From c3ee037c2dd92ccb277523919e991471c9caa3c6 Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Tue, 11 Apr 2017 10:21:15 +0200 Subject: [PATCH] Fix CA-less to CA-full upgrade CertDB would have always created a directory on initialization. This behavior changes here by replacing the truncate argument with create which will only create the database when really required. https://pagure.io/freeipa/issue/6853 Reviewed-By: Tomas Krizek --- ipaserver/install/ca.py | 2 ++ ipaserver/install/certs.py | 38 ++++++++++++++++++++++++++++---------- ipaserver/install/httpinstance.py | 2 +- 3 files changed, 31 insertions(+), 11 deletions(-) diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py index db3b744a51b0ae2ba12f79c155a1bb0698d94bec..8ee0fda23411563c70b7db5f39f43c2869c108b5 100644 --- a/ipaserver/install/ca.py +++ b/ipaserver/install/ca.py @@ -183,6 +183,8 @@ def install_check(standalone, replica_config, options): realm_name, nssdir=dirname, subject_base=options._subject_base) for db in (cadb, dsdb): + if not db.exists(): + continue for nickname, _trust_flags in db.list_certs(): if nickname == certdb.get_ca_nickname(realm_name): raise ScriptError( diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index 16139f81f0d0bd6889a9f38948204bb5bc018028..89e57134f24c505d669057eefffb7862b3b8179a 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -99,7 +99,7 @@ class CertDB(object): # TODO: Remove all selfsign code def __init__(self, realm, nssdir, fstore=None, host_name=None, subject_base=None, ca_subject=None, - user=None, group=None, mode=None, truncate=False): + user=None, group=None, mode=None, create=False): self.nssdb = NSSDatabase(nssdir) self.secdir = nssdir @@ -132,15 +132,16 @@ class CertDB(object): self.uid = 0 self.gid = 0 - if not truncate and os.path.exists(self.secdir): - # We are going to set the owner of all of the cert - # files to the owner of the containing directory - # instead of that of the process. This works when - # this is called by root for a daemon that runs as - # a normal user - mode = os.stat(self.secdir) - self.uid = mode[stat.ST_UID] - self.gid = mode[stat.ST_GID] + if not create: + if os.path.isdir(self.secdir): + # We are going to set the owner of all of the cert + # files to the owner of the containing directory + # instead of that of the process. This works when + # this is called by root for a daemon that runs as + # a normal user + mode = os.stat(self.secdir) + self.uid = mode[stat.ST_UID] + self.gid = mode[stat.ST_GID] else: if user is not None: pu = pwd.getpwnam(user) @@ -162,6 +163,23 @@ class CertDB(object): def passwd_fname(self): return self.nssdb.pwd_file + def exists(self): + """ + Checks whether all NSS database files + our pwd_file exist + """ + db_files = ( + self.secdir, + self.certdb_fname, + self.keydb_fname, + self.secmod_fname, + self.nssdb.pwd_file, + ) + + for f in db_files: + if not os.path.exists(f): + return False + return True + def __del__(self): if self.reqdir is not None: shutil.rmtree(self.reqdir, ignore_errors=True) diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 8e444be2d23ec5e7890d221508bc866de2854c89..aeb5c5e450813469e1b6cd374b30cd4aab338537 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -366,7 +366,7 @@ class HTTPInstance(service.Service): db = certs.CertDB(self.realm, nssdir=paths.HTTPD_ALIAS_DIR, subject_base=self.subject_base, user="root", group=constants.HTTPD_GROUP, - truncate=True) + create=True) self.disable_system_trust() self.create_password_conf() if self.pkcs12_info: -- 2.12.2