From 901141696b2206b35e498b03ff9867564057c84b Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Thu, 28 Apr 2016 20:02:05 +0200
Subject: Simplified the code to generate/load one-time PIN.
Instead of checking various installation scenarios (e.g. external CA step 2, standalone step 2, configuration-only mode), the code to generate or load the one-time PIN has been simplified as follows:
* if the PIN already exists (in CS.cfg), it will be reused
* if the PIN does not exist, the code will generate a new one
---
 .../python/pki/server/deployment/pkiparser.py | 55 +++++++++++++---------
 1 file changed, 32 insertions(+), 23 deletions(-)
diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
index 4d6e0185e..ba49ceefc 100644
--- a/base/server/python/pki/server/deployment/pkiparser.py
+++ b/base/server/python/pki/server/deployment/pkiparser.py
@@ -589,14 +589,22 @@ class PKIConfigParser:
 # if instance already exists and has password, reuse the password
 if internal_password in instance.passwords:
+ config.pki_log.info(
+ 'loading existing pin',
+ extra=config.PKI_INDENTATION_LEVEL_2)
 self.mdict['pki_pin'] = instance.passwords.get(internal_password)
 # otherwise, use user-provided password if specified
 elif 'pki_pin' in self.mdict:
- pass
+ config.pki_log.info(
+ 'using supplied pin',
+ extra=config.PKI_INDENTATION_LEVEL_2)
 # otherwise, generate a random password
 else:
+ config.pki_log.info(
+ 'generating a new pin',
+ extra=config.PKI_INDENTATION_LEVEL_2)
 self.mdict['pki_pin'] = \
 random.randint(pin_low, pin_high)
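Review bot: The three new log messages read 'loading existing pin', 'using supplied pin' and 'generating a new pin', while the second hunk of the same patch logs 'loading existing one-time PIN' and 'generate new one-time PIN'; the verb forms and capitalization should agree so the two PIN paths can be grepped together, e.g. `'generating new pin'` here and `'generating new one-time PIN'` in the second hunk. The messages report only which path was taken and never the PIN value itself, which keeps the secret out of the install log. The enclosing method begins before this hunk and continues past it.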
@@ -637,33 +645,34 @@ class PKIConfigParser:
 self.mdict['pki_target_registry'] = \
 os.path.join(self.mdict['pki_instance_registry_path'],
 self.mdict['pki_instance_name'])
- if config.str2bool(self.mdict['pki_external_step_two']) or\
- config.str2bool(self.mdict['pki_skip_installation']):
- # For CA (External CA Step 2) and Stand-alone PKI (Step 2),
- # use the 'pki_one_time_pin' established during the setup
- # of (Step 1)
- #
- # Similarly, if the only code being processed is for
- # configuration, re-use the 'pki_one_time_pin' generated
- # during the installation phase
- #
- if os.path.exists(self.mdict['pki_target_cs_cfg'])\
- and\
- os.path.isfile(self.mdict['pki_target_cs_cfg']):
- cs_cfg = self.read_simple_configuration_file(
- self.mdict['pki_target_cs_cfg'])
+
+ # If the one-time PIN already exists in CS.cfg from previous
+ # pkispawn execution (e.g. external CA step 1, standalone step 1,
+ # installation-only mode), reuse the existing PIN.
+ if os.path.exists(self.mdict['pki_target_cs_cfg']) and\
+ os.path.isfile(self.mdict['pki_target_cs_cfg']):
+
+ cs_cfg = self.read_simple_configuration_file(
+ self.mdict['pki_target_cs_cfg'])
+
+ if 'preop.pin' in cs_cfg:
+
+ config.pki_log.info(
+ 'loading existing one-time PIN',
+ extra=config.PKI_INDENTATION_LEVEL_2)
+
 self.mdict['pki_one_time_pin'] = \
 cs_cfg.get('preop.pin')
- else:
- config.pki_log.error(
- log.PKI_FILE_MISSING_OR_NOT_A_FILE_1,
- self.mdict['pki_target_cs_cfg'],
- extra=config.PKI_INDENTATION_LEVEL_2)
- raise Exception(log.PKI_FILE_MISSING_OR_NOT_A_FILE_1)
- else:
+
+ if 'pki_one_time_pin' not in self.mdict:
 # Generate a one-time pin to be used prior to configuration
 # and add this to the "sensitive" key value pairs read in from
 # the configuration file
+
+ config.pki_log.info(
+ 'generate new one-time PIN',
+ extra=config.PKI_INDENTATION_LEVEL_2)
+
 self.mdict['pki_one_time_pin'] = \
 ''.join(random.choice(string.ascii_letters + string.digits)
 for x in range(20))
--
cgit
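Review bot: Dropping the step-2/skip-installation branch also drops its fail-fast: when `pki_external_step_two` or `pki_skip_installation` is set and CS.cfg is missing or carries no `preop.pin`, the new code now falls through to `if 'pki_one_time_pin' not in self.mdict:` and mints a fresh PIN that cannot match the instance's stored `preop.pin`, so the misconfiguration surfaces later and less clearly than the old `PKI_FILE_MISSING_OR_NOT_A_FILE_1` error did. A guard before the generate branch would keep that behaviour, e.g. `if config.str2bool(self.mdict['pki_external_step_two']) or config.str2bool(self.mdict['pki_skip_installation']): raise Exception(log.PKI_FILE_MISSING_OR_NOT_A_FILE_1)` together with the matching `config.pki_log.error` call. Separately, `if 'preop.pin' in cs_cfg:` accepts an empty value, so an empty `preop.pin=` line would be loaded as the PIN and suppress regeneration (assuming read_simple_configuration_file keeps empty values); `if cs_cfg.get('preop.pin'):` covers both cases. The generation itself is on the unchanged line below and still draws from `random.choice`, which is not a CSPRNG; `random.SystemRandom().choice` is a drop-in replacement with the same call shape. The enclosing method starts before this hunk.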