https://fedorahosted.org/freeipa/ticket/3150
Patch 0086:
I found an old unused function while working on this, the patch removes it.
Patch 0087:
Replica files generated on older masters don't contain the Firefox
extension files. Skip installing them in this case.
Patch 0088:
Servers upgraded from IPA 2.2 need the Firefox extension installed. This
is done in ipa-upgradeconfig if they're missing.
I made the setup_firefox_extension method independent of the
httpinstance state (which is mostly set in create_instance).
Similarly, the files are installed by ipa-replica-install if they're
missing (i.e. skipped by the previous patch).
If the Signing-Cert is not on this master, create an unsigned extension
using the "zip" command. I needed to add Popen's `cwd` argument to
ipautil.run() to get the right filenames out of zip.
The patches add "copy_template_file" and "copy_file_if_exists" utilities
I've written for some of my WIP patches, expect me to use them more when
I get time to work on the installer code.
--
Petr³
From 2e81d46f2481c34cf58b3c66cdb6850b025a5488 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Tue, 9 Oct 2012 04:10:06 -0400
Subject: [PATCH] ipa-upgradeconfig: Remove the upgrade_httpd_selinux function
This function was never called from anywhere.
---
install/tools/ipa-upgradeconfig | 9 ---------
1 file changed, 9 deletions(-)
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 6c0437180c2b47f4d88154741c96648975b30d34..c74ebe33d228c20508e734c7d5c9b41573145003 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -296,15 +296,6 @@ def upgrade_ipa_profile(realm):
else:
root_logger.debug('CA is not configured')
-def upgrade_httpd_selinux(fstore):
- """
- Update SElinux configuration for httpd instance in the same way as the
- new server installation does.
- """
- root_logger.info('[Verifying the Apache SELinux configuration]')
- http = httpinstance.HTTPInstance(fstore)
- http.configure_selinux_for_httpd()
-
def named_enable_psearch():
"""
From IPA 3.0, persistent search is a preferred mechanism for new DNS zone
--
1.7.11.4
From dd5934af098648860e253c24ab8d3dc63c05f8d7 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Mon, 8 Oct 2012 08:02:55 -0400
Subject: [PATCH] replica-install: Don't copy Firefox config extension files
if they're not in the replica file
This allows cloning from older masters.
https://fedorahosted.org/freeipa/ticket/3150
---
install/tools/ipa-replica-install | 7 +++++--
ipaserver/install/installutils.py | 6 ++++++
2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index c1679c723bc50fb318b4fa1a0ff10d6032c991b4..2bc571c2edf466d8e60121d79e7a0e17630b439b 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -207,8 +207,11 @@ def install_http(config, auto_redirect):
try:
shutil.copy(config.dir + "/preferences.html", "/usr/share/ipa/html/preferences.html")
shutil.copy(config.dir + "/configure.jar", "/usr/share/ipa/html/configure.jar")
- shutil.copy(config.dir + "/krb.js", "/usr/share/ipa/html/krb.js")
- shutil.copy(config.dir + "/kerberosauth.xpi", "/usr/share/ipa/html/kerberosauth.xpi")
+ installutils.copy_file_if_exists(
+ config.dir + "/krb.js", "/usr/share/ipa/html/krb.js")
+ installutils.copy_file_if_exists(
+ config.dir + "/kerberosauth.xpi",
+ "/usr/share/ipa/html/kerberosauth.xpi")
except Exception, e:
print "error copying files: " + str(e)
sys.exit(1)
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 754d5fc98f3122cc82064c039236f5916eabf469..d662b63cd1b2b3844406beab73985bfbb60deb56 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -566,6 +566,12 @@ def rmtree(path):
except Exception, e:
root_logger.error('Error removing %s: %s' % (path, str(e)))
+
+def copy_file_if_exists(src, dest):
+ if os.path.exists(src):
+ shutil.copy(src, dest)
+
+
def is_ipa_configured():
"""
Using the state and index install files determine if IPA is already
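Review bot: `copy_file_if_exists` skips a missing source without leaving any trace, so a replica file that is truncated or damaged looks the same as one from an older master that never carried the extension files. A debug message on the skip path, for example `root_logger.debug('%s does not exist, skipping copy', src)`, would make that visible in the install log; `root_logger` is already used by `rmtree` just above. The helper also has no docstring, unlike its neighbours; a one-liner such as `"""Copy src to dest; do nothing if src does not exist"""` would state the contract that both callers in ipa-replica-install rely on.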
--
1.7.11.4
From 04bd0ba7e431804e56b91f0bfb70676b70c10fb2 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Mon, 8 Oct 2012 07:54:47 -0400
Subject: [PATCH] Create Firefox extension on upgrade and replica-install
If the signing cert is not available, create an unsigned extension.
Add a zip dependency to the specfile.
https://fedorahosted.org/freeipa/ticket/3150
---
freeipa.spec.in | 4 +++
install/tools/ipa-replica-install | 3 ++
install/tools/ipa-upgradeconfig | 11 +++++++
ipapython/ipautil.py | 13 ++++++--
ipaserver/install/httpinstance.py | 69 ++++++++++++++++++++++++++-------------
5 files changed, 76 insertions(+), 24 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 7c8314a04dbd01303c9122b4822b074bc7bbff88..b700fa6cb5606b65a2814935e7c7e7cd53f7b868 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -173,6 +173,7 @@ Requires(postun): python initscripts chkconfig
%endif
Requires: python-dns
Requires: keyutils
+Requires: zip
# We have a soft-requires on bind. It is an optional part of
# IPA but if it is configured we need a way to require versions
@@ -783,6 +784,9 @@ fi
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
%changelog
+* Mon Oct 9 2012 Petr Viktorin <pvikt...@redhat.com> - 2.99.0-48
+- Add zip dependency, needed for creating unsigned Firefox extensions
+
* Mon Oct 1 2012 Martin Kosek <mko...@redhat.com> - 2.99.0-47
- Require samba packages instead of samba4 packages obsoleted in Fedora 18 and later
- Add libwbclient-devel BuildRequires to pick up libwbclient.h on Fedora 18 and later
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 2bc571c2edf466d8e60121d79e7a0e17630b439b..1aab5997a9048d6e18ddbd6bf28d4a74dae6519b 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -216,6 +216,9 @@ def install_http(config, auto_redirect):
print "error copying files: " + str(e)
sys.exit(1)
+ http.setup_firefox_extension(config.realm_name, config.domain_name,
+ subject_base="0=" + config.realm_name)
+
return http
def install_bind(config, options):
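Review bot: The subject base passed to `http.setup_firefox_extension` is built as `"0=" + config.realm_name`, which reads as the digit zero on this page; if the organization RDN is intended it should be the letter O, i.e. `subject_base="O=" + config.realm_name`. The same literal appears in the new `setup_firefox_extension(fstore)` in the ipa-upgradeconfig hunk of this patch (`subject_base = "0=" + realm`). Hard-coding the default form at both call sites also presumably ignores a subject base that was customised at install time, so it would be safer to read the configured value if one is available. The new call sits outside the `try`/`except` above it, so a failure in signtool or zip would surface as an unhandled exception rather than the "error copying files" message; `install_http` starts before this hunk, so the surrounding handling is only partly visible.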
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index c74ebe33d228c20508e734c7d5c9b41573145003..5e5b0f6c0f030c739162183e149701f737d77e64 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -281,6 +281,16 @@ def cleanup_kdc(fstore):
fstore.untrack_file(filename)
root_logger.debug('Uninstalling %s', filename)
+def setup_firefox_extension(fstore):
+ """Set up the Firefox configuration extension, if it's not set up yet
+ """
+ root_logger.info('[Setting up Firefox extension]')
+ http = httpinstance.HTTPInstance(fstore)
+ realm = api.env.realm
+ domain = api.env.domain
+ subject_base = "0=" + realm
+ http.setup_firefox_extension(realm, domain, subject_base)
+
def upgrade_ipa_profile(realm):
"""
Update the IPA Profile provided by dogtag
@@ -522,6 +532,7 @@ def main():
cleanup_kdc(fstore)
upgrade_ipa_profile(api.env.realm)
+ setup_firefox_extension(fstore)
changed_psearch = named_enable_psearch()
changed_autoincrement = named_enable_serial_autoincrement()
if changed_psearch or changed_autoincrement:
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 11433b4be832c1f6a79d17056e830c9582f3ca6e..558e4a85149fb46b4045f98bfce7e8fd6a1e9ae2 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -223,8 +223,17 @@ def template_str(txt, vars):
return val
def template_file(infilename, vars):
- txt = open(infilename).read()
- return template_str(txt, vars)
+ """Read a file and perform template substitutions"""
+ with open(infilename) as f:
+ return template_str(f.read(), vars)
+
+
+def copy_template_file(infilename, outfilename, vars):
+ """Copy a file, performing template substitutions"""
+ txt = template_file(infilename, vars)
+ with open(outfilename, 'w') as file:
+ file.write(txt)
+
def write_tmp_file(txt):
fd = tempfile.NamedTemporaryFile()
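Review bot: In `copy_template_file` the handle is named `file`, which shadows the Python 2 builtin, while `template_file` directly above uses `f`; `with open(outfilename, 'w') as f:` followed by `f.write(txt)` would keep the two helpers consistent. The output file is created with whatever mode the process umask gives, and the callers visible in httpinstance.py tighten it with `os.chmod(target_fname, 0644)` afterwards; the docstring could say that permissions are the caller's responsibility, e.g. `"""Copy a file, performing template substitutions; the caller sets the mode of outfilename"""`.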
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index afadde40bb0a8623d1eefc7960e69c48510ebdb8..78f195466a7c880de3502cfe838114b8ee9af6b9 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -285,46 +285,71 @@ def __setup_ssl(self):
os.chmod(certs.CA_SERIALNO, 0664)
def __setup_autoconfig(self):
+
target_fname = '/usr/share/ipa/html/preferences.html'
- prefs_txt = ipautil.template_file(ipautil.SHARE_DIR + "preferences.html.template", self.sub_dict)
- prefs_fd = open(target_fname, "w")
- prefs_fd.write(prefs_txt)
- prefs_fd.close()
- os.chmod(target_fname, 0644)
-
- target_fname = '/usr/share/ipa/html/krb.js'
- prefs_txt = ipautil.template_file(ipautil.SHARE_DIR + "krb.js.template", self.sub_dict)
- prefs_fd = open(target_fname, "w")
- prefs_fd.write(prefs_txt)
- prefs_fd.close()
+ ipautil.copy_template_file(
+ ipautil.SHARE_DIR + "preferences.html.template",
+ target_fname, self.sub_dict)
os.chmod(target_fname, 0644)
# The signing cert is generated in __setup_ssl
db = certs.CertDB(self.realm, subject_base=self.subject_base)
- pwdfile = open(db.passwd_fname)
- pwd = pwdfile.read()
- pwdfile.close()
+ with open(db.passwd_fname) as pwdfile:
+ pwd = pwdfile.read()
# Setup configure.jar
- tmpdir = tempfile.mkdtemp(prefix = "tmp-")
+ tmpdir = tempfile.mkdtemp(prefix="tmp-")
target_fname = '/usr/share/ipa/html/configure.jar'
shutil.copy("/usr/share/ipa/html/preferences.html", tmpdir)
db.run_signtool(["-k", "Signing-Cert",
"-Z", target_fname,
"-e", ".html", "-p", pwd,
tmpdir])
shutil.rmtree(tmpdir)
os.chmod(target_fname, 0644)
- # Setup extension
- tmpdir = tempfile.mkdtemp(prefix = "tmp-")
- extdir = tmpdir + "/ext"
+ self.setup_firefox_extension(
+ self.realm, self.domain, self.subject_base, pwd, force=False)
+
+ def setup_firefox_extension(self, realm, domain, subject_base, pwd=None,
+ force=False):
+ """Set up the signed browser configuration extension
+
+ If the extension is already set up, skip the installation unless
+ ``force`` is true.
+ """
+
+ target_fname = '/usr/share/ipa/html/krb.js'
+ if os.path.exists(target_fname) and not force:
+ root_logger.info(
+ '%s exists, skipping install of Firefox extension' %
+ target_fname)
+ return
+
+ sub_dict = dict(REALM=realm, DOMAIN=domain)
+ if not pwd:
+ db = certs.CertDB(realm, subject_base=subject_base)
+ with open(db.passwd_fname) as pwdfile:
+ pwd = pwdfile.read()
+
+ ipautil.copy_template_file(ipautil.SHARE_DIR + "krb.js.template",
+ target_fname, sub_dict)
+ os.chmod(target_fname, 0644)
+
target_fname = "/usr/share/ipa/html/kerberosauth.xpi"
+ tmpdir = tempfile.mkdtemp(prefix="tmp-")
+ extdir = tmpdir + "/ext"
shutil.copytree("/usr/share/ipa/ffextension", extdir)
- db.run_signtool(["-k", "Signing-Cert",
- "-p", pwd,
- "-X", "-Z", target_fname,
- extdir])
+ if db.has_nickname('Signing-Cert'):
+ db.run_signtool(["-k", "Signing-Cert",
+ "-p", pwd,
+ "-X", "-Z", target_fname,
+ extdir])
+ else:
+ root_logger.warning('Object-signing certificate was not found. '
+ 'Creating unsigned Firefox configuration extension.')
+ filenames = [os.path.join(tmpdir, p) for p in os.listdir(tmpdir)]
+ ipautil.run(['zip', '-r', '-j', target_fname] + filenames)
shutil.rmtree(tmpdir)
os.chmod(target_fname, 0644)
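Review bot: In the new `setup_firefox_extension`, `db` is bound only inside `if not pwd:`, yet `db.has_nickname('Signing-Cert')` and `db.run_signtool(...)` use it unconditionally, so the call from `__setup_autoconfig`, which passes `pwd`, would fail with an unbound local; moving `db = certs.CertDB(realm, subject_base=subject_base)` above the `if not pwd:` test fixes that. In the unsigned branch, `os.listdir(tmpdir)` returns only the `ext` directory and `zip -r -j` discards directory names, so the archive would appear to lose the extension's internal layout; the cover letter mentions a `cwd` argument for `ipautil.run()` that is not present in the ipautil.py hunk of this patch. `tmpdir` is removed only on the success path, so wrapping the copy, sign and zip steps in `try:` … `finally: shutil.rmtree(tmpdir)` would avoid leaving a copy of the extension tree behind when signtool or zip fails. The early return tests only for `krb.js`, so a host that has `krb.js` but no `kerberosauth.xpi` is skipped as well; checking both files would match the docstring's "already set up".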
--
1.7.11.4