[Pki-devel] patch for review : https://bugzilla.redhat.com/show_bug.cgi?id=712931

Adam Young ayoung at redhat.com
Tue Aug 23 17:54:24 UTC 2011 

Looks Good.  ACK


On 08/23/2011 11:39 AM, Ade Lee wrote:
> On Mon, 2011-08-22 at 12:22 -0400, Adam Young wrote:
>> I'm strill tracking down why the install failed.  So far, I can just
>> determine that the CS DirSrv is not running when the ldap modify command
>> comes through, but I am not sure why.
>>
>>
>> base/ca/shared/conf/proxy.conf
>>
>> while it is a proxy to tomcat, from the apache perspective, tomcat is a
>> subordinate.  It might not be the clearest name.  Perhaps
>> proxy-tomcat.conf  or proxy-dogtag.conf,  although I thought
>> dogtag.conf  was a fairly descriptive name.
>>
> As discussed in review, we will leave this name as is.
>> All of the stanzas now appear identical with the exception of the
>> LocationMatch and one with NSSVerifyClient require.   Can the 3
>> NSSVerifyClient stanzas be collapsed   be collapsed into one?
>>
>>
> They could - but I suggest we leave that for a later patch where we
> clean up the URL structure.  For now, it makes more sense to me to keep
> them separate because the separate stanzas accurately describe what is
> on each of the admin, agent and ee ports.
>
> Another thing to consider.  In the non-IPA product, it is possible to
> configure the console (which uses admin URLs) to use client auth.  If we
> were to move some of the admin functions to http in future, I could see
> a need to make them client-auth. (and therefore, there may be a need to
> keep them separated).
>
>> ImportCAChainPanel.java:display
>>
>> if this line fails:
>> context.put("machineName", cs.getString("machineName"));
>>
>> The processing continue on, but the next two lines:
>>               context.put("https_port",
>> cs.getString("pkicreate.ee_secure_port"));
>>               context.put("http_port",
>> cs.getString("pkicreate.unsecure_port"));
>>
>> Will never get executed.  THat doesn't seem like the intention we want.
>> These two lines should probable be outside the catch block, and trigger
>> an exception that stops processing, as it seems like things are
>> significantly broken at this point.
>>
> The correct thing to do here if any of these lines are not executed is
> to log an error and display an error message to the user.  Which I have
> now done.
>
> Note that this does not affect IPA as this is in the display of an
> installation panel. pkisilent does not use these values.
>
>
>> AdminRequestFilter.java
>>
>> Drop the bad_port boolean and move the conditional code up to where
>> bad_port is set.
>>
>>       if (bad_port) {
>>                       CMS.debug( filterName + ":  " + msg );
>>                       CMS.debug( filterName + ": uri is " + uri);
>>                       if ((param_active != null)
>> &&(param_active.equals("false"))) {
>>                           CMS.debug("Filter is disabled .. continuing");
>>                       } else {
>>                           resp.sendError(
>> HttpServletResponse.SC_NOT_FOUND, msg );
>>                           return;
>>                       }
>>                   }
>>
> Actually, I disagree with this one.  There are two places where bad_port
> is set - so not using the boolean causes unnecessary duplication of
> code.  We might be able to do without the boolean, but not without
> compromising the readability of the code.
>
>> AgentRequestFilter.java
>> EEClientAuthRequestFilter.java
>> EERequestFilter.java
>>
>> Code is duplicate of the code in the AdminRequest\Filter.  refactor to a
>> common method.  Comment from above applies here as well re:  bad_port
>>
> Yes -- I agree with this.  Actually, as all the code in each of the
> filters is pretty much duplicated - I think we can refactor this to a
> single filter class which can be instantiated with a couple of
> parameters.
>
> As we want to get this out for 6.1 and in as much testing as possible, I
> suggest we open a bug to do this refactoring in the 8.2 timeframe.
>
>> fixProxyPorts: Why catch the exception and continue.  Wouldn't it be
>> better to throw the exception?  Do we really want to continue if this
>> code does not succeed?
>>
> Done
>
>> Relative paths in html files:  seesm like we should specify a place for
>> the helper files to live, instead of assuming they will be in
>> ../cms-funcs.js  as that is a little on the fragile side. I am guessing
>> that it can no longer be just /ee/  since we might be coming from
>> /eeca/    Probably OK as is for this commit, but lets figure out what
>> we'd ideally want to do.    I'm guessing that the eeca approach is
>> really not what we want, and this is a work around for it, too.
>>
> OK
>
>> I didn't give the perl code a thorough a look as the Java code, but it
>> looked OK.
>>
> We walked through it in the code review.
>> _______________________________________________
>> Pki-devel mailing list
>> Pki-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-devel

More information about the Pki-devel mailing list