diff options
Diffstat (limited to 'base/deploy/src/scriptlets')
| -rw-r--r-- | base/deploy/src/scriptlets/infrastructure_layout.py | 10 | ||||
| -rw-r--r-- | base/deploy/src/scriptlets/pkiconfig.py | 5 | ||||
| -rw-r--r-- | base/deploy/src/scriptlets/pkijython.py | 4 | ||||
| -rw-r--r-- | base/deploy/src/scriptlets/pkiparser.py | 271 |
4 files changed, 190 insertions, 100 deletions
diff --git a/base/deploy/src/scriptlets/infrastructure_layout.py b/base/deploy/src/scriptlets/infrastructure_layout.py index 947fbcdfe..1a2751f63 100644 --- a/base/deploy/src/scriptlets/infrastructure_layout.py +++ b/base/deploy/src/scriptlets/infrastructure_layout.py @@ -58,8 +58,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): util.directory.create(master['pki_subsystem_registry_path']) util.file.copy(master['pki_default_deployment_cfg'], master['pki_default_deployment_cfg_replica']) - util.file.copy(master['pki_user_deployment_cfg'], - master['pki_user_deployment_cfg_replica']) + + if master['pki_user_deployment_cfg']: + util.file.copy(master['pki_user_deployment_cfg'], + master['pki_user_deployment_cfg_replica']) + else: + with open(master['pki_user_deployment_cfg_replica'], 'w') as f: + config.user_config.write(f) + # establish top-level infrastructure, instance, and subsystem # base directories and create the "registry" symbolic link that # the "pkidestroy" executable relies upon diff --git a/base/deploy/src/scriptlets/pkiconfig.py b/base/deploy/src/scriptlets/pkiconfig.py index 4a884617c..cdd671c91 100644 --- a/base/deploy/src/scriptlets/pkiconfig.py +++ b/base/deploy/src/scriptlets/pkiconfig.py @@ -180,10 +180,7 @@ pki_console_log_level = None # PKI Deployment Global Dictionaries -pki_default_dict = None -pki_web_server_dict = None -pki_subsystem_dict = None -pki_master_dict = None +pki_master_dict = {} pki_slots_dict = None pki_master_jython_dict = None diff --git a/base/deploy/src/scriptlets/pkijython.py b/base/deploy/src/scriptlets/pkijython.py index a7635c130..4768d8af9 100644 --- a/base/deploy/src/scriptlets/pkijython.py +++ b/base/deploy/src/scriptlets/pkijython.py @@ -566,9 +566,7 @@ class rest_client: javasystem.out.println(log.PKI_JYTHON_RESPONSE_ADMIN_CERT +\ " " + admin_cert) # Store the Administration Certificate in a file - admin_cert_file = os.path.join( - master['pki_client_dir'], - master['pki_client_admin_cert']) + admin_cert_file = master['pki_client_admin_cert'] admin_cert_bin_file = admin_cert_file + ".der" javasystem.out.println(log.PKI_JYTHON_ADMIN_CERT_SAVE +\ " " + "'" + admin_cert_file + "'") diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py index ba4f376da..4ef31cbd8 100644 --- a/base/deploy/src/scriptlets/pkiparser.py +++ b/base/deploy/src/scriptlets/pkiparser.py @@ -22,6 +22,7 @@ # System Imports import ConfigParser import argparse +import getpass import logging import os import random @@ -54,14 +55,15 @@ class PKIConfigParser: # Establish 'Mandatory' command-line options self.mandatory = self.arg_parser.add_argument_group('mandatory arguments') - self.mandatory.add_argument('-s', + + # Establish 'Optional' command-line options + self.optional = self.arg_parser.add_argument_group('optional arguments') + self.optional.add_argument('-s', dest='pki_subsystem', action='store', nargs=1, choices=config.PKI_SUBSYSTEMS, - required=True, metavar='<subsystem>', + metavar='<subsystem>', help='where <subsystem> is ' 'CA, KRA, OCSP, RA, TKS, or TPS') - # Establish 'Optional' command-line options - self.optional = self.arg_parser.add_argument_group('optional arguments') self.optional.add_argument('-h', '--help', dest='help', action='help', help='show this help message and exit') @@ -84,8 +86,6 @@ class PKIConfigParser: args = self.arg_parser.parse_args() # Process 'Mandatory' command-line options - # '-s' - config.pki_subsystem = str(args.pki_subsystem).strip('[\']') # Process 'Optional' command-line options # '-v' @@ -122,7 +122,7 @@ class PKIConfigParser: return args - def validate(self): + def initialize(self): # Validate command-line options if len(config.pki_root_prefix) > 0: @@ -145,15 +145,63 @@ class PKIConfigParser: self.arg_parser.print_help() self.arg_parser.exit(-1); - # verify user configuration file exists - if not os.path.exists(config.user_deployment_cfg) or\ - not os.path.isfile(config.user_deployment_cfg): - print "ERROR: " +\ - log.PKI_FILE_MISSING_OR_NOT_A_FILE_1 %\ - config.user_deployment_cfg - print - self.arg_parser.print_help() - self.arg_parser.exit(-1); + if config.user_deployment_cfg: + # verify user configuration file exists + if not os.path.exists(config.user_deployment_cfg) or\ + not os.path.isfile(config.user_deployment_cfg): + print "ERROR: " +\ + log.PKI_FILE_MISSING_OR_NOT_A_FILE_1 %\ + config.user_deployment_cfg + print + parser.arg_parser.print_help() + parser.arg_parser.exit(-1); + + + def initialize_config(self): + + # RESTEasy + resteasy_lib = subprocess.check_output(\ + 'source /etc/pki/pki.conf && echo $RESTEASY_LIB', + shell=True).strip() + + # arch dependent libpath + if config.pki_architecture == 64: + arch_java_lib = '/usr/lib64/java' + else: + arch_java_lib = '/usr/lib/java' + + if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: + default_instance_name = 'pki-tomcat' + default_http_port = '8080' + default_https_port = '8443' + else: + default_instance_name = 'pki-apache' + default_http_port = '80' + default_https_port = '443' + + self.pki_config = ConfigParser.SafeConfigParser({ + 'pki_instance_name': default_instance_name, + 'pki_http_port': default_http_port, + 'pki_https_port': default_https_port, + 'pki_dns_domainname': config.pki_dns_domainname, + 'pki_subsystem': config.pki_subsystem, + 'pki_subsystem_type': config.pki_subsystem.lower(), + 'pki_root_prefix' : config.pki_root_prefix, + 'resteasy_lib': resteasy_lib, + 'arch_java_lib': arch_java_lib, + 'home_dir': os.path.expanduser("~"), + 'pki_hostname': config.pki_hostname}) + + # Make keys case-sensitive! + self.pki_config.optionxform = str + + config.user_config = ConfigParser.SafeConfigParser() + config.user_config.optionxform = str + + with open(config.default_deployment_cfg) as f: + self.pki_config.readfp(f) + + self.flatten_master_dict() # The following code is based heavily upon @@ -180,83 +228,130 @@ class PKIConfigParser: return values + def set_property(self, section, property, value): + if section != "DEFAULT" and not self.pki_config.has_section(section): + self.pki_config.add_section(section) + self.pki_config.set(section, property, value) + self.flatten_master_dict() + + if section != "DEFAULT" and not config.user_config.has_section(section): + config.user_config.add_section(section) + config.user_config.set(section, property, value) + + + def read_text(self, message, + section=None, property=None, default=None, + options=None, sign=':', allowEmpty=True, caseSensitive=True, + indent=0): + + if default is None and not property is None: + default = config.pki_master_dict[property] + if default: + message = message + ' [' + default + ']' + message = ' ' * indent + message + sign + ' ' + + done = False + while not done: + value = raw_input(message) + value = value.strip() + + if len(value) == 0: # empty value + if allowEmpty: + value = default + done = True + break + + else: # non-empty value + if options is not None: + for v in options: + if caseSensitive: + if v == value: + done = True + break + else: + if v.lower() == value.lower(): + done = True + break + else: + done = True + break + + if section: + self.set_property(section, property, value) + + return value + + + def read_password(self, message, section=None, property=None, + verifyMessage=None, indent=0): + message = ' ' * indent + message + ': ' + verifyMessage = ' ' * indent + verifyMessage + ': ' + while True: + password = '' + while len(password) == 0: + password = getpass.getpass(prompt=message) + + verification = '' + while len(verification) == 0: + verification = getpass.getpass(prompt=verifyMessage) + + if password == verification: + break + else: + print ' ' * indent + 'Passwords do not match.' + + if section: + self.pki_config.set(section, property, password) + self.flatten_master_dict() + + if section != "DEFAULT" and not config.user_config.has_section(section): + config.user_config.add_section(section) + config.user_config.set(section, property, password) + + return password + def read_pki_configuration_file(self): "Read configuration file sections into dictionaries" rv = 0 try: - if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: - default_instance_name = 'pki-tomcat' - default_http_port = '8080' - default_https_port = '8443' - else: - default_instance_name = 'pki-apache' - default_http_port = '80' - default_https_port = '443' - - # RESTEasy - resteasy_lib = subprocess.check_output(\ - 'source /etc/pki/pki.conf && echo $RESTEASY_LIB', - shell=True).strip() - - # arch dependent libpath - if config.pki_architecture == 64: - arch_java_lib = '/usr/lib64/java' - else: - arch_java_lib = '/usr/lib/java' - - predefined_dict = {'pki_instance_name': default_instance_name, - 'pki_http_port': default_http_port, - 'pki_https_port': default_https_port, - 'pki_dns_domainname': config.pki_dns_domainname, - 'pki_subsystem' : config.pki_subsystem, - 'pki_subsystem_type': config.pki_subsystem.lower(), - 'pki_root_prefix' : config.pki_root_prefix, - 'resteasy_lib': resteasy_lib, - 'arch_java_lib': arch_java_lib, - 'home_dir': os.path.expanduser("~"), - 'pki_hostname': config.pki_hostname} - - self.pki_config = ConfigParser.SafeConfigParser(predefined_dict) - # Make keys case-sensitive! - self.pki_config.optionxform = str - self.pki_config.read([ - config.default_deployment_cfg, - config.user_deployment_cfg]) - config.pki_default_dict = dict(self.pki_config.items('DEFAULT')) - pkilogging.sensitive_parameters = config.pki_default_dict['sensitive_parameters'].split() - if config.pki_subsystem == "CA": - config.pki_web_server_dict = dict(self.pki_config.items('Tomcat')) - config.pki_subsystem_dict = dict(self.pki_config.items('CA')) - elif config.pki_subsystem == "KRA": - config.pki_web_server_dict = dict(self.pki_config.items('Tomcat')) - config.pki_subsystem_dict = dict(self.pki_config.items('KRA')) - elif config.pki_subsystem == "OCSP": - config.pki_web_server_dict = dict(self.pki_config.items('Tomcat')) - config.pki_subsystem_dict = dict(self.pki_config.items('OCSP')) - elif config.pki_subsystem == "RA": - config.pki_web_server_dict = dict(self.pki_config.items('Apache')) - config.pki_subsystem_dict = dict(self.pki_config.items('RA')) - elif config.pki_subsystem == "TKS": - config.pki_web_server_dict = dict(self.pki_config.items('Tomcat')) - config.pki_subsystem_dict = dict(self.pki_config.items('TKS')) - elif config.pki_subsystem == "TPS": - config.pki_web_server_dict = dict(self.pki_config.items('Apache')) - config.pki_subsystem_dict = dict(self.pki_config.items('TPS')) - # Insert empty record into dictionaries for "pretty print" statements - # NEVER print "sensitive" key value pairs!!! - config.pki_default_dict[0] = None - config.pki_web_server_dict[0] = None - config.pki_subsystem_dict[0] = None + if config.user_deployment_cfg: + print 'Reading configuration file ' + config.user_deployment_cfg + '.' + self.pki_config.read([config.user_deployment_cfg]) + except ConfigParser.ParsingError, err: print err rv = err return rv + def flatten_master_dict(self): + config.pki_master_dict.update(__name__="PKI Master Dictionary") + + default_dict = dict(self.pki_config.items('DEFAULT')) + default_dict[0] = None + config.pki_master_dict.update(default_dict) + + web_server_dict = None + if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: + if self.pki_config.has_section('Tomcat'): + web_server_dict = dict(self.pki_config.items('Tomcat')) + else: + if self.pki_config.has_section('Apache'): + web_server_dict = dict(self.pki_config.items('Apache')) + + if web_server_dict: + web_server_dict[0] = None + config.pki_master_dict.update(web_server_dict) + + if self.pki_config.has_section(config.pki_subsystem): + subsystem_dict = dict(self.pki_config.items(config.pki_subsystem)) + subsystem_dict[0] = None + config.pki_master_dict.update(subsystem_dict) + + def compose_pki_master_dictionary(self): "Create a single master PKI dictionary from the sectional dictionaries" try: - config.pki_master_dict = dict() # 'pkispawn'/'pkirespawn'/'pkidestroy' name/value pairs config.pki_master_dict['pki_deployment_executable'] =\ config.pki_deployment_executable @@ -280,12 +375,10 @@ class PKIConfigParser: random.randint(pin_low, pin_high) config.pki_master_dict['pki_client_pin'] =\ random.randint(pin_low, pin_high) - # Configuration file name/value pairs - # NEVER add "sensitive" key value pairs to the master dictionary!!! - config.pki_master_dict.update(config.pki_default_dict) - config.pki_master_dict.update(config.pki_web_server_dict) - config.pki_master_dict.update(config.pki_subsystem_dict) - config.pki_master_dict.update(__name__="PKI Master Dictionary") + + self.flatten_master_dict() + + pkilogging.sensitive_parameters = config.pki_master_dict['sensitive_parameters'].split() # PKI Target (slot substitution) name/value pairs config.pki_master_dict['pki_target_cs_cfg'] =\ @@ -783,11 +876,7 @@ class PKIConfigParser: "https" + "://" +\ config.pki_master_dict['pki_security_domain_hostname'] + ":" +\ config.pki_master_dict['pki_security_domain_https_port'] - if not len(config.pki_master_dict['pki_issuing_ca']): - # Guess that it is the same as the - # config.pki_master_dict['pki_security_domain_uri'] - config.pki_master_dict['pki_issuing_ca'] =\ - config.pki_master_dict['pki_security_domain_uri'] + elif config.str2bool(config.pki_master_dict['pki_external']): # External CA config.pki_master_dict['pki_security_domain_type'] = "new" |