2016-11-03 403b09ab980c02ef36095973349a13e0181c794a
403b09 1 From 4651261af43a311d23efa759e61143a6413c5dc5 Mon Sep 17 00:00:00 2001
99b6f7 2 From: Martin Kosek <mkosek@redhat.com>
e3ffab 3 Date: Fri, 5 Sep 2014 11:24:27 +0200
031d60 4 Subject: [PATCH] Hide pkinit functionality from production version
99b6f7 5
CB 6 Rebased from original patch from Jan Zeleny and Rob Crittenden.
7
8 https://fedorahosted.org/freeipa/ticket/616
9 ---
403b09 10  ipaserver/install/ipa_replica_prepare.py   | 21 ++++-----------------
CS 11  ipaserver/install/server/common.py         | 30 ++++++++----------------------
12  ipaserver/install/server/install.py        | 11 -----------
13  ipaserver/install/server/replicainstall.py |  1 -
14  4 files changed, 12 insertions(+), 51 deletions(-)
99b6f7 15
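diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index 80813086c6a7212bdb6ef9d54202b28808b80076..9ba536163bf5c2882d8fc593457dab78a08e849a 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -85,9 +85,6 @@ class ReplicaPrepare(admintool.AdminTool):
         parser.add_option("--allow-zone-overlap", dest="allow_zone_overlap",
             action="store_true", default=False, help="create DNS "
             "zone even if it already exists")
-        parser.add_option("--no-pkinit", dest="setup_pkinit",
-            action="store_false", default=True,
-            help="disables pkinit setup steps")
         parser.add_option("--ca", dest="ca_file", default=paths.CACERT_P12,
             metavar="FILE",
             help="location of CA PKCS#12 file, default /root/cacert.p12")
@@ -109,12 +106,6 @@ class ReplicaPrepare(admintool.AdminTool):
         group.add_option("--http_pkcs12", dest="http_cert_files",
             action="append",
             help=SUPPRESS_HELP)
-        group.add_option("--pkinit-cert-file", dest="pkinit_cert_files",
-            action="append", metavar="FILE",
-            help="File containing the Kerberos KDC SSL certificate and private key")
-        group.add_option("--pkinit_pkcs12", dest="pkinit_cert_files",
-            action="append",
-            help=SUPPRESS_HELP)
         group.add_option("--dirsrv-pin", dest="dirsrv_pin", sensitive=True,
             metavar="PIN",
             help="The password to unlock the Directory Server private key")
@@ -125,20 +116,12 @@ class ReplicaPrepare(admintool.AdminTool):
             help="The password to unlock the Apache Server private key")
         group.add_option("--http_pin", dest="http_pin", sensitive=True,
             help=SUPPRESS_HELP)
-        group.add_option("--pkinit-pin", dest="pkinit_pin", sensitive=True,
-            metavar="PIN",
-            help="The password to unlock the Kerberos KDC private key")
-        group.add_option("--pkinit_pin", dest="pkinit_pin", sensitive=True,
-            help=SUPPRESS_HELP)
         group.add_option("--dirsrv-cert-name", dest="dirsrv_cert_name",
             metavar="NAME",
             help="Name of the Directory Server SSL certificate to install")
         group.add_option("--http-cert-name", dest="http_cert_name",
             metavar="NAME",
             help="Name of the Apache Server SSL certificate to install")
-        group.add_option("--pkinit-cert-name", dest="pkinit_cert_name",
-            metavar="NAME",
-            help="Name of the Kerberos KDC SSL certificate to install")
         parser.add_option_group(group)
 
     def validate_options(self):
@@ -158,7 +141,11 @@ class ReplicaPrepare(admintool.AdminTool):
                 "option together with --no-reverse")
 
         #Automatically disable pkinit w/ dogtag until that is supported
+        # pkinit is disabled in production version
         options.setup_pkinit = False
+        options.pkinit_cert_files = None
+        options.pkinit_pin = None
+        options.pkinit_cert_name = None
 
         # If any of the PKCS#12 options are selected, all are required.
         cert_file_req = (options.dirsrv_cert_files, options.http_cert_files)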
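Review bot: The added `# pkinit is disabled in production version` sits directly under the surviving `#Automatically disable pkinit w/ dogtag until that is supported`, so the same `options.setup_pkinit = False` now carries two different justifications and a reader cannot tell which one is current. Replace both with one comment that also explains the three new `options.pkinit_* = None` lines, e.g. `# pkinit is not offered in this build (ticket 616): the --no-pkinit and --pkinit-* options are no longer registered on the parser above, so force setup off and give the attributes a value the later option checks can read`. Note that the subject says "hide" but the options are removed outright, so a caller that still passes `--no-pkinit` or `--pkinit-cert-file` presumably gets an unknown-option error instead of a silent no-op; if that compatibility matters, keeping them registered with `help=SUPPRESS_HELP` as the `_pkcs12`/`_pin` aliases already are would hide them without breaking existing invocations. validate_options begins in an earlier hunk and continues past this one.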
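diff --git a/ipaserver/install/server/common.py b/ipaserver/install/server/common.py
index e6093d15cd1067a83ed89945c4a9c983c66ec06f..a64a0938f3829ce58e22b5b9043373aa7eb7dfe2 100644
--- a/ipaserver/install/server/common.py
+++ b/ipaserver/install/server/common.py
@@ -72,13 +72,7 @@ class BaseServerCA(common.Installable, core.Group, core.Composite):
         cli_metavar='FILE',
     )
 
-    pkinit_cert_files = Knob(
-        (list, str), None,
-        description=("File containing the Kerberos KDC SSL certificate and "
-                     "private key"),
-        cli_name='pkinit-cert-file',
-        cli_metavar='FILE',
-    )
+    pkinit_cert_files = None
 
     dirsrv_pin = Knob(
         str, None,
@@ -94,12 +88,7 @@ class BaseServerCA(common.Installable, core.Group, core.Composite):
         cli_metavar='PIN',
     )
 
-    pkinit_pin = Knob(
-        str, None,
-        sensitive=True,
-        description="The password to unlock the Kerberos KDC private key",
-        cli_metavar='PIN',
-    )
+    pkinit_pin = None
 
     dirsrv_cert_name = Knob(
         str, None,
@@ -113,11 +102,7 @@ class BaseServerCA(common.Installable, core.Group, core.Composite):
         cli_metavar='NAME',
     )
 
-    pkinit_cert_name = Knob(
-        str, None,
-        description="Name of the Kerberos KDC SSL certificate to install",
-        cli_metavar='NAME',
-    )
+    pkinit_cert_name = None
 
     ca_cert_files = Knob(
         (list, str), None,
@@ -341,10 +326,7 @@ class BaseServer(common.Installable, common.Interactive, core.Composite):
         cli_short_name='N',
     )
 
-    no_pkinit = Knob(
-        bool, False,
-        description="disables pkinit setup steps",
-    )
+    no_pkinit = False
 
     no_ui_redirect = Knob(
         bool, False,
@@ -384,6 +366,10 @@ class BaseServer(common.Installable, common.Interactive, core.Composite):
         if not os.path.exists(value):
             raise ValueError("File %s does not exist." % value)
 
+    pkinit_cert_files = None
+    pkinit_pin = None
+    pkinit_cert_name = None
+    no_pkinit = False
 
     def __init__(self, **kwargs):
         super(BaseServer, self).__init__(**kwargs)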
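Review bot: `no_pkinit = False` is now assigned twice in the body of BaseServer — once where the Knob was replaced (hunk `@@ -341,10 +326,7 @@`) and again in the four-line block added after the file-exists validator (hunk `@@ -384,6 +366,10 @@`). The later assignment in a class body silently wins, so the duplicate is harmless today but will mask any future edit to the first; drop the `no_pkinit = False` line from the later block. The replacements also deserve a comment, since a bare `None`/`False` standing where a `Knob(...)` used to be reads like an accident: something like `# pkinit is not exposed in this build (ticket 616); plain values replace the Knob definitions so code that reads these attributes keeps working`. Whether BaseServer needs its own copies of `pkinit_cert_files`, `pkinit_pin` and `pkinit_cert_name` in addition to the ones on BaseServerCA depends on how Composite resolves attributes, which is not visible in these hunks; the validator method the new block follows starts outside the hunk.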
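diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index b33b0243d4d909a561b59d93f0014c390146b333..c292c4d24bfde1484769698ee2a7ef59a6fcc52c 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -1169,11 +1169,6 @@ class ServerCA(BaseServerCA):
         cli_aliases=['http_pkcs12'],
     )
 
-    pkinit_cert_files = Knob(
-        BaseServerCA.pkinit_cert_files,
-        cli_aliases=['pkinit_pkcs12'],
-    )
-
     dirsrv_pin = Knob(
         BaseServerCA.dirsrv_pin,
         cli_aliases=['dirsrv_pin'],
@@ -1184,14 +1179,8 @@ class ServerCA(BaseServerCA):
         cli_aliases=['http_pin'],
     )
 
-    pkinit_pin = Knob(
-        BaseServerCA.pkinit_pin,
-        cli_aliases=['pkinit_pin'],
-    )
-
     dirsrv_cert_name = Knob(BaseServerCA.dirsrv_cert_name)
     http_cert_name = Knob(BaseServerCA.http_cert_name)
-    pkinit_cert_name = Knob(BaseServerCA.pkinit_cert_name)
     ca_cert_files = Knob(BaseServerCA.ca_cert_files)
     subject = Knob(BaseServerCA.subject)
     ca_signing_algorithm = Knob(BaseServerCA.ca_signing_algorithm)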
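diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index f54ff7da06c57b9c8251429cbdacc5c300805f84..7695adf0d537237b24660e8871011f04f242e744 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -1587,7 +1587,6 @@ class Replica(BaseServer):
     mkhomedir = Knob(BaseServer.mkhomedir)
     no_host_dns = Knob(BaseServer.no_host_dns)
     no_ntp = Knob(BaseServer.no_ntp)
-    no_pkinit = Knob(BaseServer.no_pkinit)
     no_ui_redirect = Knob(BaseServer.no_ui_redirect)
     ssh_trust_dns = Knob(BaseServer.ssh_trust_dns)
     no_ssh = Knob(BaseServer.no_ssh)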
99b6f7 188 -- 
403b09 189 2.9.3
99b6f7 190