Dne 10.6.2015 v 18:08 David Kupka napsal(a):
Dne 10.6.2015 v 13:25 Jan Cholasta napsal(a):
Hi,

the attached patches fix several shortcomings in ipa-kra-install, see
commit messages.

<https://fedorahosted.org/freeipa/ticket/3872>

(Patch 434 was introduced in
<https://www.redhat.com/archives/freeipa-devel/2015-June/msg00035.html>.)

Honza


There are two issues:
1) https://fedorahosted.org/freeipa/ticket/5059 but it is just a missing
check and can be fixed later.

2) kra.install() was called before http_install() but kra installation
needs httpd running. This is fixed in attached patch.



I accidentally included change in Makefile, updated patch attached.
Also I forgot to explicitly write 'ACK' to fulfill the process requirements, so: Works for me, ACK.
--
David Kupka
From a56cee4c6e0fc9fa246f5d7c053218a21819eae7 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Wed, 10 Jun 2015 08:50:42 +0000
Subject: [PATCH] vault: Fix ipa-kra-install

Use state in LDAP rather than local state to check if KRA is installed.
Use correct log file names.

https://fedorahosted.org/freeipa/ticket/3872
---
 API.txt                                    |  6 +++
 VERSION                                    |  4 +-
 ipalib/plugins/vault.py                    | 38 ++++++++++++-----
 ipaplatform/base/paths.py                  |  4 +-
 ipaserver/install/installutils.py          | 16 --------
 ipaserver/install/ipa_kra_install.py       | 22 ++++++----
 ipaserver/install/kra.py                   | 65 +++++++++++++-----------------
 ipaserver/install/server/install.py        |  7 ++--
 ipaserver/install/server/replicainstall.py | 33 +++++++--------
 ipaserver/install/service.py               |  1 +
 ipaserver/plugins/dogtag.py                |  2 +-
 11 files changed, 102 insertions(+), 96 deletions(-)

diff --git a/API.txt b/API.txt
index 9e3f223b7ac338840d7090299f9108e951ea920a..9e41ece74c94d5d1f9ee2900461b02b56a6f562b 100644
--- a/API.txt
+++ b/API.txt
@@ -2487,6 +2487,12 @@ option: Str('version?', exclude='webui')
 output: Output('commands', <type 'dict'>, None)
 output: Output('methods', <type 'dict'>, None)
 output: Output('objects', <type 'dict'>, None)
+command: kra_is_enabled
+args: 0,1,3
+option: Str('version?', exclude='webui')
+output: Output('result', <type 'bool'>, None)
+output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
+output: PrimaryKey('value', None, None)
 command: krbtpolicy_mod
 args: 1,9,3
 arg: Str('uid', attribute=True, cli_name='user', multivalue=False, primary_key=True, query=True, required=False)
diff --git a/VERSION b/VERSION
index 535b3e228a3500f2013ea793b19a97d9fbd05021..a8d484cce2a79ed97826a24e06ea0564e99acaa6 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
 #                                                      #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=126
-# Last change: edewata - added vault-archive and vault-retrieve
+IPA_API_VERSION_MINOR=127
+# Last change: jcholast - add kra_is_enabled
diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py
index e1e64aa40331067e610661142fc7e4c1340a56dd..f80ecfdfa72671a68822f9f87599d8d5f2898728 100644
--- a/ipalib/plugins/vault.py
+++ b/ipalib/plugins/vault.py
@@ -33,7 +33,7 @@ from ipalib import output
 from ipalib.crud import PKQuery, Retrieve, Update
 from ipalib.plugable import Registry
 from ipalib.plugins.baseldap import LDAPObject, LDAPCreate, LDAPDelete,\
-    LDAPSearch, LDAPUpdate, LDAPRetrieve
+    LDAPSearch, LDAPUpdate, LDAPRetrieve, pkey_to_value
 from ipalib.request import context
 from ipalib.plugins.user import split_principal
 from ipalib import _, ngettext
@@ -320,7 +320,7 @@ class vault_add(LDAPCreate):
                      **options):
         assert isinstance(dn, DN)
 
-        if not self.api.env.enable_kra:
+        if not self.api.Command.kra_is_enabled()['result']:
             raise errors.InvocationError(
                 format=_('KRA service is not enabled'))
 
@@ -344,7 +344,7 @@ class vault_del(LDAPDelete):
     def pre_callback(self, ldap, dn, *keys, **options):
         assert isinstance(dn, DN)
 
-        if not self.api.env.enable_kra:
+        if not self.api.Command.kra_is_enabled()['result']:
             raise errors.InvocationError(
                 format=_('KRA service is not enabled'))
 
@@ -390,7 +390,7 @@ class vault_find(LDAPSearch):
                      **options):
         assert isinstance(base_dn, DN)
 
-        if not self.api.env.enable_kra:
+        if not self.api.Command.kra_is_enabled()['result']:
             raise errors.InvocationError(
                 format=_('KRA service is not enabled'))
 
@@ -422,7 +422,7 @@ class vault_mod(LDAPUpdate):
 
         assert isinstance(dn, DN)
 
-        if not self.api.env.enable_kra:
+        if not self.api.Command.kra_is_enabled()['result']:
             raise errors.InvocationError(
                 format=_('KRA service is not enabled'))
 
@@ -438,7 +438,7 @@ class vault_show(LDAPRetrieve):
     def pre_callback(self, ldap, dn, attrs_list, *keys, **options):
         assert isinstance(dn, DN)
 
-        if not self.api.env.enable_kra:
+        if not self.api.Command.kra_is_enabled()['result']:
             raise errors.InvocationError(
                 format=_('KRA service is not enabled'))
 
@@ -486,7 +486,7 @@ class vaultconfig_show(Retrieve):
 
     def execute(self, *args, **options):
 
-        if not self.api.env.enable_kra:
+        if not self.api.Command.kra_is_enabled()['result']:
             raise errors.InvocationError(
                 format=_('KRA service is not enabled'))
 
@@ -624,7 +624,7 @@ class vault_archive_encrypted(Update):
 
     def execute(self, *args, **options):
 
-        if not self.api.env.enable_kra:
+        if not self.api.Command.kra_is_enabled()['result']:
             raise errors.InvocationError(
                 format=_('KRA service is not enabled'))
 
@@ -774,7 +774,7 @@ class vault_retrieve_encrypted(Retrieve):
 
     def execute(self, *args, **options):
 
-        if not self.api.env.enable_kra:
+        if not self.api.Command.kra_is_enabled()['result']:
             raise errors.InvocationError(
                 format=_('KRA service is not enabled'))
 
@@ -813,3 +813,23 @@ class vault_retrieve_encrypted(Retrieve):
         kra_account.logout()
 
         return result
+
+
+@register()
+class kra_is_enabled(Command):
+    NO_CLI = True
+
+    has_output = output.standard_value
+
+    def execute(self, *args, **options):
+        base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
+                     self.api.env.basedn)
+        filter = '(&(objectClass=ipaConfigObject)(cn=KRA))'
+        try:
+            self.api.Backend.ldap2.find_entries(
+                base_dn=base_dn, filter=filter, attrs_list=[])
+        except errors.NotFound:
+            result = False
+        else:
+            result = True
+        return dict(result=result, value=pkey_to_value(None, options))
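Review bot: `except errors.NotFound` maps two different situations onto `result = False`: no KRA master entry exists, and the bound identity is simply not allowed to read under `cn=masters,cn=ipa,cn=etc` (a read denial can come back as an empty search rather than an error, which is what NotFound reflects here). Since every vault command now keys off this result, a caller without that read access would be told 'KRA service is not enabled' instead of getting a permission error, so it is worth confirming the search base is readable to all authenticated principals or stating the assumption in a docstring such as `"""Return True if a KRA master entry exists under cn=masters. Needs a connected ldap2 backend; a search the caller may not read is reported as not enabled."""`. Also `filter` shadows the builtin (`ldap_filter` avoids that), and the command is part of the public API per API.txt but has no docstring.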
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index b83e9482a490a12ec2061f0589ffdb4f1d2fc8d0..174c7d1758b6f81928a0775e76d80b4fccea67e8 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -309,6 +309,8 @@ class BasePathNamespace(object):
     IPARESTORE_LOG = "/var/log/iparestore.log"
     IPASERVER_CA_INSTALL_LOG = "/var/log/ipaserver-ca-install.log"
     IPASERVER_INSTALL_LOG = "/var/log/ipaserver-install.log"
+    IPASERVER_KRA_INSTALL_LOG = "/var/log/ipaserver-kra-install.log"
+    IPASERVER_KRA_UNINSTALL_LOG = "/var/log/ipaserver-kra-uninstall.log"
     IPASERVER_UNINSTALL_LOG = "/var/log/ipaserver-uninstall.log"
     IPAUPGRADE_LOG = "/var/log/ipaupgrade.log"
     KADMIND_LOG = "/var/log/kadmind.log"
@@ -316,8 +318,6 @@ class BasePathNamespace(object):
     PKI_CA_LOG_DIR = "/var/log/pki-ca"
     PKI_CA_INSTALL_LOG = "/var/log/pki-ca-install.log"
     PKI_CA_UNINSTALL_LOG = "/var/log/pki-ca-uninstall.log"
-    PKI_KRA_INSTALL_LOG = "/var/log/pki-kra-install.log"
-    PKI_KRA_UNINSTALL_LOG = "/var/log/pki-kra-uninstall.log"
     VAR_LOG_PKI_DIR = "/var/log/pki/"
     TOMCAT_TOPLEVEL_DIR = "/var/log/pki/pki-tomcat"
     TOMCAT_CA_DIR = "/var/log/pki/pki-tomcat/ca"
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 9d0998f5f048e8ad99f8dcb0718138942562716f..5fb2bb29fa123d137e3605709690024d62767ad2 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -584,22 +584,6 @@ def read_replica_info_dogtag_port(config_dir):
 
     return dogtag_master_ds_port
 
-def read_replica_info_kra_enabled(config_dir):
-    """
-    Check the replica info to determine if a KRA has been installed
-    on the master
-    """
-    default_file = config_dir + "/default.conf"
-    if not ipautil.file_exists(default_file):
-        return False
-    else:
-        with open(default_file) as fd:
-            config = SafeConfigParser()
-            config.readfp(fd)
-
-            enable_kra = config.getboolean("global", "enable_kra")
-            return enable_kra
-
 
 def create_replica_config(dirman_password, filename, options):
     top_dir = None
diff --git a/ipaserver/install/ipa_kra_install.py b/ipaserver/install/ipa_kra_install.py
index edb622583cd5ca9d2ea42472f4b7b570e59e6546..d75a2427352851fecc045707a8cf73f99d05843b 100644
--- a/ipaserver/install/ipa_kra_install.py
+++ b/ipaserver/install/ipa_kra_install.py
@@ -23,7 +23,10 @@ from ipalib import api
 from ipaplatform import services
 from ipaplatform.paths import paths
 from ipapython import admintool
+from ipapython import dogtag
 from ipapython import ipautil
+from ipapython.dn import DN
+from ipaserver.install import krainstance
 from ipaserver.install import installutils
 from ipaserver.install.installutils import create_replica_config
 from ipaserver.install import dogtaginstance
@@ -80,7 +83,7 @@ class KRAInstall(admintool.AdminTool):
 
 
 class KRAUninstaller(KRAInstall):
-    log_file_name = paths.PKI_KRA_UNINSTALL_LOG
+    log_file_name = paths.IPASERVER_KRA_UNINSTALL_LOG
 
     def validate_options(self, needs_root=True):
         super(KRAUninstaller, self).validate_options(needs_root=True)
@@ -88,18 +91,20 @@ class KRAUninstaller(KRAInstall):
         if self.args:
             self.option_parser.error("Too many parameters provided.")
 
-        if not api.env.enable_kra:
+        dogtag_constants = dogtag.configured_constants(api)
+        _kra = krainstance.KRAInstance(api, dogtag_constants=dogtag_constants)
+        if not _kra.is_installed():
             self.option_parser.error(
                 "Cannot uninstall.  There is no KRA installed on this system."
             )
 
     def run(self):
         super(KRAUninstaller, self).run()
-        kra.uninstall()
+        kra.uninstall(True)
 
 
 class KRAInstaller(KRAInstall):
-    log_file_name = paths.PKI_KRA_INSTALL_LOG
+    log_file_name = paths.IPASERVER_KRA_INSTALL_LOG
 
     INSTALLER_START_MESSAGE = '''
         ===================================================================
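Review bot: `krainstance.KRAInstance(api, dogtag_constants=dogtag_constants)` passes the api object as the first positional argument, while kra.py in this same series constructs the class as `krainstance.KRAInstance(api.env.realm, dogtag_constants=dogtag_constants)` in both install_check and uninstall; the two cannot both be right, and the uninstaller line most likely should read `_kra = krainstance.KRAInstance(api.env.realm, dogtag_constants=dogtag_constants)`. If is_installed() never touches the realm the mistake will stay hidden until some other method on the instance is called. Separately, `kra.uninstall(True)` would be clearer with the flag named, `kra.uninstall(standalone=True)`, and the same applies to the `kra.uninstall(False)` call in server/install.py.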
@@ -161,15 +166,18 @@ class KRAInstaller(KRAInstall):
                 self.replica_file,
                 self.options)
 
+        self.options.dm_password = self.options.password
         self.options.setup_ca = False
 
+        api.Backend.ldap2.connect(bind_dn=DN('cn=Directory Manager'),
+                                  bind_pw=self.options.dm_password)
+
         try:
-            kra.install_check(replica_config, self.options, api.env.enable_kra,
-                              int(api.env.dogtag_version))
+            kra.install_check(api, replica_config, self.options)
         except RuntimeError as e:
             raise admintool.ScriptError(str(e))
 
-        kra.install(replica_config, self.options, self.options.password)
+        kra.install(api, replica_config, self.options)
 
         # Restart apache for new proxy config file
         services.knownservices.httpd.restart(capture_output=True)
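Review bot: `api.Backend.ldap2.connect(bind_dn=DN('cn=Directory Manager'), bind_pw=self.options.dm_password)` opens a Directory Manager bind and nothing in this hunk closes it, including on the `admintool.ScriptError` path taken when install_check fails; unless it is disconnected later in the method (the body continues outside the hunk), the code after the connect should sit in `try: ... finally: api.Backend.ldap2.disconnect()`. `self.options.dm_password = self.options.password` also copies the DM password onto the long-lived options object solely so kra.install can read it back, where the removed signature passed it explicitly and kept the secret's scope narrower. The enclosing method starts outside the hunk.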
diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py
index 8083c742775796d32cef6d021bc4c87401306172..b55dfb70266af1ac94d19b3c1ee9499194401ef5 100644
--- a/ipaserver/install/kra.py
+++ b/ipaserver/install/kra.py
@@ -2,25 +2,25 @@
 # Copyright (C) 2015  FreeIPA Contributors see COPYING for license
 #
 
-import os
-from ConfigParser import RawConfigParser
-from ipalib import api
-from ipaplatform.paths import paths
+from ipalib import api, errors
 from ipapython import dogtag
+from ipapython.dn import DN
 from ipaserver.install import cainstance
 from ipaserver.install import krainstance
 from ipaserver.install import dsinstance
 from ipaserver.install import service
-from ipaserver.install.installutils import read_replica_info_kra_enabled
 
 
-def install_check(replica_config, options, enable_kra, dogtag_version):
-    if enable_kra:
+def install_check(api, replica_config, options):
+    dogtag_constants = dogtag.configured_constants(api=api)
+    kra = krainstance.KRAInstance(api.env.realm,
+                                  dogtag_constants=dogtag_constants)
+    if kra.is_installed():
         raise RuntimeError("KRA is already installed.")
 
     if not options.setup_ca:
         if cainstance.is_ca_installed_locally():
-            if dogtag_version >= 10:
+            if api.env.dogtag_version >= 10:
                 # correct dogtag version of CA installed
                 pass
             else:
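Review bot: The new parameter in `def install_check(api, replica_config, options):` shadows the module-level `from ipalib import api` that uninstall() further down still depends on, so the same name means different objects depending on which function you are reading; either pass the api into uninstall as well, or mark the import with `# module-level api is used only by uninstall(); install()/install_check() receive the api to use explicitly`. Also `api.env.dogtag_version >= 10` replaces a caller that previously compared `int(api.env.dogtag_version)`; if that env value can still arrive as a string, the Python 2 comparison of str against int is always True and the version check silently passes, so keep the `int()` unless Env is known to coerce it.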
@@ -31,14 +31,11 @@ def install_check(replica_config, options, enable_kra, dogtag_version):
                 "Dogtag CA is not installed.  Please install the CA first")
 
     if replica_config is not None:
-        if not read_replica_info_kra_enabled(replica_config.dir):
-            raise RuntimeError(
-                "Either KRA is not installed on the master system or "
-                "your replica file is out of date"
-            )
+        if not api.Command.kra_is_enabled()['result']:
+            raise RuntimeError("KRA is not installed on the master system")
 
 
-def install(replica_config, options, dm_password):
+def install(api, replica_config, options):
     subject = dsinstance.DsInstance().find_subject_base()
     if replica_config is None:
         kra = krainstance.KRAInstance(
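Review bot: `api.Command.kra_is_enabled()['result']` only works when `api.Backend.ldap2` is already connected (the command runs an LDAP search), and the callers added in this series do connect first, but install_check itself neither documents nor verifies that precondition. A docstring along the lines of `"""Check that a KRA can be installed. When replica_config is given, api must have a connected Backend.ldap2, because kra_is_enabled queries cn=masters over it."""` would make the contract visible to the next caller. The enclosing install_check starts in the previous hunk; install() continues past the end of this one.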
@@ -55,31 +52,25 @@ def install(replica_config, options, dm_password):
     ds = dsinstance.DsInstance()
     ds.restart()
 
+    kra.ldap_enable('KRA', api.env.host, options.dm_password, api.env.basedn)
+
     kra.enable_client_auth_to_db(kra.dogtag_constants.KRA_CS_CFG_PATH)
 
-    # Update config file
-    parser = RawConfigParser()
-    parser.read(paths.IPA_DEFAULT_CONF)
-    parser.set('global', 'enable_kra', 'True')
 
-    with open(paths.IPA_DEFAULT_CONF, 'w') as f:
-        parser.write(f)
+def uninstall(standalone):
+    dogtag_constants = dogtag.configured_constants(api)
+    kra = krainstance.KRAInstance(api.env.realm,
+                                  dogtag_constants=dogtag_constants)
 
+    if standalone:
+        kra.ldap_connect()
+        try:
+            kra.admin_conn.delete_entry(DN(('cn', 'KRA'), ('cn', api.env.host),
+                                           ('cn', 'masters'), ('cn', 'ipa'),
+                                           ('cn', 'etc'), api.env.basedn))
+        except errors.NotFound:
+            pass
 
-def uninstall():
-    dogtag_constants = dogtag.configured_constants(api=api)
-
-    kra_instance = krainstance.KRAInstance(
-        api.env.realm, dogtag_constants=dogtag_constants)
-    kra_instance.stop_tracking_certificates()
-    if kra_instance.is_installed():
-        kra_instance.uninstall()
-
-    # Check if config file exists, then update it
-    if os.path.exists(paths.IPA_DEFAULT_CONF):
-        parser = RawConfigParser()
-        parser.read(paths.IPA_DEFAULT_CONF)
-        parser.set('global', 'enable_kra', 'False')
-
-        with open(paths.IPA_DEFAULT_CONF, 'w') as f:
-            parser.write(f)
+    kra.stop_tracking_certificates()
+    if kra.is_installed():
+        kra.uninstall()
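Review bot: `kra.ldap_connect()` in the `standalone` branch opens a connection that is never released in this function, even though the single delete_entry call is all that uses it; if Service offers `kra.ldap_disconnect()` as the counterpart, calling it in a `finally` after the delete would close the connection before the pki uninstall runs. uninstall() also keeps using the module-global `api` while install() and install_check() now take one as a parameter, so ipa_kra_install passes an api to two of the three entry points and relies on the import for the third. The `except errors.NotFound: pass` reads as deliberate best effort, but `# master entry already gone; nothing to remove` would say so.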
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 89473dc02b90aeb5a31e19cdf87ed7c074a3d84a..bde34851871f9b9f2bdf6dfecfd428755cc42e31 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -602,8 +602,7 @@ def install_check(installer):
 
     if setup_kra:
         try:
-            kra.install_check(None, options, False,
-                              dogtag.install_constants.DOGTAG_VERSION)
+            kra.install_check(api, None, options)
         except RuntimeError as e:
             print str(e)
             sys.exit(1)
@@ -865,7 +864,7 @@ def install(installer):
     http.restart()
 
     if setup_kra:
-        kra.install(None, options, dm_password)
+        kra.install(api, None, options)
 
     # Set the admin user kerberos password
     ds.change_admin_password(admin_password)
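Review bot: `kra.install(api, None, options)` drops the explicit `dm_password` argument, and kra.install now reads `options.dm_password` instead, but nothing in this hunk shows that attribute being set on options in install.py; the other call sites in the series assign it right before the call (`options.dm_password = self.options.password` in ipa_kra_install, `options.dm_password = config.dirman_password` in replicainstall). Confirm install.py populates it earlier, or add `options.dm_password = dm_password` before the call so the previously passed local is still what kra.ldap_enable binds with. The enclosing install() starts outside the hunk.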
@@ -1060,7 +1059,7 @@ def uninstall(installer):
 
     ntpinstance.NTPInstance(fstore).uninstall()
 
-    kra.uninstall()
+    kra.uninstall(False)
 
     ca.uninstall(dogtag_constants)
 
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 0429a4057b14f18f48e2d1d01fe259f094844697..34580ce198b40f922ea984c1eea2dcd0c3aebb08 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -379,8 +379,6 @@ def install_check(installer):
             fd.write("enable_ra=False\n")
             fd.write("ra_plugin=none\n")
 
-        fd.write("enable_kra=%s\n" % config.setup_kra)
-
         fd.write("mode=production\n")
         fd.close()
     finally:
@@ -480,6 +478,18 @@ def install_check(installer):
             root_logger.debug('No IPA DNS servers, '
                               'skipping forward/reverse resolution check')
 
+        if options.setup_ca:
+            options.realm_name = config.realm_name
+            options.host_name = config.host_name
+            options.subject = config.subject_base
+            ca.install_check(False, config, options)
+
+        if config.setup_kra:
+            try:
+                kra.install_check(remote_api, config, options)
+            except RuntimeError as e:
+                print str(e)
+                sys.exit(1)
     except errors.ACIError:
         sys.exit("\nThe password provided is incorrect for LDAP server "
                  "%s" % config.master_host_name)
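Review bot: `kra.install_check(remote_api, config, options)` hands the master's api to a check that also inspects the local CA: kra.install_check reads `api.env.dogtag_version` and `api.env.realm` from whatever api it is given, so its `>= 10` branch is now evaluated against the remote environment rather than the CA installed on this host. If that is intended because kra_is_enabled must be answered by the master, a comment such as `# remote_api: kra_is_enabled must be answered by the master's LDAP` would make it explicit; if not, the local dogtag version needs to be checked with the local api. The `try` these checks were moved into begins outside the hunk.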
@@ -492,20 +502,6 @@ def install_check(installer):
         if conn.isconnected():
             conn.disconnect()
 
-    if options.setup_ca:
-        options.realm_name = config.realm_name
-        options.host_name = config.host_name
-        options.subject = config.subject_base
-        ca.install_check(False, config, options)
-
-    if config.setup_kra:
-        try:
-            kra.install_check(config, options, False,
-                              dogtag.install_constants.DOGTAG_VERSION)
-        except RuntimeError as e:
-            print str(e)
-            sys.exit(1)
-
     if options.setup_dns:
         dns.install_check(False, True, options, config.host_name)
     else:
@@ -567,10 +563,11 @@ def install(installer):
         if conn.isconnected():
             conn.disconnect()
 
+    options.dm_password = config.dirman_password
+
     if config.setup_ca:
         options.realm_name = config.realm_name
         options.domain_name = config.domain_name
-        options.dm_password = config.dirman_password
         options.host_name = config.host_name
 
         ca.install(False, config, options)
@@ -591,7 +588,7 @@ def install(installer):
     ds.apply_updates()
 
     if options.setup_kra:
-        kra.install(config, options, config.dirman_password)
+        kra.install(api, config, options)
     else:
         service.print_msg("Restarting the directory server")
         ds.restart()
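Review bot: `if options.setup_kra:` gates the install here, while the matching install_check added earlier in this file is gated on `config.setup_kra`; if the two flags can ever disagree, install_check may be skipped for a KRA that is then installed, or run for one that is not. Reading the same source in both places, `if config.setup_kra:`, removes the ambiguity. The enclosing install() starts outside the hunk.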
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index e4e5dd3ac304676df41dff2889eead8d8e253ecf..88307a077eab7a51162cec5e9ad1df5436db9c9b 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -41,6 +41,7 @@ SERVICE_LIST = {
     'MEMCACHE': ('ipa_memcached', 39),
     'HTTP': ('httpd', 40),
     'CA': ('%sd' % dogtag.configured_constants().PKI_INSTANCE_NAME, 50),
+    'KRA': ('%sd' % dogtag.configured_constants().PKI_INSTANCE_NAME, 51),
     'ADTRUST': ('smb', 60),
     'EXTID': ('winbind', 70),
     'OTPD': ('ipa-otpd', 80),
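Review bot: `'KRA': ('%sd' % dogtag.configured_constants().PKI_INSTANCE_NAME, 51)` maps KRA to exactly the same daemon name as the `'CA'` entry above it, so any consumer that walks SERVICE_LIST to start, stop or restart services will act on that one PKI instance twice, presumably once at order 50 and again at 51. Confirm those operations are idempotent for this case, or note the intent inline: `# KRA runs inside the CA's PKI instance; the duplicate daemon name is deliberate`.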
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index e60cced1a35df821d900407df2d9b66371c61510..a5b7d238233036e37edfa5886fb5942f0e06c7ee 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -1909,7 +1909,7 @@ class kra(Backend):
         Raises a generic exception if KRA is not enabled.
         """
 
-        if not api.env.enable_kra:
+        if not self.api.Command.kra_is_enabled()['result']:
             # TODO: replace this with a more specific exception
             raise RuntimeError('KRA service is not enabled')
 
-- 
2.4.2
