Use /etc/ipa/nssdb to get nicknames of IPA certs installed in /etc/pki/nssdb

Previously a list of nicknames was kept in /etc/pki/nssdb/ipa.txt. The file
is removed now.

https://fedorahosted.org/freeipa/ticket/3259

Reviewed-By: Rob Crittenden <rcritten@redhat.com>

ipa-client/ipa-install/ipa-client-install

@@ -226,41 +226,6 @@ def logging_setup(options):
 def log_service_error(name, action, error):
     root_logger.error("%s failed to %s: %s", name, action, str(error))
 
-def purge_ipa_certs(additional=[]):
-    filename = paths.NSSDB_IPA_TXT
-    if file_exists(filename):
-        try:
-            with open(filename, 'r') as f:
-                lines = f.readlines()
-        except IOError, e:
-            root_logger.error("Failed to open %s: %s", filename, e)
-            return False
-        finally:
-            try:
-                os.unlink(filename)
-            except OSError, e:
-                root_logger.error("Failed to remove %s: %s", filename, e)
-                return False
-    else:
-        lines = []
-
-    nicknames = set(additional)
-    for line in lines:
-        nickname = line.strip()
-        if nickname:
-            nicknames.add(nickname)
-
-    sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
-    for nickname in nicknames:
-        while sys_db.has_nickname(nickname):
-            try:
-                sys_db.delete_cert(nickname)
-            except Exception, e:
-                root_logger.error(
-                    "Failed to remove %s from /etc/pki/nssdb: %s", nickname, e)
-
-    return True
-
 def cert_summary(msg, certs, indent='    '):
     if msg:
         s = '%s\n' % msg
@@ -541,16 +506,32 @@ def uninstall(options, env):
             cmonger.service_name, str(e))
 
     # Remove our host cert and CA cert
-    for filename in (os.path.join(paths.IPA_NSSDB_DIR, 'cert8.db'),
-                     os.path.join(paths.IPA_NSSDB_DIR, 'key3.db'),
-                     os.path.join(paths.IPA_NSSDB_DIR, 'secmod.db'),
-                     os.path.join(paths.IPA_NSSDB_DIR, 'pwdfile.txt')):
+    ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
+    try:
+        ipa_certs = ipa_db.list_certs()
+    except CalledProcessError, e:
+        root_logger.error(
+            "Failed to list certificates in %s: %s", ipa_db.secdir, e)
+        ipa_certs = []
+
+    for filename in (os.path.join(ipa_db.secdir, 'cert8.db'),
+                     os.path.join(ipa_db.secdir, 'key3.db'),
+                     os.path.join(ipa_db.secdir, 'secmod.db'),
+                     os.path.join(ipa_db.secdir, 'pwdfile.txt')):
         try:
             os.remove(filename)
         except OSError, e:
             root_logger.error("Failed to remove %s: %s", filename, e)
 
-    purge_ipa_certs({client_nss_nickname, 'IPA CA', 'External CA cert'})
+    sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
+    for nickname, trust_flags in ipa_certs:
+        while sys_db.has_nickname(nickname):
+            try:
+                sys_db.delete_cert(nickname)
+            except Exception, e:
+                root_logger.error("Failed to remove %s from %s: %s",
+                                  nickname, sys_db.secdir, e)
+                break
 
     try:
         cmonger.stop()
@@ -2617,18 +2598,6 @@ def install(options, env, fstore, statestore):
     tasks.insert_ca_certs_into_systemwide_ca_store(ca_certs)
 
     # Add the CA certificates to the default NSS database
-    if not purge_ipa_certs():
-        root_logger.info(
-            "Failed to remove old IPA certificates from the default NSS "
-            "database.")
-        return CLIENT_INSTALL_ERROR
-
-    try:
-        list_file = open(paths.NSSDB_IPA_TXT, 'w')
-    except IOError, e:
-        root_logger.error("Failed to open /etc/pki/nssdb/ipa.txt: %s", e)
-        return CLIENT_INSTALL_ERROR
-
     root_logger.debug(
         "Attempting to add CA certificates to the default NSS database.")
     sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
@@ -2638,14 +2607,9 @@ def install(options, env, fstore, statestore):
         except CalledProcessError, e:
             root_logger.error(
                 "Failed to add %s to the default NSS database.", nickname)
-            list_file.close()
             return CLIENT_INSTALL_ERROR
-        else:
-            list_file.write(nickname + '\n')
     root_logger.info("Added CA certificates to the default NSS database.")
 
-    list_file.close()
-
     if not options.on_master:
         client_dns(cli_server[0], hostname, options.dns_updates)
 

ipa-client/ipaclient/ipa_certupdate.py

@@ -70,49 +70,32 @@ class CertUpdate(admintool.AdminTool):
 
     def update_client(self, certs):
         self.update_file(paths.IPA_CA_CRT, certs)
-        self.update_db(paths.IPA_NSSDB_DIR, certs)
 
+        ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
         sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
+
+        # Remove IPA certs from /etc/pki/nssdb
+        for nickname, trust_flags in ipa_db.list_certs():
+            while sys_db.has_nickname(nickname):
+                try:
+                    sys_db.delete_cert(nickname)
+                except ipautil.CalledProcessError, e:
+                    self.log.error("Failed to remove %s from %s: %s",
+                                   nickname, sys_db.secdir, e)
+                    break
+
+        # Remove old IPA certs from /etc/ipa/nssdb
         for nickname in ('IPA CA', 'External CA cert'):
-            try:
-                sys_db.delete_cert(nickname)
-            except ipautil.CalledProcessError, e:
-                pass
-
-        self.update_db(paths.NSS_DB_DIR, certs)
-
-        new_nicknames = set(c[1] for c in certs)
-        old_nicknames = set()
-        if ipautil.file_exists(paths.NSSDB_IPA_TXT):
-            try:
-                list_file = open(paths.NSSDB_IPA_TXT, 'r')
-            except IOError, e:
-                self.log.error("failed to open %s: %s", paths.NSSDB_IPA_TXT, e)
-            else:
+            while ipa_db.has_nickname(nickname):
                 try:
-                    lines = list_file.readlines()
-                except IOError, e:
-                    self.log.error(
-                        "failed to read %s: %s", paths.NSSDB_IPA_TXT, e)
-                else:
-                    for line in lines:
-                        nickname = line.strip()
-                        if nickname:
-                            old_nicknames.add(nickname)
-                list_file.close()
-        if new_nicknames != old_nicknames:
-            try:
-                list_file = open(paths.NSSDB_IPA_TXT, 'w')
-            except IOError, e:
-                self.log.error("failed to open %s: %s", paths.NSSDB_IPA_TXT, e)
-            else:
-                try:
-                    for nickname in new_nicknames:
-                        list_file.write(nickname + '\n')
-                except IOError, e:
-                    self.log.error(
-                        "failed to write %s: %s", paths.NSSDB_IPA_TXT, e)
-                list_file.close()
+                    ipa_db.delete_cert(nickname)
+                except ipautil.CalledProcessError, e:
+                    self.log.error("Failed to remove %s from %s: %s",
+                                   nickname, ipa_db.secdir, e)
+                    break
+
+        self.update_db(ipa_db.secdir, certs)
+        self.update_db(sys_db.secdir, certs)
 
         tasks.remove_ca_certs_from_systemwide_ca_store()
         tasks.insert_ca_certs_into_systemwide_ca_store(certs)

ipaplatform/base/paths.py

@@ -85,7 +85,6 @@ class BasePathNamespace(object):
     NSSDB_CERT8_DB = "/etc/pki/nssdb/cert8.db"
     NSSDB_KEY3_DB = "/etc/pki/nssdb/key3.db"
     NSSDB_SECMOD_DB = "/etc/pki/nssdb/secmod.db"
-    NSSDB_IPA_TXT = "/etc/pki/nssdb/ipa.txt"
     PKI_TOMCAT = "/etc/pki/pki-tomcat"
     PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias/"
     PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf"