[Pkg-freeipa-devel] [Git][freeipa-team/dogtag-pki][upstream] 64 commits: Convert QE test to Docker

Timo Aaltonen (@tjaalton) gitlab at salsa.debian.org
Mon Sep 6 08:36:06 BST 2021



Timo Aaltonen pushed to branch upstream at FreeIPA packaging / dogtag-pki


Commits:
1a5d9024 by Endi S. Dewata at 2021-02-25T20:32:52-06:00
Convert QE test to Docker

Previously the QE test was running on Vagrant which can only
run on macOS runners on GitHub:
https://stackoverflow.com/questions/66261101/using-vagrant-on-github-actions-ideally-incl-virtualbox

However, there is a performance issue with the macOS runners
which is causing the test to fail occasionally:
https://github.com/actions/virtual-environments/issues/1336

To improve the reliability, the QE test has been converted
to run on Docker instead. Some steps for configuring the
machine hostname in configure_common.yml have been removed
since it's no longer necessary.

- - - - -
d23b75b7 by Endi S. Dewata at 2021-03-03T14:49:26-06:00
Add test for installing CA with ECC

- - - - -
d5ba9b2d by Endi S. Dewata at 2021-03-03T14:49:26-06:00
Update CI Dockerfile

The CI Dockerfile has been modified to install PKI packages
in the container image.

- - - - -
5262e598 by Endi S. Dewata at 2021-03-03T14:49:26-06:00
Remove redundant PKI package installations

The CI tests have been modified to no longer install PKI
packages since they are already installed in the container
image.

- - - - -
8420dec8 by Endi S. Dewata at 2021-03-03T14:49:26-06:00
Clean up redundant CI dependencies

- - - - -
d33839ae by Endi S. Dewata at 2021-03-03T14:53:39-06:00
Add COPR_REPO argument in CI Dockerfile

The CI Dockerfile has been modified to provide an argument
to override the COPR repository used for building the
container image.

- - - - -
c3f1afdd by Endi S. Dewata at 2021-03-03T14:53:43-06:00
Update CI to use multi-stage builds

The CI has been modified to build PKI packages and the
container image using multi-stage builds.

- - - - -
5c2d6679 by Endi S. Dewata at 2021-03-08T10:40:47-06:00
Move CI Dockerfile

The CI Dockerfile has been moved to the top-level folder.

- - - - -
1c3e0d39 by Endi S. Dewata at 2021-03-08T10:41:46-06:00
Move list of IPA CI tests

The list of IPA CI tests has been moved into ipa-test.sh.

- - - - -
a86b28f3 by Endi S. Dewata at 2021-03-08T10:41:47-06:00
Clean up CI build options

The CI BUILD_OPTS have been modified to no longer use timestamps
and commit IDs in PKI package names. The build-push-action has
also been modified to use the default Git context.

- - - - -
d3ba096f by Endi S. Dewata at 2021-03-08T10:41:47-06:00
Rename CI runner container image

- - - - -
23853644 by Endi S. Dewata at 2021-03-08T10:44:20-06:00
Remove unused CI LOGS variable

- - - - -
a279c4ce by Endi S. Dewata at 2021-03-08T14:36:26-06:00
Clean up ACME CI tests

- - - - -
00434743 by Endi S. Dewata at 2021-03-08T20:40:55-06:00
Update ACME Dockerfile

The ACME Dockerfile has been updated to work with Quay and
Docker Hub.

- - - - -
398fedba by Endi S. Dewata at 2021-03-09T20:43:24-06:00
Copy ACME Dockerfile into main Dockerfile

The ACME Dockerfile has been copied from base/acme/Dockerfile
which uses a single build stage into the main Dockerfile which
uses multiple build stages.

- - - - -
ea30f0a3 by Endi S. Dewata at 2021-03-09T20:44:22-06:00
Add test for ACME container

- - - - -
739aaf35 by Endi S. Dewata at 2021-03-10T12:03:06-06:00
Restore timestamp and commit ID in CI build options

Commit a86b28f3b794a5d816d9eded66f8ef156f5c55ac has been
reverted to avoid conflicts with COPR builds.

- - - - -
5f4abfab by Alexander Bokovoy at 2021-03-10T20:56:51-06:00
Update pki.spec to not depend on esc for s390(x) architectures

- - - - -
5f907f09 by Endi S. Dewata at 2021-03-10T21:03:12-06:00
Clean up spec file

- - - - -
608e9bbe by Fraser Tweedale at 2021-03-15T11:37:57-05:00
Fix renewal profile approval process

Due to a recent change in PKI CLI, the CLI now passes along user
authentication with submissions to the renewal endpoint. Unlike the EE
pages, the REST API has passed along this authentication for a while.
Due to a bug in the RenewalProcessor, requests with credentials against
profiles with no authentication method and no ACLs result in the
certificate automatically being approved. This occurs because, when
an earlier commit (cb9eb967b5e24f5fde8bbf8ae87aa615b7033db7) modified
the code to allow Light-Weight SubCAs to issue certificates, validation
wasn't done on the passed principal, to see if it was a trusted agent.
Because profiles requiring Agent approval have an empty ACL list (as, no
user should be able to submit a certificate request and have it
automatically signed without agent approval), authorize allows any user
to approve this request and thus accepts the AuthToken.

Critical analysis: the RenewalProcessor code interprets (authToken
!= null) as evidence that the authenticated user is /authorized/ to
immediately issue the certificate.  This mismatch of concerns (authn
vs authz) resulted in a misunderstanding of system behaviour.  The
"latent" AuthToken (from the HTTP request) was assigned to authToken
without realising that authorization needed to be performed.

We fix this by splitting the logic on whether the profile defines an
authenticator.  If so, we (re)authenticate and authorize the user
according to the profile configuration.

If the profile does not define an authenticator but there is a
principal in the HTTP request, if (and only if) the user has
permission to approve certificate requests *and* the requested
renewal profile is caManualRenewal (which is hardcoded to be used
for LWCA renewal), then we issue the certificate immediately.  This
special case ensures that LWCA renewal keeps working.

Otherwise, if there is no principal in the HTTP request or the
principal does not have permission to approve certificate requests,
we leave the authToken unset.  The resulting renewal request will be
created with status PENDING, i.e. enqueued for agent review.

Signed-off-by: Fraser Tweedale <ftweedal at redhat.com>
Signed-off-by: Alexander Scheel <ascheel at redhat.com>

- - - - -
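The approval decision described in commit 608e9bbe above, as an added Python model of the before/after logic (not Dogtag PKI's own RenewalProcessor code); `Profile`, `Principal`, `renew_before_fix`, `renew_after_fix` and the `authenticate` callback are assumptions for the model, while `caManualRenewal` and the PENDING status come from the commit message:

```python
# Added model of the renewal-approval logic from commit 608e9bbe.
# Illustration only, not Dogtag PKI's RenewalProcessor; every name except
# caManualRenewal and PENDING is an assumption made for this model.
from dataclasses import dataclass, field
from typing import Callable, List, Optional

PENDING = "PENDING"   # request created and enqueued for agent review
ISSUED = "ISSUED"     # certificate issued immediately

@dataclass
class Profile:
    name: str
    authenticator: Optional[str] = None          # None: no auth method defined
    acl: List[str] = field(default_factory=list)  # empty: agent approval required

@dataclass
class Principal:
    name: str
    can_approve_requests: bool = False            # the agent-level permission

def renew_before_fix(profile: Profile, principal: Optional[Principal]) -> str:
    # Bug: the "latent" principal from the HTTP request is assigned to
    # authToken, and a non-null authToken is then read as proof that the
    # caller is authorized to issue the certificate (authn mistaken for authz).
    auth_token = principal
    return ISSUED if auth_token is not None else PENDING

def renew_after_fix(profile: Profile, principal: Optional[Principal],
                    authenticate: Callable[[Profile, Optional[Principal]], str]) -> str:
    # Case 1: the profile defines an authenticator, so (re)authenticate and
    # authorize per the profile configuration; the callback stands in for
    # that configured check and returns the resulting status.
    if profile.authenticator is not None:
        return authenticate(profile, principal)
    # Case 2: no authenticator, but a principal is present. Issue only if the
    # principal may approve requests AND the profile is the hardcoded LWCA
    # renewal profile caManualRenewal.
    if (principal is not None and principal.can_approve_requests
            and profile.name == "caManualRenewal"):
        return ISSUED
    # Otherwise authToken stays unset and the request is created PENDING.
    return PENDING
```

The vulnerable path is the one the commit describes: a profile with no authenticator and an empty ACL, reached by any credentialed caller.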
9af79a3d by Alexander Scheel at 2021-03-15T22:11:18-05:00
Remove i686 builds in the future

For Fedora and RHEL-9, we probably should drop i686 builds. This is
partially due to the lack of md2man (for converting our man pages) but also
due to the lack of multilib compatible Java packages. Best to ship
64-bit only packages then.

Discussed with Alexander Bokovoy in #freeipa.

Signed-off-by: Alexander Scheel <alexander.m.scheel at gmail.com>

- - - - -
f3d7274f by Endi S. Dewata at 2021-03-15T22:11:41-05:00
Fix QE tests reliability

- - - - -
8f89e5e1 by Endi S. Dewata at 2021-03-15T22:11:53-05:00
Update pki.spec for ELN/RHEL

- - - - -
a415a788 by Alexander Scheel at 2021-03-22T14:07:51-05:00
Remove dep on jakarta-commons

- - - - -
d7d33622 by Endi S. Dewata at 2021-03-22T14:07:51-05:00
Fix files listed twice in pki.spec

https://github.com/dogtagpki/pki/issues/3321

- - - - -
3ff77046 by Endi S. Dewata at 2021-03-22T14:07:51-05:00
Update version number to 10.10.6

- - - - -
583a8ca2 by Endi S. Dewata at 2021-03-23T17:20:10-05:00
Clean up CA test artifacts

The CA tests have been modified to store PKI and DS config files
and log files into a single file.

- - - - -
873b3611 by Endi S. Dewata at 2021-03-23T17:21:59-05:00
Add test for installing CA with secure DS

- - - - -
f67323cf by Endi S. Dewata at 2021-03-25T09:28:21-05:00
Add test for installing CA clone with secure DS

- - - - -
08cf8da5 by Pritam Singh at 2021-03-26T11:51:45-05:00
Added_doc_for_installing_CA_clone_with_secure_DS (#3486)

Signed-off-by: Pritam Singh <prisingh at redhat.com>

- - - - -
91d1ae2d by Endi S. Dewata at 2021-03-26T13:36:59-05:00
Clean up KRA test artifacts

The KRA tests have been modified to store PKI and DS config
files and log files into a single file.

- - - - -
e1934a30 by Endi S. Dewata at 2021-03-31T11:59:27-05:00
Clean up tests for PKI tools

- - - - -
326a478b by Endi S. Dewata at 2021-03-31T14:46:15-05:00
Add test for creating CA agent

- - - - -
96203df2 by Endi S. Dewata at 2021-03-31T15:13:44-05:00
Add test for issuing SSL server cert using PKI NSS CLI

- - - - -
f05d253a by Endi S. Dewata at 2021-04-07T10:26:56-05:00
Add test for generating cert with existing key

- - - - -
885121fd by Endi S. Dewata at 2021-04-07T17:32:43-05:00
Clean up OCSP test artifacts

The OCSP tests have been modified to store PKI and DS config
files and log files into a single file.

- - - - -
ac3ca064 by Endi S. Dewata at 2021-04-08T12:11:38-05:00
Update docs for deploying ACME with DS on OpenShift

- - - - -
a6193955 by Endi S. Dewata at 2021-04-08T13:38:06-05:00
Add test for PKI NSS CLI with ECC

- - - - -
328c0643 by Endi S. Dewata at 2021-04-12T15:28:16-05:00
Add scripts to save test artifacts

- - - - -
43920881 by Endi S. Dewata at 2021-04-12T15:28:16-05:00
Clean up TKS test artifacts

The TKS tests have been modified to store PKI and DS config
and log files into a single tarball.

- - - - -
216e749f by Endi S. Dewata at 2021-04-12T15:28:16-05:00
Clean up TPS test artifacts

The TPS tests have been modified to store PKI and DS config
and log files into a single tarball.

- - - - -
e0646e84 by Endi S. Dewata at 2021-04-12T15:28:16-05:00
Clean up ACME test artifacts

The ACME tests have been modified to store PKI and DS config
and log files into a single tarball.

- - - - -
bbf31086 by Endi S. Dewata at 2021-04-12T15:28:16-05:00
Clean up IPA test artifacts

The IPA tests have been modified to store IPA, PKI, and DS
config and log files into a single tarball.

- - - - -
0d41ea57 by Endi S. Dewata at 2021-04-12T15:28:17-05:00
Clean up QE test artifacts

The QE tests have been modified to store PKI and DS config
and log files into a single tarball.

- - - - -
542d0333 by Endi S. Dewata at 2021-04-26T13:14:10-05:00
Remove unused SecurityDomainLogin servlet

- - - - -
6a9e9aa9 by Endi S. Dewata at 2021-04-26T13:14:10-05:00
Remove unused LoginServlet

- - - - -
f04dd958 by Endi S. Dewata at 2021-04-26T13:14:10-05:00
Remove unused BaseServlet

- - - - -
624223b2 by Endi S. Dewata at 2021-04-26T13:14:10-05:00
Remove velocity dependency

The remaining servlets that use velocity have been removed
since they are no longer used so the velocity dependency
can be removed as well.

Resolves: #1952969

- - - - -
01d485ac by Endi S. Dewata at 2021-04-26T14:05:21-05:00
Fix cert file loading in CryptographyCryptoProvider

As suggested by cheimes, the CryptographyCryptoProvider
has been modified to load the cert file as binary.

Resolves: https://github.com/dogtagpki/pki/issues/3499

- - - - -
c8a7cb4a by Christian Heimes at 2021-04-26T14:05:21-05:00
Make python-nss optional

Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
3a5e8262 by Christian Heimes at 2021-04-26T14:05:21-05:00
Remove deprecated DRM client

The code was marked as deprecated in commit f4aafb999e from 2014.

- - - - -
07511637 by Endi S. Dewata at 2021-04-27T12:39:47-05:00
Reorganized ACME database configuration docs

- - - - -
dc4776f7 by Endi S. Dewata at 2021-05-07T14:58:35-05:00
Reorganize ACME issuer doc

- - - - -
509c9e85 by Endi S. Dewata at 2021-05-07T14:58:36-05:00
Reorganize ACME realm doc

- - - - -
7e4d2e27 by Endi S. Dewata at 2021-05-07T14:58:36-05:00
Add ACME metadata doc

- - - - -
1fbba7fb by Endi S. Dewata at 2021-05-07T15:34:24-05:00
Clean up unused classpaths

- - - - -
6bb7004d by Endi S. Dewata at 2021-05-07T15:34:24-05:00
Remove JNA dependency

The SystemdStartupNotifier has been renamed to SystemdNotifier
and modified to use systemd-notify instead of JNA to notify
other systems when the subsystem is ready.

Since the SystemdNotifier is no longer dependent on JNA, it
has been moved into pki-server.jar and the JNA dependency has
been dropped.

The StartupNotifier has been renamed into SubsystemListener
such that it can be expanded to listen to other subsystem
events (e.g. shutdown).

Resolves: #1953671

- - - - -
e787719b by Fraser Tweedale at 2021-05-07T15:34:24-05:00
SystemdNotifier: document how to configure systemd unit

- - - - -
6945b57a by Endi S. Dewata at 2021-05-18T15:31:33-05:00
Update ACME install doc

- - - - -
b2bd603c by fdelehay at 2021-05-18T15:32:06-05:00
Update Nuxwdog.md

typo in command

- - - - -
a47f76a0 by Tomasz Torcz at 2021-05-18T15:32:35-05:00
acme: don't fail on resubmitted valid challenges

Some acme clients, like cert-manager, happen to resubmit already
valid challenges. This is not 100% in line with RFC8555, but it is
not a reason to throw Exception.

- - - - -
75bdbbc2 by Endi S. Dewata at 2021-06-09T11:20:21-05:00
Use password file when creating admin user

The pki-server <subsystem>-user-add has been updated to
provide a --password-file option. The deployment tool
has been modified to use this option when creating the
admin user to prevent the password from being logged in
debug mode.

Resolves: CVE-2021-3551

- - - - -
e60ca102 by Endi S. Dewata at 2021-06-09T11:20:21-05:00
Fix permission for new installation logs

The enable_pki_logger() has been updated to disable
world access for new installation logs to be created
in /var/log/pki.

Resolves: CVE-2021-3551

- - - - -
1c0a7b45 by Endi S. Dewata at 2021-06-09T11:20:21-05:00
Fix permission for existing installation logs

The spec file has been updated to remove world access
from existing installation logs in /var/log/pki.

Resolves: CVE-2021-3551

- - - - -


9 changed files:

- .classpath
- .github/workflows/acme-tests.yml
- .github/workflows/ca-tests.yml
- .github/workflows/ipa-tests.yml
- .github/workflows/kra-tests.yml
- .github/workflows/ocsp-tests.yml
- .github/workflows/python-tests.yml
- .github/workflows/qe-tests.yml
- .github/workflows/tks-tests.yml


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/freeipa-team/dogtag-pki/-/compare/5b5ddd5d736fd719cc94a159af392fff91a734c7...1c0a7b45225aadc6efde21f92b0103937ae99d6d


