merge KRA installation machinery to a single module

This is a prerequisite to further refactoring of KRA install/uninstall
functionality in all IPA install scripts.

https://fedorahosted.org/freeipa/ticket/4468

Reviewed-By: Jan Cholasta <jcholast@redhat.com>

install/tools/ipa-replica-install

@@ -37,10 +37,10 @@ from ipaserver.install import memcacheinstance, dnskeysyncinstance
 from ipaserver.install import otpdinstance
 from ipaserver.install.replication import replica_conn_check, ReplicationManager
 from ipaserver.install.installutils import (
-    create_replica_config, read_replica_info_kra_enabled, private_ccache)
+    create_replica_config, private_ccache)
 from ipaserver.plugins.ldap2 import ldap2
 from ipaserver.install import cainstance
-from ipaserver.install import krainstance
+from ipaserver.install import kra
 from ipaserver.install import dns as dns_installer
 from ipalib import api, create_api, errors, util, certstore, x509
 from ipalib.constants import CACERT
@@ -473,12 +473,12 @@ def main():
 
     config.setup_kra = options.setup_kra
     if config.setup_kra:
-        if not config.setup_ca:
-            print "CA must be installed with the KRA"
-            sys.exit(1)
-        if not read_replica_info_kra_enabled(config.dir):
-            print "KRA is not installed on the master system"
-            sys.exit(1)
+        try:
+            kra.install_check(config, options, False,
+                              dogtag.install_constants.DOGTAG_VERSION)
+        except RuntimeError as e:
+            print str(e)
+            exit(1)
 
     installutils.verify_fqdn(config.master_host_name, options.no_host_dns)
 
@@ -660,10 +660,7 @@ def main():
     ds.apply_updates()
 
     if options.setup_kra:
-        kra = krainstance.install_replica_kra(config)
-        service.print_msg("Restarting the directory server")
-        ds.restart()
-        kra.enable_client_auth_to_db(kra.dogtag_constants.KRA_CS_CFG_PATH)
+        kra.install(config, options, dirman_password)
     else:
         service.print_msg("Restarting the directory server")
         ds.restart()

install/tools/ipa-server-install

@@ -53,13 +53,13 @@ from ipaserver.install import httpinstance
 from ipaserver.install import ntpinstance
 from ipaserver.install import certs
 from ipaserver.install import cainstance
-from ipaserver.install import krainstance
 from ipaserver.install import memcacheinstance
 from ipaserver.install import otpdinstance
 from ipaserver.install import sysupgrade
 from ipaserver.install import replication
 from ipaserver.install import dns as dns_installer
 from ipaserver.install import service, installutils
+from ipaserver.install import kra
 from ipapython import version
 from ipapython import certmonger
 from ipapython import ipaldap
@@ -577,11 +577,7 @@ def uninstall():
         if cads_instance.is_configured():
             cads_instance.uninstall()
 
-    kra_instance = krainstance.KRAInstance(
-        api.env.realm, dogtag_constants=dogtag_constants)
-    kra_instance.stop_tracking_certificates()
-    if kra_instance.is_installed():
-        kra_instance.uninstall()
+    kra.uninstall()
 
     ca_instance = cainstance.CAInstance(
         api.env.realm, certs.NSS_DIR, dogtag_constants=dogtag_constants)
@@ -1036,6 +1032,14 @@ def main():
     else:
         admin_password = options.admin_password
 
+    if setup_kra:
+        try:
+            kra.install_check(None, options, False,
+                              dogtag.install_constants.DOGTAG_VERSION)
+        except RuntimeError as e:
+            print str(e)
+            exit(1)
+
     if options.setup_dns:
         dns_installer.install_check(False, False, options, host_name)
         ip_addresses = dns_installer.ip_addresses
@@ -1290,18 +1294,7 @@ def main():
     http.restart()
 
     if setup_kra:
-        kra = krainstance.KRAInstance(realm_name,
-            dogtag_constants=dogtag.install_constants)
-        kra.configure_instance(host_name, domain_name, dm_password,
-                               dm_password, subject_base=options.subject)
-
-        # This is done within stopped_service context, which restarts KRA
-        service.print_msg("Restarting the directory server")
-        ds.restart()
-
-        service.print_msg("Enabling KRA to authenticate with the database "
-                          "using client certificates")
-        kra.enable_client_auth_to_db(kra.dogtag_constants.KRA_CS_CFG_PATH)
+        kra.install(None, options, dm_password)
 
     # Set the admin user kerberos password
     ds.change_admin_password(admin_password)

ipaserver/install/ipa_kra_install.py

@@ -18,22 +18,16 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #
 
-from ConfigParser import RawConfigParser
 from textwrap import dedent
 from ipalib import api
 from ipaplatform import services
 from ipaplatform.paths import paths
 from ipapython import admintool
-from ipapython import dogtag
 from ipapython import ipautil
-from ipaserver.install import cainstance
-from ipaserver.install import dogtaginstance
-from ipaserver.install import krainstance
-from ipaserver.install import dsinstance
 from ipaserver.install import installutils
-from ipaserver.install import service
-from ipaserver.install.installutils import (
-    read_replica_info_kra_enabled, create_replica_config)
+from ipaserver.install.installutils import create_replica_config
+from ipaserver.install import dogtaginstance
+from ipaserver.install import kra
 
 
 class KRAInstall(admintool.AdminTool):
@@ -101,21 +95,7 @@ class KRAUninstaller(KRAInstall):
 
     def run(self):
         super(KRAUninstaller, self).run()
-        dogtag_constants = dogtag.configured_constants()
-
-        kra_instance = krainstance.KRAInstance(
-            api.env.realm, dogtag_constants=dogtag_constants)
-        kra_instance.stop_tracking_certificates()
-        if kra_instance.is_installed():
-            kra_instance.uninstall()
-
-        # Update config file
-        parser = RawConfigParser()
-        parser.read(paths.IPA_DEFAULT_CONF)
-        parser.set('global', 'enable_kra', 'False')
-
-        with open(paths.IPA_DEFAULT_CONF, 'w') as f:
-            parser.write(f)
+        kra.uninstall()
 
 
 class KRAInstaller(KRAInstall):
@@ -141,26 +121,8 @@ class KRAInstaller(KRAInstall):
                 " in unattended mode"
             )
 
-        dogtag_version = int(api.env.dogtag_version)
-        enable_kra = api.env.enable_kra
-
-        if enable_kra:
-            self.option_parser.error("KRA is already installed.")
-
-        ca_installed = cainstance.is_ca_installed_locally()
-
-        if ca_installed:
-            if dogtag_version >= 10:
-                # correct dogtag version of CA installed
-                pass
-            else:
-                self.option_parser.error(
-                    "Dogtag must be version 10.2 or above to install KRA")
-        else:
-            self.option_parser.error(
-                "Dogtag CA is not installed.  Please install the CA first")
-
         self.installing_replica = dogtaginstance.is_installing_replica("KRA")
+
         if self.installing_replica:
             if not self.args:
                 self.option_parser.error("A replica file is required.")
@@ -191,46 +153,27 @@ class KRAInstaller(KRAInstall):
         super(KRAInstaller, self).run()
         print dedent(self.INSTALLER_START_MESSAGE)
 
-        subject = dsinstance.DsInstance().find_subject_base()
         if not self.installing_replica:
-            kra = krainstance.KRAInstance(
-                api.env.realm,
-                dogtag_constants=dogtag.install_constants)
-
-            kra.configure_instance(
-                api.env.host, api.env.domain, self.options.password,
-                self.options.password, subject_base=subject)
+            replica_config = None
         else:
             replica_config = create_replica_config(
                 self.options.password,
                 self.replica_file,
                 self.options)
 
-            if not read_replica_info_kra_enabled(replica_config.dir):
-                raise admintool.ScriptError(
-                    "Either KRA is not installed on the master system or "
-                    "your replica file is out of date"
-                )
+        self.options.setup_ca = False
 
-            kra = krainstance.install_replica_kra(replica_config)
-            service.print_msg("Restarting the directory server")
+        try:
+            kra.install_check(replica_config, self.options, api.env.enable_kra,
+                              int(api.env.dogtag_version))
+        except RuntimeError as e:
+            raise admintool.ScriptError(str(e))
 
-            ds = dsinstance.DsInstance()
-            ds.restart()
-
-        kra.enable_client_auth_to_db(kra.dogtag_constants.KRA_CS_CFG_PATH)
+        kra.install(replica_config, self.options, self.options.password)
 
         # Restart apache for new proxy config file
         services.knownservices.httpd.restart(capture_output=True)
 
-        # Update config file
-        parser = RawConfigParser()
-        parser.read(paths.IPA_DEFAULT_CONF)
-        parser.set('global', 'enable_kra', 'True')
-
-        with open(paths.IPA_DEFAULT_CONF, 'w') as f:
-            parser.write(f)
-
     def run(self):
         try:
             self._run()

ipaserver/install/kra.py

@@ -0,0 +1,85 @@
+#
+# Copyright (C) 2015  FreeIPA Contributors see COPYING for license
+#
+
+import os
+from ConfigParser import RawConfigParser
+from ipalib import api
+from ipaplatform.paths import paths
+from ipapython import dogtag
+from ipaserver.install import cainstance
+from ipaserver.install import krainstance
+from ipaserver.install import dsinstance
+from ipaserver.install import service
+from ipaserver.install.installutils import read_replica_info_kra_enabled
+
+
+def install_check(replica_config, options, enable_kra, dogtag_version):
+    if enable_kra:
+        raise RuntimeError("KRA is already installed.")
+
+    if not options.setup_ca:
+        if cainstance.is_ca_installed_locally():
+            if dogtag_version >= 10:
+                # correct dogtag version of CA installed
+                pass
+            else:
+                raise RuntimeError(
+                    "Dogtag must be version 10.2 or above to install KRA")
+        else:
+            raise RuntimeError(
+                "Dogtag CA is not installed.  Please install the CA first")
+
+    if replica_config is not None:
+        if not read_replica_info_kra_enabled(replica_config.dir):
+            raise RuntimeError(
+                "Either KRA is not installed on the master system or "
+                "your replica file is out of date"
+            )
+
+
+def install(replica_config, options, dm_password):
+    subject = dsinstance.DsInstance().find_subject_base()
+    if replica_config is None:
+        kra = krainstance.KRAInstance(
+            api.env.realm,
+            dogtag_constants=dogtag.install_constants)
+
+        kra.configure_instance(
+            api.env.host, api.env.domain, dm_password,
+            dm_password, subject_base=subject)
+    else:
+        kra = krainstance.install_replica_kra(replica_config)
+
+    service.print_msg("Restarting the directory server")
+    ds = dsinstance.DsInstance()
+    ds.restart()
+
+    kra.enable_client_auth_to_db(kra.dogtag_constants.KRA_CS_CFG_PATH)
+
+    # Update config file
+    parser = RawConfigParser()
+    parser.read(paths.IPA_DEFAULT_CONF)
+    parser.set('global', 'enable_kra', 'True')
+
+    with open(paths.IPA_DEFAULT_CONF, 'w') as f:
+        parser.write(f)
+
+
+def uninstall():
+    dogtag_constants = dogtag.configured_constants()
+
+    kra_instance = krainstance.KRAInstance(
+        api.env.realm, dogtag_constants=dogtag_constants)
+    kra_instance.stop_tracking_certificates()
+    if kra_instance.is_installed():
+        kra_instance.uninstall()
+
+    # Check if config file exists, then update it
+    if os.path.exists(paths.IPA_DEFAULT_CONF):
+        parser = RawConfigParser()
+        parser.read(paths.IPA_DEFAULT_CONF)
+        parser.set('global', 'enable_kra', 'False')
+
+        with open(paths.IPA_DEFAULT_CONF, 'w') as f:
+            parser.write(f)