From edewata at redhat.com  Mon Jan  4 20:31:28 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 4 Jan 2016 14:31:28 -0600
Subject: [Pki-devel] [PATCH] 665 Added table to manage TPS user profiles.
Message-ID: <568AD6A0.1090606@redhat.com>

The TPS UI has been modified to provide a table as an interface
to manage the user profiles. When adding a profile, the profile
can be selected from a list of available profiles.

The UserService and UGSubsystem have been modified to allow adding
a user with no assigned profiles.

https://fedorahosted.org/pki/ticket/1478

-- 
Endi S. Dewata
-------------- next part --------------
From 31972666380c97fc29f3095cfe7eb026b2e6e81d Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata at redhat.com>
Date: Thu, 24 Dec 2015 17:20:58 +0100
Subject: [PATCH] Added table to manage TPS user profiles.

The TPS UI has been modified to provide a table as an interface
to manage the user profiles. When adding a profile, the profile
can be selected from a list of available profiles.

The UserService and UGSubsystem have been modified to allow adding
a user with no assigned profiles.

https://fedorahosted.org/pki/ticket/1478
---
 .../src/org/dogtagpki/server/rest/UserService.java |  97 +++++++---
 .../com/netscape/cmscore/usrgrp/UGSubsystem.java   |  86 ++++-----
 base/server/share/webapps/pki/js/pki-ui.js         |   8 +-
 base/tps/shared/webapps/tps/js/user.js             | 196 +++++++++++++++++++--
 base/tps/shared/webapps/tps/ui/user.html           |  78 +++++++-
 5 files changed, 358 insertions(+), 107 deletions(-)

diff --git a/base/server/cms/src/org/dogtagpki/server/rest/UserService.java b/base/server/cms/src/org/dogtagpki/server/rest/UserService.java
index 53ecc2b9e778db3bf6e14bc05989446d4a741223..3de7384ee0dc8789e74b619191e7e4c4e739ae6f 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/UserService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/UserService.java
@@ -39,9 +39,6 @@ import javax.ws.rs.core.Request;
 import javax.ws.rs.core.Response;
 import javax.ws.rs.core.UriInfo;
 
-import netscape.security.pkcs.PKCS7;
-import netscape.security.x509.X509CertImpl;
-
 import org.apache.commons.lang.StringUtils;
 import org.jboss.resteasy.plugins.providers.atom.Link;
 import org.mozilla.jss.CryptoManager;
@@ -79,6 +76,9 @@ import com.netscape.cms.servlet.base.PKIService;
 import com.netscape.cmsutil.util.Cert;
 import com.netscape.cmsutil.util.Utils;
 
+import netscape.security.pkcs.PKCS7;
+import netscape.security.x509.X509CertImpl;
+
 /**
  * @author Endi S. Dewata
  */
@@ -209,6 +209,7 @@ public class UserService extends PKIService implements UserResource {
                 throw new BadRequestException(getUserMessage("CMS_ADMIN_SRVLT_NULL_RS_ID", headers));
             }
 
+            IConfigStore cs = CMS.getConfigStore();
             IUser user;
 
             try {
@@ -237,17 +238,22 @@ public class UserService extends PKIService implements UserResource {
             String type = user.getUserType();
             if (!StringUtils.isEmpty(type)) userData.setType(type);
 
-            List<String> profiles = user.getTpsProfiles();
-            if (profiles != null) {
-                StringBuilder sb = new StringBuilder();
-                String prefix = "";
-                for (String profile: profiles) {
-                    sb.append(prefix);
-                    prefix = ",";
-                    sb.append(profile);
+            // TODO: refactor into TPSUserService
+            String csType = cs.getString("cs.type");
+            if (csType.equals("TPS")) {
+
+                List<String> profiles = user.getTpsProfiles();
+                if (profiles != null) {
+                    StringBuilder sb = new StringBuilder();
+                    String prefix = "";
+                    for (String profile: profiles) {
+                        sb.append(prefix);
+                        prefix = ",";
+                        sb.append(profile);
+                    }
+
+                    userData.setAttribute(ATTR_TPS_PROFILES, sb.toString());
                 }
-
-                userData.setAttribute(ATTR_TPS_PROFILES, sb.toString());
             }
 
             return userData;
@@ -363,15 +369,23 @@ public class UserService extends PKIService implements UserResource {
                 user.setState(state);
             }
 
-            String tpsProfiles = userData.getAttribute(ATTR_TPS_PROFILES);
-            CMS.debug("TPS profiles: " + tpsProfiles);
+            // TODO: refactor into TPSUserService
             String csType = cs.getString("cs.type");
-            if (tpsProfiles != null) {
-                if (!csType.equals("TPS")) {
-                    throw new BadRequestException("Cannot set tpsProfiles on a non-TPS subsystem");
+            if (csType.equals("TPS")) {
+
+                String tpsProfiles = userData.getAttribute(ATTR_TPS_PROFILES);
+                CMS.debug("TPS profiles: " + tpsProfiles);
+                if (tpsProfiles != null) { // update profiles if specified
+
+                    String[] profiles;
+                    if (StringUtils.isEmpty(tpsProfiles)) {
+                        profiles = new String[0];
+                    } else {
+                        profiles = tpsProfiles.split(",");
+                    }
+
+                    user.setTpsProfiles(Arrays.asList(profiles));
                 }
-                String[] profiles = tpsProfiles.split(",");
-                user.setTpsProfiles(Arrays.asList(profiles));
             }
 
             userGroupManager.addUser(user);
@@ -443,11 +457,23 @@ public class UserService extends PKIService implements UserResource {
             String state = userData.getState();
             user.setState(state);
 
+            // TODO: refactor into TPSUserService
             String csType = cs.getString("cs.type");
             if (csType.equals("TPS")) {
+
                 String tpsProfiles = userData.getAttribute(ATTR_TPS_PROFILES);
-                String[] profiles = tpsProfiles.split(",");
-                user.setTpsProfiles(Arrays.asList(profiles));
+                CMS.debug("TPS Profiles: " + tpsProfiles);
+                if (tpsProfiles != null) { // update profiles if specified
+
+                    String[] profiles;
+                    if (StringUtils.isEmpty(tpsProfiles)) {
+                        profiles = new String[0];
+                    } else {
+                        profiles = tpsProfiles.split(",");
+                    }
+
+                    user.setTpsProfiles(Arrays.asList(profiles));
+                }
             }
 
             userGroupManager.modifyUser(user);
@@ -485,6 +511,8 @@ public class UserService extends PKIService implements UserResource {
     @Override
     public Response modifyUser(String userID, UserData userData) {
 
+        CMS.debug("UserService.modifyUser(" + userID + ")");
+
         if (userData == null) throw new BadRequestException("User data is null.");
 
         // ensure that any low-level exceptions are reported
@@ -499,11 +527,13 @@ public class UserService extends PKIService implements UserResource {
             IUser user = userGroupManager.createUser(userID);
 
             String fullName = userData.getFullName();
+            CMS.debug("Full name: " + fullName);
             if (fullName != null) {
                 user.setFullName(fullName);
             }
 
             String email = userData.getEmail();
+            CMS.debug("Email: " + email);
             if (email != null) {
                 user.setEmail(email);
             }
@@ -520,23 +550,34 @@ public class UserService extends PKIService implements UserResource {
             }
 
             String phone = userData.getPhone();
+            CMS.debug("Phone: " + phone);
             if (phone != null) {
                 user.setPhone(phone);
             }
 
             String state = userData.getState();
+            CMS.debug("State: " + state);
             if (state != null) {
                 user.setState(state);
             }
 
-            String tpsProfiles = userData.getAttribute(ATTR_TPS_PROFILES);
+            // TODO: refactor into TPSUserService
             String csType = cs.getString("cs.type");
-            if (tpsProfiles != null) {
-                if (!csType.equals("TPS")) {
-                    throw new BadRequestException("Cannot set tpsProfiles on a non-TPS subsystem");
+            if (csType.equals("TPS")) {
+
+                String tpsProfiles = userData.getAttribute(ATTR_TPS_PROFILES);
+                CMS.debug("TPS Profiles: " + tpsProfiles);
+                if (tpsProfiles != null) { // update profiles if specified
+
+                    String[] profiles;
+                    if (StringUtils.isEmpty(tpsProfiles)) {
+                        profiles = new String[0];
+                    } else {
+                        profiles = tpsProfiles.split(",");
+                    }
+
+                    user.setTpsProfiles(Arrays.asList(profiles));
                 }
-                String[] profiles = tpsProfiles.split(",");
-                user.setTpsProfiles(Arrays.asList(profiles));
             }
 
             userGroupManager.modifyUser(user);
diff --git a/base/server/cmscore/src/com/netscape/cmscore/usrgrp/UGSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/usrgrp/UGSubsystem.java
index d1277279e5c020aa688d1dedce9230d293fe3fac..a11c551e5424c55b41a53318689866c66aacff73 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/usrgrp/UGSubsystem.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/usrgrp/UGSubsystem.java
@@ -25,19 +25,6 @@ import java.util.Enumeration;
 import java.util.List;
 import java.util.Vector;
 
-import netscape.ldap.LDAPAttribute;
-import netscape.ldap.LDAPAttributeSet;
-import netscape.ldap.LDAPConnection;
-import netscape.ldap.LDAPDN;
-import netscape.ldap.LDAPEntry;
-import netscape.ldap.LDAPException;
-import netscape.ldap.LDAPModification;
-import netscape.ldap.LDAPModificationSet;
-import netscape.ldap.LDAPSearchConstraints;
-import netscape.ldap.LDAPSearchResults;
-import netscape.ldap.LDAPv2;
-import netscape.security.x509.X509CertImpl;
-
 import org.apache.commons.lang.StringUtils;
 
 import com.netscape.certsrv.apps.CMS;
@@ -60,6 +47,19 @@ import com.netscape.cmscore.ldapconn.LdapBoundConnFactory;
 import com.netscape.cmscore.util.Debug;
 import com.netscape.cmsutil.ldap.LDAPUtil;
 
+import netscape.ldap.LDAPAttribute;
+import netscape.ldap.LDAPAttributeSet;
+import netscape.ldap.LDAPConnection;
+import netscape.ldap.LDAPDN;
+import netscape.ldap.LDAPEntry;
+import netscape.ldap.LDAPException;
+import netscape.ldap.LDAPModification;
+import netscape.ldap.LDAPModificationSet;
+import netscape.ldap.LDAPSearchConstraints;
+import netscape.ldap.LDAPSearchResults;
+import netscape.ldap.LDAPv2;
+import netscape.security.x509.X509CertImpl;
+
 /**
  * This class defines low-level LDAP usr/grp management
  * usr/grp information is located remotely on another
@@ -738,11 +738,15 @@ public final class UGSubsystem implements IUGSubsystem {
         }
 
         // TODO add audit logging for profile
-        if (id.getTpsProfiles() != null) {
-            List<String> profiles = id.getTpsProfiles();
-            for (String profile: profiles) {
-                attrs.add(new LDAPAttribute(LDAP_ATTR_PROFILE_ID, profile));
+        List<String> profiles = id.getTpsProfiles();
+        if (profiles != null && profiles.size() > 0) {
+            CMS.debug("Adding " + LDAP_ATTR_PROFILE_ID + ":");
+            LDAPAttribute attr = new LDAPAttribute(LDAP_ATTR_PROFILE_ID);
+            for (String profile : profiles) {
+                CMS.debug(" - " + profile);
+                attr.addValue(profile);
             }
+            attrs.add(attr);
         }
 
         LDAPEntry entry = new LDAPEntry("uid=" + LDAPUtil.escapeRDNValue(id.getUserID()) +
@@ -763,12 +767,14 @@ public final class UGSubsystem implements IUGSubsystem {
             ldapconn.add(entry);
 
         } catch (LDAPException e) {
+            CMS.debug(e);
             log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_ADD_USER", e.toString()));
             throw LDAPExceptionConverter.toPKIException(e);
 
         } catch (ELdapException e) {
+            CMS.debug(e);
             log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_USRGRP_ADD_USER", e.toString()));
-            throw new EUsrGrpException(CMS.getUserMessage("CMS_USRGRP_ADD_USER_FAIL"));
+            throw new EUsrGrpException(CMS.getUserMessage("CMS_USRGRP_ADD_USER_FAIL"), e);
 
         } finally {
             if (ldapconn != null)
@@ -1229,7 +1235,8 @@ public final class UGSubsystem implements IUGSubsystem {
                 }
             }
 
-            if (user.getTpsProfiles() != null) {
+            List<String> profiles = user.getTpsProfiles();
+            if (profiles != null) {
                 // TODO add audit logging for profile
 
                 // replace the objectclass in case tpsProfile is not present
@@ -1238,44 +1245,11 @@ public final class UGSubsystem implements IUGSubsystem {
                 attrs.add(LDAPModification.REPLACE,
                         new LDAPAttribute(OBJECTCLASS_ATTR, oc));
 
-                User ldapUser = (User) getUser(user.getUserID());
-                List<String> oldProfiles = ldapUser.getTpsProfiles();
-                List<String> profiles = user.getTpsProfiles();
-
-                if (oldProfiles == null) {
-                    for (String profile : profiles) {
-                        attrs.add(LDAPModification.ADD,
-                                new LDAPAttribute(LDAP_ATTR_PROFILE_ID, profile));
-                    }
-                } else {
-                    for (String profile : profiles) {
-                        boolean found = false;
-                        for (String oldProfile : oldProfiles) {
-                            if (profile.equals(oldProfile)) {
-                                found = true;
-                                break;
-                            }
-                        }
-                        if (!found) {
-                            attrs.add(LDAPModification.ADD,
-                                    new LDAPAttribute(LDAP_ATTR_PROFILE_ID, profile));
-                        }
-                    }
-
-                    for (String oldProfile : oldProfiles) {
-                        boolean found = false;
-                        for (String profile : profiles) {
-                            if (profile.equals(oldProfile)) {
-                                found = true;
-                                break;
-                            }
-                        }
-                        if (!found) {
-                            attrs.add(LDAPModification.DELETE,
-                                    new LDAPAttribute(LDAP_ATTR_PROFILE_ID, oldProfile));
-                        }
-                    }
+                LDAPAttribute attr = new LDAPAttribute(LDAP_ATTR_PROFILE_ID);
+                for (String profile : profiles) {
+                    attr.addValue(profile);
                 }
+                attrs.add(LDAPModification.REPLACE, attr);
             }
 
             /**
diff --git a/base/server/share/webapps/pki/js/pki-ui.js b/base/server/share/webapps/pki/js/pki-ui.js
index 2fa47ccc48a65ff781c694662734c5ca26d055d6..cf4b44e241aee2ab7817fbebcc26b1f28dfc5148 100644
--- a/base/server/share/webapps/pki/js/pki-ui.js
+++ b/base/server/share/webapps/pki/js/pki-ui.js
@@ -621,7 +621,7 @@ var Table = Backbone.View.extend({
         // check filter against all values in the entry
         var matches = false;
         _(entry).each(function(value, key) {
-            if (entry.name.indexOf(filter) >= 0) matches = true;
+            if (value && value.indexOf(filter) >= 0) matches = true;
         });
 
         return matches;
@@ -704,7 +704,7 @@ var Table = Backbone.View.extend({
 
             // save new entry
             dialog.save();
-            self.entries.push(dialog.entry);
+            self.addEntry(dialog.entry);
 
             // redraw table
             self.render();
@@ -713,6 +713,10 @@ var Table = Backbone.View.extend({
 
         dialog.open();
     },
+    addEntry: function(entry) {
+        var self = this;
+        self.entries.push(entry);
+    },
     remove: function(items) {
         var self = this;
 
diff --git a/base/tps/shared/webapps/tps/js/user.js b/base/tps/shared/webapps/tps/js/user.js
index 3a29f1dd137afc8f1157b627166c43734185f0bd..663b66fc57b77c0b5cbb146ce081cacc339680f2 100644
--- a/base/tps/shared/webapps/tps/js/user.js
+++ b/base/tps/shared/webapps/tps/js/user.js
@@ -86,41 +86,199 @@ var UserCollection = Collection.extend({
     }
 });
 
+var UserProfilesTableItem = TableItem.extend({
+    initialize: function(options) {
+        var self = this;
+        UserProfilesTableItem.__super__.initialize.call(self, options);
+    },
+    renderColumn: function(td, templateTD) {
+        var self = this;
+
+        UserProfilesTableItem.__super__.renderColumn.call(self, td, templateTD);
+
+        $("a", td).click(function(e) {
+            e.preventDefault();
+            self.table.open(self);
+        });
+    }
+});
+
+var UserProfilesTable = Table.extend({
+    initialize: function(options) {
+        var self = this;
+        options.tableItem = UserProfilesTableItem;
+        UserProfilesTable.__super__.initialize.call(self, options);
+    },
+    sort: function() {
+        var self = this;
+
+        // sort profiles by id
+        self.filteredEntries = _.sortBy(self.filteredEntries, function(entry) {
+            return entry.id;
+        });
+    },
+    add: function() {
+        var self = this;
+
+        profiles = new ProfileCollection();
+        profiles.fetch({
+            success: function(collection, response, options) {
+
+                var dialog = self.addDialog;
+                var select = dialog.$(".modal-body select").empty();
+
+                $('<option/>', {
+                    text: 'All Profiles',
+                    selected: true
+                }).appendTo(select);
+
+                profiles.each(function(profile) {
+
+                    if (_.find(self.entries, function(e) { return e.id == profile.id; })) {
+                        // profile already exists
+
+                    } else {
+                        // show profile option
+                        $('<option/>', {
+                            text: profile.id
+                        }).appendTo(select);
+                    }
+                });
+
+                UserProfilesTable.__super__.add.call(self);
+            }
+        });
+    },
+    addEntry: function(entry) {
+        var self = this;
+
+        if (entry.id == 'All Profiles') {
+            // replace existing profiles
+            self.entries = [];
+            self.entries.push(entry);
+
+        } else if (_.find(self.entries, function(e) { return e.id == entry.id; })) {
+            // profile already exists
+
+        } else {
+            // add new profile
+            self.entries.push(entry);
+        }
+    },
+    remove: function(items) {
+        var self = this;
+
+        // remove selected profiles
+        self.entries = _.reject(self.entries, function(entry) {
+            return _.contains(items, entry.id);
+        });
+
+        // redraw table
+        self.render();
+    },
+    renderControls: function() {
+        var self = this;
+
+        UserProfilesTable.__super__.renderControls.call(self);
+
+        if (self.mode == "edit") {
+
+            if (_.find(self.entries, function(e) { return e.id == 'All Profiles'; })) {
+                self.addButton.hide();
+
+            } else {
+                self.addButton.show();
+            }
+        }
+    }
+});
+
 var UserPage = EntryPage.extend({
     initialize: function(options) {
         var self = this;
         UserPage.__super__.initialize.call(self, options);
     },
-    loadField: function(input) {
+    setup: function() {
         var self = this;
 
-        var name = input.attr("name");
-        if (name != "tpsProfiles") {
-            UserPage.__super__.loadField.call(self, input);
-            return;
-        }
-
-        var attributes = self.entry.attributes;
-        if (attributes) {
-            var value = attributes.tpsProfiles;
-            input.val(value);
-        }
+        UserPage.__super__.setup.call(self);
+
+        var dialog = self.$("#user-profile-dialog");
+
+        var addDialog = new Dialog({
+            el: dialog,
+            title: "Add Profile",
+            actions: ["cancel", "add"]
+        });
+
+        self.profilesSection = self.$("[name='profiles']");
+        self.profilesList = $("[name='list']", self.profilesSection);
+
+        self.profilesTable = new UserProfilesTable({
+            el: self.profilesList,
+            addDialog: addDialog,
+            pageSize: 10,
+            parent: self
+        });
+
     },
-    saveField: function(input) {
+    saveFields: function() {
         var self = this;
 
-        var name = input.attr("name");
-        if (name != "tpsProfiles") {
-            UserPage.__super__.saveField.call(self, input);
-            return;
-        }
+        UserPage.__super__.saveFields.call(self);
 
         var attributes = self.entry.attributes;
         if (attributes == undefined) {
             attributes = {};
             self.entry.attributes = attributes;
         }
-        attributes.tpsProfiles = input.val();
+        attributes.tpsProfiles = self.getProfiles().join();
+    },
+    renderContent: function() {
+        var self = this;
+
+        UserPage.__super__.renderContent.call(self);
+
+        if (self.mode == "add") {
+            self.profilesTable.mode = "edit";
+
+        } else if (self.mode == "edit") {
+            self.profilesTable.mode = "edit";
+
+        } else { // self.mode == "view"
+            self.profilesTable.mode = "view";
+        }
+
+        var profiles = [];
+        var attributes = self.entry.attributes;
+        if (attributes) {
+            var value = attributes.tpsProfiles;
+            if (value) {
+                profiles = value.split(',');
+            }
+        }
+
+        self.setProfiles(profiles);
+    },
+    setProfiles: function(profiles) {
+        var self = this;
+
+        self.profilesTable.entries = [];
+        _.each(profiles, function(profile) {
+            self.profilesTable.entries.push({ id: profile });
+        });
+
+        self.profilesTable.render();
+    },
+    getProfiles: function() {
+        var self = this;
+
+        var profiles = [];
+        _.each(self.profilesTable.entries, function(profile) {
+            profiles.push(profile.id);
+        });
+
+        return profiles;
     }
 });
 
diff --git a/base/tps/shared/webapps/tps/ui/user.html b/base/tps/shared/webapps/tps/ui/user.html
index 9a9f9505b3e07a9a62ef6de17a956a03376e17f2..79867f900744ec3e8c65464c42cc44dccb86f1be 100644
--- a/base/tps/shared/webapps/tps/ui/user.html
+++ b/base/tps/shared/webapps/tps/ui/user.html
@@ -51,7 +51,81 @@
     <input name="type" readonly="readonly"><br>
     <label>State</label>
     <input name="state" readonly="readonly"><br>
-    <label>TPS Profiles</label>
-    <input name="tpsProfiles" readonly="readonly"><br>
 </fieldset>
 </div>
+
+<div name="profiles">
+
+<h2>Profiles</h2>
+
+<table name="list">
+<thead>
+    <tr>
+         <th class="pki-table-actions" colspan="2">
+             <span name="search">
+                 <input name="search" type="text" placeholder="Search...">
+             </span>
+             <span class="pki-table-buttons">
+                 <button name="add">Add</button>
+                 <button name="remove">Remove</button>
+             </span>
+         </th>
+    </tr>
+    <tr>
+        <th class="pki-select-column"><input id="user-profiles-selectall" type="checkbox"><label for="user-profiles-selectall">&nbsp;</label></th>
+        <th>Profile ID</th>
+    </tr>
+</thead>
+<tbody>
+    <tr>
+        <td class="pki-select-column"><input id="user-profiles-select" type="checkbox"><label for="user-profiles-select">&nbsp;</label></td>
+        <td name="id">${id}</td>
+    </tr>
+</tbody>
+<tfoot>
+    <tr>
+         <th class="pki-table-actions" colspan="2">
+             <div class="pki-table-info">
+                 Total: <span name="totalEntries">0</span> entries
+             </div>
+             <div class="pki-page-controls">
+                 <ul class="pagination">
+                     <li><a href="#" name="first"><span class="i fa fa-angle-double-left"></span></a></li>
+                     <li><a href="#" name="prev"><span class="i fa fa-angle-left"></span></a></li>
+                 </ul>
+                 <span class="pki-page-jump">
+                     <input name="page" type="text" value="1"> of <span name="totalPages">1</span>
+                 </span>
+                 <ul class="pagination">
+                     <li><a href="#" name="next"><span class="i fa fa-angle-right"></span></a></li>
+                     <li><a href="#" name="last"><span class="i fa fa-angle-double-right"></span></a></li>
+                 </ul>
+             </div>
+         </th>
+    </tr>
+</tfoot>
+</table>
+
+</div>
+
+<div id="user-profile-dialog" class="modal">
+    <div class="modal-dialog">
+        <div class="modal-content">
+            <div class="modal-header">
+                <button type="button" class="close" data-dismiss="modal" aria-hidden="true">
+                    <span class="pficon pficon-close"></span>
+                </button>
+                <h4 class="modal-title">Add Profile</h4>
+            </div>
+            <div class="modal-body">
+                Profile:
+                <select name="id">
+                </select>
+            </div>
+            <div class="modal-footer">
+                <button name="add" class="btn btn-primary">Add</button>
+                <button name="cancel" class="btn btn-default" data-dismiss="modal">Cancel</button>
+            </div>
+        </div>
+    </div>
+</div>
-- 
2.4.3


From edewata at redhat.com  Tue Jan  5 00:55:51 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 4 Jan 2016 18:55:51 -0600
Subject: [Pki-devel] [PATCH] 666 Updated CLI to run individual selftests.
Message-ID: <568B1497.2000302@redhat.com>

The pki selftest-run command has been modified to execute the
specified selftests, or all selftests if nothing is specified.
The command will also display the status of each test and the
stack trace if it fails.

https://fedorahosted.org/pki/ticket/1502

-- 
Endi S. Dewata
-------------- next part --------------
From 0050f2fd4811806b9205e60ece6d68b61b8e6f84 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata at redhat.com>
Date: Tue, 5 Jan 2016 01:39:06 +0100
Subject: [PATCH] Updated CLI to run individual selftests.

The pki selftest-run command has been modified to execute the
specified selftests, or all selftests if nothing is specified.
The command will also display the status of each test and the
stack trace if it fails.

https://fedorahosted.org/pki/ticket/1502
---
 .../certsrv/selftests/ISelfTestSubsystem.java      |   7 +
 .../netscape/certsrv/selftests/SelfTestClient.java |  10 ++
 .../certsrv/selftests/SelfTestResource.java        |  12 ++
 .../netscape/certsrv/selftests/SelfTestResult.java | 150 +++++++++++++++++++++
 .../certsrv/selftests/SelfTestResults.java         |  38 ++++++
 .../cmstools/selftests/SelfTestRunCLI.java         |  48 ++++++-
 .../org/dogtagpki/server/rest/SelfTestService.java |  58 +++++++-
 .../cmscore/selftests/SelfTestSubsystem.java       |  75 ++++++-----
 8 files changed, 353 insertions(+), 45 deletions(-)
 create mode 100644 base/common/src/com/netscape/certsrv/selftests/SelfTestResult.java
 create mode 100644 base/common/src/com/netscape/certsrv/selftests/SelfTestResults.java

diff --git a/base/common/src/com/netscape/certsrv/selftests/ISelfTestSubsystem.java b/base/common/src/com/netscape/certsrv/selftests/ISelfTestSubsystem.java
index 29adde0828332c600a325c4aa9e4418d718b8ea4..c07b96acb8f31095143b5288b238ee051dd23626 100644
--- a/base/common/src/com/netscape/certsrv/selftests/ISelfTestSubsystem.java
+++ b/base/common/src/com/netscape/certsrv/selftests/ISelfTestSubsystem.java
@@ -139,6 +139,13 @@ public interface ISelfTestSubsystem
     public void runSelfTestsOnDemand()
             throws EMissingSelfTestException, ESelfTestException;
 
+    /**
+     * Execute a self test.
+     *
+     * @exception Exception self test exception
+     */
+    public void runSelfTest(String instanceName) throws Exception;
+
     //
     // methods associated with the list of startup self tests
     //
diff --git a/base/common/src/com/netscape/certsrv/selftests/SelfTestClient.java b/base/common/src/com/netscape/certsrv/selftests/SelfTestClient.java
index 108cc1f8f01689d846f0a45dc51b1b2c5f59d56a..7dce1db15aed5dc73657ab4f5cac5fd62c5037a2 100644
--- a/base/common/src/com/netscape/certsrv/selftests/SelfTestClient.java
+++ b/base/common/src/com/netscape/certsrv/selftests/SelfTestClient.java
@@ -50,6 +50,16 @@ public class SelfTestClient extends Client {
         client.getEntity(response, Void.class);
     }
 
+    public SelfTestResults runSelfTests() {
+        Response response = resource.runSelfTests();
+        return client.getEntity(response, SelfTestResults.class);
+    }
+
+    public SelfTestResult runSelfTest(String selfTestID) {
+        Response response = resource.runSelfTest(selfTestID);
+        return client.getEntity(response, SelfTestResult.class);
+    }
+
     public SelfTestData getSelfTest(String selfTestID) {
         Response response = resource.getSelfTest(selfTestID);
         return client.getEntity(response, SelfTestData.class);
diff --git a/base/common/src/com/netscape/certsrv/selftests/SelfTestResource.java b/base/common/src/com/netscape/certsrv/selftests/SelfTestResource.java
index 04f41999d6b830e5ec6782c24ad0464c5cc80146..2238beb11ffdff4b5f39fe50616595aa5e5b63db 100644
--- a/base/common/src/com/netscape/certsrv/selftests/SelfTestResource.java
+++ b/base/common/src/com/netscape/certsrv/selftests/SelfTestResource.java
@@ -50,8 +50,20 @@ public interface SelfTestResource {
     @ACLMapping("selftests.execute")
     public Response executeSelfTests(@QueryParam("action") String action);
 
+    @POST
+    @Path("run")
+    @ClientResponseType(entityType=SelfTestResults.class)
+    @ACLMapping("selftests.execute")
+    public Response runSelfTests();
+
     @GET
     @Path("{selfTestID}")
     @ClientResponseType(entityType=SelfTestData.class)
     public Response getSelfTest(@PathParam("selfTestID") String selfTestID);
+
+    @POST
+    @Path("{selfTestID}/run")
+    @ClientResponseType(entityType=SelfTestResult.class)
+    @ACLMapping("selftests.execute")
+    public Response runSelfTest(@PathParam("selfTestID") String selfTestID);
 }
diff --git a/base/common/src/com/netscape/certsrv/selftests/SelfTestResult.java b/base/common/src/com/netscape/certsrv/selftests/SelfTestResult.java
new file mode 100644
index 0000000000000000000000000000000000000000..1bb36192874253cfa7eb2f1ba37eb0ff65d8dc8c
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/selftests/SelfTestResult.java
@@ -0,0 +1,150 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2016 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package com.netscape.certsrv.selftests;
+
+import java.io.StringReader;
+import java.io.StringWriter;
+
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.Marshaller;
+import javax.xml.bind.Unmarshaller;
+import javax.xml.bind.annotation.XmlAttribute;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlRootElement;
+
+/**
+ * @author Endi S. Dewata
+ */
+ at XmlRootElement(name="SelfTestResult")
+public class SelfTestResult {
+
+    public static Marshaller marshaller;
+    public static Unmarshaller unmarshaller;
+
+    static {
+        try {
+            marshaller = JAXBContext.newInstance(SelfTestResult.class).createMarshaller();
+            marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, true);
+            unmarshaller = JAXBContext.newInstance(SelfTestResult.class).createUnmarshaller();
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+
+    String id;
+    String status;
+    String output;
+
+    @XmlAttribute(name="id")
+    public String getID() {
+        return id;
+    }
+
+    public void setID(String id) {
+        this.id = id;
+    }
+
+    @XmlElement(name="Status")
+    public String getStatus() {
+        return status;
+    }
+
+    public void setStatus(String status) {
+        this.status = status;
+    }
+
+    @XmlElement(name="Output")
+    public String getOutput() {
+        return output;
+    }
+
+    public void setOutput(String output) {
+        this.output = output;
+    }
+
+    @Override
+    public int hashCode() {
+        final int prime = 31;
+        int result = 1;
+        result = prime * result + ((id == null) ? 0 : id.hashCode());
+        result = prime * result + ((output == null) ? 0 : output.hashCode());
+        result = prime * result + ((status == null) ? 0 : status.hashCode());
+        return result;
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+        if (this == obj)
+            return true;
+        if (obj == null)
+            return false;
+        if (getClass() != obj.getClass())
+            return false;
+        SelfTestResult other = (SelfTestResult) obj;
+        if (id == null) {
+            if (other.id != null)
+                return false;
+        } else if (!id.equals(other.id))
+            return false;
+        if (output == null) {
+            if (other.output != null)
+                return false;
+        } else if (!output.equals(other.output))
+            return false;
+        if (status == null) {
+            if (other.status != null)
+                return false;
+        } else if (!status.equals(other.status))
+            return false;
+        return true;
+    }
+
+    public String toString() {
+        try {
+            StringWriter sw = new StringWriter();
+            marshaller.marshal(this, sw);
+            return sw.toString();
+
+        } catch (Exception e) {
+            return super.toString();
+        }
+    }
+
+    public static SelfTestResult valueOf(String string) throws Exception {
+        try {
+            return (SelfTestResult)unmarshaller.unmarshal(new StringReader(string));
+        } catch (Exception e) {
+            return null;
+        }
+    }
+
+    public static void main(String args[]) throws Exception {
+
+        SelfTestResult before = new SelfTestResult();
+        before.setID("selftest1");
+        before.setStatus("PASSED");
+        before.setOutput(null);
+
+        String string = before.toString();
+        System.out.println(string);
+
+        SelfTestResult after = SelfTestResult.valueOf(string);
+        System.out.println(before.equals(after));
+    }
+}
diff --git a/base/common/src/com/netscape/certsrv/selftests/SelfTestResults.java b/base/common/src/com/netscape/certsrv/selftests/SelfTestResults.java
new file mode 100644
index 0000000000000000000000000000000000000000..e4f2d951d537f81ec6d6652f23bbfe42eb3efc92
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/selftests/SelfTestResults.java
@@ -0,0 +1,38 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2016 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package com.netscape.certsrv.selftests;
+
+import java.util.Collection;
+
+import javax.xml.bind.annotation.XmlElementRef;
+import javax.xml.bind.annotation.XmlRootElement;
+
+import com.netscape.certsrv.base.DataCollection;
+
+/**
+ * @author Endi S. Dewata
+ */
+ at XmlRootElement(name="SelfTestResults")
+public class SelfTestResults extends DataCollection<SelfTestResult> {
+
+    @XmlElementRef
+    public Collection<SelfTestResult> getEntries() {
+        return super.getEntries();
+    }
+}
diff --git a/base/java-tools/src/com/netscape/cmstools/selftests/SelfTestRunCLI.java b/base/java-tools/src/com/netscape/cmstools/selftests/SelfTestRunCLI.java
index a3827178f1083294607f6dd5f92b9c8bd9bcc71e..2e40ee4f885c3e48bf5d22847807517ddc626586 100644
--- a/base/java-tools/src/com/netscape/cmstools/selftests/SelfTestRunCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/selftests/SelfTestRunCLI.java
@@ -21,7 +21,10 @@ package com.netscape.cmstools.selftests;
 import java.util.Arrays;
 
 import org.apache.commons.cli.CommandLine;
+import org.apache.commons.lang.StringUtils;
 
+import com.netscape.certsrv.selftests.SelfTestResult;
+import com.netscape.certsrv.selftests.SelfTestResults;
 import com.netscape.cmstools.cli.CLI;
 import com.netscape.cmstools.cli.MainCLI;
 
@@ -38,7 +41,20 @@ public class SelfTestRunCLI extends CLI {
     }
 
     public void printHelp() {
-        formatter.printHelp(getFullName() + " [OPTIONS...]", options);
+        formatter.printHelp(getFullName() + " [selftests...] [OPTIONS...]", options);
+    }
+
+    public static void printSelfTestResult(SelfTestResult result) {
+        System.out.println("  Selftest ID: " + result.getID());
+
+        String status = result.getStatus();
+        System.out.println("  Status: " + status);
+
+        String output = result.getOutput();
+        if (StringUtils.isNotEmpty(output)) {
+            System.out.println("  Output:");
+            System.out.println(output);
+        }
     }
 
     public void execute(String[] args) throws Exception {
@@ -62,13 +78,33 @@ public class SelfTestRunCLI extends CLI {
 
         String[] cmdArgs = cmd.getArgs();
 
-        if (cmdArgs.length != 0) {
-            System.err.println("Error: Too many arguments specified.");
-            printHelp();
-            System.exit(-1);
+        SelfTestResults results;
+
+        if (cmdArgs.length == 0) {
+            results = selfTestCLI.selfTestClient.runSelfTests();
+
+        } else {
+
+            results = new SelfTestResults();
+
+            for (String selfTestID : cmdArgs) {
+                SelfTestResult result = selfTestCLI.selfTestClient.runSelfTest(selfTestID);
+                results.addEntry(result);;
+            }
         }
 
-        selfTestCLI.selfTestClient.executeSelfTests("run");
+        boolean first = true;
+
+        for (SelfTestResult result : results.getEntries()) {
+
+            if (first) {
+                first = false;
+            } else {
+                System.out.println();
+            }
+
+            printSelfTestResult(result);
+        }
 
         MainCLI.printMessage("Selftests completed");
     }
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SelfTestService.java b/base/server/cms/src/org/dogtagpki/server/rest/SelfTestService.java
index de9bd04ad21d8f387c270e3a4ff20274d1951915..e662ba9e76706c425c97e0f788315a55a6985542 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/SelfTestService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SelfTestService.java
@@ -18,6 +18,8 @@
 
 package org.dogtagpki.server.rest;
 
+import java.io.PrintWriter;
+import java.io.StringWriter;
 import java.io.UnsupportedEncodingException;
 import java.net.URI;
 import java.net.URLEncoder;
@@ -42,6 +44,8 @@ import com.netscape.certsrv.selftests.ISelfTestSubsystem;
 import com.netscape.certsrv.selftests.SelfTestCollection;
 import com.netscape.certsrv.selftests.SelfTestData;
 import com.netscape.certsrv.selftests.SelfTestResource;
+import com.netscape.certsrv.selftests.SelfTestResult;
+import com.netscape.certsrv.selftests.SelfTestResults;
 import com.netscape.cms.servlet.base.PKIService;
 
 /**
@@ -144,7 +148,7 @@ public class SelfTestService extends PKIService implements SelfTestResource {
             return createOKResponse(response);
 
         } catch (Exception e) {
-            e.printStackTrace();
+            CMS.debug(e);
             throw new PKIException(e.getMessage());
         }
     }
@@ -161,7 +165,7 @@ public class SelfTestService extends PKIService implements SelfTestResource {
             return createOKResponse(createSelfTestData(subsystem, selfTestID));
 
         } catch (Exception e) {
-            e.printStackTrace();
+            CMS.debug(e);
             throw new PKIException(e.getMessage());
         }
     }
@@ -182,10 +186,58 @@ public class SelfTestService extends PKIService implements SelfTestResource {
             subsystem.runSelfTestsOnDemand();
 
         } catch (Exception e) {
-            e.printStackTrace();
+            CMS.debug(e);
             throw new PKIException(e.getMessage());
         }
 
         return createNoContentResponse();
     }
+
+    @Override
+    public Response runSelfTests() {
+
+        CMS.debug("SelfTestService.runSelfTests()");
+
+        SelfTestResults results = new SelfTestResults();
+
+        try {
+            ISelfTestSubsystem subsystem = (ISelfTestSubsystem)CMS.getSubsystem(ISelfTestSubsystem.ID);
+            for (String selfTestID : subsystem.listSelfTestsEnabledOnDemand()) {
+                Response response = runSelfTest(selfTestID);
+                SelfTestResult result = (SelfTestResult)response.getEntity();
+                results.addEntry(result);
+            }
+
+        } catch (Exception e) {
+            CMS.debug(e);
+            throw new PKIException(e.getMessage());
+        }
+
+        return createOKResponse(results);
+    }
+
+    @Override
+    public Response runSelfTest(String selfTestID) {
+
+        CMS.debug("SelfTestService.runSelfTest(" + selfTestID + ")");
+
+        SelfTestResult result = new SelfTestResult();
+        result.setID(selfTestID);
+
+        try {
+            ISelfTestSubsystem subsystem = (ISelfTestSubsystem)CMS.getSubsystem(ISelfTestSubsystem.ID);
+            subsystem.runSelfTest(selfTestID);
+            result.setStatus("PASSED");
+
+        } catch (Exception e) {
+            result.setStatus("FAILED");
+
+            StringWriter sw = new StringWriter();
+            PrintWriter out = new PrintWriter(sw);
+            e.printStackTrace(out);
+            result.setOutput(sw.toString());
+        }
+
+        return createOKResponse(result);
+    }
 }
diff --git a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java
index 14fab26e4d3f9ffdfc305acbd94b742be6141604..4b89aa49efbaaeb1b1039b899cf77c24db49ac32 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java
@@ -501,16 +501,11 @@ public class SelfTestSubsystem
         Enumeration<SelfTestOrderedInstance> instances = mOnDemandOrder.elements();
 
         while (instances.hasMoreElements()) {
+
             SelfTestOrderedInstance instance = instances.nextElement();
-
-            String instanceFullName = null;
             String instanceName = instance.getSelfTestName();
 
-            if (instanceName != null) {
-                instanceName = instanceName.trim();
-                instanceFullName = getFullName(mPrefix,
-                            instanceName);
-            } else {
+            if (instanceName == null) {
                 log(mLogger,
                         CMS.getLogMessage(
                                 "CMSCORE_SELFTESTS_PROPERTY_NAME_IS_NULL"));
@@ -518,37 +513,11 @@ public class SelfTestSubsystem
                 throw new EMissingSelfTestException();
             }
 
-            if (mSelfTestInstances.containsKey(instanceName)) {
-                ISelfTest test = mSelfTestInstances.get(instanceName);
+            instanceName = instanceName.trim();
 
-                try {
-                    if (CMS.debugOn()) {
-                        CMS.debug("SelfTestSubsystem::runSelfTestsOnDemand():"
-                                + "    running \""
-                                + test.getSelfTestName()
-                                + "\"");
-                    }
+            String instanceFullName = getFullName(mPrefix, instanceName);
 
-                    test.runSelfTest(mLogger);
-
-                } catch (Exception e) {
-
-                    CMS.debug(e);
-
-                    // Check to see if the self test was critical:
-                    if (isSelfTestCriticalOnDemand(instanceName)) {
-                        log(mLogger,
-                                CMS.getLogMessage(
-                                        "CMSCORE_SELFTESTS_RUN_ON_DEMAND_FAILED",
-                                        instanceFullName));
-
-                        // shutdown the system gracefully
-                        CMS.shutdown();
-
-                        return;
-                    }
-                }
-            } else {
+            if (!mSelfTestInstances.containsKey(instanceName)) {
                 // self test plugin instance property name is not present
                 log(mLogger,
                         CMS.getLogMessage(
@@ -557,6 +526,27 @@ public class SelfTestSubsystem
 
                 throw new EMissingSelfTestException(instanceFullName);
             }
+
+            try {
+                runSelfTest(instanceName);
+
+            } catch (Exception e) {
+
+                CMS.debug(e);
+
+                // Check to see if the self test was critical:
+                if (isSelfTestCriticalOnDemand(instanceName)) {
+                    log(mLogger,
+                            CMS.getLogMessage(
+                                    "CMSCORE_SELFTESTS_RUN_ON_DEMAND_FAILED",
+                                    instanceFullName));
+
+                    // shutdown the system gracefully
+                    CMS.shutdown();
+
+                    return;
+                }
+            }
         }
 
         if (CMS.debugOn()) {
@@ -565,6 +555,19 @@ public class SelfTestSubsystem
         }
     }
 
+    public void runSelfTest(String instanceName) throws Exception {
+
+        CMS.debug("SelfTestSubsystem.runSelfTest(" + instanceName + ")");
+
+        ISelfTest test = mSelfTestInstances.get(instanceName);
+
+        if (test == null) {
+            throw new EMissingSelfTestException(instanceName);
+        }
+
+        test.runSelfTest(mLogger);
+    }
+
     //
     // methods associated with the list of startup self tests
     //
-- 
2.4.3


From edewata at redhat.com  Wed Jan  6 17:09:11 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 6 Jan 2016 11:09:11 -0600
Subject: [Pki-devel] [PATCH] 667 Added interface to run selftest in TPS UI.
Message-ID: <568D4A37.1020407@redhat.com>

The TPS UI has been modified to provide an interface to run the
selftests and display the results.

https://fedorahosted.org/pki/ticket/1502

-- 
Endi S. Dewata
-------------- next part --------------
From 880213c5bb173f872d0003f303143a5f49c2067a Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata at redhat.com>
Date: Wed, 6 Jan 2016 05:10:33 +0100
Subject: [PATCH] Added interface to run selftest in TPS UI.

The TPS UI has been modified to provide an interface to run the
selftests and display the results.

https://fedorahosted.org/pki/ticket/1502
---
 base/server/share/webapps/pki/js/pki-ui.js    |  28 ++++--
 base/tps/shared/webapps/tps/js/selftest.js    | 133 +++++++++++++++++++++++++-
 base/tps/shared/webapps/tps/ui/selftest.html  |  35 +++++++
 base/tps/shared/webapps/tps/ui/selftests.html |  39 ++++++--
 4 files changed, 217 insertions(+), 18 deletions(-)

diff --git a/base/server/share/webapps/pki/js/pki-ui.js b/base/server/share/webapps/pki/js/pki-ui.js
index cf4b44e241aee2ab7817fbebcc26b1f28dfc5148..c6e326a0c4b10a672e67a40fc2d21bfea4be6b43 100644
--- a/base/server/share/webapps/pki/js/pki-ui.js
+++ b/base/server/share/webapps/pki/js/pki-ui.js
@@ -194,6 +194,8 @@ var Dialog = Backbone.View.extend({
         var self = this;
         Dialog.__super__.initialize.call(self, options);
 
+        self.body = self.$(".modal-body");
+
         self.title = options.title;
 
         self.readonly = options.readonly;
@@ -231,7 +233,8 @@ var Dialog = Backbone.View.extend({
         }
 
         // setup input fields
-        self.$(".modal-body input").each(function(index) {
+        // TODO: handle drop-down lists
+        $("input, textarea", self.body).each(function(index) {
             var input = $(this);
             var name = input.attr("name");
             if (_.contains(self.readonly, name)) {
@@ -287,13 +290,7 @@ var Dialog = Backbone.View.extend({
         var self = this;
 
         // load input fields
-        self.$(".modal-body input").each(function(index) {
-            var input = $(this);
-            self.loadField(input);
-        });
-
-        // load drop-down lists
-        self.$(".modal-body select").each(function(index) {
+        $("input, select, textarea", self.body).each(function(index) {
             var input = $(this);
             self.loadField(input);
         });
@@ -425,6 +422,17 @@ var TableItem = Backbone.View.extend({
             }
         });
     },
+    isSelected: function() {
+        var self = this;
+
+        var checkbox = $("td.pki-select-column input", self.$el);
+
+        // skip blank rows
+        var value = checkbox.val();
+        if (value == "") return false;
+
+        return checkbox.prop("checked");
+    },
     get: function(name) {
         var self = this;
         var attribute = self.table.columnMappings[name] || name;
@@ -664,6 +672,10 @@ var Table = Backbone.View.extend({
             item.reset();
         }
     },
+    getSelectedRows: function() {
+        var self = this;
+        return _.filter(self.items, function(item) { return item.isSelected(); });
+    },
     totalEntries: function() {
         var self = this;
         return self.filteredEntries.length;
diff --git a/base/tps/shared/webapps/tps/js/selftest.js b/base/tps/shared/webapps/tps/js/selftest.js
index d2890781760eb856f5684365dc3b7bc243c06302..0d402c597270a825bbde8c4ec4927b967f456ab5 100644
--- a/base/tps/shared/webapps/tps/js/selftest.js
+++ b/base/tps/shared/webapps/tps/js/selftest.js
@@ -38,6 +38,18 @@ var SelfTestModel = Model.extend({
             EnabledOnDemand: attributes.enabledOnDemand,
             CriticalOnDemand: attributes.criticalOnDemand
         };
+    },
+    run: function(options) {
+        var self = this;
+        $.ajax({
+            type: "POST",
+            url: self.url() + "/run",
+            dataType: "json"
+        }).done(function(data, textStatus, jqXHR) {
+            if (options.success) options.success.call(self, data, textStatus, jqXHR);
+        }).fail(function(jqXHR, textStatus, errorThrown) {
+            if (options.error) options.error.call(self, jqXHR, textStatus, errorThrown);
+        });
     }
 });
 
@@ -64,6 +76,48 @@ var SelfTestPage = EntryPage.extend({
     initialize: function(options) {
         var self = this;
         SelfTestPage.__super__.initialize.call(self, options);
+    },
+    setup: function() {
+        var self = this;
+
+        SelfTestPage.__super__.setup.call(self);
+
+        self.runAction = $("[name='run']", self.viewMenu);
+
+        $("a", self.runAction).click(function(e) {
+
+            e.preventDefault();
+
+            self.model.run({
+                success: function(data, textStatus, jqXHR) {
+                    self.showResult({
+                        id: data.id,
+                        status: data.Status,
+                        output: data.Output
+                    });
+                },
+                error: function(jqXHR, textStatus, errorThrown) {
+                    self.showResult({
+                        id: self.model.get("id"),
+                        status: textStatus,
+                        output: errorThrown
+                    });
+                }
+            });
+
+        });
+    },
+    showResult: function(data) {
+        var dialog = new Dialog({
+            el: self.$("#selftest-result-dialog"),
+            title: "Self Test Result",
+            readonly: ["id", "status", "output"],
+            actions: ["close"]
+        });
+
+        dialog.entry = data;
+
+        dialog.open();
     }
 });
 
@@ -71,6 +125,80 @@ var SelfTestsTable = ModelTable.extend({
     initialize: function(options) {
         var self = this;
         SelfTestsTable.__super__.initialize.call(self, options);
+
+        self.runButton = $("[name='run']", self.buttons);
+        self.runButton.click(function(e) {
+            var items = self.getSelectedRows();
+            _.each(items, function(item, index) {
+                self.runTest(item, index);
+            });
+        });
+
+        self.clearButton = $("[name='clear']", self.buttons);
+        self.clearButton.click(function(e) {
+            var items = self.getSelectedRows();
+            _.each(items, function(item, index) {
+                self.clearTest(item, index);
+            });
+        });
+    },
+    runTest: function(item, index) {
+        var self = this;
+
+        var statusTD = $("td[name='status']", item.$el);
+        statusTD.text("RUNNING");
+
+        var id = item.get("id");
+        var model = self.collection.get(id);
+
+        model.run({
+            success: function(data, textStatus, jqXHR) {
+                statusTD.empty();
+                var link = $("<a/>", {
+                    text: data.Status,
+                    click: function(e) {
+                        e.preventDefault();
+                        self.showResult({
+                            id: data.id,
+                            status: data.Status,
+                            output: data.Output
+                        });
+                    }
+                }).appendTo(statusTD);
+            },
+            error: function(jqXHR, textStatus, errorThrown) {
+                statusTD.empty();
+                var link = $("<a/>", {
+                    text: textStatus,
+                    click: function(e) {
+                        e.preventDefault();
+                        self.showResult({
+                            id: id,
+                            status: textStatus,
+                            output: errorThrown
+                        });
+                    }
+                }).appendTo(statusTD);
+            }
+        });
+    },
+    clearTest: function(item, index) {
+        var self = this;
+
+        var statusTD = $("td[name='status']", item.$el);
+        statusTD.empty();
+    },
+    showResult: function(data) {
+        var dialog = new Dialog({
+            el: self.parent.$("#selftest-result-dialog"),
+            title: "Self Test Result",
+            readonly: ["id", "status", "output"],
+            actions: ["close"]
+        });
+
+        dialog.entry = data;
+
+        dialog.open();
     }
 });
 
@@ -79,8 +207,9 @@ var SelfTestsPage = Page.extend({
         var self = this;
 
         var table = new SelfTestsTable({
-            el: $("table[name='selftests']"),
-            collection: new SelfTestCollection()
+            el: self.$("table[name='selftests']"),
+            collection: new SelfTestCollection(),
+            parent: self
         });
 
         table.render();
diff --git a/base/tps/shared/webapps/tps/ui/selftest.html b/base/tps/shared/webapps/tps/ui/selftest.html
index 8a680355a293b689dcac071a80dd2484c4c0e0d2..1b43cfe5e3c010da038850ec6c4b79783fd02bcd 100644
--- a/base/tps/shared/webapps/tps/ui/selftest.html
+++ b/base/tps/shared/webapps/tps/ui/selftest.html
@@ -24,6 +24,14 @@
 
 <span name="title" class="pki-title">Self Test ${id}</span>
 
+<span class="pki-actions">
+
+<ul name="view" class="pki-actions-menu">
+<li name="run"><a href="#">Run</a></li>
+</ul>
+
+</span>
+
 </div>
 
 <div name="user" class="pki-fields">
@@ -40,3 +48,30 @@
     <input name="criticalOnDemand" readonly="readonly"><br>
 </fieldset>
 </div>
+
+<div id="selftest-result-dialog" class="modal">
+    <div class="modal-dialog">
+        <div class="modal-content">
+            <div class="modal-header">
+                <button type="button" class="close" data-dismiss="modal" aria-hidden="true">
+                    <span class="pficon pficon-close"></span>
+                </button>
+                <h4 class="modal-title">Self Test Result</h4>
+            </div>
+            <div class="modal-body">
+                <fieldset>
+                <label>Self Test ID</label>
+                <input name="id" readonly="readonly"><br>
+                <label>Status</label>
+                <input name="status" readonly="readonly"><br>
+                <label>Output</label>
+                <textarea name="output" rows="20" style="width: 100%; white-space: pre;">
+                </textarea>
+                </fieldset>
+            </div>
+            <div class="modal-footer">
+                <button name="close" class="btn btn-default" data-dismiss="modal">Close</button>
+            </div>
+        </div>
+    </div>
+</div>
diff --git a/base/tps/shared/webapps/tps/ui/selftests.html b/base/tps/shared/webapps/tps/ui/selftests.html
index 95bafeaffcec1519e6c057a1902b13a87a6fa51c..92133c3d3edd1729a3a27d4eb658497a4cd90d52 100644
--- a/base/tps/shared/webapps/tps/ui/selftests.html
+++ b/base/tps/shared/webapps/tps/ui/selftests.html
@@ -32,26 +32,22 @@
                  <input name="search" type="text" placeholder="Search...">
              </span>
              <span class="pki-table-buttons">
+                 <button name="run">Run</button>
+                 <button name="clear">Clear</button>
              </span>
          </th>
     </tr>
     <tr>
         <th class="pki-select-column"><input id="selftests-selectall" type="checkbox"><label for="selftests-selectall">&nbsp;</label></th>
         <th>Self Test ID</th>
-        <th>Enabled at Statup</th>
-        <th>Critical at Startup</th>
-        <th>Enabled on Demand</th>
-        <th>Critical on Demand</th>
+        <th>Status</th>
     </tr>
 </thead>
 <tbody>
     <tr>
         <td class="pki-select-column"><input id="selftests-select" type="checkbox"><label for="selftests-select">&nbsp;</label></td>
         <td name="id"><a href="#selftests/${id}">${id}</a></td>
-        <td name="enabledAtStartup">${enabledAtStartup}</td>
-        <td name="criticalAtStartup">${criticalAtStartup}</td>
-        <td name="enabledOnDemand">${enabledOnDemand}</td>
-        <td name="criticalOnDemand">${criticalOnDemand}</td>
+        <td name="status"></td>
     </tr>
 </tbody>
 <tfoot>
@@ -77,3 +73,30 @@
     </tr>
 </tfoot>
 </table>
+
+<div id="selftest-result-dialog" class="modal">
+    <div class="modal-dialog">
+        <div class="modal-content">
+            <div class="modal-header">
+                <button type="button" class="close" data-dismiss="modal" aria-hidden="true">
+                    <span class="pficon pficon-close"></span>
+                </button>
+                <h4 class="modal-title">Self Test Result</h4>
+            </div>
+            <div class="modal-body">
+                <fieldset>
+                <label>Self Test ID</label>
+                <input name="id" readonly="readonly"><br>
+                <label>Status</label>
+                <input name="status" readonly="readonly"><br>
+                <label>Output</label>
+                <textarea name="output" rows="20" style="width: 100%; white-space: pre;">
+                </textarea>
+                </fieldset>
+            </div>
+            <div class="modal-footer">
+                <button name="close" class="btn btn-default" data-dismiss="modal">Close</button>
+            </div>
+        </div>
+    </div>
+</div>
-- 
2.4.3


From ftweedal at redhat.com  Thu Jan  7 05:22:26 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Thu, 7 Jan 2016 15:22:26 +1000
Subject: [Pki-devel] [PATCH] 0065 Profile service: respond 409 on
	conflicting operations
Message-ID: <20160107052225.GO31821@dhcp-40-8.bne.redhat.com>

Please review attached patch which fixes:
https://bugzilla.redhat.com/show_bug.cgi?id=1257518

Cheers,
Fraser
-------------- next part --------------
From 7f130751766da5b7f5ee1dca634020b17e09ca53 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Thu, 7 Jan 2016 16:11:01 +1100
Subject: [PATCH] Profile service: respond 409 on conflicting operations

The REST profile service current responds 400 on conflicting
operations, indicating that the client sent a bad request when this
not the case.  Respond with 409 Conflict instead.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1257518
---
 .../src/org/dogtagpki/server/ca/rest/ProfileService.java  | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java
index 488dd5ab960fd45fa3dad0dd83398b4317f2cb4f..2bc7904a7d803c5df61daf5bd7478063f0b48838 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java
@@ -46,6 +46,7 @@ import org.jboss.resteasy.plugins.providers.atom.Link;
 
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.BadRequestException;
+import com.netscape.certsrv.base.ConflictingOperationException;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.base.PKIException;
@@ -415,7 +416,7 @@ public class ProfileService extends PKIService implements ProfileResource {
         switch (action) {
         case "enable":
             if (ps.isProfileEnable(profileId)) {
-                throw new BadRequestException("Profile already enabled");
+                throw new ConflictingOperationException("Profile already enabled");
             }
             try {
                 ps.enableProfile(profileId, principal.getName());
@@ -429,7 +430,7 @@ public class ProfileService extends PKIService implements ProfileResource {
             break;
         case "disable":
             if (!ps.isProfileEnable(profileId)) {
-                throw new BadRequestException("Profile already disabled");
+                throw new ConflictingOperationException("Profile already disabled");
             }
             String userid = principal.getName();
             try {
@@ -479,7 +480,7 @@ public class ProfileService extends PKIService implements ProfileResource {
         try {
             profile = ps.getProfile(profileId);
             if (profile != null) {
-                throw new BadRequestException("Profile already exists");
+                throw new ConflictingOperationException("Profile already exists");
             }
 
             auditParams.put("class_id", data.getClassId());
@@ -578,7 +579,7 @@ public class ProfileService extends PKIService implements ProfileResource {
 
             IProfile profile = ps.getProfile(profileId);
             if (profile != null) {
-                throw new BadRequestException("Profile already exists");
+                throw new ConflictingOperationException("Profile already exists");
             }
 
             auditParams.put("class_id", classId);
@@ -686,7 +687,7 @@ public class ProfileService extends PKIService implements ProfileResource {
         }
 
         if (ps.isProfileEnable(profileId)) {
-            throw new BadRequestException("Cannot change profile data.  Profile must be disabled");
+            throw new ConflictingOperationException("Cannot change profile data.  Profile must be disabled");
         }
 
         // First read the data into a Properties to process escaped
@@ -757,7 +758,7 @@ public class ProfileService extends PKIService implements ProfileResource {
             throw new PKIException("Error changing profile data. Profile not available.");
         }
         if (ps.isProfileEnable(profileId)) {
-            throw new BadRequestException("Cannot change profile data.  Profile must be disabled");
+            throw new ConflictingOperationException("Cannot change profile data.  Profile must be disabled");
         }
 
         Map<String, String> auditParams = new LinkedHashMap<String, String>();
@@ -1173,7 +1174,7 @@ public class ProfileService extends PKIService implements ProfileResource {
                         ILogger.FAILURE,
                         null);
 
-                throw new BadRequestException("Cannot delete profile `" + profileId +
+                throw new ConflictingOperationException("Cannot delete profile `" + profileId +
                         "`.  Profile must be disabled first.");
             }
 
-- 
2.5.0


From alee at redhat.com  Thu Jan  7 20:00:01 2016
From: alee at redhat.com (Ade Lee)
Date: Thu, 07 Jan 2016 15:00:01 -0500
Subject: [Pki-devel] [PATCH 0042] Fix escaping of password fields to
 prevent interpolation
In-Reply-To: <5652F3FC.7040200@redhat.com>
References: <5652F370.8090606@redhat.com> <5652F3FC.7040200@redhat.com>
Message-ID: <1452196801.3157.17.camel@redhat.com>

ACK.

On Mon, 2015-11-23 at 12:09 +0100, Christian Heimes wrote:
> On 2015-11-23 12:07, Christian Heimes wrote:
> > Some password and pin fields are missing from the no_interpolation
> > list.
> > One entry is misspelled. A '%' in password field such as
> > pki_clone_pkcs12_password causes an installation error.
> > 
> > https://fedorahosted.org/pki/ticket/1703
> > https://bugzilla.redhat.com/show_bug.cgi?id=1283631
> 
> And here is the patch file.
> 
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel



From edewata at redhat.com  Fri Jan  8 19:00:47 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 8 Jan 2016 13:00:47 -0600
Subject: [Pki-devel] [PATCH] 662 Fixed external CA case for IPA
 compatibility.
In-Reply-To: <56749722.4040408@redhat.com>
References: <56749722.4040408@redhat.com>
Message-ID: <5690075F.3040800@redhat.com>

On 12/18/2015 5:30 PM, Endi Sukma Dewata wrote:
> The installation code for external CA case has been fixed such
> that IPA can detect step 1 completion properly.
>
> The code that handles certificate data conversion has been fixed
> to reformat base-64 data for PEM output properly.
>
> The installation summary for step 1 has been updated to provide
> more accurate information.
>
> https://fedorahosted.org/pki/ticket/456

ACKed by mharmsen. Thanks!
It's pushed to master, I'll rebase it against relevant branches.

-- 
Endi S. Dewata



From edewata at redhat.com  Fri Jan  8 22:00:57 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 8 Jan 2016 16:00:57 -0600
Subject: [Pki-devel] [PATCH] 663 Fixed mismatching certificate validity
 calculation.
In-Reply-To: <567714FD.80209@redhat.com>
References: <567714FD.80209@redhat.com>
Message-ID: <56903199.5030102@redhat.com>

On 12/20/2015 2:52 PM, Endi Sukma Dewata wrote:
> The CAValidityDefault has been modified to use Calendar API to
> calculate the certificate validity range to be consistent with
> the ValidityConstraint and ValidityDefault.
>
> https://fedorahosted.org/pki/ticket/1682

Fixed the config descriptor for range unit to show all possible values. 
ACKed by jmagne (thanks!). Pushed to master.

-- 
Endi S. Dewata



From ftweedal at redhat.com  Mon Jan 11 04:11:23 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Mon, 11 Jan 2016 14:11:23 +1000
Subject: [Pki-devel] [PATCH] 666 Updated CLI to run individual selftests.
In-Reply-To: <568B1497.2000302@redhat.com>
References: <568B1497.2000302@redhat.com>
Message-ID: <20160111041123.GF31821@dhcp-40-8.bne.redhat.com>

On Mon, Jan 04, 2016 at 06:55:51PM -0600, Endi Sukma Dewata wrote:
> The pki selftest-run command has been modified to execute the
> specified selftests, or all selftests if nothing is specified.
> The command will also display the status of each test and the
> stack trace if it fails.
> 
> https://fedorahosted.org/pki/ticket/1502
> 
> -- 
> Endi S. Dewata
>
ACK



From ftweedal at redhat.com  Mon Jan 11 04:13:22 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Mon, 11 Jan 2016 14:13:22 +1000
Subject: [Pki-devel] [PATCH] 667 Added interface to run selftest in TPS
 UI.
In-Reply-To: <568D4A37.1020407@redhat.com>
References: <568D4A37.1020407@redhat.com>
Message-ID: <20160111041322.GG31821@dhcp-40-8.bne.redhat.com>

On Wed, Jan 06, 2016 at 11:09:11AM -0600, Endi Sukma Dewata wrote:
> The TPS UI has been modified to provide an interface to run the
> selftests and display the results.
> 
> https://fedorahosted.org/pki/ticket/1502
> 
> -- 
> Endi S. Dewata
>
ACK



From ftweedal at redhat.com  Mon Jan 11 06:28:30 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Mon, 11 Jan 2016 16:28:30 +1000
Subject: [Pki-devel] [PATCH] 664 Fixed TPS UI to display accessible
 services only.
In-Reply-To: <5679BE2D.9050708@redhat.com>
References: <5679BE2D.9050708@redhat.com>
Message-ID: <20160111062830.GJ31821@dhcp-40-8.bne.redhat.com>

On Tue, Dec 22, 2015 at 03:18:37PM -0600, Endi Sukma Dewata wrote:
> The TPS UI has been modified to display the accessible services
> based on the user's roles. A TPS admin has access to all services.
> A TPS agent has access to tokens, certificates, activities, and
> profiles. A TPS operator has access to tokens, certificates, and
> activities only.
> 
> https://fedorahosted.org/pki/ticket/1476
> 
> -- 
> Endi S. Dewata
>
ACK



From ftweedal at redhat.com  Mon Jan 11 10:50:36 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Mon, 11 Jan 2016 20:50:36 +1000
Subject: [Pki-devel] [PATCH] 0066 Remove unused TOKEN_AUTHMGR_IMPL_NAME
 AuthToken attribute
Message-ID: <20160111105035.GM31821@dhcp-40-8.bne.redhat.com>

Drive-by cleanup; patch attached.

Cheers,
Fraser
-------------- next part --------------
From 55f82ee1cbd3cc2653243c706c4dc857ec90a0a7 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Tue, 22 Dec 2015 12:43:34 +1100
Subject: [PATCH] Remove unused TOKEN_AUTHMGR_IMPL_NAME AuthToken attribute

---
 .../netscape/certsrv/authentication/AuthToken.java    | 19 -------------------
 1 file changed, 19 deletions(-)

diff --git a/base/common/src/com/netscape/certsrv/authentication/AuthToken.java b/base/common/src/com/netscape/certsrv/authentication/AuthToken.java
index c44ed76681021afd6d8f2dd7cb3996beb4e73a8f..0febf87727d2ebde9dbcacbd5059f9b9afa13701 100644
--- a/base/common/src/com/netscape/certsrv/authentication/AuthToken.java
+++ b/base/common/src/com/netscape/certsrv/authentication/AuthToken.java
@@ -75,12 +75,6 @@ public class AuthToken implements IAuthToken {
     public static final String TOKEN_CERT_TO_REVOKE = "tokenCertToRevoke";
 
     /**
-     * Plugin name of the authentication manager that created the
-     * AuthToken as a string.
-     */
-    public static final String TOKEN_AUTHMGR_IMPL_NAME = "authMgrImplName";
-
-    /**
      * Name of the authentication manager that created the AuthToken
      * as a string.
      */
@@ -97,7 +91,6 @@ public class AuthToken implements IAuthToken {
      *
      * <pre>
      * 	"authMgrInstName" - The authentication manager instance name.
-     * 	"authMgrImplName" - The authentication manager plugin name.
      * 	"authTime" - The - The time of authentication.
      * </pre>
      *
@@ -107,7 +100,6 @@ public class AuthToken implements IAuthToken {
         mAttrs = new Hashtable<String, Object>();
         if (authMgr != null) {
             set(TOKEN_AUTHMGR_INST_NAME, authMgr.getName());
-            set(TOKEN_AUTHMGR_IMPL_NAME, authMgr.getImplName());
         }
         set(TOKEN_AUTHTIME, new Date());
     }
@@ -419,17 +411,6 @@ public class AuthToken implements IAuthToken {
     }
 
     /**
-     * Gets the plugin name of the authentication manager that created this
-     * token.
-     *
-     * @return The plugin name of the authentication manager that created this
-     *         token.
-     */
-    public String getAuthManagerImplName() {
-        return ((String) mAttrs.get(TOKEN_AUTHMGR_IMPL_NAME));
-    }
-
-    /**
      * Gets the time of authentication.
      *
      * @return The time of authentication
-- 
2.5.0


From ftweedal at redhat.com  Mon Jan 11 12:05:28 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Mon, 11 Jan 2016 22:05:28 +1000
Subject: [Pki-devel] [PATCH] [WIP] Add external authentication support
Message-ID: <20160111120528.GN31821@dhcp-40-8.bne.redhat.com>

Hi all,

GSS-API authentication support is in progress.  The approach is
detailed in the design proposal[1], which is not complete.

The attached patch is provided for early review of the approach and
implementation.  It should not break existing behaviour for existing
authentication methods, but is not yet fully usable for externally
authenticated principals.

Some brief implementation notes:

- `ExternalAuthToken' class wraps an externally authenticated
  principal in order to provide reasonable values for common
  AuthToken attributes.  Many attributes are not yet implemented,
  and some never will be (i.e. some call sites may need to weaken
  their assumptions).

- There are ~9 explicit casts of principal from abstract `Principal'
  to `PKIPrincpial'; these sites need to be checked and probably
  updated in most cases, because (principal instanceof PKIPrincipal)
  is no longer a valid assumption.  Some are definitely broken.

- `AuthMethodInterceptor' currently treats all external
  authentication methods the same, allowing allowing access.  If
  needed, different external authn methods can be distinguished,
  allowing different access rules for different external authn
  methods.

- This patch does not configure the second tomcat AJP `Connector'
  required.  Also, the `Connector' needs to be "locked down" to a
  only allow traffic from the Apache frontend.  I need to confirm
  how to do this and clearly document it.

Regarding the design document, there is a lot more to come re:
authorization, especially for user-created objects such as secrets
in KRA.
-------------- next part --------------
From df1a7676c443e67328add77fea6b764ef5d211fa Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Tue, 22 Dec 2015 18:49:08 +1100
Subject: [PATCH] Add external authentication support

---
 .classpath                                         |   2 +
 base/ca/tomcat8/conf/Catalina/localhost/ca.xml     |   2 +
 .../certsrv/authentication/ExternalAuthToken.java  | 139 +++++++++++++++++++++
 .../org/dogtagpki/server/rest/ACLInterceptor.java  |  16 +--
 .../org/dogtagpki/server/rest/AccountService.java  |   5 +-
 .../server/rest/AuthMethodInterceptor.java         |  29 +++--
 .../server/rest/SessionContextInterceptor.java     |  30 ++---
 base/server/tomcat/src/CMakeLists.txt              |   8 ++
 .../cms/tomcat/ExternalAuthenticationValve.java    |  75 +++++++++++
 9 files changed, 264 insertions(+), 42 deletions(-)
 create mode 100644 base/common/src/com/netscape/certsrv/authentication/ExternalAuthToken.java
 create mode 100644 base/server/tomcat/src/com/netscape/cms/tomcat/ExternalAuthenticationValve.java

diff --git a/.classpath b/.classpath
index 9fd5144bf32f3a4af6b6992f7b5027ef55d9f2df..2cac0dedce4376283783067312981998fbfad4a9 100644
--- a/.classpath
+++ b/.classpath
@@ -54,7 +54,9 @@
 	<classpathentry kind="lib" path="/usr/share/java/apache-commons-lang.jar"/>
 	<classpathentry kind="lib" path="/usr/share/java/resteasy/resteasy-atom-provider.jar"/>
 	<classpathentry kind="lib" path="/usr/share/java/tomcat/catalina.jar"/>
+	<classpathentry kind="lib" path="/usr/share/java/tomcat/tomcat-coyote.jar"/>
 	<classpathentry kind="lib" path="/usr/share/java/tomcat/tomcat-util.jar"/>
+	<classpathentry kind="lib" path="/usr/share/java/tomcat/tomcat-util-scan.jar"/>
 	<classpathentry kind="lib" path="/usr/share/java/commons-io.jar"/>
 	<classpathentry kind="lib" path="/usr/lib/java/nuxwdog.jar"/>
 	<classpathentry kind="lib" path="/usr/lib/java/jss4.jar"/>
diff --git a/base/ca/tomcat8/conf/Catalina/localhost/ca.xml b/base/ca/tomcat8/conf/Catalina/localhost/ca.xml
index 46f270817a58282b950b75a15bb3bd052f178f0c..0268bc17e055b98198a9a44275319e77217c87fd 100644
--- a/base/ca/tomcat8/conf/Catalina/localhost/ca.xml
+++ b/base/ca/tomcat8/conf/Catalina/localhost/ca.xml
@@ -27,6 +27,8 @@
     <Manager
         secureRandomProvider="Mozilla-JSS" secureRandomAlgorithm="pkcs11prng"/>
 
+    <Valve className="com.netscape.cms.tomcat.ExternalAuthenticationValve" />
+
     <Valve className="com.netscape.cms.tomcat.SSLAuthenticatorWithFallback"
         alwaysUseSession="true"
         secureRandomProvider="Mozilla-JSS"
diff --git a/base/common/src/com/netscape/certsrv/authentication/ExternalAuthToken.java b/base/common/src/com/netscape/certsrv/authentication/ExternalAuthToken.java
new file mode 100644
index 0000000000000000000000000000000000000000..fff10e6a08dacbf8d6bb50bf65dff0eb2042e488
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/authentication/ExternalAuthToken.java
@@ -0,0 +1,139 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2015 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package com.netscape.certsrv.authentication;
+
+import java.math.BigInteger;
+import java.util.Date;
+import java.util.Enumeration;
+
+import org.apache.catalina.realm.GenericPrincipal;
+
+import netscape.security.x509.CertificateExtensions;
+import netscape.security.x509.X509CertImpl;
+
+import com.netscape.certsrv.usrgrp.Certificates;
+
+
+/**
+ * Authentication token that wraps an externally authenticated
+ * principal to return.
+ */
+public class ExternalAuthToken implements IAuthToken {
+
+    protected GenericPrincipal principal;
+
+    public ExternalAuthToken(GenericPrincipal principal) {
+        this.principal = principal;
+    }
+
+    public Enumeration<String> getElements() {
+        return null;
+    }
+
+    public Object get(String k) {
+        return null;
+    }
+
+    public boolean set(String k, String v) {
+        return false;
+    }
+
+    public String getInString(String k) {
+        if (k != null
+                && (k.equals(IAuthToken.USER_ID) || k.equals(IAuthToken.UID)))
+            return principal.getName();
+        else
+            return null;
+    }
+
+    public boolean set(String k, byte[] v) {
+        return false;
+    }
+
+    public byte[] getInByteArray(String k) {
+        return null;
+    }
+
+    public boolean set(String k, Integer v) {
+        return false;
+    }
+
+    public Integer getInInteger(String k) {
+        return null;
+    }
+
+    public boolean set(String k, BigInteger[] v) {
+        return false;
+    }
+
+    public BigInteger[] getInBigIntegerArray(String k) {
+        return null;
+    }
+
+    public boolean set(String k, Date v) {
+        return false;
+    }
+
+    public Date getInDate(String k) {
+        return null;
+    }
+
+    public boolean set(String k, String[] v) {
+        return false;
+    }
+
+    public String[] getInStringArray(String k) {
+        if (k != null && k.equals(IAuthToken.GROUPS))
+            return principal.getRoles();
+        else
+            return null;
+    }
+
+    public boolean set(String k, X509CertImpl v) {
+        return false;
+    }
+
+    public X509CertImpl getInCert(String k) {
+        return null;
+    }
+
+    public boolean set(String k, CertificateExtensions v) {
+        return false;
+    }
+
+    public CertificateExtensions getInCertExts(String k) {
+        return null;
+    }
+
+    public boolean set(String k, Certificates v) {
+        return false;
+    }
+
+    public Certificates getInCertificates(String k) {
+        return null;
+    }
+
+    public boolean set(String k, byte[][] v) {
+        return false;
+    }
+
+    public byte[][] getInByteArrayArray(String k) {
+        return null;
+    }
+}
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java b/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java
index 49001168130831bbb002711120891195b5d54ba5..3a76a5c793f4c8ba346c3979cee86fe7a75a7d7a 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java
@@ -31,11 +31,13 @@ import javax.ws.rs.core.Context;
 import javax.ws.rs.core.SecurityContext;
 import javax.ws.rs.ext.Provider;
 
+import org.apache.catalina.realm.GenericPrincipal;
 import org.jboss.resteasy.core.ResourceMethodInvoker;
 import org.jboss.resteasy.spi.Failure;
 
 import com.netscape.certsrv.acls.ACLMapping;
 import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.authentication.ExternalAuthToken;
 import com.netscape.certsrv.authentication.IAuthToken;
 import com.netscape.certsrv.authorization.AuthzToken;
 import com.netscape.certsrv.authorization.EAuthzAccessDenied;
@@ -140,18 +142,12 @@ public class ACLInterceptor implements ContainerRequestFilter {
         if (principal != null)
             CMS.debug("ACLInterceptor: principal: " + principal.getName());
 
-        // If unrecognized principal, reject request.
-        if (principal != null && !(principal instanceof PKIPrincipal)) {
-            CMS.debug("ACLInterceptor: Invalid user principal.");
-            // audit comment: no Principal, no one to blame here
-            throw new ForbiddenException("Invalid user principal.");
-        }
-
-        PKIPrincipal pkiPrincipal = null;
         IAuthToken authToken = null;
         if (principal != null) {
-            pkiPrincipal = (PKIPrincipal) principal;
-            authToken = pkiPrincipal.getAuthToken();
+            if (principal instanceof PKIPrincipal)
+                authToken = ((PKIPrincipal) principal).getAuthToken();
+            else if (principal instanceof GenericPrincipal)
+                authToken = new ExternalAuthToken((GenericPrincipal) principal);
         }
 
         // If missing auth token, reject request.
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/AccountService.java b/base/server/cms/src/org/dogtagpki/server/rest/AccountService.java
index 4e8e6e6f89fc065e2ad0c5fa616165de929142db..827e99e076585d0732bfde8ae795d6ae63648d5f 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/AccountService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/AccountService.java
@@ -29,6 +29,7 @@ import javax.ws.rs.core.Request;
 import javax.ws.rs.core.Response;
 import javax.ws.rs.core.UriInfo;
 
+import org.apache.catalina.realm.GenericPrincipal;
 import org.apache.commons.lang.StringUtils;
 
 import com.netscape.certsrv.account.AccountInfo;
@@ -75,8 +76,10 @@ public class AccountService extends PKIService implements AccountResource {
 
             String email = user.getEmail();
             if (!StringUtils.isEmpty(email)) response.setEmail(email);
+        }
 
-            String[] roles = pkiPrincipal.getRoles();
+        if (principal instanceof GenericPrincipal) {
+            String[] roles = ((GenericPrincipal) principal).getRoles();
             response.setRoles(Arrays.asList(roles));
         }
 
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/AuthMethodInterceptor.java b/base/server/cms/src/org/dogtagpki/server/rest/AuthMethodInterceptor.java
index ac0b2518cdc42528b7c0e94153f2b02777c26785..2a81813fad282ee943ea9eaae43291eb1397c686 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/AuthMethodInterceptor.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/AuthMethodInterceptor.java
@@ -139,22 +139,20 @@ public class AuthMethodInterceptor implements ContainerRequestFilter {
                 throw new ForbiddenException("Anonymous access not allowed.");
             }
 
-            // If unrecognized principal, reject request.
-            if (!(principal instanceof PKIPrincipal)) {
-                CMS.debug("AuthMethodInterceptor: unknown principal");
-                throw new ForbiddenException("Unknown user principal");
-            }
+            String authManager = "external";
+            if (principal instanceof PKIPrincipal) {
+                PKIPrincipal pkiPrincipal = (PKIPrincipal) principal;
+                IAuthToken authToken = pkiPrincipal.getAuthToken();
 
-            PKIPrincipal pkiPrincipal = (PKIPrincipal) principal;
-            IAuthToken authToken = pkiPrincipal.getAuthToken();
+                // If missing auth token, reject request.
+                if (authToken == null) {
+                    CMS.debug("AuthMethodInterceptor: missing authentication token");
+                    throw new ForbiddenException("Missing authentication token.");
+                }
 
-            // If missing auth token, reject request.
-            if (authToken == null) {
-                CMS.debug("AuthMethodInterceptor: missing authentication token");
-                throw new ForbiddenException("Missing authentication token.");
+                authManager = (String) authToken.get(AuthToken.TOKEN_AUTHMGR_INST_NAME);
             }
 
-            String authManager = (String) authToken.get(AuthToken.TOKEN_AUTHMGR_INST_NAME);
             CMS.debug("AuthMethodInterceptor: authentication manager: " + authManager);
 
             if (authManager == null) {
@@ -162,7 +160,12 @@ public class AuthMethodInterceptor implements ContainerRequestFilter {
                 throw new ForbiddenException("Missing authentication manager.");
             }
 
-            if (authMethods.isEmpty() || authMethods.contains(authManager) || authMethods.contains("*")) {
+            if (
+                authMethods.isEmpty()
+                || authManager.equals("external")
+                || authMethods.contains(authManager)
+                || authMethods.contains("*")
+            ) {
                 CMS.debug("AuthMethodInterceptor: access granted");
                 return;
             }
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SessionContextInterceptor.java b/base/server/cms/src/org/dogtagpki/server/rest/SessionContextInterceptor.java
index b6461abfdee36ea4eeba4d07da815482b02712ba..e8def14d9d77f046ef1dd52dd5ceacf0041ed543 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/SessionContextInterceptor.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SessionContextInterceptor.java
@@ -29,9 +29,11 @@ import javax.ws.rs.core.Context;
 import javax.ws.rs.core.SecurityContext;
 import javax.ws.rs.ext.Provider;
 
+import org.apache.catalina.realm.GenericPrincipal;
 import org.jboss.resteasy.core.ResourceMethodInvoker;
 
 import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.authentication.ExternalAuthToken;
 import com.netscape.certsrv.authentication.IAuthToken;
 import com.netscape.certsrv.base.ForbiddenException;
 import com.netscape.certsrv.base.SessionContext;
@@ -80,21 +82,6 @@ public class SessionContextInterceptor implements ContainerRequestFilter {
 
         CMS.debug("SessionContextInterceptor: principal: " + principal.getName());
 
-        // If unrecognized principal, reject request.
-        if (!(principal instanceof PKIPrincipal)) {
-            CMS.debug("SessionContextInterceptor: Invalid user principal.");
-            throw new ForbiddenException("Invalid user principal.");
-        }
-
-        PKIPrincipal pkiPrincipal = (PKIPrincipal) principal;
-        IAuthToken authToken = pkiPrincipal.getAuthToken();
-
-        // If missing auth token, reject request.
-        if (authToken == null) {
-            CMS.debug("SessionContextInterceptor: No authorization token present.");
-            throw new ForbiddenException("No authorization token present.");
-        }
-
         SessionContext context = SessionContext.getContext();
 
         String ip = servletRequest.getRemoteAddr();
@@ -103,8 +90,15 @@ public class SessionContextInterceptor implements ContainerRequestFilter {
         Locale locale = getLocale(servletRequest);
         context.put(SessionContext.LOCALE, locale);
 
-        context.put(SessionContext.AUTH_TOKEN, authToken);
-        context.put(SessionContext.USER_ID, pkiPrincipal.getName());
-        context.put(SessionContext.USER, pkiPrincipal.getUser());
+        context.put(SessionContext.USER_ID, principal.getName());
+
+        if (principal instanceof PKIPrincipal) {
+            PKIPrincipal pkiPrincipal = (PKIPrincipal) principal;
+            context.put(SessionContext.AUTH_TOKEN, pkiPrincipal.getAuthToken());
+            context.put(SessionContext.USER, pkiPrincipal.getUser());
+        } else if (principal instanceof GenericPrincipal) {
+            context.put(SessionContext.AUTH_TOKEN,
+                    new ExternalAuthToken((GenericPrincipal) principal));
+        }
     }
 }
diff --git a/base/server/tomcat/src/CMakeLists.txt b/base/server/tomcat/src/CMakeLists.txt
index 669cc8883043062119afdb5b55db28828d09e92f..2e3658f4b12cdbc4515b0532c3c20b5c0194e84e 100644
--- a/base/server/tomcat/src/CMakeLists.txt
+++ b/base/server/tomcat/src/CMakeLists.txt
@@ -133,6 +133,13 @@ find_file(NUXWDOG_JAR
         /usr/share/java
 )
 
+find_file(TOMCAT_COYOTE_JAR
+    NAMES
+        tomcat-coyote.jar
+    PATHS
+        /usr/share/java/tomcat
+)
+
 # build pki-tomcat
 javac(pki-tomcat-classes
     SOURCES
@@ -140,6 +147,7 @@ javac(pki-tomcat-classes
     CLASSPATH
         ${SERVLET_JAR} ${TOMCAT_CATALINA_JAR} ${TOMCAT_UTIL_SCAN_JAR}
 		${NUXWDOG_JAR} ${APACHE_COMMONS_LANG_JAR} ${TOMCATJSS_JAR}
+		${TOMCAT_COYOTE_JAR}
     OUTPUT_DIR
         ${CMAKE_BINARY_DIR}/../../tomcat
 )
diff --git a/base/server/tomcat/src/com/netscape/cms/tomcat/ExternalAuthenticationValve.java b/base/server/tomcat/src/com/netscape/cms/tomcat/ExternalAuthenticationValve.java
new file mode 100644
index 0000000000000000000000000000000000000000..92cec5d301803be63dfb305b12aaca7985f6fc83
--- /dev/null
+++ b/base/server/tomcat/src/com/netscape/cms/tomcat/ExternalAuthenticationValve.java
@@ -0,0 +1,75 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2015 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package com.netscape.cms.tomcat;
+
+import java.io.IOException;
+import java.security.Principal;
+import java.util.ArrayList;
+import javax.servlet.ServletException;
+
+import org.apache.catalina.connector.Request;
+import org.apache.catalina.connector.Response;
+import org.apache.catalina.realm.GenericPrincipal;
+import org.apache.catalina.valves.ValveBase;
+
+public class ExternalAuthenticationValve extends ValveBase {
+
+    public void invoke(Request req, Response resp)
+            throws IOException, ServletException {
+        System.out.println("ExternalAuthenticationValve; authType: "
+                + req.getAuthType());
+        System.out.println("ExternalAuthenticationValve; principal: "
+                + req.getUserPrincipal());
+        System.out.println(req.getCoyoteRequest().getAttributes().toString());
+
+        org.apache.coyote.Request coyoteReq = req.getCoyoteRequest();
+        Principal oldPrincipal = req.getUserPrincipal();
+
+        if (oldPrincipal != null) {
+            Integer numGroups = 0;
+            String numGroupsStr = (String)
+                coyoteReq.getAttribute("REMOTE_USER_GROUP_N");
+            if (numGroupsStr != null) {
+                try {
+                    numGroups = new Integer(numGroupsStr);
+                } catch (NumberFormatException e) {
+                    System.out.println("ExternalAuthenticationValve: invalid REMOTE_USER_GROUP_N value: " + e);
+                }
+            }
+
+            ArrayList<String> groups = new ArrayList<>();
+            for (int i = 1; i <= numGroups; i++) {
+                String k = "REMOTE_USER_GROUP_" + i;
+                String s = (String) coyoteReq.getAttribute(k);
+                if (s != null && !s.isEmpty())
+                    groups.add(s);
+                else
+                    System.out.println("ExternalAuthenticationValve: missing or empty attribute: " + k);
+            }
+
+            GenericPrincipal newPrincipal =
+                new GenericPrincipal(oldPrincipal.getName(), null, groups);
+
+            System.out.println("ExternalAuthenticationValve: setting new principal: " + newPrincipal);
+            req.setUserPrincipal(newPrincipal);
+        }
+
+        getNext().invoke(req, resp);
+    }
+}
-- 
2.5.0


From edewata at redhat.com  Mon Jan 11 19:11:24 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 11 Jan 2016 13:11:24 -0600
Subject: [Pki-devel] [PATCH] 0055 Allow encoded slashes in HTTP paths
In-Reply-To: <20151105052223.GC20018@dhcp-40-8.bne.redhat.com>
References: <20151105052223.GC20018@dhcp-40-8.bne.redhat.com>
Message-ID: <5693FE5C.8020806@redhat.com>

On 11/4/2015 11:22 PM, Fraser Tweedale wrote:
> The attached patch fixes GET-based OCSP requests,
> https://fedorahosted.org/pki/ticket/1658
>
> Cheers,
> Fraser

Some comments:

1. The ALLOW_ENCODED_SLASH parameter will fix the problem, but there's a 
security concern:

http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html

The org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH and 
org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH system 
properties allow non-standard parsing of the request URI. Using these 
options when behind a reverse proxy may enable an attacker to bypass any 
security constraints enforced by the proxy.

However, since we are not dependent on a proxy to protect PKI pages in 
Tomcat (we have our own ACL in PKI) I suppose this is not an issue, 
unless anybody else has a concern.

2. I think the catalina.properties that needs to be modified is in 
base/server/share/conf. The others are duplicates that should've been 
removed.

3. During deployment the catalina.properties is copied into <instance 
dir>/conf. So if we want to fix existing instances we need to write an 
upgrade script.

-- 
Endi S. Dewata



From ftweedal at redhat.com  Mon Jan 11 23:07:04 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Tue, 12 Jan 2016 09:07:04 +1000
Subject: [Pki-devel] [PATCH] [WIP] Add external authentication support
In-Reply-To: <20160111120528.GN31821@dhcp-40-8.bne.redhat.com>
References: <20160111120528.GN31821@dhcp-40-8.bne.redhat.com>
Message-ID: <20160111230704.GO31821@dhcp-40-8.bne.redhat.com>

On Mon, Jan 11, 2016 at 10:05:28PM +1000, Fraser Tweedale wrote:
> Hi all,
> 
> GSS-API authentication support is in progress.  The approach is
> detailed in the design proposal[1], which is not complete.
> 
Now with link!

[1] https://pagure.io/test_dogtag_designs/pull-request/8

> The attached patch is provided for early review of the approach and
> implementation.  It should not break existing behaviour for existing
> authentication methods, but is not yet fully usable for externally
> authenticated principals.
> 
> Some brief implementation notes:
> 
> - `ExternalAuthToken' class wraps an externally authenticated
>   principal in order to provide reasonable values for common
>   AuthToken attributes.  Many attributes are not yet implemented,
>   and some never will be (i.e. some call sites may need to weaken
>   their assumptions).
> 
> - There are ~9 explicit casts of principal from abstract `Principal'
>   to `PKIPrincpial'; these sites need to be checked and probably
>   updated in most cases, because (principal instanceof PKIPrincipal)
>   is no longer a valid assumption.  Some are definitely broken.
> 
> - `AuthMethodInterceptor' currently treats all external
>   authentication methods the same, allowing allowing access.  If
>   needed, different external authn methods can be distinguished,
>   allowing different access rules for different external authn
>   methods.
> 
> - This patch does not configure the second tomcat AJP `Connector'
>   required.  Also, the `Connector' needs to be "locked down" to a
>   only allow traffic from the Apache frontend.  I need to confirm
>   how to do this and clearly document it.
> 
> Regarding the design document, there is a lot more to come re:
> authorization, especially for user-created objects such as secrets
> in KRA.

> From df1a7676c443e67328add77fea6b764ef5d211fa Mon Sep 17 00:00:00 2001
> From: Fraser Tweedale <ftweedal at redhat.com>
> Date: Tue, 22 Dec 2015 18:49:08 +1100
> Subject: [PATCH] Add external authentication support
> 
> ---
>  .classpath                                         |   2 +
>  base/ca/tomcat8/conf/Catalina/localhost/ca.xml     |   2 +
>  .../certsrv/authentication/ExternalAuthToken.java  | 139 +++++++++++++++++++++
>  .../org/dogtagpki/server/rest/ACLInterceptor.java  |  16 +--
>  .../org/dogtagpki/server/rest/AccountService.java  |   5 +-
>  .../server/rest/AuthMethodInterceptor.java         |  29 +++--
>  .../server/rest/SessionContextInterceptor.java     |  30 ++---
>  base/server/tomcat/src/CMakeLists.txt              |   8 ++
>  .../cms/tomcat/ExternalAuthenticationValve.java    |  75 +++++++++++
>  9 files changed, 264 insertions(+), 42 deletions(-)
>  create mode 100644 base/common/src/com/netscape/certsrv/authentication/ExternalAuthToken.java
>  create mode 100644 base/server/tomcat/src/com/netscape/cms/tomcat/ExternalAuthenticationValve.java
> 
> diff --git a/.classpath b/.classpath
> index 9fd5144bf32f3a4af6b6992f7b5027ef55d9f2df..2cac0dedce4376283783067312981998fbfad4a9 100644
> --- a/.classpath
> +++ b/.classpath
> @@ -54,7 +54,9 @@
>  	<classpathentry kind="lib" path="/usr/share/java/apache-commons-lang.jar"/>
>  	<classpathentry kind="lib" path="/usr/share/java/resteasy/resteasy-atom-provider.jar"/>
>  	<classpathentry kind="lib" path="/usr/share/java/tomcat/catalina.jar"/>
> +	<classpathentry kind="lib" path="/usr/share/java/tomcat/tomcat-coyote.jar"/>
>  	<classpathentry kind="lib" path="/usr/share/java/tomcat/tomcat-util.jar"/>
> +	<classpathentry kind="lib" path="/usr/share/java/tomcat/tomcat-util-scan.jar"/>
>  	<classpathentry kind="lib" path="/usr/share/java/commons-io.jar"/>
>  	<classpathentry kind="lib" path="/usr/lib/java/nuxwdog.jar"/>
>  	<classpathentry kind="lib" path="/usr/lib/java/jss4.jar"/>
> diff --git a/base/ca/tomcat8/conf/Catalina/localhost/ca.xml b/base/ca/tomcat8/conf/Catalina/localhost/ca.xml
> index 46f270817a58282b950b75a15bb3bd052f178f0c..0268bc17e055b98198a9a44275319e77217c87fd 100644
> --- a/base/ca/tomcat8/conf/Catalina/localhost/ca.xml
> +++ b/base/ca/tomcat8/conf/Catalina/localhost/ca.xml
> @@ -27,6 +27,8 @@
>      <Manager
>          secureRandomProvider="Mozilla-JSS" secureRandomAlgorithm="pkcs11prng"/>
>  
> +    <Valve className="com.netscape.cms.tomcat.ExternalAuthenticationValve" />
> +
>      <Valve className="com.netscape.cms.tomcat.SSLAuthenticatorWithFallback"
>          alwaysUseSession="true"
>          secureRandomProvider="Mozilla-JSS"
> diff --git a/base/common/src/com/netscape/certsrv/authentication/ExternalAuthToken.java b/base/common/src/com/netscape/certsrv/authentication/ExternalAuthToken.java
> new file mode 100644
> index 0000000000000000000000000000000000000000..fff10e6a08dacbf8d6bb50bf65dff0eb2042e488
> --- /dev/null
> +++ b/base/common/src/com/netscape/certsrv/authentication/ExternalAuthToken.java
> @@ -0,0 +1,139 @@
> +// --- BEGIN COPYRIGHT BLOCK ---
> +// This program is free software; you can redistribute it and/or modify
> +// it under the terms of the GNU General Public License as published by
> +// the Free Software Foundation; version 2 of the License.
> +//
> +// This program is distributed in the hope that it will be useful,
> +// but WITHOUT ANY WARRANTY; without even the implied warranty of
> +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> +// GNU General Public License for more details.
> +//
> +// You should have received a copy of the GNU General Public License along
> +// with this program; if not, write to the Free Software Foundation, Inc.,
> +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
> +//
> +// (C) 2015 Red Hat, Inc.
> +// All rights reserved.
> +// --- END COPYRIGHT BLOCK ---
> +
> +package com.netscape.certsrv.authentication;
> +
> +import java.math.BigInteger;
> +import java.util.Date;
> +import java.util.Enumeration;
> +
> +import org.apache.catalina.realm.GenericPrincipal;
> +
> +import netscape.security.x509.CertificateExtensions;
> +import netscape.security.x509.X509CertImpl;
> +
> +import com.netscape.certsrv.usrgrp.Certificates;
> +
> +
> +/**
> + * Authentication token that wraps an externally authenticated
> + * principal to return.
> + */
> +public class ExternalAuthToken implements IAuthToken {
> +
> +    protected GenericPrincipal principal;
> +
> +    public ExternalAuthToken(GenericPrincipal principal) {
> +        this.principal = principal;
> +    }
> +
> +    public Enumeration<String> getElements() {
> +        return null;
> +    }
> +
> +    public Object get(String k) {
> +        return null;
> +    }
> +
> +    public boolean set(String k, String v) {
> +        return false;
> +    }
> +
> +    public String getInString(String k) {
> +        if (k != null
> +                && (k.equals(IAuthToken.USER_ID) || k.equals(IAuthToken.UID)))
> +            return principal.getName();
> +        else
> +            return null;
> +    }
> +
> +    public boolean set(String k, byte[] v) {
> +        return false;
> +    }
> +
> +    public byte[] getInByteArray(String k) {
> +        return null;
> +    }
> +
> +    public boolean set(String k, Integer v) {
> +        return false;
> +    }
> +
> +    public Integer getInInteger(String k) {
> +        return null;
> +    }
> +
> +    public boolean set(String k, BigInteger[] v) {
> +        return false;
> +    }
> +
> +    public BigInteger[] getInBigIntegerArray(String k) {
> +        return null;
> +    }
> +
> +    public boolean set(String k, Date v) {
> +        return false;
> +    }
> +
> +    public Date getInDate(String k) {
> +        return null;
> +    }
> +
> +    public boolean set(String k, String[] v) {
> +        return false;
> +    }
> +
> +    public String[] getInStringArray(String k) {
> +        if (k != null && k.equals(IAuthToken.GROUPS))
> +            return principal.getRoles();
> +        else
> +            return null;
> +    }
> +
> +    public boolean set(String k, X509CertImpl v) {
> +        return false;
> +    }
> +
> +    public X509CertImpl getInCert(String k) {
> +        return null;
> +    }
> +
> +    public boolean set(String k, CertificateExtensions v) {
> +        return false;
> +    }
> +
> +    public CertificateExtensions getInCertExts(String k) {
> +        return null;
> +    }
> +
> +    public boolean set(String k, Certificates v) {
> +        return false;
> +    }
> +
> +    public Certificates getInCertificates(String k) {
> +        return null;
> +    }
> +
> +    public boolean set(String k, byte[][] v) {
> +        return false;
> +    }
> +
> +    public byte[][] getInByteArrayArray(String k) {
> +        return null;
> +    }
> +}
> diff --git a/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java b/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java
> index 49001168130831bbb002711120891195b5d54ba5..3a76a5c793f4c8ba346c3979cee86fe7a75a7d7a 100644
> --- a/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java
> +++ b/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java
> @@ -31,11 +31,13 @@ import javax.ws.rs.core.Context;
>  import javax.ws.rs.core.SecurityContext;
>  import javax.ws.rs.ext.Provider;
>  
> +import org.apache.catalina.realm.GenericPrincipal;
>  import org.jboss.resteasy.core.ResourceMethodInvoker;
>  import org.jboss.resteasy.spi.Failure;
>  
>  import com.netscape.certsrv.acls.ACLMapping;
>  import com.netscape.certsrv.apps.CMS;
> +import com.netscape.certsrv.authentication.ExternalAuthToken;
>  import com.netscape.certsrv.authentication.IAuthToken;
>  import com.netscape.certsrv.authorization.AuthzToken;
>  import com.netscape.certsrv.authorization.EAuthzAccessDenied;
> @@ -140,18 +142,12 @@ public class ACLInterceptor implements ContainerRequestFilter {
>          if (principal != null)
>              CMS.debug("ACLInterceptor: principal: " + principal.getName());
>  
> -        // If unrecognized principal, reject request.
> -        if (principal != null && !(principal instanceof PKIPrincipal)) {
> -            CMS.debug("ACLInterceptor: Invalid user principal.");
> -            // audit comment: no Principal, no one to blame here
> -            throw new ForbiddenException("Invalid user principal.");
> -        }
> -
> -        PKIPrincipal pkiPrincipal = null;
>          IAuthToken authToken = null;
>          if (principal != null) {
> -            pkiPrincipal = (PKIPrincipal) principal;
> -            authToken = pkiPrincipal.getAuthToken();
> +            if (principal instanceof PKIPrincipal)
> +                authToken = ((PKIPrincipal) principal).getAuthToken();
> +            else if (principal instanceof GenericPrincipal)
> +                authToken = new ExternalAuthToken((GenericPrincipal) principal);
>          }
>  
>          // If missing auth token, reject request.
> diff --git a/base/server/cms/src/org/dogtagpki/server/rest/AccountService.java b/base/server/cms/src/org/dogtagpki/server/rest/AccountService.java
> index 4e8e6e6f89fc065e2ad0c5fa616165de929142db..827e99e076585d0732bfde8ae795d6ae63648d5f 100644
> --- a/base/server/cms/src/org/dogtagpki/server/rest/AccountService.java
> +++ b/base/server/cms/src/org/dogtagpki/server/rest/AccountService.java
> @@ -29,6 +29,7 @@ import javax.ws.rs.core.Request;
>  import javax.ws.rs.core.Response;
>  import javax.ws.rs.core.UriInfo;
>  
> +import org.apache.catalina.realm.GenericPrincipal;
>  import org.apache.commons.lang.StringUtils;
>  
>  import com.netscape.certsrv.account.AccountInfo;
> @@ -75,8 +76,10 @@ public class AccountService extends PKIService implements AccountResource {
>  
>              String email = user.getEmail();
>              if (!StringUtils.isEmpty(email)) response.setEmail(email);
> +        }
>  
> -            String[] roles = pkiPrincipal.getRoles();
> +        if (principal instanceof GenericPrincipal) {
> +            String[] roles = ((GenericPrincipal) principal).getRoles();
>              response.setRoles(Arrays.asList(roles));
>          }
>  
> diff --git a/base/server/cms/src/org/dogtagpki/server/rest/AuthMethodInterceptor.java b/base/server/cms/src/org/dogtagpki/server/rest/AuthMethodInterceptor.java
> index ac0b2518cdc42528b7c0e94153f2b02777c26785..2a81813fad282ee943ea9eaae43291eb1397c686 100644
> --- a/base/server/cms/src/org/dogtagpki/server/rest/AuthMethodInterceptor.java
> +++ b/base/server/cms/src/org/dogtagpki/server/rest/AuthMethodInterceptor.java
> @@ -139,22 +139,20 @@ public class AuthMethodInterceptor implements ContainerRequestFilter {
>                  throw new ForbiddenException("Anonymous access not allowed.");
>              }
>  
> -            // If unrecognized principal, reject request.
> -            if (!(principal instanceof PKIPrincipal)) {
> -                CMS.debug("AuthMethodInterceptor: unknown principal");
> -                throw new ForbiddenException("Unknown user principal");
> -            }
> +            String authManager = "external";
> +            if (principal instanceof PKIPrincipal) {
> +                PKIPrincipal pkiPrincipal = (PKIPrincipal) principal;
> +                IAuthToken authToken = pkiPrincipal.getAuthToken();
>  
> -            PKIPrincipal pkiPrincipal = (PKIPrincipal) principal;
> -            IAuthToken authToken = pkiPrincipal.getAuthToken();
> +                // If missing auth token, reject request.
> +                if (authToken == null) {
> +                    CMS.debug("AuthMethodInterceptor: missing authentication token");
> +                    throw new ForbiddenException("Missing authentication token.");
> +                }
>  
> -            // If missing auth token, reject request.
> -            if (authToken == null) {
> -                CMS.debug("AuthMethodInterceptor: missing authentication token");
> -                throw new ForbiddenException("Missing authentication token.");
> +                authManager = (String) authToken.get(AuthToken.TOKEN_AUTHMGR_INST_NAME);
>              }
>  
> -            String authManager = (String) authToken.get(AuthToken.TOKEN_AUTHMGR_INST_NAME);
>              CMS.debug("AuthMethodInterceptor: authentication manager: " + authManager);
>  
>              if (authManager == null) {
> @@ -162,7 +160,12 @@ public class AuthMethodInterceptor implements ContainerRequestFilter {
>                  throw new ForbiddenException("Missing authentication manager.");
>              }
>  
> -            if (authMethods.isEmpty() || authMethods.contains(authManager) || authMethods.contains("*")) {
> +            if (
> +                authMethods.isEmpty()
> +                || authManager.equals("external")
> +                || authMethods.contains(authManager)
> +                || authMethods.contains("*")
> +            ) {
>                  CMS.debug("AuthMethodInterceptor: access granted");
>                  return;
>              }
> diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SessionContextInterceptor.java b/base/server/cms/src/org/dogtagpki/server/rest/SessionContextInterceptor.java
> index b6461abfdee36ea4eeba4d07da815482b02712ba..e8def14d9d77f046ef1dd52dd5ceacf0041ed543 100644
> --- a/base/server/cms/src/org/dogtagpki/server/rest/SessionContextInterceptor.java
> +++ b/base/server/cms/src/org/dogtagpki/server/rest/SessionContextInterceptor.java
> @@ -29,9 +29,11 @@ import javax.ws.rs.core.Context;
>  import javax.ws.rs.core.SecurityContext;
>  import javax.ws.rs.ext.Provider;
>  
> +import org.apache.catalina.realm.GenericPrincipal;
>  import org.jboss.resteasy.core.ResourceMethodInvoker;
>  
>  import com.netscape.certsrv.apps.CMS;
> +import com.netscape.certsrv.authentication.ExternalAuthToken;
>  import com.netscape.certsrv.authentication.IAuthToken;
>  import com.netscape.certsrv.base.ForbiddenException;
>  import com.netscape.certsrv.base.SessionContext;
> @@ -80,21 +82,6 @@ public class SessionContextInterceptor implements ContainerRequestFilter {
>  
>          CMS.debug("SessionContextInterceptor: principal: " + principal.getName());
>  
> -        // If unrecognized principal, reject request.
> -        if (!(principal instanceof PKIPrincipal)) {
> -            CMS.debug("SessionContextInterceptor: Invalid user principal.");
> -            throw new ForbiddenException("Invalid user principal.");
> -        }
> -
> -        PKIPrincipal pkiPrincipal = (PKIPrincipal) principal;
> -        IAuthToken authToken = pkiPrincipal.getAuthToken();
> -
> -        // If missing auth token, reject request.
> -        if (authToken == null) {
> -            CMS.debug("SessionContextInterceptor: No authorization token present.");
> -            throw new ForbiddenException("No authorization token present.");
> -        }
> -
>          SessionContext context = SessionContext.getContext();
>  
>          String ip = servletRequest.getRemoteAddr();
> @@ -103,8 +90,15 @@ public class SessionContextInterceptor implements ContainerRequestFilter {
>          Locale locale = getLocale(servletRequest);
>          context.put(SessionContext.LOCALE, locale);
>  
> -        context.put(SessionContext.AUTH_TOKEN, authToken);
> -        context.put(SessionContext.USER_ID, pkiPrincipal.getName());
> -        context.put(SessionContext.USER, pkiPrincipal.getUser());
> +        context.put(SessionContext.USER_ID, principal.getName());
> +
> +        if (principal instanceof PKIPrincipal) {
> +            PKIPrincipal pkiPrincipal = (PKIPrincipal) principal;
> +            context.put(SessionContext.AUTH_TOKEN, pkiPrincipal.getAuthToken());
> +            context.put(SessionContext.USER, pkiPrincipal.getUser());
> +        } else if (principal instanceof GenericPrincipal) {
> +            context.put(SessionContext.AUTH_TOKEN,
> +                    new ExternalAuthToken((GenericPrincipal) principal));
> +        }
>      }
>  }
> diff --git a/base/server/tomcat/src/CMakeLists.txt b/base/server/tomcat/src/CMakeLists.txt
> index 669cc8883043062119afdb5b55db28828d09e92f..2e3658f4b12cdbc4515b0532c3c20b5c0194e84e 100644
> --- a/base/server/tomcat/src/CMakeLists.txt
> +++ b/base/server/tomcat/src/CMakeLists.txt
> @@ -133,6 +133,13 @@ find_file(NUXWDOG_JAR
>          /usr/share/java
>  )
>  
> +find_file(TOMCAT_COYOTE_JAR
> +    NAMES
> +        tomcat-coyote.jar
> +    PATHS
> +        /usr/share/java/tomcat
> +)
> +
>  # build pki-tomcat
>  javac(pki-tomcat-classes
>      SOURCES
> @@ -140,6 +147,7 @@ javac(pki-tomcat-classes
>      CLASSPATH
>          ${SERVLET_JAR} ${TOMCAT_CATALINA_JAR} ${TOMCAT_UTIL_SCAN_JAR}
>  		${NUXWDOG_JAR} ${APACHE_COMMONS_LANG_JAR} ${TOMCATJSS_JAR}
> +		${TOMCAT_COYOTE_JAR}
>      OUTPUT_DIR
>          ${CMAKE_BINARY_DIR}/../../tomcat
>  )
> diff --git a/base/server/tomcat/src/com/netscape/cms/tomcat/ExternalAuthenticationValve.java b/base/server/tomcat/src/com/netscape/cms/tomcat/ExternalAuthenticationValve.java
> new file mode 100644
> index 0000000000000000000000000000000000000000..92cec5d301803be63dfb305b12aaca7985f6fc83
> --- /dev/null
> +++ b/base/server/tomcat/src/com/netscape/cms/tomcat/ExternalAuthenticationValve.java
> @@ -0,0 +1,75 @@
> +// --- BEGIN COPYRIGHT BLOCK ---
> +// This program is free software; you can redistribute it and/or modify
> +// it under the terms of the GNU General Public License as published by
> +// the Free Software Foundation; version 2 of the License.
> +//
> +// This program is distributed in the hope that it will be useful,
> +// but WITHOUT ANY WARRANTY; without even the implied warranty of
> +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> +// GNU General Public License for more details.
> +//
> +// You should have received a copy of the GNU General Public License along
> +// with this program; if not, write to the Free Software Foundation, Inc.,
> +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
> +//
> +// (C) 2015 Red Hat, Inc.
> +// All rights reserved.
> +// --- END COPYRIGHT BLOCK ---
> +
> +package com.netscape.cms.tomcat;
> +
> +import java.io.IOException;
> +import java.security.Principal;
> +import java.util.ArrayList;
> +import javax.servlet.ServletException;
> +
> +import org.apache.catalina.connector.Request;
> +import org.apache.catalina.connector.Response;
> +import org.apache.catalina.realm.GenericPrincipal;
> +import org.apache.catalina.valves.ValveBase;
> +
> +public class ExternalAuthenticationValve extends ValveBase {
> +
> +    public void invoke(Request req, Response resp)
> +            throws IOException, ServletException {
> +        System.out.println("ExternalAuthenticationValve; authType: "
> +                + req.getAuthType());
> +        System.out.println("ExternalAuthenticationValve; principal: "
> +                + req.getUserPrincipal());
> +        System.out.println(req.getCoyoteRequest().getAttributes().toString());
> +
> +        org.apache.coyote.Request coyoteReq = req.getCoyoteRequest();
> +        Principal oldPrincipal = req.getUserPrincipal();
> +
> +        if (oldPrincipal != null) {
> +            Integer numGroups = 0;
> +            String numGroupsStr = (String)
> +                coyoteReq.getAttribute("REMOTE_USER_GROUP_N");
> +            if (numGroupsStr != null) {
> +                try {
> +                    numGroups = new Integer(numGroupsStr);
> +                } catch (NumberFormatException e) {
> +                    System.out.println("ExternalAuthenticationValve: invalid REMOTE_USER_GROUP_N value: " + e);
> +                }
> +            }
> +
> +            ArrayList<String> groups = new ArrayList<>();
> +            for (int i = 1; i <= numGroups; i++) {
> +                String k = "REMOTE_USER_GROUP_" + i;
> +                String s = (String) coyoteReq.getAttribute(k);
> +                if (s != null && !s.isEmpty())
> +                    groups.add(s);
> +                else
> +                    System.out.println("ExternalAuthenticationValve: missing or empty attribute: " + k);
> +            }
> +
> +            GenericPrincipal newPrincipal =
> +                new GenericPrincipal(oldPrincipal.getName(), null, groups);
> +
> +            System.out.println("ExternalAuthenticationValve: setting new principal: " + newPrincipal);
> +            req.setUserPrincipal(newPrincipal);
> +        }
> +
> +        getNext().invoke(req, resp);
> +    }
> +}
> -- 
> 2.5.0
> 



From ftweedal at redhat.com  Tue Jan 12 01:31:30 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Tue, 12 Jan 2016 11:31:30 +1000
Subject: [Pki-devel] [PATCH] 0067 Remove vestiges of NISAuth plugin
Message-ID: <20160112013130.GQ31821@dhcp-40-8.bne.redhat.com>

Attached patch fixes https://fedorahosted.org/pki/ticket/1674
(NISAuth Authentication plugin , which is not present, still in the
CS.cfg).

Thanks,
Fraser
-------------- next part --------------
From 5e53c639d1e0508a4f8307d1dcd9c01a0994bd5e Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Tue, 12 Jan 2016 12:28:10 +1100
Subject: [PATCH] Remove vestiges of NISAuth plugin

Fixes: https://fedorahosted.org/pki/ticket/1674
---
 base/ca/shared/webapps/ca/ee/ca/NISUserEnroll.html | 508 ---------------------
 .../webapps/ca/ee/ca/policyEnrollment/index.html   |   9 -
 .../netscape/admin/certsrv/certsrv-help.properties |   2 -
 .../netscape/admin/certsrv/ug/AuthBaseDialog.java  |   2 -
 .../admin/certsrv/ug/AuthConfigDialog.java         |   3 -
 base/kra/shared/conf/CS.cfg.in                     |   1 -
 base/ocsp/shared/conf/CS.cfg.in                    |   2 -
 base/server/cmsbundle/src/LogMessages.properties   |   2 -
 base/server/cmsbundle/src/UserMessages.properties  |   2 -
 .../src/com/netscape/cmscore/apps/Setup.java       |   1 -
 base/tks/shared/conf/CS.cfg.in                     |   1 -
 base/tps/shared/conf/CS.cfg.in                     |   1 -
 12 files changed, 534 deletions(-)
 delete mode 100644 base/ca/shared/webapps/ca/ee/ca/NISUserEnroll.html

diff --git a/base/ca/shared/webapps/ca/ee/ca/NISUserEnroll.html b/base/ca/shared/webapps/ca/ee/ca/NISUserEnroll.html
deleted file mode 100644
index d671b4b22ab33d6333742448d20399d8cacbcd79..0000000000000000000000000000000000000000
--- a/base/ca/shared/webapps/ca/ee/ca/NISUserEnroll.html
+++ /dev/null
@@ -1,508 +0,0 @@
-<!-- --- BEGIN COPYRIGHT BLOCK ---
-     This program is free software; you can redistribute it and/or modify
-     it under the terms of the GNU General Public License as published by
-     the Free Software Foundation; version 2 of the License.
-
-     This program is distributed in the hope that it will be useful,
-     but WITHOUT ANY WARRANTY; without even the implied warranty of
-     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-     GNU General Public License for more details.
-
-     You should have received a copy of the GNU General Public License along
-     with this program; if not, write to the Free Software Foundation, Inc.,
-     51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
-     Copyright (C) 2007 Red Hat, Inc.
-     All rights reserved.
-     --- END COPYRIGHT BLOCK --- -->
-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
-<html>
-<head>
-<TITLE>NIS Based User Enrollment Form</TITLE>
-<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
-<SCRIPT LANGUAGE="JavaScript"></SCRIPT>
-<SCRIPT LANGUAGE="JavaScript" SRC="../cms-funcs.js"> </SCRIPT>
-<SCRIPT LANGUAGE="JavaScript" SRC="../helpfun.js"> </SCRIPT>
-<SCRIPT LANGUAGE="JavaScript" SRC="/ca/ee/dynamicVars.js"> </SCRIPT>
-<SCRIPT>
-//<!--
-
-// Notice to administrators
-//
-// A link to this HTML form conditionally appears in the
-// main enrollment menu frame. This link will only appear if
-// a plugin of type 'NISAuth' has been configured in the console.
-
-var crmfObject;
-function validate(form)
-{
-    with (form) {
-        if (uid.value == "") {
-            alert("You must supply your uid");
-            return false;
-        }
-        if (pwd.value == "") {
-            alert("You must supply your password");
-            return false;
-        }
-
-        /////////////////////////////////////////////////////////////////
-        // To enable dual key feature, this page must be customized with
-        // appropriate Javascript call. For example,
-        //
-        //      crmfObject = crypto.generateCRMFRequest(
-        //              "CN=undefined",
-        //              "regToken", "authenticator",
-        //              null,
-        //              "setCRMFRequest();",
-        //              512, null, "rsa-ex",
-        //              1024, null, "rsa-sign");
-        //
-        // To enable key archival feature, this page must be customized with
-        // KRA's transport certificate. The transport certificate can be
-        // retrieved in the following ways:
-        // (1) Access "List Certificates" menu option in end-entity page
-        // (2) Access https://<host>:<agent_port>/kra/displayTransportCert
-        // (3) Use certutil command in <instance-dir>/config directory
-        //     (i.e. certutil -L -d . -n "kraTransportCert <instance-id>" -a)
-        //
-        // Once the transport certificate is obtained, the following
-        // javascript should be modified so that the transport certificate
-        // and appropriate key type are selected. For example,
-        //
-        //      var keyGenAlg = "rsa-ex";
-        //      crmfObject = crypto.generateCRMFRequest(
-        //              "CN=undefined",
-        //              "regToken", "authenticator",
-        //              keyTransportCert,
-        //              "setCRMFRequest();",
-        //              512, null, keyGenAlg);
-        /////////////////////////////////////////////////////////////////
-
-        // generate keys for nsm.
-        if (navigator.appName == "Netscape" && (navMajorVersion() > 3) && 
-			 typeof(crypto.version) != "undefined") {
-			//certNickname.value = uid.value;
-        	crmfObject = crypto.generateCRMFRequest(
-				"CN=undefined", 
-               	"regToken", "authenticator", 
-			null,
-                "setCRMFRequest();", 
-                1024, null, "rsa-dual-use");
-        }
-        return true;
-    }
-}
-
-function setCRMFRequest()
-{
-	with (document.forms[0]) {
-		CRMFRequest.value = crmfObject.request;
-		submit();
-	}
-}
-
-//-->
-</SCRIPT>
-</head>
-
-<OBJECT
-	classid="clsid:127698e4-e730-4e5c-a2b1-21490a70c8a1"
-	CODEBASE="/xenroll.dll"
-	id=Enroll    >
-</OBJECT>
-
-
-<SCRIPT LANGUAGE=VBS>
-<!--
-Function escapeDNComponent(comp)
-		escapeDNComponent = comp
-End Function
-
-Function doubleQuotes(comp)
-		doubleQuotes = False
-End Function
-
-Function formulateDN()
-		Dim dn
-		Dim TheForm
-		Set TheForm = Document.ReqForm
-
-		dn = Empty
-
-		If (TheForm.uid.Value <> Empty) Then
-			If doubleQuotes(TheForm.uid.Value) = True Then
-				MsgBox "Double quotes are not allowed in the uid field"
-				Exit Function
-			End If
-			If (dn <> Empty) Then
-				dn = dn & ","
-			End If
-			dn = dn & "0.9.2342.19200300.100.1.1=" & escapeDNComponent(TheForm.uid.Value)
-		End If
-
-		formulateDN = dn
-End Function
-
-Sub Send_OnClick
-  Dim TheForm
-  Dim szName
-  Dim options
-  Set TheForm = Document.ReqForm
-
-
-  ' Do a few sanity checks
-  If (TheForm.uid.Value = Empty) Then 
-    ret = MsgBox("You must supply your NIS uid for certificate enrollment", 0, "MSIE Certificate Request")
-	Exit Sub
-  End If
-
-  If (TheForm.pwd.Value = Empty) Then
-	ret = MsgBox("You must supply your NIS password for certificate enrollment", 0, "MSIE Certificate Request")
-	Exit Sub
-  End If
-
-'  If (TheForm.SSLClient.value = Empty AND
-'      TheForm.SMIME.value = Empty AND
-'      TheForm.ObjectSigning.value = Empty) Then
-'	ret = MsgBox("You must select atleast one certificate type", 0, 
-'		"MSIE Certificate Request")
-'	Exit Sub
-'  End If
-	
-
-  ' Contruct the X500 distinguished name
-  szName = formulateDN()
-
-  On Error Resume Next
-  Enroll.HashAlgorithm = "MD5"
-  Enroll.KeySpec = 1
-  Enroll.GenKeyFlags = 1        ' key exportable
-
-   ' Pick the provider that is selected
-   set options = TheForm.all.cryptprovider.options
-   index = options.selectedIndex
-   Enroll.providerType = options(index).value
-   Enroll.providerName = options(index).text
-
-  szCertReq = Enroll.createPKCS10(szName, "1.3.6.1.5.5.7.3.2")
-  theError = Err.Number
-  On Error Goto 0
-  '
-  ' If the user has cancelled things the we simply ignore whatever
-  ' they were doing ... need to think what should be done here
-  '
-  If (szCertReq = Empty AND theError = 0) Then
-    Exit Sub
-  End If
-
-  If (szCertReq = Empty OR theError <> 0) Then
-    '
-    ' There was an error in the key pair generation. The error value
-    ' is found in the variable 'theError' which we snarfed above before
-    ' we did the 'On Error Goto 0' which cleared it again.
-    '
-    sz = "The error '" & Hex(theError) & "' occurred." & chr(13) & chr(10) & "Your credentials could not be generated."
-    result = MsgBox(sz, 0, "Credentials Enrollment")
-    Exit Sub
-  End If
-
-  TheForm.pkcs10Request.Value = szCertReq
-  TheForm.Submit
-  Exit Sub
-
-End Sub
--->
-</SCRIPT>
-
-<body bgcolor="#FFFFFF" onload=checkClientTime()>
-
-
-<font size="+1" face="PrimaSans BT, Verdana, Arial, Helvetica, sans-serif">
-NIS Based User Enrollment <br>
-</font>
-  <font size="-1" face="PrimaSans BT, Verdana, Arial, Helvetica, sans-serif"> 
-  Use this form to submit a request for a personal certificate through your
-  organization's NIS. With NIS based enrollment, you need only 
-  supply your user ID and password for the NIS; the directory 
-  supplies the rest of the information needed for certificate issuance. 
-  If the user ID and password are correct your certificate will be issued
-  automatically.
-  </font>
-
-<table border="0" cellspacing="0" cellpadding="2" background="/pki/images/hr.gif" width="100%">
-  <tr> 
-    <td>&nbsp;</td>
-  </tr>
-</table>
-<table border="0" cellspacing="0" cellpadding="2">
-  <tr valign="TOP"> 
-    <td><font size="-1" face="PrimaSans BT, Verdana, sans-serif"> <b>
-	Important:
-	</b></font></td>
-    <td><font size="-1" face="PrimaSans BT, Verdana, sans-serif">
-	Be sure to request your certificate on the same computer on which you 
-	plan to use your certificate.  </font></td>
-  </tr>
-</table>
-<table border="0" cellspacing="0" cellpadding="0" background="/pki/images/hr.gif" width="100%">
-  <tr> 
-    <td>&nbsp;</td>
-  </tr>
-</table>
-
-<script lang="javascript">
-	if (navigator.appName == "Netscape" && (navMajorVersion() <= 3)) {
-		// short cut for Nav 3.x or eariler, crypto is not defined
-        	document.write(
-			'<form name="ReqForm" method="post" action="/enrollment">');
-        } else
-	if ((navigator.appName == "Netscape" && 
-		 typeof(crypto.version) != "undefined")) {
-        document.write(
-			'<form name="ReqForm" method="post" action="/enrollment">');
-	} else {
-        document.write(
-			'<form name="ReqForm" method="post" action="/enrollment" '+
-			'onSubmit="return validate(document.forms[0])">');
-	}
-</script>
-
-  <font size="-1" face="PrimaSans BT, Verdana, Arial, Helvetica, sans-serif">
-  <b>User's Identity</b><br>
-Enter your user ID and password for your organization's NIS. This 
-information will be used to verify your identity and to obtain
-information from the directory to fill in the certificate.
-  <br>
-
-<table border="0" width="100%" cellspacing="2" cellpadding="2">
-    <tr> 
-      <td width="30%" valign="TOP"> 
-        <div align="RIGHT">
-          <font size="-1" face="PrimaSans BT, Verdana, Arial, Helvetica, sans-serif">User ID: </font> 
-        </div>
-      </td>
-      <td valign="TOP"> 
-        <input type="TEXT" name="uid" size="30">
-      </td>
-    </tr>
-</table>
-
-<table border="0" width="100%" cellspacing="2" cellpadding="2">
-    <tr> 
-      <td width="30%" valign="TOP"> 
-        <div align="RIGHT">
-          <font size="-1" face="PrimaSans BT, Verdana, Arial, Helvetica, sans-serif">Password: </font> 
-        </div>
-      </td>
-      <td valign="TOP"> 
-        <input type="PASSWORD" name="pwd" AutoComplete=off size="30">
-      </td>
-    </tr>
-    <tr>
-    </tr>
-</table>
-
-<table border="0" width="100%" cellspacing="2" cellpadding="2">
-    <tr> 
-      <td valign="TOP"> 
-		<!-- for Netscape Certificate Type Extension -->
-		<input type="HIDDEN" name="email" value="true">
-		<input type="HIDDEN" name="ssl_client" value="true">
-		<!-- for Key Usage Extension -->
-		<input type="HIDDEN" name="digital_signature" value=true>
-		<input type="HIDDEN" name="non_repudiation" value=true>
-		<input type="HIDDEN" name="key_encipherment" value=true>
-      </td>
-    </tr>
-    <tr> 
-      <td valign="TOP" colspan="2">
-		<font size="-1" face="PrimaSans BT, Verdana, Arial, Helvetica, sans-serif">
-</td></tr>
-</table>
-
-
-<script>
-		if (navigator.appName == "Netscape" && 
-			(navMajorVersion() <= 3 || typeof(crypto.version) == 'undefined')) {
-
-        document.writeln('<b>Public/Private Key Information</b><br>');
-		document.writeln(
-		  'When your submit this form, your browser generates a private and '+
-		  'public key. The browser retains the private key and submits the '+
-		  'public key along with your request for a certificate. '+
-		  'The public key becomes part of your certificate. '+
-		  '<P>'+
-		  'Select the length of the key to generate. The longer the key '+ 
-		  'length the greater the strength. You may want to check with your '+
-		  'system administrator about the length of key to specify.');
-
-			// short cut for Nav 3.x or eariler, crypto is not defined
-			document.writeln('Select the length of the key to generate. '+
-				'The longer the key length, the greater the strength. '+
-				'You may want to check with your system administrator about '+
-				'the length of key to specify.');
-		} 
-		//else if (navigator.appName == 'Netscape' && crypto.version == "undefined") {
-			//document.writeln('Select the length of the key to generate. '+
-			//	'The longer the key length, the greater the strength. '+
-			//	'You may want to check with your system administrator about '+
-			//	'the length of key to specify.');
-		//}
-
-//<!--
-        if (navigator.appName == "Netscape") {
-            document.writeln('<table border="0" width="100%" cellspacing="2" cellpadding="2">');
-			if (navMajorVersion() <= 3 || 
-				typeof(crypto.version) == "undefined") {
-				document.writeln('<td width="30%" valign=TOP>');
-				document.writeln('<div align=right>');
-				document.writeln('<font size=-1 face="PrimaSans BT, Verdana, Arial, Helvetica, sans-serif">');
-				document.writeln('Key Length: ');
-				document.writeln('</font>');
-				document.writeln('</div>');
-				document.writeln('</td>');
-				document.write('<td valign=TOP>');
-                document.write('<KEYGEN name="subjectKeyGenInfo">');
-        	} 
-			//else {
-                //alert('nsm');
-                //document.writeln('<SELECT NAME=\"keyLength\">');
-                //document.writeln('<OPTION VALUE=512>512 bits');
-                //document.writeln('<OPTION VALUE=768>768 bits');
-                //document.writeln('<OPTION VALUE=1024>1024 bits');
-                //document.writeln('</SELECT>');
-			//}
-			document.write('</td></table>');
-        }
-	if (navigator.appName == "Microsoft Internet Explorer") {
-        document.writeln('<b>Public/Private Key Information</b><br>');
-                document.writeln(
-                  'When you submit this form, your browser generates a private and '+
-                  'public key. The browser retains the private key and submits the '+
-                  'public key along with your request for a certificate. '+
-                  'The public key becomes part of your certificate. '+
-                  '<P>'+
-                  'The Microsoft Base Cryptographic provider offers 512-bit key encryption which is adequate for most applications today, but you may select the Enhanced option if your browser offers this choice and you require the higher encryption strength. You may want to check with your '+
-                  'system administrator about the provider to specify.');
-
-           document.writeln('<p>');
-           document.writeln('<td>');
-           document.writeln('<font size=-1 face="PrimaSans BT, Verdana, Arial, Helvetica, sans-serif">');
-           document.writeln('Cryptographic Provider:');
-           document.writeln('</font>');
-           document.writeln('</td>');
-           document.writeln('<td>');
-	   document.writeln('<SELECT NAME=\"cryptprovider\"></SELECT>');
-           document.writeln('</td>');
-           document.writeln('<p>');
-	}
-//-->
-
-document.writeln('<table border="0" width="100%" cellspacing="0" cellpadding="6" bgcolor="#cccccc" background="/pki/images/gray90.gif"> <tr> <td width=100%> <div align="RIGHT">');
-//<!--
-			if (navigator.appName == "Netscape" && navMajorVersion() <= 3) {
-				// short cut for Nav 3.x or eariler, crypto is not defined
-				document.writeln(
-					'<input type="submit" value="Submit" '+
-					'name="submit" width="72">');
-			} else if (navigator.appName == "Netscape" && 
-			 		typeof(crypto.version) == "undefined") {
-				document.writeln(
-					'<input type="submit" value="Submit" '+
-					'name="submit" width="72">');
-			}
-			else if ((navigator.appName == "Microsoft Internet Explorer") ||
-					 (navigator.appName == "")) {
-				document.writeln(
-					'<input type="submit" value="Submit" '+
-					'name="Send" width="72">');
-			}
-			else {
-				// alert('nsm');
-				document.writeln(
-					'<input type="button" value="Submit" '+
-					'name="submitbutton" '+
-					'onclick="validate(form)" width="72">');
-			}
-			document.write('<img src="/pki/images/spacer.gif" width="6" height="6">' +
-			'<input type="reset" value="Reset" name="reset" width="72">' +
-			'<input type="hidden" name="certType" value="client">' +
-			'<input type="hidden" name="authenticator" ' +
-			  '  value="NISAuth">');
-
-				if (navigator.appName == 'Netscape') {
-					if ((navMajorVersion() > 3) && 
-						(typeof(crypto.version) != 'undefined')) {
-						//alert('cmmf response');
-						document.write(
-						  '<input type=hidden name=CRMFRequest value="">');
-						document.write(
-						  '<input type=hidden name=cmmfResponse value=true>');
-						//document.write(
-						  //'<input type=hidden name=certNickname value="">');
-					}
-					else {
-						document.write(
-						'<input type="hidden" name="importCert" value="off">');
-					}
-				}
-				else if ((navigator.appName == "Microsoft Internet Explorer")||
-						 (navigator.appName == "")) {
-					// navigator.appName == "" is for IE 3.
-					//alert('pkcs10Request');
-					document.write(
-					 '<input type="hidden" name="pkcs10Request" value="">');
-				}
-//-->
-              document.writeln('</div> </td> </tr> </table>');
-</script>
-  </form>
-<SCRIPT LANGUAGE=VBS>
-<!--
-
-FindProviders
-
-Function FindProviders
-	Dim i, j
-	Dim providers()
-	i = 0
-	j = 1
-	Dim el
-	Dim temp
-	Dim first
-	Dim TheForm
-	Set TheForm = document.ReqForm
-	On Error Resume Next
-	first = 0
-
-	Do While True
-	temp = ""
-	Enroll.providerType = j
-	temp = Enroll.enumProviders(i,0)
-	If Len(temp) = 0 Then
-	If j < 1 Then 
-	  j = j + 1
-	  i = 0 
-	Else
-	  Exit Do
-	End If
-	Else
-	set el = document.createElement("OPTION")
-	el.text = temp
-	el.value = j 
-	TheForm.cryptprovider.add(el)
-	If first = 0  Then
-	  first = 1
-	  TheForm.cryptprovider.selectedIndex = 0
-	End If
-	i = i + 1
-	End If
-	Loop
-
-End Function
-
--->
-</SCRIPT>
-</body>
-</html>
diff --git a/base/ca/shared/webapps/ca/ee/ca/policyEnrollment/index.html b/base/ca/shared/webapps/ca/ee/ca/policyEnrollment/index.html
index 74c3080f0d97da38075aaa737002018288291cd7..75fffe901d938ee7a94717137e1fae5b6efb2c7a 100644
--- a/base/ca/shared/webapps/ca/ee/ca/policyEnrollment/index.html
+++ b/base/ca/shared/webapps/ca/ee/ca/policyEnrollment/index.html
@@ -177,15 +177,6 @@ function initEnrollMenu()
     	count++;
 	}
 
-	// NISAuth - authenticates against NIS
-	if ( isAuthMgrEnabled("NISAuth") ) {
-		item = 'nisuser';
-		menuItems[count] = top.EnrollMenu[count] = 
-			new menuItem(item, 'NISUserEnroll.html', 'NIS');
-    
-    	count++;
-	}
-
 	// Kerberos - authenticates against a Kerberos server
 	if ( isAuthMgrEnabled("KerberosAuth") ) {
 		item = 'kerberos';
diff --git a/base/console/src/com/netscape/admin/certsrv/certsrv-help.properties b/base/console/src/com/netscape/admin/certsrv/certsrv-help.properties
index 1faf8ef6833fb5b8d3ed12990d18ce5e72d4b615..c5b97af2a5e0bb7a2dfa8fbb0a1bd10b989f7e92 100644
--- a/base/console/src/com/netscape/admin/certsrv/certsrv-help.properties
+++ b/base/console/src/com/netscape/admin/certsrv/certsrv-help.properties
@@ -315,7 +315,6 @@ authentication-certsrv-register-authplugin-dbox-help = cert
 authentication-certsrv-auth-dialog-help = cert
 ;OOTB Auth plugins
 configuration-authrules-kerberosauth = cert
-configuration-authrules-nisauth = cert
 configuration-authrules-portalauth = cert
 configuration-authrules-uidpwddirauth = cert
 configuration-authrules-uidpwdpindirauth = cert
@@ -323,7 +322,6 @@ configuration-authrules-uidpwdpindirauth = cert
 ;authentication implementations 1/1/2000
 authentication-certsrv-impl-ldap = cert
 authentication-certsrv-impl-ldappin = cert
-authentication-certsrv-impl-nis = cert
 authentication-certsrv-impl-portal= cert
 
 ;Certificate server status 
diff --git a/base/console/src/com/netscape/admin/certsrv/ug/AuthBaseDialog.java b/base/console/src/com/netscape/admin/certsrv/ug/AuthBaseDialog.java
index 78d89bb9c9d06c51a675de1207552394e510c385..c3c4b2cc3eea5488c46c68550939ab29a187ac4a 100644
--- a/base/console/src/com/netscape/admin/certsrv/ug/AuthBaseDialog.java
+++ b/base/console/src/com/netscape/admin/certsrv/ug/AuthBaseDialog.java
@@ -114,8 +114,6 @@ public class AuthBaseDialog extends JDialog
                 mAuthName.setText("UserDnEnrollment");
             else if (!userDirExist && str.equals("UserPwdDirAuth"))
                 mAuthName.setText("UserDirAuth");
-            else if (str.equals("NISAuth"))
-                mAuthName.setText("NISAuth");
             // Inserted by beomsuk
             else if (!portalExist && str.equals("PortalEnroll"))
                 mAuthName.setText("PortalEnrollment");
diff --git a/base/console/src/com/netscape/admin/certsrv/ug/AuthConfigDialog.java b/base/console/src/com/netscape/admin/certsrv/ug/AuthConfigDialog.java
index 22454e241ac71317644b64c1c7895c83eab33d60..da14c676b6b1eb8a65dbb0d646031644f07e6b38 100644
--- a/base/console/src/com/netscape/admin/certsrv/ug/AuthConfigDialog.java
+++ b/base/console/src/com/netscape/admin/certsrv/ug/AuthConfigDialog.java
@@ -78,9 +78,6 @@ public class AuthConfigDialog extends CMSBaseConfigDialog
 		else if (implName.equals("UserPwdDirAuth")) {
 			instanceName = "UserDirAuth";
 		}
-		else if (implName.equals("NISAuth")) {
-			instanceName = "NISAuth";
-		}
 		else if (implName.equals("PortalEnroll")) {
 			instanceName = "PortalEnrollment";
 		}
diff --git a/base/kra/shared/conf/CS.cfg.in b/base/kra/shared/conf/CS.cfg.in
index 64a369e0a3822b9284f694c961ba9d178bb7e376..9435daa1823dc07358ab2ae9395bd95b1352dc3a 100644
--- a/base/kra/shared/conf/CS.cfg.in
+++ b/base/kra/shared/conf/CS.cfg.in
@@ -144,7 +144,6 @@ auths.impl._001=## authentication manager implementations
 auths.impl._002=##
 auths.impl.AgentCertAuth.class=com.netscape.cms.authentication.AgentCertAuthentication
 auths.impl.CMCAuth.class=com.netscape.cms.authentication.CMCAuth
-auths.impl.NISAuth.class=com.netscape.cms.authentication.NISAuth
 auths.impl.PortalEnroll.class=com.netscape.cms.authentication.PortalEnroll
 auths.impl.TokenAuth.class=com.netscape.cms.authentication.TokenAuthentication
 auths.impl.UdnPwdDirAuth.class=com.netscape.cms.authentication.UdnPwdDirAuthentication
diff --git a/base/ocsp/shared/conf/CS.cfg.in b/base/ocsp/shared/conf/CS.cfg.in
index cea8e651215755dacd898d0b115192968d323309..9968bb06d7265dfe36744233a8b70e2f2cb0b518 100644
--- a/base/ocsp/shared/conf/CS.cfg.in
+++ b/base/ocsp/shared/conf/CS.cfg.in
@@ -131,8 +131,6 @@ auths.impl._001=## authentication manager implementations
 auths.impl._002=##
 auths.impl.AgentCertAuth.class=com.netscape.cms.authentication.AgentCertAuthentication
 auths.impl.CMCAuth.class=com.netscape.cms.authentication.CMCAuth
-auths.impl.NISAuth.class=com.netscape.cms.authentication.NISAuth
-auths.impl.PortalEnroll.class=com.netscape.cms.authentication.PortalEnroll
 auths.impl.TokenAuth.class=com.netscape.cms.authentication.TokenAuthentication
 auths.impl.UdnPwdDirAuth.class=com.netscape.cms.authentication.UdnPwdDirAuthentication
 auths.impl.UidPwdDirAuth.class=com.netscape.cms.authentication.UidPwdDirAuthentication
diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
index e0e926ccb43a94c01bcb40cad81f7f04ee437f45..1be16736213cf7473f3fc85dcef601bfbead5b9d 100644
--- a/base/server/cmsbundle/src/LogMessages.properties
+++ b/base/server/cmsbundle/src/LogMessages.properties
@@ -42,8 +42,6 @@ CMS_AUTH_CREATE_CERTINFO_ERROR=Could not create certinfo for {0}. Error - {1}
 CMS_AUTH_READ_ENTRIES=Read entries from password file - {0}
 CMS_AUTH_USER_NOT_FOUND=User not found in password file.
 CMS_AUTH_INVALID_FINGER_PRINT=Invalid fingerprint.
-CMS_AUTH_INVALID_NIS_SERVER=Invalid NIS Server - {0}
-CMS_AUTH_INVALID_NIS_SERVER_NAME=Invalid NIS Server Name - {0}
 CMS_AUTH_INVALID_DOMAIN=Invalid Domain Name - {0}
 CMS_AUTH_EMPTY_PASSWORD=UID {0} attempted a login with an empty password.
 CMS_AUTH_EMPTY_PIN=UID {0} attempted a login with an empty pin.
diff --git a/base/server/cmsbundle/src/UserMessages.properties b/base/server/cmsbundle/src/UserMessages.properties
index 7c5c77d5b589886d0a8c6323436a1fdcdd4ce8f9..75aac4d7960cba03e83b6af37795b75eb9950450 100644
--- a/base/server/cmsbundle/src/UserMessages.properties
+++ b/base/server/cmsbundle/src/UserMessages.properties
@@ -306,8 +306,6 @@ CMS_ADMIN_SRVLT_CERT_VALIDATE_FAILED=Imported cert has not been verified to be v
 # ProfileSubmitServlet
 #######################################################
 CMS_POP_VERIFICATION_ERROR=Proof-of-Possession Verification Failed
-CMS_AUTHENTICATION_NIS_NAME=NIS Authentication
-CMS_AUTHENTICATION_NIS_TEXT=This plugin authenticates a user using NIS.
 CMS_AUTHENTICATION_AGENT_NAME=Agent Authentication
 CMS_AUTHENTICATION_AGENT_TEXT=This plugin authenticates agents using a certificate.
 CMS_AUTHENTICATION_SSL_CLIENT_NAME=SSL Client Authentication
diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/Setup.java b/base/server/cmscore/src/com/netscape/cmscore/apps/Setup.java
index fecf024de4374161f2bdf2f69b0a2b4f8b7bcdf6..cddcfca50a0e6e5230edbc7284bfdfc0da08ae54 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/apps/Setup.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/apps/Setup.java
@@ -41,7 +41,6 @@ public class Setup {
             { "auths.impl.UidPwdDirAuth.class", "com.netscape.cms.authentication.UidPwdDirAuthentication" },
             { "auths.impl.UidPwdPinDirAuth.class", "com.netscape.cms.authentication.UidPwdPinDirAuthentication" },
             { "auths.impl.UdnPwdDirAuth.class", "com.netscape.cms.authentication.UdnPwdDirAuthentication" },
-            { "auths.impl.NISAuth.class", "com.netscape.cms.authentication.NISAuth" },
             { "auths.impl.CMCAuth.class", "com.netscape.cms.authentication.CMCAuth" },
             { "auths.impl.AgentCertAuth.class", "com.netscape.cms.authentication.AgentCertAuthentication" },
             { "auths.impl.PortalEnroll.class", "com.netscape.cms.authentication.PortalEnroll"
diff --git a/base/tks/shared/conf/CS.cfg.in b/base/tks/shared/conf/CS.cfg.in
index e63f07d134719d1c1326fbe939c12157c0109bad..ae77fbe24b0f4c4e0c432ea49b262a9686a3751c 100644
--- a/base/tks/shared/conf/CS.cfg.in
+++ b/base/tks/shared/conf/CS.cfg.in
@@ -122,7 +122,6 @@ auths.impl._001=## authentication manager implementations
 auths.impl._002=##
 auths.impl.AgentCertAuth.class=com.netscape.cms.authentication.AgentCertAuthentication
 auths.impl.CMCAuth.class=com.netscape.cms.authentication.CMCAuth
-auths.impl.NISAuth.class=com.netscape.cms.authentication.NISAuth
 auths.impl.PortalEnroll.class=com.netscape.cms.authentication.PortalEnroll
 auths.impl.TokenAuth.class=com.netscape.cms.authentication.TokenAuthentication
 auths.impl.UdnPwdDirAuth.class=com.netscape.cms.authentication.UdnPwdDirAuthentication
diff --git a/base/tps/shared/conf/CS.cfg.in b/base/tps/shared/conf/CS.cfg.in
index 48fd8fe43d5f2e5016e27cbb231f462c6e6a7b1d..41af0259824a950d835964ef6f357e4a60a30cd6 100644
--- a/base/tps/shared/conf/CS.cfg.in
+++ b/base/tps/shared/conf/CS.cfg.in
@@ -28,7 +28,6 @@ auths.impl._001=## authentication manager implementations
 auths.impl._002=##
 auths.impl.AgentCertAuth.class=com.netscape.cms.authentication.AgentCertAuthentication
 auths.impl.CMCAuth.class=com.netscape.cms.authentication.CMCAuth
-auths.impl.NISAuth.class=com.netscape.cms.authentication.NISAuth
 auths.impl.PortalEnroll.class=com.netscape.cms.authentication.PortalEnroll
 auths.impl.SSLclientCertAuth.class=com.netscape.cms.authentication.SSLclientCertAuthentication
 auths.impl.TokenAuth.class=com.netscape.cms.authentication.TokenAuthentication
-- 
2.5.0


From ftweedal at redhat.com  Tue Jan 12 02:16:28 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Tue, 12 Jan 2016 12:16:28 +1000
Subject: [Pki-devel] [PATCH] 0068 Remove execute permissions from systemd
	unit files
Message-ID: <20160112021628.GR31821@dhcp-40-8.bne.redhat.com>

Hi all,

The attached patch fixes https://fedorahosted.org/pki/ticket/1723.

Cheers,
Fraser
-------------- next part --------------
From 0e0202f642619d969a7551899cdf4803b4620953 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Tue, 12 Jan 2016 13:12:17 +1100
Subject: [PATCH] Remove execute permissions from systemd unit files

Fixes: https://fedorahosted.org/pki/ticket/1723
---
 specs/pki-core.spec | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/specs/pki-core.spec b/specs/pki-core.spec
index df2e3aa9e9de7fe8659074eacbd137d20e09197c..948a0ecdc06757f4baed845e8481ba1efa51f64d 100644
--- a/specs/pki-core.spec
+++ b/specs/pki-core.spec
@@ -919,11 +919,11 @@ systemctl daemon-reload
 %{_datadir}/pki/scripts/operations
 %{_bindir}/pkidaemon
 %dir %{_sysconfdir}/systemd/system/pki-tomcatd.target.wants
-%{_unitdir}/pki-tomcatd at .service
-%{_unitdir}/pki-tomcatd.target
+%attr(644,-,-) %{_unitdir}/pki-tomcatd at .service
+%attr(644,-,-) %{_unitdir}/pki-tomcatd.target
 %dir %{_sysconfdir}/systemd/system/pki-tomcatd-nuxwdog.target.wants
-%{_unitdir}/pki-tomcatd-nuxwdog at .service
-%{_unitdir}/pki-tomcatd-nuxwdog.target
+%attr(644,-,-) %{_unitdir}/pki-tomcatd-nuxwdog at .service
+%attr(644,-,-) %{_unitdir}/pki-tomcatd-nuxwdog.target
 %{_javadir}/pki/pki-cms.jar
 %{_javadir}/pki/pki-cmsbundle.jar
 %{_javadir}/pki/pki-cmscore.jar
-- 
2.5.0


From edewata at redhat.com  Tue Jan 12 19:20:47 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 12 Jan 2016 13:20:47 -0600
Subject: [Pki-devel] [PATCH] 0057..0061 LDAPProfileSubsystem concurrency
 fixes
In-Reply-To: <20151201045650.GM23644@dhcp-40-8.bne.redhat.com>
References: <20151201045650.GM23644@dhcp-40-8.bne.redhat.com>
Message-ID: <5695520F.1010908@redhat.com>

On 11/30/2015 10:56 PM, Fraser Tweedale wrote:
> The attached patches resolve concurrency issues in the
> LDAPProfileSubsystem (which conducts its LDAP persisent search in
> background thread).
>
> Ticket: https://fedorahosted.org/pki/ticket/1700
>
> Thanks,
> Fraser

Patch #57 is ACKed.

Patch #58 is ACKed with some comments:

1. To help troubleshooting, the static initializer in 
LDAPPostReadControl should log the exception:

     static {
         try {
             register(OID_POSTREAD, LDAPPostReadControl.class);
         } catch (Throwable e) {
             e.printStackTrace();
         }
     }

2. In LDAPPostReadControl constructor is it necessary to catch & ignore 
the exception? I think the String constructor doesn't declare any 
throwable exceptions. If necessary, we could wrap the original exception 
and rethrow it so we'll know if there's an error.

     try {
         dn = new String(buf, "UTF8");
     } catch(Throwable e) {
         throw IOException(e);
     }

3. The LDAPPostReadControl is used for both request and response. It's 
not an issue, but it would be nice to use separate classes since they 
have different contents (e.g. the request doesn't have an LDAP entry).

Patch #59 is ACKed with some comments:

1. In AbstractProfileSubsystem and LDAPProfileSubsystem, the 
commitProfile() should chain the original exception to help troubleshooting:

      throw new EProfileException(
          "Failed to commit config store of profile '" + id + ": " + e,
          e);

2. In LDAPProfileSubsystem it would be nice to have a time- or 
size-based cache expiration for the entryUSNs map, but assuming the 
number of profiles will stay relatively small this may not be a problem. 
Just something to keep in mind.

More will follow.

-- 
Endi S. Dewata



From ftweedal at redhat.com  Wed Jan 13 01:37:42 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Wed, 13 Jan 2016 11:37:42 +1000
Subject: [Pki-devel] [PATCH] 0069 Import certs as DER-encoded X.509 in Chrome
Message-ID: <20160113013742.GU31821@dhcp-40-8.bne.redhat.com>

The attached patch fixes certificate import in Chrome.
https://fedorahosted.org/pki/ticket/1245#comment:5

Thanks,
Fraser
-------------- next part --------------
From 81fc2d83fa06c11d9f2f07529576dc7f560838ec Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Tue, 12 Jan 2016 16:12:50 +1100
Subject: [PATCH] Import certs as DER-encoded X.509 in Chrome

For certificate import, Google Chrome only handles DER-encoded X.509
certificate.  We are export DER-encoded PKCS #7 chain by default,
which Chrome does not recognise.

Update client-side Javascript to append 'importCAChain=false' query
param on Chrome only, so that the certificate will be retrieved in a
supported format.

Fixes: https://fedorahosted.org/pki/ticket/1245
---
 .../webapps/ca/admin/ca/EnrollSuccess.template     |  9 ++++--
 .../webapps/ca/agent/ca/EnrollSuccess.template     |  9 ++++--
 .../webapps/ca/agent/ca/displayBySerial.template   |  4 +++
 .../ca/agent/ca/displayCertFromRequest.template    |  7 ++++-
 .../shared/webapps/ca/ee/ca/EnrollSuccess.template | 21 +++++++++++--
 .../shared/webapps/ca/ee/ca/ProfileSubmit.template |  4 +++
 .../webapps/ca/ee/ca/RenewalSuccess.template       | 34 ++++++++++++++++++----
 .../webapps/ca/ee/ca/displayBySerial.template      |  4 +++
 .../ca/ee/ca/displayCertFromRequest.template       |  7 ++++-
 .../kra/agent/kra/displayBySerial2.template        |  4 +++
 10 files changed, 88 insertions(+), 15 deletions(-)

diff --git a/base/ca/shared/webapps/ca/admin/ca/EnrollSuccess.template b/base/ca/shared/webapps/ca/admin/ca/EnrollSuccess.template
index d3709831e9f9c1bba686fb5f45adec01a7e82e28..9fdfdd614e8ef62cf5ff35b1b4546bf61338069b 100644
--- a/base/ca/shared/webapps/ca/admin/ca/EnrollSuccess.template
+++ b/base/ca/shared/webapps/ca/admin/ca/EnrollSuccess.template
@@ -180,8 +180,13 @@ if (navigator.appName == 'Netscape' &&
 } else if (navigator.appName == 'Netscape' && 
                 typeof(crypto.version) == "undefined") {
         // non Cartman
-        window.location = result.fixed.scheme + "://" + result.fixed.host + ":"
-+ result.fixed.port + "/ca/getAdminCertBySerial?serialNumber=" + record.serialNo + "&importCert=true";
+        var loc = result.fixed.scheme + "://" + result.fixed.host + ":" + result.fixed.port
+            + "/ca/getAdminCertBySerial?serialNumber=" + record.serialNo + "&importCert=true";
+        if (navigator.userAgent.indexOf("Chrome") != -1) {
+            // Chrome cannot handle PKCS #7; only DER-encoded X.509
+            loc = loc + '&importCAChain=false';
+        }
+        window.location = loc;
 }
 
 </SCRIPT>
diff --git a/base/ca/shared/webapps/ca/agent/ca/EnrollSuccess.template b/base/ca/shared/webapps/ca/agent/ca/EnrollSuccess.template
index 08bcd5240af0bbdcd01a0af441d83cddc7313db6..b627af22d9a943babc27bc15e46755dd98319db2 100644
--- a/base/ca/shared/webapps/ca/agent/ca/EnrollSuccess.template
+++ b/base/ca/shared/webapps/ca/agent/ca/EnrollSuccess.template
@@ -154,8 +154,13 @@ if (navigator.appName == 'Netscape' &&
 } else if (navigator.appName == 'Netscape' && 
                 typeof(crypto.version) == "undefined") {
         // non Cartman
-        window.location = result.fixed.scheme + "://" + result.fixed.host + ":"
-+ result.fixed.port + "/ca/getAdminCertBySerial?serialNumber=" + record.serialNo + "&importCert=true";
+        var loc = result.fixed.scheme + "://" + result.fixed.host + ":" + result.fixed.port
+            + "/ca/getAdminCertBySerial?serialNumber=" + record.serialNo + "&importCert=true";
+        if (navigator.userAgent.indexOf("Chrome") != -1) {
+            // Chrome cannot handle PKCS #7; only DER-encoded X.509
+            loc = loc + '&importCAChain=false';
+        }
+        window.location = loc;
 }
 
 </SCRIPT>
diff --git a/base/ca/shared/webapps/ca/agent/ca/displayBySerial.template b/base/ca/shared/webapps/ca/agent/ca/displayBySerial.template
index 3b58a47790dd9e99dbcdeb5fc520d5c3dd0eeec6..0ab5b7cb46ef7012459cc96dab1fbe035b137914 100644
--- a/base/ca/shared/webapps/ca/agent/ca/displayBySerial.template
+++ b/base/ca/shared/webapps/ca/agent/ca/displayBySerial.template
@@ -273,6 +273,10 @@ if (navigator.appName == "Netscape") {
 	if (navMajorVersion() > 3 && typeof(crypto.version) != "undefined") {
 		loc = loc + '&cmmfResponse=true';
 	}
+	else if (navigator.userAgent.indexOf("Chrome") != -1) {
+		// Chrome cannot handle PKCS #7; only DER-encoded X.509
+		loc = loc + '&importCAChain=false';
+	}
 }
 if (result.header.noCertImport != null && result.header.noCertImport == false) {
     document.write('<form>\n'+
diff --git a/base/ca/shared/webapps/ca/agent/ca/displayCertFromRequest.template b/base/ca/shared/webapps/ca/agent/ca/displayCertFromRequest.template
index f1148570c5e1cd3c251ee64008228da2e710b421..eb8451a5eaf1515a93df14ddf641ce06259eb647 100644
--- a/base/ca/shared/webapps/ca/agent/ca/displayCertFromRequest.template
+++ b/base/ca/shared/webapps/ca/agent/ca/displayCertFromRequest.template
@@ -133,8 +133,13 @@ function importCertificates(numCerts, requestId)
 	if (navigator.appName == "Netscape") {
 		if (navMajorVersion() > 3 && typeof(crypto.version) != "undefined") 
 			loc = loc+'&cmmfResponse=true';
-		else 
+		else {
 			loc = loc + '&importCert=true';
+			if (navigator.userAgent.indexOf("Chrome") != -1) {
+				// Chrome cannot handle PKCS #7; only DER-encoded X.509
+				loc = loc + '&importCAChain=false';
+			}
+		}
 	}
 
 	document.writeln('<center>');
diff --git a/base/ca/shared/webapps/ca/ee/ca/EnrollSuccess.template b/base/ca/shared/webapps/ca/ee/ca/EnrollSuccess.template
index 771c6fb1b8898fe11dc674062da75c5ab5fc9261..4871322b50209641647455dbef96aa51b67500e4 100644
--- a/base/ca/shared/webapps/ca/ee/ca/EnrollSuccess.template
+++ b/base/ca/shared/webapps/ca/ee/ca/EnrollSuccess.template
@@ -140,9 +140,14 @@ if (navigator.appName == 'Netscape' && (navMajorVersion() > 3) &&
     } else {
         for (var i = 0; i < result.recordSet.length; i++) {
             if (result.recordSet[i].serialNo != null) {
-                window.location = result.fixed.scheme + "://" + result.fixed.host + ":" + 
+                var loc         = result.fixed.scheme + "://" + result.fixed.host + ":" +
                                   result.fixed.port + "/ee/getBySerial?serialNumber=" + 
                                   record.recordSet[i].serialNo + "&importCert=true";
+                if (navigator.userAgent.indexOf("Chrome") != -1) {
+                    // Chrome cannot handle PKCS #7; only DER-encoded X.509
+                    loc = loc + '&importCAChain=false';
+                }
+                window.location = loc;
             }
         }
         if (result.recordSet.length > 0)
@@ -153,18 +158,28 @@ if (navigator.appName == 'Netscape' && (navMajorVersion() > 3) &&
         // non Cartman
         for (var i = 0; i < result.recordSet.length; i++) {
             if (result.recordSet[i].serialNo != null) {
-                window.location = result.fixed.scheme + "://" + result.fixed.host + ":" +
+                var loc         = result.fixed.scheme + "://" + result.fixed.host + ":" +
                                   result.fixed.port + "/ee/getBySerial?serialNumber=" + 
                                   record.recordSet[i].serialNo + "&importCert=true";
+                if (navigator.userAgent.indexOf("Chrome") != -1) {
+                    // Chrome cannot handle PKCS #7; only DER-encoded X.509
+                    loc = loc + '&importCAChain=false';
+                }
+                window.location = loc;
             }
         }
         if (result.recordSet.length > 0)
             alert("Your cert has been imported into the browser!");
     } else {
         // this must be a RA
-        window.location = result.fixed.scheme + "://" + result.fixed.host + ":" +
+        var loc         = result.fixed.scheme + "://" + result.fixed.host + ":" +
                           result.fixed.port + "/getCertFromRequest?requestId=" +
                           result.fixed.requestId + "&importCert=true";
+        if (navigator.userAgent.indexOf("Chrome") != -1) {
+            // Chrome cannot handle PKCS #7; only DER-encoded X.509
+            loc = loc + '&importCAChain=false';
+        }
+        window.location = loc;
         alert("Your cert has been imported into the browser!");
     }
 }
diff --git a/base/ca/shared/webapps/ca/ee/ca/ProfileSubmit.template b/base/ca/shared/webapps/ca/ee/ca/ProfileSubmit.template
index ce1ec122e726ac4986e79151413e4836ef5021fd..e32dd8f5e58b3ce47dad0e304d3c210adbc3cb89 100644
--- a/base/ca/shared/webapps/ca/ee/ca/ProfileSubmit.template
+++ b/base/ca/shared/webapps/ca/ee/ca/ProfileSubmit.template
@@ -87,6 +87,10 @@ for (var i = 0; i < outputListSet.length; i++) {
 if (autoImport == 'true') {
     // only support one certificate import
    var loc = "getCertFromRequest?requestId="+ requestListSet[i].requestId + "&importCert=true";
+    if (navigator.userAgent.indexOf("Chrome") != -1) {
+      // Chrome cannot handle PKCS #7; only DER-encoded X.509
+      loc = loc + '&importCAChain=false';
+    }
    document.write("<iframe width='0' height='0' src='"+loc+"' </iframe>");
 } else {
     document.writeln('<form method=post action="getCertFromRequest">');
diff --git a/base/ca/shared/webapps/ca/ee/ca/RenewalSuccess.template b/base/ca/shared/webapps/ca/ee/ca/RenewalSuccess.template
index cb840d296bc4b916801e310f547cc7e3383370d4..76685146d46c247509a3ce036f5c48f8926f587a 100644
--- a/base/ca/shared/webapps/ca/ee/ca/RenewalSuccess.template
+++ b/base/ca/shared/webapps/ca/ee/ca/RenewalSuccess.template
@@ -136,22 +136,44 @@ if (navigator.appName == 'Netscape' && (navMajorVersion() > 3) &&
 //		'its serial number.');
     } else if (result.fixed.authorityName == 'Certificate Manager') {
 	alert("Success!!");
-        window.location = result.fixed.scheme + "://" + result.fixed.host + ":" + result.fixed.port + "/getBySerial?serialNumber=" + record.serialNo + "&importCert=true";
+        var loc = result.fixed.scheme + "://" + result.fixed.host + ":" + result.fixed.port
+            + "/getBySerial?serialNumber=" + record.serialNo + "&importCert=true";
+        if (navigator.userAgent.indexOf("Chrome") != -1) {
+            // Chrome cannot handle PKCS #7; only DER-encoded X.509
+            loc = loc + '&importCAChain=false';
+        }
+        window.location = loc;
     } else {
 	alert("Success!!");
         // this must be a RA
-        window.location = result.fixed.scheme + "://" + result.fixed.host + ":"
-+ result.fixed.port + "/getCertFromRequest?requestId=" + result.fixed.requestId + "&importCert=true";
+        var loc = result.fixed.scheme + "://" + result.fixed.host + ":" + result.fixed.port
+            + "/getCertFromRequest?requestId=" + result.fixed.requestId + "&importCert=true";
+        if (navigator.userAgent.indexOf("Chrome") != -1) {
+            // Chrome cannot handle PKCS #7; only DER-encoded X.509
+            loc = loc + '&importCAChain=false';
+        }
+        window.location = loc;
     }
 } else if (navigator.appName == 'Netscape' && (navMajorVersion() >= 3)) {
         // non Cartman
     if (result.fixed.authorityName == 'Certificate Manager') {
         // non Cartman
-        window.location = result.fixed.scheme + "://" + result.fixed.host + ":" + result.fixed.port + "/getBySerial?serialNumber=" + record.serialNo + "&importCert=true";
+        var loc = result.fixed.scheme + "://" + result.fixed.host + ":" + result.fixed.port
+            + "/getBySerial?serialNumber=" + record.serialNo + "&importCert=true";
+        if (navigator.userAgent.indexOf("Chrome") != -1) {
+            // Chrome cannot handle PKCS #7; only DER-encoded X.509
+            loc = loc + '&importCAChain=false';
+        }
+        window.location = loc;
     } else {
         // this must be a RA
-        window.location = result.fixed.scheme + "://" + result.fixed.host + ":"
-+ result.fixed.port + "/getCertFromRequest?requestId=" + result.fixed.requestId + "&importCert=true";
+        var loc = result.fixed.scheme + "://" + result.fixed.host + ":" + result.fixed.port
+            + "/getCertFromRequest?requestId=" + result.fixed.requestId + "&importCert=true";
+        if (navigator.userAgent.indexOf("Chrome") != -1) {
+            // Chrome cannot handle PKCS #7; only DER-encoded X.509
+            loc = loc + '&importCAChain=false';
+        }
+        window.location = loc;
     }
 }
 
diff --git a/base/ca/shared/webapps/ca/ee/ca/displayBySerial.template b/base/ca/shared/webapps/ca/ee/ca/displayBySerial.template
index d1e65fa631e0107297cf8b5383197bb9e6f5c160..56cccbec167e7479d20243cc13eded7f81462ed2 100644
--- a/base/ca/shared/webapps/ca/ee/ca/displayBySerial.template
+++ b/base/ca/shared/webapps/ca/ee/ca/displayBySerial.template
@@ -193,6 +193,10 @@ if (navigator.appName == "Netscape") {
 	if (navMajorVersion() > 3 && typeof(crypto.version) != "undefined") {
 		loc = loc + '&cmmfResponse=true';
 	}
+	else if (navigator.userAgent.indexOf("Chrome") != -1) {
+		// Chrome cannot handle PKCS #7; only DER-encoded X.509
+		loc = loc + '&importCAChain=false';
+	}
 }
 document.write('<form>\n'+
 			   '<INPUT TYPE=\"button\" VALUE=\"Import Your Certificate\"'+
diff --git a/base/ca/shared/webapps/ca/ee/ca/displayCertFromRequest.template b/base/ca/shared/webapps/ca/ee/ca/displayCertFromRequest.template
index aafa17aca89305e5a5789dbe43a14e5a4f5a6047..f7987fc692cd7ba913556af494e1458b467a3502 100644
--- a/base/ca/shared/webapps/ca/ee/ca/displayCertFromRequest.template
+++ b/base/ca/shared/webapps/ca/ee/ca/displayCertFromRequest.template
@@ -122,8 +122,13 @@ function importCertificates(numCerts, requestId)
 	if (navigator.appName == "Netscape") {
 		if (navMajorVersion() > 3 && typeof(crypto.version) != "undefined") 
 			loc = loc+'&cmmfResponse=true';
-		else 
+		else {
 			loc = loc + '&importCert=true';
+			if (navigator.userAgent.indexOf("Chrome") != -1) {
+				// Chrome cannot handle PKCS #7; only DER-encoded X.509
+				loc = loc + '&importCAChain=false';
+			}
+		}
 	}
 	document.writeln('<center>');
 	document.writeln('<form>\n'+
diff --git a/base/kra/shared/webapps/kra/agent/kra/displayBySerial2.template b/base/kra/shared/webapps/kra/agent/kra/displayBySerial2.template
index 06bef2f9f1fde319bca4f55cf4af21d273dd2ee5..59cc27c3fc9ee105d290264512fb3f07fcb28a51 100644
--- a/base/kra/shared/webapps/kra/agent/kra/displayBySerial2.template
+++ b/base/kra/shared/webapps/kra/agent/kra/displayBySerial2.template
@@ -118,6 +118,10 @@ if (navigator.appName == "Netscape") {
 	if (navMajorVersion() > 3 && typeof(crypto.version) != "undefined") {
 		loc = loc + '&cmmfResponse=true';
 	}
+	else if (navigator.userAgent.indexOf("Chrome") != -1) {
+		// Chrome cannot handle PKCS #7; only DER-encoded X.509
+		loc = loc + '&importCAChain=false';
+	}
 }
 document.write('<form>\n'+
 			   '<INPUT TYPE=\"button\" VALUE=\"Download This Certificate\"'+
-- 
2.5.0


From ftweedal at redhat.com  Wed Jan 13 07:37:05 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Wed, 13 Jan 2016 17:37:05 +1000
Subject: [Pki-devel] [PATCH] 0070 Use correct textual encoding for PKCS #7
	objects
Message-ID: <20160113073705.GV31821@dhcp-40-8.bne.redhat.com>

Hi all,

Pursuant to RFC 7468 the attached patch replaces instances of
'CERTIFICATE CHAIN' in PEM headers with 'PKCS7'.

Fixes ticket https://fedorahosted.org/pki/ticket/1699.  I could not
reproduce any problems with `keytool' as mentioned in the ticket,
nor find cases online of programs supporting 'CERTIFICATE CHAIN' but
not 'PKCS7', so I think this is a good change to make.  We can
address counterexamples if/when we have hard evidence of them :)

Cheers,
Fraser
-------------- next part --------------
From 2e43f93d0727acdcc68f8c42809723fb099072be Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Wed, 13 Jan 2016 17:41:05 +1100
Subject: [PATCH] Use correct textual encoding for PKCS #7 objects

PKCS #7 objects are being output with the "CERTIFICATE CHAIN" label
which is invalid (RFC 7468) and unrecognised by many programs
(including OpenSSL).  Use the correct "PKCS7" label instead.

Also do a drive-by refactor of the normalizeCertAndReq to remove
some redundant code.

Fixes: https://fedorahosted.org/pki/ticket/1699
---
 .../webapps/ca/agent/ca/displayBySerial.template   |  4 +--
 .../webapps/ca/agent/ca/displayBySerial2.template  |  4 +--
 .../ca/agent/ca/displayCertFromRequest.template    |  4 +--
 .../webapps/ca/ee/ca/displayBySerial.template      |  4 +--
 .../shared/webapps/ca/ee/ca/displayCaCert.template |  4 +--
 .../com/netscape/cmsutil/crypto/CryptoUtil.java    | 35 ++--------------------
 6 files changed, 12 insertions(+), 43 deletions(-)

diff --git a/base/ca/shared/webapps/ca/agent/ca/displayBySerial.template b/base/ca/shared/webapps/ca/agent/ca/displayBySerial.template
index 3b58a47790dd9e99dbcdeb5fc520d5c3dd0eeec6..e02fe30ebb7fe29f68bf4032d026be2c4ddac02e 100644
--- a/base/ca/shared/webapps/ca/agent/ca/displayBySerial.template
+++ b/base/ca/shared/webapps/ca/agent/ca/displayBySerial.template
@@ -192,9 +192,9 @@ Base 64 encoded certificate with CA certificate chain in pkcs7 format
 </font>
 <p><pre>
 <SCRIPT type="text/javascript">
-document.writeln('-----BEGIN CERTIFICATE CHAIN-----');
+document.writeln('-----BEGIN PKCS7-----');
 document.write(result.header.pkcs7ChainBase64);
-document.writeln('-----END CERTIFICATE CHAIN-----');
+document.writeln('-----END PKCS7-----');
 </SCRIPT>
 </pre>
 
diff --git a/base/ca/shared/webapps/ca/agent/ca/displayBySerial2.template b/base/ca/shared/webapps/ca/agent/ca/displayBySerial2.template
index 7923f415326325acfc02b99e6c4caad60cbd7c01..f0604ef7fc3a7a9ec4c1dd016f0652c507e204dd 100644
--- a/base/ca/shared/webapps/ca/agent/ca/displayBySerial2.template
+++ b/base/ca/shared/webapps/ca/agent/ca/displayBySerial2.template
@@ -98,9 +98,9 @@ Base 64 encoded certificate
 </font>
 <p><pre>
 <SCRIPT type="text/javascript">
-document.writeln('-----BEGIN CERTIFICATE CHAIN-----');
+document.writeln('-----BEGIN PKCS7-----');
 document.write(result.header.certChainBase64);
-document.writeln('-----END CERTIFICATE CHAIN-----');
+document.writeln('-----END PKCS7-----');
 </SCRIPT>
 </pre>
 
diff --git a/base/ca/shared/webapps/ca/agent/ca/displayCertFromRequest.template b/base/ca/shared/webapps/ca/agent/ca/displayCertFromRequest.template
index f1148570c5e1cd3c251ee64008228da2e710b421..402154037790343061dc4a711de0d0fba738dbf2 100644
--- a/base/ca/shared/webapps/ca/agent/ca/displayCertFromRequest.template
+++ b/base/ca/shared/webapps/ca/agent/ca/displayCertFromRequest.template
@@ -102,9 +102,9 @@ function displayCert(cert)
 		'Base 64 encoded certificate with CA certificate chain in pkcs7 format'+
 		'</font>'+
 		'<p><pre>'+
-		'-----BEGIN CERTIFICATE CHAIN-----');
+		'-----BEGIN PKCS7-----');
 		document.writeln(cert.pkcs7ChainBase64);
-		document.writeln('-----END CERTIFICATE CHAIN-----'+
+		document.writeln('-----END PKCS7-----'+
 		'</pre>');
 
 }
diff --git a/base/ca/shared/webapps/ca/ee/ca/displayBySerial.template b/base/ca/shared/webapps/ca/ee/ca/displayBySerial.template
index d1e65fa631e0107297cf8b5383197bb9e6f5c160..33bc45f22273a3fe537df81ce12d79b119e72991 100644
--- a/base/ca/shared/webapps/ca/ee/ca/displayBySerial.template
+++ b/base/ca/shared/webapps/ca/ee/ca/displayBySerial.template
@@ -117,9 +117,9 @@ Base 64 encoded certificate with CA certificate chain in pkcs7 format
 </font>
 <p><pre>
 <SCRIPT LANGUAUGE="JavaScript">
-document.writeln('-----BEGIN CERTIFICATE CHAIN-----');
+document.writeln('-----BEGIN PKCS7-----');
 document.write(result.header.pkcs7ChainBase64);
-document.writeln('-----END CERTIFICATE CHAIN-----');
+document.writeln('-----END PKCS7-----');
 </SCRIPT>
 </pre>
 
diff --git a/base/ca/shared/webapps/ca/ee/ca/displayCaCert.template b/base/ca/shared/webapps/ca/ee/ca/displayCaCert.template
index 49a91af11500daef2a5e7fbc042aba12595bf874..3e6a44da73f8d84286d37965096ff9dc8c8fbb1b 100644
--- a/base/ca/shared/webapps/ca/ee/ca/displayCaCert.template
+++ b/base/ca/shared/webapps/ca/ee/ca/displayCaCert.template
@@ -43,9 +43,9 @@ if (result.header.displayFormat == "chain") {
     document.writeln('<center><b>' + result.header.subjectdn);
     document.writeln('</b></center><p></font><br>');
     document.writeln('<pre>');
-    document.writeln('-----BEGIN CERTIFICATE CHAIN-----');
+    document.writeln('-----BEGIN PKCS7-----');
     document.write(result.header.chainBase64);
-    document.writeln('-----END CERTIFICATE CHAIN-----');
+    document.writeln('-----END PKCS7-----');
     document.writeln('</pre>');
 } else if (result.header.displayFormat == "individual") {
     if (result.recordSet.length == 0) {
diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
index 2a3f95528251a326d8e66e44fa10e527d0c87f7f..e98027dcee49c0abf0176b6a932223ac74dbaeb1 100644
--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
@@ -1116,46 +1116,15 @@ public class CryptoUtil {
         if (s == null) {
             return s;
         }
-        s = s.replaceAll("-----BEGIN CERTIFICATE REQUEST-----", "");
-        s = s.replaceAll("-----BEGIN NEW CERTIFICATE REQUEST-----", "");
-        s = s.replaceAll("-----END CERTIFICATE REQUEST-----", "");
-        s = s.replaceAll("-----END NEW CERTIFICATE REQUEST-----", "");
-        s = s.replaceAll("-----BEGIN CERTIFICATE-----", "");
-        s = s.replaceAll("-----END CERTIFICATE-----", "");
-        s = s.replaceAll("-----BEGIN CERTIFICATE CHAIN-----", "");
-        s = s.replaceAll("-----END CERTIFICATE CHAIN-----", "");
+        // grammar defined at https://tools.ietf.org/html/rfc7468#section-3
+        s = s.replaceAll("-----(BEGIN|END) [\\p{Print}&&[^- ]]([- ]?[\\p{Print}&&[^- ]])*-----", "");
 
         StringBuffer sb = new StringBuffer();
         StringTokenizer st = new StringTokenizer(s, "\r\n ");
 
         while (st.hasMoreTokens()) {
             String nextLine = st.nextToken();
-
             nextLine = nextLine.trim();
-            if (nextLine.equals("-----BEGIN CERTIFICATE REQUEST-----")) {
-                continue;
-            }
-            if (nextLine.equals("-----BEGIN NEW CERTIFICATE REQUEST-----")) {
-                continue;
-            }
-            if (nextLine.equals("-----END CERTIFICATE REQUEST-----")) {
-                continue;
-            }
-            if (nextLine.equals("-----END NEW CERTIFICATE REQUEST-----")) {
-                continue;
-            }
-            if (nextLine.equals("-----BEGIN CERTIFICATE-----")) {
-                continue;
-            }
-            if (nextLine.equals("-----END CERTIFICATE-----")) {
-                continue;
-            }
-            if (nextLine.equals("-----BEGIN CERTIFICATE CHAIN-----")) {
-                continue;
-            }
-            if (nextLine.equals("-----END CERTIFICATE CHAIN-----")) {
-                continue;
-            }
             sb.append(nextLine);
         }
         return sb.toString();
-- 
2.5.0


From jmagne at redhat.com  Wed Jan 13 22:32:25 2016
From: jmagne at redhat.com (John Magne)
Date: Wed, 13 Jan 2016 17:32:25 -0500 (EST)
Subject: [Pki-devel] [pki-devel][PATCH]
 0060-Make-sure-the-ESC-auth-dialog-displays-the-User-Id-f.patch
In-Reply-To: <2022074412.12286743.1452724144982.JavaMail.zimbra@redhat.com>
Message-ID: <1813292266.12287110.1452724345708.JavaMail.zimbra@redhat.com>

[PATCH] Make sure the ESC auth dialog displays the User Id field
 first.

ESC displays the auth fields in the order they are received. It has been
determined that the latest TPS has been sending them in the wrong order.

This was convenient while under the hood assisting cfu with some external reg issues.
This simple fix merely assures that the UID will be displayed first by the UI.
The params for ldap auth have not changed in the life of the product, thus this simple
solution should suffice even if the params should change in any way in the future.

With the latest TPS the ESC auth dialog has displayed the password field before the UID field.
This patch addresses this in the simplest fashion by modifying the class that presents the field
data to the client to make sure that UID field is encountered first.

Ticket: https://fedorahosted.org/pki/ticket/1683 - Format/enroll of smartcard password is prompted before username
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0060-Make-sure-the-ESC-auth-dialog-displays-the-User-Id-f.patch
Type: text/x-patch
Size: 2912 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20160113/d1771350/attachment.bin>

From cfu at redhat.com  Thu Jan 14 01:49:20 2016
From: cfu at redhat.com (Christina Fu)
Date: Wed, 13 Jan 2016 17:49:20 -0800
Subject: [Pki-devel] [PATCH]
 0109-Ticket-1375-Provide-cert-key-retention-for-externalR.patch
Message-ID: <5696FEA0.2040507@redhat.com>

Ticket #1375 Provide cert/key retention for externalReg
  Ticket #1514 TPS: Recovered certs on a token has status expired
Ticket #1587 External Registration Recovery only works for 1024 sized 
keys out of the box
  This patch provides the cert/key retention feature for externalReg. if the
  certsToAdd field contains (serial,ca#) instead of the full (serial, ca#,
  keyId, kra#), then it is expecting the cert/key to be retained from token
  without having to do a full retrieval (recovery). This patch also 
fixes the
  issues reported in #1514 and #1587 as testing of #1375 is easier with 
those
  two issues addressed. An issue was found during development where Coolkey
  puts limits on the cert/key ids on the token and make it impossible to 
inject
  cert ID higher than 4, as it would then result in key ids into two digits.
  This issue will be filed as a separte ticket and addressed separately. 
Most
  testing will then be conducted.

thanks,
Christina

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cfu-0109-Ticket-1375-Provide-cert-key-retention-for-externalR.patch
Type: text/x-patch
Size: 33207 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20160113/405cbbb3/attachment.bin>

From ftweedal at redhat.com  Thu Jan 14 04:43:54 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Thu, 14 Jan 2016 14:43:54 +1000
Subject: [Pki-devel] [PATCH] 0071 Improve 'authz manager not found' message
	string
Message-ID: <20160114044354.GX31821@dhcp-40-8.bne.redhat.com>

Attached patch improves a string.  Pushed under one-liner rule.

master 933004ba052ec1ce93526616c67b5ed272f29779

Cheers,
Fraser
-------------- next part --------------
From 933004ba052ec1ce93526616c67b5ed272f29779 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Thu, 14 Jan 2016 15:26:59 +1100
Subject: [PATCH] Improve 'authz manager not found' message string

---
 base/server/cmsbundle/src/UserMessages.properties | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/base/server/cmsbundle/src/UserMessages.properties b/base/server/cmsbundle/src/UserMessages.properties
index 7c5c77d5b589886d0a8c6323436a1fdcdd4ce8f9..14f9bef643385a18f00923134b76148fca1e96ad 100644
--- a/base/server/cmsbundle/src/UserMessages.properties
+++ b/base/server/cmsbundle/src/UserMessages.properties
@@ -354,7 +354,7 @@ CMS_AUTHENTICATION_MGR_IMPL_NOT_FOUND=Cannot modify the auth manager plugin. Can
 #
 #######################################################
 CMS_AUTHORIZATION_INTERNAL_ERROR=Authorization encountered an internal error. Detailed msg: {0}
-CMS_AUTHORIZATION_AUTHZMGR_NOT_FOUND=Authorization {0} not found
+CMS_AUTHORIZATION_AUTHZMGR_NOT_FOUND=Authorization manager {0} not found
 CMS_AUTHORIZATION_AUTHZMGR_PLUGIN_NOT_FOUND=Authorization manager plugin name {0} not found
 CMS_AUTHORIZATION_UNKNOWN_PROTECTED_RESOURCE=Unknown protected resource specified: {0}
 CMS_AUTHORIZATION_UNKNOWN_OPERATION=Unknown operation specified: {0}
-- 
2.5.0


From ftweedal at redhat.com  Thu Jan 14 06:10:23 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Thu, 14 Jan 2016 16:10:23 +1000
Subject: [Pki-devel] [PATCH] 0072 Weaken PKIPrincipal to superclass in
	several places
Message-ID: <20160114061023.GY31821@dhcp-40-8.bne.redhat.com>

Hi all,

The attached patch (part of the GSS-API effort) weakens several
soon-to-be-unsafe casts of the user principal object.  It also adds
some commentary (in the form of TODOs) to replace hardcoded role
names with appropriate checks against authzManagers.

Thanks,
Fraser
-------------- next part --------------
From 368d81be5866739b4729952de2edeb4d5da14f43 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Thu, 14 Jan 2016 16:13:26 +1100
Subject: [PATCH] Weaken PKIPrincipal to superclass in several places

In several places we are casting a `Principal' to `PKIPrincpal',
when `GenericPrincpal' or even no cast will suffice.  In upcoming
external authentication support  externally authenticated principals
will not be instances of `PKIPrincipal', so weaken assumptions about
type of the principal where possible.

Part of: https://fedorahosted.org/pki/ticket/1359
---
 .../org/dogtagpki/server/ca/rest/CertService.java  |  8 ++++---
 .../dogtagpki/server/ca/rest/ProfileService.java   | 28 +++++++++++++---------
 .../org/dogtagpki/server/rest/AccountService.java  |  5 +++-
 .../com/netscape/cmscore/dbs/CSCfgDatabase.java    |  9 +++----
 .../server/tks/rest/TPSConnectorService.java       |  4 ++--
 5 files changed, 33 insertions(+), 21 deletions(-)

diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java b/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java
index 440f756dee79904556f9f1671f2638cf22199e22..f219db63e4e1132f1fe166f5e753c650baa9344d 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java
@@ -50,6 +50,7 @@ import netscape.security.x509.RevocationReason;
 import netscape.security.x509.X509CertImpl;
 import netscape.security.x509.X509Key;
 
+import org.apache.catalina.realm.GenericPrincipal;
 import org.jboss.resteasy.plugins.providers.atom.Link;
 
 import com.netscape.certsrv.apps.CMS;
@@ -75,7 +76,6 @@ import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
 import com.netscape.certsrv.logging.AuditFormat;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.request.IRequest;
-import com.netscape.cms.realm.PKIPrincipal;
 import com.netscape.cms.servlet.base.PKIService;
 import com.netscape.cms.servlet.cert.CertRequestDAO;
 import com.netscape.cms.servlet.cert.FilterBuilder;
@@ -242,8 +242,10 @@ public class CertService extends PKIService implements CertResource {
 
             processor.createCRLExtension();
 
-            PKIPrincipal principal = (PKIPrincipal)servletRequest.getUserPrincipal();
-            // TODO: do not hard-code role name
+            // TODO remove hardcoded role names and consult authzmgr
+            // (so that we can handle externally-authenticated principals)
+            GenericPrincipal principal =
+                (GenericPrincipal) servletRequest.getUserPrincipal();
             String subjectDN = principal.hasRole("Certificate Manager Agents") ?
                     null : clientSubjectDN;
 
diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java
index 488dd5ab960fd45fa3dad0dd83398b4317f2cb4f..28c50774148ec2e83bfaab15ed10adbb8dca0380 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java
@@ -41,6 +41,7 @@ import javax.ws.rs.core.Response;
 import javax.ws.rs.core.UriBuilder;
 import javax.ws.rs.core.UriInfo;
 
+import org.apache.catalina.realm.GenericPrincipal;
 import org.apache.commons.lang.StringUtils;
 import org.jboss.resteasy.plugins.providers.atom.Link;
 
@@ -76,7 +77,6 @@ import com.netscape.certsrv.profile.ProfileResource;
 import com.netscape.certsrv.property.EPropertyException;
 import com.netscape.certsrv.registry.IPluginInfo;
 import com.netscape.certsrv.registry.IPluginRegistry;
-import com.netscape.cms.realm.PKIPrincipal;
 import com.netscape.cms.servlet.base.PKIService;
 import com.netscape.cms.servlet.profile.PolicyConstraintFactory;
 import com.netscape.cms.servlet.profile.PolicyDefaultFactory;
@@ -124,11 +124,14 @@ public class ProfileService extends PKIService implements ProfileResource {
             throw new PKIException("Error listing profiles.  Profile Service not available");
         }
 
-        PKIPrincipal principal = (PKIPrincipal) servletRequest.getUserPrincipal();
-        if ((principal != null) &&
-                (principal.hasRole("Certificate Manager Agents") ||
-                principal.hasRole("Certificate Manager Administrators"))) {
-            visibleOnly = false;
+        // TODO remove hardcoded role names and consult authzmgr
+        // (so that we can handle externally-authenticated principals)
+        Principal principal = servletRequest.getUserPrincipal();
+        if (principal != null && principal instanceof GenericPrincipal) {
+            GenericPrincipal genPrincipal = (GenericPrincipal) principal;
+            if (genPrincipal.hasRole("Certificate Manager Agents") ||
+                genPrincipal.hasRole("Certificate Manager Administrators"))
+                    visibleOnly = false;
         }
 
         Enumeration<String> e = ps.getProfileIds();
@@ -181,11 +184,14 @@ public class ProfileService extends PKIService implements ProfileResource {
             throw new PKIException("Error retrieving profile.  Profile Service not available");
         }
 
-        PKIPrincipal principal = (PKIPrincipal) servletRequest.getUserPrincipal();
-        if ((principal != null) &&
-                (principal.hasRole("Certificate Manager Agents") ||
-                principal.hasRole("Certificate Manager Administrators"))) {
-            visibleOnly = false;
+        // TODO remove hardcoded role names and consult authzmgr
+        // (so that we can handle externally-authenticated principals)
+        Principal principal = servletRequest.getUserPrincipal();
+        if (principal != null && principal instanceof GenericPrincipal) {
+            GenericPrincipal genPrincipal = (GenericPrincipal) principal;
+            if (genPrincipal.hasRole("Certificate Manager Agents") ||
+                genPrincipal.hasRole("Certificate Manager Administrators"))
+                    visibleOnly = false;
         }
 
         IProfile profile;
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/AccountService.java b/base/server/cms/src/org/dogtagpki/server/rest/AccountService.java
index 4e8e6e6f89fc065e2ad0c5fa616165de929142db..827e99e076585d0732bfde8ae795d6ae63648d5f 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/AccountService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/AccountService.java
@@ -29,6 +29,7 @@ import javax.ws.rs.core.Request;
 import javax.ws.rs.core.Response;
 import javax.ws.rs.core.UriInfo;
 
+import org.apache.catalina.realm.GenericPrincipal;
 import org.apache.commons.lang.StringUtils;
 
 import com.netscape.certsrv.account.AccountInfo;
@@ -75,8 +76,10 @@ public class AccountService extends PKIService implements AccountResource {
 
             String email = user.getEmail();
             if (!StringUtils.isEmpty(email)) response.setEmail(email);
+        }
 
-            String[] roles = pkiPrincipal.getRoles();
+        if (principal instanceof GenericPrincipal) {
+            String[] roles = ((GenericPrincipal) principal).getRoles();
             response.setRoles(Arrays.asList(roles));
         }
 
diff --git a/base/server/cmscore/src/com/netscape/cmscore/dbs/CSCfgDatabase.java b/base/server/cmscore/src/com/netscape/cmscore/dbs/CSCfgDatabase.java
index 38f542ffb879ed8ed87f8673c810da05ebed9917..38b174859383adbef7c044955355009f08a36cb7 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/dbs/CSCfgDatabase.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/dbs/CSCfgDatabase.java
@@ -21,13 +21,13 @@ package com.netscape.cmscore.dbs;
 import java.security.Principal;
 import java.util.Arrays;
 
+import org.apache.catalina.realm.GenericPrincipal;
 import org.apache.commons.lang.StringUtils;
 
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.common.Constants;
-import com.netscape.cms.realm.PKIPrincipal;
 
 
 /**
@@ -51,12 +51,13 @@ public class CSCfgDatabase<E extends CSCfgRecord> extends Database<E> {
     }
 
     public boolean canApprove(Principal principal) {
-        if (!(principal instanceof PKIPrincipal)) {
+        if (!(principal instanceof GenericPrincipal)) {
             return false;
         }
 
-        PKIPrincipal pkiPrincipal = (PKIPrincipal)principal;
-        return pkiPrincipal.hasRole("TPS Agents");
+        // TODO remove hardcoded role name and consult authzmgr
+        // (so that we can handle externally-authenticated principals)
+        return ((GenericPrincipal) principal).hasRole("TPS Agents");
     }
 
     public String getRecordStatus(String recordID) throws EBaseException {
diff --git a/base/tks/src/org/dogtagpki/server/tks/rest/TPSConnectorService.java b/base/tks/src/org/dogtagpki/server/tks/rest/TPSConnectorService.java
index 93cd411cb6403ef68a9d9a0766cbaf6df30d40e1..bc655d6d0763ac9149a70e36703467b702da637d 100644
--- a/base/tks/src/org/dogtagpki/server/tks/rest/TPSConnectorService.java
+++ b/base/tks/src/org/dogtagpki/server/tks/rest/TPSConnectorService.java
@@ -5,6 +5,7 @@ import java.net.URI;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
+import java.security.Principal;
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
 import java.util.Collection;
@@ -37,7 +38,6 @@ import com.netscape.certsrv.system.TPSConnectorResource;
 import com.netscape.certsrv.tps.cert.TPSCertResource;
 import com.netscape.certsrv.usrgrp.IUGSubsystem;
 import com.netscape.certsrv.usrgrp.IUser;
-import com.netscape.cms.realm.PKIPrincipal;
 import com.netscape.cms.servlet.base.PKIService;
 import com.netscape.cmsutil.crypto.CryptoUtil;
 import com.netscape.cmsutil.util.Utils;
@@ -326,7 +326,7 @@ public class TPSConnectorService extends PKIService implements TPSConnectorResou
             throw new PKIException("Bad TPS connection configuration: userid not defined");
         }
 
-        PKIPrincipal principal = (PKIPrincipal) servletRequest.getUserPrincipal();
+        Principal principal = servletRequest.getUserPrincipal();
         if (principal == null) {
             throw new UnauthorizedException("User credentials not provided");
         }
-- 
2.5.0


From cheimes at redhat.com  Thu Jan 14 12:34:47 2016
From: cheimes at redhat.com (Christian Heimes)
Date: Thu, 14 Jan 2016 13:34:47 +0100
Subject: [Pki-devel] [PATCH 0044 Don't use settings like HTTP proxy from env
	vars
Message-ID: <569795E7.5050000@redhat.com>

The PKIConnection class uses python-requests for HTTPS. The library
picks up several settings from environment variables, e.g. HTTP proxy
server, certificate bundle with trust anchors and authentication. A
proxy can interfere with the Dogtag installer and cause some operations
to fail.

With session.trust_env = False python-requests no longer inspects the
environment and Dogtag has full controll over its connection settings.

https://requests.readthedocs.org/en/latest/api/?highlight=trust_env#requests.Session.trust_env

https://fedorahosted.org/pki/ticket/1733
https://fedorahosted.org/freeipa/ticket/5555
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cheimes-0044-Don-t-use-settings-like-HTTP-proxy-from-env-vars.patch
Type: text/x-patch
Size: 1487 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20160114/0a8f6047/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20160114/0a8f6047/attachment.sig>

From cfu at redhat.com  Fri Jan 15 01:25:54 2016
From: cfu at redhat.com (Christina Fu)
Date: Thu, 14 Jan 2016 17:25:54 -0800
Subject: [Pki-devel] [pki-devel][PATCH]
 0060-Make-sure-the-ESC-auth-dialog-displays-the-User-Id-f.patch
In-Reply-To: <1813292266.12287110.1452724345708.JavaMail.zimbra@redhat.com>
References: <1813292266.12287110.1452724345708.JavaMail.zimbra@redhat.com>
Message-ID: <56984AA2.8030400@redhat.com>

The patch made sure that the UID is displayed first.  I tested out the 
patch to work.
ACK.

Christina

On 01/13/2016 02:32 PM, John Magne wrote:
> [PATCH] Make sure the ESC auth dialog displays the User Id field
>   first.
>
> ESC displays the auth fields in the order they are received. It has been
> determined that the latest TPS has been sending them in the wrong order.
>
> This was convenient while under the hood assisting cfu with some external reg issues.
> This simple fix merely assures that the UID will be displayed first by the UI.
> The params for ldap auth have not changed in the life of the product, thus this simple
> solution should suffice even if the params should change in any way in the future.
>
> With the latest TPS the ESC auth dialog has displayed the password field before the UID field.
> This patch addresses this in the simplest fashion by modifying the class that presents the field
> data to the client to make sure that UID field is encountered first.
>
> Ticket: https://fedorahosted.org/pki/ticket/1683 - Format/enroll of smartcard password is prompted before username
>
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20160114/04f3bcc4/attachment.htm>

From ftweedal at redhat.com  Fri Jan 15 01:44:22 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Fri, 15 Jan 2016 11:44:22 +1000
Subject: [Pki-devel] [PATCH 0044 Don't use settings like HTTP proxy from
 env vars
In-Reply-To: <569795E7.5050000@redhat.com>
References: <569795E7.5050000@redhat.com>
Message-ID: <20160115014422.GC31821@dhcp-40-8.bne.redhat.com>

On Thu, Jan 14, 2016 at 01:34:47PM +0100, Christian Heimes wrote:
> The PKIConnection class uses python-requests for HTTPS. The library
> picks up several settings from environment variables, e.g. HTTP proxy
> server, certificate bundle with trust anchors and authentication. A
> proxy can interfere with the Dogtag installer and cause some operations
> to fail.
> 
> With session.trust_env = False python-requests no longer inspects the
> environment and Dogtag has full controll over its connection settings.
> 
> https://requests.readthedocs.org/en/latest/api/?highlight=trust_env#requests.Session.trust_env
> 
> https://fedorahosted.org/pki/ticket/1733
> https://fedorahosted.org/freeipa/ticket/5555
>
Works as advertised :)

ACK



From cheimes at redhat.com  Fri Jan 15 13:06:00 2016
From: cheimes at redhat.com (Christian Heimes)
Date: Fri, 15 Jan 2016 14:06:00 +0100
Subject: [Pki-devel] [PATCH 45/46] Run flake8 and pylint --py3k and fix
	violations
Message-ID: <5698EEB8.5050104@redhat.com>

The first patch add flake8 tests and pylint --py3k to RPM build. The
second patch fixes a couple of flake8 violations that have accumulated
in the past month.

I'm still having a problem with sphinx autodocs. It can't build
documentation for pki.crypto. It looks like autodocs doesn't do relative
imports correctly and picks up pki/nss.py as nss.

SphinxWarning: /home/heimes/redhat/pki/base/common/python/pki.rst:39:
WARNING: autodoc: failed to import module u'pki.crypto'; the following
exception was raised:
Traceback (most recent call last):
  File
"/home/heimes/redhat/pki/.tox/docs/lib/python2.7/site-packages/sphinx/ext/autodoc.py",
line 385, in import_object
    __import__(self.modname)
  File
"/home/heimes/redhat/pki/.tox/docs/lib/python2.7/site-packages/pki/crypto.py",
line 26, in <module>
    import nss.nss as nss
ImportError: No module named nss


Christian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cheimes-0045-Run-flake8-and-pylint-py3k-tests-during-RPM-build.patch
Type: text/x-patch
Size: 2258 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20160115/ffd545ad/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cheimes-0046-Fix-flake8-PEP-8-violations.patch
Type: text/x-patch
Size: 17028 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20160115/ffd545ad/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20160115/ffd545ad/attachment.sig>

From cfu at redhat.com  Fri Jan 15 17:23:20 2016
From: cfu at redhat.com (Christina Fu)
Date: Fri, 15 Jan 2016 09:23:20 -0800
Subject: [Pki-devel] [PATCH]
 0109-Ticket-1375-Provide-cert-key-retention-for-externalR.patch
In-Reply-To: <5696FEA0.2040507@redhat.com>
References: <5696FEA0.2040507@redhat.com>
Message-ID: <56992B08.4050709@redhat.com>

verbal conditional ack from Jack.
  addressed and committed.

commit 9a6a3d1cbf6e347b2cf0737afca4f793a6a0d0ba

Christina

On 01/13/2016 05:49 PM, Christina Fu wrote:
> Ticket #1375 Provide cert/key retention for externalReg
>  Ticket #1514 TPS: Recovered certs on a token has status expired
> Ticket #1587 External Registration Recovery only works for 1024 sized 
> keys out of the box
>  This patch provides the cert/key retention feature for externalReg. 
> if the
>  certsToAdd field contains (serial,ca#) instead of the full (serial, ca#,
>  keyId, kra#), then it is expecting the cert/key to be retained from 
> token
>  without having to do a full retrieval (recovery). This patch also 
> fixes the
>  issues reported in #1514 and #1587 as testing of #1375 is easier with 
> those
>  two issues addressed. An issue was found during development where 
> Coolkey
>  puts limits on the cert/key ids on the token and make it impossible 
> to inject
>  cert ID higher than 4, as it would then result in key ids into two 
> digits.
>  This issue will be filed as a separte ticket and addressed 
> separately. Most
>  testing will then be conducted.
>
> thanks,
> Christina
>
>
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20160115/c9324a3c/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cfu-0110-Ticket-1375-Provide-cert-key-retention-for-externalR.patch
Type: text/x-patch
Size: 33677 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20160115/c9324a3c/attachment.bin>

From jmagne at redhat.com  Sat Jan 16 00:24:32 2016
From: jmagne at redhat.com (John Magne)
Date: Fri, 15 Jan 2016 19:24:32 -0500 (EST)
Subject: [Pki-devel]
	[pki-devel][PATCH]0061-Enhance-tkstool-for-capabilities-and-security.patch
In-Reply-To: <1789430958.13899889.1452903824918.JavaMail.zimbra@redhat.com>
Message-ID: <282683754.13899921.1452903872277.JavaMail.zimbra@redhat.com>

Enhance tkstool for capabilities and security

This simple ticket is to fix tkstool to allow it
to create the master key with the proper flags to make
the key data private such that it can't be easily viewed when
using tools to print out sym keys on the token.

Fix tested on the "internal" token by trying the various tkstool
cmds to make sure having the key private does not cause issues.
Also tried a simple key changeover operation with tpsclient to make
sure that symkey can still do what it needs to do witht the master key.

Further testing with a full hsm will be required.
The goal was the create the key with the same flags that are used with the
previous "PK11_GenKeyOnToken" (name approx) is used. This version had no
flags and created a default set. This fix uses the version With flags and
does what the old one did, but made sure the key is private and sensitive.

Master key can be tested by using the tool:

/usr/lib64/nss/unsupported-tools/symkeyutil -d ./ -L


-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0061-Enhance-tkstool-for-capabilities-and-security.patch
Type: text/x-patch
Size: 4923 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20160115/05a04be6/attachment.bin>

From edewata at redhat.com  Mon Jan 18 15:58:24 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 18 Jan 2016 09:58:24 -0600
Subject: [Pki-devel] [PATCH] 664 Fixed TPS UI to display accessible
 services only.
In-Reply-To: <20160111062830.GJ31821@dhcp-40-8.bne.redhat.com>
References: <5679BE2D.9050708@redhat.com>
	<20160111062830.GJ31821@dhcp-40-8.bne.redhat.com>
Message-ID: <569D0BA0.3070709@redhat.com>

On 1/11/2016 12:28 AM, Fraser Tweedale wrote:
> ACK

Thanks! Pushed to master.

-- 
Endi S. Dewata



From edewata at redhat.com  Mon Jan 18 15:58:28 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 18 Jan 2016 09:58:28 -0600
Subject: [Pki-devel] [PATCH] 665 Added table to manage TPS user profiles.
In-Reply-To: <20160111070208.GK31821@dhcp-40-8.bne.redhat.com>
References: <568AD6A0.1090606@redhat.com>
	<20160111070208.GK31821@dhcp-40-8.bne.redhat.com>
Message-ID: <569D0BA4.6080302@redhat.com>

On 1/11/2016 1:02 AM, Fraser Tweedale wrote:
> ACK

Thanks! Pushed to master.

-- 
Endi S. Dewata



From edewata at redhat.com  Mon Jan 18 15:58:43 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 18 Jan 2016 09:58:43 -0600
Subject: [Pki-devel] [PATCH] 666 Updated CLI to run individual selftests.
In-Reply-To: <20160111041123.GF31821@dhcp-40-8.bne.redhat.com>
References: <568B1497.2000302@redhat.com>
	<20160111041123.GF31821@dhcp-40-8.bne.redhat.com>
Message-ID: <569D0BB3.7020109@redhat.com>

On 1/10/2016 10:11 PM, Fraser Tweedale wrote:
> ACK

Thanks! Pushed to master.

-- 
Endi S. Dewata



From edewata at redhat.com  Mon Jan 18 15:58:49 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 18 Jan 2016 09:58:49 -0600
Subject: [Pki-devel] [PATCH] 667 Added interface to run selftest in TPS
 UI.
In-Reply-To: <20160111041322.GG31821@dhcp-40-8.bne.redhat.com>
References: <568D4A37.1020407@redhat.com>
	<20160111041322.GG31821@dhcp-40-8.bne.redhat.com>
Message-ID: <569D0BB9.4040507@redhat.com>

On 1/10/2016 10:13 PM, Fraser Tweedale wrote:
> ACK

Thanks! Pushed to master.

-- 
Endi S. Dewata



From jmagne at redhat.com  Mon Jan 18 21:36:55 2016
From: jmagne at redhat.com (John Magne)
Date: Mon, 18 Jan 2016 16:36:55 -0500 (EST)
Subject: [Pki-devel] [pki-devel][PATCH]
 0060-Make-sure-the-ESC-auth-dialog-displays-the-User-Id-f.patch
In-Reply-To: <56984AA2.8030400@redhat.com>
References: <1813292266.12287110.1452724345708.JavaMail.zimbra@redhat.com>
	<56984AA2.8030400@redhat.com>
Message-ID: <2012067029.14893945.1453153015764.JavaMail.zimbra@redhat.com>

ACKED by cfu, pushed to master.

Writing objects: 100% (10/10), 1.22 KiB | 0 bytes/s, done.
Total 10 (delta 6), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/pki.git
   e7f4ecd..18e8344  master -> master


----- Original Message -----
From: "Christina Fu" <cfu at redhat.com>
To: pki-devel at redhat.com
Sent: Thursday, January 14, 2016 5:25:54 PM
Subject: Re: [Pki-devel] [pki-devel][PATCH] 0060-Make-sure-the-ESC-auth-dialog-displays-the-User-Id-f.patch

The patch made sure that the UID is displayed first. I tested out the patch to work. 
ACK. 

Christina 

On 01/13/2016 02:32 PM, John Magne wrote: 



[PATCH] Make sure the ESC auth dialog displays the User Id field
 first.

ESC displays the auth fields in the order they are received. It has been
determined that the latest TPS has been sending them in the wrong order.

This was convenient while under the hood assisting cfu with some external reg issues.
This simple fix merely assures that the UID will be displayed first by the UI.
The params for ldap auth have not changed in the life of the product, thus this simple
solution should suffice even if the params should change in any way in the future.

With the latest TPS the ESC auth dialog has displayed the password field before the UID field.
This patch addresses this in the simplest fashion by modifying the class that presents the field
data to the client to make sure that UID field is encountered first.

Ticket: https://fedorahosted.org/pki/ticket/1683 - Format/enroll of smartcard password is prompted before username 


_______________________________________________
Pki-devel mailing list Pki-devel at redhat.com https://www.redhat.com/mailman/listinfo/pki-devel 


_______________________________________________
Pki-devel mailing list
Pki-devel at redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel



From ftweedal at redhat.com  Tue Jan 19 00:07:35 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Tue, 19 Jan 2016 10:07:35 +1000
Subject: [Pki-devel] [PATCH] 0057..0061 LDAPProfileSubsystem concurrency
 fixes
In-Reply-To: <5695520F.1010908@redhat.com>
References: <20151201045650.GM23644@dhcp-40-8.bne.redhat.com>
	<5695520F.1010908@redhat.com>
Message-ID: <20160119000735.GG31821@dhcp-40-8.bne.redhat.com>

Hi Endi, thanks for reviewing.  I've addressed your comments
(commentary inline) and pushed 57..59 to master:

0057 d272cec2614a4a45abd3fdbf7139dbd52b3275ae
0058 2bd89f148b4b347fc80285ec521d2af0299da746
0059 81af68d3e3b1a89f799693e7f7ecda59f57abfe4

On Tue, Jan 12, 2016 at 01:20:47PM -0600, Endi Sukma Dewata wrote:
> On 11/30/2015 10:56 PM, Fraser Tweedale wrote:
> >The attached patches resolve concurrency issues in the
> >LDAPProfileSubsystem (which conducts its LDAP persisent search in
> >background thread).
> >
> >Ticket: https://fedorahosted.org/pki/ticket/1700
> >
> >Thanks,
> >Fraser
> 
> Patch #57 is ACKed.
> 
> Patch #58 is ACKed with some comments:
> 
> 1. To help troubleshooting, the static initializer in LDAPPostReadControl
> should log the exception:
> 
>     static {
>         try {
>             register(OID_POSTREAD, LDAPPostReadControl.class);
>         } catch (Throwable e) {
>             e.printStackTrace();
>         }
>     }
> 
Done.

> 2. In LDAPPostReadControl constructor is it necessary to catch & ignore the
> exception? I think the String constructor doesn't declare any throwable
> exceptions. If necessary, we could wrap the original exception and rethrow
> it so we'll know if there's an error.
> 
>     try {
>         dn = new String(buf, "UTF8");
>     } catch(Throwable e) {
>         throw IOException(e);
>     }
> 
This constructor can throw UnsupportedEncodingException which is a
subclass of IOException.  IOException is declared by the method so I
changed it to just let the exception through.

> 3. The LDAPPostReadControl is used for both request and response. It's not
> an issue, but it would be nice to use separate classes since they have
> different contents (e.g. the request doesn't have an LDAP entry).
> 
Not possible, unfortunately.  The same OID is used for both the
request and response structures, and the control is registered by
OID.

> Patch #59 is ACKed with some comments:
> 
> 1. In AbstractProfileSubsystem and LDAPProfileSubsystem, the commitProfile()
> should chain the original exception to help troubleshooting:
> 
>      throw new EProfileException(
>          "Failed to commit config store of profile '" + id + ": " + e,
>          e);
> 
Done, thanks.

> 2. In LDAPProfileSubsystem it would be nice to have a time- or size-based
> cache expiration for the entryUSNs map, but assuming the number of profiles
> will stay relatively small this may not be a problem. Just something to keep
> in mind.
> 
Size is linear in number of profiles; nothing to worry about :)

> More will follow.
> 
> -- 
> Endi S. Dewata
>
Cheers,
Fraser



From ftweedal at redhat.com  Tue Jan 19 06:06:38 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Tue, 19 Jan 2016 16:06:38 +1000
Subject: [Pki-devel] [PATCH] 0055 Allow encoded slashes in HTTP paths
In-Reply-To: <5693FE5C.8020806@redhat.com>
References: <20151105052223.GC20018@dhcp-40-8.bne.redhat.com>
	<5693FE5C.8020806@redhat.com>
Message-ID: <20160119060638.GH31821@dhcp-40-8.bne.redhat.com>

Updated patch attached; comments inline.

On Mon, Jan 11, 2016 at 01:11:24PM -0600, Endi Sukma Dewata wrote:
> On 11/4/2015 11:22 PM, Fraser Tweedale wrote:
> >The attached patch fixes GET-based OCSP requests,
> >https://fedorahosted.org/pki/ticket/1658
> >
> >Cheers,
> >Fraser
> 
> Some comments:
> 
> 1. The ALLOW_ENCODED_SLASH parameter will fix the problem, but there's a
> security concern:
> 
> http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html
> 
> The org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH and
> org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH system properties
> allow non-standard parsing of the request URI. Using these options when
> behind a reverse proxy may enable an attacker to bypass any security
> constraints enforced by the proxy.
> 
> However, since we are not dependent on a proxy to protect PKI pages in
> Tomcat (we have our own ACL in PKI) I suppose this is not an issue, unless
> anybody else has a concern.
> 
I do not see a vulnerability - AFAICT the vulnerability was from
proxies enforcing path-based access control but parsed path
differently, which as you point out is not our situation.  Hopefully
we are not overlooking something.

> 2. I think the catalina.properties that needs to be modified is in
> base/server/share/conf. The others are duplicates that should've been
> removed.
> 
Patch updated.  I'll send another patch removing the obsolete
catalina.properties files soon.

> 3. During deployment the catalina.properties is copied into <instance
> dir>/conf. So if we want to fix existing instances we need to write an
> upgrade script.
> 
Added an upgrade script.

Thanks for reviewing!
Fraser
-------------- next part --------------
From e4cd7e5974e1be74ac4d360eb881e73b7d5142cc Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Thu, 5 Nov 2015 00:17:24 -0500
Subject: [PATCH] Allow encoded slashes in HTTP paths

Properly formed GET-based OCSP requests can contain URL-encoded
slashes in the HTTP path[1] but our Tomcat configuration does not
permit this (returns 400 Bad Request).  Change catalina.properties
to allow URL-encoded slashes in HTTP paths.

[1] https://tools.ietf.org/html/rfc6960#appendix-A.1

Also add an upgrade script to update catalina.properties in existing
instances.

Fixes: https://fedorahosted.org/pki/ticket/1658
---
 base/server/share/conf/catalina.properties      |  2 ++
 base/server/upgrade/10.3.0/01-AllowEncodedSlash | 37 +++++++++++++++++++++++++
 2 files changed, 39 insertions(+)
 create mode 100755 base/server/upgrade/10.3.0/01-AllowEncodedSlash

diff --git a/base/server/share/conf/catalina.properties b/base/server/share/conf/catalina.properties
index 003089a4310455f68c067ccf669123e37a568fe3..2199a78d881da214130f05d186819a043b5e7ee2 100644
--- a/base/server/share/conf/catalina.properties
+++ b/base/server/share/conf/catalina.properties
@@ -123,3 +123,5 @@ tomcat.util.buf.StringCache.byte.enabled=true
 #tomcat.util.buf.StringCache.char.enabled=true
 #tomcat.util.buf.StringCache.trainThreshold=500000
 #tomcat.util.buf.StringCache.cacheSize=5000
+
+org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true
diff --git a/base/server/upgrade/10.3.0/01-AllowEncodedSlash b/base/server/upgrade/10.3.0/01-AllowEncodedSlash
new file mode 100755
index 0000000000000000000000000000000000000000..3225d3a7e754e629eb42b1612684695856720134
--- /dev/null
+++ b/base/server/upgrade/10.3.0/01-AllowEncodedSlash
@@ -0,0 +1,37 @@
+#!/usr/bin/python
+# Authors:
+#     Fraser Tweedale <ftweedal at redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2016 Red Hat, Inc.
+# All rights reserved.
+
+from __future__ import absolute_import
+import os.path
+import pki.server.upgrade
+
+class AllowEncodedSlash(pki.server.upgrade.PKIServerUpgradeScriptlet):
+
+    def __init__(self):
+        super(AllowEncodedSlash, self).__init__()
+        self.message = 'Enable Tomcat ALLOW_ENCODED_SLASH parameter'
+
+    def upgrade_instance(self, instance):
+        path = os.path.join(instance.base_dir, 'conf', 'catalina.properties')
+        if os.path.isfile(path):
+            with open(path, 'a+') as f:
+                data = f.read()
+                if 'ALLOW_ENCODED_SLASH=' not in data:
+                    f.write('\norg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true\n')
-- 
2.5.0


From cheimes at redhat.com  Tue Jan 19 10:26:12 2016
From: cheimes at redhat.com (Christian Heimes)
Date: Tue, 19 Jan 2016 11:26:12 +0100
Subject: [Pki-devel] [PATCH 0044 Don't use settings like HTTP proxy from
 env vars
In-Reply-To: <569795E7.5050000@redhat.com>
References: <569795E7.5050000@redhat.com>
Message-ID: <569E0F44.1090000@redhat.com>

On 2016-01-14 13:34, Christian Heimes wrote:
> The PKIConnection class uses python-requests for HTTPS. The library
> picks up several settings from environment variables, e.g. HTTP proxy
> server, certificate bundle with trust anchors and authentication. A
> proxy can interfere with the Dogtag installer and cause some operations
> to fail.
> 
> With session.trust_env = False python-requests no longer inspects the
> environment and Dogtag has full controll over its connection settings.
> 
> https://requests.readthedocs.org/en/latest/api/?highlight=trust_env#requests.Session.trust_env
> 
> https://fedorahosted.org/pki/ticket/1733
> https://fedorahosted.org/freeipa/ticket/5555

Endi suggested to keep the default and only disable trust_env in the
installer. Here is an updated patch.

Christian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cheimes-0044-2-Dont-use-settings-like-HTTP-proxy-from-env-vars.patch
Type: text/x-patch
Size: 5163 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20160119/5aef051d/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20160119/5aef051d/attachment.sig>

From cheimes at redhat.com  Tue Jan 19 13:48:41 2016
From: cheimes at redhat.com (Christian Heimes)
Date: Tue, 19 Jan 2016 14:48:41 +0100
Subject: [Pki-devel] [PATCH 0047] Remove #!python shebang from
	non-executables
Message-ID: <569E3EB9.3030400@redhat.com>

A lot of Python files start with a #!/usr/bin/python shebang although
the files are neither executables nor designed as scripts. Shebangs are
only required for executable scripts.

Without unnecessary shebangs it's a bit easier to track Python 3
porting.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cheimes-0047-Remove-python-shebang-from-non-executables.patch
Type: text/x-patch
Size: 21300 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20160119/65b37728/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20160119/65b37728/attachment.sig>

From ftweedal at redhat.com  Tue Jan 19 22:45:46 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Wed, 20 Jan 2016 08:45:46 +1000
Subject: [Pki-devel] [PATCH] 0073 Remove obsolete catalina config files
Message-ID: <20160119224546.GI31821@dhcp-40-8.bne.redhat.com>

The attached patch removes some config files that are not used now
that we use shared Tomcat instance.

Thanks,
Fraser
-------------- next part --------------
From 8d94d4c3afdea713d1f00e5760e4a28976b5191c Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Tue, 19 Jan 2016 16:27:59 +1100
Subject: [PATCH] Remove obsolete catalina config files

---
 base/ca/shared/conf/catalina.policy       | 184 ------------------------------
 base/ca/shared/conf/catalina.properties   |  87 --------------
 base/kra/shared/conf/catalina.policy      | 184 ------------------------------
 base/kra/shared/conf/catalina.properties  |  87 --------------
 base/ocsp/shared/conf/catalina.policy     | 184 ------------------------------
 base/ocsp/shared/conf/catalina.properties |  87 --------------
 base/tks/shared/conf/catalina.policy      | 184 ------------------------------
 base/tks/shared/conf/catalina.properties  |  87 --------------
 base/tps/shared/conf/catalina.policy      | 182 -----------------------------
 base/tps/shared/conf/catalina.properties  |  87 --------------
 10 files changed, 1353 deletions(-)
 delete mode 100644 base/ca/shared/conf/catalina.policy
 delete mode 100644 base/ca/shared/conf/catalina.properties
 delete mode 100644 base/kra/shared/conf/catalina.policy
 delete mode 100644 base/kra/shared/conf/catalina.properties
 delete mode 100644 base/ocsp/shared/conf/catalina.policy
 delete mode 100644 base/ocsp/shared/conf/catalina.properties
 delete mode 100644 base/tks/shared/conf/catalina.policy
 delete mode 100644 base/tks/shared/conf/catalina.properties
 delete mode 100644 base/tps/shared/conf/catalina.policy
 delete mode 100644 base/tps/shared/conf/catalina.properties

diff --git a/base/ca/shared/conf/catalina.policy b/base/ca/shared/conf/catalina.policy
deleted file mode 100644
index cf8302cd0a1fddbe02cfc3ab784a5361c6fc4e2b..0000000000000000000000000000000000000000
--- a/base/ca/shared/conf/catalina.policy
+++ /dev/null
@@ -1,184 +0,0 @@
-// --- BEGIN COPYRIGHT BLOCK ---
-// Copyright (C) 2006-2010 Red Hat, Inc.
-// All rights reserved.
-// Modifications: configuration parameters
-// --- END COPYRIGHT BLOCK ---
-
-// Licensed to the Apache Software Foundation (ASF) under one or more
-// contributor license agreements.  See the NOTICE file distributed with
-// this work for additional information regarding copyright ownership.
-// The ASF licenses this file to You under the Apache License, Version 2.0
-// (the "License"); you may not use this file except in compliance with
-// the License.  You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// ============================================================================
-// catalina.corepolicy - Security Policy Permissions for Tomcat 6
-//
-// This file contains a default set of security policies to be enforced (by the
-// JVM) when Catalina is executed with the "-security" option.  In addition
-// to the permissions granted here, the following additional permissions are
-// granted to the codebase specific to each web application:
-//
-// * Read access to the document root directory
-//
-// $Id$
-// ============================================================================
-
-
-// ========== SYSTEM CODE PERMISSIONS =========================================
-
-
-// These permissions apply to javac
-grant codeBase "file:${java.home}/lib/-" {
-        permission java.security.AllPermission;
-};
-
-// These permissions apply to all shared system extensions
-grant codeBase "file:${java.home}/jre/lib/ext/-" {
-        permission java.security.AllPermission;
-};
-
-// These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre
-grant codeBase "file:${java.home}/../lib/-" {
-        permission java.security.AllPermission;
-};
-
-// These permissions apply to all shared system extensions when
-// ${java.home} points at $JAVA_HOME/jre
-grant codeBase "file:${java.home}/lib/ext/-" {
-        permission java.security.AllPermission;
-};
-
-
-// ========== CATALINA CODE PERMISSIONS =======================================
-
-
-// These permissions apply to the daemon code
-grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
-        permission java.security.AllPermission;
-};
-
-// These permissions apply to the logging API
-grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
-        permission java.util.PropertyPermission "java.util.logging.config.class", "read";
-        permission java.util.PropertyPermission "java.util.logging.config.file", "read";
-        permission java.io.FilePermission "${java.home}${file.separator}lib${file.separator}logging.properties", "read"; 
-        permission java.lang.RuntimePermission "shutdownHooks";
-        permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
-        permission java.util.PropertyPermission "catalina.base", "read";
-        permission java.util.logging.LoggingPermission "control";
-        permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read, write";
-        permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}*", "read, write";
-        permission java.lang.RuntimePermission "getClassLoader";
-        // To enable per context logging configuration, permit read access to the appropriate file.
-        // Be sure that the logging configuration is secure before enabling such access
-        // eg for the examples web application:
-        // permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
-};
-
-// These permissions apply to the server startup code
-grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
-        permission java.security.AllPermission;
-};
-
-// These permissions apply to the servlet API classes
-// and those that are shared across all class loaders
-// located in the "lib" directory
-grant codeBase "file:${catalina.home}/lib/-" {
-        permission java.security.AllPermission;
-};
-
-
-// ========== WEB APPLICATION PERMISSIONS =====================================
-
-
-// These permissions are granted by default to all web applications
-// In addition, a web application will be given a read FilePermission
-// and JndiPermission for all files and directories in its document root.
-grant { 
-    // Required for JNDI lookup of named JDBC DataSource's and
-    // javamail named MimePart DataSource used to send mail
-    permission java.util.PropertyPermission "java.home", "read";
-    permission java.util.PropertyPermission "java.naming.*", "read";
-    permission java.util.PropertyPermission "javax.sql.*", "read";
-
-    // OS Specific properties to allow read access
-    permission java.util.PropertyPermission "os.name", "read";
-    permission java.util.PropertyPermission "os.version", "read";
-    permission java.util.PropertyPermission "os.arch", "read";
-    permission java.util.PropertyPermission "file.separator", "read";
-    permission java.util.PropertyPermission "path.separator", "read";
-    permission java.util.PropertyPermission "line.separator", "read";
-
-    // JVM properties to allow read access
-    permission java.util.PropertyPermission "java.version", "read";
-    permission java.util.PropertyPermission "java.vendor", "read";
-    permission java.util.PropertyPermission "java.vendor.url", "read";
-    permission java.util.PropertyPermission "java.class.version", "read";
-	permission java.util.PropertyPermission "java.specification.version", "read";
-	permission java.util.PropertyPermission "java.specification.vendor", "read";
-	permission java.util.PropertyPermission "java.specification.name", "read";
-
-	permission java.util.PropertyPermission "java.vm.specification.version", "read";
-	permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
-	permission java.util.PropertyPermission "java.vm.specification.name", "read";
-	permission java.util.PropertyPermission "java.vm.version", "read";
-	permission java.util.PropertyPermission "java.vm.vendor", "read";
-	permission java.util.PropertyPermission "java.vm.name", "read";
-
-    // Required for OpenJMX
-    permission java.lang.RuntimePermission "getAttribute";
-
-	// Allow read of JAXP compliant XML parser debug
-	permission java.util.PropertyPermission "jaxp.debug", "read";
-
-    // Precompiled JSPs need access to this package.
-    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
-    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";
-    
-    // Precompiled JSPs need access to this system property.
-    permission java.util.PropertyPermission "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";
-
-};
-
-
-// You can assign additional permissions to particular web applications by
-// adding additional "grant" entries here, based on the code base for that
-// application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files.
-//
-// Different permissions can be granted to JSP pages, classes loaded from
-// the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/
-// directory, or even to individual jar files in the /WEB-INF/lib/ directory.
-//
-// For instance, assume that the standard "examples" application
-// included a JDBC driver that needed to establish a network connection to the
-// corresponding database and used the scrape taglib to get the weather from
-// the NOAA web server.  You might create a "grant" entries like this:
-//
-// The permissions granted to the context root directory apply to JSP pages.
-// grant codeBase "file:${catalina.home}/webapps/examples/-" {
-//      permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
-//      permission java.net.SocketPermission "*.noaa.gov:80", "connect";
-// };
-//
-// The permissions granted to the context WEB-INF/classes directory
-// grant codeBase "file:${catalina.home}/webapps/examples/WEB-INF/classes/-" {
-// };
-//
-// The permission granted to your JDBC driver
-// grant codeBase "jar:file:${catalina.home}/webapps/examples/WEB-INF/lib/driver.jar!/-" {
-//      permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
-// };
-// The permission granted to the scrape taglib
-// grant codeBase "jar:file:${catalina.home}/webapps/examples/WEB-INF/lib/scrape.jar!/-" {
-//      permission java.net.SocketPermission "*.noaa.gov:80", "connect";
-// };
-
diff --git a/base/ca/shared/conf/catalina.properties b/base/ca/shared/conf/catalina.properties
deleted file mode 100644
index 70cb7c05e78e0c4ab4b64a74d3f9eaadf96a1420..0000000000000000000000000000000000000000
--- a/base/ca/shared/conf/catalina.properties
+++ /dev/null
@@ -1,87 +0,0 @@
-# --- BEGIN COPYRIGHT BLOCK ---
-# Copyright (C) 2006-2010 Red Hat, Inc.
-# All rights reserved.
-# Modifications: configuration parameters
-# --- END COPYRIGHT BLOCK ---
-
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements.  See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License.  You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-#
-# List of comma-separated packages that start with or equal this string
-# will cause a security exception to be thrown when
-# passed to checkPackageAccess unless the
-# corresponding RuntimePermission ("accessClassInPackage."+package) has
-# been granted.
-package.access=sun.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.,sun.beans.
-#
-# List of comma-separated packages that start with or equal this string
-# will cause a security exception to be thrown when
-# passed to checkPackageDefinition unless the
-# corresponding RuntimePermission ("defineClassInPackage."+package) has
-# been granted.
-#
-# by default, no packages are restricted for definition, and none of
-# the class loaders supplied with the JDK call checkPackageDefinition.
-#
-package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.
-
-#
-#
-# List of comma-separated paths defining the contents of the "common" 
-# classloader. Prefixes should be used to define what is the repository type.
-# Path may be relative to the CATALINA_HOME or CATALINA_BASE path or absolute.
-# If left as blank,the JVM system loader will be used as Catalina's "common" 
-# loader.
-# Examples:
-#     "foo": Add this folder as a class repository
-#     "foo/*.jar": Add all the JARs of the specified folder as class 
-#                  repositories
-#     "foo/bar.jar": Add bar.jar as a class repository
-common.loader=${catalina.home}/lib,${catalina.home}/lib/*.jar,[TOMCAT_INSTANCE_COMMON_LIB]
-
-#
-# List of comma-separated paths defining the contents of the "server" 
-# classloader. Prefixes should be used to define what is the repository type.
-# Path may be relative to the CATALINA_HOME or CATALINA_BASE path or absolute.
-# If left as blank, the "common" loader will be used as Catalina's "server" 
-# loader.
-# Examples:
-#     "foo": Add this folder as a class repository
-#     "foo/*.jar": Add all the JARs of the specified folder as class 
-#                  repositories
-#     "foo/bar.jar": Add bar.jar as a class repository
-server.loader=
-
-#
-# List of comma-separated paths defining the contents of the "shared" 
-# classloader. Prefixes should be used to define what is the repository type.
-# Path may be relative to the CATALINA_BASE path or absolute. If left as blank,
-# the "common" loader will be used as Catalina's "shared" loader.
-# Examples:
-#     "foo": Add this folder as a class repository
-#     "foo/*.jar": Add all the JARs of the specified folder as class 
-#                  repositories
-#     "foo/bar.jar": Add bar.jar as a class repository 
-# Please note that for single jars, e.g. bar.jar, you need the URL form
-# starting with file:.
-shared.loader=
-
-#
-# String cache configuration.
-tomcat.util.buf.StringCache.byte.enabled=true
-#tomcat.util.buf.StringCache.char.enabled=true
-#tomcat.util.buf.StringCache.trainThreshold=500000
-#tomcat.util.buf.StringCache.cacheSize=5000
diff --git a/base/kra/shared/conf/catalina.policy b/base/kra/shared/conf/catalina.policy
deleted file mode 100644
index cf8302cd0a1fddbe02cfc3ab784a5361c6fc4e2b..0000000000000000000000000000000000000000
--- a/base/kra/shared/conf/catalina.policy
+++ /dev/null
@@ -1,184 +0,0 @@
-// --- BEGIN COPYRIGHT BLOCK ---
-// Copyright (C) 2006-2010 Red Hat, Inc.
-// All rights reserved.
-// Modifications: configuration parameters
-// --- END COPYRIGHT BLOCK ---
-
-// Licensed to the Apache Software Foundation (ASF) under one or more
-// contributor license agreements.  See the NOTICE file distributed with
-// this work for additional information regarding copyright ownership.
-// The ASF licenses this file to You under the Apache License, Version 2.0
-// (the "License"); you may not use this file except in compliance with
-// the License.  You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// ============================================================================
-// catalina.corepolicy - Security Policy Permissions for Tomcat 6
-//
-// This file contains a default set of security policies to be enforced (by the
-// JVM) when Catalina is executed with the "-security" option.  In addition
-// to the permissions granted here, the following additional permissions are
-// granted to the codebase specific to each web application:
-//
-// * Read access to the document root directory
-//
-// $Id$
-// ============================================================================
-
-
-// ========== SYSTEM CODE PERMISSIONS =========================================
-
-
-// These permissions apply to javac
-grant codeBase "file:${java.home}/lib/-" {
-        permission java.security.AllPermission;
-};
-
-// These permissions apply to all shared system extensions
-grant codeBase "file:${java.home}/jre/lib/ext/-" {
-        permission java.security.AllPermission;
-};
-
-// These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre
-grant codeBase "file:${java.home}/../lib/-" {
-        permission java.security.AllPermission;
-};
-
-// These permissions apply to all shared system extensions when
-// ${java.home} points at $JAVA_HOME/jre
-grant codeBase "file:${java.home}/lib/ext/-" {
-        permission java.security.AllPermission;
-};
-
-
-// ========== CATALINA CODE PERMISSIONS =======================================
-
-
-// These permissions apply to the daemon code
-grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
-        permission java.security.AllPermission;
-};
-
-// These permissions apply to the logging API
-grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
-        permission java.util.PropertyPermission "java.util.logging.config.class", "read";
-        permission java.util.PropertyPermission "java.util.logging.config.file", "read";
-        permission java.io.FilePermission "${java.home}${file.separator}lib${file.separator}logging.properties", "read"; 
-        permission java.lang.RuntimePermission "shutdownHooks";
-        permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
-        permission java.util.PropertyPermission "catalina.base", "read";
-        permission java.util.logging.LoggingPermission "control";
-        permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read, write";
-        permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}*", "read, write";
-        permission java.lang.RuntimePermission "getClassLoader";
-        // To enable per context logging configuration, permit read access to the appropriate file.
-        // Be sure that the logging configuration is secure before enabling such access
-        // eg for the examples web application:
-        // permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
-};
-
-// These permissions apply to the server startup code
-grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
-        permission java.security.AllPermission;
-};
-
-// These permissions apply to the servlet API classes
-// and those that are shared across all class loaders
-// located in the "lib" directory
-grant codeBase "file:${catalina.home}/lib/-" {
-        permission java.security.AllPermission;
-};
-
-
-// ========== WEB APPLICATION PERMISSIONS =====================================
-
-
-// These permissions are granted by default to all web applications
-// In addition, a web application will be given a read FilePermission
-// and JndiPermission for all files and directories in its document root.
-grant { 
-    // Required for JNDI lookup of named JDBC DataSource's and
-    // javamail named MimePart DataSource used to send mail
-    permission java.util.PropertyPermission "java.home", "read";
-    permission java.util.PropertyPermission "java.naming.*", "read";
-    permission java.util.PropertyPermission "javax.sql.*", "read";
-
-    // OS Specific properties to allow read access
-    permission java.util.PropertyPermission "os.name", "read";
-    permission java.util.PropertyPermission "os.version", "read";
-    permission java.util.PropertyPermission "os.arch", "read";
-    permission java.util.PropertyPermission "file.separator", "read";
-    permission java.util.PropertyPermission "path.separator", "read";
-    permission java.util.PropertyPermission "line.separator", "read";
-
-    // JVM properties to allow read access
-    permission java.util.PropertyPermission "java.version", "read";
-    permission java.util.PropertyPermission "java.vendor", "read";
-    permission java.util.PropertyPermission "java.vendor.url", "read";
-    permission java.util.PropertyPermission "java.class.version", "read";
-	permission java.util.PropertyPermission "java.specification.version", "read";
-	permission java.util.PropertyPermission "java.specification.vendor", "read";
-	permission java.util.PropertyPermission "java.specification.name", "read";
-
-	permission java.util.PropertyPermission "java.vm.specification.version", "read";
-	permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
-	permission java.util.PropertyPermission "java.vm.specification.name", "read";
-	permission java.util.PropertyPermission "java.vm.version", "read";
-	permission java.util.PropertyPermission "java.vm.vendor", "read";
-	permission java.util.PropertyPermission "java.vm.name", "read";
-
-    // Required for OpenJMX
-    permission java.lang.RuntimePermission "getAttribute";
-
-	// Allow read of JAXP compliant XML parser debug
-	permission java.util.PropertyPermission "jaxp.debug", "read";
-
-    // Precompiled JSPs need access to this package.
-    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
-    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";
-    
-    // Precompiled JSPs need access to this system property.
-    permission java.util.PropertyPermission "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";
-
-};
-
-
-// You can assign additional permissions to particular web applications by
-// adding additional "grant" entries here, based on the code base for that
-// application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files.
-//
-// Different permissions can be granted to JSP pages, classes loaded from
-// the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/
-// directory, or even to individual jar files in the /WEB-INF/lib/ directory.
-//
-// For instance, assume that the standard "examples" application
-// included a JDBC driver that needed to establish a network connection to the
-// corresponding database and used the scrape taglib to get the weather from
-// the NOAA web server.  You might create a "grant" entries like this:
-//
-// The permissions granted to the context root directory apply to JSP pages.
-// grant codeBase "file:${catalina.home}/webapps/examples/-" {
-//      permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
-//      permission java.net.SocketPermission "*.noaa.gov:80", "connect";
-// };
-//
-// The permissions granted to the context WEB-INF/classes directory
-// grant codeBase "file:${catalina.home}/webapps/examples/WEB-INF/classes/-" {
-// };
-//
-// The permission granted to your JDBC driver
-// grant codeBase "jar:file:${catalina.home}/webapps/examples/WEB-INF/lib/driver.jar!/-" {
-//      permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
-// };
-// The permission granted to the scrape taglib
-// grant codeBase "jar:file:${catalina.home}/webapps/examples/WEB-INF/lib/scrape.jar!/-" {
-//      permission java.net.SocketPermission "*.noaa.gov:80", "connect";
-// };
-
diff --git a/base/kra/shared/conf/catalina.properties b/base/kra/shared/conf/catalina.properties
deleted file mode 100644
index 70cb7c05e78e0c4ab4b64a74d3f9eaadf96a1420..0000000000000000000000000000000000000000
--- a/base/kra/shared/conf/catalina.properties
+++ /dev/null
@@ -1,87 +0,0 @@
-# --- BEGIN COPYRIGHT BLOCK ---
-# Copyright (C) 2006-2010 Red Hat, Inc.
-# All rights reserved.
-# Modifications: configuration parameters
-# --- END COPYRIGHT BLOCK ---
-
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements.  See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License.  You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-#
-# List of comma-separated packages that start with or equal this string
-# will cause a security exception to be thrown when
-# passed to checkPackageAccess unless the
-# corresponding RuntimePermission ("accessClassInPackage."+package) has
-# been granted.
-package.access=sun.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.,sun.beans.
-#
-# List of comma-separated packages that start with or equal this string
-# will cause a security exception to be thrown when
-# passed to checkPackageDefinition unless the
-# corresponding RuntimePermission ("defineClassInPackage."+package) has
-# been granted.
-#
-# by default, no packages are restricted for definition, and none of
-# the class loaders supplied with the JDK call checkPackageDefinition.
-#
-package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.
-
-#
-#
-# List of comma-separated paths defining the contents of the "common" 
-# classloader. Prefixes should be used to define what is the repository type.
-# Path may be relative to the CATALINA_HOME or CATALINA_BASE path or absolute.
-# If left as blank,the JVM system loader will be used as Catalina's "common" 
-# loader.
-# Examples:
-#     "foo": Add this folder as a class repository
-#     "foo/*.jar": Add all the JARs of the specified folder as class 
-#                  repositories
-#     "foo/bar.jar": Add bar.jar as a class repository
-common.loader=${catalina.home}/lib,${catalina.home}/lib/*.jar,[TOMCAT_INSTANCE_COMMON_LIB]
-
-#
-# List of comma-separated paths defining the contents of the "server" 
-# classloader. Prefixes should be used to define what is the repository type.
-# Path may be relative to the CATALINA_HOME or CATALINA_BASE path or absolute.
-# If left as blank, the "common" loader will be used as Catalina's "server" 
-# loader.
-# Examples:
-#     "foo": Add this folder as a class repository
-#     "foo/*.jar": Add all the JARs of the specified folder as class 
-#                  repositories
-#     "foo/bar.jar": Add bar.jar as a class repository
-server.loader=
-
-#
-# List of comma-separated paths defining the contents of the "shared" 
-# classloader. Prefixes should be used to define what is the repository type.
-# Path may be relative to the CATALINA_BASE path or absolute. If left as blank,
-# the "common" loader will be used as Catalina's "shared" loader.
-# Examples:
-#     "foo": Add this folder as a class repository
-#     "foo/*.jar": Add all the JARs of the specified folder as class 
-#                  repositories
-#     "foo/bar.jar": Add bar.jar as a class repository 
-# Please note that for single jars, e.g. bar.jar, you need the URL form
-# starting with file:.
-shared.loader=
-
-#
-# String cache configuration.
-tomcat.util.buf.StringCache.byte.enabled=true
-#tomcat.util.buf.StringCache.char.enabled=true
-#tomcat.util.buf.StringCache.trainThreshold=500000
-#tomcat.util.buf.StringCache.cacheSize=5000
diff --git a/base/ocsp/shared/conf/catalina.policy b/base/ocsp/shared/conf/catalina.policy
deleted file mode 100644
index cf8302cd0a1fddbe02cfc3ab784a5361c6fc4e2b..0000000000000000000000000000000000000000
--- a/base/ocsp/shared/conf/catalina.policy
+++ /dev/null
@@ -1,184 +0,0 @@
-// --- BEGIN COPYRIGHT BLOCK ---
-// Copyright (C) 2006-2010 Red Hat, Inc.
-// All rights reserved.
-// Modifications: configuration parameters
-// --- END COPYRIGHT BLOCK ---
-
-// Licensed to the Apache Software Foundation (ASF) under one or more
-// contributor license agreements.  See the NOTICE file distributed with
-// this work for additional information regarding copyright ownership.
-// The ASF licenses this file to You under the Apache License, Version 2.0
-// (the "License"); you may not use this file except in compliance with
-// the License.  You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// ============================================================================
-// catalina.corepolicy - Security Policy Permissions for Tomcat 6
-//
-// This file contains a default set of security policies to be enforced (by the
-// JVM) when Catalina is executed with the "-security" option.  In addition
-// to the permissions granted here, the following additional permissions are
-// granted to the codebase specific to each web application:
-//
-// * Read access to the document root directory
-//
-// $Id$
-// ============================================================================
-
-
-// ========== SYSTEM CODE PERMISSIONS =========================================
-
-
-// These permissions apply to javac
-grant codeBase "file:${java.home}/lib/-" {
-        permission java.security.AllPermission;
-};
-
-// These permissions apply to all shared system extensions
-grant codeBase "file:${java.home}/jre/lib/ext/-" {
-        permission java.security.AllPermission;
-};
-
-// These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre
-grant codeBase "file:${java.home}/../lib/-" {
-        permission java.security.AllPermission;
-};
-
-// These permissions apply to all shared system extensions when
-// ${java.home} points at $JAVA_HOME/jre
-grant codeBase "file:${java.home}/lib/ext/-" {
-        permission java.security.AllPermission;
-};
-
-
-// ========== CATALINA CODE PERMISSIONS =======================================
-
-
-// These permissions apply to the daemon code
-grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
-        permission java.security.AllPermission;
-};
-
-// These permissions apply to the logging API
-grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
-        permission java.util.PropertyPermission "java.util.logging.config.class", "read";
-        permission java.util.PropertyPermission "java.util.logging.config.file", "read";
-        permission java.io.FilePermission "${java.home}${file.separator}lib${file.separator}logging.properties", "read"; 
-        permission java.lang.RuntimePermission "shutdownHooks";
-        permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
-        permission java.util.PropertyPermission "catalina.base", "read";
-        permission java.util.logging.LoggingPermission "control";
-        permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read, write";
-        permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}*", "read, write";
-        permission java.lang.RuntimePermission "getClassLoader";
-        // To enable per context logging configuration, permit read access to the appropriate file.
-        // Be sure that the logging configuration is secure before enabling such access
-        // eg for the examples web application:
-        // permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
-};
-
-// These permissions apply to the server startup code
-grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
-        permission java.security.AllPermission;
-};
-
-// These permissions apply to the servlet API classes
-// and those that are shared across all class loaders
-// located in the "lib" directory
-grant codeBase "file:${catalina.home}/lib/-" {
-        permission java.security.AllPermission;
-};
-
-
-// ========== WEB APPLICATION PERMISSIONS =====================================
-
-
-// These permissions are granted by default to all web applications
-// In addition, a web application will be given a read FilePermission
-// and JndiPermission for all files and directories in its document root.
-grant { 
-    // Required for JNDI lookup of named JDBC DataSource's and
-    // javamail named MimePart DataSource used to send mail
-    permission java.util.PropertyPermission "java.home", "read";
-    permission java.util.PropertyPermission "java.naming.*", "read";
-    permission java.util.PropertyPermission "javax.sql.*", "read";
-
-    // OS Specific properties to allow read access
-    permission java.util.PropertyPermission "os.name", "read";
-    permission java.util.PropertyPermission "os.version", "read";
-    permission java.util.PropertyPermission "os.arch", "read";
-    permission java.util.PropertyPermission "file.separator", "read";
-    permission java.util.PropertyPermission "path.separator", "read";
-    permission java.util.PropertyPermission "line.separator", "read";
-
-    // JVM properties to allow read access
-    permission java.util.PropertyPermission "java.version", "read";
-    permission java.util.PropertyPermission "java.vendor", "read";
-    permission java.util.PropertyPermission "java.vendor.url", "read";
-    permission java.util.PropertyPermission "java.class.version", "read";
-	permission java.util.PropertyPermission "java.specification.version", "read";
-	permission java.util.PropertyPermission "java.specification.vendor", "read";
-	permission java.util.PropertyPermission "java.specification.name", "read";
-
-	permission java.util.PropertyPermission "java.vm.specification.version", "read";
-	permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
-	permission java.util.PropertyPermission "java.vm.specification.name", "read";
-	permission java.util.PropertyPermission "java.vm.version", "read";
-	permission java.util.PropertyPermission "java.vm.vendor", "read";
-	permission java.util.PropertyPermission "java.vm.name", "read";
-
-    // Required for OpenJMX
-    permission java.lang.RuntimePermission "getAttribute";
-
-	// Allow read of JAXP compliant XML parser debug
-	permission java.util.PropertyPermission "jaxp.debug", "read";
-
-    // Precompiled JSPs need access to this package.
-    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
-    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";
-    
-    // Precompiled JSPs need access to this system property.
-    permission java.util.PropertyPermission "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";
-
-};
-
-
-// You can assign additional permissions to particular web applications by
-// adding additional "grant" entries here, based on the code base for that
-// application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files.
-//
-// Different permissions can be granted to JSP pages, classes loaded from
-// the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/
-// directory, or even to individual jar files in the /WEB-INF/lib/ directory.
-//
-// For instance, assume that the standard "examples" application
-// included a JDBC driver that needed to establish a network connection to the
-// corresponding database and used the scrape taglib to get the weather from
-// the NOAA web server.  You might create a "grant" entries like this:
-//
-// The permissions granted to the context root directory apply to JSP pages.
-// grant codeBase "file:${catalina.home}/webapps/examples/-" {
-//      permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
-//      permission java.net.SocketPermission "*.noaa.gov:80", "connect";
-// };
-//
-// The permissions granted to the context WEB-INF/classes directory
-// grant codeBase "file:${catalina.home}/webapps/examples/WEB-INF/classes/-" {
-// };
-//
-// The permission granted to your JDBC driver
-// grant codeBase "jar:file:${catalina.home}/webapps/examples/WEB-INF/lib/driver.jar!/-" {
-//      permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
-// };
-// The permission granted to the scrape taglib
-// grant codeBase "jar:file:${catalina.home}/webapps/examples/WEB-INF/lib/scrape.jar!/-" {
-//      permission java.net.SocketPermission "*.noaa.gov:80", "connect";
-// };
-
diff --git a/base/ocsp/shared/conf/catalina.properties b/base/ocsp/shared/conf/catalina.properties
deleted file mode 100644
index 70cb7c05e78e0c4ab4b64a74d3f9eaadf96a1420..0000000000000000000000000000000000000000
--- a/base/ocsp/shared/conf/catalina.properties
+++ /dev/null
@@ -1,87 +0,0 @@
-# --- BEGIN COPYRIGHT BLOCK ---
-# Copyright (C) 2006-2010 Red Hat, Inc.
-# All rights reserved.
-# Modifications: configuration parameters
-# --- END COPYRIGHT BLOCK ---
-
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements.  See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License.  You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-#
-# List of comma-separated packages that start with or equal this string
-# will cause a security exception to be thrown when
-# passed to checkPackageAccess unless the
-# corresponding RuntimePermission ("accessClassInPackage."+package) has
-# been granted.
-package.access=sun.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.,sun.beans.
-#
-# List of comma-separated packages that start with or equal this string
-# will cause a security exception to be thrown when
-# passed to checkPackageDefinition unless the
-# corresponding RuntimePermission ("defineClassInPackage."+package) has
-# been granted.
-#
-# by default, no packages are restricted for definition, and none of
-# the class loaders supplied with the JDK call checkPackageDefinition.
-#
-package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.
-
-#
-#
-# List of comma-separated paths defining the contents of the "common" 
-# classloader. Prefixes should be used to define what is the repository type.
-# Path may be relative to the CATALINA_HOME or CATALINA_BASE path or absolute.
-# If left as blank,the JVM system loader will be used as Catalina's "common" 
-# loader.
-# Examples:
-#     "foo": Add this folder as a class repository
-#     "foo/*.jar": Add all the JARs of the specified folder as class 
-#                  repositories
-#     "foo/bar.jar": Add bar.jar as a class repository
-common.loader=${catalina.home}/lib,${catalina.home}/lib/*.jar,[TOMCAT_INSTANCE_COMMON_LIB]
-
-#
-# List of comma-separated paths defining the contents of the "server" 
-# classloader. Prefixes should be used to define what is the repository type.
-# Path may be relative to the CATALINA_HOME or CATALINA_BASE path or absolute.
-# If left as blank, the "common" loader will be used as Catalina's "server" 
-# loader.
-# Examples:
-#     "foo": Add this folder as a class repository
-#     "foo/*.jar": Add all the JARs of the specified folder as class 
-#                  repositories
-#     "foo/bar.jar": Add bar.jar as a class repository
-server.loader=
-
-#
-# List of comma-separated paths defining the contents of the "shared" 
-# classloader. Prefixes should be used to define what is the repository type.
-# Path may be relative to the CATALINA_BASE path or absolute. If left as blank,
-# the "common" loader will be used as Catalina's "shared" loader.
-# Examples:
-#     "foo": Add this folder as a class repository
-#     "foo/*.jar": Add all the JARs of the specified folder as class 
-#                  repositories
-#     "foo/bar.jar": Add bar.jar as a class repository 
-# Please note that for single jars, e.g. bar.jar, you need the URL form
-# starting with file:.
-shared.loader=
-
-#
-# String cache configuration.
-tomcat.util.buf.StringCache.byte.enabled=true
-#tomcat.util.buf.StringCache.char.enabled=true
-#tomcat.util.buf.StringCache.trainThreshold=500000
-#tomcat.util.buf.StringCache.cacheSize=5000
diff --git a/base/tks/shared/conf/catalina.policy b/base/tks/shared/conf/catalina.policy
deleted file mode 100644
index cf8302cd0a1fddbe02cfc3ab784a5361c6fc4e2b..0000000000000000000000000000000000000000
--- a/base/tks/shared/conf/catalina.policy
+++ /dev/null
@@ -1,184 +0,0 @@
-// --- BEGIN COPYRIGHT BLOCK ---
-// Copyright (C) 2006-2010 Red Hat, Inc.
-// All rights reserved.
-// Modifications: configuration parameters
-// --- END COPYRIGHT BLOCK ---
-
-// Licensed to the Apache Software Foundation (ASF) under one or more
-// contributor license agreements.  See the NOTICE file distributed with
-// this work for additional information regarding copyright ownership.
-// The ASF licenses this file to You under the Apache License, Version 2.0
-// (the "License"); you may not use this file except in compliance with
-// the License.  You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// ============================================================================
-// catalina.corepolicy - Security Policy Permissions for Tomcat 6
-//
-// This file contains a default set of security policies to be enforced (by the
-// JVM) when Catalina is executed with the "-security" option.  In addition
-// to the permissions granted here, the following additional permissions are
-// granted to the codebase specific to each web application:
-//
-// * Read access to the document root directory
-//
-// $Id$
-// ============================================================================
-
-
-// ========== SYSTEM CODE PERMISSIONS =========================================
-
-
-// These permissions apply to javac
-grant codeBase "file:${java.home}/lib/-" {
-        permission java.security.AllPermission;
-};
-
-// These permissions apply to all shared system extensions
-grant codeBase "file:${java.home}/jre/lib/ext/-" {
-        permission java.security.AllPermission;
-};
-
-// These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre
-grant codeBase "file:${java.home}/../lib/-" {
-        permission java.security.AllPermission;
-};
-
-// These permissions apply to all shared system extensions when
-// ${java.home} points at $JAVA_HOME/jre
-grant codeBase "file:${java.home}/lib/ext/-" {
-        permission java.security.AllPermission;
-};
-
-
-// ========== CATALINA CODE PERMISSIONS =======================================
-
-
-// These permissions apply to the daemon code
-grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
-        permission java.security.AllPermission;
-};
-
-// These permissions apply to the logging API
-grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
-        permission java.util.PropertyPermission "java.util.logging.config.class", "read";
-        permission java.util.PropertyPermission "java.util.logging.config.file", "read";
-        permission java.io.FilePermission "${java.home}${file.separator}lib${file.separator}logging.properties", "read"; 
-        permission java.lang.RuntimePermission "shutdownHooks";
-        permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
-        permission java.util.PropertyPermission "catalina.base", "read";
-        permission java.util.logging.LoggingPermission "control";
-        permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read, write";
-        permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}*", "read, write";
-        permission java.lang.RuntimePermission "getClassLoader";
-        // To enable per context logging configuration, permit read access to the appropriate file.
-        // Be sure that the logging configuration is secure before enabling such access
-        // eg for the examples web application:
-        // permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
-};
-
-// These permissions apply to the server startup code
-grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
-        permission java.security.AllPermission;
-};
-
-// These permissions apply to the servlet API classes
-// and those that are shared across all class loaders
-// located in the "lib" directory
-grant codeBase "file:${catalina.home}/lib/-" {
-        permission java.security.AllPermission;
-};
-
-
-// ========== WEB APPLICATION PERMISSIONS =====================================
-
-
-// These permissions are granted by default to all web applications
-// In addition, a web application will be given a read FilePermission
-// and JndiPermission for all files and directories in its document root.
-grant { 
-    // Required for JNDI lookup of named JDBC DataSource's and
-    // javamail named MimePart DataSource used to send mail
-    permission java.util.PropertyPermission "java.home", "read";
-    permission java.util.PropertyPermission "java.naming.*", "read";
-    permission java.util.PropertyPermission "javax.sql.*", "read";
-
-    // OS Specific properties to allow read access
-    permission java.util.PropertyPermission "os.name", "read";
-    permission java.util.PropertyPermission "os.version", "read";
-    permission java.util.PropertyPermission "os.arch", "read";
-    permission java.util.PropertyPermission "file.separator", "read";
-    permission java.util.PropertyPermission "path.separator", "read";
-    permission java.util.PropertyPermission "line.separator", "read";
-
-    // JVM properties to allow read access
-    permission java.util.PropertyPermission "java.version", "read";
-    permission java.util.PropertyPermission "java.vendor", "read";
-    permission java.util.PropertyPermission "java.vendor.url", "read";
-    permission java.util.PropertyPermission "java.class.version", "read";
-	permission java.util.PropertyPermission "java.specification.version", "read";
-	permission java.util.PropertyPermission "java.specification.vendor", "read";
-	permission java.util.PropertyPermission "java.specification.name", "read";
-
-	permission java.util.PropertyPermission "java.vm.specification.version", "read";
-	permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
-	permission java.util.PropertyPermission "java.vm.specification.name", "read";
-	permission java.util.PropertyPermission "java.vm.version", "read";
-	permission java.util.PropertyPermission "java.vm.vendor", "read";
-	permission java.util.PropertyPermission "java.vm.name", "read";
-
-    // Required for OpenJMX
-    permission java.lang.RuntimePermission "getAttribute";
-
-	// Allow read of JAXP compliant XML parser debug
-	permission java.util.PropertyPermission "jaxp.debug", "read";
-
-    // Precompiled JSPs need access to this package.
-    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
-    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";
-    
-    // Precompiled JSPs need access to this system property.
-    permission java.util.PropertyPermission "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";
-
-};
-
-
-// You can assign additional permissions to particular web applications by
-// adding additional "grant" entries here, based on the code base for that
-// application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files.
-//
-// Different permissions can be granted to JSP pages, classes loaded from
-// the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/
-// directory, or even to individual jar files in the /WEB-INF/lib/ directory.
-//
-// For instance, assume that the standard "examples" application
-// included a JDBC driver that needed to establish a network connection to the
-// corresponding database and used the scrape taglib to get the weather from
-// the NOAA web server.  You might create a "grant" entries like this:
-//
-// The permissions granted to the context root directory apply to JSP pages.
-// grant codeBase "file:${catalina.home}/webapps/examples/-" {
-//      permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
-//      permission java.net.SocketPermission "*.noaa.gov:80", "connect";
-// };
-//
-// The permissions granted to the context WEB-INF/classes directory
-// grant codeBase "file:${catalina.home}/webapps/examples/WEB-INF/classes/-" {
-// };
-//
-// The permission granted to your JDBC driver
-// grant codeBase "jar:file:${catalina.home}/webapps/examples/WEB-INF/lib/driver.jar!/-" {
-//      permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
-// };
-// The permission granted to the scrape taglib
-// grant codeBase "jar:file:${catalina.home}/webapps/examples/WEB-INF/lib/scrape.jar!/-" {
-//      permission java.net.SocketPermission "*.noaa.gov:80", "connect";
-// };
-
diff --git a/base/tks/shared/conf/catalina.properties b/base/tks/shared/conf/catalina.properties
deleted file mode 100644
index 70cb7c05e78e0c4ab4b64a74d3f9eaadf96a1420..0000000000000000000000000000000000000000
--- a/base/tks/shared/conf/catalina.properties
+++ /dev/null
@@ -1,87 +0,0 @@
-# --- BEGIN COPYRIGHT BLOCK ---
-# Copyright (C) 2006-2010 Red Hat, Inc.
-# All rights reserved.
-# Modifications: configuration parameters
-# --- END COPYRIGHT BLOCK ---
-
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements.  See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License.  You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-#
-# List of comma-separated packages that start with or equal this string
-# will cause a security exception to be thrown when
-# passed to checkPackageAccess unless the
-# corresponding RuntimePermission ("accessClassInPackage."+package) has
-# been granted.
-package.access=sun.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.,sun.beans.
-#
-# List of comma-separated packages that start with or equal this string
-# will cause a security exception to be thrown when
-# passed to checkPackageDefinition unless the
-# corresponding RuntimePermission ("defineClassInPackage."+package) has
-# been granted.
-#
-# by default, no packages are restricted for definition, and none of
-# the class loaders supplied with the JDK call checkPackageDefinition.
-#
-package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.
-
-#
-#
-# List of comma-separated paths defining the contents of the "common" 
-# classloader. Prefixes should be used to define what is the repository type.
-# Path may be relative to the CATALINA_HOME or CATALINA_BASE path or absolute.
-# If left as blank,the JVM system loader will be used as Catalina's "common" 
-# loader.
-# Examples:
-#     "foo": Add this folder as a class repository
-#     "foo/*.jar": Add all the JARs of the specified folder as class 
-#                  repositories
-#     "foo/bar.jar": Add bar.jar as a class repository
-common.loader=${catalina.home}/lib,${catalina.home}/lib/*.jar,[TOMCAT_INSTANCE_COMMON_LIB]
-
-#
-# List of comma-separated paths defining the contents of the "server" 
-# classloader. Prefixes should be used to define what is the repository type.
-# Path may be relative to the CATALINA_HOME or CATALINA_BASE path or absolute.
-# If left as blank, the "common" loader will be used as Catalina's "server" 
-# loader.
-# Examples:
-#     "foo": Add this folder as a class repository
-#     "foo/*.jar": Add all the JARs of the specified folder as class 
-#                  repositories
-#     "foo/bar.jar": Add bar.jar as a class repository
-server.loader=
-
-#
-# List of comma-separated paths defining the contents of the "shared" 
-# classloader. Prefixes should be used to define what is the repository type.
-# Path may be relative to the CATALINA_BASE path or absolute. If left as blank,
-# the "common" loader will be used as Catalina's "shared" loader.
-# Examples:
-#     "foo": Add this folder as a class repository
-#     "foo/*.jar": Add all the JARs of the specified folder as class 
-#                  repositories
-#     "foo/bar.jar": Add bar.jar as a class repository 
-# Please note that for single jars, e.g. bar.jar, you need the URL form
-# starting with file:.
-shared.loader=
-
-#
-# String cache configuration.
-tomcat.util.buf.StringCache.byte.enabled=true
-#tomcat.util.buf.StringCache.char.enabled=true
-#tomcat.util.buf.StringCache.trainThreshold=500000
-#tomcat.util.buf.StringCache.cacheSize=5000
diff --git a/base/tps/shared/conf/catalina.policy b/base/tps/shared/conf/catalina.policy
deleted file mode 100644
index 5ccc7959e55b512889d74d7331fe8af071b15a8f..0000000000000000000000000000000000000000
--- a/base/tps/shared/conf/catalina.policy
+++ /dev/null
@@ -1,182 +0,0 @@
-// --- BEGIN COPYRIGHT BLOCK ---
-// Copyright (C) 2006-2010 Red Hat, Inc.
-// All rights reserved.
-// Modifications: configuration parameters
-// --- END COPYRIGHT BLOCK ---
-
-// Licensed to the Apache Software Foundation (ASF) under one or more
-// contributor license agreements.  See the NOTICE file distributed with
-// this work for additional information regarding copyright ownership.
-// The ASF licenses this file to You under the Apache License, Version 2.0
-// (the "License"); you may not use this file except in compliance with
-// the License.  You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// ============================================================================
-// catalina.corepolicy - Security Policy Permissions for Tomcat 6
-//
-// This file contains a default set of security policies to be enforced (by the
-// JVM) when Catalina is executed with the "-security" option.  In addition
-// to the permissions granted here, the following additional permissions are
-// granted to the codebase specific to each web application:
-//
-// * Read access to the document root directory
-//
-// $Id$
-// ============================================================================
-
-
-// ========== SYSTEM CODE PERMISSIONS =========================================
-
-
-// These permissions apply to javac
-grant codeBase "file:${java.home}/lib/-" {
-    permission java.security.AllPermission;
-};
-
-// These permissions apply to all shared system extensions
-grant codeBase "file:${java.home}/jre/lib/ext/-" {
-    permission java.security.AllPermission;
-};
-
-// These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre
-grant codeBase "file:${java.home}/../lib/-" {
-    permission java.security.AllPermission;
-};
-
-// These permissions apply to all shared system extensions when
-// ${java.home} points at $JAVA_HOME/jre
-grant codeBase "file:${java.home}/lib/ext/-" {
-    permission java.security.AllPermission;
-};
-
-
-// ========== CATALINA CODE PERMISSIONS =======================================
-
-
-// These permissions apply to the daemon code
-grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" {
-    permission java.security.AllPermission;
-};
-
-// These permissions apply to the logging API
-grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
-    permission java.util.PropertyPermission "java.util.logging.config.class", "read";
-    permission java.util.PropertyPermission "java.util.logging.config.file", "read";
-    permission java.io.FilePermission "${java.home}${file.separator}lib${file.separator}logging.properties", "read";
-    permission java.lang.RuntimePermission "shutdownHooks";
-    permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
-    permission java.util.PropertyPermission "catalina.base", "read";
-    permission java.util.logging.LoggingPermission "control";
-    permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read, write";
-    permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}*", "read, write";
-    permission java.lang.RuntimePermission "getClassLoader";
-    // To enable per context logging configuration, permit read access to the appropriate file.
-    // Be sure that the logging configuration is secure before enabling such access
-    // eg for the examples web application:
-    // permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
-};
-
-// These permissions apply to the server startup code
-grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
-    permission java.security.AllPermission;
-};
-
-// These permissions apply to the servlet API classes
-// and those that are shared across all class loaders
-// located in the "lib" directory
-grant codeBase "file:${catalina.home}/lib/-" {
-    permission java.security.AllPermission;
-};
-
-
-// ========== WEB APPLICATION PERMISSIONS =====================================
-
-
-// These permissions are granted by default to all web applications
-// In addition, a web application will be given a read FilePermission
-// and JndiPermission for all files and directories in its document root.
-grant {
-    // Required for JNDI lookup of named JDBC DataSource's and
-    // javamail named MimePart DataSource used to send mail
-    permission java.util.PropertyPermission "java.home", "read";
-    permission java.util.PropertyPermission "java.naming.*", "read";
-    permission java.util.PropertyPermission "javax.sql.*", "read";
-
-    // OS Specific properties to allow read access
-    permission java.util.PropertyPermission "os.name", "read";
-    permission java.util.PropertyPermission "os.version", "read";
-    permission java.util.PropertyPermission "os.arch", "read";
-    permission java.util.PropertyPermission "file.separator", "read";
-    permission java.util.PropertyPermission "path.separator", "read";
-    permission java.util.PropertyPermission "line.separator", "read";
-
-    // JVM properties to allow read access
-    permission java.util.PropertyPermission "java.version", "read";
-    permission java.util.PropertyPermission "java.vendor", "read";
-    permission java.util.PropertyPermission "java.vendor.url", "read";
-    permission java.util.PropertyPermission "java.class.version", "read";
-    permission java.util.PropertyPermission "java.specification.version", "read";
-    permission java.util.PropertyPermission "java.specification.vendor", "read";
-    permission java.util.PropertyPermission "java.specification.name", "read";
-
-    permission java.util.PropertyPermission "java.vm.specification.version", "read";
-    permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
-    permission java.util.PropertyPermission "java.vm.specification.name", "read";
-    permission java.util.PropertyPermission "java.vm.version", "read";
-    permission java.util.PropertyPermission "java.vm.vendor", "read";
-    permission java.util.PropertyPermission "java.vm.name", "read";
-
-    // Required for OpenJMX
-    permission java.lang.RuntimePermission "getAttribute";
-
-    // Allow read of JAXP compliant XML parser debug
-    permission java.util.PropertyPermission "jaxp.debug", "read";
-
-    // Precompiled JSPs need access to this package.
-    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
-    permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";
-
-    // Precompiled JSPs need access to this system property.
-    permission java.util.PropertyPermission "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";
-};
-
-
-// You can assign additional permissions to particular web applications by
-// adding additional "grant" entries here, based on the code base for that
-// application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files.
-//
-// Different permissions can be granted to JSP pages, classes loaded from
-// the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/
-// directory, or even to individual jar files in the /WEB-INF/lib/ directory.
-//
-// For instance, assume that the standard "examples" application
-// included a JDBC driver that needed to establish a network connection to the
-// corresponding database and used the scrape taglib to get the weather from
-// the NOAA web server.  You might create a "grant" entries like this:
-//
-// The permissions granted to the context root directory apply to JSP pages.
-// grant codeBase "file:${catalina.home}/webapps/examples/-" {
-//      permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
-//      permission java.net.SocketPermission "*.noaa.gov:80", "connect";
-// };
-//
-// The permissions granted to the context WEB-INF/classes directory
-// grant codeBase "file:${catalina.home}/webapps/examples/WEB-INF/classes/-" {
-// };
-//
-// The permission granted to your JDBC driver
-// grant codeBase "jar:file:${catalina.home}/webapps/examples/WEB-INF/lib/driver.jar!/-" {
-//      permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
-// };
-// The permission granted to the scrape taglib
-// grant codeBase "jar:file:${catalina.home}/webapps/examples/WEB-INF/lib/scrape.jar!/-" {
-//      permission java.net.SocketPermission "*.noaa.gov:80", "connect";
-// };
diff --git a/base/tps/shared/conf/catalina.properties b/base/tps/shared/conf/catalina.properties
deleted file mode 100644
index f6d1d1415cdbe55d7ef5fee0f5ba7437f1560c5e..0000000000000000000000000000000000000000
--- a/base/tps/shared/conf/catalina.properties
+++ /dev/null
@@ -1,87 +0,0 @@
-# --- BEGIN COPYRIGHT BLOCK ---
-# Copyright (C) 2006-2010 Red Hat, Inc.
-# All rights reserved.
-# Modifications: configuration parameters
-# --- END COPYRIGHT BLOCK ---
-
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements.  See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License.  You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-#
-# List of comma-separated packages that start with or equal this string
-# will cause a security exception to be thrown when
-# passed to checkPackageAccess unless the
-# corresponding RuntimePermission ("accessClassInPackage."+package) has
-# been granted.
-package.access=sun.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.,sun.beans.
-#
-# List of comma-separated packages that start with or equal this string
-# will cause a security exception to be thrown when
-# passed to checkPackageDefinition unless the
-# corresponding RuntimePermission ("defineClassInPackage."+package) has
-# been granted.
-#
-# by default, no packages are restricted for definition, and none of
-# the class loaders supplied with the JDK call checkPackageDefinition.
-#
-package.definition=sun.,java.,org.apache.catalina.,org.apache.coyote.,org.apache.tomcat.,org.apache.jasper.
-
-#
-#
-# List of comma-separated paths defining the contents of the "common"
-# classloader. Prefixes should be used to define what is the repository type.
-# Path may be relative to the CATALINA_HOME or CATALINA_BASE path or absolute.
-# If left as blank,the JVM system loader will be used as Catalina's "common"
-# loader.
-# Examples:
-#     "foo": Add this folder as a class repository
-#     "foo/*.jar": Add all the JARs of the specified folder as class
-#                  repositories
-#     "foo/bar.jar": Add bar.jar as a class repository
-common.loader=${catalina.home}/lib,${catalina.home}/lib/*.jar,[TOMCAT_INSTANCE_COMMON_LIB]
-
-#
-# List of comma-separated paths defining the contents of the "server"
-# classloader. Prefixes should be used to define what is the repository type.
-# Path may be relative to the CATALINA_HOME or CATALINA_BASE path or absolute.
-# If left as blank, the "common" loader will be used as Catalina's "server"
-# loader.
-# Examples:
-#     "foo": Add this folder as a class repository
-#     "foo/*.jar": Add all the JARs of the specified folder as class
-#                  repositories
-#     "foo/bar.jar": Add bar.jar as a class repository
-server.loader=
-
-#
-# List of comma-separated paths defining the contents of the "shared"
-# classloader. Prefixes should be used to define what is the repository type.
-# Path may be relative to the CATALINA_BASE path or absolute. If left as blank,
-# the "common" loader will be used as Catalina's "shared" loader.
-# Examples:
-#     "foo": Add this folder as a class repository
-#     "foo/*.jar": Add all the JARs of the specified folder as class
-#                  repositories
-#     "foo/bar.jar": Add bar.jar as a class repository
-# Please note that for single jars, e.g. bar.jar, you need the URL form
-# starting with file:.
-shared.loader=
-
-#
-# String cache configuration.
-tomcat.util.buf.StringCache.byte.enabled=true
-#tomcat.util.buf.StringCache.char.enabled=true
-#tomcat.util.buf.StringCache.trainThreshold=500000
-#tomcat.util.buf.StringCache.cacheSize=5000
-- 
2.5.0


From ftweedal at redhat.com  Wed Jan 20 01:56:20 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Wed, 20 Jan 2016 11:56:20 +1000
Subject: [Pki-devel] [PATCH 0044 Don't use settings like HTTP proxy from
 env vars
In-Reply-To: <569E0F44.1090000@redhat.com>
References: <569795E7.5050000@redhat.com>
 <569E0F44.1090000@redhat.com>
Message-ID: <20160120015620.GK31821@dhcp-40-8.bne.redhat.com>

On Tue, Jan 19, 2016 at 11:26:12AM +0100, Christian Heimes wrote:
> On 2016-01-14 13:34, Christian Heimes wrote:
> > The PKIConnection class uses python-requests for HTTPS. The library
> > picks up several settings from environment variables, e.g. HTTP proxy
> > server, certificate bundle with trust anchors and authentication. A
> > proxy can interfere with the Dogtag installer and cause some operations
> > to fail.
> > 
> > With session.trust_env = False python-requests no longer inspects the
> > environment and Dogtag has full controll over its connection settings.
> > 
> > https://requests.readthedocs.org/en/latest/api/?highlight=trust_env#requests.Session.trust_env
> > 
> > https://fedorahosted.org/pki/ticket/1733
> > https://fedorahosted.org/freeipa/ticket/5555
> 
> Endi suggested to keep the default and only disable trust_env in the
> installer. Here is an updated patch.
> 
> Christian

ACK on updated patch



From ftweedal at redhat.com  Wed Jan 20 02:07:28 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Wed, 20 Jan 2016 12:07:28 +1000
Subject: [Pki-devel] [PATCH] 0057..0061 LDAPProfileSubsystem concurrency
 fixes
In-Reply-To: <20160119000735.GG31821@dhcp-40-8.bne.redhat.com>
References: <20151201045650.GM23644@dhcp-40-8.bne.redhat.com>
	<5695520F.1010908@redhat.com>
	<20160119000735.GG31821@dhcp-40-8.bne.redhat.com>
Message-ID: <20160120020728.GL31821@dhcp-40-8.bne.redhat.com>

Rebase was needed for the remaining patches; 0060-2 and 0061-2
attached.

Thanks,
Fraser
-------------- next part --------------
From 2367b829f518a0003a461115fc2a905c0cc03a24 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Mon, 30 Nov 2015 16:05:03 +1100
Subject: [PATCH 60/61] Handle LDAPProfileSubsystem delete-then-recreate races

Deleting and then immediately recreating a profile can result in the
new profile temporarily going missing, if the DELETE
EntryChangeControl is processed after profile readdition.

Handle this case by tracking the nsUniqueId of entries that are
deleted by an LDAPProfileSubsystem and NOT (re-)forgetting the
profile when the subsequent EntryChangeControl gets processed.

Fixes: https://fedorahosted.org/pki/ticket/1700
---
 .../cmscore/profile/LDAPProfileSubsystem.java      | 112 +++++++++++++++++----
 1 file changed, 92 insertions(+), 20 deletions(-)

diff --git a/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java
index b16a33fe25881956051e2f65a5a99b73f7a624b4..f48aea3918e6fc4a08c9bc90a433b834a29f35d3 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/profile/LDAPProfileSubsystem.java
@@ -22,6 +22,7 @@ import java.io.InputStream;
 import java.util.Hashtable;
 import java.util.LinkedHashMap;
 import java.util.TreeMap;
+import java.util.TreeSet;
 
 import netscape.ldap.LDAPAttribute;
 import netscape.ldap.LDAPConnection;
@@ -62,6 +63,11 @@ public class LDAPProfileSubsystem
      * of the profile entry that this instance has seen */
     private TreeMap<String,Integer> entryUSNs;
 
+    private TreeMap<String,String> nsUniqueIds;
+
+    /* Set of nsUniqueIds of deleted entries */
+    private TreeSet<String> deletedNsUniqueIds;
+
     /**
      * Initializes this subsystem with the given configuration
      * store.
@@ -79,6 +85,8 @@ public class LDAPProfileSubsystem
         mProfiles = new LinkedHashMap<String, IProfile>();
         mProfileClassIds = new Hashtable<String, String>();
         entryUSNs = new TreeMap<>();
+        nsUniqueIds = new TreeMap<>();
+        deletedNsUniqueIds = new TreeSet<>();
 
         IConfigStore cs = CMS.getConfigStore();
         IConfigStore dbCfg = cs.getSubStore("internaldb");
@@ -110,6 +118,14 @@ public class LDAPProfileSubsystem
         IPluginRegistry registry = (IPluginRegistry)
             CMS.getSubsystem(CMS.SUBSYSTEM_REGISTRY);
 
+        String nsUniqueId =
+            ldapProfile.getAttribute("nsUniqueId").getStringValueArray()[0];
+        if (deletedNsUniqueIds.contains(nsUniqueId)) {
+            CMS.debug("readProfile: ignoring entry with nsUniqueId '"
+                    + nsUniqueId + "' due to deletion");
+            return;
+        }
+
         String profileId = null;
         String dn = ldapProfile.getDN();
         if (!dn.startsWith("cn=")) {
@@ -145,6 +161,7 @@ public class LDAPProfileSubsystem
                 CMS.debug("Start Profile Creation - " + profileId + " " + classId + " " + info.getClassName());
                 createProfile(profileId, classId, info.getClassName(), data);
                 entryUSNs.put(profileId, newEntryUSN);
+                nsUniqueIds.put(profileId, nsUniqueId);
                 CMS.debug("Done Profile Creation - " + profileId);
             } catch (EProfileException e) {
                 CMS.debug("Error creating profile '" + profileId + "'; skipping.");
@@ -192,7 +209,7 @@ public class LDAPProfileSubsystem
         }
     }
 
-    public void deleteProfile(String id) throws EProfileException {
+    public synchronized void deleteProfile(String id) throws EProfileException {
         if (isProfileEnable(id)) {
             throw new EProfileException("CMS_PROFILE_DELETE_ENABLEPROFILE");
         }
@@ -215,9 +232,31 @@ public class LDAPProfileSubsystem
             }
         }
 
+        deletedNsUniqueIds.add(nsUniqueIds.get(id));
         forgetProfile(id);
     }
 
+    private synchronized void handleDELETE(LDAPEntry entry) {
+        LDAPAttribute attr = entry.getAttribute("nsUniqueId");
+        String nsUniqueId = null;
+        if (attr != null)
+            nsUniqueId = attr.getStringValueArray()[0];
+
+       if (deletedNsUniqueIds.remove(nsUniqueId)) {
+            CMS.debug("handleDELETE: delete was already effected");
+            return;
+        }
+
+        String profileId = null;
+        String dn = entry.getDN();
+        if (!dn.startsWith("cn=")) {
+            CMS.debug("handleDELETE: DN " + dn + " does not start with 'cn='");
+            return;
+        }
+        profileId = LDAPDN.explodeDN(dn, true)[0];
+        forgetProfile(profileId);
+    }
+
     private synchronized void handleMODDN(DN oldDN, LDAPEntry entry) {
         DN profilesDN = new DN(dn);
 
@@ -231,20 +270,61 @@ public class LDAPProfileSubsystem
     @Override
     public synchronized void commitProfile(String id) throws EProfileException {
         LDAPConfigStore cs = (LDAPConfigStore) mProfiles.get(id).getConfigStore();
+
+        // first create a *new* profile object from the configStore
+        // and initialise it with the updated configStore
+        //
+        IPluginRegistry registry = (IPluginRegistry)
+            CMS.getSubsystem(CMS.SUBSYSTEM_REGISTRY);
+        String classId = mProfileClassIds.get(id);
+        IPluginInfo info = registry.getPluginInfo("profile", classId);
+        String className = info.getClassName();
+        IProfile newProfile = null;
         try {
-            String[] attrs = {"entryUSN"};
+            newProfile = (IProfile) Class.forName(className).newInstance();
+        } catch (ClassNotFoundException | InstantiationException | IllegalAccessException e) {
+            throw new EProfileException("Could not instantiate class '"
+                    + classId + "' for profile '" + id + "': " + e);
+        }
+        newProfile.setId(id);
+        try {
+            newProfile.init(this, cs);
+        } catch (EBaseException e) {
+            throw new EProfileException(
+                    "Failed to initialise profile '" + id + "': " + e);
+        }
+
+        // next replace the existing profile with the new profile;
+        // this is to avoid any intermediate state where the profile
+        // is not fully initialised with its inputs, outputs and
+        // policy objects.
+        //
+        mProfiles.put(id, newProfile);
+
+        // finally commit the configStore and track the resulting
+        // entryUSN and (in case of add) the nsUniqueId
+        //
+        try {
+            String[] attrs = {"entryUSN", "nsUniqueId"};
             LDAPEntry entry = cs.commitReturn(false, attrs);
-
-            LDAPAttribute attr = null;
-            if (entry != null)
-                attr = entry.getAttribute("entryUSN");
+            if (entry == null) {
+                // shouldn't happen, but let's be sure not to crash anyway
+                return;
+            }
 
             Integer entryUSN = null;
+            LDAPAttribute attr = entry.getAttribute("entryUSN");
             if (attr != null)
                 entryUSN = new Integer(attr.getStringValueArray()[0]);
-
             entryUSNs.put(id, entryUSN);
             CMS.debug("commitProfile: new entryUSN = " + entryUSN);
+
+            String nsUniqueId = null;
+            attr = entry.getAttribute("nsUniqueId");
+            if (attr != null)
+                nsUniqueId = attr.getStringValueArray()[0];
+            CMS.debug("commitProfile: nsUniqueId = " + nsUniqueId);
+            nsUniqueIds.put(id, nsUniqueId);
         } catch (ELdapException e) {
             throw new EProfileException(
                 "Failed to commit config store of profile '" + id + ": " + e);
@@ -261,17 +341,7 @@ public class LDAPProfileSubsystem
         mProfiles.remove(id);
         mProfileClassIds.remove(id);
         entryUSNs.remove(id);
-    }
-
-    private void forgetProfile(LDAPEntry entry) {
-        String profileId = null;
-        String dn = entry.getDN();
-        if (!dn.startsWith("cn=")) {
-            CMS.debug("forgetProfile: DN " + dn + " does not start with 'cn='");
-            return;
-        }
-        profileId = LDAPDN.explodeDN(dn, true)[0];
-        forgetProfile(profileId);
+        nsUniqueIds.remove(id);
     }
 
     /**
@@ -296,6 +366,8 @@ public class LDAPProfileSubsystem
         mProfiles.clear();
         mProfileClassIds.clear();
         entryUSNs.clear();
+        nsUniqueIds.clear();
+        deletedNsUniqueIds.clear();
     }
 
     /**
@@ -328,7 +400,7 @@ public class LDAPProfileSubsystem
                 cons.setServerControls(persistCtrl);
                 cons.setBatchSize(1);
                 cons.setServerTimeLimit(0 /* seconds */);
-                String[] attrs = {"*", "entryUSN"};
+                String[] attrs = {"*", "entryUSN", "nsUniqueId"};
                 LDAPSearchResults results = conn.search(
                     dn, LDAPConnection.SCOPE_ONE, "(objectclass=*)",
                     attrs, false, cons);
@@ -347,7 +419,7 @@ public class LDAPProfileSubsystem
                             break;
                         case LDAPPersistSearchControl.DELETE:
                             CMS.debug("Profile change monitor: DELETE");
-                            forgetProfile(entry);
+                            handleDELETE(entry);
                             break;
                         case LDAPPersistSearchControl.MODIFY:
                             CMS.debug("Profile change monitor: MODIFY");
-- 
2.5.0

-------------- next part --------------
From 40eb5e91d1140caa6313ec6d9aa69d3b6f75b9fa Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Tue, 1 Dec 2015 14:21:08 +1100
Subject: [PATCH 61/61] Ensure config store commits refresh file-based profile
 data

The file-based LDAP profile subsystem does not update profiles
correctly.  Ensure that each commit of the underlying config store
refreshes the profile inputs, outputs and policy objects.

Part of: https://fedorahosted.org/pki/ticket/1700
---
 .../cmscore/profile/AbstractProfileSubsystem.java  | 39 +++++++++++++++++++++-
 1 file changed, 38 insertions(+), 1 deletion(-)

diff --git a/base/server/cmscore/src/com/netscape/cmscore/profile/AbstractProfileSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/profile/AbstractProfileSubsystem.java
index e93e090de9244a3a4ad4f17e0616cce5d65a978c..116b8e2026e80b012fb87647fd8924b567194fa3 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/profile/AbstractProfileSubsystem.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/profile/AbstractProfileSubsystem.java
@@ -22,12 +22,15 @@ import java.util.Enumeration;
 import java.util.Hashtable;
 import java.util.LinkedHashMap;
 
+import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.base.ISubsystem;
 import com.netscape.certsrv.profile.EProfileException;
 import com.netscape.certsrv.profile.IProfile;
 import com.netscape.certsrv.profile.IProfileSubsystem;
+import com.netscape.certsrv.registry.IPluginInfo;
+import com.netscape.certsrv.registry.IPluginRegistry;
 
 public abstract class AbstractProfileSubsystem implements IProfileSubsystem {
     protected static final String PROP_CHECK_OWNER = "checkOwner";
@@ -120,8 +123,42 @@ public abstract class AbstractProfileSubsystem implements IProfileSubsystem {
      */
     public void commitProfile(String id)
             throws EProfileException {
+        IConfigStore cs = mProfiles.get(id).getConfigStore();
+
+        // first create a *new* profile object from the configStore
+        // and initialise it with the updated configStore
+        //
+        IPluginRegistry registry = (IPluginRegistry)
+            CMS.getSubsystem(CMS.SUBSYSTEM_REGISTRY);
+        String classId = mProfileClassIds.get(id);
+        IPluginInfo info = registry.getPluginInfo("profile", classId);
+        String className = info.getClassName();
+        IProfile newProfile = null;
         try {
-            mProfiles.get(id).getConfigStore().commit(false);
+            newProfile = (IProfile) Class.forName(className).newInstance();
+        } catch (ClassNotFoundException | InstantiationException | IllegalAccessException e) {
+            throw new EProfileException("Could not instantiate class '"
+                    + classId + "' for profile '" + id + "': " + e);
+        }
+        newProfile.setId(id);
+        try {
+            newProfile.init(this, cs);
+        } catch (EBaseException e) {
+            throw new EProfileException(
+                    "Failed to initialise profile '" + id + "': " + e);
+        }
+
+        // next replace the existing profile with the new profile;
+        // this is to avoid any intermediate state where the profile
+        // is not fully initialised with its inputs, outputs and
+        // policy objects.
+        //
+        mProfiles.put(id, newProfile);
+
+        // finally commit the configStore
+        //
+        try {
+            cs.commit(false);
         } catch (EBaseException e) {
             throw new EProfileException(
                 "Failed to commit config store of profile '" + id + ": " + e,
-- 
2.5.0


From cfu at redhat.com  Wed Jan 20 03:08:31 2016
From: cfu at redhat.com (Christina Fu)
Date: Tue, 19 Jan 2016 19:08:31 -0800
Subject: [Pki-devel] [PATCH]
 pki-cfu-0111-Ticket-1007-preparation-work-replace-auditMsg-with-l.patch
Message-ID: <569EFA2F.9000700@redhat.com>

This patch replaces "auditMsg" with "logMsg" in the TPS source.

     For ticket #1007 TPS Audit Events, we need to add audit messages.
     The existing parameter name "auditMsg" has been used broadly for
     TPS logging, which could be confused for the actual audit messages.
     This patch is to replace all the existing "auditMsg" parameters with
     "logMsg" instead.

thanks,
Christina



From ftweedal at redhat.com  Wed Jan 20 03:34:45 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Wed, 20 Jan 2016 13:34:45 +1000
Subject: [Pki-devel] [PATCH 0047] Remove #!python shebang from
 non-executables
In-Reply-To: <569E3EB9.3030400@redhat.com>
References: <569E3EB9.3030400@redhat.com>
Message-ID: <20160120031702.GM31821@dhcp-40-8.bne.redhat.com>

On Tue, Jan 19, 2016 at 02:48:41PM +0100, Christian Heimes wrote:
> A lot of Python files start with a #!/usr/bin/python shebang although
> the files are neither executables nor designed as scripts. Shebangs are
> only required for executable scripts.
> 
> Without unnecessary shebangs it's a bit easier to track Python 3
> porting.
>
ACK



From cheimes at redhat.com  Wed Jan 20 11:00:06 2016
From: cheimes at redhat.com (Christian Heimes)
Date: Wed, 20 Jan 2016 12:00:06 +0100
Subject: [Pki-devel] [PATCH 0047] Remove #!python shebang from
 non-executables
In-Reply-To: <20160120031702.GM31821@dhcp-40-8.bne.redhat.com>
References: <569E3EB9.3030400@redhat.com>
	<20160120031702.GM31821@dhcp-40-8.bne.redhat.com>
Message-ID: <569F68B6.4030600@redhat.com>

On 2016-01-20 04:34, Fraser Tweedale wrote:
> On Tue, Jan 19, 2016 at 02:48:41PM +0100, Christian Heimes wrote:
>> A lot of Python files start with a #!/usr/bin/python shebang although
>> the files are neither executables nor designed as scripts. Shebangs are
>> only required for executable scripts.
>>
>> Without unnecessary shebangs it's a bit easier to track Python 3
>> porting.
>>
> ACK
> 

Pushed to master 5bf3a94a9c3374e34bf66fe5b1725ff9b49a1f3c

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20160120/3290bdc9/attachment.sig>

From cheimes at redhat.com  Wed Jan 20 11:04:46 2016
From: cheimes at redhat.com (Christian Heimes)
Date: Wed, 20 Jan 2016 12:04:46 +0100
Subject: [Pki-devel] [PATCH 0044 Don't use settings like HTTP proxy from
 env vars
In-Reply-To: <20160120015620.GK31821@dhcp-40-8.bne.redhat.com>
References: <569795E7.5050000@redhat.com> <569E0F44.1090000@redhat.com>
	<20160120015620.GK31821@dhcp-40-8.bne.redhat.com>
Message-ID: <569F69CE.4070400@redhat.com>

On 2016-01-20 02:56, Fraser Tweedale wrote:
> On Tue, Jan 19, 2016 at 11:26:12AM +0100, Christian Heimes wrote:
>> On 2016-01-14 13:34, Christian Heimes wrote:
>>> The PKIConnection class uses python-requests for HTTPS. The library
>>> picks up several settings from environment variables, e.g. HTTP proxy
>>> server, certificate bundle with trust anchors and authentication. A
>>> proxy can interfere with the Dogtag installer and cause some operations
>>> to fail.
>>>
>>> With session.trust_env = False python-requests no longer inspects the
>>> environment and Dogtag has full controll over its connection settings.
>>>
>>> https://requests.readthedocs.org/en/latest/api/?highlight=trust_env#requests.Session.trust_env
>>>
>>> https://fedorahosted.org/pki/ticket/1733
>>> https://fedorahosted.org/freeipa/ticket/5555
>>
>> Endi suggested to keep the default and only disable trust_env in the
>> installer. Here is an updated patch.
>>
>> Christian
> 
> ACK on updated patch
> 

Thanks for the reviews!

Pushed to master in 387d09045fb37b71bc0f1980f16ca70bc071996c

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20160120/25870d4c/attachment.sig>

From edewata at redhat.com  Wed Jan 20 15:58:23 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 20 Jan 2016 09:58:23 -0600
Subject: [Pki-devel] [PATCH] 0055 Allow encoded slashes in HTTP paths
In-Reply-To: <20160119060638.GH31821@dhcp-40-8.bne.redhat.com>
References: <20151105052223.GC20018@dhcp-40-8.bne.redhat.com>
	<5693FE5C.8020806@redhat.com>
	<20160119060638.GH31821@dhcp-40-8.bne.redhat.com>
Message-ID: <569FAE9F.7050600@redhat.com>

On 1/19/2016 12:06 AM, Fraser Tweedale wrote:
> Updated patch attached; comments inline.
>
> On Mon, Jan 11, 2016 at 01:11:24PM -0600, Endi Sukma Dewata wrote:
>> On 11/4/2015 11:22 PM, Fraser Tweedale wrote:
>>> The attached patch fixes GET-based OCSP requests,
>>> https://fedorahosted.org/pki/ticket/1658
>>>
>>> Cheers,
>>> Fraser
>>
>> Some comments:
>>
>> 1. The ALLOW_ENCODED_SLASH parameter will fix the problem, but there's a
>> security concern:
>>
>> http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html
>>
>> The org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH and
>> org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH system properties
>> allow non-standard parsing of the request URI. Using these options when
>> behind a reverse proxy may enable an attacker to bypass any security
>> constraints enforced by the proxy.
>>
>> However, since we are not dependent on a proxy to protect PKI pages in
>> Tomcat (we have our own ACL in PKI) I suppose this is not an issue, unless
>> anybody else has a concern.
>>
> I do not see a vulnerability - AFAICT the vulnerability was from
> proxies enforcing path-based access control but parsed path
> differently, which as you point out is not our situation.  Hopefully
> we are not overlooking something.
>
>> 2. I think the catalina.properties that needs to be modified is in
>> base/server/share/conf. The others are duplicates that should've been
>> removed.
>>
> Patch updated.  I'll send another patch removing the obsolete
> catalina.properties files soon.
>
>> 3. During deployment the catalina.properties is copied into <instance
>> dir>/conf. So if we want to fix existing instances we need to write an
>> upgrade script.
>>
> Added an upgrade script.
>
> Thanks for reviewing!
> Fraser
>

ACK.

-- 
Endi S. Dewata



From edewata at redhat.com  Wed Jan 20 16:00:09 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 20 Jan 2016 10:00:09 -0600
Subject: [Pki-devel] [PATCH] 0073 Remove obsolete catalina config files
In-Reply-To: <20160119224546.GI31821@dhcp-40-8.bne.redhat.com>
References: <20160119224546.GI31821@dhcp-40-8.bne.redhat.com>
Message-ID: <569FAF09.3000502@redhat.com>

On 1/19/2016 4:45 PM, Fraser Tweedale wrote:
> The attached patch removes some config files that are not used now
> that we use shared Tomcat instance.
>
> Thanks,
> Fraser
>

ACK.

-- 
Endi S. Dewata



From cfu at redhat.com  Wed Jan 20 16:56:06 2016
From: cfu at redhat.com (Christina Fu)
Date: Wed, 20 Jan 2016 08:56:06 -0800
Subject: [Pki-devel] [PATCH]
 pki-cfu-0111-Ticket-1007-preparation-work-replace-auditMsg-with-l.patch
In-Reply-To: <569EFA2F.9000700@redhat.com>
References: <569EFA2F.9000700@redhat.com>
Message-ID: <569FBC26.6070002@redhat.com>

and here is the patch.

On 01/19/2016 07:08 PM, Christina Fu wrote:
> This patch replaces "auditMsg" with "logMsg" in the TPS source.
>
>     For ticket #1007 TPS Audit Events, we need to add audit messages.
>     The existing parameter name "auditMsg" has been used broadly for
>     TPS logging, which could be confused for the actual audit messages.
>     This patch is to replace all the existing "auditMsg" parameters with
>     "logMsg" instead.
>
> thanks,
> Christina
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cfu-0111-Ticket-1007-preparation-work-replace-auditMsg-with-l.patch
Type: text/x-patch
Size: 80438 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20160120/b30fb067/attachment.bin>

From cfu at redhat.com  Wed Jan 20 17:15:36 2016
From: cfu at redhat.com (Christina Fu)
Date: Wed, 20 Jan 2016 09:15:36 -0800
Subject: [Pki-devel] [PATCH]
 pki-cfu-0111-Ticket-1007-preparation-work-replace-auditMsg-with-l.patch
In-Reply-To: <569FBC26.6070002@redhat.com>
References: <569EFA2F.9000700@redhat.com> <569FBC26.6070002@redhat.com>
Message-ID: <569FC0B8.7020605@redhat.com>

verbal ACK by edewata

pushed to master:
commit 7aa1cdd52eca390dee6d8ec4d1e7a956114383c5

Please update your trees and avoid using the parameter name "auditMsg" 
unless it's for actual auditing.

thanks,
Christina

On 01/20/2016 08:56 AM, Christina Fu wrote:
> and here is the patch.
>
> On 01/19/2016 07:08 PM, Christina Fu wrote:
>> This patch replaces "auditMsg" with "logMsg" in the TPS source.
>>
>>     For ticket #1007 TPS Audit Events, we need to add audit messages.
>>     The existing parameter name "auditMsg" has been used broadly for
>>     TPS logging, which could be confused for the actual audit messages.
>>     This patch is to replace all the existing "auditMsg" parameters with
>>     "logMsg" instead.
>>
>> thanks,
>> Christina
>>
>> _______________________________________________
>> Pki-devel mailing list
>> Pki-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-devel
>
>
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20160120/690d9468/attachment.htm>

From edewata at redhat.com  Wed Jan 20 18:44:38 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 20 Jan 2016 12:44:38 -0600
Subject: [Pki-devel] [PATCH] 0057..0061 LDAPProfileSubsystem concurrency
 fixes
In-Reply-To: <20160120020728.GL31821@dhcp-40-8.bne.redhat.com>
References: <20151201045650.GM23644@dhcp-40-8.bne.redhat.com>
	<5695520F.1010908@redhat.com>
	<20160119000735.GG31821@dhcp-40-8.bne.redhat.com>
	<20160120020728.GL31821@dhcp-40-8.bne.redhat.com>
Message-ID: <569FD596.800@redhat.com>

On 1/19/2016 8:07 PM, Fraser Tweedale wrote:
> Rebase was needed for the remaining patches; 0060-2 and 0061-2
> attached.
>
> Thanks,
> Fraser
>

ACK for both of them.

Just wondering, would it be possible to distinguish local and remote 
persistent search results? So if a profile is changed on a machine, the 
profile object will be updated immediately in memory, then persistent 
search result for that modification will be ignored since it's initiated 
locally. Other machines, however, will pick up the changes from the 
persistent search result since it's initiated remotely.

-- 
Endi S. Dewata



From edewata at redhat.com  Wed Jan 20 20:30:40 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 20 Jan 2016 14:30:40 -0600
Subject: [Pki-devel] [PATCH] 0062 Block startup until initial profile
 load completed
In-Reply-To: <20151201055718.GN23644@dhcp-40-8.bne.redhat.com>
References: <20151201055718.GN23644@dhcp-40-8.bne.redhat.com>
Message-ID: <569FEE70.5010904@redhat.com>

On 11/30/2015 11:57 PM, Fraser Tweedale wrote:
> Hi all,
>
> The attached patch fixes https://fedorahosted.org/pki/ticket/1702
>
> Cheers,
> Fraser

ACK. Just some comments:

1. It would be nice to log the InterruptedException so we know if it 
happens.

2. Not a problem, but the code that reads the numSubordinates probably 
could be moved before the loop so it's guaranteed to be executed exactly 
once.

-- 
Endi S. Dewata



From ftweedal at redhat.com  Wed Jan 20 23:47:22 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Thu, 21 Jan 2016 09:47:22 +1000
Subject: [Pki-devel] [PATCH] 0073 Remove obsolete catalina config files
In-Reply-To: <569FAF09.3000502@redhat.com>
References: <20160119224546.GI31821@dhcp-40-8.bne.redhat.com>
	<569FAF09.3000502@redhat.com>
Message-ID: <20160120234721.GR31821@dhcp-40-8.bne.redhat.com>

On Wed, Jan 20, 2016 at 10:00:09AM -0600, Endi Sukma Dewata wrote:
> On 1/19/2016 4:45 PM, Fraser Tweedale wrote:
> >The attached patch removes some config files that are not used now
> >that we use shared Tomcat instance.
> >
> >Thanks,
> >Fraser
> >
> 
> ACK.
> 
Thanks!  Pushed to master

- ebb9b22ac679b8fcbb0c32f558627c1fdbb9ce51



From ftweedal at redhat.com  Thu Jan 21 00:06:41 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Thu, 21 Jan 2016 10:06:41 +1000
Subject: [Pki-devel] [PATCH] 0057..0061 LDAPProfileSubsystem concurrency
 fixes
In-Reply-To: <569FD596.800@redhat.com>
References: <20151201045650.GM23644@dhcp-40-8.bne.redhat.com>
	<5695520F.1010908@redhat.com>
	<20160119000735.GG31821@dhcp-40-8.bne.redhat.com>
	<20160120020728.GL31821@dhcp-40-8.bne.redhat.com>
	<569FD596.800@redhat.com>
Message-ID: <20160121000641.GS31821@dhcp-40-8.bne.redhat.com>

On Wed, Jan 20, 2016 at 12:44:38PM -0600, Endi Sukma Dewata wrote:
> On 1/19/2016 8:07 PM, Fraser Tweedale wrote:
> >Rebase was needed for the remaining patches; 0060-2 and 0061-2
> >attached.
> >
> >Thanks,
> >Fraser
> >
> 
> ACK for both of them.
> 
Thanks!  Pushed to master

- 41717cb774f53e30caf7a57c2e07526445bf0988 Ensure config store commits refresh file-based profile data
- 0af4a9393ce38216689e9afe17514b9441784133 Handle LDAPProfileSubsystem delete-then-recreate races

> Just wondering, would it be possible to distinguish local and remote
> persistent search results? So if a profile is changed on a machine, the
> profile object will be updated immediately in memory, then persistent search
> result for that modification will be ignored since it's initiated locally.
> Other machines, however, will pick up the changes from the persistent search
> result since it's initiated remotely.
> 
This is indeed accomplished by the tracking of the entryUSN
resulting from a change (via the PostReadControl) and the deleted
entries.

Cheers,
Fraser



From edewata at redhat.com  Thu Jan 21 00:28:21 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 20 Jan 2016 18:28:21 -0600
Subject: [Pki-devel] [PATCH] 0063 Extract common base class for
 SSLAuthenticatorWithFallback
In-Reply-To: <20151203063141.GY23644@dhcp-40-8.bne.redhat.com>
References: <20151203063141.GY23644@dhcp-40-8.bne.redhat.com>
Message-ID: <56A02625.6020207@redhat.com>

On 12/3/2015 12:31 AM, Fraser Tweedale wrote:
> The attached patch was written as part of work implementing GSS-API
> authentication.  We actually might not end up using
> SSLAuthenticatorWithFallback to interpret the authentication data
> but I think this refactor is worthwhile on its own, so here's the
> patch.
>
> Cheers,
> Fraser

Ideally the SSLAuthenticatorWithFallback for Tomcat 7 should not store 
the LoginConfig as an attribute because potentially it can be shared by 
multiple web applications. Since each PKI web application has a separate 
instance of the SSLAuthenticatorWithFallback this is probably not a 
problem. So the patch is ACKed as is.

But if you want, the code probably can be modified like this:

   public boolean authenticate(..., config) {
       HashMap attributes = new HashMap();
       attributes.put("loginConfig", config);
       return doAuthenticate(..., attributes);
   }

   public boolean doSubAuthenticate(..., attributes) {
       LoginConfig config = attributes.get("loginConfig");
       return auth.authenticate(..., loginConfig);
   }

   public String goGetRealName(..., attributes) {
       LoginConfig config = attributes.get("loginConfig");
       return loginConfig.getRealName();
   }

For Tomcat 8 the attributes map can be null.

It might even be possible to merge the two implementations. Recent 
Tomcat 7 contains additional stuff that reduces the differences with 
Tomcat 8. But we will need to make sure the latest Tomcat 7 is available 
on all platforms that we support. This can be done later though.

-- 
Endi S. Dewata



From ftweedal at redhat.com  Thu Jan 21 01:07:14 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Thu, 21 Jan 2016 11:07:14 +1000
Subject: [Pki-devel] [PATCH] 0062 Block startup until initial profile
 load completed
In-Reply-To: <569FEE70.5010904@redhat.com>
References: <20151201055718.GN23644@dhcp-40-8.bne.redhat.com>
	<569FEE70.5010904@redhat.com>
Message-ID: <20160121010714.GT31821@dhcp-40-8.bne.redhat.com>

On Wed, Jan 20, 2016 at 02:30:40PM -0600, Endi Sukma Dewata wrote:
> On 11/30/2015 11:57 PM, Fraser Tweedale wrote:
> >Hi all,
> >
> >The attached patch fixes https://fedorahosted.org/pki/ticket/1702
> >
> >Cheers,
> >Fraser
> 
> ACK. Just some comments:
> 
Thanks; pushed to master (5fae5826e5442d7266681d19f282dc7728062b89).
Will push to 10.2 branch shortly.

> 1. It would be nice to log the InterruptedException so we know if it
> happens.
> 
I added a log message.

> 2. Not a problem, but the code that reads the numSubordinates probably could
> be moved before the loop so it's guaranteed to be executed exactly once.
> 
It has to be done as part of the one search, to guarantee that no
profiles are added/removed between the search to determine the
number of profiles, and a subsequent search to load them.

Cheers,
Fraser



From ftweedal at redhat.com  Thu Jan 21 01:55:01 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Thu, 21 Jan 2016 11:55:01 +1000
Subject: [Pki-devel] [PATCH] 0057..0061 LDAPProfileSubsystem concurrency
 fixes
In-Reply-To: <20160121000641.GS31821@dhcp-40-8.bne.redhat.com>
References: <20151201045650.GM23644@dhcp-40-8.bne.redhat.com>
	<5695520F.1010908@redhat.com>
	<20160119000735.GG31821@dhcp-40-8.bne.redhat.com>
	<20160120020728.GL31821@dhcp-40-8.bne.redhat.com>
	<569FD596.800@redhat.com>
	<20160121000641.GS31821@dhcp-40-8.bne.redhat.com>
Message-ID: <20160121015501.GU31821@dhcp-40-8.bne.redhat.com>

On Thu, Jan 21, 2016 at 10:06:41AM +1000, Fraser Tweedale wrote:
> On Wed, Jan 20, 2016 at 12:44:38PM -0600, Endi Sukma Dewata wrote:
> > On 1/19/2016 8:07 PM, Fraser Tweedale wrote:
> > >Rebase was needed for the remaining patches; 0060-2 and 0061-2
> > >attached.
> > >
> > >Thanks,
> > >Fraser
> > >
> > 
> > ACK for both of them.
> > 
> Thanks!  Pushed to master
> 
> - 41717cb774f53e30caf7a57c2e07526445bf0988 Ensure config store commits refresh file-based profile data
> - 0af4a9393ce38216689e9afe17514b9441784133 Handle LDAPProfileSubsystem delete-then-recreate races
> 
All five commits have been pushed to DOGTAG_10_2_BRANCH:

* 1c9cbd1 Ensure config store commits refresh file-based profile data
* 7957c80 Handle LDAPProfileSubsystem delete-then-recreate races
* 2cb2e9c Avoid profile race conditions by tracking entryUSN
* 6371ea5 Add LDAPPostReadControl class
* 6ed6230 Extract LDAPControl search function to LDAPUtil



From ftweedal at redhat.com  Thu Jan 21 01:57:09 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Thu, 21 Jan 2016 11:57:09 +1000
Subject: [Pki-devel] [PATCH] 0062 Block startup until initial profile
 load completed
In-Reply-To: <20160121010714.GT31821@dhcp-40-8.bne.redhat.com>
References: <20151201055718.GN23644@dhcp-40-8.bne.redhat.com>
	<569FEE70.5010904@redhat.com>
	<20160121010714.GT31821@dhcp-40-8.bne.redhat.com>
Message-ID: <20160121015709.GV31821@dhcp-40-8.bne.redhat.com>

On Thu, Jan 21, 2016 at 11:07:14AM +1000, Fraser Tweedale wrote:
> On Wed, Jan 20, 2016 at 02:30:40PM -0600, Endi Sukma Dewata wrote:
> > On 11/30/2015 11:57 PM, Fraser Tweedale wrote:
> > >Hi all,
> > >
> > >The attached patch fixes https://fedorahosted.org/pki/ticket/1702
> > >
> > >Cheers,
> > >Fraser
> > 
> > ACK. Just some comments:
> > 
> Thanks; pushed to master (5fae5826e5442d7266681d19f282dc7728062b89).
> Will push to 10.2 branch shortly.
> 
Pushed to DOGTAG_10_2_BRANCH:

* e8a1d9c Block startup until initial profile load completed



From ftweedal at redhat.com  Thu Jan 21 03:39:36 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Thu, 21 Jan 2016 13:39:36 +1000
Subject: [Pki-devel] [PATCH] 0055 Allow encoded slashes in HTTP paths
In-Reply-To: <569FAE9F.7050600@redhat.com>
References: <20151105052223.GC20018@dhcp-40-8.bne.redhat.com>
	<5693FE5C.8020806@redhat.com>
	<20160119060638.GH31821@dhcp-40-8.bne.redhat.com>
	<569FAE9F.7050600@redhat.com>
Message-ID: <20160121033936.GW31821@dhcp-40-8.bne.redhat.com>

On Wed, Jan 20, 2016 at 09:58:23AM -0600, Endi Sukma Dewata wrote:
> On 1/19/2016 12:06 AM, Fraser Tweedale wrote:
> >Updated patch attached; comments inline.
> >
> >On Mon, Jan 11, 2016 at 01:11:24PM -0600, Endi Sukma Dewata wrote:
> >>On 11/4/2015 11:22 PM, Fraser Tweedale wrote:
> >>>The attached patch fixes GET-based OCSP requests,
> >>>https://fedorahosted.org/pki/ticket/1658
> >>>
> >>>Cheers,
> >>>Fraser
> >>
> >>Some comments:
> >>
> >>1. The ALLOW_ENCODED_SLASH parameter will fix the problem, but there's a
> >>security concern:
> >>
> >>http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html
> >>
> >>The org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH and
> >>org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH system properties
> >>allow non-standard parsing of the request URI. Using these options when
> >>behind a reverse proxy may enable an attacker to bypass any security
> >>constraints enforced by the proxy.
> >>
> >>However, since we are not dependent on a proxy to protect PKI pages in
> >>Tomcat (we have our own ACL in PKI) I suppose this is not an issue, unless
> >>anybody else has a concern.
> >>
> >I do not see a vulnerability - AFAICT the vulnerability was from
> >proxies enforcing path-based access control but parsed path
> >differently, which as you point out is not our situation.  Hopefully
> >we are not overlooking something.
> >
> >>2. I think the catalina.properties that needs to be modified is in
> >>base/server/share/conf. The others are duplicates that should've been
> >>removed.
> >>
> >Patch updated.  I'll send another patch removing the obsolete
> >catalina.properties files soon.
> >
> >>3. During deployment the catalina.properties is copied into <instance
> >>dir>/conf. So if we want to fix existing instances we need to write an
> >>upgrade script.
> >>
> >Added an upgrade script.
> >
> >Thanks for reviewing!
> >Fraser
> >
> 
> ACK.
> 
Thanks; pushed to master:

cbcdeddc2e794be3955edf20ea1597e58c443ba6 Allow encoded slashes in HTTP paths



From ftweedal at redhat.com  Thu Jan 21 10:03:32 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Thu, 21 Jan 2016 20:03:32 +1000
Subject: [Pki-devel] [PATCH] 0063 Extract common base class for
 SSLAuthenticatorWithFallback
In-Reply-To: <56A02625.6020207@redhat.com>
References: <20151203063141.GY23644@dhcp-40-8.bne.redhat.com>
	<56A02625.6020207@redhat.com>
Message-ID: <20160121100332.GA24555@dhcp-40-8.bne.redhat.com>

On Wed, Jan 20, 2016 at 06:28:21PM -0600, Endi Sukma Dewata wrote:
> On 12/3/2015 12:31 AM, Fraser Tweedale wrote:
> >The attached patch was written as part of work implementing GSS-API
> >authentication.  We actually might not end up using
> >SSLAuthenticatorWithFallback to interpret the authentication data
> >but I think this refactor is worthwhile on its own, so here's the
> >patch.
> >
> >Cheers,
> >Fraser
> 
> Ideally the SSLAuthenticatorWithFallback for Tomcat 7 should not store the
> LoginConfig as an attribute because potentially it can be shared by multiple
> web applications. Since each PKI web application has a separate instance of
> the SSLAuthenticatorWithFallback this is probably not a problem. So the
> patch is ACKed as is.
> 
> But if you want, the code probably can be modified like this:
> 
>   public boolean authenticate(..., config) {
>       HashMap attributes = new HashMap();
>       attributes.put("loginConfig", config);
>       return doAuthenticate(..., attributes);
>   }
> 
>   public boolean doSubAuthenticate(..., attributes) {
>       LoginConfig config = attributes.get("loginConfig");
>       return auth.authenticate(..., loginConfig);
>   }
> 
>   public String goGetRealName(..., attributes) {
>       LoginConfig config = attributes.get("loginConfig");
>       return loginConfig.getRealName();
>   }
> 
> For Tomcat 8 the attributes map can be null.
> 
> It might even be possible to merge the two implementations. Recent Tomcat 7
> contains additional stuff that reduces the differences with Tomcat 8. But we
> will need to make sure the latest Tomcat 7 is available on all platforms
> that we support. This can be done later though.
> 
Since loginConfig is immediately set with the passed LoginConfig on
each call to authenticate(), we can use ThreadLocal[1] to prevent
interference in a less intrusive way that is still type-safe.

[1] http://docs.oracle.com/javase/7/docs/api/java/lang/ThreadLocal.html

Updated patch attached.

Thanks for reviewing,
Fraser
-------------- next part --------------
From 67ac39227e5db83c7a4a7ad72364f3dcd30db05e Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Thu, 3 Dec 2015 16:09:04 +1100
Subject: [PATCH] Extract common base class for SSLAuthenticatorWithFallback

Two Tomcat version-specific implementations of
SSLAuthenticatorWithFallback exist, with much duplicate code.
Extract an abstract base class 'AbstractPKIAuthenticator' and
implement just the unique bits in the concrete classes.

Part of: https://fedorahosted.org/pki/ticket/1359
---
 .../cms/tomcat/AbstractPKIAuthenticator.java}      |  35 +++--
 base/server/tomcat7/src/CMakeLists.txt             |   3 +
 .../cms/tomcat/SSLAuthenticatorWithFallback.java   | 143 +++------------------
 base/server/tomcat8/src/CMakeLists.txt             |   3 +
 .../cms/tomcat/SSLAuthenticatorWithFallback.java   | 140 ++------------------
 5 files changed, 51 insertions(+), 273 deletions(-)
 copy base/server/{tomcat8/src/com/netscape/cms/tomcat/SSLAuthenticatorWithFallback.java => tomcat/src/com/netscape/cms/tomcat/AbstractPKIAuthenticator.java} (86%)

diff --git a/base/server/tomcat8/src/com/netscape/cms/tomcat/SSLAuthenticatorWithFallback.java b/base/server/tomcat/src/com/netscape/cms/tomcat/AbstractPKIAuthenticator.java
similarity index 86%
copy from base/server/tomcat8/src/com/netscape/cms/tomcat/SSLAuthenticatorWithFallback.java
copy to base/server/tomcat/src/com/netscape/cms/tomcat/AbstractPKIAuthenticator.java
index 3678791b927a9d6bca523d6a79a5fbfff1b675cf..f98377dc2322d7fa525d360a401348468f840f43 100644
--- a/base/server/tomcat8/src/com/netscape/cms/tomcat/SSLAuthenticatorWithFallback.java
+++ b/base/server/tomcat/src/com/netscape/cms/tomcat/AbstractPKIAuthenticator.java
@@ -28,6 +28,7 @@ import javax.servlet.http.HttpServletResponseWrapper;
 import org.apache.catalina.Container;
 import org.apache.catalina.Globals;
 import org.apache.catalina.LifecycleException;
+import org.apache.catalina.Authenticator;
 import org.apache.catalina.authenticator.AuthenticatorBase;
 import org.apache.catalina.authenticator.BasicAuthenticator;
 import org.apache.catalina.authenticator.FormAuthenticator;
@@ -37,7 +38,7 @@ import org.apache.catalina.connector.Request;
 /**
  * @author Endi S. Dewata
  */
-public class SSLAuthenticatorWithFallback extends AuthenticatorBase {
+public abstract class AbstractPKIAuthenticator extends AuthenticatorBase {
 
     public final static String BASIC_AUTHENTICATOR = "BASIC";
     public final static String FORM_AUTHENTICATOR = "FORM";
@@ -47,7 +48,7 @@ public class SSLAuthenticatorWithFallback extends AuthenticatorBase {
     AuthenticatorBase sslAuthenticator = new SSLAuthenticator();
     AuthenticatorBase fallbackAuthenticator = new BasicAuthenticator();
 
-    public SSLAuthenticatorWithFallback() {
+    public AbstractPKIAuthenticator() {
         log("Creating SSL authenticator with fallback");
     }
 
@@ -68,9 +69,7 @@ public class SSLAuthenticatorWithFallback extends AuthenticatorBase {
 
     }
 
-    @Override
-    public boolean authenticate(Request request, HttpServletResponse response) throws IOException {
-
+    public boolean doAuthenticate(Request request, HttpServletResponse response) throws IOException {
         X509Certificate certs[] = (X509Certificate[]) request.getAttribute(Globals.CERTIFICATES_ATTR);
         boolean result;
 
@@ -84,7 +83,7 @@ public class SSLAuthenticatorWithFallback extends AuthenticatorBase {
                     log("SSL auth return code: "+code);
                 }
             };
-            result = sslAuthenticator.authenticate(request, wrapper);
+            result = doSubAuthenticate(sslAuthenticator, request, wrapper);
 
         } else {
             log("Authenticating with "+fallbackMethod+" authentication");
@@ -96,30 +95,28 @@ public class SSLAuthenticatorWithFallback extends AuthenticatorBase {
                     log("Fallback auth return code: "+code);
                 }
             };
-            result = fallbackAuthenticator.authenticate(request, wrapper);
+            result = doSubAuthenticate(fallbackAuthenticator, request, wrapper);
         }
 
         if (result)
             return true;
 
         log("Result: "+result);
-        String realmName = AuthenticatorBase.getRealmName(request.getContext());
-
-
-        StringBuilder value = new StringBuilder(16);
-        value.append("Basic realm=\"");
-        if (realmName != null) {
-            value.append(REALM_NAME);
-        } else {
-            value.append(realmName);
-        }
-        value.append('\"');
-        response.setHeader(AUTH_HEADER_NAME, value.toString());
+        String realmName = doGetRealmName(request);
+        response.setHeader(AUTH_HEADER_NAME,
+            "Basic realm=\"" + (realmName == null ? REALM_NAME : realmName) + "\"");
         response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
 
         return false;
     }
 
+    public abstract boolean doSubAuthenticate(
+        Authenticator auth, Request req, HttpServletResponse resp)
+        throws IOException;
+
+    public abstract String doGetRealmName(Request req);
+
+
     @Override
     protected String getAuthMethod() {
         return HttpServletRequest.CLIENT_CERT_AUTH;
diff --git a/base/server/tomcat7/src/CMakeLists.txt b/base/server/tomcat7/src/CMakeLists.txt
index 77293a654d5335ad134afaac30e4678360e0cc05..bb42bfe0a4a840f0b271a83600f79686f76cc353 100644
--- a/base/server/tomcat7/src/CMakeLists.txt
+++ b/base/server/tomcat7/src/CMakeLists.txt
@@ -124,8 +124,11 @@ javac(pki-tomcat7-classes
         com/netscape/cms/tomcat/*.java
     CLASSPATH
         ${SERVLET_JAR} ${TOMCAT_CATALINA_JAR} ${TOMCAT_UTIL_SCAN_JAR}
+            ${CMAKE_BINARY_DIR}/../../tomcat
     OUTPUT_DIR
         ${CMAKE_BINARY_DIR}/../../tomcat
+    DEPENDS
+        pki-tomcat-classes
 )
 
 configure_file(
diff --git a/base/server/tomcat7/src/com/netscape/cms/tomcat/SSLAuthenticatorWithFallback.java b/base/server/tomcat7/src/com/netscape/cms/tomcat/SSLAuthenticatorWithFallback.java
index 20bf85d221bac3f5dbd1cac73aa9b8252a1cc6e8..38c2431d8ed0775bb2ca2b5c32ca87fc07b180c5 100644
--- a/base/server/tomcat7/src/com/netscape/cms/tomcat/SSLAuthenticatorWithFallback.java
+++ b/base/server/tomcat7/src/com/netscape/cms/tomcat/SSLAuthenticatorWithFallback.java
@@ -19,154 +19,47 @@
 package com.netscape.cms.tomcat;
 
 import java.io.IOException;
-import java.security.cert.X509Certificate;
+import java.lang.ThreadLocal;
 
-import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpServletResponseWrapper;
 
-import org.apache.catalina.Container;
-import org.apache.catalina.Globals;
-import org.apache.catalina.LifecycleException;
-import org.apache.catalina.authenticator.AuthenticatorBase;
-import org.apache.catalina.authenticator.BasicAuthenticator;
-import org.apache.catalina.authenticator.FormAuthenticator;
-import org.apache.catalina.authenticator.SSLAuthenticator;
+import org.apache.catalina.Authenticator;
 import org.apache.catalina.connector.Request;
 import org.apache.catalina.deploy.LoginConfig;
 
 /**
  * @author Endi S. Dewata
  */
-public class SSLAuthenticatorWithFallback extends AuthenticatorBase {
+public class SSLAuthenticatorWithFallback extends AbstractPKIAuthenticator {
 
-    public final static String BASIC_AUTHENTICATOR = "BASIC";
-    public final static String FORM_AUTHENTICATOR = "FORM";
-
-    String fallbackMethod = BASIC_AUTHENTICATOR;
-
-    AuthenticatorBase sslAuthenticator = new SSLAuthenticator();
-    AuthenticatorBase fallbackAuthenticator = new BasicAuthenticator();
-
-    public SSLAuthenticatorWithFallback() {
-        log("Creating SSL authenticator with fallback");
-    }
+    protected static final ThreadLocal<LoginConfig> loginConfig =
+        new ThreadLocal<>();
 
     @Override
     public String getInfo() {
         return "SSL authenticator with "+fallbackMethod+" fallback.";
     }
 
-    public String getFallbackMethod() {
-        return fallbackMethod;
+    @Override
+    public boolean doSubAuthenticate(
+            Authenticator auth, Request req, HttpServletResponse resp)
+            throws IOException {
+        return auth.authenticate(req, resp, loginConfig.get());
     }
 
-    public void setFallbackMethod(String fallbackMethod) {
-        log("Fallback method: "+fallbackMethod);
-        this.fallbackMethod = fallbackMethod;
-
-        if (BASIC_AUTHENTICATOR.equalsIgnoreCase(fallbackMethod)) {
-            fallbackAuthenticator = new BasicAuthenticator();
-
-        } else if (FORM_AUTHENTICATOR.equalsIgnoreCase(fallbackMethod)) {
-            fallbackAuthenticator = new FormAuthenticator();
-        }
-
+    @Override
+    public String doGetRealmName(Request request /* ignored */) {
+        return loginConfig.get().getRealmName();
     }
 
     @Override
     public boolean authenticate(Request request, HttpServletResponse response, LoginConfig config) throws IOException {
-
-        X509Certificate certs[] = (X509Certificate[]) request.getAttribute(Globals.CERTIFICATES_ATTR);
-        boolean result;
-
-        if (certs != null && certs.length > 0) {
-            log("Authenticate with client certificate authentication");
-            HttpServletResponseWrapper wrapper = new HttpServletResponseWrapper(response) {
-                public void setHeader(String name, String value) {
-                    log("SSL auth header: "+name+"="+value);
-                };
-                public void sendError(int code) {
-                    log("SSL auth return code: "+code);
-                }
-            };
-            result = sslAuthenticator.authenticate(request, wrapper, config);
-
-        } else {
-            log("Authenticating with "+fallbackMethod+" authentication");
-            HttpServletResponseWrapper wrapper = new HttpServletResponseWrapper(response) {
-                public void setHeader(String name, String value) {
-                    log("Fallback auth header: "+name+"="+value);
-                };
-                public void sendError(int code) {
-                    log("Fallback auth return code: "+code);
-                }
-            };
-            result = fallbackAuthenticator.authenticate(request, wrapper, config);
+        loginConfig.set(config);
+        try {
+            return doAuthenticate(request, response);
+        } finally {
+            loginConfig.remove();
         }
-
-        if (result)
-            return true;
-
-        log("Result: "+result);
-
-        StringBuilder value = new StringBuilder(16);
-        value.append("Basic realm=\"");
-        if (config.getRealmName() == null) {
-            value.append(REALM_NAME);
-        } else {
-            value.append(config.getRealmName());
-        }
-        value.append('\"');
-        response.setHeader(AUTH_HEADER_NAME, value.toString());
-        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
-
-        return false;
-    }
-
-    @Override
-    protected String getAuthMethod() {
-        return HttpServletRequest.CLIENT_CERT_AUTH;
-    };
-
-    @Override
-    public void setContainer(Container container) {
-        log("Setting container");
-        super.setContainer(container);
-        sslAuthenticator.setContainer(container);
-        fallbackAuthenticator.setContainer(container);
     }
 
-    @Override
-    protected void initInternal() throws LifecycleException {
-        log("Initializing authenticators");
-
-        super.initInternal();
-
-        sslAuthenticator.setAlwaysUseSession(alwaysUseSession);
-        sslAuthenticator.init();
-
-        fallbackAuthenticator.setAlwaysUseSession(alwaysUseSession);
-        fallbackAuthenticator.init();
-    }
-
-    @Override
-    public void startInternal() throws LifecycleException {
-        log("Starting authenticators");
-        super.startInternal();
-        sslAuthenticator.start();
-        fallbackAuthenticator.start();
-    }
-
-    @Override
-    public void stopInternal() throws LifecycleException {
-        log("Stopping authenticators");
-        super.stopInternal();
-        sslAuthenticator.stop();
-        fallbackAuthenticator.stop();
-    }
-
-    public void log(String message) {
-        System.out.println("SSLAuthenticatorWithFallback: "+message);
-    }
 }
diff --git a/base/server/tomcat8/src/CMakeLists.txt b/base/server/tomcat8/src/CMakeLists.txt
index a2badac69837023ca7078cfeaa80cdf98ba2a63b..df55916bc0bc0e2bb010239115c68b8bc5ad6c84 100644
--- a/base/server/tomcat8/src/CMakeLists.txt
+++ b/base/server/tomcat8/src/CMakeLists.txt
@@ -124,8 +124,11 @@ javac(pki-tomcat8-classes
         com/netscape/cms/tomcat/*.java
     CLASSPATH
         ${SERVLET_JAR} ${TOMCAT_CATALINA_JAR} ${TOMCAT_UTIL_SCAN_JAR}
+            ${CMAKE_BINARY_DIR}/../../tomcat
     OUTPUT_DIR
         ${CMAKE_BINARY_DIR}/../../tomcat
+    DEPENDS
+        pki-tomcat-classes
 )
 
 configure_file(
diff --git a/base/server/tomcat8/src/com/netscape/cms/tomcat/SSLAuthenticatorWithFallback.java b/base/server/tomcat8/src/com/netscape/cms/tomcat/SSLAuthenticatorWithFallback.java
index 3678791b927a9d6bca523d6a79a5fbfff1b675cf..12ca0bb7c5213f8e833f75bfb92826dbc8718d87 100644
--- a/base/server/tomcat8/src/com/netscape/cms/tomcat/SSLAuthenticatorWithFallback.java
+++ b/base/server/tomcat8/src/com/netscape/cms/tomcat/SSLAuthenticatorWithFallback.java
@@ -19,150 +19,32 @@
 package com.netscape.cms.tomcat;
 
 import java.io.IOException;
-import java.security.cert.X509Certificate;
 
-import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpServletResponseWrapper;
 
-import org.apache.catalina.Container;
-import org.apache.catalina.Globals;
-import org.apache.catalina.LifecycleException;
-import org.apache.catalina.authenticator.AuthenticatorBase;
-import org.apache.catalina.authenticator.BasicAuthenticator;
-import org.apache.catalina.authenticator.FormAuthenticator;
-import org.apache.catalina.authenticator.SSLAuthenticator;
+import org.apache.catalina.Authenticator;
 import org.apache.catalina.connector.Request;
 
 /**
  * @author Endi S. Dewata
  */
-public class SSLAuthenticatorWithFallback extends AuthenticatorBase {
+public class SSLAuthenticatorWithFallback extends AbstractPKIAuthenticator {
 
-    public final static String BASIC_AUTHENTICATOR = "BASIC";
-    public final static String FORM_AUTHENTICATOR = "FORM";
-
-    String fallbackMethod = BASIC_AUTHENTICATOR;
-
-    AuthenticatorBase sslAuthenticator = new SSLAuthenticator();
-    AuthenticatorBase fallbackAuthenticator = new BasicAuthenticator();
-
-    public SSLAuthenticatorWithFallback() {
-        log("Creating SSL authenticator with fallback");
-    }
-
-    public String getFallbackMethod() {
-        return fallbackMethod;
+    @Override
+    public boolean doSubAuthenticate(
+            Authenticator auth, Request req, HttpServletResponse resp)
+            throws IOException {
+        return auth.authenticate(req, resp);
     }
 
-    public void setFallbackMethod(String fallbackMethod) {
-        log("Fallback method: "+fallbackMethod);
-        this.fallbackMethod = fallbackMethod;
-
-        if (BASIC_AUTHENTICATOR.equalsIgnoreCase(fallbackMethod)) {
-            fallbackAuthenticator = new BasicAuthenticator();
-
-        } else if (FORM_AUTHENTICATOR.equalsIgnoreCase(fallbackMethod)) {
-            fallbackAuthenticator = new FormAuthenticator();
-        }
-
+    @Override
+    public String doGetRealmName(Request request) {
+        return getRealmName(request.getContext());
     }
 
     @Override
     public boolean authenticate(Request request, HttpServletResponse response) throws IOException {
-
-        X509Certificate certs[] = (X509Certificate[]) request.getAttribute(Globals.CERTIFICATES_ATTR);
-        boolean result;
-
-        if (certs != null && certs.length > 0) {
-            log("Authenticate with client certificate authentication");
-            HttpServletResponseWrapper wrapper = new HttpServletResponseWrapper(response) {
-                public void setHeader(String name, String value) {
-                    log("SSL auth header: "+name+"="+value);
-                };
-                public void sendError(int code) {
-                    log("SSL auth return code: "+code);
-                }
-            };
-            result = sslAuthenticator.authenticate(request, wrapper);
-
-        } else {
-            log("Authenticating with "+fallbackMethod+" authentication");
-            HttpServletResponseWrapper wrapper = new HttpServletResponseWrapper(response) {
-                public void setHeader(String name, String value) {
-                    log("Fallback auth header: "+name+"="+value);
-                };
-                public void sendError(int code) {
-                    log("Fallback auth return code: "+code);
-                }
-            };
-            result = fallbackAuthenticator.authenticate(request, wrapper);
-        }
-
-        if (result)
-            return true;
-
-        log("Result: "+result);
-        String realmName = AuthenticatorBase.getRealmName(request.getContext());
-
-
-        StringBuilder value = new StringBuilder(16);
-        value.append("Basic realm=\"");
-        if (realmName != null) {
-            value.append(REALM_NAME);
-        } else {
-            value.append(realmName);
-        }
-        value.append('\"');
-        response.setHeader(AUTH_HEADER_NAME, value.toString());
-        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
-
-        return false;
-    }
-
-    @Override
-    protected String getAuthMethod() {
-        return HttpServletRequest.CLIENT_CERT_AUTH;
-    };
-
-    @Override
-    public void setContainer(Container container) {
-        log("Setting container");
-        super.setContainer(container);
-        sslAuthenticator.setContainer(container);
-        fallbackAuthenticator.setContainer(container);
+        return doAuthenticate(request, response);
     }
 
-    @Override
-    protected void initInternal() throws LifecycleException {
-        log("Initializing authenticators");
-
-        super.initInternal();
-
-        sslAuthenticator.setAlwaysUseSession(alwaysUseSession);
-        sslAuthenticator.init();
-
-        fallbackAuthenticator.setAlwaysUseSession(alwaysUseSession);
-        fallbackAuthenticator.init();
-    }
-
-    @Override
-    public void startInternal() throws LifecycleException {
-        log("Starting authenticators");
-        super.startInternal();
-        sslAuthenticator.start();
-        fallbackAuthenticator.start();
-    }
-
-    @Override
-    public void stopInternal() throws LifecycleException {
-        log("Stopping authenticators");
-        super.stopInternal();
-        sslAuthenticator.stop();
-        fallbackAuthenticator.stop();
-    }
-
-    public void log(String message) {
-        System.out.println("SSLAuthenticatorWithFallback: "+message);
-    }
 }
-- 
2.5.0


From cheimes at redhat.com  Thu Jan 21 13:22:22 2016
From: cheimes at redhat.com (Christian Heimes)
Date: Thu, 21 Jan 2016 14:22:22 +0100
Subject: [Pki-devel] [PATCH 0048] Package pki client library for Python 3
Message-ID: <56A0DB8E.4040204@redhat.com>

Hi,

Dogtag's Python code has been compatible with Python 3 for a while. So
far the code hasn't been packages for Python 3 yet. I've been exploring
ways to package the client part of Dogtag's pki package for FreeIPA. The
attached patch packages the client libraries from base/common/python/pki
as a new python3-pki package.

Christian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cheimes-0048-Package-pki-client-library-for-Python-3.patch
Type: text/x-patch
Size: 6433 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20160121/ec16ba78/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20160121/ec16ba78/attachment.sig>

From edewata at redhat.com  Thu Jan 21 14:52:11 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 21 Jan 2016 08:52:11 -0600
Subject: [Pki-devel] [PATCH] 0057..0061 LDAPProfileSubsystem concurrency
 fixes
In-Reply-To: <20160121000641.GS31821@dhcp-40-8.bne.redhat.com>
References: <20151201045650.GM23644@dhcp-40-8.bne.redhat.com>
	<5695520F.1010908@redhat.com>
	<20160119000735.GG31821@dhcp-40-8.bne.redhat.com>
	<20160120020728.GL31821@dhcp-40-8.bne.redhat.com>
	<569FD596.800@redhat.com>
	<20160121000641.GS31821@dhcp-40-8.bne.redhat.com>
Message-ID: <56A0F09B.8000804@redhat.com>

On 1/20/2016 6:06 PM, Fraser Tweedale wrote:
> On Wed, Jan 20, 2016 at 12:44:38PM -0600, Endi Sukma Dewata wrote:
>> On 1/19/2016 8:07 PM, Fraser Tweedale wrote:
>>> Rebase was needed for the remaining patches; 0060-2 and 0061-2
>>> attached.
>>>
>>> Thanks,
>>> Fraser
>>>
>>
>> ACK for both of them.
>>
> Thanks!  Pushed to master
>
> - 41717cb774f53e30caf7a57c2e07526445bf0988 Ensure config store commits refresh file-based profile data
> - 0af4a9393ce38216689e9afe17514b9441784133 Handle LDAPProfileSubsystem delete-then-recreate races
>
>> Just wondering, would it be possible to distinguish local and remote
>> persistent search results? So if a profile is changed on a machine, the
>> profile object will be updated immediately in memory, then persistent search
>> result for that modification will be ignored since it's initiated locally.
>> Other machines, however, will pick up the changes from the persistent search
>> result since it's initiated remotely.
>>
> This is indeed accomplished by the tracking of the entryUSN
> resulting from a change (via the PostReadControl) and the deleted
> entries.

Right. I was just thinking suppose the persistent search result contains 
a 'modifiedBy' attribute that stores the hostname, we might be able use 
that to ignore local changes without storing anything in the memory.

-- 
Endi S. Dewata



From edewata at redhat.com  Thu Jan 21 14:54:20 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 21 Jan 2016 08:54:20 -0600
Subject: [Pki-devel] [PATCH] 0063 Extract common base class for
 SSLAuthenticatorWithFallback
In-Reply-To: <20160121100332.GA24555@dhcp-40-8.bne.redhat.com>
References: <20151203063141.GY23644@dhcp-40-8.bne.redhat.com>
	<56A02625.6020207@redhat.com>
	<20160121100332.GA24555@dhcp-40-8.bne.redhat.com>
Message-ID: <56A0F11C.2060802@redhat.com>

On 1/21/2016 4:03 AM, Fraser Tweedale wrote:
> Since loginConfig is immediately set with the passed LoginConfig on
> each call to authenticate(), we can use ThreadLocal[1] to prevent
> interference in a less intrusive way that is still type-safe.
>
> [1] http://docs.oracle.com/javase/7/docs/api/java/lang/ThreadLocal.html
>
> Updated patch attached.
>
> Thanks for reviewing,
> Fraser

ACK.

-- 
Endi S. Dewata



From ftweedal at redhat.com  Thu Jan 21 23:47:43 2016
From: ftweedal at redhat.com (Fraser Tweedale)
Date: Fri, 22 Jan 2016 09:47:43 +1000
Subject: [Pki-devel] [PATCH] 0063 Extract common base class for
 SSLAuthenticatorWithFallback
In-Reply-To: <56A0F11C.2060802@redhat.com>
References: <20151203063141.GY23644@dhcp-40-8.bne.redhat.com>
	<56A02625.6020207@redhat.com>
	<20160121100332.GA24555@dhcp-40-8.bne.redhat.com>
	<56A0F11C.2060802@redhat.com>
Message-ID: <20160121234743.GB24555@dhcp-40-8.bne.redhat.com>

On Thu, Jan 21, 2016 at 08:54:20AM -0600, Endi Sukma Dewata wrote:
> On 1/21/2016 4:03 AM, Fraser Tweedale wrote:
> >Since loginConfig is immediately set with the passed LoginConfig on
> >each call to authenticate(), we can use ThreadLocal[1] to prevent
> >interference in a less intrusive way that is still type-safe.
> >
> >[1] http://docs.oracle.com/javase/7/docs/api/java/lang/ThreadLocal.html
> >
> >Updated patch attached.
> >
> >Thanks for reviewing,
> >Fraser
> 
> ACK.
> 
Thanks; pushed to master

67ac39227e5db83c7a4a7ad72364f3dcd30db05e

Fraser



From edewata at redhat.com  Fri Jan 22 15:56:49 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 22 Jan 2016 09:56:49 -0600
Subject: [Pki-devel] [PATCH] 668 Fixed installation summary for existing CA.
Message-ID: <56A25141.3040505@redhat.com>

The pkispawn has been modified to display the proper summary for
external CA and existing CA cases.

https://fedorahosted.org/pki/ticket/456

-- 
Endi S. Dewata
-------------- next part --------------
From 9d6b801afdc4d3209c203c21b6894af52fc5355b Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata at redhat.com>
Date: Fri, 22 Jan 2016 00:03:39 +0100
Subject: [PATCH] Fixed installation summary for existing CA.

The pkispawn has been modified to display the proper summary for
external CA and existing CA cases.

https://fedorahosted.org/pki/ticket/456
---
 .../python/pki/server/deployment/pkihelper.py      |  1 +
 .../server/deployment/scriptlets/configuration.py  | 13 ++++++-------
 base/server/sbin/pkispawn                          | 22 +++++++++++++++++++---
 3 files changed, 26 insertions(+), 10 deletions(-)

diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index 1db23582620fa8b4bc2abe03bb91724cb32fecf0..c5c71ef997d8d3c768324c0fdaa1124a2f4a16dc 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -504,6 +504,7 @@ class ConfigurationFile:
         self.external = config.str2bool(self.mdict['pki_external'])
         self.external_step_one = not config.str2bool(self.mdict['pki_external_step_two'])
         self.external_step_two = not self.external_step_one
+        self.external_csr_path = self.mdict['pki_external_csr_path']
 
         if self.external:
             # generic extension support in CSR - for external CA
diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py
index 575a347c20285454b80e6394c5168c77bf2af885..a5ab3f88b6c74de7acf8ca6224c87a71e1211c08 100644
--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py
+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py
@@ -96,6 +96,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
         external = deployer.configuration_file.external
         step_one = deployer.configuration_file.external_step_one
         step_two = deployer.configuration_file.external_step_two
+        external_csr_path = deployer.configuration_file.external_csr_path
 
         try:
             if external and step_one: # external/existing CA step 1
@@ -127,16 +128,15 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 
                 # If filename specified, generate CA cert request and
                 # import it into CS.cfg.
-                request_file = deployer.mdict['pki_external_csr_path']
-                if request_file:
+                if external_csr_path:
                     nssdb.create_request(
                         subject_dn=deployer.mdict['pki_ca_signing_subject_dn'],
-                        request_file=request_file,
+                        request_file=external_csr_path,
                         key_type=key_type,
                         key_size=key_size,
                         curve=curve,
                         hash_alg=hash_alg)
-                    with open(request_file) as f:
+                    with open(external_csr_path) as f:
                         signing_csr = f.read()
                     signing_csr = pki.nss.convert_csr(signing_csr, 'pem', 'base64')
                     subsystem.config['ca.signing.certreq'] = signing_csr
@@ -150,9 +150,8 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
             elif external and step_two: # external/existing CA step 2
 
                 # If specified, import existing CA cert request into CS.cfg.
-                request_file = deployer.mdict['pki_external_csr_path']
-                if request_file:
-                    with open(request_file) as f:
+                if external_csr_path:
+                    with open(external_csr_path) as f:
                         signing_csr = f.read()
                     signing_csr = pki.nss.convert_csr(signing_csr, 'pem', 'base64')
                     subsystem.config['ca.signing.certreq'] = signing_csr
diff --git a/base/server/sbin/pkispawn b/base/server/sbin/pkispawn
index 9c2aa2d665b2e523bae242bebb27c06c471ce2c7..bca33799c111cae40e530ec97c38cc0e06ce0223 100755
--- a/base/server/sbin/pkispawn
+++ b/base/server/sbin/pkispawn
@@ -616,9 +616,13 @@ def main(argv):
 
     external = deployer.configuration_file.external
     step_one = deployer.configuration_file.external_step_one
+    external_csr_path = deployer.configuration_file.external_csr_path
 
     if external and step_one:
-        print_step_one_information(parser.mdict)
+        if external_csr_path:
+            print_external_ca_step_one_information(parser.mdict)
+        else:
+            print_existing_ca_step_one_information(parser.mdict)
     else:
         print_install_information(parser.mdict)
 
@@ -630,7 +634,7 @@ def set_port(parser, tag, prompt, existing_data):
         parser.read_text(prompt, config.pki_subsystem, tag)
 
 
-def print_step_one_information(mdict):
+def print_external_ca_step_one_information(mdict):
 
     print(log.PKI_SPAWN_INFORMATION_HEADER)
     print("      The %s subsystem of the '%s' instance is still incomplete." %
@@ -641,7 +645,19 @@ def print_step_one_information(mdict):
           % mdict['pki_external_csr_path'])
     print()
     print("      Submit the CSR to an external CA to generate a CA certificate\n"
-          "      for this subsystem.")
+          "      for this subsystem. Import the CA certificate and the certificate\n"
+          "      chain, then continue the installation.")
+    print(log.PKI_SPAWN_INFORMATION_FOOTER)
+
+
+def print_existing_ca_step_one_information(mdict):
+
+    print(log.PKI_SPAWN_INFORMATION_HEADER)
+    print("      The %s subsystem of the '%s' instance is still incomplete." %
+          (config.pki_subsystem, mdict['pki_instance_name']))
+    print()
+    print("      Import an existing CA certificate with the key and the CSR, and\n"
+          "      the certificate chain if available, then continue the installation.")
     print(log.PKI_SPAWN_INFORMATION_FOOTER)
 
 
-- 
2.4.3


From edewata at redhat.com  Fri Jan 22 15:57:06 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 22 Jan 2016 09:57:06 -0600
Subject: [Pki-devel] [PATCH] 669 Merged pki.nss into pki.crypto.
Message-ID: <56A25152.5060408@redhat.com>

The pki.nss module has been merged into pki.crypto to prevent
conflicts with nss module.

https://fedorahosted.org/pki/ticket/456

-- 
Endi S. Dewata
-------------- next part --------------
From a0200070efd13fd0c68909b22f3d507b21131aff Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata at redhat.com>
Date: Fri, 22 Jan 2016 00:47:28 +0100
Subject: [PATCH] Merged pki.nss into pki.crypto.

The pki.nss module has been merged into pki.crypto to prevent
conflicts with nss module.

https://fedorahosted.org/pki/ticket/456
---
 base/common/python/pki/crypto.py                   | 512 ++++++++++++++++++++
 base/common/python/pki/nss.py                      | 532 ---------------------
 base/server/python/pki/server/__init__.py          |   4 +-
 base/server/python/pki/server/cli/subsystem.py     |   6 +-
 .../server/deployment/scriptlets/configuration.py  |   6 +-
 5 files changed, 520 insertions(+), 540 deletions(-)
 delete mode 100644 base/common/python/pki/nss.py

diff --git a/base/common/python/pki/crypto.py b/base/common/python/pki/crypto.py
index 60e83c924a6986152ba732cc63b668a906350228..44347031e9df62538da48a59a0315741a911690f 100644
--- a/base/common/python/pki/crypto.py
+++ b/base/common/python/pki/crypto.py
@@ -22,6 +22,7 @@ Module containing crypto classes.
 """
 from __future__ import absolute_import
 import abc
+import base64
 import nss.nss as nss
 import os
 import six
@@ -30,6 +31,81 @@ import subprocess
 import tempfile
 
 
+CSR_HEADER = '-----BEGIN NEW CERTIFICATE REQUEST-----'
+CSR_FOOTER = '-----END NEW CERTIFICATE REQUEST-----'
+
+CERT_HEADER = '-----BEGIN CERTIFICATE-----'
+CERT_FOOTER = '-----END CERTIFICATE-----'
+
+PKCS7_HEADER = '-----BEGIN PKCS7-----'
+PKCS7_FOOTER = '-----END PKCS7-----'
+
+
+def convert_data(data, input_format, output_format, header=None, footer=None):
+
+    if input_format == output_format:
+        return data
+
+    if input_format == 'base64' and output_format == 'pem':
+
+        # join base-64 data into a single line
+        data = data.replace('\r', '').replace('\n', '')
+
+        # re-split the line into fixed-length lines
+        lines = [data[i:i+64] for i in range(0, len(data), 64)]
+
+        # add header and footer
+        return '%s\n%s\n%s\n' % (header, '\n'.join(lines), footer)
+
+    if input_format == 'pem' and output_format == 'base64':
+
+        # join multiple lines into a single line
+        lines = []
+        for line in data.splitlines():
+            line = line.rstrip('\r\n')
+            if line == header:
+                continue
+            if line == footer:
+                continue
+            lines.append(line)
+
+        return ''.join(lines)
+
+    raise Exception('Unable to convert data from %s to %s' % (input_format, output_format))
+
+
+def convert_csr(csr_data, input_format, output_format):
+
+    return convert_data(csr_data, input_format, output_format, CSR_HEADER, CSR_FOOTER)
+
+
+def convert_cert(cert_data, input_format, output_format):
+
+    return convert_data(cert_data, input_format, output_format, CERT_HEADER, CERT_FOOTER)
+
+
+def convert_pkcs7(pkcs7_data, input_format, output_format):
+
+    return convert_data(pkcs7_data, input_format, output_format, PKCS7_HEADER, PKCS7_FOOTER)
+
+
+def get_file_type(filename):
+
+    with open(filename, 'r') as f:
+        data = f.read()
+
+    if data.startswith(CSR_HEADER):
+        return 'csr'
+
+    if data.startswith(CERT_HEADER):
+        return 'cert'
+
+    if data.startswith(PKCS7_HEADER):
+        return 'pkcs7'
+
+    return None
+
+
 class CryptoProvider(six.with_metaclass(abc.ABCMeta, object)):
     """
     Abstract class containing methods to do cryptographic operations.
@@ -287,3 +363,439 @@ class NSSCryptoProvider(CryptoProvider):
         Searches NSS database and returns SecItem object for this certificate.
         """
         return nss.find_cert_from_nickname(cert_nick)
+
+
+class NSSDatabase(object):
+
+    def __init__(self, directory, token='internal', password=None, password_file=None):
+        self.directory = directory
+        self.token = token
+
+        self.tmpdir = tempfile.mkdtemp()
+
+        if password:
+            self.password_file = os.path.join(self.tmpdir, 'password.txt')
+            with open(self.password_file, 'w') as f:
+                f.write(password)
+
+        elif password_file:
+            self.password_file = password_file
+
+        else:
+            raise Exception('Missing NSS database password')
+
+    def close(self):
+        shutil.rmtree(self.tmpdir)
+
+    def add_cert(self,
+        nickname,
+        cert_file,
+        trust_attributes=',,'):
+
+        cmd = [
+            'certutil',
+            '-A',
+            '-d', self.directory,
+            '-h', self.token,
+            '-f', self.password_file,
+            '-n', nickname,
+            '-i', cert_file,
+            '-t', trust_attributes
+        ]
+
+        subprocess.check_call(cmd)
+
+    def modify_cert(self,
+        nickname,
+        trust_attributes):
+
+        cmd = [
+            'certutil',
+            '-M',
+            '-d', self.directory,
+            '-h', self.token,
+            '-f', self.password_file,
+            '-n', nickname,
+            '-t', trust_attributes
+        ]
+
+        subprocess.check_call(cmd)
+
+    def create_noise(self, noise_file, size=2048):
+
+        subprocess.check_call([
+            'openssl',
+            'rand',
+            '-out', noise_file,
+            str(size)
+        ])
+
+    def create_request(self,
+        subject_dn,
+        request_file,
+        noise_file=None,
+        key_type=None,
+        key_size=None,
+        curve=None,
+        hash_alg=None):
+
+        tmpdir = tempfile.mkdtemp()
+
+        try:
+            if not noise_file:
+                noise_file = os.path.join(tmpdir, 'noise.bin')
+                if key_size:
+                    size = key_size
+                else:
+                    size = 2048
+                self.create_noise(
+                    noise_file=noise_file,
+                    size=size)
+
+            binary_request_file = os.path.join(tmpdir, 'request.bin')
+
+            cmd = [
+                'certutil',
+                '-R',
+                '-d', self.directory,
+                '-h', self.token,
+                '-f', self.password_file,
+                '-s', subject_dn,
+                '-o', binary_request_file,
+                '-z', noise_file
+            ]
+
+            if key_type:
+                cmd.extend(['-k', key_type])
+
+            if key_size:
+                cmd.extend(['-g', str(key_size)])
+
+            if curve:
+                cmd.extend(['-q', curve])
+
+            if hash_alg:
+                cmd.extend(['-Z', hash_alg])
+
+            # generate binary request
+            subprocess.check_call(cmd)
+
+            # encode binary request in base-64
+            b64_request_file = os.path.join(tmpdir, 'request.b64')
+            subprocess.check_call([
+                'BtoA', binary_request_file, b64_request_file])
+
+            # read base-64 request
+            with open(b64_request_file, 'r') as f:
+                b64_request = f.read()
+
+            # add header and footer
+            with open(request_file, 'w') as f:
+                f.write('-----BEGIN NEW CERTIFICATE REQUEST-----\n')
+                f.write(b64_request)
+                f.write('-----END NEW CERTIFICATE REQUEST-----\n')
+
+        finally:
+            shutil.rmtree(tmpdir)
+
+    def create_self_signed_ca_cert(self,
+        subject_dn,
+        request_file,
+        cert_file,
+        serial='1',
+        validity=240):
+
+        cmd = [
+            'certutil',
+            '-C',
+            '-x',
+            '-d', self.directory,
+            '-h', self.token,
+            '-f', self.password_file,
+            '-c', subject_dn,
+            '-a',
+            '-i', request_file,
+            '-o', cert_file,
+            '-m', serial,
+            '-v', str(validity),
+            '--keyUsage', 'digitalSignature,nonRepudiation,certSigning,crlSigning,critical',
+            '-2',
+            '-3',
+            '--extSKID',
+            '--extAIA'
+        ]
+
+        p = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
+
+        keystroke = ''
+
+        # Is this a CA certificate [y/N]?
+        keystroke += 'y\n'
+
+        # Enter the path length constraint, enter to skip [<0 for unlimited path]:
+        keystroke += '\n'
+
+        # Is this a critical extension [y/N]?
+        keystroke += 'y\n'
+
+        # Enter value for the authKeyID extension [y/N]?
+        keystroke += 'y\n'
+
+        # TODO: generate SHA1 ID (see APolicyRule.formSHA1KeyId())
+        # Enter value for the key identifier fields,enter to omit:
+        keystroke += '2d:7e:83:37:75:5a:fd:0e:8d:52:a3:70:16:93:36:b8:4a:d6:84:9f\n'
+
+        # Select one of the following general name type:
+        keystroke += '0\n'
+
+        # Enter value for the authCertSerial field, enter to omit:
+        keystroke += '\n'
+
+        # Is this a critical extension [y/N]?
+        keystroke += '\n'
+
+        # TODO: generate SHA1 ID (see APolicyRule.formSHA1KeyId())
+        # Adding Subject Key ID extension.
+        # Enter value for the key identifier fields,enter to omit:
+        keystroke += '2d:7e:83:37:75:5a:fd:0e:8d:52:a3:70:16:93:36:b8:4a:d6:84:9f\n'
+
+        # Is this a critical extension [y/N]?
+        keystroke += '\n'
+
+        # Enter access method type for Authority Information Access extension:
+        keystroke += '2\n'
+
+        # Select one of the following general name type:
+        keystroke += '7\n'
+
+        # TODO: replace with actual hostname name and port number
+        # Enter data:
+        keystroke += 'http://server.example.com:8080/ca/ocsp\n'
+
+        # Select one of the following general name type:
+        keystroke += '0\n'
+
+        # Add another location to the Authority Information Access extension [y/N]
+        keystroke += '\n'
+
+        # Is this a critical extension [y/N]?
+        keystroke += '\n'
+
+        p.communicate(keystroke)
+
+        rc = p.wait()
+
+        if rc:
+            raise Exception('Failed to generate self-signed CA certificate. RC: %d' % rc)
+
+    def get_cert(self, nickname, output_format='pem'):
+
+        if output_format == 'pem':
+            output_format_option = '-a'
+
+        elif output_format == 'base64':
+            output_format_option = '-r'
+
+        else:
+            raise Exception('Unsupported output format: %s' % output_format)
+
+        cmd = [
+            'certutil',
+            '-L',
+            '-d', self.directory,
+            '-h', self.token,
+            '-f', self.password_file,
+            '-n', nickname,
+            output_format_option
+        ]
+
+        cert_data = subprocess.check_output(cmd)
+
+        if output_format == 'base64':
+            cert_data = base64.b64encode(cert_data)
+
+        return cert_data
+
+    def remove_cert(self, nickname):
+
+        cmd = [
+            'certutil',
+            '-D',
+            '-d', self.directory,
+            '-h', self.token,
+            '-f', self.password_file,
+            '-n', nickname
+        ]
+
+        subprocess.check_call(cmd)
+
+    def import_cert_chain(self, nickname, cert_chain_file, trust_attributes=None):
+
+        tmpdir = tempfile.mkdtemp()
+
+        try:
+            file_type = get_file_type(cert_chain_file)
+
+            if file_type == 'cert': # import single PEM cert
+                self.add_cert(
+                    nickname=nickname,
+                    cert_file=cert_chain_file,
+                    trust_attributes=trust_attributes)
+                return self.get_cert(
+                    nickname=nickname,
+                    output_format='base64')
+
+            elif file_type == 'pkcs7': # import PKCS #7 cert chain
+                return self.import_pkcs7(
+                    pkcs7_file=cert_chain_file,
+                    nickname=nickname,
+                    trust_attributes=trust_attributes,
+                    output_format='base64')
+
+            else: # import PKCS #7 data without header/footer
+                with open(cert_chain_file, 'r') as f:
+                    base64_data = f.read()
+                pkcs7_data = convert_pkcs7(base64_data, 'base64', 'pem')
+
+                tmp_cert_chain_file = os.path.join(tmpdir, 'cert_chain.p7b')
+                with open(tmp_cert_chain_file, 'w') as f:
+                    f.write(pkcs7_data)
+
+                self.import_pkcs7(
+                    pkcs7_file=tmp_cert_chain_file,
+                    nickname=nickname,
+                    trust_attributes=trust_attributes)
+
+                return base64_data
+
+        finally:
+            shutil.rmtree(tmpdir)
+
+    def import_pkcs7(self, pkcs7_file, nickname, trust_attributes=None, output_format='pem'):
+
+        tmpdir = tempfile.mkdtemp()
+
+        try:
+            # export certs from PKCS #7 into PEM output
+            output = subprocess.check_output([
+                'openssl',
+                'pkcs7',
+                '-print_certs',
+                '-in', pkcs7_file
+            ])
+
+            # parse PEM output into separate PEM certificates
+            certs = []
+            lines = []
+            state = 'header'
+
+            for line in output.splitlines():
+
+                if state == 'header':
+                    if line != CERT_HEADER:
+                        # ignore header lines
+                        pass
+                    else:
+                        # save cert header
+                        lines.append(line)
+                        state = 'body'
+
+                elif state == 'body':
+                    if line != CERT_FOOTER:
+                        # save cert body
+                        lines.append(line)
+                    else:
+                        # save cert footer
+                        lines.append(line)
+
+                        # construct PEM cert
+                        cert = '\n'.join(lines)
+                        certs.append(cert)
+                        lines = []
+                        state = 'header'
+
+            # import PEM certs into NSS database
+            counter = 1
+            for cert in certs:
+
+                cert_file = os.path.join(tmpdir, 'cert%d.pem' % counter)
+                with open(cert_file, 'w') as f:
+                    f.write(cert)
+
+                if counter == 1:
+                    n = nickname
+                else:
+                    n = '%s #%d' % (nickname, counter)
+
+                self.add_cert(n, cert_file, trust_attributes)
+
+                counter += 1
+
+            # convert PKCS #7 data to the requested format
+            with open(pkcs7_file, 'r') as f:
+                data = f.read()
+
+            return convert_pkcs7(data, 'pem', output_format)
+
+        finally:
+            shutil.rmtree(tmpdir)
+
+    def import_pkcs12(self, pkcs12_file, pkcs12_password=None, pkcs12_password_file=None):
+
+        tmpdir = tempfile.mkdtemp()
+
+        try:
+            if pkcs12_password:
+                password_file = os.path.join(tmpdir, 'password.txt')
+                with open(password_file, 'w') as f:
+                    f.write(pkcs12_password)
+
+            elif pkcs12_password_file:
+                password_file = pkcs12_password_file
+
+            else:
+                raise Exception('Missing PKCS #12 password')
+
+            cmd = [
+                'pk12util',
+                '-d', self.directory,
+                '-h', self.token,
+                '-k', self.password_file,
+                '-i', pkcs12_file,
+                '-w', password_file
+            ]
+
+            subprocess.check_call(cmd)
+
+        finally:
+            shutil.rmtree(tmpdir)
+
+    def export_pkcs12(self, pkcs12_file, nickname, pkcs12_password=None, pkcs12_password_file=None):
+
+        tmpdir = tempfile.mkdtemp()
+
+        try:
+            if pkcs12_password:
+                password_file = os.path.join(tmpdir, 'password.txt')
+                with open(password_file, 'w') as f:
+                    f.write(pkcs12_password)
+
+            elif pkcs12_password_file:
+                password_file = pkcs12_password_file
+
+            else:
+                raise Exception('Missing PKCS #12 password')
+
+            cmd = [
+                'pk12util',
+                '-d', self.directory,
+                '-k', self.password_file,
+                '-o', pkcs12_file,
+                '-w', password_file,
+                '-n', nickname
+            ]
+
+            subprocess.check_call(cmd)
+
+        finally:
+            shutil.rmtree(tmpdir)
diff --git a/base/common/python/pki/nss.py b/base/common/python/pki/nss.py
deleted file mode 100644
index 44e286853c252675bff9e25c32377aaa86f8cf18..0000000000000000000000000000000000000000
--- a/base/common/python/pki/nss.py
+++ /dev/null
@@ -1,532 +0,0 @@
-# Authors:
-#     Endi S. Dewata <edewata at redhat.com>
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; version 2 of the License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License along
-# with this program; if not, write to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# Copyright (C) 2015 Red Hat, Inc.
-# All rights reserved.
-#
-
-import base64
-import os
-import shutil
-import subprocess
-import tempfile
-
-
-CSR_HEADER = '-----BEGIN NEW CERTIFICATE REQUEST-----'
-CSR_FOOTER = '-----END NEW CERTIFICATE REQUEST-----'
-
-CERT_HEADER = '-----BEGIN CERTIFICATE-----'
-CERT_FOOTER = '-----END CERTIFICATE-----'
-
-PKCS7_HEADER = '-----BEGIN PKCS7-----'
-PKCS7_FOOTER = '-----END PKCS7-----'
-
-
-def convert_data(data, input_format, output_format, header=None, footer=None):
-
-    if input_format == output_format:
-        return data
-
-    if input_format == 'base64' and output_format == 'pem':
-
-        # join base-64 data into a single line
-        data = data.replace('\r', '').replace('\n', '')
-
-        # re-split the line into fixed-length lines
-        lines = [data[i:i+64] for i in range(0, len(data), 64)]
-
-        # add header and footer
-        return '%s\n%s\n%s\n' % (header, '\n'.join(lines), footer)
-
-    if input_format == 'pem' and output_format == 'base64':
-
-        # join multiple lines into a single line
-        lines = []
-        for line in data.splitlines():
-            line = line.rstrip('\r\n')
-            if line == header:
-                continue
-            if line == footer:
-                continue
-            lines.append(line)
-
-        return ''.join(lines)
-
-    raise Exception('Unable to convert data from %s to %s' % (input_format, output_format))
-
-def convert_csr(csr_data, input_format, output_format):
-
-    return convert_data(csr_data, input_format, output_format, CSR_HEADER, CSR_FOOTER)
-
-def convert_cert(cert_data, input_format, output_format):
-
-    return convert_data(cert_data, input_format, output_format, CERT_HEADER, CERT_FOOTER)
-
-def convert_pkcs7(pkcs7_data, input_format, output_format):
-
-    return convert_data(pkcs7_data, input_format, output_format, PKCS7_HEADER, PKCS7_FOOTER)
-
-def get_file_type(filename):
-
-    with open(filename, 'r') as f:
-        data = f.read()
-
-    if data.startswith(CSR_HEADER):
-        return 'csr'
-
-    if data.startswith(CERT_HEADER):
-        return 'cert'
-
-    if data.startswith(PKCS7_HEADER):
-        return 'pkcs7'
-
-    return None
-
-
-class NSSDatabase(object):
-
-    def __init__(self, directory, token='internal', password=None, password_file=None):
-        self.directory = directory
-        self.token = token
-
-        self.tmpdir = tempfile.mkdtemp()
-
-        if password:
-            self.password_file = os.path.join(self.tmpdir, 'password.txt')
-            with open(self.password_file, 'w') as f:
-                f.write(password)
-
-        elif password_file:
-            self.password_file = password_file
-
-        else:
-            raise Exception('Missing NSS database password')
-
-    def close(self):
-        shutil.rmtree(self.tmpdir)
-
-    def add_cert(self,
-        nickname,
-        cert_file,
-        trust_attributes=',,'):
-
-        cmd = [
-            'certutil',
-            '-A',
-            '-d', self.directory,
-            '-h', self.token,
-            '-f', self.password_file,
-            '-n', nickname,
-            '-i', cert_file,
-            '-t', trust_attributes
-        ]
-
-        subprocess.check_call(cmd)
-
-    def modify_cert(self,
-        nickname,
-        trust_attributes):
-
-        cmd = [
-            'certutil',
-            '-M',
-            '-d', self.directory,
-            '-h', self.token,
-            '-f', self.password_file,
-            '-n', nickname,
-            '-t', trust_attributes
-        ]
-
-        subprocess.check_call(cmd)
-
-    def create_noise(self, noise_file, size=2048):
-
-        subprocess.check_call([
-            'openssl',
-            'rand',
-            '-out', noise_file,
-            str(size)
-        ])
-
-    def create_request(self,
-        subject_dn,
-        request_file,
-        noise_file=None,
-        key_type=None,
-        key_size=None,
-        curve=None,
-        hash_alg=None):
-
-        tmpdir = tempfile.mkdtemp()
-
-        try:
-            if not noise_file:
-                noise_file = os.path.join(tmpdir, 'noise.bin')
-                if key_size:
-                    size = key_size
-                else:
-                    size = 2048
-                self.create_noise(
-                    noise_file=noise_file,
-                    size=size)
-
-            binary_request_file = os.path.join(tmpdir, 'request.bin')
-
-            cmd = [
-                'certutil',
-                '-R',
-                '-d', self.directory,
-                '-h', self.token,
-                '-f', self.password_file,
-                '-s', subject_dn,
-                '-o', binary_request_file,
-                '-z', noise_file
-            ]
-
-            if key_type:
-                cmd.extend(['-k', key_type])
-
-            if key_size:
-                cmd.extend(['-g', str(key_size)])
-
-            if curve:
-                cmd.extend(['-q', curve])
-
-            if hash_alg:
-                cmd.extend(['-Z', hash_alg])
-
-            # generate binary request
-            subprocess.check_call(cmd)
-
-            # encode binary request in base-64
-            b64_request_file = os.path.join(tmpdir, 'request.b64')
-            subprocess.check_call([
-                'BtoA', binary_request_file, b64_request_file])
-
-            # read base-64 request
-            with open(b64_request_file, 'r') as f:
-                b64_request = f.read()
-
-            # add header and footer
-            with open(request_file, 'w') as f:
-                f.write('-----BEGIN NEW CERTIFICATE REQUEST-----\n')
-                f.write(b64_request)
-                f.write('-----END NEW CERTIFICATE REQUEST-----\n')
-
-        finally:
-            shutil.rmtree(tmpdir)
-
-    def create_self_signed_ca_cert(self,
-        subject_dn,
-        request_file,
-        cert_file,
-        serial='1',
-        validity=240):
-
-        cmd = [
-            'certutil',
-            '-C',
-            '-x',
-            '-d', self.directory,
-            '-h', self.token,
-            '-f', self.password_file,
-            '-c', subject_dn,
-            '-a',
-            '-i', request_file,
-            '-o', cert_file,
-            '-m', serial,
-            '-v', str(validity),
-            '--keyUsage', 'digitalSignature,nonRepudiation,certSigning,crlSigning,critical',
-            '-2',
-            '-3',
-            '--extSKID',
-            '--extAIA'
-        ]
-
-        p = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
-
-        keystroke = ''
-
-        # Is this a CA certificate [y/N]?
-        keystroke += 'y\n'
-
-        # Enter the path length constraint, enter to skip [<0 for unlimited path]:
-        keystroke += '\n'
-
-        # Is this a critical extension [y/N]?
-        keystroke += 'y\n'
-
-        # Enter value for the authKeyID extension [y/N]?
-        keystroke += 'y\n'
-
-        # TODO: generate SHA1 ID (see APolicyRule.formSHA1KeyId())
-        # Enter value for the key identifier fields,enter to omit:
-        keystroke += '2d:7e:83:37:75:5a:fd:0e:8d:52:a3:70:16:93:36:b8:4a:d6:84:9f\n'
-
-        # Select one of the following general name type:
-        keystroke += '0\n'
-
-        # Enter value for the authCertSerial field, enter to omit:
-        keystroke += '\n'
-
-        # Is this a critical extension [y/N]?
-        keystroke += '\n'
-
-        # TODO: generate SHA1 ID (see APolicyRule.formSHA1KeyId())
-        # Adding Subject Key ID extension.
-        # Enter value for the key identifier fields,enter to omit:
-        keystroke += '2d:7e:83:37:75:5a:fd:0e:8d:52:a3:70:16:93:36:b8:4a:d6:84:9f\n'
-
-        # Is this a critical extension [y/N]?
-        keystroke += '\n'
-
-        # Enter access method type for Authority Information Access extension:
-        keystroke += '2\n'
-
-        # Select one of the following general name type:
-        keystroke += '7\n'
-
-        # TODO: replace with actual hostname name and port number
-        # Enter data:
-        keystroke += 'http://server.example.com:8080/ca/ocsp\n'
-
-        # Select one of the following general name type:
-        keystroke += '0\n'
-
-        # Add another location to the Authority Information Access extension [y/N]
-        keystroke += '\n'
-
-        # Is this a critical extension [y/N]?
-        keystroke += '\n'
-
-        p.communicate(keystroke)
-
-        rc = p.wait()
-
-        if rc:
-            raise Exception('Failed to generate self-signed CA certificate. RC: %d' % rc)
-
-    def get_cert(self, nickname, output_format='pem'):
-
-        if output_format == 'pem':
-            output_format_option = '-a'
-
-        elif output_format == 'base64':
-            output_format_option = '-r'
-
-        else:
-            raise Exception('Unsupported output format: %s' % output_format)
-
-        cmd = [
-            'certutil',
-            '-L',
-            '-d', self.directory,
-            '-h', self.token,
-            '-f', self.password_file,
-            '-n', nickname,
-            output_format_option
-        ]
-
-        cert_data = subprocess.check_output(cmd)
-
-        if output_format == 'base64':
-            cert_data = base64.b64encode(cert_data)
-
-        return cert_data
-
-    def remove_cert(self, nickname):
-
-        cmd = [
-            'certutil',
-            '-D',
-            '-d', self.directory,
-            '-h', self.token,
-            '-f', self.password_file,
-            '-n', nickname
-        ]
-
-        subprocess.check_call(cmd)
-
-    def import_cert_chain(self, nickname, cert_chain_file, trust_attributes=None):
-
-        tmpdir = tempfile.mkdtemp()
-
-        try:
-            file_type = get_file_type(cert_chain_file)
-
-            if file_type == 'cert': # import single PEM cert
-                self.add_cert(
-                    nickname=nickname,
-                    cert_file=cert_chain_file,
-                    trust_attributes=trust_attributes)
-                return self.get_cert(
-                    nickname=nickname,
-                    output_format='base64')
-
-            elif file_type == 'pkcs7': # import PKCS #7 cert chain
-                return self.import_pkcs7(
-                    pkcs7_file=cert_chain_file,
-                    nickname=nickname,
-                    trust_attributes=trust_attributes,
-                    output_format='base64')
-
-            else: # import PKCS #7 data without header/footer
-                with open(cert_chain_file, 'r') as f:
-                    base64_data = f.read()
-                pkcs7_data = convert_pkcs7(base64_data, 'base64', 'pem')
-
-                tmp_cert_chain_file = os.path.join(tmpdir, 'cert_chain.p7b')
-                with open(tmp_cert_chain_file, 'w') as f:
-                    f.write(pkcs7_data)
-
-                self.import_pkcs7(
-                    pkcs7_file=tmp_cert_chain_file,
-                    nickname=nickname,
-                    trust_attributes=trust_attributes)
-
-                return base64_data
-
-        finally:
-            shutil.rmtree(tmpdir)
-
-    def import_pkcs7(self, pkcs7_file, nickname, trust_attributes=None, output_format='pem'):
-
-        tmpdir = tempfile.mkdtemp()
-
-        try:
-            # export certs from PKCS #7 into PEM output
-            output = subprocess.check_output([
-                'openssl',
-                'pkcs7',
-                '-print_certs',
-                '-in', pkcs7_file
-            ])
-
-            # parse PEM output into separate PEM certificates
-            certs = []
-            lines = []
-            state = 'header'
-
-            for line in output.splitlines():
-
-                if state == 'header':
-                    if line != CERT_HEADER:
-                        # ignore header lines
-                        pass
-                    else:
-                        # save cert header
-                        lines.append(line)
-                        state = 'body'
-
-                elif state == 'body':
-                    if line != CERT_FOOTER:
-                        # save cert body
-                        lines.append(line)
-                    else:
-                        # save cert footer
-                        lines.append(line)
-
-                        # construct PEM cert
-                        cert = '\n'.join(lines)
-                        certs.append(cert)
-                        lines = []
-                        state = 'header'
-
-            # import PEM certs into NSS database
-            counter = 1
-            for cert in certs:
-
-                cert_file = os.path.join(tmpdir, 'cert%d.pem' % counter)
-                with open(cert_file, 'w') as f:
-                    f.write(cert)
-
-                if counter == 1:
-                    n = nickname
-                else:
-                    n = '%s #%d' % (nickname, counter)
-
-                self.add_cert(n, cert_file, trust_attributes)
-
-                counter += 1
-
-            # convert PKCS #7 data to the requested format
-            with open(pkcs7_file, 'r') as f:
-                data = f.read()
-
-            return convert_pkcs7(data, 'pem', output_format)
-
-        finally:
-            shutil.rmtree(tmpdir)
-
-    def import_pkcs12(self, pkcs12_file, pkcs12_password=None, pkcs12_password_file=None):
-
-        tmpdir = tempfile.mkdtemp()
-
-        try:
-            if pkcs12_password:
-                password_file = os.path.join(tmpdir, 'password.txt')
-                with open(password_file, 'w') as f:
-                    f.write(pkcs12_password)
-
-            elif pkcs12_password_file:
-                password_file = pkcs12_password_file
-
-            else:
-                raise Exception('Missing PKCS #12 password')
-
-            cmd = [
-                'pk12util',
-                '-d', self.directory,
-                '-h', self.token,
-                '-k', self.password_file,
-                '-i', pkcs12_file,
-                '-w', password_file
-            ]
-
-            subprocess.check_call(cmd)
-
-        finally:
-            shutil.rmtree(tmpdir)
-
-    def export_pkcs12(self, pkcs12_file, nickname, pkcs12_password=None, pkcs12_password_file=None):
-
-        tmpdir = tempfile.mkdtemp()
-
-        try:
-            if pkcs12_password:
-                password_file = os.path.join(tmpdir, 'password.txt')
-                with open(password_file, 'w') as f:
-                    f.write(pkcs12_password)
-
-            elif pkcs12_password_file:
-                password_file = pkcs12_password_file
-
-            else:
-                raise Exception('Missing PKCS #12 password')
-
-            cmd = [
-                'pk12util',
-                '-d', self.directory,
-                '-k', self.password_file,
-                '-o', pkcs12_file,
-                '-w', password_file,
-                '-n', nickname
-            ]
-
-            subprocess.check_call(cmd)
-
-        finally:
-            shutil.rmtree(tmpdir)
diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
index 98b7d97bfaf237d97bda1246ac9a26fde1c70402..0bbf69eb8c37b78653df61b3711420e927feb19d 100644
--- a/base/server/python/pki/server/__init__.py
+++ b/base/server/python/pki/server/__init__.py
@@ -33,7 +33,7 @@ import subprocess
 import tempfile
 
 import pki
-import pki.nss
+import pki.crypto
 
 INSTANCE_BASE_DIR = '/var/lib/pki'
 REGISTRY_DIR = '/etc/sysconfig/pki'
@@ -328,7 +328,7 @@ class PKIInstance(object):
         return password
 
     def open_nssdb(self, token='internal'):
-        return pki.nss.NSSDatabase(
+        return pki.crypto.NSSDatabase(
             directory=self.nssdb_dir,
             token=token,
             password=self.get_password(token))
diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py
index d033142f5be2a221a30b9b750da80a3143b79574..b915017cbf6003502559581ee393e6953d41c36f 100644
--- a/base/server/python/pki/server/cli/subsystem.py
+++ b/base/server/python/pki/server/cli/subsystem.py
@@ -28,7 +28,7 @@ import string
 import sys
 
 import pki.cli
-import pki.nss
+import pki.crypto
 import pki.server
 
 
@@ -537,13 +537,13 @@ class SubsystemCertExportCLI(pki.cli.CLI):
 
         if cert_file:
 
-            cert_data = pki.nss.convert_cert(subsystem_cert['data'], 'base64', 'pem')
+            cert_data = pki.crypto.convert_cert(subsystem_cert['data'], 'base64', 'pem')
             with open(cert_file, 'w') as f:
                 f.write(cert_data)
 
         if csr_file:
 
-            csr_data = pki.nss.convert_csr(subsystem_cert['request'], 'base64', 'pem')
+            csr_data = pki.crypto.convert_csr(subsystem_cert['request'], 'base64', 'pem')
             with open(csr_file, 'w') as f:
                 f.write(csr_data)
 
diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py
index a5ab3f88b6c74de7acf8ca6224c87a71e1211c08..f466df93beb0349966167f432df12d6605ac89d9 100644
--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py
+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py
@@ -27,8 +27,8 @@ from .. import pkiconfig as config
 from .. import pkimessages as log
 from .. import pkiscriptlet
 
+import pki.crypto
 import pki.encoder
-import pki.nss
 import pki.server
 import pki.system
 import pki.util
@@ -138,7 +138,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
                         hash_alg=hash_alg)
                     with open(external_csr_path) as f:
                         signing_csr = f.read()
-                    signing_csr = pki.nss.convert_csr(signing_csr, 'pem', 'base64')
+                    signing_csr = pki.crypto.convert_csr(signing_csr, 'pem', 'base64')
                     subsystem.config['ca.signing.certreq'] = signing_csr
 
                 # This is needed by IPA to detect step 1 completion.
@@ -153,7 +153,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
                 if external_csr_path:
                     with open(external_csr_path) as f:
                         signing_csr = f.read()
-                    signing_csr = pki.nss.convert_csr(signing_csr, 'pem', 'base64')
+                    signing_csr = pki.crypto.convert_csr(signing_csr, 'pem', 'base64')
                     subsystem.config['ca.signing.certreq'] = signing_csr
 
                 # If specified, import external CA cert into NSS database.
-- 
2.4.3


From edewata at redhat.com  Fri Jan 22 18:23:55 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 22 Jan 2016 12:23:55 -0600
Subject: [Pki-devel] [PATCH] 669 Merged pki.nss into pki.crypto.
In-Reply-To: <56A25152.5060408@redhat.com>
References: <56A25152.5060408@redhat.com>
Message-ID: <56A273BB.8080208@redhat.com>

On 1/22/2016 9:57 AM, Endi Sukma Dewata wrote:
> The pki.nss module has been merged into pki.crypto to prevent
> conflicts with nss module.
>
> https://fedorahosted.org/pki/ticket/456

Renamed pki.nss to pki.nssdb instead per Christian's feedback.

-- 
Endi S. Dewata
-------------- next part --------------
>From 0cbd26ec5c1c8e34601eb2f07c23f84da073289b Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata at redhat.com>
Date: Fri, 22 Jan 2016 17:34:19 +0100
Subject: [PATCH] Renamed pki.nss into pki.nssdb.

The pki.nss module has been renamed into pki.nssdb to prevent
conflicts with the nss module.

https://fedorahosted.org/pki/ticket/456
---
 base/common/python/pki/{nss.py => nssdb.py}                         | 0
 base/server/python/pki/server/__init__.py                           | 4 ++--
 base/server/python/pki/server/cli/subsystem.py                      | 6 +++---
 .../server/python/pki/server/deployment/scriptlets/configuration.py | 6 +++---
 4 files changed, 8 insertions(+), 8 deletions(-)
 rename base/common/python/pki/{nss.py => nssdb.py} (100%)

diff --git a/base/common/python/pki/nss.py b/base/common/python/pki/nssdb.py
similarity index 100%
rename from base/common/python/pki/nss.py
rename to base/common/python/pki/nssdb.py
diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
index 98b7d97bfaf237d97bda1246ac9a26fde1c70402..604a56e7a630b19b01016c111faa0d8934b70e2e 100644
--- a/base/server/python/pki/server/__init__.py
+++ b/base/server/python/pki/server/__init__.py
@@ -33,7 +33,7 @@ import subprocess
 import tempfile
 
 import pki
-import pki.nss
+import pki.nssdb
 
 INSTANCE_BASE_DIR = '/var/lib/pki'
 REGISTRY_DIR = '/etc/sysconfig/pki'
@@ -328,7 +328,7 @@ class PKIInstance(object):
         return password
 
     def open_nssdb(self, token='internal'):
-        return pki.nss.NSSDatabase(
+        return pki.nssdb.NSSDatabase(
             directory=self.nssdb_dir,
             token=token,
             password=self.get_password(token))
diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py
index d033142f5be2a221a30b9b750da80a3143b79574..1be91b10e65f3185414976a6de63ff5c9e37d986 100644
--- a/base/server/python/pki/server/cli/subsystem.py
+++ b/base/server/python/pki/server/cli/subsystem.py
@@ -28,7 +28,7 @@ import string
 import sys
 
 import pki.cli
-import pki.nss
+import pki.nssdb
 import pki.server
 
 
@@ -537,13 +537,13 @@ class SubsystemCertExportCLI(pki.cli.CLI):
 
         if cert_file:
 
-            cert_data = pki.nss.convert_cert(subsystem_cert['data'], 'base64', 'pem')
+            cert_data = pki.nssdb.convert_cert(subsystem_cert['data'], 'base64', 'pem')
             with open(cert_file, 'w') as f:
                 f.write(cert_data)
 
         if csr_file:
 
-            csr_data = pki.nss.convert_csr(subsystem_cert['request'], 'base64', 'pem')
+            csr_data = pki.nssdb.convert_csr(subsystem_cert['request'], 'base64', 'pem')
             with open(csr_file, 'w') as f:
                 f.write(csr_data)
 
diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py
index a5ab3f88b6c74de7acf8ca6224c87a71e1211c08..5ec46c86f9a27e90745bc74e83039467d46540e7 100644
--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py
+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py
@@ -28,7 +28,7 @@ from .. import pkimessages as log
 from .. import pkiscriptlet
 
 import pki.encoder
-import pki.nss
+import pki.nssdb
 import pki.server
 import pki.system
 import pki.util
@@ -138,7 +138,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
                         hash_alg=hash_alg)
                     with open(external_csr_path) as f:
                         signing_csr = f.read()
-                    signing_csr = pki.nss.convert_csr(signing_csr, 'pem', 'base64')
+                    signing_csr = pki.nssdb.convert_csr(signing_csr, 'pem', 'base64')
                     subsystem.config['ca.signing.certreq'] = signing_csr
 
                 # This is needed by IPA to detect step 1 completion.
@@ -153,7 +153,7 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
                 if external_csr_path:
                     with open(external_csr_path) as f:
                         signing_csr = f.read()
-                    signing_csr = pki.nss.convert_csr(signing_csr, 'pem', 'base64')
+                    signing_csr = pki.nssdb.convert_csr(signing_csr, 'pem', 'base64')
                     subsystem.config['ca.signing.certreq'] = signing_csr
 
                 # If specified, import external CA cert into NSS database.
-- 
2.4.3


From cheimes at redhat.com  Fri Jan 22 19:10:02 2016
From: cheimes at redhat.com (Christian Heimes)
Date: Fri, 22 Jan 2016 20:10:02 +0100
Subject: [Pki-devel] [PATCH] 669 Merged pki.nss into pki.crypto.
In-Reply-To: <56A273BB.8080208@redhat.com>
References: <56A25152.5060408@redhat.com> <56A273BB.8080208@redhat.com>
Message-ID: <56A27E8A.4060708@redhat.com>

On 2016-01-22 19:23, Endi Sukma Dewata wrote:
> On 1/22/2016 9:57 AM, Endi Sukma Dewata wrote:
>> The pki.nss module has been merged into pki.crypto to prevent
>> conflicts with nss module.
>>
>> https://fedorahosted.org/pki/ticket/456
> 
> Renamed pki.nss to pki.nssdb instead per Christian's feedback.

ACK


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20160122/506ac89e/attachment.sig>

From mharmsen at redhat.com  Fri Jan 22 21:49:34 2016
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Fri, 22 Jan 2016 14:49:34 -0700
Subject: [Pki-devel] Karma Request for Dogtag 10.2.6 in Fedora 22 and Fedora
	23
Message-ID: <56A2A3EE.8060408@redhat.com>

Everyone,

Please provide Karma for the following Dogtag 10.2.6 packages in Fedora 
22 and Fedora 23:

  * pki-core-10.2.6-10.fc22
    <https://bodhi.fedoraproject.org/updates/FEDORA-2016-8b0acbb511>
  * pki-core-10.2.6-14.fc23
    <https://bodhi.fedoraproject.org/updates/FEDORA-2016-a559308357>

Additionally, a new Dogtag 10.2.6 package was created for Fedora 24:

  * pki-core-10.2.6-14.fc24
    <http://koji.fedoraproject.org/koji/buildinfo?buildID=713133>

These packages resolve the following issues:

  * PKI TRAC Ticket #1700 - Profile creation (LDAPProfileSubsystem) can
    fail due to race condition <https://fedorahosted.org/pki/ticket/1700>
  * PKI TRAC Ticket #1702 - getStatus reports ready before
    LDAPProfileSubsystem has loaded all profiles
    <https://fedorahosted.org/pki/ticket/1702>

Thanks,
-- Matt

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20160122/e2369503/attachment.htm>

From mharmsen at redhat.com  Fri Jan 22 23:11:47 2016
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Fri, 22 Jan 2016 16:11:47 -0700
Subject: [Pki-devel] [PATCH] 668 Fixed installation summary for existing
 CA.
In-Reply-To: <56A25141.3040505@redhat.com>
References: <56A25141.3040505@redhat.com>
Message-ID: <56A2B733.4030607@redhat.com>

On 01/22/2016 08:56 AM, Endi Sukma Dewata wrote:
> The pkispawn has been modified to display the proper summary for
> external CA and existing CA cases.
>
> https://fedorahosted.org/pki/ticket/456
>
>
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
ACK
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20160122/c503defb/attachment.htm>

From edewata at redhat.com  Sat Jan 23 01:15:05 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 22 Jan 2016 19:15:05 -0600
Subject: [Pki-devel] [PATCH] 668 Fixed installation summary for existing
 CA.
In-Reply-To: <56A2B733.4030607@redhat.com>
References: <56A25141.3040505@redhat.com> <56A2B733.4030607@redhat.com>
Message-ID: <56A2D419.6020005@redhat.com>

On 1/22/2016 5:11 PM, Matthew Harmsen wrote:
> ACK

Pushed to master. Thanks!

-- 
Endi S. Dewata



From edewata at redhat.com  Sat Jan 23 01:15:10 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 22 Jan 2016 19:15:10 -0600
Subject: [Pki-devel] [PATCH] 669 Merged pki.nss into pki.crypto.
In-Reply-To: <56A27E8A.4060708@redhat.com>
References: <56A25152.5060408@redhat.com> <56A273BB.8080208@redhat.com>
	<56A27E8A.4060708@redhat.com>
Message-ID: <56A2D41E.4020905@redhat.com>

On 1/22/2016 1:10 PM, Christian Heimes wrote:
> ACK

Pushed to master. Thanks!

-- 
Endi S. Dewata



From edewata at redhat.com  Mon Jan 25 05:42:32 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Sun, 24 Jan 2016 23:42:32 -0600
Subject: [Pki-devel] [PATCH 45/46] Run flake8 and pylint --py3k and fix
 violations
In-Reply-To: <5698EEB8.5050104@redhat.com>
References: <5698EEB8.5050104@redhat.com>
Message-ID: <56A5B5C8.7040300@redhat.com>

On 1/15/2016 7:06 AM, Christian Heimes wrote:
> The first patch add flake8 tests and pylint --py3k to RPM build. The
> second patch fixes a couple of flake8 violations that have accumulated
> in the past month.
>
> I'm still having a problem with sphinx autodocs. It can't build
> documentation for pki.crypto. It looks like autodocs doesn't do relative
> imports correctly and picks up pki/nss.py as nss.
>
> SphinxWarning: /home/heimes/redhat/pki/base/common/python/pki.rst:39:
> WARNING: autodoc: failed to import module u'pki.crypto'; the following
> exception was raised:
> Traceback (most recent call last):
>    File
> "/home/heimes/redhat/pki/.tox/docs/lib/python2.7/site-packages/sphinx/ext/autodoc.py",
> line 385, in import_object
>      __import__(self.modname)
>    File
> "/home/heimes/redhat/pki/.tox/docs/lib/python2.7/site-packages/pki/crypto.py",
> line 26, in <module>
>      import nss.nss as nss
> ImportError: No module named nss
>
>
> Christian

Patch #45 is ACKed.

Patch #46 needs a rebase due to renaming nss.py to nssdb.py which also 
fixes the above error. Also there's a new upgrade script 
base/server/upgrade/10.3.0/01-AllowEncodedSlash that needs a minor fix. 
Other than that it's ACKed.

These patches should be pushed together to avoid build breaks.

-- 
Endi S. Dewata



From cheimes at redhat.com  Mon Jan 25 15:03:12 2016
From: cheimes at redhat.com (Christian Heimes)
Date: Mon, 25 Jan 2016 16:03:12 +0100
Subject: [Pki-devel] [PATCH 45/46] Run flake8 and pylint --py3k and fix
 violations
In-Reply-To: <56A5B5C8.7040300@redhat.com>
References: <5698EEB8.5050104@redhat.com> <56A5B5C8.7040300@redhat.com>
Message-ID: <56A63930.2060606@redhat.com>

On 2016-01-25 06:42, Endi Sukma Dewata wrote:
> On 1/15/2016 7:06 AM, Christian Heimes wrote:
>> The first patch add flake8 tests and pylint --py3k to RPM build. The
>> second patch fixes a couple of flake8 violations that have accumulated
>> in the past month.
>>
>> I'm still having a problem with sphinx autodocs. It can't build
>> documentation for pki.crypto. It looks like autodocs doesn't do relative
>> imports correctly and picks up pki/nss.py as nss.
>>
>> SphinxWarning: /home/heimes/redhat/pki/base/common/python/pki.rst:39:
>> WARNING: autodoc: failed to import module u'pki.crypto'; the following
>> exception was raised:
>> Traceback (most recent call last):
>>    File
>> "/home/heimes/redhat/pki/.tox/docs/lib/python2.7/site-packages/sphinx/ext/autodoc.py",
>>
>> line 385, in import_object
>>      __import__(self.modname)
>>    File
>> "/home/heimes/redhat/pki/.tox/docs/lib/python2.7/site-packages/pki/crypto.py",
>>
>> line 26, in <module>
>>      import nss.nss as nss
>> ImportError: No module named nss
>>
>>
>> Christian
> 
> Patch #45 is ACKed.
> 
> Patch #46 needs a rebase due to renaming nss.py to nssdb.py which also
> fixes the above error. Also there's a new upgrade script
> base/server/upgrade/10.3.0/01-AllowEncodedSlash that needs a minor fix.
> Other than that it's ACKed.
> 
> These patches should be pushed together to avoid build breaks.

Thanks for the review.

I've rebased my local branch to the latest master, fixed
01-AllowEncodedSlash and pushed both patches on master in commits
0d2d97f9bf6802f6f81090eca6e135e50fea7883 (pylint and flake8 checks) and
cb6b0c4855885c03d056acb8f98c96de986e081e (fix violations).

Christian

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20160125/7b2b6f6d/attachment.sig>

From edewata at redhat.com  Mon Jan 25 22:25:58 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 25 Jan 2016 16:25:58 -0600
Subject: [Pki-devel] [PATCH] 670 Reloading systemd daemons on RPM upgrade.
Message-ID: <56A6A0F6.7060307@redhat.com>

Reloading systemd daemons has been limited to happen only during
RPM upgrade operation.

https://fedorahosted.org/pki/ticket/1722

-- 
Endi S. Dewata
-------------- next part --------------
From 243fdaed3e146c897e94bb7ddc65b8c268b144af Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata at redhat.com>
Date: Mon, 25 Jan 2016 23:10:57 +0100
Subject: [PATCH] Reloading systemd daemons on RPM upgrade.

Reloading systemd daemons has been limited to happen only during
RPM upgrade operation.

https://fedorahosted.org/pki/ticket/1722
---
 specs/pki-core.spec | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/specs/pki-core.spec b/specs/pki-core.spec
index 6aea274e527db909c6e8350be5ffb3d00fd6ee92..0d05d8cd29ef7f4cd5174fad8973a8c51954789d 100644
--- a/specs/pki-core.spec
+++ b/specs/pki-core.spec
@@ -827,7 +827,11 @@ echo >> /var/log/pki/pki-server-upgrade-%{version}.log 2>&1
 /sbin/pki-server migrate >> /var/log/pki/pki-server-upgrade-%{version}.log 2>&1
 echo >> /var/log/pki/pki-server-upgrade-%{version}.log 2>&1
 
-systemctl daemon-reload
+# Reload systemd daemons on upgrade only
+if [ $1 -eq 2 ]
+then
+    systemctl daemon-reload
+fi
 
 ## %preun -n pki-server
 ## NOTE:  At this time, NO attempt has been made to update ANY PKI subsystem
-- 
2.4.3


From edewata at redhat.com  Tue Jan 26 05:13:59 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 25 Jan 2016 23:13:59 -0600
Subject: [Pki-devel] [PATCH 0048] Package pki client library for Python 3
In-Reply-To: <56A0DB8E.4040204@redhat.com>
References: <56A0DB8E.4040204@redhat.com>
Message-ID: <56A70097.4070305@redhat.com>

On 1/21/2016 7:22 AM, Christian Heimes wrote:
> Hi,
>
> Dogtag's Python code has been compatible with Python 3 for a while. So
> far the code hasn't been packages for Python 3 yet. I've been exploring
> ways to package the client part of Dogtag's pki package for FreeIPA. The
> attached patch packages the client libraries from base/common/python/pki
> as a new python3-pki package.
>
> Christian

The patch looks good. I'd ACK this unless somebody else still wants to 
look at it.

-- 
Endi S. Dewata



From cheimes at redhat.com  Wed Jan 27 09:21:03 2016
From: cheimes at redhat.com (Christian Heimes)
Date: Wed, 27 Jan 2016 10:21:03 +0100
Subject: [Pki-devel] [PATCH 0048] Package pki client library for Python 3
In-Reply-To: <56A70097.4070305@redhat.com>
References: <56A0DB8E.4040204@redhat.com> <56A70097.4070305@redhat.com>
Message-ID: <56A88BFF.6040804@redhat.com>

On 2016-01-26 06:13, Endi Sukma Dewata wrote:
> On 1/21/2016 7:22 AM, Christian Heimes wrote:
>> Hi,
>>
>> Dogtag's Python code has been compatible with Python 3 for a while. So
>> far the code hasn't been packages for Python 3 yet. I've been exploring
>> ways to package the client part of Dogtag's pki package for FreeIPA. The
>> attached patch packages the client libraries from base/common/python/pki
>> as a new python3-pki package.
>>
>> Christian
> 
> The patch looks good. I'd ACK this unless somebody else still wants to
> look at it.

I asked Petr Viktorin for a review. He pointed out that cmake doesn't
byte compile the Python files to pyc/pyo files. It's not a problem for
RPM builds, rpmbuild automatically compiles Python the files in
site-packages. It might be a small issue on platforms that use cmake
directly to install Dogtag.

Christian


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20160127/1d9baf4d/attachment.sig>

From cfu at redhat.com  Wed Jan 27 18:24:26 2016
From: cfu at redhat.com (Christina Fu)
Date: Wed, 27 Jan 2016 10:24:26 -0800
Subject: [Pki-devel]
 [pki-devel][PATCH]0061-Enhance-tkstool-for-capabilities-and-security.patch
In-Reply-To: <282683754.13899921.1452903872277.JavaMail.zimbra@redhat.com>
References: <282683754.13899921.1452903872277.JavaMail.zimbra@redhat.com>
Message-ID: <56A90B5A.2090503@redhat.com>

I think I will be more conservative and give conditional ACK to this 
patch pending on tests on servers running on both LunaSA and nethsm.  
Although the code in the patch might very well work for both, those two 
HSM's are known to require different sets of pk11AtrFlags and often one 
set would work for one but not the other.

thanks,
Christina

On 01/15/2016 04:24 PM, John Magne wrote:
> Enhance tkstool for capabilities and security
>
> This simple ticket is to fix tkstool to allow it
> to create the master key with the proper flags to make
> the key data private such that it can't be easily viewed when
> using tools to print out sym keys on the token.
>
> Fix tested on the "internal" token by trying the various tkstool
> cmds to make sure having the key private does not cause issues.
> Also tried a simple key changeover operation with tpsclient to make
> sure that symkey can still do what it needs to do witht the master key.
>
> Further testing with a full hsm will be required.
> The goal was the create the key with the same flags that are used with the
> previous "PK11_GenKeyOnToken" (name approx) is used. This version had no
> flags and created a default set. This fix uses the version With flags and
> does what the old one did, but made sure the key is private and sensitive.
>
> Master key can be tested by using the tool:
>
> /usr/lib64/nss/unsupported-tools/symkeyutil -d ./ -L
>
>
>
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20160127/85762c56/attachment.htm>