diff --git a/.github/workflows/ca-clone-replicated-ds-test.yml b/.github/workflows/ca-clone-replicated-ds-test.yml index bd959401288..35b01f4bc28 100644 --- a/.github/workflows/ca-clone-replicated-ds-test.yml +++ b/.github/workflows/ca-clone-replicated-ds-test.yml @@ -136,16 +136,15 @@ jobs: - name: Enable replication on primary DS run: | - docker exec primaryds dsconf \ - -D "cn=Directory Manager" \ - -w Secret.123 \ - ldap://primaryds.example.com:3389 \ - replication enable \ - --suffix=dc=ca,dc=pki,dc=example,dc=com \ - --role=supplier \ - --replica-id=1 \ - --bind-dn="cn=Replication Manager,cn=config" \ - --bind-passwd=Secret.123 + docker exec secondary pki-server ca-db-repl-enable \ + --url ldap://primaryds.example.com:3389 \ + --bind-dn "cn=Directory Manager" \ + --bind-password Secret.123 \ + --replica-bind-dn "cn=Replication Manager,cn=config" \ + --replica-bind-password Secret.123 \ + --replica-id 1 \ + --suffix dc=ca,dc=pki,dc=example,dc=com \ + -v # check replication manager docker exec primaryds ldapsearch \ @@ -171,16 +170,15 @@ jobs: - name: Enable replication on secondary DS run: | - docker exec secondaryds dsconf \ - -D "cn=Directory Manager" \ - -w Secret.123 \ - ldap://secondaryds.example.com:3389 \ - replication enable \ - --suffix=dc=ca,dc=pki,dc=example,dc=com \ - --role=supplier \ - --replica-id=2 \ - --bind-dn="cn=Replication Manager,cn=config" \ - --bind-passwd=Secret.123 + docker exec secondary pki-server ca-db-repl-enable \ + --url ldap://secondaryds.example.com:3389 \ + --bind-dn "cn=Directory Manager" \ + --bind-password Secret.123 \ + --replica-bind-dn "cn=Replication Manager,cn=config" \ + --replica-bind-password Secret.123 \ + --replica-id 2 \ + --suffix dc=ca,dc=pki,dc=example,dc=com \ + -v # check replication manager docker exec secondaryds ldapsearch \ diff --git a/base/server/python/pki/server/cli/db.py b/base/server/python/pki/server/cli/db.py index 96a83234ac6..70173d8a41b 100644 --- a/base/server/python/pki/server/cli/db.py +++ b/base/server/python/pki/server/cli/db.py @@ -1339,9 +1339,153 @@ def __init__(self, parent): subsystem=parent.parent.name.upper())) self.parent = parent + self.add_module(SubsystemDBReplicationEnableCLI(self)) self.add_module(SubsystemDBReplicationAgreementCLI(self)) +class SubsystemDBReplicationEnableCLI(pki.cli.CLI): + ''' + Enable {subsystem} database replication + ''' + + help = '''\ + Usage: pki-server {subsystem}-db-repl-enable [OPTIONS] + + -i, --instance Instance ID (default: pki-tomcat) + --url Database URL + --bind-dn Database bind DN + --bind-password Database bind password + --replica-bind-dn Replica bind DN + --replica-bind-password Replica bind password + --replica-id Replica ID + --suffix Database suffix + -v, --verbose Run in verbose mode. + --debug Run in debug mode. + --help Show help message. + ''' + + def __init__(self, parent): + super(SubsystemDBReplicationEnableCLI, self).__init__( + 'enable', + inspect.cleandoc(self.__class__.__doc__).format( + subsystem=parent.parent.parent.name.upper())) + + self.parent = parent + + def print_help(self): + print(textwrap.dedent(self.__class__.help).format( + subsystem=self.parent.parent.parent.name)) + + def execute(self, argv): + try: + opts, _ = getopt.gnu_getopt(argv, 'i:v', [ + 'instance=', + 'url=', 'bind-dn=', 'bind-password=', + 'replica-bind-dn=', 'replica-bind-password=', + 'replica-id=', 'suffix=', + 'verbose', 'debug', 'help']) + + except getopt.GetoptError as e: + logger.error(e) + self.print_help() + sys.exit(1) + + instance_name = 'pki-tomcat' + subsystem_name = self.parent.parent.parent.name + url = None + bind_dn = None + bind_password = None + replica_bind_dn = None + replica_bind_password = None + replica_id = None + suffix = None + + for o, a in opts: + if o in ('-i', '--instance'): + instance_name = a + + elif o == '--url': + url = urllib.parse.urlparse(a) + + elif o == '--bind-dn': + bind_dn = a + + elif o == '--bind-password': + bind_password = a + + elif o == '--replica-bind-dn': + replica_bind_dn = a + + elif o == '--replica-bind-password': + replica_bind_password = a + + elif o == '--replica-id': + replica_id = a + + elif o == '--suffix': + suffix = a + + elif o in ('-v', '--verbose'): + logging.getLogger().setLevel(logging.INFO) + + elif o == '--debug': + logging.getLogger().setLevel(logging.DEBUG) + + elif o == '--help': + self.print_help() + sys.exit() + + else: + logger.error('Invalid option: %s', o) + self.print_help() + sys.exit(1) + + # user must provide the replica ID is required since + # in the future the auto-generated replica ID will no + # longer be supported + + if not replica_id: + logger.error('Missing replica ID') + sys.exit(1) + + instance = pki.server.instance.PKIInstance(instance_name) + + if not instance.exists(): + logger.error('Invalid instance: %s', instance_name) + sys.exit(1) + + instance.load() + + subsystem = instance.get_subsystem(subsystem_name) + + if not subsystem: + logger.error('No %s subsystem in instance %s.', + subsystem_name.upper(), instance_name) + sys.exit(1) + + ldap_config = {} + + if url.scheme == 'ldaps': + ldap_config['ldapconn.secureConn'] = 'true' + else: + ldap_config['ldapconn.secureConn'] = 'false' + + ldap_config['ldapconn.host'] = url.hostname + ldap_config['ldapconn.port'] = str(url.port) + + ldap_config['ldapauth.authtype'] = 'BasicAuth' + ldap_config['ldapauth.bindDN'] = bind_dn + ldap_config['ldapauth.bindPassword'] = bind_password + + ldap_config['basedn'] = suffix + + subsystem.enable_replication( + ldap_config, + replica_bind_dn, + replica_bind_password, + replica_id) + + class SubsystemDBReplicationAgreementCLI(pki.cli.CLI): ''' {subsystem} replication agreement management commands diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py index 5b3c8b993b1..08d6e53db40 100644 --- a/base/server/python/pki/server/deployment/__init__.py +++ b/base/server/python/pki/server/deployment/__init__.py @@ -1592,12 +1592,6 @@ def setup_database(self, subsystem, master_config): logger.info('- replication security: %s', replication_security) - subsystem.setup_replication( - master_config['Properties'], - master_replication_port=master_replication_port, - replica_replication_port=replica_replication_port, - replication_security=replication_security) - # get master database config master_ldap_config = {} @@ -1672,6 +1666,24 @@ def setup_database(self, subsystem, master_config): replica_agreement_name replica_bind_password = self.instance.get_password('replicationdb') + logger.info('Enable replication on master') + + # TODO: provide param to specify the replica ID for the master + subsystem.enable_replication( + master_ldap_config, + master_bind_dn, + master_bind_password, + None) + + logger.info('Enable replication on replica') + + # TODO: provide param to specify the replica ID for the replica + subsystem.enable_replication( + replica_ldap_config, + replica_bind_dn, + replica_bind_password, + None) + logger.info('Adding master replication agreement') logger.info('- replica URL: %s', replica_url) diff --git a/base/server/python/pki/server/subsystem.py b/base/server/python/pki/server/subsystem.py index f29bb55f6e6..6e4d5fc4535 100644 --- a/base/server/python/pki/server/subsystem.py +++ b/base/server/python/pki/server/subsystem.py @@ -1288,31 +1288,33 @@ def revoke_database_access( as_current_user=as_current_user, capture_output=True) - def setup_replication( + def enable_replication( self, - master_config, - master_replication_port=None, - replica_replication_port=None, - replication_security=None): + ldap_config, + replica_bind_dn, + replica_bind_password, + replica_id): tmpdir = tempfile.mkdtemp() try: - master_config_file = os.path.join(tmpdir, 'master.conf') - pki.util.store_properties(master_config_file, master_config) - - cmd = [self.name + '-db-repl-setup'] - - if master_replication_port: - cmd.extend(['--master-replication-port', master_replication_port]) + ldap_config_file = os.path.join(tmpdir, 'ldap.conf') + pki.util.store_properties(ldap_config_file, ldap_config) + pki.util.chown(tmpdir, self.instance.uid, self.instance.gid) - if replica_replication_port: - cmd.extend(['--replica-replication-port', replica_replication_port]) + password_file = os.path.join(tmpdir, 'password.txt') + with open(password_file, 'w', encoding='utf-8') as f: + f.write(replica_bind_password) + pki.util.chown(password_file, self.instance.uid, self.instance.gid) - if replication_security: - cmd.extend(['--replication-security', replication_security]) + cmd = [ + self.name + '-db-repl-enable', + '--ldap-config', ldap_config_file, + '--replica-bind-dn', replica_bind_dn, + '--replica-bind-password-file', password_file + ] - if master_config_file: - cmd.extend(['--master-config', master_config_file]) + if replica_id: + cmd.extend(['--replica-id', replica_id]) if logger.isEnabledFor(logging.DEBUG): cmd.append('--debug') @@ -1320,8 +1322,7 @@ def setup_replication( elif logger.isEnabledFor(logging.INFO): cmd.append('--verbose') - # run as current user so it can read the input file - self.run(cmd, as_current_user=True) + self.run(cmd) finally: shutil.rmtree(tmpdir) diff --git a/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemDBReplicationCLI.java b/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemDBReplicationCLI.java index 7daa3220a7b..cbeedff00c0 100644 --- a/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemDBReplicationCLI.java +++ b/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemDBReplicationCLI.java @@ -15,7 +15,7 @@ public class SubsystemDBReplicationCLI extends CLI { public SubsystemDBReplicationCLI(CLI parent) { super("repl", parent.parent.name.toUpperCase() + " database replication management commands", parent); - addModule(new SubsystemDBReplicationSetupCLI(this)); + addModule(new SubsystemDBReplicationEnableCLI(this)); addModule(new SubsystemDBReplicationAgreementCLI(this)); } } diff --git a/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemDBReplicationEnableCLI.java b/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemDBReplicationEnableCLI.java new file mode 100644 index 00000000000..78a59bb862f --- /dev/null +++ b/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemDBReplicationEnableCLI.java @@ -0,0 +1,131 @@ +// +// Copyright Red Hat, Inc. +// +// SPDX-License-Identifier: GPL-2.0-or-later +// +package org.dogtagpki.server.cli; + +import java.nio.file.Files; +import java.nio.file.Paths; + +import org.apache.commons.cli.CommandLine; +import org.dogtagpki.cli.CLI; +import org.dogtagpki.cli.CLIException; +import org.dogtagpki.util.logging.PKILogger; +import org.dogtagpki.util.logging.PKILogger.LogLevel; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import com.netscape.cms.servlet.csadmin.LDAPConfigurator; +import com.netscape.cmscore.apps.DatabaseConfig; +import com.netscape.cmscore.apps.EngineConfig; +import com.netscape.cmscore.base.ConfigStorage; +import com.netscape.cmscore.base.FileConfigStorage; +import com.netscape.cmscore.ldapconn.LDAPConfig; +import com.netscape.cmscore.ldapconn.LdapBoundConnFactory; +import com.netscape.cmscore.ldapconn.PKISocketConfig; + +import netscape.ldap.LDAPConnection; + +/** + * @author Endi S. Dewata + */ +public class SubsystemDBReplicationEnableCLI extends SubsystemCLI { + + public static Logger logger = LoggerFactory.getLogger(SubsystemDBReplicationEnableCLI.class); + + public SubsystemDBReplicationEnableCLI(CLI parent) { + super("enable", "Enable " + parent.parent.parent.getName().toUpperCase() + " database replication", parent); + } + + @Override + public void createOptions() { + + options.addOption(null, "ldap-config", true, "LDAP configuration file"); + options.addOption(null, "replica-bind-dn", true, "Replica bind DN"); + options.addOption(null, "replica-bind-password-file", true, "Replica bind password file"); + options.addOption(null, "replica-id", true, "Replica ID"); + + options.addOption("v", "verbose", false, "Run in verbose mode."); + options.addOption(null, "debug", false, "Run in debug mode."); + options.addOption(null, "help", false, "Show help message."); + } + + @Override + public void execute(CommandLine cmd) throws Exception { + + if (cmd.hasOption("debug")) { + PKILogger.setLevel(LogLevel.DEBUG); + + } else if (cmd.hasOption("verbose")) { + PKILogger.setLevel(LogLevel.INFO); + } + + String ldapConfigFile = cmd.getOptionValue("ldap-config"); + + if (ldapConfigFile == null) { + throw new CLIException("Missing LDAP configuration file"); + } + + String replicaBindDN = cmd.getOptionValue("replica-bind-dn"); + String replicaBindPasswordFile = cmd.getOptionValue("replica-bind-password-file"); + + Integer replicaID = null; + if (cmd.hasOption("replica-id")) { + replicaID = Integer.valueOf(cmd.getOptionValue("replica-id")); + } + + initializeTomcatJSS(); + String subsystem = parent.parent.parent.getName(); + EngineConfig cs = getEngineConfig(subsystem); + cs.load(); + + PKISocketConfig socketConfig = cs.getSocketConfig(); + + logger.info("Loading {}", ldapConfigFile); + ConfigStorage masterConfigStorage = new FileConfigStorage(ldapConfigFile); + LDAPConfig ldapConfig = new LDAPConfig(masterConfigStorage); + ldapConfig.load(); + + String replicaBindPassword = Files.readAllLines(Paths.get(replicaBindPasswordFile)).get(0); + + LdapBoundConnFactory connFactory = new LdapBoundConnFactory("LDAPConfigurator"); + connFactory.init(socketConfig, ldapConfig); + LDAPConnection conn = connFactory.getConn(); + + DatabaseConfig dbConfig = cs.getDatabaseConfig(); + + try { + LDAPConfigurator configurator = new LDAPConfigurator(conn, ldapConfig); + + boolean autoGenerateReplicaID = false; + if (replicaID == null) { + // auto-generate replica ID if not provided + + // TODO: remove this mechanism in the future since + // it relies on range-based serial numbers which can + // be problematic + + autoGenerateReplicaID = true; + replicaID = dbConfig.getInteger("beginReplicaNumber", 1); + } + + boolean created = configurator.enableReplication( + replicaBindDN, + replicaBindPassword, + replicaID); + + if (created) { + replicaID++; + } + + if (autoGenerateReplicaID) { + dbConfig.putInteger("beginReplicaNumber", replicaID); + cs.commit(false); + } + + } finally { + if (conn != null) conn.disconnect(); + } + } +} diff --git a/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemDBReplicationSetupCLI.java b/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemDBReplicationSetupCLI.java deleted file mode 100644 index 96108a76589..00000000000 --- a/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemDBReplicationSetupCLI.java +++ /dev/null @@ -1,238 +0,0 @@ -// -// Copyright Red Hat, Inc. -// -// SPDX-License-Identifier: GPL-2.0-or-later -// -package org.dogtagpki.server.cli; - -import org.apache.commons.cli.CommandLine; -import org.dogtagpki.cli.CLI; -import org.dogtagpki.util.logging.PKILogger; -import org.dogtagpki.util.logging.PKILogger.LogLevel; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -import com.netscape.cms.servlet.csadmin.LDAPConfigurator; -import com.netscape.cmscore.apps.DatabaseConfig; -import com.netscape.cmscore.apps.EngineConfig; -import com.netscape.cmscore.base.ConfigStorage; -import com.netscape.cmscore.base.ConfigStore; -import com.netscape.cmscore.base.FileConfigStorage; -import com.netscape.cmscore.ldapconn.LDAPAuthenticationConfig; -import com.netscape.cmscore.ldapconn.LDAPConfig; -import com.netscape.cmscore.ldapconn.LDAPConnectionConfig; -import com.netscape.cmscore.ldapconn.LdapBoundConnFactory; -import com.netscape.cmscore.ldapconn.PKISocketConfig; -import com.netscape.cmsutil.ldap.LDAPUtil; -import com.netscape.cmsutil.password.PasswordStore; -import com.netscape.cmsutil.password.PasswordStoreConfig; - -import netscape.ldap.LDAPConnection; - -/** - * @author Endi S. Dewata - */ -public class SubsystemDBReplicationSetupCLI extends SubsystemCLI { - - public static Logger logger = LoggerFactory.getLogger(SubsystemDBReplicationSetupCLI.class); - - public SubsystemDBReplicationSetupCLI(CLI parent) { - super("setup", "Set up " + parent.parent.parent.getName().toUpperCase() + " database replication", parent); - } - - @Override - public void createOptions() { - - options.addOption(null, "master-config", true, "Master configuration file"); - options.addOption(null, "master-replication-port", true, "Master replication port"); - options.addOption(null, "replica-replication-port", true, "Replica replication port"); - options.addOption(null, "replication-security", true, "Replication security: SSL, TLS, None"); - - options.addOption("v", "verbose", false, "Run in verbose mode."); - options.addOption(null, "debug", false, "Run in debug mode."); - options.addOption(null, "help", false, "Show help message."); - } - - @Override - public void execute(CommandLine cmd) throws Exception { - - if (cmd.hasOption("debug")) { - PKILogger.setLevel(LogLevel.DEBUG); - - } else if (cmd.hasOption("verbose")) { - PKILogger.setLevel(LogLevel.INFO); - } - - String masterConfigFile = cmd.getOptionValue("master-config"); - - if (masterConfigFile == null) { - throw new Exception("Missing master configuration file"); - } - - String masterReplicationPort = cmd.getOptionValue("master-replication-port"); - String replicaReplicationPort = cmd.getOptionValue("replica-replication-port"); - String replicationSecurity = cmd.getOptionValue("replication-security"); - - initializeTomcatJSS(); - String subsystem = parent.parent.parent.getName(); - EngineConfig cs = getEngineConfig(subsystem); - cs.load(); - - logger.info("Loading {}", masterConfigFile); - ConfigStorage masterStorage = new FileConfigStorage(masterConfigFile); - ConfigStore masterConfig = new ConfigStore(masterStorage); - masterConfig.load(); - - PasswordStoreConfig psc = cs.getPasswordStoreConfig(); - PasswordStore passwordStore = PasswordStore.create(psc); - - setupReplication( - cs, - passwordStore, - masterConfig, - masterReplicationPort, - replicaReplicationPort, - replicationSecurity); - - cs.commit(false); - } - - public void setupReplication( - EngineConfig cs, - PasswordStore passwordStore, - ConfigStore masterConfig, - String masterReplicationPort, - String replicaReplicationPort, - String replicationSecurity) throws Exception { - - String hostname = cs.getHostname(); - String instanceID = cs.getInstanceID(); - - PKISocketConfig socketConfig = cs.getSocketConfig(); - - LDAPConfig ldapConfig = cs.getInternalDBConfig(); - LDAPConnectionConfig replicaConnConfig = ldapConfig.getConnectionConfig(); - String replicaPort = replicaConnConfig.getString("port", ""); - - if (replicaReplicationPort == null || replicaReplicationPort.equals("")) { - replicaReplicationPort = replicaPort; - } - - LdapBoundConnFactory ldapFactory = new LdapBoundConnFactory("LDAPConfigurator"); - ldapFactory.init(socketConfig, ldapConfig, passwordStore); - - LDAPConnection conn = ldapFactory.getConn(); - LDAPConfigurator ldapConfigurator = new LDAPConfigurator(conn, ldapConfig, instanceID); - - try { - LDAPConfig masterDBConfig = masterConfig.getSubStore("internaldb", LDAPConfig.class); - LDAPConnectionConfig masterConnConfig = masterDBConfig.getConnectionConfig(); - String masterPort = masterConnConfig.getString("port", ""); - - if (masterReplicationPort == null || masterReplicationPort.equals("")) { - masterReplicationPort = masterPort; - } - - String masterReplicationPassword = masterConfig.getString("internaldb.replication.password", ""); - String replicaReplicationPassword = passwordStore.getPassword("replicationdb", 0); - - // Set master LDAP password (if it exists) temporarily in password store - // in case it is needed for replication. Not stored in password.conf. - - LDAPAuthenticationConfig masterAuthConfig = masterDBConfig.getAuthenticationConfig(); - String masterPassword = masterAuthConfig.getString("password", ""); - - if (!masterPassword.equals("")) { - masterAuthConfig.putString("bindPWPrompt", "master_internaldb"); - passwordStore.putPassword("master_internaldb", masterPassword); - passwordStore.commit(); - } - - LdapBoundConnFactory masterFactory = new LdapBoundConnFactory("MasterLDAPConfigurator"); - masterFactory.init(socketConfig, masterDBConfig, passwordStore); - - LDAPConnection masterConn = masterFactory.getConn(); - LDAPConfigurator masterConfigurator = new LDAPConfigurator(masterConn, masterDBConfig); - - try { - String masterAgreementName = "masterAgreement1-" + hostname + "-" + instanceID; - String replicaAgreementName = "cloneAgreement1-" + hostname + "-" + instanceID; - - String masterBindUser = "Replication Manager " + masterAgreementName; - String replicaBindUser = "Replication Manager " + replicaAgreementName; - - String masterBindDN = "cn=" + LDAPUtil.escapeRDNValue(masterBindUser) + ",ou=csusers,cn=config"; - String replicaBindDN = "cn=" + LDAPUtil.escapeRDNValue(replicaBindUser) + ",ou=csusers,cn=config"; - - DatabaseConfig dbConfig = cs.getDatabaseConfig(); - int beginReplicaNumber = dbConfig.getInteger("beginReplicaNumber", 1); - int endReplicaNumber = dbConfig.getInteger("endReplicaNumber", 100); - logger.info("Current replica number range: " + beginReplicaNumber + "-" + endReplicaNumber); - - beginReplicaNumber = enableReplication( - masterConfigurator, - ldapConfigurator, - masterBindDN, - replicaBindDN, - masterReplicationPassword, - replicaReplicationPassword, - beginReplicaNumber); - - logger.info("New replica number range: " + beginReplicaNumber + "-" + endReplicaNumber); - dbConfig.putString("beginReplicaNumber", Integer.toString(beginReplicaNumber)); - - } finally { - if (masterConn != null) masterConn.disconnect(); - } - - // remove master ldap password from password.conf (if present) - - if (!masterPassword.equals("")) { - String passwordFile = cs.getPasswordFile(); - ConfigStorage storage = new FileConfigStorage(passwordFile); - ConfigStore passwords = new ConfigStore(storage); - passwords.load(); - passwords.remove("master_internaldb"); - passwords.commit(false); - } - - } finally { - if (conn != null) conn.disconnect(); - } - } - - public int enableReplication( - LDAPConfigurator masterConfigurator, - LDAPConfigurator replicaConfigurator, - String masterBindDN, - String replicaBindDN, - String masterReplicationPassword, - String replicaReplicationPassword, - int replicaID) - throws Exception { - - logger.info("Enabling replication on master"); - - boolean created = masterConfigurator.enableReplication( - masterBindDN, - masterReplicationPassword, - replicaID); - - if (created) { - replicaID++; - } - - logger.info("Enabling replication on replica"); - - created = replicaConfigurator.enableReplication( - replicaBindDN, - replicaReplicationPassword, - replicaID); - - if (created) { - replicaID++; - } - - return replicaID; - } -}