import pki-core-10.11.2-4.module+el8.5.0+13827+5b1d191d

2022-02-01 15:11:48 -05:00 · 2022-02-01 15:11:48 -05:00 · 5e63d40a69
commit 5e63d40a69
parent 2e7f456c68
3 changed files with 515 additions and 1 deletions
--- a/SOURCES/0001-Fix-AJP-connector-migration.patch
+++ b/SOURCES/0001-Fix-AJP-connector-migration.patch
@ -0,0 +1,217 @@
 From 8a8fc41a10ffb20e9e4902a9e9f74b2f05948b7a Mon Sep 17 00:00:00 2001
 From: "Endi S. Dewata" <edewata@redhat.com>
 Date: Wed, 3 Nov 2021 20:46:46 -0500
 Subject: [PATCH] Fix AJP connector migration
 In commit e70373ab131aba810f318c1d917896392b49ff4b the AJP
 connector migration code for Tomcat 9.0.31 in pki-server
 migrate CLI was converted into an upgrade script that would
 run regardless of the Tomcat version, and this was causing
 a problem on platforms that only has older Tomcat versions.
 To fix the problem, the upgrade script has been converted back
 into pki-server migrate, and it will check the Tomcat version
 before performing the migration. The server.xml has also been
 reverted to have the old AJP connectors by default.
 Whenever the server is restarted the pki-server migrate will
 run so it can migrate the AJP connectors automatically in
 case Tomcat is upgraded to a newer version.
 https://bugzilla.redhat.com/show_bug.cgi?id=2029023
 ---
 base/server/python/pki/server/cli/migrate.py  | 61 +++++++++++++++++
 .../upgrade/10.11.0/04-UpdateAJPConnectors.py | 67 -------------------
 ...lowLinking.py => 04-UpdateAllowLinking.py} |  0
 ...UpdateJavaHome.py => 05-UpdateJavaHome.py} |  0
 base/tomcat-9.0/conf/server.xml               |  4 +-
 5 files changed, 63 insertions(+), 69 deletions(-)
 delete mode 100644 base/server/upgrade/10.11.0/04-UpdateAJPConnectors.py
 rename base/server/upgrade/10.11.0/{05-UpdateAllowLinking.py => 04-UpdateAllowLinking.py} (100%)
 rename base/server/upgrade/10.11.0/{06-UpdateJavaHome.py => 05-UpdateJavaHome.py} (100%)
 diff --git a/base/server/python/pki/server/cli/migrate.py b/base/server/python/pki/server/cli/migrate.py
 index 256b83c845..2005004c4e 100644
 --- a/base/server/python/pki/server/cli/migrate.py
 +++ b/base/server/python/pki/server/cli/migrate.py
@@ -23,6 +23,7 @@ from __future__ import print_function
 import getopt
 import logging
 +import re
 import sys
 from lxml import etree
@@ -96,9 +97,69 @@ class MigrateCLI(pki.cli.CLI):
             instance.load()
             instance.init()
 +            instances = [instance]
         else:
             instances = pki.server.instance.PKIInstance.instances()
             for instance in instances:
                 instance.init()
 +
 +        # update AJP connectors for Tomcat 9.0.31 or later
 +
 +        tomcat_version = pki.server.Tomcat.get_version()
 +        if tomcat_version >= pki.util.Version('9.0.31'):
 +
 +            for instance in instances:
 +                self.update_ajp_connectors(instance)
 +
 +    def update_ajp_connectors(self, instance):
 +
 +        logger.info('Updating AJP connectors in %s', instance.server_xml)
 +
 +        document = etree.parse(instance.server_xml, self.parser)
 +        server = document.getroot()
 +
 +        # replace 'requiredSecret' with 'secret' in comments
 +
 +        services = server.findall('Service')
 +        for service in services:
 +
 +            children = list(service)
 +            for child in children:
 +
 +                if not isinstance(child, etree._Comment):  # pylint: disable=protected-access
 +                    # not a comment -> skip
 +                    continue
 +
 +                if 'protocol="AJP/1.3"' not in child.text:
 +                    # not an AJP connector -> skip
 +                    continue
 +
 +                child.text = re.sub(r'requiredSecret=',
 +                                    r'secret=',
 +                                    child.text,
 +                                    flags=re.MULTILINE)
 +
 +        # replace 'requiredSecret' with 'secret' in Connectors
 +
 +        connectors = server.findall('Service/Connector')
 +        for connector in connectors:
 +
 +            if connector.get('protocol') != 'AJP/1.3':
 +                # not an AJP connector -> skip
 +                continue
 +
 +            if connector.get('secret'):
 +                # already has a 'secret' -> skip
 +                continue
 +
 +            if connector.get('requiredSecret') is None:
 +                # does not have a 'requiredSecret' -> skip
 +                continue
 +
 +            value = connector.attrib.pop('requiredSecret')
 +            connector.set('secret', value)
 +
 +        with open(instance.server_xml, 'wb') as f:
 +            document.write(f, pretty_print=True, encoding='utf-8')
 diff --git a/base/server/upgrade/10.11.0/04-UpdateAJPConnectors.py b/base/server/upgrade/10.11.0/04-UpdateAJPConnectors.py
 deleted file mode 100644
 index 6e7bbdae24..0000000000
 --- a/base/server/upgrade/10.11.0/04-UpdateAJPConnectors.py
 +++ /dev/null
@@ -1,67 +0,0 @@
 -#
 -# Copyright Red Hat, Inc.
 -#
 -# SPDX-License-Identifier: GPL-2.0-or-later
 -#
 -from __future__ import absolute_import
 -import logging
 -from lxml import etree
 -import re
 -
 -import pki
 -
 -logger = logging.getLogger(__name__)
 -
 -
 -class UpdateAJPConnectors(pki.server.upgrade.PKIServerUpgradeScriptlet):
 -
 -    def __init__(self):
 -        super(UpdateAJPConnectors, self).__init__()
 -        self.message = 'Update AJP connectors in server.xml'
 -
 -        self.parser = etree.XMLParser(remove_blank_text=True)
 -
 -    def upgrade_instance(self, instance):
 -
 -        logger.info('Updating %s', instance.server_xml)
 -        self.backup(instance.server_xml)
 -
 -        document = etree.parse(instance.server_xml, self.parser)
 -        server = document.getroot()
 -
 -        logger.info('Renaming requiredSecret to secret')
 -
 -        services = server.findall('Service')
 -        for service in services:
 -
 -            children = list(service)
 -            for child in children:
 -
 -                if isinstance(child, etree._Comment):  # pylint: disable=protected-access
 -                    if 'protocol="AJP/1.3"' in child.text:
 -                        child.text = re.sub(r'requiredSecret=',
 -                                            r'secret=',
 -                                            child.text,
 -                                            flags=re.MULTILINE)
 -
 -        connectors = server.findall('Service/Connector')
 -        for connector in connectors:
 -
 -            if connector.get('protocol') != 'AJP/1.3':
 -                # Only modify AJP connectors.
 -                continue
 -
 -            if connector.get('secret'):
 -                # Nothing to migrate because the secret attribute already
 -                # exists.
 -                continue
 -
 -            if connector.get('requiredSecret') is None:
 -                # No requiredSecret field either; nothing to do.
 -                continue
 -
 -            connector.set('secret', connector.get('requiredSecret'))
 -            connector.attrib.pop('requiredSecret', None)
 -
 -        with open(instance.server_xml, 'wb') as f:
 -            document.write(f, pretty_print=True, encoding='utf-8')
 diff --git a/base/server/upgrade/10.11.0/05-UpdateAllowLinking.py b/base/server/upgrade/10.11.0/04-UpdateAllowLinking.py
 similarity index 100%
 rename from base/server/upgrade/10.11.0/05-UpdateAllowLinking.py
 rename to base/server/upgrade/10.11.0/04-UpdateAllowLinking.py
 diff --git a/base/server/upgrade/10.11.0/06-UpdateJavaHome.py b/base/server/upgrade/10.11.0/05-UpdateJavaHome.py
 similarity index 100%
 rename from base/server/upgrade/10.11.0/06-UpdateJavaHome.py
 rename to base/server/upgrade/10.11.0/05-UpdateJavaHome.py
 diff --git a/base/tomcat-9.0/conf/server.xml b/base/tomcat-9.0/conf/server.xml
 index 528300fd27..d6f3bb7ff0 100644
 --- a/base/tomcat-9.0/conf/server.xml
 +++ b/base/tomcat-9.0/conf/server.xml
@@ -190,12 +190,12 @@ Tomcat Port         = [TOMCAT_SERVER_PORT] (for shutdown)
                protocol="AJP/1.3"
                redirectPort="[PKI_AJP_REDIRECT_PORT]"
                address="[PKI_AJP_HOST_IPv4]"
 -               secret="[PKI_AJP_SECRET]" />
 +               requiredSecret="[PKI_AJP_SECRET]" />
     <Connector port="[PKI_AJP_PORT]"
                protocol="AJP/1.3"
                redirectPort="[PKI_AJP_REDIRECT_PORT]"
                address="[PKI_AJP_HOST_IPv6]"
 -               secret="[PKI_AJP_SECRET]" />
 +               requiredSecret="[PKI_AJP_SECRET]" />
 [PKI_CLOSE_AJP_PORT_COMMENT]
 -- 
 2.33.1
--- a/SOURCES/0001-Fix-replica-reinstallation.patch
+++ b/SOURCES/0001-Fix-replica-reinstallation.patch
@ -0,0 +1,289 @@
 From 5d377f31292da71f6ec4a29b13a66a9bea967102 Mon Sep 17 00:00:00 2001
 From: "Endi S. Dewata" <edewata@redhat.com>
 Date: Tue, 2 Nov 2021 14:46:02 -0500
 Subject: [PATCH] Fix replica reinstallation
 The pkispawn and pkidestroy have been modified to ignore
 failures caused by adding an entry or attribute that is
 already exists and to check whether a file exists before
 removing it during replica removal and reinstallation.
 One of the CA clone tests has been modified to test
 removing and reinstalling a replica.
 Resolves: https://github.com/dogtagpki/pki/issues/3544
 ---
 .github/workflows/ca-tests.yml                |  11 ++
 .../python/pki/server/deployment/__init__.py  |  39 +++++--
 .../scriptlets/webapp_deployment.py           |  19 +--
 .../cms/servlet/csadmin/LDAPConfigurator.java | 110 +++++++++++-------
 4 files changed, 116 insertions(+), 63 deletions(-)
 diff --git a/.github/workflows/ca-tests.yml b/.github/workflows/ca-tests.yml
 index 4832e73c65..fffcb9c3e4 100644
 --- a/.github/workflows/ca-tests.yml
 +++ b/.github/workflows/ca-tests.yml
@@ -1137,6 +1137,17 @@ jobs:
               --pkcs12-password-file ${PKIDIR}/pkcs12_password.conf
           docker exec secondary pki -n caadmin ca-user-show caadmin
 +      - name: Remove CA from secondary PKI container
 +        run: |
 +          docker exec secondary pkidestroy -i pki-tomcat -s CA -v
 +
 +      - name: Re-install CA in secondary PKI container
 +        run: |
 +          docker exec secondary pkispawn \
 +              -f /usr/share/pki/server/examples/installation/ca-secure-ds-secondary.cfg \
 +              -s CA \
 +              -v
 +
       - name: Gather artifacts from primary container
         if: always()
         run: |
 diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py
 index 6eb5b0a78a..d179718dd6 100644
 --- a/base/server/python/pki/server/deployment/__init__.py
 +++ b/base/server/python/pki/server/deployment/__init__.py
@@ -1074,26 +1074,41 @@ class PKIDeployer:
         secure_port = server_config.get_secure_port()
         uid = 'CA-%s-%s' % (self.mdict['pki_hostname'], secure_port)
 -
         logger.info('Adding %s', uid)
 -        subsystem.add_user(
 -            uid,
 -            full_name=uid,
 -            user_type='agentType',
 -            state='1')
 -        logger.info('Adding subsystem certificate into %s', uid)
 +        try:
 +            subsystem.add_user(
 +                uid,
 +                full_name=uid,
 +                user_type='agentType',
 +                state='1')
 +        except Exception:    # pylint: disable=W0703
 +            logger.warning('Unable to add %s', uid)
 +            # TODO: ignore error only if user already exists
 +
         cert_data = pki.nssdb.convert_cert(
             cert['data'],
             'base64',
             'pem')
 -        subsystem.add_user_cert(
 -            uid,
 -            cert_data=cert_data.encode(),
 -            cert_format='PEM')
 +
 +        logger.info('Adding certificate for %s', uid)
 +
 +        try:
 +            subsystem.add_user_cert(
 +                uid,
 +                cert_data=cert_data.encode(),
 +                cert_format='PEM')
 +        except Exception:    # pylint: disable=W0703
 +            logger.warning('Unable to add certificate for %s', uid)
 +            # TODO: ignore error only if user cert already exists
         logger.info('Adding %s into Subsystem Group', uid)
 -        subsystem.add_group_member('Subsystem Group', uid)
 +
 +        try:
 +            subsystem.add_group_member('Subsystem Group', uid)
 +        except Exception:    # pylint: disable=W0703
 +            logger.warning('Unable to add %s into Subsystem Group', uid)
 +            # TODO: ignore error only if user already exists in the group
     def backup_keys(self, instance, subsystem):
 diff --git a/base/server/python/pki/server/deployment/scriptlets/webapp_deployment.py b/base/server/python/pki/server/deployment/scriptlets/webapp_deployment.py
 index 342477028a..f9e73fd069 100644
 --- a/base/server/python/pki/server/deployment/scriptlets/webapp_deployment.py
 +++ b/base/server/python/pki/server/deployment/scriptlets/webapp_deployment.py
@@ -60,12 +60,13 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
         logger.info('Undeploying /%s web application', deployer.mdict['pki_subsystem'].lower())
 -        # Delete <instance>/Catalina/localhost/<subsystem>.xml
 -        pki.util.remove(
 -            path=os.path.join(
 -                deployer.mdict['pki_instance_configuration_path'],
 -                "Catalina",
 -                "localhost",
 -                deployer.mdict['pki_subsystem'].lower() + ".xml"),
 -            force=deployer.mdict['pki_force_destroy']
 -        )
 +        # Delete <instance>/Catalina/localhost/<subsystem>.xml if exists
 +
 +        context_xml = os.path.join(
 +            deployer.mdict['pki_instance_configuration_path'],
 +            'Catalina',
 +            'localhost',
 +            deployer.mdict['pki_subsystem'].lower() + '.xml')
 +
 +        if os.path.exists(context_xml):
 +            pki.util.remove(context_xml)
 diff --git a/base/server/src/main/java/com/netscape/cms/servlet/csadmin/LDAPConfigurator.java b/base/server/src/main/java/com/netscape/cms/servlet/csadmin/LDAPConfigurator.java
 index 651d166321..1e0364cfea 100644
 --- a/base/server/src/main/java/com/netscape/cms/servlet/csadmin/LDAPConfigurator.java
 +++ b/base/server/src/main/java/com/netscape/cms/servlet/csadmin/LDAPConfigurator.java
@@ -661,26 +661,35 @@ public class LDAPConfigurator {
         try {
             connection.add(entry);
 +            // replication manager added -> done
 +            return;
         } catch (LDAPException e) {
 -            if (e.getLDAPResultCode() == LDAPException.ENTRY_ALREADY_EXISTS) {
 -                logger.warn("Entry already exists: " + dn);
 +            if (e.getLDAPResultCode() != LDAPException.ENTRY_ALREADY_EXISTS) {
 +                logger.error("Unable to add " + dn + ": " + e.getMessage(), e);
 +                throw e;
 +            }
 +            logger.warn("Replication manager already exists: " + dn);
 +        }
 -                try {
 -                    logger.info("Deleting " + dn);
 -                    connection.delete(dn);
 +        logger.warn("Deleting existing replication manager: " + dn);
 -                    logger.info("Re-adding " + dn);
 -                    connection.add(entry);
 +        try {
 +            connection.delete(dn);
 -                } catch (LDAPException ee) {
 -                    logger.warn("Unable to recreate " + dn + ": " + ee.getMessage());
 -                }
 +        } catch (LDAPException e) {
 +            logger.error("Unable to delete " + dn + ": " + e.getMessage());
 +            throw e;
 +        }
 -            } else {
 -                logger.error("Unable to add " + dn + ": " + e.getMessage(), e);
 -                throw e;
 -            }
 +        logger.warn("Adding new replication manager: " + dn);
 +
 +        try {
 +            connection.add(entry);
 +
 +        } catch (LDAPException e) {
 +            logger.error("Unable to add " + dn + ": " + e.getMessage());
 +            throw e;
         }
     }
@@ -799,28 +808,41 @@ public class LDAPConfigurator {
         try {
             connection.add(entry);
 +            // replica object added -> done
 +            return true;
         } catch (LDAPException e) {
 -
             if (e.getLDAPResultCode() != LDAPException.ENTRY_ALREADY_EXISTS) {
 +                logger.error("Unable to add " + replicaDN + ": " + e.getMessage(), e);
                 throw e;
             }
 +            logger.warn("Replica object already exists: " + replicaDN);
 +        }
 +
 +        logger.info("Adding replica bind DN");
 -            // BZ 470918: We can't just add the new dn.
 -            // We need to do a replace until the bug is fixed.
 -            logger.warn("Entry already exists, adding bind DN");
 +        // BZ 470918: We can't just add the new dn.
 +        // We need to do a replace until the bug is fixed.
 -            entry = connection.read(replicaDN);
 -            LDAPAttribute attr = entry.getAttribute("nsDS5ReplicaBindDN");
 -            attr.addValue(bindDN);
 +        entry = connection.read(replicaDN);
 +        LDAPAttribute attr = entry.getAttribute("nsDS5ReplicaBindDN");
 +        attr.addValue(bindDN);
 -            LDAPModification mod = new LDAPModification(LDAPModification.REPLACE, attr);
 +        LDAPModification mod = new LDAPModification(LDAPModification.REPLACE, attr);
 +
 +        try {
             connection.modify(replicaDN, mod);
 +            // replica bind DN added -> done
 -            return false;
 +        } catch (LDAPException e) {
 +            if (e.getLDAPResultCode() != LDAPException.ATTRIBUTE_OR_VALUE_EXISTS) {
 +                logger.error("Unable to add " + bindDN + ": " + e.getMessage(), e);
 +                throw e;
 +            }
 +            logger.warn("Replica bind DN already exists: " + bindDN);
         }
 -        return true;
 +        return false;
     }
     public void createReplicationAgreement(
@@ -864,29 +886,33 @@ public class LDAPConfigurator {
         try {
             connection.add(entry);
 +            // replication agreement added -> done
 +            return;
         } catch (LDAPException e) {
 -            if (e.getLDAPResultCode() == LDAPException.ENTRY_ALREADY_EXISTS) {
 -                logger.warn("Entry already exists: " + dn);
 -
 -                try {
 -                    connection.delete(dn);
 -                } catch (LDAPException ee) {
 -                    logger.error("Unable to delete " + dn + ": " + ee.getMessage(), ee);
 -                    throw ee;
 -                }
 -
 -                try {
 -                    connection.add(entry);
 -                } catch (LDAPException ee) {
 -                    logger.error("Unable to add " + dn + ": " + ee.getMessage(), ee);
 -                    throw ee;
 -                }
 -
 -            } else {
 +            if (e.getLDAPResultCode() != LDAPException.ENTRY_ALREADY_EXISTS) {
                 logger.error("Unable to add " + dn + ": " + e.getMessage(), e);
                 throw e;
             }
 +            logger.warn("Replication agreement already exists: " + dn);
 +        }
 +
 +        logger.warn("Removing existing replication agreement: " + dn);
 +
 +        try {
 +            connection.delete(dn);
 +        } catch (LDAPException e) {
 +            logger.error("Unable to delete " + dn + ": " + e.getMessage(), e);
 +            throw e;
 +        }
 +
 +        logger.warn("Adding new replication agreement: " + dn);
 +
 +        try {
 +            connection.add(entry);
 +        } catch (LDAPException e) {
 +            logger.error("Unable to add " + dn + ": " + e.getMessage(), e);
 +            throw e;
         }
     }
 -- 
 2.31.1
--- a/SPECS/pki-core.spec
+++ b/SPECS/pki-core.spec
@ -13,7 +13,7 @@ License:          GPLv2 and LGPLv2
 # For development (i.e. unsupported) releases, use x.y.z-0.n.<phase>.
 # For official (i.e. supported) releases, use x.y.z-r where r >=1.
 Version:          10.11.2
-Release:          2%{?_timestamp}%{?_commit_id}%{?dist}
+Release:          4%{?_timestamp}%{?_commit_id}%{?dist}
 #global           _phase -alpha1
 # To create a tarball from a version tag:
@ -31,6 +31,8 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?_phase}/pki-%{ver
 #     > pki-VERSION-RELEASE.patch
 # Patch: pki-VERSION-RELEASE.patch
 Patch1: 0001-Fix-Bug-2001576-pki-instance-creation-fails-for-IPA-.patch
 Patch2: 0001-Fix-replica-reinstallation.patch
 Patch3: 0001-Fix-AJP-connector-migration.patch
 # md2man isn't available on i686. Additionally, we aren't generally multi-lib
 # compatible (https://fedoraproject.org/wiki/Packaging:Java)
@ -1363,6 +1365,12 @@ fi
 ################################################################################
 %changelog
 * Tue Jan 04 2022 Red Hat PKI Team <rhcs-maint@redhat.com> 10.11.2-4
 - Bug 2029023 - Fix AJP connector migration
 * Tue Dec 14 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.11.2-3
 - Bug 2024676 - Unable to reinstall PKI clone
 * Fri Sep 24 2021 Red Hat PKI Team <rhcs-maint@redhat.com> 10.11.2-2
 - Bug 2001576 - pki instance creation fails for IPA in FIPS mode