Remove DM password files after successfull pkispawn run
https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
This commit is contained in:
parent
728a6bd422
commit
a39effed76
@ -449,7 +449,10 @@ class CAInstance(DogtagInstance):
|
||||
self.step("configuring certmonger renewal for lightweight CAs",
|
||||
self.__add_lightweight_ca_tracking_requests)
|
||||
|
||||
self.start_creation(runtime=210)
|
||||
try:
|
||||
self.start_creation(runtime=210)
|
||||
finally:
|
||||
self.clean_pkispawn_files()
|
||||
|
||||
def __spawn_instance(self):
|
||||
"""
|
||||
@ -463,6 +466,9 @@ class CAInstance(DogtagInstance):
|
||||
os.close(cfg_fd)
|
||||
pent = pwd.getpwnam(self.service_user)
|
||||
os.chown(cfg_file, pent.pw_uid, pent.pw_gid)
|
||||
self.tmp_agent_db = tempfile.mkdtemp(
|
||||
prefix="tmp-", dir=paths.VAR_LIB_IPA)
|
||||
self.tmp_agent_pwd = ipautil.ipa_generate_password()
|
||||
|
||||
# Create CA configuration
|
||||
config = ConfigParser()
|
||||
@ -482,8 +488,8 @@ class CAInstance(DogtagInstance):
|
||||
ipautil.format_netloc(api.env.domain)))
|
||||
|
||||
# Client security database
|
||||
config.set("CA", "pki_client_database_dir", self.agent_db)
|
||||
config.set("CA", "pki_client_database_password", self.admin_password)
|
||||
config.set("CA", "pki_client_database_dir", self.tmp_agent_db)
|
||||
config.set("CA", "pki_client_database_password", self.tmp_agent_pwd)
|
||||
config.set("CA", "pki_client_database_purge", "False")
|
||||
config.set("CA", "pki_client_pkcs12_password", self.admin_password)
|
||||
|
||||
@ -787,7 +793,7 @@ class CAInstance(DogtagInstance):
|
||||
# create a temp file storing the pwd
|
||||
agent_file = tempfile.NamedTemporaryFile(
|
||||
mode="w", dir=paths.VAR_LIB_IPA, delete=False)
|
||||
agent_file.write(self.admin_password)
|
||||
agent_file.write(self.tmp_agent_pwd)
|
||||
agent_file.close()
|
||||
|
||||
# create a temp pem file storing the CA chain
|
||||
@ -807,7 +813,7 @@ class CAInstance(DogtagInstance):
|
||||
], stdin=data, capture_output=False)
|
||||
|
||||
agent_args = [paths.DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT,
|
||||
"--dbdir", self.agent_db,
|
||||
"--dbdir", self.tmp_agent_db,
|
||||
"--nickname", "ipa-ca-agent",
|
||||
"--cafile", chain_file.name,
|
||||
"--ee-url", 'http://%s:8080/ca/ee/ca/' % self.fqdn,
|
||||
|
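Review bot: The temporary file opened with `delete=False` at the top of the `@ -787` hunk now holds `self.tmp_agent_pwd` in clear text under `paths.VAR_LIB_IPA`, and nothing visible in this commit removes it: `clean_pkispawn_files()`, called from the new `finally:` in the first hunk, deletes only `tmp_agent_db` and the `/root/.dogtag/pki-tomcat/` subsystem directory. If `agent_file.name` is unlinked further down in the enclosing method (its start and end lie outside the hunk) this is fine; otherwise the unlink belongs in a `finally:` around the renew-agent call, e.g. `finally: os.remove(agent_file.name)`, so the password file does not survive a failed run either. A short comment next to `delete=False` naming where the file is removed would make the lifetime obvious to the next reader.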
@ -127,7 +127,7 @@ class DogtagInstance(service.Service):
|
||||
self.admin_dn = DN(('uid', self.admin_user),
|
||||
('ou', 'people'), ('o', 'ipaca'))
|
||||
self.admin_groups = None
|
||||
self.agent_db = tempfile.mkdtemp(prefix="tmp-", dir=paths.VAR_LIB_IPA)
|
||||
self.tmp_agent_db = None
|
||||
self.subsystem = subsystem
|
||||
self.security_domain_name = "IPA"
|
||||
# replication parameters
|
||||
@ -138,9 +138,6 @@ class DogtagInstance(service.Service):
|
||||
|
||||
self.log = log_mgr.get_logger(self)
|
||||
|
||||
def __del__(self):
|
||||
shutil.rmtree(self.agent_db, ignore_errors=True)
|
||||
|
||||
def is_installed(self):
|
||||
"""
|
||||
Determine if subsystem instance has been installed.
|
||||
@ -171,6 +168,14 @@ class DogtagInstance(service.Service):
|
||||
except ipautil.CalledProcessError as e:
|
||||
self.handle_setup_error(e)
|
||||
|
||||
def clean_pkispawn_files(self):
|
||||
if self.tmp_agent_db is not None:
|
||||
shutil.rmtree(self.tmp_agent_db, ignore_errors=True)
|
||||
|
||||
shutil.rmtree('/root/.dogtag/pki-tomcat/{subsystem}/'
|
||||
.format(subsystem=self.subsystem.lower()),
|
||||
ignore_errors=True)
|
||||
|
||||
def restart_instance(self):
|
||||
try:
|
||||
self.restart('pki-tomcat')
|
||||
|
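Review bot: `clean_pkispawn_files` in the `@ -171` hunk removes credential-bearing directories with `ignore_errors=True`, so a failed removal of `/root/.dogtag/pki-tomcat/<subsystem>/` or of `tmp_agent_db` goes unnoticed, which is the opposite of what the commit sets out to guarantee; passing an `onerror` callback that logs through `self.log` (assigned in `__init__` a few lines above) instead of `ignore_errors=True` lets an operator see that files were left behind. The method also lacks a docstring; `"""Remove the temporary client database and the pkispawn leftovers under /root/.dogtag for this subsystem; safe to call when nothing was created."""` would record why it must run from a `finally:`. Separately, `__init__` in the `@ -127` hunk initialises `self.tmp_agent_db = None` but not `self.tmp_agent_pwd`, which `CAInstance.__spawn_instance` assigns and a later `CAInstance` method reads; adding `self.tmp_agent_pwd = None` beside it keeps any code path that skips `__spawn_instance` from raising `AttributeError`.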
@ -134,7 +134,10 @@ class KRAInstance(DogtagInstance):
|
||||
|
||||
self.step("enabling KRA instance", self.__enable_instance)
|
||||
|
||||
self.start_creation(runtime=126)
|
||||
try:
|
||||
self.start_creation(runtime=126)
|
||||
finally:
|
||||
self.clean_pkispawn_files()
|
||||
|
||||
def __spawn_instance(self):
|
||||
"""
|
||||
@ -148,6 +151,8 @@ class KRAInstance(DogtagInstance):
|
||||
os.close(cfg_fd)
|
||||
pent = pwd.getpwnam(self.service_user)
|
||||
os.chown(cfg_file, pent.pw_uid, pent.pw_gid)
|
||||
self.tmp_agent_db = tempfile.mkdtemp(
|
||||
prefix="tmp-", dir=paths.VAR_LIB_IPA)
|
||||
|
||||
# Create KRA configuration
|
||||
config = ConfigParser()
|
||||
@ -170,9 +175,10 @@ class KRAInstance(DogtagInstance):
|
||||
config.set("KRA", "pki_backup_password", self.admin_password)
|
||||
|
||||
# Client security database
|
||||
config.set("KRA", "pki_client_database_dir", self.agent_db)
|
||||
config.set("KRA", "pki_client_database_password", self.admin_password)
|
||||
config.set("KRA", "pki_client_database_purge", "False")
|
||||
config.set("KRA", "pki_client_database_dir", self.tmp_agent_db)
|
||||
config.set("KRA", "pki_client_database_password",
|
||||
ipautil.ipa_generate_password())
|
||||
config.set("KRA", "pki_client_database_purge", "True")
|
||||
config.set("KRA", "pki_client_pkcs12_password", self.admin_password)
|
||||
|
||||
# Administrator
|
||||
|
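Review bot: The `@ -170` hunk sets `pki_client_database_purge` to `"True"` and discards the generated client password, while the CA hunk in the same commit keeps `"False"` and stores the password in `self.tmp_agent_pwd`; the reason for the difference (the CA appears to reuse `tmp_agent_db` for the `ipa-ca-renew-agent` call, the KRA presumably does not) is not recorded anywhere. A one-line comment above `config.set("KRA", "pki_client_database_purge", "True")`, e.g. `# the KRA client DB is not reused after pkispawn, so let pkispawn purge it`, would stop the next reader from "fixing" the inconsistency. Note that `clean_pkispawn_files()` in the new `finally:` still removes `tmp_agent_db` for the KRA as well, so the purge flag looks redundant here; if it is kept deliberately, the comment should say so.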
@ -282,6 +282,27 @@ def cleanup_adtrust(fstore):
|
||||
root_logger.debug('Removing %s from backup', backed_up_file)
|
||||
|
||||
|
||||
def cleanup_dogtag():
|
||||
"""
|
||||
pkispawn leaves some mess we were not cleaning up until recently. Try
|
||||
to clean up what we can.
|
||||
"""
|
||||
subsystems = []
|
||||
if api.Command.ca_is_enabled()['result']:
|
||||
subsystems.append('CA')
|
||||
if api.Command.kra_is_enabled()['result']:
|
||||
subsystems.append('KRA')
|
||||
|
||||
for system in subsystems:
|
||||
root_logger.debug(
|
||||
"Cleaning up after pkispawn for the {sub} subsystem"
|
||||
.format(sub=system))
|
||||
instance = dogtaginstance.DogtagInstance(
|
||||
api.env.realm, system, service_desc=None,
|
||||
)
|
||||
instance.clean_pkispawn_files()
|
||||
|
||||
|
||||
def upgrade_adtrust_config():
|
||||
"""
|
||||
Upgrade 'dedicated keytab file' in smb.conf to omit FILE: prefix
|
||||
@ -1672,6 +1693,7 @@ def upgrade_configuration():
|
||||
|
||||
cleanup_kdc(fstore)
|
||||
cleanup_adtrust(fstore)
|
||||
cleanup_dogtag()
|
||||
upgrade_adtrust_config()
|
||||
|
||||
bind = bindinstance.BindInstance(fstore)
|
||||
|
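Review bot: The docstring of the new `cleanup_dogtag` in the `@ -282` hunk says only that pkispawn "leaves some mess"; since the function exists to remove files holding passwords, it should say what is removed, e.g. `"""Remove the pkispawn client files left under /root/.dogtag for each enabled subsystem (CA, KRA) by earlier installs."""`. The function also has no error handling: an exception from `api.Command.ca_is_enabled()`, `kra_is_enabled()` or the `DogtagInstance(...)` construction propagates out of `upgrade_configuration()` (whose body lies outside the hunk) and aborts the upgrade for what the docstring itself calls best-effort cleanup; if that is not intended, wrapping the per-subsystem body in `try:` / `except Exception as e: root_logger.warning("Cleanup after pkispawn for %s failed: %s", system, e)` keeps the upgrade going while still reporting leftover files.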