Remove DL0 specific code from kra in ipaserver/install

The code to add missing KRA certificates has been removed from install_check,
as it was only reached when replica_config is not None and promote was False,
i.e. for DL0 replica installations. The same applies to the other places.

Promote is now hard set to True if replica_config is not None in install
for later use in krainstance.

See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Thomas Woerner 2018-09-10 15:07:55 +02:00
parent eaae9935f4
commit 71e19f11b4


@ -9,13 +9,11 @@ KRA installer module
from __future__ import absolute_import from __future__ import absolute_import
import os import os
import shutil
from ipalib import api from ipalib import api
from ipalib.install.kinit import kinit_keytab from ipalib.install.kinit import kinit_keytab
from ipaplatform import services from ipaplatform import services
from ipaplatform.paths import paths from ipaplatform.paths import paths
from ipapython import certdb
from ipapython import ipautil from ipapython import ipautil
from ipapython.install.core import group from ipapython.install.core import group
from ipaserver.install import cainstance from ipaserver.install import cainstance
@ -52,22 +50,6 @@ def install_check(api, replica_config, options):
"KRA is not installed on the master system. Please use " "KRA is not installed on the master system. Please use "
"'ipa-kra-install' command to install the first instance.") "'ipa-kra-install' command to install the first instance.")
if options.promote:
return
with certdb.NSSDatabase() as tmpdb:
tmpdb.create_db()
tmpdb.import_pkcs12(replica_config.dir + "/cacert.p12",
replica_config.dirman_password)
kra_cert_nicknames = [
"storageCert cert-pki-kra", "transportCert cert-pki-kra",
"auditSigningCert cert-pki-kra"
]
if not all(tmpdb.has_nickname(nickname)
for nickname in kra_cert_nicknames):
raise RuntimeError("Missing KRA certificates, please create a "
"new replica file.")
def install(api, replica_config, options, custodia): def install(api, replica_config, options, custodia):
if replica_config is None: if replica_config is None:
@ -85,23 +67,15 @@ def install(api, replica_config, options, custodia):
if not replica_config.setup_kra: if not replica_config.setup_kra:
return return
krafile = os.path.join(replica_config.dir, 'kracert.p12') krafile = os.path.join(replica_config.dir, 'kracert.p12')
if options.promote: with ipautil.private_ccache():
with ipautil.private_ccache(): ccache = os.environ['KRB5CCNAME']
ccache = os.environ['KRB5CCNAME'] kinit_keytab(
kinit_keytab( 'host/{env.host}@{env.realm}'.format(env=api.env),
'host/{env.host}@{env.realm}'.format(env=api.env), paths.KRB5_KEYTAB,
paths.KRB5_KEYTAB, ccache)
ccache) custodia.get_kra_keys(
custodia.get_kra_keys( krafile,
krafile, replica_config.dirman_password)
replica_config.dirman_password)
else:
cafile = os.path.join(replica_config.dir, 'cacert.p12')
if not os.path.isfile(cafile):
raise RuntimeError(
"Unable to clone KRA."
" cacert.p12 file not found in replica file")
shutil.copy(cafile, krafile)
realm_name = replica_config.realm_name realm_name = replica_config.realm_name
dm_password = replica_config.dirman_password dm_password = replica_config.dirman_password
@ -110,7 +84,7 @@ def install(api, replica_config, options, custodia):
pkcs12_info = (krafile,) pkcs12_info = (krafile,)
master_host = replica_config.kra_host_name master_host = replica_config.kra_host_name
promote = options.promote promote = True
kra = krainstance.KRAInstance(realm_name) kra = krainstance.KRAInstance(realm_name)
kra.configure_instance(realm_name, host_name, dm_password, dm_password, kra.configure_instance(realm_name, host_name, dm_password, dm_password,