freeipa.git/install/certmonger, branch fix_ber_scanf FreeIPA patches Skip lock and fork in ipa-server-guard on unsupported ops 2019-09-06T14:29:43+00:00 Rob Crittenden rcritten@redhat.com 2019-09-04T17:32:56+00:00 65d38af9e27f894ec8260b9d8d7bcbdcb79b5c0f On startup certmonger performs a number of options on the configured CA (IPA, not to be confused with the real dogtag CA) and the tracking requests. Break early for operations that are not supported by ipa-submit. This will save both a fork and a lock call. https://bugzilla.redhat.com/show_bug.cgi?id=1656519 Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> 
On startup certmonger performs a number of options on the
configured CA (IPA, not to be confused with the real dogtag CA)
and the tracking requests.

Break early for operations that are not supported by ipa-submit.
This will save both a fork and a lock call.

https://bugzilla.redhat.com/show_bug.cgi?id=1656519

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Defer initializing the API in dogtag-ipa-ca-renew-agent-submit 2019-09-06T14:29:43+00:00 Rob Crittenden rcritten@redhat.com 2019-09-04T17:31:58+00:00 0770254ce347c9892f6b143bb5f48fb1b0826e2a Wait until we know a supported operation is being called (SUBMIT and POLL) before initializing the API, which can be an expensive operation. https://bugzilla.redhat.com/show_bug.cgi?id=1656519 Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> 
Wait until we know a supported operation is being called
(SUBMIT and POLL) before initializing the API, which can be
an expensive operation.

https://bugzilla.redhat.com/show_bug.cgi?id=1656519

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
dogtag-ipa-ca-renew-agent: always use profile-based renewal 2019-07-22T03:33:24+00:00 Fraser Tweedale ftweedal@redhat.com 2019-05-17T06:38:01+00:00 1fb6fda01f2aca5fadc3707b7c7a3f3c9e647f85 Update the renewal helper to always request a new certificate ("enrollment request") instead of using "renewal request". The latter is brittle in the face of: - missing certificate record in database - missing original request record in database (pointed to by certificate record) - "mismatched" certificate or request records (there have been many cases of this; it is suspected that request/serial range conflicts, or something similar, may be the cause) The Dogtag tracking request must know what profile to use, except where the certificate uses the default profile ("caServerCert" per 'dogtag-ipa-renew-agent' implementation in Certmonger itself). This part of the puzzle was dealt with in previous commits. Part of: https://pagure.io/freeipa/issue/7991 Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
Update the renewal helper to always request a new certificate
("enrollment request") instead of using "renewal request".  The
latter is brittle in the face of:

- missing certificate record in database

- missing original request record in database (pointed to by
  certificate record)

- "mismatched" certificate or request records (there have been many
  cases of this; it is suspected that request/serial range conflicts,
  or something similar, may be the cause)

The Dogtag tracking request must know what profile to use, except
where the certificate uses the default profile ("caServerCert" per
'dogtag-ipa-renew-agent' implementation in Certmonger itself).
This part of the puzzle was dealt with in previous commits.

Part of: https://pagure.io/freeipa/issue/7991

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
certmonger: use long options when invoking dogtag-ipa-renew-agent 2019-07-22T03:33:24+00:00 Fraser Tweedale ftweedal@redhat.com 2019-05-17T01:43:18+00:00 858ef59948f5c8edd511f4db0b5fd69a1169f19b To aid reader comprehension, use long options instead of short options when invoking dogtag-ipa-renew-agent. -N -> --force-new -O -> --approval-option Part of: https://pagure.io/freeipa/issue/7991 Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
To aid reader comprehension, use long options instead of short
options when invoking dogtag-ipa-renew-agent.

  -N -> --force-new
  -O -> --approval-option

Part of: https://pagure.io/freeipa/issue/7991

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Replace PYTHONSHEBANG with valid shebang 2019-06-24T07:35:57+00:00 Christian Heimes cheimes@redhat.com 2019-06-21T10:05:19+00:00 6d02eddd3ef7f65c1a922125371fcbb83e35d7f8 Replace the @PYTHONSHEBANG@ substitution with a valid #!/usr/bin/python3 shebang. This turns Python .in files into valid Python files. The files can now be checked with pylint and IDEs recognize the files as Python files. The shebang is still replaced with "#!$(PYTHON) -E" to support platform-python. Related: https://pagure.io/freeipa/issue/7984 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Francois Cami <fcami@redhat.com> 
Replace the @PYTHONSHEBANG@ substitution with a valid #!/usr/bin/python3
shebang. This turns Python .in files into valid Python files. The files
can now be checked with pylint and IDEs recognize the files as Python
files.

The shebang is still replaced with "#!$(PYTHON) -E" to support
platform-python.

Related: https://pagure.io/freeipa/issue/7984
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
cainstance: add function to determine ca_renewal nickname 2019-05-29T02:49:27+00:00 Fraser Tweedale ftweedal@redhat.com 2019-03-22T04:22:21+00:00 c28a42e27e1cff115aca1066bf3c943ff46ccc48 The ipa-cert-fix program needs to know where to put shared certificates. Extract the logic that computes the nickname from dogtag-ipa-ca-renew-agent to new subroutine cainstance.get_ca_renewal_nickname(). Part of: https://pagure.io/freeipa/issue/7885 Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> 
The ipa-cert-fix program needs to know where to put shared
certificates.  Extract the logic that computes the nickname from
dogtag-ipa-ca-renew-agent to new subroutine
cainstance.get_ca_renewal_nickname().

Part of: https://pagure.io/freeipa/issue/7885

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Extract ca_renewal cert update subroutine 2019-05-29T02:49:27+00:00 Fraser Tweedale ftweedal@redhat.com 2019-03-22T02:37:45+00:00 a2a006c74667155e5e4c4a1bb0bd9c12da9b4aed When the CA renewal master renews certificates that are shared across CA replicas, it puts them in LDAP for the other CA replicas to see. The code to create/update these entries lives in the dogtag-ipa-ca-renew-agent renewal helper, but it will be useful for the ipa-cert-fix program too. Extract it to a subroutine in the cainstance module. Part of: https://pagure.io/freeipa/issue/7885 Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> 
When the CA renewal master renews certificates that are shared
across CA replicas, it puts them in LDAP for the other CA replicas
to see.  The code to create/update these entries lives in the
dogtag-ipa-ca-renew-agent renewal helper, but it will be useful for
the ipa-cert-fix program too.  Extract it to a subroutine in the
cainstance module.

Part of: https://pagure.io/freeipa/issue/7885

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Generate scripts from templates 2018-08-23T12:49:06+00:00 Christian Heimes cheimes@redhat.com 2018-08-22T15:15:55+00:00 c8da61b92ac08ab206df260765c531e70d0342f5 Python scripts are now generated from templates. The scripts are marked as nodist (no distribution) but install targets. The templates for the scripts are extra distribution data, no installation (noinst). Fixes: https://pagure.io/freeipa/issue/7680 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Python scripts are now generated from templates. The scripts are marked
as nodist (no distribution) but install targets. The templates for the
scripts are extra distribution data, no installation (noinst).

Fixes: https://pagure.io/freeipa/issue/7680
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Rename Python scripts and add dynamic shebang 2018-08-23T12:49:06+00:00 Christian Heimes cheimes@redhat.com 2018-08-22T13:55:17+00:00 a347c1165073e61572993a64c00b122cb49dabe1 All Python scripts are now generated from a template with a dynamic shebang. ipatests/i18n.py is no longer an executable script with shebang. The module is not executed as script directly, but rather as $(PYTHON) ipatests/i18n.py Fixes: https://pagure.io/freeipa/issue/7680 All Python scripts are now template files with a dynamic shebang line. Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
All Python scripts are now generated from a template with a dynamic
shebang.

ipatests/i18n.py is no longer an executable script with shebang. The
module is not executed as script directly, but rather as

    $(PYTHON) ipatests/i18n.py

Fixes: https://pagure.io/freeipa/issue/7680
All Python scripts are now template files with a dynamic shebang line.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Have all the scripts run in python 3 by default 2018-02-15T17:43:12+00:00 Stanislav Laznicka slaznick@redhat.com 2017-08-31T08:45:31+00:00 f31797c70ac6d1fe4a651def1f87350bec16d194 The Python 3 refactoring effort is finishing, it should be safe to turn all scripts to run in Python 3 by default. https://pagure.io/freeipa/issue/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com> 
The Python 3 refactoring effort is finishing, it should be safe
to turn all scripts to run in Python 3 by default.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>