authorMartin Basti <mbasti@redhat.com>2017-01-10 16:44:46 +0100
committerMartin Basti <mbasti@redhat.com>2017-01-24 13:25:47 +0100
commit232ceed5bbfb0afa45078d8e95b84dabe4d7cafd (patch)
tree3d077a0a9a62fb21078aad24346bdbb0a5e452fd /ipaserver/install
parent2547bca8df69e6c4d5f4c67a63fbc3c06ccc95c6 (diff)
downloadfreeipa-232ceed5bbfb0afa45078d8e95b84dabe4d7cafd.tar.gz
freeipa-232ceed5bbfb0afa45078d8e95b84dabe4d7cafd.tar.xz
freeipa-232ceed5bbfb0afa45078d8e95b84dabe4d7cafd.zip
py3: cainstance: replace mkstemp with NamedTemporaryFile
With Python 3, files must be opened in text mode to write text, and best practice is to use a file object instead of os.write() and manual encoding. https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipaserver/install')
-rw-r--r--ipaserver/install/cainstance.py49
1 files changed, 25 insertions, 24 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 4c9f9670e..20677cf46 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -657,13 +657,12 @@ class CAInstance(DogtagInstance):
Used when setting up replication
"""
# Add the new RA cert to the database in /etc/httpd/alias
- (agent_fd, agent_name) = tempfile.mkstemp()
- os.write(agent_fd, self.dm_password)
- os.close(agent_fd)
- try:
- import_pkcs12(rafile, agent_name, self.ra_agent_db, self.ra_agent_pwd)
- finally:
- os.remove(agent_name)
+ with tempfile.NamedTemporaryFile(mode="w") as agent_file:
+ agent_file.write(self.dm_password)
+ agent_file.flush()
+
+ import_pkcs12(
+ rafile, agent_file.name, self.ra_agent_db, self.ra_agent_pwd)
self.configure_agent_renewal()
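Review bot: The file that receives `self.dm_password` is still created in the default temporary directory, because `NamedTemporaryFile(mode="w")` is called without `dir=`. The file is private to the creating user, but `__request_ra_certificate` later in this commit keeps its pin file under `paths.VAR_LIB_IPA`, and doing the same here would keep the secret out of a shared directory: `with tempfile.NamedTemporaryFile(mode="w", dir=paths.VAR_LIB_IPA) as agent_file:`. A short comment such as `# password file for import_pkcs12; deleted when the with block exits` would also make clear that the `import_pkcs12` call has to stay inside the `with` body. The page has lost the indentation, so that nesting cannot be confirmed here.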
@@ -759,10 +758,9 @@ class CAInstance(DogtagInstance):
ca_dn = DN(self.ca_subject)
for cert in certlist:
- try:
- chain_fd, chain_name = tempfile.mkstemp()
- os.write(chain_fd, cert)
- os.close(chain_fd)
+ with tempfile.NamedTemporaryFile(mode="w") as chain_file:
+ chain_file.write(cert)
+ chain_file.flush()
(_rdn, subject_dn) = certs.get_cert_nickname(cert)
if subject_dn == ca_dn:
nick = get_ca_nickname(self.realm)
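Review bot: Opening the chain file with `mode="w"` means `chain_file.write(cert)` only works when every entry of `certlist` is `str`. On Python 3 a `bytes` entry would raise `TypeError` before certutil runs. The list is built outside this hunk, so its element type cannot be confirmed from here; since certutil is called with `-a`, PEM text seems to be the expectation. A comment stating it, for example `# cert is PEM text (certutil -a), so text mode is correct`, or an explicit decode where the list is built would pin it down. The loop body continues into the next hunk.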
@@ -772,10 +770,8 @@ class CAInstance(DogtagInstance):
trust_flags = ',,'
self.__run_certutil(
['-A', '-t', trust_flags, '-n', nick, '-a',
- '-i', chain_name]
+ '-i', chain_file.name]
)
- finally:
- os.remove(chain_name)
# Restore NSS trust flags of all previously existing certificates
for nick, trust_flags in cert_backup_list:
@@ -783,13 +779,15 @@ class CAInstance(DogtagInstance):
def __request_ra_certificate(self):
# create a temp file storing the pwd
- (agent_fd, agent_pwdfile) = tempfile.mkstemp(dir=paths.VAR_LIB_IPA)
- os.write(agent_fd, self.admin_password)
- os.close(agent_fd)
+ agent_file = tempfile.NamedTemporaryFile(
+ mode="w", dir=paths.VAR_LIB_IPA, delete=False)
+ agent_file.write(self.admin_password)
+ agent_file.close()
# create a temp pem file storing the CA chain
- (chain_fd, chain_file) = tempfile.mkstemp(dir=paths.VAR_LIB_IPA)
- os.close(chain_fd)
+ chain_file = tempfile.NamedTemporaryFile(
+ mode="w", dir=paths.VAR_LIB_IPA, delete=False)
+ chain_file.close()
chain = self.__get_ca_chain()
data = base64.b64decode(chain)
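Review bot: With `delete=False`, the file holding `self.admin_password` now depends entirely on the removal loop at the end of `__request_ra_certificate`, in the last hunk. If `agent_file.write(...)`, `self.__get_ca_chain()` or `base64.b64decode(chain)` raises first, the password file may be left in `paths.VAR_LIB_IPA`. Whether these statements sit inside the `try` that guards the cleanup is not visible in this hunk. If they do not, open the `try:` immediately after the first `NamedTemporaryFile(...)` call so the existing cleanup also covers these early failures. The function body continues outside the hunk.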
@@ -799,17 +797,17 @@ class CAInstance(DogtagInstance):
"-inform",
"DER",
"-print_certs",
- "-out", chain_file,
+ "-out", chain_file.name,
], stdin=data, capture_output=False)
agent_args = [paths.DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT,
"--dbdir", self.agent_db,
"--nickname", "ipa-ca-agent",
- "--cafile", chain_file,
+ "--cafile", chain_file.name,
"--ee-url", 'http://%s:8080/ca/ee/ca/' % self.fqdn,
"--agent-url",
'https://%s:8443/ca/agent/ca/' % self.fqdn,
- "--sslpinfile", agent_pwdfile]
+ "--sslpinfile", agent_file.name]
helper = " ".join(agent_args)
# configure certmonger renew agent to use temporary agent cert
@@ -842,8 +840,11 @@ class CAInstance(DogtagInstance):
certmonger.modify_ca_helper(
ipalib.constants.RENEWAL_CA_NAME, old_helper)
# remove the pwdfile
- os.remove(agent_pwdfile)
- os.remove(chain_file)
+ for f in (agent_file, chain_file):
+ try:
+ os.remove(f.name)
+ except OSError:
+ pass
def __setup_sign_profile(self):
# Tell the profile to automatically issue certs for RAs
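Review bot: The new `except OSError: pass` hides every failure to delete the pin file, not only the case where it is already gone. One of the two files holds the admin password, so a removal that fails for a reason such as a permission error would leave it on disk with no trace in the install log. Ignore only the missing-file case and log the rest, for example `except OSError as e:` followed by a warning that includes `f.name` and `e` whenever `e.errno != errno.ENOENT`, assuming `errno` and the module's logger are available in this file. The `# remove the pwdfile` comment could also say that both the pin file and the CA chain file are removed.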