import pki-core-10.11.2-4.module+el8.5.0+13827+5b1d191d

SOURCES/0001-Fix-AJP-connector-migration.patch

@@ -0,0 +1,217 @@
+From 8a8fc41a10ffb20e9e4902a9e9f74b2f05948b7a Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Wed, 3 Nov 2021 20:46:46 -0500
+Subject: [PATCH] Fix AJP connector migration
+
+In commit e70373ab131aba810f318c1d917896392b49ff4b the AJP
+connector migration code for Tomcat 9.0.31 in pki-server
+migrate CLI was converted into an upgrade script that would
+run regardless of the Tomcat version, and this was causing
+a problem on platforms that only has older Tomcat versions.
+
+To fix the problem, the upgrade script has been converted back
+into pki-server migrate, and it will check the Tomcat version
+before performing the migration. The server.xml has also been
+reverted to have the old AJP connectors by default.
+
+Whenever the server is restarted the pki-server migrate will
+run so it can migrate the AJP connectors automatically in
+case Tomcat is upgraded to a newer version.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=2029023
+---
+ base/server/python/pki/server/cli/migrate.py  | 61 +++++++++++++++++
+ .../upgrade/10.11.0/04-UpdateAJPConnectors.py | 67 -------------------
+ ...lowLinking.py => 04-UpdateAllowLinking.py} |  0
+ ...UpdateJavaHome.py => 05-UpdateJavaHome.py} |  0
+ base/tomcat-9.0/conf/server.xml               |  4 +-
+ 5 files changed, 63 insertions(+), 69 deletions(-)
+ delete mode 100644 base/server/upgrade/10.11.0/04-UpdateAJPConnectors.py
+ rename base/server/upgrade/10.11.0/{05-UpdateAllowLinking.py => 04-UpdateAllowLinking.py} (100%)
+ rename base/server/upgrade/10.11.0/{06-UpdateJavaHome.py => 05-UpdateJavaHome.py} (100%)
+
+diff --git a/base/server/python/pki/server/cli/migrate.py b/base/server/python/pki/server/cli/migrate.py
+index 256b83c845..2005004c4e 100644
+--- a/base/server/python/pki/server/cli/migrate.py
++++ b/base/server/python/pki/server/cli/migrate.py
+@@ -23,6 +23,7 @@ from __future__ import print_function
+ 
+ import getopt
+ import logging
++import re
+ import sys
+ 
+ from lxml import etree
+@@ -96,9 +97,69 @@ class MigrateCLI(pki.cli.CLI):
+ 
+             instance.load()
+             instance.init()
++            instances = [instance]
+ 
+         else:
+             instances = pki.server.instance.PKIInstance.instances()
+ 
+             for instance in instances:
+                 instance.init()
++
++        # update AJP connectors for Tomcat 9.0.31 or later
++
++        tomcat_version = pki.server.Tomcat.get_version()
++        if tomcat_version >= pki.util.Version('9.0.31'):
++
++            for instance in instances:
++                self.update_ajp_connectors(instance)
++
++    def update_ajp_connectors(self, instance):
++
++        logger.info('Updating AJP connectors in %s', instance.server_xml)
++
++        document = etree.parse(instance.server_xml, self.parser)
++        server = document.getroot()
++
++        # replace 'requiredSecret' with 'secret' in comments
++
++        services = server.findall('Service')
++        for service in services:
++
++            children = list(service)
++            for child in children:
++
++                if not isinstance(child, etree._Comment):  # pylint: disable=protected-access
++                    # not a comment -> skip
++                    continue
++
++                if 'protocol="AJP/1.3"' not in child.text:
++                    # not an AJP connector -> skip
++                    continue
++
++                child.text = re.sub(r'requiredSecret=',
++                                    r'secret=',
++                                    child.text,
++                                    flags=re.MULTILINE)
++
++        # replace 'requiredSecret' with 'secret' in Connectors
++
++        connectors = server.findall('Service/Connector')
++        for connector in connectors:
++
++            if connector.get('protocol') != 'AJP/1.3':
++                # not an AJP connector -> skip
++                continue
++
++            if connector.get('secret'):
++                # already has a 'secret' -> skip
++                continue
++
++            if connector.get('requiredSecret') is None:
++                # does not have a 'requiredSecret' -> skip
++                continue
++
++            value = connector.attrib.pop('requiredSecret')
++            connector.set('secret', value)
++
++        with open(instance.server_xml, 'wb') as f:
++            document.write(f, pretty_print=True, encoding='utf-8')
+diff --git a/base/server/upgrade/10.11.0/04-UpdateAJPConnectors.py b/base/server/upgrade/10.11.0/04-UpdateAJPConnectors.py
+deleted file mode 100644
+index 6e7bbdae24..0000000000
+--- a/base/server/upgrade/10.11.0/04-UpdateAJPConnectors.py
++++ /dev/null
+@@ -1,67 +0,0 @@
+-#
+-# Copyright Red Hat, Inc.
+-#
+-# SPDX-License-Identifier: GPL-2.0-or-later
+-#
+-from __future__ import absolute_import
+-import logging
+-from lxml import etree
+-import re
+-
+-import pki
+-
+-logger = logging.getLogger(__name__)
+-
+-
+-class UpdateAJPConnectors(pki.server.upgrade.PKIServerUpgradeScriptlet):
+-
+-    def __init__(self):
+-        super(UpdateAJPConnectors, self).__init__()
+-        self.message = 'Update AJP connectors in server.xml'
+-
+-        self.parser = etree.XMLParser(remove_blank_text=True)
+-
+-    def upgrade_instance(self, instance):
+-
+-        logger.info('Updating %s', instance.server_xml)
+-        self.backup(instance.server_xml)
+-
+-        document = etree.parse(instance.server_xml, self.parser)
+-        server = document.getroot()
+-
+-        logger.info('Renaming requiredSecret to secret')
+-
+-        services = server.findall('Service')
+-        for service in services:
+-
+-            children = list(service)
+-            for child in children:
+-
+-                if isinstance(child, etree._Comment):  # pylint: disable=protected-access
+-                    if 'protocol="AJP/1.3"' in child.text:
+-                        child.text = re.sub(r'requiredSecret=',
+-                                            r'secret=',
+-                                            child.text,
+-                                            flags=re.MULTILINE)
+-
+-        connectors = server.findall('Service/Connector')
+-        for connector in connectors:
+-
+-            if connector.get('protocol') != 'AJP/1.3':
+-                # Only modify AJP connectors.
+-                continue
+-
+-            if connector.get('secret'):
+-                # Nothing to migrate because the secret attribute already
+-                # exists.
+-                continue
+-
+-            if connector.get('requiredSecret') is None:
+-                # No requiredSecret field either; nothing to do.
+-                continue
+-
+-            connector.set('secret', connector.get('requiredSecret'))
+-            connector.attrib.pop('requiredSecret', None)
+-
+-        with open(instance.server_xml, 'wb') as f:
+-            document.write(f, pretty_print=True, encoding='utf-8')
+diff --git a/base/server/upgrade/10.11.0/05-UpdateAllowLinking.py b/base/server/upgrade/10.11.0/04-UpdateAllowLinking.py
+similarity index 100%
+rename from base/server/upgrade/10.11.0/05-UpdateAllowLinking.py
+rename to base/server/upgrade/10.11.0/04-UpdateAllowLinking.py
+diff --git a/base/server/upgrade/10.11.0/06-UpdateJavaHome.py b/base/server/upgrade/10.11.0/05-UpdateJavaHome.py
+similarity index 100%
+rename from base/server/upgrade/10.11.0/06-UpdateJavaHome.py
+rename to base/server/upgrade/10.11.0/05-UpdateJavaHome.py
+diff --git a/base/tomcat-9.0/conf/server.xml b/base/tomcat-9.0/conf/server.xml
+index 528300fd27..d6f3bb7ff0 100644
+--- a/base/tomcat-9.0/conf/server.xml
++++ b/base/tomcat-9.0/conf/server.xml
+@@ -190,12 +190,12 @@ Tomcat Port         = [TOMCAT_SERVER_PORT] (for shutdown)
+                protocol="AJP/1.3"
+                redirectPort="[PKI_AJP_REDIRECT_PORT]"
+                address="[PKI_AJP_HOST_IPv4]"
+-               secret="[PKI_AJP_SECRET]" />
++               requiredSecret="[PKI_AJP_SECRET]" />
+     <Connector port="[PKI_AJP_PORT]"
+                protocol="AJP/1.3"
+                redirectPort="[PKI_AJP_REDIRECT_PORT]"
+                address="[PKI_AJP_HOST_IPv6]"
+-               secret="[PKI_AJP_SECRET]" />
++               requiredSecret="[PKI_AJP_SECRET]" />
+ [PKI_CLOSE_AJP_PORT_COMMENT]
+ 
+ 
+-- 
+2.33.1
+

SOURCES/0001-Fix-replica-reinstallation.patch

@@ -0,0 +1,289 @@
+From 5d377f31292da71f6ec4a29b13a66a9bea967102 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Tue, 2 Nov 2021 14:46:02 -0500
+Subject: [PATCH] Fix replica reinstallation
+
+The pkispawn and pkidestroy have been modified to ignore
+failures caused by adding an entry or attribute that is
+already exists and to check whether a file exists before
+removing it during replica removal and reinstallation.
+
+One of the CA clone tests has been modified to test
+removing and reinstalling a replica.
+
+Resolves: https://github.com/dogtagpki/pki/issues/3544
+---
+ .github/workflows/ca-tests.yml                |  11 ++
+ .../python/pki/server/deployment/__init__.py  |  39 +++++--
+ .../scriptlets/webapp_deployment.py           |  19 +--
+ .../cms/servlet/csadmin/LDAPConfigurator.java | 110 +++++++++++-------
+ 4 files changed, 116 insertions(+), 63 deletions(-)
+
+diff --git a/.github/workflows/ca-tests.yml b/.github/workflows/ca-tests.yml
+index 4832e73c65..fffcb9c3e4 100644
+--- a/.github/workflows/ca-tests.yml
++++ b/.github/workflows/ca-tests.yml
+@@ -1137,6 +1137,17 @@ jobs:
+               --pkcs12-password-file ${PKIDIR}/pkcs12_password.conf
+           docker exec secondary pki -n caadmin ca-user-show caadmin
+ 
++      - name: Remove CA from secondary PKI container
++        run: |
++          docker exec secondary pkidestroy -i pki-tomcat -s CA -v
++
++      - name: Re-install CA in secondary PKI container
++        run: |
++          docker exec secondary pkispawn \
++              -f /usr/share/pki/server/examples/installation/ca-secure-ds-secondary.cfg \
++              -s CA \
++              -v
++
+       - name: Gather artifacts from primary container
+         if: always()
+         run: |
+diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py
+index 6eb5b0a78a..d179718dd6 100644
+--- a/base/server/python/pki/server/deployment/__init__.py
++++ b/base/server/python/pki/server/deployment/__init__.py
+@@ -1074,26 +1074,41 @@ class PKIDeployer:
+         secure_port = server_config.get_secure_port()
+ 
+         uid = 'CA-%s-%s' % (self.mdict['pki_hostname'], secure_port)
+-
+         logger.info('Adding %s', uid)
+-        subsystem.add_user(
+-            uid,
+-            full_name=uid,
+-            user_type='agentType',
+-            state='1')
+ 
+-        logger.info('Adding subsystem certificate into %s', uid)
++        try:
++            subsystem.add_user(
++                uid,
++                full_name=uid,
++                user_type='agentType',
++                state='1')
++        except Exception:    # pylint: disable=W0703
++            logger.warning('Unable to add %s', uid)
++            # TODO: ignore error only if user already exists
++
+         cert_data = pki.nssdb.convert_cert(
+             cert['data'],
+             'base64',
+             'pem')
+-        subsystem.add_user_cert(
+-            uid,
+-            cert_data=cert_data.encode(),
+-            cert_format='PEM')
++
++        logger.info('Adding certificate for %s', uid)
++
++        try:
++            subsystem.add_user_cert(
++                uid,
++                cert_data=cert_data.encode(),
++                cert_format='PEM')
++        except Exception:    # pylint: disable=W0703
++            logger.warning('Unable to add certificate for %s', uid)
++            # TODO: ignore error only if user cert already exists
+ 
+         logger.info('Adding %s into Subsystem Group', uid)
+-        subsystem.add_group_member('Subsystem Group', uid)
++
++        try:
++            subsystem.add_group_member('Subsystem Group', uid)
++        except Exception:    # pylint: disable=W0703
++            logger.warning('Unable to add %s into Subsystem Group', uid)
++            # TODO: ignore error only if user already exists in the group
+ 
+     def backup_keys(self, instance, subsystem):
+ 
+diff --git a/base/server/python/pki/server/deployment/scriptlets/webapp_deployment.py b/base/server/python/pki/server/deployment/scriptlets/webapp_deployment.py
+index 342477028a..f9e73fd069 100644
+--- a/base/server/python/pki/server/deployment/scriptlets/webapp_deployment.py
++++ b/base/server/python/pki/server/deployment/scriptlets/webapp_deployment.py
+@@ -60,12 +60,13 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
+ 
+         logger.info('Undeploying /%s web application', deployer.mdict['pki_subsystem'].lower())
+ 
+-        # Delete <instance>/Catalina/localhost/<subsystem>.xml
+-        pki.util.remove(
+-            path=os.path.join(
+-                deployer.mdict['pki_instance_configuration_path'],
+-                "Catalina",
+-                "localhost",
+-                deployer.mdict['pki_subsystem'].lower() + ".xml"),
+-            force=deployer.mdict['pki_force_destroy']
+-        )
++        # Delete <instance>/Catalina/localhost/<subsystem>.xml if exists
++
++        context_xml = os.path.join(
++            deployer.mdict['pki_instance_configuration_path'],
++            'Catalina',
++            'localhost',
++            deployer.mdict['pki_subsystem'].lower() + '.xml')
++
++        if os.path.exists(context_xml):
++            pki.util.remove(context_xml)
+diff --git a/base/server/src/main/java/com/netscape/cms/servlet/csadmin/LDAPConfigurator.java b/base/server/src/main/java/com/netscape/cms/servlet/csadmin/LDAPConfigurator.java
+index 651d166321..1e0364cfea 100644
+--- a/base/server/src/main/java/com/netscape/cms/servlet/csadmin/LDAPConfigurator.java
++++ b/base/server/src/main/java/com/netscape/cms/servlet/csadmin/LDAPConfigurator.java
+@@ -661,26 +661,35 @@ public class LDAPConfigurator {
+ 
+         try {
+             connection.add(entry);
++            // replication manager added -> done
++            return;
+ 
+         } catch (LDAPException e) {
+-            if (e.getLDAPResultCode() == LDAPException.ENTRY_ALREADY_EXISTS) {
+-                logger.warn("Entry already exists: " + dn);
++            if (e.getLDAPResultCode() != LDAPException.ENTRY_ALREADY_EXISTS) {
++                logger.error("Unable to add " + dn + ": " + e.getMessage(), e);
++                throw e;
++            }
++            logger.warn("Replication manager already exists: " + dn);
++        }
+ 
+-                try {
+-                    logger.info("Deleting " + dn);
+-                    connection.delete(dn);
++        logger.warn("Deleting existing replication manager: " + dn);
+ 
+-                    logger.info("Re-adding " + dn);
+-                    connection.add(entry);
++        try {
++            connection.delete(dn);
+ 
+-                } catch (LDAPException ee) {
+-                    logger.warn("Unable to recreate " + dn + ": " + ee.getMessage());
+-                }
++        } catch (LDAPException e) {
++            logger.error("Unable to delete " + dn + ": " + e.getMessage());
++            throw e;
++        }
+ 
+-            } else {
+-                logger.error("Unable to add " + dn + ": " + e.getMessage(), e);
+-                throw e;
+-            }
++        logger.warn("Adding new replication manager: " + dn);
++
++        try {
++            connection.add(entry);
++
++        } catch (LDAPException e) {
++            logger.error("Unable to add " + dn + ": " + e.getMessage());
++            throw e;
+         }
+     }
+ 
+@@ -799,28 +808,41 @@ public class LDAPConfigurator {
+ 
+         try {
+             connection.add(entry);
++            // replica object added -> done
++            return true;
+ 
+         } catch (LDAPException e) {
+-
+             if (e.getLDAPResultCode() != LDAPException.ENTRY_ALREADY_EXISTS) {
++                logger.error("Unable to add " + replicaDN + ": " + e.getMessage(), e);
+                 throw e;
+             }
++            logger.warn("Replica object already exists: " + replicaDN);
++        }
++
++        logger.info("Adding replica bind DN");
+ 
+-            // BZ 470918: We can't just add the new dn.
+-            // We need to do a replace until the bug is fixed.
+-            logger.warn("Entry already exists, adding bind DN");
++        // BZ 470918: We can't just add the new dn.
++        // We need to do a replace until the bug is fixed.
+ 
+-            entry = connection.read(replicaDN);
+-            LDAPAttribute attr = entry.getAttribute("nsDS5ReplicaBindDN");
+-            attr.addValue(bindDN);
++        entry = connection.read(replicaDN);
++        LDAPAttribute attr = entry.getAttribute("nsDS5ReplicaBindDN");
++        attr.addValue(bindDN);
+ 
+-            LDAPModification mod = new LDAPModification(LDAPModification.REPLACE, attr);
++        LDAPModification mod = new LDAPModification(LDAPModification.REPLACE, attr);
++
++        try {
+             connection.modify(replicaDN, mod);
++            // replica bind DN added -> done
+ 
+-            return false;
++        } catch (LDAPException e) {
++            if (e.getLDAPResultCode() != LDAPException.ATTRIBUTE_OR_VALUE_EXISTS) {
++                logger.error("Unable to add " + bindDN + ": " + e.getMessage(), e);
++                throw e;
++            }
++            logger.warn("Replica bind DN already exists: " + bindDN);
+         }
+ 
+-        return true;
++        return false;
+     }
+ 
+     public void createReplicationAgreement(
+@@ -864,29 +886,33 @@ public class LDAPConfigurator {
+ 
+         try {
+             connection.add(entry);
++            // replication agreement added -> done
++            return;
+ 
+         } catch (LDAPException e) {
+-            if (e.getLDAPResultCode() == LDAPException.ENTRY_ALREADY_EXISTS) {
+-                logger.warn("Entry already exists: " + dn);
+-
+-                try {
+-                    connection.delete(dn);
+-                } catch (LDAPException ee) {
+-                    logger.error("Unable to delete " + dn + ": " + ee.getMessage(), ee);
+-                    throw ee;
+-                }
+-
+-                try {
+-                    connection.add(entry);
+-                } catch (LDAPException ee) {
+-                    logger.error("Unable to add " + dn + ": " + ee.getMessage(), ee);
+-                    throw ee;
+-                }
+-
+-            } else {
++            if (e.getLDAPResultCode() != LDAPException.ENTRY_ALREADY_EXISTS) {
+                 logger.error("Unable to add " + dn + ": " + e.getMessage(), e);
+                 throw e;
+             }
++            logger.warn("Replication agreement already exists: " + dn);
++        }
++
++        logger.warn("Removing existing replication agreement: " + dn);
++
++        try {
++            connection.delete(dn);
++        } catch (LDAPException e) {
++            logger.error("Unable to delete " + dn + ": " + e.getMessage(), e);
++            throw e;
++        }
++
++        logger.warn("Adding new replication agreement: " + dn);
++
++        try {
++            connection.add(entry);
++        } catch (LDAPException e) {
++            logger.error("Unable to add " + dn + ": " + e.getMessage(), e);
++            throw e;
+         }
+     }
+ 
+-- 
+2.31.1
+

SPECS/pki-core.spec

@@ -13,7 +13,7 @@ License:          GPLv2 and LGPLv2
 # For development (i.e. unsupported) releases, use x.y.z-0.n.<phase>.
 # For official (i.e. supported) releases, use x.y.z-r where r >=1.
 Version:          10.11.2
-Release:          2%{?_timestamp}%{?_commit_id}%{?dist}
+Release:          4%{?_timestamp}%{?_commit_id}%{?dist}
 #global           _phase -alpha1
 
 # To create a tarball from a version tag:
@@ -31,6 +31,8 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?_phase}/pki-%{ver
 #     > pki-VERSION-RELEASE.patch
 # Patch: pki-VERSION-RELEASE.patch
 Patch1: 0001-Fix-Bug-2001576-pki-instance-creation-fails-for-IPA-.patch
+Patch2: 0001-Fix-replica-reinstallation.patch
+Patch3: 0001-Fix-AJP-connector-migration.patch
 
 # md2man isn't available on i686. Additionally, we aren't generally multi-lib
 # compatible (https://fedoraproject.org/wiki/Packaging:Java)
@@ -1363,6 +1365,12 @@ fi
 
 ################################################################################
 %changelog
+* Tue Jan 04 2022 Red Hat PKI Team <rhcs-maint@redhat.com> 10.11.2-4
+- Bug 2029023 - Fix AJP connector migration
+
+* Tue Dec 14 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.11.2-3
+- Bug 2024676 - Unable to reinstall PKI clone
+
 * Fri Sep 24 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.11.2-2
 - Bug 2001576 - pki instance creation fails for IPA in FIPS mode