From d9c0460a85dab6249844f6f8a2fe4d45c11554e5 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Wed, 31 Aug 2016 16:15:19 +0200
Subject: [PATCH 1/9] Fixed debug log in UpdateNumberRange servlet.
To help troubleshooting the debug log in UpdateNumberRange servlet has been modified to show the exception stack trace. https://fedorahosted.org/pki/ticket/2436 (cherry picked from commit 1922f77e825c8c0ec742382b752b0a32afbff8a9) (cherry picked from commit a9db37c53fff88d0f00293df0fd29877bb797091)
---
 .../cms/src/com/netscape/cms/servlet/csadmin/UpdateNumberRange.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateNumberRange.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateNumberRange.java
index b99a298..e068bd4 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateNumberRange.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateNumberRange.java
@@ -247,7 +247,8 @@ public class UpdateNumberRange extends CMSServlet {
 audit(auditMessage);
 } catch (Exception e) {
- CMS.debug("UpdateNumberRange: Failed to update number range. Exception: " + e.toString());
+ CMS.debug("UpdateNumberRange: Failed to update number range: " + e);
+ CMS.debug(e);
 auditMessage = CMS.getLogMessage(
 LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER,
--
1.8.3.1
From d0f45bfb653636673300b169dfa8ffe90b63cb58 Mon Sep 17 00:00:00 2001
From: Christina Fu Date: Wed, 31 Aug 2016 14:03:02 -0700 Subject: [PATCH 2/9] Ticket #2446 pkispawn: make subject_dn defaults unique per instance name (for shared HSM) When installing multiple instances on the same host sharing the same HSM, if subject_dn's are not specifically spelled out with unique names for each instance, installation will fail with complaints that same subject name and serial number already exist. This happens in the scenario if you are creating a subordinate CA, for example, that's in the same domain name as the root CA. It is very inconvenient that you are expected to spell out subject dn's of all system certs in the pkispawn config file. This patch changes default.cfg so that the instance name is in the default subject dn, e.g. adding it as an "ou" component: ou=%(pki_instance_name)s (cherry picked from commit 1195ee9d6e45783d238edc1799363c21590febce) (cherry picked from commit 1d1b3a705fdaca26d580566ff3fb1725334ff674) --- base/server/etc/default.cfg | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg index 51357e6..6e9b074 100644 --- a/base/server/etc/default.cfg +++ b/base/server/etc/default.cfg 
@@ -124,13 +124,13 @@ pki_ssl_server_key_algorithm=SHA256withRSA pki_ssl_server_key_size=2048 pki_ssl_server_key_type=rsa pki_ssl_server_nickname=Server-Cert cert-%(pki_instance_name)s -pki_ssl_server_subject_dn=cn=%(pki_hostname)s,o=%(pki_security_domain_name)s +pki_ssl_server_subject_dn=cn=%(pki_hostname)s,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s pki_ssl_server_token= pki_subsystem_key_algorithm=SHA256withRSA pki_subsystem_key_size=2048 pki_subsystem_key_type=rsa pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s -pki_subsystem_subject_dn=cn=Subsystem Certificate,o=%(pki_security_domain_name)s +pki_subsystem_subject_dn=cn=Subsystem Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s pki_subsystem_token= pki_theme_enable=True pki_theme_server_dir=/usr/share/pki/common-ui @@ -292,7 +292,7 @@ pki_ca_signing_key_size=2048 pki_ca_signing_key_type=rsa pki_ca_signing_nickname=caSigningCert cert-%(pki_instance_name)s CA pki_ca_signing_signing_algorithm=SHA256withRSA -pki_ca_signing_subject_dn=cn=CA Signing Certificate,o=%(pki_security_domain_name)s +pki_ca_signing_subject_dn=cn=CA Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s pki_ca_signing_token= pki_ca_signing_csr_path= pki_ca_signing_cert_path= @@ -316,7 +316,7 @@ pki_ocsp_signing_key_size=2048 pki_ocsp_signing_key_type=rsa pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_name)s CA pki_ocsp_signing_signing_algorithm=SHA256withRSA -pki_ocsp_signing_subject_dn=cn=CA OCSP Signing Certificate,o=%(pki_security_domain_name)s +pki_ocsp_signing_subject_dn=cn=CA OCSP Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s pki_ocsp_signing_token= pki_profiles_in_ldap=False pki_random_serial_numbers_enable=False 
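Review bot: Adding `ou=%(pki_instance_name)s` makes the default subject DNs unique per instance name only, so two hosts that share one HSM and keep the same instance name would still collide on the subsystem, signing, OCSP signing, audit signing and admin DNs (only the sslserver DN also carries `cn=%(pki_hostname)s`); the same applies to the @@ -292 and @@ -316 hunks here and to the KRA, OCSP, TKS and TPS hunks that follow. Whether the shipped default instance name is identical across hosts is not visible in this hunk, so this is an inference, but the commit message only discusses the single-host case. Since default.cfg carries no comment explaining the new component, a line such as `# ou=%(pki_instance_name)s keeps default subject DNs distinct across instances sharing an HSM (ticket 2446)` above the first changed entry would record the intent for anyone trimming these DNs later. Operators who compare issued DNs against existing documentation should also be told that every default system-certificate DN changes for new installs.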
@@ -326,10 +326,10 @@ pki_subordinate_security_domain_name=%(pki_dns_domainname)s Subordinate Security pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s pki_admin_name=%(pki_admin_uid)s pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s -pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s +pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s pki_admin_uid=caadmin pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s CA -pki_audit_signing_subject_dn=cn=CA Audit Signing Certificate,o=%(pki_security_domain_name)s +pki_audit_signing_subject_dn=cn=CA Audit Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s pki_ds_base_dn=o=%(pki_instance_name)s-CA pki_ds_database=%(pki_instance_name)s-CA pki_ds_hostname=%(pki_hostname)s 
@@ -409,22 +409,22 @@ pki_storage_key_size=2048 pki_storage_key_type=rsa pki_storage_nickname=storageCert cert-%(pki_instance_name)s KRA pki_storage_signing_algorithm=SHA256withRSA -pki_storage_subject_dn=cn=DRM Storage Certificate,o=%(pki_security_domain_name)s +pki_storage_subject_dn=cn=DRM Storage Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s pki_storage_token= pki_transport_key_algorithm=SHA256withRSA pki_transport_key_size=2048 pki_transport_key_type=rsa pki_transport_nickname=transportCert cert-%(pki_instance_name)s KRA pki_transport_signing_algorithm=SHA256withRSA -pki_transport_subject_dn=cn=DRM Transport Certificate,o=%(pki_security_domain_name)s +pki_transport_subject_dn=cn=DRM Transport Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s pki_transport_token= pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s pki_admin_name=%(pki_admin_uid)s pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s -pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s +pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s pki_admin_uid=kraadmin pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s KRA -pki_audit_signing_subject_dn=cn=KRA Audit Signing Certificate,o=%(pki_security_domain_name)s +pki_audit_signing_subject_dn=cn=KRA Audit Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s pki_ds_base_dn=o=%(pki_instance_name)s-KRA pki_ds_database=%(pki_instance_name)s-KRA pki_ds_hostname=%(pki_hostname)s 
@@ -478,15 +478,15 @@ pki_ocsp_signing_key_size=2048 pki_ocsp_signing_key_type=rsa pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_name)s OCSP pki_ocsp_signing_signing_algorithm=SHA256withRSA -pki_ocsp_signing_subject_dn=cn=OCSP Signing Certificate,o=%(pki_security_domain_name)s +pki_ocsp_signing_subject_dn=cn=OCSP Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s pki_ocsp_signing_token= pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s pki_admin_name=%(pki_admin_uid)s pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s -pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s +pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s pki_admin_uid=ocspadmin pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s OCSP -pki_audit_signing_subject_dn=cn=OCSP Audit Signing Certificate,o=%(pki_security_domain_name)s +pki_audit_signing_subject_dn=cn=OCSP Audit Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s pki_ds_base_dn=o=%(pki_instance_name)s-OCSP pki_ds_database=%(pki_instance_name)s-OCSP pki_ds_hostname=%(pki_hostname)s 
@@ -515,10 +515,10 @@ pki_import_admin_cert=True pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s pki_admin_name=%(pki_admin_uid)s pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s -pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s +pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s pki_admin_uid=tksadmin pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s TKS -pki_audit_signing_subject_dn=cn=TKS Audit Signing Certificate,o=%(pki_security_domain_name)s +pki_audit_signing_subject_dn=cn=TKS Audit Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s pki_ds_base_dn=o=%(pki_instance_name)s-TKS pki_ds_database=%(pki_instance_name)s-TKS pki_ds_hostname=%(pki_hostname)s @@ -537,10 +537,10 @@ pki_import_admin_cert=True pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s pki_admin_name=%(pki_admin_uid)s pki_admin_nickname=PKI Administrator for %(pki_dns_domainname)s -pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,o=%(pki_security_domain_name)s +pki_admin_subject_dn=cn=PKI Administrator,e=%(pki_admin_email)s,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s pki_admin_uid=tpsadmin pki_audit_signing_nickname=auditSigningCert cert-%(pki_instance_name)s TPS -pki_audit_signing_subject_dn=cn=TPS Audit Signing Certificate,o=%(pki_security_domain_name)s +pki_audit_signing_subject_dn=cn=TPS Audit Signing Certificate,ou=%(pki_instance_name)s,o=%(pki_security_domain_name)s pki_ds_base_dn=o=%(pki_instance_name)s-TPS pki_ds_database=%(pki_instance_name)s-TPS pki_ds_hostname=%(pki_hostname)s -- 1.8.3.1 From f142e739d0296e29914a39c1591a5f1681f0ac31 Mon Sep 17 00:00:00 2001 
From: "Endi S. Dewata" Date: Mon, 29 Aug 2016 08:33:05 +0200 Subject: [PATCH 3/9] Added support to create system certificates in different tokens. Previously all system certificates were always created in the same token specified in the pki_token_name parameter. To allow creating system certificates in different tokens, the configuration.py has been modified to store the system certificate token names specified in pki__token parameters into the CS.cfg before the server is started. After the server is started, the configuration servlet will read the token names from the CS.cfg and create the certificates in the appropriate token. https://fedorahosted.org/pki/ticket/2449 (cherry picked from commit bc65e12500cbc3381b4e755a4a50214f43049ad3) (cherry picked from commit 261e550a25ced3c61fc0c3afeb910d17b7472a3c) --- .../cms/servlet/csadmin/ConfigurationUtils.java | 18 +++++++---- .../dogtagpki/server/rest/SystemConfigService.java | 9 ++---- .../src/com/netscape/cmscore/apps/CMSEngine.java | 4 +-- .../server/deployment/scriptlets/configuration.py | 37 +++++++++++++++++++--- 4 files changed, 49 insertions(+), 19 deletions(-) diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java index 34500d0..3e638ad 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java +++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java @@ -2826,7 +2826,7 @@ public class ConfigurationUtils { } config.putString(subsystem + "." + certTag + ".nickname", nickname); - config.putString(subsystem + "." + certTag + ".tokenname", token); + if (certTag.equals("audit_signing")) { if (!token.equals("Internal Key Storage Token") && !token.equals("")) { config.putString("log.instance.SignedAudit.signedAuditCertNickname", 
@@ -3325,14 +3325,15 @@ public class ConfigurationUtils { return 0; } - public static void setCertPermissions(String tag) throws EBaseException, NotInitializedException, + public static void setCertPermissions(Cert cert) throws EBaseException, NotInitializedException, ObjectNotFoundException, TokenException { + + String tag = cert.getCertTag(); if (tag.equals("signing") || tag.equals("external_signing")) return; - IConfigStore cs = CMS.getConfigStore(); - String nickname = cs.getString("preop.cert." + tag + ".nickname", ""); - String tokenname = cs.getString("preop.module.token", ""); + String nickname = cert.getNickname(); + String tokenname = cert.getTokenname(); if (!tokenname.equals("Internal Key Storage Token")) nickname = tokenname + ":" + nickname; @@ -4554,9 +4555,11 @@ public class ConfigurationUtils { public static String getSubsystemCert() throws EBaseException, NotInitializedException, ObjectNotFoundException, TokenException, CertificateEncodingException, IOException { + IConfigStore cs = CMS.getConfigStore(); - String nickname = cs.getString("preop.cert.subsystem.nickname", ""); - String tokenname = cs.getString("preop.module.token", ""); + String subsystem = cs.getString("cs.type").toLowerCase(); + String nickname = cs.getString(subsystem + ".subsystem.nickname", ""); + String tokenname = cs.getString(subsystem + ".subsystem.tokenname", ""); if (!tokenname.equals("internal") && !tokenname.equals("Internal Key Storage Token") && !tokenname.equals("")) { @@ -4571,6 +4574,7 @@ public class ConfigurationUtils { CMS.debug("ConfigurationUtils: getSubsystemCert: subsystem cert is null"); return null; } + byte[] bytes = cert.getEncoded(); String s = CryptoUtil.normalizeCertStr(CryptoUtil.base64Encode(bytes)); return s; diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java index 9d7c176..5cc6f63 100644 
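Review bot: In setCertPermissions the new `String tokenname = cert.getTokenname();` is dereferenced without a null check, and only the literal "Internal Key Storage Token" is treated as the internal token, so an empty or "internal" token name produces a nickname of `:nickname` or `internal:nickname`; the `pki_*_token=` defaults in default.cfg are empty and configuration.py's store_cert_tokens now copies those values into CS.cfg, so an empty name is a realistic input if the Cert object is populated from there (not visible here). getSubsystemCert in the @@ -4554 hunk of the same file accepts "internal", "Internal Key Storage Token" and "" as internal, so the two should share one rule. Suggest `String tokenname = cert.getTokenname(); if (tokenname != null && !tokenname.equals("") && !tokenname.equals("internal") && !tokenname.equals("Internal Key Storage Token")) nickname = tokenname + ":" + nickname;`, or a small shared helper that both methods call. The body of setCertPermissions continues past the end of the hunk.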
--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java +++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java @@ -199,7 +199,7 @@ public class SystemConfigService extends PKIService implements SystemConfigResou try { CMS.debug("Processing '" + cert.getCertTag() + "' certificate:"); ret = ConfigurationUtils.handleCerts(cert); - ConfigurationUtils.setCertPermissions(cert.getCertTag()); + ConfigurationUtils.setCertPermissions(cert); CMS.debug("Processed '" + cert.getCertTag() + "' certificate."); } catch (Exception e) { CMS.debug(e); @@ -386,7 +386,6 @@ public class SystemConfigService extends PKIService implements SystemConfigResou processCert( request, - token, certList, certs, hasSigningCert, @@ -415,7 +414,6 @@ public class SystemConfigService extends PKIService implements SystemConfigResou public void processCert( ConfigurationRequest request, - String token, Collection certList, Collection certs, MutableBoolean hasSigningCert, @@ -460,13 +458,13 @@ public class SystemConfigService extends PKIService implements SystemConfigResou String curvename = certData.getKeyCurveName() != null ? certData.getKeyCurveName() : cs.getString("keys.ecc.curve.default"); cs.putString("preop.cert." + tag + ".curvename.name", curvename); - ConfigurationUtils.createECCKeyPair(token, curvename, cs, tag); + ConfigurationUtils.createECCKeyPair(tokenName, curvename, cs, tag); } else { String keysize = certData.getKeySize() != null ? certData.getKeySize() : cs .getString("keys.rsa.keysize.default"); cs.putString("preop.cert." + tag + ".keysize.size", keysize); - ConfigurationUtils.createRSAKeyPair(token, Integer.parseInt(keysize), cs, tag); + ConfigurationUtils.createRSAKeyPair(tokenName, Integer.parseInt(keysize), cs, tag); } } else { 
@@ -600,7 +598,6 @@ public class SystemConfigService extends PKIService implements SystemConfigResou } cs.putString(csSubsystem + "." + tag + ".nickname", cdata.getNickname()); - cs.putString(csSubsystem + "." + tag + ".tokenname", cdata.getToken()); cs.putString(csSubsystem + "." + tag + ".certreq", cdata.getRequest()); cs.putString(csSubsystem + "." + tag + ".cert", cdata.getCert()); cs.putString(csSubsystem + "." + tag + ".dn", cdata.getSubjectDN()); diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java index c62087e..a334824 100644 --- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java +++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java @@ -1235,8 +1235,8 @@ public class CMSEngine implements ICMSEngine { // get SSL server nickname IConfigStore serverCertStore = mConfig.getSubStore(id + "." + "sslserver"); if (serverCertStore != null && serverCertStore.size() > 0) { - String nickName = serverCertStore.getString("nickname"); - String tokenName = serverCertStore.getString("tokenname"); + String nickName = serverCertStore.getString("nickname", null); + String tokenName = serverCertStore.getString("tokenname", null); if (tokenName != null && tokenName.length() > 0 && nickName != null && nickName.length() > 0) { CMS.setServerCertNickname(tokenName, nickName); diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py index 64ee4e5..97f6d3e 100644 --- a/base/server/python/pki/server/deployment/scriptlets/configuration.py +++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py 
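Review bot: Removing `cs.putString(csSubsystem + "." + tag + ".tokenname", cdata.getToken());` means the token name persisted in CS.cfg now comes only from what pkispawn wrote before the server started, while the key pair in the @@ -460 hunk is generated in `tokenName`; if `tokenName` is derived from the request rather than from CS.cfg (its origin lies outside the hunk), a caller that supplies a different token through the REST API ends up with CS.cfg naming a token that does not hold the key, with no error raised. A cheap guard next to the remaining putString calls would make that visible: `String storedToken = cs.getString(csSubsystem + "." + tag + ".tokenname", ""); if (!storedToken.equals(cdata.getToken())) CMS.debug("token for " + tag + " differs: CS.cfg=" + storedToken + " request=" + cdata.getToken());`. In the CMSEngine hunk on this line, switching to `getString("tokenname", null)` makes a missing key skip setServerCertNickname silently; a debug line in an else branch would make a CS.cfg that lacks the new key diagnosable. The enclosing method of the @@ -600 hunk starts outside the hunk.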
@@ -39,6 +39,31 @@ import pki.util
 # PKI Deployment Configuration Scriptlet
 class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
+ def store_cert_tokens(self, subsystem, deployer):
+
+ subsystem.config[subsystem.name + '.audit_signing.tokenname'] = (
+ deployer.mdict['pki_audit_signing_token'])
+ subsystem.config[subsystem.name + '.sslserver.tokenname'] = (
+ deployer.mdict['pki_ssl_server_token'])
+ subsystem.config[subsystem.name + '.subsystem.tokenname'] = (
+ deployer.mdict['pki_subsystem_token'])
+
+ if subsystem.name == 'ca':
+ subsystem.config['ca.signing.tokenname'] = (
+ deployer.mdict['pki_ca_signing_token'])
+ subsystem.config['ca.ocsp_signing.tokenname'] = (
+ deployer.mdict['pki_ocsp_signing_token'])
+
+ elif subsystem.name == 'kra':
+ subsystem.config['kra.storage.tokenname'] = (
+ deployer.mdict['pki_storage_token'])
+ subsystem.config['kra.transport.tokenname'] = (
+ deployer.mdict['pki_transport_token'])
+
+ elif subsystem.name == 'ocsp':
+ subsystem.config['ocsp.signing.tokenname'] = (
+ deployer.mdict['pki_ocsp_signing_token'])
+
 def spawn(self, deployer):
 if config.str2bool(deployer.mdict['pki_skip_configuration']):
@@ -265,13 +290,14 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 nickname=signing_nickname, output_format='base64')
 subsystem.config['ca.signing.nickname'] = signing_nickname
- subsystem.config['ca.signing.tokenname'] = (
- deployer.mdict['pki_ca_signing_token'])
 subsystem.config['ca.signing.cert'] = signing_cert_data
 subsystem.config['ca.signing.cacertnickname'] = signing_nickname
 subsystem.config['ca.signing.defaultSigningAlgorithm'] = (
 deployer.mdict['pki_ca_signing_signing_algorithm'])
+ # Store cert tokens in CS.cfg.
+ self.store_cert_tokens(subsystem, deployer)
+
 subsystem.save()
 # verify the signing certificate
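Review bot: store_cert_tokens has no docstring and repeats the same two-line assignment nine times, spelling the subsystem name once as `subsystem.name` and otherwise as a literal (`'ca.'`, `'kra.'`, `'ocsp.'`), so adding a certificate tag means extending the if/elif chain by hand. A table of (tag, deployer key) pairs keyed by subsystem type keeps the behaviour (same CS.cfg keys, same mdict lookups, KeyError on a missing mdict entry) and documents which tags each subsystem has in one place; the caller still performs subsystem.save(), as the second hunk on this line shows.
```python
    # (cert tag, deployer key) pairs: first the tags every subsystem has,
    # then the tags specific to one subsystem type.
    COMMON_CERT_TOKENS = (
        ('audit_signing', 'pki_audit_signing_token'),
        ('sslserver', 'pki_ssl_server_token'),
        ('subsystem', 'pki_subsystem_token'),
    )
    SUBSYSTEM_CERT_TOKENS = {
        'ca': (('signing', 'pki_ca_signing_token'),
               ('ocsp_signing', 'pki_ocsp_signing_token')),
        'kra': (('storage', 'pki_storage_token'),
                ('transport', 'pki_transport_token')),
        'ocsp': (('signing', 'pki_ocsp_signing_token'),),
    }

    def store_cert_tokens(self, subsystem, deployer):
        """Record the token name of each system certificate in CS.cfg.

        Writes <subsystem>.<tag>.tokenname from the matching pki_*_token
        value in deployer.mdict; the caller is responsible for subsystem.save().
        """
        tags = self.COMMON_CERT_TOKENS + self.SUBSYSTEM_CERT_TOKENS.get(subsystem.name, ())
        for tag, key in tags:
            subsystem.config['%s.%s.tokenname' % (subsystem.name, tag)] = deployer.mdict[key]
```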
@@ -282,7 +308,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 instance, 'ca')
 verifier.verify_certificate('signing')
- else: # self-signed CA
+ else: # other installation types
 # To be implemented in ticket #1692.
@@ -290,7 +316,10 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 # Self sign CA cert.
 # Import self-signed CA cert into NSS database.
- pass
+ # Store cert tokens in CS.cfg.
+ self.store_cert_tokens(subsystem, deployer)
+
+ subsystem.save()
 finally:
 nssdb.close()
--
1.8.3.1
From 92d92c6ee2a0a531183a373cc1f3975662fdca40 Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Fri, 2 Sep 2016 16:08:02 -0400
Subject: [PATCH 4/9] Fix CertRequestInfo URLs
The URLs were generated by a UriBuilder that referred to the resource's annotated path. This top-level path changed though, even if the underlying paths did not. Replace this with a reference to the getX methods instead. Also fixed a few eclipse flagged warnings (unused imports etc). Ticket 2447 (cherry picked from commit 7a93dbeae18407e28437f4affc31ddc24a2c42f2) (cherry picked from commit 7baa7e60b708c5b4c79d6dd963321d34958cc81b)
---
 .../com/netscape/ca/ExternalProcessKeyRetriever.java | 7 +------
 .../src/com/netscape/cmstools/HttpClient.java | 2 --
 .../com/netscape/cms/servlet/cert/CertRequestDAO.java | 17 ++++++++++++++---
 .../cms/servlet/cert/CertRequestInfoFactory.java | 15 ++++++++-------
 .../src/com/netscape/cms/servlet/cert/DoRevokeTPS.java | 15 +++++++--------
 .../cms/servlet/profile/ProfileReviewServlet.java | 1 -
 .../dogtagpki/server/tps/rest/TPSInstallerService.java | 2 +-
 7 files changed, 31 insertions(+), 28 deletions(-)
diff --git a/base/ca/src/com/netscape/ca/ExternalProcessKeyRetriever.java b/base/ca/src/com/netscape/ca/ExternalProcessKeyRetriever.java
index a1b7748..736d870 100644
--- a/base/ca/src/com/netscape/ca/ExternalProcessKeyRetriever.java
+++ b/base/ca/src/com/netscape/ca/ExternalProcessKeyRetriever.java
@@ -20,16 +20,11 @@ package com.netscape.ca; import java.io.IOException; import java.io.InputStream; -import java.lang.Process; -import java.lang.ProcessBuilder; import java.util.Collection; import java.util.Stack; -import org.apache.commons.io.IOUtils; -import org.apache.commons.lang.ArrayUtils; - -import org.codehaus.jackson.map.ObjectMapper; import org.codehaus.jackson.JsonNode; +import org.codehaus.jackson.map.ObjectMapper; import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.base.EBaseException; diff --git a/base/java-tools/src/com/netscape/cmstools/HttpClient.java b/base/java-tools/src/com/netscape/cmstools/HttpClient.java index 432be9c..594ec69 100644 --- a/base/java-tools/src/com/netscape/cmstools/HttpClient.java +++ b/base/java-tools/src/com/netscape/cmstools/HttpClient.java @@ -126,8 +126,6 @@ public class HttpClient { Password pass = new Password(password.toCharArray()); token.login(pass); - int i; - SSLHandshakeCompletedListener listener = new ClientHandshakeCB(this); org.mozilla.jss.ssl.SSLSocket.SSLVersionRange stream_range = new org.mozilla.jss.ssl.SSLSocket.SSLVersionRange( diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestDAO.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestDAO.java index 6fbcd3c..306fbf5 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestDAO.java +++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestDAO.java @@ -197,8 +197,13 @@ public class CertRequestDAO extends CMSRequestDAO { IRequest reqs[] = (IRequest[]) results.get(CAProcessor.ARG_REQUESTS); for (IRequest req : reqs) { - CertRequestInfo info = CertRequestInfoFactory.create(req, uriInfo); - ret.addEntry(info); + try { + CertRequestInfo info = CertRequestInfoFactory.create(req, uriInfo); + ret.addEntry(info); + } catch (NoSuchMethodException e) { + CMS.debug("Error in creating certrequestinfo - no such method"); + e.printStackTrace(); + } } ret.setTotal(ret.getEntries().size()); 
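Review bot: The new catch blocks in the CertRequestDAO hunk on this line and in the @@ -221 hunk that follows handle NoSuchMethodException with `e.printStackTrace()`, which goes to the container's stdout instead of the server log that the rest of this code feeds through CMS.debug (`CMS.debug(e)` is the form patch 1 of this series uses). The exception can only come from CertRequestInfoFactory looking up a fixed method name by reflection, i.e. a programming error rather than a per-request condition, so silently dropping the entry from the listing here and returning null from createCMSRequestInfo hides a broken build until some caller dereferences the null. Suggest `CMS.debug(e);` in place of printStackTrace in both hunks, and in createCMSRequestInfo rethrowing as an unchecked exception that names the failed lookup instead of `return null;`.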
@@ -221,7 +226,13 @@ public class CertRequestDAO extends CMSRequestDAO { @Override public CertRequestInfo createCMSRequestInfo(IRequest request, UriInfo uriInfo) { - return CertRequestInfoFactory.create(request, uriInfo); + try { + return CertRequestInfoFactory.create(request, uriInfo); + } catch (NoSuchMethodException e) { + CMS.debug("Error in creating certrequestinfo - no such method"); + e.printStackTrace(); + } + return null; } } diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestInfoFactory.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestInfoFactory.java index 68f65bc..e8c44b3 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestInfoFactory.java +++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestInfoFactory.java @@ -37,7 +37,7 @@ import netscape.security.x509.X509CertImpl; public class CertRequestInfoFactory { - public static CertRequestInfo create(IRequest request, UriInfo uriInfo) { + public static CertRequestInfo create(IRequest request, UriInfo uriInfo) throws SecurityException, NoSuchMethodException { CertRequestInfo info = new CertRequestInfo(); @@ -49,12 +49,12 @@ public class CertRequestInfoFactory { info.setCertRequestType(request.getExtDataInString("cert_request_type")); - Path certRequestPath = CertRequestResource.class.getAnnotation(Path.class); + Path certRequestPath = CertRequestResource.class.getMethod("getRequestInfo", RequestId.class ).getAnnotation(Path.class); RequestId requestId = request.getRequestId(); UriBuilder reqBuilder = uriInfo.getBaseUriBuilder(); - reqBuilder.path(certRequestPath.value() + "/" + requestId); - info.setRequestURL(reqBuilder.build().toString()); + reqBuilder.path(certRequestPath.value()); + info.setRequestURL(reqBuilder.build(requestId).toString()); Integer result = request.getExtDataInInteger(IRequest.RESULT); if (result == null || result.equals(IRequest.RES_SUCCESS)) { 
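Review bot: `CertRequestResource.class.getMethod("getRequestInfo", RequestId.class)` ties URL construction to a method name held in a string, so a rename or signature change in CertRequestResource compiles cleanly and only surfaces as the NoSuchMethodException that CertRequestDAO now catches; the same applies to the `getMethod("getCert", CertId.class)` lookup in the @@ -84 hunk that follows. A comment at each lookup, e.g. `// @Path is taken from CertRequestResource.getRequestInfo(RequestId); keep the name in sync with the resource interface`, would warn the next person editing the resource. Passing the id to `reqBuilder.build(requestId)` instead of concatenating it into the path is the right change, since UriBuilder then encodes the template value. Declaring `throws SecurityException` on the factory method is noise, as it is unchecked, and could be dropped from the signature.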
@@ -84,11 +84,12 @@ public class CertRequestInfoFactory { BigInteger serialNo = impl.getSerialNumber(); info.setCertId(new CertId(serialNo)); - Path certPath = CertResource.class.getAnnotation(Path.class); + + Path certPath = CertResource.class.getMethod("getCert", CertId.class).getAnnotation(Path.class); UriBuilder certBuilder = uriInfo.getBaseUriBuilder(); - certBuilder.path(certPath.value() + "/" + serialNo); + certBuilder.path(certPath.value()); - info.setCertURL(certBuilder.build().toString()); + info.setCertURL(certBuilder.build(serialNo).toString()); return info; } diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java b/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java index 30bd2cd..79eba99 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java +++ b/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java @@ -30,12 +30,7 @@ import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import netscape.security.x509.CRLExtensions; -import netscape.security.x509.CRLReasonExtension; -import netscape.security.x509.InvalidityDateExtension; -import netscape.security.x509.RevocationReason; -import netscape.security.x509.RevokedCertImpl; -import netscape.security.x509.X509CertImpl; +import org.dogtagpki.server.connector.IRemoteRequest; import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.authentication.AuthToken; @@ -51,7 +46,6 @@ import com.netscape.certsrv.ca.ICertificateAuthority; import com.netscape.certsrv.common.ICMSRequest; import com.netscape.certsrv.dbs.certdb.ICertRecord; import com.netscape.certsrv.dbs.certdb.ICertificateRepository; -import com.netscape.certsrv.dbs.certdb.IRevocationInfo; import com.netscape.certsrv.logging.AuditFormat; import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.publish.IPublisherProcessor; 
@@ -64,7 +58,12 @@ import com.netscape.cms.servlet.common.CMSTemplate; import com.netscape.cms.servlet.common.CMSTemplateParams; import com.netscape.cms.servlet.common.ECMSGWException; -import org.dogtagpki.server.connector.IRemoteRequest; +import netscape.security.x509.CRLExtensions; +import netscape.security.x509.CRLReasonExtension; +import netscape.security.x509.InvalidityDateExtension; +import netscape.security.x509.RevocationReason; +import netscape.security.x509.RevokedCertImpl; +import netscape.security.x509.X509CertImpl; /** * Revoke a Certificate diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java index 0073bd2..dc6560d 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java +++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java @@ -43,7 +43,6 @@ import com.netscape.certsrv.profile.IProfileInput; import com.netscape.certsrv.profile.IProfileOutput; import com.netscape.certsrv.profile.IProfilePolicy; import com.netscape.certsrv.profile.IProfileSubsystem; -import com.netscape.certsrv.property.EPropertyException; import com.netscape.certsrv.property.IDescriptor; import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.IRequestQueue; diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/TPSInstallerService.java b/base/tps/src/org/dogtagpki/server/tps/rest/TPSInstallerService.java index 068293e..8fd24c8 100644 --- a/base/tps/src/org/dogtagpki/server/tps/rest/TPSInstallerService.java +++ b/base/tps/src/org/dogtagpki/server/tps/rest/TPSInstallerService.java 
@@ -50,7 +50,7 @@ public class TPSInstallerService extends SystemConfigService { // get token prefix, if applicable String tokPrefix = ""; - if (!request.getToken().equals(request.TOKEN_DEFAULT) && + if (!request.getToken().equals(ConfigurationRequest.TOKEN_DEFAULT) && !request.getToken().equals("internal")) { tokPrefix = request.getToken() + ":"; } -- 1.8.3.1 From 647388e39ccb69e3d8cadcc1d0a21c4ac6d83363 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Thu, 25 Aug 2016 12:55:14 +1000 Subject: [PATCH 5/9] Revoke lightweight CA certificate on deletion Fixes: https://fedorahosted.org/pki/ticket/1638 (cherry picked from commit af8ff4a7c36614c1b41338f9e32a83462d4163be) (cherry picked from commit 71bd236572968bdb1b8cb0c4c9a370c689a64687) --- .../src/com/netscape/ca/CertificateAuthority.java | 39 +++++++++++++++++++++- .../dogtagpki/server/ca/rest/AuthorityService.java | 2 +- .../netscape/certsrv/ca/ICertificateAuthority.java | 2 +- 3 files changed, 40 insertions(+), 3 deletions(-) diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java index a5397da..ab48409 100644 --- a/base/ca/src/com/netscape/ca/CertificateAuthority.java +++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java @@ -124,6 +124,7 @@ import com.netscape.certsrv.util.IStatsSubsystem; import com.netscape.cms.servlet.cert.CertEnrollmentRequestFactory; import com.netscape.cms.servlet.cert.EnrollmentProcessor; import com.netscape.cms.servlet.cert.RenewalProcessor; +import com.netscape.cms.servlet.cert.RevocationProcessor; import com.netscape.cms.servlet.processors.CAProcessor; import com.netscape.cmscore.base.ArgBlock; import com.netscape.cmscore.dbs.CRLRepository; 
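Review bot: The corrected condition still calls `request.getToken()` three times and throws NullPointerException if the request carries no token, which nothing in this hunk rules out. Flipping the comparisons makes it null-safe in the same number of lines: `String token = request.getToken(); if (token != null && !ConfigurationRequest.TOKEN_DEFAULT.equals(token) && !"internal".equals(token)) { tokPrefix = token + ":"; }`. This is also a third spelling of the "is this the internal token" test next to ConfigurationUtils.setCertPermissions and getSubsystemCert in patch 3 of this series, each of which accepts a different set of names.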
@@ -178,6 +179,7 @@ import netscape.security.x509.CertificateChain; import netscape.security.x509.CertificateIssuerName; import netscape.security.x509.CertificateSubjectName; import netscape.security.x509.CertificateVersion; +import netscape.security.x509.RevocationReason; import netscape.security.x509.X500Name; import netscape.security.x509.X500Signer; import netscape.security.x509.X509CRLImpl; @@ -2964,7 +2966,8 @@ public class CertificateAuthority authorityKeyHosts.add(thisClone); } - public synchronized void deleteAuthority() throws EBaseException { + public synchronized void deleteAuthority(HttpServletRequest httpReq) + throws EBaseException { if (isHostAuthority()) throw new CATypeException("Cannot delete the host CA"); 
@@ -2984,10 +2987,44 @@ public class CertificateAuthority
 shutdown();
+ revokeAuthority(httpReq);
 deleteAuthorityEntry(authorityID);
 deleteAuthorityNSSDB();
 }
+ /** Revoke the authority's certificate
+ *
+ * TODO: revocation reason, invalidity date parameters
+ */
+ private void revokeAuthority(HttpServletRequest httpReq)
+ throws EBaseException {
+ CMS.debug("revokeAuthority: checking serial " + authoritySerial);
+ ICertRecord certRecord = mCertRepot.readCertificateRecord(authoritySerial);
+ String curStatus = certRecord.getStatus();
+ CMS.debug("revokeAuthority: current cert status: " + curStatus);
+ if (curStatus.equals(CertRecord.STATUS_REVOKED)
+ || curStatus.equals(CertRecord.STATUS_REVOKED_EXPIRED)) {
+ return; // already revoked
+ }
+
+ CMS.debug("revokeAuthority: revoking cert");
+ RevocationProcessor processor = new RevocationProcessor(
+ "CertificateAuthority.revokeAuthority", httpReq.getLocale());
+ processor.setSerialNumber(new CertId(authoritySerial));
+ processor.setRevocationReason(RevocationReason.UNSPECIFIED);
+ processor.setAuthority(this);
+ try {
+ processor.createCRLExtension();
+ } catch (IOException e) {
+ throw new ECAException("Unable to create CRL extensions", e);
+ }
+ processor.addCertificateToRevoke(mCaCert);
+ processor.createRevocationRequest();
+ processor.auditChangeRequest(ILogger.SUCCESS);
+ processor.processRevocationRequest();
+ processor.auditChangeRequestProcessed(ILogger.SUCCESS);
+ }
+
 /** Delete keys and certs of this authority from NSSDB. */
 private void deleteAuthorityNSSDB() throws ECAException {
diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
index 246a3f0..584ab6e 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
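Review bot: revokeAuthority emits `auditChangeRequest(ILogger.SUCCESS)` and `auditChangeRequestProcessed(ILogger.SUCCESS)` only on the happy path; if createRevocationRequest or processRevocationRequest throws, the EBaseException propagates out of deleteAuthority with no FAILURE record, so the signed audit trail never shows that a CA certificate revocation was attempted and failed. Two further points in the same method: `certRecord.getStatus()` assumes readCertificateRecord never returns null for the authority serial, and `httpReq.getLocale()` throws if deleteAuthority is ever reached with a null request (the only caller visible, AuthorityService, passes servletRequest). Because the call sits after shutdown(), a failed revocation also leaves the authority shut down with its entry and keys intact; whether that state is recoverable is not visible here, so the javadoc should at least say so. The bracketing below gives each processor step its SUCCESS/FAILURE pair.
```java
        processor.addCertificateToRevoke(mCaCert);
        try {
            processor.createRevocationRequest();
            processor.auditChangeRequest(ILogger.SUCCESS);
        } catch (EBaseException e) {
            processor.auditChangeRequest(ILogger.FAILURE);
            throw e;
        }
        try {
            processor.processRevocationRequest();
            processor.auditChangeRequestProcessed(ILogger.SUCCESS);
        } catch (EBaseException e) {
            processor.auditChangeRequestProcessed(ILogger.FAILURE);
            throw e;
        }
```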
@@ -329,7 +329,7 @@ public class AuthorityService extends PKIService implements AuthorityResource { Map auditParams = new LinkedHashMap<>(); try { - ca.deleteAuthority(); + ca.deleteAuthority(servletRequest); audit(ILogger.SUCCESS, OpDef.OP_DELETE, aidString, null); return createNoContentResponse(); } catch (CATypeException e) { diff --git a/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java b/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java index 308bfba..5218a4c 100644 --- a/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java +++ b/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java @@ -606,6 +606,6 @@ public interface ICertificateAuthority extends ISubsystem { /** * Delete this lightweight CA. */ - public void deleteAuthority() + public void deleteAuthority(HttpServletRequest httpReq) throws EBaseException; } -- 1.8.3.1 From 0dd6bf96dc2d711d59d5d7b34eba5953e69e5e4d Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Wed, 24 Aug 2016 14:40:46 +1000 Subject: [PATCH 6/9] Prevent deletion of host CA cert and key from NSSDB If authorityMonitor observes the deletion of the host CA's authority entry, it will treat it the same as any other lightweight CA and delete the signing cert AND KEY from the NSSDB. Because the database is replicated, the change would be observed and deletion immediately effected on all running clones. Unless the main CA private key is backed up somewhere there is no way to recover from this. Although this scenario does not arise in normal operation, the impact is severe so add a check that prevents cert and key deletion for host authority. Fixes: https://fedorahosted.org/pki/ticket/2443 (cherry picked from commit 68d98b63e18c5c952e0cdf3193b0ce1a5c55d5c1) (cherry picked from commit a1f225e0034d89cc011b81604439111ed725961e) --- base/ca/src/com/netscape/ca/CertificateAuthority.java | 7 +++++++ 1 file changed, 7 insertions(+) 
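Review bot: The new `httpReq` parameter of `deleteAuthority` is not described in the interface Javadoc, and the only use of it visible in this series is `httpReq.getLocale()` in `revokeAuthority`, so a caller that is not servlet-driven has no guidance on what to pass or whether null is tolerated. Extend the comment to `Delete this lightweight CA, revoking its certificate.` plus `@param httpReq the request that initiated the deletion; only its locale is consulted, and it must be non-null`. If the locale is genuinely all that is needed, accepting a `java.util.Locale` instead of `HttpServletRequest` would keep the servlet API out of the core CA interface, but that is a design choice for the maintainers.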
diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java index ab48409..bea129d 100644 --- a/base/ca/src/com/netscape/ca/CertificateAuthority.java +++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java @@ -3028,6 +3028,13 @@ public class CertificateAuthority /** Delete keys and certs of this authority from NSSDB. */ private void deleteAuthorityNSSDB() throws ECAException { + if (isHostAuthority()) { + String msg = "Attempt to delete host authority signing key; not proceeding"; + log(ILogger.LL_WARN, msg); + CMS.debug(msg); + return; + } + CryptoManager cryptoManager; try { cryptoManager = CryptoManager.getInstance(); -- 1.8.3.1 From 06a85c76938211d6ecf2b49ac72b168e9f6e7fdd Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 23 Aug 2016 14:50:03 +1000 Subject: [PATCH 7/9] Accept LWCA entry with missing entryUSN if plugin enabled Currently we abort adding a lightweight CA if its entry does not have an 'entryUSN' attribute, and log a failure, even if the USN plugin is enabled. But if the plugin is enabled, it's fine to proceed. Update the authority monitor to check if the USN plugin is enabled and only log the failure if it is not. Clarify the log message accordingly. Part of: https://fedorahosted.org/pki/ticket/2444 (cherry picked from commit d1aa1ec049d7cb5beed9ba79b09930a90a3c51fe) (cherry picked from commit 21e268ae6d5f9c2f93d4d80a6285e453974b5c07) --- .../src/com/netscape/ca/CertificateAuthority.java | 46 ++++++++++++++++++---- 1 file changed, 38 insertions(+), 8 deletions(-) diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java index bea129d..aab9651 100644 --- a/base/ca/src/com/netscape/ca/CertificateAuthority.java +++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java 
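Review bot: The guard added at the top of `deleteAuthorityNSSDB` records an attempt to destroy the host CA signing key only at `ILogger.LL_WARN` in the system log plus a debug line; an event whose consequence the commit message describes as unrecoverable without a key backup deserves a level operators actually alert on, e.g. `log(ILogger.LL_FAILURE, msg);`, and if the project has a signed-audit event for key or configuration changes it should be raised here as well. The comment should also state why the method returns quietly rather than throwing — presumably so the caller (the authority monitor, per the commit message) keeps running — so a later reader does not "fix" it into an exception. The remainder of `deleteAuthorityNSSDB` lies outside the hunk.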
@@ -679,6 +679,24 @@ public class CertificateAuthority } } + private boolean entryUSNPluginEnabled() { + try { + LDAPConnection conn = dbFactory.getConn(); + try { + LDAPSearchResults results = conn.search( + "cn=usn,cn=plugins,cn=config", LDAPConnection.SCOPE_BASE, + "(nsslapd-pluginEnabled=on)", null, false); + return results != null && results.hasMoreElements(); + } catch (LDAPException e) { + return false; + } finally { + dbFactory.returnConn(conn); + } + } catch (ELdapException e) { + return false; // oh well + } + } + private void initCRLPublisher() throws EBaseException { // instantiate CRL publisher if (!isHostAuthority()) { 
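Review bot: `entryUSNPluginEnabled` swallows both `LDAPException` and `ELdapException` and returns false without recording why, so a transient directory error surfaces in the caller as "USN plugin not enabled; skipping. Enable dirsrv USN plugin.", sending an operator after the wrong fault. Log the cause before returning, e.g. `CMS.debug("entryUSNPluginEnabled: search failed: " + e); CMS.debug(e);` in the `LDAPException` handler and likewise for `ELdapException`, and replace `// oh well` with a comment stating the intent, such as `// cannot determine plugin state; report disabled so the caller skips the entry`. Returning false on error is the safe direction here since the caller then refuses to load the entry, so the fail-closed behaviour itself is right.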
@@ -3221,17 +3239,29 @@ public class CertificateAuthority AuthorityID aid = new AuthorityID((String) aidAttr.getStringValues().nextElement()); - LDAPAttribute entryUSN = entry.getAttribute("entryUSN"); - if (entryUSN == null) { - log(ILogger.LL_FAILURE, "Authority entry has no entryUSN. " + - "This is likely because the USN plugin is not enabled in the database"); - return; + Integer newEntryUSN = null; + LDAPAttribute entryUSNAttr = entry.getAttribute("entryUSN"); + if (entryUSNAttr == null) { + CMS.debug("readAuthority: no entryUSN"); + if (!entryUSNPluginEnabled()) { + CMS.debug("readAuthority: dirsrv USN plugin is not enabled; skipping entry"); + log(ILogger.LL_FAILURE, "Lightweight authority entry has no" + + " entryUSN attribute and USN plugin not enabled;" + + " skipping. Enable dirsrv USN plugin."); + return; + } else { + CMS.debug("readAuthority: dirsrv USN plugin is enabled; continuing"); + // entryUSN plugin is enabled, but no entryUSN attribute. We + // can proceed because future modifications will result in the + // entryUSN attribute being added. + } + } else { + newEntryUSN = new Integer(entryUSNAttr.getStringValueArray()[0]); + CMS.debug("readAuthority: new entryUSN = " + newEntryUSN); } - Integer newEntryUSN = new Integer(entryUSN.getStringValueArray()[0]); - CMS.debug("readAuthority: new entryUSN = " + newEntryUSN); Integer knownEntryUSN = entryUSNs.get(aid); - if (knownEntryUSN != null) { + if (newEntryUSN != null && knownEntryUSN != null) { CMS.debug("readAuthority: known entryUSN = " + knownEntryUSN); if (newEntryUSN <= knownEntryUSN) { CMS.debug("readAuthority: data is current"); -- 1.8.3.1 From 8e0235adccb11868f0036d48d2b52230c82b3e6b Mon Sep 17 00:00:00 2001 
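Review bot: When the USN plugin is enabled but the entry carries no `entryUSN`, `newEntryUSN` stays null and the new `newEntryUSN != null && knownEntryUSN != null` guard bypasses the "data is current" short-circuit, so such an entry is re-processed on every pass of the monitor until some modification adds the attribute; the comment in that branch should say this explicitly, e.g. `// no USN to compare: this entry will be re-read on every pass until it is modified`, and whether the fall-through path tolerates repeated processing cannot be confirmed here because the rest of `readAuthority` is outside the hunk. Note also that `entryUSNPluginEnabled()` performs a directory search per entry per pass, which is cheap but avoidable if the result were cached for the duration of one scan. `readAuthority` starts before and ends after this hunk.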
From: Fraser Tweedale Date: Wed, 24 Aug 2016 14:10:55 +1000 Subject: [PATCH 8/9] Perform host authority check before entryUSN check When processing lightweight CAs, currently we perform the entryUSN check before the host authority check. If the entry does not have an entryUSN attribute, and if the DS USN plugin is not enabled, the entry gets skipped and we do not reach the host authority check. This causes the CA to believe that it has not seen the host authority entry, and results in additional entries being added. Move the host authority check before the entryUSN check to avoid this scenario. Fixes: https://fedorahosted.org/pki/ticket/2444 (cherry picked from commit e457cb8367f39562a844229ddb9da9c3a46d9611) (cherry picked from commit 3a97c5fc0df7015a7e19236778089c67441a1499) --- .../src/com/netscape/ca/CertificateAuthority.java | 41 +++++++++++----------- 1 file changed, 21 insertions(+), 20 deletions(-) diff --git a/base/ca/src/com/netscape/ca/CertificateAuthority.java b/base/ca/src/com/netscape/ca/CertificateAuthority.java index aab9651..1f77fd8 100644 --- a/base/ca/src/com/netscape/ca/CertificateAuthority.java +++ b/base/ca/src/com/netscape/ca/CertificateAuthority.java 
@@ -3239,6 +3239,27 @@ public class CertificateAuthority AuthorityID aid = new AuthorityID((String) aidAttr.getStringValues().nextElement()); + X500Name dn = null; + try { + dn = new X500Name((String) dnAttr.getStringValues().nextElement()); + } catch (IOException e) { + CMS.debug("Malformed authority object; invalid authorityDN: " + entry.getDN()); + } + + String desc = null; + LDAPAttribute descAttr = entry.getAttribute("description"); + if (descAttr != null) + desc = (String) descAttr.getStringValues().nextElement(); + + if (dn.equals(mName)) { + CMS.debug("Found host authority"); + foundHostAuthority = true; + this.authorityID = aid; + this.authorityDescription = desc; + caMap.put(aid, this); + return; + } + Integer newEntryUSN = null; LDAPAttribute entryUSNAttr = entry.getAttribute("entryUSN"); if (entryUSNAttr == null) { @@ -3269,26 +3290,6 @@ public class CertificateAuthority } } - X500Name dn = null; - try { - dn = new X500Name((String) dnAttr.getStringValues().nextElement()); - } catch (IOException e) { - CMS.debug("Malformed authority object; invalid authorityDN: " + entry.getDN()); - } - - String desc = null; - LDAPAttribute descAttr = entry.getAttribute("description"); - if (descAttr != null) - desc = (String) descAttr.getStringValues().nextElement(); - - if (dn.equals(mName)) { - foundHostAuthority = true; - this.authorityID = aid; - this.authorityDescription = desc; - caMap.put(aid, this); - return; - } - @SuppressWarnings("unused") X500Name parentDN = null; if (parentDNAttr != null) { -- 1.8.3.1 From 6cfdd4a6434c8ca08cdbcd659d44a74f6bb6d123 Mon Sep 17 00:00:00 2001 
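Review bot: In the relocated block a malformed `authorityDN` leaves `dn` null — the `IOException` is only debug-logged — and the very next statement, `dn.equals(mName)`, then throws `NullPointerException` out of `readAuthority`; this was latent before the move, but placing the block ahead of the entryUSN check means the dereference is now reached for every entry, including ones the USN check would previously have skipped. Return after logging and raise the level, since a corrupt authority entry is a data-integrity event: `log(ILogger.LL_FAILURE, "Malformed authority object; invalid authorityDN: " + entry.getDN()); return;` inside the `catch`. `readAuthority` begins before and continues after this hunk.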
From: "Endi S. Dewata" Date: Wed, 7 Sep 2016 00:35:40 +0200 Subject: [PATCH 9/9] Removed FixSELinuxContexts upgrade script. The FixSELinuxContexts upgrade script has been removed temporarily due to a problem importing selinux library during RPM upgrade. The FixDeploymentDescriptor script number has been changed accordingly. https://fedorahosted.org/pki/ticket/2452 (cherry picked from commit 76b3ae5062aef22eece89117a28bd9b86ddef92d) (cherry picked from commit b3248175d261bc82d3d9c965f047ea9d0fa2bc9e) --- .../upgrade/10.3.5/02-FixDeploymentDescriptor | 110 +++++++++++++++++++++ base/server/upgrade/10.3.5/02-FixSELinuxContexts | 36 ------- .../upgrade/10.3.5/03-FixDeploymentDescriptor | 110 --------------------- 3 files changed, 110 insertions(+), 146 deletions(-) create mode 100644 base/server/upgrade/10.3.5/02-FixDeploymentDescriptor delete mode 100644 base/server/upgrade/10.3.5/02-FixSELinuxContexts delete mode 100644 base/server/upgrade/10.3.5/03-FixDeploymentDescriptor diff --git a/base/server/upgrade/10.3.5/02-FixDeploymentDescriptor b/base/server/upgrade/10.3.5/02-FixDeploymentDescriptor new file mode 100644 index 0000000..27c8959 --- /dev/null +++ b/base/server/upgrade/10.3.5/02-FixDeploymentDescriptor 
@@ -0,0 +1,110 @@ +#!/usr/bin/python +# Authors: +# Endi S. Dewata +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; version 2 of the License. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Copyright (C) 2016 Red Hat, Inc. +# All rights reserved. + +from __future__ import absolute_import +from lxml import etree +import os +import shutil + +import pki.server.upgrade + + +class FixDeploymentDescriptor(pki.server.upgrade.PKIServerUpgradeScriptlet): + + def __init__(self): + super(FixDeploymentDescriptor, self).__init__() + self.message = 'Fix deployment descriptor' + self.parser = etree.XMLParser(remove_blank_text=True) + + def upgrade_instance(self, instance): + + self.fix_webapp(instance, 'ROOT.xml') + self.fix_webapp(instance, 'pki#admin.xml') + self.fix_webapp(instance, 'pki#js.xml') + + self.fix_theme(instance, 'pki.xml') + + def fix_webapp(self, instance, context_xml): + + source_xml = pki.SHARE_DIR + '/server/conf/Catalina/localhost/' + context_xml + target_xml = instance.conf_dir + '/Catalina/localhost/' + context_xml + + # if deployment descriptor doesn't exist, install the default + if not os.path.exists(target_xml): + self.copy_file(instance, source_xml, target_xml) + return + + # get docBase from deployment descriptor + document = etree.parse(target_xml, self.parser) + context = document.getroot() + docBase = context.get('docBase') + + # if docBase is absolute and pointing to non-empty folder, ignore + if 
docBase.startswith('/') and \ + os.path.exists(docBase) and \ + os.listdir(docBase): + return + + # if docBase is relative and pointing to non-empty folder, ignore + if not docBase.startswith('/') and \ + os.path.exists(instance.base_dir + '/webapps/' + docBase) and \ + os.listdir(instance.base_dir + '/webapps/' + docBase): + return + + # docBase is pointing to non-existent/empty folder, replace with default + self.copy_file(instance, source_xml, target_xml) + + def fix_theme(self, instance, context_xml): + + source_xml = pki.SHARE_DIR + '/server/conf/Catalina/localhost/' + context_xml + target_xml = instance.conf_dir + '/Catalina/localhost/' + context_xml + + # if deployment descriptor doesn't exist, ignore (no theme) + if not os.path.exists(target_xml): + return + + # get docBase from deployment descriptor + document = etree.parse(target_xml, self.parser) + context = document.getroot() + docBase = context.get('docBase') + + # if docBase is absolute and pointing to non-empty folder, ignore + if docBase.startswith('/') and \ + os.path.exists(docBase) and \ + os.listdir(docBase): + return + + # if docBase is relative and pointing to non-empty folder, ignore + if not docBase.startswith('/') and \ + os.path.exists(instance.base_dir + '/webapps/' + docBase) and \ + os.listdir(instance.base_dir + '/webapps/' + docBase): + return + + # docBase is pointing to non-existent/empty folder + + # if theme package is installed, replace deployment descriptor + if os.path.exists(pki.SHARE_DIR + '/common-ui'): + self.copy_file(instance, source_xml, target_xml) + + def copy_file(self, instance, source, target): + + self.backup(target) + shutil.copyfile(source, target) + os.chown(target, instance.uid, instance.gid) diff --git a/base/server/upgrade/10.3.5/02-FixSELinuxContexts b/base/server/upgrade/10.3.5/02-FixSELinuxContexts deleted file mode 100644 index f3d981e..0000000 --- a/base/server/upgrade/10.3.5/02-FixSELinuxContexts +++ /dev/null 
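Review bot: `fix_webapp` and `fix_theme` call `docBase.startswith('/')` on the value of `context.get('docBase')`, which is `None` when the `Context` element has no `docBase` attribute, so a single malformed descriptor aborts the whole upgrade with an `AttributeError` instead of being repaired. Treat a missing attribute like a non-existent folder: in `fix_webapp` add `if not docBase:` / `self.copy_file(instance, source_xml, target_xml)` / `return` directly after the `get`, and in `fix_theme` skip the two folder checks and fall through to the theme-package test when `docBase` is falsy. The descriptors are parsed with a default `lxml` parser; they live in the instance's conf dir and are presumably trusted, but disabling entity expansion costs nothing in an upgrade script that runs as root: `self.parser = etree.XMLParser(remove_blank_text=True, resolve_entities=False)`. Finally, `copy_file` uses `shutil.copyfile`, which does not carry the mode of the backed-up target, so the replacement's permissions come from the umask; note this in a comment or use `shutil.copy2` if the share-dir mode is the intended one.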
@@ -1,36 +0,0 @@ -#!/usr/bin/python -# Authors: -# Endi S. Dewata -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; version 2 of the License. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Copyright (C) 2016 Red Hat, Inc. -# All rights reserved. - -from __future__ import absolute_import -import selinux -import pki.server.upgrade - - -class FixSELinuxContexts(pki.server.upgrade.PKIServerUpgradeScriptlet): - - def __init__(self): - super(FixSELinuxContexts, self).__init__() - self.message = 'Fix SELinux contexts' - - def upgrade_instance(self, instance): - - selinux.restorecon(instance.base_dir, True) - selinux.restorecon(instance.conf_dir, True) - selinux.restorecon(instance.log_dir, True) diff --git a/base/server/upgrade/10.3.5/03-FixDeploymentDescriptor b/base/server/upgrade/10.3.5/03-FixDeploymentDescriptor deleted file mode 100644 index 27c8959..0000000 --- a/base/server/upgrade/10.3.5/03-FixDeploymentDescriptor +++ /dev/null 
@@ -1,110 +0,0 @@ -#!/usr/bin/python -# Authors: -# Endi S. Dewata -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; version 2 of the License. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License along -# with this program; if not, write to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -# -# Copyright (C) 2016 Red Hat, Inc. -# All rights reserved. - -from __future__ import absolute_import -from lxml import etree -import os -import shutil - -import pki.server.upgrade - - -class FixDeploymentDescriptor(pki.server.upgrade.PKIServerUpgradeScriptlet): - - def __init__(self): - super(FixDeploymentDescriptor, self).__init__() - self.message = 'Fix deployment descriptor' - self.parser = etree.XMLParser(remove_blank_text=True) - - def upgrade_instance(self, instance): - - self.fix_webapp(instance, 'ROOT.xml') - self.fix_webapp(instance, 'pki#admin.xml') - self.fix_webapp(instance, 'pki#js.xml') - - self.fix_theme(instance, 'pki.xml') - - def fix_webapp(self, instance, context_xml): - - source_xml = pki.SHARE_DIR + '/server/conf/Catalina/localhost/' + context_xml - target_xml = instance.conf_dir + '/Catalina/localhost/' + context_xml - - # if deployment descriptor doesn't exist, install the default - if not os.path.exists(target_xml): - self.copy_file(instance, source_xml, target_xml) - return - - # get docBase from deployment descriptor - document = etree.parse(target_xml, self.parser) - context = document.getroot() - docBase = context.get('docBase') - - # if docBase is absolute and pointing to non-empty folder, ignore - if 
docBase.startswith('/') and \ - os.path.exists(docBase) and \ - os.listdir(docBase): - return - - # if docBase is relative and pointing to non-empty folder, ignore - if not docBase.startswith('/') and \ - os.path.exists(instance.base_dir + '/webapps/' + docBase) and \ - os.listdir(instance.base_dir + '/webapps/' + docBase): - return - - # docBase is pointing to non-existent/empty folder, replace with default - self.copy_file(instance, source_xml, target_xml) - - def fix_theme(self, instance, context_xml): - - source_xml = pki.SHARE_DIR + '/server/conf/Catalina/localhost/' + context_xml - target_xml = instance.conf_dir + '/Catalina/localhost/' + context_xml - - # if deployment descriptor doesn't exist, ignore (no theme) - if not os.path.exists(target_xml): - return - - # get docBase from deployment descriptor - document = etree.parse(target_xml, self.parser) - context = document.getroot() - docBase = context.get('docBase') - - # if docBase is absolute and pointing to non-empty folder, ignore - if docBase.startswith('/') and \ - os.path.exists(docBase) and \ - os.listdir(docBase): - return - - # if docBase is relative and pointing to non-empty folder, ignore - if not docBase.startswith('/') and \ - os.path.exists(instance.base_dir + '/webapps/' + docBase) and \ - os.listdir(instance.base_dir + '/webapps/' + docBase): - return - - # docBase is pointing to non-existent/empty folder - - # if theme package is installed, replace deployment descriptor - if os.path.exists(pki.SHARE_DIR + '/common-ui'): - self.copy_file(instance, source_xml, target_xml) - - def copy_file(self, instance, source, target): - - self.backup(target) - shutil.copyfile(source, target) - os.chown(target, instance.uid, instance.gid) -- 1.8.3.1