author | Jan Cholasta <jcholast@redhat.com> | 2013-07-09 10:24:14 +0000 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2013-07-24 10:00:03 +0200 |
commit | ab2debd1ea6c9b7cf0f35f48620b2609ff0c570c (patch) | |
tree | 2c93b2752e02ba80d7fadd68f6c3b739fdc6fe0d /ipaserver | |
parent | ea544bee4c2abea63129e395e0b27493d0711c01 (diff) | |
Ask for PKCS#12 password interactively in ipa-replica-prepare.
https://fedorahosted.org/freeipa/ticket/3717
Diffstat (limited to 'ipaserver')
-rw-r--r-- | ipaserver/install/ipa_replica_prepare.py | 49 |
1 files changed, 34 insertions, 15 deletions
diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index a92e9a111..83bf2b28c 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -103,17 +103,12 @@ class ReplicaPrepare(admintool.AdminTool):
 options.setup_pkinit = False
 # If any of the PKCS#12 options are selected, all are required.
- pkcs12_opts = [options.dirsrv_pkcs12, options.dirsrv_pin,
- options.http_pkcs12, options.http_pin]
- if options.setup_pkinit:
- pkcs12_opts.extend([options.pkinit_pkcs12, options.pkinit_pin])
- if pkcs12_opts[0]:
- pkcs12_okay = all(opt for opt in pkcs12_opts)
- else:
- pkcs12_okay = all(opt is None for opt in pkcs12_opts)
- if not pkcs12_okay:
+ pkcs12_req = (options.dirsrv_pkcs12, options.http_pkcs12)
+ pkcs12_opt = (options.pkinit_pkcs12,)
+ if any(pkcs12_req + pkcs12_opt) and not all(pkcs12_req):
 self.option_parser.error(
- "All PKCS#12 options are required if any are used.")
+ "--dirsrv_pkcs12 and --http_pkcs12 are required if any "
+ "PKCS#12 options are used.")
 if len(self.args) < 1:
 self.option_parser.error(
@@ -136,11 +131,6 @@ class ReplicaPrepare(admintool.AdminTool):
 "--http_pkcs12, --dirsrv_pkcs12 options to provide custom "
 "certificates.")
- if options.http_pkcs12:
- # Check the given PKCS#12 files
- self.check_pkcs12(options.http_pkcs12, options.http_pin)
- self.check_pkcs12(options.dirsrv_pkcs12, options.dirsrv_pin)
-
 config_dir = dsinstance.config_dirname(
 dsinstance.realm_to_serverid(api.env.realm))
 if not ipautil.dir_exists(config_dir):
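Review bot: The rewritten validation in the first hunk no longer looks at `options.dirsrv_pin`, `options.http_pin` or `options.pkinit_pin`, so a PIN supplied without its PKCS#12 file now passes silently where the removed `all(opt is None ...)` branch rejected it. That matters because the trailing context of the last hunk still branches on `not options.dirsrv_pin`, so a stray PIN may steer that later test even though no certificate file was given (the body of that test is outside the diff). Consider adding `pkcs12_pins = (options.dirsrv_pin, options.http_pin, options.pkinit_pin)` and testing `if any(pkcs12_req + pkcs12_opt + pkcs12_pins) and not all(pkcs12_req):`. The context comment above the check is also stale now and could read `# --dirsrv_pkcs12 and --http_pkcs12 are required if any PKCS#12 option is used.` The enclosing method starts and ends outside this hunk.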
@@ -220,6 +210,35 @@ class ReplicaPrepare(admintool.AdminTool):
 options.reverse_zone, options.ip_address):
 raise admintool.ScriptError("Invalid reverse zone")
+ if options.http_pkcs12:
+ if not options.http_pin:
+ options.http_pin = installutils.read_password(
+ "Enter %s unlock" % options.http_pkcs12,
+ confirm=False, validate=False)
+ if options.http_pin is None:
+ raise admintool.ScriptError(
+ "%s unlock password required" % options.http_pkcs12)
+ self.check_pkcs12(options.http_pkcs12, options.http_pin)
+
+ if options.dirsrv_pkcs12:
+ if not options.dirsrv_pin:
+ options.dirsrv_pin = installutils.read_password(
+ "Enter %s unlock" % options.dirsrv_pkcs12,
+ confirm=False, validate=False)
+ if options.dirsrv_pin is None:
+ raise admintool.ScriptError(
+ "%s unlock password required" % options.dirsrv_pkcs12)
+ self.check_pkcs12(options.dirsrv_pkcs12, options.dirsrv_pin)
+
+ if options.pkinit_pkcs12:
+ if not options.pkinit_pin:
+ options.pkinit_pin = installutils.read_password(
+ "Enter %s unlock" % options.pkinit_pkcs12,
+ confirm=False, validate=False)
+ if options.pkinit_pin is None:
+ raise admintool.ScriptError(
+ "%s unlock password required" % options.pkinit_pkcs12)
+
 if (not ipautil.file_exists(
 dogtag.configured_constants().CS_CFG_PATH) and
 not options.dirsrv_pin): |
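Review bot: The `options.pkinit_pkcs12` branch prompts for the PIN but, unlike the `http_pkcs12` and `dirsrv_pkcs12` branches above it, never hands the file to `self.check_pkcs12`, so a wrong PIN or unreadable PKINIT bundle is not caught at this validation step. If `check_pkcs12` applies to that file, end the branch with `self.check_pkcs12(options.pkinit_pkcs12, options.pkinit_pin)`; if it does not, a short comment saying why the check is skipped would prevent the omission from looking accidental. Each branch prompts only when the PIN is falsy but afterwards rejects only `None`, so whether an empty PIN typed at the prompt is accepted depends on what `installutils.read_password` returns with `validate=False`, which is not visible here. The three branches are otherwise identical apart from the option names and could share one private helper. The enclosing method starts before and continues after this hunk.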