
jcambon
18.08.2009 638a9739f265115c9092ddec29c447dfa8c6ab10
Fix for issue #3625 : CLIs : Avoid certificate interaction in interactive mode

This fix improves the ease of use of dsconfig and other CLIs:

1. If the CLI is launched from the same instance as the server,
the user is no longer prompted to validate the server certificate.
The truststore used is the one of the administration connector (which is always present).

2. The default port is the one of the local configuration file (instead of 4444).


CLIs that will take benefit of this are :
- dsconfig
- status
- dsreplication
- manage-tasks
- uninstall

Note that this change does not break any interface: it just simplifies the user interaction in case of CLI and server running in the same instance (which is what we usually do).
In non-interactive mode, in this case the "-X/--trustAll" is not required anymore (although it can still be used).

4 files modified
166 ■■■■ changed files
opends/src/messages/messages/dsconfig.properties 2 ●●● patch | view | raw | blame | history
opends/src/server/org/opends/server/tools/dsreplication/ReplicationCliMain.java 1 ●●●● patch | view | raw | blame | history
opends/src/server/org/opends/server/tools/status/StatusCli.java 28 ●●●● patch | view | raw | blame | history
opends/src/server/org/opends/server/util/cli/LDAPConnectionConsoleInteraction.java 135 ●●●●● patch | view | raw | blame | history
opends/src/messages/messages/dsconfig.properties
@@ -469,7 +469,7 @@
SEVERE_ERR_DSCFG_ERROR_LDAP_FAILED_TO_CONNECT_WRONG_PORT_157=Unable to connect to the \
 server at %s on port %s. Check this port is an administration port
SEVERE_ERR_DSCFG_ERROR_LDAP_FAILED_TO_CONNECT_NOT_TRUSTED_158=Unable to connect to the \
 server at %s on port %s. In non-interactive mode, you must use the '--trustAll' option
 server at %s on port %s. In non-interactive mode, you must use the '--trustAll' option for remote connections
SEVERE_ERR_DSCFG_ERROR_VALUE_DOES_NOT_EXIST_159=The value %s for the %s property does not exist
SEVERE_ERR_DSCFG_ERROR_NO_AVAILABLE_TYPES_160=Unable to continue since there are \
 no available types of %s to choose from
opends/src/server/org/opends/server/tools/dsreplication/ReplicationCliMain.java
@@ -988,6 +988,7 @@
    String bindDn2 = null;
    String pwd2 = null;
    ci.resetHeadingDisplayed();
    ci.resetTrustManager();
    if (!cancelled)
    {
      host2 = argParser.getHostName2();
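Review bot: resetTrustManager() clears only the cached trust manager, but addLocalTrustStore() in LDAPConnectionConsoleInteraction also pushes the local truststore path into secureArgsList.trustStorePathArg, and that argument value is not reset here. If the first server was the local instance and the second one is remote, the second run() may therefore pick up the local truststore instead of prompting for (or requiring) a trust decision for the remote certificate. Consider clearing the truststore argument together with the trust manager, e.g. by having resetTrustManager() also drop the value it added, before the second server's connection data is collected. The enclosing method continues outside the hunk.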
opends/src/server/org/opends/server/tools/status/StatusCli.java
@@ -22,7 +22,7 @@
 * CDDL HEADER END
 *
 *
 *      Copyright 2007-2008 Sun Microsystems, Inc.
 *      Copyright 2007-2009 Sun Microsystems, Inc.
 */
package org.opends.server.tools.status;
@@ -330,12 +330,22 @@
          SecureConnectionCliArgs secureArgsList =
            argParser.getSecureArgsList();
          int port =
            AdministrationConnector.DEFAULT_ADMINISTRATION_CONNECTOR_PORT;
          controlInfo.setConnectionPolicy(
            ConnectionProtocolPolicy.USE_ADMIN);
          String ldapUrl = controlInfo.getURLToConnect();
          try {
            URI uri = new URI(ldapUrl);
            port = uri.getPort();
          } catch (Throwable t) {
            LOG.log(Level.SEVERE, "Error parsing url: " + ldapUrl);
          }
          secureArgsList.hostNameArg.setPresent(true);
          secureArgsList.portArg.setPresent(true);
          secureArgsList.hostNameArg.addValue(
            secureArgsList.hostNameArg.getDefaultValue());
          secureArgsList.portArg.addValue(
            secureArgsList.portArg.getDefaultValue());
          secureArgsList.portArg.addValue(Integer.toString(port));
          // We already know if SSL or StartTLS can be used.  If we cannot
          // use them we will not propose them in the connection parameters
          // and if none of them can be used we will just not ask for the
@@ -348,18 +358,6 @@
            bindDn = ci.getBindDN();
            bindPwd = ci.getBindPassword();
            int port =
              AdministrationConnector.DEFAULT_ADMINISTRATION_CONNECTOR_PORT;
            controlInfo.setConnectionPolicy(
              ConnectionProtocolPolicy.USE_ADMIN);
            String ldapUrl = controlInfo.getURLToConnect();
            try {
              URI uri = new URI(ldapUrl);
              port = uri.getPort();
              ci.setPortNumber(port);
            } catch (Throwable t) {
              LOG.log(Level.SEVERE, "Error parsing url: " + ldapUrl);
            }
            LDAPManagementContextFactory factory =
              new LDAPManagementContextFactory(alwaysSSL);
            ctx = factory.getManagementContext(this, ci);
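Review bot: In the new port lookup, uri.getPort() returns -1 when the URL carries no port component, and that value is not rejected before being added to portArg as the string "-1"; only a parse exception keeps the default admin port. Guard the assignment: `int uriPort = uri.getPort(); if (uriPort != -1) { port = uriPort; }`. The `catch (Throwable t)` also swallows Errors and drops the exception from the log entry; catching `URISyntaxException` and passing `t` as the third argument to LOG.log keeps the diagnostic. The duplicate of this lookup appears to be removed in the later hunk, so fixing it once here covers the method; the enclosing method extends beyond both hunks.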
opends/src/server/org/opends/server/util/cli/LDAPConnectionConsoleInteraction.java
@@ -35,6 +35,7 @@
import org.opends.quicksetup.Step;
import org.opends.quicksetup.UserDataCertificateException;
import org.opends.quicksetup.util.Utils;
import org.opends.server.config.ConfigException;
import org.opends.server.tools.dsconfig.ArgumentExceptionFactory;
import org.opends.server.tools.LDAPConnectionOptions;
import org.opends.server.tools.SSLConnectionFactory;
@@ -61,6 +62,12 @@
import java.util.logging.Level;
import java.util.logging.Logger;
import org.opends.server.admin.AdministrationConnector;
import org.opends.server.admin.server.ServerManagementContext;
import org.opends.server.admin.std.server.AdministrationConnectorCfg;
import org.opends.server.admin.std.server.FileBasedTrustManagerProviderCfg;
import org.opends.server.admin.std.server.RootCfg;
import org.opends.server.admin.std.server.TrustManagerProviderCfg;
import org.opends.server.core.DirectoryServer;
/**
 * Supports interacting with a user through the command line to
@@ -121,6 +128,9 @@
  // The command builder that we can return with the connection information.
  private CommandBuilder commandBuilder;
  private boolean configurationInitialized = false;
  /**
   * Enumeration description protocols for interactive CLI choices.
   */
@@ -397,6 +407,7 @@
    copySecureArgsList.hostNameArg.addValue(hostName);
    commandBuilder.addArgument(copySecureArgsList.hostNameArg);
    // Connection type
    useSSL = secureArgsList.useSSL();
    useStartTLS = secureArgsList.useStartTLS();
    boolean connectionTypeIsSet =
@@ -489,11 +500,6 @@
      commandBuilder.addArgument(copySecureArgsList.useStartTLSArg);
    }
    if ((useSSL || useStartTLS) && (trustManager == null))
    {
      initializeTrustManager();
    }
    // Get the LDAP port.
    if (!useSSL)
    {
@@ -510,6 +516,12 @@
        if (secureArgsList.alwaysSSL()) {
          portNumber =
            AdministrationConnector.DEFAULT_ADMINISTRATION_CONNECTOR_PORT;
          // Try to get the port from the config file
          try {
            portNumber = getAdminPortFromConfig();
          } catch (ConfigException ex) {
            // nothing to do
            }
        } else {
          portNumber = 636;
        }
@@ -576,6 +588,12 @@
    copySecureArgsList.portArg.addValue(String.valueOf(portNumber));
    commandBuilder.addArgument(copySecureArgsList.portArg);
    // Handle certificate
    if ((useSSL || useStartTLS) && (trustManager == null))
    {
      initializeTrustManager();
    }
    // Get the LDAP bind credentials.
    bindDN = secureArgsList.bindDnArg.getValue();
    adminUID = secureArgsList.adminUidArg.getValue();
@@ -827,6 +845,16 @@
          secureArgsList.trustStorePasswordFileArg.isPresent()
        );
    boolean askForTrustStore = false;
    // Try to use the local instance trustore, to avoid certifacte validation
    // when both the CLI and the server are in the same instance.
    if (weDontKnowTheTrustMethod) {
      if (addLocalTrustStore()) {
        weDontKnowTheTrustMethod = false;
      }
    }
    if (app.isInteractive() && weDontKnowTheTrustMethod)
    {
      checkHeadingDisplayed();
@@ -1905,6 +1933,15 @@
 }
 /**
  * Resets the trust manager, so that next time we call the run() method
  * the trust manager takes into account the local truststore.
  */
 public void resetTrustManager()
 {
   trustManager = null;
 }
 /**
  * Forces the initialization of the trust manager with the arguments provided
  * by the user.
  * @throws ArgumentException if there is an error with the arguments provided
@@ -1949,4 +1986,92 @@
 {
   return providedBindDN;
 }
 /**
  * Add the TrustStore of the administration connector of the local instance.
  *
  *  @return true if the local trustore has been added.
  */
  private boolean addLocalTrustStore() {
    TrustManagerProviderCfg trustManagerCfg = null;
    AdministrationConnectorCfg administrationConnectorCfg = null;
    try {
      // If remote host, return
      if (!InetAddress.getLocalHost().getHostName().equals(hostName)) {
        return false;
      }
      // Initialization for admin framework
      if (!configurationInitialized) {
        initializeConfiguration();
      }
      // Get the Directory Server configuration handler and use it.
      RootCfg root =
        ServerManagementContext.getInstance().getRootConfiguration();
      administrationConnectorCfg =
        root.getAdministrationConnector();
      // check if we are in a local instance. Already checked the host,
      // now check the port
      if (administrationConnectorCfg.getListenPort() != portNumber) {
        return false;
      }
      String trustManagerStr = administrationConnectorCfg.
        getTrustManagerProvider();
      trustManagerCfg = root.getTrustManagerProvider(trustManagerStr);
    } catch (Exception ex) {
      // do nothing
      return false;
    }
    if (trustManagerCfg instanceof FileBasedTrustManagerProviderCfg) {
      FileBasedTrustManagerProviderCfg fileBasedTrustManagerCfg =
        (FileBasedTrustManagerProviderCfg) trustManagerCfg;
      String truststoreFile = fileBasedTrustManagerCfg.getTrustStoreFile();
      // Check the file
      String truststoreFileAbsolute = null;
      if (truststoreFile.startsWith(File.separator)) {
        truststoreFileAbsolute = truststoreFile;
      } else {
        truststoreFileAbsolute =
          DirectoryServer.getInstanceRoot() + File.separator + truststoreFile;
      }
      File f = new File(truststoreFileAbsolute);
      if (f.exists() && f.canRead() && !f.isDirectory()) {
        secureArgsList.trustStorePathArg.addValue(truststoreFileAbsolute);
        return true;
      } else {
        return false;
      }
    } else {
      return false;
    }
  }
  private int getAdminPortFromConfig() throws ConfigException {
    // Initialization for admin framework
    if (!configurationInitialized) {
      initializeConfiguration();
    }
    RootCfg root =
      ServerManagementContext.getInstance().getRootConfiguration();
    return root.getAdministrationConnector().getListenPort();
  }
  private boolean initializeConfiguration() {
    // check if the initialization is required
    try {
      ServerManagementContext.getInstance().getRootConfiguration().
        getAdministrationConnector();
    } catch (java.lang.Throwable th) {
      try {
        DirectoryServer.bootstrapClient();
        DirectoryServer.initializeJMX();
        DirectoryServer.getInstance().initializeConfiguration();
      } catch (Exception ex) {
        // do nothing
        return false;
      }
    }
    configurationInitialized = true;
    return true;
  }
}
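Review bot: getAdminPortFromConfig() discards the boolean returned by initializeConfiguration(), so when bootstrap fails the following ServerManagementContext.getInstance().getRootConfiguration() call can throw an unchecked exception that the caller only guards with `catch (ConfigException ex)`, aborting the CLI instead of falling back to the default admin port; guard it with `if (!configurationInitialized && !initializeConfiguration()) { return AdministrationConnector.DEFAULT_ADMINISTRATION_CONNECTOR_PORT; }`. In addLocalTrustStore() the absolute-path test `truststoreFile.startsWith(File.separator)` misses Windows drive paths such as `C:\...`, which then get the instance root prepended and silently fail the exists() check; `new File(truststoreFile).isAbsolute()` handles both forms. The locality check compares host names with case-sensitive equals() and does not recognise `localhost` or loopback spellings, which only costs the convenience (the user is still prompted), but it deserves a comment making the trust decision explicit: `// The certificate prompt is skipped only when both the host name and the port match this instance's administration connector; any mismatch falls back to the normal trust handling.` Both empty catch blocks in this hunk should at least log the swallowed exception at FINE level so a failed local-truststore lookup can be diagnosed.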