From 4f76c143d2f2036af02677469c542f563a10158d Mon Sep 17 00:00:00 2001
From: Petr Viktorin
Date: Thu, 23 Aug 2012 12:38:45 -0400
Subject: Use Dogtag 10 only when it is available

Put the changes from Ade's dogtag 10 patch into namespaced constants in dogtag.py, which are then referenced in the code. Make ipaserver.install.CAInstance use the service name specified in the configuration. Uninstallation, where config is removed before CA uninstall, also uses the (previously) configured value. This and Ade's patch address https://fedorahosted.org/freeipa/ticket/2846
---
 ipapython/dogtag.py | 110 ++++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 106 insertions(+), 4 deletions(-)
(limited to 'ipapython/dogtag.py')

diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index 8298ecfe..22a5a6d1 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -17,17 +17,118 @@
 # along with this program. If not, see .
 #
+import os
 import httplib
 import xml.dom.minidom
+import ConfigParser
+from urllib import urlencode
+
 import nss.nss as nss
 from nss.error import NSPRError
-from urllib import urlencode
 from ipalib import api, errors
-from ipapython import nsslib, ipautil
 from ipalib.errors import NetworkError, CertificateOperationError
-from ipapython.ipa_log_manager import *
 from ipalib.text import _
+from ipapython import nsslib, ipautil
+from ipapython.ipa_log_manager import *
+
+# IPA can use either Dogtag version 9 or 10.
+#
+# Install tools should use the constants from install_constants, so that they
+# install with version 10 if it is available, and with 9 if not.
+# After IPA installation, the Dogtag version used is stored in the
+# "dogtag_version" config option. (If that is missing, version 9 is assumed.)
+# The configured_constants() function below provides constants relevant to
+# the configured version.
+
+class Dogtag10Constants(object):
+ DOGTAG_VERSION = 10
+ UNSECURE_PORT = 8080
+ AGENT_SECURE_PORT = 8443
+ EE_SECURE_PORT = 8443
+ AJP_PORT = 8009
+
+ SPAWN_BINARY = '/usr/sbin/pkispawn'
+ DESTROY_BINARY = '/usr/sbin/pkidestroy'
+
+ SERVER_ROOT = '/var/lib/pki'
+ PKI_INSTANCE_NAME = 'pki-tomcat'
+ PKI_ROOT = '%s/%s' % (SERVER_ROOT, PKI_INSTANCE_NAME)
+ CRL_PUBLISH_PATH = '%s/ca/publish' % PKI_ROOT
+ CS_CFG_PATH = '%s/conf/ca/CS.cfg' % PKI_ROOT
+ PASSWORD_CONF_PATH = '%s/conf/password.conf' % PKI_ROOT
+ SERVICE_PROFILE_DIR = '%s/ca/profiles/ca' % PKI_ROOT
+ ALIAS_DIR = '/etc/pki/pki-tomcat/alias'
+
+ RACERT_LINE_SEP = '\n'
+
+ IPA_SERVICE_PROFILE = '%s/caIPAserviceCert.cfg' % SERVICE_PROFILE_DIR
+ SIGN_PROFILE = '%s/caJarSigningCert.cfg' % SERVICE_PROFILE_DIR
+
+class Dogtag9Constants(object):
+ DOGTAG_VERSION = 9
+ UNSECURE_PORT = 9180
+ AGENT_SECURE_PORT = 9443
+ EE_SECURE_PORT = 9444
+ AJP_PORT = 9447
+
+ SPAWN_BINARY = '/bin/pkicreate'
+ DESTROY_BINARY = '/bin/pkisilent'
+
+ SERVER_ROOT = '/var/lib'
+ PKI_INSTANCE_NAME = 'pki-ca'
+ PKI_ROOT = '%s/%s' % (SERVER_ROOT, PKI_INSTANCE_NAME)
+ CRL_PUBLISH_PATH = '%s/publish' % PKI_ROOT
+ CS_CFG_PATH = '%s/conf/CS.cfg' % PKI_ROOT
+ PASSWORD_CONF_PATH = '%s/conf/password.conf' % PKI_ROOT
+ SERVICE_PROFILE_DIR = '%s/profiles/ca' % PKI_ROOT
+ ALIAS_DIR = '%s/alias' % PKI_ROOT
+
+ RACERT_LINE_SEP = '\r\n'
+
+ ADMIN_SECURE_PORT = 9445
+ EE_CLIENT_AUTH_PORT = 9446
+ TOMCAT_SERVER_PORT = 9701
+
+ IPA_SERVICE_PROFILE = '%s/caIPAserviceCert.cfg' % SERVICE_PROFILE_DIR
+ SIGN_PROFILE = '%s/caJarSigningCert.cfg' % SERVICE_PROFILE_DIR
+
+
+if os.path.exists('/usr/sbin/pkispawn'):
+ install_constants = Dogtag10Constants
+else:
+ install_constants = Dogtag9Constants
+
+
+def _get_configured_version(api):
+ """Get the version of Dogtag IPA is configured to use
+
+ If an API is given, use information in its environment.
+ Otherwise, use information from the global config file.
+ """
+ if api:
+ return int(api.env.dogtag_version)
+ else:
+ p = ConfigParser.SafeConfigParser()
+ p.read("/etc/ipa/default.conf")
+ try:
+ version = p.get('global', 'dogtag_version')
+ except (ConfigParser.NoOptionError, ConfigParser.NoSectionError):
+ return 9
+ else:
+ return int(version)
+
+
+def configured_constants(api=None):
+ """Get the name of the Dogtag CA instance
+
+ See get_configured_version
+ """
+ if _get_configured_version(api) >= 10:
+ return Dogtag10Constants
+ else:
+ return Dogtag9Constants
+
 def get_ca_certchain(ca_host=None):
 """
@@ -36,7 +137,8 @@ def get_ca_certchain(ca_host=None):
 if ca_host is None:
 ca_host = api.env.ca_host
 chain = None
- conn = httplib.HTTPConnection(ca_host, api.env.ca_install_port)
+ conn = httplib.HTTPConnection(ca_host,
+ api.env.ca_install_port or configured_constants().UNSECURE_PORT)
 conn.request("GET", "/ca/ee/ca/getCertChain")
 res = conn.getresponse()
 doc = None
-- cgit
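Review bot: The docstring on `configured_constants` describes the wrong thing — "Get the name of the Dogtag CA instance" — and points at `get_configured_version`, while the function returns one of the two constants classes and the helper is actually named `_get_configured_version`; suggest `"""Get the constants class for the Dogtag version IPA is configured to use` with `See _get_configured_version` as the second paragraph. In `_get_configured_version` the file branch defaults to 9 when the option or section is missing, but a non-numeric `dogtag_version` value still raises `ValueError` from `int(version)`, and the `api` branch has no fallback at all if `api.env` lacks the attribute, so the two paths disagree on what a bad or absent setting means. Its `api` parameter also shadows the module-level `api` imported from ipalib, which is easy to misread in a module that uses the global elsewhere (for example `api.env.ca_host` in `get_ca_certchain`). The `install_constants` check repeats the literal `/usr/sbin/pkispawn` that `Dogtag10Constants.SPAWN_BINARY` already holds; `if os.path.exists(Dogtag10Constants.SPAWN_BINARY):` keeps the two from drifting apart.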
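Review bot: The fallback `configured_constants().UNSECURE_PORT` is evaluated with no `api`, so every `get_ca_certchain` call that takes the fallback re-reads `/etc/ipa/default.conf` through ConfigParser, although `ca_host` on the preceding line is already taken from `api.env`; if `api.env` carries `dogtag_version` as the docstring of `_get_configured_version` implies, `configured_constants(api)` would take both values from the same source. Whether the in-process environment is guaranteed to be populated at this call site is not visible in the hunk, so the file read may be intentional; a short comment would stop the next reader from "fixing" it, e.g. `# when ca_install_port is unset, fall back to the plain-HTTP port of the configured Dogtag version (read from default.conf, not api.env)`. The body of get_ca_certchain continues outside the hunk.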