IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

initialize empty /etc/http/alias during server/replica install

Browse Source 
In order to reduce coupling between httpinstance and other service installers,
the HTTP installer is now tasked with initialization of /etc/httpd/alias (RA
agent database) in the beginning of server/replica installation

Part of https://fedorahosted.org/freeipa/ticket/6429

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This commit is contained in:
Martin Babinsky 2016-10-25 15:55:35 +02:00 committed by Jan Cholasta
parent 2fdc2d0cb7
commit b1283c1e56
4 changed files with 42 additions and 58 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
ipaserver/install/cainstance.py
View File

@ -22,14 +22,12 @@
from __future__ import print_function
import base64
import binascii
import dbus
import ldap
import os
import pwd
import re
import shutil
import stat
import sys
import syslog
import time
@ -388,10 +386,7 @@ class CAInstance(DogtagInstance):
# Step 1 of external is getting a CSR so we don't need to do these
# steps until we get a cert back from the external CA.
if self.external != 1:
if self.create_ra_agent_db:
self.step("creating RA agent certificate database", self.__create_ra_agent_db)
self.step("importing CA chain to RA certificate database", self.__import_ca_chain)
self.step("fixing RA database permissions", self.fix_ra_perms)
self.step("setting up signing cert profile", self.__setup_sign_profile)
self.step("setting audit signing renewal to 2 years", self.set_audit_renewal)
self.step("configure certmonger for renewals",
@ -695,26 +690,6 @@ class CAInstance(DogtagInstance):
new_args = new_args + args
return ipautil.run(new_args, stdin, nolog=(pwd_file,), **kwargs)
def __create_ra_agent_db(self):
if ipautil.file_exists(self.ra_agent_db + "/cert8.db"):
ipautil.backup_file(self.ra_agent_db + "/cert8.db")
ipautil.backup_file(self.ra_agent_db + "/key3.db")
ipautil.backup_file(self.ra_agent_db + "/secmod.db")
ipautil.backup_file(self.ra_agent_db + "/pwdfile.txt")
if not ipautil.dir_exists(self.ra_agent_db):
os.mkdir(self.ra_agent_db)
os.chmod(self.ra_agent_db, 0o755)
# Create the password file for this db
hex_str = binascii.hexlify(os.urandom(10))
f = os.open(self.ra_agent_pwd, os.O_CREAT | os.O_RDWR)
os.write(f, hex_str)
os.close(f)
os.chmod(self.ra_agent_pwd, stat.S_IRUSR)
self.__run_certutil(["-N"])
def __get_ca_chain(self):
try:
return dogtag.get_ca_certchain(ca_host=self.fqdn)
@ -844,17 +819,6 @@ class CAInstance(DogtagInstance):
os.remove(agent_pwdfile)
os.remove(chain_file)
def fix_ra_perms(self):
os.chmod(self.ra_agent_db + "/cert8.db", 0o640)
os.chmod(self.ra_agent_db + "/key3.db", 0o640)
os.chmod(self.ra_agent_db + "/secmod.db", 0o640)
pent = pwd.getpwnam(constants.HTTPD_USER)
os.chown(self.ra_agent_db + "/cert8.db", 0, pent.pw_gid )
os.chown(self.ra_agent_db + "/key3.db", 0, pent.pw_gid )
os.chown(self.ra_agent_db + "/secmod.db", 0, pent.pw_gid )
os.chown(self.ra_agent_pwd, pent.pw_uid, pent.pw_gid)
def __setup_sign_profile(self):
# Tell the profile to automatically issue certs for RAs
installutils.set_directive(
@ -1274,7 +1238,6 @@ class CAInstance(DogtagInstance):
self.step("importing CA chain to RA certificate database",
self.__import_ca_chain)
self.step("fixing RA database permissions", self.fix_ra_perms)
self.step("setting up signing cert profile", self.__setup_sign_profile)
self.step("setting audit signing renewal to 2 years",
self.set_audit_renewal)

52
ipaserver/install/httpinstance.py
View File

@ -19,6 +19,7 @@
from __future__ import print_function
import binascii
import os
import os.path
import pwd
@ -69,6 +70,8 @@ NSS_CIPHER_SUITE = [
]
NSS_CIPHER_REVISION = '20160129'
NSS_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt")
def httpd_443_configured():
"""
@ -306,6 +309,33 @@ class HTTPInstance(service.Service):
if certmonger_stopped:
certmonger.stop()
def create_cert_db(self):
database = certs.NSS_DIR
pwd_file = os.path.join(database, 'pwdfile.txt')
for p in NSS_FILES:
nss_path = os.path.join(database, p)
ipautil.backup_file(nss_path)
# Create the password file for this db
hex_str = binascii.hexlify(os.urandom(10))
f = os.open(pwd_file, os.O_CREAT | os.O_RDWR)
os.write(f, hex_str)
os.close(f)
ipautil.run([paths.CERTUTIL, "-d", database, "-f", pwd_file, "-N"])
self.fix_cert_db_perms()
def fix_cert_db_perms(self):
pent = pwd.getpwnam(constants.HTTPD_USER)
for filename in NSS_FILES:
nss_path = os.path.join(certs.NSS_DIR, filename)
os.chmod(nss_path, 0o640)
os.chown(nss_path, 0, pent.pw_gid)
tasks.restore_context(nss_path)
def __setup_ssl(self):
db = certs.CertDB(self.realm, subject_base=self.subject_base)
if self.pkcs12_info:
@ -313,9 +343,9 @@ class HTTPInstance(service.Service):
trust_flags = 'CT,C,C'
else:
trust_flags = None
db.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1],
passwd=None, ca_file=self.ca_file,
trust_flags=trust_flags)
db.init_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1],
ca_file=self.ca_file,
trust_flags=trust_flags)
server_certs = db.find_server_certs()
if len(server_certs) == 0:
raise RuntimeError("Could not find a suitable server cert in import in %s" % self.pkcs12_info[0])
@ -372,22 +402,6 @@ class HTTPInstance(service.Service):
nickname = server_certs[0][0]
db.export_ca_cert(nickname)
# Fix the database permissions
os.chmod(certs.NSS_DIR + "/cert8.db", 0o660)
os.chmod(certs.NSS_DIR + "/key3.db", 0o660)
os.chmod(certs.NSS_DIR + "/secmod.db", 0o660)
os.chmod(certs.NSS_DIR + "/pwdfile.txt", 0o660)
pent = pwd.getpwnam(HTTPD_USER)
os.chown(certs.NSS_DIR + "/cert8.db", 0, pent.pw_gid )
os.chown(certs.NSS_DIR + "/key3.db", 0, pent.pw_gid )
os.chown(certs.NSS_DIR + "/secmod.db", 0, pent.pw_gid )
os.chown(certs.NSS_DIR + "/pwdfile.txt", 0, pent.pw_gid )
# Fix SELinux permissions on the database
tasks.restore_context(certs.NSS_DIR + "/cert8.db")
tasks.restore_context(certs.NSS_DIR + "/key3.db")
def __import_ca_certs(self):
db = certs.CertDB(self.realm, subject_base=self.subject_base)
self.import_ca_certs(db, self.ca_is_configured)

3
ipaserver/install/server/install.py
View File

@ -716,6 +716,9 @@ def install(installer):
if installer._update_hosts_file:
update_hosts_file(ip_addresses, host_name, fstore)
http_instance = httpinstance.HTTPInstance()
http_instance.create_cert_db()
# Create DS user/group if it doesn't exist yet
dsinstance.create_ds_user()

8
ipaserver/install/server/replicainstall.py
View File

@ -776,6 +776,9 @@ def install(installer):
if installer._update_hosts_file:
installutils.update_hosts_file(config.ips, config.host_name, fstore)
http_instance = httpinstance.HTTPInstance()
http_instance.create_cert_db()
ca_enabled = ipautil.file_exists(config.dir + "/cacert.p12")
# Create DS user/group if it doesn't exist yet
@ -840,7 +843,6 @@ def install(installer):
CA.configure_certmonger_renewal()
CA.import_ra_cert(config.dir + "/ra.p12")
CA.fix_ra_perms()
custodia = custodiainstance.CustodiaInstance(config.host_name,
config.realm_name)
@ -1394,6 +1396,9 @@ def promote(installer):
config.promote = installer.promote
config.dirman_password = hexlify(ipautil.ipa_generate_password())
http_instance = httpinstance.HTTPInstance()
http_instance.create_cert_db()
# FIXME: allow to use passed in certs instead
if installer._ca_enabled:
configure_certmonger()
@ -1476,7 +1481,6 @@ def promote(installer):
CA.configure_certmonger_renewal()
CA.configure_agent_renewal()
cainstance.export_kra_agent_pem()
CA.fix_ra_perms()
install_krb(
config,