--- loncom/CrGrant.pl	2004/07/05 11:37:39	1.2
+++ loncom/CrGrant.pl	2004/07/06 11:05:45	1.3
@@ -2,7 +2,7 @@
 # The LearningOnline Network
 # CrGrant.pl  - Grant a loncapa SSL certificate.
 #
-# $Id: CrGrant.pl,v 1.2 2004/07/05 11:37:39 foxr Exp $
+# $Id: CrGrant.pl,v 1.3 2004/07/06 11:05:45 foxr Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -66,7 +66,7 @@
 # Import section:
 
 use strict;
-use lib '/home/httpd/lib/perl';
+use lib '/home/httpd/lib/perl';	# An assumption!!!
 use MIME::Entity;
 use LONCAPA::Configuration;
 
@@ -74,12 +74,28 @@ use LONCAPA::Configuration;
 
 # Global variable declarations
 
-my $ssl_command   = "/usr/bin/openssl "; # Command to run openssl.
+
 my $ssl_dir       = "/usr/share/ssl";    # Where ssl config files etc. live
-my $ca_cert_file  = $ssl_dir."/loncapa/cacert.pem"; # CA's certificate file.
+my $ca_cert_file  = $ssl_dir."/loncapaca/cacert.pem"; # CA's certificate file.
 my $ca_config_file= $ssl_dir."/loncapaca.cnf";      # CA's config file. 
 
- 
+
+#   LONCAPA Configuration global variables:
+
+# Items read from our configuration file.
+
+my $ssl_command   = "/usr/bin/openssl "; # Command to run openssl.
+my $loncapa_cert_dir;		# Name of target cert dir (from config)
+my $loncapa_hostcert_name;	# Name of host's signed cert file (config)
+my $loncapa_cacert_name;        # Name of the CA's certificate file (config)
+
+#  Items I just need to know:
+
+my $loncapa_config = "loncapa.conf";   # User's override config file.
+my $loncapa_apache_user = 'www';	# Name of apache daemon's user
+my $loncapa_apache_group = 'www';	# Name of apache daemon's group
+
+
 
 # Debug/log support
 
@@ -111,6 +127,66 @@ Where:
 USAGE
 
 }
+#
+#  Read the loncapa configuration file and pull out the items
+#  we need:
+#
+# Implicit inputs:
+#   $loncapa_config   - The name of the auxilliary config file.
+# Side effects:
+#    - On failure exits with an error message.
+#    - On success set the following variables:
+#      o loncapa_cert_dir      - Path to certificates.
+#      o loncapa_hostcert_name - Name of host's cert file in that dir
+#      o loncapa_cacert_name   - Name of CA's cert file in that dir.
+#      o ssl_command           - Name of ssl utility command.
+sub ReadConfig {
+    Debug("Reading the config files");
+    my $perlvarref = LONCAPA::Configuration::read_conf($loncapa_config);
+
+    #  Pull out the individual variables or die:
+
+    # SSL Command:
+
+    if($perlvarref->{SSLProgram}) {
+	$ssl_command = $perlvarref->{SSLProgram};
+	Debug("SSL utility program is $ssl_command");
+    } 
+    else {
+	die "LonCAPA configuration errror: Can't read SSLProgram variable";
+    }
+    # Certificate directory:
+   
+    if($perlvarref->{lonCertificateDirectory}) {
+	$loncapa_cert_dir = $perlvarref->{lonCertificateDirectory};
+	Debug("Certificates will be installed in $loncapa_cert_dir");
+    } 
+    else {
+	die "LonCAPA configuration error can't read lonCertificateDirectory variable";
+
+    }
+    #  Get the name of the host's certificate:
+
+    if($perlvarref->{lonnetCertificate}) {
+	$loncapa_hostcert_name = $perlvarref->{lonnetCertificate};
+	Debug("Host's certificate will be $loncapa_hostcert_name");
+    }
+    else {
+	die "LonCAPA configuration error: Can't read lonnetCertificate variable";
+    }
+    #   Get the name of the certificate authority's certificate.
+
+    if($perlvarref->{lonnetCertificateAuthority}) {
+	$loncapa_cacert_name = $perlvarref->{lonnetCertificateAuthority};
+	Debug("CA's certificate will be $loncapa_cacert_name");
+    }
+    else {
+	die "LonCAPA configuration error: Can't read lonnetCertificateAuthority variable";
+    }
+
+
+}
+
 #  Create a certificate from the request file.  The certificate
 #  is used, in conjunction with the openssl command with the 
 #  certificate authority configuration to produce a certificate
@@ -214,7 +290,117 @@ sub CreateCertificate {
     return $address;
 
 }
-sub CreateInstallScript {}
+#
+#   Create the installation script.  This will be  bash script
+#   that will install the certifiate and the CA's certificate with ownership
+#   WebUser:WebGroup and permissions 0400.  I thought about using a perl
+#   script in order to be able to get the certificate file/directory from
+#   the configuration files.  Unfortunately this is not as easy as it looks.
+#   Root has a chicken and egg problem.  In order to read the config file
+#   you need to have added the ..../lib/perl to the perl lib path. To do
+#   that correctly, you need to have read the config file to know where
+#   it is...What we will do is read our local configuration file and
+#   assume that our configuration is the same as the target's system in
+#   all respects we care about.
+# Implicit Inputs:
+#    - Bash is in /bin/bash
+#    - $loncapa_cert_dir             -  install target directory.
+#    - $loncapa_hostcert_name        -  Name of installed host cert file.
+#    - $loncapa_cacert_name          -  Name of installed ca cert file.
+#    - $loncapa_apache_user          -  username under which httpd runs.
+#    - $loncapa_apache_group         -  group under which httpd runs.
+#    - 0400                          -  install permissions.
+#    - The host's certificate is now in ./hostCertificate.pem
+#    - The CA's certificate is now in  $ca_cert_file
+#
+# Implicit Outputs:
+#    A file named CertInstall.sh
+#
+sub CreateInstallScript {
+    open INSTALLER,">CertInstall.sh";
+    print INSTALLER <<BASH_HEADER;
+#!/bin/bash
+#
+#    Installer for your lonCAPA certificates.  Please check the
+#    configuration variables to be sure they match your installation.
+#    Then run this script under a root shell to complete the 
+#    installation of the certificates.
+#
+# Configuration Variables:
+CERTDIR="$loncapa_cert_dir"        # Directory with your host key.
+HOSTCERT="$loncapa_hostcert_name"   # Name of host's certificate file.
+CACERT="$loncapa_cacert_name"     # Name of certifiate authority file.
+HTTPDUID="$loncapa_apache_user"     # UID of httpd.
+HTTPDGID="$loncapa_apache_group"    # GID of httpd.
+
+#   End of configuration variables.
+
+MODE=0444                           # certificates get this mode.
+HOSTCERTPATH="\$CERTDIR/\$HOSTCERT"
+CACERTPATH="\$CERTDIR/\$CACERT"
+
+#  Create the host certificate file to install:
+
+echo unpacking host certificate
+
+cat <<-HOSTCERTTEXT   >\$HOSTCERT
+BASH_HEADER
+
+    #   Now copy the host certificate into the script:
+
+    open HOSTCERT, "<hostCertificate.pem";
+    while(my $line = <HOSTCERT>) {
+	print INSTALLER $line;	# Line presumably has a \n.
+    }
+    close HOSTCERT;
+
+    #  Close the here doc, and start up the cat of the ca cert:
+
+    print INSTALLER "HOSTCERTTEXT\n";
+    print INSTALLER "echo unpacking CA certificate\n";
+    print INSTALLER "cat <<-CACERTTEXT >\$CACERT\n";
+    open  CACERT, "<$ca_cert_file";
+    while(my $line = <CACERT>) {
+	print INSTALLER $line;
+    }
+    close CACERT;
+    print INSTALLER "CACERTTEXT\n";
+
+    #  Ok, the script can create the two files, now it must install
+    # install them >and< clean up after itself.
+
+    print INSTALLER <<BASH_TRAILER;
+
+echo Installing certificates
+
+install -m \$MODE -o \$HTTPDUID -g \$HTTPDGID \$CACERT \$CACERTPATH
+install -m \$MODE -o \$HTTPDUID -g \$HTTPDGID \$HOSTCERT \$HOSTCERTPATH
+
+echo done
+
+# rm -f \$CACERT
+# rm -f \$HOSTCERT
+
+#    Do they want to restart loncapa:
+#
+
+echo In order to start running in secure mode you will need to start
+echo lonCAPA.  If you want I can do that now for you.  Otherwise,
+echo you will have to do it yourself later either by rebooting your
+echo system or by typing:
+echo
+echo /etc/init.d/loncontrol restart
+echo
+read -p "Restart loncapa now [yN]?"  yesno
+
+if [ "{\$yesno:0:1}" = "Y" ] 
+then
+   /etc/init.d/loncontrol restart
+fi
+BASH_TRAILER
+
+    close INSTALLER;
+}
 
 sub CreateEmail {
     return "Dummy message";	# Stub.
@@ -238,7 +424,10 @@ if($argc != 1) {
 }
 my $CertificateRequest = $ARGV[0];
 
-my $email_address = CreateCertificate($CertificateRequest);
+&ReadConfig;
+
+my $email_address = &CreateCertificate($CertificateRequest);
+Debug("CreateCertificate returned: $email_address");
 
 if(!defined $email_address) {
     print STDERR "Bad or missing certificate file!!";
@@ -246,9 +435,9 @@ if(!defined $email_address) {
     exit -1;
 }
 
-CreateInstallScript;
-my $Message = CreateEmail;
-SendEmail($email_address, $Message);
-Cleanup;
+&CreateInstallScript;
+my $Message = &CreateEmail;
+&SendEmail($email_address, $Message);
+&Cleanup;
 
 # POD documentation.