Diffstat (limited to 'base/server/python/pki')
-rw-r--r-- | base/server/python/pki/server/deployment/pkihelper.py | 85 | ||||
-rw-r--r-- | base/server/python/pki/server/deployment/pkimessages.py | 2 | ||||
-rw-r--r-- | base/server/python/pki/server/deployment/pkiparser.py | 2 |
3 files changed, 69 insertions, 20 deletions
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index 823a20711..afb7eea29 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -27,6 +27,7 @@ import os
 import fileinput
 import random
 import re
+import requests.exceptions
 import shutil
 from shutil import Error, WindowsError
 import string
@@ -2649,20 +2650,9 @@ class KRAConnector:
                 self.mdict['pki_target_cs_cfg'])
             krahost = cs_cfg.get('service.machineName')
             kraport = cs_cfg.get('pkicreate.secure_port')
-            cahost = cs_cfg.get('cloning.ca.hostname')
-            caport = cs_cfg.get('cloning.ca.httpsport')
-            if cahost is None or\
-                    caport is None:
-                config.pki_log.warning(
-                    log.PKIHELPER_KRACONNECTOR_UPDATE_FAILURE,
-                    extra=config.PKI_INDENTATION_LEVEL_2)
-                config.pki_log.error(
-                    log.PKIHELPER_UNDEFINED_CA_HOST_PORT,
-                    extra=config.PKI_INDENTATION_LEVEL_2)
-                if critical_failure:
-                    raise Exception(log.PKIHELPER_UNDEFINED_CA_HOST_PORT)
-                else:
-                    return
+            proxy_secure_port = cs_cfg.get('proxy.securePort', '')
+            if proxy_secure_port != '':
+                kraport = proxy_secure_port
 
             # retrieve subsystem nickname
             subsystemnick = cs_cfg.get('kra.cert.subsystem.nickname')
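Review bot: The port swap in the `@@ -2649` hunk is undocumented: `kraport` is silently replaced by `proxy.securePort` whenever that key is set, and nothing says why the proxy port rather than `pkicreate.secure_port` is the value the CA connector entry was registered under. Add a comment such as `# a CA reaches a proxied KRA on proxy.securePort, so that is the port the connector entry carries` above the override, and confirm against the registration path that this matches what was stored. As a point of style, `cs_cfg.get('proxy.securePort')` followed by `if proxy_secure_port:` says the same thing without the sentinel default and the `!= ''` comparison. The enclosing method starts before the hunk and continues past it.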
@@ -2703,9 +2693,49 @@ class KRAConnector:
                 else:
                     return
 
-            self.execute_using_sslget(
-                caport, cahost, subsystemnick,
-                token_pwd, krahost, kraport)
+            # Note: this is a hack to resolve Trac Ticket 1113
+            # We need to remove the KRA connector data from all relevant clones,
+            # but we have no way of easily identifying which instances are
+            # the right ones.  Instead, We will attempt to remove the KRA
+            # connector from all CAs in the security domain.
+            # The better - and long term solution is to store the connector
+            # configuration in LDAP so that updating one clone will
+            # automatically update the rest.
+            # TODO(alee): Fix this logic once we move connector data to LDAP
+
+            # get a list of all the CA's in the security domain
+            # noinspection PyBroadException
+            # pylint: disable-msg=W0703
+            sechost = cs_cfg.get('securitydomain.host')
+            secport = cs_cfg.get('securitydomain.httpsadminport')
+            try:
+                ca_list = self.get_ca_list_from_security_domain(
+                    sechost, secport)
+            except Exception as e:
+                config.pki_log.error(
+                    "unable to access security domain. Continuing .. " + str(e),
+                    extra=config.PKI_INDENTATION_LEVEL_2)
+                ca_list = []
+
+            for ca in ca_list:
+                ca_host = ca.hostname
+                ca_port = ca.secure_port
+
+                # catching all exceptions because we do not want to break if
+                # the auth is not successful or servers are down.  In the
+                # worst case, we will time out anyways.
+                # noinspection PyBroadException
+                # pylint: disable-msg=W0703
+                try:
+                    self.execute_using_sslget(
+                        ca_port, ca_host, subsystemnick,
+                        token_pwd, krahost, kraport)
+                except Exception:
+                    # ignore exceptions
+                    config.pki_log.warning(
+                        log.PKIHELPER_KRACONNECTOR_DEREGISTER_FAILURE_4,
+                        str(krahost), str(kraport), str(ca_host), str(ca_port),
+                        extra=config.PKI_INDENTATION_LEVEL_2)
 
         except subprocess.CalledProcessError as exc:
             config.pki_log.warning(
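Review bot: The per-CA `except Exception:` in the loop discards the exception object, so the `PKIHELPER_KRACONNECTOR_DEREGISTER_FAILURE_4` warning cannot tell an operator whether that CA was down, rejected the subsystem certificate, or still holds a connector entry for the removed KRA that now has to be cleaned up by hand; bind it as `except Exception as e:` and include `str(e)` in the log call. The outer lookup has the same shape: when `get_ca_list_from_security_domain` fails, `ca_list = []` turns the whole deregistration into a no-op reported by a single error line, although the method takes `critical_failure` (the removed lines honoured it for the missing CA host/port case), so `if critical_failure: raise` before `ca_list = []` would preserve that contract. `# pylint: disable-msg=W0703` is the deprecated spelling; `# pylint: disable=broad-except` is the current form. The enclosing method starts before the hunk, and its `except subprocess.CalledProcessError` branch continues past it.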
@@ -2719,6 +2749,24 @@ class KRAConnector:
                 raise
         return
 
+    @staticmethod
+    def get_ca_list_from_security_domain(sechost, secport):
+        sd_connection = pki.client.PKIConnection(
+            protocol='https',
+            hostname=sechost,
+            port=secport,
+            subsystem='ca')
+        sd = pki.system.SecurityDomainClient(sd_connection)
+        try:
+            info = sd.get_security_domain_info()
+        except requests.exceptions.HTTPError as e:
+            config.pki_log.info(
+                "unable to access security domain through REST interface. " +
+                "Trying old interface. " + str(e),
+                extra=config.PKI_INDENTATION_LEVEL_2)
+            info = sd.get_old_security_domain_info()
+        return info.systems['CA'].hosts.values()
+
     def execute_using_pki(
             self, caport, cahost, subsystemnick,
             token_pwd, krahost, kraport, critical_failure=False):
@@ -2732,8 +2780,7 @@ class KRAConnector:
                    "ca-kraconnector-del", krahost, str(kraport)]
 
         output = subprocess.check_output(command,
-                                         stderr=subprocess.STDOUT,
-                                         shell=True)
+                                         stderr=subprocess.STDOUT)
 
         error = re.findall("ClientResponseFailure:(.*?)", output)
         if error:
diff --git a/base/server/python/pki/server/deployment/pkimessages.py b/base/server/python/pki/server/deployment/pkimessages.py
index 8b5ce3f2c..1c21e8689 100644
--- a/base/server/python/pki/server/deployment/pkimessages.py
+++ b/base/server/python/pki/server/deployment/pkimessages.py
@@ -216,6 +216,8 @@ PKIHELPER_KRACONNECTOR_UPDATE_CONTACT = \
 PKIHELPER_KRACONNECTOR_UPDATE_FAILURE = "Failed to update KRA connector on CA"
 PKIHELPER_KRACONNECTOR_UPDATE_FAILURE_2 = \
     "Failed to update KRA connector for %s:%s"
+PKIHELPER_KRACONNECTOR_DEREGISTER_FAILURE_4 = \
+    "Failed to deregister KRA connector %s:%s from CA %s:%s"
 PKIHELPER_LINK_S_2 = "ln -s %s %s"
 PKIHELPER_MKDIR_1 = "mkdir -p %s"
 PKIHELPER_MODIFY_DIR_1 = "modifying '%s'"
diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
index 3b2a99c9f..1f6cbe0b4 100644
--- a/base/server/python/pki/server/deployment/pkiparser.py
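Review bot: `get_ca_list_from_security_domain` has no docstring, and `info.systems['CA']` raises `KeyError` when the domain info lists no CA subsystem, which the caller's broad handler reports only as "unable to access security domain". Add `"""Return the CA hosts registered in the security domain at sechost:secport, falling back to the pre-REST interface on HTTPError."""` and guard the lookup with `ca = info.systems.get('CA')` / `return ca.hosts.values() if ca else []`. The fallback catches only `requests.exceptions.HTTPError`, so connection and TLS failures from the REST call propagate to the caller instead of trying the old interface; if that is intended, a one-line comment on the `except` saying so would stop the next reader from widening it. `pki.client` and `pki.system` are not imported in this hunk; confirm they are in scope in pkihelper.py.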
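Review bot: In the `@@ -2732` hunk the pattern `"ClientResponseFailure:(.*?)"` ends in a lazy group with nothing after it, so the group always matches the empty string and `error` is a list of `''` values: `if error:` still works as a presence check, but any message taken from it is empty. If the text after the marker is meant to be reported, use `error = re.findall("ClientResponseFailure:(.*)", output)` or bound the group with what follows it. `execute_using_pki` starts before the hunk and continues past it.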
+++ b/base/server/python/pki/server/deployment/pkiparser.py
@@ -27,7 +27,7 @@ import ldap
 import logging
 import os
 import random
-import requests
+import requests.exceptions
 import string
 import subprocess
 import xml.etree.ElementTree as ET