Create Firefox extension on upgrade and replica-install

If the signing cert is not available, create an unsigned extension.

Add a zip dependency to the specfile.

https://fedorahosted.org/freeipa/ticket/3150

freeipa.spec.in

@@ -173,6 +173,7 @@ Requires(postun): python initscripts chkconfig
 %endif
 Requires: python-dns
 Requires: keyutils
+Requires: zip
 
 # We have a soft-requires on bind. It is an optional part of
 # IPA but if it is configured we need a way to require versions
@@ -786,6 +787,9 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
 
 %changelog
+* Wed Oct 10 2012 Petr Viktorin <pviktori@redhat.com> - 2.99.0-49
+- Add zip dependency, needed for creating unsigned Firefox extensions
+
 * Mon Oct  8 2012 Martin Kosek <mkosek@redhat.com> - 2.99.0-48
 - Add directory /var/lib/ipa/pki-ca/publish for CRL published by pki-ca
 

install/tools/ipa-replica-install

@@ -217,6 +217,8 @@ def install_http(config, auto_redirect):
             print "error copying files: " + str(e)
             sys.exit(1)
 
+    http.setup_firefox_extension(config.realm_name, config.domain_name)
+
     return http
 
 def install_bind(config, options):

install/tools/ipa-upgradeconfig

@@ -283,6 +283,17 @@ def cleanup_kdc(fstore):
             fstore.untrack_file(filename)
             root_logger.debug('Uninstalling %s', filename)
 
+
+def setup_firefox_extension(fstore):
+    """Set up the Firefox configuration extension, if it's not set up yet
+    """
+    root_logger.info('[Setting up Firefox extension]')
+    http = httpinstance.HTTPInstance(fstore)
+    realm = api.env.realm
+    domain = api.env.domain
+    http.setup_firefox_extension(realm, domain)
+
+
 def upgrade_ipa_profile(ca):
     """
     Update the IPA Profile provided by dogtag
@@ -624,6 +635,7 @@ def main():
         pass
 
     cleanup_kdc(fstore)
+    setup_firefox_extension(fstore)
     changed_psearch = named_enable_psearch()
     changed_autoincrement = named_enable_serial_autoincrement()
     if changed_psearch or changed_autoincrement:

ipapython/ipautil.py

@@ -223,8 +223,17 @@ def template_str(txt, vars):
     return val
 
 def template_file(infilename, vars):
-    txt = open(infilename).read()
+    """Read a file and perform template substitutions"""
-    return template_str(txt, vars)
+    with open(infilename) as f:
+        return template_str(f.read(), vars)
+
+
+def copy_template_file(infilename, outfilename, vars):
+    """Copy a file, performing template substitutions"""
+    txt = template_file(infilename, vars)
+    with open(outfilename, 'w') as file:
+        file.write(txt)
+
 
 def write_tmp_file(txt):
     fd = tempfile.NamedTemporaryFile()
@@ -237,7 +246,7 @@ def shell_quote(string):
     return "'" + string.replace("'", "'\\''") + "'"
 
 def run(args, stdin=None, raiseonerr=True,
-        nolog=(), env=None, capture_output=True):
+        nolog=(), env=None, capture_output=True, cwd=None):
     """
     Execute a command and return stdin, stdout and the process return code.
 
@@ -285,7 +294,7 @@ def run(args, stdin=None, raiseonerr=True,
 
     try:
         p = subprocess.Popen(args, stdin=p_in, stdout=p_out, stderr=p_err,
-                             close_fds=True, env=env)
+                             close_fds=True, env=env, cwd=cwd)
         stdout,stderr = p.communicate(stdin)
         stdout,stderr = str(stdout), str(stderr)    # Make pylint happy
     except KeyboardInterrupt:

ipaserver/install/httpinstance.py

@@ -286,27 +286,18 @@ class HTTPInstance(service.Service):
 
     def __setup_autoconfig(self):
         target_fname = '/usr/share/ipa/html/preferences.html'
-        prefs_txt = ipautil.template_file(ipautil.SHARE_DIR + "preferences.html.template", self.sub_dict)
+        ipautil.copy_template_file(
-        prefs_fd = open(target_fname, "w")
+            ipautil.SHARE_DIR + "preferences.html.template",
-        prefs_fd.write(prefs_txt)
+            target_fname, self.sub_dict)
-        prefs_fd.close()
-        os.chmod(target_fname, 0644)
-
-        target_fname = '/usr/share/ipa/html/krb.js'
-        prefs_txt = ipautil.template_file(ipautil.SHARE_DIR + "krb.js.template", self.sub_dict)
-        prefs_fd = open(target_fname, "w")
-        prefs_fd.write(prefs_txt)
-        prefs_fd.close()
         os.chmod(target_fname, 0644)
 
         # The signing cert is generated in __setup_ssl
         db = certs.CertDB(self.realm, subject_base=self.subject_base)
-        pwdfile = open(db.passwd_fname)
+        with open(db.passwd_fname) as pwdfile:
-        pwd = pwdfile.read()
+            pwd = pwdfile.read()
-        pwdfile.close()
 
         # Setup configure.jar
-        tmpdir = tempfile.mkdtemp(prefix = "tmp-")
+        tmpdir = tempfile.mkdtemp(prefix="tmp-")
         target_fname = '/usr/share/ipa/html/configure.jar'
         shutil.copy("/usr/share/ipa/html/preferences.html", tmpdir)
         db.run_signtool(["-k", "Signing-Cert",
@@ -316,15 +307,47 @@ class HTTPInstance(service.Service):
         shutil.rmtree(tmpdir)
         os.chmod(target_fname, 0644)
 
+        self.setup_firefox_extension(self.realm, self.domain, force=True)
+
+    def setup_firefox_extension(self, realm, domain, force=False):
+        """Set up the signed browser configuration extension
+
+        If the extension is already set up, skip the installation unless
+        ``force`` is true.
+        """
+
+        target_fname = '/usr/share/ipa/html/krb.js'
+        if os.path.exists(target_fname) and not force:
+            root_logger.info(
+                '%s exists, skipping install of Firefox extension',
+                    target_fname)
+            return
+
+        sub_dict = dict(REALM=realm, DOMAIN=domain)
+        db = certs.CertDB(realm)
+        with open(db.passwd_fname) as pwdfile:
+            pwd = pwdfile.read()
+
+        ipautil.copy_template_file(ipautil.SHARE_DIR + "krb.js.template",
+            target_fname, sub_dict)
+        os.chmod(target_fname, 0644)
+
         # Setup extension
-        tmpdir = tempfile.mkdtemp(prefix = "tmp-")
+        tmpdir = tempfile.mkdtemp(prefix="tmp-")
         extdir = tmpdir + "/ext"
         target_fname = "/usr/share/ipa/html/kerberosauth.xpi"
         shutil.copytree("/usr/share/ipa/ffextension", extdir)
-        db.run_signtool(["-k", "Signing-Cert",
+        if db.has_nickname('Signing-Cert'):
-                            "-p", pwd,
+            db.run_signtool(["-k", "Signing-Cert",
-                            "-X", "-Z", target_fname,
+                                "-p", pwd,
-                            extdir])
+                                "-X", "-Z", target_fname,
+                                extdir])
+        else:
+            root_logger.warning('Object-signing certificate was not found. '
+                'Creating unsigned Firefox configuration extension.')
+            filenames = os.listdir(extdir)
+            ipautil.run(['/usr/bin/zip', '-r', target_fname] + filenames,
+                cwd=extdir)
         shutil.rmtree(tmpdir)
         os.chmod(target_fname, 0644)