From 103d784865c4ebab9085e8edda34f9cb47d70150 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Thu, 27 Apr 2017 12:51:30 +0200 Subject: [PATCH] Refresh Dogtag RestClient.ca_host property Refresh the ca_host property of the Dogtag's RestClient class when it's requested as a context manager. This solves the problem which would occur on DL0 when installing CA which needs to perform a set of steps against itself accessing 8443 port. This port should however only be available locally so trying to connect to remote master would fail. We need to make sure the right CA host is accessed. https://pagure.io/freeipa/issue/6878 Reviewed-By: Martin Basti Reviewed-By: Christian Heimes --- ipaserver/install/cainstance.py | 5 ++--- ipaserver/plugins/dogtag.py | 30 ++++++++++++++++++------------ 2 files changed, 20 insertions(+), 15 deletions(-) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 84d60bfddc0fb968f31706e54e36557e9543846e..d72feb884964ecf49fe0166cbfeb3cb2c10737fe 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -425,6 +425,8 @@ class CAInstance(DogtagInstance): self.step("Configure HTTP to proxy connections", self.http_proxy) self.step("restarting certificate server", self.restart_instance) + self.step("updating IPA configuration", update_ipa_conf) + self.step("enabling CA instance", self.__enable_instance) if not promote: self.step("migrating certificate profiles to LDAP", migrate_profiles_to_ldap) @@ -432,9 +434,6 @@ class CAInstance(DogtagInstance): import_included_profiles) self.step("adding default CA ACL", ensure_default_caacl) self.step("adding 'ipa' CA entry", ensure_ipa_authority_entry) - self.step("updating IPA configuration", update_ipa_conf) - - self.step("enabling CA instance", self.__enable_instance) self.step("configuring certmonger renewal for lightweight CAs", self.__add_lightweight_ca_tracking_requests) 
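Review bot: The new position of the "updating IPA configuration" and "enabling CA instance" steps ahead of the `if not promote:` block in the first cainstance.py hunk is order-dependent, but nothing in the code says so. Going by the commit message, the profile migration, CA ACL and authority-entry steps need the local CA to be the host the REST client selects, so a later reshuffle of the step list could silently bring back connection attempts to a remote master's locally restricted 8443 port. A short comment above the two moved lines would pin that down, for example `# Must run before the steps below: they use the Dogtag REST API and need this host selected as ca_host`. The enclosing method starts and ends outside the hunk, so whether any earlier step has the same dependency cannot be checked from here.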
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 3997531032746a22243a4219250af4172e9ae5b3..bddaab58a546196958811f10bb4d049db4aea524 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1202,7 +1202,6 @@ import os import random from ipaserver.plugins import rabase from ipalib.constants import TYPE_ERROR -from ipalib.util import cachedproperty from ipalib import _ from ipaplatform.paths import paths @@ -1250,34 +1249,41 @@ class RestClient(Backend): self.client_keyfile = paths.RA_AGENT_KEY super(RestClient, self).__init__(api) + self._ca_host = None # session cookie self.override_port = None self.cookie = None - @cachedproperty + @property def ca_host(self): """ - :return: host - as str + :returns: FQDN of a host hopefully providing a CA service - Select our CA host. + Select our CA host, cache it for the first time. """ + if self._ca_host is not None: + return self._ca_host + ldap2 = self.api.Backend.ldap2 if host_has_service(api.env.ca_host, ldap2, "CA"): - return api.env.ca_host - if api.env.host != api.env.ca_host: + object.__setattr__(self, '_ca_host', api.env.ca_host) + elif api.env.host != api.env.ca_host: if host_has_service(api.env.host, ldap2, "CA"): - return api.env.host - host = select_any_master(ldap2) - if host: - return host + object.__setattr__(self, '_ca_host', api.env.host) else: - return api.env.ca_host + object.__setattr__(self, '_ca_host', select_any_master(ldap2)) + if self._ca_host is None: + object.__setattr__(self, '_ca_host', api.env.ca_host) + return self._ca_host def __enter__(self): """Log into the REST API""" if self.cookie is not None: return + + # Refresh the ca_host property + object.__setattr__(self, '_ca_host', None) + status, resp_headers, _resp_body = dogtag.https_request( self.ca_host, self.override_port or self.env.ca_agent_port, url='/ca/rest/account/login', -- 2.12.2
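Review bot: In the rewritten `ca_host` getter the `select_any_master(ldap2)` fallback appears to be reachable only when `api.env.host == api.env.ca_host`. The `else:` is an unchanged context line that used to pair with `if host:` and now follows the new `if`/`elif api.env.host != api.env.ca_host:` chain (indentation is lost in this rendering, so this is inferred); when the two configured hosts differ and neither has a CA, the getter would skip master selection and return `api.env.ca_host`, a host the LDAP check just reported as lacking a CA, and the RA agent login in `__enter__` is then sent there. Replacing `else:` with `if self._ca_host is None:` restores the old fall-through. The repeated `object.__setattr__(self, '_ca_host', ...)` calls also deserve a comment saying why plain assignment is not used (presumably the plugin object is locked read-only after `__init__`), e.g. `# instance is read-only once initialised; bypass __setattr__ to update the cache`. `__enter__` continues past the end of the hunk.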