IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Use /etc/ipa/nssdb to get nicknames of IPA certs installed in /etc/pki/nssdb

Browse Source 
Previously a list of nicknames was kept in /etc/pki/nssdb/ipa.txt. The file
is removed now.

https://fedorahosted.org/freeipa/ticket/3259

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This commit is contained in:
Jan Cholasta 2014-09-22 11:13:15 +02:00 committed by Martin Kosek
parent 9c07228084
commit 483ebf9cea
3 changed files with 43 additions and 97 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

78
ipa-client/ipa-install/ipa-client-install
View File

@ -226,41 +226,6 @@ def logging_setup(options):
def log_service_error(name, action, error): def log_service_error(name, action, error):
root_logger.error("%s failed to %s: %s", name, action, str(error)) root_logger.error("%s failed to %s: %s", name, action, str(error))
def purge_ipa_certs(additional=[]):
filename = paths.NSSDB_IPA_TXT
if file_exists(filename):
try:
with open(filename, 'r') as f:
lines = f.readlines()
except IOError, e:
root_logger.error("Failed to open %s: %s", filename, e)
return False
finally:
try:
os.unlink(filename)
except OSError, e:
root_logger.error("Failed to remove %s: %s", filename, e)
return False
else:
lines = []
nicknames = set(additional)
for line in lines:
nickname = line.strip()
if nickname:
nicknames.add(nickname)
sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
for nickname in nicknames:
while sys_db.has_nickname(nickname):
try:
sys_db.delete_cert(nickname)
except Exception, e:
root_logger.error(
"Failed to remove %s from /etc/pki/nssdb: %s", nickname, e)
return True
def cert_summary(msg, certs, indent=' '): def cert_summary(msg, certs, indent=' '):
if msg: if msg:
s = '%s\n' % msg s = '%s\n' % msg
@ -541,16 +506,32 @@ def uninstall(options, env):
cmonger.service_name, str(e)) cmonger.service_name, str(e))
# Remove our host cert and CA cert # Remove our host cert and CA cert
for filename in (os.path.join(paths.IPA_NSSDB_DIR, 'cert8.db'), ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
os.path.join(paths.IPA_NSSDB_DIR, 'key3.db'), try:
os.path.join(paths.IPA_NSSDB_DIR, 'secmod.db'), ipa_certs = ipa_db.list_certs()
os.path.join(paths.IPA_NSSDB_DIR, 'pwdfile.txt')): except CalledProcessError, e:
root_logger.error(
"Failed to list certificates in %s: %s", ipa_db.secdir, e)
ipa_certs = []
for filename in (os.path.join(ipa_db.secdir, 'cert8.db'),
os.path.join(ipa_db.secdir, 'key3.db'),
os.path.join(ipa_db.secdir, 'secmod.db'),
os.path.join(ipa_db.secdir, 'pwdfile.txt')):
try: try:
os.remove(filename) os.remove(filename)
except OSError, e: except OSError, e:
root_logger.error("Failed to remove %s: %s", filename, e) root_logger.error("Failed to remove %s: %s", filename, e)
purge_ipa_certs({client_nss_nickname, 'IPA CA', 'External CA cert'}) sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
for nickname, trust_flags in ipa_certs:
while sys_db.has_nickname(nickname):
try:
sys_db.delete_cert(nickname)
except Exception, e:
root_logger.error("Failed to remove %s from %s: %s",
nickname, sys_db.secdir, e)
break
try: try:
cmonger.stop() cmonger.stop()
@ -2617,18 +2598,6 @@ def install(options, env, fstore, statestore):
tasks.insert_ca_certs_into_systemwide_ca_store(ca_certs) tasks.insert_ca_certs_into_systemwide_ca_store(ca_certs)
# Add the CA certificates to the default NSS database # Add the CA certificates to the default NSS database
if not purge_ipa_certs():
root_logger.info(
"Failed to remove old IPA certificates from the default NSS "
"database.")
return CLIENT_INSTALL_ERROR
try:
list_file = open(paths.NSSDB_IPA_TXT, 'w')
except IOError, e:
root_logger.error("Failed to open /etc/pki/nssdb/ipa.txt: %s", e)
return CLIENT_INSTALL_ERROR
root_logger.debug( root_logger.debug(
"Attempting to add CA certificates to the default NSS database.") "Attempting to add CA certificates to the default NSS database.")
sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR) sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
@ -2638,14 +2607,9 @@ def install(options, env, fstore, statestore):
except CalledProcessError, e: except CalledProcessError, e:
root_logger.error( root_logger.error(
"Failed to add %s to the default NSS database.", nickname) "Failed to add %s to the default NSS database.", nickname)
list_file.close()
return CLIENT_INSTALL_ERROR return CLIENT_INSTALL_ERROR
else:
list_file.write(nickname + '\n')
root_logger.info("Added CA certificates to the default NSS database.") root_logger.info("Added CA certificates to the default NSS database.")
list_file.close()
if not options.on_master: if not options.on_master:
client_dns(cli_server[0], hostname, options.dns_updates) client_dns(cli_server[0], hostname, options.dns_updates)

61
ipa-client/ipaclient/ipa_certupdate.py
View File

@ -70,49 +70,32 @@ class CertUpdate(admintool.AdminTool):
def update_client(self, certs): def update_client(self, certs):
self.update_file(paths.IPA_CA_CRT, certs) self.update_file(paths.IPA_CA_CRT, certs)
self.update_db(paths.IPA_NSSDB_DIR, certs)
ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR) sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
# Remove IPA certs from /etc/pki/nssdb
for nickname, trust_flags in ipa_db.list_certs():
while sys_db.has_nickname(nickname):
try:
sys_db.delete_cert(nickname)
except ipautil.CalledProcessError, e:
self.log.error("Failed to remove %s from %s: %s",
nickname, sys_db.secdir, e)
break
# Remove old IPA certs from /etc/ipa/nssdb
for nickname in ('IPA CA', 'External CA cert'): for nickname in ('IPA CA', 'External CA cert'):
try: while ipa_db.has_nickname(nickname):
sys_db.delete_cert(nickname)
except ipautil.CalledProcessError, e:
pass
self.update_db(paths.NSS_DB_DIR, certs)
new_nicknames = set(c[1] for c in certs)
old_nicknames = set()
if ipautil.file_exists(paths.NSSDB_IPA_TXT):
try:
list_file = open(paths.NSSDB_IPA_TXT, 'r')
except IOError, e:
self.log.error("failed to open %s: %s", paths.NSSDB_IPA_TXT, e)
else:
try: try:
lines = list_file.readlines() ipa_db.delete_cert(nickname)
except IOError, e: except ipautil.CalledProcessError, e:
self.log.error( self.log.error("Failed to remove %s from %s: %s",
"failed to read %s: %s", paths.NSSDB_IPA_TXT, e) nickname, ipa_db.secdir, e)
else: break
for line in lines:
nickname = line.strip() self.update_db(ipa_db.secdir, certs)
if nickname: self.update_db(sys_db.secdir, certs)
old_nicknames.add(nickname)
list_file.close()
if new_nicknames != old_nicknames:
try:
list_file = open(paths.NSSDB_IPA_TXT, 'w')
except IOError, e:
self.log.error("failed to open %s: %s", paths.NSSDB_IPA_TXT, e)
else:
try:
for nickname in new_nicknames:
list_file.write(nickname + '\n')
except IOError, e:
self.log.error(
"failed to write %s: %s", paths.NSSDB_IPA_TXT, e)
list_file.close()
tasks.remove_ca_certs_from_systemwide_ca_store() tasks.remove_ca_certs_from_systemwide_ca_store()
tasks.insert_ca_certs_into_systemwide_ca_store(certs) tasks.insert_ca_certs_into_systemwide_ca_store(certs)

1
ipaplatform/base/paths.py
View File

@ -85,7 +85,6 @@ class BasePathNamespace(object):
NSSDB_CERT8_DB = "/etc/pki/nssdb/cert8.db" NSSDB_CERT8_DB = "/etc/pki/nssdb/cert8.db"
NSSDB_KEY3_DB = "/etc/pki/nssdb/key3.db" NSSDB_KEY3_DB = "/etc/pki/nssdb/key3.db"
NSSDB_SECMOD_DB = "/etc/pki/nssdb/secmod.db" NSSDB_SECMOD_DB = "/etc/pki/nssdb/secmod.db"
NSSDB_IPA_TXT = "/etc/pki/nssdb/ipa.txt"
PKI_TOMCAT = "/etc/pki/pki-tomcat" PKI_TOMCAT = "/etc/pki/pki-tomcat"
PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias/" PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias/"
PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf" PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf"