URL: https://github.com/freeipa/freeipa/pull/5329 Author: flo-renaud Title: #5329: [Backport][ipa-4-6] Improve PKI subsystem detection Action: opened
PR body: """ This is a manual backport of PR #5290 to ipa-4-6 branch. Cherry-pick had issues with the tests commit (missing imports, line length). """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5329/head:pr5329 git checkout pr5329
From 92d4d22472109e7bdb37ca6c645c3c4b4c511c4c Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <f...@redhat.com>
Date: Wed, 25 Nov 2020 09:53:54 +0100
Subject: [PATCH 1/2] Improve PKI subsystem detection The dogtaginstance.is_installed() method currently relies on the presence of the directory /var/lib/pki/pki-tomcat/{ca|kra}, even if it is empty. An unwanted consequence is ipa-server-upgrade wrongly assuming the KRA is installed and crashing when trying to upgrade a not-installed component. The fix relies on the command "pki-server subsystem-show {ca|kra}" to detect if a subsystem is installed. The command does not require PKI to be running (hence can be called anytime) and is delivered by the pki-server package which is already required by ipa server pkg. Fixes: https://pagure.io/freeipa/issue/8596 Reviewed-By: Alexander Bokovoy <aboko...@redhat.com>
---
 ipaserver/install/dogtaginstance.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index a84368344f5..7f26696850c 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -148,8 +148,14 @@ def is_installed(self):
 Returns True/False
 """
- return os.path.exists(os.path.join(
- paths.VAR_LIB_PKI_TOMCAT_DIR, self.subsystem.lower()))
+ try:
+ result = ipautil.run(
+ ['pki-server', 'subsystem-show', self.subsystem.lower()],
+ capture_output=True)
+ # parse the command output
+ return 'Enabled: True' in result.output
+ except ipautil.CalledProcessError:
+ return False
 def spawn_instance(self, cfg_file, nolog_list=()):
 """
From db5d4ca3268b13f1f82705b0fb70aef4835a413b Mon Sep 17 00:00:00 2001
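Review bot: The new `except ipautil.CalledProcessError` clause in is_installed() only covers a non-zero exit from pki-server; if the binary is missing or not executable, ipautil.run presumably surfaces an OSError (FileNotFoundError) instead, which escapes a method that callers use as a plain boolean probe and would abort ipa-server-upgrade rather than report "not installed". If that is the intended semantics, `except (ipautil.CalledProcessError, OSError):` keeps the probe total. Separately, `'Enabled: True' in result.output` tests whether the subsystem is enabled rather than installed, so an installed-but-disabled subsystem reads as absent, and a substring match on human-readable CLI output silently flips every subsystem to absent if the wording of that line ever changes. That deserves a docstring sentence such as `A subsystem that is present but disabled is reported as not installed.` and a comment naming the exact pki-server output line relied on. The is_installed() signature and the start of its docstring lie above this hunk.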
From: Florence Blanc-Renaud <f...@redhat.com>
Date: Wed, 25 Nov 2020 10:00:39 +0100
Subject: [PATCH 2/2] ipatests: add test for PKI subsystem detection Add a new upgrade test. Scenario: - create an empty /var/lib/pki/pki-tomcat/kra directory - call ipa-server-upgrade With issue 8596, the upgrade fails because it assumes KRA is installed. With the fix, ipa-server-upgrade completes successfully. Related: https://pagure.io/freeipa/issue/8596 Reviewed-By: Alexander Bokovoy <aboko...@redhat.com>
---
 ipatests/pytest_ipa/integration/tasks.py | 12 +++++++++
 ipatests/test_integration/test_upgrade.py | 30 +++++++++++++++++++++++
 2 files changed, 42 insertions(+)
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index cab2911feed..3bdaba72467 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -1938,3 +1938,15 @@ def get_sssd_version(host):
 """Get sssd version on remote host."""
 version = host.run_command('sssd --version').stdout_text.strip()
 return parse_version(version)
+
+
+def get_pki_version(host):
+ """Get pki version on remote host."""
+ data = host.get_file_contents("/usr/share/pki/VERSION", encoding="utf-8")
+
+ groups = re.match(r'.*\nSpecification-Version: ([\d+\.]*)\n.*', data)
+ if groups:
+ version_string = groups.groups(0)[0]
+ return parse_version(version_string)
+ else:
+ raise ValueError("get_pki_version: pki is not installed")
diff --git a/ipatests/test_integration/test_upgrade.py b/ipatests/test_integration/test_upgrade.py
index ff8e186adf1..273671a3dfc 100644
--- a/ipatests/test_integration/test_upgrade.py
+++ b/ipatests/test_integration/test_upgrade.py
@@ -7,7 +7,11 @@
 """
 import base64
+import os
 from cryptography.hazmat.primitives import serialization
+import pytest
+
+from ipaplatform.paths import paths
 from ipapython.dn import DN
 from ipatests.test_integration.base import IntegrationTest
 from ipatests.pytest_ipa.integration import tasks
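Review bot: The `re.match(r'.*\nSpecification-Version: ([\d+\.]*)\n.*', data)` call in get_pki_version() only succeeds when the `Specification-Version:` line is the second line of /usr/share/pki/VERSION, because `.` does not cross newlines without re.DOTALL, so the leading `.*\n` can consume exactly the first line and nothing else. With any other layout the function raises `ValueError("get_pki_version: pki is not installed")` on a host where pki is installed, which turns the skip guard in test_kra_detection into a test error; the class `[\d+\.]*` also admits a literal `+` and an empty match. A line-anchored search is independent of position: `match = re.search(r'^Specification-Version:\s*([\d.]+)$', data, re.MULTILINE)`, then `if match:` and `version_string = match.group(1)` in place of the `groups.groups(0)[0]` indexing. I have not checked the current layout of that VERSION file, so the existing pattern may happen to work today and break on a reordering.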
@@ -72,3 +76,29 @@ def test_admin_root_alias_upgrade_CVE_2020_10747(self):
 self.master.run_command(['ipa-server-upgrade'])
 result = self.master.run_command(["ipa", "user-show", "admin"])
 assert rootprinc in result.stdout_text
+
+ def test_kra_detection(self):
+ """Test that ipa-server-upgrade correctly detects KRA presence
+
+ Test for https://pagure.io/freeipa/issue/8596
+ When the directory /var/lib/pki/pki-tomcat/kra/ exists, the upgrade
+ wrongly assumes that KRA component is installed and crashes.
+ The test creates an empty dir and calls ipa-server-upgrade
+ to make sure that KRA detection is not based on the directory
+ presence.
+ """
+ # Skip test if pki 10.10.0 is installed
+ # because of https://github.com/dogtagpki/pki/issues/3397
+ # pki fails to start if empty dir /var/lib/pki/pki-tomcat/kra exists
+ if tasks.get_pki_version(self.master) \
+ == tasks.parse_version('10.10.0'):
+ pytest.skip("Skip test with pki 10.10.0")
+
+ kra_path = os.path.join(paths.VAR_LIB_PKI_TOMCAT_DIR, "kra")
+ try:
+ self.master.run_command(["mkdir", "-p", kra_path])
+ result = self.master.run_command(['ipa-server-upgrade'])
+ err_msg = 'Upgrade failed with no such entry'
+ assert err_msg not in result.stderr_text
+ finally:
+ self.master.run_command(["rmdir", kra_path])
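Review bot: test_kra_detection() assumes `kra_path` does not exist before the test, but nothing checks that; `mkdir -p` succeeds silently on an existing directory, so on a master that already has a KRA (or a leftover directory from an earlier run) the test no longer exercises the empty-directory case, and the `rmdir` in `finally` then either removes a directory the test did not create or fails on a non-empty one and masks the real outcome. A precondition such as `assert not self.master.transport.file_exists(kra_path)` placed before the `try` makes that situation fail loudly instead. The `err_msg not in result.stderr_text` assertion is a secondary check, since as far as I know run_command raises on a non-zero exit by default, so a crashing upgrade already fails the test before the assert is reached; a one-line comment saying so would spare the next reader from wondering why a passing upgrade is only checked for one message.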