From bbdb82268026821cd6a00edae09cc30079effd30 Mon Sep 17 00:00:00 2001
|
|
|
6faa62 |
From: "Endi S. Dewata" <edewata@redhat.com>
|
|
|
6faa62 |
Date: Tue, 8 Mar 2022 15:19:09 -0600
|
|
|
6faa62 |
Subject: [PATCH] Fix pki-server migrate CLI
|
|
|
6faa62 |
|
|
|
6faa62 |
The pki-server migrate CLI has been modified to configure the
|
|
|
6faa62 |
AJP connectors with either secret or requiredSecret parameter
|
|
|
6faa62 |
(mutually exclusive) depending on the Tomcat version.
|
|
|
6faa62 |
|
|
|
6faa62 |
https://bugzilla.redhat.com/show_bug.cgi?id=2061458
|
|
|
6faa62 |
---
|
|
|
6faa62 |
base/server/python/pki/server/cli/migrate.py | 60 ----------
|
|
|
6faa62 |
base/server/python/pki/server/instance.py | 118 +++++++++++++++++++
|
|
|
6faa62 |
2 files changed, 118 insertions(+), 60 deletions(-)
|
|
|
6faa62 |
|
|
|
6faa62 |
diff --git a/base/server/python/pki/server/cli/migrate.py b/base/server/python/pki/server/cli/migrate.py
|
|
|
6faa62 |
index 2005004c4e..6e0ed6c2a7 100644
|
|
|
6faa62 |
--- a/base/server/python/pki/server/cli/migrate.py
|
|
|
6faa62 |
+++ b/base/server/python/pki/server/cli/migrate.py
|
|
|
6faa62 |
@@ -23,7 +23,6 @@ from __future__ import print_function
|
|
|
6faa62 |
|
|
|
6faa62 |
import getopt
|
|
|
6faa62 |
import logging
|
|
|
6faa62 |
-import re
|
|
|
6faa62 |
import sys
|
|
|
6faa62 |
|
|
|
6faa62 |
from lxml import etree
|
|
|
6faa62 |
@@ -104,62 +103,3 @@ class MigrateCLI(pki.cli.CLI):
|
|
|
6faa62 |
|
|
|
6faa62 |
for instance in instances:
|
|
|
6faa62 |
instance.init()
|
|
|
6faa62 |
-
|
|
|
6faa62 |
- # update AJP connectors for Tomcat 9.0.31 or later
|
|
|
6faa62 |
-
|
|
|
6faa62 |
- tomcat_version = pki.server.Tomcat.get_version()
|
|
|
6faa62 |
- if tomcat_version >= pki.util.Version('9.0.31'):
|
|
|
6faa62 |
-
|
|
|
6faa62 |
- for instance in instances:
|
|
|
6faa62 |
- self.update_ajp_connectors(instance)
|
|
|
6faa62 |
-
|
|
|
6faa62 |
- def update_ajp_connectors(self, instance):
|
|
|
6faa62 |
-
|
|
|
6faa62 |
- logger.info('Updating AJP connectors in %s', instance.server_xml)
|
|
|
6faa62 |
-
|
|
|
6faa62 |
- document = etree.parse(instance.server_xml, self.parser)
|
|
|
6faa62 |
- server = document.getroot()
|
|
|
6faa62 |
-
|
|
|
6faa62 |
- # replace 'requiredSecret' with 'secret' in comments
|
|
|
6faa62 |
-
|
|
|
6faa62 |
- services = server.findall('Service')
|
|
|
6faa62 |
- for service in services:
|
|
|
6faa62 |
-
|
|
|
6faa62 |
- children = list(service)
|
|
|
6faa62 |
- for child in children:
|
|
|
6faa62 |
-
|
|
|
6faa62 |
- if not isinstance(child, etree._Comment): # pylint: disable=protected-access
|
|
|
6faa62 |
- # not a comment -> skip
|
|
|
6faa62 |
- continue
|
|
|
6faa62 |
-
|
|
|
6faa62 |
- if 'protocol="AJP/1.3"' not in child.text:
|
|
|
6faa62 |
- # not an AJP connector -> skip
|
|
|
6faa62 |
- continue
|
|
|
6faa62 |
-
|
|
|
6faa62 |
- child.text = re.sub(r'requiredSecret=',
|
|
|
6faa62 |
- r'secret=',
|
|
|
6faa62 |
- child.text,
|
|
|
6faa62 |
- flags=re.MULTILINE)
|
|
|
6faa62 |
-
|
|
|
6faa62 |
- # replace 'requiredSecret' with 'secret' in Connectors
|
|
|
6faa62 |
-
|
|
|
6faa62 |
- connectors = server.findall('Service/Connector')
|
|
|
6faa62 |
- for connector in connectors:
|
|
|
6faa62 |
-
|
|
|
6faa62 |
- if connector.get('protocol') != 'AJP/1.3':
|
|
|
6faa62 |
- # not an AJP connector -> skip
|
|
|
6faa62 |
- continue
|
|
|
6faa62 |
-
|
|
|
6faa62 |
- if connector.get('secret'):
|
|
|
6faa62 |
- # already has a 'secret' -> skip
|
|
|
6faa62 |
- continue
|
|
|
6faa62 |
-
|
|
|
6faa62 |
- if connector.get('requiredSecret') is None:
|
|
|
6faa62 |
- # does not have a 'requiredSecret' -> skip
|
|
|
6faa62 |
- continue
|
|
|
6faa62 |
-
|
|
|
6faa62 |
- value = connector.attrib.pop('requiredSecret')
|
|
|
6faa62 |
- connector.set('secret', value)
|
|
|
6faa62 |
-
|
|
|
6faa62 |
- with open(instance.server_xml, 'wb') as f:
|
|
|
6faa62 |
- document.write(f, pretty_print=True, encoding='utf-8')
|
|
|
6faa62 |
diff --git a/base/server/python/pki/server/instance.py b/base/server/python/pki/server/instance.py
|
|
|
6faa62 |
index ad938b841d..ff43dae8ec 100644
|
|
|
6faa62 |
--- a/base/server/python/pki/server/instance.py
|
|
|
6faa62 |
+++ b/base/server/python/pki/server/instance.py
|
|
|
6faa62 |
@@ -836,9 +836,127 @@ class PKIInstance(pki.server.PKIServer):
|
|
|
6faa62 |
nssdb.close()
|
|
|
6faa62 |
shutil.rmtree(tmpdir)
|
|
|
6faa62 |
|
|
|
6faa62 |
+ def configure_ajp_connectors_secret(self):
|
|
|
6faa62 |
+
|
|
|
6faa62 |
+ logger.info('Configuring AJP connectors secret')
|
|
|
6faa62 |
+
|
|
|
6faa62 |
+ document = etree.parse(self.server_xml, parser)
|
|
|
6faa62 |
+ server = document.getroot()
|
|
|
6faa62 |
+
|
|
|
6faa62 |
+ # replace 'requiredSecret' with 'secret' in comments
|
|
|
6faa62 |
+
|
|
|
6faa62 |
+ services = server.findall('Service')
|
|
|
6faa62 |
+ for service in services:
|
|
|
6faa62 |
+
|
|
|
6faa62 |
+ children = list(service)
|
|
|
6faa62 |
+ for child in children:
|
|
|
6faa62 |
+
|
|
|
6faa62 |
+ if not isinstance(child, etree._Comment): # pylint: disable=protected-access
|
|
|
6faa62 |
+ # not a comment -> skip
|
|
|
6faa62 |
+ continue
|
|
|
6faa62 |
+
|
|
|
6faa62 |
+ if 'protocol="AJP/1.3"' not in child.text:
|
|
|
6faa62 |
+ # not an AJP connector -> skip
|
|
|
6faa62 |
+ continue
|
|
|
6faa62 |
+
|
|
|
6faa62 |
+ child.text = re.sub(r'requiredSecret=',
|
|
|
6faa62 |
+ r'secret=',
|
|
|
6faa62 |
+ child.text,
|
|
|
6faa62 |
+ flags=re.MULTILINE)
|
|
|
6faa62 |
+
|
|
|
6faa62 |
+ # replace 'requiredSecret' with 'secret' in Connectors
|
|
|
6faa62 |
+
|
|
|
6faa62 |
+ connectors = server.findall('Service/Connector')
|
|
|
6faa62 |
+ for connector in connectors:
|
|
|
6faa62 |
+
|
|
|
6faa62 |
+ if connector.get('protocol') != 'AJP/1.3':
|
|
|
6faa62 |
+ # not an AJP connector -> skip
|
|
|
6faa62 |
+ continue
|
|
|
6faa62 |
+
|
|
|
6faa62 |
+ # remove existing 'requiredSecret' if any
|
|
|
6faa62 |
+ value = connector.attrib.pop('requiredSecret', None)
|
|
|
6faa62 |
+ print('AJP connector requiredSecret: %s' % value)
|
|
|
6faa62 |
+
|
|
|
6faa62 |
+ if connector.get('secret'):
|
|
|
6faa62 |
+ # already has a 'secret' -> skip
|
|
|
6faa62 |
+ continue
|
|
|
6faa62 |
+
|
|
|
6faa62 |
+ if not value:
|
|
|
6faa62 |
+ raise Exception('Missing AJP connector secret in %s' % self.server_xml)
|
|
|
6faa62 |
+
|
|
|
6faa62 |
+ # store 'secret'
|
|
|
6faa62 |
+ connector.set('secret', value)
|
|
|
6faa62 |
+
|
|
|
6faa62 |
+ with open(self.server_xml, 'wb') as f:
|
|
|
6faa62 |
+ document.write(f, pretty_print=True, encoding='utf-8')
|
|
|
6faa62 |
+
|
|
|
6faa62 |
+ def configure_ajp_connectors_required_secret(self):
|
|
|
6faa62 |
+
|
|
|
6faa62 |
+ logger.info('Configuring AJP connectors requiredSecret')
|
|
|
6faa62 |
+
|
|
|
6faa62 |
+ document = etree.parse(self.server_xml, parser)
|
|
|
6faa62 |
+ server = document.getroot()
|
|
|
6faa62 |
+
|
|
|
6faa62 |
+ # replace 'secret' with 'requiredSecret' in comments
|
|
|
6faa62 |
+
|
|
|
6faa62 |
+ services = server.findall('Service')
|
|
|
6faa62 |
+ for service in services:
|
|
|
6faa62 |
+
|
|
|
6faa62 |
+ children = list(service)
|
|
|
6faa62 |
+ for child in children:
|
|
|
6faa62 |
+
|
|
|
6faa62 |
+ if not isinstance(child, etree._Comment): # pylint: disable=protected-access
|
|
|
6faa62 |
+ # not a comment -> skip
|
|
|
6faa62 |
+ continue
|
|
|
6faa62 |
+
|
|
|
6faa62 |
+ if 'protocol="AJP/1.3"' not in child.text:
|
|
|
6faa62 |
+ # not an AJP connector -> skip
|
|
|
6faa62 |
+ continue
|
|
|
6faa62 |
+
|
|
|
6faa62 |
+ child.text = re.sub(r'secret=',
|
|
|
6faa62 |
+ r'requiredSecret=',
|
|
|
6faa62 |
+ child.text,
|
|
|
6faa62 |
+ flags=re.MULTILINE)
|
|
|
6faa62 |
+
|
|
|
6faa62 |
+ # replace 'secret' with 'requiredSecret' in Connectors
|
|
|
6faa62 |
+
|
|
|
6faa62 |
+ connectors = server.findall('Service/Connector')
|
|
|
6faa62 |
+ for connector in connectors:
|
|
|
6faa62 |
+
|
|
|
6faa62 |
+ if connector.get('protocol') != 'AJP/1.3':
|
|
|
6faa62 |
+ # not an AJP connector -> skip
|
|
|
6faa62 |
+ continue
|
|
|
6faa62 |
+
|
|
|
6faa62 |
+ # remove existing 'secret' if any
|
|
|
6faa62 |
+ value = connector.attrib.pop('secret', None)
|
|
|
6faa62 |
+ print('AJP connector secret: %s' % value)
|
|
|
6faa62 |
+
|
|
|
6faa62 |
+ if connector.get('requiredSecret'):
|
|
|
6faa62 |
+ # already has a 'requiredSecret' -> skip
|
|
|
6faa62 |
+ continue
|
|
|
6faa62 |
+
|
|
|
6faa62 |
+ if not value:
|
|
|
6faa62 |
+ raise Exception('Missing AJP connector requiredSecret in %s' % self.server_xml)
|
|
|
6faa62 |
+
|
|
|
6faa62 |
+ # store 'requiredSecret'
|
|
|
6faa62 |
+ connector.set('requiredSecret', value)
|
|
|
6faa62 |
+
|
|
|
6faa62 |
+ with open(self.server_xml, 'wb') as f:
|
|
|
6faa62 |
+ document.write(f, pretty_print=True, encoding='utf-8')
|
|
|
6faa62 |
+
|
|
|
6faa62 |
+ def configure_ajp_connectors(self):
|
|
|
6faa62 |
+
|
|
|
6faa62 |
+ tomcat_version = pki.server.Tomcat.get_version()
|
|
|
6faa62 |
+
|
|
|
6faa62 |
+ if tomcat_version >= pki.util.Version('9.0.31'):
|
|
|
6faa62 |
+ self.configure_ajp_connectors_secret()
|
|
|
6faa62 |
+ else:
|
|
|
6faa62 |
+ self.configure_ajp_connectors_required_secret()
|
|
|
6faa62 |
+
|
|
|
6faa62 |
def init(self):
|
|
|
6faa62 |
super(PKIInstance, self).init()
|
|
|
6faa62 |
self.validate_banner()
|
|
|
6faa62 |
+ self.configure_ajp_connectors()
|
|
|
6faa62 |
|
|
|
6faa62 |
@classmethod
|
|
|
6faa62 |
def instances(cls):
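Review bot: The two `print('AJP connector requiredSecret: %s' % value)` / `print('AJP connector secret: %s' % value)` lines in the new `configure_ajp_connectors_secret` and `configure_ajp_connectors_required_secret` methods write the AJP shared secret to stdout, and because `init()` now calls `configure_ajp_connectors()` this happens on every instance initialisation, so the credential that protects the httpd-to-Tomcat AJP channel lands in terminal scrollback, CI logs and the journal of any `pki-server` command. The value should not be emitted at all: drop both `print` calls, or record only presence with `logger.debug('AJP connector requiredSecret attribute present: %s', value is not None)` (and the same for `secret`). Separately, server.xml is rewritten in place via `open(self.server_xml, 'wb')` on every `init()`, including read-only CLI commands, and an interrupted write leaves a truncated server.xml; writing to a temporary file in the same directory and `os.replace()`-ing it over the original would make the update atomic. The `raise Exception('Missing AJP connector secret ...')` path should also be checked against AJP connectors that deliberately set `secretRequired="false"`, which this code would now reject with a generic `Exception` rather than a project-specific one — I cannot see from the hunk whether such connectors exist in shipped templates. `parser`, `re` and `etree` are used as module-level names whose definitions lie outside this hunk, and the `PKIInstance` class continues past the end of the hunk.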
|
|
|
6faa62 |
--
|
|
|
6faa62 |
2.33.1
|