From 9c215b61acb939eab16a871b3ef06d116c6540e8 Mon Sep 17 00:00:00 2001
From: Petr Viktorin
Date: Fri, 8 Mar 2013 14:37:38 +0100
Subject: ipa-server-install: Make temporary pin files available for the whole installation

We pass names of files with pkcs12 pins to installers which may continue to use the files after the initial call to create_instance, at which point the installer has already removed them. Also, some of the files were not properly removed on failure. Use ipautil.write_tmp_file for the pin files, which returns a NamedTemporaryFile object that removes the underlying file when it is garbage-collected. Create the files at start of installation. This will allow checking the pkcs#12 files before the system is modified.
---
 install/tools/ipa-server-install | 58 +++++++++++++++-------------------------
 1 file changed, 21 insertions(+), 37 deletions(-)
(limited to 'install')

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index a289941e4..c205a2aaa 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -70,7 +70,6 @@ from ipapython.dn import DN
 import ipaclient.ntpconf
-pw_name = None
 uninstalling = False
 installation_cleanup = True
@@ -567,7 +566,6 @@ def set_subject_in_config(realm_name, dm_password, suffix, subject_base):
 def main():
     global ds
-    global pw_name
     global uninstalling
     global installation_cleanup
     ds = None
@@ -697,6 +695,18 @@ def main():
             sys.exit(1)
         cert = certdict[certissuer]
+    if options.http_pkcs12:
+        http_pin_file = ipautil.write_tmp_file(options.http_pin)
+        http_pkcs12_info = (options.dirsrv_pkcs12, http_pin_file.name)
+
+    if options.dirsrv_pkcs12:
+        dirsrv_pin_file = ipautil.write_tmp_file(options.dirsrv_pin)
+        dirsrv_pkcs12_info = (options.dirsrv_pkcs12, dirsrv_pin_file.name)
+
+    if options.pkinit_pkcs12:
+        pkinit_pin_file = ipautil.write_tmp_file(options.pkinit_pin)
+        pkinit_pkcs12_info = (options.pkinit_pkcs12, pkinit_pin_file.name)
+
     # Figure out what external CA step we're in. See cainstance.py for more
     # info on the 3 states.
     if options.external_cert_file:
@@ -942,12 +952,6 @@ def main():
         except ipautil.CalledProcessError, e:
             root_logger.critical("failed to add DS group: %s" % e)
-    if options.dirsrv_pin:
-        [pw_fd, pw_name] = tempfile.mkstemp()
-        os.write(pw_fd, options.dirsrv_pin)
-        os.close(pw_fd)
-        pkcs12_info = (options.dirsrv_pkcs12, pw_name)
-
     if external != 2:
         # Configure ntpd
         if options.conf_ntp:
@@ -960,13 +964,10 @@ def main():
         ds = dsinstance.DsInstance(fstore=fstore)
         if options.dirsrv_pkcs12:
-            try:
-                ds.create_instance(realm_name, host_name, domain_name,
-                                   dm_password, pkcs12_info,
-                                   subject_base=options.subject,
-                                   hbac_allow=not options.hbac_allow)
-            finally:
-                os.remove(pw_name)
+            ds.create_instance(realm_name, host_name, domain_name,
+                               dm_password, dirsrv_pkcs12_info,
+                               subject_base=options.subject,
+                               hbac_allow=not options.hbac_allow)
         else:
             ds.create_instance(realm_name, host_name, domain_name,
                                dm_password, self_signed_ca=options.selfsign,
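Review bot: `http_pkcs12_info = (options.dirsrv_pkcs12, http_pin_file.name)` in the new `if options.http_pkcs12:` block pairs the HTTP pin with the directory-server PKCS#12 path; it should read `http_pkcs12_info = (options.http_pkcs12, http_pin_file.name)`. The tuple is consumed unchanged by `http.create_instance(..., pkcs12_info=http_pkcs12_info, ...)` in the `@@ -1073,28 +1067,21 @@` hunk, so the HTTP instance would be built from the dirsrv bundle, and with a pin that does not belong to it, instead of from the file the administrator supplied. Separately, each `ipautil.write_tmp_file(options.*_pin)` call is now gated on the `*_pkcs12` option rather than on the pin option as the removed code was, so a pkcs12 file given without its pin reaches `write_tmp_file` with `None` unless option validation outside this hunk already rejects that combination. main() begins and ends outside the hunk.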
@@ -1052,19 +1053,12 @@ def main():
         # Upload the CA cert to the directory
         ds.upload_ca_cert()
-        # Create a kerberos instance
-        if options.pkinit_pin:
-            [pw_fd, pw_name] = tempfile.mkstemp()
-            os.write(pw_fd, options.dirsrv_pin)
-            os.close(pw_fd)
-
         krb = krbinstance.KrbInstance(fstore)
         if options.pkinit_pkcs12:
-            pkcs12_info = (options.pkinit_pkcs12, pw_name)
             krb.create_instance(realm_name, host_name, domain_name,
                                 dm_password, master_password,
                                 setup_pkinit=options.setup_pkinit,
-                                pkcs12_info=pkcs12_info,
+                                pkcs12_info=pkinit_pkcs12_info,
                                 subject_base=options.subject)
         else:
             krb.create_instance(realm_name, host_name, domain_name,
@@ -1073,28 +1067,21 @@ def main():
                                 self_signed_ca=options.selfsign,
                                 subject_base=options.subject)
-        if options.pkinit_pin:
-            os.remove(pw_name)
-
         # The DS instance is created before the keytab, add the SSL cert we
         # generated
         ds.add_cert_to_service()
         # Create a HTTP instance
-        if options.http_pin:
-            [pw_fd, pw_name] = tempfile.mkstemp()
-            os.write(pw_fd, options.http_pin)
-            os.close(pw_fd)
-
         memcache = memcacheinstance.MemcacheInstance()
         memcache.create_instance('MEMCACHE', host_name, dm_password, ipautil.realm_to_suffix(realm_name))
         http = httpinstance.HTTPInstance(fstore)
         if options.http_pkcs12:
-            pkcs12_info = (options.http_pkcs12, pw_name)
-            http.create_instance(realm_name, host_name, domain_name, dm_password, autoconfig=False, pkcs12_info=pkcs12_info, subject_base=options.subject, auto_redirect=options.ui_redirect)
-            os.remove(pw_name)
+            http.create_instance(
+                realm_name, host_name, domain_name, dm_password, autoconfig=False,
+                pkcs12_info=http_pkcs12_info, subject_base=options.subject,
+                auto_redirect=options.ui_redirect)
         else:
             http.create_instance(realm_name, host_name, domain_name, dm_password, autoconfig=True, self_signed_ca=options.selfsign, subject_base=options.subject, auto_redirect=options.ui_redirect)
         ipaservices.restore_context("/var/cache/ipa/sessions")
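Review bot: The rewritten `http.create_instance(` call in the `@@ -1073,28 +1067,21 @@` hunk is wrapped at a readable width, but the `else:` branch directly below it still passes every argument on a single long line, so the two sibling calls now read differently; wrapping the `else:` call the same way (positional arguments first, then one line per group of keyword arguments) would keep them parallel. The `self_signed_ca`/`subject_base` lines at the top of that hunk belong to a `krb.create_instance` call that starts in the previous hunk, and main() continues past both hunks.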
@@ -1220,9 +1207,6 @@ if __name__ == '__main__':
         success = True
     finally:
-        if pw_name and ipautil.file_exists(pw_name):
-            os.remove(pw_name)
-
         if not success and installation_cleanup:
             # Do a cautious clean up as we don't know what failed and what is
             # the state of the environment
-- cgit