From jmagne at redhat.com Thu May 1 03:15:01 2014 From: jmagne at redhat.com (John Magne) Date: Wed, 30 Apr 2014 23:15:01 -0400 (EDT) Subject: [Pki-devel] 0011-Support-for-Applet-Upgrade-and-Format.patch In-Reply-To: <1174494254.10893114.1398887401351.JavaMail.zimbra@redhat.com> References: <1174494254.10893114.1398887401351.JavaMail.zimbra@redhat.com> Message-ID: <1884474920.11081408.1398914101319.JavaMail.zimbra@redhat.com> ACKED online by edewata and cfu. Pushed to master. ----- Original Message ----- > From: "John Magne" > To: "pki-devel" > Sent: Wednesday, April 30, 2014 12:50:01 PM > Subject: 0011-Support-for-Applet-Upgrade-and-Format.patch > > Support for Applet Upgrade and Format. > > Tickets: #875, #895 > > The following changes have been done: > > 1. Applet Upgrade for real token. The applet is written and an instance > of applet created. > 2. 95% of the format operation done. This includes proper status update > progreass bar > for esc and writing the phone home url to the token. Once this operation > is complete, > the token can be entered into esc and esc will be able to phone home and > point to TPS > for further operations such as enrollment and pin reset when they are > implemented. > 3. The phoneHome xml file changed slightly to prevent esc from reading > exttraneous line > feeds when phoning home. > 4. The CS.cfg has been changed to correctly reflect the phone home url we > want to write to > the token. > > The following to be done to fully finish format, later tickets. > > 1.Updating the tokendb with tne newly formatted token. Future ticket. > 2.Revoking tokens current certificates, if any. Future ticket. > 3.Symmetric Key changeover. Future ticket. > From edewata at redhat.com Thu May 1 23:19:14 2014 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 01 May 2014 18:19:14 -0500 Subject: [Pki-devel] [PATCH] 479 Fixed database user verification. In-Reply-To: <53612106.9050209@redhat.com> References: <53612106.9050209@redhat.com> Message-ID: <5362D672.90908@redhat.com> On 4/30/2014 11:12 AM, Endi Sukma Dewata wrote: > Previously the ConfigurationUtils.setupDBUser() was checking > whether the database user already exists by calling findUsers() > which may return multiple results or throw an exception if not > found. The code has been modified to call getUser() which will > return exactly one user or null if not found. > > Ticket #920 New patch attached. Removed redundant try-catch block. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0479-1-Fixed-ConfigurationUtils.setupDBUser.patch Type: text/x-patch Size: 4223 bytes Desc: not available URL: From edewata at redhat.com Thu May 1 23:19:17 2014 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 01 May 2014 18:19:17 -0500 Subject: [Pki-devel] [PATCH] 480 Fixed UGSubsystem.getUser(). In-Reply-To: <5361210A.3050405@redhat.com> References: <5361210A.3050405@redhat.com> Message-ID: <5362D675.6070400@redhat.com> On 4/30/2014 11:12 AM, Endi Sukma Dewata wrote: > Previously the getUser() method in UGSubsystem was using findUsers() > which uses a subtree search to find users. It has been replaced with > a base search which is more accurate since the user DN is known. > > Ticket #920 New patch attached. Removed redundant throw statements. Combined the code that handle the two possible types of input: user ID and user DN. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0480-1-Fixed-UGSubsystem.getUser.patch Type: text/x-patch Size: 4204 bytes Desc: not available URL: From edewata at redhat.com Thu May 1 23:19:22 2014 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 01 May 2014 18:19:22 -0500 Subject: [Pki-devel] [PATCH] 482 Replace filter in UGSubsystem.listGroups(). Message-ID: <5362D67A.5040500@redhat.com> The UGSubsystem.listGroups() has been modified to generate an LDAP filter from a keyword. The filter itself cannot contain wildcards. The wildcard will be added in listGroups(). In the future the filter will be made configurable to allow searching different attributes. Ticket #920 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0482-Replace-filter-in-UGSubsystem.listGroups.patch Type: text/x-patch Size: 6467 bytes Desc: not available URL: From akoneru at redhat.com Mon May 5 10:44:12 2014 From: akoneru at redhat.com (Abhishek Koneru) Date: Mon, 05 May 2014 06:44:12 -0400 Subject: [Pki-devel] [PATCH] Refactored CertRevokeRequest and CertUnrevokeRequest classes in Dogtag 10 Message-ID: <1399286652.3985.3.camel@akoneru.redhat.com> Please review the patch which refactors the CertRevokeRequest class and removes the CertUnrevokeRequest class in Dogtag 10. Description of the patch: There seems to be no use of the requestID parameter in both revoke and unrevoke request. Removed requestID attribute in CertRevokeRequest remove the class CertUnrevokeRequest. Also made changes in RevocationProcesor to use the requestID of the request created in it. The setRequestID() is being called in the DoRevoke and DoUnRevoke servlets. Removed the call and a function auditRequesterId in both the classes. The auditRequestorId method tries to get a "requestID" stored as a INPUT field in the reasonToRequest page. The ReasonToRevoke class which generates this page does not set the value. * This patch is required for patch 92. The unrevoke_request method in CertClient on the python side will not work without this patch. --Abhishek -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-akoneru-0091-Removed-requestID-parameter-usage-in-un-revoke-reque.patch Type: text/x-patch Size: 19395 bytes Desc: not available URL: From akoneru at redhat.com Mon May 5 10:46:39 2014 From: akoneru at redhat.com (Abhishek Koneru) Date: Mon, 05 May 2014 06:46:39 -0400 Subject: [Pki-devel] [PATCH] 92 Implemented the methods for Cert resource in the CertClient on the python side(Dogtag 10) Message-ID: <1399286799.3985.6.camel@akoneru.redhat.com> Please review the attached patch which implements the Cert resource methods in CertClient on the python side. --Abhishek -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-akoneru-0092-Implemented-CertResource-methods-in-CertClient.patch Type: text/x-patch Size: 26357 bytes Desc: not available URL: From akoneru at redhat.com Mon May 5 10:48:14 2014 From: akoneru at redhat.com (Abhishek Koneru) Date: Mon, 05 May 2014 06:48:14 -0400 Subject: [Pki-devel] [PATCH] 91 Refactored CertRevokeRequest and CertUnrevokeRequest classes in Dogtag 10 In-Reply-To: <1399286652.3985.3.camel@akoneru.redhat.com> References: <1399286652.3985.3.camel@akoneru.redhat.com> Message-ID: <1399286894.3985.8.camel@akoneru.redhat.com> Sorry for the spam! Please ignore the previous email. --Abhishek On Mon, 2014-05-05 at 06:44 -0400, Abhishek Koneru wrote: > Please review the patch which refactors the CertRevokeRequest class and > removes the CertUnrevokeRequest class in Dogtag 10. Description of the > patch: > > There seems to be no use of the requestID parameter in both revoke > and unrevoke request. Removed requestID attribute in CertRevokeRequest > remove the class CertUnrevokeRequest. > > Also made changes in RevocationProcesor to use the requestID of the > request created in it. > > The setRequestID() is being called in the DoRevoke and DoUnRevoke > servlets. > Removed the call and a function auditRequesterId in both the classes. > > The auditRequestorId method tries to get a "requestID" stored as a INPUT > field > in the reasonToRequest page. The ReasonToRevoke class which generates > this page does not set the value. > > * This patch is required for patch 92. The unrevoke_request method in > CertClient on the python side will not work without this patch. > > --Abhishek > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-akoneru-0091-Removed-requestID-parameter-usage-in-un-revoke-reque.patch Type: text/x-patch Size: 19395 bytes Desc: not available URL: From alee at redhat.com Mon May 5 14:13:39 2014 From: alee at redhat.com (Ade Lee) Date: Mon, 05 May 2014 10:13:39 -0400 Subject: [Pki-devel] Dogtag 10 Python Profile Client API documentation for review In-Reply-To: <1788300501.6536107.1398834023164.JavaMail.zimbra@redhat.com> References: <1788300501.6536107.1398834023164.JavaMail.zimbra@redhat.com> Message-ID: <1399299219.20073.14.camel@aleeredhat.laptop> Some basic comments to be begin with: 1. You do not include methods and parameters for ProfileOutputa and ProfilePolicySets. 2. In your initial setup code, you put the auth-cert.pem in /tmp. Its better to put that in the user's home directory. Also, you make a connection to the http port. That cannot be correct because all these calls require client auth. 3. In your code example in creating an profile, you use the add_attribute() method to add attributes to an existing inout. It would also be valuable to add methods to add/remove attributes from ProfileInput. so input = ProfileInput("SubjectNameInput", "com.netscape....") input.add_attribute(ProfileAttribute("sn_e")) ... profile.add_input("id1", input) 4. In fact, I think your example is not correct. There is an id -- like "id1" which is associated with the profile, not the specific input. 5. You need to specify which paramters are optional. Those that are optional should be made keyword params with a default. 6. When deleting a profile, the profile must be disabled first. Ade On Wed, 2014-04-30 at 01:00 -0400, Abhishek Koneru wrote: > Please review the documentation for the ProfileClient on the python side. > > Link: http://pki.fedoraproject.org/wiki/Dogtag_10_Python_Profile_Client_API > > --Abhishek > > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel From edewata at redhat.com Mon May 5 17:11:41 2014 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 05 May 2014 12:11:41 -0500 Subject: [Pki-devel] [PATCH] 483 Fixed message format for PKIException. Message-ID: <5367C64D.6040304@redhat.com> Previously PKIException was not displayed properly in browser because it doesn't have a writer for HTML. Now the exception mapper will compute the message format properly, and will default to XML. The exception mapper itself has been moved into a server package due to class dependency. The REST application classes have been updated accordingly. Ticket #554 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0483-Fixed-message-format-for-PKIException.patch Type: text/x-patch Size: 12052 bytes Desc: not available URL: From edewata at redhat.com Mon May 5 17:11:47 2014 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 05 May 2014 12:11:47 -0500 Subject: [Pki-devel] [PATCH] 484 Added filter to GroupMemberProcessor.findGroupMembers(). Message-ID: <5367C653.1050107@redhat.com> The GroupMemberProcessor.findGroupMembers() has been modified to accept an additional parameter to filter the group members to be returned. The CLI has been modified accordingly. Ticket #920 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0484-Added-filter-to-GroupMemberProcessor.findGroupMember.patch Type: text/x-patch Size: 8715 bytes Desc: not available URL: From edewata at redhat.com Mon May 5 19:02:19 2014 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 05 May 2014 14:02:19 -0500 Subject: [Pki-devel] [PATCH] 479 Fixed database user verification. In-Reply-To: <5362D672.90908@redhat.com> References: <53612106.9050209@redhat.com> <5362D672.90908@redhat.com> Message-ID: <5367E03B.6090803@redhat.com> On 5/1/2014 6:19 PM, Endi Sukma Dewata wrote: > On 4/30/2014 11:12 AM, Endi Sukma Dewata wrote: >> Previously the ConfigurationUtils.setupDBUser() was checking >> whether the database user already exists by calling findUsers() >> which may return multiple results or throw an exception if not >> found. The code has been modified to call getUser() which will >> return exactly one user or null if not found. >> >> Ticket #920 > > New patch attached. Removed redundant try-catch block. ACKed by Jack and Ade. Pushed to master. -- Endi S. Dewata From edewata at redhat.com Mon May 5 19:02:34 2014 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 05 May 2014 14:02:34 -0500 Subject: [Pki-devel] [PATCH] 480 Fixed UGSubsystem.getUser(). In-Reply-To: <5362D675.6070400@redhat.com> References: <5361210A.3050405@redhat.com> <5362D675.6070400@redhat.com> Message-ID: <5367E04A.7080703@redhat.com> On 5/1/2014 6:19 PM, Endi Sukma Dewata wrote: > On 4/30/2014 11:12 AM, Endi Sukma Dewata wrote: >> Previously the getUser() method in UGSubsystem was using findUsers() >> which uses a subtree search to find users. It has been replaced with >> a base search which is more accurate since the user DN is known. >> >> Ticket #920 > > New patch attached. Removed redundant throw statements. Combined the > code that handle the two possible types of input: user ID and user DN. ACKed by Jack and Ade. Pushed to master. -- Endi S. Dewata From edewata at redhat.com Mon May 5 19:02:57 2014 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 05 May 2014 14:02:57 -0500 Subject: [Pki-devel] [PATCH] 481 Replaced filter in UGSubsystem.findUsers(). In-Reply-To: <53612110.5000908@redhat.com> References: <53612110.5000908@redhat.com> Message-ID: <5367E061.5020809@redhat.com> On 4/30/2014 11:13 AM, Endi Sukma Dewata wrote: > The findUsers() method in UGSubsystem has been modified to search > additional attributes in the user database. This method is only > used by the UserService, so the impact is limited to user-find > CLI command in all subsystems. > > Ticket #920 ACKed by Jack and Ade. Pushed to master. -- Endi S. Dewata From edewata at redhat.com Mon May 5 20:18:59 2014 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 05 May 2014 15:18:59 -0500 Subject: [Pki-devel] [PATCH] 485 Added filter to UserService.findUserMemberships(). Message-ID: <5367F233.7060006@redhat.com> The UserService.findUserMemberships() has been modified to accept an additional parameter to filter the groups in which the user is a member. The CLI has been updated accordingly. Ticket #920 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0485-Added-filter-to-UserService.findUserMemberships.patch Type: text/x-patch Size: 9976 bytes Desc: not available URL: From edewata at redhat.com Mon May 5 21:40:34 2014 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 05 May 2014 16:40:34 -0500 Subject: [Pki-devel] [PATCH] 486 Fixed new group page in TPS UI. Message-ID: <53680552.5040100@redhat.com> Previously the TPS UI generates an error when adding a new group because it's trying to fetch the members of the new group which has not been added yet. The code has been changed to detect this particular case and avoid fetching the data. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0486-Fixed-new-group-page-in-TPS-UI.patch Type: text/x-patch Size: 2617 bytes Desc: not available URL: From ftweedal at redhat.com Tue May 6 00:37:02 2014 From: ftweedal at redhat.com (Fraser Tweedale) Date: Tue, 6 May 2014 10:37:02 +1000 Subject: [Pki-devel] Dogtag 10 Python Profile Client API documentation for review In-Reply-To: <1399299219.20073.14.camel@aleeredhat.laptop> References: <1788300501.6536107.1398834023164.JavaMail.zimbra@redhat.com> <1399299219.20073.14.camel@aleeredhat.laptop> Message-ID: <20140506003702.GA24202@dhcp-40-8.bne.redhat.com> On Mon, May 05, 2014 at 10:13:39AM -0400, Ade Lee wrote: > Some basic comments to be begin with: > > 1. You do not include methods and parameters for ProfileOutputa and > ProfilePolicySets. > > 2. In your initial setup code, you put the auth-cert.pem in /tmp. Its > better to put that in the user's home directory. Also, you make a > connection to the http port. That cannot be correct because all these > calls require client auth. > > 3. In your code example in creating an profile, you use the > add_attribute() method to add attributes to an existing inout. It would > also be valuable to add methods to add/remove attributes from > ProfileInput. > > so input = ProfileInput("SubjectNameInput", "com.netscape....") > input.add_attribute(ProfileAttribute("sn_e")) > ... > profile.add_input("id1", input) > > 4. In fact, I think your example is not correct. There is an id -- > like "id1" which is associated with the profile, not the specific input. > > 5. You need to specify which paramters are optional. Those that are > optional should be made keyword params with a default. > > 6. When deleting a profile, the profile must be disabled first. > > Ade > On Wed, 2014-04-30 at 01:00 -0400, Abhishek Koneru wrote: > > Please review the documentation for the ProfileClient on the python side. > > > > Link: http://pki.fedoraproject.org/wiki/Dogtag_10_Python_Profile_Client_API > > > > --Abhishek > > Is someone (Abhishek?) already assigned to implement this API once the design is finalised? If not, I'll take it, as I think I'm going to need it for profiles in FreeIPA. Fraser > > _______________________________________________ > > Pki-devel mailing list > > Pki-devel at redhat.com > > https://www.redhat.com/mailman/listinfo/pki-devel > > > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel From edewata at redhat.com Tue May 6 04:14:43 2014 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 05 May 2014 23:14:43 -0500 Subject: [Pki-devel] [PATCH] 487-491 Renamed TPS connection to TPS connector Message-ID: <536861B3.2030407@redhat.com> These patches rename TPS connection into TPS connector in various places. Ticket #977 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0487-Renamed-TPS-connection-to-TPS-connector-part-1.patch Type: text/x-patch Size: 19770 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0488-Renamed-TPS-connection-to-TPS-connector-part-2.patch Type: text/x-patch Size: 10151 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0489-Renamed-TPS-connection-to-TPS-connector-part-3.patch Type: text/x-patch Size: 33995 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0490-Renamed-TPS-connection-to-TPS-connector-part-4.patch Type: text/x-patch Size: 25614 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0491-Renamed-TPS-connection-to-TPS-connector-part-5.patch Type: text/x-patch Size: 20778 bytes Desc: not available URL: From akoneru at redhat.com Tue May 6 14:35:32 2014 From: akoneru at redhat.com (Abhishek Koneru) Date: Tue, 06 May 2014 10:35:32 -0400 Subject: [Pki-devel] Dogtag 10 Python Profile Client API documentation for review In-Reply-To: <20140506003702.GA24202@dhcp-40-8.bne.redhat.com> References: <1788300501.6536107.1398834023164.JavaMail.zimbra@redhat.com> <1399299219.20073.14.camel@aleeredhat.laptop> <20140506003702.GA24202@dhcp-40-8.bne.redhat.com> Message-ID: <1399386932.2819.9.camel@akoneru.redhat.com> On Tue, 2014-05-06 at 10:37 +1000, Fraser Tweedale wrote: > On Mon, May 05, 2014 at 10:13:39AM -0400, Ade Lee wrote: > > Some basic comments to be begin with: > > > > 1. You do not include methods and parameters for ProfileOutputa and > > ProfilePolicySets. > > > > 2. In your initial setup code, you put the auth-cert.pem in /tmp. Its > > better to put that in the user's home directory. Also, you make a > > connection to the http port. That cannot be correct because all these > > calls require client auth. > > > > 3. In your code example in creating an profile, you use the > > add_attribute() method to add attributes to an existing inout. It would > > also be valuable to add methods to add/remove attributes from > > ProfileInput. > > > > so input = ProfileInput("SubjectNameInput", "com.netscape....") > > input.add_attribute(ProfileAttribute("sn_e")) > > ... > > profile.add_input("id1", input) > > > > 4. In fact, I think your example is not correct. There is an id -- > > like "id1" which is associated with the profile, not the specific input. > > > > 5. You need to specify which paramters are optional. Those that are > > optional should be made keyword params with a default. > > > > 6. When deleting a profile, the profile must be disabled first. > > > > Ade > > On Wed, 2014-04-30 at 01:00 -0400, Abhishek Koneru wrote: > > > Please review the documentation for the ProfileClient on the python side. > > > > > > Link: http://pki.fedoraproject.org/wiki/Dogtag_10_Python_Profile_Client_API > > > > > > --Abhishek > > > > > Is someone (Abhishek?) already assigned to implement this API once > the design is finalised? If not, I'll take it, as I think I'm going > to need it for profiles in FreeIPA. > > Fraser Yes, Fraser. Once the design is done, i can start implementing it. The design is based on the implementation on the Java side. Btw, are you OK with the methods defined in the design? Do you have any other methods in mind, that you may need for IPA and should be part of ProfileClient? --Abhishek > > > > _______________________________________________ > > > Pki-devel mailing list > > > Pki-devel at redhat.com > > > https://www.redhat.com/mailman/listinfo/pki-devel > > > > > > _______________________________________________ > > Pki-devel mailing list > > Pki-devel at redhat.com > > https://www.redhat.com/mailman/listinfo/pki-devel > > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel From edewata at redhat.com Tue May 6 22:28:47 2014 From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 06 May 2014 17:28:47 -0500 Subject: [Pki-devel] [PATCH] 492-495 Replaced RCUE with PatternFly Message-ID: <5369621F.6010109@redhat.com> These patches replaced RCUE with PatternFly and made the necessary adjustments. Ticket #958 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0492-Replaced-RCUE-with-PatternFly-part-1.patch Type: text/x-patch Size: 8152 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0493-Replaced-RCUE-with-PatternFly-part-2.patch Type: text/x-patch Size: 231066 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0494-Replaced-RCUE-with-PatternFly-part-3.patch Type: text/x-patch Size: 34219 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0495-Replaced-RCUE-with-PatternFly-part-4.patch Type: text/x-patch Size: 210070 bytes Desc: not available URL: From edewata at redhat.com Wed May 7 17:14:52 2014 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 07 May 2014 12:14:52 -0500 Subject: [Pki-devel] [PATCH] 496 Converted TPS profile doc into man page. Message-ID: <536A6A0C.1060704@redhat.com> The profile doc in TPS configuration file has been converted into a man page pki-tps-profile. Ticket #950 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0496-Converted-TPS-profile-doc-into-man-page.patch Type: text/x-patch Size: 16097 bytes Desc: not available URL: From edewata at redhat.com Wed May 7 17:49:36 2014 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 07 May 2014 12:49:36 -0500 Subject: [Pki-devel] [PATCH] 496 Converted TPS profile doc into man page. In-Reply-To: <536A6A0C.1060704@redhat.com> References: <536A6A0C.1060704@redhat.com> Message-ID: <536A7230.6040008@redhat.com> On 5/7/2014 12:14 PM, Endi Sukma Dewata wrote: > The profile doc in TPS configuration file has been converted into > a man page pki-tps-profile. > > Ticket #950 New patch attached. Fixed spec file. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0496-1-Converted-TPS-profile-doc-into-man-page.patch Type: text/x-patch Size: 16557 bytes Desc: not available URL: From edewata at redhat.com Wed May 7 20:12:18 2014 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 07 May 2014 15:12:18 -0500 Subject: [Pki-devel] [PATCH] 497 Fixed problem adding enabled TPS profile. Message-ID: <536A93A2.8020306@redhat.com> The profile, profile mapping, connector, and authenticator services in TPS have been modified to allow adding enabled entries directly if the user has the proper rights. The authenticator database has been moved into the config package for consistency. Ticket #948 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0497-Fixed-problem-adding-enabled-TPS-profile.patch Type: text/x-patch Size: 15595 bytes Desc: not available URL: From edewata at redhat.com Wed May 7 20:28:15 2014 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 07 May 2014 15:28:15 -0500 Subject: [Pki-devel] [PATCH] 498 Fixed missing links in TPS UI. Message-ID: <536A975F.8000701@redhat.com> New links to profiles and profile mappings have been added to TPS UI home page. Pushed to master under one-liner/trivial rule. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0498-Fixed-missing-links-in-TPS-UI.patch Type: text/x-patch Size: 1123 bytes Desc: not available URL: From edewata at redhat.com Wed May 7 23:34:09 2014 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 07 May 2014 18:34:09 -0500 Subject: [Pki-devel] [PATCH] 499 Added logout support for IE. Message-ID: <536AC2F1.6040606@redhat.com> The TPS UI logout functionality has been modified to clear the authentication credential cache on IE. Ticket #903 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0499-Added-logout-support-for-IE.patch Type: text/x-patch Size: 3345 bytes Desc: not available URL: From edewata at redhat.com Wed May 7 23:38:24 2014 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 07 May 2014 18:38:24 -0500 Subject: [Pki-devel] [PATCH] 483 Fixed message format for PKIException. In-Reply-To: <5367C64D.6040304@redhat.com> References: <5367C64D.6040304@redhat.com> Message-ID: <536AC3F0.6020000@redhat.com> On 5/5/2014 12:11 PM, Endi Sukma Dewata wrote: > Previously PKIException was not displayed properly in browser > because it doesn't have a writer for HTML. Now the exception mapper > will compute the message format properly, and will default to XML. > The exception mapper itself has been moved into a server package > due to class dependency. The REST application classes have been > updated accordingly. > > Ticket #554 ACKed by Ade. Pushed to master. -- Endi S. Dewata From edewata at redhat.com Thu May 8 00:45:15 2014 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 07 May 2014 19:45:15 -0500 Subject: [Pki-devel] [PATCH] 492-495 Replaced RCUE with PatternFly In-Reply-To: <5369621F.6010109@redhat.com> References: <5369621F.6010109@redhat.com> Message-ID: <536AD39B.5040705@redhat.com> On 5/6/2014 5:28 PM, Endi Sukma Dewata wrote: > These patches replaced RCUE with PatternFly and made the necessary > adjustments. > > Ticket #958 New patch #493 attached. Fixed paths to the font files. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0493-1-Replaced-RCUE-with-PatternFly-part-2.patch Type: text/x-patch Size: 230786 bytes Desc: not available URL: From akoneru at redhat.com Thu May 8 14:10:34 2014 From: akoneru at redhat.com (Abhishek Koneru) Date: Thu, 08 May 2014 10:10:34 -0400 Subject: [Pki-devel] [PATCH] 92-2 Fixes for comments on PATCH 92- Implemented the methods for Cert resource in the CertClient on the python side(Dogtag 10) In-Reply-To: <1399286799.3985.6.camel@akoneru.redhat.com> References: <1399286799.3985.6.camel@akoneru.redhat.com> Message-ID: <1399558234.4563.7.camel@akoneru.redhat.com> Please review the attached patch with fixes for Ade's comments on IRC. - Fix all the errors/warnings and some typos shown by PyCharm. - Add Link class which stores information of the Link object. - Add an internal method _submit_revoke_request and for the common code in revoke_cert and revoke_ca_cert. - Mention the need of agent authentication for the methods where it is required. - Default revocation_reason should be REASON_UNSPECIFIED - Add the decorator pki.handle_exceptions() to handle the PKIExceptions sent by the server. --Abhishek On Mon, 2014-05-05 at 06:46 -0400, Abhishek Koneru wrote: > Please review the attached patch which implements the Cert resource > methods in CertClient on the python side. > > --Abhishek > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-akoneru-92-2-Implemented-CertResource-methods-in-CertClient-on-th.patch Type: text/x-patch Size: 29522 bytes Desc: not available URL: From edewata at redhat.com Fri May 9 03:19:27 2014 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 08 May 2014 22:19:27 -0500 Subject: [Pki-devel] [PATCH] 482 Replace filter in UGSubsystem.listGroups(). In-Reply-To: <5362D67A.5040500@redhat.com> References: <5362D67A.5040500@redhat.com> Message-ID: <536C493F.4050208@redhat.com> On 5/1/2014 6:19 PM, Endi Sukma Dewata wrote: > The UGSubsystem.listGroups() has been modified to generate an > LDAP filter from a keyword. The filter itself cannot contain > wildcards. The wildcard will be added in listGroups(). In the > future the filter will be made configurable to allow searching > different attributes. > > Ticket #920 ACKed by Jack. Pushed to master. -- Endi S. Dewata From edewata at redhat.com Fri May 9 03:19:51 2014 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 08 May 2014 22:19:51 -0500 Subject: [Pki-devel] [PATCH] 484 Added filter to GroupMemberProcessor.findGroupMembers(). In-Reply-To: <5367C653.1050107@redhat.com> References: <5367C653.1050107@redhat.com> Message-ID: <536C4957.1060606@redhat.com> On 5/5/2014 12:11 PM, Endi Sukma Dewata wrote: > The GroupMemberProcessor.findGroupMembers() has been modified to > accept an additional parameter to filter the group members to be > returned. The CLI has been modified accordingly. > > Ticket #920 ACKed by Jack. Pushed to master. -- Endi S. Dewata From edewata at redhat.com Fri May 9 03:20:27 2014 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 08 May 2014 22:20:27 -0500 Subject: [Pki-devel] [PATCH] 486 Fixed new group page in TPS UI. In-Reply-To: <53680552.5040100@redhat.com> References: <53680552.5040100@redhat.com> Message-ID: <536C497B.20908@redhat.com> On 5/5/2014 4:40 PM, Endi Sukma Dewata wrote: > Previously the TPS UI generates an error when adding a new group > because it's trying to fetch the members of the new group which > has not been added yet. The code has been changed to detect this > particular case and avoid fetching the data. ACKed by Jack. Pushed to master. -- Endi S. Dewata From edewata at redhat.com Fri May 9 03:21:01 2014 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 08 May 2014 22:21:01 -0500 Subject: [Pki-devel] [PATCH] 487-491 Renamed TPS connection to TPS connector In-Reply-To: <536861B3.2030407@redhat.com> References: <536861B3.2030407@redhat.com> Message-ID: <536C499D.8070302@redhat.com> On 5/5/2014 11:14 PM, Endi Sukma Dewata wrote: > These patches rename TPS connection into TPS connector in various places. > > Ticket #977 ACKed by Jack. Pushed to master. -- Endi S. Dewata From cfu at redhat.com Fri May 9 03:52:46 2014 From: cfu at redhat.com (Christina Fu) Date: Thu, 08 May 2014 20:52:46 -0700 Subject: [Pki-devel] [PATCH] 0005 TPS User Authenticator Framework Message-ID: <536C510E.9050100@redhat.com> This patch implements ticket https://fedorahosted.org/pki/ticket/879 TPS Rewrite: Implement User Authentication This patch provides the framework that allows people to 1. write their own authentication plugins using the authentication plugin framework 2. map the authenticaiton credential from client side (e.g. ESC or alike) in both display language characters and numbers of credential parameters to the specified authentication plugin required parameters. I will create a separate ticket to provide plugin instruction much like http://pki.fedoraproject.org/wiki/PKI_Authentication_Plug-ins to RHCS Please review. Thanks! Christina -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-cfu-0005-TPS-User-Authenticator-Framework-https-fedorahosted..patch Type: text/x-patch Size: 45868 bytes Desc: not available URL: From edewata at redhat.com Fri May 9 03:20:08 2014 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 08 May 2014 22:20:08 -0500 Subject: [Pki-devel] [PATCH] 485 Added filter to UserService.findUserMemberships(). In-Reply-To: <5367F233.7060006@redhat.com> References: <5367F233.7060006@redhat.com> Message-ID: <536C4968.1020701@redhat.com> On 5/5/2014 3:18 PM, Endi Sukma Dewata wrote: > The UserService.findUserMemberships() has been modified to accept > an additional parameter to filter the groups in which the user > is a member. The CLI has been updated accordingly. > > Ticket #920 ACKed by Jack. Pushed to master. -- Endi S. Dewata From alee at redhat.com Fri May 9 13:41:21 2014 From: alee at redhat.com (Ade Lee) Date: Fri, 09 May 2014 09:41:21 -0400 Subject: [Pki-devel] [PATCH] 170-172 formatting and improvements to security domain python api Message-ID: <1399642881.4804.6.camel@aleeredhat.laptop> Added security domain functionality to python API Currently the security domain python API just extracts the security domain name from the json returned by the server. This patch allows it to extract and use all the information in the response. This info is needed to determine the state of the security domain for the IPA vault case. Also I started using pycharm (and its awesome - I think we all should use it for python work) and it identified a bunch of formatting etc. issues. Those are fixed for system.py and key.py. Please review, Ade -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-vakwetu-0172-Added-security-domain-functionality-to-python-API.patch Type: text/x-patch Size: 3245 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-vakwetu-0171-fix-issues-identified-by-pycharm-for-system.py.patch Type: text/x-patch Size: 5194 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-vakwetu-0170-Fix-formatting-issues-identified-by-pycharm-in-key.p.patch Type: text/x-patch Size: 33277 bytes Desc: not available URL: From akoneru at redhat.com Fri May 9 16:04:27 2014 From: akoneru at redhat.com (Abhishek Koneru) Date: Fri, 09 May 2014 12:04:27 -0400 Subject: [Pki-devel] [PATCH] 170-172 formatting and improvements to security domain python api In-Reply-To: <1399642881.4804.6.camel@aleeredhat.laptop> References: <1399642881.4804.6.camel@aleeredhat.laptop> Message-ID: <1399651467.6329.16.camel@akoneru.redhat.com> Few comments: 170: -- Variable Names - replace camelCase with _separated_words (All weak warnings reported by PyCharm) Since the objects of KeyData, KeyInfo, KeyRequestInfo, KeyRequestResponse have only client side use, we can set the attribute names as _separated_words in the from_json method of these classes. -- Replacing the get methods in KeyInfo and KeyRequestInfo to property type @property def request_id(self): if self.requestURL is not None: indx = str(self.requestURL).rfind("/") + 1 return str(self.requestURL)[indx:] return None 171 - -- class ConfigurationRequest. we can use setattr(), so that PyCharm does not throw the weak errors.(Optional. It is your call. I think this is an internal class.) Other than that. ACK from me for all three patches. --Abhishek On Fri, 2014-05-09 at 09:41 -0400, Ade Lee wrote: > Added security domain functionality to python API > > Currently the security domain python API just extracts the security > domain name from the json returned by the server. This patch allows > it to extract and use all the information in the response. > > This info is needed to determine the state of the security domain for > the IPA vault case. > > Also I started using pycharm (and its awesome - I think we all should use it for python work) > and it identified a bunch of formatting etc. issues. Those are fixed for system.py and key.py. > > Please review, > Ade > > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel From edewata at redhat.com Fri May 9 20:42:05 2014 From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 09 May 2014 15:42:05 -0500 Subject: [Pki-devel] [PATCH] 500 Renamed TPS groups. Message-ID: <536D3D9D.4020401@redhat.com> The TPS groups have been renamed for clarity and consistency: - TUS Administrators -> Administrators - TUS Agents -> TPS Agents - TUS Officers -> TPS Officers - TUS Operators -> TPS Operators Ticket #963 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0500-Renamed-TPS-groups.patch Type: text/x-patch Size: 8268 bytes Desc: not available URL: From edewata at redhat.com Fri May 9 20:42:17 2014 From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 09 May 2014 15:42:17 -0500 Subject: [Pki-devel] [PATCH] 501 Fixed internal errors in RenewalProcessor. Message-ID: <536D3DA9.7060901@redhat.com> The RenewalProcessor was throwing NumberFormatException if the renewal request contains an empty serial number. The code has been modified to check for null and empty string. If the serial number is unavailable, the code will try to get the serial number from the client certificate. If that is unavailable either, the code has been fixed to return a proper message. Ticket #999 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0501-Fixed-internal-errors-in-RenewalProcessor.patch Type: text/x-patch Size: 4299 bytes Desc: not available URL: From edewata at redhat.com Fri May 9 21:32:10 2014 From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 09 May 2014 16:32:10 -0500 Subject: [Pki-devel] [PATCH] 170-172 formatting and improvements to security domain python api In-Reply-To: <1399651467.6329.16.camel@akoneru.redhat.com> References: <1399642881.4804.6.camel@aleeredhat.laptop> <1399651467.6329.16.camel@akoneru.redhat.com> Message-ID: <536D495A.3000508@redhat.com> On 5/9/2014 11:04 AM, Abhishek Koneru wrote: > 170: > -- Replacing the get methods in KeyInfo and KeyRequestInfo to property > type > > @property > def request_id(self): > if self.requestURL is not None: > indx = str(self.requestURL).rfind("/") + 1 > return str(self.requestURL)[indx:] > return None This looks like something that can be done to most/all get_* methods. Probably separate patch? > Other than that. ACK from me for all three patches. > > --Abhishek In patch #172, in the Python API the SecurityDomainInfo uses a dict called 'systems' to map the subsystem name to the list of SecurityDomainHosts. In the Java API the DomainInfo it uses a map is called 'subsystems' to map the subsystem name to SecurityDomainSubsystem which contains another map of hosts. So the map name & the structure are different. Is this intentional? Do we need to change the Java API to match the Python API? -- Endi S. Dewata From akoneru at redhat.com Fri May 9 22:21:56 2014 From: akoneru at redhat.com (Abhishek Koneru) Date: Fri, 09 May 2014 18:21:56 -0400 Subject: [Pki-devel] Dogtag 10 Python Profile Client API documentation for review In-Reply-To: <1399299219.20073.14.camel@aleeredhat.laptop> References: <1788300501.6536107.1398834023164.JavaMail.zimbra@redhat.com> <1399299219.20073.14.camel@aleeredhat.laptop> Message-ID: <1399674116.2881.5.camel@akoneru.redhat.com> Please review the document as i addressed the below comments. Python profile client API - http://pki.fedoraproject.org/wiki/Dogtag_10_Python_Profile_Client_API. --Abhishek On Mon, 2014-05-05 at 10:13 -0400, Ade Lee wrote: > Some basic comments to be begin with: > > 1. You do not include methods and parameters for ProfileOutputa and > ProfilePolicySets. Included the classes. > > 2. In your initial setup code, you put the auth-cert.pem in /tmp. Its > better to put that in the user's home directory. Also, you make a > connection to the http port. That cannot be correct because all these > calls require client auth. > Changed the connections details to use https. > 3. In your code example in creating an profile, you use the > add_attribute() method to add attributes to an existing inout. It would > also be valuable to add methods to add/remove attributes from > ProfileInput. > > so input = ProfileInput("SubjectNameInput", "com.netscape....") > input.add_attribute(ProfileAttribute("sn_e")) > ... > profile.add_input("id1", input) > Added methods to ProfileInput and ProfileOutput as well. > 4. In fact, I think your example is not correct. There is an id -- > like "id1" which is associated with the profile, not the specific input. > As discussed with Ade on IRC, the example is correct. The id is associated with the input for a specific profile. > 5. You need to specify which paramters are optional. Those that are > optional should be made keyword params with a default. Checked all ProfileClient methods for the same. > 6. When deleting a profile, the profile must be disabled first. > Added a call to disable_profile. > Ade From edewata at redhat.com Mon May 12 13:08:11 2014 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 12 May 2014 08:08:11 -0500 Subject: [Pki-devel] [PATCH] 502 Added minimum search keyword length requirement. Message-ID: <5370C7BB.7090901@redhat.com> Some REST services that accept search keywords have been modified to require a minimum length of 3 characters. The DEFAULT_SIZE constant has been moved into the base PKIService class to reduce multiple declarations. Ticket #920 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0502-Added-minimum-search-keyword-length-requirement.patch Type: text/x-patch Size: 22303 bytes Desc: not available URL: From edewata at redhat.com Mon May 12 18:20:20 2014 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 12 May 2014 13:20:20 -0500 Subject: [Pki-devel] [PATCH] 0005 TPS User Authenticator Framework In-Reply-To: <536C510E.9050100@redhat.com> References: <536C510E.9050100@redhat.com> Message-ID: <537110E4.9030507@redhat.com> On 5/8/2014 10:52 PM, Christina Fu wrote: > This patch implements ticket https://fedorahosted.org/pki/ticket/879 TPS > Rewrite: Implement User Authentication > > This patch provides the framework that allows people to > 1. write their own authentication plugins using the authentication > plugin framework > 2. map the authenticaiton credential from client side (e.g. ESC or > alike) > in both display language characters and numbers of credential > parameters > to the specified authentication plugin required parameters. > > I will create a separate ticket to provide plugin instruction much like > http://pki.fedoraproject.org/wiki/PKI_Authentication_Plug-ins to RHCS > > Please review. > Thanks! > Christina Some comments: 1. As discussed over IRC, there are legacy properties that should be updated so that the UI can manage the authenticator configuration. target.Authentication_Sources.displayname=Authentication Source target.Authentication_Sources.list=0,1 target.Authentication_Sources.pattern=auth\.instance\.$name\..* 2. Also discussed over IRC, in AuthenticationManager initAuthInstances() the code ignores createAuthentication() failures and continues with the loop. I'd suggest we don't catch the exception so the problem can be detected early. 3. In general we should avoid using Hashtable because it's synchronized (i.e. slower). Unless synchronization is required, a HashMap or LinkedHashMap would be a better alternative. See: http://stackoverflow.com/questions/40471/differences-between-hashmap-and-hashtable 4. Checking both for null and empty string can be simplified with StringUtils.isEmpty(): http://commons.apache.org/proper/commons-lang/javadocs/api-2.6/org/apache/commons/lang/StringUtils.html#isEmpty(java.lang.String) if (title == null || title.equals("")) { if (description == null || description.equals("")) { if (name == null || name.equals("")) { if (desc == null || desc.equals("")) { if (prefix == null || prefix.equals("") || tokenType == null || tokenType.equals("")) { if (op == null || op.equals("") || userAuth == null || userCred == null) { if (op == null || op.equals("") || cuid == null || cuid.equals("") || auth == null || extensions == null) { if (title==null || title.equals("")) if (description==null || description.equals("")) if (parameters == null || title == null || title.equals("") || description == null || description.equals("") || auth == null) 5. In TPSProcessor.authenticateUser() if aToken is null it will throw an exception, then the exception will be caught and thrown again. try { IAuthToken aToken = auth.authenticate(...); if (aToken != null) ... else { throw new TPSException(...); } } catch (Exception e) { throw new TPSException(...); } To avoid this problem the code can be changed to only catch EBaseException. Everything else is good. ACK. -- Endi S. Dewata From edewata at redhat.com Mon May 12 19:23:33 2014 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 12 May 2014 14:23:33 -0500 Subject: [Pki-devel] [PATCH] 500 Renamed TPS groups. In-Reply-To: <536D3D9D.4020401@redhat.com> References: <536D3D9D.4020401@redhat.com> Message-ID: <53711FB5.2030306@redhat.com> On 5/9/2014 3:42 PM, Endi Sukma Dewata wrote: > The TPS groups have been renamed for clarity and consistency: > - TUS Administrators -> Administrators > - TUS Agents -> TPS Agents > - TUS Officers -> TPS Officers > - TUS Operators -> TPS Operators > > Ticket #963 ACKed by Christina. Pushed to master. -- Endi S. Dewata From edewata at redhat.com Mon May 12 19:23:50 2014 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 12 May 2014 14:23:50 -0500 Subject: [Pki-devel] [PATCH] 502 Added minimum search keyword length requirement. In-Reply-To: <5370C7BB.7090901@redhat.com> References: <5370C7BB.7090901@redhat.com> Message-ID: <53711FC6.5040100@redhat.com> On 5/12/2014 8:08 AM, Endi Sukma Dewata wrote: > Some REST services that accept search keywords have been modified to > require a minimum length of 3 characters. > > The DEFAULT_SIZE constant has been moved into the base PKIService > class to reduce multiple declarations. > > Ticket #920 ACKed by Abhishek. Pushed to master. -- Endi S. Dewata From edewata at redhat.com Mon May 12 22:38:40 2014 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 12 May 2014 17:38:40 -0500 Subject: [Pki-devel] [PATCH] 492-495 Replaced RCUE with PatternFly In-Reply-To: <536AD39B.5040705@redhat.com> References: <5369621F.6010109@redhat.com> <536AD39B.5040705@redhat.com> Message-ID: <53714D70.50509@redhat.com> On 5/7/2014 7:45 PM, Endi Sukma Dewata wrote: > On 5/6/2014 5:28 PM, Endi Sukma Dewata wrote: >> These patches replaced RCUE with PatternFly and made the necessary >> adjustments. >> >> Ticket #958 > > New patch #493 attached. Fixed paths to the font files. ACKed by Jack. Pushed to master. -- Endi S. Dewata From edewata at redhat.com Mon May 12 23:11:23 2014 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 12 May 2014 18:11:23 -0500 Subject: [Pki-devel] [PATCH] 499 Added logout support for IE. In-Reply-To: <536AC2F1.6040606@redhat.com> References: <536AC2F1.6040606@redhat.com> Message-ID: <5371551B.8060208@redhat.com> On 5/7/2014 6:34 PM, Endi Sukma Dewata wrote: > The TPS UI logout functionality has been modified to clear the > authentication credential cache on IE. > > Ticket #903 Revised to work with IE 11. ACKed by Jack. Pushed to master. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0499-1-Added-logout-support-for-IE.patch Type: text/x-patch Size: 3309 bytes Desc: not available URL: From cfu at redhat.com Tue May 13 16:44:32 2014 From: cfu at redhat.com (Christina Fu) Date: Tue, 13 May 2014 09:44:32 -0700 Subject: [Pki-devel] [PATCH] 0005 TPS User Authenticator Framework In-Reply-To: <537110E4.9030507@redhat.com> References: <536C510E.9050100@redhat.com> <537110E4.9030507@redhat.com> Message-ID: <53724BF0.9040407@redhat.com> Thanks to Endi and Jack for your review comments and ACK. All comments addressed and checked in: commit 7c1fc987bdd28b70eee1a5a0bf18c252bb31fa3f Ticket #879 has now been completed and closed. Christina On 05/12/2014 11:20 AM, Endi Sukma Dewata wrote: > On 5/8/2014 10:52 PM, Christina Fu wrote: >> This patch implements ticket https://fedorahosted.org/pki/ticket/879 TPS >> Rewrite: Implement User Authentication >> >> This patch provides the framework that allows people to >> 1. write their own authentication plugins using the authentication >> plugin framework >> 2. map the authenticaiton credential from client side (e.g. ESC or >> alike) >> in both display language characters and numbers of credential >> parameters >> to the specified authentication plugin required parameters. >> >> I will create a separate ticket to provide plugin instruction much like >> http://pki.fedoraproject.org/wiki/PKI_Authentication_Plug-ins to RHCS >> >> Please review. >> Thanks! >> Christina > > Some comments: > > 1. As discussed over IRC, there are legacy properties that should be > updated so that the UI can manage the authenticator configuration. > > target.Authentication_Sources.displayname=Authentication Source > target.Authentication_Sources.list=0,1 > target.Authentication_Sources.pattern=auth\.instance\.$name\..* > > 2. Also discussed over IRC, in AuthenticationManager > initAuthInstances() the code ignores createAuthentication() failures > and continues with the loop. I'd suggest we don't catch the exception > so the problem can be detected early. > > 3. In general we should avoid using Hashtable because it's > synchronized (i.e. slower). Unless synchronization is required, a > HashMap or LinkedHashMap would be a better alternative. See: > http://stackoverflow.com/questions/40471/differences-between-hashmap-and-hashtable > > > 4. Checking both for null and empty string can be simplified with > StringUtils.isEmpty(): > http://commons.apache.org/proper/commons-lang/javadocs/api-2.6/org/apache/commons/lang/StringUtils.html#isEmpty(java.lang.String) > > > if (title == null || title.equals("")) { > if (description == null || description.equals("")) { > if (name == null || name.equals("")) { > if (desc == null || desc.equals("")) { > if (prefix == null || prefix.equals("") > || tokenType == null || tokenType.equals("")) { > if (op == null || op.equals("") > || userAuth == null || userCred == null) { > if (op == null || op.equals("") || > cuid == null || cuid.equals("") || auth == null || extensions == > null) { > if (title==null || title.equals("")) > if (description==null || description.equals("")) > if (parameters == null || title == null || title.equals("") || > description == null || description.equals("") || auth == null) > > 5. In TPSProcessor.authenticateUser() if aToken is null it will throw > an exception, then the exception will be caught and thrown again. > > try { > IAuthToken aToken = auth.authenticate(...); > if (aToken != null) > ... > else { > throw new TPSException(...); > } > } catch (Exception e) { > throw new TPSException(...); > } > > To avoid this problem the code can be changed to only catch > EBaseException. > > Everything else is good. ACK. > From cfu at redhat.com Tue May 13 18:02:29 2014 From: cfu at redhat.com (Christina Fu) Date: Tue, 13 May 2014 11:02:29 -0700 Subject: [Pki-devel] [PATCH] 496 Converted TPS profile doc into man page. In-Reply-To: <536A7230.6040008@redhat.com> References: <536A6A0C.1060704@redhat.com> <536A7230.6040008@redhat.com> Message-ID: <53725E35.6090806@redhat.com> Just a few comments: 1. How about change ""userKey" to "", and "signing" to "? +The following property specifies the CUID shown in the certificate. + +.B op.enroll.userKey.keyGen.signing.cuid_label + +The following property specifies the token name. +All resulting labels for co-existing keys on the same token must be unique. + +.B op.enroll.userKey.keyGen.signing.label 2. How about replace all reference of "RA" (an outdated name for "TPS") with "TPS"? 3. We added support for ECC, so a couple params added to the mix (I have my understanding of what they are, but it's best to ask Jack to provide official info on those two) : +The following properties specify the key usage and which PIN user should be granted. + +.nf *+.B op.enroll..keyGen..alg=1** **+.B op.enroll..keyGen..keySize=1024* +.B op.enroll..keyGen..keyUsage=0 +.B op.enroll..keyGen..keyUser=0 +.fi 3. Same comment from 1 for the following: +There is a special case of tokenType userKeyTemporary. +Make sure the profile specified by the profileId to have +short validity period (e.g. 7 days) for the certificate. + +.nf +.B op.enroll.userKey.keyGen.signing.publisherId=fileBasedPublisher +.B op.enroll.userKeyTemporary.keyGen.signing.publisherId=fileBasedPublisher +.f 4. You asked me about the following, I think I just realized what it was now. Its for things like op.enroll.userKey.keyGen.signing.recovery.destroyed.scheme=GenerateNewKey so, a generic thing is: op.enroll..keyGen..recovery..scheme=GenerateNewKey +The three recovery schemes supported are: + \fBGenerateNewKey\fR - Generate a new cert for the encryption cert. + \fBRecoverLast\fR - Recover the most recent cert for the encryption cert. + \fBGenerateNewKeyandRecoverLast\fR - Generate new cert AND recover last for encryption cert. 5. for the following you might want to add a generic thing as well: e.g. op.enroll..renewal.* +.SS Token Renewal 5. There seems to be profile-related comments for "Format Operation For tokenKey" and "Pin Reset Operation For CoolKey". Are they significant enough to be added? thanks, Christina On 05/07/2014 10:49 AM, Endi Sukma Dewata wrote: > On 5/7/2014 12:14 PM, Endi Sukma Dewata wrote: >> The profile doc in TPS configuration file has been converted into >> a man page pki-tps-profile. >> >> Ticket #950 > > New patch attached. Fixed spec file. > > > > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel -------------- next part -------------- An HTML attachment was scrubbed... URL: From ftweedal at redhat.com Wed May 14 08:00:22 2014 From: ftweedal at redhat.com (Fraser Tweedale) Date: Wed, 14 May 2014 18:00:22 +1000 Subject: [Pki-devel] profile inputs and constraints; open tickets? Message-ID: <20140514080021.GO13285@dhcp-40-8.bne.redhat.com> Hi y'all, For my next blog post I'm going to modify and/or implement some profile inputs or constraints. It would be good to do something that's actually needed. I've have a quick look on the Trac for tickets in this area; a few pertain to issues with validity and DN selection - #858 looks particularly juicy - but I didn't see any that required new constraints/inputs/defaults. If anyone has a preference for what I should tackle in this exercise or knows of a relevant ticket I may have overlooked, let me know. Cheers, Fraser From mharmsen at redhat.com Thu May 15 03:51:15 2014 From: mharmsen at redhat.com (Matthew Harmsen) Date: Wed, 14 May 2014 20:51:15 -0700 Subject: [Pki-devel] [PATCHES] PKI TRAC Ticket #946 - Installation of IPA hangs up when LANG is set to tr_TR.UTF8 [Fedora 20] Message-ID: <537439B3.6000208@redhat.com> Please review the two attached patches which address: * PKI TRAC Ticket #946 - Installation of IPA hangs up when LANG is set to tr_TR.UTF8 The first patch attempts to insure that 'UTF-8' encoding is always used when importing data from an LDIF file by replacing the Java commands which utilize the default Locale and thus potentially would override the use of 'UTF-8' when working with LDIF files. The following ticket has been issued to address further concerns related to this issue: * PKI TRAC Ticket #1005 - Analyze source code for Java commands which utilize default Locale and honor 'i18n' The second patch specifically addresses the use of the 'tr_TR.UTF-8' issue reported in this ticket by changing the following problematic LDIF attribute names: * index.ldif o nsIndexType --> nsindexType o nsSystemIndex --> nsSystemindex * vlvtasks.ldif o nsInstance --> nsinstance o nsIndexVLVAttribute --> nsindexVLVAttribute The root of the problem that appears to cause this issue is the use of the 'toLowerCase()' method as utilized in the LDAPJDK. The following bug has been issued which fully describes this issue: * Bugzilla Bug #1097868 - Proposal: Consider not honoring 'i18n' on LDAP attribute names . . . These patches were tested on a 64-bit Fedora 20 machine by doing the following: * Install the patched RPMS onto the Fedora 20 test machine * Set contents of '/etc/locale.conf': o LANG="tr_TR.UTF-8" * Reboot machine * LANG="tr_TR.UTF-8" ssh root at fedora20.example.com * cat /etc/resolv.conf * ipa-server-install --setup-dns o Choose defaults and change the BIND settings using the values from '/etc/resolv.conf' * klist * kinit admin * klist * ipa user-find * ipa help cert * ipa cert-show -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 20140514-Prevent-LDAP-Attributes-from-being-affected-by-Locale.patch Type: text/x-patch Size: 2559 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 20140514-Change-LDAP-Attributes-to-allow-for-tr_TR-locale.patch Type: text/x-patch Size: 34136 bytes Desc: not available URL: From edewata at redhat.com Thu May 15 13:55:35 2014 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 15 May 2014 08:55:35 -0500 Subject: [Pki-devel] [PATCH] 496 Converted TPS profile doc into man page. In-Reply-To: <53725E35.6090806@redhat.com> References: <536A6A0C.1060704@redhat.com> <536A7230.6040008@redhat.com> <53725E35.6090806@redhat.com> Message-ID: <5374C757.2040705@redhat.com> New patch attached. Please see comments below. On 5/13/2014 1:02 PM, Christina Fu wrote: > 1. How about change ""userKey" to "", and "signing" to > "? > > +The following property specifies the CUID shown in the certificate. > + > +.B op.enroll.userKey.keyGen.signing.cuid_label > > + > +The following property specifies the token name. > +All resulting labels for co-existing keys on the same token must be unique. > + > +.B op.enroll.userKey.keyGen.signing.label Sure. It's been changed. > 2. How about replace all reference of "RA" (an outdated name for "TPS") > with "TPS"? Changed also. > 3. We added support for ECC, so a couple params added to the mix (I have > my understanding of what they are, but it's best to ask Jack to provide > official info on those two) : > > +The following properties specify the key usage and which PIN user should be granted. > + > +.nf > *+.B op.enroll..keyGen..alg=1** > **+.B op.enroll..keyGen..keySize=1024* > +.B op.enroll..keyGen..keyUsage=0 > +.B op.enroll..keyGen..keyUser=0 > +.fi I added the alg and keySize properties. Jack, please let me know how we can change the text above to describe all properties above. > 3. Same comment from 1 for the following: > > +There is a special case of tokenType userKeyTemporary. > +Make sure the profile specified by the profileId to have > +short validity period (e.g. 7 days) for the certificate. > + > +.nf > +.B op.enroll.userKey.keyGen.signing.publisherId=fileBasedPublisher > +.B op.enroll.userKeyTemporary.keyGen.signing.publisherId=fileBasedPublisher > +.f I've changed the "signing" to "", but if I change the "userKey" and "userKeyTemporary" into "" too the two lines will become identical. Is that ok, or are these two are special cases? Note that the text and the properties don't seem to be related and we discussed about fixing it separately later. > 4. You asked me about the following, I think I just realized what it was > now. Its for things like > op.enroll.userKey.keyGen.signing.recovery.destroyed.scheme=GenerateNewKey > so, a generic thing is: > op.enroll..keyGen..recovery..scheme=GenerateNewKey > > +The three recovery schemes supported are: > + \fBGenerateNewKey\fR - Generate a new cert for the encryption cert. > + \fBRecoverLast\fR - Recover the most recent cert for the encryption cert. > + \fBGenerateNewKeyandRecoverLast\fR - Generate new cert AND recover last for encryption cert. OK, the property has been added. > 5. for the following you might want to add a generic thing as well: > e.g. > op.enroll..renewal.* > > +.SS Token Renewal Added. > 5. There seems to be profile-related comments for "Format Operation For > tokenKey" and "Pin Reset Operation For CoolKey". Are they significant > enough to be added? Added now. They didn't appear in the UI so I wasn't aware of them. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0496-2-Converted-TPS-profile-doc-into-man-page.patch Type: text/x-patch Size: 20044 bytes Desc: not available URL: From jmagne at redhat.com Thu May 15 17:46:41 2014 From: jmagne at redhat.com (John Magne) Date: Thu, 15 May 2014 13:46:41 -0400 (EDT) Subject: [Pki-devel] [PATCH] 496 Converted TPS profile doc into man page. In-Reply-To: <5374C757.2040705@redhat.com> References: <536A6A0C.1060704@redhat.com> <536A7230.6040008@redhat.com> <53725E35.6090806@redhat.com> <5374C757.2040705@redhat.com> Message-ID: <826365303.10529679.1400176001472.JavaMail.zimbra@redhat.com> Edewata info about ecc params below: thanks, jack ----- Original Message ----- > From: "Endi Sukma Dewata" > To: "Christina Fu" , pki-devel at redhat.com, "John Magne" > Sent: Thursday, May 15, 2014 6:55:35 AM > Subject: Re: [Pki-devel] [PATCH] 496 Converted TPS profile doc into man page. > > New patch attached. Please see comments below. > > On 5/13/2014 1:02 PM, Christina Fu wrote: > > 1. How about change ""userKey" to "", and "signing" to > > "? > > > > +The following property specifies the CUID shown in the certificate. > > + > > +.B op.enroll.userKey.keyGen.signing.cuid_label > > > > + > > +The following property specifies the token name. > > +All resulting labels for co-existing keys on the same token must be > > unique. > > + > > +.B op.enroll.userKey.keyGen.signing.label > > Sure. It's been changed. > > > 2. How about replace all reference of "RA" (an outdated name for "TPS") > > with "TPS"? > > Changed also. > > > 3. We added support for ECC, so a couple params added to the mix (I have > > my understanding of what they are, but it's best to ask Jack to provide > > official info on those two) : > > > > +The following properties specify the key usage and which PIN user should > > be granted. > > + > > +.nf > > *+.B op.enroll..keyGen..alg=1** > > **+.B op.enroll..keyGen..keySize=1024* > > +.B op.enroll..keyGen..keyUsage=0 > > +.B op.enroll..keyGen..keyUser=0 > > +.fi For ECC the keySizes we support are 256, 384. Theoretically we could do 521, but I'm not sure we tested that yet, so just put the first two. The algs are as follows: ALG_EC_F2M = 4, ALG_EC_FP = 5 These are just two different types of EC algs. We really only support ALG_EC_FP_5 = 5 though. so you can either emphasize that or just leave out the other one for now. > > I added the alg and keySize properties. Jack, please let me know how we > can change the text above to describe all properties above. > > > 3. Same comment from 1 for the following: > > > > +There is a special case of tokenType userKeyTemporary. > > +Make sure the profile specified by the profileId to have > > +short validity period (e.g. 7 days) for the certificate. > > + > > +.nf > > +.B op.enroll.userKey.keyGen.signing.publisherId=fileBasedPublisher > > +.B > > op.enroll.userKeyTemporary.keyGen.signing.publisherId=fileBasedPublisher > > +.f > > I've changed the "signing" to "", but if I change the "userKey" > and "userKeyTemporary" into "" too the two lines will become > identical. Is that ok, or are these two are special cases? > > Note that the text and the properties don't seem to be related and we > discussed about fixing it separately later. > > > 4. You asked me about the following, I think I just realized what it was > > now. Its for things like > > op.enroll.userKey.keyGen.signing.recovery.destroyed.scheme=GenerateNewKey > > so, a generic thing is: > > op.enroll..keyGen..recovery..scheme=GenerateNewKey > > > > +The three recovery schemes supported are: > > + \fBGenerateNewKey\fR - Generate a new cert for the encryption cert. > > + \fBRecoverLast\fR - Recover the most recent cert for the encryption > > cert. > > + \fBGenerateNewKeyandRecoverLast\fR - Generate new cert AND recover last > > for encryption cert. > > OK, the property has been added. > > > 5. for the following you might want to add a generic thing as well: > > e.g. > > op.enroll..renewal.* > > > > +.SS Token Renewal > > Added. > > > 5. There seems to be profile-related comments for "Format Operation For > > tokenKey" and "Pin Reset Operation For CoolKey". Are they significant > > enough to be added? > > Added now. They didn't appear in the UI so I wasn't aware of them. > > -- > Endi S. Dewata > From edewata at redhat.com Thu May 15 20:26:57 2014 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 15 May 2014 15:26:57 -0500 Subject: [Pki-devel] [PATCH] 503 Replaced group for RegisterUser. Message-ID: <53752311.5080300@redhat.com> The RegisterUser servlets in CA, KRA, and TKS have been updated to add the user into Trusted Managers group instead of Agents. A new upgrade script has been added to update existing instances. The XML formatting in TKS's web.xml has been cleaned up. Ticket #990 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0503-Replaced-group-for-RegisterUser.patch Type: text/x-patch Size: 8640 bytes Desc: not available URL: From edewata at redhat.com Thu May 15 21:21:52 2014 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 15 May 2014 16:21:52 -0500 Subject: [Pki-devel] [PATCH] 496 Converted TPS profile doc into man page. In-Reply-To: <826365303.10529679.1400176001472.JavaMail.zimbra@redhat.com> References: <536A6A0C.1060704@redhat.com> <536A7230.6040008@redhat.com> <53725E35.6090806@redhat.com> <5374C757.2040705@redhat.com> <826365303.10529679.1400176001472.JavaMail.zimbra@redhat.com> Message-ID: <53752FF0.8060303@redhat.com> Thanks for the info. A new patch is attached. I've included the ECC information based on the IRC discussion. -- Endi S. Dewata On 5/15/2014 12:46 PM, John Magne wrote: > Edewata info about ecc params below: > > thanks, > jack > > ----- Original Message ----- >>> 3. We added support for ECC, so a couple params added to the mix (I have >>> my understanding of what they are, but it's best to ask Jack to provide >>> official info on those two) : >>> >>> +The following properties specify the key usage and which PIN user should >>> be granted. >>> + >>> +.nf >>> *+.B op.enroll..keyGen..alg=1** >>> **+.B op.enroll..keyGen..keySize=1024* >>> +.B op.enroll..keyGen..keyUsage=0 >>> +.B op.enroll..keyGen..keyUser=0 >>> +.fi > > For ECC the keySizes we support are 256, 384. Theoretically we could do 521, but I'm not sure we tested that yet, so just put the first two. > > The algs are as follows: > > ALG_EC_F2M = 4, > ALG_EC_FP = 5 > > These are just two different types of EC algs. > > We really only support ALG_EC_FP_5 = 5 though. so you can either emphasize that or just leave out the other one for now. -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0496-3-Converted-TPS-profile-doc-into-man-page.patch Type: text/x-patch Size: 20186 bytes Desc: not available URL: From cfu at redhat.com Thu May 15 22:33:32 2014 From: cfu at redhat.com (Christina Fu) Date: Thu, 15 May 2014 15:33:32 -0700 Subject: [Pki-devel] [PATCH] 91 Refactored CertRevokeRequest and CertUnrevokeRequest classes in Dogtag 10 In-Reply-To: <1399286894.3985.8.camel@akoneru.redhat.com> References: <1399286652.3985.3.camel@akoneru.redhat.com> <1399286894.3985.8.camel@akoneru.redhat.com> Message-ID: <537540BC.1060607@redhat.com> Hi Abhishek, The code appears to be correct, provided that the previously refactored code (which I did not review) works correctly, and it does not break the non-REST code. Could you please 1. provide a signed audit log event for one revocation request from the cli, where it shows an actual request id and verify that it is indeed the correct request id? 2.perform one single revocation from the non-REST agent interface and then verify the same revocation log event type for log request id? thanks, Christina On 05/05/2014 03:48 AM, Abhishek Koneru wrote: > Sorry for the spam! > Please ignore the previous email. > > --Abhishek > On Mon, 2014-05-05 at 06:44 -0400, Abhishek Koneru wrote: >> Please review the patch which refactors the CertRevokeRequest class and >> removes the CertUnrevokeRequest class in Dogtag 10. Description of the >> patch: >> >> There seems to be no use of the requestID parameter in both revoke >> and unrevoke request. Removed requestID attribute in CertRevokeRequest >> remove the class CertUnrevokeRequest. >> >> Also made changes in RevocationProcesor to use the requestID of the >> request created in it. >> >> The setRequestID() is being called in the DoRevoke and DoUnRevoke >> servlets. >> Removed the call and a function auditRequesterId in both the classes. >> >> The auditRequestorId method tries to get a "requestID" stored as a INPUT >> field >> in the reasonToRequest page. The ReasonToRevoke class which generates >> this page does not set the value. >> >> * This patch is required for patch 92. The unrevoke_request method in >> CertClient on the python side will not work without this patch. >> >> --Abhishek >> _______________________________________________ >> Pki-devel mailing list >> Pki-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/pki-devel > > > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel -------------- next part -------------- An HTML attachment was scrubbed... URL: From edewata at redhat.com Thu May 15 22:55:35 2014 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 15 May 2014 17:55:35 -0500 Subject: [Pki-devel] [PATCH] 497 Fixed problem adding enabled TPS profile. In-Reply-To: <536A93A2.8020306@redhat.com> References: <536A93A2.8020306@redhat.com> Message-ID: <537545E7.80908@redhat.com> On 5/7/2014 3:12 PM, Endi Sukma Dewata wrote: > The profile, profile mapping, connector, and authenticator services > in TPS have been modified to allow adding enabled entries directly > if the user has the proper rights. > > The authenticator database has been moved into the config package > for consistency. > > Ticket #948 Rebased and some cleanups. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0497-1-Fixed-problem-adding-enabled-TPS-profile.patch Type: text/x-patch Size: 14219 bytes Desc: not available URL: From edewata at redhat.com Fri May 16 15:30:12 2014 From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 16 May 2014 10:30:12 -0500 Subject: [Pki-devel] [PATCH] 503 Replaced group for RegisterUser. In-Reply-To: <53752311.5080300@redhat.com> References: <53752311.5080300@redhat.com> Message-ID: <53762F04.4010803@redhat.com> On 5/15/2014 3:26 PM, Endi Sukma Dewata wrote: > The RegisterUser servlets in CA, KRA, and TKS have been updated to > add the user into Trusted Managers group instead of Agents. > > A new upgrade script has been added to update existing instances. > > The XML formatting in TKS's web.xml has been cleaned up. > > Ticket #990 New patch attached. Added empty 10.0.7 and 10.1.1 folders to support upgrading from those versions. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0503-1-Replaced-group-for-RegisterUser.patch Type: text/x-patch Size: 10131 bytes Desc: not available URL: From akoneru at redhat.com Fri May 16 15:49:37 2014 From: akoneru at redhat.com (Abhishek Koneru) Date: Fri, 16 May 2014 11:49:37 -0400 Subject: [Pki-devel] [PATCH] 91 Refactored CertRevokeRequest and CertUnrevokeRequest classes in Dogtag 10 In-Reply-To: <537540BC.1060607@redhat.com> References: <1399286652.3985.3.camel@akoneru.redhat.com> <1399286894.3985.8.camel@akoneru.redhat.com> <537540BC.1060607@redhat.com> Message-ID: <1400255377.3272.5.camel@akoneru.redhat.com> Hi Christina, Please find the revocation logs below. Revocation using UI - Without patch 91 - [16/May/2014:11:18:09][http-bio-8443-exec-2]: SignedAuditEventFactory: create() message=[AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=$Unidentified$][CertSerialNum=0x7][RequestType=on-hold][RevokeReasonNum=6][Approval=complete] certificate status change request processed With patch 91 [16/May/2014:11:36:52][http-bio-8443-exec-11]: SignedAuditEventFactory: create() message=[AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=8][CertSerialNum=0x7][RequestType=on-hold][RevokeReasonNum=6][Approval=complete] certificate status change request processed Revocation using CLI - command - pki -d nssdb/ -c Secret123 -n "PKI Administrator for redhat.com" cert-revoke 8 Without patch 91 [16/May/2014:11:24:36][http-bio-8443-exec-24]: SignedAuditEventFactory: create() message=[AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED][SubjectID= $NonRoleUser$][Outcome=Success][ReqID=$Unidentified $][CertSerialNum=0x8][RequestType=revoke][RevokeReasonNum=0][Approval=complete] certificate status change request processed With patch 91 - [16/May/2014:11:41:33][http-bio-8443-exec-17]: SignedAuditEventFactory: create() message=[AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED][SubjectID= $NonRoleUser $][Outcome=Success][ReqID=10][CertSerialNum=0x8][RequestType=revoke][RevokeReasonNum=0][Approval=complete] certificate status change request processed Listing the certificate requests for enrolling the above certificates using cli. Request ID: 7 Type: enrollment Request Status: complete Operation Result: success Certificate ID: 0x7 Request ID: 8 Type: revocation Request Status: complete Operation Result: success Request ID: 9 Type: enrollment Request Status: complete Operation Result: success Certificate ID: 0x8 Request ID: 10 Type: revocation Request Status: complete Operation Result: success --Abhishek On Thu, 2014-05-15 at 15:33 -0700, Christina Fu wrote: > Hi Abhishek, > The code appears to be correct, provided that the previously > refactored code (which I did not review) works correctly, and it does > not break the non-REST code. Could you please > > 1. provide a signed audit log event for one revocation request from > the cli, where it shows an actual request id and verify that it is > indeed the correct request id? > 2.perform one single revocation from the non-REST agent interface and > then verify the same revocation log event type for log request id? > > thanks, > Christina > > On 05/05/2014 03:48 AM, Abhishek Koneru wrote: > > > Sorry for the spam! > > Please ignore the previous email. > > > > --Abhishek > > On Mon, 2014-05-05 at 06:44 -0400, Abhishek Koneru wrote: > > > Please review the patch which refactors the CertRevokeRequest class and > > > removes the CertUnrevokeRequest class in Dogtag 10. Description of the > > > patch: > > > > > > There seems to be no use of the requestID parameter in both revoke > > > and unrevoke request. Removed requestID attribute in CertRevokeRequest > > > remove the class CertUnrevokeRequest. > > > > > > Also made changes in RevocationProcesor to use the requestID of the > > > request created in it. > > > > > > The setRequestID() is being called in the DoRevoke and DoUnRevoke > > > servlets. > > > Removed the call and a function auditRequesterId in both the classes. > > > > > > The auditRequestorId method tries to get a "requestID" stored as a INPUT > > > field > > > in the reasonToRequest page. The ReasonToRevoke class which generates > > > this page does not set the value. > > > > > > * This patch is required for patch 92. The unrevoke_request method in > > > CertClient on the python side will not work without this patch. > > > > > > --Abhishek > > > _______________________________________________ > > > Pki-devel mailing list > > > Pki-devel at redhat.com > > > https://www.redhat.com/mailman/listinfo/pki-devel > > > > > > _______________________________________________ > > Pki-devel mailing list > > Pki-devel at redhat.com > > https://www.redhat.com/mailman/listinfo/pki-devel > > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel From cfu at redhat.com Fri May 16 16:11:36 2014 From: cfu at redhat.com (Christina Fu) Date: Fri, 16 May 2014 09:11:36 -0700 Subject: [Pki-devel] [PATCH] 91 Refactored CertRevokeRequest and CertUnrevokeRequest classes in Dogtag 10 In-Reply-To: <1400255377.3272.5.camel@akoneru.redhat.com> References: <1399286652.3985.3.camel@akoneru.redhat.com> <1399286894.3985.8.camel@akoneru.redhat.com> <537540BC.1060607@redhat.com> <1400255377.3272.5.camel@akoneru.redhat.com> Message-ID: <537638B8.10508@redhat.com> Hi Abhishek, nice. ACK. thanks, Christina On 05/16/2014 08:49 AM, Abhishek Koneru wrote: > Hi Christina, > > Please find the revocation logs below. > > Revocation using UI - > > Without patch 91 - > [16/May/2014:11:18:09][http-bio-8443-exec-2]: SignedAuditEventFactory: > create() > message=[AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=$Unidentified$][CertSerialNum=0x7][RequestType=on-hold][RevokeReasonNum=6][Approval=complete] certificate status change request processed > > With patch 91 > [16/May/2014:11:36:52][http-bio-8443-exec-11]: SignedAuditEventFactory: > create() > message=[AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=8][CertSerialNum=0x7][RequestType=on-hold][RevokeReasonNum=6][Approval=complete] certificate status change request processed > > Revocation using CLI - > > command - pki -d nssdb/ -c Secret123 -n "PKI Administrator for > redhat.com" cert-revoke 8 > > Without patch 91 > [16/May/2014:11:24:36][http-bio-8443-exec-24]: SignedAuditEventFactory: > create() > message=[AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED][SubjectID= > $NonRoleUser$][Outcome=Success][ReqID=$Unidentified > $][CertSerialNum=0x8][RequestType=revoke][RevokeReasonNum=0][Approval=complete] certificate status change request processed > > With patch 91 - > [16/May/2014:11:41:33][http-bio-8443-exec-17]: SignedAuditEventFactory: > create() > message=[AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED][SubjectID= > $NonRoleUser > $][Outcome=Success][ReqID=10][CertSerialNum=0x8][RequestType=revoke][RevokeReasonNum=0][Approval=complete] certificate status change request processed > > Listing the certificate requests for enrolling the above certificates > using cli. > Request ID: 7 > Type: enrollment > Request Status: complete > Operation Result: success > Certificate ID: 0x7 > > Request ID: 8 > Type: revocation > Request Status: complete > Operation Result: success > > Request ID: 9 > Type: enrollment > Request Status: complete > Operation Result: success > Certificate ID: 0x8 > > Request ID: 10 > Type: revocation > Request Status: complete > Operation Result: success > > --Abhishek > > > > On Thu, 2014-05-15 at 15:33 -0700, Christina Fu wrote: >> Hi Abhishek, >> The code appears to be correct, provided that the previously >> refactored code (which I did not review) works correctly, and it does >> not break the non-REST code. Could you please >> >> 1. provide a signed audit log event for one revocation request from >> the cli, where it shows an actual request id and verify that it is >> indeed the correct request id? >> 2.perform one single revocation from the non-REST agent interface and >> then verify the same revocation log event type for log request id? >> >> thanks, >> Christina >> >> On 05/05/2014 03:48 AM, Abhishek Koneru wrote: >> >>> Sorry for the spam! >>> Please ignore the previous email. >>> >>> --Abhishek >>> On Mon, 2014-05-05 at 06:44 -0400, Abhishek Koneru wrote: >>>> Please review the patch which refactors the CertRevokeRequest class and >>>> removes the CertUnrevokeRequest class in Dogtag 10. Description of the >>>> patch: >>>> >>>> There seems to be no use of the requestID parameter in both revoke >>>> and unrevoke request. Removed requestID attribute in CertRevokeRequest >>>> remove the class CertUnrevokeRequest. >>>> >>>> Also made changes in RevocationProcesor to use the requestID of the >>>> request created in it. >>>> >>>> The setRequestID() is being called in the DoRevoke and DoUnRevoke >>>> servlets. >>>> Removed the call and a function auditRequesterId in both the classes. >>>> >>>> The auditRequestorId method tries to get a "requestID" stored as a INPUT >>>> field >>>> in the reasonToRequest page. The ReasonToRevoke class which generates >>>> this page does not set the value. >>>> >>>> * This patch is required for patch 92. The unrevoke_request method in >>>> CertClient on the python side will not work without this patch. >>>> >>>> --Abhishek >>>> _______________________________________________ >>>> Pki-devel mailing list >>>> Pki-devel at redhat.com >>>> https://www.redhat.com/mailman/listinfo/pki-devel >>> >>> _______________________________________________ >>> Pki-devel mailing list >>> Pki-devel at redhat.com >>> https://www.redhat.com/mailman/listinfo/pki-devel >> _______________________________________________ >> Pki-devel mailing list >> Pki-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/pki-devel > From cfu at redhat.com Fri May 16 17:56:04 2014 From: cfu at redhat.com (Christina Fu) Date: Fri, 16 May 2014 10:56:04 -0700 Subject: [Pki-devel] [PATCH] 496 Converted TPS profile doc into man page. In-Reply-To: <53752FF0.8060303@redhat.com> References: <536A6A0C.1060704@redhat.com> <536A7230.6040008@redhat.com> <53725E35.6090806@redhat.com> <5374C757.2040705@redhat.com> <826365303.10529679.1400176001472.JavaMail.zimbra@redhat.com> <53752FF0.8060303@redhat.com> Message-ID: <53765134.8090205@redhat.com> Hi Endi, Just a couple things: 1. I still see "userKey" in the patch, like +.B op.pinReset.userKey.update.applet.emptyToken.enable=false, do you think need to be made generic ? 2. also, what happened to the "ECC alg should use 5" message? It's supposed to be in there right? 3. for this line: +.B op.format.tokenKey.update.applet.emptyToken.enable=false, is "tokenKey" supposed to be ""? ACK. thanks, Christina On 05/15/2014 02:21 PM, Endi Sukma Dewata wrote: > Thanks for the info. A new patch is attached. I've included the ECC > information based on the IRC discussion. > From akoneru at redhat.com Fri May 16 18:19:29 2014 From: akoneru at redhat.com (Abhishek Koneru) Date: Fri, 16 May 2014 14:19:29 -0400 Subject: [Pki-devel] [PATCH] 91 Refactored CertRevokeRequest and CertUnrevokeRequest classes in Dogtag 10 In-Reply-To: <537638B8.10508@redhat.com> References: <1399286652.3985.3.camel@akoneru.redhat.com> <1399286894.3985.8.camel@akoneru.redhat.com> <537540BC.1060607@redhat.com> <1400255377.3272.5.camel@akoneru.redhat.com> <537638B8.10508@redhat.com> Message-ID: <1400264369.3272.6.camel@akoneru.redhat.com> Thanks Christina. Pushed to master. --Abhishek On Fri, 2014-05-16 at 09:11 -0700, Christina Fu wrote: > Hi Abhishek, > nice. ACK. > thanks, > Christina > > On 05/16/2014 08:49 AM, Abhishek Koneru wrote: > > Hi Christina, > > > > Please find the revocation logs below. > > > > Revocation using UI - > > > > Without patch 91 - > > [16/May/2014:11:18:09][http-bio-8443-exec-2]: SignedAuditEventFactory: > > create() > > message=[AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=$Unidentified$][CertSerialNum=0x7][RequestType=on-hold][RevokeReasonNum=6][Approval=complete] certificate status change request processed > > > > With patch 91 > > [16/May/2014:11:36:52][http-bio-8443-exec-11]: SignedAuditEventFactory: > > create() > > message=[AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED][SubjectID=caadmin][Outcome=Success][ReqID=8][CertSerialNum=0x7][RequestType=on-hold][RevokeReasonNum=6][Approval=complete] certificate status change request processed > > > > Revocation using CLI - > > > > command - pki -d nssdb/ -c Secret123 -n "PKI Administrator for > > redhat.com" cert-revoke 8 > > > > Without patch 91 > > [16/May/2014:11:24:36][http-bio-8443-exec-24]: SignedAuditEventFactory: > > create() > > message=[AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED][SubjectID= > > $NonRoleUser$][Outcome=Success][ReqID=$Unidentified > > $][CertSerialNum=0x8][RequestType=revoke][RevokeReasonNum=0][Approval=complete] certificate status change request processed > > > > With patch 91 - > > [16/May/2014:11:41:33][http-bio-8443-exec-17]: SignedAuditEventFactory: > > create() > > message=[AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED][SubjectID= > > $NonRoleUser > > $][Outcome=Success][ReqID=10][CertSerialNum=0x8][RequestType=revoke][RevokeReasonNum=0][Approval=complete] certificate status change request processed > > > > Listing the certificate requests for enrolling the above certificates > > using cli. > > Request ID: 7 > > Type: enrollment > > Request Status: complete > > Operation Result: success > > Certificate ID: 0x7 > > > > Request ID: 8 > > Type: revocation > > Request Status: complete > > Operation Result: success > > > > Request ID: 9 > > Type: enrollment > > Request Status: complete > > Operation Result: success > > Certificate ID: 0x8 > > > > Request ID: 10 > > Type: revocation > > Request Status: complete > > Operation Result: success > > > > --Abhishek > > > > > > > > On Thu, 2014-05-15 at 15:33 -0700, Christina Fu wrote: > >> Hi Abhishek, > >> The code appears to be correct, provided that the previously > >> refactored code (which I did not review) works correctly, and it does > >> not break the non-REST code. Could you please > >> > >> 1. provide a signed audit log event for one revocation request from > >> the cli, where it shows an actual request id and verify that it is > >> indeed the correct request id? > >> 2.perform one single revocation from the non-REST agent interface and > >> then verify the same revocation log event type for log request id? > >> > >> thanks, > >> Christina > >> > >> On 05/05/2014 03:48 AM, Abhishek Koneru wrote: > >> > >>> Sorry for the spam! > >>> Please ignore the previous email. > >>> > >>> --Abhishek > >>> On Mon, 2014-05-05 at 06:44 -0400, Abhishek Koneru wrote: > >>>> Please review the patch which refactors the CertRevokeRequest class and > >>>> removes the CertUnrevokeRequest class in Dogtag 10. Description of the > >>>> patch: > >>>> > >>>> There seems to be no use of the requestID parameter in both revoke > >>>> and unrevoke request. Removed requestID attribute in CertRevokeRequest > >>>> remove the class CertUnrevokeRequest. > >>>> > >>>> Also made changes in RevocationProcesor to use the requestID of the > >>>> request created in it. > >>>> > >>>> The setRequestID() is being called in the DoRevoke and DoUnRevoke > >>>> servlets. > >>>> Removed the call and a function auditRequesterId in both the classes. > >>>> > >>>> The auditRequestorId method tries to get a "requestID" stored as a INPUT > >>>> field > >>>> in the reasonToRequest page. The ReasonToRevoke class which generates > >>>> this page does not set the value. > >>>> > >>>> * This patch is required for patch 92. The unrevoke_request method in > >>>> CertClient on the python side will not work without this patch. > >>>> > >>>> --Abhishek > >>>> _______________________________________________ > >>>> Pki-devel mailing list > >>>> Pki-devel at redhat.com > >>>> https://www.redhat.com/mailman/listinfo/pki-devel > >>> > >>> _______________________________________________ > >>> Pki-devel mailing list > >>> Pki-devel at redhat.com > >>> https://www.redhat.com/mailman/listinfo/pki-devel > >> _______________________________________________ > >> Pki-devel mailing list > >> Pki-devel at redhat.com > >> https://www.redhat.com/mailman/listinfo/pki-devel > > > From edewata at redhat.com Fri May 16 18:43:52 2014 From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 16 May 2014 13:43:52 -0500 Subject: [Pki-devel] [PATCH] 496 Converted TPS profile doc into man page. In-Reply-To: <53765134.8090205@redhat.com> References: <536A6A0C.1060704@redhat.com> <536A7230.6040008@redhat.com> <53725E35.6090806@redhat.com> <5374C757.2040705@redhat.com> <826365303.10529679.1400176001472.JavaMail.zimbra@redhat.com> <53752FF0.8060303@redhat.com> <53765134.8090205@redhat.com> Message-ID: <53765C68.8040202@redhat.com> On 5/16/2014 12:56 PM, Christina Fu wrote: > 1. I still see "userKey" in the patch, like +.B > op.pinReset.userKey.update.applet.emptyToken.enable=false, do you think > need to be made generic ? OK, changed. > 2. also, what happened to the "ECC alg should use 5" message? It's > supposed to be in there right? As discussed over IRC, the current message already lists the alg values for RSA and ECC. > 3. for this line: +.B > op.format.tokenKey.update.applet.emptyToken.enable=false, is "tokenKey" > supposed to be ""? Changed as well. > ACK. > thanks, > Christina Thanks. Pushed to master. -- Endi S. Dewata From edewata at redhat.com Mon May 19 16:21:41 2014 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 19 May 2014 11:21:41 -0500 Subject: [Pki-devel] [PATCH] 504 Fixed TPS database indexes. Message-ID: <537A2F95.2030604@redhat.com> The index.ldif for TPS has been fixed to remove hard-coded database names and to add the missing the index for the description attribute. Ticket #979 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0504-Fixed-TPS-database-indexes.patch Type: text/x-patch Size: 3004 bytes Desc: not available URL: From edewata at redhat.com Mon May 19 16:21:47 2014 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 19 May 2014 11:21:47 -0500 Subject: [Pki-devel] [PATCH] 505 Removed unnecessary variable in ConfigurationUtils.configCert(). Message-ID: <537A2F9B.8080402@redhat.com> The original_caType variable has been removed because it's not necessary. The variable was used to store the original value of caType, but after restoring the original value, the caType was no longer used by the code. So it's actually not necessary to restore the original value, and therefore it's not necessary to keep the original value of caType. Ticket #990 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0505-Removed-unnecessary-variable-in-ConfigurationUtils.c.patch Type: text/x-patch Size: 2519 bytes Desc: not available URL: From edewata at redhat.com Mon May 19 16:22:02 2014 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 19 May 2014 11:22:02 -0500 Subject: [Pki-devel] [PATCH] 506 Refactored ConfigurationUtils.configCert(). Message-ID: <537A2FAA.4030500@redhat.com> The ConfigurationUtils.configCert() has been refactored into smaller methods: createRemoteCert() and createLocalCert(). Ticket #990 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0506-Refactored-ConfigurationUtils.configCert.patch Type: text/x-patch Size: 22510 bytes Desc: not available URL: From edewata at redhat.com Mon May 19 16:56:50 2014 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 19 May 2014 11:56:50 -0500 Subject: [Pki-devel] [PATCH] 501 Fixed internal errors in RenewalProcessor. In-Reply-To: <536D3DA9.7060901@redhat.com> References: <536D3DA9.7060901@redhat.com> Message-ID: <537A37D2.2080308@redhat.com> On 5/9/2014 3:42 PM, Endi Sukma Dewata wrote: > The RenewalProcessor was throwing NumberFormatException if the > renewal request contains an empty serial number. The code has been > modified to check for null and empty string. > > If the serial number is unavailable, the code will try to get the > serial number from the client certificate. If that is unavailable > either, the code has been fixed to return a proper message. > > Ticket #999 ACKed by Ade. Pushed to master. -- Endi S. Dewata From edewata at redhat.com Mon May 19 18:20:50 2014 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 19 May 2014 13:20:50 -0500 Subject: [Pki-devel] [PATCH] 507 Refactored ConfigurationUtils.setupClientAuthUser(). Message-ID: <537A4B82.9090200@redhat.com> The ConfigurationUtils.setupClientAuthUser() has been converted from a static method into an instance method in a new class PKIInstaller. The PKIInstaller will become the base class of all subsystem-specific installer which will help clean up installation process. Ticket #990 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0507-Refactored-ConfigurationUtils.setupClientAuthUser.patch Type: text/x-patch Size: 13942 bytes Desc: not available URL: From edewata at redhat.com Mon May 19 18:21:02 2014 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 19 May 2014 13:21:02 -0500 Subject: [Pki-devel] [PATCH] 508 Refactored ConfigurationUtils.registerUser(). Message-ID: <537A4B8E.1060105@redhat.com> The ConfigurationUtils.registerUser() has been converted from a static method into an instance method in PKIInstaller. Ticket #990 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0508-Refactored-ConfigurationUtils.registerUser.patch Type: text/x-patch Size: 11142 bytes Desc: not available URL: From edewata at redhat.com Tue May 20 00:05:18 2014 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 19 May 2014 19:05:18 -0500 Subject: [Pki-devel] [PATCH] 497 Fixed problem adding enabled TPS profile. In-Reply-To: <537545E7.80908@redhat.com> References: <536A93A2.8020306@redhat.com> <537545E7.80908@redhat.com> Message-ID: <537A9C3E.9070400@redhat.com> On 5/15/2014 5:55 PM, Endi Sukma Dewata wrote: > On 5/7/2014 3:12 PM, Endi Sukma Dewata wrote: >> The profile, profile mapping, connector, and authenticator services >> in TPS have been modified to allow adding enabled entries directly >> if the user has the proper rights. >> >> The authenticator database has been moved into the config package >> for consistency. >> >> Ticket #948 > > Rebased and some cleanups. ACKed by Ade and Christina. Pushed to master. -- Endi S. Dewata From ftweedal at redhat.com Tue May 20 04:42:01 2014 From: ftweedal at redhat.com (Fraser Tweedale) Date: Tue, 20 May 2014 14:42:01 +1000 Subject: [Pki-devel] configuring tomcat for remote debug Message-ID: <20140520044201.GB20862@dhcp-40-8.bne.redhat.com> Hi all, I'm having difficulty getting tomcat-pki to run with remote debugging available. The pki instance was configured via ipa-server-install. I have set ``pki_enable_java_debugger=True`` in ``/etc/sysconfig/pki/tomcat/pki-tomcat/ca/default.cfg`` and in ``/etc/pki/pki-tomcat/tomcat.conf``: JAVA_OPTS="-DRESTEASY_LIB=/usr/share/java/resteasy -Xdebug -Xrunjdwp:transport=dt_socket,address=8000,server=y,suspend=n -Djava.awt.headless=true -Xmx128M" Alas, restarting the server does not result in a debug socket on port 8000. I must be missing something; can someone assist? Cheers, Fraser From ftweedal at redhat.com Tue May 20 05:19:46 2014 From: ftweedal at redhat.com (Fraser Tweedale) Date: Tue, 20 May 2014 15:19:46 +1000 Subject: [Pki-devel] [PATCH] 1 Correct debug message in 'pkiconfig.py' Message-ID: <20140520051946.GC20862@dhcp-40-8.bne.redhat.com> A drive-by fix for #937, since I came across it while trying to sort out my own remote-debug issues :) -------------- next part -------------- >From 6f2ed2f3cad8c13de7fe690f089212d4633bf6eb Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 20 May 2014 15:12:29 +1000 Subject: [PATCH] Correct debug message in 'pkiconfig.py' The instructions for enabling external debugging shown during installation is incorrect. Fix the message. Ticket #937 --- base/server/python/pki/server/deployment/pkiconfig.py | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/base/server/python/pki/server/deployment/pkiconfig.py b/base/server/python/pki/server/deployment/pkiconfig.py index 2e9463b9d082e611007810729110bd7a14a7b995..bb89cc5fc561b62959498ef7eb7ed1b8aae9f5a8 100644 --- a/base/server/python/pki/server/deployment/pkiconfig.py +++ b/base/server/python/pki/server/deployment/pkiconfig.py @@ -132,11 +132,13 @@ def prepare_for_an_external_java_debugger(instance): print print PKI_DEPLOYMENT_INTERRUPT_BANNER print - print "The following 'JAVA_OPTS' MUST be enabled (uncommented) in" + print "The following 'JAVA_OPTS' MUST be edited in" print "'%s':" % instance print - print " JAVA_OPTS=\"-Xdebug -Xrunjdwp:transport=dt_socket,\"" - print " \"address=8000,server=y,suspend\"" + print " JAVA_OPTS=\"-DRESTEASY_LIB=/usr/share/java/resteasy \"" + print " \"-Xdebug -Xrunjdwp:transport=dt_socket,\"" + print " \"address=8000,server=y,suspend=n \"" + print " \"-Djava.awt.headless=true -Xmx128M\"" print raw_input("Enable external java debugger 'JAVA_OPTS' "\ "and press return to continue . . . ") -- 1.9.0 From akoneru at redhat.com Tue May 20 15:02:21 2014 From: akoneru at redhat.com (Abhishek Koneru) Date: Tue, 20 May 2014 11:02:21 -0400 Subject: [Pki-devel] [PATCH] 93 Add methods for CertRequestResource to CertClient in the python client Message-ID: <1400598141.3184.10.camel@akoneru.redhat.com> Please review the attached patch which adds methods to deal with the CertRequest resource in CertClient on the python side. These methods provide functionality like - -Fetching the enrollment templates. -Creating an enrollment request from a dictionary of input key-value pairs. -Submitting an enrollment request. -Reviewing the request. -Performing an action on a request(approve/reject/cancel/etc.) Also defined all the classes needed for data representation. --Abhishek -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-akoneru-0093-Added-methods-in-CertClient-for-CertRequestResource.patch Type: text/x-patch Size: 49920 bytes Desc: not available URL: From jmagne at redhat.com Tue May 20 22:34:39 2014 From: jmagne at redhat.com (John Magne) Date: Tue, 20 May 2014 18:34:39 -0400 (EDT) Subject: [Pki-devel] configuring tomcat for remote debug In-Reply-To: <20140520044201.GB20862@dhcp-40-8.bne.redhat.com> References: <20140520044201.GB20862@dhcp-40-8.bne.redhat.com> Message-ID: <627117611.14792408.1400625279432.JavaMail.zimbra@redhat.com> Hello: I believe the actual file you want is this: /etc/sysconfig/pki-tomcat Modify that one and I think it should work. ----- Original Message ----- > From: "Fraser Tweedale" > To: pki-devel at redhat.com > Sent: Monday, May 19, 2014 9:42:01 PM > Subject: [Pki-devel] configuring tomcat for remote debug > > Hi all, > > I'm having difficulty getting tomcat-pki to run with remote > debugging available. The pki instance was configured via > ipa-server-install. > > I have set ``pki_enable_java_debugger=True`` in > ``/etc/sysconfig/pki/tomcat/pki-tomcat/ca/default.cfg`` and in > ``/etc/pki/pki-tomcat/tomcat.conf``: > > JAVA_OPTS="-DRESTEASY_LIB=/usr/share/java/resteasy -Xdebug > -Xrunjdwp:transport=dt_socket,address=8000,server=y,suspend=n > -Djava.awt.headless=true -Xmx128M" > > Alas, restarting the server does not result in a debug socket on > port 8000. I must be missing something; can someone assist? > > Cheers, > > Fraser > > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel > From ftweedal at redhat.com Wed May 21 06:59:13 2014 From: ftweedal at redhat.com (Fraser Tweedale) Date: Wed, 21 May 2014 16:59:13 +1000 Subject: [Pki-devel] [PATCH] 1 Correct debug message in 'pkiconfig.py' In-Reply-To: <537BC831.5060103@redhat.com> References: <20140520051946.GC20862@dhcp-40-8.bne.redhat.com> <537BC831.5060103@redhat.com> Message-ID: <20140521065913.GA3851@dhcp-40-8.bne.redhat.com> On Tue, May 20, 2014 at 02:25:05PM -0700, Matthew Harmsen wrote: > On 05/19/14 22:19, Fraser Tweedale wrote: > >A drive-by fix for #937, since I came across it while trying to sort > >out my own remote-debug issues :) > > > ACK > > Acked by mharmsen; pushed to master. > > > >_______________________________________________ > >Pki-devel mailing list > >Pki-devel at redhat.com > >https://www.redhat.com/mailman/listinfo/pki-devel > From ftweedal at redhat.com Wed May 21 07:11:37 2014 From: ftweedal at redhat.com (Fraser Tweedale) Date: Wed, 21 May 2014 17:11:37 +1000 Subject: [Pki-devel] configuring tomcat for remote debug In-Reply-To: <627117611.14792408.1400625279432.JavaMail.zimbra@redhat.com> References: <20140520044201.GB20862@dhcp-40-8.bne.redhat.com> <627117611.14792408.1400625279432.JavaMail.zimbra@redhat.com> Message-ID: <20140521071137.GC3851@dhcp-40-8.bne.redhat.com> On Tue, May 20, 2014 at 06:34:39PM -0400, John Magne wrote: > > Hello: > > I believe the actual file you want is this: > > /etc/sysconfig/pki-tomcat > > Modify that one and I think it should work. > Yes, that one did the trick. Thank you. Fraser > > ----- Original Message ----- > > From: "Fraser Tweedale" > > To: pki-devel at redhat.com > > Sent: Monday, May 19, 2014 9:42:01 PM > > Subject: [Pki-devel] configuring tomcat for remote debug > > > > Hi all, > > > > I'm having difficulty getting tomcat-pki to run with remote > > debugging available. The pki instance was configured via > > ipa-server-install. > > > > I have set ``pki_enable_java_debugger=True`` in > > ``/etc/sysconfig/pki/tomcat/pki-tomcat/ca/default.cfg`` and in > > ``/etc/pki/pki-tomcat/tomcat.conf``: > > > > JAVA_OPTS="-DRESTEASY_LIB=/usr/share/java/resteasy -Xdebug > > -Xrunjdwp:transport=dt_socket,address=8000,server=y,suspend=n > > -Djava.awt.headless=true -Xmx128M" > > > > Alas, restarting the server does not result in a debug socket on > > port 8000. I must be missing something; can someone assist? > > > > Cheers, > > > > Fraser > > > > _______________________________________________ > > Pki-devel mailing list > > Pki-devel at redhat.com > > https://www.redhat.com/mailman/listinfo/pki-devel > > From alee at redhat.com Wed May 21 13:21:46 2014 From: alee at redhat.com (Ade Lee) Date: Wed, 21 May 2014 09:21:46 -0400 Subject: [Pki-devel] [PATCH] 1 Correct debug message in 'pkiconfig.py' In-Reply-To: <20140521065913.GA3851@dhcp-40-8.bne.redhat.com> References: <20140520051946.GC20862@dhcp-40-8.bne.redhat.com> <537BC831.5060103@redhat.com> <20140521065913.GA3851@dhcp-40-8.bne.redhat.com> Message-ID: <1400678506.8281.6.camel@aleeredhat.laptop> Woohoo! First commit .. Welcome to the group. Ade On Wed, 2014-05-21 at 16:59 +1000, Fraser Tweedale wrote: > On Tue, May 20, 2014 at 02:25:05PM -0700, Matthew Harmsen wrote: > > On 05/19/14 22:19, Fraser Tweedale wrote: > > >A drive-by fix for #937, since I came across it while trying to sort > > >out my own remote-debug issues :) > > > > > ACK > > > > > Acked by mharmsen; pushed to master. > > > > > > >_______________________________________________ > > >Pki-devel mailing list > > >Pki-devel at redhat.com > > >https://www.redhat.com/mailman/listinfo/pki-devel > > > > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel From edewata at redhat.com Wed May 21 21:32:16 2014 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 21 May 2014 16:32:16 -0500 Subject: [Pki-devel] [PATCH] 509 Added README for pki-server. Message-ID: <537D1B60.3060708@redhat.com> A README file has been added containing a link to the Database Upgrade wiki page. Ticket #998 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0509-Added-README-for-pki-server.patch Type: text/x-patch Size: 2122 bytes Desc: not available URL: From ftweedal at redhat.com Thu May 22 00:21:18 2014 From: ftweedal at redhat.com (Fraser Tweedale) Date: Thu, 22 May 2014 10:21:18 +1000 Subject: [Pki-devel] [PATCH] 509 Added README for pki-server. In-Reply-To: <537D1B60.3060708@redhat.com> References: <537D1B60.3060708@redhat.com> Message-ID: <20140522002118.GE3851@dhcp-40-8.bne.redhat.com> On Wed, May 21, 2014 at 04:32:16PM -0500, Endi Sukma Dewata wrote: > A README file has been added containing a link to the Database > Upgrade wiki page. > > Ticket #998 > > -- > Endi S. Dewata ACK; looks fine to me. From ftweedal at redhat.com Thu May 22 08:52:40 2014 From: ftweedal at redhat.com (Fraser Tweedale) Date: Thu, 22 May 2014 18:52:40 +1000 Subject: [Pki-devel] [PATCH] 92-2 Fixes for comments on PATCH 92- Implemented the methods for Cert resource in the CertClient on the python side(Dogtag 10) In-Reply-To: <1399558234.4563.7.camel@akoneru.redhat.com> References: <1399286799.3985.6.camel@akoneru.redhat.com> <1399558234.4563.7.camel@akoneru.redhat.com> Message-ID: <20140522085239.GH3851@dhcp-40-8.bne.redhat.com> On Thu, May 08, 2014 at 10:10:34AM -0400, Abhishek Koneru wrote: > Please review the attached patch with fixes for Ade's comments on IRC. > > - Fix all the errors/warnings and some typos shown by PyCharm. > - Add Link class which stores information of the Link object. > - Add an internal method _submit_revoke_request and for the common code > in revoke_cert and revoke_ca_cert. > - Mention the need of agent authentication for the methods where it is > required. > - Default revocation_reason should be REASON_UNSPECIFIED > - Add the decorator pki.handle_exceptions() to handle the PKIExceptions > sent by the server. > > --Abhishek > On Mon, 2014-05-05 at 06:46 -0400, Abhishek Koneru wrote: > > Please review the attached patch which implements the Cert resource > > methods in CertClient on the python side. > > > > --Abhishek > > _______________________________________________ > > Pki-devel mailing list > > Pki-devel at redhat.com > > https://www.redhat.com/mailman/listinfo/pki-devel > This change (along with patch 93) works fine for the examples in the ``main`` method. I'm going to test it some more, though. Some stylistic comments inline below. Cheers, Fraser 8< SNIP >8 > class CertSearchRequest(object): > + """ > + An object of this class is used to store the search parameters > + and send them to server. > + """ > > - def __init__(self): > - self.serialNumberRangeInUse = False > - self.serialTo = None > - self.serialFrom = None > - self.subjectInUse = False > - self.eMail = None > - self.commonName = None > - self.userID = None > - self.orgUnit = None > - self.org = None > - self.locality = None > - self.state = None > - self.country = None > - self.matchExactly = None > - self.status = None > - self.revokedBy = None > - self.revokedOnFrom = None > - self.revokedOnTo = None > - self.revocationReason = None > - self.issuedBy = None > - self.issuedOnFrom = None > - self.issuedOnTo = None > - self.validNotBeforeFrom = None > - self.validNotBeforeTo = None > - self.validNotAfterFrom = None > - self.validNotAfterTo = None > - self.validityOperation = None > - self.validityCount = None > - self.validityUnit = None > - self.certTypeSubEmailCA = None > - self.certTypeSubSSLCA = None > - self.certTypeSecureEmail = None > - self.certTypeSSLClient = None > - self.certTypeSSLServer = None > - self.revokedByInUse = False > - self.revokedOnInUse = False > - self.revocationReasonInUse = None > - self.issuedByInUse = False > - self.issuedOnInUse = False > - self.validNotBeforeInUse = False > - self.validNotAfterInUse = False > - self.validityLengthInUse = False > - self.certTypeInUse = False > + search_params = {'serial_to': 'serialTo', 'serial_from': 'serialFrom', > + 'email': 'eMail', 'common_name': 'commonName', 'user_id': 'userID', > + 'org_unit': 'orgUnit', 'org': 'org', 'locality': 'locality', > + 'state': 'state', 'country': 'country', 'match_exactly': 'matchExactly', > + 'status': 'status', 'revoked_by': 'revokedBy', 'revoked_on_from': 'revokedOnFrom', > + 'revoked_on_to': 'revokedOnTo', 'revocation_reason': 'revocationReason', > + 'issued_by': 'issuedBy', 'issued_on_from': 'issuedOnFrom', 'issued_on_to': 'issuedOnTo', > + 'valid_not_before_from': 'validNotBeforeFrom', 'valid_not_before_to': 'validNotBeforeTo', > + 'valid_not_after_from': 'validNotAfterFrom', 'valid_not_after_to': 'validNotAfterTo', > + 'validity_operation': 'validityOperation', 'validity_count': 'validityCount', > + 'validity_unit': 'validityUnit', 'cert_type_sub_email_ca': 'certTypeSubEmailCA', > + 'cert_type_sub_ssl_ca': 'certTypeSubSSLCA', 'cert_type_secure_email': 'certTypeSecureEmail', > + 'cert_type_ssl_client': 'certTypeSSLClient', 'cert_type_ssl_server': 'certTypeSSLServer'} > + > + def __init__(self, **cert_search_params): > + """ Constructor """ > + > + if len(cert_search_params) == 0: > + setattr(self, 'serialNumberRangeInUse', True) > + > + for param in cert_search_params: Here you could iterate the (key, value) pairs to save keystrokes and a bit of CPU doing ``cert_search_params[param]`` in all those places below. e.g.: for param, value in cert_search_params.viewitems(): ... ``dict.viewitems()`` returns a *dictview* iterator-like object that avoids creating an intermediate list as ``dict.items()`` would. > + if not param in CertSearchRequest.search_params: > + raise ValueError('Invalid search parameter: ' + param) > + > + if param == 'serial_to' or param == 'serial_from': > + setattr(self, CertSearchRequest.search_params[param], cert_search_params[param]) > + setattr(self, 'serialNumberRangeInUse', True) > + > + if param == 'email' or param == 'common_name' or param == 'user_id' or param == 'org_unit' \ > + or param == 'org' or param == 'locality' or param == 'state' or param == 'country' \ > + or param == 'match_exactly': > + setattr(self, CertSearchRequest.search_params[param], cert_search_params[param]) > + setattr(self, 'subjectInUse', True) Here and in a few other places below it might improve readability to test for set membership, e.g.: if param in { 'email', 'common_name', 'user'_id', 'org_unit', 'org', ... }: setattr... > + > + if param == 'status': > + setattr(self, CertSearchRequest.search_params[param], cert_search_params[param]) > + > + if param == 'revoked_by': > + setattr(self, CertSearchRequest.search_params[param], cert_search_params[param]) > + setattr(self, 'revokedByInUse', True) > + > + if param == 'revoked_on_from' or param == 'revoked_on_to': > + setattr(self, CertSearchRequest.search_params[param], cert_search_params[param]) > + setattr(self, 'revokedOnInUse', True) > + > + if param == 'revocation_reason': > + setattr(self, CertSearchRequest.search_params[param], cert_search_params[param]) > + setattr(self, 'revocationReasonInUse', True) > + > + if param == 'issued_by': > + setattr(self, CertSearchRequest.search_params[param], cert_search_params[param]) > + setattr(self, 'issuedByInUse', True) > + > + if param == 'issued_on_from' or param == 'issued_on_to': > + setattr(self, CertSearchRequest.search_params[param], cert_search_params[param]) > + setattr(self, 'issuedOnInUse', True) > + > + if param == 'valid_not_before_from' or param == 'valid_not_before_to': > + setattr(self, CertSearchRequest.search_params[param], cert_search_params[param]) > + setattr(self, 'validNotBeforeInUse', True) > + > + if param == 'valid_not_after_from' or param == 'valid_not_after_to': > + setattr(self, CertSearchRequest.search_params[param], cert_search_params[param]) > + setattr(self, 'validNotAfterInUse', True) > + > + if param == 'validity_operation' or param == 'validity_count' or param == 'validity_unit': > + setattr(self, CertSearchRequest.search_params[param], cert_search_params[param]) > + setattr(self, 'validityLengthInUse', True) > + > + if param == 'cert_type_sub_email_ca' or param == 'cert_type_sub_ssl_ca' \ > + or param == 'cert_type_secure_email' or param == 'cert_type_ssl_client' \ > + or param == 'cert_type_ssl_server': > + setattr(self, CertSearchRequest.search_params[param], cert_search_params[param]) > + setattr(self, 'certTypeInUse', True) 8< SNIP >8 From edewata at redhat.com Thu May 22 12:39:53 2014 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 22 May 2014 07:39:53 -0500 Subject: [Pki-devel] [PATCH] 509 Added README for pki-server. In-Reply-To: <20140522002118.GE3851@dhcp-40-8.bne.redhat.com> References: <537D1B60.3060708@redhat.com> <20140522002118.GE3851@dhcp-40-8.bne.redhat.com> Message-ID: <537DF019.8070102@redhat.com> On 5/21/2014 7:21 PM, Fraser Tweedale wrote: >> A README file has been added containing a link to the Database >> Upgrade wiki page. >> >> Ticket #998 > > ACK; looks fine to me. Thanks. Also ACKed by Christina and Ade. There's a concern during review that this note might not get read by the admin, but this why ticket #998 was created in the first place, also the automated database upgrade and database version checking are beyond the scope of 10.2. Based on IRC discussion, a README is sufficient for now. Pushed to master. -- Endi S. Dewata From akoneru at redhat.com Thu May 22 18:38:48 2014 From: akoneru at redhat.com (Abhishek Koneru) Date: Thu, 22 May 2014 14:38:48 -0400 Subject: [Pki-devel] [PATCH] 94 Initial patch with implementation for ProfileClient Message-ID: <1400783928.4329.4.camel@akoneru.redhat.com> Please review the attached patch with the implementation of ProfileClient. The following methods are implemented in this patch - list_profiles - Returns a list of profiles. get_profile - Retrieves information of a profile. enable_profile - Enables a profile disable_profile - disables a profile. Also includes some cosmetic changes account.py and client.py. Thanks, Abhishek -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-akoneru-0094-Initial-patch-for-ProfileClient-implementation.patch Type: text/x-patch Size: 16121 bytes Desc: not available URL: From akoneru at redhat.com Thu May 22 18:41:07 2014 From: akoneru at redhat.com (Abhishek Koneru) Date: Thu, 22 May 2014 14:41:07 -0400 Subject: [Pki-devel] [PATCH] 94 Initial patch with implementation for ProfileClient In-Reply-To: <1400783928.4329.4.camel@akoneru.redhat.com> References: <1400783928.4329.4.camel@akoneru.redhat.com> Message-ID: <1400784067.4329.6.camel@akoneru.redhat.com> Sorry for the spam. This patch requires patches 92-2 and 93 to be applied before. --Abhishek. On Thu, 2014-05-22 at 14:38 -0400, Abhishek Koneru wrote: > Please review the attached patch with the implementation of > ProfileClient. > > The following methods are implemented in this patch - > list_profiles - Returns a list of profiles. > get_profile - Retrieves information of a profile. > enable_profile - Enables a profile > disable_profile - disables a profile. > > Also includes some cosmetic changes account.py and client.py. > > Thanks, > Abhishek > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel From edewata at redhat.com Thu May 22 19:41:10 2014 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 22 May 2014 14:41:10 -0500 Subject: [Pki-devel] [PATCH] 504 Fixed TPS database indexes. In-Reply-To: <537A2F95.2030604@redhat.com> References: <537A2F95.2030604@redhat.com> Message-ID: <537E52D6.5070802@redhat.com> On 5/19/2014 11:21 AM, Endi Sukma Dewata wrote: > The index.ldif for TPS has been fixed to remove hard-coded database > names and to add the missing the index for the description attribute. > > Ticket #979 ACKed by Christina. Pushed to master. -- Endi S. Dewata From ftweedal at redhat.com Fri May 23 05:53:33 2014 From: ftweedal at redhat.com (Fraser Tweedale) Date: Fri, 23 May 2014 15:53:33 +1000 Subject: [Pki-devel] [PATCH] 94 Initial patch with implementation for ProfileClient In-Reply-To: <1400783928.4329.4.camel@akoneru.redhat.com> References: <1400783928.4329.4.camel@akoneru.redhat.com> Message-ID: <20140523055332.GI3851@dhcp-40-8.bne.redhat.com> On Thu, May 22, 2014 at 02:38:48PM -0400, Abhishek Koneru wrote: > Please review the attached patch with the implementation of > ProfileClient. > > The following methods are implemented in this patch - > list_profiles - Returns a list of profiles. > get_profile - Retrieves information of a profile. > enable_profile - Enables a profile > disable_profile - disables a profile. > > Also includes some cosmetic changes account.py and client.py. > > Thanks, > Abhishek Hi Abhishek, I'm happy with the overall feel of the API. Some comments follow. 1) Copy pasta error in ProfileData.from_json; ``policy_sets`` used instead of ``inputs``/``outputs`` when processing json_value['Input'] or json_value['Output'] lists. 2) Could you please make ProfileDataInfoCollection an iterable? It doesn't make sense to be to have to access the ``profile_data_list`` attribute just to iterate the ProfileDataInfo objects. 3) Could you please add a ``repr`` method to ProfileData that includes at least the profile_id? Maybe summary information about whether it is visible/active as well, but I think just the ID should be fine. Same goes for other classes that show up in lists, please. 4) I'm a little concerned about having the properties set/get top-level attributes, e.g. ``enabled_by`` sets/gets ``enabledBy``. Following this pattern where you wish to use the same name as in the JSON would result in infinite loop; indeed you do treat some keys different to avoid this, e.g. ``description``. This inconsistency makes me wonder if there's a better pattern. My suggestion would be to stash the JSON dict in a top-level attribute (the constructor would have to initialise it to an empty dict before other attributes are assigned) and then have the properties set/get items in that dict. You could further cut down boilerplate and duplication by definite a descriptor for this purpose, e.g.: class JSONProperty(object): def __init__(self, attr): self.attr def __get__(self, instance, owner) return obj.json_value[self.attr] def __set__(self, instance, value) obj.json_value[self.attr] = value Then, most of the assignments in ``from_json`` go away , and the corresponding property declarations follow the new pattern: enabled_by = JSONProperty('enabledBy') You would still need to treat Input, Output and PolicySets differently, but you could also abstract over this pattern with yet another class, i.e. a "JSON list property". Anyhow, 4) isn't a show-stopper, just a (lengthy) nit-pick. Cheers, Fraser From nkinder at redhat.com Fri May 23 16:48:15 2014 From: nkinder at redhat.com (Nathan Kinder) Date: Fri, 23 May 2014 09:48:15 -0700 Subject: [Pki-devel] [PATCH] 1 Correct debug message in 'pkiconfig.py' In-Reply-To: <1400678506.8281.6.camel@aleeredhat.laptop> References: <20140520051946.GC20862@dhcp-40-8.bne.redhat.com> <537BC831.5060103@redhat.com> <20140521065913.GA3851@dhcp-40-8.bne.redhat.com> <1400678506.8281.6.camel@aleeredhat.laptop> Message-ID: <537F7BCF.7070400@redhat.com> On 05/21/2014 06:21 AM, Ade Lee wrote: > Woohoo! First commit .. Welcome to the group. +1! > > Ade > On Wed, 2014-05-21 at 16:59 +1000, Fraser Tweedale wrote: >> On Tue, May 20, 2014 at 02:25:05PM -0700, Matthew Harmsen wrote: >>> On 05/19/14 22:19, Fraser Tweedale wrote: >>>> A drive-by fix for #937, since I came across it while trying to sort >>>> out my own remote-debug issues :) >>>> >>> ACK >>>> >> >> Acked by mharmsen; pushed to master. >> >>>> >>>> _______________________________________________ >>>> Pki-devel mailing list >>>> Pki-devel at redhat.com >>>> https://www.redhat.com/mailman/listinfo/pki-devel >>> >> >> _______________________________________________ >> Pki-devel mailing list >> Pki-devel at redhat.com >> https://www.redhat.com/mailman/listinfo/pki-devel > > > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel > From alee at redhat.com Fri May 23 19:24:44 2014 From: alee at redhat.com (Ade Lee) Date: Fri, 23 May 2014 15:24:44 -0400 Subject: [Pki-devel] [PATCH] 92-2 Fixes for comments on PATCH 92- Implemented the methods for Cert resource in the CertClient on the python side(Dogtag 10) In-Reply-To: <20140522085239.GH3851@dhcp-40-8.bne.redhat.com> References: <1399286799.3985.6.camel@akoneru.redhat.com> <1399558234.4563.7.camel@akoneru.redhat.com> <20140522085239.GH3851@dhcp-40-8.bne.redhat.com> Message-ID: <1400873084.25270.18.camel@aleeredhat.laptop> In general it looks pretty good. Some minor points: 1. pycharm appears to be set to 120 columns width by default. We need to set to 80 and reformat accordingly. Please check in a pycharm settings file. All new code should follow PEP8. 2. In CertRevokeRequest, a number of constants are defined for possible reason settings. You should group those, and test for invalid reasons. 3. Do we use CertID anywhere? Other than that, looks pretty good. ACK once you have addressed these issues. Ade On Thu, 2014-05-22 at 18:52 +1000, Fraser Tweedale wrote: > On Thu, May 08, 2014 at 10:10:34AM -0400, Abhishek Koneru wrote: > > Please review the attached patch with fixes for Ade's comments on IRC. > > > > - Fix all the errors/warnings and some typos shown by PyCharm. > > - Add Link class which stores information of the Link object. > > - Add an internal method _submit_revoke_request and for the common code > > in revoke_cert and revoke_ca_cert. > > - Mention the need of agent authentication for the methods where it is > > required. > > - Default revocation_reason should be REASON_UNSPECIFIED > > - Add the decorator pki.handle_exceptions() to handle the PKIExceptions > > sent by the server. > > > > --Abhishek > > On Mon, 2014-05-05 at 06:46 -0400, Abhishek Koneru wrote: > > > Please review the attached patch which implements the Cert resource > > > methods in CertClient on the python side. > > > > > > --Abhishek > > > _______________________________________________ > > > Pki-devel mailing list > > > Pki-devel at redhat.com > > > https://www.redhat.com/mailman/listinfo/pki-devel > > > > This change (along with patch 93) works fine for the examples in the > ``main`` method. I'm going to test it some more, though. > > Some stylistic comments inline below. > > Cheers, > Fraser > > 8< SNIP >8 > > > class CertSearchRequest(object): > > + """ > > + An object of this class is used to store the search parameters > > + and send them to server. > > + """ > > > > - def __init__(self): > > - self.serialNumberRangeInUse = False > > - self.serialTo = None > > - self.serialFrom = None > > - self.subjectInUse = False > > - self.eMail = None > > - self.commonName = None > > - self.userID = None > > - self.orgUnit = None > > - self.org = None > > - self.locality = None > > - self.state = None > > - self.country = None > > - self.matchExactly = None > > - self.status = None > > - self.revokedBy = None > > - self.revokedOnFrom = None > > - self.revokedOnTo = None > > - self.revocationReason = None > > - self.issuedBy = None > > - self.issuedOnFrom = None > > - self.issuedOnTo = None > > - self.validNotBeforeFrom = None > > - self.validNotBeforeTo = None > > - self.validNotAfterFrom = None > > - self.validNotAfterTo = None > > - self.validityOperation = None > > - self.validityCount = None > > - self.validityUnit = None > > - self.certTypeSubEmailCA = None > > - self.certTypeSubSSLCA = None > > - self.certTypeSecureEmail = None > > - self.certTypeSSLClient = None > > - self.certTypeSSLServer = None > > - self.revokedByInUse = False > > - self.revokedOnInUse = False > > - self.revocationReasonInUse = None > > - self.issuedByInUse = False > > - self.issuedOnInUse = False > > - self.validNotBeforeInUse = False > > - self.validNotAfterInUse = False > > - self.validityLengthInUse = False > > - self.certTypeInUse = False > > + search_params = {'serial_to': 'serialTo', 'serial_from': 'serialFrom', > > + 'email': 'eMail', 'common_name': 'commonName', 'user_id': 'userID', > > + 'org_unit': 'orgUnit', 'org': 'org', 'locality': 'locality', > > + 'state': 'state', 'country': 'country', 'match_exactly': 'matchExactly', > > + 'status': 'status', 'revoked_by': 'revokedBy', 'revoked_on_from': 'revokedOnFrom', > > + 'revoked_on_to': 'revokedOnTo', 'revocation_reason': 'revocationReason', > > + 'issued_by': 'issuedBy', 'issued_on_from': 'issuedOnFrom', 'issued_on_to': 'issuedOnTo', > > + 'valid_not_before_from': 'validNotBeforeFrom', 'valid_not_before_to': 'validNotBeforeTo', > > + 'valid_not_after_from': 'validNotAfterFrom', 'valid_not_after_to': 'validNotAfterTo', > > + 'validity_operation': 'validityOperation', 'validity_count': 'validityCount', > > + 'validity_unit': 'validityUnit', 'cert_type_sub_email_ca': 'certTypeSubEmailCA', > > + 'cert_type_sub_ssl_ca': 'certTypeSubSSLCA', 'cert_type_secure_email': 'certTypeSecureEmail', > > + 'cert_type_ssl_client': 'certTypeSSLClient', 'cert_type_ssl_server': 'certTypeSSLServer'} > > + > > + def __init__(self, **cert_search_params): > > + """ Constructor """ > > + > > + if len(cert_search_params) == 0: > > + setattr(self, 'serialNumberRangeInUse', True) > > + > > + for param in cert_search_params: > > Here you could iterate the (key, value) pairs to save keystrokes and > a bit of CPU doing ``cert_search_params[param]`` in all those places > below. e.g.: > > for param, value in cert_search_params.viewitems(): > ... > > ``dict.viewitems()`` returns a *dictview* iterator-like object that > avoids creating an intermediate list as ``dict.items()`` would. > > > + if not param in CertSearchRequest.search_params: > > + raise ValueError('Invalid search parameter: ' + param) > > + > > + if param == 'serial_to' or param == 'serial_from': > > + setattr(self, CertSearchRequest.search_params[param], cert_search_params[param]) > > + setattr(self, 'serialNumberRangeInUse', True) > > + > > + if param == 'email' or param == 'common_name' or param == 'user_id' or param == 'org_unit' \ > > + or param == 'org' or param == 'locality' or param == 'state' or param == 'country' \ > > + or param == 'match_exactly': > > + setattr(self, CertSearchRequest.search_params[param], cert_search_params[param]) > > + setattr(self, 'subjectInUse', True) > > Here and in a few other places below it might improve readability to > test for set membership, e.g.: > > if param in { > 'email', 'common_name', 'user'_id', 'org_unit', > 'org', ... > }: > setattr... > > > + > > + if param == 'status': > > + setattr(self, CertSearchRequest.search_params[param], cert_search_params[param]) > > + > > + if param == 'revoked_by': > > + setattr(self, CertSearchRequest.search_params[param], cert_search_params[param]) > > + setattr(self, 'revokedByInUse', True) > > + > > + if param == 'revoked_on_from' or param == 'revoked_on_to': > > + setattr(self, CertSearchRequest.search_params[param], cert_search_params[param]) > > + setattr(self, 'revokedOnInUse', True) > > + > > + if param == 'revocation_reason': > > + setattr(self, CertSearchRequest.search_params[param], cert_search_params[param]) > > + setattr(self, 'revocationReasonInUse', True) > > + > > + if param == 'issued_by': > > + setattr(self, CertSearchRequest.search_params[param], cert_search_params[param]) > > + setattr(self, 'issuedByInUse', True) > > + > > + if param == 'issued_on_from' or param == 'issued_on_to': > > + setattr(self, CertSearchRequest.search_params[param], cert_search_params[param]) > > + setattr(self, 'issuedOnInUse', True) > > + > > + if param == 'valid_not_before_from' or param == 'valid_not_before_to': > > + setattr(self, CertSearchRequest.search_params[param], cert_search_params[param]) > > + setattr(self, 'validNotBeforeInUse', True) > > + > > + if param == 'valid_not_after_from' or param == 'valid_not_after_to': > > + setattr(self, CertSearchRequest.search_params[param], cert_search_params[param]) > > + setattr(self, 'validNotAfterInUse', True) > > + > > + if param == 'validity_operation' or param == 'validity_count' or param == 'validity_unit': > > + setattr(self, CertSearchRequest.search_params[param], cert_search_params[param]) > > + setattr(self, 'validityLengthInUse', True) > > + > > + if param == 'cert_type_sub_email_ca' or param == 'cert_type_sub_ssl_ca' \ > > + or param == 'cert_type_secure_email' or param == 'cert_type_ssl_client' \ > > + or param == 'cert_type_ssl_server': > > + setattr(self, CertSearchRequest.search_params[param], cert_search_params[param]) > > + setattr(self, 'certTypeInUse', True) > > 8< SNIP >8 > > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel From alee at redhat.com Fri May 23 19:30:00 2014 From: alee at redhat.com (Ade Lee) Date: Fri, 23 May 2014 15:30:00 -0400 Subject: [Pki-devel] [PATCH] 93 Add methods for CertRequestResource to CertClient in the python client In-Reply-To: <1400598141.3184.10.camel@akoneru.redhat.com> References: <1400598141.3184.10.camel@akoneru.redhat.com> Message-ID: <1400873400.25270.24.camel@aleeredhat.laptop> Looks pretty good. 1. list_entrollment_templates has a print r statement in it. Is that supposed to be there? 2. get_enrollment_template should check for None for the profileID. 3. CertRequestInfoCollection has an element - cert_info_list, should be cert_request_info_list 4. ProfileConstraint -- why is id renamed to name? Why not just use "id" 5. We need some documentation, either in the class docstring or elsewhere in the file that explains why some attributes have been defined as properties with a setter and some have not. You should explain that these properties need to be transformed to be sent back to the server. Once these are fixed, ACK. On Tue, 2014-05-20 at 11:02 -0400, Abhishek Koneru wrote: > Please review the attached patch which adds methods to deal with the > CertRequest resource in CertClient on the python side. > > These methods provide functionality like - > > -Fetching the enrollment templates. > -Creating an enrollment request from a dictionary of input key-value > pairs. > -Submitting an enrollment request. > -Reviewing the request. > -Performing an action on a request(approve/reject/cancel/etc.) > > Also defined all the classes needed for data representation. > > --Abhishek > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel From alee at redhat.com Fri May 23 20:08:53 2014 From: alee at redhat.com (Ade Lee) Date: Fri, 23 May 2014 16:08:53 -0400 Subject: [Pki-devel] [PATCH] 94 Initial patch with implementation for ProfileClient In-Reply-To: <20140523055332.GI3851@dhcp-40-8.bne.redhat.com> References: <1400783928.4329.4.camel@akoneru.redhat.com> <20140523055332.GI3851@dhcp-40-8.bne.redhat.com> Message-ID: <1400875733.25270.30.camel@aleeredhat.laptop> On Fri, 2014-05-23 at 15:53 +1000, Fraser Tweedale wrote: > On Thu, May 22, 2014 at 02:38:48PM -0400, Abhishek Koneru wrote: > > Please review the attached patch with the implementation of > > ProfileClient. > > > > The following methods are implemented in this patch - > > list_profiles - Returns a list of profiles. > > get_profile - Retrieves information of a profile. > > enable_profile - Enables a profile > > disable_profile - disables a profile. > > > > Also includes some cosmetic changes account.py and client.py. > > > > Thanks, > > Abhishek > > Hi Abhishek, > > I'm happy with the overall feel of the API. Some comments follow. > > 1) Copy pasta error in ProfileData.from_json; ``policy_sets`` used > instead of ``inputs``/``outputs`` when processing > json_value['Input'] or json_value['Output'] lists. > > 2) Could you please make ProfileDataInfoCollection an iterable? It > doesn't make sense to be to have to access the ``profile_data_list`` > attribute just to iterate the ProfileDataInfo objects. > > 3) Could you please add a ``repr`` method to ProfileData that > includes at least the profile_id? Maybe summary information about > whether it is visible/active as well, but I think just the ID should > be fine. Same goes for other classes that show up in lists, please. > > 4) I'm a little concerned about having the properties set/get > top-level attributes, e.g. ``enabled_by`` sets/gets ``enabledBy``. > Following this pattern where you wish to use the same name as in the > JSON would result in infinite loop; indeed you do treat some keys > different to avoid this, e.g. ``description``. This inconsistency > makes me wonder if there's a better pattern. > > My suggestion would be to stash the JSON dict in a top-level > attribute (the constructor would have to initialise it to an empty > dict before other attributes are assigned) and then have the > properties set/get items in that dict. > > You could further cut down boilerplate and duplication by definite a > descriptor for this purpose, e.g.: > > class JSONProperty(object): > def __init__(self, attr): > self.attr > > def __get__(self, instance, owner) > return obj.json_value[self.attr] > > def __set__(self, instance, value) > obj.json_value[self.attr] = value > > Then, most of the assignments in ``from_json`` go away , and > the corresponding property declarations follow the new pattern: > > enabled_by = JSONProperty('enabledBy') > > You would still need to treat Input, Output and PolicySets > differently, but you could also abstract over this pattern with yet > another class, i.e. a "JSON list property". > > Anyhow, 4) isn't a show-stopper, just a (lengthy) nit-pick. > I'd like to consider this approach or another way to solve this as well. Right now, it is a little confusing. Basically the rule is - if the json name is different from the python attribute name, and that parameter may be sent back to the server (rather than just being read on the client side, then it needs a property/setter) It would be nice to have a more uniform mechanism of mapping the attributes - and to be able to avoid a lot of the boilerplate code in to/from_json. Lets try address this now, because its a pattern that is being set in cert.py, key.py and profile.py. > Cheers, > > Fraser > > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel From ftweedal at redhat.com Tue May 27 07:00:45 2014 From: ftweedal at redhat.com (Fraser Tweedale) Date: Tue, 27 May 2014 17:00:45 +1000 Subject: [Pki-devel] [Freeipa-devel] faster ways to build/test dogtag? Message-ID: <20140527070045.GA28407@dhcp-40-8.bne.redhat.com> Hi all, I've been working on a fix for a profile issue (https://fedorahosted.org/freeipa/ticket/2915). Unfortunately I find the scripts/compose_pki_core_packages -> yum install -> test cycle frustratingly slow on idm.lab.bos. Is there a quicker way to build and test the software - particularly as part of the larger IPA/certmonger/dogtag ecosystem? Cheers, Fraser _______________________________________________ Freeipa-devel mailing list Freeipa-devel at redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel From alee at redhat.com Tue May 27 21:08:52 2014 From: alee at redhat.com (Ade Lee) Date: Tue, 27 May 2014 17:08:52 -0400 Subject: [Pki-devel] patches for pycharm cleanup and security domain python client api Message-ID: <1401224932.9297.3.camel@aleeredhat.laptop> This is mostly the same patches that were reviewed before with fixes for the issues identified. I ended up making these changes over Abhishek's first cert patch, so please apply that first when reviewing. This patch is: 05e9fa7 Implemented CertResource methods in CertClient. Please review, Ade -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-vakwetu-0217-latest-changes-for-code-review.patch Type: text/x-patch Size: 15760 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-vakwetu-0216-Fix-minor-user-creation-issue.patch Type: text/x-patch Size: 2268 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-vakwetu-0215-Added-security-domain-functionality-to-python-API.patch Type: text/x-patch Size: 3245 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-vakwetu-0214-fix-issues-identified-by-pycharm-for-system.py.patch Type: text/x-patch Size: 5194 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-vakwetu-0213-Fix-formatting-issues-identified-by-pycharm-in-key.p.patch Type: text/x-patch Size: 33277 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-vakwetu-0218-formatting-fixes-in-python-client-code-for-pycharm.patch Type: text/x-patch Size: 73322 bytes Desc: not available URL: From jmagne at redhat.com Thu May 29 02:47:45 2014 From: jmagne at redhat.com (John Magne) Date: Wed, 28 May 2014 22:47:45 -0400 (EDT) Subject: [Pki-devel] [pki-devel][Patch] 0013-Initial-enrollment-progress.patch In-Reply-To: <2113821588.21285174.1401331649935.JavaMail.zimbra@redhat.com> Message-ID: <4607864.21285349.1401331665396.JavaMail.zimbra@redhat.com> Initial enrollment operation progress. 1. Changed the names of some message classes for convenience. 2. Did some minor refactoring of methods needed by both the enroll and tps processor. 3. Created classes to handle the parsing and archival of PKCS#11 token data. 4. Created prep code for enrollment that reads in a bunch of config params and creates convenience objects to carry the data instead of the lengthy parameter lists we have had before. -------------- next part -------------- A non-text attachment was scrubbed... Name: 0013-Initial-enrollment-progress.patch Type: text/x-patch Size: 180131 bytes Desc: not available URL: From akoneru at redhat.com Thu May 29 04:38:46 2014 From: akoneru at redhat.com (Abhishek Koneru) Date: Thu, 29 May 2014 00:38:46 -0400 Subject: [Pki-devel] patches for pycharm cleanup and security domain python client api In-Reply-To: <1401224932.9297.3.camel@aleeredhat.laptop> References: <1401224932.9297.3.camel@aleeredhat.laptop> Message-ID: <1401338326.9396.1.camel@akoneru.redhat.com> ACK on all patches. In patch 216 - i think the debug log should be "DonePanel display: successfully added the user" "DonePanel display: successfully added the user certificate" --Abhishek On Tue, 2014-05-27 at 17:08 -0400, Ade Lee wrote: > This is mostly the same patches that were reviewed before with fixes for > the issues identified. I ended up making these changes over Abhishek's > first cert patch, so please apply that first when reviewing. > > This patch is: > 05e9fa7 Implemented CertResource methods in CertClient. > > Please review, > Ade > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel From ftweedal at redhat.com Thu May 29 07:02:14 2014 From: ftweedal at redhat.com (Fraser Tweedale) Date: Thu, 29 May 2014 17:02:14 +1000 Subject: [Pki-devel] profile constraint being replaced with NoConstraint Message-ID: <20140529070214.GC3128@dhcp-40-8.bne.redhat.com> Hi all, I've been chipping away at the profile changes required for https://fedorahosted.org/freeipa/ticket/2915. I've encountered a problem where the EKU extension constraint is being replaced by NoConstraint for validation. The profile does read the constraint correctly, i.e. it appears in the "Manage Certificate Profiles" table in the web UI, but when it comes to performing the validation, it is instead using ``com.netscape.cms.profile.constraint.NoConstraint``. I am using a modified caServerCert profile; the only changed part being: policyset.serverCertSet.7.constraint.class_id=extendedKeyUsageExtConstraintImpl policyset.serverCertSet.7.constraint.name=Extended Key Usage Extension policyset.serverCertSet.7.constraint.params.exKeyUsageCritical=false policyset.serverCertSet.7.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default policyset.serverCertSet.7.default.params.exKeyUsageCritical=false policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 (This change was made to the caServerCert profile). This is occurring on master (989e5d3). A minimal patch that adds the logging which demonstrates this behaviour (for me) is attached. Any help in understanding this behaviour is appreciated :) Cheers, Fraser -------------- next part -------------- >From d1ba5eb560b65bf109d59ad6127e99bdec85a8e6 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Thu, 29 May 2014 02:42:22 -0400 Subject: [PATCH] NOPUSH add constraint logging --- base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java | 1 + 1 file changed, 1 insertion(+) diff --git a/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java index ea51084..5c103d3 100644 --- a/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java +++ b/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java @@ -1115,6 +1115,7 @@ public abstract class BasicProfile implements IProfile { for (int i = 0; i < policies.size(); i++) { IProfilePolicy policy = policies.elementAt(i); + CMS.debug(policy.getConstraint().getClass().getName()); policy.getConstraint().validate(request); } CMS.debug("BasicProfile: change to pending state"); -- 1.9.3 From ftweedal at redhat.com Thu May 29 07:12:42 2014 From: ftweedal at redhat.com (Fraser Tweedale) Date: Thu, 29 May 2014 17:12:42 +1000 Subject: [Pki-devel] profile constraint being replaced with NoConstraint In-Reply-To: <20140529070214.GC3128@dhcp-40-8.bne.redhat.com> References: <20140529070214.GC3128@dhcp-40-8.bne.redhat.com> Message-ID: <20140529071242.GD3128@dhcp-40-8.bne.redhat.com> Nevermind, it's using a different profile from what I thought -_-. Sorry for the noise. Fraser On Thu, May 29, 2014 at 05:02:14PM +1000, Fraser Tweedale wrote: > Hi all, > > I've been chipping away at the profile changes required for > https://fedorahosted.org/freeipa/ticket/2915. > > I've encountered a problem where the EKU extension constraint is > being replaced by NoConstraint for validation. The profile does > read the constraint correctly, i.e. it appears in the "Manage > Certificate Profiles" table in the web UI, but when it comes to > performing the validation, it is instead using > ``com.netscape.cms.profile.constraint.NoConstraint``. > > I am using a modified caServerCert profile; the only changed part > being: > > policyset.serverCertSet.7.constraint.class_id=extendedKeyUsageExtConstraintImpl > policyset.serverCertSet.7.constraint.name=Extended Key Usage Extension > policyset.serverCertSet.7.constraint.params.exKeyUsageCritical=false > policyset.serverCertSet.7.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 > policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl > policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default > policyset.serverCertSet.7.default.params.exKeyUsageCritical=false > policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 > > (This change was made to the caServerCert profile). > > This is occurring on master (989e5d3). A minimal patch that adds > the logging which demonstrates this behaviour (for me) is attached. > Any help in understanding this behaviour is appreciated :) > > Cheers, > > Fraser > >From d1ba5eb560b65bf109d59ad6127e99bdec85a8e6 Mon Sep 17 00:00:00 2001 > From: Fraser Tweedale > Date: Thu, 29 May 2014 02:42:22 -0400 > Subject: [PATCH] NOPUSH add constraint logging > > --- > base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java > index ea51084..5c103d3 100644 > --- a/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java > +++ b/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java > @@ -1115,6 +1115,7 @@ public abstract class BasicProfile implements IProfile { > for (int i = 0; i < policies.size(); i++) { > IProfilePolicy policy = policies.elementAt(i); > > + CMS.debug(policy.getConstraint().getClass().getName()); > policy.getConstraint().validate(request); > } > CMS.debug("BasicProfile: change to pending state"); > -- > 1.9.3 > > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel From akoneru at redhat.com Thu May 29 15:24:00 2014 From: akoneru at redhat.com (Abhishek Koneru) Date: Thu, 29 May 2014 11:24:00 -0400 Subject: [Pki-devel] patches for pycharm cleanup and security domain python client api In-Reply-To: <1401338326.9396.1.camel@akoneru.redhat.com> References: <1401224932.9297.3.camel@aleeredhat.laptop> <1401338326.9396.1.camel@akoneru.redhat.com> Message-ID: <1401377040.8877.0.camel@akoneru.redhat.com> Sorry for the spam. i made a mistake on the comment. ACK on all patches. --Abhishek On Thu, 2014-05-29 at 00:38 -0400, Abhishek Koneru wrote: > ACK on all patches. > > In patch 216 - i think the debug log should be > > "DonePanel display: successfully added the user" > "DonePanel display: successfully added the user certificate" > > --Abhishek > > On Tue, 2014-05-27 at 17:08 -0400, Ade Lee wrote: > > This is mostly the same patches that were reviewed before with fixes for > > the issues identified. I ended up making these changes over Abhishek's > > first cert patch, so please apply that first when reviewing. > > > > This patch is: > > 05e9fa7 Implemented CertResource methods in CertClient. > > > > Please review, > > Ade > > _______________________________________________ > > Pki-devel mailing list > > Pki-devel at redhat.com > > https://www.redhat.com/mailman/listinfo/pki-devel > > > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel From alee at redhat.com Thu May 29 15:42:05 2014 From: alee at redhat.com (Ade Lee) Date: Thu, 29 May 2014 11:42:05 -0400 Subject: [Pki-devel] patches for pycharm cleanup and security domain python client api In-Reply-To: <1401377040.8877.0.camel@akoneru.redhat.com> References: <1401224932.9297.3.camel@aleeredhat.laptop> <1401338326.9396.1.camel@akoneru.redhat.com> <1401377040.8877.0.camel@akoneru.redhat.com> Message-ID: <1401378125.3635.2.camel@localhost.localdomain> Thanks. All pushed to master. Ade On Thu, 2014-05-29 at 11:24 -0400, Abhishek Koneru wrote: > Sorry for the spam. > i made a mistake on the comment. > > ACK on all patches. > > --Abhishek > > On Thu, 2014-05-29 at 00:38 -0400, Abhishek Koneru wrote: > > ACK on all patches. > > > > In patch 216 - i think the debug log should be > > > > "DonePanel display: successfully added the user" > > "DonePanel display: successfully added the user certificate" > > > > --Abhishek > > > > On Tue, 2014-05-27 at 17:08 -0400, Ade Lee wrote: > > > This is mostly the same patches that were reviewed before with fixes for > > > the issues identified. I ended up making these changes over Abhishek's > > > first cert patch, so please apply that first when reviewing. > > > > > > This patch is: > > > 05e9fa7 Implemented CertResource methods in CertClient. > > > > > > Please review, > > > Ade > > > _______________________________________________ > > > Pki-devel mailing list > > > Pki-devel at redhat.com > > > https://www.redhat.com/mailman/listinfo/pki-devel > > > > > > _______________________________________________ > > Pki-devel mailing list > > Pki-devel at redhat.com > > https://www.redhat.com/mailman/listinfo/pki-devel > > From akoneru at redhat.com Thu May 29 20:03:14 2014 From: akoneru at redhat.com (Abhishek Koneru) Date: Thu, 29 May 2014 16:03:14 -0400 Subject: [Pki-devel] [PATCH] 95 Fixes for comments for patches 92-2, 93, 94(CertClient and ProfileClient python implementations) Message-ID: <1401393794.2803.10.camel@akoneru.redhat.com> Please review the patch which addresses the review comments given by Ade and Fraser for patches 92-2, 93, 94. 92-2 has been checked in already. 94 has been rebased to fix conflicts with Ade's checkins. I removed the changes to account.py and client.py form 94 to fix the conflicts. So update the master and apply patches 93, 94, 95. Following are the review comments addressed in this patch - ** No. 4 in the list is not included in this patch. It will be done in a separate patch. 1) Copy pasta error in ProfileData.from_json; ``policy_sets`` used instead of ``inputs``/``outputs`` when processing json_value['Input'] or json_value['Output'] lists. 2) Could you please make ProfileDataInfoCollection an iterable? It doesn't make sense to be to have to access the ``profile_data_list`` attribute just to iterate the ProfileDataInfo objects. 3) Could you please add a ``repr`` method to ProfileData that includes at least the profile_id? Maybe summary information about whether it is visible/active as well, but I think just the ID should be fine. Same goes for other classes that show up in lists, please. 4) I'm a little concerned about having the properties set/get top-level attributes, e.g. ``enabled_by`` sets/gets ``enabledBy``. Following this pattern where you wish to use the same name as in the JSON would result in infinite loop; indeed you do treat some keys different to avoid this, e.g. ``description``. This inconsistency makes me wonder if there's a better pattern. My suggestion would be to stash the JSON dict in a top-level attribute (the constructor would have to initialise it to an empty dict before other attributes are assigned) and then have the properties set/get items in that dict. You could further cut down boilerplate and duplication by definite a descriptor for this purpose, e.g.: class JSONProperty(object): def __init__(self, attr): self.attr def __get__(self, instance, owner) return obj.json_value[self.attr] def __set__(self, instance, value) obj.json_value[self.attr] = value Then, most of the assignments in ``from_json`` go away , and the corresponding property declarations follow the new pattern: enabled_by = JSONProperty('enabledBy') You would still need to treat Input, Output and PolicySets differently, but you could also abstract over this pattern with yet another class, i.e. a "JSON list property". Anyhow, 4) isn't a show-stopper, just a (lengthy) nit-pick. *** Will fix this in a separate patch. 5. Here you could iterate the (key, value) pairs to save keystrokes and a bit of CPU doing ``cert_search_params[param]`` in all those places below. e.g.: for param, value in cert_search_params.viewitems(): ... ``dict.viewitems()`` returns a *dictview* iterator-like object that avoids creating an intermediate list as ``dict.items()`` would. 6. Here and in a few other places below it might improve readability to test for set membership, e.g.: if param in { 'email', 'common_name', 'user'_id', 'org_unit', 'org', ... }: 7. pycharm appears to be set to 120 columns width by default. We need to set to 80 and reformat accordingly. Please check in a pycharm settings file. All new code should follow PEP8. 8. In CertRevokeRequest, a number of constants are defined for possible reason settings. You should group those, and test for invalid reasons. 9. Do we use CertID anywhere? --- Removed CertID 10. list_entrollment_templates has a print r statement in it. Is that supposed to be there? 11. get_enrollment_template should check for None for the profileID. 12. CertRequestInfoCollection has an element - cert_info_list, should be cert_request_info_list 13. ProfileConstraint -- why is id renamed to name? Why not just use "id" -- pycharm and pylint throw a warning when using id as an attribute name -- Abhishek -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-akoneru-0093-Added-methods-in-CertClient-for-CertRequestResource.patch Type: text/x-patch Size: 49920 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-akoneru-0094-Initial-patch-for-ProfileClient-implementation.patch Type: text/x-patch Size: 13331 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-akoneru-0095-Addressed-comments-given-for-patches-92-2-93-94.patch Type: text/x-patch Size: 111130 bytes Desc: not available URL: From alee at redhat.com Fri May 30 05:18:33 2014 From: alee at redhat.com (Ade Lee) Date: Fri, 30 May 2014 01:18:33 -0400 Subject: [Pki-devel] [PATCH] 95 Fixes for comments for patches 92-2, 93, 94(CertClient and ProfileClient python implementations) In-Reply-To: <1401393794.2803.10.camel@akoneru.redhat.com> References: <1401393794.2803.10.camel@akoneru.redhat.com> Message-ID: <1401427113.4485.5.camel@aleeredhat.laptop> Still reviewing, but just a couple of quick notes. 1. You need to not track workspace.xml - and most likely add it to .gitignore. See http://manski.net/2012/05/which-project-files-under-version-control/#intellij.2C-pycharm.2C-phpstorm.2C-webstorm That said, it appears that Barbican for example, does not in fact check in their .idea files. You might want to ask them about that. 2. In CertRevoke, you do check to see if the reason provided is a valid reason, but do this by defining the valid reasons twice - once as a standalone field, and once in an anonymous list. Better to define all the reasons in a named list, and check that list. On Thu, 2014-05-29 at 16:03 -0400, Abhishek Koneru wrote: > Please review the patch which addresses the review comments given by Ade > and Fraser for patches 92-2, 93, 94. > > 92-2 has been checked in already. 94 has been rebased to fix conflicts > with Ade's checkins. I removed the changes to account.py and client.py > form 94 to fix the conflicts. > > So update the master and apply patches 93, 94, 95. > > Following are the review comments addressed in this patch - > > ** No. 4 in the list is not included in this patch. It will be done in a > separate patch. > > 1) Copy pasta error in ProfileData.from_json; ``policy_sets`` used > instead of ``inputs``/``outputs`` when processing > json_value['Input'] or json_value['Output'] lists. > > 2) Could you please make ProfileDataInfoCollection an iterable? It > doesn't make sense to be to have to access the ``profile_data_list`` > attribute just to iterate the ProfileDataInfo objects. > > 3) Could you please add a ``repr`` method to ProfileData that > includes at least the profile_id? Maybe summary information about > whether it is visible/active as well, but I think just the ID should > be fine. Same goes for other classes that show up in lists, please. > > 4) I'm a little concerned about having the properties set/get > top-level attributes, e.g. ``enabled_by`` sets/gets ``enabledBy``. > Following this pattern where you wish to use the same name as in the > JSON would result in infinite loop; indeed you do treat some keys > different to avoid this, e.g. ``description``. This inconsistency > makes me wonder if there's a better pattern. > > My suggestion would be to stash the JSON dict in a top-level > attribute (the constructor would have to initialise it to an empty > dict before other attributes are assigned) and then have the > properties set/get items in that dict. > > You could further cut down boilerplate and duplication by definite a > descriptor for this purpose, e.g.: > > class JSONProperty(object): > def __init__(self, attr): > self.attr > > def __get__(self, instance, owner) > return obj.json_value[self.attr] > > def __set__(self, instance, value) > obj.json_value[self.attr] = value > > Then, most of the assignments in ``from_json`` go away , and > the corresponding property declarations follow the new pattern: > > enabled_by = JSONProperty('enabledBy') > > You would still need to treat Input, Output and PolicySets > differently, but you could also abstract over this pattern with yet > another class, i.e. a "JSON list property". > > Anyhow, 4) isn't a show-stopper, just a (lengthy) nit-pick. > > *** Will fix this in a separate patch. > > 5. Here you could iterate the (key, value) pairs to save keystrokes and > a bit of CPU doing ``cert_search_params[param]`` in all those places > below. e.g.: > > for param, value in cert_search_params.viewitems(): > ... > > ``dict.viewitems()`` returns a *dictview* iterator-like object that > avoids creating an intermediate list as ``dict.items()`` would. > > 6. Here and in a few other places below it might improve readability to > test for set membership, e.g.: > > if param in { > 'email', 'common_name', 'user'_id', 'org_unit', > 'org', ... > }: > > 7. pycharm appears to be set to 120 columns width by default. We need > to set to 80 and reformat accordingly. Please check in a pycharm > settings file. All new code should follow PEP8. > > 8. In CertRevokeRequest, a number of constants are defined for possible > reason settings. You should group those, and test for invalid reasons. > > 9. Do we use CertID anywhere? --- Removed CertID > > 10. list_entrollment_templates has a print r statement in it. Is that > supposed to be there? > > 11. get_enrollment_template should check for None for the profileID. > > 12. CertRequestInfoCollection has an element - cert_info_list, should > be > cert_request_info_list > > 13. ProfileConstraint -- why is id renamed to name? Why not just use > "id" > -- pycharm and pylint throw a warning when using id as an attribute name > > -- Abhishek > > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel From ftweedal at redhat.com Fri May 30 06:38:46 2014 From: ftweedal at redhat.com (Fraser Tweedale) Date: Fri, 30 May 2014 16:38:46 +1000 Subject: [Pki-devel] [PATCH] 95 Fixes for comments for patches 92-2, 93, 94(CertClient and ProfileClient python implementations) In-Reply-To: <1401393794.2803.10.camel@akoneru.redhat.com> References: <1401393794.2803.10.camel@akoneru.redhat.com> Message-ID: <20140530063846.GA11349@dhcp-40-8.bne.redhat.com> On Thu, May 29, 2014 at 04:03:14PM -0400, Abhishek Koneru wrote: > Please review the patch which addresses the review comments given by Ade > and Fraser for patches 92-2, 93, 94. > > 92-2 has been checked in already. 94 has been rebased to fix conflicts > with Ade's checkins. I removed the changes to account.py and client.py > form 94 to fix the conflicts. > > So update the master and apply patches 93, 94, 95. > > Following are the review comments addressed in this patch - > > ** No. 4 in the list is not included in this patch. It will be done in a > separate patch. > > 1) Copy pasta error in ProfileData.from_json; ``policy_sets`` used > instead of ``inputs``/``outputs`` when processing > json_value['Input'] or json_value['Output'] lists. > > 2) Could you please make ProfileDataInfoCollection an iterable? It > doesn't make sense to be to have to access the ``profile_data_list`` > attribute just to iterate the ProfileDataInfo objects. > Using generators to implement ``__iter__`` is a fine solution (i.e. not a show-stopper IMO) but more terse and idiomatic would be:: def __iter__(self): return iter(self._internal_iterable) Nothing else stood out to me on eyeballing the new patch but I still have to test it. Fraser > 3) Could you please add a ``repr`` method to ProfileData that > includes at least the profile_id? Maybe summary information about > whether it is visible/active as well, but I think just the ID should > be fine. Same goes for other classes that show up in lists, please. > > 4) I'm a little concerned about having the properties set/get > top-level attributes, e.g. ``enabled_by`` sets/gets ``enabledBy``. > Following this pattern where you wish to use the same name as in the > JSON would result in infinite loop; indeed you do treat some keys > different to avoid this, e.g. ``description``. This inconsistency > makes me wonder if there's a better pattern. > > My suggestion would be to stash the JSON dict in a top-level > attribute (the constructor would have to initialise it to an empty > dict before other attributes are assigned) and then have the > properties set/get items in that dict. > > You could further cut down boilerplate and duplication by definite a > descriptor for this purpose, e.g.: > > class JSONProperty(object): > def __init__(self, attr): > self.attr > > def __get__(self, instance, owner) > return obj.json_value[self.attr] > > def __set__(self, instance, value) > obj.json_value[self.attr] = value > > Then, most of the assignments in ``from_json`` go away , and > the corresponding property declarations follow the new pattern: > > enabled_by = JSONProperty('enabledBy') > > You would still need to treat Input, Output and PolicySets > differently, but you could also abstract over this pattern with yet > another class, i.e. a "JSON list property". > > Anyhow, 4) isn't a show-stopper, just a (lengthy) nit-pick. > > *** Will fix this in a separate patch. > > 5. Here you could iterate the (key, value) pairs to save keystrokes and > a bit of CPU doing ``cert_search_params[param]`` in all those places > below. e.g.: > > for param, value in cert_search_params.viewitems(): > ... > > ``dict.viewitems()`` returns a *dictview* iterator-like object that > avoids creating an intermediate list as ``dict.items()`` would. > > 6. Here and in a few other places below it might improve readability to > test for set membership, e.g.: > > if param in { > 'email', 'common_name', 'user'_id', 'org_unit', > 'org', ... > }: > > 7. pycharm appears to be set to 120 columns width by default. We need > to set to 80 and reformat accordingly. Please check in a pycharm > settings file. All new code should follow PEP8. > > 8. In CertRevokeRequest, a number of constants are defined for possible > reason settings. You should group those, and test for invalid reasons. > > 9. Do we use CertID anywhere? --- Removed CertID > > 10. list_entrollment_templates has a print r statement in it. Is that > supposed to be there? > > 11. get_enrollment_template should check for None for the profileID. > > 12. CertRequestInfoCollection has an element - cert_info_list, should > be > cert_request_info_list > > 13. ProfileConstraint -- why is id renamed to name? Why not just use > "id" > -- pycharm and pylint throw a warning when using id as an attribute name > > -- Abhishek > > >From d3c10a6ff46bfc2f8afea849c2d3a297e47e305d Mon Sep 17 00:00:00 2001 > From: Abhishek Koneru > Date: Fri, 9 May 2014 10:16:44 -0400 > Subject: [PATCH] Added methods in CertClient for CertRequestResource > > Adds the methods for fetching the enrollment templates, > creating the enrollment requests, submitting the requests, > performing actions(approve, reject, cancel etc.) on the requests. > > Also defined the classes needed for representing data used to > perform the above mentioned operations. > --- > base/common/python/pki/cert.py | 694 +++++++++++++++++++++++++++++++++++++- > base/common/python/pki/profile.py | 577 +++++++++++++++++++++++++++++++ > 2 files changed, 1261 insertions(+), 10 deletions(-) > create mode 100644 base/common/python/pki/profile.py > > diff --git a/base/common/python/pki/cert.py b/base/common/python/pki/cert.py > index c0141048586c5fdbdf84cd0f1c204009e5cac715..b22307ad1b2c2456257dc9416208e6725234bf9c 100644 > --- a/base/common/python/pki/cert.py > +++ b/base/common/python/pki/cert.py > @@ -4,11 +4,14 @@ Created on Feb 13, 2014 > > @author: akoneru > """ > +import copy > import json > +import types > + > import pki > import pki.client as client > import pki.encoder as encoder > -import types > +import pki.profile as profile > > > class CertId(object): > @@ -104,8 +107,8 @@ class CertDataInfo(object): > > class CertDataInfoCollection(object): > """ > - Class containing lists of CertDataInfo objects. > - This data is returned when searching/listing certificate records on the CA. > + Class containing list of CertDataInfo objects and their respective link objects. > + This data is returned when searching/listing certificate records in the CA. > """ > > def __init__(self): > @@ -162,7 +165,7 @@ class CertRequestInfo(object): > cert_request_info.request_id = \ > str(cert_request_info.request_url)[(str(cert_request_info.request_url).rfind("/") + 1):] > #Optional parameters > - if 'certID' in attr_list: > + if 'certId' in attr_list: > cert_request_info.cert_id = attr_list['certId'] > if 'certURL' in attr_list: > cert_request_info.cert_url = attr_list['certURL'] > @@ -174,6 +177,37 @@ class CertRequestInfo(object): > return cert_request_info > > > +class CertRequestInfoCollection(object): > + """ > + Class containing list of CertRequestInfo objects. > + This data is returned when listing certificate request records in the CA. > + """ > + > + def __init__(self): > + self.cert_info_list = [] > + self.links = [] > + > + @classmethod > + def from_json(cls, json_value): > + """ Populate object from JSON input """ > + ret = cls() > + cert_req_infos = json_value['entries'] > + if not isinstance(cert_req_infos, types.ListType): > + ret.cert_info_list.append(CertRequestInfo.from_json(cert_req_infos)) > + else: > + for cert_info in cert_req_infos: > + ret.cert_info_list.append(CertRequestInfo.from_json(cert_info)) > + > + links = json_value['Link'] > + if not isinstance(links, types.ListType): > + ret.links.append(pki.Link.from_json(links)) > + else: > + for link in links: > + ret.links.append(pki.Link.from_json(link)) > + > + return ret > + > + > class CertSearchRequest(object): > """ > An object of this class is used to store the search parameters > @@ -285,6 +319,330 @@ class CertRevokeRequest(object): > setattr(self, "Comments", comments) > > > +class CertEnrollmentRequest(object): > + """ > + This class encapsulates the parameters required for a certificate enrollment request. > + """ > + > + def __init__(self, profile_id=None, renewal=False, serial_number=None, remote_host=None, remote_address=None, > + inputs=None, outputs=None): > + """ Constructor """ > + self.profile_id = profile_id > + self.renewal = renewal > + self.serial_number = serial_number > + self.remote_host = remote_host > + self.remote_address = remote_address > + if inputs is None: > + self.inputs = [] > + if outputs is None: > + self.outputs = [] > + > + @property > + def profile_id(self): > + return getattr(self, 'ProfileID', None) > + > + @profile_id.setter > + def profile_id(self, value): > + setattr(self, 'ProfileID', value) > + > + @property > + def renewal(self): > + return getattr(self, 'Renewal', False) > + > + @renewal.setter > + def renewal(self, value): > + setattr(self, 'Renewal', value) > + > + @property > + def serial_number(self): > + return getattr(self, 'SerialNumber', None) > + > + @serial_number.setter > + def serial_number(self, value): > + setattr(self, 'SerialNumber', value) > + > + @property > + def remote_host(self): > + return getattr(self, 'RemoteHost', None) > + > + @remote_host.setter > + def remote_host(self, value): > + setattr(self, 'RemoteHost', value) > + > + @property > + def remote_address(self): > + return getattr(self, 'RemoteAddress', None) > + > + @remote_address.setter > + def remote_address(self, value): > + setattr(self, 'RemoteAddress', value) > + > + @property > + def inputs(self): > + return getattr(self, 'Input') > + > + @inputs.setter > + def inputs(self, value): > + setattr(self, 'Input', value) > + > + @property > + def outputs(self): > + return getattr(self, 'Output') > + > + @outputs.setter > + def outputs(self, value): > + setattr(self, 'Output', value) > + > + def add_input(self, profile_input): > + self.inputs.append(profile_input) > + > + def remove_input(self, profile_input_name): > + for profile_input in self.inputs: > + if profile_input_name == profile_input.name: > + self.inputs.pop(profile_input) > + break > + > + def get_input(self, profile_input_name): > + for profile_input in self.inputs: > + if profile_input_name == profile_input.name: > + return profile_input > + > + return None > + > + def add_output(self, profile_output): > + self.outputs.append(profile_output) > + > + def remove_output(self, profile_output_name): > + for output in self.outputs: > + if profile_output_name == output.name: > + self.outputs.pop(output) > + break > + > + def get_output(self, profile_output_name): > + for output in self.outputs: > + if profile_output_name == output.name: > + return output > + > + return None > + > + @classmethod > + def from_json(cls, json_value): > + enroll_request = cls() > + > + enroll_request.profile_id = json_value['ProfileID'] > + enroll_request.renewal = json_value['Renewal'] > + if 'SerialNumber' in json_value: > + enroll_request.serial_number = json_value['SerialNumber'] > + if 'RemoteHost' in json_value: > + enroll_request.remote_host = json_value['RemoteHost'] > + if 'RemoteAddress' in json_value: > + enroll_request.remote_address = json_value['RemoteAddress'] > + > + inputs = json_value['Input'] > + if not isinstance(inputs, types.ListType): > + enroll_request.inputs.append(profile.ProfileInput.from_json(inputs)) > + else: > + for profile_input in inputs: > + enroll_request.inputs.append(profile.ProfileInput.from_json(profile_input)) > + > + outputs = json_value['Output'] > + if not isinstance(outputs, types.ListType): > + enroll_request.outputs.append(profile.ProfileOutput.from_json(outputs)) > + else: > + for profile_output in outputs: > + enroll_request.outputs.append(profile.ProfileOutput.from_json(profile_output)) > + > + return enroll_request > + > + > +class CertReviewResponse(CertEnrollmentRequest): > + """ > + An object of this class represent the response from the server when > + reviewing a certificate enrollment request. > + It contains a nonce required to perform action on the request. > + """ > + > + def __init__(self, profile_id=None, renewal=False, serial_number=None, remote_host=None, remote_address=None, > + inputs=None, outputs=None, nonce=None, request_id=None, request_type=None, request_status=None, > + request_owner=None, request_creation_time=None, request_modification_time=None, request_notes=None, > + profile_approval_by=None, profile_set_id=None, profile_is_visible=None, profile_name=None, > + profile_description=None, profile_remote_host=None, profile_remote_address=None, policy_sets=None): > + > + super(CertReviewResponse, self).__init__(profile_id, renewal, serial_number, remote_host, > + remote_address, inputs, outputs) > + self.nonce = nonce > + self.request_id = request_id > + self.request_type = request_type > + self.request_status = request_status > + self.request_owner = request_owner > + self.request_creation_time = request_creation_time > + self.request_modification_time = request_modification_time > + self.request_notes = request_notes > + self.profile_approved_by = profile_approval_by > + self.profile_set_id = profile_set_id > + self.profile_is_visible = profile_is_visible > + self.profile_name = profile_name > + self.profile_description = profile_description > + self.profile_remote_host = profile_remote_host > + self.profile_remote_address = profile_remote_address > + > + if policy_sets is None: > + self.policy_sets = [] > + else: > + self.policy_sets = policy_sets > + > + @property > + def request_id(self): > + return getattr(self, 'requestId') > + > + @request_id.setter > + def request_id(self, value): > + setattr(self, 'requestId', value) > + > + @property > + def request_type(self): > + return getattr(self, 'requestType') > + > + @request_type.setter > + def request_type(self, value): > + setattr(self, 'requestType', value) > + > + @property > + def request_status(self): > + return getattr(self, 'requestStatus') > + > + @request_status.setter > + def request_status(self, value): > + setattr(self, 'requestStatus', value) > + > + @property > + def request_owner(self): > + return getattr(self, 'requestOwner') > + > + @request_owner.setter > + def request_owner(self, value): > + setattr(self, 'requestOwner', value) > + > + @property > + def request_creation_time(self): > + return getattr(self, 'requestCreationTime') > + > + @request_creation_time.setter > + def request_creation_time(self, value): > + setattr(self, 'requestCreationTime', value) > + > + @property > + def request_modification_time(self): > + return getattr(self, 'requestModificationTime') > + > + @request_modification_time.setter > + def request_modification_time(self, value): > + setattr(self, 'requestModificationTime', value) > + > + @property > + def request_notes(self): > + return getattr(self, 'requestNotes') > + > + @request_notes.setter > + def request_notes(self, value): > + setattr(self, 'requestNotes', value) > + > + @property > + def profile_approved_by(self): > + return getattr(self, 'profileApprovedBy') > + > + @profile_approved_by.setter > + def profile_approved_by(self, value): > + setattr(self, 'profileApprovedBy', value) > + > + @property > + def profile_set_id(self): > + return getattr(self, 'profileSetId') > + > + @profile_set_id.setter > + def profile_set_id(self, value): > + setattr(self, 'profileSetId', value) > + > + @property > + def profile_is_visible(self): > + return getattr(self, 'profileIsVisible') > + > + @profile_is_visible.setter > + def profile_is_visible(self, value): > + setattr(self, 'profileIsVisible', value) > + > + @property > + def profile_name(self): > + return getattr(self, 'profileName') > + > + @profile_name.setter > + def profile_name(self, value): > + setattr(self, 'profileName', value) > + > + @property > + def profile_description(self): > + return getattr(self, 'profileDescription') > + > + @profile_description.setter > + def profile_description(self, value): > + setattr(self, 'profileDescription', value) > + > + @property > + def profile_remote_host(self): > + return getattr(self, 'profileRemoteHost') > + > + @profile_remote_host.setter > + def profile_remote_host(self, value): > + setattr(self, 'profileRemoteHost', value) > + > + @property > + def profile_remote_address(self): > + return getattr(self, 'profileRemoteAddr') > + > + @profile_remote_address.setter > + def profile_remote_address(self, value): > + setattr(self, 'profileRemoteAddr', value) > + > + @property > + def policy_sets(self): > + return getattr(self, 'ProfilePolicySet') > + > + @policy_sets.setter > + def policy_sets(self, value): > + setattr(self, 'ProfilePolicySet', value) > + > + @classmethod > + def from_json(cls, json_value): > + > + #First read the values for attributes defined in CertEnrollmentRequest > + review_response = super(CertReviewResponse, cls).from_json(json_value) > + > + review_response.nonce = json_value['nonce'] > + review_response.request_id = json_value['requestId'] > + review_response.request_type = json_value['requestType'] > + review_response.request_status = json_value['requestStatus'] > + review_response.request_owner = json_value['requestOwner'] > + review_response.request_creation_time = json_value['requestCreationTime'] > + review_response.request_modification_time = json_value['requestModificationTime'] > + review_response.request_notes = json_value['requestNotes'] > + review_response.profile_approved_by = json_value['profileApprovedBy'] > + review_response.profile_set_id = json_value['profileSetId'] > + review_response.profile_is_visible = json_value['profileIsVisible'] > + review_response.profile_name = json_value['profileName'] > + review_response.profile_description = json_value['profileDescription'] > + review_response.profile_remote_host = json_value['profileRemoteHost'] > + review_response.profile_remote_address = json_value['profileRemoteAddr'] > + > + profile_policy_sets = json_value['ProfilePolicySet'] > + if not isinstance(profile_policy_sets, types.ListType): > + review_response.policy_sets.append(profile.ProfilePolicySet.from_json(profile_policy_sets)) > + else: > + for policy_set in profile_policy_sets: > + review_response.policy_sets.append(profile.ProfilePolicySet.from_json(policy_set)) > + > + return review_response > + > + > class CertClient(object): > """ > Class encapsulating and mirroring the functionality in the CertResource Java interface class > @@ -298,6 +656,8 @@ class CertClient(object): > 'Accept': 'application/json'} > self.cert_url = '/rest/certs' > self.agent_cert_url = '/rest/agent/certs' > + self.cert_requests_url = '/rest/certrequests' > + self.agent_cert_requests_url = '/rest/agent/certrequests' > self.enrollment_templates = {} > > @pki.handle_exceptions() > @@ -399,10 +759,251 @@ class CertClient(object): > r = self.connection.post(url, None, headers=self.headers) > return CertRequestInfo.from_json(r.json()) > > + @pki.handle_exceptions() > + def get_request(self, request_id): > + """ > + Get information of a certificate request with the given request ID. > + Returns a CertRequestInfo object. > + """ > + > + if request_id is None: > + raise ValueError("Request ID must be specified") > + url = self.cert_requests_url + '/' + str(request_id) > + r = self.connection.get(url, headers=self.headers) > + > + return CertRequestInfo.from_json(r.json()) > + > + @pki.handle_exceptions() > + def list_requests(self, request_status=None, request_type=None, from_request_id=None, size=None, > + max_results=None, max_time=None): > + """ > + Query for a list of certificates using the arguments passed. > + Returns a CertRequestInfoCollection object. > + """ > + > + query_params = { > + 'requestStatus': request_status, > + 'requestType': request_type, > + 'start': from_request_id, > + 'pageSize': size, > + 'maxResults': max_results, > + 'maxTime': max_time > + } > + r = self.connection.get(self.agent_cert_requests_url, self.headers, query_params) > + return CertRequestInfoCollection.from_json(r.json()) > + > + @pki.handle_exceptions() > + def review_request(self, request_id): > + """ > + Reviews a certificate enrollment request. > + Returns a CertReviewResponse object which contains the nonce > + from the server needed to perform an action on the request. > + """ > + if request_id is None: > + raise ValueError("Request Id must be specified.") > + > + url = self.agent_cert_requests_url + '/' + str(request_id) > + r = self.connection.get(url, headers=self.headers) > + return CertReviewResponse.from_json(r.json()) > + > + @pki.handle_exceptions() > + def _perform_action(self, request_id, cert_review_response, action): > + """ > + An internal method used by all the action methods to perform > + an action on a certificate request. > + The parameter cert_review_response > + """ > + if request_id is None: > + raise ValueError("Request Id must be specified.") > + if cert_review_response is None: > + cert_review_response = self.review_request(request_id) > + > + url = self.agent_cert_requests_url + '/' + request_id + '/' + action > + review_response = json.dumps(cert_review_response, cls=encoder.CustomTypeEncoder, sort_keys=True) > + r = self.connection.post(url, review_response, headers=self.headers) > + return r > + > + def approve_request(self, request_id, cert_review_response=None): > + """ > + Approves a certificate enrollment request. > + If cert_review_response is None, a review request operation is performed to fetch the > + CertReviewResponse object. > + Requires as agent level authentication. > + """ > + return self._perform_action(request_id, cert_review_response, 'approve') > + > + def cancel_request(self, request_id, cert_review_response=None): > + """ > + Cancels a certificate enrollment request. > + If cert_review_response is None, a review request operation is performed to fetch the > + CertReviewResponse object. > + Requires as agent level authentication. > + """ > + return self._perform_action(request_id, cert_review_response, 'cancel') > + > + def reject_request(self, request_id, cert_review_response=None): > + """ > + Rejects a certificate enrollment request. > + If cert_review_response is None, a review request operation is performed to fetch the > + CertReviewResponse object. > + Requires as agent level authentication. > + """ > + return self._perform_action(request_id, cert_review_response, 'reject') > + > + def validate_request(self, request_id, cert_review_response): > + """ > + Validates a certificate enrollment request. > + If cert_review_response is None, a review request operation is performed to fetch the > + CertReviewResponse object. > + Requires as agent level authentication. > + """ > + return self._perform_action(request_id, cert_review_response, 'validate') > + > + def update_request(self, request_id, cert_review_response): > + """ > + Updates a certificate enrollment request. > + If cert_review_response is None, a review request operation is performed to fetch the > + CertReviewResponse object. > + Requires as agent level authentication. > + """ > + return self._perform_action(request_id, cert_review_response, 'update') > + > + def assign_request(self, request_id, cert_review_response): > + """ > + Assigns a certificate enrollment request. > + If cert_review_response is None, a review request operation is performed to fetch the > + CertReviewResponse object. > + Requires as agent level authentication. > + """ > + return self._perform_action(request_id, cert_review_response, 'assign') > + > + def unassign_request(self, request_id, cert_review_response): > + """ > + Un-assigns a certificate enrollment request. > + If cert_review_response is None, a review request operation is performed to fetch the > + CertReviewResponse object. > + Requires as agent level authentication. > + """ > + return self._perform_action(request_id, cert_review_response, 'unassign') > + > + @pki.handle_exceptions() > + def list_enrollment_templates(self, start=None, size=None): > + """ > + Gets the list of profile templates supported by the CA. > + The values for start and size arguments determine the starting point and the length of the list. > + Returns a ProfileDataInfoCollection object. > + """ > + > + url = self.cert_requests_url + '/profiles' > + query_params = { > + 'start': start, > + 'size': size > + } > + r = self.connection.get(url, self.headers, query_params) > + print r > + return profile.ProfileDataInfoCollection.from_json(r.json()) > + > + @pki.handle_exceptions() > + def get_enrollment_template(self, profile_id): > + """ > + Fetch the enrollment template for the given profile id. > + For the first time, the request is sent to the server. > + The retrieved CertEnrollmentRequest object is then cached locally for future requests. > + Returns a CerEnrollmentRequest object. > + """ > + > + if profile_id in self.enrollment_templates: > + return copy.deepcopy(self.enrollment_templates[profile_id]) > + url = self.cert_requests_url + '/profiles/' + str(profile_id) > + r = self.connection.get(url, self.headers) > + > + #Caching the enrollment template object in-memory for future use. > + enrollment_template = CertEnrollmentRequest.from_json(r.json()) > + self.enrollment_templates[profile_id] = enrollment_template > + > + return copy.deepcopy(enrollment_template) > + > + @pki.handle_exceptions() > + def create_enrollment_request(self, profile_id, inputs): > + """ > + Fetches the enrollment request object for the given profile and > + sets values to its attributes using the values provided in the inputs dictionary. > + Returns the CertEnrollmentRequest object, which can be submitted to enroll a certificate. > + """ > + if inputs is None or len(inputs) == 0: > + raise ValueError("No inputs provided.") > + > + enrollment_template = self.get_enrollment_template(profile_id) > + for profile_input in enrollment_template.inputs: > + for attribute in profile_input.attributes: > + if attribute.name in inputs: > + attribute.value = inputs[attribute.name] > + > + return enrollment_template > + > + @pki.handle_exceptions() > + def submit_enrollment_request(self, enrollment_request): > + """ > + Submits the CertEnrollmentRequest object to the server. > + Returns a CertRequestInfoCollection object with information about the certificate requests > + enrolled at the CA. > + """ > + request_object = json.dumps(enrollment_request, cls=encoder.CustomTypeEncoder, sort_keys=True) > + r = self.connection.post(self.cert_requests_url, request_object, self.headers) > + return CertRequestInfoCollection.from_json(r.json()) > + > + @pki.handle_exceptions() > + def enroll_cert(self, profile_id, inputs): > + """ > + A convenience method for enrolling a certificate for a given profile id. > + The inputs parameter should be a dictionary with values for the profile attributes > + for an enrollment request. > + > + Calling this method with valid arguments, creates an enrollment request, submits it > + to the server, approves the certificate requests generated for the enrollment and > + returns a list of CertData objects for all the certificates generated as part of this > + enrollment. > + > + Note: This method supports only certificate enrollment where only one agent approval > + is sufficient. > + > + Requires an agent level authentication. > + """ > + > + # Create a CertEnrollmentRequest object using the inputs for the given profile id. > + enroll_request = self.create_enrollment_request(profile_id, inputs) > + > + # Submit the enrollment request > + cert_request_infos = self.submit_enrollment_request(enroll_request) > + > + # Approve the requests generated for the certificate enrollment. > + # Fetch the CertData objects for all the certificates created and return to the caller. > + > + certificates = [] > + for cert_request_info in cert_request_infos.cert_info_list: > + request_id = cert_request_info.request_id > + self.approve_request(request_id) > + cert_id = self.get_request(request_id).cert_id > + certificates.append(self.get_cert(cert_id)) > + > + return certificates > + > > encoder.NOTYPES['CertData'] = CertData > encoder.NOTYPES['CertSearchRequest'] = CertSearchRequest > encoder.NOTYPES['CertRevokeRequest'] = CertRevokeRequest > +encoder.NOTYPES['CertEnrollmentRequest'] = CertEnrollmentRequest > +encoder.NOTYPES['ProfileInput'] = profile.ProfileInput > +encoder.NOTYPES['ProfileAttribute'] = profile.ProfileAttribute > +encoder.NOTYPES['Descriptor'] = profile.Descriptor > +encoder.NOTYPES['ProfileOutput'] = profile.ProfileOutput > +encoder.NOTYPES['CertReviewResponse'] = CertReviewResponse > +encoder.NOTYPES['ProfilePolicySet'] = profile.ProfilePolicySet > +encoder.NOTYPES['ProfilePolicy'] = profile.ProfilePolicy > +encoder.NOTYPES['PolicyDefault'] = profile.PolicyDefault > +encoder.NOTYPES['PolicyConstraint'] = profile.PolicyConstraint > +encoder.NOTYPES['PolicyConstraintValue'] = profile.PolicyConstraintValue > +encoder.NOTYPES['ProfileParameter'] = profile.ProfileParameter > > > def main(): > @@ -416,16 +1017,76 @@ def main(): > #Instantiate the CertClient > cert_client = CertClient(connection) > > + cert_client.get_enrollment_template('caUserCert') > + > + #Enrolling an user certificate > + print('Enrolling an user certificate') > + print('-----------------------------') > + > + inputs = dict() > + inputs['cert_request_type'] = 'crmf' > + inputs['cert_request'] = "MIIBpDCCAaAwggEGAgUA5n9VYTCBx4ABAqUOMAwxCjAIBgNVBAMTAXimgZ8wDQYJKoZIhvcNAQEBBQAD" \ > + "gY0AMIGJAoGBAK/SmUVoUjBtqHNw/e3OoCSXw42pdQSR53/eYJWpf7nyTbZ9UuIhGfXOtxy5vRetmDHE" \ > + "9u0AopmuJbr1rL17/tSnDakpkE9umQ2lMOReLloSdX32w2xOeulUwh5BGbFpq10S0SvW1H93Vn0eCy2a" \ > + "a4UtILNEsp7JJ3FnYJibfuMPAgMBAAGpEDAOBgNVHQ8BAf8EBAMCBeAwMzAVBgkrBgEFBQcFAQEMCHJl" \ > + "Z1Rva2VuMBoGCSsGAQUFBwUBAgwNYXV0aGVudGljYXRvcqGBkzANBgkqhkiG9w0BAQUFAAOBgQCuywnr" \ > + "Dk/wGwfbguw9oVs9gzFQwM4zeFbk+z82G5CWoG/4mVOT5LPL5Q8iF+KfnaU9Qcu6zZPxW6ZmDd8WpPJ+" \ > + "MTPyQl3Q5BfiKa4l5ra1NeqxMOlMiiupwINmm7jd1KaA2eIjuyC8/gTaO4b14R6aRaOj+Scp9cNYbthA7REhJw==" > + inputs['sn_uid'] = 'test12345' > + inputs['sn_e'] = 'example at redhat.com' > + inputs['sn_cn'] = 'TestUser' > + > + cert_data_infos = cert_client.enroll_cert('caUserCert', inputs) > + > + for data in cert_data_infos: > + print('Serial Number: ' + data.serial_number) > + print('Issuer: ' + data.issuer_dn) > + print('Subject: ' + data.subject_dn) > + print('Pretty Print:') > + print(data.pretty_repr) > + > + print > + > + # Enrolling a server certificate > + print("Enrolling a server certificate") > + print('------------------------------') > + > + inputs = dict() > + inputs['cert_request_type'] = 'pkcs10' > + inputs['cert_request'] = "MIIBmDCCAQECAQAwWDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk5DMRAwDgYDVQQHDAdSYWxlaWdoMRUwE" \ > + "wYDVQQKDAxSZWQgSGF0IEluYy4xEzARBgNVBAMMClRlc3RTZXJ2ZXIwgZ8wDQYJKoZIhvcNAQEBBQADgY" \ > + "0AMIGJAoGBAMJpWz92dSYCvWxllrQCY5atPKCswUwyppRNGPnKmJ77AdHBBI4dFyET+h/+69jQMTLZMa8" \ > + "FX7SbyHvgbgLBP4Q/RzCSE2S87qFNjriOqiQCqJmcrzDzdncJQiP+O7T6MSpLo3smLP7dK1Vd7vK0Vy8y" \ > + "HwV0eBx7DgYedv2slBPHAgMBAAGgADANBgkqhkiG9w0BAQUFAAOBgQBvkxAGKwkfK3TKwLc5Mg0IWp8zG" \ > + "RVwxdIlghAL8DugNocCNNgmZazglJOOehLuk0/NkLX1ZM5RrVgM09W6kcfWZtIwr5Uje2K/+6tW2ZTGrb" \ > + "izs7CNOTMzA/9H8CkHb4H9P/qRT275zHIocYj4smUnXLwWGsBMeGs+OMMbGvSrHg==" > + > + inputs['requestor_name'] = 'Tester' > + inputs['requestor_email'] = 'example at redhat.com' > + > + cert_data_infos_2 = cert_client.enroll_cert('caServerCert', inputs) > + for data in cert_data_infos_2: > + print('Serial Number: ' + data.serial_number) > + print('Issuer: ' + data.issuer_dn) > + print('Subject: ' + data.subject_dn) > + print('Pretty Print:') > + print(data.pretty_repr) > + > + print > + > # List all the VALID certs > + print('An example listing all VALID certs') > + print('----------------------------------') > + > search_params = {'status': 'VALID'} > - cert_data_infos = cert_client.list_certs(**search_params) > - for cert_data_info in cert_data_infos.cert_info_list: > + cert_data_list = cert_client.list_certs(**search_params) > + for cert_data_info in cert_data_list.cert_info_list: > print("Serial Number: " + cert_data_info.cert_id) > print("Subject DN: " + cert_data_info.subject_dn) > print("Status: " + cert_data_info.status) > print > > - #Trying an invalid get cert > + #Trying to get a non-existing cert > #Assuming that there is no certificate with serial number = 100 > try: > cert_data = cert_client.get_cert(100) > @@ -437,10 +1098,14 @@ def main(): > print > > # Certificate Serial Number used for CertClient methods. > - # 7 and '0x7' are also valid values > - cert_id = 0x7 > + # 7, 0x7 and '0x7' are also valid values > + # Following examples use the serial number of the user certificate enrolled before. > + cert_id = cert_data_infos[0].serial_number > > #Get certificate data > + print('Getting information of a certificate') > + print('------------------------------------') > + > cert_data = cert_client.get_cert(cert_id) > # Print the certificate information > print('Serial Number: ' + cert_data.serial_number) > @@ -456,6 +1121,9 @@ def main(): > print > > # Review a certificate - used to get a nonce for revoke request. > + print('Reviewing a certificate') > + print('-----------------------') > + > cert_data = cert_client.review_cert(cert_id) > print('Serial Number: ' + cert_data.serial_number) > print('Issuer: ' + cert_data.issuer_dn) > @@ -465,6 +1133,9 @@ def main(): > print > > #Revoke a certificate > + print('Revoking a certificate') > + print('----------------------') > + > cert_request_info = cert_client.revoke_cert(cert_data.serial_number, > revocation_reason=CertRevokeRequest.REASON_CERTIFICATE_HOLD, > comments="Test revoking a cert", nonce=cert_data.nonce) > @@ -474,6 +1145,9 @@ def main(): > print > > #Un-revoke a certificate > + print('Un-revoking a certificate') > + print('-------------------------') > + > cert_request_info = cert_client.unrevoke_cert(cert_data.serial_number) > print('Request ID: ' + cert_request_info.request_id) > print('Request Type: ' + cert_request_info.request_type) > @@ -482,4 +1156,4 @@ def main(): > > > if __name__ == "__main__": > - main() > + main() > \ No newline at end of file > diff --git a/base/common/python/pki/profile.py b/base/common/python/pki/profile.py > new file mode 100644 > index 0000000000000000000000000000000000000000..490db0994cacf927ced96b5ed43790fda4327894 > --- /dev/null > +++ b/base/common/python/pki/profile.py > @@ -0,0 +1,577 @@ > +#!/usr/bin/python > +""" > +Created on May 13,, 2014 > + > + at author: akoneru > +""" > + > +import types > + > +import pki > + > + > +class ProfileDataInfo(object): > + """Stores information about a profile""" > + def __init__(self): > + self.profile_id = None > + self.profile_name = None > + self.profile_description = None > + self.profile_url = None > + > + @classmethod > + def from_json(cls, attr_list): > + profile_data_info = cls() > + profile_data_info.profile_id = attr_list['profileId'] > + profile_data_info.profile_name = attr_list['profileName'] > + profile_data_info.profile_description = attr_list['profileDescription'] > + profile_data_info.profile_url = attr_list['profileURL'] > + > + return profile_data_info > + > + > +class ProfileDataInfoCollection(object): > + """ > + Represents a collection of ProfileDataInfo objects. > + Also encapsulates the links for the list of the objects stored. > + """ > + > + def __init__(self): > + self.profile_data_list = [] > + self.links = [] > + > + @classmethod > + def from_json(cls, json_value): > + ret = cls() > + profile_data_infos = json_value['entries'] > + if not isinstance(profile_data_infos, types.ListType): > + ret.profile_data_list.append(ProfileDataInfo.from_json(profile_data_infos)) > + else: > + for profile_info in profile_data_infos: > + ret.profile_data_list.append(ProfileDataInfo.from_json(profile_info)) > + > + links = json_value['Link'] > + if not isinstance(links, types.ListType): > + ret.links.append(pki.Link.from_json(links)) > + else: > + for link in links: > + ret.links.append(pki.Link.from_json(link)) > + > + return ret > + > + > +class Descriptor(object): > + """ > + This class represents the description of a ProfileAttribute. > + It stores information such as the syntax, constraint and default value of a profile attribute. > + """ > + > + def __init__(self, syntax=None, constraint=None, description=None, default_value=None): > + self.syntax = syntax > + self.constraint = constraint > + self.description = description > + self.default_value = default_value > + > + @property > + def syntax(self): > + return getattr(self, 'Syntax', None) > + > + @syntax.setter > + def syntax(self, value): > + setattr(self, 'Syntax', value) > + > + @property > + def constraint(self): > + return getattr(self, 'Constraint', None) > + > + @constraint.setter > + def constraint(self, value): > + setattr(self, 'Constraint', value) > + > + @property > + def description(self): > + return getattr(self, 'Description', None) > + > + @description.setter > + def description(self, value): > + setattr(self, 'Description', value) > + > + @property > + def default_value(self): > + return getattr(self, 'DefaultValue', None) > + > + @default_value.setter > + def default_value(self, value): > + setattr(self, 'DefaultValue', value) > + > + @classmethod > + def from_json(cls, attr_list): > + descriptor = cls() > + for attr in attr_list: > + setattr(descriptor, attr, attr_list[attr]) > + > + return descriptor > + > + > +class ProfileAttribute(object): > + """ > + Represents a profile attribute of a ProfileInput. > + """ > + def __init__(self, name=None, value=None, descriptor=None): > + self.name = name > + self.value = value > + self.descriptor = descriptor > + > + @property > + def descriptor(self): > + return getattr(self, 'Descriptor') > + > + @descriptor.setter > + def descriptor(self, value): > + setattr(self, 'Descriptor', value) > + > + @property > + def value(self): > + return getattr(self, 'Value') > + > + @value.setter > + def value(self, value): > + setattr(self, 'Value', value) > + > + @classmethod > + def from_json(cls, attr_list): > + attribute = cls() > + attribute.name = attr_list['name'] > + if 'Value' in attr_list: > + attribute.value = attr_list['Value'] > + if 'Descriptor' in attr_list: > + attribute.descriptor = Descriptor.from_json(attr_list['Descriptor']) > + > + return attribute > + > + > +class ProfileInput(object): > + """ > + This class encapsulates all the attributes of a profile to generate a > + specific property of a certificate. > + Ex. Subject name, Requestor Information etc. > + """ > + > + def __init__(self, profile_input_id=None, class_id=None, name=None, text=None, attributes=None, > + config_attributes=None): > + > + self.profile_input_id = profile_input_id > + self.class_id = class_id > + self.name = name > + self.text = text > + if attributes is None: > + self.attributes = [] > + if config_attributes is None: > + self.config_attributes = [] > + > + @property > + def profile_input_id(self): > + return getattr(self, 'id') > + > + @profile_input_id.setter > + def profile_input_id(self, value): > + setattr(self, 'id', value) > + > + @property > + def class_id(self): > + return getattr(self, 'ClassID', None) > + > + @class_id.setter > + def class_id(self, value): > + setattr(self, 'ClassID', value) > + > + @property > + def name(self): > + return getattr(self, 'Name', None) > + > + @name.setter > + def name(self, value): > + setattr(self, 'Name', value) > + > + @property > + def text(self): > + return getattr(self, 'Text', None) > + > + @text.setter > + def text(self, value): > + setattr(self, 'Text', value) > + > + @property > + def attributes(self): > + return getattr(self, 'Attribute') > + > + @attributes.setter > + def attributes(self, value): > + setattr(self, 'Attribute', value) > + > + @property > + def config_attributes(self): > + return getattr(self, 'ConfigAttribute') > + > + @config_attributes.setter > + def config_attributes(self, value): > + setattr(self, 'ConfigAttribute', value) > + > + def add_attribute(self, profile_attribute): > + self.attributes.append(profile_attribute) > + > + def remove_attribute(self, profile_attribute_name): > + for attr in self.attributes: > + if attr.name == profile_attribute_name: > + self.attributes.remove(attr) > + break > + > + def get_attribute(self, profile_attribute_name): > + for attr in self.attributes: > + if attr.name == profile_attribute_name: > + return attr > + > + return None > + > + def add_config_attribute(self, profile_attribute): > + self.attributes.append(profile_attribute) > + > + def remove_config_attribute(self, config_attribute_name): > + for attr in self.config_attributes: > + if attr.name == config_attribute_name: > + self.attributes.remove(attr) > + break > + > + def get_config_attribute(self, config_attribute_name): > + for attr in self.attributes: > + if attr.name == config_attribute_name: > + return attr > + > + return None > + > + @classmethod > + def from_json(cls, json_value): > + profile_input = cls() > + profile_input.profile_input_id = json_value['id'] > + profile_input.class_id = json_value['ClassID'] > + profile_input.name = json_value['Name'] > + if 'Text' in json_value: > + profile_input.text = json_value['Text'] > + > + attributes = json_value['Attribute'] > + if not isinstance(attributes, types.ListType): > + profile_input.attributes.append(ProfileAttribute.from_json(attributes)) > + else: > + for profile_info in attributes: > + profile_input.attributes.append(ProfileAttribute.from_json(profile_info)) > + > + config_attributes = json_value['ConfigAttribute'] > + if not isinstance(config_attributes, types.ListType): > + profile_input.config_attributes.append(ProfileAttribute.from_json(config_attributes)) > + else: > + for config_attribute in config_attributes: > + profile_input.config_attributes.append(ProfileAttribute.from_json(config_attribute)) > + > + return profile_input > + > + > +class ProfileOutput(object): > + """ > + This class defines the output of a certificate enrollment request > + using a profile. > + """ > + > + def __init__(self, profile_output_id=None, name=None, text=None, class_id=None, attributes=None): > + self.profile_output_id = profile_output_id > + self.name = name > + self.text = text > + self.class_id = class_id > + if attributes is None: > + self.attributes = [] > + > + @property > + def profile_output_id(self): > + return getattr(self, 'id') > + > + @profile_output_id.setter > + def profile_output_id(self, value): > + setattr(self, 'id', value) > + > + @property > + def class_id(self): > + return getattr(self, 'classId', None) > + > + @class_id.setter > + def class_id(self, value): > + setattr(self, 'classId', value) > + > + def add_attribute(self, profile_attribute): > + self.attributes.append(profile_attribute) > + > + def remove_attribute(self, profile_attribute_name): > + for attr in self.attributes: > + if attr.name == profile_attribute_name: > + self.attributes.remove(attr) > + break > + > + def get_attribute(self, profile_attribute_name): > + for attr in self.attributes: > + if attr.name == profile_attribute_name: > + return attr > + > + return None > + > + @classmethod > + def from_json(cls, json_value): > + profile_output = cls() > + profile_output.profile_output_id = json_value['id'] > + profile_output.name = json_value['name'] > + profile_output.text = json_value['text'] > + profile_output.class_id = json_value['classId'] > + attributes = json_value['attributes'] > + if not isinstance(attributes, types.ListType): > + profile_output.attributes.append(ProfileAttribute.from_json(attributes)) > + else: > + for profile_info in attributes: > + profile_output.attributes.append(ProfileAttribute.from_json(profile_info)) > + return profile_output > + > + > +class ProfileParameter(object): > + > + def __init__(self, name=None, value=None): > + self.name = name > + self.value = value > + > + @classmethod > + def from_json(cls, attr_list): > + param = cls() > + for attr in attr_list: > + setattr(param, attr, attr_list[attr]) > + return param > + > + > +class PolicyDefault(object): > + """ > + An object of this class contains information of the default usage of a specific ProfileInput. > + """ > + > + def __init__(self, name=None, class_id=None, description=None, policy_attributes=None, policy_params=None): > + self.name = name > + self.class_id = class_id > + self.description = description > + if policy_attributes is None: > + self.policy_attributes = [] > + else: > + self.policy_attributes = policy_attributes > + if policy_params is None: > + self.policy_params = [] > + else: > + self.policy_params = policy_params > + > + @property > + def name(self): > + return getattr(self, 'id') > + > + @name.setter > + def name(self, value): > + setattr(self, 'id', value) > + > + @property > + def class_id(self): > + return getattr(self, 'classId') > + > + @class_id.setter > + def class_id(self, value): > + setattr(self, 'classId', value) > + > + @property > + def policy_attributes(self): > + return getattr(self, 'policyAttribute') > + > + @policy_attributes.setter > + def policy_attributes(self, value): > + setattr(self, 'policyAttribute', value) > + > + @property > + def policy_params(self): > + return getattr(self, 'params') > + > + @policy_params.setter > + def policy_params(self, value): > + setattr(self, 'params', value) > + > + @classmethod > + def from_json(cls, json_value): > + policy_def = cls() > + if 'id' in json_value: > + policy_def.name = json_value['id'] > + if 'classId' in json_value: > + policy_def.class_id = json_value['classId'] > + if 'description' in json_value: > + policy_def.description = json_value['description'] > + if 'policyAttribute' in json_value: > + attributes = json_value['policyAttribute'] > + if not isinstance(attributes, types.ListType): > + policy_def.policy_attributes.append(ProfileAttribute.from_json(attributes)) > + else: > + for attr in attributes: > + policy_def.policy_attributes.append(ProfileAttribute.from_json(attr)) > + > + if 'params' in json_value: > + params = json_value['params'] > + if not isinstance(params, types.ListType): > + policy_def.policy_params.append(ProfileParameter.from_json(params)) > + else: > + for param in params: > + policy_def.policy_params.append(ProfileParameter.from_json(param)) > + > + return policy_def > + > + > +class PolicyConstraintValue(object): > + > + def __init__(self, name=None, value=None, descriptor=None): > + self.name = name > + self.value = value > + self.descriptor = descriptor > + > + @property > + def name(self): > + return getattr(self, 'id') > + > + @name.setter > + def name(self, value): > + setattr(self, 'id', value) > + > + @classmethod > + def from_json(cls, json_value): > + ret = cls() > + > + ret.name = json_value['id'] > + ret.value = json_value['value'] > + if 'descriptor' in json_value: > + ret.descriptor = Descriptor.from_json(json_value['descriptor']) > + > + return ret > + > + > +class PolicyConstraint(object): > + """ > + An object of this class contains the policy constraints applied to a ProfileInput > + used by a certificate enrollment request. > + """ > + > + def __init__(self, name=None, description=None, class_id=None, policy_constraint_values=None): > + self.name = name > + self.description = description > + self.class_id = class_id > + if policy_constraint_values is None: > + self.policy_constraint_values = [] > + else: > + self.policy_constraint_values = policy_constraint_values > + > + @property > + def name(self): > + return getattr(self, 'id') > + > + @name.setter > + def name(self, value): > + setattr(self, 'id', value) > + > + @property > + def class_id(self): > + return getattr(self, 'classId') > + > + @class_id.setter > + def class_id(self, value): > + setattr(self, 'classId', value) > + > + @property > + def policy_constraint_values(self): > + return getattr(self, 'constraint') > + > + @policy_constraint_values.setter > + def policy_constraint_values(self, value): > + setattr(self, 'constraint', value) > + > + @classmethod > + def from_json(cls, json_value): > + policy_constraint = cls() > + if 'id' in json_value: > + policy_constraint.name = json_value['id'] > + if 'description' in json_value: > + policy_constraint.description = json_value['description'] > + if 'classId' in json_value: > + policy_constraint.class_id = json_value['classId'] > + if 'constraint' in json_value: > + constraints = json_value['constraint'] > + if not isinstance(constraints, types.ListType): > + policy_constraint.policy_constraint_values.append(PolicyConstraintValue.from_json(constraints)) > + else: > + for constraint in constraints: > + policy_constraint.policy_constraint_values.append(PolicyConstraintValue.from_json(constraint)) > + > + return policy_constraint > + > + > +class ProfilePolicy(object): > + """ > + This class represents the policy a profile adheres to. > + An object of this class stores the default values for profile and the constraints present on the > + values of the attributes of the profile submitted for an enrollment request. > + """ > + > + def __init__(self, policy_id=None, policy_default=None, policy_constraint=None): > + self.policy_id = policy_id > + self.policy_default = policy_default > + self.policy_constraint = policy_constraint > + > + @property > + def policy_id(self): > + return getattr(self, 'id') > + > + @policy_id.setter > + def policy_id(self, value): > + setattr(self, 'id', value) > + > + @property > + def policy_default(self): > + return getattr(self, 'def') > + > + @policy_default.setter > + def policy_default(self, value): > + setattr(self, 'def', value) > + > + @property > + def policy_constraint(self): > + return getattr(self, 'constraint') > + > + @policy_constraint.setter > + def policy_constraint(self, value): > + setattr(self, 'constraint', value) > + > + @classmethod > + def from_json(cls, json_value): > + return cls(json_value['id'], PolicyDefault.from_json(json_value['def']), > + PolicyConstraint.from_json(json_value['constraint'])) > + > + > +class ProfilePolicySet(object): > + """ > + Stores a list of ProfilePolicy objects. > + """ > + def __init__(self): > + self.policies = [] > + > + @classmethod > + def from_json(cls, attr_list): > + policy_set = cls() > + > + policies = attr_list['policies'] > + if not isinstance(policies, types.ListType): > + policy_set.policies.append(ProfilePolicy.from_json(policies)) > + else: > + for policy in policies: > + policy_set.policies.append(ProfilePolicy.from_json(policy)) > + > + return policy_set > -- > 1.8.5.3 > > >From ae8c2c3bbe0c4ac6ab62b6a58c71ce1899fe8c74 Mon Sep 17 00:00:00 2001 > From: Abhishek Koneru > Date: Tue, 20 May 2014 21:01:24 -0400 > Subject: [PATCH] Initial patch for ProfileClient implementation > > This patch adds methods for listing profiles, retrieving aprofile, > enabling a profile and disabling a profile. > It also contains few cosmetic changes in account.py and > client.py(pycharm PEP8 warnings addressed) > --- > base/common/python/pki/profile.py | 357 +++++++++++++++++++++++++++++++++++++- > 1 file changed, 356 insertions(+), 1 deletion(-) > > diff --git a/base/common/python/pki/profile.py b/base/common/python/pki/profile.py > index 490db0994cacf927ced96b5ed43790fda4327894..83cd8bcca0d9ad3841b0b6b74e2aa4a6724e5bbc 100644 > --- a/base/common/python/pki/profile.py > +++ b/base/common/python/pki/profile.py > @@ -8,6 +8,8 @@ Created on May 13,, 2014 > import types > > import pki > +import pki.client as client > +import pki.account as account > > > class ProfileDataInfo(object): > @@ -325,7 +327,8 @@ class ProfileOutput(object): > profile_output = cls() > profile_output.profile_output_id = json_value['id'] > profile_output.name = json_value['name'] > - profile_output.text = json_value['text'] > + if 'text' in json_value: > + profile_output.text = json_value['text'] > profile_output.class_id = json_value['classId'] > attributes = json_value['attributes'] > if not isinstance(attributes, types.ListType): > @@ -575,3 +578,355 @@ class ProfilePolicySet(object): > policy_set.policies.append(ProfilePolicy.from_json(policy)) > > return policy_set > + > + > +class PolicySet(object): > + """ > + An object of this class contains a name value pair of the > + policy name and the ProfilePolicy object. > + """ > + def __init__(self, name=None, policy_list=None): > + self.name = name > + if policy_list is None: > + self.policy_list = [] > + else: > + self.policy_list = policy_list > + > + @property > + def name(self): > + return getattr(self, 'id') > + > + @name.setter > + def name(self, value): > + setattr(self, 'id', value) > + > + @property > + def policy_list(self): > + return getattr(self, 'value') > + > + @policy_list.setter > + def policy_list(self, value): > + setattr(self, 'value', value) > + > + @classmethod > + def from_json(cls, json_value): > + policy_set = cls() > + > + policy_set.name = json_value['id'] > + policies = json_value['value'] > + if not isinstance(policies, types.ListType): > + policy_set.policy_list.append(ProfilePolicy.from_json(policies)) > + else: > + for policy in policies: > + policy_set.policy_list.append(ProfilePolicy.from_json(policy)) > + > + > +class PolicySetList(object): > + """ > + An object of this class stores a list of ProfileSet objects. > + """ > + > + def __init__(self, policy_sets=None): > + if policy_sets is None: > + self.policy_sets = [] > + else: > + self.policy_sets = policy_sets > + > + @property > + def policy_sets(self): > + return getattr(self, 'PolicySet') > + > + @policy_sets.setter > + def policy_sets(self, value): > + setattr(self, 'PolicySet', value) > + > + @classmethod > + def from_json(cls, json_value): > + policy_set_list = cls() > + policy_sets = json_value['PolicySet'] > + if not isinstance(policy_sets, types.ListType): > + policy_set_list.policy_sets.append(PolicySet.from_json(policy_sets)) > + else: > + for policy_set in policy_sets: > + policy_set_list.policy_sets.append(PolicySet.from_json(policy_set)) > + > + > +class ProfileData(object): > + """ > + This class represents an enrollment profile. > + """ > + > + def __init__(self, profile_id=None, class_id=None, name=None, description=None, enabled=None, visible=None, > + enabled_by=None, authenticator_id=None, authorization_acl=None, renewal=None, xml_output=None, > + inputs=None, outputs=None, policy_sets=None, link=None): > + > + self.profile_id = profile_id > + self.name = name > + self.class_id = class_id > + self.description = description > + self.enabled = enabled > + self.visible = visible > + self.enabled_by = enabled_by > + self.authenticator_id = authenticator_id > + self.authorization_acl = authorization_acl > + self.renewal = renewal > + self.xml_output = xml_output > + if inputs is None: > + self.inputs = [] > + else: > + self.inputs = inputs > + if outputs is None: > + self.outputs = [] > + else: > + self.outputs = outputs > + if policy_sets is None: > + self.policy_sets = [] > + else: > + self.policy_sets = policy_sets > + self.link = link > + > + @property > + def profile_id(self): > + return getattr(self, 'id') > + > + @profile_id.setter > + def profile_id(self, value): > + setattr(self, 'id', value) > + > + @property > + def class_id(self): > + return getattr(self, 'classId') > + > + @class_id.setter > + def class_id(self, value): > + setattr(self, 'classId', value) > + > + @property > + def enabled_by(self): > + return getattr(self, 'enabledBy') > + > + @enabled_by.setter > + def enabled_by(self, value): > + setattr(self, 'enabledBy', value) > + > + @property > + def authenticator_id(self): > + return getattr(self, 'authenticatorId') > + > + @authenticator_id.setter > + def authenticator_id(self, value): > + setattr(self, 'authenticatorId', value) > + > + @property > + def authorization_acl(self): > + return getattr(self, 'authzAcl') > + > + @authorization_acl.setter > + def authorization_acl(self, value): > + setattr(self, 'authzAcl', value) > + > + @property > + def xml_output(self): > + return getattr(self, 'xmlOutput') > + > + @xml_output.setter > + def xml_output(self, value): > + setattr(self, 'xmlOutput', value) > + > + @property > + def inputs(self): > + return getattr(self, 'Input') > + > + @inputs.setter > + def inputs(self, value): > + setattr(self, 'Input', value) > + > + @property > + def outputs(self): > + return getattr(self, 'Output') > + > + @outputs.setter > + def outputs(self, value): > + setattr(self, 'Output', value) > + > + @property > + def policy_sets(self): > + return getattr(self, 'PolicySets') > + > + @policy_sets.setter > + def policy_sets(self, value): > + setattr(self, 'PolicySets', value) > + > + @classmethod > + def from_json(cls, json_value): > + profile_data = cls() > + profile_data.profile_id = json_value['id'] > + profile_data.class_id = json_value['classId'] > + profile_data.name = json_value['name'] > + profile_data.description = json_value['description'] > + profile_data.enabled = json_value['enabled'] > + profile_data.visible = json_value['visible'] > + if 'enabledBy' in json_value: > + profile_data.enabled_by = json_value['enabledBy'] > + if 'authenticatorId' in json_value: > + profile_data.authenticator_id = json_value['authenticatorId'] > + profile_data.authorization_acl = json_value['authzAcl'] > + profile_data.renewal = json_value['renewal'] > + profile_data.xml_output = json_value['xmlOutput'] > + > + profile_inputs = json_value['Input'] > + if not isinstance(profile_inputs, types.ListType): > + profile_data.inputs.append(ProfileInput.from_json(profile_inputs)) > + else: > + for profile_input in profile_inputs: > + profile_data.policy_sets.append(ProfileInput.from_json(profile_input)) > + > + profile_outputs = json_value['Output'] > + if not isinstance(profile_outputs, types.ListType): > + profile_data.outputs.append(ProfileOutput.from_json(profile_outputs)) > + else: > + for profile_output in profile_outputs: > + profile_data.policy_sets.append(ProfileOutput.from_json(profile_output)) > + > + policy_sets = json_value['PolicySets'] > + if not isinstance(policy_sets, types.ListType): > + profile_data.policy_sets.append(PolicySetList.from_json(policy_sets)) > + else: > + for policy_set in policy_sets: > + profile_data.policy_sets.append(PolicySetList.from_json(policy_set)) > + > + profile_data.link = pki.Link.from_json(json_value['link']) > + > + return profile_data > + > + > +class ProfileClient(object): > + """ > + This class consists of methods for accessing the ProfileResource. > + """ > + def __init__(self, connection): > + self.connection = connection > + self.headers = {'Content-type': 'application/json', > + 'Accept': 'application/json'} > + self.profiles_url = '/rest/profiles' > + self.account_client = account.AccountClient(connection) > + > + def _get(self, url, query_params=None, payload=None): > + self.account_client.login() > + r = self.connection.get(url, self.headers, query_params, payload) > + self.account_client.logout() > + return r > + > + def _post(self, url, payload=None, query_params=None): > + self.account_client.login() > + r = self.connection.post(url, payload, self.headers, query_params) > + self.account_client.logout() > + return r > + > + @pki.handle_exceptions() > + def list_profiles(self, start=None, size=None): > + """ > + Fetches the list of profiles. > + The start and size arguments provide pagination support. > + Returns a ProfileDataInfoCollection object. > + """ > + query_params = { > + 'start': start, > + 'size': size > + } > + r = self._get(self.profiles_url, query_params) > + return ProfileDataInfoCollection.from_json(r.json()) > + > + @pki.handle_exceptions() > + def get_profile(self, profile_id): > + """ > + Fetches information for the profile for the given profile id. > + Returns a ProfileData object. > + """ > + if profile_id is None: > + raise ValueError("Profile ID must be specified.") > + url = self.profiles_url + '/' + str(profile_id) > + r = self._get(url) > + return ProfileData.from_json(r.json()) > + > + def _modify_profile_state(self, profile_id, action): > + """ > + Internal method used to modify the profile state. > + """ > + if profile_id is None: > + raise ValueError("Profile ID must be specified.") > + if action is None: > + raise ValueError("A valid action(enable/disable) must be specified.") > + > + url = self.profiles_url + '/' + str(profile_id) > + params = {'action': action} > + self._post(url, query_params=params) > + > + @pki.handle_exceptions() > + def enable_profile(self, profile_id): > + """ > + Enables a profile. > + """ > + return self._modify_profile_state(profile_id, 'enable') > + > + @pki.handle_exceptions() > + def disable_profile(self, profile_id): > + """ > + Disables a profile. > + """ > + return self._modify_profile_state(profile_id, 'disable') > + > + > +def main(): > + # Initialize a PKIConnection object for the CA > + connection = client.PKIConnection('https', 'localhost', '8443', 'ca') > + > + # The pem file used for authentication. Created from a p12 file using the command - > + # openssl pkcs12 -in -out /tmp/auth.pem -nodes > + connection.set_authentication_cert("/tmp/auth.pem") > + > + #Initialize the ProfileClient class > + profile_client = ProfileClient(connection) > + > + #Fetching a list of profiles > + profile_data_infos = profile_client.list_profiles() > + print('List of profiles:') > + print('-----------------') > + for profile_data_info in profile_data_infos.profile_data_list: > + print(' Profile ID: ' + profile_data_info.profile_id) > + print(' Profile Name: ' + profile_data_info.profile_name) > + print(' Profile Description: ' + profile_data_info.profile_description) > + print > + > + # Get a specific profile > + profile_data = profile_client.get_profile('caUserCert') > + print('Profile Data for caUserCert:') > + print('----------------------------') > + print(' Profile ID: ' + profile_data.profile_id) > + print(' Profile Name: ' + profile_data.name) > + print(' Profile Description: ' + profile_data.description) > + print(' Is profile enabled? ' + str(profile_data.enabled)) > + print(' Is profile visible? ' + str(profile_data.visible)) > + print > + > + # Disabling a profile > + print('Disabling a profile:') > + print('--------------------') > + profile_client.disable_profile('caUserCert') > + profile = profile_client.get_profile('caUserCert') > + print(' Profile ID: ' + profile.profile_id) > + print(' Is profile enabled? ' + str(profile.enabled)) > + print > + > + # Disabling a profile > + print('Enabling a profile:') > + print('-------------------') > + profile_client.enable_profile('caUserCert') > + profile = profile_client.get_profile('caUserCert') > + print(' Profile ID: ' + profile_data.profile_id) > + print(' Is profile enabled? ' + str(profile.enabled)) > + print > + > + > +if __name__ == "__main__": > + main() > \ No newline at end of file > -- > 1.8.5.3 > > >From 4a237ad0edd25ddf378d204e26b835951aaaa3b2 Mon Sep 17 00:00:00 2001 > From: Abhishek Koneru > Date: Fri, 23 May 2014 12:17:38 -0400 > Subject: [PATCH] Addressed comments given for patches 92-2, 93, 94. > > Addressed review comments for the patches that > implement the CertClient and a part of ProfileClient. > > Also includes the pycharm project files in pki/.idea. > --- > .idea/.name | 1 + > .idea/codeStyleSettings.xml | 14 + > .idea/encodings.xml | 5 + > .idea/misc.xml | 5 + > .idea/modules.xml | 9 + > .idea/pki.iml | 9 + > .idea/scopes/scope_settings.xml | 5 + > .idea/vcs.xml | 7 + > .idea/workspace.xml | 780 ++++++++++++++++++++++++++++++++++++++ > base/common/python/pki/account.py | 3 + > base/common/python/pki/cert.py | 480 ++++++++++++++--------- > base/common/python/pki/profile.py | 137 +++++-- > 12 files changed, 1242 insertions(+), 213 deletions(-) > create mode 100644 .idea/.name > create mode 100644 .idea/codeStyleSettings.xml > create mode 100644 .idea/encodings.xml > create mode 100644 .idea/misc.xml > create mode 100644 .idea/modules.xml > create mode 100644 .idea/pki.iml > create mode 100644 .idea/scopes/scope_settings.xml > create mode 100644 .idea/vcs.xml > create mode 100644 .idea/workspace.xml > > diff --git a/.idea/.name b/.idea/.name > new file mode 100644 > index 0000000000000000000000000000000000000000..a1cbd55fe0d55b799879256c4def7367783c2877 > --- /dev/null > +++ b/.idea/.name > @@ -0,0 +1 @@ > +pki > \ No newline at end of file > diff --git a/.idea/codeStyleSettings.xml b/.idea/codeStyleSettings.xml > new file mode 100644 > index 0000000000000000000000000000000000000000..f99399bf8bc3e5c2de6d4ff649dd30eb634a18b7 > --- /dev/null > +++ b/.idea/codeStyleSettings.xml > @@ -0,0 +1,14 @@ > + > + > + > + > + > + > + > diff --git a/.idea/encodings.xml b/.idea/encodings.xml > new file mode 100644 > index 0000000000000000000000000000000000000000..e206d70d8595e2a50675ba11de48efcfa012497d > --- /dev/null > +++ b/.idea/encodings.xml > @@ -0,0 +1,5 @@ > + > + > + > + > + > diff --git a/.idea/misc.xml b/.idea/misc.xml > new file mode 100644 > index 0000000000000000000000000000000000000000..2e6cdab0109625e557c43478dd443d0b3bc05fac > --- /dev/null > +++ b/.idea/misc.xml > @@ -0,0 +1,5 @@ > + > + > + > + > + > diff --git a/.idea/modules.xml b/.idea/modules.xml > new file mode 100644 > index 0000000000000000000000000000000000000000..34a47cab36485cf5819e2ebf3e1f27488da1ff38 > --- /dev/null > +++ b/.idea/modules.xml > @@ -0,0 +1,9 @@ > + > + > + > + > + > + > + > + > + > diff --git a/.idea/pki.iml b/.idea/pki.iml > new file mode 100644 > index 0000000000000000000000000000000000000000..a34a85703f063917904e9e958b91cf9f4a2504e1 > --- /dev/null > +++ b/.idea/pki.iml > @@ -0,0 +1,9 @@ > + > + > + > + > + > + > + > + > + > diff --git a/.idea/scopes/scope_settings.xml b/.idea/scopes/scope_settings.xml > new file mode 100644 > index 0000000000000000000000000000000000000000..922003b8433bcad6ce9778a37628d738faa26389 > --- /dev/null > +++ b/.idea/scopes/scope_settings.xml > @@ -0,0 +1,5 @@ > + > + > + > + > \ No newline at end of file > diff --git a/.idea/vcs.xml b/.idea/vcs.xml > new file mode 100644 > index 0000000000000000000000000000000000000000..c80f2198b5f6863fd489ec8ac6c40a50ac1f7b30 > --- /dev/null > +++ b/.idea/vcs.xml > @@ -0,0 +1,7 @@ > + > + > + > + > + > + > + > diff --git a/.idea/workspace.xml b/.idea/workspace.xml > new file mode 100644 > index 0000000000000000000000000000000000000000..17337d1f91ac4a118650061cd97d58b25b0171a6 > --- /dev/null > +++ b/.idea/workspace.xml > @@ -0,0 +1,780 @@ > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + 1399489373098 > + 1399489373098 > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > + > diff --git a/base/common/python/pki/account.py b/base/common/python/pki/account.py > index 1ab5b2ddb47804771d6cc89cd11f7f1d9b043856..0916ec7cccf25357b75161d08fea32626fdf9486 100644 > --- a/base/common/python/pki/account.py > +++ b/base/common/python/pki/account.py > @@ -18,6 +18,7 @@ > # Copyright (C) 2013 Red Hat, Inc. > # All rights reserved. > # > +import pki > > > class AccountClient: > @@ -25,8 +26,10 @@ class AccountClient: > def __init__(self, connection): > self.connection = connection > > + @pki.handle_exceptions() > def login(self): > self.connection.get('/rest/account/login') > > + @pki.handle_exceptions() > def logout(self): > self.connection.get('/rest/account/logout') > diff --git a/base/common/python/pki/cert.py b/base/common/python/pki/cert.py > index b22307ad1b2c2456257dc9416208e6725234bf9c..c3ed435d1c395060690f8c15a5b83bfac34059f4 100644 > --- a/base/common/python/pki/cert.py > +++ b/base/common/python/pki/cert.py > @@ -14,16 +14,6 @@ import pki.encoder as encoder > import pki.profile as profile > > > -class CertId(object): > - """ > - Class encapsulating a certificate serial number > - """ > - > - def __init__(self, cert_id): > - """ Constructor """ > - self.value = cert_id > - > - > class CertData(object): > """ > Class containing certificate data as returned from getCert() > @@ -43,6 +33,16 @@ class CertData(object): > self.nonce = None > self.link = None > > + def __repr__(self): > + attributes = { > + "CertData": { > + "serial_number": self.serial_number, > + "subject_dn": self.subject_dn, > + "status": self.status > + } > + } > + return str(attributes) > + > @classmethod > def from_json(cls, attr_list): > """ Return CertData object from JSON dict """ > @@ -72,7 +72,7 @@ class CertDataInfo(object): > > def __init__(self): > """ Constructor """ > - self.cert_id = None > + self.serial_number = None > self.subject_dn = None > self.status = None > self.type = None > @@ -85,11 +85,21 @@ class CertDataInfo(object): > self.issued_by = None > self.link = None > > + def __repr__(self): > + obj = { > + "CertDataInfo": { > + 'serial_number': self.serial_number, > + 'subject_dn': self.subject_dn, > + 'type': self.type, > + 'status': self.status > + }} > + return str(obj) > + > @classmethod > def from_json(cls, attr_list): > """ Return CertDataInfo object from JSON dict """ > cert_data_info = cls() > - cert_data_info.cert_id = attr_list['id'] > + cert_data_info.serial_number = attr_list['id'] > cert_data_info.subject_dn = attr_list['SubjectDN'] > cert_data_info.status = attr_list['Status'] > cert_data_info.type = attr_list['Type'] > @@ -107,25 +117,31 @@ class CertDataInfo(object): > > class CertDataInfoCollection(object): > """ > - Class containing list of CertDataInfo objects and their respective link objects. > + Class containing list of CertDataInfo objects and their respective link > + objects. > This data is returned when searching/listing certificate records in the CA. > """ > > def __init__(self): > """ Constructor """ > - self.cert_info_list = [] > + self.cert_data_info_list = [] > self.links = [] > > + def __iter__(self): > + for cert_data_info in self.cert_data_info_list: > + yield cert_data_info > + > @classmethod > def from_json(cls, json_value): > """ Populate object from JSON input """ > ret = cls() > cert_infos = json_value['entries'] > if not isinstance(cert_infos, types.ListType): > - ret.cert_info_list.append(CertDataInfo.from_json(cert_infos)) > + ret.cert_data_info_list.append(CertDataInfo.from_json(cert_infos)) > else: > for cert_info in cert_infos: > - ret.cert_info_list.append(CertDataInfo.from_json(cert_info)) > + ret.cert_data_info_list.append( > + CertDataInfo.from_json(cert_info)) > > links = json_value['Link'] > if not isinstance(links, types.ListType): > @@ -155,6 +171,17 @@ class CertRequestInfo(object): > self.cert_url = None > self.error_message = None > > + def __repr__(self): > + obj = { > + 'CertRequestInfo': { > + 'request_id': self.request_id, > + 'request_type': self.request_type, > + 'request_status': self.request_status, > + 'request_url': self.request_url > + } > + } > + return str(obj) > + > @classmethod > def from_json(cls, attr_list): > cert_request_info = cls() > @@ -163,7 +190,8 @@ class CertRequestInfo(object): > cert_request_info.request_status = attr_list['requestStatus'] > cert_request_info.operation_result = attr_list['operationResult'] > cert_request_info.request_id = \ > - str(cert_request_info.request_url)[(str(cert_request_info.request_url).rfind("/") + 1):] > + str(cert_request_info.request_url)[(str( > + cert_request_info.request_url).rfind("/") + 1):] > #Optional parameters > if 'certId' in attr_list: > cert_request_info.cert_id = attr_list['certId'] > @@ -184,19 +212,25 @@ class CertRequestInfoCollection(object): > """ > > def __init__(self): > - self.cert_info_list = [] > + self.cert_request_info_list = [] > self.links = [] > > + def __iter__(self): > + for cert_request_info in self.cert_request_info_list: > + yield cert_request_info > + > @classmethod > def from_json(cls, json_value): > """ Populate object from JSON input """ > ret = cls() > cert_req_infos = json_value['entries'] > if not isinstance(cert_req_infos, types.ListType): > - ret.cert_info_list.append(CertRequestInfo.from_json(cert_req_infos)) > + ret.cert_request_info_list.append( > + CertRequestInfo.from_json(cert_req_infos)) > else: > for cert_info in cert_req_infos: > - ret.cert_info_list.append(CertRequestInfo.from_json(cert_info)) > + ret.cert_request_info_list.append( > + CertRequestInfo.from_json(cert_info)) > > links = json_value['Link'] > if not isinstance(links, types.ListType): > @@ -215,18 +249,28 @@ class CertSearchRequest(object): > """ > > search_params = {'serial_to': 'serialTo', 'serial_from': 'serialFrom', > - 'email': 'eMail', 'common_name': 'commonName', 'user_id': 'userID', > - 'org_unit': 'orgUnit', 'org': 'org', 'locality': 'locality', > - 'state': 'state', 'country': 'country', 'match_exactly': 'matchExactly', > - 'status': 'status', 'revoked_by': 'revokedBy', 'revoked_on_from': 'revokedOnFrom', > - 'revoked_on_to': 'revokedOnTo', 'revocation_reason': 'revocationReason', > - 'issued_by': 'issuedBy', 'issued_on_from': 'issuedOnFrom', 'issued_on_to': 'issuedOnTo', > - 'valid_not_before_from': 'validNotBeforeFrom', 'valid_not_before_to': 'validNotBeforeTo', > - 'valid_not_after_from': 'validNotAfterFrom', 'valid_not_after_to': 'validNotAfterTo', > - 'validity_operation': 'validityOperation', 'validity_count': 'validityCount', > - 'validity_unit': 'validityUnit', 'cert_type_sub_email_ca': 'certTypeSubEmailCA', > - 'cert_type_sub_ssl_ca': 'certTypeSubSSLCA', 'cert_type_secure_email': 'certTypeSecureEmail', > - 'cert_type_ssl_client': 'certTypeSSLClient', 'cert_type_ssl_server': 'certTypeSSLServer'} > + 'email': 'eMail', 'common_name': 'commonName', > + 'user_id': 'userID', 'org_unit': 'orgUnit', 'org': 'org', > + 'locality': 'locality', 'state': 'state', > + 'country': 'country', 'match_exactly': 'matchExactly', > + 'status': 'status', 'revoked_by': 'revokedBy', > + 'revoked_on_from': 'revokedOnFrom', > + 'revoked_on_to': 'revokedOnTo', > + 'revocation_reason': 'revocationReason', > + 'issued_by': 'issuedBy', 'issued_on_from': 'issuedOnFrom', > + 'issued_on_to': 'issuedOnTo', > + 'valid_not_before_from': 'validNotBeforeFrom', > + 'valid_not_before_to': 'validNotBeforeTo', > + 'valid_not_after_from': 'validNotAfterFrom', > + 'valid_not_after_to': 'validNotAfterTo', > + 'validity_operation': 'validityOperation', > + 'validity_count': 'validityCount', > + 'validity_unit': 'validityUnit', > + 'cert_type_sub_email_ca': 'certTypeSubEmailCA', > + 'cert_type_sub_ssl_ca': 'certTypeSubSSLCA', > + 'cert_type_secure_email': 'certTypeSecureEmail', > + 'cert_type_ssl_client': 'certTypeSSLClient', > + 'cert_type_ssl_server': 'certTypeSSLServer'} > > def __init__(self, **cert_search_params): > """ Constructor """ > @@ -234,59 +278,64 @@ class CertSearchRequest(object): > if len(cert_search_params) == 0: > setattr(self, 'serialNumberRangeInUse', True) > > - for param in cert_search_params: > + for param, value in cert_search_params.viewitems(): > if not param in CertSearchRequest.search_params: > raise ValueError('Invalid search parameter: ' + param) > > - if param == 'serial_to' or param == 'serial_from': > - setattr(self, CertSearchRequest.search_params[param], cert_search_params[param]) > + if param in {'serial_to', 'serial_from'}: > + setattr(self, CertSearchRequest.search_params[param], value) > setattr(self, 'serialNumberRangeInUse', True) > > - if param == 'email' or param == 'common_name' or param == 'user_id' or param == 'org_unit' \ > - or param == 'org' or param == 'locality' or param == 'state' or param == 'country' \ > - or param == 'match_exactly': > - setattr(self, CertSearchRequest.search_params[param], cert_search_params[param]) > + if param in { > + 'email', 'common_name', 'user_id', 'org_unit', 'org', > + 'locality', 'state', 'country', 'match_exactly' > + }: > + setattr(self, CertSearchRequest.search_params[param], value) > setattr(self, 'subjectInUse', True) > > if param == 'status': > - setattr(self, CertSearchRequest.search_params[param], cert_search_params[param]) > + setattr(self, CertSearchRequest.search_params[param], value) > > if param == 'revoked_by': > - setattr(self, CertSearchRequest.search_params[param], cert_search_params[param]) > + setattr(self, CertSearchRequest.search_params[param], value) > setattr(self, 'revokedByInUse', True) > > - if param == 'revoked_on_from' or param == 'revoked_on_to': > - setattr(self, CertSearchRequest.search_params[param], cert_search_params[param]) > + if param in {'revoked_on_from', 'revoked_on_to'}: > + setattr(self, CertSearchRequest.search_params[param], value) > setattr(self, 'revokedOnInUse', True) > > if param == 'revocation_reason': > - setattr(self, CertSearchRequest.search_params[param], cert_search_params[param]) > + setattr(self, CertSearchRequest.search_params[param], value) > setattr(self, 'revocationReasonInUse', True) > > if param == 'issued_by': > - setattr(self, CertSearchRequest.search_params[param], cert_search_params[param]) > + setattr(self, CertSearchRequest.search_params[param], value) > setattr(self, 'issuedByInUse', True) > > - if param == 'issued_on_from' or param == 'issued_on_to': > - setattr(self, CertSearchRequest.search_params[param], cert_search_params[param]) > + if param in {'issued_on_from', 'issued_on_to'}: > + setattr(self, CertSearchRequest.search_params[param], value) > setattr(self, 'issuedOnInUse', True) > > - if param == 'valid_not_before_from' or param == 'valid_not_before_to': > - setattr(self, CertSearchRequest.search_params[param], cert_search_params[param]) > + if param in {'valid_not_before_from', 'valid_not_before_to'}: > + setattr(self, CertSearchRequest.search_params[param], value) > setattr(self, 'validNotBeforeInUse', True) > > - if param == 'valid_not_after_from' or param == 'valid_not_after_to': > - setattr(self, CertSearchRequest.search_params[param], cert_search_params[param]) > + if param in {'valid_not_after_from', 'valid_not_after_to'}: > + setattr(self, CertSearchRequest.search_params[param], value) > setattr(self, 'validNotAfterInUse', True) > > - if param == 'validity_operation' or param == 'validity_count' or param == 'validity_unit': > - setattr(self, CertSearchRequest.search_params[param], cert_search_params[param]) > + if param in { > + 'validity_operation', 'validity_count', 'validity_unit' > + }: > + setattr(self, CertSearchRequest.search_params[param], value) > setattr(self, 'validityLengthInUse', True) > > - if param == 'cert_type_sub_email_ca' or param == 'cert_type_sub_ssl_ca' \ > - or param == 'cert_type_secure_email' or param == 'cert_type_ssl_client' \ > - or param == 'cert_type_ssl_server': > - setattr(self, CertSearchRequest.search_params[param], cert_search_params[param]) > + if param in { > + 'cert_type_sub_email_ca', 'cert_type_sub_ssl_ca', > + 'cert_type_secure_email', 'cert_type_ssl_client', > + 'cert_type_ssl_server' > + }: > + setattr(self, CertSearchRequest.search_params[param], value) > setattr(self, 'certTypeInUse', True) > > > @@ -309,9 +358,25 @@ class CertRevokeRequest(object): > > def __init__(self, nonce, reason=None, invalidity_date=None, comments=None): > """ Constructor """ > + > setattr(self, "Nonce", nonce) > + > if reason is None: > reason = self.REASON_UNSPECIFIED > + else: > + if reason not in { > + CertRevokeRequest.REASON_AA_COMPROMISE, > + CertRevokeRequest.REASON_AFFILIATION_CHANGED, > + CertRevokeRequest.REASON_CA_COMPROMISE, > + CertRevokeRequest.REASON_CERTIFICATE_HOLD, > + CertRevokeRequest.REASON_CESSATION_OF_OPERATION, > + CertRevokeRequest.REASON_KEY_COMPROMISE, > + CertRevokeRequest.REASON_PRIVILEGE_WITHDRAWN, > + CertRevokeRequest.REASON_REMOVE_FROM_CRL, > + CertRevokeRequest.REASON_SUPERSEDED, > + CertRevokeRequest.REASON_UNSPECIFIED > + }: > + raise ValueError('Invalid revocation reason specified.') > setattr(self, "Reason", reason) > if invalidity_date is not None: > setattr(self, "InvalidityDate", invalidity_date) > @@ -321,11 +386,13 @@ class CertRevokeRequest(object): > > class CertEnrollmentRequest(object): > """ > - This class encapsulates the parameters required for a certificate enrollment request. > + This class encapsulates the parameters required for a certificate > + enrollment request. > """ > > - def __init__(self, profile_id=None, renewal=False, serial_number=None, remote_host=None, remote_address=None, > - inputs=None, outputs=None): > + def __init__(self, profile_id=None, renewal=False, serial_number=None, > + remote_host=None, remote_address=None, inputs=None, > + outputs=None): > """ Constructor """ > self.profile_id = profile_id > self.renewal = renewal > @@ -443,14 +510,17 @@ class CertEnrollmentRequest(object): > enroll_request.inputs.append(profile.ProfileInput.from_json(inputs)) > else: > for profile_input in inputs: > - enroll_request.inputs.append(profile.ProfileInput.from_json(profile_input)) > + enroll_request.inputs.append( > + profile.ProfileInput.from_json(profile_input)) > > outputs = json_value['Output'] > if not isinstance(outputs, types.ListType): > - enroll_request.outputs.append(profile.ProfileOutput.from_json(outputs)) > + enroll_request.outputs.append( > + profile.ProfileOutput.from_json(outputs)) > else: > for profile_output in outputs: > - enroll_request.outputs.append(profile.ProfileOutput.from_json(profile_output)) > + enroll_request.outputs.append( > + profile.ProfileOutput.from_json(profile_output)) > > return enroll_request > > @@ -462,14 +532,21 @@ class CertReviewResponse(CertEnrollmentRequest): > It contains a nonce required to perform action on the request. > """ > > - def __init__(self, profile_id=None, renewal=False, serial_number=None, remote_host=None, remote_address=None, > - inputs=None, outputs=None, nonce=None, request_id=None, request_type=None, request_status=None, > - request_owner=None, request_creation_time=None, request_modification_time=None, request_notes=None, > - profile_approval_by=None, profile_set_id=None, profile_is_visible=None, profile_name=None, > - profile_description=None, profile_remote_host=None, profile_remote_address=None, policy_sets=None): > + def __init__(self, profile_id=None, renewal=False, serial_number=None, > + remote_host=None, remote_address=None, inputs=None, > + outputs=None, nonce=None, request_id=None, request_type=None, > + request_status=None, request_owner=None, > + request_creation_time=None, request_modification_time=None, > + request_notes=None, profile_approval_by=None, > + profile_set_id=None, profile_is_visible=None, > + profile_name=None, profile_description=None, > + profile_remote_host=None, profile_remote_address=None, > + policy_sets=None): > > - super(CertReviewResponse, self).__init__(profile_id, renewal, serial_number, remote_host, > - remote_address, inputs, outputs) > + super(CertReviewResponse, self).__init__(profile_id, renewal, > + serial_number, remote_host, > + remote_address, inputs, > + outputs) > self.nonce = nonce > self.request_id = request_id > self.request_type = request_type > @@ -622,8 +699,10 @@ class CertReviewResponse(CertEnrollmentRequest): > review_response.request_type = json_value['requestType'] > review_response.request_status = json_value['requestStatus'] > review_response.request_owner = json_value['requestOwner'] > - review_response.request_creation_time = json_value['requestCreationTime'] > - review_response.request_modification_time = json_value['requestModificationTime'] > + review_response.request_creation_time = \ > + json_value['requestCreationTime'] > + review_response.request_modification_time = \ > + json_value['requestModificationTime'] > review_response.request_notes = json_value['requestNotes'] > review_response.profile_approved_by = json_value['profileApprovedBy'] > review_response.profile_set_id = json_value['profileSetId'] > @@ -635,18 +714,20 @@ class CertReviewResponse(CertEnrollmentRequest): > > profile_policy_sets = json_value['ProfilePolicySet'] > if not isinstance(profile_policy_sets, types.ListType): > - review_response.policy_sets.append(profile.ProfilePolicySet.from_json(profile_policy_sets)) > + review_response.policy_sets.append( > + profile.ProfilePolicySet.from_json(profile_policy_sets)) > else: > for policy_set in profile_policy_sets: > - review_response.policy_sets.append(profile.ProfilePolicySet.from_json(policy_set)) > + review_response.policy_sets.append( > + profile.ProfilePolicySet.from_json(policy_set)) > > return review_response > > > class CertClient(object): > """ > - Class encapsulating and mirroring the functionality in the CertResource Java interface class > - defining the REST API for Certificate resources. > + Class encapsulating and mirroring the functionality in the CertResource > + Java interface class defining the REST API for Certificate resources. > """ > > def __init__(self, connection): > @@ -661,101 +742,123 @@ class CertClient(object): > self.enrollment_templates = {} > > @pki.handle_exceptions() > - def get_cert(self, cert_id): > + def get_cert(self, cert_serial_number): > """ Return a CertData object for a particular certificate. """ > - if cert_id is None: > + if cert_serial_number is None: > raise ValueError("Certificate ID must be specified") > > - url = self.cert_url + '/' + str(cert_id) > + url = self.cert_url + '/' + str(cert_serial_number) > r = self.connection.get(url, self.headers) > return CertData.from_json(r.json()) > > @pki.handle_exceptions() > - def list_certs(self, max_results=None, max_time=None, start=None, size=None, **cert_search_params): > - """ Return a CertDataInfoCollection object with a information about all the > - certificates that satisfy the search criteria. > + def list_certs(self, max_results=None, max_time=None, start=None, size=None, > + **cert_search_params): > + """ Return a CertDataInfoCollection object with a information about all > + the certificates that satisfy the search criteria. > If cert_search_request=None, returns all the certificates. > """ > url = self.cert_url + '/search' > - query_params = {"maxResults": max_results, "maxTime": max_time, "start": start, "size": size} > + query_params = {"maxResults": max_results, "maxTime": max_time, > + "start": start, "size": size} > cert_search_request = CertSearchRequest(**cert_search_params) > - search_request = json.dumps(cert_search_request, cls=encoder.CustomTypeEncoder, sort_keys=True) > - response = self.connection.post(url, search_request, self.headers, query_params) > + search_request = json.dumps(cert_search_request, > + cls=encoder.CustomTypeEncoder, > + sort_keys=True) > + response = self.connection.post(url, search_request, self.headers, > + query_params) > return CertDataInfoCollection.from_json(response.json()) > > @pki.handle_exceptions() > - def review_cert(self, cert_id): > + def review_cert(self, cert_serial_number): > """ Reviews a certificate. Returns a CertData object with a nonce. > - This method requires an agent's authentication cert in the connection object. > + This method requires an agent's authentication cert in the > + connection object. > """ > - if cert_id is None: > + if cert_serial_number is None: > raise ValueError("Certificate ID must be specified") > > - url = self.agent_cert_url + '/' + str(cert_id) > + url = self.agent_cert_url + '/' + str(cert_serial_number) > r = self.connection.get(url, self.headers) > return CertData.from_json(r.json()) > > - def _submit_revoke_request(self, url, cert_id, revocation_reason=None, invalidity_date=None, comments=None, > - nonce=None): > + def _submit_revoke_request(self, url, cert_serial_number, > + revocation_reason=None, invalidity_date=None, > + comments=None, nonce=None): > """ > Submits a certificate revocation request. > Expects the URL for submitting the request. > Creates a CertRevokeRequest object using the arguments provided. > - If nonce is passed as an argument, reviews the cert to get a nonce from the server > - and passes it in the request. > + If nonce is passed as an argument, reviews the cert to get a nonce > + from the server and passes it in the request. > Returns a CertRequestInfo object. > """ > - if cert_id is None: > + if cert_serial_number is None: > raise ValueError("Certificate ID must be specified") > > if url is None: > raise ValueError("URL not specified") > > if nonce is None: > - cert_data = self.review_cert(cert_id) > + cert_data = self.review_cert(cert_serial_number) > nonce = cert_data.nonce > - request = CertRevokeRequest(nonce, revocation_reason, invalidity_date, comments) > - revoke_request = json.dumps(request, cls=encoder.CustomTypeEncoder, sort_keys=True) > + request = CertRevokeRequest(nonce, revocation_reason, invalidity_date, > + comments) > + revoke_request = json.dumps(request, cls=encoder.CustomTypeEncoder, > + sort_keys=True) > r = self.connection.post(url, revoke_request, headers=self.headers) > return CertRequestInfo.from_json(r.json()) > > @pki.handle_exceptions() > - def revoke_cert(self, cert_id, revocation_reason=None, invalidity_date=None, comments=None, nonce=None): > + def revoke_cert(self, cert_serial_number, revocation_reason=None, > + invalidity_date=None, comments=None, nonce=None): > """ Revokes a certificate. > Returns a CertRequestInfo object with information about the request. > - This method requires an agent's authentication cert in the connection object. > + This method requires an agent's authentication cert in the > + connection object. > """ > - url = self.agent_cert_url + '/' + str(cert_id) + '/revoke' > - return self._submit_revoke_request(url, cert_id, revocation_reason, invalidity_date, comments, nonce) > + url = self.agent_cert_url + '/' + str(cert_serial_number) + '/revoke' > + return self._submit_revoke_request(url, cert_serial_number, > + revocation_reason, invalidity_date, > + comments, nonce) > > @pki.handle_exceptions() > - def revoke_ca_cert(self, cert_id, revocation_reason=None, invalidity_date=None, comments=None, nonce=None): > + def revoke_ca_cert(self, cert_serial_number, revocation_reason=None, > + invalidity_date=None, comments=None, nonce=None): > """ Revokes a CA certificate. > Returns a CertRequestInfo object with information about the request. > - This method requires an agent's authentication cert in the connection object. > + This method requires an agent's authentication cert in the > + connection object. > """ > - url = self.agent_cert_url + '/' + str(cert_id) + '/revoke-ca' > - return self._submit_revoke_request(url, cert_id, revocation_reason, invalidity_date, comments, nonce) > + url = self.agent_cert_url + '/' + str(cert_serial_number) + '/revoke-ca' > + return self._submit_revoke_request(url, cert_serial_number, > + revocation_reason, invalidity_date, > + comments, nonce) > > @pki.handle_exceptions() > - def hold_cert(self, cert_id, comments=None): > + def hold_cert(self, cert_serial_number, comments=None): > """ Places a certificate on-hold. > - Calls the revoke_cert method with reason - CertRevokeRequest.REASON_CERTIFICATE_HOLD. > + Calls the revoke_cert method with reason - > + CertRevokeRequest.REASON_CERTIFICATE_HOLD. > Returns a CertRequestInfo object. > - This method requires an agent's authentication cert in the connection object. > + This method requires an agent's authentication cert in the > + connection object. > """ > - return self.revoke_cert(cert_id, CertRevokeRequest.REASON_CERTIFICATE_HOLD, comments=comments) > + return self.revoke_cert(cert_serial_number, > + CertRevokeRequest.REASON_CERTIFICATE_HOLD, > + comments=comments) > > @pki.handle_exceptions() > - def unrevoke_cert(self, cert_id): > + def unrevoke_cert(self, cert_serial_number): > """ Un-revokes a revoked certificate. > Returns a CertRequestInfo object. > - This method requires an agent's authentication cert in the connection object. > + This method requires an agent's authentication cert in the > + connection object. > """ > - if cert_id is None: > + if cert_serial_number is None: > raise ValueError("Certificate ID must be specified") > > - url = self.agent_cert_url + '/' + str(cert_id) + '/unrevoke' > + url = self.agent_cert_url + '/' + str(cert_serial_number) + '/unrevoke' > r = self.connection.post(url, None, headers=self.headers) > return CertRequestInfo.from_json(r.json()) > > @@ -774,8 +877,9 @@ class CertClient(object): > return CertRequestInfo.from_json(r.json()) > > @pki.handle_exceptions() > - def list_requests(self, request_status=None, request_type=None, from_request_id=None, size=None, > - max_results=None, max_time=None): > + def list_requests(self, request_status=None, request_type=None, > + from_request_id=None, size=None, max_results=None, > + max_time=None): > """ > Query for a list of certificates using the arguments passed. > Returns a CertRequestInfoCollection object. > @@ -789,7 +893,8 @@ class CertClient(object): > 'maxResults': max_results, > 'maxTime': max_time > } > - r = self.connection.get(self.agent_cert_requests_url, self.headers, query_params) > + r = self.connection.get(self.agent_cert_requests_url, self.headers, > + query_params) > return CertRequestInfoCollection.from_json(r.json()) > > @pki.handle_exceptions() > @@ -819,15 +924,17 @@ class CertClient(object): > cert_review_response = self.review_request(request_id) > > url = self.agent_cert_requests_url + '/' + request_id + '/' + action > - review_response = json.dumps(cert_review_response, cls=encoder.CustomTypeEncoder, sort_keys=True) > + review_response = json.dumps(cert_review_response, > + cls=encoder. CustomTypeEncoder, > + sort_keys=True) > r = self.connection.post(url, review_response, headers=self.headers) > return r > > def approve_request(self, request_id, cert_review_response=None): > """ > Approves a certificate enrollment request. > - If cert_review_response is None, a review request operation is performed to fetch the > - CertReviewResponse object. > + If cert_review_response is None, a review request operation is performed > + to fetch the CertReviewResponse object. > Requires as agent level authentication. > """ > return self._perform_action(request_id, cert_review_response, 'approve') > @@ -835,8 +942,8 @@ class CertClient(object): > def cancel_request(self, request_id, cert_review_response=None): > """ > Cancels a certificate enrollment request. > - If cert_review_response is None, a review request operation is performed to fetch the > - CertReviewResponse object. > + If cert_review_response is None, a review request operation is performed > + to fetch the CertReviewResponse object. > Requires as agent level authentication. > """ > return self._perform_action(request_id, cert_review_response, 'cancel') > @@ -844,8 +951,8 @@ class CertClient(object): > def reject_request(self, request_id, cert_review_response=None): > """ > Rejects a certificate enrollment request. > - If cert_review_response is None, a review request operation is performed to fetch the > - CertReviewResponse object. > + If cert_review_response is None, a review request operation is performed > + to fetch the CertReviewResponse object. > Requires as agent level authentication. > """ > return self._perform_action(request_id, cert_review_response, 'reject') > @@ -853,17 +960,18 @@ class CertClient(object): > def validate_request(self, request_id, cert_review_response): > """ > Validates a certificate enrollment request. > - If cert_review_response is None, a review request operation is performed to fetch the > - CertReviewResponse object. > + If cert_review_response is None, a review request operation is performed > + to fetch the CertReviewResponse object. > Requires as agent level authentication. > """ > - return self._perform_action(request_id, cert_review_response, 'validate') > + return self._perform_action(request_id, cert_review_response, > + 'validate') > > def update_request(self, request_id, cert_review_response): > """ > Updates a certificate enrollment request. > - If cert_review_response is None, a review request operation is performed to fetch the > - CertReviewResponse object. > + If cert_review_response is None, a review request operation is performed > + to fetch the CertReviewResponse object. > Requires as agent level authentication. > """ > return self._perform_action(request_id, cert_review_response, 'update') > @@ -871,8 +979,8 @@ class CertClient(object): > def assign_request(self, request_id, cert_review_response): > """ > Assigns a certificate enrollment request. > - If cert_review_response is None, a review request operation is performed to fetch the > - CertReviewResponse object. > + If cert_review_response is None, a review request operation is performed > + to fetch the CertReviewResponse object. > Requires as agent level authentication. > """ > return self._perform_action(request_id, cert_review_response, 'assign') > @@ -880,17 +988,19 @@ class CertClient(object): > def unassign_request(self, request_id, cert_review_response): > """ > Un-assigns a certificate enrollment request. > - If cert_review_response is None, a review request operation is performed to fetch the > - CertReviewResponse object. > + If cert_review_response is None, a review request operation is performed > + to fetch the CertReviewResponse object. > Requires as agent level authentication. > """ > - return self._perform_action(request_id, cert_review_response, 'unassign') > + return self._perform_action(request_id, cert_review_response, > + 'unassign') > > @pki.handle_exceptions() > def list_enrollment_templates(self, start=None, size=None): > """ > Gets the list of profile templates supported by the CA. > - The values for start and size arguments determine the starting point and the length of the list. > + The values for start and size arguments determine the starting point and > + the length of the list. > Returns a ProfileDataInfoCollection object. > """ > > @@ -900,7 +1010,6 @@ class CertClient(object): > 'size': size > } > r = self.connection.get(url, self.headers, query_params) > - print r > return profile.ProfileDataInfoCollection.from_json(r.json()) > > @pki.handle_exceptions() > @@ -908,10 +1017,13 @@ class CertClient(object): > """ > Fetch the enrollment template for the given profile id. > For the first time, the request is sent to the server. > - The retrieved CertEnrollmentRequest object is then cached locally for future requests. > + The retrieved CertEnrollmentRequest object is then cached locally for > + future requests. > Returns a CerEnrollmentRequest object. > """ > > + if profile_id is None: > + raise ValueError("Profile ID must be specified.") > if profile_id in self.enrollment_templates: > return copy.deepcopy(self.enrollment_templates[profile_id]) > url = self.cert_requests_url + '/profiles/' + str(profile_id) > @@ -927,8 +1039,10 @@ class CertClient(object): > def create_enrollment_request(self, profile_id, inputs): > """ > Fetches the enrollment request object for the given profile and > - sets values to its attributes using the values provided in the inputs dictionary. > - Returns the CertEnrollmentRequest object, which can be submitted to enroll a certificate. > + sets values to its attributes using the values provided in the inputs > + dictionary. > + Returns the CertEnrollmentRequest object, which can be submitted to > + enroll a certificate. > """ > if inputs is None or len(inputs) == 0: > raise ValueError("No inputs provided.") > @@ -945,42 +1059,48 @@ class CertClient(object): > def submit_enrollment_request(self, enrollment_request): > """ > Submits the CertEnrollmentRequest object to the server. > - Returns a CertRequestInfoCollection object with information about the certificate requests > - enrolled at the CA. > + Returns a CertRequestInfoCollection object with information about the > + certificate requests enrolled at the CA. > """ > - request_object = json.dumps(enrollment_request, cls=encoder.CustomTypeEncoder, sort_keys=True) > - r = self.connection.post(self.cert_requests_url, request_object, self.headers) > + request_object = json.dumps(enrollment_request, > + cls=encoder.CustomTypeEncoder, > + sort_keys=True) > + r = self.connection.post(self.cert_requests_url, request_object, > + self.headers) > return CertRequestInfoCollection.from_json(r.json()) > > @pki.handle_exceptions() > def enroll_cert(self, profile_id, inputs): > """ > A convenience method for enrolling a certificate for a given profile id. > - The inputs parameter should be a dictionary with values for the profile attributes > - for an enrollment request. > + The inputs parameter should be a dictionary with values for the profile > + attributes for an enrollment request. > > - Calling this method with valid arguments, creates an enrollment request, submits it > - to the server, approves the certificate requests generated for the enrollment and > - returns a list of CertData objects for all the certificates generated as part of this > - enrollment. > + Calling this method with valid arguments, creates an enrollment request, > + submits it to the server, approves the certificate requests generated > + for the enrollment and returns a list of CertData objects for all the > + certificates generated as part of this enrollment. > > - Note: This method supports only certificate enrollment where only one agent approval > - is sufficient. > + Note: This method supports only certificate enrollment where only one > + agent approval is sufficient. > > Requires an agent level authentication. > + Returns a list of CertData objects. > """ > > - # Create a CertEnrollmentRequest object using the inputs for the given profile id. > + # Create a CertEnrollmentRequest object using the inputs for the given > + # profile id. > enroll_request = self.create_enrollment_request(profile_id, inputs) > > # Submit the enrollment request > cert_request_infos = self.submit_enrollment_request(enroll_request) > > # Approve the requests generated for the certificate enrollment. > - # Fetch the CertData objects for all the certificates created and return to the caller. > + # Fetch the CertData objects for all the certificates created and > + # return to the caller. > > certificates = [] > - for cert_request_info in cert_request_infos.cert_info_list: > + for cert_request_info in cert_request_infos.cert_request_info_list: > request_id = cert_request_info.request_id > self.approve_request(request_id) > cert_id = self.get_request(request_id).cert_id > @@ -1010,7 +1130,8 @@ def main(): > # Create a PKIConnection object that stores the details of the CA. > connection = client.PKIConnection('https', 'localhost', '8443', 'ca') > > - # The pem file used for authentication. Created from a p12 file using the command - > + # The pem file used for authentication. Created from a p12 file using the > + # command - > # openssl pkcs12 -in -out /tmp/auth.pem -nodes > connection.set_authentication_cert("/tmp/auth.pem") > > @@ -1025,13 +1146,19 @@ def main(): > > inputs = dict() > inputs['cert_request_type'] = 'crmf' > - inputs['cert_request'] = "MIIBpDCCAaAwggEGAgUA5n9VYTCBx4ABAqUOMAwxCjAIBgNVBAMTAXimgZ8wDQYJKoZIhvcNAQEBBQAD" \ > - "gY0AMIGJAoGBAK/SmUVoUjBtqHNw/e3OoCSXw42pdQSR53/eYJWpf7nyTbZ9UuIhGfXOtxy5vRetmDHE" \ > - "9u0AopmuJbr1rL17/tSnDakpkE9umQ2lMOReLloSdX32w2xOeulUwh5BGbFpq10S0SvW1H93Vn0eCy2a" \ > - "a4UtILNEsp7JJ3FnYJibfuMPAgMBAAGpEDAOBgNVHQ8BAf8EBAMCBeAwMzAVBgkrBgEFBQcFAQEMCHJl" \ > - "Z1Rva2VuMBoGCSsGAQUFBwUBAgwNYXV0aGVudGljYXRvcqGBkzANBgkqhkiG9w0BAQUFAAOBgQCuywnr" \ > - "Dk/wGwfbguw9oVs9gzFQwM4zeFbk+z82G5CWoG/4mVOT5LPL5Q8iF+KfnaU9Qcu6zZPxW6ZmDd8WpPJ+" \ > - "MTPyQl3Q5BfiKa4l5ra1NeqxMOlMiiupwINmm7jd1KaA2eIjuyC8/gTaO4b14R6aRaOj+Scp9cNYbthA7REhJw==" > + inputs['cert_request'] = "MIIBpDCCAaAwggEGAgUA5n9VYTCBx4ABAqUOMAwxCjAIBgN" \ > + "VBAMTAXimgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAK" \ > + "/SmUVoUjBtqHNw/e3OoCSXw42pdQSR53/eYJWpf7nyTbZ9U" \ > + "uIhGfXOtxy5vRetmDHE9u0AopmuJbr1rL17/tSnDakpkE9u" \ > + "mQ2lMOReLloSdX32w2xOeulUwh5BGbFpq10S0SvW1H93Vn0" \ > + "eCy2aa4UtILNEsp7JJ3FnYJibfuMPAgMBAAGpEDAOBgNVHQ" \ > + "8BAf8EBAMCBeAwMzAVBgkrBgEFBQcFAQEMCHJlZ1Rva2VuM" \ > + "BoGCSsGAQUFBwUBAgwNYXV0aGVudGljYXRvcqGBkzANBgkq" \ > + "hkiG9w0BAQUFAAOBgQCuywnrDk/wGwfbguw9oVs9gzFQwM4" \ > + "zeFbk+z82G5CWoG/4mVOT5LPL5Q8iF+KfnaU9Qcu6zZPxW6" \ > + "ZmDd8WpPJ+MTPyQl3Q5BfiKa4l5ra1NeqxMOlMiiupwINmm" \ > + "7jd1KaA2eIjuyC8/gTaO4b14R6aRaOj+Scp9cNYbthA7REh" \ > + "Jw==" > inputs['sn_uid'] = 'test12345' > inputs['sn_e'] = 'example at redhat.com' > inputs['sn_cn'] = 'TestUser' > @@ -1053,13 +1180,18 @@ def main(): > > inputs = dict() > inputs['cert_request_type'] = 'pkcs10' > - inputs['cert_request'] = "MIIBmDCCAQECAQAwWDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk5DMRAwDgYDVQQHDAdSYWxlaWdoMRUwE" \ > - "wYDVQQKDAxSZWQgSGF0IEluYy4xEzARBgNVBAMMClRlc3RTZXJ2ZXIwgZ8wDQYJKoZIhvcNAQEBBQADgY" \ > - "0AMIGJAoGBAMJpWz92dSYCvWxllrQCY5atPKCswUwyppRNGPnKmJ77AdHBBI4dFyET+h/+69jQMTLZMa8" \ > - "FX7SbyHvgbgLBP4Q/RzCSE2S87qFNjriOqiQCqJmcrzDzdncJQiP+O7T6MSpLo3smLP7dK1Vd7vK0Vy8y" \ > - "HwV0eBx7DgYedv2slBPHAgMBAAGgADANBgkqhkiG9w0BAQUFAAOBgQBvkxAGKwkfK3TKwLc5Mg0IWp8zG" \ > - "RVwxdIlghAL8DugNocCNNgmZazglJOOehLuk0/NkLX1ZM5RrVgM09W6kcfWZtIwr5Uje2K/+6tW2ZTGrb" \ > - "izs7CNOTMzA/9H8CkHb4H9P/qRT275zHIocYj4smUnXLwWGsBMeGs+OMMbGvSrHg==" > + inputs['cert_request'] = "MIIBmDCCAQECAQAwWDELMAkGA1UEBhMCVVMxCzAJBgNVBAg" \ > + "MAk5DMRAwDgYDVQQHDAdSYWxlaWdoMRUwEwYDVQQKDAxSZW" \ > + "QgSGF0IEluYy4xEzARBgNVBAMMClRlc3RTZXJ2ZXIwgZ8wD" \ > + "QYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMJpWz92dSYCvWxl" \ > + "lrQCY5atPKCswUwyppRNGPnKmJ77AdHBBI4dFyET+h/+69j" \ > + "QMTLZMa8FX7SbyHvgbgLBP4Q/RzCSE2S87qFNjriOqiQCqJ" \ > + "mcrzDzdncJQiP+O7T6MSpLo3smLP7dK1Vd7vK0Vy8yHwV0e" \ > + "Bx7DgYedv2slBPHAgMBAAGgADANBgkqhkiG9w0BAQUFAAOB" \ > + "gQBvkxAGKwkfK3TKwLc5Mg0IWp8zGRVwxdIlghAL8DugNoc" \ > + "CNNgmZazglJOOehLuk0/NkLX1ZM5RrVgM09W6kcfWZtIwr5" \ > + "Uje2K/+6tW2ZTGrbizs7CNOTMzA/9H8CkHb4H9P/qRT275z" \ > + "HIocYj4smUnXLwWGsBMeGs+OMMbGvSrHg==" > > inputs['requestor_name'] = 'Tester' > inputs['requestor_email'] = 'example at redhat.com' > @@ -1080,8 +1212,8 @@ def main(): > > search_params = {'status': 'VALID'} > cert_data_list = cert_client.list_certs(**search_params) > - for cert_data_info in cert_data_list.cert_info_list: > - print("Serial Number: " + cert_data_info.cert_id) > + for cert_data_info in cert_data_list: > + print("Serial Number: " + cert_data_info.serial_number) > print("Subject DN: " + cert_data_info.subject_dn) > print("Status: " + cert_data_info.status) > print > @@ -1099,7 +1231,8 @@ def main(): > > # Certificate Serial Number used for CertClient methods. > # 7, 0x7 and '0x7' are also valid values > - # Following examples use the serial number of the user certificate enrolled before. > + # Following examples use the serial number of the user certificate enrolled > + # before. > cert_id = cert_data_infos[0].serial_number > > #Get certificate data > @@ -1136,9 +1269,8 @@ def main(): > print('Revoking a certificate') > print('----------------------') > > - cert_request_info = cert_client.revoke_cert(cert_data.serial_number, > - revocation_reason=CertRevokeRequest.REASON_CERTIFICATE_HOLD, > - comments="Test revoking a cert", nonce=cert_data.nonce) > + cert_request_info = cert_client.hold_cert(cert_data.serial_number, > + comments="Test revoking a cert") > print('Request ID: ' + cert_request_info.request_id) > print('Request Type: ' + cert_request_info.request_type) > print('Request Status: ' + cert_request_info.request_status) > diff --git a/base/common/python/pki/profile.py b/base/common/python/pki/profile.py > index 83cd8bcca0d9ad3841b0b6b74e2aa4a6724e5bbc..0f2b4e3106260807433bf870706a6334d62c637c 100644 > --- a/base/common/python/pki/profile.py > +++ b/base/common/python/pki/profile.py > @@ -20,6 +20,17 @@ class ProfileDataInfo(object): > self.profile_description = None > self.profile_url = None > > + def __repr__(self): > + attributes = { > + "ProfileDataInfo": { > + 'profile_id': self.profile_id, > + 'name': self.profile_name, > + 'description': self.profile_description, > + 'url': self.profile_url > + } > + } > + return str(attributes) > + > @classmethod > def from_json(cls, attr_list): > profile_data_info = cls() > @@ -41,15 +52,21 @@ class ProfileDataInfoCollection(object): > self.profile_data_list = [] > self.links = [] > > + def __iter__(self): > + for profile_data_info in self.profile_data_list: > + yield profile_data_info > + > @classmethod > def from_json(cls, json_value): > ret = cls() > profile_data_infos = json_value['entries'] > if not isinstance(profile_data_infos, types.ListType): > - ret.profile_data_list.append(ProfileDataInfo.from_json(profile_data_infos)) > + ret.profile_data_list.append( > + ProfileDataInfo.from_json(profile_data_infos)) > else: > for profile_info in profile_data_infos: > - ret.profile_data_list.append(ProfileDataInfo.from_json(profile_info)) > + ret.profile_data_list.append( > + ProfileDataInfo.from_json(profile_info)) > > links = json_value['Link'] > if not isinstance(links, types.ListType): > @@ -64,10 +81,12 @@ class ProfileDataInfoCollection(object): > class Descriptor(object): > """ > This class represents the description of a ProfileAttribute. > - It stores information such as the syntax, constraint and default value of a profile attribute. > + It stores information such as the syntax, constraint and default value of > + a profile attribute. > """ > > - def __init__(self, syntax=None, constraint=None, description=None, default_value=None): > + def __init__(self, syntax=None, constraint=None, description=None, > + default_value=None): > self.syntax = syntax > self.constraint = constraint > self.description = description > @@ -158,8 +177,8 @@ class ProfileInput(object): > Ex. Subject name, Requestor Information etc. > """ > > - def __init__(self, profile_input_id=None, class_id=None, name=None, text=None, attributes=None, > - config_attributes=None): > + def __init__(self, profile_input_id=None, class_id=None, name=None, > + text=None, attributes=None, config_attributes=None): > > self.profile_input_id = profile_input_id > self.class_id = class_id > @@ -261,17 +280,21 @@ class ProfileInput(object): > > attributes = json_value['Attribute'] > if not isinstance(attributes, types.ListType): > - profile_input.attributes.append(ProfileAttribute.from_json(attributes)) > + profile_input.attributes.append( > + ProfileAttribute.from_json(attributes)) > else: > for profile_info in attributes: > - profile_input.attributes.append(ProfileAttribute.from_json(profile_info)) > + profile_input.attributes.append( > + ProfileAttribute.from_json(profile_info)) > > config_attributes = json_value['ConfigAttribute'] > if not isinstance(config_attributes, types.ListType): > - profile_input.config_attributes.append(ProfileAttribute.from_json(config_attributes)) > + profile_input.config_attributes.append( > + ProfileAttribute.from_json(config_attributes)) > else: > for config_attribute in config_attributes: > - profile_input.config_attributes.append(ProfileAttribute.from_json(config_attribute)) > + profile_input.config_attributes.append( > + ProfileAttribute.from_json(config_attribute)) > > return profile_input > > @@ -282,7 +305,8 @@ class ProfileOutput(object): > using a profile. > """ > > - def __init__(self, profile_output_id=None, name=None, text=None, class_id=None, attributes=None): > + def __init__(self, profile_output_id=None, name=None, text=None, > + class_id=None, attributes=None): > self.profile_output_id = profile_output_id > self.name = name > self.text = text > @@ -332,10 +356,12 @@ class ProfileOutput(object): > profile_output.class_id = json_value['classId'] > attributes = json_value['attributes'] > if not isinstance(attributes, types.ListType): > - profile_output.attributes.append(ProfileAttribute.from_json(attributes)) > + profile_output.attributes.append( > + ProfileAttribute.from_json(attributes)) > else: > for profile_info in attributes: > - profile_output.attributes.append(ProfileAttribute.from_json(profile_info)) > + profile_output.attributes.append( > + ProfileAttribute.from_json(profile_info)) > return profile_output > > > @@ -355,10 +381,12 @@ class ProfileParameter(object): > > class PolicyDefault(object): > """ > - An object of this class contains information of the default usage of a specific ProfileInput. > + An object of this class contains information of the default usage of a > + specific ProfileInput. > """ > > - def __init__(self, name=None, class_id=None, description=None, policy_attributes=None, policy_params=None): > + def __init__(self, name=None, class_id=None, description=None, > + policy_attributes=None, policy_params=None): > self.name = name > self.class_id = class_id > self.description = description > @@ -415,18 +443,22 @@ class PolicyDefault(object): > if 'policyAttribute' in json_value: > attributes = json_value['policyAttribute'] > if not isinstance(attributes, types.ListType): > - policy_def.policy_attributes.append(ProfileAttribute.from_json(attributes)) > + policy_def.policy_attributes.append( > + ProfileAttribute.from_json(attributes)) > else: > for attr in attributes: > - policy_def.policy_attributes.append(ProfileAttribute.from_json(attr)) > + policy_def.policy_attributes.append( > + ProfileAttribute.from_json(attr)) > > if 'params' in json_value: > params = json_value['params'] > if not isinstance(params, types.ListType): > - policy_def.policy_params.append(ProfileParameter.from_json(params)) > + policy_def.policy_params.append( > + ProfileParameter.from_json(params)) > else: > for param in params: > - policy_def.policy_params.append(ProfileParameter.from_json(param)) > + policy_def.policy_params.append( > + ProfileParameter.from_json(param)) > > return policy_def > > @@ -460,11 +492,12 @@ class PolicyConstraintValue(object): > > class PolicyConstraint(object): > """ > - An object of this class contains the policy constraints applied to a ProfileInput > - used by a certificate enrollment request. > + An object of this class contains the policy constraints applied to a > + ProfileInput used by a certificate enrollment request. > """ > > - def __init__(self, name=None, description=None, class_id=None, policy_constraint_values=None): > + def __init__(self, name=None, description=None, class_id=None, > + policy_constraint_values=None): > self.name = name > self.description = description > self.class_id = class_id > @@ -509,10 +542,12 @@ class PolicyConstraint(object): > if 'constraint' in json_value: > constraints = json_value['constraint'] > if not isinstance(constraints, types.ListType): > - policy_constraint.policy_constraint_values.append(PolicyConstraintValue.from_json(constraints)) > + policy_constraint.policy_constraint_values.append( > + PolicyConstraintValue.from_json(constraints)) > else: > for constraint in constraints: > - policy_constraint.policy_constraint_values.append(PolicyConstraintValue.from_json(constraint)) > + policy_constraint.policy_constraint_values.append( > + PolicyConstraintValue.from_json(constraint)) > > return policy_constraint > > @@ -520,11 +555,13 @@ class PolicyConstraint(object): > class ProfilePolicy(object): > """ > This class represents the policy a profile adheres to. > - An object of this class stores the default values for profile and the constraints present on the > - values of the attributes of the profile submitted for an enrollment request. > + An object of this class stores the default values for profile and the > + constraints present on the values of the attributes of the profile submitted > + for an enrollment request. > """ > > - def __init__(self, policy_id=None, policy_default=None, policy_constraint=None): > + def __init__(self, policy_id=None, policy_default=None, > + policy_constraint=None): > self.policy_id = policy_id > self.policy_default = policy_default > self.policy_constraint = policy_constraint > @@ -648,7 +685,8 @@ class PolicySetList(object): > policy_set_list.policy_sets.append(PolicySet.from_json(policy_sets)) > else: > for policy_set in policy_sets: > - policy_set_list.policy_sets.append(PolicySet.from_json(policy_set)) > + policy_set_list.policy_sets.append( > + PolicySet.from_json(policy_set)) > > > class ProfileData(object): > @@ -656,9 +694,11 @@ class ProfileData(object): > This class represents an enrollment profile. > """ > > - def __init__(self, profile_id=None, class_id=None, name=None, description=None, enabled=None, visible=None, > - enabled_by=None, authenticator_id=None, authorization_acl=None, renewal=None, xml_output=None, > - inputs=None, outputs=None, policy_sets=None, link=None): > + def __init__(self, profile_id=None, class_id=None, name=None, > + description=None, enabled=None, visible=None, enabled_by=None, > + authenticator_id=None, authorization_acl=None, renewal=None, > + xml_output=None, inputs=None, outputs=None, policy_sets=None, > + link=None): > > self.profile_id = profile_id > self.name = name > @@ -779,26 +819,43 @@ class ProfileData(object): > profile_data.inputs.append(ProfileInput.from_json(profile_inputs)) > else: > for profile_input in profile_inputs: > - profile_data.policy_sets.append(ProfileInput.from_json(profile_input)) > + profile_data.inputs.append( > + ProfileInput.from_json(profile_input)) > > profile_outputs = json_value['Output'] > if not isinstance(profile_outputs, types.ListType): > - profile_data.outputs.append(ProfileOutput.from_json(profile_outputs)) > + profile_data.outputs.append( > + ProfileOutput.from_json(profile_outputs)) > else: > for profile_output in profile_outputs: > - profile_data.policy_sets.append(ProfileOutput.from_json(profile_output)) > + profile_data.outputs.append( > + ProfileOutput.from_json(profile_output)) > > policy_sets = json_value['PolicySets'] > if not isinstance(policy_sets, types.ListType): > - profile_data.policy_sets.append(PolicySetList.from_json(policy_sets)) > + profile_data.policy_sets.append( > + PolicySetList.from_json(policy_sets)) > else: > for policy_set in policy_sets: > - profile_data.policy_sets.append(PolicySetList.from_json(policy_set)) > + profile_data.policy_sets.append( > + PolicySetList.from_json(policy_set)) > > profile_data.link = pki.Link.from_json(json_value['link']) > > return profile_data > > + def __repr__(self): > + attributes = { > + "ProfileData": { > + 'profile_id': self.profile_id, > + 'name': self.name, > + 'description': self.description, > + 'status': ('enabled' if self.enabled else 'disabled'), > + 'visible': self.visible > + } > + } > + return str(attributes) > + > > class ProfileClient(object): > """ > @@ -856,7 +913,8 @@ class ProfileClient(object): > if profile_id is None: > raise ValueError("Profile ID must be specified.") > if action is None: > - raise ValueError("A valid action(enable/disable) must be specified.") > + raise ValueError("A valid action(enable/disable) must be " > + "specified.") > > url = self.profiles_url + '/' + str(profile_id) > params = {'action': action} > @@ -881,7 +939,8 @@ def main(): > # Initialize a PKIConnection object for the CA > connection = client.PKIConnection('https', 'localhost', '8443', 'ca') > > - # The pem file used for authentication. Created from a p12 file using the command - > + # The pem file used for authentication. Created from a p12 file using the > + # command - > # openssl pkcs12 -in -out /tmp/auth.pem -nodes > connection.set_authentication_cert("/tmp/auth.pem") > > @@ -892,7 +951,7 @@ def main(): > profile_data_infos = profile_client.list_profiles() > print('List of profiles:') > print('-----------------') > - for profile_data_info in profile_data_infos.profile_data_list: > + for profile_data_info in profile_data_infos: > print(' Profile ID: ' + profile_data_info.profile_id) > print(' Profile Name: ' + profile_data_info.profile_name) > print(' Profile Description: ' + profile_data_info.profile_description) > -- > 1.8.5.3 > > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel From akoneru at redhat.com Fri May 30 20:13:53 2014 From: akoneru at redhat.com (Abhishek Koneru) Date: Fri, 30 May 2014 16:13:53 -0400 Subject: [Pki-devel] [PATCH] 96 Updated man page for pki key CLI commands (Ticket 945) Message-ID: <1401480833.5379.1.camel@akoneru.redhat.com> Please review the patch which updates the man pages for the pki key CLI commands. --Abhishek -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-akoneru-0096-Updated-man-page-for-pki-key-commands.patch Type: text/x-patch Size: 9134 bytes Desc: not available URL: From cfu at redhat.com Fri May 30 22:07:56 2014 From: cfu at redhat.com (Christina Fu) Date: Fri, 30 May 2014 15:07:56 -0700 Subject: [Pki-devel] [PATCH] pki-cfu-0009-TPS-Token-Profile-Resolver-Plugin-Framework-Ticket-4.patch Message-ID: <5389013C.1070500@redhat.com> This patch implements a Token Profile Resolver Plugin Framework for TPS. It allows a site to implement its own token profile resolver. The TokenProfileResolverManager initializes the token Resolver plugin framework from the following configuration files: - /conf/registry.cfg - /conf/CS.cfg The existing mapping method "getTokenType" was extracted into the default plugin code: MappingTokenProfileResolver. All resolver plugin codes will extend from BaseTokenProfileResolver. The most visible change from sites running previous versions of TPS is that the mapping related config params e.g. op.format.mapping.xxx have now being extracted into token resolver instance params e.g. tokenProfileResolver.formatMappingResolver.mapping.xxxx where "class_id" defines the plugin implementation name defined in the registry.cfg and op.format.tokenProfileResolver points to the defined resolver instance e.g. op.format.tokenProfileResolver=formatMappingResolver A separate ticket will be filed to provide actual plugin writing instruction as well as a sample plugin. Finally, even though this patch does not directly address https://fedorahosted.org/pki/ticket/447 RFE: Mapping tokens to tokentype, where the request was to figure out the tokenType (Token profile) by uid instead of the current mapping method, it provides the means for one to write any customized plugins. thanks, Christina -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-cfu-0009-TPS-Token-Profile-Resolver-Plugin-Framework-Ticket-4.patch Type: text/x-patch Size: 62645 bytes Desc: not available URL: From jmagne at redhat.com Sat May 31 00:06:00 2014 From: jmagne at redhat.com (John Magne) Date: Fri, 30 May 2014 20:06:00 -0400 (EDT) Subject: [Pki-devel] [PATCH] pki-cfu-0009-TPS-Token-Profile-Resolver-Plugin-Framework-Ticket-4.patch In-Reply-To: <5389013C.1070500@redhat.com> References: <5389013C.1070500@redhat.com> Message-ID: <1226089808.23476585.1401494760081.JavaMail.zimbra@redhat.com> Couple of initial comments on this after looking over it: 1. Your TokenProfileParams class has this hash map. private HashMap content = new HashMap(); Then when we add items and get items from this thing, we have to do some fancy footwork to account for the fact that the "Object" part is holding either a String value or an int value. My opinion after doing some research is that this is kind of awkward. A couple of possible solutions: 1. Have the HashMap hold . When we want an int we just convert back and forth from string. This is done often when processing http name value pairs and such. 2. Instead of relying upon the "get" method of the hash map to return encoded values, maybe have the parent object "TokenProfileParams" have two separate methods getString() and getInt(). Each one would take the key name and output the proper value, int or String 2. We have the following abstract base class: public abstract class BaseTokenProfileResolver The abstract class sounds like a good way to have some base functionality to be used by derived classes. I also believe that the idea is to declare some abstract methods that forces derived classes to implement these methods. In this case it sounds like the following method would be a good candidate for abstract: public String getTokenType(TokenProfileParams pPram); ----- Original Message ----- > From: "Christina Fu" > To: pki-devel at redhat.com > Sent: Friday, May 30, 2014 3:07:56 PM > Subject: [Pki-devel] [PATCH] pki-cfu-0009-TPS-Token-Profile-Resolver-Plugin-Framework-Ticket-4.patch > > This patch implements a Token Profile Resolver Plugin Framework for > TPS. It allows a site to implement its own token profile resolver. > > The TokenProfileResolverManager initializes the token Resolver plugin > framework from the following configuration files: > - /conf/registry.cfg > - /conf/CS.cfg > > The existing mapping method "getTokenType" was extracted into the > default plugin code: MappingTokenProfileResolver. All resolver plugin > codes will extend from BaseTokenProfileResolver. > > The most visible change from sites running previous versions of TPS is > that the mapping related config params > e.g. op.format.mapping.xxx > have now being extracted into token resolver instance params > e.g. tokenProfileResolver.formatMappingResolver.mapping.xxxx > where "class_id" defines the plugin implementation name defined in the > registry.cfg > and op.format.tokenProfileResolver points to the defined resolver instance > e.g. op.format.tokenProfileResolver=formatMappingResolver > > A separate ticket will be filed to provide actual plugin writing > instruction as well as a sample plugin. > > Finally, even though this patch does not directly address > https://fedorahosted.org/pki/ticket/447 RFE: Mapping tokens to > tokentype, where the request was to figure out the tokenType (Token > profile) by uid instead of the current mapping method, it provides the > means for one to write any customized plugins. > > thanks, > Christina > > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel From mharmsen at redhat.com Sat May 31 03:46:12 2014 From: mharmsen at redhat.com (Matthew Harmsen) Date: Fri, 30 May 2014 20:46:12 -0700 Subject: [Pki-devel] [PATCH] 96 Updated man page for pki key CLI commands (Ticket 945) In-Reply-To: <1401480833.5379.1.camel@akoneru.redhat.com> References: <1401480833.5379.1.camel@akoneru.redhat.com> Message-ID: <53895084.9040003@redhat.com> On 05/30/14 13:13, Abhishek Koneru wrote: > Please review the patch which updates the man pages for the pki key CLI > commands. > > --Abhishek > > > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel Abhishek, What is there, is fine. However, the man page as is, is not very useful since it presumes a great deal of knowledge! I would strongly urge you to provide an EXAMPLES section utilizing sample agent authentication. For example, at the very least, please provide the most basic scenario of showing exactly what one would specify in a default installation of a CA and KRA to simply perform a "key-find" and a "key-show" using client certification. I would also suggest that you add your name to the list of Authors of this man page. -- Matt -------------- next part -------------- An HTML attachment was scrubbed... URL: