authorStanislav Laznicka <slaznick@redhat.com>2017-02-14 16:55:11 +0100
committerPetr Vobornik <pvoborni@redhat.com>2017-02-23 14:54:43 +0100
commita39effed7603d66acd238e3142f4df8081ff7bc8 (patch)
tree17a0fe223328c9546f9c8554eb3c1079a52a9bfb /ipaserver/install
parent728a6bd4229ba170b2e94f216127b19d5d94e2ba (diff)
Remove DM password files after successfull pkispawn run
https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Diffstat (limited to 'ipaserver/install')
-rw-r--r--ipaserver/install/cainstance.py16
-rw-r--r--ipaserver/install/dogtaginstance.py13
-rw-r--r--ipaserver/install/krainstance.py14
-rw-r--r--ipaserver/install/server/upgrade.py22
4 files changed, 52 insertions, 13 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index c9c4cb84a..6e3f995f9 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -449,7 +449,10 @@ class CAInstance(DogtagInstance):
self.step("configuring certmonger renewal for lightweight CAs",
self.__add_lightweight_ca_tracking_requests)
- self.start_creation(runtime=210)
+ try:
+ self.start_creation(runtime=210)
+ finally:
+ self.clean_pkispawn_files()
def __spawn_instance(self):
"""
@@ -463,6 +466,9 @@ class CAInstance(DogtagInstance):
os.close(cfg_fd)
pent = pwd.getpwnam(self.service_user)
os.chown(cfg_file, pent.pw_uid, pent.pw_gid)
+ self.tmp_agent_db = tempfile.mkdtemp(
+ prefix="tmp-", dir=paths.VAR_LIB_IPA)
+ self.tmp_agent_pwd = ipautil.ipa_generate_password()
# Create CA configuration
config = ConfigParser()
@@ -482,8 +488,8 @@ class CAInstance(DogtagInstance):
ipautil.format_netloc(api.env.domain)))
# Client security database
- config.set("CA", "pki_client_database_dir", self.agent_db)
- config.set("CA", "pki_client_database_password", self.admin_password)
+ config.set("CA", "pki_client_database_dir", self.tmp_agent_db)
+ config.set("CA", "pki_client_database_password", self.tmp_agent_pwd)
config.set("CA", "pki_client_database_purge", "False")
config.set("CA", "pki_client_pkcs12_password", self.admin_password)
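Review bot: `pki_client_database_purge` stays `"False"` here while the KRA hunk at krainstance.py 170 flips it to `"True"`; the asymmetry is deliberate only because the CA apparently still uses the client DB after pkispawn (the renew-agent submit at 807 reads `self.tmp_agent_db`), and nothing on the page states that. A comment on the purge line stops someone from "harmonising" it with the KRA: `# not purged by pkispawn: the client DB is still used afterwards and removed by clean_pkispawn_files`. The enclosing method continues outside the hunk.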
@@ -787,7 +793,7 @@ class CAInstance(DogtagInstance):
# create a temp file storing the pwd
agent_file = tempfile.NamedTemporaryFile(
mode="w", dir=paths.VAR_LIB_IPA, delete=False)
- agent_file.write(self.admin_password)
+ agent_file.write(self.tmp_agent_pwd)
agent_file.close()
# create a temp pem file storing the CA chain
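Review bot: The password now written to `agent_file` is still a secret on disk, and the NamedTemporaryFile is created with `delete=False`, so its lifetime depends on an explicit remove that lies outside this hunk; the new clean_pkispawn_files (dogtaginstance.py hunk at 171) does not cover it, since it only removes `tmp_agent_db` and the /root/.dogtag directory. If that remove is not in a `finally` of this method, a failure between the write and the submit call would leave the password file in VAR_LIB_IPA — worth confirming, and wrapping the use in `try: ... finally: os.remove(agent_file.name)` would close the gap. The enclosing method starts and ends outside the hunk.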
@@ -807,7 +813,7 @@ class CAInstance(DogtagInstance):
], stdin=data, capture_output=False)
agent_args = [paths.DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT,
- "--dbdir", self.agent_db,
+ "--dbdir", self.tmp_agent_db,
"--nickname", "ipa-ca-agent",
"--cafile", chain_file.name,
"--ee-url", 'http://%s:8080/ca/ee/ca/' % self.fqdn,
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index 968f4b292..cbaaa2594 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -127,7 +127,7 @@ class DogtagInstance(service.Service):
self.admin_dn = DN(('uid', self.admin_user),
('ou', 'people'), ('o', 'ipaca'))
self.admin_groups = None
- self.agent_db = tempfile.mkdtemp(prefix="tmp-", dir=paths.VAR_LIB_IPA)
+ self.tmp_agent_db = None
self.subsystem = subsystem
self.security_domain_name = "IPA"
# replication parameters
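Review bot: `self.tmp_agent_db = None` gets a default in `__init__`, but its companion `self.tmp_agent_pwd`, assigned only in CAInstance.__spawn_instance (cainstance.py hunk at 463) and read in the hunk at 787, does not; a CAInstance object that reaches the agent-certificate request without having run `__spawn_instance` itself would fail with an AttributeError instead of a clear error. Adding `self.tmp_agent_pwd = None` next to this line (or in CAInstance.__init__) keeps the two attributes in step. The `__init__` body continues outside the hunk.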
@@ -138,9 +138,6 @@ class DogtagInstance(service.Service):
self.log = log_mgr.get_logger(self)
- def __del__(self):
- shutil.rmtree(self.agent_db, ignore_errors=True)
-
def is_installed(self):
"""
Determine if subsystem instance has been installed.
@@ -171,6 +168,14 @@ class DogtagInstance(service.Service):
except ipautil.CalledProcessError as e:
self.handle_setup_error(e)
+ def clean_pkispawn_files(self):
+ if self.tmp_agent_db is not None:
+ shutil.rmtree(self.tmp_agent_db, ignore_errors=True)
+
+ shutil.rmtree('/root/.dogtag/pki-tomcat/{subsystem}/'
+ .format(subsystem=self.subsystem.lower()),
+ ignore_errors=True)
+
def restart_instance(self):
try:
self.restart('pki-tomcat')
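Review bot: clean_pkispawn_files deletes files that hold passwords with `ignore_errors=True`, so a failed removal (wrong ownership, immutable attribute, I/O error) is silently dropped and the credentials stay on disk with nobody told; the method also has no docstring, and `'/root/.dogtag/pki-tomcat/{subsystem}/'` is a hard-coded path in a file that otherwise takes locations from `paths` (see the removed `paths.VAR_LIB_IPA` line at 130) — it would belong in a `paths` constant (name to be chosen). The rewrite below keeps the behaviour but routes removal failures through `self.log` via `onerror`; note that a missing directory is then reported at debug level too, which is harmless for the upgrade path that calls this on every run.
```python
def clean_pkispawn_files(self):
    """Remove the files pkispawn leaves behind: the temporary client
    NSS database (if one was created) and the per-subsystem working
    directory under /root/.dogtag, both of which hold passwords.
    Safe to call when nothing is left to remove."""
    def _log_rmtree_error(_func, path, exc_info):
        # removal of credential material should not fail silently
        self.log.debug("could not remove %s: %s", path, exc_info[1])

    if self.tmp_agent_db is not None:
        shutil.rmtree(self.tmp_agent_db, onerror=_log_rmtree_error)

    shutil.rmtree('/root/.dogtag/pki-tomcat/{subsystem}/'
                  .format(subsystem=self.subsystem.lower()),
                  onerror=_log_rmtree_error)
```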
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index e2bd22e71..d7ab6fdaa 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -134,7 +134,10 @@ class KRAInstance(DogtagInstance):
self.step("enabling KRA instance", self.__enable_instance)
- self.start_creation(runtime=126)
+ try:
+ self.start_creation(runtime=126)
+ finally:
+ self.clean_pkispawn_files()
def __spawn_instance(self):
"""
@@ -148,6 +151,8 @@ class KRAInstance(DogtagInstance):
os.close(cfg_fd)
pent = pwd.getpwnam(self.service_user)
os.chown(cfg_file, pent.pw_uid, pent.pw_gid)
+ self.tmp_agent_db = tempfile.mkdtemp(
+ prefix="tmp-", dir=paths.VAR_LIB_IPA)
# Create KRA configuration
config = ConfigParser()
@@ -170,9 +175,10 @@ class KRAInstance(DogtagInstance):
config.set("KRA", "pki_backup_password", self.admin_password)
# Client security database
- config.set("KRA", "pki_client_database_dir", self.agent_db)
- config.set("KRA", "pki_client_database_password", self.admin_password)
- config.set("KRA", "pki_client_database_purge", "False")
+ config.set("KRA", "pki_client_database_dir", self.tmp_agent_db)
+ config.set("KRA", "pki_client_database_password",
+ ipautil.ipa_generate_password())
+ config.set("KRA", "pki_client_database_purge", "True")
config.set("KRA", "pki_client_pkcs12_password", self.admin_password)
# Administrator
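Review bot: The KRA now lets pkispawn purge the client DB (`pki_client_database_purge` set to `"True"`) and throws the generated password away, while the CA at cainstance.py 482 keeps `"False"` and retains the password in `self.tmp_agent_pwd`; the reason — presumably that the KRA does not use the client DB after pkispawn, whereas the CA does — is stated nowhere. A comment on the purge line records it: `# the KRA does not use the client DB after pkispawn: let pkispawn purge it, the password is throw-away`. The enclosing method continues outside the hunk.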
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 5ecd83678..90c2be26e 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -282,6 +282,27 @@ def cleanup_adtrust(fstore):
root_logger.debug('Removing %s from backup', backed_up_file)
+def cleanup_dogtag():
+ """
+ pkispawn leaves some mess we were not cleaning up until recently. Try
+ to clean up what we can.
+ """
+ subsystems = []
+ if api.Command.ca_is_enabled()['result']:
+ subsystems.append('CA')
+ if api.Command.kra_is_enabled()['result']:
+ subsystems.append('KRA')
+
+ for system in subsystems:
+ root_logger.debug(
+ "Cleaning up after pkispawn for the {sub} subsystem"
+ .format(sub=system))
+ instance = dogtaginstance.DogtagInstance(
+ api.env.realm, system, service_desc=None,
+ )
+ instance.clean_pkispawn_files()
+
+
def upgrade_adtrust_config():
"""
Upgrade 'dedicated keytab file' in smb.conf to omit FILE: prefix
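Review bot: cleanup_dogtag only visits subsystems whose `ca_is_enabled`/`kra_is_enabled` command reports true, so a directory left under /root/.dogtag/pki-tomcat/ by a failed or later removed KRA (or CA) install is never cleaned, although that is the case in which the password files have been lying around longest. Since clean_pkispawn_files (dogtaginstance.py hunk at 171) already tolerates a missing directory and does not touch the installed instance, iterating `for system in ('CA', 'KRA'):` unconditionally would be simpler and catch more leftovers, and the two `api.Command` calls could go. The docstring could also name what is removed ("the pkispawn client NSS DB and its password files under /root/.dogtag") rather than "some mess".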
@@ -1672,6 +1693,7 @@ def upgrade_configuration():
cleanup_kdc(fstore)
cleanup_adtrust(fstore)
+ cleanup_dogtag()
upgrade_adtrust_config()
bind = bindinstance.BindInstance(fstore)