On 12.7.2013 10:19, Tomas Babej wrote:
Just a nitpick:
+ # If any of the PKCS#12 options are selected, all are required.
+ pkcs12_req = (options.dirsrv_pkcs12, options.http_pkcs12)
+ pkcs12_opt = (options.pkinit_pkcs12,)
+ if any(pkcs12_req + pkcs12_opt) and not all(pkcs12_req):
parser.error("All PKCS#12 options are required if any are used.")
This error message is somewhat misleading, since --pkinit-pkcs12 options
is not required.
Fixed.
Updated patches attached.
Honza
--
Jan Cholasta
>From 6b21db9dc6c2cc3b7fb5a13877cbe8cb3aec1213 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Tue, 9 Jul 2013 10:23:47 +0000
Subject: [PATCH 1/3] Ask for PKCS#12 password interactively in
ipa-server-install.
https://fedorahosted.org/freeipa/ticket/3717
---
install/tools/ipa-server-install | 76 ++++++++++++++++++++++++++--------------
1 file changed, 50 insertions(+), 26 deletions(-)
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index cc88a0b..4ba6f0e 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -276,13 +276,20 @@ def parse_options():
if not options.forwarders and not options.no_forwarders:
parser.error("You must specify at least one --forwarder option or --no-forwarders option")
- # If any of the PKCS#12 options are selected, all are required. Create a
- # list of the options and count it to enforce that all are required without
- # having a huge set of it blocks.
- pkcs12 = [options.dirsrv_pkcs12, options.http_pkcs12, options.dirsrv_pin, options.http_pin]
- cnt = pkcs12.count(None)
- if cnt > 0 and cnt < 4:
- parser.error("All PKCS#12 options are required if any are used.")
+ # If any of the PKCS#12 options are selected, all are required.
+ pkcs12_req = (options.dirsrv_pkcs12, options.http_pkcs12)
+ pkcs12_opt = (options.pkinit_pkcs12,)
+ if any(pkcs12_req + pkcs12_opt) and not all(pkcs12_req):
+ parser.error("--dirsrv_pkcs12 and --http_pkcs12 are required if any "
+ "PKCS#12 options are used.")
+
+ if options.unattended:
+ if options.dirsrv_pkcs12 and not options.dirsrv_pin:
+ parser.error("You must specify --dirsrv_pin with --dirsrv_pkcs12")
+ if options.http_pkcs12 and not options.http_pin:
+ parser.error("You must specify --http_pin with --http_pkcs12")
+ if options.pkinit_pkcs12 and not options.pkinit_pin:
+ parser.error("You must specify --pkinit_pin with --pkinit_pkcs12")
if options.dirsrv_pkcs12 and not options.root_ca_file:
parser.error(
@@ -704,18 +711,6 @@ def main():
sys.exit(1)
cert = certdict[certissuer]
- if options.http_pkcs12:
- http_pin_file = ipautil.write_tmp_file(options.http_pin)
- http_pkcs12_info = (options.http_pkcs12, http_pin_file.name)
-
- if options.dirsrv_pkcs12:
- dirsrv_pin_file = ipautil.write_tmp_file(options.dirsrv_pin)
- dirsrv_pkcs12_info = (options.dirsrv_pkcs12, dirsrv_pin_file.name)
-
- if options.pkinit_pkcs12:
- pkinit_pin_file = ipautil.write_tmp_file(options.pkinit_pin)
- pkinit_pkcs12_info = (options.pkinit_pkcs12, pkinit_pin_file.name)
-
# We only set up the CA if the PKCS#12 options are not given.
if options.dirsrv_pkcs12:
setup_ca = False
@@ -834,13 +829,6 @@ def main():
else:
domain_name = options.domain_name
- if options.http_pkcs12:
- # Check the given PKCS#12 files
- ca_file = options.root_ca_file
- check_pkcs12 = installutils.check_pkcs12
- http_cert_name = check_pkcs12(http_pkcs12_info, ca_file, host_name)
- dirsrv_cert_name = check_pkcs12(dirsrv_pkcs12_info, ca_file, host_name)
-
domain_name = domain_name.lower()
ip = get_server_ip_address(host_name, fstore, options.unattended, options)
@@ -858,6 +846,42 @@ def main():
if not options.subject:
options.subject = DN(('O', realm_name))
+ ca_file = options.root_ca_file
+
+ if options.http_pkcs12:
+ if not options.http_pin:
+ options.http_pin = installutils.read_password(
+ "Enter %s unlock" % options.http_pkcs12,
+ confirm=False, validate=False)
+ if options.http_pin is None:
+ sys.exit("%s unlock password required" % options.http_pkcs12)
+ http_pin_file = ipautil.write_tmp_file(options.http_pin)
+ http_pkcs12_info = (options.http_pkcs12, http_pin_file.name)
+ http_cert_name = installutils.check_pkcs12(
+ http_pkcs12_info, ca_file, host_name)
+
+ if options.dirsrv_pkcs12:
+ if not options.dirsrv_pin:
+ options.dirsrv_pin = installutils.read_password(
+ "Enter %s unlock" % options.dirsrv_pkcs12,
+ confirm=False, validate=False)
+ if options.dirsrv_pin is None:
+ sys.exit("%s unlock password required" % options.dirsrv_pkcs12)
+ dirsrv_pin_file = ipautil.write_tmp_file(options.dirsrv_pin)
+ dirsrv_pkcs12_info = (options.dirsrv_pkcs12, dirsrv_pin_file.name)
+ dirsrv_cert_name = installutils.check_pkcs12(
+ dirsrv_pkcs12_info, ca_file, host_name)
+
+ if options.pkinit_pkcs12:
+ if not options.pkinit_pin:
+ options.pkinit_pin = installutils.read_password(
+ "Enter %s unlock" % options.pkinit_pkcs12,
+ confirm=False, validate=False)
+ if options.pkinit_pin is None:
+ sys.exit("%s unlock password required" % options.pkinit_pkcs12)
+ pkinit_pin_file = ipautil.write_tmp_file(options.pkinit_pin)
+ pkinit_pkcs12_info = (options.pkinit_pkcs12, pkinit_pin_file.name)
+
if not options.dm_password:
dm_password = read_dm_password()
--
1.8.3.1
>From 89efa1c77c0613ceaea4a4138ebb6c8dd1668cb7 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Tue, 9 Jul 2013 10:24:14 +0000
Subject: [PATCH 2/3] Ask for PKCS#12 password interactively in
ipa-replica-prepare.
https://fedorahosted.org/freeipa/ticket/3717
---
ipaserver/install/ipa_replica_prepare.py | 49 ++++++++++++++++++++++----------
1 file changed, 34 insertions(+), 15 deletions(-)
diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index a92e9a1..83bf2b2 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -103,17 +103,12 @@ class ReplicaPrepare(admintool.AdminTool):
options.setup_pkinit = False
# If any of the PKCS#12 options are selected, all are required.
- pkcs12_opts = [options.dirsrv_pkcs12, options.dirsrv_pin,
- options.http_pkcs12, options.http_pin]
- if options.setup_pkinit:
- pkcs12_opts.extend([options.pkinit_pkcs12, options.pkinit_pin])
- if pkcs12_opts[0]:
- pkcs12_okay = all(opt for opt in pkcs12_opts)
- else:
- pkcs12_okay = all(opt is None for opt in pkcs12_opts)
- if not pkcs12_okay:
+ pkcs12_req = (options.dirsrv_pkcs12, options.http_pkcs12)
+ pkcs12_opt = (options.pkinit_pkcs12,)
+ if any(pkcs12_req + pkcs12_opt) and not all(pkcs12_req):
self.option_parser.error(
- "All PKCS#12 options are required if any are used.")
+ "--dirsrv_pkcs12 and --http_pkcs12 are required if any "
+ "PKCS#12 options are used.")
if len(self.args) < 1:
self.option_parser.error(
@@ -136,11 +131,6 @@ class ReplicaPrepare(admintool.AdminTool):
"--http_pkcs12, --dirsrv_pkcs12 options to provide custom "
"certificates.")
- if options.http_pkcs12:
- # Check the given PKCS#12 files
- self.check_pkcs12(options.http_pkcs12, options.http_pin)
- self.check_pkcs12(options.dirsrv_pkcs12, options.dirsrv_pin)
-
config_dir = dsinstance.config_dirname(
dsinstance.realm_to_serverid(api.env.realm))
if not ipautil.dir_exists(config_dir):
@@ -220,6 +210,35 @@ class ReplicaPrepare(admintool.AdminTool):
options.reverse_zone, options.ip_address):
raise admintool.ScriptError("Invalid reverse zone")
+ if options.http_pkcs12:
+ if not options.http_pin:
+ options.http_pin = installutils.read_password(
+ "Enter %s unlock" % options.http_pkcs12,
+ confirm=False, validate=False)
+ if options.http_pin is None:
+ raise admintool.ScriptError(
+ "%s unlock password required" % options.http_pkcs12)
+ self.check_pkcs12(options.http_pkcs12, options.http_pin)
+
+ if options.dirsrv_pkcs12:
+ if not options.dirsrv_pin:
+ options.dirsrv_pin = installutils.read_password(
+ "Enter %s unlock" % options.dirsrv_pkcs12,
+ confirm=False, validate=False)
+ if options.dirsrv_pin is None:
+ raise admintool.ScriptError(
+ "%s unlock password required" % options.dirsrv_pkcs12)
+ self.check_pkcs12(options.dirsrv_pkcs12, options.dirsrv_pin)
+
+ if options.pkinit_pkcs12:
+ if not options.pkinit_pin:
+ options.pkinit_pin = installutils.read_password(
+ "Enter %s unlock" % options.pkinit_pkcs12,
+ confirm=False, validate=False)
+ if options.pkinit_pin is None:
+ raise admintool.ScriptError(
+ "%s unlock password required" % options.pkinit_pkcs12)
+
if (not ipautil.file_exists(
dogtag.configured_constants().CS_CFG_PATH) and
not options.dirsrv_pin):
--
1.8.3.1
>From 82cd1e56727f184e4e2cd989f4801b2b792ebbf1 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Tue, 9 Jul 2013 10:29:21 +0000
Subject: [PATCH 3/3] Print newline after receiving EOF in
installutils.read_password.
---
install/tools/ipa-ca-install | 2 +-
install/tools/ipa-compat-manage | 2 +-
install/tools/ipa-csreplica-manage | 2 +-
install/tools/ipa-dns-install | 2 +-
install/tools/ipa-managed-entries | 2 +-
install/tools/ipa-nis-manage | 2 +-
install/tools/ipa-replica-conncheck | 2 +-
install/tools/ipa-replica-install | 2 +-
install/tools/ipa-replica-manage | 2 +-
install/tools/ipa-server-certinstall | 2 +-
install/tools/ipa-server-install | 6 +++---
ipaserver/install/installutils.py | 3 ++-
12 files changed, 15 insertions(+), 14 deletions(-)
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 1fd59ec..636f63d 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -125,7 +125,7 @@ def main():
except KeyboardInterrupt:
sys.exit(0)
if dirman_password is None:
- sys.exit("\nDirectory Manager password required")
+ sys.exit("Directory Manager password required")
if not options.admin_password and not options.skip_conncheck and \
options.unattended:
diff --git a/install/tools/ipa-compat-manage b/install/tools/ipa-compat-manage
index 87fa47f..7061a3e 100755
--- a/install/tools/ipa-compat-manage
+++ b/install/tools/ipa-compat-manage
@@ -98,7 +98,7 @@ def main():
else:
dirman_password = get_dirman_password()
if dirman_password is None:
- sys.exit("\nDirectory Manager password required")
+ sys.exit("Directory Manager password required")
api.bootstrap(context='cli', debug=options.debug)
api.finalize()
diff --git a/install/tools/ipa-csreplica-manage b/install/tools/ipa-csreplica-manage
index 4e11ffd..ce027be 100755
--- a/install/tools/ipa-csreplica-manage
+++ b/install/tools/ipa-csreplica-manage
@@ -401,7 +401,7 @@ def main():
dirman_passwd = installutils.read_password("Directory Manager", confirm=False,
validate=False, retry=False)
if dirman_passwd is None:
- sys.exit("\nDirectory Manager password required")
+ sys.exit("Directory Manager password required")
options.dirman_passwd = dirman_passwd
diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install
index 47bc31b..275e699 100755
--- a/install/tools/ipa-dns-install
+++ b/install/tools/ipa-dns-install
@@ -142,7 +142,7 @@ def main():
dm_password = options.dm_password or read_password("Directory Manager",
confirm=False, validate=False)
if dm_password is None:
- sys.exit("\nDirectory Manager password required")
+ sys.exit("Directory Manager password required")
bind = bindinstance.BindInstance(fstore, dm_password)
# try the connection
diff --git a/install/tools/ipa-managed-entries b/install/tools/ipa-managed-entries
index 5bf3ad6..2cf37e2 100755
--- a/install/tools/ipa-managed-entries
+++ b/install/tools/ipa-managed-entries
@@ -95,7 +95,7 @@ def main():
except errors.ACIError:
dirman_password = get_dirman_password()
if dirman_password is None:
- sys.exit("\nDirectory Manager password required")
+ sys.exit("Directory Manager password required")
try:
conn.do_simple_bind(bindpw=dirman_password)
except errors.ACIError:
diff --git a/install/tools/ipa-nis-manage b/install/tools/ipa-nis-manage
index a35e19f..71c0761 100755
--- a/install/tools/ipa-nis-manage
+++ b/install/tools/ipa-nis-manage
@@ -108,7 +108,7 @@ def main():
else:
dirman_password = get_dirman_password()
if dirman_password is None:
- sys.exit("\nDirectory Manager password required")
+ sys.exit("Directory Manager password required")
if not dirman_password:
sys.exit("No password supplied")
diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index 3b0b1d0..583b5d5 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -340,7 +340,7 @@ def main():
password = installutils.read_password(principal, confirm=False,
validate=False, retry=False)
if password is None:
- sys.exit("\nPrincipal password required")
+ sys.exit("Principal password required")
stderr=''
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index c013c29..79f8a7a 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -480,7 +480,7 @@ def main():
except KeyboardInterrupt:
sys.exit(0)
if dirman_password is None:
- sys.exit("\nDirectory Manager password required")
+ sys.exit("Directory Manager password required")
try:
top_dir, dir = expand_replica_info(filename, dirman_password)
diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index 2fb32fa..e2bd38e 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -1178,7 +1178,7 @@ def main():
dirman_passwd = installutils.read_password("Directory Manager",
confirm=False, validate=False, retry=False)
if dirman_passwd is None:
- sys.exit("\nDirectory Manager password required")
+ sys.exit("Directory Manager password required")
options.dirman_passwd = dirman_passwd
diff --git a/install/tools/ipa-server-certinstall b/install/tools/ipa-server-certinstall
index bc4dde2..5b498b1 100755
--- a/install/tools/ipa-server-certinstall
+++ b/install/tools/ipa-server-certinstall
@@ -141,7 +141,7 @@ def main():
dm_password = installutils.read_password("Directory Manager",
confirm=False, validate=False, retry=False)
if dm_password is None:
- sys.exit("\nDirectory Manager password required")
+ sys.exit("Directory Manager password required")
realm = get_realm_name()
dirname = dsinstance.config_dirname(dsinstance.realm_to_serverid(realm))
fd = open(dirname + "/pwdfile.txt")
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 4ba6f0e..672369c 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -666,7 +666,7 @@ def main():
else:
dm_password = read_password("Directory Manager", confirm=False)
if dm_password is None:
- sys.exit("\nDirectory Manager password required")
+ sys.exit("Directory Manager password required")
try:
options._update_loose(read_cache(dm_password))
except Exception, e:
@@ -886,7 +886,7 @@ def main():
dm_password = read_dm_password()
if dm_password is None:
- sys.exit("\nDirectory Manager password required")
+ sys.exit("Directory Manager password required")
else:
dm_password = options.dm_password
@@ -898,7 +898,7 @@ def main():
if not options.admin_password:
admin_password = read_admin_password()
if admin_password is None:
- sys.exit("\nIPA admin password required")
+ sys.exit("IPA admin password required")
else:
admin_password = options.admin_password
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index a716525..295bb12 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -291,7 +291,8 @@ def read_password(user, confirm=True, validate=True, retry=True, validator=_read
correct = True
except EOFError:
return None
- print ""
+ finally:
+ print ""
return pwd
def update_file(filename, orig, subst):
--
1.8.3.1
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
