ff14fa
From 0ae346b514a1bd093c8ae6166f206138a5035efa Mon Sep 17 00:00:00 2001
99b6f7
From: Martin Kosek <mkosek@redhat.com>
e3ffab
Date: Fri, 5 Sep 2014 11:24:27 +0200
031d60
Subject: [PATCH] Hide pkinit functionality from production version
99b6f7
99b6f7
Rebased from original patch from Jan Zeleny and Rob Crittenden.
99b6f7
99b6f7
https://fedorahosted.org/freeipa/ticket/616
99b6f7
---
403b09
 ipaserver/install/ipa_replica_prepare.py   | 21 ++++-----------------
403b09
 ipaserver/install/server/common.py         | 30 ++++++++----------------------
403b09
 ipaserver/install/server/install.py        | 11 -----------
403b09
 ipaserver/install/server/replicainstall.py |  1 -
403b09
 4 files changed, 12 insertions(+), 51 deletions(-)
99b6f7
99b6f7
diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
403b09
index 80813086c6a7212bdb6ef9d54202b28808b80076..9ba536163bf5c2882d8fc593457dab78a08e849a 100644
99b6f7
--- a/ipaserver/install/ipa_replica_prepare.py
99b6f7
+++ b/ipaserver/install/ipa_replica_prepare.py
403b09
@@ -85,9 +85,6 @@ class ReplicaPrepare(admintool.AdminTool):
403b09
         parser.add_option("--allow-zone-overlap", dest="allow_zone_overlap",
403b09
             action="store_true", default=False, help="create DNS "
403b09
             "zone even if it already exists")
99b6f7
-        parser.add_option("--no-pkinit", dest="setup_pkinit",
99b6f7
-            action="store_false", default=True,
99b6f7
-            help="disables pkinit setup steps")
e3ffab
         parser.add_option("--ca", dest="ca_file", default=paths.CACERT_P12,
99b6f7
             metavar="FILE",
99b6f7
             help="location of CA PKCS#12 file, default /root/cacert.p12")
403b09
@@ -109,12 +106,6 @@ class ReplicaPrepare(admintool.AdminTool):
e3ffab
         group.add_option("--http_pkcs12", dest="http_cert_files",
e3ffab
             action="append",
e3ffab
             help=SUPPRESS_HELP)
e3ffab
-        group.add_option("--pkinit-cert-file", dest="pkinit_cert_files",
e3ffab
-            action="append", metavar="FILE",
e3ffab
-            help="File containing the Kerberos KDC SSL certificate and private key")
e3ffab
-        group.add_option("--pkinit_pkcs12", dest="pkinit_cert_files",
e3ffab
-            action="append",
e3ffab
-            help=SUPPRESS_HELP)
e3ffab
         group.add_option("--dirsrv-pin", dest="dirsrv_pin", sensitive=True,
e3ffab
             metavar="PIN",
e3ffab
             help="The password to unlock the Directory Server private key")
403b09
@@ -125,20 +116,12 @@ class ReplicaPrepare(admintool.AdminTool):
e3ffab
             help="The password to unlock the Apache Server private key")
e3ffab
         group.add_option("--http_pin", dest="http_pin", sensitive=True,
e3ffab
             help=SUPPRESS_HELP)
e3ffab
-        group.add_option("--pkinit-pin", dest="pkinit_pin", sensitive=True,
e3ffab
-            metavar="PIN",
e3ffab
-            help="The password to unlock the Kerberos KDC private key")
e3ffab
-        group.add_option("--pkinit_pin", dest="pkinit_pin", sensitive=True,
e3ffab
-            help=SUPPRESS_HELP)
e3ffab
         group.add_option("--dirsrv-cert-name", dest="dirsrv_cert_name",
e3ffab
             metavar="NAME",
e3ffab
             help="Name of the Directory Server SSL certificate to install")
e3ffab
         group.add_option("--http-cert-name", dest="http_cert_name",
e3ffab
             metavar="NAME",
e3ffab
             help="Name of the Apache Server SSL certificate to install")
e3ffab
-        group.add_option("--pkinit-cert-name", dest="pkinit_cert_name",
e3ffab
-            metavar="NAME",
e3ffab
-            help="Name of the Kerberos KDC SSL certificate to install")
99b6f7
         parser.add_option_group(group)
99b6f7
 
99b6f7
     def validate_options(self):
403b09
@@ -158,7 +141,11 @@ class ReplicaPrepare(admintool.AdminTool):
99b6f7
                 "option together with --no-reverse")
99b6f7
 
99b6f7
         #Automatically disable pkinit w/ dogtag until that is supported
99b6f7
+        # pkinit is disabled in production version
99b6f7
         options.setup_pkinit = False
403b09
+        options.pkinit_cert_files = None
403b09
+        options.pkinit_pin = None
403b09
+        options.pkinit_cert_name = None
99b6f7
 
99b6f7
         # If any of the PKCS#12 options are selected, all are required.
e3ffab
         cert_file_req = (options.dirsrv_cert_files, options.http_cert_files)
403b09
diff --git a/ipaserver/install/server/common.py b/ipaserver/install/server/common.py
403b09
index e6093d15cd1067a83ed89945c4a9c983c66ec06f..a64a0938f3829ce58e22b5b9043373aa7eb7dfe2 100644
403b09
--- a/ipaserver/install/server/common.py
403b09
+++ b/ipaserver/install/server/common.py
403b09
@@ -72,13 +72,7 @@ class BaseServerCA(common.Installable, core.Group, core.Composite):
403b09
         cli_metavar='FILE',
590d18
     )
590d18
 
403b09
-    pkinit_cert_files = Knob(
403b09
-        (list, str), None,
403b09
-        description=("File containing the Kerberos KDC SSL certificate and "
403b09
-                     "private key"),
403b09
-        cli_name='pkinit-cert-file',
403b09
-        cli_metavar='FILE',
403b09
-    )
403b09
+    pkinit_cert_files = None
590d18
 
403b09
     dirsrv_pin = Knob(
590d18
         str, None,
403b09
@@ -94,12 +88,7 @@ class BaseServerCA(common.Installable, core.Group, core.Composite):
403b09
         cli_metavar='PIN',
403b09
     )
403b09
 
403b09
-    pkinit_pin = Knob(
403b09
-        str, None,
403b09
-        sensitive=True,
403b09
-        description="The password to unlock the Kerberos KDC private key",
403b09
-        cli_metavar='PIN',
403b09
-    )
403b09
+    pkinit_pin = None
590d18
 
403b09
     dirsrv_cert_name = Knob(
590d18
         str, None,
403b09
@@ -113,11 +102,7 @@ class BaseServerCA(common.Installable, core.Group, core.Composite):
590d18
         cli_metavar='NAME',
590d18
     )
590d18
 
403b09
-    pkinit_cert_name = Knob(
403b09
-        str, None,
403b09
-        description="Name of the Kerberos KDC SSL certificate to install",
403b09
-        cli_metavar='NAME',
403b09
-    )
403b09
+    pkinit_cert_name = None
403b09
 
403b09
     ca_cert_files = Knob(
403b09
         (list, str), None,
403b09
@@ -341,10 +326,7 @@ class BaseServer(common.Installable, common.Interactive, core.Composite):
403b09
         cli_short_name='N',
403b09
     )
403b09
 
403b09
-    no_pkinit = Knob(
403b09
-        bool, False,
403b09
-        description="disables pkinit setup steps",
403b09
-    )
403b09
+    no_pkinit = False
403b09
 
403b09
     no_ui_redirect = Knob(
590d18
         bool, False,
403b09
@@ -384,6 +366,10 @@ class BaseServer(common.Installable, common.Interactive, core.Composite):
403b09
         if not os.path.exists(value):
403b09
             raise ValueError("File %s does not exist." % value)
403b09
 
403b09
+    pkinit_cert_files = None
403b09
+    pkinit_pin = None
403b09
+    pkinit_cert_name = None
403b09
+    no_pkinit = False
403b09
 
403b09
     def __init__(self, **kwargs):
403b09
         super(BaseServer, self).__init__(**kwargs)
403b09
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
403b09
index b33b0243d4d909a561b59d93f0014c390146b333..c292c4d24bfde1484769698ee2a7ef59a6fcc52c 100644
403b09
--- a/ipaserver/install/server/install.py
403b09
+++ b/ipaserver/install/server/install.py
403b09
@@ -1169,11 +1169,6 @@ class ServerCA(BaseServerCA):
403b09
         cli_aliases=['http_pkcs12'],
403b09
     )
403b09
 
403b09
-    pkinit_cert_files = Knob(
403b09
-        BaseServerCA.pkinit_cert_files,
403b09
-        cli_aliases=['pkinit_pkcs12'],
403b09
-    )
403b09
-
403b09
     dirsrv_pin = Knob(
403b09
         BaseServerCA.dirsrv_pin,
403b09
         cli_aliases=['dirsrv_pin'],
403b09
@@ -1184,14 +1179,8 @@ class ServerCA(BaseServerCA):
403b09
         cli_aliases=['http_pin'],
590d18
     )
590d18
 
403b09
-    pkinit_pin = Knob(
403b09
-        BaseServerCA.pkinit_pin,
403b09
-        cli_aliases=['pkinit_pin'],
403b09
-    )
403b09
-
403b09
     dirsrv_cert_name = Knob(BaseServerCA.dirsrv_cert_name)
403b09
     http_cert_name = Knob(BaseServerCA.http_cert_name)
403b09
-    pkinit_cert_name = Knob(BaseServerCA.pkinit_cert_name)
403b09
     ca_cert_files = Knob(BaseServerCA.ca_cert_files)
403b09
     subject = Knob(BaseServerCA.subject)
403b09
     ca_signing_algorithm = Knob(BaseServerCA.ca_signing_algorithm)
403b09
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
ff14fa
index 2a1c290351d8ce1dade5eea2f67539659555af2e..aaa56c4691ae47d764d86b627df913c5e320c411 100644
403b09
--- a/ipaserver/install/server/replicainstall.py
403b09
+++ b/ipaserver/install/server/replicainstall.py
ff14fa
@@ -1595,7 +1595,6 @@ class Replica(BaseServer):
403b09
     mkhomedir = Knob(BaseServer.mkhomedir)
403b09
     no_host_dns = Knob(BaseServer.no_host_dns)
403b09
     no_ntp = Knob(BaseServer.no_ntp)
403b09
-    no_pkinit = Knob(BaseServer.no_pkinit)
403b09
     no_ui_redirect = Knob(BaseServer.no_ui_redirect)
403b09
     ssh_trust_dns = Knob(BaseServer.ssh_trust_dns)
403b09
     no_ssh = Knob(BaseServer.no_ssh)
99b6f7
-- 
403b09
2.9.3
99b6f7