authorAde Lee <alee@redhat.com>2014-09-01 12:53:28 -0400
committerAde Lee <alee@redhat.com>2014-09-02 15:45:33 -0400
commit0507afc6b1226b2878aafde8487eba736c74514f (patch)
treed08bc1b97c7652ce30396619a126b1dab494bb0d /base/server/python/pki
parent99e6330ce13e55ac325d76bdc33f1b1b00cba5d3 (diff)
Fix kra-connector-remove
The code to remove the connector from the pki CLI was found to be broken because of invalid message type (partly due to void returns). On uninstall, we need to remove the kra-connector from all relevant CA's in the security domain. The best way to do this is to keep kra-connector info in LDAP, so that only one call is needed. Until that change has been made, we are adding a hack to remove the connector from all CA's in the security domain (if it exists). Due to issues with proxy configurations, we will continue to use sslget and a url-encoded-form version of the servlet. In addition, it was found that when removing a KRA from a shared subsystem, the updateDomainXML servlet was erroneously returning failure when it was unsuccessful in removing a non-existent user from a group. Ticket 1113
Diffstat (limited to 'base/server/python/pki')
-rw-r--r--base/server/python/pki/server/deployment/pkihelper.py85
-rw-r--r--base/server/python/pki/server/deployment/pkimessages.py2
-rw-r--r--base/server/python/pki/server/deployment/pkiparser.py2
3 files changed, 69 insertions, 20 deletions
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index 823a20711..afb7eea29 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -27,6 +27,7 @@ import os
import fileinput
import random
import re
+import requests.exceptions
import shutil
from shutil import Error, WindowsError
import string
@@ -2649,20 +2650,9 @@ class KRAConnector:
self.mdict['pki_target_cs_cfg'])
krahost = cs_cfg.get('service.machineName')
kraport = cs_cfg.get('pkicreate.secure_port')
- cahost = cs_cfg.get('cloning.ca.hostname')
- caport = cs_cfg.get('cloning.ca.httpsport')
- if cahost is None or\
- caport is None:
- config.pki_log.warning(
- log.PKIHELPER_KRACONNECTOR_UPDATE_FAILURE,
- extra=config.PKI_INDENTATION_LEVEL_2)
- config.pki_log.error(
- log.PKIHELPER_UNDEFINED_CA_HOST_PORT,
- extra=config.PKI_INDENTATION_LEVEL_2)
- if critical_failure:
- raise Exception(log.PKIHELPER_UNDEFINED_CA_HOST_PORT)
- else:
- return
+ proxy_secure_port = cs_cfg.get('proxy.securePort', '')
+ if proxy_secure_port != '':
+ kraport = proxy_secure_port
# retrieve subsystem nickname
subsystemnick = cs_cfg.get('kra.cert.subsystem.nickname')
@@ -2703,9 +2693,49 @@ class KRAConnector:
else:
return
- self.execute_using_sslget(
- caport, cahost, subsystemnick,
- token_pwd, krahost, kraport)
+ # Note: this is a hack to resolve Trac Ticket 1113
+ # We need to remove the KRA connector data from all relevant clones,
+ # but we have no way of easily identifying which instances are
+ # the right ones. Instead, We will attempt to remove the KRA
+ # connector from all CAs in the security domain.
+ # The better - and long term solution is to store the connector
+ # configuration in LDAP so that updating one clone will
+ # automatically update the rest.
+ # TODO(alee): Fix this logic once we move connector data to LDAP
+
+ # get a list of all the CA's in the security domain
+ # noinspection PyBroadException
+ # pylint: disable-msg=W0703
+ sechost = cs_cfg.get('securitydomain.host')
+ secport = cs_cfg.get('securitydomain.httpsadminport')
+ try:
+ ca_list = self.get_ca_list_from_security_domain(
+ sechost, secport)
+ except Exception as e:
+ config.pki_log.error(
+ "unable to access security domain. Continuing .. " + str(e),
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ ca_list = []
+
+ for ca in ca_list:
+ ca_host = ca.hostname
+ ca_port = ca.secure_port
+
+ # catching all exceptions because we do not want to break if
+ # the auth is not successful or servers are down. In the
+ # worst case, we will time out anyways.
+ # noinspection PyBroadException
+ # pylint: disable-msg=W0703
+ try:
+ self.execute_using_sslget(
+ ca_port, ca_host, subsystemnick,
+ token_pwd, krahost, kraport)
+ except Exception:
+ # ignore exceptions
+ config.pki_log.warning(
+ log.PKIHELPER_KRACONNECTOR_DEREGISTER_FAILURE_4,
+ str(krahost), str(kraport), str(ca_host), str(ca_port),
+ extra=config.PKI_INDENTATION_LEVEL_2)
except subprocess.CalledProcessError as exc:
config.pki_log.warning(
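Review bot: `sechost` and `secport` are read from `cs_cfg` at the top of the new block without checking that either is set, and a missing value only surfaces inside the blanket `except Exception` as "unable to access security domain", after which `ca_list = []` and the loop body never runs, so the KRA connector is deregistered from no CA at all. The guard removed in the previous hunk (`cloning.ca.hostname`/`cloning.ca.httpsport`) at least raised when `critical_failure` was set; with this change a configuration error or an unreachable security domain is logged and then treated as success, leaving a decommissioned KRA configured as a connector on every CA in the domain with no signal to the caller (the enclosing method's signature is outside the hunk, so whether `critical_failure` is still a parameter here can only be inferred from the removed lines). Suggest honouring it in that handler, `if critical_failure: raise`, and logging a warning when `ca_list` ends up empty so the operator knows nothing was removed. As a point of style, the error log should pass `str(e)` as a `%s` argument like the `log.PKIHELPER_…` calls below it rather than concatenating it into the message.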
@@ -2719,6 +2749,24 @@ class KRAConnector:
raise
return
+ @staticmethod
+ def get_ca_list_from_security_domain(sechost, secport):
+ sd_connection = pki.client.PKIConnection(
+ protocol='https',
+ hostname=sechost,
+ port=secport,
+ subsystem='ca')
+ sd = pki.system.SecurityDomainClient(sd_connection)
+ try:
+ info = sd.get_security_domain_info()
+ except requests.exceptions.HTTPError as e:
+ config.pki_log.info(
+ "unable to access security domain through REST interface. " +
+ "Trying old interface. " + str(e),
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ info = sd.get_old_security_domain_info()
+ return info.systems['CA'].hosts.values()
+
def execute_using_pki(
self, caport, cahost, subsystemnick,
token_pwd, krahost, kraport, critical_failure=False):
@@ -2732,8 +2780,7 @@ class KRAConnector:
"ca-kraconnector-del", krahost, str(kraport)]
output = subprocess.check_output(command,
- stderr=subprocess.STDOUT,
- shell=True)
+ stderr=subprocess.STDOUT)
error = re.findall("ClientResponseFailure:(.*?)", output)
if error:
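Review bot: `get_ca_list_from_security_domain` has no docstring, and `info.systems['CA']` raises `KeyError` when the security-domain payload lists no CA subsystem, which the caller's blanket handler then reports as "unable to access security domain" — a misleading diagnosis for a domain that was reached fine. Suggest guarding the lookup, `ca_entry = info.systems.get('CA')` / `return list(ca_entry.hosts.values()) if ca_entry else []`, and a docstring stating that the REST security-domain endpoint is tried first and the legacy interface only on `requests.exceptions.HTTPError`; connection-level failures are not caught here and propagate to the caller, which is presumably intended but worth saying explicitly. The attribute names `hostname` and `secure_port` used on each entry in the previous hunk are not visible in this diff, so confirm they match what `SecurityDomainClient` returns on both the REST and the old code path.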
diff --git a/base/server/python/pki/server/deployment/pkimessages.py b/base/server/python/pki/server/deployment/pkimessages.py
index 8b5ce3f2c..1c21e8689 100644
--- a/base/server/python/pki/server/deployment/pkimessages.py
+++ b/base/server/python/pki/server/deployment/pkimessages.py
@@ -216,6 +216,8 @@ PKIHELPER_KRACONNECTOR_UPDATE_CONTACT = \
PKIHELPER_KRACONNECTOR_UPDATE_FAILURE = "Failed to update KRA connector on CA"
PKIHELPER_KRACONNECTOR_UPDATE_FAILURE_2 = \
"Failed to update KRA connector for %s:%s"
+PKIHELPER_KRACONNECTOR_DEREGISTER_FAILURE_4 = \
+ "Failed to deregister KRA connector %s:%s from CA %s:%s"
PKIHELPER_LINK_S_2 = "ln -s %s %s"
PKIHELPER_MKDIR_1 = "mkdir -p %s"
PKIHELPER_MODIFY_DIR_1 = "modifying '%s'"
diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
index 3b2a99c9f..1f6cbe0b4 100644
--- a/base/server/python/pki/server/deployment/pkiparser.py
+++ b/base/server/python/pki/server/deployment/pkiparser.py
@@ -27,7 +27,7 @@ import ldap
import logging
import os
import random
-import requests
+import requests.exceptions
import string
import subprocess
import xml.etree.ElementTree as ET