From 318716f3425a1d818e0633453a1d27a68d2f7f5f Mon Sep 17 00:00:00 2001 From: Ade Lee Date: Fri, 9 Nov 2012 12:31:40 -0500 Subject: removed dry_run from pkispawn Ticket 411 --- base/deploy/src/scriptlets/pkijython.py | 508 ++++++++++++++++---------------- 1 file changed, 251 insertions(+), 257 deletions(-) (limited to 'base/deploy/src/scriptlets/pkijython.py') diff --git a/base/deploy/src/scriptlets/pkijython.py b/base/deploy/src/scriptlets/pkijython.py index 4321e0a2a..8d027f91a 100644 --- a/base/deploy/src/scriptlets/pkijython.py +++ b/base/deploy/src/scriptlets/pkijython.py @@ -218,15 +218,14 @@ def read_simple_configuration_file(filename): # PKI Deployment 'security databases' Class class security_databases: - def initialize_token(self, pki_database_path, pki_dry_run_flag, log_level): + def initialize_token(self, pki_database_path, log_level): try: if log_level >= config.PKI_JYTHON_INFO_LOG_LEVEL: print "%s %s '%s'" %\ (log.PKI_JYTHON_INDENTATION_2, log.PKI_JYTHON_INITIALIZING_TOKEN, pki_database_path) - if not pki_dry_run_flag: - CryptoManager.initialize(pki_database_path) + CryptoManager.initialize(pki_database_path) except AlreadyInitializedException, e: # it is ok if it is already initialized pass @@ -235,8 +234,7 @@ class security_databases: " " + str(e)) javasystem.exit(1) - def log_into_token(self, pki_database_path, password_conf, - pki_dry_run_flag, log_level): + def log_into_token(self, pki_database_path, password_conf, log_level): token = None try: if log_level >= config.PKI_JYTHON_INFO_LOG_LEVEL: @@ -244,28 +242,27 @@ class security_databases: (log.PKI_JYTHON_INDENTATION_2, log.PKI_JYTHON_LOG_INTO_TOKEN, pki_database_path) - if not pki_dry_run_flag: - manager = CryptoManager.getInstance() - token = manager.getInternalKeyStorageToken() - # Retrieve 'password' from client-side 'password_conf' - # - # NOTE: For now, ONLY read the first line - # (which contains "password") - # - fd = open(password_conf, "r") - token_pwd = fd.readline() - fd.close - # Convert 'token_pwd' into a 'java char[]' - jtoken_pwd = jarray.array(token_pwd, 'c') - password = Password(jtoken_pwd) - try: - token.login(password) - except Exception, e: - javasystem.out.println(log.PKI_JYTHON_LOGIN_EXCEPTION +\ - " " + str(e)) - if not token.isLoggedIn(): - token.initPassword(password, password) - javasystem.exit(1) + manager = CryptoManager.getInstance() + token = manager.getInternalKeyStorageToken() + # Retrieve 'password' from client-side 'password_conf' + # + # NOTE: For now, ONLY read the first line + # (which contains "password") + # + fd = open(password_conf, "r") + token_pwd = fd.readline() + fd.close + # Convert 'token_pwd' into a 'java char[]' + jtoken_pwd = jarray.array(token_pwd, 'c') + password = Password(jtoken_pwd) + try: + token.login(password) + except Exception, e: + javasystem.out.println(log.PKI_JYTHON_LOGIN_EXCEPTION +\ + " " + str(e)) + if not token.isLoggedIn(): + token.initPassword(password, password) + javasystem.exit(1) except Exception, e: javasystem.out.println(log.PKI_JYTHON_TOKEN_LOGIN_EXCEPTION +\ " " + str(e)) @@ -289,8 +286,7 @@ class rest_client: (log.PKI_JYTHON_INDENTATION_2, log.PKI_JYTHON_INITIALIZING_REST_CLIENT, client_config.serverURI) - if not master['pki_dry_run_flag']: - self.client = SystemConfigClient(client_config) + self.client = SystemConfigClient(client_config) return self.client except URISyntaxException, e: e.printStackTrace() @@ -421,132 +417,131 @@ class rest_client: (log.PKI_JYTHON_INDENTATION_2, log.PKI_JYTHON_CONSTRUCTING_PKI_DATA, master['pki_subsystem']) - if not master['pki_dry_run_flag']: - data = ConfigurationRequest() - - # Miscellaneous Configuration Information - data.setPin(self.sensitive['pki_one_time_pin']) - data.setToken(ConfigurationRequest.TOKEN_DEFAULT) - data.setSubsystemName(master['pki_subsystem_name']) - - # Hierarchy - if master['pki_instance_type'] == "Tomcat": - if master['pki_subsystem'] == "CA": - if config.str2bool(master['pki_clone']): - # Cloned CA - # alee - is this correct? - data.setHierarchy("root") - elif config.str2bool(master['pki_external']): - # External CA - data.setHierarchy("join") - elif config.str2bool(master['pki_subordinate']): - # Subordinate CA - data.setHierarchy("join") - else: - # PKI CA - data.setHierarchy("root") - - # Cloning parameters - if master['pki_instance_type'] == "Tomcat": - if config.str2bool(master['pki_clone']): - self.set_cloning_parameters(data) - else: - data.setIsClone("false") - - # Security Domain - if master['pki_subsystem'] != "CA" or\ - config.str2bool(master['pki_clone']) or\ - config.str2bool(master['pki_subordinate']): - # PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS, - # CA Clone, KRA Clone, OCSP Clone, TKS Clone, or - # Subordinate CA - self.set_existing_security_domain(data) - elif not config.str2bool(master['pki_external']): - # PKI CA - self.set_new_security_domain(data) + data = ConfigurationRequest() - if master['pki_subsystem'] != "RA": - self.set_database_parameters(data) + # Miscellaneous Configuration Information + data.setPin(self.sensitive['pki_one_time_pin']) + data.setToken(ConfigurationRequest.TOKEN_DEFAULT) + data.setSubsystemName(master['pki_subsystem_name']) - if master['pki_instance_type'] == "Tomcat": - self.set_backup_parameters(data) - - if not config.str2bool(master['pki_clone']): - self.set_admin_parameters(token, data) - - # Issuing CA Information - if master['pki_subsystem'] != "CA" or\ - config.str2bool(master['pki_clone']) or\ - config.str2bool(master['pki_subordinate']) or\ - config.str2bool(master['pki_external']): - # PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS, - # CA Clone, KRA Clone, OCSP Clone, TKS Clone, - # Subordinate CA, or External CA - data.setIssuingCA(master['pki_issuing_ca']) - - # Create system certs - systemCerts = ArrayList() - - # Create 'CA Signing Certificate' + # Hierarchy + if master['pki_instance_type'] == "Tomcat": if master['pki_subsystem'] == "CA": - if not config.str2bool(master['pki_clone']): - cert = self.create_system_cert("ca_signing") - cert.setSigningAlgorithm( - master['pki_ca_signing_signing_algorithm']) - systemCerts.add(cert) + if config.str2bool(master['pki_clone']): + # Cloned CA + # alee - is this correct? + data.setHierarchy("root") + elif config.str2bool(master['pki_external']): + # External CA + data.setHierarchy("join") + elif config.str2bool(master['pki_subordinate']): + # Subordinate CA + data.setHierarchy("join") + else: + # PKI CA + data.setHierarchy("root") - # Create 'OCSP Signing Certificate' - if not config.str2bool(master['pki_clone']): - if master['pki_subsystem'] == "CA" or\ - master['pki_subsystem'] == "OCSP": - # External CA, Subordinate CA, PKI CA, or PKI OCSP - cert2 = self.create_system_cert("ocsp_signing") - cert2.setSigningAlgorithm( - master['pki_ocsp_signing_signing_algorithm']) - systemCerts.add(cert2) - - # Create 'SSL Server Certificate' - # all subsystems - - # create new sslserver cert only if this is a new instance - cert3 = None - system_list = self.tomcat_instance_subsystems() - if len(system_list) >= 2: - data.setGenerateServerCert("false") - for subsystem in system_list: - dst = master['pki_instance_path'] + '/conf/' +\ - subsystem.lower() + '/CS.cfg' - if subsystem != master['pki_subsystem'] and \ - os.path.exists(dst): - cert3 = self.retrieve_existing_server_cert(dst) - break + # Cloning parameters + if master['pki_instance_type'] == "Tomcat": + if config.str2bool(master['pki_clone']): + self.set_cloning_parameters(data) else: - cert3 = self.create_system_cert("ssl_server") - systemCerts.add(cert3) - - # Create 'Subsystem Certificate' + data.setIsClone("false") + + # Security Domain + if master['pki_subsystem'] != "CA" or\ + config.str2bool(master['pki_clone']) or\ + config.str2bool(master['pki_subordinate']): + # PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS, + # CA Clone, KRA Clone, OCSP Clone, TKS Clone, or + # Subordinate CA + self.set_existing_security_domain(data) + elif not config.str2bool(master['pki_external']): + # PKI CA + self.set_new_security_domain(data) + + if master['pki_subsystem'] != "RA": + self.set_database_parameters(data) + + if master['pki_instance_type'] == "Tomcat": + self.set_backup_parameters(data) + + if not config.str2bool(master['pki_clone']): + self.set_admin_parameters(token, data) + + # Issuing CA Information + if master['pki_subsystem'] != "CA" or\ + config.str2bool(master['pki_clone']) or\ + config.str2bool(master['pki_subordinate']) or\ + config.str2bool(master['pki_external']): + # PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS, + # CA Clone, KRA Clone, OCSP Clone, TKS Clone, + # Subordinate CA, or External CA + data.setIssuingCA(master['pki_issuing_ca']) + + # Create system certs + systemCerts = ArrayList() + + # Create 'CA Signing Certificate' + if master['pki_subsystem'] == "CA": if not config.str2bool(master['pki_clone']): - cert4 = self.create_system_cert("subsystem") - systemCerts.add(cert4) + cert = self.create_system_cert("ca_signing") + cert.setSigningAlgorithm( + master['pki_ca_signing_signing_algorithm']) + systemCerts.add(cert) + + # Create 'OCSP Signing Certificate' + if not config.str2bool(master['pki_clone']): + if master['pki_subsystem'] == "CA" or\ + master['pki_subsystem'] == "OCSP": + # External CA, Subordinate CA, PKI CA, or PKI OCSP + cert2 = self.create_system_cert("ocsp_signing") + cert2.setSigningAlgorithm( + master['pki_ocsp_signing_signing_algorithm']) + systemCerts.add(cert2) + + # Create 'SSL Server Certificate' + # all subsystems + + # create new sslserver cert only if this is a new instance + cert3 = None + system_list = self.tomcat_instance_subsystems() + if len(system_list) >= 2: + data.setGenerateServerCert("false") + for subsystem in system_list: + dst = master['pki_instance_path'] + '/conf/' +\ + subsystem.lower() + '/CS.cfg' + if subsystem != master['pki_subsystem'] and \ + os.path.exists(dst): + cert3 = self.retrieve_existing_server_cert(dst) + break + else: + cert3 = self.create_system_cert("ssl_server") + systemCerts.add(cert3) - # Create 'Audit Signing Certificate' - if not config.str2bool(master['pki_clone']): - if master['pki_subsystem'] != "RA": - cert5 = self.create_system_cert("audit_signing") - cert5.setSigningAlgorithm( - master['pki_audit_signing_signing_algorithm']) - systemCerts.add(cert5) + # Create 'Subsystem Certificate' + if not config.str2bool(master['pki_clone']): + cert4 = self.create_system_cert("subsystem") + systemCerts.add(cert4) - # Create DRM Transport and storage Certificates - if not config.str2bool(master['pki_clone']): - if master['pki_subsystem'] == "KRA": - cert6 = self.create_system_cert("transport") - systemCerts.add(cert6) + # Create 'Audit Signing Certificate' + if not config.str2bool(master['pki_clone']): + if master['pki_subsystem'] != "RA": + cert5 = self.create_system_cert("audit_signing") + cert5.setSigningAlgorithm( + master['pki_audit_signing_signing_algorithm']) + systemCerts.add(cert5) + + # Create DRM Transport and storage Certificates + if not config.str2bool(master['pki_clone']): + if master['pki_subsystem'] == "KRA": + cert6 = self.create_system_cert("transport") + systemCerts.add(cert6) - cert7 = self.create_system_cert("storage") - systemCerts.add(cert7) + cert7 = self.create_system_cert("storage") + systemCerts.add(cert7) - data.setSystemCerts(systemCerts) + data.setSystemCerts(systemCerts) return data @@ -557,119 +552,118 @@ class rest_client: (log.PKI_JYTHON_INDENTATION_2, log.PKI_JYTHON_CONFIGURING_PKI_DATA, master['pki_subsystem']) - if not master['pki_dry_run_flag']: - try: - response = self.client.configure(data) - javasystem.out.println(log.PKI_JYTHON_RESPONSE_STATUS +\ - " " + response.getStatus()) - certs = response.getSystemCerts() - iterator = certs.iterator() - while iterator.hasNext(): - cdata = iterator.next() - javasystem.out.println(log.PKI_JYTHON_CDATA_TAG + " " +\ - cdata.getTag()) - javasystem.out.println(log.PKI_JYTHON_CDATA_CERT + " " +\ - cdata.getCert()) - javasystem.out.println(log.PKI_JYTHON_CDATA_REQUEST + " " +\ - cdata.getRequest()) - # Cloned PKI subsystems do not return an Admin Certificate - if not config.str2bool(master['pki_clone']): - admin_cert = response.getAdminCert().getCert() - javasystem.out.println(log.PKI_JYTHON_RESPONSE_ADMIN_CERT +\ - " " + admin_cert) - # Store the Administration Certificate in a file - admin_cert_file = os.path.join( - master['pki_client_dir'], - master['pki_client_admin_cert']) - admin_cert_bin_file = admin_cert_file + ".der" - javasystem.out.println(log.PKI_JYTHON_ADMIN_CERT_SAVE +\ - " " + "'" + admin_cert_file + "'") - FILE = open(admin_cert_file, "w") - FILE.write(admin_cert) - FILE.close() - # convert the cert file to binary - command = "AtoB "+ admin_cert_file + " " + admin_cert_bin_file - javasystem.out.println(log.PKI_JYTHON_ADMIN_CERT_ATOB +\ - " " + "'" + command + "'") - os.system(command) - - # Since Jython runs under Java, it does NOT support the - # following operating system specific command: - # - # os.chmod( - # admin_cert_file, - # config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS) - # - # Emulate it with a system call. - command = "chmod" + " 660 " + admin_cert_file - javasystem.out.println( - log.PKI_JYTHON_CHMOD +\ - " " + "'" + command + "'") - os.system(command) - - command = "chmod" + " 660 " + admin_cert_bin_file - javasystem.out.println( - log.PKI_JYTHON_CHMOD +\ - " " + "'" + command + "'") - os.system(command) - - # Import the Administration Certificate - # into the client NSS security database - command = "certutil" + " " +\ - "-A" + " " +\ - "-n" + " " + "\"" +\ - re.sub("'", - "'", master['pki_admin_nickname']) +\ - "\"" + " " +\ - "-t" + " " +\ - "\"" + "u,u,u" + "\"" + " " +\ - "-f" + " " +\ - master['pki_client_password_conf'] + " " +\ - "-d" + " " +\ - master['pki_client_database_dir'] + " " +\ - "-i" + " " +\ - admin_cert_bin_file - javasystem.out.println( - log.PKI_JYTHON_ADMIN_CERT_IMPORT +\ - " " + "'" + command + "'") - os.system(command) - # Export the Administration Certificate from the - # client NSS security database into a PKCS #12 file - command = "pk12util" + " " +\ - "-o" + " " +\ - master['pki_client_admin_cert_p12'] + " " +\ - "-n" + " " + "\"" +\ - re.sub("'", - "'", master['pki_admin_nickname']) +\ - "\"" + " " +\ - "-d" + " " +\ - master['pki_client_database_dir'] + " " +\ - "-k" + " " +\ - master['pki_client_password_conf'] + " " +\ - "-w" + " " +\ - master['pki_client_pkcs12_password_conf'] - javasystem.out.println( - log.PKI_JYTHON_ADMIN_CERT_EXPORT +\ - " " + "'" + command + "'") - os.system(command) - # Since Jython runs under Java, it does NOT support the - # following operating system specific command: - # - # os.chmod(master['pki_client_admin_cert_p12'], - # config.\ - # PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS) - # - # Emulate it with a system call. - command = "chmod" + " " + "664" + " " +\ - master['pki_client_admin_cert_p12'] - javasystem.out.println( - log.PKI_JYTHON_CHMOD +\ - " " + "'" + command + "'") - os.system(command) - except Exception, e: + try: + response = self.client.configure(data) + javasystem.out.println(log.PKI_JYTHON_RESPONSE_STATUS +\ + " " + response.getStatus()) + certs = response.getSystemCerts() + iterator = certs.iterator() + while iterator.hasNext(): + cdata = iterator.next() + javasystem.out.println(log.PKI_JYTHON_CDATA_TAG + " " +\ + cdata.getTag()) + javasystem.out.println(log.PKI_JYTHON_CDATA_CERT + " " +\ + cdata.getCert()) + javasystem.out.println(log.PKI_JYTHON_CDATA_REQUEST + " " +\ + cdata.getRequest()) + # Cloned PKI subsystems do not return an Admin Certificate + if not config.str2bool(master['pki_clone']): + admin_cert = response.getAdminCert().getCert() + javasystem.out.println(log.PKI_JYTHON_RESPONSE_ADMIN_CERT +\ + " " + admin_cert) + # Store the Administration Certificate in a file + admin_cert_file = os.path.join( + master['pki_client_dir'], + master['pki_client_admin_cert']) + admin_cert_bin_file = admin_cert_file + ".der" + javasystem.out.println(log.PKI_JYTHON_ADMIN_CERT_SAVE +\ + " " + "'" + admin_cert_file + "'") + FILE = open(admin_cert_file, "w") + FILE.write(admin_cert) + FILE.close() + # convert the cert file to binary + command = "AtoB "+ admin_cert_file + " " + admin_cert_bin_file + javasystem.out.println(log.PKI_JYTHON_ADMIN_CERT_ATOB +\ + " " + "'" + command + "'") + os.system(command) + + # Since Jython runs under Java, it does NOT support the + # following operating system specific command: + # + # os.chmod( + # admin_cert_file, + # config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS) + # + # Emulate it with a system call. + command = "chmod" + " 660 " + admin_cert_file javasystem.out.println( - log.PKI_JYTHON_JAVA_CONFIGURATION_EXCEPTION + " " + str(e)) - javasystem.exit(1) + log.PKI_JYTHON_CHMOD +\ + " " + "'" + command + "'") + os.system(command) + + command = "chmod" + " 660 " + admin_cert_bin_file + javasystem.out.println( + log.PKI_JYTHON_CHMOD +\ + " " + "'" + command + "'") + os.system(command) + + # Import the Administration Certificate + # into the client NSS security database + command = "certutil" + " " +\ + "-A" + " " +\ + "-n" + " " + "\"" +\ + re.sub("'", + "'", master['pki_admin_nickname']) +\ + "\"" + " " +\ + "-t" + " " +\ + "\"" + "u,u,u" + "\"" + " " +\ + "-f" + " " +\ + master['pki_client_password_conf'] + " " +\ + "-d" + " " +\ + master['pki_client_database_dir'] + " " +\ + "-i" + " " +\ + admin_cert_bin_file + javasystem.out.println( + log.PKI_JYTHON_ADMIN_CERT_IMPORT +\ + " " + "'" + command + "'") + os.system(command) + # Export the Administration Certificate from the + # client NSS security database into a PKCS #12 file + command = "pk12util" + " " +\ + "-o" + " " +\ + master['pki_client_admin_cert_p12'] + " " +\ + "-n" + " " + "\"" +\ + re.sub("'", + "'", master['pki_admin_nickname']) +\ + "\"" + " " +\ + "-d" + " " +\ + master['pki_client_database_dir'] + " " +\ + "-k" + " " +\ + master['pki_client_password_conf'] + " " +\ + "-w" + " " +\ + master['pki_client_pkcs12_password_conf'] + javasystem.out.println( + log.PKI_JYTHON_ADMIN_CERT_EXPORT +\ + " " + "'" + command + "'") + os.system(command) + # Since Jython runs under Java, it does NOT support the + # following operating system specific command: + # + # os.chmod(master['pki_client_admin_cert_p12'], + # config.\ + # PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS) + # + # Emulate it with a system call. + command = "chmod" + " " + "664" + " " +\ + master['pki_client_admin_cert_p12'] + javasystem.out.println( + log.PKI_JYTHON_CHMOD +\ + " " + "'" + command + "'") + os.system(command) + except Exception, e: + javasystem.out.println( + log.PKI_JYTHON_JAVA_CONFIGURATION_EXCEPTION + " " + str(e)) + javasystem.exit(1) return -- cgit