Enable ephemeral KRA requests

Enabling ephemeral KRA requests will reduce the amount of LDAP
write operations and improve overall performance.

Re-order some imports and shorten some lines to make pep8 happy.

Fixes: https://pagure.io/freeipa/issue/6703

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>

ipaserver/install/cainstance.py

@@ -396,14 +396,18 @@ class CAInstance(DogtagInstance):
                       self.__spawn_instance)
             self.step("exporting Dogtag certificate store pin",
                       self.create_certstore_passwdfile)
-            self.step("stopping certificate server instance to update CS.cfg", self.stop_instance)
+            self.step("stopping certificate server instance to update CS.cfg",
-            self.step("backing up CS.cfg", self.backup_config)
+                      self.stop_instance)
+            self.step("backing up CS.cfg", self.safe_backup_config)
             self.step("disabling nonces", self.__disable_nonce)
             self.step("set up CRL publishing", self.__enable_crl_publish)
-            self.step("enable PKIX certificate path discovery and validation", self.enable_pkix)
+            self.step("enable PKIX certificate path discovery and validation",
+                      self.enable_pkix)
             if promote:
-                self.step("destroying installation admin user", self.teardown_admin)
+                self.step("destroying installation admin user",
-            self.step("starting certificate server instance", self.start_instance)
+                          self.teardown_admin)
+            self.step("starting certificate server instance",
+                      self.start_instance)
         # Step 1 of external is getting a CSR so we don't need to do these
         # steps until we get a cert back from the external CA.
         if self.external != 1:
@@ -641,9 +645,16 @@ class CAInstance(DogtagInstance):
 
         logger.debug("completed creating ca instance")
 
-    def backup_config(self):
+    def safe_backup_config(self):
+        """
+        Safely handle exceptions if backup_config fails
+
+        The parent class raises an exception if the configuration
+        cannot be backed up. Catch that and log the message but
+        don't stop the current installer.
+        """
         try:
-            backup_config()
+            super(CAInstance, self).backup_config()
         except Exception as e:
             logger.warning("Failed to backup CS.cfg: %s", e)
 
@@ -1177,7 +1188,7 @@ class CAInstance(DogtagInstance):
                       'Server-Cert cert-pki-ca': 'ca.sslserver.cert'}
 
         try:
-            backup_config()
+            self.backup_config()
         except Exception as e:
             syslog.syslog(syslog.LOG_ERR, "Failed to backup CS.cfg: %s" % e)
 
@@ -1353,16 +1364,6 @@ def replica_ca_install_check(config, promote):
         exit('IPA schema missing on master CA directory server')
 
 
-def backup_config():
-    """
-    Create a backup copy of CS.cfg
-    """
-    path = paths.CA_CS_CFG_PATH
-    if services.knownservices['pki_tomcatd'].is_running('pki-tomcat'):
-        raise RuntimeError(
-            "Dogtag must be stopped when creating backup of %s" % path)
-    shutil.copy(path, path + '.ipabkp')
-
 def __update_entry_from_cert(make_filter, make_entry, cert):
     """
     Given a certificate and functions to make a filter based on the

ipaserver/install/dogtaginstance.py

@@ -463,3 +463,13 @@ class DogtagInstance(service.Service):
         config.set(self.subsystem, "pki_ds_secure_connection", "True")
         config.set(self.subsystem, "pki_ds_secure_connection_ca_pem_file",
                    ds_cacert)
+
+    def backup_config(self):
+        """
+        Create a backup copy of CS.cfg
+        """
+        path = self.config
+        if services.knownservices['pki_tomcatd'].is_running('pki-tomcat'):
+            raise RuntimeError(
+                "Dogtag must be stopped when creating backup of %s" % path)
+        shutil.copy(path, path + '.ipabkp')

ipaserver/install/krainstance.py

@@ -121,6 +121,7 @@ class KRAInstance(DogtagInstance):
         if promote:
             self.step("destroying installation admin user",
                       self.teardown_admin)
+        self.step("enabling ephemeral requests", self.enable_ephemeral)
         self.step("restarting KRA", self.restart_instance)
         self.step("configure certmonger for renewals",
                   self.configure_certmonger_renewal)

ipaserver/install/server/upgrade.py

@@ -11,19 +11,8 @@ import shutil
 import pwd
 import fileinput
 import sys
-
 from augeas import Augeas
 import dns.exception
-
-import six
-# pylint: disable=import-error
-if six.PY3:
-    # The SafeConfigParser class has been renamed to ConfigParser in Py3
-    from configparser import ConfigParser as SafeConfigParser
-else:
-    from ConfigParser import SafeConfigParser
-# pylint: enable=import-error
-
 from ipalib import api
 from ipalib.install import certmonger, sysrestore
 import SSSDConfig
@@ -44,6 +33,7 @@ from ipaserver.install import ntpinstance
 from ipaserver.install import bindinstance
 from ipaserver.install import service
 from ipaserver.install import cainstance
+from ipaserver.install import krainstance
 from ipaserver.install import certs
 from ipaserver.install import otpdinstance
 from ipaserver.install import schemaupdate
@@ -56,6 +46,15 @@ from ipaserver.install import adtrustinstance
 from ipaserver.install.upgradeinstance import IPAUpgrade
 from ipaserver.install.ldapupdate import BadSyntax
 
+import six
+# pylint: disable=import-error
+if six.PY3:
+    # The SafeConfigParser class has been renamed to ConfigParser in Py3
+    from configparser import ConfigParser as SafeConfigParser
+else:
+    from ConfigParser import SafeConfigParser
+# pylint: enable=import-error
+
 if six.PY3:
     unicode = str
 
@@ -1668,6 +1667,8 @@ def upgrade_configuration():
             api.env.realm, host_name=api.env.host)
     ca_running = ca.is_running()
 
+    kra = krainstance.KRAInstance(api.env.realm)
+
     # create passswd.txt file in PKI_TOMCAT_ALIAS_DIR if it does not exist
     # this file will be required on most actions over this NSS DB in FIPS
     if ca.is_configured() and not os.path.exists(os.path.join(
@@ -1709,11 +1710,27 @@ def upgrade_configuration():
             )
         upgrade_pki(ca, fstore)
 
+        if kra.is_configured():
+            logger.info('[Ensuring ephemeralRequest is enabled in KRA]')
+            kra.backup_config()
+            value = installutils.get_directive(
+                paths.KRA_CS_CFG_PATH,
+                'kra.ephemeralRequests',
+                separator='=')
+            if value is None or value.lower() != 'true':
+                logger.info('Enabling ephemeralRequest')
+                kra.enable_ephemeral()
+            else:
+                logger.info('ephemeralRequest is already enabled')
+
     # several upgrade steps require running CA.  If CA is configured,
     # always run ca.start() because we need to wait until CA is really ready
     # by checking status using http
     if ca.is_configured():
         ca.start('pki-tomcat')
+    if kra.is_configured() and not kra.is_running():
+        # This is for future-proofing in case the KRA is ever standalone.
+        kra.start('pki-tomcat')
 
     certmonger_service = services.knownservices.certmonger
     if ca.is_configured() and not certmonger_service.is_running():