Re: [Pki-devel] [pki-devel][PATCH] 0077-Make-starting-CRL-Number-configurable.patch

2016-07-27 Thread John Magne
Verbally acked by edewata thanks! :

pushed to master

Closing ticket: #2406



- Original Message -
> From: "John Magne" 
> To: "pki-devel" 
> Sent: Wednesday, July 27, 2016 11:53:34 AM
> Subject: [Pki-devel] [pki-devel][PATCH] 0077-Make-starting-CRL-Number-configurable.patch
> 
> Make starting CRL Number configurable.
> 
> Ticket #2406 Make starting CRL Number configurable
> 
> This simple patch provides a pkispawn config param that passes
> some starting crl number value to the config process.
> 
> Here is a sample:
> 
> [CA]
> pki_ca_starting_crl_number=4000
> 
> After the CA comes up the value of "crlNumber" in the db will
> reflect that value of 4000.
> 
> Currently no other values are changed. We can talk about if we
> need more values reset in the given case.
> 
> Also, this creates a setting in the CS.cfg
> 
> ca.crl.MasterCrl.startingCrlNumber=4000
> 
> This setting is only consulted when the CRL Issuing Point record is
> created for the first time.
> 
> ___
> Pki-devel mailing list
> Pki-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

___
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel


Re: [Pki-devel] [PATCH] Fix NumberFormatException for tps-cert-find when given non integer value to size and start option

2016-07-27 Thread Endi Sukma Dewata

Geetika,

Yes, more info would be helpful. I have some comments below.

On 7/27/2016 7:37 AM, Geetika Kapoor wrote:

> Hi,
>
> I tried to fix NumberFormatException when I did tps-cert-find with
> non-integer/invalid range values for size and start. I was doing testing
> for tps-cert and then I came across this. I thought of giving some
> additional info to users in place of NumberFormatException. I have done a
> similar fix on rhel7, compiled it, made a jar and tested on rhel7. I can
> share that patch if needed. Below are the test results.
>
> Before fix testing:
>
> 1. pki -h pki1.example.com -p 25080 tps-cert-find --start "gy"
> NumberFormatException: For input string: "gy"
>
> 2. pki -h pki1.example.com -p 25080 tps-cert-find --size "gy"
> NumberFormatException: For input string: "gy"
>
> 3. pki -p 25080 tps-cert-find --start
> 178999
> NumberFormatException: For input string:
> "178999"
>
>
> After fix testing:
>
> 1. [root@pki1 ~]# pki -d /opt/rhqa_pki/certdb -c Secret123 -h
> pki1.example.com -p 25080 tps-cert-find --start "gy"
> Error: Enter valid integer value for size/start option
> usage: tps-cert-find [FILTER] [OPTIONS...]
>     --help       Show help options
>     --size       Page size
>     --start      Page start
>     --token      Token ID

I think it would be useful to show the user which parameter has the 
invalid value and also the invalid value itself, so something like this:


Error: Invalid value for --start parameter: gy


> 2. [root@pki1 ~]# pki -d /opt/rhqa_pki/certdb -c Secret123 -h
> pki1.example.com -p 25080 tps-cert-find --size "hy"
> Error: Enter valid integer value for size/start option
> usage: tps-cert-find [FILTER] [OPTIONS...]
>     --help       Show help options
>     --size       Page size
>     --start      Page start
>     --token      Token ID


Same thing here:

Error: Invalid value for --size parameter: hy

So you may need to create separate try-catch blocks for each parameter.

Another thing, I'm not sure if we should display the command usage after 
the failure. The usage could be very long and it may obscure the error 
message. The error message itself should be sufficient to fix the 
problem, and if needed the user can see the usage using --help 
parameter. We probably can display something like this after the error 
message (replace  with the actual command name):


Try 'pki  --help' for more information.

One more thing, please preserve the formatting of the existing code. We 
use 4 spaces instead of tabs for indentation. Thanks.


--
Endi S. Dewata


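The per-option validation the review above asks for, as an added example that is not part of the pki project or of this thread: it is written in Python rather than the Java of TPSCertFindCLI, parses --start and --size independently so the error names the offending option and echoes its value, mirrors the 32-bit range of Java's Integer.valueOf (an assumption about the CLI being mirrored), and prints a --help hint instead of the whole usage text. The `run`, `parse_paging_options`, `parse_int_option` and `InvalidOptionValue` names are the example's own.

```python
import re

# Java's Integer.valueOf accepts only 32-bit signed values (assumption about
# the CLI being mirrored here); anything larger is reported as out of range.
INT_MAX = 2 ** 31 - 1
INT_PATTERN = re.compile(r"[+-]?[0-9]+")


class InvalidOptionValue(ValueError):
    """Carries the option name and the rejected value so the message names both."""

    def __init__(self, option, value, reason):
        super().__init__("Invalid value for --%s parameter: %s" % (option, value))
        self.option = option
        self.value = value
        self.reason = reason


def parse_int_option(option, value, minimum):
    """Parse one option on its own, so a failure is attributed to that option."""
    if value is None:            # option not given: caller keeps its default
        return None
    # fullmatch rejects what int() would quietly accept: whitespace, '1_000'
    if not INT_PATTERN.fullmatch(value):
        raise InvalidOptionValue(option, value, "not an integer")
    number = int(value, 10)
    if number > INT_MAX or number < minimum:
        raise InvalidOptionValue(option, value, "out of range")
    return number


def parse_paging_options(options):
    """options: dict of option name -> raw string. Returns (start, size)."""
    start = parse_int_option("start", options.get("start"), minimum=0)
    size = parse_int_option("size", options.get("size"), minimum=1)
    return start, size


def format_error(command, exc):
    """One-line error plus a --help hint, instead of dumping the whole usage."""
    return "Error: %s\nTry 'pki %s --help' for more information." % (exc, command)


def run(command, options):
    """Return (exit_code, message); exit code 1 and a message on bad input."""
    try:
        start, size = parse_paging_options(options)
    except InvalidOptionValue as e:
        return 1, format_error(command, e)
    return 0, "start=%s size=%s" % (start, size)


if __name__ == "__main__":
    # Constructed inputs matching the cases reported in the thread.
    for opts in ({"start": "gy"}, {"size": "hy"}, {"start": "1", "size": "1"}):
        code, msg = run("tps-cert-find", opts)
        print(code, msg)
```

Because each option is parsed in its own call, the message can only ever name the option that actually failed, and a parse failure from anywhere else in the command is no longer mistaken for a bad --start or --size.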

[Pki-devel] [PATCH] 803 Fixed SELinux contexts.

2016-07-27 Thread Endi Sukma Dewata

The deployment tool has been modified to set up SELinux contexts
after all instance files have been created to ensure they have the
correct contexts.

An upgrade script has been added to fix existing instances.

https://fedorahosted.org/pki/ticket/2421

--
Endi S. Dewata
From e82d59dd702390111ee7b9bd2aab512e2c850aeb Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Wed, 27 Jul 2016 19:51:37 +0200
Subject: [PATCH] Fixed SELinux contexts.

The deployment tool has been modified to set up SELinux contexts
after all instance files have been created to ensure they have the
correct contexts.

An upgrade script has been added to fix existing instances.

https://fedorahosted.org/pki/ticket/2421
---
 base/server/etc/default.cfg  |  2 +-
 base/server/python/pki/server/__init__.py|  7 -
 base/server/upgrade/10.3.5/02-FixSELinuxContexts | 36 
 3 files changed, 43 insertions(+), 2 deletions(-)
 create mode 100644 base/server/upgrade/10.3.5/02-FixSELinuxContexts

diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
index 4919cb46d0088d29cb23fea179469a822f60bac7..8504c5129f9494457b7591e099bdcf1b0ff1b66c 100644
--- a/base/server/etc/default.cfg
+++ b/base/server/etc/default.cfg
@@ -39,10 +39,10 @@ spawn_scriplets=
 infrastructure_layout
 instance_layout
 subsystem_layout
-selinux_setup
 webapp_deployment
 slot_substitution
 security_databases
+selinux_setup
 configuration
 finalization
 
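Review bot: moving `selinux_setup` after `security_databases` labels the NSS database files that scriptlet creates, but `configuration` and `finalization` still run after the relabel; the commit message says contexts are set "after all instance files have been created", so either confirm that neither of those two scriptlets writes files, or move `selinux_setup` to just before `finalization` so nothing created later is left mislabeled.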
diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
index 03bb225dca48b396c342af50fab421491d052622..13b3258580e6536cea2b99ad9955ae8ff2e32de5 100644
--- a/base/server/python/pki/server/__init__.py
+++ b/base/server/python/pki/server/__init__.py
@@ -39,7 +39,10 @@ import pki.nssdb
 import pki.util
 
 INSTANCE_BASE_DIR = '/var/lib/pki'
+CONFIG_BASE_DIR = '/etc/pki'
+LOG_BASE_DIR = '/var/log/pki'
 REGISTRY_DIR = '/etc/sysconfig/pki'
+
 SUBSYSTEM_TYPES = ['ca', 'kra', 'ocsp', 'tks', 'tps']
 SUBSYSTEM_CLASSES = {}
 
@@ -476,7 +479,9 @@ class PKIInstance(object):
 else:
 self.base_dir = os.path.join(pki.BASE_DIR, name)
 
-self.conf_dir = os.path.join(self.base_dir, 'conf')
+self.conf_dir = os.path.join(CONFIG_BASE_DIR, name)
+self.log_dir = os.path.join(LOG_BASE_DIR, name)
+
 self.password_conf = os.path.join(self.conf_dir, 'password.conf')
 self.external_certs_conf = os.path.join(
 self.conf_dir, 'external_certs.conf')
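Review bot: `self.conf_dir` changes here from `<base_dir>/conf` to `/etc/pki/<name>`, which affects every caller of `conf_dir` (including `password_conf` and `external_certs_conf` in the same hunk), not just the SELinux fix, and the commit message does not mention it; state in the message whether the two paths are the same location on a deployed instance, and if they are not, keep `self.conf_dir` unchanged and use the new `/etc/pki/<name>` path only for the relabel.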
diff --git a/base/server/upgrade/10.3.5/02-FixSELinuxContexts b/base/server/upgrade/10.3.5/02-FixSELinuxContexts
new file mode 100644
index ..f3d981efac5d69515387b424ac6e04733f5e3a7d
--- /dev/null
+++ b/base/server/upgrade/10.3.5/02-FixSELinuxContexts
@@ -0,0 +1,36 @@
+#!/usr/bin/python
+# Authors:
+# Endi S. Dewata 
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2016 Red Hat, Inc.
+# All rights reserved.
+
+from __future__ import absolute_import
+import selinux
+import pki.server.upgrade
+
+
+class FixSELinuxContexts(pki.server.upgrade.PKIServerUpgradeScriptlet):
+
+def __init__(self):
+super(FixSELinuxContexts, self).__init__()
+self.message = 'Fix SELinux contexts'
+
+def upgrade_instance(self, instance):
+
+selinux.restorecon(instance.base_dir, True)
+selinux.restorecon(instance.conf_dir, True)
+selinux.restorecon(instance.log_dir, True)
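Review bot: `upgrade_instance` calls `selinux.restorecon` unconditionally, so on a host where SELinux is disabled (or where the libselinux Python bindings are absent, which already makes the top-level `import selinux` fail) this scriptlet raises and aborts the whole upgrade run for an instance that has no contexts to fix. Guard the three calls with `selinux.is_selinux_enabled()` and catch `OSError` from `restorecon` so a missing `conf_dir` or `log_dir` is reported rather than fatal; the second positional argument `True` would also read better as `recursive=True`.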
-- 
2.5.5


[Pki-devel] [PATCH] 802 Added upgrade scripts to fix server library.

2016-07-27 Thread Endi Sukma Dewata

An upgrade script has been added to replace the /common
in existing instances with a link to /usr/share/pki/server/common
which contains links to server dependencies.

https://fedorahosted.org/pki/ticket/2403

--
Endi S. Dewata
From d9f054449015c69e93eb2cdad6377c7073e97812 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Sun, 24 Jul 2016 07:36:36 +0200
Subject: [PATCH] Added upgrade scripts to fix server library.

An upgrade script has been added to replace the /common
in existing instances with a link to /usr/share/pki/server/common
which contains links to server dependencies.

https://fedorahosted.org/pki/ticket/2403
---
 base/common/upgrade/10.3.4/.gitignore  |  4 +++
 base/common/upgrade/10.3.5/.gitignore  |  4 +++
 base/server/upgrade/10.3.4/.gitignore  |  4 +++
 base/server/upgrade/10.3.5/01-FixServerLibrary | 46 ++
 4 files changed, 58 insertions(+)
 create mode 100644 base/common/upgrade/10.3.4/.gitignore
 create mode 100644 base/common/upgrade/10.3.5/.gitignore
 create mode 100644 base/server/upgrade/10.3.4/.gitignore
 create mode 100644 base/server/upgrade/10.3.5/01-FixServerLibrary

diff --git a/base/common/upgrade/10.3.4/.gitignore b/base/common/upgrade/10.3.4/.gitignore
new file mode 100644
index ..5e7d2734cfc60289debf74293817c0a8f572ff32
--- /dev/null
+++ b/base/common/upgrade/10.3.4/.gitignore
@@ -0,0 +1,4 @@
+# Ignore everything in this directory
+*
+# Except this file
+!.gitignore
diff --git a/base/common/upgrade/10.3.5/.gitignore b/base/common/upgrade/10.3.5/.gitignore
new file mode 100644
index ..5e7d2734cfc60289debf74293817c0a8f572ff32
--- /dev/null
+++ b/base/common/upgrade/10.3.5/.gitignore
@@ -0,0 +1,4 @@
+# Ignore everything in this directory
+*
+# Except this file
+!.gitignore
diff --git a/base/server/upgrade/10.3.4/.gitignore b/base/server/upgrade/10.3.4/.gitignore
new file mode 100644
index ..5e7d2734cfc60289debf74293817c0a8f572ff32
--- /dev/null
+++ b/base/server/upgrade/10.3.4/.gitignore
@@ -0,0 +1,4 @@
+# Ignore everything in this directory
+*
+# Except this file
+!.gitignore
diff --git a/base/server/upgrade/10.3.5/01-FixServerLibrary b/base/server/upgrade/10.3.5/01-FixServerLibrary
new file mode 100644
index ..79d496559ba1e1cb02ea5f0d02364dd230a6f4d5
--- /dev/null
+++ b/base/server/upgrade/10.3.5/01-FixServerLibrary
@@ -0,0 +1,46 @@
+#!/usr/bin/python
+# Authors:
+# Endi S. Dewata 
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2016 Red Hat, Inc.
+# All rights reserved.
+
+from __future__ import absolute_import
+import os.path
+import shutil
+import pki.server.upgrade
+
+
+class FixServerLibrary(pki.server.upgrade.PKIServerUpgradeScriptlet):
+
+def __init__(self):
+super(FixServerLibrary, self).__init__()
+self.message = 'Fix server library'
+
+def upgrade_instance(self, instance):
+
+common_dir = os.path.join(instance.base_dir, 'common')
+
+# if /common is already a link, skip
+if os.path.islink(common_dir):
+return
+
+# remove old /common
+shutil.rmtree(common_dir)
+
+# link /common to /usr/share/pki/server/common
+os.symlink('/usr/share/pki/server/common', common_dir)
+os.lchown(common_dir, instance.uid, instance.gid)
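Review bot: the `shutil.rmtree(common_dir)` near the end of the hunk deletes the instance's `common` directory before the link exists and without checking that `/usr/share/pki/server/common` is present, so if `os.symlink` then fails, or the target is missing, the instance is left with no `common` at all; the scriptlet is also not safely re-runnable, since the `islink` check at the top covers only the success path and a missing `common_dir` makes `rmtree` raise. Suggest verifying the target with `os.path.isdir`, renaming the old directory aside, and removing it only after the new link resolves.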
-- 
2.5.5


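A safer form of the directory-to-symlink replacement the upgrade scriptlet above performs, as an added example that is not the project's code: the link target must exist before anything is touched, a missing `common` directory is not an error, the old directory is moved aside and deleted only once the new link resolves, and any failure puts it back. The `link_common_dir` and `demo` names and the `.upgrade-backup` suffix are the example's own; `demo` builds a constructed instance layout in a temporary directory and returns what it observed.

```python
import os
import shutil
import tempfile


def link_common_dir(base_dir, target, uid=None, gid=None):
    """Replace <base_dir>/common with a symlink to target.

    Returns 'already-linked' or 'linked'; raises and leaves the old
    directory in place if the target is missing or the link cannot be made.
    """
    common_dir = os.path.join(base_dir, "common")

    # Converted by an earlier run: nothing to do, so the scriptlet is idempotent.
    if os.path.islink(common_dir):
        return "already-linked"

    # Refuse to leave a dangling link behind when the shared library dir is absent.
    if not os.path.isdir(target):
        raise FileNotFoundError("link target missing: %s" % target)

    backup = common_dir + ".upgrade-backup"
    had_old_dir = os.path.isdir(common_dir)
    if had_old_dir:
        if os.path.exists(backup):      # leftover from an interrupted run
            shutil.rmtree(backup)
        os.rename(common_dir, backup)   # move aside; do not delete yet

    try:
        os.symlink(target, common_dir)
        if uid is not None and gid is not None:
            os.lchown(common_dir, uid, gid)
        # Verify the link resolves before discarding the old content.
        if not os.path.isdir(common_dir):
            raise OSError("new link does not resolve: %s" % common_dir)
    except Exception:
        # Roll back: drop the half-made link and restore the old directory.
        if os.path.islink(common_dir):
            os.unlink(common_dir)
        if had_old_dir and os.path.isdir(backup):
            os.rename(backup, common_dir)
        raise

    if had_old_dir:
        shutil.rmtree(backup)
    return "linked"


def demo():
    """Constructed scenario: missing target, then successful link, then re-run."""
    root = tempfile.mkdtemp()
    try:
        target = os.path.join(root, "usr-share-common")   # stands in for /usr/share/pki/server/common
        base_dir = os.path.join(root, "instance")
        old_jar = os.path.join(base_dir, "common", "old.jar")
        os.makedirs(os.path.dirname(old_jar))
        with open(old_jar, "w") as f:
            f.write("stale")
        results = []
        # 1. target missing: refused, and the old directory must be untouched
        try:
            link_common_dir(base_dir, target)
            results.append("unexpected")
        except FileNotFoundError:
            results.append(os.path.isfile(old_jar))
        # 2. target present: linked, old content and backup both gone
        os.makedirs(target)
        results.append(link_common_dir(base_dir, target))
        results.append(os.path.islink(os.path.join(base_dir, "common")))
        results.append(os.path.exists(os.path.join(base_dir, "common.upgrade-backup")))
        # 3. second run is a no-op
        results.append(link_common_dir(base_dir, target))
        return tuple(results)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

The ownership change is optional here so the scenario runs unprivileged; a real scriptlet would pass the instance's uid and gid as the patch does.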
[Pki-devel] [PATCH] Fix NumberFormatException for tps-cert-find when given non integer value to size and start option

2016-07-27 Thread Geetika Kapoor
Hi,

I tried to fix NumberFormatException when I did tps-cert-find with
non-integer/invalid range values for size and start. I was doing testing
for tps-cert and then I came across this. I thought of giving some
additional info to users in place of NumberFormatException. I have done a
similar fix on rhel7, compiled it, made a jar and tested on rhel7. I can
share that patch if needed. Below are the test results.

Before fix testing:

1. pki -h pki1.example.com -p 25080 tps-cert-find --start "gy"
NumberFormatException: For input string: "gy"

2. pki -h pki1.example.com -p 25080 tps-cert-find --size "gy"
NumberFormatException: For input string: "gy"

3. pki -p 25080 tps-cert-find --start
178999
NumberFormatException: For input string:
"178999"


After fix testing:

1. [root@pki1 ~]# pki -d /opt/rhqa_pki/certdb -c Secret123 -h
pki1.example.com -p 25080 tps-cert-find --start "gy"
Error: Enter valid integer value for size/start option
usage: tps-cert-find [FILTER] [OPTIONS...]
    --help       Show help options
    --size       Page size
    --start      Page start
    --token      Token ID

2. [root@pki1 ~]# pki -d /opt/rhqa_pki/certdb -c Secret123 -h
pki1.example.com -p 25080 tps-cert-find --size "hy"
Error: Enter valid integer value for size/start option
usage: tps-cert-find [FILTER] [OPTIONS...]
    --help       Show help options
    --size       Page size
    --start      Page start
    --token      Token ID

3. [root@pki1 ~]# pki -d /opt/rhqa_pki/certdb -c Secret123 -h
pki1.example.com -p 25080 tps-cert-find --start 1
-
2 entries matched
-
  Cert ID: 3d.20160720042931
  Serial Number: 0x3d
  Subject: UID=ldapuser7,O=Token Key User
  Token ID: 40906145C76224192D78
  Key Type: encryption
  Status: active
  User ID: ldapuser7
  Create Time: Wed Jul 20 04:29:31 EDT 2016

Number of entries returned 1


4. [root@pki1 ~]# pki -d /opt/rhqa_pki/certdb -c Secret123 -h
pki1.example.com -p 25080 tps-cert-find --size 1
-
2 entries matched
-
  Cert ID: 3c.20160720042931
  Serial Number: 0x3c
  Subject: UID=ldapuser7,O=Token Key User
  Token ID: 40906145C76224192D78
  Key Type: signing
  Status: active
  User ID: ldapuser7
  Create Time: Wed Jul 20 04:29:31 EDT 2016

Number of entries returned 1


5. [root@pki1 cert]# pki -d /opt/rhqa_pki/certdb -c Secret123 -h
pki1.example.com -p 25080 tps-cert-find --start
178999
Error: Enter valid integer value for size/start option
usage: tps-cert-find [FILTER] [OPTIONS...]
    --help       Show help options
    --size       Page size
    --start      Page start
    --token      Token ID

Thanks
Geetika
From 6ed113a347f392c5237c59f4e3b7bda71dd1aee3 Mon Sep 17 00:00:00 2001
From: Geetika Kapoor 
Date: Wed, 27 Jul 2016 08:15:59 -0400
Subject: [PATCH] Added logging inplace of NumberFormatException for tps-cert
 size and start

Signed-off-by: Geetika Kapoor 
---
 .../netscape/cmstools/tps/cert/TPSCertFindCLI.java | 54 +++---
 1 file changed, 28 insertions(+), 26 deletions(-)

diff --git a/base/java-tools/src/com/netscape/cmstools/tps/cert/TPSCertFindCLI.java b/base/java-tools/src/com/netscape/cmstools/tps/cert/TPSCertFindCLI.java
index 9cbdad6da5ea26a618c8fda05a575ced9b4942d0..ec03c1a0e923453da8ed2c1141792f29c00c3616 100644
--- a/base/java-tools/src/com/netscape/cmstools/tps/cert/TPSCertFindCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/tps/cert/TPSCertFindCLI.java
@@ -84,32 +84,34 @@ public class TPSCertFindCLI extends CLI {
 String filter = cmdArgs.length > 0 ? cmdArgs[0] : null;
 
 String tokenID = cmd.getOptionValue("token");
-
-String s = cmd.getOptionValue("start");
-Integer start = s == null ? null : Integer.valueOf(s);
-
-s = cmd.getOptionValue("size");
-Integer size = s == null ? null : Integer.valueOf(s);
-
-TPSCertCollection result = certCLI.certClient.findCerts(filter, tokenID, start, size);
-
-MainCLI.printMessage(result.getTotal() + " entries matched");
-if (result.getTotal() == 0) return;
-
-Collection certs = result.getEntries();
-boolean first = true;
-
-for (TPSCertData certData : certs) {
-
-if (first) {
-first = false;
-} else {
-System.out.println();
-}
-
-TPSCertCLI.printCert(certData);
+try {
+
+   	String s = cmd.getOptionValue("start");
+Integer start = s == null ? null : Integer.valueOf(s);
+	s = cmd.getOptionValue("size");
+Integer size = s == null ? null : Integer.valueOf(s);
+TPSCertCollection result = certCLI.certClient.findCerts(filter, tokenID, start, size);
+
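Review bot: the `try` opened at the end of this hunk encloses both `Integer.valueOf` calls and the `findCerts` call, so whatever catch follows cannot tell which option was bad and would also attribute a NumberFormatException thrown inside the client call to the size/start options; parse `--start` and `--size` in separate try blocks, each reporting its own option name and the rejected value (for example `Error: Invalid value for --start parameter: gy`). The line `+   \tString s = cmd.getOptionValue("start");` also mixes a tab into the indentation while the surrounding lines use four spaces.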