URL: https://github.com/freeipa/freeipa/pull/1257
Author: tiran
 Title: #1257: Backup ipa-custodia conf and keys
Action: opened

PR body:
"""
https://pagure.io/freeipa/issue/7247

Signed-off-by: Christian Heimes <chei...@redhat.com>
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1257/head:pr1257
git checkout pr1257
From cc3e8aa4a969becb01d414a642567cb46581d56d Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Wed, 8 Nov 2017 15:15:30 +0100
Subject: [PATCH] Backup ipa-custodia conf and keys

https://pagure.io/freeipa/issue/7247

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 install/share/custodia.conf.template  |  2 +-
 ipaplatform/base/paths.py             |  1 +
 ipaserver/install/custodiainstance.py | 23 ++++++++++++-----------
 ipaserver/install/ipa_backup.py       |  2 ++
 4 files changed, 16 insertions(+), 12 deletions(-)

diff --git a/install/share/custodia.conf.template b/install/share/custodia.conf.template
index 855a1b3ba2..ee3c43ca7e 100644
--- a/install/share/custodia.conf.template
+++ b/install/share/custodia.conf.template
@@ -16,7 +16,7 @@ header = GSS_NAME
 handler = ipaserver.secrets.kem.IPAKEMKeys
 paths = /keys
 store = ipa
-server_keys = $IPA_CUSTODIA_CONF_DIR/server.keys
+server_keys = $IPA_CUSTODIA_KEYS
 
 [store:ipa]
 handler = ipaserver.secrets.store.IPASecStore
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 1a085b7f92..98372478e0 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -347,6 +347,7 @@ class BasePathNamespace(object):
     NETWORK_MANAGER_CONFIG_DIR = '/etc/NetworkManager/conf.d'
     IPA_CUSTODIA_CONF_DIR = '/etc/ipa/custodia'
     IPA_CUSTODIA_CONF = '/etc/ipa/custodia/custodia.conf'
+    IPA_CUSTODIA_KEYS = '/etc/ipa/custodia/server.keys'
     IPA_CUSTODIA_SOCKET = '/run/httpd/ipa-custodia.sock'
     IPA_CUSTODIA_AUDIT_LOG = '/var/log/ipa-custodia.audit.log'
     IPA_GETKEYTAB = '/usr/sbin/ipa-getkeytab'
diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py
index aa5261de38..9d24a4793e 100644
--- a/ipaserver/install/custodiainstance.py
+++ b/ipaserver/install/custodiainstance.py
@@ -30,8 +30,7 @@ class CustodiaInstance(SimpleServiceInstance):
     def __init__(self, host_name=None, realm=None):
         super(CustodiaInstance, self).__init__("ipa-custodia")
         self.config_file = paths.IPA_CUSTODIA_CONF
-        self.server_keys = os.path.join(paths.IPA_CUSTODIA_CONF_DIR,
-                                        'server.keys')
+        self.server_keys = paths.IPA_CUSTODIA_KEYS
         self.ldap_uri = None
         self.fqdn = host_name
         self.realm = realm
@@ -40,16 +39,18 @@ def __config_file(self):
         template_file = os.path.basename(self.config_file) + '.template'
         template = os.path.join(paths.USR_SHARE_IPA_DIR, template_file)
         httpd_info = pwd.getpwnam(constants.HTTPD_USER)
-        sub_dict = dict(IPA_CUSTODIA_CONF_DIR=paths.IPA_CUSTODIA_CONF_DIR,
-                        IPA_CUSTODIA_SOCKET=paths.IPA_CUSTODIA_SOCKET,
-                        IPA_CUSTODIA_AUDIT_LOG=paths.IPA_CUSTODIA_AUDIT_LOG,
-                        LDAP_URI=installutils.realm_to_ldapi_uri(self.realm),
-                        UID=httpd_info.pw_uid, GID=httpd_info.pw_gid)
+        sub_dict = dict(
+            IPA_CUSTODIA_CONF_DIR=paths.IPA_CUSTODIA_CONF_DIR,
+            IPA_CUSTODIA_KEYS=paths.IPA_CUSTODIA_KEYS,
+            IPA_CUSTODIA_SOCKET=paths.IPA_CUSTODIA_SOCKET,
+            IPA_CUSTODIA_AUDIT_LOG=paths.IPA_CUSTODIA_AUDIT_LOG,
+            LDAP_URI=installutils.realm_to_ldapi_uri(self.realm),
+            UID=httpd_info.pw_uid,
+            GID=httpd_info.pw_gid
+        )
         conf = ipautil.template_file(template, sub_dict)
-        fd = open(self.config_file, "w+")
-        fd.write(conf)
-        fd.flush()
-        fd.close()
+        with open(self.config_file, "w") as f:
+            f.write(conf)
 
     def create_instance(self):
         suffix = ipautil.realm_to_suffix(self.realm)
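Review bot: The new multi-line `dict(...)` call ends with `GID=httpd_info.pw_gid` and no trailing comma, so the next key added to this literal will show up as a two-line diff; add it: `GID=httpd_info.pw_gid,`. Replacing the manual open/write/flush/close with `with open(self.config_file, "w") as f:` is an improvement, but the file is still written in place, so an error mid-write leaves a truncated custodia.conf at the final path; writing to a temporary file alongside and renaming over it would close that window, if the installer's conventions allow. `__config_file` begins above the hunk (its `def` line is only in the hunk header).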
diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py
index ac9b0fc1d7..d8ff395fd2 100644
--- a/ipaserver/install/ipa_backup.py
+++ b/ipaserver/install/ipa_backup.py
@@ -189,6 +189,8 @@ class Backup(admintool.AdminTool):
         paths.DNSSEC_SOFTHSM_PIN_SO,
         paths.IPA_ODS_EXPORTER_KEYTAB,
         paths.IPA_DNSKEYSYNCD_KEYTAB,
+        paths.IPA_CUSTODIA_KEYS,
+        paths.IPA_CUSTODIA_CONF,
         paths.HOSTS,
     ) + tuple(
         os.path.join(paths.IPA_NSSDB_DIR, file)
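Review bot: The two added entries put `paths.IPA_CUSTODIA_KEYS` into the backup set, so the archive now carries Custodia's server private keys next to the keytabs and SoftHSM PIN already listed; that is consistent with the list, but nothing on these lines marks the entry as secret material, which a later edit reordering or pruning the tuple would want to know. I would annotate it: `paths.IPA_CUSTODIA_KEYS,  # Custodia server private keys: secret material`. Whether ipa-restore re-applies the ownership and mode the installer sets on server.keys after extraction is outside this hunk and worth confirming, since a key file restored with a looser mode would be the one regression this backup could introduce. The enclosing tuple literal starts above the hunk.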