Diffstat (limited to 'ipapython')
-rw-r--r--ipapython/certmonger.py4
-rw-r--r--ipapython/dogtag.py110
-rw-r--r--ipapython/ipautil.py31
-rw-r--r--ipapython/platform/base.py2
4 files changed, 128 insertions, 19 deletions
diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py
index 7f88a05d..9cc4466c 100644
--- a/ipapython/certmonger.py
+++ b/ipapython/certmonger.py
@@ -26,6 +26,7 @@ import sys
import re
import time
from ipapython import ipautil
+from ipapython import dogtag
REQUEST_DIR='/var/lib/certmonger/requests/'
CA_DIR='/var/lib/certmonger/cas/'
@@ -337,8 +338,7 @@ def get_pin(token):
The caller is expected to handle any exceptions raised.
"""
- filename = '/var/lib/pki/pki-tomcat/conf/password.conf'
- with open(filename, 'r') as f:
+ with open(dogtag.configured_constants().PASSWORD_CONF_PATH, 'r') as f:
for line in f:
(tok, pin) = line.split('=', 1)
if token == tok:
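Review bot: The new `with open(dogtag.configured_constants().PASSWORD_CONF_PATH, 'r')` line widens what get_pin can raise: besides the I/O errors of the old hard-coded path, `dogtag.configured_constants()` now parses /etc/ipa/default.conf on every call and its `int(version)` raises ValueError on a non-integer `dogtag_version`. The docstring's "The caller is expected to handle any exceptions raised" still holds, but it would help callers to name the new source, e.g. add `Raises whatever dogtag.configured_constants() or open() raises.` to the docstring. get_pin starts and ends outside this hunk, so the token/pin parsing below is not reviewed here.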
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index 8298ecfe..22a5a6d1 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -17,17 +17,118 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
+import os
import httplib
import xml.dom.minidom
+import ConfigParser
+from urllib import urlencode
+
import nss.nss as nss
from nss.error import NSPRError
-from urllib import urlencode
from ipalib import api, errors
-from ipapython import nsslib, ipautil
from ipalib.errors import NetworkError, CertificateOperationError
-from ipapython.ipa_log_manager import *
from ipalib.text import _
+from ipapython import nsslib, ipautil
+from ipapython.ipa_log_manager import *
+
+# IPA can use either Dogtag version 9 or 10.
+#
+# Install tools should use the constants from install_constants, so that they
+# install with version 10 if it is available, and with 9 if not.
+# After IPA installation, the Dogtag version used is stored in the
+# "dogtag_version" config option. (If that is missing, version 9 is assumed.)
+# The configured_constants() function below provides constants relevant to
+# the configured version.
+
+class Dogtag10Constants(object):
+ DOGTAG_VERSION = 10
+ UNSECURE_PORT = 8080
+ AGENT_SECURE_PORT = 8443
+ EE_SECURE_PORT = 8443
+ AJP_PORT = 8009
+
+ SPAWN_BINARY = '/usr/sbin/pkispawn'
+ DESTROY_BINARY = '/usr/sbin/pkidestroy'
+
+ SERVER_ROOT = '/var/lib/pki'
+ PKI_INSTANCE_NAME = 'pki-tomcat'
+ PKI_ROOT = '%s/%s' % (SERVER_ROOT, PKI_INSTANCE_NAME)
+ CRL_PUBLISH_PATH = '%s/ca/publish' % PKI_ROOT
+ CS_CFG_PATH = '%s/conf/ca/CS.cfg' % PKI_ROOT
+ PASSWORD_CONF_PATH = '%s/conf/password.conf' % PKI_ROOT
+ SERVICE_PROFILE_DIR = '%s/ca/profiles/ca' % PKI_ROOT
+ ALIAS_DIR = '/etc/pki/pki-tomcat/alias'
+
+ RACERT_LINE_SEP = '\n'
+
+ IPA_SERVICE_PROFILE = '%s/caIPAserviceCert.cfg' % SERVICE_PROFILE_DIR
+ SIGN_PROFILE = '%s/caJarSigningCert.cfg' % SERVICE_PROFILE_DIR
+
+class Dogtag9Constants(object):
+ DOGTAG_VERSION = 9
+ UNSECURE_PORT = 9180
+ AGENT_SECURE_PORT = 9443
+ EE_SECURE_PORT = 9444
+ AJP_PORT = 9447
+
+ SPAWN_BINARY = '/bin/pkicreate'
+ DESTROY_BINARY = '/bin/pkisilent'
+
+ SERVER_ROOT = '/var/lib'
+ PKI_INSTANCE_NAME = 'pki-ca'
+ PKI_ROOT = '%s/%s' % (SERVER_ROOT, PKI_INSTANCE_NAME)
+ CRL_PUBLISH_PATH = '%s/publish' % PKI_ROOT
+ CS_CFG_PATH = '%s/conf/CS.cfg' % PKI_ROOT
+ PASSWORD_CONF_PATH = '%s/conf/password.conf' % PKI_ROOT
+ SERVICE_PROFILE_DIR = '%s/profiles/ca' % PKI_ROOT
+ ALIAS_DIR = '%s/alias' % PKI_ROOT
+
+ RACERT_LINE_SEP = '\r\n'
+
+ ADMIN_SECURE_PORT = 9445
+ EE_CLIENT_AUTH_PORT = 9446
+ TOMCAT_SERVER_PORT = 9701
+
+ IPA_SERVICE_PROFILE = '%s/caIPAserviceCert.cfg' % SERVICE_PROFILE_DIR
+ SIGN_PROFILE = '%s/caJarSigningCert.cfg' % SERVICE_PROFILE_DIR
+
+
+if os.path.exists('/usr/sbin/pkispawn'):
+ install_constants = Dogtag10Constants
+else:
+ install_constants = Dogtag9Constants
+
+
+def _get_configured_version(api):
+ """Get the version of Dogtag IPA is configured to use
+
+ If an API is given, use information in its environment.
+ Otherwise, use information from the global config file.
+ """
+ if api:
+ return int(api.env.dogtag_version)
+ else:
+ p = ConfigParser.SafeConfigParser()
+ p.read("/etc/ipa/default.conf")
+ try:
+ version = p.get('global', 'dogtag_version')
+ except (ConfigParser.NoOptionError, ConfigParser.NoSectionError):
+ return 9
+ else:
+ return int(version)
+
+
+def configured_constants(api=None):
+ """Get the name of the Dogtag CA instance
+
+ See get_configured_version
+ """
+ if _get_configured_version(api) >= 10:
+ return Dogtag10Constants
+ else:
+ return Dogtag9Constants
+
def get_ca_certchain(ca_host=None):
"""
@@ -36,7 +137,8 @@ def get_ca_certchain(ca_host=None):
if ca_host is None:
ca_host = api.env.ca_host
chain = None
- conn = httplib.HTTPConnection(ca_host, api.env.ca_install_port)
+ conn = httplib.HTTPConnection(ca_host,
+ api.env.ca_install_port or configured_constants().UNSECURE_PORT)
conn.request("GET", "/ca/ee/ca/getCertChain")
res = conn.getresponse()
doc = None
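Review bot: The fallback port is taken from `configured_constants()` called without an argument, so it re-parses /etc/ipa/default.conf even though `api` is in scope and the rest of get_ca_certchain reads its settings from `api.env`; the two can disagree in a test or client environment. If `api.env` is expected to carry `dogtag_version` here (it is read that way in _get_configured_version, but I cannot confirm the env always has it), `api.env.ca_install_port or configured_constants(api).UNSECURE_PORT)` keeps both lookups on the same source. get_ca_certchain starts and ends outside this hunk.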
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index a3fd83e4..d6e97b89 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -293,19 +293,12 @@ def run(args, stdin=None, raiseonerr=True,
raise
# The command and its output may include passwords that we don't want
- # to log. Run through the nolog items.
+ # to log. Replace those.
args = ' '.join(args)
- for value in nolog:
- if not isinstance(value, basestring):
- continue
-
- quoted = urllib2.quote(value)
- shquoted = shell_quote(value)
- for nolog_value in (shquoted, value, quoted):
- if capture_output:
- stdout = stdout.replace(nolog_value, 'XXXXXXXX')
- stderr = stderr.replace(nolog_value, 'XXXXXXXX')
- args = args.replace(nolog_value, 'XXXXXXXX')
+ if capture_output:
+ stdout = nolog_replace(stdout, nolog)
+ stderr = nolog_replace(stderr, nolog)
+ args = nolog_replace(args, nolog)
root_logger.debug('args=%s' % args)
if capture_output:
@@ -317,6 +310,20 @@ def run(args, stdin=None, raiseonerr=True,
return (stdout, stderr, p.returncode)
+
+def nolog_replace(string, nolog):
+ """Replace occurences of strings given in `nolog` with XXXXXXXX"""
+ for value in nolog:
+ if not isinstance(value, basestring):
+ continue
+
+ quoted = urllib2.quote(value)
+ shquoted = shell_quote(value)
+ for nolog_value in (shquoted, value, quoted):
+ string = string.replace(nolog_value, 'XXXXXXXX')
+ return string
+
+
def file_exists(filename):
try:
mode = os.stat(filename)[stat.ST_MODE]
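Review bot: nolog_replace has no guard against an empty string in `nolog`: `''.replace('', 'XXXXXXXX')` inserts the marker between every character, so a single empty value turns the logged command and captured output into unreadable text; the old inline loop had the same gap, but the helper is the place to fix it, e.g. `if not isinstance(value, basestring) or not value:` on the `continue` check. The parameter name `string` shadows the stdlib module of that name; since the two call sites in this diff pass it positionally, renaming it to `text` is safe. The docstring has "occurences" for "occurrences" and would be more useful stating that each value is redacted in its raw, shell-quoted and URL-quoted forms. file_exists at the bottom of the hunk continues outside it.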
diff --git a/ipapython/platform/base.py b/ipapython/platform/base.py
index b71e2f32..a1e6b4e0 100644
--- a/ipapython/platform/base.py
+++ b/ipapython/platform/base.py
@@ -34,10 +34,10 @@ wellknownports = {
'dirsrv@PKI-IPA.service': [7389],
'PKI-IPA': [7389],
'dirsrv': [389], # this is only used if the incoming instance name is blank
+ 'pki-cad': [9180],
'pki-tomcatd@pki-tomcat.service': [8080],
'pki-tomcat': [8080],
'pki-tomcatd': [8080], # used if the incoming instance name is blank
- 'pki-cad': [9180]
}
class AuthConfig(object):