diff options
Diffstat (limited to 'base/server/python/pki/server/deployment/scriptlets/client_database.py')
-rw-r--r-- | base/server/python/pki/server/deployment/scriptlets/client_database.py | 83 |
1 files changed, 83 insertions, 0 deletions
diff --git a/base/server/python/pki/server/deployment/scriptlets/client_database.py b/base/server/python/pki/server/deployment/scriptlets/client_database.py new file mode 100644 index 000000000..31abb6feb --- /dev/null +++ b/base/server/python/pki/server/deployment/scriptlets/client_database.py @@ -0,0 +1,83 @@ +# Authors: +# Matthew Harmsen <mharmsen@redhat.com> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2016 Red Hat, Inc. +# All rights reserved. +# + +from __future__ import absolute_import + +# PKI Deployment Imports +from .. import pkiconfig as config +from .. import pkimessages as log +from .. import pkiscriptlet + + +# PKI Deployment Client Database Scriptlet +class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + + def spawn(self, deployer): + + if config.str2bool(deployer.mdict['pki_skip_configuration']): + config.pki_log.info(log.SKIP_CLIENT_DATABASE_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return + + # Place "slightly" less restrictive permissions on + # the top-level client directory ONLY + + deployer.directory.create( + deployer.mdict['pki_client_subsystem_dir'], + uid=0, gid=0, + perms=config.PKI_DEPLOYMENT_DEFAULT_CLIENT_DIR_PERMISSIONS) + + # Since 'certutil' does NOT strip the 'token=' portion of + # the 'token=password' entries, create a client password file + # which ONLY contains the 'password' for the purposes of + # allowing 'certutil' to generate the security databases + + deployer.password.create_password_conf( + deployer.mdict['pki_client_password_conf'], + deployer.mdict['pki_client_database_password'], pin_sans_token=True) + + deployer.file.modify( + deployer.mdict['pki_client_password_conf'], + uid=0, gid=0) + + # Similarly, create a simple password file containing the + # PKCS #12 password used when exporting the "Admin Certificate" + # into a PKCS #12 file + + deployer.password.create_client_pkcs12_password_conf( + deployer.mdict['pki_client_pkcs12_password_conf']) + + deployer.file.modify(deployer.mdict['pki_client_pkcs12_password_conf']) + + deployer.directory.create( + deployer.mdict['pki_client_database_dir'], + uid=0, gid=0) + + deployer.certutil.create_security_databases( + deployer.mdict['pki_client_database_dir'], + deployer.mdict['pki_client_cert_database'], + deployer.mdict['pki_client_key_database'], + deployer.mdict['pki_client_secmod_database'], + password_file=deployer.mdict['pki_client_password_conf']) + + + def destroy(self, deployer): + + pass |