From 8d9e81e64a5cee59d11cd55e68987f4351ac92ae Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Wed, 14 Feb 2024 14:51:02 -0600 Subject: [PATCH] Fix pki-server subsystem-show The PKIServer.load_subsystems() has been modified to skip loading a subsystem if the subsystem folder doesn't exist or is empty. This will restore pki-server subsystem-show to work more consistently as in the previous PKI version. Resolves: https://issues.redhat.com/browse/RHEL-21568 --- .github/workflows/ca-basic-test.yml | 16 +++++++++ .github/workflows/ipa-basic-test.yml | 33 +++++++++++++++++++ .github/workflows/server-basic-test.yml | 28 ++++++++++++++++ base/server/python/pki/server/__init__.py | 9 ++++- .../server/python/pki/server/cli/subsystem.py | 4 +-- 5 files changed, 87 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ca-basic-test.yml b/.github/workflows/ca-basic-test.yml index 16e49a0c30d..c062c2490c1 100644 --- a/.github/workflows/ca-basic-test.yml +++ b/.github/workflows/ca-basic-test.yml @@ -71,6 +71,22 @@ jobs: docker exec pki pki-server webapp-show ca docker exec pki pki-server webapp-show pki + - name: Check subsystems + run: | + docker exec pki pki-server subsystem-find | tee output + + # CA instance should have CA subsystem + echo "ca" > expected + sed -n 's/^ *Subsystem ID: *\(.*\)$/\1/p' output > actual + diff expected actual + + docker exec pki pki-server subsystem-show ca | tee output + + # CA subsystem should be enabled + echo "True" > expected + sed -n 's/^ *Enabled: *\(.*\)$/\1/p' output > actual + diff expected actual + - name: Check CA certs and keys run: | # check certs diff --git a/.github/workflows/ipa-basic-test.yml b/.github/workflows/ipa-basic-test.yml index f17703cdae4..0bbb4394d64 100644 --- a/.github/workflows/ipa-basic-test.yml +++ b/.github/workflows/ipa-basic-test.yml 
@@ -64,6 +64,22 @@ jobs: docker exec ipa pki-server webapp-show ca docker exec ipa pki-server webapp-show pki + - name: Check subsystems + run: | + docker exec ipa pki-server subsystem-find | tee output + + # IPA server should have CA subsystem + echo "ca" > expected + sed -n 's/^ *Subsystem ID: *\(.*\)$/\1/p' output > actual + diff expected actual + + docker exec ipa pki-server subsystem-show ca | tee output + + # CA subsystem should be enabled + echo "True" > expected + sed -n 's/^ *Enabled: *\(.*\)$/\1/p' output > actual + diff expected actual + - name: Check DS certs and keys run: | docker exec ipa ls -la /etc/dirsrv/slapd-EXAMPLE-COM @@ -162,6 +178,23 @@ jobs: docker exec ipa pki-server webapp-show kra + - name: Check subsystems + run: | + docker exec ipa pki-server subsystem-find | tee output + + # IPA server should now have CA and KRA subsystems + echo "ca" > expected + echo "kra" >> expected + sed -n 's/^ *Subsystem ID: *\(.*\)$/\1/p' output > actual + diff expected actual + + docker exec ipa pki-server subsystem-show kra | tee output + + # KRA subsystem should be enabled + echo "True" > expected + sed -n 's/^ *Enabled: *\(.*\)$/\1/p' output > actual + diff expected actual + - name: Run PKI healthcheck run: docker exec ipa pki-healthcheck --failures-only diff --git a/.github/workflows/server-basic-test.yml b/.github/workflows/server-basic-test.yml index ea1421917f0..fbd19ea9b6a 100644 --- a/.github/workflows/server-basic-test.yml +++ b/.github/workflows/server-basic-test.yml 
@@ -53,6 +53,34 @@ jobs: sed -n 's/^ *Webapp ID: *\(.*\)$/\1/p' output > actual diff /dev/null actual + - name: Check subsystems + run: | + docker exec pki pki-server subsystem-find | tee output + + # basic PKI server should have no subsystems + sed -n 's/^ *Subsystem ID: *\(.*\)$/\1/p' output > actual + diff /dev/null actual + + # CA subsystem should not exist + docker exec pki pki-server subsystem-show ca \ + > >(tee stdout) 2> >(tee stderr >&2) || true + + echo "ERROR: No ca subsystem in instance pki-tomcat." > expected + diff expected stderr + + # create empty CA subsystem folder + docker exec pki mkdir -p /var/lib/pki/pki-tomcat/ca + + # CA subsystem should not exist + docker exec pki pki-server subsystem-show ca \ + > >(tee stdout) 2> >(tee stderr >&2) || true + + echo "ERROR: No ca subsystem in instance pki-tomcat." > expected + diff expected stderr + + # remove CA subsystem folder + docker exec pki rm -rf /var/lib/pki/pki-tomcat/ca + - name: Set up client container run: | tests/bin/runner-init.sh client diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py index ea977cfe2a5..5452a86ec53 100644 --- a/base/server/python/pki/server/__init__.py +++ b/base/server/python/pki/server/__init__.py @@ -1222,8 +1222,15 @@ def load_subsystems(self): for subsystem_name in SUBSYSTEM_TYPES: subsystem_dir = os.path.join(self.base_dir, subsystem_name) + + # ensure /var/lib/pki// exists if not os.path.exists(subsystem_dir): - # Directory does not exist + continue + + # ensure /var/lib/pki// is not empty + # https://issues.redhat.com/browse/RHEL-21568 + if not os.listdir(subsystem_dir): + # Directory exists but it is empty continue subsystem = pki.server.subsystem.PKISubsystemFactory.create(self, subsystem_name) diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py index ca153d4a62a..0a442fc8cd5 100644 --- a/base/server/python/pki/server/cli/subsystem.py 
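Review bot: The "basic PKI server should have no subsystems" check at the top of this step can pass without the command having worked, because `docker exec pki pki-server subsystem-find | tee output` reports tee's status and an empty `output` yields an empty `actual` that matches `/dev/null`. Unless the job's shell already enables pipefail (not visible in this hunk), start the `run:` block with `set -o pipefail`. The two `subsystem-show ca` calls also discard the exit status with `|| true` and compare stderr only; capturing it with `|| rc=$?` and asserting it is non-zero would also cover the `sys.exit(1)` path shown in cli/subsystem.py. The same `| tee output` pattern in the ca-basic-test.yml and ipa-basic-test.yml hunks is less exposed, because those checks expect non-empty output.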
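Review bot: The added `os.listdir(subsystem_dir)` in `load_subsystems()` brings failure modes that the preceding `os.path.exists()` check does not rule out. `exists()` is also true for a regular file or for a directory the caller cannot list, and the folder can be removed between the two calls, so `NotADirectoryError`, `PermissionError` or `FileNotFoundError` would abort the loop for every remaining subsystem type. Changing the first guard to `if not os.path.isdir(subsystem_dir):` removes the non-directory case; the listing should additionally handle `OSError` by logging and skipping that subsystem, so an unreadable folder is reported as such rather than as a traceback. "Not empty" is also a loose test for a deployed subsystem, since any stray entry in the folder passes it; checking for a file the factory actually needs would be stricter, though what that is lies outside this hunk. The function body starts before and continues after the hunk.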
+++ b/base/server/python/pki/server/cli/subsystem.py @@ -189,7 +189,7 @@ def execute(self, argv): subsystem = instance.get_subsystem(subsystem_name) if not subsystem: - logger.error('ERROR: No %s subsystem in instance %s.', + logger.error('No %s subsystem in instance %s.', subsystem_name, instance_name) sys.exit(1) @@ -944,7 +944,7 @@ def execute(self, argv): subsystem = instance.get_subsystem(subsystem_name) if not subsystem: - logger.error('ERROR: No %s subsystem in instance %s.', + logger.error('No %s subsystem in instance %s.', subsystem_name, instance_name) sys.exit(1) cert = subsystem.get_subsystem_cert(cert_id)