authorPetr Viktorin <pviktori@redhat.com>2012-08-23 12:38:45 -0400
committerRob Crittenden <rcritten@redhat.com>2012-09-17 18:45:18 -0400
commit1d1c8b4a2993ef929876b28912894075ae9a146a (patch)
treeb2fc4f165d1beb5e604da59f13494082291ad815 /ipapython
parent5c293e494d56a3fc4ccc5ea9fa134b994e5a51cb (diff)
Use Dogtag 10 only when it is available
Put the changes from Ade's dogtag 10 patch into namespaced constants in dogtag.py, which are then referenced in the code. Make ipaserver.install.CAInstance use the service name specified in the configuration. Uninstallation, where config is removed before CA uninstall, also uses the (previously) configured value. This and Ade's patch address https://fedorahosted.org/freeipa/ticket/2846
Diffstat (limited to 'ipapython')
-rw-r--r--ipapython/certmonger.py4
-rw-r--r--ipapython/dogtag.py110
-rw-r--r--ipapython/ipautil.py31
-rw-r--r--ipapython/platform/base.py2
4 files changed, 128 insertions, 19 deletions
diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py
index 7f88a05d..9cc4466c 100644
--- a/ipapython/certmonger.py
+++ b/ipapython/certmonger.py
@@ -26,6 +26,7 @@ import sys
import re
import time
from ipapython import ipautil
+from ipapython import dogtag
REQUEST_DIR='/var/lib/certmonger/requests/'
CA_DIR='/var/lib/certmonger/cas/'
@@ -337,8 +338,7 @@ def get_pin(token):
The caller is expected to handle any exceptions raised.
"""
- filename = '/var/lib/pki/pki-tomcat/conf/password.conf'
- with open(filename, 'r') as f:
+ with open(dogtag.configured_constants().PASSWORD_CONF_PATH, 'r') as f:
for line in f:
(tok, pin) = line.split('=', 1)
if token == tok:
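Review bot: The docstring of get_pin (its opening lines are above this hunk) no longer describes where the PIN comes from now that the hard-coded path is gone; the lookup depends on the Dogtag version recorded in the IPA configuration, and a reader of certmonger.py cannot see that without opening dogtag.py. Suggest adding `The PIN is read from the password.conf of the Dogtag instance selected by dogtag.configured_constants(), so the result depends on the configured dogtag_version.` to the docstring. Note that configured_constants() is called here without an api object, so each call re-reads the global config file rather than using an already-loaded environment; that looks intended since certmonger.py does not import ipalib.api, but is worth a one-line comment on the `with open(...)` line. The rest of get_pin's body lies outside the hunk.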
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index 8298ecfe..22a5a6d1 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -17,17 +17,118 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
+import os
import httplib
import xml.dom.minidom
+import ConfigParser
+from urllib import urlencode
+
import nss.nss as nss
from nss.error import NSPRError
-from urllib import urlencode
from ipalib import api, errors
-from ipapython import nsslib, ipautil
from ipalib.errors import NetworkError, CertificateOperationError
-from ipapython.ipa_log_manager import *
from ipalib.text import _
+from ipapython import nsslib, ipautil
+from ipapython.ipa_log_manager import *
+
+# IPA can use either Dogtag version 9 or 10.
+#
+# Install tools should use the constants from install_constants, so that they
+# install with version 10 if it is available, and with 9 if not.
+# After IPA installation, the Dogtag version used is stored in the
+# "dogtag_version" config option. (If that is missing, version 9 is assumed.)
+# The configured_constants() function below provides constants relevant to
+# the configured version.
+
+class Dogtag10Constants(object):
+ DOGTAG_VERSION = 10
+ UNSECURE_PORT = 8080
+ AGENT_SECURE_PORT = 8443
+ EE_SECURE_PORT = 8443
+ AJP_PORT = 8009
+
+ SPAWN_BINARY = '/usr/sbin/pkispawn'
+ DESTROY_BINARY = '/usr/sbin/pkidestroy'
+
+ SERVER_ROOT = '/var/lib/pki'
+ PKI_INSTANCE_NAME = 'pki-tomcat'
+ PKI_ROOT = '%s/%s' % (SERVER_ROOT, PKI_INSTANCE_NAME)
+ CRL_PUBLISH_PATH = '%s/ca/publish' % PKI_ROOT
+ CS_CFG_PATH = '%s/conf/ca/CS.cfg' % PKI_ROOT
+ PASSWORD_CONF_PATH = '%s/conf/password.conf' % PKI_ROOT
+ SERVICE_PROFILE_DIR = '%s/ca/profiles/ca' % PKI_ROOT
+ ALIAS_DIR = '/etc/pki/pki-tomcat/alias'
+
+ RACERT_LINE_SEP = '\n'
+
+ IPA_SERVICE_PROFILE = '%s/caIPAserviceCert.cfg' % SERVICE_PROFILE_DIR
+ SIGN_PROFILE = '%s/caJarSigningCert.cfg' % SERVICE_PROFILE_DIR
+
+class Dogtag9Constants(object):
+ DOGTAG_VERSION = 9
+ UNSECURE_PORT = 9180
+ AGENT_SECURE_PORT = 9443
+ EE_SECURE_PORT = 9444
+ AJP_PORT = 9447
+
+ SPAWN_BINARY = '/bin/pkicreate'
+ DESTROY_BINARY = '/bin/pkisilent'
+
+ SERVER_ROOT = '/var/lib'
+ PKI_INSTANCE_NAME = 'pki-ca'
+ PKI_ROOT = '%s/%s' % (SERVER_ROOT, PKI_INSTANCE_NAME)
+ CRL_PUBLISH_PATH = '%s/publish' % PKI_ROOT
+ CS_CFG_PATH = '%s/conf/CS.cfg' % PKI_ROOT
+ PASSWORD_CONF_PATH = '%s/conf/password.conf' % PKI_ROOT
+ SERVICE_PROFILE_DIR = '%s/profiles/ca' % PKI_ROOT
+ ALIAS_DIR = '%s/alias' % PKI_ROOT
+
+ RACERT_LINE_SEP = '\r\n'
+
+ ADMIN_SECURE_PORT = 9445
+ EE_CLIENT_AUTH_PORT = 9446
+ TOMCAT_SERVER_PORT = 9701
+
+ IPA_SERVICE_PROFILE = '%s/caIPAserviceCert.cfg' % SERVICE_PROFILE_DIR
+ SIGN_PROFILE = '%s/caJarSigningCert.cfg' % SERVICE_PROFILE_DIR
+
+
+if os.path.exists('/usr/sbin/pkispawn'):
+ install_constants = Dogtag10Constants
+else:
+ install_constants = Dogtag9Constants
+
+
+def _get_configured_version(api):
+ """Get the version of Dogtag IPA is configured to use
+
+ If an API is given, use information in its environment.
+ Otherwise, use information from the global config file.
+ """
+ if api:
+ return int(api.env.dogtag_version)
+ else:
+ p = ConfigParser.SafeConfigParser()
+ p.read("/etc/ipa/default.conf")
+ try:
+ version = p.get('global', 'dogtag_version')
+ except (ConfigParser.NoOptionError, ConfigParser.NoSectionError):
+ return 9
+ else:
+ return int(version)
+
+
+def configured_constants(api=None):
+ """Get the name of the Dogtag CA instance
+
+ See get_configured_version
+ """
+ if _get_configured_version(api) >= 10:
+ return Dogtag10Constants
+ else:
+ return Dogtag9Constants
+
def get_ca_certchain(ca_host=None):
"""
@@ -36,7 +137,8 @@ def get_ca_certchain(ca_host=None):
if ca_host is None:
ca_host = api.env.ca_host
chain = None
- conn = httplib.HTTPConnection(ca_host, api.env.ca_install_port)
+ conn = httplib.HTTPConnection(ca_host,
+ api.env.ca_install_port or configured_constants().UNSECURE_PORT)
conn.request("GET", "/ca/ee/ca/getCertChain")
res = conn.getresponse()
doc = None
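Review bot: The fallback `configured_constants()` on the new HTTPConnection line is called without the api object even though `api.env.ca_install_port` is read in the same expression, so every chain fetch re-parses /etc/ipa/default.conf with a fresh ConfigParser instead of using the environment that is already loaded; `configured_constants(api)` would be the consistent choice, assuming a finalized api.env carries dogtag_version (which the module comment suggests but this hunk does not show). The body of get_ca_certchain continues outside the hunk.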
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index a3fd83e4..d6e97b89 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -293,19 +293,12 @@ def run(args, stdin=None, raiseonerr=True,
raise
# The command and its output may include passwords that we don't want
- # to log. Run through the nolog items.
+ # to log. Replace those.
args = ' '.join(args)
- for value in nolog:
- if not isinstance(value, basestring):
- continue
-
- quoted = urllib2.quote(value)
- shquoted = shell_quote(value)
- for nolog_value in (shquoted, value, quoted):
- if capture_output:
- stdout = stdout.replace(nolog_value, 'XXXXXXXX')
- stderr = stderr.replace(nolog_value, 'XXXXXXXX')
- args = args.replace(nolog_value, 'XXXXXXXX')
+ if capture_output:
+ stdout = nolog_replace(stdout, nolog)
+ stderr = nolog_replace(stderr, nolog)
+ args = nolog_replace(args, nolog)
root_logger.debug('args=%s' % args)
if capture_output:
@@ -317,6 +310,20 @@ def run(args, stdin=None, raiseonerr=True,
return (stdout, stderr, p.returncode)
+
+def nolog_replace(string, nolog):
+ """Replace occurences of strings given in `nolog` with XXXXXXXX"""
+ for value in nolog:
+ if not isinstance(value, basestring):
+ continue
+
+ quoted = urllib2.quote(value)
+ shquoted = shell_quote(value)
+ for nolog_value in (shquoted, value, quoted):
+ string = string.replace(nolog_value, 'XXXXXXXX')
+ return string
+
+
def file_exists(filename):
try:
mode = os.stat(filename)[stat.ST_MODE]
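Review bot: nolog_replace mangles its output when `nolog` contains an empty string: `''` passes the basestring check, and `string.replace('', 'XXXXXXXX')` inserts the marker between every character of the command line and of the captured stdout/stderr, which destroys the logged text instead of redacting a secret; the guard should be `if not isinstance(value, basestring) or not value:`. The same concern applies to very short values (a one-character password redacts every occurrence of that character), which is at least worth a comment, e.g. `# NOTE: short or common values over-redact; callers should only pass real secrets.` The docstring also misspells "occurrences". file_exists, which starts at the end of this hunk, continues past it.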
diff --git a/ipapython/platform/base.py b/ipapython/platform/base.py
index b71e2f32..a1e6b4e0 100644
--- a/ipapython/platform/base.py
+++ b/ipapython/platform/base.py
@@ -34,10 +34,10 @@ wellknownports = {
'dirsrv@PKI-IPA.service': [7389],
'PKI-IPA': [7389],
'dirsrv': [389], # this is only used if the incoming instance name is blank
+ 'pki-cad': [9180],
'pki-tomcatd@pki-tomcat.service': [8080],
'pki-tomcat': [8080],
'pki-tomcatd': [8080], # used if the incoming instance name is blank
- 'pki-cad': [9180]
}
class AuthConfig(object):