initialize empty /etc/http/alias during server/replica install

In order to reduce coupling between httpinstance and other service installers,
the HTTP installer is now tasked with initialization of /etc/httpd/alias (RA
agent database) in the beginning of server/replica installation

Part of https://fedorahosted.org/freeipa/ticket/6429

Reviewed-By: Jan Cholasta <jcholast@redhat.com>

ipaserver/install/cainstance.py

@@ -22,14 +22,12 @@
 from __future__ import print_function
 
 import base64
-import binascii
 import dbus
 import ldap
 import os
 import pwd
 import re
 import shutil
-import stat
 import sys
 import syslog
 import time
@@ -388,10 +386,7 @@ class CAInstance(DogtagInstance):
         # Step 1 of external is getting a CSR so we don't need to do these
         # steps until we get a cert back from the external CA.
         if self.external != 1:
-            if self.create_ra_agent_db:
-                self.step("creating RA agent certificate database", self.__create_ra_agent_db)
             self.step("importing CA chain to RA certificate database", self.__import_ca_chain)
-            self.step("fixing RA database permissions", self.fix_ra_perms)
             self.step("setting up signing cert profile", self.__setup_sign_profile)
             self.step("setting audit signing renewal to 2 years", self.set_audit_renewal)
             self.step("configure certmonger for renewals",
@@ -695,26 +690,6 @@ class CAInstance(DogtagInstance):
         new_args = new_args + args
         return ipautil.run(new_args, stdin, nolog=(pwd_file,), **kwargs)
 
-    def __create_ra_agent_db(self):
-        if ipautil.file_exists(self.ra_agent_db + "/cert8.db"):
-            ipautil.backup_file(self.ra_agent_db + "/cert8.db")
-            ipautil.backup_file(self.ra_agent_db + "/key3.db")
-            ipautil.backup_file(self.ra_agent_db + "/secmod.db")
-            ipautil.backup_file(self.ra_agent_db + "/pwdfile.txt")
-
-        if not ipautil.dir_exists(self.ra_agent_db):
-            os.mkdir(self.ra_agent_db)
-            os.chmod(self.ra_agent_db, 0o755)
-
-        # Create the password file for this db
-        hex_str = binascii.hexlify(os.urandom(10))
-        f = os.open(self.ra_agent_pwd, os.O_CREAT | os.O_RDWR)
-        os.write(f, hex_str)
-        os.close(f)
-        os.chmod(self.ra_agent_pwd, stat.S_IRUSR)
-
-        self.__run_certutil(["-N"])
-
     def __get_ca_chain(self):
         try:
             return dogtag.get_ca_certchain(ca_host=self.fqdn)
@@ -844,17 +819,6 @@ class CAInstance(DogtagInstance):
             os.remove(agent_pwdfile)
             os.remove(chain_file)
 
-    def fix_ra_perms(self):
-        os.chmod(self.ra_agent_db + "/cert8.db", 0o640)
-        os.chmod(self.ra_agent_db + "/key3.db", 0o640)
-        os.chmod(self.ra_agent_db + "/secmod.db", 0o640)
-
-        pent = pwd.getpwnam(constants.HTTPD_USER)
-        os.chown(self.ra_agent_db + "/cert8.db", 0, pent.pw_gid )
-        os.chown(self.ra_agent_db + "/key3.db", 0, pent.pw_gid )
-        os.chown(self.ra_agent_db + "/secmod.db", 0, pent.pw_gid )
-        os.chown(self.ra_agent_pwd, pent.pw_uid, pent.pw_gid)
-
     def __setup_sign_profile(self):
         # Tell the profile to automatically issue certs for RAs
         installutils.set_directive(
@@ -1274,7 +1238,6 @@ class CAInstance(DogtagInstance):
 
         self.step("importing CA chain to RA certificate database",
                   self.__import_ca_chain)
-        self.step("fixing RA database permissions", self.fix_ra_perms)
         self.step("setting up signing cert profile", self.__setup_sign_profile)
         self.step("setting audit signing renewal to 2 years",
                   self.set_audit_renewal)

ipaserver/install/httpinstance.py

@@ -19,6 +19,7 @@
 
 from __future__ import print_function
 
+import binascii
 import os
 import os.path
 import pwd
@@ -69,6 +70,8 @@ NSS_CIPHER_SUITE = [
 ]
 NSS_CIPHER_REVISION = '20160129'
 
+NSS_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt")
+
 
 def httpd_443_configured():
     """
@@ -306,6 +309,33 @@ class HTTPInstance(service.Service):
             if certmonger_stopped:
                 certmonger.stop()
 
+    def create_cert_db(self):
+        database = certs.NSS_DIR
+        pwd_file = os.path.join(database, 'pwdfile.txt')
+
+        for p in NSS_FILES:
+            nss_path = os.path.join(database, p)
+            ipautil.backup_file(nss_path)
+
+        # Create the password file for this db
+        hex_str = binascii.hexlify(os.urandom(10))
+        f = os.open(pwd_file, os.O_CREAT | os.O_RDWR)
+        os.write(f, hex_str)
+        os.close(f)
+
+        ipautil.run([paths.CERTUTIL, "-d", database, "-f", pwd_file, "-N"])
+
+        self.fix_cert_db_perms()
+
+    def fix_cert_db_perms(self):
+        pent = pwd.getpwnam(constants.HTTPD_USER)
+
+        for filename in NSS_FILES:
+            nss_path = os.path.join(certs.NSS_DIR, filename)
+            os.chmod(nss_path, 0o640)
+            os.chown(nss_path, 0, pent.pw_gid)
+            tasks.restore_context(nss_path)
+
     def __setup_ssl(self):
         db = certs.CertDB(self.realm, subject_base=self.subject_base)
         if self.pkcs12_info:
@@ -313,9 +343,9 @@ class HTTPInstance(service.Service):
                 trust_flags = 'CT,C,C'
             else:
                 trust_flags = None
-            db.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1],
+            db.init_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1],
-                                  passwd=None, ca_file=self.ca_file,
+                                ca_file=self.ca_file,
-                                  trust_flags=trust_flags)
+                                trust_flags=trust_flags)
             server_certs = db.find_server_certs()
             if len(server_certs) == 0:
                 raise RuntimeError("Could not find a suitable server cert in import in %s" % self.pkcs12_info[0])
@@ -372,22 +402,6 @@ class HTTPInstance(service.Service):
             nickname = server_certs[0][0]
             db.export_ca_cert(nickname)
 
-        # Fix the database permissions
-        os.chmod(certs.NSS_DIR + "/cert8.db", 0o660)
-        os.chmod(certs.NSS_DIR + "/key3.db", 0o660)
-        os.chmod(certs.NSS_DIR + "/secmod.db", 0o660)
-        os.chmod(certs.NSS_DIR + "/pwdfile.txt", 0o660)
-
-        pent = pwd.getpwnam(HTTPD_USER)
-        os.chown(certs.NSS_DIR + "/cert8.db", 0, pent.pw_gid )
-        os.chown(certs.NSS_DIR + "/key3.db", 0, pent.pw_gid )
-        os.chown(certs.NSS_DIR + "/secmod.db", 0, pent.pw_gid )
-        os.chown(certs.NSS_DIR + "/pwdfile.txt", 0, pent.pw_gid )
-
-        # Fix SELinux permissions on the database
-        tasks.restore_context(certs.NSS_DIR + "/cert8.db")
-        tasks.restore_context(certs.NSS_DIR + "/key3.db")
-
     def __import_ca_certs(self):
         db = certs.CertDB(self.realm, subject_base=self.subject_base)
         self.import_ca_certs(db, self.ca_is_configured)

ipaserver/install/server/install.py

@@ -716,6 +716,9 @@ def install(installer):
     if installer._update_hosts_file:
         update_hosts_file(ip_addresses, host_name, fstore)
 
+    http_instance = httpinstance.HTTPInstance()
+    http_instance.create_cert_db()
+
     # Create DS user/group if it doesn't exist yet
     dsinstance.create_ds_user()
 

ipaserver/install/server/replicainstall.py

@@ -776,6 +776,9 @@ def install(installer):
     if installer._update_hosts_file:
         installutils.update_hosts_file(config.ips, config.host_name, fstore)
 
+    http_instance = httpinstance.HTTPInstance()
+    http_instance.create_cert_db()
+
     ca_enabled = ipautil.file_exists(config.dir + "/cacert.p12")
 
     # Create DS user/group if it doesn't exist yet
@@ -840,7 +843,6 @@ def install(installer):
 
         CA.configure_certmonger_renewal()
         CA.import_ra_cert(config.dir + "/ra.p12")
-        CA.fix_ra_perms()
 
     custodia = custodiainstance.CustodiaInstance(config.host_name,
                                                  config.realm_name)
@@ -1394,6 +1396,9 @@ def promote(installer):
     config.promote = installer.promote
     config.dirman_password = hexlify(ipautil.ipa_generate_password())
 
+    http_instance = httpinstance.HTTPInstance()
+    http_instance.create_cert_db()
+
     # FIXME: allow to use passed in certs instead
     if installer._ca_enabled:
         configure_certmonger()
@@ -1476,7 +1481,6 @@ def promote(installer):
         CA.configure_certmonger_renewal()
         CA.configure_agent_renewal()
         cainstance.export_kra_agent_pem()
-        CA.fix_ra_perms()
 
     install_krb(
         config,