path: root/ipaserver/install
authorSimo Sorce <simo@redhat.com>2016-12-22 14:24:21 -0500
committerJan Cholasta <jcholast@redhat.com>2017-02-15 07:13:37 +0100
commitf648c5631afa5e7954eee9a84fb1222d3bce3bf1 (patch)
tree2b771c7c283255a2abf30a984e5471128f862164 /ipaserver/install
parentd124e307f3b7d88bca53784f030ed6043b224432 (diff)
Simplify NSSDatabase password file handling
https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipaserver/install')
-rw-r--r--ipaserver/install/certs.py9
-rw-r--r--ipaserver/install/installutils.py17
-rw-r--r--ipaserver/install/ipa_server_certinstall.py9
-rw-r--r--ipaserver/install/kra.py5
-rw-r--r--ipaserver/install/plugins/update_ra_cert_store.py11
5 files changed, 21 insertions, 30 deletions
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 6d6523c1c..f3478630d 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -83,7 +83,6 @@ class CertDB(object):
self.realm = realm
self.noise_fname = self.secdir + "/noise.txt"
- self.passwd_fname = self.secdir + "/pwdfile.txt"
self.certdb_fname = self.secdir + "/cert8.db"
self.keydb_fname = self.secdir + "/key3.db"
self.secmod_fname = self.secdir + "/secmod.db"
@@ -119,6 +118,10 @@ class CertDB(object):
ca_subject = ipautil.dn_attribute_property('_ca_subject')
subject_base = ipautil.dn_attribute_property('_subject_base')
+ @property
+ def passwd_fname(self):
+ return self.nssdb.pwd_file
+
def __del__(self):
if self.reqdir is not None:
shutil.rmtree(self.reqdir, ignore_errors=True)
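Review bot: The new `passwd_fname` property is undocumented, and as a read-only property it changes the failure mode for any leftover `self.passwd_fname = ...` assignment in this class (none is visible in this hunk; `__init__` runs outside it) from a silently diverging path to an AttributeError. A one-line docstring stating the ownership would help the next reader: `"""Path of the NSS database password file; owned by self.nssdb."""`. If `self.nssdb` is assigned late in `__init__`, anything that reads the property before that point will raise, which is worth confirming against the constructor.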
@@ -189,7 +192,7 @@ class CertDB(object):
ipautil.backup_file(self.certdb_fname)
ipautil.backup_file(self.keydb_fname)
ipautil.backup_file(self.secmod_fname)
- self.nssdb.create_db(self.passwd_fname)
+ self.nssdb.create_db()
self.set_perms(self.passwd_fname, write=True)
def list_certs(self):
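Review bot: `create_db()` is preceded by backups of cert8.db, key3.db and secmod.db but not of the password file, so if `NSSDatabase.create_db()` now generates a fresh password (it no longer receives one, so that seems to be the intent), the backed-up key3.db is left without the password needed to unlock it. Consider adding `ipautil.backup_file(self.passwd_fname)` next to the other three backups so the backup set stays usable. The surrounding function starts outside this hunk.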
@@ -510,7 +513,7 @@ class CertDB(object):
return self.nssdb.find_server_certs()
def import_pkcs12(self, pkcs12_fname, pkcs12_passwd=None):
- return self.nssdb.import_pkcs12(pkcs12_fname, self.passwd_fname,
+ return self.nssdb.import_pkcs12(pkcs12_fname,
pkcs12_passwd=pkcs12_passwd)
def export_pkcs12(self, pkcs12_fname, pkcs12_pwd_fname, nickname=None):
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 8602f59ca..9230e7005 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -1003,19 +1003,16 @@ def load_pkcs12(cert_files, key_password, key_nickname, ca_cert_files,
the CA certificate of the CA that issued the server certificate
"""
with certs.NSSDatabase() as nssdb:
- db_password = ipautil.ipa_generate_password()
- db_pwdfile = ipautil.write_tmp_file(db_password)
- nssdb.create_db(db_pwdfile.name)
+ nssdb.create_db()
try:
- nssdb.import_files(cert_files, db_pwdfile.name,
- True, key_password, key_nickname)
+ nssdb.import_files(cert_files, True, key_password, key_nickname)
except RuntimeError as e:
raise ScriptError(str(e))
if ca_cert_files:
try:
- nssdb.import_files(ca_cert_files, db_pwdfile.name)
+ nssdb.import_files(ca_cert_files)
except RuntimeError as e:
raise ScriptError(str(e))
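Review bot: `nssdb.import_files(cert_files, True, key_password, key_nickname)` passes a bare boolean and two secrets positionally right after the parameter that was just removed; any caller elsewhere that still passes the old `db_pwdfile.name` in the second slot would hand a file name to the boolean parameter, which is truthy, and shift the password and nickname one position without any error. Passing them by keyword guards against that class of mistake: `nssdb.import_files(cert_files, import_keys=True, key_password=key_password, key_nickname=key_nickname)` (the keyword names are my guess from the call shape; use whatever `NSSDatabase.import_files` declares). The function continues outside this hunk.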
@@ -1068,7 +1065,7 @@ def load_pkcs12(cert_files, key_password, key_nickname, ca_cert_files,
'-o', out_file.name,
'-n', key_nickname,
'-d', nssdb.secdir,
- '-k', db_pwdfile.name,
+ '-k', nssdb.pwd_file,
'-w', out_pwdfile.name,
]
ipautil.run(args)
@@ -1143,12 +1140,10 @@ def load_external_cert(files, ca_subject):
with the external CA certificate chain
"""
with certs.NSSDatabase() as nssdb:
- db_password = ipautil.ipa_generate_password()
- db_pwdfile = ipautil.write_tmp_file(db_password)
- nssdb.create_db(db_pwdfile.name)
+ nssdb.create_db()
try:
- nssdb.import_files(files, db_pwdfile.name)
+ nssdb.import_files(files)
except RuntimeError as e:
raise ScriptError(str(e))
diff --git a/ipaserver/install/ipa_server_certinstall.py b/ipaserver/install/ipa_server_certinstall.py
index 787f1f645..dc0644300 100644
--- a/ipaserver/install/ipa_server_certinstall.py
+++ b/ipaserver/install/ipa_server_certinstall.py
@@ -25,7 +25,7 @@ import optparse # pylint: disable=deprecated-module
from ipaplatform.constants import constants
from ipaplatform.paths import paths
-from ipapython import admintool, ipautil
+from ipapython import admintool
from ipapython.certdb import get_ca_nickname, NSSDatabase
from ipapython.dn import DN
from ipalib import api, errors
@@ -164,14 +164,11 @@ class ServerCertInstall(admintool.AdminTool):
def check_chain(self, pkcs12_filename, pkcs12_pin, nssdb):
# create a temp nssdb
with NSSDatabase() as tempnssdb:
- db_password = ipautil.ipa_generate_password()
- db_pwdfile = ipautil.write_tmp_file(db_password)
- tempnssdb.create_db(db_pwdfile.name)
+ tempnssdb.create_db()
# import the PKCS12 file, then delete all CA certificates
# this leaves only the server certs in the temp db
- tempnssdb.import_pkcs12(
- pkcs12_filename, db_pwdfile.name, pkcs12_pin)
+ tempnssdb.import_pkcs12(pkcs12_filename, pkcs12_pin)
for nickname, flags in tempnssdb.list_certs():
if 'u' not in flags:
while tempnssdb.has_nickname(nickname):
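Review bot: `tempnssdb.import_pkcs12(pkcs12_filename, pkcs12_pin)` passes the PIN positionally into the slot that used to hold the database password file, whereas certs.py in this same commit uses the keyword form; a stale positional caller would be indistinguishable from a correct one. Prefer `tempnssdb.import_pkcs12(pkcs12_filename, pkcs12_passwd=pkcs12_pin)` for consistency with `CertDB.import_pkcs12`. `check_chain` continues past the end of this hunk.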
diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py
index 0d1ed8e5c..6f5c22bc7 100644
--- a/ipaserver/install/kra.py
+++ b/ipaserver/install/kra.py
@@ -54,9 +54,8 @@ def install_check(api, replica_config, options):
return
with certdb.NSSDatabase() as tmpdb:
- pw = ipautil.write_tmp_file(ipautil.ipa_generate_password())
- tmpdb.create_db(pw.name)
- tmpdb.import_pkcs12(replica_config.dir + "/cacert.p12", pw.name,
+ tmpdb.create_db()
+ tmpdb.import_pkcs12(replica_config.dir + "/cacert.p12",
replica_config.dirman_password)
kra_cert_nicknames = [
"storageCert cert-pki-kra", "transportCert cert-pki-kra",
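Review bot: The directory manager password is now passed positionally as the second argument to `import_pkcs12`, the position that previously held a password-file path; writing it as `pkcs12_passwd=replica_config.dirman_password` makes the intent explicit and matches the keyword style used in certs.py in this commit. Unlike ipa_server_certinstall.py, this file keeps its `ipautil` import even though the only use visible here was removed; if no other reference remains in kra.py the import is now dead. `install_check` continues outside this hunk.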
diff --git a/ipaserver/install/plugins/update_ra_cert_store.py b/ipaserver/install/plugins/update_ra_cert_store.py
index 84e556919..3d1ce9506 100644
--- a/ipaserver/install/plugins/update_ra_cert_store.py
+++ b/ipaserver/install/plugins/update_ra_cert_store.py
@@ -37,8 +37,7 @@ class update_ra_cert_store(Updater):
return False, []
else:
# Create the DB
- newdb.create_db(os.path.join(paths.IPA_RADB_DIR, 'pwdfile.txt'),
- user=constants.HTTPD_USER,
+ newdb.create_db(user=constants.HTTPD_USER,
group=constants.HTTPD_GROUP,
mode=0o751, backup=True)
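Review bot: Dropping the explicit `os.path.join(paths.IPA_RADB_DIR, 'pwdfile.txt')` makes the password file location whatever `NSSDatabase` chooses by default; that is only safe if the default resolves to the same `<secdir>/pwdfile.txt`, since the RA database is shared with httpd and anything configured with the fixed path (not visible here) would otherwise stop finding the password. A comment on the `create_db` call recording that assumption would help, e.g. `# password file is created by NSSDatabase at newdb.pwd_file (<secdir>/pwdfile.txt)`. The enclosing `execute` method starts and ends outside this hunk.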
@@ -58,18 +57,16 @@ class update_ra_cert_store(Updater):
"chain: {}".format(name, str(e)))
# As the last step export/import/delete the RA Cert
- ipa_httpd_pwdfile = os.path.join(paths.HTTPD_ALIAS_DIR, 'pwdfile.txt')
- ipa_radb_pwdfile = os.path.join(paths.IPA_RADB_DIR, 'pwdfile.txt')
pw = binascii.hexlify(os.urandom(10))
p12file = os.path.join(paths.IPA_RADB_DIR, 'ipaCert.p12')
- olddb.export_pkcs12('ipaCert', p12file, ipa_httpd_pwdfile, pw)
- newdb.import_pkcs12(p12file, ipa_radb_pwdfile, pw)
+ olddb.export_pkcs12('ipaCert', p12file, pw)
+ newdb.import_pkcs12(p12file, pw)
certmonger.stop_tracking(secdir=olddb.secdir,
nickname='ipaCert')
certmonger.start_tracking(secdir=newdb.secdir,
nickname='ipaCert',
- password_file=ipa_radb_pwdfile)
+ password_file=newdb.pwd_file)
olddb.delete_cert('ipaCert')
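Review bot: `ipaCert.p12`, which holds the RA private key, is written under `paths.IPA_RADB_DIR` with whatever the process umask allows and nothing in this hunk removes it after `newdb.import_pkcs12`; if it is not deleted further down (outside the hunk) the key survives on disk protected only by the 80-bit transient `pw`. Wrapping the export/import in `try: ... finally: os.remove(p12file)` would bound its lifetime. As in the other call sites, `pw` is passed positionally into the slot that used to be the password-file path; `pkcs12_passwd=pw` would be clearer. The method continues past this hunk.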