From 78d42fcb8def1c21dc9a82251b760ab1b7a23f88 Mon Sep 17 00:00:00 2001
From: Matthew Harmsen <mharmsen@redhat.com>
Date: Wed, 30 Mar 2016 15:16:06 -0600
Subject: [PATCH] Fixed KRA install problem.

Currently when installing an additional subsystem to an existing
instance the install tool always generates a new random password in
the pki_pin property which would not work with the existing NSS
database. The code has been modified to load the existing NSS
database password from the instance if the instance already exists.

The PKIInstance class has been modified to allow loading a partially
created instance, to support the installation.

https://fedorahosted.org/pki/ticket/2247

Altered from 'master' (10.3.0) so that it could be applied
to 'DOGTAG_10_2_5_RHEL_BRANCH' (10.2.5).
---
 base/server/python/pki/server/__init__.py          | 54 ++++++++++++----------
 .../python/pki/server/deployment/pkiparser.py      | 18 ++++++--
 2 files changed, 44 insertions(+), 28 deletions(-)

diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
index 22b6fcf..971a3f6 100644
--- a/base/server/python/pki/server/__init__.py
+++ b/base/server/python/pki/server/__init__.py
@@ -413,40 +413,44 @@ class PKIInstance(object):
 
     def load(self):
         # load UID and GID
-        with open(self.registry_file, 'r') as registry:
-            lines = registry.readlines()
+        if os.path.exists(self.registry_file):
 
-        for line in lines:
+            with open(self.registry_file, 'r') as registry:
+                lines = registry.readlines()
 
-            m = re.search('^PKI_USER=(.*)$', line)
-            if m:
-                self.user = m.group(1)
-                self.uid = pwd.getpwnam(self.user).pw_uid
+            for line in lines:
+                m = re.search('^PKI_USER=(.*)$', line)
+                if m:
+                    self.user = m.group(1)
+                    self.uid = pwd.getpwnam(self.user).pw_uid
 
-            m = re.search('^PKI_GROUP=(.*)$', line)
-            if m:
-                self.group = m.group(1)
-                self.gid = grp.getgrnam(self.group).gr_gid
+                m = re.search('^PKI_GROUP=(.*)$', line)
+                if m:
+                    self.group = m.group(1)
+                    self.gid = grp.getgrnam(self.group).gr_gid
 
         # load passwords
         self.passwords.clear()
-        lines = open(self.password_conf).read().splitlines()
+        if os.path.exists(self.password_conf):
 
-        for line in lines:
-            parts = line.split('=', 1)
-            name = parts[0]
-            value = parts[1]
-            self.passwords[name] = value
+            lines = open(self.password_conf).read().splitlines()
+
+            for line in lines:
+                parts = line.split('=', 1)
+                name = parts[0]
+                value = parts[1]
+                self.passwords[name] = value
 
         # load subsystems
-        for subsystem_name in os.listdir(self.registry_dir):
-            if subsystem_name in SUBSYSTEM_TYPES:
-                if subsystem_name in SUBSYSTEM_CLASSES:
-                    subsystem = SUBSYSTEM_CLASSES[subsystem_name](self)
-                else:
-                    subsystem = PKISubsystem(self, subsystem_name)
-                subsystem.load()
-                self.subsystems.append(subsystem)
+        if os.path.exists(self.registry_dir):
+            for subsystem_name in os.listdir(self.registry_dir):
+                if subsystem_name in SUBSYSTEM_TYPES:
+                    if subsystem_name in SUBSYSTEM_CLASSES:
+                        subsystem = SUBSYSTEM_CLASSES[subsystem_name](self)
+                    else:
+                        subsystem = PKISubsystem(self, subsystem_name)
+                    subsystem.load()
+                    self.subsystems.append(subsystem)
 
     def get_password(self, name):
         if name in self.passwords:
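Review bot: The password file is still read with a bare `open(self.password_conf).read().splitlines()` inside the new `if os.path.exists(...)` guard, so the handle holding the NSS password file is never explicitly closed, unlike the registry file a few lines above which uses `with`. Make it `with open(self.password_conf, 'r') as password_conf:` / `lines = password_conf.read().splitlines()` so both blocks close their files deterministically. The parsing loop also indexes `parts[1]` unconditionally, so a blank or malformed line in password.conf raises IndexError rather than being skipped; a one-line `if len(parts) != 2: continue` before the assignments would make load() tolerant of that. Note that with these guards a missing registry file or password.conf now silently yields an instance with no passwords and whatever default user/uid fields the constructor set — that is what the pkiparser change relies on, but a short comment above the `if os.path.exists(self.registry_file):` line saying `# a partially created instance may lack these files; load whatever exists` would make the intent explicit.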
diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
index 14fe519..a5aaa97 100644
--- a/base/server/python/pki/server/deployment/pkiparser.py
+++ b/base/server/python/pki/server/deployment/pkiparser.py
@@ -569,9 +569,21 @@ class PKIConfigParser:
             pin_low = 100000000000
             pin_high = 999999999999
 
-            # use user-provided PIN if specified
-            if 'pki_pin' not in self.mdict:
-                # otherwise generate a random password
+            instance = pki.server.PKIInstance(self.mdict['pki_instance_name'])
+            instance.load()
+
+            internal_password = self.mdict['pki_self_signed_token']
+
+            # if instance already exists and has password, reuse the password
+            if internal_password in instance.passwords:
+                self.mdict['pki_pin'] = instance.passwords.get(internal_password)
+
+            # otherwise, use user-provided password if specified
+            elif 'pki_pin' in self.mdict:
+                pass
+
+            # otherwise, generate a random password
+            else:
                 self.mdict['pki_pin'] = \
                     random.randint(pin_low, pin_high)
 
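Review bot: The `elif 'pki_pin' in self.mdict: pass` branch is an empty arm kept only to hold a comment, and the preceding `if` does an `in` check followed by a `.get()` on the same key; both read more cleanly as `if internal_password in instance.passwords:` / `self.mdict['pki_pin'] = instance.passwords[internal_password]` / `elif 'pki_pin' not in self.mdict:` with the random generation under that `elif` and the "user-provided PIN" case left as a comment. The lookup key is `self.mdict['pki_self_signed_token']`, so if an existing password.conf stores the internal NSS password under a different name than that token value, the lookup misses and the code falls through to generating a fresh random PIN with no log message — exactly the symptom the commit fixes; this cannot be confirmed from the hunk, so at minimum log which branch was taken. Calling `instance.load()` here also loads every subsystem in the registry just to read one password, and `load()` itself can raise on a registry that names a user not yet present on the system, which is worth a short comment since this code runs mid-install. The enclosing method begins and ends outside the hunk.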
-- 
1.8.3.1