Revert "Remove test for minimum ACME support and rely on package deps"

This reverts commit 81c97bb992. This is to make IPA installable again with older versions of dogtag so it will install on CentOS 8 Stream. ACME will not be deployed but on upgrade, if pki 10.10.x is available then it will be. https://pagure.io/freeipa/issue/8634 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2025-02-25 18:55:28 -06:00 · 2021-01-04 08:55:18 -05:00
parent 99ea326b1c
commit 85d4f2d9c6
2 changed files with 38 additions and 1 deletions
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -37,6 +37,7 @@ import syslog
 import time
 import tempfile
 from configparser import RawConfigParser
+from pkg_resources import parse_version

 from ipalib import api
 from ipalib import x509
@@ -473,7 +474,8 @@ class CAInstance(DogtagInstance):

                self.step("configuring certmonger renewal for lightweight CAs",
                          self.add_lightweight_ca_tracking_requests)
-                self.step("deploying ACME service", self.setup_acme)
+                if minimum_acme_support():
+                    self.step("deploying ACME service", self.setup_acme)

        if ra_only:
            runtime = None
@@ -1481,6 +1483,9 @@ class CAInstance(DogtagInstance):
            logger.debug('ACME service is already deployed')
            return False

+        if not minimum_acme_support():
+            return False
+
        self._ldap_mod('/usr/share/pki/acme/database/ds/schema.ldif')

        configure_acme_acls()
@@ -1734,6 +1739,33 @@ def ensure_lightweight_cas_container():
    )


+def minimum_acme_support(data=None):
+    """
+    ACME with global enable/disable is required.
+
+    This first shipped in dogtag version 10.10.0.
+
+    Parse the version string to determine if the minimum version
+    is met. If parsing fails return False.
+
+    :param: data: The string value to parse for version. Defaults to
+                  reading from the filesystem.
+    """
+    if not data:
+        with open('/usr/share/pki/VERSION', 'r') as fd:
+            data = fd.read()
+
+    groups = re.match(r'.*\nSpecification-Version: ([\d+\.]*)\n.*', data)
+    if groups:
+        version_string = groups.groups(0)[0]
+        minimum_version = parse_version('10.10.0')
+
+        return parse_version(version_string) >= minimum_version
+    else:
+        logger.debug('Unable to parse version from %s', data)
+        return False
+
+
 def ensure_acme_containers():
    """
    Create the ACME container objects under ou=acme,o=ipaca if