authorRob Austein <sra@hactrn.net>2010-02-19 19:23:13 +0000
committerRob Austein <sra@hactrn.net>2010-02-19 19:23:13 +0000
commite61e5d64fdbadba6c896e9505d47778cedb2d778 (patch)
tree493c6498d055e0c634750593d7cadaa7b746909e
parent3fa0f3f73ebaf4bd9b06f48e1d4dae224e24f180 (diff)
Checkpoint
svn path=/myrpki.rototill/examples/myrpki.conf; revision=2981
-rw-r--r--myrpki.rototill/examples/myrpki.conf58
-rw-r--r--myrpki.rototill/initialize.py110
2 files changed, 144 insertions, 24 deletions
diff --git a/myrpki.rototill/examples/myrpki.conf b/myrpki.rototill/examples/myrpki.conf
index b91c82c1..068da6f9 100644
--- a/myrpki.rototill/examples/myrpki.conf
+++ b/myrpki.rototill/examples/myrpki.conf
@@ -51,27 +51,22 @@ xml_filename = myrpki.xml
myrpki_bpki_directory = bpki/myrpki
-# Base of service URL for pubd. myirbe.py uses this value to
-# configure <repository/> objects in rpkid. If you are running your
-# own copy of pubd (see "want_pubd"), myirbe.py also uses this to
-# contact your copy of pubd in order to configure it.
-#
-# You need to configure this.
-
-pubd_base = https://${pubd::server-host}:${pubd::server-port}/
-
-# Base of service URL for rpkid. myirbe.py uses this to contact your
-# rpkid so it can configure it.
-#
-# You need to configure this.
-
-rpkid_base = https://${rpkid::server-host}:${rpkid::server-port}
-
# Whether you want to run your own copy of rpkid (and irdbd). In
# general, if you're running myirbe.py at all, you want this on.
want_rpkid = true
+# DNS hostname and server port numbers for rpkid and irdbd, if you're
+# running them. rpkid's server host has to be a publicly reachable
+# name to be useful; irdbd's server host should always be localhost
+# unless you really know what you are doing. Port numbers can be any
+# legal TCP port number that you're not using for something else.
+
+rpkid_server_host = rpkid.example.org
+rpkid_server_port = 4404
+irdbd_server_host = localhost
+irdbd_server_port = 4403
+
# Whether you want myirbe.py to attempt to configure your own copy of
# pubd. In general, it's best to use your parent's pubd if you can,
# to reduce the overall number of publication sites that relying
@@ -84,6 +79,14 @@ want_rpkid = true
want_pubd = false
+# DNS hostname and server port number for pubd, if you're running it.
+# Hostname has to be a publicly reachable name to be useful, port can
+# be any legal TCP port number that you're not using for something
+# else.
+
+pubd_server_host = pubd.example.org
+pubd_server_port = 4402
+
# Whether you want myirbe.py to generate BPKI certs for running your
# very own copy of rootd. Don't enable this unless you really know
# what you're doing. See [rootd] section below for further comments.
@@ -95,6 +98,13 @@ want_rootd = false
myirbe_bpki_directory = bpki/myirbe
+# Don't touch these, they're here because I haven't yet updated all of
+# the myrpki tools to use the latest config file variables. These
+# will go away eventually, for now just leave them alone.
+
+pubd_base = https://${myrpki::pubd_server_host}:${myrpki::pubd_server_port}/
+rpkid_base = https://${myrpki::rpkid_server_host}:${myrpki::rpkid_server_port}
+
#################################################################
[rpkid]
@@ -110,14 +120,14 @@ sql-password = fnord
# requests. These should match rpkid_base in the [myirbe] section.
# You need to configure these.
-server-host = rpkid.example.org
-server-port = 4404
+server-host = ${myrpki::rpkid_server_host}
+server-port = ${myrpki::rpkid_server_port}
# HTTPS service URL rpkid should use to contact irdbd. If irdbd is
# running on the same machine as rpkid, this can and probably should
# be a loopback URL, since nobody but rpkid needs to talk to irdbd.
-irdb-url = https://localhost:4403/
+irdb-url = https://${myrpki::irdbd_server_host}:${myrpki::irdbd_server_port}/
# Where rpkid should look for BPKI certs and keys used in the
# left-right protocol. The following values match where myirbe.py
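Review bot: The context comment at the top of this hunk, `# requests. These should match rpkid_base in the [myirbe] section.` / `# You need to configure these.`, is stale once server-host and server-port are filled in from `${myrpki::rpkid_server_host}` and `${myrpki::rpkid_server_port}`: these two lines no longer need hand configuration, and the referenced variables are looked up in the [myrpki] section rather than [myirbe]. The same now-stale comment precedes the pubd server-host/server-port lines in the hunk under `publication-base`. Suggest replacing the two comment lines with `# Derived from rpkid_server_host and rpkid_server_port in the [myrpki] section; configure them there.`, and the pubd equivalent in the other hunk.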
@@ -143,7 +153,7 @@ sql-password = fnord
# HTTP service URL irdbd should listen on. This should match the
# irdb-url parameter in the [rpkid] section; see comments there.
-https-url = https://localhost:4403/
+https-url = https://${myrpki::irdbd_server_host}:${myrpki::irdbd_server_port}/
# Where irdbd should look for BPKI certs and keys used in the
# left-right protocol. The following values match where myirbe.py
@@ -179,8 +189,8 @@ publication-base = publication/
# requests. These should match pubd_base in the [myirbe] section.
# You need to configure these.
-server-host = pubd.example.org
-server-port = 4402
+server-host = ${myrpki::pubd_server_host}
+server-port = ${myrpki::pubd_server_port}
# Where pubd should look for BPKI certs and keys used in the
# left-right protocol. The following values match where myirbe.py
@@ -197,7 +207,7 @@ irbe-cert = ${myrpki::myirbe_bpki_directory}/irbe.cer
# HTTPS service URL for rpkid
-rpkid-url = https://rpkid.example.org:4404/left-right/
+rpkid-url = https://${myrpki::rpkid_server_host}:${myrpki::rpkid_server_port}/left-right/
# BPKI certificates and keys for talking to rpkid
@@ -208,7 +218,7 @@ rpkid-cert = ${myrpki::myirbe_bpki_directory}/rpkid.cer
# HTTPS service URL for pubd
-pubd-url = https://localhost:4402/control/
+pubd-url = https://${myrpki::pubd_server_host}:${myrpki::pubd_server_port}/control/
# BPKI certificates and keys for talking to pubd
diff --git a/myrpki.rototill/initialize.py b/myrpki.rototill/initialize.py
new file mode 100644
index 00000000..f40b3e86
--- /dev/null
+++ b/myrpki.rototill/initialize.py
@@ -0,0 +1,110 @@
+"""
+Step 1: User runs a new "initialize" script. This reads the .conf file
+ and creates the resource-holding "self" BPKI identity (what
+ we've been calling bpki.myrpki/ca.cer, although that name
+ should change and the user shouldn't need to know it anymore).
+ If the .conf file says that this user will be running any
+ servers at all (rpkid, irdbd, pubd, rootd), this script also
+ creates what we've been calling bpki.myirbe/ca.cer and issues
+ bpki ee certificates for all the servers we will be running.
+ It bundles up the "self" identity (bpki.myrpki/ca.cer and the
+ "handle" value from the [myrpki] section of the .conf file) as
+ an xml blob, which it writes out to some filename (call it
+ me.xml for now).
+
+ The general idea here is to start with all the setup that we
+ can do based just on the .conf file without talking to anybody
+ else.
+
+$Id$
+
+Copyright (C) 2010 Internet Systems Consortium ("ISC")
+
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+PERFORMANCE OF THIS SOFTWARE.
+"""
+
+import subprocess, csv, re, os, getopt, sys, base64, time, myrpki, rpki.config
+
+from xml.etree.ElementTree import Element, SubElement, ElementTree
+
+os.environ["TZ"] = "UTC"
+time.tzset()
+
+cfg_file = "myrpki.conf"
+
+opts, argv = getopt.getopt(sys.argv[1:], "c:h?", ["config=", "help"])
+for o, a in opts:
+ if o in ("-c", "--config"):
+ cfg_file = a
+ elif o in ("-h", "--help", "-?"):
+ print __doc__
+ sys.exit(0)
+
+cfg = rpki.config.parser(cfg_file, "myrpki")
+
+handle = cfg.get("handle")
+want_rpkid = cfg.getboolean("want_rpkid")
+want_pubd = cfg.getboolean("want_pubd")
+want_rootd = cfg.getboolean("want_rootd")
+
+myrpki.openssl = cfg.get("openssl", "openssl")
+
+# First create the "myrpki" (resource holding) BPKI and trust anchor
+
+bpki_myrpki = myrpki.CA(cfg_file, cfg.get("myrpki_bpki_directory"))
+
+bpki_myrpki.setup(cfg.get("bpki_myrpki_ta_dn",
+ "/CN=%s BPKI Resource Trust Anchor" % handle))
+
+# If we're running any daemons at all, we also need to set up the
+# "myirbe" (server-operating) BPKI, its trust anchor, and EE certs for
+# each program we need to run.
+
+if want_rpkid or want_pubd or want_rootd:
+
+ bpki_myirbe = myrpki.CA(cfg_file, cfg.get("myirbe_bpki_directory"))
+
+ bpki_myirbe.setup(cfg.get("bpki_myirbe_ta_dn",
+ "/CN=%s BPKI Server Trust Anchor" % handle))
+
+ if want_rpkid: # rpkid implies irdbd
+
+ bpki_myirbe.ee(cfg.get("bpki_rpkid_ee_dn",
+ "/CN=%s rpkid server certificate" % handle), "rpkid")
+
+ bpki_myirbe.ee(cfg.get("bpki_irdbd_ee_dn",
+ "/CN=%s irdbd server certificate" % handle), "irdbd")
+
+ if want_pubd:
+ bpki_myirbe.ee(cfg.get("bpki_pubd_ee_dn",
+ "/CN=%s pubd server certificate" % handle), "pubd")
+
+ if want_rpkid or want_irdbd: # Client cert for myirbe and irbe_cli
+
+ bpki_myirbe.ee(cfg.get("bpki_irbe_ee_dn",
+ "/CN=%s irbe client certificate" % handle), "irbe")
+
+ if want_rootd:
+
+ bpki_myirbe.ee(cfg.get("bpki_rootd_ee_dn",
+ "/CN=%s rootd server certificate" % handle), "rootd")
+
+# Now build the me.xml file (name should be configurable, and should
+# check for existing file so we don't overwrite, ... hack later ...).
+
+e = Element("me", xmlns = myrpki.namespace, version = "1", handle = handle)
+
+myrpki.PEMElement(e, "bpki_ca_certificate", bpki_myrpki.cer)
+
+ElementTree(e).write("me.xml.tmp")
+os.rename("me.xml.tmp", "me.xml")
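Review bot: `want_irdbd` on the line `if want_rpkid or want_irdbd:` is never assigned anywhere in this file — only want_rpkid, want_pubd and want_rootd are read from the config — so whenever want_rpkid is false but want_pubd or want_rootd is true, the `or` is not short-circuited and the script raises NameError after issuing the pubd EE cert, before the rootd cert and me.xml are written. The earlier comment `# rpkid implies irdbd` already states that irdbd is not a separately configured daemon, so the condition should simply be `if want_rpkid: # Client cert for myirbe and irbe_cli`; if a separate irdbd switch is really intended, it needs a `want_irdbd = cfg.getboolean("want_irdbd")` next to the other three reads. It would also help to note in the module docstring which of the three want_* flags gate the "myirbe" BPKI, since the docstring currently lists four servers (rpkid, irdbd, pubd, rootd) but the code keys off only three config values.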