author | Simo Sorce <simo@redhat.com> | 2016-12-22 18:55:33 -0500 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2017-02-15 07:13:37 +0100 |
commit | 4bd2d6ad46c9151e11f9223dd5383555fdedb249 (patch) | |
tree | 7f982762df2644cb48e348fda0469bb0e8733548 /ipaserver/install | |
parent | 4fd89833ee5421b05c10329d627d0e0fc8496046 (diff) | |
Rationalize creation of RA and HTTPD NSS databases
The RA database should not be created by the HTTP instance,
but in the code path that creates the CA instance.
https://fedorahosted.org/freeipa/ticket/5959
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipaserver/install')
-rw-r--r-- | ipaserver/install/certs.py | 41 | ||||
-rw-r--r-- | ipaserver/install/httpinstance.py | 13 | ||||
-rw-r--r-- | ipaserver/install/server/install.py | 20 | ||||
-rw-r--r-- | ipaserver/install/server/replicainstall.py | 14 |
4 files changed, 51 insertions, 37 deletions
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 83a4bb057..bca2504ca 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -23,6 +23,7 @@ import sys
 import tempfile
 import shutil
 import xml.dom.minidom
+import grp
 import pwd
 import base64
 import fcntl
@@ -76,7 +77,8 @@ class CertDB(object):
 """
 # TODO: Remove all selfsign code
 def __init__(self, realm, nssdir=paths.IPA_RADB_DIR, fstore=None,
- host_name=None, subject_base=None, ca_subject=None):
+ host_name=None, subject_base=None, ca_subject=None,
+ user=None, group=None, mode=None, truncate=False):
 self.nssdb = NSSDatabase(nssdir)
 self.secdir = nssdir
@@ -101,14 +103,29 @@ class CertDB(object):
 self.cacert_name = get_ca_nickname(self.realm)
- # We are going to set the owner of all of the cert
- # files to the owner of the containing directory
- # instead of that of the process. This works when
- # this is called by root for a daemon that runs as
- # a normal user
- mode = os.stat(self.secdir)
- self.uid = mode[stat.ST_UID]
- self.gid = mode[stat.ST_GID]
+ self.user = user
+ self.group = group
+ self.mode = mode
+ self.uid = 0
+ self.gid = 0
+
+ if not truncate and os.path.exists(self.secdir):
+ # We are going to set the owner of all of the cert
+ # files to the owner of the containing directory
+ # instead of that of the process. This works when
+ # this is called by root for a daemon that runs as
+ # a normal user
+ mode = os.stat(self.secdir)
+ self.uid = mode[stat.ST_UID]
+ self.gid = mode[stat.ST_GID]
+ else:
+ if user is not None:
+ pu = pwd.getpwnam(user)
+ self.uid = pu.pw_uid
+ self.gid = pu.pw_gid
+ if group is not None:
+ self.gid = grp.getgrnam(group).gr_gid
+
 self.create_certdbs()
 if fstore:
 self.fstore = fstore
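Review bot: In `CertDB.__init__` the new `mode` parameter is shadowed in the non-truncate branch by the local `mode = os.stat(self.secdir)`; `self.mode` is assigned before that line so behaviour is intact, but the reuse reads as if the file mode were being overwritten — rename the local, e.g. `st = os.stat(self.secdir)` / `self.uid = st[stat.ST_UID]` / `self.gid = st[stat.ST_GID]`. The four new parameters are also undocumented, and the ownership rule is not obvious from the call sites: `user`/`group` decide `self.uid`/`self.gid` only when `truncate` is set or the directory does not exist yet, otherwise the existing directory's owner wins while `user`/`group` are still forwarded to `create_db` by `create_certdbs`; a short docstring paragraph stating that rule, and that `pwd.getpwnam`/`grp.getgrnam` raise `KeyError` for an unknown name, would help the next caller. `__init__` continues past the end of the hunk.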
@@ -189,10 +206,8 @@ class CertDB(object):
 self.set_perms(self.passwd_fname)
 def create_certdbs(self):
- ipautil.backup_file(self.certdb_fname)
- ipautil.backup_file(self.keydb_fname)
- ipautil.backup_file(self.secmod_fname)
- self.nssdb.create_db()
+ self.nssdb.create_db(user=self.user, group=self.group, mode=self.mode,
+ backup=True)
 self.set_perms(self.passwd_fname, write=True)
 def list_certs(self):
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 3ca2300b8..7317fbacc 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -30,12 +30,11 @@ import locale
 import six
-from ipalib.constants import IPAAPI_USER, IPAAPI_GROUP
+from ipalib.constants import IPAAPI_USER
 from ipalib.install import certmonger
 from ipaserver.install import service
 from ipaserver.install import certs
 from ipaserver.install import installutils
-from ipapython import certdb
 from ipapython import dogtag
 from ipapython import ipautil
 from ipapython.dn import DN
@@ -314,12 +313,6 @@ class HTTPInstance(service.Service):
 if certmonger_stopped:
 certmonger.stop()
- def create_cert_dbs(self):
- nssdb = certdb.NSSDatabase(nssdir=paths.HTTPD_ALIAS_DIR)
- nssdb.create_db(user="root", group=constants.HTTPD_GROUP, backup=True)
- nssdb = certdb.NSSDatabase(nssdir=paths.IPA_RADB_DIR)
- nssdb.create_db(user=IPAAPI_USER, group=IPAAPI_GROUP, backup=True)
-
 def request_anon_keytab(self):
 parent = os.path.dirname(paths.ANON_KEYTAB)
 if not os.path.exists(parent):
@@ -350,7 +343,9 @@ class HTTPInstance(service.Service):
 def __setup_ssl(self):
 db = certs.CertDB(self.realm, nssdir=paths.HTTPD_ALIAS_DIR,
- subject_base=self.subject_base)
+ subject_base=self.subject_base, user="root",
+ group=constants.HTTPD_GROUP,
+ truncate=(not self.promote))
 if self.pkcs12_info:
 if self.ca_is_configured:
 trust_flags = 'CT,C,C'
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 0b3ea4786..a4490bbfc 100644
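Review bot: `truncate=(not self.promote)` in `__setup_ssl` is doing more than the name suggests: per `CertDB.__init__`, the explicit `user="root"` and `group=constants.HTTPD_GROUP` only determine the owner of the HTTPD NSS database on a fresh install, while on promote an already existing `HTTPD_ALIAS_DIR` keeps whatever owner it currently has. A one-line comment above the `certs.CertDB(` call would save the next reader a trip to certs.py, e.g. `# fresh install: re-own the DB as root:HTTPD_GROUP; promote: keep the existing DB's owner`. Whether `create_db(..., backup=True)` recreates an existing database on the promote path is not visible here and is worth confirming, since `create_certdbs` is still run unconditionally from `__init__`. `__setup_ssl` continues past the end of the hunk.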
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -14,6 +14,7 @@ import textwrap
 import six
+from ipalib.constants import IPAAPI_USER, IPAAPI_GROUP
 from ipalib.install import certmonger, sysrestore
 from ipapython import ipautil
 from ipapython.ipa_log_manager import root_logger
@@ -713,10 +714,6 @@ def install(installer):
 create_ipaapi_user()
 tasks.create_tmpfiles_dirs()
- # create NSS Databases
- http_instance = httpinstance.HTTPInstance()
- http_instance.create_cert_dbs()
-
 # Create DS user/group if it doesn't exist yet
 dsinstance.create_ds_user()
@@ -777,11 +774,15 @@ def install(installer):
 if n in options.__dict__}
 write_cache(cache_vars)
+ # Create RA DB
+ radb = certs.CertDB(realm_name, nssdir=paths.IPA_RADB_DIR,
+ user=IPAAPI_USER, group=IPAAPI_GROUP,
+ truncate=True)
+
 ca.install_step_0(False, None, options)
- # Now put the CA cert where other instances exepct it
- ca_db = certs.CertDB(realm_name)
- ca_db.publish_ca_cert(paths.IPA_CA_CRT)
+ # Now put the CA cert where other instances expect it
+ radb.publish_ca_cert(paths.IPA_CA_CRT)
 else:
 # Put the CA cert where other instances expect it
 x509.write_certificate(http_ca_cert, paths.IPA_CA_CRT)
@@ -1114,6 +1115,11 @@ def uninstall(installer):
 ' # getcert stop-tracking -i <request_id>\n'
 'for each id in: %s' % ', '.join(ids))
+ try:
+ shutil.rmtree(paths.IPA_RADB_DIR)
+ except Exception:
+ pass
+
 # Remove the cert renewal lock file
 try:
 os.remove(paths.IPA_RENEWAL_LOCK)
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 018cebcd9..0d3a69f2e 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
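Review bot: The new `except Exception: pass` around `shutil.rmtree(paths.IPA_RADB_DIR)` in `uninstall` silently drops every failure, so a permission error or a stray file that leaves the RA agent's key database in place goes unnoticed by the administrator. Best-effort removal is fine here, but the expected failure is an `OSError` and it should at least be logged with the module's existing logger: `except OSError as e:` / `root_logger.debug("Failed to remove %s: %s", paths.IPA_RADB_DIR, e)`. `uninstall` continues outside the hunk.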
@@ -26,6 +26,7 @@ from ipapython.dn import DN
 from ipapython.ipa_log_manager import root_logger
 from ipapython.admintool import ScriptError
 from ipaplatform import services
+from ipaplatform.constants import constants as pconstants
 from ipaplatform.tasks import tasks
 from ipaplatform.paths import paths
 from ipalib import api, constants, create_api, errors, rpc, x509
@@ -77,13 +78,14 @@ def make_pkcs12_info(directory, cert_name, password_name):
 def install_http_certs(host_name, realm_name, subject_base):
 principal = 'HTTP/%s@%s' % (host_name, realm_name)
+ subject = subject_base or DN(('O', realm_name))
+ db = certs.CertDB(realm_name, nssdir=paths.HTTPD_ALIAS_DIR,
+ subject_base=subject, user="root",
+ group=pconstants.HTTPD_GROUP, truncate=True)
+ db.request_service_cert('Server-Cert', principal, host_name)
 # Obtain certificate for the HTTP service
 http = httpinstance.HTTPInstance()
 http.create_password_conf()
- nssdir = paths.HTTPD_ALIAS_DIR
- subject = subject_base or DN(('O', realm_name))
- db = certs.CertDB(realm_name, nssdir=nssdir, subject_base=subject_base)
- db.request_service_cert('Server-Cert', principal, host_name)
 def install_replica_ds(config, options, ca_is_configured, remote_api,
@@ -1337,10 +1339,6 @@ def install(installer):
 dsinstance.create_ds_user()
- # create NSS Databases
- http_instance = httpinstance.HTTPInstance()
- http_instance.create_cert_dbs()
-
 try:
 conn.connect(ccache=ccache)
 # Update and istall updated CA file |
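Review bot: In `install_http_certs` the comment `# Obtain certificate for the HTTP service` is now stranded above `http = httpinstance.HTTPInstance()` / `http.create_password_conf()`, while the request it describes moved above it; move the comment up to the `subject = ...` line and give the two `HTTPInstance` lines their own, e.g. `# Write the httpd password configuration for the new database`. The move also flips the order so that `request_service_cert` now runs before `create_password_conf`; `CertDB.create_certdbs` writes its own password file via `set_perms(self.passwd_fname, write=True)`, so the request is presumably self-contained, but confirm that nothing in `create_password_conf` is needed for the request. The change from `subject_base=subject_base` to `subject_base=subject` quietly fixes the old code computing `subject` and never using it; that deserves a mention in the commit description.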