author | Petr Viktorin <pviktori@redhat.com> | 2013-02-25 17:15:23 +0100 |
committer | Martin Kosek <mkosek@redhat.com> | 2013-03-08 15:42:20 +0100 |
commit | 6ff20ca2d979f481ce91f013469e53d74a95dd48 (patch) | |
tree | d0a5938e3a02ec2df72c8028d7eda873b96620fa | |
parent | 9955ba0714996db7b2b97261d3eb72f281eaa2f6 (diff) | |
Fix installing server with external CA
Reorganize ipa-server-install so that DS (and NTP server) installation
only happens in step one.
Change CAInstance to behave correctly in two-step install.
Add an `init_info` method to DSInstance that includes common
attribute/sub_dict initialization from create_instance and create_replica.
Use it in ipa-server-install to get a properly configured DSInstance
for later tasks.
https://fedorahosted.org/freeipa/ticket/3459
-rwxr-xr-x | install/tools/ipa-server-install | 76 | ||||
-rw-r--r-- | ipaserver/install/cainstance.py | 18 | ||||
-rw-r--r-- | ipaserver/install/dsinstance.py | 45 |
3 files changed, 74 insertions, 65 deletions
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 15591071b..57511c214 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -691,6 +691,15 @@ def main():
 sys.exit(1)
 cert = certdict[certissuer]
 
+ # Figure out what external CA step we're in. See cainstance.py for more
+ # info on the 3 states.
+ if options.external_cert_file:
+ external = 2
+ elif options.external_ca:
+ external = 1
+ else:
+ external = 0
+
 print "=============================================================================="
 print "This program will set up the FreeIPA Server."
 print ""
@@ -717,8 +726,9 @@ def main():
 print "To accept the default shown in brackets, press the Enter key."
 print ""
 
- # Make sure the 389-ds ports are available
- check_dirsrv(options.unattended)
+ if external != 2:
+ # Make sure the 389-ds ports are available
+ check_dirsrv(options.unattended)
 
 if options.conf_ntp:
 try:
@@ -921,36 +931,43 @@ def main():
 except ipautil.CalledProcessError, e:
 root_logger.critical("failed to add DS group: %s" % e)
 
- # Configure ntpd
- if options.conf_ntp:
- ipaclient.ntpconf.force_ntpd(sstore)
- ntp = ntpinstance.NTPInstance(fstore)
- if not ntp.is_configured():
- ntp.create_instance()
-
- # Create a directory server instance
- ds = dsinstance.DsInstance(fstore=fstore)
-
 if options.dirsrv_pin:
 [pw_fd, pw_name] = tempfile.mkstemp()
 os.write(pw_fd, options.dirsrv_pin)
 os.close(pw_fd)
-
- if options.dirsrv_pkcs12:
 pkcs12_info = (options.dirsrv_pkcs12, pw_name)
- try:
+
+ if external != 2:
+ # Configure ntpd
+ if options.conf_ntp:
+ ipaclient.ntpconf.force_ntpd(sstore)
+ ntp = ntpinstance.NTPInstance(fstore)
+ if not ntp.is_configured():
+ ntp.create_instance()
+
+ # Create a directory server instance
+ ds = dsinstance.DsInstance(fstore=fstore)
+
+ if options.dirsrv_pkcs12:
+ try:
+ ds.create_instance(realm_name, host_name, domain_name,
+ dm_password, pkcs12_info,
+ subject_base=options.subject,
+ hbac_allow=not options.hbac_allow)
+ finally:
+ os.remove(pw_name)
+ else:
 ds.create_instance(realm_name, host_name, domain_name,
- dm_password, pkcs12_info,
- subject_base=options.subject,
- hbac_allow=not options.hbac_allow)
- finally:
- os.remove(pw_name)
+ dm_password, self_signed_ca=options.selfsign,
+ idstart=options.idstart, idmax=options.idmax,
+ subject_base=options.subject,
+ hbac_allow=not options.hbac_allow)
 else:
- ds.create_instance(realm_name, host_name, domain_name,
- dm_password, self_signed_ca=options.selfsign,
- idstart=options.idstart, idmax=options.idmax,
- subject_base=options.subject,
- hbac_allow=not options.hbac_allow)
+ ds = dsinstance.DsInstance(fstore=fstore)
+ ds.init_info(
+ realm_name, host_name, domain_name, dm_password,
+ options.selfsign, options.subject, 1101, 1100, None)
+
 
 if options.selfsign:
 ca = certs.CertDB(realm_name, host_name=host_name,
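Review bot: The temp file holding `options.dirsrv_pin` (created by `tempfile.mkstemp()` at the top of the hunk) is only removed inside the `if options.dirsrv_pkcs12:` branch of the `external != 2` path; in the new step-two `else:` branch, and whenever `--dirsrv_pin` is given without `--dirsrv_pkcs12`, the file containing the PIN is left on disk. Initialise `pw_name = None` before the `if options.dirsrv_pin:` block, wrap everything from there to the end of the DS setup in a single `try:`/`finally:`, and end with `if pw_name is not None: os.remove(pw_name)`, dropping the inner `try`/`finally`. The step-two branch also passes `None` as `pkcs12_info` to `ds.init_info`, so a `--dirsrv_pkcs12` given on the second run is silently ignored; if that is intended a comment saying so would help. `main()` continues outside the hunk on both sides.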
@@ -963,15 +980,6 @@ def main():
 except:
 pass
 
- # Figure out what state we're in. See cainstance.py for more info on
- # the 3 states.
- if options.external_cert_file:
- external = 2
- elif options.external_ca:
- external = 1
- else:
- external = 0
-
 if not dogtag.install_constants.SHARED_DB:
 cs = cainstance.CADSInstance(
 host_name, realm_name, domain_name, dm_password)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index a1107cee8..cba5fc9f6 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -238,8 +238,10 @@ def get_crl_files(path=None):
 def is_step_one_done():
 '''Read CS.cfg and determine if step one of an external CA install is done
 '''
- test = installutils.get_directive(
- dogtag.install_constants.CS_CFG_PATH, 'preop.ca.type', '=')
+ path = dogtag.install_constants.CS_CFG_PATH
+ if not os.path.exists(path):
+ return False
+ test = installutils.get_directive(path, 'preop.ca.type', '=')
 if test == "otherca":
 return True
 return False
@@ -736,16 +738,16 @@ class CAInstance(service.Service):
 finally:
 os.remove(cfg_file)
 
- if not self.clone:
- shutil.move("/root/.pki/pki-tomcat/ca_admin_cert.p12", \
- "/root/ca-agent.p12")
- shutil.move("/var/lib/pki/pki-tomcat/alias/ca_backup_keys.p12", \
- "/root/cacert.p12")
-
 if self.external == 1:
 print "The next step is to get %s signed by your CA and re-run ipa-server-install as:" % self.csr_file
 print "ipa-server-install --external_cert_file=/path/to/signed_certificate --external_ca_file=/path/to/external_ca_certificate"
 sys.exit(0)
+ else:
+ if not self.clone:
+ shutil.move("/root/.pki/pki-tomcat/ca_admin_cert.p12", \
+ "/root/ca-agent.p12")
+ shutil.move("/var/lib/pki/pki-tomcat/alias/ca_backup_keys.p12", \
+ "/root/cacert.p12")
 
 root_logger.debug("completed creating ca instance")
 
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 77d76a635..25cac6c27 100644
--- a/ipaserver/install/dsinstance.py
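Review bot: The docstring of `is_step_one_done` does not cover the case the new guard introduces: when `CS.cfg` is absent the function now returns `False` instead of failing inside `get_directive`, so a host with no CA instance at all is reported as "step one not done". Add a line to the docstring such as `Returns False when CS.cfg does not exist yet (no CA instance installed).` so callers do not mistake the missing file for a half-finished install.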
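Review bot: The `else:` added after `sys.exit(0)` is redundant: `sys.exit` does not return, so the moved `if not self.clone:` block can sit at the same level as `if self.external == 1:` and still only run when no step-one exit happened, saving an indentation level for the two `shutil.move` calls. Since those two files hold the CA admin certificate and the CA backup keys, a short comment above the block, e.g. `# step one exits above; the key-material moves only happen on a one-step or step-two install`, would make the intent of the ordering explicit. The enclosing method begins outside the hunk.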
+++ b/ipaserver/install/dsinstance.py
@@ -228,24 +228,31 @@ class DsInstance(service.Service):
 self.step("configuring directory to start on boot", self.__enable)
 
- def create_instance(self, realm_name, fqdn, domain_name,
- dm_password, pkcs12_info=None, self_signed_ca=False,
- idstart=1100, idmax=999999, subject_base=None,
- hbac_allow=True):
+ def init_info(self, realm_name, fqdn, domain_name, dm_password,
+ self_signed_ca, subject_base, idstart, idmax, pkcs12_info):
 self.realm_name = realm_name.upper()
 self.serverid = realm_to_serverid(self.realm_name)
 self.suffix = ipautil.realm_to_suffix(self.realm_name)
 self.fqdn = fqdn
 self.dm_password = dm_password
 self.domain = domain_name
- self.pkcs12_info = pkcs12_info
- self.self_signed_ca = self_signed_ca
- self.idstart = idstart
- self.idmax = idmax
 self.principal = "ldap/%s@%s" % (self.fqdn, self.realm_name)
+ self.self_signed_ca = False
 self.subject_base = subject_base
+ self.idstart = idstart
+ self.idmax = idmax
+ self.pkcs12_info = pkcs12_info
 self.__setup_sub_dict()
+
+ def create_instance(self, realm_name, fqdn, domain_name,
+ dm_password, pkcs12_info=None, self_signed_ca=False,
+ idstart=1100, idmax=999999, subject_base=None,
+ hbac_allow=True):
+ self.init_info(
+ realm_name, fqdn, domain_name, dm_password, self_signed_ca,
+ subject_base, idstart, idmax, pkcs12_info)
+
 self.__common_setup()
 
 self.step("adding default layout", self.__add_default_layout)
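Review bot: `init_info` takes a `self_signed_ca` parameter but assigns `self.self_signed_ca = False` unconditionally, so `create_instance(..., self_signed_ca=options.selfsign)` no longer stores the caller's value the way the removed `self.self_signed_ca = self_signed_ca` line did. If the attribute is genuinely meant to stay `False` from now on the parameter should be dropped from the signature, otherwise the line should read `self.self_signed_ca = self_signed_ca`. `init_info` is also a new public method with nine positional parameters and no docstring; a short one stating that it only fills the instance attributes and builds the substitution dict without touching the system, and that ipa-server-install calls it directly in the second external-CA step, would make the contract clear.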
@@ -266,26 +273,18 @@ class DsInstance(service.Service):
 def create_replica(self, realm_name, master_fqdn, fqdn, domain_name,
 dm_password, pkcs12_info=None):
- self.realm_name = realm_name.upper()
- self.serverid = realm_to_serverid(self.realm_name)
- self.suffix = ipautil.realm_to_suffix(self.realm_name)
- self.master_fqdn = master_fqdn
- self.fqdn = fqdn
- self.dm_password = dm_password
- self.domain = domain_name
- self.pkcs12_info = pkcs12_info
- self.principal = "ldap/%s@%s" % (self.fqdn, self.realm_name)
-
- self.self_signed_ca = False
- self.subject_base = None
 # idstart and idmax are configured so that the range is seen as
 # depleted by the DNA plugin and the replica will go and get a
 # new range from the master.
 # This way all servers use the initially defined range by default.
- self.idstart = 1101
- self.idmax = 1100
+ idstart = 1101
+ idmax = 1100
+
+ self.init_info(
+ realm_name, fqdn, domain_name, dm_password, None, None,
+ idstart, idmax, pkcs12_info)
+ self.master_fqdn = master_fqdn
 
- self.__setup_sub_dict()
 self.__common_setup(True)
 
 self.step("setting up initial replication", self.__setup_replica) |
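Review bot: `self.master_fqdn = master_fqdn` is now assigned after `self.init_info(...)`, which runs `__setup_sub_dict()`, whereas the removed lines set `master_fqdn` before `__setup_sub_dict()` was called; if the substitution dict reads `self.master_fqdn` (its body is outside the hunk) a replica install would now hit a missing attribute. Moving `self.master_fqdn = master_fqdn` above the `self.init_info(` call restores the original order at no cost. The existing comment about the depleted DNA range now sits above the plain locals `idstart`/`idmax`, which still reads correctly.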