From 924403a14e92112c3c3d696319759b65eb57a30c Mon Sep 17 00:00:00 2001 
From: Matthew Harmsen Date: Fri, 18 May 2012 10:52:06 -0700 Subject: PKI Deployment Scriptlets * Introduced concept of "admin-domain" originally as a separate folder, and later incorporated this concept into an optional instance prefix * Revised definition of to be identified as "[-] * Changed NSS security database model from one shared database by BOTH a single Tomcat AND single Apache instance into one per Tomcat instance (shared by CA/KRA/OCSP/TKS) and one per Apache instance (shared by RA/TPS) * Altered Configuration 'scriptlet' to invoke Jython for access to new Java configuration servlet * Renamed various "scriptlets" to comply with this new layout * Re-aligned code to account for revised layout documented at http://pki.fedoraproject.org/wiki/PKI_Instance_Deployment --- base/deploy/src/scriptlets/configuration.jy | 70 ++++++ base/deploy/src/scriptlets/configuration.py | 49 +++- base/deploy/src/scriptlets/finalization.py | 14 +- .../deploy/src/scriptlets/infrastructure_layout.py | 102 ++++++++ base/deploy/src/scriptlets/initialization.py | 8 +- base/deploy/src/scriptlets/instance_layout.py | 145 +++++++---- base/deploy/src/scriptlets/pkiconfig.py | 33 ++- base/deploy/src/scriptlets/pkihelper.py | 197 +++++++++------ base/deploy/src/scriptlets/pkijython.py | 200 +++++++++++++++ base/deploy/src/scriptlets/pkimessages.py | 23 +- base/deploy/src/scriptlets/pkiparser.py | 268 +++++++++++++-------- base/deploy/src/scriptlets/pkiscriptlet.py | 2 +- base/deploy/src/scriptlets/security_databases.py | 50 +++- base/deploy/src/scriptlets/slot_substitution.py | 2 +- base/deploy/src/scriptlets/subsystem_layout.py | 4 +- base/deploy/src/scriptlets/war_explosion.py | 2 +- base/deploy/src/scriptlets/webserver_layout.py | 152 ------------ 17 files changed, 889 insertions(+), 432 deletions(-) create mode 100644 base/deploy/src/scriptlets/configuration.jy create mode 100644 base/deploy/src/scriptlets/infrastructure_layout.py create mode 100644 
base/deploy/src/scriptlets/pkijython.py delete mode 100644 base/deploy/src/scriptlets/webserver_layout.py (limited to 'base/deploy/src/scriptlets') diff --git a/base/deploy/src/scriptlets/configuration.jy b/base/deploy/src/scriptlets/configuration.jy new file mode 100644 index 000000000..f7366c723 --- /dev/null +++ b/base/deploy/src/scriptlets/configuration.jy 
@@ -0,0 +1,70 @@ +#!/usr/bin/jython + +# System Python Imports +import os +import pickle +import sys + + +# PKI Python Imports +import pkijython as jyutil +import pkiconfig as config +from pkiconfig import pki_master_jython_dict as master +import pkimessages as log + + +# System Java Imports +from java.lang import System as javasystem + + +def main(argv): + # Establish 'master' as the PKI jython dictionary + master = dict() + + # import the master dictionary from 'pkispawn' + master = pickle.loads(argv[1]) + + # IMPORTANT: Unfortunately, 'jython 2.2' does NOT support logging! + # + # Until, and unless, 'jython 2.5' or later is used, + # debugging will basically be limited to using 'print' + # since creating a logging mechanism for 'jython 2.2' + # would not make sense at this point in time, although + # a 'customized' manual log process could be created. + # + # Regardless of 'jython' version, the log file generated + # by this standalone 'jython' process would be unique and + # separate to the log file generated for the PKI + # deployment scriptlets 'python' process, as they exist + # as two separate processes (until and unless 'jython 2.7' + # could be used to completely replace 'python 2.7', + # in which case a single process could be executed + # end-to-end from installation through configuration). 
+ # + if master['pki_jython_log_level'] >= config.PKI_JYTHON_DEBUG_LOG_LEVEL: + # javasystem.out.println("Hello") + print "%s %s" %\ + (log.PKI_JYTHON_INDENTATION_2, sys.path) + print "%s %s" %\ + (log.PKI_JYTHON_INDENTATION_2, + javasystem.getProperties()['java.class.path']) + for key in master: + print "%s '%s' = '%s'" %\ + (log.PKI_JYTHON_INDENTATION_2, key, master[key]) + + # Initialize token + jyutil.security_databases.initialize_token( + master['pki_client_database_path'], + master['pki_dry_run_flag'], + master['pki_jython_log_level']) + + # Log into token + jyutil.security_databases.log_into_token( + master['pki_client_database_path'], + master['pki_client_password_conf'], + master['pki_dry_run_flag'], + master['pki_jython_log_level']) + + +if __name__ == "__main__": + main(sys.argv) diff --git a/base/deploy/src/scriptlets/configuration.py b/base/deploy/src/scriptlets/configuration.py index 45b325ce7..1155e9002 100644 --- a/base/deploy/src/scriptlets/configuration.py +++ b/base/deploy/src/scriptlets/configuration.py 
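Review bot: The master dictionary reaches this script as a pickled blob on the command line (`master = pickle.loads(argv[1])`), and a process's argv is readable by every local user through `ps` or `/proc/<pid>/cmdline` for as long as the Jython process runs, so any secret in that dictionary is exposed for the whole configuration step; whether `pki_client_pin` or similar values are among its keys depends on how pkiparser builds `pki_master_jython_dict`, which this diff does not show, but the debug block that follows prints every key and value unredacted, so the same question applies to the log. If secrets are present, pass the dictionary over stdin instead (`master = pickle.loads(sys.stdin.read())`, with the matching change in pkihelper's `jython.invoke`, not in this view) and skip or mask known-secret keys in the `for key in master:` dump. The `master = dict()` assignment just before the load is dead and shadows the `pki_master_jython_dict` import of the same name; drop one of them. Unpickling is only as trustworthy as the producer, so a comment such as `# argv[1] MUST be the dictionary pickled by pkispawn; never accept it from any other caller` would make the trust boundary explicit.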
@@ -22,31 +22,66 @@ # PKI Deployment Imports import pkiconfig as config from pkiconfig import pki_master_dict as master +import pkihelper as util import pkimessages as log import pkiscriptlet -# PKI Deployment Instance Population Classes +# PKI Deployment Configuration Scriptlet class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): rv = 0 def spawn(self): config.pki_log.info(log.CONFIGURATION_SPAWN_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) - config.pki_log.info("NOT YET IMPLEMENTED", - extra=config.PKI_INDENTATION_LEVEL_2) + if not config.pki_dry_run_flag: + util.directory.create(master['pki_client_path'], uid=0, gid=0) + util.password.create_password_conf( + master['pki_client_password_conf'], + master['pki_client_pin']) + util.directory.create(master['pki_client_database_path'], + uid=0, gid=0) + util.certutil.create_security_databases( + master['pki_client_database_path'], + master['pki_client_cert_database'], + master['pki_client_key_database'], + master['pki_client_secmod_database'], + password_file=master['pki_client_password_conf']) + else: + util.password.create_password_conf( + master['pki_client_password_conf'], + master['pki_client_pin']) + util.certutil.create_security_databases( + master['pki_client_database_path'], + master['pki_client_cert_database'], + master['pki_client_key_database'], + master['pki_client_secmod_database'], + password_file=master['pki_client_password_conf']) + # Pass control to the Java servlet via Jython 2.2 'configuration.jy' + util.jython.invoke(master['pki_jython_configuration_scriptlet']) return self.rv def respawn(self): config.pki_log.info(log.CONFIGURATION_RESPAWN_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) - config.pki_log.info("NOT YET IMPLEMENTED", - extra=config.PKI_INDENTATION_LEVEL_2) return self.rv def destroy(self): config.pki_log.info(log.CONFIGURATION_DESTROY_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) - config.pki_log.info("NOT YET IMPLEMENTED", - extra=config.PKI_INDENTATION_LEVEL_2) 
+ if not config.pki_dry_run_flag: + if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ + util.instance.apache_instances() == 0: + util.directory.delete(master['pki_client_path']) + elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ + util.instance.tomcat_instances() == 0: + util.directory.delete(master['pki_client_path']) + else: + # ALWAYS display correct information (even during dry_run) + if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ + util.instance.apache_instances() == 1: + util.directory.delete(master['pki_client_path']) + elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ + util.instance.tomcat_instances() == 1: + util.directory.delete(master['pki_client_path']) return self.rv diff --git a/base/deploy/src/scriptlets/finalization.py b/base/deploy/src/scriptlets/finalization.py index 9a3c23cb5..acf51391a 100644 --- a/base/deploy/src/scriptlets/finalization.py +++ b/base/deploy/src/scriptlets/finalization.py @@ -28,7 +28,7 @@ import pkimessages as log import pkiscriptlet -# PKI Deployment Instance Population Classes +# PKI Deployment Finalization Scriptlet class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): rv = 0 @@ -43,8 +43,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): # Save a timestamped copy of the installation manifest file filename = master['pki_root_prefix'] +\ config.PKI_DEPLOYMENT_REGISTRY_ROOT + "/" +\ - master['pki_instance_name'] + "/" +\ - master['pki_web_server'].lower() + "/" +\ + master['pki_instance_id'] + "/" +\ master['pki_subsystem'].lower() +"/" +\ "spawn" + "_" + "manifest" + "." +\ master['pki_timestamp'] + "." + "csv" 
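Review bot: `spawn` hands control to the Java configuration servlet with `util.jython.invoke(master['pki_jython_configuration_scriptlet'])` but discards whatever that call returns and then returns `self.rv`, which is the class constant 0, so a failed Jython or servlet step would be reported upward as success; either capture the result (`self.rv = util.jython.invoke(master['pki_jython_configuration_scriptlet'])`) or make sure `invoke` exits on failure, depending on its contract, which is not in this diff. The two arms of the dry-run `if` also repeat the `create_password_conf` and `create_security_databases` calls verbatim; pkihelper's versions of both already branch on `config.pki_dry_run_flag` internally, so only the two `util.directory.create(..., uid=0, gid=0)` calls need the guard and the duplicated block can be removed. The class attribute `rv = 0` shared by all three methods deserves a one-line comment stating that 0 is the only value ever returned today, so a reader does not expect error propagation that is not there.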
@@ -59,7 +58,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): # Log final process messages config.pki_log.info(log.PKISPAWN_END_MESSAGE_2, master['pki_subsystem'], - master['pki_instance_name'], + master['pki_instance_id'], extra=config.PKI_INDENTATION_LEVEL_0) if not config.pki_dry_run_flag: util.file.modify(master['pki_spawn_log'], silent=True) @@ -77,8 +76,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): # Save a timestamped copy of the updated manifest file filename = master['pki_root_prefix'] +\ config.PKI_DEPLOYMENT_REGISTRY_ROOT + "/" +\ - master['pki_instance_name'] + "/" +\ - master['pki_web_server'].lower() + "/" +\ + master['pki_instance_id'] + "/" +\ master['pki_subsystem'].lower() +"/" +\ "respawn" + "_" + "manifest" + "." +\ master['pki_timestamp'] + "." + "csv" @@ -93,7 +91,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): # Log final process messages config.pki_log.info(log.PKIRESPAWN_END_MESSAGE_2, master['pki_subsystem'], - master['pki_instance_name'], + master['pki_instance_id'], extra=config.PKI_INDENTATION_LEVEL_0) if not config.pki_dry_run_flag: util.file.modify(master['pki_respawn_log'], silent=True) @@ -104,7 +102,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): extra=config.PKI_INDENTATION_LEVEL_1) config.pki_log.info(log.PKIDESTROY_END_MESSAGE_2, master['pki_subsystem'], - master['pki_instance_name'], + master['pki_instance_id'], extra=config.PKI_INDENTATION_LEVEL_0) if not config.pki_dry_run_flag: util.file.modify(master['pki_destroy_log'], silent=True) diff --git a/base/deploy/src/scriptlets/infrastructure_layout.py b/base/deploy/src/scriptlets/infrastructure_layout.py new file mode 100644 index 000000000..fd94de512 --- /dev/null +++ b/base/deploy/src/scriptlets/infrastructure_layout.py 
@@ -0,0 +1,102 @@ +#!/usr/bin/python -t +# Authors: +# Matthew Harmsen +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2012 Red Hat, Inc. +# All rights reserved. +# + +# PKI Deployment Imports +import pkiconfig as config +from pkiconfig import pki_master_dict as master +import pkihelper as util +import pkimessages as log +import pkiscriptlet + + +# PKI Deployment Top-Level Infrastructure Layout Scriptlet +class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + rv = 0 + + def spawn(self): + config.pki_log.info(log.ADMIN_DOMAIN_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + # establish top-level infrastructure base + util.directory.create(master['pki_path']) + # establish top-level infrastructure logs + util.directory.create(master['pki_log_path']) + # establish top-level infrastructure configuration + if master['pki_configuration_path'] !=\ + config.PKI_DEPLOYMENT_CONFIGURATION_ROOT: + util.directory.create(master['pki_configuration_path']) + # establish top-level infrastructure registry + util.directory.create(master['pki_registry_path']) + return self.rv + + def respawn(self): + config.pki_log.info(log.ADMIN_DOMAIN_RESPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + # update top-level infrastructure base + util.directory.modify(master['pki_path']) + # update top-level infrastructure logs + 
util.directory.modify(master['pki_log_path']) + # update top-level infrastructure configuration + if master['pki_configuration_path'] !=\ + config.PKI_DEPLOYMENT_CONFIGURATION_ROOT: + util.directory.modify(master['pki_configuration_path']) + # update top-level infrastructure registry + util.directory.modify(master['pki_registry_path']) + return self.rv + + def destroy(self): + config.pki_log.info(log.ADMIN_DOMAIN_DESTROY_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + # remove top-level infrastructure base + if not config.pki_dry_run_flag: + if master['pki_subsystem'] in config.PKI_SUBSYSTEMS and\ + util.instance.pki_subsystem_instances() == 0: + # remove top-level infrastructure base + util.directory.delete(master['pki_path']) + # remove top-level infrastructure logs + util.directory.delete(master['pki_log_path']) + # remove top-level infrastructure configuration + if util.directory.is_empty(master['pki_configuration_path'])\ + and master['pki_configuration_path'] !=\ + config.PKI_DEPLOYMENT_CONFIGURATION_ROOT: + util.directory.delete(master['pki_configuration_path']) + # remove top-level infrastructure registry + util.directory.delete(master['pki_registry_path']) + if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + util.file.delete(master['pki_target_tomcat_conf']) + + else: + # ALWAYS display correct information (even during dry_run) + if master['pki_subsystem'] in config.PKI_SUBSYSTEMS and\ + util.instance.pki_subsystem_instances() == 1: + # remove top-level infrastructure base + util.directory.delete(master['pki_path']) + # remove top-level infrastructure logs + util.directory.delete(master['pki_log_path']) + # remove top-level infrastructure configuration + if util.directory.is_empty(master['pki_configuration_path'])\ + and master['pki_configuration_path'] !=\ + config.PKI_DEPLOYMENT_CONFIGURATION_ROOT: + util.directory.delete(master['pki_configuration_path']) + # remove top-level infrastructure registry + 
util.directory.delete(master['pki_registry_path']) + if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + util.file.delete(master['pki_target_tomcat_conf']) + return self.rv diff --git a/base/deploy/src/scriptlets/initialization.py b/base/deploy/src/scriptlets/initialization.py index 408ddfb59..3077737c8 100644 --- a/base/deploy/src/scriptlets/initialization.py +++ b/base/deploy/src/scriptlets/initialization.py @@ -27,14 +27,14 @@ import pkimessages as log import pkiscriptlet -# PKI Deployment Instance Population Classes +# PKI Deployment Initialization Scriptlet class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): rv = 0 def spawn(self): config.pki_log.info(log.PKISPAWN_BEGIN_MESSAGE_2, master['pki_subsystem'], - master['pki_instance_name'], + master['pki_instance_id'], extra=config.PKI_INDENTATION_LEVEL_0) config.pki_log.info(log.INITIALIZATION_SPAWN_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) @@ -49,7 +49,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): def respawn(self): config.pki_log.info(log.PKIRESPAWN_BEGIN_MESSAGE_2, master['pki_subsystem'], - master['pki_instance_name'], + master['pki_instance_id'], extra=config.PKI_INDENTATION_LEVEL_0) config.pki_log.info(log.INITIALIZATION_RESPAWN_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) @@ -64,7 +64,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): def destroy(self): config.pki_log.info(log.PKIDESTROY_BEGIN_MESSAGE_2, master['pki_subsystem'], - master['pki_instance_name'], + master['pki_instance_id'], extra=config.PKI_INDENTATION_LEVEL_0) config.pki_log.info(log.INITIALIZATION_DESTROY_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) diff --git a/base/deploy/src/scriptlets/instance_layout.py b/base/deploy/src/scriptlets/instance_layout.py index baa261cad..60e94d1a1 100644 --- a/base/deploy/src/scriptlets/instance_layout.py +++ b/base/deploy/src/scriptlets/instance_layout.py 
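Review bot: `destroy` removes `pki_log_path` and `pki_registry_path` outright as soon as `pki_subsystem_instances()` reports zero, whereas the configuration path is deleted only when `util.directory.is_empty(...)` holds and it is not the shared `/etc/pki` root; the log and registry roots need the same guard, because if `pki_log_path` resolves to the shared `PKI_DEPLOYMENT_LOG_ROOT` (`/var/log/pki`, how pkiparser derives it is not shown here) this wipes audit and debug logs of anything else kept there, possibly including the log of the destroy run itself, and removing the registry root takes every configuration file under it along. Mirror the configuration case: `if util.directory.is_empty(master['pki_log_path']): util.directory.delete(master['pki_log_path'])` and the same for `pki_registry_path`, with a comment that non-empty log and registry trees are deliberately left in place. Note that `pki_subsystem_instances()` counts only directories whose upper-cased name is in `PKI_SUBSYSTEMS`, so unrelated content under `pki_path` does not stop the tree removal either. The `master['pki_subsystem'] in config.PKI_SUBSYSTEMS` half of the condition looks always-true for a validated subsystem; a short comment on why it is there, or its removal, would help.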
@@ -27,7 +27,7 @@ import pkimessages as log import pkiscriptlet -# PKI Deployment Instance Population Classes +# PKI Deployment Instance Layout Scriptlet class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): rv = 0 
@@ -35,93 +35,134 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): config.pki_log.info(log.INSTANCE_SPAWN_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) # establish instance base - util.directory.create(master['pki_path']) util.directory.create(master['pki_instance_path']) # establish instance logs - util.directory.create(master['pki_log_path']) util.directory.create(master['pki_instance_log_path']) # establish instance configuration - if master['pki_configuration_path'] !=\ - config.PKI_SHARED_CONFIGURATION_ROOT: - util.directory.create(master['pki_configuration_path']) util.directory.create(master['pki_instance_configuration_path']) # establish instance registry - util.directory.create(master['pki_registry_path']) util.directory.create(master['pki_instance_registry_path']) - # establish shared NSS security databases + # establish Apache/Tomcat specific instance + if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + # establish Tomcat instance base + util.directory.create(master['pki_tomcat_common_path']) + util.directory.create(master['pki_tomcat_common_lib_path']) + util.directory.create(master['pki_tomcat_webapps_path']) + util.directory.create(master['pki_tomcat_webapps_root_path']) + util.directory.create(master['pki_tomcat_webapps_root_webinf_path']) + util.file.copy(master['pki_source_webapps_root_web_xml'], + master['pki_tomcat_webapps_root_webinf_web_xml'], + overwrite_flag=True) + util.directory.create(master['pki_tomcat_webapps_webinf_path']) + util.directory.create( + master['pki_tomcat_webapps_webinf_classes_path']) + util.directory.create(master['pki_tomcat_webapps_webinf_lib_path']) + # establish Tomcat instance logs + # establish Tomcat instance configuration + # establish Tomcat instance registry + # establish Tomcat instance convenience + # symbolic links + util.symlink.create(master['pki_tomcat_bin_path'], + master['pki_tomcat_bin_link']) + util.symlink.create(master['pki_tomcat_lib_path'], + 
master['pki_tomcat_lib_link']) + util.symlink.create(master['pki_tomcat_systemd'], + master['pki_instance_systemd_link']) + # establish shared NSS security databases for this instance util.directory.create(master['pki_database_path']) - # establish convenience symbolic links + # establish instance convenience symbolic links util.symlink.create(master['pki_database_path'], master['pki_instance_database_link']) + util.symlink.create(master['pki_instance_configuration_path'], + master['pki_instance_conf_link']) + util.symlink.create(master['pki_instance_log_path'], + master['pki_instance_logs_link']) return self.rv def respawn(self): config.pki_log.info(log.INSTANCE_RESPAWN_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) # update instance base - util.directory.modify(master['pki_path']) util.directory.modify(master['pki_instance_path']) # update instance logs - util.directory.modify(master['pki_log_path']) util.directory.modify(master['pki_instance_log_path']) # update instance configuration - if master['pki_configuration_path'] !=\ - config.PKI_SHARED_CONFIGURATION_ROOT: - util.directory.modify(master['pki_configuration_path']) util.directory.modify(master['pki_instance_configuration_path']) # update instance registry - util.directory.modify(master['pki_registry_path']) util.directory.modify(master['pki_instance_registry_path']) - # update shared NSS security databases + # update Apache/Tomcat specific instance + if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + # update Tomcat instance base + util.directory.modify(master['pki_tomcat_common_path']) + util.directory.modify(master['pki_tomcat_common_lib_path']) + util.directory.modify(master['pki_tomcat_webapps_path']) + util.directory.modify(master['pki_tomcat_webapps_root_path']) + util.directory.modify(master['pki_tomcat_webapps_root_webinf_path']) + util.file.copy(master['pki_source_webapps_root_web_xml'], + master['pki_tomcat_webapps_root_webinf_web_xml'], + overwrite_flag=True) + 
util.directory.modify(master['pki_tomcat_webapps_webinf_path']) + util.directory.modify( + master['pki_tomcat_webapps_webinf_classes_path']) + util.directory.modify(master['pki_tomcat_webapps_webinf_lib_path']) + # update Tomcat instance logs + # update Tomcat instance configuration + # update Tomcat instance registry + # update Tomcat instance convenience symbolic links + util.symlink.modify(master['pki_tomcat_bin_link']) + util.symlink.modify(master['pki_tomcat_lib_link']) + # update shared NSS security databases for this instance util.directory.modify(master['pki_database_path']) - # update convenience symbolic links + # update instance convenience symbolic links util.symlink.modify(master['pki_instance_database_link']) + util.symlink.modify(master['pki_instance_conf_link']) + util.symlink.modify(master['pki_instance_logs_link']) return self.rv def destroy(self): config.pki_log.info(log.INSTANCE_DESTROY_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) - # remove instance base if not config.pki_dry_run_flag: - if master['pki_subsystem'] in config.PKI_SUBSYSTEMS and\ - util.instance.pki_subsystem_instances() == 0: - # remove instance base + if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ + util.instance.apache_instances() == 0: + # remove Apache instance base util.directory.delete(master['pki_instance_path']) - util.directory.delete(master['pki_path']) - # remove instance logs - util.directory.delete(master['pki_instance_log_path']) - util.directory.delete(master['pki_log_path']) - # remove shared NSS security database path + # remove Apache instance logs + # remove shared NSS security database path for this instance util.directory.delete(master['pki_database_path']) - # remove instance configuration + # remove Apache instance configuration util.directory.delete(master['pki_instance_configuration_path']) - if util.directory.is_empty(master['pki_configuration_path'])\ - and master['pki_configuration_path'] !=\ - 
config.PKI_SHARED_CONFIGURATION_ROOT: - util.directory.delete(master['pki_configuration_path']) - # remove instance registry - util.directory.delete(master['pki_instance_registry_path']) - util.directory.delete(master['pki_registry_path']) - util.file.delete(master['pki_target_tomcat_conf']) - + # remove Apache instance registry + elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ + util.instance.tomcat_instances() == 0: + # remove Tomcat instance base + util.directory.delete(master['pki_instance_path']) + # remove Tomcat instance logs + # remove shared NSS security database path for this instance + util.directory.delete(master['pki_database_path']) + # remove Tomcat instance configuration + util.directory.delete(master['pki_instance_configuration_path']) + # remove Tomcat instance registry else: # ALWAYS display correct information (even during dry_run) - if master['pki_subsystem'] in config.PKI_SUBSYSTEMS and\ - util.instance.pki_subsystem_instances() == 1: - # remove instance base + if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ + util.instance.apache_instances() == 1: + # remove Apache instance base util.directory.delete(master['pki_instance_path']) - util.directory.delete(master['pki_path']) - # remove instance logs - util.directory.delete(master['pki_instance_log_path']) - util.directory.delete(master['pki_log_path']) - # remove shared NSS security database path + # remove Apache instance logs + # remove shared NSS security database path for this instance util.directory.delete(master['pki_database_path']) - if util.directory.is_empty(master['pki_configuration_path'])\ - and master['pki_configuration_path'] !=\ - config.PKI_SHARED_CONFIGURATION_ROOT: - util.directory.delete(master['pki_configuration_path']) - # remove instance registry - util.directory.delete(master['pki_instance_registry_path']) - util.directory.delete(master['pki_registry_path']) - util.file.delete(master['pki_target_tomcat_conf']) + # remove Apache instance 
configuration + util.directory.delete(master['pki_instance_configuration_path']) + # remove Apache instance registry + elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ + util.instance.tomcat_instances() == 1: + # remove Tomcat instance base + util.directory.delete(master['pki_instance_path']) + # remove Tomcat instance logs + # remove shared NSS security database path for this instance + util.directory.delete(master['pki_database_path']) + # remove Tomcat instance configuration + util.directory.delete(master['pki_instance_configuration_path']) + # remove Tomcat instance registry return self.rv diff --git a/base/deploy/src/scriptlets/pkiconfig.py b/base/deploy/src/scriptlets/pkiconfig.py index 31b05312c..76d54ad15 100644 --- a/base/deploy/src/scriptlets/pkiconfig.py +++ b/base/deploy/src/scriptlets/pkiconfig.py @@ -19,10 +19,6 @@ # All rights reserved. # -# System Imports -import logging - - # PKI Deployment Constants PKI_DEPLOYMENT_DEFAULT_DIR_PERMISSIONS = 00770 PKI_DEPLOYMENT_DEFAULT_EXE_PERMISSIONS = 00770 @@ -43,6 +39,13 @@ PKI_INDENTATION_LEVEL_2 = {'indent' : '....... '} PKI_INDENTATION_LEVEL_3 = {'indent' : '........... '} PKI_INDENTATION_LEVEL_4 = {'indent' : '............... '} +PKI_DEPLOYMENT_SOURCE_ROOT = "/usr/share/pki" +PKI_DEPLOYMENT_TOMCAT_ROOT = "/usr/share/tomcat" +PKI_DEPLOYMENT_TOMCAT_SYSTEMD = "/usr/sbin/tomcat-sysd" +PKI_DEPLOYMENT_BASE_ROOT = "/var/lib/pki" +# NOTE: Top-level "/etc/pki" is owned by the "filesystem" package! +PKI_DEPLOYMENT_CONFIGURATION_ROOT = "/etc/pki" +PKI_DEPLOYMENT_LOG_ROOT = "/var/log/pki" # NOTE: Well-known 'registry root', default 'instance', and default # 'configuration file' names MUST be created in order to potentially # obtain an instance-specific configuration file 
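Review bot: `spawn` creates three Tomcat convenience symlinks — `pki_tomcat_bin_link`, `pki_tomcat_lib_link` and `pki_instance_systemd_link` pointing at `pki_tomcat_systemd` — but `respawn` refreshes only the first two (`util.symlink.modify(master['pki_tomcat_bin_link'])`, `util.symlink.modify(master['pki_tomcat_lib_link'])`), so the systemd link is never re-validated on an update; add `util.symlink.modify(master['pki_instance_systemd_link'])` after them. `destroy` never deletes that link either: if it lives outside `pki_instance_path` (its target `/usr/sbin/tomcat-sysd` in pkiconfig suggests a service-launcher link that may well sit elsewhere, though the link's location is not visible here), removing the instance leaves a dangling symlink that still looks like a manageable service. Both `spawn` and `respawn` copy the ROOT `web.xml` with `overwrite_flag=True`, so a respawn silently discards local edits to that file; if intended, say so with `# ROOT web.xml is always re-provisioned; local edits are not preserved`. The `# remove Apache instance logs` and `# remove Apache instance registry` comments stand over no code — the old code deleted `pki_instance_registry_path` — so either state `# instance logs and registry are intentionally retained` or restore the deletion.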
@@ -53,20 +56,29 @@ PKI_INDENTATION_LEVEL_4 = {'indent' : '............... '} # in the configuration file (the value in the default configuration file # should always match the 'default' instance name specified below). PKI_DEPLOYMENT_REGISTRY_ROOT = "/etc/sysconfig/pki" -PKI_DEPLOYMENT_DEFAULT_INSTANCE_NAME = "default" +PKI_DEPLOYMENT_DEFAULT_ADMIN_DOMAIN_NAME = None +PKI_DEPLOYMENT_DEFAULT_APACHE_INSTANCE_NAME = "apache" +PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME = "tomcat" PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE = "pkideployment.cfg" PKI_DEPLOYMENT_SLOTS_CONFIGURATION_FILE =\ "/usr/share/pki/deployment/config/pkislots.cfg" -# NOTE: Top-level "/etc/pki" is owned by the "filesystem" package! -PKI_SHARED_CONFIGURATION_ROOT = "/etc/pki" + +# PKI Deployment Jython 2.2 Constants +PKI_JYTHON_CRITICAL_LOG_LEVEL = 1 +PKI_JYTHON_ERROR_LOG_LEVEL = 2 +PKI_JYTHON_WARNING_LOG_LEVEL = 3 +PKI_JYTHON_INFO_LOG_LEVEL = 4 +PKI_JYTHON_DEBUG_LOG_LEVEL = 5 # PKI Deployment Global Variables pki_install_time = None pki_timestamp = None +pki_architecture = None pki_hostname = None pki_pin = None +pki_client_pin = None pki_one_time_pin = None @@ -80,6 +92,7 @@ pki_root_prefix = None pki_update_flag = False # PKI Deployment "Custom" Command-Line Variables +pki_admin_domain_name = None pki_instance_name = None pki_http_port = None pki_https_port = None @@ -87,11 +100,12 @@ pki_ajp_port = None # PKI Deployment Logger Variables +pki_jython_log_level = None pki_log = None pki_log_dir = None pki_log_name = None -pki_log_level = logging.INFO -pki_console_log_level = logging.WARNING +pki_log_level = None +pki_console_log_level = None # PKI Deployment Global Dictionaries @@ -100,3 +114,4 @@ pki_web_server_dict = None pki_subsystem_dict = None pki_master_dict = None pki_slots_dict = None +pki_master_jython_dict = None diff --git a/base/deploy/src/scriptlets/pkihelper.py b/base/deploy/src/scriptlets/pkihelper.py index b04af2db0..b88eafe72 100644 --- a/base/deploy/src/scriptlets/pkihelper.py 
+++ b/base/deploy/src/scriptlets/pkihelper.py @@ -25,6 +25,7 @@ import errno import sys import os import fileinput +import pickle import random import shutil import string @@ -174,27 +175,27 @@ class instance: def apache_instances(self): rv = 0 try: - if not os.path.exists(master['pki_webserver_path']) or\ - not os.path.isdir(master['pki_webserver_path']): + if not os.path.exists(master['pki_instance_path']) or\ + not os.path.isdir(master['pki_instance_path']): config.pki_log.error( log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, - master['pki_webserver_path'], + master['pki_instance_path'], extra=config.PKI_INDENTATION_LEVEL_2) sys.exit(1) # count number of PKI subsystems present - # within the specfied Apache instance + # within the specified Apache instance for subsystem in config.PKI_APACHE_SUBSYSTEMS: - path = master['pki_webserver_path'] + "/" + subsystem.lower() + path = master['pki_instance_path'] + "/" + subsystem.lower() if os.path.exists(path) and os.path.isdir(path): rv = rv + 1 # always display correct information (even during dry_run) if config.pki_dry_run_flag and rv > 0: config.pki_log.debug(log.PKIHELPER_APACHE_INSTANCES_2, - master['pki_webserver_path'], rv - 1, + master['pki_instance_path'], rv - 1, extra=config.PKI_INDENTATION_LEVEL_2) else: config.pki_log.debug(log.PKIHELPER_APACHE_INSTANCES_2, - master['pki_webserver_path'], + master['pki_instance_path'], rv, extra=config.PKI_INDENTATION_LEVEL_2) except OSError as exc: config.pki_log.error(log.PKI_OSERROR_1, exc, 
@@ -205,27 +206,29 @@ class instance: def pki_subsystem_instances(self): rv = 0 try: - if not os.path.exists(master['pki_instance_path']) or\ - not os.path.isdir(master['pki_instance_path']): + if not os.path.exists(master['pki_path']) or\ + not os.path.isdir(master['pki_path']): config.pki_log.error( log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, - master['pki_instance_path'], + master['pki_path'], extra=config.PKI_INDENTATION_LEVEL_2) sys.exit(1) - # count total number of Apache PKI subsystems present - # within the specfied PKI instance - for apache_subsystem in config.PKI_APACHE_SUBSYSTEMS: - apache_path = master['pki_instance_path'] + "/" + "apache" +\ - "/" + apache_subsystem.lower() - if os.path.exists(apache_path) and os.path.isdir(apache_path): - rv = rv + 1 - # count total number of Tomcat PKI subsystems present - # within the specfied PKI instance - for tomcat_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: - tomcat_path = master['pki_instance_path'] + "/" + "tomcat" +\ - "/" + tomcat_subsystem.lower() - if os.path.exists(tomcat_path) and os.path.isdir(tomcat_path): - rv = rv + 1 + # Since ALL directories within the top-level PKI infrastructure + # SHOULD represent PKI instances, look for all possible + # PKI instances within the top-level PKI infrastructure + for instance in os.listdir(master['pki_path']): + if os.path.isdir(os.path.join(master['pki_path'],instance))\ + and not\ + os.path.islink(os.path.join(master['pki_path'],instance)): + dir = os.path.join(master['pki_path'],instance) + # Since ANY directory within this PKI instance COULD + # be a PKI subsystem, look for all possible + # PKI subsystems within this PKI instance + for name in os.listdir(dir): + if os.path.isdir(os.path.join(dir,name)) and\ + not os.path.islink(os.path.join(dir,name)): + if name.upper() in config.PKI_SUBSYSTEMS: + rv = rv + 1 # always display correct information (even during dry_run) if config.pki_dry_run_flag and rv > 0: 
config.pki_log.debug(log.PKIHELPER_PKI_SUBSYSTEM_INSTANCES_2, @@ -244,27 +247,27 @@ class instance: def tomcat_instances(self): rv = 0 try: - if not os.path.exists(master['pki_webserver_path']) or\ - not os.path.isdir(master['pki_webserver_path']): + if not os.path.exists(master['pki_instance_path']) or\ + not os.path.isdir(master['pki_instance_path']): config.pki_log.error( log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, - master['pki_webserver_path'], + master['pki_instance_path'], extra=config.PKI_INDENTATION_LEVEL_2) sys.exit(1) # count number of PKI subsystems present - # within the specfied Tomcat instance + # within the specified Tomcat instance for subsystem in config.PKI_TOMCAT_SUBSYSTEMS: - path = master['pki_webserver_path'] + "/" + subsystem.lower() + path = master['pki_instance_path'] + "/" + subsystem.lower() if os.path.exists(path) and os.path.isdir(path): rv = rv + 1 # always display correct information (even during dry_run) if config.pki_dry_run_flag and rv > 0: config.pki_log.debug(log.PKIHELPER_TOMCAT_INSTANCES_2, - master['pki_webserver_path'], rv - 1, + master['pki_instance_path'], rv - 1, extra=config.PKI_INDENTATION_LEVEL_2) else: config.pki_log.debug(log.PKIHELPER_TOMCAT_INSTANCES_2, - master['pki_webserver_path'], + master['pki_instance_path'], rv, extra=config.PKI_INDENTATION_LEVEL_2) except OSError as exc: config.pki_log.error(log.PKI_OSERROR_1, exc, @@ -277,7 +280,7 @@ class instance: if not os.path.exists(master['pki_subsystem_path']): config.pki_log.error(log.PKI_SUBSYSTEM_DOES_NOT_EXIST_2, master['pki_subsystem'], - master['pki_instance_name'], + master['pki_instance_id'], extra=config.PKI_INDENTATION_LEVEL_1) sys.exit(1) except OSError as exc: 
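Review bot: The three counters now disagree on what counts as an instance: `pki_subsystem_instances` skips anything for which `os.path.islink(...)` is true and matches names case-insensitively via `name.upper() in config.PKI_SUBSYSTEMS`, while `apache_instances` and `tomcat_instances` follow symlinks (`os.path.isdir` is true for a symlink to a directory) and test only the exact lower-case name. Since infrastructure_layout's `destroy` relies on the first counter and instance_layout's on the other two to decide whether to remove shared trees, a symlinked or oddly-cased subsystem directory can make the top level report zero and remove `pki_path` while the instance level still counts it as present. Pick one rule — `if os.path.isdir(p) and not os.path.islink(p)` in all three, or drop the `islink` test here — and put it in one private helper the three methods share. `dir = os.path.join(master['pki_path'],instance)` also shadows the `dir` builtin; `instance_dir` reads better. The method continues past the hunk, so its logging and `except OSError` handling are not reviewed here.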
@@ -290,7 +293,7 @@ class instance: if os.path.exists(master['pki_subsystem_path']): config.pki_log.error(log.PKI_SUBSYSTEM_ALREADY_EXISTS_2, master['pki_subsystem'], - master['pki_instance_name'], + master['pki_instance_id'], extra=config.PKI_INDENTATION_LEVEL_1) sys.exit(1) except OSError as exc: @@ -1292,7 +1295,8 @@ class war: # PKI Deployment Password Class class password: - def create_password_conf(self, path, overwrite_flag=False): + def create_password_conf(self, path, pin, overwrite_flag=False, + critical_failure=True): try: if not config.pki_dry_run_flag: if os.path.exists(path): @@ -1304,11 +1308,11 @@ class password: with open(path, "wt") as fd: if master['pki_subsystem'] in\ config.PKI_APACHE_SUBSYSTEMS: - fd.write("internal" + ":" +\ - str(master['pki_pin'])) + fd.write(master['pki_self_signed_token'] +\ + ":" + str(pin)) else: - fd.write("internal" + "=" +\ - str(master['pki_pin'])) + fd.write(master['pki_self_signed_token'] +\ + "=" + str(pin)) fd.closed else: config.pki_log.info(log.PKIHELPER_PASSWORD_CONF_1, path, @@ -1317,11 +1321,11 @@ class password: with open(path, "wt") as fd: if master['pki_subsystem'] in\ config.PKI_APACHE_SUBSYSTEMS: - fd.write("internal" + ":" +\ - str(master['pki_pin'])) + fd.write(master['pki_self_signed_token'] +\ + ":" + str(pin)) else: - fd.write("internal" + "=" +\ - str(master['pki_pin'])) + fd.write(master['pki_self_signed_token'] +\ + "=" + str(pin)) fd.closed else: if not os.path.exists(path) or overwrite_flag: @@ -1337,7 +1341,9 @@ class password: # PKI Deployment NSS 'certutil' Class class certutil: - def create_security_databases(self, path, password_file=None, prefix=None, + def create_security_databases(self, path, pki_cert_database, + pki_key_database, pki_secmod_database, + password_file=None, prefix=None, critical_failure=True): try: # Compose this "certutil" command 
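Review bot: In password.create_password_conf the token PIN is written with a plain `open(path, "wt")`, so the file is created with whatever mode the process umask yields and, unless ownership and mode are tightened elsewhere in the deployment, may be readable by other local accounts; the same applies to the second write branch in the next hunk. Creating the file with a restrictive mode up front closes that window: `with os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), "w") as fd:` in place of the `open()` call in both branches. The `fd.closed` statement inside each `with` block is an attribute read with no effect and can be dropped. The start of the function and its exception handling lie outside this hunk.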
@@ -1360,15 +1366,15 @@ class certutil: log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, path, extra=config.PKI_INDENTATION_LEVEL_2) sys.exit(1) - if os.path.exists(master['pki_cert_database']) or\ - os.path.exists(master['pki_key_database']) or\ - os.path.exists(master['pki_secmod_database']): + if os.path.exists(pki_cert_database) or\ + os.path.exists(pki_key_database) or\ + os.path.exists(pki_secmod_database): # Simply notify user that the security databases exist config.pki_log.info( log.PKI_SECURITY_DATABASES_ALREADY_EXIST_3, - master['pki_cert_database'], - master['pki_key_database'], - master['pki_secmod_database'], + pki_cert_database, + pki_key_database, + pki_secmod_database, extra=config.PKI_INDENTATION_LEVEL_2) else: if password_file != None: @@ -1387,15 +1393,15 @@ class certutil: # Execute this "certutil" command subprocess.call(command, shell=True) else: - if os.path.exists(master['pki_cert_database']) or\ - os.path.exists(master['pki_key_database']) or\ - os.path.exists(master['pki_secmod_database']): + if os.path.exists(pki_cert_database) or\ + os.path.exists(pki_key_database) or\ + os.path.exists(pki_secmod_database): # Simply notify user that the security databases exist config.pki_log.info( log.PKI_SECURITY_DATABASES_ALREADY_EXIST_3, - master['pki_cert_database'], - master['pki_key_database'], - master['pki_secmod_database'], + pki_cert_database, + pki_key_database, + pki_secmod_database, extra=config.PKI_INDENTATION_LEVEL_2) else: # Display this "certutil" command @@ -1415,8 +1421,10 @@ class certutil: sys.exit(1) return - def verify_certificate_exists(self, path, token, nickname, - password_file=None): + def verify_certificate_exists(self, path, pki_cert_database, + pki_key_database, pki_secmod_database, + token, nickname, password_file=None, + silent=True): rv = 0 try: # Compose this "certutil" command 
@@ -1448,7 +1456,8 @@ class certutil: # OPTIONALLY specify a password file if password_file != None: command = command + " " + "-f" + " " + password_file - # Always execute this command silently + # By default, execute this command silently + if silent != False: command = command + " > /dev/null 2>&1" if not config.pki_dry_run_flag: if not os.path.exists(path): @@ -1456,15 +1465,15 @@ class certutil: log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, path, extra=config.PKI_INDENTATION_LEVEL_2) sys.exit(1) - if not os.path.exists(master['pki_cert_database']) or\ - not os.path.exists(master['pki_key_database']) or\ - not os.path.exists(master['pki_secmod_database']): + if not os.path.exists(pki_cert_database) or\ + not os.path.exists(pki_key_database) or\ + not os.path.exists(pki_secmod_database): # NSS security databases MUST exist! config.pki_log.error( log.PKI_SECURITY_DATABASES_DO_NOT_EXIST_3, - master['pki_cert_database'], - master['pki_key_database'], - master['pki_secmod_database'], + pki_cert_database, + pki_key_database, + pki_secmod_database, extra=config.PKI_INDENTATION_LEVEL_2) sys.exit(1) if password_file != None: @@ -1477,9 +1486,9 @@ class certutil: sys.exit(1) else: # Check for first time through as dry_run - if not os.path.exists(master['pki_cert_database']) or\ - not os.path.exists(master['pki_key_database']) or\ - not os.path.exists(master['pki_secmod_database']): + if not os.path.exists(pki_cert_database) or\ + not os.path.exists(pki_key_database) or\ + not os.path.exists(pki_secmod_database): return False # Execute this "certutil" command subprocess.check_call(command, shell=True) @@ -1492,7 +1501,9 @@ class certutil: sys.exit(1) return True - def generate_self_signed_certificate(self, path, token, nickname, + def generate_self_signed_certificate(self, path, pki_cert_database, + pki_key_database, pki_secmod_database, + token, nickname, subject, serial_number, validity_period, issuer_name, trustargs, noise_file, 
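Review bot: In verify_certificate_exists the new guard `if silent != False:` compares a flag against a boolean literal; `if silent:` expresses the same condition in the idiomatic form. When `silent` is false the command's stdout and stderr are no longer discarded, which is presumably intended for the new Jython configuration path, but it is worth a one-line comment saying so, e.g. `# callers pass silent=False when certutil's own output is wanted on the console`. The method's return and exception handling continue in the following hunks.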
@@ -1591,15 +1602,15 @@ class certutil: log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, path, extra=config.PKI_INDENTATION_LEVEL_2) sys.exit(1) - if not os.path.exists(master['pki_cert_database']) or\ - not os.path.exists(master['pki_key_database']) or\ - not os.path.exists(master['pki_secmod_database']): + if not os.path.exists(pki_cert_database) or\ + not os.path.exists(pki_key_database) or\ + not os.path.exists(pki_secmod_database): # NSS security databases MUST exist! config.pki_log.error( log.PKI_SECURITY_DATABASES_DO_NOT_EXIST_3, - master['pki_cert_database'], - master['pki_key_database'], - master['pki_secmod_database'], + pki_cert_database, + pki_key_database, + pki_secmod_database, extra=config.PKI_INDENTATION_LEVEL_2) sys.exit(1) if not os.path.exists(noise_file): 
@@ -1631,6 +1642,43 @@ class certutil: return +# PKI Deployment 'jython' Class +class jython: + def invoke(self, scriptlet, critical_failure=True): + try: + # From 'http://www.jython.org/archive/22/userfaq.html': + # Setting this to false will allow Jython to provide access to + # non-public fields, methods, and constructors of Java objects. + property = "-Dpython.security.respectJavaAccessibility=false" + # comment the next line out to use the "property" defined above + property = "" + # Compose this "jython" command + data = pickle.dumps(master) + ld_library_path = "LD_LIBRARY_PATH" + if master['pki_architecture'] == 64: + ld_library_path = ld_library_path + "=" +\ + "/usr/lib64/jss:/usr/lib64:/lib64:" +\ + "/usr/lib/jss:/usr/lib:/lib" + else: + ld_library_path = ld_library_path + "=" +\ + "/usr/lib/jss:/usr/lib:/lib" + command = "export" + " " + ld_library_path + ";" + "jython" + " " +\ + property + " " + scriptlet + " " + "\"" + data + "\"" + # Display this "jython" command + config.pki_log.info( + log.PKIHELPER_INVOKE_JYTHON_3, + ld_library_path, property, scriptlet, + extra=config.PKI_INDENTATION_LEVEL_2) + # Invoke this "jython" command + subprocess.call(command, shell=True) + except subprocess.CalledProcessError as exc: + config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + # PKI Deployment Helper Class Instances identity = identity() instance = instance() @@ -1640,3 +1688,4 @@ symlink = symlink() war = war() password = password() certutil = certutil() +jython = jython() diff --git a/base/deploy/src/scriptlets/pkijython.py b/base/deploy/src/scriptlets/pkijython.py new file mode 100644 index 000000000..9c8765a80 --- /dev/null +++ b/base/deploy/src/scriptlets/pkijython.py 
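Review bot: jython.invoke catches subprocess.CalledProcessError but calls `subprocess.call`, which never raises it, so a non-zero exit from the Jython scriptlet is silently ignored and the `critical_failure` parameter has no effect; `rc = subprocess.call(command, shell=True)` followed by `if rc != 0: raise subprocess.CalledProcessError(rc, command)` (or simply `subprocess.check_call`) restores the intended behaviour. Separately, `data = pickle.dumps(master)` is spliced into a shell command string and handed to the child as a process argument: pickle output can contain quotes, `$` and backslashes that the shell will interpret, and the master dictionary presumably carries `pki_pin` and `pki_client_pin` (the pkiparser.py hunk below adds them to pki_master_dict), so the PIN would be visible to any local user in the process table for the lifetime of the jython process. Passing the pickled dictionary over the child's stdin, or via a temporary file created with mode 0o600, keeps it out of argv, and the receiving scriptlet should unpickle only data from that trusted channel. The dead assignment `property = ""` that overrides the `-D` option above it, and the name `property` shadowing the builtin, deserve a tidy-up as well.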
@@ -0,0 +1,200 @@ +#!/usr/bin/jython + +# System Java Imports +from java.io import BufferedReader +from java.io import ByteArrayInputStream +from java.io import FileReader +from java.io import IOException +from java.lang import String as javastring +from java.lang import System as javasystem +from java.net import URISyntaxException +from java.security import KeyPair +from java.security import NoSuchAlgorithmException +from java.util import ArrayList +from java.util import Collection +from java.util import Iterator +from org.python.core import PyDictionary +import jarray + + +# System Python Imports +import os +import sys +pki_python_module_path = os.path.join(sys.prefix, + "lib", + "python" + str(sys.version_info[0]) + + "." + str(sys.version_info[1]), + "site-packages", + "pki", + "deployment", + "configuration.jy") +sys.path.append(pki_python_module_path) + + +# http://www.jython.org/jythonbook/en/1.0/appendixB.html#working-with-classpath +############################################################################### +# from http://forum.java.sun.com/thread.jspa?threadID=300557 +# +# Author: SG Langer Jan 2007 translated the above Java to this Jython class +# Purpose: Allow runtime additions of new Class/jars either from local files +# or URL +############################################################################### +class classPathHacker: + import java.lang.reflect.Method + import java.io.File + import java.net.URL + import java.net.URLClassLoader + import jarray + + def addFile(self, s): + ################################################## + # Purpose: If adding a file/jar call this first + # with s = path_to_jar + ################################################## + + # make a URL out of 's' + f = self.java.io.File (s) + u = f.toURL () + a = self.addURL (u) + return a + + def addURL(self, u): + ########################################### + # Purpose: Call this with u= URL for the + # new Class/jar to be loaded + 
########################################### + + parameters = self.jarray.array([self.java.net.URL], + self.java.lang.Class) + sysloader = self.java.lang.ClassLoader.getSystemClassLoader() + sysclass = self.java.net.URLClassLoader + method = sysclass.getDeclaredMethod("addURL", parameters) + a = method.setAccessible(1) + jar_a = self.jarray.array([u], self.java.lang.Object) + b = method.invoke(sysloader, jar_a) + return u + + +# Dynamically Load Additional Java Jars ('append' to existing classpath) +jarLoad = classPathHacker() +# Webserver Jars +jarLoad.addFile("/usr/share/java/httpcomponents/httpclient.jar") +jarLoad.addFile("/usr/share/java/apache-commons-cli.jar") +# Resteasy Jars +jarLoad.addFile("/usr/share/java/glassfish-jaxb/jaxb-impl.jar") +jarLoad.addFile("/usr/share/java/resteasy/jaxrs-api.jar") +jarLoad.addFile("/usr/share/java/resteasy/resteasy-jaxb-provider.jar") +jarLoad.addFile("/usr/share/java/resteasy/resteasy-jaxrs.jar") +jarLoad.addFile("/usr/share/java/resteasy/resteasy-jettison-provider.jar") +jarLoad.addFile("/usr/share/java/scannotation.jar") +# PKI Jars +jarLoad.addFile("/usr/share/java/pki/pki-cms.jar") +jarLoad.addFile("/usr/share/java/pki/pki-cmsutil.jar") +jarLoad.addFile("/usr/share/java/pki/pki-nsutil.jar") +# JSS JNI Jars +# +# NOTE: Always load 64-bit JNI 'jss4.jar' +# PRIOR to 32-bit JNI 'jss4.jar' +# +jarLoad.addFile("/usr/lib64/java/jss4.jar") +jarLoad.addFile("/usr/lib/java/jss4.jar") + + +# Apache Commons Java Imports +from org.apache.commons.cli import CommandLine +from org.apache.commons.cli import CommandLineParser +from org.apache.commons.cli import HelpFormatter +from org.apache.commons.cli import Options +from org.apache.commons.cli import ParseException +from org.apache.commons.cli import PosixParser + + +# JSS Java Imports +from org.mozilla.jss import CryptoManager +from org.mozilla.jss.asn1 import ASN1Util +from org.mozilla.jss.asn1 import BIT_STRING +from org.mozilla.jss.asn1 import INTEGER +from org.mozilla.jss.asn1 
import InvalidBERException +from org.mozilla.jss.asn1 import SEQUENCE +from org.mozilla.jss.crypto import AlreadyInitializedException +from org.mozilla.jss.crypto import CryptoToken +from org.mozilla.jss.crypto import KeyPairAlgorithm +from org.mozilla.jss.crypto import KeyPairGenerator +from org.mozilla.jss.crypto import TokenException +from org.mozilla.jss.pkix.crmf import CertReqMsg +from org.mozilla.jss.pkix.crmf import CertRequest +from org.mozilla.jss.pkix.crmf import CertTemplate +from org.mozilla.jss.pkix.crmf import POPOPrivKey +from org.mozilla.jss.pkix.crmf import ProofOfPossession +from org.mozilla.jss.pkix.primitive import Name +from org.mozilla.jss.pkix.primitive import SubjectPublicKeyInfo +from org.mozilla.jss.util import Password + + +# PKI Java Imports +from com.netscape.cms.servlet.csadmin import ConfigurationRESTClient +from com.netscape.cms.servlet.csadmin.model import CertData +from com.netscape.cms.servlet.csadmin.model import ConfigurationData +from com.netscape.cms.servlet.csadmin.model import ConfigurationResponseData +from com.netscape.cmsutil.util import Utils +from netscape.security.x509 import X500Name + + +# PKI Python Imports +import pkiconfig as config +import pkimessages as log + + +# PKI Deployment 'security databases' Class +class security_databases: + def initialize_token(self, pki_database_path, pki_dry_run_flag, log_level): + try: + if log_level >= config.PKI_JYTHON_INFO_LOG_LEVEL: + print "%s %s '%s'" %\ + (log.PKI_JYTHON_INDENTATION_2, + log.PKI_JYTHON_INITIALIZING_TOKEN, + pki_database_path) + if not pki_dry_run_flag: + CryptoManager.initialize(pki_database_path) + except AlreadyInitializedException, e: + # it is ok if it is already initialized + pass + except Exception, e: + javasystem.out.println("INITIALIZATION ERROR: " + str(e)) + javasystem.exit(1) + + def log_into_token(self, pki_database_path, password_conf, + pki_dry_run_flag, log_level): + try: + if log_level >= config.PKI_JYTHON_INFO_LOG_LEVEL: + print "%s %s 
'%s'" %\ + (log.PKI_JYTHON_INDENTATION_2, + log.PKI_JYTHON_LOG_INTO_TOKEN, + pki_database_path) + if not pki_dry_run_flag: + manager = CryptoManager.getInstance() + token = manager.getInternalKeyStorageToken() + # Retrieve 'token_pwd' from 'password_conf' + # + # NOTE: For now, ONLY read the first line + # (which contains the password) + # + fd = open(password_conf, "r") + token_pwd = fd.readline() + fd.close + # Convert 'token_pwd' into a 'java char[]' + jtoken_pwd = jarray.array(token_pwd, 'c') + password = Password(jtoken_pwd) + try: + token.login(password) + except Exception, e: + javasystem.out.println("login Exception: " + str(e)) + if not token.isLoggedIn(): + token.initPassword(password, password) + except Exception, e: + javasystem.out.println("Exception in logging into token: " +\ + str(e)) + javasystem.exit(1) + +# PKI Deployment Jython Class Instances +security_databases = security_databases() diff --git a/base/deploy/src/scriptlets/pkimessages.py b/base/deploy/src/scriptlets/pkimessages.py index 774b1f169..806a64e4d 100644 --- a/base/deploy/src/scriptlets/pkimessages.py +++ b/base/deploy/src/scriptlets/pkimessages.py @@ -123,6 +123,8 @@ PKISPAWN_END_MESSAGE_2 = "END spawning subsystem '%s' of "\ # PKI Deployment "Helper" Messages PKIHELPER_APACHE_INSTANCES_2 = "instance '%s' contains '%d' "\ "Apache PKI subsystems" +PKIHELPER_APPLY_SLOT_SUBSTITUTION_1 = "applying in-place "\ + "slot substitutions on '%s'" PKIHELPER_CERTUTIL_MISSING_ISSUER_NAME = "certutil: Missing "\ "'-c issuer-name' option!" PKIHELPER_CERTUTIL_MISSING_NICKNAME = "certutil: Missing "\ 
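Review bot: In security_databases.log_into_token the password file is never closed: `fd.close` lacks the call parentheses, so the statement merely references the bound method. The line obtained with `fd.readline()` also keeps its trailing newline, which then becomes part of the Java `char[]` password, and if `password_conf` is the file written by password.create_password_conf (a single `<token>=<pin>` line) the token name and `=` would be included too — worth confirming which file callers pass. Suggest `try:` / `token_pwd = fd.readline().rstrip("\r\n")` / `finally: fd.close()`, extracting the part after `=` if that is indeed the password.conf layout, and letting a `token.login` failure other than "not initialized" propagate instead of falling through to `token.initPassword`. Earlier in the same file, `sys.path.append(pki_python_module_path)` appends a path ending in `configuration.jy`, a file rather than a directory, which looks unintended unless the Jython import machinery accepts it.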
@@ -152,13 +154,13 @@ PKIHELPER_DIRECTORY_IS_EMPTY_1 = "directory '%s' is empty" PKIHELPER_DIRECTORY_IS_NOT_EMPTY_1 = "directory '%s' is NOT empty" PKIHELPER_GID_2 = "GID of '%s' is %s" PKIHELPER_GROUP_1 = "retrieving GID for '%s' . . ." +PKIHELPER_INVOKE_JYTHON_3 = "executing 'export %s;"\ + "jython %s %s '" PKIHELPER_IS_A_DIRECTORY_1 = "'%s' is a directory" PKIHELPER_IS_A_FILE_1 = "'%s' is a file" PKIHELPER_IS_A_SYMLINK_1 = "'%s' is a symlink" PKIHELPER_JAR_XF_C_2 = "jar -xf %s -C %s" PKIHELPER_LINK_S_2 = "ln -s %s %s" -PKIHELPER_APPLY_SLOT_SUBSTITUTION_1 = "applying in-place "\ - "slot substitutions on '%s'" PKIHELPER_MKDIR_1 = "mkdir -p %s" PKIHELPER_MODIFY_DIR_1 = "modifying '%s'" PKIHELPER_MODIFY_FILE_1 = "modifying '%s'" @@ -180,7 +182,21 @@ PKIHELPER_UID_2 = "UID of '%s' is %s" PKIHELPER_USER_1 = "retrieving UID for '%s' . . ." +# PKI Deployment Jython "Scriptlet" Messages +# (MUST contain NO embedded formats since Jython 2.2 does not support logging!) +PKI_JYTHON_INDENTATION_0 = "pkispawn : JYTHON " +PKI_JYTHON_INDENTATION_1 = "pkispawn : JYTHON ..." +PKI_JYTHON_INDENTATION_2 = "pkispawn : JYTHON ......." +PKI_JYTHON_INDENTATION_3 = "pkispawn : JYTHON ..........." +PKI_JYTHON_INDENTATION_4 = "pkispawn : JYTHON ..............." +PKI_JYTHON_INITIALIZING_TOKEN = "initializing token located in" +PKI_JYTHON_LOG_INTO_TOKEN = "logging into token located in" + + # PKI Deployment "Scriptlet" Messages +ADMIN_DOMAIN_DESTROY_1 = "depopulating '%s'" +ADMIN_DOMAIN_RESPAWN_1 = "repopulating '%s'" +ADMIN_DOMAIN_SPAWN_1 = "populating '%s'" CONFIGURATION_DESTROY_1 = "unconfiguring '%s'" CONFIGURATION_RESPAWN_1 = "reconfiguring '%s'" CONFIGURATION_SPAWN_1 = "configuring '%s'" 
@@ -208,6 +224,3 @@ SUBSYSTEM_SPAWN_1 = "populating '%s'" WAR_EXPLOSION_DESTROY_1 = "removing '%s'" WAR_EXPLOSION_RESPAWN_1 = "redeploying '%s'" WAR_EXPLOSION_SPAWN_1 = "deploying '%s'" -WEBSERVER_DESTROY_1 = "depopulating '%s'" -WEBSERVER_RESPAWN_1 = "repopulating '%s'" -WEBSERVER_SPAWN_1 = "populating '%s'" diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py index 19c9119a6..a9a53dd76 100644 --- a/base/deploy/src/scriptlets/pkiparser.py +++ b/base/deploy/src/scriptlets/pkiparser.py @@ -24,6 +24,7 @@ import ConfigParser import argparse import logging import os +import sys import time @@ -66,7 +67,8 @@ def process_command_line_arguments(argv): optional.add_argument('-p', dest='pki_root_prefix', action='store', nargs=1, metavar='', - help='directory prefix to specify local directory') + help='directory prefix to specify local directory ' + '[TEST ONLY]') if os.path.basename(argv[0]) == 'pkispawn': optional.add_argument('-u', dest='pki_update_flag', action='store_true', @@ -76,6 +78,10 @@ def process_command_line_arguments(argv): help='display verbose information (details below)') custom = parser.add_argument_group('custom arguments ' '(OVERRIDES configuration file values)') + custom.add_argument('-d', + dest='pki_admin_domain_name', action='store', + nargs=1, metavar='', + help='PKI admin domain name (instance name prefix)') custom.add_argument('-i', dest='pki_instance_name', action='store', nargs=1, metavar='', 
@@ -114,12 +120,15 @@ def process_command_line_arguments(argv): if args.pki_update_flag: config.pki_update_flag = args.pki_update_flag if args.pki_verbosity == 1: + config.pki_jython_log_level = config.PKI_JYTHON_INFO_LOG_LEVEL config.pki_console_log_level = logging.INFO config.pki_log_level = logging.INFO elif args.pki_verbosity == 2: + config.pki_jython_log_level = config.PKI_JYTHON_INFO_LOG_LEVEL config.pki_console_log_level = logging.INFO config.pki_log_level = logging.DEBUG elif args.pki_verbosity == 3: + config.pki_jython_log_level = config.PKI_JYTHON_DEBUG_LOG_LEVEL config.pki_console_log_level = logging.DEBUG config.pki_log_level = logging.DEBUG elif args.pki_verbosity > 3: @@ -127,8 +136,17 @@ def process_command_line_arguments(argv): print parser.print_help() parser.exit(-1); + else: + # Set default log levels + config.pki_jython_log_level = config.PKI_JYTHON_WARNING_LOG_LEVEL + config.pki_console_log_level = logging.WARNING + config.pki_log_level = logging.INFO + if not args.pki_admin_domain_name is None: + config.pki_admin_domain_name =\ + str(args.pki_admin_domain_name).strip('[\']') if not args.pki_instance_name is None: - config.pki_instance_name = str(args.pki_instance_name).strip('[\']') + config.pki_instance_name =\ + str(args.pki_instance_name).strip('[\']') if not args.pki_http_port is None: config.pki_http_port = str(args.pki_http_port).strip('[\']') if not args.pki_https_port is None: 
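Review bot: The new `config.pki_admin_domain_name = str(args.pki_admin_domain_name).strip('[\']')` copies a fragile pattern: with `nargs=1` argparse yields a one-element list, and stringifying it and stripping brackets and quotes breaks for values containing `'`, `[` or `]`. Indexing the list is shorter and exact, `config.pki_admin_domain_name = args.pki_admin_domain_name[0]` (the same applies to the rewrapped pki_instance_name assignment below it). Because this value later becomes a prefix of the instance directory name, rejecting empty strings and path separators at this point would be a cheap sanity check. process_command_line_arguments continues beyond this hunk.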
@@ -173,13 +191,14 @@ def process_command_line_arguments(argv): # explicitly specified if it does not use the default location # and/or default configuration file name. if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS: - pki_web_server = "Apache" + default_pki_instance_name =\ + config.PKI_DEPLOYMENT_DEFAULT_APACHE_INSTANCE_NAME elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: - pki_web_server = "Tomcat" + default_pki_instance_name =\ + config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME config.pkideployment_cfg = config.pki_root_prefix +\ config.PKI_DEPLOYMENT_REGISTRY_ROOT + "/" +\ - config.PKI_DEPLOYMENT_DEFAULT_INSTANCE_NAME + "/" +\ - pki_web_server.lower() +"/" +\ + default_pki_instance_name +"/" +\ config.pki_subsystem.lower() +"/" +\ config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE if not os.path.exists(config.pkideployment_cfg) or\ 
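Review bot: If config.pki_subsystem is in neither PKI_APACHE_SUBSYSTEMS nor PKI_TOMCAT_SUBSYSTEMS, `default_pki_instance_name` is never bound and the following `config.pkideployment_cfg = ...` concatenation raises NameError instead of a readable error; the removed `pki_web_server` had the same gap, but this rewrite is the natural place to close it. An `else:` branch such as `parser.error("unsupported subsystem '%s'" % config.pki_subsystem)` keeps the later path construction safe. This assumes pki_subsystem is not already validated earlier in the function, which is outside the hunk.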
@@ -238,62 +257,83 @@ def compose_pki_master_dictionary(): config.pki_master_dict['pki_timestamp'] = config.pki_timestamp config.pki_master_dict['pki_certificate_timestamp'] =\ config.pki_certificate_timestamp + config.pki_master_dict['pki_architecture'] = config.pki_architecture config.pki_master_dict['pki_hostname'] = config.pki_hostname config.pki_master_dict['pki_pin'] = config.pki_pin + config.pki_master_dict['pki_client_pin'] = config.pki_client_pin config.pki_master_dict['pki_one_time_pin'] = config.pki_one_time_pin + config.pki_master_dict['pki_dry_run_flag'] = config.pki_dry_run_flag + config.pki_master_dict['pki_jython_log_level'] =\ + config.pki_jython_log_level # Configuration file name/value pairs config.pki_master_dict.update(config.pki_common_dict) config.pki_master_dict.update(config.pki_web_server_dict) config.pki_master_dict.update(config.pki_subsystem_dict) config.pki_master_dict.update(__name__="PKI Master Dictionary") # IMPORTANT: A "PKI instance" no longer corresponds to a single - # pki subystem, but rather to zero or one unique - # "Tomcat web instance" AND/OR zero or one unique - # "Apache web instance". Obviously, each - # "PKI instance" must contain at least one of these - # two web instances. The name of the default - # "PKI instance" is called "default" and may be - # changed in the PKI deployment configuration file, - # and/or overridden via the command-line interface. + # pki subystem, but rather to a unique + # "Tomcat web instance" or a unique "Apache web instance". # - # A "Tomcat instance" consists of a single process + # A "Tomcat web instance" consists of a single process # which may itself contain zero or one unique # "CA" and/or "KRA" and/or "OCSP" and/or "TKS" - # pki subystems. Obviously, the "Tomcat instance" must - # contain at least one of these four pki subystems. + # pki subystems. Obviously, the "Tomcat web instance" + # must contain at least one of these four pki subystems. 
# - # Similarly, an "Apache instance" consists of a single + # Similarly, an "Apache web instance" consists of a single # process which may itself contain zero or one unique # "RA" and/or "TPS" pki subsystems. Obviously, the - # "Apache instance" must contain at least one of these + # "Apache web instance" must contain at least one of these # two pki subystems. # + # Optionally, to more clearly distinguish a "PKI instance", + # a common PKI "Admin Domain" may be used as a prefix to + # either an "Apache web instance", or a + # "Tomcat web instance". + # + # Thus, a specific "PKI instance" of a CA, KRA, OCSP, + # or TKS subystem must be referenced via the name of + # the particular PKI "Tomcat web instance" containing + # this PKI subsystem optionally preceded by a + # specified PKI "Admin Domain" separated via a "-". + # + # Likewise, a specific "PKI instance" of an RA, or TPS + # subystem must be referenced via the name of + # the particular PKI "Apache web instance" containing + # this PKI subsystem optionally preceded by a + # specified PKI "Admin Domain" separated via a "-". + # # To emulate the original behavior of having a CA and # KRA be unique PKI instances, each must be located - # within a separately named "PKI instance" if residing - # on the same host machine, or may be located within - # an identically named "PKI instance" when residing on - # two separate host machines. + # within separately named "Tomcat web instances" if + # residing on the same host machine, or may be located + # within an identically named "PKI instance" when residing + # on two separate host machines. # # PKI INSTANCE NAMING CONVENTION: # # OLD: "pki-${pki_subsystem}" - # (e. g. Tomcat - "pki-ca", "pki-kra", "pki-ocsp", "pki-tks") - # (e. g. Apache - "pki-ra", "pki-tps") - # NEW: "pki-${pki_instance_name}-${pki_web_server}" - # (e. g. Tomcat: "pki-default-tomcat") - # (e. g. Apache: "pki-default-apache") + # (e. g. Tomcat: "pki-ca", "pki-kra", "pki-ocsp", "pki-tks") + # (e. g. 
Apache: "pki-ra", "pki-tps") + # NEW: "[${pki_admin_domain_name}-]${pki_instance_name}" + # (e. g. Tomcat: "tomcat", "example.com-tomcat") + # (e. g. Apache: "apache", "example.com-apache") # - config.pki_master_dict['pki_instance_id'] =\ - "pki" + "-" + config.pki_master_dict['pki_instance_name'] + "-" +\ - config.pki_master_dict['pki_web_server'].lower() + if not config.pki_master_dict['pki_admin_domain_name'] is None and\ + not config.pki_master_dict['pki_admin_domain_name'] is '': + config.pki_master_dict['pki_instance_id'] =\ + config.pki_master_dict['pki_admin_domain_name'] +\ + "-" + config.pki_master_dict['pki_instance_name'] + else: + config.pki_master_dict['pki_instance_id'] =\ + config.pki_master_dict['pki_instance_name'] # PKI Source name/value pairs config.pki_master_dict['pki_source_conf_path'] =\ - os.path.join(config.pki_master_dict['pki_source_root'], + os.path.join(config.PKI_DEPLOYMENT_SOURCE_ROOT, config.pki_master_dict['pki_subsystem'].lower(), "conf") config.pki_master_dict['pki_source_setup_path'] =\ - os.path.join(config.pki_master_dict['pki_source_root'], + os.path.join(config.PKI_DEPLOYMENT_SOURCE_ROOT, config.pki_master_dict['pki_subsystem'].lower(), "setup") config.pki_master_dict['pki_source_cs_cfg'] =\ 
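Review bot: The new guard `not config.pki_master_dict['pki_admin_domain_name'] is ''` uses identity (`is`) to compare a string with `''`; that only works because CPython happens to intern the empty string, and an empty value produced by slicing or decoding can be a distinct object, so the admin-domain prefix could be applied as a bare `-`. Truthiness covers both the None and the empty-string case: `if config.pki_master_dict['pki_admin_domain_name']:`. The resulting `pki_instance_id` is later joined into the instance, log, configuration and registry paths (the `@@ -344,85` hunk below) with no check that it is a single path component, so a domain or instance name containing `/` or `..` would place the instance outside the PKI root; a check right after it is built, e.g. `if os.sep in instance_id or instance_id in ('.', '..'):` followed by a logged exit, is cheap. compose_pki_master_dictionary continues outside this hunk.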
@@ -305,17 +345,19 @@ def compose_pki_master_dictionary(): if config.pki_master_dict['pki_subsystem'] in\ config.PKI_TOMCAT_SUBSYSTEMS: config.pki_master_dict['pki_tomcat_bin_path'] =\ - os.path.join(config.pki_master_dict['pki_tomcat_root'], + os.path.join(config.PKI_DEPLOYMENT_TOMCAT_ROOT, "bin") config.pki_master_dict['pki_tomcat_lib_path'] =\ - os.path.join(config.pki_master_dict['pki_tomcat_root'], + os.path.join(config.PKI_DEPLOYMENT_TOMCAT_ROOT, "lib") + config.pki_master_dict['pki_tomcat_systemd'] =\ + config.PKI_DEPLOYMENT_TOMCAT_SYSTEMD config.pki_master_dict['pki_war_path'] =\ - os.path.join(config.pki_master_dict['pki_source_root'], + os.path.join(config.PKI_DEPLOYMENT_SOURCE_ROOT, config.pki_master_dict['pki_subsystem'].lower(), "war") config.pki_master_dict['pki_source_webapps_path'] =\ - os.path.join(config.pki_master_dict['pki_source_root'], + os.path.join(config.PKI_DEPLOYMENT_SOURCE_ROOT, config.pki_master_dict['pki_subsystem'].lower(), "webapps") config.pki_master_dict['pki_war'] =\ 
@@ -344,85 +386,60 @@ def compose_pki_master_dictionary(): "web.xml") if config.pki_master_dict['pki_subsystem'] == "CA": config.pki_master_dict['pki_source_emails'] =\ - os.path.join(config.pki_master_dict['pki_source_root'], + os.path.join(config.PKI_DEPLOYMENT_SOURCE_ROOT, "ca", "emails") config.pki_master_dict['pki_source_profiles'] =\ - os.path.join(config.pki_master_dict['pki_source_root'], + os.path.join(config.PKI_DEPLOYMENT_SOURCE_ROOT, "ca", "profiles") config.pki_master_dict['pki_source_proxy_conf'] =\ os.path.join(config.pki_master_dict['pki_source_conf_path'], "proxy.conf") - # Instance layout base name/value pairs + # PKI top-level file system layout name/value pairs # NOTE: Never use 'os.path.join()' whenever 'pki_root_prefix' # is being prepended!!! config.pki_master_dict['pki_root_prefix'] = config.pki_root_prefix config.pki_master_dict['pki_path'] =\ config.pki_master_dict['pki_root_prefix'] +\ - config.pki_master_dict['pki_instance_root'] - config.pki_master_dict['pki_instance_path'] =\ - os.path.join(config.pki_master_dict['pki_path'], - config.pki_master_dict['pki_instance_name']) - # Instance layout log name/value pairs + config.PKI_DEPLOYMENT_BASE_ROOT config.pki_master_dict['pki_log_path'] =\ config.pki_master_dict['pki_root_prefix'] +\ - config.pki_master_dict['pki_instance_log_root'] - config.pki_master_dict['pki_instance_log_path'] =\ - os.path.join(config.pki_master_dict['pki_log_path'], - config.pki_master_dict['pki_instance_name']) - # Instance layout configuration name/value pairs + config.PKI_DEPLOYMENT_LOG_ROOT config.pki_master_dict['pki_configuration_path'] =\ config.pki_master_dict['pki_root_prefix'] +\ - config.pki_master_dict['pki_instance_configuration_root'] - config.pki_master_dict['pki_instance_configuration_path'] =\ - os.path.join(config.pki_master_dict['pki_configuration_path'], - config.pki_master_dict['pki_instance_name']) - # Instance layout registry name/value pairs + config.PKI_DEPLOYMENT_CONFIGURATION_ROOT 
config.pki_master_dict['pki_registry_path'] =\ config.pki_master_dict['pki_root_prefix'] +\ config.PKI_DEPLOYMENT_REGISTRY_ROOT + # Apache/Tomcat instance base name/value pairs + config.pki_master_dict['pki_instance_path'] =\ + os.path.join(config.pki_master_dict['pki_path'], + config.pki_master_dict['pki_instance_id']) + # Apache/Tomcat instance log name/value pairs + config.pki_master_dict['pki_instance_log_path'] =\ + os.path.join(config.pki_master_dict['pki_log_path'], + config.pki_master_dict['pki_instance_id']) + # Apache/Tomcat instance configuration name/value pairs + config.pki_master_dict['pki_instance_configuration_path'] =\ + os.path.join(config.pki_master_dict['pki_configuration_path'], + config.pki_master_dict['pki_instance_id']) + # Apache/Tomcat instance registry name/value pairs config.pki_master_dict['pki_instance_registry_path'] =\ os.path.join(config.pki_master_dict['pki_registry_path'], - config.pki_master_dict['pki_instance_name']) - # Instance layout NSS security database name/value pairs - config.pki_master_dict['pki_database_path'] =\ - os.path.join( - config.pki_master_dict['pki_instance_configuration_path'], - "alias") - # Instance layout convenience symbolic links - config.pki_master_dict['pki_instance_database_link'] =\ - os.path.join(config.pki_master_dict['pki_instance_path'], - "alias") - # Instance-based Apache/Tomcat webserver base name/value pairs - config.pki_master_dict['pki_webserver_path'] =\ - os.path.join(config.pki_master_dict['pki_instance_path'], - config.pki_master_dict['pki_web_server'].lower()) - # Instance-based Apache/Tomcat webserver log name/value pairs - config.pki_master_dict['pki_webserver_log_path'] =\ - os.path.join(config.pki_master_dict['pki_instance_log_path'], - config.pki_master_dict['pki_web_server'].lower()) - # Instance-based Apache/Tomcat webserver configuration name/value pairs - config.pki_master_dict['pki_webserver_configuration_path'] =\ - os.path.join( - 
config.pki_master_dict['pki_instance_configuration_path'], - config.pki_master_dict['pki_web_server'].lower()) - # Instance-based Apache/Tomcat webserver registry name/value pairs - config.pki_master_dict['pki_webserver_registry_path'] =\ - os.path.join(config.pki_master_dict['pki_instance_registry_path'], - config.pki_master_dict['pki_web_server'].lower()) - # Instance-based Tomcat-specific webserver name/value pairs + config.pki_master_dict['pki_instance_id']) + # Tomcat-specific instance name/value pairs if config.pki_master_dict['pki_subsystem'] in\ config.PKI_TOMCAT_SUBSYSTEMS: - # Instance-based Tomcat webserver base name/value pairs + # Tomcat instance base name/value pairs config.pki_master_dict['pki_tomcat_common_path'] =\ - os.path.join(config.pki_master_dict['pki_webserver_path'], + os.path.join(config.pki_master_dict['pki_instance_path'], "common") config.pki_master_dict['pki_tomcat_common_lib_path'] =\ os.path.join(config.pki_master_dict['pki_tomcat_common_path'], "lib") config.pki_master_dict['pki_tomcat_webapps_path'] =\ - os.path.join(config.pki_master_dict['pki_webserver_path'], + os.path.join(config.pki_master_dict['pki_instance_path'], "webapps") config.pki_master_dict['pki_tomcat_webapps_root_path'] =\ os.path.join(config.pki_master_dict['pki_tomcat_webapps_path'], 
@@ -447,45 +464,50 @@ def compose_pki_master_dictionary(): config.pki_master_dict\ ['pki_tomcat_webapps_root_webinf_path'], "web.xml") - # Instance-based Tomcat webserver log name/value pairs - # Instance-based Tomcat webserver configuration name/value pairs - # Instance-based Tomcat webserver registry name/value pairs - # Instance-based Tomcat webserver convenience symbolic links + # Tomcat instance log name/value pairs + # Tomcat instance configuration name/value pairs + # Tomcat instance registry name/value pairs + # Tomcat instance convenience symbolic links config.pki_master_dict['pki_tomcat_bin_link'] =\ - os.path.join(config.pki_master_dict['pki_webserver_path'], + os.path.join(config.pki_master_dict['pki_instance_path'], "bin") config.pki_master_dict['pki_tomcat_lib_link'] =\ - os.path.join(config.pki_master_dict['pki_webserver_path'], + os.path.join(config.pki_master_dict['pki_instance_path'], "lib") - config.pki_master_dict['pki_webserver_systemd_link'] =\ - os.path.join(config.pki_master_dict['pki_webserver_path'], + config.pki_master_dict['pki_instance_systemd_link'] =\ + os.path.join(config.pki_master_dict['pki_instance_path'], config.pki_master_dict['pki_instance_id']) - # Instance-based Apache/Tomcat webserver convenience symbolic links - config.pki_master_dict['pki_webserver_database_link'] =\ - os.path.join(config.pki_master_dict['pki_webserver_path'], + # Instance layout NSS security database name/value pairs + config.pki_master_dict['pki_database_path'] =\ + os.path.join( + config.pki_master_dict['pki_instance_configuration_path'], + "alias") + # Apache/Tomcat instance convenience symbolic links + config.pki_master_dict['pki_instance_database_link'] =\ + os.path.join(config.pki_master_dict['pki_instance_path'], "alias") - config.pki_master_dict['pki_webserver_conf_link'] =\ - os.path.join(config.pki_master_dict['pki_webserver_path'], + config.pki_master_dict['pki_instance_conf_link'] =\ + os.path.join(config.pki_master_dict['pki_instance_path'], 
"conf") - config.pki_master_dict['pki_webserver_logs_link'] =\ - os.path.join(config.pki_master_dict['pki_webserver_path'], + config.pki_master_dict['pki_instance_logs_link'] =\ + os.path.join(config.pki_master_dict['pki_instance_path'], "logs") # Instance-based PKI subsystem base name/value pairs config.pki_master_dict['pki_subsystem_path'] =\ - os.path.join(config.pki_master_dict['pki_webserver_path'], + os.path.join(config.pki_master_dict['pki_instance_path'], config.pki_master_dict['pki_subsystem'].lower()) # Instance-based PKI subsystem log name/value pairs config.pki_master_dict['pki_subsystem_log_path'] =\ - os.path.join(config.pki_master_dict['pki_webserver_log_path'], + os.path.join(config.pki_master_dict['pki_instance_log_path'], config.pki_master_dict['pki_subsystem'].lower()) # Instance-based PKI subsystem configuration name/value pairs config.pki_master_dict['pki_subsystem_configuration_path'] =\ os.path.join( - config.pki_master_dict['pki_webserver_configuration_path'], + config.pki_master_dict['pki_instance_configuration_path'], config.pki_master_dict['pki_subsystem'].lower()) # Instance-based PKI subsystem registry name/value pairs config.pki_master_dict['pki_subsystem_registry_path'] =\ - os.path.join(config.pki_master_dict['pki_webserver_registry_path'], + os.path.join(config.pki_master_dict['pki_instance_registry_path'], config.pki_master_dict['pki_subsystem'].lower()) # Instance-based Apache/Tomcat PKI subsystem name/value pairs if config.pki_master_dict['pki_subsystem'] in\ @@ -696,7 +718,7 @@ def compose_pki_master_dictionary(): config.pki_master_dict['PKI_INSTANCE_PATH_SLOT'] =\ config.pki_master_dict['pki_subsystem_path'] config.pki_master_dict['PKI_INSTANCE_ROOT_SLOT'] =\ - config.pki_master_dict['pki_webserver_path'] + config.pki_master_dict['pki_instance_path'] config.pki_master_dict['PKI_MACHINE_NAME_SLOT'] =\ config.pki_master_dict['pki_hostname'] config.pki_master_dict['PKI_OPEN_AJP_PORT_COMMENT_SLOT'] =\ 
@@ -754,7 +776,7 @@ def compose_pki_master_dictionary(): config.pki_master_dict['TOMCAT_PIDFILE_SLOT'] =\ "/var/run/" + config.pki_master_dict['pki_instance_id'] + ".pid" config.pki_master_dict['TOMCAT_SERVER_PORT_SLOT'] =\ - config.pki_master_dict['tomcat_server_port'] + config.pki_master_dict['pki_tomcat_server_port'] config.pki_master_dict['TOMCAT_SSL2_CIPHERS_SLOT'] =\ "-SSL2_RC4_128_WITH_MD5," +\ "-SSL2_RC4_128_EXPORT40_WITH_MD5," +\ @@ -840,6 +862,38 @@ def compose_pki_master_dictionary(): os.path.join( config.pki_master_dict['pki_subsystem_configuration_path'], "password.conf") + # Client NSS security database name/value pairs + config.pki_master_dict['pki_client_path'] =\ + os.path.join( + "/tmp", + config.pki_master_dict['pki_instance_id'] + "_" + "client") + config.pki_master_dict['pki_client_password_conf'] =\ + os.path.join( + config.pki_master_dict['pki_client_path'], + "password.conf") + config.pki_master_dict['pki_client_database_path'] =\ + os.path.join( + config.pki_master_dict['pki_client_path'], + "alias") + config.pki_master_dict['pki_client_cert_database'] =\ + os.path.join(config.pki_master_dict['pki_client_database_path'], + "cert8.db") + config.pki_master_dict['pki_client_key_database'] =\ + os.path.join(config.pki_master_dict['pki_client_database_path'], + "key3.db") + config.pki_master_dict['pki_client_secmod_database'] =\ + os.path.join(config.pki_master_dict['pki_client_database_path'], + "secmod.db") + # Jython scriptlet name/value pairs + config.pki_master_dict['pki_jython_configuration_scriptlet'] =\ + os.path.join(sys.prefix, + "lib", + "python" + str(sys.version_info[0]) + "." + + str(sys.version_info[1]), + "site-packages", + "pki", + "deployment", + "configuration.jy") except OSError as exc: config.pki_log.error(log.PKI_OSERROR_1, exc, extra=config.PKI_INDENTATION_LEVEL_2) diff --git a/base/deploy/src/scriptlets/pkiscriptlet.py b/base/deploy/src/scriptlets/pkiscriptlet.py index 6f29e2c8b..767b3c609 100644 
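Review bot: `pki_client_path` in the `@@ -840,6 +862,38 @@` hunk is a fixed, guessable name under `/tmp` (`<pki_instance_id>_client`), and `pki_client_password_conf` plus the `cert8.db`/`key3.db`/`secmod.db` paths all hang off it; a world-writable directory with a predictable name is a poor home for a password file and client key material, since any local account can pre-create or symlink that path before the deployer runs. Prefer a private directory from `tempfile.mkdtemp(prefix=config.pki_master_dict['pki_instance_id'] + "_client")` (unique name, mode 0o700) or a location under the instance's own configuration path, and have the scriptlet that consumes it remove the directory when it is done. Separately, `pki_jython_configuration_scriptlet` is derived from `sys.prefix` and `sys.version_info` and hard-codes a `lib/pythonX.Y/site-packages` layout, which will not match a `lib64` or `dist-packages` install; deriving it from the deployment package's own `__file__` would be more robust. compose_pki_master_dictionary starts before this hunk.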
--- a/base/deploy/src/scriptlets/pkiscriptlet.py
+++ b/base/deploy/src/scriptlets/pkiscriptlet.py
@@ -23,7 +23,7 @@ import abc
-# PKI Deployment Classes
+# PKI Deployment Abstract Base PKI Scriptlet
 class AbstractBasePkiScriptlet(object):
 __metaclass__ = abc.ABCMeta
diff --git a/base/deploy/src/scriptlets/security_databases.py b/base/deploy/src/scriptlets/security_databases.py
index f32b7e497..1a08fdccb 100644
--- a/base/deploy/src/scriptlets/security_databases.py
+++ b/base/deploy/src/scriptlets/security_databases.py
@@ -27,7 +27,7 @@ import pkimessages as log
 import pkiscriptlet
-# PKI Deployment Security Database Classes
+# PKI Deployment Security Databases Scriptlet
 class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 rv = 0
@@ -36,11 +36,15 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 extra=config.PKI_INDENTATION_LEVEL_1)
 if not config.pki_dry_run_flag:
 util.password.create_password_conf(
- master['pki_shared_password_conf'])
+ master['pki_shared_password_conf'],
+ master['pki_pin'])
 util.file.modify(master['pki_shared_password_conf'])
 util.certutil.create_security_databases(
 master['pki_database_path'],
- master['pki_shared_password_conf'])
+ master['pki_cert_database'],
+ master['pki_key_database'],
+ master['pki_secmod_database'],
+ password_file=master['pki_shared_password_conf'])
 util.file.modify(master['pki_cert_database'], perms=\
 config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)
 util.file.modify(master['pki_key_database'], perms=\
@@ -49,6 +53,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)
 rv = util.certutil.verify_certificate_exists(
 master['pki_database_path'],
+ master['pki_cert_database'],
+ master['pki_key_database'],
+ master['pki_secmod_database'],
 master['pki_self_signed_token'],
 master['pki_self_signed_nickname'],
 password_file=master['pki_shared_password_conf'])
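Review bot: In the `@@ -36,11 +36,15 @@` hunk `master['pki_pin']` is now written to disk by `util.password.create_password_conf(...)`, and only the following `util.file.modify(master['pki_shared_password_conf'])` call adjusts the file afterwards; if `modify` is what tightens ownership and permissions (its body is not visible here), the PIN sits on disk under the process umask for that window. Have create_password_conf open the file with a restrictive mode from the start, e.g. `os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), 'w')`, rather than relying on a later chmod. The same `create_password_conf` call in the `else:` branch of the `@@ -70,12 +80,19 @@` hunk is not followed by any `util.file.modify` call at all; if that branch can really create the file rather than only logging, it needs the same treatment. spawn() starts before and continues after these hunks.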
@@ -58,6 +65,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 master['pki_self_signed_noise_bytes'])
 util.certutil.generate_self_signed_certificate(
 master['pki_database_path'],
+ master['pki_cert_database'],
+ master['pki_key_database'],
+ master['pki_secmod_database'],
 master['pki_self_signed_token'],
 master['pki_self_signed_nickname'],
 master['pki_self_signed_subject'],
@@ -70,12 +80,19 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 util.file.delete(master['pki_self_signed_noise_file'])
 else:
 util.password.create_password_conf(
- master['pki_shared_password_conf'])
+ master['pki_shared_password_conf'],
+ master['pki_pin'])
 util.certutil.create_security_databases(
 master['pki_database_path'],
- master['pki_shared_password_conf'])
+ master['pki_cert_database'],
+ master['pki_key_database'],
+ master['pki_secmod_database'],
+ password_file=master['pki_shared_password_conf'])
 rv = util.certutil.verify_certificate_exists(
 master['pki_database_path'],
+ master['pki_cert_database'],
+ master['pki_key_database'],
+ master['pki_secmod_database'],
 master['pki_self_signed_token'],
 master['pki_self_signed_nickname'],
 password_file=master['pki_shared_password_conf'])
@@ -85,6 +102,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 master['pki_self_signed_noise_bytes'])
 util.certutil.generate_self_signed_certificate(
 master['pki_database_path'],
+ master['pki_cert_database'],
+ master['pki_key_database'],
+ master['pki_secmod_database'],
 master['pki_self_signed_token'],
 master['pki_self_signed_nickname'],
 master['pki_self_signed_subject'],
@@ -112,16 +132,28 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 config.pki_log.info(log.SECURITY_DATABASES_DESTROY_1, __name__,
 extra=config.PKI_INDENTATION_LEVEL_1)
 if not config.pki_dry_run_flag:
- if master['pki_subsystem'] in config.PKI_SUBSYSTEMS and\
- util.instance.pki_subsystem_instances() == 0:
+ if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
+ util.instance.apache_instances() == 0:
+ util.file.delete(master['pki_cert_database'])
+ util.file.delete(master['pki_key_database'])
+ util.file.delete(master['pki_secmod_database'])
+ util.file.delete(master['pki_shared_password_conf'])
+ elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
+ util.instance.tomcat_instances() == 0:
 util.file.delete(master['pki_cert_database'])
 util.file.delete(master['pki_key_database'])
 util.file.delete(master['pki_secmod_database'])
 util.file.delete(master['pki_shared_password_conf'])
 else:
 # ALWAYS display correct information (even during dry_run)
- if master['pki_subsystem'] in config.PKI_SUBSYSTEMS and\
- util.instance.pki_subsystem_instances() == 1:
+ if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\
+ util.instance.apache_instances() == 1:
+ util.file.delete(master['pki_cert_database'])
+ util.file.delete(master['pki_key_database'])
+ util.file.delete(master['pki_secmod_database'])
+ util.file.delete(master['pki_shared_password_conf'])
+ elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\
+ util.instance.tomcat_instances() == 1:
 util.file.delete(master['pki_cert_database'])
 util.file.delete(master['pki_key_database'])
 util.file.delete(master['pki_secmod_database'])
diff --git a/base/deploy/src/scriptlets/slot_substitution.py b/base/deploy/src/scriptlets/slot_substitution.py
index 0a52af9f0..2e2d94545 100644
--- a/base/deploy/src/scriptlets/slot_substitution.py
+++ b/base/deploy/src/scriptlets/slot_substitution.py
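Review bot: The split into Apache and Tomcat branches in destroy() duplicates the same four `util.file.delete(...)` lines four times (Apache/Tomcat, real run/dry run), so the next change to what "removing the shared database" means has to be made in four places. The only thing that differs between the two outer branches is the expected instance count (0 versus 1), so computing that once and using a single combined condition keeps one copy of the deletion body; the sketch below assumes the context line just after the hunk deletes `pki_shared_password_conf` as the other three branches do. destroy() continues past the end of the hunk.

```python
        if not config.pki_dry_run_flag:
            remaining = 0
        else:
            # ALWAYS display correct information (even during dry_run)
            remaining = 1
        if (master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and
                util.instance.apache_instances() == remaining) or\
           (master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and
                util.instance.tomcat_instances() == remaining):
            util.file.delete(master['pki_cert_database'])
            util.file.delete(master['pki_key_database'])
            util.file.delete(master['pki_secmod_database'])
            util.file.delete(master['pki_shared_password_conf'])
        # … unchanged: remainder of destroy() outside the hunk …
```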
@@ -28,7 +28,7 @@ import pkimessages as log
 import pkiscriptlet
-# PKI Deployment Instance Population Classes
+# PKI Deployment Slot Substitution Scriptlet
 class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 rv = 0
diff --git a/base/deploy/src/scriptlets/subsystem_layout.py b/base/deploy/src/scriptlets/subsystem_layout.py
index 7dc347167..4ea5e6f84 100644
--- a/base/deploy/src/scriptlets/subsystem_layout.py
+++ b/base/deploy/src/scriptlets/subsystem_layout.py
@@ -27,7 +27,7 @@ import pkimessages as log
 import pkiscriptlet
-# PKI Deployment Instance Population Classes
+# PKI Deployment Subsystem Layout Scriptlet
 class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 rv = 0
@@ -62,7 +62,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 util.symlink.create(master['pki_tomcat_webapps_path'],
 master['pki_subsystem_tomcat_webapps_link'])
 # establish instance-based subsystem convenience symbolic links
- util.symlink.create(master['pki_webserver_database_link'],
+ util.symlink.create(master['pki_instance_database_link'],
 master['pki_subsystem_database_link'])
 util.symlink.create(master['pki_subsystem_configuration_path'],
 master['pki_subsystem_conf_link'])
diff --git a/base/deploy/src/scriptlets/war_explosion.py b/base/deploy/src/scriptlets/war_explosion.py
index 1a89c9f7c..ca2ea601b 100644
--- a/base/deploy/src/scriptlets/war_explosion.py
+++ b/base/deploy/src/scriptlets/war_explosion.py
@@ -27,7 +27,7 @@ import pkimessages as log
 import pkiscriptlet
-# PKI Deployment Instance Population Classes
+# PKI Deployment War Explosion Scriptlet
 class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 rv = 0
diff --git a/base/deploy/src/scriptlets/webserver_layout.py b/base/deploy/src/scriptlets/webserver_layout.py
deleted file mode 100644
index ca24b7000..000000000
--- a/base/deploy/src/scriptlets/webserver_layout.py
+++ /dev/null
@@ -1,152 +0,0 @@ -#!/usr/bin/python -t -# Authors: -# Matthew Harmsen -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; version 2 of the License. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Copyright (C) 2012 Red Hat, Inc. -# All rights reserved. -# - -# PKI Deployment Imports -import pkiconfig as config -from pkiconfig import pki_master_dict as master -import pkihelper as util -import pkimessages as log -import pkiscriptlet - - -# PKI Deployment Instance Population Classes -class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - rv = 0 - - def spawn(self): - config.pki_log.info(log.WEBSERVER_SPAWN_1, __name__, - extra=config.PKI_INDENTATION_LEVEL_1) - # establish instance-based webserver base - util.directory.create(master['pki_webserver_path']) - # establish instance-based webserver logs - util.directory.create(master['pki_webserver_log_path']) - # establish instance-based webserver configuration - util.directory.create(master['pki_webserver_configuration_path']) - # establish instance-based webserver registry - util.directory.create(master['pki_webserver_registry_path']) - # establish instance-based Apache/Tomcat specific webserver - if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: - # establish instance-based Tomcat webserver base - util.directory.create(master['pki_tomcat_common_path']) - util.directory.create(master['pki_tomcat_common_lib_path']) - 
util.directory.create(master['pki_tomcat_webapps_path']) - util.directory.create(master['pki_tomcat_webapps_root_path']) - util.directory.create(master['pki_tomcat_webapps_root_webinf_path']) - util.file.copy(master['pki_source_webapps_root_web_xml'], - master['pki_tomcat_webapps_root_webinf_web_xml'], - overwrite_flag=True) - util.directory.create(master['pki_tomcat_webapps_webinf_path']) - util.directory.create(\ - master['pki_tomcat_webapps_webinf_classes_path']) - util.directory.create(master['pki_tomcat_webapps_webinf_lib_path']) - # establish instance-based Tomcat webserver logs - # establish instance-based Tomcat webserver configuration - # establish instance-based Tomcat webserver registry - # establish instance-based Tomcat webserver convenience - # symbolic links - util.symlink.create(master['pki_tomcat_bin_path'], - master['pki_tomcat_bin_link']) - util.symlink.create(master['pki_tomcat_lib_path'], - master['pki_tomcat_lib_link']) - util.symlink.create(master['pki_tomcat_systemd'], - master['pki_webserver_systemd_link']) - # establish instance-based webserver convenience symbolic links - util.symlink.create(master['pki_instance_database_link'], - master['pki_webserver_database_link']) - util.symlink.create(master['pki_webserver_configuration_path'], - master['pki_webserver_conf_link']) - util.symlink.create(master['pki_webserver_log_path'], - master['pki_webserver_logs_link']) - return self.rv - - def respawn(self): - config.pki_log.info(log.WEBSERVER_RESPAWN_1, __name__, - extra=config.PKI_INDENTATION_LEVEL_1) - # update instance-based webserver base - util.directory.modify(master['pki_webserver_path']) - # update instance-based webserver logs - util.directory.modify(master['pki_webserver_log_path']) - # update instance-based webserver configuration - util.directory.modify(master['pki_webserver_configuration_path']) - # update instance-based webserver registry - util.directory.modify(master['pki_webserver_registry_path']) - # update instance-based 
Apache/Tomcat specific webserver - if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: - # update instance-based Tomcat webserver base - util.directory.modify(master['pki_tomcat_common_path']) - util.directory.modify(master['pki_tomcat_common_lib_path']) - util.directory.modify(master['pki_tomcat_webapps_path']) - util.directory.modify(master['pki_tomcat_webapps_root_path']) - util.directory.modify(master['pki_tomcat_webapps_root_webinf_path']) - util.file.copy(master['pki_source_webapps_root_web_xml'], - master['pki_tomcat_webapps_root_webinf_web_xml'], - overwrite_flag=True) - util.directory.modify(master['pki_tomcat_webapps_webinf_path']) - util.directory.modify(\ - master['pki_tomcat_webapps_webinf_classes_path']) - util.directory.modify(master['pki_tomcat_webapps_webinf_lib_path']) - # update instance-based Tomcat webserver logs - # update instance-based Tomcat webserver configuration - # update instance-based Tomcat webserver registry - # update instance-based Tomcat webserver convenience symbolic links - util.symlink.modify(master['pki_tomcat_bin_link']) - util.symlink.modify(master['pki_tomcat_lib_link']) - # update instance-based webserver convenience symbolic links - util.symlink.modify(master['pki_webserver_database_link']) - util.symlink.modify(master['pki_webserver_conf_link']) - util.symlink.modify(master['pki_webserver_logs_link']) - return self.rv - - def destroy(self): - config.pki_log.info(log.WEBSERVER_DESTROY_1, __name__, - extra=config.PKI_INDENTATION_LEVEL_1) - if not config.pki_dry_run_flag: - if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ - util.instance.apache_instances() == 0: - # remove instance-based webserver base - util.directory.delete(master['pki_webserver_path']) - # remove instance-based webserver logs - # remove instance-based webserver configuration - # remove instance-based webserver registry - elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ - util.instance.tomcat_instances() == 0: - # 
remove instance-based webserver base - util.directory.delete(master['pki_webserver_path']) - # remove instance-based webserver logs - # remove instance-based webserver configuration - # remove instance-based webserver registry - else: - # ALWAYS display correct information (even during dry_run) - if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ - util.instance.apache_instances() == 1: - # remove instance-based webserver base - util.directory.delete(master['pki_webserver_path']) - # remove instance-based webserver logs - # remove instance-based webserver configuration - # remove instance-based webserver registry - elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ - util.instance.tomcat_instances() == 1: - # remove instance-based webserver base - util.directory.delete(master['pki_webserver_path']) - # remove instance-based webserver logs - # remove instance-based webserver configuration - # remove instance-based webserver registry - return self.rv -- cgit