From a1b3b34b906808c2deb69a3838edd0cf4739b467 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Mon, 29 Jun 2020 14:06:18 +1000 Subject: [PATCH] cainstance: extract function import_ra_key After upgrading a deployment from CA-less to CA-ful it is necessary to install the RA Agent credential on non-CA servers. To facilitate this, extract this behaviour from CAInstance so that it is callable from other code. Several other methods became @staticmethod as a result of this change. This makes those methods callable without an instance of CAInstance and also documents that those methods do not use 'self'. Part of: https://pagure.io/freeipa/issue/7188 Reviewed-By: Florence Blanc-Renaud --- ipaserver/install/cainstance.py | 21 +++++++++++++-------- ipaserver/install/dogtaginstance.py | 3 ++- 2 files changed, 15 insertions(+), 9 deletions(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 9b9d32f5e..f44ca2ff4 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -722,17 +722,15 @@ class CAInstance(DogtagInstance): "-clcerts", "-nokeys", "-out", paths.RA_AGENT_PEM, "-passin", pwdarg]) - self.__set_ra_cert_perms() + self._set_ra_cert_perms() self.configure_agent_renewal() def __import_ra_key(self): - self._custodia.import_ra_key() - self.__set_ra_cert_perms() + import_ra_key(self._custodia) - self.configure_agent_renewal() - - def __set_ra_cert_perms(self): + @staticmethod + def _set_ra_cert_perms(): """ Sets the correct permissions for the RA_AGENT_PEM, RA_AGENT_KEY files """ @@ -889,7 +887,7 @@ class CAInstance(DogtagInstance): storage="FILE", resubmit_timeout=api.env.certmonger_wait_timeout ) - self.__set_ra_cert_perms() + self._set_ra_cert_perms() self.requestId = str(reqId) self.ra_cert = x509.load_certificate_from_file( 
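Review bot: Renaming `__set_ra_cert_perms` to `_set_ra_cert_perms` in the `@@ -722` hunk drops name mangling, so a subclass of `CAInstance` can now override it, while the module-level `import_ra_key()` added later in this patch calls `CAInstance._set_ra_cert_perms()` by class name and would bypass such an override. Because this method sets the permissions on the `RA_AGENT_PEM` and `RA_AGENT_KEY` files, the two call paths should not be able to diverge silently. A comment above the decorator such as `# static and single-underscore on purpose: import_ra_key() calls this as CAInstance._set_ra_cert_perms()` would record the constraint. The docstring could also name the owner and mode it applies; those are set in the part of the body that lies outside this hunk.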
@@ -1063,7 +1061,8 @@ class CAInstance(DogtagInstance): ca_iface.Set('org.fedorahosted.certmonger.ca', 'external-helper', helper) - def configure_agent_renewal(self): + @staticmethod + def configure_agent_renewal(): try: certmonger.start_tracking( certpath=(paths.RA_AGENT_PEM, paths.RA_AGENT_KEY), @@ -2223,6 +2222,12 @@ def update_ipa_conf(ca_host=None): parser.write(f) +def import_ra_key(custodia): + custodia.import_ra_key() + CAInstance._set_ra_cert_perms() + CAInstance.configure_agent_renewal() + + if __name__ == "__main__": standard_logging_setup("install.log") ds = dsinstance.DsInstance() diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py index 058aa24fe..d590cefe5 100644 --- a/ipaserver/install/dogtaginstance.py +++ b/ipaserver/install/dogtaginstance.py @@ -386,7 +386,8 @@ class DogtagInstance(service.Service): fd.write(template) os.fchmod(fd.fileno(), 0o640) - def configure_certmonger_renewal_helpers(self): + @staticmethod + def configure_certmonger_renewal_helpers(): """ Create a new CA type for certmonger that will retrieve updated certificates from the dogtag master server.
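Review bot: In the `@@ -2223` hunk, `import_ra_key()` is introduced as the entry point for other code but has no docstring, and it relies on `custodia.import_ra_key()` having put the RA agent key in place before `CAInstance._set_ra_cert_perms()` adjusts the file permissions. How the key file is created is not visible in this patch, so it is worth confirming that it is created with a restrictive mode rather than relying on the follow-up call, and that an exception in the permission step does not leave the key behind with its creation mode. A docstring along the lines of `"""Import the RA agent key through custodia, set its file permissions, then start certmonger tracking; intended for non-CA servers after a CA-less to CA-ful upgrade."""` would state the order and the intended caller. Whether a certmonger failure propagates to the caller depends on the handler of the `try:` in `configure_agent_renewal()`, which is outside the `@@ -1063` hunk.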