On 08/18/2014 07:36 PM, Ade Lee wrote:
[...]

> After discussion with Endi, I also removed some functions in dogtag.py
> (the plugin) which basically just wrapped calls to the keyclient.  There
> is no need to do this wrapping and it is much more flexible for IPA code
> to call the keyclient directly.  Accordingly, I have added a method to
> get the keyclient.  Your test code would look like this now:
>
>         from ipalib import api
>         from pki.key import KeyClient
>         api.bootstrap(context='server')
>         api.finalize()
>         keyclient = api.Backend.kra.get_keyclient()
>         keyclient.archive_key('test', KeyClient.PASS_PHRASE_TYPE, 'tkey')
>
> I added a couple of directives in the proxy file to allow it to progress
> further and it now fails in trying to do the archive_key due to
> authentication issues.
>
> It was never the intention of this patch to get the plugin completely
> working though.  That was the goal of a follow on patch being written by
> Endi.  This patch is already pretty long and touches a lot of code.  I
> propose we let Endi fix the above issue.

I understand. However, I don't know another way to do a functional test.
Without the plugin the best I can do is look if there are some extra entries in DS, and since I don't know KRA internals I can't check if they're correct.

With the above script, I get:

>>> from ipalib import api
>>> from pki.key import KeyClient
>>> api.bootstrap(context='server')
>>> api.finalize()
>>> keyclient = api.Backend.kra.get_keyclient()
>>>
>>> keyclient.archive_key('test', KeyClient.PASS_PHRASE_TYPE,'tkey')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/pki/__init__.py", line 253, in handler
    return fn_call(inst, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/pki/key.py", line 616, in archive_key
    key_size=key_size)
  File "/usr/lib/python2.7/site-packages/pki/__init__.py", line 253, in handler
    return fn_call(inst, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/pki/key.py", line 669, in archive_encrypted_data
    return self.create_request(request)
  File "/usr/lib/python2.7/site-packages/pki/__init__.py", line 253, in handler
    return fn_call(inst, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/pki/key.py", line 527, in create_request
    response = self.connection.post(url, key_request, self.headers)
  File "/usr/lib/python2.7/site-packages/pki/client.py", line 70, in post
    params=params)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 377, in post
    return self.request('POST', url, data=data, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 335, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 438, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 331, in send
    raise SSLError(e)
requests.exceptions.SSLError: [Errno 1] _ssl.c:1419: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message


> I have squashed the drm-> kra changes and created just a single patch,
> which is attached.  This is the only patch needed.

I didn't find any issues except the error above.

> I'm also starting a new COPR build, just to be sure we all have the most
> up-to-date dogtag build.

Things are working nicely for the most part. However, I still did manage to break my installation:


- Install master and replica, both with CA and KRA
- Remove KRA on both hosts

At this point, trying to install KRA on the replica fails:

$ sudo ipa-kra-install replica-info-file.gpg
Usage: ipa-kra-install [options] [replica_file]

ipa-kra-install: error: Too many parameters provided. No replica file is required.
$ sudo ipa-kra-install
Directory Manager password:


===================================================================
This program will setup Dogtag KRA for the FreeIPA Server.


Configuring KRA server (pki-tomcatd): Estimated time 2 minutes 6 seconds
  [1/5]: configuring KRA instance
failed to configure KRA instance Command ''/usr/sbin/pkispawn' '-s' 'KRA' '-f' '/tmp/tmp_FKfkR'' returned non-zero exit status 1

Your system may be partly configured.
Run ipa-kra-install --uninstall to clean up.

Configuration of KRA failed


This seems to cripple the installation: ipa-kra-install --uninstall will complain that KRA is not installed. Also, ipa-kra-install on the master will complain that it wasn't given a replica file.

I understand this is an edge case, but we should handle it if we support uninstallation. I'd be okay with disabling --uninstall for now and filing a ticket for later. (After all, ipa-ca-install doesn't have --uninstall at all.)

--
Petr³

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel