aa60fb
From b30152e2225fed9a991423c35506f3aa62b38350 Mon Sep 17 00:00:00 2001
99b6f7
From: Martin Kosek <mkosek@redhat.com>
e3ffab
Date: Fri, 5 Sep 2014 11:24:27 +0200
031d60
Subject: [PATCH] Hide pkinit functionality from production version
99b6f7
99b6f7
Rebased from original patch from Jan Zeleny and Rob Crittenden.
99b6f7
99b6f7
https://fedorahosted.org/freeipa/ticket/616
99b6f7
---
590d18
 ipaserver/install/ipa_replica_prepare.py   | 20 +++-----------------
590d18
 ipaserver/install/server/install.py        |  4 ++++
590d18
 ipaserver/install/server/replicainstall.py |  1 +
590d18
 3 files changed, 8 insertions(+), 17 deletions(-)
99b6f7
99b6f7
diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
aa60fb
index b9ae60e9bc9d40be5f86e312980846b2ad80f67d..62cc8368abd999bec07154dc2c715431ff0c3b1a 100644
99b6f7
--- a/ipaserver/install/ipa_replica_prepare.py
99b6f7
+++ b/ipaserver/install/ipa_replica_prepare.py
590d18
@@ -65,9 +65,6 @@ class ReplicaPrepare(admintool.AdminTool):
99b6f7
         parser.add_option("--no-reverse", dest="no_reverse",
99b6f7
             action="store_true", default=False,
99b6f7
             help="do not create reverse DNS zone")
99b6f7
-        parser.add_option("--no-pkinit", dest="setup_pkinit",
99b6f7
-            action="store_false", default=True,
99b6f7
-            help="disables pkinit setup steps")
e3ffab
         parser.add_option("--ca", dest="ca_file", default=paths.CACERT_P12,
99b6f7
             metavar="FILE",
99b6f7
             help="location of CA PKCS#12 file, default /root/cacert.p12")
590d18
@@ -89,12 +86,6 @@ class ReplicaPrepare(admintool.AdminTool):
e3ffab
         group.add_option("--http_pkcs12", dest="http_cert_files",
e3ffab
             action="append",
e3ffab
             help=SUPPRESS_HELP)
e3ffab
-        group.add_option("--pkinit-cert-file", dest="pkinit_cert_files",
e3ffab
-            action="append", metavar="FILE",
e3ffab
-            help="File containing the Kerberos KDC SSL certificate and private key")
e3ffab
-        group.add_option("--pkinit_pkcs12", dest="pkinit_cert_files",
e3ffab
-            action="append",
e3ffab
-            help=SUPPRESS_HELP)
e3ffab
         group.add_option("--dirsrv-pin", dest="dirsrv_pin", sensitive=True,
e3ffab
             metavar="PIN",
e3ffab
             help="The password to unlock the Directory Server private key")
590d18
@@ -105,20 +96,12 @@ class ReplicaPrepare(admintool.AdminTool):
e3ffab
             help="The password to unlock the Apache Server private key")
e3ffab
         group.add_option("--http_pin", dest="http_pin", sensitive=True,
e3ffab
             help=SUPPRESS_HELP)
e3ffab
-        group.add_option("--pkinit-pin", dest="pkinit_pin", sensitive=True,
e3ffab
-            metavar="PIN",
e3ffab
-            help="The password to unlock the Kerberos KDC private key")
e3ffab
-        group.add_option("--pkinit_pin", dest="pkinit_pin", sensitive=True,
e3ffab
-            help=SUPPRESS_HELP)
e3ffab
         group.add_option("--dirsrv-cert-name", dest="dirsrv_cert_name",
e3ffab
             metavar="NAME",
e3ffab
             help="Name of the Directory Server SSL certificate to install")
e3ffab
         group.add_option("--http-cert-name", dest="http_cert_name",
e3ffab
             metavar="NAME",
e3ffab
             help="Name of the Apache Server SSL certificate to install")
e3ffab
-        group.add_option("--pkinit-cert-name", dest="pkinit_cert_name",
e3ffab
-            metavar="NAME",
e3ffab
-            help="Name of the Kerberos KDC SSL certificate to install")
99b6f7
         parser.add_option_group(group)
99b6f7
 
99b6f7
     def validate_options(self):
590d18
@@ -138,7 +121,10 @@ class ReplicaPrepare(admintool.AdminTool):
99b6f7
                 "option together with --no-reverse")
99b6f7
 
99b6f7
         #Automatically disable pkinit w/ dogtag until that is supported
99b6f7
+        # pkinit is disabled in production version
99b6f7
         options.setup_pkinit = False
99b6f7
+        options.pkinit_pin = False
e3ffab
+        options.pkinit_cert_files = False
99b6f7
 
99b6f7
         # If any of the PKCS#12 options are selected, all are required.
e3ffab
         cert_file_req = (options.dirsrv_cert_files, options.http_cert_files)
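Review bot: The two added assignments set `options.pkinit_pin` and `options.pkinit_cert_files` to `False`, although these hold a PIN string and a list of files and optparse would have left them as `None` when unset. Any later `is None` test on them would therefore see a different value than in the unset case, so `options.pkinit_pin = None` and `options.pkinit_cert_files = None` are the safer sentinels. The `--pkinit-cert-name` option is removed in the previous hunk, but `options.pkinit_cert_name` gets no value here, so any remaining read of it would raise AttributeError; add `options.pkinit_cert_name = None`. validate_options continues past the end of this hunk, so whether such reads remain cannot be confirmed from these lines. The older comment about dogtag now sits beside the new one and gives a different reason for the same assignment; keep only one.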
590d18
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
aa60fb
index 01dffd08d4c929ebc5ecb6e6b0a8b685c1320dbd..a2a22c6334edf442e07ff3a1b4b9b309de2bc8a5 100644
590d18
--- a/ipaserver/install/server/install.py
590d18
+++ b/ipaserver/install/server/install.py
aa60fb
@@ -1172,6 +1172,7 @@ class ServerCA(common.Installable, core.Group, core.Composite):
590d18
 
590d18
     no_pkinit = Knob(
590d18
         bool, False,
590d18
+        initializable=False,
590d18
         description="disables pkinit setup steps",
590d18
     )
590d18
 
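Review bot: `initializable=False` presumably hides `no_pkinit` from the command line, but the knob's default stays `False`, which by its own description means the pkinit setup steps are not disabled. Nothing in the visible lines forces pkinit off. If code outside these hunks derives the setup flag from `not no_pkinit`, the production build would still run the hidden feature and an administrator could no longer turn it off. Either change the default (`bool, True,`) or confirm the installer overrides it elsewhere, and record the reason above the knob, e.g. `# pkinit is hidden in the production build (ticket 616)`. The same applies to the `no_pkinit` knob in ipaserver/install/server/replicainstall.py.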
aa60fb
@@ -1195,6 +1196,7 @@ class ServerCA(common.Installable, core.Group, core.Composite):
590d18
 
590d18
     pkinit_cert_files = Knob(
590d18
         (list, str), None,
590d18
+        initializable=False,
590d18
         description=("File containing the Kerberos KDC SSL certificate and "
590d18
                      "private key"),
590d18
         cli_name='pkinit-cert-file',
aa60fb
@@ -1220,6 +1222,7 @@ class ServerCA(common.Installable, core.Group, core.Composite):
590d18
 
590d18
     pkinit_pin = Knob(
590d18
         str, None,
590d18
+        initializable=False,
590d18
         sensitive=True,
590d18
         description="The password to unlock the Kerberos KDC private key",
590d18
         cli_aliases=['pkinit_pin'],
aa60fb
@@ -1240,6 +1243,7 @@ class ServerCA(common.Installable, core.Group, core.Composite):
590d18
 
590d18
     pkinit_cert_name = Knob(
590d18
         str, None,
590d18
+        initializable=False,
590d18
         description="Name of the Kerberos KDC SSL certificate to install",
590d18
         cli_metavar='NAME',
590d18
     )
590d18
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
aa60fb
index 2ab95add90d33eb191d4e75b62cb4eceac40551b..b000e8ce84df3cb2a6bc90520cb4713ab416f4da 100644
590d18
--- a/ipaserver/install/server/replicainstall.py
590d18
+++ b/ipaserver/install/server/replicainstall.py
aa60fb
@@ -690,6 +690,7 @@ class ReplicaCA(common.Installable, core.Group, core.Composite):
590d18
 
590d18
     no_pkinit = Knob(
590d18
         bool, False,
590d18
+        initializable=False,
590d18
         description="disables pkinit setup steps",
590d18
     )
590d18
 
99b6f7
-- 
aa60fb
2.5.0
99b6f7