mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-24 16:10:02 -06:00
vault: Fix ipa-kra-install
Use state in LDAP rather than local state to check if KRA is installed. Use correct log file names. https://fedorahosted.org/freeipa/ticket/3872 Reviewed-By: David Kupka <dkupka@redhat.com>
This commit is contained in:
parent
cbcd86b500
commit
e7ac57e139
6
API.txt
6
API.txt
@ -2487,6 +2487,12 @@ option: Str('version?', exclude='webui')
|
||||
output: Output('commands', <type 'dict'>, None)
|
||||
output: Output('methods', <type 'dict'>, None)
|
||||
output: Output('objects', <type 'dict'>, None)
|
||||
command: kra_is_enabled
|
||||
args: 0,1,3
|
||||
option: Str('version?', exclude='webui')
|
||||
output: Output('result', <type 'bool'>, None)
|
||||
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
|
||||
output: PrimaryKey('value', None, None)
|
||||
command: krbtpolicy_mod
|
||||
args: 1,9,3
|
||||
arg: Str('uid', attribute=True, cli_name='user', multivalue=False, primary_key=True, query=True, required=False)
|
||||
|
4
VERSION
4
VERSION
@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
|
||||
# #
|
||||
########################################################
|
||||
IPA_API_VERSION_MAJOR=2
|
||||
IPA_API_VERSION_MINOR=126
|
||||
# Last change: edewata - added vault-archive and vault-retrieve
|
||||
IPA_API_VERSION_MINOR=127
|
||||
# Last change: jcholast - add kra_is_enabled
|
||||
|
@ -33,7 +33,7 @@ from ipalib import output
|
||||
from ipalib.crud import PKQuery, Retrieve, Update
|
||||
from ipalib.plugable import Registry
|
||||
from ipalib.plugins.baseldap import LDAPObject, LDAPCreate, LDAPDelete,\
|
||||
LDAPSearch, LDAPUpdate, LDAPRetrieve
|
||||
LDAPSearch, LDAPUpdate, LDAPRetrieve, pkey_to_value
|
||||
from ipalib.request import context
|
||||
from ipalib.plugins.user import split_principal
|
||||
from ipalib import _, ngettext
|
||||
@ -320,7 +320,7 @@ class vault_add(LDAPCreate):
|
||||
**options):
|
||||
assert isinstance(dn, DN)
|
||||
|
||||
if not self.api.env.enable_kra:
|
||||
if not self.api.Command.kra_is_enabled()['result']:
|
||||
raise errors.InvocationError(
|
||||
format=_('KRA service is not enabled'))
|
||||
|
||||
@ -344,7 +344,7 @@ class vault_del(LDAPDelete):
|
||||
def pre_callback(self, ldap, dn, *keys, **options):
|
||||
assert isinstance(dn, DN)
|
||||
|
||||
if not self.api.env.enable_kra:
|
||||
if not self.api.Command.kra_is_enabled()['result']:
|
||||
raise errors.InvocationError(
|
||||
format=_('KRA service is not enabled'))
|
||||
|
||||
@ -390,7 +390,7 @@ class vault_find(LDAPSearch):
|
||||
**options):
|
||||
assert isinstance(base_dn, DN)
|
||||
|
||||
if not self.api.env.enable_kra:
|
||||
if not self.api.Command.kra_is_enabled()['result']:
|
||||
raise errors.InvocationError(
|
||||
format=_('KRA service is not enabled'))
|
||||
|
||||
@ -422,7 +422,7 @@ class vault_mod(LDAPUpdate):
|
||||
|
||||
assert isinstance(dn, DN)
|
||||
|
||||
if not self.api.env.enable_kra:
|
||||
if not self.api.Command.kra_is_enabled()['result']:
|
||||
raise errors.InvocationError(
|
||||
format=_('KRA service is not enabled'))
|
||||
|
||||
@ -438,7 +438,7 @@ class vault_show(LDAPRetrieve):
|
||||
def pre_callback(self, ldap, dn, attrs_list, *keys, **options):
|
||||
assert isinstance(dn, DN)
|
||||
|
||||
if not self.api.env.enable_kra:
|
||||
if not self.api.Command.kra_is_enabled()['result']:
|
||||
raise errors.InvocationError(
|
||||
format=_('KRA service is not enabled'))
|
||||
|
||||
@ -486,7 +486,7 @@ class vaultconfig_show(Retrieve):
|
||||
|
||||
def execute(self, *args, **options):
|
||||
|
||||
if not self.api.env.enable_kra:
|
||||
if not self.api.Command.kra_is_enabled()['result']:
|
||||
raise errors.InvocationError(
|
||||
format=_('KRA service is not enabled'))
|
||||
|
||||
@ -624,7 +624,7 @@ class vault_archive_encrypted(Update):
|
||||
|
||||
def execute(self, *args, **options):
|
||||
|
||||
if not self.api.env.enable_kra:
|
||||
if not self.api.Command.kra_is_enabled()['result']:
|
||||
raise errors.InvocationError(
|
||||
format=_('KRA service is not enabled'))
|
||||
|
||||
@ -774,7 +774,7 @@ class vault_retrieve_encrypted(Retrieve):
|
||||
|
||||
def execute(self, *args, **options):
|
||||
|
||||
if not self.api.env.enable_kra:
|
||||
if not self.api.Command.kra_is_enabled()['result']:
|
||||
raise errors.InvocationError(
|
||||
format=_('KRA service is not enabled'))
|
||||
|
||||
@ -813,3 +813,23 @@ class vault_retrieve_encrypted(Retrieve):
|
||||
kra_account.logout()
|
||||
|
||||
return result
|
||||
|
||||
|
||||
@register()
|
||||
class kra_is_enabled(Command):
|
||||
NO_CLI = True
|
||||
|
||||
has_output = output.standard_value
|
||||
|
||||
def execute(self, *args, **options):
|
||||
base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
|
||||
self.api.env.basedn)
|
||||
filter = '(&(objectClass=ipaConfigObject)(cn=KRA))'
|
||||
try:
|
||||
self.api.Backend.ldap2.find_entries(
|
||||
base_dn=base_dn, filter=filter, attrs_list=[])
|
||||
except errors.NotFound:
|
||||
result = False
|
||||
else:
|
||||
result = True
|
||||
return dict(result=result, value=pkey_to_value(None, options))
|
||||
|
@ -309,6 +309,8 @@ class BasePathNamespace(object):
|
||||
IPARESTORE_LOG = "/var/log/iparestore.log"
|
||||
IPASERVER_CA_INSTALL_LOG = "/var/log/ipaserver-ca-install.log"
|
||||
IPASERVER_INSTALL_LOG = "/var/log/ipaserver-install.log"
|
||||
IPASERVER_KRA_INSTALL_LOG = "/var/log/ipaserver-kra-install.log"
|
||||
IPASERVER_KRA_UNINSTALL_LOG = "/var/log/ipaserver-kra-uninstall.log"
|
||||
IPASERVER_UNINSTALL_LOG = "/var/log/ipaserver-uninstall.log"
|
||||
IPAUPGRADE_LOG = "/var/log/ipaupgrade.log"
|
||||
KADMIND_LOG = "/var/log/kadmind.log"
|
||||
@ -316,8 +318,6 @@ class BasePathNamespace(object):
|
||||
PKI_CA_LOG_DIR = "/var/log/pki-ca"
|
||||
PKI_CA_INSTALL_LOG = "/var/log/pki-ca-install.log"
|
||||
PKI_CA_UNINSTALL_LOG = "/var/log/pki-ca-uninstall.log"
|
||||
PKI_KRA_INSTALL_LOG = "/var/log/pki-kra-install.log"
|
||||
PKI_KRA_UNINSTALL_LOG = "/var/log/pki-kra-uninstall.log"
|
||||
VAR_LOG_PKI_DIR = "/var/log/pki/"
|
||||
TOMCAT_TOPLEVEL_DIR = "/var/log/pki/pki-tomcat"
|
||||
TOMCAT_CA_DIR = "/var/log/pki/pki-tomcat/ca"
|
||||
|
@ -584,22 +584,6 @@ def read_replica_info_dogtag_port(config_dir):
|
||||
|
||||
return dogtag_master_ds_port
|
||||
|
||||
def read_replica_info_kra_enabled(config_dir):
|
||||
"""
|
||||
Check the replica info to determine if a KRA has been installed
|
||||
on the master
|
||||
"""
|
||||
default_file = config_dir + "/default.conf"
|
||||
if not ipautil.file_exists(default_file):
|
||||
return False
|
||||
else:
|
||||
with open(default_file) as fd:
|
||||
config = SafeConfigParser()
|
||||
config.readfp(fd)
|
||||
|
||||
enable_kra = config.getboolean("global", "enable_kra")
|
||||
return enable_kra
|
||||
|
||||
|
||||
def create_replica_config(dirman_password, filename, options):
|
||||
top_dir = None
|
||||
|
@ -23,7 +23,10 @@ from ipalib import api
|
||||
from ipaplatform import services
|
||||
from ipaplatform.paths import paths
|
||||
from ipapython import admintool
|
||||
from ipapython import dogtag
|
||||
from ipapython import ipautil
|
||||
from ipapython.dn import DN
|
||||
from ipaserver.install import krainstance
|
||||
from ipaserver.install import installutils
|
||||
from ipaserver.install.installutils import create_replica_config
|
||||
from ipaserver.install import dogtaginstance
|
||||
@ -80,7 +83,7 @@ class KRAInstall(admintool.AdminTool):
|
||||
|
||||
|
||||
class KRAUninstaller(KRAInstall):
|
||||
log_file_name = paths.PKI_KRA_UNINSTALL_LOG
|
||||
log_file_name = paths.IPASERVER_KRA_UNINSTALL_LOG
|
||||
|
||||
def validate_options(self, needs_root=True):
|
||||
super(KRAUninstaller, self).validate_options(needs_root=True)
|
||||
@ -88,18 +91,20 @@ class KRAUninstaller(KRAInstall):
|
||||
if self.args:
|
||||
self.option_parser.error("Too many parameters provided.")
|
||||
|
||||
if not api.env.enable_kra:
|
||||
dogtag_constants = dogtag.configured_constants(api)
|
||||
_kra = krainstance.KRAInstance(api, dogtag_constants=dogtag_constants)
|
||||
if not _kra.is_installed():
|
||||
self.option_parser.error(
|
||||
"Cannot uninstall. There is no KRA installed on this system."
|
||||
)
|
||||
|
||||
def run(self):
|
||||
super(KRAUninstaller, self).run()
|
||||
kra.uninstall()
|
||||
kra.uninstall(True)
|
||||
|
||||
|
||||
class KRAInstaller(KRAInstall):
|
||||
log_file_name = paths.PKI_KRA_INSTALL_LOG
|
||||
log_file_name = paths.IPASERVER_KRA_INSTALL_LOG
|
||||
|
||||
INSTALLER_START_MESSAGE = '''
|
||||
===================================================================
|
||||
@ -161,15 +166,18 @@ class KRAInstaller(KRAInstall):
|
||||
self.replica_file,
|
||||
self.options)
|
||||
|
||||
self.options.dm_password = self.options.password
|
||||
self.options.setup_ca = False
|
||||
|
||||
api.Backend.ldap2.connect(bind_dn=DN('cn=Directory Manager'),
|
||||
bind_pw=self.options.dm_password)
|
||||
|
||||
try:
|
||||
kra.install_check(replica_config, self.options, api.env.enable_kra,
|
||||
int(api.env.dogtag_version))
|
||||
kra.install_check(api, replica_config, self.options)
|
||||
except RuntimeError as e:
|
||||
raise admintool.ScriptError(str(e))
|
||||
|
||||
kra.install(replica_config, self.options, self.options.password)
|
||||
kra.install(api, replica_config, self.options)
|
||||
|
||||
# Restart apache for new proxy config file
|
||||
services.knownservices.httpd.restart(capture_output=True)
|
||||
|
@ -2,25 +2,25 @@
|
||||
# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
|
||||
#
|
||||
|
||||
import os
|
||||
from ConfigParser import RawConfigParser
|
||||
from ipalib import api
|
||||
from ipaplatform.paths import paths
|
||||
from ipalib import api, errors
|
||||
from ipapython import dogtag
|
||||
from ipapython.dn import DN
|
||||
from ipaserver.install import cainstance
|
||||
from ipaserver.install import krainstance
|
||||
from ipaserver.install import dsinstance
|
||||
from ipaserver.install import service
|
||||
from ipaserver.install.installutils import read_replica_info_kra_enabled
|
||||
|
||||
|
||||
def install_check(replica_config, options, enable_kra, dogtag_version):
|
||||
if enable_kra:
|
||||
def install_check(api, replica_config, options):
|
||||
dogtag_constants = dogtag.configured_constants(api=api)
|
||||
kra = krainstance.KRAInstance(api.env.realm,
|
||||
dogtag_constants=dogtag_constants)
|
||||
if kra.is_installed():
|
||||
raise RuntimeError("KRA is already installed.")
|
||||
|
||||
if not options.setup_ca:
|
||||
if cainstance.is_ca_installed_locally():
|
||||
if dogtag_version >= 10:
|
||||
if api.env.dogtag_version >= 10:
|
||||
# correct dogtag version of CA installed
|
||||
pass
|
||||
else:
|
||||
@ -31,14 +31,11 @@ def install_check(replica_config, options, enable_kra, dogtag_version):
|
||||
"Dogtag CA is not installed. Please install the CA first")
|
||||
|
||||
if replica_config is not None:
|
||||
if not read_replica_info_kra_enabled(replica_config.dir):
|
||||
raise RuntimeError(
|
||||
"Either KRA is not installed on the master system or "
|
||||
"your replica file is out of date"
|
||||
)
|
||||
if not api.Command.kra_is_enabled()['result']:
|
||||
raise RuntimeError("KRA is not installed on the master system")
|
||||
|
||||
|
||||
def install(replica_config, options, dm_password):
|
||||
def install(api, replica_config, options):
|
||||
subject = dsinstance.DsInstance().find_subject_base()
|
||||
if replica_config is None:
|
||||
kra = krainstance.KRAInstance(
|
||||
@ -55,31 +52,25 @@ def install(replica_config, options, dm_password):
|
||||
ds = dsinstance.DsInstance()
|
||||
ds.restart()
|
||||
|
||||
kra.ldap_enable('KRA', api.env.host, options.dm_password, api.env.basedn)
|
||||
|
||||
kra.enable_client_auth_to_db(kra.dogtag_constants.KRA_CS_CFG_PATH)
|
||||
|
||||
# Update config file
|
||||
parser = RawConfigParser()
|
||||
parser.read(paths.IPA_DEFAULT_CONF)
|
||||
parser.set('global', 'enable_kra', 'True')
|
||||
|
||||
with open(paths.IPA_DEFAULT_CONF, 'w') as f:
|
||||
parser.write(f)
|
||||
def uninstall(standalone):
|
||||
dogtag_constants = dogtag.configured_constants(api)
|
||||
kra = krainstance.KRAInstance(api.env.realm,
|
||||
dogtag_constants=dogtag_constants)
|
||||
|
||||
if standalone:
|
||||
kra.ldap_connect()
|
||||
try:
|
||||
kra.admin_conn.delete_entry(DN(('cn', 'KRA'), ('cn', api.env.host),
|
||||
('cn', 'masters'), ('cn', 'ipa'),
|
||||
('cn', 'etc'), api.env.basedn))
|
||||
except errors.NotFound:
|
||||
pass
|
||||
|
||||
def uninstall():
|
||||
dogtag_constants = dogtag.configured_constants(api=api)
|
||||
|
||||
kra_instance = krainstance.KRAInstance(
|
||||
api.env.realm, dogtag_constants=dogtag_constants)
|
||||
kra_instance.stop_tracking_certificates()
|
||||
if kra_instance.is_installed():
|
||||
kra_instance.uninstall()
|
||||
|
||||
# Check if config file exists, then update it
|
||||
if os.path.exists(paths.IPA_DEFAULT_CONF):
|
||||
parser = RawConfigParser()
|
||||
parser.read(paths.IPA_DEFAULT_CONF)
|
||||
parser.set('global', 'enable_kra', 'False')
|
||||
|
||||
with open(paths.IPA_DEFAULT_CONF, 'w') as f:
|
||||
parser.write(f)
|
||||
kra.stop_tracking_certificates()
|
||||
if kra.is_installed():
|
||||
kra.uninstall()
|
||||
|
@ -602,8 +602,7 @@ def install_check(installer):
|
||||
|
||||
if setup_kra:
|
||||
try:
|
||||
kra.install_check(None, options, False,
|
||||
dogtag.install_constants.DOGTAG_VERSION)
|
||||
kra.install_check(api, None, options)
|
||||
except RuntimeError as e:
|
||||
print str(e)
|
||||
sys.exit(1)
|
||||
@ -865,7 +864,7 @@ def install(installer):
|
||||
http.restart()
|
||||
|
||||
if setup_kra:
|
||||
kra.install(None, options, dm_password)
|
||||
kra.install(api, None, options)
|
||||
|
||||
# Set the admin user kerberos password
|
||||
ds.change_admin_password(admin_password)
|
||||
@ -1060,7 +1059,7 @@ def uninstall(installer):
|
||||
|
||||
ntpinstance.NTPInstance(fstore).uninstall()
|
||||
|
||||
kra.uninstall()
|
||||
kra.uninstall(False)
|
||||
|
||||
ca.uninstall(dogtag_constants)
|
||||
|
||||
|
@ -379,8 +379,6 @@ def install_check(installer):
|
||||
fd.write("enable_ra=False\n")
|
||||
fd.write("ra_plugin=none\n")
|
||||
|
||||
fd.write("enable_kra=%s\n" % config.setup_kra)
|
||||
|
||||
fd.write("mode=production\n")
|
||||
fd.close()
|
||||
finally:
|
||||
@ -480,6 +478,18 @@ def install_check(installer):
|
||||
root_logger.debug('No IPA DNS servers, '
|
||||
'skipping forward/reverse resolution check')
|
||||
|
||||
if options.setup_ca:
|
||||
options.realm_name = config.realm_name
|
||||
options.host_name = config.host_name
|
||||
options.subject = config.subject_base
|
||||
ca.install_check(False, config, options)
|
||||
|
||||
if config.setup_kra:
|
||||
try:
|
||||
kra.install_check(remote_api, config, options)
|
||||
except RuntimeError as e:
|
||||
print str(e)
|
||||
sys.exit(1)
|
||||
except errors.ACIError:
|
||||
sys.exit("\nThe password provided is incorrect for LDAP server "
|
||||
"%s" % config.master_host_name)
|
||||
@ -492,20 +502,6 @@ def install_check(installer):
|
||||
if conn.isconnected():
|
||||
conn.disconnect()
|
||||
|
||||
if options.setup_ca:
|
||||
options.realm_name = config.realm_name
|
||||
options.host_name = config.host_name
|
||||
options.subject = config.subject_base
|
||||
ca.install_check(False, config, options)
|
||||
|
||||
if config.setup_kra:
|
||||
try:
|
||||
kra.install_check(config, options, False,
|
||||
dogtag.install_constants.DOGTAG_VERSION)
|
||||
except RuntimeError as e:
|
||||
print str(e)
|
||||
sys.exit(1)
|
||||
|
||||
if options.setup_dns:
|
||||
dns.install_check(False, True, options, config.host_name)
|
||||
else:
|
||||
@ -567,10 +563,11 @@ def install(installer):
|
||||
if conn.isconnected():
|
||||
conn.disconnect()
|
||||
|
||||
options.dm_password = config.dirman_password
|
||||
|
||||
if config.setup_ca:
|
||||
options.realm_name = config.realm_name
|
||||
options.domain_name = config.domain_name
|
||||
options.dm_password = config.dirman_password
|
||||
options.host_name = config.host_name
|
||||
|
||||
ca.install(False, config, options)
|
||||
@ -591,7 +588,7 @@ def install(installer):
|
||||
ds.apply_updates()
|
||||
|
||||
if options.setup_kra:
|
||||
kra.install(config, options, config.dirman_password)
|
||||
kra.install(api, config, options)
|
||||
else:
|
||||
service.print_msg("Restarting the directory server")
|
||||
ds.restart()
|
||||
|
@ -41,6 +41,7 @@ SERVICE_LIST = {
|
||||
'MEMCACHE': ('ipa_memcached', 39),
|
||||
'HTTP': ('httpd', 40),
|
||||
'CA': ('%sd' % dogtag.configured_constants().PKI_INSTANCE_NAME, 50),
|
||||
'KRA': ('%sd' % dogtag.configured_constants().PKI_INSTANCE_NAME, 51),
|
||||
'ADTRUST': ('smb', 60),
|
||||
'EXTID': ('winbind', 70),
|
||||
'OTPD': ('ipa-otpd', 80),
|
||||
|
@ -1909,7 +1909,7 @@ class kra(Backend):
|
||||
Raises a generic exception if KRA is not enabled.
|
||||
"""
|
||||
|
||||
if not api.env.enable_kra:
|
||||
if not self.api.Command.kra_is_enabled()['result']:
|
||||
# TODO: replace this with a more specific exception
|
||||
raise RuntimeError('KRA service is not enabled')
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user