From tjaalton at ubuntu.com Fri Dec 2 10:01:38 2016
From: tjaalton at ubuntu.com (Timo Aaltonen)
Date: Fri, 2 Dec 2016 12:01:38 +0200
Subject: [Pki-devel] port to tomcat 8.5?
Message-ID: <584bea78-91a6-9918-68f6-c8e7396b6e73@ubuntu.com>

Hi

Debian recently switched to tomcat 8.5 which broke Dogtag. First issue that I found was that Http11Protocol is no more, need to use Http11NioProtocol. Fixing that it then fails with:

02-Dec-2016 11:26:05.270 SEVERE [main] org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
 at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:113)
 at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
 at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
 at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
 at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
 at org.apache.catalina.startup.Catalina.load(Catalina.java:606)
 at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 at java.lang.reflect.Method.invoke(Method.java:498)
 at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
 at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
Caused by: java.lang.NoClassDefFoundError: org/apache/tomcat/util/net/ServerSocketFactory
...

I see Fedora is still at 8.0, so no-one has tried 8.5 yet?

-- 
t

From tjaalton at ubuntu.com Sat Dec 3 11:00:54 2016
From: tjaalton at ubuntu.com (Timo Aaltonen)
Date: Sat, 3 Dec 2016 13:00:54 +0200
Subject: [Pki-devel] port to tomcat 8.5?
In-Reply-To: <63ef425c-2c92-d904-2c82-41e7d1fb94e4@debian.org>
References: <63ef425c-2c92-d904-2c82-41e7d1fb94e4@debian.org>
Message-ID: <2c824d3c-f3db-33f5-4977-2ad2300538ec@ubuntu.com>

On 02.12.2016 12:01, Timo Aaltonen wrote:
>
> Hi
>
> Debian recently switched to tomcat 8.5 which broke Dogtag. First issue that I found was that Http11Protocol is no more, need to use Http11NioProtocol. Fixing that it then fails with:
>
> 02-Dec-2016 11:26:05.270 SEVERE [main] org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[HTTP/1.1-8443]]
> org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:113)
> at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:606)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
> Caused by: java.lang.NoClassDefFoundError: org/apache/tomcat/util/net/ServerSocketFactory
> ...
>
> I see Fedora is still at 8.0, so no-one has tried 8.5 yet?

Looks like tomcat 8.5 breaks the build as well for both dogtag and tomcatjss.
Debian freeze is in Jan 5th, this needs to be fixed well before x-mas just to be on the safe side :/ dogtag build log: http://pastebin.com/gabUtiTy tomcatjss build log: http://pastebin.com/3qrh5Eqp -- t From ftweedal at redhat.com Wed Dec 7 04:33:09 2016 From: ftweedal at redhat.com (Fraser Tweedale) Date: Wed, 7 Dec 2016 14:33:09 +1000 Subject: [Pki-devel] [PATCH] 0142 LDAPProfileSubsystem: log exception if profile creation fails Message-ID: <20161207043309.GH28337@dhcp-40-8.bne.redhat.com> Attached patch logs exception if profile creation fails. Pushed under one-liner/trivial rule. Thanks, Fraser -------------- next part -------------- From 9b13a4d0a3750c01b025f3eeebd438cb2e6ea07b Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 6 Dec 2016 19:48:40 +1000 Subject: [PATCH 142/143] LDAPProfileSubsystem: log exception if profile creation fails Part of: https://fedorahosted.org/pki/ticket/1359 --- .../cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java | 1 + 1 file changed, 1 insertion(+) diff --git a/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java index fd5aa64eed8385ad18a307b6addaee6222d9f9cf..213c7a9f19f93ded4c42b6c06768a893a1257f71 100644 --- a/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java +++ b/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java @@ -199,6 +199,7 @@ public class LDAPProfileSubsystem CMS.debug("Done Profile Creation - " + profileId); } catch (EProfileException e) { CMS.debug("Error creating profile '" + profileId + "'; skipping."); + CMS.debug(e); } } } -- 2.7.4 From ftweedal at redhat.com Wed Dec 7 04:34:03 2016 
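Review bot: the added CMS.debug(e) in the LDAPProfileSubsystem catch block only records the cause when debug logging is enabled, while the profile is skipped unconditionally; because a profile that silently fails to load changes which enrollment profiles the CA offers, consider logging the exception at a level that is on by default as well, so the cause is visible in a production log and not only when debug output is turned on.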
From: ftweedal at redhat.com (Fraser Tweedale) Date: Wed, 7 Dec 2016 14:34:03 +1000 Subject: [Pki-devel] [PATCH] 0143 Remove unused string constant Message-ID: <20161207043403.GI28337@dhcp-40-8.bne.redhat.com> What it says on the tin. Pushed under one-liner rule. Thanks, Fraser -------------- next part -------------- From 01956aedf62f20713ca191c254a20f0b50d8e7af Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Wed, 7 Dec 2016 14:23:18 +1000 Subject: [PATCH 143/143] Remove unused string constant Part of: https://fedorahosted.org/pki/ticket/1359 --- base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java | 1 - 1 file changed, 1 deletion(-) diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java index 606b6afaa60c48bb6eec2602b86ae1ed68a22d26..bb3cfa84a423fe452ef55fb20e23c03911831690 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java +++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java @@ -116,7 +116,6 @@ public class CAProcessor extends Processor { public static final String AUTHZ_MGR = "authzMgr"; public static final String GET_CLIENT_CERT = "getClientCert"; public static final String ACL_INFO = "ACLinfo"; - public static final String AUTHORITY_ID = "authorityId"; public static final String PROFILE_SUB_ID = "profileSubId"; public final static String LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED = -- 2.7.4 From ftweedal at redhat.com Wed Dec 7 04:39:22 2016 
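Review bot: removing the public constant AUTHORITY_ID ("authorityId") from CAProcessor is a source-incompatible change for any out-of-tree subclass or plugin that referenced it, and the diffstat (one file, one deletion) only shows that nothing in-tree uses it; the commit message should state that explicitly. It is also worth noting there that a differently valued IRequest.AUTHORITY_ID ("req_authority_id") is introduced in patch 0146 of this series, so the removal here is what prevents two same-named constants with different values from coexisting.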
From: ftweedal at redhat.com (Fraser Tweedale) Date: Wed, 7 Dec 2016 14:39:22 +1000 Subject: [Pki-devel] [PATCH] 0144..0146 Move IRequest extdata-related constants Message-ID: <20161207043922.GJ28337@dhcp-40-8.bne.redhat.com> The attached patches relocate / redefine some constants that are used as keys when setting or getting IRequest extdata attributes. In some cases this removes duplicate constants or string literals. In other cases it actually defines a new constant. In all cases the key now uses a constant defined in IRequest, which is the appropriate place. This is refactoring work undertaken as part of GSSAPI support. Thanks, Fraser -------------- next part -------------- From 31d9026f2be5204dd4742ce00542bc80b614d9b9 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Wed, 7 Dec 2016 12:25:01 +1000 Subject: [PATCH 144/146] Define "auth_token" IRequest extdata key prefix in one place Part of: https://fedorahosted.org/pki/ticket/1359 --- base/common/src/com/netscape/certsrv/request/IRequest.java | 4 ++++ .../cms/src/com/netscape/cms/servlet/cert/CertProcessor.java | 9 +++++++-- .../src/com/netscape/cms/servlet/processors/CAProcessor.java | 1 - .../cms/servlet/profile/ProfileSubmitCMCServlet.java | 12 +++++++----- 4 files changed, 18 insertions(+), 8 deletions(-) diff --git a/base/common/src/com/netscape/certsrv/request/IRequest.java b/base/common/src/com/netscape/certsrv/request/IRequest.java index c892dbb1dc5d75d4b44e4e26b584f94717b2457c..f17f560de75e54cb7650ee06d870f3d1491e52ac 100644 --- a/base/common/src/com/netscape/certsrv/request/IRequest.java +++ b/base/common/src/com/netscape/certsrv/request/IRequest.java 
@@ -85,6 +85,10 @@ public interface IRequest extends Serializable { // server attributes: attributes generated by server modules. public static final String SERVER_ATTRS = "SERVER_ATTRS"; + // Sometimes individual IAuthToken fields get set in request + // extdata, with key ("auth_token." + field_name). + public static final String AUTH_TOKEN_PREFIX = "auth_token"; + public static final String RESULT = "Result"; // service result. public static final Integer RES_SUCCESS = Integer.valueOf(1); // result value public static final Integer RES_ERROR = Integer.valueOf(2); // result value diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java index 17b453ab5d82bd7c18612263f01e297a4e9df3da..cb5efa0b0e14274e0c4a9393522ab18071f60fd8 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java +++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java @@ -310,12 +310,17 @@ public class CertProcessor extends CAProcessor { String[] tokenVals = authToken.getInStringArray(tokenName); if (tokenVals != null) { for (int i = 0; i < tokenVals.length; i++) { - req.setExtData(ARG_AUTH_TOKEN + "." + tokenName + "[" + i + "]", tokenVals[i]); + req.setExtData( + IRequest.AUTH_TOKEN_PREFIX + + "." + tokenName + "[" + i + "]" + , tokenVals[i]); } } else { String tokenVal = authToken.getInString(tokenName); if (tokenVal != null) { - req.setExtData(ARG_AUTH_TOKEN + "." + tokenName, tokenVal); + req.setExtData( + IRequest.AUTH_TOKEN_PREFIX + "." + tokenName, + tokenVal); // if RA agent, auto assign the request if (tokenName.equals("uid")) uid = tokenVal; diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java index bb3cfa84a423fe452ef55fb20e23c03911831690..ae91f649541db5ce77679844ad7a4fec680e99e9 100644 
--- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java +++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java @@ -72,7 +72,6 @@ import netscape.security.x509.X509CertImpl; public class CAProcessor extends Processor { - public final static String ARG_AUTH_TOKEN = "auth_token"; public final static String ARG_REQUEST_OWNER = "requestOwner"; public final static String HDR_LANG = "accept-language"; public final static String ARG_PROFILE = "profile"; diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java index f3adc5e85e58e3fb2dbf47984cfeca6797cd569b..6191031905626cc7acb6ccbdc41ff84942baf86f 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java +++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java @@ -76,7 +76,6 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { * */ private static final long serialVersionUID = -8017841111435988197L; - private static final String ARG_AUTH_TOKEN = "auth_token"; private static final String PROP_PROFILE_ID = "profileId"; private String mProfileId = null; @@ -545,14 +544,17 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { String[] vals = authToken.getInStringArray(tokenName); if (vals != null) { for (int i = 0; i < vals.length; i++) { - reqs[k].setExtData(ARG_AUTH_TOKEN + "." + - tokenName + "[" + i + "]", vals[i]); + reqs[k].setExtData( + IRequest.AUTH_TOKEN_PREFIX + + "." + tokenName + "[" + i + "]", + vals[i]); } } else { String val = authToken.getInString(tokenName); if (val != null) { - reqs[k].setExtData(ARG_AUTH_TOKEN + "." + tokenName, - val); + reqs[k].setExtData( + IRequest.AUTH_TOKEN_PREFIX + "." + tokenName, + val); } } } -- 2.7.4 -------------- next part -------------- From eb0c0fdf115639a5cf3ed9beb1ab2df0553e1627 Mon Sep 17 00:00:00 2001 
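Review bot: in the CertProcessor hunk the multi-line setExtData call puts the argument separator at the start of a line (`, tokenVals[i]);`), which is inconsistent with the trailing-comma layout used in the ProfileSubmitCMCServlet hunk of the same patch and with the surrounding code; align both on the trailing-comma form. More substantively, the key is still assembled by hand as IRequest.AUTH_TOKEN_PREFIX + "." + tokenName (+ "[" + i + "]") in two servlets; a single helper that builds the auth-token extdata key would remove the remaining duplication and make a later change of the prefix a one-line edit. The refactor is behaviour-preserving as far as the hunks show, since the new constant has the same value "auth_token" as the two ARG_AUTH_TOKEN constants it replaces.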
From: Fraser Tweedale Date: Wed, 7 Dec 2016 13:40:04 +1000 Subject: [PATCH 145/146] Define "profileId" IRequest extdata key in one place Part of: https://fedorahosted.org/pki/ticket/1359 --- base/ca/src/com/netscape/ca/CAService.java | 4 ++-- base/ca/src/org/dogtagpki/legacy/ca/CAPolicy.java | 4 ++-- base/common/src/com/netscape/certsrv/request/IRequest.java | 2 ++ base/kra/src/com/netscape/kra/EnrollmentService.java | 6 +++--- .../src/com/netscape/cms/listeners/CertificateIssuedListener.java | 2 +- .../cms/src/com/netscape/cms/listeners/RequestInQListener.java | 2 +- .../server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java | 2 +- .../cms/src/com/netscape/cms/servlet/cert/CertRequestDAO.java | 2 +- .../cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java | 2 +- .../cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java | 4 ++-- .../cms/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java | 4 ++-- .../src/com/netscape/cms/servlet/connector/ConnectorServlet.java | 4 ++-- .../cms/src/com/netscape/cms/servlet/processors/CAProcessor.java | 1 - .../src/com/netscape/cms/servlet/profile/ProfileProcessServlet.java | 2 +- .../src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java | 2 +- .../cms/src/com/netscape/cms/servlet/request/CheckRequest.java | 2 +- .../cmscore/src/com/netscape/cmscore/connector/RequestTransfer.java | 2 +- .../cmscore/src/com/netscape/cmscore/ldap/LdapRequestListener.java | 2 +- .../org/dogtagpki/legacy/core/policy/GenericPolicyProcessor.java | 2 +- 19 files changed, 26 insertions(+), 25 deletions(-) diff --git a/base/ca/src/com/netscape/ca/CAService.java b/base/ca/src/com/netscape/ca/CAService.java index 9bf237ffd7060c1955b8e163a0c94c62db6739b1..31df1537e337e669a5221c938b7454c72337d254 100644 --- a/base/ca/src/com/netscape/ca/CAService.java +++ b/base/ca/src/com/netscape/ca/CAService.java 
@@ -308,7 +308,7 @@ public class CAService implements ICAService, IService { } public boolean isProfileRequest(IRequest request) { - String profileId = request.getExtDataInString("profileId"); + String profileId = request.getExtDataInString(IRequest.PROFILE_ID); if (profileId == null || profileId.equals("")) return false; @@ -325,7 +325,7 @@ public class CAService implements ICAService, IService { CMS.debug("CAService: serviceProfileRequest requestId=" + request.getRequestId().toString()); - String profileId = request.getExtDataInString("profileId"); + String profileId = request.getExtDataInString(IRequest.PROFILE_ID); if (profileId == null || profileId.equals("")) { throw new EBaseException("profileId not found"); diff --git a/base/ca/src/org/dogtagpki/legacy/ca/CAPolicy.java b/base/ca/src/org/dogtagpki/legacy/ca/CAPolicy.java index 75c2945882c7ce9c2fceb7228d848a7432ace7ae..878955e6e2b7b93714fb7906efe3c8658b0646d2 100644 --- a/base/ca/src/org/dogtagpki/legacy/ca/CAPolicy.java +++ b/base/ca/src/org/dogtagpki/legacy/ca/CAPolicy.java @@ -82,7 +82,7 @@ public class CAPolicy implements IPolicy { } public boolean isProfileRequest(IRequest request) { - String profileId = request.getExtDataInString("profileId"); + String profileId = request.getExtDataInString(IRequest.PROFILE_ID); if (profileId == null || profileId.equals("")) return false; @@ -110,7 +110,7 @@ public class CAPolicy implements IPolicy { CMS.debug("CAPolicy: requestId=" + r.getRequestId().toString()); - String profileId = r.getExtDataInString("profileId"); + String profileId = r.getExtDataInString(IRequest.PROFILE_ID); if (profileId == null || profileId.equals("")) { return PolicyResult.REJECTED; diff --git a/base/common/src/com/netscape/certsrv/request/IRequest.java b/base/common/src/com/netscape/certsrv/request/IRequest.java index f17f560de75e54cb7650ee06d870f3d1491e52ac..b83d5309e0b2aaf271cf4fba3c1ee7d13b347a58 100644 --- a/base/common/src/com/netscape/certsrv/request/IRequest.java 
+++ b/base/common/src/com/netscape/certsrv/request/IRequest.java @@ -89,6 +89,8 @@ public interface IRequest extends Serializable { // extdata, with key ("auth_token." + field_name). public static final String AUTH_TOKEN_PREFIX = "auth_token"; + public static final String PROFILE_ID = "profileId"; + public static final String RESULT = "Result"; // service result. public static final Integer RES_SUCCESS = Integer.valueOf(1); // result value public static final Integer RES_ERROR = Integer.valueOf(2); // result value diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java index 398d1780275f9106271f3c83e958d7e618febaf8..f901b5767d61e143c47ab23fad0595cff46d6421 100644 --- a/base/kra/src/com/netscape/kra/EnrollmentService.java +++ b/base/kra/src/com/netscape/kra/EnrollmentService.java @@ -195,7 +195,7 @@ public class EnrollmentService implements IService { byte tmp_unwrapped[] = null; PKIArchiveOptionsContainer aOpts[] = null; - String profileId = request.getExtDataInString("profileId"); + String profileId = request.getExtDataInString(IRequest.PROFILE_ID); if (profileId == null || profileId.equals("")) { try { @@ -759,7 +759,7 @@ public class EnrollmentService implements IService { * @exception EBaseException failed to retrieve public key */ private X509Key getPublicKey(IRequest request, int i) throws EBaseException { - String profileId = request.getExtDataInString("profileId"); + String profileId = request.getExtDataInString(IRequest.PROFILE_ID); if (profileId != null && !profileId.equals("")) { byte[] certKeyData = request.getExtDataInByteArray(IEnrollProfile.REQUEST_KEY); 
@@ -822,7 +822,7 @@ public class EnrollmentService implements IService { private String getOwnerName(IRequest request, int i) throws EBaseException { - String profileId = request.getExtDataInString("profileId"); + String profileId = request.getExtDataInString(IRequest.PROFILE_ID); if (profileId != null && !profileId.equals("")) { CertificateSubjectName sub = request.getExtDataInCertSubjectName( diff --git a/base/server/cms/src/com/netscape/cms/listeners/CertificateIssuedListener.java b/base/server/cms/src/com/netscape/cms/listeners/CertificateIssuedListener.java index 44ff46a9be2721ab01eda8b376de74302f4cb937..6d119e1336be1379ef79e63089aefbf172760f53 100644 --- a/base/server/cms/src/com/netscape/cms/listeners/CertificateIssuedListener.java +++ b/base/server/cms/src/com/netscape/cms/listeners/CertificateIssuedListener.java @@ -180,7 +180,7 @@ public class CertificateIssuedListener implements IRequestListener { CMS.debug("CertificateIssuedListener: accept check status "); // check if it is profile request - String profileId = r.getExtDataInString("profileId"); + String profileId = r.getExtDataInString(IRequest.PROFILE_ID); // check if request failed. if (profileId == null) { diff --git a/base/server/cms/src/com/netscape/cms/listeners/RequestInQListener.java b/base/server/cms/src/com/netscape/cms/listeners/RequestInQListener.java index f1f396ca3343977fb9f2334d525d82ecf85a14b5..3c2c15123cae0cab674b3803b40d8fdfa0eafe0c 100644 --- a/base/server/cms/src/com/netscape/cms/listeners/RequestInQListener.java +++ b/base/server/cms/src/com/netscape/cms/listeners/RequestInQListener.java @@ -198,7 +198,7 @@ public class RequestInQListener implements IRequestListener { mConfig.getName()); Object val = null; - String profileId = r.getExtDataInString("profileId"); + String profileId = r.getExtDataInString(IRequest.PROFILE_ID); if (profileId == null) { val = r.getExtDataInString(IRequest.HTTP_PARAMS, "csrRequestorEmail"); 
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java index cb5efa0b0e14274e0c4a9393522ab18071f60fd8..026f4d4af5c2316ae8a93b2ecc62bc398d3b8b71 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java +++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java @@ -339,7 +339,7 @@ public class CertProcessor extends CAProcessor { // put profile framework parameters into the request req.setExtData(ARG_PROFILE, "true"); - req.setExtData(ARG_PROFILE_ID, profileId); + req.setExtData(IRequest.PROFILE_ID, profileId); if (isRenewal) req.setExtData(ARG_RENEWAL_PROFILE_ID, data.getProfileId()); req.setExtData(ARG_PROFILE_APPROVED_BY, profile.getApprovedBy()); diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestDAO.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestDAO.java index 306fbf570103daf09401faa0b615ae11f6b18953..93df6fb37949a9b40de9f427b1c3e7cf6fb5ef05 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestDAO.java +++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestDAO.java @@ -140,7 +140,7 @@ public class CertRequestDAO extends CMSRequestDAO { if (request == null) { return null; } - String profileId = request.getExtDataInString("profileId"); + String profileId = request.getExtDataInString(IRequest.PROFILE_ID); IProfile profile = ps.getProfile(profileId); CertReviewResponse info = CertReviewResponseFactory.create(request, profile, uriInfo, locale); diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java index 206d23a5d7898af2e7e93f98080dfa8b009d07ef..01ffc8be43a90c428fa61e97a70cfe3d87b8710f 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java +++ b/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java 
@@ -213,7 +213,7 @@ public class RenewalProcessor extends CertProcessor { throw new EBaseException(CMS.getUserMessage(locale, "CMS_INTERNAL_ERROR")); } - String profileId = origReq.getExtDataInString("profileId"); + String profileId = origReq.getExtDataInString(IRequest.PROFILE_ID); CMS.debug("RenewalSubmitter: renewal original profileId=" + profileId); String aidString = origReq.getExtDataInString( diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java index b92ffb1d7527178e38eeaa4e35b83940167e9f4d..7f0c89ce5fad8c334dd204188c3e9ce103c207bd 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java +++ b/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java @@ -71,7 +71,7 @@ public class RequestProcessor extends CertProcessor { HttpServletRequest req = cmsReq.getHttpReq(); IRequest ireq = cmsReq.getIRequest(); - String profileId = ireq.getExtDataInString("profileId"); + String profileId = ireq.getExtDataInString(IRequest.PROFILE_ID); IProfile profile = ps.getProfile(profileId); CertReviewResponse data = CertReviewResponseFactory.create( cmsReq, profile, authority.noncesEnabled(), locale); @@ -134,7 +134,7 @@ public class RequestProcessor extends CertProcessor { // save auth token in request saveAuthToken(authToken, req); - String profileId = req.getExtDataInString("profileId"); + String profileId = req.getExtDataInString(IRequest.PROFILE_ID); if (profileId == null || profileId.equals("")) { CMS.debug("RequestProcessor: Profile Id not found in request"); throw new EBaseException(CMS.getUserMessage(locale, "CMS_PROFILE_ID_NOT_FOUND")); diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java b/base/server/cms/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java index 744f9347265fb89491e2673151ab9aac9ab8a271..fa36dea2657238949cd1b716d43676eb5244fb31 100644 
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java +++ b/base/server/cms/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java @@ -1622,7 +1622,7 @@ public class CRSEnrollment extends HttpServlet { // set transaction id reqs[0].setSourceId(req.getTransactionID()); reqs[0].setExtData("profile", "true"); - reqs[0].setExtData("profileId", mProfileId); + reqs[0].setExtData(IRequest.PROFILE_ID, mProfileId); reqs[0].setExtData(IEnrollProfile.CTX_CERT_REQUEST_TYPE, IEnrollProfile.REQ_TYPE_PKCS10); reqs[0].setExtData(IEnrollProfile.CTX_CERT_REQUEST, pkcs10blob); reqs[0].setExtData("requestor_name", ""); @@ -1734,7 +1734,7 @@ public class CRSEnrollment extends HttpServlet { RequestStatus status = pkiReq.getRequestStatus(); - String profileId = pkiReq.getExtDataInString("profileId"); + String profileId = pkiReq.getExtDataInString(IRequest.PROFILE_ID); if (profileId != null) { CMS.debug("CRSEnrollment: Found profile request"); X509CertImpl cert = diff --git a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java index 582223ecb2c49344d3b03bfb9b7d61f4d12233a9..e6dfbc43ee29a4365ba5c197fb8e6ce575294136 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java +++ b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java @@ -307,7 +307,7 @@ public class ConnectorServlet extends CMSServlet { } public static boolean isProfileRequest(IRequest request) { - String profileId = request.getExtDataInString("profileId"); + String profileId = request.getExtDataInString(IRequest.PROFILE_ID); if (profileId == null || profileId.equals("")) return false; 
@@ -369,7 +369,7 @@ public class ConnectorServlet extends CMSServlet { e.toString()); } - String profileId = request.getExtDataInString("profileId"); + String profileId = request.getExtDataInString(IRequest.PROFILE_ID); IProfileSubsystem ps = (IProfileSubsystem) CMS.getSubsystem("profile"); IEnrollProfile profile = null; diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java index ae91f649541db5ce77679844ad7a4fec680e99e9..62b9a7c4b0437c011700d8d35b917e9a48e06af9 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java +++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java @@ -76,7 +76,6 @@ public class CAProcessor extends Processor { public final static String HDR_LANG = "accept-language"; public final static String ARG_PROFILE = "profile"; public final static String ARG_REQUEST_NOTES = "requestNotes"; - public final static String ARG_PROFILE_ID = "profileId"; public final static String ARG_RENEWAL_PROFILE_ID = "rprofileId"; public final static String ARG_PROFILE_IS_ENABLED = "profileIsEnable"; public final static String ARG_PROFILE_IS_VISIBLE = "profileIsVisible"; diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileProcessServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileProcessServlet.java index 33de8ff909992d859d54b92d917bd4fd55408a09..00fcbb30cd022fc30f8057fcc976746a5e45ec70 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileProcessServlet.java +++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileProcessServlet.java 
@@ -94,7 +94,7 @@ public class ProfileProcessServlet extends ProfileServlet { return; } - String profileId = req.getExtDataInString("profileId"); + String profileId = req.getExtDataInString(IRequest.PROFILE_ID); if (profileId == null || profileId.equals("")) { CMS.debug("ProfileProcessServlet: Profile Id not found"); setError(args, CMS.getUserMessage(locale, "CMS_PROFILE_ID_NOT_FOUND",CMSTemplate.escapeJavaScriptStringHTML(profileId)), request, response); diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java index dc6560d066be6fb677ff47344d6aee79295da48a..fe3c139169c5801f84a8f4d4221ea32012918db3 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java +++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java @@ -206,7 +206,7 @@ public class ProfileReviewServlet extends ProfileServlet { return; } - String profileId = req.getExtDataInString("profileId"); + String profileId = req.getExtDataInString(IRequest.PROFILE_ID); CMS.debug("ProfileReviewServlet: requestId=" + requestId + " profileId=" + profileId); diff --git a/base/server/cms/src/com/netscape/cms/servlet/request/CheckRequest.java b/base/server/cms/src/com/netscape/cms/servlet/request/CheckRequest.java index cba79c338a027abf114ad1bd3fdf19e8ec5a9e4b..76700fe5f50d73063a404fa60f6b0d8f3f0f8d6e 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/request/CheckRequest.java +++ b/base/server/cms/src/com/netscape/cms/servlet/request/CheckRequest.java @@ -335,7 +335,7 @@ public class CheckRequest extends CMSServlet { argSet.addRepeatRecord(rarg); } */ - String profileId = r.getExtDataInString("profileId"); + String profileId = r.getExtDataInString(IRequest.PROFILE_ID); if (profileId != null) { result = IRequest.RES_SUCCESS; } 
diff --git a/base/server/cmscore/src/com/netscape/cmscore/connector/RequestTransfer.java b/base/server/cmscore/src/com/netscape/cmscore/connector/RequestTransfer.java index 6000aeb3e8449414679537b4fc487b43ad28940e..9f77920137fef6a3c14a9432b7362ba51ca3f7d4 100644 --- a/base/server/cmscore/src/com/netscape/cmscore/connector/RequestTransfer.java +++ b/base/server/cmscore/src/com/netscape/cmscore/connector/RequestTransfer.java @@ -55,7 +55,7 @@ public class RequestTransfer { }; public static boolean isProfileRequest(IRequest request) { - String profileId = request.getExtDataInString("profileId"); + String profileId = request.getExtDataInString(IRequest.PROFILE_ID); if (profileId == null || profileId.equals("")) return false; diff --git a/base/server/cmscore/src/com/netscape/cmscore/ldap/LdapRequestListener.java b/base/server/cmscore/src/com/netscape/cmscore/ldap/LdapRequestListener.java index 3d4f75466dcb57d6a877401ff02724647874a07b..812381c22cc8ab95499722b72e2b83ef344b7c8c 100644 --- a/base/server/cmscore/src/com/netscape/cmscore/ldap/LdapRequestListener.java +++ b/base/server/cmscore/src/com/netscape/cmscore/ldap/LdapRequestListener.java @@ -181,7 +181,7 @@ class LdapEnrollmentListener implements IRequestListener { "LdapRequestListener handling publishing for enrollment request id " + r.getRequestId()); - String profileId = r.getExtDataInString("profileId"); + String profileId = r.getExtDataInString(IRequest.PROFILE_ID); if (profileId == null) { // in case it's not meant for us diff --git a/base/server/cmscore/src/org/dogtagpki/legacy/core/policy/GenericPolicyProcessor.java b/base/server/cmscore/src/org/dogtagpki/legacy/core/policy/GenericPolicyProcessor.java index 44506e6ff5be5b869805c771da394d56f150a929..38cb9cdf53dfed4acffa7296a9af4870070e56db 100644 --- a/base/server/cmscore/src/org/dogtagpki/legacy/core/policy/GenericPolicyProcessor.java +++ b/base/server/cmscore/src/org/dogtagpki/legacy/core/policy/GenericPolicyProcessor.java 
@@ -360,7 +360,7 @@ public class GenericPolicyProcessor implements IPolicyProcessor { } public boolean isProfileRequest(IRequest request) { - String profileId = request.getExtDataInString("profileId"); + String profileId = request.getExtDataInString(IRequest.PROFILE_ID); if (profileId == null || profileId.equals("")) return false; -- 2.7.4 -------------- next part -------------- From e417e593facf6ebe819627599df4bd3351a8ced1 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Wed, 7 Dec 2016 14:22:30 +1000 Subject: [PATCH 146/146] Define "req_authority_id" IRequest extdata key in IRequest Part of: https://fedorahosted.org/pki/ticket/1359 --- base/common/src/com/netscape/certsrv/request/IRequest.java | 5 +++++ .../cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java | 2 +- .../cms/src/com/netscape/cms/profile/common/EnrollProfile.java | 2 +- .../netscape/cms/profile/def/AuthorityKeyIdentifierExtDefault.java | 3 +-- .../cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java | 2 +- .../cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java | 2 +- 6 files changed, 10 insertions(+), 6 deletions(-) diff --git a/base/common/src/com/netscape/certsrv/request/IRequest.java b/base/common/src/com/netscape/certsrv/request/IRequest.java index b83d5309e0b2aaf271cf4fba3c1ee7d13b347a58..29b1bbb879220a485388cb38af8a8c5508578752 100644 --- a/base/common/src/com/netscape/certsrv/request/IRequest.java +++ b/base/common/src/com/netscape/certsrv/request/IRequest.java @@ -91,6 +91,11 @@ public interface IRequest extends Serializable { public static final String PROFILE_ID = "profileId"; + /** + * ID of requested certificate authority (absense implies host authority) + */ + public static final String AUTHORITY_ID = "req_authority_id"; + public static final String RESULT = "Result"; // service result. public static final Integer RES_SUCCESS = Integer.valueOf(1); // result value public static final Integer RES_ERROR = Integer.valueOf(2); // result value 
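Review bot: the CRSEnrollment hunk replaces the "profileId" literal but leaves the adjacent literals "profile" and "requestor_name" in the same statement group untouched, even though CertProcessor (in the same patch) sets the same "profile" flag via ARG_PROFILE; either move those keys into IRequest as well or call them out as follow-up, since mixed literal and constant keys for the same extdata entry are exactly what this series sets out to remove. The null-or-empty check on profileId is also repeated verbatim in five isProfileRequest methods (CAService, CAPolicy, ConnectorServlet, RequestTransfer, GenericPolicyProcessor); a single static helper next to the new IRequest.PROFILE_ID constant would make the definition of "profile request" live in one place too. Unlike AUTH_TOKEN_PREFIX in the preceding patch, PROFILE_ID is added without a comment saying what the value identifies.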
diff --git a/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java index 53edca3a93c28a4fdd6c476bbdd2dc3d83869505..8c14e91767f6cc765413821da71b2c26d86f77d3 100644 --- a/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java +++ b/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java @@ -192,7 +192,7 @@ public class CAEnrollProfile extends EnrollProfile { sc.put("profileSetId", setId); } AuthorityID aid = null; - String aidString = request.getExtDataInString(REQUEST_AUTHORITY_ID); + String aidString = request.getExtDataInString(IRequest.AUTHORITY_ID); if (aidString != null) aid = new AuthorityID(aidString); try { diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java index e828b82f203edfc6e6fb8797c5909c7cdd6a32d9..fbb98262929f1c5e12ab54a7514c15297364e971 100644 --- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java +++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java @@ -192,7 +192,7 @@ public abstract class EnrollProfile extends BasicProfile } // set requested CA - result[i].setExtData(REQUEST_AUTHORITY_ID, ctx.get(REQUEST_AUTHORITY_ID)); + result[i].setExtData(IRequest.AUTHORITY_ID, ctx.get(REQUEST_AUTHORITY_ID)); } return result; } diff --git a/base/server/cms/src/com/netscape/cms/profile/def/AuthorityKeyIdentifierExtDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/AuthorityKeyIdentifierExtDefault.java index 9aaa29d7a417739c62c9c46968933253dbcddd89..42931de2644e602089fc40d331f73964ad35390f 100644 --- a/base/server/cms/src/com/netscape/cms/profile/def/AuthorityKeyIdentifierExtDefault.java +++ b/base/server/cms/src/com/netscape/cms/profile/def/AuthorityKeyIdentifierExtDefault.java 
@@ -26,7 +26,6 @@ import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.ca.AuthorityID; import com.netscape.certsrv.ca.ICertificateAuthority; import com.netscape.certsrv.profile.EProfileException; -import com.netscape.certsrv.profile.IEnrollProfile; import com.netscape.certsrv.profile.IProfile; import com.netscape.certsrv.property.Descriptor; import com.netscape.certsrv.property.EPropertyException; @@ -172,7 +171,7 @@ public class AuthorityKeyIdentifierExtDefault extends CAEnrollDefault { ICertificateAuthority ca = (ICertificateAuthority) CMS.getSubsystem(CMS.SUBSYSTEM_CA); String aidString = request.getExtDataInString( - IEnrollProfile.REQUEST_AUTHORITY_ID); + IRequest.AUTHORITY_ID); if (aidString != null) ca = ca.getCA(new AuthorityID(aidString)); if (ca == null) diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java index 01ffc8be43a90c428fa61e97a70cfe3d87b8710f..1c9f0d6acad00025884a33a22461c7d61b4a5676 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java +++ b/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java @@ -217,7 +217,7 @@ public class RenewalProcessor extends CertProcessor { CMS.debug("RenewalSubmitter: renewal original profileId=" + profileId); String aidString = origReq.getExtDataInString( - IEnrollProfile.REQUEST_AUTHORITY_ID); + IRequest.AUTHORITY_ID); Integer origSeqNum = origReq.getExtDataInInteger(IEnrollProfile.REQUEST_SEQ_NUM); IProfile profile = ps.getProfile(profileId); diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java index 7f0c89ce5fad8c334dd204188c3e9ce103c207bd..436e7a99a78e7bf4a46f626f628652f5d3d1301c 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java 
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java @@ -378,7 +378,7 @@ public class RequestProcessor extends CertProcessor { String auditRequesterID = auditRequesterID(req); // ensure target CA is enabled - String aidString = req.getExtDataInString(IEnrollProfile.REQUEST_AUTHORITY_ID); + String aidString = req.getExtDataInString(IRequest.AUTHORITY_ID); if (aidString != null) ensureCAEnabled(aidString); -- 2.7.4 From ftweedal at redhat.com Wed Dec 7 04:44:07 2016 From: ftweedal at redhat.com (Fraser Tweedale) Date: Wed, 7 Dec 2016 14:44:07 +1000 Subject: [Pki-devel] [PATCH] 0147 Replace duplicate string literals with a constant Message-ID: <20161207044407.GK28337@dhcp-40-8.bne.redhat.com> Does what it says on the tin. Pushed under trivial rule. Thanks, Fraser -------------- next part -------------- From ebd755bac7474acc4389a5454dcf6689f219354b Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 6 Dec 2016 19:39:14 +1000 Subject: [PATCH] Replace duplicate string literals with a constant Just a small drive-by refactor. Part of: https://fedorahosted.org/pki/ticket/1359 --- .../src/com/netscape/cms/profile/constraint/EnrollConstraint.java | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/base/server/cms/src/com/netscape/cms/profile/constraint/EnrollConstraint.java b/base/server/cms/src/com/netscape/cms/profile/constraint/EnrollConstraint.java index 96b29d669992f36b4b849eac68b2af8695c46ce8..8f385ea6fc9cae331c8c1e2b8f95aab123e6b836 100644 --- a/base/server/cms/src/com/netscape/cms/profile/constraint/EnrollConstraint.java +++ b/base/server/cms/src/com/netscape/cms/profile/constraint/EnrollConstraint.java 
@@ -45,6 +45,7 @@ import com.netscape.cms.profile.common.EnrollProfile; */ public abstract class EnrollConstraint implements IPolicyConstraint { public static final String CONFIG_NAME = "name"; + public static final String CONFIG_PARAMS = "params"; protected IConfigStore mConfig = null; protected Vector mConfigNames = new Vector(); @@ -80,10 +81,10 @@ public abstract class EnrollConstraint implements IPolicyConstraint { public void setConfig(String name, String value) throws EPropertyException { - if (mConfig.getSubStore("params") == null) { + if (mConfig.getSubStore(CONFIG_PARAMS) == null) { // } else { - mConfig.getSubStore("params").putString(name, value); + mConfig.getSubStore(CONFIG_PARAMS).putString(name, value); } } @@ -105,7 +106,7 @@ public abstract class EnrollConstraint implements IPolicyConstraint { return null; } - IConfigStore params = mConfig.getSubStore("params"); + IConfigStore params = mConfig.getSubStore(CONFIG_PARAMS); if (params == null) { CMS.debug("Error: Missing constraint parameters"); return null; -- 2.7.4 From mharmsen at redhat.com Wed Dec 7 19:54:14 2016 
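Review bot: in the setConfig hunk, the `if (mConfig.getSubStore(CONFIG_PARAMS) == null) { // } else { ... }` branch still silently discards the value when the params substore is missing, whereas the getConfig hunk a few lines down at least logs `CMS.debug("Error: Missing constraint parameters")` for the same condition. setConfig already declares `throws EPropertyException`, so while touching these lines consider throwing there (or at minimum logging); otherwise an administrator setting a constraint parameter gets no error and the constraint keeps enforcing its previous configuration. The empty-if-with-else shape also reads more naturally as a single getSubStore call followed by `if (params != null) params.putString(name, value);`.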
From: mharmsen at redhat.com (Matthew Harmsen) Date: Wed, 7 Dec 2016 12:54:14 -0700 Subject: [Pki-devel] port to tomcat 8.5? In-Reply-To: <2c824d3c-f3db-33f5-4977-2ad2300538ec@ubuntu.com> References: <63ef425c-2c92-d904-2c82-41e7d1fb94e4@debian.org> <2c824d3c-f3db-33f5-4977-2ad2300538ec@ubuntu.com> Message-ID: <0a9f5738-8ad2-a209-6fbc-3883bf0b87ce@redhat.com> On 12/03/2016 04:00 AM, Timo Aaltonen wrote: > On 02.12.2016 12:01, Timo Aaltonen wrote: >> Hi >> >> Debian recently switched to tomcat 8.5 which broke Dogtag. First issue that I found was that Http11Protocol is no more, need to use Http11NioProtocol. Fixing that it then fails with: >> >> 02-Dec-2016 11:26:05.270 SEVERE [main] org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[HTTP/1.1-8443]] >> org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]] >> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:113) >> at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549) >> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107) >> at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875) >> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107) >> at org.apache.catalina.startup.Catalina.load(Catalina.java:606) >> at org.apache.catalina.startup.Catalina.load(Catalina.java:629) >> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) >> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) >> at java.lang.reflect.Method.invoke(Method.java:498) >> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311) >> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494) >> Caused by: java.lang.NoClassDefFoundError: org/apache/tomcat/util/net/ServerSocketFactory >> ... 
>> >> I see Fedora is still at 8.0, so no-one has tried 8.5 yet? > Looks like tomcat 8.5 breaks the build as well for both dogtag > and tomcatjss. Debian freeze is on Jan 5th, this needs to be fixed well > before x-mas just to be on the safe side :/ > > dogtag build log: http://pastebin.com/gabUtiTy > tomcatjss build log: http://pastebin.com/3qrh5Eqp > > > Timo, I just looked in Bodhi, and the latest version of Tomcat in Fedora is 8.0.39 (currently in testing). What version of Tomcat were you using previously from which you upgraded? Also, does Debian use JBoss? If so, does Tomcat 8.5 work with that? -- Matt From edewata at redhat.com Thu Dec 8 00:03:43 2016 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 7 Dec 2016 18:03:43 -0600 Subject: [Pki-devel] [PATCH] Fixed user certificate renewal using pki client-cert-request. Message-ID: When a user renews its certificate using pki client-cert-request the CLI will authenticate using the certificate and send an empty request message. The server is supposed to use the certificate's serial number to process the renewal request. Currently the request fails if the serial number is missing from the request message. The server has been fixed such that it ignores the missing serial number and uses the certificate's serial number instead. https://fedorahosted.org/pki/ticket/2476 Pushed to master under one-liner/trivial rule. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0880-Fixed-user-certificate-renewal-using-pki-client-cert.patch Type: text/x-patch Size: 2433 bytes Desc: not available URL: From ftweedal at redhat.com Thu Dec 8 03:59:45 2016
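Going back to the Tomcat 8.5 thread above: Timo's two failures (Http11Protocol gone, then a NoClassDefFoundError for org.apache.tomcat.util.net.ServerSocketFactory) are both connector-initialisation problems a packager can screen for before swapping Tomcat versions. The following Python script is an added example, not code from the thread, from Dogtag or from tomcatjss: it parses a server.xml, reports connector attributes that name either removed class, and rewrites the protocol class to Http11NioProtocol. The embedded server.xml is constructed for the example and its socketFactory attribute is hypothetical, there only to exercise the literal-reference check; the script cannot see the second failure when the removed class is pulled in by a loaded SSL implementation rather than named in the XML, which is what the tomcatjss build breakage in the thread is about.

```python
"""Flag server.xml connector settings that Tomcat 8.5 no longer accepts.

8.5 dropped the blocking (BIO) HTTP connector, Http11Protocol, and the
org.apache.tomcat.util.net.ServerSocketFactory hook; an explicit reference
to either fails at connector init, as in the trace in the thread.  The
symbolic protocol="HTTP/1.1" is fine: 8.5 resolves it to NIO by itself.
"""
import sys
import xml.etree.ElementTree as ET

BIO_PROTOCOL = "org.apache.coyote.http11.Http11Protocol"
NIO_PROTOCOL = "org.apache.coyote.http11.Http11NioProtocol"
# Removed classes that may still be named literally in connector attributes,
# mapped to the advice the report prints for them.
REMOVED_CLASSES = {
    "org.apache.tomcat.util.net.ServerSocketFactory":
        "no ServerSocketFactory in 8.5; the code that used it must be ported",
}

# Constructed server.xml (not Dogtag's): one connector on the symbolic
# protocol, one pinned to the removed BIO class that also names the removed
# factory through a hypothetical socketFactory attribute.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" scheme="https" secure="true"
               socketFactory="org.apache.tomcat.util.net.ServerSocketFactory"/>
  </Service>
</Server>
"""


def tomcat85_issues(xml_text):
    """Return (port, attribute, value, advice) for each offending attribute."""
    issues = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        port = conn.get("port", "?")
        for attr, value in conn.attrib.items():
            if attr == "protocol" and value == BIO_PROTOCOL:
                issues.append((port, attr, value, "use " + NIO_PROTOCOL))
            elif value in REMOVED_CLASSES:
                issues.append((port, attr, value, REMOVED_CLASSES[value]))
    return issues


def migrate_protocol(xml_text):
    """Rewrite BIO connectors to NIO; return (new_xml, edits).

    Only the protocol swap is mechanical.  Attributes naming other removed
    classes are left alone and still show up in tomcat85_issues(), because
    their fix is ported code, not a server.xml edit.
    """
    root = ET.fromstring(xml_text)
    edits = []
    for conn in root.iter("Connector"):
        if conn.get("protocol") == BIO_PROTOCOL:
            conn.set("protocol", NIO_PROTOCOL)
            edits.append((conn.get("port", "?"), "protocol", NIO_PROTOCOL))
    return ET.tostring(root, encoding="unicode"), edits


def main(argv):
    # With a path argument the real server.xml is checked; otherwise the sample.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_SERVER_XML
    issues = tomcat85_issues(text)
    for port, attr, value, advice in issues:
        print("Connector port=%s: %s=%s -> %s" % (port, attr, value, advice))
    return 1 if issues else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_tomcat85.py /etc/pki/pki-tomcat/server.xml`; a non-zero exit means at least one connector would fail to initialise on 8.5 for a reason visible in the XML.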
From: ftweedal at redhat.com (Fraser Tweedale) Date: Thu, 8 Dec 2016 13:59:45 +1000 Subject: [Pki-devel] [Pki-users] CS Server error In-Reply-To: References: <20161208002506.GR28337@dhcp-40-8.bne.redhat.com> Message-ID: <20161208035945.GT28337@dhcp-40-8.bne.redhat.com> On Wed, Dec 07, 2016 at 05:29:41PM -0800, Rafael Leiva-Ochoa wrote: > Here you go....I hope you can help. I am already starting to use it in > production testing...I would hate to start all over...: ( > The error in your log is: [06/Dec/2016:23:28:45][localhost-startStop-1]: AuthSubsystem: initializing authentication manager flatFileAuth Property auths.instance.flatFileAuth.pluginName missing value at com.netscape.cmscore.base.PropConfigStore.getString(PropConfigStore.java:258) at com.netscape.cmscore.authentication.AuthSubsystem.init(AuthSubsystem.java:200) at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169) at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075) at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:582) at com.netscape.certsrv.apps.CMS.init(CMS.java:187) at com.netscape.certsrv.apps.CMS.start(CMS.java:1616) ... lots more traceback This causes a shutdown of the Dogtag application (but not Tomcat itself, hence it is still able to respond to HTTP requests). Have you modified anything in /etc/pki/pki-tomcat/ca/CS.cfg yourself? If not, perhaps it was an update gone awry, or some other corruption of CS.cfg. The `flatFileAuth' properties in CS.cfg should be something like: auths.instance.flatFileAuth.authAttributes=PWD auths.instance.flatFileAuth.deferOnFailure=true auths.instance.flatFileAuth.fileName=/var/lib/pki/pki-tomcat/conf/ca/flatfile.txt auths.instance.flatFileAuth.keyAttributes=UID auths.instance.flatFileAuth.pluginName=FlatFileAuth Try fixing that up and seeing if Dogtag starts. If it does not, please attach debug log (latter portions thereof) and the CS.cfg. 
Thanks, Fraser > On Wed, Dec 7, 2016 at 4:25 PM, Fraser Tweedale wrote: > > > On Wed, Dec 07, 2016 at 02:11:53PM -0800, Rafael Leiva-Ochoa wrote: > > > Hi Team, > > > > > > I have installed Dogtag on one of my Raspberry PI 3 devices for > > > testing. At first it was working great. Then, I noticed that it took a > > very > > > long time for the DogTag Start Page to startup when I rebooted my Pi. In > > > some cases, it took 10min's, but I attributed this to the fact that it > > was > > > running on a ARM processor, and it takes a while to start up. Now, for > > some > > > reason, I am getting this error: > > > > > > HTTP Status 500 - CS server is not ready to serve. > > > > > > *type* Exception report > > > > > > *message* *CS server is not ready to serve.* > > > > > > *description* *The server encountered an internal error that prevented it > > > from fulfilling this request.* > > > > > > *exception* > > > > > > java.io.IOException: CS server is not ready to serve. > > > com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet. 
> > java:445) > > > javax.servlet.http.HttpServlet.service(HttpServlet.java:729) > > > sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > > > sun.reflect.NativeMethodAccessorImpl.invoke( > > NativeMethodAccessorImpl.java:62) > > > sun.reflect.DelegatingMethodAccessorImpl.invoke( > > DelegatingMethodAccessorImpl.java:43) > > > java.lang.reflect.Method.invoke(Method.java:498) > > > org.apache.catalina.security.SecurityUtil$1.run( > > SecurityUtil.java:293) > > > org.apache.catalina.security.SecurityUtil$1.run( > > SecurityUtil.java:290) > > > java.security.AccessController.doPrivileged(Native Method) > > > javax.security.auth.Subject.doAsPrivileged(Subject.java:549) > > > org.apache.catalina.security.SecurityUtil.execute( > > SecurityUtil.java:325) > > > org.apache.catalina.security.SecurityUtil.doAsPrivilege( > > SecurityUtil.java:176) > > > java.security.AccessController.doPrivileged(Native Method) > > > org.apache.tomcat.websocket.server.WsFilter.doFilter( > > WsFilter.java:52) > > > sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > > > sun.reflect.NativeMethodAccessorImpl.invoke( > > NativeMethodAccessorImpl.java:62) > > > sun.reflect.DelegatingMethodAccessorImpl.invoke( > > DelegatingMethodAccessorImpl.java:43) > > > java.lang.reflect.Method.invoke(Method.java:498) > > > org.apache.catalina.security.SecurityUtil$1.run( > > SecurityUtil.java:293) > > > org.apache.catalina.security.SecurityUtil$1.run( > > SecurityUtil.java:290) > > > java.security.AccessController.doPrivileged(Native Method) > > > javax.security.auth.Subject.doAsPrivileged(Subject.java:549) > > > org.apache.catalina.security.SecurityUtil.execute( > > SecurityUtil.java:325) > > > org.apache.catalina.security.SecurityUtil.doAsPrivilege( > > SecurityUtil.java:264) > > > > > > *note* *The full stack trace of the root cause is available in the Apache > > > Tomcat/8.0.38 logs.* > > > ------------------------------ > > > Apache Tomcat/8.0.38 > > > > > > I have tried rebooting the 
PI many times, and looking at the logs, but no > > > luck. Any ideas? > > > > > > Thanks, > > > > > > Rafael > > > > Thank you for testing Dogtag on ARM / RPi :) > > > > Could you please provide the /var/log/pki/pki-tomcat/ca/debug log > > file? Probably best to upload the file somewhere and point us to > > it, or send it to me off-list; it can be quite large. > > > > I will take a look at it and try and work out what's causing the > > failure. > > > > Thanks, > > Fraser > > From ftweedal at redhat.com Thu Dec 8 04:07:53 2016
From: ftweedal at redhat.com (Fraser Tweedale) Date: Thu, 8 Dec 2016 14:07:53 +1000 Subject: [Pki-devel] [Pki-users] CS Server error In-Reply-To: <20161208035945.GT28337@dhcp-40-8.bne.redhat.com> References: <20161208002506.GR28337@dhcp-40-8.bne.redhat.com> <20161208035945.GT28337@dhcp-40-8.bne.redhat.com> Message-ID: <20161208040753.GV28337@dhcp-40-8.bne.redhat.com> (Sorry, I sent this to the wrong list.) On Thu, Dec 08, 2016 at 01:59:45PM +1000, Fraser Tweedale wrote: > On Wed, Dec 07, 2016 at 05:29:41PM -0800, Rafael Leiva-Ochoa wrote: > > Here you go....I hope you can help. I am already starting to use it in > > production testing...I would hate to start all over...: ( > > > The error in your log is: > > [06/Dec/2016:23:28:45][localhost-startStop-1]: AuthSubsystem: initializing authentication manager flatFileAuth > Property auths.instance.flatFileAuth.pluginName missing value > at com.netscape.cmscore.base.PropConfigStore.getString(PropConfigStore.java:258) > at com.netscape.cmscore.authentication.AuthSubsystem.init(AuthSubsystem.java:200) > at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:1169) > at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:1075) > at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:582) > at com.netscape.certsrv.apps.CMS.init(CMS.java:187) > at com.netscape.certsrv.apps.CMS.start(CMS.java:1616) > ... lots more traceback > > This causes a shutdown of the Dogtag application (but not Tomcat > itself, hence it is still able to respond to HTTP requests). > > Have you modified anything in /etc/pki/pki-tomcat/ca/CS.cfg > yourself? If not, perhaps it was an update gone awry, or some other > corruption of CS.cfg. 
> > The `flatFileAuth' properties in CS.cfg should be something like: > > auths.instance.flatFileAuth.authAttributes=PWD > auths.instance.flatFileAuth.deferOnFailure=true > auths.instance.flatFileAuth.fileName=/var/lib/pki/pki-tomcat/conf/ca/flatfile.txt > auths.instance.flatFileAuth.keyAttributes=UID > auths.instance.flatFileAuth.pluginName=FlatFileAuth > > Try fixing that up and seeing if Dogtag starts. If it does not, > please attach debug log (latter portions thereof) and the CS.cfg. > > Thanks, > Fraser > > > > On Wed, Dec 7, 2016 at 4:25 PM, Fraser Tweedale wrote: > > > > > On Wed, Dec 07, 2016 at 02:11:53PM -0800, Rafael Leiva-Ochoa wrote: > > > > Hi Team, > > > > > > > > I have installed Dogtag on one of my Raspberry PI 3 devices for > > > > testing. At first it was working great. Then, I noticed that it took a > > > very > > > > long time for the DogTag Start Page to startup when I rebooted my Pi. In > > > > some cases, it took 10min's, but I attributed this to the fact that it > > > was > > > > running on a ARM processor, and it takes a while to start up. Now, for > > > some > > > > reason, I am getting this error: > > > > > > > > HTTP Status 500 - CS server is not ready to serve. > > > > > > > > *type* Exception report > > > > > > > > *message* *CS server is not ready to serve.* > > > > > > > > *description* *The server encountered an internal error that prevented it > > > > from fulfilling this request.* > > > > > > > > *exception* > > > > > > > > java.io.IOException: CS server is not ready to serve. > > > > com.netscape.cms.servlet.base.CMSServlet.service(CMSServlet. 
> > > java:445) > > > > javax.servlet.http.HttpServlet.service(HttpServlet.java:729) > > > > sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > > > > sun.reflect.NativeMethodAccessorImpl.invoke( > > > NativeMethodAccessorImpl.java:62) > > > > sun.reflect.DelegatingMethodAccessorImpl.invoke( > > > DelegatingMethodAccessorImpl.java:43) > > > > java.lang.reflect.Method.invoke(Method.java:498) > > > > org.apache.catalina.security.SecurityUtil$1.run( > > > SecurityUtil.java:293) > > > > org.apache.catalina.security.SecurityUtil$1.run( > > > SecurityUtil.java:290) > > > > java.security.AccessController.doPrivileged(Native Method) > > > > javax.security.auth.Subject.doAsPrivileged(Subject.java:549) > > > > org.apache.catalina.security.SecurityUtil.execute( > > > SecurityUtil.java:325) > > > > org.apache.catalina.security.SecurityUtil.doAsPrivilege( > > > SecurityUtil.java:176) > > > > java.security.AccessController.doPrivileged(Native Method) > > > > org.apache.tomcat.websocket.server.WsFilter.doFilter( > > > WsFilter.java:52) > > > > sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > > > > sun.reflect.NativeMethodAccessorImpl.invoke( > > > NativeMethodAccessorImpl.java:62) > > > > sun.reflect.DelegatingMethodAccessorImpl.invoke( > > > DelegatingMethodAccessorImpl.java:43) > > > > java.lang.reflect.Method.invoke(Method.java:498) > > > > org.apache.catalina.security.SecurityUtil$1.run( > > > SecurityUtil.java:293) > > > > org.apache.catalina.security.SecurityUtil$1.run( > > > SecurityUtil.java:290) > > > > java.security.AccessController.doPrivileged(Native Method) > > > > javax.security.auth.Subject.doAsPrivileged(Subject.java:549) > > > > org.apache.catalina.security.SecurityUtil.execute( > > > SecurityUtil.java:325) > > > > org.apache.catalina.security.SecurityUtil.doAsPrivilege( > > > SecurityUtil.java:264) > > > > > > > > *note* *The full stack trace of the root cause is available in the Apache > > > > Tomcat/8.0.38 logs.* > > > > 
------------------------------ > > > > Apache Tomcat/8.0.38 > > > > > > > > I have tried rebooting the PI many times, and looking at the logs, but no > > > > luck. Any ideas? > > > > > > > > Thanks, > > > > > > > > Rafael > > > > > > Thank you for testing Dogtag on ARM / RPi :) > > > > > > Could you please provide the /var/log/pki/pki-tomcat/ca/debug log > > > file? Probably best to upload the file somewhere and point us to > > > it, or send it to me off-list; it can be quite large. > > > > > > I will take a look at it and try and work out what's causing the > > > failure. > > > > > > Thanks, > > > Fraser > > > > > > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel From tjaalton at ubuntu.com Thu Dec 8 07:48:59 2016
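Fraser's diagnosis above (AuthSubsystem aborting on `auths.instance.flatFileAuth.pluginName missing value`, which takes the whole Dogtag application down while Tomcat keeps answering with "CS server is not ready to serve") is the kind of thing a small config linter catches before a restart. The following Python script is an added example, not part of the thread or of Dogtag: it parses the flat key=value format of CS.cfg, groups the `auths.instance.<name>.*` properties by instance, and flags any instance whose pluginName is absent or empty. The cross-check against `auths.impl.<plugin>.class` assumes that convention for declaring plugins; the configuration embedded in the script is constructed for the example, and the AgentCertAuth and auths.impl lines in it are illustrative.

```python
"""Lint the auths.instance.* blocks of a Dogtag CS.cfg.

AuthSubsystem.init instantiates each auths.instance.<name> by its
pluginName; when that property cannot be read the subsystem init fails and
the CA shuts itself down, as in the debug log quoted in the thread.
"""
import re
import sys
from collections import defaultdict

_INSTANCE_RE = re.compile(r"^auths\.instance\.([^.]+)\.(.+)$")
_IMPL_RE = re.compile(r"^auths\.impl\.([^.]+)\.class$")

# Constructed sample (not a real CS.cfg): the flatFileAuth block from the
# thread with its pluginName value lost, plus a healthy second instance.
# The AgentCertAuth lines and the auths.impl entries are illustrative.
SAMPLE_CS_CFG = """\
# Dogtag CA configuration (constructed excerpt)
auths.impl.FlatFileAuth.class=com.netscape.cms.authentication.FlatFileAuth
auths.impl.AgentCertAuth.class=com.netscape.cms.authentication.AgentCertAuthentication
auths.instance.flatFileAuth.authAttributes=PWD
auths.instance.flatFileAuth.deferOnFailure=true
auths.instance.flatFileAuth.fileName=/var/lib/pki/pki-tomcat/conf/ca/flatfile.txt
auths.instance.flatFileAuth.keyAttributes=UID
auths.instance.flatFileAuth.pluginName=
auths.instance.AgentCertAuth.agentGroup=Certificate Manager Agents
auths.instance.AgentCertAuth.pluginName=AgentCertAuth
"""


def parse_cs_cfg(text):
    """Parse CS.cfg's flat key=value lines into a dict.

    Blank lines and '#' comments are skipped; the value is everything after
    the first '=' (values such as LDAP DNs can themselves contain '=').
    """
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def auth_instances(cfg):
    """Group auths.instance.<name>.<prop> keys by instance name."""
    instances = defaultdict(dict)
    for key, value in cfg.items():
        m = _INSTANCE_RE.match(key)
        if m:
            instances[m.group(1)][m.group(2)] = value
    return dict(instances)


def auth_impls(cfg):
    """Plugin names declared as auths.impl.<plugin>.class=<java class>."""
    impls = {}
    for key, value in cfg.items():
        m = _IMPL_RE.match(key)
        if m:
            impls[m.group(1)] = value
    return impls


def check_auth_instances(cfg):
    """Return (instance, problem) pairs in instance-name order.

    An empty pluginName is reported like an absent one: an empty string
    cannot name a plugin, so the instance cannot be constructed either way.
    """
    impls = auth_impls(cfg)
    problems = []
    for name, props in sorted(auth_instances(cfg).items()):
        plugin = props.get("pluginName", "")
        if not plugin:
            problems.append((name, "auths.instance.%s.pluginName missing value" % name))
        elif impls and plugin not in impls:
            problems.append((name, "pluginName %r has no auths.impl.%s.class entry"
                             % (plugin, plugin)))
    return problems


def main(argv):
    # With a path argument the real CS.cfg is checked; otherwise the sample.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_CS_CFG
    problems = check_auth_instances(parse_cs_cfg(text))
    for name, problem in problems:
        print("%s: %s" % (name, problem))
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_auths.py /etc/pki/pki-tomcat/ca/CS.cfg` before restarting; it exits non-zero and names the broken instance, which is quicker than digging the same message out of the debug log after the CA has already gone down.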
From: tjaalton at ubuntu.com (Timo Aaltonen) Date: Thu, 8 Dec 2016 09:48:59 +0200 Subject: [Pki-devel] port to tomcat 8.5? In-Reply-To: <0a9f5738-8ad2-a209-6fbc-3883bf0b87ce@redhat.com> References: <63ef425c-2c92-d904-2c82-41e7d1fb94e4@debian.org> <2c824d3c-f3db-33f5-4977-2ad2300538ec@ubuntu.com> <0a9f5738-8ad2-a209-6fbc-3883bf0b87ce@redhat.com> Message-ID: On 07.12.2016 21:54, Matthew Harmsen wrote: > On 12/03/2016 04:00 AM, Timo Aaltonen wrote: >> On 02.12.2016 12:01, Timo Aaltonen wrote: >>> Hi >>> >>> Debian recently switched to tomcat 8.5 which broke Dogtag. First >>> issue that I found was that Http11Protocol is no more, need to use >>> Http11NioProtocol. Fixing that it then fails with: >>> >>> 02-Dec-2016 11:26:05.270 SEVERE [main] >>> org.apache.catalina.core.StandardService.initInternal Failed to >>> initialize connector [Connector[HTTP/1.1-8443]] >>> org.apache.catalina.LifecycleException: Failed to initialize >>> component [Connector[HTTP/1.1-8443]] >>> at >>> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:113) >>> at >>> org.apache.catalina.core.StandardService.initInternal(StandardService.java:549) >>> >>> at >>> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107) >>> at >>> org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875) >>> >>> at >>> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107) >>> at org.apache.catalina.startup.Catalina.load(Catalina.java:606) >>> at org.apache.catalina.startup.Catalina.load(Catalina.java:629) >>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >>> at >>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) >>> >>> at >>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) >>> >>> at java.lang.reflect.Method.invoke(Method.java:498) >>> at >>> org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311) >>> at >>> 
org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494) >>> Caused by: java.lang.NoClassDefFoundError: >>> org/apache/tomcat/util/net/ServerSocketFactory >>> ... >>> >>> I see Fedora is still at 8.0, so no-one has tried 8.5 yet? >> Looks like tomcat 8.5 breaks the build as well for both dogtag >> and tomcatjss. Debian freeze is on Jan 5th, this needs to be fixed well >> before x-mas just to be on the safe side :/ >> >> dogtag build log: http://pastebin.com/gabUtiTy >> tomcatjss build log: http://pastebin.com/3qrh5Eqp >> >> >> > Timo, > > I just looked in Bodhi, and the latest version of Tomcat in Fedora is > 8.0.39 (currently in testing). > > What version of Tomcat were you using previously from which you upgraded? 8.0.39, upstream removed some stuff from 8.5: https://tomcat.apache.org/migration-85.html > Also, does Debian use JBoss? If so, does Tomcat 8.5 work with that? There are some packages that could be found searching for 'jboss', but these seem to be just some libs and not the EAP: libjboss-classfilewriter-java - bytecode writer that creates .class files at runtime libjboss-classfilewriter-java-doc - Documentation for JBoss Class File Writer libjboss-jdeparser2-java - Java source code generating library libjboss-jdeparser2-java-doc - Documentation for libjboss-jdeparser2-java libjboss-logging-java - JBoss Logging Framework libjboss-logging-java-doc - Documentation for the JBoss Logging Framework libjboss-logging-tools-java - create internationalized logger messages and exceptions libjboss-logging-tools-java-doc - Documentation for JBoss Logging Tools libjboss-logmanager-java - implementation of java.util.logging.LogManager libjboss-logmanager-java-doc - Documentation for JBoss Log Manager libjboss-modules-java - Modular Classloading System libjboss-modules-java-doc - Documentation for JBoss Modules libjboss-xnio-java - simplified low-level I/O layer for NIO libjboss-xnio-java-doc - Documentation for jboss-xnio libjboss-marshalling-java - alternative
serialization API libjboss-serialization-java - JBoss Serialization -- t From jmagne at redhat.com Fri Dec 9 00:42:30 2016 From: jmagne at redhat.com (John Magne) Date: Thu, 8 Dec 2016 19:42:30 -0500 (EST) Subject: [Pki-devel] [pki-devel][PATCH] 0086-Resolve-pkispawn-does-not-change-default-ecc-key-siz.patch In-Reply-To: <1078044356.5444230.1481244140294.JavaMail.zimbra@redhat.com> Message-ID: <1340840577.5444240.1481244150043.JavaMail.zimbra@redhat.com> Simple patch will provide a fix to this issue. -------------- next part -------------- A non-text attachment was scrubbed... Name: 0086-Resolve-pkispawn-does-not-change-default-ecc-key-siz.patch Type: text/x-patch Size: 2489 bytes Desc: not available URL: From mharmsen at redhat.com Fri Dec 9 01:36:24 2016 From: mharmsen at redhat.com (Matthew Harmsen) Date: Thu, 8 Dec 2016 18:36:24 -0700 Subject: [Pki-devel] [pki-devel][PATCH] 0086-Resolve-pkispawn-does-not-change-default-ecc-key-siz.patch In-Reply-To: <1340840577.5444240.1481244150043.JavaMail.zimbra@redhat.com> References: <1340840577.5444240.1481244150043.JavaMail.zimbra@redhat.com> Message-ID: <52e4213b-c86d-5b64-afca-445ab7762445@redhat.com> On 12/08/2016 05:42 PM, John Magne wrote: > Simple patch will provide a fix to this issue. > > > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel Tested original code to confirm incorrect ECC signing curve; tested patched code to confirm correct ECC signing curve. ACK -------------- next part -------------- An HTML attachment was scrubbed... URL: From mharmsen at redhat.com Fri Dec 9 01:47:00 2016 
From: mharmsen at redhat.com (Matthew Harmsen) Date: Thu, 8 Dec 2016 18:47:00 -0700 Subject: [Pki-devel] [PATCH] - remove xenroll.dll from pki-core Message-ID: <9499a6de-9dfa-3907-15a1-036a3629069d@redhat.com> Please review the attached patch, which addresses the following bug: * PKI TRAC Ticket #2524 - Remove xenroll.dll from pki-core Thanks, -- Matt -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 20161206-Removed-all-references-to-xenroll.dll.patch Type: text/x-patch Size: 130149 bytes Desc: not available URL: From jmagne at redhat.com Fri Dec 9 18:42:29 2016 From: jmagne at redhat.com (John Magne) Date: Fri, 9 Dec 2016 13:42:29 -0500 (EST) Subject: [Pki-devel] [pki-devel][PATCH] 0086-Resolve-pkispawn-does-not-change-default-ecc-key-siz.patch In-Reply-To: <52e4213b-c86d-5b64-afca-445ab7762445@redhat.com> References: <1340840577.5444240.1481244150043.JavaMail.zimbra@redhat.com> <52e4213b-c86d-5b64-afca-445ab7762445@redhat.com> Message-ID: <571789012.5597593.1481308949708.JavaMail.zimbra@redhat.com> ACKED, by mharmsen, thanks! Pushed to master: commit ae350a3d4e0ae9b82fa44ebdfa37654f0083b4c1 Author: Jack Magne Date: Thu Dec 8 16:35:20 2016 -0800 Resolve: pkispawn does not change default ecc key size from nistp256 when nistp384 is specified in spawn config Ticket #2552. This fix turned out simple. The client was correctly setting the required data, but it was putting the curveName in the "keySize" field of the SystemCertData object sent to the back end. The configuration routine was trying to find the name in the "curveName" field when it's really in the "keySize" field. This issue is restricted to the ECC case. It is fine to simply fix this in the server, since the "keySize" is a string anyway and it makes decent sense. Closing ticket #2552 ----- Original Message -----
> From: "Matthew Harmsen" > To: "John Magne" , "pki-devel" > Sent: Thursday, December 8, 2016 5:36:24 PM > Subject: Re: [Pki-devel] [pki-devel][PATCH] 0086-Resolve-pkispawn-does-not-change-default-ecc-key-siz.patch > > On 12/08/2016 05:42 PM, John Magne wrote: > > Simple patch will provide a fix to this issue. > > > > > > _______________________________________________ > > Pki-devel mailing list > > Pki-devel at redhat.com > > https://www.redhat.com/mailman/listinfo/pki-devel > > Tested original code to confirm incorrect ECC signing curve; tested > patched code to confirm correct ECC signing curve. > > ACK > > From mharmsen at redhat.com Fri Dec 9 23:07:20 2016 From: mharmsen at redhat.com (Matthew Harmsen) Date: Fri, 9 Dec 2016 16:07:20 -0700 Subject: [Pki-devel] Fwd: [PATCH] - remove xenroll.dll from pki-core In-Reply-To: <9499a6de-9dfa-3907-15a1-036a3629069d@redhat.com> References: <9499a6de-9dfa-3907-15a1-036a3629069d@redhat.com> Message-ID: Attached REVISED patch. -------- Forwarded Message -------- Subject: [PATCH] - remove xenroll.dll from pki-core Date: Thu, 8 Dec 2016 18:47:00 -0700 From: Matthew Harmsen To: pki-devel Please review the attached patch, which addresses the following bug: * PKI TRAC Ticket #2524 - Remove xenroll.dll from pki-core Thanks, -- Matt -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 20161209-Removed-all-references-to-xenroll.dll.patch Type: text/x-patch Size: 154025 bytes Desc: not available URL: From jmagne at redhat.com Fri Dec 9 23:23:36 2016
From: jmagne at redhat.com (John Magne) Date: Fri, 9 Dec 2016 18:23:36 -0500 (EST) Subject: [Pki-devel] Fwd: [PATCH] - remove xenroll.dll from pki-core In-Reply-To: References: <9499a6de-9dfa-3907-15a1-036a3629069d@redhat.com> Message-ID: <1768819462.5628590.1481325816218.JavaMail.zimbra@redhat.com> ACK Participated in demo of the code and was able to enroll for and import a cert using IE. ----- Original Message ----- From: "Matthew Harmsen" To: "pki-devel" Sent: Friday, December 9, 2016 3:07:20 PM Subject: [Pki-devel] Fwd: [PATCH] - remove xenroll.dll from pki-core Attached REVISED patch. -------- Forwarded Message -------- Subject: [PATCH] - remove xenroll.dll from pki-core Date: Thu, 8 Dec 2016 18:47:00 -0700 From: Matthew Harmsen To: pki-devel Please review the attached patch, which addresses the following bug: * PKI TRAC Ticket #2524 - Remove xenroll.dll from pki-core Thanks, -- Matt _______________________________________________ Pki-devel mailing list Pki-devel at redhat.com https://www.redhat.com/mailman/listinfo/pki-devel From ftweedal at redhat.com Mon Dec 12 01:53:10 2016 From: ftweedal at redhat.com (Fraser Tweedale) Date: Mon, 12 Dec 2016 11:53:10 +1000 Subject: [Pki-devel] [PATCH] 0138 Move AuthToken key constants to IAuthToken In-Reply-To: <20161129090212.GC28337@dhcp-40-8.bne.redhat.com> References: <20161129090212.GC28337@dhcp-40-8.bne.redhat.com> Message-ID: <20161212015310.GE4232@dhcp-40-8.bne.redhat.com> Acked by alee: https://github.com/frasertweedale/pki/commit/b775ca19b2c1a3d554aca3134308a71fecd7bdd0 Pushed to master (1407b5f3af27d05970bb42ac2fefe51cb6b01abd) Thanks, Fraser On Tue, Nov 29, 2016 at 07:02:12PM +1000, Fraser Tweedale wrote: > The attached patch moves some string constants from AuthToken to > IAuthToken. External authentication support will bring a new > implementation of IAuthToken so moving these to the interface > simplifies things. > > Thanks, > Fraser > From 8118f83cc7691e48c63111a050540c9180fd29e5 Mon Sep 17 00:00:00 2001
> From: Fraser Tweedale > Date: Tue, 29 Nov 2016 16:10:58 +1000 > Subject: [PATCH 138/141] Move AuthToken key constants to IAuthToken > > Part of: https://fedorahosted.org/pki/ticket/1359 > --- > .../netscape/certsrv/authentication/AuthToken.java | 34 ---------------------- > .../certsrv/authentication/IAuthToken.java | 34 ++++++++++++++++++++++ > 2 files changed, 34 insertions(+), 34 deletions(-) > > diff --git a/base/common/src/com/netscape/certsrv/authentication/AuthToken.java b/base/common/src/com/netscape/certsrv/authentication/AuthToken.java > index 0febf87727d2ebde9dbcacbd5059f9b9afa13701..53959b131f2d9a99e6b9b65640f8546e84468c66 100644 > --- a/base/common/src/com/netscape/certsrv/authentication/AuthToken.java > +++ b/base/common/src/com/netscape/certsrv/authentication/AuthToken.java 
> @@ -51,40 +51,6 @@ import com.netscape.certsrv.usrgrp.Certificates; > public class AuthToken implements IAuthToken { > protected Hashtable mAttrs = null; > > - /* Subject name of the certificate in the authenticating entry */ > - public static final String TOKEN_CERT_SUBJECT = "tokenCertSubject"; > - > - /* NotBefore value of the certificate in the authenticating entry */ > - public static final String TOKEN_CERT_NOTBEFORE = "tokenCertNotBefore"; > - > - /* NotAfter value of the certificate in the authenticating entry */ > - public static final String TOKEN_CERT_NOTAFTER = "tokenCertNotAfter"; > - > - /* Cert Extentions value of the certificate in the authenticating entry */ > - public static final String TOKEN_CERT_EXTENSIONS = "tokenCertExts"; > - > - /* Serial number of the certificate in the authenticating entry */ > - public static final String TOKEN_CERT_SERIALNUM = "certSerial"; > - > - /** > - * Certificate to be renewed > - */ > - public static final String TOKEN_CERT = "tokenCert"; > - > - /* Certificate to be revoked */ > - public static final String TOKEN_CERT_TO_REVOKE = "tokenCertToRevoke"; > - > - /** > - * Name of the authentication manager that created the AuthToken > - * as a string. > - */ > - public static final String TOKEN_AUTHMGR_INST_NAME = "authMgrInstName"; > - > - /** > - * Time of authentication as a java.util.Date > - */ > - public static final String TOKEN_AUTHTIME = "authTime"; > - > /** > * Constructs an instance of a authentication token. > * The token by default contains the following attributes:
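Review bot: no call site is touched by this removal, which only works because AuthToken implements IAuthToken and so inherits the interface constants; references written as AuthToken.TOKEN_CERT_SUBJECT elsewhere in the tree keep compiling but still name the class rather than the interface. A follow-up that rewrites those references to IAuthToken.TOKEN_CERT_SUBJECT (and friends) would make the new home of the keys visible and let the planned external-authentication IAuthToken implementation be used without any dependency on AuthToken. Worth a grep for `AuthToken.TOKEN_` before the second implementation lands.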
> diff --git a/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java b/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java > index a71432446edcf6b5d838f1115df16b26acd01dce..a3f240e9c35987462eb2f176de650a769df1005c 100644 > --- a/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java > +++ b/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java 
> @@ -41,6 +41,40 @@ public interface IAuthToken { > public static final String UID = "uid"; > public static final String GROUPS = "groups"; > > + /* Subject name of the certificate in the authenticating entry */ > + public static final String TOKEN_CERT_SUBJECT = "tokenCertSubject"; > + > + /* NotBefore value of the certificate in the authenticating entry */ > + public static final String TOKEN_CERT_NOTBEFORE = "tokenCertNotBefore"; > + > + /* NotAfter value of the certificate in the authenticating entry */ > + public static final String TOKEN_CERT_NOTAFTER = "tokenCertNotAfter"; > + > + /* Cert Extentions value of the certificate in the authenticating entry */ > + public static final String TOKEN_CERT_EXTENSIONS = "tokenCertExts"; > + > + /* Serial number of the certificate in the authenticating entry */ > + public static final String TOKEN_CERT_SERIALNUM = "certSerial"; > + > + /** > + * Certificate to be renewed > + */ > + public static final String TOKEN_CERT = "tokenCert"; > + > + /* Certificate to be revoked */ > + public static final String TOKEN_CERT_TO_REVOKE = "tokenCertToRevoke"; > + > + /** > + * Name of the authentication manager that created the AuthToken > + * as a string. > + */ > + public static final String TOKEN_AUTHMGR_INST_NAME = "authMgrInstName"; > + > + /** > + * Time of authentication as a java.util.Date > + */ > + public static final String TOKEN_AUTHTIME = "authTime"; > + > /** > * Sets an attribute value within this AttrSet. > * > -- > 2.7.4 > > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel From ftweedal at redhat.com Mon Dec 12 01:58:04 2016 
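Review bot: the comments arrive on the interface in two styles: TOKEN_CERT_SUBJECT, TOKEN_CERT_NOTBEFORE, TOKEN_CERT_NOTAFTER, TOKEN_CERT_EXTENSIONS, TOKEN_CERT_SERIALNUM and TOKEN_CERT_TO_REVOKE carry plain `/* ... */` block comments, while TOKEN_CERT, TOKEN_AUTHMGR_INST_NAME and TOKEN_AUTHTIME carry `/** ... */` Javadoc. Now that they sit on the public interface next to UID and GROUPS, promote all of them to Javadoc so the generated API documentation lists them, and fix the carried-over typo "Cert Extentions value of the certificate" (should be "Extensions") while the lines are being moved anyway.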
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Mon, 12 Dec 2016 11:58:04 +1000
Subject: [Pki-devel] [PATCH] 0139 Merge duplicate authz plugin code into superclass
In-Reply-To: <20161129090426.GD28337@dhcp-40-8.bne.redhat.com>
References: <20161129090426.GD28337@dhcp-40-8.bne.redhat.com>
Message-ID: <20161212015804.GF4232@dhcp-40-8.bne.redhat.com>

Acked by alee: https://github.com/frasertweedale/pki/commit/2d6e917470fce977d2537eba0b9ef2ee17fd0a41
Pushed to master (bfcf597d569e24fe6ec60062e37908c62bcff76)

On Tue, Nov 29, 2016 at 07:04:26PM +1000, Fraser Tweedale wrote:
> The attached patch merges some duplicate authz manager code into the
> existing AAclAuthz superclass.
>
> It simplifies things if we end up adding a new authz manager as part
> of external authentication / GSS-API support. But it's a nice
> refactor to do anyway :)
>
> Thanks,
> Fraser
> From afc5fc3da5f1ea61305fb237e002bbe8b3d26e8c Mon Sep 17 00:00:00 2001
> From: Fraser Tweedale
> Date: Fri, 25 Nov 2016 14:29:40 +1000
> Subject: [PATCH 139/141] Merge duplicate authz plugin code into superclass
>
> DirAclAuthz and BasicAclAuthz both extend AAclAuthz, but there is
> still a lot of duplicate code. Push the duplicated bits up into the
> AAclAuthz.
>
> Also remove abstract method flushResourceACLs() from AAclAuthz, and
> its implementation from BasicAclAuthz, because it is only
> implemented (meaningfully) by DirAclAuthz.
>
> Part of: https://fedorahosted.org/pki/ticket/1359
> ---
> .../com/netscape/cms/authorization/AAclAuthz.java | 93 ++++++++++---
> .../netscape/cms/authorization/BasicAclAuthz.java | 144 +--------------------
> .../netscape/cms/authorization/DirAclAuthz.java | 105 +--------------
> 3 files changed, 78 insertions(+), 264 deletions(-)
>
> diff --git a/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java b/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java
> index b3e447cfca49951fe78f6b4896652921ffc43406..f95c98174a06dba9ebf3e43238e566be2e6b5594 100644
> --- a/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java > +++ b/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java > @@ -30,6 +30,9 @@ import com.netscape.certsrv.acls.IACL; > import com.netscape.certsrv.apps.CMS; > import com.netscape.certsrv.authentication.IAuthToken; > import com.netscape.certsrv.authorization.AuthzToken; > +import com.netscape.certsrv.authorization.EAuthzAccessDenied; > +import com.netscape.certsrv.authorization.EAuthzInternalError; > +import com.netscape.certsrv.authorization.IAuthzManager; > import com.netscape.certsrv.base.EBaseException; > import com.netscape.certsrv.base.IConfigStore; > import com.netscape.certsrv.evaluators.IAccessEvaluator; > @@ -61,7 +64,7 @@ import com.netscape.cmsutil.util.Utils; > * @version $Revision$, $Date$ > * @see ACL Files > */ > -public abstract class AAclAuthz { > +public abstract class AAclAuthz implements IAuthzManager { > > protected static final String PROP_CLASS = "class"; > protected static final String PROP_IMPL = "impl"; > @@ -69,6 +72,12 @@ public abstract class AAclAuthz { > > protected static final String ACLS_ATTR = "aclResources"; > > + /* name of this authorization manager instance */ > + private String mName = null; > + > + /* name of the authorization manager plugin */ > + private String mImplName = null; > + > private IConfigStore mConfig = null; > > private Hashtable mACLs = new Hashtable(); > @@ -93,14 +102,14 @@ public abstract class AAclAuthz { > /** > * Initializes > */ > - protected void init(IConfigStore config) > + public void init(String name, String implName, IConfigStore config) > throws EBaseException { > - > + mName = name; > + mImplName = implName; > + mConfig = config; > mLogger = CMS.getLogger(); > CMS.debug("AAclAuthz: init begins"); > > - mConfig = config; > - > // load access evaluators specified in the config file > IConfigStore mainConfig = CMS.getConfigStore(); > IConfigStore evalConfig = mainConfig.getSubStore(PROP_EVAL); 
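Review bot: init() changes from `protected void init(IConfigStore config)` to `public void init(String name, String implName, IConfigStore config)`, which is a source-incompatible change for any AAclAuthz subclass outside this patch that still calls super.init(config); both in-tree subclasses are updated further down, but the method's Javadoc is still just "Initializes" and should now document the name and implName parameters and that they are what getName()/getImplName() return. With AAclAuthz itself now declaring `implements IAuthzManager`, the `implements IAuthzManager` clauses left on BasicAclAuthz and DirAclAuthz are redundant and could be dropped in the same patch. Minor: mConfig is now assigned before the CMS.debug call rather than after it, so an exception from the evaluator loading that follows leaves a manager with name and config set but no evaluators; if that is acceptable, fine, but it is a small ordering change the commit message does not mention.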
> @@ -144,6 +153,20 @@ public abstract class AAclAuthz { > } > > /** > + * gets the name of this authorization manager instance > + */ > + public String getName() { > + return mName; > + } > + > + /** > + * gets the plugin name of this authorization manager. > + */ > + public String getImplName() { > + return mImplName; > + } > + > + /** > * Parse ACL resource attributes, then update the ACLs memory store > * This is intended to be used if storing ACLs on ldap is not desired, > * and the caller is expected to call this method to add resource > @@ -818,7 +841,7 @@ public abstract class AAclAuthz { > } > } > > - private void log(int level, String msg) { > + protected void log(int level, String msg) { > if (mLogger == null) > return; > mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHORIZATION, > @@ -830,24 +853,58 @@ public abstract class AAclAuthz { > **********************************/ > > /** > - * update acls. called after memory upate is done to flush to permanent > - * storage. > - *

> - */ > - protected abstract void flushResourceACLs() throws EACLsException; > - > - /** > - * an abstract class that enforces implementation of the > - * authorize() method that will authorize an operation on a > - * particular resource > + * check the authorization permission for the user associated with > + * authToken on operation > + * > + * Example: > + * > + * For example, if UsrGrpAdminServlet needs to authorize the > + * caller it would do be done in the following fashion: > + * > + * try { > + * authzTok = mAuthz.authorize( > + * "DirAclAuthz", authToken, RES_GROUP, "read"); > + * } catch (EBaseException e) { > + * log(ILogger.LL_FAILURE, "authorize call: " + e.toString()); > + * } > * > * @param authToken the authToken associated with a user > * @param resource - the protected resource name > * @param operation - the protected resource operation name > - * @exception EBaseException If an internal error occurred. > + * @exception EAuthzAccessDenied If access was denied > + * @exception EAuthzInternalError If an internal error occurred. 
> * @return authzToken > */ > - public abstract AuthzToken authorize(IAuthToken authToken, String resource, String operation) throws EBaseException; > + public AuthzToken authorize(IAuthToken authToken, String resource, String operation) > + throws EAuthzInternalError, EAuthzAccessDenied { > + try { > + checkPermission(authToken, resource, operation); > + // compose AuthzToken > + AuthzToken authzToken = new AuthzToken(this); > + authzToken.set(AuthzToken.TOKEN_AUTHZ_RESOURCE, resource); > + authzToken.set(AuthzToken.TOKEN_AUTHZ_OPERATION, operation); > + authzToken.set(AuthzToken.TOKEN_AUTHZ_STATUS, AuthzToken.AUTHZ_STATUS_SUCCESS); > + CMS.debug(mName + ": authorization passed"); > + return authzToken; > + } catch (EACLsException e) { > + // audit here later > + log(ILogger.LL_FAILURE, CMS.getLogMessage("AUTHZ_EVALUATOR_AUTHORIZATION_FAILED")); > + String params[] = { resource, operation }; > + log(ILogger.LL_FAILURE, CMS.getLogMessage("AUTHZ_AUTHZ_ACCESS_DENIED_2", params)); > + > + throw new EAuthzAccessDenied(CMS.getUserMessage("CMS_AUTHORIZATION_ERROR")); > + } > + } > + > + public AuthzToken authorize(IAuthToken authToken, String expression) > + throws EAuthzAccessDenied { > + if (evaluateACLs(authToken, expression)) { > + return (new AuthzToken(this)); > + } else { > + String params[] = { expression }; > + throw new EAuthzAccessDenied(CMS.getUserMessage("CMS_AUTHORIZATION_AUTHZ_ACCESS_DENIED", params)); > + } > + } > > public String getOrder() { > IConfigStore mainConfig = CMS.getConfigStore(); > diff --git a/base/server/cms/src/com/netscape/cms/authorization/BasicAclAuthz.java b/base/server/cms/src/com/netscape/cms/authorization/BasicAclAuthz.java > index c883758b39ee018ab6aeb82bdfb5242bcc32c439..6b33c2041d0b41ac5db31c3ebf8a3ae1d33632b9 100644 > --- a/base/server/cms/src/com/netscape/cms/authorization/BasicAclAuthz.java > +++ b/base/server/cms/src/com/netscape/cms/authorization/BasicAclAuthz.java 
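Review bot: in the consolidated AAclAuthz.authorize(IAuthToken, String, String) above, the EACLsException caught from checkPermission() is never logged or chained: the two log lines record only resource and operation, and the EAuthzAccessDenied that is thrown carries the generic CMS_AUTHORIZATION_ERROR message, so the reason the ACL evaluation failed is lost at exactly the point an incident responder needs it. Suggest at least `CMS.debug(mName + ": authorization failed: " + e.getMessage());` inside the catch, or passing e as the cause where the exception constructor allows it. Also: the method declares `throws EAuthzInternalError` but nothing in the body can raise it; the Javadoc example still hard-codes the "DirAclAuthz" manager name although the method now serves BasicAclAuthz too; and the "// audit here later" comment is inherited from both removed copies and would be better as a ticket reference than a reminder that survives another refactor.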
> @@ -18,12 +18,7 @@ > package com.netscape.cms.authorization; > > // cert server imports. > -import com.netscape.certsrv.acls.EACLsException; > import com.netscape.certsrv.apps.CMS; > -import com.netscape.certsrv.authentication.IAuthToken; > -import com.netscape.certsrv.authorization.AuthzToken; > -import com.netscape.certsrv.authorization.EAuthzAccessDenied; > -import com.netscape.certsrv.authorization.EAuthzInternalError; > import com.netscape.certsrv.authorization.IAuthzManager; > import com.netscape.certsrv.base.EBaseException; > import com.netscape.certsrv.base.IConfigStore; > @@ -38,23 +33,6 @@ import com.netscape.certsrv.logging.ILogger; > public class BasicAclAuthz extends AAclAuthz > implements IAuthzManager, IExtendedPluginInfo { > > - // members > - > - /* name of this authorization manager instance */ > - private String mName = null; > - > - /* name of the authorization manager plugin */ > - private String mImplName = null; > - > - /* configuration store */ > - @SuppressWarnings("unused") > - private IConfigStore mConfig; > - > - /* the system logger */ > - private ILogger mLogger = null; > - > - protected static final String PROP_BASEDN = "basedn"; > - > static { > mExtendedPluginInfo.add("nothing for now"); > } 
> @@ -80,135 +58,15 @@ public class BasicAclAuthz extends AAclAuthz > */ > public void init(String name, String implName, IConfigStore config) > throws EBaseException { > - mName = name; > - mImplName = implName; > - mConfig = config; > - mLogger = CMS.getLogger(); > - > - super.init(config); > + super.init(name, implName, config); > > log(ILogger.LL_INFO, "initialization done"); > } > > /** > - * gets the name of this authorization manager instance > - */ > - public String getName() { > - return mName; > - } > - > - /** > - * gets the plugin name of this authorization manager. > - */ > - public String getImplName() { > - return mImplName; > - } > - > - /** > - * check the authorization permission for the user associated with > - * authToken on operation > - *

> - * Example: > - *

> - * For example, if UsrGrpAdminServlet needs to authorize the caller it would do be done in the following fashion: > - * > - *

> -     * try {
> -     *     authzTok = mAuthz.authorize("DirACLBasedAuthz", authToken, RES_GROUP, "read");
> -     * } catch (EBaseException e) {
> -     *     log(ILogger.LL_FAILURE, "authorize call: " + e.toString());
> -     * }
> -     * 
> - * > - * @param authToken the authToken associated with a user > - * @param resource - the protected resource name > - * @param operation - the protected resource operation name > - * @exception EAuthzInternalError if an internal error occurred. > - * @exception EAuthzAccessDenied if access denied > - * @return authzToken if success > - */ > - public AuthzToken authorize(IAuthToken authToken, String resource, String operation) > - throws EAuthzInternalError, EAuthzAccessDenied { > - AuthzToken authzToken = new AuthzToken(this); > - > - try { > - checkPermission(authToken, resource, operation); > - > - CMS.debug("BasicAclAuthz: authorization passed"); > - > - // compose AuthzToken > - authzToken.set(AuthzToken.TOKEN_AUTHZ_RESOURCE, resource); > - authzToken.set(AuthzToken.TOKEN_AUTHZ_OPERATION, operation); > - authzToken.set(AuthzToken.TOKEN_AUTHZ_STATUS, > - AuthzToken.AUTHZ_STATUS_SUCCESS); > - } catch (EACLsException e) { > - // audit here later > - log(ILogger.LL_FAILURE, CMS.getLogMessage("AUTHZ_EVALUATOR_AUTHORIZATION_FAILED")); > - String params[] = { resource, operation }; > - log(ILogger.LL_FAILURE, CMS.getLogMessage("AUTHZ_AUTHZ_ACCESS_DENIED_2", params)); > - > - throw new EAuthzAccessDenied(CMS.getUserMessage("CMS_AUTHORIZATION_ERROR")); > - } > - > - return authzToken; > - } > - > - public AuthzToken authorize(IAuthToken authToken, String expression) > - throws EAuthzAccessDenied { > - if (evaluateACLs(authToken, expression)) { > - return (new AuthzToken(this)); > - } else { > - String params[] = { expression }; > - throw new EAuthzAccessDenied(CMS.getUserMessage("CMS_AUTHORIZATION_AUTHZ_ACCESS_DENIED", params)); > - } > - } > - > - /** > - * This currently does not flush to permanent storage > - * > - * @param id is the resource id > - * @param strACLs > - */ > - public void updateACLs(String id, String rights, String strACLs, > - String desc) throws EACLsException { > - try { > - super.updateACLs(id, rights, strACLs, desc); > - // 
flushResourceACLs(); > - } catch (EACLsException ex) { > - > - log(ILogger.LL_FAILURE, CMS.getLogMessage("AUTHZ_EVALUATOR_FLUSH_RESOURCES", ex.toString())); > - > - throw new EACLsException(CMS.getUserMessage("CMS_ACL_UPDATE_FAIL")); > - } > - } > - > - /** > - * updates resourceACLs to permanent storage. > - * currently not implemented for this authzMgr > - */ > - protected void flushResourceACLs() throws EACLsException { > - log(ILogger.LL_FAILURE, "flushResourceACL() is not implemented"); > - throw new EACLsException(CMS.getUserMessage("CMS_ACL_METHOD_NOT_IMPLEMENTED")); > - } > - > - /** > * graceful shutdown > */ > public void shutdown() { > log(ILogger.LL_INFO, "shutting down"); > } > - > - /** > - * Logs a message for this class in the system log file. > - * > - * @param level The log level. > - * @param msg The message to log. > - * @see com.netscape.certsrv.logging.ILogger > - */ > - protected void log(int level, String msg) { > - if (mLogger == null) > - return; > - mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHORIZATION, > - level, msg); > - } > } > diff --git a/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java b/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java > index 4f14f4c4098c31bdad8b85260a1ea14b1c917f52..bcb81f3d0e390545fed2fbf530cf9b57e6bc48ea 100644 > --- a/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java > +++ b/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java > @@ -24,8 +24,6 @@ import com.netscape.certsrv.acls.EACLsException; > import com.netscape.certsrv.apps.CMS; > import com.netscape.certsrv.authentication.IAuthToken; > import com.netscape.certsrv.authorization.AuthzToken; > -import com.netscape.certsrv.authorization.EAuthzAccessDenied; > -import com.netscape.certsrv.authorization.EAuthzInternalError; > import com.netscape.certsrv.authorization.IAuthzManager; > import com.netscape.certsrv.base.EBaseException; > import com.netscape.certsrv.base.IConfigStore; 
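Review bot: dropping BasicAclAuthz.updateACLs() is a small behaviour change, not a pure de-duplication: the removed override caught EACLsException from super.updateACLs(), logged AUTHZ_EVALUATOR_FLUSH_RESOURCES and rethrew a generic CMS_ACL_UPDATE_FAIL, whereas callers now receive whatever AAclAuthz.updateACLs() throws, without that extra log line. That is arguably an improvement (the more specific message survives), but the commit message only mentions the flushResourceACLs() removal and should say so. Also note that the removed log line referred to flushing resources even though the flushResourceACLs() call was commented out, so nothing is lost on the flush side; BasicAclAuthz ACL updates remain memory-only, which is worth stating in the class Javadoc now that no method in the class says it.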
> @@ -54,18 +52,6 @@ public class DirAclAuthz extends AAclAuthz > > // members > > - /* name of this authentication manager instance */ > - private String mName = null; > - > - /* name of the authentication manager plugin */ > - private String mImplName = null; > - > - /* configuration store */ > - private IConfigStore mConfig; > - > - /* the system logger */ > - private ILogger mLogger = null; > - > protected static final String PROP_BASEDN = "basedn"; > > private ILdapConnFactory mLdapConnFactory = null; > @@ -118,15 +104,10 @@ public class DirAclAuthz extends AAclAuthz > */ > public void init(String name, String implName, IConfigStore config) > throws EBaseException { > - mName = name; > - mImplName = implName; > - mConfig = config; > - mLogger = CMS.getLogger(); > - > - super.init(config); > + super.init(name, implName, config); > > // initialize LDAP connection factory > - IConfigStore ldapConfig = mConfig.getSubStore("ldap"); > + IConfigStore ldapConfig = config.getSubStore("ldap"); > > if (ldapConfig == null) { > log(ILogger.LL_MISCONF, "failed to get config ldap info"); > @@ -186,75 +167,6 @@ public class DirAclAuthz extends AAclAuthz > } > > /** > - * gets the name of this authorization manager instance > - */ > - public String getName() { > - return mName; > - } > - > - /** > - * gets the plugin name of this authorization manager. > - */ > - public String getImplName() { > - return mImplName; > - } > - > - /** > - * check the authorization permission for the user associated with > - * authToken on operation > - *

> - * Example: > - *

> - * For example, if UsrGrpAdminServlet needs to authorize the caller it would do be done in the following fashion: > - * > - *

> -     * try {
> -     *     authzTok = mAuthz.authorize("DirAclAuthz", authToken, RES_GROUP, "read");
> -     * } catch (EBaseException e) {
> -     *     log(ILogger.LL_FAILURE, "authorize call: " + e.toString());
> -     * }
> -     * 
> - * > - * @param authToken the authToken associated with a user > - * @param resource - the protected resource name > - * @param operation - the protected resource operation name > - * @exception EBaseException If an internal error occurred. > - * @return authzToken > - */ > - public AuthzToken authorize(IAuthToken authToken, String resource, String operation) > - throws EAuthzInternalError, EAuthzAccessDenied { > - AuthzToken authzToken = new AuthzToken(this); > - > - try { > - checkPermission(authToken, resource, operation); > - // compose AuthzToken > - authzToken.set(AuthzToken.TOKEN_AUTHZ_RESOURCE, resource); > - authzToken.set(AuthzToken.TOKEN_AUTHZ_OPERATION, operation); > - authzToken.set(AuthzToken.TOKEN_AUTHZ_STATUS, AuthzToken.AUTHZ_STATUS_SUCCESS); > - CMS.debug("DirAclAuthz: authorization passed"); > - } catch (EACLsException e) { > - // audit here later > - log(ILogger.LL_FAILURE, CMS.getLogMessage("AUTHZ_EVALUATOR_AUTHORIZATION_FAILED")); > - String params[] = { resource, operation }; > - log(ILogger.LL_FAILURE, CMS.getLogMessage("AUTHZ_AUTHZ_ACCESS_DENIED_2", params)); > - > - throw new EAuthzAccessDenied(CMS.getUserMessage("CMS_AUTHORIZATION_ERROR")); > - } > - > - return authzToken; > - } > - > - public AuthzToken authorize(IAuthToken authToken, String expression) > - throws EAuthzAccessDenied { > - if (evaluateACLs(authToken, expression)) { > - return (new AuthzToken(this)); > - } else { > - String params[] = { expression }; > - throw new EAuthzAccessDenied(CMS.getUserMessage("CMS_AUTHORIZATION_AUTHZ_ACCESS_DENIED", params)); > - } > - } > - > - /** > * update acls. when memory update is done, flush to ldap. > *

> * Currently, it is possible that when the memory is updated successfully, and the ldap isn't, the memory upates > @@ -353,17 +265,4 @@ public class DirAclAuthz extends AAclAuthz > } > } > > - /** > - * Logs a message for this class in the system log file. > - * > - * @param level The log level. > - * @param msg The message to log. > - * @see com.netscape.certsrv.logging.ILogger > - */ > - protected void log(int level, String msg) { > - if (mLogger == null) > - return; > - mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHORIZATION, > - level, msg); > - } > } > -- > 2.7.4 > > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel

From ftweedal at redhat.com Mon Dec 12 02:00:03 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Mon, 12 Dec 2016 12:00:03 +1000
Subject: [Pki-devel] [PATCH] 0140 Allow ':' to appear in ACL expressions
In-Reply-To: <20161129090848.GE28337@dhcp-40-8.bne.redhat.com>
References: <20161129090848.GE28337@dhcp-40-8.bne.redhat.com>
Message-ID: <20161212020003.GG4232@dhcp-40-8.bne.redhat.com>

Acked by alee: https://github.com/frasertweedale/pki/commit/037c16e3e78bccfa16e3d50ef840675ad2e0f3ec
Pushed to master (7ab1bbb708d539d4db4e494418fedb952e4880bc)

Thanks,
Fraser

On Tue, Nov 29, 2016 at 07:08:48PM +1000, Fraser Tweedale wrote:
> With current ACL parsing, if you have a ':' in a group name (as
> occurs with FreeIPA permissions, which matter for upcoming external
> principal support) you are stuffed. This commit fixes that.
>
> It is really a band-aid - the existing parsing code is poor and
> should be replaced with a nice combinatorial parser... but who has
> the time for that right now? ¯\_(ツ)_/¯
>
> Note that if there is a ':' in any of the ACL descriptions/comments
> (the final field) this change breaks it. We don't have any
> occurrences of that in our codebase.
>
> Thanks,
> Fraser
> From 4e13cd0c960558b0f590c5f74ef0b52f0eb667f2 Mon Sep 17 00:00:00 2001 > From: Fraser Tweedale > Date: Fri, 25 Nov 2016 18:04:22 +1000 > Subject: [PATCH 140/141] Allow ':' to appear in ACL expressions > > Currently if ':' appears in an ACL expression (e.g. a group name, as > occurs in FreeIPA permissions), the ACL gets parsed incorrectly. > > Look backwards from end of string for the final ':', so that the ACL > parses correctly. > > Part of: https://fedorahosted.org/pki/ticket/1359 > --- > base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java > index e37ba25e0446108e266a1b068a7ba2a6e60fb769..9b87f6e2437a398ffd6c4956a8e91809918ab8b9 100644 > --- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java > +++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java > @@ -681,8 +681,10 @@ public class CMSEngine implements ICMSEngine { > > acl = new ACL(resource, rights, resACLs); > > + // search *backwards* for final instance of ':', to handle case > + // where acl expressions contain colon, e.g. in a group name. > String stx = st.substring(idx2 + 1); > - int idx3 = stx.indexOf(":"); > + int idx3 = stx.lastIndexOf(":"); > String aclStr = stx.substring(0, idx3); > > // getting list of acl entries > -- > 2.7.4 > > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel From ftweedal at redhat.com Mon Dec 12 02:01:12 2016 
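Review bot: `stx.lastIndexOf(":")` fixes the quoted-group-name case but makes the trailing description field load-bearing: a ':' anywhere in the description now ends up inside aclStr, so the expression list is parsed with the first part of the description glued on, and a record with no ':' after idx2 still yields idx3 == -1 and a StringIndexOutOfBoundsException from substring(0, -1), exactly as before. The commit message acknowledges the description limitation; if ':' inside ACL expressions only ever occurs within double-quoted values (as with the group names that motivated this change), splitting at the first ':' that is outside quotes would handle both the group-name and the description case. Short of that, add `if (idx3 < 0)` with an error that names the resource, and record in the ACL format comments that the description must not contain ':'.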
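The three ways of splitting an ACL record that this thread discusses, as an added Python model (not code from the pki project): the pre-patch first-':' split, the patched last-':' split, and a quote-aware split that keeps both a ':' inside a quoted group name and a ':' in the description intact. It assumes the record layout resource:rights:aclExpressions:description that the hunk's idx2/idx3 handling implies, that resource and rights contain no ':', and that ':' inside ACL expressions appears only within double-quoted values such as group="System: ..."; the sample records and the AclRecord/parse_* names are constructed for the example.

```python
"""Model of the ACL record split that patch 0140 changes in CMSEngine.

Added example, not code from the pki project.  Assumed record layout:

    resource:rights:aclExpression[;aclExpression...]:description

CMSEngine finds the end of the rights field (idx2) and then has to split
the remainder into the expression list and the free-text description.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AclRecord:
    resource: str
    rights: str
    expressions: str
    description: str


def _split_head(record: str) -> tuple[str, str, str]:
    """Peel off resource and rights (assumed never to contain ':')."""
    parts = record.split(":", 2)
    if len(parts) != 3:
        raise ValueError(f"malformed ACL record: {record!r}")
    return parts[0], parts[1], parts[2]


def parse_first_colon(record: str) -> AclRecord:
    """Pre-patch behaviour: the Java code used stx.indexOf(':')."""
    resource, rights, rest = _split_head(record)
    idx3 = rest.find(":")
    if idx3 < 0:
        raise ValueError("no description field")
    return AclRecord(resource, rights, rest[:idx3], rest[idx3 + 1:])


def parse_last_colon(record: str) -> AclRecord:
    """Patched behaviour: stx.lastIndexOf(':')."""
    resource, rights, rest = _split_head(record)
    idx3 = rest.rfind(":")
    if idx3 < 0:
        raise ValueError("no description field")
    return AclRecord(resource, rights, rest[:idx3], rest[idx3 + 1:])


def parse_quote_aware(record: str) -> AclRecord:
    """Split at the first ':' that is not inside a double-quoted string.

    Expressions carry ':' only inside quoted values (assumption), while
    the description is unquoted free text, so both survive this split.
    """
    resource, rights, rest = _split_head(record)
    in_quote = False
    for i, ch in enumerate(rest):
        if ch == '"':
            in_quote = not in_quote
        elif ch == ":" and not in_quote:
            return AclRecord(resource, rights, rest[:i], rest[i + 1:])
    raise ValueError("no description field outside quotes")


# Constructed sample records (not taken from any real deployment).
PLAIN = ('certServer.ca.certs:list:'
         'allow (list) group="Certificate Manager Agents":'
         'Agents may list certificates')
COLON_IN_GROUP = ('certServer.ca.certs:list:'
                  'allow (list) group="System: Manage Certificates":'
                  'Agents may list certificates')
COLON_IN_DESC = ('certServer.ca.certs:list:'
                 'allow (list) group="Certificate Manager Agents":'
                 'Note: agents only')


def expressions_by_strategy(record: str) -> dict[str, str]:
    """Expression field each strategy extracts from one record."""
    return {
        "first": parse_first_colon(record).expressions,
        "last": parse_last_colon(record).expressions,
        "quoted": parse_quote_aware(record).expressions,
    }


if __name__ == "__main__":
    for name, rec in (("plain", PLAIN),
                      ("colon-in-group", COLON_IN_GROUP),
                      ("colon-in-desc", COLON_IN_DESC)):
        print(name, expressions_by_strategy(rec))
```

Run it directly to see what each strategy extracts: the first-':' and last-':' splits each get exactly one of the two awkward records wrong, which is the trade-off the commit message describes, while the quote-aware split gets all three right without a full parser.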
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Mon, 12 Dec 2016 12:01:12 +1000
Subject: [Pki-devel] [PATCH] 0141 Add getAuthzManagerNameByRealm to IAuthzSubsystem
In-Reply-To: <20161129091228.GF28337@dhcp-40-8.bne.redhat.com>
References: <20161129091228.GF28337@dhcp-40-8.bne.redhat.com>
Message-ID: <20161212020112.GH4232@dhcp-40-8.bne.redhat.com>

Acked by alee: https://github.com/frasertweedale/pki/commit/4a43f08a96f80a44ad0d8fffcb49f70b5d274277
Pushed to master (e2e4b70bab9c81b9007057cafd25447190d6cde4).

Thanks,
Fraser

On Tue, Nov 29, 2016 at 07:12:28PM +1000, Fraser Tweedale wrote:
> This patch renames (a better name) and moves to the IAuthzSubsystem
> interface a method in AuthzSubsystem that may be useful for doing
> authorisation checks for external principals.
>
> Thanks,
> Fraser
> From 6a1ddf4cf79e40ff0a0702e063afa6e6237f0fb6 Mon Sep 17 00:00:00 2001
> From: Fraser Tweedale
> Date: Fri, 25 Nov 2016 21:08:56 +1000
> Subject: [PATCH 141/141] Add getAuthzManagerNameByRealm to IAuthzSubsystem
>
> The getAuthzManagerByRealm public method is defined in
> AuthzSubsystem but to support external principals we want to make
> this part of the IAuthzSubsystem interface, so other classes (e.g.
> ACLInterceptor) can use it.
>
> Part of: https://fedorahosted.org/pki/ticket/1359
> ---
> .../netscape/certsrv/authorization/IAuthzSubsystem.java | 9 +++++++++
> .../netscape/cmscore/authorization/AuthzSubsystem.java | 16 +++++++++-------
> 2 files changed, 18 insertions(+), 7 deletions(-)
>
> diff --git a/base/common/src/com/netscape/certsrv/authorization/IAuthzSubsystem.java b/base/common/src/com/netscape/certsrv/authorization/IAuthzSubsystem.java
> index c7d8df56bbfb1bf8af6c51ce491fc1384560b4a8..6fcf8e7b03eb596bb7914912474eeb3c298b6da1 100644
> --- a/base/common/src/com/netscape/certsrv/authorization/IAuthzSubsystem.java
> +++ b/base/common/src/com/netscape/certsrv/authorization/IAuthzSubsystem.java
> @@ -21,6 +21,7 @@ import java.util.Enumeration; > import java.util.Hashtable; > > import com.netscape.certsrv.authentication.IAuthToken; > +import com.netscape.certsrv.authorization.EAuthzUnknownRealm; > import com.netscape.certsrv.base.EBaseException; > import com.netscape.certsrv.base.ISubsystem; > > @@ -181,4 +182,12 @@ public interface IAuthzSubsystem extends ISubsystem { > * @return an authorization manager interface > */ > public IAuthzManager get(String name); > + > + /** > + * Given a realm name, return the name of an authz manager for that realm. > + * > + * @throws EAuthzUnknownRealm if no authz manager is found. > + */ > + public String getAuthzManagerNameByRealm(String realm) > + throws EAuthzUnknownRealm; > } > diff --git a/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java > index 31d5e71b4bdd672fa3eae3108824480d87eafdf3..67d12bdff2e716bcea4034726d189a23c6f50796 100644 > --- a/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java > +++ b/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java > @@ -495,10 +495,7 @@ public class AuthzSubsystem implements IAuthzSubsystem { > // if record owner == requester, SUCCESS > if ((owner != null) && owner.equals(authToken.getInString(IAuthToken.USER_ID))) return; > > - String mgrName = getAuthzManagerByRealm(realm); > - if (mgrName == null) { > - throw new EAuthzUnknownRealm("Realm not found"); > - } > + String mgrName = getAuthzManagerNameByRealm(realm); > > AuthzToken authzToken = authorize(mgrName, authToken, resource, operation, realm); > if (authzToken == null) { 
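Review bot: the added `import com.netscape.certsrv.authorization.EAuthzUnknownRealm;` is redundant: IAuthzSubsystem.java lives in base/common/src/com/netscape/certsrv/authorization/, the same package as EAuthzUnknownRealm, so the class is already in scope and the import is pure noise (and a warning in IDEs that flag same-package imports). Drop it. The new interface method's Javadoc could also say that the returned string is an authz manager instance name as accepted by get(String) on the same interface, since that is how the caller in the following AuthzSubsystem hunk uses it.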
> @@ -506,12 +503,17 @@ public class AuthzSubsystem implements IAuthzSubsystem { > } > } > > - public String getAuthzManagerByRealm(String realm) throws EBaseException { > + public String getAuthzManagerNameByRealm(String realm) throws EAuthzUnknownRealm { > for (AuthzManagerProxy proxy : mAuthzMgrInsts.values()) { > IAuthzManager mgr = proxy.getAuthzManager(); > if (mgr != null) { > IConfigStore cfg = mgr.getConfigStore(); > - String mgrRealmString = cfg.getString(PROP_REALM, null); > + String mgrRealmString = null; > + try { > + mgrRealmString = cfg.getString(PROP_REALM, null); > + } catch (EBaseException e) { > + // never mind > + } > if (mgrRealmString == null) continue; > > List mgrRealms = Arrays.asList(mgrRealmString.split(",")); > @@ -521,7 +523,7 @@ public class AuthzSubsystem implements IAuthzSubsystem { > } > } > } > - return null; > + throw new EAuthzUnknownRealm("Realm not found"); > } > > } > -- > 2.7.4 > > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel From ftweedal at redhat.com Mon Dec 12 02:22:45 2016 
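Review bot: the new `catch (EBaseException e) { // never mind }` silently discards a failure to read the realm property from a manager's config store, after which the loop skips that manager; the visible effect for an operator is the final "Realm not found" throw with no hint that a manager was skipped, which turns a configuration error into an undiagnosable authorization failure. Log it before continuing, e.g. `CMS.debug("getAuthzManagerNameByRealm: cannot read realm of " + mgr.getName() + ": " + e);`. Separately, `mgrRealmString.split(",")` does not trim, so a configured value such as "ipa, other" will never match the realm "other"; trim each element when building mgrRealms.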
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Mon, 12 Dec 2016 12:22:45 +1000
Subject: [Pki-devel] [PATCH] 0144..0146 Move IRequest extdata-related constants
In-Reply-To: <20161207043922.GJ28337@dhcp-40-8.bne.redhat.com>
References: <20161207043922.GJ28337@dhcp-40-8.bne.redhat.com>
Message-ID: <20161212022245.GI4232@dhcp-40-8.bne.redhat.com>

Acked by alee:
- https://github.com/frasertweedale/pki/commit/9826013dfcab72481f3ad6462e1d2c4692367a02
- https://github.com/frasertweedale/pki/commit/59071b422637e6e99dd956eed12c5c26e19c3ffc
- https://github.com/frasertweedale/pki/commit/7f1f4a2504280a5b8504b4db5df40eac122c280f

Pushed to master:
- 9c23b02b00b13a834b636e9266ee1ae80506f228 Define "req_authority_id" IRequest extdata key in IRequest
- a1b56be53d37561c6e80c2aa7daf1e7ab07518c5 Define "profileId" IRequest extdata key in one place
- d699d27c7d7a59cf613380ec2214333ecc96ec23 Define "auth_token" IRequest extdata key prefix in one place

Thanks,
Fraser

On Wed, Dec 07, 2016 at 02:39:22PM +1000, Fraser Tweedale wrote:
> The attached patches relocate / redefine some constants that are
> used as keys when setting or getting IRequest extdata attributes.
>
> In some cases this removes duplicate constants or string literals.
> In other cases it actually defines a new constant.
> In all cases the key now uses a constant defined in IRequest, which
> is the appropriate place.
>
> This is refactoring work undertaken as part of GSSAPI support.
>
> Thanks,
> Fraser
> From 31d9026f2be5204dd4742ce00542bc80b614d9b9 Mon Sep 17 00:00:00 2001
> From: Fraser Tweedale > Date: Wed, 7 Dec 2016 12:25:01 +1000 > Subject: [PATCH 144/146] Define "auth_token" IRequest extdata key prefix in > one place > > Part of: https://fedorahosted.org/pki/ticket/1359 > --- > base/common/src/com/netscape/certsrv/request/IRequest.java | 4 ++++ > .../cms/src/com/netscape/cms/servlet/cert/CertProcessor.java | 9 +++++++-- > .../src/com/netscape/cms/servlet/processors/CAProcessor.java | 1 - > .../cms/servlet/profile/ProfileSubmitCMCServlet.java | 12 +++++++----- > 4 files changed, 18 insertions(+), 8 deletions(-) > > diff --git a/base/common/src/com/netscape/certsrv/request/IRequest.java b/base/common/src/com/netscape/certsrv/request/IRequest.java > index c892dbb1dc5d75d4b44e4e26b584f94717b2457c..f17f560de75e54cb7650ee06d870f3d1491e52ac 100644 > --- a/base/common/src/com/netscape/certsrv/request/IRequest.java > +++ b/base/common/src/com/netscape/certsrv/request/IRequest.java > @@ -85,6 +85,10 @@ public interface IRequest extends Serializable { > // server attributes: attributes generated by server modules. > public static final String SERVER_ATTRS = "SERVER_ATTRS"; > > + // Sometimes individual IAuthToken fields get set in request > + // extdata, with key ("auth_token." + field_name). > + public static final String AUTH_TOKEN_PREFIX = "auth_token"; > + > public static final String RESULT = "Result"; // service result. > public static final Integer RES_SUCCESS = Integer.valueOf(1); // result value > public static final Integer RES_ERROR = Integer.valueOf(2); // result value > diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java > index 17b453ab5d82bd7c18612263f01e297a4e9df3da..cb5efa0b0e14274e0c4a9393522ab18071f60fd8 100644 > --- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java > +++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java 
> @@ -310,12 +310,17 @@ public class CertProcessor extends CAProcessor { > String[] tokenVals = authToken.getInStringArray(tokenName); > if (tokenVals != null) { > for (int i = 0; i < tokenVals.length; i++) { > - req.setExtData(ARG_AUTH_TOKEN + "." + tokenName + "[" + i + "]", tokenVals[i]); > + req.setExtData( > + IRequest.AUTH_TOKEN_PREFIX > + + "." + tokenName + "[" + i + "]" > + , tokenVals[i]); > } > } else { > String tokenVal = authToken.getInString(tokenName); > if (tokenVal != null) { > - req.setExtData(ARG_AUTH_TOKEN + "." + tokenName, tokenVal); > + req.setExtData( > + IRequest.AUTH_TOKEN_PREFIX + "." + tokenName, > + tokenVal); > // if RA agent, auto assign the request > if (tokenName.equals("uid")) > uid = tokenVal; > diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java > index bb3cfa84a423fe452ef55fb20e23c03911831690..ae91f649541db5ce77679844ad7a4fec680e99e9 100644 > --- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java > +++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java > @@ -72,7 +72,6 @@ import netscape.security.x509.X509CertImpl; > > public class CAProcessor extends Processor { > > - public final static String ARG_AUTH_TOKEN = "auth_token"; > public final static String ARG_REQUEST_OWNER = "requestOwner"; > public final static String HDR_LANG = "accept-language"; > public final static String ARG_PROFILE = "profile"; > diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java > index f3adc5e85e58e3fb2dbf47984cfeca6797cd569b..6191031905626cc7acb6ccbdc41ff84942baf86f 100644 > --- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java > +++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java 
> @@ -76,7 +76,6 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { > * > */ > private static final long serialVersionUID = -8017841111435988197L; > - private static final String ARG_AUTH_TOKEN = "auth_token"; > private static final String PROP_PROFILE_ID = "profileId"; > > private String mProfileId = null; > @@ -545,14 +544,17 @@ public class ProfileSubmitCMCServlet extends ProfileServlet { > String[] vals = authToken.getInStringArray(tokenName); > if (vals != null) { > for (int i = 0; i < vals.length; i++) { > - reqs[k].setExtData(ARG_AUTH_TOKEN + "." + > - tokenName + "[" + i + "]", vals[i]); > + reqs[k].setExtData( > + IRequest.AUTH_TOKEN_PREFIX > + + "." + tokenName + "[" + i + "]", > + vals[i]); > } > } else { > String val = authToken.getInString(tokenName); > if (val != null) { > - reqs[k].setExtData(ARG_AUTH_TOKEN + "." + tokenName, > - val); > + reqs[k].setExtData( > + IRequest.AUTH_TOKEN_PREFIX + "." + tokenName, > + val); > } > } > } > -- > 2.7.4 > > From eb0c0fdf115639a5cf3ed9beb1ab2df0553e1627 Mon Sep 17 00:00:00 2001 
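Review bot: in the CertProcessor hunk (@@ -310) of patch 144 the continuation line `, tokenVals[i]);` puts the argument separator at the start of the line, while the equivalent call in the ProfileSubmitCMCServlet hunk of the same patch keeps it trailing (`+ "." + tokenName + "[" + i + "]",`); use the trailing-comma form in both places so the two call sites read the same.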
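Review bot: the CAProcessor hunk (@@ -72) of patch 144 removes the public constant ARG_AUTH_TOKEN outright rather than deprecating it, so any subclass outside this tree that references CAProcessor.ARG_AUTH_TOKEN stops compiling. If that is acceptable, say so in the commit message; otherwise keep `@Deprecated public final static String ARG_AUTH_TOKEN = IRequest.AUTH_TOKEN_PREFIX;` for one release.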
> From: Fraser Tweedale > Date: Wed, 7 Dec 2016 13:40:04 +1000 > Subject: [PATCH 145/146] Define "profileId" IRequest extdata key in one place > > Part of: https://fedorahosted.org/pki/ticket/1359 > --- > base/ca/src/com/netscape/ca/CAService.java | 4 ++-- > base/ca/src/org/dogtagpki/legacy/ca/CAPolicy.java | 4 ++-- > base/common/src/com/netscape/certsrv/request/IRequest.java | 2 ++ > base/kra/src/com/netscape/kra/EnrollmentService.java | 6 +++--- > .../src/com/netscape/cms/listeners/CertificateIssuedListener.java | 2 +- > .../cms/src/com/netscape/cms/listeners/RequestInQListener.java | 2 +- > .../server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java | 2 +- > .../cms/src/com/netscape/cms/servlet/cert/CertRequestDAO.java | 2 +- > .../cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java | 2 +- > .../cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java | 4 ++-- > .../cms/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java | 4 ++-- > .../src/com/netscape/cms/servlet/connector/ConnectorServlet.java | 4 ++-- > .../cms/src/com/netscape/cms/servlet/processors/CAProcessor.java | 1 - > .../src/com/netscape/cms/servlet/profile/ProfileProcessServlet.java | 2 +- > .../src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java | 2 +- > .../cms/src/com/netscape/cms/servlet/request/CheckRequest.java | 2 +- > .../cmscore/src/com/netscape/cmscore/connector/RequestTransfer.java | 2 +- > .../cmscore/src/com/netscape/cmscore/ldap/LdapRequestListener.java | 2 +- > .../org/dogtagpki/legacy/core/policy/GenericPolicyProcessor.java | 2 +- > 19 files changed, 26 insertions(+), 25 deletions(-) > > diff --git a/base/ca/src/com/netscape/ca/CAService.java b/base/ca/src/com/netscape/ca/CAService.java > index 9bf237ffd7060c1955b8e163a0c94c62db6739b1..31df1537e337e669a5221c938b7454c72337d254 100644 > --- a/base/ca/src/com/netscape/ca/CAService.java > +++ b/base/ca/src/com/netscape/ca/CAService.java 
> @@ -308,7 +308,7 @@ public class CAService implements ICAService, IService { > } > > public boolean isProfileRequest(IRequest request) { > - String profileId = request.getExtDataInString("profileId"); > + String profileId = request.getExtDataInString(IRequest.PROFILE_ID); > > if (profileId == null || profileId.equals("")) > return false; > @@ -325,7 +325,7 @@ public class CAService implements ICAService, IService { > CMS.debug("CAService: serviceProfileRequest requestId=" + > request.getRequestId().toString()); > > - String profileId = request.getExtDataInString("profileId"); > + String profileId = request.getExtDataInString(IRequest.PROFILE_ID); > > if (profileId == null || profileId.equals("")) { > throw new EBaseException("profileId not found"); > diff --git a/base/ca/src/org/dogtagpki/legacy/ca/CAPolicy.java b/base/ca/src/org/dogtagpki/legacy/ca/CAPolicy.java > index 75c2945882c7ce9c2fceb7228d848a7432ace7ae..878955e6e2b7b93714fb7906efe3c8658b0646d2 100644 > --- a/base/ca/src/org/dogtagpki/legacy/ca/CAPolicy.java > +++ b/base/ca/src/org/dogtagpki/legacy/ca/CAPolicy.java > @@ -82,7 +82,7 @@ public class CAPolicy implements IPolicy { > } > > public boolean isProfileRequest(IRequest request) { > - String profileId = request.getExtDataInString("profileId"); > + String profileId = request.getExtDataInString(IRequest.PROFILE_ID); > > if (profileId == null || profileId.equals("")) > return false; > @@ -110,7 +110,7 @@ public class CAPolicy implements IPolicy { > CMS.debug("CAPolicy: requestId=" + > r.getRequestId().toString()); > > - String profileId = r.getExtDataInString("profileId"); > + String profileId = r.getExtDataInString(IRequest.PROFILE_ID); > > if (profileId == null || profileId.equals("")) { > return PolicyResult.REJECTED; > diff --git a/base/common/src/com/netscape/certsrv/request/IRequest.java b/base/common/src/com/netscape/certsrv/request/IRequest.java > index f17f560de75e54cb7650ee06d870f3d1491e52ac..b83d5309e0b2aaf271cf4fba3c1ee7d13b347a58 100644 
> --- a/base/common/src/com/netscape/certsrv/request/IRequest.java > +++ b/base/common/src/com/netscape/certsrv/request/IRequest.java > @@ -89,6 +89,8 @@ public interface IRequest extends Serializable { > // extdata, with key ("auth_token." + field_name). > public static final String AUTH_TOKEN_PREFIX = "auth_token"; > > + public static final String PROFILE_ID = "profileId"; > + > public static final String RESULT = "Result"; // service result. > public static final Integer RES_SUCCESS = Integer.valueOf(1); // result value > public static final Integer RES_ERROR = Integer.valueOf(2); // result value > diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java > index 398d1780275f9106271f3c83e958d7e618febaf8..f901b5767d61e143c47ab23fad0595cff46d6421 100644 > --- a/base/kra/src/com/netscape/kra/EnrollmentService.java > +++ b/base/kra/src/com/netscape/kra/EnrollmentService.java > @@ -195,7 +195,7 @@ public class EnrollmentService implements IService { > byte tmp_unwrapped[] = null; > PKIArchiveOptionsContainer aOpts[] = null; > > - String profileId = request.getExtDataInString("profileId"); > + String profileId = request.getExtDataInString(IRequest.PROFILE_ID); > > if (profileId == null || profileId.equals("")) { > try { > @@ -759,7 +759,7 @@ public class EnrollmentService implements IService { > * @exception EBaseException failed to retrieve public key > */ > private X509Key getPublicKey(IRequest request, int i) throws EBaseException { > - String profileId = request.getExtDataInString("profileId"); > + String profileId = request.getExtDataInString(IRequest.PROFILE_ID); > > if (profileId != null && !profileId.equals("")) { > byte[] certKeyData = request.getExtDataInByteArray(IEnrollProfile.REQUEST_KEY); 
> @@ -822,7 +822,7 @@ public class EnrollmentService implements IService { > private String getOwnerName(IRequest request, int i) > throws EBaseException { > > - String profileId = request.getExtDataInString("profileId"); > + String profileId = request.getExtDataInString(IRequest.PROFILE_ID); > > if (profileId != null && !profileId.equals("")) { > CertificateSubjectName sub = request.getExtDataInCertSubjectName( > diff --git a/base/server/cms/src/com/netscape/cms/listeners/CertificateIssuedListener.java b/base/server/cms/src/com/netscape/cms/listeners/CertificateIssuedListener.java > index 44ff46a9be2721ab01eda8b376de74302f4cb937..6d119e1336be1379ef79e63089aefbf172760f53 100644 > --- a/base/server/cms/src/com/netscape/cms/listeners/CertificateIssuedListener.java > +++ b/base/server/cms/src/com/netscape/cms/listeners/CertificateIssuedListener.java > @@ -180,7 +180,7 @@ public class CertificateIssuedListener implements IRequestListener { > CMS.debug("CertificateIssuedListener: accept check status "); > > // check if it is profile request > - String profileId = r.getExtDataInString("profileId"); > + String profileId = r.getExtDataInString(IRequest.PROFILE_ID); > > // check if request failed. > if (profileId == null) { > diff --git a/base/server/cms/src/com/netscape/cms/listeners/RequestInQListener.java b/base/server/cms/src/com/netscape/cms/listeners/RequestInQListener.java > index f1f396ca3343977fb9f2334d525d82ecf85a14b5..3c2c15123cae0cab674b3803b40d8fdfa0eafe0c 100644 > --- a/base/server/cms/src/com/netscape/cms/listeners/RequestInQListener.java > +++ b/base/server/cms/src/com/netscape/cms/listeners/RequestInQListener.java 
> @@ -198,7 +198,7 @@ public class RequestInQListener implements IRequestListener { > mConfig.getName()); > Object val = null; > > - String profileId = r.getExtDataInString("profileId"); > + String profileId = r.getExtDataInString(IRequest.PROFILE_ID); > > if (profileId == null) { > val = r.getExtDataInString(IRequest.HTTP_PARAMS, "csrRequestorEmail"); > diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java > index cb5efa0b0e14274e0c4a9393522ab18071f60fd8..026f4d4af5c2316ae8a93b2ecc62bc398d3b8b71 100644 > --- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java > +++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java > @@ -339,7 +339,7 @@ public class CertProcessor extends CAProcessor { > > // put profile framework parameters into the request > req.setExtData(ARG_PROFILE, "true"); > - req.setExtData(ARG_PROFILE_ID, profileId); > + req.setExtData(IRequest.PROFILE_ID, profileId); > if (isRenewal) > req.setExtData(ARG_RENEWAL_PROFILE_ID, data.getProfileId()); > req.setExtData(ARG_PROFILE_APPROVED_BY, profile.getApprovedBy()); > diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestDAO.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestDAO.java > index 306fbf570103daf09401faa0b615ae11f6b18953..93df6fb37949a9b40de9f427b1c3e7cf6fb5ef05 100644 > --- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestDAO.java > +++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertRequestDAO.java > @@ -140,7 +140,7 @@ public class CertRequestDAO extends CMSRequestDAO { > if (request == null) { > return null; > } > - String profileId = request.getExtDataInString("profileId"); > + String profileId = request.getExtDataInString(IRequest.PROFILE_ID); > IProfile profile = ps.getProfile(profileId); > CertReviewResponse info = CertReviewResponseFactory.create(request, profile, uriInfo, locale); 
> > diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java > index 206d23a5d7898af2e7e93f98080dfa8b009d07ef..01ffc8be43a90c428fa61e97a70cfe3d87b8710f 100644 > --- a/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java > +++ b/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java > @@ -213,7 +213,7 @@ public class RenewalProcessor extends CertProcessor { > throw new EBaseException(CMS.getUserMessage(locale, "CMS_INTERNAL_ERROR")); > } > > - String profileId = origReq.getExtDataInString("profileId"); > + String profileId = origReq.getExtDataInString(IRequest.PROFILE_ID); > CMS.debug("RenewalSubmitter: renewal original profileId=" + profileId); > > String aidString = origReq.getExtDataInString( > diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java > index b92ffb1d7527178e38eeaa4e35b83940167e9f4d..7f0c89ce5fad8c334dd204188c3e9ce103c207bd 100644 > --- a/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java > +++ b/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java > @@ -71,7 +71,7 @@ public class RequestProcessor extends CertProcessor { > HttpServletRequest req = cmsReq.getHttpReq(); > IRequest ireq = cmsReq.getIRequest(); > > - String profileId = ireq.getExtDataInString("profileId"); > + String profileId = ireq.getExtDataInString(IRequest.PROFILE_ID); > IProfile profile = ps.getProfile(profileId); > CertReviewResponse data = CertReviewResponseFactory.create( > cmsReq, profile, authority.noncesEnabled(), locale); 
> @@ -134,7 +134,7 @@ public class RequestProcessor extends CertProcessor { > // save auth token in request > saveAuthToken(authToken, req); > > - String profileId = req.getExtDataInString("profileId"); > + String profileId = req.getExtDataInString(IRequest.PROFILE_ID); > if (profileId == null || profileId.equals("")) { > CMS.debug("RequestProcessor: Profile Id not found in request"); > throw new EBaseException(CMS.getUserMessage(locale, "CMS_PROFILE_ID_NOT_FOUND")); > diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java b/base/server/cms/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java > index 744f9347265fb89491e2673151ab9aac9ab8a271..fa36dea2657238949cd1b716d43676eb5244fb31 100644 > --- a/base/server/cms/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java > +++ b/base/server/cms/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java > @@ -1622,7 +1622,7 @@ public class CRSEnrollment extends HttpServlet { > // set transaction id > reqs[0].setSourceId(req.getTransactionID()); > reqs[0].setExtData("profile", "true"); > - reqs[0].setExtData("profileId", mProfileId); > + reqs[0].setExtData(IRequest.PROFILE_ID, mProfileId); > reqs[0].setExtData(IEnrollProfile.CTX_CERT_REQUEST_TYPE, IEnrollProfile.REQ_TYPE_PKCS10); > reqs[0].setExtData(IEnrollProfile.CTX_CERT_REQUEST, pkcs10blob); > reqs[0].setExtData("requestor_name", ""); > @@ -1734,7 +1734,7 @@ public class CRSEnrollment extends HttpServlet { > > RequestStatus status = pkiReq.getRequestStatus(); > > - String profileId = pkiReq.getExtDataInString("profileId"); > + String profileId = pkiReq.getExtDataInString(IRequest.PROFILE_ID); > if (profileId != null) { > CMS.debug("CRSEnrollment: Found profile request"); > X509CertImpl cert = 
> diff --git a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java > index 582223ecb2c49344d3b03bfb9b7d61f4d12233a9..e6dfbc43ee29a4365ba5c197fb8e6ce575294136 100644 > --- a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java > +++ b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java > @@ -307,7 +307,7 @@ public class ConnectorServlet extends CMSServlet { > } > > public static boolean isProfileRequest(IRequest request) { > - String profileId = request.getExtDataInString("profileId"); > + String profileId = request.getExtDataInString(IRequest.PROFILE_ID); > > if (profileId == null || profileId.equals("")) > return false; > @@ -369,7 +369,7 @@ public class ConnectorServlet extends CMSServlet { > e.toString()); > } > > - String profileId = request.getExtDataInString("profileId"); > + String profileId = request.getExtDataInString(IRequest.PROFILE_ID); > IProfileSubsystem ps = (IProfileSubsystem) > CMS.getSubsystem("profile"); > IEnrollProfile profile = null; > diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java > index ae91f649541db5ce77679844ad7a4fec680e99e9..62b9a7c4b0437c011700d8d35b917e9a48e06af9 100644 > --- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java > +++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java 
> @@ -76,7 +76,6 @@ public class CAProcessor extends Processor { > public final static String HDR_LANG = "accept-language"; > public final static String ARG_PROFILE = "profile"; > public final static String ARG_REQUEST_NOTES = "requestNotes"; > - public final static String ARG_PROFILE_ID = "profileId"; > public final static String ARG_RENEWAL_PROFILE_ID = "rprofileId"; > public final static String ARG_PROFILE_IS_ENABLED = "profileIsEnable"; > public final static String ARG_PROFILE_IS_VISIBLE = "profileIsVisible"; > diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileProcessServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileProcessServlet.java > index 33de8ff909992d859d54b92d917bd4fd55408a09..00fcbb30cd022fc30f8057fcc976746a5e45ec70 100644 > --- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileProcessServlet.java > +++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileProcessServlet.java > @@ -94,7 +94,7 @@ public class ProfileProcessServlet extends ProfileServlet { > return; > } > > - String profileId = req.getExtDataInString("profileId"); > + String profileId = req.getExtDataInString(IRequest.PROFILE_ID); > if (profileId == null || profileId.equals("")) { > CMS.debug("ProfileProcessServlet: Profile Id not found"); > setError(args, CMS.getUserMessage(locale, "CMS_PROFILE_ID_NOT_FOUND",CMSTemplate.escapeJavaScriptStringHTML(profileId)), request, response); > diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java > index dc6560d066be6fb677ff47344d6aee79295da48a..fe3c139169c5801f84a8f4d4221ea32012918db3 100644 > --- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java > +++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileReviewServlet.java 
> @@ -206,7 +206,7 @@ public class ProfileReviewServlet extends ProfileServlet { > return; > } > > - String profileId = req.getExtDataInString("profileId"); > + String profileId = req.getExtDataInString(IRequest.PROFILE_ID); > > CMS.debug("ProfileReviewServlet: requestId=" + > requestId + " profileId=" + profileId); > diff --git a/base/server/cms/src/com/netscape/cms/servlet/request/CheckRequest.java b/base/server/cms/src/com/netscape/cms/servlet/request/CheckRequest.java > index cba79c338a027abf114ad1bd3fdf19e8ec5a9e4b..76700fe5f50d73063a404fa60f6b0d8f3f0f8d6e 100644 > --- a/base/server/cms/src/com/netscape/cms/servlet/request/CheckRequest.java > +++ b/base/server/cms/src/com/netscape/cms/servlet/request/CheckRequest.java > @@ -335,7 +335,7 @@ public class CheckRequest extends CMSServlet { > argSet.addRepeatRecord(rarg); > } > */ > - String profileId = r.getExtDataInString("profileId"); > + String profileId = r.getExtDataInString(IRequest.PROFILE_ID); > if (profileId != null) { > result = IRequest.RES_SUCCESS; > } > diff --git a/base/server/cmscore/src/com/netscape/cmscore/connector/RequestTransfer.java b/base/server/cmscore/src/com/netscape/cmscore/connector/RequestTransfer.java > index 6000aeb3e8449414679537b4fc487b43ad28940e..9f77920137fef6a3c14a9432b7362ba51ca3f7d4 100644 > --- a/base/server/cmscore/src/com/netscape/cmscore/connector/RequestTransfer.java > +++ b/base/server/cmscore/src/com/netscape/cmscore/connector/RequestTransfer.java > @@ -55,7 +55,7 @@ public class RequestTransfer { > }; > > public static boolean isProfileRequest(IRequest request) { > - String profileId = request.getExtDataInString("profileId"); > + String profileId = request.getExtDataInString(IRequest.PROFILE_ID); > > if (profileId == null || profileId.equals("")) > return false; 
> diff --git a/base/server/cmscore/src/com/netscape/cmscore/ldap/LdapRequestListener.java b/base/server/cmscore/src/com/netscape/cmscore/ldap/LdapRequestListener.java > index 3d4f75466dcb57d6a877401ff02724647874a07b..812381c22cc8ab95499722b72e2b83ef344b7c8c 100644 > --- a/base/server/cmscore/src/com/netscape/cmscore/ldap/LdapRequestListener.java > +++ b/base/server/cmscore/src/com/netscape/cmscore/ldap/LdapRequestListener.java > @@ -181,7 +181,7 @@ class LdapEnrollmentListener implements IRequestListener { > "LdapRequestListener handling publishing for enrollment request id " + > r.getRequestId()); > > - String profileId = r.getExtDataInString("profileId"); > + String profileId = r.getExtDataInString(IRequest.PROFILE_ID); > > if (profileId == null) { > // in case it's not meant for us > diff --git a/base/server/cmscore/src/org/dogtagpki/legacy/core/policy/GenericPolicyProcessor.java b/base/server/cmscore/src/org/dogtagpki/legacy/core/policy/GenericPolicyProcessor.java > index 44506e6ff5be5b869805c771da394d56f150a929..38cb9cdf53dfed4acffa7296a9af4870070e56db 100644 > --- a/base/server/cmscore/src/org/dogtagpki/legacy/core/policy/GenericPolicyProcessor.java > +++ b/base/server/cmscore/src/org/dogtagpki/legacy/core/policy/GenericPolicyProcessor.java > @@ -360,7 +360,7 @@ public class GenericPolicyProcessor implements IPolicyProcessor { > } > > public boolean isProfileRequest(IRequest request) { > - String profileId = request.getExtDataInString("profileId"); > + String profileId = request.getExtDataInString(IRequest.PROFILE_ID); > > if (profileId == null || profileId.equals("")) > return false; > -- > 2.7.4 > > From e417e593facf6ebe819627599df4bd3351a8ced1 Mon Sep 17 00:00:00 2001 
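Review bot: the IRequest hunk (@@ -89) of patch 145 adds PROFILE_ID with no comment, whereas the neighbouring AUTH_TOKEN_PREFIX carries one explaining what the key holds. Add a one-line comment, for example that a non-empty value marks a profile-framework request, which is exactly how the isProfileRequest methods in CAService, CAPolicy, ConnectorServlet and RequestTransfer interpret it in this patch.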
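Review bot: the CRSEnrollment hunk (@@ -1622) of patch 145 replaces the "profileId" literal but leaves `reqs[0].setExtData("profile", "true");` on the line directly above as a bare literal, while the CertProcessor hunk sets the same key through ARG_PROFILE. Since the point of this series is to define extdata keys in one place, move "profile" into IRequest as well and use it from both sites.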
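Review bot: in the ProfileProcessServlet hunk (@@ -94) of patch 145, the context line after the change calls `CMSTemplate.escapeJavaScriptStringHTML(profileId)` inside the branch that runs only when profileId is null or empty, so the error message is built from a null value. Pre-existing and out of scope for a constant move, but worth a follow-up ticket.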
> From: Fraser Tweedale > Date: Wed, 7 Dec 2016 14:22:30 +1000 > Subject: [PATCH 146/146] Define "req_authority_id" IRequest extdata key in > IRequest > > Part of: https://fedorahosted.org/pki/ticket/1359 > --- > base/common/src/com/netscape/certsrv/request/IRequest.java | 5 +++++ > .../cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java | 2 +- > .../cms/src/com/netscape/cms/profile/common/EnrollProfile.java | 2 +- > .../netscape/cms/profile/def/AuthorityKeyIdentifierExtDefault.java | 3 +-- > .../cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java | 2 +- > .../cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java | 2 +- > 6 files changed, 10 insertions(+), 6 deletions(-) > > diff --git a/base/common/src/com/netscape/certsrv/request/IRequest.java b/base/common/src/com/netscape/certsrv/request/IRequest.java > index b83d5309e0b2aaf271cf4fba3c1ee7d13b347a58..29b1bbb879220a485388cb38af8a8c5508578752 100644 > --- a/base/common/src/com/netscape/certsrv/request/IRequest.java > +++ b/base/common/src/com/netscape/certsrv/request/IRequest.java > @@ -91,6 +91,11 @@ public interface IRequest extends Serializable { > > public static final String PROFILE_ID = "profileId"; > > + /** > + * ID of requested certificate authority (absense implies host authority) > + */ > + public static final String AUTHORITY_ID = "req_authority_id"; > + > public static final String RESULT = "Result"; // service result. > public static final Integer RES_SUCCESS = Integer.valueOf(1); // result value > public static final Integer RES_ERROR = Integer.valueOf(2); // result value > diff --git a/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java > index 53edca3a93c28a4fdd6c476bbdd2dc3d83869505..8c14e91767f6cc765413821da71b2c26d86f77d3 100644 > --- a/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java 
> +++ b/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java > @@ -192,7 +192,7 @@ public class CAEnrollProfile extends EnrollProfile { > sc.put("profileSetId", setId); > } > AuthorityID aid = null; > - String aidString = request.getExtDataInString(REQUEST_AUTHORITY_ID); > + String aidString = request.getExtDataInString(IRequest.AUTHORITY_ID); > if (aidString != null) > aid = new AuthorityID(aidString); > try { > diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java > index e828b82f203edfc6e6fb8797c5909c7cdd6a32d9..fbb98262929f1c5e12ab54a7514c15297364e971 100644 > --- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java > +++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java > @@ -192,7 +192,7 @@ public abstract class EnrollProfile extends BasicProfile > } > > // set requested CA > - result[i].setExtData(REQUEST_AUTHORITY_ID, ctx.get(REQUEST_AUTHORITY_ID)); > + result[i].setExtData(IRequest.AUTHORITY_ID, ctx.get(REQUEST_AUTHORITY_ID)); > } > return result; > } > diff --git a/base/server/cms/src/com/netscape/cms/profile/def/AuthorityKeyIdentifierExtDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/AuthorityKeyIdentifierExtDefault.java > index 9aaa29d7a417739c62c9c46968933253dbcddd89..42931de2644e602089fc40d331f73964ad35390f 100644 > --- a/base/server/cms/src/com/netscape/cms/profile/def/AuthorityKeyIdentifierExtDefault.java > +++ b/base/server/cms/src/com/netscape/cms/profile/def/AuthorityKeyIdentifierExtDefault.java 
> @@ -26,7 +26,6 @@ import com.netscape.certsrv.base.IConfigStore; > import com.netscape.certsrv.ca.AuthorityID; > import com.netscape.certsrv.ca.ICertificateAuthority; > import com.netscape.certsrv.profile.EProfileException; > -import com.netscape.certsrv.profile.IEnrollProfile; > import com.netscape.certsrv.profile.IProfile; > import com.netscape.certsrv.property.Descriptor; > import com.netscape.certsrv.property.EPropertyException; > @@ -172,7 +171,7 @@ public class AuthorityKeyIdentifierExtDefault extends CAEnrollDefault { > ICertificateAuthority ca = (ICertificateAuthority) > CMS.getSubsystem(CMS.SUBSYSTEM_CA); > String aidString = request.getExtDataInString( > - IEnrollProfile.REQUEST_AUTHORITY_ID); > + IRequest.AUTHORITY_ID); > if (aidString != null) > ca = ca.getCA(new AuthorityID(aidString)); > if (ca == null) > diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java > index 01ffc8be43a90c428fa61e97a70cfe3d87b8710f..1c9f0d6acad00025884a33a22461c7d61b4a5676 100644 > --- a/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java > +++ b/base/server/cms/src/com/netscape/cms/servlet/cert/RenewalProcessor.java > @@ -217,7 +217,7 @@ public class RenewalProcessor extends CertProcessor { > CMS.debug("RenewalSubmitter: renewal original profileId=" + profileId); > > String aidString = origReq.getExtDataInString( > - IEnrollProfile.REQUEST_AUTHORITY_ID); > + IRequest.AUTHORITY_ID); > > Integer origSeqNum = origReq.getExtDataInInteger(IEnrollProfile.REQUEST_SEQ_NUM); > IProfile profile = ps.getProfile(profileId); > diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java > index 7f0c89ce5fad8c334dd204188c3e9ce103c207bd..436e7a99a78e7bf4a46f626f628652f5d3d1301c 100644 > --- a/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java 
> +++ b/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java > @@ -378,7 +378,7 @@ public class RequestProcessor extends CertProcessor { > String auditRequesterID = auditRequesterID(req); > > // ensure target CA is enabled > - String aidString = req.getExtDataInString(IEnrollProfile.REQUEST_AUTHORITY_ID); > + String aidString = req.getExtDataInString(IRequest.AUTHORITY_ID); > if (aidString != null) > ensureCAEnabled(aidString); > > -- > 2.7.4 > > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel From ftweedal at redhat.com Mon Dec 12 04:32:26 2016 From: ftweedal at redhat.com (Fraser Tweedale) Date: Mon, 12 Dec 2016 14:32:26 +1000 Subject: [Pki-devel] [PATCH] 0148 Remove principal type assumption from AuthorityService Message-ID: <20161212043226.GJ4232@dhcp-40-8.bne.redhat.com> Reviewed by alee: https://github.com/frasertweedale/pki/commit/967727ea3104accbf1bd1e05fc676bfef0d9ba6d Pushed to master (1d706a075f32d7c30a6259be675b8f34ef2a9c99). Thanks, Fraser -------------- next part -------------- From 1d706a075f32d7c30a6259be675b8f34ef2a9c99 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Wed, 30 Nov 2016 10:06:15 +1000 Subject: [PATCH] Remove principal type assumption from AuthorityService Part of: https://fedorahosted.org/pki/ticket/1359 --- .../src/org/dogtagpki/server/ca/rest/AuthorityService.java | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java index 584ab6e59638beada6c89a1882a176b4743a861d..18542d3794f2f1ba3975c634ee726f6d94ebba5b 100644 --- a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java +++ b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java 
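Review bot: the javadoc added in the IRequest hunk (@@ -91) of patch 146 misspells "absence" as "absense"; fix it before push, since this comment lands in the public interface.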
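Review bot: the EnrollProfile hunk (@@ -192) of patch 146 now reads `result[i].setExtData(IRequest.AUTHORITY_ID, ctx.get(REQUEST_AUTHORITY_ID));`, using the new IRequest constant as the extdata key but the profile's own REQUEST_AUTHORITY_ID as the context key. If the two are intended to remain separate namespaces, say so in the `// set requested CA` comment above the line; otherwise a later cleanup will "fix" one side to match the other and silently break the lookup.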
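Review bot: the AuthorityKeyIdentifierExtDefault hunks of patch 146 remove the IEnrollProfile import (@@ -26) and switch the lookup to IRequest.AUTHORITY_ID (@@ -172), but no hunk adds an import for IRequest; this compiles only if that file already imports IRequest, which the diff does not show. Please confirm with a build of that module.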
@@ -36,6 +36,7 @@ import javax.ws.rs.core.Response; import javax.ws.rs.core.UriInfo; import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authentication.IAuthToken; import com.netscape.certsrv.authority.AuthorityData; import com.netscape.certsrv.authority.AuthorityResource; import com.netscape.certsrv.base.BadRequestDataException; @@ -46,6 +47,7 @@ import com.netscape.certsrv.base.ForbiddenException; import com.netscape.certsrv.base.PKIException; import com.netscape.certsrv.base.ResourceNotFoundException; import com.netscape.certsrv.base.ServiceUnavailableException; +import com.netscape.certsrv.base.SessionContext; import com.netscape.certsrv.ca.AuthorityID; import com.netscape.certsrv.ca.CADisabledException; import com.netscape.certsrv.ca.CAEnabledException; @@ -59,7 +61,6 @@ import com.netscape.certsrv.ca.IssuerUnavailableException; import com.netscape.certsrv.common.OpDef; import com.netscape.certsrv.common.ScopeDef; import com.netscape.certsrv.logging.ILogger; -import com.netscape.cms.realm.PKIPrincipal; import com.netscape.cms.servlet.base.PKIService; import com.netscape.cmsutil.util.Utils; @@ -191,9 +192,6 @@ public class AuthorityService extends PKIService implements AuthorityResource { } } - PKIPrincipal principal = - (PKIPrincipal) servletRequest.getUserPrincipal(); - Map auditParams = new LinkedHashMap<>(); auditParams.put("dn", data.getDN()); if (parentAID != null) 
@@ -201,10 +199,12 @@ public class AuthorityService extends PKIService implements AuthorityResource { if (data.getDescription() != null) auditParams.put("description", data.getDescription()); + IAuthToken authToken = (IAuthToken) + SessionContext.getContext().get(SessionContext.AUTH_TOKEN); + try { ICertificateAuthority subCA = hostCA.createCA( - principal.getAuthToken(), - data.getDN(), parentAID, data.getDescription()); + authToken, data.getDN(), parentAID, data.getDescription()); audit(ILogger.SUCCESS, OpDef.OP_ADD, subCA.getAuthorityID().toString(), auditParams); return createOKResponse(readAuthorityData(subCA)); -- 2.7.4 From mharmsen at redhat.com Fri Dec 16 01:32:08 2016 
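Review bot: the `@@ -201,10 +199,12 @@` hunk passes `authToken` into `hostCA.createCA()` with no null check: `SessionContext.getContext().get(SessionContext.AUTH_TOKEN)` yields null when nothing populated the session context for this request, and the unchecked cast to `IAuthToken` can throw ClassCastException. The removed `principal.getAuthToken()` path would at least have failed before reaching createCA on a missing principal, so add an explicit guard ahead of the `try`, e.g. `if (authToken == null) throw new ForbiddenException("No auth token in session context");` (ForbiddenException is already imported per the `@@ -46,6 +47,7 @@` context), so that sub-CA creation can never be attempted with a null token.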
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Thu, 15 Dec 2016 18:32:08 -0700
Subject: [Pki-devel] Karma Requests for pki-core-10.3.5-9
Message-ID: <3077f1ef-58bc-e1f0-1ab1-05cc27cc259b@redhat.com>

The following updated candidate builds of pki-core 10.3.5 were generated:

* Fedora 24
  o pki-core-10.3.5-9.fc24
* Fedora 25
  o pki-core-10.3.5-9.fc25
* Fedora 26
  o pki-core-10.3.5-9.fc26

These builds address the following PKI tickets:

* PKI TRAC Ticket #1517 - user-cert-add --serial CLI request to secure port with remote CA shows authentication failure
* PKI TRAC Ticket #1897 - [MAN] Man page for logging configuration.
* PKI TRAC Ticket #1920 - [MAN] Man page for PKCS #12 utilities
* PKI TRAC Ticket #2226 - KRA installation: NullPointerException in ProxyRealm.findSecurityConstraints
* PKI TRAC Ticket #2289 - [MAN] pki ca-cert-request-submit fails presumably because of missing authentication even if it should not require any
* PKI TRAC Ticket #2523 - Changes to target.agent.approve.list parameter is not reflected in the TPS Web UI
* PKI TRAC Ticket #2534 - Automatic recovery of encryption cert - CA and TPS tokendb shows different certificate status
* PKI TRAC Ticket #2543 - Unable to install subordinate CA with HSM in FIPS mode
* PKI TRAC Ticket #2544 - TPS throws "err=6" when attempting to format and enroll G&D Cards
* PKI TRAC Ticket #2552 - pkispawn does not change default ecc key size from nistp256 when nistp384 is specified in spawn config

Please provide Karma for the following builds:

* Fedora 24
  o https://bodhi.fedoraproject.org/updates/FEDORA-2016-346c2e1366 pki-core-10.3.5-9.fc24
* Fedora 25
  o https://bodhi.fedoraproject.org/updates/FEDORA-2016-9100653751 pki-core-10.3.5-9.fc25

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From jmagne at redhat.com Sat Dec 17 00:28:52 2016
From: jmagne at redhat.com (John Magne)
Date: Fri, 16 Dec 2016 19:28:52 -0500 (EST)
Subject: [Pki-devel] [pki-devel][PATCH] 0086-Ticket-2569-Token-memory-not-wiped-after-key-deletio.patch
In-Reply-To: <656892253.8138597.1481934496539.JavaMail.zimbra@redhat.com>
Message-ID: <2095269352.8138640.1481934532217.JavaMail.zimbra@redhat.com>

Author: Jack Magne
Date: Fri Dec 16 16:25:48 2016 -0800

Ticket #2569: Token memory not wiped after key deletion

This is the dogtag upstream side of the TPS portion of this ticket. This fix also involves an applet fix, handled in another bug.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0086-Ticket-2569-Token-memory-not-wiped-after-key-deletio.patch
Type: text/x-patch
Size: 11185 bytes
Desc: not available
URL:

From edewata at redhat.com Sun Dec 18 12:04:19 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Sun, 18 Dec 2016 06:04:19 -0600
Subject: [Pki-devel] [PATCH] 881 Fixed pki-tools build order.
Message-ID: <352ddb0d-b782-1db8-b074-81b5bc8cc10a@redhat.com>

To help troubleshoot build issues the pki-tools build targets have been modified such that they run sequentially. This way error messages will be easier to find in the build log.

https://fedorahosted.org/pki/ticket/2463

Pushed to master under trivial rule.

--
Endi S. Dewata

From edewata at redhat.com Sun Dec 18 12:05:30 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Sun, 18 Dec 2016 06:05:30 -0600
Subject: [Pki-devel] [PATCH] 882 Removed redundant find_file() for Tomcat libraries.
Message-ID: <8536022a-c686-e970-25ba-4462e489daf4@redhat.com>

The CMake scripts have been modified to remove redundant invocations of find_file() to find Tomcat libraries.

https://fedorahosted.org/pki/ticket/2560

Pushed to master under trivial rule.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0882-Removed-redundant-find_file-for-Tomcat-libraries.patch
Type: text/x-patch
Size: 9952 bytes
Desc: not available
URL:

From edewata at redhat.com Sun Dec 18 12:38:30 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Sun, 18 Dec 2016 06:38:30 -0600
Subject: [Pki-devel] [PATCH] 883 Added support for building with generic Tomcat.
Message-ID: <6aa15fa7-820c-ea30-9f1e-16923907e32d@redhat.com>

Previously the build scripts would only work with specific Tomcat versions officially supported by the operating system. To support other Tomcat versions the build scripts have been modified such that they will use the Tomcat installation specified in the TOMCAT_HOME variable. The Tomcat-specific PKI source folder to use can now be specified in the PKI_TOMCAT_SRC variable.

https://fedorahosted.org/pki/ticket/2560

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0883-Added-support-for-building-with-generic-Tomcat.patch
Type: text/x-patch
Size: 7231 bytes
Desc: not available
URL:

From edewata at redhat.com Sun Dec 18 12:38:37 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Sun, 18 Dec 2016 06:38:37 -0600
Subject: [Pki-devel] [PATCH] 884 Added support for deploying with generic Tomcat.
Message-ID: <029fbaac-511b-1486-d334-ccf829666c40@redhat.com>

The start(), stop() and restart() methods in PKIInstance have been modified to provide a unified way to manage instances using different types of Tomcat installations:

* generic Tomcat
* standard Tomcat on Debian
* nuxwdog-enabled Tomcat on Fedora/RHEL
* standard Tomcat on Fedora/RHEL

The deployment tool has been modified to provide a parameter to specify the Tomcat home for the instance. It has also been modified to utilize the unified instance startup methods.

https://fedorahosted.org/pki/ticket/2560

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0884-Added-support-for-deploying-with-generic-Tomcat.patch
Type: text/x-patch
Size: 12702 bytes
Desc: not available
URL:

From edewata at redhat.com Sun Dec 18 12:38:47 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Sun, 18 Dec 2016 06:38:47 -0600
Subject: [Pki-devel] [PATCH] 885 Added startup CLI for generic Tomcat.
Message-ID: <195915bd-664a-8890-849d-e8d2b860bf16@redhat.com>

New pki-server commands have been added to provide a consistent way to start, stop, and restart PKI instances using different types of Tomcat installations.

https://fedorahosted.org/pki/ticket/2560

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0885-Added-startup-CLI-for-generic-Tomcat.patch
Type: text/x-patch
Size: 8145 bytes
Desc: not available
URL:

From edewata at redhat.com Wed Dec 21 02:31:19 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 20 Dec 2016 20:31:19 -0600
Subject: [Pki-devel] [PATCH] Refactored pki_copytree().
Message-ID:

The pki_copytree() has been moved from pkihelper.py into pki/util.py such that it can be reused in non-deployment scenarios.

Pushed to master under trivial rule.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0886-Refactored-pki_copytree.patch
Type: text/x-patch
Size: 8222 bytes
Desc: not available
URL:

From edewata at redhat.com Wed Dec 21 07:00:39 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 21 Dec 2016 01:00:39 -0600
Subject: [Pki-devel] [PATCH] 887 Refactored master & slots dictionaries creation.
Message-ID: <8be8c51b-69d0-fede-dc71-48867a079b05@redhat.com>

To improve reusability the deployment tools have been modified such that the master and slots dictionary objects are created in PKIDeployer at the beginning of the program. The PKIConfigParser has been modified to use the same dictionary objects.

Pushed to master under trivial rule.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0887-Refactored-master-slots-dictionaries-creation.patch
Type: text/x-patch
Size: 5919 bytes
Desc: not available
URL:

From edewata at redhat.com Wed Dec 21 07:26:25 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 21 Dec 2016 01:26:25 -0600
Subject: [Pki-devel] [PATCH] 888 Refactored user_config object in pkiconfig.py.
Message-ID:

To improve reusability the user_config object has been converted from a global variable in pkiconfig.py into an attribute in PKIDeployer.

Pushed to master under trivial rule.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0888-Refactored-user_config-object-in-pkiconfig.py.patch
Type: text/x-patch
Size: 5539 bytes
Desc: not available
URL:

From edewata at redhat.com Wed Dec 21 13:44:55 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 21 Dec 2016 07:44:55 -0600
Subject: [Pki-devel] [PATCH] 889 Refactored pki_config object in pkiparser.py.
Message-ID: <78de8d82-6286-895a-9656-1c4e2d4d5f6a@redhat.com>

To improve reusability the pki_config object has been moved from PKIConfigParser into PKIDeployer.

Pushed to master under trivial rule.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0889-Refactored-pki_config-object-in-pkiparser.py.patch
Type: text/x-patch
Size: 7374 bytes
Desc: not available
URL:

From edewata at redhat.com Wed Dec 21 13:45:00 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 21 Dec 2016 07:45:00 -0600
Subject: [Pki-devel] [PATCH] 890 Refactored pki_subsystem object in pkiconfig.py.
Message-ID:

To improve reusability the pki_subsystem object has been converted from a global variable in pkiconfig.py into an attribute in PKIDeployer.

Pushed to master under trivial rule.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0890-Refactored-pki_subsystem-object-in-pkiconfig.py.patch
Type: text/x-patch
Size: 25296 bytes
Desc: not available
URL:

From edewata at redhat.com Thu Dec 22 05:16:25 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 21 Dec 2016 23:16:25 -0600
Subject: [Pki-devel] [PATCH] 891 Refactored PKIDeployer.
Message-ID:

To improve reusability the PKIDeployer class has been moved from the pkihelper.py into the top level pki.server.deployment module.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0891-Refactored-PKIDeployer.patch
Type: text/x-patch
Size: 12811 bytes
Desc: not available
URL:

From edewata at redhat.com Thu Dec 22 05:16:32 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 21 Dec 2016 23:16:32 -0600
Subject: [Pki-devel] [PATCH] 892 Refactored PKIConfigParser.flatten_master_dict().
Message-ID: <08bd0743-dddc-5826-967b-48380c22f983@redhat.com>

To improve reusability the flatten_master_dict() has been moved from PKIConfigParser into PKIDeployer.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0892-Refactored-PKIConfigParser.flatten_master_dict.patch
Type: text/x-patch
Size: 4393 bytes
Desc: not available
URL:

From edewata at redhat.com Thu Dec 22 05:17:45 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 21 Dec 2016 23:17:45 -0600
Subject: [Pki-devel] [PATCH] 893 Refactored deployment timestamp variables.
Message-ID: <6d88d51e-4a81-8357-b276-c7e1e46eb16c@redhat.com>

To improve reusability the deployment timestamp variables have been converted from global variables in pkiconfig.py into attributes in PKIDeployer.

Pushed to master under trivial rule.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0893-Refactored-deployment-timestamp-variables.patch
Type: text/x-patch
Size: 6765 bytes
Desc: not available
URL:

From edewata at redhat.com Thu Dec 22 05:17:51 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 21 Dec 2016 23:17:51 -0600
Subject: [Pki-devel] [PATCH] 894 Refactored deployment system variables.
Message-ID: <55abe4bb-71d7-fd56-3bbd-52d8bc9d9247@redhat.com>

To improve reusability the deployment system variables have been converted from global variables in pkiconfig.py into attributes in PKIDeployer.

Pushed to master under trivial rule.

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0894-Refactored-deployment-system-variables.patch
Type: text/x-patch
Size: 7759 bytes
Desc: not available
URL: