From 8acab668775a85931c33e68eb79b2cf822b7c631 Mon Sep 17 00:00:00 2001 From: Ade Lee Date: Fri, 1 Feb 2013 14:21:25 -0500 Subject: Change pkidestroy to get an install token and use admin interface to update security domain. --- base/deploy/src/pkidestroy | 20 ++ base/deploy/src/scriptlets/initialization.py | 6 +- base/deploy/src/scriptlets/pkiconfig.py | 2 + base/deploy/src/scriptlets/pkihelper.py | 371 ++++++++++++++++----------- base/deploy/src/scriptlets/pkimessages.py | 2 + 5 files changed, 257 insertions(+), 144 deletions(-) diff --git a/base/deploy/src/pkidestroy b/base/deploy/src/pkidestroy index ba52d9642..839e1cad5 100755 --- a/base/deploy/src/pkidestroy +++ b/base/deploy/src/pkidestroy @@ -100,6 +100,18 @@ def main(argv): nargs=1, metavar='', help='FORMAT: ${pki_instance_name}') + parser.optional.add_argument('-u', + dest='pki_secdomain_user', + action='store', + nargs=1, metavar='', + help='security domain user') + + parser.optional.add_argument('-w', + dest='pki_secdomain_pass', + action='store', + nargs=1, metavar='', + help='security domain password') + args = parser.process_command_line_arguments(argv) interactive = False @@ -142,6 +154,14 @@ def main(argv): else: break + # '-u' + if args.pki_secdomain_user: + config.pki_secdomain_user = str(args.pki_secdomain_user).strip('[\']') + + # '-w' + if args.pki_secdomain_pass: + config.pki_secdomain_pass = str(args.pki_secdomain_pass).strip('[\']') + # verify that previously deployed instance exists deployed_pki_instance_path = config.pki_root_prefix +\ config.PKI_DEPLOYMENT_BASE_ROOT + "/" +\ diff --git a/base/deploy/src/scriptlets/initialization.py b/base/deploy/src/scriptlets/initialization.py index 102fd4245..3494ebdc7 100644 --- a/base/deploy/src/scriptlets/initialization.py +++ b/base/deploy/src/scriptlets/initialization.py @@ -105,6 +105,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): # get ports to remove selinux context util.configuration_file.populate_non_default_ports() + # get deinstallation token + token = util.security_domain.get_installation_token( + config.pki_secdomain_user, config.pki_secdomain_pass) + # remove kra connector from CA if this is a KRA util.kra_connector.deregister() @@ -116,7 +120,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): # instance's security domain may be a part of a # tightly-coupled shared instance. # - util.security_domain.deregister() + util.security_domain.deregister(token) # ALWAYS Stop this Apache/Tomcat PKI Process util.systemd.stop() return self.rv diff --git a/base/deploy/src/scriptlets/pkiconfig.py b/base/deploy/src/scriptlets/pkiconfig.py index cdd671c91..1a4c77cb1 100644 --- a/base/deploy/src/scriptlets/pkiconfig.py +++ b/base/deploy/src/scriptlets/pkiconfig.py @@ -119,6 +119,8 @@ default_deployment_cfg = None user_deployment_cfg = None # 'pkidestroy' ONLY pki_deployed_instance_name = None +pki_secdomain_user = None +pki_secdomain_pass = None # PKI Deployment "Optional" Command-Line Variables # 'pkispawn' ONLY diff --git a/base/deploy/src/scriptlets/pkihelper.py b/base/deploy/src/scriptlets/pkihelper.py index c58fcf0e8..7eae9324d 100644 --- a/base/deploy/src/scriptlets/pkihelper.py +++ b/base/deploy/src/scriptlets/pkihelper.py @@ -2415,156 +2415,187 @@ class kra_connector: # PKI Deployment Security Domain Class class security_domain: - def deregister(self, critical_failure=False): - try: - # process this PKI subsystem instance's 'CS.cfg' - cs_cfg = PKIConfigParser.read_simple_configuration_file(master['pki_target_cs_cfg']) - - # assign key name/value pairs - machinename = cs_cfg.get('service.machineName') - sport = cs_cfg.get('service.securityDomainPort') - ncsport = cs_cfg.get('service.non_clientauth_securePort', '') - sechost = cs_cfg.get('securitydomain.host') - httpport = cs_cfg.get('securitydomain.httpport') - seceeport = cs_cfg.get('securitydomain.httpseeport') - secagentport = cs_cfg.get('securitydomain.httpsagentport') - secadminport = cs_cfg.get('securitydomain.httpsadminport') - secname = cs_cfg.get('securitydomain.name', 'unknown') - secselect = cs_cfg.get('securitydomain.select') - adminsport = cs_cfg.get('pkicreate.admin_secure_port', '') - typeval = cs_cfg.get('cs.type', '') - agentsport = cs_cfg.get('pkicreate.agent_secure_port', '') - token_pwd = None + def deregister(self, install_token, critical_failure=False): + # process this PKI subsystem instance's 'CS.cfg' + cs_cfg = PKIConfigParser.read_simple_configuration_file( + master['pki_target_cs_cfg']) + + # assign key name/value pairs + machinename = cs_cfg.get('service.machineName') + sport = cs_cfg.get('service.securityDomainPort') + ncsport = cs_cfg.get('service.non_clientauth_securePort', '') + sechost = cs_cfg.get('securitydomain.host') + httpport = cs_cfg.get('securitydomain.httpport') + seceeport = cs_cfg.get('securitydomain.httpseeport') + secagentport = cs_cfg.get('securitydomain.httpsagentport') + secadminport = cs_cfg.get('securitydomain.httpsadminport') + secname = cs_cfg.get('securitydomain.name', 'unknown') + secselect = cs_cfg.get('securitydomain.select') + adminsport = cs_cfg.get('pkicreate.admin_secure_port', '') + typeval = cs_cfg.get('cs.type', '') + agentsport = cs_cfg.get('pkicreate.agent_secure_port', '') + + # NOTE: Don't check for the existence of 'httpport', as this will + # be undefined for a Security Domain that has been migrated! + if sechost is None or\ + seceeport is None or\ + secagentport is None or\ + secadminport is None: + config.pki_log.warning( + log.PKIHELPER_SECURITY_DOMAIN_UPDATE_FAILURE_2, + typeval, + secname, + extra=config.PKI_INDENTATION_LEVEL_2) + config.pki_log.error( + log.PKIHELPER_SECURITY_DOMAIN_UNDEFINED, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(-1) + else: + return - # retrieve subsystem nickname - subsystemnick_param = typeval.lower() + ".cert.subsystem.nickname" - subsystemnick = cs_cfg.get(subsystemnick_param) - if subsystemnick is None: + config.pki_log.info(log.PKIHELPER_SECURITY_DOMAIN_CONTACT_1, + secname, + extra=config.PKI_INDENTATION_LEVEL_2) + listval = typeval.lower() + "List" + urlheader = "https://{}:{}".format(sechost, seceeport) + urlagentheader = "https://{}:{}".format(sechost, secagentport) + urladminheader = "https://{}:{}".format(sechost, secadminport) + updateURL = "/ca/agent/ca/updateDomainXML" + + params = "name=" + "\"" + master['pki_instance_path'] + "\"" +\ + "&type=" + str(typeval) +\ + "&list=" + str(listval) +\ + "&host=" + str(machinename) +\ + "&sport=" + str(sport) +\ + "&ncsport=" + str(ncsport) +\ + "&adminsport=" + str(adminsport) +\ + "&agentsport=" + str(agentsport) +\ + "&operation=remove" + + if install_token: + try: + # first try install token-based servlet + params += "&sessionID=" + str(install_token) + adminUpdateURL = "/ca/admin/ca/updateDomainXML" + command = "/usr/bin/sslget -p 123456 -d '{}' -e '{}' "\ + "-v -r '{}' {}:{} 2>&1".format( + master['pki_database_path'], + params, adminUpdateURL, + sechost, secadminport) + output = subprocess.check_output(command, + stderr=subprocess.STDOUT, + shell=True) + except subprocess.CalledProcessError as exc: config.pki_log.warning( - log.PKIHELPER_SECURITY_DOMAIN_UPDATE_FAILURE_2, - typeval, + log.PKIHELPER_SECURITY_DOMAIN_UNREACHABLE_1, secname, extra=config.PKI_INDENTATION_LEVEL_2) - config.pki_log.error( - log.PKIHELPER_UNDEFINED_SUBSYSTEM_NICKNAME, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(-1) - else: - return + output = self.update_domain_using_agent_port(typeval, + secname, params, updateURL, sechost, secagentport, + critical_failure) + else: + output = self.update_domain_using_agent_port(typeval, + secname, params, updateURL, sechost, secagentport, + critical_failure) - # retrieve name of token based upon type (hardware/software) - if ':' in subsystemnick: - token_name = subsystemnick.split(':')[0] + if not output: + if critical_failure == True: + sys.exit(-1) else: - token_name = "internal" + return + + config.pki_log.debug(log.PKIHELPER_SSLGET_OUTPUT_1, + output, + extra=config.PKI_INDENTATION_LEVEL_2) + # Search the output for Status + status = re.findall("\(.*?)\<\/Status\>", output) + if not status: + config.pki_log.warning( + log.PKIHELPER_SECURITY_DOMAIN_UNREACHABLE_1, + secname, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(-1) + elif status[0] != "0": + error = re.findall("\(.*?)\<\/Error\>", output) + if not error: + error = "" + config.pki_log.warning( + log.PKIHELPER_SECURITY_DOMAIN_UNREGISTERED_2, + typeval, + secname, + extra=config.PKI_INDENTATION_LEVEL_2) + config.pki_log.error( + log.PKIHELPER_SECURITY_DOMAIN_UPDATE_FAILURE_3, + typeval, + secname, + error, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(-1) + else: + config.pki_log.info( + log.PKIHELPER_SECURITY_DOMAIN_UPDATE_SUCCESS_2, + typeval, + secname, + extra=config.PKI_INDENTATION_LEVEL_2) - # NOTE: Don't check for the existence of 'httpport', as this will - # be undefined for a Security Domain that has been migrated! - if sechost is None or\ - seceeport is None or\ - secagentport is None or\ - secadminport is None: - config.pki_log.warning( - log.PKIHELPER_SECURITY_DOMAIN_UPDATE_FAILURE_2, - typeval, - secname, - extra=config.PKI_INDENTATION_LEVEL_2) - config.pki_log.error( - log.PKIHELPER_SECURITY_DOMAIN_UNDEFINED, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(-1) - else: - return + def update_domain_using_agent_port(self, typeval, secname, params, + updateURL, sechost, secagentport, critical_failure= False): + token_pwd = None + cs_cfg = PKIConfigParser.read_simple_configuration_file( + master['pki_target_cs_cfg']) + # retrieve subsystem nickname + subsystemnick_param = typeval.lower() + ".cert.subsystem.nickname" + subsystemnick = cs_cfg.get(subsystemnick_param) + if subsystemnick is None: + config.pki_log.warning( + log.PKIHELPER_SECURITY_DOMAIN_UPDATE_FAILURE_2, + typeval, + secname, + extra=config.PKI_INDENTATION_LEVEL_2) + config.pki_log.error( + log.PKIHELPER_UNDEFINED_SUBSYSTEM_NICKNAME, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(-1) + else: + return - if secselect != "new": - # This is not a domain master, so we need to update the master - config.pki_log.info(log.PKIHELPER_SECURITY_DOMAIN_CONTACT_1, - secname, - extra=config.PKI_INDENTATION_LEVEL_2) - listval = typeval.lower() + "List" - urlheader = "https://{}:{}".format(sechost, seceeport) - urlagentheader = "https://{}:{}".format(sechost, secagentport) - urladminheader = "https://{}:{}".format(sechost, secadminport) - updateURL = "/ca/agent/ca/updateDomainXML" - - token_pwd = password.get_password( - master['pki_shared_password_conf'], - token_name, - critical_failure) - if token_pwd is None or token_pwd == '': - config.pki_log.warning( - log.PKIHELPER_SECURITY_DOMAIN_UPDATE_FAILURE_2, - typeval, - secname, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(-1) - else: - return - - params = "name=" + "\"" + master['pki_instance_path'] + "\"" +\ - "&type=" + str(typeval) +\ - "&list=" + str(listval) +\ - "&host=" + str(machinename) +\ - "&sport=" + str(sport) +\ - "&ncsport=" + str(ncsport) +\ - "&adminsport=" + str(adminsport) +\ - "&agentsport=" + str(agentsport) +\ - "&operation=remove" - - # Compose this "sslget" command - # - # REMINDER: NEVER log this command as it contains - # an exposed password in plaintext! - # - command = "/usr/bin/sslget -n '{}' -p '{}' -d '{}' -e '{}' "\ - "-v -r '{}' {}:{} 2>&1".format( - subsystemnick, token_pwd, - master['pki_database_path'], - params, updateURL, - sechost, secagentport) - # update domainXML - # Execute this "sslget" command - output = subprocess.check_output(command, - stderr=subprocess.STDOUT, - shell=True) - config.pki_log.debug(log.PKIHELPER_SSLGET_OUTPUT_1, - output, - extra=config.PKI_INDENTATION_LEVEL_2) - # Search the output for Status - status = re.findall("\(.*?)\<\/Status\>", output) - if not status: - config.pki_log.warning( - log.PKIHELPER_SECURITY_DOMAIN_UNREACHABLE_1, - secname, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(-1) - elif status[0] != "0": - error = re.findall("\(.*?)\<\/Error\>", output) - if not error: - error = "" - config.pki_log.warning( - log.PKIHELPER_SECURITY_DOMAIN_UNREGISTERED_2, - typeval, - secname, - extra=config.PKI_INDENTATION_LEVEL_2) - config.pki_log.error( - log.PKIHELPER_SECURITY_DOMAIN_UPDATE_FAILURE_3, - typeval, - secname, - error, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(-1) - else: - config.pki_log.info( - log.PKIHELPER_SECURITY_DOMAIN_UPDATE_SUCCESS_2, - typeval, - secname, - extra=config.PKI_INDENTATION_LEVEL_2) + # retrieve name of token based upon type (hardware/software) + if ':' in subsystemnick: + token_name = subsystemnick.split(':')[0] + else: + token_name = "internal" + + token_pwd = password.get_password( + master['pki_shared_password_conf'], + token_name, + critical_failure) + + if token_pwd is None or token_pwd == '': + config.pki_log.warning( + log.PKIHELPER_SECURITY_DOMAIN_UPDATE_FAILURE_2, + typeval, + secname, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(-1) + else: + return + + command = "/usr/bin/sslget -n '{}' -p '{}' -d '{}' -e '{}' "\ + "-v -r '{}' {}:{} 2>&1".format( + subsystemnick, token_pwd, + master['pki_database_path'], + params, updateURL, + sechost, secagentport) + try: + output = subprocess.check_output(command, + stderr=subprocess.STDOUT, + shell=True) + return output except subprocess.CalledProcessError as exc: config.pki_log.warning( log.PKIHELPER_SECURITY_DOMAIN_UPDATE_FAILURE_2, @@ -2579,8 +2610,62 @@ class security_domain: extra=config.PKI_INDENTATION_LEVEL_2) if critical_failure == True: sys.exit(-1) - return + return None + + + def get_installation_token(self, secuser, secpass, critical_failure=True): + token = None + + if not secuser or not secpass: + return None + + # process this PKI subsystem instance's 'CS.cfg' + cs_cfg = PKIConfigParser.read_simple_configuration_file( + master['pki_target_cs_cfg']) + + # assign key name/value pairs + machinename = cs_cfg.get('service.machineName') + cstype = cs_cfg.get('cs.type', '') + sechost = cs_cfg.get('securitydomain.host') + secadminport = cs_cfg.get('securitydomain.httpsadminport') + secselect = cs_cfg.get('securitydomain.select') + + command = "/bin/pki -p '{}' -h '{}' -P https -u '{}' -w '{}' "\ + "securitydomain-get-install-token --hostname {} "\ + "--subsystem {}".format( + secadminport, sechost, secuser, secpass, + machinename, cstype) + try: + output = subprocess.check_output(command, + stderr=subprocess.STDOUT, + shell=True) + + token_list = re.findall("Install token: \"(.*)\"", output) + if not token_list: + config.pki_log.error( + log.PKIHELPER_SECURITY_DOMAIN_GET_TOKEN_FAILURE_2, + str(sechost), + str(secadminport), + extra=config.PKI_INDENTATION_LEVEL_2) + config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, output, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(-1) + else: + token = token_list[0] + return token + except subprocess.CalledProcessError as exc: + config.pki_log.error( + log.PKIHELPER_SECURITY_DOMAIN_GET_TOKEN_FAILURE_2, + str(sechost), + str(secadminport), + extra=config.PKI_INDENTATION_LEVEL_2) + config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(-1) + return None # PKI Deployment 'systemd' Execution Management Class class systemd: diff --git a/base/deploy/src/scriptlets/pkimessages.py b/base/deploy/src/scriptlets/pkimessages.py index 3a6bec1e3..c16d3ce46 100644 --- a/base/deploy/src/scriptlets/pkimessages.py +++ b/base/deploy/src/scriptlets/pkimessages.py @@ -232,6 +232,8 @@ PKIHELPER_RM_RF_1 = "rm -rf %s" PKIHELPER_RMDIR_1 = "rmdir %s" PKIHELPER_SECURITY_DOMAIN_CONTACT_1 =\ "contacting the security domain master to update security domain '%s'" +PKIHELPER_SECURITY_DOMAIN_GET_TOKEN_FAILURE_2 =\ + "Failed to get installation token from security domain '%s:%s'" PKIHELPER_SECURITY_DOMAIN_UNDEFINED =\ "No security domain defined.\n"\ "If this is an unconfigured instance, then that is OK.\n"\ -- cgit