Make CS.cfg edits with CA instance stopped

This patch makes sure that all edits to CS.cfg configuration file
are performed while pki-tomcatd service is stopped.

Introduces a new contextmanager stopped_service for handling
a general problem of performing a task that needs certain service
being stopped.

https://fedorahosted.org/freeipa/ticket/3804

install/restart_scripts/renew_ca_cert

@@ -83,6 +83,7 @@ except Exception, e:
 finally:
     shutil.rmtree(tmpdir)
 
+# Done withing stopped_service context, CA restarted here
 update_cert_config(nickname, cert)
 
 if nickname == 'subsystemCert cert-pki-ca':

install/tools/ipa-ca-install

@@ -189,8 +189,8 @@ def main():
     CA.ldap_enable('CA', config.host_name, config.dirman_password,
                    ipautil.realm_to_suffix(config.realm_name))
 
+    # This is done within stopped_service context, which restarts CA
     CA.enable_client_auth_to_db()
-    CA.restart()
 
     # Install CA DNS records
     install_dns_records(config, options)

install/tools/ipa-replica-install

@@ -675,8 +675,9 @@ def main():
     if CA and config.setup_ca:
         CA.ldap_enable('CA', config.host_name, config.dirman_password,
                        ipautil.realm_to_suffix(config.realm_name))
+
+        # This is done within stopped_service context, which restarts CA
         CA.enable_client_auth_to_db()
-        CA.restart()
 
     krb = install_krb(config, setup_pkinit=options.setup_pkinit)
     http = install_http(config, auto_redirect=options.ui_redirect)

install/tools/ipa-server-install

@@ -1054,8 +1054,9 @@ def main():
         # We need to ldap_enable the CA now that DS is up and running
         ca.ldap_enable('CA', host_name, dm_password,
                        ipautil.realm_to_suffix(realm_name))
+
+        # This is done within stopped_service context, which restarts CA
         ca.enable_client_auth_to_db()
-        ca.restart()
 
         # Upload the CA cert to the directory
         ds.upload_ca_cert()

ipaserver/install/cainstance.py

@@ -53,6 +53,7 @@ from ipaserver.install import service
 from ipaserver.install import installutils
 from ipaserver.install import dsinstance
 from ipaserver.install import certs
+from ipaserver.install.installutils import stopped_service
 from ipaserver.plugins import ldap2
 from ipapython.ipa_log_manager import *
 
@@ -443,7 +444,10 @@ class CAInstance(service.Service):
             if not ipautil.dir_exists("/var/lib/pki-ca"):
                 self.step("creating pki-ca instance", self.create_instance)
             self.step("configuring certificate server instance", self.__configure_instance)
+        self.step("stopping certificate server instance to update CS.cfg", self.__stop)
         self.step("disabling nonces", self.__disable_nonce)
+        self.step("set up CRL publishing", self.__enable_crl_publish)
+        self.step("starting certificate server instance", self.__start)
         # Step 1 of external is getting a CSR so we don't need to do these
         # steps until we get a cert back from the external CA.
         if self.external != 1:
@@ -454,7 +458,6 @@ class CAInstance(service.Service):
             self.step("importing CA chain to RA certificate database", self.__import_ca_chain)
             self.step("fixing RA database permissions", self.fix_ra_perms)
             self.step("setting up signing cert profile", self.__setup_sign_profile)
-            self.step("set up CRL publishing", self.__enable_crl_publish)
             self.step("set certificate subject base", self.__set_subject_in_config)
             self.step("enabling Subject Key Identifier", self.enable_subject_key_identifier)
             self.step("enabling CRL and OCSP extensions for certificates", self.__set_crl_ocsp_extensions)
@@ -474,6 +477,13 @@ class CAInstance(service.Service):
 
         self.start_creation(runtime=210)
 
+    def __stop(self):
+        self.stop()
+
+    def __start(self):
+        self.start()
+
+
     def __spawn_instance(self):
         """
         Create and configure a new CA instance using pkispawn.
@@ -781,7 +791,8 @@ class CAInstance(service.Service):
         if update_result != 0:
             raise RuntimeError("Disabling nonces failed")
         pent = pwd.getpwnam(PKI_USER)
-        os.chown(self.dogtag_constants.CS_CFG_PATH, pent.pw_uid, pent.pw_gid)
+        os.chown(self.dogtag_constants.CS_CFG_PATH,
+                 pent.pw_uid, pent.pw_gid)
 
     def __issue_ra_cert(self):
         # The CA certificate is in the agent DB but isn't trusted
@@ -1272,36 +1283,40 @@ class CAInstance(service.Service):
         """
         caconfig = dogtag.install_constants.CS_CFG_PATH
 
-        # Enable file publishing, disable LDAP
-        installutils.set_directive(caconfig,
-            'authz.instance.DirAclAuthz.ldap.ldapauth.authtype',
-            'SslClientAuth', quotes=False, separator='=')
-        installutils.set_directive(caconfig,
-            'authz.instance.DirAclAuthz.ldap.ldapauth.bindDN',
-            'uid=pkidbuser,ou=people,o=ipa-ca', quotes=False, separator='=')
-        installutils.set_directive(caconfig,
-            'authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname',
-            'subsystemCert cert-pki-ca', quotes=False, separator='=')
-        installutils.set_directive(caconfig,
-            'authz.instance.DirAclAuthz.ldap.ldapconn.port',
-            str(dogtag.install_constants.DS_SECURE_PORT),
-            quotes=False, separator='=')
-        installutils.set_directive(caconfig,
-            'authz.instance.DirAclAuthz.ldap.ldapconn.secureConn',
-            'true', quotes=False, separator='=')
+        with stopped_service('pki_tomcatd',
+                        instance_name=self.dogtag_constants.PKI_INSTANCE_NAME):
 
-        installutils.set_directive(caconfig, 'internaldb.ldapauth.authtype',
-            'SslClientAuth', quotes=False, separator='=')
-        installutils.set_directive(caconfig, 'internaldb.ldapauth.bindDN',
-            'uid=pkidbuser,ou=people,o=ipa-ca', quotes=False, separator='=')
-        installutils.set_directive(caconfig,
-            'internaldb.ldapauth.clientCertNickname',
-            'subsystemCert cert-pki-ca', quotes=False, separator='=')
-        installutils.set_directive(caconfig, 'internaldb.ldapconn.port',
-            str(dogtag.install_constants.DS_SECURE_PORT),
-            quotes=False, separator='=')
-        installutils.set_directive(caconfig, 'internaldb.ldapconn.secureConn',
-            'true', quotes=False, separator='=')
+            # Enable file publishing, disable LDAP
+            installutils.set_directive(caconfig,
+                'authz.instance.DirAclAuthz.ldap.ldapauth.authtype',
+                'SslClientAuth', quotes=False, separator='=')
+            installutils.set_directive(caconfig,
+                'authz.instance.DirAclAuthz.ldap.ldapauth.bindDN',
+                'uid=pkidbuser,ou=people,o=ipa-ca', quotes=False, separator='=')
+            installutils.set_directive(caconfig,
+                'authz.instance.DirAclAuthz.ldap.ldapauth.clientCertNickname',
+                'subsystemCert cert-pki-ca', quotes=False, separator='=')
+            installutils.set_directive(caconfig,
+                'authz.instance.DirAclAuthz.ldap.ldapconn.port',
+                str(dogtag.install_constants.DS_SECURE_PORT),
+                quotes=False, separator='=')
+            installutils.set_directive(caconfig,
+                'authz.instance.DirAclAuthz.ldap.ldapconn.secureConn',
+                'true', quotes=False, separator='=')
+
+            installutils.set_directive(caconfig, 'internaldb.ldapauth.authtype',
+                'SslClientAuth', quotes=False, separator='=')
+            installutils.set_directive(caconfig, 'internaldb.ldapauth.bindDN',
+                'uid=pkidbuser,ou=people,o=ipa-ca', quotes=False, separator='=')
+            installutils.set_directive(caconfig,
+                'internaldb.ldapauth.clientCertNickname',
+                'subsystemCert cert-pki-ca', quotes=False, separator='=')
+            installutils.set_directive(caconfig, 'internaldb.ldapconn.port',
+                str(dogtag.install_constants.DS_SECURE_PORT),
+                quotes=False, separator='=')
+            installutils.set_directive(caconfig,
+                 'internaldb.ldapconn.secureConn', 'true', quotes=False,
+                 separator='=')
 
     def uninstall(self):
         if self.is_configured():
@@ -1687,7 +1702,7 @@ def install_replica_ca(config, master_ds_port, postinstall=False):
 
     return ca
 
-def update_cert_config(nickname, cert):
+def update_cert_config(nickname, cert, dogtag_constants=None):
     """
     When renewing a CA subsystem certificate the configuration file
     needs to get the new certificate as well.
@@ -1695,6 +1710,10 @@ def update_cert_config(nickname, cert):
     nickname is one of the known nicknames.
     cert is a DER-encoded certificate.
     """
+
+    if dogtag_constants is None:
+        dogtag_constants = dogtag.configured_constants()
+
     # The cert directive to update per nickname
     directives = {'auditSigningCert cert-pki-ca': 'ca.audit_signing.cert',
                   'ocspSigningCert cert-pki-ca': 'ca.ocsp_signing.cert',
@@ -1702,10 +1721,13 @@ def update_cert_config(nickname, cert):
                   'subsystemCert cert-pki-ca': 'ca.subsystem.cert',
                   'Server-Cert cert-pki-ca': 'ca.sslserver.cert'}
 
-    installutils.set_directive(dogtag.configured_constants().CS_CFG_PATH,
-                                directives[nickname],
-                                base64.b64encode(cert),
-                                quotes=False, separator='=')
+    with stopped_service('pki_tomcatd',
+                         instance_name=dogtag_constants.PKI_INSTANCE_NAME):
+
+        installutils.set_directive(dogtag.configured_constants().CS_CFG_PATH,
+                                    directives[nickname],
+                                    base64.b64encode(cert),
+                                    quotes=False, separator='=')
 
 def update_people_entry(uid, dercert):
     """

ipaserver/install/installutils.py

@@ -42,6 +42,7 @@ from ipapython import config
 from ipalib import errors
 from ipapython.dn import DN
 from ipaserver.install import certs
+from ipapython import services as ipaservices
 
 # Used to determine install status
 IPA_MODULES = [
@@ -792,3 +793,38 @@ def private_ccache(path=None):
 
     if os.path.exists(path):
         os.remove(path)
+
+
+@contextmanager
+def stopped_service(service, instance_name=""):
+    """
+    Ensure that the specified service is stopped while the commands within
+    this context are executed.
+
+    Service is started at the end of the execution.
+    """
+
+    if instance_name:
+        log_instance_name = "@{instance}".format(instance=instance_name)
+    else:
+        log_instance_name = ""
+
+    root_logger.debug('Ensuring that service %s%s is not running while '
+                      'the next set of commands is being executed.', service,
+                      log_instance_name)
+
+    # Figure out if the service is running, if not, yield
+    if not ipaservices.knownservices[service].is_running(instance_name):
+        root_logger.debug('Service %s%s is not running, continue.', service,
+                          log_instance_name)
+        yield
+        root_logger.debug('Starting %s%s.', service, log_instance_name)
+        ipaservices.knownservices[service].start(instance_name)
+        return
+    else:
+        # Stop the service, do the required stuff and start it again
+        root_logger.debug('Stopping %s%s.', service, log_instance_name)
+        ipaservices.knownservices[service].stop(instance_name)
+        yield
+        root_logger.debug('Starting %s%s.', service, log_instance_name)
+        ipaservices.knownservices[service].start(instance_name)