Remove DL0 specific code from ipa-ca-install

Replica files are DL0 specific; therefore all the code related to
replica files has been removed. An additional check for the new minimal
domain level has been added.

See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This commit is contained in:
Thomas Woerner
2018-09-10 16:19:24 +02:00
parent 167791f370
commit 418da605c9


@@ -31,14 +31,13 @@ from ipapython import ipautil
from ipaclient.install import ipa_certupdate
from ipaserver.install import installutils
from ipaserver.install.installutils import create_replica_config
from ipaserver.install.installutils import check_creds, ReplicaConfig
from ipaserver.install import dsinstance, ca
from ipaserver.install import cainstance, service
from ipaserver.install import custodiainstance
from ipapython import version
from ipalib import api
from ipalib.constants import DOMAIN_LEVEL_0
from ipalib.constants import DOMAIN_LEVEL_1
from ipapython.config import IPAOptionParser
from ipapython.ipa_log_manager import standard_logging_setup
from ipaplatform.paths import paths
@@ -105,33 +104,23 @@ def parse_options():
safe_options = parser.get_safe_opts(options)
if args:
parser.error("Domain level 0 is not supported anymore")
filename = args[0]
parser.error("Too many arguments provided")
if len(args) != 1:
parser.error("you must provide a file generated by "
"ipa-replica-prepare")
if options.external_ca:
if options.external_cert_files:
parser.error("You cannot specify --external-cert-file "
"together with --external-ca")
options.external_ca = None
options.external_cert_files = None
else:
filename = None
if options.external_ca_type and not options.external_ca:
parser.error(
"You cannot specify --external-ca-type without --external-ca")
if options.external_ca:
if options.external_cert_files:
parser.error("You cannot specify --external-cert-file "
"together with --external-ca")
if options.external_ca_profile and not options.external_ca:
parser.error(
"You cannot specify --external-ca-profile "
"without --external-ca")
if options.external_ca_type and not options.external_ca:
parser.error(
"You cannot specify --external-ca-type without --external-ca")
if options.external_ca_profile and not options.external_ca:
parser.error(
"You cannot specify --external-ca-profile "
"without --external-ca")
return safe_options, options, filename
return safe_options, options
def _get_dirman_password(password=None, unattended=False):
@@ -151,34 +140,19 @@ def _get_dirman_password(password=None, unattended=False):
return password
def install_replica(safe_options, options, filename):
def install_replica(safe_options, options):
if options.ca_subject:
sys.exit("--ca-subject cannot be used when installing a CA replica")
if options.subject_base:
sys.exit("--subject-base cannot be used when installing a CA replica")
if options.promote:
if filename is not None:
sys.exit("Too many parameters provided. "
"No replica file is required")
else:
if filename is None:
sys.exit("A replica file is required")
if not os.path.isfile(filename):
sys.exit("Replica file %s does not exist" % filename)
if not options.promote:
# Check if we have admin creds already, otherwise acquire them
check_creds(options, api.env.realm)
# Check if we have admin creds already, otherwise acquire them
check_creds(options, api.env.realm)
# get the directory manager password
dirman_password = _get_dirman_password(
options.password, options.unattended)
if (not options.promote and not options.admin_password and
not options.skip_conncheck and options.unattended):
sys.exit('admin password required')
# Run ipa-certupdate to ensure we have the CA cert. This is
# necessary if the admin has just promoted the topology from
# CA-less to CA-ful, and ipa-certupdate has not been run yet.
@@ -189,21 +163,16 @@ def install_replica(safe_options, options, filename):
api.Backend.ldap2.disconnect()
api.Backend.ldap2.connect()
if options.promote:
config = ReplicaConfig()
config.ca_host_name = None
config.realm_name = api.env.realm
config.host_name = api.env.host
config.domain_name = api.env.domain
config.dirman_password = dirman_password
config.ca_ds_port = 389
config.top_dir = tempfile.mkdtemp("ipa")
config.dir = config.top_dir
cafile = paths.IPA_CA_CRT
else:
config = create_replica_config(dirman_password, filename, options)
config.ca_host_name = config.master_host_name
cafile = config.dir + '/ca.crt'
config = ReplicaConfig()
config.ca_host_name = None
config.realm_name = api.env.realm
config.host_name = api.env.host
config.domain_name = api.env.domain
config.dirman_password = dirman_password
config.ca_ds_port = 389
config.top_dir = tempfile.mkdtemp("ipa")
config.dir = config.top_dir
cafile = paths.IPA_CA_CRT
global REPLICA_INFO_TOP_DIR
REPLICA_INFO_TOP_DIR = config.top_dir
@@ -271,7 +240,7 @@ def install_master(safe_options, options):
# No CA peer available yet.
custodia = custodiainstance.get_custodia_instance(
options, custodiainstance.CustodiaModes.STANDALONE)
options, custodiainstance.CustodiaModes.FIRST_MASTER)
ca.install(True, None, options, custodia=custodia)
# Run ipa-certupdate to add the new CA certificate to
@@ -280,28 +249,7 @@ def install_master(safe_options, options):
ipa_certupdate.run_with_args(api)
def install(safe_options, options, filename):
options.promote = False
try:
if filename is None:
install_master(safe_options, options)
else:
install_replica(safe_options, options, filename)
finally:
# Clean up if we created custom credentials
created_ccache_file = getattr(options, 'created_ccache_file', None)
if created_ccache_file is not None:
try:
os.unlink(created_ccache_file)
except OSError:
pass
def promote(safe_options, options, filename):
options.promote = True
def install(safe_options, options):
with ipautil.private_ccache():
ccache = os.environ['KRB5CCNAME']
@@ -314,11 +262,11 @@ def promote(safe_options, options, filename):
if ca_host is None:
install_master(safe_options, options)
else:
install_replica(safe_options, options, filename)
install_replica(safe_options, options)
def main():
safe_options, options, filename = parse_options()
safe_options, options = parse_options()
if os.geteuid() != 0:
sys.exit("\nYou must be root to run this script.\n")
@@ -331,8 +279,8 @@ def main():
sys.exit("CA is already installed on this host.")
standard_logging_setup(log_file_name, debug=options.debug)
logger.debug("%s was invoked with options: %s,%s",
sys.argv[0], safe_options, filename)
logger.debug("%s was invoked with options: %s",
sys.argv[0], safe_options)
logger.debug("IPA version %s", version.VENDOR_VERSION)
# override ra_plugin setting read from default.conf so that we have
@@ -344,11 +292,11 @@ def main():
api.finalize()
api.Backend.ldap2.connect()
domain_level = dsinstance.get_domain_level(api)
if domain_level < DOMAIN_LEVEL_1:
api.Backend.ldap2.disconnect()
sys.exit("Unsupported domain level %d" % domain_level)
if domain_level > DOMAIN_LEVEL_0:
promote(safe_options, options, filename)
else:
install(safe_options, options, filename)
install(safe_options, options)
# pki-spawn restarts 389-DS, reconnect
api.Backend.ldap2.close()
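Review bot: The `admin password required` guard in install_replica looks unreachable on the new side: its condition still tests `not options.promote`, while `options.promote = True` is printed once (as context) at the top of the merged install() and so appears to be retained, which makes the flag always true on the only remaining call path. If an unattended replica install that runs the connection check should still demand an admin password, drop the flag test: `if (not options.admin_password and not options.skip_conncheck and options.unattended):`; otherwise delete the guard and the now-vestigial `options.promote` assignment together rather than leaving dead code. The same flag was previously the only thing gating check_creds, which the new code calls unconditionally; that is a behaviour change beyond removing replica-file handling and deserves a sentence in the commit message, as does the switch from CustodiaModes.STANDALONE to CustodiaModes.FIRST_MASTER in install_master. The bodies of install_replica and install() continue outside the hunks shown.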