Imported Debian patch 4.7.2-3

2019-05-06 08:43:34 +03:00
parent 27edeba051
commit 8bc559c5a1
917 changed files with 1068993 additions and 1184676 deletions
--- a/ipaclient/install/ipa_certupdate.py
+++ b/ipaclient/install/ipa_certupdate.py
@@ -24,10 +24,11 @@ import os
 import tempfile
 import shutil

-from urllib.parse import urlsplit
+# pylint: disable=import-error
+from six.moves.urllib.parse import urlsplit
+# pylint: enable=import-error

-from ipalib.install import certmonger, certstore
-from ipalib.facts import is_ipa_configured
+from ipalib.install import certmonger, certstore, sysrestore
 from ipalib.install.kinit import kinit_keytab
 from ipapython import admintool, certdb, ipaldap, ipautil
 from ipaplatform import services
@@ -71,7 +72,8 @@ def run_with_args(api):

    """
    server = urlsplit(api.env.jsonrpc_uri).hostname
-    ldap = ipaldap.LDAPClient.from_hostname_secure(server)
+    ldap_uri = ipaldap.get_ldap_uri(server)
+    ldap = ipaldap.LDAPClient(ldap_uri)

    tmpdir = tempfile.mkdtemp(prefix="tmp-")
    ccache_name = os.path.join(tmpdir, 'ccache')
@@ -105,21 +107,17 @@ def run_with_args(api):
            os.environ['KRB5CCNAME'] = old_krb5ccname
        shutil.rmtree(tmpdir)

-    if is_ipa_configured():
+    server_fstore = sysrestore.FileStore(paths.SYSRESTORE)
+    if server_fstore.has_files():
        update_server(certs)
-
-        # pylint: disable=import-error,ipa-forbidden-import
-        from ipaserver.install import cainstance
-        # pylint: enable=import-error,ipa-forbidden-import
-
-        # Add LWCA tracking requests.  Only execute if *this server*
-        # has CA installed (ca_enabled indicates CA-ful topology).
-        if cainstance.CAInstance().is_configured():
-            try:
-                cainstance.add_lightweight_ca_tracking_requests(lwcas)
-            except Exception:
-                logger.exception(
-                    "Failed to add lightweight CA tracking requests")
+        try:
+            # pylint: disable=import-error,ipa-forbidden-import
+            from ipaserver.install import cainstance
+            # pylint: enable=import-error,ipa-forbidden-import
+            cainstance.add_lightweight_ca_tracking_requests(lwcas)
+        except Exception:
+            logger.exception(
+                "Failed to add lightweight CA tracking requests")

    update_client(certs)

@@ -166,17 +164,6 @@ def update_server(certs):
    if request_id is not None:
        timeout = api.env.startup_timeout + 60

-        # The dogtag-ipa-ca-renew-agent-reuse Certmonger CA never
-        # actually renews the certificate; it only pulls it from the
-        # ca_renewal LDAP cert store.
-        #
-        # Why is this needed?  If the CA cert gets renewed long
-        # before its notAfter (expiry) date (e.g. to switch from
-        # self-signed to external, or to switch to new external CA),
-        # then the other (i.e. not caRenewalMaster) CA replicas will
-        # not promptly pick up the new CA cert.  So we make
-        # ipa-certupdate always check for an updated CA cert.
-        #
        logger.debug("resubmitting certmonger request '%s'", request_id)
        certmonger.resubmit_request(
            request_id, ca='dogtag-ipa-ca-renew-agent-reuse', profile='')
@@ -208,16 +195,7 @@ def update_file(filename, certs, mode=0o644):


 def update_db(path, certs):
-    """Drop all CA certs from db then add certs from list provided
-
-       This may result in some churn as existing certs are dropped
-       and re-added but this also provides the ability to change
-       the trust flags.
-    """
    db = certdb.NSSDatabase(path)
-    for name, flags in db.list_certs():
-        if flags.ca:
-            db.delete_cert(name)
    for cert, nickname, trusted, eku in certs:
        trust_flags = certstore.key_policy_to_trust_flags(trusted, True, eku)
        try: