authorPetr Viktorin <pviktori@redhat.com>2012-08-23 12:38:45 -0400
committerRob Crittenden <rcritten@redhat.com>2012-09-17 18:43:59 -0400
commit4f76c143d2f2036af02677469c542f563a10158d (patch)
tree8ed4716135c53486710950b453f17bb71f36c658 /ipapython/dogtag.py
parent3dd31a875650c7fe7c67ca6b47f2058c1181dafb (diff)
Use Dogtag 10 only when it is available
Put the changes from Ade's dogtag 10 patch into namespaced constants in dogtag.py, which are then referenced in the code. Make ipaserver.install.CAInstance use the service name specified in the configuration. Uninstallation, where config is removed before CA uninstall, also uses the (previously) configured value. This and Ade's patch address https://fedorahosted.org/freeipa/ticket/2846
Diffstat (limited to 'ipapython/dogtag.py')
-rw-r--r--ipapython/dogtag.py110
1 files changed, 106 insertions, 4 deletions
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index 8298ecfe..22a5a6d1 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -17,17 +17,118 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
+import os
import httplib
import xml.dom.minidom
+import ConfigParser
+from urllib import urlencode
+
import nss.nss as nss
from nss.error import NSPRError
-from urllib import urlencode
from ipalib import api, errors
-from ipapython import nsslib, ipautil
from ipalib.errors import NetworkError, CertificateOperationError
-from ipapython.ipa_log_manager import *
from ipalib.text import _
+from ipapython import nsslib, ipautil
+from ipapython.ipa_log_manager import *
+
+# IPA can use either Dogtag version 9 or 10.
+#
+# Install tools should use the constants from install_constants, so that they
+# install with version 10 if it is available, and with 9 if not.
+# After IPA installation, the Dogtag version used is stored in the
+# "dogtag_version" config option. (If that is missing, version 9 is assumed.)
+# The configured_constants() function below provides constants relevant to
+# the configured version.
+
+class Dogtag10Constants(object):
+ DOGTAG_VERSION = 10
+ UNSECURE_PORT = 8080
+ AGENT_SECURE_PORT = 8443
+ EE_SECURE_PORT = 8443
+ AJP_PORT = 8009
+
+ SPAWN_BINARY = '/usr/sbin/pkispawn'
+ DESTROY_BINARY = '/usr/sbin/pkidestroy'
+
+ SERVER_ROOT = '/var/lib/pki'
+ PKI_INSTANCE_NAME = 'pki-tomcat'
+ PKI_ROOT = '%s/%s' % (SERVER_ROOT, PKI_INSTANCE_NAME)
+ CRL_PUBLISH_PATH = '%s/ca/publish' % PKI_ROOT
+ CS_CFG_PATH = '%s/conf/ca/CS.cfg' % PKI_ROOT
+ PASSWORD_CONF_PATH = '%s/conf/password.conf' % PKI_ROOT
+ SERVICE_PROFILE_DIR = '%s/ca/profiles/ca' % PKI_ROOT
+ ALIAS_DIR = '/etc/pki/pki-tomcat/alias'
+
+ RACERT_LINE_SEP = '\n'
+
+ IPA_SERVICE_PROFILE = '%s/caIPAserviceCert.cfg' % SERVICE_PROFILE_DIR
+ SIGN_PROFILE = '%s/caJarSigningCert.cfg' % SERVICE_PROFILE_DIR
+
+class Dogtag9Constants(object):
+ DOGTAG_VERSION = 9
+ UNSECURE_PORT = 9180
+ AGENT_SECURE_PORT = 9443
+ EE_SECURE_PORT = 9444
+ AJP_PORT = 9447
+
+ SPAWN_BINARY = '/bin/pkicreate'
+ DESTROY_BINARY = '/bin/pkisilent'
+
+ SERVER_ROOT = '/var/lib'
+ PKI_INSTANCE_NAME = 'pki-ca'
+ PKI_ROOT = '%s/%s' % (SERVER_ROOT, PKI_INSTANCE_NAME)
+ CRL_PUBLISH_PATH = '%s/publish' % PKI_ROOT
+ CS_CFG_PATH = '%s/conf/CS.cfg' % PKI_ROOT
+ PASSWORD_CONF_PATH = '%s/conf/password.conf' % PKI_ROOT
+ SERVICE_PROFILE_DIR = '%s/profiles/ca' % PKI_ROOT
+ ALIAS_DIR = '%s/alias' % PKI_ROOT
+
+ RACERT_LINE_SEP = '\r\n'
+
+ ADMIN_SECURE_PORT = 9445
+ EE_CLIENT_AUTH_PORT = 9446
+ TOMCAT_SERVER_PORT = 9701
+
+ IPA_SERVICE_PROFILE = '%s/caIPAserviceCert.cfg' % SERVICE_PROFILE_DIR
+ SIGN_PROFILE = '%s/caJarSigningCert.cfg' % SERVICE_PROFILE_DIR
+
+
+if os.path.exists('/usr/sbin/pkispawn'):
+ install_constants = Dogtag10Constants
+else:
+ install_constants = Dogtag9Constants
+
+
+def _get_configured_version(api):
+ """Get the version of Dogtag IPA is configured to use
+
+ If an API is given, use information in its environment.
+ Otherwise, use information from the global config file.
+ """
+ if api:
+ return int(api.env.dogtag_version)
+ else:
+ p = ConfigParser.SafeConfigParser()
+ p.read("/etc/ipa/default.conf")
+ try:
+ version = p.get('global', 'dogtag_version')
+ except (ConfigParser.NoOptionError, ConfigParser.NoSectionError):
+ return 9
+ else:
+ return int(version)
+
+
+def configured_constants(api=None):
+ """Get the name of the Dogtag CA instance
+
+ See get_configured_version
+ """
+ if _get_configured_version(api) >= 10:
+ return Dogtag10Constants
+ else:
+ return Dogtag9Constants
+
def get_ca_certchain(ca_host=None):
"""
@@ -36,7 +137,8 @@ def get_ca_certchain(ca_host=None):
if ca_host is None:
ca_host = api.env.ca_host
chain = None
- conn = httplib.HTTPConnection(ca_host, api.env.ca_install_port)
+ conn = httplib.HTTPConnection(ca_host,
+ api.env.ca_install_port or configured_constants().UNSECURE_PORT)
conn.request("GET", "/ca/ee/ca/getCertChain")
res = conn.getresponse()
doc = None
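Review bot: The new fallback calls `configured_constants()` without the `api` that is already in scope two lines up (`api.env.ca_host`), so it takes the config-file branch and re-parses `/etc/ipa/default.conf` on every call instead of using the environment the rest of the function relies on; `api.env.ca_install_port or configured_constants(api).UNSECURE_PORT` keeps the two lookups consistent. That only holds if `api.env.dogtag_version` is always populated, which I cannot confirm from the hunk — if it may be absent, the config-file branch is the only one that defaults to 9, and passing `api` would turn a silent default into an exception. Note also that the fallback lands on the plain-HTTP port, so the CA chain download remains unauthenticated as it was before this change; that is existing behaviour, but a one-line comment such as `# chain is fetched over plain HTTP by design; verify it out of band` would save the next reader a question. get_ca_certchain begins before this hunk and continues after it.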