From f40a0ad325fa2cb1700c264a562350da48ccc066 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Mon, 22 Sep 2014 11:13:15 +0200 Subject: Use /etc/ipa/nssdb to get nicknames of IPA certs installed in /etc/pki/nssdb Previously a list of nicknames was kept in /etc/pki/nssdb/ipa.txt. The file is removed now. https://fedorahosted.org/freeipa/ticket/3259 Reviewed-By: Rob Crittenden --- ipa-client/ipa-install/ipa-client-install | 78 +++++++++---------------------- ipa-client/ipaclient/ipa_certupdate.py | 59 +++++++++-------------- 2 files changed, 42 insertions(+), 95 deletions(-) (limited to 'ipa-client') diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 22085ecfe..2e59df995 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -226,41 +226,6 @@ def logging_setup(options): def log_service_error(name, action, error): root_logger.error("%s failed to %s: %s", name, action, str(error)) -def purge_ipa_certs(additional=[]): - filename = paths.NSSDB_IPA_TXT - if file_exists(filename): - try: - with open(filename, 'r') as f: - lines = f.readlines() - except IOError, e: - root_logger.error("Failed to open %s: %s", filename, e) - return False - finally: - try: - os.unlink(filename) - except OSError, e: - root_logger.error("Failed to remove %s: %s", filename, e) - return False - else: - lines = [] - - nicknames = set(additional) - for line in lines: - nickname = line.strip() - if nickname: - nicknames.add(nickname) - - sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR) - for nickname in nicknames: - while sys_db.has_nickname(nickname): - try: - sys_db.delete_cert(nickname) - except Exception, e: - root_logger.error( - "Failed to remove %s from /etc/pki/nssdb: %s", nickname, e) - - return True - def cert_summary(msg, certs, indent=' '): if msg: s = '%s\n' % msg 
@@ -541,16 +506,32 @@ def uninstall(options, env): cmonger.service_name, str(e)) # Remove our host cert and CA cert - for filename in (os.path.join(paths.IPA_NSSDB_DIR, 'cert8.db'), - os.path.join(paths.IPA_NSSDB_DIR, 'key3.db'), - os.path.join(paths.IPA_NSSDB_DIR, 'secmod.db'), - os.path.join(paths.IPA_NSSDB_DIR, 'pwdfile.txt')): + ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR) + try: + ipa_certs = ipa_db.list_certs() + except CalledProcessError, e: + root_logger.error( + "Failed to list certificates in %s: %s", ipa_db.secdir, e) + ipa_certs = [] + + for filename in (os.path.join(ipa_db.secdir, 'cert8.db'), + os.path.join(ipa_db.secdir, 'key3.db'), + os.path.join(ipa_db.secdir, 'secmod.db'), + os.path.join(ipa_db.secdir, 'pwdfile.txt')): try: os.remove(filename) except OSError, e: root_logger.error("Failed to remove %s: %s", filename, e) - purge_ipa_certs({client_nss_nickname, 'IPA CA', 'External CA cert'}) + sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR) + for nickname, trust_flags in ipa_certs: + while sys_db.has_nickname(nickname): + try: + sys_db.delete_cert(nickname) + except Exception, e: + root_logger.error("Failed to remove %s from %s: %s", + nickname, sys_db.secdir, e) + break try: cmonger.stop() @@ -2617,18 +2598,6 @@ def install(options, env, fstore, statestore): tasks.insert_ca_certs_into_systemwide_ca_store(ca_certs) # Add the CA certificates to the default NSS database - if not purge_ipa_certs(): - root_logger.info( - "Failed to remove old IPA certificates from the default NSS " - "database.") - return CLIENT_INSTALL_ERROR - - try: - list_file = open(paths.NSSDB_IPA_TXT, 'w') - except IOError, e: - root_logger.error("Failed to open /etc/pki/nssdb/ipa.txt: %s", e) - return CLIENT_INSTALL_ERROR - root_logger.debug( "Attempting to add CA certificates to the default NSS database.") sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR) 
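Review bot: When `ipa_db.list_certs()` fails, the new code logs the error and sets `ipa_certs = []`, so uninstall continues and leaves every IPA CA certificate previously added to /etc/pki/nssdb trusted by the system database; the removed `purge_ipa_certs` call always removed the fixed set `client_nss_nickname`, `'IPA CA'` and `'External CA cert'` regardless of any listing, and that fallback is gone. A minimal fix is to fall back to those known nicknames in the except branch, e.g. `ipa_certs = [(client_nss_nickname, None), ('IPA CA', None), ('External CA cert', None)]`, so a broken or already-damaged /etc/ipa/nssdb does not silently keep the CA trust in place. The removal loop catches bare `Exception` here while the equivalent loop in ipa_certupdate.py catches `ipautil.CalledProcessError`; the two should agree, and `trust_flags` is unused so `for nickname, _ in ipa_certs:` reads clearer. Nothing in the visible hunks unlinks `paths.NSSDB_IPA_TXT` anymore (the old function did), so on a client installed by an earlier version the stale list file appears to be left behind unless it is handled elsewhere. The uninstall function continues outside this hunk.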
@@ -2638,14 +2607,9 @@ def install(options, env, fstore, statestore): except CalledProcessError, e: root_logger.error( "Failed to add %s to the default NSS database.", nickname) - list_file.close() return CLIENT_INSTALL_ERROR - else: - list_file.write(nickname + '\n') root_logger.info("Added CA certificates to the default NSS database.") - list_file.close() - if not options.on_master: client_dns(cli_server[0], hostname, options.dns_updates) diff --git a/ipa-client/ipaclient/ipa_certupdate.py b/ipa-client/ipaclient/ipa_certupdate.py index f7b0e29ba..8259755b3 100644 --- a/ipa-client/ipaclient/ipa_certupdate.py +++ b/ipa-client/ipaclient/ipa_certupdate.py 
@@ -70,49 +70,32 @@ class CertUpdate(admintool.AdminTool): def update_client(self, certs): self.update_file(paths.IPA_CA_CRT, certs) - self.update_db(paths.IPA_NSSDB_DIR, certs) + ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR) sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR) - for nickname in ('IPA CA', 'External CA cert'): - try: - sys_db.delete_cert(nickname) - except ipautil.CalledProcessError, e: - pass - - self.update_db(paths.NSS_DB_DIR, certs) - new_nicknames = set(c[1] for c in certs) - old_nicknames = set() - if ipautil.file_exists(paths.NSSDB_IPA_TXT): - try: - list_file = open(paths.NSSDB_IPA_TXT, 'r') - except IOError, e: - self.log.error("failed to open %s: %s", paths.NSSDB_IPA_TXT, e) - else: + # Remove IPA certs from /etc/pki/nssdb + for nickname, trust_flags in ipa_db.list_certs(): + while sys_db.has_nickname(nickname): try: - lines = list_file.readlines() - except IOError, e: - self.log.error( - "failed to read %s: %s", paths.NSSDB_IPA_TXT, e) - else: - for line in lines: - nickname = line.strip() - if nickname: - old_nicknames.add(nickname) - list_file.close() - if new_nicknames != old_nicknames: - try: - list_file = open(paths.NSSDB_IPA_TXT, 'w') - except IOError, e: - self.log.error("failed to open %s: %s", paths.NSSDB_IPA_TXT, e) - else: + sys_db.delete_cert(nickname) + except ipautil.CalledProcessError, e: + self.log.error("Failed to remove %s from %s: %s", + nickname, sys_db.secdir, e) + break + + # Remove old IPA certs from /etc/ipa/nssdb + for nickname in ('IPA CA', 'External CA cert'): + while ipa_db.has_nickname(nickname): try: - for nickname in new_nicknames: - list_file.write(nickname + '\n') - except IOError, e: - self.log.error( - "failed to write %s: %s", paths.NSSDB_IPA_TXT, e) - list_file.close() + ipa_db.delete_cert(nickname) + except ipautil.CalledProcessError, e: + self.log.error("Failed to remove %s from %s: %s", + nickname, ipa_db.secdir, e) + break + + self.update_db(ipa_db.secdir, certs) + self.update_db(sys_db.secdir, certs) 
tasks.remove_ca_certs_from_systemwide_ca_store() tasks.insert_ca_certs_into_systemwide_ca_store(certs) -- cgit
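Review bot: `update_client` deletes the IPA certificates from /etc/pki/nssdb first and only re-adds them in the trailing `self.update_db(sys_db.secdir, certs)` call, so a failure in `ipa_db.list_certs()`, in the /etc/ipa/nssdb cleanup, or in the first `update_db` call leaves the system NSS database with the IPA CA trust removed and nothing written back; the previous version had the same delete-then-add shape, but it is worth at least guarding `ipa_db.list_certs()` with the same `except ipautil.CalledProcessError` handling the uninstall path in ipa-client-install uses, since here the exception propagates out of the method unhandled. Consider updating `ipa_db` before touching `sys_db` so the system store is the last thing modified, and logging that the system database is being left without the CA if the re-add step fails. `trust_flags` is unused in the first loop; `for nickname, _ in ipa_db.list_certs():` makes that explicit. The enclosing `CertUpdate` class continues outside this hunk.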