[Pkg-freeipa-devel] [Git][freeipa-team/certmonger][upstream] 20 commits: Don't free soptions while it is still needed

Timo Aaltonen gitlab at salsa.debian.org
Wed Oct 28 14:29:23 GMT 2020



Timo Aaltonen pushed to branch upstream at FreeIPA packaging / certmonger


Commits:
c5270bde by Rob Crittenden at 2020-07-01T11:58:11-04:00
Don't free soptions while it is still needed

Introduced in fbcf03dd44007a9b231e9396cc418a00e1a4b49a trying
to avoid leaking soptions and aoptions.

https://pagure.io/certmonger/issue/163
Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
79020646 by Rob Crittenden at 2020-07-30T11:20:10-04:00
Revert "Adapt to the new behavior of disconnect in dbus-broker"

This reverts commit 39ce89ec821d02643681795d2149b20198f0fe42.

systemd will kill certmonger anyway. Let it go ahead and die
and we'll use PartOf to link the two services together instead.

- - - - -
5e45029b by Rob Crittenden at 2020-07-30T11:20:10-04:00
Link certmonger to dbus so it stops and restarts with it

This will ensure that certmonger will run if dbus is restarted.

- - - - -
00e94804 by Rob Crittenden at 2020-09-08T13:56:49-04:00
Don't send SIGKILL to children, give them a chance to die

This was causing issues in IPA which uses a lock file to
serialize some operations. The kill was leaving the lock in
place causing things to time out.

- - - - -
fcc3a370 by Rob Crittenden at 2020-09-09T16:07:22-04:00
Remove empty translation files

https://pagure.io/certmonger/issue/141

- - - - -
93974735 by Fraser Tweedale at 2020-09-16T15:54:00+10:00
remove dead make targets

Commit 13abd68c7b862719e7b0ed065906cc28c6157a41 removed some files,
but left dangling references to those files in tests/Makefile.am,
breaking the build.  Delete references to the deleted files.

- - - - -
1de7c2e7 by Rob Crittenden at 2020-09-16T10:34:45-04:00
Require jansson for IPA RPC calls, make xmlrpc optional

xmlrpc is now only used for certmaster

IPA will only make JSON RPC calls to retrieve certificates

- - - - -
aedf7f64 by Rob Crittenden at 2020-09-16T11:31:07-04:00
Make xmlrpc optional in the certmonger spec file, disable certmaster

This disables certmaster support by default since it requires
xmlrpc

- - - - -
4347ce74 by Rob Crittenden at 2020-09-16T11:31:07-04:00
Add Referer header option to the submit-h API

This will allow IPA API requests that require the Referer header
to be set.

- - - - -
fdc28512 by Rob Crittenden at 2020-09-16T11:31:07-04:00
Switch IPA calls to use the JSON-RPC endpoint instead of XMLRPC

IPA has provided a JSON-RPC interface for many years now and has
long term plans to drop support for XMLRPC.

- - - - -
dd8dcb89 by Rob Crittenden at 2020-09-16T11:31:07-04:00
Remove the certmaster CA from the 028-dbus test

The certmaster CA is disabled by default so no longer look for it
in the dbus test.

This test will fail if certmaster is enabled. There is currently no
mechanism to dynamically enable/disable features of the tests. It
can be added if it comes up but it's unclear if anyone took advantage
of the certmaster support in the first place.

- - - - -
94dfc2f3 by Rob Crittenden at 2020-09-16T11:31:08-04:00
Add a local-srpm target to build an srpm from the current checkout

The srpm target will pull the origin master branch and build from
that so it isn't useful for testing local changes.

- - - - -
eda1134a by Rob Crittenden at 2020-09-16T11:31:08-04:00
Silence a rpm macro warning with an unescaped % in a comment

- - - - -
5faaac05 by Rob Crittenden at 2020-10-05T11:16:44-04:00
Tag 0.79.12

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
f167cff1 by Rob Crittenden at 2020-10-09T11:10:02-04:00
Fix NSS shutdown issues when obtaining the internal token name

The slot wasn't being freed every time util_internal_token_name()
was called which caused NSS_Shutdown() and NSS_ShutdownContext()
to return SEC_ERROR_BUSY.

Discovered in IPA issue https://pagure.io/freeipa/issue/8533

- - - - -
be632059 by Rob Crittenden at 2020-10-20T14:47:52-04:00
Save a copy of the IPA error message when parsing the JSON result

json_decref() is freeing the parsed value so the error message was
undefined.

Issue discovered in https://pagure.io/freeipa/issue/8537

- - - - -
5e77bf10 by Rob Crittenden at 2020-10-20T14:50:20-04:00
certread-n: Look up certs using PK11_FindCertFromNickname()

Don't loop through all the tokens looking for a given nickname, look
it up directly. If a nickname does not contain a token then NSS
treats it as the internal token. Otherwise it uses the token name
to retrieve the slot and looks for certificates in that slot.

Looping through the certificates in each slot using
PK11_ListCertsInSlot() was sometimes taking as many as 14 seconds
for no apparent reason. This slowdown is not seen when using
PK11_FindCertFromNickname().

This 14 second delay was causing client DBus timeouts which was
causing IPA server installation failures when running start-tracking
on the CA subsystem certificates.

Related IPA issue https://pagure.io/freeipa/issue/8533

- - - - -
f25222fc by Rob Crittenden at 2020-10-20T14:50:20-04:00
Free public key information after storing and displaying

This fixes an NSS shutdown error.

- - - - -
8a477832 by Rob Crittenden at 2020-10-20T15:22:16-04:00
Don't report a spurious error if no SCEP pkiMessage is ready yet

On a brand new request in the state op_pkcsreq there will be no
pkiMessage to send yet because there is no CSR yet.

It correctly detects this state but also displays the message:

    Error reading request.  Expected PKCS7 data containing a
    PKCSReq pkiMessage, got nothing.

This is confusing if the request eventually succeeds.

It really only needs to report this if it is passed in a file name
to read the message from, otherwise silently return
CM_SUBMIT_STATUS_NEED_SCEP_MESSAGES.

The same issue existed in the op_get_cert_initial state.

https://bugzilla.redhat.com/show_bug.cgi?id=1253009

- - - - -
3514c6d7 by Rob Crittenden at 2020-10-20T15:39:55-04:00
Tag 0.79.13

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -


5 changed files:

- Makefile.am
- certmonger.spec
- configure.ac
- − po/ach.po
- − po/af.po


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/freeipa-team/certmonger/-/compare/14f75bf805fbfbf9caf33958afd211c99170f59b...3514c6d7a9d61a48f09f4f7affe06fa508a494ee
