author | Stanislav Laznicka <slaznick@redhat.com> | 2017-02-14 16:55:11 +0100 |
---|---|---|
committer | Petr Vobornik <pvoborni@redhat.com> | 2017-02-23 14:54:43 +0100 |
commit | a39effed7603d66acd238e3142f4df8081ff7bc8 (patch) | |
tree | 17a0fe223328c9546f9c8554eb3c1079a52a9bfb /ipaserver/install | |
parent | 728a6bd4229ba170b2e94f216127b19d5d94e2ba (diff) | |
Remove DM password files after successful pkispawn run
https://fedorahosted.org/freeipa/ticket/5695
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Diffstat (limited to 'ipaserver/install')
-rw-r--r-- | ipaserver/install/cainstance.py | 16 | ||||
-rw-r--r-- | ipaserver/install/dogtaginstance.py | 13 | ||||
-rw-r--r-- | ipaserver/install/krainstance.py | 14 | ||||
-rw-r--r-- | ipaserver/install/server/upgrade.py | 22 |
4 files changed, 52 insertions, 13 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index c9c4cb84a..6e3f995f9 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -449,7 +449,10 @@ class CAInstance(DogtagInstance):
 self.step("configuring certmonger renewal for lightweight CAs", self.__add_lightweight_ca_tracking_requests)
- self.start_creation(runtime=210)
+ try:
+ self.start_creation(runtime=210)
+ finally:
+ self.clean_pkispawn_files()
 def __spawn_instance(self):
 """
@@ -463,6 +466,9 @@ class CAInstance(DogtagInstance):
 os.close(cfg_fd)
 pent = pwd.getpwnam(self.service_user)
 os.chown(cfg_file, pent.pw_uid, pent.pw_gid)
+ self.tmp_agent_db = tempfile.mkdtemp(
+ prefix="tmp-", dir=paths.VAR_LIB_IPA)
+ self.tmp_agent_pwd = ipautil.ipa_generate_password()
 # Create CA configuration
 config = ConfigParser()
@@ -482,8 +488,8 @@ class CAInstance(DogtagInstance):
 ipautil.format_netloc(api.env.domain)))
 # Client security database
- config.set("CA", "pki_client_database_dir", self.agent_db)
- config.set("CA", "pki_client_database_password", self.admin_password)
+ config.set("CA", "pki_client_database_dir", self.tmp_agent_db)
+ config.set("CA", "pki_client_database_password", self.tmp_agent_pwd)
 config.set("CA", "pki_client_database_purge", "False")
 config.set("CA", "pki_client_pkcs12_password", self.admin_password)
@@ -787,7 +793,7 @@ class CAInstance(DogtagInstance):
 # create a temp file storing the pwd
 agent_file = tempfile.NamedTemporaryFile(
 mode="w", dir=paths.VAR_LIB_IPA, delete=False)
- agent_file.write(self.admin_password)
+ agent_file.write(self.tmp_agent_pwd)
 agent_file.close()
 # create a temp pem file storing the CA chain
@@ -807,7 +813,7 @@ class CAInstance(DogtagInstance):
 ], stdin=data, capture_output=False)
 agent_args = [paths.DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT,
- "--dbdir", self.agent_db,
+ "--dbdir", self.tmp_agent_db,
 "--nickname", "ipa-ca-agent",
 "--cafile", chain_file.name,
 "--ee-url", 'http://%s:8080/ca/ee/ca/' % self.fqdn,
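Review bot: `self.tmp_agent_pwd` is first assigned inside `__spawn_instance` (the `@@ -463` hunk) but read in the `@@ -787` hunk (`agent_file.write(self.tmp_agent_pwd)`), and as far as this diff shows the base class gains a default only for `tmp_agent_db`, not for the password; any step order or re-run that reaches the write site without passing through `__spawn_instance` now raises AttributeError where it previously wrote `self.admin_password`. Adding `self.tmp_agent_pwd = None` next to the new `self.tmp_agent_db = None` in `DogtagInstance.__init__`, and raising a clear error at the write site when it is still None, makes the dependency explicit. The `pki_client_database_purge` value staying `"False"` here while the KRA hunk flips it to `"True"` appears deliberate because the `@@ -807` hunk still hands `self.tmp_agent_db` to the renew agent after pkispawn; a comment such as `# not purged: the renew agent below still uses this DB; clean_pkispawn_files() removes it` would spare the next reader the cross-reference. The `agent_file` created with `delete=False` now holds the generated DB password and is not covered by `clean_pkispawn_files()`; if it is not unlinked later in the method (outside the hunk), it would outlive the install. Both enclosing methods start and end outside the hunks.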
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index 968f4b292..cbaaa2594 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -127,7 +127,7 @@ class DogtagInstance(service.Service):
 self.admin_dn = DN(('uid', self.admin_user), ('ou', 'people'), ('o', 'ipaca'))
 self.admin_groups = None
- self.agent_db = tempfile.mkdtemp(prefix="tmp-", dir=paths.VAR_LIB_IPA)
+ self.tmp_agent_db = None
 self.subsystem = subsystem
 self.security_domain_name = "IPA"
 # replication parameters
@@ -138,9 +138,6 @@ class DogtagInstance(service.Service):
 self.log = log_mgr.get_logger(self)
- def __del__(self):
- shutil.rmtree(self.agent_db, ignore_errors=True)
-
 def is_installed(self):
 """
 Determine if subsystem instance has been installed.
@@ -171,6 +168,14 @@ class DogtagInstance(service.Service):
 except ipautil.CalledProcessError as e:
 self.handle_setup_error(e)
+ def clean_pkispawn_files(self):
+ if self.tmp_agent_db is not None:
+ shutil.rmtree(self.tmp_agent_db, ignore_errors=True)
+
+ shutil.rmtree('/root/.dogtag/pki-tomcat/{subsystem}/'
+ .format(subsystem=self.subsystem.lower()),
+ ignore_errors=True)
+
 def restart_instance(self):
 try:
 self.restart('pki-tomcat')
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index e2bd22e71..d7ab6fdaa 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -134,7 +134,10 @@ class KRAInstance(DogtagInstance):
 self.step("enabling KRA instance", self.__enable_instance)
- self.start_creation(runtime=126)
+ try:
+ self.start_creation(runtime=126)
+ finally:
+ self.clean_pkispawn_files()
 def __spawn_instance(self):
 """
@@ -148,6 +151,8 @@ class KRAInstance(DogtagInstance):
 os.close(cfg_fd)
 pent = pwd.getpwnam(self.service_user)
 os.chown(cfg_file, pent.pw_uid, pent.pw_gid)
+ self.tmp_agent_db = tempfile.mkdtemp(
+ prefix="tmp-", dir=paths.VAR_LIB_IPA)
 # Create KRA configuration
 config = ConfigParser()
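Review bot: `clean_pkispawn_files` (the `@@ -171` hunk) removes the hard-coded `'/root/.dogtag/pki-tomcat/{subsystem}/'` with `ignore_errors=True`, so a failure to delete the directory that this commit exists to remove leaves the password material in place without any trace in the log. Since `self.log` is set up in `__init__` (visible in the `@@ -138` hunk), an `onerror` callback such as `onerror=lambda fn, p, exc: self.log.warning("could not remove %s", p)` keeps the best-effort semantics while making leftovers visible. The literal path also assumes the installer runs as root with that home directory; the other absolute location in this file comes from `paths` (`paths.VAR_LIB_IPA`), so this directory presumably belongs there as well. The method has no docstring; `"""Remove the temporary client security database and the per-subsystem directory pkispawn leaves under /root/.dogtag; removal errors are ignored."""` would state the contract, and the same `ignore_errors` point applies to the `tmp_agent_db` removal two lines above.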
@@ -170,9 +175,10 @@ class KRAInstance(DogtagInstance):
 config.set("KRA", "pki_backup_password", self.admin_password)
 # Client security database
- config.set("KRA", "pki_client_database_dir", self.agent_db)
- config.set("KRA", "pki_client_database_password", self.admin_password)
- config.set("KRA", "pki_client_database_purge", "False")
+ config.set("KRA", "pki_client_database_dir", self.tmp_agent_db)
+ config.set("KRA", "pki_client_database_password",
+ ipautil.ipa_generate_password())
+ config.set("KRA", "pki_client_database_purge", "True")
 config.set("KRA", "pki_client_pkcs12_password", self.admin_password)
 # Administrator
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 5ecd83678..90c2be26e 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -282,6 +282,27 @@ def cleanup_adtrust(fstore):
 root_logger.debug('Removing %s from backup', backed_up_file)
+def cleanup_dogtag():
+ """
+ pkispawn leaves some mess we were not cleaning up until recently. Try
+ to clean up what we can.
+ """
+ subsystems = []
+ if api.Command.ca_is_enabled()['result']:
+ subsystems.append('CA')
+ if api.Command.kra_is_enabled()['result']:
+ subsystems.append('KRA')
+
+ for system in subsystems:
+ root_logger.debug(
+ "Cleaning up after pkispawn for the {sub} subsystem"
+ .format(sub=system))
+ instance = dogtaginstance.DogtagInstance(
+ api.env.realm, system, service_desc=None,
+ )
+ instance.clean_pkispawn_files()
+
+
+ def upgrade_adtrust_config():
+ """
+ Upgrade 'dedicated keytab file' in smb.conf to omit FILE: prefix
@@ -1672,6 +1693,7 @@ def upgrade_configuration():
 cleanup_kdc(fstore)
 cleanup_adtrust(fstore)
+ cleanup_dogtag()
 upgrade_adtrust_config()
 bind = bindinstance.BindInstance(fstore) |
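Review bot: The docstring of the new `cleanup_dogtag` in the `@@ -282` hunk ("pkispawn leaves some mess") does not say what is removed or when, which matters for a function that deletes directories during an upgrade. Suggest `"""Remove the per-subsystem directories pkispawn leaves under /root/.dogtag/pki-tomcat/ (the DM password files named in the commit title) for each enabled subsystem (CA, KRA). Safe to run repeatedly; removal errors are ignored."""`. Instantiating a `DogtagInstance` only to call `clean_pkispawn_files()` works because `__init__` no longer creates a temp directory and `tmp_agent_db` defaults to None; that coupling deserves a comment at the constructor call, e.g. `# bare instance: clean_pkispawn_files() only needs self.subsystem`. Whether `api.Command.ca_is_enabled()` and `kra_is_enabled()` can raise on a server without the subsystem cannot be told from here; if they can, a failure here would abort the rest of `upgrade_configuration` (the `@@ -1672` hunk), which is outside this function.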