From fba6c21da3fbe0a62a96118eb32f205249ab3736 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Nov 29 2016 13:50:51 +0000
Subject: certdb: move IPA NSS DB install functions to ipaclient.install
The create_ipa_nssdb() and update_ipa_nssdb() depend on ipaplatform. Move them to ipaclient.install.client as they are used only from the client installer and ipa-restore.
https://fedorahosted.org/freeipa/ticket/6474
Reviewed-By: Stanislav Laznicka
---
diff --git a/freeipa.spec.in b/freeipa.spec.in
index d76c1a3..6847bed 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -926,7 +926,7 @@ if [ $1 -gt 1 ] ; then
 fi
 if [ $restore -ge 2 ]; then
- python2 -c 'from ipapython.certdb import update_ipa_nssdb; update_ipa_nssdb()' >/var/log/ipaupgrade.log 2>&1
+ python2 -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >/var/log/ipaupgrade.log 2>&1
 fi
 fi
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index fa84ff8..3073527 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -2300,6 +2300,54 @@ def install_check(options):
 raise ScriptError(rval=CLIENT_INSTALL_ERROR)
+def create_ipa_nssdb():
+ db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
+ pwdfile = os.path.join(db.secdir, 'pwdfile.txt')
+
+ ipautil.backup_file(pwdfile)
+ ipautil.backup_file(os.path.join(db.secdir, 'cert8.db'))
+ ipautil.backup_file(os.path.join(db.secdir, 'key3.db'))
+ ipautil.backup_file(os.path.join(db.secdir, 'secmod.db'))
+
+ with open(pwdfile, 'w') as f:
+ f.write(ipautil.ipa_generate_password(pwd_len=40))
+ os.chmod(pwdfile, 0o600)
+
+ db.create_db(pwdfile)
+ os.chmod(os.path.join(db.secdir, 'cert8.db'), 0o644)
+ os.chmod(os.path.join(db.secdir, 'key3.db'), 0o644)
+ os.chmod(os.path.join(db.secdir, 'secmod.db'), 0o644)
+
+
+def update_ipa_nssdb():
+ ipa_db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
+ sys_db = certdb.NSSDatabase(paths.NSS_DB_DIR)
+
+ if not os.path.exists(os.path.join(ipa_db.secdir, 'cert8.db')):
+ create_ipa_nssdb()
+
+ for nickname, trust_flags in (('IPA CA', 'CT,C,C'),
+ ('External CA cert', 'C,,')):
+ try:
+ cert = sys_db.get_cert(nickname)
+ except RuntimeError:
+ continue
+ try:
+ ipa_db.add_cert(cert, nickname, trust_flags)
+ except ipautil.CalledProcessError as e:
+ raise RuntimeError("Failed to add %s to %s: %s" %
+ (nickname, ipa_db.secdir, e))
+
+ # Remove IPA certs from /etc/pki/nssdb
+ for nickname, trust_flags in ipa_db.list_certs():
+ while sys_db.has_nickname(nickname):
+ try:
+ sys_db.delete_cert(nickname)
+ except ipautil.CalledProcessError as e:
+ raise RuntimeError("Failed to remove %s from %s: %s" %
+ (nickname, sys_db.secdir, e))
+
+
 def install(options):
 try:
 _install(options)
@@ -2708,7 +2756,7 @@ def _install(options):
 # Create IPA NSS database
 try:
- certdb.create_ipa_nssdb()
+ create_ipa_nssdb()
 except ipautil.CalledProcessError as e:
 root_logger.error("Failed to create IPA NSS database: %s", e)
 return CLIENT_INSTALL_ERROR
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index c2fe599..3095253 100644
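Review bot: In create_ipa_nssdb the NSS DB password is written through `open(pwdfile, 'w')` before the `os.chmod(pwdfile, 0o600)` that follows, so when pwdfile does not already exist it is created under the process umask and holds the secret until the chmod runs; creating it restrictive from the start closes that window, e.g. `fd = os.open(pwdfile, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` then `with os.fdopen(fd, 'w') as f:` (keep the chmod for the pre-existing-file case). The hunk moves both functions verbatim, so the same applies to the removed copy in ipapython/certdb.py. Neither moved function has a docstring; a one-liner on each would help, e.g. `"""Back up and recreate the IPA NSS DB in paths.IPA_NSSDB_DIR with a freshly generated password."""` and `"""Copy the 'IPA CA' and 'External CA cert' entries from the system NSS DB into the IPA NSS DB, then remove the IPA DB's nicknames from the system DB."""`. In the removal loop `trust_flags` is never read, so `for nickname, _ in ipa_db.list_certs():` reads clearer. install() begins at the end of this hunk and continues outside it.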
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -39,54 +39,6 @@ def get_ca_nickname(realm, format=CA_NICKNAME_FMT):
 return format % realm
-def create_ipa_nssdb():
- db = NSSDatabase(paths.IPA_NSSDB_DIR)
- pwdfile = os.path.join(db.secdir, 'pwdfile.txt')
-
- ipautil.backup_file(pwdfile)
- ipautil.backup_file(os.path.join(db.secdir, 'cert8.db'))
- ipautil.backup_file(os.path.join(db.secdir, 'key3.db'))
- ipautil.backup_file(os.path.join(db.secdir, 'secmod.db'))
-
- with open(pwdfile, 'w') as f:
- f.write(ipautil.ipa_generate_password(pwd_len=40))
- os.chmod(pwdfile, 0o600)
-
- db.create_db(pwdfile)
- os.chmod(os.path.join(db.secdir, 'cert8.db'), 0o644)
- os.chmod(os.path.join(db.secdir, 'key3.db'), 0o644)
- os.chmod(os.path.join(db.secdir, 'secmod.db'), 0o644)
-
-
-def update_ipa_nssdb():
- ipa_db = NSSDatabase(paths.IPA_NSSDB_DIR)
- sys_db = NSSDatabase(paths.NSS_DB_DIR)
-
- if not os.path.exists(os.path.join(ipa_db.secdir, 'cert8.db')):
- create_ipa_nssdb()
-
- for nickname, trust_flags in (('IPA CA', 'CT,C,C'),
- ('External CA cert', 'C,,')):
- try:
- cert = sys_db.get_cert(nickname)
- except RuntimeError:
- continue
- try:
- ipa_db.add_cert(cert, nickname, trust_flags)
- except ipautil.CalledProcessError as e:
- raise RuntimeError("Failed to add %s to %s: %s" %
- (nickname, ipa_db.secdir, e))
-
- # Remove IPA certs from /etc/pki/nssdb
- for nickname, trust_flags in ipa_db.list_certs():
- while sys_db.has_nickname(nickname):
- try:
- sys_db.delete_cert(nickname)
- except ipautil.CalledProcessError as e:
- raise RuntimeError("Failed to remove %s from %s: %s" %
- (nickname, sys_db.secdir, e))
-
-
 def find_cert_from_txt(cert, start=0):
 """
 Given a cert blob (str) which may or may not contian leading and
diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py
index 3dc6522..2987b5a 100644
--- a/ipaserver/install/ipa_restore.py
+++ b/ipaserver/install/ipa_restore.py
@@ -29,9 +29,10 @@ import itertools
 from six.moves.configparser import SafeConfigParser
 # pylint: enable=import-error
+from ipaclient.install.client import update_ipa_nssdb
 from ipalib import api, errors
 from ipalib.constants import FQDN
-from ipapython import version, ipautil, certdb
+from ipapython import version, ipautil
 from ipapython.ipautil import run, user_input
 from ipapython import admintool
 from ipapython.dn import DN
@@ -831,7 +832,7 @@ class Restore(admintool.AdminTool):
 def cert_restore(self):
 try:
- certdb.update_ipa_nssdb()
+ update_ipa_nssdb()
 except RuntimeError as e:
 self.log.error("%s", e)