From 462629bab3163be47b2fc6d79b88781f82fdaf15 Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Wed, 16 Apr 2014 11:20:29 -0400
Subject: Added nolog to pkispawn and some additional fixes from review.

---
 install/tools/ipa-drm-install       |  2 +-
 install/tools/ipa-server-install    |  2 ++
 ipaserver/install/cainstance.py     | 26 ++++++++++++--------------
 ipaserver/install/dogtaginstance.py | 32 ++++++++++++++++++++++++++++++--
 ipaserver/install/drminstance.py    | 22 ++++++++-------------
 ipaserver/install/dsinstance.py     | 20 +++++++++++++-------
 6 files changed, 66 insertions(+), 38 deletions(-)

diff --git a/install/tools/ipa-drm-install b/install/tools/ipa-drm-install
index 7af39a3c7..2a2b2a727 100644
--- a/install/tools/ipa-drm-install
+++ b/install/tools/ipa-drm-install
@@ -137,7 +137,7 @@ def main():
     if options.uninstall:
         if enable_drm is None:
             sys.exit("There is no DRM installed on this system")
-        uninstall(realm_name)
+        return uninstall(realm_name)
 
     if enable_drm is not None and enable_drm == 'True':
         sys.exit("DRM is already installed.")
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 440d108a6..2ab4e68bc 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -503,6 +503,7 @@ def uninstall():
         ca_instance = cainstance.CAInstance(
             api.env.realm, certs.NSS_DIR, dogtag_constants=dogtag_constants)
         ca_instance.stop_tracking_certificates(dogtag_constants)
+        ca_instance.stop_tracking_agent_certificate(dogtag_constants)
         if ca_instance.is_configured():
             ca_instance.uninstall()
@@ -762,6 +763,7 @@ def main():
     # We only set up the CA if the PKCS#12 options are not given.
     if options.dirsrv_pkcs12:
         setup_ca = False
+        setup_drm = False
     else:
         setup_ca = True
         setup_drm = True
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 6bbb6f545..5768e2939 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
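Review bot: `return uninstall(realm_name)` makes whatever uninstall() returns the return value of main(); uninstall()'s body is outside this hunk, and if it returns nothing, main() now returns None on this path, which a `sys.exit(main())`-style caller reports as success even when the uninstall logged failures. Please confirm uninstall() returns a proper exit status, or write `uninstall(realm_name)` followed by `return 0` (or whatever status convention the rest of main() uses). The early return itself is the right fix: before it, control fell through into the install-path checks that follow.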
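Review bot: The comment above the branch, `# We only set up the CA if the PKCS#12 options are not given.`, no longer describes the code now that `setup_drm = False` is set alongside `setup_ca = False`; update it to `# We only set up the CA and DRM if the PKCS#12 options are not given.`. The added line is otherwise correct — without it `setup_drm` was unbound on the PKCS#12 path and any later read of it would raise NameError.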
@@ -285,7 +285,7 @@ class CADSInstance(service.Service):
         _user_exists = self.restore_state("user_exists")
 
         # At one time we removed this user on uninstall. That can potentially
-        # orphan files, or worse, if another useradd runs in the intermim,
+        # orphan files, or worse, if another useradd runs in the interim,
         # cause files to have a new owner.
 
@@ -325,6 +325,10 @@ class CAInstance(DogtagInstance):
         self.ra_agent_pwd = self.ra_agent_db + "/pwdfile.txt"
         self.ra_cert = None
         self.requestId = None
+        self.tracking_nicknames = ['Server-Cert cert-pki-ca',
+                                   'auditSigningCert cert-pki-ca',
+                                   'ocspSigningCert cert-pki-ca',
+                                   'subsystemCert cert-pki-ca']
 
     def configure_instance(self, host_name, domain, dm_password, admin_password, ds_port=DEFAULT_DSPORT,
@@ -713,7 +717,7 @@ class CAInstance(DogtagInstance):
             os.write(admin_fd, self.admin_password)
             os.close(admin_fd)
 
-            # Look thru the cert chain to get all the certs we need to add
+            # Look through the cert chain to get all the certs we need to add
             # trust for
             p = subprocess.Popen(["/usr/bin/certutil", "-d", self.agent_db, "-O", "-n", "ipa-ca-agent"], stdout=subprocess.PIPE)
@@ -899,7 +903,7 @@ class CAInstance(DogtagInstance):
         try:
             ipautil.run(["/usr/bin/pk12util",
                          "-n", "ipa-ca-agent",
-                         "-o", "/root/ca-agent.p12",
+                         "-o", DogtagInstance.AGENT_P12_PATH,
                          "-d", self.agent_db,
                          "-k", pwd_name,
                          "-w", pwd_name])
@@ -925,7 +929,7 @@ class CAInstance(DogtagInstance):
                 "-print_certs",
             ],
             stdin=data)
 
-        # Ok, now we have all the certificates in certs, walk thru it
+        # Ok, now we have all the certificates in certs, walk through it
         # and pull out each certificate and add it to our database
         st = 1
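Review bot: `self.tracking_nicknames` is a fixed set of certmonger nicknames held as a mutable per-instance list; it never varies between instances, so a class-level tuple (`TRACKING_NICKNAMES = ('Server-Cert cert-pki-ca', ...)`) states that intent and rules out accidental mutation. Nothing in this patch shows who consumes the attribute — presumably `DogtagInstance.stop_tracking_certificates`, which the uninstall path now calls with only `dogtag_constants` — so a one-line comment would help the next reader: `# certmonger nicknames released by stop_tracking_certificates() on uninstall`.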
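Review bot: `DogtagInstance.AGENT_P12_PATH` (/root/ca-agent.p12) receives the exported agent certificate together with its private key, protected only by the passphrase in `pwd_name`; the file is created with whatever mode pk12util and the process umask produce, so consider tightening it explicitly, e.g. `os.chmod(DogtagInstance.AGENT_P12_PATH, 0o600)` right after the run, and deleting it once the DRM installer (which this patch points at the same path via `pki_client_admin_cert_p12`) has imported it. The `try:` this call sits in continues outside the hunk, so the cleanup would belong near its `except`/`finally`.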
@@ -1201,7 +1205,7 @@ class CAInstance(DogtagInstance):
             root_logger.critical("failed to uninstall CA instance %s" % e)
 
         # At one time we removed this user on uninstall. That can potentially
-        # orphan files, or worse, if another useradd runs in the intermim,
+        # orphan files, or worse, if another useradd runs in the interim,
         # cause files to have a new owner.
 
         _user_exists = self.restore_state("user_exists")
@@ -1316,16 +1320,10 @@ class CAInstance(DogtagInstance):
             root_logger.error(
                 "certmonger failed to start tracking certificate: %s" % e)
 
-    def stop_tracking_system_certificates(self, dogtag_constants):
-        """Stop tracking our certificates. Called on uninstall.
+    @staticmethod
+    def stop_tracking_agent_certificate(dogtag_constants):
+        """Stop tracking agent certificate. Called on uninstall.
         """
-        nicknames = ['Server-Cert cert-pki-ca',
-                     'auditSigningCert cert-pki-ca',
-                     'ocspSigningCert cert-pki-ca',
-                     'subsystemCert cert-pki-ca']
-        DogtagInstance.stop_tracking_certificates(
-            self, dogtag_constants, nicknames)
-
         cmonger = ipaservices.knownservices.certmonger
         ipaservices.knownservices.messagebus.start()
         cmonger.start()
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index 14b96ba36..66a76c75d 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -25,6 +25,7 @@ import traceback
 
 from ipapython import certmonger
 from ipapython import dogtag
+from ipapython import ipaldap
 from ipapython import ipautil
 from ipapython import services as ipaservices
 from ipapython.dn import DN
@@ -66,6 +67,9 @@ class DogtagInstance(service.Service):
     CA, KRA, and eventually TKS and TPS.
     """
 
+    ADMIN_CERT_PATH = '/root/.dogtag/pki-tomcat/ca_admin.cert'
+    AGENT_P12_PATH = '/root/ca-agent.p12'
+
     def __init__(self, realm, subsystem, service_desc, dogtag_constants=None):
         if dogtag_constants is None:
             dogtag_constants = dogtag.configured_constants()
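Review bot: `stop_tracking_system_certificates` is removed outright rather than kept as a thin alias, so any caller outside this patch that still uses the old name will fail with AttributeError at uninstall time; the only updated caller visible here is ipa-server-install, so please grep the other install/uninstall tools. In the new `stop_tracking_agent_certificate`, `dogtag_constants` is not referenced in the visible lines — the body continues past the hunk — and if it is unused there too, drop it or add a comment saying it is kept for signature symmetry with `stop_tracking_certificates`. The docstring can also close on one line: `"""Stop tracking the agent certificate. Called on uninstall."""`.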
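Review bot: `ADMIN_CERT_PATH` hardcodes the `pki-tomcat` instance name, whereas the rest of this class builds paths from `self.dogtag_constants.PKI_INSTANCE_NAME` (see the `os.path.join` arguments in the next hunk); if the constants ever point at a differently named instance, this path silently goes stale. Either build it at runtime from PKI_INSTANCE_NAME or record the assumption: `# pkispawn writes the CA admin cert here; assumes the default pki-tomcat instance name`. Since `AGENT_P12_PATH` holds the agent's private key, a second comment marking it as sensitive material that should be removed after use would help readers of the DRM installer.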
@@ -84,6 +88,7 @@ class DogtagInstance(service.Service):
         self.clone = False
         self.basedn = DN(('o', 'ipa%s' % subsystem.lower()))
+        self.admin_user = DN(('uid', 'admin'), ('ou', 'people'), ('o', 'ipaca'))
         self.agent_db = tempfile.mkdtemp(prefix="tmp-")
         self.ds_port = DEFAULT_DSPORT
         self.server_root = dogtag_constants.SERVER_ROOT
@@ -109,7 +114,7 @@ class DogtagInstance(service.Service):
             self.server_root,
             self.dogtag_constants.PKI_INSTANCE_NAME,
             self.subsystem.lower()))
-    def spawn_instance(self, cfg_file):
+    def spawn_instance(self, cfg_file, nolog_list=None):
         """
         Create and configure a new Dogtag instance using pkispawn.
         Passes in a configuration file with IPA-specific
@@ -118,7 +123,10 @@ class DogtagInstance(service.Service):
         subsystem = self.subsystem
 
         # Define the things we don't want logged
-        nolog = (self.admin_password, self.dm_password,)
+        if nolog_list is None:
+            nolog_list = []
+        nolog_list.extend([self.admin_password, self.dm_password])
+        nolog = tuple(nolog_list)
 
         args = ["/usr/sbin/pkispawn",
                 "-s", subsystem,
@@ -330,3 +338,23 @@ class DogtagInstance(service.Service):
                 base64.b64encode(cert),
                 quotes=False,
                 separator='=')
+
+    def get_admin_cert(self):
+        """
+        Get the certificate for the admin user by checking the ldap entry
+        for the user
+        """
+        root_logger.debug('Trying to find the certificate for the admin user')
+        conn = None
+
+        try:
+            conn = ipaldap.IPAdmin(self.fqdn, self.ds_port)
+            conn.do_simple_bind(DN(('cn', 'Directory Manager')), self.dm_password)
+
+            entry_attrs = conn.get_entry(self.admin_user, ['usercertificate'])
+            admin_cert = entry_attrs.get('usercertificate')[0]
+        finally:
+            if conn is not None:
+                conn.unbind()
+
+        return base64.b64encode(admin_cert)
\ No newline at end of file
diff --git a/ipaserver/install/drminstance.py b/ipaserver/install/drminstance.py
index c4edd2cd4..a251e39a3 100644
--- a/ipaserver/install/drminstance.py
+++ b/ipaserver/install/drminstance.py
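Review bot: `self.admin_user` is anchored under `('o', 'ipaca')` while `self.basedn` on the line above is `ipa%s` for the current subsystem, so for a KRA instance the two point at different trees. If the admin entry deliberately always lives in the CA's tree (the DRM install in this patch reads it from there), record that: `# the admin entry always lives in the CA tree, even for non-CA subsystems`; otherwise derive it from `self.basedn` so the two cannot drift.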
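Review bot: `nolog_list.extend([self.admin_password, self.dm_password])` mutates the caller's list, so a caller that passes its own list gets both passwords appended as a side effect, and a reused list accumulates them across calls. Build the redaction tuple without touching the argument — `nolog = tuple(nolog_list or ()) + (self.admin_password, self.dm_password)` — which also removes the `if nolog_list is None` branch. The docstring of `spawn_instance` (cut by the hunk) should name the new parameter as extra secrets to redact from pkispawn's logged output.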
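Review bot: `entry_attrs.get('usercertificate')[0]` fails with an opaque TypeError when the admin entry carries no usercertificate (if `.get` has dict semantics it returns None) and IndexError if the list is empty; check and raise a descriptive error instead, e.g. `certs = entry_attrs.get('usercertificate') or []` then `if not certs: raise RuntimeError('admin entry %s has no usercertificate' % self.admin_user)`. The method binds as Directory Manager with `self.dm_password` against `self.fqdn:self.ds_port`; whether `ipaldap.IPAdmin` protects that connection with TLS is not visible here, so confirm the DM credential does not travel in the clear. The file also ends without a trailing newline.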
@@ -111,18 +111,6 @@ class DRMInstance(DogtagInstance):
 
         self.start_creation(runtime=210)
 
-    def start_instance(self):
-        DogtagInstance.start_instance(self)
-
-    def stop_instance(self):
-        DogtagInstance.stop_instance(self)
-
-    def restart_instance(self):
-        DogtagInstance.restart_instance(self)
-
-    def http_proxy(self):
-        DogtagInstance.http_proxy(self)
-
     def __spawn_instance(self):
         """
         Create and configure a new DRM instance using pkispawn.
@@ -172,8 +160,9 @@ class DRMInstance(DogtagInstance):
                    str(DN(('cn', 'ipa-ca-agent'), self.subject_base)))
         config.set("KRA", "pki_import_admin_cert", "True")
         config.set("KRA", "pki_admin_cert_file",
-                   "/root/.dogtag/pki-tomcat/ca_admin.cert")
-        config.set("KRA", "pki_client_admin_cert_p12", "/root/ca-agent.p12")
+                   DogtagInstance.ADMIN_CERT_PATH)
+        config.set("KRA", "pki_client_admin_cert_p12",
+                   DogtagInstance.AGENT_P12_PATH)
 
         # Directory server
         config.set("KRA", "pki_ds_ldap_port", str(self.ds_port))
@@ -222,6 +211,11 @@ class DRMInstance(DogtagInstance):
         pent = pwd.getpwnam(PKI_USER)
         os.chown("/tmp/drm.p12", pent.pw_uid, pent.pw_gid)
 
+        # create admin cert file if it does not exist
+        cert = DogtagInstance.get_admin_cert(self)
+        with open(DogtagInstance.ADMIN_CERT_PATH, "w") as admin_path:
+            admin_path.write(cert)
+
         # Security domain registration
         config.set("KRA", "pki_security_domain_hostname", self.master_host)
         config.set("KRA", "pki_security_domain_https_port", "443")
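Review bot: The comment `# create admin cert file if it does not exist` contradicts the code beneath it: `open(DogtagInstance.ADMIN_CERT_PATH, "w")` unconditionally overwrites the file with the certificate fetched from LDAP. Either guard it with `if not os.path.exists(DogtagInstance.ADMIN_CERT_PATH):` or, if refreshing from LDAP is the intent, change the comment to `# export the CA admin certificate from LDAP for pkispawn to import`. `DogtagInstance.get_admin_cert(self)` calls the inherited method through the base class; `cert = self.get_admin_cert()` is the plain form. The open() will also fail if `/root/.dogtag/pki-tomcat/` does not exist yet — presumably the CA's pkispawn created it, but that assumption deserves a check or a comment.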
@@ -942,6 +942,10 @@ class DsInstance(service.Service):
         2) If no value is found there, look in DS (start DS if necessary)
         3) Last resort, look in the certmap.conf itself
         4) If all fails, log loudly and return None
+
+        Note that this method can only be executed AFTER the ipa server
+        is configured, the api is initialized elsewhere and
+        that a ticket already have been acquired.
         """
         root_logger.debug(
             'Trying to find certificate subject base in sysupgrade')
@@ -963,25 +967,27 @@ class DsInstance(service.Service):
             if not ds_is_running:
                 try:
                     self.start()
+                    ds_is_running = True
                 except ipautil.CalledProcessError as e:
                     root_logger.error('Cannot start DS to find certificate '
                                       'subject base: %s', e)
-                else:
-                    ds_is_running = True
 
             if ds_is_running:
                 try:
                     api.Backend.ldap2.connect(autobind=True)
-                except errors.PublicError, e:
-                    root_logger.error('Cannot connect to DS to find certificate '
-                                      'subject base: %s', e)
-                else:
                     ret = api.Command['config_show']()
-                    api.Backend.ldap2.disconnect()
                     subject_base = str(
                         ret['result']['ipacertificatesubjectbase'][0])
                     root_logger.debug(
                         'Found certificate subject base in DS: %s', subject_base)
+                except errors.PublicError, e:
+                    root_logger.error('Cannot connect to DS to find certificate '
+                                      'subject base: %s', e)
+                finally:
+                    try:
+                        api.Backend.ldap2.disconnect()
+                    except:
+                        pass
 
             if not subject_base:
                 root_logger.debug('Unable to find certificate subject base in DS')
-- 
cgit
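Review bot: The added docstring sentence has grammar slips: `that a ticket already have been acquired` should read `a ticket has already been acquired`, and `the ipa server` → `the IPA server`. Since it documents a hard precondition for step 2 (the `api.Backend.ldap2.connect(autobind=True)` path in the following hunk), saying who is expected to satisfy it — the calling installer — would make the constraint actionable rather than merely descriptive.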
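Review bot: The new `finally:` wraps `api.Backend.ldap2.disconnect()` in a bare `except: pass`, which swallows everything — including KeyboardInterrupt and SystemExit — and hides genuine disconnect failures; it is only there because disconnect() is now reached even when connect() itself raised. Tracking whether the connection was opened and disconnecting only in that case removes the need to swallow anything, and the original try/else shape stays intact. The enclosing method's body continues outside the hunk (steps 3 and 4 of its docstring).
```python
            if ds_is_running:
                connected = False
                try:
                    api.Backend.ldap2.connect(autobind=True)
                    connected = True
                    ret = api.Command['config_show']()
                    # … unchanged: subject_base extraction and debug log …
                except errors.PublicError, e:
                    root_logger.error('Cannot connect to DS to find certificate '
                                      'subject base: %s', e)
                finally:
                    if connected:
                        api.Backend.ldap2.disconnect()
```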