URL: https://github.com/freeipa/freeipa/pull/5329
Author: flo-renaud
Title: #5329: [Backport][ipa-4-6] Improve PKI subsystem detection
Action: opened

PR body:
"""
This is a manual backport of PR #5290 to ipa-4-6 branch.
Cherry-pick had issues with the tests commit (missing imports, line length).
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5329/head:pr5329
git checkout pr5329
From 92d4d22472109e7bdb37ca6c645c3c4b4c511c4c Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <f...@redhat.com>
Date: Wed, 25 Nov 2020 09:53:54 +0100
Subject: [PATCH 1/2] Improve PKI subsystem detection

The dogtaginstance.is_installed() method currently relies on
the presence of the directory /var/lib/pki/pki-tomcat/{ca|kra},
even if it is empty.
An unwanted consequence is ipa-server-upgrade wrongly assuming the KRA
is installed and crashing when trying to upgrade a not-installed
component.

The fix relies on the command "pki-server subsystem-show {ca|kra}" to
detect if a subsystem is installed. The command does not require PKI
to be running (hence can be called anytime) and is delivered by
the pki-server package which is already required by ipa server pkg.

Fixes: https://pagure.io/freeipa/issue/8596
Reviewed-By: Alexander Bokovoy <aboko...@redhat.com>
---
 ipaserver/install/dogtaginstance.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index a84368344f5..7f26696850c 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -148,8 +148,14 @@ def is_installed(self):
 
         Returns True/False
         """
-        return os.path.exists(os.path.join(
-            paths.VAR_LIB_PKI_TOMCAT_DIR, self.subsystem.lower()))
+        try:
+            result = ipautil.run(
+                ['pki-server', 'subsystem-show', self.subsystem.lower()],
+                capture_output=True)
+            # parse the command output
+            return 'Enabled: True' in result.output
+        except ipautil.CalledProcessError:
+            return False
 
     def spawn_instance(self, cfg_file, nolog_list=()):
         """
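Review bot: the substring test `'Enabled: True' in result.output` conflates "installed" with "enabled" and is brittle against output formatting: a subsystem that is installed but disabled makes `is_installed()` return False, and any stray "Enabled: True" elsewhere in the output flips it to True. If the intended semantic is presence, a successful `pki-server subsystem-show` (exit 0) is already the signal and only `CalledProcessError` needs mapping to False; if enabled-ness is intended, match the specific line, e.g. `any(line.strip() == 'Enabled: True' for line in result.output.splitlines())`. Note also that the replaced `os.path.exists` check could never raise, whereas a missing `pki-server` binary makes `ipautil.run` raise `OSError`, not `CalledProcessError`, which now propagates out of `is_installed()`; the commit message argues pki-server is a hard dependency, so this is acceptable, but a comment on that assumption would help the next reader.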

From db5d4ca3268b13f1f82705b0fb70aef4835a413b Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <f...@redhat.com>
Date: Wed, 25 Nov 2020 10:00:39 +0100
Subject: [PATCH 2/2] ipatests: add test for PKI subsystem detection

Add a new upgrade test. Scenario:
- create an empty /var/lib/pki/pki-tomcat/kra directory
- call ipa-server-upgrade

With issue 8596, the upgrade fails because it assumes KRA is
installed. With the fix, ipa-server-upgrade completes successfully.

Related: https://pagure.io/freeipa/issue/8596
Reviewed-By: Alexander Bokovoy <aboko...@redhat.com>
---
 ipatests/pytest_ipa/integration/tasks.py  | 12 +++++++++
 ipatests/test_integration/test_upgrade.py | 30 +++++++++++++++++++++++
 2 files changed, 42 insertions(+)

diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index cab2911feed..3bdaba72467 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -1938,3 +1938,15 @@ def get_sssd_version(host):
     """Get sssd version on remote host."""
     version = host.run_command('sssd --version').stdout_text.strip()
     return parse_version(version)
+
+
+def get_pki_version(host):
+    """Get pki version on remote host."""
+    data = host.get_file_contents("/usr/share/pki/VERSION", encoding="utf-8")
+
+    groups = re.match(r'.*\nSpecification-Version: ([\d+\.]*)\n.*', data)
+    if groups:
+        version_string = groups.groups(0)[0]
+        return parse_version(version_string)
+    else:
+        raise ValueError("get_pki_version: pki is not installed")
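Review bot: the regex in `get_pki_version` is fragile. `.*` does not cross newlines without `re.DOTALL`, so `re.match(r'.*\nSpecification-Version: ...')` only succeeds when that key sits on the second line of /usr/share/pki/VERSION, and the class `[\d+\.]*` admits a literal `+` and an empty match. Prefer `re.search(r'^Specification-Version: ([\d.]+)$', data, re.MULTILINE)` and read the capture with `groups.group(1)` rather than `groups.groups(0)[0]`. The hunk also uses `re` without adding the import, so please confirm tasks.py already imports it.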
diff --git a/ipatests/test_integration/test_upgrade.py b/ipatests/test_integration/test_upgrade.py
index ff8e186adf1..273671a3dfc 100644
--- a/ipatests/test_integration/test_upgrade.py
+++ b/ipatests/test_integration/test_upgrade.py
@@ -7,7 +7,11 @@
 """
 
 import base64
+import os
 from cryptography.hazmat.primitives import serialization
+import pytest
+
+from ipaplatform.paths import paths
 from ipapython.dn import DN
 from ipatests.test_integration.base import IntegrationTest
 from ipatests.pytest_ipa.integration import tasks
@@ -72,3 +76,29 @@ def test_admin_root_alias_upgrade_CVE_2020_10747(self):
         self.master.run_command(['ipa-server-upgrade'])
         result = self.master.run_command(["ipa", "user-show", "admin"])
         assert rootprinc in result.stdout_text
+
+    def test_kra_detection(self):
+        """Test that ipa-server-upgrade correctly detects KRA presence
+
+        Test for https://pagure.io/freeipa/issue/8596
+        When the directory /var/lib/pki/pki-tomcat/kra/ exists, the upgrade
+        wrongly assumes that KRA component is installed and crashes.
+        The test creates an empty dir and calls ipa-server-upgrade
+        to make sure that KRA detection is not based on the directory
+        presence.
+        """
+        # Skip test if pki 10.10.0 is installed
+        # because of https://github.com/dogtagpki/pki/issues/3397
+        # pki fails to start if empty dir /var/lib/pki/pki-tomcat/kra exists
+        if tasks.get_pki_version(self.master) \
+           == tasks.parse_version('10.10.0'):
+            pytest.skip("Skip test with pki 10.10.0")
+
+        kra_path = os.path.join(paths.VAR_LIB_PKI_TOMCAT_DIR, "kra")
+        try:
+            self.master.run_command(["mkdir", "-p", kra_path])
+            result = self.master.run_command(['ipa-server-upgrade'])
+            err_msg = 'Upgrade failed with no such entry'
+            assert err_msg not in result.stderr_text
+        finally:
+            self.master.run_command(["rmdir", kra_path])
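Review bot: the skip guard compares for exact equality with `tasks.parse_version('10.10.0')`; if the dogtag issue cited in the comment also affects later 10.10.x builds, the test will hit the pki start failure instead of skipping, so either compare against the affected range or add a comment explaining why exact equality is right. Also, `self.master.run_command(['ipa-server-upgrade'])` raises on non-zero exit by default, so the `err_msg not in result.stderr_text` assertion only adds value if the upgrade can print that message and still exit 0; and the `rmdir` in `finally` will fail (masking the original failure) if the upgrade or pki wrote anything into `kra_path`, so a more robust cleanup or an explicit comment about the expected-empty directory would be safer.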
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org