKIInstance(instance_name)
+ instance.load()
+
+ subsystem = instance.get_subsystem(subsystem_name)
+ subsystem_cert = subsystem.get_subsystem_cert(cert_id)
+
+ SubsystemCertCLI.print_subsystem_cert(subsystem_cert)
+
+
+class SubsystemCertUpdateCLI(pki.cli.CLI):
+
+ def __init__(self):
+ super(SubsystemCertUpdateCLI, self).__init__(
+ 'update', 'Update subsystem certificate')
+
+ def usage(self):
+ print('Usage: pki-server subsystem-cert-update [OPTIONS] <subsystem ID> <cert ID>')
+ print()
+ print(' -i, --instance <instance ID> Instance ID (default: pki-tomcat).')
+ print(' -v, --verbose Run in verbose mode.')
+ print(' --help Show help message.')
+ print()
+
+ def execute(self, argv):
+
+ try:
+ opts, args = getopt.getopt(argv, 'i:v', [
+ 'instance=',
+ 'verbose', 'help'])
+
+ except getopt.GetoptError as e:
+ print('ERROR: ' + str(e))
+ self.usage()
+ sys.exit(1)
+
+ if len(args) < 1:
+ print('ERROR: missing subsystem ID')
+ self.usage()
+ sys.exit(1)
+
+ if len(args) < 2:
+ print('ERROR: missing cert ID')
+ self.usage()
+ sys.exit(1)
+
+ subsystem_name = args[0]
+ cert_id = args[1]
+ instance_name = 'pki-tomcat'
+
+ for o, a in opts:
+ if o in ('-i', '--instance'):
+ instance_name = a
+
+ elif o in ('-v', '--verbose'):
+ self.set_verbose(True)
+
+ elif o == '--help':
+ self.print_help()
+ sys.exit()
+
+ else:
+ print('ERROR: unknown option ' + o)
+ self.usage()
+ sys.exit(1)
+
+ instance = pki.server.PKIInstance(instance_name)
+ instance.load()
+
+ subsystem = instance.get_subsystem(subsystem_name)
+ subsystem_cert = subsystem.get_subsystem_cert(cert_id)
+
+ # get cert data from NSS database
+ nss.nss_init(instance.nssdb_dir)
+ nss_cert = nss.find_cert_from_nickname(subsystem_cert['nickname'])
+ data = base64.b64encode(nss_cert.der_data)
+ del nss_cert
+ nss.nss_shutdown()
+ subsystem_cert['data'] = data
+
+ # format cert data for LDAP database
+ lines = [data[i:i+64] for i in range(0, len(data), 64)]
+ data = string.join(lines, '\r\n') + '\r\n'
+
+ # get cert request from local CA
+ # TODO: add support for remote CA
+ ca = instance.get_subsystem('ca')
+ results = ca.find_cert_requests(cert=data)
+ cert_request = results[-1]
+ request = cert_request['request']
+
+ # format cert request for CS.cfg
+ lines = request.splitlines()
+ if lines[0] == '-----BEGIN CERTIFICATE REQUEST-----':
+ lines = lines[1:]
+ if lines[-1] == '-----END CERTIFICATE REQUEST-----':
+ lines = lines[:-1]
+ request = string.join(lines, '')
+ subsystem_cert['request'] = request
+
+ # store cert data and request in CS.cfg
+ subsystem.update_subsystem_cert(subsystem_cert)
+ subsystem.save()
+
+ self.print_message('Updated "%s" subsystem certificate' % cert_id)
+
+ SubsystemCertCLI.print_subsystem_cert(subsystem_cert)
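Review bot: `cert_request = results[-1]` raises a bare IndexError when `ca.find_cert_requests(cert=data)` matches nothing, and when several requests match it silently picks the last one without telling the operator which request is being written into CS.cfg; an explicit `if not results:` error exit and a warning for `len(results) > 1` belong before the index. `nss.nss_shutdown()` is skipped if `nss.find_cert_from_nickname(...)` raises (for example when the nickname is absent from `instance.nssdb_dir`), so the lookup should sit in a `try/finally`. The lookup also ignores `subsystem_cert['token']`, which `print_subsystem_cert` reports as a separate field — whether a certificate on a non-internal token is found by bare nickname depends on how the nickname is stored in CS.cfg, so that is worth confirming on an HSM-backed instance. `string.join(lines, '\r\n')` and `string.join(lines, '')` are Python 2-only despite the `__future__` imports added by this commit; `'\r\n'.join(lines)` and `''.join(lines)` are equivalent on both versions.

```python
        # get cert data from NSS database
        nss.nss_init(instance.nssdb_dir)
        try:
            nss_cert = nss.find_cert_from_nickname(subsystem_cert['nickname'])
            data = base64.b64encode(nss_cert.der_data)
            del nss_cert
        finally:
            nss.nss_shutdown()
        subsystem_cert['data'] = data

        # format cert data for LDAP database
        lines = [data[i:i+64] for i in range(0, len(data), 64)]
        data = '\r\n'.join(lines) + '\r\n'

        # get cert request from local CA
        # TODO: add support for remote CA
        ca = instance.get_subsystem('ca')
        results = ca.find_cert_requests(cert=data)
        if not results:
            print('ERROR: no cert request found for cert "%s"' % cert_id)
            sys.exit(1)
        if len(results) > 1:
            print('WARNING: %d cert requests matched, using the last one' % len(results))
        cert_request = results[-1]
        request = cert_request['request']

        # … unchanged: request formatting and CS.cfg update …
```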