installer: rename --subject to --subject-base

The --subject option is actually used to provide the "subject base".
We are also going to add an option for fully specifying the IPA CA
subject DN in a subsequent commit.  So to avoid confusion, rename
--subject to --subject-base, retaining --subject as a deprecated
alias.

Part of: https://fedorahosted.org/freeipa/ticket/2614

Reviewed-By: Jan Cholasta <jcholast@redhat.com>

install/tools/ipa-ca-install

@@ -172,7 +172,7 @@ def install_replica(safe_options, options, filename):
     options.domain_name = config.domain_name
     options.dm_password = config.dirman_password
     options.host_name = config.host_name
-    options.subject = config.subject_base
+    options.subject_base = config.subject_base
     if os.path.exists(cafile):
         options.ca_cert_file = cafile
     else:
@@ -201,7 +201,7 @@ def install_master(safe_options, options):
     options.domain_name = api.env.domain
     options.dm_password = dm_password
     options.host_name = api.env.host
-    options.subject = subject_base
+    options.subject_base = subject_base
 
     ca.install_check(True, None, options)
     ca.install(True, None, options)

install/tools/man/ipa-server-install.1

@@ -122,8 +122,8 @@ Name of the Kerberos KDC SSL certificate to install
 \fB\-\-ca\-cert\-file\fR=\fIFILE\fR
 File containing the CA certificate of the CA which issued the Directory Server, Apache Server and Kerberos KDC certificates. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times. Use this option if the CA certificate is not present in the certificate files.
 .TP
-\fB\-\-subject\fR=\fISUBJECT\fR
+\fB\-\-subject\-base\fR=\fISUBJECT\fR
-The certificate subject base (default O=REALM.NAME)
+The subject base for certificates issued by IPA (default O=REALM.NAME)
 .TP
 \fB\-\-ca\-signing\-algorithm\fR=\fIALGORITHM\fR
 Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SHA256withRSA, SHA512withRSA. Default value is SHA256withRSA. Use this option with --external-ca if the external CA does not support the default signing algorithm.

ipaserver/install/ca.py

@@ -66,7 +66,7 @@ def install_check(standalone, replica_config, options):
 
     realm_name = options.realm_name
     host_name = options.host_name
-    subject_base = options.subject
+    subject_base = options.subject_base
 
     if replica_config is not None:
         if standalone and api.env.ra_plugin == 'selfsign':
@@ -110,7 +110,7 @@ def install_check(standalone, replica_config, options):
 
         external_cert_file, external_ca_file = installutils.load_external_cert(
             options.external_cert_files,
-            DN(('CN', 'Certificate Authority'), options.subject)
+            DN(('CN', 'Certificate Authority'), options.subject_base)
         )
     elif options.external_ca:
         if cainstance.is_step_one_done():
@@ -164,7 +164,7 @@ def install_step_0(standalone, replica_config, options):
     host_name = options.host_name
 
     if replica_config is None:
-        subject_base = options.subject
+        subject_base = options.subject_base
 
         ca_signing_algorithm = options.ca_signing_algorithm
         if options.external_ca:
@@ -236,7 +236,7 @@ def install_step_1(standalone, replica_config, options):
 
     realm_name = options.realm_name
     host_name = options.host_name
-    subject_base = options.subject
+    subject_base = options.subject_base
 
     basedn = ipautil.realm_to_suffix(realm_name)
 
@@ -379,14 +379,15 @@ class CAInstallInterface(dogtag.DogtagInstallInterface,
         if any(not os.path.isabs(path) for path in value):
             raise ValueError("must use an absolute path")
 
-    subject = knob(
+    subject_base = knob(
         str, None,
         description="The certificate subject base (default O=<realm-name>)",
+        cli_deprecated_names=['--subject'],
     )
-    subject = master_install_only(subject)
+    subject_base = master_install_only(subject_base)
 
-    @subject.validator
+    @subject_base.validator
-    def subject(self, value):
+    def subject_base(self, value):
         v = unicode(value, 'utf-8')
         if any(ord(c) < 0x20 for c in v):
             raise ValueError("must not contain control characters")

ipaserver/install/server/install.py

@@ -464,8 +464,8 @@ def install_check(installer):
     else:
         realm_name = options.realm_name.upper()
 
-    if not options.subject:
+    if not options.subject_base:
-        options.subject = DN(('O', realm_name))
+        options.subject_base = DN(('O', realm_name))
 
     if options.http_cert_files:
         if options.http_pin is None:
@@ -725,7 +725,7 @@ def install(installer):
             ds.create_instance(realm_name, host_name, domain_name,
                                dm_password, dirsrv_pkcs12_info,
                                idstart=options.idstart, idmax=options.idmax,
-                               subject_base=options.subject,
+                               subject_base=options.subject_base,
                                hbac_allow=not options.no_hbac_allow)
         else:
             ds = dsinstance.DsInstance(fstore=fstore,
@@ -735,7 +735,7 @@ def install(installer):
             ds.create_instance(realm_name, host_name, domain_name,
                                dm_password,
                                idstart=options.idstart, idmax=options.idmax,
-                               subject_base=options.subject,
+                               subject_base=options.subject_base,
                                hbac_allow=not options.no_hbac_allow)
 
         ntpinstance.ntp_ldap_enable(host_name, ds.suffix, realm_name)
@@ -747,7 +747,7 @@ def install(installer):
         installer._ds = ds
         ds.init_info(
             realm_name, host_name, domain_name, dm_password,
-            options.subject, 1101, 1100, None)
+            options.subject_base, 1101, 1100, None)
 
     if setup_ca:
         if not options.external_cert_files and options.external_ca:
@@ -781,7 +781,7 @@ def install(installer):
                         dm_password, master_password,
                         setup_pkinit=not options.no_pkinit,
                         pkcs12_info=pkinit_pkcs12_info,
-                        subject_base=options.subject)
+                        subject_base=options.subject_base)
 
     # restart DS to enable ipa-pwd-extop plugin
     print("Restarting directory server to enable password extension plugin")
@@ -811,13 +811,13 @@ def install(installer):
     if options.http_cert_files:
         http.create_instance(
             realm_name, host_name, domain_name,
-            pkcs12_info=http_pkcs12_info, subject_base=options.subject,
+            pkcs12_info=http_pkcs12_info, subject_base=options.subject_base,
             auto_redirect=not options.no_ui_redirect,
             ca_is_configured=setup_ca)
     else:
         http.create_instance(
             realm_name, host_name, domain_name,
-            subject_base=options.subject,
+            subject_base=options.subject_base,
             auto_redirect=not options.no_ui_redirect,
             ca_is_configured=setup_ca)
     tasks.restore_context(paths.CACHE_IPA_SESSIONS)

ipaserver/install/server/replicainstall.py

@@ -796,7 +796,7 @@ def install_check(installer):
         if ca_enabled:
             options.realm_name = config.realm_name
             options.host_name = config.host_name
-            options.subject = config.subject_base
+            options.subject_base = config.subject_base
             ca.install_check(False, config, options)
 
         if kra_enabled:
@@ -1203,7 +1203,7 @@ def promote_check(installer):
         if ca_enabled:
             options.realm_name = config.realm_name
             options.host_name = config.host_name
-            options.subject = config.subject_base
+            options.subject_base = config.subject_base
             ca.install_check(False, config, options)
 
         if kra_enabled: