Update EST and ACME pkispawn to share realm config
fmarco76 committed Sep 13, 2024
1 parent 20c3289 commit e01ae7b
Showing 6 changed files with 61 additions and 44 deletions.
21 changes: 15 additions & 6 deletions base/server/etc/default.cfg
Expand Up @@ -672,22 +672,31 @@ pki_registry_enable=False
## required information which MAY be overridden by users as necessary. ##
###############################################################################
[EST]
pki_external=False
pki_realm_config=True
pki_import_admin_cert=True
pki_registry_enable=False
pki_import_admin_cert=False
pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s
pki_admin_name=%(pki_admin_uid)s
pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s
pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
pki_admin_uid=estadmin
pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s EST
pki_audit_signing_subject_dn=cn=EST Audit Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s
pki_ds_base_dn=o=%(pki_instance_name)s-EST
pki_ds_database=%(pki_instance_name)s-EST
pki_ds_hostname=%(pki_hostname)s
pki_ds_setup=False
pki_realm_type=ds
pki_realm_url=ldap://%(pki_hostname)s:3389
pki_realm_auth_type=BasicAuth
pki_realm_bind_dn=cn=Directory Manager
pki_realm_bind_password=
pki_realm_nickname=
pki_realm_user=
pki_realm_username=
pki_realm_password=
pki_realm_users_dn=ou=people,dc=est,dc=pki,dc=example,dc=com
pki_realm_groups_dn=ou=groups,dc=est,dc=pki,dc=example,dc=com
pki_subsystem_name=EST %(pki_hostname)s %(pki_https_port)s
pki_ca_uri=https://%(pki_hostname)s:%(pki_https_port)s
pki_share_db=True
pki_share_dbuser_dn=uid=pkidbuser,ou=people,%(pki_ds_base_dn)s
pki_est_ca_profile=estServiceCert
pki_est_ca_user=
pki_est_ca_password=
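Review bot: The new realm defaults hard-code `dc=est,dc=pki,dc=example,dc=com` in `pki_realm_users_dn` and `pki_realm_groups_dn`, while the other DNs in this section are derived from `%(pki_ds_base_dn)s` or `%(pki_instance_name)s`, so a deployment that only sets the DS parameters will silently point the EST realm at a tree that does not exist. Deriving them the way the replaced finalize_est code did, `pki_realm_users_dn=ou=people,%(pki_ds_base_dn)s` and `pki_realm_groups_dn=ou=groups,%(pki_ds_base_dn)s`, or marking them with `# placeholder suffix: override with the realm's real base DN`, would avoid that. The defaults also bind the realm as `cn=Directory Manager` over plain `ldap://` on port 3389; the realm only needs to read user and group entries, so a comment steering users to a dedicated read-only bind DN and an `ldaps://` URL is worth adding. `pki_import_admin_cert` appears with both `True` and `False` in this hunk; if both lines survive on the new side, the later one wins silently.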
14 changes: 7 additions & 7 deletions base/server/python/pki/server/cli/acme.py
Expand Up @@ -1224,7 +1224,7 @@ def execute(self, argv):

realm_class = config.get('class')

realm_type = pki.server.subsystem.ACME_REALM_TYPES.get(realm_class)
realm_type = pki.server.subsystem.REALM_TYPES.get(realm_class)
print(' Realm Type: %s' % realm_type)

if realm_type == 'in-memory':
Expand Down Expand Up @@ -1297,7 +1297,7 @@ def print_help(self):
print()
print(' -i, --instance <instance ID> Instance ID (default: pki-tomcat).')
print(' --type <type> Realm type: {0}'
.format(', '.join(pki.server.subsystem.ACME_REALM_TYPES.values())))
.format(', '.join(pki.server.subsystem.REALM_TYPES.values())))
print(' -D<name>=<value> Set property value.')
print(' -v, --verbose Run in verbose mode.')
print(' --debug Run in debug mode.')
Expand Down Expand Up @@ -1326,7 +1326,7 @@ def execute(self, argv):

elif o == '--type':
realm_type = a
if realm_type not in pki.server.subsystem.ACME_REALM_TYPES.values():
if realm_type not in pki.server.subsystem.REALM_TYPES.values():
raise Exception('Invalid realm type: {0}'.format(realm_type))

elif o == '-D':
Expand Down Expand Up @@ -1383,19 +1383,19 @@ def execute(self, argv):
print()
print(
'Enter the type of the realm. '
'Available types: %s.' % ', '.join(pki.server.subsystem.ACME_REALM_TYPES.values()))
realm_type = pki.server.subsystem.ACME_REALM_TYPES.get(realm_class)
'Available types: %s.' % ', '.join(pki.server.subsystem.REALM_TYPES.values()))
realm_type = pki.server.subsystem.REALM_TYPES.get(realm_class)
orig_realm_type = realm_type

realm_type = pki.util.read_text(
' Realm Type',
options=pki.server.subsystem.ACME_REALM_TYPES.values(),
options=pki.server.subsystem.REALM_TYPES.values(),
default=realm_type,
required=True)
pki.util.set_property(
config,
'class',
pki.server.subsystem.ACME_REALM_CLASSES.get(realm_type))
pki.server.subsystem.REALM_CLASSES.get(realm_type))

if orig_realm_type != realm_type:
source = '/usr/share/pki/acme/realm/{0}/realm.conf'.format(realm_type)
29 changes: 18 additions & 11 deletions base/server/python/pki/server/deployment/__init__.py
Expand Up @@ -4979,16 +4979,23 @@ def finalize_tps(self, subsystem):
def finalize_est(self, subsystem):
if config.str2bool(self.mdict['pki_realm_config']):
logger.info('Configuring EST Realm')
realm_config = {
'class': 'com.netscape.cms.realm.PKILDAPRealm',
'url': self.mdict['pki_ds_url'],
'authType': 'BasicAuth',
'bindDN': self.mdict['pki_ds_bind_dn'],
'bindPassword': self.mdict['pki_ds_password'],
'usersDN': 'ou=people,{}'.format(self.mdict['pki_ds_base_dn']),
'groupsDN': 'ou=groups,{}'.format(self.mdict['pki_ds_base_dn'])
}
subsystem.add_realm(realm_config)
if self.mdict['pki_realm_type'] in REALM_TYPE:
realm_config = {
'class': REALM_CLASS[self.mdict['pki_realm_type']],
'url': self.mdict['pki_realm_url'],
'authType': self.mdict['pki_realm_auth_type'],
'bindDN': self.mdict['pki_realm_bind_dn'],
'bindPassword': self.mdict['pki_realm_bind_password'],
'user': self.mdict['pki_realm_user'],
'username': self.mdict['pki_realm_username'],
'password': self.mdict['pki_realm_password'],
'usersDN': self.mdict['pki_realm_users_dn'],
'groupsDN': self.mdict['pki_realm_groups_dn']
}
subsystem.add_realm(realm_config)
elif not self.mdict['pki_realm_type'] or self.mdict['pki_realm_type'] != 'custom':
raise Exception('Realm type %s not supported.'%self.mdict['pki_realm_type'])

backend_config = {
'class': 'org.dogtagpki.est.DogtagRABackend',
'url': self.mdict['pki_ca_uri'],
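Review bot: `REALM_TYPE` and `REALM_CLASS` on the added lines do not match the names this commit defines in subsystem.py (`REALM_TYPES` and `REALM_CLASSES`), and the second hunk of this same file reaches them as `pki.server.subsystem.REALM_CLASSES`; unless deployment/__init__.py defines local `REALM_TYPE`/`REALM_CLASS` maps outside this hunk, the `if` raises NameError before any realm is written. Note that `REALM_TYPES` is keyed by class name, so the membership test wants the type-keyed map: `if self.mdict['pki_realm_type'] in pki.server.subsystem.REALM_CLASSES:` together with `'class': pki.server.subsystem.REALM_CLASSES[self.mdict['pki_realm_type']],`. In the `elif`, `not x or x != 'custom'` reduces to `x != 'custom'`, so a `custom` realm type passes through with no realm configured and nothing logged; a `logger.info('Realm type custom: skipping realm configuration')` branch would make that explicit. The realm config also carries `bindPassword` and `password` straight into `subsystem.add_realm`, so the mode of the written realm.conf is what protects those credentials; that code is outside this hunk.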
Expand Down Expand Up @@ -5343,7 +5350,7 @@ def configure_acme_realm(self, subsystem):
realm_type = self.mdict['acme_realm_type']
props = subsystem.get_realm_config(realm_type=realm_type)

realm_class = pki.server.subsystem.ACME_REALM_CLASSES.get(realm_type)
realm_class = pki.server.subsystem.REALM_CLASSES.get(realm_type)
pki.util.set_property(props, 'class', realm_class)

if realm_type == 'in-memory':
25 changes: 11 additions & 14 deletions base/server/python/pki/server/pkispawn.py
Expand Up @@ -670,8 +670,8 @@ def main(argv):
elif deployer.subsystem_type == 'TPS':
print_tps_step_one_information(parser.mdict, deployer.instance)

elif deployer.subsystem_type == 'EST':
print_est_step_one_information(parser.mdict, deployer.instance)
elif deployer.subsystem_type == 'EST':
print_est_step_information(parser.mdict, deployer.instance)

elif deployer.subsystem_type == 'ACME':
print_acme_install_information()
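Review bot: The replacement call in this hunk names `print_est_step_information`, but the function added later in this file is `print_est_information` (and the one removed is `print_est_step_one_information`), so if the last two changed lines are the new side, the EST branch raises NameError exactly where it is meant to print the access URL; the call should read `print_est_information(parser.mdict, deployer.instance)`. The added `print_est_information` also ignores its `mdict` parameter and reads the module-level `deployer.mdict` instead; `mdict['pki_hostname']` and `mdict['pki_https_port']` would match its own signature. The enclosing `main` continues outside the hunk.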
Expand Down Expand Up @@ -927,18 +927,6 @@ def print_tps_step_one_information(mdict, instance):
print(log.PKI_SPAWN_INFORMATION_FOOTER)


def print_est_step_one_information(mdict, instance):

print(log.PKI_SPAWN_INFORMATION_HEADER)
print(" The %s subsystem of the '%s' instance is still incomplete." %
(deployer.subsystem_type, instance.name))
print()
print(" NSS database: %s" % instance.nssdb_dir)
print()
print(log.PKI_RUN_INSTALLATION_STEP_TWO)
print(log.PKI_SPAWN_INFORMATION_FOOTER)


def print_skip_configuration_information(mdict, instance):

print(log.PKI_SPAWN_INFORMATION_HEADER)
Expand Down Expand Up @@ -972,6 +960,15 @@ def print_acme_install_information():
print(log.PKI_SPAWN_INFORMATION_FOOTER)


def print_est_information(mdict, instance):

print(log.PKI_SPAWN_INFORMATION_HEADER)
print(log.PKI_ACCESS_URL % (deployer.mdict['pki_hostname'],
deployer.mdict['pki_https_port'],
'.well-known/est/'))
print(log.PKI_SPAWN_INFORMATION_FOOTER)


def print_final_install_information(mdict, instance):

print(log.PKI_SPAWN_INFORMATION_HEADER)
12 changes: 6 additions & 6 deletions base/server/python/pki/server/subsystem.py
Expand Up @@ -66,13 +66,13 @@
ACME_ISSUER_TYPES = {value: key for key, value in ACME_ISSUER_CLASSES.items()}

# TODO: auto-populate this map from /usr/share/pki/acme/realm
ACME_REALM_CLASSES = {
'ds': 'org.dogtagpki.acme.realm.DSRealm',
'in-memory': 'org.dogtagpki.acme.realm.InMemoryRealm',
'postgresql': 'org.dogtagpki.acme.realm.PostgreSQLRealm'
REALM_CLASSES = {
'ds': 'com.netscape.cms.realm.PKILDAPRealm',
'in-memory': 'com.netscape.cms.realm.PKIInMemoryRealm',
'postgresql': 'com.netscape.cms.realm.PKIPostgreSQLRealm'
}

ACME_REALM_TYPES = {value: key for key, value in ACME_REALM_CLASSES.items()}
REALM_TYPES = {value: key for key, value in REALM_CLASSES.items()}

logger = logging.getLogger(__name__)

Expand Down Expand Up @@ -2862,7 +2862,7 @@ class ESTSubsystem(PKISubsystem):
def __init__(self, instance):
super().__init__(instance, 'est')

def add_realm(self, params):
def add_realm(self, paramOBs):
realm_conf = os.path.join(self.conf_dir, 'realm.conf')
self.instance.touch(realm_conf)
with open(realm_conf, 'w', encoding='utf-8') as realm:
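Review bot: One of the two `add_realm` signature lines in this hunk spells the parameter `paramOBs`; if that is the new side, the rename looks accidental, and the method body, which continues past the hunk, presumably still refers to `params` and would fail with NameError on the first EST realm write. The signature should stay `def add_realm(self, params):`. Since `params` carries the `bindPassword` and `password` values pkispawn passes in, the `open(realm_conf, 'w', ...)` here is where those credentials land on disk; the permission handling is outside the hunk, but a comment such as `# realm.conf holds the realm bind credentials; keep it instance-owned and not world-readable` would document the expectation.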
Expand Up @@ -66,6 +66,10 @@ public void initInternal () throws LifecycleException {
String statementsFilename = info.getProperty(
"statements");

if (statementsFilename == null || statementsFilename.isBlank()) {
statementsFilename = "/usr/share/pki/acme/realm/postgresql/statements.conf";
}

logger.info("Loading statements from " + statementsFilename);

statements = new Properties();
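Review bot: The fallback added here is fixed to `/usr/share/pki/acme/realm/postgresql/statements.conf`, while the subsystem.py hunk in this commit re-registers what appears to be this realm class under `com.netscape.cms.realm` so EST instances can select it; an EST deployment that omits `statements` would then load ACME's statements file, or fail if only the EST files are installed. If sharing the ACME file is intended, a named constant with a comment, e.g. `private static final String DEFAULT_STATEMENTS = "/usr/share/pki/acme/realm/postgresql/statements.conf"; // shared with the ACME realm`, makes that explicit; otherwise the default should be resolved from the calling subsystem's own realm directory. The enclosing `initInternal` continues outside the hunk.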