Bug 745677

Summary: Firefox Launcher on Panel being modified for all users.
Product: Red Hat Enterprise Linux 6
Reporter: Jason Montleon <jmontleo>
Component: pki-core
Assignee: Matthew Harmsen <mharmsen>
Status: CLOSED ERRATA
QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: high
Priority: high
Version: 6.2
CC: dpal, jgalipea, kchamart, mkosek, nkinder
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: pki-core-9.0.3-23.el6
Doc Type: Bug Fix
Last Closed: 2012-06-20 12:07:52 UTC
Bug Blocks: 756082, 767800
Attachments (description, flags):
  Remove CA desktop icon (flags: none)
  Remove all other PKI desktop icons (flags: none)
  Apply patch to remove CA desktop icon (flags: none)

Description Jason Montleon 2011-10-13 02:04:17 UTC
Description of problem:
On IPA servers ~/.local/share/applications/preferred-web-browser.desktop gets created for new users with an exec similar to the following:
Exec=firefox https://<fqdn>:9443/ca/admin/console/config/login?pin=<pin>

which does not appear to be a working page on a default install of IPA

This appears to be what the Firefox launcher on the top panel in gnome uses and therefore when you click on it you get a page that does not work because you do not have a client cert.

Version-Release number of selected component (if applicable):
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-server-2.1.1-4.el6.x86_64
ipa-python-2.1.1-4.el6.x86_64
ipa-server-selinux-2.1.1-4.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-client-2.1.1-4.el6.x86_64
ipa-admintools-2.1.1-4.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install RHEL 6.2 Beta
2. Run ipa-server-install and set up the IPA server
3. Log into a gnome session on the server and open firefox using the launcher created on the panel.
  
Actual results:
You get pointed at https://<fqdn>:443/ca/admin/console/config/login?

Expected results:
It works with the default behavior and opens firefox, or at least opens to the IPA web UI.

Additional info:
ayoung took a quick look at /usr/bin/pkicreate and it does contain code which looks like it creates a URL of similar format, but I don't see anything anywhere that would be making a modification so that this launcher gets created this way for new users.

Comment 2 Rob Crittenden 2011-10-13 03:04:12 UTC
Re-assigning to CS team, they own /usr/bin/pkicreate.

Comment 3 Jenny Severance 2011-10-14 13:07:24 UTC
I would like to see this fixed in 6.2 :-)

Comment 5 Nathan Kinder 2012-02-29 23:14:29 UTC
The pki-create script appears to have a "config.desktop" file that is installed:

    # Linux required desktop files
    $setup_config_area = "/usr/share/applications";
    $setup_config_name = "config.desktop";

This config.desktop file contains the firefox launcher URL.  We generate the config.desktop files from "config.desktop.in" templates for each subsystem.  These templates are in the source tree under the "pki/base/<subsystem>/setup" directories.
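
A check an administrator could run to see whether any launcher still points at the PKI configuration URL quoted in the description, either in the system directory named in Comment 5 or in a per-user directory. This is an added example, not part of the original thread or of the pki-core code; the function names, sample host name and PIN are constructed, and matching subsystems other than /ca/ under the same path is an assumption.

```shell
#!/bin/sh
# Added example (not from the bug thread): find desktop launchers whose
# Exec= line opens the PKI setup-wizard URL quoted in the description.

# Print "<file><TAB><Exec line>" for each *.desktop file directly inside the
# given directories that launches .../admin/console/config/login.
# The pin= value is redacted so the audit output does not copy the PIN around.
find_pki_launchers() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for file in "$dir"/*.desktop; do
            [ -f "$file" ] || continue   # also skips an unmatched glob
            line=$(sed -n -E '/^Exec=.*\/admin\/console\/config\/login/{
                s/([?&]pin=)[^&[:space:]]*/\1<redacted>/
                p
                q
            }' "$file")
            [ -n "$line" ] || continue
            printf '%s\t%s\n' "$file" "$line"
        done
    done
}

# Constructed sample data: one launcher shaped like the one in the report
# (host name and PIN are made up) and one ordinary browser launcher.
write_sample_tree() {
    mkdir -p "$1/system" "$1/user"
    cat > "$1/system/pki-ca-config.desktop" <<'EOF'
[Desktop Entry]
Name=Configure PKI CA (constructed sample)
Exec=firefox https://ipa.example.test:9443/ca/admin/console/config/login?pin=SAMPLEPIN123
Type=Application
EOF
    cat > "$1/user/preferred-web-browser.desktop" <<'EOF'
[Desktop Entry]
Name=Web Browser (constructed sample)
Exec=firefox %u
Type=Application
EOF
}

# Usage: sh audit.sh /usr/share/applications /home/*/.local/share/applications
if [ "$#" -gt 0 ]; then
    find_pki_launchers "$@"
fi
```

An empty result on a patched server is consistent with the verification in Comment 14.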

Comment 6 Matthew Harmsen 2012-03-01 01:07:38 UTC
To fix this, I would propose the following:

(1) First, move the 'config.desktop.in' files and associated CMake logic
    for building them from their primary PKI component to their
    corresponding PKI-UI component:

    ca/setup/config.desktop.in   --> ca-ui/setup/config.desktop.in
    kra/setup/config.desktop.in  --> kra-ui/setup/config.desktop.in
    ocsp/setup/config.desktop.in --> ocsp-ui/setup/config.desktop.in
    ra/setup/config.desktop.in   --> ra-ui/setup/config.desktop.in
    tks/setup/config.desktop.in  --> tks-ui/setup/config.desktop.in
    tps/setup/config.desktop.in  --> tps-ui/setup/config.desktop.in

(2) Fix the "dogtag-pki-theme.spec" (and if ever available,
    "redhat-pki-theme.spec") to INCLUDE the
    "/usr/share/pki/<subsystem>-ui/setup" directories and
    "/usr/share/pki/<subsystem>-ui/setup/config.file" files.

(3) Fix the "ipa-pki-theme.spec" to EXCLUDE the
    "/usr/share/pki/<subsystem>-ui/setup" directories and
    "/usr/share/pki/<subsystem>-ui/setup/config.file" files.

(4) Fix the logic in "pki-create" to first check for the existence of
    a file called "/usr/share/pki/<subsystem>-ui/setup/config.desktop"
    prior to attempting to create an instance of
    "/usr/share/applications/<pki_instance_name>-config.desktop".

This should fix the issue on RHEL 6 since it utilizes the empty
'ipa-pki-theme' packages.

However, this may remain an issue for FreeIPA when attempting to live in
concert with Dogtag PKI (unsure if this is a problem for FreeIPA).

Comment 7 Matthew Harmsen 2012-03-06 02:11:36 UTC
Created attachment 567798 [details]
Remove CA desktop icon

Comment 8 Matthew Harmsen 2012-03-06 02:12:20 UTC
Created attachment 567800 [details]
Remove all other PKI desktop icons

Comment 9 Matthew Harmsen 2012-03-06 02:17:09 UTC
Created attachment 567801 [details]
Apply patch to remove CA desktop icon

Comment 10 Matthew Harmsen 2012-03-06 02:23:40 UTC
After discussions on IRC, it was determined that the desktop icon logic would be removed rather than relocated to the UI components.  The three previous attachments implement this approach.

Comment 11 Matthew Harmsen 2012-03-06 02:59:50 UTC
# git am  0026-BZ-745677-Remove-CA-desktop-icon.patch
Applying: Remove CA desktop icon

# git log -1
commit 15e6ec8158eff9895b54a163f4031532692322e3
Author: Matthew Harmsen <mharmsen>
Date:   Mon Mar 5 17:16:28 2012 -0800

    Remove CA desktop icon
    
    Bugzilla Bug #745677 - Firefox Launcher on Panel being modified for all user

# git push
Counting objects: 17, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (8/8), done.
Writing objects: 100% (9/9), 804 bytes, done.
Total 9 (delta 6), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/pki.git
   889694d..15e6ec8  IPA_v2_RHEL_6_ERRATA_BRANCH -> IPA_v2_RHEL_6_ERRATA_BRANCH

# git am 0001-Remove-all-other-PKI-desktop-icons.patch 
Applying: Remove all other PKI desktop icons

# git log -1
commit f6f83148f9dffd35a9226b4e7f8701d66738cb73
Author: Matthew Harmsen <mharmsen>
Date:   Mon Mar 5 17:23:24 2012 -0800

    Remove all other PKI desktop icons
    
    Bugzilla Bug #745677 - Firefox Launcher on Panel being modified for all user

# git push
Counting objects: 21, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (10/10), done.
Writing objects: 100% (11/11), 1.05 KiB, done.
Total 11 (delta 7), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/pki.git
   15e6ec8..f6f8314  IPA_v2_RHEL_6_ERRATA_BRANCH -> IPA_v2_RHEL_6_ERRATA_BRANCH

# git am 0001-Apply-patch-to-remove-CA-desktop-icon.patch
Applying: Apply patch to remove CA desktop icon
/home/mharmsen/DOGTAG/pkigit.ipa/.git/rebase-apply/patch:31: trailing whitespace.
 
/home/mharmsen/DOGTAG/pkigit.ipa/.git/rebase-apply/patch:94: trailing whitespace.
 
/home/mharmsen/DOGTAG/pkigit.ipa/.git/rebase-apply/patch:102: trailing whitespace.
 
/home/mharmsen/DOGTAG/pkigit.ipa/.git/rebase-apply/patch:112: trailing whitespace.
 
/home/mharmsen/DOGTAG/pkigit.ipa/.git/rebase-apply/patch:114: trailing whitespace.
 
warning: squelched 3 whitespace errors
warning: 8 lines add whitespace errors.

# git log -1
commit f1e0c039172512389dddf51372411b5799fc6c5c
Author: Matthew Harmsen <mharmsen>
Date:   Mon Mar 5 18:14:33 2012 -0800

    Apply patch to remove CA desktop icon
    
    Bugzilla Bug #745677 - Firefox Launcher on Panel being modified for all user

# git push
Counting objects: 8, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (4/4), done.
Writing objects: 100% (5/5), 2.46 KiB, done.
Total 5 (delta 2), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/pki.git
   f6f8314..f1e0c03  IPA_v2_RHEL_6_ERRATA_BRANCH -> IPA_v2_RHEL_6_ERRATA_BRANCH

Comment 13 Matthew Harmsen 2012-03-06 03:38:54 UTC
Forgot to add spec file:

# git push
Counting objects: 9, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (4/4), done.
Writing objects: 100% (5/5), 684 bytes, done.
Total 5 (delta 3), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/pki.git
   f1e0c03..f70660c  IPA_v2_RHEL_6_ERRATA_BRANCH -> IPA_v2_RHEL_6_ERRATA_BRANCH

Comment 14 Kashyap Chamarthy 2012-04-11 06:55:18 UTC
VERIFIED.

===========================================================
[root@dhcp201-219 ~]# cat /etc/redhat-release ; arch
Red Hat Enterprise Linux Server release 6.3 Beta (Santiago)
x86_64
[root@dhcp201-219 ~]# 
===========================================================

Version Info:
===========================================================
[root@dhcp201-219 ~]# rpm -q pki-ca
pki-ca-9.0.3-24.el6.noarch
[root@dhcp201-219 ~]# 
===========================================================
[root@dhcp201-219 ~]# rpm -q pki-ca --changelog | grep 745677 -A1 -B1
* Mon Mar 05 2012 Matthew Harmsen <mharmsen> 9.0.3-22
- Resolves #745677 - Firefox Launcher on Panel being modified for all users.
  (fixed in Git repo)
[root@dhcp201-219 ~]# 
===========================================================

Launching firefox from the gnome session now does not go to the PKI configuration URL (which is expected after this bug fix).

Comment 15 Kashyap Chamarthy 2012-04-11 06:56:02 UTC
Missed to add in the above comment, for the IPA server status:
===========================================================
[root@dhcp201-219 ~]# ipactl status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
DNS Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING
[root@dhcp201-219 ~]# 
===========================================================

Comment 17 errata-xmlrpc 2012-06-20 12:07:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0761.html