Remove ra_db argument from CAInstance init

The ra_db argument to CAInstance init is a constant so it can
be removed. This constant corresponds to the default CertDB directory
and since CertDB now passes passwords to its inner NSSDatabase instance
we do need to care about having our own run_certutil() method.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>

ipaserver/install/ca.py

@@ -265,8 +265,7 @@ def install_step_0(standalone, replica_config, options):
         'certmap.conf', 'subject_base', str(subject_base))
     dsinstance.write_certmap_conf(realm_name, ca_subject)
 
-    ca = cainstance.CAInstance(realm_name, paths.IPA_RADB_DIR,
+    ca = cainstance.CAInstance(realm_name, host_name=host_name)
-                               host_name=host_name)
     ca.configure_instance(host_name, dm_password, dm_password,
                           subject_base=subject_base,
                           ca_subject=ca_subject,
@@ -293,8 +292,7 @@ def install_step_1(standalone, replica_config, options):
     subject_base = options._subject_base
     basedn = ipautil.realm_to_suffix(realm_name)
 
-    ca = cainstance.CAInstance(realm_name, paths.IPA_RADB_DIR,
+    ca = cainstance.CAInstance(realm_name, host_name=host_name)
-                               host_name=host_name)
 
     ca.stop('pki-tomcat')
 
@@ -356,7 +354,7 @@ def install_step_1(standalone, replica_config, options):
 
 
 def uninstall():
-    ca_instance = cainstance.CAInstance(api.env.realm, paths.IPA_RADB_DIR)
+    ca_instance = cainstance.CAInstance(api.env.realm)
     ca_instance.stop_tracking_certificates()
     if ca_instance.is_configured():
         ca_instance.uninstall()

ipaserver/install/cainstance.py

@@ -294,7 +294,7 @@ class CAInstance(DogtagInstance):
                      ('caSigningCert cert-pki-ca', 'ipaCACertRenewal'))
     server_cert_name = 'Server-Cert cert-pki-ca'
 
-    def __init__(self, realm=None, ra_db=None, host_name=None):
+    def __init__(self, realm=None, host_name=None):
         super(CAInstance, self).__init__(
             realm=realm,
             subsystem="CA",
@@ -313,11 +313,8 @@ class CAInstance(DogtagInstance):
             self.canickname = get_ca_nickname(realm)
         else:
             self.canickname = None
-        self.ra_agent_db = ra_db
+        self.ra_agent_db = paths.IPA_RADB_DIR
-        if self.ra_agent_db is not None:
+        self.ra_agent_pwd = os.path.join(self.ra_agent_db, "pwdfile.txt")
-            self.ra_agent_pwd = self.ra_agent_db + "/pwdfile.txt"
-        else:
-            self.ra_agent_pwd = None
         self.ra_cert = None
         self.requestId = None
         self.log = log_mgr.get_logger(self)
@@ -738,16 +735,6 @@ class CAInstance(DogtagInstance):
 
         conn.disconnect()
 
-    def __run_certutil(self, args, database=None, pwd_file=None, stdin=None,
-                       **kwargs):
-        if not database:
-            database = self.ra_agent_db
-        if not pwd_file:
-            pwd_file = self.ra_agent_pwd
-        new_args = [paths.CERTUTIL, "-d", database, "-f", pwd_file]
-        new_args = new_args + args
-        return ipautil.run(new_args, stdin, nolog=(pwd_file,), **kwargs)
-
     def __get_ca_chain(self):
         try:
             return dogtag.get_ca_certchain(ca_host=self.fqdn)
@@ -787,7 +774,7 @@ class CAInstance(DogtagInstance):
                 else:
                     nick = str(subject_dn)
                     trust_flags = ',,'
-                self.__run_certutil(
+                certdb.run_certutil(
                     ['-A', '-t', trust_flags, '-n', nick, '-a',
                      '-i', chain_file.name]
                 )
@@ -848,7 +835,8 @@ class CAInstance(DogtagInstance):
                 post_command='renew_ra_cert')
 
             self.requestId = str(reqId)
-            result = self.__run_certutil(
+            certdb = certs.CertDB(self.realm)
+            result = certdb.run_certutil(
                 ['-L', '-n', 'ipaCert', '-a'], capture_output=True)
             self.ra_cert = x509.strip_header(result.output)
             self.ra_cert = "\n".join(
@@ -1013,8 +1001,8 @@ class CAInstance(DogtagInstance):
                 ca='dogtag-ipa-ca-renew-agent',
                 nickname='ipaCert',
                 pin=None,
-                pinfile=os.path.join(paths.IPA_RADB_DIR, 'pwdfile.txt'),
+                pinfile=self.ra_agent_pwd,
-                secdir=paths.IPA_RADB_DIR,
+                secdir=self.ra_agent_db,
                 pre_command='renew_ra_cert_pre',
                 post_command='renew_ra_cert')
         except RuntimeError as e:
@@ -1033,7 +1021,7 @@ class CAInstance(DogtagInstance):
                 certmonger.stop_tracking(self.nss_db, nickname=nickname)
 
         try:
-            certmonger.stop_tracking(paths.IPA_RADB_DIR, nickname='ipaCert')
+            certmonger.stop_tracking(self.ra_agent_db, nickname='ipaCert')
         except RuntimeError as e:
             root_logger.error(
                 "certmonger failed to stop tracking certificate: %s", e)
@@ -1859,5 +1847,5 @@ if __name__ == "__main__":
     standard_logging_setup("install.log")
     ds = dsinstance.DsInstance()
 
-    ca = CAInstance("EXAMPLE.COM", paths.HTTPD_ALIAS_DIR)
+    ca = CAInstance("EXAMPLE.COM")
     ca.configure_instance("catest.example.com", "password", "password")

ipaserver/install/server/upgrade.py

@@ -1540,7 +1540,7 @@ def upgrade_configuration():
         sub_dict['SUBJECT_BASE'] = subject_base
 
     ca = cainstance.CAInstance(
-            api.env.realm, paths.IPA_RADB_DIR, host_name=api.env.host)
+            api.env.realm, host_name=api.env.host)
     ca_running = ca.is_running()
 
     # create passswd.txt file in PKI_TOMCAT_ALIAS_DIR if it does not exist