Diffstat (limited to 'ipaserver/install')
-rw-r--r--ipaserver/install/custodiainstance.py51
-rw-r--r--ipaserver/install/installutils.py8
-rw-r--r--ipaserver/install/server/install.py8
-rw-r--r--ipaserver/install/server/replicainstall.py9
-rw-r--r--ipaserver/install/server/upgrade.py6
-rw-r--r--ipaserver/install/service.py1
6 files changed, 80 insertions, 3 deletions
diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py
new file mode 100644
index 000000000..c21b4537d
--- /dev/null
+++ b/ipaserver/install/custodiainstance.py
@@ -0,0 +1,51 @@
+# Copyright (C) 2015 FreeIPa Project Contributors, see 'COPYING' for license.
+
+from ipapython.secrets.kem import IPAKEMKeys
+from ipaplatform.paths import paths
+from service import SimpleServiceInstance
+from ipapython import ipautil
+from ipaserver.install import installutils
+import os
+
+
+class CustodiaInstance(SimpleServiceInstance):
+ def __init__(self):
+ super(CustodiaInstance, self).__init__("ipa-custodia")
+ self.config_file = paths.IPA_CUSTODIA_CONF
+ self.server_keys = os.path.join(paths.IPA_CUSTODIA_CONF_DIR,
+ 'server.keys')
+
+ def __config_file(self):
+ template_file = os.path.basename(self.config_file) + '.template'
+ template = os.path.join(ipautil.SHARE_DIR, template_file)
+ sub_dict = dict(IPA_CUSTODIA_CONF_DIR=paths.IPA_CUSTODIA_CONF_DIR,
+ IPA_CUSTODIA_SOCKET=paths.IPA_CUSTODIA_SOCKET,
+ IPA_CUSTODIA_AUDIT_LOG=paths.IPA_CUSTODIA_AUDIT_LOG,
+ LDAP_URI=installutils.realm_to_ldapi_uri(self.realm))
+ conf = ipautil.template_file(template, sub_dict)
+ fd = open(self.config_file, "w+")
+ fd.write(conf)
+ fd.flush()
+ fd.close()
+
+ def create_instance(self, *args, **kwargs):
+ self.step("Generating ipa-custodia config file", self.__config_file)
+ self.step("Generating ipa-custodia keys", self.__gen_keys)
+ super(CustodiaInstance, self).create_instance(*args, **kwargs)
+
+ def __gen_keys(self):
+ KeyStore = IPAKEMKeys({'server_keys': self.server_keys})
+ KeyStore.generate_server_keys()
+
+ def upgrade_instance(self, realm):
+ self.realm = realm
+ if not os.path.exists(self.config_file):
+ self.__config_file()
+ if not os.path.exists(self.server_keys):
+ self.__gen_keys()
+
+ def __start(self):
+ super(CustodiaInstance, self).__start()
+
+ def __enable(self):
+ super(CustodiaInstance, self).__enable()
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index ad79f8896..acf309e78 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -36,6 +36,7 @@ from contextlib import contextmanager
from dns import resolver, rdatatype
from dns.exception import DNSException
import ldap
+import ldapurl
from nss.error import NSPRError
import six
@@ -1097,6 +1098,13 @@ def check_version():
def realm_to_serverid(realm_name):
return "-".join(realm_name.split("."))
+
+def realm_to_ldapi_uri(realm_name):
+ serverid = realm_to_serverid(realm_name)
+ socketname = paths.SLAPD_INSTANCE_SOCKET_TEMPLATE % (serverid,)
+ return 'ldapi://' + ldapurl.ldapUrlEscape(socketname)
+
+
def enable_and_start_oddjobd(sstore):
oddjobd = services.service('oddjobd')
sstore.backup_state('oddjobd', 'running', oddjobd.is_running())
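Review bot: `realm_to_ldapi_uri` has no docstring, and the hop from realm name to server id to socket path is not obvious from its three lines; add `"""Return the ldapi:// URI of the 389-ds instance serving realm_name, with the socket path percent-escaped by ldapurl.ldapUrlEscape."""`. It also relies on `paths` being in scope in installutils, which this hunk does not show; presumably it is imported further up the file.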
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 72f6e4d8d..e936b6798 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -33,7 +33,7 @@ import ipaclient.ntpconf
from ipaserver.install import (
bindinstance, ca, cainstance, certs, dns, dsinstance, httpinstance,
installutils, kra, krbinstance, memcacheinstance, ntpinstance,
- otpdinstance, replication, service, sysupgrade)
+ otpdinstance, custodiainstance, replication, service, sysupgrade)
from ipaserver.install.installutils import (
IPA_MODULES, BadHostError, get_fqdn, get_server_ip_address,
is_ipa_configured, load_pkcs12, read_password, verify_fqdn,
@@ -814,6 +814,11 @@ def install(installer):
otpd.create_instance('OTPD', host_name, dm_password,
ipautil.realm_to_suffix(realm_name))
+ custodia = custodiainstance.CustodiaInstance()
+ custodia.create_instance('KEYS', host_name, dm_password,
+ ipautil.realm_to_suffix(realm_name),
+ realm_name)
+
# Create a HTTP instance
http = httpinstance.HTTPInstance(fstore)
if options.http_cert_files:
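Review bot: `custodia.create_instance` is called here with five positional arguments (`'KEYS', host_name, dm_password, suffix, realm_name`) but in the replicainstall.py hunk with four and no realm; since `CustodiaInstance.__config_file` reads `self.realm` and the class itself only assigns it in `upgrade_instance`, one of the two call sites is presumably wrong and the replica path may fail or render the config without a realm — confirm the base `create_instance` signature and make both calls match. Separately, the import tuple edit places `custodiainstance` after `otpdinstance`, breaking the alphabetical order the list otherwise keeps; the replicainstall.py import hunk does the same.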
@@ -1078,6 +1083,7 @@ def uninstall(installer):
dsinstance.DsInstance(fstore=fstore).uninstall()
if _server_trust_ad_installed:
adtrustinstance.ADTRUSTInstance(fstore).uninstall()
+ custodiainstance.CustodiaInstance().uninstall()
memcacheinstance.MemcacheInstance().uninstall()
otpdinstance.OtpdInstance().uninstall()
tasks.restore_network_configuration(fstore, sstore)
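Review bot: `CustodiaInstance` does not override `uninstall`, so whether this call removes `server.keys` (private key material generated under IPA_CUSTODIA_CONF_DIR) and the rendered config file depends on `SimpleServiceInstance.uninstall`, which is not in the diff; if the base method only stops and disables the unit, the key file outlives the uninstall. An explicit `uninstall` on CustodiaInstance that calls the base method and then removes `self.config_file` and `self.server_keys` would make that cleanup visible and checkable.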
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 3087091e4..c0b0761eb 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -28,7 +28,7 @@ import ipaclient.ntpconf
from ipaserver.install import (
bindinstance, ca, cainstance, certs, dns, dsinstance, httpinstance,
installutils, kra, krbinstance, memcacheinstance, ntpinstance,
- otpdinstance, service)
+ otpdinstance, custodiainstance, service)
from ipaserver.install.installutils import create_replica_config
from ipaserver.install.replication import (
ReplicationManager, replica_conn_check)
@@ -596,6 +596,13 @@ def install(installer):
CA.import_ra_cert(config.dir + "/ra.p12")
CA.fix_ra_perms()
+ # FIXME: must be done earlier in replica to fetch keys for CA/ldap server
+ # before they are configured
+ custodia = custodiainstance.CustodiaInstance()
+ custodia.create_instance('KEYS', config.host_name,
+ config.dirman_password,
+ ipautil.realm_to_suffix(config.realm_name))
+
# The DS instance is created before the keytab, add the SSL cert we
# generated
ds.add_cert_to_service()
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 4df621947..42c9cf0f5 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -36,6 +36,7 @@ from ipaserver.install import cainstance
from ipaserver.install import certs
from ipaserver.install import otpdinstance
from ipaserver.install import schemaupdate
+from ipaserver.install import custodiainstance
from ipaserver.install import sysupgrade
from ipaserver.install import dnskeysyncinstance
from ipaserver.install.upgradeinstance import IPAUpgrade
@@ -1465,7 +1466,7 @@ def upgrade_configuration():
service.ldapi = True
try:
if not service.is_configured():
- # 389-ds needs to be running to create the memcache instance
+ # 389-ds needs to be running to create the instances
# because we record the new service in cn=masters.
ds.start()
service.create_instance(ldap_name, fqdn, None,
@@ -1514,6 +1515,9 @@ def upgrade_configuration():
except ipautil.CalledProcessError as e:
root_logger.error("Failed to restart %s: %s", bind.service_name, e)
+ custodia = custodiainstance.CustodiaInstance()
+ custodia.upgrade_instance(api.env.realm)
+
ca_restart = any([
ca_restart,
ca_upgrade_schema(ca),
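Review bot: `upgrade_instance` only materializes missing files; it does not enable or start ipa-custodia, nor register it in cn=masters the way the `service.create_instance` branch earlier in `upgrade_configuration` does for other services (the loop that branch belongs to starts outside the hunk), so an upgraded master presumably ends up with a config and keys but no configured service unless 'KEYS' is also handled by that `is_configured()` path. Either route custodia through that same path or state in an `upgrade_instance` docstring that it intentionally writes files only and leaves service registration to the generic loop.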
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index ac65f7b09..b2d111cdf 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -40,6 +40,7 @@ SERVICE_LIST = {
'DNS': ('named', 30),
'MEMCACHE': ('ipa_memcached', 39),
'HTTP': ('httpd', 40),
+ 'KEYS': ('ipa-custodia', 41),
'CA': ('%sd' % dogtag.configured_constants().PKI_INSTANCE_NAME, 50),
'KRA': ('%sd' % dogtag.configured_constants().PKI_INSTANCE_NAME, 51),
'ADTRUST': ('smb', 60),