|
 |
483b06 |
From 103d784865c4ebab9085e8edda34f9cb47d70150 Mon Sep 17 00:00:00 2001
|
|
|
483b06 |
From: Stanislav Laznicka <slaznick@redhat.com>
|
|
|
483b06 |
Date: Thu, 27 Apr 2017 12:51:30 +0200
|
|
|
483b06 |
Subject: [PATCH] Refresh Dogtag RestClient.ca_host property
|
|
|
483b06 |
|
|
|
483b06 |
Refresh the ca_host property of the Dogtag's RestClient class when
|
|
|
483b06 |
it's requested as a context manager.
|
|
|
483b06 |
|
|
|
483b06 |
This solves the problem which would occur on DL0 when installing
|
|
|
483b06 |
CA which needs to perform a set of steps against itself accessing
|
|
|
483b06 |
8443 port. This port should however only be available locally so
|
|
|
483b06 |
trying to connect to remote master would fail. We need to make
|
|
|
483b06 |
sure the right CA host is accessed.
|
|
|
483b06 |
|
|
|
483b06 |
https://pagure.io/freeipa/issue/6878
|
|
|
483b06 |
|
|
|
483b06 |
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
483b06 |
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
|
483b06 |
---
|
|
|
483b06 |
ipaserver/install/cainstance.py | 5 ++---
|
|
|
483b06 |
ipaserver/plugins/dogtag.py | 30 ++++++++++++++++++------------
|
|
|
483b06 |
2 files changed, 20 insertions(+), 15 deletions(-)
|
|
|
483b06 |
|
|
|
483b06 |
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
|
|
|
483b06 |
index 84d60bfddc0fb968f31706e54e36557e9543846e..d72feb884964ecf49fe0166cbfeb3cb2c10737fe 100644
|
|
|
483b06 |
--- a/ipaserver/install/cainstance.py
|
|
|
483b06 |
+++ b/ipaserver/install/cainstance.py
|
|
|
483b06 |
@@ -425,6 +425,8 @@ class CAInstance(DogtagInstance):
|
|
|
483b06 |
self.step("Configure HTTP to proxy connections",
|
|
|
483b06 |
self.http_proxy)
|
|
|
483b06 |
self.step("restarting certificate server", self.restart_instance)
|
|
|
483b06 |
+ self.step("updating IPA configuration", update_ipa_conf)
|
|
|
483b06 |
+ self.step("enabling CA instance", self.__enable_instance)
|
|
|
483b06 |
if not promote:
|
|
|
483b06 |
self.step("migrating certificate profiles to LDAP",
|
|
|
483b06 |
migrate_profiles_to_ldap)
|
|
|
483b06 |
@@ -432,9 +434,6 @@ class CAInstance(DogtagInstance):
|
|
|
483b06 |
import_included_profiles)
|
|
|
483b06 |
self.step("adding default CA ACL", ensure_default_caacl)
|
|
|
483b06 |
self.step("adding 'ipa' CA entry", ensure_ipa_authority_entry)
|
|
|
483b06 |
- self.step("updating IPA configuration", update_ipa_conf)
|
|
|
483b06 |
-
|
|
|
483b06 |
- self.step("enabling CA instance", self.__enable_instance)
|
|
|
483b06 |
|
|
|
483b06 |
self.step("configuring certmonger renewal for lightweight CAs",
|
|
|
483b06 |
self.__add_lightweight_ca_tracking_requests)
|
|
|
483b06 |
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
|
|
|
483b06 |
index 3997531032746a22243a4219250af4172e9ae5b3..bddaab58a546196958811f10bb4d049db4aea524 100644
|
|
|
483b06 |
--- a/ipaserver/plugins/dogtag.py
|
|
|
483b06 |
+++ b/ipaserver/plugins/dogtag.py
|
|
|
483b06 |
@@ -1202,7 +1202,6 @@ import os
|
|
|
483b06 |
import random
|
|
|
483b06 |
from ipaserver.plugins import rabase
|
|
|
483b06 |
from ipalib.constants import TYPE_ERROR
|
|
|
483b06 |
-from ipalib.util import cachedproperty
|
|
|
483b06 |
from ipalib import _
|
|
|
483b06 |
from ipaplatform.paths import paths
|
|
|
483b06 |
|
|
|
483b06 |
@@ -1250,34 +1249,41 @@ class RestClient(Backend):
|
|
|
483b06 |
self.client_keyfile = paths.RA_AGENT_KEY
|
|
|
483b06 |
super(RestClient, self).__init__(api)
|
|
|
483b06 |
|
|
|
483b06 |
+ self._ca_host = None
|
|
|
483b06 |
# session cookie
|
|
|
483b06 |
self.override_port = None
|
|
|
483b06 |
self.cookie = None
|
|
|
483b06 |
|
|
|
483b06 |
- @cachedproperty
|
|
|
483b06 |
+ @property
|
|
|
483b06 |
def ca_host(self):
|
|
|
483b06 |
"""
|
|
|
483b06 |
- :return: host
|
|
|
483b06 |
- as str
|
|
|
483b06 |
+ :returns: FQDN of a host hopefully providing a CA service
|
|
|
483b06 |
|
|
|
483b06 |
- Select our CA host.
|
|
|
483b06 |
+ Select our CA host, cache it for the first time.
|
|
|
483b06 |
"""
|
|
|
483b06 |
+ if self._ca_host is not None:
|
|
|
483b06 |
+ return self._ca_host
|
|
|
483b06 |
+
|
|
|
483b06 |
ldap2 = self.api.Backend.ldap2
|
|
|
483b06 |
if host_has_service(api.env.ca_host, ldap2, "CA"):
|
|
|
483b06 |
- return api.env.ca_host
|
|
|
483b06 |
- if api.env.host != api.env.ca_host:
|
|
|
483b06 |
+ object.__setattr__(self, '_ca_host', api.env.ca_host)
|
|
|
483b06 |
+ elif api.env.host != api.env.ca_host:
|
|
|
483b06 |
if host_has_service(api.env.host, ldap2, "CA"):
|
|
|
483b06 |
- return api.env.host
|
|
|
483b06 |
- host = select_any_master(ldap2)
|
|
|
483b06 |
- if host:
|
|
|
483b06 |
- return host
|
|
|
483b06 |
+ object.__setattr__(self, '_ca_host', api.env.host)
|
|
|
483b06 |
else:
|
|
|
483b06 |
- return api.env.ca_host
|
|
|
483b06 |
+ object.__setattr__(self, '_ca_host', select_any_master(ldap2))
|
|
|
483b06 |
+ if self._ca_host is None:
|
|
|
483b06 |
+ object.__setattr__(self, '_ca_host', api.env.ca_host)
|
|
|
483b06 |
+ return self._ca_host
|
|
|
483b06 |
|
|
|
483b06 |
def __enter__(self):
|
|
|
483b06 |
"""Log into the REST API"""
|
|
|
483b06 |
if self.cookie is not None:
|
|
|
483b06 |
return
|
|
|
483b06 |
+
|
|
|
483b06 |
+ # Refresh the ca_host property
|
|
|
483b06 |
+ object.__setattr__(self, '_ca_host', None)
|
|
|
483b06 |
+
|
|
|
483b06 |
status, resp_headers, _resp_body = dogtag.https_request(
|
|
|
483b06 |
self.ca_host, self.override_port or self.env.ca_agent_port,
|
|
|
483b06 |
url='/ca/rest/account/login',
|
|
|
483b06 |
--
|
|
|
483b06 |
2.12.2
|
|
|
483b06 |
|