-rw-r--r-- | base/server/etc/default.cfg | 2 | ||||
-rwxr-xr-x | base/server/sbin/pkispawn | 177 |
2 files changed, 103 insertions, 76 deletions
diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg index 1c1ae92b3..aefe0f45c 100644 --- a/base/server/etc/default.cfg +++ b/base/server/etc/default.cfg @@ -112,7 +112,9 @@ pki_security_domain_user=caadmin pki_san_inject=False pki_san_for_server_cert= pki_skip_configuration=False +pki_skip_ds_verify=False pki_skip_installation=False +pki_skip_sd_verify=False pki_ssl_server_key_algorithm=SHA256withRSA pki_ssl_server_key_size=2048 pki_ssl_server_key_type=rsa diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn index 5892a671f..e7b22ef1e 100755 --- a/base/server/sbin/pkispawn +++ b/base/server/sbin/pkispawn @@ -110,6 +110,11 @@ def main(argv): help='configuration filename ' '(MUST specify complete path)') + parser.optional.add_argument( + '--precheck', + dest='precheck', action='store_true', + help='Execute pre-checks and exit') + args = parser.process_command_line_arguments() config.default_deployment_cfg = \ @@ -149,6 +154,9 @@ def main(argv): parser.init_config() if config.user_deployment_cfg is None: + if args.precheck: + sys.exit( + 'precheck mode is only valid for non-interactive installs') interactive = True parser.indent = 2 
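Review bot: The two new keys `pki_skip_ds_verify` and `pki_skip_sd_verify` are added to default.cfg with no indication of what verification each one disables, so an operator reading the defaults has to trace check_ds and check_security_domain in pkispawn to learn that the first bypasses the directory-server verification step and the second bypasses the security-domain connect/authenticate step. If this file carries comments, a one-line comment above each key, e.g. `# skip directory server verification before installation (normally False)`, would make the bypass visible at the point where it is configured. Both defaulting to False is the right choice.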
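Review bot: The help string for `--precheck` does not mention that the option only works with a configuration file: the @@ -149 hunk exits with "precheck mode is only valid for non-interactive installs" when no configuration file was given. Suggest `help='Execute pre-checks and exit (requires a configuration file; non-interactive installs only)'` so the restriction is visible in `--help` rather than only at runtime. The enclosing main() starts outside the hunk.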
@@ -488,6 +496,62 @@ def main(argv): config.pki_subsystem.lower()) sys.exit(1) + start_logging() + create_master_dictionary(parser) + + if not interactive and \ + not config.str2bool(parser.mdict['pki_skip_configuration']): + check_ds(parser) + check_security_domain(parser) + + if args.precheck: + print('pre-checks completed successfully.') + sys.exit(0) + + print("Installing " + config.pki_subsystem + " into " + + parser.mdict['pki_instance_path'] + ".") + + # Process the various "scriptlets" to create the specified PKI subsystem. + pki_subsystem_scriptlets = parser.mdict['spawn_scriplets'].split() + deployer = util.PKIDeployer(parser.mdict, parser.slots_dict) + rv = 0 + for pki_scriptlet in pki_subsystem_scriptlets: + scriptlet = __import__("pki.server.deployment.scriptlets." + + pki_scriptlet, + fromlist=[pki_scriptlet]) + instance = scriptlet.PkiScriptlet() + try: + rv = instance.spawn(deployer) + # pylint: disable=W0703 + except Exception: + log_error_details() + print() + print("Installation failed.") + print() + sys.exit(1) + if rv != 0: + print("Nothing here!!!") + print("Installation failed.") + sys.exit(1) + config.pki_log.debug(log.PKI_DICTIONARY_MASTER, + extra=config.PKI_INDENTATION_LEVEL_0) + config.pki_log.debug(pkilogging.log_format(parser.mdict), + extra=config.PKI_INDENTATION_LEVEL_0) + + external = deployer.configuration_file.external + step_one = deployer.configuration_file.external_step_one + + if external and step_one: + external_csr_path = deployer.mdict['pki_external_csr_path'] + if external_csr_path: + print_external_ca_step_one_information(parser.mdict) + else: + print_existing_ca_step_one_information(parser.mdict) + else: + print_install_information(parser.mdict) + + +def start_logging(): # Enable 'pkispawn' logging. config.pki_log_dir = config.pki_root_prefix + \ config.PKI_DEPLOYMENT_LOG_ROOT 
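Review bot: With `--precheck` and `pki_skip_configuration=True`, the new code prints "pre-checks completed successfully." even though neither check_ds nor check_security_domain ran, because the `args.precheck` branch sits after the guarded block without inspecting the guard; an operator would read that as a verified environment. The exit message should distinguish the two cases, as below. The new `start_logging` also lands without a docstring; the same applies to create_master_dictionary, check_security_domain and check_ds in the later hunks. main() starts outside the hunk.
```python
    # … unchanged: start_logging / create_master_dictionary / guarded checks …
    if args.precheck:
        if config.str2bool(parser.mdict['pki_skip_configuration']):
            print('pre-checks skipped: pki_skip_configuration is set.')
        else:
            print('pre-checks completed successfully.')
        sys.exit(0)
```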
@@ -496,7 +560,6 @@ def main(argv): "-" + "spawn" + "." + \ config.pki_timestamp + "." + "log" print('Log file: %s/%s' % (config.pki_log_dir, config.pki_log_name)) - rv = pkilogging.enable_pki_logger(config.pki_log_dir, config.pki_log_name, config.pki_log_level, @@ -508,6 +571,8 @@ def main(argv): print(log.PKI_UNABLE_TO_CREATE_LOG_DIRECTORY_1 % config.pki_log_dir) sys.exit(1) + +def create_master_dictionary(parser): # Read the specified PKI configuration file. rv = parser.read_pki_configuration_file() if rv != 0: @@ -521,10 +586,8 @@ def main(argv): extra=config.PKI_INDENTATION_LEVEL_0) config.pki_log.debug(pkilogging.log_format(parser.slots_dict), extra=config.PKI_INDENTATION_LEVEL_0) - # Combine the various sectional dictionaries into a PKI master dictionary parser.compose_pki_master_dictionary() - parser.mdict['pki_spawn_log'] = \ config.pki_log_dir + "/" + config.pki_log_name config.pki_log.debug(log.PKI_DICTIONARY_MASTER, 
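Review bot: In the @@ -508 hunk, `def create_master_dictionary(parser):` is preceded by a single added blank line after the `sys.exit(1)` context line, so (unless a blank context line was lost in rendering) it violates PEP 8 E302, which wants two blank lines before a top-level definition; the @@ -488 hunk's `start_logging` gets two. The function also has no docstring; suggest `"""Read the deployment config and build parser.mdict; exits on read failure."""` as the first statement, with matching one-liners for start_logging, check_security_domain and check_ds. The @@ -521 hunk drops the comment explaining that the sectional dictionaries are merged into the master dictionary; keeping it next to `parser.compose_pki_master_dictionary()` would preserve that context.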
@@ -532,43 +595,21 @@ def main(argv): config.pki_log.debug(pkilogging.log_format(parser.mdict), extra=config.PKI_INDENTATION_LEVEL_0) - if not interactive and \ - not config.str2bool(parser.mdict['pki_skip_configuration']): + +def check_security_domain(parser): + if parser.mdict['pki_security_domain_type'] != "new": try: - # Verify existence of Directory Server Password - if 'pki_ds_password' not in parser.mdict or\ - not len(parser.mdict['pki_ds_password']): + # Verify existence of Security Domain Password + if 'pki_security_domain_password' not in parser.mdict or \ + not len(parser.mdict['pki_security_domain_password']): config.pki_log.error( log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, - "pki_ds_password", + "pki_security_domain_password", parser.mdict['pki_user_deployment_cfg'], extra=config.PKI_INDENTATION_LEVEL_0) sys.exit(1) - parser.ds_verify_configuration() - - if parser.ds_base_dn_exists() and\ - not config.str2bool(parser.mdict['pki_ds_remove_data']): - print('ERROR: Base DN already exists.') - sys.exit(1) - - except ldap.LDAPError as e: - print('ERROR: Unable to access directory server: ' + - e.args[0]['desc']) - sys.exit(1) - - if parser.mdict['pki_security_domain_type'] != "new": - try: - # Verify existence of Security Domain Password - if 'pki_security_domain_password' not in parser.mdict or\ - not len(parser.mdict['pki_security_domain_password']): - config.pki_log.error( - log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, - "pki_security_domain_password", - parser.mdict['pki_user_deployment_cfg'], - extra=config.PKI_INDENTATION_LEVEL_0) - sys.exit(1) - + if not config.str2bool(parser.mdict['pki_skip_sd_verify']): parser.sd_connect() info = parser.sd_get_info() parser.set_property(config.pki_subsystem, 
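Review bot: In check_security_domain the `try:` opens before the `pki_skip_sd_verify` guard, so the password-presence check and its `config.pki_log.error`/`sys.exit(1)` path are inside a block whose handlers (in the next hunk) only catch `requests.exceptions.ConnectionError` and `HTTPError`; the try should begin under `if not config.str2bool(parser.mdict['pki_skip_sd_verify']):` around `sd_connect`/`sd_get_info`/`sd_authenticate`, which are the only calls that can raise those. A docstring should also state that when the skip flag is set the security-domain password is not validated here, so presumably a wrong password only surfaces later during the scriptlets. The function's body continues into the following hunk.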
@@ -576,55 +617,39 @@ def main(argv): info.name) parser.sd_authenticate() - except requests.exceptions.ConnectionError as e: - print(('ERROR: Unable to access security domain: ' + str(e))) - sys.exit(1) + except requests.exceptions.ConnectionError as e: + print(('ERROR: Unable to access security domain: ' + str(e))) + sys.exit(1) - except requests.exceptions.HTTPError as e: - print(('ERROR: Unable to access security domain: ' + str(e))) - sys.exit(1) + except requests.exceptions.HTTPError as e: + print(('ERROR: Unable to access security domain: ' + str(e))) + sys.exit(1) - print("Installing " + config.pki_subsystem + " into " + - parser.mdict['pki_instance_path'] + ".") - # Process the various "scriptlets" to create the specified PKI subsystem. - pki_subsystem_scriptlets = parser.mdict['spawn_scriplets'].split() - deployer = util.PKIDeployer(parser.mdict, parser.slots_dict) - rv = 0 - for pki_scriptlet in pki_subsystem_scriptlets: - scriptlet = __import__("pki.server.deployment.scriptlets." 
+ - pki_scriptlet, - fromlist=[pki_scriptlet]) - instance = scriptlet.PkiScriptlet() - try: - rv = instance.spawn(deployer) - # pylint: disable=W0703 - except Exception: - log_error_details() - print() - print("Installation failed.") - print() - sys.exit(1) - if rv != 0: - print("Nothing here!!!") - print("Installation failed.") +def check_ds(parser): + try: + # Verify existence of Directory Server Password + if 'pki_ds_password' not in parser.mdict or \ + not len(parser.mdict['pki_ds_password']): + config.pki_log.error( + log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, + "pki_ds_password", + parser.mdict['pki_user_deployment_cfg'], + extra=config.PKI_INDENTATION_LEVEL_0) sys.exit(1) - config.pki_log.debug(log.PKI_DICTIONARY_MASTER, - extra=config.PKI_INDENTATION_LEVEL_0) - config.pki_log.debug(pkilogging.log_format(parser.mdict), - extra=config.PKI_INDENTATION_LEVEL_0) - external = deployer.configuration_file.external - step_one = deployer.configuration_file.external_step_one + if not config.str2bool(parser.mdict['pki_skip_ds_verify']): + parser.ds_verify_configuration() - if external and step_one: - external_csr_path = deployer.mdict['pki_external_csr_path'] - if external_csr_path: - print_external_ca_step_one_information(parser.mdict) - else: - print_existing_ca_step_one_information(parser.mdict) - else: - print_install_information(parser.mdict) + if parser.ds_base_dn_exists() and not \ + config.str2bool(parser.mdict['pki_ds_remove_data']): + print('ERROR: Base DN already exists.') + sys.exit(1) + + except ldap.LDAPError as e: + print('ERROR: Unable to access directory server: ' + + e.args[0]['desc']) + sys.exit(1) def set_port(parser, tag, prompt, existing_data): |
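Review bot: In check_ds the "Base DN already exists" check is nested under `if not config.str2bool(parser.mdict['pki_skip_ds_verify']):`, so setting the skip flag silently disables the data-protection check that stops an install from proceeding against an existing base DN when `pki_ds_remove_data` is not set; previously this check was unconditional in the verified path. If the base-DN test genuinely needs the connection that ds_verify_configuration establishes (I cannot tell from the hunk), the coupling should be stated in a docstring such as `"""Verify DS password, connectivity and base DN; pki_skip_ds_verify skips both the connection test and the base-DN check."""`, otherwise the base-DN check should sit outside the guard. The handler `e.args[0]['desc']` on `ldap.LDAPError` is carried over from the old code and assumes a dict payload; hedging it with a plain `str(e)` fallback would avoid a TypeError inside the error path. The enclosing diff ends inside this function's last hunk, so the next definition (set_port) begins outside it.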