From 391d345b5a6a1a905e3db4105a65dd4fdd0d19a9 Mon Sep 17 00:00:00 2001 
From: Matthew Harmsen Date: Fri, 4 May 2012 20:29:35 -0700 Subject: PKI Deployment Scriptlets * Re-aligned code to account for revised layout documented at http://pki.fedoraproject.org/wiki/PKI_Instance_Deployment * Massaged logic to comply with PKI subsystem running within a shared instance * Developed code to take advantage of a single shared NSS security database model * Completed the following two 'scriptlets': * Dogtag 10: Python 'slot_assignment.py' Installation Scriptlet (https://fedorahosted.org/pki/ticket/146) * Dogtag 10: Python 'security_databases.py' Installation Scriptlet (https://fedorahosted.org/pki/ticket/136) * Created several additional PKI deployment helper utilities. --- base/deploy/CMakeLists.txt | 27 +- base/deploy/config/pkideployment.cfg | 11 +- base/deploy/config/pkislots.cfg | 88 +++ base/deploy/src/pkidestroy | 25 +- base/deploy/src/pkispawn | 32 +- base/deploy/src/scriptlets/finalization.py | 2 + base/deploy/src/scriptlets/initialization.py | 9 + base/deploy/src/scriptlets/instance_layout.py | 72 ++- base/deploy/src/scriptlets/pkiconfig.py | 10 +- base/deploy/src/scriptlets/pkihelper.py | 711 +++++++++++++++++++-- base/deploy/src/scriptlets/pkimanifest.py | 6 + base/deploy/src/scriptlets/pkimessages.py | 47 +- base/deploy/src/scriptlets/pkiparser.py | 777 +++++++++++++++++++---- base/deploy/src/scriptlets/security_databases.py | 89 ++- base/deploy/src/scriptlets/slot_assignment.py | 52 -- base/deploy/src/scriptlets/slot_substitution.py | 120 ++++ base/deploy/src/scriptlets/subsystem_layout.py | 72 ++- base/deploy/src/scriptlets/war_explosion.py | 22 +- base/deploy/src/scriptlets/webserver_layout.py | 169 +++-- 19 files changed, 1948 insertions(+), 393 deletions(-) create mode 100644 base/deploy/config/pkislots.cfg delete mode 100644 base/deploy/src/scriptlets/slot_assignment.py create mode 100644 base/deploy/src/scriptlets/slot_substitution.py (limited to 'base/deploy') 
diff --git a/base/deploy/CMakeLists.txt b/base/deploy/CMakeLists.txt index 397c9a336..f1bdafec4 100644 --- a/base/deploy/CMakeLists.txt +++ b/base/deploy/CMakeLists.txt @@ -36,6 +36,7 @@ install( install( FILES config/pkideployment.cfg + config/pkislots.cfg DESTINATION ${DATA_INSTALL_DIR}/deployment/config PERMISSIONS @@ -67,7 +68,7 @@ install( src/scriptlets/pkiparser.py src/scriptlets/pkiscriptlet.py src/scriptlets/security_databases.py - src/scriptlets/slot_assignment.py + src/scriptlets/slot_substitution.py src/scriptlets/subsystem_layout.py src/scriptlets/war_explosion.py src/scriptlets/webserver_layout.py @@ -133,13 +134,13 @@ foreach(TOMCAT_SUBSYSTEM ${TOMCAT_SUBSYSTEMS}) ) install(CODE "execute_process(COMMAND ${CMAKE_COMMAND} -E create_symlink - \"${PYTHON_SITE_PACKAGES}/pki/deployment/security_databases.py\" - \"\$ENV{DESTDIR}${DATA_INSTALL_DIR}/deployment/spawn/${TOMCAT_SUBSYSTEM}/050_security_databases\")" + \"${PYTHON_SITE_PACKAGES}/pki/deployment/slot_substitution.py\" + \"\$ENV{DESTDIR}${DATA_INSTALL_DIR}/deployment/spawn/${TOMCAT_SUBSYSTEM}/050_slot_substitution\")" ) install(CODE "execute_process(COMMAND ${CMAKE_COMMAND} -E create_symlink - \"${PYTHON_SITE_PACKAGES}/pki/deployment/slot_assignment.py\" - \"\$ENV{DESTDIR}${DATA_INSTALL_DIR}/deployment/spawn/${TOMCAT_SUBSYSTEM}/060_slot_assignment\")" + \"${PYTHON_SITE_PACKAGES}/pki/deployment/security_databases.py\" + \"\$ENV{DESTDIR}${DATA_INSTALL_DIR}/deployment/spawn/${TOMCAT_SUBSYSTEM}/060_security_databases\")" ) install(CODE "execute_process(COMMAND ${CMAKE_COMMAND} -E create_symlink 
@@ -171,23 +172,23 @@ foreach(TOMCAT_SUBSYSTEM ${TOMCAT_SUBSYSTEMS}) ) # install(CODE "execute_process(COMMAND # ${CMAKE_COMMAND} -E create_symlink -# \"${PYTHON_SITE_PACKAGES}/pki/deployment/slot_assignment.py\" -# \"\$ENV{DESTDIR}${DATA_INSTALL_DIR}/deployment/destroy/${TOMCAT_SUBSYSTEM}/940_slot_assignment\")" +# \"${PYTHON_SITE_PACKAGES}/pki/deployment/slot_substitution.py\" +# \"\$ENV{DESTDIR}${DATA_INSTALL_DIR}/deployment/destroy/${TOMCAT_SUBSYSTEM}/940_slot_substitution\")" # ) install(CODE "execute_process(COMMAND ${CMAKE_COMMAND} -E create_symlink - \"${PYTHON_SITE_PACKAGES}/pki/deployment/security_databases.py\" - \"\$ENV{DESTDIR}${DATA_INSTALL_DIR}/deployment/destroy/${TOMCAT_SUBSYSTEM}/950_security_databases\")" + \"${PYTHON_SITE_PACKAGES}/pki/deployment/war_explosion.py\" + \"\$ENV{DESTDIR}${DATA_INSTALL_DIR}/deployment/destroy/${TOMCAT_SUBSYSTEM}/950_war_explosion\")" ) install(CODE "execute_process(COMMAND ${CMAKE_COMMAND} -E create_symlink - \"${PYTHON_SITE_PACKAGES}/pki/deployment/war_explosion.py\" - \"\$ENV{DESTDIR}${DATA_INSTALL_DIR}/deployment/destroy/${TOMCAT_SUBSYSTEM}/960_war_explosion\")" + \"${PYTHON_SITE_PACKAGES}/pki/deployment/subsystem_layout.py\" + \"\$ENV{DESTDIR}${DATA_INSTALL_DIR}/deployment/destroy/${TOMCAT_SUBSYSTEM}/960_subsystem_layout\")" ) install(CODE "execute_process(COMMAND ${CMAKE_COMMAND} -E create_symlink - \"${PYTHON_SITE_PACKAGES}/pki/deployment/subsystem_layout.py\" - \"\$ENV{DESTDIR}${DATA_INSTALL_DIR}/deployment/destroy/${TOMCAT_SUBSYSTEM}/970_subsystem_layout\")" + \"${PYTHON_SITE_PACKAGES}/pki/deployment/security_databases.py\" + \"\$ENV{DESTDIR}${DATA_INSTALL_DIR}/deployment/destroy/${TOMCAT_SUBSYSTEM}/970_security_databases\")" ) install(CODE "execute_process(COMMAND ${CMAKE_COMMAND} -E create_symlink diff --git a/base/deploy/config/pkideployment.cfg b/base/deploy/config/pkideployment.cfg index 954fa935d..1122daa9f 100644 --- a/base/deploy/config/pkideployment.cfg +++ b/base/deploy/config/pkideployment.cfg 
@@ -1,9 +1,9 @@ [Common] pki_source_root=/usr/share/pki pki_instance_root=/var/lib/pki -pki_instance_configuration_root=/etc/pki pki_instance_log_root=/var/log/pki -pki_instance_name=instance +pki_instance_configuration_root=/etc/pki +pki_instance_name=default pki_user=pkiuser pki_group=pkiuser pki_audit_group=pkiaudit @@ -14,23 +14,30 @@ pki_https_port=443 [Tomcat] pki_web_server=Tomcat pki_tomcat_root=/usr/share/tomcat +pki_tomcat_systemd=/usr/sbin/tomcat-sysd pki_http_port=8080 pki_https_port=8443 pki_ajp_port=8009 +pki_proxy_https_port=443 +pki_proxy_http_port=80 pki_security_manager=true [CA] pki_subsystem=CA pki_war_name=ca.war +tomcat_server_port=9701 [KRA] pki_subsystem=KRA pki_war_name=kra.war +tomcat_server_port=10701 [OCSP] pki_subsystem=OCSP pki_war_name=ocsp.war +tomcat_server_port=11701 [RA] pki_subsystem=RA [TKS] pki_subsystem=TKS pki_war_name=tks.war +tomcat_server_port=13701 [TPS] pki_subsystem=TPS diff --git a/base/deploy/config/pkislots.cfg b/base/deploy/config/pkislots.cfg new file mode 100644 index 000000000..b04b8efa0 --- /dev/null +++ b/base/deploy/config/pkislots.cfg 
@@ -0,0 +1,88 @@ +[Apache] +FORTITUDE_APACHE_SLOT=[FORTITUDE_APACHE] +FORTITUDE_AUTH_MODULES_SLOT=[FORTITUDE_AUTH_MODULES] +FORTITUDE_DIR_SLOT=[FORTITUDE_DIR] +FORTITUDE_LIB_DIR_SLOT=[FORTITUDE_LIB_DIR] +FORTITUDE_MODULE_SLOT=[FORTITUDE_MODULE] +FORTITUDE_NSS_MODULES_SLOT=[FORTITUDE_NSS_MODULES] +HTTPD_CONF_SLOT=[HTTPD_CONF] +LIB_PREFIX_SLOT=[LIB_PREFIX] +NON_CLIENTAUTH_SECURE_PORT_SLOT=[NON_CLIENTAUTH_SECURE_PORT] +NSS_CONF_SLOT=[NSS_CONF] +OBJ_EXT_SLOT=[OBJ_EXT] +PKI_INSTANCE_ID_SLOT=[PKI_INSTANCE_ID] +PKI_INSTANCE_INITSCRIPT_SLOT=[PKI_INSTANCE_INITSCRIPT] +PKI_LOCKDIR_SLOT=[PKI_LOCKDIR] +PKI_PIDDIR_SLOT=[PKI_PIDDIR] +PKI_REGISTRY_FILE_SLOT=[PKI_REGISTRY_FILE] +PORT_SLOT=[PORT] +PROCESS_ID_SLOT=[PROCESS_ID] +REQUIRE_CFG_PL_SLOT=[REQUIRE_CFG_PL] +SECURE_PORT_SLOT=[SECURE_PORT] +SECURITY_LIBRARIES_SLOT=[SECURITY_LIBRARIES] +SERVER_NAME_SLOT=[SERVER_NAME] +SERVER_ROOT_SLOT=[SERVER_ROOT] +SYSTEM_LIBRARIES_SLOT=[SYSTEM_LIBRARIES] +SYSTEM_USER_LIBRARIES_SLOT=[SYSTEM_USER_LIBRARIES] +TMP_DIR_SLOT=[TMP_DIR] +TPS_DIR_SLOT=[TPS_DIR] +[Tomcat] +INSTALL_TIME_SLOT=[INSTALL_TIME] +PKI_ADMIN_SECURE_PORT_SLOT=[PKI_ADMIN_SECURE_PORT] +PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME_SLOT=[PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME] +PKI_ADMIN_SECURE_PORT_SERVER_COMMENT_SLOT=[PKI_ADMIN_SECURE_PORT_SERVER_COMMENT] +PKI_AGENT_CLIENTAUTH_SLOT=[PKI_AGENT_CLIENTAUTH] +PKI_AGENT_SECURE_PORT_SLOT=[PKI_AGENT_SECURE_PORT] +PKI_AJP_PORT_SLOT=[PKI_AJP_PORT] +PKI_AJP_REDIRECT_PORT_SLOT=[PKI_AJP_REDIRECT_PORT] +PKI_CERT_DB_PASSWORD_SLOT=[PKI_CERT_DB_PASSWORD] +PKI_CFG_PATH_NAME_SLOT=[PKI_CFG_PATH_NAME] +PKI_CLOSE_AJP_PORT_COMMENT_SLOT=[PKI_CLOSE_AJP_PORT_COMMENT] +PKI_CLOSE_ENABLE_PROXY_COMMENT_SLOT=[PKI_CLOSE_ENABLE_PROXY_COMMENT] +PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT_SLOT=[PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT] +PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT_SLOT=[PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT] +PKI_EE_SECURE_CLIENT_AUTH_PORT_SLOT=[PKI_EE_SECURE_CLIENT_AUTH_PORT] 
+PKI_EE_SECURE_CLIENT_AUTH_PORT_CONNECTOR_NAME_SLOT=[PKI_EE_SECURE_CLIENT_AUTH_PORT_CONNECTOR_NAME] +PKI_EE_SECURE_CLIENT_AUTH_PORT_SERVER_COMMENT_SLOT=[PKI_EE_SECURE_CLIENT_AUTH_PORT_SERVER_COMMENT] +PKI_EE_SECURE_CLIENT_AUTH_PORT_UI_SLOT=[PKI_EE_SECURE_CLIENT_AUTH_PORT_UI] +PKI_EE_SECURE_PORT_SLOT=[PKI_EE_SECURE_PORT] +PKI_EE_SECURE_PORT_CONNECTOR_NAME_SLOT=[PKI_EE_SECURE_PORT_CONNECTOR_NAME] +PKI_EE_SECURE_PORT_SERVER_COMMENT_SLOT=[PKI_EE_SECURE_PORT_SERVER_COMMENT] +PKI_FLAVOR_SLOT=[PKI_FLAVOR] +PKI_GROUP_SLOT=[PKI_GROUP] +PKI_INSTANCE_ID_SLOT=[PKI_INSTANCE_ID] +PKI_INSTANCE_INITSCRIPT_SLOT=[PKI_INSTANCE_INITSCRIPT] +PKI_INSTANCE_PATH_SLOT=[PKI_INSTANCE_PATH] +PKI_INSTANCE_ROOT_SLOT=[PKI_INSTANCE_ROOT] +PKI_LOCKDIR_SLOT=[PKI_LOCKDIR] +PKI_MACHINE_NAME_SLOT=[PKI_MACHINE_NAME] +PKI_OPEN_AJP_PORT_COMMENT_SLOT=[PKI_OPEN_AJP_PORT_COMMENT] +PKI_OPEN_ENABLE_PROXY_COMMENT_SLOT=[PKI_OPEN_ENABLE_PROXY_COMMENT] +PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT_SLOT=[PKI_OPEN_SEPARATE_PORTS_SERVER_COMMENT] +PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT_SLOT=[PKI_OPEN_SEPARATE_PORTS_WEB_COMMENT] +PKI_PIDDIR_SLOT=[PKI_PIDDIR] +PKI_PROXY_SECURE_PORT_SLOT=[PKI_PROXY_SECURE_PORT] +PKI_PROXY_UNSECURE_PORT_SLOT=[PKI_PROXY_UNSECURE_PORT] +PKI_RANDOM_NUMBER_SLOT=[PKI_RANDOM_NUMBER] +PKI_REGISTRY_FILE_SLOT=[PKI_REGISTRY_FILE] +PKI_SECURE_PORT_SLOT=[PKI_SECURE_PORT] +PKI_SECURE_PORT_CONNECTOR_NAME_SLOT=[PKI_SECURE_PORT_CONNECTOR_NAME] +PKI_SECURE_PORT_SERVER_COMMENT_SLOT=[PKI_SECURE_PORT_SERVER_COMMENT] +PKI_SECURITY_MANAGER_SLOT=[PKI_SECURITY_MANAGER] +PKI_SERVER_XML_CONF_SLOT=[PKI_SERVER_XML_CONF] +PKI_SUBSYSTEM_TYPE_SLOT=[PKI_SUBSYSTEM_TYPE] +PKI_SYSTEMD_SERVICENAME_SLOT=[PKI_SYSTEMD_SERVICENAME] +PKI_UNSECURE_PORT_SLOT=[PKI_UNSECURE_PORT] +PKI_UNSECURE_PORT_CONNECTOR_NAME_SLOT=[PKI_UNSECURE_PORT_CONNECTOR_NAME] +PKI_UNSECURE_PORT_SERVER_COMMENT_SLOT=[PKI_UNSECURE_PORT_SERVER_COMMENT] +PKI_USER_SLOT=[PKI_USER] +PKI_WEBAPPS_NAME_SLOT=[PKI_WEBAPPS_NAME] +TOMCAT_CFG_SLOT=[TOMCAT_CFG] 
+TOMCAT_INSTANCE_COMMON_LIB_SLOT=[TOMCAT_INSTANCE_COMMON_LIB] +TOMCAT_LOG_DIR_SLOT=[TOMCAT_LOG_DIR] +TOMCAT_PIDFILE_SLOT=[TOMCAT_PIDFILE] +TOMCAT_SERVER_PORT_SLOT=[TOMCAT_SERVER_PORT] +TOMCAT_SSL2_CIPHERS_SLOT=[TOMCAT_SSL2_CIPHERS] +TOMCAT_SSL3_CIPHERS_SLOT=[TOMCAT_SSL3_CIPHERS] +TOMCAT_SSL_OPTIONS_SLOT=[TOMCAT_SSL_OPTIONS] +TOMCAT_TLS_CIPHERS_SLOT=[TOMCAT_TLS_CIPHERS] diff --git a/base/deploy/src/pkidestroy b/base/deploy/src/pkidestroy index 6d0afd2b0..c54ba9a78 100755 --- a/base/deploy/src/pkidestroy +++ b/base/deploy/src/pkidestroy @@ -30,6 +30,10 @@ try: import logging import os import pprint + import random + import socket + import string + import time from time import strftime as date from pki.deployment import pkiconfig as config from pki.deployment import pkiparser as parse @@ -56,8 +60,27 @@ def main(argv): # Set the umask os.umask(config.PKI_DEPLOYMENT_DEFAULT_UMASK) + # Set installation time + ticks = time.time() + config.pki_install_time = time.asctime(time.localtime(ticks)) + # Generate a timestamp - config.pki_timestamp = date('%Y%m%d%H%M%S') + config.pki_timestamp = date('%Y%m%d%H%M%S', time.localtime(ticks)) + config.pki_certificate_timestamp =\ + date('%Y-%m-%d %H:%M:%S', time.localtime(ticks)) + + # Retrieve hostname + config.pki_hostname = socket.gethostname() + + # Generate a random 'pin' for use as the security database password + pin_low = 100000000000 + pin_high = 999999999999 + config.pki_pin = random.randint(pin_low, pin_high) + + # Generate a one-time pin to be used prior to configuration + config.pki_one_time_pin =\ + ''.join(random.choice(string.ascii_letters + string.digits)\ + for x in range(20)) # Initialize 'pretty print' for objects pp = pprint.PrettyPrinter(indent=4) diff --git a/base/deploy/src/pkispawn b/base/deploy/src/pkispawn index 2ac21a60a..c537b8e4d 100755 --- a/base/deploy/src/pkispawn +++ b/base/deploy/src/pkispawn 
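Review bot: `random.randint` and `random.choice` draw from the module-level Mersenne Twister, which is deterministic and not designed for secrets, yet here they produce `config.pki_pin` (the security-database password) and `config.pki_one_time_pin`; draw them from the OS entropy source instead, e.g. `rng = random.SystemRandom()` followed by `config.pki_pin = rng.randint(pin_low, pin_high)` and `''.join(rng.choice(string.ascii_letters + string.digits) for x in range(20))`. The identical block is added to pkispawn in the next file and should change there too. A 12-digit numeric pin also carries roughly 40 bits of entropy, far less than the 20-character alphanumeric one-time pin, so if the database password persists beyond installation a longer alphanumeric value is preferable. For pkidestroy in particular, a freshly generated pin cannot correspond to the password of the existing database it is about to remove, so it is worth confirming whether this block is needed here at all; main continues outside the hunk.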
@@ -30,6 +30,10 @@ try: import logging import os import pprint + import random + import socket + import string + import time from time import strftime as date from pki.deployment import pkiconfig as config from pki.deployment import pkiparser as parse @@ -56,8 +60,27 @@ def main(argv): # Set the umask os.umask(config.PKI_DEPLOYMENT_DEFAULT_UMASK) + # Set installation time + ticks = time.time() + config.pki_install_time = time.asctime(time.localtime(ticks)) + # Generate a timestamp - config.pki_timestamp = date('%Y%m%d%H%M%S') + config.pki_timestamp = date('%Y%m%d%H%M%S', time.localtime(ticks)) + config.pki_certificate_timestamp =\ + date('%Y-%m-%d %H:%M:%S', time.localtime(ticks)) + + # Retrieve hostname + config.pki_hostname = socket.gethostname() + + # Generate a random 'pin' for use as the security database password + pin_low = 100000000000 + pin_high = 999999999999 + config.pki_pin = random.randint(pin_low, pin_high) + + # Generate a one-time pin to be used prior to configuration + config.pki_one_time_pin =\ + ''.join(random.choice(string.ascii_letters + string.digits)\ + for x in range(20)) # Initialize 'pretty print' for objects pp = pprint.PrettyPrinter(indent=4) @@ -151,6 +174,13 @@ def main(argv): config.pki_log.debug(pp.pformat(config.pki_subsystem_dict), extra=config.PKI_INDENTATION_LEVEL_0) + # Read in the PKI slots configuration file. + parse.compose_pki_slots_dictionary() + config.pki_log.debug(log.PKI_DICTIONARY_SLOTS, + extra=config.PKI_INDENTATION_LEVEL_0) + config.pki_log.debug(pp.pformat(config.pki_slots_dict), + extra=config.PKI_INDENTATION_LEVEL_0) + # Combine the various sectional dictionaries into a PKI master dictionary parse.compose_pki_master_dictionary() if not config.pki_update_flag: diff --git a/base/deploy/src/scriptlets/finalization.py b/base/deploy/src/scriptlets/finalization.py index 60073262d..9a3c23cb5 100644 --- a/base/deploy/src/scriptlets/finalization.py +++ b/base/deploy/src/scriptlets/finalization.py 
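Review bot: The new `parse.compose_pki_slots_dictionary()` call is followed by a debug dump of `config.pki_slots_dict`, which is harmless because pkislots.cfg holds only placeholder names, but `pki_pin` and `pki_one_time_pin` are now process globals and the master dictionary composed right after this insert is presumably dumped the same way (outside the hunk); if the parser, not in view, copies them into `pki_master_dict` for slot substitution as the `PKI_CERT_DB_PASSWORD_SLOT` entry suggests, the database password ends up in the deployment log. Consider masking those keys before any `pp.pformat` of the master dictionary, or confirm they never enter it. The random-number concern for the pin block in the `@@ -56` hunk is the same one raised on pkidestroy. main continues outside the hunk.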
@@ -44,6 +44,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): filename = master['pki_root_prefix'] +\ config.PKI_DEPLOYMENT_REGISTRY_ROOT + "/" +\ master['pki_instance_name'] + "/" +\ + master['pki_web_server'].lower() + "/" +\ master['pki_subsystem'].lower() +"/" +\ "spawn" + "_" + "manifest" + "." +\ master['pki_timestamp'] + "." + "csv" @@ -77,6 +78,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): filename = master['pki_root_prefix'] +\ config.PKI_DEPLOYMENT_REGISTRY_ROOT + "/" +\ master['pki_instance_name'] + "/" +\ + master['pki_web_server'].lower() + "/" +\ master['pki_subsystem'].lower() +"/" +\ "respawn" + "_" + "manifest" + "." +\ master['pki_timestamp'] + "." + "csv" diff --git a/base/deploy/src/scriptlets/initialization.py b/base/deploy/src/scriptlets/initialization.py index 67c93254d..408ddfb59 100644 --- a/base/deploy/src/scriptlets/initialization.py +++ b/base/deploy/src/scriptlets/initialization.py @@ -38,6 +38,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): extra=config.PKI_INDENTATION_LEVEL_0) config.pki_log.info(log.INITIALIZATION_SPAWN_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) + # verify that this type of "subsystem" does NOT yet + # exist for this "instance" + util.instance.verify_subsystem_does_not_exist() # establish 'uid' and 'gid' util.identity.set_uid(master['pki_user']) util.identity.set_gid(master['pki_group']) @@ -50,6 +53,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): extra=config.PKI_INDENTATION_LEVEL_0) config.pki_log.info(log.INITIALIZATION_RESPAWN_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) + # verify that this type of "subsystem" currently EXISTS + # for this "instance" + util.instance.verify_subsystem_exists() # establish 'uid' and 'gid' util.identity.set_uid(master['pki_user']) util.identity.set_gid(master['pki_group']) 
@@ -62,6 +68,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): extra=config.PKI_INDENTATION_LEVEL_0) config.pki_log.info(log.INITIALIZATION_DESTROY_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) + # verify that this type of "subsystem" currently EXISTS + # for this "instance" + util.instance.verify_subsystem_exists() # establish 'uid' and 'gid' util.identity.set_uid(master['pki_user']) util.identity.set_gid(master['pki_group']) diff --git a/base/deploy/src/scriptlets/instance_layout.py b/base/deploy/src/scriptlets/instance_layout.py index 38234f4cc..baa261cad 100644 --- a/base/deploy/src/scriptlets/instance_layout.py +++ b/base/deploy/src/scriptlets/instance_layout.py @@ -48,6 +48,11 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): # establish instance registry util.directory.create(master['pki_registry_path']) util.directory.create(master['pki_instance_registry_path']) + # establish shared NSS security databases + util.directory.create(master['pki_database_path']) + # establish convenience symbolic links + util.symlink.create(master['pki_database_path'], + master['pki_instance_database_link']) return self.rv def respawn(self): 
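Review bot: `util.directory.create(master['pki_database_path'])` creates the shared NSS security database directory with whatever mode `directory.create` defaults to (presumably `PKI_DEPLOYMENT_DEFAULT_DIR_PERMISSIONS`, 00770), even though this commit introduces `PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS` for the database files themselves. If `create` accepts a permission argument (its signature is outside this hunk), pass the intended mode explicitly so the mode of the directory holding the key databases is a deliberate choice rather than an inherited default, and note the intent with a comment such as `# shared by every subsystem of this instance; file modes are set in security_databases.py`.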
@@ -67,31 +72,56 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): # update instance registry util.directory.modify(master['pki_registry_path']) util.directory.modify(master['pki_instance_registry_path']) + # update shared NSS security databases + util.directory.modify(master['pki_database_path']) + # update convenience symbolic links + util.symlink.modify(master['pki_instance_database_link']) return self.rv def destroy(self): config.pki_log.info(log.INSTANCE_DESTROY_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) # remove instance base - if util.directory.is_empty(master['pki_instance_path']): - util.directory.delete(master['pki_instance_path']) - if util.directory.is_empty(master['pki_path']): - util.directory.delete(master['pki_path']) - # remove instance logs - if util.directory.is_empty(master['pki_instance_log_path']): - util.directory.delete(master['pki_instance_log_path']) - if util.directory.is_empty(master['pki_log_path']): - util.directory.delete(master['pki_log_path']) - # remove instance configuration - if util.directory.is_empty(master['pki_instance_configuration_path']): - util.directory.delete(master['pki_instance_configuration_path']) - if util.directory.is_empty(master['pki_configuration_path']) and\ - master['pki_configuration_path'] !=\ - config.PKI_SHARED_CONFIGURATION_ROOT: - util.directory.delete(master['pki_configuration_path']) - # remove instance registry - if util.directory.is_empty(master['pki_instance_registry_path']): - util.directory.delete(master['pki_instance_registry_path']) - if util.directory.is_empty(master['pki_registry_path']): - util.directory.delete(master['pki_registry_path']) + if not config.pki_dry_run_flag: + if master['pki_subsystem'] in config.PKI_SUBSYSTEMS and\ + util.instance.pki_subsystem_instances() == 0: + # remove instance base + util.directory.delete(master['pki_instance_path']) + util.directory.delete(master['pki_path']) + # remove instance logs + 
util.directory.delete(master['pki_instance_log_path']) + util.directory.delete(master['pki_log_path']) + # remove shared NSS security database path + util.directory.delete(master['pki_database_path']) + # remove instance configuration + util.directory.delete(master['pki_instance_configuration_path']) + if util.directory.is_empty(master['pki_configuration_path'])\ + and master['pki_configuration_path'] !=\ + config.PKI_SHARED_CONFIGURATION_ROOT: + util.directory.delete(master['pki_configuration_path']) + # remove instance registry + util.directory.delete(master['pki_instance_registry_path']) + util.directory.delete(master['pki_registry_path']) + util.file.delete(master['pki_target_tomcat_conf']) + + else: + # ALWAYS display correct information (even during dry_run) + if master['pki_subsystem'] in config.PKI_SUBSYSTEMS and\ + util.instance.pki_subsystem_instances() == 1: + # remove instance base + util.directory.delete(master['pki_instance_path']) + util.directory.delete(master['pki_path']) + # remove instance logs + util.directory.delete(master['pki_instance_log_path']) + util.directory.delete(master['pki_log_path']) + # remove shared NSS security database path + util.directory.delete(master['pki_database_path']) + if util.directory.is_empty(master['pki_configuration_path'])\ + and master['pki_configuration_path'] !=\ + config.PKI_SHARED_CONFIGURATION_ROOT: + util.directory.delete(master['pki_configuration_path']) + # remove instance registry + util.directory.delete(master['pki_instance_registry_path']) + util.directory.delete(master['pki_registry_path']) + util.file.delete(master['pki_target_tomcat_conf']) return self.rv diff --git a/base/deploy/src/scriptlets/pkiconfig.py b/base/deploy/src/scriptlets/pkiconfig.py index 505bfc039..31b05312c 100644 --- a/base/deploy/src/scriptlets/pkiconfig.py +++ b/base/deploy/src/scriptlets/pkiconfig.py 
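Review bot: The real-run branch now calls `util.directory.delete` on `master['pki_path']`, `master['pki_log_path']` and `master['pki_registry_path']` without the `is_empty` guards the old code had, while `pki_subsystem_instances()` only counts subsystems inside this instance; when a second instance lives under the same roots, the last subsystem of one instance will attempt to remove roots still in use (destructively if `directory.delete` is recursive, noisily otherwise — its implementation is not in view). The dry-run branch also drifts from the real branch: it omits `util.directory.delete(master['pki_instance_configuration_path'])`, so a dry run under-reports what destroy will do. The two branches differ only in the instance-count threshold, so collapsing them removes the drift; the rewrite below keeps the `is_empty` guards for shared parents and bypasses them only in dry-run, where nothing has actually been removed yet.
```python
    def destroy(self):
        config.pki_log.info(log.INSTANCE_DESTROY_1, __name__,
                            extra=config.PKI_INDENTATION_LEVEL_1)
        # During a dry run the current subsystem directory has not really
        # been removed, so it is still counted; in a real run it is gone.
        if config.pki_dry_run_flag:
            remaining = 1
        else:
            remaining = 0
        if master['pki_subsystem'] in config.PKI_SUBSYSTEMS and\
           util.instance.pki_subsystem_instances() == remaining:
            # remove instance base
            util.directory.delete(master['pki_instance_path'])
            if config.pki_dry_run_flag or\
               util.directory.is_empty(master['pki_path']):
                util.directory.delete(master['pki_path'])
            # remove instance logs
            util.directory.delete(master['pki_instance_log_path'])
            if config.pki_dry_run_flag or\
               util.directory.is_empty(master['pki_log_path']):
                util.directory.delete(master['pki_log_path'])
            # remove shared NSS security database path
            util.directory.delete(master['pki_database_path'])
            # remove instance configuration
            util.directory.delete(master['pki_instance_configuration_path'])
            if util.directory.is_empty(master['pki_configuration_path'])\
               and master['pki_configuration_path'] !=\
               config.PKI_SHARED_CONFIGURATION_ROOT:
                util.directory.delete(master['pki_configuration_path'])
            # remove instance registry
            util.directory.delete(master['pki_instance_registry_path'])
            if config.pki_dry_run_flag or\
               util.directory.is_empty(master['pki_registry_path']):
                util.directory.delete(master['pki_registry_path'])
            util.file.delete(master['pki_target_tomcat_conf'])
        return self.rv
```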
@@ -27,6 +27,7 @@ import logging PKI_DEPLOYMENT_DEFAULT_DIR_PERMISSIONS = 00770 PKI_DEPLOYMENT_DEFAULT_EXE_PERMISSIONS = 00770 PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS = 00660 +PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS = 00600 PKI_DEPLOYMENT_DEFAULT_SGID_DIR_PERMISSIONS = 02770 PKI_DEPLOYMENT_DEFAULT_SYMLINK_PERMISSIONS = 00777 PKI_DEPLOYMENT_DEFAULT_UMASK = 00002 @@ -52,15 +53,21 @@ PKI_INDENTATION_LEVEL_4 = {'indent' : '............... '} # in the configuration file (the value in the default configuration file # should always match the 'default' instance name specified below). PKI_DEPLOYMENT_REGISTRY_ROOT = "/etc/sysconfig/pki" -PKI_DEPLOYMENT_DEFAULT_INSTANCE_NAME = "instance" +PKI_DEPLOYMENT_DEFAULT_INSTANCE_NAME = "default" PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE = "pkideployment.cfg" +PKI_DEPLOYMENT_SLOTS_CONFIGURATION_FILE =\ + "/usr/share/pki/deployment/config/pkislots.cfg" # NOTE: Top-level "/etc/pki" is owned by the "filesystem" package! PKI_SHARED_CONFIGURATION_ROOT = "/etc/pki" # PKI Deployment Global Variables +pki_install_time = None pki_timestamp = None +pki_hostname = None +pki_pin = None +pki_one_time_pin = None # PKI Deployment "Mandatory" Command-Line Variables @@ -92,3 +99,4 @@ pki_common_dict = None pki_web_server_dict = None pki_subsystem_dict = None pki_master_dict = None +pki_slots_dict = None diff --git a/base/deploy/src/scriptlets/pkihelper.py b/base/deploy/src/scriptlets/pkihelper.py index 95b5bf0a7..b04af2db0 100644 --- a/base/deploy/src/scriptlets/pkihelper.py +++ b/base/deploy/src/scriptlets/pkihelper.py @@ -1,4 +1,5 @@ #!/usr/bin/python -t + # Authors: # Matthew Harmsen # @@ -23,7 +24,11 @@ import errno import sys import os +import fileinput +import random import shutil +import string +import subprocess from grp import getgrnam from pwd import getpwnam import zipfile 
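Review bot: `PKI_DEPLOYMENT_SLOTS_CONFIGURATION_FILE` hardcodes `/usr/share/pki/...` while `PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE` is a bare filename resolved elsewhere and pkideployment.cfg already exposes `pki_source_root=/usr/share/pki`; deriving the slots path from that root (or keeping just the filename here) avoids two sources of truth for the install prefix. The new `pki_pin` and `pki_one_time_pin` module globals hold secrets for the life of the process; a comment next to them such as `# secret: never include in log output` would warn future code that dumps `config` state for debugging.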
@@ -32,11 +37,12 @@ import zipfile # PKI Deployment Imports import pkiconfig as config from pkiconfig import pki_master_dict as master +from pkiconfig import pki_slots_dict as slots import pkimanifest as manifest import pkimessages as log -# PKI Deployment Functions +# PKI Deployment Helper Functions def pki_copytree(src, dst, symlinks=False, ignore=None): """Recursively copy a directory tree using copy2(). @@ -165,27 +171,30 @@ class identity: # PKI Deployment Instance Class class instance: - def apache_instances(self, name): + def apache_instances(self): rv = 0 try: - if not os.path.exists(name) or not os.path.isdir(name): + if not os.path.exists(master['pki_webserver_path']) or\ + not os.path.isdir(master['pki_webserver_path']): config.pki_log.error( - log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, name, + log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, + master['pki_webserver_path'], extra=config.PKI_INDENTATION_LEVEL_2) sys.exit(1) # count number of PKI subsystems present # within the specfied Apache instance for subsystem in config.PKI_APACHE_SUBSYSTEMS: - path = name + "/" + subsystem.lower() + path = master['pki_webserver_path'] + "/" + subsystem.lower() if os.path.exists(path) and os.path.isdir(path): rv = rv + 1 # always display correct information (even during dry_run) if config.pki_dry_run_flag and rv > 0: config.pki_log.debug(log.PKIHELPER_APACHE_INSTANCES_2, - name, rv - 1, + master['pki_webserver_path'], rv - 1, extra=config.PKI_INDENTATION_LEVEL_2) else: - config.pki_log.debug(log.PKIHELPER_APACHE_INSTANCES_2, name, + config.pki_log.debug(log.PKIHELPER_APACHE_INSTANCES_2, + master['pki_webserver_path'], rv, extra=config.PKI_INDENTATION_LEVEL_2) except OSError as exc: config.pki_log.error(log.PKI_OSERROR_1, exc, 
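Review bot: `from pkiconfig import pki_slots_dict as slots` binds `slots` to the value `pki_slots_dict` has when pkihelper is first imported, which per the pkiconfig hunk above is `None`; this only works if `compose_pki_slots_dictionary()` (not in view) mutates that object in place rather than rebinding `config.pki_slots_dict`, or if pkihelper is imported after it runs. The existing `master` import follows the same pattern so presumably the parser handles it, but it deserves a comment at the import: `# NOTE: bound at import time; pkiparser must populate this object in place`. Dropping the `name` parameter from `apache_instances` changes its public signature, so any caller outside this diff needs updating (instance_layout already calls `pki_subsystem_instances()` without an argument).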
@@ -193,28 +202,38 @@ class instance: sys.exit(1) return rv - def pki_subsystem_instances(self, name): + def pki_subsystem_instances(self): rv = 0 try: - if not os.path.exists(name) or not os.path.isdir(name): + if not os.path.exists(master['pki_instance_path']) or\ + not os.path.isdir(master['pki_instance_path']): config.pki_log.error( - log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, name, + log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, + master['pki_instance_path'], extra=config.PKI_INDENTATION_LEVEL_2) sys.exit(1) - # count total number of PKI subsystems present + # count total number of Apache PKI subsystems present # within the specfied PKI instance - for subsystem in config.PKI_SUBSYSTEMS: - path = name + "/" + subsystem.lower() - if os.path.exists(path) and os.path.isdir(path): + for apache_subsystem in config.PKI_APACHE_SUBSYSTEMS: + apache_path = master['pki_instance_path'] + "/" + "apache" +\ + "/" + apache_subsystem.lower() + if os.path.exists(apache_path) and os.path.isdir(apache_path): + rv = rv + 1 + # count total number of Tomcat PKI subsystems present + # within the specfied PKI instance + for tomcat_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: + tomcat_path = master['pki_instance_path'] + "/" + "tomcat" +\ + "/" + tomcat_subsystem.lower() + if os.path.exists(tomcat_path) and os.path.isdir(tomcat_path): rv = rv + 1 # always display correct information (even during dry_run) if config.pki_dry_run_flag and rv > 0: config.pki_log.debug(log.PKIHELPER_PKI_SUBSYSTEM_INSTANCES_2, - name, rv - 1, + master['pki_instance_path'], rv - 1, extra=config.PKI_INDENTATION_LEVEL_2) else: config.pki_log.debug(log.PKIHELPER_PKI_SUBSYSTEM_INSTANCES_2, - name, rv, + master['pki_instance_path'], rv, extra=config.PKI_INDENTATION_LEVEL_2) except OSError as exc: config.pki_log.error(log.PKI_OSERROR_1, exc, 
@@ -222,27 +241,30 @@ class instance: sys.exit(1) return rv - def tomcat_instances(self, name): + def tomcat_instances(self): rv = 0 try: - if not os.path.exists(name) or not os.path.isdir(name): + if not os.path.exists(master['pki_webserver_path']) or\ + not os.path.isdir(master['pki_webserver_path']): config.pki_log.error( - log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, name, + log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, + master['pki_webserver_path'], extra=config.PKI_INDENTATION_LEVEL_2) sys.exit(1) # count number of PKI subsystems present # within the specfied Tomcat instance for subsystem in config.PKI_TOMCAT_SUBSYSTEMS: - path = name + "/" + subsystem.lower() + path = master['pki_webserver_path'] + "/" + subsystem.lower() if os.path.exists(path) and os.path.isdir(path): rv = rv + 1 # always display correct information (even during dry_run) if config.pki_dry_run_flag and rv > 0: config.pki_log.debug(log.PKIHELPER_TOMCAT_INSTANCES_2, - name, rv - 1, + master['pki_webserver_path'], rv - 1, extra=config.PKI_INDENTATION_LEVEL_2) else: - config.pki_log.debug(log.PKIHELPER_TOMCAT_INSTANCES_2, name, + config.pki_log.debug(log.PKIHELPER_TOMCAT_INSTANCES_2, + master['pki_webserver_path'], rv, extra=config.PKI_INDENTATION_LEVEL_2) except OSError as exc: config.pki_log.error(log.PKI_OSERROR_1, exc, 
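Review bot: `tomcat_instances` is now identical to `apache_instances` (the `@@ -165` hunk) apart from the subsystem list and message id, and `pki_subsystem_instances` (the `@@ -193` hunk) repeats the same exists/isdir loop twice for the apache and tomcat subtrees; a private helper such as `def _count_subsystems(self, root, subsystems)` returning the count would leave three short wrappers and a single place to maintain the `rv - 1` dry-run adjustment. Paths are built with `root + "/" + subsystem.lower()`; `os.path.join` is already available through the existing `os` import.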
@@ -250,6 +272,32 @@ class instance: sys.exit(1) return rv + def verify_subsystem_exists(self): + try: + if not os.path.exists(master['pki_subsystem_path']): + config.pki_log.error(log.PKI_SUBSYSTEM_DOES_NOT_EXIST_2, + master['pki_subsystem'], + master['pki_instance_name'], + extra=config.PKI_INDENTATION_LEVEL_1) + sys.exit(1) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + + def verify_subsystem_does_not_exist(self): + try: + if os.path.exists(master['pki_subsystem_path']): + config.pki_log.error(log.PKI_SUBSYSTEM_ALREADY_EXISTS_2, + master['pki_subsystem'], + master['pki_instance_name'], + extra=config.PKI_INDENTATION_LEVEL_1) + sys.exit(1) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # PKI Deployment Directory Class class directory: @@ -295,11 +343,6 @@ class directory: extra=config.PKI_INDENTATION_LEVEL_2) if critical_failure == True: sys.exit(1) - else: - config.pki_log.error(log.PKI_DIRECTORY_ALREADY_EXISTS_1, name, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) except OSError as exc: if exc.errno == errno.EEXIST: pass @@ -397,13 +440,13 @@ class directory: def is_empty(self, name): try: if not os.listdir(name): - config.pki_log.debug(log.PKIHELPER_DIRECTORY_IS_NOT_EMPTY_1, - name, extra=config.PKI_INDENTATION_LEVEL_2) - return False - else: config.pki_log.debug(log.PKIHELPER_DIRECTORY_IS_EMPTY_1, name, extra=config.PKI_INDENTATION_LEVEL_2) return True + else: + config.pki_log.debug(log.PKIHELPER_DIRECTORY_IS_NOT_EMPTY_1, + name, extra=config.PKI_INDENTATION_LEVEL_2) + return False except OSError as exc: config.pki_log.error(log.PKI_OSERROR_1, exc, extra=config.PKI_INDENTATION_LEVEL_2) 
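Review bot: `verify_subsystem_exists` accepts any filesystem object at `master['pki_subsystem_path']`, whereas `pki_subsystem_instances` above only counts entries that pass `os.path.isdir`; a stray file at that path lets initialization proceed while the instance count disagrees. Use `os.path.isdir` in both verify methods for consistency. The `except OSError` handlers in both methods are unreachable, because `os.path.exists` catches the error internally and returns False; either drop them or switch to `os.stat` if the intent is to surface permission errors on the instance path.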
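Review bot: Removing the `PKI_DIRECTORY_ALREADY_EXISTS_1` branch makes `directory.create` silently adopt a pre-existing path, and this commit now routes the shared NSS database directory (`pki_database_path`) through it; whether the remaining code still applies `chmod`/`chown` to an adopted directory is not visible in this hunk. If it does not, a pre-existing directory with a wider mode or a different owner would end up holding the key databases unchanged. Suggest at least a debug log in the already-exists case, e.g. `config.pki_log.debug(log.PKI_DIRECTORY_ALREADY_EXISTS_1, name, extra=config.PKI_INDENTATION_LEVEL_2)`, so the log still records that the directory was adopted rather than created. The same branch is removed from `file.create` in the `@@ -673` hunk.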
@@ -561,12 +604,7 @@ class directory: dir_acls=None, file_acls=None, symlink_acls=None, recursive_flag=True, overwrite_flag=False, critical_failure=True): try: - if not os.path.exists(old_name) or not os.path.isdir(old_name): - config.pki_log.error( - log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, old_name, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - elif config.pki_dry_run_flag: + if config.pki_dry_run_flag: if recursive_flag == True: # cp -rp config.pki_log.info(log.PKIHELPER_CP_RP_2, @@ -580,6 +618,11 @@ class directory: config.pki_log.info( log.PKIHELPER_SET_MODE_1, new_name, extra=config.PKI_INDENTATION_LEVEL_2) + elif not os.path.exists(old_name) or not os.path.isdir(old_name): + config.pki_log.error( + log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, old_name, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) else: if os.path.exists(new_name): if not overwrite_flag: @@ -673,11 +716,6 @@ class file: extra=config.PKI_INDENTATION_LEVEL_2) if critical_failure == True: sys.exit(1) - else: - config.pki_log.error(log.PKI_FILE_ALREADY_EXISTS_1, name, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) except OSError as exc: if exc.errno == errno.EEXIST: pass 
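Review bot: Moving the `config.pki_dry_run_flag` test ahead of the `old_name` existence check means a dry run no longer reports a missing or non-directory source, so the first real run can fail where the dry run succeeded; the same reordering is applied to `file.copy` in the following hunk. Keeping the dry run non-fatal is reasonable, but log the condition inside the dry-run branch, e.g. `if not os.path.isdir(old_name): config.pki_log.warning(log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, old_name, extra=config.PKI_INDENTATION_LEVEL_2)`, so the dry run remains a faithful preview. directory.copy's body continues past this hunk.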
@@ -769,16 +807,174 @@ class file: perms=config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS, acls=None, overwrite_flag=False, critical_failure=True): try: - if not os.path.exists(old_name) or not os.path.isfile(old_name): + if config.pki_dry_run_flag: + # cp -p + config.pki_log.info(log.PKIHELPER_CP_P_2, + old_name, new_name, + extra=config.PKI_INDENTATION_LEVEL_2) + # chmod + config.pki_log.debug(log.PKIHELPER_CHMOD_2, + perms, new_name, + extra=config.PKI_INDENTATION_LEVEL_3) + # chown : + config.pki_log.debug(log.PKIHELPER_CHOWN_3, + uid, gid, new_name, + extra=config.PKI_INDENTATION_LEVEL_3) + elif not os.path.exists(old_name) or not os.path.isfile(old_name): config.pki_log.error( log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, old_name, extra=config.PKI_INDENTATION_LEVEL_2) sys.exit(1) - elif config.pki_dry_run_flag: + else: + if os.path.exists(new_name): + if not overwrite_flag: + config.pki_log.error( + log.PKI_FILE_ALREADY_EXISTS_1, new_name, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) # cp -p config.pki_log.info(log.PKIHELPER_CP_P_2, old_name, new_name, extra=config.PKI_INDENTATION_LEVEL_2) + shutil.copy2(old_name, new_name) + if uid == None: + uid = identity.get_uid() + if gid == None: + gid = identity.get_gid() + # chmod + config.pki_log.debug(log.PKIHELPER_CHMOD_2, + perms, new_name, + extra=config.PKI_INDENTATION_LEVEL_3) + os.chmod(new_name, perms) + # chown : + config.pki_log.debug(log.PKIHELPER_CHOWN_3, + uid, gid, new_name, + extra=config.PKI_INDENTATION_LEVEL_3) + os.chown(new_name, uid, gid) + # Store record in installation manifest + record = manifest.record() + record.name = new_name + record.type = manifest.RECORD_TYPE_FILE + record.user = master['pki_user'] + record.group = master['pki_group'] + record.uid = uid + record.gid = gid + record.permissions = perms + record.acls = acls + manifest.database.append(record) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure 
== True: + sys.exit(1) + except shutil.Error as exc: + config.pki_log.error(log.PKI_SHUTIL_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + def apply_slot_substitution( + self, name, uid=None, gid=None, + perms=config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS, + acls=None, critical_failure=True): + try: + if config.pki_dry_run_flag: + # applying in-place slot substitutions on + config.pki_log.info(log.PKIHELPER_APPLY_SLOT_SUBSTITUTION_1, + name, + extra=config.PKI_INDENTATION_LEVEL_2) + # NOTE: During dry_run, this file may not exist! + if os.path.exists(name) and os.path.isfile(name): + for line in fileinput.FileInput(name, inplace=1): + for slot in slots: + if slot != '__name__' and slots[slot] in line: + config.pki_log.debug( + log.PKIHELPER_SLOT_SUBSTITUTION_2, + slots[slot], master[slot], + extra=config.PKI_INDENTATION_LEVEL_3) + # chmod + config.pki_log.debug(log.PKIHELPER_CHMOD_2, + perms, name, + extra=config.PKI_INDENTATION_LEVEL_3) + # chown : + config.pki_log.debug(log.PKIHELPER_CHOWN_3, + uid, gid, name, + extra=config.PKI_INDENTATION_LEVEL_3) + else: + if not os.path.exists(name) or not os.path.isfile(name): + config.pki_log.error( + log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, name, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # applying in-place slot substitutions on + config.pki_log.info(log.PKIHELPER_APPLY_SLOT_SUBSTITUTION_1, + name, + extra=config.PKI_INDENTATION_LEVEL_2) + for line in fileinput.FileInput(name, inplace=1): + for slot in slots: + if slot != '__name__' and slots[slot] in line: + config.pki_log.debug( + log.PKIHELPER_SLOT_SUBSTITUTION_2, + slots[slot], master[slot], + extra=config.PKI_INDENTATION_LEVEL_3) + line=line.replace(slots[slot],master[slot]) + sys.stdout.write(line) + if uid == None: + uid = identity.get_uid() + if gid == None: + gid = identity.get_gid() + # chmod + config.pki_log.debug(log.PKIHELPER_CHMOD_2, + perms, name, + 
extra=config.PKI_INDENTATION_LEVEL_3) + os.chmod(name, perms) + # chown : + config.pki_log.debug(log.PKIHELPER_CHOWN_3, + uid, gid, name, + extra=config.PKI_INDENTATION_LEVEL_3) + os.chown(name, uid, gid) + # Store record in installation manifest + record = manifest.record() + record.name = name + record.type = manifest.RECORD_TYPE_FILE + record.user = master['pki_user'] + record.group = master['pki_group'] + record.uid = uid + record.gid = gid + record.permissions = perms + record.acls = acls + manifest.database.append(record) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + except shutil.Error as exc: + config.pki_log.error(log.PKI_SHUTIL_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + def copy_with_slot_substitution( + self, old_name, new_name, uid=None, gid=None, + perms=config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS, + acls=None, overwrite_flag=False, + critical_failure=True): + try: + if config.pki_dry_run_flag: + # copy to with slot substitutions + config.pki_log.info(log.PKIHELPER_COPY_WITH_SLOT_SUBSTITUTION_2, + old_name, new_name, + extra=config.PKI_INDENTATION_LEVEL_2) + for line in fileinput.FileInput(old_name): + for slot in slots: + if slot != '__name__' and slots[slot] in line: + config.pki_log.debug( + log.PKIHELPER_SLOT_SUBSTITUTION_2, + slots[slot], master[slot], + extra=config.PKI_INDENTATION_LEVEL_3) # chmod config.pki_log.debug(log.PKIHELPER_CHMOD_2, perms, new_name, @@ -787,6 +983,11 @@ class file: config.pki_log.debug(log.PKIHELPER_CHOWN_3, uid, gid, new_name, extra=config.PKI_INDENTATION_LEVEL_3) + elif not os.path.exists(old_name) or not os.path.isfile(old_name): + config.pki_log.error( + log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, old_name, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) else: if os.path.exists(new_name): if not overwrite_flag: 
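Review bot: In the dry-run branch of apply_slot_substitution the loop `for line in fileinput.FileInput(name, inplace=1):` opens the file in in-place mode but never writes anything back, so a dry run against an existing file replaces it with an empty one (fileinput moves the original aside and redirects stdout into the replacement). The dry-run pass only needs to read, so it should be `for line in fileinput.FileInput(name):`, as the dry-run branch of copy_with_slot_substitution already does. The real branch also assumes every `master[slot]` exists and is a string; `line.replace(slots[slot], master[slot])` raises KeyError or TypeError otherwise, and neither handler in this method catches those, so a `str(master[slot])` and a KeyError handler would make that explicit. The copy method at the top of this hunk begins before the hunk starts.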
@@ -794,11 +995,21 @@ class file: log.PKI_FILE_ALREADY_EXISTS_1, new_name, extra=config.PKI_INDENTATION_LEVEL_2) sys.exit(1) - # cp -p - config.pki_log.info(log.PKIHELPER_CP_P_2, + # copy to with slot substitutions + config.pki_log.info(log.PKIHELPER_COPY_WITH_SLOT_SUBSTITUTION_2, old_name, new_name, extra=config.PKI_INDENTATION_LEVEL_2) - shutil.copy2(old_name, new_name) + FILE = open(new_name, "w") + for line in fileinput.FileInput(old_name): + for slot in slots: + if slot != '__name__' and slots[slot] in line: + config.pki_log.debug( + log.PKIHELPER_SLOT_SUBSTITUTION_2, + slots[slot], master[slot], + extra=config.PKI_INDENTATION_LEVEL_3) + line=line.replace(slots[slot],master[slot]) + FILE.write(line) + FILE.close() if uid == None: uid = identity.get_uid() if gid == None: 
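Review bot: `FILE = open(new_name, "w")` in the substituting copy is never closed if a substitution raises, and the file is created under the process umask before the chmod further down, so the substituted content is briefly readable at whatever mode the umask allows. Wrapping the loop in `with open(new_name, "w") as FILE:` removes the leak; if any slot value is sensitive (cannot confirm from this hunk which slots exist), creating the file with `os.open(new_name, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, perms)` would apply the target permissions from creation instead of after the write. The enclosing copy_with_slot_substitution begins before this hunk.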
@@ -836,6 +1047,64 @@ class file: sys.exit(1) return + def generate_noise_file(self, name, bytes, uid=None, gid=None, + perms=config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS, + acls=None, critical_failure=True): + try: + if not os.path.exists(name): + # generating noise file called and + # filling it with random bytes + config.pki_log.info(log.PKIHELPER_NOISE_FILE_2, name, bytes, + extra=config.PKI_INDENTATION_LEVEL_2) + if not config.pki_dry_run_flag: + open(name, "w").close() + FILE = open(name, "w") + noise = ''.join(random.choice(string.ascii_letters +\ + string.digits) for x in range(bytes)) + FILE.write(noise) + FILE.close() + # chmod + config.pki_log.debug(log.PKIHELPER_CHMOD_2, perms, name, + extra=config.PKI_INDENTATION_LEVEL_3) + if not config.pki_dry_run_flag: + os.chmod(name, perms) + # chown : + if uid == None: + uid = identity.get_uid() + if gid == None: + gid = identity.get_gid() + config.pki_log.debug(log.PKIHELPER_CHOWN_3, + uid, gid, name, + extra=config.PKI_INDENTATION_LEVEL_3) + if not config.pki_dry_run_flag: + os.chown(name, uid, gid) + # Store record in installation manifest + record = manifest.record() + record.name = name + record.type = manifest.RECORD_TYPE_FILE + record.user = master['pki_user'] + record.group = master['pki_group'] + record.uid = uid + record.gid = gid + record.permissions = perms + record.acls = acls + manifest.database.append(record) + elif not os.path.isfile(name): + config.pki_log.error( + log.PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1, name, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + except OSError as exc: + if exc.errno == errno.EEXIST: + pass + else: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + # PKI Deployment Symbolic Link Class class symlink: 
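Review bot: generate_noise_file fills the `-z` noise file that generate_self_signed_certificate later hands to certutil for key generation using `random.choice`, i.e. the Mersenne Twister, which is not a cryptographic source; it should be `noise = os.urandom(bytes)` written through `FILE = open(name, "wb")`. The parameter name `bytes` shadows the builtin, and the preceding `open(name, "w").close()` is redundant with the `open(name, "w")` that follows it. As with the other writers in this file, the file is created under the umask before `os.chmod(name, perms)` runs; creating it with `os.open(..., perms)` would avoid that window.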
@@ -886,11 +1155,6 @@ class symlink: extra=config.PKI_INDENTATION_LEVEL_2) if critical_failure == True: sys.exit(1) - else: - config.pki_log.error(log.PKI_SYMLINK_ALREADY_EXISTS_1, link, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) except OSError as exc: if exc.errno == errno.EEXIST: pass 
@@ -1026,6 +1290,347 @@ class war: return +# PKI Deployment Password Class +class password: + def create_password_conf(self, path, overwrite_flag=False): + try: + if not config.pki_dry_run_flag: + if os.path.exists(path): + if overwrite_flag: + config.pki_log.info( + log.PKIHELPER_PASSWORD_CONF_1, path, + extra=config.PKI_INDENTATION_LEVEL_2) + # overwrite the existing 'password.conf' file + with open(path, "wt") as fd: + if master['pki_subsystem'] in\ + config.PKI_APACHE_SUBSYSTEMS: + fd.write("internal" + ":" +\ + str(master['pki_pin'])) + else: + fd.write("internal" + "=" +\ + str(master['pki_pin'])) + fd.closed + else: + config.pki_log.info(log.PKIHELPER_PASSWORD_CONF_1, path, + extra=config.PKI_INDENTATION_LEVEL_2) + # create a new 'password.conf' file + with open(path, "wt") as fd: + if master['pki_subsystem'] in\ + config.PKI_APACHE_SUBSYSTEMS: + fd.write("internal" + ":" +\ + str(master['pki_pin'])) + else: + fd.write("internal" + "=" +\ + str(master['pki_pin'])) + fd.closed + else: + if not os.path.exists(path) or overwrite_flag: + config.pki_log.info(log.PKIHELPER_PASSWORD_CONF_1, path, + extra=config.PKI_INDENTATION_LEVEL_2) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + +# PKI Deployment NSS 'certutil' Class +class certutil: + def create_security_databases(self, path, password_file=None, prefix=None, + critical_failure=True): + try: + # Compose this "certutil" command + command = "certutil" + " " + "-N" + # Provide a path to the NSS security databases + if path: + command = command + " " + "-d" + " " + path + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_PATH, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if password_file != None: + command = command + " " + "-f" + " " + password_file + if prefix != None: + command = command + " " + "-P" + " " + prefix + if not config.pki_dry_run_flag: + if not 
os.path.exists(path): + config.pki_log.error( + log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, path, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if os.path.exists(master['pki_cert_database']) or\ + os.path.exists(master['pki_key_database']) or\ + os.path.exists(master['pki_secmod_database']): + # Simply notify user that the security databases exist + config.pki_log.info( + log.PKI_SECURITY_DATABASES_ALREADY_EXIST_3, + master['pki_cert_database'], + master['pki_key_database'], + master['pki_secmod_database'], + extra=config.PKI_INDENTATION_LEVEL_2) + else: + if password_file != None: + if not os.path.exists(password_file) or\ + not os.path.isfile(password_file): + config.pki_log.error( + log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, + password_file, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Display this "certutil" command + config.pki_log.info( + log.PKIHELPER_CREATE_SECURITY_DATABASES_1, + command, + extra=config.PKI_INDENTATION_LEVEL_2) + # Execute this "certutil" command + subprocess.call(command, shell=True) + else: + if os.path.exists(master['pki_cert_database']) or\ + os.path.exists(master['pki_key_database']) or\ + os.path.exists(master['pki_secmod_database']): + # Simply notify user that the security databases exist + config.pki_log.info( + log.PKI_SECURITY_DATABASES_ALREADY_EXIST_3, + master['pki_cert_database'], + master['pki_key_database'], + master['pki_secmod_database'], + extra=config.PKI_INDENTATION_LEVEL_2) + else: + # Display this "certutil" command + config.pki_log.info( + log.PKIHELPER_CREATE_SECURITY_DATABASES_1, + command, + extra=config.PKI_INDENTATION_LEVEL_2) + except subprocess.CalledProcessError as exc: + config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + def 
verify_certificate_exists(self, path, token, nickname, + password_file=None): + rv = 0 + try: + # Compose this "certutil" command + command = "certutil" + " " + "-L" + # Provide a path to the NSS security databases + if path: + command = command + " " + "-d" + " " + path + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_PATH, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Specify the 'token' + if token: + command = command + " " + "-h" + " " + "'" + token + "'" + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_TOKEN, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Specify the nickname of this self-signed certificate + if nickname: + command = command + " " + "-n" + " " + "'" + nickname + "'" + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_NICKNAME, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # OPTIONALLY specify a password file + if password_file != None: + command = command + " " + "-f" + " " + password_file + # Always execute this command silently + command = command + " > /dev/null 2>&1" + if not config.pki_dry_run_flag: + if not os.path.exists(path): + config.pki_log.error( + log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, path, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if not os.path.exists(master['pki_cert_database']) or\ + not os.path.exists(master['pki_key_database']) or\ + not os.path.exists(master['pki_secmod_database']): + # NSS security databases MUST exist! 
+ config.pki_log.error( + log.PKI_SECURITY_DATABASES_DO_NOT_EXIST_3, + master['pki_cert_database'], + master['pki_key_database'], + master['pki_secmod_database'], + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if password_file != None: + if not os.path.exists(password_file) or\ + not os.path.isfile(password_file): + config.pki_log.error( + log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, + password_file, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + else: + # Check for first time through as dry_run + if not os.path.exists(master['pki_cert_database']) or\ + not os.path.exists(master['pki_key_database']) or\ + not os.path.exists(master['pki_secmod_database']): + return False + # Execute this "certutil" command + subprocess.check_call(command, shell=True) + except subprocess.CalledProcessError as exc: + return False + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return True + + def generate_self_signed_certificate(self, path, token, nickname, + subject, serial_number, + validity_period, issuer_name, + trustargs, noise_file, + password_file=None, + critical_failure=True): + try: + # Compose this "certutil" command + command = "certutil" + " " + "-S" + # Provide a path to the NSS security databases + if path: + command = command + " " + "-d" + " " + path + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_PATH, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Specify the 'token' + if token: + command = command + " " + "-h" + " " + "'" + token + "'" + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_TOKEN, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Specify the nickname of this self-signed certificate + if nickname: + command = command + " " + "-n" + " " + "'" + nickname + "'" + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_NICKNAME, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) 
+ # Specify the subject name (RFC1485) + if subject: + command = command + " " + "-s" + " " + "'" + subject + "'" + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_SUBJECT, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Specify the serial number + if serial_number != None: + command = command + " " + "-m" + " " + str(serial_number) + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_SERIAL_NUMBER, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Specify the months valid + if validity_period != None: + command = command + " " + "-v" + " " + str(validity_period) + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_VALIDITY_PERIOD, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Specify the nickname of the issuer certificate + if issuer_name: + command = command + " " + "-c" + " " +\ + "'" + issuer_name + "'" + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_ISSUER_NAME, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Specify the certificate trust attributes + if trustargs: + command = command + " " + "-t" + " " + "'" + trustargs + "'" + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_TRUSTARGS, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Specify a noise file to be used for key generation + if noise_file: + command = command + " " + "-z" + " " + noise_file + else: + config.pki_log.error( + log.PKIHELPER_CERTUTIL_MISSING_NOISE_FILE, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # OPTIONALLY specify a password file + if password_file != None: + command = command + " " + "-f" + " " + password_file + # ALWAYS self-sign this certificate + command = command + " " + "-x" + # ALWAYS mask the command-line output of this command + command = command + " " + "> /dev/null 2>&1" + # Display this "certutil" command + config.pki_log.info( + log.PKIHELPER_CERTUTIL_SELF_SIGNED_CERTIFICATE_1, command, + extra=config.PKI_INDENTATION_LEVEL_2) + if not 
config.pki_dry_run_flag: + if not os.path.exists(path): + config.pki_log.error( + log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, path, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if not os.path.exists(master['pki_cert_database']) or\ + not os.path.exists(master['pki_key_database']) or\ + not os.path.exists(master['pki_secmod_database']): + # NSS security databases MUST exist! + config.pki_log.error( + log.PKI_SECURITY_DATABASES_DO_NOT_EXIST_3, + master['pki_cert_database'], + master['pki_key_database'], + master['pki_secmod_database'], + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if not os.path.exists(noise_file): + config.pki_log.error( + log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, + noise_file, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if password_file != None: + if not os.path.exists(password_file) or\ + not os.path.isfile(password_file): + config.pki_log.error( + log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, + password_file, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Execute this "certutil" command + subprocess.call(command, shell=True) + except subprocess.CalledProcessError as exc: + config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) + return + + # PKI Deployment Helper Class Instances identity = identity() instance = instance() @@ -1033,3 +1638,5 @@ directory = directory() file = file() symlink = symlink() war = war() +password = password() +certutil = certutil() diff --git a/base/deploy/src/scriptlets/pkimanifest.py b/base/deploy/src/scriptlets/pkimanifest.py index dfd18fbaf..4f45e4b61 100644 --- a/base/deploy/src/scriptlets/pkimanifest.py +++ b/base/deploy/src/scriptlets/pkimanifest.py 
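Review bot: Every certutil invocation in this hunk is built by string concatenation and run with `subprocess.call(command, shell=True)`, so each configuration value spliced in (path, password_file, prefix, token, nickname, subject, issuer_name, trustargs, noise_file) is parsed by the shell, and a quote or metacharacter in a nickname or subject breaks the command or runs something else; the single quotes placed around some values do not protect against a value that itself contains a quote. Build an argument list and run it with `subprocess.check_call(command)` and no shell, replacing the appended `> /dev/null 2>&1` with `stdout=`/`stderr=` arguments; note that `subprocess.call` never raises CalledProcessError, so the handler after it is dead code and a failed `certutil -N` or `-S` currently goes unnoticed. Separately, `critical_failure` is not a parameter of create_password_conf or verify_certificate_exists, so their OSError handlers raise NameError, and create_password_conf writes the pin to password.conf under the process umask — creating it via `os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0600)` would keep it owner-only, and the trailing `fd.closed` is a no-op. The sketch below shows the argument-list form for create_security_databases; the same change applies to the -L and -S commands.
```python
            # Compose this "certutil" command as an argument list so that
            # values taken from the deployment configuration are never
            # interpreted by a shell
            command = ["certutil", "-N"]
            # Provide a path to the NSS security databases
            if path:
                command.extend(["-d", path])
            else:
                # … unchanged: missing-path error and sys.exit(1) …
            if password_file != None:
                command.extend(["-f", password_file])
            if prefix != None:
                command.extend(["-P", prefix])
            # … unchanged: dry-run / existence checks …
                    # Display this "certutil" command
                    config.pki_log.info(
                        log.PKIHELPER_CREATE_SECURITY_DATABASES_1,
                        " ".join(command),
                        extra=config.PKI_INDENTATION_LEVEL_2)
                    # Execute this "certutil" command; check_call() is what
                    # raises the CalledProcessError handled below
                    subprocess.check_call(command)
```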
@@ -22,6 +22,12 @@ # System Imports from collections import namedtuple import csv +import sys + + +# PKI Deployment Imports +import pkiconfig as config +import pkimessages as log # PKI Deployment Manifest Constants diff --git a/base/deploy/src/scriptlets/pkimessages.py b/base/deploy/src/scriptlets/pkimessages.py index 81f0eadfe..774b1f169 100644 --- a/base/deploy/src/scriptlets/pkimessages.py +++ b/base/deploy/src/scriptlets/pkimessages.py @@ -28,6 +28,10 @@ PKI_DICTIONARY_MASTER="\n"\ "=====================================================\n"\ " DISPLAY CONTENTS OF PKI MASTER DICTIONARY\n"\ "=====================================================" +PKI_DICTIONARY_SLOTS="\n"\ +"=====================================================\n"\ +" DISPLAY CONTENTS OF PKI SLOTS DICTIONARY\n"\ +"=====================================================" PKI_DICTIONARY_SUBSYSTEM="\n"\ "=====================================================\n"\ " DISPLAY CONTENTS OF PKI SUBSYSTEM DICTIONARY\n"\ @@ -74,6 +78,14 @@ PKI_FILE_ALREADY_EXISTS_NOT_A_FILE_1 = "File '%s' already "\ PKI_FILE_MISSING_OR_NOT_A_FILE_1 = "File '%s' is either missing "\ "or is NOT a regular file!" PKI_FILE_NOT_A_WAR_FILE_1 = "File '%s' is NOT a war file!" +PKI_SECURITY_DATABASES_ALREADY_EXIST_3 = "Security databases '%s', '%s', "\ + "and/or '%s' already exist!" +PKI_SECURITY_DATABASES_DO_NOT_EXIST_3 = "Security databases '%s', '%s', "\ + "and/or '%s' do NOT exist!" +PKI_SUBSYSTEM_ALREADY_EXISTS_2 = "PKI subsystem '%s' for instance '%s' "\ + "already exists!" +PKI_SUBSYSTEM_DOES_NOT_EXIST_2 = "PKI subsystem '%s' for instance '%s' "\ + "does NOT exist!" PKI_IOERROR_1 = "IOError: %s!" PKI_KEYERROR_1 = "KeyError: %s!" 
@@ -81,6 +93,7 @@ PKI_LARGEZIPFILE_ERROR_1 = "zipfile.LargeZipFile: %s!" PKI_MANIFEST_MESSAGE_1 = "generating manifest file called '%s'" PKI_OSERROR_1 = "OSError: %s!" PKI_SHUTIL_ERROR_1 = "shutil.Error: %s!" +PKI_SUBPROCESS_ERROR_1 = "subprocess.CalledProcessError: %s!" PKI_SYMLINK_ALREADY_EXISTS_1 = "Symlink '%s' already exists!" PKI_SYMLINK_ALREADY_EXISTS_NOT_A_SYMLINK_1 = "Symlink '%s' already "\ "exists BUT it is NOT a "\ 
@@ -108,12 +121,32 @@ PKISPAWN_END_MESSAGE_2 = "END spawning subsystem '%s' of "\ # PKI Deployment "Helper" Messages -PKIHELPER_APACHE_INSTANCES_2 = "instance '%s' contains '%d' Apache PKI subsystems" +PKIHELPER_APACHE_INSTANCES_2 = "instance '%s' contains '%d' "\ + "Apache PKI subsystems" +PKIHELPER_CERTUTIL_MISSING_ISSUER_NAME = "certutil: Missing "\ + "'-c issuer-name' option!" +PKIHELPER_CERTUTIL_MISSING_NICKNAME = "certutil: Missing "\ + "'-n nickname' option!" +PKIHELPER_CERTUTIL_MISSING_NOISE_FILE = "certutil: Missing "\ + "'-z noise-file' option!" +PKIHELPER_CERTUTIL_MISSING_PATH = "certutil: Missing '-d path' option!" +PKIHELPER_CERTUTIL_MISSING_SERIAL_NUMBER = "certutil: Missing "\ + "'-m serial-number' option!" +PKIHELPER_CERTUTIL_MISSING_SUBJECT = "certutil: Missing '-s subject' option!" +PKIHELPER_CERTUTIL_MISSING_TOKEN = "certutil: Missing '-h token' option!" +PKIHELPER_CERTUTIL_MISSING_TRUSTARGS = "certutil: Missing "\ + "'-t trustargs' option!" +PKIHELPER_CERTUTIL_MISSING_VALIDITY_PERIOD = "certutil: Missing "\ + "'-v months-valid' option!" +PKIHELPER_CERTUTIL_SELF_SIGNED_CERTIFICATE_1 = "executing '%s'" PKIHELPER_CHMOD_2 = "chmod %o %s" PKIHELPER_CHOWN_3 = "chown %s:%s %s" PKIHELPER_CHOWN_H_3 = "chown -h %s:%s %s" +PKIHELPER_COPY_WITH_SLOT_SUBSTITUTION_2 = "copying '%s' --> '%s' "\ + "with slot substitution" PKIHELPER_CP_P_2 = "cp -p %s %s" PKIHELPER_CP_RP_2 = "cp -rp %s %s" +PKIHELPER_CREATE_SECURITY_DATABASES_1 = "executing '%s'" PKIHELPER_DANGLING_SYMLINK_2 = "Dangling symlink '%s'-->'%s'" PKIHELPER_DIRECTORY_IS_EMPTY_1 = "directory '%s' is empty" PKIHELPER_DIRECTORY_IS_NOT_EMPTY_1 = "directory '%s' is NOT empty" 
@@ -124,16 +157,24 @@ PKIHELPER_IS_A_FILE_1 = "'%s' is a file" PKIHELPER_IS_A_SYMLINK_1 = "'%s' is a symlink" PKIHELPER_JAR_XF_C_2 = "jar -xf %s -C %s" PKIHELPER_LINK_S_2 = "ln -s %s %s" +PKIHELPER_APPLY_SLOT_SUBSTITUTION_1 = "applying in-place "\ + "slot substitutions on '%s'" PKIHELPER_MKDIR_1 = "mkdir -p %s" PKIHELPER_MODIFY_DIR_1 = "modifying '%s'" PKIHELPER_MODIFY_FILE_1 = "modifying '%s'" PKIHELPER_MODIFY_SYMLINK_1 = "modifying '%s'" -PKIHELPER_PKI_SUBSYSTEM_INSTANCES_2 = "instance '%s' contains '%d' PKI subsystems" +PKIHELPER_NOISE_FILE_2 = "generating noise file called '%s' and "\ + "filling it with '%d' random bytes" +PKIHELPER_PASSWORD_CONF_1 = "generating '%s'" +PKIHELPER_PKI_SUBSYSTEM_INSTANCES_2 = "instance '%s' contains '%d' "\ + "PKI subsystems" PKIHELPER_RM_F_1 = "rm -f %s" PKIHELPER_RM_RF_1 = "rm -rf %s" PKIHELPER_RMDIR_1 = "rmdir %s" PKIHELPER_SET_MODE_1 = "setting ownerships, permissions, and acls on '%s'" -PKIHELPER_TOMCAT_INSTANCES_2 = "instance '%s' contains '%d' Tomcat PKI subsystems" +PKIHELPER_SLOT_SUBSTITUTION_2 = "slot substitution: '%s' ==> '%s'" +PKIHELPER_TOMCAT_INSTANCES_2 = "instance '%s' contains '%d' "\ + "Tomcat PKI subsystems" PKIHELPER_TOUCH_1 = "touch %s" PKIHELPER_UID_2 = "UID of '%s' is %s" PKIHELPER_USER_1 = "retrieving UID for '%s' . . ." diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py index bff405955..19c9119a6 100644 --- a/base/deploy/src/scriptlets/pkiparser.py +++ b/base/deploy/src/scriptlets/pkiparser.py @@ -24,6 +24,7 @@ import ConfigParser import argparse import logging import os +import time # PKI Deployment Imports 
@@ -171,9 +172,14 @@ def process_command_line_arguments(argv): # NOTE: When performing 'pkidestroy', a configuration file must be # explicitly specified if it does not use the default location # and/or default configuration file name. + if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS: + pki_web_server = "Apache" + elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: + pki_web_server = "Tomcat" config.pkideployment_cfg = config.pki_root_prefix +\ config.PKI_DEPLOYMENT_REGISTRY_ROOT + "/" +\ config.PKI_DEPLOYMENT_DEFAULT_INSTANCE_NAME + "/" +\ + pki_web_server.lower() +"/" +\ config.pki_subsystem.lower() +"/" +\ config.PKI_DEPLOYMENT_DEFAULT_CONFIGURATION_FILE if not os.path.exists(config.pkideployment_cfg) or\ @@ -192,6 +198,8 @@ def read_pki_configuration_file(): rv = 0 try: parser = ConfigParser.ConfigParser() + # Make keys case-sensitive! + parser.optionxform = str parser.read(config.pkideployment_cfg) config.pki_common_dict = dict(parser._sections['Common']) if config.pki_subsystem == "CA": 
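Review bot: `pki_web_server` in process_command_line_arguments is only bound when config.pki_subsystem is in PKI_APACHE_SUBSYSTEMS or PKI_TOMCAT_SUBSYSTEMS, so an unrecognised subsystem name reaches `pki_web_server.lower()` and fails with NameError rather than a clear message; add an `else:` branch that reports the unsupported subsystem and stops before the configuration path is composed. A one-line comment above the if/elif noting that the default configuration file now lives under a per-web-server directory would also help, since this commit changes that layout. The function begins before this hunk.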
@@ -223,140 +231,637 @@ def read_pki_configuration_file(): def compose_pki_master_dictionary(): "Create a single master PKI dictionary from the sectional dictionaries" - config.pki_master_dict = dict() - # 'pkispawn'/'pkirespawn'/'pkidestroy' name/value pairs - config.pki_master_dict['pki_timestamp'] = config.pki_timestamp - # Configuration file name/value pairs - config.pki_master_dict.update(config.pki_common_dict) - config.pki_master_dict.update(config.pki_web_server_dict) - config.pki_master_dict.update(config.pki_subsystem_dict) - config.pki_master_dict.update(__name__="PKI Master Dictionary") - config.pki_master_dict['pki_source_conf'] =\ - config.pki_master_dict['pki_source_root'] + "/" +\ - config.pki_master_dict['pki_subsystem'].lower() + "/" + "conf" - if config.pki_master_dict['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: - config.pki_master_dict['pki_war'] =\ - config.pki_master_dict['pki_source_root'] + "/" +\ - config.pki_master_dict['pki_subsystem'].lower() + "/" +\ - "war" + "/" + config.pki_master_dict['pki_war_name'] - config.pki_master_dict['pki_tomcat_bin_path'] =\ - config.pki_master_dict['pki_tomcat_root'] + "/" + "bin" - config.pki_master_dict['pki_tomcat_lib_path'] =\ - config.pki_master_dict['pki_tomcat_root'] + "/" + "lib" - if config.pki_master_dict['pki_subsystem'] == "CA": - config.pki_master_dict['pki_source_emails'] =\ - config.pki_master_dict['pki_source_root'] + "/" +\ - "ca" + "/" + "emails" - config.pki_master_dict['pki_source_profiles'] =\ - config.pki_master_dict['pki_source_root'] + "/" +\ - "ca" + "/" + "profiles" - # Instance layout base name/value pairs - config.pki_master_dict['pki_root_prefix'] = config.pki_root_prefix - config.pki_master_dict['pki_path'] =\ - config.pki_master_dict['pki_root_prefix'] +\ - config.pki_master_dict['pki_instance_root'] - config.pki_master_dict['pki_instance_path'] =\ - config.pki_master_dict['pki_path'] + "/" +\ - config.pki_master_dict['pki_instance_name'] - 
config.pki_master_dict['pki_instance_database_link'] =\ - config.pki_master_dict['pki_instance_path'] + "/" + "alias" - # Instance layout log name/value pairs - config.pki_master_dict['pki_log_path'] =\ - config.pki_master_dict['pki_root_prefix'] +\ - config.pki_master_dict['pki_instance_log_root'] - config.pki_master_dict['pki_instance_log_path'] =\ - config.pki_master_dict['pki_log_path'] + "/" +\ - config.pki_master_dict['pki_instance_name'] - # Instance layout configuration name/value pairs - config.pki_master_dict['pki_configuration_path'] =\ - config.pki_master_dict['pki_root_prefix'] +\ - config.pki_master_dict['pki_instance_configuration_root'] - config.pki_master_dict['pki_instance_configuration_path'] =\ - config.pki_master_dict['pki_configuration_path'] + "/" +\ - config.pki_master_dict['pki_instance_name'] - # Instance layout registry name/value pairs - config.pki_master_dict['pki_registry_path'] =\ - config.pki_master_dict['pki_root_prefix'] +\ - config.PKI_DEPLOYMENT_REGISTRY_ROOT - config.pki_master_dict['pki_instance_registry_path'] =\ - config.pki_master_dict['pki_registry_path'] + "/" +\ - config.pki_master_dict['pki_instance_name'] - # Instance-based webserver Apache base name/value pairs - if config.pki_master_dict['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS: - config.pki_master_dict['pki_apache_path'] =\ - config.pki_master_dict['pki_instance_path'] + "/apache" - # Instance-based webserver Tomcat base name/value pairs - if config.pki_master_dict['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: - config.pki_master_dict['pki_tomcat_path'] =\ - config.pki_master_dict['pki_instance_path'] + "/" + "tomcat" - config.pki_master_dict['pki_tomcat_bin_link'] =\ - config.pki_master_dict['pki_tomcat_path'] + "/" + "bin" - config.pki_master_dict['pki_common_path'] =\ - config.pki_master_dict['pki_tomcat_path'] + "/" + "common" - config.pki_master_dict['pki_common_lib_path'] =\ - config.pki_master_dict['pki_common_path'] + "/" + "lib" - 
config.pki_master_dict['pki_conf_path'] =\ - config.pki_master_dict['pki_tomcat_path'] + "/" + "conf" - config.pki_master_dict['pki_tomcat_lib_link'] =\ - config.pki_master_dict['pki_tomcat_path'] + "/" + "lib" - config.pki_master_dict['pki_tomcat_logs_link'] =\ - config.pki_master_dict['pki_tomcat_path'] + "/" + "logs" - config.pki_master_dict['pki_webapps_path'] =\ - config.pki_master_dict['pki_tomcat_path'] + "/" + "webapps" - config.pki_master_dict['pki_webapps_root_path'] =\ - config.pki_master_dict['pki_webapps_path'] + "/" + "ROOT" - config.pki_master_dict['pki_webapps_root_webinf_path'] =\ - config.pki_master_dict['pki_webapps_root_path'] + "/" + "WEB-INF" - config.pki_master_dict['pki_webapps_webinf_path'] =\ - config.pki_master_dict['pki_webapps_path'] + "/" + "WEB-INF" - config.pki_master_dict['pki_webapps_webinf_classes_path'] =\ - config.pki_master_dict['pki_webapps_webinf_path'] + "/" + "classes" - config.pki_master_dict['pki_webapps_webinf_lib_path'] =\ - config.pki_master_dict['pki_webapps_webinf_path'] + "/" + "lib" - config.pki_master_dict['pki_webapps_subsystem_path'] =\ - config.pki_master_dict['pki_webapps_path'] + "/" +\ - config.pki_master_dict['pki_subsystem'].lower() - config.pki_master_dict['pki_webapps_subsystem_webinf_classes_link'] =\ - config.pki_master_dict['pki_webapps_subsystem_path'] + "/" +\ - "WEB-INF" + "/" + "classes" - config.pki_master_dict['pki_webapps_subsystem_webinf_lib_link'] =\ - config.pki_master_dict['pki_webapps_subsystem_path'] + "/" +\ - "WEB-INF" + "/" + "lib" - # Instance-based webserver Apache/Tomcat configuration name/value pairs - config.pki_master_dict['pki_database_path'] =\ - config.pki_master_dict['pki_instance_configuration_path'] + "/" +\ - "alias" - # Instance-based subsystem base name/value pairs - config.pki_master_dict['pki_subsystem_path'] =\ - config.pki_master_dict['pki_instance_path'] + "/" +\ - config.pki_master_dict['pki_subsystem'].lower() - 
config.pki_master_dict['pki_subsystem_database_link'] =\ - config.pki_master_dict['pki_subsystem_path'] + "/" + "alias" - config.pki_master_dict['pki_subsystem_configuration_link'] =\ - config.pki_master_dict['pki_subsystem_path'] + "/" + "conf" - config.pki_master_dict['pki_subsystem_logs_link'] =\ - config.pki_master_dict['pki_subsystem_path'] + "/" + "logs" - if config.pki_master_dict['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: - if config.pki_master_dict['pki_subsystem'] == "CA": - config.pki_master_dict['pki_subsystem_emails_path'] =\ - config.pki_master_dict['pki_subsystem_path'] + "/" + "emails" - config.pki_master_dict['pki_subsystem_profiles_path'] =\ - config.pki_master_dict['pki_subsystem_path'] + "/" + "profiles" - config.pki_master_dict['pki_subsystem_webapps_link'] =\ - config.pki_master_dict['pki_subsystem_path'] + "/" + "webapps" - # Instance-based subsystem log name/value pairs - config.pki_master_dict['pki_subsystem_log_path'] =\ - config.pki_master_dict['pki_instance_log_path'] + "/" +\ - config.pki_master_dict['pki_subsystem'].lower() - config.pki_master_dict['pki_subsystem_signed_audit_log_path'] =\ - config.pki_master_dict['pki_subsystem_log_path'] + "/" +\ - "signedAudit" - # Instance-based subsystem configuration name/value pairs - config.pki_master_dict['pki_subsystem_configuration_path'] =\ - config.pki_master_dict['pki_instance_configuration_path'] + "/" +\ - config.pki_master_dict['pki_subsystem'].lower() - # Instance-based subsystem registry name/value pairs - config.pki_master_dict['pki_subsystem_registry_path'] =\ - config.pki_master_dict['pki_instance_registry_path'] + "/" +\ - config.pki_master_dict['pki_subsystem'].lower() + try: + config.pki_master_dict = dict() + # 'pkispawn'/'pkirespawn'/'pkidestroy' name/value pairs + config.pki_master_dict['pki_install_time'] = config.pki_install_time + config.pki_master_dict['pki_timestamp'] = config.pki_timestamp + config.pki_master_dict['pki_certificate_timestamp'] =\ + 
config.pki_certificate_timestamp + config.pki_master_dict['pki_hostname'] = config.pki_hostname + config.pki_master_dict['pki_pin'] = config.pki_pin + config.pki_master_dict['pki_one_time_pin'] = config.pki_one_time_pin + # Configuration file name/value pairs + config.pki_master_dict.update(config.pki_common_dict) + config.pki_master_dict.update(config.pki_web_server_dict) + config.pki_master_dict.update(config.pki_subsystem_dict) + config.pki_master_dict.update(__name__="PKI Master Dictionary") + # IMPORTANT: A "PKI instance" no longer corresponds to a single + # pki subystem, but rather to zero or one unique + # "Tomcat web instance" AND/OR zero or one unique + # "Apache web instance". Obviously, each + # "PKI instance" must contain at least one of these + # two web instances. The name of the default + # "PKI instance" is called "default" and may be + # changed in the PKI deployment configuration file, + # and/or overridden via the command-line interface. + # + # A "Tomcat instance" consists of a single process + # which may itself contain zero or one unique + # "CA" and/or "KRA" and/or "OCSP" and/or "TKS" + # pki subystems. Obviously, the "Tomcat instance" must + # contain at least one of these four pki subystems. + # + # Similarly, an "Apache instance" consists of a single + # process which may itself contain zero or one unique + # "RA" and/or "TPS" pki subsystems. Obviously, the + # "Apache instance" must contain at least one of these + # two pki subystems. + # + # To emulate the original behavior of having a CA and + # KRA be unique PKI instances, each must be located + # within a separately named "PKI instance" if residing + # on the same host machine, or may be located within + # an identically named "PKI instance" when residing on + # two separate host machines. + # + # PKI INSTANCE NAMING CONVENTION: + # + # OLD: "pki-${pki_subsystem}" + # (e. g. Tomcat - "pki-ca", "pki-kra", "pki-ocsp", "pki-tks") + # (e. g. 
Apache - "pki-ra", "pki-tps") + # NEW: "pki-${pki_instance_name}-${pki_web_server}" + # (e. g. Tomcat: "pki-default-tomcat") + # (e. g. Apache: "pki-default-apache") + # + config.pki_master_dict['pki_instance_id'] =\ + "pki" + "-" + config.pki_master_dict['pki_instance_name'] + "-" +\ + config.pki_master_dict['pki_web_server'].lower() + # PKI Source name/value pairs + config.pki_master_dict['pki_source_conf_path'] =\ + os.path.join(config.pki_master_dict['pki_source_root'], + config.pki_master_dict['pki_subsystem'].lower(), + "conf") + config.pki_master_dict['pki_source_setup_path'] =\ + os.path.join(config.pki_master_dict['pki_source_root'], + config.pki_master_dict['pki_subsystem'].lower(), + "setup") + config.pki_master_dict['pki_source_cs_cfg'] =\ + os.path.join(config.pki_master_dict['pki_source_conf_path'], + "CS.cfg") + config.pki_master_dict['pki_source_registry'] =\ + os.path.join(config.pki_master_dict['pki_source_setup_path'], + "registry_instance") + if config.pki_master_dict['pki_subsystem'] in\ + config.PKI_TOMCAT_SUBSYSTEMS: + config.pki_master_dict['pki_tomcat_bin_path'] =\ + os.path.join(config.pki_master_dict['pki_tomcat_root'], + "bin") + config.pki_master_dict['pki_tomcat_lib_path'] =\ + os.path.join(config.pki_master_dict['pki_tomcat_root'], + "lib") + config.pki_master_dict['pki_war_path'] =\ + os.path.join(config.pki_master_dict['pki_source_root'], + config.pki_master_dict['pki_subsystem'].lower(), + "war") + config.pki_master_dict['pki_source_webapps_path'] =\ + os.path.join(config.pki_master_dict['pki_source_root'], + config.pki_master_dict['pki_subsystem'].lower(), + "webapps") + config.pki_master_dict['pki_war'] =\ + os.path.join(config.pki_master_dict['pki_war_path'], + config.pki_master_dict['pki_war_name']) + config.pki_master_dict['pki_source_catalina_properties'] =\ + os.path.join(config.pki_master_dict['pki_source_conf_path'], + "catalina.properties") + config.pki_master_dict['pki_source_servercertnick_conf'] =\ + 
os.path.join(config.pki_master_dict['pki_source_conf_path'], + "serverCertNick.conf") + config.pki_master_dict['pki_source_server_xml'] =\ + os.path.join(config.pki_master_dict['pki_source_conf_path'], + "server.xml") + config.pki_master_dict['pki_source_tomcat_conf'] =\ + os.path.join(config.pki_master_dict['pki_source_conf_path'], + "tomcat.conf") + config.pki_master_dict['pki_source_index_jsp'] =\ + os.path.join(config.pki_master_dict['pki_source_webapps_path'], + "ROOT", + "index.jsp") + config.pki_master_dict['pki_source_webapps_root_web_xml'] =\ + os.path.join(config.pki_master_dict['pki_source_webapps_path'], + "ROOT", + "WEB-INF", + "web.xml") + if config.pki_master_dict['pki_subsystem'] == "CA": + config.pki_master_dict['pki_source_emails'] =\ + os.path.join(config.pki_master_dict['pki_source_root'], + "ca", + "emails") + config.pki_master_dict['pki_source_profiles'] =\ + os.path.join(config.pki_master_dict['pki_source_root'], + "ca", + "profiles") + config.pki_master_dict['pki_source_proxy_conf'] =\ + os.path.join(config.pki_master_dict['pki_source_conf_path'], + "proxy.conf") + # Instance layout base name/value pairs + # NOTE: Never use 'os.path.join()' whenever 'pki_root_prefix' + # is being prepended!!! 
+ config.pki_master_dict['pki_root_prefix'] = config.pki_root_prefix + config.pki_master_dict['pki_path'] =\ + config.pki_master_dict['pki_root_prefix'] +\ + config.pki_master_dict['pki_instance_root'] + config.pki_master_dict['pki_instance_path'] =\ + os.path.join(config.pki_master_dict['pki_path'], + config.pki_master_dict['pki_instance_name']) + # Instance layout log name/value pairs + config.pki_master_dict['pki_log_path'] =\ + config.pki_master_dict['pki_root_prefix'] +\ + config.pki_master_dict['pki_instance_log_root'] + config.pki_master_dict['pki_instance_log_path'] =\ + os.path.join(config.pki_master_dict['pki_log_path'], + config.pki_master_dict['pki_instance_name']) + # Instance layout configuration name/value pairs + config.pki_master_dict['pki_configuration_path'] =\ + config.pki_master_dict['pki_root_prefix'] +\ + config.pki_master_dict['pki_instance_configuration_root'] + config.pki_master_dict['pki_instance_configuration_path'] =\ + os.path.join(config.pki_master_dict['pki_configuration_path'], + config.pki_master_dict['pki_instance_name']) + # Instance layout registry name/value pairs + config.pki_master_dict['pki_registry_path'] =\ + config.pki_master_dict['pki_root_prefix'] +\ + config.PKI_DEPLOYMENT_REGISTRY_ROOT + config.pki_master_dict['pki_instance_registry_path'] =\ + os.path.join(config.pki_master_dict['pki_registry_path'], + config.pki_master_dict['pki_instance_name']) + # Instance layout NSS security database name/value pairs + config.pki_master_dict['pki_database_path'] =\ + os.path.join( + config.pki_master_dict['pki_instance_configuration_path'], + "alias") + # Instance layout convenience symbolic links + config.pki_master_dict['pki_instance_database_link'] =\ + os.path.join(config.pki_master_dict['pki_instance_path'], + "alias") + # Instance-based Apache/Tomcat webserver base name/value pairs + config.pki_master_dict['pki_webserver_path'] =\ + os.path.join(config.pki_master_dict['pki_instance_path'], + 
config.pki_master_dict['pki_web_server'].lower()) + # Instance-based Apache/Tomcat webserver log name/value pairs + config.pki_master_dict['pki_webserver_log_path'] =\ + os.path.join(config.pki_master_dict['pki_instance_log_path'], + config.pki_master_dict['pki_web_server'].lower()) + # Instance-based Apache/Tomcat webserver configuration name/value pairs + config.pki_master_dict['pki_webserver_configuration_path'] =\ + os.path.join( + config.pki_master_dict['pki_instance_configuration_path'], + config.pki_master_dict['pki_web_server'].lower()) + # Instance-based Apache/Tomcat webserver registry name/value pairs + config.pki_master_dict['pki_webserver_registry_path'] =\ + os.path.join(config.pki_master_dict['pki_instance_registry_path'], + config.pki_master_dict['pki_web_server'].lower()) + # Instance-based Tomcat-specific webserver name/value pairs + if config.pki_master_dict['pki_subsystem'] in\ + config.PKI_TOMCAT_SUBSYSTEMS: + # Instance-based Tomcat webserver base name/value pairs + config.pki_master_dict['pki_tomcat_common_path'] =\ + os.path.join(config.pki_master_dict['pki_webserver_path'], + "common") + config.pki_master_dict['pki_tomcat_common_lib_path'] =\ + os.path.join(config.pki_master_dict['pki_tomcat_common_path'], + "lib") + config.pki_master_dict['pki_tomcat_webapps_path'] =\ + os.path.join(config.pki_master_dict['pki_webserver_path'], + "webapps") + config.pki_master_dict['pki_tomcat_webapps_root_path'] =\ + os.path.join(config.pki_master_dict['pki_tomcat_webapps_path'], + "ROOT") + config.pki_master_dict['pki_tomcat_webapps_root_webinf_path'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_webapps_root_path'], + "WEB-INF") + config.pki_master_dict['pki_tomcat_webapps_webinf_path'] =\ + os.path.join(config.pki_master_dict['pki_tomcat_webapps_path'], + "WEB-INF") + config.pki_master_dict['pki_tomcat_webapps_webinf_classes_path'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_webapps_webinf_path'], + "classes") + 
config.pki_master_dict['pki_tomcat_webapps_webinf_lib_path'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_webapps_webinf_path'], + "lib") + config.pki_master_dict['pki_tomcat_webapps_root_webinf_web_xml'] =\ + os.path.join( + config.pki_master_dict\ + ['pki_tomcat_webapps_root_webinf_path'], + "web.xml") + # Instance-based Tomcat webserver log name/value pairs + # Instance-based Tomcat webserver configuration name/value pairs + # Instance-based Tomcat webserver registry name/value pairs + # Instance-based Tomcat webserver convenience symbolic links + config.pki_master_dict['pki_tomcat_bin_link'] =\ + os.path.join(config.pki_master_dict['pki_webserver_path'], + "bin") + config.pki_master_dict['pki_tomcat_lib_link'] =\ + os.path.join(config.pki_master_dict['pki_webserver_path'], + "lib") + config.pki_master_dict['pki_webserver_systemd_link'] =\ + os.path.join(config.pki_master_dict['pki_webserver_path'], + config.pki_master_dict['pki_instance_id']) + # Instance-based Apache/Tomcat webserver convenience symbolic links + config.pki_master_dict['pki_webserver_database_link'] =\ + os.path.join(config.pki_master_dict['pki_webserver_path'], + "alias") + config.pki_master_dict['pki_webserver_conf_link'] =\ + os.path.join(config.pki_master_dict['pki_webserver_path'], + "conf") + config.pki_master_dict['pki_webserver_logs_link'] =\ + os.path.join(config.pki_master_dict['pki_webserver_path'], + "logs") + # Instance-based PKI subsystem base name/value pairs + config.pki_master_dict['pki_subsystem_path'] =\ + os.path.join(config.pki_master_dict['pki_webserver_path'], + config.pki_master_dict['pki_subsystem'].lower()) + # Instance-based PKI subsystem log name/value pairs + config.pki_master_dict['pki_subsystem_log_path'] =\ + os.path.join(config.pki_master_dict['pki_webserver_log_path'], + config.pki_master_dict['pki_subsystem'].lower()) + # Instance-based PKI subsystem configuration name/value pairs + config.pki_master_dict['pki_subsystem_configuration_path'] =\ + 
os.path.join( + config.pki_master_dict['pki_webserver_configuration_path'], + config.pki_master_dict['pki_subsystem'].lower()) + # Instance-based PKI subsystem registry name/value pairs + config.pki_master_dict['pki_subsystem_registry_path'] =\ + os.path.join(config.pki_master_dict['pki_webserver_registry_path'], + config.pki_master_dict['pki_subsystem'].lower()) + # Instance-based Apache/Tomcat PKI subsystem name/value pairs + if config.pki_master_dict['pki_subsystem'] in\ + config.PKI_APACHE_SUBSYSTEMS: + # Instance-based Apache PKI subsystem base name/value pairs + # Instance-based Apache PKI subsystem log name/value pairs + if config.pki_master_dict['pki_subsystem'] == "TPS": + config.pki_master_dict['pki_subsystem_signed_audit_log_path'] =\ + os.path.join(config.pki_master_dict['pki_subsystem_log_path'], + "signedAudit") + # Instance-based Apache PKI subsystem configuration name/value pairs + # Instance-based Apache PKI subsystem registry name/value pairs + # Instance-based Apache PKI subsystem convenience symbolic links + elif config.pki_master_dict['pki_subsystem'] in\ + config.PKI_TOMCAT_SUBSYSTEMS: + # Instance-based Tomcat PKI subsystem base name/value pairs + config.pki_master_dict['pki_tomcat_webapps_subsystem_path'] =\ + os.path.join(config.pki_master_dict['pki_tomcat_webapps_path'], + config.pki_master_dict['pki_subsystem'].lower()) + if config.pki_master_dict['pki_subsystem'] == "CA": + config.pki_master_dict['pki_subsystem_emails_path'] =\ + os.path.join(config.pki_master_dict['pki_subsystem_path'], + "emails") + config.pki_master_dict['pki_subsystem_profiles_path'] =\ + os.path.join(config.pki_master_dict['pki_subsystem_path'], + "profiles") + # Instance-based Tomcat PKI subsystem log name/value pairs + config.pki_master_dict['pki_subsystem_signed_audit_log_path'] =\ + os.path.join(config.pki_master_dict['pki_subsystem_log_path'], + "signedAudit") + # Instance-based Tomcat PKI subsystem configuration name/value pairs + # Instance-based Tomcat PKI 
subsystem registry name/value pairs + # Instance-based Tomcat PKI subsystem convenience symbolic links + config.pki_master_dict['pki_subsystem_tomcat_webapps_link'] =\ + os.path.join(config.pki_master_dict['pki_subsystem_path'], + "webapps") + config.pki_master_dict\ + ['pki_tomcat_webapps_subsystem_webinf_classes_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_webapps_subsystem_path'], + "WEB-INF", + "classes") + config.pki_master_dict\ + ['pki_tomcat_webapps_subsystem_webinf_lib_link'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_webapps_subsystem_path'], + "WEB-INF", + "lib") + # Instance-based Apache/Tomcat PKI subsystem convenience symbolic links + config.pki_master_dict['pki_subsystem_database_link'] =\ + os.path.join(config.pki_master_dict['pki_subsystem_path'], + "alias") + config.pki_master_dict['pki_subsystem_conf_link'] =\ + os.path.join(config.pki_master_dict['pki_subsystem_path'], + "conf") + config.pki_master_dict['pki_subsystem_logs_link'] =\ + os.path.join(config.pki_master_dict['pki_subsystem_path'], + "logs") + # PKI Target (slot substitution) name/value pairs + config.pki_master_dict['pki_target_cs_cfg'] =\ + os.path.join( + config.pki_master_dict['pki_subsystem_configuration_path'], + "CS.cfg") + config.pki_master_dict['pki_target_registry'] =\ + os.path.join(config.pki_master_dict['pki_subsystem_registry_path'], + config.pki_master_dict['pki_instance_id']) + if config.pki_master_dict['pki_subsystem'] in\ + config.PKI_TOMCAT_SUBSYSTEMS: + config.pki_master_dict['pki_target_catalina_properties'] =\ + os.path.join( + config.pki_master_dict['pki_subsystem_configuration_path'], + "catalina.properties") + config.pki_master_dict['pki_target_servercertnick_conf'] =\ + os.path.join( + config.pki_master_dict['pki_subsystem_configuration_path'], + "serverCertNick.conf") + config.pki_master_dict['pki_target_server_xml'] =\ + os.path.join( + config.pki_master_dict['pki_subsystem_configuration_path'], + "server.xml") + 
config.pki_master_dict['pki_target_tomcat_conf'] =\ + config.pki_master_dict['pki_root_prefix'] +\ + "/etc/sysconfig/" +\ + config.pki_master_dict['pki_instance_id'] + config.pki_master_dict['pki_target_index_jsp'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_webapps_root_path'], + "index.jsp") + # in-place slot substitution name/value pairs + config.pki_master_dict['pki_target_velocity_properties'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_webapps_subsystem_path'], + "WEB-INF", + "velocity.properties") + config.pki_master_dict['pki_target_subsystem_web_xml'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_webapps_subsystem_path'], + "WEB-INF", + "web.xml") + # subystem-specific slot substitution name/value pairs + if config.pki_master_dict['pki_subsystem'] == "CA": + config.pki_master_dict['pki_target_proxy_conf'] =\ + os.path.join(config.pki_master_dict\ + ['pki_subsystem_configuration_path'], + "proxy.conf") + # in-place slot substitution name/value pairs + config.pki_master_dict['pki_target_profileselect_template'] =\ + os.path.join( + config.pki_master_dict\ + ['pki_tomcat_webapps_subsystem_path'], + "ee", + config.pki_master_dict['pki_subsystem'].lower(), + "ProfileSelect.template") + # Slot assignment name/value pairs + # NOTE: Master key == Slots key; Master value ==> Slots value + config.pki_master_dict['PKI_INSTANCE_ID_SLOT'] =\ + config.pki_master_dict['pki_instance_id'] + config.pki_master_dict['PKI_INSTANCE_INITSCRIPT_SLOT'] =\ + os.path.join(config.pki_master_dict['pki_subsystem_path'], + config.pki_master_dict['pki_instance_id']) + config.pki_master_dict['PKI_LOCKDIR_SLOT'] =\ + os.path.join("/var/lock/pki", + config.pki_master_dict['pki_subsystem'].lower()) + config.pki_master_dict['PKI_PIDDIR_SLOT'] =\ + os.path.join("/var/run/pki", + config.pki_master_dict['pki_subsystem'].lower()) + config.pki_master_dict['PKI_REGISTRY_FILE_SLOT'] =\ + os.path.join(config.pki_master_dict['pki_subsystem_registry_path'], + 
config.pki_master_dict['pki_instance_id']) + if config.pki_master_dict['pki_subsystem'] in\ + config.PKI_APACHE_SUBSYSTEMS: + config.pki_master_dict['FORTITUDE_APACHE_SLOT'] = None + config.pki_master_dict['FORTITUDE_AUTH_MODULES_SLOT'] = None + config.pki_master_dict['FORTITUDE_DIR_SLOT'] = None + config.pki_master_dict['FORTITUDE_LIB_DIR_SLOT'] = None + config.pki_master_dict['FORTITUDE_MODULE_SLOT'] = None + config.pki_master_dict['FORTITUDE_NSS_MODULES_SLOT'] = None + config.pki_master_dict['HTTPD_CONF_SLOT'] = None + config.pki_master_dict['LIB_PREFIX_SLOT'] = None + config.pki_master_dict['NON_CLIENTAUTH_SECURE_PORT_SLOT'] = None + config.pki_master_dict['NSS_CONF_SLOT'] = None + config.pki_master_dict['OBJ_EXT_SLOT'] = None + config.pki_master_dict['PORT_SLOT'] = None + config.pki_master_dict['PROCESS_ID_SLOT'] = None + config.pki_master_dict['REQUIRE_CFG_PL_SLOT'] = None + config.pki_master_dict['SECURE_PORT_SLOT'] = None + config.pki_master_dict['SECURITY_LIBRARIES_SLOT'] = None + config.pki_master_dict['SERVER_NAME_SLOT'] = None + config.pki_master_dict['SERVER_ROOT_SLOT'] = None + config.pki_master_dict['SYSTEM_LIBRARIES_SLOT'] = None + config.pki_master_dict['SYSTEM_USER_LIBRARIES_SLOT'] = None + config.pki_master_dict['TMP_DIR_SLOT'] = None + config.pki_master_dict['TPS_DIR_SLOT'] = None + elif config.pki_master_dict['pki_subsystem'] in\ + config.PKI_TOMCAT_SUBSYSTEMS: + config.pki_master_dict['INSTALL_TIME_SLOT'] =\ + config.pki_master_dict['pki_install_time'] + config.pki_master_dict['PKI_ADMIN_SECURE_PORT_SLOT'] =\ + config.pki_master_dict['pki_https_port'] + config.pki_master_dict\ + ['PKI_ADMIN_SECURE_PORT_CONNECTOR_NAME_SLOT'] =\ + "Unused" + config.pki_master_dict\ + ['PKI_ADMIN_SECURE_PORT_SERVER_COMMENT_SLOT'] =\ + "" + config.pki_master_dict['PKI_AGENT_CLIENTAUTH_SLOT'] =\ + "agent" + config.pki_master_dict['PKI_AGENT_SECURE_PORT_SLOT'] =\ + config.pki_master_dict['pki_https_port'] + config.pki_master_dict['PKI_AJP_PORT_SLOT'] =\ + 
config.pki_master_dict['pki_ajp_port'] + config.pki_master_dict['PKI_AJP_REDIRECT_PORT_SLOT'] =\ + config.pki_master_dict['pki_https_port'] + config.pki_master_dict['PKI_CERT_DB_PASSWORD_SLOT'] =\ + config.pki_master_dict['pki_pin'] + config.pki_master_dict['PKI_CFG_PATH_NAME_SLOT'] =\ + config.pki_master_dict['pki_target_cs_cfg'] + config.pki_master_dict['PKI_CLOSE_AJP_PORT_COMMENT_SLOT'] =\ + "-->" + config.pki_master_dict['PKI_CLOSE_ENABLE_PROXY_COMMENT_SLOT'] =\ + "-->" + config.pki_master_dict\ + ['PKI_CLOSE_SEPARATE_PORTS_SERVER_COMMENT_SLOT'] =\ + "-->" + config.pki_master_dict\ + ['PKI_CLOSE_SEPARATE_PORTS_WEB_COMMENT_SLOT'] =\ + "-->" + config.pki_master_dict['PKI_EE_SECURE_CLIENT_AUTH_PORT_SLOT'] =\ + config.pki_master_dict['pki_https_port'] + config.pki_master_dict\ + ['PKI_EE_SECURE_CLIENT_AUTH_PORT_CONNECTOR_NAME_SLOT'] =\ + "Unused" + config.pki_master_dict\ + ['PKI_EE_SECURE_CLIENT_AUTH_PORT_SERVER_COMMENT_SLOT'] =\ + "" + config.pki_master_dict['PKI_EE_SECURE_CLIENT_AUTH_PORT_UI_SLOT'] =\ + config.pki_master_dict['pki_https_port'] + config.pki_master_dict['PKI_EE_SECURE_PORT_SLOT'] =\ + config.pki_master_dict['pki_https_port'] + config.pki_master_dict['PKI_EE_SECURE_PORT_CONNECTOR_NAME_SLOT'] =\ + "Unused" + config.pki_master_dict['PKI_EE_SECURE_PORT_SERVER_COMMENT_SLOT'] =\ + "" + config.pki_master_dict['PKI_FLAVOR_SLOT'] =\ + "pki" + config.pki_master_dict['PKI_GROUP_SLOT'] =\ + config.pki_master_dict['pki_group'] + config.pki_master_dict['PKI_INSTANCE_PATH_SLOT'] =\ + config.pki_master_dict['pki_subsystem_path'] + config.pki_master_dict['PKI_INSTANCE_ROOT_SLOT'] =\ + config.pki_master_dict['pki_webserver_path'] + config.pki_master_dict['PKI_MACHINE_NAME_SLOT'] =\ + config.pki_master_dict['pki_hostname'] + config.pki_master_dict['PKI_OPEN_AJP_PORT_COMMENT_SLOT'] =\ + "" + config.pki_master_dict['PKI_SECURITY_MANAGER_SLOT'] =\ + config.pki_master_dict['pki_security_manager'] + config.pki_master_dict['PKI_SERVER_XML_CONF_SLOT'] =\ + 
config.pki_master_dict['pki_target_server_xml'] + config.pki_master_dict['PKI_SUBSYSTEM_TYPE_SLOT'] =\ + config.pki_master_dict['pki_subsystem'].lower() + config.pki_master_dict['PKI_SYSTEMD_SERVICENAME_SLOT'] =\ + "pki-" + config.pki_master_dict['pki_subsystem'].lower() +\ + "d" + "@" + "pki-" +\ + config.pki_master_dict['pki_subsystem'].lower() + ".service" + config.pki_master_dict['PKI_UNSECURE_PORT_SLOT'] =\ + config.pki_master_dict['pki_http_port'] + config.pki_master_dict['PKI_UNSECURE_PORT_CONNECTOR_NAME_SLOT'] =\ + "Unsecure" + config.pki_master_dict['PKI_UNSECURE_PORT_SERVER_COMMENT_SLOT'] =\ + "" + config.pki_master_dict['PKI_USER_SLOT'] =\ + config.pki_master_dict['pki_user'] + config.pki_master_dict['PKI_WEBAPPS_NAME_SLOT'] =\ + "webapps" + config.pki_master_dict['TOMCAT_CFG_SLOT'] =\ + config.pki_master_dict['pki_target_tomcat_conf'] + config.pki_master_dict['TOMCAT_INSTANCE_COMMON_LIB_SLOT'] =\ + os.path.join( + config.pki_master_dict['pki_tomcat_common_lib_path'], + "*.jar") + config.pki_master_dict['TOMCAT_LOG_DIR_SLOT'] =\ + config.pki_master_dict['pki_subsystem_log_path'] + config.pki_master_dict['TOMCAT_PIDFILE_SLOT'] =\ + "/var/run/" + config.pki_master_dict['pki_instance_id'] + ".pid" + config.pki_master_dict['TOMCAT_SERVER_PORT_SLOT'] =\ + config.pki_master_dict['tomcat_server_port'] + config.pki_master_dict['TOMCAT_SSL2_CIPHERS_SLOT'] =\ + "-SSL2_RC4_128_WITH_MD5," +\ + "-SSL2_RC4_128_EXPORT40_WITH_MD5," +\ + "-SSL2_RC2_128_CBC_WITH_MD5," +\ + "-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5," +\ + "-SSL2_DES_64_CBC_WITH_MD5," +\ + "-SSL2_DES_192_EDE3_CBC_WITH_MD5" + config.pki_master_dict['TOMCAT_SSL3_CIPHERS_SLOT'] =\ + "-SSL3_FORTEZZA_DMS_WITH_NULL_SHA," +\ + "-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA," +\ + "+SSL3_RSA_WITH_RC4_128_SHA," +\ + "-SSL3_RSA_EXPORT_WITH_RC4_40_MD5," +\ + "+SSL3_RSA_WITH_3DES_EDE_CBC_SHA," +\ + "+SSL3_RSA_WITH_DES_CBC_SHA," +\ + "-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5," +\ + "-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA," +\ + 
"-SSL_RSA_FIPS_WITH_DES_CBC_SHA," +\ + "+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA," +\ + "-SSL3_RSA_WITH_NULL_MD5," +\ + "-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA," +\ + "-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," +\ + "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" + config.pki_master_dict['TOMCAT_SSL_OPTIONS_SLOT'] =\ + "ssl2=true," +\ + "ssl3=true," +\ + "tls=true" + config.pki_master_dict['TOMCAT_TLS_CIPHERS_SLOT'] =\ + "-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA," +\ + "-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA," +\ + "+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA," +\ + "+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA," +\ + "+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA," +\ + "-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA," +\ + "+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA," +\ + "+TLS_RSA_WITH_3DES_EDE_CBC_SHA," +\ + "+TLS_RSA_WITH_AES_128_CBC_SHA," +\ + "+TLS_RSA_WITH_AES_256_CBC_SHA," +\ + "+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA," +\ + "+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA," +\ + "-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA," +\ + "-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," +\ + "-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA," +\ + "+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA," +\ + "+TLS_DHE_DSS_WITH_AES_128_CBC_SHA," +\ + "+TLS_DHE_DSS_WITH_AES_256_CBC_SHA," +\ + "+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA," +\ + "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA," +\ + "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA" + # Shared Apache/Tomcat NSS security database name/value pairs + config.pki_master_dict['pki_shared_password_conf'] =\ + os.path.join( + config.pki_master_dict['pki_instance_configuration_path'], + "password.conf") + config.pki_master_dict['pki_cert_database'] =\ + os.path.join(config.pki_master_dict['pki_database_path'], + "cert8.db") + config.pki_master_dict['pki_key_database'] =\ + os.path.join(config.pki_master_dict['pki_database_path'], + "key3.db") + config.pki_master_dict['pki_secmod_database'] =\ + os.path.join(config.pki_master_dict['pki_database_path'], + "secmod.db") + config.pki_master_dict['pki_self_signed_token'] = "internal" + 
config.pki_master_dict['pki_self_signed_nickname'] =\ + "Server-Cert cert-" + config.pki_master_dict['pki_instance_id'] + config.pki_master_dict['pki_self_signed_subject'] =\ + "CN=" + config.pki_master_dict['pki_hostname'] + "," +\ + "O=" + config.pki_master_dict['pki_certificate_timestamp'] + config.pki_master_dict['pki_self_signed_serial_number'] = 0 + config.pki_master_dict['pki_self_signed_validity_period'] = 12 + config.pki_master_dict['pki_self_signed_issuer_name'] =\ + "CN=" + config.pki_master_dict['pki_hostname'] + "," +\ + "O=" + config.pki_master_dict['pki_certificate_timestamp'] + config.pki_master_dict['pki_self_signed_trustargs'] = "CTu,CTu,CTu" + config.pki_master_dict['pki_self_signed_noise_file'] =\ + os.path.join( + config.pki_master_dict['pki_subsystem_configuration_path'], + "noise") + config.pki_master_dict['pki_self_signed_noise_bytes'] = 1024 + # Shared Apache/Tomcat NSS security database convenience symbolic links + config.pki_master_dict\ + ['pki_subsystem_configuration_password_conf_link'] =\ + os.path.join( + config.pki_master_dict['pki_subsystem_configuration_path'], + "password.conf") + except OSError as exc: + config.pki_log.error(log.PKI_OSERROR_1, exc, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) return + + +def compose_pki_slots_dictionary(): + """Read the slots configuration file to create + the appropriate PKI slots dictionary""" + rv = 0 + try: + config.pki_slots_dict = dict() + parser = ConfigParser.ConfigParser() + # Make keys case-sensitive! + parser.optionxform = str + parser.read(config.PKI_DEPLOYMENT_SLOTS_CONFIGURATION_FILE) + # Slots configuration file name/value pairs + if config.pki_subsystem in config.PKI_APACHE_SUBSYSTEMS: + config.pki_slots_dict = dict(parser._sections['Apache']) + elif config.pki_subsystem in config.PKI_TOMCAT_SUBSYSTEMS: + config.pki_slots_dict = dict(parser._sections['Tomcat']) + except ConfigParser.ParsingError, err: + rv = err + return rv 
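Review bot: The hard-coded TLS defaults in `TOMCAT_SSL_OPTIONS_SLOT` and the cipher slots enable SSLv2 and SSLv3 (`"ssl2=true," +\ "ssl3=true," +\ "tls=true"`) and switch on 56-bit DES and RC4 suites (`+SSL3_RSA_WITH_DES_CBC_SHA`, `+SSL3_RSA_WITH_RC4_128_SHA`) for every server.xml the scriptlets render; set `ssl2=false` at minimum, prefix the DES/RC4 entries with `-`, and consider sourcing the protocol and cipher lists from the deployment configuration so an installation can tighten them without editing this function. `PKI_CERT_DB_PASSWORD_SLOT` copies `pki_pin` into the master dictionary, so any dump of `pki_master_dict` (for example at debug level) would expose the NSS database password; a comment such as `# NOTE: pki_pin is a secret -- never log pki_master_dict wholesale` next to that assignment would make the constraint visible. The `except OSError` that closes compose_pki_master_dictionary does not match what this body can raise — a missing configuration key surfaces as KeyError and propagates as a traceback — and its handler calls `sys.exit(1)` although `sys` is not among the imports visible in this diff, so confirm it is imported elsewhere in pkiparser.py. In compose_pki_slots_dictionary, `parser.read()` returns silently when `PKI_DEPLOYMENT_SLOTS_CONFIGURATION_FILE` is absent and `parser._sections['Apache']` then raises KeyError, while a ParsingError is returned as `rv = err`, an exception object where the initial `rv = 0` is an int; checking the list returned by `parser.read()` and returning a consistent status would let the caller detect both failure modes. The bootstrap self-signed certificate is also installed with `CTu,CTu,CTu` trust flags, which makes a temporary server certificate a trusted CA for peer verification in the shared database; unless a later scriptlet relies on that, `u,u,u` is the narrower choice.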
diff --git a/base/deploy/src/scriptlets/security_databases.py b/base/deploy/src/scriptlets/security_databases.py
index 093e5ec36..f32b7e497 100644
--- a/base/deploy/src/scriptlets/security_databases.py
+++ b/base/deploy/src/scriptlets/security_databases.py
@@ -22,6 +22,7 @@
 # PKI Deployment Imports
 import pkiconfig as config
 from pkiconfig import pki_master_dict as master
+import pkihelper as util
 import pkimessages as log
 import pkiscriptlet
 
@@ -33,20 +34,96 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): def spawn(self): config.pki_log.info(log.SECURITY_DATABASES_SPAWN_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) - config.pki_log.info("NOT YET IMPLEMENTED", - extra=config.PKI_INDENTATION_LEVEL_2) + if not config.pki_dry_run_flag: + util.password.create_password_conf( + master['pki_shared_password_conf']) + util.file.modify(master['pki_shared_password_conf']) + util.certutil.create_security_databases( + master['pki_database_path'], + master['pki_shared_password_conf']) + util.file.modify(master['pki_cert_database'], perms=\ + config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS) + util.file.modify(master['pki_key_database'], perms=\ + config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS) + util.file.modify(master['pki_secmod_database'], perms=\ + config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS) + rv = util.certutil.verify_certificate_exists( + master['pki_database_path'], + master['pki_self_signed_token'], + master['pki_self_signed_nickname'], + password_file=master['pki_shared_password_conf']) + if not rv: + util.file.generate_noise_file( + master['pki_self_signed_noise_file'], + master['pki_self_signed_noise_bytes']) + util.certutil.generate_self_signed_certificate( + master['pki_database_path'], + master['pki_self_signed_token'], + master['pki_self_signed_nickname'], + master['pki_self_signed_subject'], + master['pki_self_signed_serial_number'], + master['pki_self_signed_validity_period'], + master['pki_self_signed_issuer_name'], + master['pki_self_signed_trustargs'], + master['pki_self_signed_noise_file'], + password_file=master['pki_shared_password_conf']) + util.file.delete(master['pki_self_signed_noise_file']) + else: + util.password.create_password_conf( + master['pki_shared_password_conf']) + util.certutil.create_security_databases( + master['pki_database_path'], + master['pki_shared_password_conf']) + rv = util.certutil.verify_certificate_exists( 
+ master['pki_database_path'], + master['pki_self_signed_token'], + master['pki_self_signed_nickname'], + password_file=master['pki_shared_password_conf']) + if not rv: + util.file.generate_noise_file( + master['pki_self_signed_noise_file'], + master['pki_self_signed_noise_bytes']) + util.certutil.generate_self_signed_certificate( + master['pki_database_path'], + master['pki_self_signed_token'], + master['pki_self_signed_nickname'], + master['pki_self_signed_subject'], + master['pki_self_signed_serial_number'], + master['pki_self_signed_validity_period'], + master['pki_self_signed_issuer_name'], + master['pki_self_signed_trustargs'], + master['pki_self_signed_noise_file'], + password_file=master['pki_shared_password_conf']) return self.rv def respawn(self): config.pki_log.info(log.SECURITY_DATABASES_RESPAWN_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) - config.pki_log.info("NOT YET IMPLEMENTED", - extra=config.PKI_INDENTATION_LEVEL_2) + util.file.modify(master['pki_shared_password_conf']) + util.file.modify(master['pki_cert_database'], + perms=config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS) + util.file.modify(master['pki_key_database'], + perms=config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS) + util.file.modify(master['pki_secmod_database'], + perms=config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS) return self.rv def destroy(self): config.pki_log.info(log.SECURITY_DATABASES_DESTROY_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) - config.pki_log.info("NOT YET IMPLEMENTED", - extra=config.PKI_INDENTATION_LEVEL_2) + if not config.pki_dry_run_flag: + if master['pki_subsystem'] in config.PKI_SUBSYSTEMS and\ + util.instance.pki_subsystem_instances() == 0: + util.file.delete(master['pki_cert_database']) + util.file.delete(master['pki_key_database']) + util.file.delete(master['pki_secmod_database']) + util.file.delete(master['pki_shared_password_conf']) + else: + # ALWAYS display correct information (even during dry_run) + if 
master['pki_subsystem'] in config.PKI_SUBSYSTEMS and\ + util.instance.pki_subsystem_instances() == 1: + util.file.delete(master['pki_cert_database']) + util.file.delete(master['pki_key_database']) + util.file.delete(master['pki_secmod_database']) + util.file.delete(master['pki_shared_password_conf']) return self.rv diff --git a/base/deploy/src/scriptlets/slot_assignment.py b/base/deploy/src/scriptlets/slot_assignment.py deleted file mode 100644 index 6b23ea621..000000000 --- a/base/deploy/src/scriptlets/slot_assignment.py +++ /dev/null 
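Review bot: In spawn(), the shared password file is the one new artifact set up without an explicit mode — `util.file.modify(master['pki_shared_password_conf'])` — while the cert, key and secmod databases right below it get `PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS`; unless file.modify's default mode is already owner-only, the file holding the database password in clear should be at least as restricted as the database it unlocks, e.g. `util.file.modify(master['pki_shared_password_conf'], perms=config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS)`, and the same applies to the first modify() call in respawn(). Separately, the local `rv` from verify_certificate_exists() only decides whether the self-signed branch runs; all three methods still return the class attribute `self.rv`, so unless the certutil helpers raise, a failed database or certificate creation is never reported to the caller. The trust flags passed through `master['pki_self_signed_trustargs']` are `"CTu,CTu,CTu"` per the pkiparser change in this commit, which marks the bootstrap server certificate as a trusted CA inside a database that every subsystem of the instance shares; a one-line comment on why CA trust (rather than `u,u,u`) is needed for this certificate would help the next reader.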
@@ -1,52 +0,0 @@ -#!/usr/bin/python -t -# Authors: -# Matthew Harmsen -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; version 2 of the License. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Copyright (C) 2012 Red Hat, Inc. -# All rights reserved. -# - -# PKI Deployment Imports -import pkiconfig as config -from pkiconfig import pki_master_dict as master -import pkimessages as log -import pkiscriptlet - - -# PKI Deployment Instance Population Classes -class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): - rv = 0 - - def spawn(self): - config.pki_log.info(log.SLOT_ASSIGNMENT_SPAWN_1, __name__, - extra=config.PKI_INDENTATION_LEVEL_1) - config.pki_log.info("NOT YET IMPLEMENTED", - extra=config.PKI_INDENTATION_LEVEL_2) - return self.rv - - def respawn(self): - config.pki_log.info(log.SLOT_ASSIGNMENT_RESPAWN_1, __name__, - extra=config.PKI_INDENTATION_LEVEL_1) - config.pki_log.info("NOT YET IMPLEMENTED", - extra=config.PKI_INDENTATION_LEVEL_2) - return self.rv - - def destroy(self): - config.pki_log.info(log.SLOT_ASSIGNMENT_DESTROY_1, __name__, - extra=config.PKI_INDENTATION_LEVEL_1) - config.pki_log.info("NOT YET IMPLEMENTED", - extra=config.PKI_INDENTATION_LEVEL_2) - return self.rv diff --git a/base/deploy/src/scriptlets/slot_substitution.py b/base/deploy/src/scriptlets/slot_substitution.py new file mode 100644 index 000000000..0a52af9f0 --- /dev/null +++ b/base/deploy/src/scriptlets/slot_substitution.py 
@@ -0,0 +1,120 @@ +#!/usr/bin/python -t +# Authors: +# Matthew Harmsen +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2012 Red Hat, Inc. +# All rights reserved. +# + +# PKI Deployment Imports +import pkiconfig as config +from pkiconfig import pki_master_dict as master +from pkiconfig import pki_slots_dict as slots +import pkihelper as util +import pkimessages as log +import pkiscriptlet + + +# PKI Deployment Instance Population Classes +class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): + rv = 0 + + def spawn(self): + config.pki_log.info(log.SLOT_ASSIGNMENT_SPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + util.file.copy_with_slot_substitution(master['pki_source_cs_cfg'], + master['pki_target_cs_cfg']) + util.file.copy_with_slot_substitution(master['pki_source_registry'], + master['pki_target_registry']) + if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + util.file.copy_with_slot_substitution( + master['pki_source_catalina_properties'], + master['pki_target_catalina_properties']) + util.file.copy_with_slot_substitution( + master['pki_source_servercertnick_conf'], + master['pki_target_servercertnick_conf']) + util.file.copy_with_slot_substitution( + master['pki_source_server_xml'], + master['pki_target_server_xml']) + util.file.copy_with_slot_substitution( + master['pki_source_tomcat_conf'], + 
master['pki_target_tomcat_conf'], + overwrite_flag=True) + util.file.copy_with_slot_substitution( + master['pki_source_index_jsp'], + master['pki_target_index_jsp'], + overwrite_flag=True) + util.file.apply_slot_substitution( + master['pki_target_velocity_properties']) + util.file.apply_slot_substitution( + master['pki_target_subsystem_web_xml']) + if master['pki_subsystem'] == "CA": + util.file.copy_with_slot_substitution( + master['pki_source_proxy_conf'], + master['pki_target_proxy_conf']) + util.file.apply_slot_substitution( + master['pki_target_profileselect_template']) + return self.rv + + def respawn(self): + config.pki_log.info(log.SLOT_ASSIGNMENT_RESPAWN_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + util.file.copy_with_slot_substitution(master['pki_source_cs_cfg'], + master['pki_target_cs_cfg'], + overwrite_flag=True) + util.file.copy_with_slot_substitution(master['pki_source_registry'], + master['pki_target_registry'], + overwrite_flag=True) + if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + util.file.copy_with_slot_substitution( + master['pki_source_catalina_properties'], + master['pki_target_catalina_properties'], + overwrite_flag=True) + util.file.copy_with_slot_substitution( + master['pki_source_servercertnick_conf'], + master['pki_target_servercertnick_conf'], + overwrite_flag=True) + util.file.copy_with_slot_substitution( + master['pki_source_server_xml'], + master['pki_target_server_xml'], + overwrite_flag=True) + util.file.copy_with_slot_substitution( + master['pki_source_tomcat_conf'], + master['pki_target_tomcat_conf'], + overwrite_flag=True) + util.file.copy_with_slot_substitution( + master['pki_source_index_jsp'], + master['pki_target_index_jsp'], + overwrite_flag=True) + util.file.apply_slot_substitution( + master['pki_target_velocity_properties']) + util.file.apply_slot_substitution( + master['pki_target_subsystem_web_xml']) + if master['pki_subsystem'] == "CA": + util.file.copy_with_slot_substitution( + 
master['pki_source_proxy_conf'], + master['pki_target_proxy_conf'], + overwrite_flag=True) + util.file.apply_slot_substitution( + master['pki_target_profileselect_template']) + return self.rv + + def destroy(self): + config.pki_log.info(log.SLOT_ASSIGNMENT_DESTROY_1, __name__, + extra=config.PKI_INDENTATION_LEVEL_1) + config.pki_log.info("NOTHING NEEDS TO BE IMPLEMENTED", + extra=config.PKI_INDENTATION_LEVEL_2) + return self.rv diff --git a/base/deploy/src/scriptlets/subsystem_layout.py b/base/deploy/src/scriptlets/subsystem_layout.py index b71fe39f0..7dc347167 100644 --- a/base/deploy/src/scriptlets/subsystem_layout.py +++ b/base/deploy/src/scriptlets/subsystem_layout.py 
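Review bot: spawn() and respawn() in the new file run the same sequence of copy_with_slot_substitution/apply_slot_substitution calls and differ only in whether `overwrite_flag=True` is passed (tomcat.conf and index.jsp are overwritten in both), so a single private helper taking the flag would keep the two file lists from drifting apart — assuming the helper's default for overwrite_flag is False, which the hunk does not show. `from pkiconfig import pki_slots_dict as slots` is imported but never referenced in the file; the substitution itself appears to happen inside util.file. The log constants are still the SLOT_ASSIGNMENT_* ones although the scriptlet was renamed to slot_substitution, which is worth either renaming or a comment.
```python
    def spawn(self):
        config.pki_log.info(log.SLOT_ASSIGNMENT_SPAWN_1, __name__,
                            extra=config.PKI_INDENTATION_LEVEL_1)
        self._substitute_slots(overwrite_flag=False)
        return self.rv

    def respawn(self):
        config.pki_log.info(log.SLOT_ASSIGNMENT_RESPAWN_1, __name__,
                            extra=config.PKI_INDENTATION_LEVEL_1)
        self._substitute_slots(overwrite_flag=True)
        return self.rv

    def _substitute_slots(self, overwrite_flag):
        """Populate the instance configuration from the slot templates.

        overwrite_flag applies to every target except tomcat.conf and
        index.jsp, which spawn() and respawn() both always overwrite.
        """
        util.file.copy_with_slot_substitution(master['pki_source_cs_cfg'],
                                              master['pki_target_cs_cfg'],
                                              overwrite_flag=overwrite_flag)
        util.file.copy_with_slot_substitution(master['pki_source_registry'],
                                              master['pki_target_registry'],
                                              overwrite_flag=overwrite_flag)
        if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
            # … unchanged: the Tomcat and nested CA copy/apply calls, each
            #   passing overwrite_flag=overwrite_flag except
            #   pki_target_tomcat_conf and pki_target_index_jsp (always True) …
```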
@@ -36,29 +36,38 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): extra=config.PKI_INDENTATION_LEVEL_1) # establish instance-based subsystem base util.directory.create(master['pki_subsystem_path']) - if master['pki_subsystem'] == "CA": - util.directory.copy(master['pki_source_emails'], - master['pki_subsystem_emails_path']) - util.directory.copy(master['pki_source_profiles'], - master['pki_subsystem_profiles_path']) # establish instance-based subsystem logs util.directory.create(master['pki_subsystem_log_path']) if master['pki_subsystem'] in config.PKI_SIGNED_AUDIT_SUBSYSTEMS: util.directory.create(master['pki_subsystem_signed_audit_log_path']) # establish instance-based subsystem configuration - util.directory.copy(master['pki_source_conf'], - master['pki_subsystem_configuration_path']) + util.directory.create(master['pki_subsystem_configuration_path']) + # util.directory.copy(master['pki_source_conf_path'], + # master['pki_subsystem_configuration_path']) # establish instance-based subsystem registry util.directory.create(master['pki_subsystem_registry_path']) - # establish convenience symbolic links - util.symlink.create(master['pki_database_path'], + # establish instance-based Apache/Tomcat specific subsystems + if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + # establish instance-based Tomcat PKI subsystem base + if master['pki_subsystem'] == "CA": + util.directory.copy(master['pki_source_emails'], + master['pki_subsystem_emails_path']) + util.directory.copy(master['pki_source_profiles'], + master['pki_subsystem_profiles_path']) + # establish instance-based Tomcat PKI subsystem logs + # establish instance-based Tomcat PKI subsystem configuration + # establish instance-based Tomcat PKI subsystem registry + # establish instance-based Tomcat PKI subsystem convenience + # symbolic links + util.symlink.create(master['pki_tomcat_webapps_path'], + master['pki_subsystem_tomcat_webapps_link']) + # establish instance-based subsystem convenience 
symbolic links + util.symlink.create(master['pki_webserver_database_link'], master['pki_subsystem_database_link']) util.symlink.create(master['pki_subsystem_configuration_path'], - master['pki_subsystem_configuration_link']) + master['pki_subsystem_conf_link']) util.symlink.create(master['pki_subsystem_log_path'], master['pki_subsystem_logs_link']) - util.symlink.create(master['pki_webapps_path'], - master['pki_subsystem_webapps_link']) return self.rv def respawn(self): 
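Review bot: The replacement of the configuration copy leaves commented-out code in the new code, `# util.directory.copy(master['pki_source_conf_path'],` / `#                     master['pki_subsystem_configuration_path'])`, plus three "establish instance-based Tomcat PKI subsystem logs/configuration/registry" comments with no statement under them; either drop them or collapse them into one `# TODO: ...` line that says what is still to be ported, so a reader knows the conf copy appears to have moved to the slot_substitution scriptlet rather than been forgotten. The respawn hunk below carries the same commented-out copy and the same empty placeholders. The subsystem database link now points at `master['pki_webserver_database_link']`, which webserver_layout in this commit creates as a symlink to the instance database link; a short comment naming the chain (instance → webserver → subsystem) would save the next person from resolving it by hand.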
@@ -66,28 +75,37 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): extra=config.PKI_INDENTATION_LEVEL_1) # update instance-based subsystem base util.directory.modify(master['pki_subsystem_path']) - if master['pki_subsystem'] == "CA": - util.directory.copy(master['pki_source_emails'], - master['pki_subsystem_emails_path'], - overwrite_flag=True) - util.directory.copy(master['pki_source_profiles'], - master['pki_subsystem_profiles_path'], - overwrite_flag=True) # update instance-based subsystem logs util.directory.modify(master['pki_subsystem_log_path']) if master['pki_subsystem'] in config.PKI_SIGNED_AUDIT_SUBSYSTEMS: util.directory.modify(master['pki_subsystem_signed_audit_log_path']) # update instance-based subsystem configuration - util.directory.copy(master['pki_source_conf'], - master['pki_subsystem_configuration_path'], - overwrite_flag=True) + util.directory.modify(master['pki_subsystem_configuration_path']) + # util.directory.copy(master['pki_source_conf_path'], + # master['pki_subsystem_configuration_path']) + # overwrite_flag=True) # update instance-based subsystem registry util.directory.modify(master['pki_subsystem_registry_path']) - # update convenience symbolic links + # establish instance-based Apache/Tomcat specific subsystems + if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + # update instance-based Tomcat PKI subsystem base + if master['pki_subsystem'] == "CA": + util.directory.copy(master['pki_source_emails'], + master['pki_subsystem_emails_path'], + overwrite_flag=True) + util.directory.copy(master['pki_source_profiles'], + master['pki_subsystem_profiles_path'], + overwrite_flag=True) + # update instance-based Tomcat PKI subsystem logs + # update instance-based Tomcat PKI subsystem configuration + # update instance-based Tomcat PKI subsystem registry + # update instance-based Tomcat PKI subsystem convenience + # symbolic links + util.symlink.modify(master['pki_subsystem_tomcat_webapps_link']) + # update instance-based 
subsystem convenience symbolic links util.symlink.modify(master['pki_subsystem_database_link']) - util.symlink.modify(master['pki_subsystem_configuration_link']) + util.symlink.modify(master['pki_subsystem_conf_link']) util.symlink.modify(master['pki_subsystem_logs_link']) - util.symlink.modify(master['pki_subsystem_webapps_link']) return self.rv def destroy(self): @@ -95,10 +113,12 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): extra=config.PKI_INDENTATION_LEVEL_1) # remove instance-based subsystem base if master['pki_subsystem'] == "CA": - util.directory.delete(master['pki_subsystem_profiles_path']) util.directory.delete(master['pki_subsystem_emails_path']) + util.directory.delete(master['pki_subsystem_profiles_path']) util.directory.delete(master['pki_subsystem_path']) # remove instance-based subsystem logs + if master['pki_subsystem'] in config.PKI_SIGNED_AUDIT_SUBSYSTEMS: + util.directory.delete(master['pki_subsystem_signed_audit_log_path']) util.directory.delete(master['pki_subsystem_log_path']) # remove instance-based subsystem configuration util.directory.delete(master['pki_subsystem_configuration_path']) diff --git a/base/deploy/src/scriptlets/war_explosion.py b/base/deploy/src/scriptlets/war_explosion.py index 4f235d8d7..1a89c9f7c 100644 --- a/base/deploy/src/scriptlets/war_explosion.py +++ b/base/deploy/src/scriptlets/war_explosion.py 
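Review bot: destroy() now removes `master['pki_subsystem_signed_audit_log_path']` for every subsystem in PKI_SIGNED_AUDIT_SUBSYSTEMS with no further condition, so signed audit records are discarded as soon as the subsystem is torn down; where those logs serve as evidence they are usually expected to outlive the instance, so this removal deserves at least its own log line at the point of deletion, and arguably an explicit opt-in. If the audit path sits under `pki_subsystem_log_path`, the deletion on the next line already covered it before this change and the added call is merely redundant — the hunk does not show which case applies.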
@@ -36,16 +36,16 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): config.pki_log.info(log.WAR_EXPLOSION_SPAWN_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) # deploy war file - util.directory.create(master['pki_webapps_subsystem_path']) + util.directory.create(master['pki_tomcat_webapps_subsystem_path']) util.war.explode(master['pki_war'], - master['pki_webapps_subsystem_path']) + master['pki_tomcat_webapps_subsystem_path']) # establish convenience symbolic links - util.symlink.create(master['pki_webapps_webinf_classes_path'], - master['pki_webapps_subsystem_webinf_classes_link']) - util.symlink.create(master['pki_webapps_webinf_lib_path'], - master['pki_webapps_subsystem_webinf_lib_link']) + util.symlink.create(master['pki_tomcat_webapps_webinf_classes_path'], + master['pki_tomcat_webapps_subsystem_webinf_classes_link']) + util.symlink.create(master['pki_tomcat_webapps_webinf_lib_path'], + master['pki_tomcat_webapps_subsystem_webinf_lib_link']) # set ownerships, permissions, and acls - util.directory.set_mode(master['pki_webapps_subsystem_path']) + util.directory.set_mode(master['pki_tomcat_webapps_subsystem_path']) return self.rv def respawn(self): 
@@ -53,17 +53,17 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): config.pki_log.info(log.WAR_EXPLOSION_RESPAWN_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) # redeploy war file - util.directory.modify(master['pki_webapps_subsystem_path']) + util.directory.modify(master['pki_tomcat_webapps_subsystem_path']) util.war.explode(master['pki_war'], - master['pki_webapps_subsystem_path']) + master['pki_tomcat_webapps_subsystem_path']) # update ownerships, permissions, and acls # NOTE: This includes existing convenience symbolic links - util.directory.set_mode(master['pki_webapps_subsystem_path']) + util.directory.set_mode(master['pki_tomcat_webapps_subsystem_path']) return self.rv def destroy(self): if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: config.pki_log.info(log.WAR_EXPLOSION_DESTROY_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) - util.directory.delete(master['pki_webapps_subsystem_path']) + util.directory.delete(master['pki_tomcat_webapps_subsystem_path']) return self.rv diff --git a/base/deploy/src/scriptlets/webserver_layout.py b/base/deploy/src/scriptlets/webserver_layout.py index 9b3deb7b4..ca24b7000 100644 --- a/base/deploy/src/scriptlets/webserver_layout.py +++ b/base/deploy/src/scriptlets/webserver_layout.py 
@@ -35,85 +35,118 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): config.pki_log.info(log.WEBSERVER_SPAWN_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) # establish instance-based webserver base - if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS: - util.directory.create(master['pki_apache_path']) - elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: - util.directory.create(master['pki_tomcat_path']) - util.directory.create(master['pki_common_path']) - util.directory.create(master['pki_common_lib_path']) - util.directory.create(master['pki_conf_path']) - util.directory.create(master['pki_webapps_path']) - util.directory.create(master['pki_webapps_root_path']) - util.directory.create(master['pki_webapps_root_webinf_path']) - util.directory.create(master['pki_webapps_webinf_path']) - util.directory.create(master['pki_webapps_webinf_classes_path']) - util.directory.create(master['pki_webapps_webinf_lib_path']) + util.directory.create(master['pki_webserver_path']) + # establish instance-based webserver logs + util.directory.create(master['pki_webserver_log_path']) # establish instance-based webserver configuration - util.directory.create(master['pki_database_path']) - # establish convenience symbolic links - util.symlink.create(master['pki_database_path'], - master['pki_instance_database_link']) - util.symlink.create(master['pki_tomcat_bin_path'], - master['pki_tomcat_bin_link']) - util.symlink.create(master['pki_tomcat_lib_path'], - master['pki_tomcat_lib_link']) - util.symlink.create(master['pki_instance_log_path'], - master['pki_tomcat_logs_link']) + util.directory.create(master['pki_webserver_configuration_path']) + # establish instance-based webserver registry + util.directory.create(master['pki_webserver_registry_path']) + # establish instance-based Apache/Tomcat specific webserver + if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + # establish instance-based Tomcat webserver base + 
util.directory.create(master['pki_tomcat_common_path']) + util.directory.create(master['pki_tomcat_common_lib_path']) + util.directory.create(master['pki_tomcat_webapps_path']) + util.directory.create(master['pki_tomcat_webapps_root_path']) + util.directory.create(master['pki_tomcat_webapps_root_webinf_path']) + util.file.copy(master['pki_source_webapps_root_web_xml'], + master['pki_tomcat_webapps_root_webinf_web_xml'], + overwrite_flag=True) + util.directory.create(master['pki_tomcat_webapps_webinf_path']) + util.directory.create(\ + master['pki_tomcat_webapps_webinf_classes_path']) + util.directory.create(master['pki_tomcat_webapps_webinf_lib_path']) + # establish instance-based Tomcat webserver logs + # establish instance-based Tomcat webserver configuration + # establish instance-based Tomcat webserver registry + # establish instance-based Tomcat webserver convenience + # symbolic links + util.symlink.create(master['pki_tomcat_bin_path'], + master['pki_tomcat_bin_link']) + util.symlink.create(master['pki_tomcat_lib_path'], + master['pki_tomcat_lib_link']) + util.symlink.create(master['pki_tomcat_systemd'], + master['pki_webserver_systemd_link']) + # establish instance-based webserver convenience symbolic links + util.symlink.create(master['pki_instance_database_link'], + master['pki_webserver_database_link']) + util.symlink.create(master['pki_webserver_configuration_path'], + master['pki_webserver_conf_link']) + util.symlink.create(master['pki_webserver_log_path'], + master['pki_webserver_logs_link']) return self.rv def respawn(self): config.pki_log.info(log.WEBSERVER_RESPAWN_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) # update instance-based webserver base - if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS: - util.directory.modify(master['pki_apache_path']) - elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: - util.directory.modify(master['pki_tomcat_path']) - util.directory.modify(master['pki_common_path']) - 
util.directory.modify(master['pki_common_lib_path']) - util.directory.modify(master['pki_conf_path']) - util.directory.modify(master['pki_webapps_path']) - util.directory.modify(master['pki_webapps_root_path']) - util.directory.modify(master['pki_webapps_root_webinf_path']) - util.directory.modify(master['pki_webapps_webinf_path']) - util.directory.modify(master['pki_webapps_webinf_classes_path']) - util.directory.modify(master['pki_webapps_webinf_lib_path']) + util.directory.modify(master['pki_webserver_path']) + # update instance-based webserver logs + util.directory.modify(master['pki_webserver_log_path']) # update instance-based webserver configuration - util.directory.modify(master['pki_database_path']) - # update convenience symbolic links - util.symlink.modify(master['pki_instance_database_link']) - util.symlink.modify(master['pki_tomcat_bin_link']) - util.symlink.modify(master['pki_tomcat_lib_link']) - util.symlink.modify(master['pki_tomcat_logs_link']) + util.directory.modify(master['pki_webserver_configuration_path']) + # update instance-based webserver registry + util.directory.modify(master['pki_webserver_registry_path']) + # update instance-based Apache/Tomcat specific webserver + if master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + # update instance-based Tomcat webserver base + util.directory.modify(master['pki_tomcat_common_path']) + util.directory.modify(master['pki_tomcat_common_lib_path']) + util.directory.modify(master['pki_tomcat_webapps_path']) + util.directory.modify(master['pki_tomcat_webapps_root_path']) + util.directory.modify(master['pki_tomcat_webapps_root_webinf_path']) + util.file.copy(master['pki_source_webapps_root_web_xml'], + master['pki_tomcat_webapps_root_webinf_web_xml'], + overwrite_flag=True) + util.directory.modify(master['pki_tomcat_webapps_webinf_path']) + util.directory.modify(\ + master['pki_tomcat_webapps_webinf_classes_path']) + util.directory.modify(master['pki_tomcat_webapps_webinf_lib_path']) + # update 
instance-based Tomcat webserver logs + # update instance-based Tomcat webserver configuration + # update instance-based Tomcat webserver registry + # update instance-based Tomcat webserver convenience symbolic links + util.symlink.modify(master['pki_tomcat_bin_link']) + util.symlink.modify(master['pki_tomcat_lib_link']) + # update instance-based webserver convenience symbolic links + util.symlink.modify(master['pki_webserver_database_link']) + util.symlink.modify(master['pki_webserver_conf_link']) + util.symlink.modify(master['pki_webserver_logs_link']) return self.rv def destroy(self): config.pki_log.info(log.WEBSERVER_DESTROY_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) - # remove instance-based webserver base - if not config.pki_dry_run_flag and\ - master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ - util.instance.apache_instances(master['pki_instance_path']) == 0: - util.directory.delete(master['pki_apache_path']) - elif master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ - util.instance.apache_instances(master['pki_instance_path']) == 1: - # always display correct information (even during dry_run) - util.directory.delete(master['pki_apache_path']) - if not config.pki_dry_run_flag and\ - master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ - util.instance.tomcat_instances(master['pki_instance_path']) == 0: - util.directory.delete(master['pki_tomcat_path']) - elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ - util.instance.tomcat_instances(master['pki_instance_path']) == 1: - # always display correct information (even during dry_run) - util.directory.delete(master['pki_tomcat_path']) - # remove instance-based webserver configuration - if not config.pki_dry_run_flag and\ - util.instance.pki_subsystem_instances(\ - master['pki_instance_path']) == 0: - util.directory.delete(master['pki_database_path']) - elif util.instance.pki_subsystem_instances(\ - master['pki_instance_path']) == 1: - # always display correct 
information (even during dry_run) - util.directory.delete(master['pki_database_path']) + if not config.pki_dry_run_flag: + if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ + util.instance.apache_instances() == 0: + # remove instance-based webserver base + util.directory.delete(master['pki_webserver_path']) + # remove instance-based webserver logs + # remove instance-based webserver configuration + # remove instance-based webserver registry + elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ + util.instance.tomcat_instances() == 0: + # remove instance-based webserver base + util.directory.delete(master['pki_webserver_path']) + # remove instance-based webserver logs + # remove instance-based webserver configuration + # remove instance-based webserver registry + else: + # ALWAYS display correct information (even during dry_run) + if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ + util.instance.apache_instances() == 1: + # remove instance-based webserver base + util.directory.delete(master['pki_webserver_path']) + # remove instance-based webserver logs + # remove instance-based webserver configuration + # remove instance-based webserver registry + elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ + util.instance.tomcat_instances() == 1: + # remove instance-based webserver base + util.directory.delete(master['pki_webserver_path']) + # remove instance-based webserver logs + # remove instance-based webserver configuration + # remove instance-based webserver registry return self.rv -- cgit
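Review bot: All four branches of the new destroy() execute the same single statement, `util.directory.delete(master['pki_webserver_path'])`, so the Apache/Tomcat split and the dry-run split can be folded into one condition, which also states the "ALWAYS display correct information" rule (count 0 live, count 1 during a dry run) once instead of twice. The symlink spawn() creates from `master['pki_tomcat_systemd']` to `master['pki_webserver_systemd_link']` has no counterpart in respawn() (only the bin and lib links are modified) or in destroy(); unless that link lives under pki_webserver_path, destroy() leaves a dangling unit link behind once the directory is gone. The logs, configuration and registry directories created in spawn() are likewise only mentioned as empty comments in destroy(); if they are outside pki_webserver_path they survive the teardown.
```python
    def destroy(self):
        config.pki_log.info(log.WEBSERVER_DESTROY_1, __name__,
                            extra=config.PKI_INDENTATION_LEVEL_1)
        if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS:
            remaining = util.instance.apache_instances()
        elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS:
            remaining = util.instance.tomcat_instances()
        else:
            return self.rv
        # ALWAYS display correct information (even during dry_run): a dry
        # run leaves this instance on disk, so it is still counted.
        last_instance = 1 if config.pki_dry_run_flag else 0
        if remaining == last_instance:
            # remove instance-based webserver base
            util.directory.delete(master['pki_webserver_path'])
            # … unchanged: logs / configuration / registry placeholders …
        return self.rv
```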