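#! /usr/bin/python2 -E
# Authors: Ade Lee
#
# Copyright (C) 2014  Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#
"""Install or remove the Dogtag DRM (key recovery) subsystem on a FreeIPA server.

This is a Python 2 script.  print() is used only with a single
parenthesised argument so the syntax is valid on both Python 2 and 3.
"""

import os
import sys

from ConfigParser import SafeConfigParser, NoOptionError, NoSectionError

from ipalib import api
from ipaserver.install import drminstance
from ipaserver.install import dsinstance
from ipaserver.install import installutils
from ipapython import version
from ipaserver.install.installutils import read_password
from ipapython import certmonger
# Provides root_logger and standard_logging_setup used below.
from ipapython.ipa_log_manager import *
from ipapython import dogtag
from ipapython.config import IPAOptionParser
from ipapython import services as ipaservices

# Log file handed to installutils.run_script(); main() switches to the
# uninstall log when --uninstall is given.
log_file_name = "/var/log/ipa-drm-install.log"
uninstall_log_file_name = "/var/log/ipa-drm-uninstall.log"

# Server configuration this script reads from and, on success, appends to.
default_conf_path = "/etc/ipa/default.conf"


def uninstall(realm_name):
    """Remove the DRM instance of *realm_name* and its certmonger tracking.

    Certificate tracking is stopped first, then the instance is removed if
    it is installed.  Afterwards certmonger is asked whether any request
    for the alias directory is still tracked; if so, an error with the
    manual clean-up steps is logged, because a leftover tracking entry
    makes a later re-installation fail.
    """
    dogtag_constants = dogtag.configured_constants()
    drm_instance = drminstance.DRMInstance(
        realm_name, dogtag_constants=dogtag_constants)
    drm_instance.stop_tracking_certificates(dogtag_constants)
    if drm_instance.is_installed():
        drm_instance.uninstall()

    tracked_ids = certmonger.check_state([dogtag_constants.ALIAS_DIR])
    if tracked_ids:
        root_logger.error(
            "Some certificates may still be tracked by certmonger.\n"
            "This will cause re-installation to fail.\n"
            "Start the certmonger service and list the certificates being tracked\n"
            "# getcert list\nThese may be untracked by executing\n"
            "# getcert stop-tracking -i \n"
            "for each id in: %s" % ', '.join(tracked_ids))


def parse_options():
    """Parse the command line.

    Returns:
        (safe_options, options): ``options`` is the parsed namespace;
        ``safe_options`` is the copy returned by
        IPAOptionParser.get_safe_opts(), which is what gets logged
        (presumably it masks the option declared sensitive=True).
    """
    usage = "%prog [options]"
    parser = IPAOptionParser(usage=usage, version=version.VERSION)
    parser.add_option("-d", "--debug", dest="debug", action="store_true",
                      default=False,
                      help="gather extra debugging information")
    # A password given on the command line is visible in the process list
    # to other local users; the interactive prompt in main() avoids that.
    parser.add_option("-p", "--password", dest="password", sensitive=True,
                      help="Directory Manager (existing master) password")
    parser.add_option("-U", "--unattended", dest="unattended",
                      action="store_true", default=False,
                      help="unattended installation never prompts the user")
    parser.add_option("", "--uninstall", dest="uninstall",
                      action="store_true", default=False,
                      help="uninstall an existing installation. The uninstall can "
                           "be run with --unattended option")

    options, args = parser.parse_args()
    safe_options = parser.get_safe_opts(options)
    return safe_options, options


def _read_default_conf(path=default_conf_path):
    """Read the settings this installer needs from the IPA server config.

    Args:
        path: config file to read (the IPA default.conf by default).

    Returns:
        dict with keys ``host``, ``realm``, ``domain``, ``dogtag_version``
        (int), ``ra_plugin``, ``enable_ra`` and ``enable_drm``; the last
        is None when the option is absent.

    Raises:
        NoOptionError / NoSectionError: a required option (or the whole
        [global] section, e.g. when the file is missing) is absent.  A hint
        naming the file is printed before re-raising with the original
        traceback.
    """
    parser = SafeConfigParser()
    # SafeConfigParser.read() silently skips an unreadable file; that case
    # surfaces as NoSectionError on the first get() below.
    parser.read(path)
    conf = {}
    try:
        conf['host'] = parser.get('global', 'host')
        conf['realm'] = parser.get('global', 'realm')
        conf['domain'] = parser.get('global', 'domain')
    except (NoOptionError, NoSectionError):
        print("\nA required parameter is missing from %s\n" % path)
        raise

    try:
        conf['dogtag_version'] = int(parser.get('global', 'dogtag_version'))
        conf['ra_plugin'] = parser.get('global', 'ra_plugin')
        conf['enable_ra'] = parser.get('global', 'enable_ra')
    except (NoOptionError, NoSectionError):
        print("\nA Dogtag CA must first be installed, or a required "
              "parameter is missing from %s\n" % path)
        raise

    try:
        conf['enable_drm'] = parser.get('global', 'enable_drm')
    except NoOptionError:
        conf['enable_drm'] = None
    return conf


def _require_dogtag_ca(enable_ra, ra_plugin, dogtag_version):
    """Exit unless default.conf records a Dogtag CA of a supported version.

    Args:
        enable_ra: value of the ``enable_ra`` option (string).
        ra_plugin: value of the ``ra_plugin`` option (string).
        dogtag_version: integer ``dogtag_version`` option.

    The version test is ``>= 10`` while the message names 10.1; this
    mirrors the check as originally written, so 10.0 currently passes.
    NOTE(review): tighten to the real floor if 10.1 is required.
    """
    if enable_ra != "True" or ra_plugin != "dogtag":
        sys.exit("Dogtag CA is not installed. Please install the CA first")
    if dogtag_version < 10:
        sys.exit("Dogtag must be version 10.1 or above to install DRM")


def _append_config_line(path, line):
    """Append *line* to *path* on a line of its own.

    A newline is written first when the file does not already end with one,
    so the new option cannot be glued onto the last existing line (where it
    would become part of that option's value).

    Raises:
        IOError: the file cannot be opened or written.
    """
    with open(path, "a+") as fd:
        fd.seek(0, os.SEEK_END)
        end = fd.tell()
        needs_newline = False
        if end:
            fd.seek(end - 1)
            needs_newline = fd.read(1) != "\n"
        if needs_newline:
            fd.write("\n")
        fd.write(line + "\n")


def main():
    """Install (or, with --uninstall, remove) the Dogtag DRM on this server.

    In order: parse options and require root; set up logging and obtain the
    Directory Manager password; read host/realm/domain and the CA state from
    default.conf; on --uninstall delegate to uninstall() and return;
    otherwise verify a Dogtag >= 10 CA is present, bootstrap the ipalib api,
    configure the DRM instance, restart httpd and record ``enable_drm=True``
    in default.conf.  Every precondition failure is reported via sys.exit().
    """
    log_file = log_file_name
    safe_options, options = parse_options()

    if os.geteuid() != 0:
        sys.exit("\nYou must be root to run this script.\n")

    if options.uninstall:
        log_file = uninstall_log_file_name

    standard_logging_setup(log_file, debug=options.debug)
    # Report the log configured just above: the uninstall run writes to a
    # different file than the module-level default.
    print("\nThe log file for this operation can be found in " + log_file)
    # Log the safe copy only; options.password is sensitive.
    root_logger.debug('%s was invoked with options: %s' % (sys.argv[0], safe_options))

    if options.unattended and options.password is None:
        sys.exit("Directory Manager password must be specified using -p"
                 " in unattended mode")

    dm_password = options.password or \
        read_password("Directory Manager", confirm=False)
    if dm_password is None:
        sys.exit("Directory Manager password required")

    conf = _read_default_conf()

    subject = dsinstance.DsInstance().find_subject_base()

    if options.uninstall:
        if conf['enable_drm'] is None:
            sys.exit("There is no DRM installed on this system")
        return uninstall(conf['realm'])

    if conf['enable_drm'] == 'True':
        sys.exit("DRM is already installed.")

    _require_dogtag_ca(conf['enable_ra'], conf['ra_plugin'],
                       conf['dogtag_version'])

    # Initialize the ipalib api
    api.bootstrap(in_server=True, debug=options.debug)
    api.finalize()

    print("==============================================================================")
    print("This program will setup Dogtag DRM for the FreeIPA Server.")
    print("")

    drm = drminstance.DRMInstance(conf['realm'],
                                  dogtag_constants=dogtag.install_constants)
    # The DM password is passed twice; presumably the second is the admin
    # password of the new instance -- confirm against
    # DRMInstance.configure_instance().
    drm.configure_instance(conf['host'], conf['domain'],
                           dm_password, dm_password,
                           subject_base=subject)
    drm.enable_client_auth_to_db(drm.dogtag_constants.DRM_CS_CFG_PATH)

    # Restart apache for new proxy config file
    ipaservices.knownservices.httpd.restart(capture_output=True)

    try:
        # Must be the same option _read_default_conf() reads ('enable_drm');
        # the "already installed" and uninstall checks above key off it.
        _append_config_line(default_conf_path, "enable_drm=True")
    except IOError as e:
        print("Failed to update %s" % default_conf_path)
        root_logger.error(str(e))
        sys.exit(1)


fail_message = '''
Your system may be partly configured.
Run /usr/sbin/ipa-drm-install --uninstall to clean up.
'''

if __name__ == '__main__':
    # private_ccache(): presumably runs main() under a private Kerberos
    # credential cache -- confirm in installutils.
    with installutils.private_ccache():
        installutils.run_script(main, log_file_name=log_file_name,
                                operation_name='ipa-drm-add',
                                fail_message=fail_message)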