From 318716f3425a1d818e0633453a1d27a68d2f7f5f Mon Sep 17 00:00:00 2001 From: Ade Lee Date: Fri, 9 Nov 2012 12:31:40 -0500 Subject: removed dry_run from pkispawn Ticket 411 --- base/deploy/src/pkidestroy | 16 +- base/deploy/src/pkispawn | 32 +- base/deploy/src/scriptlets/configuration.jy | 2 - base/deploy/src/scriptlets/configuration.py | 176 ++--- base/deploy/src/scriptlets/finalization.py | 35 +- .../deploy/src/scriptlets/infrastructure_layout.py | 45 +- base/deploy/src/scriptlets/instance_layout.py | 102 +-- base/deploy/src/scriptlets/pkiconfig.py | 1 - base/deploy/src/scriptlets/pkihelper.py | 757 ++++++++------------- base/deploy/src/scriptlets/pkijython.py | 508 +++++++------- base/deploy/src/scriptlets/pkiparser.py | 7 - base/deploy/src/scriptlets/security_databases.py | 151 ++-- 12 files changed, 724 insertions(+), 1108 deletions(-) (limited to 'base') diff --git a/base/deploy/src/pkidestroy b/base/deploy/src/pkidestroy index 165ccb06c..82632fc1a 100755 --- a/base/deploy/src/pkidestroy +++ b/base/deploy/src/pkidestroy @@ -95,16 +95,12 @@ def main(argv): parse.process_command_line_arguments(argv) # Enable 'pkidestroy' logging. - if not config.pki_dry_run_flag: - config.pki_log_dir = config.pki_root_prefix +\ - config.PKI_DEPLOYMENT_LOG_ROOT - config.pki_log_name = "pki" + "-" +\ - config.pki_subsystem.lower() +\ - "-" + "destroy" + "." +\ - config.pki_timestamp + "." + "log" - else: - config.pki_log_dir = "/dev" - config.pki_log_name = "null" + config.pki_log_dir = config.pki_root_prefix +\ + config.PKI_DEPLOYMENT_LOG_ROOT + config.pki_log_name = "pki" + "-" +\ + config.pki_subsystem.lower() +\ + "-" + "destroy" + "." +\ + config.pki_timestamp + "." + "log" rv = pkilogging.enable_pki_logger(config.pki_log_dir, config.pki_log_name, config.pki_log_level, diff --git a/base/deploy/src/pkispawn b/base/deploy/src/pkispawn index d3dfb63ca..4ea678ef6 100755 --- a/base/deploy/src/pkispawn +++ b/base/deploy/src/pkispawn 
@@ -103,32 +103,24 @@ def main(argv): # Enable 'pkispawn' logging. rv = 0 if not config.pki_update_flag: - if not config.pki_dry_run_flag: - config.pki_log_dir = config.pki_root_prefix +\ - config.PKI_DEPLOYMENT_LOG_ROOT - config.pki_log_name = "pki" + "-" +\ - config.pki_subsystem.lower() +\ - "-" + "spawn" + "." +\ - config.pki_timestamp + "." + "log" - else: - config.pki_log_dir = "/dev" - config.pki_log_name = "null" + config.pki_log_dir = config.pki_root_prefix +\ + config.PKI_DEPLOYMENT_LOG_ROOT + config.pki_log_name = "pki" + "-" +\ + config.pki_subsystem.lower() +\ + "-" + "spawn" + "." +\ + config.pki_timestamp + "." + "log" rv = pkilogging.enable_pki_logger(config.pki_log_dir, config.pki_log_name, config.pki_log_level, config.pki_console_log_level, "pkispawn") else: - if not config.pki_dry_run_flag: - config.pki_log_dir = config.pki_root_prefix +\ - config.PKI_DEPLOYMENT_LOG_ROOT - config.pki_log_name = "pki" + "-" +\ - config.pki_subsystem.lower() +\ - "-" + "respawn" + "." +\ - config.pki_timestamp + "." + "log" - else: - config.pki_log_dir = "/dev" - config.pki_log_name = "null" + config.pki_log_dir = config.pki_root_prefix +\ + config.PKI_DEPLOYMENT_LOG_ROOT + config.pki_log_name = "pki" + "-" +\ + config.pki_subsystem.lower() +\ + "-" + "respawn" + "." +\ + config.pki_timestamp + "." + "log" rv = pkilogging.enable_pki_logger(config.pki_log_dir, config.pki_log_name, config.pki_log_level, diff --git a/base/deploy/src/scriptlets/configuration.jy b/base/deploy/src/scriptlets/configuration.jy index 7180c4546..bf89a0170 100644 --- a/base/deploy/src/scriptlets/configuration.jy +++ b/base/deploy/src/scriptlets/configuration.jy 
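Review bot: The two branches of `if not config.pki_update_flag:` in `main` now differ only in the literal `"spawn"` versus `"respawn"`, so the log directory and log file name are assembled twice and can drift apart on a later edit. Choosing the verb first, e.g. `log_verb = "respawn" if config.pki_update_flag else "spawn"`, and building `config.pki_log_dir` and `config.pki_log_name` once would keep the location of the install log the same on both paths. The second `enable_pki_logger` call runs past the end of the hunk, so confirm it matches the first before merging the branches.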
@@ -69,14 +69,12 @@ def main(argv): # Initialize token jyutil.security_databases.initialize_token( master['pki_client_database_dir'], - master['pki_dry_run_flag'], master['pki_jython_log_level']) # Log into token token = jyutil.security_databases.log_into_token( master['pki_client_database_dir'], master['pki_client_password_conf'], - master['pki_dry_run_flag'], master['pki_jython_log_level']) # Setup connection parameters diff --git a/base/deploy/src/scriptlets/configuration.py b/base/deploy/src/scriptlets/configuration.py index f2d3ab1b1..c9454d951 100644 --- a/base/deploy/src/scriptlets/configuration.py +++ b/base/deploy/src/scriptlets/configuration.py 
@@ -39,98 +39,59 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): return self.rv config.pki_log.info(log.CONFIGURATION_SPAWN_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) - if not config.pki_dry_run_flag: - # Place "slightly" less restrictive permissions on - # the top-level client directory ONLY - util.directory.create(master['pki_client_dir'], - uid=0, gid=0, - perms=config.PKI_DEPLOYMENT_DEFAULT_CLIENT_DIR_PERMISSIONS) - # Since 'certutil' does NOT strip the 'token=' portion of - # the 'token=password' entries, create a client password file - # which ONLY contains the 'password' for the purposes of - # allowing 'certutil' to generate the security databases - util.password.create_password_conf( - master['pki_client_password_conf'], - sensitive['pki_client_database_password'], pin_sans_token=True) - util.file.modify(master['pki_client_password_conf'], - uid=0, gid=0) - # Similarly, create a simple password file containing the - # PKCS #12 password used when exporting the "Admin Certificate" - # into a PKCS #12 file - util.password.create_client_pkcs12_password_conf( - master['pki_client_pkcs12_password_conf']) - util.file.modify(master['pki_client_pkcs12_password_conf']) - util.directory.create(master['pki_client_database_dir'], - uid=0, gid=0) - util.certutil.create_security_databases( - master['pki_client_database_dir'], - master['pki_client_cert_database'], - master['pki_client_key_database'], - master['pki_client_secmod_database'], - password_file=master['pki_client_password_conf']) - util.symlink.create(master['pki_systemd_service'], - master['pki_systemd_service_link']) - else: - # Since 'certutil' does NOT strip the 'token=' portion of - # the 'token=password' entries, create a client password file - # which ONLY contains the 'password' for the purposes of - # allowing 'certutil' to generate the security databases - util.password.create_password_conf( - master['pki_client_password_conf'], - sensitive['pki_client_database_password'], 
pin_sans_token=True) - # Similarly, create a simple password file containing the - # PKCS #12 password used when exporting the "Admin Certificate" - # into a PKCS #12 file - util.password.create_client_pkcs12_password_conf( - master['pki_client_pkcs12_password_conf']) - util.certutil.create_security_databases( - master['pki_client_database_dir'], - master['pki_client_cert_database'], - master['pki_client_key_database'], - master['pki_client_secmod_database'], - password_file=master['pki_client_password_conf']) + + # Place "slightly" less restrictive permissions on + # the top-level client directory ONLY + util.directory.create(master['pki_client_dir'], + uid=0, gid=0, + perms=config.PKI_DEPLOYMENT_DEFAULT_CLIENT_DIR_PERMISSIONS) + # Since 'certutil' does NOT strip the 'token=' portion of + # the 'token=password' entries, create a client password file + # which ONLY contains the 'password' for the purposes of + # allowing 'certutil' to generate the security databases + util.password.create_password_conf( + master['pki_client_password_conf'], + sensitive['pki_client_database_password'], pin_sans_token=True) + util.file.modify(master['pki_client_password_conf'], + uid=0, gid=0) + # Similarly, create a simple password file containing the + # PKCS #12 password used when exporting the "Admin Certificate" + # into a PKCS #12 file + util.password.create_client_pkcs12_password_conf( + master['pki_client_pkcs12_password_conf']) + util.file.modify(master['pki_client_pkcs12_password_conf']) + util.directory.create(master['pki_client_database_dir'], + uid=0, gid=0) + util.certutil.create_security_databases( + master['pki_client_database_dir'], + master['pki_client_cert_database'], + master['pki_client_key_database'], + master['pki_client_secmod_database'], + password_file=master['pki_client_password_conf']) + util.symlink.create(master['pki_systemd_service'], + master['pki_systemd_service_link']) + # Start/Restart this Apache/Tomcat PKI Process - if not config.pki_dry_run_flag: 
- if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS: - apache_instance_subsystems =\ - util.instance.apache_instance_subsystems() - if apache_instance_subsystems == 1: - util.systemd.start() - elif apache_instance_subsystems > 1: - util.systemd.restart() - elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: - # Optionally prepare to enable a java debugger - # (e. g. - 'eclipse'): - if config.str2bool(master['pki_enable_java_debugger']): - config.prepare_for_an_external_java_debugger( - master['pki_target_tomcat_conf_instance_id']) - tomcat_instance_subsystems =\ - util.instance.tomcat_instance_subsystems() - if tomcat_instance_subsystems == 1: - util.systemd.start() - elif tomcat_instance_subsystems > 1: - util.systemd.restart() - else: - # ALWAYS display correct information (even during dry_run) - if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS: - apache_instance_subsystems =\ - util.instance.apache_instance_subsystems() - if apache_instance_subsystems == 0: - util.systemd.start() - elif apache_instance_subsystems > 0: - util.systemd.restart() - elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: - # Optionally prepare to enable a java debugger - # (e. g. - 'eclipse'): - if config.str2bool(master['pki_enable_java_debugger']): - config.prepare_for_an_external_java_debugger( - master['pki_target_tomcat_conf_instance_id']) - tomcat_instance_subsystems =\ - util.instance.tomcat_instance_subsystems() - if tomcat_instance_subsystems == 0: - util.systemd.start() - elif tomcat_instance_subsystems > 0: - util.systemd.restart() + if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS: + apache_instance_subsystems =\ + util.instance.apache_instance_subsystems() + if apache_instance_subsystems == 1: + util.systemd.start() + elif apache_instance_subsystems > 1: + util.systemd.restart() + elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS: + # Optionally prepare to enable a java debugger + # (e. g. 
- 'eclipse'): + if config.str2bool(master['pki_enable_java_debugger']): + config.prepare_for_an_external_java_debugger( + master['pki_target_tomcat_conf_instance_id']) + tomcat_instance_subsystems =\ + util.instance.tomcat_instance_subsystems() + if tomcat_instance_subsystems == 1: + util.systemd.start() + elif tomcat_instance_subsystems > 1: + util.systemd.restart() + # Pass control to the Java servlet via Jython 2.2 'configuration.jy' util.jython.invoke(master['pki_jython_configuration_scriptlet']) return self.rv 
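Review bot: In `spawn`, both client password files are written first and only adjusted afterwards by `util.file.modify(...)`, so their mode and owner in the interval depend on what `create_password_conf` and `create_client_pkcs12_password_conf` do, which this hunk does not show. The two follow-up calls are also inconsistent: `pki_client_password_conf` is forced to `uid=0, gid=0`, while `pki_client_pkcs12_password_conf` is modified with the helper's default ownership. If that difference is intended, a comment such as `# PKCS #12 password file keeps the default owner because <reason>` would make it reviewable; otherwise pass `uid=0, gid=0` there as well. It is worth confirming that the helpers create these files with restrictive permissions from the start; the method body begins before this hunk.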
@@ -143,27 +104,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): def destroy(self): config.pki_log.info(log.CONFIGURATION_DESTROY_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) - if not config.pki_dry_run_flag: - if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ - util.instance.apache_instance_subsystems() == 1: - if util.directory.exists(master['pki_client_dir']): - util.directory.delete(master['pki_client_dir']) - util.symlink.delete(master['pki_systemd_service_link']) - elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ - util.instance.tomcat_instance_subsystems() == 1: - if util.directory.exists(master['pki_client_dir']): - util.directory.delete(master['pki_client_dir']) - util.symlink.delete(master['pki_systemd_service_link']) - else: - # ALWAYS display correct information (even during dry_run) - if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ - util.instance.apache_instance_subsystems() == 0: - if util.directory.exists(master['pki_client_dir']): - util.directory.delete(master['pki_client_dir']) - util.symlink.delete(master['pki_systemd_service_link']) - elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ - util.instance.tomcat_instance_subsystems() == 0: - if util.directory.exists(master['pki_client_dir']): - util.directory.delete(master['pki_client_dir']) - util.symlink.delete(master['pki_systemd_service_link']) + if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ + util.instance.apache_instance_subsystems() == 1: + if util.directory.exists(master['pki_client_dir']): + util.directory.delete(master['pki_client_dir']) + util.symlink.delete(master['pki_systemd_service_link']) + elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ + util.instance.tomcat_instance_subsystems() == 1: + if util.directory.exists(master['pki_client_dir']): + util.directory.delete(master['pki_client_dir']) + util.symlink.delete(master['pki_systemd_service_link']) return self.rv 
diff --git a/base/deploy/src/scriptlets/finalization.py b/base/deploy/src/scriptlets/finalization.py index a86ffff28..62d92a626 100644 --- a/base/deploy/src/scriptlets/finalization.py +++ b/base/deploy/src/scriptlets/finalization.py @@ -48,10 +48,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): extra=config.PKI_INDENTATION_LEVEL_2) # for record in manifest.database: # print tuple(record) - if not config.pki_dry_run_flag: - manifest.file.register(master['pki_manifest']) - manifest.file.write() - util.file.modify(master['pki_manifest'], silent=True) + manifest.file.register(master['pki_manifest']) + manifest.file.write() + util.file.modify(master['pki_manifest'], silent=True) + # Also, for debugging/auditing purposes, save a timestamped copy of # this installation manifest file util.file.copy(master['pki_manifest'], @@ -78,8 +78,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): master['pki_subsystem'], master['pki_instance_id'], extra=config.PKI_INDENTATION_LEVEL_0) - if not config.pki_dry_run_flag: - util.file.modify(master['pki_spawn_log'], silent=True) + util.file.modify(master['pki_spawn_log'], silent=True) # If instance has not been configured, print the # configuration URL to the screen if config.str2bool(master['pki_skip_configuration']): 
@@ -94,24 +93,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): def destroy(self): config.pki_log.info(log.FINALIZATION_DESTROY_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) - if not config.pki_dry_run_flag: - util.file.modify(master['pki_destroy_log'], silent=True) + util.file.modify(master['pki_destroy_log'], silent=True) # Start this Apache/Tomcat PKI Process - if not config.pki_dry_run_flag: - if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ - util.instance.apache_instance_subsystems() >= 1: - util.systemd.start() - elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ - util.instance.tomcat_instance_subsystems() >= 1: - util.systemd.start() - else: - # ALWAYS display correct information (even during dry_run) - if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ - util.instance.apache_instance_subsystems() >= 0: - util.systemd.start() - elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ - util.instance.tomcat_instance_subsystems() >= 0: - util.systemd.start() + if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ + util.instance.apache_instance_subsystems() >= 1: + util.systemd.start() + elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ + util.instance.tomcat_instance_subsystems() >= 1: + util.systemd.start() config.pki_log.info(log.PKIDESTROY_END_MESSAGE_2, master['pki_subsystem'], master['pki_instance_id'], diff --git a/base/deploy/src/scriptlets/infrastructure_layout.py b/base/deploy/src/scriptlets/infrastructure_layout.py index d4dc264fd..e79fa8bfe 100644 --- a/base/deploy/src/scriptlets/infrastructure_layout.py +++ b/base/deploy/src/scriptlets/infrastructure_layout.py 
@@ -90,35 +90,18 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): config.pki_log.info(log.ADMIN_DOMAIN_DESTROY_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) # remove top-level infrastructure base - if not config.pki_dry_run_flag: - if master['pki_subsystem'] in config.PKI_SUBSYSTEMS and\ - util.instance.pki_instance_subsystems() == 0: - # remove top-level infrastructure base - util.directory.delete(master['pki_path']) - # do NOT remove top-level infrastructure logs - # since it now stores 'pkispawn'/'pkidestroy' logs - # util.directory.delete(master['pki_log_path']) - # remove top-level infrastructure configuration - if util.directory.is_empty(master['pki_configuration_path'])\ - and master['pki_configuration_path'] !=\ - config.PKI_DEPLOYMENT_CONFIGURATION_ROOT: - util.directory.delete(master['pki_configuration_path']) - # remove top-level infrastructure registry - util.directory.delete(master['pki_registry_path']) - else: - # ALWAYS display correct information (even during dry_run) - if master['pki_subsystem'] in config.PKI_SUBSYSTEMS and\ - util.instance.pki_instance_subsystems() == 1: - # remove top-level infrastructure base - util.directory.delete(master['pki_path']) - # do NOT remove top-level infrastructure logs - # since it now stores 'pkispawn'/'pkidestroy' logs - # util.directory.delete(master['pki_log_path']) - # remove top-level infrastructure configuration - if util.directory.is_empty(master['pki_configuration_path'])\ - and master['pki_configuration_path'] !=\ - config.PKI_DEPLOYMENT_CONFIGURATION_ROOT: - util.directory.delete(master['pki_configuration_path']) - # remove top-level infrastructure registry - util.directory.delete(master['pki_registry_path']) + if master['pki_subsystem'] in config.PKI_SUBSYSTEMS and\ + util.instance.pki_instance_subsystems() == 0: + # remove top-level infrastructure base + util.directory.delete(master['pki_path']) + # do NOT remove top-level infrastructure logs + # since it now stores 
'pkispawn'/'pkidestroy' logs + # util.directory.delete(master['pki_log_path']) + # remove top-level infrastructure configuration + if util.directory.is_empty(master['pki_configuration_path'])\ + and master['pki_configuration_path'] !=\ + config.PKI_DEPLOYMENT_CONFIGURATION_ROOT: + util.directory.delete(master['pki_configuration_path']) + # remove top-level infrastructure registry + util.directory.delete(master['pki_registry_path']) return self.rv diff --git a/base/deploy/src/scriptlets/instance_layout.py b/base/deploy/src/scriptlets/instance_layout.py index 0df418165..f45293104 100644 --- a/base/deploy/src/scriptlets/instance_layout.py +++ b/base/deploy/src/scriptlets/instance_layout.py 
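Review bot: In `destroy`, only `pki_configuration_path` is compared against a known root before removal; `util.directory.delete(master['pki_path'])` and `util.directory.delete(master['pki_registry_path'])` run unconditionally once `pki_instance_subsystems() == 0`. These paths come from the `master` dictionary and, with the dry-run branch gone, the delete is always real, so a guard in the same style (path non-empty and not a shared top-level directory) would limit the damage of a misconfigured value. Whether such validation already happens where `master` is built is not visible from this hunk.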
@@ -248,73 +248,37 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): extra=config.PKI_INDENTATION_LEVEL_1) if master['pki_subsystem'] == 'TKS': util.symlink.delete(master['pki_symkey_jar_link']) - if not config.pki_dry_run_flag: - if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ - util.instance.apache_instance_subsystems() == 0: - # remove Apache instance base - util.directory.delete(master['pki_instance_path']) - # remove Apache instance logs - # remove shared NSS security database path for this instance - util.directory.delete(master['pki_database_path']) - # remove Apache instance configuration - util.directory.delete(master['pki_instance_configuration_path']) - # remove Apache instance registry - util.directory.delete(master['pki_instance_registry_path']) - # remove Apache PKI registry (if empty) - if util.instance.apache_instances() == 0: - util.directory.delete( - master['pki_instance_type_registry_path']) - elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ - util.instance.tomcat_instance_subsystems() == 0: - # remove Tomcat instance base - util.directory.delete(master['pki_instance_path']) - # remove Tomcat instance logs - util.directory.delete(master['pki_instance_log_path']) - # remove shared NSS security database path for this instance - util.directory.delete(master['pki_database_path']) - # remove Tomcat instance configuration - util.directory.delete(master['pki_instance_configuration_path']) - # remove PKI 'tomcat.conf' instance file - util.file.delete(master['pki_target_tomcat_conf_instance_id']) - # remove Tomcat instance registry - util.directory.delete(master['pki_instance_registry_path']) - # remove Tomcat PKI registry (if empty) - if util.instance.tomcat_instances() == 0: - util.directory.delete( - master['pki_instance_type_registry_path']) - else: - # ALWAYS display correct information (even during dry_run) - if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ - 
util.instance.apache_instance_subsystems() == 1: - # remove Apache instance base - util.directory.delete(master['pki_instance_path']) - # remove Apache instance logs - # remove shared NSS security database path for this instance - util.directory.delete(master['pki_database_path']) - # remove Apache instance configuration - util.directory.delete(master['pki_instance_configuration_path']) - # remove Apache instance registry - util.directory.delete(master['pki_instance_registry_path']) - # remove Apache PKI registry (if empty) - if util.instance.apache_instances() == 1: - util.directory.delete( - master['pki_instance_type_registry_path']) - elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ - util.instance.tomcat_instance_subsystems() == 1: - # remove Tomcat instance base - util.directory.delete(master['pki_instance_path']) - # remove Tomcat instance logs - util.directory.delete(master['pki_instance_log_path']) - # remove shared NSS security database path for this instance - util.directory.delete(master['pki_database_path']) - # remove Tomcat instance configuration - util.directory.delete(master['pki_instance_configuration_path']) - # remove PKI 'tomcat.conf' instance file - util.file.delete(master['pki_target_tomcat_conf_instance_id']) - # remove Tomcat instance registry - util.directory.delete(master['pki_instance_registry_path']) - # remove Tomcat PKI registry (if empty) - if util.instance.tomcat_instances() == 1: - util.directory.delete( - master['pki_instance_type_registry_path']) + if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ + util.instance.apache_instance_subsystems() == 0: + # remove Apache instance base + util.directory.delete(master['pki_instance_path']) + # remove Apache instance logs + # remove shared NSS security database path for this instance + util.directory.delete(master['pki_database_path']) + # remove Apache instance configuration + util.directory.delete(master['pki_instance_configuration_path']) + # remove Apache 
instance registry + util.directory.delete(master['pki_instance_registry_path']) + # remove Apache PKI registry (if empty) + if util.instance.apache_instances() == 0: + util.directory.delete( + master['pki_instance_type_registry_path']) + elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ + util.instance.tomcat_instance_subsystems() == 0: + # remove Tomcat instance base + util.directory.delete(master['pki_instance_path']) + # remove Tomcat instance logs + util.directory.delete(master['pki_instance_log_path']) + # remove shared NSS security database path for this instance + util.directory.delete(master['pki_database_path']) + # remove Tomcat instance configuration + util.directory.delete(master['pki_instance_configuration_path']) + # remove PKI 'tomcat.conf' instance file + util.file.delete(master['pki_target_tomcat_conf_instance_id']) + # remove Tomcat instance registry + util.directory.delete(master['pki_instance_registry_path']) + # remove Tomcat PKI registry (if empty) + if util.instance.tomcat_instances() == 0: + util.directory.delete( + master['pki_instance_type_registry_path']) return self.rv diff --git a/base/deploy/src/scriptlets/pkiconfig.py b/base/deploy/src/scriptlets/pkiconfig.py index ba411933d..e8e65970e 100644 --- a/base/deploy/src/scriptlets/pkiconfig.py +++ b/base/deploy/src/scriptlets/pkiconfig.py @@ -125,7 +125,6 @@ pkideployment_cfg = None pki_deployed_instance_name = None # PKI Deployment "Optional" Command-Line Variables -pki_dry_run_flag = False # 'pkispawn' ONLY pki_update_flag = False diff --git a/base/deploy/src/scriptlets/pkihelper.py b/base/deploy/src/scriptlets/pkihelper.py index ecc1df791..ba67465ef 100644 --- a/base/deploy/src/scriptlets/pkihelper.py +++ b/base/deploy/src/scriptlets/pkihelper.py 
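Review bot: The Apache branch of `destroy` carries the comment `# remove Apache instance logs` with no call under it, while the Tomcat branch deletes `master['pki_instance_log_path']` at the same point. Either the Apache logs are kept on purpose, in which case the comment should say so (`# do NOT remove Apache instance logs: <reason>`), or a `util.directory.delete(...)` call is missing. As written, someone auditing what survives an uninstall cannot tell which is meant.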
@@ -808,30 +808,29 @@ class configuration_file: # config.pki_log.info(log.PKIHELPER_REMOVE_FILTER_SECTION_1, # master['pki_target_subsystem_web_xml'], # extra=config.PKI_INDENTATION_LEVEL_2) -# if not config.pki_dry_run_flag: -# begin_filters_section = False -# begin_servlet_section = False -# FILE = open(web_xml_target, "w") -# for line in fileinput.FileInput(web_xml_source): -# if not begin_filters_section: -# # Read and write lines until first "" tag -# if line.count("") >= 1: -# # Mark filters section -# begin_filters_section = True -# else: -# FILE.write(line) -# elif not begin_servlet_section: -# # Skip lines until first "" tag -# if line.count("") >= 1: -# # Mark servlets section and write out the opening tag -# begin_servlet_section = True -# FILE.write(line) -# else: -# continue +# begin_filters_section = False +# begin_servlet_section = False +# FILE = open(web_xml_target, "w") +# for line in fileinput.FileInput(web_xml_source): +# if not begin_filters_section: +# # Read and write lines until first "" tag +# if line.count("") >= 1: +# # Mark filters section +# begin_filters_section = True # else: -# # Read and write lines all lines after "" tag # FILE.write(line) -# FILE.close() +# elif not begin_servlet_section: +# # Skip lines until first "" tag +# if line.count("") >= 1: +# # Mark servlets section and write out the opening tag +# begin_servlet_section = True +# FILE.write(line) +# else: +# continue +# else: +# # Read and write lines all lines after "" tag +# FILE.write(line) +# FILE.close() # PKI Deployment Instance Class 
@@ -845,15 +844,9 @@ class instance: path = master['pki_instance_path'] + "/" + subsystem.lower() if os.path.exists(path) and os.path.isdir(path): rv = rv + 1 - # always display correct information (even during dry_run) - if config.pki_dry_run_flag and rv > 0: - config.pki_log.debug(log.PKIHELPER_APACHE_INSTANCE_SUBSYSTEMS_2, - master['pki_instance_path'], rv - 1, - extra=config.PKI_INDENTATION_LEVEL_2) - else: - config.pki_log.debug(log.PKIHELPER_APACHE_INSTANCE_SUBSYSTEMS_2, - master['pki_instance_path'], - rv, extra=config.PKI_INDENTATION_LEVEL_2) + config.pki_log.debug(log.PKIHELPER_APACHE_INSTANCE_SUBSYSTEMS_2, + master['pki_instance_path'], + rv, extra=config.PKI_INDENTATION_LEVEL_2) except OSError as exc: config.pki_log.error(log.PKI_OSERROR_1, exc, extra=config.PKI_INDENTATION_LEVEL_2) @@ -877,17 +870,10 @@ class instance: os.path.join(master['pki_instance_type_registry_path'], instance)): rv = rv + 1 - # always display correct information (even during dry_run) - if config.pki_dry_run_flag and rv > 0: - config.pki_log.debug(log.PKIHELPER_APACHE_INSTANCES_2, - master['pki_instance_type_registry_path'], - rv - 1, - extra=config.PKI_INDENTATION_LEVEL_2) - else: - config.pki_log.debug(log.PKIHELPER_APACHE_INSTANCES_2, - master['pki_instance_type_registry_path'], - rv, - extra=config.PKI_INDENTATION_LEVEL_2) + config.pki_log.debug(log.PKIHELPER_APACHE_INSTANCES_2, + master['pki_instance_type_registry_path'], + rv, + extra=config.PKI_INDENTATION_LEVEL_2) except OSError as exc: config.pki_log.error(log.PKI_OSERROR_1, exc, extra=config.PKI_INDENTATION_LEVEL_2) 
@@ -913,15 +899,9 @@ class instance: not os.path.islink(os.path.join(dir,name)): if name.upper() in config.PKI_SUBSYSTEMS: rv = rv + 1 - # always display correct information (even during dry_run) - if config.pki_dry_run_flag and rv > 0: - config.pki_log.debug(log.PKIHELPER_PKI_INSTANCE_SUBSYSTEMS_2, - master['pki_instance_path'], rv - 1, - extra=config.PKI_INDENTATION_LEVEL_2) - else: - config.pki_log.debug(log.PKIHELPER_PKI_INSTANCE_SUBSYSTEMS_2, - master['pki_instance_path'], rv, - extra=config.PKI_INDENTATION_LEVEL_2) + config.pki_log.debug(log.PKIHELPER_PKI_INSTANCE_SUBSYSTEMS_2, + master['pki_instance_path'], rv, + extra=config.PKI_INDENTATION_LEVEL_2) except OSError as exc: config.pki_log.error(log.PKI_OSERROR_1, exc, extra=config.PKI_INDENTATION_LEVEL_2) @@ -937,15 +917,9 @@ class instance: path = master['pki_instance_path'] + "/" + subsystem.lower() if os.path.exists(path) and os.path.isdir(path): rv = rv + 1 - # always display correct information (even during dry_run) - if config.pki_dry_run_flag and rv > 0: - config.pki_log.debug(log.PKIHELPER_TOMCAT_INSTANCE_SUBSYSTEMS_2, - master['pki_instance_path'], rv - 1, - extra=config.PKI_INDENTATION_LEVEL_2) - else: - config.pki_log.debug(log.PKIHELPER_TOMCAT_INSTANCE_SUBSYSTEMS_2, - master['pki_instance_path'], - rv, extra=config.PKI_INDENTATION_LEVEL_2) + config.pki_log.debug(log.PKIHELPER_TOMCAT_INSTANCE_SUBSYSTEMS_2, + master['pki_instance_path'], + rv, extra=config.PKI_INDENTATION_LEVEL_2) except OSError as exc: config.pki_log.error(log.PKI_OSERROR_1, exc, extra=config.PKI_INDENTATION_LEVEL_2) 
@@ -969,17 +943,10 @@ class instance: os.path.join(master['pki_instance_type_registry_path'], instance)): rv = rv + 1 - # always display correct information (even during dry_run) - if config.pki_dry_run_flag and rv > 0: - config.pki_log.debug(log.PKIHELPER_TOMCAT_INSTANCES_2, - master['pki_instance_type_registry_path'], - rv - 1, - extra=config.PKI_INDENTATION_LEVEL_2) - else: - config.pki_log.debug(log.PKIHELPER_TOMCAT_INSTANCES_2, - master['pki_instance_type_registry_path'], - rv, - extra=config.PKI_INDENTATION_LEVEL_2) + config.pki_log.debug(log.PKIHELPER_TOMCAT_INSTANCES_2, + master['pki_instance_type_registry_path'], + rv, + extra=config.PKI_INDENTATION_LEVEL_2) except OSError as exc: config.pki_log.error(log.PKI_OSERROR_1, exc, extra=config.PKI_INDENTATION_LEVEL_2) @@ -1023,13 +990,11 @@ class directory: # mkdir -p config.pki_log.info(log.PKIHELPER_MKDIR_1, name, extra=config.PKI_INDENTATION_LEVEL_2) - if not config.pki_dry_run_flag: - os.makedirs(name) + os.makedirs(name) # chmod config.pki_log.debug(log.PKIHELPER_CHMOD_2, perms, name, extra=config.PKI_INDENTATION_LEVEL_3) - if not config.pki_dry_run_flag: - os.chmod(name, perms) + os.chmod(name, perms) # chown : if uid == None: uid = identity.get_uid() @@ -1038,8 +1003,7 @@ class directory: config.pki_log.debug(log.PKIHELPER_CHOWN_3, uid, gid, name, extra=config.PKI_INDENTATION_LEVEL_3) - if not config.pki_dry_run_flag: - os.chown(name, uid, gid) + os.chown(name, uid, gid) # Store record in installation manifest record = manifest.record() record.name = name @@ -1086,8 +1050,7 @@ class directory: if not silent: config.pki_log.debug(log.PKIHELPER_CHMOD_2, perms, name, extra=config.PKI_INDENTATION_LEVEL_3) - if not config.pki_dry_run_flag: - os.chmod(name, perms) + os.chmod(name, perms) # chown : if uid == None: uid = identity.get_uid() 
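Review bot: `directory.create` (hunk at -1023) runs `os.makedirs(name)` and then a separate `os.chmod(name, perms)`, so the directory briefly exists with umask-default permissions, and any intermediate directories that `makedirs` creates never receive `perms`. Passing the mode at creation, `os.makedirs(name, perms)`, while keeping the `chmod` to undo umask masking, would narrow that window. The same create-then-chmod pattern is in `file.create` (hunk at -1408), where `open(name, "w").close()` could become `os.close(os.open(name, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, perms))`. Both method bodies start outside their hunks, so any earlier existence checks are not visible here.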
@@ -1097,8 +1060,7 @@ class directory: config.pki_log.debug(log.PKIHELPER_CHOWN_3, uid, gid, name, extra=config.PKI_INDENTATION_LEVEL_3) - if not config.pki_dry_run_flag: - os.chown(name, uid, gid) + os.chown(name, uid, gid) # Store record in installation manifest if not silent: record = manifest.record() @@ -1136,14 +1098,12 @@ class directory: # rm -rf config.pki_log.info(log.PKIHELPER_RM_RF_1, name, extra=config.PKI_INDENTATION_LEVEL_2) - if not config.pki_dry_run_flag: - shutil.rmtree(name) + shutil.rmtree(name) else: # rmdir config.pki_log.info(log.PKIHELPER_RMDIR_1, name, extra=config.PKI_INDENTATION_LEVEL_2) - if not config.pki_dry_run_flag: - os.rmdir(name) + os.rmdir(name) except OSError as exc: config.pki_log.error(log.PKI_OSERROR_1, exc, extra=config.PKI_INDENTATION_LEVEL_2) @@ -1185,11 +1145,7 @@ class directory: dir_acls=None, file_acls=None, symlink_acls=None, recursive_flag=True, critical_failure=True): try: - if config.pki_dry_run_flag: - config.pki_log.info( - log.PKIHELPER_SET_MODE_1, name, - extra=config.PKI_INDENTATION_LEVEL_2) - elif not os.path.exists(name) or not os.path.isdir(name): + if not os.path.exists(name) or not os.path.isdir(name): config.pki_log.error( log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, name, extra=config.PKI_INDENTATION_LEVEL_2) @@ -1215,14 +1171,12 @@ class directory: config.pki_log.debug(log.PKIHELPER_CHMOD_2, file_perms, file, extra=config.PKI_INDENTATION_LEVEL_3) - if not config.pki_dry_run_flag: - os.chmod(file, file_perms) + os.chmod(file, file_perms) # chown : config.pki_log.debug(log.PKIHELPER_CHOWN_3, uid, gid, file, extra=config.PKI_INDENTATION_LEVEL_3) - if not config.pki_dry_run_flag: - os.chown(file, uid, gid) + os.chown(file, uid, gid) # Store record in installation manifest record = manifest.record() record.name = name 
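Review bot: In the per-file loop of the recursive mode-setting method of class `directory` (hunk at -1215), the manifest entry written after `os.chown(file, uid, gid)` sets `record.name = name`, which is the top-level directory and not the file just changed; the symlink and sub-directory loops (hunks at -1248 and -1270) do the same. If the manifest is meant to list each object whose mode and owner were set, this should read `record.name = file` (and `symlink` / `dir` in the other loops); if the repetition is deliberate, a comment saying so would help. These are context lines, so the behaviour predates this commit, and the rest of each record assignment lies outside the hunks.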
@@ -1248,8 +1202,7 @@ class directory: config.pki_log.debug(log.PKIHELPER_CHOWN_H_3, uid, gid, symlink, extra=config.PKI_INDENTATION_LEVEL_3) - if not config.pki_dry_run_flag: - os.lchown(symlink, uid, gid) + os.lchown(symlink, uid, gid) # Store record in installation manifest record = manifest.record() record.name = name @@ -1270,14 +1223,12 @@ class directory: config.pki_log.debug(log.PKIHELPER_CHMOD_2, dir_perms, dir, extra=config.PKI_INDENTATION_LEVEL_3) - if not config.pki_dry_run_flag: - os.chmod(dir, dir_perms) + os.chmod(dir, dir_perms) # chown : config.pki_log.debug(log.PKIHELPER_CHOWN_3, uid, gid, dir, extra=config.PKI_INDENTATION_LEVEL_3) - if not config.pki_dry_run_flag: - os.chown(dir, uid, gid) + os.chown(dir, uid, gid) # Store record in installation manifest record = manifest.record() record.name = name @@ -1298,14 +1249,12 @@ class directory: config.pki_log.debug(log.PKIHELPER_CHMOD_2, dir_perms, name, extra=config.PKI_INDENTATION_LEVEL_3) - if not config.pki_dry_run_flag: - os.chmod(name, dir_perms) + os.chmod(name, dir_perms) # chown : config.pki_log.debug(log.PKIHELPER_CHOWN_3, uid, gid, name, extra=config.PKI_INDENTATION_LEVEL_3) - if not config.pki_dry_run_flag: - os.chown(name, uid, gid) + os.chown(name, uid, gid) # Store record in installation manifest record = manifest.record() record.name = name 
@@ -1330,21 +1279,7 @@ class directory: dir_acls=None, file_acls=None, symlink_acls=None, recursive_flag=True, overwrite_flag=False, critical_failure=True): try: - if config.pki_dry_run_flag: - if recursive_flag == True: - # cp -rp - config.pki_log.info(log.PKIHELPER_CP_RP_2, - old_name, new_name, - extra=config.PKI_INDENTATION_LEVEL_2) - else: - # cp -p - config.pki_log.info(log.PKIHELPER_CP_P_2, - old_name, new_name, - extra=config.PKI_INDENTATION_LEVEL_2) - config.pki_log.info( - log.PKIHELPER_SET_MODE_1, new_name, - extra=config.PKI_INDENTATION_LEVEL_2) - elif not os.path.exists(old_name) or not os.path.isdir(old_name): + if not os.path.exists(old_name) or not os.path.isdir(old_name): config.pki_log.error( log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, old_name, extra=config.PKI_INDENTATION_LEVEL_2) @@ -1408,13 +1343,11 @@ class file: # touch config.pki_log.info(log.PKIHELPER_TOUCH_1, name, extra=config.PKI_INDENTATION_LEVEL_2) - if not config.pki_dry_run_flag: - open(name, "w").close() + open(name, "w").close() # chmod config.pki_log.debug(log.PKIHELPER_CHMOD_2, perms, name, extra=config.PKI_INDENTATION_LEVEL_3) - if not config.pki_dry_run_flag: - os.chmod(name, perms) + os.chmod(name, perms) # chown : if uid == None: uid = identity.get_uid() @@ -1423,8 +1356,7 @@ class file: config.pki_log.debug(log.PKIHELPER_CHOWN_3, uid, gid, name, extra=config.PKI_INDENTATION_LEVEL_3) - if not config.pki_dry_run_flag: - os.chown(name, uid, gid) + os.chown(name, uid, gid) # Store record in installation manifest record = manifest.record() record.name = name @@ -1471,8 +1403,7 @@ class file: if not silent: config.pki_log.debug(log.PKIHELPER_CHMOD_2, perms, name, extra=config.PKI_INDENTATION_LEVEL_3) - if not config.pki_dry_run_flag: - os.chmod(name, perms) + os.chmod(name, perms) # chown : if uid == None: uid = identity.get_uid() 
@@ -1482,8 +1413,7 @@ class file: config.pki_log.debug(log.PKIHELPER_CHOWN_3, uid, gid, name, extra=config.PKI_INDENTATION_LEVEL_3) - if not config.pki_dry_run_flag: - os.chown(name, uid, gid) + os.chown(name, uid, gid) # Store record in installation manifest if not silent: record = manifest.record() @@ -1520,8 +1450,7 @@ class file: # rm -f config.pki_log.info(log.PKIHELPER_RM_F_1, name, extra=config.PKI_INDENTATION_LEVEL_2) - if not config.pki_dry_run_flag: - os.remove(name) + os.remove(name) except OSError as exc: config.pki_log.error(log.PKI_OSERROR_1, exc, extra=config.PKI_INDENTATION_LEVEL_2) @@ -1544,20 +1473,7 @@ class file: perms=config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS, acls=None, overwrite_flag=False, critical_failure=True): try: - if config.pki_dry_run_flag: - # cp -p - config.pki_log.info(log.PKIHELPER_CP_P_2, - old_name, new_name, - extra=config.PKI_INDENTATION_LEVEL_2) - # chmod - config.pki_log.debug(log.PKIHELPER_CHMOD_2, - perms, new_name, - extra=config.PKI_INDENTATION_LEVEL_3) - # chown : - config.pki_log.debug(log.PKIHELPER_CHOWN_3, - uid, gid, new_name, - extra=config.PKI_INDENTATION_LEVEL_3) - elif not os.path.exists(old_name) or not os.path.isfile(old_name): + if not os.path.exists(old_name) or not os.path.isfile(old_name): config.pki_log.error( log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, old_name, extra=config.PKI_INDENTATION_LEVEL_2) 
@@ -1616,72 +1532,49 @@ class file: perms=config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS, acls=None, critical_failure=True): try: - if config.pki_dry_run_flag: - # applying in-place slot substitutions on - config.pki_log.info(log.PKIHELPER_APPLY_SLOT_SUBSTITUTION_1, - name, - extra=config.PKI_INDENTATION_LEVEL_2) - # NOTE: During dry_run, this file may not exist! - if os.path.exists(name) and os.path.isfile(name): - for line in fileinput.FileInput(name, inplace=1): - for slot in slots: - if slot != '__name__' and slots[slot] in line: - config.pki_log.debug( - log.PKIHELPER_SLOT_SUBSTITUTION_2, - slots[slot], master[slot], - extra=config.PKI_INDENTATION_LEVEL_3) - # chmod - config.pki_log.debug(log.PKIHELPER_CHMOD_2, - perms, name, - extra=config.PKI_INDENTATION_LEVEL_3) - # chown : - config.pki_log.debug(log.PKIHELPER_CHOWN_3, - uid, gid, name, - extra=config.PKI_INDENTATION_LEVEL_3) - else: - if not os.path.exists(name) or not os.path.isfile(name): - config.pki_log.error( - log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, name, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - # applying in-place slot substitutions on - config.pki_log.info(log.PKIHELPER_APPLY_SLOT_SUBSTITUTION_1, - name, - extra=config.PKI_INDENTATION_LEVEL_2) - for line in fileinput.FileInput(name, inplace=1): - for slot in slots: - if slot != '__name__' and slots[slot] in line: - config.pki_log.debug( - log.PKIHELPER_SLOT_SUBSTITUTION_2, - slots[slot], master[slot], - extra=config.PKI_INDENTATION_LEVEL_3) - line=line.replace(slots[slot],master[slot]) - sys.stdout.write(line) - if uid == None: - uid = identity.get_uid() - if gid == None: - gid = identity.get_gid() - # chmod - config.pki_log.debug(log.PKIHELPER_CHMOD_2, - perms, name, - extra=config.PKI_INDENTATION_LEVEL_3) - os.chmod(name, perms) - # chown : - config.pki_log.debug(log.PKIHELPER_CHOWN_3, - uid, gid, name, - extra=config.PKI_INDENTATION_LEVEL_3) - os.chown(name, uid, gid) - # Store record in installation manifest - record = 
manifest.record() - record.name = name - record.type = manifest.RECORD_TYPE_FILE - record.user = master['pki_user'] - record.group = master['pki_group'] - record.uid = uid - record.gid = gid - record.permissions = perms - record.acls = acls - manifest.database.append(record) + if not os.path.exists(name) or not os.path.isfile(name): + config.pki_log.error( + log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, name, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # applying in-place slot substitutions on + config.pki_log.info(log.PKIHELPER_APPLY_SLOT_SUBSTITUTION_1, + name, + extra=config.PKI_INDENTATION_LEVEL_2) + for line in fileinput.FileInput(name, inplace=1): + for slot in slots: + if slot != '__name__' and slots[slot] in line: + config.pki_log.debug( + log.PKIHELPER_SLOT_SUBSTITUTION_2, + slots[slot], master[slot], + extra=config.PKI_INDENTATION_LEVEL_3) + line=line.replace(slots[slot],master[slot]) + sys.stdout.write(line) + if uid == None: + uid = identity.get_uid() + if gid == None: + gid = identity.get_gid() + # chmod + config.pki_log.debug(log.PKIHELPER_CHMOD_2, + perms, name, + extra=config.PKI_INDENTATION_LEVEL_3) + os.chmod(name, perms) + # chown : + config.pki_log.debug(log.PKIHELPER_CHOWN_3, + uid, gid, name, + extra=config.PKI_INDENTATION_LEVEL_3) + os.chown(name, uid, gid) + # Store record in installation manifest + record = manifest.record() + record.name = name + record.type = manifest.RECORD_TYPE_FILE + record.user = master['pki_user'] + record.group = master['pki_group'] + record.uid = uid + record.gid = gid + record.permissions = perms + record.acls = acls + manifest.database.append(record) except OSError as exc: config.pki_log.error(log.PKI_OSERROR_1, exc, extra=config.PKI_INDENTATION_LEVEL_2) 
@@ -1700,27 +1593,7 @@ class file: acls=None, overwrite_flag=False, critical_failure=True): try: - if config.pki_dry_run_flag: - # copy to with slot substitutions - config.pki_log.info(log.PKIHELPER_COPY_WITH_SLOT_SUBSTITUTION_2, - old_name, new_name, - extra=config.PKI_INDENTATION_LEVEL_2) - for line in fileinput.FileInput(old_name): - for slot in slots: - if slot != '__name__' and slots[slot] in line: - config.pki_log.debug( - log.PKIHELPER_SLOT_SUBSTITUTION_2, - slots[slot], master[slot], - extra=config.PKI_INDENTATION_LEVEL_3) - # chmod - config.pki_log.debug(log.PKIHELPER_CHMOD_2, - perms, new_name, - extra=config.PKI_INDENTATION_LEVEL_3) - # chown : - config.pki_log.debug(log.PKIHELPER_CHOWN_3, - uid, gid, new_name, - extra=config.PKI_INDENTATION_LEVEL_3) - elif not os.path.exists(old_name) or not os.path.isfile(old_name): + if not os.path.exists(old_name) or not os.path.isfile(old_name): config.pki_log.error( log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, old_name, extra=config.PKI_INDENTATION_LEVEL_2) @@ -1793,18 +1666,16 @@ class file: # filling it with random bytes config.pki_log.info(log.PKIHELPER_NOISE_FILE_2, name, bytes, extra=config.PKI_INDENTATION_LEVEL_2) - if not config.pki_dry_run_flag: - open(name, "w").close() - FILE = open(name, "w") - noise = ''.join(random.choice(string.ascii_letters +\ - string.digits) for x in range(bytes)) - FILE.write(noise) - FILE.close() + open(name, "w").close() + FILE = open(name, "w") + noise = ''.join(random.choice(string.ascii_letters +\ + string.digits) for x in range(bytes)) + FILE.write(noise) + FILE.close() # chmod config.pki_log.debug(log.PKIHELPER_CHMOD_2, perms, name, extra=config.PKI_INDENTATION_LEVEL_3) - if not config.pki_dry_run_flag: - os.chmod(name, perms) + os.chmod(name, perms) # chown : if uid == None: uid = identity.get_uid() 
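Review bot: The noise file in the `@@ -1793,18 +1666,16 @@` hunk is filled from the `random` module, a deterministic Mersenne Twister generator that is not meant for key material; the later certutil hunk checks for a `noise_file`, so this presumably seeds key generation. Drawing from the OS source keeps the same output shape: `rng = random.SystemRandom()` and then `noise = ''.join(rng.choice(string.ascii_letters + string.digits) for x in range(bytes))`. The file is also written before `os.chmod(name, perms)` runs, so it briefly exists with umask-default permissions, and the first `open(name, "w").close()` is redundant because the second open truncates anyway. The enclosing method starts and ends outside the hunk.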
@@ -1813,8 +1684,7 @@ class file: config.pki_log.debug(log.PKIHELPER_CHOWN_3, uid, gid, name, extra=config.PKI_INDENTATION_LEVEL_3) - if not config.pki_dry_run_flag: - os.chown(name, uid, gid) + os.chown(name, uid, gid) # Store record in installation manifest record = manifest.record() record.name = name @@ -1849,18 +1719,16 @@ class symlink: acls=None, allow_dangling_symlink=False, critical_failure=True): try: if not os.path.exists(link): - if not config.pki_dry_run_flag: - if not os.path.exists(name): - config.pki_log.warning( - log.PKIHELPER_DANGLING_SYMLINK_2, link, name, - extra=config.PKI_INDENTATION_LEVEL_2) - if not allow_dangling_symlink: - sys.exit(1) + if not os.path.exists(name): + config.pki_log.warning( + log.PKIHELPER_DANGLING_SYMLINK_2, link, name, + extra=config.PKI_INDENTATION_LEVEL_2) + if not allow_dangling_symlink: + sys.exit(1) # ln -s config.pki_log.info(log.PKIHELPER_LINK_S_2, name, link, extra=config.PKI_INDENTATION_LEVEL_2) - if not config.pki_dry_run_flag: - os.symlink(name, link) + os.symlink(name, link) # REMINDER: Due to POSIX compliance, 'lchmod' is NEVER # implemented on Linux systems since 'chmod' # CANNOT be run directly against symbolic links! @@ -1872,8 +1740,7 @@ class symlink: config.pki_log.debug(log.PKIHELPER_CHOWN_H_3, uid, gid, link, extra=config.PKI_INDENTATION_LEVEL_3) - if not config.pki_dry_run_flag: - os.lchown(link, uid, gid) + os.lchown(link, uid, gid) # Store record in installation manifest record = manifest.record() record.name = link @@ -1928,8 +1795,7 @@ class symlink: config.pki_log.debug(log.PKIHELPER_CHOWN_H_3, uid, gid, link, extra=config.PKI_INDENTATION_LEVEL_3) - if not config.pki_dry_run_flag: - os.lchown(link, uid, gid) + os.lchown(link, uid, gid) # Store record in installation manifest if not silent: record = manifest.record() 
@@ -1967,8 +1833,7 @@ class symlink: # rm -f config.pki_log.info(log.PKIHELPER_RM_F_1, link, extra=config.PKI_INDENTATION_LEVEL_2) - if not config.pki_dry_run_flag: - os.remove(link) + os.remove(link) except OSError as exc: config.pki_log.error(log.PKI_OSERROR_1, exc, extra=config.PKI_INDENTATION_LEVEL_2) @@ -1999,21 +1864,19 @@ class war: name, extra=config.PKI_INDENTATION_LEVEL_2) if critical_failure == True: sys.exit(1) - if not config.pki_dry_run_flag: - if not os.path.exists(path) or not os.path.isdir(path): - config.pki_log.error( - log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, - path, extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(1) + if not os.path.exists(path) or not os.path.isdir(path): + config.pki_log.error( + log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, + path, extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(1) # jar -xf -C config.pki_log.info(log.PKIHELPER_JAR_XF_C_2, name, path, extra=config.PKI_INDENTATION_LEVEL_2) - if not config.pki_dry_run_flag: - # Open war file - war = zipfile.ZipFile(name, 'r') - # Extract contents of war file to path - war.extractall(path) + # Open war file + war = zipfile.ZipFile(name, 'r') + # Extract contents of war file to path + war.extractall(path) else: config.pki_log.error( log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, name, 
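Review bot: `war = zipfile.ZipFile(name, 'r')` in the `@@ -1999,21 +1864,19 @@` hunk is never closed, and `war.extractall(path)` writes whatever member names the archive carries. Closing is a small change: wrap the call as `try: war.extractall(path)` with `finally: war.close()`. If the WAR can come from anywhere other than the installed package, each member name should be checked to resolve under `path` before extraction, since older Python 2 `zipfile` releases do not strip `..` or absolute names; where `name` comes from is not shown in this hunk. The method body continues outside the hunk.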
@@ -2043,28 +1906,12 @@ class password: def create_password_conf(self, path, pin, pin_sans_token=False, overwrite_flag=False, critical_failure=True): try: - if not config.pki_dry_run_flag: - if os.path.exists(path): - if overwrite_flag: - config.pki_log.info( - log.PKIHELPER_PASSWORD_CONF_1, path, - extra=config.PKI_INDENTATION_LEVEL_2) - # overwrite the existing 'password.conf' file - with open(path, "wt") as fd: - if pin_sans_token == True: - fd.write(str(pin)) - elif master['pki_subsystem'] in\ - config.PKI_APACHE_SUBSYSTEMS: - fd.write(master['pki_self_signed_token'] +\ - ":" + str(pin)) - else: - fd.write(master['pki_self_signed_token'] +\ - "=" + str(pin)) - fd.closed - else: - config.pki_log.info(log.PKIHELPER_PASSWORD_CONF_1, path, - extra=config.PKI_INDENTATION_LEVEL_2) - # create a new 'password.conf' file + if os.path.exists(path): + if overwrite_flag: + config.pki_log.info( + log.PKIHELPER_PASSWORD_CONF_1, path, + extra=config.PKI_INDENTATION_LEVEL_2) + # overwrite the existing 'password.conf' file with open(path, "wt") as fd: if pin_sans_token == True: fd.write(str(pin)) @@ -2077,9 +1924,20 @@ class password: "=" + str(pin)) fd.closed else: - if not os.path.exists(path) or overwrite_flag: - config.pki_log.info(log.PKIHELPER_PASSWORD_CONF_1, path, - extra=config.PKI_INDENTATION_LEVEL_2) + config.pki_log.info(log.PKIHELPER_PASSWORD_CONF_1, path, + extra=config.PKI_INDENTATION_LEVEL_2) + # create a new 'password.conf' file + with open(path, "wt") as fd: + if pin_sans_token == True: + fd.write(str(pin)) + elif master['pki_subsystem'] in\ + config.PKI_APACHE_SUBSYSTEMS: + fd.write(master['pki_self_signed_token'] +\ + ":" + str(pin)) + else: + fd.write(master['pki_self_signed_token'] +\ + "=" + str(pin)) + fd.closed except OSError as exc: config.pki_log.error(log.PKI_OSERROR_1, exc, extra=config.PKI_INDENTATION_LEVEL_2) 
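Review bot: `open(path, "wt")` in create_password_conf creates password.conf with whatever mode the process umask allows, and the token pin is written before any chmod visible in this diff; the same applies to `pkcs12_password.conf` in the create_client_pkcs12_password_conf hunk that follows. Creating the file owner-only from the start avoids that window: `fd = os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), "w")`. A caller may tighten the mode afterwards, but that is outside these hunks. `fd.closed` is an attribute read with no effect and can be dropped, since the `with` block already closes the file.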
@@ -2090,27 +1948,22 @@ class password: def create_client_pkcs12_password_conf(self, path, overwrite_flag=False, critical_failure=True): try: - if not config.pki_dry_run_flag: - if os.path.exists(path): - if overwrite_flag: - config.pki_log.info( - log.PKIHELPER_PASSWORD_CONF_1, path, - extra=config.PKI_INDENTATION_LEVEL_2) - # overwrite the existing 'pkcs12_password.conf' file - with open(path, "wt") as fd: - fd.write(sensitive['pki_client_pkcs12_password']) - fd.closed - else: - config.pki_log.info(log.PKIHELPER_PASSWORD_CONF_1, path, - extra=config.PKI_INDENTATION_LEVEL_2) - # create a new 'pkcs12_password.conf' file + if os.path.exists(path): + if overwrite_flag: + config.pki_log.info( + log.PKIHELPER_PASSWORD_CONF_1, path, + extra=config.PKI_INDENTATION_LEVEL_2) + # overwrite the existing 'pkcs12_password.conf' file with open(path, "wt") as fd: fd.write(sensitive['pki_client_pkcs12_password']) fd.closed else: - if not os.path.exists(path) or overwrite_flag: - config.pki_log.info(log.PKIHELPER_PASSWORD_CONF_1, path, - extra=config.PKI_INDENTATION_LEVEL_2) + config.pki_log.info(log.PKIHELPER_PASSWORD_CONF_1, path, + extra=config.PKI_INDENTATION_LEVEL_2) + # create a new 'pkcs12_password.conf' file + with open(path, "wt") as fd: + fd.write(sensitive['pki_client_pkcs12_password']) + fd.closed except OSError as exc: config.pki_log.error(log.PKI_OSERROR_1, exc, extra=config.PKI_INDENTATION_LEVEL_2) 
@@ -2140,55 +1993,37 @@ class certutil: command = command + " " + "-f" + " " + password_file if prefix != None: command = command + " " + "-P" + " " + prefix - if not config.pki_dry_run_flag: - if not os.path.exists(path): - config.pki_log.error( - log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, path, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - if os.path.exists(pki_cert_database) or\ - os.path.exists(pki_key_database) or\ - os.path.exists(pki_secmod_database): - # Simply notify user that the security databases exist - config.pki_log.info( - log.PKI_SECURITY_DATABASES_ALREADY_EXIST_3, - pki_cert_database, - pki_key_database, - pki_secmod_database, - extra=config.PKI_INDENTATION_LEVEL_2) - else: - if password_file != None: - if not os.path.exists(password_file) or\ - not os.path.isfile(password_file): - config.pki_log.error( - log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, - password_file, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - # Display this "certutil" command - config.pki_log.info( - log.PKIHELPER_CREATE_SECURITY_DATABASES_1, - command, - extra=config.PKI_INDENTATION_LEVEL_2) - # Execute this "certutil" command - subprocess.call(command, shell=True) + if not os.path.exists(path): + config.pki_log.error( + log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, path, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if os.path.exists(pki_cert_database) or\ + os.path.exists(pki_key_database) or\ + os.path.exists(pki_secmod_database): + # Simply notify user that the security databases exist + config.pki_log.info( + log.PKI_SECURITY_DATABASES_ALREADY_EXIST_3, + pki_cert_database, + pki_key_database, + pki_secmod_database, + extra=config.PKI_INDENTATION_LEVEL_2) else: - if os.path.exists(pki_cert_database) or\ - os.path.exists(pki_key_database) or\ - os.path.exists(pki_secmod_database): - # Simply notify user that the security databases exist - config.pki_log.info( - log.PKI_SECURITY_DATABASES_ALREADY_EXIST_3, - pki_cert_database, - pki_key_database, 
- pki_secmod_database, - extra=config.PKI_INDENTATION_LEVEL_2) - else: - # Display this "certutil" command - config.pki_log.info( - log.PKIHELPER_CREATE_SECURITY_DATABASES_1, - command, - extra=config.PKI_INDENTATION_LEVEL_2) + if password_file != None: + if not os.path.exists(password_file) or\ + not os.path.isfile(password_file): + config.pki_log.error( + log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, + password_file, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + # Display this "certutil" command + config.pki_log.info( + log.PKIHELPER_CREATE_SECURITY_DATABASES_1, + command, + extra=config.PKI_INDENTATION_LEVEL_2) + # Execute this "certutil" command + subprocess.call(command, shell=True) except subprocess.CalledProcessError as exc: config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, extra=config.PKI_INDENTATION_LEVEL_2) 
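Review bot: `subprocess.call(command, shell=True)` at the end of the `@@ -2140,55 +1993,37 @@` hunk discards certutil's exit status, and `subprocess.call` never raises `CalledProcessError`, so the `except subprocess.CalledProcessError` handler that follows is unreachable and a failed database creation goes unnoticed. `subprocess.check_call(command, shell=True)` would make the handler live; the self-signed certificate hunk and the three systemd hunks further down have the same pattern. The command is also assembled by string concatenation from values such as `password_file` and `prefix` and run through a shell, so a value containing spaces or shell metacharacters changes what is executed; passing an argument list without `shell=True` removes that dependency. The method starts outside the hunk.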
@@ -2239,37 +2074,30 @@ class certutil: # By default, execute this command silently if silent != False: command = command + " > /dev/null 2>&1" - if not config.pki_dry_run_flag: - if not os.path.exists(path): - config.pki_log.error( - log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, path, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - if not os.path.exists(pki_cert_database) or\ - not os.path.exists(pki_key_database) or\ - not os.path.exists(pki_secmod_database): - # NSS security databases MUST exist! + if not os.path.exists(path): + config.pki_log.error( + log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, path, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if not os.path.exists(pki_cert_database) or\ + not os.path.exists(pki_key_database) or\ + not os.path.exists(pki_secmod_database): + # NSS security databases MUST exist! + config.pki_log.error( + log.PKI_SECURITY_DATABASES_DO_NOT_EXIST_3, + pki_cert_database, + pki_key_database, + pki_secmod_database, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if password_file != None: + if not os.path.exists(password_file) or\ + not os.path.isfile(password_file): config.pki_log.error( - log.PKI_SECURITY_DATABASES_DO_NOT_EXIST_3, - pki_cert_database, - pki_key_database, - pki_secmod_database, + log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, + password_file, extra=config.PKI_INDENTATION_LEVEL_2) sys.exit(1) - if password_file != None: - if not os.path.exists(password_file) or\ - not os.path.isfile(password_file): - config.pki_log.error( - log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, - password_file, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - else: - # Check for first time through as dry_run - if not os.path.exists(pki_cert_database) or\ - not os.path.exists(pki_key_database) or\ - not os.path.exists(pki_secmod_database): - return False # Execute this "certutil" command subprocess.check_call(command, shell=True) except subprocess.CalledProcessError as exc: 
@@ -2376,39 +2204,38 @@ class certutil: config.pki_log.info( log.PKIHELPER_CERTUTIL_SELF_SIGNED_CERTIFICATE_1, command, extra=config.PKI_INDENTATION_LEVEL_2) - if not config.pki_dry_run_flag: - if not os.path.exists(path): - config.pki_log.error( - log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, path, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - if not os.path.exists(pki_cert_database) or\ - not os.path.exists(pki_key_database) or\ - not os.path.exists(pki_secmod_database): - # NSS security databases MUST exist! - config.pki_log.error( - log.PKI_SECURITY_DATABASES_DO_NOT_EXIST_3, - pki_cert_database, - pki_key_database, - pki_secmod_database, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - if not os.path.exists(noise_file): + if not os.path.exists(path): + config.pki_log.error( + log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, path, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if not os.path.exists(pki_cert_database) or\ + not os.path.exists(pki_key_database) or\ + not os.path.exists(pki_secmod_database): + # NSS security databases MUST exist! 
+ config.pki_log.error( + log.PKI_SECURITY_DATABASES_DO_NOT_EXIST_3, + pki_cert_database, + pki_key_database, + pki_secmod_database, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if not os.path.exists(noise_file): + config.pki_log.error( + log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, + noise_file, + extra=config.PKI_INDENTATION_LEVEL_2) + sys.exit(1) + if password_file != None: + if not os.path.exists(password_file) or\ + not os.path.isfile(password_file): config.pki_log.error( - log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1, - noise_file, + log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, + password_file, extra=config.PKI_INDENTATION_LEVEL_2) sys.exit(1) - if password_file != None: - if not os.path.exists(password_file) or\ - not os.path.isfile(password_file): - config.pki_log.error( - log.PKI_FILE_MISSING_OR_NOT_A_FILE_1, - password_file, - extra=config.PKI_INDENTATION_LEVEL_2) - sys.exit(1) - # Execute this "certutil" command - subprocess.call(command, shell=True) + # Execute this "certutil" command + subprocess.call(command, shell=True) except subprocess.CalledProcessError as exc: config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, extra=config.PKI_INDENTATION_LEVEL_2) 
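Review bot: The `noise_file` check in this hunk tests only `os.path.exists(noise_file)` and reports `log.PKI_DIRECTORY_MISSING_OR_NOT_A_DIRECTORY_1`, although the password-file check right below it uses `os.path.isfile` with `log.PKI_FILE_MISSING_OR_NOT_A_FILE_1`. Aligning the two gives `if not os.path.exists(noise_file) or not os.path.isfile(noise_file):` with `log.PKI_FILE_MISSING_OR_NOT_A_FILE_1` as the message, so a directory or other non-file at that path is rejected and the log names the real problem. The method starts outside the hunk.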
@@ -2552,46 +2379,45 @@ class security_domain: params, updateURL, sechost, secagentport) # update domainXML - if not config.pki_dry_run_flag: - # Execute this "sslget" command - output = subprocess.check_output(command, - stderr=subprocess.STDOUT, - shell=True) - config.pki_log.debug(log.PKIHELPER_SSLGET_OUTPUT_1, - output, - extra=config.PKI_INDENTATION_LEVEL_2) - # Search the output for Status - status = re.findall("\(.*?)\<\/Status\>", output) - if not status: - config.pki_log.warning( - log.PKIHELPER_SECURITY_DOMAIN_UNREACHABLE_1, - secname, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(-1) - elif status[0] != "0": - error = re.findall("\(.*?)\<\/Error\>", output) - if not error: - error = "" - config.pki_log.warning( - log.PKIHELPER_SECURITY_DOMAIN_UNREGISTERED_2, - typeval, - secname, - extra=config.PKI_INDENTATION_LEVEL_2) - config.pki_log.error( - log.PKIHELPER_SECURITY_DOMAIN_UPDATE_FAILURE_3, - typeval, - secname, - error, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure == True: - sys.exit(-1) - else: - config.pki_log.info( - log.PKIHELPER_SECURITY_DOMAIN_UPDATE_SUCCESS_2, - typeval, - secname, - extra=config.PKI_INDENTATION_LEVEL_2) + # Execute this "sslget" command + output = subprocess.check_output(command, + stderr=subprocess.STDOUT, + shell=True) + config.pki_log.debug(log.PKIHELPER_SSLGET_OUTPUT_1, + output, + extra=config.PKI_INDENTATION_LEVEL_2) + # Search the output for Status + status = re.findall("\(.*?)\<\/Status\>", output) + if not status: + config.pki_log.warning( + log.PKIHELPER_SECURITY_DOMAIN_UNREACHABLE_1, + secname, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(-1) + elif status[0] != "0": + error = re.findall("\(.*?)\<\/Error\>", output) + if not error: + error = "" + config.pki_log.warning( + log.PKIHELPER_SECURITY_DOMAIN_UNREGISTERED_2, + typeval, + secname, + extra=config.PKI_INDENTATION_LEVEL_2) + config.pki_log.error( + 
log.PKIHELPER_SECURITY_DOMAIN_UPDATE_FAILURE_3, + typeval, + secname, + error, + extra=config.PKI_INDENTATION_LEVEL_2) + if critical_failure == True: + sys.exit(-1) + else: + config.pki_log.info( + log.PKIHELPER_SECURITY_DOMAIN_UPDATE_SUCCESS_2, + typeval, + secname, + extra=config.PKI_INDENTATION_LEVEL_2) except subprocess.CalledProcessError as exc: config.pki_log.warning( log.PKIHELPER_SECURITY_DOMAIN_UPDATE_FAILURE_2, @@ -2628,9 +2454,8 @@ class systemd: config.pki_log.info( log.PKIHELPER_SYSTEMD_COMMAND_1, command, extra=config.PKI_INDENTATION_LEVEL_2) - if not config.pki_dry_run_flag: - # Execute this "systemd" execution management command - subprocess.call(command, shell=True) + # Execute this "systemd" execution management command + subprocess.call(command, shell=True) except subprocess.CalledProcessError as exc: config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, extra=config.PKI_INDENTATION_LEVEL_2) @@ -2655,9 +2480,8 @@ class systemd: config.pki_log.info( log.PKIHELPER_SYSTEMD_COMMAND_1, command, extra=config.PKI_INDENTATION_LEVEL_2) - if not config.pki_dry_run_flag: - # Execute this "systemd" execution management command - subprocess.call(command, shell=True) + # Execute this "systemd" execution management command + subprocess.call(command, shell=True) except subprocess.CalledProcessError as exc: config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, extra=config.PKI_INDENTATION_LEVEL_2) @@ -2682,9 +2506,8 @@ class systemd: config.pki_log.info( log.PKIHELPER_SYSTEMD_COMMAND_1, command, extra=config.PKI_INDENTATION_LEVEL_2) - if not config.pki_dry_run_flag: - # Execute this "systemd" execution management command - subprocess.call(command, shell=True) + # Execute this "systemd" execution management command + subprocess.call(command, shell=True) except subprocess.CalledProcessError as exc: config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc, extra=config.PKI_INDENTATION_LEVEL_2) 
diff --git a/base/deploy/src/scriptlets/pkijython.py b/base/deploy/src/scriptlets/pkijython.py index 4321e0a2a..8d027f91a 100644 --- a/base/deploy/src/scriptlets/pkijython.py +++ b/base/deploy/src/scriptlets/pkijython.py @@ -218,15 +218,14 @@ def read_simple_configuration_file(filename): # PKI Deployment 'security databases' Class class security_databases: - def initialize_token(self, pki_database_path, pki_dry_run_flag, log_level): + def initialize_token(self, pki_database_path, log_level): try: if log_level >= config.PKI_JYTHON_INFO_LOG_LEVEL: print "%s %s '%s'" %\ (log.PKI_JYTHON_INDENTATION_2, log.PKI_JYTHON_INITIALIZING_TOKEN, pki_database_path) - if not pki_dry_run_flag: - CryptoManager.initialize(pki_database_path) + CryptoManager.initialize(pki_database_path) except AlreadyInitializedException, e: # it is ok if it is already initialized pass @@ -235,8 +234,7 @@ class security_databases: " " + str(e)) javasystem.exit(1) - def log_into_token(self, pki_database_path, password_conf, - pki_dry_run_flag, log_level): + def log_into_token(self, pki_database_path, password_conf, log_level): token = None try: if log_level >= config.PKI_JYTHON_INFO_LOG_LEVEL: 
@@ -244,28 +242,27 @@ class security_databases: (log.PKI_JYTHON_INDENTATION_2, log.PKI_JYTHON_LOG_INTO_TOKEN, pki_database_path) - if not pki_dry_run_flag: - manager = CryptoManager.getInstance() - token = manager.getInternalKeyStorageToken() - # Retrieve 'password' from client-side 'password_conf' - # - # NOTE: For now, ONLY read the first line - # (which contains "password") - # - fd = open(password_conf, "r") - token_pwd = fd.readline() - fd.close - # Convert 'token_pwd' into a 'java char[]' - jtoken_pwd = jarray.array(token_pwd, 'c') - password = Password(jtoken_pwd) - try: - token.login(password) - except Exception, e: - javasystem.out.println(log.PKI_JYTHON_LOGIN_EXCEPTION +\ - " " + str(e)) - if not token.isLoggedIn(): - token.initPassword(password, password) - javasystem.exit(1) + manager = CryptoManager.getInstance() + token = manager.getInternalKeyStorageToken() + # Retrieve 'password' from client-side 'password_conf' + # + # NOTE: For now, ONLY read the first line + # (which contains "password") + # + fd = open(password_conf, "r") + token_pwd = fd.readline() + fd.close + # Convert 'token_pwd' into a 'java char[]' + jtoken_pwd = jarray.array(token_pwd, 'c') + password = Password(jtoken_pwd) + try: + token.login(password) + except Exception, e: + javasystem.out.println(log.PKI_JYTHON_LOGIN_EXCEPTION +\ + " " + str(e)) + if not token.isLoggedIn(): + token.initPassword(password, password) + javasystem.exit(1) except Exception, e: javasystem.out.println(log.PKI_JYTHON_TOKEN_LOGIN_EXCEPTION +\ " " + str(e)) @@ -289,8 +286,7 @@ class rest_client: (log.PKI_JYTHON_INDENTATION_2, log.PKI_JYTHON_INITIALIZING_REST_CLIENT, client_config.serverURI) - if not master['pki_dry_run_flag']: - self.client = SystemConfigClient(client_config) + self.client = SystemConfigClient(client_config) return self.client except URISyntaxException, e: e.printStackTrace() 
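Review bot: `fd.close` in log_into_token (hunk `@@ -244,28 +242,27 @@`) is missing its call parentheses, so the handle on `password_conf` is never closed. `fd.readline()` also keeps any trailing newline, which then becomes part of the `char[]` handed to `Password`; `token_pwd = fd.readline().rstrip('\n')` followed by `fd.close()` covers both. Whether the file ever ends with a newline depends on its writer, which is not in this hunk. The method's signature sits in the preceding hunk.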
@@ -421,132 +417,131 @@ class rest_client: (log.PKI_JYTHON_INDENTATION_2, log.PKI_JYTHON_CONSTRUCTING_PKI_DATA, master['pki_subsystem']) - if not master['pki_dry_run_flag']: - data = ConfigurationRequest() - - # Miscellaneous Configuration Information - data.setPin(self.sensitive['pki_one_time_pin']) - data.setToken(ConfigurationRequest.TOKEN_DEFAULT) - data.setSubsystemName(master['pki_subsystem_name']) - - # Hierarchy - if master['pki_instance_type'] == "Tomcat": - if master['pki_subsystem'] == "CA": - if config.str2bool(master['pki_clone']): - # Cloned CA - # alee - is this correct? - data.setHierarchy("root") - elif config.str2bool(master['pki_external']): - # External CA - data.setHierarchy("join") - elif config.str2bool(master['pki_subordinate']): - # Subordinate CA - data.setHierarchy("join") - else: - # PKI CA - data.setHierarchy("root") - - # Cloning parameters - if master['pki_instance_type'] == "Tomcat": - if config.str2bool(master['pki_clone']): - self.set_cloning_parameters(data) - else: - data.setIsClone("false") - - # Security Domain - if master['pki_subsystem'] != "CA" or\ - config.str2bool(master['pki_clone']) or\ - config.str2bool(master['pki_subordinate']): - # PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS, - # CA Clone, KRA Clone, OCSP Clone, TKS Clone, or - # Subordinate CA - self.set_existing_security_domain(data) - elif not config.str2bool(master['pki_external']): - # PKI CA - self.set_new_security_domain(data) + data = ConfigurationRequest() - if master['pki_subsystem'] != "RA": - self.set_database_parameters(data) + # Miscellaneous Configuration Information + data.setPin(self.sensitive['pki_one_time_pin']) + data.setToken(ConfigurationRequest.TOKEN_DEFAULT) + data.setSubsystemName(master['pki_subsystem_name']) - if master['pki_instance_type'] == "Tomcat": - self.set_backup_parameters(data) - - if not config.str2bool(master['pki_clone']): - self.set_admin_parameters(token, data) - - # Issuing CA Information - if master['pki_subsystem'] != "CA" 
or\ - config.str2bool(master['pki_clone']) or\ - config.str2bool(master['pki_subordinate']) or\ - config.str2bool(master['pki_external']): - # PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS, - # CA Clone, KRA Clone, OCSP Clone, TKS Clone, - # Subordinate CA, or External CA - data.setIssuingCA(master['pki_issuing_ca']) - - # Create system certs - systemCerts = ArrayList() - - # Create 'CA Signing Certificate' + # Hierarchy + if master['pki_instance_type'] == "Tomcat": if master['pki_subsystem'] == "CA": - if not config.str2bool(master['pki_clone']): - cert = self.create_system_cert("ca_signing") - cert.setSigningAlgorithm( - master['pki_ca_signing_signing_algorithm']) - systemCerts.add(cert) + if config.str2bool(master['pki_clone']): + # Cloned CA + # alee - is this correct? + data.setHierarchy("root") + elif config.str2bool(master['pki_external']): + # External CA + data.setHierarchy("join") + elif config.str2bool(master['pki_subordinate']): + # Subordinate CA + data.setHierarchy("join") + else: + # PKI CA + data.setHierarchy("root") - # Create 'OCSP Signing Certificate' - if not config.str2bool(master['pki_clone']): - if master['pki_subsystem'] == "CA" or\ - master['pki_subsystem'] == "OCSP": - # External CA, Subordinate CA, PKI CA, or PKI OCSP - cert2 = self.create_system_cert("ocsp_signing") - cert2.setSigningAlgorithm( - master['pki_ocsp_signing_signing_algorithm']) - systemCerts.add(cert2) - - # Create 'SSL Server Certificate' - # all subsystems - - # create new sslserver cert only if this is a new instance - cert3 = None - system_list = self.tomcat_instance_subsystems() - if len(system_list) >= 2: - data.setGenerateServerCert("false") - for subsystem in system_list: - dst = master['pki_instance_path'] + '/conf/' +\ - subsystem.lower() + '/CS.cfg' - if subsystem != master['pki_subsystem'] and \ - os.path.exists(dst): - cert3 = self.retrieve_existing_server_cert(dst) - break + # Cloning parameters + if master['pki_instance_type'] == "Tomcat": + if 
config.str2bool(master['pki_clone']): + self.set_cloning_parameters(data) else: - cert3 = self.create_system_cert("ssl_server") - systemCerts.add(cert3) - - # Create 'Subsystem Certificate' + data.setIsClone("false") + + # Security Domain + if master['pki_subsystem'] != "CA" or\ + config.str2bool(master['pki_clone']) or\ + config.str2bool(master['pki_subordinate']): + # PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS, + # CA Clone, KRA Clone, OCSP Clone, TKS Clone, or + # Subordinate CA + self.set_existing_security_domain(data) + elif not config.str2bool(master['pki_external']): + # PKI CA + self.set_new_security_domain(data) + + if master['pki_subsystem'] != "RA": + self.set_database_parameters(data) + + if master['pki_instance_type'] == "Tomcat": + self.set_backup_parameters(data) + + if not config.str2bool(master['pki_clone']): + self.set_admin_parameters(token, data) + + # Issuing CA Information + if master['pki_subsystem'] != "CA" or\ + config.str2bool(master['pki_clone']) or\ + config.str2bool(master['pki_subordinate']) or\ + config.str2bool(master['pki_external']): + # PKI KRA, PKI OCSP, PKI RA, PKI TKS, PKI TPS, + # CA Clone, KRA Clone, OCSP Clone, TKS Clone, + # Subordinate CA, or External CA + data.setIssuingCA(master['pki_issuing_ca']) + + # Create system certs + systemCerts = ArrayList() + + # Create 'CA Signing Certificate' + if master['pki_subsystem'] == "CA": if not config.str2bool(master['pki_clone']): - cert4 = self.create_system_cert("subsystem") - systemCerts.add(cert4) + cert = self.create_system_cert("ca_signing") + cert.setSigningAlgorithm( + master['pki_ca_signing_signing_algorithm']) + systemCerts.add(cert) + + # Create 'OCSP Signing Certificate' + if not config.str2bool(master['pki_clone']): + if master['pki_subsystem'] == "CA" or\ + master['pki_subsystem'] == "OCSP": + # External CA, Subordinate CA, PKI CA, or PKI OCSP + cert2 = self.create_system_cert("ocsp_signing") + cert2.setSigningAlgorithm( + master['pki_ocsp_signing_signing_algorithm']) 
+ systemCerts.add(cert2) + + # Create 'SSL Server Certificate' + # all subsystems + + # create new sslserver cert only if this is a new instance + cert3 = None + system_list = self.tomcat_instance_subsystems() + if len(system_list) >= 2: + data.setGenerateServerCert("false") + for subsystem in system_list: + dst = master['pki_instance_path'] + '/conf/' +\ + subsystem.lower() + '/CS.cfg' + if subsystem != master['pki_subsystem'] and \ + os.path.exists(dst): + cert3 = self.retrieve_existing_server_cert(dst) + break + else: + cert3 = self.create_system_cert("ssl_server") + systemCerts.add(cert3) - # Create 'Audit Signing Certificate' - if not config.str2bool(master['pki_clone']): - if master['pki_subsystem'] != "RA": - cert5 = self.create_system_cert("audit_signing") - cert5.setSigningAlgorithm( - master['pki_audit_signing_signing_algorithm']) - systemCerts.add(cert5) + # Create 'Subsystem Certificate' + if not config.str2bool(master['pki_clone']): + cert4 = self.create_system_cert("subsystem") + systemCerts.add(cert4) - # Create DRM Transport and storage Certificates - if not config.str2bool(master['pki_clone']): - if master['pki_subsystem'] == "KRA": - cert6 = self.create_system_cert("transport") - systemCerts.add(cert6) + # Create 'Audit Signing Certificate' + if not config.str2bool(master['pki_clone']): + if master['pki_subsystem'] != "RA": + cert5 = self.create_system_cert("audit_signing") + cert5.setSigningAlgorithm( + master['pki_audit_signing_signing_algorithm']) + systemCerts.add(cert5) + + # Create DRM Transport and storage Certificates + if not config.str2bool(master['pki_clone']): + if master['pki_subsystem'] == "KRA": + cert6 = self.create_system_cert("transport") + systemCerts.add(cert6) - cert7 = self.create_system_cert("storage") - systemCerts.add(cert7) + cert7 = self.create_system_cert("storage") + systemCerts.add(cert7) - data.setSystemCerts(systemCerts) + data.setSystemCerts(systemCerts) return data 
@@ -557,119 +552,118 @@ class rest_client: (log.PKI_JYTHON_INDENTATION_2, log.PKI_JYTHON_CONFIGURING_PKI_DATA, master['pki_subsystem']) - if not master['pki_dry_run_flag']: - try: - response = self.client.configure(data) - javasystem.out.println(log.PKI_JYTHON_RESPONSE_STATUS +\ - " " + response.getStatus()) - certs = response.getSystemCerts() - iterator = certs.iterator() - while iterator.hasNext(): - cdata = iterator.next() - javasystem.out.println(log.PKI_JYTHON_CDATA_TAG + " " +\ - cdata.getTag()) - javasystem.out.println(log.PKI_JYTHON_CDATA_CERT + " " +\ - cdata.getCert()) - javasystem.out.println(log.PKI_JYTHON_CDATA_REQUEST + " " +\ - cdata.getRequest()) - # Cloned PKI subsystems do not return an Admin Certificate - if not config.str2bool(master['pki_clone']): - admin_cert = response.getAdminCert().getCert() - javasystem.out.println(log.PKI_JYTHON_RESPONSE_ADMIN_CERT +\ - " " + admin_cert) - # Store the Administration Certificate in a file - admin_cert_file = os.path.join( - master['pki_client_dir'], - master['pki_client_admin_cert']) - admin_cert_bin_file = admin_cert_file + ".der" - javasystem.out.println(log.PKI_JYTHON_ADMIN_CERT_SAVE +\ - " " + "'" + admin_cert_file + "'") - FILE = open(admin_cert_file, "w") - FILE.write(admin_cert) - FILE.close() - # convert the cert file to binary - command = "AtoB "+ admin_cert_file + " " + admin_cert_bin_file - javasystem.out.println(log.PKI_JYTHON_ADMIN_CERT_ATOB +\ - " " + "'" + command + "'") - os.system(command) - - # Since Jython runs under Java, it does NOT support the - # following operating system specific command: - # - # os.chmod( - # admin_cert_file, - # config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS) - # - # Emulate it with a system call. 
- command = "chmod" + " 660 " + admin_cert_file - javasystem.out.println( - log.PKI_JYTHON_CHMOD +\ - " " + "'" + command + "'") - os.system(command) - - command = "chmod" + " 660 " + admin_cert_bin_file - javasystem.out.println( - log.PKI_JYTHON_CHMOD +\ - " " + "'" + command + "'") - os.system(command) - - # Import the Administration Certificate - # into the client NSS security database - command = "certutil" + " " +\ - "-A" + " " +\ - "-n" + " " + "\"" +\ - re.sub("'", - "'", master['pki_admin_nickname']) +\ - "\"" + " " +\ - "-t" + " " +\ - "\"" + "u,u,u" + "\"" + " " +\ - "-f" + " " +\ - master['pki_client_password_conf'] + " " +\ - "-d" + " " +\ - master['pki_client_database_dir'] + " " +\ - "-i" + " " +\ - admin_cert_bin_file - javasystem.out.println( - log.PKI_JYTHON_ADMIN_CERT_IMPORT +\ - " " + "'" + command + "'") - os.system(command) - # Export the Administration Certificate from the - # client NSS security database into a PKCS #12 file - command = "pk12util" + " " +\ - "-o" + " " +\ - master['pki_client_admin_cert_p12'] + " " +\ - "-n" + " " + "\"" +\ - re.sub("'", - "'", master['pki_admin_nickname']) +\ - "\"" + " " +\ - "-d" + " " +\ - master['pki_client_database_dir'] + " " +\ - "-k" + " " +\ - master['pki_client_password_conf'] + " " +\ - "-w" + " " +\ - master['pki_client_pkcs12_password_conf'] - javasystem.out.println( - log.PKI_JYTHON_ADMIN_CERT_EXPORT +\ - " " + "'" + command + "'") - os.system(command) - # Since Jython runs under Java, it does NOT support the - # following operating system specific command: - # - # os.chmod(master['pki_client_admin_cert_p12'], - # config.\ - # PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS) - # - # Emulate it with a system call. 
- command = "chmod" + " " + "664" + " " +\ - master['pki_client_admin_cert_p12'] - javasystem.out.println( - log.PKI_JYTHON_CHMOD +\ - " " + "'" + command + "'") - os.system(command) - except Exception, e: + try: + response = self.client.configure(data) + javasystem.out.println(log.PKI_JYTHON_RESPONSE_STATUS +\ + " " + response.getStatus()) + certs = response.getSystemCerts() + iterator = certs.iterator() + while iterator.hasNext(): + cdata = iterator.next() + javasystem.out.println(log.PKI_JYTHON_CDATA_TAG + " " +\ + cdata.getTag()) + javasystem.out.println(log.PKI_JYTHON_CDATA_CERT + " " +\ + cdata.getCert()) + javasystem.out.println(log.PKI_JYTHON_CDATA_REQUEST + " " +\ + cdata.getRequest()) + # Cloned PKI subsystems do not return an Admin Certificate + if not config.str2bool(master['pki_clone']): + admin_cert = response.getAdminCert().getCert() + javasystem.out.println(log.PKI_JYTHON_RESPONSE_ADMIN_CERT +\ + " " + admin_cert) + # Store the Administration Certificate in a file + admin_cert_file = os.path.join( + master['pki_client_dir'], + master['pki_client_admin_cert']) + admin_cert_bin_file = admin_cert_file + ".der" + javasystem.out.println(log.PKI_JYTHON_ADMIN_CERT_SAVE +\ + " " + "'" + admin_cert_file + "'") + FILE = open(admin_cert_file, "w") + FILE.write(admin_cert) + FILE.close() + # convert the cert file to binary + command = "AtoB "+ admin_cert_file + " " + admin_cert_bin_file + javasystem.out.println(log.PKI_JYTHON_ADMIN_CERT_ATOB +\ + " " + "'" + command + "'") + os.system(command) + + # Since Jython runs under Java, it does NOT support the + # following operating system specific command: + # + # os.chmod( + # admin_cert_file, + # config.PKI_DEPLOYMENT_DEFAULT_FILE_PERMISSIONS) + # + # Emulate it with a system call. 
+ command = "chmod" + " 660 " + admin_cert_file javasystem.out.println( - log.PKI_JYTHON_JAVA_CONFIGURATION_EXCEPTION + " " + str(e)) - javasystem.exit(1) + log.PKI_JYTHON_CHMOD +\ + " " + "'" + command + "'") + os.system(command) + + command = "chmod" + " 660 " + admin_cert_bin_file + javasystem.out.println( + log.PKI_JYTHON_CHMOD +\ + " " + "'" + command + "'") + os.system(command) + + # Import the Administration Certificate + # into the client NSS security database + command = "certutil" + " " +\ + "-A" + " " +\ + "-n" + " " + "\"" +\ + re.sub("'", + "'", master['pki_admin_nickname']) +\ + "\"" + " " +\ + "-t" + " " +\ + "\"" + "u,u,u" + "\"" + " " +\ + "-f" + " " +\ + master['pki_client_password_conf'] + " " +\ + "-d" + " " +\ + master['pki_client_database_dir'] + " " +\ + "-i" + " " +\ + admin_cert_bin_file + javasystem.out.println( + log.PKI_JYTHON_ADMIN_CERT_IMPORT +\ + " " + "'" + command + "'") + os.system(command) + # Export the Administration Certificate from the + # client NSS security database into a PKCS #12 file + command = "pk12util" + " " +\ + "-o" + " " +\ + master['pki_client_admin_cert_p12'] + " " +\ + "-n" + " " + "\"" +\ + re.sub("'", + "'", master['pki_admin_nickname']) +\ + "\"" + " " +\ + "-d" + " " +\ + master['pki_client_database_dir'] + " " +\ + "-k" + " " +\ + master['pki_client_password_conf'] + " " +\ + "-w" + " " +\ + master['pki_client_pkcs12_password_conf'] + javasystem.out.println( + log.PKI_JYTHON_ADMIN_CERT_EXPORT +\ + " " + "'" + command + "'") + os.system(command) + # Since Jython runs under Java, it does NOT support the + # following operating system specific command: + # + # os.chmod(master['pki_client_admin_cert_p12'], + # config.\ + # PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS) + # + # Emulate it with a system call. 
+ command = "chmod" + " " + "664" + " " +\ + master['pki_client_admin_cert_p12'] + javasystem.out.println( + log.PKI_JYTHON_CHMOD +\ + " " + "'" + command + "'") + os.system(command) + except Exception, e: + javasystem.out.println( + log.PKI_JYTHON_JAVA_CONFIGURATION_EXCEPTION + " " + str(e)) + javasystem.exit(1) return diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py index a10893231..4938e7c8c 100644 --- a/base/deploy/src/scriptlets/pkiparser.py +++ b/base/deploy/src/scriptlets/pkiparser.py @@ -74,9 +74,6 @@ def process_command_line_arguments(argv): '[.${pki_admin_domain_name}]') # Establish 'Optional' command-line options optional = parser.add_argument_group('optional arguments') - optional.add_argument('--dry_run', - dest='pki_dry_run_flag', action='store_true', - help='do not actually perform any actions') optional.add_argument('-h', '--help', dest='help', action='help', help='show this help message and exit') @@ -107,9 +104,6 @@ def process_command_line_arguments(argv): config.pki_deployed_instance_name =\ str(args.pki_deployed_instance_name).strip('[\']') # Process 'Optional' command-line options - # '--dry_run' - if args.pki_dry_run_flag: - config.pki_dry_run_flag = args.pki_dry_run_flag if config.pki_deployment_executable == 'pkispawn': # '-u' config.pki_update_flag = args.pki_update_flag @@ -267,7 +261,6 @@ def compose_pki_master_dictionary(): config.pki_master_dict['pki_hostname'] = config.pki_hostname config.pki_master_dict['pki_dns_domainname'] =\ config.pki_dns_domainname - config.pki_master_dict['pki_dry_run_flag'] = config.pki_dry_run_flag config.pki_master_dict['pki_jython_log_level'] =\ config.pki_jython_log_level config.pki_master_dict['pki_deployment_cfg'] = config.pkideployment_cfg diff --git a/base/deploy/src/scriptlets/security_databases.py b/base/deploy/src/scriptlets/security_databases.py index f46f9180a..0cc660b3a 100644 --- a/base/deploy/src/scriptlets/security_databases.py 
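Review bot: Every external step in this block (`AtoB`, `chmod`, `certutil -A`, `pk12util -o`) is built by string concatenation and passed to `os.system(command)` with the exit status discarded, so values such as `master['pki_admin_nickname']` and the client paths reach the shell unquoted and a failed import or export goes unnoticed. Quote each interpolated value and check the status, e.g. `rv = os.system(command)` followed by `if rv != 0: raise Exception(command + " failed")`, which the surrounding `except Exception, e` already turns into `javasystem.exit(1)`. The `re.sub("'", "'", ...)` call as displayed replaces a quote with itself, so it does not protect the double-quoted nickname (the page may have lost an escape sequence here). The PKCS #12 file, which normally carries the admin private key, is set to mode `664` and is therefore world-readable and group-writable; an owner-only mode such as `600` fits a file of that kind better. The enclosing method starts before this hunk.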
+++ b/base/deploy/src/scriptlets/security_databases.py 
@@ -39,88 +39,40 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): return self.rv config.pki_log.info(log.SECURITY_DATABASES_SPAWN_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) - if not config.pki_dry_run_flag: - util.password.create_password_conf( - master['pki_shared_password_conf'], - sensitive['pki_pin']) - # Since 'certutil' does NOT strip the 'token=' portion of - # the 'token=password' entries, create a temporary server 'pfile' - # which ONLY contains the 'password' for the purposes of - # allowing 'certutil' to generate the security databases - util.password.create_password_conf( - master['pki_shared_pfile'], - sensitive['pki_pin'], pin_sans_token=True) - util.file.modify(master['pki_shared_password_conf']) - util.certutil.create_security_databases( - master['pki_database_path'], - master['pki_cert_database'], - master['pki_key_database'], - master['pki_secmod_database'], - password_file=master['pki_shared_pfile']) - util.file.modify(master['pki_cert_database'], perms=\ - config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS) - util.file.modify(master['pki_key_database'], perms=\ - config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS) - util.file.modify(master['pki_secmod_database'], perms=\ - config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS) + util.password.create_password_conf( + master['pki_shared_password_conf'], + sensitive['pki_pin']) + # Since 'certutil' does NOT strip the 'token=' portion of + # the 'token=password' entries, create a temporary server 'pfile' + # which ONLY contains the 'password' for the purposes of + # allowing 'certutil' to generate the security databases + util.password.create_password_conf( + master['pki_shared_pfile'], + sensitive['pki_pin'], pin_sans_token=True) + util.file.modify(master['pki_shared_password_conf']) + util.certutil.create_security_databases( + master['pki_database_path'], + master['pki_cert_database'], + master['pki_key_database'], + master['pki_secmod_database'], + 
password_file=master['pki_shared_pfile']) + util.file.modify(master['pki_cert_database'], perms=\ + config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS) + util.file.modify(master['pki_key_database'], perms=\ + config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS) + util.file.modify(master['pki_secmod_database'], perms=\ + config.PKI_DEPLOYMENT_DEFAULT_SECURITY_DATABASE_PERMISSIONS) - if util.instance.tomcat_instance_subsystems() < 2: - # only create a self signed cert for a new instance - rv = util.certutil.verify_certificate_exists( - master['pki_database_path'], - master['pki_cert_database'], - master['pki_key_database'], - master['pki_secmod_database'], - master['pki_self_signed_token'], - master['pki_self_signed_nickname'], - password_file=master['pki_shared_pfile']) - if not rv: - util.file.generate_noise_file( - master['pki_self_signed_noise_file'], - master['pki_self_signed_noise_bytes']) - util.certutil.generate_self_signed_certificate( - master['pki_database_path'], - master['pki_cert_database'], - master['pki_key_database'], - master['pki_secmod_database'], - master['pki_self_signed_token'], - master['pki_self_signed_nickname'], - master['pki_self_signed_subject'], - master['pki_self_signed_serial_number'], - master['pki_self_signed_validity_period'], - master['pki_self_signed_issuer_name'], - master['pki_self_signed_trustargs'], - master['pki_self_signed_noise_file'], - password_file=master['pki_shared_pfile']) - # Delete the temporary 'noise' file - util.file.delete(master['pki_self_signed_noise_file']) - # Delete the temporary 'pfile' - util.file.delete(master['pki_shared_pfile']) - else: - util.password.create_password_conf( - master['pki_shared_password_conf'], - sensitive['pki_pin']) - # Since 'certutil' does NOT strip the 'token=' portion of - # the 'token=password' entries, create a temporary server 'pfile' - # which ONLY contains the 'password' for the purposes of - # allowing 'certutil' to generate the security databases - 
util.password.create_password_conf( - master['pki_shared_pfile'], - sensitive['pki_pin'], pin_sans_token=True) - util.certutil.create_security_databases( - master['pki_database_path'], - master['pki_cert_database'], - master['pki_key_database'], - master['pki_secmod_database'], - password_file=master['pki_shared_pfile']) + if util.instance.tomcat_instance_subsystems() < 2: + # only create a self signed cert for a new instance rv = util.certutil.verify_certificate_exists( - master['pki_database_path'], - master['pki_cert_database'], - master['pki_key_database'], - master['pki_secmod_database'], - master['pki_self_signed_token'], - master['pki_self_signed_nickname'], - password_file=master['pki_shared_pfile']) + master['pki_database_path'], + master['pki_cert_database'], + master['pki_key_database'], + master['pki_secmod_database'], + master['pki_self_signed_token'], + master['pki_self_signed_nickname'], + password_file=master['pki_shared_pfile']) if not rv: util.file.generate_noise_file( master['pki_self_signed_noise_file'], 
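Review bot: The temporary `pki_shared_pfile` written in this hunk holds the bare PIN, and nothing here guarantees its removal if `create_security_databases` or a later certutil step raises; the delete seems to sit on the success path below the hunk. Wrapping the steps after the second `create_password_conf` call in `try:` … `finally: util.file.delete(master['pki_shared_pfile'])` would keep the PIN from staying on disk after a failed spawn. `util.file.modify()` is applied to `pki_shared_password_conf` but not to the pfile, so the pfile's mode depends on whatever `create_password_conf` sets by default, which is not visible here and is worth confirming. spawn() starts above the hunk and continues below it.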
@@ -153,31 +105,16 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): def destroy(self): config.pki_log.info(log.SECURITY_DATABASES_DESTROY_1, __name__, extra=config.PKI_INDENTATION_LEVEL_1) - if not config.pki_dry_run_flag: - if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ - util.instance.apache_instance_subsystems() == 0: - util.file.delete(master['pki_cert_database']) - util.file.delete(master['pki_key_database']) - util.file.delete(master['pki_secmod_database']) - util.file.delete(master['pki_shared_password_conf']) - elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ - util.instance.tomcat_instance_subsystems() == 0: - util.file.delete(master['pki_cert_database']) - util.file.delete(master['pki_key_database']) - util.file.delete(master['pki_secmod_database']) - util.file.delete(master['pki_shared_password_conf']) - else: - # ALWAYS display correct information (even during dry_run) - if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ - util.instance.apache_instance_subsystems() == 1: - util.file.delete(master['pki_cert_database']) - util.file.delete(master['pki_key_database']) - util.file.delete(master['pki_secmod_database']) - util.file.delete(master['pki_shared_password_conf']) - elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ - util.instance.tomcat_instance_subsystems() == 1: - util.file.delete(master['pki_cert_database']) - util.file.delete(master['pki_key_database']) - util.file.delete(master['pki_secmod_database']) - util.file.delete(master['pki_shared_password_conf']) + if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ + util.instance.apache_instance_subsystems() == 0: + util.file.delete(master['pki_cert_database']) + util.file.delete(master['pki_key_database']) + util.file.delete(master['pki_secmod_database']) + util.file.delete(master['pki_shared_password_conf']) + elif master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ + 
util.instance.tomcat_instance_subsystems() == 0: + util.file.delete(master['pki_cert_database']) + util.file.delete(master['pki_key_database']) + util.file.delete(master['pki_secmod_database']) + util.file.delete(master['pki_shared_password_conf']) return self.rv -- cgit
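Review bot: The two branches that remain in destroy() run the same four `util.file.delete` calls and differ only in the subsystem list and counter they test, so the delete sequence could be written once under a combined condition. A one-line comment such as `# remove the shared security databases and password file only when no subsystem remains in the instance` would record why the counters are compared with `0`; that reading is inferred from the condition and should be confirmed against the order in which the scriptlets run.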