Re: [Freeipa-devel] [PATCHES] 0086-0088 Generate Firefox extension on upgrades

2012-10-10 Thread Petr Viktorin

On 10/09/2012 06:01 PM, Petr Vobornik wrote:

On 10/09/2012 05:26 PM, Petr Viktorin wrote:

On 10/09/2012 05:16 PM, Petr Viktorin wrote:

https://fedorahosted.org/freeipa/ticket/3150


Patch 0086:
I found an old unused function while working on this, the patch
removes it.

Patch 0087:
Replica files generated on older masters don't contain the Firefox
extension files. Skip installing them in this case.

Patch 0088:
Servers upgraded from IPA 2.2 need the Firefox extension installed. This
is done in ipa-upgradeconfig if they're missing.
I made the setup_firefox_extension method independent of the
httpinstance state (which is mostly set in create_instance).
Similarly, the files are installed in ipa-replica-install if they're
missing (i.e. skipped by the previous patch).
If the Signing-Cert is not on this master, create an unsigned extension
using the zip command. I needed to add Popen's `cwd` argument to
ipautil.run() to get the right filenames out of zip.

The patches add copy_template_file and copy_file_if_exists utilities
I've written for some of my WIP patches, expect me to use them more when
I get time to work on the installer code.



In my previous mail I've attached an old version of patch 88. Please use
this one. Sorry!




nack

1) patch 83-01 doesn't apply.


There were conflicts with recent CRL and audit cert renewal patches. 
Rebased.



2) When pwd is supplied to setup_firefox_extension `db =
certs.CertDB(realm, subject_base=subject_base)` is skipped and therefore
`db.has_nickname` will fail.


Thanks for the catch, fixed.


--
Petr³
From 77c7a209ad4e803cf909a5fc5c747810a3163bb5 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Tue, 9 Oct 2012 04:10:06 -0400
Subject: [PATCH] ipa-upgradeconfig: Remove the upgrade_httpd_selinux function

This function was never called from anywhere.
---
 install/tools/ipa-upgradeconfig | 8 
 1 file changed, 8 deletions(-)

diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 4ed718a9b9faea0821db5642544e9bb1194dbce4..55b8bdeea07b8da2fb11c4c52c1d3b8b536e5467 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -304,14 +304,6 @@ def upgrade_ipa_profile(ca):
 
 return False
 
-def upgrade_httpd_selinux(fstore):
-
-Update SElinux configuration for httpd instance in the same way as the
-new server installation does.
-
-root_logger.info('[Verifying the Apache SELinux configuration]')
-http = httpinstance.HTTPInstance(fstore)
-http.configure_selinux_for_httpd()
 
 def named_enable_psearch():
 
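
Review bot: Removing upgrade_httpd_selinux() also removes the one visible call to http.configure_selinux_for_httpd() in this file context, and the commit message says only that the function was never called. Please add a sentence to the commit message on whether upgraded servers get the Apache SELinux settings some other way or do not need them, so the deletion is not read later as dropping a required upgrade step.
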
-- 
1.7.11.4

From 415eb7b717de70547a65f1530986c9e182be7b37 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Mon, 8 Oct 2012 08:02:55 -0400
Subject: [PATCH] replica-install: Don't copy Firefox config extension files
 if they're not in the replica file

This allows cloning from older masters.

https://fedorahosted.org/freeipa/ticket/3150
---
 install/tools/ipa-replica-install | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index c1679c723bc50fb318b4fa1a0ff10d6032c991b4..8f55d7578e93eb39b5a9848bc5e704e2a1ef34b6 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -207,8 +207,12 @@ def install_http(config, auto_redirect):
 try:
 shutil.copy(config.dir + /preferences.html, /usr/share/ipa/html/preferences.html)
 shutil.copy(config.dir + /configure.jar, /usr/share/ipa/html/configure.jar)
-shutil.copy(config.dir + /krb.js, /usr/share/ipa/html/krb.js)
-shutil.copy(config.dir + /kerberosauth.xpi, /usr/share/ipa/html/kerberosauth.xpi)
+if ipautil.file_exists(config.dir + /krb.js):
+shutil.copy(
+config.dir + /krb.js, /usr/share/ipa/html/krb.js)
+shutil.copy(
+config.dir + /kerberosauth.xpi,
+/usr/share/ipa/html/kerberosauth.xpi)
 except Exception, e:
 print error copying files:  + str(e)
 sys.exit(1)
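
Review bot: The new guard tests only config.dir + /krb.js, yet the copy of kerberosauth.xpi appears to sit under the same condition. A replica file that carries krb.js but not kerberosauth.xpi would still raise inside shutil.copy and end in sys.exit(1), which is the failure this patch sets out to avoid. Check each file before copying it (or test both in the condition), and log when the files are skipped so the install log explains why they are generated later.
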
-- 
1.7.11.4

From c7f0e1770f5c8c526db011fa53c8167196f98487 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Mon, 8 Oct 2012 07:54:47 -0400
Subject: [PATCH] Create Firefox extension on upgrade and replica-install

If the signing cert is not available, create an unsigned extension.

Add a zip dependency to the specfile.

https://fedorahosted.org/freeipa/ticket/3150
---
 freeipa.spec.in   |  4 +++
 install/tools/ipa-replica-install |  3 ++
 install/tools/ipa-upgradeconfig   | 13 
 ipapython/ipautil.py  | 17 ---
 ipaserver/install/httpinstance.py | 63 ++-
 5 files changed, 76 insertions(+), 24 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 

Re: [Freeipa-devel] [PATCHES] 0086-0088 Generate Firefox extension on upgrades

2012-10-10 Thread Martin Kosek
On 10/10/2012 10:55 AM, Petr Viktorin wrote:
 On 10/09/2012 06:01 PM, Petr Vobornik wrote:
 On 10/09/2012 05:26 PM, Petr Viktorin wrote:
 On 10/09/2012 05:16 PM, Petr Viktorin wrote:
 https://fedorahosted.org/freeipa/ticket/3150


 Patch 0086:
 I found an old unused function while working on this, the patch
 removes it.

 Patch 0087:
 Replica files generated on older masters don't contain the Firefox
 extension files. Skip installing them in this case.

 Patch 0088:
 Servers upgraded from IPA 2.2 need the Firefox extension installed. This
 is done in ipa-upgradeconfig if they're missing.
 I made the setup_firefox_extension method independent of the
 httpinstance state (which is mostly set in create_instance).
 Similarly, the files are installed in ipa-replica-install if they're
 missing (i.e. skipped by the previous patch).
 If the Signing-Cert is not on this master, create an unsigned extension
 using the zip command. I needed to add Popen's `cwd` argument to
 ipautil.run() to get the right filenames out of zip.

 The patches add copy_template_file and copy_file_if_exists utilities
 I've written for some of my WIP patches, expect me to use them more when
 I get time to work on the installer code.


 In my previous mail I've attached an old version of patch 88. Please use
 this one. Sorry!



 nack

 1) patch 83-01 doesn't apply.
 
 There were conflicts with recent CRL and audit cert renewal patches. Rebased.
 
 2) When pwd is supplied to setup_firefox_extension `db =
 certs.CertDB(realm, subject_base=subject_base)` is skipped and therefore
 `db.has_nickname` will fail.
 
 Thanks for the catch, fixed.
 

I tried different installation and upgrade procedures and it seems to work
fine. I have found a few minorish issues when inspecting the code:

Patch 0086-01 looks OK.

Patch 0087-01 looks OK.

Patch 0088-02:

1) In http.setup_firefox_extension() - why do you require subject_base? AFAIK,
it is not needed for the signtool and you do not have it right anyway:
 a) You use 0=$REALM, i.e. *zero*=$REALM, which would not be a valid subject
base anyway
 b) Even when it would be used, a correct subject base is in IPA config (it
does not have to be O=$REALM).

Thus, I would not require it at all, it would save us some code and potential
confusion if subject base would be actually used.


2) [nitpick] In http.setup_firefox_extension() I would not format the string
before logging:

+root_logger.info(
+'%s exists, skipping install of Firefox extension' %
+target_fname)

A desired pattern would be to pass formatting parameters as standard function
parameters, it may save us a few cycles in some situations.


3) In httpinstance.py, I would like to see an absolute path to zip executable.
It is a common pattern in IPA and more secure:

+ipautil.run(['zip', '-r', target_fname] + filenames, cwd=extdir)


Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
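
Review points 2 and 3 from the message above, applied to a stand-in for the archive step. This is an added example, not code from the patches or from FreeIPA: `run`, `create_unsigned_archive`, `demo` and `ARCHIVER` are hypothetical names, the sample files are constructed, and Python's own `zipfile` command line stands in for the zip binary so the block runs without it.

```python
import logging
import os
import subprocess
import sys
import tempfile
import zipfile

logger = logging.getLogger("firefox_extension_example")

# Assumption: Python's own zipfile command line stands in for the zip binary
# so the block runs anywhere; sys.executable is an absolute path. On a host
# with zip installed this would be the binary's absolute path plus '-r'.
ARCHIVER = [sys.executable, "-m", "zipfile", "-c"]


def run(args, cwd=None):
    """Run a command, refusing a bare program name.

    A bare name such as 'zip' is looked up in the PATH of whoever started the
    installer, so the file that runs depends on that environment. An absolute
    path removes the lookup.
    """
    if not os.path.isabs(args[0]):
        raise ValueError("executable must be an absolute path: %r" % (args[0],))
    proc = subprocess.Popen(args, cwd=cwd, stdout=subprocess.PIPE,
                            stderr=subprocess.PIPE)
    stdout, stderr = proc.communicate()
    if proc.returncode != 0:
        raise RuntimeError("%s failed: %s"
                           % (args[0], stderr.decode(errors="replace")))
    return stdout


def create_unsigned_archive(extdir, target_fname):
    """Archive the files in extdir as target_fname unless it already exists.

    Returns True if the archive was created, False if the step was skipped.
    """
    if os.path.exists(target_fname):
        # Format arguments are passed separately: logging interpolates them
        # only if the record is actually emitted.
        logger.info("%s exists, skipping install of Firefox extension",
                    target_fname)
        return False
    filenames = sorted(os.listdir(extdir))
    # cwd=extdir lets the archiver take names relative to the extension
    # directory rather than full paths.
    run(ARCHIVER + [target_fname] + filenames, cwd=extdir)
    return True


def demo():
    """Archive constructed sample files twice; the second call is skipped."""
    workdir = tempfile.mkdtemp()
    extdir = os.path.join(workdir, "ext")
    os.mkdir(extdir)
    for name in ("chrome.manifest", "install.rdf"):  # constructed sample files
        with open(os.path.join(extdir, name), "w") as f:
            f.write("placeholder content\n")
    target = os.path.join(workdir, "example.xpi")
    created = create_unsigned_archive(extdir, target)
    created_again = create_unsigned_archive(extdir, target)
    with zipfile.ZipFile(target) as zf:
        return created, created_again, sorted(zf.namelist())


if __name__ == "__main__":
    print(demo())
```
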


Re: [Freeipa-devel] [PATCHES] 0086-0088 Generate Firefox extension on upgrades

2012-10-10 Thread Petr Viktorin

On 10/10/2012 03:37 PM, Martin Kosek wrote:

On 10/10/2012 10:55 AM, Petr Viktorin wrote:

On 10/09/2012 06:01 PM, Petr Vobornik wrote:

On 10/09/2012 05:26 PM, Petr Viktorin wrote:

On 10/09/2012 05:16 PM, Petr Viktorin wrote:

https://fedorahosted.org/freeipa/ticket/3150


Patch 0086:
I found an old unused function while working on this, the patch
removes it.

Patch 0087:
Replica files generated on older masters don't contain the Firefox
extension files. Skip installing them in this case.

Patch 0088:
Servers upgraded from IPA 2.2 need the Firefox extension installed. This
is done in ipa-upgradeconfig if they're missing.
I made the setup_firefox_extension method independent of the
httpinstance state (which is mostly set in create_instance).
Similarly, the files are installed in ipa-replica-install if they're
missing (i.e. skipped by the previous patch).
If the Signing-Cert is not on this master, create an unsigned extension
using the zip command. I needed to add Popen's `cwd` argument to
ipautil.run() to get the right filenames out of zip.

The patches add copy_template_file and copy_file_if_exists utilities
I've written for some of my WIP patches, expect me to use them more when
I get time to work on the installer code.



In my previous mail I've attached an old version of patch 88. Please use
this one. Sorry!




nack

1) patch 83-01 doesn't apply.


There were conflicts with recent CRL and audit cert renewal patches. Rebased.


2) When pwd is supplied to setup_firefox_extension `db =
certs.CertDB(realm, subject_base=subject_base)` is skipped and therefore
`db.has_nickname` will fail.


Thanks for the catch, fixed.



I tried different installation and upgrade procedures and it seems to work
fine. I have found a few minorish issues when inspecting the code:

Patch 0086-01 looks OK.

Patch 0087-01 looks OK.

Patch 0088-02:

1) In http.setup_firefox_extension() - why do you require subject_base? AFAIK,
it is not needed for the signtool and you do not have it right anyway:
  a) You use 0=$REALM, i.e. *zero*=$REALM, which would not be a valid subject
base anyway
  b) Even when it would be used, a correct subject base is in IPA config (it
does not have to be O=$REALM).

Thus, I would not require it at all, it would save us some code and potential
confusion if subject base would be actually used.


2) [nitpick] In http.setup_firefox_extension() I would not format the string
before logging:

+root_logger.info(
+'%s exists, skipping install of Firefox extension' %
+target_fname)

A desired pattern would be to pass formatting parameters as standard function
parameters, it may save us a few cycles in some situations.


3) In httpinstance.py, I would like to see an absolute path to zip executable.
It is a common pattern in IPA and more secure:

+ipautil.run(['zip', '-r', target_fname] + filenames, cwd=extdir)


Martin



Thanks, fixed in attached patch.

--
Petr³
From 4991004becdb85b2b1c34a2edd4e7bd6580589bf Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Mon, 8 Oct 2012 07:54:47 -0400
Subject: [PATCH] Create Firefox extension on upgrade and replica-install

If the signing cert is not available, create an unsigned extension.

Add a zip dependency to the specfile.

https://fedorahosted.org/freeipa/ticket/3150
---
 freeipa.spec.in   |  4 +++
 install/tools/ipa-replica-install |  2 ++
 install/tools/ipa-upgradeconfig   | 12 
 ipapython/ipautil.py  | 17 ---
 ipaserver/install/httpinstance.py | 63 ++-
 5 files changed, 74 insertions(+), 24 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index cc27ffe43758eaedcaaf31b7f55d35d689cec0ae..318638c20a946b26aaffdf8dc105d458cb1a 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -173,6 +173,7 @@ Requires(postun): python initscripts chkconfig
 %endif
 Requires: python-dns
 Requires: keyutils
+Requires: zip
 
 # We have a soft-requires on bind. It is an optional part of
 # IPA but if it is configured we need a way to require versions
@@ -786,6 +787,9 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
 
 %changelog
+* Wed Oct 10 2012 Petr Viktorin pvikt...@redhat.com - 2.99.0-49
+- Add zip dependency, needed for creating unsigned Firefox extensions
+
 * Mon Oct  8 2012 Martin Kosek mko...@redhat.com - 2.99.0-48
 - Add directory /var/lib/ipa/pki-ca/publish for CRL published by pki-ca
 
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 8f55d7578e93eb39b5a9848bc5e704e2a1ef34b6..92e5f8659d3d96f1b37540f5b7f17ea7d869a6d2 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -217,6 +217,8 @@ def install_http(config, auto_redirect):
 print error copying files:  + str(e)
 sys.exit(1)
 
+http.setup_firefox_extension(config.realm_name, config.domain_name)
+
 return http
 
 def 
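
Review bot: http.setup_firefox_extension(config.realm_name, config.domain_name) is called after the try/except that guards the file copies, so an error raised while generating the extension (for example a failing zip run) surfaces as an unhandled exception instead of the printed error and sys.exit(1) used just above. Either handle the failure at this call or add a comment stating that the method reports its own errors.
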

Re: [Freeipa-devel] [PATCHES] 0086-0088 Generate Firefox extension on upgrades

2012-10-10 Thread Martin Kosek
On 10/10/2012 04:23 PM, Petr Viktorin wrote:
 On 10/10/2012 03:37 PM, Martin Kosek wrote:
 On 10/10/2012 10:55 AM, Petr Viktorin wrote:
 On 10/09/2012 06:01 PM, Petr Vobornik wrote:
 On 10/09/2012 05:26 PM, Petr Viktorin wrote:
 On 10/09/2012 05:16 PM, Petr Viktorin wrote:
 https://fedorahosted.org/freeipa/ticket/3150


 Patch 0086:
 I found an old unused function while working on this, the patch
 removes it.

 Patch 0087:
 Replica files generated on older masters don't contain the Firefox
 extension files. Skip installing them in this case.

 Patch 0088:
 Servers upgraded from IPA 2.2 need the Firefox extension installed. This
 is done in ipa-upgradeconfig if they're missing.
 I made the setup_firefox_extension method independent of the
 httpinstance state (which is mostly set in create_instance).
 Similarly, the files are installed in ipa-replica-install if they're
 missing (i.e. skipped by the previous patch).
 If the Signing-Cert is not on this master, create an unsigned extension
 using the zip command. I needed to add Popen's `cwd` argument to
 ipautil.run() to get the right filenames out of zip.

 The patches add copy_template_file and copy_file_if_exists utilities
 I've written for some of my WIP patches, expect me to use them more when
 I get time to work on the installer code.


 In my previous mail I've attached an old version of patch 88. Please use
 this one. Sorry!



 nack

 1) patch 83-01 doesn't apply.

 There were conflicts with recent CRL and audit cert renewal patches. 
 Rebased.

 2) When pwd is supplied to setup_firefox_extension `db =
 certs.CertDB(realm, subject_base=subject_base)` is skipped and therefore
 `db.has_nickname` will fail.

 Thanks for the catch, fixed.


 I tried different installation and upgrade procedures and it seems to work
 fine. I have found a few minorish issues when inspecting the code:

 Patch 0086-01 looks OK.

 Patch 0087-01 looks OK.

 Patch 0088-02:

 1) In http.setup_firefox_extension() - why do you require subject_base? 
 AFAIK,
 it is not needed for the signtool and you do not have it right anyway:
   a) You use 0=$REALM, i.e. *zero*=$REALM, which would not be a valid subject
 base anyway
   b) Even when it would be used, a correct subject base is in IPA config (it
 does not have to be O=$REALM).

 Thus, I would not require it at all, it would save us some code and potential
 confusion if subject base would be actually used.


 2) [nitpick] In http.setup_firefox_extension() I would not format the string
 before logging:

 +root_logger.info(
 +'%s exists, skipping install of Firefox extension' %
 +target_fname)

 A desired pattern would be to pass formatting parameters as standard function
 parameters, it may save us a few cycles in some situations.


 3) In httpinstance.py, I would like to see an absolute path to zip 
 executable.
 It is a common pattern in IPA and more secure:

 +ipautil.run(['zip', '-r', target_fname] + filenames, cwd=extdir)


 Martin

 
 Thanks, fixed in attached patch.
 

ACK. Pushed all three patches to master, ipa-3-0.

Martin



Re: [Freeipa-devel] [PATCHES] 0086-0088 Generate Firefox extension on upgrades

2012-10-09 Thread Petr Viktorin

On 10/09/2012 05:16 PM, Petr Viktorin wrote:

https://fedorahosted.org/freeipa/ticket/3150


Patch 0086:
I found an old unused function while working on this, the patch removes it.

Patch 0087:
Replica files generated on older masters don't contain the Firefox
extension files. Skip installing them in this case.

Patch 0088:
Servers upgraded from IPA 2.2 need the Firefox extension installed. This
is done in ipa-upgradeconfig if they're missing.
I made the setup_firefox_extension method independent of the
httpinstance state (which is mostly set in create_instance).
Similarly, the files are installed in ipa-replica-install if they're
missing (i.e. skipped by the previous patch).
If the Signing-Cert is not on this master, create an unsigned extension
using the zip command. I needed to add Popen's `cwd` argument to
ipautil.run() to get the right filenames out of zip.

The patches add copy_template_file and copy_file_if_exists utilities
I've written for some of my WIP patches, expect me to use them more when
I get time to work on the installer code.



In my previous mail I've attached an old version of patch 88. Please use 
this one. Sorry!


--
Petr³
From a19e5d1e0129a5f498b4b9c276e1e768c1c4e8ba Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Mon, 8 Oct 2012 07:54:47 -0400
Subject: [PATCH] Create Firefox extension on upgrade and replica-install

If the signing cert is not available, create an unsigned extension.

Add a zip dependency to the specfile.

https://fedorahosted.org/freeipa/ticket/3150
---
 freeipa.spec.in   |  4 +++
 install/tools/ipa-replica-install |  3 ++
 install/tools/ipa-upgradeconfig   | 11 +++
 ipapython/ipautil.py  | 17 +++---
 ipaserver/install/httpinstance.py | 69 ++-
 5 files changed, 78 insertions(+), 26 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 7c8314a04dbd01303c9122b4822b074bc7bbff88..b700fa6cb5606b65a2814935e7c7e7cd53f7b868 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -173,6 +173,7 @@ Requires(postun): python initscripts chkconfig
 %endif
 Requires: python-dns
 Requires: keyutils
+Requires: zip
 
 # We have a soft-requires on bind. It is an optional part of
 # IPA but if it is configured we need a way to require versions
@@ -783,6 +784,9 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
 
 %changelog
+* Mon Oct  9 2012 Petr Viktorin pvikt...@redhat.com - 2.99.0-48
+- Add zip dependency, needed for creating unsigned Firefox extensions
+
 * Mon Oct  1 2012 Martin Kosek mko...@redhat.com - 2.99.0-47
 - Require samba packages instead of samba4 packages obsoleted in Fedora 18 and later
 - Add libwbclient-devel BuildRequires to pick up libwbclient.h on Fedora 18 and later
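
Review bot: The new %changelog entry is dated "Mon Oct  9 2012", but 9 October 2012 was a Tuesday (the patch mails in this thread carry "Tue, 9 Oct 2012"). rpm reports a changelog entry whose weekday does not match its date as a bogus date, so this line should read "Tue Oct  9 2012".
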
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 2bc571c2edf466d8e60121d79e7a0e17630b439b..1aab5997a9048d6e18ddbd6bf28d4a74dae6519b 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -216,6 +216,9 @@ def install_http(config, auto_redirect):
 print error copying files:  + str(e)
 sys.exit(1)
 
+http.setup_firefox_extension(config.realm_name, config.domain_name,
+subject_base=0= + config.realm_name)
+
 return http
 
 def install_bind(config, options):
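
Review bot: In the added call, subject_base=0= + config.realm_name starts with the digit zero rather than the letter O, so the value passed is not a valid subject base. If setup_firefox_extension() really needs the argument, read the subject base from the IPA configuration instead of building it from the realm name; if it does not, drop the parameter from the call.
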
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index c74ebe33d228c20508e734c7d5c9b41573145003..5e5b0f6c0f030c739162183e149701f737d77e64 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -281,6 +281,16 @@ def cleanup_kdc(fstore):
 fstore.untrack_file(filename)
 root_logger.debug('Uninstalling %s', filename)
 
+def setup_firefox_extension(fstore):
+Set up the Firefox configuration extension, if it's not set up yet
+
+root_logger.info('[Setting up Firefox extension]')
+http = httpinstance.HTTPInstance(fstore)
+realm = api.env.realm
+domain = api.env.domain
+subject_base = 0= + realm
+http.setup_firefox_extension(realm, domain, subject_base)
+
 def upgrade_ipa_profile(realm):
 
 Update the IPA Profile provided by dogtag
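
Review bot: The new setup_firefox_extension(fstore) builds subject_base from the realm (subject_base = 0= + realm) instead of using a configured value, and repeats the same literal as the call added in ipa-replica-install. If the argument stays, derive it in one place. The docstring also says "if it's not set up yet" while this wrapper logs '[Setting up Firefox extension]' and calls into httpinstance unconditionally, so the docstring should say that the existence check is done in http.setup_firefox_extension().
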
@@ -522,6 +532,7 @@ def main():
 
 cleanup_kdc(fstore)
 upgrade_ipa_profile(api.env.realm)
+setup_firefox_extension(fstore)
 changed_psearch = named_enable_psearch()
 changed_autoincrement = named_enable_serial_autoincrement()
 if changed_psearch or changed_autoincrement:
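
Review bot: setup_firefox_extension(fstore) is added to main() with no error handling, ahead of named_enable_psearch() and named_enable_serial_autoincrement(). If generating the extension raises, the upgrade steps below it do not run; consider catching and logging the failure at this call so that a problem building the extension does not stop the steps that follow.
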
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 11433b4be832c1f6a79d17056e830c9582f3ca6e..0b519c2957f63770f9a28d7abe9083f724a9cf40 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -223,8 +223,17 @@ def template_str(txt, vars):
 return val
 
 def template_file(infilename, vars):
-txt = open(infilename).read()
-return template_str(txt, vars)
+Read a file and perform template substitutions
+with open(infilename) as f:
+ 

Re: [Freeipa-devel] [PATCHES] 0086-0088 Generate Firefox extension on upgrades

2012-10-09 Thread Petr Vobornik

On 10/09/2012 05:26 PM, Petr Viktorin wrote:

On 10/09/2012 05:16 PM, Petr Viktorin wrote:

https://fedorahosted.org/freeipa/ticket/3150


Patch 0086:
I found an old unused function while working on this, the patch
removes it.

Patch 0087:
Replica files generated on older masters don't contain the Firefox
extension files. Skip installing them in this case.

Patch 0088:
Servers upgraded from IPA 2.2 need the Firefox extension installed. This
is done in ipa-upgradeconfig if they're missing.
I made the setup_firefox_extension method independent of the
httpinstance state (which is mostly set in create_instance).
Similarly, the files are installed in ipa-replica-install if they're
missing (i.e. skipped by the previous patch).
If the Signing-Cert is not on this master, create an unsigned extension
using the zip command. I needed to add Popen's `cwd` argument to
ipautil.run() to get the right filenames out of zip.

The patches add copy_template_file and copy_file_if_exists utilities
I've written for some of my WIP patches, expect me to use them more when
I get time to work on the installer code.



In my previous mail I've attached an old version of patch 88. Please use
this one. Sorry!




nack

1) patch 83-01 doesn't apply.

2) When pwd is supplied to setup_firefox_extension `db = 
certs.CertDB(realm, subject_base=subject_base)` is skipped and therefore 
`db.has_nickname` will fail.



--
Petr Vobornik
