Diffstat (limited to 'base/server/src/scriptlets')
-rw-r--r-- | base/server/src/scriptlets/configuration.py | 150 | ||||
-rw-r--r-- | base/server/src/scriptlets/finalization.py | 114 | ||||
-rw-r--r-- | base/server/src/scriptlets/infrastructure_layout.py | 116 | ||||
-rw-r--r-- | base/server/src/scriptlets/initialization.py | 126 | ||||
-rw-r--r-- | base/server/src/scriptlets/instance_layout.py | 190 | ||||
-rw-r--r-- | base/server/src/scriptlets/security_databases.py | 119 | ||||
-rw-r--r-- | base/server/src/scriptlets/selinux_setup.py | 175 | ||||
-rw-r--r-- | base/server/src/scriptlets/slot_substitution.py | 103 | ||||
-rw-r--r-- | base/server/src/scriptlets/subsystem_layout.py | 126 | ||||
-rw-r--r-- | base/server/src/scriptlets/webapp_deployment.py | 170 |
10 files changed, 1389 insertions, 0 deletions
diff --git a/base/server/src/scriptlets/configuration.py b/base/server/src/scriptlets/configuration.py new file mode 100644 index 000000000..7bd1b017a --- /dev/null +++ b/base/server/src/scriptlets/configuration.py 
@@ -0,0 +1,150 @@ +#!/usr/bin/python -t +# Authors: +# Matthew Harmsen <mharmsen@redhat.com> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2012 Red Hat, Inc. +# All rights reserved. +# + +# PKI Deployment Imports +import pkiconfig as config +from pkiconfig import pki_master_dict as master +import pkihelper as util +import pkimessages as log +import pkiscriptlet +import json +import pki.system +import pki.encoder + + +# PKI Deployment Configuration Scriptlet +class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + rv = 0 + + def spawn(self): + if config.str2bool(master['pki_skip_configuration']): + config.pki_log.info(log.SKIP_CONFIGURATION_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + config.pki_log.info(log.CONFIGURATION_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + + # Place "slightly" less restrictive permissions on + # the top-level client directory ONLY + util.directory.create(master['pki_client_subsystem_dir'], + uid=0, gid=0, + perms=config.PKI_DEPLOYMENT_DEFAULT_CLIENT_DIR_PERMISSIONS) + # Since 'certutil' does NOT strip the 'token=' portion of + # the 'token=password' entries, create a client password file + # which ONLY contains the 'password' for the purposes of + # allowing 'certutil' to generate the security databases + util.password.create_password_conf( + 
master['pki_client_password_conf'], + master['pki_client_database_password'], pin_sans_token=True) + util.file.modify(master['pki_client_password_conf'], + uid=0, gid=0) + # Similarly, create a simple password file containing the + # PKCS #12 password used when exporting the "Admin Certificate" + # into a PKCS #12 file + util.password.create_client_pkcs12_password_conf( + master['pki_client_pkcs12_password_conf']) + util.file.modify(master['pki_client_pkcs12_password_conf']) + util.directory.create(master['pki_client_database_dir'], + uid=0, gid=0) + util.certutil.create_security_databases( + master['pki_client_database_dir'], + master['pki_client_cert_database'], + master['pki_client_key_database'], + master['pki_client_secmod_database'], + password_file=master['pki_client_password_conf']) + util.symlink.create(master['pki_systemd_service'], + master['pki_systemd_service_link']) + + # Start/Restart this Apache/Tomcat PKI Process + if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS: + apache_instance_subsystems =\ + util.instance.apache_instance_subsystems() + if apache_instance_subsystems == 1: + util.systemd.start() + elif apache_instance_subsystems > 1: + util.systemd.restart() + elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + # Optionally prepare to enable a java debugger + # (e. g. - 'eclipse'): + if config.str2bool(master['pki_enable_java_debugger']): + config.prepare_for_an_external_java_debugger( + master['pki_target_tomcat_conf_instance_id']) + tomcat_instance_subsystems =\ + len(util.instance.tomcat_instance_subsystems()) + if tomcat_instance_subsystems == 1: + util.systemd.start() + elif tomcat_instance_subsystems > 1: + util.systemd.restart() + + # wait for startup + status = util.instance.wait_for_startup(60) + if status == None: + config.pki_log.error("server failed to restart", + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + + # Optionally wait for debugger to attach (e. g. 
- 'eclipse'): + if config.str2bool(master['pki_enable_java_debugger']): + config.wait_to_attach_an_external_java_debugger() + + config_client = util.config_client() + # Construct PKI Subsystem Configuration Data + data = None + if master['pki_instance_type'] == "Apache": + if master['pki_subsystem'] == "RA": + config.pki_log.info(log.PKI_CONFIG_NOT_YET_IMPLEMENTED_1, + master['pki_subsystem'], + extra=config.PKI_INDENTATION_LEVEL_2) + return rv + elif master['pki_subsystem'] == "TPS": + config.pki_log.info(log.PKI_CONFIG_NOT_YET_IMPLEMENTED_1, + master['pki_subsystem'], + extra=config.PKI_INDENTATION_LEVEL_2) + return rv + elif master['pki_instance_type'] == "Tomcat": + # CA, KRA, OCSP, or TKS + data = config_client.construct_pki_configuration_data() + + # Configure the substem + config_client.configure_pki_data( + json.dumps(data, cls=pki.encoder.CustomTypeEncoder)) + + return self.rv + + def respawn(self): + config.pki_log.info(log.CONFIGURATION_RESPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + + def destroy(self): + config.pki_log.info(log.CONFIGURATION_DESTROY_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ + util.instance.apache_instance_subsystems() == 1: + if util.directory.exists(master['pki_client_dir']): + util.directory.delete(master['pki_client_dir']) + util.symlink.delete(master['pki_systemd_service_link']) + elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ + len(util.instance.tomcat_instance_subsystems()) == 1: + if util.directory.exists(master['pki_client_dir']): + util.directory.delete(master['pki_client_dir']) + util.symlink.delete(master['pki_systemd_service_link']) + return self.rv diff --git a/base/server/src/scriptlets/finalization.py b/base/server/src/scriptlets/finalization.py new file mode 100644 index 000000000..6ddc98d03 --- /dev/null +++ b/base/server/src/scriptlets/finalization.py 
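Review bot: `sys.exit(1)` in the wait_for_startup failure branch of spawn() references `sys`, which the file's import block never brings in, so a server that fails to restart dies with a NameError instead of the intended clean exit; add `import sys` alongside `import json`. The RA and TPS branches a few lines later `return rv` although only the class attribute `self.rv` exists, another NameError on what is meant to be a quiet not-yet-implemented return — both should read `return self.rv`. The `status == None` comparison should be `status is None`. Note also that `data` remains None when `pki_instance_type` is neither "Apache" nor "Tomcat", in which case `json.dumps(None, ...)` is handed to `configure_pki_data`; if that case is reachable, an explicit log-and-return guard before the call would be safer than posting `null`.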
@@ -0,0 +1,114 @@ +#!/usr/bin/python -t +# Authors: +# Matthew Harmsen <mharmsen@redhat.com> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2012 Red Hat, Inc. +# All rights reserved. +# + +# PKI Deployment Imports +import pkiconfig as config +from pkiconfig import pki_master_dict as master +import pkihelper as util +import pkimanifest as manifest +import pkimessages as log +import pkiscriptlet + + +# PKI Deployment Finalization Scriptlet +class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + rv = 0 + + def spawn(self): + if master['pki_subsystem'] == "CA" and\ + config.str2bool(master['pki_external_step_two']): + # must check for 'External CA Step 2' installation PRIOR to + # 'pki_skip_installation' since this value has been set to true + # by the initialization scriptlet + pass + elif config.str2bool(master['pki_skip_installation']): + config.pki_log.info(log.SKIP_FINALIZATION_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + config.pki_log.info(log.FINALIZATION_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + # For debugging/auditing purposes, save a timestamped copy of + # this configuration file in the subsystem archive + util.file.copy(master['pki_user_deployment_cfg_replica'], + master['pki_user_deployment_cfg_spawn_archive']) + # Save a copy of the installation manifest file + 
config.pki_log.info(log.PKI_MANIFEST_MESSAGE_1, master['pki_manifest'], + extra=config.PKI_INDENTATION_LEVEL_2) + # for record in manifest.database: + # print tuple(record) + manifest.file.register(master['pki_manifest']) + manifest.file.write() + util.file.modify(master['pki_manifest'], silent=True) + + # Also, for debugging/auditing purposes, save a timestamped copy of + # this installation manifest file + util.file.copy(master['pki_manifest'], + master['pki_manifest_spawn_archive']) + # Optionally, programmatically 'restart' the configured PKI instance + if config.str2bool(master['pki_restart_configured_instance']): + util.systemd.restart() + # Optionally, 'purge' the entire temporary client infrastructure + # including the client NSS security databases and password files + # + # WARNING: If the PKCS #12 file containing the Admin Cert was + # placed under this infrastructure, it may accidentally + # be deleted! + # + if config.str2bool(master['pki_client_database_purge']): + if util.directory.exists(master['pki_client_subsystem_dir']): + util.directory.delete(master['pki_client_subsystem_dir']) + # If instance has not been configured, print the + # configuration URL to the log + if config.str2bool(master['pki_skip_configuration']): + util.configuration_file.log_configuration_url() + # Log final process messages + config.pki_log.info(log.PKISPAWN_END_MESSAGE_2, + master['pki_subsystem'], + master['pki_instance_name'], + extra=config.PKI_INDENTATION_LEVEL_0) + util.file.modify(master['pki_spawn_log'], silent=True) + # If instance has not been configured, print the + # configuration URL to the screen + if config.str2bool(master['pki_skip_configuration']): + util.configuration_file.display_configuration_url() + return self.rv + + def respawn(self): + config.pki_log.info(log.FINALIZATION_RESPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + + def destroy(self): + config.pki_log.info(log.FINALIZATION_DESTROY_1, __name__, + 
extra=config.PKI_INDENTATION_LEVEL_1) + util.file.modify(master['pki_destroy_log'], silent=True) + # Start this Apache/Tomcat PKI Process + if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ + util.instance.apache_instance_subsystems() >= 1: + util.systemd.start() + elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ + len(util.instance.tomcat_instance_subsystems()) >= 1: + util.systemd.start() + config.pki_log.info(log.PKIDESTROY_END_MESSAGE_2, + master['pki_subsystem'], + master['pki_instance_name'], + extra=config.PKI_INDENTATION_LEVEL_0) + return self.rv diff --git a/base/server/src/scriptlets/infrastructure_layout.py b/base/server/src/scriptlets/infrastructure_layout.py new file mode 100644 index 000000000..69a905849 --- /dev/null +++ b/base/server/src/scriptlets/infrastructure_layout.py 
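Review bot: The `pki_client_database_purge` branch of spawn() deletes `pki_client_subsystem_dir` wholesale and relies on a comment to warn that the Admin Cert PKCS #12 file may be destroyed with it. Since that file is the exported administrator credential, a runtime check would be safer than the warning: resolve the PKCS #12 export location and skip (or log and refuse) the purge when it lies under the directory being removed, or delete only the NSS database files and password configs this deployment created. The commented-out `# for record in manifest.database: / # print tuple(record)` debug loop above `manifest.file.register` should be dropped rather than shipped in a new file.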
@@ -0,0 +1,116 @@ +#!/usr/bin/python -t +# Authors: +# Matthew Harmsen <mharmsen@redhat.com> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2012 Red Hat, Inc. +# All rights reserved. +# + +# PKI Deployment Imports +import pkiconfig as config +from pkiconfig import pki_master_dict as master +import pkihelper as util +import pkimessages as log +import pkiscriptlet + + +# PKI Deployment Top-Level Infrastructure Layout Scriptlet +class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + rv = 0 + + def spawn(self): + if config.str2bool(master['pki_skip_installation']): + config.pki_log.info(log.SKIP_ADMIN_DOMAIN_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + config.pki_log.info(log.ADMIN_DOMAIN_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + # NOTE: It was determined that since the "pkidestroy" command + # relies upon a symbolic link to a replica of the original + # deployment configuration file used by the + # "pkispawn" command of an instance, it is necessary to + # create any required instance and subsystem directories + # in this top-level "infrastructure_layout" scriptlet + # (rather than the "instance_layout" and "subsystem_layout" + # scriptlets) so that a copy of this configuration file can + # be saved, and the required symbolic link can be created. 
+ # + # establish the top-level infrastructure, instance, and subsystem + # registry directories for storage of a copy of the original + # deployment configuration file used to spawn this instance, + # and save a copy of this file + util.directory.create(master['pki_registry_path']) + util.directory.create(master['pki_instance_type_registry_path']) + util.directory.create(master['pki_instance_registry_path']) + util.directory.create(master['pki_subsystem_registry_path']) + util.file.copy(master['pki_default_deployment_cfg'], + master['pki_default_deployment_cfg_replica']) + + print "Storing deployment configuration into " + config.pki_master_dict['pki_user_deployment_cfg_replica'] + "." + if master['pki_user_deployment_cfg']: + util.file.copy(master['pki_user_deployment_cfg'], + master['pki_user_deployment_cfg_replica']) + else: + with open(master['pki_user_deployment_cfg_replica'], 'w') as f: + config.user_config.write(f) + + # establish top-level infrastructure, instance, and subsystem + # base directories and create the "registry" symbolic link that + # the "pkidestroy" executable relies upon + util.directory.create(master['pki_path']) + util.directory.create(master['pki_instance_path']) + util.directory.create(master['pki_subsystem_path']) + util.symlink.create(master['pki_instance_registry_path'], + master['pki_subsystem_registry_link']) + # + # NOTE: If "infrastructure_layout" scriptlet execution has been + # successfully executed to this point, the "pkidestroy" command + # may always be utilized to remove the entire infrastructure. 
+ # + # no need to establish top-level infrastructure logs + # since it now stores 'pkispawn'/'pkidestroy' logs + # and will already exist + # util.directory.create(master['pki_log_path']) + # establish top-level infrastructure configuration + if master['pki_configuration_path'] !=\ + config.PKI_DEPLOYMENT_CONFIGURATION_ROOT: + util.directory.create(master['pki_configuration_path']) + return self.rv + + def respawn(self): + config.pki_log.info(log.ADMIN_DOMAIN_RESPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + + def destroy(self): + config.pki_log.info(log.ADMIN_DOMAIN_DESTROY_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + # remove top-level infrastructure base + if master['pki_subsystem'] in config.PKI_SUBSYSTEMS and\ + util.instance.pki_instance_subsystems() == 0: + # remove top-level infrastructure base + util.directory.delete(master['pki_path']) + # do NOT remove top-level infrastructure logs + # since it now stores 'pkispawn'/'pkidestroy' logs + # util.directory.delete(master['pki_log_path']) + # remove top-level infrastructure configuration + if util.directory.is_empty(master['pki_configuration_path'])\ + and master['pki_configuration_path'] !=\ + config.PKI_DEPLOYMENT_CONFIGURATION_ROOT: + util.directory.delete(master['pki_configuration_path']) + # remove top-level infrastructure registry + util.directory.delete(master['pki_registry_path']) + return self.rv diff --git a/base/server/src/scriptlets/initialization.py b/base/server/src/scriptlets/initialization.py new file mode 100644 index 000000000..3494ebdc7 --- /dev/null +++ b/base/server/src/scriptlets/initialization.py 
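Review bot: The `else` branch of spawn() writes the user deployment configuration replica through a plain `open(master['pki_user_deployment_cfg_replica'], 'w')`, so the file is created with whatever the process umask allows; initialization.py in this same series verifies SENSITIVE data in the deployment configuration, so this replica likely carries passwords and should receive the same ownership/permission treatment the rest of the scriptlets apply through `util.file.modify` (for example `util.file.modify(master['pki_user_deployment_cfg_replica'], uid=0, gid=0, perms=<restrictive mode>)` after the write, matching whatever the `util.file.copy` branch produces). The `print "Storing deployment configuration into " + config.pki_master_dict['pki_user_deployment_cfg_replica'] + "."` line bypasses `config.pki_log`, which every other message in this file uses, and reads `config.pki_master_dict` directly instead of the `master` alias imported at the top; prefer `config.pki_log.info(...)` with the file's `extra=config.PKI_INDENTATION_LEVEL_2` convention.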
@@ -0,0 +1,126 @@ +#!/usr/bin/python -t +# Authors: +# Matthew Harmsen <mharmsen@redhat.com> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2012 Red Hat, Inc. +# All rights reserved. +# + +# PKI Deployment Imports +import pkiconfig as config +from pkiconfig import pki_master_dict as master +import pkihelper as util +import pkimessages as log +import pkiscriptlet + + +# PKI Deployment Initialization Scriptlet +class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + rv = 0 + + def spawn(self): + # begin official logging + config.pki_log.info(log.PKISPAWN_BEGIN_MESSAGE_2, + master['pki_subsystem'], + master['pki_instance_name'], + extra=config.PKI_INDENTATION_LEVEL_0) + if config.str2bool(master['pki_skip_installation']): + config.pki_log.info(log.SKIP_INITIALIZATION_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + else: + config.pki_log.info(log.INITIALIZATION_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + if master['pki_subsystem'] == "CA" and\ + config.str2bool(master['pki_external_step_two']): + # verify that this type of "subsystem" currently EXISTS + # for this "instance" (External CA Step 2) + util.instance.verify_subsystem_exists() + master['pki_skip_installation'] = "True"; + else: + # verify that this type of "subsystem" does NOT yet + # exist for this "instance" + 
util.instance.verify_subsystem_does_not_exist() + # detect and avoid any namespace collisions + util.namespace.collision_detection() + # initialize 'uid' and 'gid' + util.identity.add_uid_and_gid(master['pki_user'], master['pki_group']) + # establish 'uid' and 'gid' + util.identity.set_uid(master['pki_user']) + util.identity.set_gid(master['pki_group']) + # verify existence of SENSITIVE configuration file data + util.configuration_file.verify_sensitive_data() + # verify existence of MUTUALLY EXCLUSIVE configuration file data + util.configuration_file.verify_mutually_exclusive_data() + # verify existence of PREDEFINED configuration file data + util.configuration_file.verify_predefined_configuration_file_data() + # verify selinux context of selected ports + util.configuration_file.populate_non_default_ports() + util.configuration_file.verify_selinux_ports() + return self.rv + + def respawn(self): + # begin official logging + config.pki_log.info(log.PKIRESPAWN_BEGIN_MESSAGE_2, + master['pki_subsystem'], + master['pki_instance_name'], + extra=config.PKI_INDENTATION_LEVEL_0) + config.pki_log.info(log.INITIALIZATION_RESPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + # verify that this type of "subsystem" currently EXISTS + # for this "instance" + util.instance.verify_subsystem_exists() + return self.rv + + def destroy(self): + # begin official logging + config.pki_log.info(log.PKIDESTROY_BEGIN_MESSAGE_2, + master['pki_subsystem'], + master['pki_instance_name'], + extra=config.PKI_INDENTATION_LEVEL_0) + config.pki_log.info(log.INITIALIZATION_DESTROY_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + # verify that this type of "subsystem" currently EXISTS + # for this "instance" + util.instance.verify_subsystem_exists() + # verify that the command-line parameters match the values + # that are present in the corresponding configuration file + util.configuration_file.verify_command_matches_configuration_file() + # establish 'uid' and 'gid' + 
util.identity.set_uid(master['pki_user']) + util.identity.set_gid(master['pki_group']) + # get ports to remove selinux context + util.configuration_file.populate_non_default_ports() + + # get deinstallation token + token = util.security_domain.get_installation_token( + config.pki_secdomain_user, config.pki_secdomain_pass) + + # remove kra connector from CA if this is a KRA + util.kra_connector.deregister() + + # de-register instance from its Security Domain + # + # NOTE: Since the security domain of an instance must be up + # and running in order to be de-registered, this step + # must be done PRIOR to instance shutdown because this + # instance's security domain may be a part of a + # tightly-coupled shared instance. + # + util.security_domain.deregister(token) + # ALWAYS Stop this Apache/Tomcat PKI Process + util.systemd.stop() + return self.rv diff --git a/base/server/src/scriptlets/instance_layout.py b/base/server/src/scriptlets/instance_layout.py new file mode 100644 index 000000000..843227a84 --- /dev/null +++ b/base/server/src/scriptlets/instance_layout.py 
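Review bot: Both spawn() and destroy() call `util.identity.set_uid(master['pki_user'])` before `util.identity.set_gid(master['pki_group'])`; if those helpers wrap `os.setuid`/`os.setgid`, the group must be changed first, because once the effective uid is no longer root the following setgid fails — either reorder to `set_gid` then `set_uid`, or document that the helpers only record the ids for later use. In destroy(), the `token` returned by `get_installation_token` is handed straight to `util.security_domain.deregister(token)` with no check; if that call can return None or an error value, the deregistration should be skipped with a logged error rather than attempted with a bad token. Minor: `master['pki_skip_installation'] = "True";` carries a stray trailing semicolon.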
@@ -0,0 +1,190 @@ +#!/usr/bin/python -t +# Authors: +# Matthew Harmsen <mharmsen@redhat.com> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2012 Red Hat, Inc. +# All rights reserved. +# + +# System Imports +import os + + +# PKI Deployment Imports +import pkiconfig as config +from pkiconfig import pki_master_dict as master +import pkihelper as util +import pkimessages as log +import pkiscriptlet +import os + + +# PKI Deployment Instance Layout Scriptlet +class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + rv = 0 + + def spawn(self): + if config.str2bool(master['pki_skip_installation']): + config.pki_log.info(log.SKIP_INSTANCE_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + config.pki_log.info(log.INSTANCE_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + # establish instance logs + util.directory.create(master['pki_instance_log_path']) + # establish instance configuration + util.directory.create(master['pki_instance_configuration_path']) + # establish Apache/Tomcat specific instance + if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + # establish Tomcat instance configuration + util.directory.copy(master['pki_source_server_path'], + master['pki_instance_configuration_path'], + overwrite_flag=True) + # establish Tomcat instance base + 
util.directory.create(master['pki_tomcat_common_path']) + util.directory.create(master['pki_tomcat_common_lib_path']) + # establish Tomcat instance library + util.directory.create(master['pki_instance_lib']) + for name in os.listdir(master['pki_tomcat_lib_path']): + util.symlink.create( + os.path.join( + master['pki_tomcat_lib_path'], + name), + os.path.join( + master['pki_instance_lib'], + name)) + util.symlink.create(master['pki_instance_conf_log4j_properties'], + master['pki_instance_lib_log4j_properties']) + util.directory.create(master['pki_tomcat_tmpdir_path']) + util.directory.create(master['pki_tomcat_webapps_path']) + util.directory.create(master['pki_tomcat_work_path']) + util.directory.create(master['pki_tomcat_work_catalina_path']) + util.directory.create(master['pki_tomcat_work_catalina_host_path']) + util.directory.create( + master['pki_tomcat_work_catalina_host_run_path']) + util.directory.create( + master['pki_tomcat_work_catalina_host_subsystem_path']) + # establish Tomcat instance logs + # establish Tomcat instance registry + # establish Tomcat instance convenience symbolic links + util.symlink.create(master['pki_tomcat_bin_path'], + master['pki_tomcat_bin_link']) + util.symlink.create(master['pki_tomcat_systemd'], + master['pki_instance_systemd_link'], + uid=0, gid=0) + # establish Tomcat instance common lib jar symbolic links + util.symlink.create(master['pki_apache_commons_collections_jar'], + master['pki_apache_commons_collections_jar_link']) + util.symlink.create(master['pki_apache_commons_lang_jar'], + master['pki_apache_commons_lang_jar_link']) + util.symlink.create(master['pki_apache_commons_logging_jar'], + master['pki_apache_commons_logging_jar_link']) + util.symlink.create(master['pki_commons_codec_jar'], + master['pki_commons_codec_jar_link']) + util.symlink.create(master['pki_httpclient_jar'], + master['pki_httpclient_jar_link']) + util.symlink.create(master['pki_httpcore_jar'], + master['pki_httpcore_jar_link']) + 
util.symlink.create(master['pki_javassist_jar'], + master['pki_javassist_jar_link']) + util.symlink.create(master['pki_resteasy_jaxrs_api_jar'], + master['pki_resteasy_jaxrs_api_jar_link']) + util.symlink.create(master['pki_jettison_jar'], + master['pki_jettison_jar_link']) + util.symlink.create(master['pki_jss_jar'], + master['pki_jss_jar_link']) + util.symlink.create(master['pki_ldapjdk_jar'], + master['pki_ldapjdk_jar_link']) + util.symlink.create(master['pki_tomcat_jar'], + master['pki_tomcat_jar_link']) + util.symlink.create(master['pki_resteasy_atom_provider_jar'], + master['pki_resteasy_atom_provider_jar_link']) + util.symlink.create(master['pki_resteasy_jaxb_provider_jar'], + master['pki_resteasy_jaxb_provider_jar_link']) + util.symlink.create(master['pki_resteasy_jaxrs_jar'], + master['pki_resteasy_jaxrs_jar_link']) + util.symlink.create(master['pki_resteasy_jettison_provider_jar'], + master['pki_resteasy_jettison_provider_jar_link']) + util.symlink.create(master['pki_scannotation_jar'], + master['pki_scannotation_jar_link']) + if master['pki_subsystem'] == 'TKS': + util.symlink.create(master['pki_symkey_jar'], + master['pki_symkey_jar_link']) + util.symlink.create(master['pki_tomcatjss_jar'], + master['pki_tomcatjss_jar_link']) + util.symlink.create(master['pki_velocity_jar'], + master['pki_velocity_jar_link']) + util.symlink.create(master['pki_xerces_j2_jar'], + master['pki_xerces_j2_jar_link']) + util.symlink.create(master['pki_xml_commons_apis_jar'], + master['pki_xml_commons_apis_jar_link']) + util.symlink.create(master['pki_xml_commons_resolver_jar'], + master['pki_xml_commons_resolver_jar_link']) + # establish shared NSS security databases for this instance + util.directory.create(master['pki_database_path']) + # establish instance convenience symbolic links + util.symlink.create(master['pki_database_path'], + master['pki_instance_database_link']) + util.symlink.create(master['pki_instance_configuration_path'], + master['pki_instance_conf_link']) + 
util.symlink.create(master['pki_instance_log_path'], + master['pki_instance_logs_link']) + return self.rv + + def respawn(self): + config.pki_log.info(log.INSTANCE_RESPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + + def destroy(self): + config.pki_log.info(log.INSTANCE_DESTROY_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + if master['pki_subsystem'] == 'TKS': + util.symlink.delete(master['pki_symkey_jar_link']) + if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ + util.instance.apache_instance_subsystems() == 0: + # remove Apache instance base + util.directory.delete(master['pki_instance_path']) + # remove Apache instance logs + # remove shared NSS security database path for this instance + util.directory.delete(master['pki_database_path']) + # remove Apache instance configuration + util.directory.delete(master['pki_instance_configuration_path']) + # remove Apache instance registry + util.directory.delete(master['pki_instance_registry_path']) + # remove Apache PKI registry (if empty) + if util.instance.apache_instances() == 0: + util.directory.delete( + master['pki_instance_type_registry_path']) + elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ + len(util.instance.tomcat_instance_subsystems()) == 0: + # remove Tomcat instance base + util.directory.delete(master['pki_instance_path']) + # remove Tomcat instance logs + util.directory.delete(master['pki_instance_log_path']) + # remove shared NSS security database path for this instance + util.directory.delete(master['pki_database_path']) + # remove Tomcat instance configuration + util.directory.delete(master['pki_instance_configuration_path']) + # remove PKI 'tomcat.conf' instance file + util.file.delete(master['pki_target_tomcat_conf_instance_id']) + # remove Tomcat instance registry + util.directory.delete(master['pki_instance_registry_path']) + # remove Tomcat PKI registry (if empty) + if util.instance.tomcat_instances() == 0: + 
util.directory.delete( + master['pki_instance_type_registry_path']) + return self.rv diff --git a/base/server/src/scriptlets/security_databases.py b/base/server/src/scriptlets/security_databases.py new file mode 100644 index 000000000..9ac4784e5 --- /dev/null +++ b/base/server/src/scriptlets/security_databases.py 
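Review bot: `import os` appears twice in the new file, once under `# System Imports` and again at the end of the PKI imports block; the second should be dropped. In destroy(), the Apache branch has the comment `# remove Apache instance logs` with no statement beneath it, while the Tomcat branch deletes `master['pki_instance_log_path']` at the same point — either the deletion is missing or the comment should state that logs are intentionally kept, as infrastructure_layout.py does for its log path. The loop over `os.listdir(master['pki_tomcat_lib_path'])` in spawn() symlinks every entry of that directory into the instance lib without filtering; if the directory is not fully controlled by the package, restricting the loop to the expected file type would be prudent.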
@@ -0,0 +1,119 @@ +#!/usr/bin/python -t +# Authors: +# Matthew Harmsen <mharmsen@redhat.com> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2012 Red Hat, Inc. +# All rights reserved. +# + +# PKI Deployment Imports +import pkiconfig as config +from pkiconfig import pki_master_dict as master +import pkihelper as util +import pkimessages as log +import pkiscriptlet + + +# PKI Deployment Security Databases Scriptlet +class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + rv = 0 + + def spawn(self): + if config.str2bool(master['pki_skip_installation']): + config.pki_log.info(log.SKIP_SECURITY_DATABASES_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + config.pki_log.info(log.SECURITY_DATABASES_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + util.password.create_password_conf( + master['pki_shared_password_conf'], + master['pki_pin']) + # Since 'certutil' does NOT strip the 'token=' portion of + # the 'token=password' entries, create a temporary server 'pfile' + # which ONLY contains the 'password' for the purposes of + # allowing 'certutil' to generate the security databases + util.password.create_password_conf( + master['pki_shared_pfile'], + master['pki_pin'], pin_sans_token=True) + util.file.modify(master['pki_shared_password_conf']) + util.certutil.create_security_databases( + 
master['pki_database_path'], + master['pki_cert_database'], + master['pki_key_database'], + master['pki_secmod_database'], + password_file=master['pki_shared_pfile']) + util.file.modify(master['pki_cert_database'], perms=\ + config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS) + util.file.modify(master['pki_key_database'], perms=\ + config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS) + util.file.modify(master['pki_secmod_database'], perms=\ + config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS) + + if len(util.instance.tomcat_instance_subsystems()) < 2: + # only create a self signed cert for a new instance + rv = util.certutil.verify_certificate_exists( + master['pki_database_path'], + master['pki_cert_database'], + master['pki_key_database'], + master['pki_secmod_database'], + master['pki_self_signed_token'], + master['pki_self_signed_nickname'], + password_file=master['pki_shared_pfile']) + if not rv: + util.file.generate_noise_file( + master['pki_self_signed_noise_file'], + master['pki_self_signed_noise_bytes']) + util.certutil.generate_self_signed_certificate( + master['pki_database_path'], + master['pki_cert_database'], + master['pki_key_database'], + master['pki_secmod_database'], + master['pki_self_signed_token'], + master['pki_self_signed_nickname'], + master['pki_self_signed_subject'], + master['pki_self_signed_serial_number'], + master['pki_self_signed_validity_period'], + master['pki_self_signed_issuer_name'], + master['pki_self_signed_trustargs'], + master['pki_self_signed_noise_file'], + password_file=master['pki_shared_pfile']) + # Delete the temporary 'noise' file + util.file.delete(master['pki_self_signed_noise_file']) + # Delete the temporary 'pfile' + util.file.delete(master['pki_shared_pfile']) + return self.rv + + def respawn(self): + config.pki_log.info(log.SECURITY_DATABASES_RESPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + + def destroy(self): + 
config.pki_log.info(log.SECURITY_DATABASES_DESTROY_1, __name__,
+ extra=config.PKI_INDENTATION_LEVEL_1)
+ if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
+ util.instance.apache_instance_subsystems() == 0:
+ util.file.delete(master['pki_cert_database'])
+ util.file.delete(master['pki_key_database'])
+ util.file.delete(master['pki_secmod_database'])
+ util.file.delete(master['pki_shared_password_conf'])
+ elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
+ len(util.instance.tomcat_instance_subsystems()) == 0:
+ util.file.delete(master['pki_cert_database'])
+ util.file.delete(master['pki_key_database'])
+ util.file.delete(master['pki_secmod_database'])
+ util.file.delete(master['pki_shared_password_conf'])
+ return self.rv
diff --git a/base/server/src/scriptlets/selinux_setup.py b/base/server/src/scriptlets/selinux_setup.py
new file mode 100644
index 000000000..552ab3f41
--- /dev/null
+++ b/base/server/src/scriptlets/selinux_setup.py
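Review bot: The temporary 'pfile' written by `create_password_conf(master['pki_shared_pfile'], master['pki_pin'], pin_sans_token=True)` holds the bare PIN, but its removal at the end of spawn() is unconditional only on the success path: if `create_security_databases`, `verify_certificate_exists` or `generate_self_signed_certificate` raises, the pfile stays on disk. Wrapping the certutil work in try/finally makes the cleanup run on failure too, and destroy() could delete `master['pki_shared_pfile']` defensively next to `pki_shared_password_conf`. The local `rv = util.certutil.verify_certificate_exists(...)` shadows the class attribute `rv` that spawn() returns; a name such as `cert_exists` avoids the confusion. Only the three database files get an explicit `PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS`; the mode `create_password_conf` gives the pfile and the shared password.conf is not visible here and is worth confirming.
```python
        try:
            util.file.modify(master['pki_shared_password_conf'])
            # … unchanged: security database creation, permissions,
            #    self-signed certificate check/generation, noise file cleanup …
        finally:
            # Delete the temporary 'pfile' even when a certutil step fails
            util.file.delete(master['pki_shared_pfile'])
        return self.rv
```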
@@ -0,0 +1,175 @@ +#!/usr/bin/python -t +# Authors: +# Ade Lee <alee@redhat.com> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2012 Red Hat, Inc. +# All rights reserved. +# + +# PKI Deployment Imports +import pkiconfig as config +from pkiconfig import pki_master_dict as master +from pkiconfig import pki_selinux_config_ports as ports +import pkihelper as util +import pkimessages as log +import pkiscriptlet +import selinux +if selinux.is_selinux_enabled(): + import seobject + + +# PKI Deployment Selinux Setup Scriptlet +class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + rv = 0 + suffix = "(/.*)?" 
+ + def restore_context(self): + selinux.restorecon(master['pki_instance_path'], True) + selinux.restorecon(config.PKI_DEPLOYMENT_LOG_ROOT, True) + selinux.restorecon(master['pki_instance_log_path'], True) + selinux.restorecon(master['pki_instance_configuration_path'], True) + + def spawn(self): + if config.str2bool(master['pki_skip_installation']): + config.pki_log.info(log.SKIP_SELINUX_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + + if not bool(selinux.is_selinux_enabled()): + config.pki_log.info(log.SELINUX_DISABLED_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + + config.pki_log.info(log.SELINUX_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + + # check first if any transactions are required + if len(ports) == 0 and master['pki_instance_name'] == \ + config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME: + self.restore_context() + return self.rv + + # add SELinux contexts when adding the first subsystem + if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ + util.instance.apache_instance_subsystems() == 1 or\ + master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ + len(util.instance.tomcat_instance_subsystems()) == 1: + + trans = seobject.semanageRecords("targeted") + trans.start() + if master['pki_instance_name'] != \ + config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME: + + fcon = seobject.fcontextRecords() + + config.pki_log.info("adding selinux fcontext \"%s\"", + master['pki_instance_path'] + self.suffix, + extra=config.PKI_INDENTATION_LEVEL_2) + fcon.add(master['pki_instance_path'] + self.suffix, + config.PKI_INSTANCE_SELINUX_CONTEXT, "", "s0", "") + + config.pki_log.info("adding selinux fcontext \"%s\"", + master['pki_instance_log_path'] + self.suffix, + extra=config.PKI_INDENTATION_LEVEL_2) + fcon.add(master['pki_instance_log_path'] + self.suffix, + config.PKI_LOG_SELINUX_CONTEXT, "", "s0", "") + + config.pki_log.info("adding selinux fcontext \"%s\"", + 
master['pki_instance_configuration_path'] + self.suffix, + extra=config.PKI_INDENTATION_LEVEL_2) + fcon.add(master['pki_instance_configuration_path'] + self.suffix, + config.PKI_CFG_SELINUX_CONTEXT, "", "s0", "") + + config.pki_log.info("adding selinux fcontext \"%s\"", + master['pki_database_path'] + self.suffix, + extra=config.PKI_INDENTATION_LEVEL_2) + fcon.add(master['pki_database_path'] + self.suffix, + config.PKI_CERTDB_SELINUX_CONTEXT, "", "s0", "") + + portRecords = seobject.portRecords() + for port in ports: + config.pki_log.info("adding selinux port %s", port, + extra=config.PKI_INDENTATION_LEVEL_2) + portRecords.add(port, "tcp", "s0", config.PKI_PORT_SELINUX_CONTEXT) + + trans.finish() + + self.restore_context() + return self.rv + + def respawn(self): + config.pki_log.info(log.SELINUX_RESPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + self.restore_context() + return self.rv + + def destroy(self): + if not bool(selinux.is_selinux_enabled()): + config.pki_log.info(log.SELINUX_DISABLED_DESTROY_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + config.pki_log.info(log.SELINUX_DESTROY_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + + # check first if any transactions are required + if len(ports) == 0 and master['pki_instance_name'] == \ + config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME: + return self.rv + + # remove SELinux contexts when removing the last subsystem + if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ + util.instance.apache_instance_subsystems() == 0 or\ + master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ + len(util.instance.tomcat_instance_subsystems()) == 0: + + trans = seobject.semanageRecords("targeted") + trans.start() + + if master['pki_instance_name'] != \ + config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME: + + fcon = seobject.fcontextRecords() + + config.pki_log.info("deleting selinux fcontext \"%s\"", + master['pki_instance_path'] + self.suffix, + 
extra=config.PKI_INDENTATION_LEVEL_2) + fcon.delete(master['pki_instance_path'] + self.suffix , "") + + config.pki_log.info("deleting selinux fcontext \"%s\"", + master['pki_instance_log_path'] + self.suffix, + extra=config.PKI_INDENTATION_LEVEL_2) + fcon.delete(master['pki_instance_log_path'] + self.suffix, "") + + config.pki_log.info("deleting selinux fcontext \"%s\"", + master['pki_instance_configuration_path'] + self.suffix, + extra=config.PKI_INDENTATION_LEVEL_2) + fcon.delete(master['pki_instance_configuration_path'] + \ + self.suffix, "") + + config.pki_log.info("deleting selinux fcontext \"%s\"", + master['pki_database_path'] + self.suffix, + extra=config.PKI_INDENTATION_LEVEL_2) + fcon.delete(master['pki_database_path'] + self.suffix , "") + + portRecords = seobject.portRecords() + for port in ports: + config.pki_log.info("deleting selinux port %s", port, + extra=config.PKI_INDENTATION_LEVEL_2) + portRecords.delete(port, "tcp") + + trans.finish() + + return self.rv diff --git a/base/server/src/scriptlets/slot_substitution.py b/base/server/src/scriptlets/slot_substitution.py new file mode 100644 index 000000000..205ed49f6 --- /dev/null +++ b/base/server/src/scriptlets/slot_substitution.py 
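Review bot: The semanage transaction in spawn() has no error handling: between `trans.start()` and `trans.finish()` any `fcon.add(...)` or `portRecords.add(...)` call can raise (seobject raises ValueError when a file context or port is already defined), which leaves the transaction uncommitted, skips `self.restore_context()` and propagates an unlogged exception to the caller; the destroy() transaction has the same shape. Logging the failure before re-raising keeps the labelling state explainable from the deployment log. The file-context specs are built as `path + self.suffix` without escaping, so an instance path containing regular-expression metacharacters would label more than the instance directory; if instance names are deployer-chosen, a comment or an escape step is warranted. The compound condition `A and B or C and D` on the Apache/Tomcat check reads more safely with explicit parentheses.
```python
            trans = seobject.semanageRecords("targeted")
            trans.start()
            try:
                # … unchanged: fcontext and port additions …
                trans.finish()
            except Exception:
                config.pki_log.exception("SELinux transaction failed",
                                         extra=config.PKI_INDENTATION_LEVEL_2)
                raise
```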
@@ -0,0 +1,103 @@ +#!/usr/bin/python -t +# Authors: +# Matthew Harmsen <mharmsen@redhat.com> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2012 Red Hat, Inc. +# All rights reserved. +# + +# PKI Deployment Imports +import pkiconfig as config +from pkiconfig import pki_master_dict as master +from pkiconfig import pki_slots_dict as slots +import pkihelper as util +import pkimessages as log +import pkiscriptlet + + +# PKI Deployment Slot Substitution Scriptlet +class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + rv = 0 + + def spawn(self): + if config.str2bool(master['pki_skip_installation']): + config.pki_log.info(log.SKIP_SLOT_ASSIGNMENT_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + config.pki_log.info(log.SLOT_ASSIGNMENT_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + util.file.copy_with_slot_substitution(master['pki_source_cs_cfg'], + master['pki_target_cs_cfg']) + util.file.copy_with_slot_substitution(master['pki_source_registry'], + master['pki_target_registry'], + uid=0, gid=0, overwrite_flag=True) + if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + util.file.copy_with_slot_substitution( + master['pki_source_catalina_properties'], + master['pki_target_catalina_properties'], + overwrite_flag=True) + util.file.copy_with_slot_substitution( + 
master['pki_source_servercertnick_conf'], + master['pki_target_servercertnick_conf'], + overwrite_flag=True) + util.file.copy_with_slot_substitution( + master['pki_source_server_xml'], + master['pki_target_server_xml'], + overwrite_flag=True) + util.file.copy_with_slot_substitution( + master['pki_source_context_xml'], + master['pki_target_context_xml'], + overwrite_flag=True) + util.file.copy_with_slot_substitution( + master['pki_source_tomcat_conf'], + master['pki_target_tomcat_conf_instance_id'], + uid=0, gid=0, overwrite_flag=True) + util.file.copy_with_slot_substitution( + master['pki_source_tomcat_conf'], + master['pki_target_tomcat_conf'], + overwrite_flag=True) + util.file.apply_slot_substitution( + master['pki_target_velocity_properties']) + util.file.apply_slot_substitution( + master['pki_target_subsystem_web_xml']) + # Strip "<filter>" section from subsystem "web.xml" + # This is ONLY necessary because XML comments cannot be "nested"! + #util.file.copy(master['pki_target_subsystem_web_xml'], + # master['pki_target_subsystem_web_xml_orig']) + #util.file.delete(master['pki_target_subsystem_web_xml']) + #util.xml_file.remove_filter_section_from_web_xml( + # master['pki_target_subsystem_web_xml_orig'], + # master['pki_target_subsystem_web_xml']) + #util.file.delete(master['pki_target_subsystem_web_xml_orig']) + if master['pki_subsystem'] == "CA": + util.file.copy_with_slot_substitution( + master['pki_source_proxy_conf'], + master['pki_target_proxy_conf']) + util.file.apply_slot_substitution( + master['pki_target_profileselect_template']) + return self.rv + + def respawn(self): + config.pki_log.info(log.SLOT_ASSIGNMENT_RESPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + + def destroy(self): + config.pki_log.info(log.SLOT_ASSIGNMENT_DESTROY_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + config.pki_log.info("NOTHING NEEDS TO BE IMPLEMENTED", + extra=config.PKI_INDENTATION_LEVEL_2) + return self.rv 
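Review bot: The seven commented-out lines after `# Strip "<filter>" section from subsystem "web.xml"` are dead code, and the two-line explanation above them now describes a step spawn() does not perform, so a reader cannot tell whether the filter section is still meant to be stripped. Either delete the block or replace it with one line such as `# TODO: the "<filter>" section of the subsystem "web.xml" is not stripped here (see util.xml_file.remove_filter_section_from_web_xml); XML comments cannot be nested`. Only the registry and the per-instance tomcat.conf copies pass `uid=0, gid=0`; the ownership and mode `copy_with_slot_substitution` gives the other targets, including `pki_target_cs_cfg`, is not visible in this hunk and would be worth stating in the scriptlet header comment.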
diff --git a/base/server/src/scriptlets/subsystem_layout.py b/base/server/src/scriptlets/subsystem_layout.py
new file mode 100644
index 000000000..c4c4c2283
--- /dev/null
+++ b/base/server/src/scriptlets/subsystem_layout.py
@@ -0,0 +1,126 @@ +#!/usr/bin/python -t +# Authors: +# Matthew Harmsen <mharmsen@redhat.com> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2012 Red Hat, Inc. +# All rights reserved. +# + +# PKI Deployment Imports +import pkiconfig as config +from pkiconfig import pki_master_dict as master +import pkihelper as util +import pkimessages as log +import pkiscriptlet + + +# PKI Deployment Subsystem Layout Scriptlet +class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + rv = 0 + + def spawn(self): + if config.str2bool(master['pki_skip_installation']): + config.pki_log.info(log.SKIP_SUBSYSTEM_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + config.pki_log.info(log.SUBSYSTEM_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + # establish instance-based subsystem logs + util.directory.create(master['pki_subsystem_log_path']) + util.directory.create(master['pki_subsystem_archive_log_path']) + if master['pki_subsystem'] in config.PKI_SIGNED_AUDIT_SUBSYSTEMS: + util.directory.create(master['pki_subsystem_signed_audit_log_path']) + # establish instance-based subsystem configuration + util.directory.create(master['pki_subsystem_configuration_path']) + # util.directory.copy(master['pki_source_conf_path'], + # master['pki_subsystem_configuration_path']) + # establish instance-based Apache/Tomcat specific 
subsystems + if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + # establish instance-based Tomcat PKI subsystem base + if master['pki_subsystem'] == "CA": + util.directory.copy(master['pki_source_emails'], + master['pki_subsystem_emails_path']) + util.directory.copy(master['pki_source_profiles'], + master['pki_subsystem_profiles_path']) + # establish instance-based Tomcat PKI subsystem logs + # establish instance-based Tomcat PKI subsystem configuration + if master['pki_subsystem'] == "CA": + util.file.copy(master['pki_source_flatfile_txt'], + master['pki_target_flatfile_txt']) + util.file.copy(master['pki_source_registry_cfg'], + master['pki_target_registry_cfg']) + # '*.profile' + util.file.copy(master['pki_source_admincert_profile'], + master['pki_target_admincert_profile']) + util.file.copy(master['pki_source_caauditsigningcert_profile'], + master['pki_target_caauditsigningcert_profile']) + util.file.copy(master['pki_source_cacert_profile'], + master['pki_target_cacert_profile']) + util.file.copy(master['pki_source_caocspcert_profile'], + master['pki_target_caocspcert_profile']) + util.file.copy(master['pki_source_servercert_profile'], + master['pki_target_servercert_profile']) + util.file.copy(master['pki_source_subsystemcert_profile'], + master['pki_target_subsystemcert_profile']) + elif master['pki_subsystem'] == "KRA": + # '*.profile' + util.file.copy(master['pki_source_servercert_profile'], + master['pki_target_servercert_profile']) + util.file.copy(master['pki_source_storagecert_profile'], + master['pki_target_storagecert_profile']) + util.file.copy(master['pki_source_subsystemcert_profile'], + master['pki_target_subsystemcert_profile']) + util.file.copy(master['pki_source_transportcert_profile'], + master['pki_target_transportcert_profile']) + # establish instance-based Tomcat PKI subsystem registry + # establish instance-based Tomcat PKI subsystem convenience + # symbolic links + util.symlink.create(master['pki_tomcat_webapps_path'], + 
master['pki_subsystem_tomcat_webapps_link']) + # establish instance-based subsystem convenience symbolic links + util.symlink.create(master['pki_instance_database_link'], + master['pki_subsystem_database_link']) + util.symlink.create(master['pki_subsystem_configuration_path'], + master['pki_subsystem_conf_link']) + util.symlink.create(master['pki_subsystem_log_path'], + master['pki_subsystem_logs_link']) + util.symlink.create(master['pki_instance_registry_path'], + master['pki_subsystem_registry_link']) + return self.rv + + def respawn(self): + config.pki_log.info(log.SUBSYSTEM_RESPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + + def destroy(self): + config.pki_log.info(log.SUBSYSTEM_DESTROY_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + # remove instance-based subsystem base + if master['pki_subsystem'] == "CA": + util.directory.delete(master['pki_subsystem_emails_path']) + util.directory.delete(master['pki_subsystem_profiles_path']) + util.directory.delete(master['pki_subsystem_path']) + # remove instance-based subsystem logs + if master['pki_subsystem'] in config.PKI_SIGNED_AUDIT_SUBSYSTEMS: + util.directory.delete(master['pki_subsystem_signed_audit_log_path']) + util.directory.delete(master['pki_subsystem_archive_log_path']) + util.directory.delete(master['pki_subsystem_log_path']) + # remove instance-based subsystem configuration + util.directory.delete(master['pki_subsystem_configuration_path']) + # remove instance-based subsystem registry + util.directory.delete(master['pki_subsystem_registry_path']) + return self.rv diff --git a/base/server/src/scriptlets/webapp_deployment.py b/base/server/src/scriptlets/webapp_deployment.py new file mode 100644 index 000000000..e72752ee8 --- /dev/null +++ b/base/server/src/scriptlets/webapp_deployment.py 
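Review bot: Three comment headings in spawn() have no code under them — `# establish instance-based Tomcat PKI subsystem logs`, `# establish instance-based Tomcat PKI subsystem registry` and the commented-out `# util.directory.copy(master['pki_source_conf_path'], ...)` — so they read as forgotten steps rather than steps done elsewhere; either delete them or say where that work happens. destroy() removes `master['pki_subsystem_path']` and `master['pki_subsystem_registry_path']`, neither of which spawn() creates in this file; if another scriptlet creates them, a one-line comment on the delete would make the pairing clear. The CA and KRA `'*.profile'` copies repeat the servercert and subsystemcert profiles; a loop over the per-subsystem profile names would remove the duplicated copy calls, though that is only style.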
@@ -0,0 +1,170 @@ +#!/usr/bin/python -t +# Authors: +# Matthew Harmsen <mharmsen@redhat.com> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2012 Red Hat, Inc. +# All rights reserved. +# + +# System Imports +import os + + +# PKI Deployment Imports +import pkiconfig as config +from pkiconfig import pki_master_dict as master +import pkihelper as util +import pkimessages as log +import pkiscriptlet + + +# PKI Web Application Deployment Scriptlet +class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + rv = 0 + + def spawn(self): + if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + if config.str2bool(master['pki_skip_installation']): + config.pki_log.info(log.SKIP_WEBAPP_DEPLOYMENT_SPAWN_1, + __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + config.pki_log.info(log.WEBAPP_DEPLOYMENT_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + + # Copy /usr/share/pki/server/webapps/ROOT + # to <instance>/webapps/ROOT + util.directory.create(master['pki_tomcat_webapps_root_path']) + util.directory.copy( + os.path.join( + config.PKI_DEPLOYMENT_SOURCE_ROOT, + "server", + "webapps", + "ROOT"), + master['pki_tomcat_webapps_root_path'], + overwrite_flag=True) + + util.directory.create(master['pki_tomcat_webapps_common_path']) + + # If desired and available, + # copy selected server theme + # to 
<instance>/webapps/pki + if config.str2bool(master['pki_theme_enable']) and\ + os.path.exists(master['pki_theme_server_dir']): + util.directory.copy(master['pki_theme_server_dir'], + master['pki_tomcat_webapps_common_path'], + overwrite_flag=True) + + # Copy /usr/share/pki/server/webapps/pki/js + # to <instance>/webapps/pki/js + util.directory.copy( + os.path.join( + config.PKI_DEPLOYMENT_SOURCE_ROOT, + "server", + "webapps", + "pki", + "js"), + os.path.join( + master['pki_tomcat_webapps_common_path'], + "js"), + overwrite_flag=True) + + # Copy /usr/share/pki/server/webapps/pki/META-INF + # to <instance>/webapps/pki/META-INF + util.directory.copy( + os.path.join( + config.PKI_DEPLOYMENT_SOURCE_ROOT, + "server", + "webapps", + "pki", + "META-INF"), + os.path.join( + master['pki_tomcat_webapps_common_path'], + "META-INF"), + overwrite_flag=True) + + # Copy /usr/share/pki/server/webapps/pki/admin + # to <instance>/webapps/<subsystem>/admin + # TODO: common templates should be deployed in common webapp + util.directory.create(master['pki_tomcat_webapps_subsystem_path']) + util.directory.copy( + os.path.join( + config.PKI_DEPLOYMENT_SOURCE_ROOT, + "server", + "webapps", + "pki", + "admin"), + os.path.join( + master['pki_tomcat_webapps_subsystem_path'], + "admin"), + overwrite_flag=True) + + # Copy /usr/share/pki/<subsystem>/webapps/<subsystem> + # to <instance>/webapps/<subsystem> + util.directory.copy( + os.path.join( + config.PKI_DEPLOYMENT_SOURCE_ROOT, + master['pki_subsystem'].lower(), + "webapps", + master['pki_subsystem'].lower()), + master['pki_tomcat_webapps_subsystem_path'], + overwrite_flag=True) + + util.directory.create( + master['pki_tomcat_webapps_subsystem_webinf_classes_path']) + util.directory.create( + master['pki_tomcat_webapps_subsystem_webinf_lib_path']) + # establish Tomcat webapps subsystem WEB-INF lib symbolic links + util.symlink.create(master['pki_certsrv_jar'], + master['pki_certsrv_jar_link']) + util.symlink.create(master['pki_cmsbundle'], + 
master['pki_cmsbundle_jar_link']) + util.symlink.create(master['pki_cmscore'], + master['pki_cmscore_jar_link']) + util.symlink.create(master['pki_cms'], + master['pki_cms_jar_link']) + util.symlink.create(master['pki_cmsutil'], + master['pki_cmsutil_jar_link']) + util.symlink.create(master['pki_nsutil'], + master['pki_nsutil_jar_link']) + if master['pki_subsystem'] == "CA": + util.symlink.create(master['pki_ca_jar'], + master['pki_ca_jar_link']) + elif master['pki_subsystem'] == "KRA": + util.symlink.create(master['pki_kra_jar'], + master['pki_kra_jar_link']) + elif master['pki_subsystem'] == "OCSP": + util.symlink.create(master['pki_ocsp_jar'], + master['pki_ocsp_jar_link']) + elif master['pki_subsystem'] == "TKS": + util.symlink.create(master['pki_tks_jar'], + master['pki_tks_jar_link']) + # set ownerships, permissions, and acls + util.directory.set_mode(master['pki_tomcat_webapps_subsystem_path']) + return self.rv + + def respawn(self): + if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + config.pki_log.info(log.WEBAPP_DEPLOYMENT_RESPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + + def destroy(self): + if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + config.pki_log.info(log.WEBAPP_DEPLOYMENT_DESTROY_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + util.directory.delete(master['pki_tomcat_webapps_subsystem_path']) + return self.rv |
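Review bot: `os.path.join(config.PKI_DEPLOYMENT_SOURCE_ROOT, "server", "webapps", ...)` is rebuilt four times in spawn(); computing `source_webapps = os.path.join(config.PKI_DEPLOYMENT_SOURCE_ROOT, "server", "webapps")` once lets each copy read as `os.path.join(source_webapps, "pki", "js")` and keeps the source root in one place. Only the subsystem webapp is passed to `util.directory.set_mode(...)` at the end; `pki_tomcat_webapps_root_path` and `pki_tomcat_webapps_common_path` are created and filled with `overwrite_flag=True` but never given the same call, so the deployed ROOT and common webapps keep whatever ownership and permissions `directory.copy` leaves — worth confirming that is intended, or adding `set_mode` for them. The `elif` chain selecting the subsystem jar link has no final branch, so a subsystem outside CA/KRA/OCSP/TKS silently gets no jar link; a comment stating that is expected would help.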