Imported Debian patch 4.0.5-6~numeezy

2016-02-17 15:07:45 +01:00
parent c44de33144
commit 10dfc9587b
1203 changed files with 53869 additions and 241462 deletions
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -19,23 +19,27 @@
 #

 import sys
-import os
-import shutil
-import tempfile
+import socket
+
+import os, shutil
+
 from ipapython import ipautil

-from ipaserver.install import installutils
+from ipaserver.install import installutils, service
 from ipaserver.install import certs
-from ipaserver.install.installutils import create_replica_config
-from ipaserver.install.installutils import check_creds, ReplicaConfig
-from ipaserver.install import dsinstance, ca
-from ipaserver.install import cainstance, custodiainstance, service
+from ipaserver.install.installutils import (HostnameLocalhost, ReplicaConfig,
+        expand_replica_info, read_replica_info, get_host_name, BadHostError,
+        private_ccache, read_replica_info_dogtag_port)
+from ipaserver.install import dsinstance, cainstance, bindinstance
+from ipaserver.install.replication import replica_conn_check
 from ipapython import version
-from ipalib import api
-from ipalib.constants import DOMAIN_LEVEL_0
+from ipalib import api, util
 from ipapython.dn import DN
 from ipapython.config import IPAOptionParser
+from ipapython import sysrestore
+from ipapython import dogtag
 from ipapython.ipa_log_manager import *
+from ipaplatform import services
 from ipaplatform.paths import paths

 log_file_name = paths.IPAREPLICA_CA_INSTALL_LOG
@@ -59,67 +63,64 @@ def parse_options():
                      default=False, help="skip check for updated CA DS schema on the remote master")
    parser.add_option("-U", "--unattended", dest="unattended", action="store_true",
                      default=False, help="unattended installation never prompts the user")
-    parser.add_option("--external-ca", dest="external_ca", action="store_true",
-                      default=False, help="Generate a CSR to be signed by an external CA")
-    parser.add_option("--external-ca-type", dest="external_ca_type",
-                      type="choice", choices=("generic", "ms-cs"),
-                      help="Type of the external CA")
-    parser.add_option("--external-cert-file", dest="external_cert_files",
-                      action="append", metavar="FILE",
-                      help="File containing the IPA CA certificate and the external CA certificate chain")
-    parser.add_option("--ca-signing-algorithm", dest="ca_signing_algorithm",
-                      type="choice",
-                      choices=('SHA1withRSA', 'SHA256withRSA', 'SHA512withRSA'),
-                      help="Signing algorithm of the IPA CA certificate")
-    parser.add_option("-P", "--principal", dest="principal", sensitive=True,
-                      default=None, help="User allowed to manage replicas")

    options, args = parser.parse_args()
    safe_options = parser.get_safe_opts(options)

-    if args:
-        filename = args[0]
-
-        if len(args) != 1:
-            parser.error("you must provide a file generated by "
-                         "ipa-replica-prepare")
-
-        options.external_ca = None
-        options.external_cert_files = None
-    else:
-        filename = None
-
-        if options.external_ca:
-            if options.external_cert_files:
-                parser.error("You cannot specify --external-cert-file "
-                             "together with --external-ca")
-
-        if options.external_ca_type and not options.external_ca:
-            parser.error(
-                "You cannot specify --external-ca-type without --external-ca")
-
-    return safe_options, options, filename
+    if len(args) != 1:
+        parser.error("you must provide a file generated by ipa-replica-prepare")

+    return safe_options, options, args[0]

 def get_dirman_password():
-    return installutils.read_password(
-        "Directory Manager (existing master)", confirm=False, validate=False)
+    return installutils.read_password("Directory Manager (existing master)", confirm=False, validate=False)

+def check_ca():
+    if not cainstance.check_port():
+        print "IPA requires port 8443 for PKI but it is currently in use."
+        sys.exit(1)

-def install_replica(safe_options, options, filename):
-    if options.promote:
-        if filename is not None:
-            sys.exit("Too many parameters provided. "
-                     "No replica file is required")
-    else:
-        if filename is None:
-            sys.exit("A replica file is required")
-        if not ipautil.file_exists(filename):
-            sys.exit("Replica file %s does not exist" % filename)
+def install_dns_records(config, options):

-    if not options.promote:
-        # Check if we have admin creds already, otherwise acquire them
-        check_creds(options, api.env.realm)
+    if not bindinstance.dns_container_exists(config.master_host_name,
+                                             ipautil.realm_to_suffix(config.realm_name),
+                                             dm_password=config.dirman_password):
+        return
+
+    bind = bindinstance.BindInstance(dm_password=config.dirman_password)
+    try:
+        api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
+                                  bind_pw=config.dirman_password)
+        bind.add_ipa_ca_dns_records(config.host_name, config.domain_name)
+    finally:
+        if api.Backend.ldap2.isconnected():
+             api.Backend.ldap2.disconnect()
+
+def main():
+    safe_options, options, filename = parse_options()
+
+    if os.geteuid() != 0:
+        sys.exit("\nYou must be root to run this script.\n")
+
+    standard_logging_setup(log_file_name, debug=options.debug)
+
+    root_logger.debug('%s was invoked with argument "%s" and options: %s' % (sys.argv[0], filename, safe_options))
+    root_logger.debug('IPA version %s' % version.VENDOR_VERSION)
+
+    if not ipautil.file_exists(filename):
+        sys.exit("Replica file %s does not exist" % filename)
+
+    global sstore
+    sstore = sysrestore.StateFile(paths.SYSRESTORE)
+
+    if not dsinstance.DsInstance().is_configured():
+        sys.exit("IPA server is not configured on this system.\n")
+
+    api.bootstrap(in_server=True)
+    api.finalize()
+
+    if api.env.ra_plugin == 'selfsign':
+        sys.exit('A selfsign CA can not be added')

    # get the directory manager password
    dirman_password = options.password
@@ -133,172 +134,82 @@ def install_replica(safe_options, options, filename):
        if dirman_password is None:
            sys.exit("Directory Manager password required")

-    if (not options.promote and not options.admin_password and
-            not options.skip_conncheck and options.unattended):
-        sys.exit('admin password required')
-
-    if options.promote:
-        config = ReplicaConfig()
-        config.master_host_name = None
-        config.realm_name = api.env.realm
-        config.host_name = api.env.host
-        config.domain_name = api.env.domain
-        config.dirman_password = dirman_password
-        config.ca_ds_port = 389
-        config.top_dir = tempfile.mkdtemp("ipa")
-        config.dir = config.top_dir
-        cafile = paths.IPA_CA_CRT
-    else:
-        config = create_replica_config(dirman_password, filename, options)
-        cafile = config.dir + '/ca.crt'
-
-    global REPLICA_INFO_TOP_DIR
-    REPLICA_INFO_TOP_DIR = config.top_dir
-    config.setup_ca = True
-
-    conn = api.Backend.ldap2
-    conn.connect(bind_dn=DN(('cn', 'Directory Manager')),
-                            bind_pw=dirman_password)
-
-    if config.subject_base is None:
-        attrs = conn.get_ipa_config()
-        config.subject_base = attrs.get('ipacertificatesubjectbase')[0]
-
-    if config.master_host_name is None:
-        config.ca_host_name = \
-            service.find_providing_server('CA', conn, api.env.ca_host)
-        config.master_host_name = config.ca_host_name
-    else:
-        config.ca_host_name = config.master_host_name
-
-    options.realm_name = config.realm_name
-    options.domain_name = config.domain_name
-    options.dm_password = config.dirman_password
-    options.host_name = config.host_name
-    options.subject = config.subject_base
-    if os.path.exists(cafile):
-        options.ca_cert_file = cafile
-    else:
-        options.ca_cert_file = None
-
-    ca.install_check(True, config, options)
-    if options.promote:
-        ca_data = (os.path.join(config.dir, 'cacert.p12'),
-                   config.dirman_password)
-        custodia = custodiainstance.CustodiaInstance(config.host_name,
-                                                     config.realm_name)
-        custodia.get_ca_keys(config.ca_host_name, ca_data[0], ca_data[1])
-
-        CA = cainstance.CAInstance(config.realm_name, certs.NSS_DIR,
-                                   host_name=config.host_name,
-                                   dm_password=config.dirman_password)
-        CA.configure_replica(config.ca_host_name,
-                             subject_base=config.subject_base,
-                             ca_cert_bundle=ca_data)
-    else:
-        ca.install(True, config, options)
-
-
-def install_master(safe_options, options):
-    dm_password = options.password
-    if not dm_password:
-        if options.unattended:
-            sys.exit('Directory Manager password required')
-        try:
-            dm_password = get_dirman_password()
-        except KeyboardInterrupt:
-            sys.exit(0)
-        if dm_password is None:
-            sys.exit("Directory Manager password required")
-
-    api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
-                              bind_pw=dm_password)
-
-    config = api.Command['config_show']()['result']
-    subject_base = config['ipacertificatesubjectbase'][0]
-
-    options.realm_name = api.env.realm
-    options.domain_name = api.env.domain
-    options.dm_password = dm_password
-    options.host_name = api.env.host
-    options.subject = subject_base
-
-    ca.install_check(True, None, options)
-    ca.install(True, None, options)
-
-
-def install(safe_options, options, filename):
-    options.promote = False
+    if not options.admin_password and not options.skip_conncheck and \
+        options.unattended:
+            sys.exit('admin password required')

    try:
-        if filename is None:
-            install_master(safe_options, options)
-        else:
-            install_replica(safe_options, options, filename)
+        top_dir, dir = expand_replica_info(filename, dirman_password)
+        global REPLICA_INFO_TOP_DIR
+        REPLICA_INFO_TOP_DIR = top_dir
+    except Exception, e:
+        print "ERROR: Failed to decrypt or open the replica file."
+        print "Verify you entered the correct Directory Manager password."
+        sys.exit(1)

-    finally:
-        # Clean up if we created custom credentials
-        created_ccache_file = getattr(options, 'created_ccache_file', None)
-        if created_ccache_file is not None:
-            try:
-                os.unlink(created_ccache_file)
-            except OSError:
-                pass
+    config = ReplicaConfig()
+    read_replica_info(dir, config)
+    config.dirman_password = dirman_password
+    try:
+        host = get_host_name(options.no_host_dns)
+    except BadHostError, e:
+        root_logger.error(str(e))
+        sys.exit(1)
+    if config.host_name != host:
+        try:
+            print "This replica was created for '%s' but this machine is named '%s'" % (config.host_name, host)
+            if not ipautil.user_input("This may cause problems. Continue?", True):
+                sys.exit(0)
+            config.host_name = host
+            print ""
+        except KeyboardInterrupt:
+            sys.exit(0)
+    config.dir = dir
+    config.setup_ca = True
+    config.ca_ds_port = read_replica_info_dogtag_port(config.dir)

+    if not ipautil.file_exists(config.dir + "/cacert.p12"):
+        print 'CA cannot be installed in CA-less setup.'
+        sys.exit(1)

-def promote(safe_options, options, filename):
-    options.promote = True
+    if not options.skip_conncheck:
+        replica_conn_check(
+            config.master_host_name, config.host_name, config.realm_name, True,
+            config.ca_ds_port, options.admin_password)

-    with ipautil.private_ccache():
-        ccache = os.environ['KRB5CCNAME']
-
-        ipautil.kinit_keytab(
-            'host/{env.host}@{env.realm}'.format(env=api.env),
-            paths.KRB5_KEYTAB,
-            ccache)
-
-        conn = api.Backend.ldap2
-        conn.connect(ccache=ccache)
-        ca_host = service.find_providing_server('CA', conn)
-        conn.disconnect()
-        if ca_host is None:
-            install_master(safe_options, options)
-        else:
-            install_replica(safe_options, options, filename)
-
-
-def main():
-    safe_options, options, filename = parse_options()
-
-    if os.geteuid() != 0:
-        sys.exit("\nYou must be root to run this script.\n")
-
-    if not dsinstance.DsInstance().is_configured():
-        sys.exit("IPA server is not configured on this system.\n")
-
-    if (not options.external_cert_files and
-            cainstance.is_ca_installed_locally()):
-        sys.exit("CA is already installed on this host.")
-
-    standard_logging_setup(paths.IPASERVER_CA_INSTALL_LOG, debug=options.debug)
-    root_logger.debug("%s was invoked with options: %s,%s",
-                      sys.argv[0], safe_options, filename)
-    root_logger.debug("IPA version %s", version.VENDOR_VERSION)
-
-    # override ra_plugin setting read from default.conf so that we have
-    # functional dogtag backend plugins during CA install
-    api.bootstrap(in_server=True, ra_plugin='dogtag')
-    api.finalize()
-
-    domain_level = dsinstance.get_domain_level(api)
-    if domain_level > DOMAIN_LEVEL_0:
-        promote(safe_options, options, filename)
+    if options.skip_schema_check:
+        root_logger.info("Skipping CA DS schema check")
    else:
-        install(safe_options, options, filename)
+        cainstance.replica_ca_install_check(config)

-    # execute ipactl to refresh services status
-    ipautil.run(['ipactl', 'start', '--ignore-service-failures'],
-                raiseonerr=False)
+    check_ca()
+
+    # Configure the CA if necessary
+    CA = cainstance.install_replica_ca(config, postinstall=True)
+
+    # We need to ldap_enable the CA now that DS is up and running
+    CA.ldap_enable('CA', config.host_name, config.dirman_password,
+                   ipautil.realm_to_suffix(config.realm_name))
+
+    # This is done within stopped_service context, which restarts CA
+    CA.enable_client_auth_to_db()
+
+    # Install CA DNS records
+    install_dns_records(config, options)
+
+    # We need to restart apache as we drop a new config file in there
+    services.knownservices.httpd.restart(capture_output=True)
+
+    #update dogtag version in config file
+    try:
+        fd = open(paths.IPA_DEFAULT_CONF, "a")
+        fd.write(
+            "dogtag_version=%s\n" % dogtag.install_constants.DOGTAG_VERSION)
+        fd.close()
+    except IOError, e:
+        print "Failed to update /etc/ipa/default.conf"
+        root_logger.error(str(e))
+        sys.exit(1)

 fail_message = '''
 Your system may be partly configured.
@@ -307,9 +218,10 @@ Run /usr/sbin/ipa-server-install --uninstall to clean up.

 if __name__ == '__main__':
    try:
-        installutils.run_script(main, log_file_name=log_file_name,
-                                operation_name='ipa-ca-install',
-                                fail_message=fail_message)
+        with private_ccache():
+            installutils.run_script(main, log_file_name=log_file_name,
+                    operation_name='ipa-ca-install',
+                    fail_message=fail_message)
    finally:
        # always try to remove decrypted replica file
        try: