Diffstat (limited to 'ipapython/dogtag.py')
-rw-r--r-- | ipapython/dogtag.py | 110 |
1 files changed, 106 insertions, 4 deletions
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index 8298ecfe..22a5a6d1 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -17,17 +17,118 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. # +import os import httplib import xml.dom.minidom +import ConfigParser +from urllib import urlencode + import nss.nss as nss from nss.error import NSPRError -from urllib import urlencode from ipalib import api, errors -from ipapython import nsslib, ipautil from ipalib.errors import NetworkError, CertificateOperationError -from ipapython.ipa_log_manager import * from ipalib.text import _ +from ipapython import nsslib, ipautil +from ipapython.ipa_log_manager import * + +# IPA can use either Dogtag version 9 or 10. +# +# Install tools should use the constants from install_constants, so that they +# install with version 10 if it is available, and with 9 if not. +# After IPA installation, the Dogtag version used is stored in the +# "dogtag_version" config option. (If that is missing, version 9 is assumed.) +# The configured_constants() function below provides constants relevant to +# the configured version. 
+ +class Dogtag10Constants(object): + DOGTAG_VERSION = 10 + UNSECURE_PORT = 8080 + AGENT_SECURE_PORT = 8443 + EE_SECURE_PORT = 8443 + AJP_PORT = 8009 + + SPAWN_BINARY = '/usr/sbin/pkispawn' + DESTROY_BINARY = '/usr/sbin/pkidestroy' + + SERVER_ROOT = '/var/lib/pki' + PKI_INSTANCE_NAME = 'pki-tomcat' + PKI_ROOT = '%s/%s' % (SERVER_ROOT, PKI_INSTANCE_NAME) + CRL_PUBLISH_PATH = '%s/ca/publish' % PKI_ROOT + CS_CFG_PATH = '%s/conf/ca/CS.cfg' % PKI_ROOT + PASSWORD_CONF_PATH = '%s/conf/password.conf' % PKI_ROOT + SERVICE_PROFILE_DIR = '%s/ca/profiles/ca' % PKI_ROOT + ALIAS_DIR = '/etc/pki/pki-tomcat/alias' + + RACERT_LINE_SEP = '\n' + + IPA_SERVICE_PROFILE = '%s/caIPAserviceCert.cfg' % SERVICE_PROFILE_DIR + SIGN_PROFILE = '%s/caJarSigningCert.cfg' % SERVICE_PROFILE_DIR + +class Dogtag9Constants(object): + DOGTAG_VERSION = 9 + UNSECURE_PORT = 9180 + AGENT_SECURE_PORT = 9443 + EE_SECURE_PORT = 9444 + AJP_PORT = 9447 + + SPAWN_BINARY = '/bin/pkicreate' + DESTROY_BINARY = '/bin/pkisilent' + + SERVER_ROOT = '/var/lib' + PKI_INSTANCE_NAME = 'pki-ca' + PKI_ROOT = '%s/%s' % (SERVER_ROOT, PKI_INSTANCE_NAME) + CRL_PUBLISH_PATH = '%s/publish' % PKI_ROOT + CS_CFG_PATH = '%s/conf/CS.cfg' % PKI_ROOT + PASSWORD_CONF_PATH = '%s/conf/password.conf' % PKI_ROOT + SERVICE_PROFILE_DIR = '%s/profiles/ca' % PKI_ROOT + ALIAS_DIR = '%s/alias' % PKI_ROOT + + RACERT_LINE_SEP = '\r\n' + + ADMIN_SECURE_PORT = 9445 + EE_CLIENT_AUTH_PORT = 9446 + TOMCAT_SERVER_PORT = 9701 + + IPA_SERVICE_PROFILE = '%s/caIPAserviceCert.cfg' % SERVICE_PROFILE_DIR + SIGN_PROFILE = '%s/caJarSigningCert.cfg' % SERVICE_PROFILE_DIR + + +if os.path.exists('/usr/sbin/pkispawn'): + install_constants = Dogtag10Constants +else: + install_constants = Dogtag9Constants + + +def _get_configured_version(api): + """Get the version of Dogtag IPA is configured to use + + If an API is given, use information in its environment. + Otherwise, use information from the global config file. 
+ """ + if api: + return int(api.env.dogtag_version) + else: + p = ConfigParser.SafeConfigParser() + p.read("/etc/ipa/default.conf") + try: + version = p.get('global', 'dogtag_version') + except (ConfigParser.NoOptionError, ConfigParser.NoSectionError): + return 9 + else: + return int(version) + + +def configured_constants(api=None): + """Get the name of the Dogtag CA instance + + See get_configured_version + """ + if _get_configured_version(api) >= 10: + return Dogtag10Constants + else: + return Dogtag9Constants + def get_ca_certchain(ca_host=None): """ @@ -36,7 +137,8 @@ def get_ca_certchain(ca_host=None): if ca_host is None: ca_host = api.env.ca_host chain = None - conn = httplib.HTTPConnection(ca_host, api.env.ca_install_port) + conn = httplib.HTTPConnection(ca_host, + api.env.ca_install_port or configured_constants().UNSECURE_PORT) conn.request("GET", "/ca/ee/ca/getCertChain") res = conn.getresponse() doc = None |