import pki-core-10.11.0-0.3.alpha3.module+el8.5.0+11413+57da3eb7
parent
f531904111
commit
1baf7e2e12
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/pki-10.10.5.tar.gz
|
||||
SOURCES/pki-10.11.0-alpha3.tar.gz
|
||||
|
@ -1 +1 @@
|
||||
61641f173fb9de15b4f16bdcef95ca97479bc947 SOURCES/pki-10.10.5.tar.gz
|
||||
a0707cfdb0ae99679e4d101261d8e2a59a90b6d7 SOURCES/pki-10.11.0-alpha3.tar.gz
|
||||
|
@ -1,31 +0,0 @@
|
||||
From 82eaf721ea35d7e6ad5bcdb4c1a5f5862aeed59c Mon Sep 17 00:00:00 2001
|
||||
From: "Endi S. Dewata" <edewata@redhat.com>
|
||||
Date: Mon, 17 May 2021 17:39:50 -0500
|
||||
Subject: [PATCH] Fix permission for existing installation logs
|
||||
|
||||
The spec file has been updated to remove world access
|
||||
from existing installation logs in /var/log/pki.
|
||||
|
||||
Resolves: CVE-2021-3551
|
||||
---
|
||||
pki.spec | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/pki.spec b/pki.spec
|
||||
index a9ea345d8f..64bfd4fe7d 100644
|
||||
--- a/pki.spec
|
||||
+++ b/pki.spec
|
||||
@@ -991,6 +991,10 @@ fi
|
||||
## from EITHER 'sysVinit' OR previous 'systemd' processes to the new
|
||||
## PKI deployment process
|
||||
|
||||
+# CVE-2021-3551
|
||||
+# Remove world access from existing installation logs
|
||||
+find /var/log/pki -maxdepth 1 -type f -exec chmod o-rwx {} \;
|
||||
+
|
||||
# Reload systemd daemons on upgrade only
|
||||
if [ "$1" == "2" ]
|
||||
then
|
||||
--
|
||||
2.30.2
|
||||
|
@ -1,49 +0,0 @@
|
||||
From 7da63502137eb8c111b8ae5b5426aec8f7ebdf6b Mon Sep 17 00:00:00 2001
|
||||
From: "Endi S. Dewata" <edewata@redhat.com>
|
||||
Date: Mon, 17 May 2021 15:39:44 -0500
|
||||
Subject: [PATCH] Fix permission for new installation logs
|
||||
|
||||
The enable_pki_logger() has been updated to disable
|
||||
world access for new installation logs to be created
|
||||
in /var/log/pki.
|
||||
|
||||
Resolves: CVE-2021-3551
|
||||
---
|
||||
.../python/pki/server/deployment/pkilogging.py | 12 ++++++++++--
|
||||
1 file changed, 10 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/base/server/python/pki/server/deployment/pkilogging.py b/base/server/python/pki/server/deployment/pkilogging.py
|
||||
index 089a292559..0926173700 100644
|
||||
--- a/base/server/python/pki/server/deployment/pkilogging.py
|
||||
+++ b/base/server/python/pki/server/deployment/pkilogging.py
|
||||
@@ -21,8 +21,12 @@
|
||||
# System Imports
|
||||
from __future__ import absolute_import
|
||||
import logging
|
||||
+import os
|
||||
+import pathlib
|
||||
import pprint
|
||||
|
||||
+import pki
|
||||
+
|
||||
sensitive_parameters = []
|
||||
|
||||
# Initialize 'pretty print' for objects
|
||||
@@ -51,8 +55,12 @@ def enable_pki_logger(filename, name):
|
||||
console_format = logging.Formatter('%(levelname)s: %(message)s')
|
||||
console.setFormatter(console_format)
|
||||
|
||||
- # Configure file handler
|
||||
- log_file = logging.FileHandler(filename, 'w')
|
||||
+ # Create an empty file with the proper permission
|
||||
+ pathlib.Path(filename).touch()
|
||||
+ os.chmod(filename, pki.server.DEFAULT_FILE_MODE)
|
||||
+
|
||||
+ # Configure file handler with append mode to preserve the permission
|
||||
+ log_file = logging.FileHandler(filename)
|
||||
file_format = logging.Formatter('%(asctime)s %(levelname)s: %(message)s',
|
||||
'%Y-%m-%d %H:%M:%S')
|
||||
log_file.setFormatter(file_format)
|
||||
--
|
||||
2.30.2
|
||||
|
@ -1,170 +0,0 @@
|
||||
From 608e9bbe537aba314b124ceef70f9b606ab7e121 Mon Sep 17 00:00:00 2001
|
||||
From: Fraser Tweedale <ftweedal@redhat.com>
|
||||
Date: Wed, 13 Jan 2021 18:27:46 +1100
|
||||
Subject: [PATCH] Fix renewal profile approval process
|
||||
|
||||
Due to a recent change in PKI CLI, the CLI now passes along user
|
||||
authentication with submissions to the renewal endpoint. Unlike the EE
|
||||
pages, the REST API has passed along this authentication for a while.
|
||||
Due to a bug in the RenewalProcessor, requests with credentials against
|
||||
profiles with no authentication method and no ACLs result in the
|
||||
certificiate automatically being approved. This occurs because, when
|
||||
an earlier commit (cb9eb967b5e24f5fde8bbf8ae87aa615b7033db7) modified
|
||||
the code to allow Light-Weight SubCAs to issue certificates, validation
|
||||
wasn't done on the passed principal, to see if it was a trusted agent.
|
||||
Because profiles requring Agent approval have an empty ACL list (as, no
|
||||
user should be able to submit a certificate request and have it
|
||||
automatically signed without agent approval), authorize allows any user
|
||||
to approve this request and thus accepts the AuthToken.
|
||||
|
||||
Critical analysis: the RenewalProcessor code interprets (authToken
|
||||
!= null) as evidence that the authenticated user is /authorized/ to
|
||||
immediately issue the certificate. This mismatch of concerns (authn
|
||||
vs authz) resulted in a misunderstanding of system behaviour. The
|
||||
"latent" AuthToken (from the HTTP request) was assigned to authToken
|
||||
without realising that authorization needed to be performed.
|
||||
|
||||
We fix this by splitting the logic on whether the profile defines an
|
||||
authenticator. If so, we (re)authenticate and authorize the user
|
||||
according to the profile configuration.
|
||||
|
||||
If the profile does not define an authenticator but there is a
|
||||
principal in the HTTP request, if (and only if) the user has
|
||||
permission to approve certificate requests *and* the requested
|
||||
renewal profile is caManualRenewal (which is hardcoded to be used
|
||||
for LWCA renewal), then we issue the certificate immediately. This
|
||||
special case ensures that LWCA renewal keeps working.
|
||||
|
||||
Otherwise, if there is no principal in the HTTP request or the
|
||||
principal does not have permission to approve certificate requests,
|
||||
we leave the authToken unset. The resulting renewal request will be
|
||||
created with status PENDING, i.e. enqueued for agent review.
|
||||
|
||||
Signed-off-by: Fraser Tweedale <ftweedal@redhat.com>
|
||||
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
|
||||
---
|
||||
.../com/netscape/ca/CertificateAuthority.java | 10 +++
|
||||
.../cms/servlet/cert/RenewalProcessor.java | 75 +++++++++++++++++--
|
||||
2 files changed, 79 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java
|
||||
index 560507168a..431ce9ff78 100644
|
||||
--- a/base/ca/src/com/netscape/ca/CertificateAuthority.java
|
||||
+++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java
|
||||
@@ -1929,6 +1929,16 @@ public class CertificateAuthority
|
||||
}
|
||||
|
||||
ProfileSubsystem ps = engine.getProfileSubsystem();
|
||||
+ /* NOTE: hard-coding the profile to use for Lightweight CA renewal
|
||||
+ * might be OK, but caManualRenewal was not the right one to use.
|
||||
+ * As a consequence, we have an undesirable special case in
|
||||
+ * RenewalProcessor.processRenewal().
|
||||
+ *
|
||||
+ * We should introduce a new profile specifically for LWCA renewal,
|
||||
+ * with an authenticator and ACLs to match the authz requirements
|
||||
+ * for the renewAuthority REST resource itself. Then we can use
|
||||
+ * it here, and remove the workaround from RenewalProcessor.
|
||||
+ */
|
||||
Profile profile = ps.getProfile("caManualRenewal");
|
||||
CertEnrollmentRequest req = CertEnrollmentRequestFactory.create(
|
||||
new ArgBlock(), profile, httpReq.getLocale());
|
||||
diff --git a/base/ca/src/com/netscape/cms/servlet/cert/RenewalProcessor.java b/base/ca/src/com/netscape/cms/servlet/cert/RenewalProcessor.java
|
||||
index 4293cdd064..fd20f48267 100644
|
||||
--- a/base/ca/src/com/netscape/cms/servlet/cert/RenewalProcessor.java
|
||||
+++ b/base/ca/src/com/netscape/cms/servlet/cert/RenewalProcessor.java
|
||||
@@ -32,6 +32,7 @@ import javax.servlet.http.HttpServletRequest;
|
||||
|
||||
import org.apache.commons.lang3.StringUtils;
|
||||
import org.dogtagpki.server.ca.CAEngine;
|
||||
+import org.dogtagpki.server.authorization.AuthzToken;
|
||||
import org.mozilla.jss.netscape.security.x509.BasicConstraintsExtension;
|
||||
import org.mozilla.jss.netscape.security.x509.X509CertImpl;
|
||||
|
||||
@@ -267,16 +268,78 @@ public class RenewalProcessor extends CertProcessor {
|
||||
|
||||
// before creating the request, authenticate the request
|
||||
IAuthToken authToken = null;
|
||||
- Principal principal = request.getUserPrincipal();
|
||||
- if (principal instanceof PKIPrincipal)
|
||||
- authToken = ((PKIPrincipal) principal).getAuthToken();
|
||||
- if (authToken == null && authenticator != null) {
|
||||
- authToken = authenticate(request, origReq, authenticator, context, true, credentials);
|
||||
+
|
||||
+ if (authenticator != null) {
|
||||
+ /* The profile specifies an authenticator. Use it to
|
||||
+ * authenticate the user. Ignore the "latent" session
|
||||
+ * principal (if any).
|
||||
+ */
|
||||
+ authToken = authenticate(
|
||||
+ request,
|
||||
+ origReq,
|
||||
+ authenticator,
|
||||
+ context,
|
||||
+ true /* isRenewal */,
|
||||
+ credentials);
|
||||
+ } else {
|
||||
+ /* When authenticator is null, we expect manual agent
|
||||
+ * review (leave authToken as null).
|
||||
+ *
|
||||
+ * But as a special case to ensure Lightweight CA (LWCA)
|
||||
+ * renewal works, if there is a latent user in the HTTP
|
||||
+ * request, we use that user (i.e. set authToken to the
|
||||
+ * principal's IAuthToken) if and only if:
|
||||
+ *
|
||||
+ * - The renewal profile is caManualRenewal (LWCA renewal
|
||||
+ * is hardcoded to use this profile); AND
|
||||
+ *
|
||||
+ * - The latent user is authorized to "execute"
|
||||
+ * certificate requests (i.e. agent approval)
|
||||
+ *
|
||||
+ * See also CertificateAuthority.renewAuthority().
|
||||
+ */
|
||||
+
|
||||
+ Principal principal = request.getUserPrincipal();
|
||||
+ if (
|
||||
+ renewProfileId.equals("caManualRenewal")
|
||||
+ && principal instanceof PKIPrincipal
|
||||
+ ) {
|
||||
+ IAuthToken latentToken = ((PKIPrincipal) principal).getAuthToken();
|
||||
+ AuthzToken authzToken = authorize(
|
||||
+ "DirAclAuthz", latentToken, "certServer.ca.certrequests", "execute");
|
||||
+ if (authzToken != null) {
|
||||
+ // Success (no exception); user is authorized to approve
|
||||
+ // cert requests. Set the authToken.
|
||||
+ //
|
||||
+ // NOTE: This authz does not replace or subsume the
|
||||
+ // profile-specific authz check below.
|
||||
+ authToken = latentToken;
|
||||
+ } else {
|
||||
+ // leave authToken as null to enqueue a pending request.
|
||||
+ }
|
||||
+ } else {
|
||||
+ // not caManualRenewal or no latent principal;
|
||||
+ // leave authToken as null to enqueue a pending request.
|
||||
+ }
|
||||
}
|
||||
|
||||
- // authentication success, now authorize
|
||||
+ /* Authorize the request.
|
||||
+ *
|
||||
+ * If authToken != null, it will be checked against ACLs specified
|
||||
+ * in the profile (if any). If ACLs are defined and authToken does
|
||||
+ * not match, throws an authorization exception.
|
||||
+ *
|
||||
+ * If authToken == null, no check is performed (even if the profile
|
||||
+ * defines ACLs). This is fine, because null authToken will cause
|
||||
+ * the request status to be 'pending' [agent approval].
|
||||
+ */
|
||||
authorize(profileId, renewProfile, authToken);
|
||||
|
||||
+ /* At this point, the request will be created. If authToken
|
||||
+ * is non-null, then the certificate will be issued
|
||||
+ * immediately. Otherwise the request will be pending. */
|
||||
+
|
||||
+
|
||||
///////////////////////////////////////////////
|
||||
// create and populate requests
|
||||
///////////////////////////////////////////////
|
||||
--
|
||||
2.26.2
|
||||
|
@ -1,23 +0,0 @@
|
||||
From ab8b87af09b26c3c7ec257e0fb8e5ae931153120 Mon Sep 17 00:00:00 2001
|
||||
From: "Endi S. Dewata" <edewata@redhat.com>
|
||||
Date: Sat, 8 Feb 2020 21:56:41 -0600
|
||||
Subject: [PATCH] Removed dependency on pytest-runner
|
||||
|
||||
---
|
||||
base/server/healthcheck/setup.py | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/base/server/healthcheck/setup.py b/base/server/healthcheck/setup.py
|
||||
index 22db8bd0f..c629e34c0 100644
|
||||
--- a/base/server/healthcheck/setup.py
|
||||
+++ b/base/server/healthcheck/setup.py
|
||||
@@ -32,6 +32,5 @@ setup(
|
||||
'Programming Language :: Python :: 3.6',
|
||||
],
|
||||
python_requires='!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*',
|
||||
- setup_requires=['pytest-runner'],
|
||||
tests_require=['pytest'],
|
||||
)
|
||||
--
|
||||
2.21.0
|
||||
|
@ -1,236 +0,0 @@
|
||||
From 5764a80e5edd7fa38323146261c6b4e498d282dd Mon Sep 17 00:00:00 2001
|
||||
From: "Endi S. Dewata" <edewata@redhat.com>
|
||||
Date: Mon, 17 May 2021 18:17:26 -0500
|
||||
Subject: [PATCH] Use password file when creating admin user
|
||||
|
||||
The pki-server <subsystem>-user-add has been updated to
|
||||
provide a --password-file option. The deployment tool
|
||||
has been modified to use this option when creating the
|
||||
admin user to avoid the password from getting logged in
|
||||
the debug mode.
|
||||
|
||||
Resolves: CVE-2021-3551
|
||||
---
|
||||
base/server/python/pki/server/cli/user.py | 9 ++-
|
||||
.../python/pki/server/deployment/__init__.py | 5 +-
|
||||
base/server/python/pki/server/subsystem.py | 74 +++++++++++--------
|
||||
.../server/cli/SubsystemUserAddCLI.java | 11 +++
|
||||
4 files changed, 66 insertions(+), 33 deletions(-)
|
||||
|
||||
diff --git a/base/server/python/pki/server/cli/user.py b/base/server/python/pki/server/cli/user.py
|
||||
index c00a1acb50..c5c8d52956 100644
|
||||
--- a/base/server/python/pki/server/cli/user.py
|
||||
+++ b/base/server/python/pki/server/cli/user.py
|
||||
@@ -47,6 +47,7 @@ class UserAddCLI(pki.cli.CLI):
|
||||
print(' --full-name <full name> Full name')
|
||||
print(' --email <email> Email')
|
||||
print(' --password <password> Password')
|
||||
+ print(' --password-file <path> Password file')
|
||||
print(' --phone <phone> Phone')
|
||||
print(' --type <type> Type')
|
||||
print(' --state <state> State')
|
||||
@@ -59,7 +60,8 @@ class UserAddCLI(pki.cli.CLI):
|
||||
def execute(self, argv):
|
||||
try:
|
||||
opts, args = getopt.gnu_getopt(argv, 'i:v', [
|
||||
- 'instance=', 'full-name=', 'email=', 'password=',
|
||||
+ 'instance=', 'full-name=', 'email=',
|
||||
+ 'password=', 'password-file=',
|
||||
'phone=', 'type=', 'state=', 'tps-profiles=',
|
||||
'verbose', 'debug', 'help'])
|
||||
|
||||
@@ -73,6 +75,7 @@ class UserAddCLI(pki.cli.CLI):
|
||||
full_name = None
|
||||
email = None
|
||||
password = None
|
||||
+ password_file = None
|
||||
phone = None
|
||||
user_type = None
|
||||
state = None
|
||||
@@ -91,6 +94,9 @@ class UserAddCLI(pki.cli.CLI):
|
||||
elif o == '--password':
|
||||
password = a
|
||||
|
||||
+ elif o == '--password-file':
|
||||
+ password_file = a
|
||||
+
|
||||
elif o == '--phone':
|
||||
phone = a
|
||||
|
||||
@@ -149,6 +155,7 @@ class UserAddCLI(pki.cli.CLI):
|
||||
full_name=full_name,
|
||||
email=email,
|
||||
password=password,
|
||||
+ password_file=password_file,
|
||||
phone=phone,
|
||||
user_type=user_type,
|
||||
tps_profiles=tps_profiles,
|
||||
diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py
|
||||
index 347ab1acdd..6d5f083b47 100644
|
||||
--- a/base/server/python/pki/server/deployment/__init__.py
|
||||
+++ b/base/server/python/pki/server/deployment/__init__.py
|
||||
@@ -373,6 +373,8 @@ class PKIDeployer:
|
||||
|
||||
response = client.setupAdmin(request)
|
||||
|
||||
+ # Run the command as current user such that
|
||||
+ # it can read the temporary password file.
|
||||
subsystem.add_user(
|
||||
uid,
|
||||
full_name=full_name,
|
||||
@@ -380,7 +382,8 @@ class PKIDeployer:
|
||||
password=password,
|
||||
user_type='adminType',
|
||||
state='1',
|
||||
- tps_profiles=tps_profiles)
|
||||
+ tps_profiles=tps_profiles,
|
||||
+ as_current_user=True)
|
||||
|
||||
admin_groups = subsystem.config['preop.admin.group']
|
||||
groups = [x.strip() for x in admin_groups.split(',')]
|
||||
diff --git a/base/server/python/pki/server/subsystem.py b/base/server/python/pki/server/subsystem.py
|
||||
index a3ed0c7f3a..41d8d67c2e 100644
|
||||
--- a/base/server/python/pki/server/subsystem.py
|
||||
+++ b/base/server/python/pki/server/subsystem.py
|
||||
@@ -1335,54 +1335,66 @@ class PKISubsystem(object):
|
||||
full_name=None,
|
||||
email=None,
|
||||
password=None,
|
||||
+ password_file=None,
|
||||
phone=None,
|
||||
user_type=None,
|
||||
state=None,
|
||||
tps_profiles=None,
|
||||
as_current_user=False):
|
||||
|
||||
- cmd = [self.name + '-user-add']
|
||||
+ tmpdir = tempfile.mkdtemp()
|
||||
|
||||
- if full_name:
|
||||
- cmd.append('--full-name')
|
||||
- cmd.append(full_name)
|
||||
+ try:
|
||||
+ if password and not password_file:
|
||||
+ password_file = os.path.join(tmpdir, 'password.txt')
|
||||
+ with open(password_file, 'w') as f:
|
||||
+ f.write(password)
|
||||
|
||||
- if email:
|
||||
- cmd.append('--email')
|
||||
- cmd.append(email)
|
||||
+ cmd = [self.name + '-user-add']
|
||||
|
||||
- if password:
|
||||
- cmd.append('--password')
|
||||
- cmd.append(password)
|
||||
+ if full_name:
|
||||
+ cmd.append('--full-name')
|
||||
+ cmd.append(full_name)
|
||||
|
||||
- if phone:
|
||||
- cmd.append('--phone')
|
||||
- cmd.append(phone)
|
||||
+ if email:
|
||||
+ cmd.append('--email')
|
||||
+ cmd.append(email)
|
||||
|
||||
- if user_type:
|
||||
- cmd.append('--type')
|
||||
- cmd.append(user_type)
|
||||
+ if password_file:
|
||||
+ cmd.append('--password-file')
|
||||
+ cmd.append(password_file)
|
||||
|
||||
- if state:
|
||||
- cmd.append('--state')
|
||||
- cmd.append(state)
|
||||
+ if phone:
|
||||
+ cmd.append('--phone')
|
||||
+ cmd.append(phone)
|
||||
|
||||
- if tps_profiles:
|
||||
- cmd.append('--tps-profiles')
|
||||
- cmd.append(','.join(tps_profiles))
|
||||
+ if user_type:
|
||||
+ cmd.append('--type')
|
||||
+ cmd.append(user_type)
|
||||
|
||||
- if logger.isEnabledFor(logging.DEBUG):
|
||||
- cmd.append('--debug')
|
||||
+ if state:
|
||||
+ cmd.append('--state')
|
||||
+ cmd.append(state)
|
||||
|
||||
- elif logger.isEnabledFor(logging.INFO):
|
||||
- cmd.append('--verbose')
|
||||
+ if tps_profiles:
|
||||
+ cmd.append('--tps-profiles')
|
||||
+ cmd.append(','.join(tps_profiles))
|
||||
|
||||
- cmd.append(user_id)
|
||||
+ if logger.isEnabledFor(logging.DEBUG):
|
||||
+ cmd.append('--debug')
|
||||
|
||||
- self.run(
|
||||
- cmd,
|
||||
- as_current_user=as_current_user,
|
||||
- capture_output=True)
|
||||
+ elif logger.isEnabledFor(logging.INFO):
|
||||
+ cmd.append('--verbose')
|
||||
+
|
||||
+ cmd.append(user_id)
|
||||
+
|
||||
+ self.run(
|
||||
+ cmd,
|
||||
+ as_current_user=as_current_user,
|
||||
+ capture_output=True)
|
||||
+
|
||||
+ finally:
|
||||
+ shutil.rmtree(tmpdir)
|
||||
|
||||
def modify_user(self, user_id, add_see_also=None, del_see_also=None,
|
||||
as_current_user=False):
|
||||
diff --git a/base/server/src/org/dogtagpki/server/cli/SubsystemUserAddCLI.java b/base/server/src/org/dogtagpki/server/cli/SubsystemUserAddCLI.java
|
||||
index 5a385c359f..04d68de758 100644
|
||||
--- a/base/server/src/org/dogtagpki/server/cli/SubsystemUserAddCLI.java
|
||||
+++ b/base/server/src/org/dogtagpki/server/cli/SubsystemUserAddCLI.java
|
||||
@@ -6,6 +6,8 @@
|
||||
package org.dogtagpki.server.cli;
|
||||
|
||||
import java.io.File;
|
||||
+import java.nio.file.Files;
|
||||
+import java.nio.file.Paths;
|
||||
import java.util.Arrays;
|
||||
import java.util.List;
|
||||
|
||||
@@ -60,6 +62,10 @@ public class SubsystemUserAddCLI extends CommandCLI {
|
||||
option.setArgName("password");
|
||||
options.addOption(option);
|
||||
|
||||
+ option = new Option(null, "password-file", true, "Password file");
|
||||
+ option.setArgName("path");
|
||||
+ options.addOption(option);
|
||||
+
|
||||
option = new Option(null, "phone", true, "Phone");
|
||||
option.setArgName("phone");
|
||||
options.addOption(option);
|
||||
@@ -95,11 +101,16 @@ public class SubsystemUserAddCLI extends CommandCLI {
|
||||
|
||||
String email = cmd.getOptionValue("email");
|
||||
String password = cmd.getOptionValue("password");
|
||||
+ String passwordFile = cmd.getOptionValue("password-file");
|
||||
String phone = cmd.getOptionValue("phone");
|
||||
String type = cmd.getOptionValue("type");
|
||||
String state = cmd.getOptionValue("state");
|
||||
String tpsProfiles = cmd.getOptionValue("tps-profiles");
|
||||
|
||||
+ if (passwordFile != null) {
|
||||
+ password = new String(Files.readAllBytes(Paths.get(passwordFile)), "UTF-8").trim();
|
||||
+ }
|
||||
+
|
||||
String catalinaBase = System.getProperty("catalina.base");
|
||||
|
||||
TomcatJSS tomcatjss = TomcatJSS.getInstance();
|
||||
--
|
||||
2.30.2
|
||||
|
@ -12,9 +12,9 @@ License: GPLv2 and LGPLv2
|
||||
|
||||
# For development (i.e. unsupported) releases, use x.y.z-0.n.<phase>.
|
||||
# For official (i.e. supported) releases, use x.y.z-r where r >=1.
|
||||
Version: 10.10.5
|
||||
Release: 3%{?_timestamp}%{?_commit_id}%{?dist}
|
||||
#global _phase -beta1
|
||||
Version: 10.11.0
|
||||
Release: 0.3.alpha3%{?_timestamp}%{?_commit_id}%{?dist}
|
||||
%global _phase -alpha3
|
||||
|
||||
# To create a tarball from a version tag:
|
||||
# $ git archive \
|
||||
@ -31,16 +31,6 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?_phase}/pki-%{ver
|
||||
# > pki-VERSION-RELEASE.patch
|
||||
# Patch: pki-VERSION-RELEASE.patch
|
||||
|
||||
# Do not remove this!! pytest-runner isn't available on RHEL. Removing this
|
||||
# patch will break RHEL builds. The error message is:
|
||||
# BUILDSTDERR: Download error on https://pypi.org/simple/pytest-runner/:
|
||||
# [Errno 111] Connection refused -- Some packages may not be found!
|
||||
Patch1: 0001-Removed-dependency-on-pytest-runner.patch
|
||||
Patch2: 0001-Fix-renewal-profile-approval-process.patch
|
||||
Patch3: 0001-Use-password-file-when-creating-admin-user.patch
|
||||
Patch4: 0001-Fix-permission-for-new-installation-logs.patch
|
||||
Patch5: 0001-Fix-permission-for-existing-installation-logs.patch
|
||||
|
||||
# md2man isn't available on i686. Additionally, we aren't generally multi-lib
|
||||
# compatible (https://fedoraproject.org/wiki/Packaging:Java)
|
||||
# so dropping i686 everywhere but RHEL-8 (which we've already shipped) seems
|
||||
@ -69,15 +59,14 @@ ExcludeArch: i686
|
||||
# Java
|
||||
################################################################################
|
||||
|
||||
%define java_devel java-devel
|
||||
%define java_headless java-headless
|
||||
|
||||
%if 0%{?fedora} >= 33 || 0%{?rhel} > 8
|
||||
%define min_java_version 1:11
|
||||
%define java_home /usr/lib/jvm/java-11-openjdk
|
||||
%if 0%{?fedora} && 0%{?fedora} <= 32 || 0%{?rhel} && 0%{?rhel} <= 8
|
||||
%define java_devel java-1.8.0-openjdk-devel
|
||||
%define java_headless java-1.8.0-openjdk-headless
|
||||
%define java_home /usr/lib/jvm/jre-1.8.0-openjdk
|
||||
%else
|
||||
%define min_java_version 1:1.8.0
|
||||
%define java_home /usr/lib/jvm/java-1.8.0-openjdk
|
||||
%define java_devel java-11-openjdk-devel
|
||||
%define java_headless java-11-openjdk-headless
|
||||
%define java_home /usr/lib/jvm/jre-11-openjdk
|
||||
%endif
|
||||
|
||||
################################################################################
|
||||
@ -94,8 +83,7 @@ ExcludeArch: i686
|
||||
# By default the build will execute unit tests unless --without test
|
||||
# option is specified.
|
||||
|
||||
# bcond_without test
|
||||
%global with_test 1
|
||||
%bcond_without test
|
||||
|
||||
# By default all packages will be built except the ones specified with
|
||||
# --without <package> option (exclusion method).
|
||||
@ -143,8 +131,6 @@ ExcludeArch: i686
|
||||
%define debug_package %{nil}
|
||||
%endif
|
||||
|
||||
%bcond_without sdnotify
|
||||
|
||||
# ignore unpackaged files from native 'tpsclient'
|
||||
# REMINDER: Remove this '%%define' once 'tpsclient' is rewritten as a Java app
|
||||
%define _unpackaged_files_terminate_build 0
|
||||
@ -182,14 +168,11 @@ fi;
|
||||
# Build Dependencies
|
||||
################################################################################
|
||||
|
||||
# autosetup
|
||||
BuildRequires: git
|
||||
BuildRequires: make
|
||||
|
||||
BuildRequires: cmake >= 3.0.2
|
||||
BuildRequires: gcc-c++
|
||||
BuildRequires: zip
|
||||
BuildRequires: %java_devel >= %{min_java_version}
|
||||
BuildRequires: %{java_devel}
|
||||
BuildRequires: javapackages-tools
|
||||
BuildRequires: redhat-rpm-config
|
||||
BuildRequires: ldapjdk >= 4.22.0
|
||||
@ -197,8 +180,8 @@ BuildRequires: apache-commons-cli
|
||||
BuildRequires: apache-commons-codec
|
||||
BuildRequires: apache-commons-io
|
||||
BuildRequires: apache-commons-lang3 >= 3.2
|
||||
BuildRequires: apache-commons-logging
|
||||
BuildRequires: apache-commons-net
|
||||
BuildRequires: jakarta-commons-httpclient
|
||||
BuildRequires: glassfish-jaxb-api
|
||||
BuildRequires: slf4j
|
||||
BuildRequires: slf4j-jdk14
|
||||
@ -212,7 +195,6 @@ BuildRequires: policycoreutils
|
||||
BuildRequires: python3-lxml
|
||||
BuildRequires: python3-sphinx
|
||||
|
||||
BuildRequires: velocity
|
||||
BuildRequires: xalan-j2
|
||||
BuildRequires: xerces-j2
|
||||
|
||||
@ -222,7 +204,6 @@ BuildRequires: resteasy >= 3.0.26
|
||||
BuildRequires: jboss-annotations-1.2-api
|
||||
BuildRequires: jboss-jaxrs-2.0-api
|
||||
BuildRequires: jboss-logging
|
||||
BuildRequires: resteasy-atom-provider >= 3.0.17-1
|
||||
BuildRequires: resteasy-client >= 3.0.17-1
|
||||
BuildRequires: resteasy-jaxb-provider >= 3.0.17-1
|
||||
BuildRequires: resteasy-core >= 3.0.17-1
|
||||
@ -236,23 +217,14 @@ BuildRequires: python3-cryptography
|
||||
BuildRequires: python3-lxml
|
||||
BuildRequires: python3-ldap
|
||||
BuildRequires: python3-libselinux
|
||||
BuildRequires: python3-nss
|
||||
BuildRequires: python3-requests >= 2.6.0
|
||||
BuildRequires: python3-six
|
||||
|
||||
%if 0%{?fedora} || 0%{?rhel} > 8
|
||||
BuildRequires: python3-pytest-runner
|
||||
%endif
|
||||
|
||||
BuildRequires: junit
|
||||
BuildRequires: jpackage-utils >= 0:1.7.5-10
|
||||
BuildRequires: jss >= 4.8.1
|
||||
BuildRequires: jss >= 4.9.0
|
||||
BuildRequires: tomcatjss >= 7.6.1
|
||||
|
||||
# JNA is used to bind to libsystemd
|
||||
%if %{with sdnotify}
|
||||
BuildRequires: jna
|
||||
%endif
|
||||
BuildRequires: systemd-units
|
||||
|
||||
%if 0%{?rhel} && ! 0%{?eln}
|
||||
@ -371,9 +343,9 @@ PKI consists of the following components:
|
||||
|
||||
Summary: PKI Symmetric Key Package
|
||||
|
||||
Requires: %java_headless >= %{min_java_version}
|
||||
Requires: %{java_headless}
|
||||
Requires: jpackage-utils >= 0:1.7.5-10
|
||||
Requires: jss >= 4.8.0
|
||||
Requires: jss >= 4.9.0
|
||||
Requires: nss >= 3.38.0
|
||||
|
||||
# Ensure we end up with a useful installation
|
||||
@ -426,7 +398,6 @@ Requires: python3 >= 3.5
|
||||
Requires: python3-cryptography
|
||||
Requires: python3-ldap
|
||||
Requires: python3-lxml
|
||||
Requires: python3-nss
|
||||
Requires: python3-requests >= 2.6.0
|
||||
Requires: python3-six
|
||||
|
||||
@ -440,26 +411,24 @@ This package contains PKI client library for Python 3.
|
||||
Summary: PKI Base Java Package
|
||||
BuildArch: noarch
|
||||
|
||||
Requires: %java_headless >= %{min_java_version}
|
||||
Requires: %{java_headless}
|
||||
Requires: apache-commons-cli
|
||||
Requires: apache-commons-codec
|
||||
Requires: apache-commons-io
|
||||
Requires: apache-commons-lang3 >= 3.2
|
||||
Requires: apache-commons-logging
|
||||
Requires: apache-commons-net
|
||||
Requires: jakarta-commons-httpclient
|
||||
Requires: glassfish-jaxb-api
|
||||
Requires: slf4j
|
||||
Requires: slf4j-jdk14
|
||||
Requires: jpackage-utils >= 0:1.7.5-10
|
||||
Requires: jss >= 4.7.0
|
||||
Requires: jss >= 4.9.0
|
||||
Requires: ldapjdk >= 4.22.0
|
||||
Requires: pki-base = %{version}-%{release}
|
||||
|
||||
%if 0%{?rhel} && 0%{?rhel} <= 8
|
||||
Requires: resteasy >= 3.0.26
|
||||
%else
|
||||
Requires: resteasy-atom-provider >= 3.0.17-1
|
||||
Requires: resteasy-client >= 3.0.17-1
|
||||
Requires: resteasy-jaxb-provider >= 3.0.17-1
|
||||
Requires: resteasy-core >= 3.0.17-1
|
||||
@ -535,7 +504,6 @@ Requires: pki-servlet-engine
|
||||
Requires: tomcat >= 1:9.0.7
|
||||
%endif
|
||||
|
||||
Requires: velocity
|
||||
Requires: sudo
|
||||
Requires: systemd
|
||||
Requires(post): systemd-units
|
||||
@ -544,11 +512,6 @@ Requires(postun): systemd-units
|
||||
Requires(pre): shadow-utils
|
||||
Requires: tomcatjss >= 7.6.1
|
||||
|
||||
# JNA is used to bind to libsystemd
|
||||
%if %{with sdnotify}
|
||||
Requires: jna
|
||||
%endif
|
||||
|
||||
# pki-healthcheck depends on the following library
|
||||
%if 0%{?rhel}
|
||||
Requires: ipa-healthcheck-core
|
||||
@ -861,7 +824,7 @@ This package contains PKI test suite.
|
||||
%prep
|
||||
################################################################################
|
||||
|
||||
%autosetup -n pki-%{version}%{?_phase} -p 1 -S git
|
||||
%autosetup -n pki-%{version}%{?_phase} -p 1
|
||||
|
||||
################################################################################
|
||||
%build
|
||||
@ -875,7 +838,7 @@ java_version=`%{java_home}/bin/java -XshowSettings:properties -version 2>&1 | se
|
||||
java_version=`echo $java_version | sed -e 's/^1\.//' -e 's/\..*$//'`
|
||||
|
||||
# assume tomcat app_server
|
||||
app_server=tomcat-8.5
|
||||
app_server=tomcat-9.0
|
||||
|
||||
%if 0%{?rhel} && 0%{?rhel} <= 8
|
||||
%{__mkdir_p} build
|
||||
@ -888,8 +851,8 @@ cd build
|
||||
-DVAR_INSTALL_DIR:PATH=/var \
|
||||
-DP11_KIT_TRUST=/etc/alternatives/libnssckbi.so.%{_arch} \
|
||||
-DJAVA_VERSION=${java_version} \
|
||||
-DJAVA_HOME=%java_home \
|
||||
-DPKI_JAVA_PATH=%java_home/bin/java \
|
||||
-DJAVA_HOME=%{java_home} \
|
||||
-DPKI_JAVA_PATH=%{java_home}/bin/java \
|
||||
-DJAVA_LIB_INSTALL_DIR=%{_jnidir} \
|
||||
-DSYSTEMD_LIB_INSTALL_DIR=%{_unitdir} \
|
||||
-DAPP_SERVER=$app_server \
|
||||
@ -907,7 +870,6 @@ cd build
|
||||
-DWITH_TKS:BOOL=%{?with_tks:ON}%{!?with_tks:OFF} \
|
||||
-DWITH_TPS:BOOL=%{?with_tps:ON}%{!?with_tps:OFF} \
|
||||
-DWITH_ACME:BOOL=%{?with_acme:ON}%{!?with_acme:OFF} \
|
||||
-DWITH_SYSTEMD_NOTIFICATION:BOOL=%{?with_sdnotify:ON}%{!?with_sdnotify:OFF} \
|
||||
-DWITH_JAVADOC:BOOL=%{?with_javadoc:ON}%{!?with_javadoc:OFF} \
|
||||
-DWITH_TEST:BOOL=%{?with_test:ON}%{!?with_test:OFF} \
|
||||
-DBUILD_PKI_CONSOLE:BOOL=%{?with_console:ON}%{!?with_console:OFF} \
|
||||
@ -949,7 +911,7 @@ cd %{_vpath_builddir}
|
||||
--no-print-directory \
|
||||
install
|
||||
|
||||
%if %{with_test}
|
||||
%if %{with test}
|
||||
ctest --output-on-failure
|
||||
%endif
|
||||
|
||||
@ -1251,10 +1213,6 @@ fi
|
||||
%{_datadir}/pki/setup/
|
||||
%{_datadir}/pki/server/
|
||||
|
||||
%if %{with sdnotify}
|
||||
%{_javadir}/pki/pki-systemd.jar
|
||||
%endif
|
||||
|
||||
# with server
|
||||
%endif
|
||||
|
||||
@ -1402,15 +1360,14 @@ fi
|
||||
|
||||
################################################################################
|
||||
%changelog
|
||||
* Wed May 19 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.10.5-3
|
||||
- Bug 1960146 - CVE-2021-3551 Dogtag installer "pkispawn" logs admin credentials into a world-readable log file
|
||||
* Mon Jun 14 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.11.0-0.3
|
||||
- Rebase to PKI 10.11.0-alpha3
|
||||
|
||||
* Tue Mar 23 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.10.5-2
|
||||
- Bug 1914396 - CVE-2021-20179 Unprivileged users can renew any certificate
|
||||
* Thu Jun 03 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.11.0-0.2
|
||||
- Fix JAVA_HOME
|
||||
|
||||
* Tue Feb 23 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.10.5-1
|
||||
- Rebase to PKI 10.10.5
|
||||
- Bug 1929067 - PKI instance creation failed with new 389-ds-base build
|
||||
* Wed Jun 02 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.11.0-0.1
|
||||
- Rebase to PKI 10.11.0-alpha2
|
||||
|
||||
* Mon Feb 08 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.10.4-1
|
||||
- Rebase to PKI 10.10.4
|
||||
|
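Review bot: The rebase removes the five backport patches (`Patch1: 0001-Removed-dependency-on-pytest-runner.patch` through `Patch5: 0001-Fix-permission-for-existing-installation-logs.patch`) together with the `-S git` flag on `%autosetup`, but nothing in the spec records that pki-10.11.0-alpha3.tar.gz already carries the fixes those patches provided — three of them resolve CVE-2021-3551 and one resolves CVE-2021-20179 according to the deleted patch headers and the dropped 10.10.5-2/10.10.5-3 changelog entries. Presumably the upstream alpha3 tarball contains them, but the replacement changelog entry says only `- Rebase to PKI 10.11.0-alpha3`, so the package history no longer shows when or how these CVEs were fixed in this branch. Add a changelog line such as `- Rebase to PKI 10.11.0-alpha3 (includes upstream fixes for CVE-2021-20179 and CVE-2021-3551, previously carried as Patch2-Patch5)` so a reader of the spec can verify the coverage without diffing the tarballs. The comment block explaining why the pytest-runner patch must not be removed is also dropped; if that constraint still holds on RHEL 8, a one-line note near the remaining Python BuildRequires would preserve it.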