From bbdb82268026821cd6a00edae09cc30079effd30 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Tue, 8 Mar 2022 15:19:09 -0600
Subject: [PATCH] Fix pki-server migrate CLI
The pki-server migrate CLI has been modified to configure the
AJP connectors with either secret or requiredSecret parameter
(mutually exclusive) depending on the Tomcat version.
https://bugzilla.redhat.com/show_bug.cgi?id=2061458
---
base/server/python/pki/server/cli/migrate.py | 60 ----------
base/server/python/pki/server/instance.py | 118 +++++++++++++++++++
2 files changed, 118 insertions(+), 60 deletions(-)
diff --git a/base/server/python/pki/server/cli/migrate.py b/base/server/python/pki/server/cli/migrate.py
index 2005004c4e..6e0ed6c2a7 100644
--- a/base/server/python/pki/server/cli/migrate.py
+++ b/base/server/python/pki/server/cli/migrate.py
@@ -23,7 +23,6 @@ from __future__ import print_function
import getopt
import logging
-import re
import sys
from lxml import etree
@@ -104,62 +103,3 @@ class MigrateCLI(pki.cli.CLI):
for instance in instances:
instance.init()
-
- # update AJP connectors for Tomcat 9.0.31 or later
-
- tomcat_version = pki.server.Tomcat.get_version()
- if tomcat_version >= pki.util.Version('9.0.31'):
-
- for instance in instances:
- self.update_ajp_connectors(instance)
-
- def update_ajp_connectors(self, instance):
-
- logger.info('Updating AJP connectors in %s', instance.server_xml)
-
- document = etree.parse(instance.server_xml, self.parser)
- server = document.getroot()
-
- # replace 'requiredSecret' with 'secret' in comments
-
- services = server.findall('Service')
- for service in services:
-
- children = list(service)
- for child in children:
-
- if not isinstance(child, etree._Comment): # pylint: disable=protected-access
- # not a comment -> skip
- continue
-
- if 'protocol="AJP/1.3"' not in child.text:
- # not an AJP connector -> skip
- continue
-
- child.text = re.sub(r'requiredSecret=',
- r'secret=',
- child.text,
- flags=re.MULTILINE)
-
- # replace 'requiredSecret' with 'secret' in Connectors
-
- connectors = server.findall('Service/Connector')
- for connector in connectors:
-
- if connector.get('protocol') != 'AJP/1.3':
- # not an AJP connector -> skip
- continue
-
- if connector.get('secret'):
- # already has a 'secret' -> skip
- continue
-
- if connector.get('requiredSecret') is None:
- # does not have a 'requiredSecret' -> skip
- continue
-
- value = connector.attrib.pop('requiredSecret')
- connector.set('secret', value)
-
- with open(instance.server_xml, 'wb') as f:
- document.write(f, pretty_print=True, encoding='utf-8')
diff --git a/base/server/python/pki/server/instance.py b/base/server/python/pki/server/instance.py
index ad938b841d..ff43dae8ec 100644
--- a/base/server/python/pki/server/instance.py
+++ b/base/server/python/pki/server/instance.py
@@ -836,9 +836,127 @@ class PKIInstance(pki.server.PKIServer):
nssdb.close()
shutil.rmtree(tmpdir)
+ def configure_ajp_connectors_secret(self):
+
+ logger.info('Configuring AJP connectors secret')
+
+ document = etree.parse(self.server_xml, parser)
+ server = document.getroot()
+
+ # replace 'requiredSecret' with 'secret' in comments
+
+ services = server.findall('Service')
+ for service in services:
+
+ children = list(service)
+ for child in children:
+
+ if not isinstance(child, etree._Comment): # pylint: disable=protected-access
+ # not a comment -> skip
+ continue
+
+ if 'protocol="AJP/1.3"' not in child.text:
+ # not an AJP connector -> skip
+ continue
+
+ child.text = re.sub(r'requiredSecret=',
+ r'secret=',
+ child.text,
+ flags=re.MULTILINE)
+
+ # replace 'requiredSecret' with 'secret' in Connectors
+
+ connectors = server.findall('Service/Connector')
+ for connector in connectors:
+
+ if connector.get('protocol') != 'AJP/1.3':
+ # not an AJP connector -> skip
+ continue
+
+ # remove existing 'requiredSecret' if any
+ value = connector.attrib.pop('requiredSecret', None)
+ print('AJP connector requiredSecret: %s' % value)
+
+ if connector.get('secret'):
+ # already has a 'secret' -> skip
+ continue
+
+ if not value:
+ raise Exception('Missing AJP connector secret in %s' % self.server_xml)
+
+ # store 'secret'
+ connector.set('secret', value)
+
+ with open(self.server_xml, 'wb') as f:
+ document.write(f, pretty_print=True, encoding='utf-8')
+
+ def configure_ajp_connectors_required_secret(self):
+
+ logger.info('Configuring AJP connectors requiredSecret')
+
+ document = etree.parse(self.server_xml, parser)
+ server = document.getroot()
+
+ # replace 'secret' with 'requiredSecret' in comments
+
+ services = server.findall('Service')
+ for service in services:
+
+ children = list(service)
+ for child in children:
+
+ if not isinstance(child, etree._Comment): # pylint: disable=protected-access
+ # not a comment -> skip
+ continue
+
+ if 'protocol="AJP/1.3"' not in child.text:
+ # not an AJP connector -> skip
+ continue
+
+ child.text = re.sub(r'secret=',
+ r'requiredSecret=',
+ child.text,
+ flags=re.MULTILINE)
+
+ # replace 'secret' with 'requiredSecret' in Connectors
+
+ connectors = server.findall('Service/Connector')
+ for connector in connectors:
+
+ if connector.get('protocol') != 'AJP/1.3':
+ # not an AJP connector -> skip
+ continue
+
+ # remove existing 'secret' if any
+ value = connector.attrib.pop('secret', None)
+ print('AJP connector secret: %s' % value)
+
+ if connector.get('requiredSecret'):
+ # already has a 'requiredSecret' -> skip
+ continue
+
+ if not value:
+ raise Exception('Missing AJP connector requiredSecret in %s' % self.server_xml)
+
+ # store 'requiredSecret'
+ connector.set('requiredSecret', value)
+
+ with open(self.server_xml, 'wb') as f:
+ document.write(f, pretty_print=True, encoding='utf-8')
+
+ def configure_ajp_connectors(self):
+
+ tomcat_version = pki.server.Tomcat.get_version()
+
+ if tomcat_version >= pki.util.Version('9.0.31'):
+ self.configure_ajp_connectors_secret()
+ else:
+ self.configure_ajp_connectors_required_secret()
+
def init(self):
super(PKIInstance, self).init()
self.validate_banner()
+ self.configure_ajp_connectors()
@classmethod
def instances(cls):
--
2.33.1