[Pki-devel] [PATCH] 0124 Add profiles container to LDAP if missing

2016-06-22 Thread Fraser Tweedale
The attached patch fixes https://fedorahosted.org/pki/ticket/2285.
See commit message and bz1323400[1] for full history and details.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1323400

The fix should be merged to master and DOGTAG_10_2_BRANCH, and a new
10.2.x release cut for f23.

I have an f23 COPR build containing the fix for anyone wishing to
test:
https://copr.fedorainfracloud.org/coprs/ftweedal/freeipa/packages/

Huge props to Adam Williamson for doing a lot of legwork in tracking
down the cause of this issue.

Thanks,
Fraser
From 4cbaf297690bf95fffc864cb109bdd6ae49c9dc3 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Wed, 22 Jun 2016 13:34:01 +1000
Subject: [PATCH] Add profiles container to LDAP if missing

CMS startup was changed a while back to wait for
LDAPProfileSubsystem initialisation, while LDAPProfileSubsystem
initialisation waits for all known profiles to be loaded by the LDAP
persistent search thread.  If the ou=certificateProfiles container
object does not exist, startup hangs.

This can cause a race condition in FreeIPA upgrade.  FreeIPA
switches the Dogtag instance to the LDAPProfileSubsystem and
restarts it.  The restart fails because the container object does
not get added until after the restart.

Update LDAPProfileSubsystem to add the container object itself, if
it is missing, before commencing the persistent search.

Fixes: https://fedorahosted.org/pki/ticket/2285
---
 .../cmscore/profile/LDAPProfileSubsystem.java | 19 +++
 1 file changed, 19 insertions(+)

diff --git 
a/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java
 
b/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java
index 
28b34cda889cc6c2eba4fc3392863df36717fa14..6dea1a0d88beaefeea489ea58ad9ad13d2da8bd7
 100644
--- 
a/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java
+++ 
b/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java
@@ -27,6 +27,7 @@ import java.util.TreeSet;
 import java.util.concurrent.CountDownLatch;
 
 import netscape.ldap.LDAPAttribute;
+import netscape.ldap.LDAPAttributeSet;
 import netscape.ldap.LDAPConnection;
 import netscape.ldap.LDAPDN;
 import netscape.ldap.LDAPEntry;
@@ -400,6 +401,23 @@ public class LDAPProfileSubsystem
 initialLoadDone.countDown();
 }
 
+private void ensureProfilesOU(LDAPConnection conn) throws LDAPException {
+try {
+conn.search(dn, LDAPConnection.SCOPE_BASE, "(objectclass=*)", 
null, false);
+} catch (LDAPException e) {
+if (e.getLDAPResultCode() == LDAPException.NO_SUCH_OBJECT) {
+CMS.debug("Adding LDAP certificate profiles container");
+LDAPAttribute[] attrs = {
+new LDAPAttribute("objectClass", "organizationalUnit"),
+new LDAPAttribute("ou", "certificateProfiles")
+};
+LDAPAttributeSet attrSet = new LDAPAttributeSet(attrs);
+LDAPEntry entry = new LDAPEntry(dn, attrSet);
+conn.add(entry);
+}
+}
+}
+
 public void run() {
 int op = LDAPPersistSearchControl.ADD
 | LDAPPersistSearchControl.MODIFY
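Review bot: In ensureProfilesOU the catch block only acts when the result code is NO_SUCH_OBJECT; every other LDAPException from the base search (insufficient access, a connection failure) is silently swallowed even though the method is declared `throws LDAPException`, so run() would then start the persistent search against a container whose existence was never confirmed. Add an `else { throw e; }` (or log and rethrow). The `conn.add(entry)` can also race with the FreeIPA upgrade that, per the commit message, adds the same entry shortly afterwards; treat `LDAPException.ENTRY_ALREADY_EXISTS` from the add as success rather than letting it propagate out of startup. Minor: the LDAPSearchResults returned by `conn.search` is never read; harmless for a base-scope probe, but a comment saying the result is intentionally ignored would help the next reader.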
@@ -416,6 +434,7 @@ public class LDAPProfileSubsystem
 forgetAllProfiles();
 try {
 conn = dbFactory.getConn();
+ensureProfilesOU(conn);
 LDAPSearchConstraints cons = conn.getSearchConstraints();
 cons.setServerControls(persistCtrl);
 cons.setBatchSize(1);
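Review bot: `ensureProfilesOU(conn)` now runs on every pass through this retry loop and performs a write using the connection from dbFactory; if that bind identity lacks add rights on the parent entry the add will fail on each iteration. The catch handling for this try block is outside the hunk, so please confirm that an LDAPException raised here is logged with its result code rather than reproducing the silent startup hang this patch is meant to fix.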
-- 
2.5.5

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

[Pki-devel] [PATCH] Added --token-password in pki-server instance-externalcert-add / del command.

2016-06-22 Thread Amol Kahat

Hi,

Please review this patch.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1348531

Thanks
Amol K
From d0e514e4f3c96ce5f8c6dba9efc05aaa819d94e6 Mon Sep 17 00:00:00 2001
From: Amol Kahat 
Date: Wed, 22 Jun 2016 13:36:33 +0530
Subject: [PATCH] Added --token-password option in pki-server-externalcert-add
 / del command.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1348531
---
 base/server/python/pki/server/cli/instance.py | 76 ++-
 1 file changed, 63 insertions(+), 13 deletions(-)

diff --git a/base/server/python/pki/server/cli/instance.py b/base/server/python/pki/server/cli/instance.py
index b2b31e1b806162caf74277504cfb08f79810a3ef..0cf60cb8a2db615aa1f5e987c5f5621b934a5981 100644
--- a/base/server/python/pki/server/cli/instance.py
+++ b/base/server/python/pki/server/cli/instance.py
@@ -629,6 +629,7 @@ class InstanceExternalCertAddCLI(pki.cli.CLI):
 print('  --trust-args   Trust args (default \",,\").')
 print('  --nickname   Nickname to be used.')
 print('  --tokenToken (default: internal).')
+print('  --token-password Token password.')
 print('  -v, --verbose  Run in verbose mode.')
 print('  --help Show help message.')
 print()
@@ -636,8 +637,8 @@ class InstanceExternalCertAddCLI(pki.cli.CLI):
 def execute(self, argv):
 try:
 opts, _ = getopt.gnu_getopt(argv, 'i:v', [
-'instance=',
-'cert-file=', 'trust-args=', 'nickname=','token=',
+'instance=', 'cert-file=', 'trust-args=',
+'nickname=','token=', 'token-password=',
 'verbose', 'help'])
 
 except getopt.GetoptError as e:
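Review bot: Style: the added line `'nickname=','token=', 'token-password=',` carries over the missing space after the first comma from the removed line; write `'nickname=', 'token=', 'token-password=',` so the list is formatted consistently.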
@@ -650,6 +651,7 @@ class InstanceExternalCertAddCLI(pki.cli.CLI):
 trust_args = '\",,\"'
 nickname = None
 token = 'internal'
+token_password = None
 
 for o, a in opts:
 if o in ('-i', '--instance'):
@@ -667,6 +669,9 @@ class InstanceExternalCertAddCLI(pki.cli.CLI):
 elif o == '--token':
 token = a
 
+elif o == '--token-password':
+token_password = a
+
 elif o in ('-v', '--verbose'):
 self.set_verbose(True)
 
@@ -683,12 +688,27 @@ class InstanceExternalCertAddCLI(pki.cli.CLI):
 print('ERROR: missing input file containing certificate')
 self.print_help()
 sys.exit(1)
+
+if os.path.isfile(cert_file):
+pass
+
+else:
+print('ERROR: Invalid certificate file, no such file or directory.')
+sys.exit(1)
 
 if not nickname:
 print('ERROR: missing nickname')
 self.print_help()
 sys.exit(1)
 
+if token is 'internal' and token_password is None:
+pass
+
+elif token is not 'internal' and token_password is None:
+print('ERROR: Specify token password')
+self.print_help()
+sys.exit(1)
+
 instance = pki.server.PKIInstance(instance_name)
 
 if instance.is_valid():
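Review bot: The two new checks are written as `if ...: pass` / `else:` and `if ...: pass` / `elif ...:` chains, and the token checks use `is` / `is not` against a string literal, which compares object identity rather than value and is not reliable for a `--token` value read from argv. Collapse them to `if not os.path.isfile(cert_file):` and `if token != 'internal' and token_password is None:`. Please also confirm `os` is imported in this module, since the hunk does not add the import. Finally, refusing to continue without --token-password for a non-internal token contradicts the fallback added to import_certs in the next hunk, which calls `instance.get_password(token)` when no password is given; keep one behaviour or the other.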
@@ -703,14 +723,23 @@ class InstanceExternalCertAddCLI(pki.cli.CLI):
 sys.exit(1)
 
 nicks = self.import_certs(
-instance, cert_file, nickname, token, trust_args)
-self.update_instance_config(instance, nicks, token)
+instance, cert_file, nickname, token, trust_args, token_password)
+
+try:
+self.update_instance_config(instance, nicks, token)
 
-self.print_message('Certificate imported for instance %s.' %
+self.print_message('Certificate imported for instance %s.' %
instance_name)
+except:
+print('ERROR: Failed to run pki-server instance-externalcert-add command')
+sys.exit(1)
+
+def import_certs(self, instance, cert_file, nickname, token, trust_args, token_password):
+if not token_password:
+password = instance.get_password(token)
+else:
+password = token_password
 
-def import_certs(self, instance, cert_file, nickname, token, trust_args):
-password = instance.get_password(token)
 certdb = pki.nssdb.NSSDatabase(
 directory=instance.nssdb_dir,
 password=password,
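Review bot: The bare `except:` around update_instance_config catches everything, including SystemExit and KeyboardInterrupt, and discards the original exception, so a failure here prints only 'Failed to run pki-server instance-externalcert-add command' with no cause. Use `except Exception as e:` and include `e` in the message (or re-raise in verbose mode). By this point import_certs has already written the certificate into the NSS database, so a failure in update_instance_config leaves the instance half-updated; the message should say so, or the import should be undone. Separately, `--token-password` places the token password on the command line, where it is visible in the process list and shell history; consider also accepting a password file or an interactive prompt.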
@@ -737,6 +766,7 @@ class InstanceExternalCertDeleteCLI(pki.cli.CLI):
 print('  -i, --instanceInstance ID (default: pki-tomcat).')
 print('  --nickname   Nickname to be used.')
 print('  --tokenToken (default: internal).')
+print('  --token-password Token password.')
 print('  -v, --verbose  Run in verbose mode.')
 print('  --help Show help message.')
 print()
@@ -745,7 +775,7 

[Pki-devel] Updated External EPEL CentOS 7 COPR builds are now available . . .

2016-06-22 Thread Matthew Harmsen

An updated external EPEL CentOS 7 COPR repo is now available which contains 
Dogtag 10.3.3 builds:

  * https://copr.fedorainfracloud.org/coprs/g/pki/10.3.3/repo/epel-7/group_pki-10.3.3-epel-7.repo

    [group_pki-10.3.3]
    name=Copr repo for 10.3.3 owned by @pki
    baseurl=https://copr-be.cloud.fedoraproject.org/results/@pki/10.3.3/epel-7-$basearch/
    skip_if_unavailable=True
    gpgcheck=1
    gpgkey=https://copr-be.cloud.fedoraproject.org/results/@pki/10.3.3/pubkey.gpg
    enabled=1
    enabled_metadata=1

-- Matt

