On 05/21/2015 10:16 AM, Martin Babinsky wrote:
On 05/19/2015 08:23 PM, Martin Babinsky wrote:
This patch is required for the installer ref@#$%&ing work
(https://fedorahosted.org/freeipa/ticket/4468).

It required quite a bit of hacking to get it to work as expected, but I
hope that it's not so bad.

Requires PATCH 0035 "do not check for directory manager password during
KRA uninstall" to apply.



Attaching rebased patch that should apply cleanly on current master
without prerequisites.



Attaching updated patch.

--
Martin^3 Babinsky
From bbc4fbf6831eeecb1b423fcb717db1097dc3e35b Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Fri, 15 May 2015 19:02:22 +0200
Subject: [PATCH] merge KRA installation machinery to a single module

This is a prerequisite to further refactoring of KRA install/uninstall
functionality in all IPA install scripts.

https://fedorahosted.org/freeipa/ticket/4468
---
 install/tools/ipa-replica-install    | 21 ++++-----
 install/tools/ipa-server-install     | 29 +++++-------
 ipaserver/install/ipa_kra_install.py | 83 ++++++-----------------------------
 ipaserver/install/kra.py             | 85 ++++++++++++++++++++++++++++++++++++
 4 files changed, 118 insertions(+), 100 deletions(-)
 create mode 100644 ipaserver/install/kra.py

diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index f68cc8cf4722264ecea2f1f50de3aa245be24ef9..c75848b1ada91254a41245df240ede24c477d5b1 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -37,10 +37,10 @@ from ipaserver.install import memcacheinstance, dnskeysyncinstance
 from ipaserver.install import otpdinstance
 from ipaserver.install.replication import replica_conn_check, ReplicationManager
 from ipaserver.install.installutils import (
-    create_replica_config, read_replica_info_kra_enabled, private_ccache)
+    create_replica_config, private_ccache)
 from ipaserver.plugins.ldap2 import ldap2
 from ipaserver.install import cainstance
-from ipaserver.install import krainstance
+from ipaserver.install import kra
 from ipaserver.install import dns as dns_installer
 from ipalib import api, create_api, errors, util, certstore, x509
 from ipalib.constants import CACERT
@@ -473,12 +473,12 @@ def main():
 
     config.setup_kra = options.setup_kra
     if config.setup_kra:
-        if not config.setup_ca:
-            print "CA must be installed with the KRA"
-            sys.exit(1)
-        if not read_replica_info_kra_enabled(config.dir):
-            print "KRA is not installed on the master system"
-            sys.exit(1)
+        try:
+            kra.install_check(config, options, False,
+                              dogtag.install_constants.DOGTAG_VERSION)
+        except RuntimeError as e:
+            print str(e)
+            exit(1)
 
     installutils.verify_fqdn(config.master_host_name, options.no_host_dns)
 
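Review bot: The new error path calls the builtin `exit(1)` where the removed lines used `sys.exit(1)`; `exit` is a convenience installed by the `site` module and is absent under `python -S` or a customised site, and `sys` is already imported in this script, so keep `sys.exit(1)`. The same substitution appears in the ipa-server-install hunk that adds the `kra.install_check(None, options, ...)` call. The enclosing main() continues outside the hunk.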
@@ -660,10 +660,7 @@ def main():
     ds.apply_updates()
 
     if options.setup_kra:
-        kra = krainstance.install_replica_kra(config)
-        service.print_msg("Restarting the directory server")
-        ds.restart()
-        kra.enable_client_auth_to_db(kra.dogtag_constants.KRA_CS_CFG_PATH)
+        kra.install(config, options, dirman_password)
     else:
         service.print_msg("Restarting the directory server")
         ds.restart()
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index cb6e1abe2016c0f8cefc35b1d685373f05b3ef89..9bb8955dc15d1682edf33d7652de0829771267f3 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -53,13 +53,13 @@ from ipaserver.install import httpinstance
 from ipaserver.install import ntpinstance
 from ipaserver.install import certs
 from ipaserver.install import cainstance
-from ipaserver.install import krainstance
 from ipaserver.install import memcacheinstance
 from ipaserver.install import otpdinstance
 from ipaserver.install import sysupgrade
 from ipaserver.install import replication
 from ipaserver.install import dns as dns_installer
 from ipaserver.install import service, installutils
+from ipaserver.install import kra
 from ipapython import version
 from ipapython import certmonger
 from ipapython import ipaldap
@@ -577,11 +577,7 @@ def uninstall():
         if cads_instance.is_configured():
             cads_instance.uninstall()
 
-    kra_instance = krainstance.KRAInstance(
-        api.env.realm, dogtag_constants=dogtag_constants)
-    kra_instance.stop_tracking_certificates()
-    if kra_instance.is_installed():
-        kra_instance.uninstall()
+    kra.uninstall()
 
     ca_instance = cainstance.CAInstance(
         api.env.realm, certs.NSS_DIR, dogtag_constants=dogtag_constants)
@@ -1036,6 +1032,14 @@ def main():
     else:
         admin_password = options.admin_password
 
+    if setup_kra:
+        try:
+            kra.install_check(None, options, False,
+                              dogtag.install_constants.DOGTAG_VERSION)
+        except RuntimeError as e:
+            print str(e)
+            exit(1)
+
     if options.setup_dns:
         dns_installer.install_check(False, False, options, host_name)
         ip_addresses = dns_installer.ip_addresses
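Review bot: `kra.install_check(None, options, ...)` reads `options.setup_ca` inside install_check, but in this script `setup_kra` is a local (see the `if setup_kra:` guard on the first added line), which suggests `setup_ca` may likewise be a local rather than an attribute of `options`; if so the call raises AttributeError, which the `except RuntimeError` below does not catch, instead of the intended one-line message. The ipa-kra-install hunk in this same patch sidesteps exactly this by assigning `self.options.setup_ca = False` before the call, so either confirm the attribute exists on the server-install options object or set it the same way here. The enclosing main() continues outside the hunk.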
@@ -1290,18 +1294,7 @@ def main():
     http.restart()
 
     if setup_kra:
-        kra = krainstance.KRAInstance(realm_name,
-            dogtag_constants=dogtag.install_constants)
-        kra.configure_instance(host_name, domain_name, dm_password,
-                               dm_password, subject_base=options.subject)
-
-        # This is done within stopped_service context, which restarts KRA
-        service.print_msg("Restarting the directory server")
-        ds.restart()
-
-        service.print_msg("Enabling KRA to authenticate with the database "
-                          "using client certificates")
-        kra.enable_client_auth_to_db(kra.dogtag_constants.KRA_CS_CFG_PATH)
+        kra.install(None, options, dm_password)
 
     # Set the admin user kerberos password
     ds.change_admin_password(admin_password)
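Review bot: `kra.install(None, options, dm_password)` derives the subject base inside kra.install from `dsinstance.DsInstance().find_subject_base()`, whereas the removed `configure_instance` call passed `subject_base=options.subject`; the two presumably coincide once the directory server was configured with `options.subject`, but it is a behaviour change the commit message does not mention and deserves a sentence there or a comment above the call. The `Enabling KRA to authenticate with the database using client certificates` progress message is also dropped, so the user now sees only the directory-server restart for this step. The enclosing main() continues outside the hunk.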
diff --git a/ipaserver/install/ipa_kra_install.py b/ipaserver/install/ipa_kra_install.py
index 386da286ab11b043ebd12e18047c73e23baa5672..edb622583cd5ca9d2ea42472f4b7b570e59e6546 100644
--- a/ipaserver/install/ipa_kra_install.py
+++ b/ipaserver/install/ipa_kra_install.py
@@ -18,22 +18,16 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #
 
-from ConfigParser import RawConfigParser
 from textwrap import dedent
 from ipalib import api
 from ipaplatform import services
 from ipaplatform.paths import paths
 from ipapython import admintool
-from ipapython import dogtag
 from ipapython import ipautil
-from ipaserver.install import cainstance
-from ipaserver.install import dogtaginstance
-from ipaserver.install import krainstance
-from ipaserver.install import dsinstance
 from ipaserver.install import installutils
-from ipaserver.install import service
-from ipaserver.install.installutils import (
-    read_replica_info_kra_enabled, create_replica_config)
+from ipaserver.install.installutils import create_replica_config
+from ipaserver.install import dogtaginstance
+from ipaserver.install import kra
 
 
 class KRAInstall(admintool.AdminTool):
@@ -101,21 +95,7 @@ class KRAUninstaller(KRAInstall):
 
     def run(self):
         super(KRAUninstaller, self).run()
-        dogtag_constants = dogtag.configured_constants()
-
-        kra_instance = krainstance.KRAInstance(
-            api.env.realm, dogtag_constants=dogtag_constants)
-        kra_instance.stop_tracking_certificates()
-        if kra_instance.is_installed():
-            kra_instance.uninstall()
-
-        # Update config file
-        parser = RawConfigParser()
-        parser.read(paths.IPA_DEFAULT_CONF)
-        parser.set('global', 'enable_kra', 'False')
-
-        with open(paths.IPA_DEFAULT_CONF, 'w') as f:
-            parser.write(f)
+        kra.uninstall()
 
 
 class KRAInstaller(KRAInstall):
@@ -141,26 +121,8 @@ class KRAInstaller(KRAInstall):
                 " in unattended mode"
             )
 
-        dogtag_version = int(api.env.dogtag_version)
-        enable_kra = api.env.enable_kra
-
-        if enable_kra:
-            self.option_parser.error("KRA is already installed.")
-
-        ca_installed = cainstance.is_ca_installed_locally()
-
-        if ca_installed:
-            if dogtag_version >= 10:
-                # correct dogtag version of CA installed
-                pass
-            else:
-                self.option_parser.error(
-                    "Dogtag must be version 10.2 or above to install KRA")
-        else:
-            self.option_parser.error(
-                "Dogtag CA is not installed.  Please install the CA first")
-
         self.installing_replica = dogtaginstance.is_installing_replica("KRA")
+
         if self.installing_replica:
             if not self.args:
                 self.option_parser.error("A replica file is required.")
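Review bot: The enable_kra, CA-installed and dogtag-version checks that were removed here now run only from _run (next hunk), after `super(KRAInstaller, self).run()` and the INSTALLER_START_MESSAGE banner have already executed, so `KRA is already installed.` is reported as a ScriptError mid-run rather than as an option-parse error before anything starts. If that ordering is intended, a comment above the remaining `self.installing_replica = ...` line such as `# KRA/CA prerequisite checks now happen in _run() via kra.install_check` would spare the next reader the search; otherwise call `kra.install_check` from here with `api.env.enable_kra` and `int(api.env.dogtag_version)` and translate RuntimeError into `self.option_parser.error`. The blank line added after that assignment is unneeded. validate_options starts outside the hunk.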
@@ -191,46 +153,27 @@ class KRAInstaller(KRAInstall):
         super(KRAInstaller, self).run()
         print dedent(self.INSTALLER_START_MESSAGE)
 
-        subject = dsinstance.DsInstance().find_subject_base()
         if not self.installing_replica:
-            kra = krainstance.KRAInstance(
-                api.env.realm,
-                dogtag_constants=dogtag.install_constants)
-
-            kra.configure_instance(
-                api.env.host, api.env.domain, self.options.password,
-                self.options.password, subject_base=subject)
+            replica_config = None
         else:
             replica_config = create_replica_config(
                 self.options.password,
                 self.replica_file,
                 self.options)
 
-            if not read_replica_info_kra_enabled(replica_config.dir):
-                raise admintool.ScriptError(
-                    "Either KRA is not installed on the master system or "
-                    "your replica file is out of date"
-                )
+        self.options.setup_ca = False
 
-            kra = krainstance.install_replica_kra(replica_config)
-            service.print_msg("Restarting the directory server")
+        try:
+            kra.install_check(replica_config, self.options, api.env.enable_kra,
+                              int(api.env.dogtag_version))
+        except RuntimeError as e:
+            raise admintool.ScriptError(str(e))
 
-            ds = dsinstance.DsInstance()
-            ds.restart()
-
-        kra.enable_client_auth_to_db(kra.dogtag_constants.KRA_CS_CFG_PATH)
+        kra.install(replica_config, self.options, self.options.password)
 
         # Restart apache for new proxy config file
         services.knownservices.httpd.restart(capture_output=True)
 
-        # Update config file
-        parser = RawConfigParser()
-        parser.read(paths.IPA_DEFAULT_CONF)
-        parser.set('global', 'enable_kra', 'True')
-
-        with open(paths.IPA_DEFAULT_CONF, 'w') as f:
-            parser.write(f)
-
     def run(self):
         try:
             self._run()
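Review bot: `self.options.setup_ca = False` mutates the parsed options solely so that `kra.install_check` takes its must-have-a-CA branch, and nothing on the page explains that; a comment such as `# ipa-kra-install never sets up a CA, so install_check must verify one is already present` belongs directly above it. `kra.install(replica_config, self.options, self.options.password)` passes `self.options` although kra.install never reads its options argument (see the new module in this patch), and for a replica the password is unused as well, which is worth noting until the signature is trimmed. _run begins in the previous hunk and `run` starts at the end of this one.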
diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py
new file mode 100644
index 0000000000000000000000000000000000000000..966d171dc558a1c301c6522d1cd20bdf26879147
--- /dev/null
+++ b/ipaserver/install/kra.py
@@ -0,0 +1,85 @@
+#
+# Copyright (C) 2015  FreeIPA Contributors see COPYING for license
+#
+
+import os
+from ConfigParser import RawConfigParser
+from ipalib import api
+from ipaplatform.paths import paths
+from ipapython import dogtag
+from ipaserver.install import cainstance
+from ipaserver.install import krainstance
+from ipaserver.install import dsinstance
+from ipaserver.install import service
+from ipaserver.install.installutils import read_replica_info_kra_enabled
+
+
+def install_check(replica_config, options, enable_kra, dogtag_version):
+    if enable_kra:
+        raise RuntimeError("KRA is already installed.")
+
+    if not options.setup_ca:
+        if cainstance.is_ca_installed_locally():
+            if dogtag_version >= 10:
+                # correct dogtag version of CA installed
+                pass
+            else:
+                raise RuntimeError(
+                    "Dogtag must be version 10.2 or above to install KRA")
+        else:
+            raise RuntimeError(
+                "Dogtag CA is not installed.  Please install the CA first")
+
+    if replica_config is not None:
+        if not read_replica_info_kra_enabled(replica_config.dir):
+            raise RuntimeError(
+                "Either KRA is not installed on the master system or "
+                "your replica file is out of date"
+            )
+
+
+def install(replica_config, options, dm_password):
+    subject = dsinstance.DsInstance().find_subject_base()
+    if replica_config is None:
+        kra = krainstance.KRAInstance(
+            api.env.realm,
+            dogtag_constants=dogtag.install_constants)
+
+        kra.configure_instance(
+            api.env.host, api.env.domain, dm_password,
+            dm_password, subject_base=subject)
+    else:
+        kra = krainstance.install_replica_kra(replica_config)
+
+    service.print_msg("Restarting the directory server")
+    ds = dsinstance.DsInstance()
+    ds.restart()
+
+    kra.enable_client_auth_to_db(kra.dogtag_constants.KRA_CS_CFG_PATH)
+
+    # Update config file
+    parser = RawConfigParser()
+    parser.read(paths.IPA_DEFAULT_CONF)
+    parser.set('global', 'enable_kra', 'True')
+
+    with open(paths.IPA_DEFAULT_CONF, 'w') as f:
+        parser.write(f)
+
+
+def uninstall():
+    dogtag_constants = dogtag.configured_constants()
+
+    kra_instance = krainstance.KRAInstance(
+        api.env.realm, dogtag_constants=dogtag_constants)
+    kra_instance.stop_tracking_certificates()
+    if kra_instance.is_installed():
+        kra_instance.uninstall()
+
+    # Check if config file exists, then update it
+    if os.path.exists(paths.IPA_DEFAULT_CONF):
+        parser = RawConfigParser()
+        parser.read(paths.IPA_DEFAULT_CONF)
+        parser.set('global', 'enable_kra', 'False')
+
+        with open(paths.IPA_DEFAULT_CONF, 'w') as f:
+            parser.write(f)
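Review bot: None of install_check, install and uninstall carries a docstring, and install's `options` parameter is never read in its body, so the contract the three installers now share is implicit; each function wants a docstring stating what `replica_config is None` means, that install_check raises RuntimeError for callers to translate, that install restarts the directory server and rewrites IPA_DEFAULT_CONF, and that uninstall tolerates a missing config file. The `[global] enable_kra` rewrite is duplicated in install and uninstall with different existence guards, and both truncate default.conf in place via `open(..., 'w')`, so an interruption between the truncate and `parser.write` would leave a truncated default.conf behind; a shared helper that writes a sibling temp file and renames it over the original removes both the duplication and that window (needs `import shutil` and `import tempfile`). `dogtag_version >= 10` is carried over unchanged while the message still says `10.2 or above`; align one with the other.

```python
def _set_enable_kra(value):
    """Set ``enable_kra`` in the ``[global]`` section of IPA_DEFAULT_CONF.

    The new content goes to a temporary file in the same directory and is
    renamed over the original, so a crash mid-write cannot leave a
    truncated default.conf behind.
    """
    parser = RawConfigParser()
    parser.read(paths.IPA_DEFAULT_CONF)
    parser.set('global', 'enable_kra', value)
    conf_dir = os.path.dirname(paths.IPA_DEFAULT_CONF)
    fd, tmp_path = tempfile.mkstemp(dir=conf_dir, prefix='default.conf.')
    with os.fdopen(fd, 'w') as f:
        parser.write(f)
    # keep the original file's mode rather than mkstemp's private one
    shutil.copymode(paths.IPA_DEFAULT_CONF, tmp_path)
    os.rename(tmp_path, paths.IPA_DEFAULT_CONF)


def install(replica_config, options, dm_password):
    # … unchanged: KRA instance configuration, DS restart, client auth to DB …
    _set_enable_kra('True')


def uninstall():
    # … unchanged: stop tracking certificates, uninstall the instance …
    if os.path.exists(paths.IPA_DEFAULT_CONF):
        _set_enable_kra('False')
```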
-- 
2.1.0
