[IMP] Add force option to regenerate PKI and security to protect this option

common.py

@@ -96,7 +96,8 @@ class TisPKI:
 
 
 def check_directories(path,verbose=False):
-    print('Check directories')
+    if verbose:
+        Printing.information('Check directories')
 
     directories_list = ['certs','config','crl','newcerts','private','csr','crl','p12']
 
@@ -117,15 +118,23 @@ def check_directories(path,verbose=False):
             pass
 
 
-def create_openssl_config(verbose=False):
+def create_openssl_config(force=False,verbose=False):
     Printing.information('Check Root CA OpenSSL Config')
 
     if config.get('general','pki_dir'):
-        check_directories(path=config.get('general','pki_dir'),verbose)
+        check_directories(path=config.get('general','pki_dir'),verbose=verbose)
     else:
         Printing.error('No pki_dir set in samba-pki-tools.ini')
         sys.exit(1)
 
+    if force:
+        Printing.error("Do you realy want to remove ALL you PKI ? This will destroy ALL YOUR CERTIFICATES AND PRIVATE KEY")
+        Printing.error("After that, you MUST REGENERATE YOUR PKI with NEW certificates and private key for ALL YOUR DOMAIN CONTROLLERS AND USERS")
+        destroy = input('If you are realy sure, please enter : "I want to remove all my PKI"')
+        if destroy == 'I want to remove all my PKI':
+            Printing.information('OK, too late ! Destroying your PKI !')
+            os.removedirs(TisPKI.pki_dir())
+
     root_ca_config = os.path.join(TisPKI.pki_dir(),'config','openssl_root_ca.ini')
 
     if not os.path.isfile(root_ca_config):

manage_pki.py

@@ -9,7 +9,7 @@
 # Licence:      <your licence>
 #-------------------------------------------------------------------------------
 
-from optparse import OptionParser
+from optparse import OptionParser, OptionGroup
 
 from common import *
 
@@ -19,12 +19,19 @@ def main():
     parser.add_option('--initialize', dest="initialize", action="store_true", help="Create PKI")
     parser.add_option('--create-intermediate', dest="create_intermediate", action="store_true", help="Create an intermediate CA")
     parser.add_option('--create-dc-cert', dest="create_dc_cert", action="store_true", help="Create a certificat for a Domain Controler")
-    parser.add_option('-v', '--verbose', dest="verbose", action="store_true", help="Print all command")
+
+    dangerous_group = OptionGroup(parser,'Dangerous options', "Caution: use these options at your own risk.")
+    dangerous_group.add_option('-f', '--force', dest="force", action="store_true", help="Force reinitialize PKI. VERY DANGEROUS")
+    parser.add_option_group(dangerous_group)
+
+    debug_group = OptionGroup(parser, 'Debug options', 'Get more information to debug')
+    debug_group.add_option('-v', '--verbose', dest="verbose", action="store_true", help="Print all command")
+    parser.add_option_group(debug_group)
 
     (options, args) = parser.parse_args()
 
     if options.initialize:
-        create_openssl_config(verbose=options.verbose)
+        create_openssl_config(force=options.force,verbose=options.verbose)
 
 
 if __name__ == '__main__':