

No commits in common. "c8" and "c10s" have entirely different histories.
c8 ... c10s

24 changed files with 206317 additions and 320 deletions


@ -1 +0,0 @@
ab77485e556d96c5c2b885ee3d0f27794276dfee SOURCES/certmonger-0.79.17.tar.gz

140
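--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,139 @@
-SOURCES/certmonger-0.79.17.tar.gz
+certmonger-0.17.tar.gz
+certmonger-0.18.tar.gz
+certmonger-0.19.tar.gz
+certmonger-0.20.tar.gz
+certmonger-0.21.tar.gz
+certmonger-0.22.tar.gz
+certmonger-0.23.tar.gz
+certmonger-0.24.tar.gz
+certmonger-0.26.tar.gz
+certmonger-0.28.tar.gz
+/certmonger-0.30.tar.gz
+/certmonger-0.32.tar.gz
+/certmonger-0.34.tar.gz
+/certmonger-0.35.tar.gz
+/certmonger-0.35.1.tar.gz
+/certmonger-0.36.tar.gz
+/certmonger-0.37.tar.gz
+/certmonger-0.38.tar.gz
+/certmonger-0.39.tar.gz
+/certmonger-0.40.tar.gz
+/certmonger-0.41.tar.gz
+/certmonger-0.42.tar.gz
+/certmonger-0.43.tar.gz
+/certmonger-0.44.tar.gz
+/certmonger-0.45.tar.gz
+/certmonger-0.46.tar.gz
+/certmonger-0.49.tar.gz
+/certmonger-0.49.tar.gz.sig
+/certmonger-0.50.tar.gz
+/certmonger-0.50.tar.gz.sig
+/certmonger-0.51.tar.gz
+/certmonger-0.51.tar.gz.sig
+/certmonger-0.52.tar.gz
+/certmonger-0.52.tar.gz.sig
+/certmonger-0.54.tar.gz
+/certmonger-0.54.tar.gz.sig
+/certmonger-0.55.tar.gz
+/certmonger-0.55.tar.gz.sig
+/certmonger-0.56.tar.gz
+/certmonger-0.56.tar.gz.sig
+/certmonger-0.59.tar.gz
+/certmonger-0.59.tar.gz.sig
+/certmonger-0.60.tar.gz
+/certmonger-0.60.tar.gz.sig
+/certmonger-0.61.tar.gz
+/certmonger-0.61.tar.gz.sig
+/certmonger-0.62.tar.gz
+/certmonger-0.62.tar.gz.sig
+/certmonger-0.63.tar.gz
+/certmonger-0.63.tar.gz.sig
+/certmonger-0.65.tar.gz
+/certmonger-0.65.tar.gz.sig
+/certmonger-0.67.tar.gz
+/certmonger-0.67.tar.gz.sig
+/certmonger-0.68.tar.gz
+/certmonger-0.68.tar.gz.sig
+/certmonger-0.69.tar.gz
+/certmonger-0.69.tar.gz.sig
+/certmonger-0.70.tar.gz
+/certmonger-0.70.tar.gz.sig
+/certmonger-0.71.2.tar.gz
+/certmonger-0.71.2.tar.gz.sig
+/certmonger-0.73.tar.gz
+/certmonger-0.73.tar.gz.sig
+/certmonger-0.74.tar.gz
+/certmonger-0.74.tar.gz.sig
+/certmonger-0.75.tar.gz
+/certmonger-0.75.tar.gz.sig
+/certmonger-0.75.1.tar.gz
+/certmonger-0.75.1.tar.gz.sig
+/certmonger-0.75.2.tar.gz
+/certmonger-0.75.2.tar.gz.sig
+/certmonger-0.75.3.tar.gz
+/certmonger-0.75.3.tar.gz.sig
+/certmonger-0.75.5.tar.gz
+/certmonger-0.75.5.tar.gz.sig
+/certmonger-0.75.6.tar.gz
+/certmonger-0.75.6.tar.gz.sig
+/certmonger-0.75.8.tar.gz
+/certmonger-0.75.8.tar.gz.sig
+/certmonger-0.75.9.tar.gz
+/certmonger-0.75.9.tar.gz.sig
+/certmonger-0.75.10.tar.gz
+/certmonger-0.75.10.tar.gz.sig
+/certmonger-0.75.13.tar.gz
+/certmonger-0.75.13.tar.gz.sig
+/certmonger-0.75.14.tar.gz
+/certmonger-0.75.14.tar.gz.sig
+/certmonger-0.76.6.tar.gz
+/certmonger-0.76.6.tar.gz.sig
+/certmonger-0.76.7.tar.gz
+/certmonger-0.76.7.tar.gz.sig
+/certmonger-0.76.8.tar.gz
+/certmonger-0.76.8.tar.gz.sig
+/certmonger-0.77.1.tar.gz
+/certmonger-0.77.1.tar.gz.sig
+/certmonger-0.77.2.tar.gz
+/certmonger-0.77.2.tar.gz.sig
+/certmonger-0.77.3.tar.gz
+/certmonger-0.77.3.tar.gz.sig
+/certmonger-0.77.4.tar.gz
+/certmonger-0.77.4.tar.gz.sig
+/certmonger-0.77.5.tar.gz
+/certmonger-0.77.5.tar.gz.sig
+/certmonger-0.78.tar.gz
+/certmonger-0.78.tar.gz.sig
+/certmonger-0.78.1.tar.gz
+/certmonger-0.78.1.tar.gz.sig
+/certmonger-0.78.2.tar.gz
+/certmonger-0.78.2.tar.gz.sig
+/certmonger-0.78.3.tar.gz
+/certmonger-0.78.3.tar.gz.sig
+/certmonger-0.78.4.tar.gz
+/certmonger-0.78.4.tar.gz.sig
+/certmonger-0.78.5.tar.gz
+/certmonger-0.78.5.tar.gz.sig
+/certmonger-0.78.6.tar.gz
+/certmonger-0.78.6.tar.gz.sig
+/certmonger-0.79.2.tar.gz
+/certmonger-0.79.2.tar.gz.sig
+/certmonger-0.79.3.tar.gz
+/certmonger-0.79.3.tar.gz.sig
+/certmonger-0.79.4.tar.gz
+/certmonger-0.79.5.tar.gz
+/certmonger-0.79.6.tar.gz
+/certmonger-0.79.7.tar.gz
+/certmonger-0.79.8.tar.gz
+/certmonger-0.79.9.tar.gz
+/certmonger-0.79.10.tar.gz
+/certmonger-0.79.11.tar.gz
+/certmonger-0.79.12.tar.gz
+/certmonger-0.79.13.tar.gz
+/certmonger-0.79.14.tar.gz
+/certmonger-0.79.15.tar.gz
+/certmonger-0.79.16.tar.gz
+/certmonger-0.79.17.tar.gz
+/certmonger-0.79.18.tar.gz
+/certmonger-0.79.19.tar.gz
+/certmonger-0.79.20.tar.gz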


@ -0,0 +1,29 @@
From c5270bde4dab84f18c347e82376ef00733865247 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 1 Jul 2020 10:46:50 -0400
Subject: [PATCH] Don't free soptions while it is still needed
Introduced in fbcf03dd44007a9b231e9396cc418a00e1a4b49a trying
to avoid leaking soptions and aoptions.
https://pagure.io/certmonger/issue/163
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
src/dogtag.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/dogtag.c b/src/dogtag.c
index 91c9c588..faf81f97 100644
--- a/src/dogtag.c
+++ b/src/dogtag.c
@@ -579,7 +579,6 @@ main(int argc, const char **argv)
pin = NULL;
}
}
- free(soptions);
/* Add client creds. */
if (uid != NULL) {
uid = cm_submit_u_url_encode(uid);
--
2.25.4
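Review bot: Dropping `free(soptions);` cures the use-after-free but brings back the leak that fbcf03dd44007a9b231e9396cc418a00e1a4b49a set out to fix, because no free is added after the last use of soptions. Moving the call is the better fix than deleting it: keep `free(soptions);` and place it after the code that still reads soptions, on the function's cleanup path next to the other frees. main() in src/dogtag.c begins and ends outside the hunk, so the last use of soptions is not visible here; confirm it before placing the free.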


@ -0,0 +1,28 @@
From 00e948049acf0ca1b61ed9c2b8579b06b4bcb46a Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 18 Aug 2020 14:33:17 -0400
Subject: [PATCH 02/11] Don't send SIGKILL to children, give them a chance to
die
This was causing issues in IPA which uses a lock file to
serialize some operations. The kill was leaving the lock in
place causing things to time out.
---
src/subproc.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/subproc.c b/src/subproc.c
index 8df836ae..70d4ed93 100644
--- a/src/subproc.c
+++ b/src/subproc.c
@@ -240,7 +240,6 @@ cm_subproc_done(struct cm_subproc_state *state)
if (state != NULL) {
if (state->pid != -1) {
- kill(state->pid, SIGKILL);
do {
pid = waitpid(state->pid, &state->status, 0);
cm_log(4, "Waited for %ld, got %ld.\n",
--
2.25.4
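Review bot: With `kill(state->pid, SIGKILL);` gone, cm_subproc_done no longer signals the child at all, so the `waitpid(state->pid, &state->status, 0)` loop right below blocks until the helper exits on its own; a helper that is stuck (for example waiting on the very lock the message describes) now stalls the daemon indefinitely instead of leaving a stale lock behind. A gentler but still bounded shutdown would ask first and escalate later: `kill(state->pid, SIGTERM);` in place of the removed line, followed by a grace period before falling back to SIGKILL. cm_subproc_done continues outside the hunk, so whether a caller already bounds this wait is not visible here; if it does, a comment at the removed line saying so would stop the next reader from re-adding the kill.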



@ -0,0 +1,28 @@
From 93974735c31e653acc0d3de7e1cb165dbe764aef Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Wed, 16 Sep 2020 15:49:00 +1000
Subject: [PATCH 04/11] remove dead make targets
Commit 13abd68c7b862719e7b0ed065906cc28c6157a41 removed some files,
but left dangling references to those files in tests/Makefile.am,
breaking the build. Delete references to the deleted files.
---
tests/Makefile.am | 2 --
1 file changed, 2 deletions(-)
diff --git a/tests/Makefile.am b/tests/Makefile.am
index c1ce8412..013d34bf 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -156,8 +156,6 @@ EXTRA_DIST = \
002-keygen-dsa/prequal.sh \
002-keygen-dsa/run.sh \
002-keygen-dsa/expected.out \
- 002-keygen-dsa/expected.out.2 \
- 002-keygen-dsa/expected.out.3 \
002-keygen-ec/prequal.sh \
002-keygen-ec/run.sh \
002-keygen-ec/expected.out \
--
2.25.4


@ -0,0 +1,201 @@
From 1de7c2e7d4f3557bb45b9526016b766c7119c6ad Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 20 Aug 2020 16:52:13 -0400
Subject: [PATCH 05/11] Require jansson for IPA RPC calls, make xmlrpc optional
xmlrpc is now only used for certmaster
IPA will only make JSON RPC calls to retrieve certificates
---
configure.ac | 59 ++++++++++++++++++++++++++++++-------------------
src/Makefile.am | 33 ++++++++++++++++++++-------
2 files changed, 61 insertions(+), 31 deletions(-)
diff --git a/configure.ac b/configure.ac
index abcd6d84..14991244 100644
--- a/configure.ac
+++ b/configure.ac
@@ -278,29 +278,42 @@ if ! ${configure_dist_target_only:-false} ; then
CPPFLAGS="$savedCPPFLAGS"
LDFLAGS="$savedLDFLAGS"
- dnl PKG_CHECK_MODULES(XMLRPC,xmlrpc_client) # Not provided in upstream versions.
- savedCFLAGS="$CFLAGS"
- CFLAGS=
- AC_ARG_VAR(XMLRPC_C_CONFIG,[the full path of the xmlrpc-c-config command])
- AC_PATH_PROG(XMLRPC_C_CONFIG,[xmlrpc-c-config],,[$PATH$PATH_SEPARATOR/usr/xmlrpc/bin$PATH_SEPARATOR/usr/xmlrpc-c/bin])
- if test -z "$XMLRPC_C_CONFIG" ; then
- AC_MSG_ERROR(xmlrpc-c-config not found)
- fi
- AC_MSG_CHECKING(for XMLRPC CFLAGS)
- XMLRPC_CFLAGS="`${XMLRPC_C_CONFIG} client --cflags` `${XMLRPC_C_CONFIG} --cflags`"
- AC_MSG_RESULT([$XMLRPC_CFLAGS])
- AC_SUBST(XMLRPC_CFLAGS)
- AC_MSG_CHECKING(for XMLRPC LIBS)
- XMLRPC_LIBS="`${XMLRPC_C_CONFIG} client --libs` `${XMLRPC_C_CONFIG} --libs`"
- AC_MSG_RESULT([$XMLRPC_LIBS])
- AC_SUBST(XMLRPC_LIBS)
- CFLAGS="$CFLAGS $XMLRPC_CFLAGS"
- AC_CHECK_MEMBERS(struct xmlrpc_curl_xportparms.gssapi_delegation,,,
- [
- #include <xmlrpc-c/client.h>
- #include <xmlrpc-c/transport.h>
- ])
- CFLAGS="$savedCFLAGS"
+ PKG_CHECK_MODULES(JANSSON,jansson)
+ have_jansson=true
+
+ AC_ARG_WITH([xmlrpc],
+ [AC_HELP_STRING([--with-xmlrpc], [Enable XML-RPC support])],
+ [with_xmlrpc=${with_xmlrpc}],
+ [with_xmlrpc=no])
+ AS_IF([test x"$with_xmlrpc" = xyes], [AC_DEFINE([WITH_XMLRPC], [1],
+ [include XMLRPC support])])
+ AM_CONDITIONAL(WITH_XMLRPC,test x"$with_xmlrpc" = xyes)
+
+ AS_IF([test x"$with_xmlrpc" = xyes], [
+ dnl PKG_CHECK_MODULES(XMLRPC,xmlrpc_client) # Not provided in upstream versions.
+ savedCFLAGS="$CFLAGS"
+ CFLAGS=
+ AC_ARG_VAR(XMLRPC_C_CONFIG,[the full path of the xmlrpc-c-config command])
+ AC_PATH_PROG(XMLRPC_C_CONFIG,[xmlrpc-c-config],,[$PATH$PATH_SEPARATOR/usr/xmlrpc/bin$PATH_SEPARATOR/usr/xmlrpc-c/bin])
+ if test -z "$XMLRPC_C_CONFIG" ; then
+ AC_MSG_ERROR(xmlrpc-c-config not found)
+ fi
+ AC_MSG_CHECKING(for XMLRPC CFLAGS)
+ XMLRPC_CFLAGS="`${XMLRPC_C_CONFIG} client --cflags` `${XMLRPC_C_CONFIG} --cflags`"
+ AC_MSG_RESULT([$XMLRPC_CFLAGS])
+ AC_SUBST(XMLRPC_CFLAGS)
+ AC_MSG_CHECKING(for XMLRPC LIBS)
+ XMLRPC_LIBS="`${XMLRPC_C_CONFIG} client --libs` `${XMLRPC_C_CONFIG} --libs`"
+ AC_MSG_RESULT([$XMLRPC_LIBS])
+ AC_SUBST(XMLRPC_LIBS)
+ CFLAGS="$CFLAGS $XMLRPC_CFLAGS"
+ AC_CHECK_MEMBERS(struct xmlrpc_curl_xportparms.gssapi_delegation,,,
+ [
+ #include <xmlrpc-c/client.h>
+ #include <xmlrpc-c/transport.h>
+ ])
+ CFLAGS="$savedCFLAGS"
+ ])
savedCFLAGS="$CFLAGS"
savedCPPFLAGS="$CPPFLAGS"
diff --git a/src/Makefile.am b/src/Makefile.am
index 5343dbc4..13bd87d9 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -11,15 +11,17 @@ LDFLAGS += -Wl,-z,relro,-z,now
endif
man_MANS = certmonger.8 getcert.1 getcert-request.1 getcert-list.1 \
getcert-list-cas.1 getcert-start-tracking.1 getcert-stop-tracking.1 \
- selfsign-getcert.1 ipa-getcert.1 certmaster-getcert.1 \
+ selfsign-getcert.1 ipa-getcert.1 \
getcert-resubmit.1 certmonger-ipa-submit.8 \
- certmonger-certmaster-submit.8 \
certmonger-dogtag-ipa-renew-agent-submit.8 certmonger.conf.5 \
getcert-refresh.1 getcert-refresh-ca.1 local-getcert.1 \
certmonger-local-submit.8 getcert-status.1 \
certmonger-dogtag-submit.8 certmonger-scep-submit.8 \
getcert-add-ca.1 getcert-add-scep-ca.1 getcert-modify-ca.1 \
getcert-remove-ca.1 getcert-rekey.1
+if WITH_XMLRPC
+man_MANS += certmaster-getcert.1 certmonger-certmaster-submit.8
+endif
pkgsysconfdir = $(sysconfdir)/$(PACKAGE)
pkgsysconf_DATA = certmonger.conf
EXTRA_PROGRAMS =
@@ -105,8 +107,6 @@ libcm_a_SOURCES = \
submit-sn.c \
submit-u.c \
submit-u.h \
- submit-x.c \
- submit-x.h \
subproc.c \
subproc.h \
tdbus.c \
@@ -121,6 +121,11 @@ libcm_a_SOURCES = \
util-m.h \
util-n.c \
util-n.h
+if WITH_XMLRPC
+libcm_a_SOURCES += \
+ submit-x.c \
+ submit-x.h
+endif
libcm_o_a_SOURCES =
if HAVE_OPENSSL
libcm_o_a_SOURCES += \
@@ -158,11 +163,13 @@ ipa_getcert_SOURCES = ipa-getcert.c tm.c tm.h
ipa_getcert_LDADD = $(getcert_LDADD)
endif
if WITH_IPA
+if WITH_XMLRPC
bin_PROGRAMS += certmaster-getcert
certmaster_getcert_CFLAGS = $(getcert_CFLAGS)
certmaster_getcert_SOURCES = certmaster-getcert.c tm.c tm.h
certmaster_getcert_LDADD = $(getcert_LDADD)
endif
+endif
bin_PROGRAMS += selfsign-getcert
selfsign_getcert_CFLAGS = $(getcert_CFLAGS)
selfsign_getcert_SOURCES = selfsign-getcert.c tm.c tm.h
@@ -181,21 +188,28 @@ certmonger_session_SOURCES = main.c env-session.c tm.c tm.h
certmonger_session_LDADD = libcm.a \
$(OPENSSL_LIBS) $(CERTMONGER_LIBS) $(KRB5_LIBS) $(IDN_LIBS) \
$(GMP_LIBS) $(UUID_LIBS) $(POPT_LIBS) $(LTLIBICONV) $(LDAP_LIBS)
-noinst_PROGRAMS = tdbusm-check serial-check nl-check submit-x toklist
+noinst_PROGRAMS = tdbusm-check serial-check nl-check toklist
+if WITH_XMLRPC
+noinst_PROGRAMS += submit-x
+endif
tdbusm_check_SOURCES = tdbusm-check.c tm.c tm.h
tdbusm_check_LDADD = libcm.a $(CERTMONGER_LIBS) $(POPT_LIBS) $(LDAP_LIBS)
serial_check_LDADD = libcm.a $(CERTMONGER_LIBS) $(LTLIBICONV) $(LDAP_LIBS)
nl_check_LDADD = libcm.a $(CERTMONGER_LIBS) $(LDAP_LIBS)
+if WITH_XMLRPC
submit_x_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS) -DCM_SUBMIT_X_MAIN
submit_x_SOURCES = submit-x.c submit-x.h submit-u.c submit-u.h log.c log.h \
tm.c tm.h
submit_x_LDADD = $(XMLRPC_LIBS) $(KRB5_LIBS) $(TALLOC_LIBS) \
$(GMP_LIBS) $(UUID_LIBS) $(POPT_LIBS)
+endif
toklist_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS)
toklist_LDADD = $(NSS_LIBS) $(POPT_LIBS)
if WITH_CERTMASTER
+if WITH_XMLRPC
pkglibexec_PROGRAMS += certmaster-submit
endif
+endif
if WITH_IPA
pkglibexec_PROGRAMS += ipa-submit
endif
@@ -205,19 +219,22 @@ pkglibexec_PROGRAMS += local-submit
pkglibexec_PROGRAMS += scep-submit
endif
noinst_PROGRAMS += submit-h submit-d
-ipa_submit_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS)
+ipa_submit_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS) $(CURL_CFLAGS) $(JANSSON_CFLAGS)
ipa_submit_SOURCES = ipa.c srvloc.c srvloc.h store.h store-gen.c \
- submit-x.c submit-x.h submit-u.c submit-u.h \
+ submit-h.c submit-h.h submit-u.c submit-u.h \
submit-e.h util.c util.h log.c log.h tm.c tm.h
ipa_submit_LDADD = $(XMLRPC_LIBS) $(LDAP_LIBS) $(KRB5_LIBS) $(TALLOC_LIBS) \
$(GMP_LIBS) $(IDN_LIBS) $(OPENSSL_LIBS) $(UUID_LIBS) \
- $(RESOLV_LIBS) $(LTLIBICONV) $(POPT_LIBS)
+ $(RESOLV_LIBS) $(LTLIBICONV) $(POPT_LIBS) $(CURL_LIBS) \
+ $(JANSSON_LIBS)
+if WITH_XMLRPC
certmaster_submit_CFLAGS = $(AM_CFLAGS) $(NSS_CFLAGS)
certmaster_submit_SOURCES = certmaster.c submit-x.c submit-x.h \
submit-e.h submit-u.c submit-u.h util.c util.h log.c log.h \
tm.c tm.h
certmaster_submit_LDADD = $(XMLRPC_LIBS) $(KRB5_LIBS) $(TALLOC_LIBS) \
$(GMP_LIBS) $(UUID_LIBS) $(LTLIBICONV) $(POPT_LIBS)
+endif
dogtag_ipa_renew_agent_submit_CFLAGS = $(AM_CFLAGS) $(XML_CFLAGS) \
$(NSS_CFLAGS) $(CURL_CFLAGS) \
-DDOGTAG_IPA_RENEW_AGENT=1
--
2.25.4
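Review bot: `ipa_submit_LDADD = $(XMLRPC_LIBS) $(LDAP_LIBS) $(KRB5_LIBS) $(TALLOC_LIBS) \` in the src/Makefile.am hunk still links ipa-submit against XMLRPC_LIBS although the same hunk drops submit-x.c from ipa_submit_SOURCES and configure.ac now only substitutes XMLRPC_LIBS under --with-xmlrpc; with the default `with_xmlrpc=no` the variable is empty, and with it enabled ipa-submit picks up a library it no longer calls. Drop it: `ipa_submit_LDADD = $(LDAP_LIBS) $(KRB5_LIBS) $(TALLOC_LIBS) \`. Two smaller points in the configure.ac hunk: `have_jansson=true` is assigned but nothing visible reads it, and `AC_HELP_STRING` is the obsolete spelling of `AS_HELP_STRING`, which newer autoconf releases warn about.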


@ -0,0 +1,93 @@
From aedf7f646f28d58c6bc422423401c1d0eb31ee75 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 20 Aug 2020 16:53:50 -0400
Subject: [PATCH 06/11] Make xmlrpc optional in the certmonger spec file,
disable certmaster
This disables certmaster support by default since it requires
xmlrpc
---
certmonger.spec | 22 +++++++++++++++++++++-
configure.ac | 1 +
2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/certmonger.spec b/certmonger.spec
index e1f5536e..a8e1d2e8 100644
--- a/certmonger.spec
+++ b/certmonger.spec
@@ -24,6 +24,8 @@
%global sysvinitdir %{_initrddir}
%endif
+%bcond_with xmlrpc
+
Name: certmonger
Version: 0.79.11
Release: 1%{?dist}
@@ -37,6 +39,7 @@ Source0: http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
BuildRequires: openldap-devel
+BuildRequires: krb5-devel
BuildRequires: dbus-devel, nspr-devel, nss-devel, openssl-devel, libidn2-devel
BuildRequires: autoconf, automake, gcc, gettext-devel
%if 0%{?fedora} >= 12 || 0%{?rhel} >= 6
@@ -50,7 +53,11 @@ BuildRequires: libcurl-devel
%else
BuildRequires: curl-devel
%endif
-BuildRequires: libxml2-devel, xmlrpc-c-devel
+BuildRequires: libxml2-devel
+%if %{with xmlrpc}
+BuildRequires: xmlrpc-c-devel
+%endif
+BuildRequires: jansson-devel
%if 0%{?rhel} && 0%{?rhel} < 6
BuildRequires: bind-libbind-devel
BuildRequires: mktemp
@@ -132,10 +139,17 @@ sed -i 's,^# chkconfig: - ,# chkconfig: 345 ,g' sysvinit/certmonger.in
--enable-tmpfiles \
%endif
--with-homedir=/run/certmonger \
+%if %{with xmlrpc}
+ --with-xmlrpc \
+%endif
--with-tmpdir=/run/certmonger --enable-pie --enable-now
+%if %{with xmlrpc}
# For some reason, some versions of xmlrpc-c-config in Fedora and RHEL just
# tell us about libxmlrpc_client, but we need more. Work around.
make %{?_smp_mflags} XMLRPC_LIBS="-lxmlrpc_client -lxmlrpc_util -lxmlrpc"
+%else
+make %{?_smp_mflags}
+%endif
%install
rm -rf $RPM_BUILD_ROOT
@@ -154,6 +168,12 @@ rm -rf $RPM_BUILD_ROOT
if test $1 -eq 1 ; then
%{_bindir}/dbus-send --system --type=method_call --dest=org.freedesktop.DBus / org.freedesktop.DBus.ReloadConfig 2>&1 || :
fi
+%if %{without xmlrpc}
+# remove any existing certmaster CA configuration
+if test $1 -gt 1 ; then
+ %{_bindir}/getcert remove-ca -c certmaster 2>&1 || :
+fi
+%endif
%if %{systemd}
if test $1 -eq 1 ; then
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
diff --git a/configure.ac b/configure.ac
index 14991244..f2964856 100644
--- a/configure.ac
+++ b/configure.ac
@@ -876,6 +876,7 @@ else
AM_CONDITIONAL(HAVE_EC,false)
AM_CONDITIONAL(WITH_IPA,false)
AM_CONDITIONAL(WITH_CERTMASTER,false)
+ AM_CONDITIONAL(WITH_XMLRPC,false)
AM_CONDITIONAL(WITH_LOCAL,false)
AM_CONDITIONAL(HAVE_UUID,false)
fi
--
2.25.4
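Review bot: The new `%if %{without xmlrpc}` block in %post runs `%{_bindir}/getcert remove-ca -c certmaster 2>&1 || :` on upgrade, but getcert talks to the certmonger daemon over D-Bus, which during an RPM transaction is often stopped or mid-restart (unless bus activation happens to start it), so the removal can fail and `|| :` hides that; the stale certmaster CA entry then survives while its certmaster-submit helper is no longer installed. If the scriptlet stays, make the failure visible instead of discarding it, e.g. `%{_bindir}/getcert remove-ca -c certmaster >/dev/null 2>&1 || echo "certmonger: certmaster CA entry not removed; run 'getcert remove-ca -c certmaster' once certmonger is running" >&2`, and extend the comment above it to say the step needs a reachable daemon. Whether the daemon is up at %post time depends on the systemd scriptlet ordering further down the spec, which this hunk does not show.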


@ -0,0 +1,155 @@
From 4347ce74b0001c002cb449b8dd63819634e980ae Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 20 Aug 2020 16:55:36 -0400
Subject: [PATCH 07/11] Add Referer header option to the submit-h API
This will allow IPA API requests that require the Referer header
to be set.
---
src/dogtag.c | 2 +-
src/scep.c | 6 +++---
src/submit-d.c | 2 +-
src/submit-h.c | 20 +++++++++++++++-----
src/submit-h.h | 1 +
5 files changed, 21 insertions(+), 10 deletions(-)
diff --git a/src/dogtag.c b/src/dogtag.c
index faf81f97..d36ac008 100644
--- a/src/dogtag.c
+++ b/src/dogtag.c
@@ -691,7 +691,7 @@ main(int argc, const char **argv)
/* Submit the form(s). */
hctx = NULL;
while (url != NULL) {
- hctx = cm_submit_h_init(ctx, method, url, params, NULL, NULL,
+ hctx = cm_submit_h_init(ctx, method, url, params, NULL, NULL, NULL,
cainfo, capath, sslcert, sslkey, sslpin,
cm_submit_h_negotiate_off,
cm_submit_h_delegate_off,
diff --git a/src/scep.c b/src/scep.c
index c74ca574..e384e8da 100644
--- a/src/scep.c
+++ b/src/scep.c
@@ -496,7 +496,7 @@ main(int argc, const char **argv)
}
/* Submit the first request. */
- hctx = cm_submit_h_init(ctx, "GET", url, params, NULL, NULL,
+ hctx = cm_submit_h_init(ctx, "GET", url, params, NULL, NULL, NULL,
cainfo, NULL, NULL, NULL, NULL,
cm_submit_h_negotiate_off,
cm_submit_h_delegate_off,
@@ -593,7 +593,7 @@ main(int argc, const char **argv)
}
/* Submit a second HTTP request if we have one to make. */
if (params2 != NULL) {
- hctx = cm_submit_h_init(ctx, "GET", url, params2, NULL, NULL,
+ hctx = cm_submit_h_init(ctx, "GET", url, params2, NULL, NULL, NULL,
NULL, NULL, NULL, NULL, NULL,
cm_submit_h_negotiate_off,
cm_submit_h_delegate_off,
@@ -794,7 +794,7 @@ main(int argc, const char **argv)
OP_GET_CA_CERT
"&message=%d", i++);
hctx = cm_submit_h_init(ctx, "GET", url, params,
- NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL, NULL,
NULL, NULL, NULL,
cm_submit_h_negotiate_off,
cm_submit_h_delegate_off,
diff --git a/src/submit-d.c b/src/submit-d.c
index 3adaa4a6..f1877c34 100644
--- a/src/submit-d.c
+++ b/src/submit-d.c
@@ -1188,7 +1188,7 @@ restart:
fprintf(stderr, "url = \"%s%s%s\"\n", uri,
params ? "?" : "", params ? params : "");
}
- hctx = cm_submit_h_init(ctx, method, uri, params, NULL, NULL,
+ hctx = cm_submit_h_init(ctx, method, uri, params, NULL, NULL, NULL,
cainfo, capath, sslcert, sslkey, sslpin,
cm_submit_h_negotiate_off,
cm_submit_h_delegate_off,
diff --git a/src/submit-h.c b/src/submit-h.c
index 9b507dbe..c04909b1 100644
--- a/src/submit-h.c
+++ b/src/submit-h.c
@@ -51,7 +51,7 @@
struct cm_submit_h_context {
int ret;
long response_code;
- char *method, *uri, *args, *accept, *ctype, *cainfo, *capath, *result;
+ char *method, *uri, *args, *accept, *ctype, *referer, *cainfo, *capath, *result;
int result_length;
char *sslcert, *sslkey, *sslpass;
enum cm_submit_h_opt_negotiate negotiate;
@@ -66,7 +66,7 @@ struct cm_submit_h_context *
cm_submit_h_init(void *parent,
const char *method, const char *uri, const char *args,
const char *content_type, const char *accept,
- const char *cainfo, const char *capath,
+ const char *referer, const char *cainfo, const char *capath,
const char *sslcert, const char *sslkey, const char *sslpass,
enum cm_submit_h_opt_negotiate neg,
enum cm_submit_h_opt_delegate del,
@@ -84,6 +84,7 @@ cm_submit_h_init(void *parent,
ctx->ctype = content_type ?
talloc_strdup(ctx, content_type) :
NULL;
+ ctx->referer = referer ? talloc_strdup(ctx, referer) : NULL;
ctx->accept = accept ? talloc_strdup(ctx, accept) : NULL;
ctx->cainfo = cainfo ? talloc_strdup(ctx, cainfo) : NULL;
ctx->capath = capath ? talloc_strdup(ctx, capath) : NULL;
@@ -180,10 +181,11 @@ cm_submit_h_run(struct cm_submit_h_context *ctx)
}
}
if (ctx->negotiate == cm_submit_h_negotiate_on) {
-#if defined(CURLOPT_HTTPAUTH) && defined(CURLAUTH_GSSNEGOTIATE)
+#if defined(CURLAUTH_NEGOTIATE)
curl_easy_setopt(ctx->curl,
CURLOPT_HTTPAUTH,
- CURLAUTH_GSSNEGOTIATE);
+ CURLAUTH_NEGOTIATE);
+ curl_easy_setopt(ctx->curl, CURLOPT_USERPWD, ":");
#else
cm_log(-1,
"warning: libcurl doesn't appear to support "
@@ -243,6 +245,14 @@ cm_submit_h_run(struct cm_submit_h_context *ctx)
header);
}
}
+ if (ctx->referer != NULL) {
+ header = talloc_asprintf(ctx, "Referer: %s",
+ ctx->referer);
+ if (header != NULL) {
+ headers = curl_slist_append(headers,
+ header);
+ }
+ }
curl_easy_setopt(ctx->curl, CURLOPT_HTTPHEADER, headers);
curl_easy_setopt(ctx->curl, CURLOPT_WRITEFUNCTION,
append_result);
@@ -415,7 +425,7 @@ main(int argc, const char **argv)
}
ctx = cm_submit_h_init(NULL, method, url, poptGetArg(pctx),
- ctype, accept,
+ ctype, accept, NULL,
cainfo, capath, sslcert, sslkey, sslpass,
negotiate, negotiate_delegate,
clientauth, cm_submit_h_env_modify_on,
diff --git a/src/submit-h.h b/src/submit-h.h
index 931cc890..b33544af 100644
--- a/src/submit-h.h
+++ b/src/submit-h.h
@@ -45,6 +45,7 @@ struct cm_submit_h_context *cm_submit_h_init(void *parent,
const char *args,
const char *content_type,
const char *accept,
+ const char *referer,
const char *cainfo,
const char *capath,
const char *sslcert,
--
2.25.4
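Review bot: An undocumented authentication change is bundled into the Referer commit: in the cm_submit_h_run hunk `CURLAUTH_GSSNEGOTIATE` becomes `CURLAUTH_NEGOTIATE` and a new `curl_easy_setopt(ctx->curl, CURLOPT_USERPWD, ":");` appears, with no mention in the message and no comment in the code. The empty user/password is, as far as I recall, what makes libcurl actually attempt Negotiate with the identity from the Kerberos ccache, so it deserves a comment rather than looking like a leftover: `/* libcurl only tries Negotiate once credentials are set; ":" is a placeholder, the real identity comes from the GSSAPI ccache. */`. Ideally the auth change would be its own commit so it can be bisected separately from the Referer plumbing. The new `referer` parameter itself is threaded consistently through all the call sites shown, and the header is only appended when it is non-NULL.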


@ -0,0 +1,838 @@
From fdc2851233f532eb78363784712c597c63e1c4c1 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 20 Aug 2020 16:57:38 -0400
Subject: [PATCH 08/11] Switch IPA calls to use the JSON-RPC endpoint instead
of XMLRPC
IPA has provided a JSON-RPC interface for many years now and has
long term plans to drop support for XMLRPC.
---
src/ipa.c | 546 ++++++++++++++++++++++++++++++++++++++--------
src/store-files.c | 2 +
2 files changed, 463 insertions(+), 85 deletions(-)
diff --git a/src/ipa.c b/src/ipa.c
index e4295826..8c089e68 100644
--- a/src/ipa.c
+++ b/src/ipa.c
@@ -33,8 +33,7 @@
#include <talloc.h>
-#include <xmlrpc-c/client.h>
-#include <xmlrpc-c/transport.h>
+#include <jansson.h>
#include <ldap.h>
#include <krb5.h>
@@ -46,7 +45,7 @@
#include "store.h"
#include "submit-e.h"
#include "submit-u.h"
-#include "submit-x.h"
+#include "submit-h.h"
#include "util.h"
#ifdef ENABLE_NLS
@@ -56,6 +55,229 @@
#define _(_text) (_text)
#endif
+static char *
+get_error_message(krb5_context ctx, krb5_error_code kcode)
+{
+ const char *ret;
+#ifdef HAVE_KRB5_GET_ERROR_MESSAGE
+ ret = ctx ? krb5_get_error_message(ctx, kcode) : NULL;
+ if (ret == NULL) {
+ ret = error_message(kcode);
+ }
+#else
+ ret = error_message(kcode);
+#endif
+ return strdup(ret);
+}
+
+char *
+cm_submit_ccache_realm(char **msg)
+{
+ krb5_context ctx;
+ krb5_ccache ccache;
+ krb5_principal princ;
+ krb5_error_code kret;
+ krb5_data *data;
+ char *ret;
+
+ if (msg != NULL) {
+ *msg = NULL;
+ }
+
+ kret = krb5_init_context(&ctx);
+ if (kret != 0) {
+ fprintf(stderr, "Error initializing Kerberos: %s.\n",
+ ret = get_error_message(ctx, kret));
+ if (msg != NULL) {
+ *msg = ret;
+ } else {
+ free(ret);
+ }
+ return NULL;
+ }
+ kret = krb5_cc_default(ctx, &ccache);
+ if (kret != 0) {
+ fprintf(stderr, "Error resolving default ccache: %s.\n",
+ ret = get_error_message(ctx, kret));
+ if (msg != NULL) {
+ *msg = ret;
+ } else {
+ free(ret);
+ }
+ return NULL;
+ }
+ kret = krb5_cc_get_principal(ctx, ccache, &princ);
+ if (kret != 0) {
+ fprintf(stderr, "Error reading default principal: %s.\n",
+ ret = get_error_message(ctx, kret));
+ if (msg != NULL) {
+ *msg = ret;
+ } else {
+ free(ret);
+ }
+ return NULL;
+ }
+ data = krb5_princ_realm(ctx, princ);
+ if (data == NULL) {
+ fprintf(stderr, "Error retrieving principal realm.\n");
+ if (msg != NULL) {
+ *msg = "Error retrieving principal realm.\n";
+ }
+ return NULL;
+ }
+ ret = malloc(data->length + 1);
+ if (ret == NULL) {
+ fprintf(stderr, "Out of memory for principal realm.\n");
+ if (msg != NULL) {
+ *msg = "Out of memory for principal realm.\n";
+ }
+ return NULL;
+ }
+ memcpy(ret, data->data, data->length);
+ ret[data->length] = '\0';
+ return ret;
+}
+
+krb5_error_code
+cm_submit_make_ccache(const char *ktname, const char *principal, char **msg)
+{
+ krb5_context ctx;
+ krb5_keytab keytab;
+ krb5_ccache ccache;
+ krb5_creds creds;
+ krb5_principal princ;
+ krb5_error_code kret;
+ krb5_get_init_creds_opt gicopts, *gicoptsp;
+ char *ret;
+
+ if (msg != NULL) {
+ *msg = NULL;
+ }
+
+ kret = krb5_init_context(&ctx);
+ if (kret != 0) {
+ ret = get_error_message(ctx, kret);
+ fprintf(stderr, "Error initializing Kerberos: %s.\n", ret);
+ if (msg != NULL) {
+ *msg = ret;
+ } else {
+ free(ret);
+ }
+ return kret;
+ }
+ if (ktname != NULL) {
+ kret = krb5_kt_resolve(ctx, ktname, &keytab);
+ } else {
+ kret = krb5_kt_default(ctx, &keytab);
+ }
+ if (kret != 0) {
+ fprintf(stderr, "Error resolving keytab: %s.\n",
+ ret = get_error_message(ctx, kret));
+ if (msg != NULL) {
+ *msg = ret;
+ } else {
+ free(ret);
+ }
+ return kret;
+ }
+ princ = NULL;
+ if (principal != NULL) {
+ kret = krb5_parse_name(ctx, principal, &princ);
+ if (kret != 0) {
+ fprintf(stderr, "Error parsing \"%s\": %s.\n",
+ principal, ret = get_error_message(ctx, kret));
+ if (msg != NULL) {
+ *msg = ret;
+ } else {
+ free(ret);
+ }
+ return kret;
+ }
+ } else {
+ kret = krb5_sname_to_principal(ctx, NULL, NULL,
+ KRB5_NT_SRV_HST, &princ);
+ if (kret != 0) {
+ fprintf(stderr, "Error building client name: %s.\n",
+ ret = get_error_message(ctx, kret));
+ if (msg != NULL) {
+ *msg = ret;
+ } else {
+ free(ret);
+ }
+ return kret;
+ }
+ }
+ memset(&creds, 0, sizeof(creds));
+#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
+ memset(&gicopts, 0, sizeof(gicopts));
+ gicoptsp = NULL;
+ kret = krb5_get_init_creds_opt_alloc(ctx, &gicoptsp);
+ if (kret != 0) {
+ fprintf(stderr, "Internal error: %s.\n",
+ ret = get_error_message(ctx, kret));
+ if (msg != NULL) {
+ *msg = ret;
+ } else {
+ free(ret);
+ }
+ return kret;
+ }
+#else
+ krb5_get_init_creds_opt_init(&gicopts);
+ gicoptsp = &gicopts;
+#endif
+ krb5_get_init_creds_opt_set_forwardable(gicoptsp, 1);
+ kret = krb5_get_init_creds_keytab(ctx, &creds, princ, keytab,
+ 0, NULL, gicoptsp);
+#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
+ krb5_get_init_creds_opt_free(ctx, gicoptsp);
+#endif
+ if (kret != 0) {
+ fprintf(stderr, "Error obtaining initial credentials: %s.\n",
+ ret = get_error_message(ctx, kret));
+ if (msg != NULL) {
+ *msg = ret;
+ } else {
+ free(ret);
+ }
+ return kret;
+ }
+ ccache = NULL;
+ kret = krb5_cc_resolve(ctx, "MEMORY:" PACKAGE_NAME "_submit",
+ &ccache);
+ if (kret == 0) {
+ kret = krb5_cc_initialize(ctx, ccache, creds.client);
+ }
+ if (kret != 0) {
+ fprintf(stderr, "Error initializing credential cache: %s.\n",
+ ret = get_error_message(ctx, kret));
+ if (msg != NULL) {
+ *msg = ret;
+ } else {
+ free(ret);
+ }
+ return kret;
+ }
+ kret = krb5_cc_store_cred(ctx, ccache, &creds);
+ if (kret != 0) {
+ fprintf(stderr,
+ "Error storing creds in credential cache: %s.\n",
+ ret = get_error_message(ctx, kret));
+ if (msg != NULL) {
+ *msg = ret;
+ } else {
+ free(ret);
+ }
+ return kret;
+ }
+ krb5_cc_close(ctx, ccache);
+ krb5_kt_close(ctx, keytab);
+ krb5_free_principal(ctx, princ);
+ krb5_free_context(ctx);
+ putenv("KRB5CCNAME=MEMORY:" PACKAGE_NAME "_submit");
+ return 0;
+}
+
static int
interact(LDAP *ld, unsigned flags, void *defaults, void *sasl_interact)
{
@@ -200,7 +422,7 @@ cm_find_default_naming_context(LDAP *ld, char **basedn)
}
static int
-cm_locate_xmlrpc_service(const char *server,
+cm_locate_jsonrpc_service(const char *server,
int ldap_uri_cmd, const char *ldap_uri,
const char *host,
const char *domain,
@@ -213,10 +435,13 @@ cm_locate_xmlrpc_service(const char *server,
LDAPDN rdn;
struct berval *lbv;
char *lattrs[2] = {"cn", NULL};
- const char *relativedn = "cn=masters,cn=ipa,cn=etc", *dn;
+ const char *relativedn = "cn=masters,cn=ipa,cn=etc";
+ char *dn;
char ldn[LINE_MAX], lfilter[LINE_MAX], uri[LINE_MAX] = "", **list;
int i, j, rc, n;
unsigned int flags;
+ int rval = 0;
+ int alloc_basedn = 0;
*uris = NULL;
@@ -231,14 +456,16 @@ cm_locate_xmlrpc_service(const char *server,
if (basedn == NULL) {
i = cm_find_default_naming_context(ld, &basedn);
if (i != 0) {
- free(basedn);
- return i;
+ rval = i;
+ goto done;
}
+ alloc_basedn = 1;
}
if (basedn == NULL) {
printf(_("Unable to determine base DN of "
"domain information on IPA server.\n"));
- return CM_SUBMIT_STATUS_UNCONFIGURED;
+ rval = CM_SUBMIT_STATUS_UNCONFIGURED;
+ goto done;
}
/* Now look up the names of the master CAs. */
snprintf(lfilter, sizeof(lfilter),
@@ -248,26 +475,31 @@ cm_locate_xmlrpc_service(const char *server,
"(ipaConfigString=enabledService)"
")", service);
snprintf(ldn, sizeof(ldn), "%s,%s", relativedn, basedn);
- free(basedn);
+ if (alloc_basedn) {
+ free(basedn);
+ }
rc = ldap_search_ext_s(ld, ldn, LDAP_SCOPE_SUBTREE,
lfilter, lattrs, 0, NULL, NULL, NULL,
LDAP_NO_LIMIT, &lresult);
if (rc != LDAP_SUCCESS) {
fprintf(stderr, "Error searching '%s': %s.\n",
ldn, ldap_err2string(rc));
- return CM_SUBMIT_STATUS_UNCONFIGURED;
+ rval = CM_SUBMIT_STATUS_UNCONFIGURED;
+ goto done;
}
/* Read their parents' for "cn" values. */
n = ldap_count_entries(ld, lresult);
if (n == 0) {
fprintf(stderr, "No CA masters found.\n");
ldap_msgfree(lresult);
- return CM_SUBMIT_STATUS_UNCONFIGURED;
+ rval = CM_SUBMIT_STATUS_UNCONFIGURED;
+ goto done;
}
list = talloc_array_ptrtype(NULL, list, n + 2);
if (list == NULL) {
fprintf(stderr, "Out of memory.\n");
- return CM_SUBMIT_STATUS_UNCONFIGURED;
+ rval = CM_SUBMIT_STATUS_UNCONFIGURED;
+ goto done;
}
i = 0;
for (lmsg = ldap_first_entry(ld, lresult);
@@ -314,7 +546,7 @@ cm_locate_xmlrpc_service(const char *server,
switch (flags & 0x0f) {
case LDAP_AVA_STRING:
list[i] = talloc_asprintf(list,
- "https://%.*s/ipa/xml",
+ "https://%.*s/ipa/json",
(int) lbv->bv_len,
lbv->bv_val);
if (list[i] != NULL) {
@@ -328,15 +560,67 @@ cm_locate_xmlrpc_service(const char *server,
ldap_dnfree(rdn);
}
}
+ ldap_memfree(dn);
}
ldap_msgfree(lresult);
if (i == 0) {
free(list);
- return CM_SUBMIT_STATUS_UNCONFIGURED;
+ rval = CM_SUBMIT_STATUS_UNCONFIGURED;
+ goto done;
}
list[i] = NULL;
*uris = list;
- return CM_SUBMIT_STATUS_ISSUED;
+ rval = CM_SUBMIT_STATUS_ISSUED;
+
+done:
+ if (ld) {
+ ldap_unbind_ext(ld, NULL, NULL);
+ }
+
+ return rval;
+}
+
+/*
+ * Parse the JSON response from the IPA server.
+ *
+ * It will return one of three types of values:
+ *
+ * < 0 is failure to parse JSON output
+ * 0 is success, no errors were found
+ * > 0 is the IPA API error code
+ */
+static int
+parse_json_result(const char *result, char **error_message) {
+ json_error_t j_error;
+
+ json_t *j_root = NULL;
+ json_t *j_error_obj = NULL;
+
+ int error_code = 0;
+
+ j_root = json_loads(result, 0, &j_error);
+ if (!j_root) {
+ cm_log(0, "Parsing JSON-RPC response failed: %s\n", j_error.text);
+ return -1;
+ }
+
+ j_error_obj = json_object_get(j_root, "error");
+ if (!j_error_obj || json_is_null(j_error_obj)) {
+ json_decref(j_root);
+ return 0; // no errors
+ }
+
+ if (json_unpack_ex(j_error_obj, &j_error, 0, "{s:i, s:s}",
+ "code", &error_code,
+ "message", error_message) != 0) {
+ cm_log(0, "Failed extracting error from JSON-RPC response: %s\n", j_error.text);
+ json_decref(j_root);
+ return -1;
+ }
+
+ cm_log(0, "JSON-RPC error: %d: %s\n", error_code, *error_message);
+ json_decref(j_root);
+ return error_code;
}
/* Make an XML-RPC request to the "cert_request" method. */
@@ -344,63 +628,98 @@ static int
submit_or_poll_uri(const char *uri, const char *cainfo, const char *capath,
const char *uid, const char *pwd, const char *csr,
const char *reqprinc, const char *profile,
- const char *issuer)
+ const char *issuer, int verbose)
{
- struct cm_submit_x_context *ctx;
- const char *args[2];
+ void *ctx;
+ struct cm_submit_h_context *hctx;
char *s, *p;
int i;
+ json_t *json_req = NULL;
+ json_error_t j_error;
+ const char *results = NULL;
+ char *json_str = NULL;
+ char *error_message = NULL;
+ char *referer = NULL;
+ int rval = 0;
+ json_t *j_root = NULL;
+ json_t *j_result_outer = NULL;
+ json_t *j_result = NULL;
+ json_t *j_cert = NULL;
+ const char *certificate = NULL;
if ((uri == NULL) || (strlen(uri) == 0)) {
return CM_SUBMIT_STATUS_UNCONFIGURED;
}
- /* Prepare to make an XML-RPC request. */
+ ctx = talloc_new(NULL);
+
+ referer = talloc_asprintf(ctx, "%s", uri);
+
+ /* Prepare to make a JSON-RPC request. */
submit:
- if ((uid != NULL) && (pwd != NULL) &&
- (strlen(uid) > 0) && (strlen(pwd) > 0)) {
- ctx = cm_submit_x_init(NULL, uri, "cert_request",
- cainfo, capath, uid, pwd,
- cm_submit_x_negotiate_off,
- cm_submit_x_delegate_off);;
- } else {
- ctx = cm_submit_x_init(NULL, uri, "cert_request",
- cainfo, capath, NULL, NULL,
- cm_submit_x_negotiate_on,
- cm_submit_x_delegate_on);
+ json_req = json_pack_ex(&j_error, 0,
+ "{s:s, s:[[s], {s:s, s:s*, s:s*, s:b}]}",
+ "method", "cert_request",
+ "params",
+ csr,
+ "principal", reqprinc,
+ "profile_id", profile,
+ "cacn", issuer,
+ "add", 1);
+ if (!json_req) {
+ cm_log(0, "json_pack_ex() failed: %s\n", j_error.text);
+ return CM_SUBMIT_STATUS_UNCONFIGURED;
}
- if (ctx == NULL) {
- fprintf(stderr, "Error setting up for XMLRPC to %s on "
- "the client.\n", uri);
- printf(_("Error setting up for XMLRPC on the client.\n"));
+ json_str = json_dumps(json_req, 0);
+ json_decref(json_req);
+ if (!json_str) {
+ cm_log(0, "json_dumps() failed\n");
return CM_SUBMIT_STATUS_UNCONFIGURED;
}
- /* Add the CSR contents as the sole unnamed argument. */
- args[0] = csr;
- args[1] = NULL;
- cm_submit_x_add_arg_as(ctx, args);
- /* Add the principal name named argument. */
- cm_submit_x_add_named_arg_s(ctx, "principal", reqprinc);
- /* Add the requested profile name named argument. */
- if (profile != NULL) {
- cm_submit_x_add_named_arg_s(ctx, "profile_id", profile);
- }
- /* Add the requested CA issuer named argument. */
- if (issuer != NULL) {
- cm_submit_x_add_named_arg_s(ctx, "cacn", issuer);
+ hctx = cm_submit_h_init(ctx, "POST", uri, json_str,
+ "application/json", "application/json",
+ referer, cainfo, capath,
+ NULL, NULL, NULL,
+ cm_submit_h_negotiate_on,
+ cm_submit_h_delegate_off,
+ cm_submit_h_clientauth_off,
+ cm_submit_h_env_modify_off,
+ verbose > 1 ?
+ cm_submit_h_curl_verbose_on :
+ cm_submit_h_curl_verbose_off);
+ free(json_str);
+
+ if (hctx == NULL) {
+ fprintf(stderr, "Error setting up JSON-RPC to %s on "
+ "the client.\n", uri);
+ printf(_("Error setting up for JSON-RPC on the client.\n"));
+ rval = CM_SUBMIT_STATUS_UNCONFIGURED;
+ goto cleanup;
}
- /* Tell the server to add entries for a principal if one
- * doesn't exist yet. */
- cm_submit_x_add_named_arg_b(ctx, "add", 1);
/* Submit the request. */
fprintf(stderr, "Submitting request to \"%s\".\n", uri);
- cm_submit_x_run(ctx);
+ cm_submit_h_run(hctx);
/* Check the results. */
- if (cm_submit_x_faulted(ctx) == 0) {
- i = cm_submit_x_fault_code(ctx);
+
+ results = cm_submit_h_results(hctx, NULL);
+ cm_log(1, "%s\n", results);
+ if (cm_submit_h_response_code(hctx) != 200) {
+ cm_log(0, "JSON-RPC call failed with HTTP status code: %d\n",
+ cm_submit_h_response_code(hctx));
+ cm_log(0, "code = %d, code_text = \"%s\"\n",
+ cm_submit_h_result_code(hctx), cm_submit_h_result_code_text(hctx));
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto cleanup;
+ }
+ i = parse_json_result(results, &error_message);
+ if (i < 0) {
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto cleanup;
+ }
+ if (i > 0) {
/* Interpret the error. See errors.py to get the
* classifications. */
switch (i / 1000) {
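Review bot: The two early `return CM_SUBMIT_STATUS_UNCONFIGURED` paths after the json_pack_ex and json_dumps failures leak `ctx` and the `referer` string allocated under it, since talloc_new(NULL) has no parent that could reclaim it; `goto cleanup` is not a drop-in replacement there because `hctx` is declared without an initialiser and cleanup would hand it to cm_submit_h_cleanup, so either write `talloc_free(ctx); return CM_SUBMIT_STATUS_UNCONFIGURED;` at both sites or initialise `hctx = NULL` (provided cm_submit_h_cleanup tolerates NULL, which the `goto cleanup` on the hctx == NULL path already assumes). Separately, `uid` and `pwd` stay in the signature but appear not to reach cm_submit_h_init, which is given NULL for its credential arguments, so the password-authenticated branch the removed cm_submit_x_init call offered seems to be gone silently; either wire them through or state in the function comment that the JSON-RPC path authenticates with Kerberos only. The function continues into the following three hunks.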
@@ -424,8 +743,9 @@ submit:
}
printf("Server at %s denied our request, "
"giving up: %d (%s).\n", uri, i,
- cm_submit_x_fault_text(ctx));
- return CM_SUBMIT_STATUS_REJECTED;
+ error_message);
+ rval = CM_SUBMIT_STATUS_REJECTED;
+ goto cleanup;
break;
case 1: /* authentication error - transient? */
case 4: /* execution error - transient? */
@@ -433,22 +753,51 @@ submit:
default:
printf("Server at %s failed request, "
"will retry: %d (%s).\n", uri, i,
- cm_submit_x_fault_text(ctx));
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ error_message);
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto cleanup;
break;
}
- } else
- if (cm_submit_x_has_results(ctx) == 0) {
- if (cm_submit_x_get_named_s(ctx, "certificate",
- &s) == 0) {
+ } else {
+ j_root = json_loads(results, 0, &j_error);
+ if (!j_root) {
+ cm_log(0, "Parsing JSON-RPC response failed: %s\n", j_error.text);
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto cleanup;
+ }
+
+ j_result_outer = json_object_get(j_root, "result");
+ if (!j_result_outer) {
+ cm_log(0, "Parsing JSON-RPC response failed, no outer result\n");
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto cleanup;
+ }
+
+ j_result = json_object_get(j_result_outer, "result");
+ if (!j_result) {
+ cm_log(0, "Parsing JSON-RPC response failed, no inner result\n");
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto cleanup;
+ }
+
+ j_cert = json_object_get(j_result, "certificate");
+ if (!j_cert) {
+ cm_log(0, "Parsing JSON-RPC response failed, no certificate\n");
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto cleanup;
+ }
+ certificate = json_string_value(j_cert);
+
+ if (certificate) {
/* If we got a certificate, we're probably
* okay. */
- fprintf(stderr, "Certificate: \"%s\"\n", s);
- s = cm_submit_u_base64_from_text(s);
+ fprintf(stderr, "Certificate: \"%s\"\n", certificate);
+ s = cm_submit_u_base64_from_text(certificate);
if (s == NULL) {
printf("Out of memory parsing server "
"response, will retry.\n");
- return CM_SUBMIT_STATUS_UNREACHABLE;
+ rval = CM_SUBMIT_STATUS_UNREACHABLE;
+ goto cleanup;
}
p = cm_submit_u_pem_from_base64("CERTIFICATE",
FALSE, s);
@@ -457,15 +806,19 @@ submit:
}
free(s);
free(p);
- return CM_SUBMIT_STATUS_ISSUED;
+ rval = CM_SUBMIT_STATUS_ISSUED;
+ goto cleanup;
} else {
- return CM_SUBMIT_STATUS_REJECTED;
+ rval = CM_SUBMIT_STATUS_REJECTED;
}
- } else {
- /* No useful response, no fault. Try again, from
- * scratch, later. */
- return CM_SUBMIT_STATUS_UNREACHABLE;
}
+
+cleanup:
+ json_decref(j_root);
+ cm_submit_h_cleanup(hctx);
+ talloc_free(ctx);
+
+ return rval;
}
static int
@@ -473,16 +826,17 @@ submit_or_poll(const char *uri, const char *cainfo, const char *capath,
const char *server, int ldap_uri_cmd, const char *ldap_uri,
const char *host, const char *domain, char *basedn,
const char *uid, const char *pwd, const char *csr,
- const char *reqprinc, const char *profile, const char *issuer)
+ const char *reqprinc, const char *profile, const char *issuer,
+ int verbose)
{
int i, u;
char **uris;
i = submit_or_poll_uri(uri, cainfo, capath, uid, pwd, csr, reqprinc,
- profile, issuer);
+ profile, issuer, verbose);
if ((i == CM_SUBMIT_STATUS_UNREACHABLE) ||
(i == CM_SUBMIT_STATUS_UNCONFIGURED)) {
- u = cm_locate_xmlrpc_service(server, ldap_uri_cmd, ldap_uri,
+ u = cm_locate_jsonrpc_service(server, ldap_uri_cmd, ldap_uri,
host, domain, basedn, "CA", &uris);
if ((u == 0) && (uris != NULL)) {
for (u = 0; uris[u] != NULL; u++) {
@@ -491,7 +845,7 @@ submit_or_poll(const char *uri, const char *cainfo, const char *capath,
}
i = submit_or_poll_uri(uris[u], cainfo, capath,
uid, pwd, csr, reqprinc,
- profile, issuer);
+ profile, issuer, verbose);
if ((i != CM_SUBMIT_STATUS_UNREACHABLE) &&
(i != CM_SUBMIT_STATUS_UNCONFIGURED)) {
talloc_free(uris);
@@ -562,7 +916,7 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
return CM_SUBMIT_STATUS_ISSUED;
}
/* Read our realm name from our ccache. */
- realm = cm_submit_x_ccache_realm(&kerr);
+ realm = cm_submit_ccache_realm(&kerr);
/* Read all of the certificates. */
for (lmsg = ldap_first_entry(ld, lresult);
lmsg != NULL;
@@ -588,6 +942,9 @@ fetch_roots(const char *server, int ldap_uri_cmd, const char *ldap_uri,
ldap_msgfree(lresult);
free(realm);
free(kerr);
+ if (ld) {
+ ldap_unbind_ext(ld, NULL, NULL);
+ }
return CM_SUBMIT_STATUS_ISSUED;
}
@@ -600,7 +957,8 @@ main(int argc, const char **argv)
char *csr, *p, uri[LINE_MAX], *reqprinc = NULL, *ipaconfig, *kerr;
char *uid = NULL, *pwd = NULL, *pwdfile = NULL;
const char *xmlrpc_uri = NULL, *ldap_uri = NULL, *server = NULL, *csrfile;
- int xmlrpc_uri_cmd = 0, ldap_uri_cmd = 0, verbose = 0;
+ const char *jsonrpc_uri = NULL;
+ int jsonrpc_uri_cmd = 0, ldap_uri_cmd = 0, verbose = 0;
const char *mode = CM_OP_SUBMIT;
char ldn[LINE_MAX], *basedn = NULL, *profile = NULL, *issuer = NULL;
krb5_error_code kret;
@@ -609,6 +967,7 @@ main(int argc, const char **argv)
{"host", 'h', POPT_ARG_STRING, &host, 0, "IPA server hostname", "HOSTNAME"},
{"domain", 'd', POPT_ARG_STRING, &domain, 0, "IPA domain name", "NAME"},
{"xmlrpc-url", 'H', POPT_ARG_STRING, NULL, 'H', "IPA XMLRPC service location", "URL"},
+ {"jsonrpc-url", 'J', POPT_ARG_STRING, NULL, 'J', "IPA JSON-RPC service location", "URL"},
{"ldap-url", 'L', POPT_ARG_STRING, NULL, 'L', "IPA LDAP service location", "URL"},
{"capath", 'C', POPT_ARG_STRING, &capath, 0, NULL, "DIRECTORY"},
{"cafile", 'c', POPT_ARG_STRING, &cainfo, 0, NULL, "FILENAME"},
@@ -659,9 +1018,10 @@ main(int argc, const char **argv)
poptSetOtherOptionHelp(pctx, "[options] [csrfile]");
while ((c = poptGetNextOpt(pctx)) > 0) {
switch (c) {
- case 'H':
- xmlrpc_uri = poptGetOptArg(pctx);
- xmlrpc_uri_cmd++;
+ case 'H': /* XMLRPC URI kept for backwards compatibility */
+ case 'J':
+ jsonrpc_uri = poptGetOptArg(pctx);
+ jsonrpc_uri_cmd++;
break;
case 'L':
ldap_uri = poptGetOptArg(pctx);
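Review bot: Folding `'H'` into `'J'` stores the -H argument verbatim as `jsonrpc_uri`, so, as far as the visible hunks show, an existing invocation of `-H https://host/ipa/xml` is later copied into `uri` unchanged by the `jsonrpc_uri != NULL` branch and the JSON request is POSTed to the XML-RPC endpoint; the xml-to-json suffix rewrite further down main() only runs for a config-file xmlrpc_uri when neither -H nor -J was given. Keeping `case 'H'` assigning `xmlrpc_uri` (still counted in `jsonrpc_uri_cmd`) and letting the URI selection prefer an explicitly given xmlrpc_uri, rewritten, over a config-file jsonrpc_uri would make the "backwards compatibility" comment true; alternatively apply the rewrite to any URI ending in `/xml`. main() starts and ends outside the hunk.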
@@ -724,6 +1084,11 @@ main(int argc, const char **argv)
"global",
"xmlrpc_uri");
}
+ if (jsonrpc_uri == NULL) {
+ jsonrpc_uri = get_config_entry(ipaconfig,
+ "global",
+ "jsonrpc_uri");
+ }
if (ldap_uri == NULL) {
/* Preferred, but likely to only be set on a
* server. */
@@ -756,6 +1121,7 @@ main(int argc, const char **argv)
}
}
}
+ free(ipaconfig);
csr = NULL;
memset(uri, '\0', sizeof(uri));
memset(ldn, '\0', sizeof(ldn));
@@ -787,16 +1153,25 @@ main(int argc, const char **argv)
(getenv(CM_SUBMIT_ISSUER_ENV) != NULL)) {
issuer = strdup(getenv(CM_SUBMIT_ISSUER_ENV));
}
- if ((server != NULL) && !xmlrpc_uri_cmd) {
+ if ((server != NULL) && !jsonrpc_uri_cmd) {
snprintf(uri, sizeof(uri),
- "https://%s/ipa/xml", server);
+ "https://%s/ipa/json", server);
+ } else
+ if (jsonrpc_uri != NULL) {
+ snprintf(uri, sizeof(uri), "%s", jsonrpc_uri);
} else
if (xmlrpc_uri != NULL) {
- snprintf(uri, sizeof(uri), "%s", xmlrpc_uri);
+ /* strip off the trailing xml and replace with json */
+ if ((strlen(xmlrpc_uri) + 1) > sizeof(uri)) {
+ printf(_("xmlrpc_uri is longer than %ld.\n"), sizeof(uri) - 2);
+ return CM_SUBMIT_STATUS_UNCONFIGURED;
+ }
+ snprintf(uri, strlen(xmlrpc_uri) - 2, "%s", xmlrpc_uri);
+ strcat(uri, "json");
} else
if (host != NULL) {
snprintf(uri, sizeof(uri),
- "https://%s/ipa/xml", host);
+ "https://%s/ipa/json", host);
}
/* Read the CSR from the environment, or from the file named on
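Review bot: The xml-to-json rewrite can write one byte past `uri`: the guard admits `strlen(xmlrpc_uri) == sizeof(uri) - 1`, `snprintf(uri, strlen(xmlrpc_uri) - 2, ...)` then leaves a prefix of `sizeof(uri) - 3` characters, and `strcat(uri, "json")` places its terminating NUL at index `sizeof(uri)`. The same lines also pass a `size_t` to `%ld`, wrap `strlen() - 2` for a URI shorter than two characters, and drop the last three characters whether or not they are `xml`. Check the final length (`len + 2 > sizeof(uri)`) and the suffix up front and build the result with one bounded snprintf, as below; xmlrpc_uri comes from the command line or the ipa config file, so this is a robustness fix rather than a remote concern. main() starts and ends outside the hunk.
```c
	} else
	if (xmlrpc_uri != NULL) {
		/* strip off the trailing xml and replace with json */
		size_t len = strlen(xmlrpc_uri);
		/* the rewritten URI is one character longer than the original */
		if ((len + 2) > sizeof(uri)) {
			printf(_("xmlrpc_uri is longer than %zu.\n"), sizeof(uri) - 2);
			return CM_SUBMIT_STATUS_UNCONFIGURED;
		}
		if ((len < 3) || (strcmp(xmlrpc_uri + len - 3, "xml") != 0)) {
			printf(_("xmlrpc_uri does not end in \"xml\".\n"));
			return CM_SUBMIT_STATUS_UNCONFIGURED;
		}
		snprintf(uri, sizeof(uri), "%.*sjson", (int)(len - 3), xmlrpc_uri);
	} else
	/* … unchanged: host fallback … */
```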
@@ -891,7 +1266,7 @@ main(int argc, const char **argv)
/* Setup a ccache unless we're told to use the default one. */
kerr = NULL;
if (make_keytab_ccache &&
- ((kret = cm_submit_x_make_ccache(ktname, kpname, &kerr)) != 0)) {
+ ((kret = cm_submit_make_ccache(ktname, kpname, &kerr)) != 0)) {
fprintf(stderr, "Error setting up ccache at the client: %s.\n",
kerr);
if (ktname == NULL) {
@@ -939,11 +1314,12 @@ main(int argc, const char **argv)
ret = submit_or_poll(uri, cainfo, capath, server,
ldap_uri_cmd, ldap_uri, host, domain,
basedn, uid, pwd, csr, reqprinc, profile,
- issuer);
+ issuer, verbose);
free(csr);
free(profile);
free(issuer);
free(reqprinc);
+ free(basedn);
return ret;
} else
if (strcasecmp(mode, CM_OP_FETCH_ROOTS) == 0) {
diff --git a/src/store-files.c b/src/store-files.c
index 4c3b2232..85ac692e 100644
--- a/src/store-files.c
+++ b/src/store-files.c
@@ -2650,6 +2650,7 @@ cm_store_get_all_cas(void *parent)
j++;
}
#endif
+#ifdef WITH_XMLRPC
#ifdef WITH_CERTMASTER
/* Make sure we get at least one certmaster entry. */
for (k = 0; k < j; k++) {
@@ -2670,6 +2671,7 @@ cm_store_get_all_cas(void *parent)
j++;
}
#endif
+#endif
#ifdef WITH_IPA
/* Make sure we get at least 1 dogtag-ipa-renew-agent entry. */
for (k = 0; k < j; k++) {
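Review bot: The `#endif` added here closes the `#ifdef WITH_XMLRPC` opened in the previous hunk, some twenty lines and a nested `#ifdef WITH_CERTMASTER`/`#endif` pair away, with nothing marking which conditional it ends; tag both closers, `#endif /* WITH_CERTMASTER */` and `#endif /* WITH_XMLRPC */`, since the pre-existing `#endif` just above the new `#ifdef` is untagged as well and the nesting is easy to misread. cm_store_get_all_cas starts and ends outside the hunk.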
--
2.25.4


@ -0,0 +1,201 @@
From dd8dcb899e0a159d1141b713993805565ffb6d28 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 16 Sep 2020 11:28:08 -0400
Subject: [PATCH 09/11] Remove the certmaster CA from the 028-dbus test
The certmaster CA is disabled by default so no longer look for it
in the dbus test.
This test will fail if certmaster is enabled. There is currently no
mechanism to dynamically enable/disable features of the tests. It
can be added if it comes up but its unclear if anyoen took advantage
of the certmaster support in the first place.
---
tests/028-dbus/expected.out | 130 ++----------------------------------
1 file changed, 6 insertions(+), 124 deletions(-)
diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out
index 4d6a9a59..ca7de34f 100644
--- a/tests/028-dbus/expected.out
+++ b/tests/028-dbus/expected.out
@@ -34,10 +34,6 @@ CA 'IPA':
is-default: no
ca-type: EXTERNAL
helper-location: $libexecdir/ipa-submit
-CA 'certmaster':
- is-default: no
- ca-type: EXTERNAL
- helper-location: $libexecdir/certmaster-submit
CA 'dogtag-ipa-renew-agent':
is-default: no
ca-type: EXTERNAL
@@ -45,8 +41,8 @@ CA 'dogtag-ipa-renew-agent':
[[ API ]]
[ simpleprop.py ]
-/org/fedorahosted/certmonger/cas/CA6
-/org/fedorahosted/certmonger/cas/CA6
+/org/fedorahosted/certmonger/cas/CA5
+/org/fedorahosted/certmonger/cas/CA5
: -> : -k admin@localhost -> :
0 -> 1 -> 0
[ walk.py ]
@@ -182,7 +178,7 @@ OK
OK
[ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_known_cas ]
-dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA1'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA2'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA3'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA4'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA5')], signature=dbus.Signature('o'))
+dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA1'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA2'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA3'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA4')], signature=dbus.Signature('o'))
[ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_requests ]
dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/requests/Request2')], signature=dbus.Signature('o'))
@@ -508,7 +504,6 @@ After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.Stri
<node name="CA2"/>
<node name="CA3"/>
<node name="CA4"/>
- <node name="CA5"/>
</node>
[ /org/fedorahosted/certmonger/cas/CA1: org.freedesktop.DBus.Introspectable.Introspect ]
@@ -942,10 +937,10 @@ dbus.Array([], signature=dbus.Signature('s'))
</node>
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_config_file_path ]
-$tmpdir/cas/20180327134236-2
+$tmpdir/cas/20180327134236-3
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_nickname ]
-certmaster
+dogtag-ipa-renew-agent
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_is_default ]
0
@@ -957,7 +952,7 @@ EXTERNAL
None
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_location ]
-$libexecdir/certmaster-submit
+$libexecdir/dogtag-ipa-renew-agent-submit
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_issuer_names ]
dbus.Array([], signature=dbus.Signature('s'))
@@ -965,116 +960,3 @@ dbus.Array([], signature=dbus.Signature('s'))
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.refresh ]
1
-[ /org/fedorahosted/certmonger/cas/CA5: org.freedesktop.DBus.Introspectable.Introspect ]
-<!DOCTYPE node PUBLIC "-//freedesktop//DTD D-BUS Object Introspection 1.0//EN"
-"http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd">
-
-<node name="/org/fedorahosted/certmonger/cas/CA5">
- <interface name="org.freedesktop.DBus.Introspectable">
- <method name="Introspect">
- <arg name="xml_data" type="s" direction="out"/>
- </method>
- </interface>
- <interface name="org.freedesktop.DBus.Properties">
- <method name="Get">
- <arg name="interface_name" type="s" direction="in"/>
- <arg name="property_name" type="s" direction="in"/>
- <arg name="value" type="v" direction="out"/>
- </method>
- <method name="Set">
- <arg name="interface_name" type="s" direction="in"/>
- <arg name="property_name" type="s" direction="in"/>
- <arg name="value" type="v" direction="in"/>
- </method>
- <method name="GetAll">
- <arg name="interface_name" type="s" direction="in"/>
- <arg name="props" type="a{sv}" direction="out"/>
- </method>
- <signal name="PropertiesChanged">
- <arg name="interface_name" type="s"/>
- <arg name="changed_properties" type="a{sv}"/>
- <arg name="invalidated_properties" type="as"/>
- </signal>
- </interface>
- <interface name="org.fedorahosted.certmonger.ca">
- <method name="get_config_file_path">
- <arg name="path" type="s" direction="out"/>
- </method>
- <method name="get_nickname">
- <arg name="nickname" type="s" direction="out"/>
- </method>
- <property name="nickname" type="s" access="read"/>
- <property name="aka" type="s" access="read"/>
- <method name="get_is_default">
- <arg name="default" type="b" direction="out"/>
- </method>
- <property name="is-default" type="b" access="readwrite"/>
- <method name="get_type">
- <arg name="type" type="s" direction="out"/>
- </method>
- <method name="get_serial">
- <arg name="serial_hex" type="s" direction="out"/>
- </method>
- <method name="get_location">
- <arg name="path" type="s" direction="out"/>
- </method>
- <property name="external-helper" type="s" access="readwrite"/>
- <method name="get_issuer_names">
- <arg name="names" type="as" direction="out"/>
- </method>
- <method name="refresh">
- <arg name="working" type="b" direction="out"/>
- </method>
- <property name="ca-error" type="s" access="read"/>
- <property name="issuer-names" type="as" access="read"/>
- <property name="root-certs" type="a(ss)" access="read"/>
- <property name="root-other-certs" type="a(ss)" access="read"/>
- <property name="other-certs" type="a(ss)" access="read"/>
- <property name="required-enroll-attributes" type="as" access="read"/>
- <property name="required-renew-attributes" type="as" access="read"/>
- <property name="supported-profiles" type="as" access="read"/>
- <property name="default-profile" type="s" access="read"/>
- <property name="root-cert-files" type="as" access="readwrite"/>
- <property name="root-other-cert-files" type="as" access="readwrite"/>
- <property name="other-cert-files" type="as" access="readwrite"/>
- <property name="root-cert-nssdbs" type="as" access="readwrite"/>
- <property name="root-other-cert-nssdbs" type="as" access="readwrite"/>
- <property name="other-cert-nssdbs" type="as" access="readwrite"/>
- <property name="ca-presave-command" type="s" access="read"/>
- <property name="ca-presave-uid" type="s" access="read"/>
- <property name="ca-postsave-command" type="s" access="read"/>
- <property name="ca-postsave-uid" type="s" access="read"/>
- <property name="scep-cipher" type="s" access="readwrite"/>
- <property name="scep-digest" type="s" access="readwrite"/>
- <property name="scep-ca-identifier" type="s" access="readwrite"/>
- <property name="scep-ca-capabilities" type="as" access="read"/>
- <property name="scep-ra-cert" type="s" access="read"/>
- <property name="scep-ca-cert" type="s" access="read"/>
- <property name="scep-other-certs" type="s" access="read"/>
- </interface>
-</node>
-
-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_config_file_path ]
-$tmpdir/cas/20180327134236-3
-
-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_nickname ]
-dogtag-ipa-renew-agent
-
-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_is_default ]
-0
-
-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_type ]
-EXTERNAL
-
-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_serial ]
-None
-
-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_location ]
-$libexecdir/dogtag-ipa-renew-agent-submit
-
-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_issuer_names ]
-dbus.Array([], signature=dbus.Signature('s'))
-
-[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.refresh ]
-1
-
--
2.25.4


@ -0,0 +1,38 @@
From 94dfc2f31b439db37b67d58e635169c29a4f8dde Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 16 Sep 2020 11:29:41 -0400
Subject: [PATCH 10/11] Add a local-srpm target to build an srpm from the
current checkout
The srpm target will pull the origin master branch and build from
that so it isn't useful for testing local changes.
---
Makefile.am | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/Makefile.am b/Makefile.am
index 16d103ec..883c5932 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -29,6 +29,18 @@ ARCHIVEOUTDIR=$(shell cd $(top_srcdir) && pwd)
local-archive:
$(MAKE) archive ORIGIN=$(ARCHIVEOUTDIR)
+local-srpm:
+ repo=`pwd`; \
+ tmpdir=`mktemp -d /tmp/make_archive_XXXXXX`; \
+ if test -d "$$tmpdir" ; then \
+ git clone . $$tmpdir;\
+ cd $$tmpdir;\
+ ./make-srpm.sh;\
+ cp -v $(distdir)-*.src.rpm $(ARCHIVEOUTDIR)/;\
+ chmod -R u+rw $$tmpdir;\
+ rm -fr $$tmpdir;\
+ fi
+
srpm:
repo=`pwd`; \
tmpdir=`mktemp -d /tmp/make_archive_XXXXXX`; \
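Review bot: The commands inside the `local-srpm` recipe are joined with `;`, so if `git clone` or `cd` fails, `./make-srpm.sh` runs in whatever directory the shell is left in and the recipe still reports success to make; join the build steps with `&&` (`git clone . $$tmpdir && cd $$tmpdir && ./make-srpm.sh && cp -v $(distdir)-*.src.rpm $(ARCHIVEOUTDIR)/`) and keep only the `chmod`/`rm -fr $$tmpdir` cleanup unconditional. The `repo` variable is assigned from pwd but not used in the added lines. The `srpm` target below the hunk appears to share the same shape, so the same applies there if it is touched.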
--
2.25.4


@ -0,0 +1,26 @@
From eda1134a9db1246eb8a24e0e01cfe1fcbff10729 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 16 Sep 2020 11:30:10 -0400
Subject: [PATCH 11/11] Silence a rpm macro warning with an unescaped % in a
comment
---
certmonger.spec | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/certmonger.spec b/certmonger.spec
index a8e1d2e8..f2abd307 100644
--- a/certmonger.spec
+++ b/certmonger.spec
@@ -35,7 +35,7 @@ Group: System Environment/Daemons
License: GPLv3+
URL: http://pagure.io/certmonger/
Source0: http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz
-#Source1: http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz.sig
+#Source1: http://releases.pagure.org/certmonger/certmonger-%%{version}.tar.gz.sig
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
BuildRequires: openldap-devel
--
2.25.4


@ -1,195 +0,0 @@
From 14d1b5f9a482a4740706dc1cb86c454662f48d4c Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 7 Dec 2022 10:09:55 -0500
Subject: [PATCH] Revert "Remove the certmaster CA from the 028-dbus test"
This reverts commit dd8dcb899e0a159d1141b713993805565ffb6d28.
---
tests/028-dbus/expected.out | 130 ++++++++++++++++++++++++++++++++++--
1 file changed, 124 insertions(+), 6 deletions(-)
diff --git a/tests/028-dbus/expected.out b/tests/028-dbus/expected.out
index 86cba02..544ebd7 100644
--- a/tests/028-dbus/expected.out
+++ b/tests/028-dbus/expected.out
@@ -35,6 +35,10 @@ CA 'IPA':
is-default: no
ca-type: EXTERNAL
helper-location: $libexecdir/ipa-submit
+CA 'certmaster':
+ is-default: no
+ ca-type: EXTERNAL
+ helper-location: $libexecdir/certmaster-submit
CA 'dogtag-ipa-renew-agent':
is-default: no
ca-type: EXTERNAL
@@ -42,8 +46,8 @@ CA 'dogtag-ipa-renew-agent':
[[ API ]]
[ simpleprop.py ]
-/org/fedorahosted/certmonger/cas/CA5
-/org/fedorahosted/certmonger/cas/CA5
+/org/fedorahosted/certmonger/cas/CA6
+/org/fedorahosted/certmonger/cas/CA6
: -> : -k admin@localhost -> :
0 -> 1 -> 0
[ walk.py ]
@@ -179,7 +183,7 @@ OK
OK
[ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_known_cas ]
-dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA1'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA2'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA3'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA4')], signature=dbus.Signature('o'))
+dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA1'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA2'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA3'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA4'), dbus.ObjectPath('/org/fedorahosted/certmonger/cas/CA5')], signature=dbus.Signature('o'))
[ /org/fedorahosted/certmonger: org.fedorahosted.certmonger.get_requests ]
dbus.Array([dbus.ObjectPath('/org/fedorahosted/certmonger/requests/Request2')], signature=dbus.Signature('o'))
@@ -507,6 +511,7 @@ After setting template-eku to 1.2.3.4.5.6.7.8.9.10, we got dbus.Array([dbus.Stri
<node name="CA2"/>
<node name="CA3"/>
<node name="CA4"/>
+ <node name="CA5"/>
</node>
[ /org/fedorahosted/certmonger/cas/CA1: org.freedesktop.DBus.Introspectable.Introspect ]
@@ -940,10 +945,10 @@ dbus.Array([], signature=dbus.Signature('s'))
</node>
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_config_file_path ]
-$tmpdir/cas/20180327134236-3
+$tmpdir/cas/20180327134236-2
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_nickname ]
-dogtag-ipa-renew-agent
+certmaster
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_is_default ]
0
@@ -955,7 +960,7 @@ EXTERNAL
None
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_location ]
-$libexecdir/dogtag-ipa-renew-agent-submit
+$libexecdir/certmaster-submit
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.get_issuer_names ]
dbus.Array([], signature=dbus.Signature('s'))
@@ -963,3 +968,116 @@ dbus.Array([], signature=dbus.Signature('s'))
[ /org/fedorahosted/certmonger/cas/CA4: org.fedorahosted.certmonger.ca.refresh ]
1
+[ /org/fedorahosted/certmonger/cas/CA5: org.freedesktop.DBus.Introspectable.Introspect ]
+<!DOCTYPE node PUBLIC "-//freedesktop//DTD D-BUS Object Introspection 1.0//EN"
+"http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd">
+
+<node name="/org/fedorahosted/certmonger/cas/CA5">
+ <interface name="org.freedesktop.DBus.Introspectable">
+ <method name="Introspect">
+ <arg name="xml_data" type="s" direction="out"/>
+ </method>
+ </interface>
+ <interface name="org.freedesktop.DBus.Properties">
+ <method name="Get">
+ <arg name="interface_name" type="s" direction="in"/>
+ <arg name="property_name" type="s" direction="in"/>
+ <arg name="value" type="v" direction="out"/>
+ </method>
+ <method name="Set">
+ <arg name="interface_name" type="s" direction="in"/>
+ <arg name="property_name" type="s" direction="in"/>
+ <arg name="value" type="v" direction="in"/>
+ </method>
+ <method name="GetAll">
+ <arg name="interface_name" type="s" direction="in"/>
+ <arg name="props" type="a{sv}" direction="out"/>
+ </method>
+ <signal name="PropertiesChanged">
+ <arg name="interface_name" type="s"/>
+ <arg name="changed_properties" type="a{sv}"/>
+ <arg name="invalidated_properties" type="as"/>
+ </signal>
+ </interface>
+ <interface name="org.fedorahosted.certmonger.ca">
+ <method name="get_config_file_path">
+ <arg name="path" type="s" direction="out"/>
+ </method>
+ <method name="get_nickname">
+ <arg name="nickname" type="s" direction="out"/>
+ </method>
+ <property name="nickname" type="s" access="read"/>
+ <property name="aka" type="s" access="read"/>
+ <method name="get_is_default">
+ <arg name="default" type="b" direction="out"/>
+ </method>
+ <property name="is-default" type="b" access="readwrite"/>
+ <method name="get_type">
+ <arg name="type" type="s" direction="out"/>
+ </method>
+ <method name="get_serial">
+ <arg name="serial_hex" type="s" direction="out"/>
+ </method>
+ <method name="get_location">
+ <arg name="path" type="s" direction="out"/>
+ </method>
+ <property name="external-helper" type="s" access="readwrite"/>
+ <method name="get_issuer_names">
+ <arg name="names" type="as" direction="out"/>
+ </method>
+ <method name="refresh">
+ <arg name="working" type="b" direction="out"/>
+ </method>
+ <property name="ca-error" type="s" access="read"/>
+ <property name="issuer-names" type="as" access="read"/>
+ <property name="root-certs" type="a(ss)" access="read"/>
+ <property name="root-other-certs" type="a(ss)" access="read"/>
+ <property name="other-certs" type="a(ss)" access="read"/>
+ <property name="required-enroll-attributes" type="as" access="read"/>
+ <property name="required-renew-attributes" type="as" access="read"/>
+ <property name="supported-profiles" type="as" access="read"/>
+ <property name="default-profile" type="s" access="read"/>
+ <property name="root-cert-files" type="as" access="readwrite"/>
+ <property name="root-other-cert-files" type="as" access="readwrite"/>
+ <property name="other-cert-files" type="as" access="readwrite"/>
+ <property name="root-cert-nssdbs" type="as" access="readwrite"/>
+ <property name="root-other-cert-nssdbs" type="as" access="readwrite"/>
+ <property name="other-cert-nssdbs" type="as" access="readwrite"/>
+ <property name="ca-presave-command" type="s" access="read"/>
+ <property name="ca-presave-uid" type="s" access="read"/>
+ <property name="ca-postsave-command" type="s" access="read"/>
+ <property name="ca-postsave-uid" type="s" access="read"/>
+ <property name="scep-cipher" type="s" access="readwrite"/>
+ <property name="scep-digest" type="s" access="readwrite"/>
+ <property name="scep-ca-identifier" type="s" access="readwrite"/>
+ <property name="scep-ca-capabilities" type="as" access="read"/>
+ <property name="scep-ra-cert" type="s" access="read"/>
+ <property name="scep-ca-cert" type="s" access="read"/>
+ <property name="scep-other-certs" type="s" access="read"/>
+ </interface>
+</node>
+
+[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_config_file_path ]
+$tmpdir/cas/20180327134236-3
+
+[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_nickname ]
+dogtag-ipa-renew-agent
+
+[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_is_default ]
+0
+
+[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_type ]
+EXTERNAL
+
+[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_serial ]
+None
+
+[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_location ]
+$libexecdir/dogtag-ipa-renew-agent-submit
+
+[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.get_issuer_names ]
+dbus.Array([], signature=dbus.Signature('s'))
+
+[ /org/fedorahosted/certmonger/cas/CA5: org.fedorahosted.certmonger.ca.refresh ]
+1
+
--
2.38.1


@ -1,24 +0,0 @@
From 6224c3aa01665edddbda1ec7d1e35b03823eefcb Mon Sep 17 00:00:00 2001
From: root <root@ci-vm-10-0-137-168.hosted.upshift.rdu2.redhat.com>
Date: Wed, 7 Dec 2022 14:50:01 -0500
Subject: [PATCH] Don't run the 002-keygen-* tests when root
The permissions tests will fail.
---
tests/002-keygen-dbm/prequal.sh | 5 +++++
1 file changed, 5 insertions(+)
create mode 100755 tests/002-keygen-dbm/prequal.sh
diff --git a/tests/002-keygen-dbm/prequal.sh b/tests/002-keygen-dbm/prequal.sh
new file mode 100755
index 0000000..b6c16e0
--- /dev/null
+++ b/tests/002-keygen-dbm/prequal.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+if test `id -u` -eq 0 ; then
+ echo "This test won't work right if run as root."
+ exit 1
+fi
--
2.31.1


@ -1,47 +1,69 @@
%if 0%{?fedora} > 15 || 0%{?rhel} > 6
%global systemd 1
%global sysvinit 0
%else
%global systemd 0
%global sysvinit 1
%endif
%if 0%{?fedora} > 15 && 0%{?fedora} < 20
%global systemdsysv 1
%else
%global systemdsysv 0
%endif
%if 0%{?fedora} > 14 || 0%{?rhel} > 6
%global tmpfiles 1
%else
%global tmpfiles 0
%endif
%if 0%{?fedora} > 9 || 0%{?rhel} > 5
%global sysvinitdir %{_initddir}
%else
%global sysvinitdir %{_initrddir}
%endif
%bcond_without xmlrpc
%bcond_with xmlrpc
Name: certmonger
Version: 0.79.17
Release: 2%{?dist}
Version: 0.79.20
Release: 3%{?dist}
Summary: Certificate status monitor and PKI enrollment client
Group: System Environment/Daemons
License: GPLv3+
License: GPL-3.0-or-later
URL: http://pagure.io/certmonger/
Source0: http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz
#Source1: http://releases.pagure.org/certmonger/certmonger-%%{version}.tar.gz.sig
Patch0001: 0001-Revert-Remove-the-certmaster-CA-from-the-028-dbus-te.patch
Patch0002: 0002-Don-t-run-the-002-keygen-tests-when-root.patch
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: gettext-devel
BuildRequires: gcc
BuildRequires: openldap-devel
BuildRequires: krb5-devel
BuildRequires: libidn2-devel
BuildRequires: python3-dbus
BuildRequires: dbus-devel
BuildRequires: nspr-devel
BuildRequires: nss-devel
BuildRequires: openssl-devel
BuildRequires: dbus-devel, nspr-devel, nss-devel, openssl-devel
%if 0%{?fedora} >= 12 || 0%{?rhel} >= 6
BuildRequires: libuuid-devel
%else
BuildRequires: e2fsprogs-devel
%endif
BuildRequires: libtalloc-devel, libtevent-devel
%if 0%{?rhel} >= 6 || 0%{?fedora} >= 9
BuildRequires: libcurl-devel
%else
BuildRequires: curl-devel
%endif
BuildRequires: libxml2-devel
%if %{with xmlrpc}
BuildRequires: xmlrpc-c-devel
%endif
BuildRequires: jansson-devel
%if 0%{?rhel} && 0%{?rhel} < 6
BuildRequires: bind-libbind-devel
BuildRequires: mktemp
%endif
# Required for 'make check':
# for diff and cmp
BuildRequires: diffutils
@ -58,10 +80,9 @@ BuildRequires: /usr/bin/dos2unix
BuildRequires: /usr/bin/unix2dos
# for which
BuildRequires: /usr/bin/which
# for dbus tests
BuildRequires: python3-dbus
BuildRequires: popt-devel
# for make check
BuildRequires: python3-devel
BuildRequires: krb5-devel
# we need a running system bus
Requires: dbus
@ -69,6 +90,7 @@ Requires(post): %{_bindir}/dbus-send
%if %{systemd}
BuildRequires: systemd-units
BuildRequires: make
Requires(post): systemd-units
Requires(preun): systemd-units, dbus, sed
Requires(postun): systemd-units
@ -90,6 +112,10 @@ Requires(post): /sbin/chkconfig, /sbin/service
Requires(preun): /sbin/chkconfig, /sbin/service, dbus, sed
%endif
%if 0%{?fedora} >= 15
# Certain versions of libtevent have incorrect internal ABI versions.
Conflicts: libtevent < 0.9.13
%endif
%description
Certmonger is a service which is primarily concerned with getting your
@ -98,6 +124,12 @@ system enrolled with a certificate authority (CA) and keeping it enrolled.
%prep
%autosetup -p1
%if 0%{?rhel} > 0
# Enabled by default for RHEL for bug #765600, still disabled by default for
# Fedora pending a similar bug report there.
sed -i 's,^# chkconfig: - ,# chkconfig: 345 ,g' sysvinit/certmonger.in
%endif
%build
autoreconf -i -f
%configure \
@ -114,6 +146,7 @@ autoreconf -i -f
%if %{with xmlrpc}
--with-xmlrpc \
%endif
--disable-dsa \
--with-tmpdir=/run/certmonger --enable-pie --enable-now
%if %{with xmlrpc}
# For some reason, some versions of xmlrpc-c-config in Fedora and RHEL just
@ -131,10 +164,6 @@ install -m755 -d $RPM_BUILD_ROOT/run/certmonger
%{find_lang} %{name}
%check
# Seed then openssl RNG if not set
if [ ! -e $HOME/.rnd ] ; then
openssl rand -writerand $HOME/.rnd
fi
make check
%post
@ -212,7 +241,6 @@ exit 0
%endif
%files -f %{name}.lang
%defattr(-,root,root,-)
%doc README.md LICENSE STATUS doc/*.txt
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/*
%{_datadir}/dbus-1/services/*
@ -236,106 +264,155 @@ exit 0
%endif
%changelog
* Wed Dec 7 2022 Rob Crittenden <rcritten@redhat.com> - 0.79.17-2
- Skip the keygen tests when executed as root.
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 0.79.20-3
- Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018
* Tue Dec 6 2022 Rob Crittenden <rcritten@redhat.com> - 0.79.17-1
- Update to upstream 0.79.17 (#2139523)
- Certificate format validation when adding the SCEP server's CA (#2150025)
- Certmonger SCEP renewal should not use old challenges (#2150030)
- certmonger SEGV during rekey in FIPS mode (#2150070)
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 0.79.20-2
- Bump release for June 2024 mass rebuild
* Mon Oct 18 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.13-5
- certmonger creates CSRs with invalid DER syntax for X509v3 extensions
with critical=FALSE (#2012258)
* Mon Jun 10 2024 Rob Crittenden <rcritten@redhat.com> - 0.79.20-1
- Update to upstream 0.79.20
* Wed Oct 06 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.13-4
- Certmonger SCEP renewal should not use old challenges (#1577570)
- Certmonger segfault after cert renewal request (#1881500)
- Include certificate NotBefore date in output of the 'getcert list' command
(#1940261)
- Certmonger certificates stuck in NEED_GUIDANCE (#2001079)
* Tue Feb 20 2024 Rob Crittenden <rcritten@redhat.com> - 0.79.19-5
- Update tests to be compatible with OpenSSL 3.2
* Wed Apr 28 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.13-3
- Fix local CA to work under FIPS (#1950132)
* Tue Jan 23 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.19-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Tue Nov 10 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.13-2
- Rebuild with xmlrpc-c support enabled (#1687698)
* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.19-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Wed Oct 28 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.13-1
- Rebase to 0.79.13 (#1891743)
* Fri Dec 22 2023 Florian Weimer <fweimer@redhat.com> - 0.79.19-2
- Fix C compatibility issues
* Thu Jul 30 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-15
- Replace the previous fix for dbus restarting with PartOf in the
certmonger systemd service file to link the two (#1687698)
* Tue Oct 10 2023 Rob Crittenden <rcritten@redhat.com> - 0.79.19-1
- Update to upstream 0.79.19
* Tue Jun 2 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-14
- Include &message=CA-IDENT with GetCACaps/GetCACert requests (#1843009)
* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.18-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Mon May 18 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-13
- Exit gracefully if dbus is restarted (#1687698)
* Wed Apr 05 2023 Rob Crittenden <rcritten@redhat.com> - 0.79.18-1
- Update to upstream 0.79.18
* Thu May 14 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-12
- Add long command-line options to man pages and help output (#1782838)
* Thu Feb 23 2023 Rob Crittenden <rcritten@redhat.com> - 0.79.17-4
- migrated to SPDX license
* Mon May 4 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-11
- Fix test failure in 039-fromfile
* Wed Jan 18 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.17-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Mon May 4 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-10
- Ensure that files read in have a trailing new-line (#1829490)
* Tue Dec 6 2022 Rob Crittenden <rcritten@redhat.com> - 0.79.17-2
- Rename DBus service and conf files to match canonical name (#2151243)
* Thu Apr 30 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-9
- Call the secport equivalent of PR_ErrorToString
- Remove a couple of unused varaibles found by coverity
* Wed Nov 30 2022 Rob Crittenden <rcritten@redhat.com> - 0.79.17-1
- Update to upstream 0.79.17
* Mon Apr 13 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.7-8
- Move systemd tmpfiles from /var/run to /run (#1804928)
- Improve logging in the SCEP helper (#1807691)
- Fix sort order of certificates passed into PKCS7_verify (#1808052)
- Add -N option to SCEP helper to separate web server chain from
SCEP issuer chain (#1808613)
- Add template profile, MS v2 template and issuer to getcert list
output (#1734451)
* Thu Aug 25 2022 Rob Crittenden <rcritten@redhat.com> - 0.79.16-1
- Update to upstream 0.79.16
* Tue Dec 17 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-7
- Update gating requirements
* Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.15-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Mon Dec 16 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-6
- Rebuild
* Mon Apr 11 2022 Rob Crittenden <rcritten@redhat.com> - 0.79.15-3
- Disable DSA key support. They do not work in FIPS mode at all and
are disabled by crypto policy by default.
* Mon Dec 2 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-5
- Fix use-after-free issue when retrieving CA chain (#1710632)
* Wed Jan 19 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.15-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Mon Dec 2 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-4
- Optimize closing of file descriptors on fork (#1763745)
- Remove NOMODDB flag flag from context init, look for full tokens (#1746543)
- Retrieve full IPA CA chain (#1710632)
* Wed Jan 5 2022 Rob Crittenden <rcritten@redhat.com> - 0.79.15-1
- Update to upstream 0.79.15
* Tue May 14 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-3
- Rebuild for new annobin (#1708095)
* Tue Oct 05 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.14-6
- Don't encode critical=FALSE in X509v3 extensions
* Fri May 10 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-2
- Rebuild for new annobin (#1708095)
* Wed Sep 29 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.14-5
- Fix FTBFS due to OpenSSL 3.0.0 API change between beta1 and 2.
* Thu May 9 2019 Alexander Bokovoy <abokovoy@redhat.com> - 0.79.7-1
- Rebase to 0.79.7 (#1708095)
* Wed Sep 15 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.14-4
- Port to OpenSSL 3.0.0
* Mon Oct 8 2018 Rob Crittenden <rcritten@redhat.com> - 0.79.6-5
- Address more issues uncovered by static analysis (#1632449)
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 0.79.14-3
- Rebuilt with OpenSSL 3.0.0
* Tue Oct 2 2018 Rob Crittenden <rcritten@redhat.com> - 0.79.6-4
- Improve handling of NSS tokens (#1624930)
- Pull in upstream fixes discovered in coverity and clang (#1632449)
* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.14-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Mon Aug 13 2018 Rob Crittenden <rcritten@redhat.com> - 0.79.6-3
- Add BuildRequires on python3-devel (#1615507)
* Tue Jun 15 2021 Rob Crittenden <rcritten@redhat.com> - 0.79.14-1
- Update to upstream 0.79.14
* Thu Aug 2 2018 Rob Crittenden <rcritten@redhat.com> - 0.79.6-2
- Fix test failure on some platforms
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.13-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Wed Aug 1 2018 Rob Crittenden <rcritten@redhat.com> - 0.79.6-1
* Tue Oct 20 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.13-1
- Update to upstream 0.79.13
* Mon Oct 5 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.12-1
- Update to upstream 0.79.12
* Fri Sep 18 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.11-4
- Don't send SIGKILL to child processes to terminate them
- Switch to JSON for communication with IPA
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.11-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jun 30 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.11-2
- Fix for an unnecessary free() which can cause core dump.
* Tue Jun 30 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.11-1
- Update to upstream 0.79.11
* Thu Jun 25 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.10-1
- Update to upstream 0.79.10
* Thu Jan 30 2020 Rob Crittenden <rcritten@redhat.com> - 0.79.9-1
- Update to upstream 0.79.9
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.8-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Wed Oct 30 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.8-3
- Change python2-dbus build dependency to python3
- Convert tests to pass under python 3
- Skip DSA tests because it is disabled by default crypto policy
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.8-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Wed Jul 17 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.8-1
- Update to upstream 0.79.8
* Wed May 22 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-3
- Add BuildRequires for krb5-devel, the buildroot changed.
* Mon May 20 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-2
- Move systemd tmpfiles from /var/run to /run (upstream #111)
- Change /var/run -> /run in systemd service file
* Mon Feb 18 2019 Rob Crittenden <rcritten@redhat.com> - 0.79.7-1
- Update to upstream 0.79.7
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.6-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Thu Oct 4 2018 Rob Crittenden <rcritten@redhat.com> - 0.79.6-4
- Pull in upstream fixes discovered in coverity and clang.
* Mon Oct 1 2018 Rob Crittenden <rcritten@redhat.com> - 0.79.6-3
- Improve NSS token handling. The updated NSS crypto-policy enables all
tokens which broke requesting certificates due to the way that tokens
were managed.
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.79.6-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Tue May 8 2018 Rob Crittenden <rcritten@redhat.com> - 0.79.6-1
- Update to upstream 0.79.6
- Fix unit tests to work with python 3
* Wed Mar 14 2018 Iryna Shcherbina <ishcherb@redhat.com> - 0.79.5-7
- Update Python 2 dependency declarations to new packaging standards
(See https://fedoraproject.org/wiki/FinalizingFedoraSwitchtoPython3)
* Fri Feb 23 2018 Rob Crittenden <rcritten@redhat.com> 0.79.5-6
- Fix unit tests. NSS crypto policy disallows keys < 1024
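Review bot: Tarball integrity in this spec rests solely on the SHA512 line in `sources`: `Source0` is fetched over plain http and the upstream signature at `#Source1` is commented out, so nothing in the build verifies the release signature (both lines appear to be unchanged context, but the gap carries over into the new branch). Consider switching the URLs to https, enabling `Source1: http://releases.pagure.org/certmonger/certmonger-%{version}.tar.gz.sig` together with the maintainer's public key as a further source, and verifying in `%prep` with `%{gpgverify} --keyring=%{SOURCE2} --signature=%{SOURCE1} --data=%{SOURCE0}` before `%autosetup -p1`. Which of the paired lines in this rendering are old and which are new (for instance `%bcond_without xmlrpc` / `%bcond_with xmlrpc`, or the two `BuildRequires: python3-dbus` entries) cannot be recovered here, so I have not commented on those.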

8
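--- /dev/null
+++ b/gating.yaml
@@ -0,0 +1,8 @@
+# recipients: abokovoy, frenaud, kaleem, ftrivino
+--- !Policy
+product_versions:
+- rhel-10
+decision_context: osci_compose_gate
+rules:
+- !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
+- !PassingTestCaseRule {test_case_name: idm-ci.brew-build.tier1.functional}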
1
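--- /dev/null
+++ b/sources
@@ -0,0 +1 @@
+SHA512 (certmonger-0.79.20.tar.gz) = 76685185172bbf2c766c477c399ce0b14c9fd2d81637b44b8da80ae045ebf6c650ae3d525a87dccd755a6c92d4a5916bb62f8ea1d8520c47ae64770be6a5d2be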
1
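--- /dev/null
+++ b/tests/.fmf/version
@@ -0,0 +1 @@
+1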
5
tests/provision.fmf Normal file

@ -0,0 +1,5 @@
---
standard-inventory-qcow2:
qemu:
m: 2G

18
tests/tests.yml Normal file

@ -0,0 +1,18 @@
---
- hosts: localhost
tags: [ always ]
tasks:
- set_fact:
our_required_packages:
- wget # upstream-testsuite-execution-and-rebuild-test needs wget command
- yum-utils # upstream-testsuite-execution-and-rebuild-test needs yum-builddep command
- rpm-build # upstream-testsuite-execution-and-rebuild-test needs rpmbuild command
- hosts: localhost
tags:
- classic
roles:
- role: standard-test-beakerlib
tests:
- upstream-testsuite-execution-and-rebuild-test
required_packages: "{{ our_required_packages }}"


@ -0,0 +1,72 @@
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Makefile of /CoreOS/sudo/Sanity/upstream-testsuite-execution-and-rebuild-test
# Description: This test rebuild sudo source rpm and checks that rebuild is OK. The second - main - part is about upstream testsuite execution.
# Author: Ales Marecek <amarecek@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
#
# This copyrighted material is made available to anyone wishing
# to use, modify, copy, or redistribute it subject to the terms
# and conditions of the GNU General Public License version 2.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Based on sudo rebuild test
export TEST=/CoreOS/certmonger/Sanity/upstream-testsuite-execution-and-rebuild-test
export TESTVERSION=1.0
BUILT_FILES=
FILES=$(METADATA) runtest.sh Makefile PURPOSE
.PHONY: all install download clean
run: $(FILES) build
./runtest.sh
build: $(BUILT_FILES)
test -x runtest.sh || chmod a+x runtest.sh
clean:
rm -f *~ $(BUILT_FILES)
include /usr/share/rhts/lib/rhts-make.include
$(METADATA): Makefile
@echo "Owner: Rob Crittenden <rcritten@redhat.com>" > $(METADATA)
@echo "Name: $(TEST)" >> $(METADATA)
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
@echo "Path: $(TEST_DIR)" >> $(METADATA)
@echo "Description: This test rebuild sudo source rpm and checks that rebuild is OK. The second - main - part is about upstream testsuite execution." >> $(METADATA)
@echo "Type: Sanity" >> $(METADATA)
@echo "TestTime: 30m" >> $(METADATA)
@echo "RunFor: sudo" >> $(METADATA)
@echo "Requires: sudo" >> $(METADATA)
@echo "Requires: sed" >> $(METADATA)
@echo "Requires: grep" >> $(METADATA)
@echo "Requires: rpm-build" >> $(METADATA)
@echo "Requires: yum-utils" >> $(METADATA)
@echo "Requires: make" >> $(METADATA)
@echo "Requires: libcap-devel" >> $(METADATA)
@echo "Requires: audit-libs-devel" >> $(METADATA)
@echo "Priority: Normal" >> $(METADATA)
@echo "License: GPLv2" >> $(METADATA)
@echo "Confidential: no" >> $(METADATA)
@echo "Destructive: no" >> $(METADATA)
rhts-lint $(METADATA)
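Review bot: The Beaker metadata still describes the sudo test this Makefile was copied from: `RunFor: sudo` and `Requires: sudo` (plus `libcap-devel` and `audit-libs-devel`, which are sudo build dependencies), and both the header comment and the `$(METADATA)` rule say the test rebuilds the sudo source rpm, while `TEST` and the PURPOSE file name certmonger. With `RunFor: sudo` the harness will associate this test with the wrong package. Change the two lines to `@echo "RunFor: certmonger" >> $(METADATA)` and `@echo "Requires: certmonger" >> $(METADATA)`, reword the two Description strings to say certmonger, and drop or replace the sudo-specific `-devel` requirements.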


@ -0,0 +1,3 @@
PURPOSE of /CoreOS/certmonger/Sanity/upstream-testsuite-execution-and-rebuild-test
Description: This test rebuild certmonger source rpm and checks that rebuild is OK. The second - main - part is about upstream testsuite execution.
Author: Rob Crittenden <rcritten@redhat.com>


@ -0,0 +1,83 @@
#!/bin/bash
# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# runtest.sh of /CoreOS/sudo/Sanity/upstream-testsuite-execution-and-rebuild-test
# Description: This test rebuild sudo source rpm and checks that rebuild is OK. The second - main - part is about upstream testsuite execution.
# Author: Ales Marecek <amarecek@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2013 Red Hat, Inc. All rights reserved.
#
# This copyrighted material is made available to anyone wishing
# to use, modify, copy, or redistribute it subject to the terms
# and conditions of the GNU General Public License version 2.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Based on sudo rebuild test
# Include Beaker environment
. /usr/bin/rhts-environment.sh || exit 1
. /usr/share/beakerlib/beakerlib.sh || exit 1
PACKAGE="certmonger"
_SPEC_DIR="$(rpm --eval=%_specdir)"
_BUILD_DIR="$(rpm --eval=%_builddir)"
_LOG_REBUILD_F="${PACKAGE}-rebuild.log"
_LOG_TESTSUITE_F="${PACKAGE}-testsuite.log"
rlJournalStart
rlPhaseStartSetup
rlAssertRpm $PACKAGE
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
rlRun "pushd $TmpDir"
# Source package is needed for code inspection
rlFetchSrcForInstalled "${PACKAGE}" || yumdownloader --source "${PACKAGE}"
rlRun "find . -size 0 -delete" 0 "Remove empty src.rpm-s"
rlRun "yum-builddep -y --nogpgcheck ${PACKAGE}-*.src.rpm" 0 "Installing build dependencies"
[ -d ${_BUILD_DIR} ] && rlRun "rm -rf ${_BUILD_DIR}/*" 0 "Cleaning build directory"
rlRun "rpm -ivh ${PACKAGE}-*.src.rpm" 0 "Installing source rpm"
rlPhaseEnd
rlPhaseStartTest
rlRun "QA_RPATHS=0x0002 rpmbuild -ba --noclean ${_SPEC_DIR}/${PACKAGE}.spec" 0 "Test: Rebuild of source '${PACKAGE}' package"
rlGetPhaseState
if [ $? -eq 0 ]; then
[ -d ${_BUILD_DIR} ] && rlRun "rm -rf ${_BUILD_DIR}/*-SPECPARTS" 0 "Cleaning SPECPARTS directory"
cd ${_BUILD_DIR}/${PACKAGE}-*
rlRun -s "make check" 0 "Test: Upstream testsuite"
cd ${TmpDir}
while read -r I; do
if [[ "$I" =~ $(echo '([^:]+): .+ tests run, .+ errors, (.*)% success rate') ]]; then
[[ "${BASH_REMATCH[2]}" == "100" ]]
rlAssert0 "Test: Checking tests of '${BASH_REMATCH[1]}'" $?
elif [[ "$I" =~ $(echo "([^:]+): .+ tests passed; (.+)/.+ tests failed") ]]; then
[[ "${BASH_REMATCH[2]}" == "0" ]]
rlAssert0 "Test: Checking tests of '${BASH_REMATCH[1]}'" $?
fi
done < $rlRun_LOG
rm -f $rlRun_LOG
else
rlFail "Skipping testsuite part because rebuild part failed."
fi
rlPhaseEnd
rlPhaseStartCleanup
rlRun "popd"
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
rlPhaseEnd
rlJournalPrintText
rlJournalEnd
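Review bot: The cleanup guards `[ -d ${_BUILD_DIR} ] && rlRun "rm -rf ${_BUILD_DIR}/*"` (in the setup phase and again before `make check`) do not protect against `_BUILD_DIR` being empty: `[ -d ]` with no operand evaluates true, so if `rpm --eval=%_builddir` ever produced no output the command would expand to `rm -rf /*`. Use `[ -n "${_BUILD_DIR}" ] && [ -d "${_BUILD_DIR}" ] && rlRun "rm -rf ${_BUILD_DIR:?}/*" 0 "Cleaning build directory"` so an unset value aborts instead of deleting outside the build tree. Separately, `yum-builddep -y --nogpgcheck` installs unverified build dependencies onto the test host; unless the CI repositories are known to be unsigned, drop `--nogpgcheck` so package signatures are checked. The unchecked `cd ${_BUILD_DIR}/${PACKAGE}-*` would run `make check` in the wrong directory if the glob does not match; `cd ${_BUILD_DIR}/${PACKAGE}-* || rlDie "build directory not found"` makes that failure explicit.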