Currently, when installing an additional subsystem to an existing instance, the install tool always generates a new random password in the pki_pin property, which would not work with the existing NSS database. The code has been modified to load the existing NSS database password from the instance if the instance already exists.
The PKIInstance class has been modified to allow loading a partially created instance to help the installation. https://fedorahosted.org/pki/ticket/2247 -- Endi S. Dewata
>From f5fd329e5adc5639d358e4588688dfacda09a68f Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <[email protected]>
Date: Wed, 30 Mar 2016 17:23:06 +0200
Subject: [PATCH] Fixed KRA install problem.

Currently when installing an additional subsystem to an existing instance the install tool always generates a new random password in the pki_pin property which would not work with the existing NSS database. The code has been modified to load the existing NSS database password from the instance if the instance already exists.
The PKIInstance class has been modified to allow loading partially created instance to help the installation.
https://fedorahosted.org/pki/ticket/2247
---
 base/server/python/pki/server/__init__.py | 54 ++++++++++----------
 .../python/pki/server/deployment/pkiparser.py | 18 ++++++--
 2 files changed, 44 insertions(+), 28 deletions(-)
diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
index b046f177e60f41004ec3ecda724bd1c5b8c0dfd1..64688b3c4ad80ac5371f621f6046d62564317521 100644
--- a/base/server/python/pki/server/__init__.py
+++ b/base/server/python/pki/server/__init__.py
@@ -449,42 +449,46 @@ class PKIInstance(object):
 def load(self):
 # load UID and GID
- with open(self.registry_file, 'r') as registry:
- lines = registry.readlines()
+ if os.path.exists(self.registry_file):
- for line in lines:
+ with open(self.registry_file, 'r') as registry:
+ lines = registry.readlines()
- m = re.search('^PKI_USER=(.*)$', line)
- if m:
- self.user = m.group(1)
- self.uid = pwd.getpwnam(self.user).pw_uid
+ for line in lines:
+ m = re.search('^PKI_USER=(.*)$', line)
+ if m:
+ self.user = m.group(1)
+ self.uid = pwd.getpwnam(self.user).pw_uid
- m = re.search('^PKI_GROUP=(.*)$', line)
- if m:
- self.group = m.group(1)
- self.gid = grp.getgrnam(self.group).gr_gid
+ m = re.search('^PKI_GROUP=(.*)$', line)
+ if m:
+ self.group = m.group(1)
+ self.gid = grp.getgrnam(self.group).gr_gid
 # load passwords
 self.passwords.clear()
- lines = open(self.password_conf).read().splitlines()
+ if os.path.exists(self.password_conf):
- for line in lines:
- parts = line.split('=', 1)
- name = parts[0]
- value = parts[1]
- self.passwords[name] = value
+ lines = open(self.password_conf).read().splitlines()
+
+ for line in lines:
+ parts = line.split('=', 1)
+ name = parts[0]
+ value = parts[1]
+ self.passwords[name] = value
 self.load_external_certs(self.external_certs_conf)
 # load subsystems
- for subsystem_name in os.listdir(self.registry_dir):
- if subsystem_name in SUBSYSTEM_TYPES:
- if subsystem_name in SUBSYSTEM_CLASSES:
- subsystem = SUBSYSTEM_CLASSES[subsystem_name](self)
- else:
- subsystem = PKISubsystem(self, subsystem_name)
- subsystem.load()
- self.subsystems.append(subsystem)
+ if os.path.exists(self.registry_dir):
+ for subsystem_name in os.listdir(self.registry_dir):
+ if subsystem_name in SUBSYSTEM_TYPES:
+ if subsystem_name in SUBSYSTEM_CLASSES:
+ subsystem = SUBSYSTEM_CLASSES[subsystem_name](self)
+ else:
+ subsystem = PKISubsystem(self, subsystem_name)
+ subsystem.load()
+ self.subsystems.append(subsystem)
 def load_external_certs(self, conf_file):
 self.external_certs = PKIInstance.read_external_certs(conf_file)
diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
index 273b5ac3071640dd836adf1b541cc56b494a24c6..4d6e0185e1ec55d523cdee764f1d61e5e9e454f9 100644
--- a/base/server/python/pki/server/deployment/pkiparser.py
+++ b/base/server/python/pki/server/deployment/pkiparser.py
@@ -582,9 +582,21 @@ class PKIConfigParser:
 pin_low = 100000000000
 pin_high = 999999999999
- # use user-provided PIN if specified
- if 'pki_pin' not in self.mdict:
- # otherwise generate a random password
+ instance = pki.server.PKIInstance(self.mdict['pki_instance_name'])
+ instance.load()
+
+ internal_password = self.mdict['pki_self_signed_token']
+
+ # if instance already exists and has password, reuse the password
+ if internal_password in instance.passwords:
+ self.mdict['pki_pin'] = instance.passwords.get(internal_password)
+
+ # otherwise, use user-provided password if specified
+ elif 'pki_pin' in self.mdict:
+ pass
+
+ # otherwise, generate a random password
+ else:
 self.mdict['pki_pin'] = \
 random.randint(pin_low, pin_high)
--
2.7.3
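Review bot: The password block in `load()` still reads the file with a bare `open(self.password_conf).read()` and indexes `parts[1]` unconditionally, so the file handle is never closed explicitly and any blank or `=`-less line in the password file raises IndexError. Because this commit makes `load()` run on the install path (see the pkiparser.py hunk), the parse should be tolerant: `with open(self.password_conf) as f: lines = f.read().splitlines()`, then `name, sep, value = line.partition('=')` followed by `if not sep: continue`. The three `os.path.exists()` guards also mean a mistyped or absent instance now loads silently as an empty one, so `load()` deserves a docstring stating that missing registry, password and subsystem paths are skipped rather than raising.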
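Review bot: The fallback branch still produces the NSS database password with `random.randint(pin_low, pin_high)`, which draws from Python's non-cryptographic Mersenne Twister generator and yields only a 12-digit decimal value; `random.SystemRandom().randint(pin_low, pin_high)` keeps the same range while taking the value from the operating system's CSPRNG. The new first branch also replaces a user-supplied `pki_pin` with the stored one without any trace, so a warning that names the instance (never the password) when both are present and differ would help operators diagnose a mismatch. The reused value appears to be a string read from the password file while the generated one is an int, so consumers of `pki_pin` should be checked for both types. The enclosing method begins and ends outside this hunk.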
