certdb: move IPA NSS DB install functions to ipaclient.install

The create_ipa_nssdb() and update_ipa_nssdb() depend on ipaplatform. Move them to ipaclient.install.client as they are used only from the client installer and ipa-restore. https://fedorahosted.org/freeipa/ticket/6474 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2025-02-25 18:55:28 -06:00 · 2016-11-23 06:23:47 +01:00
parent 26c46a447f
commit fba6c21da3
4 changed files with 53 additions and 52 deletions
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -2300,6 +2300,54 @@ def install_check(options):
        raise ScriptError(rval=CLIENT_INSTALL_ERROR)


+def create_ipa_nssdb():
+    db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
+    pwdfile = os.path.join(db.secdir, 'pwdfile.txt')
+
+    ipautil.backup_file(pwdfile)
+    ipautil.backup_file(os.path.join(db.secdir, 'cert8.db'))
+    ipautil.backup_file(os.path.join(db.secdir, 'key3.db'))
+    ipautil.backup_file(os.path.join(db.secdir, 'secmod.db'))
+
+    with open(pwdfile, 'w') as f:
+        f.write(ipautil.ipa_generate_password(pwd_len=40))
+    os.chmod(pwdfile, 0o600)
+
+    db.create_db(pwdfile)
+    os.chmod(os.path.join(db.secdir, 'cert8.db'), 0o644)
+    os.chmod(os.path.join(db.secdir, 'key3.db'), 0o644)
+    os.chmod(os.path.join(db.secdir, 'secmod.db'), 0o644)
+
+
+def update_ipa_nssdb():
+    ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
+    sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
+
+    if not os.path.exists(os.path.join(ipa_db.secdir, 'cert8.db')):
+        create_ipa_nssdb()
+
+    for nickname, trust_flags in (('IPA CA', 'CT,C,C'),
+                                  ('External CA cert', 'C,,')):
+        try:
+            cert = sys_db.get_cert(nickname)
+        except RuntimeError:
+            continue
+        try:
+            ipa_db.add_cert(cert, nickname, trust_flags)
+        except ipautil.CalledProcessError as e:
+            raise RuntimeError("Failed to add %s to %s: %s" %
+                               (nickname, ipa_db.secdir, e))
+
+    # Remove IPA certs from /etc/pki/nssdb
+    for nickname, trust_flags in ipa_db.list_certs():
+        while sys_db.has_nickname(nickname):
+            try:
+                sys_db.delete_cert(nickname)
+            except ipautil.CalledProcessError as e:
+                raise RuntimeError("Failed to remove %s from %s: %s" %
+                                   (nickname, sys_db.secdir, e))
+
+
 def install(options):
    try:
        _install(options)
@@ -2708,7 +2756,7 @@ def _install(options):

    # Create IPA NSS database
    try:
-        certdb.create_ipa_nssdb()
+        create_ipa_nssdb()
    except ipautil.CalledProcessError as e:
        root_logger.error("Failed to create IPA NSS database: %s", e)
        return CLIENT_INSTALL_ERROR