Fixed security domain authentication

Previously pkispawn would only connect to a security domain when installing a new subsystem that joins the security domain (pki_security_domain_type == existing). It also would only authenticate against the security domain if it's not skipping security domain verification (pki_skip_sd_verify == False), which is the default. When installing a subordinate CA with a new security (sub)domain it would have pki_security_domain_type == new, so it would not connect to nor authenticate against the parent security domain, and it would not be able to get the installation token required to complete the installation. The code has been modified such that pkispawn will connect to a security domain when installing a subsystem to join the security domain (pki_security_domain_type == existing) as before, but also when installing a subordinate CA (pki_subordinate == True). It will also authenticate against the security domain regardless of the pki_skip_sd_verify since the authenitcation is required to obtain the installation token. The surrounding try-catch block has also been removed since the original exception will have more detailed information (i.e. the exact URL) about the problem. https://bugzilla.redhat.com/show_bug.cgi?id=1807421
dogtagpki · Mar 2, 2020 · 2c906dd · 2c906dd
1 parent 2b489f5
commit 2c906dd
Showing 1 changed file with 18 additions and 21 deletions.
diff --git a/base/server/python/pki/server/pkispawn.py b/base/server/python/pki/server/pkispawn.py
@@ -710,29 +710,26 @@ def create_master_dictionary(parser):
 
 
 def check_security_domain():
-    if deployer.mdict['pki_security_domain_type'] != "new":
-        try:
-            # Verify existence of Security Domain Password
-            if 'pki_security_domain_password' not in deployer.mdict or \
-                    not len(deployer.mdict['pki_security_domain_password']):
-                logger.error(
-                    log.PKIHELPER_UNDEFINED_CONFIGURATION_FILE_ENTRY_2,
-                    "pki_security_domain_password",
-                    deployer.mdict['pki_user_deployment_cfg'])
-                sys.exit(1)
 
-            if not config.str2bool(deployer.mdict['pki_skip_sd_verify']):
-                deployer.sd_connect()
-                info = deployer.get_domain_info()
-                deployer.set_property('pki_security_domain_name', info.id)
-                deployer.sd_login()
-                deployer.sd_logout()
+    # If the subsystem being installed is joining an existing security domain,
+    # or it is a subordinate CA (either joining the security domain or creating
+    # a new one), connect to and authenticate against the security domain.
 
-        except requests.exceptions.RequestException:
-            logger.error(
-                'Unable to access security domain: %s',
-                deployer.mdict['pki_security_domain_uri'])
-            raise
+    if deployer.mdict['pki_security_domain_type'] == 'existing' \
+            or config.str2bool(deployer.mdict['pki_subordinate']):
+
+        if 'pki_security_domain_password' not in deployer.mdict or \
+                not len(deployer.mdict['pki_security_domain_password']):
+            raise Exception('Missing security domain password')
+
+        deployer.sd_connect()
+
+        info = deployer.get_domain_info()
+        deployer.set_property('pki_security_domain_name', info.id)
+
+        logger.info('Logging into security domain %s', info.id)
+
+        deployer.sd_login()
 
 
 def check_ds():