Compare commits

...

No commits in common. "stream-pki-core-10.6-rhel-8.9.0" and "c8-stream-10.6" have entirely different histories.

15 changed files with 22 additions and 511 deletions

3
.gitignore vendored
View File

@ -1,2 +1 @@
SOURCES/pki-10.14.3.tar.gz
/pki-10.14.3.tar.gz
SOURCES/pki-10.15.0.tar.gz

1
.pki-core.metadata Normal file
View File

@ -0,0 +1 @@
93ab86c656d28da1aeb388e6d4d1d88bb64b2dee SOURCES/pki-10.15.0.tar.gz

View File

@ -1,332 +0,0 @@
From 7d62105c676fc79e0c32766c41cd034655a524ff Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Tue, 25 Jan 2022 16:29:53 -0600
Subject: [PATCH] Fix pki-healthcheck for clones
Previously the ClonesConnectivyAndDataCheck.check_kra_clones()
was trying to check KRA clone status by retrieving a key using
the subsystem cert. This operation did not work since the user
associated with the cert did not have access to the keys. The
code has been changed to get the status from GetStatus service
instead. The original code might be moved into IPA later so it
could run with IPA's RA agent credentials which would allow
access to the keys.
Previously the ClonesPlugin.contact_subsystem_using_sslget()
used sslget to call GetStatus service and returned the entire
output which was then incorrectly processed in XML format. The
method has been renamed to get_status() and changed to use
PKIConnection and process the response in either JSON or XML
format, then only return the subsystem status. All callers
have been updated accordingly.
The ClonesPlugin.contact_subsystem_using_pki() is no longer
used so it has been removed.
---
.../clones/connectivity_and_data.py | 130 ++++++++----------
.../pki/server/healthcheck/clones/plugin.py | 75 ++++------
base/server/python/pki/server/__init__.py | 8 +-
3 files changed, 91 insertions(+), 122 deletions(-)
diff --git a/base/server/healthcheck/pki/server/healthcheck/clones/connectivity_and_data.py b/base/server/healthcheck/pki/server/healthcheck/clones/connectivity_and_data.py
index ca5d6dae48..d9bb480f7f 100644
--- a/base/server/healthcheck/pki/server/healthcheck/clones/connectivity_and_data.py
+++ b/base/server/healthcheck/pki/server/healthcheck/clones/connectivity_and_data.py
@@ -46,93 +46,83 @@ class ClonesConnectivyAndDataCheck(ClonesPlugin):
def check_kra_clones(self):
for host in self.clone_kras:
- cur_clone_msg = ' Host: ' + host.Hostname + ' Port: ' + host.SecurePort
- # Reach out and get some keys or requests , to serve as a data and connectivity check
+
+ url = 'https://' + host.Hostname + ':' + host.SecurePort
+
try:
- client_nick = self.security_domain.config.get('ca.connector.KRA.nickName')
-
- output = self.contact_subsystem_using_pki(
- host.SecurePort, host.Hostname, client_nick,
- self.passwd, self.db_dir, 'kra-key-show', ['0x01'])
-
- # check to see if we either got a key or a key not found exception
- # of which either will imply a successful connection
- if output is not None:
- key_found = output.find('Key ID:')
- key_not_found = output.find('KeyNotFoundException:')
- if key_found >= 0:
- logger.info('Key material found from kra clone.')
-
- if key_not_found >= 0:
- logger.info('key not found, possibly empty kra')
-
- if key_not_found == -1 and key_found == -1:
- logger.info('Failure to get key material from kra')
- raise BaseException('KRA clone problem detected ' + cur_clone_msg)
- else:
- raise BaseException('No data obtained from KRA clone.' + cur_clone_msg)
+ status = self.get_status(
+ host.Hostname,
+ host.SecurePort,
+ '/kra/admin/kra/getStatus')
- except BaseException as e:
- logger.error("Internal error testing KRA clone. %s", e)
- raise BaseException('Internal error testing KRA clone.' + cur_clone_msg)
+ logger.info('KRA at %s is %s', url, status)
- return
+ if status != 'running':
+ raise Exception('KRA at %s is %s' % (url, status))
+
+ except Exception as e:
+ logger.error('Unable to reach KRA at %s: %s', url, e)
+ raise Exception('Unable to reach KRA at %s: %s' % (url, e))
def check_ocsp_clones(self):
for host in self.clone_ocsps:
- cur_clone_msg = ' Host: ' + host.Hostname + ' Port: ' + host.SecurePort
- # Reach out to the ocsp clones
+
+ url = 'https://' + host.Hostname + ':' + host.SecurePort
+
try:
- output = self.contact_subsystem_using_sslget(
- host.SecurePort, host.Hostname, None,
- self.passwd, self.db_dir, None, '/ocsp/admin/ocsp/getStatus')
-
- good_status = output.find('<State>1</State>')
- if good_status == -1:
- raise BaseException('OCSP clone problem detected.' + cur_clone_msg)
- logger.info('good_status %s ', good_status)
- except BaseException as e:
- logger.error("Internal error testing OCSP clone. %s", e)
- raise BaseException('Internal error testing OCSP clone.' + cur_clone_msg)
+ status = self.get_status(
+ host.Hostname,
+ host.SecurePort,
+ '/ocsp/admin/ocsp/getStatus')
- return
+ logger.info('OCSP at %s is %s', url, status)
+
+ if status != 'running':
+ raise Exception('OCSP at %s is %s' % (url, status))
+
+ except Exception as e:
+ logger.error('Unable to reach OCSP at %s: %s', url, e)
+ raise Exception('Unable to reach OCSP at %s: %s' % (url, e))
def check_tks_clones(self):
for host in self.clone_tkss:
- cur_clone_msg = ' Host: ' + host.Hostname + ' Port: ' + host.SecurePort
- # Reach out to the tks clones
+
+ url = 'https://' + host.Hostname + ':' + host.SecurePort
+
try:
- output = self.contact_subsystem_using_sslget(
- host.SecurePort, host.Hostname, None,
- self.passwd, self.db_dir, None, '/tks/admin/tks/getStatus')
-
- good_status = output.find('<State>1</State>')
- if good_status == -1:
- raise BaseException('TKS clone problem detected.' + cur_clone_msg)
- logger.info('good_status %s ', good_status)
- except BaseException as e:
- logger.error("Internal error testing TKS clone. %s", e)
- raise BaseException('Internal error testing TKS clone.' + cur_clone_msg)
+ status = self.get_status(
+ host.Hostname,
+ host.SecurePort,
+ '/tks/admin/tks/getStatus')
- return
+ logger.info('TKS at %s is %s', url, status)
+
+ if status != 'running':
+ raise Exception('TKS at %s is %s' % (url, status))
+
+ except Exception as e:
+ logger.error('Unable to reach TKS at %s: %s', url, e)
+ raise Exception('Unable to reach TKS at %s: %s' % (url, e))
def check_tps_clones(self):
for host in self.clone_tpss:
- cur_clone_msg = ' Host: ' + host.Hostname + ' Port: ' + host.SecurePort
- # Reach out to the tps clones
+
+ url = 'https://' + host.Hostname + ':' + host.SecurePort
+
try:
- output = self.contact_subsystem_using_sslget(
- host.SecurePort, host.Hostname, None,
- self.passwd, self.db_dir, None, '/tps/admin/tps/getStatus')
-
- good_status = output.find('<State>1</State>')
- if good_status == -1:
- raise BaseException('TPS clone problem detected.' + cur_clone_msg)
- logger.info('good_status %s ', good_status)
- except BaseException as e:
- logger.error("Internal error testing TPS clone. %s", e)
- raise BaseException('Internal error testing TPS clone.' + cur_clone_msg)
- return
+ status = self.get_status(
+ host.Hostname,
+ host.SecurePort,
+ '/tps/admin/tps/getStatus')
+
+ logger.info('TPS at %s is %s', url, status)
+
+ if status != 'running':
+ raise Exception('TPS at %s is %s' % (url, status))
+
+ except Exception as e:
+ logger.error('Unable to reach TPS at %s: %s', url, e)
+ raise Exception('Unable to reach TPS at %s: %s' % (url, e))
@duration
def check(self):
diff --git a/base/server/healthcheck/pki/server/healthcheck/clones/plugin.py b/base/server/healthcheck/pki/server/healthcheck/clones/plugin.py
index 2472f35b5b..824c36a1a9 100644
--- a/base/server/healthcheck/pki/server/healthcheck/clones/plugin.py
+++ b/base/server/healthcheck/pki/server/healthcheck/clones/plugin.py
@@ -6,6 +6,10 @@
# SPDX-License-Identifier: GPL-2.0-or-later
#
+import json
+import logging
+import xml.etree.ElementTree as ET
+
from ipahealthcheck.core.plugin import Plugin, Registry
from pki.server.instance import PKIInstance
from pki.client import PKIConnection
@@ -13,9 +17,6 @@ from pki.system import SecurityDomainClient
from pki.server.healthcheck.core.main import merge_dogtag_config
-import logging
-import subprocess
-
logger = logging.getLogger(__name__)
# Temporary workaround to skip VERBOSE data. Fix already pushed to upstream
@@ -46,60 +47,36 @@ class ClonesPlugin(Plugin):
self.instance = PKIInstance(self.config.instance_name)
- def contact_subsystem_using_pki(
- self, subport, subhost, subsystemnick,
- token_pwd, db_path, cmd, exts=None):
- command = ["/usr/bin/pki",
- "-p", str(subport),
- "-h", subhost,
- "-n", subsystemnick,
- "-P", "https",
- "-d", db_path,
- "-c", token_pwd,
- cmd]
-
- if exts is not None:
- command.extend(exts)
-
- output = None
- try:
- output = subprocess.check_output(command, stderr=subprocess.STDOUT)
- except subprocess.CalledProcessError as e:
- output = e.output.decode('utf-8')
- return output
+ def get_status(self, host, port, path):
- output = output.decode('utf-8')
+ self.instance.export_ca_cert()
- return output
+ connection = PKIConnection(
+ protocol='https',
+ hostname=host,
+ port=port,
+ cert_paths=self.instance.ca_cert)
- def contact_subsystem_using_sslget(
- self, port, host, subsystemnick,
- token_pwd, db_path, params, url):
+ response = connection.get(path)
- command = ["/usr/bin/sslget"]
+ content_type = response.headers['Content-Type']
+ content = response.text
+ logger.info('Content:\n%s', content)
- if subsystemnick is not None:
- command.extend(["-n", subsystemnick])
+ # https://github.com/dogtagpki/pki/wiki/GetStatus-Service
+ if content_type == 'application/json':
+ json_response = json.loads(content)
+ status = json_response['Response']['Status']
- command.extend(["-p", token_pwd, "-d", db_path])
-
- if params is not None:
- command.extend(["-e", params])
-
- command.extend([
- "-r", url, host + ":" + port])
-
- logger.info(' command : %s ', command)
- output = None
- try:
- output = subprocess.check_output(command, stderr=subprocess.STDOUT)
- except subprocess.CalledProcessError as e:
- output = e.output.decode('utf-8')
- return output
+ elif content_type == 'application/xml':
+ root = ET.fromstring(content)
+ status = root.findtext('Status')
- output = output.decode('utf-8')
+ else:
+ raise Exception('Unsupported content-type: %s' % content_type)
- return output
+ logger.info('Status: %s', status)
+ return status
def get_security_domain_data(self, host, port):
domain_data = None
diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
index 4fbb74684b..0515bbb197 100644
--- a/base/server/python/pki/server/__init__.py
+++ b/base/server/python/pki/server/__init__.py
@@ -241,6 +241,10 @@ class PKIServer(object):
def jss_conf(self):
return os.path.join(self.conf_dir, 'jss.conf')
+ @property
+ def ca_cert(self):
+ return os.path.join(self.nssdb_dir, 'ca.crt')
+
def is_valid(self):
return self.exists()
@@ -259,8 +263,6 @@ class PKIServer(object):
def export_ca_cert(self):
- ca_path = os.path.join(self.nssdb_dir, 'ca.crt')
-
token = pki.nssdb.INTERNAL_TOKEN_NAME
nickname = self.get_sslserver_cert_nickname()
@@ -272,7 +274,7 @@ class PKIServer(object):
nssdb = self.open_nssdb(token=token)
try:
- nssdb.extract_ca_cert(ca_path, nickname)
+ nssdb.extract_ca_cert(self.ca_cert, nickname)
finally:
nssdb.close()
--
2.33.1

View File

@ -12,10 +12,10 @@ License: GPLv2 and LGPLv2
# For development (i.e. unsupported) releases, use x.y.z-0.n.<phase>.
# For official (i.e. supported) releases, use x.y.z-r where r >=1.
%global release_number 2
Version: 10.14.3
%global release_number 1
Version: 10.15.0
Release: %{?release_number}%{?_timestamp}%{?_commit_id}%{?dist}
#global _phase
#global _phase -alpha1
# To create a tarball from a version tag:
# $ git archive \
@ -34,7 +34,6 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?_phase}/pki-%{ver
# md2man isn't available on i686. Additionally, we aren't generally multi-lib
# compatible (https://fedoraproject.org/wiki/Packaging:Java)
# md2man has now also been dropped in RHEL 8 so exlcude from RHEL 8+
%if ! 0%{?rhel} || 0%{?rhel} >= 8
ExcludeArch: i686
%endif
@ -175,7 +174,7 @@ BuildRequires: zip
BuildRequires: %{java_devel}
BuildRequires: javapackages-tools
BuildRequires: redhat-rpm-config
BuildRequires: ldapjdk >= 4.23.0, ldapjdk < 5.0.0
BuildRequires: ldapjdk >= 4.24.0, ldapjdk < 5.0.0
BuildRequires: apache-commons-cli
BuildRequires: apache-commons-codec
BuildRequires: apache-commons-io
@ -214,8 +213,8 @@ BuildRequires: tomcat
BuildRequires: junit
BuildRequires: jpackage-utils >= 0:1.7.5-10
BuildRequires: jss >= 4.9.0, jss < 5.0.0
BuildRequires: tomcatjss >= 7.7.0, tomcatjss < 8.0.0
BuildRequires: jss >= 4.11.0, jss < 5.0.0
BuildRequires: tomcatjss >= 7.8.0, tomcatjss < 8.0.0
BuildRequires: systemd-units
@ -334,7 +333,7 @@ Provides: pki-symkey = %{version}-%{release}
Requires: %{java_headless}
Requires: jpackage-utils >= 0:1.7.5-10
Requires: jss >= 4.9.0, jss < 5.0.0
Requires: jss >= 4.11.0, jss < 5.0.0
Requires: nss >= 3.38.0
# Ensure we end up with a useful installation
@ -422,8 +421,8 @@ Requires: glassfish-jaxb-api
Requires: slf4j
Requires: slf4j-jdk14
Requires: jpackage-utils >= 0:1.7.5-10
Requires: jss >= 4.9.0, jss < 5.0.0
Requires: ldapjdk >= 4.23.0, ldapjdk < 5.0.0
Requires: jss >= 4.11.0, jss < 5.0.0
Requires: ldapjdk >= 4.24.0, ldapjdk < 5.0.0
Requires: %{product_id}-base = %{version}-%{release}
%if 0%{?rhel} && 0%{?rhel} <= 8
@ -511,7 +510,7 @@ Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
Requires(pre): shadow-utils
Requires: tomcatjss >= 7.7.0, tomcatjss < 8.0.0
Requires: tomcatjss >= 7.8.0, tomcatjss < 8.0.0
# pki-healthcheck depends on the following library
%if 0%{?rhel}
@ -776,9 +775,9 @@ BuildArch: noarch
Obsoletes: pki-console < %{version}-%{release}
Provides: pki-console = %{version}-%{release}
BuildRequires: idm-console-framework >= 1.2.0, idm-console-framework < 2.0.0
BuildRequires: idm-console-framework >= 1.4.0, idm-console-framework < 2.0.0
Requires: idm-console-framework >= 1.2.0, idm-console-framework < 2.0.0
Requires: idm-console-framework >= 1.4.0, idm-console-framework < 2.0.0
Requires: %{product_id}-base-java = %{version}-%{release}
Requires: %{product_id}-console-theme = %{version}-%{release}
@ -1395,8 +1394,14 @@ fi
################################################################################
%changelog
* Thu Mar 21 2024 Red Hat PKI Team <rhcs-maint@redhat.com> 10.14.3-2
- RHEL-30063: Replace pki-servlet-engine with tomcat
* Thu Feb 08 2024 Red Hat PKI Team <rhcs-maint@redhat.com> 10.15.0-1
- Rebase to PKI 10.15.0
* Tue Jan 16 2024 Red Hat PKI Team <rhcs-maint@redhat.com> 10.15.0-0.1
- Rebase to PKI 10.15.0-alpha1
* Mon Jan 15 2024 Red Hat PKI Team <rhcs-maint@redhat.com> 10.14.3-2
- Replace pki-servlet-engine with tomcat
* Fri Feb 03 2023 Red Hat PKI Team <rhcs-maint@redhat.com> 10.14.3-1
- Rebase to PKI 10.14.3
@ -1669,4 +1674,3 @@ fi
* Thu Mar 15 2018 Red Hat PKI Team <rhcs-maint@redhat.com> 10.6.0-0.2
- Rebase to PKI 10.6.0 beta

View File

@ -1,9 +0,0 @@
#!/bin/sh
REPO=$1
if [ "$REPO" == "" ]; then
REPO="pki-10.6"
fi
fedpkg copr-build --nowait $REPO

View File

@ -1,8 +0,0 @@
# recipients: rhcs-team
--- !Policy
product_versions:
- rhel-9
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
- !PassingTestCaseRule {test_case_name: idm-ci.brew-build.tier1.functional}

View File

@ -1,4 +0,0 @@
addFilter('W: spelling-error')
addFilter('W: dangling-symlink')
addFilter('W: no-manual-page-for-binary')
addFilter('W: log-files-without-logrotate')

View File

@ -1,6 +0,0 @@
---
specname:
match: suffix
runpath:
allowed_paths:
- /usr/lib64/tps

View File

@ -1 +0,0 @@
SHA512 (pki-10.14.3.tar.gz) = ffdd8240bcbfc1c3cd28fecc4eb092767d8afab2df7a9354264081f9c5449f12eb06726045758515b1a27f32af622dca557cc8d370d6c5f5eaaf8d8117b94773

View File

@ -1,7 +0,0 @@
#!/bin/sh
SOURCE=$1
TARGET=`basename $1`
cp $SOURCE $TARGET
sha512sum --tag $TARGET > sources

View File

@ -1,25 +0,0 @@
[DEFAULT]
pki_server_database_password=Secret.123
[CA]
pki_admin_email=caadmin@example.com
pki_admin_name=caadmin
pki_admin_nickname=caadmin
pki_admin_password=Secret.123
pki_admin_uid=caadmin
pki_client_database_password=Secret.123
pki_client_database_purge=False
pki_client_pkcs12_password=Secret.123
pki_ds_base_dn=dc=ca,dc=pki,dc=example,dc=com
pki_ds_database=ca
pki_ds_password=Secret.123
pki_security_domain_name=EXAMPLE
pki_ca_signing_nickname=ca_signing
pki_ocsp_signing_nickname=ca_ocsp_signing
pki_audit_signing_nickname=ca_audit_signing
pki_sslserver_nickname=sslserver
pki_subsystem_nickname=subsystem

View File

@ -1,24 +0,0 @@
#!/bin/bash -ex
# This command needs to be executed as it pulls the machine name
# dynamically.
dscreate create-template /tmp/test_dir/ds.inf
sed -i \
-e "s/;instance_name = .*/instance_name = localhost/g" \
-e "s/;root_password = .*/root_password = Secret.123/g" \
-e "s/;suffix = .*/suffix = dc=example,dc=com/g" \
-e "s/;self_sign_cert = .*/self_sign_cert = False/g" \
/tmp/test_dir/ds.inf
dscreate from-file /tmp/test_dir/ds.inf
ldapadd -h $HOSTNAME -x -D "cn=Directory Manager" -w Secret.123 << EOF
dn: dc=example,dc=com
objectClass: domain
dc: example
dn: dc=pki,dc=example,dc=com
objectClass: domain
dc: pki
EOF

View File

@ -1,27 +0,0 @@
[DEFAULT]
pki_server_database_password=Secret.123
[KRA]
pki_admin_email=kraadmin@example.com
pki_admin_name=kraadmin
pki_admin_nickname=kraadmin
pki_admin_password=Secret.123
pki_admin_uid=kraadmin
pki_client_database_password=Secret.123
pki_client_database_purge=False
pki_client_pkcs12_password=Secret.123
pki_ds_base_dn=dc=kra,dc=pki,dc=example,dc=com
pki_ds_database=kra
pki_ds_password=Secret.123
pki_security_domain_name=EXAMPLE
pki_security_domain_user=caadmin
pki_security_domain_password=Secret.123
pki_storage_nickname=kra_storage
pki_transport_nickname=kra_transport
pki_audit_signing_nickname=kra_audit_signing
pki_sslserver_nickname=sslserver
pki_subsystem_nickname=subsystem

View File

@ -1,21 +0,0 @@
---
- name: Install required packages
dnf:
name: >
389-ds-base, pki-ca, pki-kra
- name: Creates directory
file: path=/tmp/test_files state=directory
- name: Copying templates to /tmp folder
copy : src=. dest=/tmp/test_dir
- name: Setup DS Service
shell: sh /tmp/test_dir/ds-create.sh
- name: Install CA subsystem
shell: pkispawn -f /tmp/test_dir/ca.cfg -s CA -v
- name: Install KRA subsystem
shell: pkispawn -f /tmp/test_dir/kra.cfg -s KRA -v

View File

@ -1,29 +0,0 @@
- hosts: localhost
remote_user: root
tags:
- classic
roles:
- role: Test_Setup
- role: standard-test-basic
tests:
- verify_spawn_ca:
dir: .
run: "curl http://localhost:8080/ca/admin/ca/getStatus | grep '\"Status\" : \"running\"'"
- verify_spawn_kra:
dir: .
run: "curl http://localhost:8080/kra/admin/kra/getStatus | grep '\"Status\" : \"running\"'"
- destroy_kra:
dir: .
run: "pkidestroy -i pki-tomcat -s KRA && sleep 5"
- verify_destroy_kra:
dir: .
run: "curl http://localhost:8080/kra/admin/kra/getStatus | grep 'HTTP Status 404'"
- destroy_ca:
dir: .
run: "pkidestroy -i pki-tomcat -s CA"
- verify_destroy_ca:
dir: .
run: "curl http://localhost:8080/ca/admin/ca/getStatus &> testfile.log || true && grep 'Connection refused' testfile.log"
required_packages:
- pki-ca
- pki-kra