From b30152e2225fed9a991423c35506f3aa62b38350 Mon Sep 17 00:00:00 2001 From: Martin Kosek Date: Fri, 5 Sep 2014 11:24:27 +0200 Subject: [PATCH] Hide pkinit functionality from production version Rebased from original patch from Jan Zeleny and Rob Crittenden. https://fedorahosted.org/freeipa/ticket/616 --- ipaserver/install/ipa_replica_prepare.py | 20 +++----------------- ipaserver/install/server/install.py | 4 ++++ ipaserver/install/server/replicainstall.py | 1 + 3 files changed, 8 insertions(+), 17 deletions(-) diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py index b9ae60e9bc9d40be5f86e312980846b2ad80f67d..62cc8368abd999bec07154dc2c715431ff0c3b1a 100644 --- a/ipaserver/install/ipa_replica_prepare.py +++ b/ipaserver/install/ipa_replica_prepare.py @@ -65,9 +65,6 @@ class ReplicaPrepare(admintool.AdminTool): parser.add_option("--no-reverse", dest="no_reverse", action="store_true", default=False, help="do not create reverse DNS zone") - parser.add_option("--no-pkinit", dest="setup_pkinit", - action="store_false", default=True, - help="disables pkinit setup steps") parser.add_option("--ca", dest="ca_file", default=paths.CACERT_P12, metavar="FILE", help="location of CA PKCS#12 file, default /root/cacert.p12") @@ -89,12 +86,6 @@ class ReplicaPrepare(admintool.AdminTool): group.add_option("--http_pkcs12", dest="http_cert_files", action="append", help=SUPPRESS_HELP) - group.add_option("--pkinit-cert-file", dest="pkinit_cert_files", - action="append", metavar="FILE", - help="File containing the Kerberos KDC SSL certificate and private key") - group.add_option("--pkinit_pkcs12", dest="pkinit_cert_files", - action="append", - help=SUPPRESS_HELP) group.add_option("--dirsrv-pin", dest="dirsrv_pin", sensitive=True, metavar="PIN", help="The password to unlock the Directory Server private key") 
@@ -105,20 +96,12 @@ class ReplicaPrepare(admintool.AdminTool): help="The password to unlock the Apache Server private key") group.add_option("--http_pin", dest="http_pin", sensitive=True, help=SUPPRESS_HELP) - group.add_option("--pkinit-pin", dest="pkinit_pin", sensitive=True, - metavar="PIN", - help="The password to unlock the Kerberos KDC private key") - group.add_option("--pkinit_pin", dest="pkinit_pin", sensitive=True, - help=SUPPRESS_HELP) group.add_option("--dirsrv-cert-name", dest="dirsrv_cert_name", metavar="NAME", help="Name of the Directory Server SSL certificate to install") group.add_option("--http-cert-name", dest="http_cert_name", metavar="NAME", help="Name of the Apache Server SSL certificate to install") - group.add_option("--pkinit-cert-name", dest="pkinit_cert_name", - metavar="NAME", - help="Name of the Kerberos KDC SSL certificate to install") parser.add_option_group(group) def validate_options(self): @@ -138,7 +121,10 @@ class ReplicaPrepare(admintool.AdminTool): "option together with --no-reverse") #Automatically disable pkinit w/ dogtag until that is supported + # pkinit is disabled in production version options.setup_pkinit = False + options.pkinit_pin = False + options.pkinit_cert_files = False # If any of the PKCS#12 options are selected, all are required. cert_file_req = (options.dirsrv_cert_files, options.http_cert_files) diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index 01dffd08d4c929ebc5ecb6e6b0a8b685c1320dbd..a2a22c6334edf442e07ff3a1b4b9b309de2bc8a5 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -1172,6 +1172,7 @@ class ServerCA(common.Installable, core.Group, core.Composite): no_pkinit = Knob( bool, False, + initializable=False, description="disables pkinit setup steps", ) 
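Review bot: In the `validate_options` hunk of ipa_replica_prepare.py, the added assignments restore only three of the four `dest` names whose options this patch removes; `pkinit_cert_name` is never set on `options`, so a later read of `options.pkinit_cert_name` outside this hunk would raise `AttributeError`. The pin and the certificate list are also set to `False`, whereas an option declared without `default=` normally yields `None`, so any code testing `is None` would see a different state than before. I would write `options.pkinit_pin = None` and `options.pkinit_cert_files = None`, and add `options.pkinit_cert_name = None`. The older dogtag comment directly above the new one now says the same thing twice and could be merged into it. The body of `validate_options` continues outside the hunk, so the readers of these attributes are not visible here.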
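Review bot: In the install.py hunk, `no_pkinit` keeps its default of `False` while `initializable=False` removes the way to set it, so from this hunk alone the hidden knob reads as "pkinit setup not disabled". That is the opposite of ipa_replica_prepare.py, where the patch forces `options.setup_pkinit = False`. Unless the installer overrides the value somewhere outside the diff, the pkinit steps would still run and the operator would have no opt-out; please confirm where the disabled state is enforced and record it next to the knob, for example `# hidden: pkinit is disabled in production version (ticket 616)`. The same applies to the `no_pkinit` knob in ipaserver/install/server/replicainstall.py (class `ReplicaCA`). The Knob definition and the rest of `ServerCA` lie outside the hunk.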
@@ -1195,6 +1196,7 @@ class ServerCA(common.Installable, core.Group, core.Composite): pkinit_cert_files = Knob( (list, str), None, + initializable=False, description=("File containing the Kerberos KDC SSL certificate and " "private key"), cli_name='pkinit-cert-file', @@ -1220,6 +1222,7 @@ class ServerCA(common.Installable, core.Group, core.Composite): pkinit_pin = Knob( str, None, + initializable=False, sensitive=True, description="The password to unlock the Kerberos KDC private key", cli_aliases=['pkinit_pin'], @@ -1240,6 +1243,7 @@ class ServerCA(common.Installable, core.Group, core.Composite): pkinit_cert_name = Knob( str, None, + initializable=False, description="Name of the Kerberos KDC SSL certificate to install", cli_metavar='NAME', ) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index 2ab95add90d33eb191d4e75b62cb4eceac40551b..b000e8ce84df3cb2a6bc90520cb4713ab416f4da 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -690,6 +690,7 @@ class ReplicaCA(common.Installable, core.Group, core.Composite): no_pkinit = Knob( bool, False, + initializable=False, description="disables pkinit setup steps", ) -- 2.5.0
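Review bot: Nothing in the class body explains why `pkinit_cert_files` is still declared but marked `initializable=False`, and the knob keeps its `description` and `cli_name`, so a reader could take it for a supported option. A one-line comment above the knob would settle it, for example `# pkinit is hidden in the production version (ticket 616)`. The same comment belongs on `pkinit_pin` and `pkinit_cert_name` in the next two hunks. `pkinit_pin` also keeps `sensitive=True` and `cli_aliases=['pkinit_pin']`, which deserves a word so the alias is not mistaken for a live way to pass a key password. Each Knob definition continues outside its hunk.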