[Freeipa-devel] [PATCH] 983 add subject key identifier

Rob Crittenden rcritten at redhat.com
Wed Mar 14 21:31:03 UTC 2012


Martin Kosek wrote:
> On Wed, 2012-03-07 at 17:49 -0500, Rob Crittenden wrote:
>> Add subject key identifier to the dogtag server cert profile.
>>
>> This will add it on upgrades too and any new certs issued will have a
>> subject key identifier set.
>>
>> If the user has customized the profile themselves then this won't be
>> applied.
>>
>> rob
>
> NACK
>
> I found a few issues with the patch:
>
> 1) There is an extraneous pdb statement:
> +    import pdb; pdb.set_trace()
>
> 2) The name of the config file should be put in a variable once and not
> created every time again in enable_subject_key_identifier. It would be
> much more readable and less error prone:
> +            installutils.set_directive('/var/lib/%
> s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME,
> 'policyset.serverCertSet.list', '1,2,3,4,5,6,7,8,10', quotes=False,
> separator='=')
> +            installutils.set_directive('/var/lib/%
> s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME,
> 'policyset.serverCertSet.10.constraint.class_id', 'noConstraintImpl',
> quotes=False, separator='=')
> ...
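Review bot: the quoted set_directive calls write a fixed policy list '1,2,3,4,5,6,7,8,10' and the policy 10 constraint class unconditionally, while the cover letter says a profile the user has customized will not be touched; the guard that decides that should compare the current policyset.serverCertSet.list value (the one get_directive reads in the traceback further down this message) against the shipped default before any set_directive runs, and return early when the profile file is absent rather than letting open() raise IOError on a replica without a CA.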
>
> 3) We do not handle gracefully missing config file. This is what happens
> when replica without CA is upgraded:
> # rpm -Uvh --force /home/mkosek/dist-review/rpms/freeipa-*
> Preparing...                ########################################### [100%]
>     1:freeipa-python         ########################################### [ 17%]
>     2:freeipa-client         ########################################### [ 33%]
>     3:freeipa-admintools     ########################################### [ 50%]
>     4:freeipa-server         ########################################### [ 67%]
> Upgraded /etc/httpd/conf.d/ipa-pki-proxy.conf to version 1
> Traceback (most recent call last):
>    File "/usr/sbin/ipa-upgradeconfig", line 301, in<module>
>      sys.exit(main())
>    File "/usr/sbin/ipa-upgradeconfig", line 297, in main
>      upgrade_ipa_profile(krbctx.default_realm)
>    File "/usr/sbin/ipa-upgradeconfig", line 243, in upgrade_ipa_profile
>      if ca.enable_subject_key_identifier():
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1079, in enable_subject_key_identifier
>      setlist = installutils.get_directive('/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME, 'policyset.serverCertSet.list', separator='=')
>    File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 429, in get_directive
>      fd = open(filename, "r")
> IOError: [Errno 2] No such file or directory: '/var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg'
>     5:freeipa-server-selinux ########################################### [ 83%]
>     6:freeipa-debuginfo      ########################################### [100%]
>
> Martin
>

I think this should do it.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-983-2-dogtag.patch
Type: text/x-diff
Size: 6360 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120314/8cb4e9d3/attachment.bin>
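As an added illustration (not the attached patch and not FreeIPA's own code), the sketch below shows the three behaviours the thread asks for in one place: skip quietly when the profile file does not exist (replica without a CA), skip when the policy list differs from the shipped default (user-customized profile), and otherwise add policy 10 with noConstraintImpl to a copy of the profile. The config path and the `read_profile`/`write_profile` helpers are simplified stand-ins for installutils.get_directive/set_directive, and the policy keys other than the two quoted in the review are assumptions about the dogtag profile format.

```python
import os
import tempfile

# Assumption: the shipped (uncustomized) caIPAserviceCert profile lists
# policies 1-8; "10" is the new subject key identifier policy being added.
DEFAULT_POLICY_LIST = "1,2,3,4,5,6,7,8"
UPDATED_POLICY_LIST = "1,2,3,4,5,6,7,8,10"

# Directives for the new policy. The constraint class_id is the one quoted
# in the review; the remaining keys/values are assumed for illustration.
SKI_POLICY = {
    "policyset.serverCertSet.10.constraint.class_id": "noConstraintImpl",
    "policyset.serverCertSet.10.constraint.name": "No Constraint",
    "policyset.serverCertSet.10.default.class_id": "subjectKeyIdentifierExtDefaultImpl",
    "policyset.serverCertSet.10.default.name": "Subject Key Identifier Extension Default",
    "policyset.serverCertSet.10.default.params.critical": "false",
}


def read_profile(path):
    """Parse a key=value profile file into a dict, or return None if the
    file is absent (no CA on this host). Comments and blank lines are kept
    out of the dict; ordering of directives is preserved."""
    if not os.path.exists(path):
        return None
    directives = {}
    with open(path) as fd:
        for line in fd:
            line = line.rstrip("\n")
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            directives[key.strip()] = value.strip()
    return directives


def write_profile(path, directives):
    """Write the directives back as key=value lines via a temp file and an
    atomic rename, so a crash mid-write never leaves a half-written profile."""
    tmp = path + ".tmp"
    with open(tmp, "w") as fd:
        for key, value in directives.items():
            fd.write("%s=%s\n" % (key, value))
    os.replace(tmp, path)


def enable_subject_key_identifier(profile_path):
    """Return one of: 'no-ca', 'customized', 'already', 'updated'."""
    directives = read_profile(profile_path)
    if directives is None:
        return "no-ca"            # replica without a CA: nothing to upgrade
    current = directives.get("policyset.serverCertSet.list", "")
    if current == UPDATED_POLICY_LIST:
        return "already"          # upgrade already applied, stay idempotent
    if current != DEFAULT_POLICY_LIST:
        return "customized"       # user changed the profile: leave it alone
    directives["policyset.serverCertSet.list"] = UPDATED_POLICY_LIST
    directives.update(SKI_POLICY)
    write_profile(profile_path, directives)
    return "updated"


def run_scenarios():
    """Exercise the four outcomes on constructed profile files in a temp dir
    and return them in order, so the behaviour can be checked without a CA."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "caIPAserviceCert.cfg")
    outcomes = []
    outcomes.append(enable_subject_key_identifier(path))      # file missing
    with open(path, "w") as fd:                               # constructed default profile
        fd.write("desc=IPA service certificate profile\n")
        fd.write("policyset.serverCertSet.list=%s\n" % DEFAULT_POLICY_LIST)
    outcomes.append(enable_subject_key_identifier(path))      # first upgrade
    outcomes.append(enable_subject_key_identifier(path))      # re-run after upgrade
    with open(path, "w") as fd:                               # constructed customized profile
        fd.write("policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9\n")
    outcomes.append(enable_subject_key_identifier(path))      # customized
    return outcomes


def upgraded_profile():
    """Return the directives of a freshly upgraded constructed profile."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "caIPAserviceCert.cfg")
    with open(path, "w") as fd:
        fd.write("policyset.serverCertSet.list=%s\n" % DEFAULT_POLICY_LIST)
    enable_subject_key_identifier(path)
    return read_profile(path)


if __name__ == "__main__":
    print(run_scenarios())
```

The path is passed in rather than rebuilt from PKI_INSTANCE_NAME at every call, which is the readability point raised in the review, and the missing-file case returns a value instead of propagating IOError, which is what the failed replica upgrade needs.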
