From 7b9f8b3ba5c2768879906227e4f526b2675337ea Mon Sep 17 00:00:00 2001
From: Martin Kosek <mkosek@redhat.com>
Date: Wed, 22 May 2013 09:38:50 +0200
Subject: [PATCH 1001/1006] Hide pkinit functionality from production version

Rebased from original patch from Jan Zeleny and Rob Crittenden.

https://fedorahosted.org/freeipa/ticket/616
---
 install/tools/ipa-replica-install        |  5 +++--
 install/tools/ipa-server-install         | 10 ++++------
 ipaserver/install/ipa_replica_prepare.py | 11 +++--------
 3 files changed, 10 insertions(+), 16 deletions(-)

diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 79f8a7ab48f75ac2d9cd5149df6eda4784b3854a..36bf492946d5e4873827d7d3149be659447065aa 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -96,8 +96,6 @@ def parse_options():
     parser.add_option_group(basic_group)
 
     cert_group = OptionGroup(parser, "certificate system options")
-    cert_group.add_option("--no-pkinit", dest="setup_pkinit", action="store_false",
-                      default=True, help="disables pkinit setup steps")
     cert_group.add_option("--skip-schema-check", dest="skip_schema_check", action="store_true",
                       default=False, help="skip check for updated CA DS schema on the remote master")
     parser.add_option_group(cert_group)
@@ -122,6 +120,9 @@ def parse_options():
     options, args = parser.parse_args()
     safe_options = parser.get_safe_opts(options)
 
+    # pkinit is disabled in production version
+    options.setup_pkinit = False
+
     if len(args) != 1:
         parser.error("you must provide a file generated by ipa-replica-prepare")
 
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index fafa14ea18195546b160c175d7fd656a066327b5..00aed1953f58c7f7c6a3c9bae8dcab8b8a669b62 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -173,20 +173,14 @@ def parse_options():
                       help="PEM file containing a certificate signed by the external CA")
     cert_group.add_option("", "--external_ca_file", dest="external_ca_file",
                       help="PEM file containing the external CA chain")
-    cert_group.add_option("--no-pkinit", dest="setup_pkinit", action="store_false",
-                      default=True, help="disables pkinit setup steps")
     cert_group.add_option("--dirsrv_pkcs12", dest="dirsrv_pkcs12",
                       help="PKCS#12 file containing the Directory Server SSL certificate")
     cert_group.add_option("--http_pkcs12", dest="http_pkcs12",
                       help="PKCS#12 file containing the Apache Server SSL certificate")
-    cert_group.add_option("--pkinit_pkcs12", dest="pkinit_pkcs12",
-                      help="PKCS#12 file containing the Kerberos KDC SSL certificate")
     cert_group.add_option("--dirsrv_pin", dest="dirsrv_pin", sensitive=True,
                       help="The password of the Directory Server PKCS#12 file")
     cert_group.add_option("--http_pin", dest="http_pin", sensitive=True,
                       help="The password of the Apache Server PKCS#12 file")
-    cert_group.add_option("--pkinit_pin", dest="pkinit_pin",
-                      help="The password of the Kerberos KDC PKCS#12 file")
     cert_group.add_option("--root-ca-file", dest="root_ca_file",
                       help="PEM file with root CA certificate(s) to trust")
     cert_group.add_option("--subject", action="callback", callback=subject_callback,
@@ -236,6 +230,10 @@ def parse_options():
     options, args = parser.parse_args()
     safe_options = parser.get_safe_opts(options)
 
+    # pkinit is disabled in production version
+    options.pkinit_pin = False
+    options.pkinit_pkcs12 = False
+
     if options.dm_password is not None:
         try:
             validate_dm_password(options.dm_password)
diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index 83bf2b28c370c77c5e901dfd0627ea7140b4cf0a..606c3e607682d3dca8d31ed25cce006b17683f51 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -57,9 +57,6 @@ def add_options(cls, parser):
         parser.add_option("--no-reverse", dest="no_reverse",
             action="store_true", default=False,
             help="do not create reverse DNS zone")
-        parser.add_option("--no-pkinit", dest="setup_pkinit",
-            action="store_false", default=True,
-            help="disables pkinit setup steps")
         parser.add_option("--ca", dest="ca_file", default="/root/cacert.p12",
             metavar="FILE",
             help="location of CA PKCS#12 file, default /root/cacert.p12")
@@ -72,15 +69,10 @@ def add_options(cls, parser):
         group.add_option("--http_pkcs12", dest="http_pkcs12",
             metavar="FILE",
             help="install certificate for the http server")
-        group.add_option("--pkinit_pkcs12", dest="pkinit_pkcs12",
-            metavar="FILE",
-            help="install certificate for the KDC")
         group.add_option("--dirsrv_pin", dest="dirsrv_pin", metavar="PIN",
             help="PIN for the Directory Server PKCS#12 file")
         group.add_option("--http_pin", dest="http_pin", metavar="PIN",
             help="PIN for the Apache Server PKCS#12 file")
-        group.add_option("--pkinit_pin", dest="pkinit_pin", metavar="PIN",
-            help="PIN for the KDC pkinit PKCS#12 file")
         parser.add_option_group(group)
 
     def validate_options(self):
@@ -100,7 +92,10 @@ def validate_options(self):
                 "option together with --no-reverse")
 
         #Automatically disable pkinit w/ dogtag until that is supported
+        # pkinit is disabled in production version
         options.setup_pkinit = False
+        options.pkinit_pin = False
+        options.pkinit_pkcs12 = False
 
         # If any of the PKCS#12 options are selected, all are required.
         pkcs12_req = (options.dirsrv_pkcs12, options.http_pkcs12)
-- 
1.8.3.1