authorEndi S. Dewata <edewata@redhat.com>2016-05-13 22:32:10 +0200
committerEndi S. Dewata <edewata@redhat.com>2016-05-14 00:57:56 +0200
commit8d239f0b5c01ec94075a52eec8d8f5485b172ffd (patch)
tree1170976e127028abfc516d21403c3946ed49e487 /base/server/python
parentf306058c4fb2f1e80e753b744a4d26eaa53a293f (diff)
Renamed pki-server ca-db-upgrade to db-upgrade.
The pki-server ca-db-upgrade command has been renamed to db-upgrade to be more general. In the future the command can be refactored to handle additional upgrade scripts. Additional log messages have been added to show the upgrade activities in verbose mode. https://fedorahosted.org/pki/ticket/1667
Diffstat (limited to 'base/server/python')
-rw-r--r--base/server/python/pki/server/cli/ca.py81
-rw-r--r--base/server/python/pki/server/cli/db.py131
2 files changed, 131 insertions, 81 deletions
diff --git a/base/server/python/pki/server/cli/ca.py b/base/server/python/pki/server/cli/ca.py
index 428345db4..dbf8239f4 100644
--- a/base/server/python/pki/server/cli/ca.py
+++ b/base/server/python/pki/server/cli/ca.py
@@ -22,8 +22,6 @@ from __future__ import absolute_import
from __future__ import print_function
import getopt
import io
-import ldap
-import nss.nss as nss
import os
import shutil
import sys
@@ -40,7 +38,6 @@ class CACLI(pki.cli.CLI):
self.add_module(CACertCLI())
self.add_module(CACloneCLI())
- self.add_module(CADBUpgrade())
class CACertCLI(pki.cli.CLI):
@@ -410,81 +407,3 @@ class CAClonePrepareCLI(pki.cli.CLI):
finally:
shutil.rmtree(tmpdir)
-
-
-class CADBUpgrade(pki.cli.CLI):
- def __init__(self):
- super(CADBUpgrade, self).__init__(
- 'db-upgrade', 'Upgrade certificate records')
-
- def usage(self):
- print('Usage: pki-server ca-db-upgrade [OPTIONS]')
- print()
- print(' -i, --instance <instance ID> Instance ID (default: pki-tomcat).')
- print(' -v, --verbose Run in verbose mode.')
- print(' --help Show help message.')
- print()
-
- def execute(self, args):
- try:
- opts, _ = getopt.gnu_getopt(
- args, 'i:v', ['instance=', 'verbose', 'help'])
-
- except getopt.GetoptError as e:
- print('ERROR: ' + str(e))
- self.usage()
- sys.exit(1)
-
- instance_name = 'pki-tomcat'
-
- for o, a in opts:
- if o in ('-i', '--instance'):
- instance_name = a
-
- elif o in ('-v', '--verbose'):
- self.set_verbose(True)
-
- elif o == '--help':
- self.print_help()
- sys.exit()
-
- else:
- print('ERROR: unknown option ' + o)
- self.usage()
- sys.exit(1)
-
- nss.nss_init_nodb()
-
- instance = pki.server.PKIInstance(instance_name)
- instance.load()
-
- subsystem = instance.get_subsystem('ca')
- base_dn = subsystem.config['internaldb.basedn']
- conn = subsystem.open_database()
- try:
- entries = conn.ldap.search_s(
- 'ou=certificateRepository,ou=ca,%s' % base_dn,
- ldap.SCOPE_ONELEVEL,
- '(&(objectclass=certificateRecord)(!(issuerName=*)))',
- None)
- for entry in entries:
- self.__add_issuer(conn, entry)
- finally:
- conn.close()
-
- @staticmethod
- def __add_issuer(conn, entry):
- dn, attrs = entry
- attr_cert = attrs.get('userCertificate;binary')
- if not attr_cert:
- return # shouldn't happen, but nothing we can do if it does
-
- cert = nss.Certificate(bytearray(attr_cert[0]))
- issuer_name = str(cert.issuer)
-
- try:
- conn.ldap.modify_s(dn, [(ldap.MOD_ADD, 'issuerName', issuer_name)])
- except ldap.LDAPError as e:
- print(
- 'Failed to add issuerName to certificate {}: {}'
- .format(attrs.get('cn', ['<unknown>'])[0], e))
diff --git a/base/server/python/pki/server/cli/db.py b/base/server/python/pki/server/cli/db.py
new file mode 100644
index 000000000..6cfd6b410
--- /dev/null
+++ b/base/server/python/pki/server/cli/db.py
@@ -0,0 +1,131 @@
+# Authors:
+# Fraser Tweedale <ftweedal@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2016 Red Hat, Inc.
+# All rights reserved.
+#
+
+from __future__ import absolute_import
+from __future__ import print_function
+import getopt
+import ldap
+import nss.nss as nss
+import sys
+
+import pki.cli
+
+
+class DBCLI(pki.cli.CLI):
+
+ def __init__(self):
+ super(DBCLI, self).__init__(
+ 'db', 'DB management commands')
+
+ self.add_module(DBUpgrade())
+
+
+class DBUpgrade(pki.cli.CLI):
+ def __init__(self):
+ super(DBUpgrade, self).__init__(
+ 'upgrade', 'Upgrade PKI server database')
+
+ def usage(self):
+ print('Usage: pki-server db-upgrade [OPTIONS]')
+ print()
+ print(' -i, --instance <instance ID> Instance ID (default: pki-tomcat).')
+ print(' -v, --verbose Run in verbose mode.')
+ print(' --help Show help message.')
+ print()
+
+ def execute(self, args):
+ try:
+ opts, _ = getopt.gnu_getopt(
+ args, 'i:v', ['instance=', 'verbose', 'help'])
+
+ except getopt.GetoptError as e:
+ print('ERROR: ' + str(e))
+ self.usage()
+ sys.exit(1)
+
+ instance_name = 'pki-tomcat'
+
+ for o, a in opts:
+ if o in ('-i', '--instance'):
+ instance_name = a
+
+ elif o in ('-v', '--verbose'):
+ self.set_verbose(True)
+
+ elif o == '--help':
+ self.print_help()
+ sys.exit()
+
+ else:
+ print('ERROR: unknown option ' + o)
+ self.usage()
+ sys.exit(1)
+
+ nss.nss_init_nodb()
+
+ instance = pki.server.PKIInstance(instance_name)
+ instance.load()
+
+ subsystem = instance.get_subsystem('ca')
+ if not subsystem:
+ print('ERROR: missing subsystem ca')
+ sys.exit(1)
+
+ base_dn = subsystem.config['internaldb.basedn']
+ conn = subsystem.open_database()
+
+ try:
+ repo_dn = 'ou=certificateRepository,ou=ca,%s' % base_dn
+ if self.verbose:
+ print('Searching certificates records with missing issuerName in %s' % repo_dn)
+
+ entries = conn.ldap.search_s(
+ repo_dn,
+ ldap.SCOPE_ONELEVEL,
+ '(&(objectclass=certificateRecord)(!(issuerName=*)))',
+ None)
+
+ for entry in entries:
+ self.add_issuer_name(conn, entry)
+
+ finally:
+ conn.close()
+
+ self.print_message('Upgrade complete')
+
+ def add_issuer_name(self, conn, entry):
+ dn, attrs = entry
+
+ if self.verbose:
+ print('Fixing certificate record %s' % dn)
+
+ attr_cert = attrs.get('userCertificate;binary')
+ if not attr_cert:
+ return # shouldn't happen, but nothing we can do if it does
+
+ cert = nss.Certificate(bytearray(attr_cert[0]))
+ issuer_name = str(cert.issuer)
+
+ try:
+ conn.ldap.modify_s(dn, [(ldap.MOD_ADD, 'issuerName', issuer_name)])
+ except ldap.LDAPError as e:
+ print(
+ 'Failed to add issuerName to certificate {}: {}'
+ .format(attrs.get('cn', ['<unknown>'])[0], e))