ipa-server-install: Make temporary pin files available for the whole installation

We pass names of files with pkcs12 pins to installers which may continue to use the files after the initial call to create_instance, at which point the installer has already removed them. Also, some of the files were not properly removed on failure. Use ipautil.write_tmp_file for the pin files, which returns a NamedTemporaryFile object that removes the underlying file when it is garbage-collected. Create the files at start of installation. This will allow checking the pkcs#12 files before the system is modified.
2025-02-25 18:55:28 -06:00 · 2013-03-08 14:37:38 +01:00 · 2013-03-08 14:37:38 +01:00 · 9c215b61ac
commit 9c215b61ac
parent cf8c532ca9
1 changed files with 21 additions and 37 deletions
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@ -70,7 +70,6 @@ from ipapython.dn import DN

 import ipaclient.ntpconf

-pw_name = None
 uninstalling = False
 installation_cleanup = True

@ -567,7 +566,6 @@ def set_subject_in_config(realm_name, dm_password, suffix, subject_base):

 def main():
    global ds
-    global pw_name
    global uninstalling
    global installation_cleanup
    ds = None
@ -697,6 +695,18 @@ def main():
                sys.exit(1)
            cert = certdict[certissuer]

+    if options.http_pkcs12:
+        http_pin_file = ipautil.write_tmp_file(options.http_pin)
+        http_pkcs12_info = (options.dirsrv_pkcs12, http_pin_file.name)
+
+    if options.dirsrv_pkcs12:
+        dirsrv_pin_file = ipautil.write_tmp_file(options.dirsrv_pin)
+        dirsrv_pkcs12_info = (options.dirsrv_pkcs12, dirsrv_pin_file.name)
+
+    if options.pkinit_pkcs12:
+        pkinit_pin_file = ipautil.write_tmp_file(options.pkinit_pin)
+        pkinit_pkcs12_info = (options.pkinit_pkcs12, pkinit_pin_file.name)
+
    # Figure out what external CA step we're in. See cainstance.py for more
    # info on the 3 states.
    if options.external_cert_file:
@ -942,12 +952,6 @@ def main():
        except ipautil.CalledProcessError, e:
            root_logger.critical("failed to add DS group: %s" % e)

-    if options.dirsrv_pin:
-        [pw_fd, pw_name] = tempfile.mkstemp()
-        os.write(pw_fd, options.dirsrv_pin)
-        os.close(pw_fd)
-        pkcs12_info = (options.dirsrv_pkcs12, pw_name)
-
    if external != 2:
        # Configure ntpd
        if options.conf_ntp:
@ -960,13 +964,10 @@ def main():
        ds = dsinstance.DsInstance(fstore=fstore)

        if options.dirsrv_pkcs12:
-            try:
-                ds.create_instance(realm_name, host_name, domain_name,
-                                dm_password, pkcs12_info,
-                                subject_base=options.subject,
-                                hbac_allow=not options.hbac_allow)
-            finally:
-                os.remove(pw_name)
+            ds.create_instance(realm_name, host_name, domain_name,
+                            dm_password, dirsrv_pkcs12_info,
+                            subject_base=options.subject,
+                            hbac_allow=not options.hbac_allow)
        else:
            ds.create_instance(realm_name, host_name, domain_name,
                            dm_password, self_signed_ca=options.selfsign,
@ -1052,19 +1053,12 @@ def main():
    # Upload the CA cert to the directory
    ds.upload_ca_cert()

-    # Create a kerberos instance
-    if options.pkinit_pin:
-        [pw_fd, pw_name] = tempfile.mkstemp()
-        os.write(pw_fd, options.dirsrv_pin)
-        os.close(pw_fd)
-
    krb = krbinstance.KrbInstance(fstore)
    if options.pkinit_pkcs12:
-        pkcs12_info = (options.pkinit_pkcs12, pw_name)
        krb.create_instance(realm_name, host_name, domain_name,
                            dm_password, master_password,
                            setup_pkinit=options.setup_pkinit,
-                            pkcs12_info=pkcs12_info,
+                            pkcs12_info=pkinit_pkcs12_info,
                            subject_base=options.subject)
    else:
        krb.create_instance(realm_name, host_name, domain_name,
@ -1073,28 +1067,21 @@ def main():
                            self_signed_ca=options.selfsign,
                            subject_base=options.subject)

-    if options.pkinit_pin:
-        os.remove(pw_name)
-
    # The DS instance is created before the keytab, add the SSL cert we
    # generated
    ds.add_cert_to_service()

    # Create a HTTP instance

-    if options.http_pin:
-        [pw_fd, pw_name] = tempfile.mkstemp()
-        os.write(pw_fd, options.http_pin)
-        os.close(pw_fd)
-
    memcache = memcacheinstance.MemcacheInstance()
    memcache.create_instance('MEMCACHE', host_name, dm_password, ipautil.realm_to_suffix(realm_name))

    http = httpinstance.HTTPInstance(fstore)
    if options.http_pkcs12:
-        pkcs12_info = (options.http_pkcs12, pw_name)
-        http.create_instance(realm_name, host_name, domain_name, dm_password, autoconfig=False, pkcs12_info=pkcs12_info, subject_base=options.subject, auto_redirect=options.ui_redirect)
-        os.remove(pw_name)
+        http.create_instance(
+            realm_name, host_name, domain_name, dm_password, autoconfig=False,
+            pkcs12_info=http_pkcs12_info, subject_base=options.subject,
+            auto_redirect=options.ui_redirect)
    else:
        http.create_instance(realm_name, host_name, domain_name, dm_password, autoconfig=True, self_signed_ca=options.selfsign, subject_base=options.subject, auto_redirect=options.ui_redirect)
    ipaservices.restore_context("/var/cache/ipa/sessions")
@ -1220,9 +1207,6 @@ if __name__ == '__main__':
        success = True

    finally:
-        if pw_name and ipautil.file_exists(pw_name):
-            os.remove(pw_name)
-
        if not success and installation_cleanup:
            # Do a cautious clean up as we don't know what failed and what is
            # the state of the environment