[Pki-devel] [PATCH] patches for authz realm and fixing output on request rejection

Endi Sukma Dewata edewata at redhat.com
Mon May 9 22:51:59 UTC 2016


On 5/9/2016 2:18 PM, Ade Lee wrote:
> Patch descriptions .. in reverse order.
>
> Note that the CA setup for authz is further documented at
> pki.fedoraproject.org/wiki/Kra_authz_realm , where I have added a
> section on 'CA Configuration'.
>
> Thanks,
> Ade
>
> ****************************************************************
> commit ad1fcecc2f36cc1ebc1f13efe3df9d1e138224b7
> Author: Ade Lee <alee at redhat.com>
> Date:   Mon May 9 15:00:20 2016 -0400
>
>      Add authz realm check for cert enrollment
>
>      Ticket 2041
>
> commit b5232ce101083409ed9a86e9057620cca7288f62
> Author: Ade Lee <alee at redhat.com>
> Date:   Sat May 7 00:06:08 2016 -0400
>
>      Fix error output when request is rejected
>
>      With this fix, error messages are returned to the user when
>      a request is rejected - either in the UI or from the pki CLI.
>
>      Trac Ticket 1247 (amongst others)
>
> commit 82d18a99103de1fa749b077cfccec5ff65ceb4a5
> Author: Ade Lee <alee at redhat.com>
> Date:   Wed May 4 18:25:51 2016 -0400
>
>      Add realm to requests coming in from CA
>
>      Requests to the KRA through the CA-KRA connector use the Enrollment
>      Service.  This has been modified to read and store any realm passed in.
>      The realm can be added to the request by having the admin add
>      an AuthzRealmDefault and AuthzRealmConstraint in a profile.
>
>      At this point, all the constraint does is verify that the realm is
>      one of a specified list of realms.  More verification will be added
>      in a subsequent patch.
>
>      No attempt is made yet to allow users to specify the realm.  This
>      would need to be added as a ProfileInput.
>
>      Part of Ticket 2041

ACK. Just some comments:

1. In AuthzRealmDefault.populate() we should wrap and rethrow the 
exception instead of ignoring it.

2. In UserMessages.properties let's use "Authorization" instead of 
"Authz" to be more user-friendly. Or just "Realm" instead of "Authz realm".

3. In HttpPKIMessage.fromRequest() we probably want to copy the realm 
without any condition (e.g. to copy the null value).

     reqRealm = r.getRealm();

4. In CertRequestInfoFactory.create() this if condition is redundant:

     if (error != null) {
         info.setErrorMessage(error);
     }

-- 
Endi S. Dewata
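The realm default/constraint pair described in the third commit, together with the three review points above (rethrow from populate(), copy the realm unconditionally, surface the rejection message), modelled as an added, self-contained illustration. This is not Dogtag PKI code: the class names RealmDefault, RealmConstraint, ConnectorMessage and Request, the ProfileException type and the enroll() helper are all stand-ins chosen for this example, and the realm names "alpha", "beta" and "gamma" are constructed sample input.

```java
// Added illustration only; none of these classes are Dogtag PKI's own.
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class RealmCheckExample {

    /** Thrown when a default cannot be applied or a constraint fails. */
    static class ProfileException extends Exception {
        ProfileException(String msg) { super(msg); }
        ProfileException(String msg, Throwable cause) { super(msg, cause); }
    }

    /** Hypothetical stand-in for the enrollment request; holds the realm attribute. */
    static class Request {
        private final Map<String, String> attrs = new HashMap<>();
        String getRealm() { return attrs.get("realm"); }
        void setRealm(String realm) { attrs.put("realm", realm); }
    }

    /** Plays the role of AuthzRealmDefault: stamps the configured realm onto the request. */
    static class RealmDefault {
        private final String realm;
        RealmDefault(String realm) { this.realm = realm; }

        // Review point 1: a failure here is wrapped and rethrown, never swallowed,
        // so a request never silently continues without a realm.
        void populate(Request req) throws ProfileException {
            try {
                if (realm == null || realm.isEmpty()) {
                    throw new IllegalStateException("no realm configured for this default");
                }
                req.setRealm(realm);
            } catch (RuntimeException e) {
                throw new ProfileException("unable to set realm on request", e);
            }
        }
    }

    /** Plays the role of AuthzRealmConstraint: the realm must be one of a configured list. */
    static class RealmConstraint {
        private final Set<String> allowed;
        RealmConstraint(List<String> allowedRealms) { this.allowed = new HashSet<>(allowedRealms); }

        void validate(Request req) throws ProfileException {
            String realm = req.getRealm();
            // A missing realm is not "any realm": reject it explicitly rather than
            // letting a null slip past the membership test.
            if (realm == null || !allowed.contains(realm)) {
                throw new ProfileException("realm '" + realm + "' is not one of " + allowed);
            }
        }
    }

    /** Plays the role of the CA-KRA connector message. */
    static class ConnectorMessage {
        String reqRealm;

        // Review point 3: copy the realm unconditionally, so a null on the
        // request becomes a null on the message instead of a stale value.
        void fromRequest(Request r) { reqRealm = r.getRealm(); }
    }

    /**
     * Applies the default, then the constraint. Returns null on success or the
     * rejection message, which the caller shows to the user (the "fix error
     * output" commit) instead of discarding it.
     */
    static String enroll(Request req, RealmDefault def, RealmConstraint cons) {
        try {
            def.populate(req);
            cons.validate(req);
            return null;
        } catch (ProfileException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) {
        RealmConstraint cons = new RealmConstraint(Arrays.asList("alpha", "beta"));

        Request accepted = new Request();
        System.out.println("alpha -> " + enroll(accepted, new RealmDefault("alpha"), cons));

        Request rejected = new Request();
        System.out.println("gamma -> " + enroll(rejected, new RealmDefault("gamma"), cons));

        Request unconfigured = new Request();
        System.out.println("empty -> " + enroll(unconfigured, new RealmDefault(""), cons));

        ConnectorMessage msg = new ConnectorMessage();
        msg.fromRequest(new Request());
        System.out.println("connector realm copied as-is: " + msg.reqRealm);
    }
}
```

The point of routing every failure through enroll()'s single return value is the one Endi makes in comments 1 and 4: a swallowed exception in populate() leaves the request without a realm and the constraint then fails with a less useful message, while a null error message needs no guard at the caller because setting null is a no-op.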
