From 4651261af43a311d23efa759e61143a6413c5dc5 Mon Sep 17 00:00:00 2001 From: Martin Kosek Date: Fri, 5 Sep 2014 11:24:27 +0200 Subject: [PATCH] Hide pkinit functionality from production version Rebased from original patch from Jan Zeleny and Rob Crittenden. https://fedorahosted.org/freeipa/ticket/616 --- ipaserver/install/ipa_replica_prepare.py | 21 ++++----------------- ipaserver/install/server/common.py | 30 ++++++++---------------------- ipaserver/install/server/install.py | 11 ----------- ipaserver/install/server/replicainstall.py | 1 - 4 files changed, 12 insertions(+), 51 deletions(-) diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py index 80813086c6a7212bdb6ef9d54202b28808b80076..9ba536163bf5c2882d8fc593457dab78a08e849a 100644 --- a/ipaserver/install/ipa_replica_prepare.py +++ b/ipaserver/install/ipa_replica_prepare.py @@ -85,9 +85,6 @@ class ReplicaPrepare(admintool.AdminTool): parser.add_option("--allow-zone-overlap", dest="allow_zone_overlap", action="store_true", default=False, help="create DNS " "zone even if it already exists") - parser.add_option("--no-pkinit", dest="setup_pkinit", - action="store_false", default=True, - help="disables pkinit setup steps") parser.add_option("--ca", dest="ca_file", default=paths.CACERT_P12, metavar="FILE", help="location of CA PKCS#12 file, default /root/cacert.p12") @@ -109,12 +106,6 @@ class ReplicaPrepare(admintool.AdminTool): group.add_option("--http_pkcs12", dest="http_cert_files", action="append", help=SUPPRESS_HELP) - group.add_option("--pkinit-cert-file", dest="pkinit_cert_files", - action="append", metavar="FILE", - help="File containing the Kerberos KDC SSL certificate and private key") - group.add_option("--pkinit_pkcs12", dest="pkinit_cert_files", - action="append", - help=SUPPRESS_HELP) group.add_option("--dirsrv-pin", dest="dirsrv_pin", sensitive=True, metavar="PIN", help="The password to unlock the Directory Server private key") 
@@ -125,20 +116,12 @@ class ReplicaPrepare(admintool.AdminTool): help="The password to unlock the Apache Server private key") group.add_option("--http_pin", dest="http_pin", sensitive=True, help=SUPPRESS_HELP) - group.add_option("--pkinit-pin", dest="pkinit_pin", sensitive=True, - metavar="PIN", - help="The password to unlock the Kerberos KDC private key") - group.add_option("--pkinit_pin", dest="pkinit_pin", sensitive=True, - help=SUPPRESS_HELP) group.add_option("--dirsrv-cert-name", dest="dirsrv_cert_name", metavar="NAME", help="Name of the Directory Server SSL certificate to install") group.add_option("--http-cert-name", dest="http_cert_name", metavar="NAME", help="Name of the Apache Server SSL certificate to install") - group.add_option("--pkinit-cert-name", dest="pkinit_cert_name", - metavar="NAME", - help="Name of the Kerberos KDC SSL certificate to install") parser.add_option_group(group) def validate_options(self): @@ -158,7 +141,11 @@ class ReplicaPrepare(admintool.AdminTool): "option together with --no-reverse") #Automatically disable pkinit w/ dogtag until that is supported + # pkinit is disabled in production version options.setup_pkinit = False + options.pkinit_cert_files = None + options.pkinit_pin = None + options.pkinit_cert_name = None # If any of the PKCS#12 options are selected, all are required. cert_file_req = (options.dirsrv_cert_files, options.http_cert_files) diff --git a/ipaserver/install/server/common.py b/ipaserver/install/server/common.py index e6093d15cd1067a83ed89945c4a9c983c66ec06f..a64a0938f3829ce58e22b5b9043373aa7eb7dfe2 100644 --- a/ipaserver/install/server/common.py +++ b/ipaserver/install/server/common.py 
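Review bot: The retained comment `#Automatically disable pkinit w/ dogtag until that is supported` now sits directly above the new `# pkinit is disabled in production version`, and the two give different reasons for the same `options.setup_pkinit = False`; keep one of them. Because `--no-pkinit`, `--pkinit-cert-file`, `--pkinit-pin` and `--pkinit-cert-name` are no longer registered with the parser (the hunks at @@ -85, @@ -109 and @@ -125), these four assignments are what keeps `options.setup_pkinit`, `options.pkinit_cert_files`, `options.pkinit_pin` and `options.pkinit_cert_name` defined for whatever later code still reads them, and the comment should state that, e.g. `# pkinit is hidden in the production version: the CLI options are gone, so define the attributes here so later code sees "disabled" instead of AttributeError`. validate_options continues outside the hunk.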
@@ -72,13 +72,7 @@ class BaseServerCA(common.Installable, core.Group, core.Composite): cli_metavar='FILE', ) - pkinit_cert_files = Knob( - (list, str), None, - description=("File containing the Kerberos KDC SSL certificate and " - "private key"), - cli_name='pkinit-cert-file', - cli_metavar='FILE', - ) + pkinit_cert_files = None dirsrv_pin = Knob( str, None, @@ -94,12 +88,7 @@ class BaseServerCA(common.Installable, core.Group, core.Composite): cli_metavar='PIN', ) - pkinit_pin = Knob( - str, None, - sensitive=True, - description="The password to unlock the Kerberos KDC private key", - cli_metavar='PIN', - ) + pkinit_pin = None dirsrv_cert_name = Knob( str, None, @@ -113,11 +102,7 @@ class BaseServerCA(common.Installable, core.Group, core.Composite): cli_metavar='NAME', ) - pkinit_cert_name = Knob( - str, None, - description="Name of the Kerberos KDC SSL certificate to install", - cli_metavar='NAME', - ) + pkinit_cert_name = None ca_cert_files = Knob( (list, str), None, @@ -341,10 +326,7 @@ class BaseServer(common.Installable, common.Interactive, core.Composite): cli_short_name='N', ) - no_pkinit = Knob( - bool, False, - description="disables pkinit setup steps", - ) + no_pkinit = False no_ui_redirect = Knob( bool, False, @@ -384,6 +366,10 @@ class BaseServer(common.Installable, common.Interactive, core.Composite): if not os.path.exists(value): raise ValueError("File %s does not exist." % value) + pkinit_cert_files = None + pkinit_pin = None + pkinit_cert_name = None + no_pkinit = False def __init__(self, **kwargs): super(BaseServer, self).__init__(**kwargs) diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index b33b0243d4d909a561b59d93f0014c390146b333..c292c4d24bfde1484769698ee2a7ef59a6fcc52c 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py 
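Review bot: Replacing the `pkinit_cert_files` Knob with a bare `pkinit_cert_files = None` leaves no hint to a reader why a plain class attribute sits among Knob definitions; the same applies to `pkinit_pin` (@@ -94), `pkinit_cert_name` (@@ -113) and `no_pkinit` in BaseServer (@@ -341). A one-line comment at the first of them would carry the intent from the commit message into the code, e.g. `# pkinit is hidden in the production version: kept as plain attributes, not Knobs, so no CLI option is generated but code that reads them still sees None/False`. `pkinit_pin` was the only one of these marked `sensitive=True`; as a plain `None` it can no longer receive a value, so nothing is exposed, but if the Knob is ever restored the `sensitive` flag has to come back with it. BaseServerCA continues outside the hunk.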
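Review bot: `no_pkinit = False` is added here a second time in BaseServer, having already replaced the Knob at @@ -341 in the same class, so one of the two definitions is redundant and the later one silently wins; drop the one in this hunk. The three `pkinit_*` attributes added here duplicate the ones now set to None on BaseServerCA (@@ -72, @@ -94, @@ -113); if BaseServer needs its own copies because some code reads them from the server object rather than the CA group, say so, e.g. `# mirrored from BaseServerCA: pkinit is hidden in the production version`. The four lines are also placed between the body of the preceding method and `__init__` rather than with the class's other attribute definitions. The enclosing BaseServer class continues on both sides of the hunk.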
@@ -1169,11 +1169,6 @@ class ServerCA(BaseServerCA): cli_aliases=['http_pkcs12'], ) - pkinit_cert_files = Knob( - BaseServerCA.pkinit_cert_files, - cli_aliases=['pkinit_pkcs12'], - ) - dirsrv_pin = Knob( BaseServerCA.dirsrv_pin, cli_aliases=['dirsrv_pin'], @@ -1184,14 +1179,8 @@ class ServerCA(BaseServerCA): cli_aliases=['http_pin'], ) - pkinit_pin = Knob( - BaseServerCA.pkinit_pin, - cli_aliases=['pkinit_pin'], - ) - dirsrv_cert_name = Knob(BaseServerCA.dirsrv_cert_name) http_cert_name = Knob(BaseServerCA.http_cert_name) - pkinit_cert_name = Knob(BaseServerCA.pkinit_cert_name) ca_cert_files = Knob(BaseServerCA.ca_cert_files) subject = Knob(BaseServerCA.subject) ca_signing_algorithm = Knob(BaseServerCA.ca_signing_algorithm) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index f54ff7da06c57b9c8251429cbdacc5c300805f84..7695adf0d537237b24660e8871011f04f242e744 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -1587,7 +1587,6 @@ class Replica(BaseServer): mkhomedir = Knob(BaseServer.mkhomedir) no_host_dns = Knob(BaseServer.no_host_dns) no_ntp = Knob(BaseServer.no_ntp) - no_pkinit = Knob(BaseServer.no_pkinit) no_ui_redirect = Knob(BaseServer.no_ui_redirect) ssh_trust_dns = Knob(BaseServer.ssh_trust_dns) no_ssh = Knob(BaseServer.no_ssh) -- 2.9.3