vault: Fix ipa-kra-install

Use state in LDAP rather than local state to check if KRA is installed. Use correct log file names. https://fedorahosted.org/freeipa/ticket/3872 Reviewed-By: David Kupka <dkupka@redhat.com>
2025-02-25 18:55:28 -06:00 · 2015-06-10 08:50:42 +00:00 · 2015-06-10 08:50:42 +00:00 · e7ac57e139
commit e7ac57e139
parent cbcd86b500
11 changed files with 102 additions and 96 deletions
--- a/API.txt
+++ b/API.txt
@ -2487,6 +2487,12 @@ option: Str('version?', exclude='webui')
 output: Output('commands', <type 'dict'>, None)
 output: Output('methods', <type 'dict'>, None)
 output: Output('objects', <type 'dict'>, None)
 command: kra_is_enabled
 args: 0,1,3
 option: Str('version?', exclude='webui')
 output: Output('result', <type 'bool'>, None)
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: PrimaryKey('value', None, None)
 command: krbtpolicy_mod
 args: 1,9,3
 arg: Str('uid', attribute=True, cli_name='user', multivalue=False, primary_key=True, query=True, required=False)
--- a/4
+++ b/4
@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
 #                                                      #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=126
+IPA_API_VERSION_MINOR=127
-# Last change: edewata - added vault-archive and vault-retrieve
+# Last change: jcholast - add kra_is_enabled
--- a/ipalib/plugins/vault.py
+++ b/ipalib/plugins/vault.py
@ -33,7 +33,7 @@ from ipalib import output
 from ipalib.crud import PKQuery, Retrieve, Update
 from ipalib.plugable import Registry
 from ipalib.plugins.baseldap import LDAPObject, LDAPCreate, LDAPDelete,\
-    LDAPSearch, LDAPUpdate, LDAPRetrieve
+    LDAPSearch, LDAPUpdate, LDAPRetrieve, pkey_to_value
 from ipalib.request import context
 from ipalib.plugins.user import split_principal
 from ipalib import _, ngettext
@ -320,7 +320,7 @@ class vault_add(LDAPCreate):
                     **options):
        assert isinstance(dn, DN)
-        if not self.api.env.enable_kra:
+        if not self.api.Command.kra_is_enabled()['result']:
            raise errors.InvocationError(
                format=_('KRA service is not enabled'))
@ -344,7 +344,7 @@ class vault_del(LDAPDelete):
    def pre_callback(self, ldap, dn, *keys, **options):
        assert isinstance(dn, DN)
-        if not self.api.env.enable_kra:
+        if not self.api.Command.kra_is_enabled()['result']:
            raise errors.InvocationError(
                format=_('KRA service is not enabled'))
@ -390,7 +390,7 @@ class vault_find(LDAPSearch):
                     **options):
        assert isinstance(base_dn, DN)
-        if not self.api.env.enable_kra:
+        if not self.api.Command.kra_is_enabled()['result']:
            raise errors.InvocationError(
                format=_('KRA service is not enabled'))
@ -422,7 +422,7 @@ class vault_mod(LDAPUpdate):
        assert isinstance(dn, DN)
-        if not self.api.env.enable_kra:
+        if not self.api.Command.kra_is_enabled()['result']:
            raise errors.InvocationError(
                format=_('KRA service is not enabled'))
@ -438,7 +438,7 @@ class vault_show(LDAPRetrieve):
    def pre_callback(self, ldap, dn, attrs_list, *keys, **options):
        assert isinstance(dn, DN)
-        if not self.api.env.enable_kra:
+        if not self.api.Command.kra_is_enabled()['result']:
            raise errors.InvocationError(
                format=_('KRA service is not enabled'))
@ -486,7 +486,7 @@ class vaultconfig_show(Retrieve):
    def execute(self, *args, **options):
-        if not self.api.env.enable_kra:
+        if not self.api.Command.kra_is_enabled()['result']:
            raise errors.InvocationError(
                format=_('KRA service is not enabled'))
@ -624,7 +624,7 @@ class vault_archive_encrypted(Update):
    def execute(self, *args, **options):
-        if not self.api.env.enable_kra:
+        if not self.api.Command.kra_is_enabled()['result']:
            raise errors.InvocationError(
                format=_('KRA service is not enabled'))
@ -774,7 +774,7 @@ class vault_retrieve_encrypted(Retrieve):
    def execute(self, *args, **options):
-        if not self.api.env.enable_kra:
+        if not self.api.Command.kra_is_enabled()['result']:
            raise errors.InvocationError(
                format=_('KRA service is not enabled'))
@ -813,3 +813,23 @@ class vault_retrieve_encrypted(Retrieve):
        kra_account.logout()
        return result
@register()
 class kra_is_enabled(Command):
    NO_CLI = True
    has_output = output.standard_value
    def execute(self, *args, **options):
        base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
                     self.api.env.basedn)
        filter = '(&(objectClass=ipaConfigObject)(cn=KRA))'
        try:
            self.api.Backend.ldap2.find_entries(
                base_dn=base_dn, filter=filter, attrs_list=[])
        except errors.NotFound:
            result = False
        else:
            result = True
        return dict(result=result, value=pkey_to_value(None, options))
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@ -309,6 +309,8 @@ class BasePathNamespace(object):
    IPARESTORE_LOG = "/var/log/iparestore.log"
    IPASERVER_CA_INSTALL_LOG = "/var/log/ipaserver-ca-install.log"
    IPASERVER_INSTALL_LOG = "/var/log/ipaserver-install.log"
    IPASERVER_KRA_INSTALL_LOG = "/var/log/ipaserver-kra-install.log"
    IPASERVER_KRA_UNINSTALL_LOG = "/var/log/ipaserver-kra-uninstall.log"
    IPASERVER_UNINSTALL_LOG = "/var/log/ipaserver-uninstall.log"
    IPAUPGRADE_LOG = "/var/log/ipaupgrade.log"
    KADMIND_LOG = "/var/log/kadmind.log"
@ -316,8 +318,6 @@ class BasePathNamespace(object):
    PKI_CA_LOG_DIR = "/var/log/pki-ca"
    PKI_CA_INSTALL_LOG = "/var/log/pki-ca-install.log"
    PKI_CA_UNINSTALL_LOG = "/var/log/pki-ca-uninstall.log"
    PKI_KRA_INSTALL_LOG = "/var/log/pki-kra-install.log"
    PKI_KRA_UNINSTALL_LOG = "/var/log/pki-kra-uninstall.log"
    VAR_LOG_PKI_DIR = "/var/log/pki/"
    TOMCAT_TOPLEVEL_DIR = "/var/log/pki/pki-tomcat"
    TOMCAT_CA_DIR = "/var/log/pki/pki-tomcat/ca"
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@ -584,22 +584,6 @@ def read_replica_info_dogtag_port(config_dir):
    return dogtag_master_ds_port
 def read_replica_info_kra_enabled(config_dir):
    """
    Check the replica info to determine if a KRA has been installed
    on the master
    """
    default_file = config_dir + "/default.conf"
    if not ipautil.file_exists(default_file):
        return False
    else:
        with open(default_file) as fd:
            config = SafeConfigParser()
            config.readfp(fd)
            enable_kra = config.getboolean("global", "enable_kra")
            return enable_kra
 def create_replica_config(dirman_password, filename, options):
    top_dir = None
--- a/ipaserver/install/ipa_kra_install.py
+++ b/ipaserver/install/ipa_kra_install.py
@ -23,7 +23,10 @@ from ipalib import api
 from ipaplatform import services
 from ipaplatform.paths import paths
 from ipapython import admintool
 from ipapython import dogtag
 from ipapython import ipautil
 from ipapython.dn import DN
 from ipaserver.install import krainstance
 from ipaserver.install import installutils
 from ipaserver.install.installutils import create_replica_config
 from ipaserver.install import dogtaginstance
@ -80,7 +83,7 @@ class KRAInstall(admintool.AdminTool):
 class KRAUninstaller(KRAInstall):
-    log_file_name = paths.PKI_KRA_UNINSTALL_LOG
+    log_file_name = paths.IPASERVER_KRA_UNINSTALL_LOG
    def validate_options(self, needs_root=True):
        super(KRAUninstaller, self).validate_options(needs_root=True)
@ -88,18 +91,20 @@ class KRAUninstaller(KRAInstall):
        if self.args:
            self.option_parser.error("Too many parameters provided.")
-        if not api.env.enable_kra:
+        dogtag_constants = dogtag.configured_constants(api)
        _kra = krainstance.KRAInstance(api, dogtag_constants=dogtag_constants)
        if not _kra.is_installed():
            self.option_parser.error(
                "Cannot uninstall.  There is no KRA installed on this system."
            )
    def run(self):
        super(KRAUninstaller, self).run()
-        kra.uninstall()
+        kra.uninstall(True)
 class KRAInstaller(KRAInstall):
-    log_file_name = paths.PKI_KRA_INSTALL_LOG
+    log_file_name = paths.IPASERVER_KRA_INSTALL_LOG
    INSTALLER_START_MESSAGE = '''
        ===================================================================
@ -161,15 +166,18 @@ class KRAInstaller(KRAInstall):
                self.replica_file,
                self.options)
        self.options.dm_password = self.options.password
        self.options.setup_ca = False
        api.Backend.ldap2.connect(bind_dn=DN('cn=Directory Manager'),
                                  bind_pw=self.options.dm_password)
        try:
-            kra.install_check(replica_config, self.options, api.env.enable_kra,
+            kra.install_check(api, replica_config, self.options)
                              int(api.env.dogtag_version))
        except RuntimeError as e:
            raise admintool.ScriptError(str(e))
-        kra.install(replica_config, self.options, self.options.password)
+        kra.install(api, replica_config, self.options)
        # Restart apache for new proxy config file
        services.knownservices.httpd.restart(capture_output=True)
--- a/ipaserver/install/kra.py
+++ b/ipaserver/install/kra.py
@ -2,25 +2,25 @@
 # Copyright (C) 2015  FreeIPA Contributors see COPYING for license
 #
-import os
+from ipalib import api, errors
 from ConfigParser import RawConfigParser
 from ipalib import api
 from ipaplatform.paths import paths
 from ipapython import dogtag
 from ipapython.dn import DN
 from ipaserver.install import cainstance
 from ipaserver.install import krainstance
 from ipaserver.install import dsinstance
 from ipaserver.install import service
 from ipaserver.install.installutils import read_replica_info_kra_enabled
-def install_check(replica_config, options, enable_kra, dogtag_version):
+def install_check(api, replica_config, options):
-    if enable_kra:
+    dogtag_constants = dogtag.configured_constants(api=api)
    kra = krainstance.KRAInstance(api.env.realm,
                                  dogtag_constants=dogtag_constants)
    if kra.is_installed():
        raise RuntimeError("KRA is already installed.")
    if not options.setup_ca:
        if cainstance.is_ca_installed_locally():
-            if dogtag_version >= 10:
+            if api.env.dogtag_version >= 10:
                # correct dogtag version of CA installed
                pass
            else:
@ -31,14 +31,11 @@ def install_check(replica_config, options, enable_kra, dogtag_version):
                "Dogtag CA is not installed.  Please install the CA first")
    if replica_config is not None:
-        if not read_replica_info_kra_enabled(replica_config.dir):
+        if not api.Command.kra_is_enabled()['result']:
-            raise RuntimeError(
+            raise RuntimeError("KRA is not installed on the master system")
                "Either KRA is not installed on the master system or "
                "your replica file is out of date"
            )
-def install(replica_config, options, dm_password):
+def install(api, replica_config, options):
    subject = dsinstance.DsInstance().find_subject_base()
    if replica_config is None:
        kra = krainstance.KRAInstance(
@ -55,31 +52,25 @@ def install(replica_config, options, dm_password):
    ds = dsinstance.DsInstance()
    ds.restart()
    kra.ldap_enable('KRA', api.env.host, options.dm_password, api.env.basedn)
    kra.enable_client_auth_to_db(kra.dogtag_constants.KRA_CS_CFG_PATH)
    # Update config file
    parser = RawConfigParser()
    parser.read(paths.IPA_DEFAULT_CONF)
    parser.set('global', 'enable_kra', 'True')
-    with open(paths.IPA_DEFAULT_CONF, 'w') as f:
+def uninstall(standalone):
-        parser.write(f)
+    dogtag_constants = dogtag.configured_constants(api)
    kra = krainstance.KRAInstance(api.env.realm,
                                  dogtag_constants=dogtag_constants)
    if standalone:
        kra.ldap_connect()
        try:
            kra.admin_conn.delete_entry(DN(('cn', 'KRA'), ('cn', api.env.host),
                                           ('cn', 'masters'), ('cn', 'ipa'),
                                           ('cn', 'etc'), api.env.basedn))
        except errors.NotFound:
            pass
-def uninstall():
+    kra.stop_tracking_certificates()
-    dogtag_constants = dogtag.configured_constants(api=api)
+    if kra.is_installed():
-
+        kra.uninstall()
    kra_instance = krainstance.KRAInstance(
        api.env.realm, dogtag_constants=dogtag_constants)
    kra_instance.stop_tracking_certificates()
    if kra_instance.is_installed():
        kra_instance.uninstall()
    # Check if config file exists, then update it
    if os.path.exists(paths.IPA_DEFAULT_CONF):
        parser = RawConfigParser()
        parser.read(paths.IPA_DEFAULT_CONF)
        parser.set('global', 'enable_kra', 'False')
        with open(paths.IPA_DEFAULT_CONF, 'w') as f:
            parser.write(f)
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@ -602,8 +602,7 @@ def install_check(installer):
    if setup_kra:
        try:
-            kra.install_check(None, options, False,
+            kra.install_check(api, None, options)
                              dogtag.install_constants.DOGTAG_VERSION)
        except RuntimeError as e:
            print str(e)
            sys.exit(1)
@ -865,7 +864,7 @@ def install(installer):
    http.restart()
    if setup_kra:
-        kra.install(None, options, dm_password)
+        kra.install(api, None, options)
    # Set the admin user kerberos password
    ds.change_admin_password(admin_password)
@ -1060,7 +1059,7 @@ def uninstall(installer):
    ntpinstance.NTPInstance(fstore).uninstall()
-    kra.uninstall()
+    kra.uninstall(False)
    ca.uninstall(dogtag_constants)
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@ -379,8 +379,6 @@ def install_check(installer):
            fd.write("enable_ra=False\n")
            fd.write("ra_plugin=none\n")
        fd.write("enable_kra=%s\n" % config.setup_kra)
        fd.write("mode=production\n")
        fd.close()
    finally:
@ -480,6 +478,18 @@ def install_check(installer):
            root_logger.debug('No IPA DNS servers, '
                              'skipping forward/reverse resolution check')
        if options.setup_ca:
            options.realm_name = config.realm_name
            options.host_name = config.host_name
            options.subject = config.subject_base
            ca.install_check(False, config, options)
        if config.setup_kra:
            try:
                kra.install_check(remote_api, config, options)
            except RuntimeError as e:
                print str(e)
                sys.exit(1)
    except errors.ACIError:
        sys.exit("\nThe password provided is incorrect for LDAP server "
                 "%s" % config.master_host_name)
@ -492,20 +502,6 @@ def install_check(installer):
        if conn.isconnected():
            conn.disconnect()
    if options.setup_ca:
        options.realm_name = config.realm_name
        options.host_name = config.host_name
        options.subject = config.subject_base
        ca.install_check(False, config, options)
    if config.setup_kra:
        try:
            kra.install_check(config, options, False,
                              dogtag.install_constants.DOGTAG_VERSION)
        except RuntimeError as e:
            print str(e)
            sys.exit(1)
    if options.setup_dns:
        dns.install_check(False, True, options, config.host_name)
    else:
@ -567,10 +563,11 @@ def install(installer):
        if conn.isconnected():
            conn.disconnect()
    options.dm_password = config.dirman_password
    if config.setup_ca:
        options.realm_name = config.realm_name
        options.domain_name = config.domain_name
        options.dm_password = config.dirman_password
        options.host_name = config.host_name
        ca.install(False, config, options)
@ -591,7 +588,7 @@ def install(installer):
    ds.apply_updates()
    if options.setup_kra:
-        kra.install(config, options, config.dirman_password)
+        kra.install(api, config, options)
    else:
        service.print_msg("Restarting the directory server")
        ds.restart()
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@ -41,6 +41,7 @@ SERVICE_LIST = {
    'MEMCACHE': ('ipa_memcached', 39),
    'HTTP': ('httpd', 40),
    'CA': ('%sd' % dogtag.configured_constants().PKI_INSTANCE_NAME, 50),
    'KRA': ('%sd' % dogtag.configured_constants().PKI_INSTANCE_NAME, 51),
    'ADTRUST': ('smb', 60),
    'EXTID': ('winbind', 70),
    'OTPD': ('ipa-otpd', 80),
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@ -1909,7 +1909,7 @@ class kra(Backend):
        Raises a generic exception if KRA is not enabled.
        """
-        if not api.env.enable_kra:
+        if not self.api.Command.kra_is_enabled()['result']:
            # TODO: replace this with a more specific exception
            raise RuntimeError('KRA service is not enabled')