def uninstall(self):
if self.is_configured():
self.print_msg("Unconfiguring %s" % self.service_name)
running = self.restore_state("running")
enabled = self.restore_state("enabled")
try:
self.stop()
except Exception:
pass
for f in [paths.KRB5KDC_KDC_CONF, paths.KRB5_CONF]:
try:
self.fstore.restore_file(f)
except ValueError as error:
logger.debug("%s", error)
# disabled by default, by ldap_configure()
if enabled:
self.enable()
# stop tracking and remove certificates
self.stop_tracking_certs()
installutils.remove_file(paths.CACERT_PEM)
self.delete_pkinit_cert()
if running:
self.restart()
self.kpasswd = KpasswdInstance()
self.kpasswd.uninstall()
def uninstall(self):
if self.is_configured():
self.print_msg("Unconfiguring %s" % self.service_name)
# Just eat states
self.restore_state("running")
self.restore_state("enabled")
self.restore_state("configured")
# stop and disable service (IPA service, we do not need it anymore)
self.stop()
self.disable()
for f in [paths.SYSCONFIG_NAMED]:
try:
self.fstore.restore_file(f)
except ValueError as error:
logger.debug('%s', error)
# remove softhsm pin, to make sure new installation will generate
# new token database
# do not delete *so pin*, user can need it to get token data
installutils.remove_file(paths.DNSSEC_SOFTHSM_PIN)
installutils.remove_file(paths.DNSSEC_SOFTHSM2_CONF)
try:
shutil.rmtree(paths.DNSSEC_TOKENS_DIR)
except OSError as e:
if e.errno != errno.ENOENT:
logger.exception(
"Failed to remove %s", paths.DNSSEC_TOKENS_DIR
)
installutils.remove_keytab(self.keytab)
def uninstall():
ca_instance = cainstance.CAInstance(api.env.realm)
ca_instance.stop_tracking_certificates()
installutils.remove_file(paths.RA_AGENT_PEM)
installutils.remove_file(paths.RA_AGENT_KEY)
if ca_instance.is_configured():
ca_instance.uninstall()
def remove_httpd_ccaches(self):
# Clean up existing ccaches
# Make sure that empty env is passed to avoid passing KRB5CCNAME from
# current env
installutils.remove_file(paths.HTTP_CCACHE)
for f in os.listdir(paths.IPA_CCACHES):
os.remove(os.path.join(paths.IPA_CCACHES, f))
def uninstall(self):
if self.is_configured():
self.print_msg("Unconfiguring %s" % self.service_name)
running = self.restore_state("running")
enabled = self.restore_state("enabled")
try:
self.stop()
except Exception:
pass
for f in [paths.KRB5KDC_KDC_CONF, paths.KRB5_CONF]:
try:
self.fstore.restore_file(f)
except ValueError as error:
logger.debug("%s", error)
# disabled by default, by ldap_configure()
if enabled:
self.enable()
# stop tracking and remove certificates
self.stop_tracking_certs()
installutils.remove_file(paths.CACERT_PEM)
self.delete_pkinit_cert()
if running:
self.restart()
self.kpasswd = KpasswdInstance()
self.kpasswd.uninstall()
def uninstall():
ca_instance = cainstance.CAInstance(api.env.realm)
ca_instance.stop_tracking_certificates()
installutils.remove_file(paths.RA_AGENT_PEM)
installutils.remove_file(paths.RA_AGENT_KEY)
if ca_instance.is_configured():
ca_instance.uninstall()
def uninstall(self):
if self.is_configured():
self.print_msg("Unconfiguring %s" % self.service_name)
# Just eat states
self.restore_state("running")
self.restore_state("enabled")
self.restore_state("configured")
# stop and disable service (IPA service, we do not need it anymore)
self.stop()
self.disable()
for f in [paths.SYSCONFIG_NAMED]:
try:
self.fstore.restore_file(f)
except ValueError as error:
logger.debug('%s', error)
# remove softhsm pin, to make sure new installation will generate
# new token database
# do not delete *so pin*, user can need it to get token data
installutils.remove_file(paths.DNSSEC_SOFTHSM_PIN)
installutils.remove_file(paths.DNSSEC_SOFTHSM2_CONF)
try:
shutil.rmtree(paths.DNSSEC_TOKENS_DIR)
except OSError as e:
if e.errno != errno.ENOENT:
logger.exception("Failed to remove %s",
paths.DNSSEC_TOKENS_DIR)
installutils.remove_keytab(self.keytab)
def remove_httpd_ccaches(self):
# Clean up existing ccaches
# Make sure that empty env is passed to avoid passing KRB5CCNAME from
# current env
installutils.remove_file(paths.HTTP_CCACHE)
for f in os.listdir(paths.IPA_CCACHES):
os.remove(os.path.join(paths.IPA_CCACHES, f))
def uninstall(self):
super(CustodiaInstance, self).uninstall()
keystore = IPAKEMKeys({
'server_keys': self.server_keys,
'ldap_uri': self.ldap_uri
})
keystore.remove_server_keys_file()
installutils.remove_file(self.config_file)
sysupgrade.set_upgrade_state('custodia', 'installed', False)
def uninstall(self):
if self.is_configured():
self.print_msg("Unconfiguring web server")
running = self.restore_state("running")
enabled = self.restore_state("enabled")
self.stop_tracking_certificates()
helper = self.restore_state('certmonger_ipa_helper')
if helper:
bus = dbus.SystemBus()
obj = bus.get_object('org.fedorahosted.certmonger',
'/org/fedorahosted/certmonger')
iface = dbus.Interface(obj, 'org.fedorahosted.certmonger')
path = iface.find_ca_by_nickname('IPA')
if path:
ca_obj = bus.get_object('org.fedorahosted.certmonger', path)
ca_iface = dbus.Interface(ca_obj,
'org.freedesktop.DBus.Properties')
ca_iface.Set('org.fedorahosted.certmonger.ca',
'external-helper', helper)
for f in [paths.HTTPD_IPA_CONF, paths.HTTPD_SSL_CONF, paths.HTTPD_NSS_CONF]:
try:
self.fstore.restore_file(f)
except ValueError as error:
root_logger.debug(error)
pass
# Remove the ccache file for the HTTPD service
ipautil.run([paths.KDESTROY, '-c', paths.KRB5CC_HTTPD], runas='apache',
raiseonerr=False)
# Remove the configuration files we create
installutils.remove_file(paths.HTTPD_IPA_REWRITE_CONF)
installutils.remove_file(paths.HTTPD_IPA_CONF)
installutils.remove_file(paths.HTTPD_IPA_PKI_PROXY_CONF)
installutils.remove_file(paths.HTTPD_IPA_KDCPROXY_CONF_SYMLINK)
installutils.remove_file(paths.HTTPD_IPA_KDCPROXY_CONF)
# Restore SELinux boolean states
boolean_states = {name: self.restore_state(name)
for name in SELINUX_BOOLEAN_SETTINGS}
try:
tasks.set_selinux_booleans(boolean_states)
except ipapython.errors.SetseboolError as e:
self.print_msg('WARNING: ' + str(e))
if running:
self.restart()
# disabled by default, by ldap_enable()
if enabled:
self.enable()
def package_replica_file(self):
replicafile = paths.REPLICA_INFO_TEMPLATE % self.replica_fqdn
encfile = "%s.gpg" % replicafile
self.log.info("Packaging replica information into %s", encfile)
ipautil.run([paths.TAR, "cf", replicafile, "-C", self.top_dir, "realm_info"])
ipautil.encrypt_file(replicafile, encfile, self.dirman_password, self.top_dir)
os.chmod(encfile, 0o600)
installutils.remove_file(replicafile)
def disable_nss_conf(self):
"""
Backs up and removes the original nss.conf file.
There is no safe way to co-exist since there is no safe port
to make mod_nss use, disable it completely.
"""
if os.path.exists(paths.HTTPD_NSS_CONF):
# check that we don't have a backup already
# (mod_nss -> mod_ssl upgrade scenario)
if not self.fstore.has_file(paths.HTTPD_NSS_CONF):
self.fstore.backup_file(paths.HTTPD_NSS_CONF)
installutils.remove_file(paths.HTTPD_NSS_CONF)
def package_replica_file(self):
replicafile = paths.REPLICA_INFO_TEMPLATE % self.replica_fqdn
encfile = "%s.gpg" % replicafile
logger.info("Packaging replica information into %s", encfile)
ipautil.run(
[paths.TAR, "cf", replicafile, "-C", self.top_dir, "realm_info"])
installutils.encrypt_file(replicafile, encfile, self.dirman_password,
self.top_dir)
os.chmod(encfile, 0o600)
installutils.remove_file(replicafile)
def disable_nss_conf(self):
"""
Backs up and removes the original nss.conf file.
There is no safe way to co-exist since there is no safe port
to make mod_nss use, disable it completely.
"""
if os.path.exists(paths.HTTPD_NSS_CONF):
# check that we don't have a backup already
# (mod_nss -> mod_ssl upgrade scenario)
if not self.fstore.has_file(paths.HTTPD_NSS_CONF):
self.fstore.backup_file(paths.HTTPD_NSS_CONF)
installutils.remove_file(paths.HTTPD_NSS_CONF)
def package_replica_file(self):
replicafile = "/var/lib/ipa/replica-info-%s" % self.replica_fqdn
encfile = "%s.gpg" % replicafile
self.log.info("Packaging replica information into %s", encfile)
ipautil.run(
["/bin/tar", "cf", replicafile, "-C", self.top_dir, "realm_info"])
ipautil.encrypt_file(
replicafile, encfile, self.dirman_password, self.top_dir)
os.chmod(encfile, 0600)
installutils.remove_file(replicafile)
def uninstall(self):
if self.is_configured():
self.print_msg("Unconfiguring directory server")
enabled = self.restore_state("enabled")
# Just eat this state if it exists
running = self.restore_state("running")
try:
self.fstore.restore_file(paths.LIMITS_CONF)
self.fstore.restore_file(paths.SYSCONFIG_DIRSRV)
except ValueError as error:
root_logger.debug(error)
pass
# disabled during IPA installation
if enabled:
self.enable()
serverid = self.restore_state("serverid")
if serverid is not None:
self.stop_tracking_certificates(serverid)
root_logger.debug("Removing DS instance %s" % serverid)
try:
remove_ds_instance(serverid)
root_logger.debug("Removing DS keytab")
installutils.remove_file(paths.DS_KEYTAB)
except ipautil.CalledProcessError:
root_logger.error("Failed to remove DS instance. You may "
"need to remove instance data manually")
# At one time we removed this user on uninstall. That can potentially
# orphan files, or worse, if another useradd runs in the intermim,
# cause files to have a new owner.
user_exists = self.restore_state("user_exists")
# Make sure some upgrade-related state is removed. This could cause
# re-installation problems.
self.restore_state('nsslapd-port')
self.restore_state('nsslapd-security')
self.restore_state('nsslapd-ldapiautobind')
# If any dirsrv instances remain after we've removed ours then
# (re)start them.
for ds_instance in get_ds_instances():
try:
services.knownservices.dirsrv.restart(ds_instance, wait=False)
except Exception as e:
root_logger.error('Unable to restart ds instance %s: %s', ds_instance, e)
def check_hostkeytab(self):
"""Ensure the host keytab can get a TGT"""
ccache_dir = tempfile.mkdtemp()
ccache_name = os.path.join(ccache_dir, 'ccache')
try:
try:
host_princ = str('host/%s@%s' % (api.env.host, api.env.realm))
kinit_keytab(host_princ, paths.KRB5_KEYTAB, ccache_name)
except gssapi.exceptions.GSSError as e:
self.failure('Failed to obtain host TGT: %s' % e)
finally:
installutils.remove_file(ccache_name)
os.rmdir(ccache_dir)
def check(self):
ccache_dir = tempfile.mkdtemp()
ccache_name = os.path.join(ccache_dir, 'ccache')
try:
try:
host_princ = str('host/%s@%s' % (api.env.host, api.env.realm))
kinit_keytab(host_princ, paths.KRB5_KEYTAB, ccache_name)
except gssapi.exceptions.GSSError as e:
yield Result(self, constants.ERROR,
msg='Failed to obtain host TGT: %s' % e)
finally:
installutils.remove_file(ccache_name)
os.rmdir(ccache_dir)
def uninstall(self):
if self.is_configured():
self.print_msg("Unconfiguring %s" % self.service_name)
# Call restore_state so that we do not leave mess in the statestore
# Otherwise this does nothing
self.restore_state("running")
self.restore_state("enabled")
winbind = services.service("winbind", api)
# Always try to stop and disable smb service, since we do not leave
# working configuration after uninstall
try:
self.stop()
self.disable()
winbind.stop()
winbind.disable()
except Exception:
pass
# Since we do not guarantee restoring back to working samba state,
# we should not restore smb.conf
# Restore the state of affected selinux booleans
boolean_states = {
name: self.restore_state(name)
for name in constants.SELINUX_BOOLEAN_ADTRUST
}
try:
tasks.set_selinux_booleans(boolean_states)
except ipapython.errors.SetseboolError as e:
self.print_msg('WARNING: ' + str(e))
# Remove samba's credentials cache
installutils.remove_ccache(ccache_path=paths.KRB5CC_SAMBA)
# Remove samba's configuration file
installutils.remove_file(self.smb_conf)
# Remove samba's persistent and temporary tdb files
tdb_files = [
tdb_file for tdb_file in os.listdir(paths.SAMBA_DIR)
if tdb_file.endswith(".tdb")
]
for tdb_file in tdb_files:
installutils.remove_file(tdb_file)
# Remove our keys from samba's keytab
self.clean_samba_keytab()
def uninstall(self):
super(CustodiaInstance, self).uninstall()
keystore = IPAKEMKeys({
'server_keys': self.server_keys,
'ldap_uri': self.ldap_uri
})
# Call remove_server_keys_file explicitly to ensure that the key
# file is always removed.
keystore.remove_server_keys_file()
try:
keystore.remove_server_keys()
except (ldap.CONNECT_ERROR, ldap.SERVER_DOWN):
logger.debug(
"Cannot remove custodia keys now, server_del takes care of "
"them later.")
installutils.remove_file(self.config_file)
sysupgrade.set_upgrade_state('custodia', 'installed', False)
def uninstall(self):
if self.is_configured():
self.print_msg("Unconfiguring %s" % self.service_name)
# Call restore_state so that we do not leave mess in the statestore
# Otherwise this does nothing
self.restore_state("running")
self.restore_state("enabled")
winbind = services.service("winbind", api)
# Always try to stop and disable smb service, since we do not leave
# working configuration after uninstall
try:
self.stop()
self.disable()
winbind.stop()
winbind.disable()
except Exception:
pass
# Since we do not guarantee restoring back to working samba state,
# we should not restore smb.conf
# Restore the state of affected selinux booleans
boolean_states = {name: self.restore_state(name)
for name in constants.SELINUX_BOOLEAN_ADTRUST}
try:
tasks.set_selinux_booleans(boolean_states)
except ipapython.errors.SetseboolError as e:
self.print_msg('WARNING: ' + str(e))
# Remove samba's credentials cache
installutils.remove_ccache(ccache_path=paths.KRB5CC_SAMBA)
# Remove samba's configuration file
installutils.remove_file(self.smb_conf)
# Remove samba's persistent and temporary tdb files
tdb_files = [tdb_file for tdb_file in os.listdir(paths.SAMBA_DIR)
if tdb_file.endswith(".tdb")]
for tdb_file in tdb_files:
installutils.remove_file(tdb_file)
# Remove our keys from samba's keytab
self.clean_samba_keytab()
def uninstall(self):
super(CustodiaInstance, self).uninstall()
keystore = IPAKEMKeys({
'server_keys': self.server_keys,
'ldap_uri': self.ldap_uri
})
# Call remove_server_keys_file explicitly to ensure that the key
# file is always removed.
keystore.remove_server_keys_file()
try:
keystore.remove_server_keys()
except (ldap.CONNECT_ERROR, ldap.SERVER_DOWN):
logger.debug(
"Cannot remove custodia keys now, server_del takes care of "
"them later."
)
installutils.remove_file(self.config_file)
sysupgrade.set_upgrade_state('custodia', 'installed', False)
def export_certdb(self, fname, passwd_fname, is_kdc=False):
"""Export a cert database
:param fname: The file to export to (relative to the info directory)
:param passwd_fname: File that holds the cert DB password
:param is_kdc: True if we're exporting KDC certs
"""
options = self.options
hostname = self.replica_fqdn
subject_base = self.subject_base
if is_kdc:
nickname = "KDC-Cert"
else:
nickname = "Server-Cert"
try:
db = certs.CertDB(
api.env.realm, nssdir=self.dir, subject_base=subject_base)
db.create_passwd_file()
ca_db = certs.CertDB(
api.env.realm, host_name=api.env.host,
subject_base=subject_base)
db.create_from_cacert(ca_db.cacert_fname)
db.create_server_cert(nickname, hostname, ca_db)
pkcs12_fname = os.path.join(self.dir, fname + ".p12")
try:
if is_kdc:
ca_db.export_pem_p12(pkcs12_fname, passwd_fname,
nickname, os.path.join(self.dir, "kdc.pem"))
else:
db.export_pkcs12(pkcs12_fname, passwd_fname, nickname)
except ipautil.CalledProcessError as e:
self.log.info("error exporting Server certificate: %s", e)
installutils.remove_file(pkcs12_fname)
installutils.remove_file(passwd_fname)
self.remove_info_file("cert8.db")
self.remove_info_file("key3.db")
self.remove_info_file("secmod.db")
self.remove_info_file("noise.txt")
if is_kdc:
self.remove_info_file("kdc.pem")
orig_filename = passwd_fname + ".orig"
if ipautil.file_exists(orig_filename):
installutils.remove_file(orig_filename)
except errors.CertificateOperationError as e:
raise admintool.ScriptError(str(e))
def export_certdb(self, fname, passwd_fname, is_kdc=False):
"""Export a cert database
:param fname: The file to export to (relative to the info directory)
:param passwd_fname: File that holds the cert DB password
:param is_kdc: True if we're exporting KDC certs
"""
hostname = self.replica_fqdn
subject_base = self.subject_base
if is_kdc:
nickname = "KDC-Cert"
else:
nickname = "Server-Cert"
try:
db = certs.CertDB(api.env.realm,
nssdir=self.dir,
subject_base=subject_base)
db.create_passwd_file()
ca_db = certs.CertDB(api.env.realm,
host_name=api.env.host,
subject_base=subject_base)
db.create_from_cacert()
db.create_server_cert(nickname, hostname, ca_db)
pkcs12_fname = os.path.join(self.dir, fname + ".p12")
try:
if is_kdc:
ca_db.export_pem_p12(pkcs12_fname, passwd_fname, nickname,
os.path.join(self.dir, "kdc.pem"))
else:
db.export_pkcs12(pkcs12_fname, passwd_fname, nickname)
except ipautil.CalledProcessError as e:
self.log.info("error exporting Server certificate: %s", e)
installutils.remove_file(pkcs12_fname)
installutils.remove_file(passwd_fname)
self.remove_info_file("cert8.db")
self.remove_info_file("key3.db")
self.remove_info_file("secmod.db")
self.remove_info_file("noise.txt")
if is_kdc:
self.remove_info_file("kdc.pem")
orig_filename = passwd_fname + ".orig"
if ipautil.file_exists(orig_filename):
installutils.remove_file(orig_filename)
except errors.CertificateOperationError as e:
raise admintool.ScriptError(str(e))
def uninstall(self):
if self.is_configured():
self.print_msg("Unconfiguring %s" % self.service_name)
# Call restore_state so that we do not leave mess in the statestore
# Otherwise this does nothing
self.restore_state("running")
self.restore_state("enabled")
# Always try to stop and disable smb service, since we do not leave
# working configuration after uninstall
try:
self.stop()
self.disable()
except:
pass
# Since we do not guarantee restoring back to working samba state,
# we should not restore smb.conf
# Restore the state of affected selinux booleans
for var in self.selinux_booleans:
sebool_state = self.restore_state(var)
if not sebool_state is None:
try:
ipautil.run(["/usr/sbin/setsebool",
"-P", var, sebool_state])
except:
self.print_msg(SELINUX_WARNING % dict(var=var))
# Remove samba's credentials cache
krb5cc_samba = '/var/run/samba/krb5cc_samba'
installutils.remove_file(krb5cc_samba)
# Remove samba's configuration file
installutils.remove_file(self.smb_conf)
# Remove samba's persistent and temporary tdb files
tdb_files = [tdb_file for tdb_file in os.listdir("/var/lib/samba/")
if tdb_file.endswith(".tdb")]
for tdb_file in tdb_files:
installutils.remove_file(tdb_file)
# Remove our keys from samba's keytab
self.clean_samba_keytab()
def export_certdb(self, fname, passwd_fname):
"""Export a cert database
:param fname: The file to export to (relative to the info directory)
:param passwd_fname: File that holds the cert DB password
"""
hostname = self.replica_fqdn
subject_base = self.subject_base
ca_subject = ca.lookup_ca_subject(api, subject_base)
nickname = "Server-Cert"
try:
db = certs.CertDB(api.env.realm,
nssdir=self.dir,
host_name=api.env.host,
subject_base=subject_base,
ca_subject=ca_subject)
db.create_passwd_file()
db.create_from_cacert()
db.create_server_cert(nickname, hostname)
pkcs12_fname = os.path.join(self.dir, fname + ".p12")
try:
db.export_pkcs12(pkcs12_fname, passwd_fname, nickname)
except ipautil.CalledProcessError as e:
logger.info("error exporting Server certificate: %s", e)
installutils.remove_file(pkcs12_fname)
installutils.remove_file(passwd_fname)
for fname in (certdb.NSS_SQL_FILES + certdb.NSS_SQL_FILES):
self.remove_info_file(fname)
self.remove_info_file("noise.txt")
orig_filename = passwd_fname + ".orig"
if os.path.isfile(orig_filename):
installutils.remove_file(orig_filename)
except errors.CertificateOperationError as e:
raise admintool.ScriptError(str(e))
def export_certdb(self, fname, passwd_fname):
"""Export a cert database
:param fname: The file to export to (relative to the info directory)
:param passwd_fname: File that holds the cert DB password
"""
hostname = self.replica_fqdn
subject_base = self.subject_base
ca_subject = ca.lookup_ca_subject(api, subject_base)
nickname = "Server-Cert"
try:
db = certs.CertDB(
api.env.realm, nssdir=self.dir, host_name=api.env.host,
subject_base=subject_base, ca_subject=ca_subject)
db.create_passwd_file()
db.create_from_cacert()
db.create_server_cert(nickname, hostname)
pkcs12_fname = os.path.join(self.dir, fname + ".p12")
try:
db.export_pkcs12(pkcs12_fname, passwd_fname, nickname)
except ipautil.CalledProcessError as e:
logger.info("error exporting Server certificate: %s", e)
installutils.remove_file(pkcs12_fname)
installutils.remove_file(passwd_fname)
self.remove_info_file("cert8.db")
self.remove_info_file("key3.db")
self.remove_info_file("secmod.db")
self.remove_info_file("noise.txt")
orig_filename = passwd_fname + ".orig"
if ipautil.file_exists(orig_filename):
installutils.remove_file(orig_filename)
except errors.CertificateOperationError as e:
raise admintool.ScriptError(str(e))
def remove_info_file(self, filename):
"""Remove a file from the info directory
:param filename: The unneeded file (relative to the info directory)
"""
installutils.remove_file(os.path.join(self.dir, filename))
def uninstall(self):
if self.is_configured():
self.print_msg("Unconfiguring web server")
running = self.restore_state("running")
enabled = self.restore_state("enabled")
# Restore oddjobd to its original state
oddjobd = services.service('oddjobd', api)
if not self.sstore.restore_state('oddjobd', 'running'):
try:
oddjobd.stop()
except Exception:
pass
if not self.sstore.restore_state('oddjobd', 'enabled'):
try:
oddjobd.disable()
except Exception:
pass
self.stop_tracking_certificates()
helper = self.restore_state('certmonger_ipa_helper')
if helper:
bus = dbus.SystemBus()
obj = bus.get_object('org.fedorahosted.certmonger',
'/org/fedorahosted/certmonger')
iface = dbus.Interface(obj, 'org.fedorahosted.certmonger')
path = iface.find_ca_by_nickname('IPA')
if path:
ca_obj = bus.get_object('org.fedorahosted.certmonger', path)
ca_iface = dbus.Interface(ca_obj,
'org.freedesktop.DBus.Properties')
ca_iface.Set('org.fedorahosted.certmonger.ca',
'external-helper', helper)
for f in [paths.HTTPD_IPA_CONF, paths.HTTPD_SSL_CONF,
paths.HTTPD_SSL_SITE_CONF, paths.HTTPD_NSS_CONF]:
try:
self.fstore.restore_file(f)
except ValueError as error:
logger.debug("%s", error)
# Remove the configuration files we create
installutils.remove_keytab(self.keytab)
remove_files = [
paths.HTTP_CCACHE,
paths.HTTPD_CERT_FILE,
paths.HTTPD_KEY_FILE,
paths.HTTPD_PASSWD_FILE_FMT.format(host=api.env.host),
paths.HTTPD_IPA_REWRITE_CONF,
paths.HTTPD_IPA_CONF,
paths.HTTPD_IPA_PKI_PROXY_CONF,
paths.HTTPD_IPA_KDCPROXY_CONF_SYMLINK,
paths.HTTPD_IPA_KDCPROXY_CONF,
paths.GSSPROXY_CONF,
paths.GSSAPI_SESSION_KEY,
paths.HTTPD_PASSWORD_CONF,
paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF,
]
# NSS DB backups
remove_files.extend(
glob.glob(os.path.join(paths.HTTPD_ALIAS_DIR, '*.ipasave'))
)
if paths.HTTPD_IPA_WSGI_MODULES_CONF is not None:
remove_files.append(paths.HTTPD_IPA_WSGI_MODULES_CONF)
for filename in remove_files:
installutils.remove_file(filename)
try:
os.rmdir(paths.SYSTEMD_SYSTEM_HTTPD_D_DIR)
except OSError as e:
if e.errno not in {errno.ENOENT, errno.ENOTEMPTY}:
logger.error(
"Failed to remove directory %s",
paths.SYSTEMD_SYSTEM_HTTPD_D_DIR
)
# Restore SELinux boolean states
boolean_states = {name: self.restore_state(name)
for name in constants.SELINUX_BOOLEAN_HTTPD}
try:
tasks.set_selinux_booleans(boolean_states)
except ipapython.errors.SetseboolError as e:
self.print_msg('WARNING: ' + str(e))
if running:
self.restart()
# disabled by default, by ldap_enable()
if enabled:
self.enable()
def remove_info_file(self, filename):
"""Remove a file from the info directory
:param filename: The unneeded file (relative to the info directory)
"""
installutils.remove_file(os.path.join(self.dir, filename))
def uninstall(self):
if self.is_configured():
self.print_msg("Unconfiguring web server")
running = self.restore_state("running")
enabled = self.restore_state("enabled")
# Restore oddjobd to its original state
oddjobd = services.service('oddjobd')
if not self.sstore.restore_state('oddjobd', 'running'):
try:
oddjobd.stop()
except Exception:
pass
if not self.sstore.restore_state('oddjobd', 'enabled'):
try:
oddjobd.disable()
except Exception:
pass
self.stop_tracking_certificates()
helper = self.restore_state('certmonger_ipa_helper')
if helper:
bus = dbus.SystemBus()
obj = bus.get_object('org.fedorahosted.certmonger',
'/org/fedorahosted/certmonger')
iface = dbus.Interface(obj, 'org.fedorahosted.certmonger')
path = iface.find_ca_by_nickname('IPA')
if path:
ca_obj = bus.get_object('org.fedorahosted.certmonger', path)
ca_iface = dbus.Interface(ca_obj,
'org.freedesktop.DBus.Properties')
ca_iface.Set('org.fedorahosted.certmonger.ca',
'external-helper', helper)
for f in [paths.HTTPD_IPA_CONF, paths.HTTPD_SSL_CONF, paths.HTTPD_NSS_CONF]:
try:
self.fstore.restore_file(f)
except ValueError as error:
root_logger.debug(error)
installutils.remove_keytab(paths.IPA_KEYTAB)
installutils.remove_ccache(ccache_path=paths.KRB5CC_HTTPD,
run_as=HTTPD_USER)
# Remove the configuration files we create
installutils.remove_file(paths.HTTPD_IPA_REWRITE_CONF)
installutils.remove_file(paths.HTTPD_IPA_CONF)
installutils.remove_file(paths.HTTPD_IPA_PKI_PROXY_CONF)
installutils.remove_file(paths.HTTPD_IPA_KDCPROXY_CONF_SYMLINK)
installutils.remove_file(paths.HTTPD_IPA_KDCPROXY_CONF)
tasks.remove_httpd_service_ipa_conf()
# Restore SELinux boolean states
boolean_states = {name: self.restore_state(name)
for name in SELINUX_BOOLEAN_SETTINGS}
try:
tasks.set_selinux_booleans(boolean_states)
except ipapython.errors.SetseboolError as e:
self.print_msg('WARNING: ' + str(e))
if running:
self.restart()
# disabled by default, by ldap_enable()
if enabled:
self.enable()
def delete_pkinit_cert(self):
installutils.remove_file(paths.KDC_CERT)
installutils.remove_file(paths.KDC_KEY)
def uninstall(installer):
fstore = installer._fstore
sstore = installer._sstore
rv = 0
print("Shutting down all IPA services")
try:
services.knownservices.ipa.stop()
except Exception:
# Fallback to direct ipactl stop only if system command fails
try:
run([paths.IPACTL, "stop"], raiseonerr=False)
except Exception:
pass
ipaclient.install.client.restore_time_sync(sstore, fstore)
kra.uninstall()
ca.uninstall()
dns.uninstall()
httpinstance.HTTPInstance(fstore).uninstall()
krbinstance.KrbInstance(fstore).uninstall()
dsinstance.DsInstance(fstore=fstore).uninstall()
if _server_trust_ad_installed:
adtrustinstance.ADTRUSTInstance(fstore).uninstall()
# realm isn't used, but IPAKEMKeys parses /etc/ipa/default.conf
# otherwise, see https://pagure.io/freeipa/issue/7474 .
custodiainstance.CustodiaInstance(realm='REALM.INVALID').uninstall()
otpdinstance.OtpdInstance().uninstall()
tasks.restore_hostname(fstore, sstore)
fstore.restore_all_files()
try:
os.remove(paths.ROOT_IPA_CACHE)
except Exception:
pass
try:
os.remove(paths.ROOT_IPA_CSR)
except Exception:
pass
# ipa-client-install removes /etc/ipa/default.conf
sstore._load()
ipaclient.install.timeconf.restore_forced_timeservices(sstore)
# Clean up group_exists (unused since IPA 2.2, not being set since 4.1)
sstore.restore_state("install", "group_exists")
services.knownservices.ipa.disable()
# remove upgrade state file
sysupgrade.remove_upgrade_file()
if fstore.has_files():
logger.error('Some files have not been restored, see '
'%s/sysrestore.index', SYSRESTORE_DIR_PATH)
has_state = False
for module in IPA_MODULES: # from installutils
if sstore.has_state(module):
logger.error('Some installation state for %s has not been '
'restored, see %s/sysrestore.state',
module, SYSRESTORE_DIR_PATH)
has_state = True
rv = 1
if has_state:
logger.error('Some installation state has not been restored.\n'
'This may cause re-installation to fail.\n'
'It should be safe to remove %s/sysrestore.state '
'but it may\n'
'mean your system hasn\'t be restored to its '
'pre-installation state.', SYSRESTORE_DIR_PATH)
else:
# sysrestore.state has no state left, remove it
sysrestore = os.path.join(SYSRESTORE_DIR_PATH, 'sysrestore.state')
installutils.remove_file(sysrestore)
# Note that this name will be wrong after the first uninstall.
dirname = dsinstance.config_dirname(
ipaldap.realm_to_serverid(api.env.realm))
dirs = [dirname, paths.PKI_TOMCAT_ALIAS_DIR, paths.HTTPD_ALIAS_DIR]
ids = certmonger.check_state(dirs)
if ids:
logger.error('Some certificates may still be tracked by '
'certmonger.\n'
'This will cause re-installation to fail.\n'
'Start the certmonger service and list the '
'certificates being tracked\n'
' # getcert list\n'
'These may be untracked by executing\n'
' # getcert stop-tracking -i <request_id>\n'
'for each id in: %s', ', '.join(ids))
# Remove the cert renewal lock file
try:
os.remove(paths.IPA_RENEWAL_LOCK)
except OSError as e:
if e.errno != errno.ENOENT:
logger.warning("Failed to remove file %s: %s",
paths.IPA_RENEWAL_LOCK, e)
print("Removing IPA client configuration")
try:
result = run([paths.IPA_CLIENT_INSTALL, "--on-master",
"--unattended", "--uninstall"],
raiseonerr=False, redirect_output=True)
if result.returncode not in [0, 2]:
raise RuntimeError("Failed to configure the client")
except Exception:
rv = 1
print("Uninstall of client side components failed!")
sys.exit(rv)
def uninstall(self):
if self.is_configured():
self.print_msg("Unconfiguring web server")
running = self.restore_state("running")
enabled = self.restore_state("enabled")
# Restore oddjobd to its original state
oddjobd = services.service('oddjobd', api)
if not self.sstore.restore_state('oddjobd', 'running'):
try:
oddjobd.stop()
except Exception:
pass
if not self.sstore.restore_state('oddjobd', 'enabled'):
try:
oddjobd.disable()
except Exception:
pass
self.stop_tracking_certificates()
helper = self.restore_state('certmonger_ipa_helper')
if helper:
bus = dbus.SystemBus()
obj = bus.get_object('org.fedorahosted.certmonger',
'/org/fedorahosted/certmonger')
iface = dbus.Interface(obj, 'org.fedorahosted.certmonger')
path = iface.find_ca_by_nickname('IPA')
if path:
ca_obj = bus.get_object('org.fedorahosted.certmonger', path)
ca_iface = dbus.Interface(ca_obj,
'org.freedesktop.DBus.Properties')
ca_iface.Set('org.fedorahosted.certmonger.ca',
'external-helper', helper)
for f in [
paths.HTTPD_IPA_CONF, paths.HTTPD_SSL_CONF,
paths.HTTPD_SSL_SITE_CONF, paths.HTTPD_NSS_CONF
]:
try:
self.fstore.restore_file(f)
except ValueError as error:
logger.debug("%s", error)
# Remove the configuration files we create
installutils.remove_keytab(self.keytab)
remove_files = [
paths.HTTP_CCACHE,
paths.HTTPD_CERT_FILE,
paths.HTTPD_KEY_FILE,
paths.HTTPD_PASSWD_FILE_FMT.format(host=api.env.host),
paths.HTTPD_IPA_REWRITE_CONF,
paths.HTTPD_IPA_CONF,
paths.HTTPD_IPA_PKI_PROXY_CONF,
paths.HTTPD_IPA_KDCPROXY_CONF_SYMLINK,
paths.HTTPD_IPA_KDCPROXY_CONF,
paths.GSSPROXY_CONF,
paths.GSSAPI_SESSION_KEY,
paths.HTTPD_PASSWORD_CONF,
paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF,
]
# NSS DB backups
remove_files.extend(
glob.glob(os.path.join(paths.HTTPD_ALIAS_DIR, '*.ipasave')))
if paths.HTTPD_IPA_WSGI_MODULES_CONF is not None:
remove_files.append(paths.HTTPD_IPA_WSGI_MODULES_CONF)
for filename in remove_files:
installutils.remove_file(filename)
try:
os.rmdir(paths.SYSTEMD_SYSTEM_HTTPD_D_DIR)
except OSError as e:
if e.errno not in {errno.ENOENT, errno.ENOTEMPTY}:
logger.error("Failed to remove directory %s",
paths.SYSTEMD_SYSTEM_HTTPD_D_DIR)
# Restore SELinux boolean states
boolean_states = {
name: self.restore_state(name)
for name in constants.SELINUX_BOOLEAN_HTTPD
}
try:
tasks.set_selinux_booleans(boolean_states)
except ipapython.errors.SetseboolError as e:
self.print_msg('WARNING: ' + str(e))
if running:
self.restart()
# disabled by default, by ldap_enable()
if enabled:
self.enable()
def delete_pkinit_cert(self):
installutils.remove_file(paths.KDC_CERT)
installutils.remove_file(paths.KDC_KEY)
def uninstall(installer):
fstore = installer._fstore
sstore = installer._sstore
rv = 0
print("Shutting down all IPA services")
try:
services.knownservices.ipa.stop()
except Exception:
# Fallback to direct ipactl stop only if system command fails
try:
run([paths.IPACTL, "stop"], raiseonerr=False)
except Exception:
pass
ipaclient.install.client.restore_time_sync(sstore, fstore)
kra.uninstall()
ca.uninstall()
dns.uninstall()
httpinstance.HTTPInstance(fstore).uninstall()
krbinstance.KrbInstance(fstore).uninstall()
dsinstance.DsInstance(fstore=fstore).uninstall()
if _server_trust_ad_installed:
adtrustinstance.ADTRUSTInstance(fstore).uninstall()
# realm isn't used, but IPAKEMKeys parses /etc/ipa/default.conf
# otherwise, see https://pagure.io/freeipa/issue/7474 .
custodiainstance.CustodiaInstance(realm='REALM.INVALID').uninstall()
otpdinstance.OtpdInstance().uninstall()
tasks.restore_hostname(fstore, sstore)
fstore.restore_all_files()
try:
os.remove(paths.ROOT_IPA_CACHE)
except Exception:
pass
try:
os.remove(paths.ROOT_IPA_CSR)
except Exception:
pass
# ipa-client-install removes /etc/ipa/default.conf
sstore._load()
ipaclient.install.timeconf.restore_forced_timeservices(sstore)
# Clean up group_exists (unused since IPA 2.2, not being set since 4.1)
sstore.restore_state("install", "group_exists")
services.knownservices.ipa.disable()
# remove upgrade state file
sysupgrade.remove_upgrade_file()
if fstore.has_files():
logger.error(
'Some files have not been restored, see '
'%s/sysrestore.index', SYSRESTORE_DIR_PATH)
has_state = False
for module in IPA_MODULES: # from installutils
if sstore.has_state(module):
logger.error(
'Some installation state for %s has not been '
'restored, see %s/sysrestore.state', module,
SYSRESTORE_DIR_PATH)
has_state = True
rv = 1
if has_state:
logger.error(
'Some installation state has not been restored.\n'
'This may cause re-installation to fail.\n'
'It should be safe to remove %s/sysrestore.state '
'but it may\n'
'mean your system hasn\'t be restored to its '
'pre-installation state.', SYSRESTORE_DIR_PATH)
else:
# sysrestore.state has no state left, remove it
sysrestore = os.path.join(SYSRESTORE_DIR_PATH, 'sysrestore.state')
installutils.remove_file(sysrestore)
# Note that this name will be wrong after the first uninstall.
dirname = dsinstance.config_dirname(
installutils.realm_to_serverid(api.env.realm))
dirs = [dirname, paths.PKI_TOMCAT_ALIAS_DIR, paths.HTTPD_ALIAS_DIR]
ids = certmonger.check_state(dirs)
if ids:
logger.error(
'Some certificates may still be tracked by '
'certmonger.\n'
'This will cause re-installation to fail.\n'
'Start the certmonger service and list the '
'certificates being tracked\n'
' # getcert list\n'
'These may be untracked by executing\n'
' # getcert stop-tracking -i <request_id>\n'
'for each id in: %s', ', '.join(ids))
# Remove the cert renewal lock file
try:
os.remove(paths.IPA_RENEWAL_LOCK)
except OSError as e:
if e.errno != errno.ENOENT:
logger.warning("Failed to remove file %s: %s",
paths.IPA_RENEWAL_LOCK, e)
print("Removing IPA client configuration")
try:
result = run([
paths.IPA_CLIENT_INSTALL, "--on-master", "--unattended",
"--uninstall"
],
raiseonerr=False,
redirect_output=True)
if result.returncode not in [0, 2]:
raise RuntimeError("Failed to configure the client")
except Exception:
rv = 1
print("Uninstall of client side components failed!")
sys.exit(rv)
def check(self):
validate = []
ca_pw_fname = None
if self.ca.is_configured():
try:
ca_passwd = get_dogtag_cert_password()
except IOError as e:
yield Result(
self,
constants.ERROR,
error=str(e),
msg='Unable to read CA NSSDB token password: {error}')
return
else:
with tempfile.NamedTemporaryFile(mode='w',
delete=False) as ca_pw_file:
ca_pw_file.write(ca_passwd)
ca_pw_fname = ca_pw_file.name
validate.append((
paths.PKI_TOMCAT_ALIAS_DIR,
'Server-Cert cert-pki-ca',
ca_pw_fname,
), )
validate.append((
dsinstance.config_dirname(self.serverid),
self.ds.get_server_cert_nickname(self.serverid),
os.path.join(dsinstance.config_dirname(self.serverid),
'pwdfile.txt'),
))
# Wrap in try/except to ensure the temporary password file is
# removed
try:
for (dbdir, nickname, pinfile) in validate:
# detect the database type so we have the right prefix
db = certdb.NSSDatabase(dbdir)
key = os.path.normpath(dbdir) + ':' + nickname
try:
response = self.validate_nss(dbdir, db.dbtype, pinfile,
nickname)
except ipautil.CalledProcessError as e:
logger.debug('Validation of NSS certificate failed %s', e)
yield Result(
self,
constants.ERROR,
key=key,
dbdir=dbdir,
nickname=nickname,
reason=response.output_error,
msg='Validation of {nickname} in {dbdir} failed: '
'{reason}')
else:
if 'certificate is valid' not in \
response.raw_output.decode('utf-8'):
yield Result(
self,
constants.ERROR,
key=key,
dbdir=dbdir,
nickname=nickname,
reason="%s: %s" %
(response.raw_output.decode('utf-8'),
response.error_log),
msg='Validation of {nickname} in {dbdir} failed: '
'{reason}')
else:
yield Result(self,
constants.SUCCESS,
dbdir=dbdir,
nickname=nickname,
key=key)
finally:
if ca_pw_fname:
installutils.remove_file(ca_pw_fname)
def uninstall(self):
if self.is_configured():
self.print_msg("Unconfiguring web server")
running = self.restore_state("running")
enabled = self.restore_state("enabled")
# Restore oddjobd to its original state
oddjobd = services.service('oddjobd')
if not self.sstore.restore_state('oddjobd', 'running'):
try:
oddjobd.stop()
except Exception:
pass
if not self.sstore.restore_state('oddjobd', 'enabled'):
try:
oddjobd.disable()
except Exception:
pass
self.stop_tracking_certificates()
helper = self.restore_state('certmonger_ipa_helper')
if helper:
bus = dbus.SystemBus()
obj = bus.get_object('org.fedorahosted.certmonger',
'/org/fedorahosted/certmonger')
iface = dbus.Interface(obj, 'org.fedorahosted.certmonger')
path = iface.find_ca_by_nickname('IPA')
if path:
ca_obj = bus.get_object('org.fedorahosted.certmonger', path)
ca_iface = dbus.Interface(ca_obj,
'org.freedesktop.DBus.Properties')
ca_iface.Set('org.fedorahosted.certmonger.ca',
'external-helper', helper)
for f in [
paths.HTTPD_IPA_CONF, paths.HTTPD_SSL_CONF,
paths.HTTPD_NSS_CONF
]:
try:
self.fstore.restore_file(f)
except ValueError as error:
root_logger.debug(error)
installutils.remove_keytab(self.keytab)
installutils.remove_ccache(ccache_path=paths.KRB5CC_HTTPD,
run_as=self.service_user)
# Remove the configuration files we create
installutils.remove_file(paths.HTTPD_IPA_REWRITE_CONF)
installutils.remove_file(paths.HTTPD_IPA_CONF)
installutils.remove_file(paths.HTTPD_IPA_PKI_PROXY_CONF)
installutils.remove_file(paths.HTTPD_IPA_KDCPROXY_CONF_SYMLINK)
installutils.remove_file(paths.HTTPD_IPA_KDCPROXY_CONF)
tasks.remove_httpd_service_ipa_conf()
# Restore SELinux boolean states
boolean_states = {
name: self.restore_state(name)
for name in SELINUX_BOOLEAN_SETTINGS
}
try:
tasks.set_selinux_booleans(boolean_states)
except ipapython.errors.SetseboolError as e:
self.print_msg('WARNING: ' + str(e))
if running:
self.restart()
# disabled by default, by ldap_enable()
if enabled:
self.enable()
def validate_certs(self):
"""Use certutil -V to validate the certs we can"""
ca_pw_name = None
if self.ca.is_configured():
ca_passwd = None
token = 'internal'
with open(paths.PKI_TOMCAT_PASSWORD_CONF, 'r') as f:
for line in f:
(tok, pin) = line.split('=', 1)
if token == tok:
ca_passwd = pin.strip()
break
else:
self.failure("The password to the 'internal' "
"token of the Dogtag certificate "
"store was not found.")
with tempfile.NamedTemporaryFile(mode='w',
delete=False) as ca_pw_file:
ca_pw_file.write(ca_passwd)
ca_pw_name = ca_pw_file.name
try:
validate = [
(
dsinstance.config_dirname(self.serverid),
self.ds.get_server_cert_nickname(self.serverid),
os.path.join(dsinstance.config_dirname(self.serverid),
'pwdfile.txt'),
),
]
if self.ca.is_configured():
validate.append((
paths.PKI_TOMCAT_ALIAS_DIR,
'Server-Cert cert-pki-ca',
ca_pw_name,
), )
if version.NUM_VERSION < 40700:
validate.append((
paths.HTTPD_ALIAS_DIR,
self.http.get_mod_nss_nickname(),
os.path.join(paths.HTTPD_ALIAS_DIR, 'pwdfile.txt'),
), )
for (dbdir, nickname, pinfile) in validate:
args = [paths.CERTUTIL, "-V", "-u", "V", "-e"]
args.extend(["-d", dbdir])
args.extend(["-n", nickname])
args.extend(["-f", pinfile])
try:
result = ipautil.run(args)
except ipautil.CalledProcessError as e:
self.failure('Validation of %s in %s failed: %s' %
(nickname, dbdir, e))
else:
if 'certificate is valid' not in \
result.raw_output.decode('utf-8'):
self.failure('Validation of %s in %s failed: '
'%s %s' %
(nickname, dbdir, result.raw_output,
result.error_log))
finally:
if ca_pw_name:
installutils.remove_file(ca_pw_name)
if version.NUM_VERSION >= 40700:
self.validate_openssl(paths.HTTPD_CERT_FILE)
self.validate_openssl(paths.RA_AGENT_PEM)