authorAde Lee <alee@redhat.com>2015-05-06 16:06:34 -0400
committerAde Lee <alee@redhat.com>2015-05-10 16:09:24 -0400
commit7dca020819b7573cd05bd54482fb5d1afe9bb658 (patch)
tree871e3a9d350c081e52a26b0583bd02e8f2dd761b /base/server/python/pki
parent2db074c39334a6ec48a6fac52722f684a14bb00a (diff)
Patches to get nuxwdog working with systemd
This patch adds some new unit files and targets for starting instances with nuxwdog, as well as logic within the pki-server nuxwdog module to switch to/from the old and new systemd unit files. It also corrects some issues found in additional testing of the nuxwdog change scripts. To use nuxwdog to start the instance, a user needs to do the following: 1. Create an instance normally. 2. Run: pki-server instance-nuxwdog-enable <instance_name> 3. Start the instance using: systemctl start pki-tomcatd-nuxwdog@<instance_name>.service To revert the instance, simply do the following: 1. Run: pki-server instance-nuxwdog-disable <instance_name> 2. Start the instance using: systemctl start pki-tomcatd@<instance_name>.service
Diffstat (limited to 'base/server/python/pki')
-rw-r--r--base/server/python/pki/server/cli/instance.py4
-rw-r--r--base/server/python/pki/server/cli/nuxwdog.py103
-rw-r--r--base/server/python/pki/server/cli/subsystem.py3
3 files changed, 93 insertions, 17 deletions
diff --git a/base/server/python/pki/server/cli/instance.py b/base/server/python/pki/server/cli/instance.py
index 37db03988..becad1447 100644
--- a/base/server/python/pki/server/cli/instance.py
+++ b/base/server/python/pki/server/cli/instance.py
@@ -378,7 +378,7 @@ class InstanceNuxwdogEnableCLI(pki.cli.CLI):
module.enable_nuxwdog(instance) # pylint: disable=no-member,maybe-no-member
- self.print_message('nuxwdog enabled for instance %s' % instance_name)
+ self.print_message('Nuxwdog enabled for instance %s.' % instance_name)
class InstanceNuxwdogDisableCLI(pki.cli.CLI):
@@ -432,4 +432,4 @@ class InstanceNuxwdogDisableCLI(pki.cli.CLI):
module.disable_nuxwdog(instance) # pylint: disable=no-member,maybe-no-member
- self.print_message('nuxwdog disabled for instance %s' % instance_name)
+ self.print_message('Nuxwdog disabled for instance %s.' % instance_name)
diff --git a/base/server/python/pki/server/cli/nuxwdog.py b/base/server/python/pki/server/cli/nuxwdog.py
index d439dd7db..d6ef91e43 100644
--- a/base/server/python/pki/server/cli/nuxwdog.py
+++ b/base/server/python/pki/server/cli/nuxwdog.py
@@ -48,7 +48,7 @@ class NuxwdogEnableCLI(pki.cli.CLI):
def __init__(self):
self.parser = etree.XMLParser(remove_blank_text=True)
self.nuxwdog_listener_class = (
- 'com.netscape.cms.tomcat.NuxwdogPasswordStoreInitializer'
+ 'com.netscape.cms.tomcat.PKIListener'
)
self.nuxwdog_pwstore_class = (
'com.netscape.cms.tomcat.NuxwdogPasswordStore'
@@ -108,6 +108,12 @@ class NuxwdogEnableCLI(pki.cli.CLI):
server_xml = os.path.join(instance.conf_dir, 'server.xml')
self.enable_nuxwdog_server_xml(server_xml, instance)
+ # change systemd links
+ self.change_systemd_links(instance)
+
+ # modify CS.cfg
+ self.modify_password_class_in_cs_cfg(instance)
+
def add_nuxwdog_link(self, instance):
nuxwdog_jar_path = '/usr/lib/java/nuxwdog.jar'
if not os.path.exists(nuxwdog_jar_path):
@@ -156,11 +162,9 @@ class NuxwdogEnableCLI(pki.cli.CLI):
with open(sysconfig_file, 'a') as f:
f.write("USE_NUXWDOG=\"true\"\n")
- def get_conf_file(self, instance):
- if not instance.subsystems:
- print "Error: Instance has no subsystems."
- sys.exit(1)
+ os.chown(sysconfig_file, instance.uid, instance.gid)
+ def get_conf_file(self, instance):
# return the path to the first instance
subsystem = instance.subsystems[0]
return os.path.join(subsystem.conf_dir, 'CS.cfg')
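Review bot: Dropping the `if not instance.subsystems` guard means `instance.subsystems[0]` in get_conf_file now raises a bare IndexError for an instance with no subsystems, where the old code printed an error and exited. If a caller outside this hunk already rejects that case, say so in a comment; otherwise keep an explicit check such as `if not instance.subsystems: raise RuntimeError('Instance has no subsystems.')`. The remaining comment, "return the path to the first instance", should read "first subsystem", since that is what the code indexes.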
@@ -192,7 +196,7 @@ class NuxwdogEnableCLI(pki.cli.CLI):
# add before GlobalResourcesLifecycleListener if exists
if global_naming_resources is not None:
- index = list(server).index(global_naming_resources)
+ index = list(server).index(global_naming_resources) - 1
else:
index = 0
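Review bot: The added `- 1` makes `index` negative when the located element is the first child of `server`, and a negative position counts from the end if it is later passed to an insert (that call is outside this hunk). The comment above still says "add before GlobalResourcesLifecycleListener", which the unadjusted index already did, so the reason for moving one slot earlier should be stated next to the arithmetic. Clamping would keep the result in range: `index = max(list(server).index(global_naming_resources) - 1, 0)`.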
@@ -208,13 +212,49 @@ class NuxwdogEnableCLI(pki.cli.CLI):
with open(filename, 'w') as f:
f.write(etree.tostring(document, pretty_print=True))
+ os.chown(filename, instance.uid, instance.gid)
+
+ def change_systemd_links(self, instance):
+ old_systemd_unit_file = 'pki-tomcatd@' + instance.name + '.service'
+ old_systemd_link = os.path.join(
+ '/etc/systemd/system/pki-tomcatd.target.wants',
+ old_systemd_unit_file)
+
+ new_systemd_unit_file = ('pki-tomcatd-nuxwdog@' + instance.name
+ + '.service')
+ new_systemd_link = os.path.join(
+ '/etc/systemd/system/pki-tomcatd-nuxwdog.target.wants',
+ new_systemd_unit_file)
+ new_systemd_source = '/lib/systemd/system/pki-tomcatd-nuxwdog@.service'
+
+ if os.path.exists(old_systemd_link):
+ os.unlink(old_systemd_link)
+
+ if os.path.exists(new_systemd_link):
+ os.unlink(new_systemd_link)
+ os.symlink(new_systemd_source, new_systemd_link)
+
+ subprocess.check_call(['systemctl', 'daemon-reload'])
+
+ def modify_password_class_in_cs_cfg(self, instance):
+ pclass = "com.netscape.cmsutil.password.NuxwdogPasswordStore"
+
+ for subsystem in instance.subsystems:
+ cs_cfg = os.path.join(subsystem.conf_dir, 'CS.cfg')
+ for line in fileinput.input(cs_cfg, inplace=1):
+ match = re.search("^passwordClass=(.*)", line)
+ if match:
+ line = "passwordClass=" + pclass + "\n"
+ sys.stdout.write(line)
+ os.chown(cs_cfg, instance.uid, instance.gid)
+
class NuxwdogDisableCLI(pki.cli.CLI):
def __init__(self):
self.parser = etree.XMLParser(remove_blank_text=True)
self.nuxwdog_listener_class = (
- 'com.netscape.cms.tomcat.NuxwdogPasswordStoreInitializer'
+ 'com.netscape.cms.tomcat.PKIListener'
)
self.plain_pwstore_class = (
'org.apache.tomcat.util.net.jss.PlainPasswordFile'
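Review bot: In change_systemd_links, `os.path.exists()` follows the symlink, so a dangling `new_systemd_link` is reported as absent and the following `os.symlink()` then fails because the name is still taken. A dangling `old_systemd_link` is likewise left in place. Both tests should be `os.path.lexists(...)`, e.g. `if os.path.lexists(new_systemd_link):`. The same two checks are repeated in NuxwdogDisableCLI.change_systemd_links further down and need the same change. Separately, `instance.name` is concatenated straight into a path under /etc/systemd/system; whether it is validated before reaching this method is not visible here and is worth confirming.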
@@ -271,6 +311,10 @@ class NuxwdogDisableCLI(pki.cli.CLI):
server_xml = os.path.join(instance.conf_dir, 'server.xml')
self.disable_nuxwdog_server_xml(server_xml, instance)
+ self.change_systemd_links(instance)
+
+ self.modify_password_class_in_cs_cfg(instance)
+
def disable_nuxwdog_sysconfig_file(self, instance):
sysconfig_file = os.path.join('/etc/sysconfig', instance.name)
@@ -292,6 +336,8 @@ class NuxwdogDisableCLI(pki.cli.CLI):
sys.stdout.write(line)
+ os.chown(sysconfig_file, instance.uid, instance.gid)
+
def remove_nuxwdog_link(self, instance):
instance_jar_path = os.path.join(
instance.base_dir,
@@ -312,13 +358,6 @@ class NuxwdogDisableCLI(pki.cli.CLI):
server = document.getroot()
- children = list(server)
- for child in children:
- if child.tag == 'Listener':
- class_name = child.get('className')
- if class_name == self.nuxwdog_listener_class:
- server.remove(child)
-
connectors = server.findall('Service/Connector')
for connector in connectors:
if connector.get('secure') == 'true':
@@ -327,3 +366,39 @@ class NuxwdogDisableCLI(pki.cli.CLI):
with open(filename, 'w') as f:
f.write(etree.tostring(document, pretty_print=True))
+
+ os.chown(filename, instance.uid, instance.gid)
+
+ def change_systemd_links(self, instance):
+ old_systemd_unit_file = ('pki-tomcatd-nuxwdog@' + instance.name
+ + '.service')
+ old_systemd_link = os.path.join(
+ '/etc/systemd/system/pki-tomcatd-nuxwdog.target.wants',
+ old_systemd_unit_file)
+
+ new_systemd_unit_file = 'pki-tomcatd@' + instance.name + '.service'
+ new_systemd_link = os.path.join(
+ '/etc/systemd/system/pki-tomcatd.target.wants',
+ new_systemd_unit_file)
+ new_systemd_source = '/lib/systemd/system/pki-tomcatd@.service'
+
+ if os.path.exists(old_systemd_link):
+ os.unlink(old_systemd_link)
+
+ if os.path.exists(new_systemd_link):
+ os.unlink(new_systemd_link)
+ os.symlink(new_systemd_source, new_systemd_link)
+
+ subprocess.check_call(['systemctl', 'daemon-reload'])
+
+ def modify_password_class_in_cs_cfg(self, instance):
+ pclass = "com.netscape.cmsutil.password.PlainPasswordFile"
+
+ for subsystem in instance.subsystems:
+ cs_cfg = os.path.join(subsystem.conf_dir, 'CS.cfg')
+ for line in fileinput.input(cs_cfg, inplace=1):
+ match = re.search("^passwordClass=(.*)", line)
+ if match:
+ line = "passwordClass=" + pclass + "\n"
+ sys.stdout.write(line)
+ os.chown(cs_cfg, instance.uid, instance.gid)
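Review bot: The `os.chown(filename, ...)` and `os.chown(cs_cfg, ...)` calls added here change ownership by path after the file has been closed, and `os.chown` follows symlinks. This tool appears to run as root and hands the files to the instance account, so if the configuration directories are writable by that account (not visible in this diff), the path could resolve to a different file by the time ownership changes. For server.xml the change can be made on the open descriptor inside the existing `with` block: `os.fchown(f.fileno(), instance.uid, instance.gid)`. For the CS.cfg files rewritten through `fileinput`, `os.lchown(cs_cfg, instance.uid, instance.gid)` at least avoids following a link. The same pattern appears in the earlier chown additions for NuxwdogEnableCLI and for the sysconfig file.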
diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py
index 3aad00a05..43eb564ee 100644
--- a/base/server/python/pki/server/cli/subsystem.py
+++ b/base/server/python/pki/server/cli/subsystem.py
@@ -30,7 +30,8 @@ import pki.server
class SubsystemCLI(pki.cli.CLI):
def __init__(self):
- super(SubsystemCLI, self).__init__('subsystem', 'Subsystem management commands')
+ super(SubsystemCLI, self).__init__('subsystem',
+ 'Subsystem management commands')
self.add_module(SubsystemDisableCLI())
self.add_module(SubsystemEnableCLI())