From 6faa627560b22551e449cab5364ed965cffc69fc Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Apr 26 2022 13:52:41 +0000
Subject: import pki-core-10.11.2-5.module+el8.5.0+14437+bc030dcc
---
diff --git a/SOURCES/0001-Fix-pki-server-migrate-CLI.patch b/SOURCES/0001-Fix-pki-server-migrate-CLI.patch
new file mode 100644
index 0000000..db5395a
--- /dev/null
+++ b/SOURCES/0001-Fix-pki-server-migrate-CLI.patch
@@ -0,0 +1,225 @@
+From bbdb82268026821cd6a00edae09cc30079effd30 Mon Sep 17 00:00:00 2001
+From: "Endi S. Dewata"
+Date: Tue, 8 Mar 2022 15:19:09 -0600
+Subject: [PATCH] Fix pki-server migrate CLI
+
+The pki-server migrate CLI has been modified to configure the
+AJP connectors with either secret or requiredSecret parameter
+(mutually exclusive) depending on the Tomcat version.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=2061458
+---
+ base/server/python/pki/server/cli/migrate.py | 60 ----------
+ base/server/python/pki/server/instance.py | 118 +++++++++++++++++++
+ 2 files changed, 118 insertions(+), 60 deletions(-)
+
+diff --git a/base/server/python/pki/server/cli/migrate.py b/base/server/python/pki/server/cli/migrate.py
+index 2005004c4e..6e0ed6c2a7 100644
+--- a/base/server/python/pki/server/cli/migrate.py
++++ b/base/server/python/pki/server/cli/migrate.py
+@@ -23,7 +23,6 @@ from __future__ import print_function
+ 
+ import getopt
+ import logging
+-import re
+ import sys
+ 
+ from lxml import etree
+@@ -104,62 +103,3 @@ class MigrateCLI(pki.cli.CLI):
+ 
+ for instance in instances:
+ instance.init()
+-
+- # update AJP connectors for Tomcat 9.0.31 or later
+-
+- tomcat_version = pki.server.Tomcat.get_version()
+- if tomcat_version >= pki.util.Version('9.0.31'):
+-
+- for instance in instances:
+- self.update_ajp_connectors(instance)
+-
+- def update_ajp_connectors(self, instance):
+-
+- logger.info('Updating AJP connectors in %s', instance.server_xml)
+-
+- document = etree.parse(instance.server_xml, self.parser)
+- server = document.getroot()
+-
+- # replace 'requiredSecret' with 'secret' in comments
+-
+- services = server.findall('Service')
+- for service in services:
+-
+- children = list(service)
+- for child in children:
+-
+- if not isinstance(child, etree._Comment): # pylint: disable=protected-access
+- # not a comment -> skip
+- continue
+-
+- if 'protocol="AJP/1.3"' not in child.text:
+- # not an AJP connector -> skip
+- continue
+-
+- child.text = re.sub(r'requiredSecret=',
+- r'secret=',
+- child.text,
+- flags=re.MULTILINE)
+-
+- # replace 'requiredSecret' with 'secret' in Connectors
+-
+- connectors = server.findall('Service/Connector')
+- for connector in connectors:
+-
+- if connector.get('protocol') != 'AJP/1.3':
+- # not an AJP connector -> skip
+- continue
+-
+- if connector.get('secret'):
+- # already has a 'secret' -> skip
+- continue
+-
+- if connector.get('requiredSecret') is None:
+- # does not have a 'requiredSecret' -> skip
+- continue
+-
+- value = connector.attrib.pop('requiredSecret')
+- connector.set('secret', value)
+-
+- with open(instance.server_xml, 'wb') as f:
+- document.write(f, pretty_print=True, encoding='utf-8')
+diff --git a/base/server/python/pki/server/instance.py b/base/server/python/pki/server/instance.py
+index ad938b841d..ff43dae8ec 100644
+--- a/base/server/python/pki/server/instance.py
++++ b/base/server/python/pki/server/instance.py
+@@ -836,9 +836,127 @@ class PKIInstance(pki.server.PKIServer):
+ nssdb.close()
+ shutil.rmtree(tmpdir)
+ 
++ def configure_ajp_connectors_secret(self):
++
++ logger.info('Configuring AJP connectors secret')
++
++ document = etree.parse(self.server_xml, parser)
++ server = document.getroot()
++
++ # replace 'requiredSecret' with 'secret' in comments
++
++ services = server.findall('Service')
++ for service in services:
++
++ children = list(service)
++ for child in children:
++
++ if not isinstance(child, etree._Comment): # pylint: disable=protected-access
++ # not a comment -> skip
++ continue
++
++ if 'protocol="AJP/1.3"' not in child.text:
++ # not an AJP connector -> skip
++ continue
++
++ child.text = re.sub(r'requiredSecret=',
++ r'secret=',
++ child.text,
++ flags=re.MULTILINE)
++
++ # replace 'requiredSecret' with 'secret' in Connectors
++
++ connectors = server.findall('Service/Connector')
++ for connector in connectors:
++
++ if connector.get('protocol') != 'AJP/1.3':
++ # not an AJP connector -> skip
++ continue
++
++ # remove existing 'requiredSecret' if any
++ value = connector.attrib.pop('requiredSecret', None)
++ print('AJP connector requiredSecret: %s' % value)
++
++ if connector.get('secret'):
++ # already has a 'secret' -> skip
++ continue
++
++ if not value:
++ raise Exception('Missing AJP connector secret in %s' % self.server_xml)
++
++ # store 'secret'
++ connector.set('secret', value)
++
++ with open(self.server_xml, 'wb') as f:
++ document.write(f, pretty_print=True, encoding='utf-8')
++
++ def configure_ajp_connectors_required_secret(self):
++
++ logger.info('Configuring AJP connectors requiredSecret')
++
++ document = etree.parse(self.server_xml, parser)
++ server = document.getroot()
++
++ # replace 'secret' with 'requiredSecret' in comments
++
++ services = server.findall('Service')
++ for service in services:
++
++ children = list(service)
++ for child in children:
++
++ if not isinstance(child, etree._Comment): # pylint: disable=protected-access
++ # not a comment -> skip
++ continue
++
++ if 'protocol="AJP/1.3"' not in child.text:
++ # not an AJP connector -> skip
++ continue
++
++ child.text = re.sub(r'secret=',
++ r'requiredSecret=',
++ child.text,
++ flags=re.MULTILINE)
++
++ # replace 'secret' with 'requiredSecret' in Connectors
++
++ connectors = server.findall('Service/Connector')
++ for connector in connectors:
++
++ if connector.get('protocol') != 'AJP/1.3':
++ # not an AJP connector -> skip
++ continue
++
++ # remove existing 'secret' if any
++ value = connector.attrib.pop('secret', None)
++ print('AJP connector secret: %s' % value)
++
++ if connector.get('requiredSecret'):
++ # already has a 'requiredSecret' -> skip
++ continue
++
++ if not value:
++ raise Exception('Missing AJP connector requiredSecret in %s' % self.server_xml)
++
++ # store 'requiredSecret'
++ connector.set('requiredSecret', value)
++
++ with open(self.server_xml, 'wb') as f:
++ document.write(f, pretty_print=True, encoding='utf-8')
++
++ def configure_ajp_connectors(self):
++
++ tomcat_version = pki.server.Tomcat.get_version()
++
++ if tomcat_version >= pki.util.Version('9.0.31'):
++ self.configure_ajp_connectors_secret()
++ else:
++ self.configure_ajp_connectors_required_secret()
++
+ def init(self):
+ super(PKIInstance, self).init()
+ self.validate_banner()
++ self.configure_ajp_connectors()
+ 
+ @classmethod
+ def instances(cls):
+-- 
+2.33.1
+
diff --git a/SPECS/pki-core.spec b/SPECS/pki-core.spec
index bf8aa96..adc4290 100644
--- a/SPECS/pki-core.spec
+++ b/SPECS/pki-core.spec
@@ -13,7 +13,7 @@ License: GPLv2 and LGPLv2
 # For development (i.e. unsupported) releases, use x.y.z-0.n..
 # For official (i.e. supported) releases, use x.y.z-r where r >=1.
 Version: 10.11.2
-Release: 4%{?_timestamp}%{?_commit_id}%{?dist}
+Release: 5%{?_timestamp}%{?_commit_id}%{?dist}
 #global _phase -alpha1
 # To create a tarball from a version tag:
@@ -33,6 +33,7 @@ Source: https://github.com/dogtagpki/pki/archive/v%{version}%{?_phase}/pki-%{ver
 Patch1: 0001-Fix-Bug-2001576-pki-instance-creation-fails-for-IPA-.patch
 Patch2: 0001-Fix-replica-reinstallation.patch
 Patch3: 0001-Fix-AJP-connector-migration.patch
+Patch4: 0001-Fix-pki-server-migrate-CLI.patch
 # md2man isn't available on i686. Additionally, we aren't generally multi-lib
 # compatible (https://fedoraproject.org/wiki/Packaging:Java)
@@ -1365,6 +1366,9 @@ fi
 ################################################################################
 %changelog
+* Wed Mar 09 2022 Red Hat PKI Team 10.11.2-5
+- Bug 2061458 - Additional fix for AJP connector migration
+
 * Tue Jan 04 2022 Red Hat PKI Team 10.11.2-4
 - Bug 2029023 - Fix AJP connector migration
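Review bot: Both new methods in instance.py echo the AJP shared secret to stdout — `print('AJP connector requiredSecret: %s' % value)` in configure_ajp_connectors_secret and `print('AJP connector secret: %s' % value)` in configure_ajp_connectors_required_secret — and because init() now calls configure_ajp_connectors(), this happens for every caller of init(), not only an explicit migration. That value is the credential that authenticates AJP clients to the connector, so it should not land in terminal output, shell transcripts or captured installer/CI logs; report only whether one was found, e.g. `logger.debug('AJP connector requiredSecret: %s', 'present' if value else 'missing')`, with the matching change in the second method. Related: `raise Exception('Missing AJP connector secret in %s' % self.server_xml)` is a bare generic exception and, being reached from init(), will abort any command that initializes an instance whose AJP connector carries neither attribute, so a narrower exception type and a message naming the attribute to add would help operators recover. Finally, server.xml is re-serialized with pretty_print on every call even when no comment or connector was touched; tracking whether anything was actually modified and skipping the write otherwise would avoid rewriting the file that holds the secret on every init().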