freeipa/install/tools/ipa-ca-install
2016-01-28 16:33:15 +01:00

320 lines
12 KiB
Python
Executable File

#! /usr/bin/python2 -E
# Authors: Rob Crittenden <rcritten@redhat.com>
#
# Copyright (C) 2011 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
import sys
import os
import shutil
import tempfile
from ipapython import ipautil
from ipaserver.install import installutils
from ipaserver.install import certs
from ipaserver.install.installutils import create_replica_config
from ipaserver.install.installutils import check_creds, ReplicaConfig
from ipaserver.install import dsinstance, ca
from ipaserver.install import cainstance, custodiainstance, service
from ipapython import version
from ipalib import api
from ipalib.constants import DOMAIN_LEVEL_0
from ipapython.dn import DN
from ipapython.config import IPAOptionParser
from ipapython.ipa_log_manager import root_logger, standard_logging_setup
from ipaplatform.paths import paths
log_file_name = paths.IPAREPLICA_CA_INSTALL_LOG
REPLICA_INFO_TOP_DIR = None
def parse_options():
usage = "%prog [options] REPLICA_FILE"
parser = IPAOptionParser(usage=usage, version=version.VERSION)
parser.add_option("-d", "--debug", dest="debug", action="store_true",
default=False, help="gather extra debugging information")
parser.add_option("-p", "--password", dest="password", sensitive=True,
help="Directory Manager (existing master) password")
parser.add_option("-w", "--admin-password", dest="admin_password", sensitive=True,
help="Admin user Kerberos password used for connection check")
parser.add_option("--no-host-dns", dest="no_host_dns", action="store_true",
default=False,
help="Do not use DNS for hostname lookup during installation")
parser.add_option("--skip-conncheck", dest="skip_conncheck", action="store_true",
default=False, help="skip connection check to remote master")
parser.add_option("--skip-schema-check", dest="skip_schema_check", action="store_true",
default=False, help="skip check for updated CA DS schema on the remote master")
parser.add_option("-U", "--unattended", dest="unattended", action="store_true",
default=False, help="unattended installation never prompts the user")
parser.add_option("--external-ca", dest="external_ca", action="store_true",
default=False, help="Generate a CSR to be signed by an external CA")
parser.add_option("--external-ca-type", dest="external_ca_type",
type="choice", choices=("generic", "ms-cs"),
help="Type of the external CA")
parser.add_option("--external-cert-file", dest="external_cert_files",
action="append", metavar="FILE",
help="File containing the IPA CA certificate and the external CA certificate chain")
parser.add_option("--ca-signing-algorithm", dest="ca_signing_algorithm",
type="choice",
choices=('SHA1withRSA', 'SHA256withRSA', 'SHA512withRSA'),
help="Signing algorithm of the IPA CA certificate")
parser.add_option("-P", "--principal", dest="principal", sensitive=True,
default=None, help="User allowed to manage replicas")
options, args = parser.parse_args()
safe_options = parser.get_safe_opts(options)
if args:
filename = args[0]
if len(args) != 1:
parser.error("you must provide a file generated by "
"ipa-replica-prepare")
options.external_ca = None
options.external_cert_files = None
else:
filename = None
if options.external_ca:
if options.external_cert_files:
parser.error("You cannot specify --external-cert-file "
"together with --external-ca")
if options.external_ca_type and not options.external_ca:
parser.error(
"You cannot specify --external-ca-type without --external-ca")
return safe_options, options, filename
def get_dirman_password():
return installutils.read_password(
"Directory Manager (existing master)", confirm=False, validate=False)
def install_replica(safe_options, options, filename):
if options.promote:
if filename is not None:
sys.exit("Too many parameters provided. "
"No replica file is required")
else:
if filename is None:
sys.exit("A replica file is required")
if not ipautil.file_exists(filename):
sys.exit("Replica file %s does not exist" % filename)
if not options.promote:
# Check if we have admin creds already, otherwise acquire them
check_creds(options, api.env.realm)
# get the directory manager password
dirman_password = options.password
if not dirman_password:
if options.unattended:
sys.exit('Directory Manager password required')
try:
dirman_password = get_dirman_password()
except KeyboardInterrupt:
sys.exit(0)
if dirman_password is None:
sys.exit("Directory Manager password required")
if (not options.promote and not options.admin_password and
not options.skip_conncheck and options.unattended):
sys.exit('admin password required')
if options.promote:
config = ReplicaConfig()
config.master_host_name = None
config.realm_name = api.env.realm
config.host_name = api.env.host
config.domain_name = api.env.domain
config.dirman_password = dirman_password
config.ca_ds_port = 389
config.top_dir = tempfile.mkdtemp("ipa")
config.dir = config.top_dir
cafile = paths.IPA_CA_CRT
else:
config = create_replica_config(dirman_password, filename, options)
cafile = config.dir + '/ca.crt'
global REPLICA_INFO_TOP_DIR
REPLICA_INFO_TOP_DIR = config.top_dir
config.setup_ca = True
conn = api.Backend.ldap2
conn.connect(bind_dn=DN(('cn', 'Directory Manager')),
bind_pw=dirman_password)
if config.subject_base is None:
attrs = conn.get_ipa_config()
config.subject_base = attrs.get('ipacertificatesubjectbase')[0]
if config.master_host_name is None:
config.ca_host_name = \
service.find_providing_server('CA', conn, api.env.ca_host)
config.master_host_name = config.ca_host_name
else:
config.ca_host_name = config.master_host_name
options.realm_name = config.realm_name
options.domain_name = config.domain_name
options.dm_password = config.dirman_password
options.host_name = config.host_name
options.subject = config.subject_base
if os.path.exists(cafile):
options.ca_cert_file = cafile
else:
options.ca_cert_file = None
ca.install_check(True, config, options)
if options.promote:
ca_data = (os.path.join(config.dir, 'cacert.p12'),
config.dirman_password)
custodia = custodiainstance.CustodiaInstance(config.host_name,
config.realm_name)
custodia.get_ca_keys(config.ca_host_name, ca_data[0], ca_data[1])
CA = cainstance.CAInstance(config.realm_name, certs.NSS_DIR,
host_name=config.host_name,
dm_password=config.dirman_password)
CA.configure_replica(config.ca_host_name,
subject_base=config.subject_base,
ca_cert_bundle=ca_data)
else:
ca.install(True, config, options)
def install_master(safe_options, options):
dm_password = options.password
if not dm_password:
if options.unattended:
sys.exit('Directory Manager password required')
try:
dm_password = get_dirman_password()
except KeyboardInterrupt:
sys.exit(0)
if dm_password is None:
sys.exit("Directory Manager password required")
api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
bind_pw=dm_password)
config = api.Command['config_show']()['result']
subject_base = config['ipacertificatesubjectbase'][0]
options.realm_name = api.env.realm
options.domain_name = api.env.domain
options.dm_password = dm_password
options.host_name = api.env.host
options.subject = subject_base
ca.install_check(True, None, options)
ca.install(True, None, options)
def install(safe_options, options, filename):
options.promote = False
try:
if filename is None:
install_master(safe_options, options)
else:
install_replica(safe_options, options, filename)
finally:
# Clean up if we created custom credentials
created_ccache_file = getattr(options, 'created_ccache_file', None)
if created_ccache_file is not None:
try:
os.unlink(created_ccache_file)
except OSError:
pass
def promote(safe_options, options, filename):
options.promote = True
with ipautil.private_ccache():
ccache = os.environ['KRB5CCNAME']
ipautil.kinit_keytab(
'host/{env.host}@{env.realm}'.format(env=api.env),
paths.KRB5_KEYTAB,
ccache)
conn = api.Backend.ldap2
conn.connect(ccache=ccache)
ca_host = service.find_providing_server('CA', conn)
conn.disconnect()
if ca_host is None:
install_master(safe_options, options)
else:
install_replica(safe_options, options, filename)
def main():
safe_options, options, filename = parse_options()
if os.geteuid() != 0:
sys.exit("\nYou must be root to run this script.\n")
if not dsinstance.DsInstance().is_configured():
sys.exit("IPA server is not configured on this system.\n")
if (not options.external_cert_files and
cainstance.is_ca_installed_locally()):
sys.exit("CA is already installed on this host.")
standard_logging_setup(paths.IPASERVER_CA_INSTALL_LOG, debug=options.debug)
root_logger.debug("%s was invoked with options: %s,%s",
sys.argv[0], safe_options, filename)
root_logger.debug("IPA version %s", version.VENDOR_VERSION)
# override ra_plugin setting read from default.conf so that we have
# functional dogtag backend plugins during CA install
api.bootstrap(in_server=True, ra_plugin='dogtag')
api.finalize()
domain_level = dsinstance.get_domain_level(api)
if domain_level > DOMAIN_LEVEL_0:
promote(safe_options, options, filename)
else:
install(safe_options, options, filename)
# execute ipactl to refresh services status
ipautil.run(['ipactl', 'start', '--ignore-service-failures'],
raiseonerr=False)
fail_message = '''
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
'''
if __name__ == '__main__':
try:
installutils.run_script(main, log_file_name=log_file_name,
operation_name='ipa-ca-install',
fail_message=fail_message)
finally:
# always try to remove decrypted replica file
try:
if REPLICA_INFO_TOP_DIR:
shutil.rmtree(REPLICA_INFO_TOP_DIR)
except OSError:
pass