From 4b71c97287f1471ad2d1736d34014383d29dfa8d Mon Sep 17 00:00:00 2001 
From: Marco Fargetta Date: Mon, 21 Oct 2024 15:27:23 +0200 Subject: [PATCH] Modify pki-server ca-range-generator-* to ca-id-generator-* --- .../workflows/ca-clone-sequential-test.yml | 58 +++++- .github/workflows/ca-sequential-test.yml | 8 +- .../org/dogtagpki/server/ca/cli/CACLI.java | 1 + .../org/dogtagpki/server/ca/cli/CAIdCLI.java | 19 ++ ...eneratorCLI.java => CAIdGeneratorCLI.java} | 8 +- ...teCLI.java => CAIdGeneratorUpdateCLI.java} | 10 +- .../dogtagpki/server/ca/cli/CARangeCLI.java | 1 - .../org/dogtagpki/server/kra/cli/KRACLI.java | 1 + .../dogtagpki/server/kra/cli/KRAIdCLI.java | 19 ++ ...neratorCLI.java => KRAIdGeneratorCLI.java} | 6 +- .../dogtagpki/server/kra/cli/KRARangeCLI.java | 1 - ...eCLI.java => kraIdGeneratorUpdateCLI.java} | 9 +- base/server/python/pki/server/cli/ca.py | 2 + base/server/python/pki/server/cli/id.py | 186 ++++++++++++++++++ base/server/python/pki/server/cli/range.py | 163 --------------- base/server/python/pki/server/subsystem.py | 4 +- ...ava => SubsystemIdGeneratorUpdateCLI.java} | 26 ++- .../server/cli/SubsystemRangeUpdateCLI.java | 2 - 18 files changed, 310 insertions(+), 214 deletions(-) create mode 100644 base/ca/src/main/java/org/dogtagpki/server/ca/cli/CAIdCLI.java rename base/ca/src/main/java/org/dogtagpki/server/ca/cli/{CARangeGeneratorCLI.java => CAIdGeneratorCLI.java} (51%) rename base/ca/src/main/java/org/dogtagpki/server/ca/cli/{CARangeGeneratorUpdateCLI.java => CAIdGeneratorUpdateCLI.java} (85%) create mode 100644 base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRAIdCLI.java rename base/kra/src/main/java/org/dogtagpki/server/kra/cli/{KRARangeGeneratorCLI.java => KRAIdGeneratorCLI.java} (66%) rename base/kra/src/main/java/org/dogtagpki/server/kra/cli/{kraRangeGeneratorUpdateCLI.java => kraIdGeneratorUpdateCLI.java} (86%) create mode 100644 base/server/python/pki/server/cli/id.py rename base/server/src/main/java/org/dogtagpki/server/cli/{SubsystemRangeGeneratorUpdateCLI.java => 
SubsystemIdGeneratorUpdateCLI.java} (94%) diff --git a/.github/workflows/ca-clone-sequential-test.yml b/.github/workflows/ca-clone-sequential-test.yml index 61b53f41136..9ef202c918c 100644 --- a/.github/workflows/ca-clone-sequential-test.yml +++ b/.github/workflows/ca-clone-sequential-test.yml @@ -989,18 +989,53 @@ jobs: # have gaps when range is updated # # It should work like the legacy but with correct range. - - name: Switch primary to legacy2 + - name: Stop the CAs run: | docker exec primary pki-server stop - docker exec primary pki-server ca-range-generator-update --type request legacy2 - docker exec primary pki-server ca-range-generator-update --type cert legacy2 - docker exec primary pki-server start --wait + docker exec secondary pki-server stop + + - name: Switch primary to legacy2 + run: | + docker exec primary pki-server ca-id-generator-update --type request legacy2 + docker exec primary pki-server ca-id-generator-update --type cert legacy2 + + - name: Check request range objects + run: | + tests/ca/bin/ca-request-range-objects.sh primaryds | tee output + + # request ranges should remain the same + cat > expected << EOF + SecurePort: 8443 + beginRange: 11 + endRange: 20 + host: primary.example.com + + SecurePort: 8443 + beginRange: 21 + endRange: 30 + host: secondary.example.com + + EOF + + diff expected output + + - name: Check request next range + run: | + tests/ca/bin/ca-request-next-range.sh primaryds | tee output + + # request nextRange should remain the same + cat > expected << EOF + nextRange: 31 + EOF + + diff expected output - name: Check cert range objects run: | tests/ca/bin/ca-cert-range-objects.sh primaryds | tee output - # cert ranges should remain the same + # cert ranges should remain the same but converted from hex to decimal + # the range value for the primary move from 13-30 (hex) to 19-48 (dec) cat > expected << EOF SecurePort: 8443 beginRange: 31 
@@ -1029,9 +1064,12 @@ jobs: - name: Switch secondary to legacy2 run: | - docker exec secondary pki-server stop - docker exec secondary pki-server ca-range-generator-update --type request legacy2 - docker exec secondary pki-server ca-range-generator-update --type cert legacy2 + docker exec secondary pki-server ca-id-generator-update --type request legacy2 + docker exec secondary pki-server ca-id-generator-update --type cert legacy2 + + - name: Start the CAs + run: | + docker exec primary pki-server start --wait docker exec secondary pki-server start --wait - name: Check request range config in primary CA @@ -1123,7 +1161,9 @@ jobs: run: | tests/ca/bin/ca-cert-range-objects.sh primaryds | tee output - # cert ranges should remain the same + # cert ranges should remain the same but in dec. + # the range value for the primary move from 13-30 (hex) to 19-48 (dec) + # the range value for the secondary move from 31-48 (hex) to 49-72 (dec) cat > expected << EOF SecurePort: 8443 beginRange: 19 diff --git a/.github/workflows/ca-sequential-test.yml b/.github/workflows/ca-sequential-test.yml index fd55f188a70..a2991fb6d9f 100644 --- a/.github/workflows/ca-sequential-test.yml +++ b/.github/workflows/ca-sequential-test.yml @@ -1151,8 +1151,8 @@ jobs: - name: Switch to legacy2 run: | docker exec pki pki-server stop - docker exec pki pki-server ca-range-generator-update --type request legacy2 - docker exec pki pki-server ca-range-generator-update --type cert legacy2 + docker exec pki pki-server ca-id-generator-update --type request legacy2 + docker exec pki pki-server ca-id-generator-update --type cert legacy2 docker exec pki pki-server start --wait 
@@ -1239,7 +1239,9 @@ jobs: run: | tests/ca/bin/ca-cert-range-objects.sh ds | tee output - # new cert range should be 27 - 42 decimal (total: 16) + # new cert range should be the same but converted to decimal + # first range move from 19-36 (hex) to 25-54 (dec) + # second range move from 37-54 (hex) to 55-84 (dec) cat > expected << EOF SecurePort: 8443 beginRange: 25 diff --git a/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CACLI.java b/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CACLI.java index 6c32799000b..0adb076183e 100644 --- a/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CACLI.java +++ b/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CACLI.java @@ -36,6 +36,7 @@ public CACLI(CLI parent) { addModule(new SubsystemGroupCLI(this)); addModule(new CAProfileCLI(this)); addModule(new CARangeCLI(this)); + addModule(new CAIdCLI(this)); addModule(new SubsystemUserCLI(this)); addModule(new SDCLI(this)); } diff --git a/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CAIdCLI.java b/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CAIdCLI.java new file mode 100644 index 00000000000..899e7bb77d2 --- /dev/null +++ b/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CAIdCLI.java @@ -0,0 +1,19 @@ +// +// Copyright Red Hat, Inc. +// +// SPDX-License-Identifier: GPL-2.0-or-later +// +package org.dogtagpki.server.ca.cli; + +import org.dogtagpki.cli.CLI; + +/** + * @author Marco Fargetta {@literal } + */ +public class CAIdCLI extends CLI { + public CAIdCLI(CLI parent) { + super("id", "CA id generator management commands", parent); + + addModule(new CAIdGeneratorCLI(this)); + } +} 
diff --git a/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CARangeGeneratorCLI.java b/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CAIdGeneratorCLI.java similarity index 51% rename from base/ca/src/main/java/org/dogtagpki/server/ca/cli/CARangeGeneratorCLI.java rename to base/ca/src/main/java/org/dogtagpki/server/ca/cli/CAIdGeneratorCLI.java index fd5085a5fdf..b74b8832414 100644 --- a/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CARangeGeneratorCLI.java +++ b/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CAIdGeneratorCLI.java @@ -10,12 +10,12 @@ /** * @author Marco Fargetta {@literal } */ -public class CARangeGeneratorCLI extends CLI { +public class CAIdGeneratorCLI extends CLI { - public CARangeGeneratorCLI(CLI parent) { - super("generator", "CA range generator commands", parent); + public CAIdGeneratorCLI(CLI parent) { + super("generator", "CA id generator commands", parent); - addModule(new CARangeGeneratorUpdateCLI(this)); + addModule(new CAIdGeneratorUpdateCLI(this)); } } diff --git a/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CARangeGeneratorUpdateCLI.java b/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CAIdGeneratorUpdateCLI.java similarity index 85% rename from base/ca/src/main/java/org/dogtagpki/server/ca/cli/CARangeGeneratorUpdateCLI.java rename to base/ca/src/main/java/org/dogtagpki/server/ca/cli/CAIdGeneratorUpdateCLI.java index 1985f733906..07f2bc9f801 100644 --- a/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CARangeGeneratorUpdateCLI.java +++ b/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CAIdGeneratorUpdateCLI.java 
@@ -5,26 +5,24 @@ // package org.dogtagpki.server.ca.cli; -import com.netscape.certsrv.base.EBaseException; import com.netscape.cmscore.apps.DatabaseConfig; import com.netscape.cmscore.dbs.CertificateRepository; -import com.netscape.cmscore.dbs.Repository; import com.netscape.cmscore.dbs.Repository.IDGenerator; import com.netscape.cmscore.ldapconn.LdapAuthInfo; import com.netscape.cmscore.ldapconn.LdapConnInfo; import com.netscape.cmscore.ldapconn.PKISocketFactory; import org.dogtagpki.cli.CLI; -import org.dogtagpki.server.cli.SubsystemRangeGeneratorUpdateCLI; +import org.dogtagpki.server.cli.SubsystemIdGeneratorUpdateCLI; import org.slf4j.Logger; import org.slf4j.LoggerFactory; /** * @author Marco Fargetta {@literal } */ -public class CARangeGeneratorUpdateCLI extends SubsystemRangeGeneratorUpdateCLI { - private static final Logger logger = LoggerFactory.getLogger(CARangeGeneratorUpdateCLI.class); +public class CAIdGeneratorUpdateCLI extends SubsystemIdGeneratorUpdateCLI { + private static final Logger logger = LoggerFactory.getLogger(CAIdGeneratorUpdateCLI.class); - public CARangeGeneratorUpdateCLI(CLI parent) { + public CAIdGeneratorUpdateCLI(CLI parent) { super(parent); } diff --git a/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CARangeCLI.java b/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CARangeCLI.java index 8bf22010cec..749eb737758 100644 --- a/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CARangeCLI.java +++ b/base/ca/src/main/java/org/dogtagpki/server/ca/cli/CARangeCLI.java @@ -16,6 +16,5 @@ public CARangeCLI(CLI parent) { super("range", "CA range management commands", parent); addModule(new CARangeUpdateCLI(this)); - addModule(new CARangeGeneratorCLI(this)); } } diff --git a/base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRACLI.java b/base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRACLI.java index 4861c02d4ec..08c2427866b 100644 --- a/base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRACLI.java 
+++ b/base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRACLI.java @@ -35,6 +35,7 @@ public KRACLI(CLI parent) { addModule(new SubsystemDBCLI(this)); addModule(new SubsystemGroupCLI(this)); addModule(new KRARangeCLI(this)); + addModule(new KRAIdCLI(this)); addModule(new SubsystemUserCLI(this)); addModule(new SDCLI(this)); } diff --git a/base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRAIdCLI.java b/base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRAIdCLI.java new file mode 100644 index 00000000000..1e8cd8ef601 --- /dev/null +++ b/base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRAIdCLI.java @@ -0,0 +1,19 @@ +// +// Copyright Red Hat, Inc. +// +// SPDX-License-Identifier: GPL-2.0-or-later +// +package org.dogtagpki.server.kra.cli; + +import org.dogtagpki.cli.CLI; + +/** + * @author Marco Fargetta {@literal } + */ +public class KRAIdCLI extends CLI { + public KRAIdCLI(CLI parent) { + super("id", "CA id generator management commands", parent); + + addModule(new KRAIdGeneratorCLI(this)); + } +} diff --git a/base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRARangeGeneratorCLI.java b/base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRAIdGeneratorCLI.java similarity index 66% rename from base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRARangeGeneratorCLI.java rename to base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRAIdGeneratorCLI.java index 6a611b526e8..8ebd8385bd2 100644 --- a/base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRARangeGeneratorCLI.java +++ b/base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRAIdGeneratorCLI.java @@ -9,10 +9,10 @@ /** * @author Marco Fargetta {@literal } */ -public class KRARangeGeneratorCLI extends CLI { - public KRARangeGeneratorCLI(CLI parent) { +public class KRAIdGeneratorCLI extends CLI { + public KRAIdGeneratorCLI(CLI parent) { super("generator", "kra range generator commands", parent); - addModule(new kraRangeGeneratorUpdateCLI(this)); + addModule(new kraIdGeneratorUpdateCLI(this)); } } 
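Review bot: The description passed to `super` in the new KRAIdCLI reads "CA id generator management commands", which looks copied from CAIdCLI and would show the wrong subsystem in the KRA help output; it should be `super("id", "KRA id generator management commands", parent);`. The same stale wording survives the rename in two other places: KRAIdGeneratorCLI still passes "kra range generator commands" (its CA counterpart was updated to "CA id generator commands"), and the SubsystemIdGeneratorUpdateCLI constructor still builds "Update ... range generator". Operators choosing between the `range` and `id` command trees rely on these strings, so they are worth aligning in this commit.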
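Review bot: The class registered in KRAIdGeneratorCLI, `kraIdGeneratorUpdateCLI`, keeps the lower-case initial of the file it was renamed from, unlike the other classes in this change (`KRAIdCLI`, `KRAIdGeneratorCLI`, `CAIdGeneratorUpdateCLI`). Since the file is being renamed anyway, `KRAIdGeneratorUpdateCLI` would follow Java naming and match the CA side: `addModule(new KRAIdGeneratorUpdateCLI(this));`. The class declaration and constructor are in the rename hunk for kraIdGeneratorUpdateCLI.java, which would need the same edit.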
diff --git a/base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRARangeCLI.java b/base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRARangeCLI.java index 0a4b9f707cb..b8e28aae04b 100644 --- a/base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRARangeCLI.java +++ b/base/kra/src/main/java/org/dogtagpki/server/kra/cli/KRARangeCLI.java @@ -16,6 +16,5 @@ public KRARangeCLI(CLI parent) { super("range", "KRA range management commands", parent); addModule(new KRARangeUpdateCLI(this)); - addModule(new KRARangeGeneratorCLI(this)); } } diff --git a/base/kra/src/main/java/org/dogtagpki/server/kra/cli/kraRangeGeneratorUpdateCLI.java b/base/kra/src/main/java/org/dogtagpki/server/kra/cli/kraIdGeneratorUpdateCLI.java similarity index 86% rename from base/kra/src/main/java/org/dogtagpki/server/kra/cli/kraRangeGeneratorUpdateCLI.java rename to base/kra/src/main/java/org/dogtagpki/server/kra/cli/kraIdGeneratorUpdateCLI.java index 163458071d4..5050b4b71d4 100644 --- a/base/kra/src/main/java/org/dogtagpki/server/kra/cli/kraRangeGeneratorUpdateCLI.java +++ b/base/kra/src/main/java/org/dogtagpki/server/kra/cli/kraIdGeneratorUpdateCLI.java @@ -12,15 +12,14 @@ import com.netscape.cmscore.ldapconn.LdapConnInfo; import com.netscape.cmscore.ldapconn.PKISocketFactory; import org.dogtagpki.cli.CLI; -import org.dogtagpki.server.cli.SubsystemRangeGeneratorUpdateCLI; +import org.dogtagpki.server.cli.SubsystemIdGeneratorUpdateCLI; /** - * - * @author mfargetta + * @author Marco Fargetta {@literal } */ -public class kraRangeGeneratorUpdateCLI extends SubsystemRangeGeneratorUpdateCLI { +public class kraIdGeneratorUpdateCLI extends SubsystemIdGeneratorUpdateCLI { - public kraRangeGeneratorUpdateCLI(CLI parent) { + public kraIdGeneratorUpdateCLI(CLI parent) { super(parent); } diff --git a/base/server/python/pki/server/cli/ca.py b/base/server/python/pki/server/cli/ca.py index a96d3213abe..a8b4a9d892f 100644 --- a/base/server/python/pki/server/cli/ca.py 
+++ b/base/server/python/pki/server/cli/ca.py @@ -36,6 +36,7 @@ import pki.server.cli.config import pki.server.cli.db import pki.server.cli.group +import pki.server.cli.id import pki.server.cli.range import pki.server.cli.subsystem import pki.server.cli.user @@ -61,6 +62,7 @@ def __init__(self): self.add_module(pki.server.cli.group.GroupCLI(self)) self.add_module(CAProfileCLI()) self.add_module(pki.server.cli.range.RangeCLI(self)) + self.add_module(pki.server.cli.id.IdCLI(self)) self.add_module(pki.server.cli.user.UserCLI(self)) diff --git a/base/server/python/pki/server/cli/id.py b/base/server/python/pki/server/cli/id.py new file mode 100644 index 00000000000..36ce522b02a --- /dev/null +++ b/base/server/python/pki/server/cli/id.py 
@@ -0,0 +1,186 @@ +# +# Copyright Red Hat, Inc. +# +# SPDX-License-Identifier: GPL-2.0-or-later +# +from __future__ import absolute_import +from __future__ import print_function +import getopt +import logging +import sys + +import pki.cli + +logger = logging.getLogger(__name__) + + +class IdCLI(pki.cli.CLI): + + def __init__(self, parent): + super().__init__( + 'id', + '%s id configuration management commands' % parent.name.upper()) + + self.parent = parent + self.add_module(IdGeneratorCLI(self)) + +class IdGeneratorCLI(pki.cli.CLI): + + def __init__(self, parent): + super().__init__('generator', + '%s id generator configuration' % parent.parent.name.upper()) + + self.parent = parent + self.add_module(IdGeneratorShowCLI(self)) + self.add_module(IdGeneratorUpdateCLI(self)) + + +class IdGeneratorShowCLI(pki.cli.CLI): + + def __init__(self, parent): + super().__init__('show', 'Display %s id generator' % parent.parent.parent.name.upper()) + + self.parent = parent + + def print_help(self): + print('Usage: pki-server %s-id-generator-show [OPTIONS]' % + self.parent.parent.parent.name) + print() + print(' -i, --instance Instance ID (default: pki-tomcat).') + print(' -v, --verbose Run in verbose mode.') + print(' --debug Run in debug mode.') + print(' --help Show help message.') + print() + + def execute(self, argv): + try: + opts, _ = getopt.gnu_getopt(argv, 'i:v', [ + 'instance=', + 'verbose', 'debug', 'help']) + + except getopt.GetoptError as e: + logger.error(e) + self.print_help() + sys.exit(1) + + instance_name = 'pki-tomcat' + subsystem_name = self.parent.parent.parent.name + + for o, a in opts: + if o in ('-i', '--instance'): + instance_name = a + + elif o in ('-v', '--verbose'): + logging.getLogger().setLevel(logging.INFO) + + elif o == '--debug': + logging.getLogger().setLevel(logging.DEBUG) + + elif o == '--help': + self.print_help() + sys.exit() + + else: + logger.error('Invalid option: %s', o) + self.print_help() + sys.exit(1) + + instance = 
pki.server.PKIServerFactory.create(instance_name) + if not instance.exists(): + logger.error('Invalid instance: %s', instance_name) + sys.exit(1) + + instance.load() + + subsystem = instance.get_subsystem(subsystem_name) + + if not subsystem: + logger.error('No %s subsystem in instance %s', + subsystem_name.upper(), instance_name) + sys.exit(1) + + print(' Request ID generator: %s' % subsystem.config.get('dbs.request.id.generator')) + print(' Cert ID generator: %s' % subsystem.config.get('dbs.cert.id.generator')) + + +class IdGeneratorUpdateCLI(pki.cli.CLI): + + def __init__(self, parent): + super().__init__('update', 'Update %s id generator' % parent.parent.parent.name.upper()) + + self.parent = parent + + def print_help(self): + print('Usage: pki-server %s-id-generator-update [OPTIONS] ' % + self.parent.parent.parent.name) + print() + print(' -t, --type Type for the generator (request or cert).') + print(' -i, --instance Instance ID (default: pki-tomcat).') + print(' -v, --verbose Run in verbose mode.') + print(' --debug Run in debug mode.') + print(' --help Show help message.') + print() + + def execute(self, argv): + try: + opts, args = getopt.gnu_getopt(argv, 'i:t:v', [ + 'instance=', 'type=', + 'verbose', 'debug', 'help']) + + except getopt.GetoptError as e: + logger.error(e) + self.print_help() + sys.exit(1) + + if len(args) != 1: + logger.error('Missing new generator') + self.print_help() + sys.exit(1) + + new_generator = args[0] + instance_name = 'pki-tomcat' + subsystem_name = self.parent.parent.parent.name + generator_type = None + + for o, a in opts: + if o in ('-t', '--type'): + generator_type = a + + elif o in ('-i', '--instance'): + instance_name = a + + elif o in ('-v', '--verbose'): + logging.getLogger().setLevel(logging.INFO) + + elif o == '--debug': + logging.getLogger().setLevel(logging.DEBUG) + + elif o == '--help': + self.print_help() + sys.exit() + + else: + logger.error('Invalid option: %s', o) + self.print_help() + sys.exit(1) + + if not 
generator_type: + logger.error('No specified') + self.print_help() + sys.exit(1) + + instance = pki.server.PKIServerFactory.create(instance_name) + if not instance.exists(): + logger.error('Invalid instance: %s', instance_name) + sys.exit(1) + + instance.load() + + subsystem = instance.get_subsystem(subsystem_name) + + if not subsystem: + logger.error('No %s subsystem in instance %s', + subsystem_name.upper(), instance_name) + sys.exit(1) + + subsystem.update_id_generator(new_generator, generator_type) diff --git a/base/server/python/pki/server/cli/range.py b/base/server/python/pki/server/cli/range.py index 4d2f4b19412..45777c6e03e 100644 --- a/base/server/python/pki/server/cli/range.py +++ b/base/server/python/pki/server/cli/range.py @@ -25,7 +25,6 @@ def __init__(self, parent): self.add_module(RangeShowCLI(self)) self.add_module(RangeRequestCLI(self)) self.add_module(RangeUpdateCLI(self)) - self.add_module(RangeGeneratorCLI(self)) class RangeShowCLI(pki.cli.CLI): 
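Review bot: `IdGeneratorUpdateCLI.execute` in the new id.py only checks that `--type` is present, so any string is handed to `subsystem.update_id_generator` even though the help text limits it to request or cert. Rejecting other values before the instance is loaded keeps a typo from reaching the Java tool that converts the range entries: `if generator_type not in ('request', 'cert'):` followed by the same error, help and exit sequence used for the missing-type case. The Java side may validate this as well, but that code is not visible here. Separately, the module calls `pki.server.PKIServerFactory.create` while importing only `pki.cli`, so it works only when `pki.server` has already been imported elsewhere; adding `import pki.server` makes the dependency explicit.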
@@ -259,165 +258,3 @@ def execute(self, argv): sys.exit(1) subsystem.update_ranges() - - -class RangeGeneratorCLI(pki.cli.CLI): - - def __init__(self, parent): - super().__init__('generator', - '%s range generator configuration' % parent.parent.name.upper()) - - self.parent = parent - self.add_module(RangeGeneratorShowCLI(self)) - self.add_module(RangeGeneratorUpdateCLI(self)) - - -class RangeGeneratorShowCLI(pki.cli.CLI): - - def __init__(self, parent): - super().__init__('show', 'Display %s range generator' % parent.parent.parent.name.upper()) - - self.parent = parent - - def print_help(self): - print('Usage: pki-server %s-range-generator-show [OPTIONS]' % - self.parent.parent.parent.name) - print() - print(' -i, --instance Instance ID (default: pki-tomcat).') - print(' -v, --verbose Run in verbose mode.') - print(' --debug Run in debug mode.') - print(' --help Show help message.') - print() - - def execute(self, argv): - try: - opts, _ = getopt.gnu_getopt(argv, 'i:v', [ - 'instance=', - 'verbose', 'debug', 'help']) - - except getopt.GetoptError as e: - logger.error(e) - self.print_help() - sys.exit(1) - - instance_name = 'pki-tomcat' - subsystem_name = self.parent.parent.parent.name - - for o, a in opts: - if o in ('-i', '--instance'): - instance_name = a - - elif o in ('-v', '--verbose'): - logging.getLogger().setLevel(logging.INFO) - - elif o == '--debug': - logging.getLogger().setLevel(logging.DEBUG) - - elif o == '--help': - self.print_help() - sys.exit() - - else: - logger.error('Invalid option: %s', o) - self.print_help() - sys.exit(1) - - instance = pki.server.PKIServerFactory.create(instance_name) - if not instance.exists(): - logger.error('Invalid instance: %s', instance_name) - sys.exit(1) - - instance.load() - - subsystem = instance.get_subsystem(subsystem_name) - - if not subsystem: - logger.error('No %s subsystem in instance %s', - subsystem_name.upper(), instance_name) - sys.exit(1) - - print(' Request ID generator: %s' % 
subsystem.config.get('dbs.request.id.generator')) - print(' Cert ID generator: %s' % subsystem.config.get('dbs.cert.id.generator')) - - -class RangeGeneratorUpdateCLI(pki.cli.CLI): - - def __init__(self, parent): - super().__init__('update', 'Update %s range generator' % parent.parent.parent.name.upper()) - - self.parent = parent - - def print_help(self): - print('Usage: pki-server %s-range-generator-update [OPTIONS] ' % - self.parent.parent.parent.name) - print() - print(' -t, --type Type for the generator (request or cert).') - print(' -i, --instance Instance ID (default: pki-tomcat).') - print(' -v, --verbose Run in verbose mode.') - print(' --debug Run in debug mode.') - print(' --help Show help message.') - print() - - def execute(self, argv): - try: - opts, args = getopt.gnu_getopt(argv, 'i:t:v', [ - 'instance=', 'type=', - 'verbose', 'debug', 'help']) - - except getopt.GetoptError as e: - logger.error(e) - self.print_help() - sys.exit(1) - - if len(args) != 1: - logger.error('Missing new generator') - self.print_help() - sys.exit(1) - - new_generator = args[0] - instance_name = 'pki-tomcat' - subsystem_name = self.parent.parent.parent.name - generator_type = None - - for o, a in opts: - if o in ('-t', '--type'): - generator_type = a - - elif o in ('-i', '--instance'): - instance_name = a - - elif o in ('-v', '--verbose'): - logging.getLogger().setLevel(logging.INFO) - - elif o == '--debug': - logging.getLogger().setLevel(logging.DEBUG) - - elif o == '--help': - self.print_help() - sys.exit() - - else: - logger.error('Invalid option: %s', o) - self.print_help() - sys.exit(1) - - if not generator_type: - logger.error('No specified') - self.print_help() - sys.exit(1) - - instance = pki.server.PKIServerFactory.create(instance_name) - if not instance.exists(): - logger.error('Invalid instance: %s', instance_name) - sys.exit(1) - - instance.load() - - subsystem = instance.get_subsystem(subsystem_name) - - if not subsystem: - logger.error('No %s subsystem in 
instance %s', - subsystem_name.upper(), instance_name) - sys.exit(1) - - subsystem.update_range_generator(new_generator, generator_type) diff --git a/base/server/python/pki/server/subsystem.py b/base/server/python/pki/server/subsystem.py index 24d78208d91..8c5382d97f9 100644 --- a/base/server/python/pki/server/subsystem.py +++ b/base/server/python/pki/server/subsystem.py @@ -1563,9 +1563,9 @@ def update_ranges(self, as_current_user=False): self.run(cmd, as_current_user=as_current_user) - def update_range_generator(self, generator, generator_type, as_current_user=False): + def update_id_generator(self, generator, generator_type, as_current_user=False): - cmd = [self.name + '-range-generator-update'] + cmd = [self.name + '-id-generator-update'] if logger.isEnabledFor(logging.DEBUG): cmd.append('--debug') diff --git a/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemRangeGeneratorUpdateCLI.java b/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemIdGeneratorUpdateCLI.java similarity index 94% rename from base/server/src/main/java/org/dogtagpki/server/cli/SubsystemRangeGeneratorUpdateCLI.java rename to base/server/src/main/java/org/dogtagpki/server/cli/SubsystemIdGeneratorUpdateCLI.java index def6778bfc1..d1e3b0a71bb 100644 --- a/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemRangeGeneratorUpdateCLI.java +++ b/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemIdGeneratorUpdateCLI.java 
@@ -39,24 +39,15 @@ /** * @author Marco Fargetta {@literal } */ -public abstract class SubsystemRangeGeneratorUpdateCLI extends SubsystemCLI { - private static final Logger logger = LoggerFactory.getLogger(SubsystemRangeGeneratorUpdateCLI.class); +public abstract class SubsystemIdGeneratorUpdateCLI extends SubsystemCLI { + private static final Logger logger = LoggerFactory.getLogger(SubsystemIdGeneratorUpdateCLI.class); protected IDGenerator idGenerator; - public SubsystemRangeGeneratorUpdateCLI(CLI parent) { + public SubsystemIdGeneratorUpdateCLI(CLI parent) { super("update", "Update " + parent.getParent().getParent().getName().toUpperCase() + " range generator", parent); } @Override public void createOptions() { - - Option option = new Option("d", true, "NSS database location"); - option.setArgName("database"); - options.addOption(option); - - option = new Option("f", true, "NSS database password configuration"); - option.setArgName("password config"); - options.addOption(option); - options.addOption("t", "type", true, "Generator type to update."); } @@ -186,8 +177,8 @@ protected void updateSerialNumberRangeGenerator(PKISocketFactory socketFactory, nextEndSerial = attrNextEnd.getStringValues().nextElement(); } dbConfig.setNextEndSerialNumber("0x" + nextEndSerial); + endSerialNumber = nextEndSerial; } - updateRanges(dbConfig, conn, baseDN, rangeDN, endSerialNumber, hostName, securePort); } finally { conn.disconnect(); 
@@ -224,13 +215,15 @@ protected void updateRequestNumberRangeGenerator(PKISocketFactory socketFactory, throw new EBaseException("Update to " + newGenerator + " not supported"); } - private void updateRanges(DatabaseConfig dbConfig, LdapBoundConnection conn, String baseDN, String rangeDN, String defaultEndSerialNumber, + private void updateRanges(DatabaseConfig dbConfig, LdapBoundConnection conn, String baseDN, String rangeDN, String configEndSerialNumber, String hostName, String securePort) throws Exception{ LDAPSearchResults ranges = conn.search(rangeDN, LDAPv3.SCOPE_SUB, "(objectClass=pkiRange)", null, false); BigInteger lastUsedSerial = BigInteger.ZERO; boolean nextRangeToUpdate = true; + // Search for the last range entry. If it is associated to the CA to update or ranges are not defined + // then the nextRange is while (ranges.hasMoreElements()) { LDAPEntry entry = ranges.next(); String endRange = entry.getAttribute("endRange").getStringValues().nextElement(); @@ -245,8 +238,9 @@ private void updateRanges(DatabaseConfig dbConfig, LdapBoundConnection conn, Str } if (nextRangeToUpdate) { + // nextRange is updated using last range entry or, if no ranges, the configured endSerialNumber if (lastUsedSerial == BigInteger.ZERO) { - lastUsedSerial = new BigInteger(defaultEndSerialNumber, 16); + lastUsedSerial = new BigInteger(configEndSerialNumber, 16); } BigInteger nextSerialNumber = lastUsedSerial.add(BigInteger.ONE); String serialDN = dbConfig.getSerialDN() + "," + baseDN; 
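Review bot: The comment added above the `while (ranges.hasMoreElements())` loop in updateRanges stops mid-sentence ("then the nextRange is"), so the rule it is meant to document is missing. Going by the comment added further down in the same method, it presumably should end along the lines of `// then nextRange has to be updated as well`; the author should confirm the wording. In the same loop, `entry.getAttribute("endRange")` is dereferenced without a null check, so a pkiRange entry lacking that attribute would abort the run with a NullPointerException partway through the conversion. The loop body continues outside the hunk.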
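Review bot: The guard `if (lastUsedSerial == BigInteger.ZERO)` under the new comment compares BigInteger objects by reference, so it is true only while the variable still holds the initial constant and false for a zero value parsed from an entry. If the intent is "no range entry was found", a dedicated boolean set inside the loop says that directly; if the intent is "the value is zero", use `lastUsedSerial.signum() == 0`. The fallback `new BigInteger(configEndSerialNumber, 16)` also assumes a non-null, bare hex string, which the renamed parameter could document with a short comment such as `// hex digits without the 0x prefix`. The loop that assigns `lastUsedSerial` is outside this hunk.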
@@ -260,6 +254,8 @@ private void updateRanges(DatabaseConfig dbConfig, LdapBoundConnection conn, Str LDAPSearchResults instanceRanges = conn.search(rangeDN, LDAPv3.SCOPE_SUB, "(&(objectClass=pkiRange)(host= " + hostName + ")(SecurePort=" + securePort + "))", null, false); + + // update all ranges associated to the CA to update to decimal while (instanceRanges.hasMoreElements()) { LDAPEntry entry = instanceRanges.next(); String beginRange = entry.getAttribute("beginRange").getStringValues().nextElement(); diff --git a/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemRangeUpdateCLI.java b/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemRangeUpdateCLI.java index 5f7cdecca52..3578dabeeed 100644 --- a/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemRangeUpdateCLI.java +++ b/base/server/src/main/java/org/dogtagpki/server/cli/SubsystemRangeUpdateCLI.java @@ -119,7 +119,6 @@ public void updateSerialNumberRange( // NOTE: this is a bug, cert range is stored as hex in CS.cfg endSerialNumber = new BigInteger(dbConfig.getEndSerialNumber()); } - // generate nextRange in decimal BigInteger nextSerialNumber = endSerialNumber.add(BigInteger.ONE); String serialDN = dbConfig.getSerialDN() + "," + baseDN; @@ -165,7 +164,6 @@ public void updateRequestNumberRange( // parse the end of current range as decimal endRequestNumber = new BigInteger(dbConfig.getEndRequestNumber()); } - // generate nextRange in decimal BigInteger nextRequestNumber = endRequestNumber.add(BigInteger.ONE); String requestDN = dbConfig.getRequestDN() + "," + baseDN;
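Review bot: The search filter in the `instanceRanges` lookup of SubsystemIdGeneratorUpdateCLI is built by concatenating `hostName` and `securePort` into the string with no escaping, so a value containing `(`, `)`, `*` or `\` would change which pkiRange entries are selected. Where the two values originate is not visible in the hunk, but the loop that follows converts every entry the search returns, so the filter should match exactly the intended host and port. Escape both values per RFC 4515 before building it, e.g. `"(&(objectClass=pkiRange)(host=" + escapeFilterValue(hostName) + ")(SecurePort=" + escapeFilterValue(securePort) + "))"`, where `escapeFilterValue` is a placeholder for the project's filter-escaping helper. The literal also carries a space after `host=` that looks unintended and is dropped in the suggestion above.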