[Pkg-freeipa-devel] [Git][freeipa-team/dogtag-pki][master] 67 commits: Fix JNA build dependency

Timo Aaltonen gitlab at salsa.debian.org
Sun Dec 6 08:17:58 GMT 2020



Timo Aaltonen pushed to branch master at FreeIPA packaging / dogtag-pki


Commits:
769d4866 by Endi S. Dewata at 2020-10-28T18:16:35-05:00
Fix JNA build dependency

- - - - -
8f288e20 by Endi S. Dewata at 2020-10-29T11:14:00-05:00
Add workaround for missing capture_output in Python 3.6

- - - - -
5d674aef by Endi S. Dewata at 2020-10-29T11:16:58-05:00
Fix JSS initialization in pki-server <subsystem>-user-cert-add

The pki-server <subsystem>-user-cert-add failed with
NoSuchProviderException when importing a certificate with
RSA/PSS algorithm. It turns out the JSS has to be initialized
before parsing the certificate using X509CertImpl.

- - - - -
263739df by Endi S. Dewata at 2020-10-29T21:45:45-05:00
Fix ACME doc

- - - - -
c073c85d by Endi S. Dewata at 2020-11-02T12:30:41-06:00
Clean up pki-server <subsystem>-user-show

- - - - -
5d0dae12 by Endi S. Dewata at 2020-11-02T19:54:46-06:00
Fix invalid attribute syntax during installation

Recently the pki.convert_x509_name_to_dn() was used to convert
the subsystem cert's subject name into a DN during installation.
However, the original code did not escape attributes in the DN
properly, so if the subject name contained a special character
(e.g. comma), the syntax of the DN could become invalid.

To fix the problem the pki.convert_x509_name_to_dn() has been
modified to escape attributes in the DN properly.

https://github.com/dogtagpki/pki/issues/3367

- - - - -
6989a2ff by Endi S. Dewata at 2020-11-03T21:21:04-06:00
Clean up log messages in CAService

- - - - -
0f74e07b by Endi S. Dewata at 2020-11-03T21:21:06-06:00
Clean up log messages in EnrollProfile

- - - - -
bb939bcd by Endi S. Dewata at 2020-11-04T09:08:34-06:00
Clean up log messages in AuditService

- - - - -
749c2d94 by Endi S. Dewata at 2020-11-04T09:08:35-06:00
Fix NPE in UGSubsystem.findUsersByKeyword()

- - - - -
c9eb3d5e by fdelehay at 2020-11-05T01:05:29+01:00
Update PKI_Health_Check_Tool.md

typos
- - - - -
602a53c6 by Endi S. Dewata at 2020-11-04T18:10:33-06:00
Update links in docs

- - - - -
9a2cf4f1 by Endi S. Dewata at 2020-11-04T19:01:42-06:00
Add FQDN configuration doc

- - - - -
4c322622 by cpinjani at 2020-11-05T12:55:52+05:30
Check 'man pkispawn' having reference of setup-ds.pl (#3371)

Signed-off-by: Chandan Pinjani <cpinjani at redhat.com>

Co-authored-by: Chandan Pinjani <cpinjani at redhat.com>
- - - - -
9e450c26 by gswami90 at 2020-11-05T17:56:32+05:30
Test_automation_for_RFE_Need_Method_to_copy_SKI_from_CSR_to_Certifica… (#3351)

* Test_automation_for_RFE_Need_Method_to_copy_SKI_from_CSR_to_Certificate_signed

Signed-off-by: Gaurav Swami <gswami at redhat.com>

* Test_automation_for_RFE_Need_Method_to_copy_SKI_from_CSR_to_Certificate_signed

Signed-off-by: Gaurav Swami <gswami at redhat.com>
- - - - -
1b6b426a by Endi S. Dewata at 2020-11-06T15:16:38-06:00
Fix concurrency issue in ACME PKIIssuer

The PKIIssuer has been modified to create a new PKIClient
instance for each request to avoid concurrency issue when
handling multiple clients.

The PKIIssuer.issueCertificate() has been modified to no
longer call CAClient.login() since the login operation will
actually be performed automatically by the PKIConnection
if required by the server. The CAClient.login() is mainly
used to get the account info (e.g. user roles) which is not
needed in this case.

https://bugzilla.redhat.com/show_bug.cgi?id=1889691

- - - - -
09ca2e4e by Endi S. Dewata at 2020-11-06T16:33:17-06:00
Fix pki <subsystem>-audit-mod

The AuditService.updateAuditConfig() has been modified to
no longer throw an exception when it encounters a disabled
event. Instead, it will ignore the disabled event and not
add it into the list of enabled events.

https://bugzilla.redhat.com/show_bug.cgi?id=1843416

- - - - -
fa861277 by Endi S. Dewata at 2020-11-06T20:19:48-06:00
Add upgrade docs

- - - - -
5dcdd5ef by dpuniaredhat at 2020-11-11T13:24:24+05:30
Bugzilla automation 1843416 kra-audit-mod fail (#3375)

Bug 1843416 - kra-audit-mod fail with Invalid event configuration if we have disabled entry in input file

Signed-off-by: Deepak Punia <dpunia at redhat.com>
- - - - -
8e9c247c by Endi S. Dewata at 2020-11-11T08:55:23-06:00
Update DS instance name in CI tests

The CI tests have been updated to use a more generic
DS instance name.

- - - - -
357d7363 by Endi S. Dewata at 2020-11-11T12:00:59-06:00
Update PKI instance name in CI tests

The CI tests have been updated to use the default
PKI instance name.

- - - - -
ae8dba6d by Endi S. Dewata at 2020-11-11T13:51:05-06:00
Update LDAP suffixes in CI tests

The CI tests have been updated to use example LDAP suffixes.

- - - - -
c436eb9e by Endi S. Dewata at 2020-11-11T13:51:05-06:00
Update security domain name in CI tests

The CI tests have been updated to use example security
domain name.

- - - - -
4c74ba7a by Endi S. Dewata at 2020-11-11T13:51:05-06:00
Update network domain name in CI tests

The CI tests have been updated to use example network
domain name.

- - - - -
90f7e320 by Endi S. Dewata at 2020-11-11T13:51:05-06:00
Update container names in CI tests

The CI tests have been updated to use more descriptive
container names.

- - - - -
292d20d8 by Endi S. Dewata at 2020-11-11T16:44:56-06:00
Update pki pkcs12-cert-mod

The pki pkcs12-cert-mod has been modified to search
for the cert to modify in a PKCS #12 file by its ID
in addition to its nickname. If a cert ID is provided,
there will be at most one cert matching the ID. If a
nickname is provided, there could be multiple certs
matching the nickname, but only the first one will
be processed.

- - - - -
481632eb by Endi S. Dewata at 2020-11-11T16:44:56-06:00
Add --friendly-name option for pki pkcs12-cert-mod

The pki pkcs12-cert-mod has been modified to provide
a --friendly-name option to change the nickname of a
cert in PKCS #12 file.

The --trust-flags option has been changed to become
optional.

- - - - -
36c209e1 by Endi S. Dewata at 2020-11-11T16:47:28-06:00
Move IPA tests into separate workflow

- - - - -
68d6cb36 by Endi S. Dewata at 2020-11-11T16:47:28-06:00
Simplified build task in IPA tests

- - - - -
382e18f2 by Endi S. Dewata at 2020-11-11T16:47:28-06:00
Rename Required Tests to Installation Tests

- - - - -
9396a54a by Alexander Scheel at 2020-11-12T11:16:32-05:00
Document how to debug QE pipeline failures

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
b45f7a8e by Alexander Scheel at 2020-11-12T11:16:32-05:00
Update Debugging_Pipeline.md
- - - - -
5689e792 by Alexander Scheel at 2020-11-12T11:16:32-05:00
Fix spelling of Ansible
- - - - -
e11e7014 by Endi S. Dewata at 2020-11-12T11:23:49-06:00
Use hostnames as container names in CI tests

- - - - -
ef41bc53 by Endi S. Dewata at 2020-11-12T12:23:59-06:00
Refactor CAConfigurator.createLocalCert()

The CAConfigurator.createLocalCert() has been modified
to take a list of DNS names for SAN extension.

- - - - -
056e8cf0 by Endi S. Dewata at 2020-11-12T12:34:44-06:00
Refactor Configurator.createCert()

The Configurator.createCert() has been modified to take
a profile ID and a list of DNS names for SAN extension.

- - - - -
bdfbc3ea by Endi S. Dewata at 2020-11-12T12:44:01-06:00
Refactor Configurator.loadCert()

The Configurator.loadCert() has been modified to take
a profile ID and a list of DNS names for SAN extension.

- - - - -
68162f18 by Timo Aaltonen at 2020-11-13T18:40:50+02:00
control: Pki-tools should depend on pki-base-java instead of just pki-base.

- - - - -
e2d28ec5 by Endi S. Dewata at 2020-11-13T11:24:31-06:00
Update log messages in LDAPConfigurator.importLDIFRecord()

- - - - -
2338cc58 by Endi S. Dewata at 2020-11-13T11:24:31-06:00
Update log messages in LDAPConfigurator.createSystemContainer()

- - - - -
e10d7829 by Endi S. Dewata at 2020-11-13T11:24:31-06:00
Update log messages in PKIInstance.load()

- - - - -
26d89ac9 by Endi S. Dewata at 2020-11-13T11:24:31-06:00
Update log messages in PluginRegistry

- - - - -
aeec176e by Endi S. Dewata at 2020-11-13T11:34:40-06:00
Update log messages in UGSubsystem.addUser()

- - - - -
026e1c17 by Endi S. Dewata at 2020-11-13T12:33:35-06:00
Convert deployment configs in CI tests into examples

The pki.cfg in CI tests has been split into separate
deployment configs for each subsystem and moved into a
new examples folder. The installation docs have been
updated to point to these examples.

The create and remove scripts have been removed since
they contain only a single command. The CI tests have
been modified to call pkispawn and pkidestroy directly.

- - - - -
e3a9e57b by Endi S. Dewata at 2020-11-13T12:35:08-06:00
Update log messages in Configurator.createRemoteCert()

- - - - -
3f58ee57 by Endi S. Dewata at 2020-11-13T15:25:01-06:00
Fix ACME Dockerfile

- - - - -
9c10e652 by Endi S. Dewata at 2020-11-13T20:24:53-06:00
Clean up installation tests

- - - - -
bae0609f by Endi S. Dewata at 2020-11-13T20:24:53-06:00
Fix LDAPConfigurator.importLDIFRecord()

The LDAPConfigurator.importLDIFRecord() has been updated
to ignore modification error due to missing entry.

- - - - -
d8bcc489 by Timo Aaltonen at 2020-11-14T13:05:40+02:00
fix-runuser-path.diff: Fix path to /sbin/runuser.

- - - - -
525968e1 by Endi S. Dewata at 2020-11-16T10:15:27-06:00
Fix cloning issue on F33

Since Fedora 33 the DS changelog has moved and will be
created automatically when the replication is enabled. Also,
the operation to add the old changelog will fail with LDAP
error 53. However, in older DS versions the old changelog
still needs to be added manually. To support all DS versions
the code will now ignore LDAP error 53.

https://github.com/dogtagpki/pki/issues/3379

- - - - -
51db62f9 by Endi S. Dewata at 2020-11-16T10:15:27-06:00
Updated CA cloning doc

- - - - -
e12a078b by Endi S. Dewata at 2020-11-16T11:03:32-06:00
Fix NPE during subordinate CA installation

Due to recent changes, the CAConfigurator.createCert()
incorrectly tried to issue the subordinate CA cert locally,
which failed since there was no local CA signing cert yet
on the new subordinate CA being installed.

To fix the problem, the CAConfigurator.createCert() has
been modified to call the Configurator.createCert() to
obtain the subordinate CA cert from the remote root CA.

https://bugzilla.redhat.com/show_bug.cgi?id=1891577

- - - - -
64cf25ea by Endi S. Dewata at 2020-11-16T11:03:32-06:00
Add pki_cert_chain_path validation

The PKIDeployer.sd_connect() has been modified to validate
that the cert chain file exists if it's specified in the
pki_cert_chain_path parameter.

- - - - -
9e5138d9 by Endi S. Dewata at 2020-11-16T11:03:32-06:00
Add subordinate CA installation doc

- - - - -
4c705de8 by Endi S. Dewata at 2020-11-16T15:57:30-06:00
Update status badges

- - - - -
1906afbe by Alexander Scheel at 2020-11-17T13:25:14-05:00
Introduce IPv4 and IPv6-specific AJP adapters

In order to facilitate IPv4-only and IPv6-only stacks, begin binding
separately to IPv4 and IPv6. If a Connector fails to bind, Tomcat will
continue running, but won't listen on that address. This allows both
127.0.0.1 and ::1 to function on new Dogtag installs.

Note that the limitation here comes not from Tomcat but from JDK: it
only allows binding to a single (IPv4 or IPv6) stack with a given
address.

Resolves: rh-bz#1780082

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
f685919e by Alexander Scheel at 2020-11-17T13:25:14-05:00
Add new AJP adapter upgrade script

This lets us migrate "localhost"-only adapters to localhost4/localhost6
split adapters.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
e544a3c7 by Alexander Scheel at 2020-11-17T13:25:14-05:00
Mark pki_ajp_host as deprecated

Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
51cdc1f6 by Endi S. Dewata at 2020-11-17T14:34:29-06:00
Replace TomcatJSS.loadTomcatConfig() with loadConfig()

The TomcatJSS.loadTomcatConfig() invocations have been
replaced with loadConfig() such that the config file
doesn't need to be specified explicitly.

- - - - -
c5f961cd by Endi S. Dewata at 2020-11-17T14:35:32-06:00
Update version number to 10.10.1

- - - - -
40a2af93 by Endi S. Dewata at 2020-11-17T19:17:54-06:00
Replace cryptography.x509.name._escape_dn_value()

The cryptography.x509.name._escape_dn_value() has been
replaced with a more standard ldap.dn.escape_dn_chars().

https://github.com/dogtagpki/pki/issues/3367

- - - - -
067ab904 by Timo Aaltonen at 2020-11-23T07:54:49+02:00
control: Add python3-pki-base to pki-tools depends.

- - - - -
7bc2d645 by Timo Aaltonen at 2020-11-23T19:14:20+02:00
Merge branch 'upstream'

- - - - -
0d3740b0 by Timo Aaltonen at 2020-11-23T19:15:45+02:00
bump the version

- - - - -
9d30b081 by Timo Aaltonen at 2020-12-03T17:51:39+02:00
control: Bump libtomcatjss-java dependencies.

- - - - -
fa44f05b by Timo Aaltonen at 2020-12-06T10:12:14+02:00
control: Add python3-ldap to build-depends.

- - - - -
f3cf51b2 by Timo Aaltonen at 2020-12-06T10:13:38+02:00
releasing package dogtag-pki version 10.10.1-1

- - - - -


30 changed files:

- .github/workflows/required-tests.yml → .github/workflows/installation-tests.yml
- + .github/workflows/ipa-tests.yml
- .github/workflows/qe-tests.yml
- README.md
- base/acme/Dockerfile
- base/acme/src/main/java/org/dogtagpki/acme/issuer/PKIIssuer.java
- base/ca/src/com/netscape/ca/CAService.java
- base/ca/src/org/dogtagpki/server/ca/CAConfigurator.java
- base/common/python/pki/__init__.py
- base/kra/functional/drmtest.readme.txt
- base/server/CMakeLists.txt
- base/server/cmsbundle/src/LogMessages.properties
- base/server/config/pkislots.cfg
- base/server/etc/default.cfg
- + base/server/examples/installation/ca-clone.cfg
- + base/server/examples/installation/ca.cfg
- + base/server/examples/installation/kra.cfg
- + base/server/examples/installation/ocsp.cfg
- + base/server/examples/installation/subca.cfg
- + base/server/examples/installation/tks.cfg
- + base/server/examples/installation/tps.cfg
- base/server/python/pki/server/deployment/__init__.py
- base/server/python/pki/server/deployment/pkiparser.py
- base/server/python/pki/server/instance.py
- base/server/python/pki/server/subsystem.py
- base/server/src/com/netscape/cms/profile/common/EnrollProfile.java
- base/server/src/com/netscape/cms/servlet/csadmin/Configurator.java
- base/server/src/com/netscape/cms/servlet/csadmin/LDAPConfigurator.java
- base/server/src/com/netscape/cmscore/dbs/DBSSession.java
- base/server/src/com/netscape/cmscore/registry/PluginRegistry.java


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/freeipa-team/dogtag-pki/-/compare/00a2c828318e46e973e02ddd3f742e5d634e6dba...f3cf51b2fb18b071cfff0424e0808e02833234ec
