Rationalize creation of RA and HTTPD NSS databases

The RA database sould not be created by the HTTP instance, but in the code path that creates the CA instance. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2024-12-27 09:21:59 -06:00 · 2016-12-22 18:55:33 -05:00 · 2016-12-22 18:55:33 -05:00 · 4bd2d6ad46
commit 4bd2d6ad46
parent 4fd89833ee
4 changed files with 51 additions and 37 deletions
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@ -23,6 +23,7 @@ import sys
 import tempfile
 import shutil
 import xml.dom.minidom
+import grp
 import pwd
 import base64
 import fcntl
@ -76,7 +77,8 @@ class CertDB(object):
    """
    # TODO: Remove all selfsign code
    def __init__(self, realm, nssdir=paths.IPA_RADB_DIR, fstore=None,
-                 host_name=None, subject_base=None, ca_subject=None):
+                 host_name=None, subject_base=None, ca_subject=None,
+                 user=None, group=None, mode=None, truncate=False):
        self.nssdb = NSSDatabase(nssdir)

        self.secdir = nssdir
@ -101,14 +103,29 @@ class CertDB(object):

        self.cacert_name = get_ca_nickname(self.realm)

-        # We are going to set the owner of all of the cert
-        # files to the owner of the containing directory
-        # instead of that of the process. This works when
-        # this is called by root for a daemon that runs as
-        # a normal user
-        mode = os.stat(self.secdir)
-        self.uid = mode[stat.ST_UID]
-        self.gid = mode[stat.ST_GID]
+        self.user = user
+        self.group = group
+        self.mode = mode
+        self.uid = 0
+        self.gid = 0
+
+        if not truncate and os.path.exists(self.secdir):
+            # We are going to set the owner of all of the cert
+            # files to the owner of the containing directory
+            # instead of that of the process. This works when
+            # this is called by root for a daemon that runs as
+            # a normal user
+            mode = os.stat(self.secdir)
+            self.uid = mode[stat.ST_UID]
+            self.gid = mode[stat.ST_GID]
+        else:
+            if user is not None:
+                pu = pwd.getpwnam(user)
+                self.uid = pu.pw_uid
+                self.gid = pu.pw_gid
+            if group is not None:
+                self.gid = grp.getgrnam(group).gr_gid
+            self.create_certdbs()

        if fstore:
            self.fstore = fstore
@ -189,10 +206,8 @@ class CertDB(object):
        self.set_perms(self.passwd_fname)

    def create_certdbs(self):
-        ipautil.backup_file(self.certdb_fname)
-        ipautil.backup_file(self.keydb_fname)
-        ipautil.backup_file(self.secmod_fname)
-        self.nssdb.create_db()
+        self.nssdb.create_db(user=self.user, group=self.group, mode=self.mode,
+                             backup=True)
        self.set_perms(self.passwd_fname, write=True)

    def list_certs(self):
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@ -30,12 +30,11 @@ import locale

 import six

-from ipalib.constants import IPAAPI_USER, IPAAPI_GROUP
+from ipalib.constants import IPAAPI_USER
 from ipalib.install import certmonger
 from ipaserver.install import service
 from ipaserver.install import certs
 from ipaserver.install import installutils
-from ipapython import certdb
 from ipapython import dogtag
 from ipapython import ipautil
 from ipapython.dn import DN
@ -314,12 +313,6 @@ class HTTPInstance(service.Service):
            if certmonger_stopped:
                certmonger.stop()

-    def create_cert_dbs(self):
-        nssdb = certdb.NSSDatabase(nssdir=paths.HTTPD_ALIAS_DIR)
-        nssdb.create_db(user="root", group=constants.HTTPD_GROUP, backup=True)
-        nssdb = certdb.NSSDatabase(nssdir=paths.IPA_RADB_DIR)
-        nssdb.create_db(user=IPAAPI_USER, group=IPAAPI_GROUP, backup=True)
-
    def request_anon_keytab(self):
        parent = os.path.dirname(paths.ANON_KEYTAB)
        if not os.path.exists(parent):
@ -350,7 +343,9 @@ class HTTPInstance(service.Service):

    def __setup_ssl(self):
        db = certs.CertDB(self.realm, nssdir=paths.HTTPD_ALIAS_DIR,
-                          subject_base=self.subject_base)
+                          subject_base=self.subject_base, user="root",
+                          group=constants.HTTPD_GROUP,
+                          truncate=(not self.promote))
        if self.pkcs12_info:
            if self.ca_is_configured:
                trust_flags = 'CT,C,C'
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@ -14,6 +14,7 @@ import textwrap

 import six

+from ipalib.constants import IPAAPI_USER, IPAAPI_GROUP
 from ipalib.install import certmonger, sysrestore
 from ipapython import ipautil
 from ipapython.ipa_log_manager import root_logger
@ -713,10 +714,6 @@ def install(installer):
    create_ipaapi_user()
    tasks.create_tmpfiles_dirs()

-    # create NSS Databases
-    http_instance = httpinstance.HTTPInstance()
-    http_instance.create_cert_dbs()
-
    # Create DS user/group if it doesn't exist yet
    dsinstance.create_ds_user()

@ -777,11 +774,15 @@ def install(installer):
                          if n in options.__dict__}
            write_cache(cache_vars)

+        # Create RA DB
+        radb = certs.CertDB(realm_name, nssdir=paths.IPA_RADB_DIR,
+                            user=IPAAPI_USER, group=IPAAPI_GROUP,
+                            truncate=True)
+
        ca.install_step_0(False, None, options)

-        # Now put the CA cert where other instances exepct it
-        ca_db = certs.CertDB(realm_name)
-        ca_db.publish_ca_cert(paths.IPA_CA_CRT)
+        # Now put the CA cert where other instances expect it
+        radb.publish_ca_cert(paths.IPA_CA_CRT)
    else:
        # Put the CA cert where other instances expect it
        x509.write_certificate(http_ca_cert, paths.IPA_CA_CRT)
@ -1114,6 +1115,11 @@ def uninstall(installer):
                          ' # getcert stop-tracking -i <request_id>\n'
                          'for each id in: %s' % ', '.join(ids))

+    try:
+        shutil.rmtree(paths.IPA_RADB_DIR)
+    except Exception:
+        pass
+
    # Remove the cert renewal lock file
    try:
        os.remove(paths.IPA_RENEWAL_LOCK)
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@ -26,6 +26,7 @@ from ipapython.dn import DN
 from ipapython.ipa_log_manager import root_logger
 from ipapython.admintool import ScriptError
 from ipaplatform import services
+from ipaplatform.constants import constants as pconstants
 from ipaplatform.tasks import tasks
 from ipaplatform.paths import paths
 from ipalib import api, constants, create_api, errors, rpc, x509
@ -77,13 +78,14 @@ def make_pkcs12_info(directory, cert_name, password_name):

 def install_http_certs(host_name, realm_name, subject_base):
    principal = 'HTTP/%s@%s' % (host_name, realm_name)
+    subject = subject_base or DN(('O', realm_name))
+    db = certs.CertDB(realm_name, nssdir=paths.HTTPD_ALIAS_DIR,
+                      subject_base=subject, user="root",
+                      group=pconstants.HTTPD_GROUP, truncate=True)
+    db.request_service_cert('Server-Cert', principal, host_name)
    # Obtain certificate for the HTTP service
    http = httpinstance.HTTPInstance()
    http.create_password_conf()
-    nssdir = paths.HTTPD_ALIAS_DIR
-    subject = subject_base or DN(('O', realm_name))
-    db = certs.CertDB(realm_name, nssdir=nssdir, subject_base=subject_base)
-    db.request_service_cert('Server-Cert', principal, host_name)


 def install_replica_ds(config, options, ca_is_configured, remote_api,
@ -1337,10 +1339,6 @@ def install(installer):

    dsinstance.create_ds_user()

-    # create NSS Databases
-    http_instance = httpinstance.HTTPInstance()
-    http_instance.create_cert_dbs()
-
    try:
        conn.connect(ccache=ccache)
        # Update and istall updated CA file