URL: https://github.com/freeipa/freeipa/pull/615
Author: HonzaCholasta
Title: #615: httpinstance: clean up /etc/httpd/alias on uninstall
Action: opened

PR body:
"""
**certs: do not implicitly create DS pin.txt**

Do not implicitly create DS pin.txt in `CertDB.init_from_pkcs12()`, create
it explicitly in `DSInstance.__enable_ssl()`.

This stops the file from being created in /etc/httpd/alias during classic
replica install.

**httpinstance: clean up /etc/httpd/alias on uninstall**

Restore cert8.db, key3.db, pwdfile.txt and secmod.db in /etc/httpd/alias
from backup on uninstall.

Files modified by IPA are kept with .ipasave suffix.

https://pagure.io/freeipa/issue/4639
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/615/head:pr615
git checkout pr615
From d1dd53e39042925a5b8ec8ded5d3cc46111f939d Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Tue, 14 Mar 2017 09:32:17 +0100
Subject: [PATCH 1/2] certs: do not implicitly create DS pin.txt

Do not implicitly create DS pin.txt in `CertDB.init_from_pkcs12()`, create
it explicitly in `DSInstance.__enable_ssl()`.

This stops the file from being created in /etc/httpd/alias during classic
replica install.

https://pagure.io/freeipa/issue/4639
---
 ipaserver/install/certs.py      | 1 -
 ipaserver/install/dsinstance.py | 3 ++-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 63e7887..9f340b8 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -635,7 +635,6 @@ def init_from_pkcs12(self, pkcs12_fname, pkcs12_passwd,
         self.cacert_name = ca_names[-1]
         self.trust_root_cert(self.cacert_name, trust_flags)
 
-        self.create_pin_file()
         self.export_ca_cert(nickname, False)
 
     def publish_ca_cert(self, location):
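Review bot: Removing `self.create_pin_file()` from `init_from_pkcs12()` drops a side effect that every caller of this method used to get implicitly, and this series only adds an explicit call in `DSInstance.__enable_ssl()`. Please confirm that no other caller of `init_from_pkcs12()` still expects pin.txt to exist afterwards, and add a short comment or documentation note on the method saying that the caller is now responsible for creating the pin file.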
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 91cc180..79dc90e 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -838,7 +838,8 @@ def __enable_ssl(self):
                 certmonger.modify_ca_helper('IPA', prev_helper)
 
             self.dercert = dsdb.get_cert_from_db(self.nickname, pem=False)
-            dsdb.create_pin_file()
+
+        dsdb.create_pin_file()
 
         self.cacert_name = dsdb.cacert_name
 
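Review bot: The dedent of `dsdb.create_pin_file()` is the whole behaviour change in this hunk and it is easy to miss: the call now sits after the block ending in `self.dercert = dsdb.get_cert_from_db(self.nickname, pem=False)` instead of inside it, so it runs on every path through `__enable_ssl()`. A one-line comment above the call stating that the DS pin file is needed whichever branch ran would make the intent explicit. Since this is now the only place the series creates pin.txt, it is also worth checking that nothing earlier in the method can return before reaching this line.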

From cd8d3bac3a26c9d084aeea139011067ac5187af9 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Wed, 8 Mar 2017 14:24:15 +0000
Subject: [PATCH 2/2] httpinstance: clean up /etc/httpd/alias on uninstall

Restore cert8.db, key3.db, pwdfile.txt and secmod.db in /etc/httpd/alias
from backup on uninstall.

Files modified by IPA are kept with .ipasave suffix.

https://pagure.io/freeipa/issue/4639
---
 ipapython/certdb.py               | 13 +++++++++++++
 ipaserver/install/certs.py        |  3 +++
 ipaserver/install/httpinstance.py |  3 +++
 3 files changed, 19 insertions(+)

diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 6c89e77..f1410e5 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -169,6 +169,19 @@ def create_db(self, user=None, group=None, mode=None, backup=False):
                     new_mode = filemode
                 os.chmod(path, new_mode)
 
+    def restore(self):
+        for filename in NSS_FILES:
+            path = os.path.join(self.secdir, filename)
+            backup_path = path + '.orig'
+            save_path = path + '.ipasave'
+            try:
+                if os.path.exists(path):
+                    os.rename(path, save_path)
+                if os.path.exists(backup_path):
+                    os.rename(backup_path, path)
+            except OSError as e:
+                root_logger.debug(e)
+
     def list_certs(self):
         """Return nicknames and cert flags for all certs in the database
 
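Review bot: In `restore()`, the `except OSError` handler logs only `e` at debug level, so a failed restore of key3.db or pwdfile.txt during uninstall is effectively silent, and because both renames share one `try`, a failure moving `path` to `save_path` also skips putting the `.orig` backup back for that file. Suggest logging at warning or error level with the file path included, and handling the two renames separately. The method also has no docstring; it should state that the IPA-modified files, including the key database and the password file, stay in `self.secdir` under the `.ipasave` suffix, and that an `.ipasave` file left by an earlier uninstall is overwritten by `os.rename()`.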
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 9f340b8..0ca9713 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -234,6 +234,9 @@ def create_certdbs(self):
                              backup=True)
         self.set_perms(self.passwd_fname, write=True)
 
+    def restore(self):
+        self.nssdb.restore()
+
     def list_certs(self):
         """
         Return a tuple of tuples containing (nickname, trust)
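Review bot: `CertDB.restore()` has no docstring, unlike the neighbouring `list_certs()`, and the name alone does not say what is restored or from where. Add one line stating that it delegates to `self.nssdb.restore()`, which moves the current NSS database files aside as `.ipasave` and puts back the `.orig` backups made by `create_certdbs()` with `backup=True`.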
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index ca3bcc8..f6f0b0c 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -555,6 +555,9 @@ def uninstall(self):
                 ca_iface.Set('org.fedorahosted.certmonger.ca',
                              'external-helper', helper)
 
+        db = certs.CertDB(self.realm, paths.HTTPD_ALIAS_DIR)
+        db.restore()
+
         for f in [paths.HTTPD_IPA_CONF, paths.HTTPD_SSL_CONF, paths.HTTPD_NSS_CONF]:
             try:
                 self.fstore.restore_file(f)
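Review bot: `db.restore()` is called unconditionally in `uninstall()`, and `restore()` as added in ipapython/certdb.py renames every existing NSS file to `.ipasave` whether or not a `.orig` backup exists. If uninstall runs on a host where `create_certdbs()` never completed, or runs a second time, the files in `paths.HTTPD_ALIAS_DIR` are moved aside with nothing put back in their place. Consider guarding the call on the presence of the `.orig` backups, or on whether IPA configured httpd in the first place.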
-- 