diff options
Diffstat (limited to 'ipaserver/install/server/install.py')
-rw-r--r-- | ipaserver/install/server/install.py | 411 |
1 files changed, 22 insertions, 389 deletions
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index dcdfa59d0..9137e1a9b 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -49,15 +49,9 @@ try: except ImportError: _server_trust_ad_installed = False -SYSRESTORE_DIR_PATH = paths.SYSRESTORE +from .common import BaseServer -VALID_SUBJECT_ATTRS = ['st', 'o', 'ou', 'dnqualifier', 'c', - 'serialnumber', 'l', 'title', 'sn', 'givenname', - 'initials', 'generationqualifier', 'dc', 'mail', - 'uid', 'postaladdress', 'postalcode', 'postofficebox', - 'houseidentifier', 'e', 'street', 'pseudonym', - 'incorporationlocality', 'incorporationstate', - 'incorporationcountry', 'businesscategory'] +SYSRESTORE_DIR_PATH = paths.SYSRESTORE def validate_dm_password(password): @@ -1152,243 +1146,18 @@ def uninstall(installer): sys.exit(rv) -class ServerCA(common.Installable, core.Group, core.Composite): - description = "certificate system" - - external_ca = Knob( - bool, False, - description=("Generate a CSR for the IPA CA certificate to be signed " - "by an external CA"), - ) - - external_ca_type = Knob( - {'generic', 'ms-cs'}, None, - description="Type of the external CA", - ) - - external_cert_files = Knob( - (list, str), None, - description=("File containing the IPA CA certificate and the external " - "CA certificate chain"), - cli_name='external-cert-file', - cli_aliases=['external_cert_file', 'external_ca_file'], - cli_metavar='FILE', - ) - - @external_cert_files.validator - def external_cert_files(self, value): - if any(not os.path.isabs(path) for path in value): - raise ValueError("must use an absolute path") - - no_pkinit = Knob( - bool, False, - description="disables pkinit setup steps", - ) - - dirsrv_cert_files = Knob( - (list, str), None, - description=("File containing the Directory Server SSL certificate " - "and private key"), - cli_name='dirsrv-cert-file', - cli_aliases=['dirsrv_pkcs12'], - cli_metavar='FILE', - ) - - http_cert_files = Knob( - (list, str), None, - description=("File containing the Apache Server SSL certificate and " - "private key"), - cli_name='http-cert-file', - cli_aliases=['http_pkcs12'], - cli_metavar='FILE', - ) +class Server(BaseServer): + realm_name = Knob(BaseServer.realm_name) + domain_name = Knob(BaseServer.domain_name) - pkinit_cert_files = Knob( - (list, str), None, - description=("File containing the Kerberos KDC SSL certificate and " - "private key"), - cli_name='pkinit-cert-file', - cli_aliases=['pkinit_pkcs12'], - cli_metavar='FILE', - ) - - dirsrv_pin = Knob( - str, None, - sensitive=True, - description="The password to unlock the Directory Server private key", - cli_aliases=['dirsrv_pin'], - cli_metavar='PIN', - ) - - http_pin = Knob( - str, None, - sensitive=True, - description="The password to unlock the Apache Server private key", - cli_aliases=['http_pin'], - cli_metavar='PIN', - ) - - pkinit_pin = Knob( - str, None, - sensitive=True, - description="The password to unlock the Kerberos KDC private key", - cli_aliases=['pkinit_pin'], - cli_metavar='PIN', - ) - - dirsrv_cert_name = Knob( - str, None, - description="Name of the Directory Server SSL certificate to install", - cli_metavar='NAME', - ) - - http_cert_name = Knob( - str, None, - description="Name of the Apache Server SSL certificate to install", - cli_metavar='NAME', - ) - - pkinit_cert_name = Knob( - str, None, - description="Name of the Kerberos KDC SSL certificate to install", - cli_metavar='NAME', - ) - - ca_cert_files = Knob( - (list, str), None, - description=("File containing CA certificates for the service " - "certificate files"), - cli_name='ca-cert-file', - cli_aliases=['root-ca-file'], - cli_metavar='FILE', - ) - - subject = Knob( - str, None, - description="The certificate subject base (default O=<realm-name>)", - ) - - @subject.validator - def subject(self, value): - v = unicode(value, 'utf-8') - if any(ord(c) < 0x20 for c in v): - raise ValueError("must not contain control characters") - if '&' in v: - raise ValueError("must not contain an ampersand (\"&\")") - try: - dn = DN(v) - for rdn in dn: - if rdn.attr.lower() not in VALID_SUBJECT_ATTRS: - raise ValueError("invalid attribute: \"%s\"" % rdn.attr) - except ValueError as e: - raise ValueError("invalid subject base format: %s" % e) - - ca_signing_algorithm = Knob( - {'SHA1withRSA', 'SHA256withRSA', 'SHA512withRSA'}, None, - description="Signing algorithm of the IPA CA certificate", - ) - - -class ServerDNS(common.Installable, core.Group, core.Composite): - description = "DNS" - - setup_dns = Knob( - bool, False, - description="configure bind with our zone", - ) - - forwarders = Knob( - (list, 'ip'), None, - description=("Add a DNS forwarder. This option can be used multiple " - "times"), - cli_name='forwarder', - ) - - no_forwarders = Knob( - bool, False, - description="Do not add any DNS forwarders, use root servers instead", - ) - - reverse_zones = Knob( - (list, str), [], - description=("The reverse DNS zone to use. This option can be used " - "multiple times"), - cli_name='reverse-zone', - cli_metavar='REVERSE_ZONE', - ) - - no_reverse = Knob( - bool, False, - description="Do not create reverse DNS zone", - ) - - no_dnssec_validation = Knob( - bool, False, - description="Disable DNSSEC validation", - ) - - zonemgr = Knob( - str, None, - description=("DNS zone manager e-mail address. Defaults to " - "hostmaster@DOMAIN"), - ) - - @zonemgr.validator - def zonemgr(self, value): - # validate the value first - try: - # IDNA support requires unicode - encoding = getattr(sys.stdin, 'encoding', None) - if encoding is None: - encoding = 'utf-8' - value = value.decode(encoding) - bindinstance.validate_zonemgr_str(value) - except ValueError as e: - # FIXME we can do this in better way - # https://fedorahosted.org/freeipa/ticket/4804 - # decode to proper stderr encoding - stderr_encoding = getattr(sys.stderr, 'encoding', None) - if stderr_encoding is None: - stderr_encoding = 'utf-8' - error = unicode(e).encode(stderr_encoding) - raise ValueError(error) - - no_host_dns = Knob( - bool, False, - description="Do not use DNS for hostname lookup during installation", - ) - - no_dns_sshfp = Knob( - bool, False, - description="Do not automatically create DNS SSHFP records", - ) - - -class Server(common.Installable, common.Interactive, core.Composite): - realm_name = Knob( - str, None, - description="realm name", - cli_name='realm', - cli_short_name='r', - ) - - domain_name = Knob( - str, None, - description="domain name", - cli_name='domain', - cli_short_name='n', - ) - - @domain_name.validator - def domain_name(self, value): - validate_domain_name(value) + setup_ca = None + setup_kra = None + setup_dns = Knob(BaseServer.setup_dns) dm_password = Knob( - str, None, - sensitive=True, + BaseServer.dm_password, description="Directory Manager password", cli_name='ds-password', - cli_short_name='p', ) @dm_password.validator @@ -1403,8 +1172,7 @@ class Server(common.Installable, common.Interactive, core.Composite): ) admin_password = Knob( - str, None, - sensitive=True, + BaseServer.admin_password, description="admin user kerberos password", cli_short_name='a', ) @@ -1413,16 +1181,8 @@ class Server(common.Installable, common.Interactive, core.Composite): def admin_password(self, value): validate_admin_password(value) - mkhomedir = Knob( - bool, False, - description="create home directories for users on their first login", - ) - - host_name = Knob( - str, None, - description="fully qualified name of server", - cli_name='hostname', - ) + mkhomedir = Knob(BaseServer.mkhomedir) + host_name = Knob(BaseServer.host_name) domainlevel = Knob( int, constants.MAX_DOMAIN_LEVEL, @@ -1443,18 +1203,13 @@ class Server(common.Installable, common.Interactive, core.Composite): constants.MAX_DOMAIN_LEVEL)) ip_addresses = Knob( - (list, 'ip-local'), None, + BaseServer.ip_addresses, description=("Master Server IP Address. This option can be used " "multiple times"), - cli_name='ip-address', - cli_metavar='IP_ADDRESS', ) - no_ntp = Knob( - bool, False, - description="do not configure ntp", - cli_short_name='N', - ) + no_host_dns = Knob(BaseServer.no_host_dns) + no_ntp = Knob(BaseServer.no_ntp) idstart = Knob( int, random.randint(1, 10000) * 200000, @@ -1477,25 +1232,14 @@ class Server(common.Installable, common.Interactive, core.Composite): cli_name='no_hbac_allow', ) - no_ui_redirect = Knob( - bool, False, - description="Do not automatically redirect to the Web UI", - ) - - ssh_trust_dns = Knob( - bool, False, - description="configure OpenSSH client to trust DNS SSHFP records", - ) - - no_ssh = Knob( - bool, False, - description="do not configure OpenSSH client", - ) + # ca + skip_schema_check = None - no_sshd = Knob( - bool, False, - description="do not configure OpenSSH server", - ) + # dns + dnssec_master = None + disable_dnssec_master = None + kasp_db_file = None + force = None def __init__(self, **kwargs): super(Server, self).__init__(**kwargs) @@ -1514,125 +1258,17 @@ class Server(common.Installable, common.Interactive, core.Composite): self._ca_cert = None self._update_hosts_file = False - #pylint: disable=no-member - - if not self.dns.setup_dns: - if self.dns.forwarders: - raise RuntimeError( - "You cannot specify a --forwarder option without the " - "--setup-dns option") - if self.dns.no_forwarders: - raise RuntimeError( - "You cannot specify a --no-forwarders option without the " - "--setup-dns option") - if self.dns.reverse_zones: - raise RuntimeError( - "You cannot specify a --reverse-zone option without the " - "--setup-dns option") - if self.dns.no_reverse: - raise RuntimeError( - "You cannot specify a --no-reverse option without the " - "--setup-dns option") - if self.dns.no_dnssec_validation: - raise RuntimeError( - "You cannot specify a --no-dnssec-validation option " - "without the --setup-dns option") - elif self.dns.forwarders and self.dns.no_forwarders: - raise RuntimeError( - "You cannot specify a --forwarder option together with " - "--no-forwarders") - elif self.dns.reverse_zones and self.dns.no_reverse: - raise RuntimeError( - "You cannot specify a --reverse-zone option together with " - "--no-reverse") - if self.uninstalling: if (self.realm_name or self.admin_password or self.master_password): raise RuntimeError( "In uninstall mode, -a, -r and -P options are not allowed") - elif not self.interactive: - if (not self.realm_name or not self.dm_password or - not self.admin_password): - raise RuntimeError( - "In unattended mode you need to provide at least -r, -p " - "and -a options") - if self.dns.setup_dns: - if not self.dns.forwarders and not self.dns.no_forwarders: - raise RuntimeError( - "You must specify at least one --forwarder option or " - "--no-forwarders option") - - # If any of the key file options are selected, all are required. - cert_file_req = (self.ca.dirsrv_cert_files, self.ca.http_cert_files) - cert_file_opt = (self.ca.pkinit_cert_files,) - if any(cert_file_req + cert_file_opt) and not all(cert_file_req): - raise RuntimeError( - "--dirsrv-cert-file and --http-cert-file are required if any " - "key file options are used.") - - if not self.interactive: - if self.ca.dirsrv_cert_files and self.ca.dirsrv_pin is None: - raise RuntimeError( - "You must specify --dirsrv-pin with --dirsrv-cert-file") - if self.ca.http_cert_files and self.ca.http_pin is None: - raise RuntimeError( - "You must specify --http-pin with --http-cert-file") - if self.ca.pkinit_cert_files and self.ca.pkinit_pin is None: - raise RuntimeError( - "You must specify --pkinit-pin with --pkinit-cert-file") - - if self.ca.external_cert_files and self.ca.dirsrv_cert_files: - raise RuntimeError( - "Service certificate file options cannot be used with the " - "external CA options.") - - if self.ca.external_ca_type and not self.ca.external_ca: - raise RuntimeError( - "You cannot specify --external-ca-type without --external-ca") if self.idmax < self.idstart: raise RuntimeError( "idmax (%s) cannot be smaller than idstart (%s)" % (self.idmax, self.idstart)) - # Automatically disable pkinit w/ dogtag until that is supported - self.ca.no_pkinit = True - - self.setup_ca = False - self.setup_kra = False - self.external_ca = self.ca.external_ca - self.external_ca_type = self.ca.external_ca_type - self.external_cert_files = self.ca.external_cert_files - self.no_pkinit = self.ca.no_pkinit - self.dirsrv_cert_files = self.ca.dirsrv_cert_files - self.http_cert_files = self.ca.http_cert_files - self.pkinit_cert_files = self.ca.pkinit_cert_files - self.dirsrv_pin = self.ca.dirsrv_pin - self.http_pin = self.ca.http_pin - self.pkinit_pin = self.ca.pkinit_pin - self.dirsrv_cert_name = self.ca.dirsrv_cert_name - self.http_cert_name = self.ca.http_cert_name - self.pkinit_cert_name = self.ca.pkinit_cert_name - self.ca_cert_files = self.ca.ca_cert_files - self.subject = self.ca.subject - self.ca_signing_algorithm = self.ca.ca_signing_algorithm - self.setup_dns = self.dns.setup_dns - self.forwarders = self.dns.forwarders - self.no_forwarders = self.dns.no_forwarders - self.reverse_zones = self.dns.reverse_zones - self.no_reverse = self.dns.no_reverse - self.no_dnssec_validation = self.dns.no_dnssec_validation - self.dnssec_master = False - self.disable_dnssec_master = False - self.kasp_db_file = None - self.force = False - self.zonemgr = self.dns.zonemgr - self.no_host_dns = self.dns.no_host_dns - self.no_dns_sshfp = self.dns.no_dns_sshfp - - self.unattended = not self.interactive - @step() def main(self): install_check(self) @@ -1644,6 +1280,3 @@ class Server(common.Installable, common.Interactive, core.Composite): uninstall_check(self) yield uninstall(self) - - ca = core.Component(ServerCA) - dns = core.Component(ServerDNS) |