diff options
| author | Petr Viktorin <pviktori@redhat.com> | 2013-03-08 14:37:38 +0100 |
|---|---|---|
| committer | Martin Kosek <mkosek@redhat.com> | 2013-04-02 15:28:50 +0200 |
| commit | 9c215b61acb939eab16a871b3ef06d116c6540e8 (patch) | |
| tree | 6b4f8a9dd5f674cf42487682264d2100430c6e14 /install/tools/ipa-server-install | |
| parent | cf8c532ca9ae8fa2abfcfe9d74d543c8c7e53a4c (diff) | |
| download | freeipa-9c215b61acb939eab16a871b3ef06d116c6540e8.tar.gz freeipa-9c215b61acb939eab16a871b3ef06d116c6540e8.tar.xz freeipa-9c215b61acb939eab16a871b3ef06d116c6540e8.zip | |
ipa-server-install: Make temporary pin files available for the whole installation
We pass names of files with pkcs12 pins to installers which may continue to
use the files after the initial call to create_instance, at which point
the installer has already removed them.
Also, some of the files were not properly removed on failure.
Use ipautil.write_tmp_file for the pin files, which returns a
NamedTemporaryFile object that removes the underlying file when it is
garbage-collected.
Create the files at start of installation. This will allow checking
the pkcs#12 files before the system is modified.
Diffstat (limited to 'install/tools/ipa-server-install')
| -rwxr-xr-x | install/tools/ipa-server-install | 58 |
1 files changed, 21 insertions, 37 deletions
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index a289941e4..c205a2aaa 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -70,7 +70,6 @@ from ipapython.dn import DN import ipaclient.ntpconf -pw_name = None uninstalling = False installation_cleanup = True @@ -567,7 +566,6 @@ def set_subject_in_config(realm_name, dm_password, suffix, subject_base): def main(): global ds - global pw_name global uninstalling global installation_cleanup ds = None @@ -697,6 +695,18 @@ def main(): sys.exit(1) cert = certdict[certissuer] + if options.http_pkcs12: + http_pin_file = ipautil.write_tmp_file(options.http_pin) + http_pkcs12_info = (options.dirsrv_pkcs12, http_pin_file.name) + + if options.dirsrv_pkcs12: + dirsrv_pin_file = ipautil.write_tmp_file(options.dirsrv_pin) + dirsrv_pkcs12_info = (options.dirsrv_pkcs12, dirsrv_pin_file.name) + + if options.pkinit_pkcs12: + pkinit_pin_file = ipautil.write_tmp_file(options.pkinit_pin) + pkinit_pkcs12_info = (options.pkinit_pkcs12, pkinit_pin_file.name) + # Figure out what external CA step we're in. See cainstance.py for more # info on the 3 states. if options.external_cert_file: @@ -942,12 +952,6 @@ def main(): except ipautil.CalledProcessError, e: root_logger.critical("failed to add DS group: %s" % e) - if options.dirsrv_pin: - [pw_fd, pw_name] = tempfile.mkstemp() - os.write(pw_fd, options.dirsrv_pin) - os.close(pw_fd) - pkcs12_info = (options.dirsrv_pkcs12, pw_name) - if external != 2: # Configure ntpd if options.conf_ntp: @@ -960,13 +964,10 @@ def main(): ds = dsinstance.DsInstance(fstore=fstore) if options.dirsrv_pkcs12: - try: - ds.create_instance(realm_name, host_name, domain_name, - dm_password, pkcs12_info, - subject_base=options.subject, - hbac_allow=not options.hbac_allow) - finally: - os.remove(pw_name) + ds.create_instance(realm_name, host_name, domain_name, + dm_password, dirsrv_pkcs12_info, + subject_base=options.subject, + hbac_allow=not options.hbac_allow) else: ds.create_instance(realm_name, host_name, domain_name, dm_password, self_signed_ca=options.selfsign, @@ -1052,19 +1053,12 @@ def main(): # Upload the CA cert to the directory ds.upload_ca_cert() - # Create a kerberos instance - if options.pkinit_pin: - [pw_fd, pw_name] = tempfile.mkstemp() - os.write(pw_fd, options.dirsrv_pin) - os.close(pw_fd) - krb = krbinstance.KrbInstance(fstore) if options.pkinit_pkcs12: - pkcs12_info = (options.pkinit_pkcs12, pw_name) krb.create_instance(realm_name, host_name, domain_name, dm_password, master_password, setup_pkinit=options.setup_pkinit, - pkcs12_info=pkcs12_info, + pkcs12_info=pkinit_pkcs12_info, subject_base=options.subject) else: krb.create_instance(realm_name, host_name, domain_name, @@ -1073,28 +1067,21 @@ def main(): self_signed_ca=options.selfsign, subject_base=options.subject) - if options.pkinit_pin: - os.remove(pw_name) - # The DS instance is created before the keytab, add the SSL cert we # generated ds.add_cert_to_service() # Create a HTTP instance - if options.http_pin: - [pw_fd, pw_name] = tempfile.mkstemp() - os.write(pw_fd, options.http_pin) - os.close(pw_fd) - memcache = memcacheinstance.MemcacheInstance() memcache.create_instance('MEMCACHE', host_name, dm_password, ipautil.realm_to_suffix(realm_name)) http = httpinstance.HTTPInstance(fstore) if options.http_pkcs12: - pkcs12_info = (options.http_pkcs12, pw_name) - http.create_instance(realm_name, host_name, domain_name, dm_password, autoconfig=False, pkcs12_info=pkcs12_info, subject_base=options.subject, auto_redirect=options.ui_redirect) - os.remove(pw_name) + http.create_instance( + realm_name, host_name, domain_name, dm_password, autoconfig=False, + pkcs12_info=http_pkcs12_info, subject_base=options.subject, + auto_redirect=options.ui_redirect) else: http.create_instance(realm_name, host_name, domain_name, dm_password, autoconfig=True, self_signed_ca=options.selfsign, subject_base=options.subject, auto_redirect=options.ui_redirect) ipaservices.restore_context("/var/cache/ipa/sessions") @@ -1220,9 +1207,6 @@ if __name__ == '__main__': success = True finally: - if pw_name and ipautil.file_exists(pw_name): - os.remove(pw_name) - if not success and installation_cleanup: # Do a cautious clean up as we don't know what failed and what is # the state of the environment |