import pki-core-10.11.2-5.module+el8.5.0+14437+bc030dcc

This commit is contained in:
CentOS Sources 2022-04-26 09:52:41 -04:00 committed by Stepan Oksanichenko
parent 5e63d40a69
commit f4fe8795bb
2 changed files with 230 additions and 1 deletions


@ -0,0 +1,225 @@
From bbdb82268026821cd6a00edae09cc30079effd30 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Tue, 8 Mar 2022 15:19:09 -0600
Subject: [PATCH] Fix pki-server migrate CLI
The pki-server migrate CLI has been modified to configure the
AJP connectors with either secret or requiredSecret parameter
(mutually exclusive) depending on the Tomcat version.
https://bugzilla.redhat.com/show_bug.cgi?id=2061458
---
base/server/python/pki/server/cli/migrate.py | 60 ----------
base/server/python/pki/server/instance.py | 118 +++++++++++++++++++
2 files changed, 118 insertions(+), 60 deletions(-)
diff --git a/base/server/python/pki/server/cli/migrate.py b/base/server/python/pki/server/cli/migrate.py
index 2005004c4e..6e0ed6c2a7 100644
--- a/base/server/python/pki/server/cli/migrate.py
+++ b/base/server/python/pki/server/cli/migrate.py
@@ -23,7 +23,6 @@ from __future__ import print_function
import getopt
import logging
-import re
import sys
from lxml import etree
@@ -104,62 +103,3 @@ class MigrateCLI(pki.cli.CLI):
for instance in instances:
instance.init()
-
- # update AJP connectors for Tomcat 9.0.31 or later
-
- tomcat_version = pki.server.Tomcat.get_version()
- if tomcat_version >= pki.util.Version('9.0.31'):
-
- for instance in instances:
- self.update_ajp_connectors(instance)
-
- def update_ajp_connectors(self, instance):
-
- logger.info('Updating AJP connectors in %s', instance.server_xml)
-
- document = etree.parse(instance.server_xml, self.parser)
- server = document.getroot()
-
- # replace 'requiredSecret' with 'secret' in comments
-
- services = server.findall('Service')
- for service in services:
-
- children = list(service)
- for child in children:
-
- if not isinstance(child, etree._Comment): # pylint: disable=protected-access
- # not a comment -> skip
- continue
-
- if 'protocol="AJP/1.3"' not in child.text:
- # not an AJP connector -> skip
- continue
-
- child.text = re.sub(r'requiredSecret=',
- r'secret=',
- child.text,
- flags=re.MULTILINE)
-
- # replace 'requiredSecret' with 'secret' in Connectors
-
- connectors = server.findall('Service/Connector')
- for connector in connectors:
-
- if connector.get('protocol') != 'AJP/1.3':
- # not an AJP connector -> skip
- continue
-
- if connector.get('secret'):
- # already has a 'secret' -> skip
- continue
-
- if connector.get('requiredSecret') is None:
- # does not have a 'requiredSecret' -> skip
- continue
-
- value = connector.attrib.pop('requiredSecret')
- connector.set('secret', value)
-
- with open(instance.server_xml, 'wb') as f:
- document.write(f, pretty_print=True, encoding='utf-8')
diff --git a/base/server/python/pki/server/instance.py b/base/server/python/pki/server/instance.py
index ad938b841d..ff43dae8ec 100644
--- a/base/server/python/pki/server/instance.py
+++ b/base/server/python/pki/server/instance.py
@@ -836,9 +836,127 @@ class PKIInstance(pki.server.PKIServer):
nssdb.close()
shutil.rmtree(tmpdir)
+ def configure_ajp_connectors_secret(self):
+
+ logger.info('Configuring AJP connectors secret')
+
+ document = etree.parse(self.server_xml, parser)
+ server = document.getroot()
+
+ # replace 'requiredSecret' with 'secret' in comments
+
+ services = server.findall('Service')
+ for service in services:
+
+ children = list(service)
+ for child in children:
+
+ if not isinstance(child, etree._Comment): # pylint: disable=protected-access
+ # not a comment -> skip
+ continue
+
+ if 'protocol="AJP/1.3"' not in child.text:
+ # not an AJP connector -> skip
+ continue
+
+ child.text = re.sub(r'requiredSecret=',
+ r'secret=',
+ child.text,
+ flags=re.MULTILINE)
+
+ # replace 'requiredSecret' with 'secret' in Connectors
+
+ connectors = server.findall('Service/Connector')
+ for connector in connectors:
+
+ if connector.get('protocol') != 'AJP/1.3':
+ # not an AJP connector -> skip
+ continue
+
+ # remove existing 'requiredSecret' if any
+ value = connector.attrib.pop('requiredSecret', None)
+ print('AJP connector requiredSecret: %s' % value)
+
+ if connector.get('secret'):
+ # already has a 'secret' -> skip
+ continue
+
+ if not value:
+ raise Exception('Missing AJP connector secret in %s' % self.server_xml)
+
+ # store 'secret'
+ connector.set('secret', value)
+
+ with open(self.server_xml, 'wb') as f:
+ document.write(f, pretty_print=True, encoding='utf-8')
+
+ def configure_ajp_connectors_required_secret(self):
+
+ logger.info('Configuring AJP connectors requiredSecret')
+
+ document = etree.parse(self.server_xml, parser)
+ server = document.getroot()
+
+ # replace 'secret' with 'requiredSecret' in comments
+
+ services = server.findall('Service')
+ for service in services:
+
+ children = list(service)
+ for child in children:
+
+ if not isinstance(child, etree._Comment): # pylint: disable=protected-access
+ # not a comment -> skip
+ continue
+
+ if 'protocol="AJP/1.3"' not in child.text:
+ # not an AJP connector -> skip
+ continue
+
+ child.text = re.sub(r'secret=',
+ r'requiredSecret=',
+ child.text,
+ flags=re.MULTILINE)
+
+ # replace 'secret' with 'requiredSecret' in Connectors
+
+ connectors = server.findall('Service/Connector')
+ for connector in connectors:
+
+ if connector.get('protocol') != 'AJP/1.3':
+ # not an AJP connector -> skip
+ continue
+
+ # remove existing 'secret' if any
+ value = connector.attrib.pop('secret', None)
+ print('AJP connector secret: %s' % value)
+
+ if connector.get('requiredSecret'):
+ # already has a 'requiredSecret' -> skip
+ continue
+
+ if not value:
+ raise Exception('Missing AJP connector requiredSecret in %s' % self.server_xml)
+
+ # store 'requiredSecret'
+ connector.set('requiredSecret', value)
+
+ with open(self.server_xml, 'wb') as f:
+ document.write(f, pretty_print=True, encoding='utf-8')
+
+ def configure_ajp_connectors(self):
+
+ tomcat_version = pki.server.Tomcat.get_version()
+
+ if tomcat_version >= pki.util.Version('9.0.31'):
+ self.configure_ajp_connectors_secret()
+ else:
+ self.configure_ajp_connectors_required_secret()
+
def init(self):
super(PKIInstance, self).init()
self.validate_banner()
+ self.configure_ajp_connectors()
@classmethod
def instances(cls):
--
2.33.1
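Review bot: `print('AJP connector requiredSecret: %s' % value)` in configure_ajp_connectors_secret, and the matching `print('AJP connector secret: %s' % value)` in configure_ajp_connectors_required_secret, write the AJP shared secret to stdout, and because init() now calls configure_ajp_connectors() this happens on every pki-server invocation, so the secret ends up in terminal scrollback, session transcripts and any log that captures CLI output. Both lines should either be dropped or record presence only, e.g. `logger.debug('AJP connector requiredSecret: %s', 'present' if value else 'missing')`. A smaller point in the same two methods: the document is written back unconditionally, so server.xml is rewritten and re-pretty-printed on every init() even when no attribute was moved; setting a `changed` flag when an attribute or comment is actually modified and skipping the `document.write` otherwise would avoid that churn on a privileged config file. The enclosing class PKIInstance begins outside this hunk, so whether init() is reached on code paths where raising `Exception('Missing AJP connector secret ...')` is acceptable cannot be judged from here.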


@ -13,7 +13,7 @@ License: GPLv2 and LGPLv2
# For development (i.e. unsupported) releases, use x.y.z-0.n.<phase>.
# For official (i.e. supported) releases, use x.y.z-r where r >=1.
Version: 10.11.2
Release: 4%{?_timestamp}%{?_commit_id}%{?dist}
Release: 5%{?_timestamp}%{?_commit_id}%{?dist}
#global _phase -alpha1
# To create a tarball from a version tag:
@ -33,6 +33,7 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?_phase}/pki-%{ver
Patch1: 0001-Fix-Bug-2001576-pki-instance-creation-fails-for-IPA-.patch
Patch2: 0001-Fix-replica-reinstallation.patch
Patch3: 0001-Fix-AJP-connector-migration.patch
Patch4: 0001-Fix-pki-server-migrate-CLI.patch
# md2man isn't available on i686. Additionally, we aren't generally multi-lib
# compatible (https://fedoraproject.org/wiki/Packaging:Java)
@ -1365,6 +1366,9 @@ fi
################################################################################
%changelog
* Wed Mar 09 2022 Red Hat PKI Team <rhcs-maint@redhat.com> 10.11.2-5
- Bug 2061458 - Additional fix for AJP connector migration
* Tue Jan 04 2022 Red Hat PKI Team <rhcs-maint@redhat.com> 10.11.2-4
- Bug 2029023 - Fix AJP connector migration