author | Ade Lee <alee@redhat.com> | 2014-09-01 12:53:28 -0400 |
committer | Ade Lee <alee@redhat.com> | 2014-09-02 15:45:33 -0400 |
commit | 0507afc6b1226b2878aafde8487eba736c74514f (patch) | |
tree | d08bc1b97c7652ce30396619a126b1dab494bb0d /base/server | |
parent | 99e6330ce13e55ac325d76bdc33f1b1b00cba5d3 (diff) | |
Fix kra-connector-remove
The code to remove the connector from the pki CLI was found to be broken
because of invalid message type (partly due to void returns).
On uninstall, we need to remove the kra-connector from all relevant CA's
in the security domain. The best way to do this is to keep kra-connector
info in LDAP, so that only one call is needed. Until that change has
been made, we are adding a hack to remove the connector from all CA's
in the security domain (if it exists).
Due to issues with proxy configurations, we will continue to use sslget
and a url-encoded-form version of the servlet.
In addition, it was found that when removing a KRA from a shared subsystem,
the updateDomainXML servlet was erroneously returning failure when it
was unsuccessful in removing a non-existent user from a group.
Ticket 1113
Diffstat (limited to 'base/server')
5 files changed, 76 insertions, 23 deletions
diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java b/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java index b958791bb..2fe78bf2a 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java +++ b/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java @@ -57,7 +57,8 @@ public class PKIService { public static List<MediaType> MESSAGE_FORMATS = Arrays.asList( MediaType.APPLICATION_XML_TYPE, - MediaType.APPLICATION_JSON_TYPE + MediaType.APPLICATION_JSON_TYPE, + MediaType.APPLICATION_FORM_URLENCODED_TYPE ); public final static int MIN_FILTER_LENGTH = 3; diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java index b783c359b..9aa150475 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java +++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java @@ -96,7 +96,8 @@ public class UpdateDomainXML extends CMSServlet { conn = connFactory.getConn(); conn.delete(dn); } catch (LDAPException e) { - if (e.getLDAPResultCode() != LDAPException.NO_SUCH_OBJECT) { + int resultCode = e.getLDAPResultCode(); + if (resultCode != LDAPException.NO_SUCH_OBJECT) { status = FAILED; CMS.debug("Failed to delete entry" + e.toString()); } @@ -129,7 +130,9 @@ public class UpdateDomainXML extends CMSServlet { conn = connFactory.getConn(); conn.modify(dn, mod); } catch (LDAPException e) { - if (e.getLDAPResultCode() != LDAPException.NO_SUCH_OBJECT) { + int resultCode = e.getLDAPResultCode(); + if ((resultCode != LDAPException.NO_SUCH_OBJECT) && + (resultCode != LDAPException.NO_SUCH_ATTRIBUTE)) { status = FAILED; CMS.debug("Failed to modify entry" + e.toString()); } diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py index 823a20711..afb7eea29 100644 
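Review bot: The added `MediaType.APPLICATION_FORM_URLENCODED_TYPE` widens `MESSAGE_FORMATS` for every service built on `PKIService`, while the description only needs a form-encoded variant of the kra-connector servlet for sslget. Form-encoded bodies are also the content type a browser can post cross-origin without a CORS preflight, so every endpoint consulting this list now accepts such requests; that is likely harmless where the servlets authenticate by client certificate, but the intent should be recorded. A comment on the new line such as `// accepted so sslget-based callers (kra-connector-remove via proxy) can reach the servlets` would document why the list was widened. The enclosing class continues outside the hunk.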
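Review bot: In the `conn.modify` hunk of UpdateDomainXML.java a `NO_SUCH_ATTRIBUTE` result now leaves `status` untouched and also skips the `CMS.debug` call, so a modify that did nothing leaves no trace in the log; the pre-existing `NO_SUCH_OBJECT` case in the `conn.delete` hunk above it behaves the same way. Treating the missing group member as success is what the description intends, but a debug line in the tolerated branch, e.g. `CMS.debug("UpdateDomainXML: modify of " + dn + " skipped, LDAP result " + resultCode);`, keeps the no-op visible when security-domain membership is diagnosed later. The surrounding method starts and ends outside the hunk.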
--- a/base/server/python/pki/server/deployment/pkihelper.py +++ b/base/server/python/pki/server/deployment/pkihelper.py @@ -27,6 +27,7 @@ import os import fileinput import random import re +import requests.exceptions import shutil from shutil import Error, WindowsError import string @@ -2649,20 +2650,9 @@ class KRAConnector: self.mdict['pki_target_cs_cfg']) krahost = cs_cfg.get('service.machineName') kraport = cs_cfg.get('pkicreate.secure_port') - cahost = cs_cfg.get('cloning.ca.hostname') - caport = cs_cfg.get('cloning.ca.httpsport') - if cahost is None or\ - caport is None: - config.pki_log.warning( - log.PKIHELPER_KRACONNECTOR_UPDATE_FAILURE, - extra=config.PKI_INDENTATION_LEVEL_2) - config.pki_log.error( - log.PKIHELPER_UNDEFINED_CA_HOST_PORT, - extra=config.PKI_INDENTATION_LEVEL_2) - if critical_failure: - raise Exception(log.PKIHELPER_UNDEFINED_CA_HOST_PORT) - else: - return + proxy_secure_port = cs_cfg.get('proxy.securePort', '') + if proxy_secure_port != '': + kraport = proxy_secure_port # retrieve subsystem nickname subsystemnick = cs_cfg.get('kra.cert.subsystem.nickname') 
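Review bot: `if proxy_secure_port != '':` in the `@@ -2649` hunk tests the empty-string default explicitly where the idiomatic `if proxy_secure_port:` reads the same and also covers a `None` value should `cs_cfg.get` ever return one. The override also changes only `kraport`, while `krahost` stays `service.machineName`; the host:port pair appears to be what identifies the connector entry to remove on each CA, so if a configured proxy can sit on a different host the pair would not match what was registered — worth confirming, or stating the assumption in a comment such as `# proxy.securePort wins when set; the proxy is assumed to front the KRA on the same host`. The enclosing method starts before and continues past this hunk.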
@@ -2703,9 +2693,49 @@ class KRAConnector: else: return - self.execute_using_sslget( - caport, cahost, subsystemnick, - token_pwd, krahost, kraport) + # Note: this is a hack to resolve Trac Ticket 1113 + # We need to remove the KRA connector data from all relevant clones, + # but we have no way of easily identifying which instances are + # the right ones. Instead, We will attempt to remove the KRA + # connector from all CAs in the security domain. + # The better - and long term solution is to store the connector + # configuration in LDAP so that updating one clone will + # automatically update the rest. + # TODO(alee): Fix this logic once we move connector data to LDAP + + # get a list of all the CA's in the security domain + # noinspection PyBroadException + # pylint: disable-msg=W0703 + sechost = cs_cfg.get('securitydomain.host') + secport = cs_cfg.get('securitydomain.httpsadminport') + try: + ca_list = self.get_ca_list_from_security_domain( + sechost, secport) + except Exception as e: + config.pki_log.error( + "unable to access security domain. Continuing .. " + str(e), + extra=config.PKI_INDENTATION_LEVEL_2) + ca_list = [] + + for ca in ca_list: + ca_host = ca.hostname + ca_port = ca.secure_port + + # catching all exceptions because we do not want to break if + # the auth is not successful or servers are down. In the + # worst case, we will time out anyways. + # noinspection PyBroadException + # pylint: disable-msg=W0703 + try: + self.execute_using_sslget( + ca_port, ca_host, subsystemnick, + token_pwd, krahost, kraport) + except Exception: + # ignore exceptions + config.pki_log.warning( + log.PKIHELPER_KRACONNECTOR_DEREGISTER_FAILURE_4, + str(krahost), str(kraport), str(ca_host), str(ca_port), + extra=config.PKI_INDENTATION_LEVEL_2) except subprocess.CalledProcessError as exc: config.pki_log.warning( 
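Review bot: The `except Exception:` around `execute_using_sslget` discards the exception, so when a CA keeps a stale connector entry the warning names the host:port but gives no reason (TLS failure, authentication rejection, timeout), unlike the security-domain branch just above it that appends `str(e)`. Binding it as `except Exception as e:` and adding `config.pki_log.debug(str(e), extra=config.PKI_INDENTATION_LEVEL_2)` after the warning keeps the swallow-and-continue behaviour the comment asks for while leaving something to diagnose. A connector left behind on an unreachable CA is a real outcome here — the loop continues and the method returns normally — so that warning is all the operator has to act on. The enclosing method starts before and continues past this hunk.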
@@ -2719,6 +2749,24 @@ class KRAConnector: raise return + @staticmethod + def get_ca_list_from_security_domain(sechost, secport): + sd_connection = pki.client.PKIConnection( + protocol='https', + hostname=sechost, + port=secport, + subsystem='ca') + sd = pki.system.SecurityDomainClient(sd_connection) + try: + info = sd.get_security_domain_info() + except requests.exceptions.HTTPError as e: + config.pki_log.info( + "unable to access security domain through REST interface. " + + "Trying old interface. " + str(e), + extra=config.PKI_INDENTATION_LEVEL_2) + info = sd.get_old_security_domain_info() + return info.systems['CA'].hosts.values() + def execute_using_pki( self, caport, cahost, subsystemnick, token_pwd, krahost, kraport, critical_failure=False): @@ -2732,8 +2780,7 @@ class KRAConnector: "ca-kraconnector-del", krahost, str(kraport)] output = subprocess.check_output(command, - stderr=subprocess.STDOUT, - shell=True) + stderr=subprocess.STDOUT) error = re.findall("ClientResponseFailure:(.*?)", output) if error: diff --git a/base/server/python/pki/server/deployment/pkimessages.py b/base/server/python/pki/server/deployment/pkimessages.py index 8b5ce3f2c..1c21e8689 100644 --- a/base/server/python/pki/server/deployment/pkimessages.py +++ b/base/server/python/pki/server/deployment/pkimessages.py @@ -216,6 +216,8 @@ PKIHELPER_KRACONNECTOR_UPDATE_CONTACT = \ PKIHELPER_KRACONNECTOR_UPDATE_FAILURE = "Failed to update KRA connector on CA" PKIHELPER_KRACONNECTOR_UPDATE_FAILURE_2 = \ "Failed to update KRA connector for %s:%s" +PKIHELPER_KRACONNECTOR_DEREGISTER_FAILURE_4 = \ + "Failed to deregister KRA connector %s:%s from CA %s:%s" PKIHELPER_LINK_S_2 = "ln -s %s %s" PKIHELPER_MKDIR_1 = "mkdir -p %s" PKIHELPER_MODIFY_DIR_1 = "modifying '%s'" diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py index 3b2a99c9f..1f6cbe0b4 100644 --- a/base/server/python/pki/server/deployment/pkiparser.py 
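Review bot: `info.systems['CA'].hosts.values()` in `get_ca_list_from_security_domain` raises `KeyError` when the domain lists no CA, and the caller then logs "unable to access security domain", which misdescribes the situation; if `systems` is a plain dict, `ca = info.systems.get('CA')` followed by `return ca.hosts.values() if ca else []` makes the empty case explicit. The `except requests.exceptions.HTTPError` fallback also fires on 401/403/5xx responses, not only on a missing REST endpoint, so a denied or failing new interface is retried through the old one — presumably intended for mixed-version domains, but worth a comment saying so. Whether `PKIConnection` verifies the security domain's server certificate is not visible in this hunk; since the returned list decides which hosts the KRA then contacts with its subsystem credentials, that is worth confirming in `pki.client`.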
+++ b/base/server/python/pki/server/deployment/pkiparser.py
@@ -27,7 +27,7 @@ import ldap
 import logging
 import os
 import random
-import requests
+import requests.exceptions
 import string
 import subprocess
 import xml.etree.ElementTree as ET
|