Move CACERT definition to a single place.

Reviewed-By: Petr Viktorin <pviktori@redhat.com>

install/tools/ipa-csreplica-manage

@@ -27,11 +27,10 @@ from ipapython.ipa_log_manager import *
 
 from ipaserver.install import replication, installutils, bindinstance
 from ipalib import api, errors, util
+from ipalib.constants import CACERT
 from ipapython import ipautil, ipaldap, version, dogtag
 from ipapython.dn import DN
 
-CACERT = "/etc/ipa/ca.crt"
-
 # dict of command name and tuples of min/max num of args needed
 commands = {
     "list":(0, 1, "[master fqdn]", ""),

install/tools/ipa-managed-entries

@@ -25,11 +25,10 @@ from optparse import OptionParser
 from ipapython import ipautil, config, ipaldap
 from ipaserver.install import installutils
 from ipalib import api, errors
+from ipalib.constants import CACERT
 from ipapython.ipa_log_manager import *
 from ipapython.dn import DN
 
-CACERT = "/etc/ipa/ca.crt"
-
 def parse_options():
     usage = "%prog [options] <status|enable|disable>\n"
     usage += "%prog [options]\n"

install/tools/ipa-replica-install

@@ -42,6 +42,7 @@ from ipaserver.install.installutils import (ReplicaConfig, expand_replica_info,
 from ipaserver.plugins.ldap2 import ldap2
 from ipaserver.install import cainstance
 from ipalib import api, errors, util
+from ipalib.constants import CACERT
 from ipapython import version
 from ipapython.config import IPAOptionParser
 from ipapython import sysrestore
@@ -52,7 +53,6 @@ from ipapython.dn import DN
 import ipaclient.ntpconf
 
 log_file_name = "/var/log/ipareplica-install.log"
-CACERT = "/etc/ipa/ca.crt"
 REPLICA_INFO_TOP_DIR = None
 DIRMAN_DN = DN(('cn', 'directory manager'))
 

install/tools/ipa-replica-manage

@@ -32,14 +32,13 @@ from ipaserver.install import bindinstance
 from ipaserver.plugins import ldap2
 from ipapython import version, ipaldap
 from ipalib import api, errors, util
+from ipalib.constants import CACERT
 from ipapython.ipa_log_manager import *
 from ipapython.dn import DN
 from ipapython.config import IPAOptionParser
 from ipaclient import ipadiscovery
 from xmlrpclib import MAXINT
 
-CACERT = "/etc/ipa/ca.crt"
-
 # dict of command name and tuples of min/max num of args needed
 commands = {
     "list":(0, 1, "[master fqdn]", ""),

install/tools/ipa-server-install

@@ -72,6 +72,7 @@ from ipalib import api, errors, util, x509
 from ipapython.config import IPAOptionParser
 from ipalib.x509 import load_certificate_from_file, load_certificate_chain_from_file
 from ipalib.util import validate_domain_name
+from ipalib.constants import CACERT
 from ipapython import services as ipaservices
 from ipapython.ipa_log_manager import *
 from ipapython.dn import DN
@@ -1101,7 +1102,7 @@ def main():
                                   subject_base=options.subject)
 
         # Now put the CA cert where other instances exepct it
-        ca.publish_ca_cert("/etc/ipa/ca.crt")
+        ca.publish_ca_cert(CACERT)
 
     # we now need to enable ssl on the ds
     ds.enable_ssl()
@@ -1129,7 +1130,7 @@ def main():
             'External CA cert', 'CT,,', options.root_ca_file)
 
         # Put a CA cert where other instances expect it
-        with open('/etc/ipa/ca.crt', 'wb') as f:
+        with open(CACERT, 'wb') as f:
             f.write(pem_cert)
 
         # Install the CA cert for the HTTP server

ipa-client/ipa-install/ipa-client-install

@@ -36,7 +36,6 @@ try:
 
     from ipapython.ipa_log_manager import standard_logging_setup, root_logger
     from ipaclient import ipadiscovery
-    from ipaclient.ipadiscovery import CACERT
     import ipaclient.ipachangeconf
     import ipaclient.ntpconf
     from ipapython.ipautil import (
@@ -48,6 +47,7 @@ try:
     from ipapython.config import IPAOptionParser
     from ipalib import api, errors
     from ipalib import x509
+    from ipalib.constants import CACERT
     from ipapython.dn import DN
     from ipapython.ssh import SSHPublicKey
     from ipalib.rpc import delete_persistent_client_session_data

ipa-client/ipaclient/ipadiscovery.py

@@ -29,8 +29,6 @@ from ipapython import ipaldap
 from ipapython.ipautil import valid_ip, get_ipa_basedn, realm_to_suffix
 from ipapython.dn import DN
 
-CACERT = '/etc/ipa/ca.crt'
-
 NOT_FQDN = -1
 NO_LDAP_SERVER = -2
 REALM_NOT_FOUND = -3

ipalib/constants.py

@@ -32,6 +32,9 @@ except:
     except:
         FQDN = None
 
+# Path to CA certificate bundle
+CACERT = '/etc/ipa/ca.crt'
+
 # regular expression NameSpace member names must match:
 NAME_REGEX = r'^[a-z][_a-z0-9]*[a-z0-9]$|^[a-z]$'
 

ipaserver/install/bindinstance.py

@@ -38,6 +38,7 @@ from ipalib import api, errors
 from ipalib.util import (validate_zonemgr, normalize_zonemgr,
         get_dns_forward_zone_update_policy, get_dns_reverse_zone_update_policy,
         normalize_zone, get_reverse_zone_default, zone_is_reverse)
+from ipalib.constants import CACERT
 
 NAMED_CONF = '/etc/named.conf'
 RESOLV_CONF = '/etc/resolv.conf'
@@ -206,7 +207,7 @@ def dns_container_exists(fqdn, suffix, dm_password=None, ldapi=False, realm=None
         if ldapi:
             conn = ipaldap.IPAdmin(host=fqdn, ldapi=True, realm=realm)
         else:
-            conn = ipaldap.IPAdmin(host=fqdn, port=636, cacert=service.CACERT)
+            conn = ipaldap.IPAdmin(host=fqdn, port=636, cacert=CACERT)
 
         if dm_password:
             conn.do_simple_bind(bindpw=dm_password)

ipaserver/install/dsinstance.py

@@ -40,11 +40,11 @@ from ipaserver.install import ldapupdate
 from ipaserver.install import replication
 from ipaserver.install import sysupgrade
 from ipalib import errors
+from ipalib.constants import CACERT
 from ipapython.dn import DN
 
 SERVER_ROOT_64 = "/usr/lib64/dirsrv"
 SERVER_ROOT_32 = "/usr/lib/dirsrv"
-CACERT="/etc/ipa/ca.crt"
 
 DS_USER = 'dirsrv'
 DS_GROUP = 'dirsrv'

ipaserver/install/httpinstance.py

@@ -35,6 +35,7 @@ from ipapython import dogtag
 from ipapython.ipa_log_manager import *
 from ipaserver.install import sysupgrade
 from ipalib import api
+from ipalib.constants import CACERT
 
 HTTPD_DIR = "/etc/httpd"
 SSL_CONF = HTTPD_DIR + "/conf.d/ssl.conf"

ipaserver/install/ipa_backup.py

@@ -38,6 +38,7 @@ from ipaserver.install import installutils
 from ipapython import services as ipaservices
 from ipapython import ipaldap
 from ipalib.session import ISO8601_DATETIME_FMT
+from ipalib.constants import CACERT
 from ConfigParser import SafeConfigParser
 
 """
@@ -149,7 +150,7 @@ class Backup(admintool.AdminTool):
         '/etc/krb5.conf',
         '/etc/group',
         '/etc/passwd',
-        '/etc/ipa/ca.crt',
+        CACERT,
         '/etc/ipa/default.conf',
         '/etc/dirsrv/ds.keytab',
         '/etc/ntp.conf',

ipaserver/install/ipa_replica_prepare.py

@@ -34,6 +34,7 @@ from ipapython.dn import DN
 from ipapython import version
 from ipalib import api
 from ipalib import errors
+from ipalib.constants import CACERT
 
 
 class ReplicaPrepare(admintool.AdminTool):
@@ -139,7 +140,7 @@ class ReplicaPrepare(admintool.AdminTool):
     def check_pkcs12(self, pkcs12_file, pkcs12_pin):
         installutils.check_pkcs12(
             pkcs12_info=(pkcs12_file, pkcs12_pin),
-            ca_file='/etc/ipa/ca.crt',
+            ca_file=CACERT,
             hostname=self.replica_fqdn)
 
     def ask_for_options(self):
@@ -356,7 +357,7 @@ class ReplicaPrepare(admintool.AdminTool):
     def copy_misc_files(self):
         self.log.info("Copying additional files")
 
-        self.copy_info_file("/etc/ipa/ca.crt", "ca.crt")
+        self.copy_info_file(CACERT, "ca.crt")
         preferences_filename = "/usr/share/ipa/html/preferences.html"
         if ipautil.file_exists(preferences_filename):
             self.copy_info_file(preferences_filename, "preferences.html")

ipaserver/install/ipa_server_certinstall.py

@@ -28,11 +28,10 @@ from ipapython import admintool
 from ipapython.dn import DN
 from ipapython.ipautil import user_input, write_tmp_file
 from ipalib import api, errors
+from ipalib.constants import CACERT
 from ipaserver.install import certs, dsinstance, httpinstance, installutils
 from ipaserver.plugins.ldap2 import ldap2
 
-CACERT = "/etc/ipa/ca.crt"
-
 class ServerCertInstall(admintool.AdminTool):
     command_name = 'ipa-server-certinstall'
 

ipaserver/install/krbinstance.py

@@ -33,6 +33,7 @@ from ipapython import ipautil
 from ipapython import services as ipaservices
 from ipapython import kernel_keyring
 from ipalib import errors
+from ipalib.constants import CACERT
 from ipapython.ipa_log_manager import *
 from ipapython.dn import DN
 
@@ -435,7 +436,7 @@ class KrbInstance(service.Service):
 
         # Finally copy the cacert in the krb directory so we don't
         # have any selinux issues with the file context
-        shutil.copyfile("/etc/ipa/ca.crt", "/var/kerberos/krb5kdc/cacert.pem")
+        shutil.copyfile(CACERT, "/var/kerberos/krb5kdc/cacert.pem")
 
     def __add_anonymous_pkinit_principal(self):
         princ = "WELLKNOWN/ANONYMOUS"

ipaserver/install/replication.py

@@ -25,12 +25,12 @@ import os
 import ldap
 
 from ipalib import api, errors
+from ipalib.constants import CACERT
 from ipapython import services as ipaservices
 from ipapython.ipa_log_manager import *
 from ipapython import ipautil, dogtag, ipaldap
 from ipapython.dn import DN
 
-CACERT = "/etc/ipa/ca.crt"
 # the default container used by AD for user entries
 WIN_USER_CONTAINER = DN(('cn', 'Users'))
 # the default container used by IPA for user entries

ipaserver/install/service.py

@@ -30,8 +30,6 @@ from ipapython.dn import DN
 from ipapython.ipa_log_manager import *
 from ipalib import errors
 
-CACERT = "/etc/ipa/ca.crt"
-
 # Autobind modes
 AUTO = 1
 ENABLED = 2