#
# iscsi.py - iscsi class
#
# Copyright 2005, 2006 IBM, Inc.
#
# This software may be freely redistributed under the terms of the GNU
# general public license.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#

import os
import string
import signal
import iutil
from flags import flags
import logging
import shutil
import time
log = logging.getLogger("anaconda")

from rhpl.translate import _, N_

# Note that stage2 copies all files under /sbin to /usr/sbin
ISCSID="/usr/sbin/iscsid"
ISCSIADM = "/usr/sbin/iscsiadm"
INITIATOR_FILE="/etc/iscsi/initiatorname.iscsi"

class iscsi:
    def __init__(self):
        self.targets = []
        self.initiator = ""
        self.iscsidStarted = False


    def action(self, action, ipaddr = None):
        #
        # run action for all iSCSI targets.
        #
        # For each record (line of output) in:
        #     iscsiadm -m node
        #
        # Where each line in the output is of the form:
        #     [recnum] stuff
        #
        # Issue the "action" request to recnum.
        #
        argv = [ "-m", "node" ]

        if ipaddr is not None:
            argv.extend(["-p", ipaddr])

        log.info("going to run iscsiadm: %s" %(argv,))
        records = iutil.execWithCapture(ISCSIADM, argv)
        for line in records.split("\n"):
            if line and line.find("no records found!") == -1:
                (portal, node) = line.split()
                argv = [ "-m", "node", "-T", node, "-p", portal, action ]
                log.info("going to run iscsiadm: %s" %(argv,))
                rc = iutil.execWithRedirect(ISCSIADM, argv, searchPath = 1,
                                            stdout = "/dev/tty5",
                                            stderr = "/dev/tty5")
                if rc != 0:
                    log.info("iscsiadm failed!")
                    continue

                if action != "--login":
                    continue
                
                # ... and now we have to make it start automatically
                argv = [ "-m", "node", "-T", node, "-p", portal,
                         "-o", "update", "-n", "node.conn[0].startup",
                         "-v", "automatic" ]
                iutil.execWithRedirect(ISCSIADM, argv, searchPath = 1,
                                       stdout = "/dev/tty5",
                                       stderr = "/dev/tty5")

    def shutdown(self):
        if not self.iscsidStarted:
            return

        log.info("iSCSI shutdown")
        self.action("--logout")

        # XXX use iscsiadm shutdown when it's available.
        argv = [ "--no-headers", "-C", "%s" % (ISCSID,) ]
        psout = iutil.execWithCapture("/usr/bin/ps", argv)
        for line in psout.split("\n"):
            if line:
                pid = string.atoi(string.split(line)[0])
                log.info("Killing %s %d" % (ISCSID, pid))
                os.kill(pid, signal.SIGKILL)
        self.iscsidStarted = False;

    def discoverTarget(self, ipaddr, port = "3260", intf = None):
        if not self.iscsidStarted:
            self.startup(intf)
        if flags.test:
            return
            
        argv = [ "-m", "discovery", "-t", "st", "-p", 
                 "%s:%s" % (ipaddr, port) ]
        log.info("going to run with args: %s" %(argv,))
        iutil.execWithRedirect(ISCSIADM, argv,
                               stdout = "/dev/tty5", stderr="/dev/tty5")

    def loginTarget(self, ipaddr = None):
        if flags.test:
            return
        self.action("--login", ipaddr)

    def startup(self, intf = None):
        if flags.test:
            return
        if not self.initiator:
            log.info("no initiator set")
            return
        if self.iscsidStarted:
            return
        
        log.info("iSCSI initiator name %s", self.initiator)

        if intf:
            w = intf.waitWindow(_("Initializing iSCSI initiator"),
                                _("Initializing iSCSI initiator"))

        log.debug("Setting up %s" % (INITIATOR_FILE, ))
        if os.path.exists(INITIATOR_FILE):
            os.unlink(INITIATOR_FILE)
        if not os.path.isdir("/etc/iscsi"):
            os.makedirs("/etc/iscsi", 0755)
        fd = os.open(INITIATOR_FILE, os.O_RDWR | os.O_CREAT)
        os.write(fd, "InitiatorName=%s\n" %(self.initiator))
        os.close(fd)

        log.info("ISCSID is %s", ISCSID)
        iutil.execWithRedirect(ISCSID, [],
                               stdout="/dev/tty5", stderr="/dev/tty5")
        self.iscsidStarted = True
        time.sleep(2)

        for t in self.targets:
            idx = t.rfind(":")
            if idx == -1:
                ipaddr = t
                port = "3260"
            else:
                ipaddr = t[:idx]
                port = t[idx+1:]

            self.discoverTarget(ipaddr, port, intf)
            self.loginTarget(ipaddr)

        if intf:
            w.pop()

    def writeKS(self):
        # XXX Useful if we have auto-generated kickstart files.
        return

    def write(self, instPath):
        if not self.initiator:
            return

        if not os.path.isdir(instPath + "/etc/iscsi"):
            os.makedirs(instPath + "/etc/iscsi", 0755)
        fd = os.open(instPath + INITIATOR_FILE, os.O_RDWR | os.O_CREAT)
        os.write(fd, "InitiatorName=%s\n" %(self.initiator))
        os.close(fd)

        # copy "db" files.  *sigh*
        for d in ("/etc/iscsi/nodes", "/etc/iscsi/send_targets"):
            if os.path.isdir(d):
                shutil.copytree(d, instPath + d)

# vim:tw=78:ts=4:et:sw=4
6' href='#n66'>66</a>
<a id='n67' href='#n67'>67</a>
<a id='n68' href='#n68'>68</a>
<a id='n69' href='#n69'>69</a>
<a id='n70' href='#n70'>70</a>
<a id='n71' href='#n71'>71</a>
<a id='n72' href='#n72'>72</a>
<a id='n73' href='#n73'>73</a>
<a id='n74' href='#n74'>74</a>
<a id='n75' href='#n75'>75</a>
<a id='n76' href='#n76'>76</a>
<a id='n77' href='#n77'>77</a>
<a id='n78' href='#n78'>78</a>
<a id='n79' href='#n79'>79</a>
<a id='n80' href='#n80'>80</a>
<a id='n81' href='#n81'>81</a>
<a id='n82' href='#n82'>82</a>
<a id='n83' href='#n83'>83</a>
<a id='n84' href='#n84'>84</a>
<a id='n85' href='#n85'>85</a>
<a id='n86' href='#n86'>86</a>
<a id='n87' href='#n87'>87</a>
<a id='n88' href='#n88'>88</a>
<a id='n89' href='#n89'>89</a>
<a id='n90' href='#n90'>90</a>
<a id='n91' href='#n91'>91</a>
<a id='n92' href='#n92'>92</a>
<a id='n93' href='#n93'>93</a>
<a id='n94' href='#n94'>94</a>
<a id='n95' href='#n95'>95</a>
<a id='n96' href='#n96'>96</a>
<a id='n97' href='#n97'>97</a>
<a id='n98' href='#n98'>98</a>
<a id='n99' href='#n99'>99</a>
<a id='n100' href='#n100'>100</a>
<a id='n101' href='#n101'>101</a>
<a id='n102' href='#n102'>102</a>
<a id='n103' href='#n103'>103</a>
<a id='n104' href='#n104'>104</a>
<a id='n105' href='#n105'>105</a>
<a id='n106' href='#n106'>106</a>
<a id='n107' href='#n107'>107</a>
<a id='n108' href='#n108'>108</a>
<a id='n109' href='#n109'>109</a>
<a id='n110' href='#n110'>110</a>
<a id='n111' href='#n111'>111</a>
<a id='n112' href='#n112'>112</a>
<a id='n113' href='#n113'>113</a>
<a id='n114' href='#n114'>114</a>
<a id='n115' href='#n115'>115</a>
<a id='n116' href='#n116'>116</a>
<a id='n117' href='#n117'>117</a>
<a id='n118' href='#n118'>118</a>
<a id='n119' href='#n119'>119</a>
<a id='n120' href='#n120'>120</a>
<a id='n121' href='#n121'>121</a>
<a id='n122' href='#n122'>122</a>
<a id='n123' href='#n123'>123</a>
<a id='n124' href='#n124'>124</a>
<a id='n125' href='#n125'>125</a>
<a id='n126' href='#n126'>126</a>
<a id='n127' href='#n127'>127</a>
<a id='n128' href='#n128'>128</a>
<a id='n129' href='#n129'>129</a>
<a id='n130' href='#n130'>130</a>
<a id='n131' href='#n131'>131</a>
<a id='n132' href='#n132'>132</a>
<a id='n133' href='#n133'>133</a>
<a id='n134' href='#n134'>134</a>
<a id='n135' href='#n135'>135</a>
<a id='n136' href='#n136'>136</a>
<a id='n137' href='#n137'>137</a>
<a id='n138' href='#n138'>138</a>
<a id='n139' href='#n139'>139</a>
<a id='n140' href='#n140'>140</a>
<a id='n141' href='#n141'>141</a>
<a id='n142' href='#n142'>142</a>
<a id='n143' href='#n143'>143</a>
<a id='n144' href='#n144'>144</a>
<a id='n145' href='#n145'>145</a>
<a id='n146' href='#n146'>146</a>
<a id='n147' href='#n147'>147</a>
<a id='n148' href='#n148'>148</a>
<a id='n149' href='#n149'>149</a>
<a id='n150' href='#n150'>150</a>
<a id='n151' href='#n151'>151</a>
<a id='n152' href='#n152'>152</a>
<a id='n153' href='#n153'>153</a>
<a id='n154' href='#n154'>154</a>
<a id='n155' href='#n155'>155</a>
<a id='n156' href='#n156'>156</a>
<a id='n157' href='#n157'>157</a>
<a id='n158' href='#n158'>158</a>
<a id='n159' href='#n159'>159</a>
<a id='n160' href='#n160'>160</a>
<a id='n161' href='#n161'>161</a>
<a id='n162' href='#n162'>162</a>
<a id='n163' href='#n163'>163</a>
<a id='n164' href='#n164'>164</a>
<a id='n165' href='#n165'>165</a>
<a id='n166' href='#n166'>166</a>
<a id='n167' href='#n167'>167</a>
<a id='n168' href='#n168'>168</a>
<a id='n169' href='#n169'>169</a>
<a id='n170' href='#n170'>170</a>
<a id='n171' href='#n171'>171</a>
<a id='n172' href='#n172'>172</a>
<a id='n173' href='#n173'>173</a>
<a id='n174' href='#n174'>174</a>
<a id='n175' href='#n175'>175</a>
<a id='n176' href='#n176'>176</a>
<a id='n177' href='#n177'>177</a>
<a id='n178' href='#n178'>178</a>
<a id='n179' href='#n179'>179</a>
<a id='n180' href='#n180'>180</a>
<a id='n181' href='#n181'>181</a>
<a id='n182' href='#n182'>182</a>
<a id='n183' href='#n183'>183</a>
<a id='n184' href='#n184'>184</a>
<a id='n185' href='#n185'>185</a>
<a id='n186' href='#n186'>186</a>
<a id='n187' href='#n187'>187</a>
<a id='n188' href='#n188'>188</a>
<a id='n189' href='#n189'>189</a>
<a id='n190' href='#n190'>190</a>
<a id='n191' href='#n191'>191</a>
<a id='n192' href='#n192'>192</a>
<a id='n193' href='#n193'>193</a>
<a id='n194' href='#n194'>194</a>
<a id='n195' href='#n195'>195</a>
<a id='n196' href='#n196'>196</a>
<a id='n197' href='#n197'>197</a>
<a id='n198' href='#n198'>198</a>
<a id='n199' href='#n199'>199</a>
<a id='n200' href='#n200'>200</a>
<a id='n201' href='#n201'>201</a>
<a id='n202' href='#n202'>202</a>
<a id='n203' href='#n203'>203</a>
<a id='n204' href='#n204'>204</a>
<a id='n205' href='#n205'>205</a>
<a id='n206' href='#n206'>206</a>
<a id='n207' href='#n207'>207</a>
<a id='n208' href='#n208'>208</a>
<a id='n209' href='#n209'>209</a>
<a id='n210' href='#n210'>210</a>
<a id='n211' href='#n211'>211</a>
<a id='n212' href='#n212'>212</a>
<a id='n213' href='#n213'>213</a>
<a id='n214' href='#n214'>214</a>
<a id='n215' href='#n215'>215</a>
<a id='n216' href='#n216'>216</a>
<a id='n217' href='#n217'>217</a>
<a id='n218' href='#n218'>218</a>
<a id='n219' href='#n219'>219</a>
<a id='n220' href='#n220'>220</a>
<a id='n221' href='#n221'>221</a>
<a id='n222' href='#n222'>222</a>
<a id='n223' href='#n223'>223</a>
<a id='n224' href='#n224'>224</a>
<a id='n225' href='#n225'>225</a>
<a id='n226' href='#n226'>226</a>
<a id='n227' href='#n227'>227</a>
<a id='n228' href='#n228'>228</a>
<a id='n229' href='#n229'>229</a>
<a id='n230' href='#n230'>230</a>
<a id='n231' href='#n231'>231</a>
<a id='n232' href='#n232'>232</a>
<a id='n233' href='#n233'>233</a>
<a id='n234' href='#n234'>234</a>
<a id='n235' href='#n235'>235</a>
<a id='n236' href='#n236'>236</a>
<a id='n237' href='#n237'>237</a>
<a id='n238' href='#n238'>238</a>
<a id='n239' href='#n239'>239</a>
<a id='n240' href='#n240'>240</a>
<a id='n241' href='#n241'>241</a>
<a id='n242' href='#n242'>242</a>
<a id='n243' href='#n243'>243</a>
<a id='n244' href='#n244'>244</a>
<a id='n245' href='#n245'>245</a>
<a id='n246' href='#n246'>246</a>
<a id='n247' href='#n247'>247</a>
<a id='n248' href='#n248'>248</a>
<a id='n249' href='#n249'>249</a>
<a id='n250' href='#n250'>250</a>
<a id='n251' href='#n251'>251</a>
<a id='n252' href='#n252'>252</a>
<a id='n253' href='#n253'>253</a>
<a id='n254' href='#n254'>254</a>
<a id='n255' href='#n255'>255</a>
<a id='n256' href='#n256'>256</a>
<a id='n257' href='#n257'>257</a>
<a id='n258' href='#n258'>258</a>
<a id='n259' href='#n259'>259</a>
<a id='n260' href='#n260'>260</a>
<a id='n261' href='#n261'>261</a>
<a id='n262' href='#n262'>262</a>
<a id='n263' href='#n263'>263</a>
<a id='n264' href='#n264'>264</a>
<a id='n265' href='#n265'>265</a>
<a id='n266' href='#n266'>266</a>
<a id='n267' href='#n267'>267</a>
<a id='n268' href='#n268'>268</a>
<a id='n269' href='#n269'>269</a>
<a id='n270' href='#n270'>270</a>
<a id='n271' href='#n271'>271</a>
<a id='n272' href='#n272'>272</a>
<a id='n273' href='#n273'>273</a>
<a id='n274' href='#n274'>274</a>
<a id='n275' href='#n275'>275</a>
<a id='n276' href='#n276'>276</a>
<a id='n277' href='#n277'>277</a>
<a id='n278' href='#n278'>278</a>
<a id='n279' href='#n279'>279</a>
<a id='n280' href='#n280'>280</a>
<a id='n281' href='#n281'>281</a>
<a id='n282' href='#n282'>282</a>
<a id='n283' href='#n283'>283</a>
<a id='n284' href='#n284'>284</a>
<a id='n285' href='#n285'>285</a>
<a id='n286' href='#n286'>286</a>
<a id='n287' href='#n287'>287</a>
<a id='n288' href='#n288'>288</a>
<a id='n289' href='#n289'>289</a>
<a id='n290' href='#n290'>290</a>
<a id='n291' href='#n291'>291</a>
<a id='n292' href='#n292'>292</a>
<a id='n293' href='#n293'>293</a>
<a id='n294' href='#n294'>294</a>
<a id='n295' href='#n295'>295</a>
<a id='n296' href='#n296'>296</a>
<a id='n297' href='#n297'>297</a>
<a id='n298' href='#n298'>298</a>
<a id='n299' href='#n299'>299</a>
<a id='n300' href='#n300'>300</a>
<a id='n301' href='#n301'>301</a>
<a id='n302' href='#n302'>302</a>
<a id='n303' href='#n303'>303</a>
<a id='n304' href='#n304'>304</a>
<a id='n305' href='#n305'>305</a>
<a id='n306' href='#n306'>306</a>
<a id='n307' href='#n307'>307</a>
<a id='n308' href='#n308'>308</a>
<a id='n309' href='#n309'>309</a>
<a id='n310' href='#n310'>310</a>
<a id='n311' href='#n311'>311</a>
<a id='n312' href='#n312'>312</a>
<a id='n313' href='#n313'>313</a>
<a id='n314' href='#n314'>314</a>
<a id='n315' href='#n315'>315</a>
<a id='n316' href='#n316'>316</a>
<a id='n317' href='#n317'>317</a>
<a id='n318' href='#n318'>318</a>
<a id='n319' href='#n319'>319</a>
<a id='n320' href='#n320'>320</a>
<a id='n321' href='#n321'>321</a>
<a id='n322' href='#n322'>322</a>
<a id='n323' href='#n323'>323</a>
<a id='n324' href='#n324'>324</a>
<a id='n325' href='#n325'>325</a>
<a id='n326' href='#n326'>326</a>
<a id='n327' href='#n327'>327</a>
<a id='n328' href='#n328'>328</a>
<a id='n329' href='#n329'>329</a>
<a id='n330' href='#n330'>330</a>
<a id='n331' href='#n331'>331</a>
<a id='n332' href='#n332'>332</a>
<a id='n333' href='#n333'>333</a>
<a id='n334' href='#n334'>334</a>
<a id='n335' href='#n335'>335</a>
<a id='n336' href='#n336'>336</a>
<a id='n337' href='#n337'>337</a>
<a id='n338' href='#n338'>338</a>
<a id='n339' href='#n339'>339</a>
<a id='n340' href='#n340'>340</a>
<a id='n341' href='#n341'>341</a>
<a id='n342' href='#n342'>342</a>
<a id='n343' href='#n343'>343</a>
<a id='n344' href='#n344'>344</a>
<a id='n345' href='#n345'>345</a>
<a id='n346' href='#n346'>346</a>
<a id='n347' href='#n347'>347</a>
<a id='n348' href='#n348'>348</a>
<a id='n349' href='#n349'>349</a>
<a id='n350' href='#n350'>350</a>
<a id='n351' href='#n351'>351</a>
<a id='n352' href='#n352'>352</a>
<a id='n353' href='#n353'>353</a>
<a id='n354' href='#n354'>354</a>
<a id='n355' href='#n355'>355</a>
<a id='n356' href='#n356'>356</a>
<a id='n357' href='#n357'>357</a>
<a id='n358' href='#n358'>358</a>
<a id='n359' href='#n359'>359</a>
<a id='n360' href='#n360'>360</a>
<a id='n361' href='#n361'>361</a>
<a id='n362' href='#n362'>362</a>
<a id='n363' href='#n363'>363</a>
<a id='n364' href='#n364'>364</a>
<a id='n365' href='#n365'>365</a>
<a id='n366' href='#n366'>366</a>
<a id='n367' href='#n367'>367</a>
<a id='n368' href='#n368'>368</a>
<a id='n369' href='#n369'>369</a>
<a id='n370' href='#n370'>370</a>
<a id='n371' href='#n371'>371</a>
<a id='n372' href='#n372'>372</a>
<a id='n373' href='#n373'>373</a>
<a id='n374' href='#n374'>374</a>
<a id='n375' href='#n375'>375</a>
<a id='n376' href='#n376'>376</a>
<a id='n377' href='#n377'>377</a>
<a id='n378' href='#n378'>378</a>
<a id='n379' href='#n379'>379</a>
<a id='n380' href='#n380'>380</a>
<a id='n381' href='#n381'>381</a>
<a id='n382' href='#n382'>382</a>
<a id='n383' href='#n383'>383</a>
<a id='n384' href='#n384'>384</a>
<a id='n385' href='#n385'>385</a>
<a id='n386' href='#n386'>386</a>
<a id='n387' href='#n387'>387</a>
<a id='n388' href='#n388'>388</a>
<a id='n389' href='#n389'>389</a>
<a id='n390' href='#n390'>390</a>
<a id='n391' href='#n391'>391</a>
<a id='n392' href='#n392'>392</a>
<a id='n393' href='#n393'>393</a>
<a id='n394' href='#n394'>394</a>
<a id='n395' href='#n395'>395</a>
</pre></td>
<td class='lines'><pre><code><span class="hl slc"># Authors: Rob Crittenden &lt;rcritten&#64;redhat.com&gt;</span>
<span class="hl slc">#</span>
<span class="hl slc"># Copyright (C) 2007  Red Hat</span>
<span class="hl slc"># see file &#39;COPYING&#39; for use and warranty information</span>
<span class="hl slc">#</span>
<span class="hl slc"># This program is free software; you can redistribute it and/or modify</span>
<span class="hl slc"># it under the terms of the GNU General Public License as published by</span>
<span class="hl slc"># the Free Software Foundation, either version 3 of the License, or</span>
<span class="hl slc"># (at your option) any later version.</span>
<span class="hl slc">#</span>
<span class="hl slc"># This program is distributed in the hope that it will be useful,</span>
<span class="hl slc"># but WITHOUT ANY WARRANTY; without even the implied warranty of</span>
<span class="hl slc"># MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the</span>
<span class="hl slc"># GNU General Public License for more details.</span>
<span class="hl slc">#</span>
<span class="hl slc"># You should have received a copy of the GNU General Public License</span>
<span class="hl slc"># along with this program.  If not, see &lt;http://www.gnu.org/licenses/&gt;.</span>
<span class="hl slc">#</span>

<span class="hl kwa">import</span> os
<span class="hl kwa">import</span> os<span class="hl opt">.</span>path
<span class="hl kwa">import</span> tempfile
<span class="hl kwa">from</span> ipapython<span class="hl opt">.</span>ipa_log_manager <span class="hl kwa">import</span> <span class="hl opt">*</span>
<span class="hl kwa">import</span> pwd
<span class="hl kwa">import</span> shutil

<span class="hl kwa">import</span> service
<span class="hl kwa">import</span> certs
<span class="hl kwa">import</span> dsinstance
<span class="hl kwa">import</span> installutils
<span class="hl kwa">from</span> ipapython <span class="hl kwa">import</span> sysrestore
<span class="hl kwa">from</span> ipapython <span class="hl kwa">import</span> ipautil
<span class="hl kwa">from</span> ipapython <span class="hl kwa">import</span> services <span class="hl kwa">as</span> ipaservices
<span class="hl kwa">from</span> ipapython <span class="hl kwa">import</span> dogtag
<span class="hl kwa">from</span> ipalib <span class="hl kwa">import</span> util<span class="hl opt">,</span> api

HTTPD_DIR <span class="hl opt">=</span> <span class="hl str">&quot;/etc/httpd&quot;</span>
SSL_CONF <span class="hl opt">=</span> HTTPD_DIR <span class="hl opt">+</span> <span class="hl str">&quot;/conf.d/ssl.conf&quot;</span>
NSS_CONF <span class="hl opt">=</span> HTTPD_DIR <span class="hl opt">+</span> <span class="hl str">&quot;/conf.d/nss.conf&quot;</span>

selinux_warning <span class="hl opt">=</span> <span class="hl str">&quot;&quot;&quot;</span>
<span class="hl str">WARNING: could not set selinux boolean(s)</span> <span class="hl ipl">%(var)s</span> <span class="hl str">to true.  The web</span>
<span class="hl str">interface may not function correctly until this boolean is successfully</span>
<span class="hl str">change with the command:</span>
<span class="hl str">   /usr/sbin/setsebool -P</span> <span class="hl ipl">%(var)s</span> <span class="hl str">true</span>
<span class="hl str">Try updating the policycoreutils and selinux-policy packages.</span>
<span class="hl str">&quot;&quot;&quot;</span>

<span class="hl kwa">class</span> <span class="hl kwd">WebGuiInstance</span><span class="hl opt">(</span>service<span class="hl opt">.</span>SimpleServiceInstance<span class="hl opt">):</span>
    <span class="hl kwa">def</span> <span class="hl kwd">__init__</span><span class="hl opt">(</span>self<span class="hl opt">):</span>
        service<span class="hl opt">.</span>SimpleServiceInstance<span class="hl num">.__</span>init<span class="hl num">__</span><span class="hl opt">(</span>self<span class="hl opt">,</span> <span class="hl str">&quot;ipa_webgui&quot;</span><span class="hl opt">)</span>

<span class="hl kwa">class</span> <span class="hl kwd">HTTPInstance</span><span class="hl opt">(</span>service<span class="hl opt">.</span>Service<span class="hl opt">):</span>
    <span class="hl kwa">def</span> <span class="hl kwd">__init__</span><span class="hl opt">(</span>self<span class="hl opt">,</span> fstore <span class="hl opt">=</span> <span class="hl kwa">None</span><span class="hl opt">):</span>
        service<span class="hl opt">.</span>Service<span class="hl num">.__</span>init<span class="hl num">__</span><span class="hl opt">(</span>self<span class="hl opt">,</span> <span class="hl str">&quot;httpd&quot;</span><span class="hl opt">,</span> service_desc<span class="hl opt">=</span><span class="hl str">&quot;the web interface&quot;</span><span class="hl opt">)</span>
        <span class="hl kwa">if</span> fstore<span class="hl opt">:</span>
            self<span class="hl opt">.</span>fstore <span class="hl opt">=</span> fstore
        <span class="hl kwa">else</span><span class="hl opt">:</span>
            self<span class="hl opt">.</span>fstore <span class="hl opt">=</span> sysrestore<span class="hl opt">.</span><span class="hl kwd">FileStore</span><span class="hl opt">(</span><span class="hl str">&#39;/var/lib/ipa/sysrestore&#39;</span><span class="hl opt">)</span>

    subject_base <span class="hl opt">=</span> ipautil<span class="hl opt">.</span><span class="hl kwd">dn_attribute_property</span><span class="hl opt">(</span><span class="hl str">&#39;_subject_base&#39;</span><span class="hl opt">)</span>

    <span class="hl kwa">def</span> <span class="hl kwd">create_instance</span><span class="hl opt">(</span>self<span class="hl opt">,</span> realm<span class="hl opt">,</span> fqdn<span class="hl opt">,</span> domain_name<span class="hl opt">,</span> dm_password<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> autoconfig<span class="hl opt">=</span><span class="hl kwa">True</span><span class="hl opt">,</span> pkcs12_info<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> self_signed_ca<span class="hl opt">=</span><span class="hl kwa">False</span><span class="hl opt">,</span> subject_base<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">,</span> auto_redirect<span class="hl opt">=</span><span class="hl kwa">True</span><span class="hl opt">):</span>
        self<span class="hl opt">.</span>fqdn <span class="hl opt">=</span> fqdn
        self<span class="hl opt">.</span>realm <span class="hl opt">=</span> realm
        self<span class="hl opt">.</span>domain <span class="hl opt">=</span> domain_name
        self<span class="hl opt">.</span>dm_password <span class="hl opt">=</span> dm_password
        self<span class="hl opt">.</span>suffix <span class="hl opt">=</span> ipautil<span class="hl opt">.</span><span class="hl kwd">realm_to_suffix</span><span class="hl opt">(</span>self<span class="hl opt">.</span>realm<span class="hl opt">)</span>
        self<span class="hl opt">.</span>pkcs12_info <span class="hl opt">=</span> pkcs12_info
        self<span class="hl opt">.</span>self_signed_ca <span class="hl opt">=</span> self_signed_ca
        self<span class="hl opt">.</span>principal <span class="hl opt">=</span> <span class="hl str">&quot;HTTP/</span><span class="hl ipl">%s</span><span class="hl str">&#64;</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">% (</span>self<span class="hl opt">.</span>fqdn<span class="hl opt">,</span> self<span class="hl opt">.</span>realm<span class="hl opt">)</span>
        self<span class="hl opt">.</span>dercert <span class="hl opt">=</span> <span class="hl kwa">None</span>
        self<span class="hl opt">.</span>subject_base <span class="hl opt">=</span> subject_base
        self<span class="hl opt">.</span>sub_dict <span class="hl opt">=</span> <span class="hl kwb">dict</span><span class="hl opt">(</span>
            REALM<span class="hl opt">=</span>realm<span class="hl opt">,</span>
            FQDN<span class="hl opt">=</span>fqdn<span class="hl opt">,</span>
            DOMAIN<span class="hl opt">=</span>self<span class="hl opt">.</span>domain<span class="hl opt">,</span>
            AUTOREDIR<span class="hl opt">=</span><span class="hl str">&#39;&#39;</span> <span class="hl kwa">if</span> auto_redirect <span class="hl kwa">else</span> <span class="hl str">&#39;#&#39;</span><span class="hl opt">,</span>
            CRL_PUBLISH_PATH<span class="hl opt">=</span>dogtag<span class="hl opt">.</span>install_constants<span class="hl opt">.</span>CRL_PUBLISH_PATH<span class="hl opt">,</span>
        <span class="hl opt">)</span>

        <span class="hl slc"># get a connection to the DS</span>
        self<span class="hl opt">.</span><span class="hl kwd">ldap_connect</span><span class="hl opt">()</span>


        self<span class="hl opt">.</span><span class="hl kwd">step</span><span class="hl opt">(</span><span class="hl str">&quot;disabling mod_ssl in httpd&quot;</span><span class="hl opt">,</span> self<span class="hl num">.__</span>disable<span class="hl num">_</span>mod<span class="hl num">_</span>ssl<span class="hl opt">)</span>
        self<span class="hl opt">.</span><span class="hl kwd">step</span><span class="hl opt">(</span><span class="hl str">&quot;setting mod_nss port to 443&quot;</span><span class="hl opt">,</span> self<span class="hl num">.__</span>set<span class="hl num">_</span>mod<span class="hl num">_</span>nss<span class="hl num">_</span>port<span class="hl opt">)</span>
        self<span class="hl opt">.</span><span class="hl kwd">step</span><span class="hl opt">(</span><span class="hl str">&quot;setting mod_nss password file&quot;</span><span class="hl opt">,</span> self<span class="hl num">.__</span>set<span class="hl num">_</span>mod<span class="hl num">_</span>nss<span class="hl num">_</span>passwordfile<span class="hl opt">)</span>
        self<span class="hl opt">.</span><span class="hl kwd">step</span><span class="hl opt">(</span><span class="hl str">&quot;enabling mod_nss renegotiate&quot;</span><span class="hl opt">,</span> self<span class="hl opt">.</span>enable_mod_nss_renegotiate<span class="hl opt">)</span>
        self<span class="hl opt">.</span><span class="hl kwd">step</span><span class="hl opt">(</span><span class="hl str">&quot;adding URL rewriting rules&quot;</span><span class="hl opt">,</span> self<span class="hl num">.__</span>add<span class="hl num">_</span>include<span class="hl opt">)</span>
        self<span class="hl opt">.</span><span class="hl kwd">step</span><span class="hl opt">(</span><span class="hl str">&quot;configuring httpd&quot;</span><span class="hl opt">,</span> self<span class="hl num">.__</span>configure<span class="hl num">_</span>http<span class="hl opt">)</span>
        self<span class="hl opt">.</span><span class="hl kwd">step</span><span class="hl opt">(</span><span class="hl str">&quot;setting up ssl&quot;</span><span class="hl opt">,</span> self<span class="hl num">.__</span>setup<span class="hl num">_</span>ssl<span class="hl opt">)</span>
        <span class="hl kwa">if</span> autoconfig<span class="hl opt">:</span>
            self<span class="hl opt">.</span><span class="hl kwd">step</span><span class="hl opt">(</span><span class="hl str">&quot;setting up browser autoconfig&quot;</span><span class="hl opt">,</span> self<span class="hl num">.__</span>setup<span class="hl num">_</span>autoconfig<span class="hl opt">)</span>
        self<span class="hl opt">.</span><span class="hl kwd">step</span><span class="hl opt">(</span><span class="hl str">&quot;publish CA cert&quot;</span><span class="hl opt">,</span> self<span class="hl num">.__</span>publish<span class="hl num">_</span>ca<span class="hl num">_</span>cert<span class="hl opt">)</span>
        self<span class="hl opt">.</span><span class="hl kwd">step</span><span class="hl opt">(</span><span class="hl str">&quot;creating a keytab for httpd&quot;</span><span class="hl opt">,</span> self<span class="hl num">.__</span>create<span class="hl num">_</span>http<span class="hl num">_</span>keytab<span class="hl opt">)</span>
        self<span class="hl opt">.</span><span class="hl kwd">step</span><span class="hl opt">(</span><span class="hl str">&quot;clean up any existing httpd ccache&quot;</span><span class="hl opt">,</span> self<span class="hl opt">.</span>remove_httpd_ccache<span class="hl opt">)</span>
        self<span class="hl opt">.</span><span class="hl kwd">step</span><span class="hl opt">(</span><span class="hl str">&quot;configuring SELinux for httpd&quot;</span><span class="hl opt">,</span> self<span class="hl opt">.</span>configure_selinux_for_httpd<span class="hl opt">)</span>
        self<span class="hl opt">.</span><span class="hl kwd">step</span><span class="hl opt">(</span><span class="hl str">&quot;restarting httpd&quot;</span><span class="hl opt">,</span> self<span class="hl num">.__</span>start<span class="hl opt">)</span>
        self<span class="hl opt">.</span><span class="hl kwd">step</span><span class="hl opt">(</span><span class="hl str">&quot;configuring httpd to start on boot&quot;</span><span class="hl opt">,</span> self<span class="hl num">.__</span>enable<span class="hl opt">)</span>

        self<span class="hl opt">.</span><span class="hl kwd">start_creation</span><span class="hl opt">(</span>runtime<span class="hl opt">=</span><span class="hl num">60</span><span class="hl opt">)</span>

    <span class="hl kwa">def</span> <span class="hl kwd">__start</span><span class="hl opt">(</span>self<span class="hl opt">):</span>
        self<span class="hl opt">.</span><span class="hl kwd">backup_state</span><span class="hl opt">(</span><span class="hl str">&quot;running&quot;</span><span class="hl opt">,</span> self<span class="hl opt">.</span><span class="hl kwd">is_running</span><span class="hl opt">())</span>
        self<span class="hl opt">.</span><span class="hl kwd">restart</span><span class="hl opt">()</span>

    <span class="hl kwa">def</span> <span class="hl kwd">__enable</span><span class="hl opt">(</span>self<span class="hl opt">):</span>
        self<span class="hl opt">.</span><span class="hl kwd">backup_state</span><span class="hl opt">(</span><span class="hl str">&quot;enabled&quot;</span><span class="hl opt">,</span> self<span class="hl opt">.</span><span class="hl kwd">is_running</span><span class="hl opt">())</span>
        <span class="hl slc"># We do not let the system start IPA components on its own,</span>
        <span class="hl slc"># Instead we reply on the IPA init script to start only enabled</span>
        <span class="hl slc"># components as found in our LDAP configuration tree</span>
        self<span class="hl opt">.</span><span class="hl kwd">ldap_enable</span><span class="hl opt">(</span><span class="hl str">&#39;HTTP&#39;</span><span class="hl opt">,</span> self<span class="hl opt">.</span>fqdn<span class="hl opt">,</span> self<span class="hl opt">.</span>dm_password<span class="hl opt">,</span> self<span class="hl opt">.</span>suffix<span class="hl opt">)</span>

    <span class="hl kwa">def</span> <span class="hl kwd">configure_selinux_for_httpd</span><span class="hl opt">(</span>self<span class="hl opt">):</span>
        <span class="hl kwa">def</span> <span class="hl kwd">get_setsebool_args</span><span class="hl opt">(</span>changes<span class="hl opt">):</span>
            <span class="hl kwa">if</span> <span class="hl kwb">len</span><span class="hl opt">(</span>changes<span class="hl opt">) ==</span> <span class="hl num">1</span><span class="hl opt">:</span>
                <span class="hl slc"># workaround https://bugzilla.redhat.com/show_bug.cgi?id=825163</span>
                updates <span class="hl opt">=</span> changes<span class="hl opt">.</span><span class="hl kwd">items</span><span class="hl opt">()[</span><span class="hl num">0</span><span class="hl opt">]</span>
            <span class="hl kwa">else</span><span class="hl opt">:</span>
                updates <span class="hl opt">= [</span><span class="hl str">&quot;</span><span class="hl ipl">%s</span><span class="hl str">=</span><span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> update <span class="hl kwa">for</span> update <span class="hl kwa">in</span> changes<span class="hl opt">.</span><span class="hl kwd">iteritems</span><span class="hl opt">()]</span>

            args <span class="hl opt">= [</span><span class="hl str">&quot;/usr/sbin/setsebool&quot;</span><span class="hl opt">,</span> <span class="hl str">&quot;-P&quot;</span><span class="hl opt">]</span>
            args<span class="hl opt">.</span><span class="hl kwd">extend</span><span class="hl opt">(</span>updates<span class="hl opt">)</span>

            <span class="hl kwa">return</span> args

        selinux <span class="hl opt">=</span> <span class="hl kwa">False</span>
        <span class="hl kwa">try</span><span class="hl opt">:</span>
            <span class="hl kwa">if</span> <span class="hl opt">(</span>os<span class="hl opt">.</span>path<span class="hl opt">.</span><span class="hl kwd">exists</span><span class="hl opt">(</span><span class="hl str">&#39;/usr/sbin/selinuxenabled&#39;</span><span class="hl opt">)):</span>
                ipautil<span class="hl opt">.</span><span class="hl kwd">run</span><span class="hl opt">([</span><span class="hl str">&quot;/usr/sbin/selinuxenabled&quot;</span><span class="hl opt">])</span>
                selinux <span class="hl opt">=</span> <span class="hl kwa">True</span>
        <span class="hl kwa">except</span> ipautil<span class="hl opt">.</span>CalledProcessError<span class="hl opt">:</span>
            <span class="hl slc"># selinuxenabled returns 1 if not enabled</span>
            <span class="hl kwa">pass</span>

        <span class="hl kwa">if</span> selinux<span class="hl opt">:</span>
            <span class="hl slc"># Don&#39;t assume all vars are available</span>
            updated_vars <span class="hl opt">= {}</span>
            failed_vars <span class="hl opt">= {}</span>
            required_settings <span class="hl opt">= ((</span><span class="hl str">&quot;httpd_can_network_connect&quot;</span><span class="hl opt">,</span> <span class="hl str">&quot;on&quot;</span><span class="hl opt">),</span>
                                 <span class="hl opt">(</span><span class="hl str">&quot;httpd_manage_ipa&quot;</span><span class="hl opt">,</span> <span class="hl str">&quot;on&quot;</span><span class="hl opt">))</span>
            <span class="hl kwa">for</span> setting<span class="hl opt">,</span> state <span class="hl kwa">in</span> required_settings<span class="hl opt">:</span>
                <span class="hl kwa">try</span><span class="hl opt">:</span>
                    <span class="hl opt">(</span>stdout<span class="hl opt">,</span> stderr<span class="hl opt">,</span> returncode<span class="hl opt">) =</span> ipautil<span class="hl opt">.</span><span class="hl kwd">run</span><span class="hl opt">([</span><span class="hl str">&quot;/usr/sbin/getsebool&quot;</span><span class="hl opt">,</span> setting<span class="hl opt">])</span>
                    original_state <span class="hl opt">=</span> stdout<span class="hl opt">.</span><span class="hl kwd">split</span><span class="hl opt">()[</span><span class="hl num">2</span><span class="hl opt">]</span>
                    self<span class="hl opt">.</span><span class="hl kwd">backup_state</span><span class="hl opt">(</span>setting<span class="hl opt">,</span> original_state<span class="hl opt">)</span>

                    <span class="hl kwa">if</span> original_state <span class="hl opt">!=</span> state<span class="hl opt">:</span>
                        updated_vars<span class="hl opt">[</span>setting<span class="hl opt">] =</span> state
                <span class="hl kwa">except</span> ipautil<span class="hl opt">.</span>CalledProcessError<span class="hl opt">,</span> e<span class="hl opt">:</span>
                    root_logger<span class="hl opt">.</span><span class="hl kwd">debug</span><span class="hl opt">(</span><span class="hl str">&quot;Cannot get SELinux boolean &#39;</span><span class="hl ipl">%s</span><span class="hl str">&#39;:</span> <span class="hl ipl">%s</span><span class="hl str">&quot;</span><span class="hl opt">,</span> setting<span class="hl opt">,</span> e<span class="hl opt">)</span>
                    failed_vars<span class="hl opt">[</span>setting<span class="hl opt">] =</span> state

            <span class="hl slc"># Allow apache to connect to the dogtag UI and the session cache</span>
            <span class="hl slc"># This can still fail even if selinux is enabled. Execute these</span>
            <span class="hl slc"># together so it is speedier.</span>
            <span class="hl kwa">if</span> updated_vars<span class="hl opt">:</span>
                args <span class="hl opt">=</span> <span class="hl kwd">get_setsebool_args</span><span class="hl opt">(</span>updated_vars<span class="hl opt">)</span>
                <span class="hl kwa">try</span><span class="hl opt">:</span>
                    ipautil<span class="hl opt">.</span><span class="hl kwd">run</span><span class="hl opt">(</span>args<span class="hl opt">)</span>
                <span class="hl kwa">except</span> ipautil<span class="hl opt">.</span>CalledProcessError<span class="hl opt">:</span>
                    failed_vars<span class="hl opt">.</span><span class="hl kwd">update</span><span class="hl opt">(</span>updated_vars<span class="hl opt">)</span>

            <span class="hl kwa">if</span> failed_vars<span class="hl opt">:</span>
                args <span class="hl opt">=</span> <span class="hl kwd">get_setsebool_args</span><span class="hl opt">(</span>failed_vars<span class="hl opt">)</span>
                names <span class="hl opt">= [</span>update<span class="hl opt">[</span><span class="hl num">0</span><span class="hl opt">]</span> <span class="hl kwa">for</span> update <span class="hl kwa">in</span> updated_vars<span class="hl opt">]</span>
                message <span class="hl opt">= [</span><span class="hl str">&#39;WARNING: could not set the following SELinux boolean(s):&#39;</span><span class="hl opt">]</span>
                <span class="hl kwa">for</span> update <span class="hl kwa">in</span> failed_vars<span class="hl opt">.</span><span class="hl kwd">iteritems</span><span class="hl opt">():</span>
                    message<span class="hl opt">.</span><span class="hl kwd">append</span><span class="hl opt">(</span><span class="hl str">&#39;</span>  <span class="hl ipl">%s</span> <span class="hl str">-&gt;</span> <span class="hl ipl">%s</span><span class="hl str">&#39;</span> <span class="hl opt">%</span> update<span class="hl opt">)</span>
                message<span class="hl opt">.</span><span class="hl kwd">append</span><span class="hl opt">(</span><span class="hl str">&#39;The web interface may not function correctly until the booleans&#39;</span><span class="hl opt">)</span>
                message<span class="hl opt">.</span><span class="hl kwd">append</span><span class="hl opt">(</span><span class="hl str">&#39;are successfully changed with the command:&#39;</span><span class="hl opt">)</span>
                message<span class="hl opt">.</span><span class="hl kwd">append</span><span class="hl opt">(</span><span class="hl str">&#39; &#39;</span><span class="hl opt">.</span><span class="hl kwd">join</span><span class="hl opt">(</span>args<span class="hl opt">))</span>
                message<span class="hl opt">.</span><span class="hl kwd">append</span><span class="hl opt">(</span><span class="hl str">&#39;Try updating the policycoreutils and selinux-policy packages.&#39;</span><span class="hl opt">)</span>

                self<span class="hl opt">.</span><span class="hl kwd">print_msg</span><span class="hl opt">(</span><span class="hl str">&quot;</span><span class="hl esc">\n</span><span class="hl str">&quot;</span><span class="hl opt">.</span><span class="hl kwd">join</span><span class="hl opt">(</span>message<span class="hl opt">))</span>

    <span class="hl kwa">def</span> <span class="hl kwd">__create_http_keytab</span><span class="hl opt">(</span>self<span class="hl opt">):</span>
        installutils<span class="hl opt">.</span><span class="hl kwd">kadmin_addprinc</span><span class="hl opt">(</span>self<span class="hl opt">.</span>principal<span class="hl opt">)</span>
        installutils<span class="hl opt">.</span><span class="hl kwd">create_keytab</span><span class="hl opt">(</span><span class="hl str">&quot;/etc/httpd/conf/ipa.keytab&quot;</span><span class="hl opt">,</span> self<span class="hl opt">.</span>principal<span class="hl opt">)</span>
        self<span class="hl opt">.</span><span class="hl kwd">move_service</span><span class="hl opt">(</span>self<span class="hl opt">.</span>principal<span class="hl opt">)</span>
        self<span class="hl opt">.</span><span class="hl kwd">add_cert_to_service</span><span class="hl opt">()</span>

        pent <span class="hl opt">=</span> pwd<span class="hl opt">.</span><span class="hl kwd">getpwnam</span><span class="hl opt">(</span><span class="hl str">&quot;apache&quot;</span><span class="hl opt">)</span>
        os<span class="hl opt">.</span><span class="hl kwd">chown</span><span class="hl opt">(</span><span class="hl str">&quot;/etc/httpd/conf/ipa.keytab&quot;</span><span class="hl opt">,</span> pent<span class="hl opt">.</span>pw_uid<span class="hl opt">,</span> pent<span class="hl opt">.</span>pw_gid<span class="hl opt">)</span>

    <span class="hl kwa">def</span> <span class="hl kwd">remove_httpd_ccache</span><span class="hl opt">(</span>self<span class="hl opt">):</span>
        <span class="hl slc"># Clean up existing ccache</span>
        pent <span class="hl opt">=</span> pwd<span class="hl opt">.</span><span class="hl kwd">getpwnam</span><span class="hl opt">(</span><span class="hl str">&quot;apache&quot;</span><span class="hl opt">)</span>
        installutils<span class="hl opt">.</span><span class="hl kwd">remove_file</span><span class="hl opt">(</span><span class="hl str">&#39;/tmp/krb5cc_</span><span class="hl ipl">%d</span><span class="hl str">&#39;</span> <span class="hl opt">%</span> pent<span class="hl opt">.</span>pw_uid<span class="hl opt">)</span>

    <span class="hl kwa">def</span> <span class="hl kwd">__configure_http</span><span class="hl opt">(</span>self<span class="hl opt">):</span>
        target_fname <span class="hl opt">=</span> <span class="hl str">&#39;/etc/httpd/conf.d/ipa.conf&#39;</span>
        http_txt <span class="hl opt">=</span> ipautil<span class="hl opt">.</span><span class="hl kwd">template_file</span><span class="hl opt">(</span>ipautil<span class="hl opt">.</span>SHARE_DIR <span class="hl opt">+</span> <span class="hl str">&quot;ipa.conf&quot;</span><span class="hl opt">,</span> self<span class="hl opt">.</span>sub_dict<span class="hl opt">)</span>
        self<span class="hl opt">.</span>fstore<span class="hl opt">.</span><span class="hl kwd">backup_file</span><span class="hl opt">(</span><span class="hl str">&quot;/etc/httpd/conf.d/ipa.conf&quot;</span><span class="hl opt">)</span>
        http_fd <span class="hl opt">=</span> <span class="hl kwb">open</span><span class="hl opt">(</span>target_fname<span class="hl opt">,</span> <span class="hl str">&quot;w&quot;</span><span class="hl opt">)</span>
        http_fd<span class="hl opt">.</span><span class="hl kwd">write</span><span class="hl opt">(</span>http_txt<span class="hl opt">)</span>
        http_fd<span class="hl opt">.</span><span class="hl kwd">close</span><span class="hl opt">()</span>
        os<span class="hl opt">.</span><span class="hl kwd">chmod</span><span class="hl opt">(</span>target_fname<span class="hl opt">,</span> <span class="hl num">0644</span><span class="hl opt">)</span>

        target_fname <span class="hl opt">=</span> <span class="hl str">&#39;/etc/httpd/conf.d/ipa-rewrite.conf&#39;</span>
        http_txt <span class="hl opt">=</span> ipautil<span class="hl opt">.</span><span class="hl kwd">template_file</span><span class="hl opt">(</span>ipautil<span class="hl opt">.</span>SHARE_DIR <span class="hl opt">+</span> <span class="hl str">&quot;ipa-rewrite.conf&quot;</span><span class="hl opt">,</span> self<span class="hl opt">.</span>sub_dict<span class="hl opt">)</span>
        self<span class="hl opt">.</span>fstore<span class="hl opt">.</span><span class="hl kwd">backup_file</span><span class="hl opt">(</span><span class="hl str">&quot;/etc/httpd/conf.d/ipa-rewrite.conf&quot;</span><span class="hl opt">)</span>
        http_fd <span class="hl opt">=</span> <span class="hl kwb">open</span><span class="hl opt">(</span>target_fname<span class="hl opt">,</span> <span class="hl str">&quot;w&quot;</span><span class="hl opt">)</span>
        http_fd<span class="hl opt">.</span><span class="hl kwd">write</span><span class="hl opt">(</span>http_txt<span class="hl opt">)</span>
        http_fd<span class="hl opt">.</span><span class="hl kwd">close</span><span class="hl opt">()</span>
        os<span class="hl opt">.</span><span class="hl kwd">chmod</span><span class="hl opt">(</span>target_fname<span class="hl opt">,</span> <span class="hl num">0644</span><span class="hl opt">)</span>

    <span class="hl kwa">def</span> <span class="hl kwd">__disable_mod_ssl</span><span class="hl opt">(</span>self<span class="hl opt">):</span>
        <span class="hl kwa">if</span> os<span class="hl opt">.</span>path<span class="hl opt">.</span><span class="hl kwd">exists</span><span class="hl opt">(</span>SSL_CONF<span class="hl opt">):</span>
            self<span class="hl opt">.</span>fstore<span class="hl opt">.</span><span class="hl kwd">backup_file</span><span class="hl opt">(</span>SSL_CONF<span class="hl opt">)</span>
            os<span class="hl opt">.</span><span class="hl kwd">unlink</span><span class="hl opt">(</span>SSL_CONF<span class="hl opt">)</span>

    <span class="hl kwa">def</span> <span class="hl kwd">__set_mod_nss_port</span><span class="hl opt">(</span>self<span class="hl opt">):</span>
        self<span class="hl opt">.</span>fstore<span class="hl opt">.</span><span class="hl kwd">backup_file</span><span class="hl opt">(</span>NSS_CONF<span class="hl opt">)</span>
        <span class="hl kwa">if</span> installutils<span class="hl opt">.</span><span class="hl kwd">update_file</span><span class="hl opt">(</span>NSS_CONF<span class="hl opt">,</span> <span class="hl str">&#39;8443&#39;</span><span class="hl opt">,</span> <span class="hl str">&#39;443&#39;</span><span class="hl opt">) !=</span> <span class="hl num">0</span><span class="hl opt">:</span>
            <span class="hl kwa">print</span> <span class="hl str">&quot;Updating port in</span> <span class="hl ipl">%s</span> <span class="hl str">failed.&quot;</span> <span class="hl opt">%</span> NSS_CONF

    <span class="hl kwa">def</span> <span class="hl kwd">__set_mod_nss_nickname</span><span class="hl opt">(</span>self<span class="hl opt">,</span> nickname<span class="hl opt">):</span>
        installutils<span class="hl opt">.</span><span class="hl kwd">set_directive</span><span class="hl opt">(</span>NSS_CONF<span class="hl opt">,</span> <span class="hl str">&#39;NSSNickname&#39;</span><span class="hl opt">,</span> nickname<span class="hl opt">)</span>

    <span class="hl kwa">def</span> <span class="hl kwd">enable_mod_nss_renegotiate</span><span class="hl opt">(</span>self<span class="hl opt">):</span>
        installutils<span class="hl opt">.</span><span class="hl kwd">set_directive</span><span class="hl opt">(</span>NSS_CONF<span class="hl opt">,</span> <span class="hl str">&#39;NSSRenegotiation&#39;</span><span class="hl opt">,</span> <span class="hl str">&#39;on&#39;</span><span class="hl opt">,</span> <span class="hl kwa">False</span><span class="hl opt">)</span>
        installutils<span class="hl opt">.</span><span class="hl kwd">set_directive</span><span class="hl opt">(</span>NSS_CONF<span class="hl opt">,</span> <span class="hl str">&#39;NSSRequireSafeNegotiation&#39;</span><span class="hl opt">,</span> <span class="hl str">&#39;on&#39;</span><span class="hl opt">,</span> <span class="hl kwa">False</span><span class="hl opt">)</span>

    <span class="hl kwa">def</span> <span class="hl kwd">__set_mod_nss_passwordfile</span><span class="hl opt">(</span>self<span class="hl opt">):</span>
        installutils<span class="hl opt">.</span><span class="hl kwd">set_directive</span><span class="hl opt">(</span>NSS_CONF<span class="hl opt">,</span> <span class="hl str">&#39;NSSPassPhraseDialog&#39;</span><span class="hl opt">,</span> <span class="hl str">&#39;file:/etc/httpd/conf/password.conf&#39;</span><span class="hl opt">)</span>

    <span class="hl kwa">def</span> <span class="hl kwd">__add_include</span><span class="hl opt">(</span>self<span class="hl opt">):</span>
        <span class="hl str">&quot;&quot;&quot;This should run after __set_mod_nss_port so is already backed up&quot;&quot;&quot;</span>
        <span class="hl kwa">if</span> installutils<span class="hl opt">.</span><span class="hl kwd">update_file</span><span class="hl opt">(</span>NSS_CONF<span class="hl opt">,</span> <span class="hl str">&#39;&lt;/VirtualHost&gt;&#39;</span><span class="hl opt">,</span> <span class="hl str">&#39;Include conf.d/ipa-rewrite.conf</span><span class="hl esc">\n</span><span class="hl str">&lt;/VirtualHost&gt;&#39;</span><span class="hl opt">) !=</span> <span class="hl num">0</span><span class="hl opt">:</span>
            <span class="hl kwa">print</span> <span class="hl str">&quot;Adding Include conf.d/ipa-rewrite to</span> <span class="hl ipl">%s</span> <span class="hl str">failed.&quot;</span> <span class="hl opt">%</span> NSS_CONF

    <span class="hl kwa">def</span> <span class="hl kwd">__setup_ssl</span><span class="hl opt">(</span>self<span class="hl opt">):</span>
        fqdn <span class="hl opt">=</span> <span class="hl kwa">None</span>
        <span class="hl kwa">if not</span> self<span class="hl opt">.</span>self_signed_ca<span class="hl opt">:</span>
            fqdn <span class="hl opt">=</span> self<span class="hl opt">.</span>fqdn

        ca_db <span class="hl opt">=</span> certs<span class="hl opt">.</span><span class="hl kwd">CertDB</span><span class="hl opt">(</span>self<span class="hl opt">.</span>realm<span class="hl opt">,</span> host_name<span class="hl opt">=</span>fqdn<span class="hl opt">,</span> subject_base<span class="hl opt">=</span>self<span class="hl opt">.</span>subject_base<span class="hl opt">)</span>

        db <span class="hl opt">=</span> certs<span class="hl opt">.</span><span class="hl kwd">CertDB</span><span class="hl opt">(</span>self<span class="hl opt">.</span>realm<span class="hl opt">,</span> subject_base<span class="hl opt">=</span>self<span class="hl opt">.</span>subject_base<span class="hl opt">)</span>
        <span class="hl kwa">if</span> self<span class="hl opt">.</span>pkcs12_info<span class="hl opt">:</span>
            db<span class="hl opt">.</span><span class="hl kwd">create_from_pkcs12</span><span class="hl opt">(</span>self<span class="hl opt">.</span>pkcs12_info<span class="hl opt">[</span><span class="hl num">0</span><span class="hl opt">],</span> self<span class="hl opt">.</span>pkcs12_info<span class="hl opt">[</span><span class="hl num">1</span><span class="hl opt">],</span> passwd<span class="hl opt">=</span><span class="hl kwa">None</span><span class="hl opt">)</span>
            server_certs <span class="hl opt">=</span> db<span class="hl opt">.</span><span class="hl kwd">find_server_certs</span><span class="hl opt">()</span>
            <span class="hl kwa">if</span> <span class="hl kwb">len</span><span class="hl opt">(</span>server_certs<span class="hl opt">) ==</span> <span class="hl num">0</span><span class="hl opt">:</span>
                <span class="hl kwa">raise</span> <span class="hl kwc">RuntimeError</span><span class="hl opt">(</span><span class="hl str">&quot;Could not find a suitable server cert in import in</span> <span class="hl ipl">%s</span><span class="hl str">&quot;</span> <span class="hl opt">%</span> self<span class="hl opt">.</span>pkcs12_info<span class="hl opt">[</span><span class="hl num">0</span><span class="hl opt">])</span>

            db<span class="hl opt">.</span><span class="hl kwd">create_password_conf</span><span class="hl opt">()</span>
            <span class="hl slc"># We only handle one server cert</span>
            nickname <span class="hl opt">=</span> server_certs<span class="hl opt">[</span><span class="hl num">0</span><span class="hl opt">][</span><span class="hl num">0</span><span class="hl opt">]</span>
            self<span class="hl opt">.</span>dercert <span class="hl opt">=</span> db<span class="hl opt">.</span><span class="hl kwd">get_cert_from_db</span><span class="hl opt">(</span>nickname<span class="hl opt">,</span> pem<span class="hl opt">=</span><span class="hl kwa">False</span><span class="hl opt">)</span>
            db<span class="hl opt">.</span><span class="hl kwd">track_server_cert</span><span class="hl opt">(</span>nickname<span class="hl opt">,</span> self<span class="hl opt">.</span>principal<span class="hl opt">,</span> db<span class="hl opt">.</span>passwd_fname<span class="hl opt">,</span> <span class="hl str">&#39;restart_httpd&#39;</span><span class="hl opt">)</span>

            self<span class="hl num">.__</span>set<span class="hl num">_</span>mod<span class="hl num">_</span>nss<span class="hl num">_</span>nickname<span class="hl opt">(</span>nickname<span class="hl opt">)</span>
        <span class="hl kwa">else</span><span class="hl opt">:</span>
            <span class="hl kwa">if</span> self<span class="hl opt">.</span>self_signed_ca<span class="hl opt">:</span>
                db<span class="hl opt">.</span><span class="hl kwd">create_from_cacert</span><span class="hl opt">(</span>ca_db<span class="hl opt">.</span>cacert_fname<span class="hl opt">)</span>

            db<span class="hl opt">.</span><span class="hl kwd">create_password_conf</span><span class="hl opt">()</span>
            self<span class="hl opt">.</span>dercert <span class="hl opt">=</span> db<span class="hl opt">.</span><span class="hl kwd">create_server_cert</span><span class="hl opt">(</span><span class="hl str">&quot;Server-Cert&quot;</span><span class="hl opt">,</span> self<span class="hl opt">.</span>fqdn<span class="hl opt">,</span> ca_db<span class="hl opt">)</span>
            db<span class="hl opt">.</span><span class="hl kwd">track_server_cert</span><span class="hl opt">(</span><span class="hl str">&quot;Server-Cert&quot;</span><span class="hl opt">,</span> self<span class="hl opt">.</span>principal<span class="hl opt">,</span> db<span class="hl opt">.</span>passwd_fname<span class="hl opt">,</span> <span class="hl str">&#39;restart_httpd&#39;</span><span class="hl opt">)</span>
            db<span class="hl opt">.</span><span class="hl kwd">create_signing_cert</span><span class="hl opt">(</span><span class="hl str">&quot;Signing-Cert&quot;</span><span class="hl opt">,</span> <span class="hl str">&quot;Object Signing Cert&quot;</span><span class="hl opt">,</span> ca_db<span class="hl opt">)</span>

        <span class="hl slc"># Fix the database permissions</span>
        os<span class="hl opt">.</span><span class="hl kwd">chmod</span><span class="hl opt">(</span>certs<span class="hl opt">.</span>NSS_DIR <span class="hl opt">+</span> <span class="hl str">&quot;/cert8.db&quot;</span><span class="hl opt">,</span> <span class="hl num">0660</span><span class="hl opt">)</span>
        os<span class="hl opt">.</span><span class="hl kwd">chmod</span><span class="hl opt">(</span>certs<span class="hl opt">.</span>NSS_DIR <span class="hl opt">+</span> <span class="hl str">&quot;/key3.db&quot;</span><span class="hl opt">,</span> <span class="hl num">0660</span><span class="hl opt">)</span>
        os<span class="hl opt">.</span><span class="hl kwd">chmod</span><span class="hl opt">(</span>certs<span class="hl opt">.</span>NSS_DIR <span class="hl opt">+</span> <span class="hl str">&quot;/secmod.db&quot;</span><span class="hl opt">,</span> <span class="hl num">0660</span><span class="hl opt">)</span>
        os<span class="hl opt">.</span><span class="hl kwd">chmod</span><span class="hl opt">(</span>certs<span class="hl opt">.</span>NSS_DIR <span class="hl opt">+</span> <span class="hl str">&quot;/pwdfile.txt&quot;</span><span class="hl opt">,</span> <span class="hl num">0660</span><span class="hl opt">)</span>

        pent <span class="hl opt">=</span> pwd<span class="hl opt">.</span><span class="hl kwd">getpwnam</span><span class="hl opt">(</span><span class="hl str">&quot;apache&quot;</span><span class="hl opt">)</span>
        os<span class="hl opt">.</span><span class="hl kwd">chown</span><span class="hl opt">(</span>certs<span class="hl opt">.</span>NSS_DIR <span class="hl opt">+</span> <span class="hl str">&quot;/cert8.db&quot;</span><span class="hl opt">,</span> <span class="hl num">0</span><span class="hl opt">,</span> pent<span class="hl opt">.</span>pw_gid <span class="hl opt">)</span>
        os<span class="hl opt">.</span><span class="hl kwd">chown</span><span class="hl opt">(</span>certs<span class="hl opt">.</span>NSS_DIR <span class="hl opt">+</span> <span class="hl str">&quot;/key3.db&quot;</span><span class="hl opt">,</span> <span class="hl num">0</span><span class="hl opt">,</span> pent<span class="hl opt">.</span>pw_gid <span class="hl opt">)</span>
        os<span class="hl opt">.</span><span class="hl kwd">chown</span><span class="hl opt">(</span>certs<span class="hl opt">.</span>NSS_DIR <span class="hl opt">+</span> <span class="hl str">&quot;/secmod.db&quot;</span><span class="hl opt">,</span> <span class="hl num">0</span><span class="hl opt">,</span> pent<span class="hl opt">.</span>pw_gid <span class="hl opt">)</span>
        os<span class="hl opt">.</span><span class="hl kwd">chown</span><span class="hl opt">(</span>certs<span class="hl opt">.</span>NSS_DIR <span class="hl opt">+</span> <span class="hl str">&quot;/pwdfile.txt&quot;</span><span class="hl opt">,</span> <span class="hl num">0</span><span class="hl opt">,</span> pent<span class="hl opt">.</span>pw_gid <span class="hl opt">)</span>

        <span class="hl slc"># Fix SELinux permissions on the database</span>
        ipaservices<span class="hl opt">.</span><span class="hl kwd">restore_context</span><span class="hl opt">(</span>certs<span class="hl opt">.</span>NSS_DIR <span class="hl opt">+</span> <span class="hl str">&quot;/cert8.db&quot;</span><span class="hl opt">)</span>
        ipaservices<span class="hl opt">.</span><span class="hl kwd">restore_context</span><span class="hl opt">(</span>certs<span class="hl opt">.</span>NSS_DIR <span class="hl opt">+</span> <span class="hl str">&quot;/key3.db&quot;</span><span class="hl opt">)</span>

        <span class="hl slc"># In case this got generated as part of the install, reset the</span>
        <span class="hl slc"># context</span>
        <span class="hl kwa">if</span> ipautil<span class="hl opt">.</span><span class="hl kwd">file_exists</span><span class="hl opt">(</span>certs<span class="hl opt">.</span>CA_SERIALNO<span class="hl opt">):</span>
            ipaservices<span class="hl opt">.</span><span class="hl kwd">restore_context</span><span class="hl opt">(</span>certs<span class="hl opt">.</span>CA_SERIALNO<span class="hl opt">)</span>
            os<span class="hl opt">.</span><span class="hl kwd">chown</span><span class="hl opt">(</span>certs<span class="hl opt">.</span>CA_SERIALNO<span class="hl opt">,</span> <span class="hl num">0</span><span class="hl opt">,</span> pent<span class="hl opt">.</span>pw_gid<span class="hl opt">)</span>
            os<span class="hl opt">.</span><span class="hl kwd">chmod</span><span class="hl opt">(</span>certs<span class="hl opt">.</span>CA_SERIALNO<span class="hl opt">,</span> <span class="hl num">0664</span><span class="hl opt">)</span>

    <span class="hl kwa">def</span> <span class="hl kwd">__setup_autoconfig</span><span class="hl opt">(</span>self<span class="hl opt">):</span>
        target_fname <span class="hl opt">=</span> <span class="hl str">&#39;/usr/share/ipa/html/preferences.html&#39;</span>
        ipautil<span class="hl opt">.</span><span class="hl kwd">copy_template_file</span><span class="hl opt">(</span>
            ipautil<span class="hl opt">.</span>SHARE_DIR <span class="hl opt">+</span> <span class="hl str">&quot;preferences.html.template&quot;</span><span class="hl opt">,</span>
            target_fname<span class="hl opt">,</span> self<span class="hl opt">.</span>sub_dict<span class="hl opt">)</span>
        os<span class="hl opt">.</span><span class="hl kwd">chmod</span><span class="hl opt">(</span>target_fname<span class="hl opt">,</span> <span class="hl num">0644</span><span class="hl opt">)</span>

        <span class="hl slc"># The signing cert is generated in __setup_ssl</span>
        db <span class="hl opt">=</span> certs<span class="hl opt">.</span><span class="hl kwd">CertDB</span><span class="hl opt">(</span>self<span class="hl opt">.</span>realm<span class="hl opt">,</span> subject_base<span class="hl opt">=</span>self<span class="hl opt">.</span>subject_base<span class="hl opt">)</span>
        with <span class="hl kwb">open</span><span class="hl opt">(</span>db<span class="hl opt">.</span>passwd_fname<span class="hl opt">)</span> <span class="hl kwa">as</span> pwdfile<span class="hl opt">:</span>
            pwd <span class="hl opt">=</span> pwdfile<span class="hl opt">.</span><span class="hl kwd">read</span><span class="hl opt">()</span>

        <span class="hl slc"># Setup configure.jar</span>
        tmpdir <span class="hl opt">=</span> tempfile<span class="hl opt">.</span><span class="hl kwd">mkdtemp</span><span class="hl opt">(</span>prefix<span class="hl opt">=</span><span class="hl str">&quot;tmp-&quot;</span><span class="hl opt">)</span>
        target_fname <span class="hl opt">=</span> <span class="hl str">&#39;/usr/share/ipa/html/configure.jar&#39;</span>
        shutil<span class="hl opt">.</span><span class="hl kwd">copy</span><span class="hl opt">(</span><span class="hl str">&quot;/usr/share/ipa/html/preferences.html&quot;</span><span class="hl opt">,</span> tmpdir<span class="hl opt">)</span>
        db<span class="hl opt">.</span><span class="hl kwd">run_signtool</span><span class="hl opt">([</span><span class="hl str">&quot;-k&quot;</span><span class="hl opt">,</span> <span class="hl str">&quot;Signing-Cert&quot;</span><span class="hl opt">,</span>
                         <span class="hl str">&quot;-Z&quot;</span><span class="hl opt">,</span> target_fname<span class="hl opt">,</span>
                         <span class="hl str">&quot;-e&quot;</span><span class="hl opt">,</span> <span class="hl str">&quot;.html&quot;</span><span class="hl opt">,</span> <span class="hl str">&quot;-p&quot;</span><span class="hl opt">,</span> pwd<span class="hl opt">,</span>
                         tmpdir<span class="hl opt">])</span>
        shutil<span class="hl opt">.</span><span class="hl kwd">rmtree</span><span class="hl opt">(</span>tmpdir<span class="hl opt">)</span>
        os<span class="hl opt">.</span><span class="hl kwd">chmod</span><span class="hl opt">(</span>target_fname<span class="hl opt">,</span> <span class="hl num">0644</span><span class="hl opt">)</span>

        self<span class="hl opt">.</span><span class="hl kwd">setup_firefox_extension</span><span class="hl opt">(</span>self<span class="hl opt">.</span>realm<span class="hl opt">,</span> self<span class="hl opt">.</span>domain<span class="hl opt">,</span> force<span class="hl opt">=</span><span class="hl kwa">True</span><span class="hl opt">)</span>

    <span class="hl kwa">def</span> <span class="hl kwd">setup_firefox_extension</span><span class="hl opt">(</span>self<span class="hl opt">,</span> realm<span class="hl opt">,</span> domain<span class="hl opt">,</span> force<span class="hl opt">=</span><span class="hl kwa">False</span><span class="hl opt">):</span>
        <span class="hl str">&quot;&quot;&quot;Set up the signed browser configuration extension</span>
<span class="hl str"></span>
<span class="hl str">        If the extension is already set up, skip the installation unless</span>
<span class="hl str">        ``force`` is true.</span>
<span class="hl str">        &quot;&quot;&quot;</span>

        target_fname <span class="hl opt">=</span> <span class="hl str">&#39;/usr/share/ipa/html/krb.js&#39;</span>
        <span class="hl kwa">if</span> os<span class="hl opt">.</span>path<span class="hl opt">.</span><span class="hl kwd">exists</span><span class="hl opt">(</span>target_fname<span class="hl opt">)</span> <span class="hl kwa">and not</span> force<span class="hl opt">:</span>
            root_logger<span class="hl opt">.</span><span class="hl kwd">info</span><span class="hl opt">(</span>
                <span class="hl str">&#39;</span><span class="hl ipl">%s</span> <span class="hl str">exists, skipping install of Firefox extension&#39;</span><span class="hl opt">,</span>
                    target_fname<span class="hl opt">)</span>
            <span class="hl kwa">return</span>

        sub_dict <span class="hl opt">=</span> <span class="hl kwb">dict</span><span class="hl opt">(</span>REALM<span class="hl opt">=</span>realm<span class="hl opt">,</span> DOMAIN<span class="hl opt">=</span>domain<span class="hl opt">)</span>
        db <span class="hl opt">=</span> certs<span class="hl opt">.</span><span class="hl kwd">CertDB</span><span class="hl opt">(</span>realm<span class="hl opt">)</span>
        with <span class="hl kwb">open</span><span class="hl opt">(</span>db<span class="hl opt">.</span>passwd_fname<span class="hl opt">)</span> <span class="hl kwa">as</span> pwdfile<span class="hl opt">:</span>
            pwd <span class="hl opt">=</span> pwdfile<span class="hl opt">.</span><span class="hl kwd">read</span><span class="hl opt">()</span>

        ipautil<span class="hl opt">.</span><span class="hl kwd">copy_template_file</span><span class="hl opt">(</span>ipautil<span class="hl opt">.</span>SHARE_DIR <span class="hl opt">+</span> <span class="hl str">&quot;krb.js.template&quot;</span><span class="hl opt">,</span>
            target_fname<span class="hl opt">,</span> sub_dict<span class="hl opt">)</span>
        os<span class="hl opt">.</span><span class="hl kwd">chmod</span><span class="hl opt">(</span>target_fname<span class="hl opt">,</span> <span class="hl num">0644</span><span class="hl opt">)</span>

        <span class="hl slc"># Setup extension</span>
        tmpdir <span class="hl opt">=</span> tempfile<span class="hl opt">.</span><span class="hl kwd">mkdtemp</span><span class="hl opt">(</span>prefix<span class="hl opt">=</span><span class="hl str">&quot;tmp-&quot;</span><span class="hl opt">)</span>
        extdir <span class="hl opt">=</span> tmpdir <span class="hl opt">+</span> <span class="hl str">&quot;/ext&quot;</span>
        target_fname <span class="hl opt">=</span> <span class="hl str">&quot;/usr/share/ipa/html/kerberosauth.xpi&quot;</span>
        shutil<span class="hl opt">.</span><span class="hl kwd">copytree</span><span class="hl opt">(</span><span class="hl str">&quot;/usr/share/ipa/ffextension&quot;</span><span class="hl opt">,</span> extdir<span class="hl opt">)</span>
        <span class="hl kwa">if</span> db<span class="hl opt">.</span><span class="hl kwd">has_nickname</span><span class="hl opt">(</span><span class="hl str">&#39;Signing-Cert&#39;</span><span class="hl opt">):</span>
            db<span class="hl opt">.</span><span class="hl kwd">run_signtool</span><span class="hl opt">([</span><span class="hl str">&quot;-k&quot;</span><span class="hl opt">,</span> <span class="hl str">&quot;Signing-Cert&quot;</span><span class="hl opt">,</span>
                                <span class="hl str">&quot;-p&quot;</span><span class="hl opt">,</span> pwd<span class="hl opt">,</span>
                                <span class="hl str">&quot;-X&quot;</span><span class="hl opt">,</span> <span class="hl str">&quot;-Z&quot;</span><span class="hl opt">,</span> target_fname<span class="hl opt">,</span>
                                extdir<span class="hl opt">])</span>
        <span class="hl kwa">else</span><span class="hl opt">:</span>
            root_logger<span class="hl opt">.</span><span class="hl kwd">warning</span><span class="hl opt">(</span><span class="hl str">&#39;Object-signing certificate was not found. &#39;</span>
                <span class="hl str">&#39;Creating unsigned Firefox configuration extension.&#39;</span><span class="hl opt">)</span>
            filenames <span class="hl opt">=</span> os<span class="hl opt">.</span><span class="hl kwd">listdir</span><span class="hl opt">(</span>extdir<span class="hl opt">)</span>
            ipautil<span class="hl opt">.</span><span class="hl kwd">run</span><span class="hl opt">([</span><span class="hl str">&#39;/usr/bin/zip&#39;</span><span class="hl opt">,</span> <span class="hl str">&#39;-r&#39;</span><span class="hl opt">,</span> target_fname<span class="hl opt">] +</span> filenames<span class="hl opt">,</span>
                cwd<span class="hl opt">=</span>extdir<span class="hl opt">)</span>
        shutil<span class="hl opt">.</span><span class="hl kwd">rmtree</span><span class="hl opt">(</span>tmpdir<span class="hl opt">)</span>
        os<span class="hl opt">.</span><span class="hl kwd">chmod</span><span class="hl opt">(</span>target_fname<span class="hl opt">,</span> <span class="hl num">0644</span><span class="hl opt">)</span>

    <span class="hl kwa">def</span> <span class="hl kwd">__publish_ca_cert</span><span class="hl opt">(</span>self<span class="hl opt">):</span>
        ca_db <span class="hl opt">=</span> certs<span class="hl opt">.</span><span class="hl kwd">CertDB</span><span class="hl opt">(</span>self<span class="hl opt">.</span>realm<span class="hl opt">)</span>
        ca_db<span class="hl opt">.</span><span class="hl kwd">publish_ca_cert</span><span class="hl opt">(</span><span class="hl str">&quot;/usr/share/ipa/html/ca.crt&quot;</span><span class="hl opt">)</span>

    <span class="hl kwa">def</span> <span class="hl kwd">uninstall</span><span class="hl opt">(</span>self<span class="hl opt">):</span>
        <span class="hl kwa">if</span> self<span class="hl opt">.</span><span class="hl kwd">is_configured</span><span class="hl opt">():</span>
            self<span class="hl opt">.</span><span class="hl kwd">print_msg</span><span class="hl opt">(</span><span class="hl str">&quot;Unconfiguring web server&quot;</span><span class="hl opt">)</span>

        running <span class="hl opt">=</span> self<span class="hl opt">.</span><span class="hl kwd">restore_state</span><span class="hl opt">(</span><span class="hl str">&quot;running&quot;</span><span class="hl opt">)</span>
        enabled <span class="hl opt">=</span> self<span class="hl opt">.</span><span class="hl kwd">restore_state</span><span class="hl opt">(</span><span class="hl str">&quot;enabled&quot;</span><span class="hl opt">)</span>

        <span class="hl kwa">if not</span> running <span class="hl kwa">is None</span><span class="hl opt">:</span>
            self<span class="hl opt">.</span><span class="hl kwd">stop</span><span class="hl opt">()</span>

        db <span class="hl opt">=</span> certs<span class="hl opt">.</span><span class="hl kwd">CertDB</span><span class="hl opt">(</span>api<span class="hl opt">.</span>env<span class="hl opt">.</span>realm<span class="hl opt">)</span>
        db<span class="hl opt">.</span><span class="hl kwd">untrack_server_cert</span><span class="hl opt">(</span><span class="hl str">&quot;Server-Cert&quot;</span><span class="hl opt">)</span>
        <span class="hl kwa">if not</span> enabled <span class="hl kwa">is None and not</span> enabled<span class="hl opt">:</span>
            self<span class="hl opt">.</span><span class="hl kwd">disable</span><span class="hl opt">()</span>

        <span class="hl kwa">for</span> f <span class="hl kwa">in</span> <span class="hl opt">[</span><span class="hl str">&quot;/etc/httpd/conf.d/ipa.conf&quot;</span><span class="hl opt">,</span> SSL_CONF<span class="hl opt">,</span> NSS_CONF<span class="hl opt">]:</span>
            <span class="hl kwa">try</span><span class="hl opt">:</span>
                self<span class="hl opt">.</span>fstore<span class="hl opt">.</span><span class="hl kwd">restore_file</span><span class="hl opt">(</span>f<span class="hl opt">)</span>
            <span class="hl kwa">except</span> <span class="hl kwc">ValueError</span><span class="hl opt">,</span> error<span class="hl opt">:</span>
                root_logger<span class="hl opt">.</span><span class="hl kwd">debug</span><span class="hl opt">(</span>error<span class="hl opt">)</span>
                <span class="hl kwa">pass</span>

        <span class="hl slc"># Remove the configuration files we create</span>
        installutils<span class="hl opt">.</span><span class="hl kwd">remove_file</span><span class="hl opt">(</span><span class="hl str">&quot;/etc/httpd/conf.d/ipa-rewrite.conf&quot;</span><span class="hl opt">)</span>
        installutils<span class="hl opt">.</span><span class="hl kwd">remove_file</span><span class="hl opt">(</span><span class="hl str">&quot;/etc/httpd/conf.d/ipa.conf&quot;</span><span class="hl opt">)</span>
        installutils<span class="hl opt">.</span><span class="hl kwd">remove_file</span><span class="hl opt">(</span><span class="hl str">&quot;/etc/httpd/conf.d/ipa-pki-proxy.conf&quot;</span><span class="hl opt">)</span>

        <span class="hl kwa">for</span> var <span class="hl kwa">in</span> <span class="hl opt">[</span><span class="hl str">&quot;httpd_can_network_connect&quot;</span><span class="hl opt">,</span> <span class="hl str">&quot;httpd_manage_ipa&quot;</span><span class="hl opt">]:</span>
            sebool_state <span class="hl opt">=</span> self<span class="hl opt">.</span><span class="hl kwd">restore_state</span><span class="hl opt">(</span>var<span class="hl opt">)</span>
            <span class="hl kwa">if not</span> sebool_state <span class="hl kwa">is None</span><span class="hl opt">:</span>
                <span class="hl kwa">try</span><span class="hl opt">:</span>
                    ipautil<span class="hl opt">.</span><span class="hl kwd">run</span><span class="hl opt">([</span><span class="hl str">&quot;/usr/sbin/setsebool&quot;</span><span class="hl opt">,</span> <span class="hl str">&quot;-P&quot;</span><span class="hl opt">,</span> var<span class="hl opt">,</span> sebool_state<span class="hl opt">])</span>
                <span class="hl kwa">except</span> ipautil<span class="hl opt">.</span>CalledProcessError<span class="hl opt">,</span> e<span class="hl opt">:</span>
                    self<span class="hl opt">.</span><span class="hl kwd">print_msg</span><span class="hl opt">(</span><span class="hl str">&quot;Cannot restore SELinux boolean &#39;</span><span class="hl ipl">%s</span><span class="hl str">&#39; back to &#39;</span><span class="hl ipl">%s</span><span class="hl str">&#39;:</span> <span class="hl ipl">%s</span><span class="hl str">&quot;</span> \
                            <span class="hl opt">% (</span>var<span class="hl opt">,</span> sebool_state<span class="hl opt">,</span> e<span class="hl opt">))</span>

        <span class="hl kwa">if not</span> running <span class="hl kwa">is None and</span> running<span class="hl opt">:</span>
            self<span class="hl opt">.</span><span class="hl kwd">start</span><span class="hl opt">()</span>
</code></pre></td></tr></table>
</div> <!-- class=content -->
<div class='footer'>generated by <a href='https://git.zx2c4.com/cgit/about/'>cgit </a> (<a href='https://git-scm.com/'>git 2.34.1</a>) at 2025-09-04 07:45:21 +0000</div>
</div> <!-- id=cgit -->
</body>
</html>