From 1e5944cff413765cfb344bb0b4138f14be29218d Mon Sep 17 00:00:00 2001
From: Marco Fargetta
Date: Fri, 13 Sep 2024 12:05:55 +0200
Subject: [PATCH] Update EST and ACME pkispawn to share realm config

---
 base/server/etc/default.cfg | 21 ++++++++++----
 base/server/python/pki/server/cli/acme.py | 14 ++++-----
 .../python/pki/server/deployment/__init__.py | 29 ++++++++++++-------
 base/server/python/pki/server/pkispawn.py | 25 +++++++---------
 base/server/python/pki/server/subsystem.py | 12 ++++----
 5 files changed, 57 insertions(+), 44 deletions(-)

diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
index f97689b6563..65f8db1c2f0 100644
--- a/base/server/etc/default.cfg
+++ b/base/server/etc/default.cfg
@@ -672,8 +672,10 @@ pki_registry_enable=False
 ## required information which MAY be overridden by users as necessary. ##
 ###############################################################################
 [EST]
+pki_external=False
 pki_realm_config=True
-pki_import_admin_cert=True
+pki_registry_enable=False
+pki_import_admin_cert=False
 pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
 pki_admin_name=%(pki_admin_uid)s
 pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
@@ -681,13 +683,20 @@ pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,ou=%(pki_instanc
 pki_admin_uid=estadmin
 pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s EST
 pki_audit_signing_subject_dn=cn=EST Audit Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
-pki_ds_base_dn=o=%(pki_instance_name)s-EST
-pki_ds_database=%(pki_instance_name)s-EST
-pki_ds_hostname=%(pki_hostname)s
+pki_ds_setup=False
+pki_realm_type=ds
+pki_realm_url=ldap://%(pki_hostname)s:3389
+pki_realm_auth_type=BasicAuth
+pki_realm_bind_dn=cn=Directory Manager
+pki_realm_bind_password=
+pki_realm_nickname=
+pki_realm_user=
+pki_realm_username=
+pki_realm_password=
+pki_realm_users_dn=ou=people,dc=est,dc=pki,dc=example,dc=com
+pki_realm_groups_dn=ou=groups,dc=est,dc=pki,dc=example,dc=com
 pki_subsystem_name=EST %(pki_hostname)s %(pki_https_port)s
 pki_ca_uri=https://%(pki_hostname)s:%(pki_https_port)s
-pki_share_db=True
-pki_share_dbuser_dn=uid=pkidbuser,ou=people,%(pki_ds_base_dn)s
 pki_est_ca_profile=estServiceCert
 pki_est_ca_user=
 pki_est_ca_password=
diff --git a/base/server/python/pki/server/cli/acme.py b/base/server/python/pki/server/cli/acme.py
index 07a9202d7ed..2c04e061491 100644
--- a/base/server/python/pki/server/cli/acme.py
+++ b/base/server/python/pki/server/cli/acme.py
@@ -1224,7 +1224,7 @@ def execute(self, argv):
 realm_class = config.get('class')
- realm_type = pki.server.subsystem.ACME_REALM_TYPES.get(realm_class)
+ realm_type = pki.server.subsystem.REALM_TYPES.get(realm_class)
 print(' Realm Type: %s' % realm_type)
 if realm_type == 'in-memory':
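Review bot: The new `[EST]` defaults bind the realm as `pki_realm_bind_dn=cn=Directory Manager` with an empty `pki_realm_bind_password` over `pki_realm_url=ldap://%(pki_hostname)s:3389`, so unless a deployment file overrides all three the EST realm is configured with the directory's root account, no password, and a bind that is cleartext unless the realm negotiates StartTLS (nothing in this patch shows that it does). Before this change the realm reused `pki_ds_bind_dn`/`pki_ds_password`, so an existing deployment file that only sets those keys now silently ends up with an empty `bindPassword` in realm.conf. A dedicated low-privilege realm account as the default bind DN and an `ldaps://` default URL, or at minimum a spawn-time check that rejects an empty bind password when `pki_realm_auth_type=BasicAuth`, would close that gap. `pki_realm_users_dn` and `pki_realm_groups_dn` are also now fixed to `dc=est,dc=pki,dc=example,dc=com` instead of being derived from the instance base DN, which deserves a comment in the section header so operators know these must be overridden.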
@@ -1297,7 +1297,7 @@ def print_help(self):
 print()
 print(' -i, --instance Instance ID (default: pki-tomcat).')
 print(' --type Realm type: {0}'
- .format(', '.join(pki.server.subsystem.ACME_REALM_TYPES.values())))
+ .format(', '.join(pki.server.subsystem.REALM_TYPES.values())))
 print(' -D= Set property value.')
 print(' -v, --verbose Run in verbose mode.')
 print(' --debug Run in debug mode.')
@@ -1326,7 +1326,7 @@ def execute(self, argv):
 elif o == '--type':
 realm_type = a
- if realm_type not in pki.server.subsystem.ACME_REALM_TYPES.values():
+ if realm_type not in pki.server.subsystem.REALM_TYPES.values():
 raise Exception('Invalid realm type: {0}'.format(realm_type))
 elif o == '-D':
@@ -1383,19 +1383,19 @@ def execute(self, argv):
 print()
 print(
 'Enter the type of the realm. '
- 'Available types: %s.' % ', '.join(pki.server.subsystem.ACME_REALM_TYPES.values()))
- realm_type = pki.server.subsystem.ACME_REALM_TYPES.get(realm_class)
+ 'Available types: %s.' % ', '.join(pki.server.subsystem.REALM_TYPES.values()))
+ realm_type = pki.server.subsystem.REALM_TYPES.get(realm_class)
 orig_realm_type = realm_type
 realm_type = pki.util.read_text(
 ' Realm Type',
- options=pki.server.subsystem.ACME_REALM_TYPES.values(),
+ options=pki.server.subsystem.REALM_TYPES.values(),
 default=realm_type,
 required=True)
 pki.util.set_property(
 config,
 'class',
- pki.server.subsystem.ACME_REALM_CLASSES.get(realm_type))
+ pki.server.subsystem.REALM_CLASSES.get(realm_type))
 if orig_realm_type != realm_type:
 source = '/usr/share/pki/acme/realm/{0}/realm.conf'.format(realm_type)
diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py
index 3ef8db5738d..0d25b7288f2 100644
--- a/base/server/python/pki/server/deployment/__init__.py
+++ b/base/server/python/pki/server/deployment/__init__.py
@@ -4979,16 +4979,23 @@ def finalize_tps(self, subsystem):
 def finalize_est(self, subsystem):
 if config.str2bool(self.mdict['pki_realm_config']):
 logger.info('Configuring EST Realm')
- realm_config = {
- 'class': 'com.netscape.cms.realm.PKILDAPRealm',
- 'url': self.mdict['pki_ds_url'],
- 'authType': 'BasicAuth',
- 'bindDN': self.mdict['pki_ds_bind_dn'],
- 'bindPassword': self.mdict['pki_ds_password'],
- 'usersDN': 'ou=people,{}'.format(self.mdict['pki_ds_base_dn']),
- 'groupsDN': 'ou=groups,{}'.format(self.mdict['pki_ds_base_dn'])
- }
- subsystem.add_realm(realm_config)
+ if self.mdict['pki_realm_type'] in REALM_TYPE:
+ realm_config = {
+ 'class': REALM_CLASS[self.mdict['pki_realm_type']],
+ 'url': self.mdict['pki_realm_url'],
+ 'authType': self.mdict['pki_realm_auth_type'],
+ 'bindDN': self.mdict['pki_realm_bind_dn'],
+ 'bindPassword': self.mdict['pki_realm_bind_password'],
+ 'user': self.mdict['pki_realm_user'],
+ 'username': self.mdict['pki_realm_username'],
+ 'password': self.mdict['pki_realm_password'],
+ 'usersDN': self.mdict['pki_realm_users_dn'],
+ 'groupsDN': self.mdict['pki_realm_groups_dn']
+ }
+ subsystem.add_realm(realm_config)
+ elif not self.mdict['pki_realm_type'] or self.mdict['pki_realm_type'] != 'custom':
+ raise Exception('Realm type %s not supported.'%self.mdict['pki_realm_type'])
+
 backend_config = {
 'class': 'org.dogtagpki.est.DogtagRABackend',
 'url': self.mdict['pki_ca_uri'],
@@ -5343,7 +5350,7 @@ def configure_acme_realm(self, subsystem):
 realm_type = self.mdict['acme_realm_type']
 props = subsystem.get_realm_config(realm_type=realm_type)
- realm_class = pki.server.subsystem.ACME_REALM_CLASSES.get(realm_type)
+ realm_class = pki.server.subsystem.REALM_CLASSES.get(realm_type)
 pki.util.set_property(props, 'class', realm_class)
 if realm_type == 'in-memory':
diff --git a/base/server/python/pki/server/pkispawn.py b/base/server/python/pki/server/pkispawn.py
index 79a79fbd979..2a62b49da4f 100644
--- a/base/server/python/pki/server/pkispawn.py
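Review bot: `REALM_TYPE` and `REALM_CLASS` in the new finalize_est branch are not the names this patch defines; subsystem.py exports `REALM_CLASSES` and `REALM_TYPES`, and the configure_acme_realm hunk below reaches them as `pki.server.subsystem.REALM_CLASSES`, so unless deployment/__init__.py defines these singular names somewhere outside the hunk the EST realm setup stops with a NameError. Note also that `REALM_TYPES` is keyed by class name, so the membership test must use the classes map: `if self.mdict['pki_realm_type'] in pki.server.subsystem.REALM_CLASSES:` and `'class': pki.server.subsystem.REALM_CLASSES[self.mdict['pki_realm_type']],`. The `elif` can drop the redundant `not self.mdict['pki_realm_type'] or` since an empty string already fails the `!= 'custom'` test, and a `ValueError` with spaces around `%` would match the rest of the module better than a bare `Exception`. With default.cfg now shipping `pki_realm_bind_password=` empty, `bindPassword` is handed to add_realm empty unless the deployment overrides it, so rejecting an empty password when `pki_realm_auth_type` is `BasicAuth` here would surface the misconfiguration at spawn time instead of later. The finalize_est body continues past the end of the hunk.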
+++ b/base/server/python/pki/server/pkispawn.py
@@ -670,8 +670,8 @@ def main(argv):
 elif deployer.subsystem_type == 'TPS':
 print_tps_step_one_information(parser.mdict, deployer.instance)
- elif deployer.subsystem_type == 'EST':
- print_est_step_one_information(parser.mdict, deployer.instance)
+ elif deployer.subsystem_type == 'EST':
+ print_est_step_information(parser.mdict, deployer.instance)
 elif deployer.subsystem_type == 'ACME':
 print_acme_install_information()
@@ -927,18 +927,6 @@ def print_tps_step_one_information(mdict, instance):
 print(log.PKI_SPAWN_INFORMATION_FOOTER)
-def print_est_step_one_information(mdict, instance):
- print(log.PKI_SPAWN_INFORMATION_HEADER)
- print(" The %s subsystem of the '%s' instance is still incomplete." %
- (deployer.subsystem_type, instance.name))
- print()
- print(" NSS database: %s" % instance.nssdb_dir)
- print()
- print(log.PKI_RUN_INSTALLATION_STEP_TWO)
- print(log.PKI_SPAWN_INFORMATION_FOOTER)
-
-
 def print_skip_configuration_information(mdict, instance):
 print(log.PKI_SPAWN_INFORMATION_HEADER)
@@ -972,6 +960,15 @@ def print_acme_install_information():
 print(log.PKI_SPAWN_INFORMATION_FOOTER)
+def print_est_information(mdict, instance):
+
+ print(log.PKI_SPAWN_INFORMATION_HEADER)
+ print(log.PKI_ACCESS_URL % (deployer.mdict['pki_hostname'],
+ deployer.mdict['pki_https_port'],
+ '.well-known/est/'))
+ print(log.PKI_SPAWN_INFORMATION_FOOTER)
+
+
 def print_final_install_information(mdict, instance):
 print(log.PKI_SPAWN_INFORMATION_HEADER)
diff --git a/base/server/python/pki/server/subsystem.py b/base/server/python/pki/server/subsystem.py
index 58a30d6e657..04f3dfcbed1 100644
--- a/base/server/python/pki/server/subsystem.py
+++ b/base/server/python/pki/server/subsystem.py
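Review bot: main() now calls `print_est_step_information(parser.mdict, deployer.instance)` but the helper added in the third hunk of this file is named `print_est_information`, so an EST spawn ends with a NameError at the point where it should print the access URL; the call should read `print_est_information(parser.mdict, deployer.instance)`. In `print_est_information` itself the `mdict` and `instance` parameters are unused and the host and port come from the module-level `deployer.mdict`; the other print_* helpers in this file are passed `mdict` presumably for exactly this purpose, so `mdict['pki_hostname']` and `mdict['pki_https_port']` would keep the helper consistent and usable without the global. The removed and re-added `elif deployer.subsystem_type == 'EST':` line differs only in whitespace as far as the hunk shows, so that pair is noise. main() starts before the first hunk.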
@@ -66,13 +66,13 @@ ACME_ISSUER_TYPES = {value: key for key, value in ACME_ISSUER_CLASSES.items()}
 # TODO: auto-populate this map from /usr/share/pki/acme/realm
-ACME_REALM_CLASSES = {
- 'ds': 'org.dogtagpki.acme.realm.DSRealm',
- 'in-memory': 'org.dogtagpki.acme.realm.InMemoryRealm',
- 'postgresql': 'org.dogtagpki.acme.realm.PostgreSQLRealm'
+REALM_CLASSES = {
+ 'ds': 'com.netscape.cms.realm.PKILDAPRealm',
+ 'in-memory': 'com.netscape.cms.realm.PKIInMemoryRealm',
+ 'postgresql': 'com.netscape.cms.realm.PKIPostgreSQLRealm'
 }
-ACME_REALM_TYPES = {value: key for key, value in ACME_REALM_CLASSES.items()}
+REALM_TYPES = {value: key for key, value in REALM_CLASSES.items()}
 logger = logging.getLogger(__name__)
@@ -2862,7 +2862,7 @@ class ESTSubsystem(PKISubsystem):
 def __init__(self, instance):
 super().__init__(instance, 'est')
- def add_realm(self, params):
+ def add_realm(self, paramOBs):
 realm_conf = os.path.join(self.conf_dir, 'realm.conf')
 self.instance.touch(realm_conf)
 with open(realm_conf, 'w', encoding='utf-8') as realm:
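Review bot: The `# TODO: auto-populate this map from /usr/share/pki/acme/realm` comment above the renamed `REALM_CLASSES` still describes it as an ACME-only table, while the values now point at the `com.netscape.cms.realm` implementations and the finalize_est hunk in deployment/__init__.py is written to consume the same map. A header line such as `# Realm implementations shared by the ACME and EST subsystems, keyed by realm type` above the TODO would tell the next reader why the `ACME_` prefix went away. Whether the realm.conf templates under /usr/share/pki/acme/realm that acme.py copies still name the old `org.dogtagpki.acme.realm.*` classes cannot be seen from this patch and is worth confirming.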
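Review bot: `def add_realm(self, paramOBs):` renames the parameter from `params` to what looks like a typo, and since the method body continues outside the hunk, any remaining reference to `params` there raises NameError on the first EST realm configuration; the signature should stay `def add_realm(self, params):`. The dictionary this method receives from finalize_est carries `bindPassword`, so realm.conf is a credential file; the hunk shows only `self.instance.touch(realm_conf)` followed by a plain `open(realm_conf, 'w', ...)`, and it is worth confirming that touch() applies a restrictive mode and owner rather than leaving the file to the process umask.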