Rationalize creation of RA and HTTPD NSS databases

The RA database sould not be created by the HTTP instance,
but in the code path that creates the CA instance.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>

ipaserver/install/certs.py

@@ -23,6 +23,7 @@ import sys
 import tempfile
 import shutil
 import xml.dom.minidom
+import grp
 import pwd
 import base64
 import fcntl
@@ -76,7 +77,8 @@ class CertDB(object):
     """
     # TODO: Remove all selfsign code
     def __init__(self, realm, nssdir=paths.IPA_RADB_DIR, fstore=None,
-                 host_name=None, subject_base=None, ca_subject=None):
+                 host_name=None, subject_base=None, ca_subject=None,
+                 user=None, group=None, mode=None, truncate=False):
         self.nssdb = NSSDatabase(nssdir)
 
         self.secdir = nssdir
@@ -101,14 +103,29 @@ class CertDB(object):
 
         self.cacert_name = get_ca_nickname(self.realm)
 
-        # We are going to set the owner of all of the cert
+        self.user = user
-        # files to the owner of the containing directory
+        self.group = group
-        # instead of that of the process. This works when
+        self.mode = mode
-        # this is called by root for a daemon that runs as
+        self.uid = 0
-        # a normal user
+        self.gid = 0
-        mode = os.stat(self.secdir)
+
-        self.uid = mode[stat.ST_UID]
+        if not truncate and os.path.exists(self.secdir):
-        self.gid = mode[stat.ST_GID]
+            # We are going to set the owner of all of the cert
+            # files to the owner of the containing directory
+            # instead of that of the process. This works when
+            # this is called by root for a daemon that runs as
+            # a normal user
+            mode = os.stat(self.secdir)
+            self.uid = mode[stat.ST_UID]
+            self.gid = mode[stat.ST_GID]
+        else:
+            if user is not None:
+                pu = pwd.getpwnam(user)
+                self.uid = pu.pw_uid
+                self.gid = pu.pw_gid
+            if group is not None:
+                self.gid = grp.getgrnam(group).gr_gid
+            self.create_certdbs()
 
         if fstore:
             self.fstore = fstore
@@ -189,10 +206,8 @@ class CertDB(object):
         self.set_perms(self.passwd_fname)
 
     def create_certdbs(self):
-        ipautil.backup_file(self.certdb_fname)
+        self.nssdb.create_db(user=self.user, group=self.group, mode=self.mode,
-        ipautil.backup_file(self.keydb_fname)
+                             backup=True)
-        ipautil.backup_file(self.secmod_fname)
-        self.nssdb.create_db()
         self.set_perms(self.passwd_fname, write=True)
 
     def list_certs(self):

ipaserver/install/httpinstance.py

@@ -30,12 +30,11 @@ import locale
 
 import six
 
-from ipalib.constants import IPAAPI_USER, IPAAPI_GROUP
+from ipalib.constants import IPAAPI_USER
 from ipalib.install import certmonger
 from ipaserver.install import service
 from ipaserver.install import certs
 from ipaserver.install import installutils
-from ipapython import certdb
 from ipapython import dogtag
 from ipapython import ipautil
 from ipapython.dn import DN
@@ -314,12 +313,6 @@ class HTTPInstance(service.Service):
             if certmonger_stopped:
                 certmonger.stop()
 
-    def create_cert_dbs(self):
-        nssdb = certdb.NSSDatabase(nssdir=paths.HTTPD_ALIAS_DIR)
-        nssdb.create_db(user="root", group=constants.HTTPD_GROUP, backup=True)
-        nssdb = certdb.NSSDatabase(nssdir=paths.IPA_RADB_DIR)
-        nssdb.create_db(user=IPAAPI_USER, group=IPAAPI_GROUP, backup=True)
-
     def request_anon_keytab(self):
         parent = os.path.dirname(paths.ANON_KEYTAB)
         if not os.path.exists(parent):
@@ -350,7 +343,9 @@ class HTTPInstance(service.Service):
 
     def __setup_ssl(self):
         db = certs.CertDB(self.realm, nssdir=paths.HTTPD_ALIAS_DIR,
-                          subject_base=self.subject_base)
+                          subject_base=self.subject_base, user="root",
+                          group=constants.HTTPD_GROUP,
+                          truncate=(not self.promote))
         if self.pkcs12_info:
             if self.ca_is_configured:
                 trust_flags = 'CT,C,C'

ipaserver/install/server/install.py

@@ -14,6 +14,7 @@ import textwrap
 
 import six
 
+from ipalib.constants import IPAAPI_USER, IPAAPI_GROUP
 from ipalib.install import certmonger, sysrestore
 from ipapython import ipautil
 from ipapython.ipa_log_manager import root_logger
@@ -713,10 +714,6 @@ def install(installer):
     create_ipaapi_user()
     tasks.create_tmpfiles_dirs()
 
-    # create NSS Databases
-    http_instance = httpinstance.HTTPInstance()
-    http_instance.create_cert_dbs()
-
     # Create DS user/group if it doesn't exist yet
     dsinstance.create_ds_user()
 
@@ -777,11 +774,15 @@ def install(installer):
                           if n in options.__dict__}
             write_cache(cache_vars)
 
+        # Create RA DB
+        radb = certs.CertDB(realm_name, nssdir=paths.IPA_RADB_DIR,
+                            user=IPAAPI_USER, group=IPAAPI_GROUP,
+                            truncate=True)
+
         ca.install_step_0(False, None, options)
 
-        # Now put the CA cert where other instances exepct it
+        # Now put the CA cert where other instances expect it
-        ca_db = certs.CertDB(realm_name)
+        radb.publish_ca_cert(paths.IPA_CA_CRT)
-        ca_db.publish_ca_cert(paths.IPA_CA_CRT)
     else:
         # Put the CA cert where other instances expect it
         x509.write_certificate(http_ca_cert, paths.IPA_CA_CRT)
@@ -1114,6 +1115,11 @@ def uninstall(installer):
                           ' # getcert stop-tracking -i <request_id>\n'
                           'for each id in: %s' % ', '.join(ids))
 
+    try:
+        shutil.rmtree(paths.IPA_RADB_DIR)
+    except Exception:
+        pass
+
     # Remove the cert renewal lock file
     try:
         os.remove(paths.IPA_RENEWAL_LOCK)

ipaserver/install/server/replicainstall.py

@@ -26,6 +26,7 @@ from ipapython.dn import DN
 from ipapython.ipa_log_manager import root_logger
 from ipapython.admintool import ScriptError
 from ipaplatform import services
+from ipaplatform.constants import constants as pconstants
 from ipaplatform.tasks import tasks
 from ipaplatform.paths import paths
 from ipalib import api, constants, create_api, errors, rpc, x509
@@ -77,13 +78,14 @@ def make_pkcs12_info(directory, cert_name, password_name):
 
 def install_http_certs(host_name, realm_name, subject_base):
     principal = 'HTTP/%s@%s' % (host_name, realm_name)
+    subject = subject_base or DN(('O', realm_name))
+    db = certs.CertDB(realm_name, nssdir=paths.HTTPD_ALIAS_DIR,
+                      subject_base=subject, user="root",
+                      group=pconstants.HTTPD_GROUP, truncate=True)
+    db.request_service_cert('Server-Cert', principal, host_name)
     # Obtain certificate for the HTTP service
     http = httpinstance.HTTPInstance()
     http.create_password_conf()
-    nssdir = paths.HTTPD_ALIAS_DIR
-    subject = subject_base or DN(('O', realm_name))
-    db = certs.CertDB(realm_name, nssdir=nssdir, subject_base=subject_base)
-    db.request_service_cert('Server-Cert', principal, host_name)
 
 
 def install_replica_ds(config, options, ca_is_configured, remote_api,
@@ -1337,10 +1339,6 @@ def install(installer):
 
     dsinstance.create_ds_user()
 
-    # create NSS Databases
-    http_instance = httpinstance.HTTPInstance()
-    http_instance.create_cert_dbs()
-
     try:
         conn.connect(ccache=ccache)
         # Update and istall updated CA file