From 997ebc0f56963769bdcbeda60a2dca222c884b1e Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Thu, 27 Apr 2017 09:57:45 +0200
Subject: [PATCH] certdb, certs: make trust flags argument mandatory
483b06
Make the trust flags argument mandatory in all functions in `certdb` and
`certs`.
483b06
https://pagure.io/freeipa/issue/6831
483b06
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
---
 ipapython/certdb.py                        |  4 +---
 ipaserver/install/certs.py                 | 11 +++++------
 ipaserver/install/dsinstance.py            |  2 +-
 ipaserver/install/httpinstance.py          |  6 ++++--
 ipaserver/install/installutils.py          |  5 +++--
 ipaserver/install/server/replicainstall.py |  4 ++--
 6 files changed, 16 insertions(+), 16 deletions(-)
483b06
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 44c7bf3197c198295035742e6db48527d76e85a6..88dcae750de5881ae7b4921ca1ae23daa9c5d4b0 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -471,14 +471,12 @@ class NSSDatabase(object):
 
             self.import_pkcs12(out_file.name, out_password)
 
-    def trust_root_cert(self, root_nickname, trust_flags=None):
+    def trust_root_cert(self, root_nickname, trust_flags):
         if root_nickname[:7] == "Builtin":
             root_logger.debug(
                 "No need to add trust for built-in root CAs, skipping %s" %
                 root_nickname)
         else:
-            if trust_flags is None:
-                trust_flags = EXTERNAL_CA_TRUST_FLAGS
             try:
                 self.run_certutil(["-M", "-n", root_nickname,
                                    "-t", trust_flags])
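Review bot: With the default removed, trust_root_cert hands whatever it receives straight to `certutil -t` on the last two lines of the hunk, and nothing now rejects a caller that still passes `trust_flags=None` — it presumably reaches run_certutil as a non-string argument instead of falling back to EXTERNAL_CA_TRUST_FLAGS as before. A one-line guard at the top of the else branch, `if trust_flags is None: raise ValueError("trust_flags is required")`, turns that into a clear error, and a docstring should state that the value is a certutil trust-flag string such as the module's EXTERNAL_CA_TRUST_FLAGS, since it decides how much trust the certificate is given. The same applies to CertDB.trust_root_cert in certs.py, whose hunk ends at its early `return`. The body of NSSDatabase.trust_root_cert continues outside the hunk.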
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index f87e00eb5e9c14ed30d39ef9f6e86b6f24bb1c61..17b9ebad4a128e292e453af44ca9d63cfb1e6ea2 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -550,7 +550,7 @@ class CertDB(object):
 
         return root_nicknames
 
-    def trust_root_cert(self, root_nickname, trust_flags=None):
+    def trust_root_cert(self, root_nickname, trust_flags):
         if root_nickname is None:
             root_logger.debug("Unable to identify root certificate to trust. Continuing but things are likely to fail.")
             return
@@ -600,14 +600,13 @@ class CertDB(object):
         self.create_certdbs()
         self.load_cacert(cacert_fname, IPA_CA_TRUST_FLAGS)
 
-    def create_from_pkcs12(self, pkcs12_fname, pkcs12_passwd, passwd=None,
-                           ca_file=None, trust_flags=None):
+    def create_from_pkcs12(self, pkcs12_fname, pkcs12_passwd,
+                           ca_file, trust_flags):
         """Create a new NSS database using the certificates in a PKCS#12 file.
 
            pkcs12_fname: the filename of the PKCS#12 file
            pkcs12_pwd_fname: the file containing the pin for the PKCS#12 file
            nickname: the nickname/friendly-name of the cert we are loading
-           passwd: The password to use for the new NSS database we are creating
 
            The global CA may be added as well in case it wasn't included in the
            PKCS#12 file. Extra certs won't hurt in any case.
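Review bot: The docstring kept in this hunk still documents `pkcs12_pwd_fname` and `nickname`, neither of which is a parameter of create_from_pkcs12, while the two parameters that just became mandatory, `ca_file` and `trust_flags`, are not described at all. Replace those two stale entries with `ca_file: PEM file holding the CA certificate to add` and `trust_flags: certutil trust-flag string applied to that CA (e.g. IPA_CA_TRUST_FLAGS)`; whether None remains a valid ca_file is not visible here and should be confirmed against init_from_pkcs12. Separately, dropping the `passwd` parameter goes beyond the trust-flags change the commit message describes — none of the callers in this diff pass it, but any caller elsewhere that does will now fail with a TypeError, so it deserves a line in the message. The function continues into the next hunk.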
@@ -615,7 +614,7 @@ class CertDB(object):
            The global CA may be specified in ca_file, as a PEM filename.
         """
         self.create_noise_file()
-        self.create_passwd_file(passwd)
+        self.create_passwd_file()
         self.create_certdbs()
         self.init_from_pkcs12(
             pkcs12_fname,
@@ -624,7 +623,7 @@ class CertDB(object):
             trust_flags=trust_flags)
 
     def init_from_pkcs12(self, pkcs12_fname, pkcs12_passwd,
-                         ca_file=None, trust_flags=None):
+                         ca_file, trust_flags):
         self.import_pkcs12(pkcs12_fname, pkcs12_passwd)
         server_certs = self.find_server_certs()
         if len(server_certs) == 0:
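Review bot: init_from_pkcs12 now takes `ca_file` and `trust_flags` as required positional arguments but carries no docstring, so a caller cannot tell from the signature whether `ca_file` may be None — dsinstance.py and httpinstance.py pass `self.ca_file` straight through, and whether that can be None is not visible in this diff. A short docstring stating what each parameter is, that trust_flags is the certutil trust string applied to the CA certificate, and which ca_file values are accepted would close the gap left by the removed defaults. The function body continues outside the hunk.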
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 0db0368fa4b48495718afd779291ce164d1687c8..0e4ae4bfe6f1445de167df8fe5328d6a421e416f 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -769,7 +769,7 @@ class DsInstance(service.Service):
             if self.ca_is_configured:
                 trust_flags = IPA_CA_TRUST_FLAGS
             else:
-                trust_flags = None
+                trust_flags = EXTERNAL_CA_TRUST_FLAGS
             dsdb.create_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1],
                                     ca_file=self.ca_file,
                                     trust_flags=trust_flags)
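Review bot: The new else branch references EXTERNAL_CA_TRUST_FLAGS, yet unlike httpinstance.py and replicainstall.py this file's diff adds no import for it, and the diffstat records only a single changed line in dsinstance.py. If the module does not already import the name, this branch raises NameError at install time, and only on the path without an IPA CA, which is presumably the less exercised one; please confirm the import is present. The enclosing method starts and ends outside the hunk.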
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index a6aeb21edc73783ff9a3f9b526409ea525aa66dd..c76a1a4e484c5777ced92761916c1c586e8b2d5d 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -32,7 +32,9 @@ import six
 from augeas import Augeas
 
 from ipalib.install import certmonger
-from ipapython.certdb import IPA_CA_TRUST_FLAGS, TRUSTED_PEER_TRUST_FLAGS
+from ipapython.certdb import (IPA_CA_TRUST_FLAGS,
+                              EXTERNAL_CA_TRUST_FLAGS,
+                              TRUSTED_PEER_TRUST_FLAGS)
 from ipaserver.install import service
 from ipaserver.install import certs
 from ipaserver.install import installutils
@@ -384,7 +386,7 @@ class HTTPInstance(service.Service):
             if self.ca_is_configured:
                 trust_flags = IPA_CA_TRUST_FLAGS
             else:
-                trust_flags = None
+                trust_flags = EXTERNAL_CA_TRUST_FLAGS
             db.init_from_pkcs12(self.pkcs12_info[0], self.pkcs12_info[1],
                                 ca_file=self.ca_file,
                                 trust_flags=trust_flags)
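Review bot: The if/else choosing between IPA_CA_TRUST_FLAGS and EXTERNAL_CA_TRUST_FLAGS is now spelled out identically here, in dsinstance.py and in replicainstall.py, keyed on `self.ca_is_configured` in two places and `ca_enabled` in the third. Because that value decides how much trust the imported CA certificate receives, a single helper in certdb, such as `def ca_trust_flags(ipa_ca): return IPA_CA_TRUST_FLAGS if ipa_ca else EXTERNAL_CA_TRUST_FLAGS`, would keep the three call sites from drifting apart if the trust model is revised later and would also remove the per-module imports this commit has to add. The behaviour as written is fine; this is a point of style. The enclosing method starts and ends outside the hunk.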
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index b6f01489ccc65dcbc360929e0a7b315b074df8ce..0445a1d3c403fab690e5afb7c8801ed85773b1e0 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -49,6 +49,7 @@ from ipalib.install.kinit import kinit_password
 import ipaplatform
 from ipapython import ipautil, admintool, version
 from ipapython.admintool import ScriptError
+from ipapython.certdb import EXTERNAL_CA_TRUST_FLAGS
 from ipapython.ipa_log_manager import root_logger
 from ipapython.ipaldap import DIRMAN_DN, LDAPClient
 from ipalib.util import validate_hostname
@@ -1036,7 +1037,7 @@ def load_pkcs12(cert_files, key_password, key_nickname, ca_cert_files,
             if 'u' in trust_flags:
                 key_nickname = nickname
                 continue
-            nssdb.trust_root_cert(nickname)
+            nssdb.trust_root_cert(nickname, EXTERNAL_CA_TRUST_FLAGS)
 
         # Check we have the whole cert chain & the CA is in it
         trust_chain = list(reversed(nssdb.get_trust_chain(key_nickname)))
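Review bot: The loop now marks every certificate that is not the key's own cert as an external CA by passing EXTERNAL_CA_TRUST_FLAGS, and the same happens in load_external_cert in the next hunk, but neither call says why such broad trust is acceptable in this database; the local `trust_flags` at the top of the hunk (the flags read back per certificate, as far as the context shows) also sits two lines from the constant, which invites confusion. A comment above the call, `# trust every non-key cert as an external CA so the chain check below can walk up to it`, would record the intent, on the assumption that nssdb is a temporary database, which is not visible here and should be confirmed. load_pkcs12 starts and ends outside the hunk.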
@@ -1176,7 +1177,7 @@ def load_external_cert(files, ca_subject):
             cache[nickname] = (cert, subject, issuer)
             if subject == ca_subject:
                 ca_nickname = nickname
-            nssdb.trust_root_cert(nickname)
+            nssdb.trust_root_cert(nickname, EXTERNAL_CA_TRUST_FLAGS)
 
         if ca_nickname is None:
             raise ScriptError(
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 5e78e6faf51ded2fe7634f230c66aa15ae84bad4..fb738cb9f590f3f9595de92ef025c6032e9343f8 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -23,7 +23,7 @@ import ipaclient.install.ntpconf
 from ipalib.install import certstore, sysrestore
 from ipalib.install.kinit import kinit_keytab
 from ipapython import ipaldap, ipautil
-from ipapython.certdb import IPA_CA_TRUST_FLAGS
+from ipapython.certdb import IPA_CA_TRUST_FLAGS, EXTERNAL_CA_TRUST_FLAGS
 from ipapython.dn import DN
 from ipapython.ipa_log_manager import root_logger
 from ipapython.admintool import ScriptError
@@ -740,7 +740,7 @@ def install_check(installer):
             if ca_enabled:
                 trust_flags = IPA_CA_TRUST_FLAGS
             else:
-                trust_flags = None
+                trust_flags = EXTERNAL_CA_TRUST_FLAGS
             tmp_db.create_from_pkcs12(pkcs12_info[0], pkcs12_info[1],
                                       ca_file=cafile,
                                       trust_flags=trust_flags)
-- 
2.9.4