Diffstat (limited to 'base/server/src/scriptlets')
-rw-r--r--base/server/src/scriptlets/configuration.py150
-rw-r--r--base/server/src/scriptlets/finalization.py114
-rw-r--r--base/server/src/scriptlets/infrastructure_layout.py116
-rw-r--r--base/server/src/scriptlets/initialization.py126
-rw-r--r--base/server/src/scriptlets/instance_layout.py190
-rw-r--r--base/server/src/scriptlets/security_databases.py119
-rw-r--r--base/server/src/scriptlets/selinux_setup.py175
-rw-r--r--base/server/src/scriptlets/slot_substitution.py103
-rw-r--r--base/server/src/scriptlets/subsystem_layout.py126
-rw-r--r--base/server/src/scriptlets/webapp_deployment.py170
10 files changed, 1389 insertions, 0 deletions
diff --git a/base/server/src/scriptlets/configuration.py b/base/server/src/scriptlets/configuration.py
new file mode 100644
index 000000000..7bd1b017a
--- /dev/null
+++ b/base/server/src/scriptlets/configuration.py
@@ -0,0 +1,150 @@
+#!/usr/bin/python -t
+# Authors:
+# Matthew Harmsen <mharmsen@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2012 Red Hat, Inc.
+# All rights reserved.
+#
+
+# PKI Deployment Imports
+import pkiconfig as config
+from pkiconfig import pki_master_dict as master
+import pkihelper as util
+import pkimessages as log
+import pkiscriptlet
+import json
+import pki.system
+import pki.encoder
+
+
+# PKI Deployment Configuration Scriptlet
+class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
+ rv = 0
+
+ def spawn(self):
+ if config.str2bool(master['pki_skip_configuration']):
+ config.pki_log.info(log.SKIP_CONFIGURATION_SPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ return self.rv
+ config.pki_log.info(log.CONFIGURATION_SPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+
+ # Place "slightly" less restrictive permissions on
+ # the top-level client directory ONLY
+ util.directory.create(master['pki_client_subsystem_dir'],
+ uid=0, gid=0,
+ perms=config.PKI_DEPLOYMENT_DEFAULT_CLIENT_DIR_PERMISSIONS)
+ # Since 'certutil' does NOT strip the 'token=' portion of
+ # the 'token=password' entries, create a client password file
+ # which ONLY contains the 'password' for the purposes of
+ # allowing 'certutil' to generate the security databases
+ util.password.create_password_conf(
+ master['pki_client_password_conf'],
+ master['pki_client_database_password'], pin_sans_token=True)
+ util.file.modify(master['pki_client_password_conf'],
+ uid=0, gid=0)
+ # Similarly, create a simple password file containing the
+ # PKCS #12 password used when exporting the "Admin Certificate"
+ # into a PKCS #12 file
+ util.password.create_client_pkcs12_password_conf(
+ master['pki_client_pkcs12_password_conf'])
+ util.file.modify(master['pki_client_pkcs12_password_conf'])
+ util.directory.create(master['pki_client_database_dir'],
+ uid=0, gid=0)
+ util.certutil.create_security_databases(
+ master['pki_client_database_dir'],
+ master['pki_client_cert_database'],
+ master['pki_client_key_database'],
+ master['pki_client_secmod_database'],
+ password_file=master['pki_client_password_conf'])
+ util.symlink.create(master['pki_systemd_service'],
+ master['pki_systemd_service_link'])
+
+ # Start/Restart this Apache/Tomcat PKI Process
+ if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS:
+ apache_instance_subsystems =\
+ util.instance.apache_instance_subsystems()
+ if apache_instance_subsystems == 1:
+ util.systemd.start()
+ elif apache_instance_subsystems > 1:
+ util.systemd.restart()
+ elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
+ # Optionally prepare to enable a java debugger
+ # (e. g. - 'eclipse'):
+ if config.str2bool(master['pki_enable_java_debugger']):
+ config.prepare_for_an_external_java_debugger(
+ master['pki_target_tomcat_conf_instance_id'])
+ tomcat_instance_subsystems =\
+ len(util.instance.tomcat_instance_subsystems())
+ if tomcat_instance_subsystems == 1:
+ util.systemd.start()
+ elif tomcat_instance_subsystems > 1:
+ util.systemd.restart()
+
+ # wait for startup
+ status = util.instance.wait_for_startup(60)
+ if status == None:
+ config.pki_log.error("server failed to restart",
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+
+ # Optionally wait for debugger to attach (e. g. - 'eclipse'):
+ if config.str2bool(master['pki_enable_java_debugger']):
+ config.wait_to_attach_an_external_java_debugger()
+
+ config_client = util.config_client()
+ # Construct PKI Subsystem Configuration Data
+ data = None
+ if master['pki_instance_type'] == "Apache":
+ if master['pki_subsystem'] == "RA":
+ config.pki_log.info(log.PKI_CONFIG_NOT_YET_IMPLEMENTED_1,
+ master['pki_subsystem'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ return rv
+ elif master['pki_subsystem'] == "TPS":
+ config.pki_log.info(log.PKI_CONFIG_NOT_YET_IMPLEMENTED_1,
+ master['pki_subsystem'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ return rv
+ elif master['pki_instance_type'] == "Tomcat":
+ # CA, KRA, OCSP, or TKS
+ data = config_client.construct_pki_configuration_data()
+
+ # Configure the substem
+ config_client.configure_pki_data(
+ json.dumps(data, cls=pki.encoder.CustomTypeEncoder))
+
+ return self.rv
+
+ def respawn(self):
+ config.pki_log.info(log.CONFIGURATION_RESPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ return self.rv
+
+ def destroy(self):
+ config.pki_log.info(log.CONFIGURATION_DESTROY_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
+ util.instance.apache_instance_subsystems() == 1:
+ if util.directory.exists(master['pki_client_dir']):
+ util.directory.delete(master['pki_client_dir'])
+ util.symlink.delete(master['pki_systemd_service_link'])
+ elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
+ len(util.instance.tomcat_instance_subsystems()) == 1:
+ if util.directory.exists(master['pki_client_dir']):
+ util.directory.delete(master['pki_client_dir'])
+ util.symlink.delete(master['pki_systemd_service_link'])
+ return self.rv
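Review bot: The failed-startup branch in spawn() calls `sys.exit(1)` but this file never imports `sys` (the import block only brings in pkiconfig, pkihelper, pkimessages, pkiscriptlet, json, pki.system and pki.encoder), so that error path raises NameError instead of exiting; the two `return rv` statements in the RA/TPS branches likewise reference a local that does not exist, since the attribute is `self.rv`. Add `import sys` to the import block and change both to `return self.rv`. The comparison `if status == None:` should be `if status is None:`. The client password file is created with root ownership via `util.file.modify(master['pki_client_password_conf'], uid=0, gid=0)` but, unlike the directory call a few lines above, passes no `perms=`; since that file holds the client database password it is worth confirming the helper's default mode is owner-only, and passing an explicit mode if it is not.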
diff --git a/base/server/src/scriptlets/finalization.py b/base/server/src/scriptlets/finalization.py
new file mode 100644
index 000000000..6ddc98d03
--- /dev/null
+++ b/base/server/src/scriptlets/finalization.py
@@ -0,0 +1,114 @@
+#!/usr/bin/python -t
+# Authors:
+# Matthew Harmsen <mharmsen@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2012 Red Hat, Inc.
+# All rights reserved.
+#
+
+# PKI Deployment Imports
+import pkiconfig as config
+from pkiconfig import pki_master_dict as master
+import pkihelper as util
+import pkimanifest as manifest
+import pkimessages as log
+import pkiscriptlet
+
+
+# PKI Deployment Finalization Scriptlet
+class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
+ rv = 0
+
+ def spawn(self):
+ if master['pki_subsystem'] == "CA" and\
+ config.str2bool(master['pki_external_step_two']):
+ # must check for 'External CA Step 2' installation PRIOR to
+ # 'pki_skip_installation' since this value has been set to true
+ # by the initialization scriptlet
+ pass
+ elif config.str2bool(master['pki_skip_installation']):
+ config.pki_log.info(log.SKIP_FINALIZATION_SPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ return self.rv
+ config.pki_log.info(log.FINALIZATION_SPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ # For debugging/auditing purposes, save a timestamped copy of
+ # this configuration file in the subsystem archive
+ util.file.copy(master['pki_user_deployment_cfg_replica'],
+ master['pki_user_deployment_cfg_spawn_archive'])
+ # Save a copy of the installation manifest file
+ config.pki_log.info(log.PKI_MANIFEST_MESSAGE_1, master['pki_manifest'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ # for record in manifest.database:
+ # print tuple(record)
+ manifest.file.register(master['pki_manifest'])
+ manifest.file.write()
+ util.file.modify(master['pki_manifest'], silent=True)
+
+ # Also, for debugging/auditing purposes, save a timestamped copy of
+ # this installation manifest file
+ util.file.copy(master['pki_manifest'],
+ master['pki_manifest_spawn_archive'])
+ # Optionally, programmatically 'restart' the configured PKI instance
+ if config.str2bool(master['pki_restart_configured_instance']):
+ util.systemd.restart()
+ # Optionally, 'purge' the entire temporary client infrastructure
+ # including the client NSS security databases and password files
+ #
+ # WARNING: If the PKCS #12 file containing the Admin Cert was
+ # placed under this infrastructure, it may accidentally
+ # be deleted!
+ #
+ if config.str2bool(master['pki_client_database_purge']):
+ if util.directory.exists(master['pki_client_subsystem_dir']):
+ util.directory.delete(master['pki_client_subsystem_dir'])
+ # If instance has not been configured, print the
+ # configuration URL to the log
+ if config.str2bool(master['pki_skip_configuration']):
+ util.configuration_file.log_configuration_url()
+ # Log final process messages
+ config.pki_log.info(log.PKISPAWN_END_MESSAGE_2,
+ master['pki_subsystem'],
+ master['pki_instance_name'],
+ extra=config.PKI_INDENTATION_LEVEL_0)
+ util.file.modify(master['pki_spawn_log'], silent=True)
+ # If instance has not been configured, print the
+ # configuration URL to the screen
+ if config.str2bool(master['pki_skip_configuration']):
+ util.configuration_file.display_configuration_url()
+ return self.rv
+
+ def respawn(self):
+ config.pki_log.info(log.FINALIZATION_RESPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ return self.rv
+
+ def destroy(self):
+ config.pki_log.info(log.FINALIZATION_DESTROY_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ util.file.modify(master['pki_destroy_log'], silent=True)
+ # Start this Apache/Tomcat PKI Process
+ if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
+ util.instance.apache_instance_subsystems() >= 1:
+ util.systemd.start()
+ elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
+ len(util.instance.tomcat_instance_subsystems()) >= 1:
+ util.systemd.start()
+ config.pki_log.info(log.PKIDESTROY_END_MESSAGE_2,
+ master['pki_subsystem'],
+ master['pki_instance_name'],
+ extra=config.PKI_INDENTATION_LEVEL_0)
+ return self.rv
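Review bot: The archived copy of the deployment configuration produced by `util.file.copy(master['pki_user_deployment_cfg_replica'], master['pki_user_deployment_cfg_spawn_archive'])` near the top of spawn() gets no ownership or mode adjustment afterwards, whereas the manifest written a few lines later is followed by `util.file.modify(master['pki_manifest'], silent=True)`. That configuration file appears to be the source of the values initialization.py checks with verify_sensitive_data(), so unless `util.file.copy` itself applies a restrictive mode the archive should get `util.file.modify(master['pki_user_deployment_cfg_spawn_archive'], silent=True)`, and the same applies to the manifest archive copy. The commented-out debugging loop `# for record in manifest.database:` / `# print tuple(record)` should be deleted rather than committed.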
diff --git a/base/server/src/scriptlets/infrastructure_layout.py b/base/server/src/scriptlets/infrastructure_layout.py
new file mode 100644
index 000000000..69a905849
--- /dev/null
+++ b/base/server/src/scriptlets/infrastructure_layout.py
@@ -0,0 +1,116 @@
+#!/usr/bin/python -t
+# Authors:
+# Matthew Harmsen <mharmsen@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2012 Red Hat, Inc.
+# All rights reserved.
+#
+
+# PKI Deployment Imports
+import pkiconfig as config
+from pkiconfig import pki_master_dict as master
+import pkihelper as util
+import pkimessages as log
+import pkiscriptlet
+
+
+# PKI Deployment Top-Level Infrastructure Layout Scriptlet
+class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
+ rv = 0
+
+ def spawn(self):
+ if config.str2bool(master['pki_skip_installation']):
+ config.pki_log.info(log.SKIP_ADMIN_DOMAIN_SPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ return self.rv
+ config.pki_log.info(log.ADMIN_DOMAIN_SPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ # NOTE: It was determined that since the "pkidestroy" command
+ # relies upon a symbolic link to a replica of the original
+ # deployment configuration file used by the
+ # "pkispawn" command of an instance, it is necessary to
+ # create any required instance and subsystem directories
+ # in this top-level "infrastructure_layout" scriptlet
+ # (rather than the "instance_layout" and "subsystem_layout"
+ # scriptlets) so that a copy of this configuration file can
+ # be saved, and the required symbolic link can be created.
+ #
+ # establish the top-level infrastructure, instance, and subsystem
+ # registry directories for storage of a copy of the original
+ # deployment configuration file used to spawn this instance,
+ # and save a copy of this file
+ util.directory.create(master['pki_registry_path'])
+ util.directory.create(master['pki_instance_type_registry_path'])
+ util.directory.create(master['pki_instance_registry_path'])
+ util.directory.create(master['pki_subsystem_registry_path'])
+ util.file.copy(master['pki_default_deployment_cfg'],
+ master['pki_default_deployment_cfg_replica'])
+
+ print "Storing deployment configuration into " + config.pki_master_dict['pki_user_deployment_cfg_replica'] + "."
+ if master['pki_user_deployment_cfg']:
+ util.file.copy(master['pki_user_deployment_cfg'],
+ master['pki_user_deployment_cfg_replica'])
+ else:
+ with open(master['pki_user_deployment_cfg_replica'], 'w') as f:
+ config.user_config.write(f)
+
+ # establish top-level infrastructure, instance, and subsystem
+ # base directories and create the "registry" symbolic link that
+ # the "pkidestroy" executable relies upon
+ util.directory.create(master['pki_path'])
+ util.directory.create(master['pki_instance_path'])
+ util.directory.create(master['pki_subsystem_path'])
+ util.symlink.create(master['pki_instance_registry_path'],
+ master['pki_subsystem_registry_link'])
+ #
+ # NOTE: If "infrastructure_layout" scriptlet execution has been
+ # successfully executed to this point, the "pkidestroy" command
+ # may always be utilized to remove the entire infrastructure.
+ #
+ # no need to establish top-level infrastructure logs
+ # since it now stores 'pkispawn'/'pkidestroy' logs
+ # and will already exist
+ # util.directory.create(master['pki_log_path'])
+ # establish top-level infrastructure configuration
+ if master['pki_configuration_path'] !=\
+ config.PKI_DEPLOYMENT_CONFIGURATION_ROOT:
+ util.directory.create(master['pki_configuration_path'])
+ return self.rv
+
+ def respawn(self):
+ config.pki_log.info(log.ADMIN_DOMAIN_RESPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ return self.rv
+
+ def destroy(self):
+ config.pki_log.info(log.ADMIN_DOMAIN_DESTROY_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ # remove top-level infrastructure base
+ if master['pki_subsystem'] in config.PKI_SUBSYSTEMS and\
+ util.instance.pki_instance_subsystems() == 0:
+ # remove top-level infrastructure base
+ util.directory.delete(master['pki_path'])
+ # do NOT remove top-level infrastructure logs
+ # since it now stores 'pkispawn'/'pkidestroy' logs
+ # util.directory.delete(master['pki_log_path'])
+ # remove top-level infrastructure configuration
+ if util.directory.is_empty(master['pki_configuration_path'])\
+ and master['pki_configuration_path'] !=\
+ config.PKI_DEPLOYMENT_CONFIGURATION_ROOT:
+ util.directory.delete(master['pki_configuration_path'])
+ # remove top-level infrastructure registry
+ util.directory.delete(master['pki_registry_path'])
+ return self.rv
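Review bot: The fallback branch in spawn() writes the user deployment configuration with a bare `open(master['pki_user_deployment_cfg_replica'], 'w')`, so the replica is created with whatever mode the process umask yields and nothing afterwards tightens it, while every other file this commit creates goes through `util.file.copy` or `util.file.modify`. Because that file appears to feed the values initialization.py guards with verify_sensitive_data(), follow the write with `util.file.modify(master['pki_user_deployment_cfg_replica'])` (or whichever helper sets the owner-only mode the copy path relies on). The `print "Storing deployment configuration into " + ...` statement just above bypasses the `config.pki_log` logger used everywhere else in these scriptlets and reads the dict as `config.pki_master_dict` instead of the `master` alias used on every other line; `config.pki_log.info("Storing deployment configuration into %s.", master['pki_user_deployment_cfg_replica'], extra=config.PKI_INDENTATION_LEVEL_2)` would be consistent with the rest of the file.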
diff --git a/base/server/src/scriptlets/initialization.py b/base/server/src/scriptlets/initialization.py
new file mode 100644
index 000000000..3494ebdc7
--- /dev/null
+++ b/base/server/src/scriptlets/initialization.py
@@ -0,0 +1,126 @@
+#!/usr/bin/python -t
+# Authors:
+# Matthew Harmsen <mharmsen@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2012 Red Hat, Inc.
+# All rights reserved.
+#
+
+# PKI Deployment Imports
+import pkiconfig as config
+from pkiconfig import pki_master_dict as master
+import pkihelper as util
+import pkimessages as log
+import pkiscriptlet
+
+
+# PKI Deployment Initialization Scriptlet
+class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
+ rv = 0
+
+ def spawn(self):
+ # begin official logging
+ config.pki_log.info(log.PKISPAWN_BEGIN_MESSAGE_2,
+ master['pki_subsystem'],
+ master['pki_instance_name'],
+ extra=config.PKI_INDENTATION_LEVEL_0)
+ if config.str2bool(master['pki_skip_installation']):
+ config.pki_log.info(log.SKIP_INITIALIZATION_SPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ return self.rv
+ else:
+ config.pki_log.info(log.INITIALIZATION_SPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ if master['pki_subsystem'] == "CA" and\
+ config.str2bool(master['pki_external_step_two']):
+ # verify that this type of "subsystem" currently EXISTS
+ # for this "instance" (External CA Step 2)
+ util.instance.verify_subsystem_exists()
+ master['pki_skip_installation'] = "True";
+ else:
+ # verify that this type of "subsystem" does NOT yet
+ # exist for this "instance"
+ util.instance.verify_subsystem_does_not_exist()
+ # detect and avoid any namespace collisions
+ util.namespace.collision_detection()
+ # initialize 'uid' and 'gid'
+ util.identity.add_uid_and_gid(master['pki_user'], master['pki_group'])
+ # establish 'uid' and 'gid'
+ util.identity.set_uid(master['pki_user'])
+ util.identity.set_gid(master['pki_group'])
+ # verify existence of SENSITIVE configuration file data
+ util.configuration_file.verify_sensitive_data()
+ # verify existence of MUTUALLY EXCLUSIVE configuration file data
+ util.configuration_file.verify_mutually_exclusive_data()
+ # verify existence of PREDEFINED configuration file data
+ util.configuration_file.verify_predefined_configuration_file_data()
+ # verify selinux context of selected ports
+ util.configuration_file.populate_non_default_ports()
+ util.configuration_file.verify_selinux_ports()
+ return self.rv
+
+ def respawn(self):
+ # begin official logging
+ config.pki_log.info(log.PKIRESPAWN_BEGIN_MESSAGE_2,
+ master['pki_subsystem'],
+ master['pki_instance_name'],
+ extra=config.PKI_INDENTATION_LEVEL_0)
+ config.pki_log.info(log.INITIALIZATION_RESPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ # verify that this type of "subsystem" currently EXISTS
+ # for this "instance"
+ util.instance.verify_subsystem_exists()
+ return self.rv
+
+ def destroy(self):
+ # begin official logging
+ config.pki_log.info(log.PKIDESTROY_BEGIN_MESSAGE_2,
+ master['pki_subsystem'],
+ master['pki_instance_name'],
+ extra=config.PKI_INDENTATION_LEVEL_0)
+ config.pki_log.info(log.INITIALIZATION_DESTROY_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ # verify that this type of "subsystem" currently EXISTS
+ # for this "instance"
+ util.instance.verify_subsystem_exists()
+ # verify that the command-line parameters match the values
+ # that are present in the corresponding configuration file
+ util.configuration_file.verify_command_matches_configuration_file()
+ # establish 'uid' and 'gid'
+ util.identity.set_uid(master['pki_user'])
+ util.identity.set_gid(master['pki_group'])
+ # get ports to remove selinux context
+ util.configuration_file.populate_non_default_ports()
+
+ # get deinstallation token
+ token = util.security_domain.get_installation_token(
+ config.pki_secdomain_user, config.pki_secdomain_pass)
+
+ # remove kra connector from CA if this is a KRA
+ util.kra_connector.deregister()
+
+ # de-register instance from its Security Domain
+ #
+ # NOTE: Since the security domain of an instance must be up
+ # and running in order to be de-registered, this step
+ # must be done PRIOR to instance shutdown because this
+ # instance's security domain may be a part of a
+ # tightly-coupled shared instance.
+ #
+ util.security_domain.deregister(token)
+ # ALWAYS Stop this Apache/Tomcat PKI Process
+ util.systemd.stop()
+ return self.rv
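Review bot: `master['pki_skip_installation'] = "True";` in spawn() carries a stray trailing semicolon, and the `else:` that follows the early `return self.rv` above it only adds a level of indentation; drop the semicolon and dedent the `else` body. In destroy(), the security-domain credentials come from module globals `config.pki_secdomain_user` / `config.pki_secdomain_pass` rather than the `master` dict used for everything else, and nothing here shows where they are populated, so a one-line comment such as `# credentials populated by the pkidestroy front end — see pkiconfig` (adjusted to wherever they are actually set) would help the next reader. The comment "remove kra connector from CA if this is a KRA" sits on an unconditional `util.kra_connector.deregister()` call; presumably the helper checks the subsystem type itself, and if so the comment should say that.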
diff --git a/base/server/src/scriptlets/instance_layout.py b/base/server/src/scriptlets/instance_layout.py
new file mode 100644
index 000000000..843227a84
--- /dev/null
+++ b/base/server/src/scriptlets/instance_layout.py
@@ -0,0 +1,190 @@
+#!/usr/bin/python -t
+# Authors:
+# Matthew Harmsen <mharmsen@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2012 Red Hat, Inc.
+# All rights reserved.
+#
+
+# System Imports
+import os
+
+
+# PKI Deployment Imports
+import pkiconfig as config
+from pkiconfig import pki_master_dict as master
+import pkihelper as util
+import pkimessages as log
+import pkiscriptlet
+import os
+
+
+# PKI Deployment Instance Layout Scriptlet
+class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
+ rv = 0
+
+ def spawn(self):
+ if config.str2bool(master['pki_skip_installation']):
+ config.pki_log.info(log.SKIP_INSTANCE_SPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ return self.rv
+ config.pki_log.info(log.INSTANCE_SPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ # establish instance logs
+ util.directory.create(master['pki_instance_log_path'])
+ # establish instance configuration
+ util.directory.create(master['pki_instance_configuration_path'])
+ # establish Apache/Tomcat specific instance
+ if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
+ # establish Tomcat instance configuration
+ util.directory.copy(master['pki_source_server_path'],
+ master['pki_instance_configuration_path'],
+ overwrite_flag=True)
+ # establish Tomcat instance base
+ util.directory.create(master['pki_tomcat_common_path'])
+ util.directory.create(master['pki_tomcat_common_lib_path'])
+ # establish Tomcat instance library
+ util.directory.create(master['pki_instance_lib'])
+ for name in os.listdir(master['pki_tomcat_lib_path']):
+ util.symlink.create(
+ os.path.join(
+ master['pki_tomcat_lib_path'],
+ name),
+ os.path.join(
+ master['pki_instance_lib'],
+ name))
+ util.symlink.create(master['pki_instance_conf_log4j_properties'],
+ master['pki_instance_lib_log4j_properties'])
+ util.directory.create(master['pki_tomcat_tmpdir_path'])
+ util.directory.create(master['pki_tomcat_webapps_path'])
+ util.directory.create(master['pki_tomcat_work_path'])
+ util.directory.create(master['pki_tomcat_work_catalina_path'])
+ util.directory.create(master['pki_tomcat_work_catalina_host_path'])
+ util.directory.create(
+ master['pki_tomcat_work_catalina_host_run_path'])
+ util.directory.create(
+ master['pki_tomcat_work_catalina_host_subsystem_path'])
+ # establish Tomcat instance logs
+ # establish Tomcat instance registry
+ # establish Tomcat instance convenience symbolic links
+ util.symlink.create(master['pki_tomcat_bin_path'],
+ master['pki_tomcat_bin_link'])
+ util.symlink.create(master['pki_tomcat_systemd'],
+ master['pki_instance_systemd_link'],
+ uid=0, gid=0)
+ # establish Tomcat instance common lib jar symbolic links
+ util.symlink.create(master['pki_apache_commons_collections_jar'],
+ master['pki_apache_commons_collections_jar_link'])
+ util.symlink.create(master['pki_apache_commons_lang_jar'],
+ master['pki_apache_commons_lang_jar_link'])
+ util.symlink.create(master['pki_apache_commons_logging_jar'],
+ master['pki_apache_commons_logging_jar_link'])
+ util.symlink.create(master['pki_commons_codec_jar'],
+ master['pki_commons_codec_jar_link'])
+ util.symlink.create(master['pki_httpclient_jar'],
+ master['pki_httpclient_jar_link'])
+ util.symlink.create(master['pki_httpcore_jar'],
+ master['pki_httpcore_jar_link'])
+ util.symlink.create(master['pki_javassist_jar'],
+ master['pki_javassist_jar_link'])
+ util.symlink.create(master['pki_resteasy_jaxrs_api_jar'],
+ master['pki_resteasy_jaxrs_api_jar_link'])
+ util.symlink.create(master['pki_jettison_jar'],
+ master['pki_jettison_jar_link'])
+ util.symlink.create(master['pki_jss_jar'],
+ master['pki_jss_jar_link'])
+ util.symlink.create(master['pki_ldapjdk_jar'],
+ master['pki_ldapjdk_jar_link'])
+ util.symlink.create(master['pki_tomcat_jar'],
+ master['pki_tomcat_jar_link'])
+ util.symlink.create(master['pki_resteasy_atom_provider_jar'],
+ master['pki_resteasy_atom_provider_jar_link'])
+ util.symlink.create(master['pki_resteasy_jaxb_provider_jar'],
+ master['pki_resteasy_jaxb_provider_jar_link'])
+ util.symlink.create(master['pki_resteasy_jaxrs_jar'],
+ master['pki_resteasy_jaxrs_jar_link'])
+ util.symlink.create(master['pki_resteasy_jettison_provider_jar'],
+ master['pki_resteasy_jettison_provider_jar_link'])
+ util.symlink.create(master['pki_scannotation_jar'],
+ master['pki_scannotation_jar_link'])
+ if master['pki_subsystem'] == 'TKS':
+ util.symlink.create(master['pki_symkey_jar'],
+ master['pki_symkey_jar_link'])
+ util.symlink.create(master['pki_tomcatjss_jar'],
+ master['pki_tomcatjss_jar_link'])
+ util.symlink.create(master['pki_velocity_jar'],
+ master['pki_velocity_jar_link'])
+ util.symlink.create(master['pki_xerces_j2_jar'],
+ master['pki_xerces_j2_jar_link'])
+ util.symlink.create(master['pki_xml_commons_apis_jar'],
+ master['pki_xml_commons_apis_jar_link'])
+ util.symlink.create(master['pki_xml_commons_resolver_jar'],
+ master['pki_xml_commons_resolver_jar_link'])
+ # establish shared NSS security databases for this instance
+ util.directory.create(master['pki_database_path'])
+ # establish instance convenience symbolic links
+ util.symlink.create(master['pki_database_path'],
+ master['pki_instance_database_link'])
+ util.symlink.create(master['pki_instance_configuration_path'],
+ master['pki_instance_conf_link'])
+ util.symlink.create(master['pki_instance_log_path'],
+ master['pki_instance_logs_link'])
+ return self.rv
+
+ def respawn(self):
+ config.pki_log.info(log.INSTANCE_RESPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ return self.rv
+
+ def destroy(self):
+ config.pki_log.info(log.INSTANCE_DESTROY_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ if master['pki_subsystem'] == 'TKS':
+ util.symlink.delete(master['pki_symkey_jar_link'])
+ if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
+ util.instance.apache_instance_subsystems() == 0:
+ # remove Apache instance base
+ util.directory.delete(master['pki_instance_path'])
+ # remove Apache instance logs
+ # remove shared NSS security database path for this instance
+ util.directory.delete(master['pki_database_path'])
+ # remove Apache instance configuration
+ util.directory.delete(master['pki_instance_configuration_path'])
+ # remove Apache instance registry
+ util.directory.delete(master['pki_instance_registry_path'])
+ # remove Apache PKI registry (if empty)
+ if util.instance.apache_instances() == 0:
+ util.directory.delete(
+ master['pki_instance_type_registry_path'])
+ elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
+ len(util.instance.tomcat_instance_subsystems()) == 0:
+ # remove Tomcat instance base
+ util.directory.delete(master['pki_instance_path'])
+ # remove Tomcat instance logs
+ util.directory.delete(master['pki_instance_log_path'])
+ # remove shared NSS security database path for this instance
+ util.directory.delete(master['pki_database_path'])
+ # remove Tomcat instance configuration
+ util.directory.delete(master['pki_instance_configuration_path'])
+ # remove PKI 'tomcat.conf' instance file
+ util.file.delete(master['pki_target_tomcat_conf_instance_id'])
+ # remove Tomcat instance registry
+ util.directory.delete(master['pki_instance_registry_path'])
+ # remove Tomcat PKI registry (if empty)
+ if util.instance.tomcat_instances() == 0:
+ util.directory.delete(
+ master['pki_instance_type_registry_path'])
+ return self.rv
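Review bot: `os` is imported twice in this file, once under "System Imports" and again at the end of the "PKI Deployment Imports" group; drop the second one. The run of twenty-odd `util.symlink.create(master['pki_<name>_jar'], master['pki_<name>_jar_link'])` calls in spawn() follows one naming pattern throughout, so a tuple of jar keys and a loop expresses the same thing in a third of the lines and makes a mismatched `_link` key impossible; the TKS-only symkey link keeps its own conditional in the same position so the creation order is unchanged.
```python
# … unchanged: Tomcat instance directories and bin/systemd links …
# establish Tomcat instance common lib jar symbolic links;
# the link key is always the jar key plus '_link'
common_lib_jars = (
    'pki_apache_commons_collections_jar',
    'pki_apache_commons_lang_jar',
    'pki_apache_commons_logging_jar',
    'pki_commons_codec_jar',
    'pki_httpclient_jar',
    'pki_httpcore_jar',
    'pki_javassist_jar',
    'pki_resteasy_jaxrs_api_jar',
    'pki_jettison_jar',
    'pki_jss_jar',
    'pki_ldapjdk_jar',
    'pki_tomcat_jar',
    'pki_resteasy_atom_provider_jar',
    'pki_resteasy_jaxb_provider_jar',
    'pki_resteasy_jaxrs_jar',
    'pki_resteasy_jettison_provider_jar',
    'pki_scannotation_jar',
)
for jar in common_lib_jars:
    util.symlink.create(master[jar], master[jar + '_link'])
if master['pki_subsystem'] == 'TKS':
    util.symlink.create(master['pki_symkey_jar'],
                        master['pki_symkey_jar_link'])
for jar in ('pki_tomcatjss_jar', 'pki_velocity_jar',
            'pki_xerces_j2_jar', 'pki_xml_commons_apis_jar',
            'pki_xml_commons_resolver_jar'):
    util.symlink.create(master[jar], master[jar + '_link'])
# … unchanged: shared NSS database directory and convenience links …
```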
diff --git a/base/server/src/scriptlets/security_databases.py b/base/server/src/scriptlets/security_databases.py
new file mode 100644
index 000000000..9ac4784e5
--- /dev/null
+++ b/base/server/src/scriptlets/security_databases.py
@@ -0,0 +1,119 @@
+#!/usr/bin/python -t
+# Authors:
+# Matthew Harmsen <mharmsen@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2012 Red Hat, Inc.
+# All rights reserved.
+#
+
+# PKI Deployment Imports
+import pkiconfig as config
+from pkiconfig import pki_master_dict as master
+import pkihelper as util
+import pkimessages as log
+import pkiscriptlet
+
+
+# PKI Deployment Security Databases Scriptlet
+class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
+ rv = 0
+
+ def spawn(self):
+ if config.str2bool(master['pki_skip_installation']):
+ config.pki_log.info(log.SKIP_SECURITY_DATABASES_SPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ return self.rv
+ config.pki_log.info(log.SECURITY_DATABASES_SPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ util.password.create_password_conf(
+ master['pki_shared_password_conf'],
+ master['pki_pin'])
+ # Since 'certutil' does NOT strip the 'token=' portion of
+ # the 'token=password' entries, create a temporary server 'pfile'
+ # which ONLY contains the 'password' for the purposes of
+ # allowing 'certutil' to generate the security databases
+ util.password.create_password_conf(
+ master['pki_shared_pfile'],
+ master['pki_pin'], pin_sans_token=True)
+ util.file.modify(master['pki_shared_password_conf'])
+ util.certutil.create_security_databases(
+ master['pki_database_path'],
+ master['pki_cert_database'],
+ master['pki_key_database'],
+ master['pki_secmod_database'],
+ password_file=master['pki_shared_pfile'])
+ util.file.modify(master['pki_cert_database'], perms=\
+ config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)
+ util.file.modify(master['pki_key_database'], perms=\
+ config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)
+ util.file.modify(master['pki_secmod_database'], perms=\
+ config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)
+
+ if len(util.instance.tomcat_instance_subsystems()) < 2:
+ # only create a self signed cert for a new instance
+ rv = util.certutil.verify_certificate_exists(
+ master['pki_database_path'],
+ master['pki_cert_database'],
+ master['pki_key_database'],
+ master['pki_secmod_database'],
+ master['pki_self_signed_token'],
+ master['pki_self_signed_nickname'],
+ password_file=master['pki_shared_pfile'])
+ if not rv:
+ util.file.generate_noise_file(
+ master['pki_self_signed_noise_file'],
+ master['pki_self_signed_noise_bytes'])
+ util.certutil.generate_self_signed_certificate(
+ master['pki_database_path'],
+ master['pki_cert_database'],
+ master['pki_key_database'],
+ master['pki_secmod_database'],
+ master['pki_self_signed_token'],
+ master['pki_self_signed_nickname'],
+ master['pki_self_signed_subject'],
+ master['pki_self_signed_serial_number'],
+ master['pki_self_signed_validity_period'],
+ master['pki_self_signed_issuer_name'],
+ master['pki_self_signed_trustargs'],
+ master['pki_self_signed_noise_file'],
+ password_file=master['pki_shared_pfile'])
+ # Delete the temporary 'noise' file
+ util.file.delete(master['pki_self_signed_noise_file'])
+ # Delete the temporary 'pfile'
+ util.file.delete(master['pki_shared_pfile'])
+ return self.rv
+
+ def respawn(self):
+ config.pki_log.info(log.SECURITY_DATABASES_RESPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ return self.rv
+
+ def destroy(self):
+ config.pki_log.info(log.SECURITY_DATABASES_DESTROY_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
+ util.instance.apache_instance_subsystems() == 0:
+ util.file.delete(master['pki_cert_database'])
+ util.file.delete(master['pki_key_database'])
+ util.file.delete(master['pki_secmod_database'])
+ util.file.delete(master['pki_shared_password_conf'])
+ elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
+ len(util.instance.tomcat_instance_subsystems()) == 0:
+ util.file.delete(master['pki_cert_database'])
+ util.file.delete(master['pki_key_database'])
+ util.file.delete(master['pki_secmod_database'])
+ util.file.delete(master['pki_shared_password_conf'])
+ return self.rv
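Review bot: The temporary `pki_shared_pfile` written by the second `create_password_conf` call holds the bare PIN and is removed only by the last statement of `spawn`, so an exception from `create_security_databases`, `verify_certificate_exists` or `generate_self_signed_certificate` leaves the cleartext password file on disk (and, on the self-signed path, the noise file as well). Wrap everything after that call in `try:` … `finally: util.file.delete(master['pki_shared_pfile'])` so the delete also runs on the error path. Separately, `util.file.modify` is applied to `pki_shared_password_conf` but not to the pfile; unless `create_password_conf` itself sets a restrictive mode and owner (not visible in this diff), the pfile deserves the same treatment before `certutil` reads it.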
diff --git a/base/server/src/scriptlets/selinux_setup.py b/base/server/src/scriptlets/selinux_setup.py
new file mode 100644
index 000000000..552ab3f41
--- /dev/null
+++ b/base/server/src/scriptlets/selinux_setup.py
@@ -0,0 +1,175 @@
+#!/usr/bin/python -t
+# Authors:
+# Ade Lee <alee@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2012 Red Hat, Inc.
+# All rights reserved.
+#
+
+# PKI Deployment Imports
+import pkiconfig as config
+from pkiconfig import pki_master_dict as master
+from pkiconfig import pki_selinux_config_ports as ports
+import pkihelper as util
+import pkimessages as log
+import pkiscriptlet
+import selinux
+if selinux.is_selinux_enabled():
+ import seobject
+
+
+# PKI Deployment Selinux Setup Scriptlet
+class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
+ rv = 0
+ suffix = "(/.*)?"
+
+ def restore_context(self):
+ selinux.restorecon(master['pki_instance_path'], True)
+ selinux.restorecon(config.PKI_DEPLOYMENT_LOG_ROOT, True)
+ selinux.restorecon(master['pki_instance_log_path'], True)
+ selinux.restorecon(master['pki_instance_configuration_path'], True)
+
+ def spawn(self):
+ if config.str2bool(master['pki_skip_installation']):
+ config.pki_log.info(log.SKIP_SELINUX_SPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ return self.rv
+
+ if not bool(selinux.is_selinux_enabled()):
+ config.pki_log.info(log.SELINUX_DISABLED_SPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ return self.rv
+
+ config.pki_log.info(log.SELINUX_SPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+
+ # check first if any transactions are required
+ if len(ports) == 0 and master['pki_instance_name'] == \
+ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME:
+ self.restore_context()
+ return self.rv
+
+ # add SELinux contexts when adding the first subsystem
+ if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
+ util.instance.apache_instance_subsystems() == 1 or\
+ master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
+ len(util.instance.tomcat_instance_subsystems()) == 1:
+
+ trans = seobject.semanageRecords("targeted")
+ trans.start()
+ if master['pki_instance_name'] != \
+ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME:
+
+ fcon = seobject.fcontextRecords()
+
+ config.pki_log.info("adding selinux fcontext \"%s\"",
+ master['pki_instance_path'] + self.suffix,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ fcon.add(master['pki_instance_path'] + self.suffix,
+ config.PKI_INSTANCE_SELINUX_CONTEXT, "", "s0", "")
+
+ config.pki_log.info("adding selinux fcontext \"%s\"",
+ master['pki_instance_log_path'] + self.suffix,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ fcon.add(master['pki_instance_log_path'] + self.suffix,
+ config.PKI_LOG_SELINUX_CONTEXT, "", "s0", "")
+
+ config.pki_log.info("adding selinux fcontext \"%s\"",
+ master['pki_instance_configuration_path'] + self.suffix,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ fcon.add(master['pki_instance_configuration_path'] + self.suffix,
+ config.PKI_CFG_SELINUX_CONTEXT, "", "s0", "")
+
+ config.pki_log.info("adding selinux fcontext \"%s\"",
+ master['pki_database_path'] + self.suffix,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ fcon.add(master['pki_database_path'] + self.suffix,
+ config.PKI_CERTDB_SELINUX_CONTEXT, "", "s0", "")
+
+ portRecords = seobject.portRecords()
+ for port in ports:
+ config.pki_log.info("adding selinux port %s", port,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ portRecords.add(port, "tcp", "s0", config.PKI_PORT_SELINUX_CONTEXT)
+
+ trans.finish()
+
+ self.restore_context()
+ return self.rv
+
+ def respawn(self):
+ config.pki_log.info(log.SELINUX_RESPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ self.restore_context()
+ return self.rv
+
+ def destroy(self):
+ if not bool(selinux.is_selinux_enabled()):
+ config.pki_log.info(log.SELINUX_DISABLED_DESTROY_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ return self.rv
+ config.pki_log.info(log.SELINUX_DESTROY_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+
+ # check first if any transactions are required
+ if len(ports) == 0 and master['pki_instance_name'] == \
+ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME:
+ return self.rv
+
+ # remove SELinux contexts when removing the last subsystem
+ if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
+ util.instance.apache_instance_subsystems() == 0 or\
+ master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
+ len(util.instance.tomcat_instance_subsystems()) == 0:
+
+ trans = seobject.semanageRecords("targeted")
+ trans.start()
+
+ if master['pki_instance_name'] != \
+ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME:
+
+ fcon = seobject.fcontextRecords()
+
+ config.pki_log.info("deleting selinux fcontext \"%s\"",
+ master['pki_instance_path'] + self.suffix,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ fcon.delete(master['pki_instance_path'] + self.suffix , "")
+
+ config.pki_log.info("deleting selinux fcontext \"%s\"",
+ master['pki_instance_log_path'] + self.suffix,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ fcon.delete(master['pki_instance_log_path'] + self.suffix, "")
+
+ config.pki_log.info("deleting selinux fcontext \"%s\"",
+ master['pki_instance_configuration_path'] + self.suffix,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ fcon.delete(master['pki_instance_configuration_path'] + \
+ self.suffix, "")
+
+ config.pki_log.info("deleting selinux fcontext \"%s\"",
+ master['pki_database_path'] + self.suffix,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ fcon.delete(master['pki_database_path'] + self.suffix , "")
+
+ portRecords = seobject.portRecords()
+ for port in ports:
+ config.pki_log.info("deleting selinux port %s", port,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ portRecords.delete(port, "tcp")
+
+ trans.finish()
+
+ return self.rv
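Review bot: In `spawn`, `trans.finish()` runs only if every `fcon.add` and `portRecords.add` succeeds; seobject's `add` raises `ValueError` for a record that is already defined (a re-run after a partially completed install is the obvious case), so the semanage transaction is left open, `restore_context()` is skipped and the traceback gives no hint which record collided. `destroy` has the same shape around `fcon.delete`/`portRecords.delete`. Wrap the body between `trans.start()` and `trans.finish()` in a `try:`/`except ValueError:` that logs the offending path or port at `PKI_INDENTATION_LEVEL_2` and re-raises; since `finish()` commits, it should not be moved into a `finally`. The `and`/`or` chain that guards the transaction relies on Python precedence; parenthesising the two `(subsystem in … and count == …)` clauses would make the intent explicit.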
diff --git a/base/server/src/scriptlets/slot_substitution.py b/base/server/src/scriptlets/slot_substitution.py
new file mode 100644
index 000000000..205ed49f6
--- /dev/null
+++ b/base/server/src/scriptlets/slot_substitution.py
@@ -0,0 +1,103 @@
+#!/usr/bin/python -t
+# Authors:
+# Matthew Harmsen <mharmsen@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2012 Red Hat, Inc.
+# All rights reserved.
+#
+
+# PKI Deployment Imports
+import pkiconfig as config
+from pkiconfig import pki_master_dict as master
+from pkiconfig import pki_slots_dict as slots
+import pkihelper as util
+import pkimessages as log
+import pkiscriptlet
+
+
+# PKI Deployment Slot Substitution Scriptlet
+class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
+ rv = 0
+
+ def spawn(self):
+ if config.str2bool(master['pki_skip_installation']):
+ config.pki_log.info(log.SKIP_SLOT_ASSIGNMENT_SPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ return self.rv
+ config.pki_log.info(log.SLOT_ASSIGNMENT_SPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ util.file.copy_with_slot_substitution(master['pki_source_cs_cfg'],
+ master['pki_target_cs_cfg'])
+ util.file.copy_with_slot_substitution(master['pki_source_registry'],
+ master['pki_target_registry'],
+ uid=0, gid=0, overwrite_flag=True)
+ if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
+ util.file.copy_with_slot_substitution(
+ master['pki_source_catalina_properties'],
+ master['pki_target_catalina_properties'],
+ overwrite_flag=True)
+ util.file.copy_with_slot_substitution(
+ master['pki_source_servercertnick_conf'],
+ master['pki_target_servercertnick_conf'],
+ overwrite_flag=True)
+ util.file.copy_with_slot_substitution(
+ master['pki_source_server_xml'],
+ master['pki_target_server_xml'],
+ overwrite_flag=True)
+ util.file.copy_with_slot_substitution(
+ master['pki_source_context_xml'],
+ master['pki_target_context_xml'],
+ overwrite_flag=True)
+ util.file.copy_with_slot_substitution(
+ master['pki_source_tomcat_conf'],
+ master['pki_target_tomcat_conf_instance_id'],
+ uid=0, gid=0, overwrite_flag=True)
+ util.file.copy_with_slot_substitution(
+ master['pki_source_tomcat_conf'],
+ master['pki_target_tomcat_conf'],
+ overwrite_flag=True)
+ util.file.apply_slot_substitution(
+ master['pki_target_velocity_properties'])
+ util.file.apply_slot_substitution(
+ master['pki_target_subsystem_web_xml'])
+ # Strip "<filter>" section from subsystem "web.xml"
+ # This is ONLY necessary because XML comments cannot be "nested"!
+ #util.file.copy(master['pki_target_subsystem_web_xml'],
+ # master['pki_target_subsystem_web_xml_orig'])
+ #util.file.delete(master['pki_target_subsystem_web_xml'])
+ #util.xml_file.remove_filter_section_from_web_xml(
+ # master['pki_target_subsystem_web_xml_orig'],
+ # master['pki_target_subsystem_web_xml'])
+ #util.file.delete(master['pki_target_subsystem_web_xml_orig'])
+ if master['pki_subsystem'] == "CA":
+ util.file.copy_with_slot_substitution(
+ master['pki_source_proxy_conf'],
+ master['pki_target_proxy_conf'])
+ util.file.apply_slot_substitution(
+ master['pki_target_profileselect_template'])
+ return self.rv
+
+ def respawn(self):
+ config.pki_log.info(log.SLOT_ASSIGNMENT_RESPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ return self.rv
+
+ def destroy(self):
+ config.pki_log.info(log.SLOT_ASSIGNMENT_DESTROY_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ config.pki_log.info("NOTHING NEEDS TO BE IMPLEMENTED",
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ return self.rv
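Review bot: `copy_with_slot_substitution` is given explicit `uid=0, gid=0` only for the registry and `tomcat_conf_instance_id` targets, while the `pki_source_cs_cfg` → `pki_target_cs_cfg` copy receives no ownership at all, so whatever the helper's default is ends up on the file that carries the substituted deployment settings. If that default is not already restrictive (the helper is not in this diff), pass the intended `uid`/`gid` here as the registry copy does. The commented-out `remove_filter_section_from_web_xml` sequence should either be dropped or replaced by a `# TODO:` naming what blocks it, since the explanatory comment above it now describes code that does not run.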
diff --git a/base/server/src/scriptlets/subsystem_layout.py b/base/server/src/scriptlets/subsystem_layout.py
new file mode 100644
index 000000000..c4c4c2283
--- /dev/null
+++ b/base/server/src/scriptlets/subsystem_layout.py
@@ -0,0 +1,126 @@
+#!/usr/bin/python -t
+# Authors:
+# Matthew Harmsen <mharmsen@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2012 Red Hat, Inc.
+# All rights reserved.
+#
+
+# PKI Deployment Imports
+import pkiconfig as config
+from pkiconfig import pki_master_dict as master
+import pkihelper as util
+import pkimessages as log
+import pkiscriptlet
+
+
+# PKI Deployment Subsystem Layout Scriptlet
+class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
+ rv = 0
+
+ def spawn(self):
+ if config.str2bool(master['pki_skip_installation']):
+ config.pki_log.info(log.SKIP_SUBSYSTEM_SPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ return self.rv
+ config.pki_log.info(log.SUBSYSTEM_SPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ # establish instance-based subsystem logs
+ util.directory.create(master['pki_subsystem_log_path'])
+ util.directory.create(master['pki_subsystem_archive_log_path'])
+ if master['pki_subsystem'] in config.PKI_SIGNED_AUDIT_SUBSYSTEMS:
+ util.directory.create(master['pki_subsystem_signed_audit_log_path'])
+ # establish instance-based subsystem configuration
+ util.directory.create(master['pki_subsystem_configuration_path'])
+ # util.directory.copy(master['pki_source_conf_path'],
+ # master['pki_subsystem_configuration_path'])
+ # establish instance-based Apache/Tomcat specific subsystems
+ if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
+ # establish instance-based Tomcat PKI subsystem base
+ if master['pki_subsystem'] == "CA":
+ util.directory.copy(master['pki_source_emails'],
+ master['pki_subsystem_emails_path'])
+ util.directory.copy(master['pki_source_profiles'],
+ master['pki_subsystem_profiles_path'])
+ # establish instance-based Tomcat PKI subsystem logs
+ # establish instance-based Tomcat PKI subsystem configuration
+ if master['pki_subsystem'] == "CA":
+ util.file.copy(master['pki_source_flatfile_txt'],
+ master['pki_target_flatfile_txt'])
+ util.file.copy(master['pki_source_registry_cfg'],
+ master['pki_target_registry_cfg'])
+ # '*.profile'
+ util.file.copy(master['pki_source_admincert_profile'],
+ master['pki_target_admincert_profile'])
+ util.file.copy(master['pki_source_caauditsigningcert_profile'],
+ master['pki_target_caauditsigningcert_profile'])
+ util.file.copy(master['pki_source_cacert_profile'],
+ master['pki_target_cacert_profile'])
+ util.file.copy(master['pki_source_caocspcert_profile'],
+ master['pki_target_caocspcert_profile'])
+ util.file.copy(master['pki_source_servercert_profile'],
+ master['pki_target_servercert_profile'])
+ util.file.copy(master['pki_source_subsystemcert_profile'],
+ master['pki_target_subsystemcert_profile'])
+ elif master['pki_subsystem'] == "KRA":
+ # '*.profile'
+ util.file.copy(master['pki_source_servercert_profile'],
+ master['pki_target_servercert_profile'])
+ util.file.copy(master['pki_source_storagecert_profile'],
+ master['pki_target_storagecert_profile'])
+ util.file.copy(master['pki_source_subsystemcert_profile'],
+ master['pki_target_subsystemcert_profile'])
+ util.file.copy(master['pki_source_transportcert_profile'],
+ master['pki_target_transportcert_profile'])
+ # establish instance-based Tomcat PKI subsystem registry
+ # establish instance-based Tomcat PKI subsystem convenience
+ # symbolic links
+ util.symlink.create(master['pki_tomcat_webapps_path'],
+ master['pki_subsystem_tomcat_webapps_link'])
+ # establish instance-based subsystem convenience symbolic links
+ util.symlink.create(master['pki_instance_database_link'],
+ master['pki_subsystem_database_link'])
+ util.symlink.create(master['pki_subsystem_configuration_path'],
+ master['pki_subsystem_conf_link'])
+ util.symlink.create(master['pki_subsystem_log_path'],
+ master['pki_subsystem_logs_link'])
+ util.symlink.create(master['pki_instance_registry_path'],
+ master['pki_subsystem_registry_link'])
+ return self.rv
+
+ def respawn(self):
+ config.pki_log.info(log.SUBSYSTEM_RESPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ return self.rv
+
+ def destroy(self):
+ config.pki_log.info(log.SUBSYSTEM_DESTROY_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ # remove instance-based subsystem base
+ if master['pki_subsystem'] == "CA":
+ util.directory.delete(master['pki_subsystem_emails_path'])
+ util.directory.delete(master['pki_subsystem_profiles_path'])
+ util.directory.delete(master['pki_subsystem_path'])
+ # remove instance-based subsystem logs
+ if master['pki_subsystem'] in config.PKI_SIGNED_AUDIT_SUBSYSTEMS:
+ util.directory.delete(master['pki_subsystem_signed_audit_log_path'])
+ util.directory.delete(master['pki_subsystem_archive_log_path'])
+ util.directory.delete(master['pki_subsystem_log_path'])
+ # remove instance-based subsystem configuration
+ util.directory.delete(master['pki_subsystem_configuration_path'])
+ # remove instance-based subsystem registry
+ util.directory.delete(master['pki_subsystem_registry_path'])
+ return self.rv
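Review bot: `destroy` does not undo the five symlinks `spawn` creates (`pki_subsystem_tomcat_webapps_link`, `pki_subsystem_database_link`, `pki_subsystem_conf_link`, `pki_subsystem_logs_link`, `pki_subsystem_registry_link`); unless all of them live under `pki_subsystem_path`, which this diff does not show, they survive as dangling links once their targets are removed. Mirror them with `util.symlink.delete(...)` calls ahead of `util.directory.delete(master['pki_subsystem_path'])`, or add a comment stating that the directory delete covers them. The commented-out `util.directory.copy(master['pki_source_conf_path'], ...)` pair is dead code and should be removed or turned into a `# TODO:`.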
diff --git a/base/server/src/scriptlets/webapp_deployment.py b/base/server/src/scriptlets/webapp_deployment.py
new file mode 100644
index 000000000..e72752ee8
--- /dev/null
+++ b/base/server/src/scriptlets/webapp_deployment.py
@@ -0,0 +1,170 @@
+#!/usr/bin/python -t
+# Authors:
+# Matthew Harmsen <mharmsen@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2012 Red Hat, Inc.
+# All rights reserved.
+#
+
+# System Imports
+import os
+
+
+# PKI Deployment Imports
+import pkiconfig as config
+from pkiconfig import pki_master_dict as master
+import pkihelper as util
+import pkimessages as log
+import pkiscriptlet
+
+
+# PKI Web Application Deployment Scriptlet
+class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
+ rv = 0
+
+ def spawn(self):
+ if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
+ if config.str2bool(master['pki_skip_installation']):
+ config.pki_log.info(log.SKIP_WEBAPP_DEPLOYMENT_SPAWN_1,
+ __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ return self.rv
+ config.pki_log.info(log.WEBAPP_DEPLOYMENT_SPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+
+ # Copy /usr/share/pki/server/webapps/ROOT
+ # to <instance>/webapps/ROOT
+ util.directory.create(master['pki_tomcat_webapps_root_path'])
+ util.directory.copy(
+ os.path.join(
+ config.PKI_DEPLOYMENT_SOURCE_ROOT,
+ "server",
+ "webapps",
+ "ROOT"),
+ master['pki_tomcat_webapps_root_path'],
+ overwrite_flag=True)
+
+ util.directory.create(master['pki_tomcat_webapps_common_path'])
+
+ # If desired and available,
+ # copy selected server theme
+ # to <instance>/webapps/pki
+ if config.str2bool(master['pki_theme_enable']) and\
+ os.path.exists(master['pki_theme_server_dir']):
+ util.directory.copy(master['pki_theme_server_dir'],
+ master['pki_tomcat_webapps_common_path'],
+ overwrite_flag=True)
+
+ # Copy /usr/share/pki/server/webapps/pki/js
+ # to <instance>/webapps/pki/js
+ util.directory.copy(
+ os.path.join(
+ config.PKI_DEPLOYMENT_SOURCE_ROOT,
+ "server",
+ "webapps",
+ "pki",
+ "js"),
+ os.path.join(
+ master['pki_tomcat_webapps_common_path'],
+ "js"),
+ overwrite_flag=True)
+
+ # Copy /usr/share/pki/server/webapps/pki/META-INF
+ # to <instance>/webapps/pki/META-INF
+ util.directory.copy(
+ os.path.join(
+ config.PKI_DEPLOYMENT_SOURCE_ROOT,
+ "server",
+ "webapps",
+ "pki",
+ "META-INF"),
+ os.path.join(
+ master['pki_tomcat_webapps_common_path'],
+ "META-INF"),
+ overwrite_flag=True)
+
+ # Copy /usr/share/pki/server/webapps/pki/admin
+ # to <instance>/webapps/<subsystem>/admin
+ # TODO: common templates should be deployed in common webapp
+ util.directory.create(master['pki_tomcat_webapps_subsystem_path'])
+ util.directory.copy(
+ os.path.join(
+ config.PKI_DEPLOYMENT_SOURCE_ROOT,
+ "server",
+ "webapps",
+ "pki",
+ "admin"),
+ os.path.join(
+ master['pki_tomcat_webapps_subsystem_path'],
+ "admin"),
+ overwrite_flag=True)
+
+ # Copy /usr/share/pki/<subsystem>/webapps/<subsystem>
+ # to <instance>/webapps/<subsystem>
+ util.directory.copy(
+ os.path.join(
+ config.PKI_DEPLOYMENT_SOURCE_ROOT,
+ master['pki_subsystem'].lower(),
+ "webapps",
+ master['pki_subsystem'].lower()),
+ master['pki_tomcat_webapps_subsystem_path'],
+ overwrite_flag=True)
+
+ util.directory.create(
+ master['pki_tomcat_webapps_subsystem_webinf_classes_path'])
+ util.directory.create(
+ master['pki_tomcat_webapps_subsystem_webinf_lib_path'])
+ # establish Tomcat webapps subsystem WEB-INF lib symbolic links
+ util.symlink.create(master['pki_certsrv_jar'],
+ master['pki_certsrv_jar_link'])
+ util.symlink.create(master['pki_cmsbundle'],
+ master['pki_cmsbundle_jar_link'])
+ util.symlink.create(master['pki_cmscore'],
+ master['pki_cmscore_jar_link'])
+ util.symlink.create(master['pki_cms'],
+ master['pki_cms_jar_link'])
+ util.symlink.create(master['pki_cmsutil'],
+ master['pki_cmsutil_jar_link'])
+ util.symlink.create(master['pki_nsutil'],
+ master['pki_nsutil_jar_link'])
+ if master['pki_subsystem'] == "CA":
+ util.symlink.create(master['pki_ca_jar'],
+ master['pki_ca_jar_link'])
+ elif master['pki_subsystem'] == "KRA":
+ util.symlink.create(master['pki_kra_jar'],
+ master['pki_kra_jar_link'])
+ elif master['pki_subsystem'] == "OCSP":
+ util.symlink.create(master['pki_ocsp_jar'],
+ master['pki_ocsp_jar_link'])
+ elif master['pki_subsystem'] == "TKS":
+ util.symlink.create(master['pki_tks_jar'],
+ master['pki_tks_jar_link'])
+ # set ownerships, permissions, and acls
+ util.directory.set_mode(master['pki_tomcat_webapps_subsystem_path'])
+ return self.rv
+
+ def respawn(self):
+ if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
+ config.pki_log.info(log.WEBAPP_DEPLOYMENT_RESPAWN_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ return self.rv
+
+ def destroy(self):
+ if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
+ config.pki_log.info(log.WEBAPP_DEPLOYMENT_DESTROY_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ util.directory.delete(master['pki_tomcat_webapps_subsystem_path'])
+ return self.rv
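Review bot: `util.directory.set_mode` is applied only to `pki_tomcat_webapps_subsystem_path` at the end of `spawn`, while `pki_tomcat_webapps_root_path` and `pki_tomcat_webapps_common_path` (with the `js` and `META-INF` trees copied into the latter) keep whatever `util.directory.create`/`copy` leave behind; if those helpers do not already normalise ownership and permissions, the ROOT and shared `pki` webapps end up with different modes than the subsystem webapp. Either call `set_mode` on those two paths as well or add a comment saying why only the subsystem tree needs it. The `os.path.join(config.PKI_DEPLOYMENT_SOURCE_ROOT, master['pki_subsystem'].lower(), ...)` source path is only safe because `spawn` runs under the `master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS` guard, and a one-line comment there would keep that dependency from being lost in a later refactor. The `CA`/`KRA`/`OCSP`/`TKS` jar-link chain has no `else`, so a Tomcat subsystem outside that list would silently get no subsystem jar link.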