authorPetr Viktorin <pviktori@redhat.com>2013-03-08 14:37:38 +0100
committerMartin Kosek <mkosek@redhat.com>2013-04-02 15:28:50 +0200
commit9c215b61acb939eab16a871b3ef06d116c6540e8 (patch)
tree6b4f8a9dd5f674cf42487682264d2100430c6e14
parentcf8c532ca9ae8fa2abfcfe9d74d543c8c7e53a4c (diff)
ipa-server-install: Make temporary pin files available for the whole installation
We pass names of files with pkcs12 pins to installers which may continue to use the files after the initial call to create_instance, at which point the installer has already removed them. Also, some of the files were not properly removed on failure. Use ipautil.write_tmp_file for the pin files, which returns a NamedTemporaryFile object that removes the underlying file when it is garbage-collected. Create the files at start of installation. This will allow checking the pkcs#12 files before the system is modified.
-rwxr-xr-xinstall/tools/ipa-server-install58
1 files changed, 21 insertions, 37 deletions
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index a289941e4..c205a2aaa 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -70,7 +70,6 @@ from ipapython.dn import DN
import ipaclient.ntpconf
-pw_name = None
uninstalling = False
installation_cleanup = True
@@ -567,7 +566,6 @@ def set_subject_in_config(realm_name, dm_password, suffix, subject_base):
def main():
global ds
- global pw_name
global uninstalling
global installation_cleanup
ds = None
@@ -697,6 +695,18 @@ def main():
sys.exit(1)
cert = certdict[certissuer]
+ if options.http_pkcs12:
+ http_pin_file = ipautil.write_tmp_file(options.http_pin)
+ http_pkcs12_info = (options.dirsrv_pkcs12, http_pin_file.name)
+
+ if options.dirsrv_pkcs12:
+ dirsrv_pin_file = ipautil.write_tmp_file(options.dirsrv_pin)
+ dirsrv_pkcs12_info = (options.dirsrv_pkcs12, dirsrv_pin_file.name)
+
+ if options.pkinit_pkcs12:
+ pkinit_pin_file = ipautil.write_tmp_file(options.pkinit_pin)
+ pkinit_pkcs12_info = (options.pkinit_pkcs12, pkinit_pin_file.name)
+
# Figure out what external CA step we're in. See cainstance.py for more
# info on the 3 states.
if options.external_cert_file:
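Review bot: `http_pkcs12_info` is built from `options.dirsrv_pkcs12` instead of `options.http_pkcs12` in the first added block, so when --http_pkcs12 is given the HTTP instance is handed the directory server's PKCS#12 file paired with the HTTP pin; the line removed in the later HTTP hunk used `(options.http_pkcs12, pw_name)`. The tuple should read `http_pkcs12_info = (options.http_pkcs12, http_pin_file.name)`. A weaker point: the three pin files now disappear only when the NamedTemporaryFile objects are finalized, so an interpreter crash or a lingering reference (the frame and traceback still held while the top-level `finally` runs) can leave a PKCS#12 password in the temp directory longer than the explicit os.remove calls did; closing the three file objects in that `finally` block would keep the cleanup deterministic. This also presumes write_tmp_file flushes before returning, since the installers read the file by name. main() continues outside the hunk.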
@@ -942,12 +952,6 @@ def main():
except ipautil.CalledProcessError, e:
root_logger.critical("failed to add DS group: %s" % e)
- if options.dirsrv_pin:
- [pw_fd, pw_name] = tempfile.mkstemp()
- os.write(pw_fd, options.dirsrv_pin)
- os.close(pw_fd)
- pkcs12_info = (options.dirsrv_pkcs12, pw_name)
-
if external != 2:
# Configure ntpd
if options.conf_ntp:
@@ -960,13 +964,10 @@ def main():
ds = dsinstance.DsInstance(fstore=fstore)
if options.dirsrv_pkcs12:
- try:
- ds.create_instance(realm_name, host_name, domain_name,
- dm_password, pkcs12_info,
- subject_base=options.subject,
- hbac_allow=not options.hbac_allow)
- finally:
- os.remove(pw_name)
+ ds.create_instance(realm_name, host_name, domain_name,
+ dm_password, dirsrv_pkcs12_info,
+ subject_base=options.subject,
+ hbac_allow=not options.hbac_allow)
else:
ds.create_instance(realm_name, host_name, domain_name,
dm_password, self_signed_ca=options.selfsign,
@@ -1052,19 +1053,12 @@ def main():
# Upload the CA cert to the directory
ds.upload_ca_cert()
- # Create a kerberos instance
- if options.pkinit_pin:
- [pw_fd, pw_name] = tempfile.mkstemp()
- os.write(pw_fd, options.dirsrv_pin)
- os.close(pw_fd)
-
krb = krbinstance.KrbInstance(fstore)
if options.pkinit_pkcs12:
- pkcs12_info = (options.pkinit_pkcs12, pw_name)
krb.create_instance(realm_name, host_name, domain_name,
dm_password, master_password,
setup_pkinit=options.setup_pkinit,
- pkcs12_info=pkcs12_info,
+ pkcs12_info=pkinit_pkcs12_info,
subject_base=options.subject)
else:
krb.create_instance(realm_name, host_name, domain_name,
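Review bot: The removed pkinit block wrote `options.dirsrv_pin` into the pin file, while the new `pkinit_pkcs12_info` is created from `options.pkinit_pin`, so this hunk also changes which pin the KDC receives when the two pins differ; that behaviour change is not mentioned in the commit message and deserves a sentence there, e.g. `Also fix the pkinit pin file being written with the dirsrv pin.` The enclosing main() starts and ends outside the hunk.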
@@ -1073,28 +1067,21 @@ def main():
self_signed_ca=options.selfsign,
subject_base=options.subject)
- if options.pkinit_pin:
- os.remove(pw_name)
-
# The DS instance is created before the keytab, add the SSL cert we
# generated
ds.add_cert_to_service()
# Create a HTTP instance
- if options.http_pin:
- [pw_fd, pw_name] = tempfile.mkstemp()
- os.write(pw_fd, options.http_pin)
- os.close(pw_fd)
-
memcache = memcacheinstance.MemcacheInstance()
memcache.create_instance('MEMCACHE', host_name, dm_password, ipautil.realm_to_suffix(realm_name))
http = httpinstance.HTTPInstance(fstore)
if options.http_pkcs12:
- pkcs12_info = (options.http_pkcs12, pw_name)
- http.create_instance(realm_name, host_name, domain_name, dm_password, autoconfig=False, pkcs12_info=pkcs12_info, subject_base=options.subject, auto_redirect=options.ui_redirect)
- os.remove(pw_name)
+ http.create_instance(
+ realm_name, host_name, domain_name, dm_password, autoconfig=False,
+ pkcs12_info=http_pkcs12_info, subject_base=options.subject,
+ auto_redirect=options.ui_redirect)
else:
http.create_instance(realm_name, host_name, domain_name, dm_password, autoconfig=True, self_signed_ca=options.selfsign, subject_base=options.subject, auto_redirect=options.ui_redirect)
ipaservices.restore_context("/var/cache/ipa/sessions")
@@ -1220,9 +1207,6 @@ if __name__ == '__main__':
success = True
finally:
- if pw_name and ipautil.file_exists(pw_name):
- os.remove(pw_name)
-
if not success and installation_cleanup:
# Do a cautious clean up as we don't know what failed and what is
# the state of the environment