From 734afdf936913726b0310ca1d24731b1bdf1b5bd Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Wed, 17 Sep 2014 15:04:11 +0200
Subject: Remove ipa-ca.crt from systemwide CA store on client uninstall and cert update
The file was used by previous versions of IPA to provide the IPA CA certificate to p11-kit and has since been obsoleted by ipa.p11-kit, a file which contains all the CA certificates and associated trust policy from the LDAP certificate store. Since p11-kit is hooked into /etc/httpd/alias, ipa-ca.crt must be removed to prevent certificate import failures in installer code. Also add ipa.p11-kit to the files owned by the freeipa-python package.
https://fedorahosted.org/freeipa/ticket/3259
Reviewed-By: Rob Crittenden
---
 ipaplatform/base/paths.py | 1 +
 ipaplatform/fedora/tasks.py | 38 ++++++++++++++++++++++++++++----------
 2 files changed, 29 insertions(+), 10 deletions(-)
(limited to 'ipaplatform')
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index a810e6573..1d936016a 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -80,6 +80,7 @@ class BasePathNamespace(object):
 PAM_LDAP_CONF = "/etc/pam_ldap.conf"
 PASSWD = "/etc/passwd"
 ETC_PKI_CA_DIR = "/etc/pki-ca"
+ SYSTEMWIDE_CA_STORE = "/etc/pki/ca-trust/source/anchors/"
 IPA_P11_KIT = "/etc/pki/ca-trust/source/ipa.p11-kit"
 NSS_DB_DIR = "/etc/pki/nssdb"
 NSSDB_CERT8_DB = "/etc/pki/nssdb/cert8.db"
diff --git a/ipaplatform/fedora/tasks.py b/ipaplatform/fedora/tasks.py
index 9f4a76b82..351f523c1 100644
--- a/ipaplatform/fedora/tasks.py
+++ b/ipaplatform/fedora/tasks.py
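Review bot: `SYSTEMWIDE_CA_STORE` is the only directory constant in this hunk carrying a trailing slash; `ETC_PKI_CA_DIR` and `NSS_DB_DIR` right beside it have none. `os.path.join` tolerates it, but any caller that concatenates or compares the value by hand will produce or miss a doubled slash, so `SYSTEMWIDE_CA_STORE = "/etc/pki/ca-trust/source/anchors"` keeps the namespace consistent with its neighbours. The hunk is a fragment of BasePathNamespace, whose class body continues outside it.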
@@ -158,6 +158,16 @@ class FedoraTaskNamespace(BaseTaskNamespace):
 auth_config.execute()
 def insert_ca_certs_into_systemwide_ca_store(self, ca_certs):
+ new_cacert_path = os.path.join(paths.SYSTEMWIDE_CA_STORE, 'ipa-ca.crt')
+
+ if os.path.exists(new_cacert_path):
+ try:
+ os.remove(new_cacert_path)
+ except OSError, e:
+ root_logger.error( "Could not remove %s: %s", new_cacert_path, e)
+ return False
+
 new_cacert_path = paths.IPA_P11_KIT
 try:
@@ -250,25 +260,33 @@ class FedoraTaskNamespace(BaseTaskNamespace):
 return False
 def remove_ca_certs_from_systemwide_ca_store(self):
- new_cacert_path = paths.IPA_P11_KIT
+ ipa_ca_crt = os.path.join(paths.SYSTEMWIDE_CA_STORE, 'ipa-ca.crt')
+ update = False
 # Remove CA cert from systemwide store
- if os.path.exists(new_cacert_path):
+ for new_cacert_path in (paths.IPA_P11_KIT, ipa_ca_crt):
+ if not os.path.exists(new_cacert_path):
+ continue
 try:
 os.remove(new_cacert_path)
- ipautil.run([paths.UPDATE_CA_TRUST])
 except OSError, e:
- root_logger.error('Could not remove: %s, %s' % (new_cacert_path, str(e)))
- return False
+ root_logger.error( "Could not remove %s: %s", new_cacert_path, e)
+ else:
+ update = True
+
+ if update:
+ try:
+ ipautil.run([paths.UPDATE_CA_TRUST])
 except CalledProcessError, e:
- root_logger.error('Could not update systemwide CA trust ' 'database: %s' % str(e))
+ root_logger.error( "Could not update systemwide CA trust database: %s", e)
 return False
 else:
- root_logger.info('Systemwide CA database updated.')
+ root_logger.info("Systemwide CA database updated.")
+ return True
- return True
+ return False
 def backup_and_replace_hostname(self, fstore, statestore, hostname):
 old_hostname = socket.gethostname()
-- cgit
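Review bot: The added block deletes the legacy anchors/ipa-ca.crt before the replacement exists, so if the ipa.p11-kit write that presumably follows `new_cacert_path = paths.IPA_P11_KIT` (outside the hunk) fails, a host upgrading from a version that only had ipa-ca.crt is left with no systemwide copy of the IPA CA at all instead of the obsolete one. Moving the removal to after the new file has been written successfully keeps a trust anchor present throughout, and the early `return False` on a failed unlink would then no longer abort the install before the new file is even attempted. Separately, `os.path.exists` is False for a dangling symlink, so such an ipa-ca.crt would survive this cleanup; `os.path.lexists(new_cacert_path)` covers that case with a one-word change. The body of insert_ca_certs_into_systemwide_ca_store continues past the end of the hunk.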
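Review bot: A failed unlink is now only logged, so when anchors/ipa-ca.crt is removed but ipa.p11-kit is not (an OSError on the loop's first iteration), `update` is still True, update-ca-trust runs and the function returns True — the uninstall reports success while the IPA CA stays a trusted anchor on the host. The pre-change code returned False on any OSError; preserving that signal needs a second flag: `failed = False` next to `update = False`, `failed = True` after the error log in the `except OSError` branch, and the success-path `return True` after the "Systemwide CA database updated." log becomes `return not failed`. Note also that the rewritten function returns False when neither file existed, where the old code returned True; if callers treat False as a failure this may be an unintended change. remove_ca_certs_from_systemwide_ca_store lies entirely within the hunk.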