authorJan Cholasta <jcholast@redhat.com>2016-11-23 06:23:47 +0100
committerMartin Basti <mbasti@redhat.com>2016-11-29 14:50:51 +0100
commitfba6c21da3fbe0a62a96118eb32f205249ab3736 (patch)
tree9cec30d420b3a51e7b5ab9d4976cff2882898757 /ipaclient
parent26c46a447f82b4cf37a5076b72cf6328857d5f35 (diff)
certdb: move IPA NSS DB install functions to ipaclient.install
The create_ipa_nssdb() and update_ipa_nssdb() depend on ipaplatform. Move them to ipaclient.install.client as they are used only from the client installer and ipa-restore. https://fedorahosted.org/freeipa/ticket/6474 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Diffstat (limited to 'ipaclient')
-rw-r--r--ipaclient/install/client.py50
1 files changed, 49 insertions, 1 deletions
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index fa84ff8bc..3073527db 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -2300,6 +2300,54 @@ def install_check(options):
raise ScriptError(rval=CLIENT_INSTALL_ERROR)
+def create_ipa_nssdb():
+ db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
+ pwdfile = os.path.join(db.secdir, 'pwdfile.txt')
+
+ ipautil.backup_file(pwdfile)
+ ipautil.backup_file(os.path.join(db.secdir, 'cert8.db'))
+ ipautil.backup_file(os.path.join(db.secdir, 'key3.db'))
+ ipautil.backup_file(os.path.join(db.secdir, 'secmod.db'))
+
+ with open(pwdfile, 'w') as f:
+ f.write(ipautil.ipa_generate_password(pwd_len=40))
+ os.chmod(pwdfile, 0o600)
+
+ db.create_db(pwdfile)
+ os.chmod(os.path.join(db.secdir, 'cert8.db'), 0o644)
+ os.chmod(os.path.join(db.secdir, 'key3.db'), 0o644)
+ os.chmod(os.path.join(db.secdir, 'secmod.db'), 0o644)
+
+
+def update_ipa_nssdb():
+ ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
+ sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
+
+ if not os.path.exists(os.path.join(ipa_db.secdir, 'cert8.db')):
+ create_ipa_nssdb()
+
+ for nickname, trust_flags in (('IPA CA', 'CT,C,C'),
+ ('External CA cert', 'C,,')):
+ try:
+ cert = sys_db.get_cert(nickname)
+ except RuntimeError:
+ continue
+ try:
+ ipa_db.add_cert(cert, nickname, trust_flags)
+ except ipautil.CalledProcessError as e:
+ raise RuntimeError("Failed to add %s to %s: %s" %
+ (nickname, ipa_db.secdir, e))
+
+ # Remove IPA certs from /etc/pki/nssdb
+ for nickname, trust_flags in ipa_db.list_certs():
+ while sys_db.has_nickname(nickname):
+ try:
+ sys_db.delete_cert(nickname)
+ except ipautil.CalledProcessError as e:
+ raise RuntimeError("Failed to remove %s from %s: %s" %
+ (nickname, sys_db.secdir, e))
+
+
def install(options):
try:
_install(options)
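Review bot: In create_ipa_nssdb the password file is opened with `open(pwdfile, 'w')` and the generated NSS DB password is written before `os.chmod(pwdfile, 0o600)` runs, so during that window the file carries whatever mode the process umask produced (or, if pwdfile already existed, whatever mode it had, since 'w' truncates without changing permissions). Create it with the restrictive mode from the start, e.g. `fd = os.open(pwdfile, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` followed by `with os.fdopen(fd, 'w') as f:`, and keep the chmod for the pre-existing-file case. Both moved functions also lack a docstring; a one-liner such as `"""Create the IPA NSS DB in paths.IPA_NSSDB_DIR with a fresh random password and the default file modes."""` on create_ipa_nssdb, and one on update_ipa_nssdb stating that the 'IPA CA' and 'External CA cert' entries are copied from the system NSS DB and that nicknames present in the IPA DB are then deleted from the system DB, would help. In the removal loop trust_flags is unused, so `for nickname, _ in ipa_db.list_certs():` reads better, and the comment `# Remove IPA certs from /etc/pki/nssdb` hard-codes a path where the code uses paths.NSS_DB_DIR.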
@@ -2708,7 +2756,7 @@ def _install(options):
# Create IPA NSS database
try:
- certdb.create_ipa_nssdb()
+ create_ipa_nssdb()
except ipautil.CalledProcessError as e:
root_logger.error("Failed to create IPA NSS database: %s", e)
return CLIENT_INSTALL_ERROR