authorAde Lee <alee@redhat.com>2014-04-15 14:09:32 -0400
committerAde Lee <alee@redhat.com>2014-05-27 14:51:50 -0400
commit900de7d04f6a1fe2f71d310ccddbc2a5b89c81dc (patch)
tree7a6c3af8aebb9461bdf65acca48a88434c09ff7f /install
parentc8a824c850dd20012a233ae9fbcf47775e05801b (diff)
Added ipa-drm-install
ipa-drm-install can be used (with no arguments) to add a DRM to an existing IPA instance that already contains a Dogtag CA. In a subsequent patch, I will add logic to this script to detect whether a DRM naming context already exists and, if so, to look for a replica file so that the DRM can be installed on a replica.
Diffstat (limited to 'install')
-rw-r--r--install/po/Makefile.in1
-rw-r--r--install/tools/Makefile.am1
-rwxr-xr-xinstall/tools/ipa-dns-install1
-rw-r--r--install/tools/ipa-drm-install196
-rw-r--r--install/tools/ipa-upgradeconfig67
5 files changed, 202 insertions, 64 deletions
diff --git a/install/po/Makefile.in b/install/po/Makefile.in
index 6dca615c1..c8d7b6353 100644
--- a/install/po/Makefile.in
+++ b/install/po/Makefile.in
@@ -47,6 +47,7 @@ PY_EXPLICIT_FILES = \
install/tools/ipa-csreplica-manage \
install/tools/ipactl \
install/tools/ipa-dns-install \
+ install/tools/ipa-drm-install \
install/tools/ipa-ldap-updater \
install/tools/ipa-managed-entries \
install/tools/ipa-nis-manage \
diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am
index 2cf66c6df..7f8e4a5a0 100644
--- a/install/tools/Makefile.am
+++ b/install/tools/Makefile.am
@@ -7,6 +7,7 @@ SUBDIRS = \
sbin_SCRIPTS = \
ipa-ca-install \
ipa-dns-install \
+ ipa-drm-install \
ipa-server-install \
ipa-adtrust-install \
ipa-replica-conncheck \
diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install
index 78acc2d9b..468441668 100755
--- a/install/tools/ipa-dns-install
+++ b/install/tools/ipa-dns-install
@@ -31,6 +31,7 @@ from ipapython import ipautil, sysrestore
from ipalib import api, errors, util
from ipapython.config import IPAOptionParser
from ipapython.ipa_log_manager import standard_logging_setup, root_logger
+from ipapython.ipautil import DN
log_file_name = "/var/log/ipaserver-install.log"
diff --git a/install/tools/ipa-drm-install b/install/tools/ipa-drm-install
new file mode 100644
index 000000000..7af39a3c7
--- /dev/null
+++ b/install/tools/ipa-drm-install
@@ -0,0 +1,196 @@
+#! /usr/bin/python2 -E
+# Authors: Ade Lee <alee@redhat.com>
+#
+# Copyright (C) 2014 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+
+import os
+import sys
+from ConfigParser import SafeConfigParser, NoOptionError
+
+from ipalib import api
+from ipaserver.install import drminstance
+from ipaserver.install import dsinstance
+from ipaserver.install import installutils
+from ipapython import version
+from ipaserver.install.installutils import read_password
+from ipapython import certmonger
+from ipapython.ipa_log_manager import *
+from ipapython import dogtag
+from ipapython.config import IPAOptionParser
+from ipapython import services as ipaservices
+
+
+log_file_name = "/var/log/ipa-drm-install.log"
+
+
+def uninstall(realm_name):
+ dogtag_constants = dogtag.configured_constants()
+
+ drm_instance = drminstance.DRMInstance(
+ realm_name, dogtag_constants=dogtag_constants)
+ drm_instance.stop_tracking_certificates(dogtag_constants)
+ if drm_instance.is_installed():
+ drm_instance.uninstall()
+
+ dirs = [dogtag_constants.ALIAS_DIR]
+ ids = certmonger.check_state(dirs)
+ if ids:
+ root_logger.error(
+ "Some certificates may still be tracked by certmonger.\n"
+ "This will cause re-installation to fail.\n"
+ "Start the certmonger service and list the certificates being tracked\n"
+ "# getcert list\nThese may be untracked by executing\n"
+ "# getcert stop-tracking -i <request_id>\n"
+ "for each id in: %s"
+ % ', '.join(ids))
+
+
+def parse_options():
+ usage = "%prog [options]"
+ parser = IPAOptionParser(usage=usage, version=version.VERSION)
+ parser.add_option("-d", "--debug", dest="debug", action="store_true",
+ default=False, help="gather extra debugging information")
+ parser.add_option("-p", "--password", dest="password", sensitive=True,
+ help="Directory Manager (existing master) password")
+ parser.add_option("-U", "--unattended", dest="unattended",
+ action="store_true", default=False,
+ help="unattended installation never prompts the user")
+ parser.add_option("", "--uninstall", dest="uninstall",
+ action="store_true", default=False,
+ help="uninstall an existing installation. The uninstall can "
+ "be run with --unattended option")
+
+ options, args = parser.parse_args()
+ safe_options = parser.get_safe_opts(options)
+
+ return safe_options, options
+
+
+def main():
+ log_file = "/var/log/ipa-drm-install.log"
+ safe_options, options = parse_options()
+
+ if os.geteuid() != 0:
+ sys.exit("\nYou must be root to run this script.\n")
+
+ if options.uninstall:
+ log_file = "/var/log/ipa-drm-uninstall.log"
+
+ standard_logging_setup(log_file, debug=options.debug)
+
+ print "\nThe log file for this operation can be found in " + log_file_name
+ root_logger.debug('%s was invoked with options: %s' %
+ (sys.argv[0], safe_options))
+
+ if options.unattended and options.password is None:
+ sys.exit("Directory Manager password must be specified using -p"
+ " in unattended mode")
+
+ dm_password = options.password or \
+ read_password("Directory Manager", confirm=False)
+ if dm_password is None:
+ sys.exit("Directory Manager password required")
+
+ p = SafeConfigParser()
+ p.read("/etc/ipa/default.conf")
+
+ try:
+ host_name = p.get('global', 'host')
+ realm_name = p.get('global', 'realm')
+ domain_name = p.get('global', 'domain')
+ except NoOptionError as e:
+ print "\nA required parameter is missing from /etc/ipa/default.conf\n"
+ raise e
+
+ try:
+ dogtag_version = int(p.get('global', 'dogtag_version'))
+ ra_plugin = p.get('global', 'ra_plugin')
+ enable_ra = p.get('global', 'enable_ra')
+ except NoOptionError as e:
+ print "\nA Dogtag CA must first be installed, or a required " \
+ "parameter is missing from /etc/ipa/default.conf\n"
+ raise e
+
+ try:
+ enable_drm = p.get('global', 'enable_drm')
+ except NoOptionError:
+ enable_drm = None
+
+ subject = dsinstance.DsInstance().find_subject_base()
+
+ if options.uninstall:
+ if enable_drm is None:
+ sys.exit("There is no DRM installed on this system")
+ uninstall(realm_name)
+
+ if enable_drm is not None and enable_drm == 'True':
+ sys.exit("DRM is already installed.")
+
+ if enable_ra is not None and enable_ra == "True" and \
+ ra_plugin is not None and ra_plugin == "dogtag":
+ if dogtag_version is not None and dogtag_version >= 10:
+ # correct dogtag version of CA installed
+ pass
+ else:
+ sys.exit("Dogtag must be version 10.1 or above to install DRM")
+ else:
+ sys.exit("Dogtag CA is not installed. Please install the CA first")
+
+ # Initialize the ipalib api
+ cfg = dict(
+ in_server=True,
+ debug=options.debug,
+ )
+ api.bootstrap(**cfg)
+ api.finalize()
+
+ print "=============================================================================="
+ print "This program will setup Dogtag DRM for the FreeIPA Server."
+ print ""
+
+ drm = drminstance.DRMInstance(realm_name,
+ dogtag_constants=dogtag.install_constants)
+
+ drm.configure_instance(host_name, domain_name, dm_password,
+ dm_password, subject_base=subject)
+
+ drm.enable_client_auth_to_db(drm.dogtag_constants.DRM_CS_CFG_PATH)
+
+ # Restart apache for new proxy config file
+ ipaservices.knownservices.httpd.restart(capture_output=True)
+
+ try:
+ with open("/etc/ipa/default.conf", "a") as fd:
+ fd.write("drm_enabled=True")
+ except IOError, e:
+ print "Failed to update /etc/ipa/default.conf"
+ root_logger.error(str(e))
+ sys.exit(1)
+
+
+fail_message = '''
+Your system may be partly configured.
+Run /usr/sbin/ipa-drm-install --uninstall to clean up.
+'''
+
+if __name__ == '__main__':
+ with installutils.private_ccache():
+ installutils.run_script(main, log_file_name=log_file_name,
+ operation_name='ipa-drm-add',
+ fail_message=fail_message)
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 5f751becb..b45b3179a 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -40,9 +40,10 @@ from ipapython.config import IPAOptionParser
from ipapython.ipa_log_manager import *
from ipapython import certmonger
from ipapython import dogtag
-from ipaserver.install import installutils
+
from ipaserver.install import dsinstance
from ipaserver.install import httpinstance
+from ipaserver.install import installutils
from ipaserver.install import memcacheinstance
from ipaserver.install import bindinstance
from ipaserver.install import service
@@ -51,7 +52,6 @@ from ipaserver.install import certs
from ipaserver.install import otpdinstance
from ipaserver.install import sysupgrade
-
def parse_options():
parser = IPAOptionParser(version=version.VERSION)
parser.add_option("-d", "--debug", dest="debug", action="store_true",
@@ -824,66 +824,7 @@ def find_subject_base():
3) Last resort, look in the certmap.conf itself
4) If all fails, log loudly and return None
"""
- root_logger.debug('Trying to find certificate subject base in sysupgrade')
- subject_base = sysupgrade.get_upgrade_state('certmap.conf', 'subject_base')
-
- if subject_base:
- root_logger.debug(
- 'Found certificate subject base in sysupgrade: %s',
- subject_base
- )
- return subject_base
-
- root_logger.debug('Unable to find certificate subject base in sysupgrade')
- root_logger.debug('Trying to find certificate subject base in DS')
-
- ds_is_running = services.knownservices.dirsrv.is_running()
- if not ds_is_running:
- try:
- services.knownservices.dirsrv.start()
- except ipautil.CalledProcessError as e:
- root_logger.error('Cannot start DS to find certificate '
- 'subject base: %s', e)
- else:
- ds_is_running = True
-
- if ds_is_running:
- try:
- api.Backend.ldap2.connect(autobind=True)
- except ipalib.errors.PublicError, e:
- root_logger.error('Cannot connect to DS to find certificate '
- 'subject base: %s', e)
- else:
- ret = api.Command['config_show']()
- api.Backend.ldap2.disconnect()
- subject_base = str(ret['result']['ipacertificatesubjectbase'][0])
- root_logger.debug(
- 'Found certificate subject base in DS: %s',
- subject_base
- )
-
- if not subject_base:
- root_logger.debug('Unable to find certificate subject base in DS')
- root_logger.debug('Trying to find certificate subject base in '
- 'certmap.conf')
-
- certmap_dir = dsinstance.config_dirname(
- dsinstance.realm_to_serverid(api.env.realm)
- )
- try:
- with open(os.path.join(certmap_dir, 'certmap.conf')) as f:
- for line in f:
- if line.startswith('certmap ipaca'):
- subject_base = line.strip().split(',')[-1]
- root_logger.debug(
- 'Found certificate subject base in certmap.conf: '
- '%s',
- subject_base
- )
-
- except IOError as e:
- root_logger.error('Cannot open certmap.conf to find certificate '
- 'subject base: %s', e.strerror)
+ subject_base = dsinstance.DsInstance().find_subject_base()
if subject_base:
sysupgrade.set_upgrade_state(
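Review bot: The replacement `dsinstance.DsInstance().find_subject_base()` drops the handling the removed code visibly had for a stopped directory server (starting dirsrv, catching `ipautil.CalledProcessError` and `ipalib.errors.PublicError`, and disconnecting ldap2 afterwards); whether the new method preserves that is not visible in this hunk, and ipa-upgradeconfig runs during package upgrades when dirsrv may be down, so please confirm it does not raise in that case and still falls back to certmap.conf. The docstring above still promises the sysupgrade, then DS, then certmap.conf search order, so it needs to stay accurate against what DsInstance actually does. If the removed lines were the only users of `services`, `ipautil` or `ipalib.errors` in this file, those imports are now dead. The enclosing find_subject_base() definition starts before this hunk.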
@@ -893,8 +834,6 @@ def find_subject_base():
)
return subject_base
- root_logger.debug('Unable to find certificate subject base in '
- 'certmap.conf')
root_logger.error('Unable to determine certificate subject base. '
'certmap.conf will not be updated.')