On 05/19/2015 08:23 PM, Martin Babinsky wrote:
This patch is required for the installer ref@#$%&ing work
(https://fedorahosted.org/freeipa/ticket/4468).

It required quite a bit of hacking to get it to work as expected, but I
hope that it's not so bad.

Requires PATCH 0035 "do not check for directory manager password during
KRA uninstall" to apply.



Attaching rebased patch that should apply cleanly on current master without prerequisites.

--
Martin^3 Babinsky
From ae002f2b86eaccb5219322de2ae23e42eb713166 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Fri, 15 May 2015 19:02:22 +0200
Subject: [PATCH] merge KRA installation machinery to a single module

This is a prerequisite to further refactoring of KRA install/uninstall
functionality in all IPA install scripts.

https://fedorahosted.org/freeipa/ticket/4468
---
 install/tools/ipa-replica-install    |  21 +++----
 install/tools/ipa-server-install     |  26 +++-----
 ipaserver/install/ipa_kra_install.py | 108 ++++++--------------------------
 ipaserver/install/kra.py             | 116 +++++++++++++++++++++++++++++++++++
 4 files changed, 153 insertions(+), 118 deletions(-)
 create mode 100644 ipaserver/install/kra.py

diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index f68cc8cf4722264ecea2f1f50de3aa245be24ef9..d0c4a28fcf0bf0a2693ffef10626a8f99a69c8bc 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -37,10 +37,10 @@ from ipaserver.install import memcacheinstance, dnskeysyncinstance
 from ipaserver.install import otpdinstance
 from ipaserver.install.replication import replica_conn_check, ReplicationManager
 from ipaserver.install.installutils import (
-    create_replica_config, read_replica_info_kra_enabled, private_ccache)
+    create_replica_config, private_ccache)
 from ipaserver.plugins.ldap2 import ldap2
 from ipaserver.install import cainstance
-from ipaserver.install import krainstance
+from ipaserver.install import kra
 from ipaserver.install import dns as dns_installer
 from ipalib import api, create_api, errors, util, certstore, x509
 from ipalib.constants import CACERT
@@ -473,12 +473,12 @@ def main():
 
     config.setup_kra = options.setup_kra
     if config.setup_kra:
-        if not config.setup_ca:
-            print "CA must be installed with the KRA"
-            sys.exit(1)
-        if not read_replica_info_kra_enabled(config.dir):
-            print "KRA is not installed on the master system"
-            sys.exit(1)
+        try:
+            kra.check_install(options, dirman_password,
+                              config.setup_ca, filename)
+        except RuntimeError as e:
+            print str(e)
+            exit(1)
 
     installutils.verify_fqdn(config.master_host_name, options.no_host_dns)
 
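Review bot: `kra.check_install(options, dirman_password, config.setup_ca, filename)` is given the replica file name instead of the `config` object that already exists here, so `check_install()` in `ipaserver/install/kra.py` calls `create_replica_config()` again, and `kra.install(..., replica_file=filename)` in the next hunk of this file calls it a third time. If that helper unpacks the replica file into a fresh directory (the `.dir` attribute suggests so, but its body is not shown), each call leaves another unpacked copy of the replica file's contents on disk, and nothing in the new code removes them. Letting both functions accept an already-built replica config would avoid the repeated unpacking. Separately, the removed lines used `sys.exit(1)`; the new `exit(1)` relies on the `site` builtin and should stay `sys.exit(1)`. `main()` starts and ends outside this hunk.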
@@ -660,10 +660,7 @@ def main():
     ds.apply_updates()
 
     if options.setup_kra:
-        kra = krainstance.install_replica_kra(config)
-        service.print_msg("Restarting the directory server")
-        ds.restart()
-        kra.enable_client_auth_to_db(kra.dogtag_constants.KRA_CS_CFG_PATH)
+        kra.install(options, dirman_password, replica_file=filename)
     else:
         service.print_msg("Restarting the directory server")
         ds.restart()
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index cb6e1abe2016c0f8cefc35b1d685373f05b3ef89..f4ef71d84d30d79f70f164c30f274d8769b3e319 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -53,13 +53,13 @@ from ipaserver.install import httpinstance
 from ipaserver.install import ntpinstance
 from ipaserver.install import certs
 from ipaserver.install import cainstance
-from ipaserver.install import krainstance
 from ipaserver.install import memcacheinstance
 from ipaserver.install import otpdinstance
 from ipaserver.install import sysupgrade
 from ipaserver.install import replication
 from ipaserver.install import dns as dns_installer
 from ipaserver.install import service, installutils
+from ipaserver.install import kra
 from ipapython import version
 from ipapython import certmonger
 from ipapython import ipaldap
@@ -577,11 +577,12 @@ def uninstall():
         if cads_instance.is_configured():
             cads_instance.uninstall()
 
-    kra_instance = krainstance.KRAInstance(
-        api.env.realm, dogtag_constants=dogtag_constants)
-    kra_instance.stop_tracking_certificates()
-    if kra_instance.is_installed():
-        kra_instance.uninstall()
+    try:
+        kra.check_uninstall()
+    except RuntimeError:
+        pass
+    else:
+        kra.uninstall()
 
     ca_instance = cainstance.CAInstance(
         api.env.realm, certs.NSS_DIR, dogtag_constants=dogtag_constants)
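Review bot: The `except RuntimeError: pass` branch makes the whole KRA cleanup depend on the `enable_kra` flag, whereas the removed code always called `stop_tracking_certificates()` and decided on `kra_instance.is_installed()`. An install that failed before the flag was written could therefore leave the KRA instance and its tracked certificates on the host after a server uninstall. Since `kra.uninstall()` already checks `is_installed()` itself, the full-server path can call it unconditionally: replace the `try`/`except`/`else` with a plain `kra.uninstall()`. `uninstall()` continues outside the hunk.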
@@ -1290,18 +1291,7 @@ def main():
     http.restart()
 
     if setup_kra:
-        kra = krainstance.KRAInstance(realm_name,
-            dogtag_constants=dogtag.install_constants)
-        kra.configure_instance(host_name, domain_name, dm_password,
-                               dm_password, subject_base=options.subject)
-
-        # This is done within stopped_service context, which restarts KRA
-        service.print_msg("Restarting the directory server")
-        ds.restart()
-
-        service.print_msg("Enabling KRA to authenticate with the database "
-                          "using client certificates")
-        kra.enable_client_auth_to_db(kra.dogtag_constants.KRA_CS_CFG_PATH)
+        kra.install(options, dm_password)
 
     # Set the admin user kerberos password
     ds.change_admin_password(admin_password)
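Review bot: `kra.install(options, dm_password)` does not do everything the removed lines did. The old code called `ds.restart()` after `configure_instance()` and passed `subject_base=options.subject`. The non-replica branch of `kra.install()` never restarts the directory server, and it takes the subject base from `dsinstance.DsInstance().find_subject_base()`. Whether the restart is still needed before `enable_client_auth_to_db()`, and whether the looked-up subject base always equals `options.subject` at this point, cannot be told from the patch. If the restart is needed, move `ds = dsinstance.DsInstance()` and `ds.restart()` out of the `else:` branch in `kra.install()`; otherwise record the reason in a comment there.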
diff --git a/ipaserver/install/ipa_kra_install.py b/ipaserver/install/ipa_kra_install.py
index 386da286ab11b043ebd12e18047c73e23baa5672..21b5a79a8e21e9108c010dfec368eb175d369b2d 100644
--- a/ipaserver/install/ipa_kra_install.py
+++ b/ipaserver/install/ipa_kra_install.py
@@ -18,22 +18,14 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #
 
-from ConfigParser import RawConfigParser
 from textwrap import dedent
 from ipalib import api
-from ipaplatform import services
 from ipaplatform.paths import paths
 from ipapython import admintool
-from ipapython import dogtag
 from ipapython import ipautil
-from ipaserver.install import cainstance
-from ipaserver.install import dogtaginstance
-from ipaserver.install import krainstance
-from ipaserver.install import dsinstance
 from ipaserver.install import installutils
-from ipaserver.install import service
-from ipaserver.install.installutils import (
-    read_replica_info_kra_enabled, create_replica_config)
+from ipaserver.install import dogtaginstance
+import kra
 
 
 class KRAInstall(admintool.AdminTool):
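Review bot: `import kra` is an implicit relative import, while the two installer scripts touched by this patch use `from ipaserver.install import kra`. The bare form resolves only through Python 2's package-relative lookup, and would pick up any top-level module named `kra` if that lookup changes. Use `from ipaserver.install import kra` here too, matching the neighbouring `from ipaserver.install import dogtaginstance`.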
@@ -93,29 +85,14 @@ class KRAUninstaller(KRAInstall):
 
         if self.args:
             self.option_parser.error("Too many parameters provided.")
-
-        if not api.env.enable_kra:
-            self.option_parser.error(
-                "Cannot uninstall.  There is no KRA installed on this system."
-            )
+        try:
+            kra.check_uninstall()
+        except RuntimeError as e:
+            self.option_parser.error(str(e))
 
     def run(self):
         super(KRAUninstaller, self).run()
-        dogtag_constants = dogtag.configured_constants()
-
-        kra_instance = krainstance.KRAInstance(
-            api.env.realm, dogtag_constants=dogtag_constants)
-        kra_instance.stop_tracking_certificates()
-        if kra_instance.is_installed():
-            kra_instance.uninstall()
-
-        # Update config file
-        parser = RawConfigParser()
-        parser.read(paths.IPA_DEFAULT_CONF)
-        parser.set('global', 'enable_kra', 'False')
-
-        with open(paths.IPA_DEFAULT_CONF, 'w') as f:
-            parser.write(f)
+        kra.uninstall()
 
 
 class KRAInstaller(KRAInstall):
@@ -141,26 +118,9 @@ class KRAInstaller(KRAInstall):
                 " in unattended mode"
             )
 
-        dogtag_version = int(api.env.dogtag_version)
-        enable_kra = api.env.enable_kra
-
-        if enable_kra:
-            self.option_parser.error("KRA is already installed.")
-
-        ca_installed = cainstance.is_ca_installed_locally()
-
-        if ca_installed:
-            if dogtag_version >= 10:
-                # correct dogtag version of CA installed
-                pass
-            else:
-                self.option_parser.error(
-                    "Dogtag must be version 10.2 or above to install KRA")
-        else:
-            self.option_parser.error(
-                "Dogtag CA is not installed.  Please install the CA first")
-
         self.installing_replica = dogtaginstance.is_installing_replica("KRA")
+        self.replica_file = None
+
         if self.installing_replica:
             if not self.args:
                 self.option_parser.error("A replica file is required.")
@@ -188,48 +148,20 @@ class KRAInstaller(KRAInstall):
                     "Directory Manager password required")
 
     def _run(self):
+        # installation check has to be done after validating options and asking
+        # for missing ones, because we need dirman password for
+        # `read_replica_info_kra_enabled`
+        try:
+            kra.check_install(self.options, self.options.password, False,
+                              self.replica_file)
+        except RuntimeError as e:
+            self.option_parser.error(str(e))
+
         super(KRAInstaller, self).run()
         print dedent(self.INSTALLER_START_MESSAGE)
 
-        subject = dsinstance.DsInstance().find_subject_base()
-        if not self.installing_replica:
-            kra = krainstance.KRAInstance(
-                api.env.realm,
-                dogtag_constants=dogtag.install_constants)
-
-            kra.configure_instance(
-                api.env.host, api.env.domain, self.options.password,
-                self.options.password, subject_base=subject)
-        else:
-            replica_config = create_replica_config(
-                self.options.password,
-                self.replica_file,
-                self.options)
-
-            if not read_replica_info_kra_enabled(replica_config.dir):
-                raise admintool.ScriptError(
-                    "Either KRA is not installed on the master system or "
-                    "your replica file is out of date"
-                )
-
-            kra = krainstance.install_replica_kra(replica_config)
-            service.print_msg("Restarting the directory server")
-
-            ds = dsinstance.DsInstance()
-            ds.restart()
-
-        kra.enable_client_auth_to_db(kra.dogtag_constants.KRA_CS_CFG_PATH)
-
-        # Restart apache for new proxy config file
-        services.knownservices.httpd.restart(capture_output=True)
-
-        # Update config file
-        parser = RawConfigParser()
-        parser.read(paths.IPA_DEFAULT_CONF)
-        parser.set('global', 'enable_kra', 'True')
-
-        with open(paths.IPA_DEFAULT_CONF, 'w') as f:
-            parser.write(f)
+        kra.install(self.options, self.options.password,
+                    self.replica_file)
 
     def run(self):
         try:
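Review bot: In `_run()` a failed `kra.check_install()` is reported through `self.option_parser.error(str(e))`, which presents an environment problem (KRA already installed, CA missing, stale replica file) as a command-line usage error. The removed code raised `admintool.ScriptError` for the replica-file case, and `admintool` is still imported. Using `raise admintool.ScriptError(str(e))` would keep the failure on the tool's normal error path. The added comment also names `read_replica_info_kra_enabled` as the reason the password is needed, but in `check_install()` the password is passed to `create_replica_config()`. The check also runs before `super(KRAInstaller, self).run()`, so confirm nothing it depends on is set up there.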
diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py
new file mode 100644
index 0000000000000000000000000000000000000000..c98b989a8a19e0d8858119935bd257f271ad33aa
--- /dev/null
+++ b/ipaserver/install/kra.py
@@ -0,0 +1,116 @@
+#
+# Copyright (C) 2015  FreeIPA Contributors see COPYING for license
+#
+
+import os
+from ConfigParser import RawConfigParser
+from ipalib import api
+from ipaplatform import services
+from ipaplatform.paths import paths
+from ipapython import dogtag
+from ipaserver.install import cainstance
+from ipaserver.install import krainstance
+from ipaserver.install import dsinstance
+from ipaserver.install import service
+from ipaserver.install.installutils import (
+    read_replica_info_kra_enabled, create_replica_config)
+
+
+def install(options, dm_password, replica_file=None):
+    subject = dsinstance.DsInstance().find_subject_base()
+    if replica_file is None:
+        kra = krainstance.KRAInstance(
+            api.env.realm,
+            dogtag_constants=dogtag.install_constants)
+
+        kra.configure_instance(
+            api.env.host, api.env.domain, dm_password,
+            dm_password, subject_base=subject)
+    else:
+        replica_config = create_replica_config(
+            dm_password,
+            replica_file,
+            options)
+
+        kra = krainstance.install_replica_kra(replica_config)
+        service.print_msg("Restarting the directory server")
+
+        ds = dsinstance.DsInstance()
+        ds.restart()
+
+    kra.enable_client_auth_to_db(kra.dogtag_constants.KRA_CS_CFG_PATH)
+
+    # Restart apache for new proxy config file
+    services.knownservices.httpd.restart(capture_output=True)
+
+    # Update config file
+    if os.path.exists(paths.IPA_DEFAULT_CONF):
+        parser = RawConfigParser()
+        parser.read(paths.IPA_DEFAULT_CONF)
+        parser.set('global', 'enable_kra', 'True')
+
+        with open(paths.IPA_DEFAULT_CONF, 'w') as f:
+            parser.write(f)
+
+
+def uninstall():
+    dogtag_constants = dogtag.configured_constants()
+
+    kra_instance = krainstance.KRAInstance(
+        api.env.realm, dogtag_constants=dogtag_constants)
+    kra_instance.stop_tracking_certificates()
+    if kra_instance.is_installed():
+        kra_instance.uninstall()
+
+    # Update config file
+    if os.path.exists(paths.IPA_DEFAULT_CONF):
+        parser = RawConfigParser()
+        parser.read(paths.IPA_DEFAULT_CONF)
+        parser.set('global', 'enable_kra', 'False')
+
+        with open(paths.IPA_DEFAULT_CONF, 'w') as f:
+            parser.write(f)
+
+
+def check_install(options, dm_password, setup_ca=False, replica_file=None):
+    enable_kra = False
+    dogtag_version = dogtag.install_constants.DOGTAG_VERSION
+
+    if hasattr(api.env, 'enable_kra'):
+        enable_kra = api.env.enable_kra
+    if hasattr(api.env, 'dogtag_version'):
+        dogtag_version = int(api.env.dogtag_version)
+
+    if enable_kra:
+        raise RuntimeError("KRA is already installed.")
+
+    if not setup_ca:
+        if cainstance.is_ca_installed_locally():
+            if dogtag_version >= 10:
+                # correct dogtag version of CA installed
+                pass
+            else:
+                raise RuntimeError(
+                    "Dogtag must be version 10.2 or above to install KRA")
+        else:
+            raise RuntimeError(
+                "Dogtag CA is not installed.  Please install the CA first")
+
+    if replica_file is not None:
+        replica_config = create_replica_config(
+            dm_password,
+            replica_file,
+            options)
+
+        if not read_replica_info_kra_enabled(replica_config.dir):
+            raise RuntimeError(
+                "Either KRA is not installed on the master system or "
+                "your replica file is out of date"
+            )
+
+
+def check_uninstall():
+    if hasattr(api.env, 'enable_kra') and not api.env.enable_kra:
+        raise RuntimeError(
+            "Cannot uninstall.  There is no KRA installed on this system."
+        )
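Review bot: The `enable_kra` update is written out twice, in `install()` and in `uninstall()`, differing only in the value. Both copies silently do nothing when `paths.IPA_DEFAULT_CONF` is missing, so a successful install can leave no record for the `api.env.enable_kra` checks in `check_install()` and `check_uninstall()`, assuming that value is loaded from this file. A single private helper removes the duplication and gives one place to log or raise when the file is absent. Opening the file with `'w'` also truncates it before `parser.write(f)` runs, so a failure in between leaves the config empty. The four public functions would benefit from one-line docstrings stating what each raises.

```python
def _set_enable_kra(value):
    # Record the KRA state in default.conf; skipped when the file is absent.
    if not os.path.exists(paths.IPA_DEFAULT_CONF):
        return
    parser = RawConfigParser()
    parser.read(paths.IPA_DEFAULT_CONF)
    parser.set('global', 'enable_kra', value)

    with open(paths.IPA_DEFAULT_CONF, 'w') as f:
        parser.write(f)


def install(options, dm_password, replica_file=None):
    # … unchanged: instance setup, client auth, httpd restart …
    _set_enable_kra('True')


def uninstall():
    # … unchanged: stop tracking certificates, remove the instance …
    _set_enable_kra('False')
```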
-- 
2.1.0
