From 3d7ff982ec281935ca3c2b55eea03a08723fe1e2 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 23 Oct 2012 16:31:37 -0400
Subject: After unininstall see if certmonger is still tracking any of our
 certs.

Rather than providing a list of nicknames I'm going to look at the NSS
databases directly. Anything in there is suspect and this will help
future-proof us.

certmonger may be tracking other certificates but we only care about
a subset of them, so don't complain if there are other tracked certificates.

This reads the certmonger files directly so the service doesn't need
to be started.

https://fedorahosted.org/freeipa/ticket/2702
---
 ipapython/certmonger.py | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

(limited to 'ipapython/certmonger.py')

diff --git a/ipapython/certmonger.py b/ipapython/certmonger.py
index 9cc4466c..22678dad 100644
--- a/ipapython/certmonger.py
+++ b/ipapython/certmonger.py
@@ -114,6 +114,27 @@ def get_request_id(criteria):
 
     return reqid
 
+def get_requests_for_dir(dir):
+    """
+    Return a list containing the request ids for a given NSS database
+    directory.
+    """
+    reqid=[]
+    fileList=os.listdir(REQUEST_DIR)
+    for file in fileList:
+        rv = find_request_value(os.path.join(REQUEST_DIR, file),
+                                'cert_storage_location')
+        if rv is None:
+            continue
+        rv = os.path.abspath(rv).rstrip()
+        if rv != dir:
+            continue
+        id = find_request_value(os.path.join(REQUEST_DIR, file), 'id')
+        if id is not None:
+            reqid.append(id.rstrip())
+
+    return reqid
+
 def add_request_value(request_id, directive, value):
     """
     Add a new directive to a certmonger request file.
@@ -393,6 +414,21 @@ def dogtag_start_tracking(ca, nickname, pin, pinfile, secdir, command):
 
     (stdout, stderr, returncode) = ipautil.run(args, nolog=[pin])
 
+def check_state(dirs):
+    """
+    Given a set of directories and nicknames verify that we are no longer
+    tracking certificates.
+
+    dirs is a list of directories to test for. We will return a tuple
+    of nicknames for any tracked certificates found.
+
+    This can only check for NSS-based certificates.
+    """
+    reqids = []
+    for dir in dirs:
+        reqids.extend(get_requests_for_dir(dir))
+
+    return reqids
 
 if __name__ == '__main__':
     request_id = request_cert("/etc/httpd/alias", "Test", "cn=tiger.example.com,O=IPA", "HTTP/tiger.example.com@EXAMPLE.COM")
-- 
cgit