author | Jan Cholasta <jcholast@redhat.com> | 2016-10-26 09:44:49 +0200 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2016-11-11 12:13:56 +0100 |
commit | 0933e080aa9635bba12efc53d904d524b309027f (patch) | |
tree | d478101989c6970afcefb29c75536ead0bd2a21c /ipaserver/install | |
parent | dc38d53de1eff71570ec5ef55db6de2c6f9b5bbd (diff) | |
install: merge all KRA install code paths into one
Merge the KRA install code paths used in ipa-replica-install (at either domain
level) and in ipa-kra-install into one.
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Diffstat (limited to 'ipaserver/install')
-rw-r--r-- | ipaserver/install/kra.py | 60 | ||||
-rw-r--r-- | ipaserver/install/krainstance.py | 109 | ||||
-rw-r--r-- | ipaserver/install/server/replicainstall.py | 11 |
3 files changed, 50 insertions, 130 deletions
diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py
index 85ae57d20..ad67061b6 100644
--- a/ipaserver/install/kra.py
+++ b/ipaserver/install/kra.py
@@ -3,6 +3,7 @@
 #
 import os
+import shutil
 from ipalib import api, errors
 from ipaplatform import services
@@ -59,38 +60,53 @@ def install_check(api, replica_config, options):
 def install(api, replica_config, options):
-    subject = dsinstance.DsInstance().find_subject_base()
     if replica_config is None:
-        kra = krainstance.KRAInstance(api.env.realm)
-        kra.configure_instance(
-            api.env.realm, api.env.host, options.dm_password,
-            options.dm_password, subject_base=subject)
+        realm_name = api.env.realm
+        dm_password = options.dm_password
+        host_name = api.env.host
+        subject_base = dsinstance.DsInstance().find_subject_base()
+
+        pkcs12_info = None
+        master_host = None
+        promote = False
     else:
+        krafile = os.path.join(replica_config.dir, 'kracert.p12')
         if options.promote:
-            ca_data = (os.path.join(replica_config.dir, 'kracert.p12'),
-                       replica_config.dirman_password)
-            custodia = custodiainstance.CustodiaInstance(
-                replica_config.host_name, replica_config.realm_name)
-            custodia.get_kra_keys(replica_config.kra_host_name,
-                                  ca_data[0], ca_data[1])
-
-            kra = krainstance.KRAInstance(replica_config.realm_name)
-            kra.configure_replica(replica_config.host_name,
-                                  replica_config.kra_host_name,
-                                  replica_config.dirman_password,
-                                  kra_cert_bundle=ca_data)
-            return
-
+                replica_config.host_name,
+                replica_config.realm_name)
+            custodia.get_kra_keys(
+                replica_config.kra_host_name,
+                krafile,
+                replica_config.dirman_password)
         else:
-            kra = krainstance.install_replica_kra(replica_config)
+            cafile = os.path.join(replica_config.dir, 'cacert.p12')
+            if not ipautil.file_exists(cafile):
+                raise RuntimeError(
+                    "Unable to clone KRA."
+ " cacert.p12 file not found in replica file") + shutil.copy(cafile, krafile) + + realm_name = replica_config.realm_name + dm_password = replica_config.dirman_password + host_name = replica_config.host_name + subject_base = replica_config.subject_base + + pkcs12_info = (krafile,) + master_host = replica_config.kra_host_name + promote = options.promote + + kra = krainstance.KRAInstance(realm_name) + kra.configure_instance(realm_name, host_name, dm_password, dm_password, + subject_base=subject_base, + pkcs12_info=pkcs12_info, + master_host=master_host, + promote=promote) service.print_msg("Restarting the directory server") ds = dsinstance.DsInstance() ds.restart() - kra.ldap_enable('KRA', api.env.host, options.dm_password, api.env.basedn) - kra.enable_client_auth_to_db(paths.KRA_CS_CFG_PATH) # Restart apache for new proxy config file diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py index 22fe38ac6..edce4aa9e 100644 --- a/ipaserver/install/krainstance.py +++ b/ipaserver/install/krainstance.py @@ -28,18 +28,15 @@ from six.moves.configparser import ConfigParser from ipalib import api from ipalib import x509 -from ipaplatform import services from ipaplatform.constants import constants from ipaplatform.paths import paths from ipapython import certdb from ipapython import ipautil from ipapython.dn import DN -from ipapython.admintool import ScriptError from ipaserver.install import certs from ipaserver.install import cainstance from ipaserver.install import installutils from ipaserver.install import ldapupdate -from ipaserver.install import service from ipaserver.install.dogtaginstance import (export_kra_agent_pem, DogtagInstance) from ipaserver.plugins import ldap2 
@@ -82,16 +79,17 @@ class KRAInstance(DogtagInstance):
     def configure_instance(self, realm_name, host_name, dm_password,
                            admin_password, pkcs12_info=None, master_host=None,
-                           subject_base=None):
+                           subject_base=None, promote=False):
         """Create a KRA instance.
            To create a clone, pass in pkcs12_info.
         """
         self.fqdn = host_name
         self.dm_password = dm_password
+        self.admin_groups = ADMIN_GROUPS
         self.admin_password = admin_password
         self.pkcs12_info = pkcs12_info
-        if self.pkcs12_info is not None:
+        if self.pkcs12_info is not None or promote:
             self.clone = True
         self.master_host = master_host
         if subject_base is None:
@@ -106,16 +104,20 @@ class KRAInstance(DogtagInstance):
             raise RuntimeError(
                 "KRA already installed.")
         # Confirm that a Dogtag 10 CA instance already exists
-        ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
+        ca = cainstance.CAInstance(self.realm, certs.NSS_DIR)
         if not ca.is_installed():
             raise RuntimeError(
                 "KRA configuration failed. "
                 "A Dogtag CA must be installed first")
+        if promote:
+            self.step("creating installation admin user", self.setup_admin)
         self.step("configuring KRA instance", self.__spawn_instance)
         if not self.clone:
             self.step("create KRA agent", self.__create_kra_agent)
+        if promote:
+            self.step("destroying installation admin user", self.teardown_admin)
         self.step("restarting KRA", self.restart_instance)
         self.step("configure certmonger for renewals",
                   self.configure_certmonger_renewal)
@@ -125,6 +127,8 @@ class KRAInstance(DogtagInstance):
         self.step("add vault container", self.__add_vault_container)
         self.step("apply LDAP updates", self.__apply_updates)
+        self.step("enabling KRA instance", self.__enable_instance)
+
         self.start_creation(runtime=126)
     def __spawn_instance(self):
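Review bot: The new `promote` parameter of configure_instance is not documented; the docstring still says only `To create a clone, pass in pkcs12_info.` although `promote=True` now also forces `self.clone = True` and changes which steps run. Suggest extending it to `To create a clone, pass in pkcs12_info. promote=True also marks the instance as a clone and creates/destroys a temporary installation admin user around the spawn step.` The method body continues beyond this hunk.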
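Review bot: In the second hunk, `teardown_admin` is registered as a separate step after `__spawn_instance` (and after `__create_kra_agent`), so if the spawn step fails the temporary installation admin user presumably stays behind with its privileges; whether start_creation (outside this hunk) runs later steps on error cannot be seen here — confirm, and if it does not, the cleanup belongs in a try/finally around the spawn rather than in a trailing step. The same ordering existed in the removed configure_replica, so this is inherited rather than introduced, but merging the paths is the moment to fix it. A comment such as `# teardown_admin only runs if every earlier step succeeds` would at least make the gap visible.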
@@ -352,96 +356,3 @@ class KRAInstance(DogtagInstance):
     def __enable_instance(self):
         self.ldap_enable('KRA', self.fqdn, None, self.suffix)
-
-    def configure_replica(self, host_name, master_host, dm_password,
-                          kra_cert_bundle=None, subject_base=None):
-        """Create a KRA instance.
-
-           To create a clone, pass in pkcs12_info.
-        """
-        self.fqdn = host_name
-        self.dm_password = dm_password
-        self.master_host = master_host
-        if subject_base is None:
-            self.subject_base = DN(('O', self.realm))
-        else:
-            self.subject_base = subject_base
-        self.suffix = ipautil.realm_to_suffix(self.realm)
-
-        self.pkcs12_info = kra_cert_bundle
-        self.clone = True
-        self.admin_groups = ADMIN_GROUPS
-
-        # Confirm that a KRA does not already exist
-        if self.is_installed():
-            raise RuntimeError(
-                "KRA already installed.")
-        # Confirm that a Dogtag 10 CA instance already exists
-        ca = cainstance.CAInstance(self.realm, certs.NSS_DIR)
-        if not ca.is_installed():
-            raise RuntimeError(
-                "KRA configuration failed. "
-                "A Dogtag CA must be installed first")
-
-        self.step("creating installation admin user", self.setup_admin)
-        self.step("configuring KRA instance", self.__spawn_instance)
-        self.step("destroying installation admin user", self.teardown_admin)
-        self.step("restarting KRA", self.restart_instance)
-        self.step("configure certmonger for renewals",
-                  self.configure_certmonger_renewal)
-        self.step("configure certificate renewals", self.configure_renewal)
-        self.step("add vault container", self.__add_vault_container)
-
-        self.step("enabling KRA instance", self.__enable_instance)
-
-        self.start_creation(runtime=126)
-
-
-def install_replica_kra(config, postinstall=False):
-    """
-    Install a KRA on a replica.
-
-    There are two modes of doing this controlled:
-      - While the replica is being installed
-      - Post-replica installation
-
-    config is a ReplicaConfig object
-
-    Returns a KRA instance
-    """
-    # note that the cacert.p12 file is regenerated during the
-    # ipa-replica-prepare process and should include all the certs
-    # for the CA and KRA
-    krafile = config.dir + "/cacert.p12"
-
-    if not ipautil.file_exists(krafile):
-        raise RuntimeError(
-            "Unable to clone KRA."
-            " cacert.p12 file not found in replica file")
-
-    _kra = KRAInstance(config.realm_name)
-    _kra.dm_password = config.dirman_password
-    _kra.subject_base = config.subject_base
-    if _kra.is_installed():
-        raise ScriptError("A KRA is already configured on this system.")
-
-    _kra.configure_instance(config.realm_name, config.host_name,
-                            config.dirman_password, config.dirman_password,
-                            pkcs12_info=(krafile,),
-                            master_host=config.kra_host_name,
-                            subject_base=config.subject_base)
-
-    # Restart httpd since we changed it's config and added ipa-pki-proxy.conf
-    if postinstall:
-        services.knownservices.httpd.restart()
-
-    # The dogtag DS instance needs to be restarted after installation.
-    # The procedure for this is: stop dogtag, stop DS, start DS, start
-    # dogtag
-
-    service.print_msg("Restarting the directory and KRA servers")
-    _kra.stop('pki-tomcat')
-    installutils.restart_dirsrv()
-    _kra.start('pki-tomcat')
-
-    return _kra
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 86bf30c67..be9038b4e 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -37,7 +37,7 @@ import ipaclient.ipachangeconf
 import ipaclient.ntpconf
 from ipaserver.install import (
     bindinstance, ca, cainstance, certs, dns, dsinstance, httpinstance,
-    installutils, kra, krainstance, krbinstance, memcacheinstance,
+    installutils, kra, krbinstance, memcacheinstance,
     ntpinstance, otpdinstance, custodiainstance, service)
 from ipaserver.install.installutils import (
     create_replica_config, ReplicaConfig, load_pkcs12, is_ipa_configured)
@@ -1510,14 +1510,7 @@ def promote(installer):
         ca.install(False, config, options)
     if options.setup_kra:
-        ca_data = (os.path.join(config.dir, 'kracert.p12'),
-                   config.dirman_password)
-        custodia.get_kra_keys(config.kra_host_name, ca_data[0], ca_data[1])
-
-        kra = krainstance.KRAInstance(config.realm_name)
-        kra.configure_replica(config.host_name, config.kra_host_name,
-                              config.dirman_password,
-                              kra_cert_bundle=ca_data)
+        kra.install(api, config, options)
     custodia.import_dm_password(config.master_host_name) |
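Review bot: `kra.install(api, config, options)` in the second hunk only takes the Custodia key-retrieval path when `options.promote` is true (see the kra.py hunk in this commit), so the replacement of the inline get_kra_keys call is correct only if that flag is already set by the time promote() reaches this point, which the hunk does not show — confirm. A one-line comment, `# kra.install fetches the KRA keys via Custodia because options.promote is set here`, would make the coupling explicit. The enclosing promote() starts and ends outside the hunk.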