
[Pki-devel] [pki-devel][PATCH] 0032-Fix-1351-pki-securitydomain-get-install-token-fails-.patch



Ticket #1351 : https://fedorahosted.org/pki/ticket/1351


Simple fix to prevent the user from invoking the "securitydomain-get-install-token" sub command of the "pki securitydomain" command.

The man page no longer shows this option and the module is no longer callable from the pki command at the command line prompt.

From 50a091d9507840265532178e5cb6d578a674f999 Mon Sep 17 00:00:00 2001
From: Jack Magne <jmagne localhost localdomain>
Date: Wed, 6 May 2015 16:49:59 -0700
Subject: [PATCH] Fix #1351 pki securitydomain-get-install-token fails when run
 with caadmin user.

The short term solution to this problem was to remove the man page information and all references to the command line module responsible for this issue.

The installer already has an alternative method to remove a subsystem from the security domain list. We now assume the alternate method and don't even try to find the token at this point.

A user at the command line of the pki command will no longer be able to attempt this as well.

Tested this to verify that the man page for the "securitydomain" command no longer mentions or documents the "get-install-token" variant. Tested to verify that this command can't be manually called from the command line using "pki". This attempt results in an "unknown module". Tested by installing and uninstalling a subsystem. The security domain was kept up to date as expected for each install over remove attempted.
---
 base/java-tools/man/man1/pki-securitydomain.1      | 10 +--
 .../cmstools/system/SecurityDomainCLI.java         |  1 -
 .../system/SecurityDomainGetInstallTokenCLI.java   | 98 ----------------------
 .../python/pki/server/deployment/pkihelper.py      | 61 --------------
 .../server/deployment/scriptlets/initialization.py | 19 +++--
 5 files changed, 11 insertions(+), 178 deletions(-)
 delete mode 100644 base/java-tools/src/com/netscape/cmstools/system/SecurityDomainGetInstallTokenCLI.java

diff --git a/base/java-tools/man/man1/pki-securitydomain.1 b/base/java-tools/man/man1/pki-securitydomain.1
index a8c36c5..cbefa75 100644
--- a/base/java-tools/man/man1/pki-securitydomain.1
+++ b/base/java-tools/man/man1/pki-securitydomain.1
@@ -20,7 +20,6 @@ pki-securitydomain \- Command-Line Interface for managing Certificate System sec
 .SH SYNOPSIS
 .nf
 \fBpki\fR [CLI options] \fBsecuritydomain\fR
-\fBpki\fR [CLI options] \fBsecuritydomain-get-install-token\fR [command options]
 \fBpki\fR [CLI options] \fBsecuritydomain-show\fR [command options]
 .fi
 
@@ -33,11 +32,6 @@ The \fBpki-securitydomain\fR commands provide command-line interfaces to manage
 This command is to list available security domain commands.
 .RE
 .PP
-\fBpki\fR [CLI options] \fBsecuritydomain-get-install-token\fR [command options]
-.RS 4
-This command is to get an installation token.
-.RE
-.PP
 \fBpki\fR [CLI options] \fBsecuritydomain-show\fR [command options]
 .RS 4
 This command is to show the contents of the security domain.
@@ -49,9 +43,7 @@ The CLI options are described in \fBpki\fR(1).
 .SH OPERATIONS
 To view available security domain commands, type \fBpki securitydomain\fP. To view each command's usage, type \fB pki securitydomain-<command> \-\-help\fP.
 
-To get an installation token (used when installing a new subsystem within a security domain):
-
-\fBpki <security domain admin authentication> securitydomain-get-install-token \-\-hostname <hostname> \-\-subsystem <subsystem>\fP
+." To get an installation token (used when installing a new subsystem within a security domain):
 
 To show the contents of the security domain:
 
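Review bot: The added line `." To get an installation token (used when installing a new subsystem within a security domain):` in the OPERATIONS section uses `."`, which is not the roff comment form; a comment line starts with `.\"`. As written it only vanishes from the rendered page because the formatter ignores the unknown request. Since the command it introduces is being removed, deleting the sentence outright is cleaner than leaving a commented-out stub; if it is kept as a marker, write it with `.\"`.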
diff --git a/base/java-tools/src/com/netscape/cmstools/system/SecurityDomainCLI.java b/base/java-tools/src/com/netscape/cmstools/system/SecurityDomainCLI.java
index 224e215..b1a3597 100644
--- a/base/java-tools/src/com/netscape/cmstools/system/SecurityDomainCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/system/SecurityDomainCLI.java
@@ -35,7 +35,6 @@ public class SecurityDomainCLI extends CLI {
     public SecurityDomainCLI(CLI parent) {
         super("securitydomain", "Security domain commands", parent);
 
-        addModule(new SecurityDomainGetInstallTokenCLI(this));
         addModule(new SecurityDomainShowCLI(this));
     }
 
diff --git a/base/java-tools/src/com/netscape/cmstools/system/SecurityDomainGetInstallTokenCLI.java b/base/java-tools/src/com/netscape/cmstools/system/SecurityDomainGetInstallTokenCLI.java
deleted file mode 100644
index 86e722a..0000000
--- a/base/java-tools/src/com/netscape/cmstools/system/SecurityDomainGetInstallTokenCLI.java
+++ /dev/null
@@ -1,98 +0,0 @@
-// --- BEGIN COPYRIGHT BLOCK ---
-// This program is free software; you can redistribute it and/or modify
-// it under the terms of the GNU General Public License as published by
-// the Free Software Foundation; version 2 of the License.
-//
-// This program is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-// GNU General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License along
-// with this program; if not, write to the Free Software Foundation, Inc.,
-// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-//
-// (C) 2012 Red Hat, Inc.
-// All rights reserved.
-// --- END COPYRIGHT BLOCK ---
-
-package com.netscape.cmstools.system;
-
-import java.net.InetAddress;
-import java.util.Arrays;
-
-import org.apache.commons.cli.CommandLine;
-import org.apache.commons.cli.Option;
-
-import com.netscape.certsrv.system.InstallToken;
-import com.netscape.cmstools.cli.CLI;
-import com.netscape.cmstools.cli.MainCLI;
-
-/**
- * @author Endi S. Dewata
- */
-public class SecurityDomainGetInstallTokenCLI extends CLI {
-
-    public SecurityDomainCLI securityDomainCLI;
-
-    public SecurityDomainGetInstallTokenCLI(SecurityDomainCLI securityDomainCLI) {
-        super("get-install-token", "Get install token", securityDomainCLI);
-        this.securityDomainCLI = securityDomainCLI;
-
-        createOptions();
-    }
-
-    public void printHelp() {
-        formatter.printHelp(getFullName() + " --subsystem <subsystem> [OPTIONS...]", options);
-    }
-
-    public void createOptions() {
-        Option option = new Option(null, "hostname", true, "Hostname");
-        option.setArgName("hostname");
-        options.addOption(option);
-
-        option = new Option(null, "subsystem", true, "Subsystem");
-        option.setArgName("subsystem");
-        option.setRequired(true);
-        options.addOption(option);
-    }
-
-    public void execute(String[] args) throws Exception {
-        // Always check for "--help" prior to parsing
-        if (Arrays.asList(args).contains("--help")) {
-            // Display usage
-            printHelp();
-            System.exit(0);
-        }
-
-        CommandLine cmd = null;
-
-        try {
-            cmd = parser.parse(options, args);
-
-        } catch (Exception e) {
-            System.err.println("Error: " + e.getMessage());
-            printHelp();
-            System.exit(-1);
-        }
-
-        String[] cmdArgs = cmd.getArgs();
-
-        if (cmdArgs.length != 0) {
-            System.err.println("Error: Too many arguments specified.");
-            printHelp();
-            System.exit(-1);
-        }
-
-        String hostname = cmd.getOptionValue("hostname");
-        if (hostname == null) {
-            hostname = InetAddress.getLocalHost().getHostName();
-        }
-
-        String subsystem = cmd.getOptionValue("subsystem");
-
-        InstallToken token = securityDomainCLI.securityDomainClient.getInstallToken(hostname, subsystem);
-
-        MainCLI.printMessage("Install token: \"" + token.getToken() + "\"");
-    }
-}
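Review bot: Deleting SecurityDomainGetInstallTokenCLI removes only the command-line wrapper; the call it made, `securityDomainClient.getInstallToken(hostname, subsystem)`, lives in a client class that the diffstat does not touch, so the token request that fails for caadmin in #1351 is still reachable by any other caller of that client. The commit message describes this as a short-term solution; it should say explicitly that the client method is left unchanged and point to the follow-up for the underlying failure.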
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index b9d48ee..e6f0019 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -3232,67 +3232,6 @@ class SecurityDomain:
 
         return None
 
-    def get_installation_token(self, secuser, secpass, critical_failure=True):
-        if not secuser or not secpass:
-            return None
-
-        # process this PKI subsystem instance's 'CS.cfg'
-        cs_cfg = PKIConfigParser.read_simple_configuration_file(
-            self.mdict['pki_target_cs_cfg'])
-
-        # assign key name/value pairs
-        machinename = cs_cfg.get('service.machineName')
-        cstype = cs_cfg.get('cs.type', '')
-        sechost = cs_cfg.get('securitydomain.host')
-        secadminport = cs_cfg.get('securitydomain.httpsadminport')
-        #secselect = cs_cfg.get('securitydomain.select') - Selected
-        # security domain
-
-        command = ["/bin/pki",
-                   "-p", str(secadminport),
-                   "-h", sechost,
-                   "-P", "https",
-                   "-u", secuser,
-                   "-w", secpass,
-                   "-d", self.mdict['pki_database_path'],
-                   "securitydomain-get-install-token",
-                   "--hostname", machinename,
-                   "--subsystem", cstype]
-        try:
-            output = subprocess.check_output(
-                command,
-                stderr=subprocess.STDOUT,
-                shell=True)
-
-            token_list = re.findall("Install token: \"(.*)\"", output)
-            if not token_list:
-                config.pki_log.error(
-                    log.PKIHELPER_SECURITY_DOMAIN_GET_TOKEN_FAILURE_2,
-                    str(sechost),
-                    str(secadminport),
-                    extra=config.PKI_INDENTATION_LEVEL_2)
-                config.pki_log.error(
-                    log.PKI_SUBPROCESS_ERROR_1, output,
-                    extra=config.PKI_INDENTATION_LEVEL_2)
-                if critical_failure:
-                    raise Exception(
-                        log.PKIHELPER_SECURITY_DOMAIN_GET_TOKEN_FAILURE_2 %
-                        (str(sechost), str(secadminport)))
-            else:
-                token = token_list[0]
-                return token
-        except subprocess.CalledProcessError as exc:
-            config.pki_log.error(
-                log.PKIHELPER_SECURITY_DOMAIN_GET_TOKEN_FAILURE_2,
-                str(sechost),
-                str(secadminport),
-                extra=config.PKI_INDENTATION_LEVEL_2)
-            config.pki_log.error(log.PKI_SUBPROCESS_ERROR_1, exc,
-                                 extra=config.PKI_INDENTATION_LEVEL_2)
-            if critical_failure:
-                raise
-        return None
-
 
 class Systemd(object):
     """PKI Deployment Execution Management Class"""
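Review bot: With get_installation_token() gone, check whether anything else still uses log.PKIHELPER_SECURITY_DOMAIN_GET_TOKEN_FAILURE_2; if this function was its only user, remove the constant from the log module in the same patch so dead messages do not accumulate. The removal itself is welcome from a security standpoint: the deleted code put the security domain password on the `/bin/pki` command line via `"-w", secpass` and passed an argument list together with `shell=True`.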
diff --git a/base/server/python/pki/server/deployment/scriptlets/initialization.py b/base/server/python/pki/server/deployment/scriptlets/initialization.py
index 0aa4e1c..c209bf9c 100644
--- a/base/server/python/pki/server/deployment/scriptlets/initialization.py
+++ b/base/server/python/pki/server/deployment/scriptlets/initialization.py
@@ -1,6 +1,6 @@
 #!/usr/bin/python -t
 # Authors:
-#     Matthew Harmsen <mharmsen redhat com>
+# Matthew Harmsen <mharmsen redhat com>
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -49,9 +49,9 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
         else:
             config.pki_log.info(log.INITIALIZATION_SPAWN_1, __name__,
                                 extra=config.PKI_INDENTATION_LEVEL_1)
-            if (deployer.mdict['pki_subsystem'] == "CA" or\
-                config.str2bool(deployer.mdict['pki_standalone'])) and\
-               config.str2bool(deployer.mdict['pki_external_step_two']):
+            if (deployer.mdict['pki_subsystem'] == "CA" or \
+                        config.str2bool(deployer.mdict['pki_standalone'])) and \
+                    config.str2bool(deployer.mdict['pki_external_step_two']):
                 # verify that this External CA (Step 2), or Stand-alone PKI
                 # (Step 2) currently EXISTS for this "instance"
                 deployer.instance.verify_subsystem_exists()
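Review bot: The re-indentation of the `if (deployer.mdict['pki_subsystem'] == "CA" or \` condition is unrelated to ticket #1351 and changes no behaviour; the same goes for the Authors comment re-indent at the top of this file. Please drop both from this patch or move them to a separate formatting commit, so the fix stays easy to review and backport. If the condition is restyled at all, wrapping the whole expression in parentheses would remove the need for the backslash continuations.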
@@ -96,10 +96,6 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
         # get ports to remove selinux context
         deployer.configuration_file.populate_non_default_ports()
 
-        # get deinstallation token
-        token = deployer.security_domain.get_installation_token(
-            config.pki_secdomain_user, config.pki_secdomain_pass)
-
         # remove kra connector from CA if this is a KRA
         deployer.kra_connector.deregister()
 
@@ -114,7 +110,12 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
         #            instance's security domain may be a part of a
         #            tightly-coupled shared instance.
         #
-        deployer.security_domain.deregister(token)
+
+        # Previously we obtained the token through a command line interface
+        # no longer supported. Thus we assume no token and the deregister op will
+        # take place without the token using an alternate method.
+
+        deployer.security_domain.deregister(None)
         # ALWAYS Stop this Tomcat PKI Process
         deployer.systemd.stop()
         return self.rv
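Review bot: `deployer.security_domain.deregister(None)` hard-codes the argument, so from this caller the token parameter of deregister() is now always None and any token-based handling inside it is dead for uninstall. Either drop the parameter (or give it a default) and remove the token path in the same change, or state in the new comment which alternate method deregister() falls back to and what credentials it needs, since that is not visible in this patch. The hunk also adds a blank `+` line before the comment block and another after it, which can go.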
-- 
2.1.0

