[Freeipa-devel] [PATCH] 0016..0018 profiles regression fixes

Fraser Tweedale ftweedal at redhat.com
Fri Jun 5 11:53:39 UTC 2015


On Fri, Jun 05, 2015 at 01:00:14PM +0200, Martin Basti wrote:
> On 05/06/15 11:47, Fraser Tweedale wrote:
> >Patches 16 and 17 fix regressions in the default profile.
> >
> >Patch 18 fixes the `ipa-replica-install --setup-ca' breakage.
> >
> >Cheers,
> >Fraser
> >
> >
> NACK, sorry
> 
> ./make-lint
> ************* Module ipaserver.plugins.dogtag
> ipaserver/plugins/dogtag.py:2010: [E1124(redundant-keyword-arg),
> RestClient.__enter__] Argument 'method' passed by position and keyword in
> function call)
> ipaserver/plugins/dogtag.py:2011: [E0602(undefined-variable),
> RestClient.__enter__] Undefined variable 'ca_host')
> 
> -- 
> Martin Basti
> 
Whoops.  One wayward comma that should have been a period!

Here's an updated 0017..0018.

Thanks,
Fraser
-------------- next part --------------
From 61677911dec136e6d022622549c476f8ca5f6e5b Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Fri, 5 Jun 2015 02:57:48 -0400
Subject: [PATCH 17/18] Import profiles earlier during install

Currently, IPA certificate profile import happens at end of install.
Certificate issuance during the install process does work but uses
an un-customised caIPAserviceCert profile, resulting in incorrect
subject DNs and missing extensions.  Furthermore, the
caIPAserviceCert profile shipped with Dogtag will eventually be
removed.

Move the import of included certificate profiles to the end of the
cainstance deployment phase, prior to the issuance of DS and HTTP
certificates.

Part of: https://fedorahosted.org/freeipa/ticket/4002
---
 ipaserver/install/cainstance.py     |  5 +++++
 ipaserver/install/server/install.py |  3 ---
 ipaserver/plugins/dogtag.py         | 10 +++++++---
 3 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 42225c28c8201bbae8ac0e46f7791a7f6ed3d158..563a198ab472a58cc6fbeeceb7731486ce7ca6b5 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -473,6 +473,9 @@ class CAInstance(DogtagInstance):
             self.step("configure Server-Cert certificate renewal", self.track_servercert)
             self.step("Configure HTTP to proxy connections",
                       self.http_proxy)
+            if not self.clone:
+                self.step("restarting certificate server", self.restart_instance)
+                self.step("Importing IPA certificate profiles", import_included_profiles)
 
         self.start_creation(runtime=210)
 
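Review bot: the two new step descriptions are capitalised inconsistently ("restarting certificate server" vs "Importing IPA certificate profiles"), and the steps just above them already mix "configure" and "Configure"; pick one form for the added lines. The `if not self.clone` guard also means a replica's CA never runs the import, which is only right if the profile entries added by `import_included_profiles` are expected to reach the replica through LDAP replication before its CA issues anything; a one-line comment stating that assumption would save the next reader a trip through the code.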
@@ -1694,6 +1697,7 @@ def import_included_profiles():
             )
             conn.add_entry(entry)
             api.Backend.ra_certprofile._read_password()
+            api.Backend.ra_certprofile.override_port = 8443
             with api.Backend.ra_certprofile as profile_api:
                 # import the profile
                 try:
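Review bot: `api.Backend.ra_certprofile.override_port = 8443` hardcodes the port, while the rest of the installer takes Dogtag values from `dogtag.configured_constants()` (install.py uses it for `PKI_INSTANCE_NAME` in the same series). Use the configured secure-port constant, or at least a named constant with a comment explaining why the proxy port from `self.env.ca_agent_port` cannot be used at this point of the install and the CA has to be reached directly.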
@@ -1715,6 +1719,7 @@ def import_included_profiles():
                 except errors.RemoteRetrieveError:
                     pass
 
+            api.Backend.ra_certprofile.override_port = None
             root_logger.info("Imported profile '%s'", profile_id)
 
     conn.disconnect()
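Review bot: `api.Backend.ra_certprofile.override_port = None` is only reached on the success path; the `except errors.RemoteRetrieveError: pass` above covers a single error type, so any other exception raised inside the `with api.Backend.ra_certprofile as profile_api:` block leaves the backend pointing at port 8443 for the rest of the process. Wrap the with-block in try/finally, or set and clear the override once around the whole loop rather than once per profile, which also removes the asymmetry of setting it inside the loop body and clearing it at the bottom.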
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 955e4cc11fba20475a07126f4101edbf1024290e..999766d677a19768fdc31b256a2d026b2204dbb0 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -906,9 +906,6 @@ def install(options):
         service.print_msg("Restarting the certificate server")
         ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)
 
-        service.print_msg("Importing certificate profiles")
-        cainstance.import_included_profiles()
-
     if options.setup_dns:
         api.Backend.ldap2.connect(autobind=True)
         dns.install(False, False, options)
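Review bot: with the import moved into cainstance (which now adds its own "restarting certificate server" step before the import), the `ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)` kept just above the removed lines becomes a second restart of the CA in short succession. If it is still needed for something other than the profile import, a comment saying what would help; otherwise it can go with the removed lines.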
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index e6668bb43b994863a14fdd347635753422ed9388..e60cced1a35df821d900407df2d9b66371c61510 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -1973,6 +1973,7 @@ class RestClient(Backend):
         super(RestClient, self).__init__()
 
         # session cookie
+        self.override_port = None
         self.cookie = None
 
     def _read_password(self):
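Review bot: `self.override_port = None` is inserted directly under the `# session cookie` comment, so that comment now describes the wrong attribute. Move the assignment above the comment, or give it its own comment stating that it is an optional override of `self.env.ca_agent_port` for use during install, so `# session cookie` keeps describing `self.cookie`.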
@@ -2007,7 +2008,8 @@ class RestClient(Backend):
         if self.cookie is not None:
             return
         status, status_text, resp_headers, resp_body = dogtag.https_request(
-            self.ca_host, self.env.ca_agent_port, '/ca/rest/account/login',
+            self.ca_host, self.override_port or self.env.ca_agent_port,
+            '/ca/rest/account/login',
             self.sec_dir, self.password, self.ipa_certificate_nickname,
             method='GET'
         )
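Review bot: `self.override_port or self.env.ca_agent_port` is repeated verbatim here and in the logout and main-request hunks below; a single property (e.g. a `ca_port` accessor on RestClient) would keep the fallback in one place so the three call sites cannot drift apart. Note also that `or` treats a port of 0 as "unset"; harmless for the installer, but worth a line in the attribute's comment.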
@@ -2020,7 +2022,8 @@ class RestClient(Backend):
     def __exit__(self, exc_type, exc_value, traceback):
         """Log out of the REST API"""
         dogtag.https_request(
-            self.ca_host, self.env.ca_agent_port, '/ca/rest/account/logout',
+            self.ca_host, self.override_port or self.env.ca_agent_port,
+            '/ca/rest/account/logout',
             self.sec_dir, self.password, self.ipa_certificate_nickname,
             method='GET'
         )
@@ -2046,7 +2049,8 @@ class RestClient(Backend):
 
         # perform main request
         status, status_text, resp_headers, resp_body = dogtag.https_request(
-            self.ca_host, self.env.ca_agent_port, resource,
+            self.ca_host, self.override_port or self.env.ca_agent_port,
+            resource,
             self.sec_dir, self.password, self.ipa_certificate_nickname,
             method=method, headers=headers, body=body
         )
-- 
2.1.0

-------------- next part --------------
From b4252d8385f03558b335386a3827f1adb878308a Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Fri, 5 Jun 2015 05:02:58 -0400
Subject: [PATCH 18/18] ipa-pki-proxy: allow certificate and password
 authentication

ipa-replica-install --setup-ca is failing because the security
domain login attempts password authentication, but the current
ipa-pki-proxy requires certificate authentication.

Set NSSVerifyClient optional to allow both certificate and password
authentication to work.
---
 install/conf/ipa-pki-proxy.conf | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf
index 366ca15a1868758547f9f1d3334fddba38793083..354b340f0a57d3424c3c13fd4054ed71080552fe 100644
--- a/install/conf/ipa-pki-proxy.conf
+++ b/install/conf/ipa-pki-proxy.conf
@@ -1,4 +1,4 @@
-# VERSION 6 - DO NOT REMOVE THIS LINE
+# VERSION 7 - DO NOT REMOVE THIS LINE
 
 ProxyRequests Off
 
@@ -27,9 +27,16 @@ ProxyRequests Off
 </LocationMatch>
 
 # matches for REST API
-<LocationMatch "^/ca/rest/account/login|^/ca/rest/account/logout|^/ca/rest/profiles">
+<LocationMatch "^/ca/rest/account/login|^/ca/rest/account/logout">
     NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
-    NSSVerifyClient require
+    NSSVerifyClient optional
+    ProxyPassMatch ajp://localhost:$DOGTAG_PORT
+    ProxyPassReverse ajp://localhost:$DOGTAG_PORT
+</LocationMatch>
+
+<LocationMatch "^/ca/rest/profiles">
+    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+    NSSVerifyClient none
     ProxyPassMatch ajp://localhost:$DOGTAG_PORT
     ProxyPassReverse ajp://localhost:$DOGTAG_PORT
 </LocationMatch>
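Review bot: the commit message justifies `NSSVerifyClient optional` for `^/ca/rest/account/login|^/ca/rest/account/logout`, but the newly split `^/ca/rest/profiles` block goes further and sets `NSSVerifyClient none`, which is a separate and larger relaxation: mod_nss will no longer request a client certificate on profile requests at all, so for that path authentication rests entirely on the Dogtag session cookie obtained through login and on Dogtag's own ACLs behind the proxy. If that is intended (the profile calls in this series run after a `/ca/rest/account/login`), state it in the commit message; if not, `optional` would preserve certificate-based access for callers that present one while still allowing the cookie-based flow.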
-- 
2.1.0

