15 changed files with 501 additions and 13 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,2 @@
 SOURCES/pki-10.14.3.tar.gz
+/pki-10.14.3.tar.gz
--- a/.pki-core.metadata
+++ b/.pki-core.metadata
@ -1 +0,0 @@
-0508d8fa638b11f309d958338afc71e4c9f24f8d SOURCES/pki-10.14.3.tar.gz
--- a/0001-Fix-pki-healthcheck-for-clones.patch
+++ b/0001-Fix-pki-healthcheck-for-clones.patch
@ -0,0 +1,332 @@
+From 7d62105c676fc79e0c32766c41cd034655a524ff Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata" <edewata@redhat.com>
+Date: Tue, 25 Jan 2022 16:29:53 -0600
+Subject: [PATCH] Fix pki-healthcheck for clones
+
+Previously the ClonesConnectivyAndDataCheck.check_kra_clones()
+was trying to check KRA clone status by retrieving a key using
+the subsystem cert. This operation did not work since the user
+associated with the cert did not have access to the keys. The
+code has been changed to get the status from GetStatus service
+instead. The original code might be moved into IPA later so it
+could run with IPA's RA agent credentials which would allow
+access to the keys.
+
+Previously the ClonesPlugin.contact_subsystem_using_sslget()
+used sslget to call GetStatus service and returned the entire
+output which was then incorrectly processed in XML format. The
+method has been renamed to get_status() and changed to use
+PKIConnection and process the response in either JSON or XML
+format, then only return the subsystem status. All callers
+have been updated accordingly.
+
+The ClonesPlugin.contact_subsystem_using_pki() is no longer
+used so it has been removed.
+---
+ .../clones/connectivity_and_data.py           | 130 ++++++++----------
+ .../pki/server/healthcheck/clones/plugin.py   |  75 ++++------
+ base/server/python/pki/server/__init__.py     |   8 +-
+ 3 files changed, 91 insertions(+), 122 deletions(-)
+
+diff --git a/base/server/healthcheck/pki/server/healthcheck/clones/connectivity_and_data.py b/base/server/healthcheck/pki/server/healthcheck/clones/connectivity_and_data.py
+index ca5d6dae48..d9bb480f7f 100644
+--- a/base/server/healthcheck/pki/server/healthcheck/clones/connectivity_and_data.py
+++ b/base/server/healthcheck/pki/server/healthcheck/clones/connectivity_and_data.py
+@@ -46,93 +46,83 @@ class ClonesConnectivyAndDataCheck(ClonesPlugin):
+ 
+     def check_kra_clones(self):
+         for host in self.clone_kras:
+-            cur_clone_msg = ' Host: ' + host.Hostname + ' Port: ' + host.SecurePort
+-            # Reach out and get some keys or requests , to serve as a data and connectivity check
+
+            url = 'https://' + host.Hostname + ':' + host.SecurePort
+
+             try:
+-                client_nick = self.security_domain.config.get('ca.connector.KRA.nickName')
+-
+-                output = self.contact_subsystem_using_pki(
+-                    host.SecurePort, host.Hostname, client_nick,
+-                    self.passwd, self.db_dir, 'kra-key-show', ['0x01'])
+-
+-                # check to see if we either got a key or a key not found exception
+-                # of which either will imply a successful connection
+-                if output is not None:
+-                    key_found = output.find('Key ID:')
+-                    key_not_found = output.find('KeyNotFoundException:')
+-                    if key_found >= 0:
+-                        logger.info('Key material found from kra clone.')
+-
+-                    if key_not_found >= 0:
+-                        logger.info('key not found, possibly empty kra')
+-
+-                    if key_not_found == -1 and key_found == -1:
+-                        logger.info('Failure to get key material from kra')
+-                        raise BaseException('KRA clone problem detected ' + cur_clone_msg)
+-                else:
+-                    raise BaseException('No data obtained from KRA clone.' + cur_clone_msg)
+                status = self.get_status(
+                    host.Hostname,
+                    host.SecurePort,
+                    '/kra/admin/kra/getStatus')
+ 
+-            except BaseException as e:
+-                logger.error("Internal error testing KRA clone. %s", e)
+-                raise BaseException('Internal error testing KRA clone.' + cur_clone_msg)
+                logger.info('KRA at %s is %s', url, status)
+ 
+-        return
+                if status != 'running':
+                    raise Exception('KRA at %s is %s' % (url, status))
+
+            except Exception as e:
+                logger.error('Unable to reach KRA at %s: %s', url, e)
+                raise Exception('Unable to reach KRA at %s: %s' % (url, e))
+ 
+     def check_ocsp_clones(self):
+         for host in self.clone_ocsps:
+-            cur_clone_msg = ' Host: ' + host.Hostname + ' Port: ' + host.SecurePort
+-            # Reach out to the ocsp clones
+
+            url = 'https://' + host.Hostname + ':' + host.SecurePort
+
+             try:
+-                output = self.contact_subsystem_using_sslget(
+-                    host.SecurePort, host.Hostname, None,
+-                    self.passwd, self.db_dir, None, '/ocsp/admin/ocsp/getStatus')
+-
+-                good_status = output.find('<State>1</State>')
+-                if good_status == -1:
+-                    raise BaseException('OCSP clone problem detected.' + cur_clone_msg)
+-                logger.info('good_status %s ', good_status)
+-            except BaseException as e:
+-                logger.error("Internal error testing OCSP clone.  %s", e)
+-                raise BaseException('Internal error testing OCSP clone.' + cur_clone_msg)
+                status = self.get_status(
+                    host.Hostname,
+                    host.SecurePort,
+                    '/ocsp/admin/ocsp/getStatus')
+ 
+-        return
+                logger.info('OCSP at %s is %s', url, status)
+
+                if status != 'running':
+                    raise Exception('OCSP at %s is %s' % (url, status))
+
+            except Exception as e:
+                logger.error('Unable to reach OCSP at %s: %s', url, e)
+                raise Exception('Unable to reach OCSP at %s: %s' % (url, e))
+ 
+     def check_tks_clones(self):
+         for host in self.clone_tkss:
+-            cur_clone_msg = ' Host: ' + host.Hostname + ' Port: ' + host.SecurePort
+-            # Reach out to the tks clones
+
+            url = 'https://' + host.Hostname + ':' + host.SecurePort
+
+             try:
+-                output = self.contact_subsystem_using_sslget(
+-                    host.SecurePort, host.Hostname, None,
+-                    self.passwd, self.db_dir, None, '/tks/admin/tks/getStatus')
+-
+-                good_status = output.find('<State>1</State>')
+-                if good_status == -1:
+-                    raise BaseException('TKS clone problem detected.' + cur_clone_msg)
+-                logger.info('good_status %s ', good_status)
+-            except BaseException as e:
+-                logger.error("Internal error testing TKS clone. %s", e)
+-                raise BaseException('Internal error testing TKS clone.' + cur_clone_msg)
+                status = self.get_status(
+                    host.Hostname,
+                    host.SecurePort,
+                    '/tks/admin/tks/getStatus')
+ 
+-        return
+                logger.info('TKS at %s is %s', url, status)
+
+                if status != 'running':
+                    raise Exception('TKS at %s is %s' % (url, status))
+
+            except Exception as e:
+                logger.error('Unable to reach TKS at %s: %s', url, e)
+                raise Exception('Unable to reach TKS at %s: %s' % (url, e))
+ 
+     def check_tps_clones(self):
+         for host in self.clone_tpss:
+-            cur_clone_msg = ' Host: ' + host.Hostname + ' Port: ' + host.SecurePort
+-            # Reach out to the tps clones
+
+            url = 'https://' + host.Hostname + ':' + host.SecurePort
+
+             try:
+-                output = self.contact_subsystem_using_sslget(
+-                    host.SecurePort, host.Hostname, None,
+-                    self.passwd, self.db_dir, None, '/tps/admin/tps/getStatus')
+-
+-                good_status = output.find('<State>1</State>')
+-                if good_status == -1:
+-                    raise BaseException('TPS clone problem detected.' + cur_clone_msg)
+-                logger.info('good_status  %s ', good_status)
+-            except BaseException as e:
+-                logger.error("Internal error testing TPS clone. %s", e)
+-                raise BaseException('Internal error testing TPS clone.' + cur_clone_msg)
+-        return
+                status = self.get_status(
+                    host.Hostname,
+                    host.SecurePort,
+                    '/tps/admin/tps/getStatus')
+
+                logger.info('TPS at %s is %s', url, status)
+
+                if status != 'running':
+                    raise Exception('TPS at %s is %s' % (url, status))
+
+            except Exception as e:
+                logger.error('Unable to reach TPS at %s: %s', url, e)
+                raise Exception('Unable to reach TPS at %s: %s' % (url, e))
+ 
+     @duration
+     def check(self):
+diff --git a/base/server/healthcheck/pki/server/healthcheck/clones/plugin.py b/base/server/healthcheck/pki/server/healthcheck/clones/plugin.py
+index 2472f35b5b..824c36a1a9 100644
+--- a/base/server/healthcheck/pki/server/healthcheck/clones/plugin.py
+++ b/base/server/healthcheck/pki/server/healthcheck/clones/plugin.py
+@@ -6,6 +6,10 @@
+ # SPDX-License-Identifier: GPL-2.0-or-later
+ #
+ 
+import json
+import logging
+import xml.etree.ElementTree as ET
+
+ from ipahealthcheck.core.plugin import Plugin, Registry
+ from pki.server.instance import PKIInstance
+ from pki.client import PKIConnection
+@@ -13,9 +17,6 @@ from pki.system import SecurityDomainClient
+ 
+ from pki.server.healthcheck.core.main import merge_dogtag_config
+ 
+-import logging
+-import subprocess
+-
+ logger = logging.getLogger(__name__)
+ 
+ # Temporary workaround to skip VERBOSE data. Fix already pushed to upstream
+@@ -46,60 +47,36 @@ class ClonesPlugin(Plugin):
+ 
+         self.instance = PKIInstance(self.config.instance_name)
+ 
+-    def contact_subsystem_using_pki(
+-            self, subport, subhost, subsystemnick,
+-            token_pwd, db_path, cmd, exts=None):
+-        command = ["/usr/bin/pki",
+-                   "-p", str(subport),
+-                   "-h", subhost,
+-                   "-n", subsystemnick,
+-                   "-P", "https",
+-                   "-d", db_path,
+-                   "-c", token_pwd,
+-                   cmd]
+-
+-        if exts is not None:
+-            command.extend(exts)
+-
+-        output = None
+-        try:
+-            output = subprocess.check_output(command, stderr=subprocess.STDOUT)
+-        except subprocess.CalledProcessError as e:
+-            output = e.output.decode('utf-8')
+-            return output
+    def get_status(self, host, port, path):
+ 
+-        output = output.decode('utf-8')
+        self.instance.export_ca_cert()
+ 
+-        return output
+        connection = PKIConnection(
+            protocol='https',
+            hostname=host,
+            port=port,
+            cert_paths=self.instance.ca_cert)
+ 
+-    def contact_subsystem_using_sslget(
+-            self, port, host, subsystemnick,
+-            token_pwd, db_path, params, url):
+        response = connection.get(path)
+ 
+-        command = ["/usr/bin/sslget"]
+        content_type = response.headers['Content-Type']
+        content = response.text
+        logger.info('Content:\n%s', content)
+ 
+-        if subsystemnick is not None:
+-            command.extend(["-n", subsystemnick])
+        # https://github.com/dogtagpki/pki/wiki/GetStatus-Service
+        if content_type == 'application/json':
+            json_response = json.loads(content)
+            status = json_response['Response']['Status']
+ 
+-        command.extend(["-p", token_pwd, "-d", db_path])
+-
+-        if params is not None:
+-            command.extend(["-e", params])
+-
+-        command.extend([
+-            "-r", url, host + ":" + port])
+-
+-        logger.info(' command : %s ', command)
+-        output = None
+-        try:
+-            output = subprocess.check_output(command, stderr=subprocess.STDOUT)
+-        except subprocess.CalledProcessError as e:
+-            output = e.output.decode('utf-8')
+-            return output
+        elif content_type == 'application/xml':
+            root = ET.fromstring(content)
+            status = root.findtext('Status')
+ 
+-        output = output.decode('utf-8')
+        else:
+            raise Exception('Unsupported content-type: %s' % content_type)
+ 
+-        return output
+        logger.info('Status: %s', status)
+        return status
+ 
+     def get_security_domain_data(self, host, port):
+         domain_data = None
+diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
+index 4fbb74684b..0515bbb197 100644
+--- a/base/server/python/pki/server/__init__.py
+++ b/base/server/python/pki/server/__init__.py
+@@ -241,6 +241,10 @@ class PKIServer(object):
+     def jss_conf(self):
+         return os.path.join(self.conf_dir, 'jss.conf')
+ 
+    @property
+    def ca_cert(self):
+        return os.path.join(self.nssdb_dir, 'ca.crt')
+
+     def is_valid(self):
+         return self.exists()
+ 
+@@ -259,8 +263,6 @@ class PKIServer(object):
+ 
+     def export_ca_cert(self):
+ 
+-        ca_path = os.path.join(self.nssdb_dir, 'ca.crt')
+-
+         token = pki.nssdb.INTERNAL_TOKEN_NAME
+         nickname = self.get_sslserver_cert_nickname()
+ 
+@@ -272,7 +274,7 @@ class PKIServer(object):
+         nssdb = self.open_nssdb(token=token)
+ 
+         try:
+-            nssdb.extract_ca_cert(ca_path, nickname)
+            nssdb.extract_ca_cert(self.ca_cert, nickname)
+         finally:
+             nssdb.close()
+ 
+-- 
+2.33.1
+
--- a/copr-build.sh
+++ b/copr-build.sh
@ -0,0 +1,9 @@
+#!/bin/sh
+
+REPO=$1
+
+if [ "$REPO" == "" ]; then
+    REPO="pki-10.6"
+fi
+
+fedpkg copr-build --nowait $REPO
--- a/gating.yaml
+++ b/gating.yaml
@ -0,0 +1,8 @@
+# recipients: rhcs-team
+--- !Policy
+product_versions:
+  - rhel-9
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
+  - !PassingTestCaseRule {test_case_name: idm-ci.brew-build.tier1.functional}
--- a/pki-core.rpmlintrc
+++ b/pki-core.rpmlintrc
@ -0,0 +1,4 @@
+addFilter('W: spelling-error')
+addFilter('W: dangling-symlink')
+addFilter('W: no-manual-page-for-binary')
+addFilter('W: log-files-without-logrotate')
--- a/SPECS/pki-core.spec
+++ b/SPECS/pki-core.spec
@ -12,7 +12,7 @@ License:          GPLv2 and LGPLv2

 # For development (i.e. unsupported) releases, use x.y.z-0.n.<phase>.
 # For official (i.e. supported) releases, use x.y.z-r where r >=1.
-%global           release_number 1
+%global           release_number 2
 Version:          10.14.3
 Release:          %{?release_number}%{?_timestamp}%{?_commit_id}%{?dist}
 #global           _phase
@ -210,6 +210,8 @@ BuildRequires:    python3-libselinux
 BuildRequires:    python3-requests >= 2.6.0
 BuildRequires:    python3-six

+BuildRequires:    tomcat
+
 BuildRequires:    junit
 BuildRequires:    jpackage-utils >= 0:1.7.5-10
 BuildRequires:    jss >= 4.9.0, jss < 5.0.0
@ -217,12 +219,6 @@ BuildRequires:    tomcatjss >= 7.7.0, tomcatjss < 8.0.0

 BuildRequires:    systemd-units

-%if 0%{?rhel} && ! 0%{?eln}
-BuildRequires:    pki-servlet-engine
-%else
-BuildRequires:    tomcat >= 1:9.0.7
-%endif
-
 # additional build requirements needed to build native 'tpsclient'
 # REMINDER:  Revisit these once 'tpsclient' is rewritten as a Java app
 BuildRequires:    apr-devel
@ -507,11 +503,7 @@ Requires:         python3-policycoreutils

 Requires:         selinux-policy-targeted >= 3.13.1-159

-%if 0%{?rhel} && ! 0%{?eln}
-Requires:         pki-servlet-engine
-%else
-Requires:         tomcat >= 1:9.0.7
-%endif
+Requires:         tomcat

 Requires:         sudo
 Requires:         systemd
@ -1403,6 +1395,9 @@ fi

 ################################################################################
 %changelog
+* Thu Mar 21 2024 Red Hat PKI Team <rhcs-maint@redhat.com> 10.14.3-2
+- RHEL-30063: Replace pki-servlet-engine with tomcat
+
 * Fri Feb 03 2023 Red Hat PKI Team <rhcs-maint@redhat.com> 10.14.3-1
 - Rebase to PKI 10.14.3
 - Bug 1959057 - An error has ocorred (IPA Error 4301:CertificateOperationError)
--- a/rpminspect.yaml
+++ b/rpminspect.yaml
@ -0,0 +1,6 @@
+---
+specname:
+    match: suffix
+runpath:
+    allowed_paths:
+        - /usr/lib64/tps
--- a/1
+++ b/1
@ -0,0 +1 @@
+SHA512 (pki-10.14.3.tar.gz) = ffdd8240bcbfc1c3cd28fecc4eb092767d8afab2df7a9354264081f9c5449f12eb06726045758515b1a27f32af622dca557cc8d370d6c5f5eaaf8d8117b94773
--- a/sources-update.sh
+++ b/sources-update.sh
@ -0,0 +1,7 @@
+#!/bin/sh
+
+SOURCE=$1
+TARGET=`basename $1`
+
+cp $SOURCE $TARGET
+sha512sum --tag $TARGET > sources
--- a/tests/roles/Test_Setup/files/ca.cfg
+++ b/tests/roles/Test_Setup/files/ca.cfg
@ -0,0 +1,25 @@
+[DEFAULT]
+pki_server_database_password=Secret.123
+
+[CA]
+pki_admin_email=caadmin@example.com
+pki_admin_name=caadmin
+pki_admin_nickname=caadmin
+pki_admin_password=Secret.123
+pki_admin_uid=caadmin
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
+pki_ds_database=ca
+pki_ds_password=Secret.123
+
+pki_security_domain_name=EXAMPLE
+
+pki_ca_signing_nickname=ca_signing
+pki_ocsp_signing_nickname=ca_ocsp_signing
+pki_audit_signing_nickname=ca_audit_signing
+pki_sslserver_nickname=sslserver
+pki_subsystem_nickname=subsystem
--- a/tests/roles/Test_Setup/files/ds-create.sh
+++ b/tests/roles/Test_Setup/files/ds-create.sh
@ -0,0 +1,24 @@
+#!/bin/bash -ex
+
+# This command needs to be executed as it pulls the machine name
+# dynamically.
+dscreate create-template /tmp/test_dir/ds.inf
+
+sed -i \
+    -e "s/;instance_name = .*/instance_name = localhost/g" \
+    -e "s/;root_password = .*/root_password = Secret.123/g" \
+    -e "s/;suffix = .*/suffix = dc=example,dc=com/g" \
+    -e "s/;self_sign_cert = .*/self_sign_cert = False/g" \
+    /tmp/test_dir/ds.inf
+
+dscreate from-file /tmp/test_dir/ds.inf
+
+ldapadd -h $HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 << EOF
+dn: dc=example,dc=com
+objectClass: domain
+dc: example
+
+dn: dc=pki,dc=example,dc=com
+objectClass: domain
+dc: pki
+EOF
--- a/tests/roles/Test_Setup/files/kra.cfg
+++ b/tests/roles/Test_Setup/files/kra.cfg
@ -0,0 +1,27 @@
+[DEFAULT]
+pki_server_database_password=Secret.123
+
+[KRA]
+pki_admin_email=kraadmin@example.com
+pki_admin_name=kraadmin
+pki_admin_nickname=kraadmin
+pki_admin_password=Secret.123
+pki_admin_uid=kraadmin
+
+pki_client_database_password=Secret.123
+pki_client_database_purge=False
+pki_client_pkcs12_password=Secret.123
+
+pki_ds_base_dn=dc=kra,dc=pki,dc=example,dc=com
+pki_ds_database=kra
+pki_ds_password=Secret.123
+
+pki_security_domain_name=EXAMPLE
+pki_security_domain_user=caadmin
+pki_security_domain_password=Secret.123
+
+pki_storage_nickname=kra_storage
+pki_transport_nickname=kra_transport
+pki_audit_signing_nickname=kra_audit_signing
+pki_sslserver_nickname=sslserver
+pki_subsystem_nickname=subsystem
--- a/tests/roles/Test_Setup/tasks/main.yml
+++ b/tests/roles/Test_Setup/tasks/main.yml
@ -0,0 +1,21 @@
+---
+
+- name: Install required packages
+  dnf:
+    name: >
+      389-ds-base, pki-ca, pki-kra
+
+- name: Creates directory
+  file: path=/tmp/test_files state=directory
+
+- name: Copying templates to /tmp folder
+  copy : src=.  dest=/tmp/test_dir
+
+- name: Setup DS Service
+  shell: sh /tmp/test_dir/ds-create.sh
+
+- name: Install CA subsystem
+  shell: pkispawn -f /tmp/test_dir/ca.cfg -s CA -v
+
+- name: Install KRA subsystem
+  shell: pkispawn -f /tmp/test_dir/kra.cfg -s KRA -v
--- a/tests/tests.yml
+++ b/tests/tests.yml
@ -0,0 +1,29 @@
+- hosts: localhost
+  remote_user: root
+  tags:
+    - classic
+  roles:
+  - role: Test_Setup
+  - role: standard-test-basic
+    tests:
+    - verify_spawn_ca:
+        dir: .
+        run: "curl http://localhost:8080/ca/admin/ca/getStatus | grep '\"Status\" : \"running\"'"
+    - verify_spawn_kra:
+        dir: .
+        run: "curl http://localhost:8080/kra/admin/kra/getStatus | grep '\"Status\" : \"running\"'"
+    - destroy_kra:
+        dir: .
+        run: "pkidestroy -i pki-tomcat -s KRA && sleep 5"
+    - verify_destroy_kra:
+        dir: .
+        run: "curl http://localhost:8080/kra/admin/kra/getStatus | grep 'HTTP Status 404'"
+    - destroy_ca:
+        dir: .
+        run: "pkidestroy -i pki-tomcat -s CA"
+    - verify_destroy_ca:
+        dir: .
+        run: "curl http://localhost:8080/ca/admin/ca/getStatus  &> testfile.log || true && grep 'Connection refused' testfile.log"
+    required_packages:
+    - pki-ca
+    - pki-kra
				`@ -1 +0,0 @@`
				`0508d8fa638b11f309d958338afc71e4c9f24f8d SOURCES/pki-10.14.3.tar.gz`
				`@ -0,0 +1 @@`
				`SHA512 (pki-10.14.3.tar.gz) = ffdd8240bcbfc1c3cd28fecc4eb092767d8afab2df7a9354264081f9c5449f12eb06726045758515b1a27f32af622dca557cc8d370d6c5f5eaaf8d8117b94773`