author | Jan Cholasta <jcholast@redhat.com> | 2014-09-22 11:13:15 +0200 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2014-09-30 10:01:38 +0200 |
commit | f40a0ad325fa2cb1700c264a562350da48ccc066 (patch) | |
tree | 2f368004af1a96e27c86ed14e74c9ac111651dea /ipa-client/ipa-install/ipa-client-install | |
parent | bbf962299d23071f238eadbbec4922100cc7c6e8 (diff) | |
Use /etc/ipa/nssdb to get nicknames of IPA certs installed in /etc/pki/nssdb
Previously a list of nicknames was kept in /etc/pki/nssdb/ipa.txt. That file
is no longer written or read; the nicknames are now taken from /etc/ipa/nssdb.
https://fedorahosted.org/freeipa/ticket/3259
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Diffstat (limited to 'ipa-client/ipa-install/ipa-client-install')
-rwxr-xr-x | ipa-client/ipa-install/ipa-client-install | 78 |
1 files changed, 21 insertions, 57 deletions
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 22085ecfe..2e59df995 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -226,41 +226,6 @@ def logging_setup(options):
 def log_service_error(name, action, error):
     root_logger.error("%s failed to %s: %s", name, action, str(error))
 
-def purge_ipa_certs(additional=[]):
-    filename = paths.NSSDB_IPA_TXT
-    if file_exists(filename):
-        try:
-            with open(filename, 'r') as f:
-                lines = f.readlines()
-        except IOError, e:
-            root_logger.error("Failed to open %s: %s", filename, e)
-            return False
-        finally:
-            try:
-                os.unlink(filename)
-            except OSError, e:
-                root_logger.error("Failed to remove %s: %s", filename, e)
-                return False
-    else:
-        lines = []
-
-    nicknames = set(additional)
-    for line in lines:
-        nickname = line.strip()
-        if nickname:
-            nicknames.add(nickname)
-
-    sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
-    for nickname in nicknames:
-        while sys_db.has_nickname(nickname):
-            try:
-                sys_db.delete_cert(nickname)
-            except Exception, e:
-                root_logger.error(
-                    "Failed to remove %s from /etc/pki/nssdb: %s", nickname, e)
-
-    return True
-
 def cert_summary(msg, certs, indent=' '):
     if msg:
         s = '%s\n' % msg
@@ -541,16 +506,32 @@ def uninstall(options, env):
                         cmonger.service_name, str(e))
 
     # Remove our host cert and CA cert
-    for filename in (os.path.join(paths.IPA_NSSDB_DIR, 'cert8.db'),
-                     os.path.join(paths.IPA_NSSDB_DIR, 'key3.db'),
-                     os.path.join(paths.IPA_NSSDB_DIR, 'secmod.db'),
-                     os.path.join(paths.IPA_NSSDB_DIR, 'pwdfile.txt')):
+    ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
+    try:
+        ipa_certs = ipa_db.list_certs()
+    except CalledProcessError, e:
+        root_logger.error(
+            "Failed to list certificates in %s: %s", ipa_db.secdir, e)
+        ipa_certs = []
+
+    for filename in (os.path.join(ipa_db.secdir, 'cert8.db'),
+                     os.path.join(ipa_db.secdir, 'key3.db'),
+                     os.path.join(ipa_db.secdir, 'secmod.db'),
+                     os.path.join(ipa_db.secdir, 'pwdfile.txt')):
         try:
             os.remove(filename)
         except OSError, e:
             root_logger.error("Failed to remove %s: %s", filename, e)
 
-    purge_ipa_certs({client_nss_nickname, 'IPA CA', 'External CA cert'})
+    sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
+    for nickname, trust_flags in ipa_certs:
+        while sys_db.has_nickname(nickname):
+            try:
+                sys_db.delete_cert(nickname)
+            except Exception, e:
+                root_logger.error("Failed to remove %s from %s: %s",
+                                  nickname, sys_db.secdir, e)
+                break
 
     try:
         cmonger.stop()
@@ -2617,18 +2598,6 @@ def install(options, env, fstore, statestore):
     tasks.insert_ca_certs_into_systemwide_ca_store(ca_certs)
 
     # Add the CA certificates to the default NSS database
-    if not purge_ipa_certs():
-        root_logger.info(
-            "Failed to remove old IPA certificates from the default NSS "
-            "database.")
-        return CLIENT_INSTALL_ERROR
-
-    try:
-        list_file = open(paths.NSSDB_IPA_TXT, 'w')
-    except IOError, e:
-        root_logger.error("Failed to open /etc/pki/nssdb/ipa.txt: %s", e)
-        return CLIENT_INSTALL_ERROR
-
     root_logger.debug(
         "Attempting to add CA certificates to the default NSS database.")
     sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
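Review bot: In the uninstall hunk, when `ipa_db.list_certs()` raises `CalledProcessError` the code sets `ipa_certs = []`, deletes the /etc/ipa/nssdb files anyway, and then the loop over `sys_db` removes nothing, so the IPA CA (and presumably the host cert) stays trusted in /etc/pki/nssdb after uninstall with only an error logged; the same happens on a client whose /etc/ipa/nssdb is missing or empty, e.g. one set up before that database existed, though that case is inferred rather than visible here. The removed `purge_ipa_certs({client_nss_nickname, 'IPA CA', 'External CA cert'})` call tried those nicknames unconditionally, so this is a regression in how thoroughly uninstall cleans the system-wide trust store. I would seed the nickname set with the previously hard-coded names and add whatever `list_certs()` returns, so the fallback is at least as thorough as before; the unused `trust_flags` then disappears too. `uninstall` starts and ends outside this hunk.
```python
    ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
    # Known IPA nicknames as a floor, so the system NSS DB is still cleaned
    # when /etc/ipa/nssdb cannot be listed (or never existed).
    nicknames = {client_nss_nickname, 'IPA CA', 'External CA cert'}
    try:
        nicknames.update(nick for nick, trust_flags in ipa_db.list_certs())
    except CalledProcessError, e:
        root_logger.error(
            "Failed to list certificates in %s: %s", ipa_db.secdir, e)
    # … unchanged: removal of cert8.db/key3.db/secmod.db/pwdfile.txt …
    sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
    for nickname in nicknames:
        # … unchanged: has_nickname/delete_cert loop …
```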
@@ -2638,14 +2607,9 @@ def install(options, env, fstore, statestore):
         except CalledProcessError, e:
             root_logger.error(
                 "Failed to add %s to the default NSS database.", nickname)
-            list_file.close()
             return CLIENT_INSTALL_ERROR
-        else:
-            list_file.write(nickname + '\n')
     root_logger.info("Added CA certificates to the default NSS database.")
-    list_file.close()
-
     if not options.on_master:
         client_dns(cli_server[0], hostname, options.dns_updates)