install: drop support for Dogtag 9
Dogtag 9 CA and CA DS install and uninstall code was removed. Existing Dogtag 9 CA and CA DS instances are disabled on upgrade. Creating a replica of a Dogtag 9 IPA master is still supported. https://fedorahosted.org/freeipa/ticket/5197 Reviewed-By: David Kupka <dkupka@redhat.com>
@@ -32,7 +32,6 @@ import shlex
|
||||
import subprocess
|
||||
import tempfile
|
||||
from ipapython import ipautil
|
||||
from ipapython import dogtag
|
||||
from ipapython.ipa_log_manager import *
|
||||
from ipaplatform.paths import paths
|
||||
from ipaplatform import services
|
||||
@@ -444,15 +443,13 @@ def remove_principal_from_cas():
|
||||
ca.prop_if.Set(DBUS_CM_CA_IF, 'external-helper', ext_helper)
|
||||
|
||||
|
||||
def get_pin(token, dogtag_constants=None):
|
||||
def get_pin(token):
|
||||
"""
|
||||
Dogtag stores its NSS pin in a file formatted as token:PIN.
|
||||
|
||||
The caller is expected to handle any exceptions raised.
|
||||
"""
|
||||
if dogtag_constants is None:
|
||||
dogtag_constants = dogtag.configured_constants()
|
||||
with open(dogtag_constants.PASSWORD_CONF_PATH, 'r') as f:
|
||||
with open(paths.PKI_TOMCAT_PASSWORD_CONF, 'r') as f:
|
||||
for line in f:
|
||||
(tok, pin) = line.split('=', 1)
|
||||
if token == tok:
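Review bot: The docstring kept as context above the new `open(paths.PKI_TOMCAT_PASSWORD_CONF, 'r')` line still describes the file as `token:PIN`, while the parser on the following lines splits on `=`; now that the path is fixed rather than taken from a constants object, the docstring is the only place that tells a reader which file is read and how it is formatted. Suggest replacing the first docstring line with `Read the NSS token PIN from paths.PKI_TOMCAT_PASSWORD_CONF, whose lines are formatted as token=PIN.` Dropping the `dogtag_constants` keyword also means any remaining caller that still passes it fails with TypeError at call time; no callers are visible on this page, so that is worth confirming. get_pin's body continues outside the hunk.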
|
||||
|
||||
@@ -18,19 +18,16 @@
|
||||
#
|
||||
|
||||
import collections
|
||||
import os
|
||||
import xml.dom.minidom
|
||||
|
||||
import nss.nss as nss
|
||||
import six
|
||||
from six.moves import configparser
|
||||
from six.moves.urllib.parse import urlencode
|
||||
|
||||
from ipalib import api, errors
|
||||
from ipalib.errors import NetworkError
|
||||
from ipalib.text import _
|
||||
from ipapython import nsslib, ipautil
|
||||
from ipaplatform.paths import paths
|
||||
from ipapython.ipa_log_manager import *
|
||||
|
||||
# Python 3 rename. The package is available in "six.moves.http_client", but
|
||||
@@ -43,16 +40,6 @@ except ImportError:
|
||||
if six.PY3:
|
||||
unicode = str
|
||||
|
||||
# IPA can use either Dogtag version 9 or 10.
|
||||
#
|
||||
# Install tools should use the constants from install_constants, so that they
|
||||
# install with version 10 if it is available, and with 9 if not.
|
||||
# After IPA installation, the Dogtag version used is stored in the
|
||||
# "dogtag_version" config option. (If that is missing, version 9 is assumed.)
|
||||
# The configured_constants() function below provides constants relevant to
|
||||
# the configured version.
|
||||
|
||||
|
||||
Profile = collections.namedtuple('Profile', ['profile_id', 'description', 'store_issued'])
|
||||
|
||||
INCLUDED_PROFILES = {
|
||||
@@ -62,113 +49,6 @@ INCLUDED_PROFILES = {
|
||||
|
||||
DEFAULT_PROFILE = u'caIPAserviceCert'
|
||||
|
||||
class Dogtag10Constants(object):
|
||||
DOGTAG_VERSION = 10
|
||||
UNSECURE_PORT = 8080
|
||||
AGENT_SECURE_PORT = 8443
|
||||
EE_SECURE_PORT = 8443
|
||||
AJP_PORT = 8009
|
||||
DS_PORT = 389
|
||||
DS_SECURE_PORT = 636
|
||||
|
||||
SPAWN_BINARY = paths.PKISPAWN
|
||||
DESTROY_BINARY = paths.PKIDESTROY
|
||||
|
||||
SERVER_ROOT = paths.VAR_LIB_PKI_DIR
|
||||
PKI_INSTALL_LOG = paths.PKI_CA_INSTALL_LOG
|
||||
PKI_INSTANCE_NAME = 'pki-tomcat'
|
||||
PKI_LOG_TOP_LEVEL = os.path.join(paths.VAR_LOG_PKI_DIR, PKI_INSTANCE_NAME)
|
||||
PKI_ROOT = '%s/%s' % (SERVER_ROOT, PKI_INSTANCE_NAME)
|
||||
CRL_PUBLISH_PATH = paths.PKI_CA_PUBLISH_DIR
|
||||
CS_CFG_PATH = '%s/conf/ca/CS.cfg' % PKI_ROOT
|
||||
PASSWORD_CONF_PATH = '%s/conf/password.conf' % PKI_ROOT
|
||||
SERVICE_PROFILE_DIR = '%s/ca/profiles/ca' % PKI_ROOT
|
||||
ALIAS_DIR = paths.PKI_TOMCAT_ALIAS_DIR.rstrip('/')
|
||||
SYSCONFIG_FILE_PATH = '%s/%s' % (paths.ETC_SYSCONFIG_DIR, PKI_INSTANCE_NAME)
|
||||
KRA_CS_CFG_PATH = '%s/conf/kra/CS.cfg' % PKI_ROOT
|
||||
|
||||
SERVICE_NAME = 'pki_tomcatd'
|
||||
|
||||
RACERT_LINE_SEP = '\n'
|
||||
|
||||
SIGN_PROFILE = '%s/caJarSigningCert.cfg' % SERVICE_PROFILE_DIR
|
||||
SHARED_DB = True
|
||||
DS_USER = "dirsrv"
|
||||
DS_NAME = "dirsrv"
|
||||
|
||||
|
||||
class Dogtag9Constants(object):
|
||||
DOGTAG_VERSION = 9
|
||||
UNSECURE_PORT = 9180
|
||||
AGENT_SECURE_PORT = 9443
|
||||
EE_SECURE_PORT = 9444
|
||||
AJP_PORT = 9447
|
||||
DS_PORT = 7389
|
||||
DS_SECURE_PORT = 7636
|
||||
|
||||
SPAWN_BINARY = paths.PKICREATE
|
||||
DESTROY_BINARY = paths.PKISILENT
|
||||
|
||||
SERVER_ROOT = paths.VAR_LIB
|
||||
PKI_INSTALL_LOG = paths.PKI_CA_INSTALL_LOG
|
||||
PKI_INSTANCE_NAME = 'pki-ca'
|
||||
PKI_LOG_TOP_LEVEL = paths.PKI_CA_LOG_DIR
|
||||
PKI_ROOT = '%s/%s' % (SERVER_ROOT, PKI_INSTANCE_NAME)
|
||||
CRL_PUBLISH_PATH = paths.PKI_CA_PUBLISH_DIR
|
||||
CS_CFG_PATH = '%s/conf/CS.cfg' % PKI_ROOT
|
||||
PASSWORD_CONF_PATH = '%s/conf/password.conf' % PKI_ROOT
|
||||
SERVICE_PROFILE_DIR = '%s/profiles/ca' % PKI_ROOT
|
||||
ALIAS_DIR = '%s/alias' % PKI_ROOT
|
||||
SYSCONFIG_FILE_PATH = '%s/%s' % (paths.ETC_SYSCONFIG_DIR, PKI_INSTANCE_NAME)
|
||||
|
||||
SERVICE_NAME = 'pki-cad'
|
||||
|
||||
RACERT_LINE_SEP = '\r\n'
|
||||
|
||||
ADMIN_SECURE_PORT = 9445
|
||||
EE_CLIENT_AUTH_PORT = 9446
|
||||
TOMCAT_SERVER_PORT = 9701
|
||||
|
||||
SIGN_PROFILE = '%s/caJarSigningCert.cfg' % SERVICE_PROFILE_DIR
|
||||
SHARED_DB = False
|
||||
DS_USER = "pkisrv"
|
||||
DS_NAME = "PKI-IPA"
|
||||
|
||||
if os.path.exists(paths.PKISPAWN):
|
||||
install_constants = Dogtag10Constants
|
||||
else:
|
||||
install_constants = Dogtag9Constants
|
||||
|
||||
|
||||
def _get_configured_version(api):
|
||||
"""Get the version of Dogtag IPA is configured to use
|
||||
|
||||
If an API is given, use information in its environment.
|
||||
Otherwise, use information from the global config file.
|
||||
"""
|
||||
if api:
|
||||
return int(api.env.dogtag_version)
|
||||
else:
|
||||
p = configparser.SafeConfigParser()
|
||||
p.read(paths.IPA_DEFAULT_CONF)
|
||||
try:
|
||||
version = p.get('global', 'dogtag_version')
|
||||
except (configparser.NoOptionError, configparser.NoSectionError):
|
||||
return 9
|
||||
else:
|
||||
return int(version)
|
||||
|
||||
|
||||
def configured_constants(api=None):
|
||||
"""Get the name of the Dogtag CA instance
|
||||
|
||||
See get_configured_version
|
||||
"""
|
||||
if _get_configured_version(api) >= 10:
|
||||
return Dogtag10Constants
|
||||
else:
|
||||
return Dogtag9Constants
|
||||
|
||||
|
||||
def error_from_xml(doc, message_template):
|
||||
try:
|
||||
@@ -179,18 +59,16 @@ def error_from_xml(doc, message_template):
|
||||
return errors.RemoteRetrieveError(reason=message_template % e)
|
||||
|
||||
|
||||
def get_ca_certchain(ca_host=None, dogtag_constants=None):
|
||||
def get_ca_certchain(ca_host=None):
|
||||
"""
|
||||
Retrieve the CA Certificate chain from the configured Dogtag server.
|
||||
"""
|
||||
if ca_host is None:
|
||||
ca_host = api.env.ca_host
|
||||
if dogtag_constants is None:
|
||||
dogtag_constants = configured_constants()
|
||||
chain = None
|
||||
conn = httplib.HTTPConnection(
|
||||
ca_host,
|
||||
api.env.ca_install_port or dogtag_constants.UNSECURE_PORT)
|
||||
api.env.ca_install_port or 8080)
|
||||
conn.request("GET", "/ca/ee/ca/getCertChain")
|
||||
res = conn.getresponse()
|
||||
doc = None
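Review bot: The new `api.env.ca_install_port or 8080` line replaces a named constant with a bare literal, so the Dogtag 10 unsecure port now lives as a magic number at the call site; the get_pin hunk in the other file moved its value into `paths`, and the port deserves the same treatment, e.g. a module-level `PKI_TOMCAT_UNSECURE_PORT = 8080` (constructed name) referenced from this line. Within the visible lines the chain is still fetched over a plain `httplib.HTTPConnection` and nothing here authenticates the response, so presumably the caller validates the returned chain; a one-line comment saying where that validation happens would save the next reader the question. get_ca_certchain's body continues past `doc = None`, outside the hunk.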
|
||||
|
||||