diff --git a/base/ca/database/ds/acl.ldif b/base/ca/database/ds/acl.ldif
index 27d89a3131e..74997222874 100644
--- a/base/ca/database/ds/acl.ldif
+++ b/base/ca/database/ds/acl.ldif
@@ -6,7 +6,7 @@ resourceACLS: certServer.general.configuration:read,modify,delete:allow (read) g resourceACLS: certServer.policy.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents and auditors are allowed to read policy configuration but only administrators allowed to modify resourceACLS: certServer.acl.configuration:read,modify:allow (read) group="Administrators" || group="Certificate Manager Agents" || group="Registration Manager Agents" || group="Auditors";allow (modify) group="Administrators":Administrators, agents and auditors are allowed to read ACL configuration but only administrators allowed to modify resourceACLS: certServer.log.configuration:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents";allow (modify) group="Administrators":Administrators, Agents, and auditors are allowed to read the log configuration but only administrators are allowed to modify -resourceACLS: certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Anybody is allowed to read domain.xml but only Subsystem group and Enterprise Administrators are allowed to modify the domain.xml +resourceACLS: certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise 
TPS Administrators" || group="Enterprise EST Administrators":Anybody is allowed to read domain.xml but only Subsystem group and Enterprise Administrators are allowed to modify the domain.xml resourceACLS: certServer.log.configuration.fileName:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents" ;deny (modify) user=anybody:Nobody is allowed to modify a fileName parameter #resourceACLS: certServer.log.configuration.signedAudit.expirationTime:read,modify:allow (read) group="Administrators" || group="Auditors" || group="Certificate Manager Agents" || group="Registration Manager Agents";deny (modify) user=anybody:Nobody is allowed to modify an expirationTime parameter. resourceACLS: certServer.log.content.signedAudit:read:allow (read) group="Auditors":Only auditor is allowed to read the signed audit log diff --git a/base/ca/database/ds/create.ldif b/base/ca/database/ds/create.ldif index 704b8d11be7..d4be141f591 100644 --- a/base/ca/database/ds/create.ldif +++ b/base/ca/database/ds/create.ldif @@ -93,6 +93,12 @@ objectClass: groupOfUniqueNames cn: Enterprise TPS Administrators description: People who are the administrators for the security domain for TPS +dn: cn=Enterprise EST Administrators,ou=groups,{rootSuffix} +objectClass: top +objectClass: groupOfUniqueNames +cn: Enterprise EST Administrators +description: People who are the administrators for the security domain for EST + dn: ou=requests,{rootSuffix} objectClass: top objectClass: organizationalUnit diff --git a/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg index 86f288e5092..9c7882f0951 100644 --- a/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg +++ b/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg 
@@ -3,7 +3,7 @@ visible=false enable=true enableBy=admin auth.instance_id=TokenAuth -authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators" +authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators" || group="Enterprise EST Administrators" name=Audit Signing Certificate Enrollment input.list=i1,i2 input.i1.class_id=certReqInputImpl diff --git a/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg index 23a0850c8ad..9c2d04f3ce0 100644 --- a/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg +++ b/base/ca/shared/profiles/ca/caInternalAuthDRMstorageCert.cfg @@ -3,7 +3,7 @@ visible=false enable=true enableBy=admin auth.instance_id=TokenAuth -authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators" +authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators" || group="Enterprise EST Administrators" name=Security Domain DRM storage Certificate Enrollment input.list=i1,i2 input.i1.class_id=certReqInputImpl diff --git a/base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg index 6d31fa8443d..0c3bc2bd756 100644 --- a/base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg 
+++ b/base/ca/shared/profiles/ca/caInternalAuthOCSPCert.cfg @@ -3,7 +3,7 @@ visible=false enable=true enableBy=admin auth.instance_id=TokenAuth -authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators" +authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators" || group="Enterprise EST Administrators" name=Security Domain OCSP Manager Signing Certificate Enrollment input.list=i1,i2 input.i1.class_id=certReqInputImpl diff --git a/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg index cf8925141ad..e8f7aca5681 100644 --- a/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg +++ b/base/ca/shared/profiles/ca/caInternalAuthServerCert.cfg @@ -3,7 +3,7 @@ visible=false enable=true enableBy=admin auth.instance_id=TokenAuth -authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators" +authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators" || group="Enterprise EST Administrators" name=Security Domain Server Certificate Enrollment input.list=i1,i2 input.i1.class_id=certReqInputImpl 
diff --git a/base/ca/shared/profiles/ca/caInternalAuthSubsystemCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthSubsystemCert.cfg index 41d8cf01cea..03d603b5890 100644 --- a/base/ca/shared/profiles/ca/caInternalAuthSubsystemCert.cfg +++ b/base/ca/shared/profiles/ca/caInternalAuthSubsystemCert.cfg @@ -3,7 +3,7 @@ visible=false enable=true enableBy=admin auth.instance_id=TokenAuth -authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators" +authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators" || group="Enterprise EST Administrators" name=Security Domain Subsystem Certificate Enrollment input.list=i1,i2 input.i1.class_id=certReqInputImpl diff --git a/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg b/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg index e676250437b..b3b49ab9b2c 100644 --- a/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg +++ b/base/ca/shared/profiles/ca/caInternalAuthTransportCert.cfg 
@@ -3,7 +3,7 @@ visible=false enable=true enableBy=admin auth.instance_id=TokenAuth -authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators" +authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators" || group="Enterprise EST Administrators" name=Security Domain Data Recovery Manager Transport Certificate Enrollment input.list=i1,i2 input.i1.class_id=certReqInputImpl diff --git a/base/est/CMakeLists.txt b/base/est/CMakeLists.txt index 4cace31f0d2..b9e25c45781 100644 --- a/base/est/CMakeLists.txt +++ b/base/est/CMakeLists.txt @@ -1,5 +1,7 @@ project(est NONE) +add_subdirectory(shared/conf) + javac(pki-est-classes SOURCES src/main/java/*.java diff --git a/base/est/shared/conf/CMakeLists.txt b/base/est/shared/conf/CMakeLists.txt new file mode 100644 index 00000000000..874a21a8d47 --- /dev/null +++ b/base/est/shared/conf/CMakeLists.txt @@ -0,0 +1,8 @@ +configure_file(${CMAKE_CURRENT_SOURCE_DIR}/CS.cfg ${CMAKE_CURRENT_BINARY_DIR}/CS.cfg @ONLY) + +install( + FILES + ${CMAKE_CURRENT_BINARY_DIR}/CS.cfg + DESTINATION + ${SHARE_INSTALL_PREFIX}/${APPLICATION_NAME}/${PROJECT_NAME}/conf +) diff --git a/base/est/shared/conf/CS.cfg b/base/est/shared/conf/CS.cfg new file mode 100644 index 00000000000..78c511e1709 --- /dev/null +++ b/base/est/shared/conf/CS.cfg 
@@ -0,0 +1,14 @@ +_000=## +_001=## Enrollment over Secure Transport (EST) Configuration File +_002=## +est.cert.list=sslserver,subsystem,audit_signing +est.cert.sslserver.certusage=SSLServer +est.cert.subsystem.certusage=SSLClient +est.cert.audit_signing.certusage=ObjectSigner +preop.cert.list=sslserver,subsystem,audit_signing +preop.cert.audit_signing.profile=caInternalAuthAuditSigningCert +preop.cert.sslserver.profile=caInternalAuthServerCert +preop.cert.subsystem.profile=caInternalAuthSubsystemCert +preop.cert.admin.profile=adminCert.profile +preop.module.token=Internal Key Storage Token + diff --git a/base/est/webapps/est/index.jsp b/base/est/webapps/est/index.jsp new file mode 100644 index 00000000000..59aa5001a03 --- /dev/null +++ b/base/est/webapps/est/index.jsp @@ -0,0 +1,23 @@ + + +
+ + + + diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg index c806aa714cf..fb2e2d5ca0c 100644 --- a/base/server/etc/default.cfg +++ b/base/server/etc/default.cfg @@ -589,3 +589,33 @@ pki_import_shared_secret=False pki_share_db=True pki_share_dbuser_dn=uid=pkidbuser,ou=people,%(pki_ds_base_dn)s pki_source_phone_home_xml=/usr/share/pki/%(pki_subsystem_type)s/conf/phoneHome.xml + + +############################################################################### +## EST Configuration: ## +## ## +## Values in this section are common to PKI EST subsystems, and contain ## +## required information which MAY be overridden by users as necessary. ## +############################################################################### +[EST] +pki_realm_config=True +pki_import_admin_cert=True +pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s +pki_admin_name=%(pki_admin_uid)s +pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s +pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s +pki_admin_uid=estadmin +pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s EST +pki_audit_signing_subject_dn=cn=EST Audit Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s +pki_ds_base_dn=o=%(pki_instance_name)s-EST +pki_ds_database=%(pki_instance_name)s-EST +pki_ds_hostname=%(pki_hostname)s +pki_subsystem_name=EST %(pki_hostname)s %(pki_https_port)s +pki_ca_uri=https://%(pki_hostname)s:%(pki_https_port)s +pki_share_db=True +pki_share_dbuser_dn=uid=pkidbuser,ou=people,%(pki_ds_base_dn)s +pki_est_ca_profile=estServiceCert +pki_est_ca_user= +pki_est_ca_password= +pki_est_ca_certificate=%(pki_subsystem_nickname)s + diff --git a/base/server/examples/installation/est.cfg b/base/server/examples/installation/est.cfg new file mode 100644 index 00000000000..631a491e33f --- /dev/null +++ b/base/server/examples/installation/est.cfg 
@@ -0,0 +1,26 @@ +[DEFAULT] +pki_server_database_password=Secret.123 + +[EST] +pki_admin_email=estadmin@example.com +pki_admin_name=estadmin +pki_admin_nickname=estadmin +pki_admin_password=Secret.123 +pki_admin_uid=estadmin + +pki_admin_setup=False +pki_realm_config=True + +pki_client_pkcs12_password=Secret.123 + +pki_ds_base_dn=dc=est,dc=pki,dc=example,dc=com +pki_ds_database=est +pki_ds_password=Secret.123 + +pki_security_domain_name=EXAMPLE +pki_security_domain_user=caadmin +pki_security_domain_password=Secret.123 + +pki_audit_signing_nickname=est_audit_signing +pki_sslserver_nickname=sslserver +pki_subsystem_nickname=subsystem diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py index 6c0cc0edaea..9e6ce470c3a 100644 --- a/base/server/python/pki/server/__init__.py +++ b/base/server/python/pki/server/__init__.py @@ -55,7 +55,7 @@ ETC_SYSTEMD_DIR = '/etc/systemd' LIB_SYSTEMD_DIR = '/lib/systemd' -SUBSYSTEM_TYPES = ['ca', 'kra', 'ocsp', 'tks', 'tps'] +SUBSYSTEM_TYPES = ['ca', 'kra', 'ocsp', 'tks', 'tps', 'est'] DEFAULT_DIR_MODE = 0o0770 DEFAULT_FILE_MODE = 0o0660 diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py index 4a0dd857516..489479c516d 100644 --- a/base/server/python/pki/server/deployment/__init__.py +++ b/base/server/python/pki/server/deployment/__init__.py @@ -3615,7 +3615,7 @@ def setup_system_certs(self, nssdb, subsystem): # For external/standalone KRA/OCSP/TKS/TPS case, all system certs will be provided. # No system certs will be generated including the SSL server cert. - if subsystem.type in ['KRA', 'OCSP', 'TKS', 'TPS'] and external: + if subsystem.type in ['KRA', 'OCSP', 'TKS', 'TPS', 'EST'] and external: continue request = self.create_cert_setup_request(subsystem, tag, system_cert) 
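Review bot: The comment directly above the changed condition in setup_system_certs still reads `# For external/standalone KRA/OCSP/TKS/TPS case, all system certs will be provided.` while the list now also contains `'EST'`, so the comment and the code disagree on which subsystems skip generation. Update it to `# For external/standalone KRA/OCSP/TKS/TPS/EST case, all system certs will be provided.` so a reader does not assume EST was left out deliberately. The enclosing loop in setup_system_certs starts and ends outside the hunk.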
@@ -4071,7 +4071,8 @@ def setup_admin_user(self, subsystem, cert_data): 'Enterprise RA Administrators', 'Enterprise TKS Administrators', 'Enterprise OCSP Administrators', - 'Enterprise TPS Administrators' + 'Enterprise TPS Administrators', + 'Enterprise EST Administrators' ]) elif subsystem.type == 'KRA': 
@@ -4968,6 +4969,45 @@ def finalize_tps(self, subsystem):
 logger.info('Setting up shared secret')
 self.setup_shared_secret(subsystem)
 
+ def finalize_est(self, subsystem):
+ if config.str2bool(self.mdict['pki_realm_config']):
+ logger.info('Configuring EST Realm')
+ realm_config = {
+ 'class': 'com.netscape.cms.realm.PKILDAPRealm',
+ 'url': self.mdict['pki_ds_url'],
+ 'authType': 'BasicAuth',
+ 'bindDN': self.mdict['pki_ds_bind_dn'],
+ 'bindPassword': self.mdict['pki_ds_password'],
+ 'usersDN': 'ou=people,{}'.format(self.mdict['pki_ds_base_dn']),
+ 'groupsDN': 'ou=groups,{}'.format(self.mdict['pki_ds_base_dn'])
+ }
+ subsystem.add_realm(realm_config)
+ backend_config = {
+ 'class': 'org.dogtagpki.est.DogtagRABackend',
+ 'url': self.mdict['pki_ca_uri'],
+ 'profile': self.mdict['pki_est_ca_profile'],
+ 'username': self.mdict['pki_est_ca_user'],
+ 'password': self.mdict['pki_est_ca_password'],
+ 'passwordFile': self.mdict['pki_est_ca_password'],
+ 'nickname': self.mdict['pki_est_ca_certificate']
+ }
+ subsystem.add_backend(backend_config)
+ est_auth_exec = '''#!/usr/bin/python3
+import json, sys
+ALLOWED_ROLE = 'estclient'
+obj = json.loads(sys.stdin.read())
+if not ALLOWED_ROLE in obj['authzData']['principal']['roles']:
+ print(f'Principal does not have required role {ALLOWED_ROLE!r}')
+ sys.exit(1)'''
+ with open('/usr/local/libexec/estauthz', 'w', ) as auth_exec:
+ auth_exec.write(est_auth_exec)
+ os.chmod("/usr/local/libexec/estauthz", 0o755)
+ authorizer_config = {
+ 'class': 'org.dogtagpki.est.ExternalProcessRequestAuthorizer',
+ 'executable': '/usr/local/libexec/estauthz'
+ }
+ subsystem.add_authorizer(authorizer_config)
+
 def finalize_subsystem(self, subsystem):
 
 if subsystem.type == 'CA':
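Review bot: `'passwordFile': self.mdict['pki_est_ca_password']` in backend_config hands the backend the raw password under a key whose name indicates a file path, and the same value is already passed as `'password'`; unless DogtagRABackend is known to treat both keys identically, the `passwordFile` entry should be dropped or sourced from a separate deployment parameter rather than reusing the secret. The authorizer script is written unconditionally to the fixed path `/usr/local/libexec/estauthz` and made mode 0o755, so every EST deployment on the host overwrites the same system-wide file outside the instance directory, and nothing in this hunk removes it on undeploy; deriving the path from the instance's own directory would avoid the collision and keep the file under the instance's lifecycle. In the generated script, `if not ALLOWED_ROLE in obj['authzData']['principal']['roles']:` should read `if ALLOWED_ROLE not in obj['authzData']['principal']['roles']:`, and note that a missing `authzData`/`principal`/`roles` key only fails closed because the resulting KeyError traceback produces a non-zero exit — worth an explicit check or at least a comment saying that is relied upon. `os.chmod` and `config.str2bool` assume `os` and `config` are imported at module level, which is outside this hunk; `open(..., 'w', )` also carries a stray trailing comma.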
@@ -4985,6 +5025,9 @@ def finalize_subsystem(self, subsystem): if subsystem.type == 'TPS': self.finalize_tps(subsystem) + if subsystem.type == 'EST': + self.finalize_est(subsystem) + # save EC type for sslserver cert (if present) ec_type = subsystem.config.get('preop.cert.sslserver.ec.type', 'ECDHE') subsystem.set_config('jss.ssl.sslserver.ectype', ec_type) diff --git a/base/server/python/pki/server/deployment/pkiconfig.py b/base/server/python/pki/server/deployment/pkiconfig.py index 34f2cb6a339..4583b31fdc4 100644 --- a/base/server/python/pki/server/deployment/pkiconfig.py +++ b/base/server/python/pki/server/deployment/pkiconfig.py @@ -36,13 +36,13 @@ PKI_DEPLOYMENT_DEFAULT_UID = 17 PKI_DEPLOYMENT_DEFAULT_USER = "pkiuser" -PKI_SUBSYSTEMS = ["CA", "KRA", "OCSP", "TKS", "TPS"] +PKI_SUBSYSTEMS = ["CA", "KRA", "OCSP", "TKS", "TPS", "EST"] PKI_BASE_RESERVED_NAMES = ["alias", "bin", "ca", "common", "conf", "kra", "lib", "logs", "ocsp", "temp", "tks", "tps", - "webapps", "work"] + "est", "webapps", "work"] PKI_CONFIGURATION_RESERVED_NAMES = ["CA", "java", "nssdb", "rpm-gpg", "rsyslog", "tls"] -PKI_TOMCAT_REGISTRY_RESERVED_NAMES = ["ca", "kra", "ocsp", "tks", "tps"] +PKI_TOMCAT_REGISTRY_RESERVED_NAMES = ["ca", "kra", "ocsp", "tks", "tps", "est"] PKI_DEPLOYMENT_INTERRUPT_BANNER = "-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+"\ "-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-" diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py index 0556bde7d70..c7dee9629f8 100644 --- a/base/server/python/pki/server/deployment/pkiparser.py +++ b/base/server/python/pki/server/deployment/pkiparser.py @@ -297,7 +297,7 @@ def __init__(self, description, epilog, deployer=None): nargs=1, choices=config.PKI_SUBSYSTEMS, metavar='