[Freeipa-devel] [PATCH] 983 add subject key identifier

Martin Kosek mkosek at redhat.com
Thu Mar 15 08:56:39 UTC 2012


On Wed, 2012-03-14 at 17:31 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Wed, 2012-03-07 at 17:49 -0500, Rob Crittenden wrote:
> >> Add subject key identifier to the dogtag server cert profile.
> >>
> >> This will add it on upgrades too and any new certs issued will have a
> >> subject key identifier set.
> >>
> >> If the user has customized the profile themselves then this won't be
> >> applied.
> >>
> >> rob
> >
> > NACK
> >
> > I found few issues with the patch:
> >
> > 1) There is an extraneous pdb statement:
> > +    import pdb; pdb.set_trace()
> >
> > 2) The name of the config file should be put into a variable once and not
> > built again every time in enable_subject_key_identifier. It would be
> > much more readable and less error prone:
> > +            installutils.set_directive('/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME, 'policyset.serverCertSet.list', '1,2,3,4,5,6,7,8,10', quotes=False, separator='=')
> > +            installutils.set_directive('/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME, 'policyset.serverCertSet.10.constraint.class_id', 'noConstraintImpl', quotes=False, separator='=')
> > ...
> >
> > 3) We do not gracefully handle a missing config file. This is what happens
> > when a replica without a CA is upgraded:
> > # rpm -Uvh --force /home/mkosek/dist-review/rpms/freeipa-*
> > Preparing...                ########################################### [100%]
> >     1:freeipa-python         ########################################### [ 17%]
> >     2:freeipa-client         ########################################### [ 33%]
> >     3:freeipa-admintools     ########################################### [ 50%]
> >     4:freeipa-server         ########################################### [ 67%]
> > Upgraded /etc/httpd/conf.d/ipa-pki-proxy.conf to version 1
> > Traceback (most recent call last):
> >    File "/usr/sbin/ipa-upgradeconfig", line 301, in <module>
> >      sys.exit(main())
> >    File "/usr/sbin/ipa-upgradeconfig", line 297, in main
> >      upgrade_ipa_profile(krbctx.default_realm)
> >    File "/usr/sbin/ipa-upgradeconfig", line 243, in upgrade_ipa_profile
> >      if ca.enable_subject_key_identifier():
> >    File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 1079, in enable_subject_key_identifier
> >      setlist = installutils.get_directive('/var/lib/%s/profiles/ca/caIPAserviceCert.cfg' % PKI_INSTANCE_NAME, 'policyset.serverCertSet.list', separator='=')
> >    File "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", line 429, in get_directive
> >      fd = open(filename, "r")
> > IOError: [Errno 2] No such file or directory: '/var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg'
> >     5:freeipa-server-selinux ########################################### [ 83%]
> >     6:freeipa-debuginfo      ########################################### [100%]
> >
> > Martin
> >
> 
> I think this should do it.
> 
> rob

Yup, it's much better. ACK. Pushed to master, ipa-2-2.

Martin
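The two review points above, skipping a missing profile file instead of tracing back and leaving a customised profile untouched, as an added Python example that is not the FreeIPA patch itself. The sample profile contents, the shipped policy list `1,2,3,4,5,6,7,8` and the SKI default class name are assumptions; only `policyset.serverCertSet.list`, policy index 10 and `noConstraintImpl` come from the thread.

```python
import os
import tempfile

# Constructed sample of the relevant lines of a Dogtag profile config
# (key=value format, as in caIPAserviceCert.cfg); not the real file.
SAMPLE_PROFILE = (
    "desc=IPA service certificate profile\n"
    "policyset.serverCertSet.list=1,2,3,4,5,6,7,8\n"
    "policyset.serverCertSet.8.constraint.class_id=noConstraintImpl\n"
)
LIST_KEY = "policyset.serverCertSet.list"
DEFAULT_LIST = "1,2,3,4,5,6,7,8"  # assumed shipped list before the change
SKI_POLICY_ID = "10"               # index used in the reviewed patch
# Assumed Dogtag class name; the mail only shows the constraint class.
SKI_DEFAULT_CLASS = "subjectKeyIdentifierExtDefaultImpl"

def enable_subject_key_identifier(profile_path):
    """Append the SKI policy to the serverCertSet list, idempotently.
    Returns False, without raising, when the file is missing (replica with
    no CA), when policy 10 is already listed, or when the list is not the
    shipped default (the admin customised the profile)."""
    if not os.path.exists(profile_path):
        return False
    with open(profile_path) as f:
        lines = f.read().splitlines()
    directives = dict(l.split("=", 1) for l in lines
                      if "=" in l and not l.startswith("#"))
    if directives.get(LIST_KEY) != DEFAULT_LIST:
        return False
    new_list = LIST_KEY + "=" + DEFAULT_LIST + "," + SKI_POLICY_ID
    out = [new_list if l.startswith(LIST_KEY + "=") else l for l in lines]
    prefix = "policyset.serverCertSet.%s." % SKI_POLICY_ID
    out.append(prefix + "constraint.class_id=noConstraintImpl")
    out.append(prefix + "default.class_id=" + SKI_DEFAULT_CLASS)
    with open(profile_path, "w") as f:
        f.write("\n".join(out) + "\n")
    return True

def demo():
    """Upgrade a constructed profile twice, then try a missing file."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "caIPAserviceCert.cfg")
    with open(path, "w") as f:
        f.write(SAMPLE_PROFILE)
    first = enable_subject_key_identifier(path)    # True: list extended
    second = enable_subject_key_identifier(path)   # False: already applied
    missing = enable_subject_key_identifier(os.path.join(tmpdir, "absent.cfg"))
    with open(path) as f:
        lists = [l.strip() for l in f if l.startswith(LIST_KEY + "=")]
    return first, second, missing, lists
```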
