URL: https://github.com/freeipa/freeipa/pull/526 Author: HonzaCholasta Title: #526: server install: properly handle PKINIT-related options Action: opened
PR body: """ Do not ignore --no-pkinit. If --http-cert-file or --dirsrv-cert-file is specified, require that either --pkinit-cert-file or --no-pkinit is specified as well. This prevents the PKINIT cert from being requested via certmonger in CA-less install. https://pagure.io/freeipa/issue/5678 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/526/head:pr526 git checkout pr526
From fff68d4d25f06ae8b060cd69a0ad249b763baf44 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Wed, 1 Mar 2017 11:34:48 +0000
Subject: [PATCH] server install: properly handle PKINIT-related options

Do not ignore --no-pkinit. If --http-cert-file or --dirsrv-cert-file is specified, require that either --pkinit-cert-file or --no-pkinit is specified as well. This prevents the PKINIT cert from being requested via certmonger in CA-less install.

https://pagure.io/freeipa/issue/5678
---
 ipaserver/install/ipa_replica_prepare.py | 15 ++++++++++-----
 ipaserver/install/server/__init__.py     | 15 ++++++++++-----
 2 files changed, 20 insertions(+), 10 deletions(-)

diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index 5f6b6e9..da13e74 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -160,16 +160,21 @@ def validate_options(self):
             self.option_parser.error("You cannot specify a --reverse-zone "
                                      "option together with --no-reverse")
 
-        #Automatically disable pkinit w/ dogtag until that is supported
-        options.setup_pkinit = False
-
         # If any of the PKCS#12 options are selected, all are required.
         cert_file_req = (options.dirsrv_cert_files, options.http_cert_files)
         cert_file_opt = (options.pkinit_cert_files,)
+        if options.setup_pkinit:
+            cert_file_req += cert_file_opt
         if any(cert_file_req + cert_file_opt) and not all(cert_file_req):
             self.option_parser.error(
-                "--dirsrv-cert-file and --http-cert-file are required if any "
-                "PKCS#12 options are used.")
+                "--dirsrv-cert-file, --http-cert-file, and --pkinit-cert-file "
+                "or --no-pkinit are required if any key file options are used."
+            )
+        if not options.setup_pkinit and options.pkinit_cert_files:
+            self.option_parser.error(
+                "--no-pkinit and --pkinit-cert-file cannot be specified "
+                "together"
+            )
 
         if len(self.args) < 1:
             self.option_parser.error(
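Review bot: The conflict check `if not options.setup_pkinit and options.pkinit_cert_files:` sits after the completeness check, so a caller who passes `--no-pkinit --pkinit-cert-file` without `--dirsrv-cert-file`/`--http-cert-file` is told the cert files are required instead of being told the two options conflict; moving that check above `if any(cert_file_req + cert_file_opt) and not all(cert_file_req):` reports the more specific error first. The same ordering applies to the matching block in ipaserver/install/server/__init__.py. The context comment `# If any of the PKCS#12 options are selected, all are required.` no longer describes the rule; `# --dirsrv-cert-file and --http-cert-file are required if any key file option is given; --pkinit-cert-file is required too unless --no-pkinit is given.` matches the new error text. validate_options starts before and continues past the hunk.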
diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py
index 86cb4a9..d3104b8 100644
--- a/ipaserver/install/server/__init__.py
+++ b/ipaserver/install/server/__init__.py
@@ -337,10 +337,18 @@ def __init__(self, **kwargs):
         # If any of the key file options are selected, all are required.
         cert_file_req = (self.dirsrv_cert_files, self.http_cert_files)
         cert_file_opt = (self.pkinit_cert_files,)
+        if not self.no_pkinit:
+            cert_file_req += cert_file_opt
         if any(cert_file_req + cert_file_opt) and not all(cert_file_req):
             raise RuntimeError(
-                "--dirsrv-cert-file and --http-cert-file are required if any "
-                "key file options are used.")
+                "--dirsrv-cert-file, --http-cert-file, and --pkinit-cert-file "
+                "or --no-pkinit are required if any key file options are used."
+            )
+        if self.no_pkinit and self.pkinit_cert_files:
+            raise RuntimeError(
+                "--no-pkinit and --pkinit-cert-file cannot be specified "
+                "together"
+            )
 
         if not self.interactive:
             if self.dirsrv_cert_files and self.dirsrv_pin is None:
@@ -501,9 +509,6 @@ def __init__(self, **kwargs):
                 "You must specify at least one of --forwarder, "
                 "--auto-forwarders, or --no-forwarders options")
 
-        # Automatically enable pkinit w/ dogtag
-        self.no_pkinit = not self.setup_ca
-
 
 
 ServerMasterInstallInterface = installs_master(ServerInstallInterface)
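Review bot: `self.no_pkinit` is now read at the top of the first hunk, while the only assignment visible in this diff, `self.no_pkinit = not self.setup_ca`, is the one the second hunk removes; the read therefore relies on the option value having been set earlier in `__init__`, which starts outside the hunk, so confirm the `no_pkinit` knob is assigned before line 340 rather than having defaulted through the removed line. With the derivation from `setup_ca` gone, a CA-less install that omits both `--pkinit-cert-file` and `--no-pkinit` is rejected by the new check, which is the stated intent, but the `--no-pkinit` option help (not in this diff) should state that it is required for CA-less installs that do not supply `--pkinit-cert-file`, if it does not already. The non-interactive pin check visible at the end of the first hunk covers only `dirsrv_pin`; whether `pkinit_pin` gets a matching check lies outside the hunk and is worth confirming, since `--pkinit-cert-file` is now a first-class required input on that path.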