diff options
Diffstat (limited to 'base/server/src')
19 files changed, 7301 insertions, 0 deletions
diff --git a/base/server/src/engine/pkiconfig.py b/base/server/src/engine/pkiconfig.py new file mode 100644 index 000000000..ad6c22251 --- /dev/null +++ b/base/server/src/engine/pkiconfig.py @@ -0,0 +1,185 @@ +#!/usr/bin/python -t +# Authors: +# Matthew Harmsen <mharmsen@redhat.com> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2012 Red Hat, Inc. +# All rights reserved. +# +import re + +# PKI Deployment Constants +PKI_DEPLOYMENT_DEFAULT_CLIENT_DIR_PERMISSIONS = 00755 +PKI_DEPLOYMENT_DEFAULT_DIR_PERMISSIONS = 00770 +PKI_DEPLOYMENT_DEFAULT_EXE_PERMISSIONS = 00770 +PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS = 00660 +PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS = 00600 +PKI_DEPLOYMENT_DEFAULT_SGID_DIR_PERMISSIONS = 02770 +PKI_DEPLOYMENT_DEFAULT_SYMLINK_PERMISSIONS = 00777 +PKI_DEPLOYMENT_DEFAULT_UMASK = 00002 + +PKI_DEPLOYMENT_DEFAULT_COMMENT = "'Certificate System'" +PKI_DEPLOYMENT_DEFAULT_GID = 17 +PKI_DEPLOYMENT_DEFAULT_GROUP = "pkiuser" +PKI_DEPLOYMENT_DEFAULT_SHELL = "/sbin/nologin" +PKI_DEPLOYMENT_DEFAULT_UID = 17 +PKI_DEPLOYMENT_DEFAULT_USER = "pkiuser" + +PKI_SUBSYSTEMS = ["CA","KRA","OCSP","RA","TKS","TPS"] +PKI_SIGNED_AUDIT_SUBSYSTEMS = ["CA","KRA","OCSP","TKS","TPS"] +PKI_APACHE_SUBSYSTEMS = ["RA","TPS"] +PKI_TOMCAT_SUBSYSTEMS = ["CA","KRA","OCSP","TKS"] +PKI_BASE_RESERVED_NAMES = ["alias", "bin", "ca", "common", "conf", "kra", + "lib", "logs", "ocsp", "temp", "tks", "webapps", + "work"] +PKI_CONFIGURATION_RESERVED_NAMES = ["CA", "java", "nssdb", "rpm-gpg", + "rsyslog", "tls"] +PKI_APACHE_REGISTRY_RESERVED_NAMES = ["ra", "tps"] +PKI_TOMCAT_REGISTRY_RESERVED_NAMES = ["ca", "kra", "ocsp", "tks"] + +PKI_INDENTATION_LEVEL_0 = {'indent' : ''} +PKI_INDENTATION_LEVEL_1 = {'indent' : '... '} +PKI_INDENTATION_LEVEL_2 = {'indent' : '....... '} +PKI_INDENTATION_LEVEL_3 = {'indent' : '........... '} +PKI_INDENTATION_LEVEL_4 = {'indent' : '............... '} + +PKI_DEPLOYMENT_INTERRUPT_BANNER = "-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+"\ + "-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-" + +PKI_DEPLOYMENT_SOURCE_ROOT = "/usr/share/pki" +PKI_DEPLOYMENT_BASE_ROOT = "/var/lib/pki" +# NOTE: Top-level "/etc/pki" is owned by the "filesystem" package! +PKI_DEPLOYMENT_CONFIGURATION_ROOT = "/etc/pki" +PKI_DEPLOYMENT_LOG_ROOT = "/var/log/pki" +# NOTE: Well-known 'registry root', default 'instance', and default +# 'configuration file' names MUST be created in order to potentially +# obtain an instance-specific configuration file +# (presuming one has not been specified during command-line parsing) +# because command-line parsing happens prior to reading any +# configuration files. Although the 'registry root' MUST remain fixed, +# the default 'instance' name may be overridden by the value specified +# in the configuration file (the value in the default configuration file +# should always match the 'default' instance name specified below). +PKI_DEPLOYMENT_DEFAULT_APACHE_INSTANCE_NAME = "pki-apache" +PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME = "pki-tomcat" + +DEFAULT_DEPLOYMENT_CONFIGURATION = "default.cfg" +USER_DEPLOYMENT_CONFIGURATION = "deployment.cfg" + +PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE =\ + PKI_DEPLOYMENT_CONFIGURATION_ROOT + "/" + DEFAULT_DEPLOYMENT_CONFIGURATION +PKI_DEPLOYMENT_SLOTS_CONFIGURATION_FILE =\ + PKI_DEPLOYMENT_SOURCE_ROOT + "/deployment/config/pkislots.cfg" + +# subtypes of PKI subsystems +PKI_DEPLOYMENT_CLONED_PKI_SUBSYSTEM = "Cloned" +PKI_DEPLOYMENT_EXTERNAL_CA = "External" +PKI_DEPLOYMENT_SUBORDINATE_CA = "Subordinate" + +# default ports (for defined selinux policy) +PKI_DEPLOYMENT_DEFAULT_TOMCAT_HTTP_PORT = 8080 +PKI_DEPLOYMENT_DEFAULT_TOMCAT_HTTPS_PORT = 8443 +PKI_DEPLOYMENT_DEFAULT_TOMCAT_SERVER_PORT = 8005 +PKI_DEPLOYMENT_DEFAULT_TOMCAT_AJP_PORT = 8009 + +# PKI Deployment Global Variables +pki_install_time = None +pki_timestamp = None +pki_architecture = None +pki_hostname = None + + +# PKI Deployment Command-Line Variables +pki_deployment_executable = None + +# PKI Deployment "Mandatory" Command-Line Variables +pki_subsystem = None +# 'pkispawn' ONLY +default_deployment_cfg = None +user_deployment_cfg = None +# 'pkidestroy' ONLY +pki_deployed_instance_name = None +pki_secdomain_user = None +pki_secdomain_pass = None + +# PKI Deployment "Optional" Command-Line Variables +# 'pkispawn' ONLY +pki_update_flag = False + +# PKI Deployment "Test" Command-Line Variables +pki_root_prefix = None + + +# PKI Deployment Helper Functions +def str2bool(string): + return string.lower() in ("yes", "true", "t", "1") + +# NOTE: To utilize the 'preparations_for_an_external_java_debugger(master)' +# and 'wait_to_attach_an_external_java_debugger(master)' functions, +# change 'pki_enable_java_debugger=False' to +# 'pki_enable_java_debugger=True' in the appropriate +# deployment configuration file. +def prepare_for_an_external_java_debugger(instance): + print + print PKI_DEPLOYMENT_INTERRUPT_BANNER + print + print "The following 'JAVA_OPTS' MUST be enabled (uncommented) in" + print "'%s':" % instance + print + print " JAVA_OPTS=\"-Xdebug -Xrunjdwp:transport=dt_socket,\"" + print " \"address=8000,server=y,suspend\"" + print + raw_input("Enable external java debugger 'JAVA_OPTS' "\ + "and press return to continue . . . ") + print + print PKI_DEPLOYMENT_INTERRUPT_BANNER + print + return + +def wait_to_attach_an_external_java_debugger(): + print + print PKI_DEPLOYMENT_INTERRUPT_BANNER + print + print "Attach the java debugger to this process on the port specified by" + print "the 'address' selected by 'JAVA_OPTS' (e. g. - port 8000) and" + print "set any desired breakpoints" + print + raw_input("Please attach an external java debugger "\ + "and press return to continue . . . ") + print + print PKI_DEPLOYMENT_INTERRUPT_BANNER + print + return + + +# PKI Deployment Logger Variables +pki_log = None +pki_log_dir = None +pki_log_name = None +pki_log_level = None +pki_console_log_level = None + + +# PKI Deployment Global Dictionaries +pki_master_dict = {} +pki_slots_dict = None + +# PKI Selinux Constants and parameters +PKI_INSTANCE_SELINUX_CONTEXT = "pki_tomcat_var_lib_t" +PKI_LOG_SELINUX_CONTEXT = "pki_tomcat_log_t" +PKI_CFG_SELINUX_CONTEXT = "pki_tomcat_etc_rw_t" +PKI_CERTDB_SELINUX_CONTEXT = "pki_tomcat_cert_t" +PKI_PORT_SELINUX_CONTEXT = "http_port_t" +pki_selinux_config_ports = [] diff --git a/base/server/src/engine/pkihelper.py b/base/server/src/engine/pkihelper.py new file mode 100644 index 000000000..df71978ed --- /dev/null +++ b/base/server/src/engine/pkihelper.py @@ -0,0 +1,3397 @@ +#!/usr/bin/python -t + +# Authors: +# Matthew Harmsen <mharmsen@redhat.com> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2012 Red Hat, Inc. +# All rights reserved. +# + +# System Imports +import errno +import sys +import os +import fileinput +import pickle +import random +import re +import requests +import shutil +import string +import subprocess +import time +from datetime import datetime +from grp import getgrgid +from grp import getgrnam +from pwd import getpwnam +from pwd import getpwuid +import xml.etree.ElementTree as ET +import zipfile +import selinux +if selinux.is_selinux_enabled(): + import seobject + + +# PKI Deployment Imports +import pkiconfig as config +from pkiconfig import pki_master_dict as master +from pkiconfig import pki_slots_dict as slots +from pkiconfig import pki_selinux_config_ports as ports +import pkimanifest as manifest +import pkimessages as log +from pkiparser import PKIConfigParser +import pki.account +import pki.client +import pki.system + +# PKI Deployment Helper Functions +def pki_copytree(src, dst, symlinks=False, ignore=None): + """Recursively copy a directory tree using copy2(). + + PATCH: This code was copied from 'shutil.py' and patched to + allow 'The destination directory to already exist.' + + If exception(s) occur, an Error is raised with a list of reasons. + + If the optional symlinks flag is true, symbolic links in the + source tree result in symbolic links in the destination tree; if + it is false, the contents of the files pointed to by symbolic + links are copied. + + The optional ignore argument is a callable. If given, it + is called with the `src` parameter, which is the directory + being visited by pki_copytree(), and `names` which is the list of + `src` contents, as returned by os.listdir(): + + callable(src, names) -> ignored_names + + Since pki_copytree() is called recursively, the callable will be + called once for each directory that is copied. It returns a + list of names relative to the `src` directory that should + not be copied. + + XXX Consider this example code rather than the ultimate tool. + + """ + names = os.listdir(src) + if ignore is not None: + ignored_names = ignore(src, names) + else: + ignored_names = set() + + # PATCH: ONLY execute 'os.makedirs(dst)' if the top-level + # destination directory does NOT exist! + if not os.path.exists(dst): + os.makedirs(dst) + errors = [] + for name in names: + if name in ignored_names: + continue + srcname = os.path.join(src, name) + dstname = os.path.join(dst, name) + try: + if symlinks and os.path.islink(srcname): + linkto = os.readlink(srcname) + os.symlink(linkto, dstname) + elif os.path.isdir(srcname): + pki_copytree(srcname, dstname, symlinks, ignore) + else: + # Will raise a SpecialFileError for unsupported file types + shutil.copy2(srcname, dstname) + # catch the Error from the recursive pki_copytree so that we can + # continue with other files + except Error, err: + errors.extend(err.args[0]) + except EnvironmentError, why: + errors.append((srcname, dstname, str(why))) + try: + shutil.copystat(src, dst) + except OSError, why: + if WindowsError is not None and isinstance(why, WindowsError): + # Copying file access times may fail on Windows + pass + else: + errors.extend((src, dst, str(why))) + if errors: + raise Error, errors + +# PKI Deployment Identity Class +class identity: + def __add_gid(self, pki_group): + pki_gid = None + try: + # Does the specified 'pki_group' exist? + pki_gid = getgrnam(pki_group)[2] + # Yes, group 'pki_group' exists! + config.pki_log.info(log.PKIHELPER_GROUP_ADD_2, pki_group, pki_gid, + extra=config.PKI_INDENTATION_LEVEL_2) + except KeyError as exc: + # No, group 'pki_group' does not exist! + config.pki_log.debug(log.PKIHELPER_GROUP_ADD_KEYERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + try: + # Is the default well-known GID already defined? + group = getgrgid(config.PKI_DEPLOYMENT_DEFAULT_GID)[0] + # Yes, the default well-known GID exists! + config.pki_log.info(log.PKIHELPER_GROUP_ADD_DEFAULT_2, + group, config.PKI_DEPLOYMENT_DEFAULT_GID, + extra=config.PKI_INDENTATION_LEVEL_2) + # Attempt to create 'pki_group' using a random GID. + command = "/usr/sbin/groupadd" + " " +\ + pki_group + " " +\ + "> /dev/null 2>&1" + except KeyError as exc: + # No, the default well-known GID does not exist! + config.pki_log.debug(log.PKIHELPER_GROUP_ADD_GID_KEYERROR_1, + exc, extra=config.PKI_INDENTATION_LEVEL_2) + # Is the specified 'pki_group' the default well-known group? + if pki_group == config.PKI_DEPLOYMENT_DEFAULT_GROUP: + # Yes, attempt to create the default well-known group + # using the default well-known GID. + command = "/usr/sbin/groupadd" + " " +\ + "-g" + " " +\ + str(config.PKI_DEPLOYMENT_DEFAULT_GID) + " " +\ + "-r" + " " +\ + pki_group + " " +\ + "> /dev/null 2>&1" + else: + # No, attempt to create 'pki_group' using a random GID. + command = "/usr/sbin/groupadd" + " " +\ + pki_group + " " +\ + "> /dev/null 2>&1" + # Execute this "groupadd" command. + subprocess.call(command, shell=True) + except subprocess.CalledProcessError as exc: + config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + return + + def __add_uid(self, pki_user, pki_group): + pki_uid = None + try: + # Does the specified 'pki_user' exist? + pki_uid = getpwnam(pki_user)[2] + # Yes, user 'pki_user' exists! + config.pki_log.info(log.PKIHELPER_USER_ADD_2, pki_user, pki_uid, + extra=config.PKI_INDENTATION_LEVEL_2) + # NOTE: For now, never check validity of specified 'pki_group'! + except KeyError as exc: + # No, user 'pki_user' does not exist! + config.pki_log.debug(log.PKIHELPER_USER_ADD_KEYERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + try: + # Is the default well-known UID already defined? + user = getpwuid(config.PKI_DEPLOYMENT_DEFAULT_UID)[0] + # Yes, the default well-known UID exists! + config.pki_log.info(log.PKIHELPER_USER_ADD_DEFAULT_2, + user, config.PKI_DEPLOYMENT_DEFAULT_UID, + extra=config.PKI_INDENTATION_LEVEL_2) + # Attempt to create 'pki_user' using a random UID. + command = "/usr/sbin/useradd" + " " +\ + "-g" + " " +\ + pki_group + " " +\ + "-d" + " " +\ + config.PKI_DEPLOYMENT_SOURCE_ROOT + " " +\ + "-s" + " " +\ + config.PKI_DEPLOYMENT_DEFAULT_SHELL + " " +\ + "-c" + " " +\ + config.PKI_DEPLOYMENT_DEFAULT_COMMENT + " " +\ + pki_user + " " +\ + "> /dev/null 2>&1" + except KeyError as exc: + # No, the default well-known UID does not exist! + config.pki_log.debug(log.PKIHELPER_USER_ADD_UID_KEYERROR_1, + exc, extra=config.PKI_INDENTATION_LEVEL_2) + # Is the specified 'pki_user' the default well-known user? + if pki_user == config.PKI_DEPLOYMENT_DEFAULT_USER: + # Yes, attempt to create the default well-known user + # using the default well-known UID. + command = "/usr/sbin/useradd" + " " +\ + "-g" + " " +\ + pki_group + " " +\ + "-d" + " " +\ + config.PKI_DEPLOYMENT_SOURCE_ROOT + " " +\ + "-s" + " " +\ + config.PKI_DEPLOYMENT_DEFAULT_SHELL + " " +\ + "-c" + " " +\ + config.PKI_DEPLOYMENT_DEFAULT_COMMENT + " " +\ + "-u" + " " +\ + str(config.PKI_DEPLOYMENT_DEFAULT_UID) + " " +\ + "-r" + " " +\ + pki_user + " " +\ + "> /dev/null 2>&1" + else: + # No, attempt to create 'pki_user' using a random UID. + command = "/usr/sbin/useradd" + " " +\ + "-g" + " " +\ + pki_group + " " +\ + "-d" + " " +\ + config.PKI_DEPLOYMENT_SOURCE_ROOT + " " +\ + "-s" + " " +\ + config.PKI_DEPLOYMENT_DEFAULT_SHELL + " " +\ + "-c" + " " +\ + config.PKI_DEPLOYMENT_DEFAULT_COMMENT + " " +\ + pki_user + " " +\ + "> /dev/null 2>&1" + # Execute this "useradd" command. + subprocess.call(command, shell=True) + except subprocess.CalledProcessError as exc: + config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + return + + def add_uid_and_gid(self, pki_user, pki_group): + self.__add_gid(pki_group) + self.__add_uid(pki_user, pki_group) + return + + def get_uid(self, critical_failure=True): + try: + pki_uid = master['pki_uid'] + except KeyError as exc: + config.pki_log.error(log.PKI_KEYERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return pki_uid + + def get_gid(self, critical_failure=True): + try: + pki_gid = master['pki_gid'] + except KeyError as exc: + config.pki_log.error(log.PKI_KEYERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return pki_gid + + def set_uid(self, name, critical_failure=True): + try: + config.pki_log.debug(log.PKIHELPER_USER_1, name, + extra=config.PKI_INDENTATION_LEVEL_2) + # id -u <name> + pki_uid = getpwnam(name)[2] + master['pki_uid']=pki_uid + config.pki_log.debug(log.PKIHELPER_UID_2, name, pki_uid, + extra=config.PKI_INDENTATION_LEVEL_3) + except KeyError as exc: + config.pki_log.error(log.PKI_KEYERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return pki_uid + + def set_gid(self, name, critical_failure=True): + try: + config.pki_log.debug(log.PKIHELPER_GROUP_1, name, + extra=config.PKI_INDENTATION_LEVEL_2) + # id -g <name> + pki_gid = getgrnam(name)[2] + master['pki_gid']=pki_gid + config.pki_log.debug(log.PKIHELPER_GID_2, name, pki_gid, + extra=config.PKI_INDENTATION_LEVEL_3) + except KeyError as exc: + config.pki_log.error(log.PKI_KEYERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return pki_gid + + +# PKI Deployment Namespace Class +class namespace: + # Silently verify that the selected 'pki_instance_name' will + # NOT produce any namespace collisions + def collision_detection(self): + # Run simple checks for pre-existing namespace collisions + if os.path.exists(master['pki_instance_path']): + if os.path.exists(master['pki_subsystem_path']): + # Top-Level PKI base path collision + config.pki_log.error( + log.PKIHELPER_NAMESPACE_COLLISION_2, + master['pki_instance_name'], + master['pki_instance_path'], + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + else: + if os.path.exists(master['pki_target_tomcat_conf_instance_id']): + # Top-Level "/etc/sysconfig" path collision + config.pki_log.error( + log.PKIHELPER_NAMESPACE_COLLISION_2, + master['pki_instance_name'], + master['pki_target_tomcat_conf_instance_id'], + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if os.path.exists(master['pki_cgroup_systemd_service']): + # Systemd cgroup path collision + config.pki_log.error( + log.PKIHELPER_NAMESPACE_COLLISION_2, + master['pki_instance_name'], + master['pki_cgroup_systemd_service_path'], + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if os.path.exists(master['pki_cgroup_cpu_systemd_service']): + # Systemd cgroup CPU path collision + config.pki_log.error( + log.PKIHELPER_NAMESPACE_COLLISION_2, + master['pki_instance_name'], + master['pki_cgroup_cpu_systemd_service_path'], + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if os.path.exists(master['pki_instance_log_path']) and\ + os.path.exists(master['pki_subsystem_log_path']): + # Top-Level PKI log path collision + config.pki_log.error( + log.PKIHELPER_NAMESPACE_COLLISION_2, + master['pki_instance_name'], + master['pki_instance_log_path'], + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if os.path.exists(master['pki_instance_configuration_path']) and\ + os.path.exists(master['pki_subsystem_configuration_path']): + # Top-Level PKI configuration path collision + config.pki_log.error( + log.PKIHELPER_NAMESPACE_COLLISION_2, + master['pki_instance_name'], + master['pki_instance_configuration_path'], + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if os.path.exists(master['pki_instance_registry_path']) and\ + os.path.exists(master['pki_subsystem_registry_path']): + # Top-Level PKI registry path collision + config.pki_log.error( + log.PKIHELPER_NAMESPACE_COLLISION_2, + master['pki_instance_name'], + master['pki_instance_registry_path'], + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Run simple checks for reserved name namespace collisions + if master['pki_instance_name'] in config.PKI_BASE_RESERVED_NAMES: + # Top-Level PKI base path reserved name collision + config.pki_log.error( + log.PKIHELPER_NAMESPACE_RESERVED_NAME_2, + master['pki_instance_name'], + master['pki_instance_path'], + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # No need to check for reserved name under Top-Level PKI log path + if master['pki_instance_name'] in config.PKI_CONFIGURATION_RESERVED_NAMES: + # Top-Level PKI configuration path reserved name collision + config.pki_log.error( + log.PKIHELPER_NAMESPACE_RESERVED_NAME_2, + master['pki_instance_name'], + master['pki_instance_configuration_path'], + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS: + # Top-Level Apache PKI registry path reserved name collision + if master['pki_instance_name'] in\ + config.PKI_APACHE_REGISTRY_RESERVED_NAMES: + config.pki_log.error( + log.PKIHELPER_NAMESPACE_RESERVED_NAME_2, + master['pki_instance_name'], + master['pki_instance_registry_path'], + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + # Top-Level Tomcat PKI registry path reserved name collision + if master['pki_instance_name'] in\ + config.PKI_TOMCAT_REGISTRY_RESERVED_NAMES: + config.pki_log.error( + log.PKIHELPER_NAMESPACE_RESERVED_NAME_2, + master['pki_instance_name'], + master['pki_instance_registry_path'], + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + + +# PKI Deployment Configuration File Class +class configuration_file: + def log_configuration_url(self): + # NOTE: This is the one and only parameter containing a sensitive + # parameter that may be stored in a log file. + config.pki_log.info(log.PKI_CONFIGURATION_WIZARD_URL_1, + master['pki_configuration_url'], + extra=config.PKI_INDENTATION_LEVEL_2) + config.pki_log.info(log.PKI_CONFIGURATION_WIZARD_RESTART_1, + master['pki_registry_initscript_command'], + extra=config.PKI_INDENTATION_LEVEL_2) + + def display_configuration_url(self): + # NOTE: This is the one and only parameter containing a sensitive + # parameter that may be displayed to the screen. + print log.PKI_CONFIGURATION_URL_1 % master['pki_configuration_url'] + print + print log.PKI_CONFIGURATION_RESTART_1 %\ + master['pki_registry_initscript_command'] + print + + def verify_sensitive_data(self): + # Silently verify the existence of 'sensitive' data + if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + # Verify existence of Directory Server Password (ALWAYS) + if not master.has_key('pki_ds_password') or\ + not len(master['pki_ds_password']): + config.pki_log.error( + log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, + "pki_ds_password", + master['pki_user_deployment_cfg'], + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Verify existence of Admin Password (except for Clones) + if not config.str2bool(master['pki_clone']): + if not master.has_key('pki_admin_password') or\ + not len(master['pki_admin_password']): + config.pki_log.error( + log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, + "pki_admin_password", + master['pki_user_deployment_cfg'], + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # If required, verify existence of Backup Password + if config.str2bool(master['pki_backup_keys']): + if not master.has_key('pki_backup_password') or\ + not len(master['pki_backup_password']): + config.pki_log.error( + log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, + "pki_backup_password", + master['pki_user_deployment_cfg'], + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Verify existence of Client Pin for NSS client security databases + if not master.has_key('pki_client_database_password') or\ + not len(master['pki_client_database_password']): + config.pki_log.error( + log.PKIHELPER_UNDEFINED_CLIENT_DATABASE_PASSWORD_2, + "pki_client_database_password", + master['pki_user_deployment_cfg'], + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Verify existence of Client PKCS #12 Password for Admin Cert + if not master.has_key('pki_client_pkcs12_password') or\ + not len(master['pki_client_pkcs12_password']): + config.pki_log.error( + log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, + "pki_client_pkcs12_password", + master['pki_user_deployment_cfg'], + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Verify existence of PKCS #12 Password (ONLY for Clones) + if config.str2bool(master['pki_clone']): + if not master.has_key('pki_clone_pkcs12_password') or\ + not len(master['pki_clone_pkcs12_password']): + config.pki_log.error( + log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, + "pki_clone_pkcs12_password", + master['pki_user_deployment_cfg'], + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Verify existence of Security Domain Password File + # (ONLY for Clones, KRA, OCSP, TKS, or Subordinate CA) + if config.str2bool(master['pki_clone']) or\ + not master['pki_subsystem'] == "CA" or\ + config.str2bool(master['pki_subordinate']): + if not master.has_key('pki_security_domain_password') or\ + not len(master['pki_security_domain_password']): + config.pki_log.error( + log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, + "pki_security_domain_password", + master['pki_user_deployment_cfg'], + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # If required, verify existence of Token Password + if not master['pki_token_name'] == "internal": + if not master.has_key('pki_token_password') or\ + not len(master['pki_token_password']): + config.pki_log.error( + log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, + "pki_token_password", + master['pki_user_deployment_cfg'], + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + return + + def verify_mutually_exclusive_data(self): + # Silently verify the existence of 'mutually exclusive' data + if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + if master['pki_subsystem'] == "CA": + if config.str2bool(master['pki_clone']) and\ + config.str2bool(master['pki_external']) and\ + config.str2bool(master['pki_subordinate']): + config.pki_log.error( + log.PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_SUB_CA, + master['pki_user_deployment_cfg'], + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + elif config.str2bool(master['pki_clone']) and\ + config.str2bool(master['pki_external']): + config.pki_log.error( + log.PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_CA, + master['pki_user_deployment_cfg'], + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + elif config.str2bool(master['pki_clone']) and\ + config.str2bool(master['pki_subordinate']): + config.pki_log.error( + log.PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_SUB_CA, + master['pki_user_deployment_cfg'], + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + elif config.str2bool(master['pki_external']) and\ + config.str2bool(master['pki_subordinate']): + config.pki_log.error( + log.PKIHELPER_MUTUALLY_EXCLUSIVE_EXTERNAL_SUB_CA, + master['pki_user_deployment_cfg'], + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + + def verify_predefined_configuration_file_data(self): + # Silently verify the existence of any required 'predefined' data + # + # FUTURE: As much as is possible, alter this routine to verify + # ALL name/value pairs for the requested configuration + # scenario. This should include checking for the + # "existence" of ALL required "name" parameters, as well as + # the "existence", "type" (e. g. - string, boolean, number, + # etc.), and "correctness" (e. g. - file, directory, boolean + # 'True' or 'False', etc.) of ALL required "value" parameters. + # + if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + if config.str2bool(master['pki_clone']): + # Verify existence of clone parameters + if not master.has_key('pki_ds_base_dn') or\ + not len(master['pki_ds_base_dn']): + config.pki_log.error( + log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, + "pki_ds_base_dn", + master['pki_user_deployment_cfg'], + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if not master.has_key('pki_ds_ldap_port') or\ + not len(master['pki_ds_ldap_port']): + # FUTURE: Check for unused port value + # (e. g. - must be different from master if the + # master is located on the same host) + config.pki_log.error( + log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, + "pki_ds_ldap_port", + master['pki_user_deployment_cfg'], + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if not master.has_key('pki_ds_ldaps_port') or\ + not len(master['pki_ds_ldaps_port']): + # FUTURE: Check for unused port value + # (e. g. - must be different from master if the + # master is located on the same host) + config.pki_log.error( + log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, + "pki_ds_ldaps_port", + master['pki_user_deployment_cfg'], + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # NOTE: Although this will be checked prior to getting to + # this method, this clone's 'pki_instance_name' MUST + # be different from the master's 'pki_instance_name' + # IF AND ONLY IF the master and clone are located on + # the same host! + if not master.has_key('pki_ajp_port') or\ + not len(master['pki_ajp_port']): + # FUTURE: Check for unused port value + # (e. g. - must be different from master if the + # master is located on the same host) + config.pki_log.error( + log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, + "pki_ajp_port", + master['pki_user_deployment_cfg'], + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if not master.has_key('pki_http_port') or\ + not len(master['pki_http_port']): + # FUTURE: Check for unused port value + # (e. g. - must be different from master if the + # master is located on the same host) + config.pki_log.error( + log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, + "pki_http_port", + master['pki_user_deployment_cfg'], + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if not master.has_key('pki_https_port') or\ + not len(master['pki_https_port']): + # FUTURE: Check for unused port value + # (e. g. - must be different from master if the + # master is located on the same host) + config.pki_log.error( + log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, + "pki_https_port", + master['pki_user_deployment_cfg'], + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if not master.has_key('pki_tomcat_server_port') or\ + not len(master['pki_tomcat_server_port']): + # FUTURE: Check for unused port value + # (e. g. - must be different from master if the + # master is located on the same host) + config.pki_log.error( + log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, + "pki_tomcat_server_port", + master['pki_user_deployment_cfg'], + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if not master.has_key('pki_clone_pkcs12_path') or\ + not len(master['pki_clone_pkcs12_path']): + config.pki_log.error( + log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, + "pki_clone_pkcs12_path", + master['pki_user_deployment_cfg'], + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + elif not os.path.isfile(master['pki_clone_pkcs12_path']): + config.pki_log.error( + log.PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1, + master['pki_clone_pkcs12_path'], + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if not master.has_key('pki_clone_replication_security') or\ + not len(master['pki_clone_replication_security']): + config.pki_log.error( + log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, + "pki_clone_replication_security", + master['pki_user_deployment_cfg'], + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if not master.has_key('pki_clone_uri') or\ + not len(master['pki_clone_uri']): + config.pki_log.error( + log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, + "pki_clone_uri", + master['pki_user_deployment_cfg'], + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + elif master['pki_subsystem'] == "CA" and\ + config.str2bool(master['pki_external']): + if not master.has_key('pki_external_step_two') or\ + not len(master['pki_external_step_two']): + config.pki_log.error( + log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, + "pki_external_step_two", + master['pki_user_deployment_cfg'], + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if not config.str2bool(master['pki_external_step_two']): + # External CA (Step 1) + if not master.has_key('pki_external_csr_path') or\ + not len(master['pki_external_csr_path']): + config.pki_log.error( + log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, + "pki_external_csr_path", + master['pki_user_deployment_cfg'], + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + elif os.path.exists(master['pki_external_csr_path']) and\ + not os.path.isfile(master['pki_external_csr_path']): + config.pki_log.error( + log.PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1, + master['pki_external_csr_path'], + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + else: + # External CA (Step 2) + if not master.has_key('pki_external_ca_cert_chain_path') or\ + not len(master['pki_external_ca_cert_chain_path']): + config.pki_log.error( + log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, + "pki_external_ca_cert_chain_path", + master['pki_user_deployment_cfg'], + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + elif os.path.exists( + master['pki_external_ca_cert_chain_path']) and\ + not os.path.isfile( + master['pki_external_ca_cert_chain_path']): + config.pki_log.error( + log.PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1, + master['pki_external_ca_cert_chain_path'], + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if not master.has_key('pki_external_ca_cert_path') or\ + not len(master['pki_external_ca_cert_path']): + config.pki_log.error( + log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2, + "pki_external_ca_cert_path", + master['pki_user_deployment_cfg'], + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + elif os.path.exists(master['pki_external_ca_cert_path']) and\ + not os.path.isfile( + master['pki_external_ca_cert_path']): + config.pki_log.error( + log.PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1, + master['pki_external_ca_cert_path'], + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + return + + def populate_non_default_ports(self): + if master['pki_http_port'] != \ + str(config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_HTTP_PORT): + ports.append(master['pki_http_port']) + if master['pki_https_port'] != \ + str(config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_HTTPS_PORT): + ports.append(master['pki_https_port']) + if master['pki_tomcat_server_port'] != \ + str(config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_SERVER_PORT): + ports.append(master['pki_tomcat_server_port']) + if master['pki_ajp_port'] != \ + str(config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_AJP_PORT): + ports.append(master['pki_ajp_port']) + return + + def verify_selinux_ports(self): + # Determine which ports still need to be labelled, and if any are + # incorrectly labelled + if len(ports) == 0: + return + + if not bool(selinux.is_selinux_enabled()): + config.pki_log.error( + log.PKIHELPER_SELINUX_DISABLED, + extra=config.PKI_INDENTATION_LEVEL_2) + return + + portrecs = seobject.portRecords().get_all() + portlist = ports[:] + for port in portlist: + context = "" + for i in portrecs: + if portrecs[i][0] == "unreserved_port_t" or \ + portrecs[i][0] == "reserved_port_t" or \ + i[2] != "tcp": + continue + if i[0] <= int(port) and int(port) <= i[1]: + context = portrecs[i][0] + break + if context == "": + # port has no current context + # leave it in list of ports to set + continue + elif context == config.PKI_PORT_SELINUX_CONTEXT: + # port is already set correctly + # remove from list of ports to set + ports.remove(port) + else: + config.pki_log.error( + log.PKIHELPER_INVALID_SELINUX_CONTEXT_FOR_PORT, + port, context, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + return + + def verify_command_matches_configuration_file(self): + # Silently verify that the command-line parameters match the values + # that are present in the corresponding configuration file + if master['pki_deployment_executable'] == 'pkidestroy': + if master['pki_deployed_instance_name'] !=\ + master['pki_instance_name']: + config.pki_log.error( + log.PKIHELPER_COMMAND_LINE_PARAMETER_MISMATCH_2, + master['pki_deployed_instance_name'], + master['pki_instance_name'], + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + return + + + +# PKI Deployment XML File Class +#class xml_file: +# def remove_filter_section_from_web_xml(self, +# web_xml_source, +# web_xml_target): +# config.pki_log.info(log.PKIHELPER_REMOVE_FILTER_SECTION_1, +# master['pki_target_subsystem_web_xml'], +# extra=config.PKI_INDENTATION_LEVEL_2) +# begin_filters_section = False +# begin_servlet_section = False +# FILE = open(web_xml_target, "w") +# for line in fileinput.FileInput(web_xml_source): +# if not begin_filters_section: +# # Read and write lines until first "<filter>" tag +# if line.count("<filter>") >= 1: +# # Mark filters section +# begin_filters_section = True +# else: +# FILE.write(line) +# elif not begin_servlet_section: +# # Skip lines until first "<servlet>" tag +# if line.count("<servlet>") >= 1: +# # Mark servlets section and write out the opening tag +# begin_servlet_section = True +# FILE.write(line) +# else: +# continue +# else: +# # Read and write lines all lines after "<servlet>" tag +# FILE.write(line) +# FILE.close() + + +# PKI Deployment Instance Class +class instance: + def apache_instance_subsystems(self): + rv = 0 + try: + # count number of PKI subsystems present + # within the specified Apache instance + for subsystem in config.PKI_APACHE_SUBSYSTEMS: + path = master['pki_instance_path'] + "/" + subsystem.lower() + if os.path.exists(path) and os.path.isdir(path): + rv = rv + 1 + config.pki_log.debug(log.PKIHELPER_APACHE_INSTANCE_SUBSYSTEMS_2, + master['pki_instance_path'], + rv, extra=config.PKI_INDENTATION_LEVEL_2) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + return rv + + def apache_instances(self): + rv = 0 + try: + # Since ALL directories under the top-level PKI 'apache' registry + # directory SHOULD represent PKI Apache instances, and there + # shouldn't be any stray files or symbolic links at this level, + # simply count the number of PKI 'apache' instances (directories) + # present within the PKI 'apache' registry directory + for instance in\ + os.listdir(master['pki_instance_type_registry_path']): + if os.path.isdir( + os.path.join(master['pki_instance_type_registry_path'], + instance)) and not\ + os.path.islink( + os.path.join(master['pki_instance_type_registry_path'], + instance)): + rv = rv + 1 + config.pki_log.debug(log.PKIHELPER_APACHE_INSTANCES_2, + master['pki_instance_type_registry_path'], + rv, + extra=config.PKI_INDENTATION_LEVEL_2) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + return rv + + def pki_instance_subsystems(self): + rv = 0 + try: + # Since ALL directories within the top-level PKI infrastructure + # SHOULD represent PKI instances, look for all possible + # PKI instances within the top-level PKI infrastructure + for instance in os.listdir(master['pki_path']): + if os.path.isdir(os.path.join(master['pki_path'],instance))\ + and not\ + os.path.islink(os.path.join(master['pki_path'],instance)): + dir = os.path.join(master['pki_path'],instance) + # Since ANY directory within this PKI instance COULD + # be a PKI subsystem, look for all possible + # PKI subsystems within this PKI instance + for name in os.listdir(dir): + if os.path.isdir(os.path.join(dir,name)) and\ + not os.path.islink(os.path.join(dir,name)): + if name.upper() in config.PKI_SUBSYSTEMS: + rv = rv + 1 + config.pki_log.debug(log.PKIHELPER_PKI_INSTANCE_SUBSYSTEMS_2, + master['pki_instance_path'], rv, + extra=config.PKI_INDENTATION_LEVEL_2) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + return rv + + def tomcat_instance_subsystems(self): + # Return list of PKI subsystems in the specified tomcat instance + rv = [] + try: + for subsystem in config.PKI_TOMCAT_SUBSYSTEMS: + path = master['pki_instance_path'] + "/" + subsystem.lower() + if os.path.exists(path) and os.path.isdir(path): + rv.append(subsystem) + except OSErr as e: + config.pki_log.error(log.PKI_OSERROR_1, str(e), + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + return rv + + def tomcat_instances(self): + rv = 0 + try: + # Since ALL directories under the top-level PKI 'tomcat' registry + # directory SHOULD represent PKI Tomcat instances, and there + # shouldn't be any stray files or symbolic links at this level, + # simply count the number of PKI 'tomcat' instances (directories) + # present within the PKI 'tomcat' registry directory + for instance in\ + os.listdir(master['pki_instance_type_registry_path']): + if os.path.isdir( + os.path.join(master['pki_instance_type_registry_path'], + instance)) and not\ + os.path.islink( + os.path.join(master['pki_instance_type_registry_path'], + instance)): + rv = rv + 1 + config.pki_log.debug(log.PKIHELPER_TOMCAT_INSTANCES_2, + master['pki_instance_type_registry_path'], + rv, + extra=config.PKI_INDENTATION_LEVEL_2) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + return rv + + def verify_subsystem_exists(self): + try: + if not os.path.exists(master['pki_subsystem_path']): + config.pki_log.error(log.PKI_SUBSYSTEM_DOES_NOT_EXIST_2, + master['pki_subsystem'], + master['pki_instance_name'], + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + + def verify_subsystem_does_not_exist(self): + try: + if os.path.exists(master['pki_subsystem_path']): + config.pki_log.error(log.PKI_SUBSYSTEM_ALREADY_EXISTS_2, + master['pki_subsystem'], + master['pki_instance_name'], + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + + def get_instance_status(self): + self.connection = pki.client.PKIConnection( + protocol='https', + hostname=master['pki_hostname'], + port=master['pki_https_port'], + subsystem=master['pki_subsystem_type'], + accept = 'application/xml') + + try: + client = pki.system.SystemStatusClient(self.connection) + response = client.getStatus() + config.pki_log.debug(response, + extra=config.PKI_INDENTATION_LEVEL_3) + + root = ET.fromstring(response) + status = root.findtext("Status") + return status + except requests.exceptions.ConnectionError: + config.pki_log.debug("No connection", + extra=config.PKI_INDENTATION_LEVEL_3) + return None + + def wait_for_startup(self, timeout): + start_time = datetime.today() + status = None + while status != "running": + status = self.get_instance_status() + time.sleep(1); + stop_time = datetime.today() + if (stop_time - start_time).total_seconds() >= timeout: + break + return status + +# PKI Deployment Directory Class +class directory: + def create(self, name, uid=None, gid=None, + perms=config.PKI_DEPLOYMENT_DEFAULT_DIR_PERMISSIONS, + acls=None, critical_failure=True): + try: + if not os.path.exists(name): + # mkdir -p <name> + config.pki_log.info(log.PKIHELPER_MKDIR_1, name, + extra=config.PKI_INDENTATION_LEVEL_2) + os.makedirs(name) + # chmod <perms> <name> + config.pki_log.debug(log.PKIHELPER_CHMOD_2, perms, name, + extra=config.PKI_INDENTATION_LEVEL_3) + os.chmod(name, perms) + # chown <uid>:<gid> <name> + if uid == None: + uid = identity.get_uid() + if gid == None: + gid = identity.get_gid() + config.pki_log.debug(log.PKIHELPER_CHOWN_3, + uid, gid, name, + extra=config.PKI_INDENTATION_LEVEL_3) + os.chown(name, uid, gid) + # Store record in installation manifest + record = manifest.record() + record.name = name + record.type = manifest.RECORD_TYPE_DIRECTORY + record.user = master['pki_user'] + record.group = master['pki_group'] + record.uid = uid + record.gid = gid + record.permissions = perms + record.acls = acls + manifest.database.append(record) + elif not os.path.isdir(name): + config.pki_log.error( + log.PKI_DIRECTORY_ALREADY_EXISTS_NOT_A_DIRECTORY_1, name, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + except OSError as exc: + if exc.errno == errno.EEXIST: + pass + else: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + def modify(self, name, uid=None, gid=None, + perms=config.PKI_DEPLOYMENT_DEFAULT_DIR_PERMISSIONS, + acls=None, silent=False, critical_failure=True): + try: + if os.path.exists(name): + if not os.path.isdir(name): + config.pki_log.error( + log.PKI_DIRECTORY_ALREADY_EXISTS_NOT_A_DIRECTORY_1, + name, extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + # Always re-process each directory whether it needs it or not + if not silent: + config.pki_log.info(log.PKIHELPER_MODIFY_DIR_1, name, + extra=config.PKI_INDENTATION_LEVEL_2) + # chmod <perms> <name> + if not silent: + config.pki_log.debug(log.PKIHELPER_CHMOD_2, perms, name, + extra=config.PKI_INDENTATION_LEVEL_3) + os.chmod(name, perms) + # chown <uid>:<gid> <name> + if uid == None: + uid = identity.get_uid() + if gid == None: + gid = identity.get_gid() + if not silent: + config.pki_log.debug(log.PKIHELPER_CHOWN_3, + uid, gid, name, + extra=config.PKI_INDENTATION_LEVEL_3) + os.chown(name, uid, gid) + # Store record in installation manifest + if not silent: + record = manifest.record() + record.name = name + record.type = manifest.RECORD_TYPE_DIRECTORY + record.user = master['pki_user'] + record.group = master['pki_group'] + record.uid = uid + record.gid = gid + record.permissions = perms + record.acls = acls + manifest.database.append(record) + else: + config.pki_log.error( + log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, name, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + def delete(self, name, recursive_flag=True, critical_failure=True): + try: + if not os.path.exists(name) or not os.path.isdir(name): + # Simply issue a warning and continue + config.pki_log.warning( + log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, name, + extra=config.PKI_INDENTATION_LEVEL_2) + else: + if recursive_flag == True: + # rm -rf <name> + config.pki_log.info(log.PKIHELPER_RM_RF_1, name, + extra=config.PKI_INDENTATION_LEVEL_2) + shutil.rmtree(name) + else: + # rmdir <name> + config.pki_log.info(log.PKIHELPER_RMDIR_1, name, + extra=config.PKI_INDENTATION_LEVEL_2) + os.rmdir(name) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + def exists(self, name): + try: + if not os.path.exists(name) or not os.path.isdir(name): + return False + else: + return True + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + + def is_empty(self, name): + try: + if not os.listdir(name): + config.pki_log.debug(log.PKIHELPER_DIRECTORY_IS_EMPTY_1, + name, extra=config.PKI_INDENTATION_LEVEL_2) + return True + else: + config.pki_log.debug(log.PKIHELPER_DIRECTORY_IS_NOT_EMPTY_1, + name, extra=config.PKI_INDENTATION_LEVEL_2) + return False + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + + def set_mode(self, name, uid=None, gid=None, + dir_perms=config.PKI_DEPLOYMENT_DEFAULT_DIR_PERMISSIONS, + file_perms=config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS, + symlink_perms=\ + config.PKI_DEPLOYMENT_DEFAULT_SYMLINK_PERMISSIONS, + dir_acls=None, file_acls=None, symlink_acls=None, + recursive_flag=True, critical_failure=True): + try: + if not os.path.exists(name) or not os.path.isdir(name): + config.pki_log.error( + log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, name, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + else: + config.pki_log.info( + log.PKIHELPER_SET_MODE_1, name, + extra=config.PKI_INDENTATION_LEVEL_2) + if uid == None: + uid = identity.get_uid() + if gid == None: + gid = identity.get_gid() + if recursive_flag == True: + for root, dirs, files in os.walk(name): + for name in files: + entity = os.path.join(root, name) + if not os.path.islink(entity): + file = entity + config.pki_log.debug( + log.PKIHELPER_IS_A_FILE_1, file, + extra=config.PKI_INDENTATION_LEVEL_3) + # chmod <file_perms> <name> + config.pki_log.debug(log.PKIHELPER_CHMOD_2, + file_perms, file, + extra=config.PKI_INDENTATION_LEVEL_3) + os.chmod(file, file_perms) + # chown <uid>:<gid> <name> + config.pki_log.debug(log.PKIHELPER_CHOWN_3, + uid, gid, file, + extra=config.PKI_INDENTATION_LEVEL_3) + os.chown(file, uid, gid) + # Store record in installation manifest + record = manifest.record() + record.name = name + record.type = manifest.RECORD_TYPE_FILE + record.user = master['pki_user'] + record.group = master['pki_group'] + record.uid = uid + record.gid = gid + record.permissions = file_perms + record.acls = file_acls + manifest.database.append(record) + else: + symlink = entity + config.pki_log.debug( + log.PKIHELPER_IS_A_SYMLINK_1, symlink, + extra=config.PKI_INDENTATION_LEVEL_3) + # REMINDER: Due to POSIX compliance, 'lchmod' + # is NEVER implemented on Linux + # systems since 'chmod' CANNOT be + # run directly against symbolic + # links! + # chown -h <uid>:<gid> <symlink> + config.pki_log.debug(log.PKIHELPER_CHOWN_H_3, + uid, gid, symlink, + extra=config.PKI_INDENTATION_LEVEL_3) + os.lchown(symlink, uid, gid) + # Store record in installation manifest + record = manifest.record() + record.name = name + record.type = manifest.RECORD_TYPE_SYMLINK + record.user = master['pki_user'] + record.group = master['pki_group'] + record.uid = uid + record.gid = gid + record.permissions = symlink_perms + record.acls = symlink_acls + manifest.database.append(record) + for name in dirs: + dir = os.path.join(root, name) + config.pki_log.debug( + log.PKIHELPER_IS_A_DIRECTORY_1, dir, + extra=config.PKI_INDENTATION_LEVEL_3) + # chmod <dir_perms> <name> + config.pki_log.debug(log.PKIHELPER_CHMOD_2, + dir_perms, dir, + extra=config.PKI_INDENTATION_LEVEL_3) + os.chmod(dir, dir_perms) + # chown <uid>:<gid> <name> + config.pki_log.debug(log.PKIHELPER_CHOWN_3, + uid, gid, dir, + extra=config.PKI_INDENTATION_LEVEL_3) + os.chown(dir, uid, gid) + # Store record in installation manifest + record = manifest.record() + record.name = name + record.type = manifest.RECORD_TYPE_DIRECTORY + record.user = master['pki_user'] + record.group = master['pki_group'] + record.uid = uid + record.gid = gid + record.permissions = dir_perms + record.acls = dir_acls + manifest.database.append(record) + else: + config.pki_log.debug( + log.PKIHELPER_IS_A_DIRECTORY_1, name, + extra=config.PKI_INDENTATION_LEVEL_3) + name = os.path.join(root, name) + # chmod <dir_perms> <name> + config.pki_log.debug(log.PKIHELPER_CHMOD_2, + dir_perms, name, + extra=config.PKI_INDENTATION_LEVEL_3) + os.chmod(name, dir_perms) + # chown <uid>:<gid> <name> + config.pki_log.debug(log.PKIHELPER_CHOWN_3, + uid, gid, name, + extra=config.PKI_INDENTATION_LEVEL_3) + os.chown(name, uid, gid) + # Store record in installation manifest + record = manifest.record() + record.name = name + record.type = manifest.RECORD_TYPE_DIRECTORY + record.user = master['pki_user'] + record.group = master['pki_group'] + record.uid = uid + record.gid = gid + record.permissions = dir_perms + record.acls = dir_acls + manifest.database.append(record) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + + def copy(self, old_name, new_name, uid=None, gid=None, + dir_perms=config.PKI_DEPLOYMENT_DEFAULT_DIR_PERMISSIONS, + file_perms=config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS, + symlink_perms=config.PKI_DEPLOYMENT_DEFAULT_SYMLINK_PERMISSIONS, + dir_acls=None, file_acls=None, symlink_acls=None, + recursive_flag=True, overwrite_flag=False, critical_failure=True): + try: + if not os.path.exists(old_name) or not os.path.isdir(old_name): + config.pki_log.error( + log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, old_name, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + else: + if os.path.exists(new_name): + if not overwrite_flag: + config.pki_log.error( + log.PKI_DIRECTORY_ALREADY_EXISTS_1, new_name, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if recursive_flag == True: + # cp -rp <old_name> <new_name> + config.pki_log.info(log.PKIHELPER_CP_RP_2, + old_name, new_name, + extra=config.PKI_INDENTATION_LEVEL_2) + # Due to a limitation in the 'shutil.copytree()' + # implementation which requires that + # 'The destination directory must not already exist.', + # an OSError exception is always thrown due to the + # implementation's unchecked call to 'os.makedirs(dst)'. + # Consequently, a 'patched' local copy of this routine has + # been included in this file with the appropriate fix. + pki_copytree(old_name, new_name) + else: + # cp -p <old_name> <new_name> + config.pki_log.info(log.PKIHELPER_CP_P_2, + old_name, new_name, + extra=config.PKI_INDENTATION_LEVEL_2) + shutil.copy2(old_name, new_name) + # set ownerships, permissions, and acls + # of newly created top-level directory + self.modify(new_name, uid, gid, dir_perms, dir_acls, + True, critical_failure) + # set ownerships, permissions, and acls + # of contents of newly created top-level directory + self.set_mode(new_name, uid, gid, + dir_perms, file_perms, symlink_perms, + dir_acls, file_acls, symlink_acls, + recursive_flag, critical_failure) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + except shutil.Error as exc: + config.pki_log.error(log.PKI_SHUTIL_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + +# PKI Deployment File Class (also used for executables) +class file: + def create(self, name, uid=None, gid=None, + perms=config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS, + acls=None, critical_failure=True): + try: + if not os.path.exists(name): + # touch <name> + config.pki_log.info(log.PKIHELPER_TOUCH_1, name, + extra=config.PKI_INDENTATION_LEVEL_2) + open(name, "w").close() + # chmod <perms> <name> + config.pki_log.debug(log.PKIHELPER_CHMOD_2, perms, name, + extra=config.PKI_INDENTATION_LEVEL_3) + os.chmod(name, perms) + # chown <uid>:<gid> <name> + if uid == None: + uid = identity.get_uid() + if gid == None: + gid = identity.get_gid() + config.pki_log.debug(log.PKIHELPER_CHOWN_3, + uid, gid, name, + extra=config.PKI_INDENTATION_LEVEL_3) + os.chown(name, uid, gid) + # Store record in installation manifest + record = manifest.record() + record.name = name + record.type = manifest.RECORD_TYPE_FILE + record.user = master['pki_user'] + record.group = master['pki_group'] + record.uid = uid + record.gid = gid + record.permissions = perms + record.acls = acls + manifest.database.append(record) + elif not os.path.isfile(name): + config.pki_log.error( + log.PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1, name, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + except OSError as exc: + if exc.errno == errno.EEXIST: + pass + else: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + def modify(self, name, uid=None, gid=None, + perms=config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS, + acls=None, silent=False, critical_failure=True): + try: + if os.path.exists(name): + if not os.path.isfile(name): + config.pki_log.error( + log.PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1, + name, extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + # Always re-process each file whether it needs it or not + if not silent: + config.pki_log.info(log.PKIHELPER_MODIFY_FILE_1, name, + extra=config.PKI_INDENTATION_LEVEL_2) + # chmod <perms> <name> + if not silent: + config.pki_log.debug(log.PKIHELPER_CHMOD_2, perms, name, + extra=config.PKI_INDENTATION_LEVEL_3) + os.chmod(name, perms) + # chown <uid>:<gid> <name> + if uid == None: + uid = identity.get_uid() + if gid == None: + gid = identity.get_gid() + if not silent: + config.pki_log.debug(log.PKIHELPER_CHOWN_3, + uid, gid, name, + extra=config.PKI_INDENTATION_LEVEL_3) + os.chown(name, uid, gid) + # Store record in installation manifest + if not silent: + record = manifest.record() + record.name = name + record.type = manifest.RECORD_TYPE_FILE + record.user = master['pki_user'] + record.group = master['pki_group'] + record.uid = uid + record.gid = gid + record.permissions = perms + record.acls = acls + manifest.database.append(record) + else: + config.pki_log.error( + log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, name, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + def delete(self, name, critical_failure=True): + try: + if not os.path.exists(name) or not os.path.isfile(name): + # Simply issue a warning and continue + config.pki_log.warning( + log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, name, + extra=config.PKI_INDENTATION_LEVEL_2) + else: + # rm -f <name> + config.pki_log.info(log.PKIHELPER_RM_F_1, name, + extra=config.PKI_INDENTATION_LEVEL_2) + os.remove(name) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + def exists(self, name): + try: + if not os.path.exists(name) or not os.path.isfile(name): + return False + else: + return True + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + + def copy(self, old_name, new_name, uid=None, gid=None, + perms=config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS, acls=None, + overwrite_flag=False, critical_failure=True): + try: + if not os.path.exists(old_name) or not os.path.isfile(old_name): + config.pki_log.error( + log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, old_name, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + else: + if os.path.exists(new_name): + if not overwrite_flag: + config.pki_log.error( + log.PKI_FILE_ALREADY_EXISTS_1, new_name, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # cp -p <old_name> <new_name> + config.pki_log.info(log.PKIHELPER_CP_P_2, + old_name, new_name, + extra=config.PKI_INDENTATION_LEVEL_2) + shutil.copy2(old_name, new_name) + if uid == None: + uid = identity.get_uid() + if gid == None: + gid = identity.get_gid() + # chmod <perms> <new_name> + config.pki_log.debug(log.PKIHELPER_CHMOD_2, + perms, new_name, + extra=config.PKI_INDENTATION_LEVEL_3) + os.chmod(new_name, perms) + # chown <uid>:<gid> <new_name> + config.pki_log.debug(log.PKIHELPER_CHOWN_3, + uid, gid, new_name, + extra=config.PKI_INDENTATION_LEVEL_3) + os.chown(new_name, uid, gid) + # Store record in installation manifest + record = manifest.record() + record.name = new_name + record.type = manifest.RECORD_TYPE_FILE + record.user = master['pki_user'] + record.group = master['pki_group'] + record.uid = uid + record.gid = gid + record.permissions = perms + record.acls = acls + manifest.database.append(record) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + except shutil.Error as exc: + config.pki_log.error(log.PKI_SHUTIL_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + def apply_slot_substitution( + self, name, uid=None, gid=None, + perms=config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS, + acls=None, critical_failure=True): + try: + if not os.path.exists(name) or not os.path.isfile(name): + config.pki_log.error( + log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, name, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # applying in-place slot substitutions on <name> + config.pki_log.info(log.PKIHELPER_APPLY_SLOT_SUBSTITUTION_1, + name, + extra=config.PKI_INDENTATION_LEVEL_2) + for line in fileinput.FileInput(name, inplace=1): + for slot in slots: + if slot != '__name__' and slots[slot] in line: + config.pki_log.debug( + log.PKIHELPER_SLOT_SUBSTITUTION_2, + slots[slot], master[slot], + extra=config.PKI_INDENTATION_LEVEL_3) + line=line.replace(slots[slot],master[slot]) + sys.stdout.write(line) + if uid == None: + uid = identity.get_uid() + if gid == None: + gid = identity.get_gid() + # chmod <perms> <name> + config.pki_log.debug(log.PKIHELPER_CHMOD_2, + perms, name, + extra=config.PKI_INDENTATION_LEVEL_3) + os.chmod(name, perms) + # chown <uid>:<gid> <name> + config.pki_log.debug(log.PKIHELPER_CHOWN_3, + uid, gid, name, + extra=config.PKI_INDENTATION_LEVEL_3) + os.chown(name, uid, gid) + # Store record in installation manifest + record = manifest.record() + record.name = name + record.type = manifest.RECORD_TYPE_FILE + record.user = master['pki_user'] + record.group = master['pki_group'] + record.uid = uid + record.gid = gid + record.permissions = perms + record.acls = acls + manifest.database.append(record) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + except shutil.Error as exc: + config.pki_log.error(log.PKI_SHUTIL_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + def copy_with_slot_substitution( + self, old_name, new_name, uid=None, gid=None, + perms=config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS, + acls=None, overwrite_flag=False, + critical_failure=True): + try: + if not os.path.exists(old_name) or not os.path.isfile(old_name): + config.pki_log.error( + log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, old_name, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + else: + if os.path.exists(new_name): + if not overwrite_flag: + config.pki_log.error( + log.PKI_FILE_ALREADY_EXISTS_1, new_name, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # copy <old_name> to <new_name> with slot substitutions + config.pki_log.info(log.PKIHELPER_COPY_WITH_SLOT_SUBSTITUTION_2, + old_name, new_name, + extra=config.PKI_INDENTATION_LEVEL_2) + FILE = open(new_name, "w") + for line in fileinput.FileInput(old_name): + for slot in slots: + if slot != '__name__' and slots[slot] in line: + config.pki_log.debug( + log.PKIHELPER_SLOT_SUBSTITUTION_2, + slots[slot], master[slot], + extra=config.PKI_INDENTATION_LEVEL_3) + line=line.replace(slots[slot],master[slot]) + FILE.write(line) + FILE.close() + if uid == None: + uid = identity.get_uid() + if gid == None: + gid = identity.get_gid() + # chmod <perms> <new_name> + config.pki_log.debug(log.PKIHELPER_CHMOD_2, + perms, new_name, + extra=config.PKI_INDENTATION_LEVEL_3) + os.chmod(new_name, perms) + # chown <uid>:<gid> <new_name> + config.pki_log.debug(log.PKIHELPER_CHOWN_3, + uid, gid, new_name, + extra=config.PKI_INDENTATION_LEVEL_3) + os.chown(new_name, uid, gid) + # Store record in installation manifest + record = manifest.record() + record.name = new_name + record.type = manifest.RECORD_TYPE_FILE + record.user = master['pki_user'] + record.group = master['pki_group'] + record.uid = uid + record.gid = gid + record.permissions = perms + record.acls = acls + manifest.database.append(record) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + except shutil.Error as exc: + config.pki_log.error(log.PKI_SHUTIL_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + def generate_noise_file(self, name, bytes, uid=None, gid=None, + perms=config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS, + acls=None, critical_failure=True): + try: + if not os.path.exists(name): + # generating noise file called <name> and + # filling it with <bytes> random bytes + config.pki_log.info(log.PKIHELPER_NOISE_FILE_2, name, bytes, + extra=config.PKI_INDENTATION_LEVEL_2) + open(name, "w").close() + FILE = open(name, "w") + noise = ''.join(random.choice(string.ascii_letters +\ + string.digits) for x in range(bytes)) + FILE.write(noise) + FILE.close() + # chmod <perms> <name> + config.pki_log.debug(log.PKIHELPER_CHMOD_2, perms, name, + extra=config.PKI_INDENTATION_LEVEL_3) + os.chmod(name, perms) + # chown <uid>:<gid> <name> + if uid == None: + uid = identity.get_uid() + if gid == None: + gid = identity.get_gid() + config.pki_log.debug(log.PKIHELPER_CHOWN_3, + uid, gid, name, + extra=config.PKI_INDENTATION_LEVEL_3) + os.chown(name, uid, gid) + # Store record in installation manifest + record = manifest.record() + record.name = name + record.type = manifest.RECORD_TYPE_FILE + record.user = master['pki_user'] + record.group = master['pki_group'] + record.uid = uid + record.gid = gid + record.permissions = perms + record.acls = acls + manifest.database.append(record) + elif not os.path.isfile(name): + config.pki_log.error( + log.PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1, name, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + except OSError as exc: + if exc.errno == errno.EEXIST: + pass + else: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + +# PKI Deployment Symbolic Link Class +class symlink: + def create(self, name, link, uid=None, gid=None, + acls=None, allow_dangling_symlink=False, critical_failure=True): + try: + if not os.path.exists(link): + if not os.path.exists(name): + config.pki_log.warning( + log.PKIHELPER_DANGLING_SYMLINK_2, link, name, + extra=config.PKI_INDENTATION_LEVEL_2) + if not allow_dangling_symlink: + sys.exit(1) + # ln -s <name> <link> + config.pki_log.info(log.PKIHELPER_LINK_S_2, name, link, + extra=config.PKI_INDENTATION_LEVEL_2) + os.symlink(name, link) + # REMINDER: Due to POSIX compliance, 'lchmod' is NEVER + # implemented on Linux systems since 'chmod' + # CANNOT be run directly against symbolic links! + # chown -h <uid>:<gid> <link> + if uid == None: + uid = identity.get_uid() + if gid == None: + gid = identity.get_gid() + config.pki_log.debug(log.PKIHELPER_CHOWN_H_3, + uid, gid, link, + extra=config.PKI_INDENTATION_LEVEL_3) + os.lchown(link, uid, gid) + # Store record in installation manifest + record = manifest.record() + record.name = link + record.type = manifest.RECORD_TYPE_SYMLINK + record.user = master['pki_user'] + record.group = master['pki_group'] + record.uid = uid + record.gid = gid + record.permissions =\ + config.PKI_DEPLOYMENT_DEFAULT_SYMLINK_PERMISSIONS + record.acls = acls + manifest.database.append(record) + elif not os.path.islink(link): + config.pki_log.error( + log.PKI_SYMLINK_ALREADY_EXISTS_NOT_A_SYMLINK_1, link, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + except OSError as exc: + if exc.errno == errno.EEXIST: + pass + else: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + def modify(self, link, uid=None, gid=None, + acls=None, silent=False, critical_failure=True): + try: + if os.path.exists(link): + if not os.path.islink(link): + config.pki_log.error( + log.PKI_SYMLINK_ALREADY_EXISTS_NOT_A_SYMLINK_1, + link, extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + # Always re-process each link whether it needs it or not + if not silent: + config.pki_log.info(log.PKIHELPER_MODIFY_SYMLINK_1, link, + extra=config.PKI_INDENTATION_LEVEL_2) + # REMINDER: Due to POSIX compliance, 'lchmod' is NEVER + # implemented on Linux systems since 'chmod' + # CANNOT be run directly against symbolic links! + # chown -h <uid>:<gid> <link> + if uid == None: + uid = identity.get_uid() + if gid == None: + gid = identity.get_gid() + if not silent: + config.pki_log.debug(log.PKIHELPER_CHOWN_H_3, + uid, gid, link, + extra=config.PKI_INDENTATION_LEVEL_3) + os.lchown(link, uid, gid) + # Store record in installation manifest + if not silent: + record = manifest.record() + record.name = link + record.type = manifest.RECORD_TYPE_SYMLINK + record.user = master['pki_user'] + record.group = master['pki_group'] + record.uid = uid + record.gid = gid + record.permissions =\ + config.PKI_DEPLOYMENT_DEFAULT_SYMLINK_PERMISSIONS + record.acls = acls + manifest.database.append(record) + else: + config.pki_log.error( + log.PKI_SYMLINK_MISSING_OR_NOT_A_SYMLINK_1, link, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + def delete(self, link, critical_failure=True): + try: + if not os.path.exists(link) or not os.path.islink(link): + # Simply issue a warning and continue + config.pki_log.warning( + log.PKI_SYMLINK_MISSING_OR_NOT_A_SYMLINK_1, link, + extra=config.PKI_INDENTATION_LEVEL_2) + else: + # rm -f <link> + config.pki_log.info(log.PKIHELPER_RM_F_1, link, + extra=config.PKI_INDENTATION_LEVEL_2) + os.remove(link) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + def exists(self, name): + try: + if not os.path.exists(name) or not os.path.islink(name): + return False + else: + return True + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + + +# PKI Deployment War File Class +class war: + def explode(self, name, path, critical_failure=True): + try: + if os.path.exists(name) and os.path.isfile(name): + if not zipfile.is_zipfile(name): + config.pki_log.error( + log.PKI_FILE_NOT_A_WAR_FILE_1, + name, extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + if not os.path.exists(path) or not os.path.isdir(path): + config.pki_log.error( + log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, + path, extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + # jar -xf <name> -C <path> + config.pki_log.info(log.PKIHELPER_JAR_XF_C_2, name, path, + extra=config.PKI_INDENTATION_LEVEL_2) + # Open war file + war = zipfile.ZipFile(name, 'r') + # Extract contents of war file to path + war.extractall(path) + else: + config.pki_log.error( + log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, name, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + except zipfile.BadZipfile as exc: + config.pki_log.error(log.PKI_BADZIPFILE_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + except zipfile.LargeZipFile as exc: + config.pki_log.error(log.PKI_LARGEZIPFILE_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + +# PKI Deployment Password Class +class password: + def create_password_conf(self, path, pin, pin_sans_token=False, + overwrite_flag=False, critical_failure=True): + try: + if os.path.exists(path): + if overwrite_flag: + config.pki_log.info( + log.PKIHELPER_PASSWORD_CONF_1, path, + extra=config.PKI_INDENTATION_LEVEL_2) + # overwrite the existing 'password.conf' file + with open(path, "wt") as fd: + if pin_sans_token == True: + fd.write(str(pin)) + elif master['pki_subsystem'] in\ + config.PKI_APACHE_SUBSYSTEMS: + fd.write(master['pki_self_signed_token'] +\ + ":" + str(pin)) + else: + fd.write(master['pki_self_signed_token'] +\ + "=" + str(pin)) + fd.closed + else: + config.pki_log.info(log.PKIHELPER_PASSWORD_CONF_1, path, + extra=config.PKI_INDENTATION_LEVEL_2) + # create a new 'password.conf' file + with open(path, "wt") as fd: + if pin_sans_token == True: + fd.write(str(pin)) + elif master['pki_subsystem'] in\ + config.PKI_APACHE_SUBSYSTEMS: + fd.write(master['pki_self_signed_token'] +\ + ":" + str(pin)) + else: + fd.write(master['pki_self_signed_token'] +\ + "=" + str(pin)) + fd.closed + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + def create_client_pkcs12_password_conf(self, path, overwrite_flag=False, + critical_failure=True): + try: + if os.path.exists(path): + if overwrite_flag: + config.pki_log.info( + log.PKIHELPER_PASSWORD_CONF_1, path, + extra=config.PKI_INDENTATION_LEVEL_2) + # overwrite the existing 'pkcs12_password.conf' file + with open(path, "wt") as fd: + fd.write(master['pki_client_pkcs12_password']) + fd.closed + else: + config.pki_log.info(log.PKIHELPER_PASSWORD_CONF_1, path, + extra=config.PKI_INDENTATION_LEVEL_2) + # create a new 'pkcs12_password.conf' file + with open(path, "wt") as fd: + fd.write(master['pki_client_pkcs12_password']) + fd.closed + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + def get_password(self, path, token_name, critical_failure=True): + if os.path.exists(path) and os.path.isfile(path) and\ + os.access(path, os.R_OK): + tokens = PKIConfigParser.read_simple_configuration_file(path) + hardware_token = "hardware-" + token_name + if tokens.has_key(hardware_token): + token_name = hardware_token + token_pwd = tokens[hardware_token] + elif tokens.has_key(token_name): + token_pwd = tokens[token_name] + + if token_pwd is None or token_pwd == '': + # TODO prompt for this password + config.pki_log.error(log.PKIHELPER_PASSWORD_NOT_FOUND_1, + token_name, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(-1) + else: + return + return token_pwd + + +# PKI Deployment NSS 'certutil' Class +class certutil: + def create_security_databases(self, path, pki_cert_database, + pki_key_database, pki_secmod_database, + password_file=None, prefix=None, + critical_failure=True): + try: + # Compose this "certutil" command + command = "certutil" + " " + "-N" + # Provide a path to the NSS security databases + if path: + command = command + " " + "-d" + " " + path + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_PATH, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if password_file != None: + command = command + " " + "-f" + " " + password_file + if prefix != None: + command = command + " " + "-P" + " " + prefix + if not os.path.exists(path): + config.pki_log.error( + log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, path, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if os.path.exists(pki_cert_database) or\ + os.path.exists(pki_key_database) or\ + os.path.exists(pki_secmod_database): + # Simply notify user that the security databases exist + config.pki_log.info( + log.PKI_SECURITY_DATABASES_ALREADY_EXIST_3, + pki_cert_database, + pki_key_database, + pki_secmod_database, + extra=config.PKI_INDENTATION_LEVEL_2) + else: + if password_file != None: + if not os.path.exists(password_file) or\ + not os.path.isfile(password_file): + config.pki_log.error( + log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, + password_file, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Display this "certutil" command + config.pki_log.info( + log.PKIHELPER_CREATE_SECURITY_DATABASES_1, + command, + extra=config.PKI_INDENTATION_LEVEL_2) + # Execute this "certutil" command + subprocess.call(command, shell=True) + except subprocess.CalledProcessError as exc: + config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + def verify_certificate_exists(self, path, pki_cert_database, + pki_key_database, pki_secmod_database, + token, nickname, password_file=None, + silent=True): + rv = 0 + try: + # Compose this "certutil" command + command = "certutil" + " " + "-L" + # Provide a path to the NSS security databases + if path: + command = command + " " + "-d" + " " + path + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_PATH, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Specify the 'token' + if token: + command = command + " " + "-h" + " " + "'" + token + "'" + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_TOKEN, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Specify the nickname of this self-signed certificate + if nickname: + command = command + " " + "-n" + " " + "'" + nickname + "'" + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_NICKNAME, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # OPTIONALLY specify a password file + if password_file != None: + command = command + " " + "-f" + " " + password_file + # By default, execute this command silently + if silent != False: + command = command + " > /dev/null 2>&1" + if not os.path.exists(path): + config.pki_log.error( + log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, path, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if not os.path.exists(pki_cert_database) or\ + not os.path.exists(pki_key_database) or\ + not os.path.exists(pki_secmod_database): + # NSS security databases MUST exist! + config.pki_log.error( + log.PKI_SECURITY_DATABASES_DO_NOT_EXIST_3, + pki_cert_database, + pki_key_database, + pki_secmod_database, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if password_file != None: + if not os.path.exists(password_file) or\ + not os.path.isfile(password_file): + config.pki_log.error( + log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, + password_file, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Execute this "certutil" command + subprocess.check_call(command, shell=True) + except subprocess.CalledProcessError as exc: + return False + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return True + + def generate_self_signed_certificate(self, path, pki_cert_database, + pki_key_database, pki_secmod_database, + token, nickname, + subject, serial_number, + validity_period, issuer_name, + trustargs, noise_file, + password_file=None, + critical_failure=True): + try: + # Compose this "certutil" command + command = "certutil" + " " + "-S" + # Provide a path to the NSS security databases + if path: + command = command + " " + "-d" + " " + path + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_PATH, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Specify the 'token' + if token: + command = command + " " + "-h" + " " + "'" + token + "'" + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_TOKEN, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Specify the nickname of this self-signed certificate + if nickname: + command = command + " " + "-n" + " " + "'" + nickname + "'" + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_NICKNAME, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Specify the subject name (RFC1485) + if subject: + command = command + " " + "-s" + " " + "'" + subject + "'" + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_SUBJECT, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Specify the serial number + if serial_number != None: + command = command + " " + "-m" + " " + str(serial_number) + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_SERIAL_NUMBER, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Specify the months valid + if validity_period != None: + command = command + " " + "-v" + " " + str(validity_period) + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_VALIDITY_PERIOD, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Specify the nickname of the issuer certificate + if issuer_name: + command = command + " " + "-c" + " " +\ + "'" + issuer_name + "'" + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_ISSUER_NAME, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Specify the certificate trust attributes + if trustargs: + command = command + " " + "-t" + " " + "'" + trustargs + "'" + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_TRUSTARGS, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Specify a noise file to be used for key generation + if noise_file: + command = command + " " + "-z" + " " + noise_file + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_NOISE_FILE, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # OPTIONALLY specify a password file + if password_file != None: + command = command + " " + "-f" + " " + password_file + # ALWAYS self-sign this certificate + command = command + " " + "-x" + # ALWAYS mask the command-line output of this command + command = command + " " + "> /dev/null 2>&1" + # Display this "certutil" command + config.pki_log.info( + log.PKIHELPER_CERTUTIL_SELF_SIGNED_CERTIFICATE_1, command, + extra=config.PKI_INDENTATION_LEVEL_2) + if not os.path.exists(path): + config.pki_log.error( + log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, path, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if not os.path.exists(pki_cert_database) or\ + not os.path.exists(pki_key_database) or\ + not os.path.exists(pki_secmod_database): + # NSS security databases MUST exist! + config.pki_log.error( + log.PKI_SECURITY_DATABASES_DO_NOT_EXIST_3, + pki_cert_database, + pki_key_database, + pki_secmod_database, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if not os.path.exists(noise_file): + config.pki_log.error( + log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, + noise_file, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if password_file != None: + if not os.path.exists(password_file) or\ + not os.path.isfile(password_file): + config.pki_log.error( + log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, + password_file, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Execute this "certutil" command + subprocess.call(command, shell=True) + except subprocess.CalledProcessError as exc: + config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + def import_cert(self, nickname, trust, input_file, password_file, + path=None, token=None, critical_failure=True): + try: + command = ["certutil","-A"] + if path: + command.extend(["-d", path]) + + if token: + command.extend(["-h", token]) + + if nickname: + command.extend(["-n", nickname ]) + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_NICKNAME, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + + if trust: + command.extend(["-t", trust]) + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_TRUSTARGS, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + + if input_file: + command.extend(["-i", input_file]) + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_INPUT_FILE, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + + if password_file: + command.extend(["-f", password_file]) + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_PASSWORD_FILE, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + + config.pki_log.info(command, + extra=config.PKI_INDENTATION_LEVEL_2) + subprocess.call(command) + except subprocess.CalledProcessError as exc: + config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + def generate_certificate_request(self, subject, key_size, + password_file, noise_file, + output_file = None, path = None, + ascii_format = None, token = None, + critical_failure=True): + try: + command = ["certutil", "-R"] + if path: + command.extend(["-d", path]) + else: + command.extend(["-d", "."]) + + if token: + command.extend(["-h", token]) + + if subject: + command.extend(["-s", subject]) + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_SUBJECT, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + + if key_size: + command.extend(["-g", str(key_size)]) + + if noise_file: + command.extend(["-z", noise_file]) + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_NOISE_FILE, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + + if password_file: + command.extend(["-f", password_file]) + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_PASSWORD_FILE, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + + if output_file: + command.extend(["-o", output_file]) + + # set acsii output + if ascii_format: + command.append("-a") + + # Display this "certutil" command + config.pki_log.info( + log.PKIHELPER_CERTUTIL_GENERATE_CSR_1, command, + extra=config.PKI_INDENTATION_LEVEL_2) + if not os.path.exists(noise_file): + config.pki_log.error( + log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, + noise_file, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if not os.path.exists(password_file) or\ + not os.path.isfile(password_file): + config.pki_log.error( + log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, + password_file, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Execute this "certutil" command + with open(os.devnull, "w") as fnull: + subprocess.call(command, stdout=fnull, stderr=fnull) + except subprocess.CalledProcessError as exc: + config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + +# pk12util class +class pk12util: + def create_file(self, out_file, nickname, out_pwfile, + db_pwfile, path=None): + try: + command = ["pk12util"] + if path: + command.extend(["-d", path]) + if out_file: + command.extend(["-o", out_file]) + else: + config.pki_log.error( + log.PKIHELPER_PK12UTIL_MISSING_OUTFILE, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if nickname: + command.extend(["-n", nickname]) + else: + config.pki_log.error( + log.PKIHELPER_PK12UTIL_MISSING_NICKNAME, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if out_pwfile: + command.extend(["-w", out_pwfile]) + else: + config.pki_log.error( + log.PKIHELPER_PK12UTIL_MISSING_OUTPWFILE, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if db_pwfile: + command.extend(["-k", db_pwfile]) + else: + config.pki_log.error( + log.PKIHELPER_PK12UTIL_MISSING_DBPWFILE, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + + config.pki_log.info(command, + extra=config.PKI_INDENTATION_LEVEL_2) + with open(os.devnull, "w") as fnull: + subprocess.call(command, stdout=fnull, stderr=fnull) + except subprocess.CalledProcessError as exc: + config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + +# KRA Connector Class +class kra_connector: + def deregister(self, critical_failure=False): + try: + # this is applicable to KRAs only + if master['pki_subsystem_type'] != "kra": + return + + config.pki_log.info( + log.PKIHELPER_KRACONNECTOR_UPDATE_CONTACT, + extra=config.PKI_INDENTATION_LEVEL_2) + + cs_cfg = PKIConfigParser.read_simple_configuration_file( + master['pki_target_cs_cfg']) + krahost = cs_cfg.get('service.machineName') + kraport = cs_cfg.get('pkicreate.secure_port') + cahost = cs_cfg.get('cloning.ca.hostname') + caport = cs_cfg.get('cloning.ca.httpsport') + if cahost is None or\ + caport is None: + config.pki_log.warning( + log.PKIHELPER_KRACONNECTOR_UPDATE_FAILURE, + extra=config.PKI_INDENTATION_LEVEL_2) + config.pki_log.error( + log.PKIHELPER_UNDEFINED_CA_HOST_PORT, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(-1) + else: + return + + # retrieve subsystem nickname + subsystemnick = cs_cfg.get('kra.cert.subsystem.nickname') + if subsystemnick is None: + config.pki_log.warning( + log.PKIHELPER_KRACONNECTOR_UPDATE_FAILURE, + extra=config.PKI_INDENTATION_LEVEL_2) + config.pki_log.error( + log.PKIHELPER_UNDEFINED_SUBSYSTEM_NICKNAME, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(-1) + else: + return + + # retrieve name of token based upon type (hardware/software) + if ':' in subsystemnick: + token_name = subsystemnick.split(':')[0] + else: + token_name = "internal" + + token_pwd = password.get_password( + master['pki_shared_password_conf'], + token_name, + critical_failure) + + if token_pwd is None or token_pwd == '': + config.pki_log.warning( + log.PKIHELPER_KRACONNECTOR_UPDATE_FAILURE, + extra=config.PKI_INDENTATION_LEVEL_2) + config.pki_log.error( + log.PKIHELPER_UNDEFINED_TOKEN_PASSWD_1, + token_name, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(-1) + else: + return + + self.execute_using_sslget(caport, cahost, subsystemnick, + token_pwd, krahost, kraport) + + except subprocess.CalledProcessError as exc: + config.pki_log.warning( + log.PKIHELPER_KRACONNECTOR_UPDATE_FAILURE_2, + str(krahost), + str(kraport), + extra=config.PKI_INDENTATION_LEVEL_2) + config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(-1) + return + + def execute_using_pki(self, caport, cahost, subsystemnick, + token_pwd, krahost, kraport, critical_failure=False): + command = "/bin/pki -p '{}' -h '{}' -n '{}' -P https -d '{}' -w '{}' "\ + "kraconnector-del {} {}".format( + caport, cahost, subsystemnick, + master['pki_database_path'], + token_pwd, krahost, kraport) + + output = subprocess.check_output(command, + stderr=subprocess.STDOUT, + shell=True) + + error = re.findall("ClientResponseFailure:(.*?)", output) + if error: + config.pki_log.warning( + log.PKIHELPER_KRACONNECTOR_UPDATE_FAILURE_2, + str(krahost), + str(kraport), + extra=config.PKI_INDENTATION_LEVEL_2) + config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, output, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(-1) + + def execute_using_sslget(self, caport, cahost, subsystemnick, + token_pwd, krahost, kraport): + urlheader = "https://{}:{}".format(cahost, caport) + updateURL = "/ca/rest/admin/kraconnector/remove" + + params = "host=" + str(krahost) +\ + "&port=" + str(kraport) + + command = "/usr/bin/sslget -n '{}' -p '{}' -d '{}' -e '{}' "\ + "-v -r '{}' {}:{} 2>&1".format( + subsystemnick, token_pwd, + master['pki_database_path'], + params, updateURL, + cahost, caport) + + # update KRA connector + # Execute this "sslget" command + # Note that sslget will return non-zero value for HTTP code != 200 + # and this will raise an exception + output = subprocess.check_output(command, + stderr=subprocess.STDOUT, + shell=True) + +# PKI Deployment Security Domain Class +class security_domain: + def deregister(self, install_token, critical_failure=False): + # process this PKI subsystem instance's 'CS.cfg' + cs_cfg = PKIConfigParser.read_simple_configuration_file( + master['pki_target_cs_cfg']) + + # assign key name/value pairs + machinename = cs_cfg.get('service.machineName') + sport = cs_cfg.get('service.securityDomainPort') + ncsport = cs_cfg.get('service.non_clientauth_securePort', '') + sechost = cs_cfg.get('securitydomain.host') + httpport = cs_cfg.get('securitydomain.httpport') + seceeport = cs_cfg.get('securitydomain.httpseeport') + secagentport = cs_cfg.get('securitydomain.httpsagentport') + secadminport = cs_cfg.get('securitydomain.httpsadminport') + secname = cs_cfg.get('securitydomain.name', 'unknown') + secselect = cs_cfg.get('securitydomain.select') + adminsport = cs_cfg.get('pkicreate.admin_secure_port', '') + typeval = cs_cfg.get('cs.type', '') + agentsport = cs_cfg.get('pkicreate.agent_secure_port', '') + + # NOTE: Don't check for the existence of 'httpport', as this will + # be undefined for a Security Domain that has been migrated! + if sechost is None or\ + seceeport is None or\ + secagentport is None or\ + secadminport is None: + config.pki_log.warning( + log.PKIHELPER_SECURITY_DOMAIN_UPDATE_FAILURE_2, + typeval, + secname, + extra=config.PKI_INDENTATION_LEVEL_2) + config.pki_log.error( + log.PKIHELPER_SECURITY_DOMAIN_UNDEFINED, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(-1) + else: + return + + config.pki_log.info(log.PKIHELPER_SECURITY_DOMAIN_CONTACT_1, + secname, + extra=config.PKI_INDENTATION_LEVEL_2) + listval = typeval.lower() + "List" + urlheader = "https://{}:{}".format(sechost, seceeport) + urlagentheader = "https://{}:{}".format(sechost, secagentport) + urladminheader = "https://{}:{}".format(sechost, secadminport) + updateURL = "/ca/agent/ca/updateDomainXML" + + params = "name=" + "\"" + master['pki_instance_path'] + "\"" +\ + "&type=" + str(typeval) +\ + "&list=" + str(listval) +\ + "&host=" + str(machinename) +\ + "&sport=" + str(sport) +\ + "&ncsport=" + str(ncsport) +\ + "&adminsport=" + str(adminsport) +\ + "&agentsport=" + str(agentsport) +\ + "&operation=remove" + + if install_token: + try: + # first try install token-based servlet + params += "&sessionID=" + str(install_token) + adminUpdateURL = "/ca/admin/ca/updateDomainXML" + command = "/usr/bin/sslget -p 123456 -d '{}' -e '{}' "\ + "-v -r '{}' {}:{} 2>&1".format( + master['pki_database_path'], + params, adminUpdateURL, + sechost, secadminport) + output = subprocess.check_output(command, + stderr=subprocess.STDOUT, + shell=True) + except subprocess.CalledProcessError as exc: + config.pki_log.warning( + log.PKIHELPER_SECURITY_DOMAIN_UNREACHABLE_1, + secname, + extra=config.PKI_INDENTATION_LEVEL_2) + output = self.update_domain_using_agent_port(typeval, + secname, params, updateURL, sechost, secagentport, + critical_failure) + else: + output = self.update_domain_using_agent_port(typeval, + secname, params, updateURL, sechost, secagentport, + critical_failure) + + if not output: + if critical_failure == True: + sys.exit(-1) + else: + return + + config.pki_log.debug(log.PKIHELPER_SSLGET_OUTPUT_1, + output, + extra=config.PKI_INDENTATION_LEVEL_2) + # Search the output for Status + status = re.findall("\<Status\>(.*?)\<\/Status\>", output) + if not status: + config.pki_log.warning( + log.PKIHELPER_SECURITY_DOMAIN_UNREACHABLE_1, + secname, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(-1) + elif status[0] != "0": + error = re.findall("\<Error\>(.*?)\<\/Error\>", output) + if not error: + error = "" + config.pki_log.warning( + log.PKIHELPER_SECURITY_DOMAIN_UNREGISTERED_2, + typeval, + secname, + extra=config.PKI_INDENTATION_LEVEL_2) + config.pki_log.error( + log.PKIHELPER_SECURITY_DOMAIN_UPDATE_FAILURE_3, + typeval, + secname, + error, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(-1) + else: + config.pki_log.info( + log.PKIHELPER_SECURITY_DOMAIN_UPDATE_SUCCESS_2, + typeval, + secname, + extra=config.PKI_INDENTATION_LEVEL_2) + + def update_domain_using_agent_port(self, typeval, secname, params, + updateURL, sechost, secagentport, critical_failure= False): + token_pwd = None + cs_cfg = PKIConfigParser.read_simple_configuration_file( + master['pki_target_cs_cfg']) + # retrieve subsystem nickname + subsystemnick_param = typeval.lower() + ".cert.subsystem.nickname" + subsystemnick = cs_cfg.get(subsystemnick_param) + if subsystemnick is None: + config.pki_log.warning( + log.PKIHELPER_SECURITY_DOMAIN_UPDATE_FAILURE_2, + typeval, + secname, + extra=config.PKI_INDENTATION_LEVEL_2) + config.pki_log.error( + log.PKIHELPER_UNDEFINED_SUBSYSTEM_NICKNAME, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(-1) + else: + return + + # retrieve name of token based upon type (hardware/software) + if ':' in subsystemnick: + token_name = subsystemnick.split(':')[0] + else: + token_name = "internal" + + token_pwd = password.get_password( + master['pki_shared_password_conf'], + token_name, + critical_failure) + + if token_pwd is None or token_pwd == '': + config.pki_log.warning( + log.PKIHELPER_SECURITY_DOMAIN_UPDATE_FAILURE_2, + typeval, + secname, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(-1) + else: + return + + command = "/usr/bin/sslget -n '{}' -p '{}' -d '{}' -e '{}' "\ + "-v -r '{}' {}:{} 2>&1".format( + subsystemnick, token_pwd, + master['pki_database_path'], + params, updateURL, + sechost, secagentport) + try: + output = subprocess.check_output(command, + stderr=subprocess.STDOUT, + shell=True) + return output + except subprocess.CalledProcessError as exc: + config.pki_log.warning( + log.PKIHELPER_SECURITY_DOMAIN_UPDATE_FAILURE_2, + typeval, + secname, + extra=config.PKI_INDENTATION_LEVEL_2) + config.pki_log.warning( + log.PKIHELPER_SECURITY_DOMAIN_UNREACHABLE_1, + secname, + extra=config.PKI_INDENTATION_LEVEL_2) + config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(-1) + + return None + + + def get_installation_token(self, secuser, secpass, critical_failure=True): + token = None + + if not secuser or not secpass: + return None + + # process this PKI subsystem instance's 'CS.cfg' + cs_cfg = PKIConfigParser.read_simple_configuration_file( + master['pki_target_cs_cfg']) + + # assign key name/value pairs + machinename = cs_cfg.get('service.machineName') + cstype = cs_cfg.get('cs.type', '') + sechost = cs_cfg.get('securitydomain.host') + secadminport = cs_cfg.get('securitydomain.httpsadminport') + secselect = cs_cfg.get('securitydomain.select') + + command = "/bin/pki -p '{}' -h '{}' -P https -u '{}' -w '{}' "\ + "securitydomain-get-install-token --hostname {} "\ + "--subsystem {}".format( + secadminport, sechost, secuser, secpass, + machinename, cstype) + try: + output = subprocess.check_output(command, + stderr=subprocess.STDOUT, + shell=True) + + token_list = re.findall("Install token: \"(.*)\"", output) + if not token_list: + config.pki_log.error( + log.PKIHELPER_SECURITY_DOMAIN_GET_TOKEN_FAILURE_2, + str(sechost), + str(secadminport), + extra=config.PKI_INDENTATION_LEVEL_2) + config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, output, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(-1) + else: + token = token_list[0] + return token + except subprocess.CalledProcessError as exc: + config.pki_log.error( + log.PKIHELPER_SECURITY_DOMAIN_GET_TOKEN_FAILURE_2, + str(sechost), + str(secadminport), + extra=config.PKI_INDENTATION_LEVEL_2) + config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(-1) + return None + +# PKI Deployment 'systemd' Execution Management Class +class systemd: + def start(self, critical_failure=True): + try: + # Compose this "systemd" execution management command + if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS: + command = "systemctl" + " " +\ + "start" + " " +\ + "pki-apached" + "@" +\ + master['pki_instance_name'] + "." + "service" + elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + command = "systemctl" + " " +\ + "start" + " " +\ + "pki-tomcatd" + "@" +\ + master['pki_instance_name'] + "." + "service" + # Display this "systemd" execution managment command + config.pki_log.info( + log.PKIHELPER_SYSTEMD_COMMAND_1, command, + extra=config.PKI_INDENTATION_LEVEL_2) + # Execute this "systemd" execution management command + subprocess.call(command, shell=True) + except subprocess.CalledProcessError as exc: + config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + def stop(self, critical_failure=True): + try: + # Compose this "systemd" execution management command + if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS: + command = "systemctl" + " " +\ + "stop" + " " +\ + "pki-apached" + "@" +\ + master['pki_instance_name'] + "." + "service" + elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + command = "systemctl" + " " +\ + "stop" + " " +\ + "pki-tomcatd" + "@" +\ + master['pki_instance_name'] + "." + "service" + # Display this "systemd" execution managment command + config.pki_log.info( + log.PKIHELPER_SYSTEMD_COMMAND_1, command, + extra=config.PKI_INDENTATION_LEVEL_2) + # Execute this "systemd" execution management command + subprocess.call(command, shell=True) + except subprocess.CalledProcessError as exc: + config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + def restart(self, critical_failure=True): + try: + # Compose this "systemd" execution management command + if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS: + command = "systemctl" + " " +\ + "restart" + " " +\ + "pki-apached" + "@" +\ + master['pki_instance_name'] + "." + "service" + elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + command = "systemctl" + " " +\ + "restart" + " " +\ + "pki-tomcatd" + "@" +\ + master['pki_instance_name'] + "." + "service" + # Display this "systemd" execution managment command + config.pki_log.info( + log.PKIHELPER_SYSTEMD_COMMAND_1, command, + extra=config.PKI_INDENTATION_LEVEL_2) + # Execute this "systemd" execution management command + subprocess.call(command, shell=True) + except subprocess.CalledProcessError as exc: + config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + +class config_client: + + def configure_pki_data(self, data): + config.pki_log.info(log.PKI_CONFIG_CONFIGURING_PKI_DATA, + extra=config.PKI_INDENTATION_LEVEL_2) + + self.connection = pki.client.PKIConnection( + protocol='https', + hostname=master['pki_hostname'], + port=master['pki_https_port'], + subsystem=master['pki_subsystem_type']) + + try: + client = pki.system.SystemConfigClient(self.connection) + response = client.configure(data) + + config.pki_log.debug(log.PKI_CONFIG_RESPONSE_STATUS +\ + " " + str(response['status']), + extra=config.PKI_INDENTATION_LEVEL_2) + certs = response['systemCerts'] + for cdata in certs: + if master['pki_subsystem'] == "CA" and\ + config.str2bool(master['pki_external']) and\ + not config.str2bool(master['pki_external_step_two']): + # External CA Step 1 + if cdata['tag'].lower() == "signing": + config.pki_log.info(log.PKI_CONFIG_CDATA_REQUEST +\ + " " + cdata['request'], + extra=config.PKI_INDENTATION_LEVEL_2) + + # Save 'External CA Signing Certificate' CSR (Step 1) + config.pki_log.info(log.PKI_CONFIG_EXTERNAL_CSR_SAVE +\ + " '" + master['pki_external_csr_path'] + "'", + extra=config.PKI_INDENTATION_LEVEL_2) + directory.create( + os.path.dirname(master['pki_external_csr_path'])) + with open(master['pki_external_csr_path'], "w") as f: + f.write(cdata['request']) + return + else: + config.pki_log.debug(log.PKI_CONFIG_CDATA_TAG +\ + " " + cdata['tag'], + extra=config.PKI_INDENTATION_LEVEL_2) + config.pki_log.debug(log.PKI_CONFIG_CDATA_CERT +\ + " " + cdata['cert'], + extra=config.PKI_INDENTATION_LEVEL_2) + config.pki_log.debug(log.PKI_CONFIG_CDATA_REQUEST +\ + " " + cdata['request'], + extra=config.PKI_INDENTATION_LEVEL_2) + + # Cloned PKI subsystems do not return an Admin Certificate + if not config.str2bool(master['pki_clone']) and \ + not config.str2bool(master['pki_import_admin_cert']): + admin_cert = response['adminCert']['cert'] + self.process_admin_cert(admin_cert) + except Exception, e: + config.pki_log.error( + log.PKI_CONFIG_JAVA_CONFIGURATION_EXCEPTION + " " + str(e), + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + return + + def process_admin_cert(self, admin_cert): + config.pki_log.debug(log.PKI_CONFIG_RESPONSE_ADMIN_CERT +\ + " " + admin_cert, + extra=config.PKI_INDENTATION_LEVEL_2) + + # Store the Administration Certificate in a file + admin_cert_file = master['pki_client_admin_cert'] + admin_cert_bin_file = admin_cert_file + ".der" + config.pki_log.debug(log.PKI_CONFIG_ADMIN_CERT_SAVE +\ + " '" + admin_cert_file + "'", + extra=config.PKI_INDENTATION_LEVEL_2) + with open(admin_cert_file, "w") as f: + f.write(admin_cert) + + # convert the cert file to binary + command = ["AtoB", admin_cert_file, admin_cert_bin_file] + config.pki_log.info(command, + extra=config.PKI_INDENTATION_LEVEL_2) + subprocess.call(command) + + os.chmod(admin_cert_file, + config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS) + + os.chmod(admin_cert_bin_file, + config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS) + + # Import the Administration Certificate + # into the client NSS security database + certutil.import_cert( + re.sub("'", "'", master['pki_admin_nickname']), + "u,u,u", + admin_cert_bin_file, + master['pki_client_password_conf'], + master['pki_client_database_dir'], + None, + True) + + # create directory for p12 file if it does not exist + directory.create(os.path.dirname( + master['pki_client_admin_cert_p12'])) + + # Export the Administration Certificate from the + # client NSS security database into a PKCS #12 file + pk12util.create_file( + master['pki_client_admin_cert_p12'], + re.sub("'","'", master['pki_admin_nickname']), + master['pki_client_pkcs12_password_conf'], + master['pki_client_password_conf'], + master['pki_client_database_dir']) + + os.chmod(master['pki_client_admin_cert_p12'], + config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS) + + + def construct_pki_configuration_data(self): + config.pki_log.info(log.PKI_CONFIG_CONSTRUCTING_PKI_DATA, + extra=config.PKI_INDENTATION_LEVEL_2) + + data = pki.system.ConfigurationRequest() + + # Miscellaneous Configuration Information + data.pin = master['pki_one_time_pin'] + data.subsystemName = master['pki_subsystem_name'] + + # Cloning parameters + if master['pki_instance_type'] == "Tomcat": + if config.str2bool(master['pki_clone']): + self.set_cloning_parameters(data) + else: + data.isClone = "false" + + # Hierarchy + self.set_hierarchy_parameters(data) + + # Security Domain + if master['pki_subsystem'] != "CA" or\ + config.str2bool(master['pki_clone']) or\ + config.str2bool(master['pki_subordinate']): + # PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS, + # CA Clone, KRA Clone, OCSP Clone, TKS Clone, or + # Subordinate CA + self.set_existing_security_domain(data) + else: + # PKI CA or External CA + self.set_new_security_domain(data) + + # database + if master['pki_subsystem'] != "RA": + self.set_database_parameters(data) + + # backup + if master['pki_instance_type'] == "Tomcat": + self.set_backup_parameters(data) + + # admin user + if not config.str2bool(master['pki_clone']): + self.set_admin_parameters(data) + + # Issuing CA Information + self.set_issuing_ca_parameters(data) + + # Create system certs + self.set_system_certs(data) + + return data + + def set_system_certs(self, data): + systemCerts = [] + + # Create 'CA Signing Certificate' + if master['pki_subsystem'] == "CA": + if not config.str2bool(master['pki_clone']): + cert1 = self.create_system_cert("ca_signing") + cert1.signingAlgorithm =\ + master['pki_ca_signing_signing_algorithm'] + if config.str2bool(master['pki_external_step_two']): + # Load the 'External CA Signing Certificate' (Step 2) + print( + log.PKI_CONFIG_EXTERNAL_CA_LOAD + " " +\ + "'" + master['pki_external_ca_cert_path'] + "'") + with open(master['pki_external_ca_cert_path']) as f: + external_cert = f.read() + cert1.cert = external_cert + + # Load the 'External CA Signing Certificate Chain' (Step 2) + print( + log.PKI_CONFIG_EXTERNAL_CA_CHAIN_LOAD + " " +\ + "'" + master['pki_external_ca_cert_chain_path'] +\ + "'") + with open(master['pki_external_ca_cert_chain_path']) as f: + external_cert_chain = f.read() + + cert1.certChain = external_cert_chain + systemCerts.append(cert1) + + # Create 'OCSP Signing Certificate' + if not config.str2bool(master['pki_clone']): + if master['pki_subsystem'] == "CA" or\ + master['pki_subsystem'] == "OCSP": + # External CA, Subordinate CA, PKI CA, or PKI OCSP + cert2 = self.create_system_cert("ocsp_signing") + cert2.signingAlgorithm =\ + master['pki_ocsp_signing_signing_algorithm'] + systemCerts.append(cert2) + + # Create 'SSL Server Certificate' + # all subsystems + + # create new sslserver cert only if this is a new instance + cert3 = None + system_list = instance.tomcat_instance_subsystems() + if len(system_list) >= 2: + data.generateServerCert = "false" + for subsystem in system_list: + dst = master['pki_instance_path'] + '/conf/' +\ + subsystem.lower() + '/CS.cfg' + if subsystem != master['pki_subsystem'] and \ + os.path.exists(dst): + cert3 = self.retrieve_existing_server_cert(dst) + break + else: + cert3 = self.create_system_cert("ssl_server") + systemCerts.append(cert3) + + # Create 'Subsystem Certificate' + if not config.str2bool(master['pki_clone']): + cert4 = self.create_system_cert("subsystem") + systemCerts.append(cert4) + + # Create 'Audit Signing Certificate' + if not config.str2bool(master['pki_clone']): + if master['pki_subsystem'] != "RA": + cert5 = self.create_system_cert("audit_signing") + cert5.signingAlgorithm =\ + master['pki_audit_signing_signing_algorithm'] + systemCerts.append(cert5) + + # Create DRM Transport and storage Certificates + if not config.str2bool(master['pki_clone']): + if master['pki_subsystem'] == "KRA": + cert6 = self.create_system_cert("transport") + systemCerts.append(cert6) + + cert7 = self.create_system_cert("storage") + systemCerts.append(cert7) + + data.systemCerts = systemCerts + + def set_cloning_parameters(self, data): + data.isClone = "true" + data.cloneUri = master['pki_clone_uri'] + data.p12File = master['pki_clone_pkcs12_path'] + data.p12Password = master['pki_clone_pkcs12_password'] + data.replicateSchema = master['pki_clone_replicate_schema'] + data.replicationSecurity =\ + master['pki_clone_replication_security'] + if master['pki_clone_replication_master_port']: + data.masterReplicationPort =\ + master['pki_clone_replication_master_port'] + if master['pki_clone_replication_clone_port']: + data.cloneReplicationPort =\ + master['pki_clone_replication_clone_port'] + + def set_hierarchy_parameters(self, data): + if master['pki_subsystem'] == "CA": + if config.str2bool(master['pki_clone']): + # Cloned CA + data.hierarchy = "root" + elif config.str2bool(master['pki_external']): + # External CA + data.hierarchy = "join" + elif config.str2bool(master['pki_subordinate']): + # Subordinate CA + data.hierarchy = "join" + else: + # PKI CA + data.hierarchy = "root" + + def set_existing_security_domain(self, data): + data.securityDomainType = "existingdomain" + data.securityDomainUri = master['pki_security_domain_uri'] + data.securityDomainUser = master['pki_security_domain_user'] + data.securityDomainPassword = master['pki_security_domain_password'] + + def set_new_security_domain(self, data): + data.securityDomainType = "newdomain" + data.securityDomainName = master['pki_security_domain_name'] + + def set_database_parameters(self, data): + data.dsHost = master['pki_ds_hostname'] + data.dsPort = master['pki_ds_ldap_port'] + data.baseDN = master['pki_ds_base_dn'] + data.bindDN = master['pki_ds_bind_dn'] + data.database = master['pki_ds_database'] + data.bindpwd = master['pki_ds_password'] + if config.str2bool(master['pki_ds_remove_data']): + data.removeData = "true" + else: + data.removeData = "false" + if config.str2bool(master['pki_ds_secure_connection']): + data.secureConn = "true" + else: + data.secureConn = "false" + + def set_backup_parameters(self, data): + if config.str2bool(master['pki_backup_keys']): + data.backupKeys = "true" + data.backupFile = master['pki_backup_keys_p12'] + data.backupPassword = master['pki_backup_password'] + else: + data.backupKeys = "false" + + def set_admin_parameters(self, data): + data.adminEmail = master['pki_admin_email'] + data.adminName = master['pki_admin_name'] + data.adminPassword = master['pki_admin_password'] + data.adminProfileID = master['pki_admin_profile_id'] + data.adminUID = master['pki_admin_uid'] + data.adminSubjectDN = master['pki_admin_subject_dn'] + if config.str2bool(master['pki_import_admin_cert']): + data.importAdminCert = "true" + # read config from file + with open(master['pki_admin_cert_file']) as f: + b64 = f.read().replace('\n','') + data.adminCert = b64 + else: + data.importAdminCert = "false" + data.adminSubjectDN = master['pki_admin_subject_dn'] + if master['pki_admin_cert_request_type'] == "pkcs10": + data.adminCertRequestType = "pkcs10" + + noise_file = os.path.join( + master['pki_client_database_dir'], "noise") + + output_file = os.path.join( + master['pki_client_database_dir'], "admin_pkcs10.bin") + + file.generate_noise_file( + noise_file, int(master['pki_admin_keysize'])) + + certutil.generate_certificate_request( + master['pki_admin_subject_dn'], + master['pki_admin_keysize'], + master['pki_client_password_conf'], + noise_file, + output_file, + master['pki_client_database_dir'], + None, None, True) + + # convert output to ascii + command = ["BtoA", output_file, output_file + ".asc"] + config.pki_log.info(command, + extra=config.PKI_INDENTATION_LEVEL_2) + subprocess.call(command) + + with open(output_file + ".asc") as f: + b64 = f.read().replace('\n','') + + data.adminCertRequest = b64 + else: + print "log.PKI_CONFIG_PKCS10_SUPPORT_ONLY" + sys.exit(1) + + def set_issuing_ca_parameters(self, data): + if master['pki_subsystem'] != "CA" or\ + config.str2bool(master['pki_clone']) or\ + config.str2bool(master['pki_subordinate']) or\ + config.str2bool(master['pki_external']): + # PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS, + # CA Clone, KRA Clone, OCSP Clone, TKS Clone, + # Subordinate CA, or External CA + data.issuingCA = master['pki_issuing_ca'] + if master['pki_subsystem'] == "CA" and\ + config.str2bool(master['pki_external_step_two']): + # External CA Step 2 + data.stepTwo = "true"; + + def create_system_cert(self, tag): + cert = pki.system.SystemCertData() + cert.tag = master["pki_%s_tag" % tag] + cert.keyAlgorithm = master["pki_%s_key_algorithm" % tag] + cert.keySize = master["pki_%s_key_size" % tag] + cert.keyType = master["pki_%s_key_type" % tag] + cert.nickname = master["pki_%s_nickname" % tag] + cert.subjectDN = master["pki_%s_subject_dn" % tag] + cert.token = master["pki_%s_token" % tag] + return cert + + def retrieve_existing_server_cert(self, cfg_file): + cs_cfg = PKIConfigParser.read_simple_configuration_file(cfg_file) + cstype = cs_cfg.get('cs.type').lower() + cert = pki.system.SystemCertData() + cert.tag = master["pki_ssl_server_tag"] + cert.keyAlgorithm = master["pki_ssl_server_key_algorithm"] + cert.keySize = master["pki_ssl_server_key_size"] + cert.keyType = master["pki_ssl_server_key_type"] + cert.nickname = cs_cfg.get(cstype + ".sslserver.nickname") + cert.cert = cs_cfg.get(cstype + ".sslserver.cert") + cert.request = cs_cfg.get(cstype + ".sslserver.certreq") + cert.subjectDN = master["pki_ssl_server_subject_dn"] + cert.token = cs_cfg.get(cstype + ".sslserver.tokenname") + return cert + +# PKI Deployment Helper Class Instances +identity = identity() +namespace = namespace() +configuration_file = configuration_file() +#xml_file = xml_file() +instance = instance() +directory = directory() +file = file() +symlink = symlink() +war = war() +password = password() +certutil = certutil() +pk12util = pk12util() +security_domain = security_domain() +kra_connector = kra_connector() +systemd = systemd() diff --git a/base/server/src/engine/pkilogging.py b/base/server/src/engine/pkilogging.py new file mode 100644 index 000000000..319616145 --- /dev/null +++ b/base/server/src/engine/pkilogging.py @@ -0,0 +1,76 @@ +#!/usr/bin/python -t +# Authors: +# Matthew Harmsen <mharmsen@redhat.com> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2012 Red Hat, Inc. +# All rights reserved. +# + +# System Imports +import logging +import os +import pprint + +sensitive_parameters = [] + +# Initialize 'pretty print' for objects +pp = pprint.PrettyPrinter(indent=4) + +def format(dict): + new_dict = {} + + # mask sensitive data + for key in dict: + if key in sensitive_parameters: + value = 'XXXXXXXX' + else: + value = dict[key] + new_dict[key] = value + + return pp.pformat(new_dict) + +# PKI Deployment Logging Functions +def enable_pki_logger(log_dir, log_name, log_level, console_log_level, name): + if not os.path.isdir(log_dir): + try: + os.makedirs(log_dir) + except OSError: + return OSError + + # Configure logger + logger = logging.getLogger(name) + logger.setLevel(log_level) + + # Configure console handler + console = logging.StreamHandler() + console.setLevel(console_log_level) + console_format = logging.Formatter('%(name)-12s: ' +\ + '%(levelname)-8s ' +\ + '%(indent)s%(message)s') + console.setFormatter(console_format) + logger.addHandler(console) + + # Configure file handler + file = logging.FileHandler(log_dir + "/" + log_name, 'w') + file.setLevel(log_level) + file_format = logging.Formatter('%(asctime)s %(name)-12s: ' +\ + '%(levelname)-8s ' +\ + '%(indent)s%(message)s', + '%Y-%m-%d %H:%M:%S') + file.setFormatter(file_format) + logger.addHandler(file) + + return logger diff --git a/base/server/src/engine/pkimanifest.py b/base/server/src/engine/pkimanifest.py new file mode 100644 index 000000000..04a638f06 --- /dev/null +++ b/base/server/src/engine/pkimanifest.py @@ -0,0 +1,101 @@ +#!/usr/bin/python -t +# Authors: +# Matthew Harmsen <mharmsen@redhat.com> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2012 Red Hat, Inc. +# All rights reserved. +# + +# System Imports +from collections import namedtuple +import csv +import sys + + +# PKI Deployment Imports +import pkiconfig as config +import pkimessages as log + + +# PKI Deployment Manifest Constants +RECORD_TYPE_DIRECTORY = "directory" +RECORD_TYPE_FILE = "file" +RECORD_TYPE_SYMLINK = "symlink" + + +# PKI Deployment Manifest Record Class +class record(object): + __slots__= "name",\ + "type",\ + "user",\ + "group",\ + "uid",\ + "gid",\ + "permissions",\ + "acls", + + def items(self): + "dict style items" + return [ + (field_name, getattr(self, field_name)) + for field_name in self.__slots__] + + def __iter__(self): + "iterate over fields tuple/list style" + for field_name in self.__slots__: + yield getattr(self, field_name) + + def __getitem__(self, index): + "tuple/list style getitem" + return getattr(self, self.__slots__[index]) + + +# PKI Deployment Manifest File Class +class file: + global database + filename = None + + def register(self, name): + self.filename = name + + def write(self): + try: + fd = open(self.filename, "wt") + c = csv.writer(fd) + for record in database: + c.writerow(tuple(record)) + fd.close() + except IOError as exc: + config.pki_log.error(log.PKI_IOERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_1) + sys.exit(1) + + def read(self): + try: + fd = open(self.filename, "rt") + cr = csv.reader(fd) + for row in cr: + print tuple(row) + fd.close() + except IOError as exc: + config.pki_log.error(log.PKI_IOERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_1) + sys.exit(1) + + +# PKI Deployment Global Named Tuples +database = [] +file = file() diff --git a/base/server/src/engine/pkimessages.py b/base/server/src/engine/pkimessages.py new file mode 100644 index 000000000..a6361dc8b --- /dev/null +++ b/base/server/src/engine/pkimessages.py @@ -0,0 +1,361 @@ +#!/usr/bin/python -t +# Authors: +# Matthew Harmsen <mharmsen@redhat.com> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2012 Red Hat, Inc. +# All rights reserved. +# + +# PKI Deployment Engine Messages +PKI_DICTIONARY_DEFAULT ="\n"\ +"=====================================================\n"\ +" DISPLAY CONTENTS OF PKI DEFAULT DICTIONARY\n"\ +"=====================================================" +PKI_DICTIONARY_MASTER="\n"\ +"=====================================================\n"\ +" DISPLAY CONTENTS OF PKI MASTER DICTIONARY\n"\ +"=====================================================" +PKI_DICTIONARY_SLOTS="\n"\ +"=====================================================\n"\ +" DISPLAY CONTENTS OF PKI SLOTS DICTIONARY\n"\ +"=====================================================" +PKI_DICTIONARY_SUBSYSTEM="\n"\ +"=====================================================\n"\ +" DISPLAY CONTENTS OF PKI SUBSYSTEM DICTIONARY\n"\ +"=====================================================" +PKI_DICTIONARY_WEB_SERVER="\n"\ +"=====================================================\n"\ +" DISPLAY CONTENTS OF PKI WEB SERVER DICTIONARY\n"\ +"=====================================================" +# NEVER print out 'sensitive' data dictionary!!! + + +# PKI Deployment Log Messages +PKI_VERBOSITY=\ +"VERBOSITY FLAGS CONSOLE MESSAGE LEVEL LOG MESSAGE LEVEL\n"\ +"=======================================================================\n"\ +" NONE error|warning error|warning|info\n"\ +" -v error|warning|info error|warning|info\n"\ +" -vv error|warning|info error|warning|info|debug\n"\ +" -vvv error|warning|info|debug error|warning|info|debug\n"\ +" " + +# PKI Deployment Error Messages +PKI_BADZIPFILE_ERROR_1 = "zipfile.BadZipFile: %s!" +PKI_CONFIGURATION_RESTART_1 = "After configuration, the server can be "\ + "operated by the command:\n\n%s" +PKI_CONFIGURATION_URL_1 = "Please start the configuration by accessing:\n\n%s" +PKI_CONFIGURATION_WIZARD_RESTART_1 = "After configuration, the server can be "\ + "operated by the command:\n%s" +PKI_CONFIGURATION_WIZARD_URL_1 = "Configuration Wizard listening on\n%s" +PKI_DIRECTORY_ALREADY_EXISTS_1 = "Directory '%s' already exists!" +PKI_DIRECTORY_ALREADY_EXISTS_NOT_A_DIRECTORY_1 = "Directory '%s' already "\ + "exists BUT it is NOT a "\ + "directory!" +PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1 = "Directory '%s' is either "\ + "missing or is NOT a directory!" +PKI_DNS_DOMAIN_NOT_SET = "A valid DNS domain name MUST be established "\ + "to use PKI services!" +PKI_FILE_ALREADY_EXISTS_1 = "File '%s' already exists!" +PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1 = "File '%s' already "\ + "exists BUT it is NOT a "\ + "file!" +PKI_FILE_MISSING_OR_NOT_A_FILE_1 = "File '%s' is either missing "\ + "or is NOT a regular file!" +PKI_FILE_NOT_A_WAR_FILE_1 = "File '%s' is NOT a war file!" +PKI_INSTANCE_DOES_NOT_EXIST_1 = "PKI instance '%s' does NOT exist!" +PKI_SECURITY_DATABASES_ALREADY_EXIST_3 = "Security databases '%s', '%s', "\ + "and/or '%s' already exist!" +PKI_SECURITY_DATABASES_DO_NOT_EXIST_3 = "Security databases '%s', '%s', "\ + "and/or '%s' do NOT exist!" +PKI_SUBSYSTEM_NOT_INSTALLED_1 = "Package pki-%s is NOT installed!" +PKI_SUBSYSTEM_ALREADY_EXISTS_2 = "PKI subsystem '%s' for instance '%s' "\ + "already exists!" +PKI_SUBSYSTEM_DOES_NOT_EXIST_2 = "PKI subsystem '%s' for instance '%s' "\ + "does NOT exist!" + +PKI_IOERROR_1 = "IOError: %s!" +PKI_KEYERROR_1 = "KeyError: %s!" +PKI_LARGEZIPFILE_ERROR_1 = "zipfile.LargeZipFile: %s!" +PKI_MANIFEST_MESSAGE_1 = "generating manifest file called '%s'" +PKI_OSERROR_1 = "OSError: %s!" +PKI_SHUTIL_ERROR_1 = "shutil.Error: %s!" +PKI_SUBPROCESS_ERROR_1 = "subprocess.CalledProcessError: %s!" +PKI_SYMLINK_ALREADY_EXISTS_1 = "Symlink '%s' already exists!" +PKI_SYMLINK_ALREADY_EXISTS_NOT_A_SYMLINK_1 = "Symlink '%s' already "\ + "exists BUT it is NOT a "\ + "symlink!" +PKI_SYMLINK_MISSING_OR_NOT_A_SYMLINK_1 = "Symlink '%s' is either missing "\ + "or is NOT a symbolic link!" +PKI_UNABLE_TO_PARSE_1 = "'Could not parse: '%s'" +PKI_UNABLE_TO_CREATE_LOG_DIRECTORY_1 = "Could not create log directory '%s'!" +PKI_VERBOSITY_LEVELS_MESSAGE = "Only up to 3 levels of verbosity are supported!" + + +# PKI Deployment 'pkispawn' and 'pkidestroy' Messages +PKIDESTROY_BEGIN_MESSAGE_2 = "BEGIN destroying subsystem '%s' of "\ + "instance '%s' . . ." +PKIDESTROY_END_MESSAGE_2 = "END destroying subsystem '%s' of "\ + "instance '%s'" +PKIDESTROY_EPILOG =\ +"REMINDER:\n\n"\ +" The default PKI instance path will be calculated and placed in front\n"\ +" of the mandatory '-i <instance>' parameter, and the values that reside\n"\ +" in deployment configuration file that was most recently used\n"\ +" by this instance's 'pkispawn' (or 'pkispawn -u') command will be\n"\ +" utilized by 'pkidestroy' to remove this instance.\n\n"\ +" Finally, if an optional '-p <prefix>' is defined, this value WILL be\n"\ +" prepended to the default PKI instance path which is placed in front\n"\ +" of the specified '-i <instance>' parameter.\n\n" +\ +PKI_VERBOSITY +PKIRESPAWN_BEGIN_MESSAGE_2 = "BEGIN respawning subsystem '%s' of "\ + "instance '%s' . . ." +PKIRESPAWN_END_MESSAGE_2 = "END respawning subsystem '%s' of "\ + "instance '%s'" +PKISPAWN_BEGIN_MESSAGE_2 = "BEGIN spawning subsystem '%s' of "\ + "instance '%s' . . ." +PKISPAWN_END_MESSAGE_2 = "END spawning subsystem '%s' of "\ + "instance '%s'" +PKISPAWN_EPILOG =\ +"REMINDER:\n\n"\ +" If two or more Apache or Tomcat PKI 'instances' are specified via\n"\ +" separate configuration files, remember that the following parameters\n"\ +" MUST differ between PKI 'instances':\n\n"\ +" Apache: 'pki_instance_name', 'pki_http_port', and 'pki_https_port'\n"\ +" Tomcat: 'pki_instance_name', 'pki_http_port', 'pki_https_port',\n"\ +" 'pki_ajp_port', and 'pki_tomcat_server_port'\n\n"\ +" Finally, if an optional '-p <prefix>' is defined, this value WILL NOT\n"\ +" be prepended in front of the mandatory '-f <configuration_file>'.\n\n" +\ +PKI_VERBOSITY + + +# PKI Deployment "Helper" Messages +PKIHELPER_APACHE_INSTANCE_SUBSYSTEMS_2 = "instance '%s' contains '%d' "\ + "Apache PKI subsystems" +PKIHELPER_APACHE_INSTANCES_2 = "PKI Apache registry '%s' contains '%d' "\ + "Apache PKI instances" +PKIHELPER_APPLY_SLOT_SUBSTITUTION_1 = "applying in-place "\ + "slot substitutions on '%s'" +PKIHELPER_CERTUTIL_GENERATE_CSR_1 = "executing '%s'" +PKIHELPER_CERTUTIL_MISSING_INPUT_FILE = "certutil: Missing "\ + "'-i input-file' option!" +PKIHELPER_CERTUTIL_MISSING_ISSUER_NAME = "certutil: Missing "\ + "'-c issuer-name' option!" +PKIHELPER_CERTUTIL_MISSING_NICKNAME = "certutil: Missing "\ + "'-n nickname' option!" +PKIHELPER_CERTUTIL_MISSING_NOISE_FILE = "certutil: Missing "\ + "'-z noise-file' option!" +PKIHELPER_CERTUTIL_MISSING_PASSWORD_FILE = "certutil: Missing "\ + "'-f password-file' option!" +PKIHELPER_CERTUTIL_MISSING_PATH = "certutil: Missing '-d path' option!" +PKIHELPER_CERTUTIL_MISSING_SERIAL_NUMBER = "certutil: Missing "\ + "'-m serial-number' option!" +PKIHELPER_CERTUTIL_MISSING_SUBJECT = "certutil: Missing '-s subject' option!" +PKIHELPER_CERTUTIL_MISSING_TOKEN = "certutil: Missing '-h token' option!" +PKIHELPER_CERTUTIL_MISSING_TRUSTARGS = "certutil: Missing "\ + "'-t trustargs' option!" +PKIHELPER_CERTUTIL_MISSING_VALIDITY_PERIOD = "certutil: Missing "\ + "'-v months-valid' option!" +PKIHELPER_CERTUTIL_SELF_SIGNED_CERTIFICATE_1 = "executing '%s'" +PKIHELPER_CHMOD_2 = "chmod %o %s" +PKIHELPER_CHOWN_3 = "chown %s:%s %s" +PKIHELPER_CHOWN_H_3 = "chown -h %s:%s %s" +PKIHELPER_COMMAND_LINE_PARAMETER_MISMATCH_2 = "the command-line parameter "\ + "'%s' DOES NOT match the "\ + "configuration file value '%s'!" +PKIHELPER_COPY_WITH_SLOT_SUBSTITUTION_2 = "copying '%s' --> '%s' "\ + "with slot substitution" +PKIHELPER_CP_P_2 = "cp -p %s %s" +PKIHELPER_CP_RP_2 = "cp -rp %s %s" +PKIHELPER_CREATE_SECURITY_DATABASES_1 = "executing '%s'" +PKIHELPER_DANGLING_SYMLINK_2 = "Dangling symlink '%s'-->'%s'" +PKIHELPER_DICTIONARY_MASTER_MISSING_KEY_1 = "KeyError: Master dictionary "\ + "is missing the key called '%s'!" +PKIHELPER_DIRECTORY_IS_EMPTY_1 = "directory '%s' is empty" +PKIHELPER_DIRECTORY_IS_NOT_EMPTY_1 = "directory '%s' is NOT empty" +PKIHELPER_GID_2 = "GID of '%s' is %s" +PKIHELPER_GROUP_1 = "retrieving GID for '%s' . . ." +PKIHELPER_GROUP_ADD_2 = "adding GID '%s' for group '%s' . . ." +PKIHELPER_GROUP_ADD_DEFAULT_2 = "adding default GID '%s' for group '%s' . . ." +PKIHELPER_GROUP_ADD_GID_KEYERROR_1 = "KeyError: pki_gid %s" +PKIHELPER_GROUP_ADD_KEYERROR_1 = "KeyError: pki_group %s" +PKIHELPER_INVALID_SELINUX_CONTEXT_FOR_PORT = "port %s has invalid selinux "\ + "context %s" +PKIHELPER_IS_A_DIRECTORY_1 = "'%s' is a directory" +PKIHELPER_IS_A_FILE_1 = "'%s' is a file" +PKIHELPER_IS_A_SYMLINK_1 = "'%s' is a symlink" +PKIHELPER_JAR_XF_C_2 = "jar -xf %s -C %s" +PKIHELPER_KRACONNECTOR_UPDATE_CONTACT =\ + "contacting the CA to update the KRA connector" +PKIHELPER_KRACONNECTOR_UPDATE_FAILURE = "Failed to update KRA connector on CA" +PKIHELPER_KRACONNECTOR_UPDATE_FAILURE_2 = "Failed to update KRA connector for %s:%s" +PKIHELPER_LINK_S_2 = "ln -s %s %s" +PKIHELPER_MKDIR_1 = "mkdir -p %s" +PKIHELPER_MODIFY_DIR_1 = "modifying '%s'" +PKIHELPER_MODIFY_FILE_1 = "modifying '%s'" +PKIHELPER_MODIFY_SYMLINK_1 = "modifying '%s'" +PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_CA = "cloned CAs and external "\ + "CAs MUST be MUTUALLY "\ + "EXCLUSIVE in '%s'" +PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_EXTERNAL_SUB_CA = "cloned CAs, external "\ + "CAs, and subordinate CAs"\ + "MUST ALL be MUTUALLY "\ + "EXCLUSIVE in '%s'" +PKIHELPER_MUTUALLY_EXCLUSIVE_CLONE_SUB_CA = "cloned CAs and subordinate "\ + "CAs MUST be MUTUALLY "\ + "EXCLUSIVE in '%s'" +PKIHELPER_MUTUALLY_EXCLUSIVE_EXTERNAL_SUB_CA = "external CAs and subordinate "\ + "CAs MUST be MUTUALLY "\ + "EXCLUSIVE in '%s'" +PKIHELPER_NAMESPACE_COLLISION_2 = "PKI instance '%s' would produce a "\ + "namespace collision with '%s'!" +PKIHELPER_NAMESPACE_RESERVED_NAME_2 = "PKI instance '%s' is already a "\ + "reserved name under '%s'!" +PKIHELPER_NOISE_FILE_2 = "generating noise file called '%s' and "\ + "filling it with '%d' random bytes" +PKIHELPER_PASSWORD_CONF_1 = "generating '%s'" +PKIHELPER_PASSWORD_NOT_FOUND_1 = "no password found for '%s'!" +PKIHELPER_PK12UTIL_MISSING_DBPWFILE = "pk12util missing "\ + "-k db-password-file option!" +PKIHELPER_PK12UTIL_MISSING_NICKNAME = "pk12util missing "\ + "-n nickname option!" +PKIHELPER_PK12UTIL_MISSING_OUTFILE = "pk12util missing "\ + "-o output-file option!" +PKIHELPER_PK12UTIL_MISSING_PWFILE = "pk12util missing "\ + "-w pw-file option!" + +PKIHELPER_PKI_INSTANCE_SUBSYSTEMS_2 = "instance '%s' contains '%d' "\ + "PKI subsystems" +PKIHELPER_REMOVE_FILTER_SECTION_1 = "removing filter section from '%s'" +PKIHELPER_RM_F_1 = "rm -f %s" +PKIHELPER_RM_RF_1 = "rm -rf %s" +PKIHELPER_RMDIR_1 = "rmdir %s" +PKIHELPER_SECURITY_DOMAIN_CONTACT_1 =\ + "contacting the security domain master to update security domain '%s'" +PKIHELPER_SECURITY_DOMAIN_GET_TOKEN_FAILURE_2 =\ + "Failed to get installation token from security domain '%s:%s'" +PKIHELPER_SECURITY_DOMAIN_UNDEFINED =\ + "No security domain defined.\n"\ + "If this is an unconfigured instance, then that is OK.\n"\ + "Otherwise, manually delete the entry from the security domain master." +PKIHELPER_SECURITY_DOMAIN_UNREACHABLE_1 =\ + "security domain '%s' may be offline or unreachable!" +PKIHELPER_SECURITY_DOMAIN_UNREGISTERED_2 =\ + "this '%s' entry may not be registered with security domain '%s'!" +PKIHELPER_SECURITY_DOMAIN_UPDATE_FAILURE_2 =\ + "this '%s' entry will NOT be deleted from security domain '%s'!" +PKIHELPER_SECURITY_DOMAIN_UPDATE_FAILURE_3 =\ + "updateDomainXML FAILED to delete this '%s' entry from "\ + "security domain '%s': '%s'" +PKIHELPER_SECURITY_DOMAIN_UPDATE_SUCCESS_2 =\ + "updateDomainXML SUCCESSFULLY deleted this '%s' entry from "\ + "security domain '%s'" +PKIHELPER_SELINUX_DISABLED = "Selinux is disabled. Not checking port contexts" +PKIHELPER_SET_MODE_1 = "setting ownerships, permissions, and acls on '%s'" +PKIHELPER_SLOT_SUBSTITUTION_2 = "slot substitution: '%s' ==> '%s'" +PKIHELPER_SSLGET_OUTPUT_1 = "\n"\ + "Dump of 'sslget' output:\n"\ + "=====================================================\n"\ + "%s\n"\ + "=====================================================" +PKIHELPER_SYSTEMD_COMMAND_1 = "executing '%s'" +PKIHELPER_TOMCAT_INSTANCE_SUBSYSTEMS_2 = "instance '%s' contains '%d' "\ + "Tomcat PKI subsystems" +PKIHELPER_TOMCAT_INSTANCES_2 = "PKI Tomcat registry '%s' contains '%d' "\ + "Tomcat PKI instances" +PKIHELPER_TOUCH_1 = "touch %s" +PKIHELPER_UID_2 = "UID of '%s' is %s" +PKIHELPER_UNDEFINED_CA_HOST_PORT = "CA Host or Port is undefined" +PKIHELPER_UNDEFINED_CLIENT_DATABASE_PASSWORD_2 =\ + "Either a value for '%s' MUST be defined in '%s', or "\ + "the randomly generated client pin MUST be used" +PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2 =\ + "A value for '%s' MUST be defined in '%s'" +PKIHELPER_UNDEFINED_SUBSYSTEM_NICKNAME = "subsystem nickname not defined" +PKIHELPER_UNDEFINED_TOKEN_PASSWD_1 = "Password for token '%s' not defined" +PKIHELPER_USER_1 = "retrieving UID for '%s' . . ." +PKIHELPER_USER_ADD_2 = "adding UID '%s' for user '%s' . . ." +PKIHELPER_USER_ADD_DEFAULT_2 = "adding default UID '%s' for user '%s' . . ." +PKIHELPER_USER_ADD_KEYERROR_1 = "KeyError: pki_user %s" +PKIHELPER_USER_ADD_UID_KEYERROR_1 = "KeyError: pki_uid %s" + +PKI_CONFIG_ADMIN_CERT_SAVE = "saving Admin Certificate to file:" +PKI_CONFIG_ADMIN_CERT_ATOB = "converting Admin Certificate to binary:" +PKI_CONFIG_CDATA_TAG = "tag:" +PKI_CONFIG_CDATA_CERT = "cert:" +PKI_CONFIG_CDATA_REQUEST = "request:" +PKI_CONFIG_CONFIGURING_PKI_DATA = "configuring PKI configuration data." +PKI_CONFIG_CONSTRUCTING_PKI_DATA = "constructing PKI configuration data." +PKI_CONFIG_PKCS10_SUPPORT_ONLY = "only the 'pkcs10' certificate request type "\ + "is currently supported" +PKI_CONFIG_EXTERNAL_CA_LOAD = "loading external CA signing certificate "\ + "from file:" +PKI_CONFIG_EXTERNAL_CA_CHAIN_LOAD = "loading external CA signing certificate "\ + "chain from file:" +PKI_CONFIG_EXTERNAL_CSR_SAVE = "saving CA Signing CSR to file:" +PKI_CONFIG_JAVA_CONFIGURATION_EXCEPTION =\ + "Exception from Java Configuration Servlet:" +PKI_CONFIG_RESPONSE_ADMIN_CERT = "adminCert:" +PKI_CONFIG_RESPONSE_STATUS = "status:" +PKI_CONFIG_NOT_YET_IMPLEMENTED_1 = " %s NOT YET IMPLEMENTED" + +# PKI Deployment "Scriptlet" Messages +ADMIN_DOMAIN_DESTROY_1 = "depopulating '%s'" +ADMIN_DOMAIN_RESPAWN_1 = "repopulating '%s'" +ADMIN_DOMAIN_SPAWN_1 = "populating '%s'" +CONFIGURATION_DESTROY_1 = "unconfiguring '%s'" +CONFIGURATION_RESPAWN_1 = "reconfiguring '%s'" +CONFIGURATION_SPAWN_1 = "configuring '%s'" +FINALIZATION_DESTROY_1 = "finalizing '%s'" +FINALIZATION_RESPAWN_1 = "finalizing '%s'" +FINALIZATION_SPAWN_1 = "finalizing '%s'" +INITIALIZATION_DESTROY_1 = "initializing '%s'" +INITIALIZATION_RESPAWN_1 = "initializing '%s'" +INITIALIZATION_SPAWN_1 = "initializing '%s'" +INSTANCE_DESTROY_1 = "depopulating '%s'" +INSTANCE_RESPAWN_1 = "repopulating '%s'" +INSTANCE_SPAWN_1 = "populating '%s'" +RESIDUAL_DESTROY_1 = "depopulating '%s'" +RESIDUAL_RESPAWN_1 = "repopulating '%s'" +RESIDUAL_SPAWN_1 = "populating '%s'" +SECURITY_DATABASES_DESTROY_1 = "removing '%s'" +SECURITY_DATABASES_RESPAWN_1 = "regenerating '%s'" +SECURITY_DATABASES_SPAWN_1 = "generating '%s'" +SELINUX_DESTROY_1 = "depopulating '%s'" +SELINUX_RESPAWN_1 = "repopulating '%s'" +SELINUX_SPAWN_1 = "populating '%s'" +SELINUX_DISABLED_DESTROY_1 = "selinux disabled. skipping unlabelling '%s'" +SELINUX_DISABLED_SPAWN_1 = "selinux disabled. skipping labelling '%s'" +SLOT_ASSIGNMENT_DESTROY_1 = "unassigning slots for '%s'" +SLOT_ASSIGNMENT_RESPAWN_1 = "reassigning slots for '%s'" +SLOT_ASSIGNMENT_SPAWN_1 = "assigning slots for '%s'" +SUBSYSTEM_DESTROY_1 = "depopulating '%s'" +SUBSYSTEM_RESPAWN_1 = "repopulating '%s'" +SUBSYSTEM_SPAWN_1 = "populating '%s'" +WEBAPP_DEPLOYMENT_DESTROY_1 = "removing '%s'" +WEBAPP_DEPLOYMENT_RESPAWN_1 = "redeploying '%s'" +WEBAPP_DEPLOYMENT_SPAWN_1 = "deploying '%s'" +SKIP_ADMIN_DOMAIN_SPAWN_1 = "skip populating '%s'" +SKIP_CONFIGURATION_SPAWN_1 = "skip configuring '%s'" +SKIP_FINALIZATION_SPAWN_1 = "skip finalizing '%s'" +SKIP_INITIALIZATION_SPAWN_1 = "skip initializing '%s'" +SKIP_INSTANCE_SPAWN_1 = "skip populating '%s'" +SKIP_RESIDUAL_SPAWN_1 = "skip populating '%s'" +SKIP_SECURITY_DATABASES_SPAWN_1 = "skip generating '%s'" +SKIP_SELINUX_SPAWN_1 = "skip populating '%s'" +SKIP_SLOT_ASSIGNMENT_SPAWN_1 = "skip assigning slots for '%s'" +SKIP_SUBSYSTEM_SPAWN_1 = "skip populating '%s'" +SKIP_WEBAPP_DEPLOYMENT_SPAWN_1 = "skip deploying '%s'" diff --git a/base/server/src/engine/pkiparser.py b/base/server/src/engine/pkiparser.py new file mode 100644 index 000000000..c4bf9b886 --- /dev/null +++ b/base/server/src/engine/pkiparser.py @@ -0,0 +1,1069 @@ +#!/usr/bin/python -t +# Authors: +# Matthew Harmsen <mharmsen@redhat.com> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2012 Red Hat, Inc. +# All rights reserved. +# + +# System Imports +import ConfigParser +import argparse +import getpass +import ldap +import logging +import os +import random +import string +import subprocess +import sys +import time + + +# PKI Deployment Imports +import pkilogging +import pkiconfig as config +import pkimessages as log + +import pki.account +import pki.client +import pki.system + +class PKIConfigParser: + + COMMENT_CHAR = '#' + OPTION_CHAR = '=' + + def __init__(self, description, epilog): + self.pki_config = None + + "Read and process command-line options" + self.arg_parser = argparse.ArgumentParser( + description=description, + add_help=False, + formatter_class=argparse.RawDescriptionHelpFormatter, + epilog=epilog) + + # Establish 'Mandatory' command-line options + self.mandatory = self.arg_parser.add_argument_group('mandatory arguments') + + # Establish 'Optional' command-line options + self.optional = self.arg_parser.add_argument_group('optional arguments') + self.optional.add_argument('-s', + dest='pki_subsystem', action='store', + nargs=1, choices=config.PKI_SUBSYSTEMS, + metavar='<subsystem>', + help='where <subsystem> is ' + 'CA, KRA, OCSP, RA, TKS, or TPS') + self.optional.add_argument('-h', '--help', + dest='help', action='help', + help='show this help message and exit') + self.optional.add_argument('-v', + dest='pki_verbosity', action='count', + help='display verbose information (details below)') + + # Establish 'Test' command-line options + test = self.arg_parser.add_argument_group('test arguments') + test.add_argument('-p', + dest='pki_root_prefix', action='store', + nargs=1, metavar='<prefix>', + help='directory prefix to specify local directory ' + '[TEST ONLY]') + + self.indent = 0 + + # PKI Deployment Helper Functions + def process_command_line_arguments(self, argv): + + # Parse command-line options + args = self.arg_parser.parse_args() + + # Process 'Mandatory' command-line options + + # Process 'Optional' command-line options + # '-v' + if args.pki_verbosity == 1: + config.pki_console_log_level = logging.INFO + config.pki_log_level = logging.INFO + elif args.pki_verbosity == 2: + config.pki_console_log_level = logging.INFO + config.pki_log_level = logging.DEBUG + elif args.pki_verbosity == 3: + config.pki_console_log_level = logging.DEBUG + config.pki_log_level = logging.DEBUG + elif args.pki_verbosity > 3: + print "ERROR: " + log.PKI_VERBOSITY_LEVELS_MESSAGE + print + self.arg_parser.print_help() + self.arg_parser.exit(-1); + else: + # Set default log levels + config.pki_console_log_level = logging.WARNING + config.pki_log_level = logging.INFO + + # Process 'Test' command-line options + # '-p' + if args.pki_root_prefix is None: + config.pki_root_prefix = "" + else: + config.pki_root_prefix = str(args.pki_root_prefix).strip('[\']') + + return args + + + def validate(self): + + # Validate command-line options + if len(config.pki_root_prefix) > 0: + if not os.path.exists(config.pki_root_prefix) or\ + not os.path.isdir(config.pki_root_prefix): + print "ERROR: " +\ + log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1 %\ + config.pki_root_prefix + print + self.arg_parser.print_help() + self.arg_parser.exit(-1); + + # always default that configuration file exists + if not os.path.exists(config.default_deployment_cfg) or\ + not os.path.isfile(config.default_deployment_cfg): + print "ERROR: " +\ + log.PKI_FILE_MISSING_OR_NOT_A_FILE_1 %\ + config.default_deployment_cfg + print + self.arg_parser.print_help() + self.arg_parser.exit(-1); + + if config.user_deployment_cfg: + # verify user configuration file exists + if not os.path.exists(config.user_deployment_cfg) or\ + not os.path.isfile(config.user_deployment_cfg): + print "ERROR: " +\ + log.PKI_FILE_MISSING_OR_NOT_A_FILE_1 %\ + config.user_deployment_cfg + print + parser.arg_parser.print_help() + parser.arg_parser.exit(-1); + + + def init_config(self): + + # RESTEasy + resteasy_lib = subprocess.check_output(\ + 'source /etc/pki/pki.conf && echo $RESTEASY_LIB', + shell=True).strip() + + # JNI jar location + jni_jar_dir = subprocess.check_output(\ + 'source /etc/pki/pki.conf && echo $JNI_JAR_DIR', + shell=True).strip() + + if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: + default_instance_name = 'pki-tomcat' + default_http_port = '8080' + default_https_port = '8443' + else: + default_instance_name = 'pki-apache' + default_http_port = '80' + default_https_port = '443' + + self.pki_config = ConfigParser.SafeConfigParser({ + 'pki_instance_name': default_instance_name, + 'pki_http_port': default_http_port, + 'pki_https_port': default_https_port, + 'pki_dns_domainname': config.pki_dns_domainname, + 'pki_subsystem': config.pki_subsystem, + 'pki_subsystem_type': config.pki_subsystem.lower(), + 'pki_root_prefix' : config.pki_root_prefix, + 'resteasy_lib': resteasy_lib, + 'jni_jar_dir': jni_jar_dir, + 'home_dir': os.path.expanduser("~"), + 'pki_hostname': config.pki_hostname}) + + # Make keys case-sensitive! + self.pki_config.optionxform = str + + config.user_config = ConfigParser.SafeConfigParser() + config.user_config.optionxform = str + + with open(config.default_deployment_cfg) as f: + self.pki_config.readfp(f) + + self.flatten_master_dict() + + + # The following code is based heavily upon + # "http://www.decalage.info/en/python/configparser" + @staticmethod + def read_simple_configuration_file(filename): + values = {} + f = open(filename) + for line in f: + # First, remove comments: + if PKIConfigParser.COMMENT_CHAR in line: + # split on comment char, keep only the part before + line, comment = line.split(PKIConfigParser.COMMENT_CHAR, 1) + # Second, find lines with an name=value: + if PKIConfigParser.OPTION_CHAR in line: + # split on name char: + name, value = line.split(PKIConfigParser.OPTION_CHAR, 1) + # strip spaces: + name = name.strip() + value = value.strip() + # store in dictionary: + values[name] = value + f.close() + return values + + + def set_property(self, section, property, value): + if section != "DEFAULT" and not self.pki_config.has_section(section): + self.pki_config.add_section(section) + self.pki_config.set(section, property, value) + self.flatten_master_dict() + + if section != "DEFAULT" and not config.user_config.has_section(section): + config.user_config.add_section(section) + config.user_config.set(section, property, value) + + + def print_text(self, message): + print ' ' * self.indent + message + + def read_text(self, message, + section=None, property=None, default=None, + options=None, sign=':', allowEmpty=True, caseSensitive=True): + + if default is None and property is not None: + default = config.pki_master_dict[property] + if default: + message = message + ' [' + default + ']' + message = ' ' * self.indent + message + sign + ' ' + + done = False + while not done: + value = raw_input(message) + value = value.strip() + + if len(value) == 0: # empty value + if allowEmpty: + value = default + done = True + break + + else: # non-empty value + if options is not None: + for v in options: + if caseSensitive: + if v == value: + done = True + break + else: + if v.lower() == value.lower(): + done = True + break + else: + done = True + break + + value = value.replace("%", "%%") + if section: + self.set_property(section, property, value) + + return value + + + def read_password(self, message, section=None, property=None, + verifyMessage=None): + message = ' ' * self.indent + message + ': ' + if verifyMessage is not None: + verifyMessage = ' ' * self.indent + verifyMessage + ': ' + + while True: + password = '' + while len(password) == 0: + password = getpass.getpass(prompt=message) + + if verifyMessage is not None: + verification = '' + while len(verification) == 0: + verification = getpass.getpass(prompt=verifyMessage) + + if password != verification: + self.print_text('Passwords do not match.') + continue + + break + + password = password.replace("%", "%%") + if section: + self.set_property(section, property, password) + + return password + + def read_pki_configuration_file(self): + "Read configuration file sections into dictionaries" + rv = 0 + try: + if config.user_deployment_cfg: + print 'Loading deployment configuration from ' + config.user_deployment_cfg + '.' + self.pki_config.read([config.user_deployment_cfg]) + + except ConfigParser.ParsingError, err: + print err + rv = err + return rv + + + def flatten_master_dict(self): + config.pki_master_dict.update(__name__="PKI Master Dictionary") + + default_dict = dict(self.pki_config.items('DEFAULT')) + default_dict[0] = None + config.pki_master_dict.update(default_dict) + + web_server_dict = None + if config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: + if self.pki_config.has_section('Tomcat'): + web_server_dict = dict(self.pki_config.items('Tomcat')) + else: + if self.pki_config.has_section('Apache'): + web_server_dict = dict(self.pki_config.items('Apache')) + + if web_server_dict: + web_server_dict[0] = None + config.pki_master_dict.update(web_server_dict) + + if self.pki_config.has_section(config.pki_subsystem): + subsystem_dict = dict(self.pki_config.items(config.pki_subsystem)) + subsystem_dict[0] = None + config.pki_master_dict.update(subsystem_dict) + + + def ds_connect(self): + + hostname = config.pki_master_dict['pki_ds_hostname'] + + if config.str2bool(config.pki_master_dict['pki_ds_secure_connection']): + protocol = 'ldaps' + port = config.pki_master_dict['pki_ds_ldaps_port'] + else: + protocol = 'ldap' + port = config.pki_master_dict['pki_ds_ldap_port'] + + self.ds_connection = ldap.initialize(protocol + '://' + hostname + ':' + port) + self.ds_connection.search_s('', ldap.SCOPE_BASE) + + def ds_bind(self): + self.ds_connection.simple_bind_s( + config.pki_master_dict['pki_ds_bind_dn'], + config.pki_master_dict['pki_ds_password']) + + def ds_base_dn_exists(self): + try: + results = self.ds_connection.search_s( + config.pki_master_dict['pki_ds_base_dn'], + ldap.SCOPE_BASE) + + if results is None or len(results) == 0: + return False + + return True + + except ldap.NO_SUCH_OBJECT as e: + return False + + def ds_close(self): + self.ds_connection.unbind_s() + + def sd_connect(self): + self.sd_connection = pki.client.PKIConnection( + protocol='https', + hostname=config.pki_master_dict['pki_security_domain_hostname'], + port=config.pki_master_dict['pki_security_domain_https_port'], + subsystem='ca') + + def sd_get_info(self): + sd = pki.system.SecurityDomainClient(self.sd_connection) + return sd.getSecurityDomainInfo() + + def sd_authenticate(self): + self.sd_connection.authenticate( + config.pki_master_dict['pki_security_domain_user'], + config.pki_master_dict['pki_security_domain_password']) + + account = pki.account.AccountClient(self.sd_connection) + account.login() + account.logout() + + def compose_pki_master_dictionary(self): + "Create a single master PKI dictionary from the sectional dictionaries" + try: + # 'pkispawn'/'pkirespawn'/'pkidestroy' name/value pairs + config.pki_master_dict['pki_deployment_executable'] =\ + config.pki_deployment_executable + config.pki_master_dict['pki_install_time'] = config.pki_install_time + config.pki_master_dict['pki_timestamp'] = config.pki_timestamp + config.pki_master_dict['pki_certificate_timestamp'] =\ + config.pki_certificate_timestamp + config.pki_master_dict['pki_architecture'] = config.pki_architecture + config.pki_master_dict['pki_default_deployment_cfg'] = config.default_deployment_cfg + config.pki_master_dict['pki_user_deployment_cfg'] = config.user_deployment_cfg + config.pki_master_dict['pki_deployed_instance_name'] =\ + config.pki_deployed_instance_name + # Generate random 'pin's for use as security database passwords + # and add these to the "sensitive" key value pairs read in from + # the configuration file + pin_low = 100000000000 + pin_high = 999999999999 + config.pki_master_dict['pki_pin'] =\ + random.randint(pin_low, pin_high) + config.pki_master_dict['pki_client_pin'] =\ + random.randint(pin_low, pin_high) + + self.flatten_master_dict() + + pkilogging.sensitive_parameters = config.pki_master_dict['sensitive_parameters'].split() + + # PKI Target (slot substitution) name/value pairs + config.pki_master_dict['pki_target_cs_cfg'] =\ + os.path.join( + config.pki_master_dict['pki_subsystem_configuration_path'], + "CS.cfg") + config.pki_master_dict['pki_target_registry'] =\ + os.path.join(config.pki_master_dict['pki_instance_registry_path'], + config.pki_master_dict['pki_instance_name']) + if config.pki_master_dict['pki_subsystem'] == "CA" and\ + config.str2bool(config.pki_master_dict['pki_external_step_two']): + # Use the 'pki_one_time_pin' established during the setup of + # External CA Step 1 + if os.path.exists(config.pki_master_dict['pki_target_cs_cfg'])\ + and\ + os.path.isfile(config.pki_master_dict['pki_target_cs_cfg']): + cs_cfg = self.read_simple_configuration_file( + config.pki_master_dict['pki_target_cs_cfg']) + config.pki_master_dict['pki_one_time_pin'] =\ + cs_cfg.get('preop.pin') + else: + config.pki_log.error(log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, + config.pki_master_dict['pki_target_cs_cfg'], + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + else: + # Generate a one-time pin to be used prior to configuration + # and add this to the "sensitive" key value pairs read in from + # the configuration file + config.pki_master_dict['pki_one_time_pin'] =\ + ''.join(random.choice(string.ascii_letters + string.digits)\ + for x in range(20)) + if config.pki_master_dict['pki_subsystem'] in\ + config.PKI_TOMCAT_SUBSYSTEMS: + config.pki_master_dict['pki_target_catalina_properties'] =\ + os.path.join( + config.pki_master_dict['pki_instance_configuration_path'], + "catalina.properties") + config.pki_master_dict['pki_target_servercertnick_conf'] =\ + os.path.join( + config.pki_master_dict['pki_instance_configuration_path'], + "serverCertNick.conf") + config.pki_master_dict['pki_target_server_xml'] =\ + os.path.join( + config.pki_master_dict['pki_instance_configuration_path'], + "server.xml") + config.pki_master_dict['pki_target_context_xml'] =\ + os.path.join( + config.pki_master_dict['pki_instance_configuration_path'], + "context.xml") + config.pki_master_dict['pki_target_tomcat_conf_instance_id'] =\ + config.pki_master_dict['pki_root_prefix'] +\ + "/etc/sysconfig/" +\ + config.pki_master_dict['pki_instance_name'] + config.pki_master_dict['pki_target_tomcat_conf'] =\ + os.path.join( + config.pki_master_dict['pki_instance_configuration_path'], + "tomcat.conf") + # in-place slot substitution name/value pairs + config.pki_master_dict['pki_target_velocity_properties'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_webapps_subsystem_path'], + "WEB-INF", + "velocity.properties") + config.pki_master_dict['pki_target_subsystem_web_xml'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_webapps_subsystem_path'], + "WEB-INF", + "web.xml") + config.pki_master_dict['pki_target_subsystem_web_xml_orig'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_webapps_subsystem_path'], + "WEB-INF", + "web.xml.orig") + # subystem-specific slot substitution name/value pairs + if config.pki_master_dict['pki_subsystem'] == "CA": + config.pki_master_dict['pki_target_flatfile_txt'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "flatfile.txt") + config.pki_master_dict['pki_target_proxy_conf'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "proxy.conf") + config.pki_master_dict['pki_target_registry_cfg'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "registry.cfg") + # '*.profile' + config.pki_master_dict['pki_target_admincert_profile'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "adminCert.profile") + config.pki_master_dict['pki_target_caauditsigningcert_profile']\ + = os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "caAuditSigningCert.profile") + config.pki_master_dict['pki_target_cacert_profile'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "caCert.profile") + config.pki_master_dict['pki_target_caocspcert_profile'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "caOCSPCert.profile") + config.pki_master_dict['pki_target_servercert_profile'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "serverCert.profile") + config.pki_master_dict['pki_target_subsystemcert_profile'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "subsystemCert.profile") + # in-place slot substitution name/value pairs + config.pki_master_dict['pki_target_profileselect_template'] =\ + os.path.join( + config.pki_master_dict\ + ['pki_tomcat_webapps_subsystem_path'], + "ee", + config.pki_master_dict['pki_subsystem'].lower(), + "ProfileSelect.template") + elif config.pki_master_dict['pki_subsystem'] == "KRA": + # '*.profile' + config.pki_master_dict['pki_target_servercert_profile'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "serverCert.profile") + config.pki_master_dict['pki_target_storagecert_profile'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "storageCert.profile") + config.pki_master_dict['pki_target_subsystemcert_profile'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "subsystemCert.profile") + config.pki_master_dict['pki_target_transportcert_profile'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "transportCert.profile") + # Slot assignment name/value pairs + # NOTE: Master key == Slots key; Master value ==> Slots value + config.pki_master_dict['PKI_INSTANCE_ID_SLOT'] =\ + config.pki_master_dict['pki_instance_name'] + config.pki_master_dict['PKI_INSTANCE_INITSCRIPT_SLOT'] =\ + os.path.join(config.pki_master_dict['pki_instance_path'], + config.pki_master_dict['pki_instance_name']) + config.pki_master_dict['PKI_REGISTRY_FILE_SLOT'] =\ + os.path.join(config.pki_master_dict['pki_subsystem_registry_path'], + config.pki_master_dict['pki_instance_name']) + if config.pki_master_dict['pki_subsystem'] in\ + config.PKI_APACHE_SUBSYSTEMS: + config.pki_master_dict['FORTITUDE_APACHE_SLOT'] = None + config.pki_master_dict['FORTITUDE_AUTH_MODULES_SLOT'] = None + config.pki_master_dict['FORTITUDE_DIR_SLOT'] = None + config.pki_master_dict['FORTITUDE_LIB_DIR_SLOT'] = None + config.pki_master_dict['FORTITUDE_MODULE_SLOT'] = None + config.pki_master_dict['FORTITUDE_NSS_MODULES_SLOT'] = None + config.pki_master_dict['HTTPD_CONF_SLOT'] = None + config.pki_master_dict['LIB_PREFIX_SLOT'] = None + config.pki_master_dict['NON_CLIENTAUTH_SECURE_PORT_SLOT'] = None + config.pki_master_dict['NSS_CONF_SLOT'] = None + config.pki_master_dict['OBJ_EXT_SLOT'] = None + config.pki_master_dict['PKI_LOCKDIR_SLOT'] =\ + os.path.join("/var/lock/pki", + "apache") + config.pki_master_dict['PKI_PIDDIR_SLOT'] =\ + os.path.join("/var/run/pki", + "apache") + config.pki_master_dict['PKI_WEB_SERVER_TYPE_SLOT'] = "apache" + config.pki_master_dict['PORT_SLOT'] = None + config.pki_master_dict['PROCESS_ID_SLOT'] = None + config.pki_master_dict['REQUIRE_CFG_PL_SLOT'] = None + config.pki_master_dict['SECURE_PORT_SLOT'] = None + config.pki_master_dict['SECURITY_LIBRARIES_SLOT'] = None + config.pki_master_dict['SERVER_NAME_SLOT'] = None + config.pki_master_dict['SERVER_ROOT_SLOT'] = None + config.pki_master_dict['SYSTEM_LIBRARIES_SLOT'] = None + config.pki_master_dict['SYSTEM_USER_LIBRARIES_SLOT'] = None + config.pki_master_dict['TMP_DIR_SLOT'] = None + config.pki_master_dict['TPS_DIR_SLOT'] = None + elif config.pki_master_dict['pki_subsystem'] in\ + config.PKI_TOMCAT_SUBSYSTEMS: + config.pki_master_dict['INSTALL_TIME_SLOT'] =\ + config.pki_master_dict['pki_install_time'] + config.pki_master_dict['PKI_ADMIN_SECURE_PORT_SLOT'] =\ + config.pki_master_dict['pki_https_port'] + config.pki_master_dict\ + ['PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME_SLOT'] =\ + "Unused" + config.pki_master_dict\ + ['PKI_ADMIN_SECURE_PORT_SERVER_COMMENT_SLOT'] =\ + "" + config.pki_master_dict['PKI_AGENT_CLIENTAUTH_SLOT'] =\ + "want" + config.pki_master_dict['PKI_AGENT_SECURE_PORT_SLOT'] =\ + config.pki_master_dict['pki_https_port'] + config.pki_master_dict['PKI_AJP_PORT_SLOT'] =\ + config.pki_master_dict['pki_ajp_port'] + config.pki_master_dict['PKI_AJP_REDIRECT_PORT_SLOT'] =\ + config.pki_master_dict['pki_https_port'] + config.pki_master_dict['PKI_CERT_DB_PASSWORD_SLOT'] =\ + config.pki_master_dict['pki_pin'] + config.pki_master_dict['PKI_CFG_PATH_NAME_SLOT'] =\ + config.pki_master_dict['pki_target_cs_cfg'] + config.pki_master_dict\ + ['PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT_SLOT'] =\ + "-->" + config.pki_master_dict\ + ['PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT_SLOT'] =\ + "-->" + config.pki_master_dict['PKI_EE_SECURE_CLIENT_AUTH_PORT_SLOT'] =\ + config.pki_master_dict['pki_https_port'] + config.pki_master_dict\ + ['PKI_EE_SECURE_CLIENT_AUTH_PORT_CONNECTOR_NAME_SLOT'] =\ + "Unused" + config.pki_master_dict\ + ['PKI_EE_SECURE_CLIENT_AUTH_PORT_SERVER_COMMENT_SLOT'] =\ + "" + config.pki_master_dict['PKI_EE_SECURE_CLIENT_AUTH_PORT_UI_SLOT'] =\ + config.pki_master_dict['pki_https_port'] + config.pki_master_dict['PKI_EE_SECURE_PORT_SLOT'] =\ + config.pki_master_dict['pki_https_port'] + config.pki_master_dict['PKI_EE_SECURE_PORT_CONNECTOR_NAME_SLOT'] =\ + "Unused" + config.pki_master_dict['PKI_EE_SECURE_PORT_SERVER_COMMENT_SLOT'] =\ + "" + config.pki_master_dict['PKI_GROUP_SLOT'] =\ + config.pki_master_dict['pki_group'] + config.pki_master_dict['PKI_INSTANCE_PATH_SLOT'] =\ + config.pki_master_dict['pki_instance_path'] + config.pki_master_dict['PKI_INSTANCE_ROOT_SLOT'] =\ + config.pki_master_dict['pki_path'] + config.pki_master_dict['PKI_LOCKDIR_SLOT'] =\ + os.path.join("/var/lock/pki", + "tomcat") + config.pki_master_dict['PKI_MACHINE_NAME_SLOT'] =\ + config.pki_master_dict['pki_hostname'] + config.pki_master_dict\ + ['PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT_SLOT'] =\ + "<!--" + config.pki_master_dict\ + ['PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT_SLOT'] =\ + "<!--" + config.pki_master_dict['PKI_PIDDIR_SLOT'] =\ + os.path.join("/var/run/pki", + "tomcat") + if config.str2bool(config.pki_master_dict['pki_enable_proxy']): + config.pki_master_dict['PKI_CLOSE_AJP_PORT_COMMENT_SLOT'] =\ + "" + config.pki_master_dict['PKI_CLOSE_ENABLE_PROXY_COMMENT_SLOT'] =\ + "" + config.pki_master_dict['PKI_PROXY_SECURE_PORT_SLOT'] =\ + config.pki_master_dict['pki_proxy_https_port'] + config.pki_master_dict['PKI_PROXY_UNSECURE_PORT_SLOT'] =\ + config.pki_master_dict['pki_proxy_http_port'] + config.pki_master_dict['PKI_OPEN_AJP_PORT_COMMENT_SLOT'] =\ + "" + config.pki_master_dict['PKI_OPEN_ENABLE_PROXY_COMMENT_SLOT'] =\ + "" + else: + config.pki_master_dict['PKI_CLOSE_AJP_PORT_COMMENT_SLOT'] =\ + "-->" + config.pki_master_dict['PKI_CLOSE_ENABLE_PROXY_COMMENT_SLOT'] =\ + "-->" + config.pki_master_dict['PKI_PROXY_SECURE_PORT_SLOT'] = "" + config.pki_master_dict['PKI_PROXY_UNSECURE_PORT_SLOT'] = "" + config.pki_master_dict['PKI_OPEN_AJP_PORT_COMMENT_SLOT'] =\ + "<!--" + config.pki_master_dict['PKI_OPEN_ENABLE_PROXY_COMMENT_SLOT'] =\ + "<!--" + config.pki_master_dict['PKI_TMPDIR_SLOT'] =\ + config.pki_master_dict['pki_tomcat_tmpdir_path'] + config.pki_master_dict['PKI_RESTEASY_LIB_SLOT'] =\ + config.pki_master_dict['resteasy_lib'] + config.pki_master_dict['PKI_RANDOM_NUMBER_SLOT'] =\ + config.pki_master_dict['pki_one_time_pin'] + config.pki_master_dict['PKI_SECURE_PORT_SLOT'] =\ + config.pki_master_dict['pki_https_port'] + config.pki_master_dict['PKI_SECURE_PORT_CONNECTOR_NAME_SLOT'] =\ + "Secure" + config.pki_master_dict['PKI_SECURE_PORT_SERVER_COMMENT_SLOT'] =\ + "<!-- " +\ + "Shared Ports: Agent, EE, and Admin Secure Port Connector " +\ + "-->" + config.pki_master_dict['PKI_SECURITY_MANAGER_SLOT'] =\ + config.pki_master_dict['pki_security_manager'] + config.pki_master_dict['PKI_SERVER_XML_CONF_SLOT'] =\ + config.pki_master_dict['pki_target_server_xml'] + config.pki_master_dict['PKI_SUBSYSTEM_DIR_SLOT'] =\ + config.pki_master_dict['pki_subsystem'].lower() + "/" + config.pki_master_dict['PKI_SUBSYSTEM_TYPE_SLOT'] =\ + config.pki_master_dict['pki_subsystem'].lower() + config.pki_master_dict['PKI_SYSTEMD_SERVICENAME_SLOT'] =\ + "pki-tomcatd" + "@" +\ + config.pki_master_dict['pki_instance_name'] + ".service" + config.pki_master_dict['PKI_UNSECURE_PORT_SLOT'] =\ + config.pki_master_dict['pki_http_port'] + config.pki_master_dict['PKI_UNSECURE_PORT_CONNECTOR_NAME_SLOT'] =\ + "Unsecure" + config.pki_master_dict['PKI_UNSECURE_PORT_SERVER_COMMENT_SLOT'] =\ + "<!-- Shared Ports: Unsecure Port Connector -->" + config.pki_master_dict['PKI_USER_SLOT'] =\ + config.pki_master_dict['pki_user'] + config.pki_master_dict['PKI_WEB_SERVER_TYPE_SLOT'] =\ + "tomcat" + config.pki_master_dict['PKI_WEBAPPS_NAME_SLOT'] =\ + "webapps" + config.pki_master_dict['TOMCAT_CFG_SLOT'] =\ + config.pki_master_dict['pki_target_tomcat_conf'] + config.pki_master_dict['TOMCAT_INSTANCE_COMMON_LIB_SLOT'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "*.jar") + config.pki_master_dict['TOMCAT_LOG_DIR_SLOT'] =\ + config.pki_master_dict['pki_instance_log_path'] + config.pki_master_dict['TOMCAT_PIDFILE_SLOT'] =\ + "/var/run/pki/tomcat/" + config.pki_master_dict['pki_instance_name'] + ".pid" + config.pki_master_dict['TOMCAT_SERVER_PORT_SLOT'] =\ + config.pki_master_dict['pki_tomcat_server_port'] + config.pki_master_dict['TOMCAT_SSL2_CIPHERS_SLOT'] =\ + "-SSL2_RC4_128_WITH_MD5," +\ + "-SSL2_RC4_128_EXPORT40_WITH_MD5," +\ + "-SSL2_RC2_128_CBC_WITH_MD5," +\ + "-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5," +\ + "-SSL2_DES_64_CBC_WITH_MD5," +\ + "-SSL2_DES_192_EDE3_CBC_WITH_MD5" + config.pki_master_dict['TOMCAT_SSL3_CIPHERS_SLOT'] =\ + "-SSL3_FORTEZZA_DMS_WITH_NULL_SHA," +\ + "-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA," +\ + "+SSL3_RSA_WITH_RC4_128_SHA," +\ + "-SSL3_RSA_EXPORT_WITH_RC4_40_MD5," +\ + "+SSL3_RSA_WITH_3DES_EDE_CBC_SHA," +\ + "+SSL3_RSA_WITH_DES_CBC_SHA," +\ + "-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5," +\ + "-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA," +\ + "-SSL_RSA_FIPS_WITH_DES_CBC_SHA," +\ + "+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA," +\ + "-SSL3_RSA_WITH_NULL_MD5," +\ + "-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA," +\ + "-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," +\ + "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" + config.pki_master_dict['TOMCAT_SSL_OPTIONS_SLOT'] =\ + "ssl2=true," +\ + "ssl3=true," +\ + "tls=true" + config.pki_master_dict['TOMCAT_TLS_CIPHERS_SLOT'] =\ + "-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," +\ + "-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA," +\ + "+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA," +\ + "+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA," +\ + "+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA," +\ + "-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," +\ + "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," +\ + "+TLS_RSA_WITH_3DES_EDE_CBC_SHA," +\ + "+TLS_RSA_WITH_AES_128_CBC_SHA," +\ + "+TLS_RSA_WITH_AES_256_CBC_SHA," +\ + "+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," +\ + "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," +\ + "-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," +\ + "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," +\ + "-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," +\ + "+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA," +\ + "+TLS_DHE_DSS_WITH_AES_128_CBC_SHA," +\ + "+TLS_DHE_DSS_WITH_AES_256_CBC_SHA," +\ + "+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA," +\ + "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA," +\ + "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA" + # Shared Apache/Tomcat NSS security database name/value pairs + config.pki_master_dict['pki_shared_pfile'] =\ + os.path.join( + config.pki_master_dict['pki_instance_configuration_path'], + "pfile") + config.pki_master_dict['pki_shared_password_conf'] =\ + os.path.join( + config.pki_master_dict['pki_instance_configuration_path'], + "password.conf") + config.pki_master_dict['pki_cert_database'] =\ + os.path.join(config.pki_master_dict['pki_database_path'], + "cert8.db") + config.pki_master_dict['pki_key_database'] =\ + os.path.join(config.pki_master_dict['pki_database_path'], + "key3.db") + config.pki_master_dict['pki_secmod_database'] =\ + os.path.join(config.pki_master_dict['pki_database_path'], + "secmod.db") + config.pki_master_dict['pki_self_signed_token'] = "internal" + config.pki_master_dict['pki_self_signed_nickname'] =\ + "Server-Cert cert-" + config.pki_master_dict['pki_instance_name'] + config.pki_master_dict['pki_self_signed_subject'] =\ + "cn=" + config.pki_master_dict['pki_hostname'] + "," +\ + "o=" + config.pki_master_dict['pki_certificate_timestamp'] + config.pki_master_dict['pki_self_signed_serial_number'] = 0 + config.pki_master_dict['pki_self_signed_validity_period'] = 12 + config.pki_master_dict['pki_self_signed_issuer_name'] =\ + "cn=" + config.pki_master_dict['pki_hostname'] + "," +\ + "o=" + config.pki_master_dict['pki_certificate_timestamp'] + config.pki_master_dict['pki_self_signed_trustargs'] = "CTu,CTu,CTu" + config.pki_master_dict['pki_self_signed_noise_file'] =\ + os.path.join( + config.pki_master_dict['pki_subsystem_configuration_path'], + "noise") + config.pki_master_dict['pki_self_signed_noise_bytes'] = 1024 + # Shared Apache/Tomcat NSS security database convenience symbolic links + config.pki_master_dict\ + ['pki_subsystem_configuration_password_conf_link'] =\ + os.path.join( + config.pki_master_dict['pki_subsystem_configuration_path'], + "password.conf") + + if not len(config.pki_master_dict['pki_client_database_password']): + # use randomly generated client 'pin' + config.pki_master_dict['pki_client_database_password'] =\ + str(config.pki_master_dict['pki_client_pin']) + + # Configuration scriptlet + # 'Security Domain' Configuration name/value pairs + # 'Subsystem Name' Configuration name/value pairs + # 'Token' Configuration name/value pairs + # + # Apache - [RA], [TPS] + # Tomcat - [CA], [KRA], [OCSP], [TKS] + # - [CA Clone], [KRA Clone], [OCSP Clone], [TKS Clone] + # - [External CA] + # - [Subordinate CA] + # + # The following variables are defined below: + # + # config.pki_master_dict['pki_security_domain_type'] + # config.pki_master_dict['pki_security_domain_uri'] + # + # The following variables are established via the specified PKI + # deployment configuration file and are NOT redefined below: + # + # config.pki_master_dict['pki_clone_pkcs12_password'] + # config.pki_master_dict['pki_security_domain_password'] + # config.pki_master_dict['pki_token_password'] + # config.pki_master_dict['pki_clone_pkcs12_path'] + # config.pki_master_dict['pki_clone_uri'] + # config.pki_master_dict['pki_security_domain_https_port'] + # config.pki_master_dict['pki_token_name'] + # + # The following variables are established via the specified PKI + # deployment configuration file and potentially overridden below: + # + # config.pki_master_dict['pki_security_domain_user'] + # config.pki_master_dict['pki_issuing_ca'] + # + + # if security domain user is not defined + if not len(config.pki_master_dict['pki_security_domain_user']): + + # use the CA admin uid if it's defined + if self.pki_config.has_option('CA', 'pki_admin_uid') and\ + len(self.pki_config.get('CA', 'pki_admin_uid')) > 0: + config.pki_master_dict['pki_security_domain_user'] =\ + self.pki_config.get('CA', 'pki_admin_uid') + + # or use the Default admin uid if it's defined + elif self.pki_config.has_option('DEFAULT', 'pki_admin_uid') and\ + len(self.pki_config.get('DEFAULT', 'pki_admin_uid')) > 0: + config.pki_master_dict['pki_security_domain_user'] =\ + self.pki_config.get('DEFAULT', 'pki_admin_uid') + + # otherwise use the default CA admin uid + else: + config.pki_master_dict['pki_security_domain_user'] = "caadmin" + + if config.pki_subsystem != "CA" or\ + config.str2bool(config.pki_master_dict['pki_clone']) or\ + config.str2bool(config.pki_master_dict['pki_subordinate']): + # PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS, + # CA Clone, KRA Clone, OCSP Clone, TKS Clone, or + # Subordinate CA + config.pki_master_dict['pki_security_domain_type'] = "existing" + config.pki_master_dict['pki_security_domain_uri'] =\ + "https" + "://" +\ + config.pki_master_dict['pki_security_domain_hostname'] + ":" +\ + config.pki_master_dict['pki_security_domain_https_port'] + + elif config.str2bool(config.pki_master_dict['pki_external']): + # External CA + config.pki_master_dict['pki_security_domain_type'] = "new" + if not len(config.pki_master_dict['pki_issuing_ca']): + config.pki_master_dict['pki_issuing_ca'] = "External CA" + else: + # PKI CA + config.pki_master_dict['pki_security_domain_type'] = "new" + + # 'External CA' Configuration name/value pairs + # + # Tomcat - [External CA] + # + # The following variables are established via the specified PKI + # deployment configuration file and are NOT redefined below: + # + # config.pki_master_dict['pki_external_ca_cert_chain_path'] + # config.pki_master_dict['pki_external_ca_cert_path'] + # config.pki_master_dict['pki_external_csr_path'] + # config.pki_master_dict['pki_external_step_two'] + # + + # 'Backup' Configuration name/value pairs + # + # Apache - [RA], [TPS] + # Tomcat - [CA], [KRA], [OCSP], [TKS] + # - [External CA] + # - [Subordinate CA] + # + # The following variables are established via the specified PKI + # deployment configuration file and are NOT redefined below: + # + # config.pki_master_dict['pki_backup_password'] + # config.pki_master_dict['pki_backup_keys'] + # + if config.str2bool(config.pki_master_dict['pki_backup_keys']): + # NOTE: ALWAYS store the PKCS #12 backup keys file + # in with the NSS "server" security databases + config.pki_master_dict['pki_backup_keys_p12'] =\ + config.pki_master_dict['pki_database_path'] + "/" +\ + config.pki_master_dict['pki_subsystem'].lower() + "_" +\ + "backup" + "_" + "keys" + "." + "p12" + + config.pki_master_dict['pki_admin_profile_id'] = "caAdminCert" + + if not 'pki_import_admin_cert' in config.pki_master_dict: + config.pki_master_dict['pki_import_admin_cert'] = 'false' + + config.pki_master_dict['pki_ca_signing_tag'] = "signing" + if config.pki_master_dict['pki_subsystem'] == "CA": + config.pki_master_dict['pki_ocsp_signing_tag'] = "ocsp_signing" + elif config.pki_master_dict['pki_subsystem'] == "OCSP": + config.pki_master_dict['pki_ocsp_signing_tag'] = "signing" + config.pki_master_dict['pki_ssl_server_tag'] = "sslserver" + config.pki_master_dict['pki_subsystem_tag'] = "subsystem" + config.pki_master_dict['pki_audit_signing_tag'] = "audit_signing" + config.pki_master_dict['pki_transport_tag'] = "transport" + config.pki_master_dict['pki_storage_tag'] = "storage" + + # Finalization name/value pairs + config.pki_master_dict['pki_default_deployment_cfg_replica'] =\ + os.path.join(config.pki_master_dict['pki_subsystem_registry_path'], + config.DEFAULT_DEPLOYMENT_CONFIGURATION) + config.pki_master_dict['pki_user_deployment_cfg_replica'] =\ + os.path.join(config.pki_master_dict['pki_subsystem_registry_path'], + config.USER_DEPLOYMENT_CONFIGURATION) + config.pki_master_dict['pki_user_deployment_cfg_spawn_archive'] =\ + config.pki_master_dict['pki_subsystem_archive_log_path'] + "/" +\ + "spawn" + "_" +\ + config.USER_DEPLOYMENT_CONFIGURATION + "." +\ + config.pki_master_dict['pki_timestamp'] + config.pki_master_dict['pki_default_deployment_cfg_respawn_archive'] =\ + config.pki_master_dict['pki_subsystem_archive_log_path'] + "/" +\ + "respawn" + "_" +\ + config.DEFAULT_DEPLOYMENT_CONFIGURATION + "." +\ + config.pki_master_dict['pki_timestamp'] + config.pki_master_dict['pki_user_deployment_cfg_respawn_archive'] =\ + config.pki_master_dict['pki_subsystem_archive_log_path'] + "/" +\ + "respawn" + "_" +\ + config.USER_DEPLOYMENT_CONFIGURATION + "." +\ + config.pki_master_dict['pki_timestamp'] + config.pki_master_dict['pki_manifest'] =\ + config.pki_master_dict['pki_subsystem_registry_path'] + "/" +\ + "manifest" + config.pki_master_dict['pki_manifest_spawn_archive'] =\ + config.pki_master_dict['pki_subsystem_archive_log_path'] + "/" +\ + "spawn" + "_" + "manifest" + "." +\ + config.pki_master_dict['pki_timestamp'] + config.pki_master_dict['pki_manifest_respawn_archive'] =\ + config.pki_master_dict['pki_subsystem_archive_log_path'] + "/" +\ + "respawn" + "_" + "manifest" + "." +\ + config.pki_master_dict['pki_timestamp'] + # Construct the configuration URL containing the one-time pin + # and add this to the "sensitive" key value pairs read in from + # the configuration file + # + # NOTE: This is the one and only parameter containing a sensitive + # parameter that may be stored in a log file and displayed + # to the screen. + # + config.pki_master_dict['pki_configuration_url'] =\ + "https://{}:{}/{}/{}?pin={}".format( + config.pki_master_dict['pki_hostname'], + config.pki_master_dict['pki_https_port'], + config.pki_master_dict['pki_subsystem'].lower(), + "admin/console/config/login", + config.pki_master_dict['pki_one_time_pin']) + # Compose this "systemd" execution management command + if config.pki_master_dict['pki_subsystem'] in\ + config.PKI_APACHE_SUBSYSTEMS: + config.pki_master_dict['pki_registry_initscript_command'] =\ + "systemctl" + " " +\ + "restart" + " " +\ + "pki-apached" + "@" +\ + config.pki_master_dict['pki_instance_name'] + "." + "service" + elif config.pki_master_dict['pki_subsystem'] in\ + config.PKI_TOMCAT_SUBSYSTEMS: + config.pki_master_dict['pki_registry_initscript_command'] =\ + "systemctl" + " " +\ + "restart" + " " +\ + "pki-tomcatd" + "@" +\ + config.pki_master_dict['pki_instance_name'] + "." + "service" + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + except KeyError as err: + config.pki_log.error(log.PKIHELPER_DICTIONARY_MASTER_MISSING_KEY_1, + err, extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + return + + + def compose_pki_slots_dictionary(self): + """Read the slots configuration file to create + the appropriate PKI slots dictionary""" + rv = 0 + try: + config.pki_slots_dict = dict() + parser = ConfigParser.ConfigParser() + # Make keys case-sensitive! + parser.optionxform = str + parser.read(config.PKI_DEPLOYMENT_SLOTS_CONFIGURATION_FILE) + # Slots configuration file name/value pairs + if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS: + config.pki_slots_dict = dict(parser._sections['Apache']) + elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: + config.pki_slots_dict = dict(parser._sections['Tomcat']) + except ConfigParser.ParsingError, err: + rv = err + return rv diff --git a/base/server/src/engine/pkiscriptlet.py b/base/server/src/engine/pkiscriptlet.py new file mode 100644 index 000000000..767b3c609 --- /dev/null +++ b/base/server/src/engine/pkiscriptlet.py @@ -0,0 +1,46 @@ +#!/usr/bin/python -t +# Authors: +# Matthew Harmsen <mharmsen@redhat.com> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2012 Red Hat, Inc. +# All rights reserved. +# + +# System Imports +import abc + + +# PKI Deployment Abstract Base PKI Scriptlet +class AbstractBasePkiScriptlet(object): + __metaclass__ = abc.ABCMeta + + @abc.abstractmethod + def spawn(self): + """Retrieve data from the specified PKI dictionary and + use it to install a new PKI instance.""" + return + + @abc.abstractmethod + def respawn(self): + """Retrieve data from the specified PKI dictionary and + use it to update an existing PKI instance.""" + return + + @abc.abstractmethod + def destroy(self): + """Retrieve data from the specified PKI dictionary and + use it to destroy an existing PKI instance.""" + return diff --git a/base/server/src/pkidestroy b/base/server/src/pkidestroy new file mode 100755 index 000000000..4e23445f1 --- /dev/null +++ b/base/server/src/pkidestroy @@ -0,0 +1,264 @@ +#!/usr/bin/python -tu +# Authors: +# Matthew Harmsen <mharmsen@redhat.com> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2011 Red Hat, Inc. +# All rights reserved. +# + +# System Imports +import sys +import signal + +if not hasattr(sys, "hexversion") or sys.hexversion < 0x020700f0: + print "Python version %s.%s.%s is too old." % sys.version_info[:3] + print "Please upgrade to at least Python 2.7.0." + sys.exit(1) +try: + import argparse + import logging + import os + import socket + import struct + import subprocess + import time + from time import strftime as date + from pki.deployment import pkiconfig as config + from pki.deployment.pkiparser import PKIConfigParser + from pki.deployment import pkilogging + from pki.deployment import pkimessages as log +except ImportError: + print >> sys.stderr, """\ +There was a problem importing one of the required Python modules. The +error was: + + %s +""" % sys.exc_value + sys.exit(1) + +#Handle the Keyboard Interrupt +def interrupt_handler(signal, frame): + print + print '\nUninstallation canceled.' + sys.exit(1) + +# PKI Deployment Functions +def main(argv): + "main entry point" + + config.pki_deployment_executable = os.path.basename(argv[0]) + + # Only run this program as "root". + if not os.geteuid() == 0: + sys.exit("'%s' must be run as root!" % argv[0]) + + # Set the umask + os.umask(config.PKI_DEPLOYMENT_DEFAULT_UMASK) + + # Set installation time + ticks = time.time() + config.pki_install_time = time.asctime(time.localtime(ticks)) + + # Generate a timestamp + config.pki_timestamp = date('%Y%m%d%H%M%S', time.localtime(ticks)) + config.pki_certificate_timestamp =\ + date('%Y-%m-%d %H:%M:%S', time.localtime(ticks)) + + # Obtain the architecture bit-size + config.pki_architecture = struct.calcsize("P") * 8 + + # Retrieve hostname + config.pki_hostname = socket.getfqdn() + + # Retrieve DNS domainname + config.pki_dns_domainname = None + try: + config.pki_dns_domainname = subprocess.check_output("dnsdomainname", + shell=True) + config.pki_dns_domainname = config.pki_dns_domainname.rstrip('\n') + if not len(config.pki_dns_domainname): + print log.PKI_DNS_DOMAIN_NOT_SET + sys.exit(1) + except subprocess.CalledProcessError as exc: + print log.PKI_SUBPROCESS_ERROR_1 % exc + sys.exit(1) + + # Read and process command-line arguments. + parser = PKIConfigParser( + 'PKI Instance Removal', + log.PKIDESTROY_EPILOG) + + parser.optional.add_argument('-i', + dest='pki_deployed_instance_name', + action='store', + nargs=1, metavar='<instance>', + help='FORMAT: ${pki_instance_name}') + + parser.optional.add_argument('-u', + dest='pki_secdomain_user', + action='store', + nargs=1, metavar='<security domain user>', + help='security domain user') + + parser.optional.add_argument('-W', + dest='pki_secdomain_pass_file', + action='store', + nargs=1, metavar='<security domain password file>', + help='security domain password file path') + + + args = parser.process_command_line_arguments(argv) + + interactive = False + + while True: + + # -s <subsystem> + if args.pki_subsystem is None: + interactive = True + config.pki_subsystem = parser.read_text('Subsystem (CA/KRA/OCSP/TKS)', + options=['CA', 'KRA', 'OCSP', 'TKS'], + default='CA', caseSensitive=False).upper() + else: + config.pki_subsystem = str(args.pki_subsystem).strip('[\']') + + # -i <instance name> + if args.pki_deployed_instance_name is None: + interactive = True + config.pki_deployed_instance_name = parser.read_text('Instance', default='pki-tomcat') + else: + config.pki_deployed_instance_name = str(args.pki_deployed_instance_name).strip('[\']') + + if interactive: + print + parser.indent = 0 + + begin = parser.read_text('Begin uninstallation (Yes/No/Quit)', + options=['Yes', 'Y', 'No', 'N', 'Quit', 'Q'], + sign='?', allowEmpty=False, caseSensitive=False).lower() + + print + + if begin == 'q' or begin == 'quit': + print "Uninstallation canceled." + sys.exit(0) + + elif begin == 'y' or begin == 'yes': + break + + else: + break + + # '-u' + if args.pki_secdomain_user: + config.pki_secdomain_user = str(args.pki_secdomain_user).strip('[\']') + + # '-W' password file + if args.pki_secdomain_pass_file: + with open(str(args.pki_secdomain_pass_file).strip('[\']'),'r') as pwd_file: + config.pki_secdomain_pass = pwd_file.readline().strip('\n') + + # verify that previously deployed instance exists + deployed_pki_instance_path = config.pki_root_prefix +\ + config.PKI_DEPLOYMENT_BASE_ROOT + "/" +\ + config.pki_deployed_instance_name + if not os.path.exists(deployed_pki_instance_path): + print "ERROR: " + log.PKI_INSTANCE_DOES_NOT_EXIST_1 %\ + deployed_pki_instance_path + print + parser.arg_parser.exit(-1); + + # verify that previously deployed subsystem for this instance exists + deployed_pki_subsystem_path = deployed_pki_instance_path + "/" +\ + config.pki_subsystem.lower() + if not os.path.exists(deployed_pki_subsystem_path): + print "ERROR: " + log.PKI_SUBSYSTEM_DOES_NOT_EXIST_2 %\ + (config.pki_subsystem, deployed_pki_instance_path) + print + parser.arg_parser.exit(-1); + + config.default_deployment_cfg = config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE + + # establish complete path to previously deployed configuration file + config.user_deployment_cfg =\ + deployed_pki_subsystem_path + "/" +\ + "registry" + "/" +\ + config.pki_subsystem.lower() + "/" +\ + config.USER_DEPLOYMENT_CONFIGURATION + + parser.validate() + parser.init_config() + + # Enable 'pkidestroy' logging. + config.pki_log_dir = config.pki_root_prefix +\ + config.PKI_DEPLOYMENT_LOG_ROOT + config.pki_log_name = "pki" + "-" +\ + config.pki_subsystem.lower() +\ + "-" + "destroy" + "." +\ + config.pki_timestamp + "." + "log" + rv = pkilogging.enable_pki_logger(config.pki_log_dir, + config.pki_log_name, + config.pki_log_level, + config.pki_console_log_level, + "pkidestroy") + if rv != OSError: + config.pki_log = rv + else: + print log.PKI_UNABLE_TO_CREATE_LOG_DIRECTORY_1 % config.pki_log_dir + sys.exit(1) + + # Read the specified PKI configuration file. + rv = parser.read_pki_configuration_file() + if rv != 0: + config.pki_log.error(log.PKI_UNABLE_TO_PARSE_1, rv, + extra=config.PKI_INDENTATION_LEVEL_0) + sys.exit(1) + + # Combine the various sectional dictionaries into a PKI master dictionary + parser.compose_pki_master_dictionary() + config.pki_master_dict['pki_destroy_log'] = config.pki_log_dir + "/" +\ + config.pki_log_name + config.pki_log.debug(log.PKI_DICTIONARY_MASTER, + extra=config.PKI_INDENTATION_LEVEL_0) + config.pki_log.debug(pkilogging.format(config.pki_master_dict), + extra=config.PKI_INDENTATION_LEVEL_0) + + print "Uninstalling " + config.pki_subsystem + " from " + deployed_pki_instance_path + "." + + # Process the various "scriptlets" to remove the specified PKI subsystem. + pki_subsystem_scriptlets = config.pki_master_dict['destroy_scriplets'].split() + rv = 0 + for pki_scriptlet in pki_subsystem_scriptlets: + scriptlet = __import__("pki.deployment." + + pki_scriptlet, + fromlist = [pki_scriptlet]) + instance = scriptlet.PkiScriptlet() + rv = instance.destroy() + if rv != 0: + sys.exit(1) + config.pki_log.debug(log.PKI_DICTIONARY_MASTER, + extra=config.PKI_INDENTATION_LEVEL_0) + config.pki_log.debug(pkilogging.format(config.pki_master_dict), + extra=config.PKI_INDENTATION_LEVEL_0) + + print + print "Uninstallation complete." + + +# PKI Deployment Entry Point +if __name__ == "__main__": + signal.signal(signal.SIGINT, interrupt_handler) + main(sys.argv) diff --git a/base/server/src/pkispawn b/base/server/src/pkispawn new file mode 100755 index 000000000..447240ecf --- /dev/null +++ b/base/server/src/pkispawn @@ -0,0 +1,413 @@ +#!/usr/bin/python -tu +# Authors: +# Matthew Harmsen <mharmsen@redhat.com> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2011 Red Hat, Inc. +# All rights reserved. +# + +# System Imports +import sys +import signal + +if not hasattr(sys, "hexversion") or sys.hexversion < 0x020700f0: + print "Python version %s.%s.%s is too old." % sys.version_info[:3] + print "Please upgrade to at least Python 2.7.0." + sys.exit(1) +try: + import argparse + import ldap + import logging + import os + import requests + import socket + import struct + import subprocess + import time + import urllib2 + from time import strftime as date + from pki.deployment import pkiconfig as config + from pki.deployment.pkiparser import PKIConfigParser + from pki.deployment import pkilogging + from pki.deployment import pkimessages as log +except ImportError: + print >> sys.stderr, """\ +There was a problem importing one of the required Python modules. The +error was: + + %s +""" % sys.exc_value + sys.exit(1) + +#Handle the Keyboard Interrupt +def interrupt_handler(signal, frame): + print + print '\nInstallation canceled.' + sys.exit(1) + +# PKI Deployment Functions +def main(argv): + "main entry point" + + config.pki_deployment_executable = os.path.basename(argv[0]) + + # Only run this program as "root". + if not os.geteuid() == 0: + sys.exit("'%s' must be run as root!" % argv[0]) + + # Set the umask + os.umask(config.PKI_DEPLOYMENT_DEFAULT_UMASK) + + # Set installation time + ticks = time.time() + config.pki_install_time = time.asctime(time.localtime(ticks)) + + # Generate a timestamp + config.pki_timestamp = date('%Y%m%d%H%M%S', time.localtime(ticks)) + config.pki_certificate_timestamp =\ + date('%Y-%m-%d %H:%M:%S', time.localtime(ticks)) + + # Obtain the architecture bit-size + config.pki_architecture = struct.calcsize("P") * 8 + + # Retrieve hostname + config.pki_hostname = socket.getfqdn() + + # Retrieve DNS domainname + config.pki_dns_domainname = None + try: + config.pki_dns_domainname = subprocess.check_output("dnsdomainname", + shell=True) + config.pki_dns_domainname = config.pki_dns_domainname.rstrip('\n') + if not len(config.pki_dns_domainname): + print log.PKI_DNS_DOMAIN_NOT_SET + sys.exit(1) + except subprocess.CalledProcessError as exc: + print log.PKI_SUBPROCESS_ERROR_1 % exc + sys.exit(1) + + # Read and process command-line arguments. + parser = PKIConfigParser( + 'PKI Instance Installation and Configuration', + log.PKISPAWN_EPILOG) + + parser.optional.add_argument('-f', + dest='user_deployment_cfg', action='store', + nargs=1, metavar='<file>', + help='configuration filename ' + '(MUST specify complete path)') + + parser.optional.add_argument('-u', + dest='pki_update_flag', action='store_true', + help='update instance of specified subsystem') + + args = parser.process_command_line_arguments(argv) + + config.default_deployment_cfg = config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE + + # -f <user deployment config> + if args.user_deployment_cfg is not None: + config.user_deployment_cfg = str(args.user_deployment_cfg).strip('[\']') + + # -u + config.pki_update_flag = args.pki_update_flag + + parser.validate() + interactive = False + + while True: + + # -s <subsystem> + if args.pki_subsystem is None: + interactive = True + parser.indent = 0 + + config.pki_subsystem = parser.read_text('Subsystem (CA/KRA/OCSP/TKS)', + options=['CA', 'KRA', 'OCSP', 'TKS'], + default='CA', caseSensitive=False).upper() + print + else: + config.pki_subsystem = str(args.pki_subsystem).strip('[\']') + + parser.init_config() + + if config.user_deployment_cfg is None: + interactive = True + parser.indent = 2 + + print "Tomcat:" + parser.read_text('Instance', 'DEFAULT', 'pki_instance_name') + parser.read_text('HTTP port', config.pki_subsystem, 'pki_http_port') + parser.read_text('Secure HTTP port', config.pki_subsystem, 'pki_https_port') + parser.read_text('AJP port', config.pki_subsystem, 'pki_ajp_port') + parser.read_text('Management port', config.pki_subsystem, 'pki_tomcat_server_port') + print + + print "Administrator:" + parser.read_text('Username', config.pki_subsystem, 'pki_admin_uid') + + admin_password = parser.read_password( + 'Password', config.pki_subsystem, 'pki_admin_password', + verifyMessage='Verify password') + + parser.set_property(config.pki_subsystem, 'pki_backup_password', admin_password) + parser.set_property(config.pki_subsystem, 'pki_client_database_password', admin_password) + parser.set_property(config.pki_subsystem, 'pki_client_pkcs12_password', admin_password) + + if config.pki_master_dict['pki_import_admin_cert'] == 'True': + import_cert = 'Y' + else: + import_cert = 'N' + + import_cert = parser.read_text('Import certificate (Yes/No)', + default=import_cert, options=['Yes', 'Y', 'No', 'N'], + sign='?', caseSensitive=False).lower() + + if import_cert == 'y' or import_cert == 'yes': + parser.set_property(config.pki_subsystem, 'pki_import_admin_cert', 'True') + parser.read_text('Import certificate from', config.pki_subsystem, 'pki_admin_cert_file') + else: + parser.set_property(config.pki_subsystem, 'pki_import_admin_cert', 'False') + + parser.read_text('Export certificate to', config.pki_subsystem, 'pki_client_admin_cert') + print + + print "Directory Server:" + while True: + parser.read_text('Hostname', config.pki_subsystem, 'pki_ds_hostname') + parser.read_text('Port', config.pki_subsystem, 'pki_ds_ldap_port') + + try: + parser.ds_connect() + break + + except ldap.LDAPError as e: + parser.print_text('ERROR: ' + e.message['desc']) + + while True: + parser.read_text('Bind DN', config.pki_subsystem, 'pki_ds_bind_dn') + parser.read_password('Password', config.pki_subsystem, 'pki_ds_password') + + try: + parser.ds_bind() + break + + except ldap.LDAPError as e: + parser.print_text('ERROR: ' + e.message['desc']) + + while True: + parser.read_text('Base DN', config.pki_subsystem, 'pki_ds_base_dn') + try: + if not parser.ds_base_dn_exists(): + break + + except ldap.LDAPError as e: + parser.print_text('ERROR: ' + e.message['desc']) + continue + + remove = parser.read_text('Base DN already exists. Overwrite (Yes/No/Quit)', + options=['Yes', 'Y', 'No', 'N', 'Quit', 'Q'], + sign='?', allowEmpty=False, caseSensitive=False).lower() + + if remove == 'q' or remove == 'quit': + print "Installation canceled." + sys.exit(0) + + if remove == 'y' or remove == 'yes': + break + + parser.ds_close() + + print + + print "Security Domain:" + + if config.pki_subsystem == "CA": + parser.read_text('Name', config.pki_subsystem, 'pki_security_domain_name') + + else: + while True: + parser.read_text('Hostname', config.pki_subsystem, 'pki_security_domain_hostname') + parser.read_text('Secure HTTP port', config.pki_subsystem, 'pki_security_domain_https_port') + + try: + parser.sd_connect() + info = parser.sd_get_info() + parser.print_text('Name: ' + info.name) + parser.set_property(config.pki_subsystem, 'pki_security_domain_name', info.name) + break + except requests.exceptions.ConnectionError as e: + parser.print_text('ERROR: ' + str(e)) + + while True: + parser.read_text('Username', config.pki_subsystem, 'pki_security_domain_user') + parser.read_password('Password', config.pki_subsystem, 'pki_security_domain_password') + + try: + parser.sd_authenticate() + break + except requests.exceptions.HTTPError as e: + parser.print_text('ERROR: ' + str(e)) + + print + + if interactive: + parser.indent = 0 + + begin = parser.read_text('Begin installation (Yes/No/Quit)', + options=['Yes', 'Y', 'No', 'N', 'Quit', 'Q'], + sign='?', allowEmpty=False, caseSensitive=False).lower() + print + + if begin == 'q' or begin == 'quit': + print "Installation canceled." + sys.exit(0) + + if begin == 'y' or begin == 'yes': + break + + else: + break + + if not os.path.exists(config.PKI_DEPLOYMENT_SOURCE_ROOT +\ + "/" + config.pki_subsystem.lower()): + print "ERROR: " + log.PKI_SUBSYSTEM_NOT_INSTALLED_1 %\ + config.pki_subsystem.lower() + sys.exit(1) + + # Enable 'pkispawn' logging. + rv = 0 + if not config.pki_update_flag: + config.pki_log_dir = config.pki_root_prefix +\ + config.PKI_DEPLOYMENT_LOG_ROOT + config.pki_log_name = "pki" + "-" +\ + config.pki_subsystem.lower() +\ + "-" + "spawn" + "." +\ + config.pki_timestamp + "." + "log" + rv = pkilogging.enable_pki_logger(config.pki_log_dir, + config.pki_log_name, + config.pki_log_level, + config.pki_console_log_level, + "pkispawn") + else: + config.pki_log_dir = config.pki_root_prefix +\ + config.PKI_DEPLOYMENT_LOG_ROOT + config.pki_log_name = "pki" + "-" +\ + config.pki_subsystem.lower() +\ + "-" + "respawn" + "." +\ + config.pki_timestamp + "." + "log" + rv = pkilogging.enable_pki_logger(config.pki_log_dir, + config.pki_log_name, + config.pki_log_level, + config.pki_console_log_level, + "pkirespawn") + if rv != OSError: + config.pki_log = rv + else: + print log.PKI_UNABLE_TO_CREATE_LOG_DIRECTORY_1 % config.pki_log_dir + sys.exit(1) + + # Read the specified PKI configuration file. + rv = parser.read_pki_configuration_file() + if rv != 0: + config.pki_log.error(log.PKI_UNABLE_TO_PARSE_1, rv, + extra=config.PKI_INDENTATION_LEVEL_0) + sys.exit(1) + + # Read in the PKI slots configuration file. + parser.compose_pki_slots_dictionary() + config.pki_log.debug(log.PKI_DICTIONARY_SLOTS, + extra=config.PKI_INDENTATION_LEVEL_0) + config.pki_log.debug(pkilogging.format(config.pki_slots_dict), + extra=config.PKI_INDENTATION_LEVEL_0) + + # Combine the various sectional dictionaries into a PKI master dictionary + parser.compose_pki_master_dictionary() + + if not config.pki_update_flag: + config.pki_master_dict['pki_spawn_log'] = config.pki_log_dir + "/" +\ + config.pki_log_name + else: + config.pki_master_dict['pki_respawn_log'] = config.pki_log_dir + "/" +\ + config.pki_log_name + config.pki_log.debug(log.PKI_DICTIONARY_MASTER, + extra=config.PKI_INDENTATION_LEVEL_0) + config.pki_log.debug(pkilogging.format(config.pki_master_dict), + extra=config.PKI_INDENTATION_LEVEL_0) + + if not interactive and\ + not config.str2bool(config.pki_master_dict['pki_skip_configuration']): + try: + parser.ds_connect() + parser.ds_bind() + + if parser.ds_base_dn_exists() and\ + not config.str2bool(config.pki_master_dict['pki_ds_remove_data']): + print 'ERROR: Base DN already exists.' + sys.exit(1) + + parser.ds_close() + + except ldap.LDAPError as e: + print 'ERROR: Unable to access directory server: ' + e.message['desc'] + sys.exit(1) + + if config.pki_subsystem != "CA" or\ + config.str2bool(config.pki_master_dict['pki_clone']) or\ + config.str2bool(config.pki_master_dict['pki_subordinate']): + try: + parser.sd_connect() + info = parser.sd_get_info() + parser.set_property(config.pki_subsystem, 'pki_security_domain_name', info.name) + parser.sd_authenticate() + + except requests.exceptions.ConnectionError as e: + print('ERROR: Unable to access security domain: ' + str(e)) + sys.exit(1) + + except requests.exceptions.HTTPError as e: + print('ERROR: Unable to access security domain: ' + str(e)) + sys.exit(1) + + print "Installing " + config.pki_subsystem + " into " + config.pki_master_dict['pki_instance_path'] + "." + + # Process the various "scriptlets" to create the specified PKI subsystem. + pki_subsystem_scriptlets = config.pki_master_dict['spawn_scriplets'].split() + rv = 0 + for pki_scriptlet in pki_subsystem_scriptlets: + scriptlet = __import__("pki.deployment." + + pki_scriptlet, + fromlist = [pki_scriptlet]) + instance = scriptlet.PkiScriptlet() + if not config.pki_update_flag: + rv = instance.spawn() + else: + rv = instance.respawn() + if rv != 0: + sys.exit(1) + config.pki_log.debug(log.PKI_DICTIONARY_MASTER, + extra=config.PKI_INDENTATION_LEVEL_0) + config.pki_log.debug(pkilogging.format(config.pki_master_dict), + extra=config.PKI_INDENTATION_LEVEL_0) + + print + print "Installation complete." + + +# PKI Deployment Entry Point +if __name__ == "__main__": + signal.signal(signal.SIGINT, interrupt_handler) + main(sys.argv) diff --git a/base/server/src/scriptlets/configuration.py b/base/server/src/scriptlets/configuration.py new file mode 100644 index 000000000..7bd1b017a --- /dev/null +++ b/base/server/src/scriptlets/configuration.py @@ -0,0 +1,150 @@ +#!/usr/bin/python -t +# Authors: +# Matthew Harmsen <mharmsen@redhat.com> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2012 Red Hat, Inc. +# All rights reserved. +# + +# PKI Deployment Imports +import pkiconfig as config +from pkiconfig import pki_master_dict as master +import pkihelper as util +import pkimessages as log +import pkiscriptlet +import json +import pki.system +import pki.encoder + + +# PKI Deployment Configuration Scriptlet +class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + rv = 0 + + def spawn(self): + if config.str2bool(master['pki_skip_configuration']): + config.pki_log.info(log.SKIP_CONFIGURATION_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + config.pki_log.info(log.CONFIGURATION_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + + # Place "slightly" less restrictive permissions on + # the top-level client directory ONLY + util.directory.create(master['pki_client_subsystem_dir'], + uid=0, gid=0, + perms=config.PKI_DEPLOYMENT_DEFAULT_CLIENT_DIR_PERMISSIONS) + # Since 'certutil' does NOT strip the 'token=' portion of + # the 'token=password' entries, create a client password file + # which ONLY contains the 'password' for the purposes of + # allowing 'certutil' to generate the security databases + util.password.create_password_conf( + master['pki_client_password_conf'], + master['pki_client_database_password'], pin_sans_token=True) + util.file.modify(master['pki_client_password_conf'], + uid=0, gid=0) + # Similarly, create a simple password file containing the + # PKCS #12 password used when exporting the "Admin Certificate" + # into a PKCS #12 file + util.password.create_client_pkcs12_password_conf( + master['pki_client_pkcs12_password_conf']) + util.file.modify(master['pki_client_pkcs12_password_conf']) + util.directory.create(master['pki_client_database_dir'], + uid=0, gid=0) + util.certutil.create_security_databases( + master['pki_client_database_dir'], + master['pki_client_cert_database'], + master['pki_client_key_database'], + master['pki_client_secmod_database'], + password_file=master['pki_client_password_conf']) + util.symlink.create(master['pki_systemd_service'], + master['pki_systemd_service_link']) + + # Start/Restart this Apache/Tomcat PKI Process + if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS: + apache_instance_subsystems =\ + util.instance.apache_instance_subsystems() + if apache_instance_subsystems == 1: + util.systemd.start() + elif apache_instance_subsystems > 1: + util.systemd.restart() + elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + # Optionally prepare to enable a java debugger + # (e. g. - 'eclipse'): + if config.str2bool(master['pki_enable_java_debugger']): + config.prepare_for_an_external_java_debugger( + master['pki_target_tomcat_conf_instance_id']) + tomcat_instance_subsystems =\ + len(util.instance.tomcat_instance_subsystems()) + if tomcat_instance_subsystems == 1: + util.systemd.start() + elif tomcat_instance_subsystems > 1: + util.systemd.restart() + + # wait for startup + status = util.instance.wait_for_startup(60) + if status == None: + config.pki_log.error("server failed to restart", + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + + # Optionally wait for debugger to attach (e. g. - 'eclipse'): + if config.str2bool(master['pki_enable_java_debugger']): + config.wait_to_attach_an_external_java_debugger() + + config_client = util.config_client() + # Construct PKI Subsystem Configuration Data + data = None + if master['pki_instance_type'] == "Apache": + if master['pki_subsystem'] == "RA": + config.pki_log.info(log.PKI_CONFIG_NOT_YET_IMPLEMENTED_1, + master['pki_subsystem'], + extra=config.PKI_INDENTATION_LEVEL_2) + return rv + elif master['pki_subsystem'] == "TPS": + config.pki_log.info(log.PKI_CONFIG_NOT_YET_IMPLEMENTED_1, + master['pki_subsystem'], + extra=config.PKI_INDENTATION_LEVEL_2) + return rv + elif master['pki_instance_type'] == "Tomcat": + # CA, KRA, OCSP, or TKS + data = config_client.construct_pki_configuration_data() + + # Configure the substem + config_client.configure_pki_data( + json.dumps(data, cls=pki.encoder.CustomTypeEncoder)) + + return self.rv + + def respawn(self): + config.pki_log.info(log.CONFIGURATION_RESPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + + def destroy(self): + config.pki_log.info(log.CONFIGURATION_DESTROY_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ + util.instance.apache_instance_subsystems() == 1: + if util.directory.exists(master['pki_client_dir']): + util.directory.delete(master['pki_client_dir']) + util.symlink.delete(master['pki_systemd_service_link']) + elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ + len(util.instance.tomcat_instance_subsystems()) == 1: + if util.directory.exists(master['pki_client_dir']): + util.directory.delete(master['pki_client_dir']) + util.symlink.delete(master['pki_systemd_service_link']) + return self.rv diff --git a/base/server/src/scriptlets/finalization.py b/base/server/src/scriptlets/finalization.py new file mode 100644 index 000000000..6ddc98d03 --- /dev/null +++ b/base/server/src/scriptlets/finalization.py @@ -0,0 +1,114 @@ +#!/usr/bin/python -t +# Authors: +# Matthew Harmsen <mharmsen@redhat.com> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2012 Red Hat, Inc. +# All rights reserved. +# + +# PKI Deployment Imports +import pkiconfig as config +from pkiconfig import pki_master_dict as master +import pkihelper as util +import pkimanifest as manifest +import pkimessages as log +import pkiscriptlet + + +# PKI Deployment Finalization Scriptlet +class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + rv = 0 + + def spawn(self): + if master['pki_subsystem'] == "CA" and\ + config.str2bool(master['pki_external_step_two']): + # must check for 'External CA Step 2' installation PRIOR to + # 'pki_skip_installation' since this value has been set to true + # by the initialization scriptlet + pass + elif config.str2bool(master['pki_skip_installation']): + config.pki_log.info(log.SKIP_FINALIZATION_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + config.pki_log.info(log.FINALIZATION_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + # For debugging/auditing purposes, save a timestamped copy of + # this configuration file in the subsystem archive + util.file.copy(master['pki_user_deployment_cfg_replica'], + master['pki_user_deployment_cfg_spawn_archive']) + # Save a copy of the installation manifest file + config.pki_log.info(log.PKI_MANIFEST_MESSAGE_1, master['pki_manifest'], + extra=config.PKI_INDENTATION_LEVEL_2) + # for record in manifest.database: + # print tuple(record) + manifest.file.register(master['pki_manifest']) + manifest.file.write() + util.file.modify(master['pki_manifest'], silent=True) + + # Also, for debugging/auditing purposes, save a timestamped copy of + # this installation manifest file + util.file.copy(master['pki_manifest'], + master['pki_manifest_spawn_archive']) + # Optionally, programmatically 'restart' the configured PKI instance + if config.str2bool(master['pki_restart_configured_instance']): + util.systemd.restart() + # Optionally, 'purge' the entire temporary client infrastructure + # including the client NSS security databases and password files + # + # WARNING: If the PKCS #12 file containing the Admin Cert was + # placed under this infrastructure, it may accidentally + # be deleted! + # + if config.str2bool(master['pki_client_database_purge']): + if util.directory.exists(master['pki_client_subsystem_dir']): + util.directory.delete(master['pki_client_subsystem_dir']) + # If instance has not been configured, print the + # configuration URL to the log + if config.str2bool(master['pki_skip_configuration']): + util.configuration_file.log_configuration_url() + # Log final process messages + config.pki_log.info(log.PKISPAWN_END_MESSAGE_2, + master['pki_subsystem'], + master['pki_instance_name'], + extra=config.PKI_INDENTATION_LEVEL_0) + util.file.modify(master['pki_spawn_log'], silent=True) + # If instance has not been configured, print the + # configuration URL to the screen + if config.str2bool(master['pki_skip_configuration']): + util.configuration_file.display_configuration_url() + return self.rv + + def respawn(self): + config.pki_log.info(log.FINALIZATION_RESPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + + def destroy(self): + config.pki_log.info(log.FINALIZATION_DESTROY_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + util.file.modify(master['pki_destroy_log'], silent=True) + # Start this Apache/Tomcat PKI Process + if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ + util.instance.apache_instance_subsystems() >= 1: + util.systemd.start() + elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ + len(util.instance.tomcat_instance_subsystems()) >= 1: + util.systemd.start() + config.pki_log.info(log.PKIDESTROY_END_MESSAGE_2, + master['pki_subsystem'], + master['pki_instance_name'], + extra=config.PKI_INDENTATION_LEVEL_0) + return self.rv diff --git a/base/server/src/scriptlets/infrastructure_layout.py b/base/server/src/scriptlets/infrastructure_layout.py new file mode 100644 index 000000000..69a905849 --- /dev/null +++ b/base/server/src/scriptlets/infrastructure_layout.py @@ -0,0 +1,116 @@ +#!/usr/bin/python -t +# Authors: +# Matthew Harmsen <mharmsen@redhat.com> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2012 Red Hat, Inc. +# All rights reserved. +# + +# PKI Deployment Imports +import pkiconfig as config +from pkiconfig import pki_master_dict as master +import pkihelper as util +import pkimessages as log +import pkiscriptlet + + +# PKI Deployment Top-Level Infrastructure Layout Scriptlet +class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + rv = 0 + + def spawn(self): + if config.str2bool(master['pki_skip_installation']): + config.pki_log.info(log.SKIP_ADMIN_DOMAIN_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + config.pki_log.info(log.ADMIN_DOMAIN_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + # NOTE: It was determined that since the "pkidestroy" command + # relies upon a symbolic link to a replica of the original + # deployment configuration file used by the + # "pkispawn" command of an instance, it is necessary to + # create any required instance and subsystem directories + # in this top-level "infrastructure_layout" scriptlet + # (rather than the "instance_layout" and "subsystem_layout" + # scriptlets) so that a copy of this configuration file can + # be saved, and the required symbolic link can be created. + # + # establish the top-level infrastructure, instance, and subsystem + # registry directories for storage of a copy of the original + # deployment configuration file used to spawn this instance, + # and save a copy of this file + util.directory.create(master['pki_registry_path']) + util.directory.create(master['pki_instance_type_registry_path']) + util.directory.create(master['pki_instance_registry_path']) + util.directory.create(master['pki_subsystem_registry_path']) + util.file.copy(master['pki_default_deployment_cfg'], + master['pki_default_deployment_cfg_replica']) + + print "Storing deployment configuration into " + config.pki_master_dict['pki_user_deployment_cfg_replica'] + "." + if master['pki_user_deployment_cfg']: + util.file.copy(master['pki_user_deployment_cfg'], + master['pki_user_deployment_cfg_replica']) + else: + with open(master['pki_user_deployment_cfg_replica'], 'w') as f: + config.user_config.write(f) + + # establish top-level infrastructure, instance, and subsystem + # base directories and create the "registry" symbolic link that + # the "pkidestroy" executable relies upon + util.directory.create(master['pki_path']) + util.directory.create(master['pki_instance_path']) + util.directory.create(master['pki_subsystem_path']) + util.symlink.create(master['pki_instance_registry_path'], + master['pki_subsystem_registry_link']) + # + # NOTE: If "infrastructure_layout" scriptlet execution has been + # successfully executed to this point, the "pkidestroy" command + # may always be utilized to remove the entire infrastructure. + # + # no need to establish top-level infrastructure logs + # since it now stores 'pkispawn'/'pkidestroy' logs + # and will already exist + # util.directory.create(master['pki_log_path']) + # establish top-level infrastructure configuration + if master['pki_configuration_path'] !=\ + config.PKI_DEPLOYMENT_CONFIGURATION_ROOT: + util.directory.create(master['pki_configuration_path']) + return self.rv + + def respawn(self): + config.pki_log.info(log.ADMIN_DOMAIN_RESPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + + def destroy(self): + config.pki_log.info(log.ADMIN_DOMAIN_DESTROY_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + # remove top-level infrastructure base + if master['pki_subsystem'] in config.PKI_SUBSYSTEMS and\ + util.instance.pki_instance_subsystems() == 0: + # remove top-level infrastructure base + util.directory.delete(master['pki_path']) + # do NOT remove top-level infrastructure logs + # since it now stores 'pkispawn'/'pkidestroy' logs + # util.directory.delete(master['pki_log_path']) + # remove top-level infrastructure configuration + if util.directory.is_empty(master['pki_configuration_path'])\ + and master['pki_configuration_path'] !=\ + config.PKI_DEPLOYMENT_CONFIGURATION_ROOT: + util.directory.delete(master['pki_configuration_path']) + # remove top-level infrastructure registry + util.directory.delete(master['pki_registry_path']) + return self.rv diff --git a/base/server/src/scriptlets/initialization.py b/base/server/src/scriptlets/initialization.py new file mode 100644 index 000000000..3494ebdc7 --- /dev/null +++ b/base/server/src/scriptlets/initialization.py @@ -0,0 +1,126 @@ +#!/usr/bin/python -t +# Authors: +# Matthew Harmsen <mharmsen@redhat.com> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2012 Red Hat, Inc. +# All rights reserved. +# + +# PKI Deployment Imports +import pkiconfig as config +from pkiconfig import pki_master_dict as master +import pkihelper as util +import pkimessages as log +import pkiscriptlet + + +# PKI Deployment Initialization Scriptlet +class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + rv = 0 + + def spawn(self): + # begin official logging + config.pki_log.info(log.PKISPAWN_BEGIN_MESSAGE_2, + master['pki_subsystem'], + master['pki_instance_name'], + extra=config.PKI_INDENTATION_LEVEL_0) + if config.str2bool(master['pki_skip_installation']): + config.pki_log.info(log.SKIP_INITIALIZATION_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + else: + config.pki_log.info(log.INITIALIZATION_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + if master['pki_subsystem'] == "CA" and\ + config.str2bool(master['pki_external_step_two']): + # verify that this type of "subsystem" currently EXISTS + # for this "instance" (External CA Step 2) + util.instance.verify_subsystem_exists() + master['pki_skip_installation'] = "True"; + else: + # verify that this type of "subsystem" does NOT yet + # exist for this "instance" + util.instance.verify_subsystem_does_not_exist() + # detect and avoid any namespace collisions + util.namespace.collision_detection() + # initialize 'uid' and 'gid' + util.identity.add_uid_and_gid(master['pki_user'], master['pki_group']) + # establish 'uid' and 'gid' + util.identity.set_uid(master['pki_user']) + util.identity.set_gid(master['pki_group']) + # verify existence of SENSITIVE configuration file data + util.configuration_file.verify_sensitive_data() + # verify existence of MUTUALLY EXCLUSIVE configuration file data + util.configuration_file.verify_mutually_exclusive_data() + # verify existence of PREDEFINED configuration file data + util.configuration_file.verify_predefined_configuration_file_data() + # verify selinux context of selected ports + util.configuration_file.populate_non_default_ports() + util.configuration_file.verify_selinux_ports() + return self.rv + + def respawn(self): + # begin official logging + config.pki_log.info(log.PKIRESPAWN_BEGIN_MESSAGE_2, + master['pki_subsystem'], + master['pki_instance_name'], + extra=config.PKI_INDENTATION_LEVEL_0) + config.pki_log.info(log.INITIALIZATION_RESPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + # verify that this type of "subsystem" currently EXISTS + # for this "instance" + util.instance.verify_subsystem_exists() + return self.rv + + def destroy(self): + # begin official logging + config.pki_log.info(log.PKIDESTROY_BEGIN_MESSAGE_2, + master['pki_subsystem'], + master['pki_instance_name'], + extra=config.PKI_INDENTATION_LEVEL_0) + config.pki_log.info(log.INITIALIZATION_DESTROY_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + # verify that this type of "subsystem" currently EXISTS + # for this "instance" + util.instance.verify_subsystem_exists() + # verify that the command-line parameters match the values + # that are present in the corresponding configuration file + util.configuration_file.verify_command_matches_configuration_file() + # establish 'uid' and 'gid' + util.identity.set_uid(master['pki_user']) + util.identity.set_gid(master['pki_group']) + # get ports to remove selinux context + util.configuration_file.populate_non_default_ports() + + # get deinstallation token + token = util.security_domain.get_installation_token( + config.pki_secdomain_user, config.pki_secdomain_pass) + + # remove kra connector from CA if this is a KRA + util.kra_connector.deregister() + + # de-register instance from its Security Domain + # + # NOTE: Since the security domain of an instance must be up + # and running in order to be de-registered, this step + # must be done PRIOR to instance shutdown because this + # instance's security domain may be a part of a + # tightly-coupled shared instance. + # + util.security_domain.deregister(token) + # ALWAYS Stop this Apache/Tomcat PKI Process + util.systemd.stop() + return self.rv diff --git a/base/server/src/scriptlets/instance_layout.py b/base/server/src/scriptlets/instance_layout.py new file mode 100644 index 000000000..843227a84 --- /dev/null +++ b/base/server/src/scriptlets/instance_layout.py @@ -0,0 +1,190 @@ +#!/usr/bin/python -t +# Authors: +# Matthew Harmsen <mharmsen@redhat.com> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2012 Red Hat, Inc. +# All rights reserved. +# + +# System Imports +import os + + +# PKI Deployment Imports +import pkiconfig as config +from pkiconfig import pki_master_dict as master +import pkihelper as util +import pkimessages as log +import pkiscriptlet +import os + + +# PKI Deployment Instance Layout Scriptlet +class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + rv = 0 + + def spawn(self): + if config.str2bool(master['pki_skip_installation']): + config.pki_log.info(log.SKIP_INSTANCE_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + config.pki_log.info(log.INSTANCE_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + # establish instance logs + util.directory.create(master['pki_instance_log_path']) + # establish instance configuration + util.directory.create(master['pki_instance_configuration_path']) + # establish Apache/Tomcat specific instance + if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + # establish Tomcat instance configuration + util.directory.copy(master['pki_source_server_path'], + master['pki_instance_configuration_path'], + overwrite_flag=True) + # establish Tomcat instance base + util.directory.create(master['pki_tomcat_common_path']) + util.directory.create(master['pki_tomcat_common_lib_path']) + # establish Tomcat instance library + util.directory.create(master['pki_instance_lib']) + for name in os.listdir(master['pki_tomcat_lib_path']): + util.symlink.create( + os.path.join( + master['pki_tomcat_lib_path'], + name), + os.path.join( + master['pki_instance_lib'], + name)) + util.symlink.create(master['pki_instance_conf_log4j_properties'], + master['pki_instance_lib_log4j_properties']) + util.directory.create(master['pki_tomcat_tmpdir_path']) + util.directory.create(master['pki_tomcat_webapps_path']) + util.directory.create(master['pki_tomcat_work_path']) + util.directory.create(master['pki_tomcat_work_catalina_path']) + util.directory.create(master['pki_tomcat_work_catalina_host_path']) + util.directory.create( + master['pki_tomcat_work_catalina_host_run_path']) + util.directory.create( + master['pki_tomcat_work_catalina_host_subsystem_path']) + # establish Tomcat instance logs + # establish Tomcat instance registry + # establish Tomcat instance convenience symbolic links + util.symlink.create(master['pki_tomcat_bin_path'], + master['pki_tomcat_bin_link']) + util.symlink.create(master['pki_tomcat_systemd'], + master['pki_instance_systemd_link'], + uid=0, gid=0) + # establish Tomcat instance common lib jar symbolic links + util.symlink.create(master['pki_apache_commons_collections_jar'], + master['pki_apache_commons_collections_jar_link']) + util.symlink.create(master['pki_apache_commons_lang_jar'], + master['pki_apache_commons_lang_jar_link']) + util.symlink.create(master['pki_apache_commons_logging_jar'], + master['pki_apache_commons_logging_jar_link']) + util.symlink.create(master['pki_commons_codec_jar'], + master['pki_commons_codec_jar_link']) + util.symlink.create(master['pki_httpclient_jar'], + master['pki_httpclient_jar_link']) + util.symlink.create(master['pki_httpcore_jar'], + master['pki_httpcore_jar_link']) + util.symlink.create(master['pki_javassist_jar'], + master['pki_javassist_jar_link']) + util.symlink.create(master['pki_resteasy_jaxrs_api_jar'], + master['pki_resteasy_jaxrs_api_jar_link']) + util.symlink.create(master['pki_jettison_jar'], + master['pki_jettison_jar_link']) + util.symlink.create(master['pki_jss_jar'], + master['pki_jss_jar_link']) + util.symlink.create(master['pki_ldapjdk_jar'], + master['pki_ldapjdk_jar_link']) + util.symlink.create(master['pki_tomcat_jar'], + master['pki_tomcat_jar_link']) + util.symlink.create(master['pki_resteasy_atom_provider_jar'], + master['pki_resteasy_atom_provider_jar_link']) + util.symlink.create(master['pki_resteasy_jaxb_provider_jar'], + master['pki_resteasy_jaxb_provider_jar_link']) + util.symlink.create(master['pki_resteasy_jaxrs_jar'], + master['pki_resteasy_jaxrs_jar_link']) + util.symlink.create(master['pki_resteasy_jettison_provider_jar'], + master['pki_resteasy_jettison_provider_jar_link']) + util.symlink.create(master['pki_scannotation_jar'], + master['pki_scannotation_jar_link']) + if master['pki_subsystem'] == 'TKS': + util.symlink.create(master['pki_symkey_jar'], + master['pki_symkey_jar_link']) + util.symlink.create(master['pki_tomcatjss_jar'], + master['pki_tomcatjss_jar_link']) + util.symlink.create(master['pki_velocity_jar'], + master['pki_velocity_jar_link']) + util.symlink.create(master['pki_xerces_j2_jar'], + master['pki_xerces_j2_jar_link']) + util.symlink.create(master['pki_xml_commons_apis_jar'], + master['pki_xml_commons_apis_jar_link']) + util.symlink.create(master['pki_xml_commons_resolver_jar'], + master['pki_xml_commons_resolver_jar_link']) + # establish shared NSS security databases for this instance + util.directory.create(master['pki_database_path']) + # establish instance convenience symbolic links + util.symlink.create(master['pki_database_path'], + master['pki_instance_database_link']) + util.symlink.create(master['pki_instance_configuration_path'], + master['pki_instance_conf_link']) + util.symlink.create(master['pki_instance_log_path'], + master['pki_instance_logs_link']) + return self.rv + + def respawn(self): + config.pki_log.info(log.INSTANCE_RESPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + + def destroy(self): + config.pki_log.info(log.INSTANCE_DESTROY_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + if master['pki_subsystem'] == 'TKS': + util.symlink.delete(master['pki_symkey_jar_link']) + if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ + util.instance.apache_instance_subsystems() == 0: + # remove Apache instance base + util.directory.delete(master['pki_instance_path']) + # remove Apache instance logs + # remove shared NSS security database path for this instance + util.directory.delete(master['pki_database_path']) + # remove Apache instance configuration + util.directory.delete(master['pki_instance_configuration_path']) + # remove Apache instance registry + util.directory.delete(master['pki_instance_registry_path']) + # remove Apache PKI registry (if empty) + if util.instance.apache_instances() == 0: + util.directory.delete( + master['pki_instance_type_registry_path']) + elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ + len(util.instance.tomcat_instance_subsystems()) == 0: + # remove Tomcat instance base + util.directory.delete(master['pki_instance_path']) + # remove Tomcat instance logs + util.directory.delete(master['pki_instance_log_path']) + # remove shared NSS security database path for this instance + util.directory.delete(master['pki_database_path']) + # remove Tomcat instance configuration + util.directory.delete(master['pki_instance_configuration_path']) + # remove PKI 'tomcat.conf' instance file + util.file.delete(master['pki_target_tomcat_conf_instance_id']) + # remove Tomcat instance registry + util.directory.delete(master['pki_instance_registry_path']) + # remove Tomcat PKI registry (if empty) + if util.instance.tomcat_instances() == 0: + util.directory.delete( + master['pki_instance_type_registry_path']) + return self.rv diff --git a/base/server/src/scriptlets/security_databases.py b/base/server/src/scriptlets/security_databases.py new file mode 100644 index 000000000..9ac4784e5 --- /dev/null +++ b/base/server/src/scriptlets/security_databases.py @@ -0,0 +1,119 @@ +#!/usr/bin/python -t +# Authors: +# Matthew Harmsen <mharmsen@redhat.com> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2012 Red Hat, Inc. +# All rights reserved. +# + +# PKI Deployment Imports +import pkiconfig as config +from pkiconfig import pki_master_dict as master +import pkihelper as util +import pkimessages as log +import pkiscriptlet + + +# PKI Deployment Security Databases Scriptlet +class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + rv = 0 + + def spawn(self): + if config.str2bool(master['pki_skip_installation']): + config.pki_log.info(log.SKIP_SECURITY_DATABASES_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + config.pki_log.info(log.SECURITY_DATABASES_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + util.password.create_password_conf( + master['pki_shared_password_conf'], + master['pki_pin']) + # Since 'certutil' does NOT strip the 'token=' portion of + # the 'token=password' entries, create a temporary server 'pfile' + # which ONLY contains the 'password' for the purposes of + # allowing 'certutil' to generate the security databases + util.password.create_password_conf( + master['pki_shared_pfile'], + master['pki_pin'], pin_sans_token=True) + util.file.modify(master['pki_shared_password_conf']) + util.certutil.create_security_databases( + master['pki_database_path'], + master['pki_cert_database'], + master['pki_key_database'], + master['pki_secmod_database'], + password_file=master['pki_shared_pfile']) + util.file.modify(master['pki_cert_database'], perms=\ + config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS) + util.file.modify(master['pki_key_database'], perms=\ + config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS) + util.file.modify(master['pki_secmod_database'], perms=\ + config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS) + + if len(util.instance.tomcat_instance_subsystems()) < 2: + # only create a self signed cert for a new instance + rv = util.certutil.verify_certificate_exists( + master['pki_database_path'], + master['pki_cert_database'], + master['pki_key_database'], + master['pki_secmod_database'], + master['pki_self_signed_token'], + master['pki_self_signed_nickname'], + password_file=master['pki_shared_pfile']) + if not rv: + util.file.generate_noise_file( + master['pki_self_signed_noise_file'], + master['pki_self_signed_noise_bytes']) + util.certutil.generate_self_signed_certificate( + master['pki_database_path'], + master['pki_cert_database'], + master['pki_key_database'], + master['pki_secmod_database'], + master['pki_self_signed_token'], + master['pki_self_signed_nickname'], + master['pki_self_signed_subject'], + master['pki_self_signed_serial_number'], + master['pki_self_signed_validity_period'], + master['pki_self_signed_issuer_name'], + master['pki_self_signed_trustargs'], + master['pki_self_signed_noise_file'], + password_file=master['pki_shared_pfile']) + # Delete the temporary 'noise' file + util.file.delete(master['pki_self_signed_noise_file']) + # Delete the temporary 'pfile' + util.file.delete(master['pki_shared_pfile']) + return self.rv + + def respawn(self): + config.pki_log.info(log.SECURITY_DATABASES_RESPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + + def destroy(self): + config.pki_log.info(log.SECURITY_DATABASES_DESTROY_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ + util.instance.apache_instance_subsystems() == 0: + util.file.delete(master['pki_cert_database']) + util.file.delete(master['pki_key_database']) + util.file.delete(master['pki_secmod_database']) + util.file.delete(master['pki_shared_password_conf']) + elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ + len(util.instance.tomcat_instance_subsystems()) == 0: + util.file.delete(master['pki_cert_database']) + util.file.delete(master['pki_key_database']) + util.file.delete(master['pki_secmod_database']) + util.file.delete(master['pki_shared_password_conf']) + return self.rv diff --git a/base/server/src/scriptlets/selinux_setup.py b/base/server/src/scriptlets/selinux_setup.py new file mode 100644 index 000000000..552ab3f41 --- /dev/null +++ b/base/server/src/scriptlets/selinux_setup.py @@ -0,0 +1,175 @@ +#!/usr/bin/python -t +# Authors: +# Ade Lee <alee@redhat.com> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2012 Red Hat, Inc. +# All rights reserved. +# + +# PKI Deployment Imports +import pkiconfig as config +from pkiconfig import pki_master_dict as master +from pkiconfig import pki_selinux_config_ports as ports +import pkihelper as util +import pkimessages as log +import pkiscriptlet +import selinux +if selinux.is_selinux_enabled(): + import seobject + + +# PKI Deployment Selinux Setup Scriptlet +class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + rv = 0 + suffix = "(/.*)?" + + def restore_context(self): + selinux.restorecon(master['pki_instance_path'], True) + selinux.restorecon(config.PKI_DEPLOYMENT_LOG_ROOT, True) + selinux.restorecon(master['pki_instance_log_path'], True) + selinux.restorecon(master['pki_instance_configuration_path'], True) + + def spawn(self): + if config.str2bool(master['pki_skip_installation']): + config.pki_log.info(log.SKIP_SELINUX_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + + if not bool(selinux.is_selinux_enabled()): + config.pki_log.info(log.SELINUX_DISABLED_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + + config.pki_log.info(log.SELINUX_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + + # check first if any transactions are required + if len(ports) == 0 and master['pki_instance_name'] == \ + config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME: + self.restore_context() + return self.rv + + # add SELinux contexts when adding the first subsystem + if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ + util.instance.apache_instance_subsystems() == 1 or\ + master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ + len(util.instance.tomcat_instance_subsystems()) == 1: + + trans = seobject.semanageRecords("targeted") + trans.start() + if master['pki_instance_name'] != \ + config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME: + + fcon = seobject.fcontextRecords() + + config.pki_log.info("adding selinux fcontext \"%s\"", + master['pki_instance_path'] + self.suffix, + extra=config.PKI_INDENTATION_LEVEL_2) + fcon.add(master['pki_instance_path'] + self.suffix, + config.PKI_INSTANCE_SELINUX_CONTEXT, "", "s0", "") + + config.pki_log.info("adding selinux fcontext \"%s\"", + master['pki_instance_log_path'] + self.suffix, + extra=config.PKI_INDENTATION_LEVEL_2) + fcon.add(master['pki_instance_log_path'] + self.suffix, + config.PKI_LOG_SELINUX_CONTEXT, "", "s0", "") + + config.pki_log.info("adding selinux fcontext \"%s\"", + master['pki_instance_configuration_path'] + self.suffix, + extra=config.PKI_INDENTATION_LEVEL_2) + fcon.add(master['pki_instance_configuration_path'] + self.suffix, + config.PKI_CFG_SELINUX_CONTEXT, "", "s0", "") + + config.pki_log.info("adding selinux fcontext \"%s\"", + master['pki_database_path'] + self.suffix, + extra=config.PKI_INDENTATION_LEVEL_2) + fcon.add(master['pki_database_path'] + self.suffix, + config.PKI_CERTDB_SELINUX_CONTEXT, "", "s0", "") + + portRecords = seobject.portRecords() + for port in ports: + config.pki_log.info("adding selinux port %s", port, + extra=config.PKI_INDENTATION_LEVEL_2) + portRecords.add(port, "tcp", "s0", config.PKI_PORT_SELINUX_CONTEXT) + + trans.finish() + + self.restore_context() + return self.rv + + def respawn(self): + config.pki_log.info(log.SELINUX_RESPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + self.restore_context() + return self.rv + + def destroy(self): + if not bool(selinux.is_selinux_enabled()): + config.pki_log.info(log.SELINUX_DISABLED_DESTROY_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + config.pki_log.info(log.SELINUX_DESTROY_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + + # check first if any transactions are required + if len(ports) == 0 and master['pki_instance_name'] == \ + config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME: + return self.rv + + # remove SELinux contexts when removing the last subsystem + if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ + util.instance.apache_instance_subsystems() == 0 or\ + master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ + len(util.instance.tomcat_instance_subsystems()) == 0: + + trans = seobject.semanageRecords("targeted") + trans.start() + + if master['pki_instance_name'] != \ + config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME: + + fcon = seobject.fcontextRecords() + + config.pki_log.info("deleting selinux fcontext \"%s\"", + master['pki_instance_path'] + self.suffix, + extra=config.PKI_INDENTATION_LEVEL_2) + fcon.delete(master['pki_instance_path'] + self.suffix , "") + + config.pki_log.info("deleting selinux fcontext \"%s\"", + master['pki_instance_log_path'] + self.suffix, + extra=config.PKI_INDENTATION_LEVEL_2) + fcon.delete(master['pki_instance_log_path'] + self.suffix, "") + + config.pki_log.info("deleting selinux fcontext \"%s\"", + master['pki_instance_configuration_path'] + self.suffix, + extra=config.PKI_INDENTATION_LEVEL_2) + fcon.delete(master['pki_instance_configuration_path'] + \ + self.suffix, "") + + config.pki_log.info("deleting selinux fcontext \"%s\"", + master['pki_database_path'] + self.suffix, + extra=config.PKI_INDENTATION_LEVEL_2) + fcon.delete(master['pki_database_path'] + self.suffix , "") + + portRecords = seobject.portRecords() + for port in ports: + config.pki_log.info("deleting selinux port %s", port, + extra=config.PKI_INDENTATION_LEVEL_2) + portRecords.delete(port, "tcp") + + trans.finish() + + return self.rv diff --git a/base/server/src/scriptlets/slot_substitution.py b/base/server/src/scriptlets/slot_substitution.py new file mode 100644 index 000000000..205ed49f6 --- /dev/null +++ b/base/server/src/scriptlets/slot_substitution.py @@ -0,0 +1,103 @@ +#!/usr/bin/python -t +# Authors: +# Matthew Harmsen <mharmsen@redhat.com> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2012 Red Hat, Inc. +# All rights reserved. +# + +# PKI Deployment Imports +import pkiconfig as config +from pkiconfig import pki_master_dict as master +from pkiconfig import pki_slots_dict as slots +import pkihelper as util +import pkimessages as log +import pkiscriptlet + + +# PKI Deployment Slot Substitution Scriptlet +class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + rv = 0 + + def spawn(self): + if config.str2bool(master['pki_skip_installation']): + config.pki_log.info(log.SKIP_SLOT_ASSIGNMENT_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + config.pki_log.info(log.SLOT_ASSIGNMENT_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + util.file.copy_with_slot_substitution(master['pki_source_cs_cfg'], + master['pki_target_cs_cfg']) + util.file.copy_with_slot_substitution(master['pki_source_registry'], + master['pki_target_registry'], + uid=0, gid=0, overwrite_flag=True) + if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + util.file.copy_with_slot_substitution( + master['pki_source_catalina_properties'], + master['pki_target_catalina_properties'], + overwrite_flag=True) + util.file.copy_with_slot_substitution( + master['pki_source_servercertnick_conf'], + master['pki_target_servercertnick_conf'], + overwrite_flag=True) + util.file.copy_with_slot_substitution( + master['pki_source_server_xml'], + master['pki_target_server_xml'], + overwrite_flag=True) + util.file.copy_with_slot_substitution( + master['pki_source_context_xml'], + master['pki_target_context_xml'], + overwrite_flag=True) + util.file.copy_with_slot_substitution( + master['pki_source_tomcat_conf'], + master['pki_target_tomcat_conf_instance_id'], + uid=0, gid=0, overwrite_flag=True) + util.file.copy_with_slot_substitution( + master['pki_source_tomcat_conf'], + master['pki_target_tomcat_conf'], + overwrite_flag=True) + util.file.apply_slot_substitution( + master['pki_target_velocity_properties']) + util.file.apply_slot_substitution( + master['pki_target_subsystem_web_xml']) + # Strip "<filter>" section from subsystem "web.xml" + # This is ONLY necessary because XML comments cannot be "nested"! + #util.file.copy(master['pki_target_subsystem_web_xml'], + # master['pki_target_subsystem_web_xml_orig']) + #util.file.delete(master['pki_target_subsystem_web_xml']) + #util.xml_file.remove_filter_section_from_web_xml( + # master['pki_target_subsystem_web_xml_orig'], + # master['pki_target_subsystem_web_xml']) + #util.file.delete(master['pki_target_subsystem_web_xml_orig']) + if master['pki_subsystem'] == "CA": + util.file.copy_with_slot_substitution( + master['pki_source_proxy_conf'], + master['pki_target_proxy_conf']) + util.file.apply_slot_substitution( + master['pki_target_profileselect_template']) + return self.rv + + def respawn(self): + config.pki_log.info(log.SLOT_ASSIGNMENT_RESPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + + def destroy(self): + config.pki_log.info(log.SLOT_ASSIGNMENT_DESTROY_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + config.pki_log.info("NOTHING NEEDS TO BE IMPLEMENTED", + extra=config.PKI_INDENTATION_LEVEL_2) + return self.rv diff --git a/base/server/src/scriptlets/subsystem_layout.py b/base/server/src/scriptlets/subsystem_layout.py new file mode 100644 index 000000000..c4c4c2283 --- /dev/null +++ b/base/server/src/scriptlets/subsystem_layout.py @@ -0,0 +1,126 @@ +#!/usr/bin/python -t +# Authors: +# Matthew Harmsen <mharmsen@redhat.com> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2012 Red Hat, Inc. +# All rights reserved. +# + +# PKI Deployment Imports +import pkiconfig as config +from pkiconfig import pki_master_dict as master +import pkihelper as util +import pkimessages as log +import pkiscriptlet + + +# PKI Deployment Subsystem Layout Scriptlet +class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + rv = 0 + + def spawn(self): + if config.str2bool(master['pki_skip_installation']): + config.pki_log.info(log.SKIP_SUBSYSTEM_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + config.pki_log.info(log.SUBSYSTEM_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + # establish instance-based subsystem logs + util.directory.create(master['pki_subsystem_log_path']) + util.directory.create(master['pki_subsystem_archive_log_path']) + if master['pki_subsystem'] in config.PKI_SIGNED_AUDIT_SUBSYSTEMS: + util.directory.create(master['pki_subsystem_signed_audit_log_path']) + # establish instance-based subsystem configuration + util.directory.create(master['pki_subsystem_configuration_path']) + # util.directory.copy(master['pki_source_conf_path'], + # master['pki_subsystem_configuration_path']) + # establish instance-based Apache/Tomcat specific subsystems + if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + # establish instance-based Tomcat PKI subsystem base + if master['pki_subsystem'] == "CA": + util.directory.copy(master['pki_source_emails'], + master['pki_subsystem_emails_path']) + util.directory.copy(master['pki_source_profiles'], + master['pki_subsystem_profiles_path']) + # establish instance-based Tomcat PKI subsystem logs + # establish instance-based Tomcat PKI subsystem configuration + if master['pki_subsystem'] == "CA": + util.file.copy(master['pki_source_flatfile_txt'], + master['pki_target_flatfile_txt']) + util.file.copy(master['pki_source_registry_cfg'], + master['pki_target_registry_cfg']) + # '*.profile' + util.file.copy(master['pki_source_admincert_profile'], + master['pki_target_admincert_profile']) + util.file.copy(master['pki_source_caauditsigningcert_profile'], + master['pki_target_caauditsigningcert_profile']) + util.file.copy(master['pki_source_cacert_profile'], + master['pki_target_cacert_profile']) + util.file.copy(master['pki_source_caocspcert_profile'], + master['pki_target_caocspcert_profile']) + util.file.copy(master['pki_source_servercert_profile'], + master['pki_target_servercert_profile']) + util.file.copy(master['pki_source_subsystemcert_profile'], + master['pki_target_subsystemcert_profile']) + elif master['pki_subsystem'] == "KRA": + # '*.profile' + util.file.copy(master['pki_source_servercert_profile'], + master['pki_target_servercert_profile']) + util.file.copy(master['pki_source_storagecert_profile'], + master['pki_target_storagecert_profile']) + util.file.copy(master['pki_source_subsystemcert_profile'], + master['pki_target_subsystemcert_profile']) + util.file.copy(master['pki_source_transportcert_profile'], + master['pki_target_transportcert_profile']) + # establish instance-based Tomcat PKI subsystem registry + # establish instance-based Tomcat PKI subsystem convenience + # symbolic links + util.symlink.create(master['pki_tomcat_webapps_path'], + master['pki_subsystem_tomcat_webapps_link']) + # establish instance-based subsystem convenience symbolic links + util.symlink.create(master['pki_instance_database_link'], + master['pki_subsystem_database_link']) + util.symlink.create(master['pki_subsystem_configuration_path'], + master['pki_subsystem_conf_link']) + util.symlink.create(master['pki_subsystem_log_path'], + master['pki_subsystem_logs_link']) + util.symlink.create(master['pki_instance_registry_path'], + master['pki_subsystem_registry_link']) + return self.rv + + def respawn(self): + config.pki_log.info(log.SUBSYSTEM_RESPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + + def destroy(self): + config.pki_log.info(log.SUBSYSTEM_DESTROY_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + # remove instance-based subsystem base + if master['pki_subsystem'] == "CA": + util.directory.delete(master['pki_subsystem_emails_path']) + util.directory.delete(master['pki_subsystem_profiles_path']) + util.directory.delete(master['pki_subsystem_path']) + # remove instance-based subsystem logs + if master['pki_subsystem'] in config.PKI_SIGNED_AUDIT_SUBSYSTEMS: + util.directory.delete(master['pki_subsystem_signed_audit_log_path']) + util.directory.delete(master['pki_subsystem_archive_log_path']) + util.directory.delete(master['pki_subsystem_log_path']) + # remove instance-based subsystem configuration + util.directory.delete(master['pki_subsystem_configuration_path']) + # remove instance-based subsystem registry + util.directory.delete(master['pki_subsystem_registry_path']) + return self.rv diff --git a/base/server/src/scriptlets/webapp_deployment.py b/base/server/src/scriptlets/webapp_deployment.py new file mode 100644 index 000000000..e72752ee8 --- /dev/null +++ b/base/server/src/scriptlets/webapp_deployment.py @@ -0,0 +1,170 @@ +#!/usr/bin/python -t +# Authors: +# Matthew Harmsen <mharmsen@redhat.com> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2012 Red Hat, Inc. +# All rights reserved. +# + +# System Imports +import os + + +# PKI Deployment Imports +import pkiconfig as config +from pkiconfig import pki_master_dict as master +import pkihelper as util +import pkimessages as log +import pkiscriptlet + + +# PKI Web Application Deployment Scriptlet +class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + rv = 0 + + def spawn(self): + if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + if config.str2bool(master['pki_skip_installation']): + config.pki_log.info(log.SKIP_WEBAPP_DEPLOYMENT_SPAWN_1, + __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + config.pki_log.info(log.WEBAPP_DEPLOYMENT_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + + # Copy /usr/share/pki/server/webapps/ROOT + # to <instance>/webapps/ROOT + util.directory.create(master['pki_tomcat_webapps_root_path']) + util.directory.copy( + os.path.join( + config.PKI_DEPLOYMENT_SOURCE_ROOT, + "server", + "webapps", + "ROOT"), + master['pki_tomcat_webapps_root_path'], + overwrite_flag=True) + + util.directory.create(master['pki_tomcat_webapps_common_path']) + + # If desired and available, + # copy selected server theme + # to <instance>/webapps/pki + if config.str2bool(master['pki_theme_enable']) and\ + os.path.exists(master['pki_theme_server_dir']): + util.directory.copy(master['pki_theme_server_dir'], + master['pki_tomcat_webapps_common_path'], + overwrite_flag=True) + + # Copy /usr/share/pki/server/webapps/pki/js + # to <instance>/webapps/pki/js + util.directory.copy( + os.path.join( + config.PKI_DEPLOYMENT_SOURCE_ROOT, + "server", + "webapps", + "pki", + "js"), + os.path.join( + master['pki_tomcat_webapps_common_path'], + "js"), + overwrite_flag=True) + + # Copy /usr/share/pki/server/webapps/pki/META-INF + # to <instance>/webapps/pki/META-INF + util.directory.copy( + os.path.join( + config.PKI_DEPLOYMENT_SOURCE_ROOT, + "server", + "webapps", + "pki", + "META-INF"), + os.path.join( + master['pki_tomcat_webapps_common_path'], + "META-INF"), + overwrite_flag=True) + + # Copy /usr/share/pki/server/webapps/pki/admin + # to <instance>/webapps/<subsystem>/admin + # TODO: common templates should be deployed in common webapp + util.directory.create(master['pki_tomcat_webapps_subsystem_path']) + util.directory.copy( + os.path.join( + config.PKI_DEPLOYMENT_SOURCE_ROOT, + "server", + "webapps", + "pki", + "admin"), + os.path.join( + master['pki_tomcat_webapps_subsystem_path'], + "admin"), + overwrite_flag=True) + + # Copy /usr/share/pki/<subsystem>/webapps/<subsystem> + # to <instance>/webapps/<subsystem> + util.directory.copy( + os.path.join( + config.PKI_DEPLOYMENT_SOURCE_ROOT, + master['pki_subsystem'].lower(), + "webapps", + master['pki_subsystem'].lower()), + master['pki_tomcat_webapps_subsystem_path'], + overwrite_flag=True) + + util.directory.create( + master['pki_tomcat_webapps_subsystem_webinf_classes_path']) + util.directory.create( + master['pki_tomcat_webapps_subsystem_webinf_lib_path']) + # establish Tomcat webapps subsystem WEB-INF lib symbolic links + util.symlink.create(master['pki_certsrv_jar'], + master['pki_certsrv_jar_link']) + util.symlink.create(master['pki_cmsbundle'], + master['pki_cmsbundle_jar_link']) + util.symlink.create(master['pki_cmscore'], + master['pki_cmscore_jar_link']) + util.symlink.create(master['pki_cms'], + master['pki_cms_jar_link']) + util.symlink.create(master['pki_cmsutil'], + master['pki_cmsutil_jar_link']) + util.symlink.create(master['pki_nsutil'], + master['pki_nsutil_jar_link']) + if master['pki_subsystem'] == "CA": + util.symlink.create(master['pki_ca_jar'], + master['pki_ca_jar_link']) + elif master['pki_subsystem'] == "KRA": + util.symlink.create(master['pki_kra_jar'], + master['pki_kra_jar_link']) + elif master['pki_subsystem'] == "OCSP": + util.symlink.create(master['pki_ocsp_jar'], + master['pki_ocsp_jar_link']) + elif master['pki_subsystem'] == "TKS": + util.symlink.create(master['pki_tks_jar'], + master['pki_tks_jar_link']) + # set ownerships, permissions, and acls + util.directory.set_mode(master['pki_tomcat_webapps_subsystem_path']) + return self.rv + + def respawn(self): + if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + config.pki_log.info(log.WEBAPP_DEPLOYMENT_RESPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + return self.rv + + def destroy(self): + if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + config.pki_log.info(log.WEBAPP_DEPLOYMENT_DESTROY_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + util.directory.delete(master['pki_tomcat_webapps_subsystem_path']) + return self.rv |