Re: [Freeipa-devel] [PATCHES] 0086-0088 Generate Firefox extension on upgrades
On 10/09/2012 06:01 PM, Petr Vobornik wrote:
> On 10/09/2012 05:26 PM, Petr Viktorin wrote:
>> On 10/09/2012 05:16 PM, Petr Viktorin wrote:
>>> https://fedorahosted.org/freeipa/ticket/3150
>>>
>>> Patch 0086: I found an old unused function while working on this, the patch removes it.
>>>
>>> Patch 0087: Replica files generated on older masters don't contain the Firefox extension files. Skip installing them in this case.
>>>
>>> Patch 0088: Servers upgraded from IPA 2.2 need the Firefox extension installed. This is done in ipa-upgradeconfig if they're missing. I made the setup_firefox_extension method independent of the httpinstance state (which is mostly set in create_instance). Similarly, the files are installed in ipa-replica-install if they're missing (i.e. skipped by the previous patch). If the Signing-Cert is not on this master, create an unsigned extension using the zip command. I needed to add Popen's `cwd` argument to ipautil.run() to get the right filenames out of zip.
>>>
>>> The patches add copy_template_file and copy_file_if_exists utilities I've written for some of my WIP patches, expect me to use them more when I get time to work on the installer code.
>>
>> In my previous mail I've attached an old version of patch 88. Please use this one. Sorry!
>
> nack
>
> 1) patch 83-01 doesn't apply.

There were conflicts with recent CRL and audit cert renewal patches. Rebased.

> 2) When pwd is supplied to setup_firefox_extension `db = certs.CertDB(realm, subject_base=subject_base)` is skipped and therefore `db.has_nickname` will fail.

Thanks for the catch, fixed.

--
Petr³

From 77c7a209ad4e803cf909a5fc5c747810a3163bb5 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Tue, 9 Oct 2012 04:10:06 -0400
Subject: [PATCH] ipa-upgradeconfig: Remove the upgrade_httpd_selinux function

This function was never called from anywhere.
---
 install/tools/ipa-upgradeconfig | 8
 1 file changed, 8 deletions(-)
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index 4ed718a9b9faea0821db5642544e9bb1194dbce4..55b8bdeea07b8da2fb11c4c52c1d3b8b536e5467 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -304,14 +304,6 @@ def upgrade_ipa_profile(ca): return False -def upgrade_httpd_selinux(fstore): - -Update SElinux configuration for httpd instance in the same way as the -new server installation does. - -root_logger.info('[Verifying the Apache SELinux configuration]') -http = httpinstance.HTTPInstance(fstore) -http.configure_selinux_for_httpd() def named_enable_psearch(): -- 1.7.11.4 From 415eb7b717de70547a65f1530986c9e182be7b37 Mon Sep 17 00:00:00 2001 From: Petr Viktorin pvikt...@redhat.com Date: Mon, 8 Oct 2012 08:02:55 -0400 Subject: [PATCH] replica-install: Don't copy Firefox config extension files if they're not in the replica file This allows cloning from older masters. https://fedorahosted.org/freeipa/ticket/3150 --- install/tools/ipa-replica-install | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index c1679c723bc50fb318b4fa1a0ff10d6032c991b4..8f55d7578e93eb39b5a9848bc5e704e2a1ef34b6 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -207,8 +207,12 @@ def install_http(config, auto_redirect): try: shutil.copy(config.dir + /preferences.html, /usr/share/ipa/html/preferences.html) shutil.copy(config.dir + /configure.jar, /usr/share/ipa/html/configure.jar) -shutil.copy(config.dir + /krb.js, /usr/share/ipa/html/krb.js) -shutil.copy(config.dir + /kerberosauth.xpi, /usr/share/ipa/html/kerberosauth.xpi) +if ipautil.file_exists(config.dir + /krb.js): +shutil.copy( +config.dir + /krb.js, /usr/share/ipa/html/krb.js) +shutil.copy( +config.dir + /kerberosauth.xpi, +/usr/share/ipa/html/kerberosauth.xpi) except Exception, e: print error copying files: + str(e) sys.exit(1) -- 1.7.11.4 
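Review bot: in the install_http hunk of ipa-replica-install, the new `if ipautil.file_exists(config.dir + /krb.js):` test looks only for krb.js, while the kerberosauth.xpi copy added right after it has no existence check of its own. A replica file that carries one of the two files but not the other would either end in the `except Exception, e:` branch and `sys.exit(1)` or install only part of the extension. Consider checking each file before its own copy, or saying in a comment that the two are always packaged together, and log when the copy is skipped so that a clone from an older master shows up in the install log.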
From c7f0e1770f5c8c526db011fa53c8167196f98487 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Mon, 8 Oct 2012 07:54:47 -0400
Subject: [PATCH] Create Firefox extension on upgrade and replica-install

If the signing cert is not available, create an unsigned extension.
Add a zip dependency to the specfile.

https://fedorahosted.org/freeipa/ticket/3150
---
 freeipa.spec.in | 4 +++
 install/tools/ipa-replica-install | 3 ++
 install/tools/ipa-upgradeconfig | 13
 ipapython/ipautil.py | 17 ---
 ipaserver/install/httpinstance.py | 63 ++-
 5 files changed, 76 insertions(+), 24 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in index
Re: [Freeipa-devel] [PATCHES] 0086-0088 Generate Firefox extension on upgrades
On 10/10/2012 10:55 AM, Petr Viktorin wrote:
> On 10/09/2012 06:01 PM, Petr Vobornik wrote:
>> On 10/09/2012 05:26 PM, Petr Viktorin wrote:
>>> On 10/09/2012 05:16 PM, Petr Viktorin wrote:
>>>> https://fedorahosted.org/freeipa/ticket/3150
>>>>
>>>> Patch 0086: I found an old unused function while working on this, the patch removes it.
>>>>
>>>> Patch 0087: Replica files generated on older masters don't contain the Firefox extension files. Skip installing them in this case.
>>>>
>>>> Patch 0088: Servers upgraded from IPA 2.2 need the Firefox extension installed. This is done in ipa-upgradeconfig if they're missing. I made the setup_firefox_extension method independent of the httpinstance state (which is mostly set in create_instance). Similarly, the files are installed in ipa-replica-install if they're missing (i.e. skipped by the previous patch). If the Signing-Cert is not on this master, create an unsigned extension using the zip command. I needed to add Popen's `cwd` argument to ipautil.run() to get the right filenames out of zip.
>>>>
>>>> The patches add copy_template_file and copy_file_if_exists utilities I've written for some of my WIP patches, expect me to use them more when I get time to work on the installer code.
>>>
>>> In my previous mail I've attached an old version of patch 88. Please use this one. Sorry!
>>
>> nack
>>
>> 1) patch 83-01 doesn't apply.
>
> There were conflicts with recent CRL and audit cert renewal patches. Rebased.
>
>> 2) When pwd is supplied to setup_firefox_extension `db = certs.CertDB(realm, subject_base=subject_base)` is skipped and therefore `db.has_nickname` will fail.
>
> Thanks for the catch, fixed.

I tried different installation and upgrade procedures and it seems to work fine. I have found a few minorish issues when inspecting the code:

Patch 0086-01 looks OK.

Patch 0087-01 looks OK.

Patch 0088-02:

1) In http.setup_firefox_extension() - why do you require subject_base? AFAIK, it is not needed for the signtool and you do not have it right anyway:
a) You use 0=$REALM, i.e. *zero*=$REALM, which would not be a valid subject base anyway
b) Even when it would be used, a correct subject base is in IPA config (it does not have to be O=$REALM).

Thus, I would not require it at all, it would save us some code and potential confusion if subject base would be actually used.

2) [nitpick] In http.setup_firefox_extension() I would not format the string before logging:

+root_logger.info(
+'%s exists, skipping install of Firefox extension' %
+target_fname)

A desired pattern would be to pass formatting parameters as standard function parameters, it may save us a few cycles in some situations.

3) In httpinstance.py, I would like to see an absolute path to zip executable. It is a common pattern in IPA and more secure:

+ipautil.run(['zip', '-r', target_fname] + filenames, cwd=extdir)

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
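Points 2 and 3 of the review above (arguments passed to the logger, absolute path to the executable) and the `cwd` argument from the patch description, as an added Python 3 example that is not part of the thread or of FreeIPA's code. `run_tool` and `shadowed_by` are hypothetical helpers, and the directories and files are constructed fixtures:

```python
import logging
import os
import shutil
import subprocess
import sys
import tempfile

log = logging.getLogger("installer-example")


def run_tool(argv, cwd=None):
    """Run argv only if argv[0] is an absolute path; cwd works as in Popen."""
    if not os.path.isabs(argv[0]):
        # A bare name such as 'zip' would be resolved through $PATH.
        raise ValueError("absolute path required, got %r" % (argv[0],))
    # The logger gets the arguments unformatted; the string is built only if emitted.
    log.debug("running %s (cwd=%s)", argv, cwd)
    done = subprocess.run(argv, cwd=cwd, check=True, stdout=subprocess.PIPE)
    return done.stdout.decode().split()


def shadowed_by(name, pinned, path_env):
    """Return what a $PATH lookup of name would pick, if it is not pinned."""
    found = shutil.which(name, path=path_env)
    if found and os.path.realpath(found) != os.path.realpath(pinned):
        return found
    return None


def _touch(path, executable=False):
    """Create an empty fixture file, optionally with the execute bit set."""
    open(path, "w").close()
    if executable:
        os.chmod(path, 0o700)
    return path


def demo():
    """Constructed fixture: two directories that both contain a 'zip'."""
    with tempfile.TemporaryDirectory() as root:
        system_bin, other_bin, extdir = (
            os.path.join(root, d) for d in ("system_bin", "other_bin", "ext"))
        for d in (system_bin, other_bin, extdir):
            os.mkdir(d)
        pinned = _touch(os.path.join(system_bin, "zip"), executable=True)
        _touch(os.path.join(other_bin, "zip"), executable=True)
        for name in ("install.rdf", "chrome.manifest"):
            _touch(os.path.join(extdir, name))
        # The interpreter stands in for the archiver: relative names are
        # resolved against cwd, which is why the patch passes cwd=extdir.
        lister = "import os; print(*sorted(os.listdir('.')))"
        names = run_tool([sys.executable, "-c", lister], cwd=extdir)
        try:
            run_tool(["zip", "-r", "out.xpi"] + names, cwd=extdir)
            refused = False
        except ValueError:
            refused = True
        shadow = shadowed_by("zip", pinned, other_bin + os.pathsep + system_bin)
        clean = shadowed_by("zip", pinned, system_bin)
        return names, refused, os.path.basename(os.path.dirname(shadow)), clean


if __name__ == "__main__":
    print(demo())
```

`shadowed_by` is the kind of preflight check an installer can log before calling a tool: it reports when the search path would select a different file than the pinned one.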
Re: [Freeipa-devel] [PATCHES] 0086-0088 Generate Firefox extension on upgrades
On 10/10/2012 03:37 PM, Martin Kosek wrote:
> On 10/10/2012 10:55 AM, Petr Viktorin wrote:
>> On 10/09/2012 06:01 PM, Petr Vobornik wrote:
>>> On 10/09/2012 05:26 PM, Petr Viktorin wrote:
>>>> On 10/09/2012 05:16 PM, Petr Viktorin wrote:
>>>>> https://fedorahosted.org/freeipa/ticket/3150
>>>>>
>>>>> Patch 0086: I found an old unused function while working on this, the patch removes it.
>>>>>
>>>>> Patch 0087: Replica files generated on older masters don't contain the Firefox extension files. Skip installing them in this case.
>>>>>
>>>>> Patch 0088: Servers upgraded from IPA 2.2 need the Firefox extension installed. This is done in ipa-upgradeconfig if they're missing. I made the setup_firefox_extension method independent of the httpinstance state (which is mostly set in create_instance). Similarly, the files are installed in ipa-replica-install if they're missing (i.e. skipped by the previous patch). If the Signing-Cert is not on this master, create an unsigned extension using the zip command. I needed to add Popen's `cwd` argument to ipautil.run() to get the right filenames out of zip.
>>>>>
>>>>> The patches add copy_template_file and copy_file_if_exists utilities I've written for some of my WIP patches, expect me to use them more when I get time to work on the installer code.
>>>>
>>>> In my previous mail I've attached an old version of patch 88. Please use this one. Sorry!
>>>
>>> nack
>>>
>>> 1) patch 83-01 doesn't apply.
>>
>> There were conflicts with recent CRL and audit cert renewal patches. Rebased.
>>
>>> 2) When pwd is supplied to setup_firefox_extension `db = certs.CertDB(realm, subject_base=subject_base)` is skipped and therefore `db.has_nickname` will fail.
>>
>> Thanks for the catch, fixed.
>
> I tried different installation and upgrade procedures and it seems to work fine. I have found a few minorish issues when inspecting the code:
>
> Patch 0086-01 looks OK.
>
> Patch 0087-01 looks OK.
>
> Patch 0088-02:
>
> 1) In http.setup_firefox_extension() - why do you require subject_base? AFAIK, it is not needed for the signtool and you do not have it right anyway:
> a) You use 0=$REALM, i.e. *zero*=$REALM, which would not be a valid subject base anyway
> b) Even when it would be used, a correct subject base is in IPA config (it does not have to be O=$REALM).
>
> Thus, I would not require it at all, it would save us some code and potential confusion if subject base would be actually used.
>
> 2) [nitpick] In http.setup_firefox_extension() I would not format the string before logging:
>
> +root_logger.info(
> +'%s exists, skipping install of Firefox extension' %
> +target_fname)
>
> A desired pattern would be to pass formatting parameters as standard function parameters, it may save us a few cycles in some situations.
>
> 3) In httpinstance.py, I would like to see an absolute path to zip executable. It is a common pattern in IPA and more secure:
>
> +ipautil.run(['zip', '-r', target_fname] + filenames, cwd=extdir)
>
> Martin

Thanks, fixed in attached patch.

--
Petr³

From 4991004becdb85b2b1c34a2edd4e7bd6580589bf Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Mon, 8 Oct 2012 07:54:47 -0400
Subject: [PATCH] Create Firefox extension on upgrade and replica-install

If the signing cert is not available, create an unsigned extension.
Add a zip dependency to the specfile.

https://fedorahosted.org/freeipa/ticket/3150
---
 freeipa.spec.in | 4 +++
 install/tools/ipa-replica-install | 2 ++
 install/tools/ipa-upgradeconfig | 12
 ipapython/ipautil.py | 17 ---
 ipaserver/install/httpinstance.py | 63 ++-
 5 files changed, 74 insertions(+), 24 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in index cc27ffe43758eaedcaaf31b7f55d35d689cec0ae..318638c20a946b26aaffdf8dc105d458cb1a 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -173,6 +173,7 @@ Requires(postun): python initscripts chkconfig %endif Requires: python-dns Requires: keyutils +Requires: zip # We have a soft-requires on bind. It is an optional part of # IPA but if it is configured we need a way to require versions 
@@ -786,6 +787,9 @@ fi %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt %changelog +* Wed Oct 10 2012 Petr Viktorin pvikt...@redhat.com - 2.99.0-49 +- Add zip dependency, needed for creating unsigned Firefox extensions + * Mon Oct 8 2012 Martin Kosek mko...@redhat.com - 2.99.0-48 - Add directory /var/lib/ipa/pki-ca/publish for CRL published by pki-ca diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index 8f55d7578e93eb39b5a9848bc5e704e2a1ef34b6..92e5f8659d3d96f1b37540f5b7f17ea7d869a6d2 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -217,6 +217,8 @@ def install_http(config, auto_redirect): print error copying files: + str(e) sys.exit(1) +http.setup_firefox_extension(config.realm_name, config.domain_name) + return http def
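Review bot: in the install_http hunk, the added `http.setup_firefox_extension(config.realm_name, config.domain_name)` call comes after the "error copying files" handler and is made on every replica install, so whether it leaves alone a krb.js and kerberosauth.xpi already copied from the replica file is decided inside the method, which this hunk does not show. A one-line comment at the call site saying that the files are only generated when missing would make that dependency explicit. The call also has no error handling of its own in this hunk, so consider reporting a failure with a message in the same way the copy block above it does.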
Re: [Freeipa-devel] [PATCHES] 0086-0088 Generate Firefox extension on upgrades
On 10/10/2012 04:23 PM, Petr Viktorin wrote:
> On 10/10/2012 03:37 PM, Martin Kosek wrote:
>> On 10/10/2012 10:55 AM, Petr Viktorin wrote:
>>> On 10/09/2012 06:01 PM, Petr Vobornik wrote:
>>>> On 10/09/2012 05:26 PM, Petr Viktorin wrote:
>>>>> On 10/09/2012 05:16 PM, Petr Viktorin wrote:
>>>>>> https://fedorahosted.org/freeipa/ticket/3150
>>>>>>
>>>>>> Patch 0086: I found an old unused function while working on this, the patch removes it.
>>>>>>
>>>>>> Patch 0087: Replica files generated on older masters don't contain the Firefox extension files. Skip installing them in this case.
>>>>>>
>>>>>> Patch 0088: Servers upgraded from IPA 2.2 need the Firefox extension installed. This is done in ipa-upgradeconfig if they're missing. I made the setup_firefox_extension method independent of the httpinstance state (which is mostly set in create_instance). Similarly, the files are installed in ipa-replica-install if they're missing (i.e. skipped by the previous patch). If the Signing-Cert is not on this master, create an unsigned extension using the zip command. I needed to add Popen's `cwd` argument to ipautil.run() to get the right filenames out of zip.
>>>>>>
>>>>>> The patches add copy_template_file and copy_file_if_exists utilities I've written for some of my WIP patches, expect me to use them more when I get time to work on the installer code.
>>>>>
>>>>> In my previous mail I've attached an old version of patch 88. Please use this one. Sorry!
>>>>
>>>> nack
>>>>
>>>> 1) patch 83-01 doesn't apply.
>>>
>>> There were conflicts with recent CRL and audit cert renewal patches. Rebased.
>>>
>>>> 2) When pwd is supplied to setup_firefox_extension `db = certs.CertDB(realm, subject_base=subject_base)` is skipped and therefore `db.has_nickname` will fail.
>>>
>>> Thanks for the catch, fixed.
>>
>> I tried different installation and upgrade procedures and it seems to work fine. I have found a few minorish issues when inspecting the code:
>>
>> Patch 0086-01 looks OK.
>>
>> Patch 0087-01 looks OK.
>>
>> Patch 0088-02:
>>
>> 1) In http.setup_firefox_extension() - why do you require subject_base? AFAIK, it is not needed for the signtool and you do not have it right anyway:
>> a) You use 0=$REALM, i.e. *zero*=$REALM, which would not be a valid subject base anyway
>> b) Even when it would be used, a correct subject base is in IPA config (it does not have to be O=$REALM).
>>
>> Thus, I would not require it at all, it would save us some code and potential confusion if subject base would be actually used.
>>
>> 2) [nitpick] In http.setup_firefox_extension() I would not format the string before logging:
>>
>> +root_logger.info(
>> +'%s exists, skipping install of Firefox extension' %
>> +target_fname)
>>
>> A desired pattern would be to pass formatting parameters as standard function parameters, it may save us a few cycles in some situations.
>>
>> 3) In httpinstance.py, I would like to see an absolute path to zip executable. It is a common pattern in IPA and more secure:
>>
>> +ipautil.run(['zip', '-r', target_fname] + filenames, cwd=extdir)
>>
>> Martin
>
> Thanks, fixed in attached patch.

ACK. Pushed all three patches to master, ipa-3-0.

Martin
Re: [Freeipa-devel] [PATCHES] 0086-0088 Generate Firefox extension on upgrades
On 10/09/2012 05:16 PM, Petr Viktorin wrote:
> https://fedorahosted.org/freeipa/ticket/3150
>
> Patch 0086: I found an old unused function while working on this, the patch removes it.
>
> Patch 0087: Replica files generated on older masters don't contain the Firefox extension files. Skip installing them in this case.
>
> Patch 0088: Servers upgraded from IPA 2.2 need the Firefox extension installed. This is done in ipa-upgradeconfig if they're missing. I made the setup_firefox_extension method independent of the httpinstance state (which is mostly set in create_instance). Similarly, the files are installed in ipa-replica-install if they're missing (i.e. skipped by the previous patch). If the Signing-Cert is not on this master, create an unsigned extension using the zip command. I needed to add Popen's `cwd` argument to ipautil.run() to get the right filenames out of zip.
>
> The patches add copy_template_file and copy_file_if_exists utilities I've written for some of my WIP patches, expect me to use them more when I get time to work on the installer code.

In my previous mail I've attached an old version of patch 88. Please use this one. Sorry!

--
Petr³

From a19e5d1e0129a5f498b4b9c276e1e768c1c4e8ba Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Mon, 8 Oct 2012 07:54:47 -0400
Subject: [PATCH] Create Firefox extension on upgrade and replica-install

If the signing cert is not available, create an unsigned extension.
Add a zip dependency to the specfile.

https://fedorahosted.org/freeipa/ticket/3150
---
 freeipa.spec.in | 4 +++
 install/tools/ipa-replica-install | 3 ++
 install/tools/ipa-upgradeconfig | 11 +++
 ipapython/ipautil.py | 17 +++---
 ipaserver/install/httpinstance.py | 69 ++-
 5 files changed, 78 insertions(+), 26 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in index 7c8314a04dbd01303c9122b4822b074bc7bbff88..b700fa6cb5606b65a2814935e7c7e7cd53f7b868 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in 
@@ -173,6 +173,7 @@ Requires(postun): python initscripts chkconfig %endif Requires: python-dns Requires: keyutils +Requires: zip # We have a soft-requires on bind. It is an optional part of # IPA but if it is configured we need a way to require versions @@ -783,6 +784,9 @@ fi %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt %changelog +* Mon Oct 9 2012 Petr Viktorin pvikt...@redhat.com - 2.99.0-48 +- Add zip dependency, needed for creating unsigned Firefox extensions + * Mon Oct 1 2012 Martin Kosek mko...@redhat.com - 2.99.0-47 - Require samba packages instead of samba4 packages obsoleted in Fedora 18 and later - Add libwbclient-devel BuildRequires to pick up libwbclient.h on Fedora 18 and later diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index 2bc571c2edf466d8e60121d79e7a0e17630b439b..1aab5997a9048d6e18ddbd6bf28d4a74dae6519b 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -216,6 +216,9 @@ def install_http(config, auto_redirect): print error copying files: + str(e) sys.exit(1) +http.setup_firefox_extension(config.realm_name, config.domain_name, +subject_base=0= + config.realm_name) + return http def install_bind(config, options): diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index c74ebe33d228c20508e734c7d5c9b41573145003..5e5b0f6c0f030c739162183e149701f737d77e64 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig 
@@ -281,6 +281,16 @@ def cleanup_kdc(fstore): fstore.untrack_file(filename) root_logger.debug('Uninstalling %s', filename) +def setup_firefox_extension(fstore): +Set up the Firefox configuration extension, if it's not set up yet + +root_logger.info('[Setting up Firefox extension]') +http = httpinstance.HTTPInstance(fstore) +realm = api.env.realm +domain = api.env.domain +subject_base = 0= + realm +http.setup_firefox_extension(realm, domain, subject_base) + def upgrade_ipa_profile(realm): Update the IPA Profile provided by dogtag @@ -522,6 +532,7 @@ def main(): cleanup_kdc(fstore) upgrade_ipa_profile(api.env.realm) +setup_firefox_extension(fstore) changed_psearch = named_enable_psearch() changed_autoincrement = named_enable_serial_autoincrement() if changed_psearch or changed_autoincrement: diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index 11433b4be832c1f6a79d17056e830c9582f3ca6e..0b519c2957f63770f9a28d7abe9083f724a9cf40 100644 --- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py @@ -223,8 +223,17 @@ def template_str(txt, vars): return val def template_file(infilename, vars): -txt = open(infilename).read() -return template_str(txt, vars) +Read a file and perform template substitutions +with open(infilename) as f: +
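Review bot: in the %changelog hunk of freeipa.spec.in, the new entry is dated `Mon Oct 9 2012`, but the entry directly below it in the same hunk is `Mon Oct 1 2012`, which puts 9 October on a Tuesday. Change the weekday to `Tue`, or correct the date, so that the changelog header is consistent.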
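Review bot: in the ipa-upgradeconfig hunk, `subject_base = 0= + realm` begins with the digit zero where the organization attribute `O=` is presumably meant, and the ipa-replica-install hunk passes the same `subject_base=0= + config.realm_name`. Build the value in one place, or take it from the IPA configuration, rather than repeating the literal in both callers.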
Re: [Freeipa-devel] [PATCHES] 0086-0088 Generate Firefox extension on upgrades
On 10/09/2012 05:26 PM, Petr Viktorin wrote:
> On 10/09/2012 05:16 PM, Petr Viktorin wrote:
>> https://fedorahosted.org/freeipa/ticket/3150
>>
>> Patch 0086: I found an old unused function while working on this, the patch removes it.
>>
>> Patch 0087: Replica files generated on older masters don't contain the Firefox extension files. Skip installing them in this case.
>>
>> Patch 0088: Servers upgraded from IPA 2.2 need the Firefox extension installed. This is done in ipa-upgradeconfig if they're missing. I made the setup_firefox_extension method independent of the httpinstance state (which is mostly set in create_instance). Similarly, the files are installed in ipa-replica-install if they're missing (i.e. skipped by the previous patch). If the Signing-Cert is not on this master, create an unsigned extension using the zip command. I needed to add Popen's `cwd` argument to ipautil.run() to get the right filenames out of zip.
>>
>> The patches add copy_template_file and copy_file_if_exists utilities I've written for some of my WIP patches, expect me to use them more when I get time to work on the installer code.
>
> In my previous mail I've attached an old version of patch 88. Please use this one. Sorry!

nack

1) patch 83-01 doesn't apply.

2) When pwd is supplied to setup_firefox_extension `db = certs.CertDB(realm, subject_base=subject_base)` is skipped and therefore `db.has_nickname` will fail.

--
Petr Vobornik