Author: jdsn
Date: Mon Feb 4 21:34:12 2008
New Revision: 44141
URL: http://svn.opensuse.org/viewcvs/yast?rev=44141&view=rev
Log:
crl export cron support, export script, various small fixes
Added:
trunk/ca-management/scripts/exportCRL.pl (with props)
Modified:
trunk/ca-management/scripts/Makefile.am
trunk/ca-management/src/crlExport.ycp
trunk/ca-management/yast2-ca-management.spec.in
Modified: trunk/ca-management/scripts/Makefile.am
URL: http://svn.opensuse.org/viewcvs/yast/trunk/ca-management/scripts/Makefile.am?rev=44141&r1=44140&r2=44141&view=diff
==============================================================================
--- trunk/ca-management/scripts/Makefile.am (original)
+++ trunk/ca-management/scripts/Makefile.am Mon Feb 4 21:34:12 2008
@@ -5,7 +5,7 @@
bindir = ${exec_prefix}/bin
sysconfdir = /etc
-bin_SCRIPTS = generateCRL.pl
+bin_SCRIPTS = generateCRL.pl exportCRL.pl
sysconf_DATA = generateCRL.conf
Added: trunk/ca-management/scripts/exportCRL.pl
URL: http://svn.opensuse.org/viewcvs/yast/trunk/ca-management/scripts/exportCRL.pl?rev=44141&view=auto
==============================================================================
--- trunk/ca-management/scripts/exportCRL.pl (added)
+++ trunk/ca-management/scripts/exportCRL.pl Mon Feb 4 21:34:12 2008
@@ -0,0 +1,105 @@
+#! /usr/bin/perl -w
+
+BEGIN {
+ push @INC, '/usr/share/YaST2/modules/';
+}
+
+use strict;
+use Config::IniFiles;
+use Getopt::Long;
+use YaPI::CaManagement;
+
+
+# adapt to export to local files as well
+# improve to use new exportcrl.conf files
+
+
+my $config = '/etc/generateCRL.conf';
+my $help = undef;
+
+my @toDo = ();
+
+Getopt::Long::Configure("no_ignore_case", "no_auto_abbrev");
+my $result = GetOptions ("config|c=s" => \$config,
+ "help|?|h" => \$help);
+
+if($help || !$result) {
+ print "usage: generateCRL.pl [-c path] \n";
+ print "\n";
+ print "-c, --config Path to configfile (default: /etc/generateCRL.conf)\n";
+ print "-?, --help, -h This help\n";
+ exit;
+}
+
+my $cfg = new Config::IniFiles( -file => $config );
+if(!defined $cfg) {
+ die "Can not read the configfile:\n @Config::IniFiles::errors\n";
+}
+
+@toDo = $cfg->Sections();
+
+foreach my $gencrl (@toDo) {
+
+ print "Process '$gencrl' ... ";
+ my $ret = doit($gencrl);
+ if($ret eq "") {
+ print "done\n";
+ } else {
+ print "failed\n$ret\n";
+ }
+}
+
+
+sub doit {
+ my $caName = shift;
+
+ my $caPasswd = $cfg->val($caName, "caPasswd");
+ my $host = $cfg->val($caName, "ldapHostname");
+ my $port = $cfg->val($caName, "ldapPort", 389);
+ my $destDN = $cfg->val($caName, "destinationDN");
+ my $bindDN = $cfg->val($caName, "bindDN");
+ my $ldapPasswd = $cfg->val($caName, "ldapPasswd");
+ my $err;
+ my $msg;
+
+ my $res = YaPI::CaManagement->ReadCRLDefaults({caName => $caName});
+ if( not defined $res ) {
+ $err = YaPI::CaManagement->Error();
+ $msg = $err->{summary};
+ $msg .= "[".$err->{description}."]" if(defined $err->{description});
+ return $msg;
+ }
+
+ my $data = {
+ 'caName' => $caName,
+ 'caPasswd' => $caPasswd,
+ 'days' => $res->{days}
+ };
+
+ $res = YaPI::CaManagement->AddCRL($data);
+ if( not defined $res ) {
+ $err = YaPI::CaManagement->Error();
+ $msg = $err->{summary};
+ $msg .= "[".$err->{description}."]" if(defined $err->{description});
+ return $msg;
+ }
+
+ $data = {
+ caName => $caName,
+ ldapHostname => $host,
+ ldapPort => $port,
+ destinationDN => $destDN,
+ BindDN => $bindDN,
+ ldapPasswd => $ldapPasswd
+ };
+
+ $res = YaPI::CaManagement->ExportCRLToLDAP($data);
+ if( not defined $res ) {
+ $err = YaPI::CaManagement->Error();
+ $msg = $err->{summary};
+ $msg .= "[".$err->{description}."]" if(defined $err->{description});
+ return $msg;
+ }
+
+ return "";
+}
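Review bot: `doit` expects one INI section per CA holding `caPasswd`, `ldapHostname`, `ldapPort`, `destinationDN`, `bindDN` and `ldapPasswd`, and defaults to `/etc/generateCRL.conf`, but the cron entry this commit generates in crlExport.ycp runs it with `-c /var/lib/CAM/<ca>/exportcrl.conf`, whose visible keys (`periodic`, `capassword`, `interval_hours`, `export_file`, `export_ldap`, `crlfilename`) are flat and do not match, so as far as the visible writes show the scheduled job cannot pick up the CA password, and the script never performs the local-file export at all (only AddCRL and ExportCRLToLDAP) — the TODO at the top admits both, but this should not be wired into cron in that state. The usage text still names the other script; change it to `print "usage: exportCRL.pl [-c path] \n";`. Because the job runs as root and the file carries the CA password (and apparently the LDAP bind password), refuse a group/world-accessible config before parsing it, e.g. `my $mode = (stat $config)[2] & 07777; die "$config must be mode 0600\n" if $mode & 077;`, and prefer `Config::IniFiles->new(-file => $config)` over the indirect-object form. Note also that the cron line built in crlExport.ycp (`* %1 * * *`) leaves the minute field as `*`, so this script would be started every minute of the selected hour(s); `0 %1 * * *` is what is intended.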
Modified: trunk/ca-management/src/crlExport.ycp
URL: http://svn.opensuse.org/viewcvs/yast/trunk/ca-management/src/crlExport.ycp?rev=44141&r1=44140&r2=44141&view=diff
==============================================================================
--- trunk/ca-management/src/crlExport.ycp (original)
+++ trunk/ca-management/src/crlExport.ycp Mon Feb 4 21:34:12 2008
@@ -45,8 +45,8 @@
boolean ldap_active = false; // default off
symbol fileformat = `ffpem; // default is pem
string crlfile = ""; // is set from inside the export function
-integer intervalDays = 30;
-integer intervalHours = 0;
+integer intervalAtHour = 0;
+integer intervalHours = 0;
map ldapCred = $[ "hostname":"", "port":"", "dn":"",
"binddn":"", "password":"" ];
@@ -63,8 +63,8 @@
// Translators: window caption
_("Security Information"),
// Translators: long help text - security information
- `RichText(_("Warning!<br>Activating the automatic creation and export of a CRL will write the CA password to a config file on disk. The password will be stored there in plain text as it is needed to create a CRL. The file will only be readable for the root user.<br>Please note that this is a security risk if there are more people that have root access. They all will be able to read the CA password.")),
- 50, 20
+ `RichText(_("Warning!<br>Activating the automatic creation and export of a CRL will write the CA password to a configuration file on disk. The password will be stored there in plain text as it is needed to create a CRL. The file will only be readable for the root user.")),
+ 50, 12
);
seenSecurityInfo = true;
}
@@ -88,8 +88,9 @@
// write settings to the UI
UI::ChangeWidget(`id(`mode_periodically), `Value, periodic);
UI::ChangeWidget(`id(`periodicInterval), `Enabled, periodic);
- UI::ChangeWidget(`id(`interval_days), `Value, intervalDays);
+ UI::ChangeWidget(`id(`interval_athour), `Value, intervalAtHour);
UI::ChangeWidget(`id(`interval_hours), `Value, intervalHours);
+ UI::ChangeWidget(`id(`atHourSetting), `Enabled, intervalHours == 24 ? true:false);
UI::ChangeWidget(`id(`exportFile), `Value, file_active);
UI::ChangeWidget(`id(`exportLDAP), `Value, ldap_active);
@@ -118,7 +119,7 @@
define void readSettings(string ca)
{
- string crlConf = sformat("/var/lib/CAM/%1/crl-export.conf", ca);
+ string crlConf = sformat("/var/lib/CAM/%1/exportcrl.conf", deletechars(ca, " "));
if (SCR::Execute(.target.bash, sformat("[ -f %1 ]", crlConf) ) == 0 )
{
SCR::RegisterAgent( .temp_crlexport_agent, `ag_ini(
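Review bot: The CA name is interpolated unquoted into a bash command (`[ -f %1 ]`) after only stripping spaces, so any other shell metacharacter in a CA name breaks the test or is executed by the shell. The name is entered by the same root administrator, so this is robustness rather than a privilege boundary, but the shell is not needed here at all: `if (SCR::Read(.target.size, crlConf) >= 0)` (the target agent reports -1 for a missing file, as far as I recall — verify) or the module's file-exists helper avoids the problem. readSettings continues beyond the hunk.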
@@ -126,10 +127,12 @@
periodic = SCR::Read(.temp_crlexport_agent.periodic) == "true" ? true:false;
if (periodic) seenSecurityInfo = true;
- integer getDays = (integer) SCR::Read(.temp_crlexport_agent.interval_days);
- intervalDays = getDays != nil ? getDays:intervalDays;
- integer getHours = (integer) SCR::Read(.temp_crlexport_agent.interval_hours);
- intervalHours = getHours != nil ? getHours:intervalHours;
+ integer getAtHour = tointeger( (string)SCR::Read(.temp_crlexport_agent.interval_athour));
+ intervalAtHour = getAtHour != nil ? getAtHour:intervalAtHour;
+ integer getHours = tointeger( (string)SCR::Read(.temp_crlexport_agent.interval_hours));
+ intervalHours = getHours != nil ? getHours:intervalHours;
+ if (intervalHours != 24) intervalAtHour = 0;
+
file_active = SCR::Read(.temp_crlexport_agent.export_file) == "true" ? true:false;
ldap_active = SCR::Read(.temp_crlexport_agent.export_ldap) == "true" ? true:false;
string getCrlfile = (string) SCR::Read(.temp_crlexport_agent.crlfilename);
@@ -156,7 +159,7 @@
define void writeSettings(string ca)
{
- string crlConf = sformat("/var/lib/CAM/%1/crl-export.conf", ca);
+ string crlConf = sformat("/var/lib/CAM/%1/exportcrl.conf", deletechars(ca, " "));
if (! (SCR::Execute(.target.bash, sformat("[ -f %1 ]", crlConf) ) == 0))
{
SCR::Execute(.target.bash, sformat("umask 0077 && touch %1", crlConf) );
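Review bot: The root-only mode promised by the Security Information text is only applied when the file is first created (`umask 0077 && touch`); an existing `exportcrl.conf` with a wider mode keeps it while the CA password is written into it, and the path is again passed to bash unquoted although the CA name is part of it. Enforce the mode unconditionally, e.g. replace the `[ -f ]` guard and its body with `SCR::Execute(.target.bash, sformat("umask 0077 && touch '%1' && chmod 0600 '%1'", crlConf));`. Whether the ini agent rewrites the file in place or via a new inode is not visible here — if it renames, repeat the chmod after the SCR::Write calls. writeSettings continues beyond the hunk.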
@@ -168,8 +171,8 @@
SCR::Write(.temp_crlexport_agent.periodic, periodic ? "true":"false");
SCR::Write(.temp_crlexport_agent.capassword, periodic ? getPassword(ca):"" );
- SCR::Write(.temp_crlexport_agent.interval_days, sformat("%1", intervalDays));
- SCR::Write(.temp_crlexport_agent.interval_hours, sformat("%1",intervalHours));
+ SCR::Write(.temp_crlexport_agent.interval_athour, intervalHours == 24 ? "0":sformat("%1", intervalAtHour));
+ SCR::Write(.temp_crlexport_agent.interval_hours, sformat("%1", intervalHours));
SCR::Write(.temp_crlexport_agent.export_file, file_active == true ? "true":"false");
SCR::Write(.temp_crlexport_agent.export_ldap, ldap_active == true ? "true":"false");
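Review bot: The ternary on the `interval_athour` write is inverted: it stores `"0"` exactly when `intervalHours == 24`, the only case in which the at-hour value is used, and stores the hour otherwise; readSettings in this same commit zeroes the value when the interval is not 24, and the cron line consults `intervalAtHour` only when it is 24. The next time the dialog is opened the hour therefore comes back as 0, and a re-save regenerates the cron entry for midnight. Change it to `SCR::Write(.temp_crlexport_agent.interval_athour, intervalHours == 24 ? sformat("%1", intervalAtHour) : "0");`. writeSettings starts and ends outside the hunk.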
@@ -201,12 +204,12 @@
string caption = _("Export CRL");
// this default can only be set inside this function
- crlfile = sformat("/var/lib/CAM/%1/crl/crl.pem", ca);
+ crlfile = sformat("/var/lib/CAM/%1/crl/crl.pem", deletechars(ca, " "));
string help_para1 = sformat("<p><b>%1</b></p>", caption);
string help_para2 = _("<p>Export the CRL of this CA once by selecting <b>Export once</b>.</p>");
- string help_para3 = _("<p>To setup a repeated recreation of the CRL select <b>Repeated recreation and export</b>. In this case set the interval for the recreation in <b>Periodic interval</b>. The interval is the sum of days and hours you set. To export every few hours set days to 0 and hours to the hourly interval. Please make sure you read and understood the <b>Security Information</b>.</p>");
+ string help_para3 = _("<p>To setup a repeated recreation of the CRL select <b>Repeated recreation and export</b>. In this case set the interval for the recreation in <b>Periodic interval</b>. If you set the interval to 24 hours you can additionally select the hour when the export should happen. Please make sure you read and understood the <b>Security Information</b>.</p>");
string help_para4 = _("<p>You can activate an export of the CRL to a local file or to a LDAP server or both. Setup the respective parameters in <b>Export to local file</b> and <b>Export to LDAP</b>.</p>");
string helptext = help_para1 + help_para2 + help_para3 + help_para4;
@@ -244,9 +247,13 @@
`HBox(
`VBox(`Label(_("Periodic interval")), `VSpacing(1)),
`HSpacing(3),
- `HSquash( `IntField( `id(`interval_days), "&days", 0, 100, 30 )),
- `Label("+"),
- `HSquash( `IntField( `id(`interval_hours), "&hours", 0, 23, 0 )),
+ //`HSquash( `IntField( `id(`interval_days), "&days", 0, 100, 30 )),
+ // Translators: this is used to express a setting of "every XX hour(s)"
+ `Label(_("every")),
+ `HSquash( `IntField( `id(`interval_hours), `opt(`notify), "&hour(s)", 1, 24, 12 )),
+ // Translators: in case "every XX hour(s)" is set to 24, the user can set "at XX o'clock"
+ `HBox(`id(`atHourSetting), `Label(_("at")),
+ `HSquash( `IntField( `id(`interval_athour), "&o'clock", 0, 23, 3 ))),
`HSpacing(3),
`VBox( `VSpacing(1), `PushButton(`id(`securityInfo), _("&Security Information")) )
)
@@ -321,6 +328,11 @@
string newfile = regexpsub(crlfile, formatstr, outputstr);
if (newfile != nil && newfile != "") crlfile = newfile;
}
+ if (ui == `interval_hours || ui == `interval_athour)
+ {
+ intervalHours = (integer) UI::QueryWidget(`id(`interval_hours), `Value);
+ intervalAtHour= (integer) UI::QueryWidget(`id(`interval_athour), `Value);
+ }
if (ui == `securityInfo)
{
showSecurityInfo();
@@ -330,7 +342,7 @@
updateEnabled();
fileformat = (symbol) UI::QueryWidget(`id(`fileformat), `Value);
crlfile = (string) UI::QueryWidget(`id(`crlfile), `Value);
- intervalDays = (integer) UI::QueryWidget(`id(`interval_days), `Value);
+ intervalAtHour= (integer) UI::QueryWidget(`id(`interval_athour), `Value);
intervalHours = (integer) UI::QueryWidget(`id(`interval_hours), `Value);
ldapCred["hostname"] = (string) UI::QueryWidget(`id(`hostname), `Value);
ldapCred["port"] = (string) UI::QueryWidget(`id(`port), `Value);
@@ -338,13 +350,66 @@
ldapCred["binddn"] = (string) UI::QueryWidget(`id(`binddn), `Value);
ldapCred["password"] = (string) UI::QueryWidget(`id(`ldapPassword), `Value);
cleanLdapCred();
-
writeSettings(ca);
- // else export the crl once
- // exportOnce(ca, `file)
- // exportOnce(ca, `ldap)
- // TODO : setup Cronjob when periodically is configured
+ string cronConfFile = sformat("/etc/cron.d/yast2-ca-mgm-exportcrl-%1",ca);
+
+ if (!periodic)
+ {
+ if (file_active)
+ {
+ string exportFormat = "PEM";
+ if (fileformat == `ffder) exportFormat = "DER";
+ string strret = (string) YaPI::CaManagement::ExportCRL ($[ "caName": ca, "caPasswd" : getPassword(ca),
+ "exportFormat" : exportFormat, "destinationFile" : crlfile]);
+ y2milestone ("ExportCRL(%1) returned %2", $["caName": ca, "exportFormat" : exportFormat, "destinationFile" : crlfile], ret);
+ if (strret == nil || strret != "1")
+ {
+ if ( Popup::YesNoHeadline(_("Export to file failed"), _("Do you want to retry?")) )
+ {
+ ui = `retry;
+ }
+ }
+ else { Popup::Message(_("Saved to file successfully")); }
+ }
+
+ if (ldap_active)
+ {
+ boolean boolret = (boolean) YaPI::CaManagement::ExportCRLToLDAP ($[ "caName": ca,
+ "ldapHostname" : ldapCred["hostname"]:"", "ldapPort" : ldapCred["port"]:"",
+ "destinationDN" : ldapCred["dn"]:"", "BindDN" : ldapCred["binddn"]:"",
+ "ldapPasswd" : ldapCred["ldap_password"]:"" ]);
+ if (boolret)
+ {
+ Popup::Message(_("Saved to LDAP successfully."));
+ }
+ else
+ {
+ if ( Popup::YesNoHeadline(_("Export to LDAP failed"), _("Do you want to retry?")) )
+ {
+ ui = `retry;
+ }
+ }
+ }
+
+ // Remove the cronjob if the setting was reset
+ SCR::Execute(.target.remove, cronConfFile);
+ }
+ else
+ {
+ string configString = sformat("## Configuration of a cron job to export the CRL of the CA: %1", ca);
+ configString = configString + "\n##";
+ configString = configString + "\n## Created by yast2-ca-management";
+ configString = configString + "\n## Changes to this file will be overwritten by yast2-ca-management";
+ configString = configString + sformat("\n## Either use yast or change settings here AND in /var/lib/CAM/%1/exportcrl.conf", deletechars(ca, " "));
+ configString = configString + "\n\n\n";
+ string hourset = intervalHours == 24 ? sformat("%1",intervalAtHour) : sformat("*/%1",intervalHours);
+ configString = configString + sformat("* %1 * * * root /usr/bin/exportCRL.pl -c /var/lib/CAM/%2/exportcrl.conf", hourset, deletechars(ca, " "));
+ if ( SCR::Execute(.target.bash, sformat("cat > %1 <http://svn.opensuse.org/viewcvs/yast/trunk/ca-management/yast2-ca-management.spec.in?rev=44141&r1=44140&r2=44141&view=diff
==============================================================================
--- trunk/ca-management/yast2-ca-management.spec.in (original)
+++ trunk/ca-management/yast2-ca-management.spec.in Mon Feb 4 21:34:12 2008
@@ -41,4 +41,5 @@
@schemadir@/autoyast/rnc/ca_mgm.rnc
%doc @docdir@
/usr/bin/generateCRL.pl
+/usr/bin/exportCRL.pl
%attr(600, root, root) %config(noreplace) /etc/generateCRL.conf