cainstance: extract function import_ra_key

After upgrading a deployment from CA-less to CA-ful it is necessary to install the RA Agent credential on non-CA servers. To facilitate this, extract this behaviour from CAInstance so that it is callable from other code. Several other methods became @staticmethod as a result of this change. This makes those methods callable without an instance of CAInstance and also documents that those methods do not use 'self'. Part of: https://pagure.io/freeipa/issue/7188 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2025-02-25 18:55:28 -06:00 · 2020-06-29 14:06:18 +10:00 · 2020-06-29 14:06:18 +10:00 · a1b3b34b90
commit a1b3b34b90
parent 2fcc260cae
2 changed files with 15 additions and 9 deletions
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@ -722,17 +722,15 @@ class CAInstance(DogtagInstance):
                         "-clcerts", "-nokeys",
                         "-out", paths.RA_AGENT_PEM,
                         "-passin", pwdarg])
-        self.__set_ra_cert_perms()
+        self._set_ra_cert_perms()

        self.configure_agent_renewal()

    def __import_ra_key(self):
-        self._custodia.import_ra_key()
-        self.__set_ra_cert_perms()
+        import_ra_key(self._custodia)

-        self.configure_agent_renewal()
-
-    def __set_ra_cert_perms(self):
+    @staticmethod
+    def _set_ra_cert_perms():
        """
        Sets the correct permissions for the RA_AGENT_PEM, RA_AGENT_KEY files
        """
@ -889,7 +887,7 @@ class CAInstance(DogtagInstance):
                storage="FILE",
                resubmit_timeout=api.env.certmonger_wait_timeout
            )
-            self.__set_ra_cert_perms()
+            self._set_ra_cert_perms()

            self.requestId = str(reqId)
            self.ra_cert = x509.load_certificate_from_file(
@ -1063,7 +1061,8 @@ class CAInstance(DogtagInstance):
                ca_iface.Set('org.fedorahosted.certmonger.ca',
                             'external-helper', helper)

-    def configure_agent_renewal(self):
+    @staticmethod
+    def configure_agent_renewal():
        try:
            certmonger.start_tracking(
                certpath=(paths.RA_AGENT_PEM, paths.RA_AGENT_KEY),
@ -2223,6 +2222,12 @@ def update_ipa_conf(ca_host=None):
        parser.write(f)


+def import_ra_key(custodia):
+    custodia.import_ra_key()
+    CAInstance._set_ra_cert_perms()
+    CAInstance.configure_agent_renewal()
+
+
 if __name__ == "__main__":
    standard_logging_setup("install.log")
    ds = dsinstance.DsInstance()
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@ -386,7 +386,8 @@ class DogtagInstance(service.Service):
            fd.write(template)
            os.fchmod(fd.fileno(), 0o640)

-    def configure_certmonger_renewal_helpers(self):
+    @staticmethod
+    def configure_certmonger_renewal_helpers():
        """
        Create a new CA type for certmonger that will retrieve updated
        certificates from the dogtag master server.