def uninstall(self): if self.is_configured(): self.print_msg("Unconfiguring %s" % self.service_name) running = self.restore_state("running") enabled = self.restore_state("enabled") try: self.stop() except Exception: pass for f in [paths.KRB5KDC_KDC_CONF, paths.KRB5_CONF]: try: self.fstore.restore_file(f) except ValueError as error: logger.debug("%s", error) # disabled by default, by ldap_configure() if enabled: self.enable() # stop tracking and remove certificates self.stop_tracking_certs() installutils.remove_file(paths.CACERT_PEM) self.delete_pkinit_cert() if running: self.restart() self.kpasswd = KpasswdInstance() self.kpasswd.uninstall()
def uninstall(self): if self.is_configured(): self.print_msg("Unconfiguring %s" % self.service_name) # Just eat states self.restore_state("running") self.restore_state("enabled") self.restore_state("configured") # stop and disable service (IPA service, we do not need it anymore) self.stop() self.disable() for f in [paths.SYSCONFIG_NAMED]: try: self.fstore.restore_file(f) except ValueError as error: logger.debug('%s', error) # remove softhsm pin, to make sure new installation will generate # new token database # do not delete *so pin*, user can need it to get token data installutils.remove_file(paths.DNSSEC_SOFTHSM_PIN) installutils.remove_file(paths.DNSSEC_SOFTHSM2_CONF) try: shutil.rmtree(paths.DNSSEC_TOKENS_DIR) except OSError as e: if e.errno != errno.ENOENT: logger.exception( "Failed to remove %s", paths.DNSSEC_TOKENS_DIR ) installutils.remove_keytab(self.keytab)
def uninstall(): ca_instance = cainstance.CAInstance(api.env.realm) ca_instance.stop_tracking_certificates() installutils.remove_file(paths.RA_AGENT_PEM) installutils.remove_file(paths.RA_AGENT_KEY) if ca_instance.is_configured(): ca_instance.uninstall()
def remove_httpd_ccaches(self): # Clean up existing ccaches # Make sure that empty env is passed to avoid passing KRB5CCNAME from # current env installutils.remove_file(paths.HTTP_CCACHE) for f in os.listdir(paths.IPA_CCACHES): os.remove(os.path.join(paths.IPA_CCACHES, f))
def uninstall(self): if self.is_configured(): self.print_msg("Unconfiguring %s" % self.service_name) # Just eat states self.restore_state("running") self.restore_state("enabled") self.restore_state("configured") # stop and disable service (IPA service, we do not need it anymore) self.stop() self.disable() for f in [paths.SYSCONFIG_NAMED]: try: self.fstore.restore_file(f) except ValueError as error: logger.debug('%s', error) # remove softhsm pin, to make sure new installation will generate # new token database # do not delete *so pin*, user can need it to get token data installutils.remove_file(paths.DNSSEC_SOFTHSM_PIN) installutils.remove_file(paths.DNSSEC_SOFTHSM2_CONF) try: shutil.rmtree(paths.DNSSEC_TOKENS_DIR) except OSError as e: if e.errno != errno.ENOENT: logger.exception("Failed to remove %s", paths.DNSSEC_TOKENS_DIR) installutils.remove_keytab(self.keytab)
def uninstall(self): super(CustodiaInstance, self).uninstall() keystore = IPAKEMKeys({ 'server_keys': self.server_keys, 'ldap_uri': self.ldap_uri }) keystore.remove_server_keys_file() installutils.remove_file(self.config_file) sysupgrade.set_upgrade_state('custodia', 'installed', False)
def uninstall(self): if self.is_configured(): self.print_msg("Unconfiguring web server") running = self.restore_state("running") enabled = self.restore_state("enabled") self.stop_tracking_certificates() helper = self.restore_state('certmonger_ipa_helper') if helper: bus = dbus.SystemBus() obj = bus.get_object('org.fedorahosted.certmonger', '/org/fedorahosted/certmonger') iface = dbus.Interface(obj, 'org.fedorahosted.certmonger') path = iface.find_ca_by_nickname('IPA') if path: ca_obj = bus.get_object('org.fedorahosted.certmonger', path) ca_iface = dbus.Interface(ca_obj, 'org.freedesktop.DBus.Properties') ca_iface.Set('org.fedorahosted.certmonger.ca', 'external-helper', helper) for f in [paths.HTTPD_IPA_CONF, paths.HTTPD_SSL_CONF, paths.HTTPD_NSS_CONF]: try: self.fstore.restore_file(f) except ValueError as error: root_logger.debug(error) pass # Remove the ccache file for the HTTPD service ipautil.run([paths.KDESTROY, '-c', paths.KRB5CC_HTTPD], runas='apache', raiseonerr=False) # Remove the configuration files we create installutils.remove_file(paths.HTTPD_IPA_REWRITE_CONF) installutils.remove_file(paths.HTTPD_IPA_CONF) installutils.remove_file(paths.HTTPD_IPA_PKI_PROXY_CONF) installutils.remove_file(paths.HTTPD_IPA_KDCPROXY_CONF_SYMLINK) installutils.remove_file(paths.HTTPD_IPA_KDCPROXY_CONF) # Restore SELinux boolean states boolean_states = {name: self.restore_state(name) for name in SELINUX_BOOLEAN_SETTINGS} try: tasks.set_selinux_booleans(boolean_states) except ipapython.errors.SetseboolError as e: self.print_msg('WARNING: ' + str(e)) if running: self.restart() # disabled by default, by ldap_enable() if enabled: self.enable()
def package_replica_file(self): replicafile = paths.REPLICA_INFO_TEMPLATE % self.replica_fqdn encfile = "%s.gpg" % replicafile self.log.info("Packaging replica information into %s", encfile) ipautil.run([paths.TAR, "cf", replicafile, "-C", self.top_dir, "realm_info"]) ipautil.encrypt_file(replicafile, encfile, self.dirman_password, self.top_dir) os.chmod(encfile, 0o600) installutils.remove_file(replicafile)
def disable_nss_conf(self): """ Backs up and removes the original nss.conf file. There is no safe way to co-exist since there is no safe port to make mod_nss use, disable it completely. """ if os.path.exists(paths.HTTPD_NSS_CONF): # check that we don't have a backup already # (mod_nss -> mod_ssl upgrade scenario) if not self.fstore.has_file(paths.HTTPD_NSS_CONF): self.fstore.backup_file(paths.HTTPD_NSS_CONF) installutils.remove_file(paths.HTTPD_NSS_CONF)
def package_replica_file(self): replicafile = paths.REPLICA_INFO_TEMPLATE % self.replica_fqdn encfile = "%s.gpg" % replicafile logger.info("Packaging replica information into %s", encfile) ipautil.run( [paths.TAR, "cf", replicafile, "-C", self.top_dir, "realm_info"]) installutils.encrypt_file(replicafile, encfile, self.dirman_password, self.top_dir) os.chmod(encfile, 0o600) installutils.remove_file(replicafile)
def package_replica_file(self): replicafile = "/var/lib/ipa/replica-info-%s" % self.replica_fqdn encfile = "%s.gpg" % replicafile self.log.info("Packaging replica information into %s", encfile) ipautil.run( ["/bin/tar", "cf", replicafile, "-C", self.top_dir, "realm_info"]) ipautil.encrypt_file( replicafile, encfile, self.dirman_password, self.top_dir) os.chmod(encfile, 0600) installutils.remove_file(replicafile)
def uninstall(self): if self.is_configured(): self.print_msg("Unconfiguring directory server") enabled = self.restore_state("enabled") # Just eat this state if it exists running = self.restore_state("running") try: self.fstore.restore_file(paths.LIMITS_CONF) self.fstore.restore_file(paths.SYSCONFIG_DIRSRV) except ValueError as error: root_logger.debug(error) pass # disabled during IPA installation if enabled: self.enable() serverid = self.restore_state("serverid") if serverid is not None: self.stop_tracking_certificates(serverid) root_logger.debug("Removing DS instance %s" % serverid) try: remove_ds_instance(serverid) root_logger.debug("Removing DS keytab") installutils.remove_file(paths.DS_KEYTAB) except ipautil.CalledProcessError: root_logger.error("Failed to remove DS instance. You may " "need to remove instance data manually") # At one time we removed this user on uninstall. That can potentially # orphan files, or worse, if another useradd runs in the intermim, # cause files to have a new owner. user_exists = self.restore_state("user_exists") # Make sure some upgrade-related state is removed. This could cause # re-installation problems. self.restore_state('nsslapd-port') self.restore_state('nsslapd-security') self.restore_state('nsslapd-ldapiautobind') # If any dirsrv instances remain after we've removed ours then # (re)start them. for ds_instance in get_ds_instances(): try: services.knownservices.dirsrv.restart(ds_instance, wait=False) except Exception as e: root_logger.error('Unable to restart ds instance %s: %s', ds_instance, e)
def check_hostkeytab(self): """Ensure the host keytab can get a TGT""" ccache_dir = tempfile.mkdtemp() ccache_name = os.path.join(ccache_dir, 'ccache') try: try: host_princ = str('host/%s@%s' % (api.env.host, api.env.realm)) kinit_keytab(host_princ, paths.KRB5_KEYTAB, ccache_name) except gssapi.exceptions.GSSError as e: self.failure('Failed to obtain host TGT: %s' % e) finally: installutils.remove_file(ccache_name) os.rmdir(ccache_dir)
def check(self): ccache_dir = tempfile.mkdtemp() ccache_name = os.path.join(ccache_dir, 'ccache') try: try: host_princ = str('host/%s@%s' % (api.env.host, api.env.realm)) kinit_keytab(host_princ, paths.KRB5_KEYTAB, ccache_name) except gssapi.exceptions.GSSError as e: yield Result(self, constants.ERROR, msg='Failed to obtain host TGT: %s' % e) finally: installutils.remove_file(ccache_name) os.rmdir(ccache_dir)
def uninstall(self): if self.is_configured(): self.print_msg("Unconfiguring %s" % self.service_name) # Call restore_state so that we do not leave mess in the statestore # Otherwise this does nothing self.restore_state("running") self.restore_state("enabled") winbind = services.service("winbind", api) # Always try to stop and disable smb service, since we do not leave # working configuration after uninstall try: self.stop() self.disable() winbind.stop() winbind.disable() except Exception: pass # Since we do not guarantee restoring back to working samba state, # we should not restore smb.conf # Restore the state of affected selinux booleans boolean_states = { name: self.restore_state(name) for name in constants.SELINUX_BOOLEAN_ADTRUST } try: tasks.set_selinux_booleans(boolean_states) except ipapython.errors.SetseboolError as e: self.print_msg('WARNING: ' + str(e)) # Remove samba's credentials cache installutils.remove_ccache(ccache_path=paths.KRB5CC_SAMBA) # Remove samba's configuration file installutils.remove_file(self.smb_conf) # Remove samba's persistent and temporary tdb files tdb_files = [ tdb_file for tdb_file in os.listdir(paths.SAMBA_DIR) if tdb_file.endswith(".tdb") ] for tdb_file in tdb_files: installutils.remove_file(tdb_file) # Remove our keys from samba's keytab self.clean_samba_keytab()
def uninstall(self): super(CustodiaInstance, self).uninstall() keystore = IPAKEMKeys({ 'server_keys': self.server_keys, 'ldap_uri': self.ldap_uri }) # Call remove_server_keys_file explicitly to ensure that the key # file is always removed. keystore.remove_server_keys_file() try: keystore.remove_server_keys() except (ldap.CONNECT_ERROR, ldap.SERVER_DOWN): logger.debug( "Cannot remove custodia keys now, server_del takes care of " "them later.") installutils.remove_file(self.config_file) sysupgrade.set_upgrade_state('custodia', 'installed', False)
def uninstall(self): if self.is_configured(): self.print_msg("Unconfiguring %s" % self.service_name) # Call restore_state so that we do not leave mess in the statestore # Otherwise this does nothing self.restore_state("running") self.restore_state("enabled") winbind = services.service("winbind", api) # Always try to stop and disable smb service, since we do not leave # working configuration after uninstall try: self.stop() self.disable() winbind.stop() winbind.disable() except Exception: pass # Since we do not guarantee restoring back to working samba state, # we should not restore smb.conf # Restore the state of affected selinux booleans boolean_states = {name: self.restore_state(name) for name in constants.SELINUX_BOOLEAN_ADTRUST} try: tasks.set_selinux_booleans(boolean_states) except ipapython.errors.SetseboolError as e: self.print_msg('WARNING: ' + str(e)) # Remove samba's credentials cache installutils.remove_ccache(ccache_path=paths.KRB5CC_SAMBA) # Remove samba's configuration file installutils.remove_file(self.smb_conf) # Remove samba's persistent and temporary tdb files tdb_files = [tdb_file for tdb_file in os.listdir(paths.SAMBA_DIR) if tdb_file.endswith(".tdb")] for tdb_file in tdb_files: installutils.remove_file(tdb_file) # Remove our keys from samba's keytab self.clean_samba_keytab()
def uninstall(self): super(CustodiaInstance, self).uninstall() keystore = IPAKEMKeys({ 'server_keys': self.server_keys, 'ldap_uri': self.ldap_uri }) # Call remove_server_keys_file explicitly to ensure that the key # file is always removed. keystore.remove_server_keys_file() try: keystore.remove_server_keys() except (ldap.CONNECT_ERROR, ldap.SERVER_DOWN): logger.debug( "Cannot remove custodia keys now, server_del takes care of " "them later." ) installutils.remove_file(self.config_file) sysupgrade.set_upgrade_state('custodia', 'installed', False)
def export_certdb(self, fname, passwd_fname, is_kdc=False): """Export a cert database :param fname: The file to export to (relative to the info directory) :param passwd_fname: File that holds the cert DB password :param is_kdc: True if we're exporting KDC certs """ options = self.options hostname = self.replica_fqdn subject_base = self.subject_base if is_kdc: nickname = "KDC-Cert" else: nickname = "Server-Cert" try: db = certs.CertDB( api.env.realm, nssdir=self.dir, subject_base=subject_base) db.create_passwd_file() ca_db = certs.CertDB( api.env.realm, host_name=api.env.host, subject_base=subject_base) db.create_from_cacert(ca_db.cacert_fname) db.create_server_cert(nickname, hostname, ca_db) pkcs12_fname = os.path.join(self.dir, fname + ".p12") try: if is_kdc: ca_db.export_pem_p12(pkcs12_fname, passwd_fname, nickname, os.path.join(self.dir, "kdc.pem")) else: db.export_pkcs12(pkcs12_fname, passwd_fname, nickname) except ipautil.CalledProcessError as e: self.log.info("error exporting Server certificate: %s", e) installutils.remove_file(pkcs12_fname) installutils.remove_file(passwd_fname) self.remove_info_file("cert8.db") self.remove_info_file("key3.db") self.remove_info_file("secmod.db") self.remove_info_file("noise.txt") if is_kdc: self.remove_info_file("kdc.pem") orig_filename = passwd_fname + ".orig" if ipautil.file_exists(orig_filename): installutils.remove_file(orig_filename) except errors.CertificateOperationError as e: raise admintool.ScriptError(str(e))
def export_certdb(self, fname, passwd_fname, is_kdc=False): """Export a cert database :param fname: The file to export to (relative to the info directory) :param passwd_fname: File that holds the cert DB password :param is_kdc: True if we're exporting KDC certs """ hostname = self.replica_fqdn subject_base = self.subject_base if is_kdc: nickname = "KDC-Cert" else: nickname = "Server-Cert" try: db = certs.CertDB(api.env.realm, nssdir=self.dir, subject_base=subject_base) db.create_passwd_file() ca_db = certs.CertDB(api.env.realm, host_name=api.env.host, subject_base=subject_base) db.create_from_cacert() db.create_server_cert(nickname, hostname, ca_db) pkcs12_fname = os.path.join(self.dir, fname + ".p12") try: if is_kdc: ca_db.export_pem_p12(pkcs12_fname, passwd_fname, nickname, os.path.join(self.dir, "kdc.pem")) else: db.export_pkcs12(pkcs12_fname, passwd_fname, nickname) except ipautil.CalledProcessError as e: self.log.info("error exporting Server certificate: %s", e) installutils.remove_file(pkcs12_fname) installutils.remove_file(passwd_fname) self.remove_info_file("cert8.db") self.remove_info_file("key3.db") self.remove_info_file("secmod.db") self.remove_info_file("noise.txt") if is_kdc: self.remove_info_file("kdc.pem") orig_filename = passwd_fname + ".orig" if ipautil.file_exists(orig_filename): installutils.remove_file(orig_filename) except errors.CertificateOperationError as e: raise admintool.ScriptError(str(e))
def uninstall(self): if self.is_configured(): self.print_msg("Unconfiguring %s" % self.service_name) # Call restore_state so that we do not leave mess in the statestore # Otherwise this does nothing self.restore_state("running") self.restore_state("enabled") # Always try to stop and disable smb service, since we do not leave # working configuration after uninstall try: self.stop() self.disable() except: pass # Since we do not guarantee restoring back to working samba state, # we should not restore smb.conf # Restore the state of affected selinux booleans for var in self.selinux_booleans: sebool_state = self.restore_state(var) if not sebool_state is None: try: ipautil.run(["/usr/sbin/setsebool", "-P", var, sebool_state]) except: self.print_msg(SELINUX_WARNING % dict(var=var)) # Remove samba's credentials cache krb5cc_samba = '/var/run/samba/krb5cc_samba' installutils.remove_file(krb5cc_samba) # Remove samba's configuration file installutils.remove_file(self.smb_conf) # Remove samba's persistent and temporary tdb files tdb_files = [tdb_file for tdb_file in os.listdir("/var/lib/samba/") if tdb_file.endswith(".tdb")] for tdb_file in tdb_files: installutils.remove_file(tdb_file) # Remove our keys from samba's keytab self.clean_samba_keytab()
def export_certdb(self, fname, passwd_fname): """Export a cert database :param fname: The file to export to (relative to the info directory) :param passwd_fname: File that holds the cert DB password """ hostname = self.replica_fqdn subject_base = self.subject_base ca_subject = ca.lookup_ca_subject(api, subject_base) nickname = "Server-Cert" try: db = certs.CertDB(api.env.realm, nssdir=self.dir, host_name=api.env.host, subject_base=subject_base, ca_subject=ca_subject) db.create_passwd_file() db.create_from_cacert() db.create_server_cert(nickname, hostname) pkcs12_fname = os.path.join(self.dir, fname + ".p12") try: db.export_pkcs12(pkcs12_fname, passwd_fname, nickname) except ipautil.CalledProcessError as e: logger.info("error exporting Server certificate: %s", e) installutils.remove_file(pkcs12_fname) installutils.remove_file(passwd_fname) for fname in (certdb.NSS_SQL_FILES + certdb.NSS_SQL_FILES): self.remove_info_file(fname) self.remove_info_file("noise.txt") orig_filename = passwd_fname + ".orig" if os.path.isfile(orig_filename): installutils.remove_file(orig_filename) except errors.CertificateOperationError as e: raise admintool.ScriptError(str(e))
def export_certdb(self, fname, passwd_fname): """Export a cert database :param fname: The file to export to (relative to the info directory) :param passwd_fname: File that holds the cert DB password """ hostname = self.replica_fqdn subject_base = self.subject_base ca_subject = ca.lookup_ca_subject(api, subject_base) nickname = "Server-Cert" try: db = certs.CertDB( api.env.realm, nssdir=self.dir, host_name=api.env.host, subject_base=subject_base, ca_subject=ca_subject) db.create_passwd_file() db.create_from_cacert() db.create_server_cert(nickname, hostname) pkcs12_fname = os.path.join(self.dir, fname + ".p12") try: db.export_pkcs12(pkcs12_fname, passwd_fname, nickname) except ipautil.CalledProcessError as e: logger.info("error exporting Server certificate: %s", e) installutils.remove_file(pkcs12_fname) installutils.remove_file(passwd_fname) self.remove_info_file("cert8.db") self.remove_info_file("key3.db") self.remove_info_file("secmod.db") self.remove_info_file("noise.txt") orig_filename = passwd_fname + ".orig" if ipautil.file_exists(orig_filename): installutils.remove_file(orig_filename) except errors.CertificateOperationError as e: raise admintool.ScriptError(str(e))
def remove_info_file(self, filename): """Remove a file from the info directory :param filename: The unneeded file (relative to the info directory) """ installutils.remove_file(os.path.join(self.dir, filename))
def uninstall(self): if self.is_configured(): self.print_msg("Unconfiguring web server") running = self.restore_state("running") enabled = self.restore_state("enabled") # Restore oddjobd to its original state oddjobd = services.service('oddjobd', api) if not self.sstore.restore_state('oddjobd', 'running'): try: oddjobd.stop() except Exception: pass if not self.sstore.restore_state('oddjobd', 'enabled'): try: oddjobd.disable() except Exception: pass self.stop_tracking_certificates() helper = self.restore_state('certmonger_ipa_helper') if helper: bus = dbus.SystemBus() obj = bus.get_object('org.fedorahosted.certmonger', '/org/fedorahosted/certmonger') iface = dbus.Interface(obj, 'org.fedorahosted.certmonger') path = iface.find_ca_by_nickname('IPA') if path: ca_obj = bus.get_object('org.fedorahosted.certmonger', path) ca_iface = dbus.Interface(ca_obj, 'org.freedesktop.DBus.Properties') ca_iface.Set('org.fedorahosted.certmonger.ca', 'external-helper', helper) for f in [paths.HTTPD_IPA_CONF, paths.HTTPD_SSL_CONF, paths.HTTPD_SSL_SITE_CONF, paths.HTTPD_NSS_CONF]: try: self.fstore.restore_file(f) except ValueError as error: logger.debug("%s", error) # Remove the configuration files we create installutils.remove_keytab(self.keytab) remove_files = [ paths.HTTP_CCACHE, paths.HTTPD_CERT_FILE, paths.HTTPD_KEY_FILE, paths.HTTPD_PASSWD_FILE_FMT.format(host=api.env.host), paths.HTTPD_IPA_REWRITE_CONF, paths.HTTPD_IPA_CONF, paths.HTTPD_IPA_PKI_PROXY_CONF, paths.HTTPD_IPA_KDCPROXY_CONF_SYMLINK, paths.HTTPD_IPA_KDCPROXY_CONF, paths.GSSPROXY_CONF, paths.GSSAPI_SESSION_KEY, paths.HTTPD_PASSWORD_CONF, paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF, ] # NSS DB backups remove_files.extend( glob.glob(os.path.join(paths.HTTPD_ALIAS_DIR, '*.ipasave')) ) if paths.HTTPD_IPA_WSGI_MODULES_CONF is not None: remove_files.append(paths.HTTPD_IPA_WSGI_MODULES_CONF) for filename in remove_files: installutils.remove_file(filename) try: os.rmdir(paths.SYSTEMD_SYSTEM_HTTPD_D_DIR) except OSError as e: if e.errno not in {errno.ENOENT, errno.ENOTEMPTY}: logger.error( "Failed to remove directory %s", paths.SYSTEMD_SYSTEM_HTTPD_D_DIR ) # Restore SELinux boolean states boolean_states = {name: self.restore_state(name) for name in constants.SELINUX_BOOLEAN_HTTPD} try: tasks.set_selinux_booleans(boolean_states) except ipapython.errors.SetseboolError as e: self.print_msg('WARNING: ' + str(e)) if running: self.restart() # disabled by default, by ldap_enable() if enabled: self.enable()
def uninstall(self): if self.is_configured(): self.print_msg("Unconfiguring web server") running = self.restore_state("running") enabled = self.restore_state("enabled") # Restore oddjobd to its original state oddjobd = services.service('oddjobd') if not self.sstore.restore_state('oddjobd', 'running'): try: oddjobd.stop() except Exception: pass if not self.sstore.restore_state('oddjobd', 'enabled'): try: oddjobd.disable() except Exception: pass self.stop_tracking_certificates() helper = self.restore_state('certmonger_ipa_helper') if helper: bus = dbus.SystemBus() obj = bus.get_object('org.fedorahosted.certmonger', '/org/fedorahosted/certmonger') iface = dbus.Interface(obj, 'org.fedorahosted.certmonger') path = iface.find_ca_by_nickname('IPA') if path: ca_obj = bus.get_object('org.fedorahosted.certmonger', path) ca_iface = dbus.Interface(ca_obj, 'org.freedesktop.DBus.Properties') ca_iface.Set('org.fedorahosted.certmonger.ca', 'external-helper', helper) for f in [paths.HTTPD_IPA_CONF, paths.HTTPD_SSL_CONF, paths.HTTPD_NSS_CONF]: try: self.fstore.restore_file(f) except ValueError as error: root_logger.debug(error) installutils.remove_keytab(paths.IPA_KEYTAB) installutils.remove_ccache(ccache_path=paths.KRB5CC_HTTPD, run_as=HTTPD_USER) # Remove the configuration files we create installutils.remove_file(paths.HTTPD_IPA_REWRITE_CONF) installutils.remove_file(paths.HTTPD_IPA_CONF) installutils.remove_file(paths.HTTPD_IPA_PKI_PROXY_CONF) installutils.remove_file(paths.HTTPD_IPA_KDCPROXY_CONF_SYMLINK) installutils.remove_file(paths.HTTPD_IPA_KDCPROXY_CONF) tasks.remove_httpd_service_ipa_conf() # Restore SELinux boolean states boolean_states = {name: self.restore_state(name) for name in SELINUX_BOOLEAN_SETTINGS} try: tasks.set_selinux_booleans(boolean_states) except ipapython.errors.SetseboolError as e: self.print_msg('WARNING: ' + str(e)) if running: self.restart() # disabled by default, by ldap_enable() if enabled: self.enable()
def delete_pkinit_cert(self): installutils.remove_file(paths.KDC_CERT) installutils.remove_file(paths.KDC_KEY)
def uninstall(installer): fstore = installer._fstore sstore = installer._sstore rv = 0 print("Shutting down all IPA services") try: services.knownservices.ipa.stop() except Exception: # Fallback to direct ipactl stop only if system command fails try: run([paths.IPACTL, "stop"], raiseonerr=False) except Exception: pass ipaclient.install.client.restore_time_sync(sstore, fstore) kra.uninstall() ca.uninstall() dns.uninstall() httpinstance.HTTPInstance(fstore).uninstall() krbinstance.KrbInstance(fstore).uninstall() dsinstance.DsInstance(fstore=fstore).uninstall() if _server_trust_ad_installed: adtrustinstance.ADTRUSTInstance(fstore).uninstall() # realm isn't used, but IPAKEMKeys parses /etc/ipa/default.conf # otherwise, see https://pagure.io/freeipa/issue/7474 . custodiainstance.CustodiaInstance(realm='REALM.INVALID').uninstall() otpdinstance.OtpdInstance().uninstall() tasks.restore_hostname(fstore, sstore) fstore.restore_all_files() try: os.remove(paths.ROOT_IPA_CACHE) except Exception: pass try: os.remove(paths.ROOT_IPA_CSR) except Exception: pass # ipa-client-install removes /etc/ipa/default.conf sstore._load() ipaclient.install.timeconf.restore_forced_timeservices(sstore) # Clean up group_exists (unused since IPA 2.2, not being set since 4.1) sstore.restore_state("install", "group_exists") services.knownservices.ipa.disable() # remove upgrade state file sysupgrade.remove_upgrade_file() if fstore.has_files(): logger.error('Some files have not been restored, see ' '%s/sysrestore.index', SYSRESTORE_DIR_PATH) has_state = False for module in IPA_MODULES: # from installutils if sstore.has_state(module): logger.error('Some installation state for %s has not been ' 'restored, see %s/sysrestore.state', module, SYSRESTORE_DIR_PATH) has_state = True rv = 1 if has_state: logger.error('Some installation state has not been restored.\n' 'This may cause re-installation to fail.\n' 'It should be safe to remove %s/sysrestore.state ' 'but it may\n' 'mean your system hasn\'t be restored to its ' 'pre-installation state.', SYSRESTORE_DIR_PATH) else: # sysrestore.state has no state left, remove it sysrestore = os.path.join(SYSRESTORE_DIR_PATH, 'sysrestore.state') installutils.remove_file(sysrestore) # Note that this name will be wrong after the first uninstall. dirname = dsinstance.config_dirname( ipaldap.realm_to_serverid(api.env.realm)) dirs = [dirname, paths.PKI_TOMCAT_ALIAS_DIR, paths.HTTPD_ALIAS_DIR] ids = certmonger.check_state(dirs) if ids: logger.error('Some certificates may still be tracked by ' 'certmonger.\n' 'This will cause re-installation to fail.\n' 'Start the certmonger service and list the ' 'certificates being tracked\n' ' # getcert list\n' 'These may be untracked by executing\n' ' # getcert stop-tracking -i <request_id>\n' 'for each id in: %s', ', '.join(ids)) # Remove the cert renewal lock file try: os.remove(paths.IPA_RENEWAL_LOCK) except OSError as e: if e.errno != errno.ENOENT: logger.warning("Failed to remove file %s: %s", paths.IPA_RENEWAL_LOCK, e) print("Removing IPA client configuration") try: result = run([paths.IPA_CLIENT_INSTALL, "--on-master", "--unattended", "--uninstall"], raiseonerr=False, redirect_output=True) if result.returncode not in [0, 2]: raise RuntimeError("Failed to configure the client") except Exception: rv = 1 print("Uninstall of client side components failed!") sys.exit(rv)
def uninstall(self): if self.is_configured(): self.print_msg("Unconfiguring web server") running = self.restore_state("running") enabled = self.restore_state("enabled") # Restore oddjobd to its original state oddjobd = services.service('oddjobd', api) if not self.sstore.restore_state('oddjobd', 'running'): try: oddjobd.stop() except Exception: pass if not self.sstore.restore_state('oddjobd', 'enabled'): try: oddjobd.disable() except Exception: pass self.stop_tracking_certificates() helper = self.restore_state('certmonger_ipa_helper') if helper: bus = dbus.SystemBus() obj = bus.get_object('org.fedorahosted.certmonger', '/org/fedorahosted/certmonger') iface = dbus.Interface(obj, 'org.fedorahosted.certmonger') path = iface.find_ca_by_nickname('IPA') if path: ca_obj = bus.get_object('org.fedorahosted.certmonger', path) ca_iface = dbus.Interface(ca_obj, 'org.freedesktop.DBus.Properties') ca_iface.Set('org.fedorahosted.certmonger.ca', 'external-helper', helper) for f in [ paths.HTTPD_IPA_CONF, paths.HTTPD_SSL_CONF, paths.HTTPD_SSL_SITE_CONF, paths.HTTPD_NSS_CONF ]: try: self.fstore.restore_file(f) except ValueError as error: logger.debug("%s", error) # Remove the configuration files we create installutils.remove_keytab(self.keytab) remove_files = [ paths.HTTP_CCACHE, paths.HTTPD_CERT_FILE, paths.HTTPD_KEY_FILE, paths.HTTPD_PASSWD_FILE_FMT.format(host=api.env.host), paths.HTTPD_IPA_REWRITE_CONF, paths.HTTPD_IPA_CONF, paths.HTTPD_IPA_PKI_PROXY_CONF, paths.HTTPD_IPA_KDCPROXY_CONF_SYMLINK, paths.HTTPD_IPA_KDCPROXY_CONF, paths.GSSPROXY_CONF, paths.GSSAPI_SESSION_KEY, paths.HTTPD_PASSWORD_CONF, paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF, ] # NSS DB backups remove_files.extend( glob.glob(os.path.join(paths.HTTPD_ALIAS_DIR, '*.ipasave'))) if paths.HTTPD_IPA_WSGI_MODULES_CONF is not None: remove_files.append(paths.HTTPD_IPA_WSGI_MODULES_CONF) for filename in remove_files: installutils.remove_file(filename) try: os.rmdir(paths.SYSTEMD_SYSTEM_HTTPD_D_DIR) except OSError as e: if e.errno not in {errno.ENOENT, errno.ENOTEMPTY}: logger.error("Failed to remove directory %s", paths.SYSTEMD_SYSTEM_HTTPD_D_DIR) # Restore SELinux boolean states boolean_states = { name: self.restore_state(name) for name in constants.SELINUX_BOOLEAN_HTTPD } try: tasks.set_selinux_booleans(boolean_states) except ipapython.errors.SetseboolError as e: self.print_msg('WARNING: ' + str(e)) if running: self.restart() # disabled by default, by ldap_enable() if enabled: self.enable()
def uninstall(installer): fstore = installer._fstore sstore = installer._sstore rv = 0 print("Shutting down all IPA services") try: services.knownservices.ipa.stop() except Exception: # Fallback to direct ipactl stop only if system command fails try: run([paths.IPACTL, "stop"], raiseonerr=False) except Exception: pass ipaclient.install.client.restore_time_sync(sstore, fstore) kra.uninstall() ca.uninstall() dns.uninstall() httpinstance.HTTPInstance(fstore).uninstall() krbinstance.KrbInstance(fstore).uninstall() dsinstance.DsInstance(fstore=fstore).uninstall() if _server_trust_ad_installed: adtrustinstance.ADTRUSTInstance(fstore).uninstall() # realm isn't used, but IPAKEMKeys parses /etc/ipa/default.conf # otherwise, see https://pagure.io/freeipa/issue/7474 . custodiainstance.CustodiaInstance(realm='REALM.INVALID').uninstall() otpdinstance.OtpdInstance().uninstall() tasks.restore_hostname(fstore, sstore) fstore.restore_all_files() try: os.remove(paths.ROOT_IPA_CACHE) except Exception: pass try: os.remove(paths.ROOT_IPA_CSR) except Exception: pass # ipa-client-install removes /etc/ipa/default.conf sstore._load() ipaclient.install.timeconf.restore_forced_timeservices(sstore) # Clean up group_exists (unused since IPA 2.2, not being set since 4.1) sstore.restore_state("install", "group_exists") services.knownservices.ipa.disable() # remove upgrade state file sysupgrade.remove_upgrade_file() if fstore.has_files(): logger.error( 'Some files have not been restored, see ' '%s/sysrestore.index', SYSRESTORE_DIR_PATH) has_state = False for module in IPA_MODULES: # from installutils if sstore.has_state(module): logger.error( 'Some installation state for %s has not been ' 'restored, see %s/sysrestore.state', module, SYSRESTORE_DIR_PATH) has_state = True rv = 1 if has_state: logger.error( 'Some installation state has not been restored.\n' 'This may cause re-installation to fail.\n' 'It should be safe to remove %s/sysrestore.state ' 'but it may\n' 'mean your system hasn\'t be restored to its ' 'pre-installation state.', SYSRESTORE_DIR_PATH) else: # sysrestore.state has no state left, remove it sysrestore = os.path.join(SYSRESTORE_DIR_PATH, 'sysrestore.state') installutils.remove_file(sysrestore) # Note that this name will be wrong after the first uninstall. dirname = dsinstance.config_dirname( installutils.realm_to_serverid(api.env.realm)) dirs = [dirname, paths.PKI_TOMCAT_ALIAS_DIR, paths.HTTPD_ALIAS_DIR] ids = certmonger.check_state(dirs) if ids: logger.error( 'Some certificates may still be tracked by ' 'certmonger.\n' 'This will cause re-installation to fail.\n' 'Start the certmonger service and list the ' 'certificates being tracked\n' ' # getcert list\n' 'These may be untracked by executing\n' ' # getcert stop-tracking -i <request_id>\n' 'for each id in: %s', ', '.join(ids)) # Remove the cert renewal lock file try: os.remove(paths.IPA_RENEWAL_LOCK) except OSError as e: if e.errno != errno.ENOENT: logger.warning("Failed to remove file %s: %s", paths.IPA_RENEWAL_LOCK, e) print("Removing IPA client configuration") try: result = run([ paths.IPA_CLIENT_INSTALL, "--on-master", "--unattended", "--uninstall" ], raiseonerr=False, redirect_output=True) if result.returncode not in [0, 2]: raise RuntimeError("Failed to configure the client") except Exception: rv = 1 print("Uninstall of client side components failed!") sys.exit(rv)
def check(self): validate = [] ca_pw_fname = None if self.ca.is_configured(): try: ca_passwd = get_dogtag_cert_password() except IOError as e: yield Result( self, constants.ERROR, error=str(e), msg='Unable to read CA NSSDB token password: {error}') return else: with tempfile.NamedTemporaryFile(mode='w', delete=False) as ca_pw_file: ca_pw_file.write(ca_passwd) ca_pw_fname = ca_pw_file.name validate.append(( paths.PKI_TOMCAT_ALIAS_DIR, 'Server-Cert cert-pki-ca', ca_pw_fname, ), ) validate.append(( dsinstance.config_dirname(self.serverid), self.ds.get_server_cert_nickname(self.serverid), os.path.join(dsinstance.config_dirname(self.serverid), 'pwdfile.txt'), )) # Wrap in try/except to ensure the temporary password file is # removed try: for (dbdir, nickname, pinfile) in validate: # detect the database type so we have the right prefix db = certdb.NSSDatabase(dbdir) key = os.path.normpath(dbdir) + ':' + nickname try: response = self.validate_nss(dbdir, db.dbtype, pinfile, nickname) except ipautil.CalledProcessError as e: logger.debug('Validation of NSS certificate failed %s', e) yield Result( self, constants.ERROR, key=key, dbdir=dbdir, nickname=nickname, reason=response.output_error, msg='Validation of {nickname} in {dbdir} failed: ' '{reason}') else: if 'certificate is valid' not in \ response.raw_output.decode('utf-8'): yield Result( self, constants.ERROR, key=key, dbdir=dbdir, nickname=nickname, reason="%s: %s" % (response.raw_output.decode('utf-8'), response.error_log), msg='Validation of {nickname} in {dbdir} failed: ' '{reason}') else: yield Result(self, constants.SUCCESS, dbdir=dbdir, nickname=nickname, key=key) finally: if ca_pw_fname: installutils.remove_file(ca_pw_fname)
def uninstall(self): if self.is_configured(): self.print_msg("Unconfiguring web server") running = self.restore_state("running") enabled = self.restore_state("enabled") # Restore oddjobd to its original state oddjobd = services.service('oddjobd') if not self.sstore.restore_state('oddjobd', 'running'): try: oddjobd.stop() except Exception: pass if not self.sstore.restore_state('oddjobd', 'enabled'): try: oddjobd.disable() except Exception: pass self.stop_tracking_certificates() helper = self.restore_state('certmonger_ipa_helper') if helper: bus = dbus.SystemBus() obj = bus.get_object('org.fedorahosted.certmonger', '/org/fedorahosted/certmonger') iface = dbus.Interface(obj, 'org.fedorahosted.certmonger') path = iface.find_ca_by_nickname('IPA') if path: ca_obj = bus.get_object('org.fedorahosted.certmonger', path) ca_iface = dbus.Interface(ca_obj, 'org.freedesktop.DBus.Properties') ca_iface.Set('org.fedorahosted.certmonger.ca', 'external-helper', helper) for f in [ paths.HTTPD_IPA_CONF, paths.HTTPD_SSL_CONF, paths.HTTPD_NSS_CONF ]: try: self.fstore.restore_file(f) except ValueError as error: root_logger.debug(error) installutils.remove_keytab(self.keytab) installutils.remove_ccache(ccache_path=paths.KRB5CC_HTTPD, run_as=self.service_user) # Remove the configuration files we create installutils.remove_file(paths.HTTPD_IPA_REWRITE_CONF) installutils.remove_file(paths.HTTPD_IPA_CONF) installutils.remove_file(paths.HTTPD_IPA_PKI_PROXY_CONF) installutils.remove_file(paths.HTTPD_IPA_KDCPROXY_CONF_SYMLINK) installutils.remove_file(paths.HTTPD_IPA_KDCPROXY_CONF) tasks.remove_httpd_service_ipa_conf() # Restore SELinux boolean states boolean_states = { name: self.restore_state(name) for name in SELINUX_BOOLEAN_SETTINGS } try: tasks.set_selinux_booleans(boolean_states) except ipapython.errors.SetseboolError as e: self.print_msg('WARNING: ' + str(e)) if running: self.restart() # disabled by default, by ldap_enable() if enabled: self.enable()
def validate_certs(self): """Use certutil -V to validate the certs we can""" ca_pw_name = None if self.ca.is_configured(): ca_passwd = None token = 'internal' with open(paths.PKI_TOMCAT_PASSWORD_CONF, 'r') as f: for line in f: (tok, pin) = line.split('=', 1) if token == tok: ca_passwd = pin.strip() break else: self.failure("The password to the 'internal' " "token of the Dogtag certificate " "store was not found.") with tempfile.NamedTemporaryFile(mode='w', delete=False) as ca_pw_file: ca_pw_file.write(ca_passwd) ca_pw_name = ca_pw_file.name try: validate = [ ( dsinstance.config_dirname(self.serverid), self.ds.get_server_cert_nickname(self.serverid), os.path.join(dsinstance.config_dirname(self.serverid), 'pwdfile.txt'), ), ] if self.ca.is_configured(): validate.append(( paths.PKI_TOMCAT_ALIAS_DIR, 'Server-Cert cert-pki-ca', ca_pw_name, ), ) if version.NUM_VERSION < 40700: validate.append(( paths.HTTPD_ALIAS_DIR, self.http.get_mod_nss_nickname(), os.path.join(paths.HTTPD_ALIAS_DIR, 'pwdfile.txt'), ), ) for (dbdir, nickname, pinfile) in validate: args = [paths.CERTUTIL, "-V", "-u", "V", "-e"] args.extend(["-d", dbdir]) args.extend(["-n", nickname]) args.extend(["-f", pinfile]) try: result = ipautil.run(args) except ipautil.CalledProcessError as e: self.failure('Validation of %s in %s failed: %s' % (nickname, dbdir, e)) else: if 'certificate is valid' not in \ result.raw_output.decode('utf-8'): self.failure('Validation of %s in %s failed: ' '%s %s' % (nickname, dbdir, result.raw_output, result.error_log)) finally: if ca_pw_name: installutils.remove_file(ca_pw_name) if version.NUM_VERSION >= 40700: self.validate_openssl(paths.HTTPD_CERT_FILE) self.validate_openssl(paths.RA_AGENT_PEM)