#! /usr/bin/python2 -E
# Authors: Ade Lee <alee@redhat.com>
#
# Copyright (C) 2014  Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#


import os
import sys
from ConfigParser import SafeConfigParser, NoOptionError

from ipalib import api
from ipaserver.install import drminstance
from ipaserver.install import dsinstance
from ipaserver.install import installutils
from ipapython import version
from ipaserver.install.installutils import read_password
from ipapython import certmonger
from ipapython.ipa_log_manager import *
from ipapython import dogtag
from ipapython.config import IPAOptionParser
from ipapython import services as ipaservices


# Log written by the install path; main() switches to a separate
# uninstall log when --uninstall is given, so this name is only
# correct for installs.
log_file_name = os.path.join("/var/log", "ipa-drm-install.log")


def uninstall(realm_name):
    """Remove the DRM instance of *realm_name* and report leftover certmonger tracking.

    Certificate tracking is stopped first, unconditionally; the instance
    itself is only removed when it reports itself as installed. Any
    request ids certmonger still holds for the Dogtag alias directory are
    logged as an error, since they would make a later re-install fail.
    """
    constants = dogtag.configured_constants()
    instance = drminstance.DRMInstance(realm_name, dogtag_constants=constants)

    # Stop tracking even when no instance is present so stale
    # certmonger requests for the alias directory are not left behind.
    instance.stop_tracking_certificates(constants)
    if instance.is_installed():
        instance.uninstall()

    leftover_ids = certmonger.check_state([constants.ALIAS_DIR])
    if not leftover_ids:
        return

    root_logger.error(
        "Some certificates may still be tracked by certmonger.\n"
        "This will cause re-installation to fail.\n"
        "Start the certmonger service and list the certificates being tracked\n"
        "# getcert list\nThese may be untracked by executing\n"
        "# getcert stop-tracking -i <request_id>\n"
        "for each id in: %s"
        % ', '.join(leftover_ids))


def parse_options():
    """Parse the command line and return ``(safe_options, options)``.

    ``options`` is the raw optparse result; ``safe_options`` is the copy
    produced by ``parser.get_safe_opts()`` and is the one meant for
    logging (the password option is declared ``sensitive=True``).
    """
    parser = IPAOptionParser(usage="%prog [options]", version=version.VERSION)

    option_specs = [
        (("-d", "--debug"),
         dict(dest="debug", action="store_true", default=False,
              help="gather extra debugging information")),
        # sensitive=True keeps the value out of the safe options copy.
        (("-p", "--password"),
         dict(dest="password", sensitive=True,
              help="Directory Manager (existing master) password")),
        (("-U", "--unattended"),
         dict(dest="unattended", action="store_true", default=False,
              help="unattended installation never prompts the user")),
        (("", "--uninstall"),
         dict(dest="uninstall", action="store_true", default=False,
              help="uninstall an existing installation. The uninstall can "
                   "be run with --unattended option")),
    ]
    for flags, kwargs in option_specs:
        parser.add_option(*flags, **kwargs)

    options, _args = parser.parse_args()
    return parser.get_safe_opts(options), options


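_DEFAULT_CONF = "/etc/ipa/default.conf"
_UNINSTALL_LOG = "/var/log/ipa-drm-uninstall.log"


def _read_required(parser, section, keys, missing_message):
    """Return the values of *keys* in *section* of *parser*, in order.

    When one of them is absent, *missing_message* is printed as a hint and
    the NoOptionError is re-raised unchanged (a bare ``raise`` keeps the
    original traceback, which ``raise e`` would not on Python 2).
    """
    try:
        return [parser.get(section, key) for key in keys]
    except NoOptionError:
        print(missing_message)
        raise


def _check_ca_prerequisites(enable_ra, ra_plugin, dogtag_version):
    """Exit unless a Dogtag CA of a supported version backs this server.

    ``enable_ra`` and ``ra_plugin`` are the raw strings from default.conf;
    ``dogtag_version`` is already an int.
    """
    if enable_ra != "True" or ra_plugin != "dogtag":
        sys.exit("Dogtag CA is not installed.  Please install the CA first")
    if dogtag_version < 10:
        sys.exit("Dogtag must be version 10.1 or above to install DRM")


def _append_config_option(path, line):
    """Append *line* to *path* as a line of its own.

    If the existing file does not end with a newline, the option would
    otherwise be glued onto the last line and never be parsed. Any IOError
    is left to the caller.
    """
    with open(path, "r") as fd:
        existing = fd.read()
    separator = "" if (not existing or existing.endswith("\n")) else "\n"
    with open(path, "a") as fd:
        fd.write(separator + line + "\n")


def main():
    """Install the Dogtag DRM for this IPA server, or remove it with --uninstall.

    Reads the server identity from /etc/ipa/default.conf, checks that a
    Dogtag 10+ CA is configured, sets up the DRM instance and records
    ``enable_drm=True`` in default.conf (the same key the pre-checks read,
    so a second run is detected as "already installed"). Every failed
    precondition ends the run via ``sys.exit`` with a message; a missing
    default.conf option is re-raised after a hint is printed.
    """
    safe_options, options = parse_options()

    if os.geteuid() != 0:
        sys.exit("\nYou must be root to run this script.\n")

    log_file = _UNINSTALL_LOG if options.uninstall else log_file_name
    standard_logging_setup(log_file, debug=options.debug)

    # Report the log this run actually writes to, not the module-level
    # install log name, which is wrong for --uninstall.
    print("\nThe log file for this operation can be found in " + log_file)
    # Only the sanitised copy from get_safe_opts() is logged; the raw
    # options hold the Directory Manager password.
    root_logger.debug('%s was invoked with options: %s' %
                      (sys.argv[0], safe_options))

    if options.unattended and options.password is None:
        sys.exit("Directory Manager password must be specified using -p"
                 " in unattended mode")

    dm_password = options.password or \
                  read_password("Directory Manager", confirm=False)
    if dm_password is None:
        sys.exit("Directory Manager password required")

    conf = SafeConfigParser()
    conf.read(_DEFAULT_CONF)

    host_name, realm_name, domain_name = _read_required(
        conf, 'global', ('host', 'realm', 'domain'),
        "\nA required parameter is missing from /etc/ipa/default.conf\n")
    dogtag_version, ra_plugin, enable_ra = _read_required(
        conf, 'global', ('dogtag_version', 'ra_plugin', 'enable_ra'),
        "\nA Dogtag CA must first be installed, or a required "
        "parameter is missing from /etc/ipa/default.conf\n")
    try:
        dogtag_version = int(dogtag_version)
    except ValueError:
        sys.exit("dogtag_version in /etc/ipa/default.conf is not a number")

    # enable_drm is optional: absent means no DRM has been set up here.
    try:
        enable_drm = conf.get('global', 'enable_drm')
    except NoOptionError:
        enable_drm = None

    if options.uninstall:
        if enable_drm is None:
            sys.exit("There is no DRM installed on this system")
        uninstall(realm_name)
        # Uninstall is complete here; falling through would run the
        # install checks against the stale enable_drm value.
        return

    if enable_drm == 'True':
        sys.exit("DRM is already installed.")

    _check_ca_prerequisites(enable_ra, ra_plugin, dogtag_version)

    # Only the install path needs the subject base.
    subject = dsinstance.DsInstance().find_subject_base()

    # Initialize the ipalib api
    api.bootstrap(in_server=True, debug=options.debug)
    api.finalize()

    print("==============================================================================")
    print("This program will setup Dogtag DRM for the FreeIPA Server.")
    print("")

    drm = drminstance.DRMInstance(realm_name,
                                  dogtag_constants=dogtag.install_constants)

    # NOTE(review): dm_password is passed twice; the second positional is
    # presumably the new instance's admin password — confirm against
    # DRMInstance.configure_instance before changing either.
    drm.configure_instance(host_name, domain_name, dm_password,
                           dm_password, subject_base=subject)

    drm.enable_client_auth_to_db(drm.dogtag_constants.DRM_CS_CFG_PATH)

    # Restart apache for new proxy config file
    ipaservices.knownservices.httpd.restart(capture_output=True)

    # Written under the same key ('enable_drm') that the checks above
    # read. NOTE(review): appending assumes [global] is the last section
    # of default.conf, as the original append did — confirm.
    try:
        _append_config_option(_DEFAULT_CONF, "enable_drm=True")
    except IOError as e:
        print("Failed to update /etc/ipa/default.conf")
        root_logger.error(str(e))
        sys.exit(1)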


# Hint shown by run_script when main() fails part-way; a leading and a
# trailing newline keep it separated from surrounding output.
fail_message = "\n".join([
    "",
    "Your system may be partly configured.",
    "Run /usr/sbin/ipa-drm-install --uninstall to clean up.",
    "",
])

if __name__ == '__main__':
    # NOTE(review): the install log name and operation name are passed
    # even for --uninstall, although main() logs to a separate uninstall
    # file in that case; confirm how run_script uses them.
    script_kwargs = dict(
        log_file_name=log_file_name,
        operation_name='ipa-drm-add',
        fail_message=fail_message,
    )
    # private_ccache() presumably isolates the credential cache for the
    # duration of the run — see installutils.
    with installutils.private_ccache():
        installutils.run_script(main, **script_kwargs)