initialize empty /etc/http/alias during server/replica install

In order to reduce coupling between httpinstance and other service installers, the HTTP installer is now tasked with initialization of /etc/httpd/alias (RA agent database) in the beginning of server/replica installation Part of https://fedorahosted.org/freeipa/ticket/6429 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2025-02-25 18:55:28 -06:00 · 2016-10-25 15:55:35 +02:00 · 2016-10-25 15:55:35 +02:00 · b1283c1e56
commit b1283c1e56
parent 2fdc2d0cb7
4 changed files with 42 additions and 58 deletions
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@ -22,14 +22,12 @@
 from __future__ import print_function

 import base64
-import binascii
 import dbus
 import ldap
 import os
 import pwd
 import re
 import shutil
-import stat
 import sys
 import syslog
 import time
@ -388,10 +386,7 @@ class CAInstance(DogtagInstance):
        # Step 1 of external is getting a CSR so we don't need to do these
        # steps until we get a cert back from the external CA.
        if self.external != 1:
-            if self.create_ra_agent_db:
-                self.step("creating RA agent certificate database", self.__create_ra_agent_db)
            self.step("importing CA chain to RA certificate database", self.__import_ca_chain)
-            self.step("fixing RA database permissions", self.fix_ra_perms)
            self.step("setting up signing cert profile", self.__setup_sign_profile)
            self.step("setting audit signing renewal to 2 years", self.set_audit_renewal)
            self.step("configure certmonger for renewals",
@ -695,26 +690,6 @@ class CAInstance(DogtagInstance):
        new_args = new_args + args
        return ipautil.run(new_args, stdin, nolog=(pwd_file,), **kwargs)

-    def __create_ra_agent_db(self):
-        if ipautil.file_exists(self.ra_agent_db + "/cert8.db"):
-            ipautil.backup_file(self.ra_agent_db + "/cert8.db")
-            ipautil.backup_file(self.ra_agent_db + "/key3.db")
-            ipautil.backup_file(self.ra_agent_db + "/secmod.db")
-            ipautil.backup_file(self.ra_agent_db + "/pwdfile.txt")
-
-        if not ipautil.dir_exists(self.ra_agent_db):
-            os.mkdir(self.ra_agent_db)
-            os.chmod(self.ra_agent_db, 0o755)
-
-        # Create the password file for this db
-        hex_str = binascii.hexlify(os.urandom(10))
-        f = os.open(self.ra_agent_pwd, os.O_CREAT | os.O_RDWR)
-        os.write(f, hex_str)
-        os.close(f)
-        os.chmod(self.ra_agent_pwd, stat.S_IRUSR)
-
-        self.__run_certutil(["-N"])
-
    def __get_ca_chain(self):
        try:
            return dogtag.get_ca_certchain(ca_host=self.fqdn)
@ -844,17 +819,6 @@ class CAInstance(DogtagInstance):
            os.remove(agent_pwdfile)
            os.remove(chain_file)

-    def fix_ra_perms(self):
-        os.chmod(self.ra_agent_db + "/cert8.db", 0o640)
-        os.chmod(self.ra_agent_db + "/key3.db", 0o640)
-        os.chmod(self.ra_agent_db + "/secmod.db", 0o640)
-
-        pent = pwd.getpwnam(constants.HTTPD_USER)
-        os.chown(self.ra_agent_db + "/cert8.db", 0, pent.pw_gid )
-        os.chown(self.ra_agent_db + "/key3.db", 0, pent.pw_gid )
-        os.chown(self.ra_agent_db + "/secmod.db", 0, pent.pw_gid )
-        os.chown(self.ra_agent_pwd, pent.pw_uid, pent.pw_gid)
-
    def __setup_sign_profile(self):
        # Tell the profile to automatically issue certs for RAs
        installutils.set_directive(
@ -1274,7 +1238,6 @@ class CAInstance(DogtagInstance):

        self.step("importing CA chain to RA certificate database",
                  self.__import_ca_chain)
-        self.step("fixing RA database permissions", self.fix_ra_perms)
        self.step("setting up signing cert profile", self.__setup_sign_profile)
        self.step("setting audit signing renewal to 2 years",
                  self.set_audit_renewal)
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@ -19,6 +19,7 @@

 from __future__ import print_function

+import binascii
 import os
 import os.path
 import pwd
@ -69,6 +70,8 @@ NSS_CIPHER_SUITE = [
 ]
 NSS_CIPHER_REVISION = '20160129'

+NSS_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt")
+

 def httpd_443_configured():
    """
@ -306,6 +309,33 @@ class HTTPInstance(service.Service):
            if certmonger_stopped:
                certmonger.stop()

+    def create_cert_db(self):
+        database = certs.NSS_DIR
+        pwd_file = os.path.join(database, 'pwdfile.txt')
+
+        for p in NSS_FILES:
+            nss_path = os.path.join(database, p)
+            ipautil.backup_file(nss_path)
+
+        # Create the password file for this db
+        hex_str = binascii.hexlify(os.urandom(10))
+        f = os.open(pwd_file, os.O_CREAT | os.O_RDWR)
+        os.write(f, hex_str)
+        os.close(f)
+
+        ipautil.run([paths.CERTUTIL, "-d", database, "-f", pwd_file, "-N"])
+
+        self.fix_cert_db_perms()
+
+    def fix_cert_db_perms(self):
+        pent = pwd.getpwnam(constants.HTTPD_USER)
+
+        for filename in NSS_FILES:
+            nss_path = os.path.join(certs.NSS_DIR, filename)
+            os.chmod(nss_path, 0o640)
+            os.chown(nss_path, 0, pent.pw_gid)
+            tasks.restore_context(nss_path)
+
    def __setup_ssl(self):
        db = certs.CertDB(self.realm, subject_base=self.subject_base)
        if self.pkcs12_info:
@ -313,8 +343,8 @@ class HTTPInstance(service.Service):
                trust_flags = 'CT,C,C'
            else:
                trust_flags = None
-            db.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1],
-                                  passwd=None, ca_file=self.ca_file,
+            db.init_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1],
+                                ca_file=self.ca_file,
                                trust_flags=trust_flags)
            server_certs = db.find_server_certs()
            if len(server_certs) == 0:
@ -372,22 +402,6 @@ class HTTPInstance(service.Service):
            nickname = server_certs[0][0]
            db.export_ca_cert(nickname)

-        # Fix the database permissions
-        os.chmod(certs.NSS_DIR + "/cert8.db", 0o660)
-        os.chmod(certs.NSS_DIR + "/key3.db", 0o660)
-        os.chmod(certs.NSS_DIR + "/secmod.db", 0o660)
-        os.chmod(certs.NSS_DIR + "/pwdfile.txt", 0o660)
-
-        pent = pwd.getpwnam(HTTPD_USER)
-        os.chown(certs.NSS_DIR + "/cert8.db", 0, pent.pw_gid )
-        os.chown(certs.NSS_DIR + "/key3.db", 0, pent.pw_gid )
-        os.chown(certs.NSS_DIR + "/secmod.db", 0, pent.pw_gid )
-        os.chown(certs.NSS_DIR + "/pwdfile.txt", 0, pent.pw_gid )
-
-        # Fix SELinux permissions on the database
-        tasks.restore_context(certs.NSS_DIR + "/cert8.db")
-        tasks.restore_context(certs.NSS_DIR + "/key3.db")
-
    def __import_ca_certs(self):
        db = certs.CertDB(self.realm, subject_base=self.subject_base)
        self.import_ca_certs(db, self.ca_is_configured)
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@ -716,6 +716,9 @@ def install(installer):
    if installer._update_hosts_file:
        update_hosts_file(ip_addresses, host_name, fstore)

+    http_instance = httpinstance.HTTPInstance()
+    http_instance.create_cert_db()
+
    # Create DS user/group if it doesn't exist yet
    dsinstance.create_ds_user()

--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@ -776,6 +776,9 @@ def install(installer):
    if installer._update_hosts_file:
        installutils.update_hosts_file(config.ips, config.host_name, fstore)

+    http_instance = httpinstance.HTTPInstance()
+    http_instance.create_cert_db()
+
    ca_enabled = ipautil.file_exists(config.dir + "/cacert.p12")

    # Create DS user/group if it doesn't exist yet
@ -840,7 +843,6 @@ def install(installer):

        CA.configure_certmonger_renewal()
        CA.import_ra_cert(config.dir + "/ra.p12")
-        CA.fix_ra_perms()

    custodia = custodiainstance.CustodiaInstance(config.host_name,
                                                 config.realm_name)
@ -1394,6 +1396,9 @@ def promote(installer):
    config.promote = installer.promote
    config.dirman_password = hexlify(ipautil.ipa_generate_password())

+    http_instance = httpinstance.HTTPInstance()
+    http_instance.create_cert_db()
+
    # FIXME: allow to use passed in certs instead
    if installer._ca_enabled:
        configure_certmonger()
@ -1476,7 +1481,6 @@ def promote(installer):
        CA.configure_certmonger_renewal()
        CA.configure_agent_renewal()
        cainstance.export_kra_agent_pem()
-        CA.fix_ra_perms()

    install_krb(
        config,