Diffstat (limited to 'base')
-rwxr-xr-xbase/deploy/src/pkidestroy16
-rwxr-xr-xbase/deploy/src/pkispawn32
-rw-r--r--base/deploy/src/scriptlets/configuration.jy2
-rw-r--r--base/deploy/src/scriptlets/configuration.py176
-rw-r--r--base/deploy/src/scriptlets/finalization.py35
-rw-r--r--base/deploy/src/scriptlets/infrastructure_layout.py45
-rw-r--r--base/deploy/src/scriptlets/instance_layout.py102
-rw-r--r--base/deploy/src/scriptlets/pkiconfig.py1
-rw-r--r--base/deploy/src/scriptlets/pkihelper.py757
-rw-r--r--base/deploy/src/scriptlets/pkijython.py508
-rw-r--r--base/deploy/src/scriptlets/pkiparser.py7
-rw-r--r--base/deploy/src/scriptlets/security_databases.py151
12 files changed, 724 insertions, 1108 deletions
diff --git a/base/deploy/src/pkidestroy b/base/deploy/src/pkidestroy
index 165ccb06c..82632fc1a 100755
--- a/base/deploy/src/pkidestroy
+++ b/base/deploy/src/pkidestroy
@@ -95,16 +95,12 @@ def main(argv):
parse.process_command_line_arguments(argv)
# Enable 'pkidestroy' logging.
- if not config.pki_dry_run_flag:
- config.pki_log_dir = config.pki_root_prefix +\
- config.PKI_DEPLOYMENT_LOG_ROOT
- config.pki_log_name = "pki" + "-" +\
- config.pki_subsystem.lower() +\
- "-" + "destroy" + "." +\
- config.pki_timestamp + "." + "log"
- else:
- config.pki_log_dir = "/dev"
- config.pki_log_name = "null"
+ config.pki_log_dir = config.pki_root_prefix +\
+ config.PKI_DEPLOYMENT_LOG_ROOT
+ config.pki_log_name = "pki" + "-" +\
+ config.pki_subsystem.lower() +\
+ "-" + "destroy" + "." +\
+ config.pki_timestamp + "." + "log"
rv = pkilogging.enable_pki_logger(config.pki_log_dir,
config.pki_log_name,
config.pki_log_level,
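Review bot: The log-file name is now assembled inline from eight concatenations, `"pki" + "-" + config.pki_subsystem.lower() + "-" + "destroy" + "." + config.pki_timestamp + "." + "log"`, and the same expression is repeated twice more in the pkispawn hunk with "spawn" and "respawn"; one format string, `config.pki_log_name = "pki-%s-destroy.%s.log" % (config.pki_subsystem.lower(), config.pki_timestamp)`, or a small helper taking the verb, would keep the three copies from drifting. The two pkispawn branches differ only in that verb, so they could share a single enable_pki_logger call. main continues outside the hunk.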
diff --git a/base/deploy/src/pkispawn b/base/deploy/src/pkispawn
index d3dfb63ca..4ea678ef6 100755
--- a/base/deploy/src/pkispawn
+++ b/base/deploy/src/pkispawn
@@ -103,32 +103,24 @@ def main(argv):
# Enable 'pkispawn' logging.
rv = 0
if not config.pki_update_flag:
- if not config.pki_dry_run_flag:
- config.pki_log_dir = config.pki_root_prefix +\
- config.PKI_DEPLOYMENT_LOG_ROOT
- config.pki_log_name = "pki" + "-" +\
- config.pki_subsystem.lower() +\
- "-" + "spawn" + "." +\
- config.pki_timestamp + "." + "log"
- else:
- config.pki_log_dir = "/dev"
- config.pki_log_name = "null"
+ config.pki_log_dir = config.pki_root_prefix +\
+ config.PKI_DEPLOYMENT_LOG_ROOT
+ config.pki_log_name = "pki" + "-" +\
+ config.pki_subsystem.lower() +\
+ "-" + "spawn" + "." +\
+ config.pki_timestamp + "." + "log"
rv = pkilogging.enable_pki_logger(config.pki_log_dir,
config.pki_log_name,
config.pki_log_level,
config.pki_console_log_level,
"pkispawn")
else:
- if not config.pki_dry_run_flag:
- config.pki_log_dir = config.pki_root_prefix +\
- config.PKI_DEPLOYMENT_LOG_ROOT
- config.pki_log_name = "pki" + "-" +\
- config.pki_subsystem.lower() +\
- "-" + "respawn" + "." +\
- config.pki_timestamp + "." + "log"
- else:
- config.pki_log_dir = "/dev"
- config.pki_log_name = "null"
+ config.pki_log_dir = config.pki_root_prefix +\
+ config.PKI_DEPLOYMENT_LOG_ROOT
+ config.pki_log_name = "pki" + "-" +\
+ config.pki_subsystem.lower() +\
+ "-" + "respawn" + "." +\
+ config.pki_timestamp + "." + "log"
rv = pkilogging.enable_pki_logger(config.pki_log_dir,
config.pki_log_name,
config.pki_log_level,
diff --git a/base/deploy/src/scriptlets/configuration.jy b/base/deploy/src/scriptlets/configuration.jy
index 7180c4546..bf89a0170 100644
--- a/base/deploy/src/scriptlets/configuration.jy
+++ b/base/deploy/src/scriptlets/configuration.jy
@@ -69,14 +69,12 @@ def main(argv):
# Initialize token
jyutil.security_databases.initialize_token(
master['pki_client_database_dir'],
- master['pki_dry_run_flag'],
master['pki_jython_log_level'])
# Log into token
token = jyutil.security_databases.log_into_token(
master['pki_client_database_dir'],
master['pki_client_password_conf'],
- master['pki_dry_run_flag'],
master['pki_jython_log_level'])
# Setup connection parameters
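Review bot: Both calls drop the `master['pki_dry_run_flag']` positional argument, so `initialize_token` and `log_into_token` in pkijython.py must have their parameter lists changed in step; that file is in the diffstat but not in this view. If the Jython side still declared the flag, each call would raise a TypeError for the missing argument, and if any other caller of these helpers remains it now needs the same edit. main's body continues outside the hunk.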
diff --git a/base/deploy/src/scriptlets/configuration.py b/base/deploy/src/scriptlets/configuration.py
index f2d3ab1b1..c9454d951 100644
--- a/base/deploy/src/scriptlets/configuration.py
+++ b/base/deploy/src/scriptlets/configuration.py
@@ -39,98 +39,59 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
return self.rv
config.pki_log.info(log.CONFIGURATION_SPAWN_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
- if not config.pki_dry_run_flag:
- # Place "slightly" less restrictive permissions on
- # the top-level client directory ONLY
- util.directory.create(master['pki_client_dir'],
- uid=0, gid=0,
- perms=config.PKI_DEPLOYMENT_DEFAULT_CLIENT_DIR_PERMISSIONS)
- # Since 'certutil' does NOT strip the 'token=' portion of
- # the 'token=password' entries, create a client password file
- # which ONLY contains the 'password' for the purposes of
- # allowing 'certutil' to generate the security databases
- util.password.create_password_conf(
- master['pki_client_password_conf'],
- sensitive['pki_client_database_password'], pin_sans_token=True)
- util.file.modify(master['pki_client_password_conf'],
- uid=0, gid=0)
- # Similarly, create a simple password file containing the
- # PKCS #12 password used when exporting the "Admin Certificate"
- # into a PKCS #12 file
- util.password.create_client_pkcs12_password_conf(
- master['pki_client_pkcs12_password_conf'])
- util.file.modify(master['pki_client_pkcs12_password_conf'])
- util.directory.create(master['pki_client_database_dir'],
- uid=0, gid=0)
- util.certutil.create_security_databases(
- master['pki_client_database_dir'],
- master['pki_client_cert_database'],
- master['pki_client_key_database'],
- master['pki_client_secmod_database'],
- password_file=master['pki_client_password_conf'])
- util.symlink.create(master['pki_systemd_service'],
- master['pki_systemd_service_link'])
- else:
- # Since 'certutil' does NOT strip the 'token=' portion of
- # the 'token=password' entries, create a client password file
- # which ONLY contains the 'password' for the purposes of
- # allowing 'certutil' to generate the security databases
- util.password.create_password_conf(
- master['pki_client_password_conf'],
- sensitive['pki_client_database_password'], pin_sans_token=True)
- # Similarly, create a simple password file containing the
- # PKCS #12 password used when exporting the "Admin Certificate"
- # into a PKCS #12 file
- util.password.create_client_pkcs12_password_conf(
- master['pki_client_pkcs12_password_conf'])
- util.certutil.create_security_databases(
- master['pki_client_database_dir'],
- master['pki_client_cert_database'],
- master['pki_client_key_database'],
- master['pki_client_secmod_database'],
- password_file=master['pki_client_password_conf'])
+
+ # Place "slightly" less restrictive permissions on
+ # the top-level client directory ONLY
+ util.directory.create(master['pki_client_dir'],
+ uid=0, gid=0,
+ perms=config.PKI_DEPLOYMENT_DEFAULT_CLIENT_DIR_PERMISSIONS)
+ # Since 'certutil' does NOT strip the 'token=' portion of
+ # the 'token=password' entries, create a client password file
+ # which ONLY contains the 'password' for the purposes of
+ # allowing 'certutil' to generate the security databases
+ util.password.create_password_conf(
+ master['pki_client_password_conf'],
+ sensitive['pki_client_database_password'], pin_sans_token=True)
+ util.file.modify(master['pki_client_password_conf'],
+ uid=0, gid=0)
+ # Similarly, create a simple password file containing the
+ # PKCS #12 password used when exporting the "Admin Certificate"
+ # into a PKCS #12 file
+ util.password.create_client_pkcs12_password_conf(
+ master['pki_client_pkcs12_password_conf'])
+ util.file.modify(master['pki_client_pkcs12_password_conf'])
+ util.directory.create(master['pki_client_database_dir'],
+ uid=0, gid=0)
+ util.certutil.create_security_databases(
+ master['pki_client_database_dir'],
+ master['pki_client_cert_database'],
+ master['pki_client_key_database'],
+ master['pki_client_secmod_database'],
+ password_file=master['pki_client_password_conf'])
+ util.symlink.create(master['pki_systemd_service'],
+ master['pki_systemd_service_link'])
+
# Start/Restart this Apache/Tomcat PKI Process
- if not config.pki_dry_run_flag:
- if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS:
- apache_instance_subsystems =\
- util.instance.apache_instance_subsystems()
- if apache_instance_subsystems == 1:
- util.systemd.start()
- elif apache_instance_subsystems > 1:
- util.systemd.restart()
- elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
- # Optionally prepare to enable a java debugger
- # (e. g. - 'eclipse'):
- if config.str2bool(master['pki_enable_java_debugger']):
- config.prepare_for_an_external_java_debugger(
- master['pki_target_tomcat_conf_instance_id'])
- tomcat_instance_subsystems =\
- util.instance.tomcat_instance_subsystems()
- if tomcat_instance_subsystems == 1:
- util.systemd.start()
- elif tomcat_instance_subsystems > 1:
- util.systemd.restart()
- else:
- # ALWAYS display correct information (even during dry_run)
- if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS:
- apache_instance_subsystems =\
- util.instance.apache_instance_subsystems()
- if apache_instance_subsystems == 0:
- util.systemd.start()
- elif apache_instance_subsystems > 0:
- util.systemd.restart()
- elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
- # Optionally prepare to enable a java debugger
- # (e. g. - 'eclipse'):
- if config.str2bool(master['pki_enable_java_debugger']):
- config.prepare_for_an_external_java_debugger(
- master['pki_target_tomcat_conf_instance_id'])
- tomcat_instance_subsystems =\
- util.instance.tomcat_instance_subsystems()
- if tomcat_instance_subsystems == 0:
- util.systemd.start()
- elif tomcat_instance_subsystems > 0:
- util.systemd.restart()
+ if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS:
+ apache_instance_subsystems =\
+ util.instance.apache_instance_subsystems()
+ if apache_instance_subsystems == 1:
+ util.systemd.start()
+ elif apache_instance_subsystems > 1:
+ util.systemd.restart()
+ elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
+ # Optionally prepare to enable a java debugger
+ # (e. g. - 'eclipse'):
+ if config.str2bool(master['pki_enable_java_debugger']):
+ config.prepare_for_an_external_java_debugger(
+ master['pki_target_tomcat_conf_instance_id'])
+ tomcat_instance_subsystems =\
+ util.instance.tomcat_instance_subsystems()
+ if tomcat_instance_subsystems == 1:
+ util.systemd.start()
+ elif tomcat_instance_subsystems > 1:
+ util.systemd.restart()
+
# Pass control to the Java servlet via Jython 2.2 'configuration.jy'
util.jython.invoke(master['pki_jython_configuration_scriptlet'])
return self.rv
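Review bot: The client password file is written by `util.password.create_password_conf(...)` and only afterwards re-owned by `util.file.modify(master['pki_client_password_conf'], uid=0, gid=0)`, and the PKCS #12 password file gets a `util.file.modify(...)` call with no uid, gid or mode at all; whether create_password_conf opens the file with an owner-only mode is not visible here. If it relies on the process umask, the cleartext database password is readable by other local users between creation and the modify call, and the PKCS #12 password file may stay at the umask default. Either give the second modify call the same `uid=0, gid=0` (plus an explicit mode, if file.modify takes the equivalent of directory.create's `perms=`) or confirm create_password_conf creates the file with a restrictive mode and say so in the comment above it. The enclosing spawn method starts before the hunk.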
@@ -143,27 +104,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
def destroy(self):
config.pki_log.info(log.CONFIGURATION_DESTROY_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
- if not config.pki_dry_run_flag:
- if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
- util.instance.apache_instance_subsystems() == 1:
- if util.directory.exists(master['pki_client_dir']):
- util.directory.delete(master['pki_client_dir'])
- util.symlink.delete(master['pki_systemd_service_link'])
- elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
- util.instance.tomcat_instance_subsystems() == 1:
- if util.directory.exists(master['pki_client_dir']):
- util.directory.delete(master['pki_client_dir'])
- util.symlink.delete(master['pki_systemd_service_link'])
- else:
- # ALWAYS display correct information (even during dry_run)
- if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
- util.instance.apache_instance_subsystems() == 0:
- if util.directory.exists(master['pki_client_dir']):
- util.directory.delete(master['pki_client_dir'])
- util.symlink.delete(master['pki_systemd_service_link'])
- elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
- util.instance.tomcat_instance_subsystems() == 0:
- if util.directory.exists(master['pki_client_dir']):
- util.directory.delete(master['pki_client_dir'])
- util.symlink.delete(master['pki_systemd_service_link'])
+ if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
+ util.instance.apache_instance_subsystems() == 1:
+ if util.directory.exists(master['pki_client_dir']):
+ util.directory.delete(master['pki_client_dir'])
+ util.symlink.delete(master['pki_systemd_service_link'])
+ elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
+ util.instance.tomcat_instance_subsystems() == 1:
+ if util.directory.exists(master['pki_client_dir']):
+ util.directory.delete(master['pki_client_dir'])
+ util.symlink.delete(master['pki_systemd_service_link'])
return self.rv
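Review bot: The Apache and Tomcat branches of destroy carry identical bodies (`util.directory.delete(master['pki_client_dir'])` guarded by exists, then `util.symlink.delete(master['pki_systemd_service_link'])`); computing one boolean first, `is_last = (master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and util.instance.apache_instance_subsystems() == 1) or (master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and util.instance.tomcat_instance_subsystems() == 1)`, and keeping a single copy of the body under `if is_last:` removes the duplication that the dry-run removal has just halved. The finalization destroy hunk has the same shape with `>= 1`. The raw diff does not show whether the symlink delete sits inside or beside the exists check, so preserve whichever it is. The enclosing destroy method starts before the hunk.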
diff --git a/base/deploy/src/scriptlets/finalization.py b/base/deploy/src/scriptlets/finalization.py
index a86ffff28..62d92a626 100644
--- a/base/deploy/src/scriptlets/finalization.py
+++ b/base/deploy/src/scriptlets/finalization.py
@@ -48,10 +48,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
extra=config.PKI_INDENTATION_LEVEL_2)
# for record in manifest.database:
# print tuple(record)
- if not config.pki_dry_run_flag:
- manifest.file.register(master['pki_manifest'])
- manifest.file.write()
- util.file.modify(master['pki_manifest'], silent=True)
+ manifest.file.register(master['pki_manifest'])
+ manifest.file.write()
+ util.file.modify(master['pki_manifest'], silent=True)
+
# Also, for debugging/auditing purposes, save a timestamped copy of
# this installation manifest file
util.file.copy(master['pki_manifest'],
@@ -78,8 +78,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
master['pki_subsystem'],
master['pki_instance_id'],
extra=config.PKI_INDENTATION_LEVEL_0)
- if not config.pki_dry_run_flag:
- util.file.modify(master['pki_spawn_log'], silent=True)
+ util.file.modify(master['pki_spawn_log'], silent=True)
# If instance has not been configured, print the
# configuration URL to the screen
if config.str2bool(master['pki_skip_configuration']):
@@ -94,24 +93,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
def destroy(self):
config.pki_log.info(log.FINALIZATION_DESTROY_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
- if not config.pki_dry_run_flag:
- util.file.modify(master['pki_destroy_log'], silent=True)
+ util.file.modify(master['pki_destroy_log'], silent=True)
# Start this Apache/Tomcat PKI Process
- if not config.pki_dry_run_flag:
- if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
- util.instance.apache_instance_subsystems() >= 1:
- util.systemd.start()
- elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
- util.instance.tomcat_instance_subsystems() >= 1:
- util.systemd.start()
- else:
- # ALWAYS display correct information (even during dry_run)
- if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
- util.instance.apache_instance_subsystems() >= 0:
- util.systemd.start()
- elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
- util.instance.tomcat_instance_subsystems() >= 0:
- util.systemd.start()
+ if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
+ util.instance.apache_instance_subsystems() >= 1:
+ util.systemd.start()
+ elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
+ util.instance.tomcat_instance_subsystems() >= 1:
+ util.systemd.start()
config.pki_log.info(log.PKIDESTROY_END_MESSAGE_2,
master['pki_subsystem'],
master['pki_instance_id'],
diff --git a/base/deploy/src/scriptlets/infrastructure_layout.py b/base/deploy/src/scriptlets/infrastructure_layout.py
index d4dc264fd..e79fa8bfe 100644
--- a/base/deploy/src/scriptlets/infrastructure_layout.py
+++ b/base/deploy/src/scriptlets/infrastructure_layout.py
@@ -90,35 +90,18 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
config.pki_log.info(log.ADMIN_DOMAIN_DESTROY_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
# remove top-level infrastructure base
- if not config.pki_dry_run_flag:
- if master['pki_subsystem'] in config.PKI_SUBSYSTEMS and\
- util.instance.pki_instance_subsystems() == 0:
- # remove top-level infrastructure base
- util.directory.delete(master['pki_path'])
- # do NOT remove top-level infrastructure logs
- # since it now stores 'pkispawn'/'pkidestroy' logs
- # util.directory.delete(master['pki_log_path'])
- # remove top-level infrastructure configuration
- if util.directory.is_empty(master['pki_configuration_path'])\
- and master['pki_configuration_path'] !=\
- config.PKI_DEPLOYMENT_CONFIGURATION_ROOT:
- util.directory.delete(master['pki_configuration_path'])
- # remove top-level infrastructure registry
- util.directory.delete(master['pki_registry_path'])
- else:
- # ALWAYS display correct information (even during dry_run)
- if master['pki_subsystem'] in config.PKI_SUBSYSTEMS and\
- util.instance.pki_instance_subsystems() == 1:
- # remove top-level infrastructure base
- util.directory.delete(master['pki_path'])
- # do NOT remove top-level infrastructure logs
- # since it now stores 'pkispawn'/'pkidestroy' logs
- # util.directory.delete(master['pki_log_path'])
- # remove top-level infrastructure configuration
- if util.directory.is_empty(master['pki_configuration_path'])\
- and master['pki_configuration_path'] !=\
- config.PKI_DEPLOYMENT_CONFIGURATION_ROOT:
- util.directory.delete(master['pki_configuration_path'])
- # remove top-level infrastructure registry
- util.directory.delete(master['pki_registry_path'])
+ if master['pki_subsystem'] in config.PKI_SUBSYSTEMS and\
+ util.instance.pki_instance_subsystems() == 0:
+ # remove top-level infrastructure base
+ util.directory.delete(master['pki_path'])
+ # do NOT remove top-level infrastructure logs
+ # since it now stores 'pkispawn'/'pkidestroy' logs
+ # util.directory.delete(master['pki_log_path'])
+ # remove top-level infrastructure configuration
+ if util.directory.is_empty(master['pki_configuration_path'])\
+ and master['pki_configuration_path'] !=\
+ config.PKI_DEPLOYMENT_CONFIGURATION_ROOT:
+ util.directory.delete(master['pki_configuration_path'])
+ # remove top-level infrastructure registry
+ util.directory.delete(master['pki_registry_path'])
return self.rv
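Review bot: `util.directory.delete(master['pki_path'])` and `util.directory.delete(master['pki_registry_path'])` run unconditionally once `pki_instance_subsystems()` reports zero, and directory.delete is `shutil.rmtree` (pkihelper hunk at -1136), yet only `pki_configuration_path` is compared against `config.PKI_DEPLOYMENT_CONFIGURATION_ROOT` before removal. A mis-set or empty `pki_root_prefix` would turn the other two paths into the system directories they are meant to be prefixes of, so a guard such as `if not name or os.path.abspath(name) == '/': raise ValueError(name)` belongs in directory.delete ahead of the rmtree, or the caller should assert the path lies under the deployment root; the same applies to the instance_layout destroy hunk and the pkihelper directory.delete hunk. The enclosing destroy method starts before the hunk.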
diff --git a/base/deploy/src/scriptlets/instance_layout.py b/base/deploy/src/scriptlets/instance_layout.py
index 0df418165..f45293104 100644
--- a/base/deploy/src/scriptlets/instance_layout.py
+++ b/base/deploy/src/scriptlets/instance_layout.py
@@ -248,73 +248,37 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
extra=config.PKI_INDENTATION_LEVEL_1)
if master['pki_subsystem'] == 'TKS':
util.symlink.delete(master['pki_symkey_jar_link'])
- if not config.pki_dry_run_flag:
- if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
- util.instance.apache_instance_subsystems() == 0:
- # remove Apache instance base
- util.directory.delete(master['pki_instance_path'])
- # remove Apache instance logs
- # remove shared NSS security database path for this instance
- util.directory.delete(master['pki_database_path'])
- # remove Apache instance configuration
- util.directory.delete(master['pki_instance_configuration_path'])
- # remove Apache instance registry
- util.directory.delete(master['pki_instance_registry_path'])
- # remove Apache PKI registry (if empty)
- if util.instance.apache_instances() == 0:
- util.directory.delete(
- master['pki_instance_type_registry_path'])
- elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
- util.instance.tomcat_instance_subsystems() == 0:
- # remove Tomcat instance base
- util.directory.delete(master['pki_instance_path'])
- # remove Tomcat instance logs
- util.directory.delete(master['pki_instance_log_path'])
- # remove shared NSS security database path for this instance
- util.directory.delete(master['pki_database_path'])
- # remove Tomcat instance configuration
- util.directory.delete(master['pki_instance_configuration_path'])
- # remove PKI 'tomcat.conf' instance file
- util.file.delete(master['pki_target_tomcat_conf_instance_id'])
- # remove Tomcat instance registry
- util.directory.delete(master['pki_instance_registry_path'])
- # remove Tomcat PKI registry (if empty)
- if util.instance.tomcat_instances() == 0:
- util.directory.delete(
- master['pki_instance_type_registry_path'])
- else:
- # ALWAYS display correct information (even during dry_run)
- if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
- util.instance.apache_instance_subsystems() == 1:
- # remove Apache instance base
- util.directory.delete(master['pki_instance_path'])
- # remove Apache instance logs
- # remove shared NSS security database path for this instance
- util.directory.delete(master['pki_database_path'])
- # remove Apache instance configuration
- util.directory.delete(master['pki_instance_configuration_path'])
- # remove Apache instance registry
- util.directory.delete(master['pki_instance_registry_path'])
- # remove Apache PKI registry (if empty)
- if util.instance.apache_instances() == 1:
- util.directory.delete(
- master['pki_instance_type_registry_path'])
- elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
- util.instance.tomcat_instance_subsystems() == 1:
- # remove Tomcat instance base
- util.directory.delete(master['pki_instance_path'])
- # remove Tomcat instance logs
- util.directory.delete(master['pki_instance_log_path'])
- # remove shared NSS security database path for this instance
- util.directory.delete(master['pki_database_path'])
- # remove Tomcat instance configuration
- util.directory.delete(master['pki_instance_configuration_path'])
- # remove PKI 'tomcat.conf' instance file
- util.file.delete(master['pki_target_tomcat_conf_instance_id'])
- # remove Tomcat instance registry
- util.directory.delete(master['pki_instance_registry_path'])
- # remove Tomcat PKI registry (if empty)
- if util.instance.tomcat_instances() == 1:
- util.directory.delete(
- master['pki_instance_type_registry_path'])
+ if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
+ util.instance.apache_instance_subsystems() == 0:
+ # remove Apache instance base
+ util.directory.delete(master['pki_instance_path'])
+ # remove Apache instance logs
+ # remove shared NSS security database path for this instance
+ util.directory.delete(master['pki_database_path'])
+ # remove Apache instance configuration
+ util.directory.delete(master['pki_instance_configuration_path'])
+ # remove Apache instance registry
+ util.directory.delete(master['pki_instance_registry_path'])
+ # remove Apache PKI registry (if empty)
+ if util.instance.apache_instances() == 0:
+ util.directory.delete(
+ master['pki_instance_type_registry_path'])
+ elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
+ util.instance.tomcat_instance_subsystems() == 0:
+ # remove Tomcat instance base
+ util.directory.delete(master['pki_instance_path'])
+ # remove Tomcat instance logs
+ util.directory.delete(master['pki_instance_log_path'])
+ # remove shared NSS security database path for this instance
+ util.directory.delete(master['pki_database_path'])
+ # remove Tomcat instance configuration
+ util.directory.delete(master['pki_instance_configuration_path'])
+ # remove PKI 'tomcat.conf' instance file
+ util.file.delete(master['pki_target_tomcat_conf_instance_id'])
+ # remove Tomcat instance registry
+ util.directory.delete(master['pki_instance_registry_path'])
+ # remove Tomcat PKI registry (if empty)
+ if util.instance.tomcat_instances() == 0:
+ util.directory.delete(
+ master['pki_instance_type_registry_path'])
return self.rv
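Review bot: In the Apache branch the comment `# remove Apache instance logs` is immediately followed by `# remove shared NSS security database path for this instance` with no statement between them, while the Tomcat branch deletes `master['pki_instance_log_path']` at the same point. Either the Apache log directory is intentionally kept, in which case the comment should say so, e.g. `# Apache instance logs are intentionally kept`, or the `util.directory.delete(master['pki_instance_log_path'])` call is missing; the hunk does not show which. The enclosing destroy method starts before the hunk.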
diff --git a/base/deploy/src/scriptlets/pkiconfig.py b/base/deploy/src/scriptlets/pkiconfig.py
index ba411933d..e8e65970e 100644
--- a/base/deploy/src/scriptlets/pkiconfig.py
+++ b/base/deploy/src/scriptlets/pkiconfig.py
@@ -125,7 +125,6 @@ pkideployment_cfg = None
pki_deployed_instance_name = None
# PKI Deployment "Optional" Command-Line Variables
-pki_dry_run_flag = False
# 'pkispawn' ONLY
pki_update_flag = False
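Review bot: Removing the `pki_dry_run_flag = False` default turns any `config.pki_dry_run_flag` reference this commit missed into a runtime AttributeError on that code path rather than an import-time failure, and the diffstat shows pkiparser.py changed by only 7 lines, so the option parsing presumably went with it. Nothing in this view shows a leftover reader, so this is only a caution to search base/deploy for the attribute name before merging.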
diff --git a/base/deploy/src/scriptlets/pkihelper.py b/base/deploy/src/scriptlets/pkihelper.py
index ecc1df791..ba67465ef 100644
--- a/base/deploy/src/scriptlets/pkihelper.py
+++ b/base/deploy/src/scriptlets/pkihelper.py
@@ -808,30 +808,29 @@ class configuration_file:
# config.pki_log.info(log.PKIHELPER_REMOVE_FILTER_SECTION_1,
# master['pki_target_subsystem_web_xml'],
# extra=config.PKI_INDENTATION_LEVEL_2)
-# if not config.pki_dry_run_flag:
-# begin_filters_section = False
-# begin_servlet_section = False
-# FILE = open(web_xml_target, "w")
-# for line in fileinput.FileInput(web_xml_source):
-# if not begin_filters_section:
-# # Read and write lines until first "<filter>" tag
-# if line.count("<filter>") >= 1:
-# # Mark filters section
-# begin_filters_section = True
-# else:
-# FILE.write(line)
-# elif not begin_servlet_section:
-# # Skip lines until first "<servlet>" tag
-# if line.count("<servlet>") >= 1:
-# # Mark servlets section and write out the opening tag
-# begin_servlet_section = True
-# FILE.write(line)
-# else:
-# continue
+# begin_filters_section = False
+# begin_servlet_section = False
+# FILE = open(web_xml_target, "w")
+# for line in fileinput.FileInput(web_xml_source):
+# if not begin_filters_section:
+# # Read and write lines until first "<filter>" tag
+# if line.count("<filter>") >= 1:
+# # Mark filters section
+# begin_filters_section = True
# else:
-# # Read and write lines all lines after "<servlet>" tag
# FILE.write(line)
-# FILE.close()
+# elif not begin_servlet_section:
+# # Skip lines until first "<servlet>" tag
+# if line.count("<servlet>") >= 1:
+# # Mark servlets section and write out the opening tag
+# begin_servlet_section = True
+# FILE.write(line)
+# else:
+# continue
+# else:
+# # Read and write lines all lines after "<servlet>" tag
+# FILE.write(line)
+# FILE.close()
# PKI Deployment Instance Class
@@ -845,15 +844,9 @@ class instance:
path = master['pki_instance_path'] + "/" + subsystem.lower()
if os.path.exists(path) and os.path.isdir(path):
rv = rv + 1
- # always display correct information (even during dry_run)
- if config.pki_dry_run_flag and rv > 0:
- config.pki_log.debug(log.PKIHELPER_APACHE_INSTANCE_SUBSYSTEMS_2,
- master['pki_instance_path'], rv - 1,
- extra=config.PKI_INDENTATION_LEVEL_2)
- else:
- config.pki_log.debug(log.PKIHELPER_APACHE_INSTANCE_SUBSYSTEMS_2,
- master['pki_instance_path'],
- rv, extra=config.PKI_INDENTATION_LEVEL_2)
+ config.pki_log.debug(log.PKIHELPER_APACHE_INSTANCE_SUBSYSTEMS_2,
+ master['pki_instance_path'],
+ rv, extra=config.PKI_INDENTATION_LEVEL_2)
except OSError as exc:
config.pki_log.error(log.PKI_OSERROR_1, exc,
extra=config.PKI_INDENTATION_LEVEL_2)
@@ -877,17 +870,10 @@ class instance:
os.path.join(master['pki_instance_type_registry_path'],
instance)):
rv = rv + 1
- # always display correct information (even during dry_run)
- if config.pki_dry_run_flag and rv > 0:
- config.pki_log.debug(log.PKIHELPER_APACHE_INSTANCES_2,
- master['pki_instance_type_registry_path'],
- rv - 1,
- extra=config.PKI_INDENTATION_LEVEL_2)
- else:
- config.pki_log.debug(log.PKIHELPER_APACHE_INSTANCES_2,
- master['pki_instance_type_registry_path'],
- rv,
- extra=config.PKI_INDENTATION_LEVEL_2)
+ config.pki_log.debug(log.PKIHELPER_APACHE_INSTANCES_2,
+ master['pki_instance_type_registry_path'],
+ rv,
+ extra=config.PKI_INDENTATION_LEVEL_2)
except OSError as exc:
config.pki_log.error(log.PKI_OSERROR_1, exc,
extra=config.PKI_INDENTATION_LEVEL_2)
@@ -913,15 +899,9 @@ class instance:
not os.path.islink(os.path.join(dir,name)):
if name.upper() in config.PKI_SUBSYSTEMS:
rv = rv + 1
- # always display correct information (even during dry_run)
- if config.pki_dry_run_flag and rv > 0:
- config.pki_log.debug(log.PKIHELPER_PKI_INSTANCE_SUBSYSTEMS_2,
- master['pki_instance_path'], rv - 1,
- extra=config.PKI_INDENTATION_LEVEL_2)
- else:
- config.pki_log.debug(log.PKIHELPER_PKI_INSTANCE_SUBSYSTEMS_2,
- master['pki_instance_path'], rv,
- extra=config.PKI_INDENTATION_LEVEL_2)
+ config.pki_log.debug(log.PKIHELPER_PKI_INSTANCE_SUBSYSTEMS_2,
+ master['pki_instance_path'], rv,
+ extra=config.PKI_INDENTATION_LEVEL_2)
except OSError as exc:
config.pki_log.error(log.PKI_OSERROR_1, exc,
extra=config.PKI_INDENTATION_LEVEL_2)
@@ -937,15 +917,9 @@ class instance:
path = master['pki_instance_path'] + "/" + subsystem.lower()
if os.path.exists(path) and os.path.isdir(path):
rv = rv + 1
- # always display correct information (even during dry_run)
- if config.pki_dry_run_flag and rv > 0:
- config.pki_log.debug(log.PKIHELPER_TOMCAT_INSTANCE_SUBSYSTEMS_2,
- master['pki_instance_path'], rv - 1,
- extra=config.PKI_INDENTATION_LEVEL_2)
- else:
- config.pki_log.debug(log.PKIHELPER_TOMCAT_INSTANCE_SUBSYSTEMS_2,
- master['pki_instance_path'],
- rv, extra=config.PKI_INDENTATION_LEVEL_2)
+ config.pki_log.debug(log.PKIHELPER_TOMCAT_INSTANCE_SUBSYSTEMS_2,
+ master['pki_instance_path'],
+ rv, extra=config.PKI_INDENTATION_LEVEL_2)
except OSError as exc:
config.pki_log.error(log.PKI_OSERROR_1, exc,
extra=config.PKI_INDENTATION_LEVEL_2)
@@ -969,17 +943,10 @@ class instance:
os.path.join(master['pki_instance_type_registry_path'],
instance)):
rv = rv + 1
- # always display correct information (even during dry_run)
- if config.pki_dry_run_flag and rv > 0:
- config.pki_log.debug(log.PKIHELPER_TOMCAT_INSTANCES_2,
- master['pki_instance_type_registry_path'],
- rv - 1,
- extra=config.PKI_INDENTATION_LEVEL_2)
- else:
- config.pki_log.debug(log.PKIHELPER_TOMCAT_INSTANCES_2,
- master['pki_instance_type_registry_path'],
- rv,
- extra=config.PKI_INDENTATION_LEVEL_2)
+ config.pki_log.debug(log.PKIHELPER_TOMCAT_INSTANCES_2,
+ master['pki_instance_type_registry_path'],
+ rv,
+ extra=config.PKI_INDENTATION_LEVEL_2)
except OSError as exc:
config.pki_log.error(log.PKI_OSERROR_1, exc,
extra=config.PKI_INDENTATION_LEVEL_2)
@@ -1023,13 +990,11 @@ class directory:
# mkdir -p <name>
config.pki_log.info(log.PKIHELPER_MKDIR_1, name,
extra=config.PKI_INDENTATION_LEVEL_2)
- if not config.pki_dry_run_flag:
- os.makedirs(name)
+ os.makedirs(name)
# chmod <perms> <name>
config.pki_log.debug(log.PKIHELPER_CHMOD_2, perms, name,
extra=config.PKI_INDENTATION_LEVEL_3)
- if not config.pki_dry_run_flag:
- os.chmod(name, perms)
+ os.chmod(name, perms)
# chown <uid>:<gid> <name>
if uid == None:
uid = identity.get_uid()
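Review bot: `os.makedirs(name)` creates the directory with the umask-default mode and only the following `os.chmod(name, perms)` tightens it, so for a restrictive `perms` (configuration.py passes `PKI_DEPLOYMENT_DEFAULT_CLIENT_DIR_PERMISSIONS` through this path) the directory exists with broader permissions until the chmod runs; the dry-run removal makes both calls unconditional but keeps that order. Passing the mode at creation, `os.makedirs(name, perms)`, closes the window, since the umask can only make it more restrictive and the chmod still sets the exact bits; if intermediate directories may be created here and must keep the default mode (older Pythons apply the makedirs mode to them too), create the parents first and the leaf with `os.mkdir(name, perms)`. create's signature starts before the hunk.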
@@ -1038,8 +1003,7 @@ class directory:
config.pki_log.debug(log.PKIHELPER_CHOWN_3,
uid, gid, name,
extra=config.PKI_INDENTATION_LEVEL_3)
- if not config.pki_dry_run_flag:
- os.chown(name, uid, gid)
+ os.chown(name, uid, gid)
# Store record in installation manifest
record = manifest.record()
record.name = name
@@ -1086,8 +1050,7 @@ class directory:
if not silent:
config.pki_log.debug(log.PKIHELPER_CHMOD_2, perms, name,
extra=config.PKI_INDENTATION_LEVEL_3)
- if not config.pki_dry_run_flag:
- os.chmod(name, perms)
+ os.chmod(name, perms)
# chown <uid>:<gid> <name>
if uid == None:
uid = identity.get_uid()
@@ -1097,8 +1060,7 @@ class directory:
config.pki_log.debug(log.PKIHELPER_CHOWN_3,
uid, gid, name,
extra=config.PKI_INDENTATION_LEVEL_3)
- if not config.pki_dry_run_flag:
- os.chown(name, uid, gid)
+ os.chown(name, uid, gid)
# Store record in installation manifest
if not silent:
record = manifest.record()
@@ -1136,14 +1098,12 @@ class directory:
# rm -rf <name>
config.pki_log.info(log.PKIHELPER_RM_RF_1, name,
extra=config.PKI_INDENTATION_LEVEL_2)
- if not config.pki_dry_run_flag:
- shutil.rmtree(name)
+ shutil.rmtree(name)
else:
# rmdir <name>
config.pki_log.info(log.PKIHELPER_RMDIR_1, name,
extra=config.PKI_INDENTATION_LEVEL_2)
- if not config.pki_dry_run_flag:
- os.rmdir(name)
+ os.rmdir(name)
except OSError as exc:
config.pki_log.error(log.PKI_OSERROR_1, exc,
extra=config.PKI_INDENTATION_LEVEL_2)
@@ -1185,11 +1145,7 @@ class directory:
dir_acls=None, file_acls=None, symlink_acls=None,
recursive_flag=True, critical_failure=True):
try:
- if config.pki_dry_run_flag:
- config.pki_log.info(
- log.PKIHELPER_SET_MODE_1, name,
- extra=config.PKI_INDENTATION_LEVEL_2)
- elif not os.path.exists(name) or not os.path.isdir(name):
+ if not os.path.exists(name) or not os.path.isdir(name):
config.pki_log.error(
log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, name,
extra=config.PKI_INDENTATION_LEVEL_2)
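Review bot: The new guard `if not os.path.exists(name) or not os.path.isdir(name):` is redundant, since `os.path.isdir` already returns False for a missing path; `if not os.path.isdir(name):` is enough and matches the error message that follows. With the dry-run branch gone the function always walks and rewrites modes, so this guard is the only check between a bad `name` and a chmod/chown pass over it, and keeping it simple helps. set_mode's signature starts before the hunk.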
@@ -1215,14 +1171,12 @@ class directory:
config.pki_log.debug(log.PKIHELPER_CHMOD_2,
file_perms, file,
extra=config.PKI_INDENTATION_LEVEL_3)
- if not config.pki_dry_run_flag:
- os.chmod(file, file_perms)
+ os.chmod(file, file_perms)
# chown <uid>:<gid> <name>
config.pki_log.debug(log.PKIHELPER_CHOWN_3,
uid, gid, file,
extra=config.PKI_INDENTATION_LEVEL_3)
- if not config.pki_dry_run_flag:
- os.chown(file, uid, gid)
+ os.chown(file, uid, gid)
# Store record in installation manifest
record = manifest.record()
record.name = name
@@ -1248,8 +1202,7 @@ class directory:
config.pki_log.debug(log.PKIHELPER_CHOWN_H_3,
uid, gid, symlink,
extra=config.PKI_INDENTATION_LEVEL_3)
- if not config.pki_dry_run_flag:
- os.lchown(symlink, uid, gid)
+ os.lchown(symlink, uid, gid)
# Store record in installation manifest
record = manifest.record()
record.name = name
@@ -1270,14 +1223,12 @@ class directory:
config.pki_log.debug(log.PKIHELPER_CHMOD_2,
dir_perms, dir,
extra=config.PKI_INDENTATION_LEVEL_3)
- if not config.pki_dry_run_flag:
- os.chmod(dir, dir_perms)
+ os.chmod(dir, dir_perms)
# chown <uid>:<gid> <name>
config.pki_log.debug(log.PKIHELPER_CHOWN_3,
uid, gid, dir,
extra=config.PKI_INDENTATION_LEVEL_3)
- if not config.pki_dry_run_flag:
- os.chown(dir, uid, gid)
+ os.chown(dir, uid, gid)
# Store record in installation manifest
record = manifest.record()
record.name = name
@@ -1298,14 +1249,12 @@ class directory:
config.pki_log.debug(log.PKIHELPER_CHMOD_2,
dir_perms, name,
extra=config.PKI_INDENTATION_LEVEL_3)
- if not config.pki_dry_run_flag:
- os.chmod(name, dir_perms)
+ os.chmod(name, dir_perms)
# chown <uid>:<gid> <name>
config.pki_log.debug(log.PKIHELPER_CHOWN_3,
uid, gid, name,
extra=config.PKI_INDENTATION_LEVEL_3)
- if not config.pki_dry_run_flag:
- os.chown(name, uid, gid)
+ os.chown(name, uid, gid)
# Store record in installation manifest
record = manifest.record()
record.name = name
@@ -1330,21 +1279,7 @@ class directory:
dir_acls=None, file_acls=None, symlink_acls=None,
recursive_flag=True, overwrite_flag=False, critical_failure=True):
try:
- if config.pki_dry_run_flag:
- if recursive_flag == True:
- # cp -rp <old_name> <new_name>
- config.pki_log.info(log.PKIHELPER_CP_RP_2,
- old_name, new_name,
- extra=config.PKI_INDENTATION_LEVEL_2)
- else:
- # cp -p <old_name> <new_name>
- config.pki_log.info(log.PKIHELPER_CP_P_2,
- old_name, new_name,
- extra=config.PKI_INDENTATION_LEVEL_2)
- config.pki_log.info(
- log.PKIHELPER_SET_MODE_1, new_name,
- extra=config.PKI_INDENTATION_LEVEL_2)
- elif not os.path.exists(old_name) or not os.path.isdir(old_name):
+ if not os.path.exists(old_name) or not os.path.isdir(old_name):
config.pki_log.error(
log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, old_name,
extra=config.PKI_INDENTATION_LEVEL_2)
@@ -1408,13 +1343,11 @@ class file:
# touch <name>
config.pki_log.info(log.PKIHELPER_TOUCH_1, name,
extra=config.PKI_INDENTATION_LEVEL_2)
- if not config.pki_dry_run_flag:
- open(name, "w").close()
+ open(name, "w").close()
# chmod <perms> <name>
config.pki_log.debug(log.PKIHELPER_CHMOD_2, perms, name,
extra=config.PKI_INDENTATION_LEVEL_3)
- if not config.pki_dry_run_flag:
- os.chmod(name, perms)
+ os.chmod(name, perms)
# chown <uid>:<gid> <name>
if uid == None:
uid = identity.get_uid()
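Review bot: The `open(name, "w").close()` that this hunk now runs unconditionally truncates any file already at `name`, which is stronger than the `# touch <name>` comment above it promises. If callers only need the file to exist, `open(name, "a").close()` creates it without discarding existing contents; if truncation is intended, the comment should say so, e.g. `# create (or truncate) <name>`. The enclosing create method starts and ends outside the hunk, so whether an existence check precedes this line is not visible here.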
@@ -1423,8 +1356,7 @@ class file:
config.pki_log.debug(log.PKIHELPER_CHOWN_3,
uid, gid, name,
extra=config.PKI_INDENTATION_LEVEL_3)
- if not config.pki_dry_run_flag:
- os.chown(name, uid, gid)
+ os.chown(name, uid, gid)
# Store record in installation manifest
record = manifest.record()
record.name = name
@@ -1471,8 +1403,7 @@ class file:
if not silent:
config.pki_log.debug(log.PKIHELPER_CHMOD_2, perms, name,
extra=config.PKI_INDENTATION_LEVEL_3)
- if not config.pki_dry_run_flag:
- os.chmod(name, perms)
+ os.chmod(name, perms)
# chown <uid>:<gid> <name>
if uid == None:
uid = identity.get_uid()
@@ -1482,8 +1413,7 @@ class file:
config.pki_log.debug(log.PKIHELPER_CHOWN_3,
uid, gid, name,
extra=config.PKI_INDENTATION_LEVEL_3)
- if not config.pki_dry_run_flag:
- os.chown(name, uid, gid)
+ os.chown(name, uid, gid)
# Store record in installation manifest
if not silent:
record = manifest.record()
@@ -1520,8 +1450,7 @@ class file:
# rm -f <name>
config.pki_log.info(log.PKIHELPER_RM_F_1, name,
extra=config.PKI_INDENTATION_LEVEL_2)
- if not config.pki_dry_run_flag:
- os.remove(name)
+ os.remove(name)
except OSError as exc:
config.pki_log.error(log.PKI_OSERROR_1, exc,
extra=config.PKI_INDENTATION_LEVEL_2)
@@ -1544,20 +1473,7 @@ class file:
perms=config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS, acls=None,
overwrite_flag=False, critical_failure=True):
try:
- if config.pki_dry_run_flag:
- # cp -p <old_name> <new_name>
- config.pki_log.info(log.PKIHELPER_CP_P_2,
- old_name, new_name,
- extra=config.PKI_INDENTATION_LEVEL_2)
- # chmod <perms> <new_name>
- config.pki_log.debug(log.PKIHELPER_CHMOD_2,
- perms, new_name,
- extra=config.PKI_INDENTATION_LEVEL_3)
- # chown <uid>:<gid> <new_name>
- config.pki_log.debug(log.PKIHELPER_CHOWN_3,
- uid, gid, new_name,
- extra=config.PKI_INDENTATION_LEVEL_3)
- elif not os.path.exists(old_name) or not os.path.isfile(old_name):
+ if not os.path.exists(old_name) or not os.path.isfile(old_name):
config.pki_log.error(
log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, old_name,
extra=config.PKI_INDENTATION_LEVEL_2)
@@ -1616,72 +1532,49 @@ class file:
perms=config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS,
acls=None, critical_failure=True):
try:
- if config.pki_dry_run_flag:
- # applying in-place slot substitutions on <name>
- config.pki_log.info(log.PKIHELPER_APPLY_SLOT_SUBSTITUTION_1,
- name,
- extra=config.PKI_INDENTATION_LEVEL_2)
- # NOTE: During dry_run, this file may not exist!
- if os.path.exists(name) and os.path.isfile(name):
- for line in fileinput.FileInput(name, inplace=1):
- for slot in slots:
- if slot != '__name__' and slots[slot] in line:
- config.pki_log.debug(
- log.PKIHELPER_SLOT_SUBSTITUTION_2,
- slots[slot], master[slot],
- extra=config.PKI_INDENTATION_LEVEL_3)
- # chmod <perms> <name>
- config.pki_log.debug(log.PKIHELPER_CHMOD_2,
- perms, name,
- extra=config.PKI_INDENTATION_LEVEL_3)
- # chown <uid>:<gid> <name>
- config.pki_log.debug(log.PKIHELPER_CHOWN_3,
- uid, gid, name,
- extra=config.PKI_INDENTATION_LEVEL_3)
- else:
- if not os.path.exists(name) or not os.path.isfile(name):
- config.pki_log.error(
- log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, name,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- # applying in-place slot substitutions on <name>
- config.pki_log.info(log.PKIHELPER_APPLY_SLOT_SUBSTITUTION_1,
- name,
- extra=config.PKI_INDENTATION_LEVEL_2)
- for line in fileinput.FileInput(name, inplace=1):
- for slot in slots:
- if slot != '__name__' and slots[slot] in line:
- config.pki_log.debug(
- log.PKIHELPER_SLOT_SUBSTITUTION_2,
- slots[slot], master[slot],
- extra=config.PKI_INDENTATION_LEVEL_3)
- line=line.replace(slots[slot],master[slot])
- sys.stdout.write(line)
- if uid == None:
- uid = identity.get_uid()
- if gid == None:
- gid = identity.get_gid()
- # chmod <perms> <name>
- config.pki_log.debug(log.PKIHELPER_CHMOD_2,
- perms, name,
- extra=config.PKI_INDENTATION_LEVEL_3)
- os.chmod(name, perms)
- # chown <uid>:<gid> <name>
- config.pki_log.debug(log.PKIHELPER_CHOWN_3,
- uid, gid, name,
- extra=config.PKI_INDENTATION_LEVEL_3)
- os.chown(name, uid, gid)
- # Store record in installation manifest
- record = manifest.record()
- record.name = name
- record.type = manifest.RECORD_TYPE_FILE
- record.user = master['pki_user']
- record.group = master['pki_group']
- record.uid = uid
- record.gid = gid
- record.permissions = perms
- record.acls = acls
- manifest.database.append(record)
+ if not os.path.exists(name) or not os.path.isfile(name):
+ config.pki_log.error(
+ log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, name,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ # applying in-place slot substitutions on <name>
+ config.pki_log.info(log.PKIHELPER_APPLY_SLOT_SUBSTITUTION_1,
+ name,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ for line in fileinput.FileInput(name, inplace=1):
+ for slot in slots:
+ if slot != '__name__' and slots[slot] in line:
+ config.pki_log.debug(
+ log.PKIHELPER_SLOT_SUBSTITUTION_2,
+ slots[slot], master[slot],
+ extra=config.PKI_INDENTATION_LEVEL_3)
+ line=line.replace(slots[slot],master[slot])
+ sys.stdout.write(line)
+ if uid == None:
+ uid = identity.get_uid()
+ if gid == None:
+ gid = identity.get_gid()
+ # chmod <perms> <name>
+ config.pki_log.debug(log.PKIHELPER_CHMOD_2,
+ perms, name,
+ extra=config.PKI_INDENTATION_LEVEL_3)
+ os.chmod(name, perms)
+ # chown <uid>:<gid> <name>
+ config.pki_log.debug(log.PKIHELPER_CHOWN_3,
+ uid, gid, name,
+ extra=config.PKI_INDENTATION_LEVEL_3)
+ os.chown(name, uid, gid)
+ # Store record in installation manifest
+ record = manifest.record()
+ record.name = name
+ record.type = manifest.RECORD_TYPE_FILE
+ record.user = master['pki_user']
+ record.group = master['pki_group']
+ record.uid = uid
+ record.gid = gid
+ record.permissions = perms
+ record.acls = acls
+ manifest.database.append(record)
except OSError as exc:
config.pki_log.error(log.PKI_OSERROR_1, exc,
extra=config.PKI_INDENTATION_LEVEL_2)
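Review bot: The missing-file branch at the top of the new body calls `sys.exit(1)` unconditionally even though the signature two lines above carries `critical_failure=True`, so a caller passing `critical_failure=False` still gets a hard exit; `if critical_failure == True: sys.exit(1)` followed by a `return` would honour the parameter the way the `war` helper later in this file gates its exits. Separately, if this module runs under Python 2, failures from `fileinput.FileInput(name, inplace=1)` and from the `open` it performs surface as `IOError`, which is not a subclass of `OSError` there, so the `except OSError` handler at the end of the hunk does not catch them; `except (IOError, OSError) as exc:` closes that gap without changing Python 3 behaviour, where the two names are aliases. The handler's body continues outside the hunk.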
@@ -1700,27 +1593,7 @@ class file:
acls=None, overwrite_flag=False,
critical_failure=True):
try:
- if config.pki_dry_run_flag:
- # copy <old_name> to <new_name> with slot substitutions
- config.pki_log.info(log.PKIHELPER_COPY_WITH_SLOT_SUBSTITUTION_2,
- old_name, new_name,
- extra=config.PKI_INDENTATION_LEVEL_2)
- for line in fileinput.FileInput(old_name):
- for slot in slots:
- if slot != '__name__' and slots[slot] in line:
- config.pki_log.debug(
- log.PKIHELPER_SLOT_SUBSTITUTION_2,
- slots[slot], master[slot],
- extra=config.PKI_INDENTATION_LEVEL_3)
- # chmod <perms> <new_name>
- config.pki_log.debug(log.PKIHELPER_CHMOD_2,
- perms, new_name,
- extra=config.PKI_INDENTATION_LEVEL_3)
- # chown <uid>:<gid> <new_name>
- config.pki_log.debug(log.PKIHELPER_CHOWN_3,
- uid, gid, new_name,
- extra=config.PKI_INDENTATION_LEVEL_3)
- elif not os.path.exists(old_name) or not os.path.isfile(old_name):
+ if not os.path.exists(old_name) or not os.path.isfile(old_name):
config.pki_log.error(
log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, old_name,
extra=config.PKI_INDENTATION_LEVEL_2)
@@ -1793,18 +1666,16 @@ class file:
# filling it with <bytes> random bytes
config.pki_log.info(log.PKIHELPER_NOISE_FILE_2, name, bytes,
extra=config.PKI_INDENTATION_LEVEL_2)
- if not config.pki_dry_run_flag:
- open(name, "w").close()
- FILE = open(name, "w")
- noise = ''.join(random.choice(string.ascii_letters +\
- string.digits) for x in range(bytes))
- FILE.write(noise)
- FILE.close()
+ open(name, "w").close()
+ FILE = open(name, "w")
+ noise = ''.join(random.choice(string.ascii_letters +\
+ string.digits) for x in range(bytes))
+ FILE.write(noise)
+ FILE.close()
# chmod <perms> <name>
config.pki_log.debug(log.PKIHELPER_CHMOD_2, perms, name,
extra=config.PKI_INDENTATION_LEVEL_3)
- if not config.pki_dry_run_flag:
- os.chmod(name, perms)
+ os.chmod(name, perms)
# chown <uid>:<gid> <name>
if uid == None:
uid = identity.get_uid()
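Review bot: The noise produced at the `noise = ''.join(random.choice(...))` lines comes from the `random` module, a non-cryptographic PRNG, yet the log message names the result a noise file and the self-signed-certificate hunk later in this file checks `noise_file` before running certutil, which suggests it feeds key generation; the OS CSPRNG is the right source for that, `with open(name, "wb") as f: f.write(os.urandom(bytes))`. That form also drops the redundant `open(name, "w").close()` that immediately precedes the second `open(name, "w")` and closes the handle even if `write` raises. The parameter name `bytes` shadows the builtin, which is worth a rename in a follow-up since it is caller-visible. The enclosing method starts outside the hunk.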
@@ -1813,8 +1684,7 @@ class file:
config.pki_log.debug(log.PKIHELPER_CHOWN_3,
uid, gid, name,
extra=config.PKI_INDENTATION_LEVEL_3)
- if not config.pki_dry_run_flag:
- os.chown(name, uid, gid)
+ os.chown(name, uid, gid)
# Store record in installation manifest
record = manifest.record()
record.name = name
@@ -1849,18 +1719,16 @@ class symlink:
acls=None, allow_dangling_symlink=False, critical_failure=True):
try:
if not os.path.exists(link):
- if not config.pki_dry_run_flag:
- if not os.path.exists(name):
- config.pki_log.warning(
- log.PKIHELPER_DANGLING_SYMLINK_2, link, name,
- extra=config.PKI_INDENTATION_LEVEL_2)
- if not allow_dangling_symlink:
- sys.exit(1)
+ if not os.path.exists(name):
+ config.pki_log.warning(
+ log.PKIHELPER_DANGLING_SYMLINK_2, link, name,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if not allow_dangling_symlink:
+ sys.exit(1)
# ln -s <name> <link>
config.pki_log.info(log.PKIHELPER_LINK_S_2, name, link,
extra=config.PKI_INDENTATION_LEVEL_2)
- if not config.pki_dry_run_flag:
- os.symlink(name, link)
+ os.symlink(name, link)
# REMINDER: Due to POSIX compliance, 'lchmod' is NEVER
# implemented on Linux systems since 'chmod'
# CANNOT be run directly against symbolic links!
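Review bot: The guard `if not os.path.exists(link):` at the top of the hunk follows symlinks, so a dangling link already present at `link` is reported as absent and the `os.symlink(name, link)` that now runs unconditionally raises `OSError` (EEXIST); `if not os.path.lexists(link):` tests the link entry itself. The dangling-target warning that moved to the new side would also benefit from a one-line comment stating why a dangling link is ever acceptable here, since `allow_dangling_symlink` only says that it can be. Whether the EEXIST case is handled depends on the `except` below the hunk, which is outside this view.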
@@ -1872,8 +1740,7 @@ class symlink:
config.pki_log.debug(log.PKIHELPER_CHOWN_H_3,
uid, gid, link,
extra=config.PKI_INDENTATION_LEVEL_3)
- if not config.pki_dry_run_flag:
- os.lchown(link, uid, gid)
+ os.lchown(link, uid, gid)
# Store record in installation manifest
record = manifest.record()
record.name = link
@@ -1928,8 +1795,7 @@ class symlink:
config.pki_log.debug(log.PKIHELPER_CHOWN_H_3,
uid, gid, link,
extra=config.PKI_INDENTATION_LEVEL_3)
- if not config.pki_dry_run_flag:
- os.lchown(link, uid, gid)
+ os.lchown(link, uid, gid)
# Store record in installation manifest
if not silent:
record = manifest.record()
@@ -1967,8 +1833,7 @@ class symlink:
# rm -f <link>
config.pki_log.info(log.PKIHELPER_RM_F_1, link,
extra=config.PKI_INDENTATION_LEVEL_2)
- if not config.pki_dry_run_flag:
- os.remove(link)
+ os.remove(link)
except OSError as exc:
config.pki_log.error(log.PKI_OSERROR_1, exc,
extra=config.PKI_INDENTATION_LEVEL_2)
@@ -1999,21 +1864,19 @@ class war:
name, extra=config.PKI_INDENTATION_LEVEL_2)
if critical_failure == True:
sys.exit(1)
- if not config.pki_dry_run_flag:
- if not os.path.exists(path) or not os.path.isdir(path):
- config.pki_log.error(
- log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1,
- path, extra=config.PKI_INDENTATION_LEVEL_2)
- if critical_failure == True:
- sys.exit(1)
+ if not os.path.exists(path) or not os.path.isdir(path):
+ config.pki_log.error(
+ log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1,
+ path, extra=config.PKI_INDENTATION_LEVEL_2)
+ if critical_failure == True:
+ sys.exit(1)
# jar -xf <name> -C <path>
config.pki_log.info(log.PKIHELPER_JAR_XF_C_2, name, path,
extra=config.PKI_INDENTATION_LEVEL_2)
- if not config.pki_dry_run_flag:
- # Open war file
- war = zipfile.ZipFile(name, 'r')
- # Extract contents of war file to path
- war.extractall(path)
+ # Open war file
+ war = zipfile.ZipFile(name, 'r')
+ # Extract contents of war file to path
+ war.extractall(path)
else:
config.pki_log.error(
log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, name,
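Review bot: The `zipfile.ZipFile(name, 'r')` opened on the new side is never closed, so the descriptor lives until garbage collection and stays open if `extractall` raises; `with zipfile.ZipFile(name, 'r') as war:` over `war.extractall(path)` releases it on both paths (ZipFile supports the context-manager protocol from Python 2.7 / 3.2 on). Because `extractall` writes every archive entry under `path`, a comment such as `# relies on ZipFile.extract stripping absolute and '..' entry names` would document that the interpreter, not this code, is what keeps entries inside `path`, since older interpreters did not do that sanitisation. If the war comes from the package's own install tree that exposure is limited, but its provenance is not visible in this hunk.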
@@ -2043,28 +1906,12 @@ class password:
def create_password_conf(self, path, pin, pin_sans_token=False,
overwrite_flag=False, critical_failure=True):
try:
- if not config.pki_dry_run_flag:
- if os.path.exists(path):
- if overwrite_flag:
- config.pki_log.info(
- log.PKIHELPER_PASSWORD_CONF_1, path,
- extra=config.PKI_INDENTATION_LEVEL_2)
- # overwrite the existing 'password.conf' file
- with open(path, "wt") as fd:
- if pin_sans_token == True:
- fd.write(str(pin))
- elif master['pki_subsystem'] in\
- config.PKI_APACHE_SUBSYSTEMS:
- fd.write(master['pki_self_signed_token'] +\
- ":" + str(pin))
- else:
- fd.write(master['pki_self_signed_token'] +\
- "=" + str(pin))
- fd.closed
- else:
- config.pki_log.info(log.PKIHELPER_PASSWORD_CONF_1, path,
- extra=config.PKI_INDENTATION_LEVEL_2)
- # create a new 'password.conf' file
+ if os.path.exists(path):
+ if overwrite_flag:
+ config.pki_log.info(
+ log.PKIHELPER_PASSWORD_CONF_1, path,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ # overwrite the existing 'password.conf' file
with open(path, "wt") as fd:
if pin_sans_token == True:
fd.write(str(pin))
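Review bot: Both the overwrite branch (`with open(path, "wt") as fd:` on the context line) and the new create branch write the PIN into a file created by plain `open()`, so its mode is whatever the process umask yields, commonly world-readable, and nothing visible in this method tightens it afterwards. Creating the descriptor with an explicit mode before the secret is written avoids that window: `fd_num = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` followed by `with os.fdopen(fd_num, "w") as fd:`. The same applies to the second hunk of this method and to `create_client_pkcs12_password_conf` below, which writes `sensitive['pki_client_pkcs12_password']` the same way. The method's `except OSError` at the end of the next hunk also covers failures of `os.open`.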
@@ -2077,9 +1924,20 @@ class password:
"=" + str(pin))
fd.closed
else:
- if not os.path.exists(path) or overwrite_flag:
- config.pki_log.info(log.PKIHELPER_PASSWORD_CONF_1, path,
- extra=config.PKI_INDENTATION_LEVEL_2)
+ config.pki_log.info(log.PKIHELPER_PASSWORD_CONF_1, path,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ # create a new 'password.conf' file
+ with open(path, "wt") as fd:
+ if pin_sans_token == True:
+ fd.write(str(pin))
+ elif master['pki_subsystem'] in\
+ config.PKI_APACHE_SUBSYSTEMS:
+ fd.write(master['pki_self_signed_token'] +\
+ ":" + str(pin))
+ else:
+ fd.write(master['pki_self_signed_token'] +\
+ "=" + str(pin))
+ fd.closed
except OSError as exc:
config.pki_log.error(log.PKI_OSERROR_1, exc,
extra=config.PKI_INDENTATION_LEVEL_2)
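Review bot: `fd.closed` at the end of the new create branch, and on the matching context line of the overwrite branch, is an attribute read rather than a call, so it does nothing; since both sit inside a `with open(...)` block the file is already closed on exit, and the line can simply be dropped. The same stray line appears in both branches of `create_client_pkcs12_password_conf` in the following hunk.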
@@ -2090,27 +1948,22 @@ class password:
def create_client_pkcs12_password_conf(self, path, overwrite_flag=False,
critical_failure=True):
try:
- if not config.pki_dry_run_flag:
- if os.path.exists(path):
- if overwrite_flag:
- config.pki_log.info(
- log.PKIHELPER_PASSWORD_CONF_1, path,
- extra=config.PKI_INDENTATION_LEVEL_2)
- # overwrite the existing 'pkcs12_password.conf' file
- with open(path, "wt") as fd:
- fd.write(sensitive['pki_client_pkcs12_password'])
- fd.closed
- else:
- config.pki_log.info(log.PKIHELPER_PASSWORD_CONF_1, path,
- extra=config.PKI_INDENTATION_LEVEL_2)
- # create a new 'pkcs12_password.conf' file
+ if os.path.exists(path):
+ if overwrite_flag:
+ config.pki_log.info(
+ log.PKIHELPER_PASSWORD_CONF_1, path,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ # overwrite the existing 'pkcs12_password.conf' file
with open(path, "wt") as fd:
fd.write(sensitive['pki_client_pkcs12_password'])
fd.closed
else:
- if not os.path.exists(path) or overwrite_flag:
- config.pki_log.info(log.PKIHELPER_PASSWORD_CONF_1, path,
- extra=config.PKI_INDENTATION_LEVEL_2)
+ config.pki_log.info(log.PKIHELPER_PASSWORD_CONF_1, path,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ # create a new 'pkcs12_password.conf' file
+ with open(path, "wt") as fd:
+ fd.write(sensitive['pki_client_pkcs12_password'])
+ fd.closed
except OSError as exc:
config.pki_log.error(log.PKI_OSERROR_1, exc,
extra=config.PKI_INDENTATION_LEVEL_2)
@@ -2140,55 +1993,37 @@ class certutil:
command = command + " " + "-f" + " " + password_file
if prefix != None:
command = command + " " + "-P" + " " + prefix
- if not config.pki_dry_run_flag:
- if not os.path.exists(path):
- config.pki_log.error(
- log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, path,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- if os.path.exists(pki_cert_database) or\
- os.path.exists(pki_key_database) or\
- os.path.exists(pki_secmod_database):
- # Simply notify user that the security databases exist
- config.pki_log.info(
- log.PKI_SECURITY_DATABASES_ALREADY_EXIST_3,
- pki_cert_database,
- pki_key_database,
- pki_secmod_database,
- extra=config.PKI_INDENTATION_LEVEL_2)
- else:
- if password_file != None:
- if not os.path.exists(password_file) or\
- not os.path.isfile(password_file):
- config.pki_log.error(
- log.PKI_FILE_MISSING_OR_NOT_A_FILE_1,
- password_file,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- # Display this "certutil" command
- config.pki_log.info(
- log.PKIHELPER_CREATE_SECURITY_DATABASES_1,
- command,
- extra=config.PKI_INDENTATION_LEVEL_2)
- # Execute this "certutil" command
- subprocess.call(command, shell=True)
+ if not os.path.exists(path):
+ config.pki_log.error(
+ log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, path,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ if os.path.exists(pki_cert_database) or\
+ os.path.exists(pki_key_database) or\
+ os.path.exists(pki_secmod_database):
+ # Simply notify user that the security databases exist
+ config.pki_log.info(
+ log.PKI_SECURITY_DATABASES_ALREADY_EXIST_3,
+ pki_cert_database,
+ pki_key_database,
+ pki_secmod_database,
+ extra=config.PKI_INDENTATION_LEVEL_2)
else:
- if os.path.exists(pki_cert_database) or\
- os.path.exists(pki_key_database) or\
- os.path.exists(pki_secmod_database):
- # Simply notify user that the security databases exist
- config.pki_log.info(
- log.PKI_SECURITY_DATABASES_ALREADY_EXIST_3,
- pki_cert_database,
- pki_key_database,
- pki_secmod_database,
- extra=config.PKI_INDENTATION_LEVEL_2)
- else:
- # Display this "certutil" command
- config.pki_log.info(
- log.PKIHELPER_CREATE_SECURITY_DATABASES_1,
- command,
- extra=config.PKI_INDENTATION_LEVEL_2)
+ if password_file != None:
+ if not os.path.exists(password_file) or\
+ not os.path.isfile(password_file):
+ config.pki_log.error(
+ log.PKI_FILE_MISSING_OR_NOT_A_FILE_1,
+ password_file,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ # Display this "certutil" command
+ config.pki_log.info(
+ log.PKIHELPER_CREATE_SECURITY_DATABASES_1,
+ command,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ # Execute this "certutil" command
+ subprocess.call(command, shell=True)
except subprocess.CalledProcessError as exc:
config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
extra=config.PKI_INDENTATION_LEVEL_2)
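Review bot: `subprocess.call(command, shell=True)` on the last new line never raises `subprocess.CalledProcessError`, so the handler that follows it is unreachable and a failing certutil run is silently ignored; `subprocess.check_call(command, shell=True)` makes the handler live, as the verify hunk below already does. The same dead handler pairs with `subprocess.call` in the self-signed-certificate hunk and in the three `systemd` hunks near the end of this file. Separately, `command` is assembled by string concatenation from `path`, `password_file` and `prefix` and handed to the shell, so a value containing spaces or shell metacharacters is split or interpreted; building an argv list and calling with `shell=False` removes that dependency (the verify variant's `> /dev/null 2>&1` would then become `stdout=`/`stderr=` arguments). Where `command` is first assembled is above the hunk.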
@@ -2239,37 +2074,30 @@ class certutil:
# By default, execute this command silently
if silent != False:
command = command + " > /dev/null 2>&1"
- if not config.pki_dry_run_flag:
- if not os.path.exists(path):
- config.pki_log.error(
- log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, path,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- if not os.path.exists(pki_cert_database) or\
- not os.path.exists(pki_key_database) or\
- not os.path.exists(pki_secmod_database):
- # NSS security databases MUST exist!
+ if not os.path.exists(path):
+ config.pki_log.error(
+ log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, path,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ if not os.path.exists(pki_cert_database) or\
+ not os.path.exists(pki_key_database) or\
+ not os.path.exists(pki_secmod_database):
+ # NSS security databases MUST exist!
+ config.pki_log.error(
+ log.PKI_SECURITY_DATABASES_DO_NOT_EXIST_3,
+ pki_cert_database,
+ pki_key_database,
+ pki_secmod_database,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ if password_file != None:
+ if not os.path.exists(password_file) or\
+ not os.path.isfile(password_file):
config.pki_log.error(
- log.PKI_SECURITY_DATABASES_DO_NOT_EXIST_3,
- pki_cert_database,
- pki_key_database,
- pki_secmod_database,
+ log.PKI_FILE_MISSING_OR_NOT_A_FILE_1,
+ password_file,
extra=config.PKI_INDENTATION_LEVEL_2)
sys.exit(1)
- if password_file != None:
- if not os.path.exists(password_file) or\
- not os.path.isfile(password_file):
- config.pki_log.error(
- log.PKI_FILE_MISSING_OR_NOT_A_FILE_1,
- password_file,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- else:
- # Check for first time through as dry_run
- if not os.path.exists(pki_cert_database) or\
- not os.path.exists(pki_key_database) or\
- not os.path.exists(pki_secmod_database):
- return False
# Execute this "certutil" command
subprocess.check_call(command, shell=True)
except subprocess.CalledProcessError as exc:
@@ -2376,39 +2204,38 @@ class certutil:
config.pki_log.info(
log.PKIHELPER_CERTUTIL_SELF_SIGNED_CERTIFICATE_1, command,
extra=config.PKI_INDENTATION_LEVEL_2)
- if not config.pki_dry_run_flag:
- if not os.path.exists(path):
- config.pki_log.error(
- log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, path,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- if not os.path.exists(pki_cert_database) or\
- not os.path.exists(pki_key_database) or\
- not os.path.exists(pki_secmod_database):
- # NSS security databases MUST exist!
- config.pki_log.error(
- log.PKI_SECURITY_DATABASES_DO_NOT_EXIST_3,
- pki_cert_database,
- pki_key_database,
- pki_secmod_database,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- if not os.path.exists(noise_file):
+ if not os.path.exists(path):
+ config.pki_log.error(
+ log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, path,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ if not os.path.exists(pki_cert_database) or\
+ not os.path.exists(pki_key_database) or\
+ not os.path.exists(pki_secmod_database):
+ # NSS security databases MUST exist!
+ config.pki_log.error(
+ log.PKI_SECURITY_DATABASES_DO_NOT_EXIST_3,
+ pki_cert_database,
+ pki_key_database,
+ pki_secmod_database,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ if not os.path.exists(noise_file):
+ config.pki_log.error(
+ log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1,
+ noise_file,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ if password_file != None:
+ if not os.path.exists(password_file) or\
+ not os.path.isfile(password_file):
config.pki_log.error(
- log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1,
- noise_file,
+ log.PKI_FILE_MISSING_OR_NOT_A_FILE_1,
+ password_file,
extra=config.PKI_INDENTATION_LEVEL_2)
sys.exit(1)
- if password_file != None:
- if not os.path.exists(password_file) or\
- not os.path.isfile(password_file):
- config.pki_log.error(
- log.PKI_FILE_MISSING_OR_NOT_A_FILE_1,
- password_file,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
- # Execute this "certutil" command
- subprocess.call(command, shell=True)
+ # Execute this "certutil" command
+ subprocess.call(command, shell=True)
except subprocess.CalledProcessError as exc:
config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
extra=config.PKI_INDENTATION_LEVEL_2)
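Review bot: The `noise_file` check that moved onto the new side logs `log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1` for what its name says is a file, while the `password_file` check a few lines later uses `log.PKI_FILE_MISSING_OR_NOT_A_FILE_1`; the noise check should use the file variant, and `if not os.path.exists(noise_file) or not os.path.isfile(noise_file):` would make the test match its message. The `subprocess.call` with an unreachable `CalledProcessError` handler is the same issue raised on the create-security-databases hunk above.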
@@ -2552,46 +2379,45 @@ class security_domain:
params, updateURL,
sechost, secagentport)
# update domainXML
- if not config.pki_dry_run_flag:
- # Execute this "sslget" command
- output = subprocess.check_output(command,
- stderr=subprocess.STDOUT,
- shell=True)
- config.pki_log.debug(log.PKIHELPER_SSLGET_OUTPUT_1,
- output,
- extra=config.PKI_INDENTATION_LEVEL_2)
- # Search the output for Status
- status = re.findall("\<Status\>(.*?)\<\/Status\>", output)
- if not status:
- config.pki_log.warning(
- log.PKIHELPER_SECURITY_DOMAIN_UNREACHABLE_1,
- secname,
- extra=config.PKI_INDENTATION_LEVEL_2)
- if critical_failure == True:
- sys.exit(-1)
- elif status[0] != "0":
- error = re.findall("\<Error\>(.*?)\<\/Error\>", output)
- if not error:
- error = ""
- config.pki_log.warning(
- log.PKIHELPER_SECURITY_DOMAIN_UNREGISTERED_2,
- typeval,
- secname,
- extra=config.PKI_INDENTATION_LEVEL_2)
- config.pki_log.error(
- log.PKIHELPER_SECURITY_DOMAIN_UPDATE_FAILURE_3,
- typeval,
- secname,
- error,
- extra=config.PKI_INDENTATION_LEVEL_2)
- if critical_failure == True:
- sys.exit(-1)
- else:
- config.pki_log.info(
- log.PKIHELPER_SECURITY_DOMAIN_UPDATE_SUCCESS_2,
- typeval,
- secname,
- extra=config.PKI_INDENTATION_LEVEL_2)
+ # Execute this "sslget" command
+ output = subprocess.check_output(command,
+ stderr=subprocess.STDOUT,
+ shell=True)
+ config.pki_log.debug(log.PKIHELPER_SSLGET_OUTPUT_1,
+ output,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ # Search the output for Status
+ status = re.findall("\<Status\>(.*?)\<\/Status\>", output)
+ if not status:
+ config.pki_log.warning(
+ log.PKIHELPER_SECURITY_DOMAIN_UNREACHABLE_1,
+ secname,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if critical_failure == True:
+ sys.exit(-1)
+ elif status[0] != "0":
+ error = re.findall("\<Error\>(.*?)\<\/Error\>", output)
+ if not error:
+ error = ""
+ config.pki_log.warning(
+ log.PKIHELPER_SECURITY_DOMAIN_UNREGISTERED_2,
+ typeval,
+ secname,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ config.pki_log.error(
+ log.PKIHELPER_SECURITY_DOMAIN_UPDATE_FAILURE_3,
+ typeval,
+ secname,
+ error,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ if critical_failure == True:
+ sys.exit(-1)
+ else:
+ config.pki_log.info(
+ log.PKIHELPER_SECURITY_DOMAIN_UPDATE_SUCCESS_2,
+ typeval,
+ secname,
+ extra=config.PKI_INDENTATION_LEVEL_2)
except subprocess.CalledProcessError as exc:
config.pki_log.warning(
log.PKIHELPER_SECURITY_DOMAIN_UPDATE_FAILURE_2,
@@ -2628,9 +2454,8 @@ class systemd:
config.pki_log.info(
log.PKIHELPER_SYSTEMD_COMMAND_1, command,
extra=config.PKI_INDENTATION_LEVEL_2)
- if not config.pki_dry_run_flag:
- # Execute this "systemd" execution management command
- subprocess.call(command, shell=True)
+ # Execute this "systemd" execution management command
+ subprocess.call(command, shell=True)
except subprocess.CalledProcessError as exc:
config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
extra=config.PKI_INDENTATION_LEVEL_2)
@@ -2655,9 +2480,8 @@ class systemd:
config.pki_log.info(
log.PKIHELPER_SYSTEMD_COMMAND_1, command,
extra=config.PKI_INDENTATION_LEVEL_2)
- if not config.pki_dry_run_flag:
- # Execute this "systemd" execution management command
- subprocess.call(command, shell=True)
+ # Execute this "systemd" execution management command
+ subprocess.call(command, shell=True)
except subprocess.CalledProcessError as exc:
config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
extra=config.PKI_INDENTATION_LEVEL_2)
@@ -2682,9 +2506,8 @@ class systemd:
config.pki_log.info(
log.PKIHELPER_SYSTEMD_COMMAND_1, command,
extra=config.PKI_INDENTATION_LEVEL_2)
- if not config.pki_dry_run_flag:
- # Execute this "systemd" execution management command
- subprocess.call(command, shell=True)
+ # Execute this "systemd" execution management command
+ subprocess.call(command, shell=True)
except subprocess.CalledProcessError as exc:
config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
extra=config.PKI_INDENTATION_LEVEL_2)
diff --git a/base/deploy/src/scriptlets/pkijython.py b/base/deploy/src/scriptlets/pkijython.py
index 4321e0a2a..8d027f91a 100644
--- a/base/deploy/src/scriptlets/pkijython.py
+++ b/base/deploy/src/scriptlets/pkijython.py
@@ -218,15 +218,14 @@ def read_simple_configuration_file(filename):
# PKI Deployment 'security databases' Class
class security_databases:
- def initialize_token(self, pki_database_path, pki_dry_run_flag, log_level):
+ def initialize_token(self, pki_database_path, log_level):
try:
if log_level >= config.PKI_JYTHON_INFO_LOG_LEVEL:
print "%s %s '%s'" %\
(log.PKI_JYTHON_INDENTATION_2,
log.PKI_JYTHON_INITIALIZING_TOKEN,
pki_database_path)
- if not pki_dry_run_flag:
- CryptoManager.initialize(pki_database_path)
+ CryptoManager.initialize(pki_database_path)
except AlreadyInitializedException, e:
# it is ok if it is already initialized
pass
@@ -235,8 +234,7 @@ class security_databases:
" " + str(e))
javasystem.exit(1)
- def log_into_token(self, pki_database_path, password_conf,
- pki_dry_run_flag, log_level):
+ def log_into_token(self, pki_database_path, password_conf, log_level):
token = None
try:
if log_level >= config.PKI_JYTHON_INFO_LOG_LEVEL:
@@ -244,28 +242,27 @@ class security_databases:
(log.PKI_JYTHON_INDENTATION_2,
log.PKI_JYTHON_LOG_INTO_TOKEN,
pki_database_path)
- if not pki_dry_run_flag:
- manager = CryptoManager.getInstance()
- token = manager.getInternalKeyStorageToken()
- # Retrieve 'password' from client-side 'password_conf'
- #
- # NOTE: For now, ONLY read the first line
- # (which contains "password")
- #
- fd = open(password_conf, "r")
- token_pwd = fd.readline()
- fd.close
- # Convert 'token_pwd' into a 'java char[]'
- jtoken_pwd = jarray.array(token_pwd, 'c')
- password = Password(jtoken_pwd)
- try:
- token.login(password)
- except Exception, e:
- javasystem.out.println(log.PKI_JYTHON_LOGIN_EXCEPTION +\
- " " + str(e))
- if not token.isLoggedIn():
- token.initPassword(password, password)
- javasystem.exit(1)
+ manager = CryptoManager.getInstance()
+ token = manager.getInternalKeyStorageToken()
+ # Retrieve 'password' from client-side 'password_conf'
+ #
+ # NOTE: For now, ONLY read the first line
+ # (which contains "password")
+ #
+ fd = open(password_conf, "r")
+ token_pwd = fd.readline()
+ fd.close
+ # Convert 'token_pwd' into a 'java char[]'
+ jtoken_pwd = jarray.array(token_pwd, 'c')
+ password = Password(jtoken_pwd)
+ try:
+ token.login(password)
+ except Exception, e:
+ javasystem.out.println(log.PKI_JYTHON_LOGIN_EXCEPTION +\
+ " " + str(e))
+ if not token.isLoggedIn():
+ token.initPassword(password, password)
+ javasystem.exit(1)
except Exception, e:
javasystem.out.println(log.PKI_JYTHON_TOKEN_LOGIN_EXCEPTION +\
" " + str(e))
@@ -289,8 +286,7 @@ class rest_client:
(log.PKI_JYTHON_INDENTATION_2,
log.PKI_JYTHON_INITIALIZING_REST_CLIENT,
client_config.serverURI)
- if not master['pki_dry_run_flag']:
- self.client = SystemConfigClient(client_config)
+ self.client = SystemConfigClient(client_config)
return self.client
except URISyntaxException, e:
e.printStackTrace()
@@ -421,132 +417,131 @@ class rest_client:
(log.PKI_JYTHON_INDENTATION_2,
log.PKI_JYTHON_CONSTRUCTING_PKI_DATA,
master['pki_subsystem'])
- if not master['pki_dry_run_flag']:
- data = ConfigurationRequest()
-
- # Miscellaneous Configuration Information
- data.setPin(self.sensitive['pki_one_time_pin'])
- data.setToken(ConfigurationRequest.TOKEN_DEFAULT)
- data.setSubsystemName(master['pki_subsystem_name'])
-
- # Hierarchy
- if master['pki_instance_type'] == "Tomcat":
- if master['pki_subsystem'] == "CA":
- if config.str2bool(master['pki_clone']):
- # Cloned CA
- # alee - is this correct?
- data.setHierarchy("root")
- elif config.str2bool(master['pki_external']):
- # External CA
- data.setHierarchy("join")
- elif config.str2bool(master['pki_subordinate']):
- # Subordinate CA
- data.setHierarchy("join")
- else:
- # PKI CA
- data.setHierarchy("root")
-
- # Cloning parameters
- if master['pki_instance_type'] == "Tomcat":
- if config.str2bool(master['pki_clone']):
- self.set_cloning_parameters(data)
- else:
- data.setIsClone("false")
-
- # Security Domain
- if master['pki_subsystem'] != "CA" or\
- config.str2bool(master['pki_clone']) or\
- config.str2bool(master['pki_subordinate']):
- # PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS,
- # CA Clone, KRA Clone, OCSP Clone, TKS Clone, or
- # Subordinate CA
- self.set_existing_security_domain(data)
- elif not config.str2bool(master['pki_external']):
- # PKI CA
- self.set_new_security_domain(data)
+ data = ConfigurationRequest()
- if master['pki_subsystem'] != "RA":
- self.set_database_parameters(data)
+ # Miscellaneous Configuration Information
+ data.setPin(self.sensitive['pki_one_time_pin'])
+ data.setToken(ConfigurationRequest.TOKEN_DEFAULT)
+ data.setSubsystemName(master['pki_subsystem_name'])
- if master['pki_instance_type'] == "Tomcat":
- self.set_backup_parameters(data)
-
- if not config.str2bool(master['pki_clone']):
- self.set_admin_parameters(token, data)
-
- # Issuing CA Information
- if master['pki_subsystem'] != "CA" or\
- config.str2bool(master['pki_clone']) or\
- config.str2bool(master['pki_subordinate']) or\
- config.str2bool(master['pki_external']):
- # PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS,
- # CA Clone, KRA Clone, OCSP Clone, TKS Clone,
- # Subordinate CA, or External CA
- data.setIssuingCA(master['pki_issuing_ca'])
-
- # Create system certs
- systemCerts = ArrayList()
-
- # Create 'CA Signing Certificate'
+ # Hierarchy
+ if master['pki_instance_type'] == "Tomcat":
if master['pki_subsystem'] == "CA":
- if not config.str2bool(master['pki_clone']):
- cert = self.create_system_cert("ca_signing")
- cert.setSigningAlgorithm(
- master['pki_ca_signing_signing_algorithm'])
- systemCerts.add(cert)
+ if config.str2bool(master['pki_clone']):
+ # Cloned CA
+ # alee - is this correct?
+ data.setHierarchy("root")
+ elif config.str2bool(master['pki_external']):
+ # External CA
+ data.setHierarchy("join")
+ elif config.str2bool(master['pki_subordinate']):
+ # Subordinate CA
+ data.setHierarchy("join")
+ else:
+ # PKI CA
+ data.setHierarchy("root")
- # Create 'OCSP Signing Certificate'
- if not config.str2bool(master['pki_clone']):
- if master['pki_subsystem'] == "CA" or\
- master['pki_subsystem'] == "OCSP":
- # External CA, Subordinate CA, PKI CA, or PKI OCSP
- cert2 = self.create_system_cert("ocsp_signing")
- cert2.setSigningAlgorithm(
- master['pki_ocsp_signing_signing_algorithm'])
- systemCerts.add(cert2)
-
- # Create 'SSL Server Certificate'
- # all subsystems
-
- # create new sslserver cert only if this is a new instance
- cert3 = None
- system_list = self.tomcat_instance_subsystems()
- if len(system_list) >= 2:
- data.setGenerateServerCert("false")
- for subsystem in system_list:
- dst = master['pki_instance_path'] + '/conf/' +\
- subsystem.lower() + '/CS.cfg'
- if subsystem != master['pki_subsystem'] and \
- os.path.exists(dst):
- cert3 = self.retrieve_existing_server_cert(dst)
- break
+ # Cloning parameters
+ if master['pki_instance_type'] == "Tomcat":
+ if config.str2bool(master['pki_clone']):
+ self.set_cloning_parameters(data)
else:
- cert3 = self.create_system_cert("ssl_server")
- systemCerts.add(cert3)
-
- # Create 'Subsystem Certificate'
+ data.setIsClone("false")
+
+ # Security Domain
+ if master['pki_subsystem'] != "CA" or\
+ config.str2bool(master['pki_clone']) or\
+ config.str2bool(master['pki_subordinate']):
+ # PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS,
+ # CA Clone, KRA Clone, OCSP Clone, TKS Clone, or
+ # Subordinate CA
+ self.set_existing_security_domain(data)
+ elif not config.str2bool(master['pki_external']):
+ # PKI CA
+ self.set_new_security_domain(data)
+
+ if master['pki_subsystem'] != "RA":
+ self.set_database_parameters(data)
+
+ if master['pki_instance_type'] == "Tomcat":
+ self.set_backup_parameters(data)
+
+ if not config.str2bool(master['pki_clone']):
+ self.set_admin_parameters(token, data)
+
+ # Issuing CA Information
+ if master['pki_subsystem'] != "CA" or\
+ config.str2bool(master['pki_clone']) or\
+ config.str2bool(master['pki_subordinate']) or\
+ config.str2bool(master['pki_external']):
+ # PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS,
+ # CA Clone, KRA Clone, OCSP Clone, TKS Clone,
+ # Subordinate CA, or External CA
+ data.setIssuingCA(master['pki_issuing_ca'])
+
+ # Create system certs
+ systemCerts = ArrayList()
+
+ # Create 'CA Signing Certificate'
+ if master['pki_subsystem'] == "CA":
if not config.str2bool(master['pki_clone']):
- cert4 = self.create_system_cert("subsystem")
- systemCerts.add(cert4)
+ cert = self.create_system_cert("ca_signing")
+ cert.setSigningAlgorithm(
+ master['pki_ca_signing_signing_algorithm'])
+ systemCerts.add(cert)
+
+ # Create 'OCSP Signing Certificate'
+ if not config.str2bool(master['pki_clone']):
+ if master['pki_subsystem'] == "CA" or\
+ master['pki_subsystem'] == "OCSP":
+ # External CA, Subordinate CA, PKI CA, or PKI OCSP
+ cert2 = self.create_system_cert("ocsp_signing")
+ cert2.setSigningAlgorithm(
+ master['pki_ocsp_signing_signing_algorithm'])
+ systemCerts.add(cert2)
+
+ # Create 'SSL Server Certificate'
+ # all subsystems
+
+ # create new sslserver cert only if this is a new instance
+ cert3 = None
+ system_list = self.tomcat_instance_subsystems()
+ if len(system_list) >= 2:
+ data.setGenerateServerCert("false")
+ for subsystem in system_list:
+ dst = master['pki_instance_path'] + '/conf/' +\
+ subsystem.lower() + '/CS.cfg'
+ if subsystem != master['pki_subsystem'] and \
+ os.path.exists(dst):
+ cert3 = self.retrieve_existing_server_cert(dst)
+ break
+ else:
+ cert3 = self.create_system_cert("ssl_server")
+ systemCerts.add(cert3)
- # Create 'Audit Signing Certificate'
- if not config.str2bool(master['pki_clone']):
- if master['pki_subsystem'] != "RA":
- cert5 = self.create_system_cert("audit_signing")
- cert5.setSigningAlgorithm(
- master['pki_audit_signing_signing_algorithm'])
- systemCerts.add(cert5)
+ # Create 'Subsystem Certificate'
+ if not config.str2bool(master['pki_clone']):
+ cert4 = self.create_system_cert("subsystem")
+ systemCerts.add(cert4)
- # Create DRM Transport and storage Certificates
- if not config.str2bool(master['pki_clone']):
- if master['pki_subsystem'] == "KRA":
- cert6 = self.create_system_cert("transport")
- systemCerts.add(cert6)
+ # Create 'Audit Signing Certificate'
+ if not config.str2bool(master['pki_clone']):
+ if master['pki_subsystem'] != "RA":
+ cert5 = self.create_system_cert("audit_signing")
+ cert5.setSigningAlgorithm(
+ master['pki_audit_signing_signing_algorithm'])
+ systemCerts.add(cert5)
+
+ # Create DRM Transport and storage Certificates
+ if not config.str2bool(master['pki_clone']):
+ if master['pki_subsystem'] == "KRA":
+ cert6 = self.create_system_cert("transport")
+ systemCerts.add(cert6)
- cert7 = self.create_system_cert("storage")
- systemCerts.add(cert7)
+ cert7 = self.create_system_cert("storage")
+ systemCerts.add(cert7)
- data.setSystemCerts(systemCerts)
+ data.setSystemCerts(systemCerts)
return data
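Review bot: On the new side `cert3` stays `None` when `len(system_list) >= 2` but no other subsystem has a `CS.cfg` under `master['pki_instance_path']`, and `systemCerts.add(cert3)` then appends `None` to the list unconditionally. After the `for` loop that case should be detected, e.g. `if cert3 is None:` followed by a diagnostic and `javasystem.exit(1)` in the style of the other failures in this class, or a fallback to `self.create_system_cert("ssl_server")` if that is the intended behaviour for an instance whose other subsystems were removed. The `# alee - is this correct?` remark on the cloned-CA hierarchy branch is carried over unchanged and should be resolved or turned into a tracked TODO. The enclosing method begins outside this hunk.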
@@ -557,119 +552,118 @@ class rest_client:
(log.PKI_JYTHON_INDENTATION_2,
log.PKI_JYTHON_CONFIGURING_PKI_DATA,
master['pki_subsystem'])
- if not master['pki_dry_run_flag']:
- try:
- response = self.client.configure(data)
- javasystem.out.println(log.PKI_JYTHON_RESPONSE_STATUS +\
- " " + response.getStatus())
- certs = response.getSystemCerts()
- iterator = certs.iterator()
- while iterator.hasNext():
- cdata = iterator.next()
- javasystem.out.println(log.PKI_JYTHON_CDATA_TAG + " " +\
- cdata.getTag())
- javasystem.out.println(log.PKI_JYTHON_CDATA_CERT + " " +\
- cdata.getCert())
- javasystem.out.println(log.PKI_JYTHON_CDATA_REQUEST + " " +\
- cdata.getRequest())
- # Cloned PKI subsystems do not return an Admin Certificate
- if not config.str2bool(master['pki_clone']):
- admin_cert = response.getAdminCert().getCert()
- javasystem.out.println(log.PKI_JYTHON_RESPONSE_ADMIN_CERT +\
- " " + admin_cert)
- # Store the Administration Certificate in a file
- admin_cert_file = os.path.join(
- master['pki_client_dir'],
- master['pki_client_admin_cert'])
- admin_cert_bin_file = admin_cert_file + ".der"
- javasystem.out.println(log.PKI_JYTHON_ADMIN_CERT_SAVE +\
- " " + "'" + admin_cert_file + "'")
- FILE = open(admin_cert_file, "w")
- FILE.write(admin_cert)
- FILE.close()
- # convert the cert file to binary
- command = "AtoB "+ admin_cert_file + " " + admin_cert_bin_file
- javasystem.out.println(log.PKI_JYTHON_ADMIN_CERT_ATOB +\
- " " + "'" + command + "'")
- os.system(command)
-
- # Since Jython runs under Java, it does NOT support the
- # following operating system specific command:
- #
- # os.chmod(
- # admin_cert_file,
- # config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS)
- #
- # Emulate it with a system call.
- command = "chmod" + " 660 " + admin_cert_file
- javasystem.out.println(
- log.PKI_JYTHON_CHMOD +\
- " " + "'" + command + "'")
- os.system(command)
-
- command = "chmod" + " 660 " + admin_cert_bin_file
- javasystem.out.println(
- log.PKI_JYTHON_CHMOD +\
- " " + "'" + command + "'")
- os.system(command)
-
- # Import the Administration Certificate
- # into the client NSS security database
- command = "certutil" + " " +\
- "-A" + " " +\
- "-n" + " " + "\"" +\
- re.sub("&#39;",
- "'", master['pki_admin_nickname']) +\
- "\"" + " " +\
- "-t" + " " +\
- "\"" + "u,u,u" + "\"" + " " +\
- "-f" + " " +\
- master['pki_client_password_conf'] + " " +\
- "-d" + " " +\
- master['pki_client_database_dir'] + " " +\
- "-i" + " " +\
- admin_cert_bin_file
- javasystem.out.println(
- log.PKI_JYTHON_ADMIN_CERT_IMPORT +\
- " " + "'" + command + "'")
- os.system(command)
- # Export the Administration Certificate from the
- # client NSS security database into a PKCS #12 file
- command = "pk12util" + " " +\
- "-o" + " " +\
- master['pki_client_admin_cert_p12'] + " " +\
- "-n" + " " + "\"" +\
- re.sub("&#39;",
- "'", master['pki_admin_nickname']) +\
- "\"" + " " +\
- "-d" + " " +\
- master['pki_client_database_dir'] + " " +\
- "-k" + " " +\
- master['pki_client_password_conf'] + " " +\
- "-w" + " " +\
- master['pki_client_pkcs12_password_conf']
- javasystem.out.println(
- log.PKI_JYTHON_ADMIN_CERT_EXPORT +\
- " " + "'" + command + "'")
- os.system(command)
- # Since Jython runs under Java, it does NOT support the
- # following operating system specific command:
- #
- # os.chmod(master['pki_client_admin_cert_p12'],
- # config.\
- # PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)
- #
- # Emulate it with a system call.
- command = "chmod" + " " + "664" + " " +\
- master['pki_client_admin_cert_p12']
- javasystem.out.println(
- log.PKI_JYTHON_CHMOD +\
- " " + "'" + command + "'")
- os.system(command)
- except Exception, e:
+ try:
+ response = self.client.configure(data)
+ javasystem.out.println(log.PKI_JYTHON_RESPONSE_STATUS +\
+ " " + response.getStatus())
+ certs = response.getSystemCerts()
+ iterator = certs.iterator()
+ while iterator.hasNext():
+ cdata = iterator.next()
+ javasystem.out.println(log.PKI_JYTHON_CDATA_TAG + " " +\
+ cdata.getTag())
+ javasystem.out.println(log.PKI_JYTHON_CDATA_CERT + " " +\
+ cdata.getCert())
+ javasystem.out.println(log.PKI_JYTHON_CDATA_REQUEST + " " +\
+ cdata.getRequest())
+ # Cloned PKI subsystems do not return an Admin Certificate
+ if not config.str2bool(master['pki_clone']):
+ admin_cert = response.getAdminCert().getCert()
+ javasystem.out.println(log.PKI_JYTHON_RESPONSE_ADMIN_CERT +\
+ " " + admin_cert)
+ # Store the Administration Certificate in a file
+ admin_cert_file = os.path.join(
+ master['pki_client_dir'],
+ master['pki_client_admin_cert'])
+ admin_cert_bin_file = admin_cert_file + ".der"
+ javasystem.out.println(log.PKI_JYTHON_ADMIN_CERT_SAVE +\
+ " " + "'" + admin_cert_file + "'")
+ FILE = open(admin_cert_file, "w")
+ FILE.write(admin_cert)
+ FILE.close()
+ # convert the cert file to binary
+ command = "AtoB "+ admin_cert_file + " " + admin_cert_bin_file
+ javasystem.out.println(log.PKI_JYTHON_ADMIN_CERT_ATOB +\
+ " " + "'" + command + "'")
+ os.system(command)
+
+ # Since Jython runs under Java, it does NOT support the
+ # following operating system specific command:
+ #
+ # os.chmod(
+ # admin_cert_file,
+ # config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS)
+ #
+ # Emulate it with a system call.
+ command = "chmod" + " 660 " + admin_cert_file
javasystem.out.println(
- log.PKI_JYTHON_JAVA_CONFIGURATION_EXCEPTION + " " + str(e))
- javasystem.exit(1)
+ log.PKI_JYTHON_CHMOD +\
+ " " + "'" + command + "'")
+ os.system(command)
+
+ command = "chmod" + " 660 " + admin_cert_bin_file
+ javasystem.out.println(
+ log.PKI_JYTHON_CHMOD +\
+ " " + "'" + command + "'")
+ os.system(command)
+
+ # Import the Administration Certificate
+ # into the client NSS security database
+ command = "certutil" + " " +\
+ "-A" + " " +\
+ "-n" + " " + "\"" +\
+ re.sub("&#39;",
+ "'", master['pki_admin_nickname']) +\
+ "\"" + " " +\
+ "-t" + " " +\
+ "\"" + "u,u,u" + "\"" + " " +\
+ "-f" + " " +\
+ master['pki_client_password_conf'] + " " +\
+ "-d" + " " +\
+ master['pki_client_database_dir'] + " " +\
+ "-i" + " " +\
+ admin_cert_bin_file
+ javasystem.out.println(
+ log.PKI_JYTHON_ADMIN_CERT_IMPORT +\
+ " " + "'" + command + "'")
+ os.system(command)
+ # Export the Administration Certificate from the
+ # client NSS security database into a PKCS #12 file
+ command = "pk12util" + " " +\
+ "-o" + " " +\
+ master['pki_client_admin_cert_p12'] + " " +\
+ "-n" + " " + "\"" +\
+ re.sub("&#39;",
+ "'", master['pki_admin_nickname']) +\
+ "\"" + " " +\
+ "-d" + " " +\
+ master['pki_client_database_dir'] + " " +\
+ "-k" + " " +\
+ master['pki_client_password_conf'] + " " +\
+ "-w" + " " +\
+ master['pki_client_pkcs12_password_conf']
+ javasystem.out.println(
+ log.PKI_JYTHON_ADMIN_CERT_EXPORT +\
+ " " + "'" + command + "'")
+ os.system(command)
+ # Since Jython runs under Java, it does NOT support the
+ # following operating system specific command:
+ #
+ # os.chmod(master['pki_client_admin_cert_p12'],
+ # config.\
+ # PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)
+ #
+ # Emulate it with a system call.
+ command = "chmod" + " " + "664" + " " +\
+ master['pki_client_admin_cert_p12']
+ javasystem.out.println(
+ log.PKI_JYTHON_CHMOD +\
+ " " + "'" + command + "'")
+ os.system(command)
+ except Exception, e:
+ javasystem.out.println(
+ log.PKI_JYTHON_JAVA_CONFIGURATION_EXCEPTION + " " + str(e))
+ javasystem.exit(1)
return
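Review bot: The new side builds every external command by string concatenation and hands it to `os.system`, so the shell re-parses `master['pki_admin_nickname']` (only `&#39;` is rewritten before the value is wrapped in double quotes), `master['pki_client_database_dir']` and the password-file paths; a value containing a double quote, `$`, backtick or a space breaks the command or changes what is executed. None of the `os.system` return codes is checked, so a failed `certutil -A` import is followed straight by the `pk12util` export and the final `chmod`. Passing an argument list to `subprocess.call` (present in Jython 2.5 and later; it would need an import at the top of the file) keeps the shell out of the path and yields a status to test; the `certutil` call is shown below and the `chmod`/`pk12util` calls take the same shape. The admin certificate file is also created with the process umask and only chmod'ed afterwards, which leaves a window in which it is readable more widely than the intended 660; creating it through a helper that applies the mode at creation time would remove that window. The enclosing method begins outside this hunk.
```python
# … unchanged: write admin_cert_file, AtoB conversion, chmod 660 calls …
nickname = re.sub("&#39;", "'", master['pki_admin_nickname'])
# argv list, no shell: quotes or metacharacters in the nickname or
# the paths are passed through literally instead of being re-parsed
command = ["certutil", "-A",
           "-n", nickname,
           "-t", "u,u,u",
           "-f", master['pki_client_password_conf'],
           "-d", master['pki_client_database_dir'],
           "-i", admin_cert_bin_file]
javasystem.out.println(
    log.PKI_JYTHON_ADMIN_CERT_IMPORT +\
    " " + "'" + " ".join(command) + "'")
if subprocess.call(command) != 0:
    # caught by the surrounding 'except Exception' handler, which
    # prints the configuration exception and exits with status 1
    raise RuntimeError("certutil import of the admin certificate failed")
# … unchanged: pk12util export and final chmod, in the same argv-list form …
```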
diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py
index a10893231..4938e7c8c 100644
--- a/base/deploy/src/scriptlets/pkiparser.py
+++ b/base/deploy/src/scriptlets/pkiparser.py
@@ -74,9 +74,6 @@ def process_command_line_arguments(argv):
'[.${pki_admin_domain_name}]')
# Establish 'Optional' command-line options
optional = parser.add_argument_group('optional arguments')
- optional.add_argument('--dry_run',
- dest='pki_dry_run_flag', action='store_true',
- help='do not actually perform any actions')
optional.add_argument('-h', '--help',
dest='help', action='help',
help='show this help message and exit')
@@ -107,9 +104,6 @@ def process_command_line_arguments(argv):
config.pki_deployed_instance_name =\
str(args.pki_deployed_instance_name).strip('[\']')
# Process 'Optional' command-line options
- # '--dry_run'
- if args.pki_dry_run_flag:
- config.pki_dry_run_flag = args.pki_dry_run_flag
if config.pki_deployment_executable == 'pkispawn':
# '-u'
config.pki_update_flag = args.pki_update_flag
@@ -267,7 +261,6 @@ def compose_pki_master_dictionary():
config.pki_master_dict['pki_hostname'] = config.pki_hostname
config.pki_master_dict['pki_dns_domainname'] =\
config.pki_dns_domainname
- config.pki_master_dict['pki_dry_run_flag'] = config.pki_dry_run_flag
config.pki_master_dict['pki_jython_log_level'] =\
config.pki_jython_log_level
config.pki_master_dict['pki_deployment_cfg'] = config.pkideployment_cfg
diff --git a/base/deploy/src/scriptlets/security_databases.py b/base/deploy/src/scriptlets/security_databases.py
index f46f9180a..0cc660b3a 100644
--- a/base/deploy/src/scriptlets/security_databases.py
+++ b/base/deploy/src/scriptlets/security_databases.py
@@ -39,88 +39,40 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
return self.rv
config.pki_log.info(log.SECURITY_DATABASES_SPAWN_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
- if not config.pki_dry_run_flag:
- util.password.create_password_conf(
- master['pki_shared_password_conf'],
- sensitive['pki_pin'])
- # Since 'certutil' does NOT strip the 'token=' portion of
- # the 'token=password' entries, create a temporary server 'pfile'
- # which ONLY contains the 'password' for the purposes of
- # allowing 'certutil' to generate the security databases
- util.password.create_password_conf(
- master['pki_shared_pfile'],
- sensitive['pki_pin'], pin_sans_token=True)
- util.file.modify(master['pki_shared_password_conf'])
- util.certutil.create_security_databases(
- master['pki_database_path'],
- master['pki_cert_database'],
- master['pki_key_database'],
- master['pki_secmod_database'],
- password_file=master['pki_shared_pfile'])
- util.file.modify(master['pki_cert_database'], perms=\
- config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)
- util.file.modify(master['pki_key_database'], perms=\
- config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)
- util.file.modify(master['pki_secmod_database'], perms=\
- config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)
+ util.password.create_password_conf(
+ master['pki_shared_password_conf'],
+ sensitive['pki_pin'])
+ # Since 'certutil' does NOT strip the 'token=' portion of
+ # the 'token=password' entries, create a temporary server 'pfile'
+ # which ONLY contains the 'password' for the purposes of
+ # allowing 'certutil' to generate the security databases
+ util.password.create_password_conf(
+ master['pki_shared_pfile'],
+ sensitive['pki_pin'], pin_sans_token=True)
+ util.file.modify(master['pki_shared_password_conf'])
+ util.certutil.create_security_databases(
+ master['pki_database_path'],
+ master['pki_cert_database'],
+ master['pki_key_database'],
+ master['pki_secmod_database'],
+ password_file=master['pki_shared_pfile'])
+ util.file.modify(master['pki_cert_database'], perms=\
+ config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)
+ util.file.modify(master['pki_key_database'], perms=\
+ config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)
+ util.file.modify(master['pki_secmod_database'], perms=\
+ config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)
- if util.instance.tomcat_instance_subsystems() < 2:
- # only create a self signed cert for a new instance
- rv = util.certutil.verify_certificate_exists(
- master['pki_database_path'],
- master['pki_cert_database'],
- master['pki_key_database'],
- master['pki_secmod_database'],
- master['pki_self_signed_token'],
- master['pki_self_signed_nickname'],
- password_file=master['pki_shared_pfile'])
- if not rv:
- util.file.generate_noise_file(
- master['pki_self_signed_noise_file'],
- master['pki_self_signed_noise_bytes'])
- util.certutil.generate_self_signed_certificate(
- master['pki_database_path'],
- master['pki_cert_database'],
- master['pki_key_database'],
- master['pki_secmod_database'],
- master['pki_self_signed_token'],
- master['pki_self_signed_nickname'],
- master['pki_self_signed_subject'],
- master['pki_self_signed_serial_number'],
- master['pki_self_signed_validity_period'],
- master['pki_self_signed_issuer_name'],
- master['pki_self_signed_trustargs'],
- master['pki_self_signed_noise_file'],
- password_file=master['pki_shared_pfile'])
- # Delete the temporary 'noise' file
- util.file.delete(master['pki_self_signed_noise_file'])
- # Delete the temporary 'pfile'
- util.file.delete(master['pki_shared_pfile'])
- else:
- util.password.create_password_conf(
- master['pki_shared_password_conf'],
- sensitive['pki_pin'])
- # Since 'certutil' does NOT strip the 'token=' portion of
- # the 'token=password' entries, create a temporary server 'pfile'
- # which ONLY contains the 'password' for the purposes of
- # allowing 'certutil' to generate the security databases
- util.password.create_password_conf(
- master['pki_shared_pfile'],
- sensitive['pki_pin'], pin_sans_token=True)
- util.certutil.create_security_databases(
- master['pki_database_path'],
- master['pki_cert_database'],
- master['pki_key_database'],
- master['pki_secmod_database'],
- password_file=master['pki_shared_pfile'])
+ if util.instance.tomcat_instance_subsystems() < 2:
+ # only create a self signed cert for a new instance
rv = util.certutil.verify_certificate_exists(
- master['pki_database_path'],
- master['pki_cert_database'],
- master['pki_key_database'],
- master['pki_secmod_database'],
- master['pki_self_signed_token'],
- master['pki_self_signed_nickname'],
- password_file=master['pki_shared_pfile'])
+ master['pki_database_path'],
+ master['pki_cert_database'],
+ master['pki_key_database'],
+ master['pki_secmod_database'],
+ master['pki_self_signed_token'],
+ master['pki_self_signed_nickname'],
+ password_file=master['pki_shared_pfile'])
if not rv:
util.file.generate_noise_file(
master['pki_self_signed_noise_file'],
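Review bot: On the new side the temporary `master['pki_shared_pfile']`, which holds the bare PIN from `sensitive['pki_pin']`, is created and then read by `util.certutil.create_security_databases` and `verify_certificate_exists`, but unlike `master['pki_shared_password_conf']` it receives no `util.file.modify(...)` call, so its permissions rest on whatever `create_password_conf` applies — not visible here and worth confirming. The `util.file.delete(master['pki_shared_pfile'])` cleanup that the removed dry-run branch showed presumably survives after the self-signed-certificate step beyond this hunk, so an exception from any of the certutil calls in between leaves the PIN on disk; wrapping the span from the pfile's creation to its deletion in `try:` / `finally:` with the delete in the `finally` would make that cleanup unconditional. The `spawn` method continues past the end of this hunk.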
@@ -153,31 +105,16 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
def destroy(self):
config.pki_log.info(log.SECURITY_DATABASES_DESTROY_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
- if not config.pki_dry_run_flag:
- if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
- util.instance.apache_instance_subsystems() == 0:
- util.file.delete(master['pki_cert_database'])
- util.file.delete(master['pki_key_database'])
- util.file.delete(master['pki_secmod_database'])
- util.file.delete(master['pki_shared_password_conf'])
- elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
- util.instance.tomcat_instance_subsystems() == 0:
- util.file.delete(master['pki_cert_database'])
- util.file.delete(master['pki_key_database'])
- util.file.delete(master['pki_secmod_database'])
- util.file.delete(master['pki_shared_password_conf'])
- else:
- # ALWAYS display correct information (even during dry_run)
- if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
- util.instance.apache_instance_subsystems() == 1:
- util.file.delete(master['pki_cert_database'])
- util.file.delete(master['pki_key_database'])
- util.file.delete(master['pki_secmod_database'])
- util.file.delete(master['pki_shared_password_conf'])
- elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
- util.instance.tomcat_instance_subsystems() == 1:
- util.file.delete(master['pki_cert_database'])
- util.file.delete(master['pki_key_database'])
- util.file.delete(master['pki_secmod_database'])
- util.file.delete(master['pki_shared_password_conf'])
+ if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
+ util.instance.apache_instance_subsystems() == 0:
+ util.file.delete(master['pki_cert_database'])
+ util.file.delete(master['pki_key_database'])
+ util.file.delete(master['pki_secmod_database'])
+ util.file.delete(master['pki_shared_password_conf'])
+ elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
+ util.instance.tomcat_instance_subsystems() == 0:
+ util.file.delete(master['pki_cert_database'])
+ util.file.delete(master['pki_key_database'])
+ util.file.delete(master['pki_secmod_database'])
+ util.file.delete(master['pki_shared_password_conf'])
return self.rv
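Review bot: The `== 0` tests kept on the new side of `destroy` rely on this subsystem having already been removed from the instance's subsystem count by an earlier destroy step; nothing in the hunk states that, and the deleted dry-run branch used `== 1` for what it called the "correct information", which shows the threshold depends on ordering. A comment above the first `if`, such as `# by this point the subsystem's own tree is gone, so a count of 0 means no other subsystem still shares these databases`, would make the dependency explicit for the next person who reorders the scriptlets. `self.rv` is returned unchanged whether or not the databases were deleted, which looks deliberate but is worth a one-line comment too.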