URL: https://github.com/freeipa/freeipa/pull/706 Author: stlaz Title: #706: Fix CA-less to CA-full upgrade Action: opened
PR body: """ CertDB would have always created a directory on initialization. This behavior changes here by replacing the truncate argument with create which will only create the database when really required. https://pagure.io/freeipa/issue/6853 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/706/head:pr706 git checkout pr706
From 41b4c6ca7b64ae2294be450acd2c488c6e06d3d2 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Tue, 11 Apr 2017 10:21:15 +0200
Subject: [PATCH] Fix CA-less to CA-full upgrade
CertDB would have always created a directory on initialization. This behavior changes here by replacing the truncate argument with create which will only create the database when really required. https://pagure.io/freeipa/issue/6853
---
 ipaserver/install/ca.py | 2 ++
 ipaserver/install/certs.py | 38 ++++++++++++++++++++++++++++----------
 ipaserver/install/httpinstance.py | 2 +-
 3 files changed, 31 insertions(+), 11 deletions(-)
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index db3b744..8ee0fda 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -183,6 +183,8 @@ def install_check(standalone, replica_config, options):
 realm_name, nssdir=dirname, subject_base=options._subject_base)
 for db in (cadb, dsdb):
+ if not db.exists():
+ continue
 for nickname, _trust_flags in db.list_certs():
 if nickname == certdb.get_ca_nickname(realm_name):
 raise ScriptError(
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 16139f8..89e5713 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -99,7 +99,7 @@ class CertDB(object):
 # TODO: Remove all selfsign code
 def __init__(self, realm, nssdir, fstore=None,
 host_name=None, subject_base=None, ca_subject=None,
- user=None, group=None, mode=None, truncate=False):
+ user=None, group=None, mode=None, create=False):
 self.nssdb = NSSDatabase(nssdir)
 self.secdir = nssdir
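Review bot: The `if not db.exists(): continue` guard skips the duplicate-CA-nickname check whenever any file that `exists()` requires is missing, not only when the database is absent; `exists()` (the @@ -162 hunk in certs.py) also requires `self.nssdb.pwd_file`, so an NSS database that already holds a certificate under the CA nickname but has no IPA password file would never be inspected here. If the intent is only to tolerate a not-yet-created database, a narrower predicate on the directory or the certificate DB file alone keeps the check effective for partial databases, and a log line before `continue` (e.g. `root_logger.debug("NSS database %s not present, skipping", db.secdir)`, adjusted to whatever logger ca.py already uses) would make a skipped check visible in the install log. install_check's body begins and ends outside the hunk.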
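Review bot: The new `create` keyword is undocumented, and since `truncate` is removed rather than kept as a deprecated alias, any caller still passing `truncate=` fails with a TypeError at call time; the diffstat shows only httpinstance.py being updated, so whether other callers exist is not visible from the patch. As far as the @@ -132 hunk shows, `create` decides whether ownership is inherited from an existing `secdir` or taken from `user`/`group`, so a line above the parameter such as `# create: treat nssdir as a fresh database; uid/gid come from user/group, not from an existing secdir` would record that contract. `__init__`'s body continues past the end of this hunk.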
@@ -132,15 +132,16 @@ def __init__(self, realm, nssdir, fstore=None,
 self.uid = 0
 self.gid = 0
- if not truncate and os.path.exists(self.secdir):
- # We are going to set the owner of all of the cert
- # files to the owner of the containing directory
- # instead of that of the process. This works when
- # this is called by root for a daemon that runs as
- # a normal user
- mode = os.stat(self.secdir)
- self.uid = mode[stat.ST_UID]
- self.gid = mode[stat.ST_GID]
+ if not create:
+ if os.path.isdir(self.secdir):
+ # We are going to set the owner of all of the cert
+ # files to the owner of the containing directory
+ # instead of that of the process. This works when
+ # this is called by root for a daemon that runs as
+ # a normal user
+ mode = os.stat(self.secdir)
+ self.uid = mode[stat.ST_UID]
+ self.gid = mode[stat.ST_GID]
 else:
 if user is not None:
 pu = pwd.getpwnam(user)
@@ -162,6 +163,23 @@ def __init__(self, realm, nssdir, fstore=None,
 def passwd_fname(self):
 return self.nssdb.pwd_file
+ def exists(self):
+ """
+ Checks whether all NSS database files + our pwd_file exist
+ """
+ db_files = (
+ self.secdir,
+ self.certdb_fname,
+ self.keydb_fname,
+ self.secmod_fname,
+ self.nssdb.pwd_file,
+ )
+
+ for f in db_files:
+ if not os.path.exists(f):
+ return False
+ return True
+
 def __del__(self):
 if self.reqdir is not None:
 shutil.rmtree(self.reqdir, ignore_errors=True)
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 45bf479..584832b 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -379,7 +379,7 @@ def __setup_ssl(self):
 db = certs.CertDB(self.realm, nssdir=paths.HTTPD_ALIAS_DIR, subject_base=self.subject_base, user="root", group=constants.HTTPD_GROUP,
- truncate=True)
+ create=True)
 self.disable_system_trust()
 self.create_password_conf()
 if self.pkcs12_info:
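Review bot: Nesting the directory test under `if not create:` leaves a case the removed code handled: when `create` is False and `self.secdir` is not a directory, neither the inner branch nor the `else` runs, so `self.uid`/`self.gid` stay 0 and any `user`/`group` the caller passed are silently ignored, whereas the old `if not truncate and os.path.exists(...)` fell through to the `else` and resolved them. If that ownership fallback is still wanted, flattening the condition to `if not create and os.path.isdir(self.secdir):` keeps the `else` reachable while preserving the isdir tightening. Separately, the retained `mode = os.stat(self.secdir)` rebinds the `mode` parameter of `__init__`; `st = os.stat(self.secdir)` with `st[stat.ST_UID]` / `st[stat.ST_GID]` avoids the shadowing. The enclosing `__init__` starts and ends outside the hunk.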
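Review bot: The loop in `exists()` is the hand-rolled form of `all`; `return all(os.path.exists(f) for f in db_files)` expresses the same check in one line. The docstring should also say which paths are checked and that a database missing only the IPA password file is reported as absent, since callers such as the install_check guard in ca.py act on that answer; something like `"""Return True only if secdir, the cert/key/secmod DB files and the IPA password file all exist."""`. `self.certdb_fname`, `self.keydb_fname` and `self.secmod_fname` are not set anywhere in this hunk, so they are presumably assigned elsewhere in `__init__`; worth confirming they are initialised before `exists()` can be called.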