[Pki-devel] [PATCH] 159, 160 - allow for automated generation of shared secrets for TKS/TPS connectors

Ade Lee alee at redhat.com
Mon Sep 30 16:26:47 UTC 2013 

acked by Endi with a couple small changes.  Nickname no longer permitted
to be modified, and attempt to modify nickname/userid results in
UnauthorizedException being thrown.

All pushed to master.
 
On Mon, 2013-09-30 at 11:52 -0400, Ade Lee wrote:
> Based on revire comments and ack from Endi and Jack, I will push 159,
> 160 and 161.
> 
> Attaching 162 to add a modify option and add ability for a tks admin to
> remove a connector.
> 
> Please review.
> 
> Thanks, Ade
> 
> On Fri, 2013-09-27 at 14:36 -0400, Ade Lee wrote:
> > OK - I added a new patch to address the comments below and do some
> > cleanup.
> > 
> > Please apply on top of the 159 and 160.
> > 
> > Ade
> > 
> > On Thu, 2013-09-26 at 21:04 -0500, Endi Sukma Dewata wrote:
> > > On 9/26/2013 11:12 AM, Ade Lee wrote:
> > > > Patch 159:
> > > >
> > > >   Add service to generate and retrieve a shared secret
> > > >
> > > >      A new REST service has been added to the TKS to manage shared secrets.
> > > >      The shared secret is tied to the TKS-TPS connector, and is created at the
> > > >      end of the TPS configuration.  At this point, the TPS contacts the TKS and
> > > >      requests that the shared secret be generated.  The secret is returned to the
> > > >      TPS, wrapped using the subsystem certificate of the TPS.
> > > >
> > > >      The TPS should then decrypt the shared secret and store it in its certificate
> > > >      database.  This operations requires JSS changes, though, and so will be deferred
> > > >      to a later patch.  For now, though, if the TPS and TKS share the same certdb, then
> > > >      it is sufficient to generate the shared secret.
> > > >
> > > >      Clients and CLI are also provided.  The CLI in particular is used to remove the
> > > >      TPSConnector entries and the shared secret when the TPS is pkidestroyed.
> > > 
> > > In addition to the things that were discussed over IRC earlier I have 
> > > some comments:
> > > 
> > > 1. The createConnector() probably should return HTTP 201 since it's 
> > > creating a new entry. This would be consistent with other resources.
> > > 
> > > 2. The capitalization of "connector" in the help message is not consistent:
> > > 
> > >    tks-tpsconnector        TPS Connector management commands
> > >    tks-tpsconnector-add    Add TPS Connector to TKS
> > >    tks-tpsconnector-find   Find TPS connector details on TKS
> > >    tks-tpsconnector-del    Remove TPS connector from TKS
> > > 
> > > 3. The tks-tpsconnector-find output should have a header and footer like 
> > > other *-find commands:
> > > 
> > >    ----------------------
> > >    1 connector(s) matched
> > >    ----------------------
> > >      Connector ID: 0
> > >      Host: server.example.com
> > >      Port: 8443
> > >      User ID: TPS-server.example.com-8443
> > >      Nickname: TPS-server.example.com-8443 sharedSecret
> > >    ----------------------------
> > >    Number of entries returned 1
> > >    ----------------------------
> > > 
> > > 4. Currently the access to the connector is limited to the subsystem 
> > > user, which doesn't correspond to a real person. It should allow the TKS 
> > > administrator to add/delete the connectors. This can be done by checking 
> > > the principal.getRoles() in validateUser().
> > > 
> > > 5. The tks-tpsconnector-add/del parameters right now are passed as 
> > > arguments. It probably should be passed using options because it may 
> > > change in the future:
> > > 
> > >    tks-tpsconnector-add --host <host> --port <port>
> > >    tks-tpsconnector-del --connector-id <connector ID>
> > > 
> > > 6. We discussed about changing the error code for non-existent entries 
> > > to 204 (https://fedorahosted.org/pki/ticket/746). However, now I think 
> > > 404 actually makes more sense. See 
> > > http://stackoverflow.com/questions/11746894/what-is-the-proper-rest-response-code-for-a-valid-request-but-an-empty-data. 
> > > Both of the following URL's should return the same error code because 
> > > the client shouldn't need to know which path is mapped to REST method:
> > > * /rest/users/wronguser
> > > * /rest/wrongpath
> > > 
> > > So methods like deleteConnector(), deleteSharedSecret(), etc. should 
> > > throw ResourceNotFoundException instead of returning silently if the 
> > > entry doesn't exist.
> > > 
> > > I'll continue the review tomorrow.
> > > 
> > 
> > _______________________________________________
> > Pki-devel mailing list
> > Pki-devel at redhat.com
> > https://www.redhat.com/mailman/listinfo/pki-devel
> 
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

More information about the Pki-devel mailing list