Use single Custodia instance in installers

Installers now pass a single CustodiaInstance object around, instead of
creating new instances on demand. In case of replica promotion with CA,
the instance gets all secrets from a master with CA present. Before, an
installer created multiple instances and may have requested the CA key
material from a different master than the one that supplied the DM
password hash.

In case of Domain Level 1 and replica promotion, the CustodiaInstance no
longer adds the keys to the local instance and waits for replication to
other replica. Instead the installer directly uploads the new public
keys to the remote 389-DS instance.

Without promotion, new Custodia public keys are still added to local
389-DS over LDAPI.

Fixes: https://pagure.io/freeipa/issue/7518
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
This commit is contained in:
Christian Heimes
2018-04-26 12:06:36 +02:00
parent 84e60e5f99
commit 994f71ac8a
8 changed files with 155 additions and 74 deletions


@@ -64,7 +64,6 @@ from ipapython.ipa_log_manager import standard_logging_setup
from ipaserver.secrets.kem import IPAKEMKeys
from ipaserver.install import certs
from ipaserver.install import custodiainstance
from ipaserver.install import dsinstance
from ipaserver.install import installutils
from ipaserver.install import ldapupdate
@@ -298,7 +297,7 @@ class CAInstance(DogtagInstance):
'caSigningCert cert-pki-ca')
server_cert_name = 'Server-Cert cert-pki-ca'
def __init__(self, realm=None, host_name=None):
def __init__(self, realm=None, host_name=None, custodia=None):
super(CAInstance, self).__init__(
realm=realm,
subsystem="CA",
@@ -323,6 +322,8 @@ class CAInstance(DogtagInstance):
self.no_db_setup = False
self.keytab = os.path.join(
paths.PKI_TOMCAT, self.service_prefix + '.keytab')
# Custodia instance for RA key retrieval
self._custodia = custodia
def configure_instance(self, host_name, dm_password, admin_password,
pkcs12_info=None, master_host=None, csr_file=None,
@@ -761,9 +762,7 @@ class CAInstance(DogtagInstance):
self.configure_agent_renewal()
def __import_ra_key(self):
custodia = custodiainstance.CustodiaInstance(host_name=self.fqdn,
realm=self.realm)
custodia.import_ra_key(self.master_host)
self._custodia.import_ra_key(self.master_host)
self.__set_ra_cert_perms()
self.configure_agent_renewal()
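Review bot: The new `__import_ra_key` dereferences `self._custodia` unconditionally, but the constructor now accepts `custodia=None` as the default, so any caller that still builds `CAInstance(realm, host_name)` and then configures a replica CA fails late with an unhelpful `AttributeError: 'NoneType' object has no attribute 'import_ra_key'` instead of a clear configuration error. A guard at the top of the method makes the new contract explicit: `if self._custodia is None:` / `    raise RuntimeError("CAInstance needs a CustodiaInstance to import the RA key")` / `self._custodia.import_ra_key(self.master_host)`. Since the point of the change is that RA key material and the DM password hash come from the same master, it would also help to say in the `__init__` comment that the caller is expected to pass the installer's single shared instance, e.g. `# Shared installer CustodiaInstance; required when importing the RA key from master_host`. The rest of `CAInstance`, including where `master_host` is set, lies outside this hunk, so I cannot confirm every construction site was updated.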