[Freeipa-devel] [PATCH] 983 add subject key identifier

Martin Kosek mkosek at redhat.com
Fri Mar 9 13:31:19 UTC 2012


On Wed, 2012-03-07 at 17:49 -0500, Rob Crittenden wrote:
> Add subject key identifier to the dogtag server cert profile.
> 
> This will add it on upgrades too and any new certs issued will have a 
> subject key identifier set.
> 
> If the user has customized the profile themselves then this won't be 
> applied.
> 
> rob

NACK

I found a few issues with the patch:

1) There is an extraneous pdb statement:
+    import pdb; pdb.set_trace()

2) The name of the config file should be put in a variable once and not
built again every time in enable_subject_key_identifier. It would be
much more readable and less error prone:
+            installutils.set_directive('/var/lib/%
s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME,
'policyset.serverCertSet.list', '1,2,3,4,5,6,7,8,10', quotes=False,
separator='=')
+            installutils.set_directive('/var/lib/%
s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME,
'policyset.serverCertSet.10.constraint.class_id', 'noConstraintImpl',
quotes=False, separator='=')
...
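Review bot: the replacement value '1,2,3,4,5,6,7,8,10' written to policyset.serverCertSet.list is a fixed string, so if the list already in the profile differs from the stock one (a site-customised profile, which the commit message says should be left alone) the set_directive call overwrites it; compare the value returned by get_directive with the expected default (and check whether '10' is already present) before writing, and add a comment saying why policy id 9 is skipped in the new list.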

3) We do not handle a missing config file gracefully. This is what happens
when a replica without a CA is upgraded:
# rpm -Uvh --force /home/mkosek/dist-review/rpms/freeipa-*
Preparing...                ########################################### [100%]
   1:freeipa-python         ########################################### [ 17%]
   2:freeipa-client         ########################################### [ 33%]
   3:freeipa-admintools     ########################################### [ 50%]
   4:freeipa-server         ########################################### [ 67%]
Upgraded /etc/httpd/conf.d/ipa-pki-proxy.conf to version 1
Traceback (most recent call last):
  File "/usr/sbin/ipa-upgradeconfig", line 301, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-upgradeconfig", line 297, in main
    upgrade_ipa_profile(krbctx.default_realm)
  File "/usr/sbin/ipa-upgradeconfig", line 243, in upgrade_ipa_profile
    if ca.enable_subject_key_identifier():
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1079, in enable_subject_key_identifier
    setlist = installutils.get_directive('/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME, 'policyset.serverCertSet.list', separator='=')
  File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 429, in get_directive
    fd = open(filename, "r")
IOError: [Errno 2] No such file or directory: '/var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg'
   5:freeipa-server-selinux ########################################### [ 83%]
   6:freeipa-debuginfo      ########################################### [100%]

Martin
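An added example, not Rob's patch and not FreeIPA's own code, of how the upgrade step discussed in points 2 and 3 could be written so that a replica without a CA (no profile file) is skipped instead of raising IOError, the re-run is a no-op, and a customised profile is left alone. The get_directive/set_directive helpers here are stand-ins written for this example, not the ones in ipaserver.install.installutils; the stock policy list "1,2,3,4,5,6,7,8" and the Dogtag class names for the policy 10 entry are assumptions to check against the installed Dogtag version; the profile fragment is constructed.

```python
import os
import tempfile

# Hypothetical names for this example; FreeIPA's real helpers live in
# ipaserver.install.installutils and are not reproduced here.
POLICY_SET = "policyset.serverCertSet"
SKI_POLICY_ID = "10"
# Assumed stock policy list of caIPAserviceCert.cfg before the change
# (the patch writes "1,2,3,4,5,6,7,8,10", so 9 is not part of it).
STOCK_POLICY_LIST = ["1", "2", "3", "4", "5", "6", "7", "8"]
# Directives for the new policy entry. The class names are assumed from
# Dogtag's profile format; verify them against your Dogtag version.
SKI_DIRECTIVES = {
    "%s.%s.constraint.class_id" % (POLICY_SET, SKI_POLICY_ID): "noConstraintImpl",
    "%s.%s.constraint.name" % (POLICY_SET, SKI_POLICY_ID): "No Constraint",
    "%s.%s.default.class_id" % (POLICY_SET, SKI_POLICY_ID): "subjectKeyIdentifierExtDefaultImpl",
    "%s.%s.default.name" % (POLICY_SET, SKI_POLICY_ID): "Subject Key Identifier Extension Default",
}


def get_directive(path, key):
    """Return the value of a key=value line in a profile file, or None if absent."""
    with open(path) as f:
        for line in f:
            k, sep, v = line.partition("=")
            if sep and k.strip() == key:
                return v.strip()
    return None


def set_directive(path, key, value):
    """Replace key=value in place (keeping comments and line order) or append it.
    The file is rewritten through a temp file and renamed, so an interrupted
    upgrade never leaves a half-written profile behind."""
    lines, found = [], False
    with open(path) as f:
        for line in f:
            k, sep, _ = line.partition("=")
            if sep and k.strip() == key:
                lines.append("%s=%s\n" % (key, value))
                found = True
            else:
                lines.append(line)
    if not found:
        lines.append("%s=%s\n" % (key, value))
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.writelines(lines)
    os.replace(tmp, path)


def enable_subject_key_identifier(profile_path):
    """Add the subject-key-identifier policy to the profile.
    Returns True if the file was changed, False if there was nothing to do:
    no CA on this host, already enabled, or a profile that is not the stock one."""
    if not os.path.exists(profile_path):
        # Replica without a CA: there is no profile to upgrade; not an error.
        return False
    current = get_directive(profile_path, POLICY_SET + ".list")
    if current is None:
        return False  # not the layout we expect; do not guess
    ids = [p.strip() for p in current.split(",") if p.strip()]
    if SKI_POLICY_ID in ids:
        return False  # already enabled, so re-running the upgrade is a no-op
    if ids != STOCK_POLICY_LIST:
        return False  # site-customised profile: leave the admin's changes alone
    for key, value in SKI_DIRECTIVES.items():
        set_directive(profile_path, key, value)
    set_directive(profile_path, POLICY_SET + ".list", ",".join(ids + [SKI_POLICY_ID]))
    return True


def run_demo():
    """Exercise the three upgrade cases on a constructed profile fragment."""
    workdir = tempfile.mkdtemp()
    profile = os.path.join(workdir, "caIPAserviceCert.cfg")
    with open(profile, "w") as f:
        f.write("# constructed sample fragment, not a real Dogtag profile\n")
        f.write("desc=constructed sample\n")
        f.write("%s.list=1,2,3,4,5,6,7,8\n" % POLICY_SET)
        f.write("%s.8.default.class_id=signingAlgDefaultImpl\n" % POLICY_SET)
    first = enable_subject_key_identifier(profile)
    second = enable_subject_key_identifier(profile)  # idempotent re-run
    missing = enable_subject_key_identifier(os.path.join(workdir, "absent.cfg"))
    with open(profile) as f:
        text = f.read()
    return {
        "first_run": first,
        "second_run": second,
        "missing_file": missing,
        "list": get_directive(profile, POLICY_SET + ".list"),
        "constraint": get_directive(profile, POLICY_SET + ".10.constraint.class_id"),
        "comment_kept": text.startswith("# constructed"),
    }


if __name__ == "__main__":
    print(run_demo())
```

The profile path is computed once by the caller and passed in, which is the point of Martin's item 2; the existence check at the top is the missing handling from item 3, and returning False rather than raising lets ipa-upgradeconfig finish the remaining steps on a CA-less replica.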
