From 0ae346b514a1bd093c8ae6166f206138a5035efa Mon Sep 17 00:00:00 2001
From: Martin Kosek <mkosek@redhat.com>
Date: Fri, 5 Sep 2014 11:24:27 +0200
Subject: [PATCH] Hide pkinit functionality from production version
Rebased from the original patch by Jan Zeleny and Rob Crittenden.
https://fedorahosted.org/freeipa/ticket/616
---
ipaserver/install/ipa_replica_prepare.py | 21 ++++-----------------
ipaserver/install/server/common.py | 30 ++++++++----------------------
ipaserver/install/server/install.py | 11 -----------
ipaserver/install/server/replicainstall.py | 1 -
4 files changed, 12 insertions(+), 51 deletions(-)
diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
|
|
|
403b09 |
index 80813086c6a7212bdb6ef9d54202b28808b80076..9ba536163bf5c2882d8fc593457dab78a08e849a 100644
|
|
|
99b6f7 |
--- a/ipaserver/install/ipa_replica_prepare.py
|
|
|
99b6f7 |
+++ b/ipaserver/install/ipa_replica_prepare.py
|
|
|
403b09 |
@@ -85,9 +85,6 @@ class ReplicaPrepare(admintool.AdminTool):
|
|
|
403b09 |
parser.add_option("--allow-zone-overlap", dest="allow_zone_overlap",
|
|
|
403b09 |
action="store_true", default=False, help="create DNS "
|
|
|
403b09 |
"zone even if it already exists")
|
|
|
99b6f7 |
- parser.add_option("--no-pkinit", dest="setup_pkinit",
|
|
|
99b6f7 |
- action="store_false", default=True,
|
|
|
99b6f7 |
- help="disables pkinit setup steps")
|
|
|
e3ffab |
parser.add_option("--ca", dest="ca_file", default=paths.CACERT_P12,
|
|
|
99b6f7 |
metavar="FILE",
|
|
|
99b6f7 |
help="location of CA PKCS#12 file, default /root/cacert.p12")
|
|
|
403b09 |
@@ -109,12 +106,6 @@ class ReplicaPrepare(admintool.AdminTool):
|
|
|
e3ffab |
group.add_option("--http_pkcs12", dest="http_cert_files",
|
|
|
e3ffab |
action="append",
|
|
|
e3ffab |
help=SUPPRESS_HELP)
|
|
|
e3ffab |
- group.add_option("--pkinit-cert-file", dest="pkinit_cert_files",
|
|
|
e3ffab |
- action="append", metavar="FILE",
|
|
|
e3ffab |
- help="File containing the Kerberos KDC SSL certificate and private key")
|
|
|
e3ffab |
- group.add_option("--pkinit_pkcs12", dest="pkinit_cert_files",
|
|
|
e3ffab |
- action="append",
|
|
|
e3ffab |
- help=SUPPRESS_HELP)
|
|
|
e3ffab |
group.add_option("--dirsrv-pin", dest="dirsrv_pin", sensitive=True,
|
|
|
e3ffab |
metavar="PIN",
|
|
|
e3ffab |
help="The password to unlock the Directory Server private key")
|
|
|
403b09 |
@@ -125,20 +116,12 @@ class ReplicaPrepare(admintool.AdminTool):
|
|
|
e3ffab |
help="The password to unlock the Apache Server private key")
|
|
|
e3ffab |
group.add_option("--http_pin", dest="http_pin", sensitive=True,
|
|
|
e3ffab |
help=SUPPRESS_HELP)
|
|
|
e3ffab |
- group.add_option("--pkinit-pin", dest="pkinit_pin", sensitive=True,
|
|
|
e3ffab |
- metavar="PIN",
|
|
|
e3ffab |
- help="The password to unlock the Kerberos KDC private key")
|
|
|
e3ffab |
- group.add_option("--pkinit_pin", dest="pkinit_pin", sensitive=True,
|
|
|
e3ffab |
- help=SUPPRESS_HELP)
|
|
|
e3ffab |
group.add_option("--dirsrv-cert-name", dest="dirsrv_cert_name",
|
|
|
e3ffab |
metavar="NAME",
|
|
|
e3ffab |
help="Name of the Directory Server SSL certificate to install")
|
|
|
e3ffab |
group.add_option("--http-cert-name", dest="http_cert_name",
|
|
|
e3ffab |
metavar="NAME",
|
|
|
e3ffab |
help="Name of the Apache Server SSL certificate to install")
|
|
|
e3ffab |
- group.add_option("--pkinit-cert-name", dest="pkinit_cert_name",
|
|
|
e3ffab |
- metavar="NAME",
|
|
|
e3ffab |
- help="Name of the Kerberos KDC SSL certificate to install")
|
|
|
99b6f7 |
parser.add_option_group(group)
|
|
|
99b6f7 |
|
|
|
99b6f7 |
def validate_options(self):
|
|
|
403b09 |
@@ -158,7 +141,11 @@ class ReplicaPrepare(admintool.AdminTool):
|
|
|
99b6f7 |
"option together with --no-reverse")
|
|
|
99b6f7 |
|
|
|
99b6f7 |
#Automatically disable pkinit w/ dogtag until that is supported
|
|
|
99b6f7 |
+ # pkinit is disabled in production version
|
|
|
99b6f7 |
options.setup_pkinit = False
|
|
|
403b09 |
+ options.pkinit_cert_files = None
|
|
|
403b09 |
+ options.pkinit_pin = None
|
|
|
403b09 |
+ options.pkinit_cert_name = None
|
|
|
99b6f7 |
|
|
|
99b6f7 |
# If any of the PKCS#12 options are selected, all are required.
|
|
|
e3ffab |
cert_file_req = (options.dirsrv_cert_files, options.http_cert_files)
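Review bot: The old comment `#Automatically disable pkinit w/ dogtag until that is supported` directly above the new `# pkinit is disabled in production version` is now stale and gives a second, contradictory reason for the same `options.setup_pkinit = False`; drop the old line so only one explanation survives. Since the `--no-pkinit`, `--pkinit-cert-file`, `--pkinit-pin` and `--pkinit-cert-name` options are removed from the parser in this patch, these four assignments are presumably the only thing that gives `options` those attributes for downstream code, so the comment should say so: `# pkinit is hidden in production builds; the parser no longer defines these options, so set the attributes later code expects to None/False`. It is also worth confirming that nothing later in validate_options (whose body continues outside the hunk) still runs the "all PKCS#12 options are required" check against `pkinit_cert_files`, since it is now always None.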
|
|
|
403b09 |
diff --git a/ipaserver/install/server/common.py b/ipaserver/install/server/common.py
|
|
|
403b09 |
index e6093d15cd1067a83ed89945c4a9c983c66ec06f..a64a0938f3829ce58e22b5b9043373aa7eb7dfe2 100644
|
|
|
403b09 |
--- a/ipaserver/install/server/common.py
|
|
|
403b09 |
+++ b/ipaserver/install/server/common.py
|
|
|
403b09 |
@@ -72,13 +72,7 @@ class BaseServerCA(common.Installable, core.Group, core.Composite):
|
|
|
403b09 |
cli_metavar='FILE',
|
|
|
590d18 |
)
|
|
|
590d18 |
|
|
|
403b09 |
- pkinit_cert_files = Knob(
|
|
|
403b09 |
- (list, str), None,
|
|
|
403b09 |
- description=("File containing the Kerberos KDC SSL certificate and "
|
|
|
403b09 |
- "private key"),
|
|
|
403b09 |
- cli_name='pkinit-cert-file',
|
|
|
403b09 |
- cli_metavar='FILE',
|
|
|
403b09 |
- )
|
|
|
403b09 |
+ pkinit_cert_files = None
|
|
|
590d18 |
|
|
|
403b09 |
dirsrv_pin = Knob(
|
|
|
590d18 |
str, None,
|
|
|
403b09 |
@@ -94,12 +88,7 @@ class BaseServerCA(common.Installable, core.Group, core.Composite):
|
|
|
403b09 |
cli_metavar='PIN',
|
|
|
403b09 |
)
|
|
|
403b09 |
|
|
|
403b09 |
- pkinit_pin = Knob(
|
|
|
403b09 |
- str, None,
|
|
|
403b09 |
- sensitive=True,
|
|
|
403b09 |
- description="The password to unlock the Kerberos KDC private key",
|
|
|
403b09 |
- cli_metavar='PIN',
|
|
|
403b09 |
- )
|
|
|
403b09 |
+ pkinit_pin = None
|
|
|
590d18 |
|
|
|
403b09 |
dirsrv_cert_name = Knob(
|
|
|
590d18 |
str, None,
|
|
|
403b09 |
@@ -113,11 +102,7 @@ class BaseServerCA(common.Installable, core.Group, core.Composite):
|
|
|
590d18 |
cli_metavar='NAME',
|
|
|
590d18 |
)
|
|
|
590d18 |
|
|
|
403b09 |
- pkinit_cert_name = Knob(
|
|
|
403b09 |
- str, None,
|
|
|
403b09 |
- description="Name of the Kerberos KDC SSL certificate to install",
|
|
|
403b09 |
- cli_metavar='NAME',
|
|
|
403b09 |
- )
|
|
|
403b09 |
+ pkinit_cert_name = None
|
|
|
403b09 |
|
|
|
403b09 |
ca_cert_files = Knob(
|
|
|
403b09 |
(list, str), None,
|
|
|
403b09 |
@@ -341,10 +326,7 @@ class BaseServer(common.Installable, common.Interactive, core.Composite):
|
|
|
403b09 |
cli_short_name='N',
|
|
|
403b09 |
)
|
|
|
403b09 |
|
|
|
403b09 |
- no_pkinit = Knob(
|
|
|
403b09 |
- bool, False,
|
|
|
403b09 |
- description="disables pkinit setup steps",
|
|
|
403b09 |
- )
|
|
|
403b09 |
+ no_pkinit = False
|
|
|
403b09 |
|
|
|
403b09 |
no_ui_redirect = Knob(
|
|
|
590d18 |
bool, False,
|
|
|
403b09 |
@@ -384,6 +366,10 @@ class BaseServer(common.Installable, common.Interactive, core.Composite):
|
|
|
403b09 |
if not os.path.exists(value):
|
|
|
403b09 |
raise ValueError("File %s does not exist." % value)
|
|
|
403b09 |
|
|
|
403b09 |
+ pkinit_cert_files = None
|
|
|
403b09 |
+ pkinit_pin = None
|
|
|
403b09 |
+ pkinit_cert_name = None
|
|
|
403b09 |
+ no_pkinit = False
|
|
|
403b09 |
|
|
|
403b09 |
def __init__(self, **kwargs):
|
|
|
403b09 |
super(BaseServer, self).__init__(**kwargs)
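Review bot: `no_pkinit = False` is now defined twice in `class BaseServer`: once in the earlier hunk of this file (`@@ -341,10 +326,7 @@`, replacing the Knob) and again here, so the first definition is dead and the second silently wins; drop one of them. The three `pkinit_*` attributes added here also duplicate the plain-`None` attributes the patch puts on `BaseServerCA` in the earlier hunks; if `BaseServer` code reads `self.pkinit_*` directly that may be intended, but a one-line comment such as `# PKINIT is hidden in production builds (ticket 616); plain attributes keep code that reads self.pkinit_* working` would make the intent explicit and stop a later cleanup from removing them. Placing these class attributes between the end of a validation method and `__init__` is also easy to miss; they belong with the other attribute definitions near the top of the class. The enclosing class and the method before the inserted lines both extend outside the hunk.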
|
|
|
403b09 |
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
|
|
|
403b09 |
index b33b0243d4d909a561b59d93f0014c390146b333..c292c4d24bfde1484769698ee2a7ef59a6fcc52c 100644
|
|
|
403b09 |
--- a/ipaserver/install/server/install.py
|
|
|
403b09 |
+++ b/ipaserver/install/server/install.py
|
|
|
403b09 |
@@ -1169,11 +1169,6 @@ class ServerCA(BaseServerCA):
|
|
|
403b09 |
cli_aliases=['http_pkcs12'],
|
|
|
403b09 |
)
|
|
|
403b09 |
|
|
|
403b09 |
- pkinit_cert_files = Knob(
|
|
|
403b09 |
- BaseServerCA.pkinit_cert_files,
|
|
|
403b09 |
- cli_aliases=['pkinit_pkcs12'],
|
|
|
403b09 |
- )
|
|
|
403b09 |
-
|
|
|
403b09 |
dirsrv_pin = Knob(
|
|
|
403b09 |
BaseServerCA.dirsrv_pin,
|
|
|
403b09 |
cli_aliases=['dirsrv_pin'],
|
|
|
403b09 |
@@ -1184,14 +1179,8 @@ class ServerCA(BaseServerCA):
|
|
|
403b09 |
cli_aliases=['http_pin'],
|
|
|
590d18 |
)
|
|
|
590d18 |
|
|
|
403b09 |
- pkinit_pin = Knob(
|
|
|
403b09 |
- BaseServerCA.pkinit_pin,
|
|
|
403b09 |
- cli_aliases=['pkinit_pin'],
|
|
|
403b09 |
- )
|
|
|
403b09 |
-
|
|
|
403b09 |
dirsrv_cert_name = Knob(BaseServerCA.dirsrv_cert_name)
|
|
|
403b09 |
http_cert_name = Knob(BaseServerCA.http_cert_name)
|
|
|
403b09 |
- pkinit_cert_name = Knob(BaseServerCA.pkinit_cert_name)
|
|
|
403b09 |
ca_cert_files = Knob(BaseServerCA.ca_cert_files)
|
|
|
403b09 |
subject = Knob(BaseServerCA.subject)
|
|
|
403b09 |
ca_signing_algorithm = Knob(BaseServerCA.ca_signing_algorithm)
|
|
|
403b09 |
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
|
|
|
ff14fa |
index 2a1c290351d8ce1dade5eea2f67539659555af2e..aaa56c4691ae47d764d86b627df913c5e320c411 100644
|
|
|
403b09 |
--- a/ipaserver/install/server/replicainstall.py
|
|
|
403b09 |
+++ b/ipaserver/install/server/replicainstall.py
|
|
|
ff14fa |
@@ -1595,7 +1595,6 @@ class Replica(BaseServer):
|
|
|
403b09 |
mkhomedir = Knob(BaseServer.mkhomedir)
|
|
|
403b09 |
no_host_dns = Knob(BaseServer.no_host_dns)
|
|
|
403b09 |
no_ntp = Knob(BaseServer.no_ntp)
|
|
|
403b09 |
- no_pkinit = Knob(BaseServer.no_pkinit)
|
|
|
403b09 |
no_ui_redirect = Knob(BaseServer.no_ui_redirect)
|
|
|
403b09 |
ssh_trust_dns = Knob(BaseServer.ssh_trust_dns)
|
|
|
403b09 |
no_ssh = Knob(BaseServer.no_ssh)
|
|
|
99b6f7 |
--
2.9.3