[Pki-devel] [PATCH] pki-cfu-0027-ticket-882-tokendb-policy-handling-revocation-and-re.patch
Christina Fu
cfu at redhat.com
Wed Aug 20 17:23:51 UTC 2014
Agreed to table the structure discussion (#2) to next patch - Note: I
have converted Hashtables to ArrayList since.
Verbal ACK received from Jack.
Pushed to master:
commit f90798b725430ac2ec44d1e29ea9fbd53abc4c64
thanks,
Christina
On 08/18/2014 07:56 PM, Christina Fu wrote:
> Thanks for the review, jack. Please find the new patch that:
> 1. checks for tps null value in TPSTokenPolicy constructor
> 2. for the methods with Hashtables passing around, I added comments
> to explain what they are, and renamed the methods to be more clear on
> what they do. However, I need time to think about creating classes
> for them as I'm not very certain we want to do that at the moment. I
> will add the discussion to the next patch, if it's okay with you,.
> 3. I moved the check with revokeCert config to the top of the method.
>
> Finally, as I stated, there are improvements to come for the recovery
> decision method.
>
> thanks,
> Christina
>
> On 08/18/2014 07:16 PM, John Magne wrote:
>> Comments:
>>
>> -This method:
>>
>> public TPSTokenPolicy (TPSSubsystem tps) {
>> + this.tps = tps;
>> + // init from config first
>> + String policySetString = getDefaultPolicySetString();
>> + parsePolicySetString(policySetString);
>>
>>
>> Maybe just check for a null tps in the constructor and throw an
>> exception.
>> Then we don't have to worry about tps being invalid again.
>>
>>
>> -This method:
>>
>> public Hashtable<String, TokenRecord> tdbFindTokenRecords(String
>> uid)
>> + throws Exception {
>>
>> OK, there are a bunch of places where we are passing back and passing
>> around these hashbables of tokens or certs or whatever.
>>
>> First we have no idea what is in the the hash table unless inspecting
>> the code closely.
>> Second. It looks like this method is takin an Iterator returned by
>> the DB code and then making this hash table.
>>
>> I propose that we create classes for this such as
>> "TPSTokenRecordList" and then provide convenient methods to return
>> the entries
>> to the caller. We could even just use the Iterator returned before.
>> Then when we pass this stuff to other functions , we pass
>> the convenient class.
>>
>> -This method:
>>
>> + private TPSStatus
>> generateCertsAfterRenewalRecoveryPolicy(EnrolledCertsInfo certsInfo,
>> SecureChannel channel, AppletInfo aInfo)
>> + throws TPSException {
>>
>> Just restating what you said earlier in that this thing is way to
>> complex and confusing to digest. It needs simplification.
>>
>>
>> - This method:
>>
>> protected void revokeCertificates(String cuid) throws
>> TPSException {
>>
>>
>> Here we wait until we are like 70% of the way through the processing
>> to see if we are even configured to revoke certificates.
>> I see that in the beginning we try to cull out already revoked certs,
>> but this could be done in another method or just
>> wait for the next time we actually need to revoke anything.
>>
>>
>>
>>
>> ----- Original Message -----
>> From: "Christina Fu" <cfu at redhat.com>
>> To: pki-devel at redhat.com
>> Sent: Monday, August 18, 2014 6:56:17 PM
>> Subject: [Pki-devel] [PATCH]
>> pki-cfu-0027-ticket-882-tokendb-policy-handling-revocation-and-re.patch
>>
>> This is continuation of token policy work from ticket #882
>>
>> This patch provides
>> 1. the 2nd part (and not last) of the token policy work
>> - determining policies for Enrollment, Re-enrollment, Renewal,
>> Recovery, and Revocation
>> (note: Recovery decision needs more refinement in later patch. The
>> generateCertsAfterRenewalRecoveryPolicy method is currently just a close
>> translation from the original TPS and is extremely complex. It deserves
>> some close inspection and improvement at later time, in next round)
>> 2. revocation for certificates due to token operations
>> (note: administrator initiated will be handled in later patch)
>>
>> thanks,
>> Christina
>>
>> _______________________________________________
>> Pki-devel mailing list
>> Pki-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-devel
>
>
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20140820/3949a66b/attachment.htm>
More information about the Pki-devel
mailing list