From 14243746edd14be2564b625c4a940c4723c168f1 Mon Sep 17 00:00:00 2001
From: Matthew Harmsen
Date: Tue, 24 Jul 2012 11:28:29 -0700
Subject: PKI Deployment Scriptlets
* PKI TRAC Ticket #244 - Non-user-friendly message when deleting non-existent subsystem with pkidestroy
* PKI TRAC Ticket #246 - Incorrect parameter names in pkispawn configuration
* PKI TRAC Ticket #248 - pki_ds_database should not be a DN
* PKI TRAC Ticket #249 - pki_ds_base_dn causing pkispawn failure
* PKI TRAC Ticket #250 - Creating/removing custom instances should not require http/ajp ports
* PKI TRAC Ticket #251 - Instance name may conflict with other files
* PKI TRAC Ticket #253 - Fix pki-destroy removal of '/var/log/pki/{pki_instance_id}' directory . . .
* PKI TRAC Ticket #254 - Dogtag 10: Fix spec file to build successfully via mock on Fedora 17 . . .
* PKI TRAC Ticket #255 - Missing resteasy-atom-provider.jar
* PKI TRAC Ticket #260 - Dogtag 10: Change the layout of 'pki_instance_id' . . .
---
 base/deploy/src/scriptlets/pkihelper.py | 156 ++++++++++++++++++++++++--------
 1 file changed, 117 insertions(+), 39 deletions(-)
(limited to 'base/deploy/src/scriptlets/pkihelper.py')
diff --git a/base/deploy/src/scriptlets/pkihelper.py b/base/deploy/src/scriptlets/pkihelper.py
index 1ceb65898..31877bf4f 100644
--- a/base/deploy/src/scriptlets/pkihelper.py
+++ b/base/deploy/src/scriptlets/pkihelper.py
@@ -305,6 +305,113 @@ class identity:
 return pki_gid
+# PKI Deployment Namespace Class
+class namespace:
+ # Silently verify that the selected 'pki_instance_name' will
+ # NOT produce any namespace collisions
+ def collision_detection(self):
+ # Run simple checks for pre-existing namespace collisions
+ if os.path.exists(master['pki_instance_path']):
+ if os.path.exists(master['pki_subsystem_path']):
+ # Top-Level PKI base path collision
+ config.pki_log.error(
+ log.PKIHELPER_NAMESPACE_COLLISION_2,
+ master['pki_instance_id'],
+ master['pki_instance_path'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ else:
+ if os.path.exists(master['pki_target_tomcat_conf_instance_id']):
+ # Top-Level "/etc/sysconfig" path collision
+ config.pki_log.error(
+ log.PKIHELPER_NAMESPACE_COLLISION_2,
+ master['pki_instance_id'],
+ master['pki_target_tomcat_conf_instance_id'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ if os.path.exists(master['pki_cgroup_systemd_service']):
+ # Systemd cgroup path collision
+ config.pki_log.error(
+ log.PKIHELPER_NAMESPACE_COLLISION_2,
+ master['pki_instance_id'],
+ master['pki_cgroup_systemd_service_path'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ if os.path.exists(master['pki_cgroup_cpu_systemd_service']):
+ # Systemd cgroup CPU path collision
+ config.pki_log.error(
+ log.PKIHELPER_NAMESPACE_COLLISION_2,
+ master['pki_instance_id'],
+ master['pki_cgroup_cpu_systemd_service_path'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ if os.path.exists(master['pki_instance_log_path']) and\
+ os.path.exists(master['pki_subsystem_log_path']):
+ # Top-Level PKI log path collision
+ config.pki_log.error(
+ log.PKIHELPER_NAMESPACE_COLLISION_2,
+ master['pki_instance_id'],
+ master['pki_instance_log_path'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ if os.path.exists(master['pki_instance_configuration_path']) and\
+ os.path.exists(master['pki_subsystem_configuration_path']):
+ # Top-Level PKI configuration path collision
+ config.pki_log.error(
+ log.PKIHELPER_NAMESPACE_COLLISION_2,
+ master['pki_instance_id'],
+ master['pki_instance_configuration_path'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ if os.path.exists(master['pki_instance_registry_path']) and\
+ os.path.exists(master['pki_subsystem_registry_path']):
+ # Top-Level PKI registry path collision
+ config.pki_log.error(
+ log.PKIHELPER_NAMESPACE_COLLISION_2,
+ master['pki_instance_id'],
+ master['pki_instance_registry_path'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ # Run simple checks for reserved name namespace collisions
+ if master['pki_instance_id'] in config.PKI_BASE_RESERVED_NAMES:
+ # Top-Level PKI base path reserved name collision
+ config.pki_log.error(
+ log.PKIHELPER_NAMESPACE_RESERVED_NAME_2,
+ master['pki_instance_id'],
+ master['pki_instance_path'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ # No need to check for reserved name under Top-Level PKI log path
+ if master['pki_instance_id'] in config.PKI_CONFIGURATION_RESERVED_NAMES:
+ # Top-Level PKI configuration path reserved name collision
+ config.pki_log.error(
+ log.PKIHELPER_NAMESPACE_RESERVED_NAME_2,
+ master['pki_instance_id'],
+ master['pki_instance_configuration_path'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS:
+ # Top-Level Apache PKI registry path reserved name collision
+ if master['pki_instance_id'] in\
+ config.PKI_APACHE_REGISTRY_RESERVED_NAMES:
+ config.pki_log.error(
+ log.PKIHELPER_NAMESPACE_RESERVED_NAME_2,
+ master['pki_instance_id'],
+ master['pki_instance_registry_path'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+ elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
+ # Top-Level Tomcat PKI registry path reserved name collision
+ if master['pki_instance_id'] in\
+ config.PKI_TOMCAT_REGISTRY_RESERVED_NAMES:
+ config.pki_log.error(
+ log.PKIHELPER_NAMESPACE_RESERVED_NAME_2,
+ master['pki_instance_id'],
+ master['pki_instance_registry_path'],
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ sys.exit(1)
+
+
 # PKI Deployment Configuration File Class
 class configuration_file:
 def verify_sensitive_data(self):
@@ -346,22 +453,18 @@ class configuration_file:
 sys.exit(1)
 # Verify existence of PKCS #12 Password (ONLY for Clones)
 if config.str2bool(master['pki_clone']):
- if not sensitive.has_key('pki_pkcs12_password') or\
- not len(sensitive['pki_pkcs12_password']):
+ if not sensitive.has_key('pki_clone_pkcs12_password') or\
+ not len(sensitive['pki_clone_pkcs12_password']):
 config.pki_log.error(
- log.PKIHELPER_UNDEFINED_PKCS12_PASSWORD_1,
+ log.PKIHELPER_UNDEFINED_CLONE_PKCS12_PASSWORD_1,
 config.pkideployment_cfg,
 extra=config.PKI_INDENTATION_LEVEL_2)
 sys.exit(1)
 # Verify existence of Security Domain Password File
- # (ONLY for Clones, Subordinate CA, KRA, OCSP, RA, TKS, or TPS)
+ # (ONLY for Clones, KRA, OCSP, TKS, or Subordinate CA)
 if config.str2bool(master['pki_clone']) or\
- config.str2bool(master['pki_subordinate']) or\
- master['pki_subsystem'] == "KRA" or\
- master['pki_subsystem'] == "OCSP" or\
- master['pki_subsystem'] == "RA" or\
- master['pki_subsystem'] == "TKS" or\
- master['pki_subsystem'] == "TPS":
+ not master['pki_subsystem'] == "CA" or\
+ config.str2bool(master['pki_subordinate']):
 if not sensitive.has_key('pki_security_domain_password') or\
 not len(sensitive['pki_security_domain_password']):
 config.pki_log.error(
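Review bot: The two systemd cgroup checks in collision_detection test one key but report another: `os.path.exists(master['pki_cgroup_systemd_service'])` is followed by a log call that reads `master['pki_cgroup_systemd_service_path']`, and the CPU check does the same with `pki_cgroup_cpu_systemd_service` versus `pki_cgroup_cpu_systemd_service_path`. If the `_path` variants are not both defined in `master`, the error branch raises KeyError instead of printing the collision message; if they are, the path reported may not be the one that was found to exist, so the same key should be used in both places (which one is correct cannot be told from this hunk). Separately, `os.path.exists()` follows symlinks and returns False for a dangling link, so a stale symlink left at any of these instance paths passes collision detection even though the deployment will later try to create files there; `os.path.lexists()` treats such a link as an occupant and is the safer test for every check in this method. The check is also necessarily racy against the later creation steps, so those steps should still fail rather than silently reuse a path that appeared in between.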
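Review bot: The rewritten condition `not master['pki_subsystem'] == "CA" or\` in verify_sensitive_data is clearer as `master['pki_subsystem'] != "CA" or\`, and it now demands a security domain password for every non-CA subsystem, while the comment directly above lists only KRA, OCSP and TKS; either the comment should read "any non-CA subsystem" or the code should keep an explicit list so the two agree. The new lines also carry forward the Python 2-only `sensitive.has_key('pki_clone_pkcs12_password')`; `'pki_clone_pkcs12_password' not in sensitive` expresses the same test and works on both Python 2 and 3. verify_sensitive_data starts and ends outside the hunk.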
@@ -407,16 +510,16 @@ class configuration_file:
 def populate_non_default_ports(self):
 if master['pki_http_port'] != \
- config.PKI_DEPLOYMENT_DEFAULT_HTTP_PORT:
+ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_HTTP_PORT:
 ports.append(master['pki_http_port'])
 if master['pki_https_port'] != \
- config.PKI_DEPLOYMENT_DEFAULT_HTTPS_PORT:
+ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_HTTPS_PORT:
 ports.append(master['pki_https_port'])
 if master['pki_tomcat_server_port'] != \
 config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_SERVER_PORT:
 ports.append(master['pki_tomcat_server_port'])
 if master['pki_ajp_port'] != \
- config.PKI_DEPLOYMENT_DEFAULT_AJP_PORT:
+ config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_AJP_PORT:
 ports.append(master['pki_ajp_port'])
 return
@@ -574,32 +677,6 @@ class instance:
 sys.exit(1)
 return rv
- def verify_subsystem_exists(self):
- try:
- if not os.path.exists(master['pki_subsystem_path']):
- config.pki_log.error(log.PKI_SUBSYSTEM_DOES_NOT_EXIST_2,
- master['pki_subsystem'],
- master['pki_instance_id'],
- extra=config.PKI_INDENTATION_LEVEL_1)
- sys.exit(1)
- except OSError as exc:
- config.pki_log.error(log.PKI_OSERROR_1, exc,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
-
- def verify_subsystem_does_not_exist(self):
- try:
- if os.path.exists(master['pki_subsystem_path']):
- config.pki_log.error(log.PKI_SUBSYSTEM_ALREADY_EXISTS_2,
- master['pki_subsystem'],
- master['pki_instance_id'],
- extra=config.PKI_INDENTATION_LEVEL_1)
- sys.exit(1)
- except OSError as exc:
- config.pki_log.error(log.PKI_OSERROR_1, exc,
- extra=config.PKI_INDENTATION_LEVEL_2)
- sys.exit(1)
-
 # PKI Deployment Directory Class
 class directory:
@@ -2099,6 +2176,7 @@ class jython:
 # PKI Deployment Helper Class Instances
 identity = identity()
+namespace = namespace()
 configuration_file = configuration_file()
 #xml_file = xml_file()
 instance = instance()
-- cgit