authorRob Crittenden <rcritten@redhat.com>2012-10-23 16:31:37 -0400
committerRob Crittenden <rcritten@redhat.com>2012-11-01 10:52:30 -0400
commit71cc3d08a80f0bcaafc9537ca7a1953ca1d3191d (patch)
treee64af7ee923bc6da0b80a56e21e2547bab24c6fa /ipapython
parent1f1918f97147a9c63b4e8110aa404acc6f7d0324 (diff)
downloadfreeipa.git-71cc3d08a80f0bcaafc9537ca7a1953ca1d3191d.tar.gz
freeipa.git-71cc3d08a80f0bcaafc9537ca7a1953ca1d3191d.tar.xz
freeipa.git-71cc3d08a80f0bcaafc9537ca7a1953ca1d3191d.zip
After uninstall see if certmonger is still tracking any of our certs.
Rather than providing a list of nicknames I'm going to look at the NSS databases directly. Anything in there is suspect and this will help future-proof us. certmonger may be tracking other certificates but we only care about a subset of them, so don't complain if there are other tracked certificates. This reads the certmonger files directly so the service doesn't need to be started. https://fedorahosted.org/freeipa/ticket/2702
Diffstat (limited to 'ipapython')
-rw-r--r--ipapython/certmonger.py36
1 files changed, 36 insertions, 0 deletions
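--- a/ipapython/certmonger.py
+++ b/ipapython/certmonger.py
@@ -114,6 +114,27 @@ def get_request_id(criteria):
 return reqid
+def get_requests_for_dir(dir):
+ """
+ Return a list containing the request ids for a given NSS database
+ directory.
+ """
+ reqid=[]
+ fileList=os.listdir(REQUEST_DIR)
+ for file in fileList:
+ rv = find_request_value(os.path.join(REQUEST_DIR, file),
+ 'cert_storage_location')
+ if rv is None:
+ continue
+ rv = os.path.abspath(rv).rstrip()
+ if rv != dir:
+ continue
+ id = find_request_value(os.path.join(REQUEST_DIR, file), 'id')
+ if id is not None:
+ reqid.append(id.rstrip())
+
+ return reqid
+
 def add_request_value(request_id, directive, value):
 """
 Add a new directive to a certmonger request file.
@@ -393,6 +414,21 @@ def dogtag_start_tracking(ca, nickname, pin, pinfile, secdir, command):
 (stdout, stderr, returncode) = ipautil.run(args, nolog=[pin])
+def check_state(dirs):
+ """
+ Given a set of directories and nicknames verify that we are no longer
+ tracking certificates.
+
+ dirs is a list of directories to test for. We will return a tuple
+ of nicknames for any tracked certificates found.
+
+ This can only check for NSS-based certificates.
+ """
+ reqids = []
+ for dir in dirs:
+ reqids.extend(get_requests_for_dir(dir))
+
+ return reqids
 if __name__ == '__main__':
 request_id = request_cert("/etc/httpd/alias", "Test", "cn=tiger.example.com,O=IPA", "HTTP/tiger.example.com@EXAMPLE.COM")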
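Review bot: In get_requests_for_dir (first hunk) the line `rv = os.path.abspath(rv).rstrip()` normalises the path before stripping, so if the stored cert_storage_location carries a trailing newline (which the `.rstrip()` on the id value suggests), a value like `/etc/httpd/alias/` plus newline keeps its trailing slash after normpath and never matches; the caller's `dir` is also compared verbatim without the same normalisation. Strip first and normalise both sides: `rv = os.path.abspath(rv.rstrip())` and `if rv != os.path.abspath(dir):`. `os.listdir(REQUEST_DIR)` raises OSError when the request directory does not exist (certmonger never installed), and check_state in the second hunk passes that straight to the uninstall caller; an explicit `if not os.path.isdir(REQUEST_DIR): return reqid` would turn that case into a clean "nothing tracked" result. The check_state docstring in the second hunk speaks of nicknames and a tuple, but the function takes only directories and returns the list of request ids collected from get_requests_for_dir; it should describe that contract instead.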