| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
| |
An upgrade script has been added to set the keepAliveTimeout
attribute for the Secure connector in the server.xml.
https://pagure.io/dogtagpki/issue/2687
Change-Id: Ia61ed49d0ffc26d4bb44738c71fc663bde37fb1d
|
|
|
|
|
|
| |
Part of: https://pagure.io/dogtagpki/issue/1408
Change-Id: Iaa1c2c3b6f7de178bd38c2b5b8df57a2a99f64b1
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To process a cert request immediately (rather than having it queued
as pending), the user must be authenticated *by the profile*; auth
tokens from the main authentication system are not used.
For external authentication support it is possible that the external
authentication is sufficient to authenticate use of a problem;
especially when the profile uses componenets like
ExternalProcessConstraint to perform validation of the cert request
against external sources of information.
To support this use case, add the SessionAuthentication profile
authenticator, which merely reuses the IAuthToken from the session
context, if present.
Part of: https://pagure.io/dogtagpki/issue/1359
|
|
|
|
|
|
|
|
|
|
| |
Add the ExternalProcessConstraint profile policy constraint class.
It can be configured to execute an arbitrary program that performs
additional request validation, rejecting the request if it
terminates with a nonzero exit status. Information about the
request is conveyed in the subprocess' environment.
Part of: https://pagure.io/dogtagpki/issue/1359
|
|
|
|
| |
Part of: https://fedorahosted.org/pki/ticket/1710
|
|
|
|
|
|
|
| |
The MergePKIWebapps upgrade script has been modified to ensure
that the old deployment descriptors exist before deleting them.
https://fedorahosted.org/pki/ticket/2582
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously the /pki webapp was only added if the theme was present
during installation, and there were separate webapps for /pki/admin
and /pki/js. If the theme was installed later, the /pki webapp had
to be configured manually.
To simplify the installation and to support other developments
(e.g. login banner), the /pki webapp will always be added during
installation regardless of theme, and the /pki/admin and /pki/js
webapps are merged into /pki webapp. When the theme package is
installed, it will create links in /pki webapp so the theme files
will become available without additional configuration.
An upgrade script has been added to merge the /pki webapp in
existing instances.
https://fedorahosted.org/pki/ticket/2582
|
|
|
|
|
|
|
|
| |
An upgrade script has been added to replace IPv4- and IPv6-specific
AJP loopback address with a more generic "localhost" in existing
instances.
https://fedorahosted.org/pki/ticket/2570
|
|
|
|
|
|
|
|
|
|
| |
The FixSELinuxContexts upgrade script has been removed temporarily
due to a problem importing selinux library during RPM upgrade.
The FixDeploymentDescriptor script number has been changed
accordingly.
https://fedorahosted.org/pki/ticket/2452
|
|
|
|
|
|
|
|
| |
An upgrade script has been added to fix missing deployment
descriptors or deployment descriptors that are pointing to
non-existent or empty folders.
https://fedorahosted.org/pki/ticket/2439
|
|
|
|
|
|
|
|
|
|
| |
The deployment tool has been modified to set up SELinux contexts
after all instance files have been created to ensure they have the
correct contexts.
An upgrade script has been added to fix existing instances.
https://fedorahosted.org/pki/ticket/2421
|
|
|
|
|
|
|
|
| |
An upgrade script has been added to replace the <instance>/common
in existing instances with a link to /usr/share/pki/server/common
which contains links to server dependencies.
https://fedorahosted.org/pki/ticket/2403
|
|
|
|
| |
https://fedorahosted.org/pki/ticket/2363
|
|
|
|
|
|
|
|
|
|
| |
The code has been modified to use the JAVA_HOME path specified in
the pki.conf.
The spec file has been modified to depend specifically on OpenJDK
1.8.0 and to provide the default JAVA_HOME path for the pki.conf.
https://fedorahosted.org/pki/ticket/2363
|
|
|
|
| |
Part of Ticket 2041
|
|
|
|
| |
https://fedorahosted.org/pki/ticket/1738
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Properly formed GET-based OCSP requests can contain URL-encoded
slashes in the HTTP path[1] but our Tomcat configuration does not
permit this (returns 400 Bad Request). Change catalina.properties
to allow URL-encoded slashes in HTTP paths.
[1] https://tools.ietf.org/html/rfc6960#appendix-A.1
Also add an upgrade script to update catalina.properties in existing
instances.
Fixes: https://fedorahosted.org/pki/ticket/1658
|
|
|
|
|
|
|
|
|
| |
In Python 3 subprocess.Popen() and check_out() return bytes. The rest of
PKI expects text, so the output has to be decoded.
- ascii for dnsdomainname
- sys.getfilesystemencoding() for paths
- utf-8 for the rest
|
|
|
|
|
| |
Python 3 treats serialized XML as encoded bytes. etree must encode XML
to UTF-8 and write it to a file opened in binary mode.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Python 3's exception class has no message attribute. e.message can
either be replaced with string representation of e or e.args[0].
Use print(line, end='') instead of sys.stdout.write(). With end='' no
new line is appended.
Use six.reraise() to reraise an exception.
Remove sys.exc_clear() as it is no longer available in Python 3.
Conditionally import shutil.WindowsError.
Use six.move to import correct modules / function like quote, urlparse
and configparser.
Silence some pylint warnings. pylint doesn't understand six.moves magic
and emits a import-error warning.
Add additional tox envs to check for Python 3 compatibility.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Enforce absolute imports or explicit relative imports. Python 3 no
longer supports implicit relative imports, that is unqualified imports
from a module's directory. In order to load a module from the same
directory inside a package, use
from . import module
The future feature 'from __future__ import absolute_import' ensures that
pki uses absolute imports on Python 2, too.
See https://www.python.org/dev/peps/pep-0328/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Large portions of the patch was automatically created with autopep8:
find base/ -name '*.py' | xargs autopep8 --in-place --ignore E309 \
--aggressive
find base/common/upgrade base/server/upgrade -type f -and \
-not -name .gitignore | autopep8 --in-place --ignore E309 --aggressive
autopep8 --in-place --ignore E309 --aggressive \
base/common/sbin/pki-upgrade \
base/server/sbin/pkispawn \
base/server/sbin/pkidestroy \
base/server/sbin/pki-server \
base/server/sbin/pki-server-upgrade
About two dozent violations were fixed manually.
https://fedorahosted.org/pki/ticket/708
|
|
|
|
|
|
|
| |
- PKI TRAC Ticket #1443 - pkidaemon status tomcat list URLs under PKI
subsystems which are not accessible
- PKI TRAC Ticket #1518 - OCSP ee url returned by pkidaemon status tomcat
shows an error page
|
|
|
|
|
|
| |
Ticket # 1466 .
Also remove some needless copies of server.xml from the code.
|
| |
|
|
|
|
| |
expressions used by system call to 'sed'.
|
|
|
|
|
| |
- PKI TRAC Ticket #1443 - pkidaemon status tomcat list URLs under PKI
subsystems which are not accessible
|
|
|
|
|
|
|
| |
pylint-build-scan.sh doesn't checked the upgrader's Python files yet.
This patch adds the common and server upgrade scripts to
pylint-build-scan.sh. It also fixes a couple of pylint violations,
mostly missing calls to __init__().
|
|
|
|
|
|
|
| |
The patch implements an updater, that adds the new KRA signed audit
events (#1160) to KRA's CS.cfg.
https://fedorahosted.org/pki/ticket/1382
|
|
|
|
|
| |
The 10.2.3/02-FixBindPWPrompt upgrade scriptlet leaves CS.cfg owned
by root. chown CS.cfg to the instance owner.
|
| |
|
|
|
|
|
|
| |
Dogtag entered a state where an upgrade script failed before it was
trying to chown a file that didn't exist. Add a check that the file
exists.
|
|
|
|
|
|
|
| |
The upgrade scripts have been modified to use the uid and gid
provided by PKIInstance object.
https://fedorahosted.org/pki/ticket/1341
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
The <instance>/work/Catalina/localhost/pki folder was owned by
root in Dogtag 10.0.x but now should be owned by pkiuser. An
upgrade script has been added to fix the ownership.
https://fedorahosted.org/pki/ticket/802
|
|
|
|
|
|
|
|
|
|
| |
In Fedora 22 the Resteasy package has been split into several
subpackages. The pki-core.spec has been modified to depend on
more specific Resteasy packages which depend only on Jackson
1.x. The classpaths and various scripts have been modified to
remove unused references to Jackson 2.x.
https://fedorahosted.org/pki/ticket/1254
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A new pki-server CLI has been added to manage the instances and
subsystems using the server management library. This CLI manages
the system files directly, so it can only be run locally on the
server by the system administrator.
The autoDeploy setting in server.xml has been enabled by default.
An upgrade script has been added to enable the autoDeploy setting
in existing instances.
https://fedorahosted.org/pki/ticket/1183
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently web applications are deployed into Host's appBase (i.e.
<instance>/webapps). To allow better control of individual
subsystem deployments, the web applications have to be moved out
of the appBase so that the autoDeploy can work properly later.
This patch moves the common web applications to <instance>/
common/webapps and subsystem web applications to <instance>/
<subsystem>/webapps. An upgrade script has been added to update
existing deployments.
https://fedorahosted.org/pki/ticket/1183
|
|
|
|
| |
and upgrade
|
|
|
|
| |
https://fedorahosted.org/pki/ticket/1191
|
|
|
|
| |
Added to 10.1.1 to be consistent with 10.1 branch.
|
|
|
|
|
|
| |
The current upgrade framework requires that all supported versions
to upgrade from to have corresponding upgrade folders even though
they might be empty. New empty folders have been added for 10.1.1.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously the CMSStartServlet always requires a cfgPath parameter
pointing to the CS.cfg location. By default the parameter points to
<instance>/conf/<subsystem>/CS.cfg unless it's manually changed by
the admin after installation.
Recently the servlet has been modified such that if the parameter
is not specified it will generate the default path automatically.
So it is no longer necessary to keep the cfgPath parameter in the
web.xml templates because it will point to the same location.
This patch removes the cfgPath parameters from all web.xml templates.
This way newly created subsystems will not have this parameter, which
will help direct deployment in the future. An upgrade script has been
added to remove the parameter from existing instances if it points to
the default location. If the parameter points to a different location
that means the subsystem has been customized so it will not be changed.
Ticket #748, #499
|
|
|
|
|
|
|
|
| |
The REST service classes have been moved into org.dogtagpki.server
namespace. A new upgrade script has been added to update existing
instances.
Ticket #114
|
|
|
|
|
|
|
|
|
|
| |
The Dogtag client library has been modified to use RESTEasy 3.0 client
library. A new upgrade script has been added to update existing servers.
The JAXB annotation in ResourceMessage has been modified to require
explicit property mapping.
Ticket #554
|
|
|
|
|
|
|
| |
A new upgrade script has been added to replace Jettison links with
Jackson links in Tomcat's common library.
Ticket #817
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The location of web application context file has been changed from
<instance>/webapps/<name>/META-INF/context.xml
into
<instance>/conf/Catalina/localhost/<name>.xml.
This will eventually allow deploying the web application directly
from the shared folder.
A new upgrade script has been added to move the context files in
the existing instances.
Ticket #499
|
|
|
|
|
|
|
|
|
|
|
|
| |
Migration scripts have been added to update the registry file
for tomcat instances to use PKI_INSTANCE_NAME instead of PKI_INSTANCE_ID.
File ownershipof the registry file and log files is also fixed.
Also removed unused lock file logic in operations startup script.
This is for migration from 10.0 -> 10.1
Ticket 805
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The ACL mapping files have been renamed from auth.properties to
acl.properties to match the actual content and moved into the
subsystem conf folder. The authentication method mapping files
have been extracted from the interceptor into actual files.
The ACLInterceptor and AuthMethodInterceptors have been modified to read
the default mapping first, then overwrite it with custom mapping if it
exists in the subsystem folder.
The UpdateAuthzProperties upgrade script has been replaced with
RemoveAuthProperties that will remove the old auth.properties.
|