URL: https://github.com/freeipa/freeipa/pull/5389
Author: rcritten
 Title: #5389: Revert "Remove test for minimum ACME support and rely on package 
deps"
Action: opened

PR body:
"""
This reverts commit 81c97bb9928a88a595b3afe6fa70fcfb267b1440.

This is to make IPA installable again with older versions of dogtag
so it will install on CentOS 8 Stream.

ACME will not be deployed, but on upgrade it will be if pki 10.10.x is
available.

https://pagure.io/freeipa/issue/8634

Signed-off-by: Rob Crittenden <rcrit...@redhat.com>

Alternative PR to #5386
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5389/head:pr5389
git checkout pr5389
From 44925169ea61c4c7a1e8ffe6a4b4825c0da37d3f Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Mon, 4 Jan 2021 08:55:18 -0500
Subject: [PATCH] Revert "Remove test for minimum ACME support and rely on
 package deps"

This reverts commit 81c97bb9928a88a595b3afe6fa70fcfb267b1440.

This is to make IPA installable again with older versions of dogtag
so it will install on CentOS 8 Stream.

ACME will not be deployed, but on upgrade it will be if pki 10.10.x is
available.

https://pagure.io/freeipa/issue/8634

Signed-off-by: Rob Crittenden <rcrit...@redhat.com>
---
 ipaserver/install/cainstance.py        | 34 +++++++++++++++++++++++++-
 ipatests/test_integration/test_acme.py |  5 ++++
 2 files changed, 38 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 94662d9d06c..131418df7b0 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -37,6 +37,7 @@
 import time
 import tempfile
 from configparser import RawConfigParser
+from pkg_resources import parse_version
 
 from ipalib import api
 from ipalib import x509
@@ -473,7 +474,8 @@ def configure_instance(self, host_name, dm_password, admin_password,
 
                 self.step("configuring certmonger renewal for lightweight CAs",
                           self.add_lightweight_ca_tracking_requests)
-                self.step("deploying ACME service", self.setup_acme)
+                if minimum_acme_support():
+                    self.step("deploying ACME service", self.setup_acme)
 
         if ra_only:
             runtime = None
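Review bot: When `minimum_acme_support()` returns False the ACME step is left out here without any message, and the guard added to `setup_acme` in the next hunk also returns False silently, unlike the branch just above it that logs 'ACME service is already deployed'. An administrator reading the install or upgrade log then has no record that the CA came up without ACME because of the dogtag version. I would add `logger.debug('dogtag does not provide ACME support, not deploying')` before the new `return False` in `setup_acme`, and an `else:` branch with the same message here. Both `configure_instance` and `setup_acme` continue outside their hunks.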
@@ -1481,6 +1483,9 @@ def setup_acme(self) -> bool:
             logger.debug('ACME service is already deployed')
             return False
 
+        if not minimum_acme_support():
+            return False
+
         self._ldap_mod('/usr/share/pki/acme/database/ds/schema.ldif')
 
         configure_acme_acls()
@@ -1734,6 +1739,33 @@ def ensure_lightweight_cas_container():
     )
 
 
+def minimum_acme_support(data=None):
+    """
+    ACME with global enable/disable is required.
+
+    This first shipped in dogtag version 10.10.0.
+
+    Parse the version string to determine if the minimum version
+    is met. If parsing fails return False.
+
+    :param: data: The string value to parse for version. Defaults to
+                  reading from the filesystem.
+    """
+    if not data:
+        with open('/usr/share/pki/VERSION', 'r') as fd:
+            data = fd.read()
+
+    groups = re.match(r'.*\nSpecification-Version: ([\d+\.]*)\n.*', data)
+    if groups:
+        version_string = groups.groups(0)[0]
+        minimum_version = parse_version('10.10.0')
+
+        return parse_version(version_string) >= minimum_version
+    else:
+        logger.debug('Unable to parse version from %s', data)
+        return False
+
+
 def ensure_acme_containers():
     """
     Create the ACME container objects under ou=acme,o=ipaca if
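Review bot: `minimum_acme_support()` does not keep its docstring's promise to return False when the version cannot be determined, because the `open()` of `/usr/share/pki/VERSION` is unguarded and a missing or unreadable file raises instead. The pattern is also looser than it looks: `[\d+\.]*` accepts a literal `+` and an empty capture, and what `parse_version` does with such a value appears to depend on the setuptools release, while `re.match` with a leading `.*\n` only finds the field when it sits on the second line of the file. Since this result decides whether the ACME service is deployed, I would make the read and the match strict as sketched below; returning False on a read error is my assumption of the intent, and `match.group(1)` replaces the unusual `groups.groups(0)[0]`.

```python
def minimum_acme_support(data=None):
    # … unchanged: docstring …
    if not data:
        try:
            with open('/usr/share/pki/VERSION', 'r') as fd:
                data = fd.read()
        except OSError as e:
            logger.debug('Unable to read pki version file: %s', e)
            return False

    match = re.search(
        r'^Specification-Version: ([\d.]+)$', data, re.MULTILINE)
    if match is None:
        logger.debug('Unable to parse version from %s', data)
        return False

    return parse_version(match.group(1)) >= parse_version('10.10.0')
```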
diff --git a/ipatests/test_integration/test_acme.py b/ipatests/test_integration/test_acme.py
index 1d2370c59ba..473e8c7907f 100644
--- a/ipatests/test_integration/test_acme.py
+++ b/ipatests/test_integration/test_acme.py
@@ -14,6 +14,7 @@
 from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup
 from ipaplatform.osinfo import osinfo
 from ipaplatform.paths import paths
+from ipaserver.install import cainstance
 from ipatests.test_integration.test_external_ca import (
     install_server_external_ca_step1,
     install_server_external_ca_step2,
@@ -77,6 +78,8 @@ def wrapped(*args):
     return wrapped
 
 
+@pytest.mark.skipif(not cainstance.minimum_acme_support(),
+                    reason="does not provide ACME")
 class TestACME(CALessBase):
     """
     Test the FreeIPA ACME service by using ACME clients on a FreeIPA client.
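Review bot: The `skipif` condition on `TestACME` is evaluated when the test module is imported, so `minimum_acme_support()` reads `/usr/share/pki/VERSION` on the machine running pytest rather than on the IPA server under test, and in a multi-host run those may not be the same system. If the file is absent there, the unguarded `open()` raises and collection of the whole module fails; if it is present but belongs to a different pki version, the ACME tests are skipped or run for the wrong reason. The same decorator is added to `TestACMECALess` in the following hunk. I would move the check into the class setup and feed the server's file through the `data` parameter, for example `cainstance.minimum_acme_support(cls.master.get_file_contents('/usr/share/pki/VERSION', encoding='utf-8'))` followed by `pytest.skip("does not provide ACME")`; both class bodies continue outside their hunks.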
@@ -420,6 +423,8 @@ def test_third_party_certs(self):
         assert "invalid 'certificate'" in result.stderr_text
 
 
+@pytest.mark.skipif(not cainstance.minimum_acme_support(),
+                    reason="does not provide ACME")
 class TestACMECALess(IntegrationTest):
     """Test to check the CA less replica setup"""
     num_replicas = 1