[yast-commit] r41626 - /trunk/ca-management/src/ca_mgm_proposal.ycp
Author: mcalmer Date: Mon Oct 29 18:10:02 2007 New Revision: 41626 URL: http://svn.opensuse.org/viewcvs/yast?rev=41626&view=rev Log: - merge SP1 changes to trunk * detect existing default Root CA during installation (#238754) - popup password dialog if root password cannot be read Modified: trunk/ca-management/src/ca_mgm_proposal.ycp Modified: trunk/ca-management/src/ca_mgm_proposal.ycp URL: http://svn.opensuse.org/viewcvs/yast/trunk/ca-management/src/ca_mgm_proposal.ycp?rev=41626&r1=41625&r2=41626&view=diff ==============================================================================
--- trunk/ca-management/src/ca_mgm_proposal.ycp (original)
+++ trunk/ca-management/src/ca_mgm_proposal.ycp Mon Oct 29 18:10:02 2007
@@ -26,6 +26,7 @@
 import "DNS";
 import "Timezone";
 import "Users";
+ import "String";
 include "ca-management/new_cert_read_write.ycp";
@@ -36,203 +37,306 @@ if (func == "MakeProposal") { - boolean force_reset = param["force_reset"]:false; - string proposal = ""; - string warning = nil; - symbol warning_level = nil; - - map retmap = (map) SCR::Execute (.target.bash_output, - "/bin/hostname --long", - $[] ); - y2milestone("Hostname :%1", retmap); - if (retmap["exit"]:0 != 0 - && CaMgm::prop_selection == `def - && (!CaMgm::prop_server_commonNameChanged - || !CaMgm::prop_emailChanged - || force_reset)) - { - ret = add( ret, "warning", _("Cannot evaluate the name of the local machine. Change the values of Server Name and E-Mail.")); - ret = add( ret, "warning_level", `blocker ); - } - - string longhostname = strip(retmap["stdout"]:"linux.site"); - if(size(longhostname) <= 0) - { - longhostname = "linux.site"; - } - string hostname = ((list<string>) splitstring (longhostname, "."))[0]:""; - string domain = substring (longhostname, findfirstof(longhostname,".")+1); - - if (size (domain) <= 0) - { - domain = longhostname; - } - - if (!CaMgm::prop_ca_commonNameChanged) - { - CaMgm::prop_ca_commonName = "YaST Default CA (" + hostname + ")"; - } - if (!CaMgm::prop_server_commonNameChanged) - { - CaMgm::prop_server_commonName = longhostname; - } - if (!CaMgm::prop_CANameChanged) - { - CaMgm::prop_CAName = "YaST_Default_CA"; - } - if (!CaMgm::prop_countryChanged) - { - CaMgm::prop_country = Timezone::GetCountryForTimezone(""); - } - if (!CaMgm::prop_passwordChanged) - { - CaMgm::prop_password = Users::GetRootPassword(); - } - if (!CaMgm::prop_emailChanged) - { - CaMgm::prop_email = "postmaster@" + domain; - } - - if(ret["warning"]:"" != "") - { - return ret; - } - - if (force_reset) - { - y2milestone("FORCE RESET"); - if (CaMgm::prop_settingsWritten) - { - if( !Popup::YesNo(_("CA Management") + "\n" + - _("Settings have already been written.") + "\n" + - _("Delete the old settings?"))) - { - ret = $[ "workflow_sequence" : `auto ]; - } - else - { - YaPI::CaManagement::DeleteCA ($[ "caName":CaMgm::currentCA, - 
"caPasswd":getPassword(CaMgm::currentCA), - "force": true]); - CaMgm::prop_settingsWritten = false; - } - } - else - { - CaMgm::prop_selection = `def; - CaMgm::prop_ca_commonName = "YaST Default CA (" + hostname + ")"; - CaMgm::prop_CAName = "YaST_Default_CA"; - CaMgm::prop_country = Timezone::GetCountryForTimezone(""); - CaMgm::prop_password = Users::GetRootPassword(); - CaMgm::prop_email = "postmaster@" + domain; - CaMgm::prop_server_commonName = longhostname; - } - } - - if (!check_mail_address(CaMgm::prop_email)) - { - ret = add( ret, "warning", _("Invalid e-mail format.")); - ret = add( ret, "warning_level", `blocker ); - } + boolean force_reset = param["force_reset"]:false; + string proposal = ""; + string warning = nil; + symbol warning_level = nil; + + map retmap = (map) SCR::Execute (.target.bash_output, + "/bin/hostname --long", + $[] ); + y2milestone("Hostname :%1", retmap); + if (retmap["exit"]:0 != 0 + && CaMgm::prop_selection == `def + && (!CaMgm::prop_server_commonNameChanged + || !CaMgm::prop_emailChanged + || force_reset)) + { + ret = add( ret, "warning", _("Cannot evaluate the name of the local machine. 
Change the values of Server Name and E-Mail.")); + ret = add( ret, "warning_level", `blocker ); + } + + string longhostname = strip(retmap["stdout"]:"linux.site"); + if(size(longhostname) <= 0) + { + longhostname = "linux.site"; + } + string hostname = ((list<string>) splitstring (longhostname, "."))[0]:""; + string domain = substring (longhostname, findfirstof(longhostname,".")+1); + + if (size (domain) <= 0) + { + domain = longhostname; + } + + if (!CaMgm::prop_ca_commonNameChanged) + { + CaMgm::prop_ca_commonName = "YaST Default CA (" + hostname + ")"; + } + if (!CaMgm::prop_server_commonNameChanged) + { + CaMgm::prop_server_commonName = longhostname; + } + if (!CaMgm::prop_CANameChanged) + { + CaMgm::prop_CAName = "YaST_Default_CA"; + } + if (!CaMgm::prop_countryChanged) + { + CaMgm::prop_country = Timezone::GetCountryForTimezone(""); + } + if (!CaMgm::prop_passwordChanged) + { + CaMgm::prop_password = Users::GetRootPassword(); + } + if (!CaMgm::prop_emailChanged) + { + CaMgm::prop_email = "postmaster@" + domain; + } + + if(ret["warning"]:"" != "") + { + return ret; + } + - if (CaMgm::prop_selection == `def) - { - if (!CaMgm::prop_passwordChanged) - { - proposal = HTML::Para(_("Creating default CA and certificate.") - + HTML::Newline() - + _("With higher security requirements, you should change the password.")); - } - else - { - proposal = HTML::Para(_("Creating default CA and certificate.") - + HTML::Newline()); - } - string passwordString = (string) (CaMgm::prop_passwordChanged ? 
_("[manually set]") : _("[root password]")); - proposal = proposal+ HTML::List( [ _("CA Name: ") + CaMgm::prop_CAName, - _("Common Name: ") + CaMgm::prop_ca_commonName, - _("Server Name: ") + CaMgm::prop_server_commonName, - _("Country: ") + CaMgm::prop_country, - _("Password: ") + passwordString, - _("E-Mail: ") + CaMgm::prop_email - ] ); - if ( Users::GetRootPassword() == "" && size(CaMgm::prop_password) == 0) - { - ret = add( ret, "warning", _("Unable to retrieve the system root password. Set a CA password to continue.")); - ret = add( ret, "warning_level", `blocker ); - } - else if ( size(CaMgm::prop_password) < 4) - { - ret = add( ret, "warning", _("The root password is too short for use as the password for the certificates. + // new handling of force reset because of (#238754) + if (force_reset) + { + y2milestone("FORCE RESET"); + if (CaMgm::prop_settingsWritten) + { + if( !Popup::YesNo(_("CA Management") + "\n" + + _("Settings have already been written.") + "\n" + + _("Delete the old settings?"))) + { + ret = $[ "workflow_sequence" : `auto ]; + } + else + { + YaPI::CaManagement::DeleteCA ($[ "caName":CaMgm::currentCA, + "caPasswd":getPassword(CaMgm::currentCA), + "force": true]); + CaMgm::prop_settingsWritten = false; + } + } + else + { + CaMgm::prop_selection = `def; + CaMgm::prop_ca_commonName = "YaST Default CA (" + hostname + ")"; + CaMgm::prop_CAName = "YaST_Default_CA"; + CaMgm::prop_country = Timezone::GetCountryForTimezone(""); + CaMgm::prop_password = Users::GetRootPassword(); + CaMgm::prop_email = "postmaster@" + domain; + CaMgm::prop_server_commonName = longhostname; + } + } + else // NO FORCE RESET + { // Try to read default Root CA and ask if it should be reused or deleted + map defaultRootCA = nil; + defaultRootCA = (map) YaPI::CaManagement::ReadFile( $["inFile":"/var/lib/CAM/" + CaMgm::prop_CAName + "/cacert.pem", + "type":"parsed", + "datatype":"CERTIFICATE", + "inForm":"PEM" + ]); + CaMgm::prop_settingsWritten = defaultRootCA != nil ? 
true:false; + + + if (CaMgm::prop_settingsWritten) + { + if( !Popup::YesNo(_("CA Management") + "\n" + + _("Settings have already been written.") + "\n" + + _("Delete the old settings?"))) + { + // read the details directly from the server certificate + map defaultServerCert = (map) YaPI::CaManagement::ReadFile( $[ + "inFile":"/etc/ssl/servercerts/servercert.pem", + "type":"parsed", + "datatype":"CERTIFICATE", + "inForm":"PEM" ]); + + map defaultServerCertIssuer = defaultServerCert["ISSUER_HASH"]:$[]; + // CaMgm::prop_selection = `def; + CaMgm::prop_ca_commonName = ((list)defaultServerCertIssuer["CN"]:[])[0]:""; + CaMgm::prop_country = ((list)defaultServerCertIssuer["C"]:[])[0]:""; + CaMgm::prop_email = ((list)defaultServerCertIssuer["emailAddress"]:[])[0]:""; + CaMgm::prop_CAName = CaMgm::prop_CAName; + CaMgm::prop_password = Users::GetRootPassword(); + + + map defaultSCmap = defaultServerCert["DN_HASH"]:$[]; + + CaMgm::prop_server_commonName = ((list)defaultSCmap["CN"]:[])[0]:""; + + + ret = $[ "workflow_sequence" : `auto ]; + } + else + { // delete the default Root CA manually because the root PW may be different in a repeated run of second-Stage + SCR::Execute(.target.bash, sformat(" rm -rf /var/lib/CAM/%1 ", CaMgm::prop_CAName )); + CaMgm::prop_settingsWritten = false; + } + } + } + + if (!check_mail_address(CaMgm::prop_email)) + { + ret = add( ret, "warning", _("Invalid e-mail format.")); + ret = add( ret, "warning_level", `blocker ); + } + + if (CaMgm::prop_selection == `def) + { + + if ( Users::GetRootPassword() == "" && size(CaMgm::prop_password) == 0) + { + + UI::OpenDialog (`opt(`decorated ), + `HBox(`VSpacing(10), + `VBox ( + `Label("Unable to retrieve the system root password. 
Set a CA password to continue."), + `HSpacing(10), + `Password(`id(`pw1), _("&Password:"), ""), + `Password(`id(`pw2), _("Co&nfirm Password"), ""), + `HSpacing(10), + `HBox(`PushButton (`id(`cancel), `opt(`key_F9), Label::CancelButton()), + `HStretch(), + `PushButton (`id(`ok), `opt(`default, `key_F10), Label::OKButton()) + ) + ), + `VSpacing(10) + ) + ); + UI::SetFocus (`id(`ok)); + while (true) + { + any rt = UI::UserInput(); + if (rt == `ok) + { + string pw1 = (string) UI::QueryWidget(`id(`pw1), `Value); + string pw2 = (string) UI::QueryWidget(`id(`pw2), `Value); + if(pw1 != pw2) + { + Popup::Error( _("New passwords do not match.") ); + continue; + } + if ( size(pw1) < 4) + { + Popup::Error(_("The password is too short for use as the password for the certificates. Enter a valid password for the certificates or disable certificate creation. ")); - ret = add( ret, "warning_level", `blocker ); - } - } - else if (CaMgm::prop_selection == `none) - { - proposal = HTML::Para(_("Not creating a CA and certificate.")); - } - else if (CaMgm::prop_selection == `disk) - { - proposal = HTML::Para(_("Importing a CA and certificate from file")); - } - - ret = add (ret, "preformatted_proposal", proposal); - if ( ((list<string>) splitstring (CaMgm::prop_server_commonName, "."))[0]:"" == "linux") - { - ret = add (ret, "warning" , - _("<p>Is the default hostname <b>linux</b> really unique? The certificate is only valid if the hostname is correct.</p>")); - } + continue; + } + CaMgm::prop_password = pw1; + CaMgm::prop_passwordChanged = true; + break; + } + else if (rt == `cancel) + { + ret = add( ret, "warning", _("Unable to retrieve the system root password. 
Set a CA password to continue.")); + ret = add( ret, "warning_level", `blocker ); + break; + } + } + + UI::CloseDialog (); + } + + if (!CaMgm::prop_passwordChanged) + { + proposal = HTML::Para(_("Creating default CA and certificate.") + + HTML::Newline() + + _("With higher security requirements, you should change the password.")); + } + else + { + proposal = HTML::Para(_("Creating default CA and certificate.") + + HTML::Newline()); + } + + string passwordString = (string) (CaMgm::prop_passwordChanged ? _("[manually set]") : _("[root password]")); + proposal = proposal+ HTML::List( [ _("CA Name: ") + CaMgm::prop_CAName, + _("Common Name: ") + CaMgm::prop_ca_commonName, + _("Server Name: ") + CaMgm::prop_server_commonName, + _("Country: ") + CaMgm::prop_country, + _("Password: ") + passwordString, + _("E-Mail: ") + CaMgm::prop_email + ] ); + + + if ( size(CaMgm::prop_password) < 4) + { + ret = add( ret, "warning", _("The root password is too short for use as the password for the certificates. + Enter a valid password for the certificates or disable certificate creation. +")); + ret = add( ret, "warning_level", `blocker ); + } + } + else if (CaMgm::prop_selection == `none) + { + proposal = HTML::Para(_("Not creating a CA and certificate.")); + } + else if (CaMgm::prop_selection == `disk) + { + proposal = HTML::Para(_("Importing a CA and certificate from file")); + } + + ret = add (ret, "preformatted_proposal", proposal); + if ( ((list<string>) splitstring (CaMgm::prop_server_commonName, "."))[0]:"" == "linux") + { + ret = add (ret, "warning" , + _("<p>Is the default hostname <b>linux</b> really unique? 
The certificate is only valid if the hostname is correct.</p>")); + } } else if (func == "AskUser") { - any sequence = WFM::CallFunction ( "ca_select_proposal", [] ); - if (CaMgm::prop_settingsWritten) - { - if( !Popup::YesNo(_("CA Management") + "\n" + - _("Settings have already been written.") + "\n" + - _("Delete the old settings?"))) - { - ret = $[ "workflow_sequence" : `auto ]; - } - else - { - YaPI::CaManagement::DeleteCA ($[ "caName":CaMgm::currentCA, - "caPasswd":getPassword(CaMgm::currentCA), - "force": true]); - CaMgm::prop_settingsWritten = false; - } - } + any sequence = WFM::CallFunction ( "ca_select_proposal", [] ); + if (CaMgm::prop_settingsWritten) + { + if( !Popup::YesNo(_("CA Management") + "\n" + + _("Settings have already been written.") + "\n" + + _("Delete the old settings?"))) + { + ret = $[ "workflow_sequence" : `auto ]; + } + else + { + YaPI::CaManagement::DeleteCA ($["caName":CaMgm::currentCA, + "caPasswd":getPassword(CaMgm::currentCA), + "force": true]); + CaMgm::prop_settingsWritten = false; + } + } } else if (func == "Description") { - // richtext label - ret = $[ "rich_text_title" : _("CA Management"), - // menu title - "menu_title" : _("&CA Management"), - "id" : "ca_mgm", - ]; + // richtext label + ret = $[ "rich_text_title" : _("CA Management"), + // menu title + "menu_title" : _("&CA Management"), + "id" : "ca_mgm", + ]; } else if (func == "Write") { - boolean success = true; - - if (!CaMgm::prop_settingsWritten) - { - if (CaMgm::prop_selection == `def) - { - success = create_default_CA_certificate(); - } - else if (CaMgm::prop_selection == `disk) - { - success = importCertificateFromDisk (); - } - if( success ) { - CaMgm::prop_settingsWritten = true; - } - } - + boolean success = true; + + if (!CaMgm::prop_settingsWritten) + { + if (CaMgm::prop_selection == `def) + { + success = create_default_CA_certificate(); + } + else if (CaMgm::prop_selection == `disk) + { + success = importCertificateFromDisk (); + } + if( success ) + { + 
CaMgm::prop_settingsWritten = true; + } + } + ret = $[ "success" : success ]; } return ret; -- To unsubscribe, e-mail: yast-commit+unsubscribe@opensuse.org For additional commands, e-mail: yast-commit+help@opensuse.org
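Review bot: In the new `else // NO FORCE RESET` branch of the MakeProposal path, the old CA directory is removed with `SCR::Execute(.target.bash, sformat(" rm -rf /var/lib/CAM/%1 ", CaMgm::prop_CAName ));`, which splices `CaMgm::prop_CAName` into a shell command unquoted; the `prop_CANameChanged` flag suggests the name can be edited in the proposal, so a value containing whitespace, shell metacharacters or `..` would change which paths get deleted. Since the commit already adds `import "String";`, the call can become `SCR::Execute(.target.bash, sformat("rm -rf '/var/lib/CAM/%1'", String::Quote(CaMgm::prop_CAName)));`, and the name should additionally be rejected when it contains `/` or is `..` before any filesystem path is built from it (the same value is also used to build the `inFile` path for `YaPI::CaManagement::ReadFile` a few lines earlier). Two smaller points in the same hunk: `CaMgm::prop_CAName = CaMgm::prop_CAName;` is a no-op and can be dropped, and the dialog's `` `Label("Unable to retrieve the system root password. Set a CA password to continue.") `` is the only user-visible string in the new block not wrapped in `_()`, unlike the identical warning text two branches later. The function enclosing the `func == "MakeProposal"` dispatch starts and ends outside the hunk.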