ipaserver.install: Consolidate system user creation

Sytem users and their groups are always created together.
Also, users & groups should never be removed once they exist
on the system (see comit a5a55ce).

Use a single function for generic user creation, and specific
funtions in dsinstance and cainstance.
Remove code left over from when we used to delete the DS user.

Preparation for: https://fedorahosted.org/freeipa/ticket/3866

Reviewed-By: Tomas Babej <tbabej@redhat.com>

install/tools/ipa-replica-install

@@ -582,9 +582,8 @@ def main():
     api.bootstrap(in_server=True, context='installer')
     api.finalize()
 
-    # Create DS group if it doesn't exist yet
-    group_exists = dsinstance.create_ds_group()
-    sstore.backup_state("install", "group_exists", group_exists)
+    # Create DS user/group if it doesn't exist yet
+    dsinstance.create_ds_user()
 
     #Automatically disable pkinit w/ dogtag until that is supported
     options.setup_pkinit = False

install/tools/ipa-server-install

@@ -546,7 +546,8 @@ def uninstall():
 
     ipaclient.ntpconf.restore_forced_ntpd(sstore)
 
-    group_exists = sstore.restore_state("install", "group_exists")
+    # Clean up group_exists (unused since IPA 2.2, not being set since 4.1)
+    sstore.restore_state("install", "group_exists")
 
     services.knownservices.ipa.disable()
 
@@ -1043,8 +1044,8 @@ def main():
         # configure /etc/sysconfig/network to contain the custom hostname
         tasks.backup_and_replace_hostname(fstore, sstore, host_name)
 
-    # Create DS group if it doesn't exist yet
-    dsinstance.create_ds_group()
+    # Create DS user/group if it doesn't exist yet
+    dsinstance.create_ds_user()
 
     # Create a directory server instance
     if external != 2:

ipaserver/install/cainstance.py

@@ -251,6 +251,16 @@ def is_step_one_done():
     return False
 
 
+def create_ca_user():
+    """Create PKI user/group if it doesn't exist yet."""
+    installutils.create_system_user(
+        name=PKI_USER,
+        group=PKI_USER,
+        homedir=paths.VAR_LIB,
+        shell=paths.NOLOGIN,
+    )
+
+
 class CADSInstance(service.Service):
     """Certificate Authority DS instance
 
@@ -447,7 +457,7 @@ class CAInstance(service.Service):
             self.cert_chain_file=cert_chain_file
             self.external=2
 
-        self.step("creating certificate server user", self.__create_ca_user)
+        self.step("creating certificate server user", create_ca_user)
         if self.dogtag_constants.DOGTAG_VERSION >= 10:
             self.step("configuring certificate server instance", self.__spawn_instance)
         else:
@@ -682,22 +692,6 @@ class CAInstance(service.Service):
         # We need to install DS before we can actually ldap_enable a service.
         # so actual enablement is delayed.
 
-    def __create_ca_user(self):
-        try:
-            pwd.getpwnam(PKI_USER)
-            root_logger.debug("ca user %s exists" % PKI_USER)
-        except KeyError:
-            root_logger.debug("adding ca user %s" % PKI_USER)
-            args = [paths.USERADD, "-c", "CA System User",
-                                         "-d", paths.VAR_LIB,
-                                         "-s", paths.NOLOGIN,
-                                         "-M", "-r", PKI_USER]
-            try:
-                ipautil.run(args)
-                root_logger.debug("done adding user")
-            except ipautil.CalledProcessError, e:
-                root_logger.critical("failed to add user %s" % e)
-
     def __configure_instance(self):
         # Only used for Dogtag 9
         preop_pin = get_preop_pin(

ipaserver/install/dsinstance.py

@@ -25,9 +25,7 @@ import os
 import re
 import time
 import tempfile
-import base64
 import stat
-import grp
 
 from ipapython.ipa_log_manager import *
 from ipapython import ipautil, sysrestore, ipaldap
@@ -151,50 +149,15 @@ def is_ds_running(server_id=''):
 
 
 def create_ds_user():
-    """
-    Create DS user if it doesn't exist yet.
-    """
-    try:
-        pwd.getpwnam(DS_USER)
-        root_logger.debug('DS user %s exists', DS_USER)
-    except KeyError:
-        root_logger.debug('Adding DS user %s', DS_USER)
-        args = [
-            paths.USERADD,
-            '-g', DS_GROUP,
-            '-c', 'DS System User',
-            '-d', paths.VAR_LIB_DIRSRV,
-            '-s', paths.NOLOGIN,
-            '-M', '-r', DS_USER
-        ]
-        try:
-            ipautil.run(args)
-            root_logger.debug('Done adding DS user')
-        except ipautil.CalledProcessError, e:
-            root_logger.critical('Failed to add DS user: %s', e)
+    """Create DS user/group if it doesn't exist yet."""
+    installutils.create_system_user(
+        name=DS_USER,
+        group=DS_USER,
+        homedir=paths.VAR_LIB_DIRSRV,
+        shell=paths.NOLOGIN,
+    )
 
 
-def create_ds_group():
-    """
-    Create DS group if it doesn't exist yet.
-    Returns True if the group already exists.
-    """
-    try:
-        grp.getgrnam(DS_GROUP)
-        root_logger.debug('DS group %s exists', DS_GROUP)
-        group_exists = True
-    except KeyError:
-        group_exists = False
-        root_logger.debug('Adding DS group %s', DS_GROUP)
-        args = [paths.GROUPADD, '-r', DS_GROUP]
-        try:
-            ipautil.run(args)
-            root_logger.debug('Done adding DS group')
-        except ipautil.CalledProcessError, e:
-            root_logger.critical('Failed to add DS group: %s', e)
-
-    return group_exists
-
 INF_TEMPLATE = """
 [General]
 FullMachineName=   $FQDN

ipaserver/install/installutils.py

@@ -29,6 +29,8 @@ from ConfigParser import SafeConfigParser, NoOptionError
 import traceback
 import textwrap
 from contextlib import contextmanager
+import pwd
+import grp
 
 from dns import resolver, rdatatype
 from dns.exception import DNSException
@@ -37,7 +39,7 @@ from nss.error import NSPRError
 
 from ipapython import ipautil, sysrestore, admintool, dogtag
 from ipapython.admintool import ScriptError
-from ipapython.ipa_log_manager import *
+from ipapython.ipa_log_manager import root_logger, log_mgr
 from ipalib.util import validate_hostname
 from ipapython import config
 from ipalib import errors, x509
@@ -81,6 +83,8 @@ class ReplicaConfig:
 
     subject_base = ipautil.dn_attribute_property('_subject_base')
 
+log = log_mgr.get_logger(__name__)
+
 def get_fqdn():
     fqdn = ""
     try:
@@ -917,3 +921,41 @@ def validate_external_cert(cert_file, ca_file, subject_base):
             raise ValueError(
                 "The external CA chain is incomplete (%s is missing from the "
                 "chain)." % certsubject)
+
+
+def create_system_user(name, group, homedir, shell):
+    """Create a system user with a corresponding group"""
+    try:
+        grp.getgrnam(group)
+    except KeyError:
+        log.debug('Adding group %s', group)
+        args = [paths.GROUPADD, '-r', group]
+        try:
+            ipautil.run(args)
+            log.debug('Done adding group')
+        except ipautil.CalledProcessError as e:
+            log.critical('Failed to add group: %s', e)
+            raise
+    else:
+        log.debug('group %s exists', group)
+
+    try:
+        pwd.getpwnam(name)
+    except KeyError:
+        log.debug('Adding user %s', name)
+        args = [
+            paths.USERADD,
+            '-g', group,
+            '-c', 'DS System User',
+            '-d', homedir,
+            '-s', shell,
+            '-M', '-r', name,
+        ]
+        try:
+            ipautil.run(args)
+            log.debug('Done adding user')
+        except ipautil.CalledProcessError as e:
+            log.critical('Failed to add user: %s', e)
+            raise
+    else:
+        log.debug('user %s exists', name)

ipaserver/install/ipa_restore.py

@@ -30,7 +30,7 @@ from ipapython import version
 from ipapython.ipautil import run, user_input
 from ipapython import admintool
 from ipapython.dn import DN
-from ipaserver.install.dsinstance import (realm_to_serverid, create_ds_group,
+from ipaserver.install.dsinstance import (realm_to_serverid,
                                           create_ds_user, DS_USER)
 from ipaserver.install.cainstance import PKI_USER
 from ipaserver.install.replication import (wait_for_task, ReplicationManager,
@@ -188,7 +188,6 @@ class Restore(admintool.AdminTool):
         if options.data_only and not instances:
             raise admintool.ScriptError('No instances to restore to')
 
-        create_ds_group()
         create_ds_user()
         pent = pwd.getpwnam(DS_USER)