Re: [Freeipa-devel] [PATCH] 365 Fix CA certificate backup and restore

2014-11-11 Thread Jan Cholasta

Dne 10.11.2014 v 17:46 Jan Cholasta napsal(a):

Hi,

the attached patch fixes https://fedorahosted.org/freeipa/ticket/4711.

Honza


Forgot to include /etc/pki/ca-trust/source/anchors/ipa-ca.crt in backup.

Updated patch attached.

--
Jan Cholasta
From f61c3b242e9eb83fa585b091da4d60b7262d124f Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Mon, 10 Nov 2014 16:24:22 +
Subject: [PATCH] Fix CA certificate backup and restore

Backup and restore /etc/pki/ca-trust/source/ipa.p11-kit.

Create /etc/ipa/nssdb after restore if necessary.

https://fedorahosted.org/freeipa/ticket/4711
---
 ipaplatform/base/paths.py|  2 +-
 ipaplatform/base/tasks.py|  9 +
 ipaplatform/redhat/tasks.py  | 43 
 ipaserver/install/ipa_backup.py  |  2 ++
 ipaserver/install/ipa_restore.py | 35 +++-
 5 files changed, 67 insertions(+), 24 deletions(-)

diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index af50262..e28147a 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -92,7 +92,7 @@ class BasePathNamespace(object):
 PAM_LDAP_CONF = /etc/pam_ldap.conf
 PASSWD = /etc/passwd
 ETC_PKI_CA_DIR = /etc/pki-ca
-SYSTEMWIDE_CA_STORE = /etc/pki/ca-trust/source/anchors/
+SYSTEMWIDE_IPA_CA_CRT = /etc/pki/ca-trust/source/anchors/ipa-ca.crt
 IPA_P11_KIT = /etc/pki/ca-trust/source/ipa.p11-kit
 NSS_DB_DIR = /etc/pki/nssdb
 PKI_TOMCAT = /etc/pki/pki-tomcat
diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
index f2ba81f..9b15119 100644
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -55,6 +55,15 @@ class BaseTaskNamespace(object):
 
 return
 
+def reload_systemwide_ca_store(self):
+
+Reloads the systemwide CA store.
+
+Returns True if the operation succeeded, False otherwise.
+
+
+return True
+
 def insert_ca_certs_into_systemwide_ca_store(self, ca_certs):
 
 Adds CA certificates from 'ca_certs' to the systemwide CA store
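Review bot: The base `reload_systemwide_ca_store` added here returns True without doing anything, so a platform namespace that does not override it reports a successful CA store reload that never ran, and the docstring describes only the return value. Suggest extending the docstring with `Platform namespaces are expected to override this; the base implementation performs no reload and reports success.` so the placeholder nature is explicit. The same hunk appears again in the earlier revision of the patch quoted further down this page.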
diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
index 3f5fc90..d0e3cde 100644
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -158,8 +158,19 @@ class RedHatTaskNamespace(BaseTaskNamespace):
 auth_config.add_option(nostart)
 auth_config.execute()
 
+def reload_systemwide_ca_store(self):
+try:
+ipautil.run([paths.UPDATE_CA_TRUST])
+except CalledProcessError, e:
+root_logger.error(
+Could not update systemwide CA trust database: %s, e)
+return False
+else:
+root_logger.info(Systemwide CA database updated.)
+return True
+
 def insert_ca_certs_into_systemwide_ca_store(self, ca_certs):
-new_cacert_path = os.path.join(paths.SYSTEMWIDE_CA_STORE, 'ipa-ca.crt')
+new_cacert_path = paths.SYSTEMWIDE_IPA_CA_CRT
 
 if os.path.exists(new_cacert_path):
 try:
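Review bot: The RedHat override of `reload_systemwide_ca_store` has no docstring although the base method declares a contract, and its two log lines are the only record an operator gets of whether the trust database was regenerated. A one-line docstring such as `"""Run UPDATE_CA_TRUST; log an error and return False if it fails."""` would keep the contract visible at the override. The failure path now logs at error level where the old inline code in `insert_ca_certs_into_systemwide_ca_store` logged at info, which looks like a deliberate tightening worth keeping. The same hunk recurs in the earlier patch revision lower on the page.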
@@ -248,24 +259,18 @@ class RedHatTaskNamespace(BaseTaskNamespace):
 f.close()
 
 # Add the CA to the systemwide CA trust database
-try:
-ipautil.run([paths.UPDATE_CA_TRUST])
-except CalledProcessError, e:
-root_logger.info(Failed to add CA to the systemwide 
- CA trust database: %s % str(e))
-else:
-root_logger.info('Added the CA to the systemwide CA trust '
- 'database.')
-return True
+if not self.reload_systemwide_ca_store():
+return False
 
-return False
+return True
 
 def remove_ca_certs_from_systemwide_ca_store(self):
-ipa_ca_crt = os.path.join(paths.SYSTEMWIDE_CA_STORE, 'ipa-ca.crt')
+result = True
 update = False
 
 # Remove CA cert from systemwide store
-for new_cacert_path in (paths.IPA_P11_KIT, ipa_ca_crt):
+for new_cacert_path in (paths.IPA_P11_KIT,
+paths.SYSTEMWIDE_IPA_CA_CRT):
 if not os.path.exists(new_cacert_path):
 continue
 try:
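Review bot: In `insert_ca_certs_into_systemwide_ca_store`, when `reload_systemwide_ca_store()` fails the method returns False but the file closed just above (presumably the certificate written to `paths.SYSTEMWIDE_IPA_CA_CRT`, since the write starts outside the hunk) stays on disk, so the anchor directory and the compiled trust store can diverge while the caller only sees a boolean. A comment on the new `return False`, `# the anchor file is left in place; callers see False and must retry the reload`, would make that state explicit. `remove_ca_certs_from_systemwide_ca_store` starts here and continues into the next hunk.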
@@ -273,21 +278,15 @@ class RedHatTaskNamespace(BaseTaskNamespace):
 except OSError, e:
 root_logger.error(
 Could not remove %s: %s, new_cacert_path, e)
+result = False
 else:
 update = True
 
 if update:
-try:
-ipautil.run([paths.UPDATE_CA_TRUST])
-except CalledProcessError, e:
-root_logger.error(
-Could not update systemwide CA trust database: %s, e)
+if not self.reload_systemwide_ca_store():
 return False
-else:
-root_logger.info(Systemwide CA database updated.)
-return True
 
-return False
+return 

Re: [Freeipa-devel] [PATCH] 365 Fix CA certificate backup and restore

2014-11-11 Thread Petr Viktorin

On 11/11/2014 09:52 AM, Jan Cholasta wrote:

Dne 10.11.2014 v 17:46 Jan Cholasta napsal(a):

Hi,

the attached patch fixes https://fedorahosted.org/freeipa/ticket/4711.

Honza


Forgot to include /etc/pki/ca-trust/source/anchors/ipa-ca.crt in backup.

Updated patch attached.


Looks good

ACK, pushed to:
master: 2639997dfee43d66e94ef9b5441289816c465e7d
ipa-4-1: 7c2aad17da8bd5f50b9c1409f91c413bc454ce28



--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


[Freeipa-devel] [PATCH] 365 Fix CA certificate backup and restore

2014-11-10 Thread Jan Cholasta

Hi,

the attached patch fixes https://fedorahosted.org/freeipa/ticket/4711.

Honza

--
Jan Cholasta
From 5c00f80cce0e0952252df4f7ec3922d71e8f2cc9 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Mon, 10 Nov 2014 16:24:22 +
Subject: [PATCH] Fix CA certificate backup and restore

Backup and restore /etc/pki/ca-trust/source/ipa.p11-kit.

Create /etc/ipa/nssdb after restore if necessary.

https://fedorahosted.org/freeipa/ticket/4711
---
 ipaplatform/base/paths.py|  2 +-
 ipaplatform/base/tasks.py|  9 +
 ipaplatform/redhat/tasks.py  | 43 
 ipaserver/install/ipa_backup.py  |  1 +
 ipaserver/install/ipa_restore.py | 35 +++-
 5 files changed, 66 insertions(+), 24 deletions(-)

diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index af50262..e28147a 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -92,7 +92,7 @@ class BasePathNamespace(object):
 PAM_LDAP_CONF = /etc/pam_ldap.conf
 PASSWD = /etc/passwd
 ETC_PKI_CA_DIR = /etc/pki-ca
-SYSTEMWIDE_CA_STORE = /etc/pki/ca-trust/source/anchors/
+SYSTEMWIDE_IPA_CA_CRT = /etc/pki/ca-trust/source/anchors/ipa-ca.crt
 IPA_P11_KIT = /etc/pki/ca-trust/source/ipa.p11-kit
 NSS_DB_DIR = /etc/pki/nssdb
 PKI_TOMCAT = /etc/pki/pki-tomcat
diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
index f2ba81f..9b15119 100644
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -55,6 +55,15 @@ class BaseTaskNamespace(object):
 
 return
 
+def reload_systemwide_ca_store(self):
+
+Reloads the systemwide CA store.
+
+Returns True if the operation succeeded, False otherwise.
+
+
+return True
+
 def insert_ca_certs_into_systemwide_ca_store(self, ca_certs):
 
 Adds CA certificates from 'ca_certs' to the systemwide CA store
diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
index 3f5fc90..d0e3cde 100644
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -158,8 +158,19 @@ class RedHatTaskNamespace(BaseTaskNamespace):
 auth_config.add_option(nostart)
 auth_config.execute()
 
+def reload_systemwide_ca_store(self):
+try:
+ipautil.run([paths.UPDATE_CA_TRUST])
+except CalledProcessError, e:
+root_logger.error(
+Could not update systemwide CA trust database: %s, e)
+return False
+else:
+root_logger.info(Systemwide CA database updated.)
+return True
+
 def insert_ca_certs_into_systemwide_ca_store(self, ca_certs):
-new_cacert_path = os.path.join(paths.SYSTEMWIDE_CA_STORE, 'ipa-ca.crt')
+new_cacert_path = paths.SYSTEMWIDE_IPA_CA_CRT
 
 if os.path.exists(new_cacert_path):
 try:
@@ -248,24 +259,18 @@ class RedHatTaskNamespace(BaseTaskNamespace):
 f.close()
 
 # Add the CA to the systemwide CA trust database
-try:
-ipautil.run([paths.UPDATE_CA_TRUST])
-except CalledProcessError, e:
-root_logger.info(Failed to add CA to the systemwide 
- CA trust database: %s % str(e))
-else:
-root_logger.info('Added the CA to the systemwide CA trust '
- 'database.')
-return True
+if not self.reload_systemwide_ca_store():
+return False
 
-return False
+return True
 
 def remove_ca_certs_from_systemwide_ca_store(self):
-ipa_ca_crt = os.path.join(paths.SYSTEMWIDE_CA_STORE, 'ipa-ca.crt')
+result = True
 update = False
 
 # Remove CA cert from systemwide store
-for new_cacert_path in (paths.IPA_P11_KIT, ipa_ca_crt):
+for new_cacert_path in (paths.IPA_P11_KIT,
+paths.SYSTEMWIDE_IPA_CA_CRT):
 if not os.path.exists(new_cacert_path):
 continue
 try:
@@ -273,21 +278,15 @@ class RedHatTaskNamespace(BaseTaskNamespace):
 except OSError, e:
 root_logger.error(
 Could not remove %s: %s, new_cacert_path, e)
+result = False
 else:
 update = True
 
 if update:
-try:
-ipautil.run([paths.UPDATE_CA_TRUST])
-except CalledProcessError, e:
-root_logger.error(
-Could not update systemwide CA trust database: %s, e)
+if not self.reload_systemwide_ca_store():
 return False
-else:
-root_logger.info(Systemwide CA database updated.)
-return True
 
-return False
+return result
 
 def backup_and_replace_hostname(self, fstore, statestore, hostname):
 old_hostname = socket.gethostname()
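Review bot: In `remove_ca_certs_from_systemwide_ca_store` the new `result = False` only affects the final return: the loop continues, a later successful unlink still sets `update = True`, the trust store is regenerated, and the method returns False with one of the two files still present, which is a partial state the code does not document. Suggest a comment above `result = False`, `# keep going: remove what we can and regenerate the store, but report failure`. The path where neither file exists now returns `result` (True) where the old code returned False; this appears deliberate but is not mentioned in the commit message. The enclosing function begins in the previous hunk.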
diff --git