Remove DM password files after successful pkispawn run

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Stanislav Laznicka 2017-02-14 16:55:11 +01:00 committed by Petr Vobornik
parent 728a6bd422
commit a39effed76
4 changed files with 52 additions and 13 deletions


@ -449,7 +449,10 @@ class CAInstance(DogtagInstance):
self.step("configuring certmonger renewal for lightweight CAs",
self.__add_lightweight_ca_tracking_requests)
self.start_creation(runtime=210)
try:
self.start_creation(runtime=210)
finally:
self.clean_pkispawn_files()
def __spawn_instance(self):
"""
@ -463,6 +466,9 @@ class CAInstance(DogtagInstance):
os.close(cfg_fd)
pent = pwd.getpwnam(self.service_user)
os.chown(cfg_file, pent.pw_uid, pent.pw_gid)
self.tmp_agent_db = tempfile.mkdtemp(
prefix="tmp-", dir=paths.VAR_LIB_IPA)
self.tmp_agent_pwd = ipautil.ipa_generate_password()
# Create CA configuration
config = ConfigParser()
@ -482,8 +488,8 @@ class CAInstance(DogtagInstance):
ipautil.format_netloc(api.env.domain)))
# Client security database
config.set("CA", "pki_client_database_dir", self.agent_db)
config.set("CA", "pki_client_database_password", self.admin_password)
config.set("CA", "pki_client_database_dir", self.tmp_agent_db)
config.set("CA", "pki_client_database_password", self.tmp_agent_pwd)
config.set("CA", "pki_client_database_purge", "False")
config.set("CA", "pki_client_pkcs12_password", self.admin_password)
@ -787,7 +793,7 @@ class CAInstance(DogtagInstance):
# create a temp file storing the pwd
agent_file = tempfile.NamedTemporaryFile(
mode="w", dir=paths.VAR_LIB_IPA, delete=False)
agent_file.write(self.admin_password)
agent_file.write(self.tmp_agent_pwd)
agent_file.close()
# create a temp pem file storing the CA chain
@ -807,7 +813,7 @@ class CAInstance(DogtagInstance):
], stdin=data, capture_output=False)
agent_args = [paths.DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT,
"--dbdir", self.agent_db,
"--dbdir", self.tmp_agent_db,
"--nickname", "ipa-ca-agent",
"--cafile", chain_file.name,
"--ee-url", 'http://%s:8080/ca/ee/ca/' % self.fqdn,
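Review bot: `pki_client_database_purge` stays `"False"` on the line after the new `pki_client_database_password` setting while the KRA side of this commit flips its counterpart to `"True"`, and nothing says why; the reason is visible in the later hunk, where `__import_ra_cert` still reads `self.tmp_agent_db` and `self.tmp_agent_pwd` after pkispawn has finished, so pkispawn must not purge that NSS DB. A comment above that line would stop the next reader from "harmonizing" the two subsystems: `# Keep the client NSS DB: __import_ra_cert still needs it after pkispawn; clean_pkispawn_files() removes it in the finally block`. Note also that `self.tmp_agent_pwd` is assigned only inside `__spawn_instance`, so `__import_ra_cert` presumably can never run on a path that skipped spawning — worth confirming, since an unset attribute there would raise AttributeError rather than a clean error. `__spawn_instance` and `__import_ra_cert` both continue outside the visible hunks.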


@ -127,7 +127,7 @@ class DogtagInstance(service.Service):
self.admin_dn = DN(('uid', self.admin_user),
('ou', 'people'), ('o', 'ipaca'))
self.admin_groups = None
self.agent_db = tempfile.mkdtemp(prefix="tmp-", dir=paths.VAR_LIB_IPA)
self.tmp_agent_db = None
self.subsystem = subsystem
self.security_domain_name = "IPA"
# replication parameters
@ -138,9 +138,6 @@ class DogtagInstance(service.Service):
self.log = log_mgr.get_logger(self)
def __del__(self):
shutil.rmtree(self.agent_db, ignore_errors=True)
def is_installed(self):
"""
Determine if subsystem instance has been installed.
@ -171,6 +168,14 @@ class DogtagInstance(service.Service):
except ipautil.CalledProcessError as e:
self.handle_setup_error(e)
def clean_pkispawn_files(self):
if self.tmp_agent_db is not None:
shutil.rmtree(self.tmp_agent_db, ignore_errors=True)
shutil.rmtree('/root/.dogtag/pki-tomcat/{subsystem}/'
.format(subsystem=self.subsystem.lower()),
ignore_errors=True)
def restart_instance(self):
try:
self.restart('pki-tomcat')
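Review bot: Both `shutil.rmtree` calls in the new `clean_pkispawn_files` use `ignore_errors=True`, so when the removal of `/root/.dogtag/pki-tomcat/<subsystem>/` fails the Directory Manager password this commit exists to delete silently stays on disk, with nothing in the log to show it. A cleanup whose whole purpose is removing secrets should at least report that it did not succeed; the class already has `self.log` from `log_mgr.get_logger(self)` in the preceding hunk, so checking the path afterwards and warning costs little (this assumes `os` is imported in this module, which is not visible here). The `/root/.dogtag/pki-tomcat/` prefix is also hard-coded while the same file reaches other locations through `paths.*` constants; moving it into `paths` would keep the location in one place. Finally, `__init__` now seeds `self.tmp_agent_db = None` but not `self.tmp_agent_pwd`, which the CA code assigns later; adding `self.tmp_agent_pwd = None` next to it keeps the two attributes symmetric.
```python
    def clean_pkispawn_files(self):
        """Remove pkispawn leftovers that hold the DM/admin passwords:
        the temporary client NSS DB and /root/.dogtag/pki-tomcat/<subsystem>/."""
        leftovers = [
            '/root/.dogtag/pki-tomcat/{subsystem}/'
            .format(subsystem=self.subsystem.lower()),
        ]
        if self.tmp_agent_db is not None:
            leftovers.append(self.tmp_agent_db)
        for path in leftovers:
            shutil.rmtree(path, ignore_errors=True)
            if os.path.exists(path):
                # the directory may still hold the DM password; make that visible
                self.log.warning("Failed to remove %s after pkispawn", path)
```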


@ -134,7 +134,10 @@ class KRAInstance(DogtagInstance):
self.step("enabling KRA instance", self.__enable_instance)
self.start_creation(runtime=126)
try:
self.start_creation(runtime=126)
finally:
self.clean_pkispawn_files()
def __spawn_instance(self):
"""
@ -148,6 +151,8 @@ class KRAInstance(DogtagInstance):
os.close(cfg_fd)
pent = pwd.getpwnam(self.service_user)
os.chown(cfg_file, pent.pw_uid, pent.pw_gid)
self.tmp_agent_db = tempfile.mkdtemp(
prefix="tmp-", dir=paths.VAR_LIB_IPA)
# Create KRA configuration
config = ConfigParser()
@ -170,9 +175,10 @@ class KRAInstance(DogtagInstance):
config.set("KRA", "pki_backup_password", self.admin_password)
# Client security database
config.set("KRA", "pki_client_database_dir", self.agent_db)
config.set("KRA", "pki_client_database_password", self.admin_password)
config.set("KRA", "pki_client_database_purge", "False")
config.set("KRA", "pki_client_database_dir", self.tmp_agent_db)
config.set("KRA", "pki_client_database_password",
ipautil.ipa_generate_password())
config.set("KRA", "pki_client_database_purge", "True")
config.set("KRA", "pki_client_pkcs12_password", self.admin_password)
# Administrator
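Review bot: The KRA now passes `ipautil.ipa_generate_password()` straight into `pki_client_database_password` without keeping it, while the CA stores the equivalent value in `self.tmp_agent_pwd`; the difference is deliberate but unexplained, and a one-line comment above the setting would prevent someone "fixing" it to match the CA: `# one-shot password: pkispawn purges this client DB itself (purge=True) and nothing reads it afterwards`. The same hunk still writes `self.admin_password` into `pki_backup_password` and `pki_client_pkcs12_password`, so the pkispawn config file created just above (chowned to the service user) continues to carry the admin password; whether that file is deleted once pkispawn returns is outside this hunk and worth confirming, since `clean_pkispawn_files` only touches the agent DB and `/root/.dogtag`. `__spawn_instance` continues past the end of the hunk.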


@ -282,6 +282,27 @@ def cleanup_adtrust(fstore):
root_logger.debug('Removing %s from backup', backed_up_file)
def cleanup_dogtag():
"""
pkispawn leaves some mess we were not cleaning up until recently. Try
to clean up what we can.
"""
subsystems = []
if api.Command.ca_is_enabled()['result']:
subsystems.append('CA')
if api.Command.kra_is_enabled()['result']:
subsystems.append('KRA')
for system in subsystems:
root_logger.debug(
"Cleaning up after pkispawn for the {sub} subsystem"
.format(sub=system))
instance = dogtaginstance.DogtagInstance(
api.env.realm, system, service_desc=None,
)
instance.clean_pkispawn_files()
def upgrade_adtrust_config():
"""
Upgrade 'dedicated keytab file' in smb.conf to omit FILE: prefix
@ -1672,6 +1693,7 @@ def upgrade_configuration():
cleanup_kdc(fstore)
cleanup_adtrust(fstore)
cleanup_dogtag()
upgrade_adtrust_config()
bind = bindinstance.BindInstance(fstore)
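Review bot: The docstring of the new `cleanup_dogtag` ("pkispawn leaves some mess we were not cleaning up until recently") does not tell an operator what is removed or why it matters on upgrade; a docstring that names the secret would, e.g. `"""Remove pkispawn leftovers from earlier installs: /root/.dogtag/pki-tomcat/<subsystem>/ still holds the Directory Manager password written at install time."""`. Each `DogtagInstance(...)` built in the loop exists only to call `clean_pkispawn_files()`, and because its `tmp_agent_db` is `None` only the `/root/.dogtag` path is removed; a comment saying so would save the reader a trip into dogtaginstance. `ca_is_enabled()` and `kra_is_enabled()` are API calls, so this presumably relies on `upgrade_configuration` having an API connection at this point — the surrounding code before `cleanup_kdc` is outside the hunk and I could not verify it.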