authorJack Magne <jmagne@localhost.localdomain>2015-05-06 16:49:59 -0700
committerJack Magne <jmagne@localhost.localdomain>2015-05-07 15:46:21 -0700
commit73fb345e06b70d23a852743e4dc81ef6063e738a (patch)
tree520bab7b169746ceecda50e47540193b9f041746 /base/server/python/pki/server
parent141fc3c9fdfd87b9726a87493331ad6585488461 (diff)
Fix #1351 pki securitydomain-get-install-token fails when run with caadmin user.
The short term solution to this problem was to remove the man page information and all references to the command line module responsible for this issue. The installer already has an alternative method to remove a subsystem from the security domain list. We now assume the alternate method and don't even try to find the token at this point. A user at the command line of the pki command will no longer be able to attempt this either. Tested this to verify that the man page for the "securitydomain" command no longer mentions or documents the "get-install-token" variant. Tested to verify that this command can't be manually called from the command line using "pki". This attempt results in an "unknown module". Tested by installing and uninstalling a subsystem. The security domain was kept up to date as expected for each install or remove attempted.
Diffstat (limited to 'base/server/python/pki/server')
-rw-r--r--base/server/python/pki/server/deployment/pkihelper.py61
-rw-r--r--base/server/python/pki/server/deployment/scriptlets/initialization.py19
2 files changed, 10 insertions, 70 deletions
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index b9d48eea3..e6f001910 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -3232,67 +3232,6 @@ class SecurityDomain:
return None
- def get_installation_token(self, secuser, secpass, critical_failure=True):
- if not secuser or not secpass:
- return None
-
- # process this PKI subsystem instance's 'CS.cfg'
- cs_cfg = PKIConfigParser.read_simple_configuration_file(
- self.mdict['pki_target_cs_cfg'])
-
- # assign key name/value pairs
- machinename = cs_cfg.get('service.machineName')
- cstype = cs_cfg.get('cs.type', '')
- sechost = cs_cfg.get('securitydomain.host')
- secadminport = cs_cfg.get('securitydomain.httpsadminport')
- #secselect = cs_cfg.get('securitydomain.select') - Selected
- # security domain
-
- command = ["/bin/pki",
- "-p", str(secadminport),
- "-h", sechost,
- "-P", "https",
- "-u", secuser,
- "-w", secpass,
- "-d", self.mdict['pki_database_path'],
- "securitydomain-get-install-token",
- "--hostname", machinename,
- "--subsystem", cstype]
- try:
- output = subprocess.check_output(
- command,
- stderr=subprocess.STDOUT,
- shell=True)
-
- token_list = re.findall("Install token: \"(.*)\"", output)
- if not token_list:
- config.pki_log.error(
- log.PKIHELPER_SECURITY_DOMAIN_GET_TOKEN_FAILURE_2,
- str(sechost),
- str(secadminport),
- extra=config.PKI_INDENTATION_LEVEL_2)
- config.pki_log.error(
- log.PKI_SUBPROCESS_ERROR_1, output,
- extra=config.PKI_INDENTATION_LEVEL_2)
- if critical_failure:
- raise Exception(
- log.PKIHELPER_SECURITY_DOMAIN_GET_TOKEN_FAILURE_2 %
- (str(sechost), str(secadminport)))
- else:
- token = token_list[0]
- return token
- except subprocess.CalledProcessError as exc:
- config.pki_log.error(
- log.PKIHELPER_SECURITY_DOMAIN_GET_TOKEN_FAILURE_2,
- str(sechost),
- str(secadminport),
- extra=config.PKI_INDENTATION_LEVEL_2)
- config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
- extra=config.PKI_INDENTATION_LEVEL_2)
- if critical_failure:
- raise
- return None
-
class Systemd(object):
"""PKI Deployment Execution Management Class"""
diff --git a/base/server/python/pki/server/deployment/scriptlets/initialization.py b/base/server/python/pki/server/deployment/scriptlets/initialization.py
index 0aa4e1c4a..c209bf9c2 100644
--- a/base/server/python/pki/server/deployment/scriptlets/initialization.py
+++ b/base/server/python/pki/server/deployment/scriptlets/initialization.py
@@ -1,6 +1,6 @@
#!/usr/bin/python -t
# Authors:
-# Matthew Harmsen <mharmsen@redhat.com>
+# Matthew Harmsen <mharmsen@redhat.com>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -49,9 +49,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
else:
config.pki_log.info(log.INITIALIZATION_SPAWN_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
- if (deployer.mdict['pki_subsystem'] == "CA" or\
- config.str2bool(deployer.mdict['pki_standalone'])) and\
- config.str2bool(deployer.mdict['pki_external_step_two']):
+ if (deployer.mdict['pki_subsystem'] == "CA" or \
+ config.str2bool(deployer.mdict['pki_standalone'])) and \
+ config.str2bool(deployer.mdict['pki_external_step_two']):
# verify that this External CA (Step 2), or Stand-alone PKI
# (Step 2) currently EXISTS for this "instance"
deployer.instance.verify_subsystem_exists()
@@ -96,10 +96,6 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# get ports to remove selinux context
deployer.configuration_file.populate_non_default_ports()
- # get deinstallation token
- token = deployer.security_domain.get_installation_token(
- config.pki_secdomain_user, config.pki_secdomain_pass)
-
# remove kra connector from CA if this is a KRA
deployer.kra_connector.deregister()
@@ -114,7 +110,12 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
# instance's security domain may be a part of a
# tightly-coupled shared instance.
#
- deployer.security_domain.deregister(token)
+
+ # Previously we obtained the token through a command line interface
+ # no longer supported. Thus we assume no token and the deregister op will
+ # take place without the token using an alternate method.
+
+ deployer.security_domain.deregister(None)
# ALWAYS Stop this Tomcat PKI Process
deployer.systemd.stop()
return self.rv
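Review bot: The comment added above `deployer.security_domain.deregister(None)` records what used to happen but not what happens now: it says "an alternate method" without naming it or the credential that authorizes removing this subsystem from the security domain. Because the lookup that used `config.pki_secdomain_user` and `config.pki_secdomain_pass` is dropped earlier in this file, that alternate path appears to be the only one left for deregistration, so the comment should spell it out, e.g. `# Ticket #1351: install-token lookup via the pki CLI was removed; deregister(None) uses <alternate method and the credential it authenticates with>.` The body of `deregister` is outside this hunk, so it cannot be confirmed here whether its token-based branch is now unreachable from this caller or whether a failed deregistration is logged or raised; both are worth checking before merge. The enclosing method also starts outside the hunk.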