service_enabled instead of environment variable for dogtag

This change also adds the dogtag installation functions into the
contrib/devstack/lib/barbican scripts, and enables the installation of
dogtag in the extras.d script making the calling of the dogtag
installation from the functional test pre-hook script not necessary.

Depends-on: I749539f387f163e829fdc8390b6bd16cf23c663b
Change-Id: I60ccfaaa43aa4aa68e99affb9837ecab48c36759

contrib/devstack/extras.d/70-barbican.sh

@@ -9,10 +9,15 @@ if is_service_enabled barbican; then
         echo_summary "Installing Barbican"
         install_barbican
         install_barbicanclient
+        if is_service_enabled barbican-dogtag; then
+            echo_summary "Installing Dogtag"
+            install_dogtag_components
+        fi
     elif [[ "$1" == "stack" && "$2" == "post-config" ]]; then
         echo_summary "Configuring Barbican"
         configure_barbican
-        if [[ -n $BARBICAN_USE_DOGTAG ]]; then
+        if is_service_enabled barbican-dogtag; then
+            echo_summary "Configuring Dogtag plugin"
             configure_dogtag_plugin
         fi
         configure_barbicanclient

contrib/devstack/lib/barbican

@@ -68,7 +68,7 @@ function configure_barbicanclient {
 
 # configure_dogtag_plugin - Change config to use dogtag plugin
 function configure_dogtag_plugin {
-    openssl pkcs12 -in /root/.dogtag/pki-tomcat/ca_admin_cert.p12 -passin pass:PASSWORD -out $BARBICAN_CONF_DIR/kra_admin_cert.pem -nodes
+    sudo openssl pkcs12 -in /root/.dogtag/pki-tomcat/ca_admin_cert.p12 -passin pass:PASSWORD -out $BARBICAN_CONF_DIR/kra_admin_cert.pem -nodes
     sudo chown $USER $BARBICAN_CONF_DIR/kra_admin_cert.pem
     iniset $BARBICAN_CONF dogtag_plugin dogtag_port 8373
     iniset $BARBICAN_CONF secretstore enabled_secretstore_plugins dogtag_crypto
@@ -156,7 +156,7 @@ function init_barbican {
 function install_barbican {
     # Install package requirements
     if is_fedora; then
-        install_package sqlite-devel
+        install_package sqlite-devel openldap-devel
     fi
     # TODO(ravips): We need this until barbican gets into devstack
     ERROR_ON_CLONE=False
@@ -330,6 +330,139 @@ function create_barbican_accounts {
 
 }
 
+# Dogtag functions
+# ----------------
+
+function install_389_directory_server {
+    # Make sure that 127.0.0.1 resolves to localhost.localdomain (fqdn)
+    sudo sed -i "s/^127\.0\.0\.1.*/127\.0\.0\.1\tlocalhost.localdomain localhost/" /etc/hosts
+
+    install_package 389-ds-base
+    sudo mkdir -p /etc/389-ds
+
+    # Instead of spawning a sub-shell to cat this whole chunk into the desired
+    # file. I just cat it into a temporary file that this user will have access
+    # to, and subsequently use elevated privileges to move the already made
+    # file where we need it to be.
+    cat > .tmp.setup.inf <<EOF
+[General]
+FullMachineName= localhost.localdomain
+SuiteSpotUserID= nobody
+SuiteSpotGroup= nobody
+
+[slapd]
+ServerPort= 389
+ServerIdentifier= pki-tomcat
+Suffix= dc=example,dc=com
+RootDN= cn=Directory Manager
+RootDNPwd= PASSWORD
+EOF
+
+    sudo mv .tmp.setup.inf /etc/389-ds/setup.inf
+
+    sudo setup-ds.pl --silent --file=/etc/389-ds/setup.inf
+}
+
+function install_dogtag_ca {
+    install_package pki-ca
+    sudo mkdir -p /etc/dogtag
+
+    cat > .tmp.ca.cfg <<EOF
+[CA]
+pki_admin_email=caadmin@example.com
+pki_admin_name=caadmin
+pki_admin_nickname=caadmin
+pki_admin_password=PASSWORD
+pki_admin_uid=caadmin
+pki_backup_password=PASSWORD
+pki_client_database_password=PASSWORD
+pki_client_database_purge=False
+pki_client_pkcs12_password=PASSWORD
+pki_clone_pkcs12_password=PASSWORD
+pki_ds_base_dn=dc=ca,dc=example,dc=com
+pki_ds_database=ca
+pki_ds_password=PASSWORD
+pki_security_domain_name=EXAMPLE
+pki_token_password=PASSWORD
+pki_https_port=8373
+pki_http_port=8370
+pki_ajp_port=8379
+pki_tomcat_server_port=8375
+EOF
+
+    sudo mv .tmp.ca.cfg /etc/dogtag/ca.cfg
+
+    sudo pkispawn -v -f /etc/dogtag/ca.cfg -s CA
+}
+
+function wait_for_ca {
+    while true; do
+        # If the sleep command is executed "as-is", the subprocess that it
+        # executes will trigger the "exit_trap" and will cause this script to
+        # fail. To avoid this, we run the sleep command inside this sub-shell,
+        # so the signal will not be caught in this process.
+        ca_running=$(sleep 2 && curl -s -k https://localhost:8373/ca/admin/ca/getStatus | grep -c running)
+        if [[ $ca_running == 1 ]]; then
+            break
+        fi
+    done
+}
+
+function install_dogtag_kra {
+    install_package pki-kra
+    sudo mkdir -p /etc/dogtag
+
+    # Even though we are using localhost.localdomain, the server certificate by
+    # default will get the real host name for the server. So we need to
+    # properly configure the KRA to try to communicate with the real host name
+    # instead of the localhost.
+    hostname=$(hostname)
+    cat > .tmp.kra.cfg <<EOF
+[KRA]
+pki_admin_cert_file=/root/.dogtag/pki-tomcat/ca_admin.cert
+pki_admin_email=kraadmin@example.com
+pki_admin_name=kraadmin
+pki_admin_nickname=kraadmin
+pki_admin_password=PASSWORD
+pki_admin_uid=kraadmin
+pki_backup_password=PASSWORD
+pki_client_database_password=PASSWORD
+pki_client_database_purge=False
+pki_client_pkcs12_password=PASSWORD
+pki_clone_pkcs12_password=PASSWORD
+pki_ds_base_dn=dc=kra,dc=example,dc=com
+pki_ds_database=kra
+pki_ds_password=PASSWORD
+pki_security_domain_name=EXAMPLE
+pki_security_domain_user=caadmin
+pki_security_domain_password=PASSWORD
+pki_token_password=PASSWORD
+pki_https_port=8373
+pki_http_port=8370
+pki_ajp_port=8379
+pki_tomcat_server_port=8375
+pki_security_domain_hostname=$hostname
+pki_security_domain_https_port=8373
+EOF
+
+    sudo mv .tmp.kra.cfg /etc/dogtag/kra.cfg
+
+    sudo pkispawn -v -f /etc/dogtag/kra.cfg -s KRA
+}
+
+function install_dogtag_plugin_dependencies {
+    install_package nss-devel
+    pip_install 'python-nss'
+}
+
+function install_dogtag_components {
+    install_dogtag_plugin_dependencies
+    install_389_directory_server
+    install_dogtag_ca
+    wait_for_ca
+    install_dogtag_kra
+}
+
 
 # Restore xtrace
 $XTRACE

contrib/dogtag/install_dogtag.sh

@@ -1,128 +0,0 @@
-#!/bin/bash
-
-# Copyright 2015 Rackspace, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# install_dogtag.sh
-#     Installs a DogTag CA and KRA inside a devstack vm.
-
-function install_389_directory_server {
-    # Make sure that 127.0.0.1 resolves to localhost.localdomain (fqdn)
-    sed -i "s/^127\.0\.0\.1.*/127\.0\.0\.1\tlocalhost.localdomain localhost/" /etc/hosts
-
-    yum install -y 389-ds-base
-    mkdir -p /etc/389-ds
-
-    cat > /etc/389-ds/setup.inf <<EOF
-[General]
-FullMachineName= localhost.localdomain
-SuiteSpotUserID= nobody
-SuiteSpotGroup= nobody
-
-[slapd]
-ServerPort= 389
-ServerIdentifier= pki-tomcat
-Suffix= dc=example,dc=com
-RootDN= cn=Directory Manager
-RootDNPwd= PASSWORD
-EOF
-
-    setup-ds.pl --silent --file=/etc/389-ds/setup.inf
-}
-
-function install_dogtag_ca {
-    yum install -y pki-ca
-    mkdir -p /etc/dogtag
-
-    cat > /etc/dogtag/ca.cfg <<EOF
-[CA]
-pki_admin_email=caadmin@example.com
-pki_admin_name=caadmin
-pki_admin_nickname=caadmin
-pki_admin_password=PASSWORD
-pki_admin_uid=caadmin
-pki_backup_password=PASSWORD
-pki_client_database_password=PASSWORD
-pki_client_database_purge=False
-pki_client_pkcs12_password=PASSWORD
-pki_clone_pkcs12_password=PASSWORD
-pki_ds_base_dn=dc=ca,dc=example,dc=com
-pki_ds_database=ca
-pki_ds_password=PASSWORD
-pki_security_domain_name=EXAMPLE
-pki_token_password=PASSWORD
-pki_https_port=8373
-pki_http_port=8370
-pki_ajp_port=8379
-pki_tomcat_server_port=8375
-EOF
-
-    pkispawn -v -f /etc/dogtag/ca.cfg -s CA
-}
-
-function wait_for_ca {
-    while true; do
-        ca_running=$(curl -s -k https://localhost:8373/ca/admin/ca/getStatus | grep -c running)
-        if [[ $ca_running == 1 ]]; then
-            break
-        fi
-        sleep 1
-    done
-}
-
-function install_dogtag_kra {
-    yum install -y pki-kra
-    mkdir -p /etc/dogtag
-
-    # Even though we are using localhost.localdomain, the server certificate by
-    # default will get the real host name for the server. So we need to
-    # properly configure the KRA to try to communicate with the real host name
-    # instead of the localhost.
-    hostname=$(hostname)
-    cat > /etc/dogtag/kra.cfg <<EOF
-[KRA]
-pki_admin_cert_file=/root/.dogtag/pki-tomcat/ca_admin.cert
-pki_admin_email=kraadmin@example.com
-pki_admin_name=kraadmin
-pki_admin_nickname=kraadmin
-pki_admin_password=PASSWORD
-pki_admin_uid=kraadmin
-pki_backup_password=PASSWORD
-pki_client_database_password=PASSWORD
-pki_client_database_purge=False
-pki_client_pkcs12_password=PASSWORD
-pki_clone_pkcs12_password=PASSWORD
-pki_ds_base_dn=dc=kra,dc=example,dc=com
-pki_ds_database=kra
-pki_ds_password=PASSWORD
-pki_security_domain_name=EXAMPLE
-pki_security_domain_user=caadmin
-pki_security_domain_password=PASSWORD
-pki_token_password=PASSWORD
-pki_https_port=8373
-pki_http_port=8370
-pki_ajp_port=8379
-pki_tomcat_server_port=8375
-pki_security_domain_hostname=$hostname
-pki_security_domain_https_port=8373
-EOF
-
-    pkispawn -v -f /etc/dogtag/kra.cfg -s KRA
-}
-
-
-install_389_directory_server
-install_dogtag_ca
-wait_for_ca
-install_dogtag_kra

functionaltests/pre_test_hook.sh

@@ -20,6 +20,3 @@ DEVSTACK_BASE=/opt/stack/new/devstack
 
 cp $BARBICAN_BASE/lib/* $DEVSTACK_BASE/lib
 cp $BARBICAN_BASE/extras.d/* $DEVSTACK_BASE/extras.d
-if [[ -n $BARBICAN_USE_DOGTAG ]]; then
-    sudo /opt/stack/new/barbican/contrib/dogtag/install_dogtag.sh
-fi