| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently when installing an additional subsystem to an existing
instance the install tool always generates a new random password in
the pki_pin property which would not work with the existing NSS
database. The code has been modified to load the existing NSS
database password from the instance if the instance already exists.
The PKIInstance class has been modified to allow loading partially
created instance to help the installation.
https://fedorahosted.org/pki/ticket/2247
|
|
|
|
|
|
|
| |
The pki CLI's --pkcs12 options has been renamed to --pkcs12-file
for consistency with pki-server CLI options.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
| |
The upgrade uses instance and subsystem as keys for dicts.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ticket 1742 has a case where a third party CA certificate has
been added by IPA to the dogtag certdb for the proxy cert.
There is no way to ensure that this certificate is imported
when the system is cloned.
This patch will allow the user to import third party certificates
into a dogtag instance through CLI commands (pki-server).
The certs are tracked by a new instance level configuration file
external_certs.conf.
Then, when cloning:
1. When the pk12 file is created by the pki-server ca-clone-prepare
command, the external certs are automatically included.
2. When creating the clone, the new pki_server_pk12_path and
password must be provided. Also, a copy of the
external_certs.conf file must be provided.
3. This copy will be read and merged with the existing
external_certs.conf if one exists.
|
|
|
|
|
|
|
|
| |
In Python 3 subclasses no longer implement automatic ordering. To
provide ordering for sort() and custom comparison, __eq__ and __lt__ are
required.
https://fedorahosted.org/pki/ticket/2216
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some pki-server commands have been added to simplify exporting
the required certificates for subsystem installations. These
commands will invoke the pki pkcs12 utility to export the
certificates from the instance NSS database.
The pki-server ca-cert-chain-export command will export the
the certificate chain needed for installing additional
subsystems running on a separate instance.
The pki-server <subsystem>-clone-prepare commands will export
the certificates required for cloning a subsystem.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
| |
I forgot to decode the output of subprocess.check_call(). All other
places decode bytes to text properly.
|
|
|
|
| |
https://fedorahosted.org/pki/ticket/1738
|
|
|
|
|
|
|
| |
The pki.nss module has been renamed into pki.nssdb to prevent
conflicts with the nss module.
https://fedorahosted.org/pki/ticket/456
|
|
|
|
|
|
|
|
|
| |
A lot of Python files start with a #!/usr/bin/python shebang although
the files are neither executables nor designed as scripts. Shebangs are
only required for executable scripts.
Without unnecessary shebangs it's a bit easier to track Python 3
porting.
|
|
|
|
|
|
|
|
|
|
|
| |
The deployment procedure for external CA has been modified
such that it generates the CA CSR before starting the server.
This allows the same procedure to be used to import CA
certificate from an existing server. It also removes the
requirement to keep the server running while waiting to get
the CSR signed by an external CA.
https://fedorahosted.org/pki/ticket/456
|
|
|
|
|
|
|
|
| |
A new command has been added to export a system certificate, the
CSR, and the key. This command can be used to migrate a system
certificate into another instance.
https://fedorahosted.org/pki/ticket/456
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The pki-core.spec has been modified to execute pki-server migrate
when the package is installed. This way when upgrading from F22 to
F23 all PKI instances will be migrated automatically to Tomcat 8.
The pki-server migrate command has been modified such that if there
is no specific Tomcat version specified it will use the current
Tomcat version.
The top attribute in the CLI class was not functioning properly,
so it has been replaced with get_top_module() method.
The getopt() invocations in pki-server subcommands have been
replaced with gnu_getopt() to allow intermixing options and
arguments.
https://fedorahosted.org/pki/ticket/1310
|
|
|
|
|
|
| |
Includes python code (and unit tests!) to list, get
and create subCAs. Also fixed a couple of PEP 8 violations that
crept in.
|
|
|
|
|
|
|
|
|
|
| |
The pki-server subsystem-cert-update has been modified to support
secure database connection with client certificate authentication.
The pki client-cert-show has been modified to provide an option
to export client certificate's private key.
https://fedorahosted.org/pki/ticket/1551
|
|
|
|
|
|
|
|
|
| |
A set of new pki-server commands have been added to simplify
updating the cert data and cert request stored in the CS.cfg with
the cert data and cert request stored in the NSS and LDAP database,
respectively.
https://fedorahosted.org/pki/ticket/1551
|
|
|
|
|
| |
Python 3 treats serialized XML as encoded bytes. etree must encode XML
to UTF-8 and write it to a file opened in binary mode.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Enforce absolute imports or explicit relative imports. Python 3 no
longer supports implicit relative imports, that is unqualified imports
from a module's directory. In order to load a module from the same
directory inside a package, use
from . import module
The future feature 'from __future__ import absolute_import' ensures that
pki uses absolute imports on Python 2, too.
See https://www.python.org/dev/peps/pep-0328/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Large portions of the patch was automatically created with autopep8:
find base/ -name '*.py' | xargs autopep8 --in-place --ignore E309 \
--aggressive
find base/common/upgrade base/server/upgrade -type f -and \
-not -name .gitignore | autopep8 --in-place --ignore E309 --aggressive
autopep8 --in-place --ignore E309 --aggressive \
base/common/sbin/pki-upgrade \
base/server/sbin/pkispawn \
base/server/sbin/pkidestroy \
base/server/sbin/pki-server \
base/server/sbin/pki-server-upgrade
About two dozent violations were fixed manually.
https://fedorahosted.org/pki/ticket/708
|
|
|
|
|
|
|
|
| |
The pki-server subsystem-enable CLI has been modified to deploy
the subsystem from a custom location if available, or from the
default location otherwise.
https://fedorahosted.org/pki/ticket/1381
|
|
|
|
|
|
|
| |
The pki.server Python module has been fixed to remove pylint
warnings generated by recent changes.
https://fedorahosted.org/pki/ticket/1353
|
|
|
|
|
|
|
|
| |
The migration tool has been fixed to update the links to Tomcat
libraries in the instance folder to match the current Tomcat
version installed on the system.
https://fedorahosted.org/pki/ticket/1353
|
|
|
|
|
|
|
|
|
|
|
|
| |
New pki-server CLI commands have been added to migrate the server
configuration from Tomcat 7 to Tomcat 8 and vice versa. These
commands can be used later during system upgrade to migrate
existing instances from Tomcat 7 in F22 to Tomcat 8 in F23.
The Python CLI framework has been refactored to provide a way to
find other CLI modules by the command names.
https://fedorahosted.org/pki/ticket/1264
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously pylint report was saved it into a file which may not be
accessible on a build system. The pylint-build-scan.sh has been
changed to display the report so it will appear in the build log.
The pylint configuration has also been modified to disable C and R
messages by default. This way when other errors or warnings occur
the build will fail without having to check for specific codes.
Some Python codes have been modified to reduce the number of pylint
warnings.
https://fedorahosted.org/pki/ticket/703
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The PKISubsystem and PKIInstance classes used by the upgrade
framework have been converted into a server management library.
They have been enhanced to provide the following functionalities:
* starting and stopping instances
* enabling and disabling subsystems
* checking instance and subsystem statuses
The validate() invocation has been moved out of the constructors
into the upgrade framework such that these objects can be created
to represent subsystems and instances that do not exist yet.
https://fedorahosted.org/pki/ticket/1183
|
|
|
|
|
| |
Mostly reformatting due to PEP8. Not all pycharm warnings are
addressed, but the vast majority are.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The ACL mapping files have been renamed from auth.properties to
acl.properties to match the actual content and moved into the
subsystem conf folder. The authentication method mapping files
have been extracted from the interceptor into actual files.
The ACLInterceptor and AuthMethodInterceptors have been modified to read
the default mapping first, then overwrite it with custom mapping if it
exists in the subsystem folder.
The UpdateAuthzProperties upgrade script has been replaced with
RemoveAuthProperties that will remove the old auth.properties.
|
|
|
|
|
| |
A bug introduced in upgrade scripts while fixing pylint errors
and warnings are fixed.
|
|
|
|
|
| |
Fixes for issues in other files.
Ticket #316
|
|
|
|
|
|
|
| |
General formatting done for all the python files except for the line
length issue, which could not be formatted using Pydev in Eclipse.
Ticket #316
|
|
|
|
|
| |
The pki.server module has been fixed to include the module name
of the PKIException.
|
|
|
|
|
| |
The pki.server module has been fixed to include the module name
of the BASE_DIR.
|
|
|
|
|
|
|
|
|
|
| |
A new upgrade scriptlet has been added to add JNI_JAR_DIR into
pki.conf. The code to manipulate property files has been refactored
from PKIUpgradeTracker into a separate PropertyFile class to allow
reuse.
The pki-base package has been modified to deliver a default pki.conf
in /usr/share/pki/etc and copy it into /etc/pki if it doesn't exist.
|
|
The upgrade framework has been split into base and server upgrade
frameworks since they will be run automatically by different RPM
packages during upgrade. The base upgrade framework will upgrade
the system configuration. The server upgrade framework will upgrade
the instances and subsystems.
Ticket #544
|