From 81bf72dc350b9c7daab669aaa796e96aee6ecbb8 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Nov 11 2016 11:17:25 +0000 Subject: Make service user name a class member of Service This will aid further refactoring of service installers, since the user will be defined only once during parent class initialization. https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Stanislav Laznicka --- diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py index 6843ef8..bdafd0f 100644 --- a/ipaserver/install/bindinstance.py +++ b/ipaserver/install/bindinstance.py @@ -619,10 +619,10 @@ class BindInstance(service.Service): "named", service_desc="DNS", fstore=fstore, - api=api + api=api, + service_user=constants.NAMED_USER ) self.dns_backup = DnsBackup(self) - self.named_user = None self.domain = None self.host = None self.ip_addresses = [] @@ -637,7 +637,7 @@ class BindInstance(service.Service): forward_policy, reverse_zones, named_user=constants.NAMED_USER, zonemgr=None, no_dnssec_validation=False): - self.named_user = named_user + self.service_user = named_user self.fqdn = fqdn self.ip_addresses = ip_addresses self.realm = realm_name @@ -890,7 +890,7 @@ class BindInstance(service.Service): dns_principal = p # Make sure access is strictly reserved to the named user - pent = pwd.getpwnam(self.named_user) + pent = pwd.getpwnam(self.service_user) os.chown(paths.NAMED_KEYTAB, pent.pw_uid, pent.pw_gid) os.chmod(paths.NAMED_KEYTAB, 0o400) @@ -1189,4 +1189,4 @@ class BindInstance(service.Service): self.named_regular.start() installutils.remove_keytab(paths.NAMED_KEYTAB) - installutils.remove_ccache(run_as=constants.NAMED_USER) + installutils.remove_ccache(run_as=self.service_user) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 7a46094..9e257b8 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py 
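Review bot: `setup()` in the @@ -637 hunk still declares `named_user=constants.NAMED_USER` and unconditionally writes it to `self.service_user`, so the account now has two defaults — the `service_user=constants.NAMED_USER` passed to `Service.__init__` in the @@ -619 hunk and this parameter — and the parameter name no longer matches the attribute it sets. If the parameter must stay for callers outside this diff, let it defer to the constructor value: `named_user=None,` in the signature and `if named_user is not None: self.service_user = named_user` in the body; otherwise it can go. A short comment at the assignment would also help, e.g. `# account named runs as; owns paths.NAMED_KEYTAB and the named ccache`. The body of `setup()` continues past the hunk.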
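Review bot: The `pent = pwd.getpwnam(self.service_user)` / `os.chown(path, pent.pw_uid, pent.pw_gid)` pair rewritten in the @@ -890 hunk is repeated verbatim in dsinstance (@@ -1242), httpinstance (@@ -206) and eight more times across cainstance and krainstance; now that the account lives on `Service`, one helper there, e.g. `def chown_to_service_user(self, path):` with the body `pent = pwd.getpwnam(self.service_user)` / `os.chown(path, pent.pw_uid, pent.pw_gid)`, would replace all of them and keep the ownership rule in a single place (the cainstance publish directory, which keeps uid 0 and only takes the group, is the one site that would not fit). `pwd.getpwnam` raises `KeyError` for an unknown account, so such a helper is also the natural place for an error message that names the service. The enclosing method starts and ends outside the hunk.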
@@ -458,7 +458,7 @@ class CAInstance(DogtagInstance): # Create an empty and secured file (cfg_fd, cfg_file) = tempfile.mkstemp() os.close(cfg_fd) - pent = pwd.getpwnam(constants.PKI_USER) + pent = pwd.getpwnam(self.service_user) os.chown(cfg_file, pent.pw_uid, pent.pw_gid) # Create CA configuration @@ -534,7 +534,7 @@ class CAInstance(DogtagInstance): cafile = self.pkcs12_info[0] shutil.copy(cafile, paths.TMP_CA_P12) - pent = pwd.getpwnam(constants.PKI_USER) + pent = pwd.getpwnam(self.service_user) os.chown(paths.TMP_CA_P12, pent.pw_uid, pent.pw_gid) # Security domain registration @@ -633,7 +633,7 @@ class CAInstance(DogtagInstance): 'ca.enableNonces=false') if update_result != 0: raise RuntimeError("Disabling nonces failed") - pent = pwd.getpwnam(constants.PKI_USER) + pent = pwd.getpwnam(self.service_user) os.chown(paths.CA_CS_CFG_PATH, pent.pw_uid, pent.pw_gid) def enable_pkix(self): @@ -865,7 +865,7 @@ class CAInstance(DogtagInstance): os.mkdir(publishdir) os.chmod(publishdir, 0o775) - pent = pwd.getpwnam(constants.PKI_USER) + pent = pwd.getpwnam(self.service_user) os.chown(publishdir, 0, pent.pw_gid) tasks.restore_context(publishdir) @@ -1231,7 +1231,7 @@ class CAInstance(DogtagInstance): def __setup_lightweight_ca_key_retrieval_kerberos(self): service = ipalib.constants.PKI_GSSAPI_SERVICE_NAME principal = '{}/{}@{}'.format(service, api.env.host, self.realm) - pent = pwd.getpwnam(constants.PKI_USER) + pent = pwd.getpwnam(self.service_user) root_logger.info('Creating principal') installutils.kadmin_addprinc(principal) @@ -1246,7 +1246,7 @@ class CAInstance(DogtagInstance): def __setup_lightweight_ca_key_retrieval_custodia(self): service = ipalib.constants.PKI_GSSAPI_SERVICE_NAME - pent = pwd.getpwnam(constants.PKI_USER) + pent = pwd.getpwnam(self.service_user) root_logger.info('Creating Custodia keys') custodia_basedn = DN( diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py index 38e726e..cf1e5e0 100644 
--- a/ipaserver/install/dogtaginstance.py +++ b/ipaserver/install/dogtaginstance.py @@ -114,7 +114,8 @@ class DogtagInstance(service.Service): super(DogtagInstance, self).__init__( 'pki-tomcatd', service_desc=service_desc, - realm_name=realm + realm_name=realm, + service_user=constants.PKI_USER ) self.admin_password = None diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 1a38efa..d26f838 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -227,6 +227,7 @@ class DsInstance(service.Service): "dirsrv", service_desc="directory server", fstore=fstore, + service_user=DS_USER, realm_name=realm_name ) self.nickname = 'Server-Cert' @@ -1242,7 +1243,7 @@ class DsInstance(service.Service): replacevars=vardict) # Keytab must be owned by DS itself - pent = pwd.getpwnam(DS_USER) + pent = pwd.getpwnam(self.service_user) os.chown(paths.DS_KEYTAB, pent.pw_uid, pent.pw_gid) def __get_ds_cert(self): diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 71cdcdd..2869116 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -123,7 +123,8 @@ class HTTPInstance(service.Service): super(HTTPInstance, self).__init__( "httpd", service_desc="the web interface", - fstore=fstore) + fstore=fstore, + service_user=HTTPD_USER) self.cert_nickname = cert_nickname self.ca_is_configured = True @@ -206,7 +207,7 @@ class HTTPInstance(service.Service): installutils.create_keytab(paths.IPA_KEYTAB, self.principal) self.move_service(self.principal) - pent = pwd.getpwnam(HTTPD_USER) + pent = pwd.getpwnam(self.service_user) os.chown(paths.IPA_KEYTAB, pent.pw_uid, pent.pw_gid) def remove_httpd_ccache(self): 
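Review bot: `service_user=constants.PKI_USER` in `DogtagInstance.__init__` (the @@ -114 hunk) requires `constants` to be imported in dogtaginstance.py, and the import block is outside this hunk; please confirm it is present, since this call is now the only place the PKI account is named for both CAInstance and KRAInstance (krainstance.py drops its own `constants` import in this same commit). A one-line comment on the argument would make that dependency visible to the next reader: `# account used for every pki-tomcatd file chown in the CA/KRA installers`. The rest of `__init__` lies outside the hunk.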
@@ -214,7 +215,8 @@ class HTTPInstance(service.Service): # Make sure that empty env is passed to avoid passing KRB5CCNAME from # current env ipautil.run( - [paths.KDESTROY, '-A'], runas=HTTPD_USER, raiseonerr=False, env={}) + [paths.KDESTROY, '-A'], runas=self.service_user, raiseonerr=False, + env={}) def __configure_http(self): self.update_httpd_service_ipa_conf() @@ -326,7 +328,7 @@ class HTTPInstance(service.Service): self.fix_cert_db_perms() def fix_cert_db_perms(self): - pent = pwd.getpwnam(constants.HTTPD_USER) + pent = pwd.getpwnam(self.service_user) for filename in NSS_FILES: nss_path = os.path.join(certs.NSS_DIR, filename) @@ -527,7 +529,7 @@ class HTTPInstance(service.Service): installutils.remove_keytab(paths.IPA_KEYTAB) installutils.remove_ccache(ccache_path=paths.KRB5CC_HTTPD, - run_as=HTTPD_USER) + run_as=self.service_user) # Remove the configuration files we create installutils.remove_file(paths.HTTPD_IPA_REWRITE_CONF) diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py index 2e804b7..90b1369 100644 --- a/ipaserver/install/krainstance.py +++ b/ipaserver/install/krainstance.py @@ -28,7 +28,6 @@ from six.moves.configparser import ConfigParser from ipalib import api from ipalib import x509 -from ipaplatform.constants import constants from ipaplatform.paths import paths from ipapython import certdb from ipapython import ipautil @@ -144,7 +143,7 @@ class KRAInstance(DogtagInstance): # Create an empty and secured file (cfg_fd, cfg_file) = tempfile.mkstemp() os.close(cfg_fd) - pent = pwd.getpwnam(constants.PKI_USER) + pent = pwd.getpwnam(self.service_user) os.chown(cfg_file, pent.pw_uid, pent.pw_gid) # Create KRA configuration @@ -235,7 +234,7 @@ class KRAInstance(DogtagInstance): if self.clone: krafile = self.pkcs12_info[0] shutil.copy(krafile, p12_tmpfile_name) - pent = pwd.getpwnam(constants.PKI_USER) + pent = pwd.getpwnam(self.service_user) os.chown(p12_tmpfile_name, pent.pw_uid, pent.pw_gid) # Security domain registration 
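Review bot: Removing `from ipaplatform.constants import constants` in the @@ -28 hunk is only safe if the two `pwd.getpwnam(self.service_user)` replacements in the @@ -144 and @@ -235 hunks were the last `constants.` references in krainstance.py; the rest of the file is outside these hunks, so a leftover reference would surface as a `NameError` at runtime rather than at import. A pyflakes/pylint pass over the file, or a grep for `constants.`, would settle it before merge.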
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py index 909b8e4..79d6ceb 100644 --- a/ipaserver/install/service.py +++ b/ipaserver/install/service.py @@ -131,7 +131,8 @@ def find_providing_server(svcname, conn, host_name=None, api=api): class Service(object): def __init__(self, service_name, service_desc=None, sstore=None, - fstore=None, api=api, realm_name=None): + fstore=None, api=api, realm_name=None, + service_user=None): self.service_name = service_name self.service_desc = service_desc self.service = services.service(service_name) @@ -155,6 +156,7 @@ class Service(object): self.principal = None self.dercert = None self.api = api + self.service_user = service_user @property def admin_conn(self):
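Review bot: `self.service_user = service_user` in the @@ -155 hunk stores the new attribute without documentation, yet after this commit it decides who owns keytabs (`os.chown` in the bind, DS and HTTP installers) and which account `kdestroy` and `remove_ccache` run as, and the `None` default from the @@ -131 signature hunk only fails later as `pwd.getpwnam(None)` raising `TypeError` inside a chown. A comment at the assignment would make the contract clear: `# System account the service runs as; subclasses that chown keytabs or run commands as the service must pass it to __init__ (None = not applicable).` If a service genuinely never needs it, leaving it None is fine; otherwise failing early with a message that names the service would be friendlier than the TypeError.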