[Pki-devel] [PATCH] 0113..0114 Lightweight CAs: renewal support

Fraser Tweedale ftweedal at redhat.com
Sat Jun 4 12:43:48 UTC 2016


On Thu, Jun 02, 2016 at 10:28:00PM -0500, Endi Sukma Dewata wrote:
> On 5/17/2016 12:26 AM, Fraser Tweedale wrote:
> > Attached patches implement LWCA renewal support
> > (https://fedorahosted.org/pki/ticket/2327).
> > 
> > It includes REST API
> > 
> >     POST /ca/rest/authorities/<id>/renew
> > 
> > But not implemented in CLI tool yet.  If we decide to make it a
> > first-class CLI feature (cf certmonger, IPA, etc managing the
> > renewal) then I'll file the ticket and implement it at that time.
> > 
> > Cheers,
> > Fraser
> 
> Some comments:
> 
> 1. This is related to patch #111 too. Suppose an authority is
> added/deleted/renewed in one replica while another replica is down, when the
> second replica is brought back up will it know that it's missing the changes
> and be able to update the NSSDB accordingly?
> 
> I'm thinking when the server is started there should be a process to
> synchronize the NSSDB with the authorities in LDAP. Do we have something
> like that already, or is this not an issue?
> 
Nice pickup - this will be an issue (I agree it can be addressed
later; I'll create a ticket).

> 2. The locale object for the RenewalProcessor should be obtained from the
> client, not from the server. See PKIService.getLocale(). In this case you
> probably need to pass HttpServletRequest to the renewAuthority().
> 
> 3. The HttpServletRequest can be used to call processRenewal() as well.
> 
> I think #1 can be done separately later. The patches are ACKed assuming #2
> and #3 are addressed.
> 
Updated patch attached.  I pass in the HttpServletRequest to
processRenewal() and use the authToken from the principal if
available (I also removed the method signature with the IAuthToken
argument, which was added in the first patch).

If you're happy with the updated patch and I'm not around, would you
kindly merge it on my behalf?

Thanks for your many reviews this week, Endi.
Fraser
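The startup reconciliation Endi raises in point #1 (a replica that was down misses add/delete/renew events on other replicas and its NSSDB drifts from the authorities recorded in LDAP) can be sketched as a plan-then-apply pass. The following is an added example, not Dogtag's own code: the record shape, the use of a tombstone flag to represent deleted authorities, and the nickname-to-serial view of the NSSDB are assumptions made for illustration, and the sample data is constructed. The one caveat worth keeping from it is that only nicknames LDAP knows about are touched, so unmanaged entries such as the server's TLS certificate are never removed.

```python
# Added example (hypothetical, not Dogtag PKI code): reconcile a replica's
# local NSSDB with the lightweight-CA records replicated via LDAP so that
# adds, deletions and renewals made while the replica was down are applied.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class AuthorityRecord:
    """A lightweight-CA entry as replicated through LDAP (assumed shape)."""
    authority_id: str
    nickname: str          # NSSDB nickname under which the CA cert/key lives
    serial: int            # serial of the *current* signing certificate
    deleted: bool = False  # assumed tombstone: authority deleted on a replica


@dataclass(frozen=True)
class Action:
    kind: str              # "import", "replace" or "remove"
    nickname: str
    serial: Optional[int]  # None for "remove"


_ORDER = {"import": 0, "replace": 1, "remove": 2}


def plan_sync(ldap_records: Iterable[AuthorityRecord],
              nssdb: Dict[str, int]) -> List[Action]:
    """Compute the actions that make the local NSSDB match LDAP.

    `nssdb` maps nickname -> serial of the certificate currently stored.
    Nicknames LDAP knows nothing about (e.g. the server's TLS cert) are
    left alone: only replicated authorities are managed here.
    """
    seen = set()
    actions: List[Action] = []
    for rec in ldap_records:
        if rec.nickname in seen:
            raise ValueError(f"duplicate nickname in LDAP: {rec.nickname!r}")
        seen.add(rec.nickname)
        local = nssdb.get(rec.nickname)
        if rec.deleted:
            if local is not None:            # deleted elsewhere, still here
                actions.append(Action("remove", rec.nickname, None))
        elif local is None:                  # added while this replica was down
            actions.append(Action("import", rec.nickname, rec.serial))
        elif local != rec.serial:            # renewed elsewhere: new cert, same key
            actions.append(Action("replace", rec.nickname, rec.serial))
    actions.sort(key=lambda a: (_ORDER[a.kind], a.nickname))
    return actions


def apply_plan(nssdb: Dict[str, int], actions: Iterable[Action]) -> Dict[str, int]:
    """Return the NSSDB contents after applying `actions` (pure, for illustration)."""
    result = dict(nssdb)
    for a in actions:
        if a.kind == "remove":
            result.pop(a.nickname, None)
        else:
            result[a.nickname] = a.serial
    return result


# Constructed sample: what LDAP says after the replica was offline for a while.
SAMPLE_LDAP = [
    AuthorityRecord("host", "caSigningCert cert-pki-ca", 1),
    AuthorityRecord("lwca-1", "caSigningCert cert-pki-ca lwca-1", 3),   # renewed (was 2)
    AuthorityRecord("lwca-2", "caSigningCert cert-pki-ca lwca-2", 4),   # added
    AuthorityRecord("lwca-3", "caSigningCert cert-pki-ca lwca-3", 6, deleted=True),
]

# Constructed sample: what the replica's NSSDB still holds.
SAMPLE_NSSDB = {
    "caSigningCert cert-pki-ca": 1,
    "caSigningCert cert-pki-ca lwca-1": 2,
    "caSigningCert cert-pki-ca lwca-3": 6,
    "Server-Cert cert-pki-ca": 9,   # not an authority; must be left untouched
}


def sync_sample():
    """Run the plan over the constructed sample and return (actions, new state)."""
    actions = plan_sync(SAMPLE_LDAP, SAMPLE_NSSDB)
    return actions, apply_plan(SAMPLE_NSSDB, actions)


if __name__ == "__main__":
    acts, state = sync_sample()
    for a in acts:
        print(a.kind, a.nickname, a.serial)
    print(state)
```

Running the plan a second time against the reconciled state yields no actions, which is the property a startup hook wants: it is safe to run on every boot, not only after a known outage.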