On 10/09/2012 06:01 PM, Petr Vobornik wrote:
On 10/09/2012 05:26 PM, Petr Viktorin wrote:
On 10/09/2012 05:16 PM, Petr Viktorin wrote:
https://fedorahosted.org/freeipa/ticket/3150


Patch 0086:
I found an old unused function while working on this, the patch
removes it.

Patch 0087:
Replica files generated on older masters don't contain the Firefox
extension files. Skip installing them in this case.

Patch 0088:
Servers upgraded from IPA 2.2 need the Firefox extension installed. This
is done in ipa-upgradeconfig if they're missing.
I made the setup_firefox_extension method independent of the
httpinstance state (which is mostly set in create_instance).
Similarly, the files are installed in ipa-replica-install if they're
missing (i.e. skipped by the previous patch).
If the Signing-Cert is not on this master, create an unsigned extension
using the "zip" command. I needed to add Popen's `cwd` argument to
ipautil.run() to get the right filenames out of zip.

The patches add "copy_template_file" and "copy_file_if_exists" utilities
I've written for some of my WIP patches, expect me to use them more when
I get time to work on the installer code.


In my previous mail I've attached an old version of patch 88. Please use
this one. Sorry!



nack

1) patch 83-01 doesn't apply.

There were conflicts with recent CRL and audit cert renewal patches. Rebased.

2) When pwd is supplied to setup_firefox_extension `db =
certs.CertDB(realm, subject_base=subject_base)` is skipped and therefore
`db.has_nickname` will fail.

Thanks for the catch, fixed.


--
Petr³
From 77c7a209ad4e803cf909a5fc5c747810a3163bb5 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Tue, 9 Oct 2012 04:10:06 -0400
Subject: [PATCH] ipa-upgradeconfig: Remove the upgrade_httpd_selinux function

This function was never called from anywhere.
---
 install/tools/ipa-upgradeconfig | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 4ed718a9b9faea0821db5642544e9bb1194dbce4..55b8bdeea07b8da2fb11c4c52c1d3b8b536e5467 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -304,14 +304,6 @@ def upgrade_ipa_profile(ca):
 
     return False
 
-def upgrade_httpd_selinux(fstore):
-    """
-    Update SElinux configuration for httpd instance in the same way as the
-    new server installation does.
-    """
-    root_logger.info('[Verifying the Apache SELinux configuration]')
-    http = httpinstance.HTTPInstance(fstore)
-    http.configure_selinux_for_httpd()
 
 def named_enable_psearch():
     """
-- 
1.7.11.4

From 415eb7b717de70547a65f1530986c9e182be7b37 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Mon, 8 Oct 2012 08:02:55 -0400
Subject: [PATCH] replica-install: Don't copy Firefox config extension files
 if they're not in the replica file

This allows cloning from older masters.

https://fedorahosted.org/freeipa/ticket/3150
---
 install/tools/ipa-replica-install | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index c1679c723bc50fb318b4fa1a0ff10d6032c991b4..8f55d7578e93eb39b5a9848bc5e704e2a1ef34b6 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -207,8 +207,12 @@ def install_http(config, auto_redirect):
         try:
             shutil.copy(config.dir + "/preferences.html", "/usr/share/ipa/html/preferences.html")
             shutil.copy(config.dir + "/configure.jar", "/usr/share/ipa/html/configure.jar")
-            shutil.copy(config.dir + "/krb.js", "/usr/share/ipa/html/krb.js")
-            shutil.copy(config.dir + "/kerberosauth.xpi", "/usr/share/ipa/html/kerberosauth.xpi")
+            if ipautil.file_exists(config.dir + "/krb.js"):
+                shutil.copy(
+                    config.dir + "/krb.js", "/usr/share/ipa/html/krb.js")
+                shutil.copy(
+                    config.dir + "/kerberosauth.xpi",
+                    "/usr/share/ipa/html/kerberosauth.xpi")
         except Exception, e:
             print "error copying files: " + str(e)
             sys.exit(1)
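Review bot: the new `ipautil.file_exists(config.dir + "/krb.js")` guard only tests for krb.js, but the branch it protects also copies kerberosauth.xpi, so a replica file that carries krb.js without the .xpi still ends up in the `except` and exits with "error copying files". Test each file before copying it (or test both in the condition), and log when the extension files are skipped so it is visible that a later step is expected to create them.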
-- 
1.7.11.4

From c7f0e1770f5c8c526db011fa53c8167196f98487 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Mon, 8 Oct 2012 07:54:47 -0400
Subject: [PATCH] Create Firefox extension on upgrade and replica-install

If the signing cert is not available, create an unsigned extension.

Add a zip dependency to the specfile.

https://fedorahosted.org/freeipa/ticket/3150
---
 freeipa.spec.in                   |  4 +++
 install/tools/ipa-replica-install |  3 ++
 install/tools/ipa-upgradeconfig   | 13 ++++++++
 ipapython/ipautil.py              | 17 ++++++++---
 ipaserver/install/httpinstance.py | 63 ++++++++++++++++++++++++++-------------
 5 files changed, 76 insertions(+), 24 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index cc27ffe43758eaedcaaf31b7f55d35d689cec0ae..318638c20a946b26aaffdf8dc1dddd05d458cb1a 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -173,6 +173,7 @@ Requires(postun): python initscripts chkconfig
 %endif
 Requires: python-dns
 Requires: keyutils
+Requires: zip
 
 # We have a soft-requires on bind. It is an optional part of
 # IPA but if it is configured we need a way to require versions
@@ -786,6 +787,9 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
 
 %changelog
+* Wed Oct 10 2012 Petr Viktorin <pvikt...@redhat.com> - 2.99.0-49
+- Add zip dependency, needed for creating unsigned Firefox extensions
+
 * Mon Oct  8 2012 Martin Kosek <mko...@redhat.com> - 2.99.0-48
 - Add directory /var/lib/ipa/pki-ca/publish for CRL published by pki-ca
 
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 8f55d7578e93eb39b5a9848bc5e704e2a1ef34b6..d9fed060bd1bb32476d9cd0dfee833b5353d7634 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -217,6 +217,9 @@ def install_http(config, auto_redirect):
             print "error copying files: " + str(e)
             sys.exit(1)
 
+    http.setup_firefox_extension(config.realm_name, config.domain_name,
+        subject_base="0=" + config.realm_name)
+
     return http
 
 def install_bind(config, options):
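Review bot: `subject_base="0=" + config.realm_name` spells the attribute with the digit zero rather than the letter O as written here, so the value that reaches `certs.CertDB(realm, subject_base=subject_base)` is not an `O=<realm>` subject base. Apart from the spelling, building the value from the realm at this call site ignores any subject base chosen at install time; pass the configured value through if the replica config carries one.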
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 55b8bdeea07b8da2fb11c4c52c1d3b8b536e5467..b379b53527381c41bfd5875eb7a277d3abbab6be 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -283,6 +283,18 @@ def cleanup_kdc(fstore):
             fstore.untrack_file(filename)
             root_logger.debug('Uninstalling %s', filename)
 
+
+def setup_firefox_extension(fstore):
+    """Set up the Firefox configuration extension, if it's not set up yet
+    """
+    root_logger.info('[Setting up Firefox extension]')
+    http = httpinstance.HTTPInstance(fstore)
+    realm = api.env.realm
+    domain = api.env.domain
+    subject_base = "0=" + realm
+    http.setup_firefox_extension(realm, domain, subject_base)
+
+
 def upgrade_ipa_profile(ca):
     """
     Update the IPA Profile provided by dogtag
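Review bot: `subject_base = "0=" + realm` repeats the literal used in ipa-replica-install, digit zero included, so the same string is now built in two callers. Put the default in one place (for example inside HTTPInstance.setup_firefox_extension) and fix the spelling there. The positional call `http.setup_firefox_extension(realm, domain, subject_base)` also differs from the keyword form used in ipa-replica-install; pick one style for both.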
@@ -609,6 +621,7 @@ def main():
         pass
 
     cleanup_kdc(fstore)
+    setup_firefox_extension(fstore)
     changed_psearch = named_enable_psearch()
     changed_autoincrement = named_enable_serial_autoincrement()
     if changed_psearch or changed_autoincrement:
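Review bot: `setup_firefox_extension(fstore)` is called unguarded in main(), between cleanup_kdc() and named_enable_psearch(), so any exception it raises (an unreadable NSS password file, signtool or zip failing with raiseonerr left at its default) stops the upgrade before the remaining steps run. The patch already falls back to an unsigned extension rather than failing, so treat this step as best-effort: catch the error here, log it, and let the rest of the upgrade proceed.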
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 11433b4be832c1f6a79d17056e830c9582f3ca6e..0b519c2957f63770f9a28d7abe9083f724a9cf40 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -223,8 +223,17 @@ def template_str(txt, vars):
     return val
 
 def template_file(infilename, vars):
-    txt = open(infilename).read()
-    return template_str(txt, vars)
+    """Read a file and perform template substitutions"""
+    with open(infilename) as f:
+        return template_str(f.read(), vars)
+
+
+def copy_template_file(infilename, outfilename, vars):
+    """Copy a file, performing template substitutions"""
+    txt = template_file(infilename, vars)
+    with open(outfilename, 'w') as file:
+        file.write(txt)
+
 
 def write_tmp_file(txt):
     fd = tempfile.NamedTemporaryFile()
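Review bot: in copy_template_file, `with open(outfilename, 'w') as file:` shadows the built-in `file`; use `f`, as template_file does a few lines above. The output file is also created with whatever mode the umask gives, and every caller in this patch follows up with `os.chmod(target_fname, 0644)`; an optional mode argument would keep creation and permissions together. The cover letter mentions a copy_file_if_exists helper as well, which does not appear in this diff.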
@@ -237,7 +246,7 @@ def shell_quote(string):
     return "'" + string.replace("'", "'\\''") + "'"
 
 def run(args, stdin=None, raiseonerr=True,
-        nolog=(), env=None, capture_output=True):
+        nolog=(), env=None, capture_output=True, cwd=None):
     """
     Execute a command and return stdin, stdout and the process return code.
 
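Review bot: the new `cwd=None` parameter on run() is not described in the docstring, which this hunk leaves untouched. Add a line stating that the command is executed with that directory as its working directory, and include cwd in what run() logs about the command so that a failing invocation with relative file names, such as the zip call, can be diagnosed.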
@@ -285,7 +294,7 @@ def run(args, stdin=None, raiseonerr=True,
 
     try:
         p = subprocess.Popen(args, stdin=p_in, stdout=p_out, stderr=p_err,
-                             close_fds=True, env=env)
+                             close_fds=True, env=env, cwd=cwd)
         stdout,stderr = p.communicate(stdin)
         stdout,stderr = str(stdout), str(stderr)    # Make pylint happy
     except KeyboardInterrupt:
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index afadde40bb0a8623d1eefc7960e69c48510ebdb8..df085be745945012b2a469acbca91da855aefd03 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -286,45 +286,68 @@ def __setup_ssl(self):
 
     def __setup_autoconfig(self):
         target_fname = '/usr/share/ipa/html/preferences.html'
-        prefs_txt = ipautil.template_file(ipautil.SHARE_DIR + "preferences.html.template", self.sub_dict)
-        prefs_fd = open(target_fname, "w")
-        prefs_fd.write(prefs_txt)
-        prefs_fd.close()
-        os.chmod(target_fname, 0644)
-
-        target_fname = '/usr/share/ipa/html/krb.js'
-        prefs_txt = ipautil.template_file(ipautil.SHARE_DIR + "krb.js.template", self.sub_dict)
-        prefs_fd = open(target_fname, "w")
-        prefs_fd.write(prefs_txt)
-        prefs_fd.close()
+        ipautil.copy_template_file(
+            ipautil.SHARE_DIR + "preferences.html.template",
+            target_fname, self.sub_dict)
         os.chmod(target_fname, 0644)
 
         # The signing cert is generated in __setup_ssl
         db = certs.CertDB(self.realm, subject_base=self.subject_base)
-        pwdfile = open(db.passwd_fname)
-        pwd = pwdfile.read()
-        pwdfile.close()
+        with open(db.passwd_fname) as pwdfile:
+            pwd = pwdfile.read()
 
         # Setup configure.jar
-        tmpdir = tempfile.mkdtemp(prefix = "tmp-")
+        tmpdir = tempfile.mkdtemp(prefix="tmp-")
         target_fname = '/usr/share/ipa/html/configure.jar'
         shutil.copy("/usr/share/ipa/html/preferences.html", tmpdir)
         db.run_signtool(["-k", "Signing-Cert",
                          "-Z", target_fname,
                          "-e", ".html", "-p", pwd,
                          tmpdir])
         shutil.rmtree(tmpdir)
         os.chmod(target_fname, 0644)
 
+        self.setup_firefox_extension(
+            self.realm, self.domain, self.subject_base, force=False)
+
+    def setup_firefox_extension(self, realm, domain, subject_base, force=False):
+        """Set up the signed browser configuration extension
+
+        If the extension is already set up, skip the installation unless
+        ``force`` is true.
+        """
+
+        target_fname = '/usr/share/ipa/html/krb.js'
+        if os.path.exists(target_fname) and not force:
+            root_logger.info(
+                '%s exists, skipping install of Firefox extension' %
+                    target_fname)
+            return
+
+        sub_dict = dict(REALM=realm, DOMAIN=domain)
+        db = certs.CertDB(realm, subject_base=subject_base)
+        with open(db.passwd_fname) as pwdfile:
+            pwd = pwdfile.read()
+
+        ipautil.copy_template_file(ipautil.SHARE_DIR + "krb.js.template",
+            target_fname, sub_dict)
+        os.chmod(target_fname, 0644)
+
         # Setup extension
-        tmpdir = tempfile.mkdtemp(prefix = "tmp-")
+        tmpdir = tempfile.mkdtemp(prefix="tmp-")
         extdir = tmpdir + "/ext"
         target_fname = "/usr/share/ipa/html/kerberosauth.xpi"
         shutil.copytree("/usr/share/ipa/ffextension", extdir)
-        db.run_signtool(["-k", "Signing-Cert",
-                            "-p", pwd,
-                            "-X", "-Z", target_fname,
-                            extdir])
+        if db.has_nickname('Signing-Cert'):
+            db.run_signtool(["-k", "Signing-Cert",
+                                "-p", pwd,
+                                "-X", "-Z", target_fname,
+                                extdir])
+        else:
+            root_logger.warning('Object-signing certificate was not found. '
+                'Creating unsigned Firefox configuration extension.')
+            filenames = os.listdir(extdir)
+            ipautil.run(['zip', '-r', target_fname] + filenames, cwd=extdir)
         shutil.rmtree(tmpdir)
         os.chmod(target_fname, 0644)
 
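Review bot: in the unsigned fallback, `ipautil.run(['zip', '-r', target_fname] + filenames, cwd=extdir)` writes into kerberosauth.xpi if that file already exists, because zip updates an existing archive instead of replacing it; with force=True over a previously signed .xpi, old entries (the signature files included) can survive next to the new ones. Remove target_fname before creating the archive. Smaller points in the same method: the password is read from db.passwd_fname before the has_nickname check although only the signtool branch uses it, so move that read into the `if` branch; shutil.rmtree(tmpdir) is skipped when signtool or zip raises, so wrap the work in try/finally; and the docstring still says "signed" although the result may now be unsigned.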
-- 
1.7.11.4

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
