Add pki-server password-set/unset

The pki-server password-set/unset have been added to replace pki-server password-add/del so it will be more consistent with pki-server <subsystem>-config-set/unset. The pki-server password-set supports reading the password from file and from console, and also overwriting existing passwords.
dogtagpki · Jan 23, 2025 · 996b7e9 · 996b7e9
1 parent 2f8e957
commit 996b7e9
Show file tree

Hide file tree

Showing 8 changed files with 177 additions and 8 deletions.
diff --git a/.github/workflows/ca-clone-replicated-ds-test.yml b/.github/workflows/ca-clone-replicated-ds-test.yml
@@ -119,7 +119,7 @@ jobs:
       - name: Configure connection to CA database
         run: |
           # store DS password
-          docker exec secondary pki-server password-add \
+          docker exec secondary pki-server password-set \
               --password Secret.123 \
               internaldb
 

diff --git a/.github/workflows/ca-existing-ds-test.yml b/.github/workflows/ca-existing-ds-test.yml
@@ -142,7 +142,7 @@ jobs:
       - name: Configure connection to CA database
         run: |
           # store DS password
-          docker exec pki pki-server password-add \
+          docker exec pki pki-server password-set \
               --password Secret.123 \
               internaldb
 

diff --git a/.github/workflows/ca-existing-hsm-test.yml b/.github/workflows/ca-existing-hsm-test.yml
@@ -70,7 +70,7 @@ jobs:
           docker exec pki pki-server create
           docker exec pki pki-server nss-create --no-password
 
-          docker exec pki pki-server password-add "hardware-HSM" --password "Secret.HSM"
+          docker exec pki pki-server password-set "hardware-HSM" --password "Secret.HSM"
           docker exec pki cat /var/lib/pki/pki-tomcat/conf/password.conf
 
       - name: Create CA signing cert

diff --git a/.github/workflows/kra-clone-replicated-ds-test.yml b/.github/workflows/kra-clone-replicated-ds-test.yml
@@ -136,7 +136,7 @@ jobs:
       - name: Configure connection to CA database
         run: |
           # store DS password
-          docker exec secondary pki-server password-add \
+          docker exec secondary pki-server password-set \
               --password Secret.123 \
               internaldb
 

diff --git a/.github/workflows/kra-existing-ds-test.yml b/.github/workflows/kra-existing-ds-test.yml
@@ -319,7 +319,7 @@ jobs:
       - name: Configure connection to KRA database
         run: |
           # store DS password
-          docker exec kra pki-server password-add \
+          docker exec kra pki-server password-set \
               --password Secret.123 \
               internaldb
 

diff --git a/.github/workflows/kra-existing-hsm-test.yml b/.github/workflows/kra-existing-hsm-test.yml
@@ -111,7 +111,7 @@ jobs:
           docker exec kra pki-server create
           docker exec kra pki-server nss-create --password Secret.123
 
-          docker exec kra pki-server password-add "hardware-HSM" --password "Secret.HSM"
+          docker exec kra pki-server password-set "hardware-HSM" --password "Secret.HSM"
           docker exec kra cat /var/lib/pki/pki-tomcat/conf/password.conf
 
       - name: Issue KRA storage cert

diff --git a/base/server/python/pki/server/cli/password.py b/base/server/python/pki/server/cli/password.py
@@ -31,6 +31,8 @@ def __init__(self):
         self.add_module(PasswordFindCLI())
         self.add_module(PasswordAddCLI())
         self.add_module(PasswordRemoveCLI())
+        self.add_module(PasswordSetCLI())
+        self.add_module(PasswordUnsetCLI())
 
     @staticmethod
     def print_password(name):
@@ -110,7 +112,7 @@ def execute(self, argv, args=None):
 class PasswordAddCLI(pki.cli.CLI):
 
     def __init__(self):
-        super().__init__('add', 'Add password')
+        super().__init__('add', 'Add password', deprecated=True)
 
     def create_parser(self, subparsers=None):
 
@@ -146,6 +148,10 @@ def print_help(self):
 
     def execute(self, argv, args=None):
 
+        logger.warning(
+            'The pki-server password-add has been deprecated. '
+            'Use pki-server password-set instead.')
+
         if not args:
             args = self.parser.parse_args(args=argv)
 
@@ -180,7 +186,7 @@ def execute(self, argv, args=None):
 class PasswordRemoveCLI(pki.cli.CLI):
 
     def __init__(self):
-        super().__init__('del', 'Remove password')
+        super().__init__('del', 'Remove password', deprecated=True)
 
     def create_parser(self, subparsers=None):
 
@@ -212,6 +218,162 @@ def print_help(self):
         print('      --help                      Show help message.')
         print()
 
+    def execute(self, argv, args=None):
+
+        logger.warning(
+            'The pki-server password-del has been deprecated. '
+            'Use pki-server password-unset instead.')
+
+        if not args:
+            args = self.parser.parse_args(args=argv)
+
+        if args.help:
+            self.print_help()
+            return
+
+        if args.debug:
+            logging.getLogger().setLevel(logging.DEBUG)
+
+        elif args.verbose:
+            logging.getLogger().setLevel(logging.INFO)
+
+        instance_name = args.instance
+        name = args.name
+
+        instance = pki.server.PKIServerFactory.create(instance_name)
+
+        if not instance.exists():
+            raise Exception('Invalid instance: %s' % instance_name)
+
+        instance.load()
+
+        instance.passwords.pop(name)
+        instance.store_passwords()
+
+
+class PasswordSetCLI(pki.cli.CLI):
+
+    def __init__(self):
+        super().__init__('set', 'Set password')
+
+    def create_parser(self, subparsers=None):
+
+        self.parser = subparsers.add_parser(
+            self.get_full_name(),
+            add_help=False)
+        self.parser.add_argument(
+            '-i',
+            '--instance',
+            default='pki-tomcat')
+        self.parser.add_argument('--password')
+        self.parser.add_argument('--password-file')
+        self.parser.add_argument(
+            '--force',
+            action='store_true')
+        self.parser.add_argument(
+            '-v',
+            '--verbose',
+            action='store_true')
+        self.parser.add_argument(
+            '--debug',
+            action='store_true')
+        self.parser.add_argument(
+            '--help',
+            action='store_true')
+        self.parser.add_argument('name')
+
+    def print_help(self):
+        print('Usage: pki-server password-set [OPTIONS] <password ID>')
+        print()
+        print('  -i, --instance <instance ID>              Instance ID (default: pki-tomcat).')
+        print('      --password <password>                 Password.')
+        print('      --password-file <path>                Password file.')
+        print('      --force                               Overwrite existing password.')
+        print('  -v, --verbose                             Run in verbose mode.')
+        print('      --debug                               Run in debug mode.')
+        print('      --help                                Show help message.')
+        print()
+
+    def execute(self, argv, args=None):
+
+        if not args:
+            args = self.parser.parse_args(args=argv)
+
+        if args.help:
+            self.print_help()
+            return
+
+        if args.debug:
+            logging.getLogger().setLevel(logging.DEBUG)
+
+        elif args.verbose:
+            logging.getLogger().setLevel(logging.INFO)
+
+        instance_name = args.instance
+        password = args.password
+        password_file = args.password_file
+        force = args.force
+        name = args.name
+
+        instance = pki.server.PKIServerFactory.create(instance_name)
+
+        if not instance.exists():
+            raise Exception('Invalid instance: %s' % instance_name)
+
+        instance.load()
+
+        if name in instance.passwords and not force:
+            raise Exception('Password already exists: %s' % name)
+
+        if password is not None:
+            pass
+
+        elif password_file is not None:
+            with open(password_file, encoding='utf-8') as f:
+                password = f.read().splitlines()[0]
+
+        else:
+            password = getpass.getpass(prompt='Enter password: ')
+
+        instance.passwords[name] = password
+        instance.store_passwords()
+
+
+class PasswordUnsetCLI(pki.cli.CLI):
+
+    def __init__(self):
+        super().__init__('unset', 'Unset password')
+
+    def create_parser(self, subparsers=None):
+
+        self.parser = subparsers.add_parser(
+            self.get_full_name(),
+            add_help=False)
+        self.parser.add_argument(
+            '-i',
+            '--instance',
+            default='pki-tomcat')
+        self.parser.add_argument(
+            '-v',
+            '--verbose',
+            action='store_true')
+        self.parser.add_argument(
+            '--debug',
+            action='store_true')
+        self.parser.add_argument(
+            '--help',
+            action='store_true')
+        self.parser.add_argument('name')
+
+    def print_help(self):
+        print('Usage: pki-server password-unset [OPTIONS] <password ID>')
+        print()
+        print('  -i, --instance <instance ID>    Instance ID (default: pki-tomcat).')
+        print('  -v, --verbose                   Run in verbose mode.')
+        print('      --debug                     Run in debug mode.')
+        print('      --help                      Show help message.')
+        print()
+
     def execute(self, argv, args=None):
 
         if not args:

diff --git a/docs/changes/v11.6.0/Tools-Changes.adoc b/docs/changes/v11.6.0/Tools-Changes.adoc
@@ -65,3 +65,10 @@ The `pkispawn` command has been updated to include ACME and EST subsystem deploy
 == Update pkidestroy
 
 The `pkidestroy` command has been updated to include ACME and EST subsystem removal.
+
+== Add pki-server pki-server password-set/unset ==
+
+The `pki-server password-set/unset` commands have been added
+to replace `pki-server password-add/del`.
+
+The `pki-server password-add/del` commands have been deprecated.