From b8147e3295b16164f62d05a78dfd25bfa6f178e2 Mon Sep 17 00:00:00 2001

From: Martin Kosek <mkosek@redhat.com>

Date: Fri, 5 Sep 2014 11:24:27 +0200

Subject: [PATCH] Hide pkinit functionality from production version

Rebased from original patch from Jan Zeleny and Rob Crittenden.

https://fedorahosted.org/freeipa/ticket/616

---

 ipaserver/install/ipa_replica_prepare.py   | 20 +++-----------------

 ipaserver/install/server/install.py        |  4 ++++

 ipaserver/install/server/replicainstall.py |  1 +

 3 files changed, 8 insertions(+), 17 deletions(-)

diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py

index 5246f5f5469c85571d04c99d872f38018802abaa..3ecf44fffad22e11b5008dadc24c9933eac965cf 100644

--- a/ipaserver/install/ipa_replica_prepare.py

+++ b/ipaserver/install/ipa_replica_prepare.py

@@ -65,9 +65,6 @@ class ReplicaPrepare(admintool.AdminTool):

         parser.add_option("--no-reverse", dest="no_reverse",

             action="store_true", default=False,

             help="do not create reverse DNS zone")

-        parser.add_option("--no-pkinit", dest="setup_pkinit",

-            action="store_false", default=True,

-            help="disables pkinit setup steps")

         parser.add_option("--ca", dest="ca_file", default=paths.CACERT_P12,

             metavar="FILE",

             help="location of CA PKCS#12 file, default /root/cacert.p12")

@@ -89,12 +86,6 @@ class ReplicaPrepare(admintool.AdminTool):

         group.add_option("--http_pkcs12", dest="http_cert_files",

             action="append",

             help=SUPPRESS_HELP)

-        group.add_option("--pkinit-cert-file", dest="pkinit_cert_files",

-            action="append", metavar="FILE",

-            help="File containing the Kerberos KDC SSL certificate and private key")

-        group.add_option("--pkinit_pkcs12", dest="pkinit_cert_files",

-            action="append",

-            help=SUPPRESS_HELP)

         group.add_option("--dirsrv-pin", dest="dirsrv_pin", sensitive=True,

             metavar="PIN",

             help="The password to unlock the Directory Server private key")

@@ -105,20 +96,12 @@ class ReplicaPrepare(admintool.AdminTool):

             help="The password to unlock the Apache Server private key")

         group.add_option("--http_pin", dest="http_pin", sensitive=True,

             help=SUPPRESS_HELP)

-        group.add_option("--pkinit-pin", dest="pkinit_pin", sensitive=True,

-            metavar="PIN",

-            help="The password to unlock the Kerberos KDC private key")

-        group.add_option("--pkinit_pin", dest="pkinit_pin", sensitive=True,

-            help=SUPPRESS_HELP)

         group.add_option("--dirsrv-cert-name", dest="dirsrv_cert_name",

             metavar="NAME",

             help="Name of the Directory Server SSL certificate to install")

         group.add_option("--http-cert-name", dest="http_cert_name",

             metavar="NAME",

             help="Name of the Apache Server SSL certificate to install")

-        group.add_option("--pkinit-cert-name", dest="pkinit_cert_name",

-            metavar="NAME",

-            help="Name of the Kerberos KDC SSL certificate to install")

         parser.add_option_group(group)

     def validate_options(self):

@@ -138,7 +121,10 @@ class ReplicaPrepare(admintool.AdminTool):

                 "option together with --no-reverse")

         #Automatically disable pkinit w/ dogtag until that is supported

+        # pkinit is disabled in production version

         options.setup_pkinit = False

+        options.pkinit_pin = False

+        options.pkinit_cert_files = False

         # If any of the PKCS#12 options are selected, all are required.

         cert_file_req = (options.dirsrv_cert_files, options.http_cert_files)

diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py

index 9d7036a7786a35e6aa2429254d62c8afb30970db..95a9b560843cfea9b4f7b2718e4e943548cd9a30 100644

--- a/ipaserver/install/server/install.py

+++ b/ipaserver/install/server/install.py

@@ -1173,6 +1173,7 @@ class ServerCA(common.Installable, core.Group, core.Composite):

     no_pkinit = Knob(

         bool, False,

+        initializable=False,

         description="disables pkinit setup steps",

     )

@@ -1196,6 +1197,7 @@ class ServerCA(common.Installable, core.Group, core.Composite):

     pkinit_cert_files = Knob(

         (list, str), None,

+        initializable=False,

         description=("File containing the Kerberos KDC SSL certificate and "

                      "private key"),

         cli_name='pkinit-cert-file',

@@ -1221,6 +1223,7 @@ class ServerCA(common.Installable, core.Group, core.Composite):

     pkinit_pin = Knob(

         str, None,

+        initializable=False,

         sensitive=True,

         description="The password to unlock the Kerberos KDC private key",

         cli_aliases=['pkinit_pin'],

@@ -1241,6 +1244,7 @@ class ServerCA(common.Installable, core.Group, core.Composite):

     pkinit_cert_name = Knob(

         str, None,

+        initializable=False,

         description="Name of the Kerberos KDC SSL certificate to install",

         cli_metavar='NAME',

     )

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py

index 6f9a6141fe9af44806244ce52df59c191dc966b0..2d34fdd02b57eb962cdffba508e53cfea0c922e1 100644

--- a/ipaserver/install/server/replicainstall.py

+++ b/ipaserver/install/server/replicainstall.py

@@ -655,6 +655,7 @@ class ReplicaCA(common.Installable, core.Group, core.Composite):

     no_pkinit = Knob(

         bool, False,

+        initializable=False,

         description="disables pkinit setup steps",

     )

-- 

2.5.1