replica install: merge KRA agent cert export into KRA install

Merge all KRA agent cert export code paths into a single code path in KRA
install.

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Jan Cholasta 2016-10-26 15:28:53 +02:00
parent 822e1bc82a
commit 89bb5ed1eb
5 changed files with 65 additions and 54 deletions


@ -66,10 +66,7 @@ from ipaserver.install import installutils
from ipaserver.install import ldapupdate from ipaserver.install import ldapupdate
from ipaserver.install import replication from ipaserver.install import replication
from ipaserver.install import sysupgrade from ipaserver.install import sysupgrade
# pylint: disable=unused-import from ipaserver.install.dogtaginstance import DogtagInstance
from ipaserver.install.dogtaginstance import (export_kra_agent_pem,
DogtagInstance)
# pylint: enable=unused-import
from ipaserver.plugins import ldap2 from ipaserver.plugins import ldap2
# We need to reset the template because the CA uses the regular boot # We need to reset the template because the CA uses the regular boot


@ -203,6 +203,8 @@ class KRAInstaller(KRAInstall):
self.options) self.options)
config.kra_host_name = config.master_host_name config.kra_host_name = config.master_host_name
config.setup_kra = True
if config.subject_base is None: if config.subject_base is None:
attrs = api.Backend.ldap2.get_ipa_config() attrs = api.Backend.ldap2.get_ipa_config()
config.subject_base = attrs.get('ipacertificatesubjectbase')[0] config.subject_base = attrs.get('ipacertificatesubjectbase')[0]


@ -19,6 +19,9 @@ from ipaserver.install import service
def install_check(api, replica_config, options): def install_check(api, replica_config, options):
if replica_config is not None and not replica_config.setup_kra:
return
kra = krainstance.KRAInstance(api.env.realm) kra = krainstance.KRAInstance(api.env.realm)
if kra.is_installed(): if kra.is_installed():
raise RuntimeError("KRA is already installed.") raise RuntimeError("KRA is already installed.")
@ -68,6 +71,7 @@ def install(api, replica_config, options):
pkcs12_info = None pkcs12_info = None
master_host = None master_host = None
ra_only = False
promote = False promote = False
else: else:
krafile = os.path.join(replica_config.dir, 'kracert.p12') krafile = os.path.join(replica_config.dir, 'kracert.p12')
@ -94,6 +98,7 @@ def install(api, replica_config, options):
pkcs12_info = (krafile,) pkcs12_info = (krafile,)
master_host = replica_config.kra_host_name master_host = replica_config.kra_host_name
ra_only = not replica_config.setup_kra
promote = options.promote promote = options.promote
kra = krainstance.KRAInstance(realm_name) kra = krainstance.KRAInstance(realm_name)
@ -101,12 +106,14 @@ def install(api, replica_config, options):
subject_base=subject_base, subject_base=subject_base,
pkcs12_info=pkcs12_info, pkcs12_info=pkcs12_info,
master_host=master_host, master_host=master_host,
ra_only=ra_only,
promote=promote) promote=promote)
service.print_msg("Restarting the directory server") service.print_msg("Restarting the directory server")
ds = dsinstance.DsInstance() ds = dsinstance.DsInstance()
ds.restart() ds.restart()
if not ra_only:
kra.enable_client_auth_to_db(paths.KRA_CS_CFG_PATH) kra.enable_client_auth_to_db(paths.KRA_CS_CFG_PATH)
# Restart apache for new proxy config file # Restart apache for new proxy config file
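Review bot: The early return added at the top of install_check (`if replica_config is not None and not replica_config.setup_kra: return`) skips every preflight check in that function for the RA-only replica case, not only the `kra.is_installed()` test visible in the hunk; install_check's body continues past the hunk, so I cannot see what else it validates, but `install` later reads `krafile = os.path.join(replica_config.dir, 'kracert.p12')` and hands it over as `pkcs12_info`, and a missing or stale file there would now fail mid-install, after the directory server has already been touched, instead of before anything changes. If the remainder of install_check checks that file or the presence of a CA, consider keeping those checks on the RA-only path and bypassing only the already-installed test, e.g. `if replica_config is None or replica_config.setup_kra:` around the `is_installed()` block. A short comment on the new branch would also help, e.g. `# RA-only replica: no KRA instance is created here, only the agent cert is imported/exported.`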


@ -79,7 +79,7 @@ class KRAInstance(DogtagInstance):
def configure_instance(self, realm_name, host_name, dm_password, def configure_instance(self, realm_name, host_name, dm_password,
admin_password, pkcs12_info=None, master_host=None, admin_password, pkcs12_info=None, master_host=None,
subject_base=None, promote=False): subject_base=None, ra_only=False, promote=False):
"""Create a KRA instance. """Create a KRA instance.
To create a clone, pass in pkcs12_info. To create a clone, pass in pkcs12_info.
@ -99,6 +99,7 @@ class KRAInstance(DogtagInstance):
self.realm = realm_name self.realm = realm_name
self.suffix = ipautil.realm_to_suffix(realm_name) self.suffix = ipautil.realm_to_suffix(realm_name)
if not ra_only:
# Confirm that a KRA does not already exist # Confirm that a KRA does not already exist
if self.is_installed(): if self.is_installed():
raise RuntimeError( raise RuntimeError(
@ -116,6 +117,8 @@ class KRAInstance(DogtagInstance):
if not self.clone: if not self.clone:
self.step("create KRA agent", self.step("create KRA agent",
self.__create_kra_agent) self.__create_kra_agent)
self.step("exporting KRA agent cert", export_kra_agent_pem)
if not ra_only:
if promote: if promote:
self.step("destroying installation admin user", self.teardown_admin) self.step("destroying installation admin user", self.teardown_admin)
self.step("restarting KRA", self.restart_instance) self.step("restarting KRA", self.restart_instance)
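Review bot: `ra_only` was inserted before `promote` in configure_instance's signature, so any caller that passes `promote` positionally now sets `ra_only` instead; the visible caller in kra.py uses keyword arguments, but appending the new parameter last (`subject_base=None, promote=False, ra_only=False`) avoids that silent swap. The docstring still only says "To create a clone, pass in pkcs12_info." and does not mention the new flag; add a line such as `ra_only -- only import and export the KRA agent certificate; skip the existing-KRA check, admin teardown and restart (and presumably the instance spawn steps outside this hunk -- confirm)`. The body of configure_instance continues outside the hunks shown, so I cannot confirm which other steps the flag gates.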


@ -36,7 +36,7 @@ from ipalib.util import (
import ipaclient.ipachangeconf import ipaclient.ipachangeconf
import ipaclient.ntpconf import ipaclient.ntpconf
from ipaserver.install import ( from ipaserver.install import (
bindinstance, ca, cainstance, certs, dns, dsinstance, httpinstance, bindinstance, ca, certs, dns, dsinstance, httpinstance,
installutils, kra, krbinstance, memcacheinstance, installutils, kra, krbinstance, memcacheinstance,
ntpinstance, otpdinstance, custodiainstance, service) ntpinstance, otpdinstance, custodiainstance, service)
from ipaserver.install.installutils import ( from ipaserver.install.installutils import (
@ -713,13 +713,15 @@ def install_check(installer):
root_logger.debug('No IPA DNS servers, ' root_logger.debug('No IPA DNS servers, '
'skipping forward/reverse resolution check') 'skipping forward/reverse resolution check')
kra_enabled = remote_api.Command.kra_is_enabled()['result']
if ca_enabled: if ca_enabled:
options.realm_name = config.realm_name options.realm_name = config.realm_name
options.host_name = config.host_name options.host_name = config.host_name
options.subject = config.subject_base options.subject = config.subject_base
ca.install_check(False, config, options) ca.install_check(False, config, options)
if config.setup_kra: if kra_enabled:
try: try:
kra.install_check(remote_api, config, options) kra.install_check(remote_api, config, options)
except RuntimeError as e: except RuntimeError as e:
@ -763,6 +765,7 @@ def install_check(installer):
ca_cert_file=cafile) ca_cert_file=cafile)
installer._ca_enabled = ca_enabled installer._ca_enabled = ca_enabled
installer._kra_enabled = kra_enabled
installer._remote_api = remote_api installer._remote_api = remote_api
installer._fstore = fstore installer._fstore = fstore
installer._sstore = sstore installer._sstore = sstore
@ -773,6 +776,7 @@ def install_check(installer):
def install(installer): def install(installer):
options = installer options = installer
ca_enabled = installer._ca_enabled ca_enabled = installer._ca_enabled
kra_enabled = installer._kra_enabled
fstore = installer._fstore fstore = installer._fstore
sstore = installer._sstore sstore = installer._sstore
config = installer._config config = installer._config
@ -835,9 +839,6 @@ def install(installer):
otpd.create_instance('OTPD', config.host_name, otpd.create_instance('OTPD', config.host_name,
ipautil.realm_to_suffix(config.realm_name)) ipautil.realm_to_suffix(config.realm_name))
if ca_enabled:
cainstance.export_kra_agent_pem()
custodia = custodiainstance.CustodiaInstance(config.host_name, custodia = custodiainstance.CustodiaInstance(config.host_name,
config.realm_name) config.realm_name)
custodia.create_instance() custodia.create_instance()
@ -850,11 +851,8 @@ def install(installer):
service.print_msg("Applying LDAP updates") service.print_msg("Applying LDAP updates")
ds.apply_updates() ds.apply_updates()
if options.setup_kra: if kra_enabled:
kra.install(api, config, options) kra.install(api, config, options)
else:
service.print_msg("Restarting the directory server")
ds.restart()
service.print_msg("Restarting the KDC") service.print_msg("Restarting the KDC")
krb.restart() krb.restart()
@ -1276,12 +1274,17 @@ def promote_check(installer):
"custom certificates.") "custom certificates.")
raise ScriptError(rval=3) raise ScriptError(rval=3)
config.kra_host_name = service.find_providing_server( kra_host = service.find_providing_server(
'KRA', conn, config.kra_host_name) 'KRA', conn, config.kra_host_name)
if options.setup_kra and config.kra_host_name is None: if kra_host is not None:
root_logger.error("There is no KRA server in the domain, can't " config.kra_host_name = kra_host
"setup a KRA clone") kra_enabled = True
else:
if options.setup_kra:
root_logger.error("There is no KRA server in the domain, "
"can't setup a KRA clone")
raise ScriptError(rval=3) raise ScriptError(rval=3)
kra_enabled = False
if ca_enabled: if ca_enabled:
options.realm_name = config.realm_name options.realm_name = config.realm_name
@ -1289,7 +1292,7 @@ def promote_check(installer):
options.subject = config.subject_base options.subject = config.subject_base
ca.install_check(False, config, options) ca.install_check(False, config, options)
if config.setup_kra: if kra_enabled:
try: try:
kra.install_check(remote_api, config, options) kra.install_check(remote_api, config, options)
except RuntimeError as e: except RuntimeError as e:
@ -1344,6 +1347,7 @@ def promote_check(installer):
raise RuntimeError("CA cert file is not available.") raise RuntimeError("CA cert file is not available.")
installer._ca_enabled = ca_enabled installer._ca_enabled = ca_enabled
installer._kra_enabled = kra_enabled
installer._fstore = fstore installer._fstore = fstore
installer._sstore = sstore installer._sstore = sstore
installer._config = config installer._config = config
@ -1361,6 +1365,7 @@ def promote_check(installer):
def promote(installer): def promote(installer):
options = installer options = installer
ca_enabled = installer._ca_enabled ca_enabled = installer._ca_enabled
kra_enabled = installer._kra_enabled
fstore = installer._fstore fstore = installer._fstore
sstore = installer._sstore sstore = installer._sstore
config = installer._config config = installer._config
@ -1471,9 +1476,6 @@ def promote(installer):
config.realm_name) config.realm_name)
custodia.create_replica(config.master_host_name) custodia.create_replica(config.master_host_name)
if installer._ca_enabled:
cainstance.export_kra_agent_pem()
install_krb( install_krb(
config, config,
setup_pkinit=not options.no_pkinit, setup_pkinit=not options.no_pkinit,
@ -1500,7 +1502,7 @@ def promote(installer):
options.dm_password = config.dirman_password options.dm_password = config.dirman_password
ca.install(False, config, options) ca.install(False, config, options)
if options.setup_kra: if kra_enabled:
kra.install(api, config, options) kra.install(api, config, options)
custodia.import_dm_password(config.master_host_name) custodia.import_dm_password(config.master_host_name)
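Review bot: In the install() hunk the removed `else:` branch (`service.print_msg("Restarting the directory server")` / `ds.restart()`) was the only directory-server restart after `ds.apply_updates()` on a replica without a KRA; the remaining restart lives inside kra.install, which now runs only when `kra_enabled` is true. The commit message covers only the agent cert export, so this looks unintended: if any of the applied LDAP updates need a restart to take effect, keep the restart unconditional, e.g. follow `if kra_enabled: kra.install(api, config, options)` with `else: ds.restart()`, or hoist the restart above the KRA branch. Separately, in promote_check `kra_enabled` is derived only from `find_providing_server('KRA', ...)` and is never tied to `ca_enabled`; a KRA implies a CA in the domain, so this holds in practice, but a one-line comment stating that assumption next to `kra_enabled = True` would save the next reader the same analysis.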