Prevent set_directive from clobbering other keys

`set_directive` only looks for a prefix of the line matching the given directive (key). If a directive is encountered for which the given key is prefix, it will be vanquished. This occurs in the case of `{ca,kra}.sslserver.cert[req]`; the `cert` directive gets updated after certificate renewal, and the `certreq` directive gets clobbered. This can cause failures later on during KRA installation, and possibly cloning. Match the whole directive to avoid this issue. Fixes: https://pagure.io/freeipa/issue/7288 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2025-02-25 18:55:28 -06:00 · 2020-11-21 08:47:57 +11:00
parent b32a4aef86
commit 2546ef6eb0
3 changed files with 5 additions and 5 deletions
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -952,7 +952,7 @@ class CAInstance(DogtagInstance):
        installutils.set_directive(caconfig, 'ca.publish.rule.instance.FileCrlRule.enable', 'true', quotes=False, separator='=')
        installutils.set_directive(caconfig, 'ca.publish.rule.instance.FileCrlRule.mapper', 'NoMap', quotes=False, separator='=')
        installutils.set_directive(caconfig, 'ca.publish.rule.instance.FileCrlRule.pluginName', 'Rule', quotes=False, separator='=')
-        installutils.set_directive(caconfig, 'ca.publish.rule.instance.FileCrlRule.predicate=', '', quotes=False, separator='')
+        installutils.set_directive(caconfig, 'ca.publish.rule.instance.FileCrlRule.predicate', '', quotes=False, separator='=')
        installutils.set_directive(caconfig, 'ca.publish.rule.instance.FileCrlRule.publisher', 'FileBaseCRLPublisher', quotes=False, separator='=')
        installutils.set_directive(caconfig, 'ca.publish.rule.instance.FileCrlRule.type', 'crl', quotes=False, separator='=')

--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -214,7 +214,7 @@ class DogtagInstance(service.Service):
                separator='=')
            # Remove internaldb password as is not needed anymore
            installutils.set_directive(paths.PKI_TOMCAT_PASSWORD_CONF,
-                                       'internaldb', None)
+                                       'internaldb', None, separator='=')

    def uninstall(self):
        if self.is_installed():
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -441,7 +441,7 @@ def set_directive(filename, directive, value, quotes=True, separator=' '):

    A value of None means to drop the directive.

-    This has only been tested with nss.conf
+    Does not tolerate (or put) spaces around the separator.

    :param filename: input filename
    :param directive: directive name
@@ -450,7 +450,7 @@ def set_directive(filename, directive, value, quotes=True, separator=' '):
        any existing double quotes are first escaped to avoid
        unparseable directives.
    :param separator: character serving as separator between directive and
-        value
+        value.  Correct value required even when dropping a directive.
    """

    new_directive_value = ""
@@ -465,7 +465,7 @@ def set_directive(filename, directive, value, quotes=True, separator=' '):
    fd = open(filename)
    newfile = []
    for line in fd:
-        if line.lstrip().startswith(directive):
+        if re.match(r'\s*{}'.format(re.escape(directive + separator)), line):
            valueset = True
            if value is not None:
                newfile.append(new_directive_value)