Blob Blame History Raw
From c3ee037c2dd92ccb277523919e991471c9caa3c6 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slaznick@redhat.com>
Date: Tue, 11 Apr 2017 10:21:15 +0200
Subject: [PATCH] Fix CA-less to CA-full upgrade

CertDB would have always created a directory on initialization. This
behavior changes here by replacing the truncate argument with create
which will only create the database when really required.

https://pagure.io/freeipa/issue/6853

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
---
 ipaserver/install/ca.py           |  2 ++
 ipaserver/install/certs.py        | 38 ++++++++++++++++++++++++++++----------
 ipaserver/install/httpinstance.py |  2 +-
 3 files changed, 31 insertions(+), 11 deletions(-)

diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index db3b744a51b0ae2ba12f79c155a1bb0698d94bec..8ee0fda23411563c70b7db5f39f43c2869c108b5 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -183,6 +183,8 @@ def install_check(standalone, replica_config, options):
             realm_name, nssdir=dirname, subject_base=options._subject_base)
 
         for db in (cadb, dsdb):
+            if not db.exists():
+                continue
             for nickname, _trust_flags in db.list_certs():
                 if nickname == certdb.get_ca_nickname(realm_name):
                     raise ScriptError(
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 16139f81f0d0bd6889a9f38948204bb5bc018028..89e57134f24c505d669057eefffb7862b3b8179a 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -99,7 +99,7 @@ class CertDB(object):
     # TODO: Remove all selfsign code
     def __init__(self, realm, nssdir, fstore=None,
                  host_name=None, subject_base=None, ca_subject=None,
-                 user=None, group=None, mode=None, truncate=False):
+                 user=None, group=None, mode=None, create=False):
         self.nssdb = NSSDatabase(nssdir)
 
         self.secdir = nssdir
@@ -132,15 +132,16 @@ class CertDB(object):
         self.uid = 0
         self.gid = 0
 
-        if not truncate and os.path.exists(self.secdir):
-            # We are going to set the owner of all of the cert
-            # files to the owner of the containing directory
-            # instead of that of the process. This works when
-            # this is called by root for a daemon that runs as
-            # a normal user
-            mode = os.stat(self.secdir)
-            self.uid = mode[stat.ST_UID]
-            self.gid = mode[stat.ST_GID]
+        if not create:
+            if os.path.isdir(self.secdir):
+                # We are going to set the owner of all of the cert
+                # files to the owner of the containing directory
+                # instead of that of the process. This works when
+                # this is called by root for a daemon that runs as
+                # a normal user
+                mode = os.stat(self.secdir)
+                self.uid = mode[stat.ST_UID]
+                self.gid = mode[stat.ST_GID]
         else:
             if user is not None:
                 pu = pwd.getpwnam(user)
@@ -162,6 +163,23 @@ class CertDB(object):
     def passwd_fname(self):
         return self.nssdb.pwd_file
 
+    def exists(self):
+        """
+        Checks whether all NSS database files + our pwd_file exist
+        """
+        db_files = (
+            self.secdir,
+            self.certdb_fname,
+            self.keydb_fname,
+            self.secmod_fname,
+            self.nssdb.pwd_file,
+        )
+
+        for f in db_files:
+            if not os.path.exists(f):
+                return False
+        return True
+
     def __del__(self):
         if self.reqdir is not None:
             shutil.rmtree(self.reqdir, ignore_errors=True)
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 8e444be2d23ec5e7890d221508bc866de2854c89..aeb5c5e450813469e1b6cd374b30cd4aab338537 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -366,7 +366,7 @@ class HTTPInstance(service.Service):
         db = certs.CertDB(self.realm, nssdir=paths.HTTPD_ALIAS_DIR,
                           subject_base=self.subject_base, user="root",
                           group=constants.HTTPD_GROUP,
-                          truncate=True)
+                          create=True)
         self.disable_system_trust()
         self.create_password_conf()
         if self.pkcs12_info:
-- 
2.12.2