authorJan Cholasta <jcholast@redhat.com>2013-10-16 09:00:44 +0000
committerPetr Viktorin <pviktori@redhat.com>2014-03-25 16:54:55 +0100
commit2c466b79e80b8549831357b05891f3fb8dcbdaa0 (patch)
treeaeff8478cada4dbc8d36649d385eab1818b54b6a /install/restart_scripts
parentb5d082ec4d08712f8be5b56ea248133a76fd923a (diff)
Merge restart_pkicad functionality into renew_ca_cert and remove restart_pkicad.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Diffstat (limited to 'install/restart_scripts')
-rw-r--r--install/restart_scripts/Makefile.am1
-rw-r--r--install/restart_scripts/renew_ca_cert41
-rw-r--r--install/restart_scripts/restart_pkicad81
3 files changed, 31 insertions, 92 deletions
diff --git a/install/restart_scripts/Makefile.am b/install/restart_scripts/Makefile.am
index fc45ecc88..58057aa31 100644
--- a/install/restart_scripts/Makefile.am
+++ b/install/restart_scripts/Makefile.am
@@ -4,7 +4,6 @@ appdir = $(libdir)/ipa/certmonger
app_DATA = \
restart_dirsrv \
restart_httpd \
- restart_pkicad \
renew_ca_cert \
renew_ra_cert \
stop_pkicad \
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index 9b1b45d87..2663887d6 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -44,6 +44,23 @@ def main():
dogtag_service = ipaservices.knownservices[configured_constants.SERVICE_NAME]
dogtag_instance = configured_constants.PKI_INSTANCE_NAME
+ # dogtag opens its NSS database in read/write mode so we need it
+ # shut down so certmonger can open it read/write mode. This avoids
+ # database corruption. It should already be stopped by the pre-command
+ # but lets be sure.
+ if dogtag_service.is_running(dogtag_instance):
+ syslog.syslog(
+ syslog.LOG_NOTICE, "Stopping %s" % dogtag_service.service_name)
+ try:
+ dogtag_service.stop(dogtag_instance)
+ except Exception, e:
+ syslog.syslog(
+ syslog.LOG_ERR,
+ "Cannot stop %s: %s" % (dogtag_service.service_name, e))
+ else:
+ syslog.syslog(
+ syslog.LOG_NOTICE, "Stopped %s" % dogtag_service.service_name)
+
# Fetch the new certificate
db = certs.CertDB(api.env.realm, nssdir=alias_dir)
cert = db.get_cert_from_db(nickname, pem=False)
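Review bot: In the stop block added at the top of this hunk, a failed `dogtag_service.stop(dogtag_instance)` is only logged and execution falls through to `certs.CertDB(...)` and `get_cert_from_db`, opening the NSS database while dogtag may still hold it read/write, which is exactly the corruption the new comment says the stop is there to prevent. Since the comment treats the pre-command stop as the expected path, a stop failure at this point is a hard error rather than a best-effort condition, so the except branch should abort after logging: add `sys.exit(1)` after the `"Cannot stop %s: %s"` syslog call (`sys.exit(1)` is already used a few lines further down in this file, so `sys` appears to be in scope). The same log-and-continue pattern existed in the deleted restart_pkicad, so the commit carries it over rather than introducing it, but merging it into the renewal path makes the consequence worse because the cert fetch now follows immediately. main() starts and ends outside this hunk.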
@@ -51,22 +68,26 @@ def main():
syslog.syslog(syslog.LOG_ERR, 'No certificate %s found.' % nickname)
sys.exit(1)
- # Done withing stopped_service context, CA restarted here
cainstance.update_cert_config(nickname, cert, configured_constants)
- cainstance.update_people_entry(cert)
+
+ ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
+ if ca.is_renewal_master():
+ cainstance.update_people_entry(cert)
if nickname == 'auditSigningCert cert-pki-ca':
# Fix trust on the audit cert
- db = certs.CertDB(api.env.realm, nssdir=alias_dir)
- args = ['-M',
- '-n', nickname,
- '-t', 'u,u,Pu',
- ]
try:
- db.run_certutil(args)
- syslog.syslog(syslog.LOG_NOTICE, 'Updated trust on certificate %s in %s' % (nickname, db.secdir))
+ db.run_certutil(['-M',
+ '-n', nickname,
+ '-t', 'u,u,Pu'])
+ syslog.syslog(
+ syslog.LOG_NOTICE,
+ "Updated trust on certificate %s in %s" % (nickname, db.secdir))
except ipautil.CalledProcessError:
- syslog.syslog(syslog.LOG_ERR, 'Updating trust on certificate %s failed in %s' % (nickname, db.secdir))
+ syslog.syslog(
+ syslog.LOG_ERR,
+ "Updating trust on certificate %s failed in %s" %
+ (nickname, db.secdir))
# Now we can start the CA. Using the ipaservices start should fire
# off the servlet to verify that the CA is actually up and responding so
diff --git a/install/restart_scripts/restart_pkicad b/install/restart_scripts/restart_pkicad
deleted file mode 100644
index 4e14577ae..000000000
--- a/install/restart_scripts/restart_pkicad
+++ /dev/null
@@ -1,81 +0,0 @@
-#!/usr/bin/python2 -E
-#
-# Authors:
-# Rob Crittenden <rcritten@redhat.com>
-#
-# Copyright (C) 2012 Red Hat
-# see file 'COPYING' for use and warranty information
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-
-import sys
-import syslog
-import traceback
-from ipapython import services as ipaservices
-from ipapython import dogtag
-from ipaserver.install import certs
-from ipalib import api
-
-def main():
- nickname = sys.argv[1]
-
- api.bootstrap(context='restart')
- api.finalize()
-
- configured_constants = dogtag.configured_constants(api)
- alias_dir = configured_constants.ALIAS_DIR
- dogtag_service = ipaservices.knownservices[configured_constants.SERVICE_NAME]
- dogtag_instance = configured_constants.PKI_INSTANCE_NAME
-
- # dogtag opens its NSS database in read/write mode so we need it
- # shut down so certmonger can open it read/write mode. This avoids
- # database corruption. It should already be stopped by the pre-command
- # but lets be sure.
- if dogtag_service.is_running(dogtag_instance):
- syslog.syslog(
- syslog.LOG_NOTICE, "Stopping %s" % dogtag_service.service_name)
- try:
- dogtag_service.stop(dogtag_instance)
- except Exception, e:
- syslog.syslog(
- syslog.LOG_ERR,
- "Cannot stop %s: %s" % (dogtag_service.service_name, e))
- else:
- syslog.syslog(
- syslog.LOG_NOTICE, "Stopped %s" % dogtag_service.service_name)
-
- # Fix permissions on the audit cert if we're updating it
- if nickname == 'auditSigningCert cert-pki-ca':
- db = certs.CertDB(api.env.realm, nssdir=alias_dir)
- args = ['-M',
- '-n', nickname,
- '-t', 'u,u,Pu',
- ]
- db.run_certutil(args)
-
- syslog.syslog(syslog.LOG_NOTICE, 'Starting %s' % dogtag_service.service_name)
- try:
- dogtag_service.start(dogtag_instance)
- except Exception, e:
- syslog.syslog(
- syslog.LOG_ERR,
- "Cannot start %s: %s" % (dogtag_service.service_name, e))
- else:
- syslog.syslog(
- syslog.LOG_NOTICE, "Started %s" % dogtag_service.service_name)
-
-try:
- main()
-except Exception:
- syslog.syslog(syslog.LOG_ERR, traceback.format_exc())