Remove ra_db argument from CAInstance init

The ra_db argument to CAInstance init is a constant so it can
be removed. This constant corresponds to the default CertDB directory
and since CertDB now passes passwords to its inner NSSDatabase instance
we do need to care about having our own run_certutil() method.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
This commit is contained in:
Stanislav Laznicka 2017-02-14 16:54:43 +01:00 committed by Petr Vobornik
parent b367c3a622
commit 728a6bd422
3 changed files with 14 additions and 28 deletions

View File

@ -265,8 +265,7 @@ def install_step_0(standalone, replica_config, options):
'certmap.conf', 'subject_base', str(subject_base))
dsinstance.write_certmap_conf(realm_name, ca_subject)
ca = cainstance.CAInstance(realm_name, paths.IPA_RADB_DIR,
host_name=host_name)
ca = cainstance.CAInstance(realm_name, host_name=host_name)
ca.configure_instance(host_name, dm_password, dm_password,
subject_base=subject_base,
ca_subject=ca_subject,
@ -293,8 +292,7 @@ def install_step_1(standalone, replica_config, options):
subject_base = options._subject_base
basedn = ipautil.realm_to_suffix(realm_name)
ca = cainstance.CAInstance(realm_name, paths.IPA_RADB_DIR,
host_name=host_name)
ca = cainstance.CAInstance(realm_name, host_name=host_name)
ca.stop('pki-tomcat')
@ -356,7 +354,7 @@ def install_step_1(standalone, replica_config, options):
def uninstall():
ca_instance = cainstance.CAInstance(api.env.realm, paths.IPA_RADB_DIR)
ca_instance = cainstance.CAInstance(api.env.realm)
ca_instance.stop_tracking_certificates()
if ca_instance.is_configured():
ca_instance.uninstall()

View File

@ -294,7 +294,7 @@ class CAInstance(DogtagInstance):
('caSigningCert cert-pki-ca', 'ipaCACertRenewal'))
server_cert_name = 'Server-Cert cert-pki-ca'
def __init__(self, realm=None, ra_db=None, host_name=None):
def __init__(self, realm=None, host_name=None):
super(CAInstance, self).__init__(
realm=realm,
subsystem="CA",
@ -313,11 +313,8 @@ class CAInstance(DogtagInstance):
self.canickname = get_ca_nickname(realm)
else:
self.canickname = None
self.ra_agent_db = ra_db
if self.ra_agent_db is not None:
self.ra_agent_pwd = self.ra_agent_db + "/pwdfile.txt"
else:
self.ra_agent_pwd = None
self.ra_agent_db = paths.IPA_RADB_DIR
self.ra_agent_pwd = os.path.join(self.ra_agent_db, "pwdfile.txt")
self.ra_cert = None
self.requestId = None
self.log = log_mgr.get_logger(self)
@ -738,16 +735,6 @@ class CAInstance(DogtagInstance):
conn.disconnect()
def __run_certutil(self, args, database=None, pwd_file=None, stdin=None,
**kwargs):
if not database:
database = self.ra_agent_db
if not pwd_file:
pwd_file = self.ra_agent_pwd
new_args = [paths.CERTUTIL, "-d", database, "-f", pwd_file]
new_args = new_args + args
return ipautil.run(new_args, stdin, nolog=(pwd_file,), **kwargs)
def __get_ca_chain(self):
try:
return dogtag.get_ca_certchain(ca_host=self.fqdn)
@ -787,7 +774,7 @@ class CAInstance(DogtagInstance):
else:
nick = str(subject_dn)
trust_flags = ',,'
self.__run_certutil(
certdb.run_certutil(
['-A', '-t', trust_flags, '-n', nick, '-a',
'-i', chain_file.name]
)
@ -848,7 +835,8 @@ class CAInstance(DogtagInstance):
post_command='renew_ra_cert')
self.requestId = str(reqId)
result = self.__run_certutil(
certdb = certs.CertDB(self.realm)
result = certdb.run_certutil(
['-L', '-n', 'ipaCert', '-a'], capture_output=True)
self.ra_cert = x509.strip_header(result.output)
self.ra_cert = "\n".join(
@ -1013,8 +1001,8 @@ class CAInstance(DogtagInstance):
ca='dogtag-ipa-ca-renew-agent',
nickname='ipaCert',
pin=None,
pinfile=os.path.join(paths.IPA_RADB_DIR, 'pwdfile.txt'),
secdir=paths.IPA_RADB_DIR,
pinfile=self.ra_agent_pwd,
secdir=self.ra_agent_db,
pre_command='renew_ra_cert_pre',
post_command='renew_ra_cert')
except RuntimeError as e:
@ -1033,7 +1021,7 @@ class CAInstance(DogtagInstance):
certmonger.stop_tracking(self.nss_db, nickname=nickname)
try:
certmonger.stop_tracking(paths.IPA_RADB_DIR, nickname='ipaCert')
certmonger.stop_tracking(self.ra_agent_db, nickname='ipaCert')
except RuntimeError as e:
root_logger.error(
"certmonger failed to stop tracking certificate: %s", e)
@ -1859,5 +1847,5 @@ if __name__ == "__main__":
standard_logging_setup("install.log")
ds = dsinstance.DsInstance()
ca = CAInstance("EXAMPLE.COM", paths.HTTPD_ALIAS_DIR)
ca = CAInstance("EXAMPLE.COM")
ca.configure_instance("catest.example.com", "password", "password")

View File

@ -1540,7 +1540,7 @@ def upgrade_configuration():
sub_dict['SUBJECT_BASE'] = subject_base
ca = cainstance.CAInstance(
api.env.realm, paths.IPA_RADB_DIR, host_name=api.env.host)
api.env.realm, host_name=api.env.host)
ca_running = ca.is_running()
# create passswd.txt file in PKI_TOMCAT_ALIAS_DIR if it does not exist