diff options
author | Stanislav Laznicka <slaznick@redhat.com> | 2017-02-14 16:54:43 +0100 |
---|---|---|
committer | Petr Vobornik <pvoborni@redhat.com> | 2017-02-23 14:54:43 +0100 |
commit | 728a6bd4229ba170b2e94f216127b19d5d94e2ba (patch) | |
tree | 6ea6c0346ec5fbb59a2d5ae482e12cd01f64b7e7 /ipaserver/install | |
parent | b367c3a622c8c8b96777e4ce50334d2a4477bbe7 (diff) | |
download | freeipa-728a6bd4229ba170b2e94f216127b19d5d94e2ba.tar.gz freeipa-728a6bd4229ba170b2e94f216127b19d5d94e2ba.tar.xz freeipa-728a6bd4229ba170b2e94f216127b19d5d94e2ba.zip |
Remove ra_db argument from CAInstance init
The ra_db argument to CAInstance init is a constant so it can
be removed. This constant corresponds to the default CertDB directory
and since CertDB now passes passwords to its inner NSSDatabase instance
we do need to care about having our own run_certutil() method.
https://fedorahosted.org/freeipa/ticket/5695
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Diffstat (limited to 'ipaserver/install')
-rw-r--r-- | ipaserver/install/ca.py | 8 | ||||
-rw-r--r-- | ipaserver/install/cainstance.py | 32 | ||||
-rw-r--r-- | ipaserver/install/server/upgrade.py | 2 |
3 files changed, 14 insertions, 28 deletions
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py index 8e92ef082..e346a2b92 100644 --- a/ipaserver/install/ca.py +++ b/ipaserver/install/ca.py @@ -265,8 +265,7 @@ def install_step_0(standalone, replica_config, options): 'certmap.conf', 'subject_base', str(subject_base)) dsinstance.write_certmap_conf(realm_name, ca_subject) - ca = cainstance.CAInstance(realm_name, paths.IPA_RADB_DIR, - host_name=host_name) + ca = cainstance.CAInstance(realm_name, host_name=host_name) ca.configure_instance(host_name, dm_password, dm_password, subject_base=subject_base, ca_subject=ca_subject, @@ -293,8 +292,7 @@ def install_step_1(standalone, replica_config, options): subject_base = options._subject_base basedn = ipautil.realm_to_suffix(realm_name) - ca = cainstance.CAInstance(realm_name, paths.IPA_RADB_DIR, - host_name=host_name) + ca = cainstance.CAInstance(realm_name, host_name=host_name) ca.stop('pki-tomcat') @@ -356,7 +354,7 @@ def install_step_1(standalone, replica_config, options): def uninstall(): - ca_instance = cainstance.CAInstance(api.env.realm, paths.IPA_RADB_DIR) + ca_instance = cainstance.CAInstance(api.env.realm) ca_instance.stop_tracking_certificates() if ca_instance.is_configured(): ca_instance.uninstall() diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 3c86b9154..c9c4cb84a 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -294,7 +294,7 @@ class CAInstance(DogtagInstance): ('caSigningCert cert-pki-ca', 'ipaCACertRenewal')) server_cert_name = 'Server-Cert cert-pki-ca' - def __init__(self, realm=None, ra_db=None, host_name=None): + def __init__(self, realm=None, host_name=None): super(CAInstance, self).__init__( realm=realm, subsystem="CA", @@ -313,11 +313,8 @@ class CAInstance(DogtagInstance): self.canickname = get_ca_nickname(realm) else: self.canickname = None - self.ra_agent_db = ra_db - if self.ra_agent_db is not None: - self.ra_agent_pwd = self.ra_agent_db + "/pwdfile.txt" - else: - self.ra_agent_pwd = None + self.ra_agent_db = paths.IPA_RADB_DIR + self.ra_agent_pwd = os.path.join(self.ra_agent_db, "pwdfile.txt") self.ra_cert = None self.requestId = None self.log = log_mgr.get_logger(self) @@ -738,16 +735,6 @@ class CAInstance(DogtagInstance): conn.disconnect() - def __run_certutil(self, args, database=None, pwd_file=None, stdin=None, - **kwargs): - if not database: - database = self.ra_agent_db - if not pwd_file: - pwd_file = self.ra_agent_pwd - new_args = [paths.CERTUTIL, "-d", database, "-f", pwd_file] - new_args = new_args + args - return ipautil.run(new_args, stdin, nolog=(pwd_file,), **kwargs) - def __get_ca_chain(self): try: return dogtag.get_ca_certchain(ca_host=self.fqdn) @@ -787,7 +774,7 @@ class CAInstance(DogtagInstance): else: nick = str(subject_dn) trust_flags = ',,' - self.__run_certutil( + certdb.run_certutil( ['-A', '-t', trust_flags, '-n', nick, '-a', '-i', chain_file.name] ) @@ -848,7 +835,8 @@ class CAInstance(DogtagInstance): post_command='renew_ra_cert') self.requestId = str(reqId) - result = self.__run_certutil( + certdb = certs.CertDB(self.realm) + result = certdb.run_certutil( ['-L', '-n', 'ipaCert', '-a'], capture_output=True) self.ra_cert = x509.strip_header(result.output) self.ra_cert = "\n".join( @@ -1013,8 +1001,8 @@ class CAInstance(DogtagInstance): ca='dogtag-ipa-ca-renew-agent', nickname='ipaCert', pin=None, - pinfile=os.path.join(paths.IPA_RADB_DIR, 'pwdfile.txt'), - secdir=paths.IPA_RADB_DIR, + pinfile=self.ra_agent_pwd, + secdir=self.ra_agent_db, pre_command='renew_ra_cert_pre', post_command='renew_ra_cert') except RuntimeError as e: @@ -1033,7 +1021,7 @@ class CAInstance(DogtagInstance): certmonger.stop_tracking(self.nss_db, nickname=nickname) try: - certmonger.stop_tracking(paths.IPA_RADB_DIR, nickname='ipaCert') + certmonger.stop_tracking(self.ra_agent_db, nickname='ipaCert') except RuntimeError as e: root_logger.error( "certmonger failed to stop tracking certificate: %s", e) @@ -1859,5 +1847,5 @@ if __name__ == "__main__": standard_logging_setup("install.log") ds = dsinstance.DsInstance() - ca = CAInstance("EXAMPLE.COM", paths.HTTPD_ALIAS_DIR) + ca = CAInstance("EXAMPLE.COM") ca.configure_instance("catest.example.com", "password", "password") diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index e5d9de4d7..5ecd83678 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -1540,7 +1540,7 @@ def upgrade_configuration(): sub_dict['SUBJECT_BASE'] = subject_base ca = cainstance.CAInstance( - api.env.realm, paths.IPA_RADB_DIR, host_name=api.env.host) + api.env.realm, host_name=api.env.host) ca_running = ca.is_running() # create passswd.txt file in PKI_TOMCAT_ALIAS_DIR if it does not exist |